1 package oci
2
3 import (
4         "os"
5         "runtime"
6
7         "github.com/opencontainers/runtime-spec/specs-go"
8 )
9
// iPtr returns a pointer to a copy of i. The runtime-spec structs use
// *int64 for optional numeric fields, so a fresh address is needed for
// every literal value placed in them.
func iPtr(i int64) *int64 {
	v := i
	return &v
}
// u32Ptr converts i to uint32 and returns a pointer to the result. The
// conversion is a plain Go truncation; the callers pass small values.
func u32Ptr(i int64) *uint32 {
	u := new(uint32)
	*u = uint32(i)
	return u
}
// fmPtr converts i to an os.FileMode and returns a pointer to it, for the
// *os.FileMode fields of the runtime-spec device structs.
func fmPtr(i int64) *os.FileMode {
	fm := new(os.FileMode)
	*fm = os.FileMode(i)
	return fm
}
// defaultCapabilities returns the capability set granted to a container
// when the caller does not add or drop anything.
//
// A new slice is built on every call, so the bounding, permitted,
// inheritable and effective sets filled from it never share storage and
// can be modified independently. CAP_NET_RAW and CAP_MKNOD are part of the
// baseline; deployments that need neither raw sockets nor device nodes
// typically drop them.
func defaultCapabilities() []string {
	caps := make([]string, 0, 14)
	caps = append(caps,
		"CAP_CHOWN",
		"CAP_DAC_OVERRIDE",
		"CAP_FSETID",
		"CAP_FOWNER",
		"CAP_MKNOD",
		"CAP_NET_RAW",
		"CAP_SETGID",
		"CAP_SETUID",
		"CAP_SETFCAP",
		"CAP_SETPCAP",
		"CAP_NET_BIND_SERVICE",
		"CAP_SYS_CHROOT",
		"CAP_KILL",
		"CAP_AUDIT_WRITE",
	)
	return caps
}
// DefaultSpec returns the default spec used by docker for the current
// Platform. It is DefaultOSSpec applied to the daemon's own runtime.GOOS.
func DefaultSpec() specs.Spec {
	hostOS := runtime.GOOS
	return DefaultOSSpec(hostOS)
}
// DefaultOSSpec returns the spec for a given OS. Only "windows" and
// "solaris" are recognised; any other value, including an empty string,
// yields the Linux spec.
func DefaultOSSpec(osName string) specs.Spec {
	switch osName {
	case "windows":
		return DefaultWindowsSpec()
	case "solaris":
		return DefaultSolarisSpec()
	default:
		return DefaultLinuxSpec()
	}
}
// DefaultWindowsSpec creates a default spec for running Windows containers.
// Unlike the Linux and Solaris specs, the platform OS is taken from
// runtime.GOOS rather than being hard-coded; the Windows section is left
// empty for the caller to fill.
func DefaultWindowsSpec() specs.Spec {
	platform := specs.Platform{
		OS:   runtime.GOOS,
		Arch: runtime.GOARCH,
	}
	s := specs.Spec{Version: specs.Version, Platform: platform}
	s.Windows = &specs.Windows{}
	return s
}
// DefaultSolarisSpec creates a default spec for running Solaris containers.
// The spec version is pinned to "0.6.0" rather than specs.Version, and the
// platform OS is the literal "SunOS".
func DefaultSolarisSpec() specs.Spec {
	return specs.Spec{
		Version: "0.6.0",
		Platform: specs.Platform{
			OS:   "SunOS",
			Arch: runtime.GOARCH,
		},
		Solaris: &specs.Solaris{},
	}
}
// DefaultLinuxSpec creates a default spec for running Linux containers.
//
// The returned spec is the baseline every Linux container starts from: the
// kernel pseudo-filesystem mounts, the four default capability sets, the
// masked and read-only /proc paths, the namespaces to unshare and the
// device-cgroup rules. Container-specific settings are layered on top by
// the caller.
func DefaultLinuxSpec() specs.Spec {
	// allowDev produces one "allow" device-cgroup rule for a character
	// device identified by its major/minor numbers, granting read, write
	// and mknod access.
	allowDev := func(major, minor int64) specs.LinuxDeviceCgroup {
		return specs.LinuxDeviceCgroup{
			Allow:  true,
			Type:   "c",
			Major:  iPtr(major),
			Minor:  iPtr(minor),
			Access: "rwm",
		}
	}

	// Kernel pseudo-filesystems. All are nosuid, and every one except the
	// /dev tmpfs itself is also noexec; /sys and the cgroup tree are
	// read-only. /dev cannot be nodev because the container's device nodes
	// live there.
	mounts := []specs.Mount{
		{
			Destination: "/proc",
			Type:        "proc",
			Source:      "proc",
			Options:     []string{"nosuid", "noexec", "nodev"},
		},
		{
			Destination: "/dev",
			Type:        "tmpfs",
			Source:      "tmpfs",
			Options:     []string{"nosuid", "strictatime", "mode=755"},
		},
		{
			Destination: "/dev/pts",
			Type:        "devpts",
			Source:      "devpts",
			Options:     []string{"nosuid", "noexec", "newinstance", "ptmxmode=0666", "mode=0620", "gid=5"},
		},
		{
			Destination: "/sys",
			Type:        "sysfs",
			Source:      "sysfs",
			Options:     []string{"nosuid", "noexec", "nodev", "ro"},
		},
		{
			Destination: "/sys/fs/cgroup",
			Type:        "cgroup",
			Source:      "cgroup",
			Options:     []string{"ro", "nosuid", "noexec", "nodev"},
		},
		{
			Destination: "/dev/mqueue",
			Type:        "mqueue",
			Source:      "mqueue",
			Options:     []string{"nosuid", "noexec", "nodev"},
		},
	}

	// Each call to defaultCapabilities returns a fresh slice, so the four
	// sets never alias one another.
	//
	// NOTE(review): Inheritable is filled with the full default set. Only
	// the bounding, permitted and effective sets are needed for the
	// container's initial process; a populated inheritable set is what lets
	// an exec of a binary carrying file capabilities pick those caps up.
	// Newer runtime defaults leave Inheritable empty — confirm before
	// relying on this behaviour.
	caps := &specs.LinuxCapabilities{
		Bounding:    defaultCapabilities(),
		Permitted:   defaultCapabilities(),
		Inheritable: defaultCapabilities(),
		Effective:   defaultCapabilities(),
	}

	// /proc entries that leak kernel addresses or timing information and
	// are therefore hidden (masked) from the container.
	maskedPaths := []string{
		"/proc/kcore",
		"/proc/latency_stats",
		"/proc/timer_list",
		"/proc/timer_stats",
		"/proc/sched_debug",
	}
	// For LCOW support, don't mask /sys/firmware. This keys off the
	// daemon's own OS (runtime.GOOS), not the spec's target OS, because
	// this function has no OS parameter.
	if runtime.GOOS != "windows" {
		maskedPaths = append(maskedPaths, "/sys/firmware")
	}

	linux := &specs.Linux{
		MaskedPaths: maskedPaths,
		// Kernel tunables and hardware tables that stay visible but cannot
		// be written from inside the container.
		ReadonlyPaths: []string{
			"/proc/asound",
			"/proc/bus",
			"/proc/fs",
			"/proc/irq",
			"/proc/sys",
			"/proc/sysrq-trigger",
		},
		// Namespaces unshared for every container. No user namespace is
		// listed here.
		Namespaces: []specs.LinuxNamespace{
			{Type: "mount"},
			{Type: "network"},
			{Type: "uts"},
			{Type: "pid"},
			{Type: "ipc"},
		},
		// Devices implicitly contains the following devices:
		// null, zero, full, random, urandom, tty, console, and ptmx.
		// ptmx is a bind-mount or symlink of the container's ptmx.
		// See also: https://github.com/opencontainers/runtime-spec/blob/master/config-linux.md#default-devices
		Devices: []specs.LinuxDevice{},
		Resources: &specs.LinuxResources{
			// Device cgroup: the first rule denies every device, the
			// following rules whitelist the standard character devices by
			// major:minor, and the last rule explicitly denies 10:229
			// (/dev/fuse) so it is never reachable from a container.
			Devices: []specs.LinuxDeviceCgroup{
				{
					Allow:  false,
					Access: "rwm",
				},
				allowDev(1, 5), // /dev/zero
				allowDev(1, 3), // /dev/null
				allowDev(1, 9), // /dev/urandom
				allowDev(1, 8), // /dev/random
				allowDev(5, 0), // /dev/tty
				allowDev(5, 1), // /dev/console
				{
					Allow:  false,
					Type:   "c",
					Major:  iPtr(10),
					Minor:  iPtr(229),
					Access: "rwm",
				},
			},
		},
	}

	s := specs.Spec{
		Version: specs.Version,
		Platform: specs.Platform{
			OS:   "linux",
			Arch: runtime.GOARCH,
		},
		Mounts: mounts,
		Linux:  linux,
	}
	s.Process.Capabilities = caps
	return s
}