From 14c7e200abacdc9a5872f15905b8f6bac8c78d14 Mon Sep 17 00:00:00 2001
From: kaiyou <dev@kaiyou.fr>
Date: Sat, 15 Oct 2022 19:54:18 +0200
Subject: [PATCH] Rewrite the app main to properly invoke shims

---
 cmd/hepto.go                | 87 +++++++++++++++++++------------------
 pkg/cluster/kubeconfig.go   |  4 ++
 pkg/selfcontain/defaults.go |  3 ++
 pkg/wrappers/containerd.go  |  1 -
 4 files changed, 52 insertions(+), 43 deletions(-)

diff --git a/cmd/hepto.go b/cmd/hepto.go
index 42ba1d7..d35771e 100644
--- a/cmd/hepto.go
+++ b/cmd/hepto.go
@@ -7,56 +7,59 @@ import (
 
 	"forge.tedomum.net/acides/hepto/hepto/cmd/hepto"
 	"forge.tedomum.net/acides/hepto/hepto/cmd/shim"
+	containerd "github.com/containerd/containerd/cmd/containerd/command"
 	ctr "github.com/containerd/containerd/cmd/ctr/app"
 	"github.com/containerd/containerd/runtime/v2/runc/manager"
 	_ "github.com/containerd/containerd/runtime/v2/runc/pause"
 	_ "github.com/containerd/containerd/runtime/v2/runc/task/plugin"
 	shimv2 "github.com/containerd/containerd/runtime/v2/shim"
-	hostlocal "github.com/containernetworking/plugins/plugins/ipam/host-local"
-	"github.com/containernetworking/plugins/plugins/main/bridge"
-	"github.com/containernetworking/plugins/plugins/main/loopback"
-	"github.com/containernetworking/plugins/plugins/meta/flannel"
-	"github.com/containernetworking/plugins/plugins/meta/portmap"
-	"github.com/docker/docker/pkg/reexec"
-	"github.com/sirupsen/logrus"
+  "github.com/sirupsen/logrus"
+
+	//hostlocal "github.com/containernetworking/plugins/plugins/ipam/host-local"
+	//"github.com/containernetworking/plugins/plugins/main/bridge"
+	//"github.com/containernetworking/plugins/plugins/main/loopback"
+	//"github.com/containernetworking/plugins/plugins/meta/flannel"
+	//"github.com/containernetworking/plugins/plugins/meta/portmap"
 	"golang.org/x/sys/unix"
 	kubectl "k8s.io/kubectl/pkg/cmd"
 )
 
-func mountApp() {
-	logrus.Debug("mount with: ", os.Args)
-	err := unix.Mount(os.Args[5], os.Args[6], os.Args[2], 0, os.Args[4])
-	if err != nil {
-		logrus.Fatal("cannot mount: ", err)
-	}
-}
-
-func shimRuncApp() {
-	shimv2.RunManager(context.Background(), manager.NewShimManager("io.containerd.runc.v2"))
-}
-
-func ctrApp() {
-	app := ctr.New()
-	logrus.Fatal(app.Run(os.Args))
-}
-
-func kubectlApp() {
-	app := kubectl.NewDefaultKubectlCommand()
-	app.Execute()
-}
-
 func main() {
-	os.Args[0] = filepath.Base(os.Args[0])
-	reexec.Register("hepto", hepto.Execute)
-	reexec.Register("mount", mountApp)
-	reexec.Register("containerd-shim-runc-v2", shimRuncApp)
-	reexec.Register("containerd-shim", shim.ShimApp)
-	reexec.Register("ctr", ctrApp)
-	reexec.Register("kubectl", kubectlApp)
-	reexec.Register("host-local", hostlocal.Main)
-	reexec.Register("bridge", bridge.Main)
-	reexec.Register("flannel", flannel.Main)
-	reexec.Register("loopback", loopback.Main)
-	reexec.Register("portmap", portmap.Main)
-	reexec.Init()
+	bin := filepath.Base(os.Args[0])
+  var err error
+	if bin == "mount" {
+		// Hook the mount command for mounting configmaps
+		// This is fairly naive mount implementation, kubelet only evers calls
+		// mount with very simple very formatted arguments in that order:
+		//   mount -t tmpfs -o size=1234 /src /dst
+		err = unix.Mount(os.Args[5], os.Args[6], os.Args[2], 0, os.Args[4])
+	} else if bin == "containerd" {
+		// Containerd is also available under hepto name, guess based on
+		// call arguments
+		// This is some of an edge case, where containerd uses os.Executable
+		// to get the current binary path (hence hepto single binary) then
+		// passes that path as -publish-binary to its shim for callback
+		err = containerd.App().Run(os.Args)
+	} else if bin == "containerd-shim" {
+		// Run the containerd shim itself
+		// This is called by the shim client as the proper long-term shim
+		shim.ShimApp()
+	} else if bin == "containerd-shim-runc-v2" || (len(os.Args) > 1 && os.Args[1] == "-namespace") {
+		// Run the containerd shim client
+		// This is called as a first stage shim by embedded containerd
+		shimv2.RunManager(context.Background(), manager.NewShimManager("io.containerd.runc.v2"))
+	} else if bin == "ctr" {
+		// Run containerd cli client, for debugging purposes
+		err = ctr.New().Run(os.Args)
+	} else if bin == "kubectl" {
+		// Run kubectl client, for debugging purposes
+		err = kubectl.NewDefaultKubectlCommand().Execute()
+	} else {
+		// If no hook ran a different command, simply
+		// run hepto
+		hepto.Execute()
+	}
+  if err != nil {
+    logrus.Fatal(err)
+  }
 }
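Review bot: The mount branch of the new `main` indexes `os.Args[2]`, `[4]`, `[5]` and `[6]` without any length check, so an invocation as `mount` with fewer arguments panics with an index-out-of-range instead of a clear error; since the comment already pins the expected form `mount -t tmpfs -o size=1234 /src /dst`, guard it before the call: `if len(os.Args) != 7 || os.Args[1] != "-t" || os.Args[3] != "-o" { logrus.Fatal("mount: unsupported arguments: ", os.Args) }`. The `os.Args[1] == "-namespace"` fallback on the shim-runc-v2 branch matches regardless of `bin`, so a plain `hepto -namespace ...` invocation would start the shim manager rather than hepto; if that is intended the comment should say so, otherwise restrict it to the `containerd`/`hepto` names the shim actually calls back. Several added lines (`var err error`, the final `if err != nil` block, and the `logrus` import) are indented with spaces rather than tabs and will not survive gofmt. The five commented-out CNI imports are dead code; either remove them or add a one-line comment saying why they are kept.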
diff --git a/pkg/cluster/kubeconfig.go b/pkg/cluster/kubeconfig.go
index a33a870..6398069 100644
--- a/pkg/cluster/kubeconfig.go
+++ b/pkg/cluster/kubeconfig.go
@@ -98,6 +98,10 @@ version = 2
 
 [grpc]
   address = "{{.Socket}}"
+
+[plugins."io.containerd.snapshotter.v1.overlayfs"]
+  root_path = "/test/root/path"
+  upperdir_label = false
 `
 
 type ContainerdConfig struct {
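Review bot: The new `[plugins."io.containerd.snapshotter.v1.overlayfs"]` section hard-codes `root_path = "/test/root/path"`, which reads like a leftover placeholder rather than a deliberate value; the only other instance-specific value in this template (`{{.Socket}}`) is rendered from `ContainerdConfig`, so the snapshotter root should be a templated field too, or carry a comment explaining why it is fixed. A fixed path also means the overlay snapshots cannot follow whatever per-instance data directory the rest of the configuration uses, and two hepto instances on one host would share it. The template string and `ContainerdConfig` are only partially visible in this hunk.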
diff --git a/pkg/selfcontain/defaults.go b/pkg/selfcontain/defaults.go
index 2a3933e..3b1954b 100644
--- a/pkg/selfcontain/defaults.go
+++ b/pkg/selfcontain/defaults.go
@@ -114,6 +114,9 @@ var capabilities = []string{
 	"CAP_NET_ADMIN",
 	// Required for raw sockets, including ICMP
 	"CAP_NET_RAW",
+  // Required for unpacking archives and images
+  "CAP_CHOWN",
+  "CAP_DAC_OVERRIDE",
 }
 
 // These networks will be setup as a default base inside the container
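Review bot: `CAP_DAC_OVERRIDE` bypasses discretionary file permission checks for everything that inherits this capability set, which is considerably broader than the stated purpose of unpacking archives and images; the comment should name the component that needs it so a later reader can judge whether it can be dropped again, e.g. `// Required by containerd image unpack: layer files are chown'ed and overwritten regardless of mode bits`. Whether `CAP_CHOWN` alone would cover the ownership changes cannot be told from this hunk. The three added lines are indented with two spaces while the surrounding entries use a tab, so gofmt will reflow them. The `capabilities` slice begins before this hunk.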
diff --git a/pkg/wrappers/containerd.go b/pkg/wrappers/containerd.go
index a81db50..b52ecbb 100644
--- a/pkg/wrappers/containerd.go
+++ b/pkg/wrappers/containerd.go
@@ -28,7 +28,6 @@ import (
 	_ "github.com/containerd/containerd/services/sandbox"
 	_ "github.com/containerd/containerd/services/tasks"
 	_ "github.com/containerd/containerd/services/version"
-	_ "github.com/containerd/containerd/snapshots/native/plugin"
 	_ "github.com/containerd/containerd/snapshots/overlay/plugin"
 )
 
-- 
GitLab