
Implement the `runsc features` command

Open milantracy opened this issue 9 months ago • 6 comments

Description

Implement `runsc features`, which is similar to the `runc features` command:

$ runc features
{
    "ociVersionMin": "1.0.0",
    "ociVersionMax": "1.2.0",
    "hooks": [
        "prestart",
        "createRuntime",
        "createContainer",
        "startContainer",
        "poststart",
        "poststop"
    ],
    "mountOptions": [
        "async",
        "atime",
        "bind",
        "defaults",
        "dev",
        "diratime",
        "dirsync",
        "exec",
        "iversion",
        "lazytime",
        "loud",
        "mand",
        "noatime",
        "nodev",
        "nodiratime",
        "noexec",
        "noiversion",
        "nolazytime",
        "nomand",
        "norelatime",
        "nostrictatime",
        "nosuid",
        "nosymfollow",
        "private",
        "ratime",
        "rbind",
        "rdev",
        "rdiratime",
        "relatime",
        "remount",
        "rexec",
        "rnoatime",
        "rnodev",
        "rnodiratime",
        "rnoexec",
        "rnorelatime",
        "rnostrictatime",
        "rnosuid",
        "rnosymfollow",
        "ro",
        "rprivate",
        "rrelatime",
        "rro",
        "rrw",
        "rshared",
        "rslave",
        "rstrictatime",
        "rsuid",
        "rsymfollow",
        "runbindable",
        "rw",
        "shared",
        "silent",
        "slave",
        "strictatime",
        "suid",
        "symfollow",
        "sync",
        "tmpcopyup",
        "unbindable"
    ],
    "linux": {
        "namespaces": [
            "cgroup",
            "ipc",
            "mount",
            "network",
            "pid",
            "time",
            "user",
            "uts"
        ],
        "capabilities": [
            "CAP_CHOWN",
            "CAP_DAC_OVERRIDE",
            "CAP_DAC_READ_SEARCH",
            "CAP_FOWNER",
            "CAP_FSETID",
            "CAP_KILL",
            "CAP_SETGID",
            "CAP_SETUID",
            "CAP_SETPCAP",
            "CAP_LINUX_IMMUTABLE",
            "CAP_NET_BIND_SERVICE",
            "CAP_NET_BROADCAST",
            "CAP_NET_ADMIN",
            "CAP_NET_RAW",
            "CAP_IPC_LOCK",
            "CAP_IPC_OWNER",
            "CAP_SYS_MODULE",
            "CAP_SYS_RAWIO",
            "CAP_SYS_CHROOT",
            "CAP_SYS_PTRACE",
            "CAP_SYS_PACCT",
            "CAP_SYS_ADMIN",
            "CAP_SYS_BOOT",
            "CAP_SYS_NICE",
            "CAP_SYS_RESOURCE",
            "CAP_SYS_TIME",
            "CAP_SYS_TTY_CONFIG",
            "CAP_MKNOD",
            "CAP_LEASE",
            "CAP_AUDIT_WRITE",
            "CAP_AUDIT_CONTROL",
            "CAP_SETFCAP",
            "CAP_MAC_OVERRIDE",
            "CAP_MAC_ADMIN",
            "CAP_SYSLOG",
            "CAP_WAKE_ALARM",
            "CAP_BLOCK_SUSPEND",
            "CAP_AUDIT_READ",
            "CAP_PERFMON",
            "CAP_BPF",
            "CAP_CHECKPOINT_RESTORE"
        ],
        "cgroup": {
            "v1": true,
            "v2": true,
            "systemd": true,
            "systemdUser": true,
            "rdma": true
        },
        "seccomp": {
            "enabled": true,
            "actions": [
                "SCMP_ACT_ALLOW",
                "SCMP_ACT_ERRNO",
                "SCMP_ACT_KILL",
                "SCMP_ACT_KILL_PROCESS",
                "SCMP_ACT_KILL_THREAD",
                "SCMP_ACT_LOG",
                "SCMP_ACT_NOTIFY",
                "SCMP_ACT_TRACE",
                "SCMP_ACT_TRAP"
            ],
            "operators": [
                "SCMP_CMP_EQ",
                "SCMP_CMP_GE",
                "SCMP_CMP_GT",
                "SCMP_CMP_LE",
                "SCMP_CMP_LT",
                "SCMP_CMP_MASKED_EQ",
                "SCMP_CMP_NE"
            ],
            "archs": [
                "SCMP_ARCH_AARCH64",
                "SCMP_ARCH_ARM",
                "SCMP_ARCH_MIPS",
                "SCMP_ARCH_MIPS64",
                "SCMP_ARCH_MIPS64N32",
                "SCMP_ARCH_MIPSEL",
                "SCMP_ARCH_MIPSEL64",
                "SCMP_ARCH_MIPSEL64N32",
                "SCMP_ARCH_PPC",
                "SCMP_ARCH_PPC64",
                "SCMP_ARCH_PPC64LE",
                "SCMP_ARCH_RISCV64",
                "SCMP_ARCH_S390",
                "SCMP_ARCH_S390X",
                "SCMP_ARCH_X32",
                "SCMP_ARCH_X86",
                "SCMP_ARCH_X86_64"
            ],
            "knownFlags": [
                "SECCOMP_FILTER_FLAG_TSYNC",
                "SECCOMP_FILTER_FLAG_SPEC_ALLOW",
                "SECCOMP_FILTER_FLAG_LOG"
            ],
            "supportedFlags": [
                "SECCOMP_FILTER_FLAG_TSYNC",
                "SECCOMP_FILTER_FLAG_SPEC_ALLOW",
                "SECCOMP_FILTER_FLAG_LOG"
            ]
        },
        "apparmor": {
            "enabled": true
        },
        "selinux": {
            "enabled": true
        },
        "intelRdt": {
            "enabled": true
        },
        "mountExtensions": {
            "idmap": {
                "enabled": true
            }
        }
    },
    "annotations": {
        "io.github.seccomp.libseccomp.version": "2.5.5",
        "org.opencontainers.runc.checkpoint.enabled": "true",
        "org.opencontainers.runc.commit": "v1.2.4-0-g6c52b3f",
        "org.opencontainers.runc.version": "1.2.4"
    },
    "potentiallyUnsafeConfigAnnotations": [
        "bundle",
        "org.systemd.property.",
        "org.criu.config"
    ]
}

Is this feature related to a specific bug?

No response

Do you have a specific solution in mind?

No response

milantracy avatar Apr 17 '25 18:04 milantracy
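A consumer-side use of the features document shown above, added here as an example (not gVisor's or runc's code): a Go check that parses a features JSON and reports which namespaces, capabilities, mount options or seccomp actions a container config relies on that the runtime does not advertise, so a missing isolation setting is caught before the container is created rather than silently dropped. The `Features` type, the `CheckConfig` function and the sample document are constructed for this example.

```go
package main

import "encoding/json"

// Subset of the OCI runtime features document (the runc output above); added example, not gVisor's or runc's code.
type Features struct {
	MountOptions []string `json:"mountOptions"`
	Linux        struct {
		Namespaces   []string `json:"namespaces"`
		Capabilities []string `json:"capabilities"`
		Seccomp      struct {
			Enabled bool     `json:"enabled"`
			Actions []string `json:"actions"`
		} `json:"seccomp"`
	} `json:"linux"`
}
// Constructed sample: a runtime advertising a deliberately reduced feature set.
const SampleFeatures = `{"mountOptions": ["bind", "ro", "nosuid", "nodev", "noexec"],
 "linux": {"namespaces": ["ipc", "mount", "network", "pid", "user", "uts"],
  "capabilities": ["CAP_CHOWN", "CAP_NET_BIND_SERVICE"],
  "seccomp": {"enabled": true, "actions": ["SCMP_ACT_ALLOW", "SCMP_ACT_ERRNO"]}}}`
// CheckConfig reports, per category, what a config requires (namespaces, capabilities, mount
// options, seccomp actions) but the features document does not advertise; empty map = compatible.
func CheckConfig(doc []byte, ns, caps, mounts, seccompActs []string) (map[string][]string, error) {
	var f Features
	if err := json.Unmarshal(doc, &f); err != nil {
		return nil, err
	}
	gaps := map[string][]string{}
	check := func(name string, want, advertised []string) {
		set := map[string]bool{}
		for _, s := range advertised {
			set[s] = true
		}
		for _, w := range want {
			if !set[w] {
				gaps[name] = append(gaps[name], w)
			}
		}
	}
	check("namespaces", ns, f.Linux.Namespaces)
	check("capabilities", caps, f.Linux.Capabilities)
	check("mountOptions", mounts, f.MountOptions)
	check("seccomp", seccompActs, f.Linux.Seccomp.Actions)
	// A disabled seccomp filter is a gap even when every requested action is listed.
	if len(seccompActs) > 0 && !f.Linux.Seccomp.Enabled {
		gaps["seccomp"] = append([]string{"enabled"}, gaps["seccomp"]...)
	}
	return gaps, nil
}
```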

Can I work on this?

XueSongTap avatar Apr 18 '25 05:04 XueSongTap

Sure, let us know if you need help.

milantracy avatar Apr 18 '25 06:04 milantracy

Is this used by containerd or something similar?

EtiennePerot avatar Apr 18 '25 22:04 EtiennePerot

> Is this used by containerd or something similar?

It is used by containerd, though it is not a must-have.

milantracy avatar Apr 18 '25 23:04 milantracy

@milantracy @EtiennePerot Hi, I encountered a Bazel build issue while implementing the features command. I wanted to use the `github.com/opencontainers/runtime-spec/specs-go/features` package to maintain consistency with the OCI specification, but the Bazel build failed with the error:

ERROR: no such package '@@com_github_opencontainers_runtime_spec//specs-go/features': BUILD file not found in directory 'specs-go/features' of external repository @@com_github_opencontainers_runtime_spec. Add a BUILD file to a directory to mark it as a package.

Investigation Findings:

  • The issue is that the specs-go/features directory in the runtime-spec repository lacks the BUILD file required for Bazel builds
  • Attempting to add the dependency @com_github_opencontainers_runtime_spec//specs-go/features:go_default_library doesn't work
  • I looked at how the Kubernetes project handles this issue and found that Kubernetes doesn't use the features package

Possible Solutions:

  1. Define an equivalent Features struct in our code to avoid depending on the external package
  2. Use a simple map structure instead of a struct to represent the feature list
  3. Create a custom BUILD file in our project and add it to the external repository path
  4. Use the Gazelle tool to automatically generate BUILD files for the external repository

Request for Suggestions:

I'm inclined to use solution 1, defining our own `Features` struct in our code. This avoids the dependency issue while still maintaining structural consistency with the OCI specification. What are your thoughts on this approach, or do you have better solutions?

XueSongTap avatar Apr 20 '25 14:04 XueSongTap

You could use https://github.com/youki-dev/youki/issues/815 as a reference.

IIUC, you don't have to import any new package: `com_github_opencontainers_runtime_spec//specs-go` is already imported at https://github.com/google/gvisor/blob/f45c79e15a27236e4f0dd76a346a32b7873ae5fb/WORKSPACE#L339-L344. The issue is that version v1.1.0-rc.1 doesn't have the `features` package, which was introduced in v1.1.0-rc.2; see https://pkg.go.dev/github.com/opencontainers/[email protected]/specs-go/features?tab=versions

Please patch https://github.com/google/gvisor/pull/11651

milantracy avatar Apr 21 '25 03:04 milantracy