[WIP] validation: add test for NSProcInPath

[alban]

I initially tried to add the checks in the container process
'runtimetest' by adding annotations prefixed with "runtimetest/". But
that proved impractical with TAP outputs because I wanted to have
several tests for each namespace.

This patch now validates the namespaces outside the container with
util.RuntimeOutsideValidate().

TODO/notes:

• Fix the synchronisation with "sleep".
• Is it ok to have a dependency on 'util-linux'?
• Is it acceptable to require Linux >= 4.12? I guess not, so I would need to implement that differently.
• Unclear spec about user namespaces: userns mappings and reusing existing userns from a specified path runtime-spec#961
• Fix about cgroupns in runc: Implement setns for cgroupns by path runc#1763

Signed-off-by: Alban Crequy alban@kinvolk.io

[alban]

The sleep processes are surviving the death of the unshare parent unfortunately.

I tried cmd.Process.Signal(syscall.SIGTERM) but it does not help because:

• unshare does not catch the signal so it dies without forwarding the SIGTERM to its children
• processes in a different pid namespaces would not receive the signal anyway because of signal rules in pid namespaces (see man 7 pid_namespaces)

[dongsupark]

I created a new version of PR #628, based on this PR #613.

For the record, I'll go through each TODO item.

• I think Fix sync with sleep and stale child processes are already resolved.
• Is it ok to have a dependency on util-linux?: I think yes, as util-linux has been a de facto standard library since many years.
• /proc/pid/ns/pid_for_children for kernel >= 4.12: we don't need to care about it, because it's solved by using setpgid.
• unclear spec about user namespaces: I'm not sure if there's anything left to do
• Fix about cgroupns in runc: This is blocked by the ancient PR Carry #781: Add support for cgroup namespace runc#1184. Nothing to do right now.

[alban]

Superseded by #628.