Fix rootless container spawning

It turns out that Arch Linux does not come with `/etc/{subuid,subgid}`
files by default, unlike most Linux distributions. They must be present
and configured correctly in order to work, and also the `--rootless`
global runtime flag should be dropped from `crun`.

This makes the `config.json` generated by `umoci` work without the
`crun spec --rootless` hotfix we had until now, and it also finally
fixes the errors seen in `crun start <id>`!

This commit also adds a new "Troubleshooting" section to the `README.md`
which documents the creation/configuration of the `/etc/{subuid,subgid}`
files for this program, if they don't come ready with your particular
Linux distribution by default.

Author: ebkalderon

README.md

@@ -65,3 +65,45 @@ TODO
   dependencies for `#![no_std]` alternatives, or rewriting certain functionality
   ourselves with adequate tests.
 * TODO: Add more as we go along...
+
+## Troubleshooting
+
+This container engine leverages [rootless containers] for increased security,
+convenience, and flexibility. Like other rootless container engines, e.g.
+[rootless Podman], there are several Linux kernel features that must be
+available for this engine to run:
+
+[rootless containers]: https://rootlesscontaine.rs/
+[rootless Podman]: https://github.com/containers/podman/blob/master/rootless.md
+
+### 1) System must have `/etc/subuid` and `/etc/subguid`
+
+> Required for _container creation_
+
+If you see an error like this when starting containers:
+
+```text
+writing file `/proc/7109/gid_map`: Invalid argument
+setresuid(0): Invalid argument
+```
+
+then it is possible that your Linux distribution may not come with `/etc/subuid`
+and/or `etc/subgid` files, or perhaps they are configured incorrectly. For
+example, Arch Linux's version of `shadow` does not come with either file by
+default.
+
+If neither `/etc/subuid` nor `/etc/subgid` exist, you can create them like so:
+
+```bash
+USERNAME=$(whoami) # Alternatively, use a user group that you belong to.
+echo "$USERNAME:165536-169631" | sudo tee /etc/subuid /etc/subgid
+```
+
+On the other hand, if both `/etc/subuid` and `/etc/subgid` exist, but your user
+or member group is missing, you can dedicate a range of sub-UIDs and GIDs to
+yourself for use with `light-containerd`:
+
+```bash
+USERNAME=$(whoami) # Alternatively, use a user group that you belong to.
+sudo usermod --add-subuids 165536-169631 --add-subgids 165536-169631 "$USERNAME"
+```

src/container.rs

@@ -51,7 +51,6 @@ impl Container {
             .args(&["--cuuid", &uuid_str])
             .args(&["--name", &id])
             .args(&["--runtime", RUNTIME_BIN])
-            .args(&["--runtime-arg", "--rootless=true"])
             .args(&["--bundle", bundle_dir])
             .args(&["--exit-dir", exits_dir])
             .args(&["--log-path", log_file])
@@ -145,7 +144,10 @@ impl Container {
 
 impl Drop for Container {
     fn drop(&mut self) {
-        unsafe { libc::kill(self.pid, libc::SIGKILL) };
+        std::process::Command::new(RUNTIME_BIN)
+            .args(&["delete", "--force", &self.id])
+            .status()
+            .ok();
     }
 }
 

src/image.rs

@@ -10,7 +10,6 @@ use tokio::process::Command;
 
 const SKOPEO_BIN: &str = "skopeo";
 const UMOCI_BIN: &str = "umoci";
-const CRUN_BIN: &str = "crun";
 
 /// Represents a fetched OCI image.
 #[derive(Debug)]
@@ -113,28 +112,6 @@ impl OciBundle {
             ));
         }
 
-        // Replace rootless `config.json` generated by `umoci` because it doesn't work properly.
-        tokio::fs::remove_file(bundle_dir.join("config.json")).await?;
-
-        // This configuration file works properly on rootless systems, according to my testing.
-        let mut gen_rootless_spec_cmd = Command::new(CRUN_BIN);
-        let output = gen_rootless_spec_cmd
-            .stdout(Stdio::piped())
-            .stderr(Stdio::piped())
-            .args(&["spec", "--rootless"])
-            .current_dir(&bundle_dir)
-            .output()
-            .await?;
-
-        if !output.status.success() {
-            let stderr = String::from_utf8(output.stderr)?;
-            return Err(anyhow!(
-                "failed to generate rootless spec, `{:?}` returned non-zero exit status: [{}]",
-                gen_rootless_spec_cmd,
-                stderr
-            ));
-        }
-
         // Create the `exits` subdirectory so it can be used by `conmon` later.
         tokio::fs::create_dir(&exits_dir).await?;