package oci

import (
	"os"
	"runtime"

	"github.com/opencontainers/specs/specs-go"
)

// sPtr returns a pointer to a copy of s.
func sPtr(s string) *string {
	v := s
	return &v
}

// rPtr returns a pointer to a copy of r.
func rPtr(r rune) *rune {
	v := r
	return &v
}

// iPtr returns a pointer to a copy of i.
func iPtr(i int64) *int64 {
	v := i
	return &v
}

// u32Ptr converts i to uint32 and returns a pointer to the result.
// The conversion truncates silently for values outside the uint32
// range; every caller in this file passes 0.
func u32Ptr(i int64) *uint32 {
	v := uint32(i)
	return &v
}

// fmPtr converts i to an os.FileMode and returns a pointer to the result.
func fmPtr(i int64) *os.FileMode {
	v := os.FileMode(i)
	return &v
}

// DefaultSpec returns default oci spec used by docker.
//
// This is the hardening baseline every container starts from before any
// per-container options are applied: nosuid/noexec/nodev pseudo
// filesystems with /sys and the cgroup tree read-only, a reduced
// capability set, masked and read-only /proc entries, five namespaces
// (no user namespace), and a default-deny device cgroup with a short
// allowlist. Callers that relax any of this should do so deliberately.
func DefaultSpec() specs.Spec {
	// Every mount in the default spec uses the filesystem type as its
	// source, so one constructor covers all of them.
	mount := func(dest, fstype string, opts ...string) specs.Mount {
		return specs.Mount{
			Destination: dest,
			Type:        fstype,
			Source:      fstype,
			Options:     opts,
		}
	}

	// Every default device node is a world-readable/writable (0666)
	// character device owned by root; only the path and numbers differ.
	charDevice := func(path string, major, minor int64) specs.Device {
		return specs.Device{
			Type:     "c",
			Path:     path,
			Major:    major,
			Minor:    minor,
			FileMode: fmPtr(0666),
			UID:      u32Ptr(0),
			GID:      u32Ptr(0),
		}
	}

	// Device-cgroup rule for a single character device with rwm access.
	charRule := func(allow bool, major, minor int64) specs.DeviceCgroup {
		return specs.DeviceCgroup{
			Allow:  allow,
			Type:   sPtr("c"),
			Major:  iPtr(major),
			Minor:  iPtr(minor),
			Access: sPtr("rwm"),
		}
	}

	// /proc, /sys, the cgroup tree and mqueue are nosuid,noexec,nodev;
	// /sys and /sys/fs/cgroup are additionally read-only so the container
	// cannot write host kernel or cgroup state. /dev is a fresh tmpfs
	// (mode 0755) and /dev/pts is a private devpts instance.
	mounts := []specs.Mount{
		mount("/proc", "proc", "nosuid", "noexec", "nodev"),
		mount("/dev", "tmpfs", "nosuid", "strictatime", "mode=755"),
		mount("/dev/pts", "devpts", "nosuid", "noexec", "newinstance", "ptmxmode=0666", "mode=0620", "gid=5"),
		mount("/sys", "sysfs", "nosuid", "noexec", "nodev", "ro"),
		mount("/sys/fs/cgroup", "cgroup", "ro", "nosuid", "noexec", "nodev"),
		mount("/dev/mqueue", "mqueue", "nosuid", "noexec", "nodev"),
	}

	// Default bounding capability set. Note that CAP_NET_RAW (raw and
	// packet sockets) and CAP_DAC_OVERRIDE are included; deployments that
	// do not need them should drop them explicitly.
	caps := []string{
		"CAP_CHOWN",
		"CAP_DAC_OVERRIDE",
		"CAP_FSETID",
		"CAP_FOWNER",
		"CAP_MKNOD",
		"CAP_NET_RAW",
		"CAP_SETGID",
		"CAP_SETUID",
		"CAP_SETFCAP",
		"CAP_SETPCAP",
		"CAP_NET_BIND_SERVICE",
		"CAP_SYS_CHROOT",
		"CAP_KILL",
		"CAP_AUDIT_WRITE",
	}

	// /proc entries hidden from the container entirely (kernel memory
	// image and scheduler/timer statistics).
	masked := []string{
		"/proc/kcore",
		"/proc/latency_stats",
		"/proc/timer_stats",
		"/proc/sched_debug",
	}

	// /proc entries left visible but read-only; /proc/sys blocks sysctl
	// writes and /proc/sysrq-trigger blocks magic-sysrq requests.
	readonly := []string{
		"/proc/asound",
		"/proc/bus",
		"/proc/fs",
		"/proc/irq",
		"/proc/sys",
		"/proc/sysrq-trigger",
	}

	// Mount, network, UTS, PID and IPC namespaces. There is no user
	// namespace here, so UID 0 inside the container is UID 0 on the host
	// unless the caller adds one.
	namespaces := []specs.Namespace{
		{Type: "mount"},
		{Type: "network"},
		{Type: "uts"},
		{Type: "pid"},
		{Type: "ipc"},
	}

	// Device nodes created in the container's /dev. /dev/fuse is created
	// here but denied by the device-cgroup rules below, so the node exists
	// while opening it fails unless a later override allows 10:229.
	devices := []specs.Device{
		charDevice("/dev/zero", 1, 5),
		charDevice("/dev/null", 1, 3),
		charDevice("/dev/urandom", 1, 9),
		charDevice("/dev/random", 1, 8),
		charDevice("/dev/fuse", 10, 229),
	}

	// Device cgroup: deny everything first, then allow the four nodes
	// above plus 5:0 (/dev/tty) and 5:1 (/dev/console), for which no
	// node is listed in devices, and finally deny /dev/fuse explicitly.
	// Rule order is significant and is preserved as-is.
	deviceRules := []specs.DeviceCgroup{
		{Allow: false, Access: sPtr("rwm")},
		charRule(true, 1, 5),
		charRule(true, 1, 3),
		charRule(true, 1, 9),
		charRule(true, 1, 8),
		charRule(true, 5, 0),
		charRule(true, 5, 1),
		charRule(false, 10, 229),
	}

	return specs.Spec{
		Version: specs.Version,
		Platform: specs.Platform{
			OS:   runtime.GOOS,
			Arch: runtime.GOARCH,
		},
		Mounts:  mounts,
		Process: specs.Process{Capabilities: caps},
		Linux: specs.Linux{
			MaskedPaths:   masked,
			ReadonlyPaths: readonly,
			Namespaces:    namespaces,
			Devices:       devices,
			Resources:     &specs.Resources{Devices: deviceRules},
		},
	}
}