docs: rootless podman support (#6026)

bpmct · web-flow · commit 968d7e4dc566 · 2023-02-06T08:05:38.000-06:00
* rootless podman WIP

* docs: rootless podman support
diff --git a/docs/templates/docker-in-docker.md b/docs/templates/docker-in-docker.md
@@ -2,10 +2,11 @@
 
 There are a few ways to run Docker within container-based Coder workspaces.
 
-| Method                                                     | Description                                                                                                          | Limitations                                                                                                                                                                                                 |
-| ---------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| [Sysbox container runtime](#sysbox-container-runtime)      | Install sysbox on your Kubernetes nodes for secure docker-in-docker and systemd-in-docker. Works with GKE, EKS, AKS. | Requires [compatible nodes](https://github.com/nestybox/sysbox#host-requirements). Max of 16 sysbox pods per node. [See all](https://github.com/nestybox/sysbox/blob/master/docs/user-guide/limitations.md) |
-| [Privileged docker sidecar](#privileged-sidecar-container) | Run docker as a privilged sidecar container.                                                                         | Requires a privileged container. Workspaces can break out to root on the host machine.                                                                                                                      |
+| Method                                                                                | Description                                                                                                                              | Limitations                                                                                                                                                                                                 |
+| ------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| [Sysbox container runtime](#sysbox-container-runtime)                                 | Install the sysbox runtime on your Kubernetes nodes for secure docker-in-docker and systemd-in-docker. Works with GKE, EKS, AKS.         | Requires [compatible nodes](https://github.com/nestybox/sysbox#host-requirements). Max of 16 sysbox pods per node. [See all](https://github.com/nestybox/sysbox/blob/master/docs/user-guide/limitations.md) |
+| [Rootless Podman](https://github.com/bpmct/coder-templates/tree/main/rootless-podman) | Run podman inside Coder workspaces. Does not require a custom runtime or privileged containers. Works with GKE, EKS, AKS, RKE, OpenShift | Requires smarter-device-manager for FUSE mounts. [See all](https://github.com/containers/podman/blob/main/rootless.md#shortcomings-of-rootless-podman)                                                      |
+| [Privileged docker sidecar](#privileged-sidecar-container)                            | Run docker as a privileged sidecar container.                                                                                            | Requires a privileged container. Workspaces can break out to root on the host machine.                                                                                                                      |
 
 ## Sysbox container runtime
 
@@ -109,6 +110,75 @@ resource "kubernetes_pod" "dev" {
 
 > Sysbox CE (Community Edition) supports a maximum of 16 pods (workspaces) per node on Kubernetes. See the [Sysbox documentation](https://github.com/nestybox/sysbox/blob/master/docs/user-guide/install-k8s.md#limitations) for more details.
 
+## Rootless podman
+
+[Podman](https://docs.podman.io/en/latest/) is Docker alternative that is compatible with OCI containers specification. which can run rootless inside Kubernetes pods. No custom RuntimeClass is required.
+
+Prior to completing the steps below, please review the following Podman documentation:
+
+- [Basic setup and use of Podman in a rootless environment](https://github.com/containers/podman/blob/main/docs/tutorials/rootless_tutorial.md)
+
+- [Shortcomings of Rootless Podman](https://github.com/containers/podman/blob/main/rootless.md#shortcomings-of-rootless-podman)
+
+1. Enable [smart-device-manager](https://gitlab.com/arm-research/smarter/smarter-device-manager#enabling-access) to securely expose a FUSE devices to pods.
+
+   ```sh
+     cat <<EOF | kubectl create -f -
+     apiVersion: apps/v1
+     kind: DaemonSet
+     metadata:
+     name: fuse-device-plugin-daemonset
+     namespace: kube-system
+     spec:
+     selector:
+     matchLabels:
+         name: fuse-device-plugin-ds
+     template:
+     metadata:
+         labels:
+         name: fuse-device-plugin-ds
+     spec:
+         hostNetwork: true
+         containers:
+         - image: soolaugust/fuse-device-plugin:v1.0
+         name: fuse-device-plugin-ctr
+         securityContext:
+             allowPrivilegeEscalation: false
+             capabilities:
+             drop: ["ALL"]
+         volumeMounts:
+             - name: device-plugin
+             mountPath: /var/lib/kubelet/device-plugins
+         volumes:
+         - name: device-plugin
+             hostPath:
+             path: /var/lib/kubelet/device-plugins
+         imagePullSecrets:
+         - name: registry-secret
+     EOF
+   ```
+
+2. Be sure to label your nodes to enable smarter-device-manager:
+
+   ```sh
+   kubectl get nodes
+   kubectl label nodes --all smarter-device-manager=enabled
+   ```
+
+   > ⚠️ **Warning**: If you are using a managed Kubernetes distribution (e.g. AKS, EKS, GKE), be sure to set node labels via your cloud provider. Otherwise, your nodes may drop the labels and break podman functionality.
+
+3. For systems running SELinux (typically Fedora-, CentOS-, and Red Hat-based systems), you may need to disable SELinux or set it to permissive mode.
+
+4. Import our [kubernetes-podman](https://github.com/coder/coder/tree/main/examples/templates/kubernetes-podman) example template, or make your own.
+
+   ```sh
+   echo "kubernetes-podman" | coder templates init
+   cd ./kubernetes-podman
+   coder templates create
+   ```
+
+   > For more information around the requirements of rootless podman pods, see: [How to run Podman inside of Kubernetes](https://www.redhat.com/sysadmin/podman-inside-kubernetes)
+
 ## Privileged sidecar container
 
 A [privileged container](https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities) can be added to your templates to add docker support. This may come in handy if your nodes cannot run Sysbox.
diff --git a/examples/templates/kubernetes-with-podman/README.md b/examples/templates/kubernetes-with-podman/README.md
@@ -0,0 +1,117 @@
+---
+name: Develop in Kubernetes
+description: Get started with Kubernetes development.
+tags: [cloud, kubernetes]
+icon: /icon/k8s.png
+---
+
+# Getting started
+
+This template creates [rootless podman](./images) pods with either an Ubuntu or Fedora base image.
+
+> **Warning**: This template requires additional configuration on the Kubernetes cluster, such as installing `smarter-device-manager` for FUSE mounts. See our [Docker-in-Docker documentation](https://coder.com/docs/v2/latest/templates/docker-in-docker#rootless-podman) for instructions.
+
+Base images are pushed to [Docker Hub](https://hub.docker.com//codercom)
+
+## RBAC
+
+The Coder provisioner requires permission to administer pods to use this template. The template
+creates workspaces in a single Kubernetes namespace, using the `workspaces_namespace` parameter set
+while creating the template.
+
+Create a role as follows and bind it to the user or service account that runs the coder host.
+
+```yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: coder
+rules:
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["*"]
+```
+
+## Authentication
+
+This template can authenticate using in-cluster authentication, or using a kubeconfig local to the
+Coder host. For additional authentication options, consult the [Kubernetes provider
+documentation](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs).
+
+### kubeconfig on Coder host
+
+If the Coder host has a local `~/.kube/config`, you can use this to authenticate
+with Coder. Make sure this is done with same user that's running the `coder` service.
+
+To use this authentication, set the parameter `use_kubeconfig` to true.
+
+### In-cluster authentication
+
+If the Coder host runs in a Pod on the same Kubernetes cluster as you are creating workspaces in,
+you can use in-cluster authentication.
+
+To use this authentication, set the parameter `use_kubeconfig` to false.
+
+The Terraform provisioner will automatically use the service account associated with the pod to
+authenticate to Kubernetes. Be sure to bind a [role with appropriate permission](#rbac) to the
+service account. For example, assuming the Coder host runs in the same namespace as you intend
+to create workspaces:
+
+```yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: coder
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: coder
+subjects:
+  - kind: ServiceAccount
+    name: coder
+roleRef:
+  kind: Role
+  name: coder
+  apiGroup: rbac.authorization.k8s.io
+```
+
+Then start the Coder host with `serviceAccountName: coder` in the pod spec.
+
+## Namespace
+
+The target namespace in which the pod will be deployed is defined via the `coder_workspace`
+variable. The namespace must exist prior to creating workspaces.
+
+## Persistence
+
+The `/home/coder` directory in this example is persisted via the attached PersistentVolumeClaim.
+Any data saved outside of this directory will be wiped when the workspace stops.
+
+Since most binary installations and environment configurations live outside of
+the `/home` directory, we suggest including these in the `startup_script` argument
+of the `coder_agent` resource block, which will run each time the workspace starts up.
+
+For example, when installing the `aws` CLI, the install script will place the
+`aws` binary in `/usr/local/bin/aws`. To ensure the `aws` CLI is persisted across
+workspace starts/stops, include the following code in the `coder_agent` resource
+block of your workspace template:
+
+```terraform
+resource "coder_agent" "main" {
+  startup_script = <<-EOT
+    set -e
+    # install AWS CLI
+    curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
+    unzip awscliv2.zip
+    sudo ./aws/install
+  EOT
+}
+```
+
+## code-server
+
+`code-server` is installed via the `startup_script` argument in the `coder_agent`
+resource block. The `coder_app` resource is defined to access `code-server` through
+the dashboard UI over `localhost:13337`.
diff --git a/examples/templates/kubernetes-with-podman/images/Dockerfile.fedora b/examples/templates/kubernetes-with-podman/images/Dockerfile.fedora
@@ -0,0 +1,35 @@
+FROM registry.fedoraproject.org/fedora:latest
+
+LABEL org.opencontainers.image.description="Base Fedora image for rootless podman in Coder. See https://coder.com/docs/v2/latest/templates/docker-in-docker#rootless-podman"
+
+RUN dnf -y update && \
+    rpm --setcaps shadow-utils 2>/dev/null && \
+    dnf -y install podman fuse-overlayfs openssh-clients \
+        --exclude container-selinux && \
+    dnf clean all && \
+    rm -rf /var/cache /var/log/dnf* /var/log/yum.*
+
+RUN useradd podman; \
+echo -e "podman:1:999\npodman:1001:64535" > /etc/subuid; \
+echo -e "podman:1:999\npodman:1001:64535" > /etc/subgid;
+
+ADD containers.conf /etc/containers/containers.conf
+ADD storage.conf /etc/containers/storage.conf
+RUN chmod 644 /etc/containers/containers.conf && \
+    chmod 644 /etc/containers/storage.conf
+
+RUN mkdir -p /var/lib/shared/overlay-images \
+             /var/lib/shared/overlay-layers \
+             /var/lib/shared/vfs-images \
+             /var/lib/shared/vfs-layers && \
+    touch /var/lib/shared/overlay-images/images.lock && \
+    touch /var/lib/shared/overlay-layers/layers.lock && \
+    touch /var/lib/shared/vfs-images/images.lock && \
+    touch /var/lib/shared/vfs-layers/layers.lock
+
+# Alias "docker" to "podman"
+RUN ln -s /usr/bin/podman /usr/bin/docker
+
+USER podman
+
+ENV _CONTAINERS_USERNS_CONFIGURED=""
diff --git a/examples/templates/kubernetes-with-podman/images/Dockerfile.ubuntu b/examples/templates/kubernetes-with-podman/images/Dockerfile.ubuntu
@@ -0,0 +1,59 @@
+FROM ubuntu:22.04
+
+LABEL org.opencontainers.image.description="Base Ubuntu image for rootless podman in Coder. See https://coder.com/docs/v2/latest/templates/docker-in-docker#rootless-podman"
+
+USER root
+
+# Install dependencies
+RUN apt-get update && apt-get install -y sudo gnupg2 curl vim fuse-overlayfs libvshadow-utils openssh-client
+
+# Install podman
+RUN mkdir -p /etc/apt/keyrings
+RUN curl -fsSL https://download.opensuse.org/repositories/devel:kubic:libcontainers:unstable/xUbuntu_22.04/Release.key \
+  | gpg --dearmor \
+  | tee /etc/apt/keyrings/devel_kubic_libcontainers_unstable.gpg > /dev/null
+RUN echo \
+  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/devel_kubic_libcontainers_unstable.gpg]\
+    https://download.opensuse.org/repositories/devel:kubic:libcontainers:unstable/xUbuntu_22.04/ /" \
+  | tee /etc/apt/sources.list.d/devel:kubic:libcontainers:unstable.list > /dev/null
+RUN apt-get update && apt-get -y install podman
+
+RUN setcap cap_setuid+ep /usr/bin/newuidmap
+RUN setcap cap_setgid+ep /usr/bin/newgidmap
+RUN chmod 0755 /usr/bin/newuidmap
+RUN chmod 0755 /usr/bin/newgidmap
+
+RUN useradd podman
+RUN echo "podman:100000:65536" > /etc/subuid
+RUN echo "podman:100000:65536" > /etc/subgid
+RUN echo "podman ALL=(ALL) NOPASSWD:ALL" | sudo tee -a /etc/sudoers
+
+ADD containers.conf /etc/containers/containers.conf
+ADD storage.conf /etc/containers/storage.conf
+RUN chmod 644 /etc/containers/containers.conf && \
+  chmod 644 /etc/containers/storage.conf
+
+RUN mkdir -p /home/podman/.local/share/containers && \
+    chown podman:podman -R /home/podman && \
+    chmod 644 /etc/containers/containers.conf
+
+RUN mkdir -p /var/lib/shared/overlay-images \
+             /var/lib/shared/overlay-layers \
+             /var/lib/shared/vfs-images \
+             /var/lib/shared/vfs-layers && \
+    touch /var/lib/shared/overlay-images/images.lock && \
+    touch /var/lib/shared/overlay-layers/layers.lock && \
+    touch /var/lib/shared/vfs-images/images.lock && \
+    touch /var/lib/shared/vfs-layers/layers.lock
+
+ENV _CONTAINERS_USERNS_CONFIGURED=""
+
+# Alias "docker" to "podman"
+RUN ln -s /usr/bin/podman /usr/bin/docker
+
+RUN chsh -s /bin/bash podman
+
+
+USER podman
+
+ENV SHELL=/bin/bash
diff --git a/examples/templates/kubernetes-with-podman/images/containers.conf b/examples/templates/kubernetes-with-podman/images/containers.conf
@@ -0,0 +1,16 @@
+[containers]
+netns="host"
+userns="host"
+ipcns="host"
+utsns="host"
+cgroupns="host"
+cgroups="disabled"
+log_driver = "k8s-file"
+volumes = [
+	"/proc:/proc",
+]
+default_sysctls = []
+[engine]
+cgroup_manager = "cgroupfs"
+events_logger="file"
+runtime="crun"
diff --git a/examples/templates/kubernetes-with-podman/images/storage.conf b/examples/templates/kubernetes-with-podman/images/storage.conf
diff --git a/examples/templates/kubernetes-with-podman/main.tf b/examples/templates/kubernetes-with-podman/main.tf
