
     1  package oci
     2  
     3  import (
     4  	"os"
     5  	"runtime"
     6  
     7  	"github.com/opencontainers/runtime-spec/specs-go"
     8  )
     9  
// iPtr returns a pointer to a freshly allocated copy of i, for populating
// the *int64 fields (device major/minor numbers) of the OCI spec structs.
// Each call yields a distinct pointer, so callers never share storage.
func iPtr(i int64) *int64 {
	p := new(int64)
	*p = i
	return p
}
// u32Ptr narrows i to uint32 and returns a pointer to a freshly allocated
// copy. The narrowing is a plain Go conversion: negative values and values
// above math.MaxUint32 wrap silently rather than erroring, so callers are
// expected to pass in-range values.
func u32Ptr(i int64) *uint32 {
	p := new(uint32)
	*p = uint32(i)
	return p
}
// fmPtr converts i to an os.FileMode and returns a pointer to a freshly
// allocated copy. The conversion is a plain Go conversion of the integer
// bits; no validation of the mode bits is performed.
func fmPtr(i int64) *os.FileMode {
	p := new(os.FileMode)
	*p = os.FileMode(i)
	return p
}
    13  
// defaultCapabilities returns the capability set a container process is
// granted by default. The slice is freshly allocated on every call, so each
// caller (and each of the bounding/permitted/inheritable/effective sets)
// owns its own copy and may modify it without affecting the others.
//
// The list is deliberately narrow: administrative capabilities such as
// CAP_SYS_ADMIN, CAP_NET_ADMIN and CAP_SYS_PTRACE are not part of it.
func defaultCapabilities() []string {
	const count = 14 // number of entries below, used only to pre-size
	caps := make([]string, 0, count)
	caps = append(caps,
		"CAP_CHOWN",
		"CAP_DAC_OVERRIDE",
		"CAP_FSETID",
		"CAP_FOWNER",
		"CAP_MKNOD",
		"CAP_NET_RAW",
		"CAP_SETGID",
		"CAP_SETUID",
		"CAP_SETFCAP",
		"CAP_SETPCAP",
		"CAP_NET_BIND_SERVICE",
		"CAP_SYS_CHROOT",
		"CAP_KILL",
		"CAP_AUDIT_WRITE",
	)
	return caps
}
    32  
// DefaultSpec returns the default spec used by docker for the current Platform.
// The platform is taken from runtime.GOOS at call time; see DefaultOSSpec for
// how the OS name selects between the Windows and Linux defaults.
func DefaultSpec() specs.Spec {
	hostOS := runtime.GOOS
	return DefaultOSSpec(hostOS)
}
    37  
// DefaultOSSpec returns the spec for a given OS.
//
// Only the exact string "windows" selects the Windows spec; any other value,
// including an empty or unrecognised OS name, falls through to the Linux
// spec. Callers that accept an OS name from outside should validate it
// before relying on this fallback.
func DefaultOSSpec(osName string) specs.Spec {
	switch osName {
	case "windows":
		return DefaultWindowsSpec()
	default:
		return DefaultLinuxSpec()
	}
}
    45  
// DefaultWindowsSpec create a default spec for running Windows containers.
//
// The returned spec carries only the spec version and empty, non-nil
// Windows, Process and Root sections; the caller is expected to fill them
// in. Unlike DefaultLinuxSpec it sets no capabilities, mounts or resource
// limits here.
func DefaultWindowsSpec() specs.Spec {
	var s specs.Spec
	s.Version = specs.Version
	s.Windows = &specs.Windows{}
	s.Process = &specs.Process{}
	s.Root = &specs.Root{}
	return s
}
    55  
// DefaultLinuxSpec create a default spec for running Linux containers.
//
// The returned spec is the hardened baseline Docker starts from:
//   - the process gets defaultCapabilities() in all four capability sets,
//     each set holding its own copy of the slice;
//   - /proc, /sys, /sys/fs/cgroup and the /dev pseudo filesystems are
//     mounted with nosuid/noexec/nodev where applicable, /sys and the
//     cgroup tree read-only;
//   - a list of /proc and /sys paths is masked or made read-only;
//   - new mount, network, uts, pid and ipc namespaces are requested;
//   - the device cgroup starts from a catch-all deny entry followed by an
//     explicit allow list.
//
// On a Windows host an empty Windows section is added as well (LCOW).
func DefaultLinuxSpec() specs.Spec {
	// mount builds one mount entry; opts are passed through unchanged and
	// each call site gets its own options slice.
	mount := func(dest, fsType, src string, opts ...string) specs.Mount {
		return specs.Mount{
			Destination: dest,
			Type:        fsType,
			Source:      src,
			Options:     opts,
		}
	}

	// charDev builds a device-cgroup rule for one character device
	// identified by its major:minor pair, with rwm access.
	charDev := func(allow bool, major, minor int64) specs.LinuxDeviceCgroup {
		return specs.LinuxDeviceCgroup{
			Allow:  allow,
			Type:   "c",
			Major:  iPtr(major),
			Minor:  iPtr(minor),
			Access: "rwm",
		}
	}

	// Four independent copies, so adjusting one set later does not
	// silently change the others.
	caps := &specs.LinuxCapabilities{
		Bounding:    defaultCapabilities(),
		Permitted:   defaultCapabilities(),
		Inheritable: defaultCapabilities(),
		Effective:   defaultCapabilities(),
	}

	mounts := []specs.Mount{
		mount("/proc", "proc", "proc", "nosuid", "noexec", "nodev"),
		mount("/dev", "tmpfs", "tmpfs", "nosuid", "strictatime", "mode=755", "size=65536k"),
		mount("/dev/pts", "devpts", "devpts", "nosuid", "noexec", "newinstance", "ptmxmode=0666", "mode=0620", "gid=5"),
		mount("/sys", "sysfs", "sysfs", "nosuid", "noexec", "nodev", "ro"),
		mount("/sys/fs/cgroup", "cgroup", "cgroup", "ro", "nosuid", "noexec", "nodev"),
		mount("/dev/mqueue", "mqueue", "mqueue", "nosuid", "noexec", "nodev"),
		mount("/dev/shm", "tmpfs", "shm", "nosuid", "noexec", "nodev", "mode=1777"),
	}

	linux := &specs.Linux{
		// Kernel interfaces that leak host information or allow host
		// influence are hidden from the container entirely.
		MaskedPaths: []string{
			"/proc/kcore",
			"/proc/latency_stats",
			"/proc/timer_list",
			"/proc/timer_stats",
			"/proc/sched_debug",
			"/proc/scsi",
			"/sys/firmware",
		},
		// These remain visible but cannot be written to from inside.
		ReadonlyPaths: []string{
			"/proc/asound",
			"/proc/bus",
			"/proc/fs",
			"/proc/irq",
			"/proc/sys",
			"/proc/sysrq-trigger",
		},
		// Note: no "user" namespace is requested here.
		Namespaces: []specs.LinuxNamespace{
			{Type: "mount"},
			{Type: "network"},
			{Type: "uts"},
			{Type: "pid"},
			{Type: "ipc"},
		},
		// Devices implicitly contains the following devices:
		// null, zero, full, random, urandom, tty, console, and ptmx.
		// ptmx is a bind mount or symlink of the container's ptmx.
		// See also: https://github.com/opencontainers/runtime-spec/blob/master/config-linux.md#default-devices
		// Kept as an empty, non-nil slice on purpose (serialises as []).
		Devices: []specs.LinuxDevice{},
		Resources: &specs.LinuxResources{
			Devices: []specs.LinuxDeviceCgroup{
				// Catch-all deny: no type or major/minor, so it matches
				// every device. The allow rules below punch holes in it.
				{
					Allow:  false,
					Access: "rwm",
				},
				charDev(true, 1, 5),
				charDev(true, 1, 3),
				charDev(true, 1, 9),
				charDev(true, 1, 8),
				charDev(true, 5, 0),
				charDev(true, 5, 1),
				// Explicit deny for 10:229 (presumably /dev/fuse — confirm
				// against the kernel device list) so it stays blocked even
				// if a broader allow rule is added later.
				charDev(false, 10, 229),
			},
		},
	}

	s := specs.Spec{
		Version: specs.Version,
		Process: &specs.Process{Capabilities: caps},
		Root:    &specs.Root{},
		Mounts:  mounts,
		Linux:   linux,
	}

	// For LCOW support, populate a blank Windows spec
	if runtime.GOOS == "windows" {
		s.Windows = &specs.Windows{}
	}

	return s
}