config: Add host privileged runtime configuration

Not all runtimes are able to handle some of the kubelet
security context options, in particular the ones granting
host privileges to containers.

By adding a host privileged runtime path configuration, we
allow ocid to use a different runtime for host privileged
operations like e.g. host namespaces access.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>

cmd/ocid/config.go

@@ -42,6 +42,12 @@ listen = "{{ .Listen }}"
 # runtime is a path to the OCI runtime which ocid will be using.
 runtime = "{{ .Runtime }}"
 
+# runtime_host_privileged is a path to the OCI runtime which ocid
+# will be using for host privileged operations.
+# If this string is empty, ocid will not try to use the "runtime"
+# for all operations.
+runtime_host_privileged = "{{ .RuntimeHostPrivileged }}"
+
 # conmon is the path to conmon binary, used for managing the runtime.
 conmon = "{{ .Conmon }}"
 

server/config.go

@@ -76,6 +76,10 @@ type RuntimeConfig struct {
 	// yet merged a CLI API (so we assume runC's API here).
 	Runtime string `toml:"runtime"`
 
+	// RuntimeHostPrivileged is a path to the OCI runtime which ocid will be
+	// using for host privileged operations.
+	RuntimeHostPrivileged string `toml:"runtime_host_privileged"`
+
 	// Conmon is the path to conmon binary, used for managing the runtime.
 	Conmon string `toml:"conmon"`
 
@@ -205,8 +209,9 @@ func DefaultConfig() *Config {
 			Listen: "/var/run/ocid.sock",
 		},
 		RuntimeConfig: RuntimeConfig{
-			Runtime: "/usr/bin/runc",
-			Conmon:  conmonPath,
+			Runtime:               "/usr/bin/runc",
+			RuntimeHostPrivileged: "",
+			Conmon:                conmonPath,
 			ConmonEnv: []string{
 				"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
 			},