Make krun binary separate from crun, not a symbolic link

[tylerfanelli]

In confidential computing environments, users may want to run sensitive workloads in krun yet "normal" workloads in standard crun. However, at the moment this provides some difficulties, because the krun binary is just a symbolic link to crun built with krun extensions.

$ ls -l /bin/ | rg crun
-rwxr-xr-x. 1 root root       566320 ...  crun
lrwxrwxrwx. 1 root root            4 ...  krun -> crun

Therefore, there is difficulties with having both a krun and standard crun build in /bin. This could be alleviated by just renaming the crun with libkrun extensions binary to krun, rather than using a symbolic link.

cc @slp

[giuseppe]

why would we need two different variants for crun? Can't the crun binary have all the needed extensions?

[slp]

I also don't understand why a two binaries are needed, please elaborate further.

[tylerfanelli]

Right now, crun is compiled with libkrun, and krun is a symlink to the crun binary:

$ ls -l /bin/ | rg crun
... root root       566320 ...  crun
... root root            4 ...  krun -> crun

Yet, if someone wants to run a combination of normal containers with normal crun (i.e. not krun) AND krun containers, then they would want two separate binaries (the normal crun, and then krun). Because krun is a symlink, then there will be a collision with the two crun binaries. This would be alleviated by simply renaming the krun binary entirely, not making it a symlink.

[giuseppe]

crun looks at the argv[0] and treats the two differently. They point to the same binary, but it handles both normal containers and krun ones. Or isn't that enough?

[tylerfanelli]

I wasn't aware of this. So basically, if krun is argv[0], then the container is run as a krun container, and if it's crun then it is run as a normal container. Then yes, there's no need for the renaming.

Do I have this right? If so, I can close this issue.

[giuseppe]

yes, that is what happens. So we can ship the same binary, but it can handle different handlers

[tylerfanelli]

Thanks!