github.com/docker/engine@v22.0.0-20211208180946-d456264580cf+incompatible/oci/defaults.go

github.com/docker/engine@v22.0.0-20211208180946-d456264580cf+incompatible/oci/defaults.go (about)

     1  package oci // import "github.com/docker/docker/oci"
     2  
     3  import (
     4  	"os"
     5  	"runtime"
     6  
     7  	"github.com/docker/docker/oci/caps"
     8  	specs "github.com/opencontainers/runtime-spec/specs-go"
     9  )
    10  
    11  func iPtr(i int64) *int64        { return &i }
    12  func u32Ptr(i int64) *uint32     { u := uint32(i); return &u }
    13  func fmPtr(i int64) *os.FileMode { fm := os.FileMode(i); return &fm }
    14  
    15  // DefaultSpec returns the default spec used by docker for the current Platform
    16  func DefaultSpec() specs.Spec {
    17  	if runtime.GOOS == "windows" {
    18  		return DefaultWindowsSpec()
    19  	}
    20  	return DefaultLinuxSpec()
    21  }
    22  
    23  // DefaultWindowsSpec create a default spec for running Windows containers
    24  func DefaultWindowsSpec() specs.Spec {
    25  	return specs.Spec{
    26  		Version: specs.Version,
    27  		Windows: &specs.Windows{},
    28  		Process: &specs.Process{},
    29  		Root:    &specs.Root{},
    30  	}
    31  }
    32  
    33  // DefaultLinuxSpec create a default spec for running Linux containers
    34  func DefaultLinuxSpec() specs.Spec {
    35  	return specs.Spec{
    36  		Version: specs.Version,
    37  		Process: &specs.Process{
    38  			Capabilities: &specs.LinuxCapabilities{
    39  				Bounding:    caps.DefaultCapabilities(),
    40  				Permitted:   caps.DefaultCapabilities(),
    41  				Inheritable: caps.DefaultCapabilities(),
    42  				Effective:   caps.DefaultCapabilities(),
    43  			},
    44  		},
    45  		Root: &specs.Root{},
    46  		Mounts: []specs.Mount{
    47  			{
    48  				Destination: "/proc",
    49  				Type:        "proc",
    50  				Source:      "proc",
    51  				Options:     []string{"nosuid", "noexec", "nodev"},
    52  			},
    53  			{
    54  				Destination: "/dev",
    55  				Type:        "tmpfs",
    56  				Source:      "tmpfs",
    57  				Options:     []string{"nosuid", "strictatime", "mode=755", "size=65536k"},
    58  			},
    59  			{
    60  				Destination: "/dev/pts",
    61  				Type:        "devpts",
    62  				Source:      "devpts",
    63  				Options:     []string{"nosuid", "noexec", "newinstance", "ptmxmode=0666", "mode=0620", "gid=5"},
    64  			},
    65  			{
    66  				Destination: "/sys",
    67  				Type:        "sysfs",
    68  				Source:      "sysfs",
    69  				Options:     []string{"nosuid", "noexec", "nodev", "ro"},
    70  			},
    71  			{
    72  				Destination: "/sys/fs/cgroup",
    73  				Type:        "cgroup",
    74  				Source:      "cgroup",
    75  				Options:     []string{"ro", "nosuid", "noexec", "nodev"},
    76  			},
    77  			{
    78  				Destination: "/dev/mqueue",
    79  				Type:        "mqueue",
    80  				Source:      "mqueue",
    81  				Options:     []string{"nosuid", "noexec", "nodev"},
    82  			},
    83  			{
    84  				Destination: "/dev/shm",
    85  				Type:        "tmpfs",
    86  				Source:      "shm",
    87  				Options:     []string{"nosuid", "noexec", "nodev", "mode=1777"},
    88  			},
    89  		},
    90  		Linux: &specs.Linux{
    91  			MaskedPaths: []string{
    92  				"/proc/asound",
    93  				"/proc/acpi",
    94  				"/proc/kcore",
    95  				"/proc/keys",
    96  				"/proc/latency_stats",
    97  				"/proc/timer_list",
    98  				"/proc/timer_stats",
    99  				"/proc/sched_debug",
   100  				"/proc/scsi",
   101  				"/sys/firmware",
   102  			},
   103  			ReadonlyPaths: []string{
   104  				"/proc/bus",
   105  				"/proc/fs",
   106  				"/proc/irq",
   107  				"/proc/sys",
   108  				"/proc/sysrq-trigger",
   109  			},
   110  			Namespaces: []specs.LinuxNamespace{
   111  				{Type: "mount"},
   112  				{Type: "network"},
   113  				{Type: "uts"},
   114  				{Type: "pid"},
   115  				{Type: "ipc"},
   116  			},
   117  			// Devices implicitly contains the following devices:
   118  			// null, zero, full, random, urandom, tty, console, and ptmx.
   119  			// ptmx is a bind mount or symlink of the container's ptmx.
   120  			// See also: https://github.com/opencontainers/runtime-spec/blob/master/config-linux.md#default-devices
   121  			Devices: []specs.LinuxDevice{},
   122  			Resources: &specs.LinuxResources{
   123  				Devices: []specs.LinuxDeviceCgroup{
   124  					{
   125  						Allow:  false,
   126  						Access: "rwm",
   127  					},
   128  					{
   129  						Allow:  true,
   130  						Type:   "c",
   131  						Major:  iPtr(1),
   132  						Minor:  iPtr(5),
   133  						Access: "rwm",
   134  					},
   135  					{
   136  						Allow:  true,
   137  						Type:   "c",
   138  						Major:  iPtr(1),
   139  						Minor:  iPtr(3),
   140  						Access: "rwm",
   141  					},
   142  					{
   143  						Allow:  true,
   144  						Type:   "c",
   145  						Major:  iPtr(1),
   146  						Minor:  iPtr(9),
   147  						Access: "rwm",
   148  					},
   149  					{
   150  						Allow:  true,
   151  						Type:   "c",
   152  						Major:  iPtr(1),
   153  						Minor:  iPtr(8),
   154  						Access: "rwm",
   155  					},
   156  					{
   157  						Allow:  true,
   158  						Type:   "c",
   159  						Major:  iPtr(5),
   160  						Minor:  iPtr(0),
   161  						Access: "rwm",
   162  					},
   163  					{
   164  						Allow:  true,
   165  						Type:   "c",
   166  						Major:  iPtr(5),
   167  						Minor:  iPtr(1),
   168  						Access: "rwm",
   169  					},
   170  					{
   171  						Allow:  false,
   172  						Type:   "c",
   173  						Major:  iPtr(10),
   174  						Minor:  iPtr(229),
   175  						Access: "rwm",
   176  					},
   177  				},
   178  			},
   179  		},
   180  	}
   181  }