Deploy lockc as a DeamonSet

Dockerfile

@@ -0,0 +1,56 @@
+FROM docker.io/library/rust:latest as builder
+RUN wget https://apt.llvm.org/llvm-snapshot.gpg.key && \
+    apt-key add llvm-snapshot.gpg.key && \
+    rm -f llvm-snapshot.gpg.key && \
+    echo "deb http://apt.llvm.org/bullseye/ llvm-toolchain-bullseye-13 main" > /etc/apt/sources.list.d/llvm.list && \
+    apt update && \
+    apt upgrade -y --no-install-recommends && \
+    apt install -y --no-install-recommends \
+        clang-13 \
+        libelf-dev \
+        gcc-multilib \
+        lld-13 \
+        lldb-13 \
+        python3-pip \
+        sudo && \
+    apt purge --auto-remove && \
+    apt clean && \
+    rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
+# Build libbpf and bpftool from the newest stable kernel sources.
+RUN curl -Lso linux.tar.xz \
+        $(curl -s https://www.kernel.org/ | grep -A1 "latest_link" | grep -Eo '(http|https)://[^"]+') && \
+    tar -xf linux.tar.xz && \
+    cd $(find . -maxdepth 1 -type d -name "linux*") && \
+    cd tools/lib/bpf && \
+    make -j $(nproc) && \
+    make install prefix=/usr && \
+    cd ../../bpf/bpftool && \
+    make -j $(nproc) && \
+    make install prefix=/usr && \
+    cd ../../../.. && \
+    rm -rf linux*
+RUN cargo install libbpf-cargo
+RUN rustup component add \
+        clippy \
+        rustfmt
+
+FROM builder AS build
+WORKDIR /usr/local/src/lockc
+COPY . ./
+ENV CLANG /usr/bin/clang-13
+RUN cargo build
+
+FROM registry.opensuse.org/opensuse/leap-microdnf:15.3 AS lockc-k8s-agent
+ARG PROFILE=debug
+COPY --from=build /usr/local/src/lockc/target/$PROFILE/lockc-k8s-agent /usr/bin/lockc-k8s-agent
+ENTRYPOINT ["/usr/bin/lockc-k8s-agent"]
+
+FROM registry.opensuse.org/opensuse/leap-microdnf:15.3 AS lockc-runc-wrapper
+ARG PROFILE=debug
+COPY --from=build /usr/local/src/lockc/target/$PROFILE/lockc-runc-wrapper /usr/bin/lockc-runc-wrapper
+ENTRYPOINT ["/bin/cp", "-f", "/usr/bin/lockc-runc-wrapper", "/host/opt/bin/lockc-runc-wrapper"]
+
+FROM registry.opensuse.org/opensuse/leap-microdnf:15.3 AS lockcd
+ARG PROFILE=debug
+COPY --from=build /usr/local/src/lockc/target/$PROFILE/lockcd /usr/bin/lockcd
+ENTRYPOINT ["/usr/bin/lockcd"]

Dockerfile.dapper

@@ -1,38 +1,7 @@
-FROM docker.io/library/rust:latest
-RUN wget https://apt.llvm.org/llvm-snapshot.gpg.key && \
-    apt-key add llvm-snapshot.gpg.key && \
-    rm -f llvm-snapshot.gpg.key && \
-    echo "deb http://apt.llvm.org/bullseye/ llvm-toolchain-bullseye-13 main" > /etc/apt/sources.list.d/llvm.list && \
-    apt update && \
-    apt upgrade -y --no-install-recommends && \
-    apt install -y --no-install-recommends \
-        clang-13 \
-        libelf-dev \
-        gcc-multilib \
-        lld-13 \
-        lldb-13 \
-        python3-pip \
-        sudo && \
-    apt purge --auto-remove && \
-    apt clean && \
-    rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
-# Build libbpf and bpftool from the newest stable kernel sources.
-RUN curl -Lso linux.tar.xz \
-        $(curl -s https://www.kernel.org/ | grep -A1 "latest_link" | grep -Eo '(http|https)://[^"]+') && \
-    tar -xf linux.tar.xz && \
-    cd $(find . -maxdepth 1 -type d -name "linux*") && \
-    cd tools/lib/bpf && \
-    make -j $(nproc) && \
-    make install prefix=/usr && \
-    cd ../../bpf/bpftool && \
-    make -j $(nproc) && \
-    make install prefix=/usr && \
-    cd ../../../.. && \
-    rm -rf linux*
-RUN cargo install libbpf-cargo
-RUN rustup component add \
-        clippy \
-        rustfmt
+# syntax = edrevo/dockerfile-plus
+INCLUDE+ Dockerfile
+
+FROM builder
 
 ENV DAPPER_SOURCE /source
 ENV DAPPER_OUTPUT target

contrib/guestfs/build.sh

@@ -39,7 +39,6 @@ virt-customize -a \
     ${LOCKC_IMAGE} \
     --mkdir /etc/containerd \
     --mkdir /etc/docker \
-    --copy-in provision/etc/containerd/config.toml:/etc/containerd/ \
     --copy-in provision/etc/docker/daemon.json:/etc/docker/ \
     --copy-in provision/etc/modules-load.d/99-k8s.conf:/etc/modules-load.d/ \
     --copy-in provision/etc/sysctl.d/99-k8s.conf:/etc/sysctl.d/ \

contrib/guestfs/provision/provision.sh

@@ -53,8 +53,8 @@ zypper install -y \
     bpftool \
     cargo \
     conntrack-tools \
-    containerd \
     cri-tools \
+    criu \
     docker \
     ebtables \
     ethtool \
@@ -84,7 +84,10 @@ EOF
 ### Rebuild initrd with dracut
 mkinitrd
 
-mv /etc/containerd/config.toml.rpmorig /etc/containerd/config.toml
+CONTAINERD_URL=$(curl -s https://api.github.com/repos/containerd/containerd/releases/latest | jq -r '.assets[] | select(.browser_download_url | contains("cri-containerd-cni") and endswith("linux-amd64.tar.gz")) | .browser_download_url')
+curl -L "${CONTAINERD_URL}" | sudo tar --no-overwrite-dir -C / -xz
+
+# mv /etc/containerd/config.toml.rpmorig /etc/containerd/config.toml
 
 systemctl enable containerd
 systemctl enable docker
@@ -107,7 +110,17 @@ curl -sSL "https://raw.githubusercontent.com/kubernetes/release/${RELEASE_VERSIO
 mkdir -p /etc/systemd/system/kubelet.service.d
 curl -sSL "https://raw.githubusercontent.com/kubernetes/release/${RELEASE_VERSION}/cmd/kubepkg/templates/latest/deb/kubeadm/10-kubeadm.conf" | sed "s:/usr/bin:${DOWNLOAD_DIR}:g" | tee /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
 
+HELM_VERSION=$(curl -s https://api.github.com/repos/helm/helm/releases/latest | jq -r .tag_name)
+curl -L "https://get.helm.sh/helm-${HELM_VERSION}-linux-amd64.tar.gz" | tar -xz
+install -D -m 0755 linux-amd64/helm /usr/bin/helm
+rm -rf linux-amd64
+
 systemctl enable kubelet
 
 curl -sL https://releases.rancher.com/dapper/latest/dapper-$(uname -s)-$(uname -m) > /usr/local/bin/dapper
 chmod +x /usr/local/bin/dapper
+
+curl -L --remote-name-all https://github.com/cilium/cilium-cli/releases/latest/download/cilium-linux-amd64.tar.gz{,.sha256sum}
+sha256sum --check cilium-linux-amd64.tar.gz.sha256sum
+sudo tar xzvfC cilium-linux-amd64.tar.gz /usr/local/bin
+rm cilium-linux-amd64.tar.gz{,.sha256sum}

contrib/helm/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

contrib/helm/lockc/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

contrib/helm/lockc/Chart.yaml

@@ -0,0 +1,13 @@
+apiVersion: v2
+name: lockc
+version: 0.1.0
+description: A Helm chart for Kubernetes lockc agent and daemon
+type: application
+icon: https://github.com/rancher-sandbox/lockc/blob/main/docs/src/images/logo-horizontal-lockc.png
+home: https://rancher-sandbox.github.io/lockc/
+appVersion: "v1.0.0"
+maintainers:
+  - name: Michal Rostecki
+    email: [email protected]
+  - name: Michal Jura
+    email: [email protected]

contrib/helm/lockc/templates/NOTES.txt

@@ -0,0 +1,8 @@
+lockc-agent and lockd installed SUCCESSFULLY
+
+lockc provides three policy levels for containers:
+  * baseline - meant for regular applications
+  * restricted - meant for applications for which we need to be more cautious and secure them more stricly
+  * privileged - meant for part of the infrastructure which can have full access to host resources
+
+For more information checkout https://rancher-sandbox.github.io/lockc/

contrib/helm/lockc/templates/_helpers.tpl

@@ -0,0 +1,98 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "lockc.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "lockc.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "lockc.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create lockc labels
+*/}}
+{{- define "lockc.labels" -}}
+helm.sh/chart: {{ include "lockc.chart" . }}
+{{ include "lockc.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector lockc labels
+*/}}
+{{- define "lockc.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "lockc.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create lockcd labels
+*/}}
+{{- define "lockcd.labels" -}}
+helm.sh/chart: {{ include "lockc.chart" . }}
+{{ include "lockcd.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector lockcd labels
+*/}}
+{{- define "lockcd.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "lockc.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create lockc-agent labels
+*/}}
+{{- define "lockc-agent.labels" -}}
+helm.sh/chart: {{ include "lockc.chart" . }}
+{{ include "lockc-agent.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "lockc-agent.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "lockc.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "lockc.serviceAccountName" -}}
+{{- include "lockc.fullname" . }}
+{{- end }}

contrib/helm/lockc/templates/clusterrole.yaml

@@ -0,0 +1,9 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: lockc-agent
+  namespace: {{ .Release.Namespace }}
+rules:
+- apiGroups: [""]
+  resources: ["namespaces"]
+  verbs: ["get", "watch", "list"]

contrib/helm/lockc/templates/clusterrolebinding.yaml

@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: lockc-agent
+  namespace: {{ .Release.Namespace }}
+subjects:
+- kind: ServiceAccount
+  name: lockc-agent
+  namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: lockc-agent
+  apiGroup: rbac.authorization.k8s.io