package integration
import (
"github.com/opencontainers/runc/libcontainer/configs"
"github.com/opencontainers/runc/libcontainer/specconv"
"golang.org/x/sys/unix"
)
// standardEnvironment is the environment used by the tests in this package
// for processes run inside template containers: a root home directory, a
// conventional sbin/bin PATH, a HOSTNAME matching the hostname set by
// newTemplateConfig, and a terminal type.
var (
	standardEnvironment = []string{
		"HOME=/root",
		"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
		"HOSTNAME=integration",
		"TERM=xterm",
	}
)
// defaultMountFlags are the hardening flags applied to the pseudo-filesystem
// mounts in the template config: the mount may not contain usable device
// nodes, set-uid/set-gid bits are ignored, and nothing on it can be executed.
const defaultMountFlags = unix.MS_NODEV | unix.MS_NOSUID | unix.MS_NOEXEC
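// newTemplateConfig returns a base libcontainer config for running an
// integration-test container whose root filesystem is at rootfs.
//
// The template deliberately keeps the container's privileges low so that a
// test has to opt in to anything more:
//
//   - a reduced capability set (notably without CAP_SYS_ADMIN, CAP_SYS_PTRACE,
//     CAP_NET_ADMIN or CAP_SYS_MODULE), installed identically in the bounding,
//     permitted, inheritable, ambient and effective sets;
//   - fresh mount, UTS, IPC, PID and network namespaces, with only a loopback
//     interface configured, so there is no external connectivity unless a
//     test adds an interface;
//   - /proc and /dev/shm mounted nosuid/nodev/noexec (defaultMountFlags),
//     /dev/pts nosuid/noexec, /sys read-only, and a small set of sensitive
//     procfs/sysfs paths masked or made read-only;
//   - the device allow-list from specconv.AllowedDevices, used both for the
//     device nodes and for the cgroup device rules;
//   - an RLIMIT_NOFILE of 1025 (soft and hard).
//
// Every call builds a new config, and each capability set is an independent
// copy, so a test may mutate the returned config freely. The cgroup device
// rules, however, point at the entries of specconv.AllowedDevices and must be
// copied before being changed.
func newTemplateConfig(rootfs string) *configs.Config {
	// The same capability list goes into all five capability sets. It is
	// kept in one place so the sets cannot drift apart, but each set gets
	// its own backing array so that a test editing one set in place does
	// not silently change the others.
	templateCaps := []string{
		"CAP_CHOWN",
		"CAP_DAC_OVERRIDE",
		"CAP_FSETID",
		"CAP_FOWNER",
		"CAP_MKNOD",
		"CAP_NET_RAW",
		"CAP_SETGID",
		"CAP_SETUID",
		"CAP_SETFCAP",
		"CAP_SETPCAP",
		"CAP_NET_BIND_SERVICE",
		"CAP_SYS_CHROOT",
		"CAP_KILL",
		"CAP_AUDIT_WRITE",
	}
	cloneCaps := func() []string {
		return append([]string(nil), templateCaps...)
	}

	// The cgroup device rules are derived from the same allow-list that
	// provides the device nodes, so what exists in /dev is exactly what the
	// devices controller permits. Indexing the list (rather than ranging by
	// value) takes the address of the rule inside the list entry itself,
	// which is also safe if the list ever holds values instead of pointers;
	// either way the rules alias specconv.AllowedDevices.
	var allowedDevices []*configs.DeviceRule
	for i := range specconv.AllowedDevices {
		allowedDevices = append(allowedDevices, &specconv.AllowedDevices[i].DeviceRule)
	}

	return &configs.Config{
		Rootfs: rootfs,
		Capabilities: &configs.Capabilities{
			Bounding:    cloneCaps(),
			Permitted:   cloneCaps(),
			Inheritable: cloneCaps(),
			Ambient:     cloneCaps(),
			Effective:   cloneCaps(),
		},
		Namespaces: configs.Namespaces([]configs.Namespace{
			{Type: configs.NEWNS},
			{Type: configs.NEWUTS},
			{Type: configs.NEWIPC},
			{Type: configs.NEWPID},
			{Type: configs.NEWNET},
		}),
		Cgroups: &configs.Cgroup{
			Path: "integration/test",
			Resources: &configs.Resources{
				// nil means "do not touch swappiness"; tests that need a
				// specific value set it themselves.
				MemorySwappiness: nil,
				Devices:          allowedDevices,
			},
		},
		// Hide the kernel memory image and firmware tables from the
		// container.
		MaskPaths: []string{
			"/proc/kcore",
			"/sys/firmware",
		},
		// Keep kernel tunables, the sysrq trigger, IRQ and bus information
		// visible but immutable.
		ReadonlyPaths: []string{
			"/proc/sys", "/proc/sysrq-trigger", "/proc/irq", "/proc/bus",
		},
		// NOTE(review): the mask/read-only lists above are intentionally
		// minimal for the test suite and should not be copied as a
		// production hardening baseline.
		Devices:  specconv.AllowedDevices,
		Hostname: "integration",
		Mounts: []*configs.Mount{
			{
				Source:      "proc",
				Destination: "/proc",
				Device:      "proc",
				Flags:       defaultMountFlags,
			},
			{
				// /dev is a private tmpfs. Note that it is mounted nosuid
				// but, unlike the other pseudo-filesystems, not noexec.
				Source:      "tmpfs",
				Destination: "/dev",
				Device:      "tmpfs",
				Flags:       unix.MS_NOSUID | unix.MS_STRICTATIME,
				Data:        "mode=755",
			},
			{
				// newinstance gives the container its own set of ptys;
				// gid=5 is conventionally the tty group.
				Source:      "devpts",
				Destination: "/dev/pts",
				Device:      "devpts",
				Flags:       unix.MS_NOSUID | unix.MS_NOEXEC,
				Data:        "newinstance,ptmxmode=0666,mode=0620,gid=5",
			},
			{
				// World-writable sticky tmpfs, capped at 64 MiB.
				Device:      "tmpfs",
				Source:      "shm",
				Destination: "/dev/shm",
				Data:        "mode=1777,size=65536k",
				Flags:       defaultMountFlags,
			},
			/*
				CI is broken on the debian based kernels with this
				{
					Source:      "mqueue",
					Destination: "/dev/mqueue",
					Device:      "mqueue",
					Flags:       defaultMountFlags,
				},
			*/
			{
				// sysfs is exposed read-only on top of the usual flags.
				Source:      "sysfs",
				Destination: "/sys",
				Device:      "sysfs",
				Flags:       defaultMountFlags | unix.MS_RDONLY,
			},
		},
		// Only a loopback interface is set up inside the new network
		// namespace.
		Networks: []*configs.Network{
			{
				Type:    "loopback",
				Address: "127.0.0.1/0",
				Gateway: "localhost",
			},
		},
		Rlimits: []configs.Rlimit{
			{
				Type: unix.RLIMIT_NOFILE,
				Hard: uint64(1025),
				Soft: uint64(1025),
			},
		},
	}
}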