Add bare bones unsupported syscall logging

This change introduces a new flags to create/run called
--user-log. Logs to this files are visible to users and
are meant to help debugging problems with their images
and containers.

For now only unsupported syscalls are sent to this log,
and only minimum support was added. We can build more
infrastructure around it as needed.

PiperOrigin-RevId: 216735977
Change-Id: I54427ca194604991c407d49943ab3680470de2d0

5 files changed, 17 insertions, 4 deletions

diff --git a/runsc/cmd/boot.go b/runsc/cmd/boot.go
index d26e92bcd..023b63dc0 100644
--- a/runsc/cmd/boot.go
+++ b/runsc/cmd/boot.go
@@ -66,6 +66,9 @@ type Boot struct {
 	// totalMem sets the initial amount of total memory to report back to the
 	// container.
 	totalMem uint64
+
+	// userLogFD is the file descriptor to write user logs to.
+	userLogFD int
 }
 
 // Name implements subcommands.Command.Name.
@@ -95,6 +98,7 @@ func (b *Boot) SetFlags(f *flag.FlagSet) {
 	f.BoolVar(&b.applyCaps, "apply-caps", false, "if true, apply capabilities defined in the spec to the process")
 	f.IntVar(&b.cpuNum, "cpu-num", 0, "number of CPUs to create inside the sandbox")
 	f.Uint64Var(&b.totalMem, "total-memory", 0, "sets the initial amount of total memory to report back to the container")
+	f.IntVar(&b.userLogFD, "user-log-fd", 0, "file descriptor to write user logs to. 0 means no logging.")
 }
 
 // Execute implements subcommands.Command.Execute.  It starts a sandbox in a
@@ -163,6 +167,7 @@ func (b *Boot) Execute(_ context.Context, f *flag.FlagSet, args ...interface{})
 		Console:      b.console,
 		NumCPU:       b.cpuNum,
 		TotalMem:     b.totalMem,
+		UserLogFD:    b.userLogFD,
 	}
 	l, err := boot.New(bootArgs)
 	if err != nil {
diff --git a/runsc/cmd/capability_test.go b/runsc/cmd/capability_test.go
index be9ef2e7b..3329b308d 100644
--- a/runsc/cmd/capability_test.go
+++ b/runsc/cmd/capability_test.go
@@ -97,7 +97,7 @@ func TestCapabilities(t *testing.T) {
 	defer os.RemoveAll(bundleDir)
 
 	// Create and start the container.
-	c, err := container.Create(testutil.UniqueContainerID(), spec, conf, bundleDir, "", "")
+	c, err := container.Create(testutil.UniqueContainerID(), spec, conf, bundleDir, "", "", "")
 	if err != nil {
 		t.Fatalf("error creating container: %v", err)
 	}
diff --git a/runsc/cmd/checkpoint.go b/runsc/cmd/checkpoint.go
index d074b8617..023ab2455 100644
--- a/runsc/cmd/checkpoint.go
+++ b/runsc/cmd/checkpoint.go
@@ -133,7 +133,7 @@ func (c *Checkpoint) Execute(_ context.Context, f *flag.FlagSet, args ...interfa
 		Fatalf("error destroying container: %v", err)
 	}
 
-	cont, err = container.Create(id, spec, conf, bundleDir, "", "")
+	cont, err = container.Create(id, spec, conf, bundleDir, "", "", "")
 	if err != nil {
 		Fatalf("error restoring container: %v", err)
 	}
diff --git a/runsc/cmd/create.go b/runsc/cmd/create.go
index 38ae03e7a..ecd76ee93 100644
--- a/runsc/cmd/create.go
+++ b/runsc/cmd/create.go
@@ -41,6 +41,13 @@ type Create struct {
 	// pseudoterminal.  This is ignored unless spec.Process.Terminal is
 	// true.
 	consoleSocket string
+
+	// userLog is the path to send user-visible logs to. This log is different
+	// from debug logs. The former is meant to be consumed by the users and should
+	// contain only information that is relevant to the person running the
+	// container, e.g. unsuported syscalls, while the later is more verbose and
+	// consumed by developers.
+	userLog string
 }
 
 // Name implements subcommands.Command.Name.
@@ -64,6 +71,7 @@ func (c *Create) SetFlags(f *flag.FlagSet) {
 	f.StringVar(&c.bundleDir, "bundle", "", "path to the root of the bundle directory, defaults to the current directory")
 	f.StringVar(&c.consoleSocket, "console-socket", "", "path to an AF_UNIX socket which will receive a file descriptor referencing the master end of the console's pseudoterminal")
 	f.StringVar(&c.pidFile, "pid-file", "", "filename that the container pid will be written to")
+	f.StringVar(&c.userLog, "user-log", "", "filename to send user-visible logs to. Empty means no logging.")
 }
 
 // Execute implements subcommands.Command.Execute.
@@ -90,7 +98,7 @@ func (c *Create) Execute(_ context.Context, f *flag.FlagSet, args ...interface{}
 	// Create the container. A new sandbox will be created for the
 	// container unless the metadata specifies that it should be run in an
 	// existing container.
-	if _, err := container.Create(id, spec, conf, bundleDir, c.consoleSocket, c.pidFile); err != nil {
+	if _, err := container.Create(id, spec, conf, bundleDir, c.consoleSocket, c.pidFile, c.userLog); err != nil {
 		Fatalf("error creating container: %v", err)
 	}
 	return subcommands.ExitSuccess
diff --git a/runsc/cmd/run.go b/runsc/cmd/run.go
index 92aa6bc40..826e6e875 100644
--- a/runsc/cmd/run.go
+++ b/runsc/cmd/run.go
@@ -75,7 +75,7 @@ func (r *Run) Execute(_ context.Context, f *flag.FlagSet, args ...interface{}) s
 	specutils.LogSpec(spec)
 	conf.SpecFile = filepath.Join(bundleDir, "config.json")
 
-	ws, err := container.Run(id, spec, conf, bundleDir, r.consoleSocket, r.pidFile)
+	ws, err := container.Run(id, spec, conf, bundleDir, r.consoleSocket, r.pidFile, r.userLog)
 	if err != nil {
 		Fatalf("error running container: %v", err)
 	}