Add support for bootstrap containers via API settings

[arnaldo2792]

Issue number:
#1392

Description of changes:

5153d08c host-containers: change permissions in `/etc/host-containers`

This commit updates the permissions in /etc/host-containers from 755 to 750

d59628c7 models: change ContainerImage to HostContainer

This commit updates the model name used to configure a host container from ContainerImage to HostContainer

8ce2cae3 Add support for bootstrap-containers via settings

This commit adds support to create bootstrap containers through the API. Bootstrap containers are host containers that can be used to setup the host during the execution of the configured target.

These containers are created with the prefix boot to prevent collisions with normal host containers. They can be setup to fail the boot process if the underlying container task exists with a non-zero status code.

f5e29ce9 host-ctr: support for bootstrap containers

This commit adds support for bootstrap containers in host-ctr. The container-type flag was added to specify the type of container to be setup, which defaults to host. This allows to add support for other type of containers in the future without adding flags for each of them.

The root filesystem mounts were refactored out from withSuperpowered to withRootFilesystemMounts, since bootstrap containers require access to the underlying root filesystem without being given the superpowered treatment.

Failed container tasks will now return an error if the task exited with a non-zero status.

Testing done:
In k8s 1.18, ecs and dev aarch64:

• Run systemctl status to check that no units were failing
• Create nginx pods/containers, access them and curl http://localhost successfully
• Verifiy that both the control and admin host containers are running, with the proper configurations
• Execute systemctl isolate multi-user to verify that no services were killed/restarted
• Migrate from 1.0.7 to 1.0.8, back and forth to verify the new configurations were deleted/created
• Create a bootstrap container with the following configurations:

# user-data
[settings.bootstrap-containers.admin]
mode = "once"
source = "docker.io/arnaldo2792/sleeper:latest"
user-data = "ypXCt82h4bSlwrfKlA==" # base64 of ʕ·͡ᴥ·ʔ

# Image definition
FROM alpine
ADD bootstrap-script /
RUN chmod +x /bootstrap-script
ENTRYPOINT ["sh", "bootstrap-script"]

# bootstrap-script
set -e
CURRENT_DIR=/.bottlerocket/bootstrap-containers/current
BEAR_DIR=/.bottlerocket/bootstrap-containers/admin
VAR_DIR=/.bottlerocket/rootfs/var
MY_DIR=$VAR_DIR/lib/my_directory
cat $BEAR_DIR/user-data
touch $CURRENT_DIR/access
mkdir $MY_DIR
chmod -R o+r $MY_DIR
chown -R 1000:1000 $MY_DIR
sleep 120

• Verified that:

  • ʕ·͡ᴥ·ʔ appears in the journal logs
  • The directory /var/lib/my_directory was created, with the expected user/group ids, and permissions
  • The file /local/bootstrap-containers/access created through the current mount
  • configured.target was "blocked" for two minutes
  • mark-successful-boot.service executed successfully
  • After a reboot, the bootstrap container wasn't executed

• Update the bootstrap container's configuration with apiclient set bootstrap-containers.admin.mode=once, reboot and verified its execution failed because /var/lib/my_dir already exists.

Starting bootstrap container admin...
[8.350595] host-ctr[456]: mkdir: can't create directory '/.bottlerocket/rootfs/var/lib/my_directory': File exists
[ 8.415213] host-ctr[456]: time="2021-04-02T00:54:43Z" level=fatal msg="Container exited with non-zero status"
[FAILED] Failed to start bootstrap container admin.

• Update the bootstrap container's configuration with apiclient set bootstrap-containers.admin.essential=true, reboot and verified the boot failed:

[FAILED] Failed to start bootstrap container admin.
See 'systemctl status bootstrap-containers@admin.service' for details.
[DEPEND] Dependency failed for Bottlerocket final configuration complete.
[DEPEND] Dependency failed for Isolates multi-user.target.
[FAILED] Failed to start Isolates configured.target.

Terms of contribution:

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.

[bcressey]

Nice!

I've reviewed the changes to the unit dependencies; haven't looked at the actual bootstrap containers implementation yet.

[zmrow]

Since this function's definition is getting fairly large, would it make sense to use a single struct containing the arguments (essentially the "config" of the container to run)? (The Go folks might have more to say about how idiomatic this would be).

[samuelkarp]

Since this is a private function that really only gets called in one place, I don't know if we need to do that yet. One change we could make is to separate this function a bit more. The first two arguments here are only used up until line 181 for constructing the client; if we extract the client object from this function and instead pass it in (either directly or as a data field on a receiver object) that might be a bit cleaner. I think that's the route I would go.

[zmrow]

Do these make sense as constants?

[arnaldo2792]

I used a different approach now, let me know if you still think the new approach should use constants

[samuelkarp]

I haven't gotten through all the rust code in the third commit yet, but figured I'd stop here to get the questions I already have answered first. Two things I'd like to get worked out:

1. If bootstrap containers can't be superpowered, we should enforce this assertion in the code of host-ctr
2. If host containers and bootstrap containers are allowed to share the same name, we need to work out non-collision for the container IDs in containerd

[arnaldo2792]

IMPORTANT UPDATE

I changed the base branch to have this and #1423 reviewed in parallel

Changes in forced push:

• Replaced "fatals" with Result<> in bootstrap containers
• Use the containerd's namespace "bootstrap" for bootstrap containers to avoid collisions
• Removed the withPrivilegedAccess specs function, and replace it with withRootFilesystemMounts
• Added the essential flag on bootstrap containers, used to fail boots when set to true

[arnaldo2792]

Changes in forced push:

• Update the commits messages
• Update bootstrap-containers documentation
• Use the BOOTSTRAP_CONTAINERS_NS constant in clean-up commands

[arnaldo2792]

• Rebase base branch

[arnaldo2792]

@samuelkarp

If bootstrap containers can't be superpowered, we should enforce this assertion in the code of host-ctr
If host containers and bootstrap containers are allowed to share the same name, we need to work out non-collision for the container IDs in containerd

• I updated to code to enforce that bootstrap containers can't be superpowered
• Bootstrap containers are now created in the bootstrap namespace to prevent collisions

@bcressey

I marked all the systemd changes as resolved since I separated those changes in #1423

[arnaldo2792]

• Fixed typo in documentation
• Removed repeated documentation in crate
• Error out when no command is passed to bootstrap-containers
• Suggested essential=true in documentation
• Added container id in non-zero status error message in host-ctr
• Removed status code from bootstrap-containers command function
• Removed Valid from BootstrapContainerMode

[arnaldo2792]

• Use off as default for mode
• Removed a note from the documentation
• Removed --now from disable command and added a note explaining why

bcressey@ confirmed this needs regular re-review, but not a big red "changes requested" :)

[arnaldo2792]

• Rebase upstream
• Fixed typo

[arnaldo2792]

• Updated the commit message that mentioned using namespaces instead of the prefix in host-ctr

[arnaldo2792]

• Fixed documentation in bootstrap containers

[jahkeup]

There's a couple small changes I'd like to see in host-ctr before merge.

[jahkeup]

The call sites for these don't seem to use the third state, and is not idiomatic in this case (return the zero value). Can we drop this from the signature please?

Suggested change

	// PersistentDir returns the persistent base directory for the container type
	func (ct ContainerType) PersistentDir() (string, bool) {
	switch ct {
	case Host:
	return "host-containers", true
	case Bootstrap:
	return "bootstrap-containers", true
	}
	return "", false
	}
	// PersistentDir returns the persistent base directory for the container type
	func (ct ContainerType) PersistentDir() string {
	switch ct {
	case Host:
	return "host-containers"
	case Bootstrap:
	return "bootstrap-containers"
	}
	return ""
	}

[jahkeup]

The call sites for these don't seem to use the third state, and is not idiomatic in this case (return the zero value). Can we drop this from the signature please?

Suggested change

	// Prefix returns the prefix for the container type
	func (ct ContainerType) Prefix() (string, bool) {
	switch ct {
	case Bootstrap:
	return "boot.", true
	case Host:
	return "", true
	}
	return "", false
	}
	// Prefix returns the prefix for the container type
	func (ct ContainerType) Prefix() string {
	switch ct {
	case Bootstrap:
	return "boot."
	case Host:
	return ""
	}
	return ""
	}

[arnaldo2792]

• Rebase upstream

[jahkeup]

GitHub lost my comment.

Please update this to keep the types private.

Suggested change

	// Used to define valid container types
	type ContainerType string
	const (
	Host ContainerType = "host"
	Bootstrap ContainerType = "bootstrap"
	)
	// Used to define valid container types
	type containerType string
	const (
	containerTypeHost containerType = "host"
	containerTypeBootstrap containerType = "bootstrap"
	)

[arnaldo2792]

• Refactored ContainerType, Host and Bootstrap to containerType, host and bootstrap. I had to use cType as variables' names to prevent collisions

[arnaldo2792]

• I rebased upstream, and had to update some rust dependencies as part of the rebase
• Removed user-data base64 string from error message (shouldn't be part of the rebased change, but I forge to not merge it)