[S597085][antlir2][isolate] fallback to bind-mounting /proc

Summary:
If we get an `EPERM` while mounting `/proc`, try to fall back to a bind mount.
A small number of RPM scriptlets might choke on this, but this will give the
build a better chance of succeeding.

Test Plan:
```name="Happy path where new /proc works"
❯ buck2 test fbcode//antlir/antlir2/features/rpm/...
Buck UI: https://www.internalfb.com/buck2/8114d14c-ada3-49e2-8596-bc048b4a369e
Test UI: https://www.internalfb.com/intern/testinfra/testrun/9851624322928450
Tests finished: Pass 67. Fail 0. Fatal 0. Skip 0. Omit 0. Infra Failure 0. Build failure 0
```

Since I can't reproduce the `EPERM` failure mode on my devserver, just change
the code to pretend that it failed:
```
❯ hg diff
 diff --git a/fbcode/antlir/antlir2/antlir2_isolate/isolate_unshare/isolate_unshare_preexec/src/isolation.rs b/fbcode/antlir/antlir2/antlir2_isolate/isolate_unshare/isolate_unshare_preexec/src/isolation.rs
 --- a/fbcode/antlir/antlir2/antlir2_isolate/isolate_unshare/isolate_unshare_preexec/src/isolation.rs
+++ b/fbcode/antlir/antlir2/antlir2_isolate/isolate_unshare/isolate_unshare_preexec/src/isolation.rs
@@ -334,27 +334,27 @@
         Err(e) => Err(e),
     }?;

-    match nix::mount::mount(
-        None::<&str>,
+    // match nix::mount::mount(
+    //     None::<&str>,
+    //     &newroot.open_dir("proc")?.abspath(),
+    //     Some("proc"),
+    //     MsFlags::MS_NOSUID | MsFlags::MS_NOEXEC | MsFlags::MS_NODEV,
+    //     None::<&str>,
+    // ) {
+    //     Ok(()) => Ok(()),
+    //     Err(e) if e == nix::errno::Errno::EPERM => {
+    warn!("got EPERM while mounting /proc - attempting a bind mount instead");
+    mount(
+        Some("/proc"),
         &newroot.open_dir("proc")?.abspath(),
-        Some("proc"),
-        MsFlags::MS_NOSUID | MsFlags::MS_NOEXEC | MsFlags::MS_NODEV,
         None::<&str>,
-    ) {
-        Ok(()) => Ok(()),
-        Err(e) if e == nix::errno::Errno::EPERM => {
-            warn!("got EPERM while mounting /proc - attempting a bind mount instead");
-            mount(
-                Some("/proc"),
-                &newroot.open_dir("proc")?.abspath(),
-                None::<&str>,
-                MsFlags::MS_BIND | MsFlags::MS_REC,
-                None::<&str>,
-            )
-            .context("while bind-mounting /proc")
-        }
-        Err(e) => Err(e).context("while mounting /proc"),
-    }?;
+        MsFlags::MS_BIND | MsFlags::MS_REC,
+        None::<&str>,
+    )
+    .context("while bind-mounting /proc")?;
+    //     }
+    //     Err(e) => Err(e).context("while mounting /proc"),
+    // }?;

     nix::unistd::chroot(&newroot.abspath())?;
     if let Some(wd) = working_directory {

❯ buck2 test fbcode//antlir/antlir2/features/rpm/...
Buck UI: https://www.internalfb.com/buck2/bb147ef3-a7dd-4180-8e7f-b7aebf135cb0
Test UI: https://www.internalfb.com/intern/testinfra/testrun/15762598833571210
Tests finished: Pass 67. Fail 0. Fatal 0. Skip 0. Omit 0. Infra Failure 0. Build failure 0
```

Reviewed By: vjt

Differential Revision: D89734817

fbshipit-source-id: 2c9f94d7b471f6f74534c41f935d27659a1d8dff

Author: vmagro

antlir/antlir2/antlir2_isolate/isolate_unshare/isolate_unshare_preexec/BUCK

@@ -21,6 +21,8 @@ rust_binary(
         "rustix",
         "serde_json",
         "tokio",
+        "tracing",
+        "tracing-subscriber",
         "//antlir/antlir2/antlir2_isolate/isolate_cfg:isolate_cfg",
         "//antlir/antlir2/antlir2_path:antlir2_path",
         "//antlir/util/cli/json_arg:json_arg",

antlir/antlir2/antlir2_isolate/isolate_unshare/isolate_unshare_preexec/src/isolation.rs

@@ -25,6 +25,7 @@ use nix::sched::unshare;
 use nix::unistd::Gid;
 use nix::unistd::Uid;
 use nix::unistd::User;
+use tracing::warn;
 
 /// MS_NOSYMFOLLOW (since Linux 5.10)
 /// Do not follow symbolic links when resolving paths.  Symbolic links can still
@@ -332,14 +333,28 @@ pub(crate) fn setup_isolation(isol: &IsolationContext) -> Result<()> {
         Err(e) if e.kind() == ErrorKind::AlreadyExists => Ok(()),
         Err(e) => Err(e),
     }?;
-    nix::mount::mount(
+
+    match nix::mount::mount(
         None::<&str>,
         &newroot.open_dir("proc")?.abspath(),
         Some("proc"),
         MsFlags::MS_NOSUID | MsFlags::MS_NOEXEC | MsFlags::MS_NODEV,
         None::<&str>,
-    )
-    .context("while mounting /proc")?;
+    ) {
+        Ok(()) => Ok(()),
+        Err(nix::errno::Errno::EPERM) => {
+            warn!("got EPERM while mounting /proc - attempting a bind mount instead");
+            mount(
+                Some("/proc"),
+                &newroot.open_dir("proc")?.abspath(),
+                None::<&str>,
+                MsFlags::MS_BIND | MsFlags::MS_REC,
+                None::<&str>,
+            )
+            .context("while bind-mounting /proc")
+        }
+        Err(e) => Err(e).context("while mounting /proc"),
+    }?;
 
     nix::unistd::chroot(&newroot.abspath())?;
     if let Some(wd) = working_directory {

antlir/antlir2/antlir2_isolate/isolate_unshare/isolate_unshare_preexec/src/main.rs

@@ -40,6 +40,9 @@ struct Main {
 }
 
 fn main() {
+    tracing_subscriber::fmt()
+        .with_writer(std::io::stderr)
+        .init();
     let args = Subcommand::parse();
     if let Err(e) = match args {
         Subcommand::Main(args) => do_main(args),