package oci // import "github.com/docker/docker/oci"

import (
	"runtime"

	"github.com/docker/docker/oci/caps"
	specs "github.com/opencontainers/runtime-spec/specs-go"
)

// iPtr returns a pointer to a private copy of i. The runtime-spec types use
// *int64 for optional numeric fields (e.g. LinuxDeviceCgroup.Major/Minor), so
// every rule built below gets its own pointer instead of sharing one.
func iPtr(i int64) *int64 {
	p := new(int64)
	*p = i
	return p
}

// defaultUnixPathEnv is the PATH handed to non-Windows containers that do not
// set their own. It holds absolute system directories only: no "." and no
// relative entries, which would make executable lookup depend on the cwd.
const defaultUnixPathEnv = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

// DefaultPathEnv is unix style list of directories to search for
// executables. Each directory is separated from the next by a colon
// ':' character.
// For Windows containers, an empty string is returned as the default
// path will be set by the container, and Docker has no context of what the
// default path should be.
//
// os is the container's target OS (e.g. "linux", "windows"), not necessarily
// runtime.GOOS. Only "windows" is special-cased; any other value, including
// the empty string, gets the unix default.
//
// TODO(thaJeztah) align Windows default with BuildKit; see https://github.com/moby/buildkit/pull/1747
// TODO(thaJeztah) use defaults from containerd (but align it with BuildKit; see https://github.com/moby/buildkit/pull/1747)
func DefaultPathEnv(os string) string {
	switch os {
	case "windows":
		return ""
	default:
		return defaultUnixPathEnv
	}
}

// DefaultSpec returns the default spec used by docker for the current Platform.
// The platform is decided by runtime.GOOS (the daemon's own OS): "windows"
// gets the minimal Windows spec, every other OS gets the hardened Linux one.
func DefaultSpec() specs.Spec {
	if runtime.GOOS != "windows" {
		return DefaultLinuxSpec()
	}
	return DefaultWindowsSpec()
}

// DefaultWindowsSpec create a default spec for running Windows containers.
// It is intentionally minimal: the spec version plus empty Windows, Process
// and Root sections. None of the Linux hardening below (mounts, masked paths,
// capabilities, device cgroup) applies here; the caller and the Windows
// runtime supply everything else.
func DefaultWindowsSpec() specs.Spec {
	var s specs.Spec
	s.Version = specs.Version
	s.Process = &specs.Process{}
	s.Root = &specs.Root{}
	s.Windows = &specs.Windows{}
	return s
}

// DefaultLinuxSpec create a default spec for running Linux containers.
//
// This is the security baseline every Linux container starts from: the
// default capability set, hardened pseudo-filesystem mounts, masked and
// read-only kernel paths, a private mount/net/uts/pid/ipc namespace set and
// a deny-by-default device cgroup. Per-container settings (privileged mode,
// user or cgroup namespaces, extra devices, seccomp/AppArmor profiles) are
// not set here; the daemon presumably layers them on top of this value —
// confirm against the daemon's spec builder before relying on that.
//
// Every call builds a fresh Spec; the slices and pointers it contains are not
// shared between calls (apart from whatever caps.DefaultCapabilities returns),
// so callers may mutate the result.
func DefaultLinuxSpec() specs.Spec {
	return specs.Spec{
		Version: specs.Version,
		Process: &specs.Process{
			Capabilities: &specs.LinuxCapabilities{
				// Bounding, Permitted and Effective all receive the default
				// set. caps.DefaultCapabilities is called once per field on
				// purpose so the three fields do not alias one backing array
				// (assuming it allocates per call — verify in oci/caps).
				//
				// Inheritable and Ambient are deliberately left unset: a
				// non-empty Inheritable set would let a non-root process pick
				// capabilities back up across execve of a binary carrying
				// matching file capabilities (cf. CVE-2022-24769). Keep them
				// empty.
				Bounding:  caps.DefaultCapabilities(),
				Permitted: caps.DefaultCapabilities(),
				Effective: caps.DefaultCapabilities(),
			},
		},
		Root:   &specs.Root{},
		Mounts: defaultLinuxMounts(),
		Linux: &specs.Linux{
			MaskedPaths:   defaultMaskedPaths(),
			ReadonlyPaths: defaultReadonlyPaths(),
			Namespaces:    defaultLinuxNamespaces(),
			// Devices implicitly contains the following devices:
			// null, zero, full, random, urandom, tty, console, and ptmx.
			// ptmx is a bind mount or symlink of the container's ptmx.
			// See also: https://github.com/opencontainers/runtime-spec/blob/master/config-linux.md#default-devices
			//
			// An empty (non-nil) slice is used rather than nil so the field
			// keeps serialising as [] and the spec shape is unchanged.
			Devices: []specs.LinuxDevice{},
			Resources: &specs.LinuxResources{
				Devices: defaultDeviceCgroupRules(),
			},
		},
	}
}

// defaultLinuxMounts returns the pseudo-filesystems mounted into every Linux
// container, in mount order. All of them carry nosuid; all but /dev itself
// carry noexec; /sys and /sys/fs/cgroup are read-only. A fresh slice is
// returned on each call.
func defaultLinuxMounts() []specs.Mount {
	return []specs.Mount{
		{
			// Container-private procfs. nosuid/noexec/nodev: nothing under
			// /proc can act as a setuid binary, be executed, or be a device.
			Destination: "/proc",
			Type:        "proc",
			Source:      "proc",
			Options:     []string{"nosuid", "noexec", "nodev"},
		},
		{
			// Small tmpfs for /dev; the runtime populates the device nodes
			// listed in the spec's default-devices section. nodev must stay
			// absent (device nodes live here). noexec is absent as well, so
			// /dev is executable — NOTE(review): confirm that is intended
			// before tightening it, some tooling relies on it.
			Destination: "/dev",
			Type:        "tmpfs",
			Source:      "tmpfs",
			Options:     []string{"nosuid", "strictatime", "mode=755", "size=65536k"},
		},
		{
			// newinstance: a private pty instance instead of the host's.
			// ptmxmode=0666 lets any container user allocate a pty;
			// mode=0620 with gid=5 (conventionally the tty group) restricts
			// each pty to owner rw / group w.
			Destination: "/dev/pts",
			Type:        "devpts",
			Source:      "devpts",
			Options:     []string{"nosuid", "noexec", "newinstance", "ptmxmode=0666", "mode=0620", "gid=5"},
		},
		{
			// sysfs exposes host hardware/kernel knobs; mounted read-only
			// (plus the usual nosuid/noexec/nodev) so a container can
			// look but not tune. Individual sensitive subtrees are hidden
			// further by the masked paths.
			Destination: "/sys",
			Type:        "sysfs",
			Source:      "sysfs",
			Options:     []string{"nosuid", "noexec", "nodev", "ro"},
		},
		{
			// Read-only cgroup view: the container must not be able to
			// reconfigure its own (or a sibling's) resource limits.
			Destination: "/sys/fs/cgroup",
			Type:        "cgroup",
			Source:      "cgroup",
			Options:     []string{"ro", "nosuid", "noexec", "nodev"},
		},
		{
			// POSIX message queues for the container's IPC namespace.
			Destination: "/dev/mqueue",
			Type:        "mqueue",
			Source:      "mqueue",
			Options:     []string{"nosuid", "noexec", "nodev"},
		},
		{
			// mode=1777: world-writable with the sticky bit, like /tmp.
			// noexec so it cannot be used to stage and run binaries.
			Destination: "/dev/shm",
			Type:        "tmpfs",
			Source:      "shm",
			Options:     []string{"nosuid", "noexec", "nodev", "mode=1777"},
		},
	}
}

// defaultMaskedPaths returns the /proc and /sys entries made unreadable in
// every container. Each leaks host or kernel state a container has no
// business seeing: kernel memory (/proc/kcore), the kernel keyring list
// (/proc/keys), scheduler and timer internals, host hardware (acpi, asound,
// scsi, firmware) and the RAPL energy counters under
// /sys/devices/virtual/powercap, which are a known power side-channel vector.
// A fresh slice is returned on each call.
func defaultMaskedPaths() []string {
	return []string{
		"/proc/asound",
		"/proc/acpi",
		"/proc/kcore",
		"/proc/keys",
		"/proc/latency_stats",
		"/proc/timer_list",
		"/proc/timer_stats",
		"/proc/sched_debug",
		"/proc/scsi",
		"/sys/firmware",
		"/sys/devices/virtual/powercap",
	}
}

// defaultReadonlyPaths returns the /proc entries that stay readable but are
// made read-only in every container. Writes to any of them would change host
// kernel state: sysctls (/proc/sys), the SysRq trigger (/proc/sysrq-trigger,
// which can reboot or crash the host), IRQ affinity (/proc/irq), and the
// bus and filesystem control files. A fresh slice is returned on each call.
func defaultReadonlyPaths() []string {
	return []string{
		"/proc/bus",
		"/proc/fs",
		"/proc/irq",
		"/proc/sys",
		"/proc/sysrq-trigger",
	}
}

// defaultLinuxNamespaces returns the namespaces every container is created
// in: private mount table, network stack, hostname/domain, PID space and
// System V IPC. User and cgroup namespaces are not part of this default;
// presumably they are added per daemon/container configuration elsewhere
// (userns-remap, cgroupns mode) — confirm against the daemon's spec builder.
// A fresh slice is returned on each call.
func defaultLinuxNamespaces() []specs.LinuxNamespace {
	return []specs.LinuxNamespace{
		{Type: specs.MountNamespace},
		{Type: specs.NetworkNamespace},
		{Type: specs.UTSNamespace},
		{Type: specs.PIDNamespace},
		{Type: specs.IPCNamespace},
	}
}

// defaultDeviceCgroupRules returns the device cgroup programme for a
// non-privileged container: deny everything ("rwm" = read, write, mknod),
// then allow a short list of harmless character devices, then explicitly
// deny FUSE. Major/minor numbers follow the kernel's device registry
// (Documentation/admin-guide/devices.txt). Note that 1:7 (/dev/full) is
// listed among the spec's implicit device nodes but is not allowed here —
// presumably the daemon adds further rules; verify before relying on it.
// A fresh slice (with fresh Major/Minor pointers) is returned on each call.
func defaultDeviceCgroupRules() []specs.LinuxDeviceCgroup {
	charDev := func(allow bool, major, minor int64) specs.LinuxDeviceCgroup {
		return specs.LinuxDeviceCgroup{
			Allow:  allow,
			Type:   "c",
			Major:  iPtr(major),
			Minor:  iPtr(minor),
			Access: "rwm",
		}
	}
	return []specs.LinuxDeviceCgroup{
		// Deny-all first; the rules that follow are the only character
		// devices a container may open. How the runtime orders or merges
		// these (cgroup v1 list vs. v2 eBPF) is runc's concern.
		{Allow: false, Access: "rwm"},
		charDev(true, 1, 5),     // /dev/zero
		charDev(true, 1, 3),     // /dev/null
		charDev(true, 1, 9),     // /dev/urandom
		charDev(true, 1, 8),     // /dev/random
		charDev(true, 5, 0),     // /dev/tty
		charDev(true, 5, 1),     // /dev/console
		charDev(false, 10, 229), // /dev/fuse: explicitly denied
	}
}