Sudo-less operation

[vista-]

This PR adds sudo-less operation to Containerlab. See #2307 for more information on this feature.

Sudo-less?

The sudo-less operation is implemented via setting the SUID (or sticky) bit on the Containerlab binary. The changes include handling of SUID-based running of Containerlab, and properly grabbing the correct user for lab directory ACL/ownership management when not run with sudo.

Security?

Root privileges are not used where they are not needed, as Containerlab immediately drops to regular user privilege on startup, and only escalates to root privilege where needed (this is currently done on a per-command granularity).

For use-cases where sudo-less operation is required (for example, Containerlab hosts and labs shared between colleagues, or in education), it is not necessarily desired for every user to be able to perform privileged operations on containerlabs, after all, being able to spin up arbitrary containers is the same as granting sudo rights. However, operations that don't require such privileges, such as saving configs, or creating topology graphs might still be useful for these users.

This feature also includes an optional check for group membership of the clab_admins group:

• If the group does not exist, the check is bypassed
• If the group exists, a check is performed whether the user running Containerlab is a member of the clab_admins Unix group before escalating to root privileges

The clab_admins group is created and the user running the command is added to it by default by the upgrade script, the quick install script and the post-install script.

Potential breakages

• Windows/minGW! I'd appreciate if someone could test this out.
• groupadd/usermod might not work on the post-install script for Alpine without shadow utils installed -- this platform is not officially supported by Containerlab, but nfpm is still configured to emit an apk file.

[kaelemc]

Brilliant! sudoless working great on deploy/destroy/redeploy. Tested that the group check is working correctly as well.

Windows/minGW! I'd appreciate if someone could test this out.

I see mingw in the get.sh but surely this isn't supported for clab on windows @hellt? The blame says it's from 5 years ago too. If I'm missing something here and it is supported, I'll happily test.

Let me know if there's anything specific you want tested.

[hellt]

correct, windows is not supported. Windows users should use WSL

[codecov]

Codecov Report

Attention: Patch coverage is 32.35294% with 69 lines in your changes missing coverage. Please review.

Project coverage is 52.40%. Comparing base (d7588f9) to head (b109891).
Report is 3 commits behind head on main.

Files with missing lines	Patch %	Lines
cmd/root.go	18.75%	46 Missing and 6 partials ⚠️
utils/file.go	51.42%	13 Missing and 4 partials ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2408      +/-   ##
==========================================
- Coverage   52.51%   52.40%   -0.12%     
==========================================
  Files         168      168              
  Lines       16940    16999      +59     
==========================================
+ Hits         8896     8908      +12     
- Misses       7128     7172      +44     
- Partials      916      919       +3     

Files with missing lines	Coverage Δ
cmd/deploy.go	76.84% <ø> (ø)
cmd/destroy.go	77.77% <ø> (ø)
cmd/disableTxOffload.go	12.50% <ø> (ø)
cmd/exec.go	77.27% <ø> (ø)
cmd/inspect.go	75.11% <ø> (ø)
cmd/redeploy.go	90.62% <ø> (ø)
cmd/save.go	73.33% <ø> (ø)
cmd/tools_netem.go	70.87% <100.00%> (+0.28%)	⬆️
cmd/tools_veth.go	72.78% <ø> (ø)
cmd/verUpgrade.go	5.55% <ø> (ø)
... and 3 more