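package oci

import (
	"os"
	"runtime"

	specs "github.com/opencontainers/specs/specs-go"
)

// Pointer helpers: the spec types use pointers so that "unset" can be told
// apart from the zero value when the config is serialized.
func sPtr(s string) *string { return &s }
func iPtr(i int64) *int64 { return &i }
func u32Ptr(i int64) *uint32 { u := uint32(i); return &u }
func fmPtr(i int64) *os.FileMode { fm := os.FileMode(i); return &fm }

// DefaultSpec returns the default OCI runtime spec used by docker for Linux
// containers. It is the security baseline every container starts from;
// callers layer user-requested mounts, capabilities, devices and namespaces
// on top of the returned value.
//
// Properties of the baseline worth knowing before modifying it:
//   - /proc is mounted read-write. Only the subtrees in Linux.ReadonlyPaths
//     are made read-only and only Linux.MaskedPaths are hidden, so any
//     sensitive /proc entry not in those lists is reachable by container root.
//   - No user namespace is configured, so uid 0 inside the container is uid 0
//     on the host unless the caller adds one.
//   - The device cgroup starts from a deny-all rule; a node listed in
//     Linux.Devices is created but stays unusable until an allow rule exists.
func DefaultSpec() specs.Spec {
	s := specs.Spec{
		Version: specs.Version,
		// Platform of the process that builds the spec (the daemon), not a
		// user-selectable target.
		Platform: specs.Platform{
			OS:   runtime.GOOS,
			Arch: runtime.GOARCH,
		},
	}

	s.Mounts = []specs.Mount{
		{
			// Deliberately not "ro": the kernel's own proc permissions still
			// apply, and the sensitive subtrees are handled by ReadonlyPaths
			// and MaskedPaths further down.
			Destination: "/proc",
			Type:        "proc",
			Source:      "proc",
			Options:     []string{"nosuid", "noexec", "nodev"},
		},
		{
			// No "nodev" here on purpose: this tmpfs is where the container's
			// device nodes live.
			Destination: "/dev",
			Type:        "tmpfs",
			Source:      "tmpfs",
			Options:     []string{"nosuid", "strictatime", "mode=755"},
		},
		{
			// "newinstance" gives the container a private devpts so it cannot
			// see or open the host's ptys.
			Destination: "/dev/pts",
			Type:        "devpts",
			Source:      "devpts",
			Options:     []string{"nosuid", "noexec", "newinstance", "ptmxmode=0666", "mode=0620", "gid=5"},
		},
		{
			Destination: "/sys",
			Type:        "sysfs",
			Source:      "sysfs",
			Options:     []string{"nosuid", "noexec", "nodev", "ro"},
		},
		{
			Destination: "/sys/fs/cgroup",
			Type:        "cgroup",
			Source:      "cgroup",
			Options:     []string{"ro", "nosuid", "noexec", "nodev"},
		},
		{
			Destination: "/dev/mqueue",
			Type:        "mqueue",
			Source:      "mqueue",
			Options:     []string{"nosuid", "noexec", "nodev"},
		},
	}

	// Capabilities a container process keeps by default. Anything not listed
	// (CAP_SYS_ADMIN, CAP_NET_ADMIN, CAP_SYS_PTRACE, CAP_SYS_MODULE, ...) is
	// dropped. CAP_NET_RAW and CAP_MKNOD are kept for compatibility; callers
	// that do not need raw sockets or device creation can remove them.
	s.Process.Capabilities = []string{
		"CAP_CHOWN",
		"CAP_DAC_OVERRIDE",
		"CAP_FSETID",
		"CAP_FOWNER",
		"CAP_MKNOD",
		"CAP_NET_RAW",
		"CAP_SETGID",
		"CAP_SETUID",
		"CAP_SETFCAP",
		"CAP_SETPCAP",
		"CAP_NET_BIND_SERVICE",
		"CAP_SYS_CHROOT",
		"CAP_KILL",
		"CAP_AUDIT_WRITE",
	}

	// allowChar builds a device-cgroup rule that grants read, write and
	// mknod access to one character device identified by major:minor.
	allowChar := func(major, minor int64) specs.DeviceCgroup {
		return specs.DeviceCgroup{
			Allow:  true,
			Type:   sPtr("c"),
			Major:  iPtr(major),
			Minor:  iPtr(minor),
			Access: sPtr("rwm"),
		}
	}

	s.Linux = &specs.Linux{
		// Paths the runtime hides from the container entirely. Because /proc
		// is writable and /sys is world-readable, anything that leaks host
		// state or lets container root poke the host kernel must be listed.
		MaskedPaths: []string{
			"/proc/kcore",         // raw image of kernel memory
			"/proc/keys",          // kernel keyrings are not namespaced; hide the host's
			"/proc/latency_stats", // per-process latency data of host tasks
			"/proc/timer_list",
			"/proc/timer_stats",
			"/proc/sched_debug", // host-wide scheduler state, including host PIDs
			"/proc/scsi",        // writes here can detach host SCSI devices
			"/sys/firmware",     // DMI/ACPI/EFI tables; host hardware identity
		},
		// Paths left visible but remounted read-only.
		ReadonlyPaths: []string{
			"/proc/asound",
			"/proc/bus",
			"/proc/fs",
			"/proc/irq",
			"/proc/sys",
			"/proc/sysrq-trigger",
		},
		// Note the absence of "user": no uid remapping happens unless the
		// caller adds a user namespace.
		Namespaces: []specs.Namespace{
			{Type: "mount"},
			{Type: "network"},
			{Type: "uts"},
			{Type: "pid"},
			{Type: "ipc"},
		},
		// Devices implicitly contains the following devices:
		// null, zero, full, random, urandom, tty, console, and ptmx.
		// ptmx is a bind-mount or symlink of the container's ptmx.
		// See also: https://github.com/opencontainers/runtime-spec/blob/master/config-linux.md#default-devices
		Devices: []specs.Device{
			{
				// The node is created world-writable so that an allow rule
				// added by the caller is enough to enable it; with the default
				// cgroup rules below, opening it is denied.
				Type:     "c",
				Path:     "/dev/fuse",
				Major:    10,
				Minor:    229,
				FileMode: fmPtr(0666),
				UID:      u32Ptr(0),
				GID:      u32Ptr(0),
			},
		},
		Resources: &specs.Resources{
			// Device cgroup allow-list. The rules are meant to be applied in
			// order: a catch-all deny first, then the handful of character
			// devices a container needs, then an explicit deny for /dev/fuse.
			// That last rule is redundant with the catch-all but records that
			// the fuse node created above is intentionally unusable by default.
			Devices: []specs.DeviceCgroup{
				{
					Allow:  false,
					Access: sPtr("rwm"),
				},
				allowChar(1, 5), // /dev/zero
				allowChar(1, 3), // /dev/null
				allowChar(1, 9), // /dev/urandom
				allowChar(1, 8), // /dev/random
				allowChar(5, 0), // /dev/tty
				allowChar(5, 1), // /dev/console
				// NOTE(review): /dev/full (1:7) and /dev/ptmx (5:2) appear in the
				// implicit device list above but have no allow rule here; whether
				// the runtime adds them is not visible from this file. Confirm
				// before relying on them.
				{
					Allow:  false,
					Type:   sPtr("c"),
					Major:  iPtr(10),
					Minor:  iPtr(229),
					Access: sPtr("rwm"),
				},
			},
		},
	}

	return s
}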