Implement the `runsc features` command

[milantracy]

Description

implement runsc features that is similar to runc features command

$ runc features
{
    "ociVersionMin": "1.0.0",
    "ociVersionMax": "1.2.0",
    "hooks": [
        "prestart",
        "createRuntime",
        "createContainer",
        "startContainer",
        "poststart",
        "poststop"
    ],
    "mountOptions": [
        "async",
        "atime",
        "bind",
        "defaults",
        "dev",
        "diratime",
        "dirsync",
        "exec",
        "iversion",
        "lazytime",
        "loud",
        "mand",
        "noatime",
        "nodev",
        "nodiratime",
        "noexec",
        "noiversion",
        "nolazytime",
        "nomand",
        "norelatime",
        "nostrictatime",
        "nosuid",
        "nosymfollow",
        "private",
        "ratime",
        "rbind",
        "rdev",
        "rdiratime",
        "relatime",
        "remount",
        "rexec",
        "rnoatime",
        "rnodev",
        "rnodiratime",
        "rnoexec",
        "rnorelatime",
        "rnostrictatime",
        "rnosuid",
        "rnosymfollow",
        "ro",
        "rprivate",
        "rrelatime",
        "rro",
        "rrw",
        "rshared",
        "rslave",
        "rstrictatime",
        "rsuid",
        "rsymfollow",
        "runbindable",
        "rw",
        "shared",
        "silent",
        "slave",
        "strictatime",
        "suid",
        "symfollow",
        "sync",
        "tmpcopyup",
        "unbindable"
    ],
    "linux": {
        "namespaces": [
            "cgroup",
            "ipc",
            "mount",
            "network",
            "pid",
            "time",
            "user",
            "uts"
        ],
        "capabilities": [
            "CAP_CHOWN",
            "CAP_DAC_OVERRIDE",
            "CAP_DAC_READ_SEARCH",
            "CAP_FOWNER",
            "CAP_FSETID",
            "CAP_KILL",
            "CAP_SETGID",
            "CAP_SETUID",
            "CAP_SETPCAP",
            "CAP_LINUX_IMMUTABLE",
            "CAP_NET_BIND_SERVICE",
            "CAP_NET_BROADCAST",
            "CAP_NET_ADMIN",
            "CAP_NET_RAW",
            "CAP_IPC_LOCK",
            "CAP_IPC_OWNER",
            "CAP_SYS_MODULE",
            "CAP_SYS_RAWIO",
            "CAP_SYS_CHROOT",
            "CAP_SYS_PTRACE",
            "CAP_SYS_PACCT",
            "CAP_SYS_ADMIN",
            "CAP_SYS_BOOT",
            "CAP_SYS_NICE",
            "CAP_SYS_RESOURCE",
            "CAP_SYS_TIME",
            "CAP_SYS_TTY_CONFIG",
            "CAP_MKNOD",
            "CAP_LEASE",
            "CAP_AUDIT_WRITE",
            "CAP_AUDIT_CONTROL",
            "CAP_SETFCAP",
            "CAP_MAC_OVERRIDE",
            "CAP_MAC_ADMIN",
            "CAP_SYSLOG",
            "CAP_WAKE_ALARM",
            "CAP_BLOCK_SUSPEND",
            "CAP_AUDIT_READ",
            "CAP_PERFMON",
            "CAP_BPF",
            "CAP_CHECKPOINT_RESTORE"
        ],
        "cgroup": {
            "v1": true,
            "v2": true,
            "systemd": true,
            "systemdUser": true,
            "rdma": true
        },
        "seccomp": {
            "enabled": true,
            "actions": [
                "SCMP_ACT_ALLOW",
                "SCMP_ACT_ERRNO",
                "SCMP_ACT_KILL",
                "SCMP_ACT_KILL_PROCESS",
                "SCMP_ACT_KILL_THREAD",
                "SCMP_ACT_LOG",
                "SCMP_ACT_NOTIFY",
                "SCMP_ACT_TRACE",
                "SCMP_ACT_TRAP"
            ],
            "operators": [
                "SCMP_CMP_EQ",
                "SCMP_CMP_GE",
                "SCMP_CMP_GT",
                "SCMP_CMP_LE",
                "SCMP_CMP_LT",
                "SCMP_CMP_MASKED_EQ",
                "SCMP_CMP_NE"
            ],
            "archs": [
                "SCMP_ARCH_AARCH64",
                "SCMP_ARCH_ARM",
                "SCMP_ARCH_MIPS",
                "SCMP_ARCH_MIPS64",
                "SCMP_ARCH_MIPS64N32",
                "SCMP_ARCH_MIPSEL",
                "SCMP_ARCH_MIPSEL64",
                "SCMP_ARCH_MIPSEL64N32",
                "SCMP_ARCH_PPC",
                "SCMP_ARCH_PPC64",
                "SCMP_ARCH_PPC64LE",
                "SCMP_ARCH_RISCV64",
                "SCMP_ARCH_S390",
                "SCMP_ARCH_S390X",
                "SCMP_ARCH_X32",
                "SCMP_ARCH_X86",
                "SCMP_ARCH_X86_64"
            ],
            "knownFlags": [
                "SECCOMP_FILTER_FLAG_TSYNC",
                "SECCOMP_FILTER_FLAG_SPEC_ALLOW",
                "SECCOMP_FILTER_FLAG_LOG"
            ],
            "supportedFlags": [
                "SECCOMP_FILTER_FLAG_TSYNC",
                "SECCOMP_FILTER_FLAG_SPEC_ALLOW",
                "SECCOMP_FILTER_FLAG_LOG"
            ]
        },
        "apparmor": {
            "enabled": true
        },
        "selinux": {
            "enabled": true
        },
        "intelRdt": {
            "enabled": true
        },
        "mountExtensions": {
            "idmap": {
                "enabled": true
            }
        }
    },
    "annotations": {
        "io.github.seccomp.libseccomp.version": "2.5.5",
        "org.opencontainers.runc.checkpoint.enabled": "true",
        "org.opencontainers.runc.commit": "v1.2.4-0-g6c52b3f",
        "org.opencontainers.runc.version": "1.2.4"
    },
    "potentiallyUnsafeConfigAnnotations": [
        "bundle",
        "org.systemd.property.",
        "org.criu.config"
    ]
}

Is this feature related to a specific bug?

No response

Do you have a specific solution in mind?

No response

[XueSongTap]

Can I work on this ?

[milantracy]

sure, let us know if you need help

[EtiennePerot]

Is this used by containerd or something similar?

[milantracy]

Is this used by containerd or something similar?

It is used by containerd while not a must have

[XueSongTap]

@milantracy @EtiennePerot Hi，I encountered a Bazel build issue while implementing the features command. I wanted to use the github.com/opencontainers/runtime-spec/specs-go/features package to maintain consistency with the OCI specification, but the Bazel build failed with the error:

ERROR: no such package '@@com_github_opencontainers_runtime_spec//specs-go/features': BUILD file not found in directory 'specs-go/features' of external repository @@com_github_opencontainers_runtime_spec. Add a BUILD file to a directory to mark it as a package.

Investigation Findings:

• The issue is that the specs-go/features directory in the runtime-spec repository lacks the BUILD file required for Bazel builds
• Attempting to add the dependency @com_github_opencontainers_runtime_spec//specs-go/features:go_default_library doesn't work
• I looked at how the Kubernetes project handles this issue and found that Kubernetes doesn't use the features package

Possible Solutions:

1. Define an equivalent Features struct in our code to avoid depending on the external package
2. Use a simple map structure instead of a struct to represent the feature list
3. Create a custom BUILD file in our project and add it to the external repository path
4. Use the Gazelle tool to automatically generate BUILD files for the external repository

Request for Suggestions:

I'm inclined to use solution 1 defining our own Features struct in our code. This avoids the dependency issue while still maintaining structural consistency with the OCI specification. What are your thoughts on this approach, or do you have other better solutions?

[milantracy]

you could use youki-dev/youki#815 as a reference

iiuc, you don't have to import any new package, com_github_opencontainers_runtime_spec//specs-go is imported at

gvisor/WORKSPACE

Lines 339 to 344 in f45c79e

	go_repository(
	name = "com_github_opencontainers_runtime_spec",
	importpath = "github.com/opencontainers/runtime-spec",
	sum = "h1:wHa9jroFfKGQqFHj0I1fMRKLl0pfj+ynAqBxo3v6u9w=",
	version = "v1.1.0-rc.1",
	)

, the issue is that the version v1.1.0-rc.1 doesn't have the package features, which was introduced at v1.1.0-rc.2 see https://pkg.go.dev/github.com/opencontainers/runtime-spec@v1.2.1/specs-go/features?tab=versions

please patch #11651