Sudo-less operation (#2408)

* containerlab: Add sudoless operation.

This change introduces sudoless operations to containerlab, leveraging the SUID bit set on the binary.
The SUID-granted root privileges can optionally be gated behind a membership of the group 'clab_admins', which is set up automatically on version upgrade, adding the current Containerlab user to it.

* containerlab: Add sudoless changes to packaging+install script

* containerlab: Add missing root privilege gain to disable-tx-offload command

* containerlab: clab_admins should be added as as system group

* containerlab: Change not in user group hint to user usermod instead of gpasswd

* containerlab: Add shorthands for root UID and no-modify flags for readability

* upgrade: Fix sudoless upgrade

* containerlab: Only create clab_admins group during first upgrade/install

* docs: Add documentation about sudoless operation

* cmd: Fix broken rebase

* docs: Fix minimum version for sudoless operations support in install docs

* cmd: Allow unprivileged users to exec if they are part of the docker group

* cmd/netem: Add root requirement for show link impairments command

* format

* docs polish

* remove href from the embedded code block

* cicd, tests: Make tests run sudoless

* cmd/generate: Get root privileges for deploy action

* utils/file: Create files as running user instead of effective user

* cmd: Only run sudoless if Docker runtime is used

* runtimes: Add connectivity check for runtimes

* cmd: Don't allow non-Docker runtimes to run as root without membership check

* docs: Add note about non-privileged operations only being supported w/ Docker

* mocks: Update container runtime mock

---------

Co-authored-by: Roman Dodin <[email protected]>

.github/workflows/cicd.yml

@@ -173,7 +173,7 @@ jobs:
         with:
           name: containerlab
       - name: Move containerlab to usr/bin
-        run: sudo mv ./containerlab /usr/bin/containerlab && sudo chmod a+x /usr/bin/containerlab
+        run: sudo mv ./containerlab /usr/bin/containerlab && sudo chown root:root /usr/bin/containerlab && sudo chmod 4755 /usr/bin/containerlab
       - uses: actions/setup-python@v5
         with:
           python-version: ${{ env.PY_VER }}
@@ -226,7 +226,7 @@ jobs:
         with:
           name: containerlab
       - name: Move containerlab to usr/bin
-        run: sudo mv ./containerlab /usr/bin/containerlab && sudo chmod a+x /usr/bin/containerlab
+        run: sudo mv ./containerlab /usr/bin/containerlab && sudo chown root:root /usr/bin/containerlab && sudo chmod 4755 /usr/bin/containerlab
       - uses: actions/setup-python@v5
         with:
           python-version: ${{ env.PY_VER }}
@@ -289,7 +289,7 @@ jobs:
         with:
           name: containerlab
       - name: Move containerlab to usr/bin
-        run: sudo mv ./containerlab /usr/bin/containerlab && sudo chmod a+x /usr/bin/containerlab
+        run: sudo mv ./containerlab /usr/bin/containerlab && sudo chown root:root /usr/bin/containerlab && sudo chmod 4755 /usr/bin/containerlab
       - uses: actions/setup-python@v5
         with:
           python-version: ${{ env.PY_VER }}

.github/workflows/cisco_iol-tests.yml

@@ -27,7 +27,7 @@ jobs:
           name: containerlab
 
       - name: Move containerlab to usr/bin
-        run: sudo mv ./containerlab /usr/bin/containerlab && sudo chmod a+x /usr/bin/containerlab
+        run: sudo mv ./containerlab /usr/bin/containerlab && sudo chown root:root /usr/bin/containerlab && sudo chmod 4755 /usr/bin/containerlab
 
       - uses: actions/setup-python@v5
         with:

.github/workflows/fortigate-tests.yml

@@ -27,7 +27,7 @@ jobs:
           name: containerlab
 
       - name: Move containerlab to usr/bin
-        run: sudo mv ./containerlab /usr/bin/containerlab && sudo chmod a+x /usr/bin/containerlab
+        run: sudo mv ./containerlab /usr/bin/containerlab && sudo chown root:root /usr/bin/containerlab && sudo chmod 4755 /usr/bin/containerlab
 
       - uses: actions/setup-python@v5
         with:

.github/workflows/kind-tests.yml

@@ -27,7 +27,7 @@ jobs:
           name: containerlab
 
       - name: Move containerlab to usr/bin
-        run: sudo mv ./containerlab /usr/bin/containerlab && sudo chmod a+x /usr/bin/containerlab
+        run: sudo mv ./containerlab /usr/bin/containerlab && sudo chown root:root /usr/bin/containerlab && sudo chmod 4755 /usr/bin/containerlab
 
       - uses: actions/setup-python@v5
         with:

.github/workflows/smoke-tests.yml

@@ -51,7 +51,7 @@ jobs:
           name: containerlab
 
       - name: Move containerlab to usr/bin
-        run: sudo mv ./containerlab /usr/bin/containerlab && sudo chmod a+x /usr/bin/containerlab
+        run: sudo mv ./containerlab /usr/bin/containerlab && sudo chown root:root /usr/bin/containerlab && sudo chmod 4755 /usr/bin/containerlab
 
       - name: Setup Podman
         if: matrix.runtime == 'podman'

.github/workflows/srlinux-tests.yml

@@ -31,7 +31,7 @@ jobs:
           name: containerlab
 
       - name: Move containerlab to usr/bin
-        run: sudo mv ./containerlab /usr/bin/containerlab && sudo chmod a+x /usr/bin/containerlab
+        run: sudo mv ./containerlab /usr/bin/containerlab && sudo chown root:root /usr/bin/containerlab && sudo chmod 4755 /usr/bin/containerlab
 
       - name: Setup Podman
         if: matrix.runtime == 'podman'

.github/workflows/sros-tests.yml

@@ -28,7 +28,7 @@ jobs:
           name: containerlab
 
       - name: Move containerlab to usr/bin
-        run: sudo mv ./containerlab /usr/bin/containerlab && sudo chmod a+x /usr/bin/containerlab
+        run: sudo mv ./containerlab /usr/bin/containerlab && sudo chown root:root /usr/bin/containerlab && sudo chmod 4755 /usr/bin/containerlab
 
       - uses: actions/setup-python@v5
         with:

.github/workflows/vxlan-tests.yml

@@ -29,7 +29,7 @@ jobs:
           name: containerlab
 
       - name: Move containerlab to usr/bin
-        run: sudo mv ./containerlab /usr/bin/containerlab && sudo chmod a+x /usr/bin/containerlab
+        run: sudo mv ./containerlab /usr/bin/containerlab && sudo chown root:root /usr/bin/containerlab && sudo chmod 4755 /usr/bin/containerlab
 
       - uses: actions/setup-python@v5
         with:

.goreleaser.yml

@@ -97,6 +97,10 @@ nfpms:
       postinstall: ./utils/postinstall.sh
     bindir: /usr/bin
     contents:
+      - src: ./containerlab
+        dst: /usr/bin/containerlab
+        file_info:
+          mode: 4755 # SUID bit set
       - src: ./lab-examples
         dst: /etc/containerlab/lab-examples
       - src: /usr/bin/containerlab

Makefile

@@ -64,6 +64,7 @@ ifndef suite
 override suite = .
 endif
 robot-test: build-with-podman-debug
+	sudo chown root:root $(BINARY) && sudo chmod 4755 $(BINARY)
 	CLAB_BIN=$(BINARY) $$PWD/tests/rf-run.sh $(runtime) $$PWD/tests/$(suite)
 
 MOCKDIR = ./mocks

clab/clab.go

@@ -1297,3 +1297,15 @@ func (c *CLab) Exec(ctx context.Context, cmds []string, options *ExecOptions) (*
 
 	return resultCollection, nil
 }
+
+// CheckConnectivity checks the connectivity to all container runtimes, returns an error if it encounters any, otherwise nil.
+func (c *CLab) CheckConnectivity(ctx context.Context) error {
+	for _, r := range c.Runtimes {
+		err := r.CheckConnection(ctx)
+		if err != nil {
+			return fmt.Errorf("could not connect to container runtime: %v", err)
+		}
+	}
+
+	return nil
+}

cmd/common/sudo.go

@@ -1,16 +1,100 @@
 package common
 
 import (
-	"errors"
+	"fmt"
 	"os"
+	"os/user"
+	"slices"
 
 	"github.com/spf13/cobra"
+	"golang.org/x/sys/unix"
+
+	log "github.com/sirupsen/logrus"
+)
+
+const (
+	CLAB_AUTHORISED_GROUP = "clab_admins"
+	ROOT_UID              = 0
+	NOMODIFY              = -1
 )
 
-func SudoCheck(_ *cobra.Command, _ []string) error {
-	id := os.Geteuid()
-	if id != 0 {
-		return errors.New("containerlab requires sudo privileges to run")
+func CheckAndGetRootPrivs(_ *cobra.Command, _ []string) error {
+	_, euid, suid := unix.Getresuid()
+	if euid != 0 && suid != 0 {
+		return fmt.Errorf("this containerlab command requires root privileges or root via SUID to run, effective UID: %v SUID: %v", euid, suid)
+	}
+
+	if euid != 0 && suid == 0 {
+		clabGroupExists := true
+		clabGroup, err := user.LookupGroup(CLAB_AUTHORISED_GROUP)
+		if err != nil {
+			if _, ok := err.(user.UnknownGroupError); ok {
+				log.Debug("Containerlab admin group does not exist, skipping group membership check")
+				clabGroupExists = false
+			} else {
+				return fmt.Errorf("failed to lookup containerlab admin group: %v", err)
+			}
+		}
+
+		if clabGroupExists {
+			currentEffUser, err := user.Current()
+			if err != nil {
+				return err
+			}
+
+			effUserGroupIDs, err := currentEffUser.GroupIds()
+			if err != nil {
+				return err
+			}
+
+			if !slices.Contains(effUserGroupIDs, clabGroup.Gid) {
+				return fmt.Errorf("user '%v' is not part of containerlab admin group 'clab_admins' (GID %v), which is required to execute this command.\nTo add yourself to this group, run the following command:\n\t$ sudo gpasswd -a %v clab_admins",
+					currentEffUser.Username, clabGroup.Gid, currentEffUser.Username)
+			}
+
+			log.Debug("Group membership check passed")
+		}
+
+		err = obtainRootPrivs()
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func obtainRootPrivs() error {
+	// Escalate to root privileges, changing saved UIDs to root/current group to be able to retain privilege escalation
+	err := changePrivileges(0, os.Getgid(), 0, os.Getgid())
+	if err != nil {
+		return err
+	}
+
+	log.Debug("Obtained root privileges")
+
+	return nil
+}
+
+func DropRootPrivs() error {
+	// Drop privileges to the running user, retaining current saved IDs
+	err := changePrivileges(os.Getuid(), os.Getgid(), -1, -1)
+	if err != nil {
+		return err
+	}
+
+	log.Debug("Dropped root privileges")
+
+	return nil
+}
+
+func changePrivileges(new_uid, new_gid, saved_uid, saved_gid int) error {
+	if err := unix.Setresuid(-1, new_uid, saved_uid); err != nil {
+		return fmt.Errorf("failed to set UID: %v", err)
+	}
+	if err := unix.Setresgid(-1, new_gid, saved_gid); err != nil {
+		return fmt.Errorf("failed to set GID: %v", err)
 	}
+	log.Debugf("Changed running UIDs to UID: %d GID: %d", new_uid, new_gid)
 	return nil
 }

cmd/deploy.go

@@ -56,7 +56,7 @@ var deployCmd = &cobra.Command{
 	Long:         "deploy a lab based defined by means of the topology definition file\nreference: https://containerlab.dev/cmd/deploy/",
 	Aliases:      []string{"dep"},
 	SilenceUsage: true,
-	PreRunE:      common.SudoCheck,
+	PreRunE:      common.CheckAndGetRootPrivs,
 	RunE:         deployFn,
 }
 

cmd/destroy.go

@@ -32,7 +32,7 @@ var destroyCmd = &cobra.Command{
 	Short:   "destroy a lab",
 	Long:    "destroy a lab based defined by means of the topology definition file\nreference: https://containerlab.dev/cmd/destroy/",
 	Aliases: []string{"des"},
-	PreRunE: common.SudoCheck,
+	PreRunE: common.CheckAndGetRootPrivs,
 	RunE:    destroyFn,
 }
 

cmd/disableTxOffload.go

@@ -10,6 +10,7 @@ import (
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"github.com/srl-labs/containerlab/clab"
+	"github.com/srl-labs/containerlab/cmd/common"
 	"github.com/srl-labs/containerlab/runtime"
 	"github.com/srl-labs/containerlab/utils"
 )
@@ -21,6 +22,7 @@ var disableTxOffloadCmd = &cobra.Command{
 	Use:   "disable-tx-offload",
 	Short: "disables tx checksum offload on eth0 interface of a container",
 
+	PreRunE: common.CheckAndGetRootPrivs,
 	RunE: func(cmd *cobra.Command, args []string) error {
 		ctx := context.Background()
 

cmd/exec.go

@@ -12,7 +12,6 @@ import (
 	"github.com/spf13/cobra"
 	"github.com/srl-labs/containerlab/clab"
 	"github.com/srl-labs/containerlab/clab/exec"
-	"github.com/srl-labs/containerlab/cmd/common"
 	"github.com/srl-labs/containerlab/labels"
 	"github.com/srl-labs/containerlab/runtime"
 	"github.com/srl-labs/containerlab/types"
@@ -26,10 +25,9 @@ var (
 
 // execCmd represents the exec command.
 var execCmd = &cobra.Command{
-	Use:     "exec",
-	Short:   "execute a command on one or multiple containers",
-	PreRunE: common.SudoCheck,
-	RunE:    execFn,
+	Use:   "exec",
+	Short: "execute a command on one or multiple containers",
+	RunE:  execFn,
 }
 
 func execFn(_ *cobra.Command, _ []string) error {
@@ -75,6 +73,11 @@ func execFn(_ *cobra.Command, _ []string) error {
 		return err
 	}
 
+	err = c.CheckConnectivity(ctx)
+	if err != nil {
+		return err
+	}
+
 	var filters []*types.GenericFilter
 
 	if len(labelsFilter) != 0 {

cmd/generate.go

@@ -14,6 +14,7 @@ import (
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"github.com/srl-labs/containerlab/clab"
+	"github.com/srl-labs/containerlab/cmd/common"
 	"github.com/srl-labs/containerlab/links"
 	"github.com/srl-labs/containerlab/nodes"
 	"github.com/srl-labs/containerlab/types"
@@ -89,6 +90,10 @@ var generateCmd = &cobra.Command{
 			}
 		}
 		if deploy {
+			err = common.CheckAndGetRootPrivs(nil, nil)
+			if err != nil {
+				return err
+			}
 			reconfigure = true
 			if file == "" {
 				file = fmt.Sprintf("%s.clab.yml", name)

cmd/inspect.go

@@ -19,7 +19,6 @@ import (
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"github.com/srl-labs/containerlab/clab"
-	"github.com/srl-labs/containerlab/cmd/common"
 	"github.com/srl-labs/containerlab/labels"
 	"github.com/srl-labs/containerlab/runtime"
 	"github.com/srl-labs/containerlab/types"
@@ -38,7 +37,6 @@ var inspectCmd = &cobra.Command{
 	Short:   "inspect lab details",
 	Long:    "show details about a particular lab or all running labs\nreference: https://containerlab.dev/cmd/inspect/",
 	Aliases: []string{"ins", "i"},
-	PreRunE: common.SudoCheck,
 	RunE:    inspectFn,
 }
 
@@ -85,6 +83,11 @@ func inspectFn(_ *cobra.Command, _ []string) error {
 		return fmt.Errorf("could not parse the topology file: %v", err)
 	}
 
+	err = c.CheckConnectivity(ctx)
+	if err != nil {
+		return err
+	}
+
 	var containers []runtime.GenericContainer
 	var glabels []*types.GenericFilter
 

cmd/redeploy.go

@@ -13,7 +13,7 @@ var redeployCmd = &cobra.Command{
 	Short:        "destroy and redeploy a lab",
 	Long:         "destroy a lab and deploy it again based on the topology definition file\nreference: https://containerlab.dev/cmd/redeploy/",
 	Aliases:      []string{"rdep"},
-	PreRunE:      common.SudoCheck,
+	PreRunE:      common.CheckAndGetRootPrivs,
 	SilenceUsage: true,
 	RunE:         redeployFn,
 }

cmd/root.go

@@ -14,6 +14,7 @@ import (
 
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
+	"github.com/srl-labs/containerlab/cmd/common"
 	"github.com/srl-labs/containerlab/cmd/version"
 	"github.com/srl-labs/containerlab/git"
 	"github.com/srl-labs/containerlab/utils"
@@ -89,6 +90,18 @@ func preRunFn(cmd *cobra.Command, _ []string) error {
 	// setting output to stderr, so that json outputs can be parsed
 	log.SetOutput(os.Stderr)
 
+	err := common.DropRootPrivs()
+	if err != nil {
+		return err
+	}
+	// Rootless operations only supported for Docker runtime
+	if rt != "" && rt != "docker" {
+		err := common.CheckAndGetRootPrivs(cmd, nil)
+		if err != nil {
+			return err
+		}
+	}
+
 	return getTopoFilePath(cmd)
 }
 

cmd/save.go

@@ -12,7 +12,6 @@ import (
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"github.com/srl-labs/containerlab/clab"
-	"github.com/srl-labs/containerlab/cmd/common"
 	"github.com/srl-labs/containerlab/links"
 	"github.com/srl-labs/containerlab/nodes"
 	"github.com/srl-labs/containerlab/runtime"
@@ -24,7 +23,6 @@ var saveCmd = &cobra.Command{
 	Short: "save containers configuration",
 	Long: `save performs a configuration save. The exact command that is used to save the config depends on the node kind.
 Refer to the https://containerlab.dev/cmd/save/ documentation to see the exact command used per node's kind`,
-	PreRunE: common.SudoCheck,
 	RunE: func(_ *cobra.Command, _ []string) error {
 		if name == "" && topo == "" {
 			return fmt.Errorf("provide topology file path  with --topo flag")