Support feature subcommand

[musaprg]

derived from #2395, and fixes #815

This PR introduces a new youki features subcommand, which returns the Features Structure¹ defined in the OCI runtime spec. Features Structure is written in JSON format and contains runtime features supported by the youki.

TODO

• Add seccomp support information based on the feature flags
  • Waiting for the response of Add seccomp into feature flags of youki to be compiled in #2924

Footnotes

1. https://github.com/opencontainers/runtime-spec/blob/main/features.md ↩

[YJDoc2]

Hey @musaprg , just wanted to confirm if you are following up on this, or might be busy with something else. No worries if you can't continue, but let us know. Thanks!

[musaprg]

@YJDoc2 Hi. sorry I have been a bit busy these days, but I'm still working on it. I'll update the dependency and add missing implementations.

[codecov-commenter]

⚠️ Please install the to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

Attention: Patch coverage is 95.56962% with 7 lines in your changes missing coverage. Please review.

Project coverage is 67.04%. Comparing base (ea96160) to head (e28d8ac).
Report is 14 commits behind head on main.

❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2837      +/-   ##
==========================================
+ Coverage   66.76%   67.04%   +0.28%     
==========================================
  Files         131      131              
  Lines       16673    16831     +158     
==========================================
+ Hits        11131    11285     +154     
- Misses       5542     5546       +4     

[musaprg]

@YJDoc2 @utam0k Hi, this PR is ready for review now. Could you check it at your convenience?
I don't think supporting seccomp support information in this PR would be necessary. I can implement it in another PR once #2924 gets merged. Thanks!

[YJDoc2]

Couple of comments.

[YJDoc2]

Hey @musaprg , I ran this on my system and compared with runc's output, and there are some differences -

• youki's output

`./youki features`

{ "ociVersionMin": "1.0.0", "ociVersionMax": "1.0.2", "hooks": [ "prestart", "createRuntime", "createContainer", "startContainer", "poststart", "poststop" ], "mountOptions": [ "async", "atime", "bind", "defaults", "dev", "diratime", "dirsync", "exec", "mand", "noatime", "nodev", "nodiratime", "noexec", "nomand", "norelatime", "nosuid", "nostrictatime", "private", "rbind", "rdev", "relatime", "remount", "rnoatime", "rnodev", "rnodiratime", "rnoexec", "rnorelatime", "rnosuid", "rnostrictatime", "ro", "rprivate", "rrw", "rshared", "rsuid", "rsymfollow", "rslave", "rstrictatime", "runbindable", "rw", "shared", "slave", "strictatime", "suid", "sync", "unbindable" ], "linux": { "namespaces": [ "pid", "network", "uts", "ipc", "mount", "user", "cgroup", "time" ], "capabilities": [], "cgroup": { "v1": false, "v2": false, "systemd": false, "systemdUser": false, "rdma": false }, "seccomp": null, "apparmor": { "enabled": true }, "selinux": { "enabled": false }, "intelRdt": { "enabled": true }, "mountExtensions": { "idmap": { "enabled": false } } }, "annotations": null, "potentiallyUnsafeConfigAnnotations": null }

• runc's output

`runc features`

{ "ociVersionMin": "1.0.0", "ociVersionMax": "1.0.2-dev", "hooks": [ "prestart", "createRuntime", "createContainer", "startContainer", "poststart", "poststop" ], "mountOptions": [ "acl", "async", "atime", "bind", "defaults", "dev", "diratime", "dirsync", "exec", "iversion", "lazytime", "loud", "mand", "noacl", "noatime", "nodev", "nodiratime", "noexec", "noiversion", "nolazytime", "nomand", "norelatime", "nostrictatime", "nosuid", "nosymfollow", "private", "ratime", "rbind", "rdev", "rdiratime", "relatime", "remount", "rexec", "rnoatime", "rnodev", "rnodiratime", "rnoexec", "rnorelatime", "rnostrictatime", "rnosuid", "rnosymfollow", "ro", "rprivate", "rrelatime", "rro", "rrw", "rshared", "rslave", "rstrictatime", "rsuid", "rsymfollow", "runbindable", "rw", "shared", "silent", "slave", "strictatime", "suid", "symfollow", "sync", "tmpcopyup", "unbindable" ], "linux": { "namespaces": [ "cgroup", "ipc", "mount", "network", "pid", "user", "uts" ], "capabilities": [ "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER", "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP", "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST", "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER", "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE", "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE", "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD", "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP", "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM", "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF", "CAP_CHECKPOINT_RESTORE" ], "cgroup": { "v1": true, "v2": true, "systemd": true, "systemdUser": true }, "seccomp": { "enabled": true, "actions": [ "SCMP_ACT_ALLOW", "SCMP_ACT_ERRNO", "SCMP_ACT_KILL", "SCMP_ACT_KILL_PROCESS", "SCMP_ACT_KILL_THREAD", "SCMP_ACT_LOG", "SCMP_ACT_NOTIFY", "SCMP_ACT_TRACE", "SCMP_ACT_TRAP" ], "operators": [ "SCMP_CMP_EQ", "SCMP_CMP_GE", "SCMP_CMP_GT", "SCMP_CMP_LE", "SCMP_CMP_LT", "SCMP_CMP_MASKED_EQ", "SCMP_CMP_NE" ], "archs": [ "SCMP_ARCH_AARCH64", "SCMP_ARCH_ARM", "SCMP_ARCH_MIPS", "SCMP_ARCH_MIPS64", "SCMP_ARCH_MIPS64N32", "SCMP_ARCH_MIPSEL", "SCMP_ARCH_MIPSEL64", "SCMP_ARCH_MIPSEL64N32", "SCMP_ARCH_PPC", "SCMP_ARCH_PPC64", "SCMP_ARCH_PPC64LE", "SCMP_ARCH_RISCV64", "SCMP_ARCH_S390", "SCMP_ARCH_S390X", "SCMP_ARCH_X32", "SCMP_ARCH_X86", "SCMP_ARCH_X86_64" ] }, "apparmor": { "enabled": true }, "selinux": { "enabled": true } }, "annotations": { "io.github.seccomp.libseccomp.version": "2.5.3", "org.opencontainers.runc.checkpoint.enabled": "true", "org.opencontainers.runc.commit": "v1.1.13-0-g58aa920", "org.opencontainers.runc.version": "1.1.13" } }

The major differences I see here are capabilities list, cgroup and systemd info, also seccomp info. Can you take a look?

[musaprg]

@YJDoc2 IIUC, as for the systemd-related fields, it depends on the youki's feature flags indicating which feature should be compiled in. I guess executing cargo build without any feature flags won't include any cgroup features such as v1, v2, systemd, systemd-user. Could you try scripts/build.sh -o $PWD -c youki -f v2 for example?

[musaprg]

As for the seccomp information, #2924 is required to be merged, so I've just left it as null, which means unknown about seccomp support.

[musaprg]

As for capabilities, I probably misunderstood the spec. The capabilities listed there don't have to be actually supported on the kernel running youki. I've fixed it in b8f902a.

The recognized names of the capabilities, including capabilities that might not be supported by the host operating system. The runtime MUST recognize the elements in this array in the process.capabilities object of config.json.
https://github.com/opencontainers/runtime-spec/blob/main/features-linux.md#capabilities

[musaprg]

I noticed that namespaces also should include all possible namespaces regardless of whether it's supported on the kernel. I've fixed it in a73d957.

The recognized names of the namespaces, including namespaces that might not be supported by the host operating system. The runtime MUST recognize the elements in this array as the type of linux.namespaces objects in config.json.

[utam0k]

🚀 LGTM
Thanks for your contribution. I really appreciate it.

[utam0k]

@musaprg It looks fine, but I just want to make sure that this PR is ready for merge. I've confirmed the behavior in my local

[musaprg]

@utam0k Thank you for your confirmation. I'm ok to merge this, but we also have to support exposing seccomp information. I can submit another PR for it once this PR is merged. Either way would be fine with me.

TODO Add seccomp support information based on the feature flags Waiting for the response of #2924