Remove rootless option for gdn

This feature has been abandoned and not working as expected. Context: #196 Signed-off-by: Marc Paquette <[email protected]>
cloudfoundry · Apr 19, 2024 · d012eed · d012eed
1 parent 4caf1df
commit d012eed
Show file tree

Hide file tree

Showing 19 changed files with 20 additions and 220 deletions.
diff --git a/README.md b/README.md
@@ -43,15 +43,6 @@ The following doc provides an overview of security features on Garden vs Docker
 
 [Security overview.](docs/security-overview.md)
 
-### Rootless containers
-
-Garden has experimental support for running containers without requiring root
-privileges. Take a look at the
-[rootless-containers.md](docs/articles/rootless-containers.md) doc for further info.
-
-If you would like to enable rootless containers please read [this
-document](docs/enabling-rootless-containers.md).
-
 ## Contributing
 See the [Contributing.md](./.github/CONTRIBUTING.md) for more information on how to contribute.
 

diff --git a/docs/BPM_support.md b/docs/BPM_support.md
@@ -18,7 +18,7 @@ Its default value is left blank.
 ### Secondary Properties
 In addition to the above primary properties, there are some secondary properties that have caveats when enabling BPM:
 #### `garden.experimental_use_containerd_mode_for_processes`
-When enabling [`garden.experimental_use_containerd_mode_for_processes`](https://github.com/cloudfoundry/garden-runc-release/blob/develop/jobs/garden/spec#L231-L233), please ensure you do NOT have `bpm.enabled` enabled. The two properties are incompatible with one another. The purpose of the property is to use Containerd for container process management. Must be used with containerd_mode also set to true. NOTE: cannot be used in combination with bpm or rootless
+When enabling [`garden.experimental_use_containerd_mode_for_processes`](https://github.com/cloudfoundry/garden-runc-release/blob/develop/jobs/garden/spec#L231-L233), please ensure you do NOT have `bpm.enabled` enabled. The two properties are incompatible with one another. The purpose of the property is to use Containerd for container process management. Must be used with containerd_mode also set to true. NOTE: cannot be used in combination with bpm
 By default it is disabled(set to false).
 
 #### `garden.destroy_containers_on_start`

diff --git a/docs/enabling-rootless-containers.md b/docs/enabling-rootless-containers.md
diff --git a/jobs/garden/spec b/jobs/garden/spec
@@ -199,18 +199,14 @@ properties:
     description: AppArmor profile to use for unprivileged container processes
     default: garden-default
 
-  garden.experimental_rootless_mode:
-    description: A boolean stating whether or not to run garden-server as a non-root user
-    default: false
-
   # We believe this defaults to false to help concourse: https://github.com/cloudfoundry/garden-runc-release/releases/tag/v1.5.0
   # For diego/cf, this should be set to true
   garden.cleanup_process_dirs_on_wait:
     description: A boolean stating whether or not to cleanup process state after waiting for it. If set a process can be waited for only once.
     default: false
 
   garden.containerd_mode:
-    description: "Use containerd for container lifecycle management. NOTE: cannot be used in combination with bpm or rootless"
+    description: "Use containerd for container lifecycle management. NOTE: cannot be used in combination with bpm"
     default: false
 
   garden.tcp_keepalive_time:

diff --git a/jobs/garden/templates/bin/containerd_utils.erb b/jobs/garden/templates/bin/containerd_utils.erb
@@ -43,14 +43,6 @@ start_containerd() {
 
   containerd_config_filepath="$GARDEN_CONFIG_DIR/containerd.toml"
   exec_command="exec"
-  <% if p("garden.experimental_rootless_mode") -%>
-    maximus=$(/var/vcap/packages/garden-idmapper/bin/maximus)
-    cp "$GARDEN_CONFIG_DIR/containerd.toml" "$GARDEN_ROOTLESS_CONFIG_DIR"
-    chown "$maximus:$maximus" "$GARDEN_ROOTLESS_CONFIG_DIR/containerd.toml"
-    containerd_config_filepath="$GARDEN_ROOTLESS_CONFIG_DIR/containerd.toml"
-
-    exec_command="exec execas --uid $maximus --gid $maximus"
-  <% end -%>
 
   log "running containerd"
   $exec_command /var/vcap/packages/containerd/bin/containerd -c "$containerd_config_filepath" \

diff --git a/jobs/garden/templates/bin/envs.erb b/jobs/garden/templates/bin/envs.erb
@@ -23,19 +23,6 @@ if [ -d "/run/systemd/system" ]; then
   export IS_RUNNING_SYSTEMD=true
 fi
 
-<% if p("garden.experimental_rootless_mode") %>
-# runc makes use of the XDG_RUNTIME_DIR env var in order to determine
-# where to place the runc root dir in rootless mode.
-# Given that this is not set on stemcells we choose to set it explicitely
-# here.
-export XDG_RUNTIME_DIR=/var/run/user/$MAXIMUS
-export TMPDIR=$TMPDIR/user/$MAXIMUS/tmp
-export GARDEN_ROOTLESS_CONFIG_DIR="$GARDEN_DATA_DIR/config"
-export GARDEN_CONFIG_PATH="$GARDEN_ROOTLESS_CONFIG_DIR/config.ini"
-export GARDEN_ROOTLESS_CERTS_DIR="$GARDEN_DATA_DIR/certs"
-export CONTAINERD_DATA_DIR=/var/vcap/data/containerd
-<% end %>
-
 <% if_p('garden.http_proxy') do |http_proxy| %>
 export HTTP_PROXY='<%= http_proxy %>'
 export http_proxy='<%= http_proxy %>'

diff --git a/jobs/garden/templates/bin/garden_start.erb b/jobs/garden/templates/bin/garden_start.erb
@@ -11,9 +11,6 @@ exec 2>> "${LOG_DIR}/garden_ctl.stderr.log"
 
 log "running greenskeeper"
 greenskeeper_cmd="/var/vcap/packages/greenskeeper/bin/greenskeeper"
-<% if p("garden.experimental_rootless_mode") %>
-  greenskeeper_cmd="$greenskeeper_cmd --rootless"
-<% end %>
 $greenskeeper_cmd
 log "running greenskeeper: done"
 
@@ -60,24 +57,6 @@ setup_cmd="/var/vcap/packages/guardian/bin/gdn setup"
 exec_command="exec"
 id_map_start=1
 
-<% if p("garden.experimental_rootless_mode") %>
-  <% if p("garden.listen_network") == "tcp" %>
-    exec_command="exec execas --uid $MAXIMUS --gid $MAXIMUS"
-  <% else %>
-    exec_command="exec socket2me --socket-path <%= p("garden.listen_address") %> --uid $MAXIMUS --gid $MAXIMUS --socket-uid 1000 --socket-gid 1000"
-  <% end %>
-  setup_cmd="$setup_cmd --rootless-uid $MAXIMUS --rootless-gid $MAXIMUS"
-  id_map_start=65536
-
-  cp "$GARDEN_CONFIG_DIR/grootfs_config.yml" "$GARDEN_CONFIG_DIR/config.ini" "$GARDEN_ROOTLESS_CONFIG_DIR"
-  chown "$MAXIMUS:$MAXIMUS" "$GARDEN_ROOTLESS_CONFIG_DIR/grootfs_config.yml" "$GARDEN_ROOTLESS_CONFIG_DIR/config.ini"
-
-  mkdir $GARDEN_ROOTLESS_CERTS_DIR
-  cp "$GARDEN_CERTS_DIR/remote-layer.cert" "$GARDEN_CERTS_DIR/remote-layer.crt" "$GARDEN_CERTS_DIR/remote-layer.key" "$GARDEN_ROOTLESS_CERTS_DIR"
-  chown "$MAXIMUS:$MAXIMUS" "$GARDEN_ROOTLESS_CERTS_DIR/remote-layer.cert" "$GARDEN_ROOTLESS_CERTS_DIR/remote-layer.crt" "$GARDEN_ROOTLESS_CERTS_DIR/remote-layer.key"
-
-<% end %>
-
 log "running setup"
 $setup_cmd
 log "running setup: done"

diff --git a/jobs/garden/templates/bin/grootfs-utils.erb b/jobs/garden/templates/bin/grootfs-utils.erb
@@ -17,9 +17,6 @@ unprivileged_root_mapping() {
 unprivileged_range_mapping() {
   maximus_uid=$(/var/vcap/packages/garden-idmapper/bin/maximus)
   range="1:1:$((maximus_uid-1))"
-  <% if p('garden.experimental_rootless_mode') %>
-    range="1:65536:$((maximus_uid-65536))"
-  <% end %>
   echo -n $range
 }
 

diff --git a/jobs/garden/templates/config/config.ini.erb b/jobs/garden/templates/config/config.ini.erb
@@ -42,8 +42,7 @@ parse_ip(p('garden.network_pool'), 'garden.network_pool')
 
 <%
     runtime_bin_dir  = "/var/vcap/data/garden/bin"
-    rootless         = p("garden.experimental_rootless_mode")
-    groot_config_dir = rootless ? "/var/vcap/data/garden/config" : "/var/vcap/jobs/garden/config"
+    groot_config_dir = "/var/vcap/jobs/garden/config"
 
     bind_ip, bind_port = p("garden.listen_address").split(":")
 
@@ -64,7 +63,7 @@ parse_ip(p('garden.network_pool'), 'garden.network_pool')
     use_provided_image_plugin             = image_plugin_provided
     use_provided_privileged_image_plugin  = privileged_image_plugin_provided
     use_default_image_plugin              = !image_plugin_provided
-    use_default_privileged_image_plugin   = !privileged_image_plugin_provided && !rootless
+    use_default_privileged_image_plugin   = !privileged_image_plugin_provided
 
     apparmor_profile_provided = !p("garden.apparmor_profile").empty?
 -%>
@@ -242,15 +241,8 @@ parse_ip(p('garden.network_pool'), 'garden.network_pool')
   skip-setup = true
   depot = /var/vcap/data/garden/depot
   runtime-plugin=<%= p("garden.runtime_plugin") %>
-<% if rootless -%>
-  disable-privileged-containers = true
-<% end -%>
 
 <% if p("garden.containerd_mode") -%>
 ; containerd
-	<% if rootless -%>
-  containerd-socket = /var/vcap/data/containerd/sockets/containerd.sock
-	<% else -%>
   containerd-socket = /var/vcap/sys/run/containerd/containerd.sock
-  <% end -%>
 <% end -%>
diff --git a/jobs/garden/templates/config/containerd.toml.erb b/jobs/garden/templates/config/containerd.toml.erb
@@ -26,26 +26,8 @@ disabled_plugins = [
 ]
 
 [grpc]
-<% if p("garden.experimental_rootless_mode") -%>
-address = "/var/vcap/data/containerd/sockets/containerd.sock"
-uid = 4294967294
-gid = 4294967294
-<% else -%>
 address = "/var/vcap/sys/run/containerd/containerd.sock"
-<% end -%>
 
 [debug]
-<% if p("garden.experimental_rootless_mode") -%>
-address = "/var/vcap/data/containerd/sockets/debug.sock"
-uid = 4294967294
-gid = 4294967294
-<% else -%>
 address = "/var/vcap/sys/run/containerd/debug.sock"
-<% end -%>
 level = "info"
-
-<% if p("garden.experimental_rootless_mode") -%>
-[plugins]
-  [plugins.linux]
-    runtime_root = "/var/run/user/4294967294/runc"
-<% end -%>
diff --git a/jobs/garden/templates/config/grootfs_config.yml.erb b/jobs/garden/templates/config/grootfs_config.yml.erb
@@ -15,11 +15,7 @@ create:
   insecure_registries: <%= p("garden.insecure_docker_registry_list").any? ? p("garden.insecure_docker_registry_list") : p("grootfs.insecure_docker_registry_list") %>
   skip_layer_validation: true
   clean_log_file: "/var/vcap/sys/log/garden/groot.clean.log"
-<% if p("garden.experimental_rootless_mode") -%>
-  remote_layer_client_certificates_path: /var/vcap/data/garden/certs
-<% else -%>
   remote_layer_client_certificates_path: /var/vcap/jobs/garden/certs
-<% end -%>
 
 <% if p("grootfs.experimental_direct_io") -%>
 init:

diff --git a/jobs/garden/templates/config/privileged_grootfs_config.yml.erb b/jobs/garden/templates/config/privileged_grootfs_config.yml.erb
@@ -15,11 +15,7 @@ create:
   insecure_registries: <%= p("garden.insecure_docker_registry_list").any? ? p("garden.insecure_docker_registry_list") : p("grootfs.insecure_docker_registry_list") %>
   skip_layer_validation: true
   clean_log_file: "/var/vcap/sys/log/garden/groot.clean.log"
-<% if p("garden.experimental_rootless_mode") -%>
-  remote_layer_client_certificates_path: /var/vcap/data/garden/certs
-<% else -%>
   remote_layer_client_certificates_path: /var/vcap/jobs/garden/certs
-<% end -%>
 
 <% if p("grootfs.experimental_direct_io") -%>
 init:

diff --git a/jobs/gats/spec b/jobs/gats/spec
@@ -22,9 +22,6 @@ properties:
   garden_test_rootfs:
     description: Test rootfs to use
     default: 'docker:///cloudfoundry/garden-rootfs'
-  rootless:
-    description: Run GATS with ROOTLESS env var
-    default: false
   cpu_throttling:
     description: Run GATS with CPU_THROTTLING_ENABLED
     default: false

diff --git a/jobs/gats/templates/run.erb b/jobs/gats/templates/run.erb
@@ -9,7 +9,6 @@ cd packages/gats/bin
 
 export GDN_BIND_IP="<%= p("garden_address") %>"
 export GDN_BIND_PORT="<%= p("garden_port") %>"
-export ROOTLESS="<%= p("rootless") %>"
 export CPU_THROTTLING_ENABLED="<%= p("cpu_throttling") %>"
 export GARDEN_TEST_ROOTFS="<%= p("garden_test_rootfs") %>"
 export LIMITS_TEST_URI="<%= p("limits_test_uri") %>"

diff --git a/packages/grootfs/spec b/packages/grootfs/spec
@@ -157,7 +157,6 @@ files:
   - grootfs/vendor/github.com/opencontainers/go-digest/*.go # gosub
   - grootfs/vendor/github.com/opencontainers/image-spec/specs-go/*.go # gosub
   - grootfs/vendor/github.com/opencontainers/image-spec/specs-go/v1/*.go # gosub
-  - grootfs/vendor/github.com/opencontainers/runc/libcontainer/user/*.go # gosub
   - grootfs/vendor/github.com/opencontainers/runtime-spec/specs-go/*.go # gosub
   - grootfs/vendor/github.com/openzipkin/zipkin-go/idgenerator/*.go # gosub
   - grootfs/vendor/github.com/openzipkin/zipkin-go/model/*.go # gosub

diff --git a/scripts/create-docker-container.bash b/scripts/create-docker-container.bash
@@ -29,13 +29,27 @@ pushd "$CI/garden-runc-release/dockerfiles"
 LOCATION=${LOCATION} make
 popd
 
+if [[ -f "${HOME}/workspace/devenv/functions/gcp-secret-manager-helpers.bash" ]]; then
+  . "${HOME}/workspace/devenv/functions/gcp-secret-manager-helpers.bash"
+  export DOCKER_REGISTRY_USERNAME="$(gimme-secret-value-only dockerhub-tasruntime-username)"
+  export DOCKER_REGISTRY_PASSWORD="$(gimme-secret-value-only dockerhub-tasruntime-password)"
+fi
+if [[ "${DOCKER_REGISTRY_USERNAME:-undefined}" == "undefined" || "${DOCKER_REGISTRY_PASSWORD:-undefined}" == "undefined" ]]; then
+  cat << EOF
+  Run this script with DOCKER_REGISTRY_USERNAME, DOCKER_REGISTRY_PASSWORD env variables
+EOF
+exit 1
+fi
+
 docker pull "${IMAGE}"
 docker rm -f $CONTAINER_NAME
 docker run -it \
   --env "REPO_NAME=$REPO_NAME" \
   --env "REPO_PATH=/repo" \
   --env "GARDEN_TEST_ROOTFS=/artifacts/garden-rootfs.tar" \
   --env "GARDEN_FUSE_TEST_ROOTFS=/artifacts/garden-fuse.tar" \
+  --env "DOCKER_REGISTRY_USERNAME=$DOCKER_REGISTRY_USERNAME" \
+  --env "DOCKER_REGISTRY_PASSWORD=$DOCKER_REGISTRY_PASSWORD" \
   --rm \
   --name "$CONTAINER_NAME" \
   -v "${REPO_PATH}:/repo" \

diff --git a/scripts/fly/test.bash b/scripts/fly/test.bash
@@ -28,8 +28,8 @@ GARDEN_FUSE_TEST_ROOTFS=$PWD/input-01/garden-fuse.tar'
 
 if [[ -f "${HOME}/workspace/devenv/functions/gcp-secret-manager-helpers.bash" ]]; then
   . "${HOME}/workspace/devenv/functions/gcp-secret-manager-helpers.bash"
-  export DOCKER_REGISTRY_USERNAME="$(gimme-secret-value-only dockerhub-tasruntime | yq -r .user)"
-  export DOCKER_REGISTRY_PASSWORD="$(gimme-secret-value-only dockerhub-tasruntime | yq -r .password)"
+  export DOCKER_REGISTRY_USERNAME="$(gimme-secret-value-only dockerhub-tasruntime-username)"
+  export DOCKER_REGISTRY_PASSWORD="$(gimme-secret-value-only dockerhub-tasruntime-password)"
 fi
 
 if [[ "${DOCKER_REGISTRY_USERNAME:-undefined}" == "undefined" || "${DOCKER_REGISTRY_PASSWORD:-undefined}" == "undefined" ]]; then

diff --git a/src/greenskeeper/cmd/greenskeeper/main.go b/src/greenskeeper/cmd/greenskeeper/main.go
@@ -10,15 +10,10 @@ import (
 )
 
 func main() {
-	var rootlessMode bool
-	flag.BoolVar(&rootlessMode, "rootless", false, "run rootless setup")
 
 	flag.Parse()
 
 	owner := 0
-	if rootlessMode {
-		owner = mustGetMaximus()
-	}
 
 	pidFilePath := os.Getenv("PIDFILE")
 	if err := greenskeeper.CheckExistingGdnProcess(pidFilePath); err != nil {
@@ -35,12 +30,6 @@ func main() {
 		greenskeeper.NewDirectoryBuilder(mustGetenv("RUNTIME_BIN_DIR")).Mode(0750).GID(mustGetMaximus()).Build(),
 	}
 
-	if rootlessMode {
-		directories = append(directories, greenskeeper.NewDirectoryBuilder(mustGetenv("XDG_RUNTIME_DIR")).Mode(0700).UID(owner).GID(owner).Build())
-		directories = append(directories, greenskeeper.NewDirectoryBuilder(mustGetenv("GARDEN_ROOTLESS_CONFIG_DIR")).Mode(0700).UID(owner).GID(owner).Build())
-		directories = append(directories, greenskeeper.NewDirectoryBuilder(mustGetenv("CONTAINERD_DATA_DIR")).Mode(0700).UID(owner).GID(owner).Build())
-	}
-
 	if err := greenskeeper.CreateDirectories(directories...); err != nil {
 		fmt.Fprintln(os.Stderr, err.Error())
 		os.Exit(1)