incusd/instance/lxc: Add OCI entrypoint configuration

Author: gwenya

doc/config_options.txt

@@ -665,6 +665,40 @@ The specified version expression is used to set `libnvidia-container NVIDIA_REQU
 ```
 
 <!-- config group instance-nvidia end -->
+<!-- config group instance-oci start -->
+```{config:option} oci.cwd instance-oci
+:condition: "OCI container"
+:liveupdate: "no"
+:shortdesc: "OCI container working directory"
+:type: "string"
+Override the working directory of an OCI container.
+```
+
+```{config:option} oci.entrypoint instance-oci
+:condition: "OCI container"
+:liveupdate: "no"
+:shortdesc: "OCI container entrypoint"
+:type: "string"
+Override the entrypoint of an OCI container.
+```
+
+```{config:option} oci.gid instance-oci
+:condition: "OCI container"
+:liveupdate: "no"
+:shortdesc: "OCI container GID"
+:type: "string"
+Override the GID of the process run in an OCI container.
+```
+
+```{config:option} oci.uid instance-oci
+:condition: "OCI container"
+:liveupdate: "no"
+:shortdesc: "OCI container UID"
+:type: "string"
+Override the UID of the process run in an OCI container.
+```
+
+<!-- config group instance-oci end -->
 <!-- config group instance-raw start -->
 ```{config:option} raw.apparmor instance-raw
 :liveupdate: "yes"

internal/instance/config.go

@@ -652,6 +652,42 @@ var InstanceConfigKeysContainer = map[string]func(value string) error{
 	//  shortdesc: Required driver version
 	"nvidia.require.driver": validate.IsAny,
 
+	// gendoc:generate(entity=instance, group=oci, key=oci.entrypoint)
+	// Override the entrypoint of an OCI container.
+	// ---
+	//  type: string
+	//  liveupdate: no
+	//  condition: OCI container
+	//  shortdesc: OCI container entrypoint
+	"oci.entrypoint": validate.IsAny,
+
+	// gendoc:generate(entity=instance, group=oci, key=oci.cwd)
+	// Override the working directory of an OCI container.
+	// ---
+	//  type: string
+	//  liveupdate: no
+	//  condition: OCI container
+	//  shortdesc: OCI container working directory
+	"oci.cwd": validate.Optional(validate.IsAbsFilePath),
+
+	// gendoc:generate(entity=instance, group=oci, key=oci.gid)
+	// Override the GID of the process run in an OCI container.
+	// ---
+	//  type: string
+	//  liveupdate: no
+	//  condition: OCI container
+	//  shortdesc: OCI container GID
+	"oci.gid": validate.Optional(validate.IsUint32),
+
+	// gendoc:generate(entity=instance, group=oci, key=oci.uid)
+	// Override the UID of the process run in an OCI container.
+	// ---
+	//  type: string
+	//  liveupdate: no
+	//  condition: OCI container
+	//  shortdesc: OCI container UID
+	"oci.uid": validate.Optional(validate.IsUint32),
+
 	// Caller is responsible for full validation of any raw.* value.
 
 	// gendoc:generate(entity=instance, group=raw, key=raw.lxc)

internal/server/instance/drivers/driver_lxc.go

@@ -2341,33 +2341,65 @@ func (d *lxc) startCommon() (string, []func() error, error) {
 		}
 
 		// Configure the entry point.
-		if len(config.Process.Args) > 0 && slices.Contains([]string{"/init", "/sbin/init", "/s6-init"}, config.Process.Args[0]) {
+		entrypoint := config.Process.Args
+		if d.expandedConfig["oci.entrypoint"] != "" {
+			entrypoint, err = shellquote.Split(d.expandedConfig["oci.entrypoint"])
+			if err != nil {
+				return "", nil, err
+			}
+		}
+
+		if len(entrypoint) > 0 && slices.Contains([]string{"/init", "/sbin/init", "/s6-init"}, entrypoint[0]) {
 			// For regular init systems, call them directly as PID1.
-			err = lxcSetConfigItem(cc, "lxc.init.cmd", shellquote.Join(config.Process.Args...))
+			err = lxcSetConfigItem(cc, "lxc.init.cmd", shellquote.Join(entrypoint...))
 			if err != nil {
 				return "", nil, err
 			}
 		} else {
 			// For anything else, run them under our own PID1.
-			err = lxcSetConfigItem(cc, "lxc.execute.cmd", shellquote.Join(config.Process.Args...))
+			err = lxcSetConfigItem(cc, "lxc.execute.cmd", shellquote.Join(entrypoint...))
 			if err != nil {
 				return "", nil, err
 			}
 		}
 
-		err = lxcSetConfigItem(cc, "lxc.init.cwd", config.Process.Cwd)
-		if err != nil {
-			return "", nil, err
+		// Configure the cwd.
+		if d.expandedConfig["oci.cwd"] != "" {
+			err = lxcSetConfigItem(cc, "lxc.init.cwd", d.expandedConfig["oci.cwd"])
+			if err != nil {
+				return "", nil, err
+			}
+		} else {
+			err = lxcSetConfigItem(cc, "lxc.init.cwd", config.Process.Cwd)
+			if err != nil {
+				return "", nil, err
+			}
 		}
 
-		err = lxcSetConfigItem(cc, "lxc.init.uid", fmt.Sprintf("%d", config.Process.User.UID))
-		if err != nil {
-			return "", nil, err
+		// Configure the UID
+		if d.expandedConfig["oci.uid"] != "" {
+			err = lxcSetConfigItem(cc, "lxc.init.uid", d.expandedConfig["oci.uid"])
+			if err != nil {
+				return "", nil, err
+			}
+		} else {
+			err = lxcSetConfigItem(cc, "lxc.init.uid", fmt.Sprintf("%d", config.Process.User.UID))
+			if err != nil {
+				return "", nil, err
+			}
 		}
 
-		err = lxcSetConfigItem(cc, "lxc.init.gid", fmt.Sprintf("%d", config.Process.User.GID))
-		if err != nil {
-			return "", nil, err
+		// Configure the GID
+		if d.expandedConfig["oci.gid"] != "" {
+			err = lxcSetConfigItem(cc, "lxc.init.gid", d.expandedConfig["oci.gid"])
+			if err != nil {
+				return "", nil, err
+			}
+		} else {
+			err = lxcSetConfigItem(cc, "lxc.init.gid", fmt.Sprintf("%d", config.Process.User.GID))
+			if err != nil {
+				return "", nil, err
+			}
 		}
 
 		// Get all mounts so far.

internal/server/metadata/configuration.json

@@ -730,6 +730,46 @@
 					}
 				]
 			},
+			"oci": {
+				"keys": [
+					{
+						"oci.cwd": {
+							"condition": "OCI container",
+							"liveupdate": "no",
+							"longdesc": "Override the working directory of an OCI container.",
+							"shortdesc": "OCI container working directory",
+							"type": "string"
+						}
+					},
+					{
+						"oci.entrypoint": {
+							"condition": "OCI container",
+							"liveupdate": "no",
+							"longdesc": "Override the entrypoint of an OCI container.",
+							"shortdesc": "OCI container entrypoint",
+							"type": "string"
+						}
+					},
+					{
+						"oci.gid": {
+							"condition": "OCI container",
+							"liveupdate": "no",
+							"longdesc": "Override the GID of the process run in an OCI container.",
+							"shortdesc": "OCI container GID",
+							"type": "string"
+						}
+					},
+					{
+						"oci.uid": {
+							"condition": "OCI container",
+							"liveupdate": "no",
+							"longdesc": "Override the UID of the process run in an OCI container.",
+							"shortdesc": "OCI container UID",
+							"type": "string"
+						}
+					}
+				]
+			},
 			"raw": {
 				"keys": [
 					{