
Support sysfs mounts from workspaces #4897

Merged: 3 commits merged into main from cw/mount-sysfs on Aug 2, 2021

Conversation

csweichel (Contributor, author):
This PR enables mounting sysfs from within a workspace, much the same way we mount proc. We use seccomp-notify to intercept the mount call and delegate the mount to ws-daemon's in-workspace-service (IWS).

How to test

```shell
mkdir test
sudo mount -t sysfs sysfs test
```

Docker containers now also use a "proper" sysfs mount:

```shell
docker run --rm -it alpine:latest
```

I hope this will help with #4889, where k3s attempts to mount sysfs.

@roboquat roboquat requested a review from rl-gitpod July 21, 2021 20:47
@csweichel csweichel requested review from fntlnz and leodido and removed request for rl-gitpod July 21, 2021 20:47
leodido (Contributor) left a comment:

Went through this in a call with the author and it looks mostly fine to me.

There's only one thing (at the moment) I'd suggest thinking a bit more about: the concept of "tagged" directories in sysfs.

In fact, any sysfs directory can have a "tag" that identifies which type of namespace controls how that directory is viewed.

Meaning that while /sys/class/net has a tag identifying the net namespace subsystem, the /sys/kernel/uids directory (for example) wants to be managed by the user namespace subsystem, if I don't remember it wrong.

Basically, it's a Kernel mechanism to enable sysfs to present different views of various parts depending on the namespace tag.

But we should check the existence of this mechanism against specific Kernel versions (the ones Gitpod is intended to run on).

Also, we should verify whether we need and have things like /sys/kernel.

Edit:

I was remembering correctly about the /sys/kernel/uids tag, but it was removed long ago.

Regarding the namespace tags I'm referring to kobject->sd (which is a kernfs_node that contains the namespace tag ns).
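The two points above (the PR description's seccomp-notify interception that hands mount(2) to a privileged daemon, and the review remark that sysfs views depend on namespace tags) both come down to what the privileged side must check before it mounts anything on a workspace's behalf. The following is an added example written for this page; it is not code from this PR, from ws-daemon or from the IWS. The `MountRequest`/`Decision` types, `ValidateMount` and the `idStillValid` callback are assumptions made here; the flag values are the Linux mount(2) constants. The handler runs as root, so it applies an fstype allowlist, refuses flags that change mount topology, refuses mount options it would otherwise feed to the kernel's option parser, resolves a relative target against the caller's cwd, re-checks that the seccomp notification is still valid after reading the caller's memory, and records that the mount has to be performed from inside the caller's mount and net namespaces, since the sysfs instance picks up the net namespace of whoever mounts it.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
)

// MountRequest holds what a seccomp-notify handler reads out of an
// intercepted mount(2): the string arguments copied from the caller's
// memory and the raw flags word. Assumed shape for this example, not
// the IWS request type.
type MountRequest struct {
	Source string
	Target string
	FSType string
	Flags  uint64
	Data   string
}

// Decision is the mount the privileged side would actually perform if
// the request passes, with the daemon's own hardening applied.
type Decision struct {
	Source     string
	Target     string
	FSType     string
	Flags      uint64
	Namespaces []string // caller namespaces to setns() into before mounting
}

// mount(2) flag bits from <linux/mount.h>.
const (
	MS_NOSUID     = 0x2
	MS_NODEV      = 0x4
	MS_NOEXEC     = 0x8
	MS_REMOUNT    = 0x20
	MS_BIND       = 0x1000
	MS_MOVE       = 0x2000
	MS_REC        = 0x4000
	MS_UNBINDABLE = 1 << 17
	MS_PRIVATE    = 1 << 18
	MS_SLAVE      = 1 << 19
	MS_SHARED     = 1 << 20
)

// forbiddenFlags change mount topology or propagation instead of creating a
// fresh pseudo-fs instance; they must not run with the daemon's privileges.
const forbiddenFlags = MS_REMOUNT | MS_BIND | MS_MOVE | MS_REC |
	MS_UNBINDABLE | MS_PRIVATE | MS_SLAVE | MS_SHARED

// hardeningFlags are imposed on every delegated mount, whatever was asked for.
const hardeningFlags = MS_NOSUID | MS_NODEV | MS_NOEXEC

var ErrDenied = errors.New("delegated mount denied")

// allowedFS: the pseudo filesystems a workspace may mount through the
// delegated path, proc (already supported) and sysfs (this PR).
var allowedFS = map[string]bool{"proc": true, "sysfs": true}

// ValidateMount decides whether an intercepted mount(2) may be performed on
// the caller's behalf. callerCwd is the caller's working directory (as read
// from /proc/<pid>/cwd) so that a relative target like "test" resolves the
// way the caller meant it. idStillValid stands in for
// SECCOMP_IOCTL_NOTIF_ID_VALID: the arguments were copied from the caller's
// memory after the notification arrived, so the handler must confirm the
// notification (and thus the pid behind it) is still the same before acting.
func ValidateMount(callerCwd string, req MountRequest, idStillValid func() bool) (Decision, error) {
	if !allowedFS[req.FSType] {
		return Decision{}, fmt.Errorf("%w: fstype %q not in allowlist", ErrDenied, req.FSType)
	}
	if req.Flags&forbiddenFlags != 0 {
		return Decision{}, fmt.Errorf("%w: flags %#x alter mount topology", ErrDenied, req.Flags)
	}
	if req.Data != "" {
		// proc/sysfs options (e.g. hidepid=) would be parsed by the kernel
		// with the daemon's privileges; refuse rather than forward them.
		return Decision{}, fmt.Errorf("%w: mount options %q not allowed", ErrDenied, req.Data)
	}
	target := req.Target
	if !filepath.IsAbs(target) {
		if !filepath.IsAbs(callerCwd) {
			return Decision{}, fmt.Errorf("%w: cannot resolve relative target %q", ErrDenied, target)
		}
		target = filepath.Join(callerCwd, target)
	}
	target = filepath.Clean(target)
	if !idStillValid() {
		// Caller died or the notification was superseded: nothing read from
		// its memory can be trusted any more.
		return Decision{}, fmt.Errorf("%w: seccomp notification no longer valid", ErrDenied)
	}
	return Decision{
		Source: req.FSType, // the kernel ignores the source for proc/sysfs; normalise it
		Target: target,
		FSType: req.FSType,
		Flags:  req.Flags | hardeningFlags,
		// mnt: Target must resolve in the workspace's mount tree, not the
		// daemon's. net: sysfs tags /sys/class/net with the net namespace of
		// the mounting process, so the mount has to happen from the caller's
		// netns or the workspace ends up seeing the daemon's interfaces.
		Namespaces: []string{"mnt", "net"},
	}, nil
}

func main() {
	ok := func() bool { return true }
	d, err := ValidateMount("/workspace/gitpod", MountRequest{Source: "sysfs", Target: "test", FSType: "sysfs"}, ok)
	fmt.Printf("%+v %v\n", d, err)
	_, err = ValidateMount("/workspace/gitpod", MountRequest{Source: "/", Target: "/mnt", FSType: "none", Flags: MS_BIND}, ok)
	fmt.Println(err)
}
```

The decision deliberately carries the namespaces to enter rather than the handler calling setns itself: the seccomp listener thread must answer the notification, and the mount should be done by a separate thread (or helper) that has already joined the caller's mnt and net namespaces, the same division of labour the PR describes between the seccomp interception and ws-daemon's IWS.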

fntlnz (Contributor) commented Jul 22, 2021:

/werft run

👍 started the job as gitpod-build-cw-mount-sysfs.5

fntlnz (Contributor) commented Jul 28, 2021:

/werft run

👍 started the job as gitpod-build-cw-mount-sysfs.6

csweichel (Contributor, author) commented:

@leodido @fntlnz
What is missing from this PR / what can I do to get this merged?

codecov bot commented Aug 1, 2021:

Codecov Report

Merging #4897 (d2e1aec) into main (dbb9d9f) will increase coverage by 25.78%.
The diff coverage is n/a.

```diff
@@            Coverage Diff             @@
##            main    #4897       +/-   ##
==========================================
+ Coverage   6.53%   32.32%   +25.78%
==========================================
  Files          3       42       +39
  Lines        979    10102     +9123
==========================================
+ Hits          64     3265     +3201
- Misses       911     6540     +5629
- Partials       4      297      +293
```

| Flag | Coverage Δ |
|---|---|
| components-image-builder-mk3-app | ? |
| components-local-app-app-darwin | ? |
| components-local-app-app-linux | ? |
| components-local-app-app-windows | ? |
| components-supervisor-app | 36.77% <ø> (?) |
| components-workspacekit-app | 7.69% <ø> (?) |
| components-ws-daemon-api-go-lib | ∅ <ø> (?) |
| components-ws-daemon-app | 23.02% <ø> (?) |
| components-ws-daemon-nsinsider-app | ∅ <ø> (?) |
| components-ws-manager-app | 36.32% <ø> (?) |

Flags with carried forward coverage won't be shown.

| Impacted Files | Coverage Δ |
|---|---|
| ...ents/image-builder-mk3/pkg/orchestrator/monitor.go | |
| ...image-builder-mk3/pkg/orchestrator/orchestrator.go | |
| components/image-builder/pkg/resolve/resolve.go | |
| ...s/ws-manager/pkg/manager/internal/grpcpool/pool.go | 74.46% <0.00%> (ø) |
| components/workspacekit/cmd/lift.go | 18.18% <0.00%> (ø) |
| components/supervisor/pkg/supervisor/git.go | 0.00% <0.00%> (ø) |
| components/ws-manager/pkg/manager/metrics.go | 11.26% <0.00%> (ø) |
| components/ws-daemon/pkg/content/service.go | 0.00% <0.00%> (ø) |
| components/ws-manager/pkg/manager/manager.go | 24.89% <0.00%> (ø) |
| ...-manager/pkg/manager/internal/workpool/workpool.go | 100.00% <0.00%> (ø) |
| ... and 35 more | |

Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Last update dbb9d9f...d2e1aec.

roboquat (Contributor) commented Aug 2, 2021:

LGTM label has been added.

Git tree hash: 318a4edf13e2f31f6f35dd8d3cc672b3b3f30591

roboquat (Contributor) commented Aug 2, 2021:

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: csweichel, leodido

Associated issue: #4889

Approvers can indicate their approval by writing /approve in a comment, and cancel it by writing /approve cancel.
@roboquat roboquat merged commit 0e91076 into main Aug 2, 2021
@roboquat roboquat deleted the cw/mount-sysfs branch August 2, 2021 08:16