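package oci

import (
	"os"
	"runtime"

	"github.com/opencontainers/runtime-spec/specs-go"
)

// iPtr returns a pointer to a copy of i. The runtime-spec device-cgroup
// rules take *int64 for major/minor numbers, so the defaults below need
// addressable constants.
func iPtr(i int64) *int64 { return &i }

// u32Ptr returns a pointer to i narrowed to uint32. The narrowing is
// unchecked, so callers must pass values that fit in 32 bits.
func u32Ptr(i int64) *uint32 { u := uint32(i); return &u }

// fmPtr returns a pointer to i converted to an os.FileMode.
func fmPtr(i int64) *os.FileMode { fm := os.FileMode(i); return &fm }

// defaultCapabilities returns the capability set a container gets when the
// caller does not add or drop any. A fresh slice is built on every call, so
// the bounding/permitted/effective sets in DefaultSpec never alias each other
// and a caller may append to or filter the result in place.
//
// Notably absent: CAP_SYS_ADMIN, CAP_NET_ADMIN, CAP_SYS_PTRACE, CAP_SYS_MODULE
// and the other host-affecting capabilities; those require an explicit
// --cap-add (or privileged mode) from the caller.
func defaultCapabilities() []string {
	return []string{
		"CAP_CHOWN",
		"CAP_DAC_OVERRIDE",
		"CAP_FSETID",
		"CAP_FOWNER",
		"CAP_MKNOD",
		"CAP_NET_RAW",
		"CAP_SETGID",
		"CAP_SETUID",
		"CAP_SETFCAP",
		"CAP_SETPCAP",
		"CAP_NET_BIND_SERVICE",
		"CAP_SYS_CHROOT",
		"CAP_KILL",
		"CAP_AUDIT_WRITE",
	}
}

// DefaultSpec returns default oci spec used by docker.
//
// The returned spec is the Linux security baseline every container starts
// from: the standard pseudo-filesystem mounts with nosuid/noexec/nodev where
// the kernel allows it, a reduced capability set, masked and read-only
// /proc and /sys entries that would otherwise expose or let the container
// alter host state, a fresh mount/network/uts/pid/ipc namespace set, and a
// deny-by-default device cgroup. Callers layer user options (extra caps,
// devices, a user namespace, seccomp, ...) on top of this value.
func DefaultSpec() specs.Spec {
	s := specs.Spec{
		Version: specs.Version,
		Platform: specs.Platform{
			OS:   runtime.GOOS,
			Arch: runtime.GOARCH,
		},
	}
	s.Mounts = []specs.Mount{
		{
			Destination: "/proc",
			Type:        "proc",
			Source:      "proc",
			Options:     []string{"nosuid", "noexec", "nodev"},
		},
		{
			// /dev is a private tmpfs; the device nodes themselves are
			// created by the runtime (see the Devices comment below).
			// Note that it is intentionally not noexec.
			Destination: "/dev",
			Type:        "tmpfs",
			Source:      "tmpfs",
			Options:     []string{"nosuid", "strictatime", "mode=755"},
		},
		{
			// newinstance gives the container its own pty namespace so it
			// cannot see or open the host's ptys. gid=5 is the conventional
			// "tty" group on most distributions.
			Destination: "/dev/pts",
			Type:        "devpts",
			Source:      "devpts",
			Options:     []string{"nosuid", "noexec", "newinstance", "ptmxmode=0666", "mode=0620", "gid=5"},
		},
		{
			// Read-only: writable sysfs would let the container change
			// host kernel/device settings.
			Destination: "/sys",
			Type:        "sysfs",
			Source:      "sysfs",
			Options:     []string{"nosuid", "noexec", "nodev", "ro"},
		},
		{
			// Read-only so the container cannot rewrite its own (or any
			// other) cgroup limits.
			Destination: "/sys/fs/cgroup",
			Type:        "cgroup",
			Source:      "cgroup",
			Options:     []string{"ro", "nosuid", "noexec", "nodev"},
		},
		{
			Destination: "/dev/mqueue",
			Type:        "mqueue",
			Source:      "mqueue",
			Options:     []string{"nosuid", "noexec", "nodev"},
		},
	}
	s.Process.Capabilities = &specs.LinuxCapabilities{
		Bounding:  defaultCapabilities(),
		Permitted: defaultCapabilities(),
		// Inheritable is deliberately left empty. On execve the new
		// permitted set gains (file inheritable AND process inheritable),
		// so a non-empty inheritable set would let an unprivileged process
		// inside the container pick up any of these capabilities simply by
		// executing a binary that carries matching inheritable file
		// capabilities (setcap ...+i). Later upstream Docker releases clear
		// this set for the same reason. Ambient capabilities are likewise
		// not set (they must be a subset of inheritable anyway).
		Inheritable: nil,
		Effective:   defaultCapabilities(),
	}

	s.Linux = &specs.Linux{
		// Paths the runtime hides entirely (typically by bind-mounting
		// /dev/null, or an empty read-only tmpfs, over them). They leak
		// host kernel memory/timing/scheduling details or, for
		// /sys/firmware, host firmware tables.
		// NOTE(review): /proc/keys (kernel keyrings are not namespaced
		// here) and /proc/scsi (host SCSI control) are worth considering
		// for this list as well; confirm against the runtime in use.
		MaskedPaths: []string{
			"/proc/kcore",
			"/proc/latency_stats",
			"/proc/timer_list",
			"/proc/timer_stats",
			"/proc/sched_debug",
			"/sys/firmware",
		},
		// Paths that stay visible but are remounted read-only. /proc/sys
		// blocks sysctl writes from inside the container and
		// /proc/sysrq-trigger blocks triggering host sysrq actions; the
		// rest expose host bus/irq/fs state that must not be altered.
		ReadonlyPaths: []string{
			"/proc/asound",
			"/proc/bus",
			"/proc/fs",
			"/proc/irq",
			"/proc/sys",
			"/proc/sysrq-trigger",
		},
		// Every container gets its own mount, network, uts, pid and ipc
		// namespace. A user namespace is NOT in this list: unless the
		// caller adds one, container uid 0 is host uid 0 (constrained only
		// by the capability set, masked paths and device rules above).
		Namespaces: []specs.LinuxNamespace{
			{Type: "mount"},
			{Type: "network"},
			{Type: "uts"},
			{Type: "pid"},
			{Type: "ipc"},
		},
		// Devices implicitly contains the following devices:
		// null, zero, full, random, urandom, tty, console, and ptmx.
		// ptmx is a bind-mount or symlink of the container's ptmx.
		// See also: https://github.com/opencontainers/runtime-spec/blob/master/config-linux.md#default-devices
		Devices: []specs.LinuxDevice{},
		Resources: &specs.LinuxResources{
			// Device cgroup: first rule denies everything, then the
			// handful of pseudo-devices every container needs are allowed
			// by (major, minor). CAP_MKNOD is in the default set, so a
			// node for anything else can still be created but not opened.
			Devices: []specs.LinuxDeviceCgroup{
				{
					// Deny-by-default for all device types and accesses.
					Allow:  false,
					Access: "rwm",
				},
				{
					// /dev/zero
					Allow:  true,
					Type:   "c",
					Major:  iPtr(1),
					Minor:  iPtr(5),
					Access: "rwm",
				},
				{
					// /dev/null
					Allow:  true,
					Type:   "c",
					Major:  iPtr(1),
					Minor:  iPtr(3),
					Access: "rwm",
				},
				{
					// /dev/urandom
					Allow:  true,
					Type:   "c",
					Major:  iPtr(1),
					Minor:  iPtr(9),
					Access: "rwm",
				},
				{
					// /dev/random
					Allow:  true,
					Type:   "c",
					Major:  iPtr(1),
					Minor:  iPtr(8),
					Access: "rwm",
				},
				{
					// /dev/tty
					Allow:  true,
					Type:   "c",
					Major:  iPtr(5),
					Minor:  iPtr(0),
					Access: "rwm",
				},
				{
					// /dev/console
					Allow:  true,
					Type:   "c",
					Major:  iPtr(5),
					Minor:  iPtr(1),
					Access: "rwm",
				},
				{
					// /dev/fuse: explicit deny. Redundant with the
					// deny-all rule above, but kept so that FUSE stays
					// blocked even if broader allow rules are appended
					// later.
					Allow:  false,
					Type:   "c",
					Major:  iPtr(10),
					Minor:  iPtr(229),
					Access: "rwm",
				},
			},
		},
	}

	return s
}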