Update github.com/opencontainers/runtime-tools to v0.6.0

Also add new dependencies on github.com/xeipuuv/gojson* (brought in by the
new runtime-tools) and adapt the containerd/cri code to replace the APIs
that were removed by runtime-tools.

In particular, add new helpers to handle the capabilities, since
runtime-tools now split them into separate sets of functions for each
capability set.

Replace g.Spec() with g.Config since g.Spec() has been deprecated in the
runtime-tools API.

Signed-off-by: Filipe Brandenburger <filbranden@google.com>
Filipe Brandenburger
2018-06-18 16:06:19 -07:00
parent 441a57aa56
commit 01d77d44f5
53 changed files with 8453 additions and 1380 deletions


@@ -376,7 +376,7 @@ func (c *criService) generateContainerSpec(id string, sandboxID string, sandboxP
// is not clearly defined in Kubernetes.
// See https://github.com/kubernetes/kubernetes/issues/56374
// Keep docker's behavior for now.
g.Spec().Process.Capabilities.Ambient = []string{}
g.Config.Process.Capabilities.Ambient = []string{}
g.SetProcessSelinuxLabel(processLabel)
g.SetLinuxMountLabel(mountLabel)
@@ -407,7 +407,7 @@ func (c *criService) generateContainerSpec(id string, sandboxID string, sandboxP
g.AddAnnotation(annotations.ContainerType, annotations.ContainerTypeContainer)
g.AddAnnotation(annotations.SandboxID, sandboxID)
return g.Spec(), nil
return g.Config, nil
}
// generateVolumeMounts sets up image volumes for container. Rely on the removal of container
@@ -533,7 +533,7 @@ func clearReadOnly(m *runtimespec.Mount) {
// addDevices set device mapping without privilege.
func (c *criService) addOCIDevices(g *generate.Generator, devs []*runtime.Device) error {
spec := g.Spec()
spec := g.Config
for _, device := range devs {
path, err := c.os.ResolveSymbolicLink(device.HostPath)
if err != nil {
@@ -565,7 +565,7 @@ func (c *criService) addOCIDevices(g *generate.Generator, devs []*runtime.Device
// addDevices set device mapping with privilege.
func setOCIDevicesPrivileged(g *generate.Generator) error {
spec := g.Spec()
spec := g.Config
hostDevices, err := devices.HostDevices()
if err != nil {
return err
@@ -597,7 +597,12 @@ func setOCIDevicesPrivileged(g *generate.Generator) error {
// addOCIBindMounts adds bind mounts.
func (c *criService) addOCIBindMounts(g *generate.Generator, mounts []*runtime.Mount, mountLabel string) error {
// Mount cgroup into the container as readonly, which inherits docker's behavior.
g.AddCgroupsMount("ro") // nolint: errcheck
g.AddMount(runtimespec.Mount{
Source: "cgroup",
Destination: "/sys/fs/cgroup",
Type: "cgroup",
Options: []string{"nosuid", "noexec", "nodev", "relatime", "ro"},
})
for _, mount := range mounts {
dst := mount.GetContainerPath()
src := mount.GetHostPath()
@@ -635,8 +640,8 @@ func (c *criService) addOCIBindMounts(g *generate.Generator, mounts []*runtime.M
return err
}
options = append(options, "rslave")
if g.Spec().Linux.RootfsPropagation != "rshared" &&
g.Spec().Linux.RootfsPropagation != "rslave" {
if g.Config.Linux.RootfsPropagation != "rshared" &&
g.Config.Linux.RootfsPropagation != "rslave" {
g.SetLinuxRootPropagation("rslave") // nolint: errcheck
}
default:
@@ -657,14 +662,19 @@ func (c *criService) addOCIBindMounts(g *generate.Generator, mounts []*runtime.M
return errors.Wrapf(err, "relabel %q with %q failed", src, mountLabel)
}
}
g.AddBindMount(src, dst, options)
g.AddMount(runtimespec.Mount{
Source: src,
Destination: dst,
Type: "bind",
Options: options,
})
}
return nil
}
func setOCIBindMountsPrivileged(g *generate.Generator) {
spec := g.Spec()
spec := g.Config
// clear readonly for /sys and cgroup
for i, m := range spec.Mounts {
if spec.Mounts[i].Destination == "/sys" {
@@ -704,6 +714,40 @@ func getOCICapabilitiesList() []string {
return caps
}
// Adds capabilities to all sets relevant to root (bounding, permitted, effective, inheritable)
func addProcessRootCapability(g *generate.Generator, c string) error {
if err := g.AddProcessCapabilityBounding(c); err != nil {
return err
}
if err := g.AddProcessCapabilityPermitted(c); err != nil {
return err
}
if err := g.AddProcessCapabilityEffective(c); err != nil {
return err
}
if err := g.AddProcessCapabilityInheritable(c); err != nil {
return err
}
return nil
}
// Drops capabilities to all sets relevant to root (bounding, permitted, effective, inheritable)
func dropProcessRootCapability(g *generate.Generator, c string) error {
if err := g.DropProcessCapabilityBounding(c); err != nil {
return err
}
if err := g.DropProcessCapabilityPermitted(c); err != nil {
return err
}
if err := g.DropProcessCapabilityEffective(c); err != nil {
return err
}
if err := g.DropProcessCapabilityInheritable(c); err != nil {
return err
}
return nil
}
// setOCICapabilities adds/drops process capabilities.
func setOCICapabilities(g *generate.Generator, capabilities *runtime.Capability) error {
if capabilities == nil {
@@ -716,14 +760,14 @@ func setOCICapabilities(g *generate.Generator, capabilities *runtime.Capability)
// will be all capabilities without `CAP_CHOWN`.
if util.InStringSlice(capabilities.GetAddCapabilities(), "ALL") {
for _, c := range getOCICapabilitiesList() {
if err := g.AddProcessCapability(c); err != nil {
if err := addProcessRootCapability(g, c); err != nil {
return err
}
}
}
if util.InStringSlice(capabilities.GetDropCapabilities(), "ALL") {
for _, c := range getOCICapabilitiesList() {
if err := g.DropProcessCapability(c); err != nil {
if err := dropProcessRootCapability(g, c); err != nil {
return err
}
}
@@ -734,7 +778,7 @@ func setOCICapabilities(g *generate.Generator, capabilities *runtime.Capability)
continue
}
// Capabilities in CRI doesn't have `CAP_` prefix, so add it.
if err := g.AddProcessCapability("CAP_" + strings.ToUpper(c)); err != nil {
if err := addProcessRootCapability(g, "CAP_"+strings.ToUpper(c)); err != nil {
return err
}
}
@@ -743,7 +787,7 @@ func setOCICapabilities(g *generate.Generator, capabilities *runtime.Capability)
if strings.ToUpper(c) == "ALL" {
continue
}
if err := g.DropProcessCapability("CAP_" + strings.ToUpper(c)); err != nil {
if err := dropProcessRootCapability(g, "CAP_"+strings.ToUpper(c)); err != nil {
return err
}
}
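Review bot: addProcessRootCapability and dropProcessRootCapability leave the Ambient set untouched, and neither doc comment says so; since the first hunk deliberately keeps Ambient empty (`g.Config.Process.Capabilities.Ambient = []string{}`, with the Kubernetes issue cited just above it), that exclusion is the one thing a reader needs to know is intentional. I would extend the comment on addProcessRootCapability to `// addProcessRootCapability adds c to the bounding, permitted, effective and inheritable sets; the ambient set is intentionally left alone (see generateContainerSpec).` and mirror it on dropProcessRootCapability. If the removed AddProcessCapability also populated Ambient, the Ambient reset in generateContainerSpec is now a safety net rather than a correction, which deserves a one-line note there; I have not verified the old helper's behaviour. Both helpers return on the first failing set, so on error the generator is left with a partially updated capability set; that is acceptable only while every caller abandons the spec on error, as setOCICapabilities does.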


@@ -426,18 +426,19 @@ func TestContainerSpecCommand(t *testing.T) {
} {
config, _, imageConfig, _ := getCreateContainerTestData()
g := generate.New()
g, err := generate.New("linux")
assert.NoError(t, err)
config.Command = test.criEntrypoint
config.Args = test.criArgs
imageConfig.Entrypoint = test.imageEntrypoint
imageConfig.Cmd = test.imageArgs
err := setOCIProcessArgs(&g, config, imageConfig)
err = setOCIProcessArgs(&g, config, imageConfig)
if test.expectErr {
assert.Error(t, err)
continue
}
assert.NoError(t, err)
assert.Equal(t, test.expected, g.Spec().Process.Args, desc)
assert.Equal(t, test.expected, g.Config.Process.Args, desc)
}
}
@@ -620,13 +621,14 @@ func TestPrivilegedBindMount(t *testing.T) {
},
} {
t.Logf("TestCase %q", desc)
g := generate.New()
g, err := generate.New("linux")
assert.NoError(t, err)
c := newTestCRIService()
c.addOCIBindMounts(&g, nil, "")
if test.privileged {
setOCIBindMountsPrivileged(&g)
}
spec := g.Spec()
spec := g.Config
if test.expectedSysFSRO {
checkMount(t, spec.Mounts, "sysfs", "/sys", "sysfs", []string{"ro"}, []string{"rw"})
} else {
@@ -728,15 +730,16 @@ func TestMountPropagation(t *testing.T) {
},
} {
t.Logf("TestCase %q", desc)
g := generate.New()
g, err := generate.New("linux")
assert.NoError(t, err)
c := newTestCRIService()
c.os.(*ostesting.FakeOS).LookupMountFn = test.fakeLookupMountFn
err := c.addOCIBindMounts(&g, []*runtime.Mount{test.criMount}, "")
err = c.addOCIBindMounts(&g, []*runtime.Mount{test.criMount}, "")
if test.expectErr {
require.Error(t, err)
} else {
require.NoError(t, err)
checkMount(t, g.Spec().Mounts, test.criMount.HostPath, test.criMount.ContainerPath, "bind", test.optionsCheck, nil)
checkMount(t, g.Config.Mounts, test.criMount.HostPath, test.criMount.ContainerPath, "bind", test.optionsCheck, nil)
}
}
}
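Review bot: The `assert.NoError(t, err)` added after `generate.New("linux")` in TestContainerSpecCommand does not stop the test case when the generator cannot be created, so the loop goes on to call setOCIProcessArgs with a zero Generator and then reads `g.Config.Process.Args`, which looks like a nil dereference rather than a clean failure. The file already uses `require.NoError` in TestMountPropagation, so `require.NoError(t, err)` is the consistent choice here; the same applies to the identical assertions in the TestPrivilegedBindMount and TestMountPropagation hunks. The enclosing test functions all start outside the hunks.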


@@ -102,7 +102,7 @@ func (c *criService) execInContainer(ctx context.Context, id string, opts execOp
if opts.tty {
g := newSpecGenerator(spec)
g.AddProcessEnv("TERM", "xterm")
spec = g.Spec()
spec = g.Config
}
pspec := spec.Process
pspec.Args = opts.cmd


@@ -157,5 +157,5 @@ func updateOCILinuxResource(spec *runtimespec.Spec, new *runtime.LinuxContainerR
g.SetLinuxResourcesCPUMems(new.GetCpusetMems())
}
return g.Spec(), nil
return g.Config, nil
}


@@ -394,7 +394,12 @@ func (c *criService) generateSandboxContainerSpec(id string, config *runtime.Pod
if nsOptions.GetIpc() == runtime.NamespaceMode_NODE {
sandboxDevShm = devShm
}
g.AddBindMount(sandboxDevShm, devShm, []string{"rbind", "ro"})
g.AddMount(runtimespec.Mount{
Source: sandboxDevShm,
Destination: devShm,
Type: "bind",
Options: []string{"rbind", "ro"},
})
selinuxOpt := securityContext.GetSelinuxOptions()
processLabel, mountLabel, err := initSelinuxOpts(selinuxOpt)
@@ -423,7 +428,7 @@ func (c *criService) generateSandboxContainerSpec(id string, config *runtime.Pod
g.AddAnnotation(annotations.ContainerType, annotations.ContainerTypeSandbox)
g.AddAnnotation(annotations.SandboxID, id)
return g.Spec(), nil
return g.Config, nil
}
// setupSandboxFiles sets up necessary sandbox files including /dev/shm, /etc/hosts