Conversation

galal-hussein (Contributor)

The PR fixes nestybox/sysbox#958 and adds support for containerd > 2.0. After investigation I found out that containerd was failing to run sysbox-runc features and failing to register the runtime as a runtime that supports user namespaces:

can't set `spec.hostUsers: false`, RuntimeClass handler "sysbox-runc" does not support user namespaces

After enabling the debug log in containerd, the issue was clearer:

level=debug msg="failed to introspect features of runtime \"sysbox-runc\"" error="failed to unmarshal Features (*anypb.Any): type with url : not found"

The PR adds the features command to sysbox-runc, hence enabling containerd to work with sysbox. This was tested on a k3s setup with no modification to containerd except for adding the runtime to the config:

/var/lib/rancher/k3s/agent/etc/containerd/config.toml.tmpl

...
[plugins.'io.containerd.cri.v1.runtime'.containerd.runtimes.sysbox-runc]
  runtime_type = "io.containerd.runc.v2"

[plugins.'io.containerd.cri.v1.runtime'.containerd.runtimes.sysbox-runc.options]
  SystemdCgroup = false
  BinaryName="/usr/bin/sysbox-runc"
...

And running a pod with the runtime class for sysbox-runc and hostUsers: false:

# cat pod.yaml 
apiVersion: v1
kind: Pod
metadata:
  name: ubuntu
spec:
  runtimeClassName: sysbox-runc
  hostUsers: false
  containers:
  - name: ubuntu2204
    image: ubuntu:22.04
    command: ["sleep", "40000000000"]
  restartPolicy: Never

I was able to run k3s within that pod successfully.

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
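The containerd failure quoted above comes down to a missing features document: containerd runs the runtime's `features` subcommand, parses the JSON it prints, and only registers the runtime as supporting user namespaces if the user namespace is listed. This added Go example (not sysbox-runc or containerd code) models that decision with a trimmed Features struct; the field names follow the OCI runtime-spec features schema, while the version strings and namespace lists are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"slices"
)

// Features is a trimmed model of the OCI runtime "features" document: only the
// fields this example inspects (the real schema has many more).
type Features struct {
	OCIVersionMin string         `json:"ociVersionMin"`
	OCIVersionMax string         `json:"ociVersionMax"`
	Linux         *LinuxFeatures `json:"linux,omitempty"`
}

// LinuxFeatures lists the Linux namespaces the runtime can create.
type LinuxFeatures struct {
	Namespaces []string `json:"namespaces,omitempty"`
}

// BuildFeatures renders what a runtime's `features` subcommand would print.
// Version values are constructed for this example, not taken from sysbox-runc.
func BuildFeatures(namespaces []string) ([]byte, error) {
	f := Features{OCIVersionMin: "1.0.0", OCIVersionMax: "1.2.0",
		Linux: &LinuxFeatures{Namespaces: namespaces}}
	return json.MarshalIndent(f, "", "  ")
}

// SupportsUserNamespaces is the decision a container manager must make before
// honouring hostUsers: false: parse the runtime's features output and require
// "user" among the namespaces. Empty or malformed output is an error, not
// "unsupported", so a broken runtime is surfaced instead of being registered.
func SupportsUserNamespaces(featuresJSON []byte) (bool, error) {
	if len(featuresJSON) == 0 {
		return false, fmt.Errorf("runtime printed no features document")
	}
	var f Features
	if err := json.Unmarshal(featuresJSON, &f); err != nil {
		return false, fmt.Errorf("failed to unmarshal features: %w", err)
	}
	return f.Linux != nil && slices.Contains(f.Linux.Namespaces, "user"), nil
}

func main() {
	doc, _ := BuildFeatures([]string{"pid", "mount", "network", "user"})
	fmt.Println(SupportsUserNamespaces(doc)) // true <nil>
	fmt.Println(SupportsUserNamespaces(nil)) // false runtime printed no features document
}
```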
@ctalledo (Member)

Hi @galal-hussein, thanks for the contribution, will take a look ASAP.

I was able to run k3s within that pod successfully.

Can you do cat /proc/self/uid_map within the pod and post the result, just to double-check the user-namespace mapping looks good?

Also, does each pod get a different user-ns mapping?

@ctalledo ctalledo assigned ctalledo and unassigned ctalledo Aug 29, 2025
@ctalledo ctalledo self-requested a review August 29, 2025 22:16
@galal-hussein (Contributor Author)

Sure, here are the results of two different pods running the sysbox-runc runtime:

➜  k3k git:(chart-0.3.4-rc3) ✗ kubectl exec -it  k3k-virtualcluster-server-0 -n test-x -- sh
~ # cat /proc/self/uid_map 
         0  178192384      65536


➜  k3k git:(chart-0.3.4-rc3) ✗ kubectl exec -it  k3k-virtualcluster-server-1 -n test-x -- sh
~ # cat /proc/self/uid_map 
         0  685834240      65536

The user namespace is intact, and each pod gets a different mapping.

@ctalledo (Member) left a comment

Thanks @galal-hussein for the contribution!

Mostly looks good, just a few comments.

return nil, err
}
if len(unknownCaps) > 0 {
logrus.Warn("ignoring unknown or unavailable capabilities: ", mapKeys(unknownCaps))
Member

Any particular reason for not using slices.Sorted(maps.Keys(unknownCaps)) (and therefore avoiding the mapKeys() function)?

Contributor Author

No, not really; slices.Sorted seems more efficient, will fix.

var exists bool
if config.RootPropagation, exists = mountPropagationMapping[spec.Linux.RootfsPropagation]; !exists {
return nil, fmt.Errorf("rootfsPropagation=%v is not supported", spec.Linux.RootfsPropagation)

Member

Remove empty line please.

Contributor Author

Sure, will do.

AnnotationRuncVersion = "org.opencontainers.runc.version"

// AnnotationRuncCommit corresponds to the output of `git describe --dirty --long --always` in the runc repo.
// Third party implementations such as crun and runsc SHOULD NOT use this annotation, as their repo is different from the runc repo.
Member

Seems like we should not use this annotation per the comment?

Contributor Author

Ah, the features annotations were copied from runc's implementation of the runc features command; I will remove this particular annotation though, per their instruction.

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
@galal-hussein galal-hussein requested a review from ctalledo August 29, 2025 23:15
@ctalledo (Member) left a comment

LGTM, thanks!

@ctalledo ctalledo merged commit 1e3b5a2 into nestybox:master Aug 29, 2025
@ctalledo (Member) commented Aug 29, 2025

Thanks @galal-hussein again for the contribution!

I've merged the PR and will test it with containerd user-namespaces. Thanks!

@galal-hussein (Contributor Author)

@ctalledo Thank you very much!

@mueckinger commented Sep 6, 2025

Hi, I have built the latest commit 1e3b5a2 of sysbox-runc, added the sysbox config as mentioned above to /etc/containerd/config.toml and added hostUsers: false to my manifest, but Kubernetes still says:
Failed to create pod sandbox: can't set spec.hostUsers: false, RuntimeClass handler "sysbox-runc" does not support user namespaces

It seems that I had to build the -static version. Now it works in the following environment:

  • containerd 2.1.4
  • Kubernetes 1.33.4
  • Ubuntu 24.04.3 LTS (GNU/Linux 6.8.0-78-generic x86_64)

🎉

@bindrad commented Sep 16, 2025

Hello, can you share the exact steps to run sysbox with containerd > 2.0 in a k3s cluster?
I updated the /var/lib/rancher/k3s/agent/etc/containerd/config.toml.tmpl file as mentioned above, but I get this error when creating a pod:

Error from server (Forbidden): error when creating "STDIN": pods "ubuntu" is forbidden: pod rejected: RuntimeClass "sysbox-runc" not found

Labels: enhancement (New feature or request)
Successfully merging this pull request may close these issues.

How to run Sysbox in containerd > 2.0