feat: add gvisor

This PR adds an example system extension for gvisor.

Signed-off-by: Andrew Rynhard <andrew@rynhard.io>

.drone.yaml

@@ -0,0 +1,124 @@
+kind: pipeline
+name: default
+type: kubernetes
+
+steps:
+  - name: setup-ci
+    image: autonomy/build-container:latest
+    commands:
+      - git fetch --tags
+      - install-ci-key
+      - setup-buildx-amd64-arm64
+    environment:
+      SSH_KEY:
+        from_secret: ssh_key
+      DOCKER_CLI_EXPERIMENTAL: enabled
+    resources:
+      requests:
+        cpu: 24000
+        memory: 48GiB
+    volumes:
+      - name: docker-socket
+        path: /var/run
+      - name: ssh
+        path: /root/.ssh
+      - name: docker
+        path: /root/.docker/buildx
+
+  - name: build-pull-request
+    image: autonomy/build-container:latest
+    pull: always
+    environment:
+      DOCKER_CLI_EXPERIMENTAL: enabled
+    commands:
+      - make
+    when:
+      event:
+        include:
+          - pull_request
+    volumes:
+      - name: docker-socket
+        path: /var/run
+      - name: ssh
+        path: /root/.ssh
+      - name: docker
+        path: /root/.docker/buildx
+
+  - name: build-nonfree-pull-request
+    image: autonomy/build-container:latest
+    pull: always
+    environment:
+      DOCKER_CLI_EXPERIMENTAL: enabled
+    commands:
+      - make nonfree
+    when:
+      event:
+        include:
+          - pull_request
+    volumes:
+      - name: docker-socket
+        path: /var/run
+      - name: ssh
+        path: /root/.ssh
+      - name: docker
+        path: /root/.docker/buildx
+
+  - name: build-and-publish
+    image: autonomy/build-container:latest
+    pull: always
+    environment:
+      GHCR_USERNAME:
+        from_secret: ghcr_username
+      GHCR_PASSWORD:
+        from_secret: ghcr_token
+    commands:
+      - docker login ghcr.io --username "$${GHCR_USERNAME}" --password "$${GHCR_PASSWORD}"
+      - make PUSH=true
+    when:
+      event:
+        exclude:
+          - pull_request
+    volumes:
+      - name: docker-socket
+        path: /var/run
+      - name: ssh
+        path: /root/.ssh
+      - name: docker
+        path: /root/.docker/buildx
+
+volumes:
+  - name: docker-socket
+    host:
+      path: /var/ci-docker
+  - name: docker
+    temp: {}
+  - name: ssh
+    temp: {}
+---
+kind: pipeline
+type: kubernetes
+name: notify
+
+clone:
+  disable: true
+
+steps:
+  - name: slack
+    image: plugins/slack
+    settings:
+      webhook:
+        from_secret: slack_webhook
+      channel: proj-talos-maintainers
+    when:
+      status:
+        - success
+        - failure
+
+trigger:
+  status:
+    - success
+    - failure
+
+depends_on:
+  - default
+

Makefile

@@ -0,0 +1,66 @@
+REGISTRY ?= ghcr.io
+USERNAME ?= talos-systems
+SHA ?= $(shell git describe --match=none --always --abbrev=8 --dirty)
+TAG ?= $(shell git describe --tag --always --dirty)
+BRANCH ?= $(shell git rev-parse --abbrev-ref HEAD)
+REGISTRY_AND_USERNAME := $(REGISTRY)/$(USERNAME)
+
+BUILD := docker buildx build
+PLATFORM ?= linux/amd64,linux/arm64
+PROGRESS ?= auto
+PUSH ?= false
+COMMON_ARGS := --file=Pkgfile
+COMMON_ARGS += --progress=$(PROGRESS)
+COMMON_ARGS += --platform=$(PLATFORM)
+COMMON_ARGS += --build-arg=http_proxy=$(http_proxy)
+COMMON_ARGS += --build-arg=https_proxy=$(https_proxy)
+
+, := ,
+empty :=
+space = $(empty) $(empty)
+
+TARGETS =  gvisor
+NONFREE_TARGETS =
+
+all: $(TARGETS) ## Builds all known pkgs.
+
+nonfree: $(NONFREE_TARGETS) ## Builds all known non-free pkgs.
+
+.PHONY: help
+help: ## This help menu.
+	@grep -E '^[a-zA-Z%_-]+:.*?## .*$$' $(MAKEFILE_LIST) | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'
+
+local-%: ## Builds the specified target defined in the Dockerfile using the local output type. The build result will be output to the specified local destination.
+	@$(MAKE) target-$* TARGET_ARGS="--output=type=local,dest=$(DEST) $(TARGET_ARGS)"
+	@PLATFORM=$(PLATFORM) \
+
+target-%: ## Builds the specified target defined in the Dockerfile. The build result will only remain in the build cache.
+	@$(BUILD) \
+		--target=$* \
+		$(COMMON_ARGS) \
+		$(TARGET_ARGS) .
+
+docker-%: ## Builds the specified target defined in the Dockerfile using the docker output type. The build result will be loaded into docker.
+	@$(MAKE) target-$* TARGET_ARGS="$(TARGET_ARGS)"
+
+.PHONY: $(TARGETS) $(NONFREE_TARGETS)
+$(TARGETS) $(NONFREE_TARGETS):
+	@$(MAKE) docker-$@ TARGET_ARGS="--tag=$(REGISTRY)/$(USERNAME)/$@:$(TAG) --push=$(PUSH)"
+
+.PHONY: deps.png
+deps.png:
+	bldr graph | dot -Tpng > deps.png
+
+kernel-%: ## Updates the kernel configs: e.g. make kernel-olddefconfig; make kernel-menuconfig; etc.
+	for platform in $(subst $(,),$(space),$(PLATFORM)); do \
+		arch=`basename $$platform` ; \
+		$(MAKE) docker-kernel-prepare PLATFORM=$$platform TARGET_ARGS="--tag=$(REGISTRY)/$(USERNAME)/kernel:$(TAG)-$$arch --load"; \
+		docker run --rm -it --entrypoint=/toolchain/bin/bash -e PATH=/toolchain/bin:/bin -w /src -v $$PWD/kernel/build/config-$$arch:/host/.hostconfig $(REGISTRY)/$(USERNAME)/kernel:$(TAG)-$$arch -c 'cp /host/.hostconfig .config && make $* && cp .config /host/.hostconfig'; \
+	done
+
+# Utilities
+
+.PHONY: conformance
+conformance: ## Performs policy checks against the commit and source code.
+	docker run --rm -it -v $(PWD):/src -w /src ghcr.io/talos-systems/conform:v0.1.0-alpha.22 enforce
+

Pkgfile

@@ -0,0 +1,9 @@
+# syntax = ghcr.io/talos-systems/bldr:v0.2.0-alpha.6-frontend
+
+format: v1alpha2
+
+vars:
+  TOOLS_IMAGE: ghcr.io/talos-systems/tools:v0.10.0-alpha.0-1-g67314b1
+
+labels:
+  org.opencontainers.image.source: https://github.com/talos-systems/extensions

base/pkg.yaml

@@ -0,0 +1,21 @@
+name: base
+variant: scratch
+shell: /toolchain/bin/bash
+dependencies:
+  - image: "{{ .TOOLS_IMAGE }}"
+  - stage: musl
+    runtime: yes
+steps:
+  - prepare:
+      - |
+        cp -R /toolchain/lib/gcc /lib
+        cp -R /toolchain/lib/libgcc* /lib
+        cp -R /toolchain/lib/libz* /lib
+        mkdir /bin
+        ln -sv /toolchain/bin/bash /bin/bash
+        ln -sv /toolchain/bin/bash /bin/sh
+        ln -sv /toolchain/bin/pwd /bin/pwd
+        adjust.sh
+finalize:
+  - from: /
+    to: /

gvisor/gvisor.part

@@ -0,0 +1,2 @@
+[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runsc]
+  runtime_type = "io.containerd.runsc.v1"

gvisor/manifest.yaml

@@ -0,0 +1,10 @@
+version: v1alpha1
+metadata:
+  name: gvisor
+  version: 20220117.0-v1.0.0
+  author: Andrew Rynhard
+  description: |
+    This system extension provides gVisor using containerd's runtime handler.
+  compatibility:
+    talos:
+      version: ">= v1.0.0"

gvisor/pkg.yaml

@@ -0,0 +1,50 @@
+name: gvisor
+variant: scratch
+shell: /toolchain/bin/bash
+dependencies:
+  - stage: base
+steps:
+  - sources:
+      # sync with commit in build
+      - url: https://github.com/google/gvisor/archive/c1512ec8067c772473a4d6bad12953848eab8552.tar.gz
+        destination: gvisor.tar.gz
+        sha256: df41a38cc4d6068e6475f2f0a29c083bf11fd682869957b1b325980d3892725b
+        sha512: f4fd4bd5fbf482fceb7c46311c5dfd808cbf40e921c5f92ce4011f9b58e477af0dc3d5da8e1175c7ff22ad42d8351d6e8b9d8cc4d8339ded7cd782d617331002
+    env:
+      GOPATH: /go
+    prepare:
+      - |
+        mkdir -p /etc/ssl/certs/
+        ln -s /toolchain/etc/ssl/certs/ca-certificates /etc/ssl/certs/ca-certificates
+
+        mkdir -p ${GOPATH}/src/github.com/google/gvisor
+
+        tar -xzf gvisor.tar.gz --strip-components=1 -C ${GOPATH}/src/github.com/google/gvisor
+    build:
+      - |
+        export PATH=${PATH}:${TOOLCHAIN}/go/bin
+        cd ${GOPATH}/src/github.com/google/gvisor
+
+        mkdir ./bin
+
+        CGO_ENABLED=0 go build -o ./bin/runsc ./runsc
+
+        CGO_ENABLED=0 go build -o ./bin/containerd-shim-runsc-v1 ./shim
+    install:
+      - |
+        mkdir -p /rootfs/usr/local/bin
+
+        cd ${GOPATH}/src/github.com/google/gvisor
+
+        cp ./bin/runsc /rootfs/usr/local/bin/runsc
+        chmod +x /rootfs/usr/local/bin/runsc
+
+        cp ./bin/containerd-shim-runsc-v1 /rootfs/usr/local/bin/containerd-shim-runsc-v1
+        chmod +x /rootfs/usr/local/bin/containerd-shim-runsc-v1
+finalize:
+  - from: /rootfs
+    to: /rootfs
+  - from: /pkg/manifest.yaml
+    to: /
+  - from: /pkg/gvisor.part
+    to: /rootfs/etc/cri/conf.d/gvisor.part

musl/pkg.yaml

@@ -0,0 +1,41 @@
+name: musl
+variant: scratch
+shell: /toolchain/bin/bash
+dependencies:
+  - image: "{{ .TOOLS_IMAGE }}"
+steps:
+  - sources:
+      - url: https://www.musl-libc.org/releases/musl-1.2.2.tar.gz
+        destination: musl.tar.gz
+        sha256: 9b969322012d796dc23dda27a35866034fa67d8fb67e0e2c45c913c3d43219dd
+        sha512: 5344b581bd6463d71af8c13e91792fa51f25a96a1ecbea81e42664b63d90b325aeb421dfbc8c22e187397ca08e84d9296a0c0c299ba04fa2b751d6864914bd82
+    prepare:
+      - |
+        export PATH=${TOOLCHAIN}/cross/bin:${PATH}
+
+        tar -xzf musl.tar.gz --strip-components=1
+
+        mkdir /bin
+        ln -sv /toolchain/bin/bash /bin/sh
+
+        mkdir build
+        cd build
+
+        # From https://www.musl-libc.org/doc/1.0.0/manual.html:
+        #    $(syslibdir), $(includedir), and $(libdir) refer to the paths
+        #    chosen at build time (by default, /lib, $(prefix)/include, and
+        #    $(prefix)/lib, respectively)
+        ../configure \
+        --prefix=/usr
+    build:
+      - |
+        cd build
+        make -j $(nproc)
+    install:
+      - |
+        cd build
+        make DESTDIR=/rootfs install
+finalize:
+  - from: /rootfs
+    to: /
+