containerd: add OCI default spec and settings

[mchaker]

Issue number:

Closes #1703

Description of changes:

This PR adds support for setting default OCI spec values. The default OCI spec stored at /etc/containerd/cri-base.json is applied to all containers run by containerd, unless otherwise configured (e.g. by Kubernetes).

The OCI spec can be found in detail at /~https://github.com/opencontainers/runtime-spec/blob/main/config.md .

This PR also adds some default settings that we want Bottlerocket to ship with: namely, a specific set of process capabilities (sources/models/shared-defaults/oci-capabilities.toml) and resource limits (sources/models/shared-defaults/oci-resource-limits.toml).

Testing done:

OCI Defaults Test Plan

​

Manual Testing

Baseline

​

• Baseline with Production AMI v1.11 (i.e. ami-09d516ec16c94c0e0)
  • Get the OCI spec for a sample nginx workload container launched via kubernetes (save it for comparison)
  • Run a pod that opens as many files as it can, as well as printing the container capabilities
    • How many files were opened: 65533 due to our containerd patch.
    • Bounding capabilities: {CAP_SETFCAP, CAP_NET_RAW, CAP_KILL, CAP_CHOWN, CAP_SETUID, CAP_FSETID, CAP_FOWNER, CAP_AUDIT_WRITE, CAP_MKNOD, CAP_SYS_CHROOT, CAP_DAC_OVERRIDE, CAP_SETPCAP, CAP_NET_BIND_SERVICE, CAP_SETGID}
      ​

Test case: feature enabled and configured with default settings

​
Make sure there is no behavior change when not configuring the new settings.
​

• Run modified AMI (ami-0f58fc68a762109e8, 7ad3110d) without setting oci-defaults.capabilities, oci-defaults.resource-limits in userdata
  • Get the OCI spec for a nginx workload container: it matched v1.11
  • Run a pod that opens as many files as it can, as well as printing the container capabilities
    • How many files were opened: 65533 (matched v1.11)
    • Bounding capabilities: {CAP_CHOWN, CAP_MKNOD, CAP_SYS_CHROOT, CAP_NET_BIND_SERVICE, CAP_SETFCAP, CAP_SETUID, CAP_FOWNER, CAP_DAC_OVERRIDE, CAP_KILL, CAP_SETGID, CAP_FSETID, CAP_SETPCAP, CAP_AUDIT_WRITE} (matched v1.11, with the exception of CAP_NET_RAW, which is intentionally removed)
• Log in to the test node and verify that the cri-base.json file contains the desired settings default values
  ​

Test case: set capabilities

​

• Run modified AMI (ami-01b0018dc3c2ad0de, 3940728)
  • Add a capability (CAP_BPF) via apiclient
• Run a pod that opens as many files as it can, as well as printing the container capabilities
  • How many files were opened: 65533 (unchaged from defaults)
  • Bounding capabilities: {CAP_SETFCAP, CAP_MKNOD, CAP_SETUID, CAP_BPF, CAP_SETGID, CAP_FSETID, CAP_AUDIT_WRITE, CAP_NET_BIND_SERVICE, CAP_DAC_OVERRIDE, CAP_CHOWN, CAP_KILL, CAP_FOWNER, CAP_SETPCAP, CAP_SYS_CHROOT} (capabilities changed accordingly: CAP_BPF was added)
• Log in to the test node and verify that the cri-base.json file contains the desired settings values
  ​

Test case: set resource-limits

​

• Run modified AMI (ami-01b0018dc3c2ad0de, 3940728)
  • Use apiclient to change the RLIMIT_NOFILE soft value to 90000
• Run a pod that opens as many files as it can, as well as printing the container capabilities
  • How many files were opened: 89997 (changed according to new RLIMIT_NOFILE soft)
  • Bounding capabilities: {CAP_SETPCAP, CAP_FOWNER, CAP_AUDIT_WRITE, CAP_CHOWN, CAP_SETGID, CAP_MKNOD, CAP_SYS_CHROOT, CAP_SETFCAP, CAP_KILL, CAP_NET_BIND_SERVICE, CAP_FSETID, CAP_SETUID, CAP_DAC_OVERRIDE} (unchanged from defaults)
• Log in to the test node and verify that the cri-base.json file contains the desired settings values
  ​

Test case: set both capabilities and resource-limits

​
Combine both of the above: i.e. set capabilities and rlimit_nofile values
​

• Run modified AMI (ami-0628b6b13d2b7c83e, 69c158f)
  • Use apiclient to change the RLIMIT_NOFILE soft value to 90000
  • Use apiclient to add a capability (CAP_BPF)
• Run a pod that opens as many files as it can, as well as printing the container capabilities
  • How many files were opened: 89997 (changed according to new RLIMIT_NOFILE soft)
  • Bounding capabilities: {CAP_KILL, CAP_SETUID, CAP_NET_BIND_SERVICE, CAP_DAC_OVERRIDE, CAP_BPF, CAP_SETPCAP, CAP_AUDIT_WRITE, CAP_MKNOD, CAP_SETFCAP, CAP_SYS_CHROOT, CAP_CHOWN, CAP_SETGID, CAP_FSETID, CAP_FOWNER} (capabilities changed accordingly: CAP_BPF was added)
• Log in to the test node and verify that the cri-base.json file contains the desired settings values

Test all variants

Repeat above Manual Testing steps for the following variants:

• aws-k8s-1.23
• aws-k8s-1.23-nvidia
• metal-k8s-1.24
• vmware-k8s-1.23

Run abridged Manual Testing steps for the following variants:

• aws-k8s-1.21
• aws-k8s-1.21-nvidia
• aws-k8s-1.22
• aws-k8s-1.22-nvidia
• aws-k8s-1.24-nvidia
• aws-k8s-1.24
• metal-k8s-1.21
• metal-k8s-1.22
• metal-k8s-1.23
• vmware-k8s-1.21
• vmware-k8s-1.22
• vmware-k8s-1.24
  ​

Run Sonobuoy Conformance

​

• Run Sonobuoy quick suite
• Run Sonobuoy full suite
  ​

Test case: Upgrade Downgrade

• v1.11 --> this version --> v1.11

Terms of contribution:

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.

[mchaker]

remaining TODOs based on early feedback

[mchaker]

Force push: resolved remaining TODOs based on early feedback.

[mchaker]

Force push: resolved merge conflict

[mchaker]

Force push: removed panic in helper and reset default capabilities to 1.0.2-dev defaults.

[mchaker]

Force push: address some comments

[webern]

^ /~https://github.com/bottlerocket-os/bottlerocket/compare/e19d8eba27b22fedc5d253657899cd8d72d5d4ca..c633a175eadb7edd95f6fb1374de3ef16d8b62d8

break out the migration to its own commit

[webern]

^ /~https://github.com/bottlerocket-os/bottlerocket/compare/c633a175eadb7edd95f6fb1374de3ef16d8b62d8..46d0035f43b35102443877f2338a763f2d8fedec

• Use #[model(add_option = false)] to require both hard and soft limits to be set (as is required by the spec).
• Add the OCI defaults settings to all the k8s variants.

[webern]

^ /~https://github.com/bottlerocket-os/bottlerocket/compare/46d0035f43b35102443877f2338a763f2d8fedec..9d7001a575e61f0ee4cd246845f08d988a1672c4

Fix a small nit.

[mchaker]

^ /~https://github.com/bottlerocket-os/bottlerocket/compare/9d7001a575e61f0ee4cd246845f08d988a1672c4..bf2b51bcb9b19109de89eceb060496a8b5c1f552

Force push: fix a small typo

[bcressey]

nit: maybe

Suggested change

	setting key | setting value
	setting | default value

[mchaker]

I agree it's clearer - accepted suggestion

[bcressey]

I'd prefer to organize this as:

capability | setting | default value
CAP_AUDIT_CONTROL | settings.oci-defaults.capabilities.audit-control | false

With all the default-true ones first, followed by the others. Then we wouldn't have the duplication, and the sorting would be similar to runc's list of capabilities.

[mchaker]

What would be preferable for default value in the case of capabilities we do not configure with default values?

A: The semantically correct setting of false
B: The syntactically correct "setting" of (unset)

[mchaker]

Also, does this comment (reorganizing to capability | setting | default value) also apply to rlimits as well?
Meaning, reorganizing the rlimits section to be resource limit | setting | default value?

[bcressey]

I would prefer something like - to indicate unset, so there's less visual noise.

Making the same change to the rlimits section would be good too.

[mchaker]

Updated in the latest force push: /~https://github.com/bottlerocket-os/bottlerocket/compare/52cfccb27a6dfe636699d64696b3adf4f3346625..66c11153cc3521157c6d03a93e049fa1e88af43a

[bcressey]

This is quite a lot of change to land in one commit. The functionality is great, no complaints there, but it makes it a bit harder for reviewers to digest.

As a suggestion for commit structure in the future, I'd recommend:

• one commit to add the scaffolding and base functionality
• one commit to add settings + template fields for rlimits (smaller)
• one commit to add settings + template fields for capabilities (larger)
• one commit for required migrations

It's fine for this PR though.

[mchaker]

Apologies for the monolithic PR structure and thank you for explaining a better way. I'll keep this comment in my notebook as a reminder for my next PR.

[bcressey]

It's a minor thing, but I'd prefer to have these in the 75-79 or 85-89 range, together with ??-oci-hooks.toml, rather than at the end of the 90 range. That way all the OCI related defaults share the same range.

[mchaker]

Symlinks renamed in latest force push

[bcressey]

In preparation for future Docker support, we should give these files a name to keep them distinct:

• oci-defaults-containerd-cri.toml
• oci-defaults-containerd-cri-resource-limits.toml
• oci-defaults-containerd-cri-capabilities.toml

The capabilities will be the same but the resource limits and configuration files will be different.

[mchaker]

Accepted suggestion, thank you

[bcressey]

Suggested change

	migrate(common_migrations::AddPrefixesMigration(vec![
	"settings.oci-defaults",
	]))
	migrate(common_migrations::AddPrefixesMigration(vec![
	"settings.oci-defaults",
	"services.oci-defaults",
	"configuration-files.oci-defaults",
	]))

[mchaker]

Thank you, accepted suggestion

[bcressey]

Need a metadata migration for the affected services.

[mchaker]

Added in the latest force push: /~https://github.com/bottlerocket-os/bottlerocket/compare/ec2a9f46efb263d54caee5b2df2f4d9be6c3fad2..1318d9557178011eb609a2ab2ba9165199481e83

[bcressey]

I'd probably clean up all of these links and just say:

Suggested change

	/// OciDefaultsCapability specifies which process capabilities are
	/// allowed to be modified in Bottlerocket. The Linux process
	/// capabilities are defined in the Linux manpages (see the man7.org link below).
	/// Default values can be found in: sources/models/shared-defaults/oci-capabilities.toml
	/// OCI spec: /~https://github.com/opencontainers/runtime-spec/blob/c4ee7d12c742ffe806cd9350b6af3b4b19faed6f/config.md#linux-process
	/// Linux kernel capabilities: https://man7.org/linux/man-pages/man7/capabilities.7.html
	///
	/// Default capabilities are specified in the following file:
	/// * sources/models/shared-defaults/oci-capabilities.toml
	/// OciDefaultsCapability specifies which process capabilities are
	/// allowed to be set in the default OCI spec.

sources/models/shared-defaults/oci-capabilities.toml is extremely likely to be renamed during a refactor, and this comment probably won't stay correct. The OCI spec link seems a little out-of-place here, and the man page is pretty easy to find by anyone who knows they're working with Linux capabilities.

[mchaker]

Agreed - wouldn't want stale references in comments. Accepted suggestion

[bcressey]

Suggested change

	/// OciDefaultsResourceLimitType specifies which resource limits are
	/// allowed to be modified in Bottlerocket. The full list of Linux resource limits can
	/// be found in the Linux manpages (for convenience at the man7.org link below.)
	/// Default values can be found in: sources/models/shared-defaults/oci-resource-limits.toml
	/// OCI spec: /~https://github.com/opencontainers/runtime-spec/blob/c4ee7d12c742ffe806cd9350b6af3b4b19faed6f/config.md#posix-process
	/// Linux resource limits: https://man7.org/linux/man-pages/man2/getrlimit.2.html#DESCRIPTION
	///
	/// Default resource limits are specified in the following file:
	/// * sources/models/shared-defaults/oci-resource-limits.toml
	/// OciDefaultsResourceLimitType specifies which resource limits are
	/// allowed to be set in the default OCI spec.

[mchaker]

Accepted suggestion

[mchaker]

^ /~https://github.com/bottlerocket-os/bottlerocket/compare/bf2b51bcb9b19109de89eceb060496a8b5c1f552..ec2a9f46efb263d54caee5b2df2f4d9be6c3fad2

Force push: address most PR comments

[arnaldo2792]

Since this is a feature for k8s only, you may want to exclude the execution of the migration for all the other variants.

[mchaker]

Done! Thanks :)

[mchaker]

^ /~https://github.com/bottlerocket-os/bottlerocket/compare/66c11153cc3521157c6d03a93e049fa1e88af43a..e3d47c4f1be7227f08fa554b9c4aad6af025ae55

Force push: add metadata migration to Release.toml

[etungsten]

🍕

LGTM assuming all the testing looks good.

[webern]

^ rebase /~https://github.com/bottlerocket-os/bottlerocket/compare/e3d47c4f1be7227f08fa554b9c4aad6af025ae55..6a7d5a626706cf74155089a75f89db8170157bc7

[webern]

^ Attempt to fix metadata migration /~https://github.com/bottlerocket-os/bottlerocket/compare/6a7d5a626706cf74155089a75f89db8170157bc7..8be44e04b94087399ccd2a3d6c2957558f7711e5

[webern]

^ try even harder to fix the migrations /~https://github.com/bottlerocket-os/bottlerocket/compare/8be44e04b94087399ccd2a3d6c2957558f7711e5..8a04adde8601155ca1aa26389f7d522b94dde41a

[stmcginnis]

Looks good to me, testing done looks good, and tests are passing. I'm not strong on the migrations, so definitely would be good to have someone that understands those better take a closer look.

[stmcginnis]

Just to note - I don't think it makes that much difference - but you could have results_line be an array, then use result_lines.join(",\n") at the end to get the resulting comma separated final string.

[bcressey]

Can you fix the co-authored-by tags in the commit messages?

Co-authored-by: name <mmchaker@amazon.com>
Co-authored-by: name <brigmatt@amazon.com>

Also, this description is not correct:

The default OCI spec stored at /etc/containerd/cri-base.json is applied to all containers run by containerd, unless otherwise configured (e.g. by Kubernetes pod specs).

The changes here only affect containerd-cri, and not containers launched by other means (host / bootstrap containers, Docker for ECS variants).

[bcressey]

LGTM apart from a few style nits and the commit messages.

[bcressey]

If I understand correctly - conditionalizing this on the variant is just for defensive / documentation purposes, it isn't actually necessary for aws-ecs-1 which won't have this metadata.

[bcressey]

to avoid the "else" branch:

Suggested change

	fn run() -> Result<()> {
	if cfg!(variant_runtime = "k8s") {
	migrate(common_migrations::AddPrefixesMigration(vec![
	"settings.oci-defaults",
	"services.oci-defaults",
	"configuration-files.oci-defaults",
	]))
	} else {
	Ok(())
	}
	}
	fn run() -> Result<()> {
	if cfg!(variant_runtime = "k8s") {
	migrate(common_migrations::AddPrefixesMigration(vec![
	"settings.oci-defaults",
	"services.oci-defaults",
	"configuration-files.oci-defaults",
	]))?;
	}
	Ok(())
	}

[bcressey]

nit: I don't think that last semicolon is needed:

Suggested change

	if cfg!(variant_runtime = "k8s") {
	migrate(AddMetadataMigration(&[SettingMetadata {
	metadata: &["affected-services"],
	setting: "settings.oci-defaults",
	}]))?;
	};
	if cfg!(variant_runtime = "k8s") {
	migrate(AddMetadataMigration(&[SettingMetadata {
	metadata: &["affected-services"],
	setting: "settings.oci-defaults",
	}]))?;
	}

[bcressey]

You can use a combination of raw strings and concat! to clean this up so the string literal isn't flush with the left margin:

Suggested change

	let capabilities_section = format!(
	"\"bounding\": [
	{capabilities_bounding}
	],
	\"effective\": [
	{capabilities_effective}
	],
	\"permitted\": [
	{capabilities_permitted}
	]",
	capabilities_bounding = capabilities_lines_joined,
	capabilities_effective = capabilities_lines_joined,
	capabilities_permitted = capabilities_lines_joined,
	);
	let capabilities_section = format!(
	concat!(
	r#""bounding": ["#,
	"{capabilities_bounding}",
	"]",
	r#""effective": ["#,
	"{capabilities_effective}",
	"]",
	r#""permitted": ["#,
	"{capabilities_permitted}",
	"]",
	),
	capabilities_bounding = capabilities_lines_joined,
	capabilities_effective = capabilities_lines_joined,
	capabilities_permitted = capabilities_lines_joined,
	);

(same for the rlimit function)

[mchaker]

This is much nicer, thank you!

[webern]

^ /~https://github.com/bottlerocket-os/bottlerocket/compare/8a04adde8601155ca1aa26389f7d522b94dde41a..684e813d7c88e27dba71a12c0c1bc7826110c141

• Avoid the else branch
• nit: I don't think that last semicolon is needed:
• You can use a combination of raw strings and concat! to clean this up so the string literal isn't flush with the left margin:
• Use Vec.join
• Can you fix the co-authored-by tags in the commit messages?
• The changes here only affect containerd-cri, and not containers launched by other means (host / bootstrap containers, Docker for ECS variants).

[webern]

^ /~https://github.com/bottlerocket-os/bottlerocket/compare/684e813d7c88e27dba71a12c0c1bc7826110c141..b0d09dc82fced3815b691c7ef14d5cd8f9cc3229

Fix a small oops

[webern]

^ fix another oops /~https://github.com/bottlerocket-os/bottlerocket/compare/b0d09dc82fced3815b691c7ef14d5cd8f9cc3229..352a0a1477ff9084703c3be9ba8a0e1075ca1ce3

[webern]

I performed upgrade/downgrade testing from v1.11.0 -> v1.12.0 -> v1.11.0

On v1.11 and v1.12 I ran an ngnix pod and checked its oci spec with a command like this:

ctr -n k8s.io c info --spec 5a724a53cf

The specs were the same on both versions of Bottlerocket (i.e. if a customer does not use these new settings, their pods will not be affected).

👍