cli: implement --rootless option

By default virtcontainer auto-detects if the current process is running
rootless or not, but this behavior can change from commandline with the
--rootless option

fixes #2417

Signed-off-by: Julio Montes <julio.montes@intel.com>

cli/main.go

@@ -102,6 +102,11 @@ var runtimeFlags = []cli.Flag{
 		Value: defaultRootDirectory,
 		Usage: "root directory for storage of container state (this should be located in tmpfs)",
 	},
+	cli.StringFlag{
+		Name:  "rootless",
+		Value: "auto",
+		Usage: "ignore cgroup permission errors ('true', 'false', or 'auto')",
+	},
 	cli.BoolFlag{
 		Name:  showConfigPathsOption,
 		Usage: "show config file paths that will be checked for (in order)",
@@ -266,6 +271,19 @@ func beforeSubcommands(c *cli.Context) error {
 		return nil
 	}
 
+	r, err := parseBoolOrAuto(c.GlobalString("rootless"))
+	if err != nil {
+		return err
+	}
+	// If flag is true/false, assign the rootless flag.
+	// vc will not perform any auto-detection in that case.
+	// In case flag is nil or auto, vc detects if the runtime is running as rootless.
+	if r != nil {
+		rootless.SetRootless(*r)
+	}
+	// Support --systed-cgroup
+	// Issue: https://github.com/kata-containers/runtime/issues/2428
+
 	ignoreConfigLogs := false
 	var traceRootSpan string
 

cli/utils.go

@@ -1,3 +1,4 @@
+// Copyright (c) 2014 Docker, Inc.
 // Copyright (c) 2017 Intel Corporation
 //
 // SPDX-License-Identifier: Apache-2.0
@@ -8,6 +9,7 @@ package main
 import (
 	"fmt"
 	"os"
+	"strconv"
 	"strings"
 
 	"github.com/kata-containers/runtime/pkg/katautils"
@@ -131,3 +133,13 @@ func genericGetCPUDetails() (vendor, model string, err error) {
 
 	return vendor, model, nil
 }
+
+// from runC
+// parseBoolOrAuto returns (nil, nil) if s is empty or "auto"
+func parseBoolOrAuto(s string) (*bool, error) {
+	if s == "" || strings.ToLower(s) == "auto" {
+		return nil, nil
+	}
+	b, err := strconv.ParseBool(s)
+	return &b, err
+}

virtcontainers/pkg/rootless/rootless.go

@@ -36,12 +36,9 @@ import (
 )
 
 var (
-	// initRootless states whether the isRootless variable
-	// has been set yet
-	initRootless bool
-
 	// isRootless states whether execution is rootless or not
-	isRootless bool
+	// If nil, rootless is auto-detected
+	isRootless *bool
 
 	// lock for the initRootless and isRootless variables
 	rLock sync.Mutex
@@ -58,6 +55,10 @@ var (
 	IsRootless = isRootlessFunc
 )
 
+func SetRootless(rootless bool) {
+	isRootless = &rootless
+}
+
 // SetLogger sets up a logger for the rootless pkg
 func SetLogger(ctx context.Context, logger *logrus.Entry) {
 	fields := rootlessLog.Data
@@ -68,9 +69,9 @@ func SetLogger(ctx context.Context, logger *logrus.Entry) {
 func isRootlessFunc() bool {
 	rLock.Lock()
 	defer rLock.Unlock()
-	if !initRootless {
+	// auto-detect if nil
-		initRootless = true
+	if isRootless == nil {
-		isRootless = true
+		SetRootless(true)
 		// --rootless and --systemd-cgroup options must honoured
 		// but with the current implementation this is not possible
 		// https://github.com/kata-containers/runtime/issues/2412
@@ -80,9 +81,9 @@ func isRootlessFunc() bool {
 		if system.RunningInUserNS() {
 			return true
 		}
-		isRootless = false
+		SetRootless(false)
 	}
-	return isRootless
+	return *isRootless
 }
 
 // GetRootlessDir returns the path to the location for rootless

virtcontainers/pkg/rootless/rootless_test.go

@@ -1,6 +1,36 @@
-// Copyright (c) 2019 Intel Corporation
+// Copyright (c) 2020 Intel Corporation
 //
 // SPDX-License-Identifier: Apache-2.0
 //
 
 package rootless
+
+import (
+	"os"
+	"testing"
+
+	"github.com/opencontainers/runc/libcontainer/system"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestIsRootless(t *testing.T) {
+	assert := assert.New(t)
+	isRootless = nil
+
+	var rootless bool
+	if os.Getuid() != 0 {
+		rootless = true
+	} else {
+		rootless = system.RunningInUserNS()
+	}
+
+	assert.Equal(rootless, isRootlessFunc())
+
+	SetRootless(true)
+	assert.True(isRootlessFunc())
+
+	SetRootless(false)
+	assert.False(isRootlessFunc())
+
+	isRootless = nil
+}