package oci // import "github.com/docker/docker/oci"

import (
	"os"
	"runtime"

	"github.com/opencontainers/runtime-spec/specs-go"
)

// iPtr returns a pointer to a copy of i, for the optional *int64 fields of the OCI spec.
func iPtr(i int64) *int64 {
	v := i
	return &v
}

// u32Ptr narrows i to uint32 and returns a pointer to the result.
// The conversion is a plain Go conversion, so values outside the uint32 range wrap silently.
func u32Ptr(i int64) *uint32 {
	v := uint32(i)
	return &v
}

// fmPtr converts i to an os.FileMode and returns a pointer to the result.
func fmPtr(i int64) *os.FileMode {
	v := os.FileMode(i)
	return &v
}

// DefaultCapabilities returns the default set of Linux capabilities granted to a container.
// A fresh slice is returned on every call, so callers may modify it without affecting
// other callers.
func DefaultCapabilities() []string {
	caps := [...]string{
		"CAP_CHOWN",
		"CAP_DAC_OVERRIDE",
		"CAP_FSETID",
		"CAP_FOWNER",
		"CAP_MKNOD",
		"CAP_NET_RAW",
		"CAP_SETGID",
		"CAP_SETUID",
		"CAP_SETFCAP",
		"CAP_SETPCAP",
		"CAP_NET_BIND_SERVICE",
		"CAP_SYS_CHROOT",
		"CAP_KILL",
		"CAP_AUDIT_WRITE",
	}
	return caps[:]
}

// DefaultSpec returns the default spec used by docker for the platform the daemon runs on.
func DefaultSpec() specs.Spec {
	return DefaultOSSpec(runtime.GOOS)
}

// DefaultOSSpec returns the default spec for the given GOOS name.
// Anything other than "windows" is treated as Linux.
func DefaultOSSpec(osName string) specs.Spec {
	switch osName {
	case "windows":
		return DefaultWindowsSpec()
	default:
		return DefaultLinuxSpec()
	}
}

// DefaultWindowsSpec creates a default spec for running Windows containers.
// Only the spec version and empty Windows, Process and Root sections are set.
func DefaultWindowsSpec() specs.Spec {
	var s specs.Spec
	s.Version = specs.Version
	s.Windows = new(specs.Windows)
	s.Process = new(specs.Process)
	s.Root = new(specs.Root)
	return s
}

// DefaultLinuxSpec creates a default spec for running Linux containers: the default
// capability sets, the standard pseudo-filesystem mounts, the kernel paths that are
// masked or made read-only inside the container, the namespaces that are unshared,
// and a deny-by-default device cgroup with a small allow-list.
func DefaultLinuxSpec() specs.Spec {
	// Each capability set gets its own slice so the sets can later be edited
	// independently (for example when the caller drops or adds capabilities).
	// NOTE(review): the Inheritable set is populated with the full default list; it
	// only becomes effective through files that carry inheritable file capabilities
	// (see capabilities(7)), so confirm a non-empty set is what is intended here.
	caps := &specs.LinuxCapabilities{
		Bounding:    DefaultCapabilities(),
		Permitted:   DefaultCapabilities(),
		Inheritable: DefaultCapabilities(),
		Effective:   DefaultCapabilities(),
	}

	// mount builds one entry of the default mount table; opts is passed through as the
	// mount's option list.
	mount := func(dst, fsType, src string, opts ...string) specs.Mount {
		return specs.Mount{
			Destination: dst,
			Type:        fsType,
			Source:      src,
			Options:     opts,
		}
	}

	// allowChar builds an allow rule for a single character device, identified by
	// major:minor, with read, write and mknod access.
	allowChar := func(major, minor int64) specs.LinuxDeviceCgroup {
		return specs.LinuxDeviceCgroup{
			Allow:  true,
			Type:   "c",
			Major:  iPtr(major),
			Minor:  iPtr(minor),
			Access: "rwm",
		}
	}

	s := specs.Spec{
		Version: specs.Version,
		Process: &specs.Process{Capabilities: caps},
		Root:    &specs.Root{},
	}

	// The pseudo-filesystems are mounted nosuid/noexec/nodev where possible so that
	// nothing under them can be used to gain privileges or execute code; /sys and the
	// cgroup tree are additionally read-only.
	s.Mounts = []specs.Mount{
		mount("/proc", "proc", "proc", "nosuid", "noexec", "nodev"),
		mount("/dev", "tmpfs", "tmpfs", "nosuid", "strictatime", "mode=755", "size=65536k"),
		mount("/dev/pts", "devpts", "devpts", "nosuid", "noexec", "newinstance", "ptmxmode=0666", "mode=0620", "gid=5"),
		mount("/sys", "sysfs", "sysfs", "nosuid", "noexec", "nodev", "ro"),
		mount("/sys/fs/cgroup", "cgroup", "cgroup", "ro", "nosuid", "noexec", "nodev"),
		mount("/dev/mqueue", "mqueue", "mqueue", "nosuid", "noexec", "nodev"),
		mount("/dev/shm", "tmpfs", "shm", "nosuid", "noexec", "nodev", "mode=1777"),
	}

	s.Linux = &specs.Linux{
		// Kernel-introspection paths hidden from the container entirely.
		MaskedPaths: []string{
			"/proc/asound",
			"/proc/acpi",
			"/proc/kcore",
			"/proc/keys",
			"/proc/latency_stats",
			"/proc/timer_list",
			"/proc/timer_stats",
			"/proc/sched_debug",
			"/proc/scsi",
			"/sys/firmware",
		},
		// Paths left visible but read-only, so a container cannot write sysctls
		// through /proc/sys or poke /proc/sysrq-trigger.
		ReadonlyPaths: []string{
			"/proc/bus",
			"/proc/fs",
			"/proc/irq",
			"/proc/sys",
			"/proc/sysrq-trigger",
		},
		// Namespaces unshared by default; note that "user" is not among them.
		Namespaces: []specs.LinuxNamespace{
			{Type: "mount"},
			{Type: "network"},
			{Type: "uts"},
			{Type: "pid"},
			{Type: "ipc"},
		},
		// Devices implicitly contains the following devices:
		// null, zero, full, random, urandom, tty, console, and ptmx.
		// ptmx is a bind mount or symlink of the container's ptmx.
		// See also: https://github.com/opencontainers/runtime-spec/blob/master/config-linux.md#default-devices
		Devices: []specs.LinuxDevice{},
		Resources: &specs.LinuxResources{
			// Device cgroup: the first rule denies everything, the following rules
			// allow-list individual character devices. Numbers follow the kernel's
			// device registry (Documentation/admin-guide/devices.txt): 1:5 zero,
			// 1:3 null, 1:9 urandom, 1:8 random, 5:0 tty, 5:1 console. The final
			// rule explicitly denies 10:229, the fuse device.
			Devices: []specs.LinuxDeviceCgroup{
				{
					Allow:  false,
					Access: "rwm",
				},
				allowChar(1, 5),
				allowChar(1, 3),
				allowChar(1, 9),
				allowChar(1, 8),
				allowChar(5, 0),
				allowChar(5, 1),
				{
					Allow:  false,
					Type:   "c",
					Major:  iPtr(10),
					Minor:  iPtr(229),
					Access: "rwm",
				},
			},
		},
	}

	// For LCOW support, populate a blank Windows spec.
	if runtime.GOOS == "windows" {
		s.Windows = &specs.Windows{}
	}

	return s
}