github.com/kaisenlinux/docker.io@v0.0.0-20230510090727-ea55db55fac7/engine/oci/defaults.go

github.com/kaisenlinux/docker.io@v0.0.0-20230510090727-ea55db55fac7/engine/oci/defaults.go (about)

     1  package oci // import "github.com/docker/docker/oci"
     2  
     3  import (
     4  	"os"
     5  	"runtime"
     6  
     7  	"github.com/docker/docker/oci/caps"
     8  	specs "github.com/opencontainers/runtime-spec/specs-go"
     9  )
    10  
    11  func iPtr(i int64) *int64        { return &i }
    12  func u32Ptr(i int64) *uint32     { u := uint32(i); return &u }
    13  func fmPtr(i int64) *os.FileMode { fm := os.FileMode(i); return &fm }
    14  
    15  // DefaultSpec returns the default spec used by docker for the current Platform
    16  func DefaultSpec() specs.Spec {
    17  	return DefaultOSSpec(runtime.GOOS)
    18  }
    19  
    20  // DefaultOSSpec returns the spec for a given OS
    21  func DefaultOSSpec(osName string) specs.Spec {
    22  	if osName == "windows" {
    23  		return DefaultWindowsSpec()
    24  	}
    25  	return DefaultLinuxSpec()
    26  }
    27  
    28  // DefaultWindowsSpec create a default spec for running Windows containers
    29  func DefaultWindowsSpec() specs.Spec {
    30  	return specs.Spec{
    31  		Version: specs.Version,
    32  		Windows: &specs.Windows{},
    33  		Process: &specs.Process{},
    34  		Root:    &specs.Root{},
    35  	}
    36  }
    37  
    38  // DefaultLinuxSpec create a default spec for running Linux containers
    39  func DefaultLinuxSpec() specs.Spec {
    40  	s := specs.Spec{
    41  		Version: specs.Version,
    42  		Process: &specs.Process{
    43  			Capabilities: &specs.LinuxCapabilities{
    44  				Bounding:  caps.DefaultCapabilities(),
    45  				Permitted: caps.DefaultCapabilities(),
    46  				Effective: caps.DefaultCapabilities(),
    47  			},
    48  		},
    49  		Root: &specs.Root{},
    50  	}
    51  	s.Mounts = []specs.Mount{
    52  		{
    53  			Destination: "/proc",
    54  			Type:        "proc",
    55  			Source:      "proc",
    56  			Options:     []string{"nosuid", "noexec", "nodev"},
    57  		},
    58  		{
    59  			Destination: "/dev",
    60  			Type:        "tmpfs",
    61  			Source:      "tmpfs",
    62  			Options:     []string{"nosuid", "strictatime", "mode=755", "size=65536k"},
    63  		},
    64  		{
    65  			Destination: "/dev/pts",
    66  			Type:        "devpts",
    67  			Source:      "devpts",
    68  			Options:     []string{"nosuid", "noexec", "newinstance", "ptmxmode=0666", "mode=0620", "gid=5"},
    69  		},
    70  		{
    71  			Destination: "/sys",
    72  			Type:        "sysfs",
    73  			Source:      "sysfs",
    74  			Options:     []string{"nosuid", "noexec", "nodev", "ro"},
    75  		},
    76  		{
    77  			Destination: "/sys/fs/cgroup",
    78  			Type:        "cgroup",
    79  			Source:      "cgroup",
    80  			Options:     []string{"ro", "nosuid", "noexec", "nodev"},
    81  		},
    82  		{
    83  			Destination: "/dev/mqueue",
    84  			Type:        "mqueue",
    85  			Source:      "mqueue",
    86  			Options:     []string{"nosuid", "noexec", "nodev"},
    87  		},
    88  		{
    89  			Destination: "/dev/shm",
    90  			Type:        "tmpfs",
    91  			Source:      "shm",
    92  			Options:     []string{"nosuid", "noexec", "nodev", "mode=1777"},
    93  		},
    94  	}
    95  
    96  	s.Linux = &specs.Linux{
    97  		MaskedPaths: []string{
    98  			"/proc/asound",
    99  			"/proc/acpi",
   100  			"/proc/kcore",
   101  			"/proc/keys",
   102  			"/proc/latency_stats",
   103  			"/proc/timer_list",
   104  			"/proc/timer_stats",
   105  			"/proc/sched_debug",
   106  			"/proc/scsi",
   107  			"/sys/firmware",
   108  		},
   109  		ReadonlyPaths: []string{
   110  			"/proc/bus",
   111  			"/proc/fs",
   112  			"/proc/irq",
   113  			"/proc/sys",
   114  			"/proc/sysrq-trigger",
   115  		},
   116  		Namespaces: []specs.LinuxNamespace{
   117  			{Type: "mount"},
   118  			{Type: "network"},
   119  			{Type: "uts"},
   120  			{Type: "pid"},
   121  			{Type: "ipc"},
   122  		},
   123  		// Devices implicitly contains the following devices:
   124  		// null, zero, full, random, urandom, tty, console, and ptmx.
   125  		// ptmx is a bind mount or symlink of the container's ptmx.
   126  		// See also: https://github.com/opencontainers/runtime-spec/blob/master/config-linux.md#default-devices
   127  		Devices: []specs.LinuxDevice{},
   128  		Resources: &specs.LinuxResources{
   129  			Devices: []specs.LinuxDeviceCgroup{
   130  				{
   131  					Allow:  false,
   132  					Access: "rwm",
   133  				},
   134  				{
   135  					Allow:  true,
   136  					Type:   "c",
   137  					Major:  iPtr(1),
   138  					Minor:  iPtr(5),
   139  					Access: "rwm",
   140  				},
   141  				{
   142  					Allow:  true,
   143  					Type:   "c",
   144  					Major:  iPtr(1),
   145  					Minor:  iPtr(3),
   146  					Access: "rwm",
   147  				},
   148  				{
   149  					Allow:  true,
   150  					Type:   "c",
   151  					Major:  iPtr(1),
   152  					Minor:  iPtr(9),
   153  					Access: "rwm",
   154  				},
   155  				{
   156  					Allow:  true,
   157  					Type:   "c",
   158  					Major:  iPtr(1),
   159  					Minor:  iPtr(8),
   160  					Access: "rwm",
   161  				},
   162  				{
   163  					Allow:  true,
   164  					Type:   "c",
   165  					Major:  iPtr(5),
   166  					Minor:  iPtr(0),
   167  					Access: "rwm",
   168  				},
   169  				{
   170  					Allow:  true,
   171  					Type:   "c",
   172  					Major:  iPtr(5),
   173  					Minor:  iPtr(1),
   174  					Access: "rwm",
   175  				},
   176  				{
   177  					Allow:  false,
   178  					Type:   "c",
   179  					Major:  iPtr(10),
   180  					Minor:  iPtr(229),
   181  					Access: "rwm",
   182  				},
   183  			},
   184  		},
   185  	}
   186  
   187  	// For LCOW support, populate a blank Windows spec
   188  	if runtime.GOOS == "windows" {
   189  		s.Windows = &specs.Windows{}
   190  	}
   191  
   192  	return s
   193  }