// Origin: github.com/zhuohuang-hust/src-cbuild@v0.0.0-20230105071821-c7aab3e7c840/mergeCode/runc/libcontainer/integration/template_test.go

package integration

import (
	"syscall"

	"github.com/opencontainers/runc/libcontainer/configs"
)

// standardEnvironment is a baseline set of environment variables (HOME, PATH,
// HOSTNAME, TERM). Its consumers are not visible in this file; presumably it is
// handed to processes started inside the test container.
var standardEnvironment = []string{
	"HOME=/root",
	"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
	"HOSTNAME=integration",
	"TERM=xterm",
}

// defaultMountFlags is the restrictive flag set shared by most mounts below:
// no execution of binaries, no honouring of set-uid/set-gid bits, and no
// interpretation of device nodes on the mounted filesystem.
const defaultMountFlags = syscall.MS_NOEXEC | syscall.MS_NOSUID | syscall.MS_NODEV

// newTemplateConfig returns a base template for running a container rooted at
// rootfs.
//
// Networking is limited to a single loopback interface, and devices use the
// package defaults (configs.DefaultAllowedDevices and
// configs.DefaultAutoCreatedDevices).
//
// Security posture, as far as this literal shows it:
//   - mount, UTS, IPC, PID and network namespaces are requested; no user
//     namespace (configs.NEWUSER) is, so uid 0 in the container is presumably
//     uid 0 on the host;
//   - the capability list omits CAP_SYS_ADMIN but keeps CAP_MKNOD and
//     CAP_NET_RAW, so treat it as a test fixture rather than a hardening
//     baseline;
//   - the device cgroup does not allow all devices and relies on the default
//     allow list.
func newTemplateConfig(rootfs string) *configs.Config {
	// Capabilities granted to the container process.
	caps := []string{
		"CAP_CHOWN",
		"CAP_DAC_OVERRIDE",
		"CAP_FSETID",
		"CAP_FOWNER",
		"CAP_MKNOD",
		"CAP_NET_RAW",
		"CAP_SETGID",
		"CAP_SETUID",
		"CAP_SETFCAP",
		"CAP_SETPCAP",
		"CAP_NET_BIND_SERVICE",
		"CAP_SYS_CHROOT",
		"CAP_KILL",
		"CAP_AUDIT_WRITE",
	}

	// Namespaces the container is created in.
	nsList := []configs.Namespace{
		{Type: configs.NEWNS},
		{Type: configs.NEWUTS},
		{Type: configs.NEWIPC},
		{Type: configs.NEWPID},
		{Type: configs.NEWNET},
	}

	// AllowAllDevices takes a pointer, hence the addressable local.
	allowEveryDevice := false
	cgroup := &configs.Cgroup{
		Path: "integration/test",
		Resources: &configs.Resources{
			MemorySwappiness: nil,
			AllowAllDevices:  &allowEveryDevice,
			AllowedDevices:   configs.DefaultAllowedDevices,
		},
	}

	// Kernel interfaces passed to libcontainer as MaskPaths; by name these are
	// hidden from the container.
	masked := []string{
		"/proc/kcore",
		"/sys/firmware",
	}

	// Kernel control files passed as ReadonlyPaths; by name these are made
	// read-only inside the container.
	readOnly := []string{
		"/proc/sys", "/proc/sysrq-trigger", "/proc/irq", "/proc/bus",
	}

	mounts := []*configs.Mount{
		{
			Source:      "proc",
			Destination: "/proc",
			Device:      "proc",
			Flags:       defaultMountFlags,
		},
		{
			// /dev carries neither MS_NODEV nor MS_NOEXEC here, only
			// MS_NOSUID and MS_STRICTATIME.
			Source:      "tmpfs",
			Destination: "/dev",
			Device:      "tmpfs",
			Flags:       syscall.MS_NOSUID | syscall.MS_STRICTATIME,
			Data:        "mode=755",
		},
		{
			Source:      "devpts",
			Destination: "/dev/pts",
			Device:      "devpts",
			Flags:       syscall.MS_NOSUID | syscall.MS_NOEXEC,
			Data:        "newinstance,ptmxmode=0666,mode=0620,gid=5",
		},
		{
			Source:      "shm",
			Destination: "/dev/shm",
			Device:      "tmpfs",
			Flags:       defaultMountFlags,
			Data:        "mode=1777,size=65536k",
		},
		/*
			CI is broken on the debian based kernels with this
			{
				Source:      "mqueue",
				Destination: "/dev/mqueue",
				Device:      "mqueue",
				Flags:       defaultMountFlags,
			},
		*/
		{
			// sysfs is additionally mounted read-only.
			Source:      "sysfs",
			Destination: "/sys",
			Device:      "sysfs",
			Flags:       defaultMountFlags | syscall.MS_RDONLY,
		},
	}

	// Loopback only. NOTE(review): the "/0" prefix length and the "localhost"
	// gateway are reproduced exactly as the template defines them.
	networks := []*configs.Network{
		{
			Type:    "loopback",
			Address: "127.0.0.1/0",
			Gateway: "localhost",
		},
	}

	// Open-file limit applied to the container; soft and hard are equal.
	const nofileLimit = uint64(1025)
	rlimits := []configs.Rlimit{
		{
			Type: syscall.RLIMIT_NOFILE,
			Hard: nofileLimit,
			Soft: nofileLimit,
		},
	}

	return &configs.Config{
		Rootfs:        rootfs,
		Capabilities:  caps,
		Namespaces:    configs.Namespaces(nsList),
		Cgroups:       cgroup,
		MaskPaths:     masked,
		ReadonlyPaths: readOnly,
		Devices:       configs.DefaultAutoCreatedDevices,
		Hostname:      "integration",
		Mounts:        mounts,
		Networks:      networks,
		Rlimits:       rlimits,
	}
}