feat: Enhance OCI runtime spec generation with user namespace support and seccomp configuration

[garnizeh]

This pull request introduces a new networking engine (Beam) for managing container networks, adds its supporting configuration and test files, and updates dependencies to support CNI and testing. The most important changes include the implementation of the Beam networking manager, the addition of default configuration files for CNI and seccomp, and the introduction of comprehensive failure-mode tests for the new networking logic.

Networking Engine Implementation:

• Added a new beam.go file in internal/beam implementing the Beam struct, which manages container network namespaces and CNI integration, including support for both rootful and rootless networking modes. The implementation includes methods for attaching and detaching networks, loading default configs, and dependency injection for testing and extensibility.

Configuration Files:

• Added a default CNI network configuration file configs/cni-beam0.conflist for the beam0 bridge, specifying plugin types, IPAM, and network routes.
• Added a seccomp profile configs/seccomp-default.json with a restrictive default action and a whitelist of allowed syscalls for multiple architectures.

Testing and Robustness:

• Added beam_failure_internal_test.go to test error handling in the Beam networking engine, covering failure scenarios for configuration loading and plugin download logic using mock implementations.

Dependency Updates:

• Updated go.mod to add dependencies on github.com/containernetworking/cni, github.com/kr/pretty, and golang.org/x/sync for CNI support and improved testing utilities. Also added indirect dependencies required by new features and tests. [1] [2]

[coderabbitai]

Important

Review skipped

Too many files!

This PR contains 174 files, which is 24 over the limit of 150.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: a424be42-3bf2-4bfa-826c-8b502b41831e

📥 Commits

Reviewing files that changed from the base of the PR and between 650a38c and f4e0a4a.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (174)

• .gitignore
• .golangci.yml
• .goreleaser.yml
• Makefile
• cmd/maestro/main.go
• configs/cni-beam0.conflist
• configs/seccomp-default.json
• go.mod
• internal/beam/beam.go
• internal/beam/beam_failure_internal_test.go
• internal/beam/beam_internal_test.go
• internal/beam/cni_downloader.go
• internal/beam/cni_downloader_integration_test.go
• internal/beam/cni_downloader_internal_test.go
• internal/beam/doorway.go
• internal/beam/doorway_internal_test.go
• internal/beam/guardian.go
• internal/beam/guardian_internal_test.go
• internal/beam/interfaces.go
• internal/beam/interfaces_linux.go
• internal/beam/interfaces_unsupported.go
• internal/beam/mejis.go
• internal/beam/mejis_test.go
• internal/beam/todash.go
• internal/beam/todash_failure_internal_test.go
• internal/beam/todash_internal_linux_test.go
• internal/beam/todash_internal_test.go
• internal/beam/todash_linux.go
• internal/beam/todash_rootless_internal_test.go
• internal/beam/todash_unsupported.go
• internal/bin/README.md
• internal/bin/assets/fuse-overlayfs
• internal/bin/assets/pasta
• internal/bin/bin.go
• internal/bin/embed.go
• internal/cli/cmd_config.go
• internal/cli/cmd_config_test.go
• internal/cli/cmd_container.go
• internal/cli/cmd_container_test.go
• internal/cli/cmd_generate.go
• internal/cli/cmd_groups.go
• internal/cli/cmd_image.go
• internal/cli/cmd_image_internal_test.go
• internal/cli/cmd_image_test.go
• internal/cli/cmd_login.go
• internal/cli/cmd_login_internal_test.go
• internal/cli/cmd_netns_holder.go
• internal/cli/cmd_netns_holder_internal_test.go
• internal/cli/cmd_netns_holder_test.go
• internal/cli/cmd_port.go
• internal/cli/cmd_pull.go
• internal/cli/cmd_pull_internal_test.go
• internal/cli/cmd_pull_test.go
• internal/cli/cmd_shortcuts.go
• internal/cli/cmd_system.go
• internal/cli/cmd_system_test.go
• internal/cli/cmd_version.go
• internal/cli/cmd_version_test.go
• internal/cli/format_test.go
• internal/cli/handler.go
• internal/cli/log.go
• internal/cli/log_internal_test.go
• internal/cli/log_test.go
• internal/cli/progress.go
• internal/cli/progress_internal_test.go
• internal/cli/root.go
• internal/cli/root_test.go
• internal/cli/version_test.go
• internal/eld/common_test.go
• internal/eld/eld.go
• internal/eld/export_test.go
• internal/eld/interfaces.go
• internal/eld/monitor.go
• internal/eld/monitor_internal_test.go
• internal/eld/monitor_test.go
• internal/eld/oci.go
• internal/eld/oci_internal_test.go
• internal/eld/oci_test.go
• internal/eld/pathfinder.go
• internal/eld/pathfinder_internal_test.go
• internal/eld/thin_shell_test.go
• internal/gan/gan.go
• internal/gan/gan_internal_test.go
• internal/gan/interfaces.go
• internal/gan/ops.go
• internal/gan/ops_internal_test.go
• internal/gan/ops_test.go
• internal/gan/thin_shell_test.go
• internal/maturin/drawing.go
• internal/maturin/drawing_test.go
• internal/maturin/image_info.go
• internal/maturin/image_info_failure_internal_test.go
• internal/maturin/image_info_test.go
• internal/maturin/index.go
• internal/maturin/index_failure_internal_test.go
• internal/maturin/index_internal_test.go
• internal/maturin/index_test.go
• internal/maturin/interfaces.go
• internal/maturin/keystone_internal_test.go
• internal/maturin/manifests.go
• internal/maturin/manifests_test.go
• internal/maturin/mock_test.go
• internal/maturin/store.go
• internal/maturin/store_failure_internal_test.go
• internal/maturin/store_test.go
• internal/maturin/swell.go
• internal/maturin/swell_failure_internal_test.go
• internal/maturin/swell_test.go
• internal/prim/allworld.go
• internal/prim/allworld_failure_internal_test.go
• internal/prim/allworld_fallback.go
• internal/prim/allworld_internal_test.go
• internal/prim/allworld_linux.go
• internal/prim/allworld_test.go
• internal/prim/common.go
• internal/prim/common_internal_test.go
• internal/prim/detect.go
• internal/prim/detect_internal_test.go
• internal/prim/detect_test.go
• internal/prim/export_test.go
• internal/prim/fuse.go
• internal/prim/fuse_internal_test.go
• internal/prim/interfaces.go
• internal/prim/prim.go
• internal/prim/test_helpers_test.go
• internal/prim/vfs.go
• internal/prim/vfs_failure_internal_test.go
• internal/prim/vfs_internal_test.go
• internal/shardik/horn.go
• internal/shardik/horn_test.go
• internal/shardik/shardik.go
• internal/shardik/shardik_test.go
• internal/shardik/sigul.go
• internal/shardik/sigul_internal_test.go
• internal/shardik/sigul_test.go
• internal/shardik/thinny_test.go
• internal/sys/sys.go
• internal/testutil/fs.go
• internal/tower/config.go
• internal/tower/config_errors_test.go
• internal/tower/config_test.go
• internal/tower/firstrun.go
• internal/tower/firstrun_test.go
• internal/tower/tower_failure_internal_test.go
• internal/waystation/khef.go
• internal/waystation/khef_errors_test.go
• internal/waystation/khef_test.go
• internal/waystation/starkblast_extra_test.go
• internal/waystation/starkblast_full_test.go
• internal/waystation/starkblast_test.go
• internal/waystation/waystation.go
• internal/waystation/waystation_errors_test.go
• internal/waystation/waystation_failure_internal_test.go
• internal/waystation/waystation_test.go
• internal/white/calla.go
• internal/white/calla_test.go
• internal/white/seccomp.go
• openspec/changes/p0-stabilization.md
• openspec/changes/p1-1.1-tower-rises.md
• openspec/changes/p1-1.2-drawing.md
• openspec/changes/p1-1.3-gan-creates.md
• openspec/changes/p1-1.4-beam-connects.md
• openspec/changes/p1-1.5-calla-stands-rootless.md
• openspec/changes/p2-2.7-tet-gathers.md
• openspec/specs/dinh-cli/spec.md
• openspec/specs/tet-compose/spec.md
• pkg/archive/tar.go
• pkg/archive/tar_internal_test.go
• pkg/specgen/specgen.go
• pkg/specgen/specgen_test.go
• scripts/smoke-test-alpine-echo.sh
• scripts/smoke-test-alpine-volume-mount.sh
• scripts/smoke-test-nginx-welcome.sh
• test/testutil/fixture.go

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch p1/1.5/75-87-calla-stands-epic

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}