feat: Allow containers to use both host network and user namespace

[HirazawaUi]

This PR implements the feature proposed in KEP: kubernetes/enhancements#5607 for containerd.

This PR modifies the behavior to use bind mounts for /sys when a pod employs both hostNetwork and user namespace.

relate: #12489

Allow containers to use user namespaces with host networking

[mikebrow]

Hello! see: " FAIL - does not have a valid DCO" All commits must be signed. Suggest setting your git config to have user name and email.. Then git commit -s --amend to sign your commit." Detail: https://github.com/containerd/project/blob/main/CONTRIBUTING.md#sign-your-work

[mikebrow]

note to self.. needs feature issue for tracking support of the case.

[HirazawaUi]

Hello! see: " FAIL - does not have a valid DCO" All commits must be signed. Suggest setting your git config to have user name and email.. Then git commit -s --amend to sign your commit." Detail: https://github.com/containerd/project/blob/main/CONTRIBUTING.md#sign-your-work

Signed

[rata]

Oh, I missed this PR was open, sorry! Thanks a lot for the PR.

The code looks good, simple and effective. I've tested it locally and works as expected.

I've revisited #10607 to make sure I wasn't forgetting any reason to pin the userns. But no, the pinning is just needed because the netns is created by containerd and, therefore, the userns needs to be created by containerd (since that PR, before we were letting runc create it for us).

So, when no netns is created (using the host netns), the pinning is not needed. So, just skping it and adding the /sys bind mount works just fine, with both runc and crun. This is a quite an elegant solution :)

IMHO now is safe to add tests, as everything works and IMHO looks good. For that, please check TestLinuxSandboxContainerSpec() and TestLinuxSandboxContainerSpec() to test the changes in these two functions. There are quite a bunch of userns tests you can check. For the not pinned userns, see the specCheck func in the user namespace test case. You can use something similar but with assert.NotContains, for example.

Please ping me when tests are ready and thanks again for the PR! :)

[rata]

Also, can you update the PR description? The runc pr is not needed.

[HirazawaUi]

Also, can you update the PR description? The runc pr is not needed.

updated.

Please ping me when tests are ready and thanks again for the PR! :)

Unit tests have been added.

[rata]

Thanks!

Sorry, my previous suggestion was wrong. Let's change back that code :-/

[rata]

This mostly LGTM, left some comments on the tests (on the existing threads we had).

[HirazawaUi]

@HirazawaUi can you push again? Checking quickly the CI failure seems unrelated, but without a green CI this might not get a lot of attention :(

I have recommited it

[rata]

@HirazawaUi CI is still broken :(

[HirazawaUi]

@mikebrow all tests have passed. Could you please approve this PR?

[rata]

CI is broken (windows, so unrelated). Can you push again?

[samuelkarp]

/retest

(you can do this too, it should rerun the failing GitHub Actions workflows)

[rata]

Oh, I missed containerd suppoted this! Cool, CI is green now, PTAL :)

[mikebrow]

LGTM
/cc @MikeZappa87