Runwasi - A containerd shim which runs wasm workloads in wasmtime

This is a series of patches to add support for running wasm code in a cgroup. While some cgroup controllers can support running different threads in different cgroups, the main one we are interested in, the cgroup memory controller, this doesn't make sense since threads all share memory. Because of this we'll fork off a new process (which should have CoW version of the main shim's memory) to run the wasm code.

Of course all the issues of fork apply here since this is fairly unsafe from a multithreaded program (which the shim is always multi-threaded), so care must be taken to not try do things like take a lock in the new process because this can cause a deadlock. There may be some interesting things to test out with the wasmtime engine just to make sure we aren't going to deadlock if there's multiple things happening when the fork occurs.

Currently there is no troubleshotting guide. People might find it hard to follow readme to produce a hello world example.

Known issues are, but not limited to:

1. containerd currently only support Linux. So in order to build runwasi, either you need to have a linux machien or run it in WSL on Windows
2. docker buildx is a dependency
3. make load is broken

The repo has a few binaries and a wasi implementation that is fairly tied to wasmtime. #15 makes the core library runtime agnostic, meaning it does not depend on wasmtime.

In order to completely remove wasmtime as a dependency from the core library it may be useful to move the binaries along with the Wasi instance implementation into a separate crate (of course both crates can be in this repo).

This PR implements a generic engine to the shim library. This removes the dependency on wasmtime::Engine in the library entirely, and it is up to the implementation to decide what instance of the engine should be.

The RUNNER_OS env var was not set in the release job, so it made the release artifact name look like it has an extra "-". This adds the env var.

This var will likely be useful in the future when building for multiple architectures / OSes.

This runs the shim in a mode where there is 1 daemon that runs multiple shims in-process. This allows a host implementation to be shared and has reduced overhead.

This project uses two libraries for error handling, maybe we can choose only one and remove the other? I'm not sure why both are needed. If I had to choose I would keep anyhow, I like their context function. WDYT?

Right now we have only partial support for the OCI runtime spec. While some things in the spec may not make sense for running wasm code itself, it is useful for sandboxing for the wasm runtime and/or the execution of the wasm for defense-in-depth as well as ensuring fewer surprises for users expecting their settings to actually apply.

Some things missing:

• [x] cgroups: In progress: https://github.com/deislabs/runwasi/pull/21
• [ ] Lifecycle Hooks: https://github.com/opencontainers/runtime-spec/blob/main/runtime.md#lifecycle https://github.com/opencontainers/runtime-spec/blob/86290f6a00fbdc6d561e14b2e6a11788a1a5f29c/config.md#posix-platform-hooks (Docker has at least some of this in their fork: https://github.com/second-state/runwasi/pull/13/files @rumpl)
• [ ] hybrid cgroup: In #21 there is support for cgroupv1 and cgroupv2, but not hybrid mode
• [ ] systemd cgroup: #21 now implements cgroupfs mode but does not support systemd cgroups
• [ ] namespaces: We do setup the network namespace, but other namespace support is still needed https://github.com/opencontainers/runtime-spec/blob/main/config-linux.md#namespaces
• [ ] seccomp: https://github.com/opencontainers/runtime-spec/blob/main/config-linux.md#seccomp
• [ ] apparmor: https://github.com/opencontainers/runtime-spec/blob/86290f6a00fbdc6d561e14b2e6a11788a1a5f29c/config.md#linux-process
• [ ] selinux: https://github.com/opencontainers/runtime-spec/blob/main/config-linux.md#mount-label https://github.com/opencontainers/runtime-spec/blob/86290f6a00fbdc6d561e14b2e6a11788a1a5f29c/config.md#linux-process
• [ ] devices: https://github.com/opencontainers/runtime-spec/blob/main/config-linux.md#devices
• [ ] sysctl: https://github.com/opencontainers/runtime-spec/blob/main/config-linux.md#sysctl
• [ ] masked paths: https://github.com/opencontainers/runtime-spec/blob/main/config-linux.md#masked-paths
• [ ] personality: https://github.com/opencontainers/runtime-spec/blob/main/config-linux.md#personality
• [ ] rlimits: https://github.com/opencontainers/runtime-spec/blob/86290f6a00fbdc6d561e14b2e6a11788a1a5f29c/config.md#posix-process
• [ ] capabilities: https://github.com/opencontainers/runtime-spec/blob/86290f6a00fbdc6d561e14b2e6a11788a1a5f29c/config.md#linux-process
• [ ] oom score: https://github.com/opencontainers/runtime-spec/blob/86290f6a00fbdc6d561e14b2e6a11788a1a5f29c/config.md#linux-process
• [ ] no-new-privileges: https://github.com/opencontainers/runtime-spec/blob/86290f6a00fbdc6d561e14b2e6a11788a1a5f29c/config.md#linux-process
• [ ] Users/Groups: https://github.com/opencontainers/runtime-spec/blob/86290f6a00fbdc6d561e14b2e6a11788a1a5f29c/config.md#user
• [ ] IntelRDT: This is pretty low-priority and is very new in OCI https://github.com/opencontainers/runtime-spec/blob/main/config-linux.md#intelrdt

There is a large amount of assumed knowledge and set up in the current instructions so it would be useful to have documentation of a full run through of setup and usage with k3s.

I'm working on getting this running in my lab using k3s. If I get it all working, I can write up the commands I used.