Merge pull request #1649 from mcastelino/topic/jail

Firecracker Add jailer support for firecracker
kata-containers · Jul 12, 2019 · bc15e44 · bc15e44
2 parents 3bd4bb6 + 4fed346
commit bc15e44
Show file tree

Hide file tree

Showing 18 changed files with 321 additions and 48 deletions.
diff --git a/Makefile b/Makefile
@@ -116,6 +116,7 @@ CONFIG_FILE = configuration.toml
 
 HYPERVISOR_ACRN = acrn
 HYPERVISOR_FC = firecracker
+JAILER_FC = jailer
 HYPERVISOR_NEMU = nemu
 HYPERVISOR_QEMU = qemu
 
@@ -130,6 +131,7 @@ QEMUPATH := $(QEMUBINDIR)/$(QEMUCMD)
 NEMUPATH := $(NEMUBINDIR)/$(NEMUCMD)
 
 FCPATH = $(FCBINDIR)/$(FCCMD)
+FCJAILERPATH = $(FCBINDIR)/$(FCJAILERCMD)
 
 ACRNPATH := $(ACRNBINDIR)/$(ACRNCMD)
 ACRNCTLPATH := $(ACRNBINDIR)/$(ACRNCTLCMD)
@@ -355,6 +357,7 @@ USER_VARS += ACRNPATH
 USER_VARS += ACRNCTLPATH
 USER_VARS += FCCMD
 USER_VARS += FCPATH
+USER_VARS += FCJAILERPATH
 USER_VARS += NEMUCMD
 USER_VARS += NEMUPATH
 USER_VARS += SYSCONFIG
@@ -516,6 +519,7 @@ $(GENERATED_FILES): %: %.in $(MAKEFILE_LIST) VERSION .git-commit
 		-e "s|@CONFIG_FC_IN@|$(CONFIG_FC_IN)|g" \
 		-e "s|@CONFIG_PATH@|$(CONFIG_PATH)|g" \
 		-e "s|@FCPATH@|$(FCPATH)|g" \
+		-e "s|@FCJAILERPATH@|$(FCJAILERPATH)|g" \
 		-e "s|@NEMUPATH@|$(NEMUPATH)|g" \
 		-e "s|@ACRNPATH@|$(ACRNPATH)|g" \
 		-e "s|@ACRNCTLPATH@|$(ACRNCTLPATH)|g" \

diff --git a/arch/amd64-options.mk b/arch/amd64-options.mk
@@ -13,6 +13,8 @@ QEMUCMD := qemu-system-x86_64
 
 # Firecracker binary name
 FCCMD := firecracker
+# Firecracker's jailer binary name
+FCJAILERCMD := jailer
 
 # NEMU binary name
 NEMUCMD := nemu-system-x86_64

diff --git a/cli/config/configuration-fc.toml.in b/cli/config/configuration-fc.toml.in
@@ -12,6 +12,11 @@
 
 [hypervisor.firecracker]
 path = "@FCPATH@"
+# Path for the jailer specific to firecracker
+# If the jailer path is not set kata will launch firecracker
+# without a jail. If the jailer is set firecracker will be
+# launched in a jailed enviornment created by the jailer
+jailer_path = "@FCJAILERPATH@"
 kernel = "@KERNELPATH_FC@"
 image = "@IMAGEPATH@"
 

diff --git a/pkg/katautils/config-settings.go b/pkg/katautils/config-settings.go
@@ -10,6 +10,7 @@ package katautils
 
 var defaultHypervisorPath = "/usr/bin/qemu-lite-system-x86_64"
 var defaultHypervisorCtlPath = "/usr/bin/acrnctl"
+var defaultJailerPath = "/usr/bin/jailer"
 var defaultImagePath = "/usr/share/kata-containers/kata-containers.img"
 var defaultKernelPath = "/usr/share/kata-containers/vmlinuz.container"
 var defaultInitrdPath = "/usr/share/kata-containers/kata-containers-initrd.img"

diff --git a/pkg/katautils/config.go b/pkg/katautils/config.go
@@ -84,6 +84,7 @@ type factory struct {
 
 type hypervisor struct {
 	Path                    string `toml:"path"`
+	JailerPath              string `toml:"jailer_path"`
 	Kernel                  string `toml:"kernel"`
 	CtlPath                 string `toml:"ctlpath"`
 	Initrd                  string `toml:"initrd"`
@@ -175,6 +176,16 @@ func (h hypervisor) ctlpath() (string, error) {
 	return ResolvePath(p)
 }
 
+func (h hypervisor) jailerPath() (string, error) {
+	p := h.JailerPath
+
+	if h.JailerPath == "" {
+		return "", nil
+	}
+
+	return ResolvePath(p)
+}
+
 func (h hypervisor) kernel() (string, error) {
 	p := h.Kernel
 
@@ -463,6 +474,11 @@ func newFirecrackerHypervisorConfig(h hypervisor) (vc.HypervisorConfig, error) {
 		return vc.HypervisorConfig{}, err
 	}
 
+	jailer, err := h.jailerPath()
+	if err != nil {
+		return vc.HypervisorConfig{}, err
+	}
+
 	kernel, err := h.kernel()
 	if err != nil {
 		return vc.HypervisorConfig{}, err
@@ -491,6 +507,7 @@ func newFirecrackerHypervisorConfig(h hypervisor) (vc.HypervisorConfig, error) {
 
 	return vc.HypervisorConfig{
 		HypervisorPath:        hypervisor,
+		JailerPath:            jailer,
 		KernelPath:            kernel,
 		InitrdPath:            initrd,
 		ImagePath:             image,
@@ -915,6 +932,7 @@ func updateRuntimeConfig(configPath string, tomlConf tomlConfig, config *oci.Run
 func GetDefaultHypervisorConfig() vc.HypervisorConfig {
 	return vc.HypervisorConfig{
 		HypervisorPath:          defaultHypervisorPath,
+		JailerPath:              defaultJailerPath,
 		KernelPath:              defaultKernelPath,
 		ImagePath:               defaultImagePath,
 		InitrdPath:              defaultInitrdPath,

diff --git a/pkg/katautils/config_test.go b/pkg/katautils/config_test.go
@@ -514,6 +514,8 @@ func TestMinimalRuntimeConfig(t *testing.T) {
 	proxyPath := path.Join(dir, "proxy")
 	hypervisorPath := path.Join(dir, "hypervisor")
 	defaultHypervisorPath = hypervisorPath
+	jailerPath := path.Join(dir, "jailer")
+	defaultJailerPath = jailerPath
 	netmonPath := path.Join(dir, "netmon")
 
 	imagePath := path.Join(dir, "image.img")
@@ -524,12 +526,14 @@ func TestMinimalRuntimeConfig(t *testing.T) {
 	savedDefaultImagePath := defaultImagePath
 	savedDefaultInitrdPath := defaultInitrdPath
 	savedDefaultHypervisorPath := defaultHypervisorPath
+	savedDefaultJailerPath := defaultJailerPath
 	savedDefaultKernelPath := defaultKernelPath
 
 	defer func() {
 		defaultImagePath = savedDefaultImagePath
 		defaultInitrdPath = savedDefaultInitrdPath
 		defaultHypervisorPath = savedDefaultHypervisorPath
+		defaultJailerPath = savedDefaultJailerPath
 		defaultKernelPath = savedDefaultKernelPath
 	}()
 
@@ -538,9 +542,10 @@ func TestMinimalRuntimeConfig(t *testing.T) {
 	defaultImagePath = imagePath
 	defaultInitrdPath = initrdPath
 	defaultHypervisorPath = hypervisorPath
+	defaultJailerPath = jailerPath
 	defaultKernelPath = kernelPath
 
-	for _, file := range []string{defaultImagePath, defaultInitrdPath, defaultHypervisorPath, defaultKernelPath} {
+	for _, file := range []string{defaultImagePath, defaultInitrdPath, defaultHypervisorPath, defaultJailerPath, defaultKernelPath} {
 		err = WriteFile(file, "foo", testFileMode)
 		if err != nil {
 			t.Fatal(err)
@@ -588,6 +593,11 @@ func TestMinimalRuntimeConfig(t *testing.T) {
 		t.Error(err)
 	}
 
+	err = createEmptyFile(jailerPath)
+	if err != nil {
+		t.Error(err)
+	}
+
 	err = createEmptyFile(netmonPath)
 	if err != nil {
 		t.Error(err)
@@ -600,6 +610,7 @@ func TestMinimalRuntimeConfig(t *testing.T) {
 
 	expectedHypervisorConfig := vc.HypervisorConfig{
 		HypervisorPath:        defaultHypervisorPath,
+		JailerPath:            defaultJailerPath,
 		KernelPath:            defaultKernelPath,
 		ImagePath:             defaultImagePath,
 		InitrdPath:            defaultInitrdPath,

diff --git a/virtcontainers/acrn.go b/virtcontainers/acrn.go
@@ -278,7 +278,7 @@ func (a *acrn) createDummyVirtioBlkDev(devices []Device) ([]Device, error) {
 }
 
 // createSandbox is the Hypervisor sandbox creation.
-func (a *acrn) createSandbox(ctx context.Context, id string, hypervisorConfig *HypervisorConfig, store *store.VCStore) error {
+func (a *acrn) createSandbox(ctx context.Context, id string, networkNS NetworkNamespace, hypervisorConfig *HypervisorConfig, store *store.VCStore) error {
 	// Save the tracing context
 	a.ctx = ctx
 

diff --git a/virtcontainers/acrn_test.go b/virtcontainers/acrn_test.go
@@ -251,7 +251,7 @@ func TestAcrnCreateSandbox(t *testing.T) {
 		t.Fatalf("Could not create hypervisor file %s: %v", testAcrnPath, err)
 	}
 
-	if err := a.createSandbox(context.Background(), sandbox.id, &sandbox.config.HypervisorConfig, sandbox.store); err != nil {
+	if err := a.createSandbox(context.Background(), sandbox.id, NetworkNamespace{}, &sandbox.config.HypervisorConfig, sandbox.store); err != nil {
 		t.Fatal(err)
 	}