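package oci // import "github.com/docker/docker/oci"

import (
	"runtime"

	"github.com/docker/docker/oci/caps"
	specs "github.com/opencontainers/runtime-spec/specs-go"
)

// iPtr returns a pointer to a copy of i. The runtime spec expresses device
// major/minor numbers as *int64, so every rule below goes through this helper.
func iPtr(i int64) *int64 { return &i }

// DefaultSpec returns the default spec used by docker for the current Platform.
// It dispatches purely on runtime.GOOS: Windows gets DefaultWindowsSpec, every
// other platform gets DefaultLinuxSpec.
func DefaultSpec() specs.Spec {
	if runtime.GOOS == "windows" {
		return DefaultWindowsSpec()
	}
	return DefaultLinuxSpec()
}

// DefaultWindowsSpec creates a default spec for running Windows containers.
// Only the top-level sections are allocated here; the caller fills them in.
func DefaultWindowsSpec() specs.Spec {
	return specs.Spec{
		Version: specs.Version,
		Windows: &specs.Windows{},
		Process: &specs.Process{},
		Root:    &specs.Root{},
	}
}

// DefaultLinuxSpec creates a default spec for running Linux containers.
//
// This is the hardened baseline every Linux container starts from:
//   - the bounding, permitted and effective capability sets are
//     caps.DefaultCapabilities(); Inheritable and Ambient are left unset;
//   - the pseudo-filesystems are mounted nosuid (and, apart from /dev and
//     /dev/pts, noexec/nodev), with sysfs and the cgroup tree read-only;
//   - kernel-internal /proc and /sys entries are masked or made read-only;
//   - fresh mount, network, uts, pid and ipc namespaces are requested;
//   - the device cgroup denies every device except a short allow-list.
//
// Callers are expected to layer seccomp, AppArmor, user namespaces and
// per-container settings on top of what is returned here.
func DefaultLinuxSpec() specs.Spec {
	return specs.Spec{
		Version: specs.Version,
		Process: &specs.Process{
			Capabilities: &specs.LinuxCapabilities{
				Bounding:  caps.DefaultCapabilities(),
				Permitted: caps.DefaultCapabilities(),
				Effective: caps.DefaultCapabilities(),
			},
		},
		Root:   &specs.Root{},
		Mounts: defaultLinuxMounts(),
		Linux: &specs.Linux{
			MaskedPaths:   defaultMaskedPaths(),
			ReadonlyPaths: defaultReadonlyPaths(),
			Namespaces: []specs.LinuxNamespace{
				{Type: "mount"},
				{Type: "network"},
				{Type: "uts"},
				{Type: "pid"},
				{Type: "ipc"},
			},
			// Devices implicitly contains the following devices:
			// null, zero, full, random, urandom, tty, console, and ptmx.
			// ptmx is a bind mount or symlink of the container's ptmx.
			// See also: https://github.com/opencontainers/runtime-spec/blob/master/config-linux.md#default-devices
			Devices: []specs.LinuxDevice{},
			Resources: &specs.LinuxResources{
				Devices: defaultDeviceCgroupRules(),
			},
		},
	}
}

// defaultLinuxMounts returns the pseudo-filesystem mounts every Linux
// container gets, in the order the runtime performs them (order matters:
// /dev/pts, /dev/mqueue and /dev/shm sit below /dev, /sys/fs/cgroup below
// /sys). Every entry carries nosuid; all but /dev and /dev/pts also carry
// noexec and nodev, so nothing under them can be executed or used to
// create device nodes.
func defaultLinuxMounts() []specs.Mount {
	return []specs.Mount{
		{
			Destination: "/proc",
			Type:        "proc",
			Source:      "proc",
			Options:     []string{"nosuid", "noexec", "nodev"},
		},
		{
			// /dev stays writable so the runtime can populate device nodes;
			// mode=755 and the 64 MiB size cap bound what is created there.
			Destination: "/dev",
			Type:        "tmpfs",
			Source:      "tmpfs",
			Options:     []string{"nosuid", "strictatime", "mode=755", "size=65536k"},
		},
		{
			// newinstance gives the container a private pty namespace
			// rather than a view of the host's.
			Destination: "/dev/pts",
			Type:        "devpts",
			Source:      "devpts",
			Options:     []string{"nosuid", "noexec", "newinstance", "ptmxmode=0666", "mode=0620", "gid=5"},
		},
		{
			Destination: "/sys",
			Type:        "sysfs",
			Source:      "sysfs",
			Options:     []string{"nosuid", "noexec", "nodev", "ro"},
		},
		{
			// Read-only: the container may inspect its cgroup limits but
			// must not be able to change them.
			Destination: "/sys/fs/cgroup",
			Type:        "cgroup",
			Source:      "cgroup",
			Options:     []string{"ro", "nosuid", "noexec", "nodev"},
		},
		{
			Destination: "/dev/mqueue",
			Type:        "mqueue",
			Source:      "mqueue",
			Options:     []string{"nosuid", "noexec", "nodev"},
		},
		{
			Destination: "/dev/shm",
			Type:        "tmpfs",
			Source:      "shm",
			Options:     []string{"nosuid", "noexec", "nodev", "mode=1777"},
		},
	}
}

// defaultMaskedPaths lists the /proc and /sys entries the runtime hides from
// the container. They expose host kernel internals (kernel memory via kcore,
// key material, scheduler/timer state, ACPI and SCSI tables, firmware) that
// are useful for fingerprinting or attacking the host and have no legitimate
// use inside a container.
func defaultMaskedPaths() []string {
	return []string{
		"/proc/asound",
		"/proc/acpi",
		"/proc/kcore",
		"/proc/keys",
		"/proc/latency_stats",
		"/proc/timer_list",
		"/proc/timer_stats",
		"/proc/sched_debug",
		"/proc/scsi",
		"/sys/firmware",
		// RAPL energy counters. World-readable power-consumption data lets
		// an unprivileged container observe other tenants through a power
		// side channel, so it is masked here as upstream moby later did.
		"/sys/devices/virtual/powercap",
	}
}

// defaultReadonlyPaths lists the /proc entries that remain visible but are
// remounted read-only: writing to them (kernel tunables under /proc/sys,
// /proc/sysrq-trigger, IRQ affinity) would alter host kernel state.
func defaultReadonlyPaths() []string {
	return []string{
		"/proc/bus",
		"/proc/fs",
		"/proc/irq",
		"/proc/sys",
		"/proc/sysrq-trigger",
	}
}

// defaultDeviceCgroupRules returns the device cgroup rule list. The first
// rule denies all access to every device; the rules that follow re-allow the
// character devices a container needs, identified by their standard Linux
// major/minor numbers. The runtime applies the rules in sequence, so the
// order is significant.
func defaultDeviceCgroupRules() []specs.LinuxDeviceCgroup {
	allowChar := func(major, minor int64) specs.LinuxDeviceCgroup {
		return specs.LinuxDeviceCgroup{
			Allow:  true,
			Type:   "c",
			Major:  iPtr(major),
			Minor:  iPtr(minor),
			Access: "rwm",
		}
	}
	return []specs.LinuxDeviceCgroup{
		// Deny-all baseline; everything below is an exception to it.
		{
			Allow:  false,
			Access: "rwm",
		},
		allowChar(1, 5), // /dev/zero
		allowChar(1, 3), // /dev/null
		allowChar(1, 9), // /dev/urandom
		allowChar(1, 8), // /dev/random
		allowChar(5, 0), // /dev/tty
		allowChar(5, 1), // /dev/console
		// /dev/fuse. The catch-all above already denies it; this explicit
		// deny is kept as in the original list — presumably so FUSE stays
		// blocked even when further allow rules are appended. Confirm before
		// removing.
		{
			Allow:  false,
			Type:   "c",
			Major:  iPtr(10),
			Minor:  iPtr(229),
			Access: "rwm",
		},
	}
}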