OSSInnovation
/
runc
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Merge pull request #633 from crosbymichael/bump-spec-v4 

Bump spec v0.4
This commit is contained in:
Mrunal Patel 2016-03-10 16:42:46 -08:00
parent 4bef923fdb 94dc520a57
commit 1beb2410db
23 changed files with 505 additions and 288 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
Godeps/Godeps.json generated
View File

@ -57,9 +57,9 @@
"Rev": "f7137ae6b19afbfd61a94b746fda3b3fe0491874"
},
{
"ImportPath": "github.com/opencontainers/specs",
"Comment": "v0.3.0-15-ga1e32a8",
"Rev": "a1e32a8ead2ba57adce3e36e956b4dc32c1b85c4"
"ImportPath": "github.com/opencontainers/specs/specs-go",
"Comment": "v0.4.0",
"Rev": "3ce138b1934bf227a418e241ead496c383eaba1c"
},
{
"ImportPath": "github.com/seccomp/libseccomp-golang",

42
Godeps/_workspace/src/github.com/opencontainers/specs/ChangeLog generated vendored
View File

@ -1,21 +1,53 @@
OpenContainers Specifications
Changes with v0.4.0:
Breaking changes:
* config: Move capabilities, selinuxProcessLabel, apparmorProfile,
and noNewPrivileges from the linux setting to the process setting
and make them optional, renaming selinuxProcessLabel to
selinuxLabel, #329, #330, #339
* runtime: Rename version to ociVerison in the state JSON, #225
* runtime: Remove the directory requirement for storing state, now
that there is a 'state' operation, #225, #334
* go: Shift *.go to specs-go/*.go, #276
* config: Move rlimits to process, #341
* go: Move config_linux.go content into config.go, removing
LinuxSpec, #310
Additions:
* schema: Add JSON Schema (and validator) for `config.json`, #313
* config: Add annotations for opaque-to-the-runtime data, #331
* config-linux: Make seccomp optional, #333
* runtime: Added additional operations: state, stop, and exec.
#225
Minor fixes and documentation:
* config-linux: Change mount type from *rune to *string and fix
octal fileMode examples, #323
* runtime: RFC 2119 phrasing for the lifecycle, #225
* README: Add a full example of config.json, #276
* README: Replace BlueJeans with UberConference, #326, #338
* style: Document Go-pointer exceptions, #317
Changes with v0.3.0:
Breaking changes:
* config: Single, unified config file, #284
* config: cwd is a required default, and must be absolute, #286,
#307, #308, #312
* config: qualify the name of the version field, #309
* config-linux: Convert classID from hex to uint32, #296
* config-linux: Separate mknod from cgroups, #298
Additions:
* config-linux: Add NoNewPrivileges setting for linux, #290
Minor fixes and documentation:
* config-linux: clarify oom_score_adj, #236, #292
* config-linux: Update links to cgroups documentation, #318
* config-linux: Remove pointers for slices preferring omitempty

14
Godeps/_workspace/src/github.com/opencontainers/specs/README.md generated vendored
View File

@ -5,15 +5,18 @@
Table of Contents
- [Container Principles](principles.md)
- [Specification Style](style.md)
- [Introduction](README.md)
- [Code of Conduct](code-of-conduct.md)
- [Container Principles](principles.md)
- [Style and Conventions](style.md)
- [Roadmap](ROADMAP.md)
- [Implementations](implementations.md)
- [Filesystem Bundle](bundle.md)
- [Runtime and Lifecycle](runtime.md)
- [Linux Specific Runtime](runtime-linux.md)
- Configuration
- [General](config.md)
- [Linux-specific](config-linux.md)
- [Runtime and Lifecycle](runtime.md)
- [Linux Specific Runtime](runtime-linux.md)
- [Implementations](implementations.md)
- [Glossary](glossary.md)
In the specifications in the above table of contents, the keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" are to be interpreted as described in [RFC 2119](http://tools.ietf.org/html/rfc2119) (Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997).
@ -154,5 +157,4 @@ Read more on [How to Write a Git Commit Message](http://chris.beams.io/posts/git
* If there was important/useful/essential conversation or information, copy or include a reference
8. When possible, one keyword to scope the change in the subject (i.e. "README: ...", "runtime: ...")
[BlueJeans]: https://bluejeans.com/1771332256/
[UberConference]: https://www.uberconference.com/ssaul

18
Godeps/_workspace/src/github.com/opencontainers/specs/config-linux.md generated vendored
View File

@ -455,24 +455,6 @@ For more information, see [the man page](http://man7.org/linux/man-pages/man8/sy
}
```
## Rlimits
rlimits allow setting resource limits.
`type` is a string with a value from those defined in [the man page](http://man7.org/linux/man-pages/man2/setrlimit.2.html).
The kernel enforces the `soft` limit for a resource while the `hard` limit acts as a ceiling for that value that could be set by an unprivileged process.
###### Example
```json
"rlimits": [
{
"type": "RLIMIT_NPROC",
"soft": 1024,
"hard": 102400
}
]
```
## seccomp
Seccomp provides application sandboxing mechanism in the Linux kernel.

92
Godeps/_workspace/src/github.com/opencontainers/specs/config.go generated vendored
View File

@ -1,92 +0,0 @@
package specs
// Spec is the base configuration for the container. It specifies platform
// independent configuration. This information must be included when the
// bundle is packaged for distribution.
type Spec struct {
// Version is the version of the specification that is supported.
Version string `json:"ociVersion"`
// Platform is the host information for OS and Arch.
Platform Platform `json:"platform"`
// Process is the container's main process.
Process Process `json:"process"`
// Root is the root information for the container's filesystem.
Root Root `json:"root"`
// Hostname is the container's host name.
Hostname string `json:"hostname,omitempty"`
// Mounts profile configuration for adding mounts to the container's filesystem.
Mounts []Mount `json:"mounts"`
// Hooks are the commands run at various lifecycle events of the container.
Hooks Hooks `json:"hooks"`
}
// Process contains information to start a specific application inside the container.
type Process struct {
// Terminal creates an interactive terminal for the container.
Terminal bool `json:"terminal"`
// User specifies user information for the process.
User User `json:"user"`
// Args specifies the binary and arguments for the application to execute.
Args []string `json:"args"`
// Env populates the process environment for the process.
Env []string `json:"env,omitempty"`
// Cwd is the current working directory for the process and must be
// relative to the container's root.
Cwd string `json:"cwd"`
// Capabilities are linux capabilities that are kept for the container.
Capabilities []string `json:"capabilities,omitempty"`
// ApparmorProfile specified the apparmor profile for the container.
ApparmorProfile string `json:"apparmorProfile,omitempty"`
// SelinuxProcessLabel specifies the selinux context that the container process is run as.
SelinuxLabel string `json:"selinuxLabel,omitempty"`
// NoNewPrivileges controls whether additional privileges could be gained by processes in the container.
NoNewPrivileges bool `json:"noNewPrivileges,omitempty"`
}
// Root contains information about the container's root filesystem on the host.
type Root struct {
// Path is the absolute path to the container's root filesystem.
Path string `json:"path"`
// Readonly makes the root filesystem for the container readonly before the process is executed.
Readonly bool `json:"readonly"`
}
// Platform specifies OS and arch information for the host system that the container
// is created for.
type Platform struct {
// OS is the operating system.
OS string `json:"os"`
// Arch is the architecture
Arch string `json:"arch"`
}
// Mount specifies a mount for a container.
type Mount struct {
// Destination is the path where the mount will be placed relative to the container's root. The path and child directories MUST exist, a runtime MUST NOT create directories automatically to a mount point.
Destination string `json:"destination"`
// Type specifies the mount kind.
Type string `json:"type"`
// Source specifies the source path of the mount. In the case of bind mounts on
// linux based systems this would be the file on the host.
Source string `json:"source"`
// Options are fstab style mount options.
Options []string `json:"options,omitempty"`
}
// Hook specifies a command that is run at a particular event in the lifecycle of a container
type Hook struct {
Path string `json:"path"`
Args []string `json:"args,omitempty"`
Env []string `json:"env,omitempty"`
}
// Hooks for container setup and teardown
type Hooks struct {
// Prestart is a list of hooks to be run before the container process is executed.
// On Linux, they are run after the container namespaces are created.
Prestart []Hook `json:"prestart,omitempty"`
// Poststart is a list of hooks to be run after the container process is started.
Poststart []Hook `json:"poststart,omitempty"`
// Poststop is a list of hooks to be run after the container process exits.
Poststop []Hook `json:"poststop,omitempty"`
}

196
Godeps/_workspace/src/github.com/opencontainers/specs/config.md generated vendored
View File

@ -90,10 +90,13 @@ See links for details about [mountvol](http://ss64.com/nt/mountvol.html) and [Se
* **`env`** (array of strings, optional) contains a list of variables that will be set in the process's environment prior to execution. Elements in the array are specified as Strings in the form "KEY=value". The left hand side must consist solely of letters, digits, and underscores `_` as outlined in [IEEE Std 1003.1-2001](http://pubs.opengroup.org/onlinepubs/009695399/basedefs/xbd_chap08.html).
* **`args`** (string, required) executable to launch and any flags as an array. The executable is the first element and must be available at the given path inside of the rootfs. If the executable path is not an absolute path then the search $PATH is interpreted to find the executable.
For Linux-based systemd the process structure supports the following process specific fields:
For Linux-based systems the process structure supports the following process specific fields:
* **`capabilities`** (array of strings, optional) capabilities is an array that specifies Linux capabilities that can be provided to the process inside the container.
Valid values are the strings for capabilities defined in [the man page](http://man7.org/linux/man-pages/man7/capabilities.7.html)
* **`rlimits`** (array of rlimits, optional) rlimits is an array of rlimits that allows setting resource limits for a process inside the container.
The kernel enforces the `soft` limit for a resource while the `hard` limit acts as a ceiling for that value that could be set by an unprivileged process.
Valid values for the 'type' field are the resources defined in [the man page](http://man7.org/linux/man-pages/man2/setrlimit.2.html).
* **`apparmorProfile`** (string, optional) apparmor profile specifies the name of the apparmor profile that will be used for the container.
For more information about Apparmor, see [Apparmor documentation](https://wiki.ubuntu.com/AppArmor)
* **`selinuxLabel`** (string, optional) SELinux process label specifies the label with which the processes in a container are run.
@ -133,6 +136,13 @@ For Linux-based systems the user structure has the following fields:
"CAP_AUDIT_WRITE",
"CAP_KILL",
"CAP_NET_BIND_SERVICE"
],
"rlimits": [
{
"type": "RLIMIT_NOFILE",
"hard": 1024,
"soft": 1024
}
]
}
```
@ -231,4 +241,188 @@ If a hook returns a non-zero exit code, then an error is logged and the remainin
`args` and `env` are optional.
The semantics are the same as `Path`, `Args` and `Env` in [golang Cmd](https://golang.org/pkg/os/exec/#Cmd).
## Annotations
Annotations are optional arbitrary non-identifying metadata that can be attached to containers.
This information may be large, may be structured or unstructured.
Annotations are key-value maps.
```json
"annotations": {
"key1" : "value1",
"key2" : "value2"
}
```
## Configuration Schema Example
Here is a full example `config.json` for reference.
```json
{
"ociVersion": "0.3.0",
"platform": {
"os": "linux",
"arch": "amd64"
},
"process": {
"terminal": true,
"user": {
"uid": 1,
"gid": 1,
"additionalGids": [
5,
6
]
},
"args": [
"sh"
],
"env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"TERM=xterm"
],
"cwd": "/",
"capabilities": [
"CAP_AUDIT_WRITE",
"CAP_KILL",
"CAP_NET_BIND_SERVICE"
],
"rlimits": [
{
"type": "RLIMIT_NOFILE",
"hard": 1024,
"soft": 1024
}
],
"apparmorProfile": "",
"selinuxLabel": ""
},
"root": {
"path": "rootfs",
"readonly": true
},
"hostname": "slartibartfast",
"mounts": [
{
"destination": "/proc",
"type": "proc",
"source": "proc"
},
{
"destination": "/dev",
"type": "tmpfs",
"source": "tmpfs",
"options": [
"nosuid",
"strictatime",
"mode=755",
"size=65536k"
]
},
{
"destination": "/dev/pts",
"type": "devpts",
"source": "devpts",
"options": [
"nosuid",
"noexec",
"newinstance",
"ptmxmode=0666",
"mode=0620",
"gid=5"
]
},
{
"destination": "/dev/shm",
"type": "tmpfs",
"source": "shm",
"options": [
"nosuid",
"noexec",
"nodev",
"mode=1777",
"size=65536k"
]
},
{
"destination": "/dev/mqueue",
"type": "mqueue",
"source": "mqueue",
"options": [
"nosuid",
"noexec",
"nodev"
]
},
{
"destination": "/sys",
"type": "sysfs",
"source": "sysfs",
"options": [
"nosuid",
"noexec",
"nodev"
]
},
{
"destination": "/sys/fs/cgroup",
"type": "cgroup",
"source": "cgroup",
"options": [
"nosuid",
"noexec",
"nodev",
"relatime",
"ro"
]
}
],
"hooks": {
"prestart": [
{
"path": "/usr/bin/uptime",
"args": [
"/usr/bin/uptime"
],
"env": []
}
]
},
"linux": {
"resources": {
"devices": [
{
"allow": false,
"access": "rwm"
}
]
},
"namespaces": [
{
"type": "pid"
},
{
"type": "network"
},
{
"type": "ipc"
},
{
"type": "uts"
},
{
"type": "mount"
}
],
"devices": null,
"seccomp": {
"defaultAction": "",
"architectures": null
}
}
}
```
[uts-namespace]: http://man7.org/linux/man-pages/man7/namespaces.7.html

143
Godeps/_workspace/src/github.com/opencontainers/specs/config_linux.go → Godeps/_workspace/src/github.com/opencontainers/specs/specs-go/config.go generated vendored
View File

@ -2,24 +2,122 @@ package specs
import "os"
// LinuxStateDirectory holds the container's state information
const LinuxStateDirectory = "/run/opencontainer/containers"
// Spec is the base configuration for the container. It specifies platform
// independent configuration. This information must be included when the
// bundle is packaged for distribution.
type Spec struct {
// Version is the version of the specification that is supported.
Version string `json:"ociVersion"`
// Platform is the host information for OS and Arch.
Platform Platform `json:"platform"`
// Process is the container's main process.
Process Process `json:"process"`
// Root is the root information for the container's filesystem.
Root Root `json:"root"`
// Hostname is the container's host name.
Hostname string `json:"hostname,omitempty"`
// Mounts profile configuration for adding mounts to the container's filesystem.
Mounts []Mount `json:"mounts"`
// Hooks are the commands run at various lifecycle events of the container.
Hooks Hooks `json:"hooks"`
// Annotations is an unstructured key value map that may be set by external tools to store and retrieve arbitrary metadata.
Annotations map[string]string `json:"annotations,omitempty"`
// LinuxSpec is the full specification for linux containers.
type LinuxSpec struct {
Spec
// Linux is platform specific configuration for linux based containers.
Linux Linux `json:"linux"`
// Linux is platform specific configuration for Linux based containers.
Linux Linux `json:"linux" platform:"linux"`
}
// Linux contains platform specific configuration for linux based containers.
type Linux struct {
// UIDMapping specifies user mappings for supporting user namespaces on linux.
UIDMappings []IDMapping `json:"uidMappings,omitempty"`
// GIDMapping specifies group mappings for supporting user namespaces on linux.
GIDMappings []IDMapping `json:"gidMappings,omitempty"`
// Rlimits specifies rlimit options to apply to the container's process.
// Process contains information to start a specific application inside the container.
type Process struct {
// Terminal creates an interactive terminal for the container.
Terminal bool `json:"terminal"`
// User specifies user information for the process.
User User `json:"user"`
// Args specifies the binary and arguments for the application to execute.
Args []string `json:"args"`
// Env populates the process environment for the process.
Env []string `json:"env,omitempty"`
// Cwd is the current working directory for the process and must be
// relative to the container's root.
Cwd string `json:"cwd"`
// Capabilities are Linux capabilities that are kept for the container.
Capabilities []string `json:"capabilities,omitempty" platform:"linux"`
// Rlimits specifies rlimit options to apply to the process.
Rlimits []Rlimit `json:"rlimits,omitempty"`
// NoNewPrivileges controls whether additional privileges could be gained by processes in the container.
NoNewPrivileges bool `json:"noNewPrivileges,omitempty"`
// ApparmorProfile specified the apparmor profile for the container. (this field is platform dependent)
ApparmorProfile string `json:"apparmorProfile,omitempty" platform:"linux"`
// SelinuxProcessLabel specifies the selinux context that the container process is run as. (this field is platform dependent)
SelinuxLabel string `json:"selinuxLabel,omitempty" platform:"linux"`
}
// User specifies Linux specific user and group information for the container's
// main process.
type User struct {
// UID is the user id. (this field is platform dependent)
UID uint32 `json:"uid,omitempty" platform:"linux"`
// GID is the group id. (this field is platform dependent)
GID uint32 `json:"gid,omitempty" platform:"linux"`
// AdditionalGids are additional group ids set for the container's process. (this field is platform dependent)
AdditionalGids []uint32 `json:"additionalGids,omitempty" platform:"linux"`
}
// Root contains information about the container's root filesystem on the host.
type Root struct {
// Path is the absolute path to the container's root filesystem.
Path string `json:"path"`
// Readonly makes the root filesystem for the container readonly before the process is executed.
Readonly bool `json:"readonly"`
}
// Platform specifies OS and arch information for the host system that the container
// is created for.
type Platform struct {
// OS is the operating system.
OS string `json:"os"`
// Arch is the architecture
Arch string `json:"arch"`
}
// Mount specifies a mount for a container.
type Mount struct {
// Destination is the path where the mount will be placed relative to the container's root. The path and child directories MUST exist, a runtime MUST NOT create directories automatically to a mount point.
Destination string `json:"destination"`
// Type specifies the mount kind.
Type string `json:"type"`
// Source specifies the source path of the mount. In the case of bind mounts on
// Linux based systems this would be the file on the host.
Source string `json:"source"`
// Options are fstab style mount options.
Options []string `json:"options,omitempty"`
}
// Hook specifies a command that is run at a particular event in the lifecycle of a container
type Hook struct {
Path string `json:"path"`
Args []string `json:"args,omitempty"`
Env []string `json:"env,omitempty"`
}
// Hooks for container setup and teardown
type Hooks struct {
// Prestart is a list of hooks to be run before the container process is executed.
// On Linux, they are run after the container namespaces are created.
Prestart []Hook `json:"prestart,omitempty"`
// Poststart is a list of hooks to be run after the container process is started.
Poststart []Hook `json:"poststart,omitempty"`
// Poststop is a list of hooks to be run after the container process exits.
Poststop []Hook `json:"poststop,omitempty"`
}
// Linux contains platform specific configuration for Linux based containers.
type Linux struct {
// UIDMapping specifies user mappings for supporting user namespaces on Linux.
UIDMappings []IDMapping `json:"uidMappings,omitempty"`
// GIDMapping specifies group mappings for supporting user namespaces on Linux.
GIDMappings []IDMapping `json:"gidMappings,omitempty"`
// Sysctl are a set of key value pairs that are set for the container on start
Sysctl map[string]string `json:"sysctl,omitempty"`
// Resources contain cgroup information for handling resource constraints
@ -34,23 +132,12 @@ type Linux struct {
// Devices are a list of device nodes that are created for the container
Devices []Device `json:"devices"`
// Seccomp specifies the seccomp security settings for the container.
Seccomp Seccomp `json:"seccomp"`
Seccomp *Seccomp `json:"seccomp,omitempty"`
// RootfsPropagation is the rootfs mount propagation mode for the container.
RootfsPropagation string `json:"rootfsPropagation,omitempty"`
}
// User specifies linux specific user and group information for the container's
// main process.
type User struct {
// UID is the user id.
UID uint32 `json:"uid"`
// GID is the group id.
GID uint32 `json:"gid"`
// AdditionalGids are additional group ids set for the container's process.
AdditionalGids []uint32 `json:"additionalGids,omitempty"`
}
// Namespace is the configuration for a linux namespace
// Namespace is the configuration for a Linux namespace
type Namespace struct {
// Type is the type of Linux namespace
Type NamespaceType `json:"type"`
@ -59,7 +146,7 @@ type Namespace struct {
Path string `json:"path,omitempty"`
}
// NamespaceType is one of the linux namespaces
// NamespaceType is one of the Linux namespaces
type NamespaceType string
const (

3
Godeps/_workspace/src/github.com/opencontainers/specs/state.go → Godeps/_workspace/src/github.com/opencontainers/specs/specs-go/state.go generated vendored
View File

@ -1,9 +1,6 @@
package specs
// State holds information about the runtime state of the container.
// This information will be stored in a file called `state.json`.
// The location of this file will be operating system specific. On Linux
// it will be in `/run/opencontainers/runc/<containerID>/state.json`
type State struct {
// Version is the version of the specification that is supported.
Version string `json:"version"`

2
Godeps/_workspace/src/github.com/opencontainers/specs/version.go → Godeps/_workspace/src/github.com/opencontainers/specs/specs-go/version.go generated vendored
View File

@ -11,7 +11,7 @@ const (
VersionPatch = 0
// VersionDev indicates development branch. Releases will be empty string.
VersionDev = "-dev"
VersionDev = ""
)
// Version is the specification version that the package types support.

2
exec.go
View File

@ -10,7 +10,7 @@ import (
"strings"
"github.com/codegangsta/cli"
"github.com/opencontainers/specs"
"github.com/opencontainers/specs/specs-go"
)
var execCommand = cli.Command{

2
libcontainer/configs/config.go
View File

@ -138,7 +138,7 @@ type Config struct {
// Rlimits specifies the resource limits, such as max open files, to set in the container
// If Rlimits are not set, the container will inherit rlimits from the parent process
Rlimits []Rlimit `json:"rlimits"`
Rlimits []Rlimit `json:"rlimits,omitempty"`
// OomScoreAdj specifies the adjustment to be made by the kernel when calculating oom scores
// for a process. Valid values are between the range [-1000, '1000'], where processes with

4
libcontainer/container_linux.go
View File

@ -332,6 +332,7 @@ func (c *linuxContainer) newInitConfig(process *Process) *initConfig {
NoNewPrivileges: c.config.NoNewPrivileges,
AppArmorProfile: c.config.AppArmorProfile,
ProcessLabel: c.config.ProcessLabel,
Rlimits: c.config.Rlimits,
}
if process.NoNewPrivileges != nil {
cfg.NoNewPrivileges = *process.NoNewPrivileges
@ -342,6 +343,9 @@ func (c *linuxContainer) newInitConfig(process *Process) *initConfig {
if process.Label != "" {
cfg.ProcessLabel = process.Label
}
if len(process.Rlimits) > 0 {
cfg.Rlimits = process.Rlimits
}
return cfg
}

31
libcontainer/init_linux.go
View File

@ -44,19 +44,20 @@ type network struct {
// initConfig is used for transferring parameters from Exec() to Init()
type initConfig struct {
Args []string `json:"args"`
Env []string `json:"env"`
Cwd string `json:"cwd"`
Capabilities []string `json:"capabilities"`
ProcessLabel string `json:"process_label"`
AppArmorProfile string `json:"apparmor_profile"`
NoNewPrivileges bool `json:"no_new_privileges"`
User string `json:"user"`
Config *configs.Config `json:"config"`
Console string `json:"console"`
Networks []*network `json:"network"`
PassedFilesCount int `json:"passed_files_count"`
ContainerId string `json:"containerid"`
Args []string `json:"args"`
Env []string `json:"env"`
Cwd string `json:"cwd"`
Capabilities []string `json:"capabilities"`
ProcessLabel string `json:"process_label"`
AppArmorProfile string `json:"apparmor_profile"`
NoNewPrivileges bool `json:"no_new_privileges"`
User string `json:"user"`
Config *configs.Config `json:"config"`
Console string `json:"console"`
Networks []*network `json:"network"`
PassedFilesCount int `json:"passed_files_count"`
ContainerId string `json:"containerid"`
Rlimits []configs.Rlimit `json:"rlimits"`
}
type initer interface {
@ -315,8 +316,8 @@ func setupRoute(config *configs.Config) error {
return nil
}
func setupRlimits(config *configs.Config) error {
for _, rlimit := range config.Rlimits {
func setupRlimits(limits []configs.Rlimit) error {
for _, rlimit := range limits {
l := &syscall.Rlimit{Max: rlimit.Hard, Cur: rlimit.Soft}
if err := syscall.Setrlimit(rlimit.Type, l); err != nil {
return fmt.Errorf("error setting rlimit type %v: %v", rlimit.Type, err)

6
libcontainer/process.go
View File

@ -5,6 +5,8 @@ import (
"io"
"math"
"os"
"github.com/opencontainers/runc/libcontainer/configs"
)
type processOperations interface {
@ -58,6 +60,10 @@ type Process struct {
// NoNewPrivileges controls whether processes can gain additional privileges.
NoNewPrivileges *bool
// Rlimits specifies the resource limits, such as max open files, to set in the container
// If Rlimits are not set, the container will inherit rlimits from the parent process
Rlimits []configs.Rlimit
ops processOperations
}

2
libcontainer/setns_init_linux.go
View File

@ -28,7 +28,7 @@ func (l *linuxSetnsInit) Init() error {
if _, err := keyctl.JoinSessionKeyring(l.getSessionRingName()); err != nil {
return err
}
if err := setupRlimits(l.config.Config); err != nil {
if err := setupRlimits(l.config.Rlimits); err != nil {
return err
}
if l.config.NoNewPrivileges {

2
libcontainer/standard_init_linux.go
View File

@ -73,7 +73,7 @@ func (l *linuxStandardInit) Init() error {
if err := setupRoute(l.config.Config); err != nil {
return err
}
if err := setupRlimits(l.config.Config); err != nil {
if err := setupRlimits(l.config.Rlimits); err != nil {
return err
}

6
main.go
View File

@ -6,11 +6,11 @@ import (
"github.com/Sirupsen/logrus"
"github.com/codegangsta/cli"
"github.com/opencontainers/specs"
"github.com/opencontainers/specs/specs-go"
)
const (
version = "0.0.8"
version = "0.0.9"
specConfig = "config.json"
usage = `Open Container Initiative runtime
@ -59,7 +59,7 @@ func main() {
},
cli.StringFlag{
Name: "root",
Value: specs.LinuxStateDirectory,
Value: "/run/runc",
Usage: "root directory for storage of container state (this should be located in tmpfs)",
},
cli.StringFlag{

4
restore.go
View File

@ -10,7 +10,7 @@ import (
"github.com/codegangsta/cli"
"github.com/opencontainers/runc/libcontainer"
"github.com/opencontainers/runc/libcontainer/configs"
"github.com/opencontainers/specs"
"github.com/opencontainers/specs/specs-go"
)
var restoreCommand = cli.Command{
@ -100,7 +100,7 @@ using the runc checkpoint command.`,
},
}
func restoreContainer(context *cli.Context, spec *specs.LinuxSpec, config *configs.Config, imagePath string) (code int, err error) {
func restoreContainer(context *cli.Context, spec *specs.Spec, config *configs.Config, imagePath string) (code int, err error) {
var (
rootuid = 0
id = context.Args().First()

183
spec.go
View File

@ -18,7 +18,7 @@ import (
"github.com/opencontainers/runc/libcontainer/configs"
"github.com/opencontainers/runc/libcontainer/seccomp"
libcontainerUtils "github.com/opencontainers/runc/libcontainer/utils"
"github.com/opencontainers/specs"
"github.com/opencontainers/specs/specs-go"
)
var specCommand = cli.Command{
@ -34,79 +34,84 @@ var specCommand = cli.Command{
},
},
Action: func(context *cli.Context) {
spec := specs.LinuxSpec{
Spec: specs.Spec{
Version: specs.Version,
Platform: specs.Platform{
OS: runtime.GOOS,
Arch: runtime.GOARCH,
spec := specs.Spec{
Version: specs.Version,
Platform: specs.Platform{
OS: runtime.GOOS,
Arch: runtime.GOARCH,
},
Root: specs.Root{
Path: "rootfs",
Readonly: true,
},
Process: specs.Process{
Terminal: true,
User: specs.User{},
Args: []string{
"sh",
},
Root: specs.Root{
Path: "rootfs",
Readonly: true,
Env: []string{
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"TERM=xterm",
},
Process: specs.Process{
Terminal: true,
User: specs.User{},
Args: []string{
"sh",
},
Env: []string{
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"TERM=xterm",
},
Cwd: "/",
NoNewPrivileges: true,
Capabilities: []string{
"CAP_AUDIT_WRITE",
"CAP_KILL",
"CAP_NET_BIND_SERVICE",
Cwd: "/",
NoNewPrivileges: true,
Capabilities: []string{
"CAP_AUDIT_WRITE",
"CAP_KILL",
"CAP_NET_BIND_SERVICE",
},
Rlimits: []specs.Rlimit{
{
Type: "RLIMIT_NOFILE",
Hard: uint64(1024),
Soft: uint64(1024),
},
},
Hostname: "shell",
Mounts: []specs.Mount{
{
Destination: "/proc",
Type: "proc",
Source: "proc",
Options: nil,
},
{
Destination: "/dev",
Type: "tmpfs",
Source: "tmpfs",
Options: []string{"nosuid", "strictatime", "mode=755", "size=65536k"},
},
{
Destination: "/dev/pts",
Type: "devpts",
Source: "devpts",
Options: []string{"nosuid", "noexec", "newinstance", "ptmxmode=0666", "mode=0620", "gid=5"},
},
{
Destination: "/dev/shm",
Type: "tmpfs",
Source: "shm",
Options: []string{"nosuid", "noexec", "nodev", "mode=1777", "size=65536k"},
},
{
Destination: "/dev/mqueue",
Type: "mqueue",
Source: "mqueue",
Options: []string{"nosuid", "noexec", "nodev"},
},
{
Destination: "/sys",
Type: "sysfs",
Source: "sysfs",
Options: []string{"nosuid", "noexec", "nodev", "ro"},
},
{
Destination: "/sys/fs/cgroup",
Type: "cgroup",
Source: "cgroup",
Options: []string{"nosuid", "noexec", "nodev", "relatime", "ro"},
},
},
Hostname: "runc",
Mounts: []specs.Mount{
{
Destination: "/proc",
Type: "proc",
Source: "proc",
Options: nil,
},
{
Destination: "/dev",
Type: "tmpfs",
Source: "tmpfs",
Options: []string{"nosuid", "strictatime", "mode=755", "size=65536k"},
},
{
Destination: "/dev/pts",
Type: "devpts",
Source: "devpts",
Options: []string{"nosuid", "noexec", "newinstance", "ptmxmode=0666", "mode=0620", "gid=5"},
},
{
Destination: "/dev/shm",
Type: "tmpfs",
Source: "shm",
Options: []string{"nosuid", "noexec", "nodev", "mode=1777", "size=65536k"},
},
{
Destination: "/dev/mqueue",
Type: "mqueue",
Source: "mqueue",
Options: []string{"nosuid", "noexec", "nodev"},
},
{
Destination: "/sys",
Type: "sysfs",
Source: "sysfs",
Options: []string{"nosuid", "noexec", "nodev", "ro"},
},
{
Destination: "/sys/fs/cgroup",
Type: "cgroup",
Source: "cgroup",
Options: []string{"nosuid", "noexec", "nodev", "relatime", "ro"},
},
},
Linux: specs.Linux{
@ -135,13 +140,6 @@ var specCommand = cli.Command{
Type: "mount",
},
},
Rlimits: []specs.Rlimit{
{
Type: "RLIMIT_NOFILE",
Hard: uint64(1024),
Soft: uint64(1024),
},
},
},
}
@ -201,7 +199,7 @@ var mountPropagationMapping = map[string]int{
// validateSpec validates the fields in the spec
// TODO: Add validation for other fields where applicable
func validateSpec(spec *specs.LinuxSpec) error {
func validateSpec(spec *specs.Spec) error {
if spec.Process.Cwd == "" {
return fmt.Errorf("Cwd property must not be empty")
}
@ -213,7 +211,7 @@ func validateSpec(spec *specs.LinuxSpec) error {
// loadSpec loads the specification from the provided path.
// If the path is empty then the default path will be "config.json"
func loadSpec(cPath string) (spec *specs.LinuxSpec, err error) {
func loadSpec(cPath string) (spec *specs.Spec, err error) {
cf, err := os.Open(cPath)
if err != nil {
if os.IsNotExist(err) {
@ -229,7 +227,7 @@ func loadSpec(cPath string) (spec *specs.LinuxSpec, err error) {
return spec, validateSpec(spec)
}
func createLibcontainerConfig(cgroupName string, spec *specs.LinuxSpec) (*configs.Config, error) {
func createLibcontainerConfig(cgroupName string, spec *specs.Spec) (*configs.Config, error) {
// runc's cwd will always be the bundle path
rcwd, err := os.Getwd()
if err != nil {
@ -280,13 +278,6 @@ func createLibcontainerConfig(cgroupName string, spec *specs.LinuxSpec) (*config
if err := setupUserNamespace(spec, config); err != nil {
return nil, err
}
for _, rlimit := range spec.Linux.Rlimits {
rl, err := createLibContainerRlimit(rlimit)
if err != nil {
return nil, err
}
config.Rlimits = append(config.Rlimits, rl)
}
c, err := createCgroupConfig(cgroupName, spec)
if err != nil {
return nil, err
@ -295,11 +286,13 @@ func createLibcontainerConfig(cgroupName string, spec *specs.LinuxSpec) (*config
// set extra path masking for libcontainer for the various unsafe places in proc
config.MaskPaths = maskedPaths
config.ReadonlyPaths = readonlyPaths
seccomp, err := setupSeccomp(&spec.Linux.Seccomp)
if err != nil {
return nil, err
if spec.Linux.Seccomp != nil {
seccomp, err := setupSeccomp(spec.Linux.Seccomp)
if err != nil {
return nil, err
}
config.Seccomp = seccomp
}
config.Seccomp = seccomp
config.Sysctl = spec.Linux.Sysctl
if oomScoreAdj := spec.Linux.Resources.OOMScoreAdj; oomScoreAdj != nil {
config.OomScoreAdj = *oomScoreAdj
@ -330,7 +323,7 @@ func createLibcontainerMount(cwd string, m specs.Mount) *configs.Mount {
}
}
func createCgroupConfig(name string, spec *specs.LinuxSpec) (*configs.Cgroup, error) {
func createCgroupConfig(name string, spec *specs.Spec) (*configs.Cgroup, error) {
var (
err error
myCgroupPath string
@ -506,7 +499,7 @@ func stringToDeviceRune(s string) (rune, error) {
}
}
func createDevices(spec *specs.LinuxSpec, config *configs.Config) error {
func createDevices(spec *specs.Spec, config *configs.Config) error {
// add whitelisted devices
config.Devices = []*configs.Device{
{
@ -591,7 +584,7 @@ func createDevices(spec *specs.LinuxSpec, config *configs.Config) error {
return nil
}
func setupUserNamespace(spec *specs.LinuxSpec, config *configs.Config) error {
func setupUserNamespace(spec *specs.Spec, config *configs.Config) error {
if len(spec.Linux.UIDMappings) == 0 {
return nil
}
@ -776,7 +769,7 @@ func setupSeccomp(config *specs.Seccomp) (*configs.Seccomp, error) {
return newConfig, nil
}
func createHooks(rspec *specs.LinuxSpec, config *configs.Config) {
func createHooks(rspec *specs.Spec, config *configs.Config) {
config.Hooks = &configs.Hooks{}
for _, h := range rspec.Hooks.Prestart {
cmd := configs.Command{

6
spec_test.go
View File

@ -6,13 +6,13 @@ import (
"strings"
"testing"
"github.com/opencontainers/specs"
"github.com/opencontainers/specs/specs-go"
)
func TestLinuxCgroupsPathSpecified(t *testing.T) {
cgroupsPath := "/user/cgroups/path/id"
spec := &specs.LinuxSpec{}
spec := &specs.Spec{}
spec.Linux.CgroupsPath = &cgroupsPath
cgroup, err := createCgroupConfig("ContainerID", spec)
@ -26,7 +26,7 @@ func TestLinuxCgroupsPathSpecified(t *testing.T) {
}
func TestLinuxCgroupsPathNotSpecified(t *testing.T) {
spec := &specs.LinuxSpec{}
spec := &specs.Spec{}
cgroup, err := createCgroupConfig("ContainerID", spec)
if err != nil {

4
start.go
View File

@ -9,7 +9,7 @@ import (
"github.com/codegangsta/cli"
"github.com/coreos/go-systemd/activation"
"github.com/opencontainers/runc/libcontainer"
"github.com/opencontainers/specs"
"github.com/opencontainers/specs/specs-go"
)
// default action is to start a container
@ -91,7 +91,7 @@ var initCommand = cli.Command{
},
}
func startContainer(context *cli.Context, spec *specs.LinuxSpec) (int, error) {
func startContainer(context *cli.Context, spec *specs.Spec) (int, error) {
id := context.Args().First()
if id == "" {
return -1, errEmptyID

2
state.go
View File

@ -12,7 +12,7 @@ import (
// cState represents the platform agnostic pieces relating to a running
// container's status and state. Note: The fields in this structure adhere to
// the opencontainers/specs requirement for json fields that must be returned
// the opencontainers/specs/specs-go requirement for json fields that must be returned
// in a state command.
type cState struct {
// Version is the OCI version for the container

23
utils.go
View File

@ -13,7 +13,7 @@ import (
"github.com/codegangsta/cli"
"github.com/opencontainers/runc/libcontainer"
"github.com/opencontainers/runc/libcontainer/configs"
"github.com/opencontainers/specs"
"github.com/opencontainers/specs/specs-go"
)
const wildcard = -1
@ -216,8 +216,8 @@ func getDefaultImagePath(context *cli.Context) string {
// newProcess returns a new libcontainer Process with the arguments from the
// spec and stdio from the current process.
func newProcess(p specs.Process) *libcontainer.Process {
return &libcontainer.Process{
func newProcess(p specs.Process) (*libcontainer.Process, error) {
lp := &libcontainer.Process{
Args: p.Args,
Env: p.Env,
// TODO: fix libcontainer's API to better support uid/gid in a typesafe way.
@ -228,6 +228,14 @@ func newProcess(p specs.Process) *libcontainer.Process {
NoNewPrivileges: &p.NoNewPrivileges,
AppArmorProfile: p.ApparmorProfile,
}
for _, rlimit := range p.Rlimits {
rl, err := createLibContainerRlimit(rlimit)
if err != nil {
return nil, err
}
lp.Rlimits = append(lp.Rlimits, rl)
}
return lp, nil
}
func dupStdio(process *libcontainer.Process, rootuid int) error {
@ -248,7 +256,7 @@ func dupStdio(process *libcontainer.Process, rootuid int) error {
// If systemd is supporting sd_notify protocol, this function will add support
// for sd_notify protocol from within the container.
func setupSdNotify(spec *specs.LinuxSpec, notifySocket string) {
func setupSdNotify(spec *specs.Spec, notifySocket string) {
spec.Mounts = append(spec.Mounts, specs.Mount{Destination: notifySocket, Type: "bind", Source: notifySocket, Options: []string{"bind"}})
spec.Process.Env = append(spec.Process.Env, fmt.Sprintf("NOTIFY_SOCKET=%s", notifySocket))
}
@ -293,7 +301,7 @@ func createPidFile(path string, process *libcontainer.Process) error {
return err
}
func createContainer(context *cli.Context, id string, spec *specs.LinuxSpec) (libcontainer.Container, error) {
func createContainer(context *cli.Context, id string, spec *specs.Spec) (libcontainer.Container, error) {
config, err := createLibcontainerConfig(id, spec)
if err != nil {
return nil, err
@ -316,7 +324,10 @@ func createContainer(context *cli.Context, id string, spec *specs.LinuxSpec) (li
// runProcess will create a new process in the specified container
// by executing the process specified in the 'config'.
func runProcess(container libcontainer.Container, config *specs.Process, listenFDs []*os.File, console string, pidFile string, detach bool) (int, error) {
process := newProcess(*config)
process, err := newProcess(*config)
if err != nil {
return -1, err
}
// Add extra file descriptors if needed
if len(listenFDs) > 0 {