Add tasks to install runsc for gvisor integration

* Add changed_when conditions
* Add docs
* packer arguments

docs/book/src/SUMMARY.md

@@ -21,5 +21,6 @@
   - [VirtualBox](./capi/providers/virtualbox.md)
   - [Testing the Images](./capi/goss/goss.md)
   - [Using Container Images](./capi/container-image.md)
+  - [Customizing containerd](./capi/containerd/customizing-containerd.md)
   - [Releasing](./capi/releasing.md)
 - [Glossary](./glossary.md)

docs/book/src/capi/containerd/customizing-containerd.md

@@ -0,0 +1,51 @@
+# Customizing containerd
+
+## Running sandboxed containers using gVisor
+
+For additional security it is possible to run sandboxed container workloads. One 
+option for this is to use [gVisor](https://gvisor.dev/docs/).
+
+To use gVisor, the image needs to be built with the `containerd_gvisor_runtime`
+flag set to `true`.
+
+For example, in a packer configuration:
+
+```json
+{
+.
+.
+    "containerd_gvisor_runtime": true
+}
+
+```
+
+Once your cluster is built you first create a `RuntimeClass` object.
+
+```yaml
+apiVersion: node.k8s.io/v1
+kind: RuntimeClass
+metadata:
+  # The name the RuntimeClass will be referenced by.
+  # RuntimeClass is a non-namespaced resource.
+  name: gvisor 
+# The name of the corresponding CRI configuration
+handler: gvisor
+```
+
+To run a pod in the sandboxed environment you just need to specify
+it using `runtimeClassName`.
+
+```yaml
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-sandboxed-pod
+spec:
+  runtimeClassName: gvisor
+  containers:
+    - name: sandboxed-container
+      image: nginx
+```
+
+Once the pod is up and running, you can verify by using `kubectl exec` to enter the
+pod and run `dmesg`. 

docs/book/src/glossary.md

@@ -58,6 +58,10 @@ ESXi (formerly ESX) is an enterprise-class, type-1 hypervisor developed by VMwar
 
 [Goss](https://github.com/goss-org/goss) is a YAML based serverspec alternative tool for validating a server’s configuration.  It is used in conjunction with [packer-provisioner-goss](https://github.com/YaleUniversity/packer-provisioner-goss/releases) to test if the images have all requisite components to work with cluster API.
 
+## gVisor
+
+[gVisor](https://gvisor.dev/docs/) an application kernel that provides isolation between running applications and the host operating system. See also [sandboxed container](#sandboxed-container).
+
 # K
 ---
 
@@ -97,6 +101,12 @@ IBM Power Systems Virtual Server is a Power Systems offering.
 
 [docs](https://cloud.ibm.com/docs/power-iaas?topic=power-iaas-about-virtual-server)
 
+# S
+
+## Sandboxed container
+
+A container run in a specialized environment that is isolated from the host kernel.
+
 # V
 ---
 

images/capi/ansible/roles/containerd/defaults/main.yml

@@ -13,3 +13,4 @@
 # limitations under the License.
 ---
 containerd_config_file: "etc/containerd/config.toml"
+containerd_gvisor_runtime: false

images/capi/ansible/roles/containerd/tasks/main.yml

@@ -177,3 +177,26 @@
   file:
     path: /tmp/containerd_wasm_shims.tar.gz
     state: absent
+
+- name: Download runsc for gvisor
+  ansible.builtin.get_url:
+    dest: "{{ sysusr_prefix }}/bin/{{ item }}"
+    url: "https://storage.googleapis.com/gvisor/releases/release/latest/{{ ansible_architecture }}/{{ item }}"
+    mode: "0755"
+    owner: root
+    group: root
+    checksum: "sha512:https://storage.googleapis.com/gvisor/releases/release/latest/{{ ansible_architecture }}/{{ item }}.sha512"
+  loop:
+    - runsc
+    - containerd-shim-runsc-v1
+  when: containerd_gvisor_runtime
+
+- name: Install runsc as a runtime
+  ansible.builtin.command:
+    cmd: >
+      {{ sysusr_prefix }}/bin/runsc install
+  register: runsc_install_output
+  when: containerd_gvisor_runtime
+  changed_when:
+    - runsc_install_output.rc == 0
+    - runsc_install_output.stderr is search('Successfully added')

images/capi/ansible/roles/containerd/templates/etc/containerd/config.toml

@@ -32,6 +32,10 @@ imports = ["/etc/containerd/conf.d/*.toml"]
   [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.wws]
     runtime_type = "io.containerd.wws.v1"
 {% endif %}
+{% if containerd_gvisor_runtime %}
+  [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.gvisor]
+    runtime_type = "io.containerd.runsc.v1"
+{% endif %}
 {% endif %}
 {% if packer_builder_type.startswith('azure') %}
   [plugins."io.containerd.grpc.v1.cri".registry.headers]

images/capi/packer/ami/packer.json

@@ -70,6 +70,7 @@
     {
       "custom_data": {
         "containerd_version": "{{user `containerd_version`}}",
+        "containerd_gvisor_runtime": "{{user `containerd_gvisor_runtime`}}",
         "kubernetes_cni_version": "{{user `kubernetes_cni_semver`}}",
         "kubernetes_version": "{{user `kubernetes_semver`}}"
       },
@@ -159,6 +160,7 @@
     "containerd_sha256": null,
     "containerd_url": "https://github.com/containerd/containerd/releases/download/v{{user `containerd_version`}}/cri-containerd-cni-{{user `containerd_version`}}-linux-amd64.tar.gz",
     "containerd_version": null,
+    "containerd_gvisor_runtime": "false",
     "crictl_url": "https://github.com/kubernetes-sigs/cri-tools/releases/download/v{{user `crictl_version`}}/crictl-v{{user `crictl_version`}}-linux-amd64.tar.gz",
     "crictl_version": null,
     "encrypted": "false",

images/capi/packer/azure/packer.json

@@ -100,6 +100,7 @@
         "build_timestamp": "{{user `build_timestamp`}}",
         "build_type": "node",
         "containerd_version": "{{user `containerd_version`}}",
+        "containerd_gvisor_runtime": "{{user `containerd_gvisor_runtime`}}",
         "kubernetes_cni_semver": "{{user `kubernetes_cni_semver`}}",
         "kubernetes_semver": "{{user `kubernetes_semver`}}",
         "kubernetes_source_type": "{{user `kubernetes_source_type`}}",
@@ -212,6 +213,7 @@
     "containerd_sha256": null,
     "containerd_url": "https://github.com/containerd/containerd/releases/download/v{{user `containerd_version`}}/cri-containerd-cni-{{user `containerd_version`}}-linux-amd64.tar.gz",
     "containerd_version": null,
+    "containerd_gvisor_runtime": "false",
     "containerd_wasm_shims_runtimes": null,
     "crictl_url": "https://github.com/kubernetes-sigs/cri-tools/releases/download/v{{user `crictl_version`}}/crictl-v{{user `crictl_version`}}-linux-amd64.tar.gz",
     "crictl_version": null,

images/capi/packer/config/containerd.json

@@ -3,5 +3,6 @@
   "containerd_cri_socket": "/var/run/containerd/containerd.sock",
   "containerd_sha256": "20da1f2252d2033594b06e1eb68dd4906ff439f83f1003b7ebacdffcb4b95bdc",
   "containerd_sha256_windows": "76595c69bfb21871de3c6537c7bf85a7e494bd13310e3ecb991a176c87d6ce2f",
-  "containerd_version": "1.7.6"
+  "containerd_version": "1.7.6",
+  "containerd_gvisor_runtime": "false"
 }

images/capi/packer/digitalocean/packer.json

@@ -57,6 +57,7 @@
     "containerd_sha256": null,
     "containerd_url": "https://github.com/containerd/containerd/releases/download/v{{user `containerd_version`}}/cri-containerd-cni-{{user `containerd_version`}}-linux-amd64.tar.gz",
     "containerd_version": null,
+    "containerd_gvisor_runtime": "false",
     "crictl_url": "https://github.com/kubernetes-sigs/cri-tools/releases/download/v{{user `crictl_version`}}/crictl-v{{user `crictl_version`}}-linux-amd64.tar.gz",
     "crictl_version": null,
     "existing_ansible_ssh_args": "{{env `ANSIBLE_SSH_ARGS`}}",

images/capi/packer/gce/packer.json

@@ -83,6 +83,7 @@
     "containerd_sha256": null,
     "containerd_url": "https://github.com/containerd/containerd/releases/download/v{{user `containerd_version`}}/cri-containerd-cni-{{user `containerd_version`}}-linux-amd64.tar.gz",
     "containerd_version": null,
+    "containerd_gvisor_runtime": "false",
     "crictl_url": "https://github.com/kubernetes-sigs/cri-tools/releases/download/v{{user `crictl_version`}}/crictl-v{{user `crictl_version`}}-linux-amd64.tar.gz",
     "crictl_version": null,
     "disable_default_service_account": "",

images/capi/packer/hcloud/packer.json

@@ -29,6 +29,7 @@
         "build_timestamp": "{{user `build_timestamp`}}",
         "build_type": "node",
         "containerd_version": "{{user `containerd_version`}}",
+        "containerd_gvisor_runtime": "{{user `containerd_gvisor_runtime`}}",
         "kubernetes_cni_semver": "{{user `kubernetes_cni_semver`}}",
         "kubernetes_semver": "{{user `kubernetes_semver`}}",
         "kubernetes_source_type": "{{user `kubernetes_source_type`}}",
@@ -124,6 +125,7 @@
     "containerd_sha256": null,
     "containerd_url": "https://github.com/containerd/containerd/releases/download/v{{user `containerd_version`}}/cri-containerd-cni-{{user `containerd_version`}}-linux-amd64.tar.gz",
     "containerd_version": null,
+    "containerd_gvisor_runtime": "false",
     "containerd_wasm_shims_runtimes": null,
     "crictl_url": "https://github.com/kubernetes-sigs/cri-tools/releases/download/v{{user `crictl_version`}}/crictl-v{{user `crictl_version`}}-linux-amd64.tar.gz",
     "crictl_version": null,

images/capi/packer/nutanix/packer.json

@@ -116,6 +116,7 @@
     "containerd_sha256": null,
     "containerd_url": "https://github.com/containerd/containerd/releases/download/v{{user `containerd_version`}}/cri-containerd-cni-{{user `containerd_version`}}-linux-amd64.tar.gz",
     "containerd_version": null,
+    "containerd_gvisor_runtime": "false",
     "cpus": "1",
     "crictl_url": "https://github.com/kubernetes-sigs/cri-tools/releases/download/v{{user `crictl_version`}}/crictl-v{{user `crictl_version`}}-linux-amd64.tar.gz",
     "crictl_version": null,

images/capi/packer/oci/packer.json

@@ -108,6 +108,7 @@
     "containerd_sha256": null,
     "containerd_url": "https://github.com/containerd/containerd/releases/download/v{{user `containerd_version`}}/cri-containerd-cni-{{user `containerd_version`}}-linux-amd64.tar.gz",
     "containerd_version": null,
+    "containerd_gvisor_runtime": "false",
     "crictl_url": "https://github.com/kubernetes-sigs/cri-tools/releases/download/v{{user `crictl_version`}}/crictl-v{{user `crictl_version`}}-linux-amd64.tar.gz",
     "crictl_version": null,
     "disable_default_service_account": "",

images/capi/packer/openstack/packer.json

@@ -103,6 +103,7 @@
     "containerd_sha256": null,
     "containerd_url": "https://github.com/containerd/containerd/releases/download/v{{user `containerd_version`}}/cri-containerd-cni-{{user `containerd_version`}}-linux-amd64.tar.gz",
     "containerd_version": null,
+    "containerd_gvisor_runtime": "false",
     "crictl_url": "https://github.com/kubernetes-sigs/cri-tools/releases/download/v{{user `crictl_version`}}/crictl-v{{user `crictl_version`}}-linux-amd64.tar.gz",
     "crictl_version": null,
     "existing_ansible_ssh_args": "{{env `ANSIBLE_SSH_ARGS`}}",

images/capi/packer/outscale/packer.json

@@ -89,6 +89,7 @@
     "containerd_sha256": null,
     "containerd_url": "https://github.com/containerd/containerd/releases/download/v{{user `containerd_version`}}/cri-containerd-cni-{{user `containerd_version`}}-linux-amd64.tar.gz",
     "containerd_version": null,
+    "containerd_gvisor_runtime": "false",
     "crictl_url": "https://github.com/kubernetes-sigs/cri-tools/releases/download/v{{user `crictl_version`}}/crictl-v{{user `crictl_version`}}-linux-amd64.tar.gz",
     "crictl_version": null,
     "distribution_release": null,

images/capi/packer/powervs/packer.json

@@ -74,6 +74,7 @@
     "containerd_sha256": null,
     "containerd_url": null,
     "containerd_version": null,
+    "containerd_gvisor_runtime": "false",
     "crictl_url": null,
     "crictl_version": null,
     "existing_ansible_ssh_args": "{{env `ANSIBLE_SSH_ARGS`}}",