Add test that runs runsc do inside a non-gVisor container.

This is used in contexts such as Dangerzone:
https://gvisor.dev/blog/2024/09/23/safe-ride-into-the-dangerzone/

Updates issue #10944.

PiperOrigin-RevId: 682454284

Author: EtiennePerot

Makefile

@@ -346,7 +346,7 @@ docker-tests: load-basic $(RUNTIME_BIN)
 	@$(call install_runtime,$(RUNTIME)-dcache,--fdlimit=2000 --dcache=100) # Used by TestDentryCacheLimit.
 	@$(call install_runtime,$(RUNTIME)-host-uds,--host-uds=all) # Used by TestHostSocketConnect.
 	@$(call install_runtime,$(RUNTIME)-overlay,--overlay2=all:self) # Used by TestOverlay*.
-	@$(call test_runtime,$(RUNTIME),$(INTEGRATION_TARGETS) //test/e2e:integration_runtime_test)
+	@$(call test_runtime,$(RUNTIME),$(INTEGRATION_TARGETS) //test/e2e:integration_runtime_test //test/e2e:runtime_in_docker_test)
 .PHONY: docker-tests
 
 plugin-network-tests: load-basic $(RUNTIME_BIN)

images/basic/integrationtest/Dockerfile

@@ -4,12 +4,21 @@ WORKDIR /root
 COPY . .
 RUN chmod +x *.sh
 
-RUN apt-get update && apt-get install -y gcc iputils-ping iproute2
+RUN apt-get update && apt-get install -y \
+    build-essential iputils-ping iproute2 iptables
 
 # Compilation Steps.
 RUN gcc -O2 -o test_copy_up test_copy_up.c
 RUN gcc -O2 -o test_rewinddir test_rewinddir.c
 RUN gcc -O2 -o link_test link_test.c
 RUN gcc -O2 -o test_sticky test_sticky.c
 RUN gcc -O2 -o host_fd host_fd.c
-RUN gcc -O2 -o host_connect host_connect.c
+RUN gcc -O2 -o host_connect host_connect.c
+
+# Add nonprivileged regular user named "nonroot".
+RUN groupadd --gid 1337 nonroot && \
+    useradd --uid 1337 --gid 1337 \
+        --create-home \
+        --shell $(which bash) \
+        --password '' \
+        nonroot

pkg/test/dockerutil/container.go

@@ -116,6 +116,9 @@ type RunOpts struct {
 
 	Devices []container.DeviceMapping
 
+	// SecurityOpts are security options to set on the container.
+	SecurityOpts []string
+
 	// sniffGPUOpts, if set, sets the rules for GPU sniffing during this test.
 	// Must be set via `RunOpts.SniffGPU`.
 	sniffGPUOpts *SniffGPUOpts
@@ -347,6 +350,7 @@ func (c *Container) hostConfig(r RunOpts) *container.HostConfig {
 		CapAdd:          r.CapAdd,
 		CapDrop:         r.CapDrop,
 		Privileged:      r.Privileged,
+		SecurityOpt:     r.SecurityOpts,
 		ReadonlyRootfs:  r.ReadOnly,
 		NetworkMode:     container.NetworkMode(r.NetworkMode),
 		Resources: container.Resources{

test/e2e/BUILD

@@ -52,6 +52,26 @@ go_test(
     ],
 )
 
+go_test(
+    name = "runtime_in_docker_test",
+    size = "large",
+    srcs = [
+        "runtime_in_docker_test.go",
+    ],
+    library = ":integration",
+    tags = [
+        # Requires docker and runsc to be configured before the test runs.
+        "local",
+        "manual",
+    ],
+    visibility = ["//:sandbox"],
+    deps = [
+        "//pkg/test/dockerutil",
+        "//pkg/test/testutil",
+        "@com_github_docker_docker//api/types/mount:go_default_library",
+    ],
+)
+
 go_library(
     name = "integration",
     srcs = ["integration.go"],

test/e2e/integration_runtime_test.go

@@ -104,7 +104,7 @@ func TestDentryCacheLimit(t *testing.T) {
 		}
 	}
 
-	// Run the container. Open a bunch of files simutaneously and sleep a bit
+	// Run the container. Open a bunch of files simultaneously and sleep a bit
 	// to give time for everything to start. We shouldn't hit the FD limit
 	// because the dentry cache is small.
 	cmd := `for file in /tmp/foo/*; do (cat > "${file}") & done && sleep 10`

test/e2e/runtime_in_docker_test.go

@@ -0,0 +1,236 @@
+// Copyright 2024 The gVisor Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package integration provides end-to-end integration tests for runsc.
+package integration
+
+import (
+	"context"
+	"fmt"
+	"slices"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/api/types/mount"
+	"gvisor.dev/gvisor/pkg/test/dockerutil"
+	"gvisor.dev/gvisor/pkg/test/testutil"
+)
+
+// testVariant is a variant of the gVisor in Docker test.
+type testVariant struct {
+	Name          string
+	User          string
+	WorkDir       string
+	CapAdd        []string
+	Args          []string
+	MountCgroupfs bool
+}
+
+// run runs the test variant.
+func (test testVariant) run(ctx context.Context, logger testutil.Logger, runscPath string) (string, error) {
+	d := dockerutil.MakeNativeContainer(ctx, logger)
+	defer d.CleanUp(ctx)
+	opts := dockerutil.RunOpts{
+		Image:   "basic/integrationtest",
+		User:    test.User,
+		WorkDir: test.WorkDir,
+		SecurityOpts: []string{
+			// Disable default seccomp filter which blocks `mount(2)` and others.
+			"seccomp=unconfined",
+
+			// Disable AppArmor which also blocks mounts.
+			"apparmor=unconfined",
+
+			// Set correct SELinux label; this allows ptrace.
+			"label=type:container_engine_t",
+		},
+		CapAdd: test.CapAdd,
+		Mounts: []mount.Mount{
+			// Mount the runtime binary.
+			{
+				Type:     mount.TypeBind,
+				Source:   runscPath,
+				Target:   "/runtime",
+				ReadOnly: true,
+			},
+		},
+	}
+	if test.MountCgroupfs {
+		opts.Mounts = append(opts.Mounts, mount.Mount{
+			Type:     mount.TypeBind,
+			Source:   "/sys/fs/cgroup",
+			Target:   "/sys/fs/cgroup",
+			ReadOnly: false,
+		})
+	}
+	// Mount an unobstructed view of procfs at /proc2 so that the runtime
+	// can mount a fresh procfs.
+	// TODO(gvisor.dev/issue/10944): Remove this once issue is fixed.
+	opts.Mounts = append(opts.Mounts, mount.Mount{
+		Type:     mount.TypeBind,
+		Source:   "/proc",
+		Target:   "/proc2",
+		ReadOnly: false,
+		BindOptions: &mount.BindOptions{
+			NonRecursive: true,
+		},
+	})
+	const wantMessage = "It became a jumble of words, a litany, almost a kind of glossolalia."
+	args := []string{
+		"/runtime",
+		"--debug=true",
+		"--debug-log=/dev/stderr",
+	}
+	args = append(args, test.Args...)
+	args = append(args, "do", "/bin/echo", wantMessage)
+	logger.Logf("Running: %v", args)
+	got, err := d.Run(ctx, opts, args...)
+	got = strings.TrimSpace(got)
+	if err != nil {
+		return got, err
+	}
+	if !strings.Contains(got, wantMessage) {
+		return got, fmt.Errorf("did not observe substring %q in logs", wantMessage)
+	}
+	return got, nil
+}
+
+// failureCases returns modified versions of this same test that are expected
+// to fail. Verifying that these variants fail ensures that each test variant
+// runs with the minimal amount of deviations from the default configuration.
+func (test testVariant) failureCases() []testVariant {
+	failureCase := func(name string) testVariant {
+		copy := test
+		copy.Name = name
+		return copy
+	}
+	var failureCases []testVariant
+	if test.MountCgroupfs {
+		copy := failureCase("without cgroupfs mounted")
+		copy.MountCgroupfs = false
+		failureCases = append(failureCases, copy)
+	}
+	for i, capAdd := range test.CapAdd {
+		copy := failureCase(fmt.Sprintf("without capability %s", capAdd))
+		copy.CapAdd = append(append([]string(nil), test.CapAdd[:i]...), test.CapAdd[i+1:]...)
+		failureCases = append(failureCases, copy)
+	}
+	for _, tryRemoveArg := range []string{
+		"--rootless=true",
+		"--ignore-cgroups=true",
+	} {
+		if index := slices.Index(test.Args, tryRemoveArg); index != -1 {
+			copy := failureCase(fmt.Sprintf("without argument %s", tryRemoveArg))
+			copy.Args = append(append([]string(nil), test.Args[:index]...), test.Args[index+1:]...)
+			failureCases = append(failureCases, copy)
+		}
+	}
+	return failureCases
+}
+
+// TestGVisorInDocker runs `runsc` inside a non-gVisor container.
+// This is used in contexts such as Dangerzone:
+// https://gvisor.dev/blog/2024/09/23/safe-ride-into-the-dangerzone/
+func TestGVisorInDocker(t *testing.T) {
+	ctx := context.Background()
+	runscPath, err := dockerutil.RuntimePath()
+	if err != nil {
+		t.Fatalf("Cannot locate runtime path: %v", err)
+	}
+	for _, test := range []testVariant{
+		{
+			Name: "Rootful",
+			User: "root",
+			CapAdd: []string{
+				// Necessary to set up networking (creating veth devices).
+				"NET_ADMIN",
+				// Necessary to set up networking, which calls `ip netns add` which
+				// calls `mount(2)`.
+				"SYS_ADMIN",
+			},
+			// Mount cgroupfs as writable, otherwise the runtime won't be able to
+			// set up cgroups.
+			MountCgroupfs: true,
+		},
+		{
+			Name: "Rootful without networking",
+			User: "root",
+			CapAdd: []string{
+				// "Can't run sandbox process in minimal chroot since we don't have CAP_SYS_ADMIN"
+				"SYS_ADMIN",
+			},
+			Args: []string{
+				"--network=none",
+			},
+			MountCgroupfs: true,
+		},
+		{
+			Name: "Rootful with host networking",
+			User: "root",
+			CapAdd: []string{
+				// Necessary to set up networking (creating veth devices).
+				"NET_ADMIN",
+				// Necessary to set up networking, which calls `ip netns add` which
+				// calls `mount(2)`.
+				"SYS_ADMIN",
+			},
+			Args: []string{
+				"--network=host",
+			},
+			MountCgroupfs: true,
+		},
+		{
+			Name: "Rootful without networking and cgroupfs",
+			User: "root",
+			CapAdd: []string{
+				// "Can't run sandbox process in minimal chroot since we don't have CAP_SYS_ADMIN"
+				"SYS_ADMIN",
+			},
+			Args: []string{
+				"--network=none",
+				"--ignore-cgroups=true",
+			},
+		},
+		{
+			Name:    "Rootless",
+			User:    "nonroot",
+			WorkDir: "/home/nonroot",
+			Args: []string{
+				"--rootless=true",
+			},
+		},
+		{
+			Name:    "Rootless without networking",
+			User:    "nonroot",
+			WorkDir: "/home/nonroot",
+			Args: []string{
+				"--rootless=true",
+				"--network=none",
+			},
+		},
+	} {
+		t.Run(test.Name, func(t *testing.T) {
+			if logs, err := test.run(ctx, t, runscPath); err != nil {
+				t.Fatalf("Error: %v; logs:\n%s", err, logs)
+			}
+			for _, failureCase := range test.failureCases() {
+				t.Run(failureCase.Name, func(t *testing.T) {
+					if logs, err := failureCase.run(ctx, t, runscPath); err == nil {
+						t.Fatalf("Failure case unexpectedly succeeded; logs:\n%s", logs)
+					}
+				})
+			}
+		})
+	}
+}