Make runc_jailer's behavior configurable regarding drive files

runc_jailer implicitly copies all drive files to a jail directory before
calling runc.

While copying provides a stronger guarantee of isolation, some clients
would want have more control on the drive files (e.g. use shred(1) for
removing files).

DriveExposePolicy allows client to use bind-mount instead of copying.

Signed-off-by: Kazuyoshi Kato <[email protected]>

Author: kzys

proto/firecracker.pb.go

@@ -81,6 +81,15 @@ message GetVMMetadataResponse {
     string Metadata = 1;
 }
 
+// DriveExposePolicy is used to configure the method to expose drive files.
+// "COPY" is copying the files to the jail, which is the default behavior.
+// "BIND" is bind-mounting the files on the jail, assuming a caller pre-configures the permissions of
+// the files appropriately.
+enum DriveExposePolicy {
+    COPY = 0;
+    BIND = 1;
+}
+
 message JailerConfig {
     string NetNS = 1;
     // List of the physical numbers of the CPUs on which processes in that
@@ -110,5 +119,8 @@ message JailerConfig {
 	// if no value was provided, then /firecracker-containerd will be used as
 	// the default value
     string CgroupPath = 6;
+
+    // DriveExposePolicy is used to configure the method to expose drive files.
+    DriveExposePolicy DriveExposePolicy = 7;
 }
 

proto/firecracker.proto

@@ -18,13 +18,13 @@ import (
 	"fmt"
 	"os"
 
-	"github.com/firecracker-microvm/firecracker-go-sdk"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 
 	"github.com/firecracker-microvm/firecracker-containerd/config"
 	"github.com/firecracker-microvm/firecracker-containerd/internal/vm"
 	"github.com/firecracker-microvm/firecracker-containerd/proto"
+	firecracker "github.com/firecracker-microvm/firecracker-go-sdk"
 )
 
 const (
@@ -95,14 +95,15 @@ func newJailer(
 
 	l := logger.WithField("jailer", "runc")
 	config := runcJailerConfig{
-		OCIBundlePath:  ociBundlePath,
-		RuncBinPath:    service.config.JailerConfig.RuncBinaryPath,
-		RuncConfigPath: service.config.JailerConfig.RuncConfigPath,
-		UID:            request.JailerConfig.UID,
-		GID:            request.JailerConfig.GID,
-		CPUs:           request.JailerConfig.CPUs,
-		Mems:           request.JailerConfig.Mems,
-		CgroupPath:     request.JailerConfig.CgroupPath,
+		OCIBundlePath:     ociBundlePath,
+		RuncBinPath:       service.config.JailerConfig.RuncBinaryPath,
+		RuncConfigPath:    service.config.JailerConfig.RuncConfigPath,
+		UID:               request.JailerConfig.UID,
+		GID:               request.JailerConfig.GID,
+		CPUs:              request.JailerConfig.CPUs,
+		Mems:              request.JailerConfig.Mems,
+		CgroupPath:        request.JailerConfig.CgroupPath,
+		DriveExposePolicy: request.JailerConfig.DriveExposePolicy,
 	}
 	return newRuncJailer(ctx, l, service.vmID, config)
 }

runtime/jailer.go

@@ -15,8 +15,10 @@ package main
 
 import (
 	"context"
+	"io/ioutil"
 	"os"
 	"path/filepath"
+	"strings"
 	"testing"
 
 	"github.com/containerd/containerd"
@@ -44,6 +46,13 @@ func TestJailer_Isolated(t *testing.T) {
 			GID: 300001,
 		})
 	})
+	t.Run("With Jailer and bind-mount", func(t *testing.T) {
+		testJailer(t, &proto.JailerConfig{
+			UID:               300001,
+			GID:               300001,
+			DriveExposePolicy: proto.DriveExposePolicy_BIND,
+		})
+	})
 }
 
 func testJailer(t *testing.T, jailerConfig *proto.JailerConfig) {
@@ -63,11 +72,30 @@ func testJailer(t *testing.T, jailerConfig *proto.JailerConfig) {
 
 	vmID := testNameToVMID(t.Name())
 
-	fcClient := fccontrol.NewFirecrackerClient(pluginClient.Client())
-	_, err = fcClient.CreateVM(ctx, &proto.CreateVMRequest{
+	request := proto.CreateVMRequest{
 		VMID:         vmID,
 		JailerConfig: jailerConfig,
-	})
+	}
+
+	// If the drive files are bind-mounted, the files must be readable from the jailer's user.
+	if jailerConfig != nil && jailerConfig.DriveExposePolicy == proto.DriveExposePolicy_BIND {
+		f, err := ioutil.TempFile("", strings.Replace(t.Name(), "/", "-", -1))
+		require.NoError(err)
+		defer f.Close()
+
+		dst := f.Name()
+
+		err = copyFile(defaultRuntimeConfig.RootDrive, dst, 0400)
+		require.NoErrorf(err, "failed to copy a rootfs as %q", dst)
+
+		err = os.Chown(dst, int(jailerConfig.UID), int(jailerConfig.GID))
+		require.NoError(err, "failed to chown %q", dst)
+
+		request.RootDrive = &proto.FirecrackerRootDrive{HostPath: dst}
+	}
+
+	fcClient := fccontrol.NewFirecrackerClient(pluginClient.Client())
+	_, err = fcClient.CreateVM(ctx, &request)
 	require.NoError(err)
 
 	c, err := client.NewContainer(ctx,