| 4f0d95fa |
package oci // import "github.com/docker/docker/oci" |
| 9c4570a9 |
import (
"os"
"runtime"
|
| 041e5a21 |
"github.com/opencontainers/runtime-spec/specs-go" |
| 9c4570a9 |
)
func iPtr(i int64) *int64 { return &i }
func u32Ptr(i int64) *uint32 { u := uint32(i); return &u }
func fmPtr(i int64) *os.FileMode { fm := os.FileMode(i); return &fm }
|
| 80d7bfd5 |
// DefaultCapabilities returns a Linux kernel default capabilities
func DefaultCapabilities() []string { |
| 005506d3 |
return []string{
"CAP_CHOWN",
"CAP_DAC_OVERRIDE",
"CAP_FSETID",
"CAP_FOWNER",
"CAP_MKNOD",
"CAP_NET_RAW",
"CAP_SETGID",
"CAP_SETUID",
"CAP_SETFCAP",
"CAP_SETPCAP",
"CAP_NET_BIND_SERVICE",
"CAP_SYS_CHROOT",
"CAP_KILL",
"CAP_AUDIT_WRITE",
}
}
|
| f1545882 |
// DefaultSpec returns the default spec used by docker for the current Platform |
| 9c4570a9 |
func DefaultSpec() specs.Spec { |
| f1545882 |
return DefaultOSSpec(runtime.GOOS)
}
// DefaultOSSpec returns the spec for a given OS
func DefaultOSSpec(osName string) specs.Spec {
if osName == "windows" {
return DefaultWindowsSpec()
} |
| 5a9b5f10 |
return DefaultLinuxSpec() |
| f1545882 |
}
// DefaultWindowsSpec create a default spec for running Windows containers
func DefaultWindowsSpec() specs.Spec {
return specs.Spec{ |
| 9c4570a9 |
Version: specs.Version, |
| f1545882 |
Windows: &specs.Windows{}, |
| 7c29103a |
Process: &specs.Process{},
Root: &specs.Root{}, |
| f1545882 |
}
}
// DefaultLinuxSpec create a default spec for running Linux containers
func DefaultLinuxSpec() specs.Spec {
s := specs.Spec{
Version: specs.Version, |
| ddae20c0 |
Process: &specs.Process{
Capabilities: &specs.LinuxCapabilities{ |
| 80d7bfd5 |
Bounding: DefaultCapabilities(),
Permitted: DefaultCapabilities(),
Inheritable: DefaultCapabilities(),
Effective: DefaultCapabilities(), |
| ddae20c0 |
},
}, |
| 71651e0b |
Root: &specs.Root{}, |
| 9c4570a9 |
}
s.Mounts = []specs.Mount{
{
Destination: "/proc",
Type: "proc",
Source: "proc",
Options: []string{"nosuid", "noexec", "nodev"},
},
{
Destination: "/dev",
Type: "tmpfs",
Source: "tmpfs", |
| bfdb0f3c |
Options: []string{"nosuid", "strictatime", "mode=755", "size=65536k"}, |
| 9c4570a9 |
},
{
Destination: "/dev/pts",
Type: "devpts",
Source: "devpts",
Options: []string{"nosuid", "noexec", "newinstance", "ptmxmode=0666", "mode=0620", "gid=5"},
},
{
Destination: "/sys",
Type: "sysfs",
Source: "sysfs",
Options: []string{"nosuid", "noexec", "nodev", "ro"},
},
{
Destination: "/sys/fs/cgroup",
Type: "cgroup",
Source: "cgroup",
Options: []string{"ro", "nosuid", "noexec", "nodev"},
},
{
Destination: "/dev/mqueue",
Type: "mqueue",
Source: "mqueue",
Options: []string{"nosuid", "noexec", "nodev"},
}, |
| 7120976d |
{
Destination: "/dev/shm",
Type: "tmpfs",
Source: "shm",
Options: []string{"nosuid", "noexec", "nodev", "mode=1777"},
}, |
| 9c4570a9 |
}
|
| 02309170 |
s.Linux = &specs.Linux{ |
| 3f81b493 |
MaskedPaths: []string{ |
| 64e52ff3 |
"/proc/asound", |
| 569b9702 |
"/proc/acpi", |
| 3f81b493 |
"/proc/kcore", |
| de23cb93 |
"/proc/keys", |
| 3f81b493 |
"/proc/latency_stats", |
| 03bd00b6 |
"/proc/timer_list", |
| 3f81b493 |
"/proc/timer_stats",
"/proc/sched_debug", |
| a21ecdf3 |
"/proc/scsi", |
| b023a46a |
"/sys/firmware", |
| 3f81b493 |
},
ReadonlyPaths: []string{
"/proc/bus",
"/proc/fs",
"/proc/irq",
"/proc/sys",
"/proc/sysrq-trigger",
}, |
| 005506d3 |
Namespaces: []specs.LinuxNamespace{ |
| 9c4570a9 |
{Type: "mount"},
{Type: "network"},
{Type: "uts"},
{Type: "pid"},
{Type: "ipc"},
}, |
| b397f978 |
// Devices implicitly contains the following devices:
// null, zero, full, random, urandom, tty, console, and ptmx. |
| dffa5d6d |
// ptmx is a bind mount or symlink of the container's ptmx. |
| b397f978 |
// See also: https://github.com/opencontainers/runtime-spec/blob/master/config-linux.md#default-devices |
| 005506d3 |
Devices: []specs.LinuxDevice{},
Resources: &specs.LinuxResources{
Devices: []specs.LinuxDeviceCgroup{ |
| 9c4570a9 |
{
Allow: false, |
| 005506d3 |
Access: "rwm", |
| 9c4570a9 |
},
{
Allow: true, |
| 005506d3 |
Type: "c", |
| 9c4570a9 |
Major: iPtr(1),
Minor: iPtr(5), |
| 005506d3 |
Access: "rwm", |
| 9c4570a9 |
},
{
Allow: true, |
| 005506d3 |
Type: "c", |
| 9c4570a9 |
Major: iPtr(1),
Minor: iPtr(3), |
| 005506d3 |
Access: "rwm", |
| 9c4570a9 |
},
{
Allow: true, |
| 005506d3 |
Type: "c", |
| 9c4570a9 |
Major: iPtr(1),
Minor: iPtr(9), |
| 005506d3 |
Access: "rwm", |
| 9c4570a9 |
},
{
Allow: true, |
| 005506d3 |
Type: "c", |
| 9c4570a9 |
Major: iPtr(1),
Minor: iPtr(8), |
| 005506d3 |
Access: "rwm", |
| 9c4570a9 |
},
{
Allow: true, |
| 005506d3 |
Type: "c", |
| 9c4570a9 |
Major: iPtr(5),
Minor: iPtr(0), |
| 005506d3 |
Access: "rwm", |
| 9c4570a9 |
},
{
Allow: true, |
| 005506d3 |
Type: "c", |
| 9c4570a9 |
Major: iPtr(5),
Minor: iPtr(1), |
| 005506d3 |
Access: "rwm", |
| 9c4570a9 |
},
{
Allow: false, |
| 005506d3 |
Type: "c", |
| 9c4570a9 |
Major: iPtr(10),
Minor: iPtr(229), |
| 005506d3 |
Access: "rwm", |
| 9c4570a9 |
},
},
},
}
|
| 7c29103a |
// For LCOW support, populate a blank Windows spec
if runtime.GOOS == "windows" {
s.Windows = &specs.Windows{}
}
|
| 9c4570a9 |
return s
} |