Firecracker: Enable jailer by default

Add jailer support to configuration files.
Also enable jailer by default in Kata containers.

Signed-off-by: Manohar Castelino <manohar.r.castelino@intel.com>

Makefile

@@ -116,6 +116,7 @@ CONFIG_FILE = configuration.toml
 
 HYPERVISOR_ACRN = acrn
 HYPERVISOR_FC = firecracker
+JAILER_FC = jailer
 HYPERVISOR_NEMU = nemu
 HYPERVISOR_QEMU = qemu
 
@@ -130,6 +131,7 @@ QEMUPATH := $(QEMUBINDIR)/$(QEMUCMD)
 NEMUPATH := $(NEMUBINDIR)/$(NEMUCMD)
 
 FCPATH = $(FCBINDIR)/$(FCCMD)
+FCJAILERPATH = $(FCBINDIR)/$(FCJAILERCMD)
 
 ACRNPATH := $(ACRNBINDIR)/$(ACRNCMD)
 ACRNCTLPATH := $(ACRNBINDIR)/$(ACRNCTLCMD)
@@ -355,6 +357,7 @@ USER_VARS += ACRNPATH
 USER_VARS += ACRNCTLPATH
 USER_VARS += FCCMD
 USER_VARS += FCPATH
+USER_VARS += FCJAILERPATH
 USER_VARS += NEMUCMD
 USER_VARS += NEMUPATH
 USER_VARS += SYSCONFIG
@@ -516,6 +519,7 @@ $(GENERATED_FILES): %: %.in $(MAKEFILE_LIST) VERSION .git-commit
 		-e "s|@CONFIG_FC_IN@|$(CONFIG_FC_IN)|g" \
 		-e "s|@CONFIG_PATH@|$(CONFIG_PATH)|g" \
 		-e "s|@FCPATH@|$(FCPATH)|g" \
+		-e "s|@FCJAILERPATH@|$(FCJAILERPATH)|g" \
 		-e "s|@NEMUPATH@|$(NEMUPATH)|g" \
 		-e "s|@ACRNPATH@|$(ACRNPATH)|g" \
 		-e "s|@ACRNCTLPATH@|$(ACRNCTLPATH)|g" \

arch/amd64-options.mk

@@ -13,6 +13,8 @@ QEMUCMD := qemu-system-x86_64
 
 # Firecracker binary name
 FCCMD := firecracker
+# Firecracker's jailer binary name
+FCJAILERCMD := jailer
 
 # NEMU binary name
 NEMUCMD := nemu-system-x86_64

cli/config/configuration-fc.toml.in

@@ -12,6 +12,11 @@
 
 [hypervisor.firecracker]
 path = "@FCPATH@"
+# Path for the jailer specific to firecracker
+# If the jailer path is not set kata will launch firecracker
+# without a jail. If the jailer is set firecracker will be
+# launched in a jailed enviornment created by the jailer
+jailer_path = "@FCJAILERPATH@"
 kernel = "@KERNELPATH_FC@"
 image = "@IMAGEPATH@"
 

pkg/katautils/config_test.go

@@ -514,6 +514,8 @@ func TestMinimalRuntimeConfig(t *testing.T) {
 	proxyPath := path.Join(dir, "proxy")
 	hypervisorPath := path.Join(dir, "hypervisor")
 	defaultHypervisorPath = hypervisorPath
+	jailerPath := path.Join(dir, "jailer")
+	defaultJailerPath = jailerPath
 	netmonPath := path.Join(dir, "netmon")
 
 	imagePath := path.Join(dir, "image.img")
@@ -524,12 +526,14 @@ func TestMinimalRuntimeConfig(t *testing.T) {
 	savedDefaultImagePath := defaultImagePath
 	savedDefaultInitrdPath := defaultInitrdPath
 	savedDefaultHypervisorPath := defaultHypervisorPath
+	savedDefaultJailerPath := defaultJailerPath
 	savedDefaultKernelPath := defaultKernelPath
 
 	defer func() {
 		defaultImagePath = savedDefaultImagePath
 		defaultInitrdPath = savedDefaultInitrdPath
 		defaultHypervisorPath = savedDefaultHypervisorPath
+		defaultJailerPath = savedDefaultJailerPath
 		defaultKernelPath = savedDefaultKernelPath
 	}()
 
@@ -538,9 +542,10 @@ func TestMinimalRuntimeConfig(t *testing.T) {
 	defaultImagePath = imagePath
 	defaultInitrdPath = initrdPath
 	defaultHypervisorPath = hypervisorPath
+	defaultJailerPath = jailerPath
 	defaultKernelPath = kernelPath
 
-	for _, file := range []string{defaultImagePath, defaultInitrdPath, defaultHypervisorPath, defaultKernelPath} {
+	for _, file := range []string{defaultImagePath, defaultInitrdPath, defaultHypervisorPath, defaultJailerPath, defaultKernelPath} {
 		err = WriteFile(file, "foo", testFileMode)
 		if err != nil {
 			t.Fatal(err)
@@ -588,6 +593,11 @@ func TestMinimalRuntimeConfig(t *testing.T) {
 		t.Error(err)
 	}
 
+	err = createEmptyFile(jailerPath)
+	if err != nil {
+		t.Error(err)
+	}
+
 	err = createEmptyFile(netmonPath)
 	if err != nil {
 		t.Error(err)
@@ -600,6 +610,7 @@ func TestMinimalRuntimeConfig(t *testing.T) {
 
 	expectedHypervisorConfig := vc.HypervisorConfig{
 		HypervisorPath:        defaultHypervisorPath,
+		JailerPath:            defaultJailerPath,
 		KernelPath:            defaultKernelPath,
 		ImagePath:             defaultImagePath,
 		InitrdPath:            defaultInitrdPath,