github.com/afbjorklund/moby@v20.10.5+incompatible/oci/defaults.go

github.com/afbjorklund/moby@v20.10.5+incompatible/oci/defaults.go (about)

     1  package oci // import "github.com/docker/docker/oci"
     2  
     3  import (
     4  	"os"
     5  	"runtime"
     6  
     7  	"github.com/docker/docker/oci/caps"
     8  	specs "github.com/opencontainers/runtime-spec/specs-go"
     9  )
    10  
    11  func iPtr(i int64) *int64        { return &i }
    12  func u32Ptr(i int64) *uint32     { u := uint32(i); return &u }
    13  func fmPtr(i int64) *os.FileMode { fm := os.FileMode(i); return &fm }
    14  
    15  // DefaultSpec returns the default spec used by docker for the current Platform
    16  func DefaultSpec() specs.Spec {
    17  	return DefaultOSSpec(runtime.GOOS)
    18  }
    19  
    20  // DefaultOSSpec returns the spec for a given OS
    21  func DefaultOSSpec(osName string) specs.Spec {
    22  	if osName == "windows" {
    23  		return DefaultWindowsSpec()
    24  	}
    25  	return DefaultLinuxSpec()
    26  }
    27  
    28  // DefaultWindowsSpec create a default spec for running Windows containers
    29  func DefaultWindowsSpec() specs.Spec {
    30  	return specs.Spec{
    31  		Version: specs.Version,
    32  		Windows: &specs.Windows{},
    33  		Process: &specs.Process{},
    34  		Root:    &specs.Root{},
    35  	}
    36  }
    37  
    38  // DefaultLinuxSpec create a default spec for running Linux containers
    39  func DefaultLinuxSpec() specs.Spec {
    40  	s := specs.Spec{
    41  		Version: specs.Version,
    42  		Process: &specs.Process{
    43  			Capabilities: &specs.LinuxCapabilities{
    44  				Bounding:    caps.DefaultCapabilities(),
    45  				Permitted:   caps.DefaultCapabilities(),
    46  				Inheritable: caps.DefaultCapabilities(),
    47  				Effective:   caps.DefaultCapabilities(),
    48  			},
    49  		},
    50  		Root: &specs.Root{},
    51  	}
    52  	s.Mounts = []specs.Mount{
    53  		{
    54  			Destination: "/proc",
    55  			Type:        "proc",
    56  			Source:      "proc",
    57  			Options:     []string{"nosuid", "noexec", "nodev"},
    58  		},
    59  		{
    60  			Destination: "/dev",
    61  			Type:        "tmpfs",
    62  			Source:      "tmpfs",
    63  			Options:     []string{"nosuid", "strictatime", "mode=755", "size=65536k"},
    64  		},
    65  		{
    66  			Destination: "/dev/pts",
    67  			Type:        "devpts",
    68  			Source:      "devpts",
    69  			Options:     []string{"nosuid", "noexec", "newinstance", "ptmxmode=0666", "mode=0620", "gid=5"},
    70  		},
    71  		{
    72  			Destination: "/sys",
    73  			Type:        "sysfs",
    74  			Source:      "sysfs",
    75  			Options:     []string{"nosuid", "noexec", "nodev", "ro"},
    76  		},
    77  		{
    78  			Destination: "/sys/fs/cgroup",
    79  			Type:        "cgroup",
    80  			Source:      "cgroup",
    81  			Options:     []string{"ro", "nosuid", "noexec", "nodev"},
    82  		},
    83  		{
    84  			Destination: "/dev/mqueue",
    85  			Type:        "mqueue",
    86  			Source:      "mqueue",
    87  			Options:     []string{"nosuid", "noexec", "nodev"},
    88  		},
    89  		{
    90  			Destination: "/dev/shm",
    91  			Type:        "tmpfs",
    92  			Source:      "shm",
    93  			Options:     []string{"nosuid", "noexec", "nodev", "mode=1777"},
    94  		},
    95  	}
    96  
    97  	s.Linux = &specs.Linux{
    98  		MaskedPaths: []string{
    99  			"/proc/asound",
   100  			"/proc/acpi",
   101  			"/proc/kcore",
   102  			"/proc/keys",
   103  			"/proc/latency_stats",
   104  			"/proc/timer_list",
   105  			"/proc/timer_stats",
   106  			"/proc/sched_debug",
   107  			"/proc/scsi",
   108  			"/sys/firmware",
   109  		},
   110  		ReadonlyPaths: []string{
   111  			"/proc/bus",
   112  			"/proc/fs",
   113  			"/proc/irq",
   114  			"/proc/sys",
   115  			"/proc/sysrq-trigger",
   116  		},
   117  		Namespaces: []specs.LinuxNamespace{
   118  			{Type: "mount"},
   119  			{Type: "network"},
   120  			{Type: "uts"},
   121  			{Type: "pid"},
   122  			{Type: "ipc"},
   123  		},
   124  		// Devices implicitly contains the following devices:
   125  		// null, zero, full, random, urandom, tty, console, and ptmx.
   126  		// ptmx is a bind mount or symlink of the container's ptmx.
   127  		// See also: https://github.com/opencontainers/runtime-spec/blob/master/config-linux.md#default-devices
   128  		Devices: []specs.LinuxDevice{},
   129  		Resources: &specs.LinuxResources{
   130  			Devices: []specs.LinuxDeviceCgroup{
   131  				{
   132  					Allow:  false,
   133  					Access: "rwm",
   134  				},
   135  				{
   136  					Allow:  true,
   137  					Type:   "c",
   138  					Major:  iPtr(1),
   139  					Minor:  iPtr(5),
   140  					Access: "rwm",
   141  				},
   142  				{
   143  					Allow:  true,
   144  					Type:   "c",
   145  					Major:  iPtr(1),
   146  					Minor:  iPtr(3),
   147  					Access: "rwm",
   148  				},
   149  				{
   150  					Allow:  true,
   151  					Type:   "c",
   152  					Major:  iPtr(1),
   153  					Minor:  iPtr(9),
   154  					Access: "rwm",
   155  				},
   156  				{
   157  					Allow:  true,
   158  					Type:   "c",
   159  					Major:  iPtr(1),
   160  					Minor:  iPtr(8),
   161  					Access: "rwm",
   162  				},
   163  				{
   164  					Allow:  true,
   165  					Type:   "c",
   166  					Major:  iPtr(5),
   167  					Minor:  iPtr(0),
   168  					Access: "rwm",
   169  				},
   170  				{
   171  					Allow:  true,
   172  					Type:   "c",
   173  					Major:  iPtr(5),
   174  					Minor:  iPtr(1),
   175  					Access: "rwm",
   176  				},
   177  				{
   178  					Allow:  false,
   179  					Type:   "c",
   180  					Major:  iPtr(10),
   181  					Minor:  iPtr(229),
   182  					Access: "rwm",
   183  				},
   184  			},
   185  		},
   186  	}
   187  
   188  	// For LCOW support, populate a blank Windows spec
   189  	if runtime.GOOS == "windows" {
   190  		s.Windows = &specs.Windows{}
   191  	}
   192  
   193  	return s
   194  }