[workspacekit] Move all user namespace setup stuff to its own component

To keep supervisor free from CGO e.g. libcap or libseccomp

Author: Christian Weichel

components/supervisor/BUILD.yaml

@@ -18,17 +18,14 @@ packages:
     config:
       buildFlags:
         - "-ldflags=-w"
-      # build with >= go1.16beta1 to make libcap work without CGO. See
-      # - https://pkg.go.dev/kernel.org/pub/linux/libs/security/libcap/cap, search for allthreadssyscall
-      # - https://github.com/golang/go/issues/1435
-      goVersion: go1.16beta1
   - name: docker
     type: docker
     srcs:
       - "supervisor-config.json"
     deps:
       - :app
       - components/supervisor/frontend:app
+      - components/workspacekit/go:app
     argdeps:
       - imageRepoBase
     config:

components/supervisor/go.mod

@@ -11,7 +11,6 @@ replace github.com/Sirupsen/logrus v1.6.0 => github.com/sirupsen/logrus v1.6.0 /
 
 require (
 	github.com/Netflix/go-env v0.0.0-20200908232752-3e802f601e28
-	github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6 // indirect
 	github.com/creack/pty v1.1.11
 	github.com/gitpod-io/gitpod/common-go v0.0.0-00010101000000-000000000000
 	github.com/gitpod-io/gitpod/content-service v0.0.0-00010101000000-000000000000
@@ -24,20 +23,18 @@ require (
 	github.com/google/go-cmp v0.5.2
 	github.com/google/uuid v1.1.4
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.0.1
+	github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e // indirect
 	github.com/prometheus/procfs v0.0.8 // indirect
-	github.com/rootless-containers/rootlesskit v0.10.1
 	github.com/sirupsen/logrus v1.7.0
 	github.com/soheilhy/cmux v0.1.4
 	github.com/spf13/cobra v1.1.1
-	github.com/ugorji/go v1.1.4 // indirect
-	github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77 // indirect
 	golang.org/x/crypto v0.0.0-20201221181555-eec23a3978ad
 	golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208
 	golang.org/x/sys v0.0.0-20210110051926-789bb1bd4061
 	golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1
 	google.golang.org/grpc v1.34.0
 	google.golang.org/grpc/examples v0.0.0-20200902210233-8630cac324bf // indirect
-	kernel.org/pub/linux/libs/security/libcap/cap v0.2.46
+	gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f // indirect
 )
 
 replace github.com/gitpod-io/gitpod/common-go => ../common-go // leeway

components/supervisor/go.sum

@@ -12,5 +12,6 @@ COPY components-supervisor-frontend--app/node_modules/@gitpod/supervisor-fronten
 WORKDIR "/.supervisor"
 COPY components-supervisor--app/supervisor /.supervisor/supervisor
 COPY supervisor-config.json /.supervisor/supervisor-config.json
+COPY components-workspacekit--app/workspacekit /.supervisor/workspacekit
 
 ENTRYPOINT ["/.supervisor/supervisor"]

components/supervisor/leeway.Dockerfile

@@ -0,0 +1,14 @@
+packages:
+    - name: app
+      type: go
+      srcs:
+        - go.mod
+        - go.sum
+        - "**/*.go"
+      deps:
+        - components/common-go:lib
+        - components/ws-daemon-api/go:lib
+        - components/content-service-api/go:lib
+      config:
+        packaging: app
+        buildCommand: ["go", "build", "-ldflags", "-w -extldflags \"-static\""]

components/workspacekit/BUILD.yaml

@@ -17,13 +17,14 @@ import (
 	"time"
 
 	"github.com/gitpod-io/gitpod/common-go/log"
-	"github.com/gitpod-io/gitpod/supervisor/pkg/supervisor"
 	daemonapi "github.com/gitpod-io/gitpod/ws-daemon/api"
+
 	"github.com/rootless-containers/rootlesskit/pkg/msgutil"
 	"github.com/rootless-containers/rootlesskit/pkg/sigproxy"
 	sigproxysignal "github.com/rootless-containers/rootlesskit/pkg/sigproxy/signal"
 	"github.com/spf13/cobra"
 	"golang.org/x/sys/unix"
+	"google.golang.org/grpc"
 	"kernel.org/pub/linux/libs/security/libcap/cap"
 )
 
@@ -38,9 +39,8 @@ const (
 )
 
 var ring0Cmd = &cobra.Command{
-	Use:    "ring0",
-	Short:  "starts the supervisor ring0",
-	Hidden: true,
+	Use:   "ring0",
+	Short: "starts ring0 - enter here",
 	Run: func(_ *cobra.Command, args []string) {
 		log.Init(ServiceName, Version, true, true)
 		log := log.WithField("ring", 0)
@@ -56,7 +56,7 @@ var ring0Cmd = &cobra.Command{
 		ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
 		defer cancel()
 
-		client, conn, err := supervisor.ConnectToInWorkspaceDaemonService(ctx)
+		client, conn, err := connectToInWorkspaceDaemonService(ctx)
 		if err != nil {
 			log.WithError(err).Error("cannot connect to daemon")
 			return
@@ -150,9 +150,8 @@ var ring1Opts struct {
 	MappingEstablished bool
 }
 var ring1Cmd = &cobra.Command{
-	Use:    "ring1",
-	Short:  "starts the supervisor ring1",
-	Hidden: true,
+	Use:   "ring1",
+	Short: "starts ring1",
 	Run: func(_cmd *cobra.Command, args []string) {
 		log.Init(ServiceName, Version, true, true)
 		log := log.WithField("ring", 1)
@@ -169,7 +168,7 @@ var ring1Cmd = &cobra.Command{
 		ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
 		defer cancel()
 
-		client, conn, err := supervisor.ConnectToInWorkspaceDaemonService(ctx)
+		client, conn, err := connectToInWorkspaceDaemonService(ctx)
 		if err != nil {
 			log.WithError(err).Error("cannot connect to daemon")
 			failed = true
@@ -325,10 +324,12 @@ var ring1Cmd = &cobra.Command{
 	},
 }
 
+var ring2Opts struct {
+	SupervisorPath string
+}
 var ring2Cmd = &cobra.Command{
-	Use:    "ring2",
-	Short:  "starts the supervisor ring2",
-	Hidden: true,
+	Use:   "ring2",
+	Short: "starts ring2",
 	Run: func(_cmd *cobra.Command, args []string) {
 		log.Init(ServiceName, Version, true, true)
 		log := log.WithField("ring", 2)
@@ -377,7 +378,7 @@ var ring2Cmd = &cobra.Command{
 			failed = true
 			return
 		}
-		err = unix.Exec("/proc/self/exe", []string{"supervisor", "run", "--inns"}, os.Environ())
+		err = unix.Exec(ring2Opts.SupervisorPath, []string{"supervisor", "run", "--inns"}, os.Environ())
 		if err != nil {
 			log.WithError(err).Error("cannot exec")
 			failed = true
@@ -463,10 +464,47 @@ type ringSyncMsg struct {
 	Rootfs string `json:"rootfs"`
 }
 
+// ConnectToInWorkspaceDaemonService attempts to connect to the InWorkspaceService offered by the ws-daemon.
+func connectToInWorkspaceDaemonService(ctx context.Context) (daemonapi.InWorkspaceServiceClient, *grpc.ClientConn, error) {
+	const socketFN = "/.workspace/daemon.sock"
+
+	t := time.NewTicker(500 * time.Millisecond)
+	defer t.Stop()
+	for {
+		if _, err := os.Stat(socketFN); err == nil {
+			break
+		}
+
+		select {
+		case <-t.C:
+			continue
+		case <-ctx.Done():
+			return nil, nil, fmt.Errorf("socket did not appear before context was canceled")
+		}
+	}
+
+	conn, err := grpc.DialContext(ctx, "unix://"+socketFN, grpc.WithInsecure())
+	if err != nil {
+		return nil, nil, err
+	}
+	return daemonapi.NewInWorkspaceServiceClient(conn), conn, nil
+}
+
 func init() {
 	rootCmd.AddCommand(ring0Cmd)
 	rootCmd.AddCommand(ring1Cmd)
 	rootCmd.AddCommand(ring2Cmd)
 
+	supervisorPath := os.Getenv("GITPOD_WORKSPACEKIT_SUPERVISOR_PATH")
+	if supervisorPath == "" {
+		wd, err := os.Getwd()
+		if err == nil {
+			supervisorPath = "supervisor"
+		} else {
+			supervisorPath = filepath.Join(wd, "supervisor")
+		}
+	}
+
 	ring1Cmd.Flags().BoolVar(&ring1Opts.MappingEstablished, "mapping-established", false, "true if the UID/GID mapping has already been established")
+	ring2Cmd.Flags().StringVar(&ring2Opts.SupervisorPath, "supervisor-path", supervisorPath, "path to the supervisor binary (taken from $GITPOD_WORKSPACEKIT_SUPERVISOR_PATH, defaults to '$PWD/supervisor')")
 }

components/supervisor/cmd/rings.go renamed to components/workspacekit/cmd/rings.go

@@ -0,0 +1,37 @@
+// Copyright (c) 2020 Gitpod GmbH. All rights reserved.
+// Licensed under the GNU Affero General Public License (AGPL).
+// See License-AGPL.txt in the project root for license information.
+
+package cmd
+
+import (
+	"fmt"
+	"os"
+
+	"github.com/gitpod-io/gitpod/common-go/log"
+	"github.com/spf13/cobra"
+)
+
+// rootCmd represents the base command when called without any subcommands
+var rootCmd = &cobra.Command{
+	Use:   "workspacekit",
+	Short: "Prepares a container for running a Gitpod workspace",
+}
+
+var (
+	// ServiceName is the name we use for tracing/logging
+	ServiceName = "workspacekit"
+	// Version of this service - set during build
+	Version = ""
+)
+
+// Execute adds all child commands to the root command and sets flags appropriately.
+// This is called by main.main(). It only needs to happen once to the rootCmd.
+func Execute() {
+	log.Init(ServiceName, Version, false, true)
+
+	if err := rootCmd.Execute(); err != nil {
+		fmt.Println(err)
+		os.Exit(1)
+	}
+}

components/workspacekit/cmd/root.go

@@ -0,0 +1,70 @@
+module github.com/gitpod-io/gitpod/workspacekit
+
+go 1.15
+
+replace github.com/seccomp/libseccomp-golang => github.com/kinvolk/libseccomp-golang v0.9.2-0.20201113182948-883917843313
+
+require (
+	github.com/gitpod-io/gitpod/common-go v0.0.0-00010101000000-000000000000
+	github.com/gitpod-io/gitpod/ws-daemon/api v0.0.0-00010101000000-000000000000
+	github.com/rootless-containers/rootlesskit v0.11.1
+	github.com/seccomp/libseccomp-golang v0.9.1
+	github.com/spf13/cobra v1.1.1
+	golang.org/x/sys v0.0.0-20210113181707-4bcb84eeeb78
+	google.golang.org/grpc v1.34.0
+	kernel.org/pub/linux/libs/security/libcap/cap v0.2.46
+)
+
+replace github.com/gitpod-io/gitpod/common-go => ../common-go // leeway
+
+replace github.com/gitpod-io/gitpod/content-service/api => ../content-service-api/go // leeway
+
+replace github.com/gitpod-io/gitpod/ws-daemon/api => ../ws-daemon-api/go // leeway
+
+replace k8s.io/api => k8s.io/api v0.20.1 // leeway indirect from components/common-go:lib
+
+replace k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.20.1 // leeway indirect from components/common-go:lib
+
+replace k8s.io/apimachinery => k8s.io/apimachinery v0.20.1 // leeway indirect from components/common-go:lib
+
+replace k8s.io/apiserver => k8s.io/apiserver v0.20.1 // leeway indirect from components/common-go:lib
+
+replace k8s.io/cli-runtime => k8s.io/cli-runtime v0.20.1 // leeway indirect from components/common-go:lib
+
+replace k8s.io/client-go => k8s.io/client-go v0.20.1 // leeway indirect from components/common-go:lib
+
+replace k8s.io/cloud-provider => k8s.io/cloud-provider v0.20.1 // leeway indirect from components/common-go:lib
+
+replace k8s.io/cluster-bootstrap => k8s.io/cluster-bootstrap v0.20.1 // leeway indirect from components/common-go:lib
+
+replace k8s.io/code-generator => k8s.io/code-generator v0.20.1 // leeway indirect from components/common-go:lib
+
+replace k8s.io/component-base => k8s.io/component-base v0.20.1 // leeway indirect from components/common-go:lib
+
+replace k8s.io/cri-api => k8s.io/cri-api v0.20.1 // leeway indirect from components/common-go:lib
+
+replace k8s.io/csi-translation-lib => k8s.io/csi-translation-lib v0.20.1 // leeway indirect from components/common-go:lib
+
+replace k8s.io/kube-aggregator => k8s.io/kube-aggregator v0.20.1 // leeway indirect from components/common-go:lib
+
+replace k8s.io/kube-controller-manager => k8s.io/kube-controller-manager v0.20.1 // leeway indirect from components/common-go:lib
+
+replace k8s.io/kube-proxy => k8s.io/kube-proxy v0.20.1 // leeway indirect from components/common-go:lib
+
+replace k8s.io/kube-scheduler => k8s.io/kube-scheduler v0.20.1 // leeway indirect from components/common-go:lib
+
+replace k8s.io/kubelet => k8s.io/kubelet v0.20.1 // leeway indirect from components/common-go:lib
+
+replace k8s.io/legacy-cloud-providers => k8s.io/legacy-cloud-providers v0.20.1 // leeway indirect from components/common-go:lib
+
+replace k8s.io/metrics => k8s.io/metrics v0.20.1 // leeway indirect from components/common-go:lib
+
+replace k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.20.1 // leeway indirect from components/common-go:lib
+
+replace k8s.io/component-helpers => k8s.io/component-helpers v0.20.1 // leeway indirect from components/common-go:lib
+
+replace k8s.io/controller-manager => k8s.io/controller-manager v0.20.1 // leeway indirect from components/common-go:lib
+
+replace k8s.io/kubectl => k8s.io/kubectl v0.20.1 // leeway indirect from components/common-go:lib
+
+replace k8s.io/mount-utils => k8s.io/mount-utils v0.20.1 // leeway indirect from components/common-go:lib