From b5e97affb1224cbc938a50a9216f7df6d15abaaa Mon Sep 17 00:00:00 2001
From: Tom Proctor <tomhjp@users.noreply.github.com>
Date: Thu, 21 Sep 2023 14:05:27 +0100
Subject: [PATCH] plugincontainer: Support mlock

---
 .github/workflows/go.yml                      |  50 +++-
 plugincontainer/compatibility_test.go         | 133 +++++++++
 plugincontainer/config.go                     |   3 +-
 plugincontainer/container_runner.go           |  14 +-
 .../container_runner_external_test.go         | 270 ++++++++++++++++++
 plugincontainer/container_runner_test.go      | 255 -----------------
 plugincontainer/examples/container/Dockerfile |  20 +-
 .../examples/container/plugin-counter/main.go |  11 +
 8 files changed, 485 insertions(+), 271 deletions(-)
 create mode 100644 plugincontainer/compatibility_test.go
 create mode 100644 plugincontainer/container_runner_external_test.go

diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
index b7e30f3..c3103d0 100644
--- a/.github/workflows/go.yml
+++ b/.github/workflows/go.yml
@@ -42,24 +42,23 @@ jobs:
       run: |
         (
           set -e
-          ARCH=$(uname -m)
-          URL=https://storage.googleapis.com/gvisor/releases/release/latest/${ARCH}
-          wget --quiet ${URL}/runsc ${URL}/runsc.sha512 \
-            ${URL}/containerd-shim-runsc-v1 ${URL}/containerd-shim-runsc-v1.sha512
+          ARCH="$(uname -m)"
+          URL="https://storage.googleapis.com/gvisor/releases/release/latest/${ARCH}"
+          wget --quiet "${URL}/runsc" "${URL}/runsc.sha512" \
+            "${URL}/containerd-shim-runsc-v1" "${URL}/containerd-shim-runsc-v1.sha512"
           sha512sum -c runsc.sha512 \
             -c containerd-shim-runsc-v1.sha512
-          rm -f *.sha512
+          rm -f -- *.sha512
           chmod a+rx runsc containerd-shim-runsc-v1
           sudo mv runsc containerd-shim-runsc-v1 /usr/local/bin
         )
-        cat | sudo tee /etc/docker/daemon.json <<EOF
+        sudo tee /etc/docker/daemon.json <<EOF
         {
           "runtimes": {
             "runsc": {
               "path": "/usr/local/bin/runsc",
               "runtimeArgs": [
-                "--host-uds=all",
-                "--host-fifo=open"
+                "--host-uds=all"
               ]
             }
           }
@@ -68,6 +67,41 @@ jobs:
 
         sudo systemctl reload docker
 
+    - name: Install rootless docker
+      if: ${{ matrix.module == 'plugincontainer' }}
+      run: |
+        sudo apt-get install -y uidmap dbus-user-session
+        cat /etc/subuid /etc/subgid
+        curl -fsSL https://get.docker.com/rootless | sh
+        mkdir -p ~/.config/docker/
+        tee ~/.config/docker/daemon.json  <<EOF
+        {
+          "runtimes": {
+            "runsc": {
+              "path": "/usr/local/bin/runsc",
+              "runtimeArgs": [
+                "--host-uds=all",
+                "--ignore-cgroups"
+              ]
+            }
+          }
+        }
+        EOF
+        systemctl --user restart docker
+    
+    - name: Install rootless podman
+      if: ${{ matrix.module == 'plugincontainer' }}
+      run: |
+        sudo apt-get install -y podman slirp4netns fuse-overlayfs
+        mkdir -p ~/local/bin
+        RUNSC_SCRIPT=~/local/bin/runsc.podman
+        tee "${RUNSC_SCRIPT}" <<EOF
+        #!/bin/bash
+        /usr/local/bin/runsc --host-uds=all --ignore-cgroups "\$@"
+        EOF
+        chmod u+x "${RUNSC_SCRIPT}"
+        podman --runtime "${RUNSC_SCRIPT}" system service -t 0 &
+    
     - name: Test
       run: cd ${{ matrix.module }} && go test ./...
 
diff --git a/plugincontainer/compatibility_test.go b/plugincontainer/compatibility_test.go
new file mode 100644
index 0000000..b8c91b1
--- /dev/null
+++ b/plugincontainer/compatibility_test.go
@@ -0,0 +1,133 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: MPL-2.0
+
+package plugincontainer_test
+
+import (
+	"fmt"
+	"os"
+	"testing"
+
+	"github.com/hashicorp/go-secure-stdlib/plugincontainer"
+)
+
+const (
+	engineDocker = "docker"
+	enginePodman = "podman"
+	runtimeRunc  = "runc"
+	runtimeRunsc = "runsc"
+)
+
+type matrixInput struct {
+	containerEngine  string
+	containerRuntime string
+	rootlessEngine   bool
+	rootlessUser     bool
+	mlock            bool
+}
+
+func (m matrixInput) String() string {
+	var s string
+	if m.rootlessEngine {
+		s = "rootless " + m.containerEngine
+	} else {
+		s = m.containerEngine
+	}
+	s += ":" + m.containerRuntime
+	if m.rootlessUser {
+		s += ":" + "nonroot"
+	}
+	if m.mlock {
+		s += ":" + "mlock"
+	}
+	return s
+}
+
+func TestCompatibilityMatrix(t *testing.T) {
+	runCmd(t, "go", "build", "-o=examples/container/go-plugin-counter", "./examples/container/plugin-counter")
+
+	for _, engine := range []string{engineDocker, enginePodman} {
+		for _, runtime := range []string{runtimeRunc, runtimeRunsc} {
+			for _, rootlessEngine := range []bool{true, false} {
+				for _, rootlessUser := range []bool{true, false} {
+					for _, mlock := range []bool{true, false} {
+						i := matrixInput{
+							containerEngine:  engine,
+							containerRuntime: runtime,
+							rootlessEngine:   rootlessEngine,
+							rootlessUser:     rootlessUser,
+							mlock:            mlock,
+						}
+						t.Run(i.String(), func(t *testing.T) {
+							runExamplePlugin(t, i)
+						})
+					}
+				}
+			}
+		}
+	}
+}
+
+func skipIfUnsupported(t *testing.T, i matrixInput) {
+	switch {
+	case i.rootlessEngine && i.rootlessUser:
+		t.Skip("Unix socket permissions not yet working for rootless engine + nonroot container user")
+	case i.containerEngine == enginePodman && !i.rootlessEngine:
+		t.Skip("TODO: These tests would pass but CI doesn't have the environment set up yet")
+	case i.mlock && i.rootlessEngine:
+		if i.containerEngine == engineDocker && i.containerRuntime == runtimeRunsc {
+			// runsc works in rootless because it has its own implementation of mlockall(2)
+		} else {
+			t.Skip("TODO: These tests should work if the rootless engine is given the IPC_LOCK capability")
+		}
+	}
+}
+
+func setDockerHost(t *testing.T, containerEngine string, rootlessEngine bool) {
+	var socketFile string
+	switch {
+	case containerEngine == engineDocker && !rootlessEngine:
+		socketFile = "/var/run/docker.sock"
+	case containerEngine == engineDocker && rootlessEngine:
+		socketFile = fmt.Sprintf("/run/user/%d/docker.sock", os.Getuid())
+	case containerEngine == enginePodman && !rootlessEngine:
+		socketFile = "/var/run/podman/podman.sock"
+	case containerEngine == enginePodman && rootlessEngine:
+		socketFile = fmt.Sprintf("/run/user/%d/podman/podman.sock", os.Getuid())
+	default:
+		t.Fatalf("Unsupported combination: %s, %v", containerEngine, rootlessEngine)
+	}
+	if _, err := os.Stat(socketFile); err != nil {
+		t.Fatal("Did not find expected socket file:", err)
+	}
+	t.Setenv("DOCKER_HOST", "unix://"+socketFile)
+}
+
+func runExamplePlugin(t *testing.T, i matrixInput) {
+	skipIfUnsupported(t, i)
+	setDockerHost(t, i.containerEngine, i.rootlessEngine)
+	tag := goPluginCounterImage
+	target := "root"
+	if i.rootlessUser {
+		tag += ":nonroot"
+		target = "nonroot"
+	}
+	runCmd(t, i.containerEngine, "build", "--tag="+tag, "--target="+target, "--file=examples/container/Dockerfile", "examples/container")
+
+	// TODO: Install rootless and podman on CI
+	cfg := &plugincontainer.Config{
+		Image:    goPluginCounterImage,
+		GroupAdd: os.Getgid(),
+
+		// Test inputs
+		Runtime:    i.containerRuntime,
+		CapIPCLock: i.mlock,
+	}
+	if i.mlock {
+		cfg.Env = append(cfg.Env, "MLOCK=true")
+	}
+	if i.rootlessUser {
+		cfg.Tag = "nonroot"
+	}
+	exerciseExamplePlugin(t, cfg)
+}
diff --git a/plugincontainer/config.go b/plugincontainer/config.go
index e755226..915ccb9 100644
--- a/plugincontainer/config.go
+++ b/plugincontainer/config.go
@@ -42,10 +42,11 @@ type Config struct {
 	Labels         map[string]string // Arbitrary metadata to facilitate querying containers.
 
 	// container.HostConfig options
-	Runtime      string // OCI runtime.
+	Runtime      string // OCI runtime. NOTE: Has no effect if using podman's system service API
 	CgroupParent string // Parent Cgroup for the container
 	NanoCpus     int64  // CPU quota in billionths of a CPU core
 	Memory       int64  // Memory quota in bytes
+	CapIPCLock   bool   // Whether to add the capability IPC_LOCK, to allow the mlockall(2) syscall
 
 	// network.NetworkConfig options
 	EndpointsConfig map[string]*network.EndpointSettings // Endpoint configs for each connecting network
diff --git a/plugincontainer/container_runner.go b/plugincontainer/container_runner.go
index f7f3c3a..cc727fc 100644
--- a/plugincontainer/container_runner.go
+++ b/plugincontainer/container_runner.go
@@ -31,7 +31,7 @@ var (
 	_ runner.Runner = (*containerRunner)(nil)
 
 	errUnsupportedOS  = errors.New("plugincontainer currently only supports Linux")
-	errSHA256Mismatch = errors.New("SHA256 mismatch")
+	ErrSHA256Mismatch = errors.New("SHA256 mismatch")
 )
 
 const pluginSocketDir = "/tmp/go-plugin-container"
@@ -142,6 +142,10 @@ func (cfg *Config) NewContainerRunner(logger hclog.Logger, cmd *exec.Cmd, hostSo
 		hostConfig.GroupAdd = append(hostConfig.GroupAdd, strconv.Itoa(cfg.GroupAdd))
 	}
 
+	if cfg.CapIPCLock {
+		hostConfig.CapAdd = append(hostConfig.CapAdd, "IPC_LOCK")
+	}
+
 	// Network config.
 	networkConfig := &network.NetworkingConfig{
 		EndpointsConfig: cfg.EndpointsConfig,
@@ -186,19 +190,19 @@ func (c *containerRunner) Start(ctx context.Context) error {
 			}
 		}
 		if !imageFound {
-			return fmt.Errorf("could not find any locally available images named %s that match with the provided SHA256 hash %s: %w", ref, c.sha256, errSHA256Mismatch)
+			return fmt.Errorf("could not find any locally available images named %s that match with the provided SHA256 hash %s: %w", ref, c.sha256, ErrSHA256Mismatch)
 		}
 	}
 
 	resp, err := c.dockerClient.ContainerCreate(ctx, c.containerConfig, c.hostConfig, c.networkConfig, nil, "")
 	if err != nil {
-		return err
+		return fmt.Errorf("error creating container: %w", err)
 	}
 	c.id = resp.ID
 	c.logger.Trace("created container", "image", c.image, "id", c.id)
 
 	if err := c.dockerClient.ContainerStart(ctx, c.id, types.ContainerStartOptions{}); err != nil {
-		return err
+		return fmt.Errorf("error starting container: %w", err)
 	}
 
 	// ContainerLogs combines stdout and stderr.
@@ -296,7 +300,7 @@ func (c *containerRunner) Stderr() io.ReadCloser {
 func (c *containerRunner) PluginToHost(pluginNet, pluginAddr string) (hostNet string, hostAddr string, err error) {
 	if path.Dir(pluginAddr) != pluginSocketDir {
 		return "", "", fmt.Errorf("expected address to be in directory %s, but was %s; "+
-			"the plugin may need to be recompiled with the latest go-plugin version", c.hostSocketDir, pluginAddr)
+			"the plugin may need to be recompiled with the latest go-plugin version", pluginSocketDir, pluginAddr)
 	}
 	return pluginNet, path.Join(c.hostSocketDir, path.Base(pluginAddr)), nil
 }
diff --git a/plugincontainer/container_runner_external_test.go b/plugincontainer/container_runner_external_test.go
new file mode 100644
index 0000000..f8a1f4f
--- /dev/null
+++ b/plugincontainer/container_runner_external_test.go
@@ -0,0 +1,270 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: MPL-2.0
+
+package plugincontainer_test
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"os"
+	"os/exec"
+	"runtime"
+	"strconv"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
+	"github.com/docker/docker/client"
+	"github.com/hashicorp/go-hclog"
+	"github.com/hashicorp/go-plugin"
+	"github.com/hashicorp/go-secure-stdlib/plugincontainer"
+	"github.com/hashicorp/go-secure-stdlib/plugincontainer/examples/container/shared"
+)
+
+const (
+	goPluginCounterImage = "go-plugin-counter"
+)
+
+func TestExamplePlugin(t *testing.T) {
+	runCmd(t, "go", "build", "-o=examples/container/go-plugin-counter", "./examples/container/plugin-counter")
+	runCmd(t, "docker", "build", "--tag="+goPluginCounterImage, "--target=root", "--file=examples/container/Dockerfile", "examples/container")
+	runCmd(t, "docker", "build", "--tag=broken:v1", "testdata/")
+
+	dockerClient, err := client.NewClientWithOpts(client.FromEnv, client.WithAPIVersionNegotiation())
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Get the full sha256 of the image we just built so we can test pinning.
+	images, err := dockerClient.ImageList(context.Background(), types.ImageListOptions{
+		Filters: filters.NewArgs(filters.Arg("reference", "go-plugin-counter:latest")),
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+	if len(images) != 1 {
+		t.Fatal(err)
+	}
+	id := images[0].ID
+	sha256 := strings.TrimPrefix(id, "sha256:")
+
+	// Default docker runtime.
+	t.Run("runc", func(t *testing.T) {
+		testExamplePlugin_WithRuntime(t, "runc", id, sha256)
+	})
+
+	// gVisor runtime.
+	t.Run("runsc", func(t *testing.T) {
+		testExamplePlugin_WithRuntime(t, "runsc", id, sha256)
+	})
+}
+
+func testExamplePlugin_WithRuntime(t *testing.T, ociRuntime, id, sha256 string) {
+	if runtime.GOOS != "linux" {
+		t.Skip("Only linux is supported for now")
+	}
+
+	for name, tc := range map[string]struct {
+		image, tag, sha256 string
+	}{
+		"image":                     {goPluginCounterImage, "", ""},
+		"image with tag":            {goPluginCounterImage, "latest", ""},
+		"image and sha256":          {goPluginCounterImage, "", sha256},
+		"image with tag and sha256": {goPluginCounterImage, "latest", sha256},
+		"image and id":              {goPluginCounterImage, "", id},
+		"image with tag and id":     {goPluginCounterImage, "latest", id},
+	} {
+		t.Run(name, func(t *testing.T) {
+			cfg := &plugincontainer.Config{
+				Image:    tc.image,
+				Tag:      tc.tag,
+				SHA256:   tc.sha256,
+				Runtime:  ociRuntime,
+				GroupAdd: os.Getgid(),
+			}
+			exerciseExamplePlugin(t, cfg)
+		})
+	}
+
+	// Failure cases.
+	for name, tc := range map[string]struct {
+		image               string
+		sha256              string
+		expectedErr         error
+		expectedErrContents []string
+	}{
+		"no image": {
+			"",
+			"",
+			nil,
+			nil,
+		},
+		"image given with tag": {
+			"broken:latest",
+			"",
+			nil,
+			[]string{"broken:latest"},
+		},
+		// Error should include container image, env, and logs as part of diagnostics.
+		"simulated plugin error": {
+			"broken",
+			"",
+			nil,
+			[]string{
+				"Image ref: broken",
+				fmt.Sprintf("%s=%s", shared.Handshake.MagicCookieKey, shared.Handshake.MagicCookieValue),
+				"bye from broken",
+			},
+		},
+		// The image and sha256 both got built in this test suite, but they
+		// mismatch so error should be SHA256 mismatch.
+		"SHA256 mismatch": {
+			"broken",
+			sha256,
+			plugincontainer.ErrSHA256Mismatch,
+			nil,
+		},
+	} {
+		t.Run(name, func(t *testing.T) {
+			cfg := &plugincontainer.Config{
+				Image:    tc.image,
+				Tag:      "v1",
+				SHA256:   tc.sha256,
+				Runtime:  ociRuntime,
+				GroupAdd: os.Getgid(),
+				Debug:    true,
+			}
+			pluginClient := plugin.NewClient(&plugin.ClientConfig{
+				HandshakeConfig: shared.Handshake,
+				Plugins:         shared.PluginMap,
+				SkipHostEnv:     true,
+				AutoMTLS:        true,
+				AllowedProtocols: []plugin.Protocol{
+					plugin.ProtocolGRPC,
+				},
+				Logger: hclog.New(&hclog.LoggerOptions{
+					Name:  t.Name(),
+					Level: hclog.Trace,
+				}),
+				UnixSocketConfig: &plugin.UnixSocketConfig{
+					Group: strconv.Itoa(cfg.GroupAdd),
+				},
+				RunnerFunc: cfg.NewContainerRunner,
+			})
+			defer pluginClient.Kill()
+
+			// Connect via RPC
+			_, err := pluginClient.Client()
+			if err == nil {
+				t.Fatal("Expected error starting fake plugin")
+			}
+			if tc.expectedErr != nil && !errors.Is(err, tc.expectedErr) {
+				t.Fatalf("Expected error %s, but got %s", tc.expectedErr, err)
+			}
+			for _, expected := range tc.expectedErrContents {
+				if !strings.Contains(err.Error(), expected) {
+					dockerClient, _ := client.NewClientWithOpts(client.FromEnv, client.WithAPIVersionNegotiation())
+					info, _ := dockerClient.Info(context.Background())
+					infoBytes, _ := json.MarshalIndent(info, "", "    ")
+					t.Log(string(infoBytes))
+					t.Fatalf("Expected %s in error, but got %s", expected, err)
+				}
+			}
+		})
+	}
+}
+
+func exerciseExamplePlugin(t *testing.T, cfg *plugincontainer.Config) {
+	client := plugin.NewClient(&plugin.ClientConfig{
+		HandshakeConfig: shared.Handshake,
+		Plugins:         shared.PluginMap,
+		SkipHostEnv:     true,
+		AutoMTLS:        true,
+		AllowedProtocols: []plugin.Protocol{
+			plugin.ProtocolGRPC,
+		},
+		Logger: hclog.New(&hclog.LoggerOptions{
+			Name:  t.Name(),
+			Level: hclog.Trace,
+		}),
+		UnixSocketConfig: &plugin.UnixSocketConfig{
+			Group: strconv.Itoa(cfg.GroupAdd),
+		},
+		RunnerFunc: cfg.NewContainerRunner,
+	})
+	defer client.Kill()
+
+	// Connect via RPC
+	rpcClient, err := client.Client()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Request the plugin
+	raw, err := rpcClient.Dispense("counter")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// We should have a Counter store running inside a container now! This feels
+	// like a normal interface implementation but is in fact over an RPC connection.
+	counter := raw.(shared.Counter)
+
+	storage := &inMemStorage{
+		data: make(map[string]int64),
+	}
+	v, err := counter.Increment("hello", 1, storage)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if v != 1 {
+		t.Fatal(v)
+	}
+
+	v, err = counter.Increment("hello", 2, storage)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if v != 3 {
+		t.Fatal(v)
+	}
+
+	v, err = counter.Increment("world", 2, storage)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if v != 2 {
+		t.Fatal(v)
+	}
+}
+
+func runCmd(t *testing.T, command string, args ...string) {
+	t.Helper()
+	cmd := exec.Command(command, args...)
+	// Disable cgo for 'go build' command, as we're running inside a static
+	// distroless container that doesn't have libc bindings available.
+	cmd.Env = append(os.Environ(), "CGO_ENABLED=0")
+	out, err := cmd.CombinedOutput()
+	t.Log(string(out))
+	if err != nil {
+		t.Fatalf("failed to run %#v, err: %s, output:\n%s", cmd, err, string(out))
+	}
+}
+
+var _ shared.Storage = (*inMemStorage)(nil)
+
+type inMemStorage struct {
+	data map[string]int64
+}
+
+func (s *inMemStorage) Put(key string, value int64) error {
+	s.data[key] = value
+	return nil
+}
+
+func (s *inMemStorage) Get(key string) (int64, error) {
+	return s.data[key], nil
+}
diff --git a/plugincontainer/container_runner_test.go b/plugincontainer/container_runner_test.go
index 4f60850..eb864f0 100644
--- a/plugincontainer/container_runner_test.go
+++ b/plugincontainer/container_runner_test.go
@@ -4,11 +4,7 @@
 package plugincontainer
 
 import (
-	"context"
-	"errors"
 	"fmt"
-	"io"
-	"os"
 	"os/exec"
 	"reflect"
 	"runtime"
@@ -16,13 +12,9 @@ import (
 	"strings"
 	"testing"
 
-	"github.com/docker/docker/api/types"
-	"github.com/docker/docker/api/types/filters"
 	"github.com/docker/docker/api/types/network"
-	"github.com/docker/docker/client"
 	"github.com/hashicorp/go-hclog"
 	"github.com/hashicorp/go-plugin"
-	"github.com/hashicorp/go-secure-stdlib/plugincontainer/examples/container/shared"
 )
 
 // TestNewContainerRunner_config ensures all the config options passed in have
@@ -144,250 +136,3 @@ func TestNewContainerRunner_config(t *testing.T) {
 		t.Error(runner.networkConfig.EndpointsConfig)
 	}
 }
-
-func TestExamplePlugin(t *testing.T) {
-	// Default docker runtime.
-	t.Run("runc", func(t *testing.T) {
-		testExamplePlugin_WithRuntime(t, "runc")
-	})
-
-	// gVisor runtime.
-	t.Run("runsc", func(t *testing.T) {
-		testExamplePlugin_WithRuntime(t, "runsc")
-	})
-}
-
-func testExamplePlugin_WithRuntime(t *testing.T, ociRuntime string) {
-	if runtime.GOOS != "linux" {
-		t.Skip("Only linux is supported for now")
-	}
-
-	runCmd(t, "go", "build", "-o=examples/container/go-plugin-counter", "./examples/container/plugin-counter")
-	runCmd(t, "docker", "build", "-t=go-plugin-counter", "-f=examples/container/Dockerfile", "examples/container")
-
-	dockerClient, err := client.NewClientWithOpts(client.FromEnv, client.WithAPIVersionNegotiation())
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// Get the full sha256 of the image we just built so we can test pinning.
-	images, err := dockerClient.ImageList(context.Background(), types.ImageListOptions{
-		Filters: filters.NewArgs(filters.Arg("reference", "go-plugin-counter:latest")),
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-	if len(images) != 1 {
-		t.Fatal(images)
-	}
-	id := images[0].ID
-	sha256 := strings.TrimPrefix(id, "sha256:")
-
-	for name, tc := range map[string]struct {
-		image, tag, sha256 string
-	}{
-		"image":                     {"go-plugin-counter", "", ""},
-		"image with tag":            {"go-plugin-counter", "latest", ""},
-		"image and sha256":          {"go-plugin-counter", "", sha256},
-		"image with tag and sha256": {"go-plugin-counter", "latest", sha256},
-		"image and id":              {"go-plugin-counter", "", id},
-		"image with tag and id":     {"go-plugin-counter", "latest", id},
-	} {
-		t.Run(name, func(t *testing.T) {
-			cfg := &Config{
-				Image:    tc.image,
-				Tag:      tc.tag,
-				SHA256:   tc.sha256,
-				Runtime:  ociRuntime,
-				GroupAdd: os.Getgid(),
-			}
-			client := plugin.NewClient(&plugin.ClientConfig{
-				HandshakeConfig: shared.Handshake,
-				Plugins:         shared.PluginMap,
-				SkipHostEnv:     true,
-				AutoMTLS:        true,
-				AllowedProtocols: []plugin.Protocol{
-					plugin.ProtocolGRPC,
-				},
-				Logger: hclog.New(&hclog.LoggerOptions{
-					Name:  t.Name(),
-					Level: hclog.Trace,
-				}),
-				UnixSocketConfig: &plugin.UnixSocketConfig{
-					Group: strconv.Itoa(cfg.GroupAdd),
-				},
-				RunnerFunc: cfg.NewContainerRunner,
-			})
-			defer client.Kill()
-
-			// Connect via RPC
-			rpcClient, err := client.Client()
-			if err != nil {
-				t.Fatal(err)
-			}
-
-			// Request the plugin
-			raw, err := rpcClient.Dispense("counter")
-			if err != nil {
-				t.Fatal(err)
-			}
-
-			// We should have a Counter store running inside a container now! This feels
-			// like a normal interface implementation but is in fact over an RPC connection.
-			counter := raw.(shared.Counter)
-
-			storage := &inMemStorage{
-				data: make(map[string]int64),
-			}
-			v, err := counter.Increment("hello", 1, storage)
-			if err != nil {
-				t.Fatal(err)
-			}
-			if v != 1 {
-				t.Fatal(v)
-			}
-
-			v, err = counter.Increment("hello", 2, storage)
-			if err != nil {
-				t.Fatal(err)
-			}
-			if v != 3 {
-				t.Fatal(v)
-			}
-
-			v, err = counter.Increment("world", 2, storage)
-			if err != nil {
-				t.Fatal(err)
-			}
-			if v != 2 {
-				t.Fatal(v)
-			}
-		})
-	}
-
-	// Failure cases.
-	runCmd(t, "docker", "build", "-t=broken", "-f=testdata/Dockerfile", "testdata/")
-	for name, tc := range map[string]struct {
-		image               string
-		sha256              string
-		expectedErr         error
-		expectedErrContents []string
-	}{
-		"no image": {
-			"",
-			"",
-			nil,
-			nil,
-		},
-		"image given with tag": {
-			"broken:latest",
-			"",
-			nil,
-			[]string{"broken:latest"},
-		},
-		// Error should include container image, env, and logs as part of diagnostics.
-		"simulated plugin error": {
-			"broken",
-			"",
-			nil,
-			[]string{
-				"Image ref: broken",
-				fmt.Sprintf("%s=%s", shared.Handshake.MagicCookieKey, shared.Handshake.MagicCookieValue),
-				"bye from broken",
-			},
-		},
-		// The image and sha256 both got built in this test suite, but they
-		// mismatch so error should be SHA256 mismatch.
-		"SHA256 mismatch": {
-			"broken",
-			sha256,
-			errSHA256Mismatch,
-			nil,
-		},
-	} {
-		t.Run(name, func(t *testing.T) {
-			cfg := &Config{
-				Image:    tc.image,
-				SHA256:   tc.sha256,
-				Runtime:  ociRuntime,
-				GroupAdd: os.Getgid(),
-				Debug:    true,
-			}
-			client := plugin.NewClient(&plugin.ClientConfig{
-				HandshakeConfig: shared.Handshake,
-				Plugins:         shared.PluginMap,
-				SkipHostEnv:     true,
-				AutoMTLS:        true,
-				AllowedProtocols: []plugin.Protocol{
-					plugin.ProtocolGRPC,
-				},
-				Logger: hclog.New(&hclog.LoggerOptions{
-					Name:  t.Name(),
-					Level: hclog.Trace,
-				}),
-				UnixSocketConfig: &plugin.UnixSocketConfig{
-					Group: strconv.Itoa(cfg.GroupAdd),
-				},
-				RunnerFunc: cfg.NewContainerRunner,
-			})
-			defer client.Kill()
-
-			// Connect via RPC
-			_, err = client.Client()
-			if err == nil {
-				t.Fatal("Expected error starting fake plugin")
-			}
-			if tc.expectedErr != nil && !errors.Is(err, tc.expectedErr) {
-				t.Fatalf("Expected error %s, but got %s", tc.expectedErr, err)
-			}
-			for _, expected := range tc.expectedErrContents {
-				if !strings.Contains(err.Error(), expected) {
-					t.Fatalf("Expected %s in error, but got %s", expected, err)
-				}
-			}
-		})
-	}
-}
-
-func runCmd(t *testing.T, name string, arg ...string) {
-	t.Helper()
-	cmd := exec.Command(name, arg...)
-	// Disable cgo for 'go build' command, as we're running inside a static
-	// distroless container that doesn't have libc bindings available.
-	cmd.Env = append(os.Environ(), "CGO_ENABLED=0")
-	stdout, err := cmd.StdoutPipe()
-	if err != nil {
-		t.Fatal(err)
-	}
-	t.Cleanup(func() {
-		stdout.Close()
-	})
-	go io.Copy(os.Stdout, stdout)
-	stderr, err := cmd.StderrPipe()
-	if err != nil {
-		t.Fatal(err)
-	}
-	t.Cleanup(func() {
-		stderr.Close()
-	})
-	go io.Copy(os.Stderr, stderr)
-	err = cmd.Run()
-	if err != nil {
-		t.Fatal(err)
-	}
-}
-
-var _ shared.Storage = (*inMemStorage)(nil)
-
-type inMemStorage struct {
-	data map[string]int64
-}
-
-func (s *inMemStorage) Put(key string, value int64) error {
-	s.data[key] = value
-	return nil
-}
-
-func (s *inMemStorage) Get(key string) (int64, error) {
-	return s.data[key], nil
-}
diff --git a/plugincontainer/examples/container/Dockerfile b/plugincontainer/examples/container/Dockerfile
index 6f9eb94..64688b9 100644
--- a/plugincontainer/examples/container/Dockerfile
+++ b/plugincontainer/examples/container/Dockerfile
@@ -1,8 +1,24 @@
 # Copyright (c) HashiCorp, Inc.
 # SPDX-License-Identifier: MPL-2.0
 
-FROM gcr.io/distroless/static-debian11
+FROM gcr.io/distroless/static-debian12 as root
 
 COPY go-plugin-counter /bin/go-plugin-counter
 
-ENTRYPOINT [ "/bin/go-plugin-counter" ]
\ No newline at end of file
+ENTRYPOINT [ "/bin/go-plugin-counter" ]
+
+FROM docker.mirror.hashicorp.services/alpine as nonroot
+
+COPY go-plugin-counter /bin/go-plugin-counter
+
+RUN apk add libcap && \
+    addgroup -S nonroot && \
+    adduser -S -G nonroot nonroot && \
+    chown -R nonroot:nonroot /bin/go-plugin-counter && \
+    setcap cap_ipc_lock=+ep /bin/go-plugin-counter
+
+USER nonroot
+
+ENTRYPOINT [ "/bin/go-plugin-counter" ]
+
+FROM root
\ No newline at end of file
diff --git a/plugincontainer/examples/container/plugin-counter/main.go b/plugincontainer/examples/container/plugin-counter/main.go
index e1e7d9a..e266d78 100644
--- a/plugincontainer/examples/container/plugin-counter/main.go
+++ b/plugincontainer/examples/container/plugin-counter/main.go
@@ -4,8 +4,13 @@
 package main
 
 import (
+	"log"
+	"os"
+	"syscall"
+
 	"github.com/hashicorp/go-plugin"
 	"github.com/hashicorp/go-secure-stdlib/plugincontainer/examples/container/shared"
+	"golang.org/x/sys/unix"
 )
 
 type Counter struct {
@@ -27,6 +32,12 @@ func (c *Counter) Increment(key string, value int64, storage shared.Storage) (in
 }
 
 func main() {
+	if _, mlock := os.LookupEnv("MLOCK"); mlock {
+		err := unix.Mlockall(syscall.MCL_CURRENT | syscall.MCL_FUTURE)
+		if err != nil {
+			log.Fatalf("failed to call unix.Mlockall: %s", err)
+		}
+	}
 	plugin.Serve(&plugin.ServeConfig{
 		HandshakeConfig: shared.Handshake,
 		Plugins: map[string]plugin.Plugin{