2016-03-25 23:44:09 +08:00
|
|
|
// +build linux
|
|
|
|
|
2016-03-31 05:48:19 +08:00
|
|
|
// Package specconv implements conversion of specifications to libcontainer
|
2016-03-25 23:44:09 +08:00
|
|
|
// configurations
|
|
|
|
package specconv
|
|
|
|
|
|
|
|
import (
|
|
|
|
"fmt"
|
|
|
|
"os"
|
|
|
|
"path/filepath"
|
|
|
|
"strings"
|
2016-03-30 02:14:59 +08:00
|
|
|
"time"
|
2016-03-25 23:44:09 +08:00
|
|
|
|
|
|
|
"github.com/opencontainers/runc/libcontainer/configs"
|
|
|
|
"github.com/opencontainers/runc/libcontainer/seccomp"
|
|
|
|
libcontainerUtils "github.com/opencontainers/runc/libcontainer/utils"
|
2016-04-13 04:35:51 +08:00
|
|
|
"github.com/opencontainers/runtime-spec/specs-go"
|
2017-05-10 05:38:27 +08:00
|
|
|
|
|
|
|
"golang.org/x/sys/unix"
|
2016-03-25 23:44:09 +08:00
|
|
|
)
|
|
|
|
|
|
|
|
const wildcard = -1
|
|
|
|
|
2016-12-17 13:01:53 +08:00
|
|
|
var namespaceMapping = map[specs.LinuxNamespaceType]configs.NamespaceType{
|
2016-03-25 23:44:09 +08:00
|
|
|
specs.PIDNamespace: configs.NEWPID,
|
|
|
|
specs.NetworkNamespace: configs.NEWNET,
|
|
|
|
specs.MountNamespace: configs.NEWNS,
|
|
|
|
specs.UserNamespace: configs.NEWUSER,
|
|
|
|
specs.IPCNamespace: configs.NEWIPC,
|
|
|
|
specs.UTSNamespace: configs.NEWUTS,
|
2016-04-26 12:04:22 +08:00
|
|
|
specs.CgroupNamespace: configs.NEWCGROUP,
|
2016-03-25 23:44:09 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
var mountPropagationMapping = map[string]int{
|
2017-11-17 16:10:38 +08:00
|
|
|
"rprivate": unix.MS_PRIVATE | unix.MS_REC,
|
|
|
|
"private": unix.MS_PRIVATE,
|
|
|
|
"rslave": unix.MS_SLAVE | unix.MS_REC,
|
|
|
|
"slave": unix.MS_SLAVE,
|
|
|
|
"rshared": unix.MS_SHARED | unix.MS_REC,
|
|
|
|
"shared": unix.MS_SHARED,
|
|
|
|
"runbindable": unix.MS_UNBINDABLE | unix.MS_REC,
|
|
|
|
"unbindable": unix.MS_UNBINDABLE,
|
|
|
|
"": 0,
|
2016-03-25 23:44:09 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
var allowedDevices = []*configs.Device{
|
|
|
|
// allow mknod for any device
|
|
|
|
{
|
|
|
|
Type: 'c',
|
|
|
|
Major: wildcard,
|
|
|
|
Minor: wildcard,
|
|
|
|
Permissions: "m",
|
|
|
|
Allow: true,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
Type: 'b',
|
|
|
|
Major: wildcard,
|
|
|
|
Minor: wildcard,
|
|
|
|
Permissions: "m",
|
|
|
|
Allow: true,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
Type: 'c',
|
|
|
|
Path: "/dev/null",
|
|
|
|
Major: 1,
|
|
|
|
Minor: 3,
|
|
|
|
Permissions: "rwm",
|
|
|
|
Allow: true,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
Type: 'c',
|
|
|
|
Path: "/dev/random",
|
|
|
|
Major: 1,
|
|
|
|
Minor: 8,
|
|
|
|
Permissions: "rwm",
|
|
|
|
Allow: true,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
Type: 'c',
|
|
|
|
Path: "/dev/full",
|
|
|
|
Major: 1,
|
|
|
|
Minor: 7,
|
|
|
|
Permissions: "rwm",
|
|
|
|
Allow: true,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
Type: 'c',
|
|
|
|
Path: "/dev/tty",
|
|
|
|
Major: 5,
|
|
|
|
Minor: 0,
|
|
|
|
Permissions: "rwm",
|
|
|
|
Allow: true,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
Type: 'c',
|
|
|
|
Path: "/dev/zero",
|
|
|
|
Major: 1,
|
|
|
|
Minor: 5,
|
|
|
|
Permissions: "rwm",
|
|
|
|
Allow: true,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
Type: 'c',
|
|
|
|
Path: "/dev/urandom",
|
|
|
|
Major: 1,
|
|
|
|
Minor: 9,
|
|
|
|
Permissions: "rwm",
|
|
|
|
Allow: true,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
Path: "/dev/console",
|
|
|
|
Type: 'c',
|
|
|
|
Major: 5,
|
|
|
|
Minor: 1,
|
|
|
|
Permissions: "rwm",
|
|
|
|
Allow: true,
|
|
|
|
},
|
|
|
|
// /dev/pts/ - pts namespaces are "coming soon"
|
|
|
|
{
|
|
|
|
Path: "",
|
|
|
|
Type: 'c',
|
|
|
|
Major: 136,
|
|
|
|
Minor: wildcard,
|
|
|
|
Permissions: "rwm",
|
|
|
|
Allow: true,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
Path: "",
|
|
|
|
Type: 'c',
|
|
|
|
Major: 5,
|
|
|
|
Minor: 2,
|
|
|
|
Permissions: "rwm",
|
|
|
|
Allow: true,
|
|
|
|
},
|
|
|
|
// tuntap
|
|
|
|
{
|
|
|
|
Path: "",
|
|
|
|
Type: 'c',
|
|
|
|
Major: 10,
|
|
|
|
Minor: 200,
|
|
|
|
Permissions: "rwm",
|
|
|
|
Allow: true,
|
|
|
|
},
|
|
|
|
}
|
|
|
|
|
2016-03-31 02:12:03 +08:00
|
|
|
type CreateOpts struct {
|
|
|
|
CgroupName string
|
|
|
|
UseSystemdCgroup bool
|
|
|
|
NoPivotRoot bool
|
2016-06-04 02:53:07 +08:00
|
|
|
NoNewKeyring bool
|
2016-03-31 02:12:03 +08:00
|
|
|
Spec *specs.Spec
|
Disable rootless mode except RootlessCgMgr when executed as the root in userns
This PR decomposes `libcontainer/configs.Config.Rootless bool` into `RootlessEUID bool` and
`RootlessCgroups bool`, so as to make "runc-in-userns" to be more compatible with "rootful" runc.
`RootlessEUID` denotes that runc is being executed as a non-root user (euid != 0) in
the current user namespace. `RootlessEUID` is almost identical to the former `Rootless`
except cgroups stuff.
`RootlessCgroups` denotes that runc is unlikely to have the full access to cgroups.
`RootlessCgroups` is set to false if runc is executed as the root (euid == 0) in the initial namespace.
Otherwise `RootlessCgroups` is set to true.
(Hint: if `RootlessEUID` is true, `RootlessCgroups` becomes true as well)
When runc is executed as the root (euid == 0) in an user namespace (e.g. by Docker-in-LXD, Podman, Usernetes),
`RootlessEUID` is set to false but `RootlessCgroups` is set to true.
So, "runc-in-userns" behaves almost same as "rootful" runc except that cgroups errors are ignored.
This PR does not have any impact on CLI flags and `state.json`.
Note about CLI:
* Now `runc --rootless=(auto|true|false)` CLI flag is only used for setting `RootlessCgroups`.
* Now `runc spec --rootless` is only required when `RootlessEUID` is set to true.
For runc-in-userns, `runc spec` without `--rootless` should work, when sufficient numbers of
UID/GID are mapped.
Note about `$XDG_RUNTIME_DIR` (e.g. `/run/user/1000`):
* `$XDG_RUNTIME_DIR` is ignored if runc is being executed as the root (euid == 0) in the initial namespace, for backward compatibility.
(`/run/runc` is used)
* If runc is executed as the root (euid == 0) in an user namespace, `$XDG_RUNTIME_DIR` is honored if `$USER != "" && $USER != "root"`.
This allows unprivileged users to allow execute runc as the root in userns, without mounting writable `/run/runc`.
Note about `state.json`:
* `rootless` is set to true when `RootlessEUID == true && RootlessCgroups == true`.
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2018-07-05 14:28:21 +08:00
|
|
|
RootlessEUID bool
|
|
|
|
RootlessCgroups bool
|
2016-03-31 02:12:03 +08:00
|
|
|
}
|
|
|
|
|
2016-03-25 23:44:09 +08:00
|
|
|
// CreateLibcontainerConfig creates a new libcontainer configuration from a
|
|
|
|
// given specification and a cgroup name
|
2016-03-31 02:12:03 +08:00
|
|
|
func CreateLibcontainerConfig(opts *CreateOpts) (*configs.Config, error) {
|
2016-03-25 23:44:09 +08:00
|
|
|
// runc's cwd will always be the bundle path
|
|
|
|
rcwd, err := os.Getwd()
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
cwd, err := filepath.Abs(rcwd)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2016-03-31 02:12:03 +08:00
|
|
|
spec := opts.Spec
|
2017-07-13 00:00:49 +08:00
|
|
|
if spec.Root == nil {
|
|
|
|
return nil, fmt.Errorf("Root must be specified")
|
|
|
|
}
|
2016-03-25 23:44:09 +08:00
|
|
|
rootfsPath := spec.Root.Path
|
|
|
|
if !filepath.IsAbs(rootfsPath) {
|
|
|
|
rootfsPath = filepath.Join(cwd, rootfsPath)
|
|
|
|
}
|
2016-06-03 03:44:43 +08:00
|
|
|
labels := []string{}
|
|
|
|
for k, v := range spec.Annotations {
|
|
|
|
labels = append(labels, fmt.Sprintf("%s=%s", k, v))
|
|
|
|
}
|
2016-03-25 23:44:09 +08:00
|
|
|
config := &configs.Config{
|
Disable rootless mode except RootlessCgMgr when executed as the root in userns
This PR decomposes `libcontainer/configs.Config.Rootless bool` into `RootlessEUID bool` and
`RootlessCgroups bool`, so as to make "runc-in-userns" to be more compatible with "rootful" runc.
`RootlessEUID` denotes that runc is being executed as a non-root user (euid != 0) in
the current user namespace. `RootlessEUID` is almost identical to the former `Rootless`
except cgroups stuff.
`RootlessCgroups` denotes that runc is unlikely to have the full access to cgroups.
`RootlessCgroups` is set to false if runc is executed as the root (euid == 0) in the initial namespace.
Otherwise `RootlessCgroups` is set to true.
(Hint: if `RootlessEUID` is true, `RootlessCgroups` becomes true as well)
When runc is executed as the root (euid == 0) in an user namespace (e.g. by Docker-in-LXD, Podman, Usernetes),
`RootlessEUID` is set to false but `RootlessCgroups` is set to true.
So, "runc-in-userns" behaves almost same as "rootful" runc except that cgroups errors are ignored.
This PR does not have any impact on CLI flags and `state.json`.
Note about CLI:
* Now `runc --rootless=(auto|true|false)` CLI flag is only used for setting `RootlessCgroups`.
* Now `runc spec --rootless` is only required when `RootlessEUID` is set to true.
For runc-in-userns, `runc spec` without `--rootless` should work, when sufficient numbers of
UID/GID are mapped.
Note about `$XDG_RUNTIME_DIR` (e.g. `/run/user/1000`):
* `$XDG_RUNTIME_DIR` is ignored if runc is being executed as the root (euid == 0) in the initial namespace, for backward compatibility.
(`/run/runc` is used)
* If runc is executed as the root (euid == 0) in an user namespace, `$XDG_RUNTIME_DIR` is honored if `$USER != "" && $USER != "root"`.
This allows unprivileged users to allow execute runc as the root in userns, without mounting writable `/run/runc`.
Note about `state.json`:
* `rootless` is set to true when `RootlessEUID == true && RootlessCgroups == true`.
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2018-07-05 14:28:21 +08:00
|
|
|
Rootfs: rootfsPath,
|
|
|
|
NoPivotRoot: opts.NoPivotRoot,
|
|
|
|
Readonlyfs: spec.Root.Readonly,
|
|
|
|
Hostname: spec.Hostname,
|
|
|
|
Labels: append(labels, fmt.Sprintf("bundle=%s", cwd)),
|
|
|
|
NoNewKeyring: opts.NoNewKeyring,
|
|
|
|
RootlessEUID: opts.RootlessEUID,
|
|
|
|
RootlessCgroups: opts.RootlessCgroups,
|
2016-03-25 23:44:09 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
exists := false
|
|
|
|
for _, m := range spec.Mounts {
|
|
|
|
config.Mounts = append(config.Mounts, createLibcontainerMount(cwd, m))
|
|
|
|
}
|
|
|
|
if err := createDevices(spec, config); err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2016-04-23 21:39:42 +08:00
|
|
|
c, err := createCgroupConfig(opts)
|
2016-03-25 23:44:09 +08:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
config.Cgroups = c
|
2017-05-15 15:45:06 +08:00
|
|
|
// set linux-specific config
|
|
|
|
if spec.Linux != nil {
|
|
|
|
if config.RootPropagation, exists = mountPropagationMapping[spec.Linux.RootfsPropagation]; !exists {
|
|
|
|
return nil, fmt.Errorf("rootfsPropagation=%v is not supported", spec.Linux.RootfsPropagation)
|
|
|
|
}
|
2017-10-08 14:38:12 +08:00
|
|
|
if config.NoPivotRoot && (config.RootPropagation&unix.MS_PRIVATE != 0) {
|
|
|
|
return nil, fmt.Errorf("rootfsPropagation of [r]private is not safe without pivot_root")
|
|
|
|
}
|
2017-05-15 15:45:06 +08:00
|
|
|
|
|
|
|
for _, ns := range spec.Linux.Namespaces {
|
|
|
|
t, exists := namespaceMapping[ns.Type]
|
|
|
|
if !exists {
|
|
|
|
return nil, fmt.Errorf("namespace %q does not exist", ns)
|
|
|
|
}
|
|
|
|
if config.Namespaces.Contains(t) {
|
|
|
|
return nil, fmt.Errorf("malformed spec file: duplicated ns %q", ns)
|
|
|
|
}
|
|
|
|
config.Namespaces.Add(t, ns.Path)
|
|
|
|
}
|
2018-04-12 01:28:19 +08:00
|
|
|
if config.Namespaces.Contains(configs.NEWNET) && config.Namespaces.PathOf(configs.NEWNET) == "" {
|
2017-09-08 09:30:07 +08:00
|
|
|
config.Networks = []*configs.Network{
|
|
|
|
{
|
|
|
|
Type: "loopback",
|
|
|
|
},
|
|
|
|
}
|
|
|
|
}
|
2018-02-26 18:47:15 +08:00
|
|
|
if config.Namespaces.Contains(configs.NEWUSER) {
|
|
|
|
if err := setupUserNamespace(spec, config); err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
}
|
2017-05-15 15:45:06 +08:00
|
|
|
config.MaskPaths = spec.Linux.MaskedPaths
|
|
|
|
config.ReadonlyPaths = spec.Linux.ReadonlyPaths
|
|
|
|
config.MountLabel = spec.Linux.MountLabel
|
|
|
|
config.Sysctl = spec.Linux.Sysctl
|
|
|
|
if spec.Linux.Seccomp != nil {
|
2018-04-18 01:42:04 +08:00
|
|
|
seccomp, err := SetupSeccomp(spec.Linux.Seccomp)
|
2017-05-15 15:45:06 +08:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
config.Seccomp = seccomp
|
2016-03-25 23:44:09 +08:00
|
|
|
}
|
2018-10-05 11:30:55 +08:00
|
|
|
if spec.Linux.IntelRdt != nil {
|
|
|
|
config.IntelRdt = &configs.IntelRdt{}
|
|
|
|
if spec.Linux.IntelRdt.L3CacheSchema != "" {
|
|
|
|
config.IntelRdt.L3CacheSchema = spec.Linux.IntelRdt.L3CacheSchema
|
|
|
|
}
|
2018-10-16 12:37:41 +08:00
|
|
|
if spec.Linux.IntelRdt.MemBwSchema != "" {
|
|
|
|
config.IntelRdt.MemBwSchema = spec.Linux.IntelRdt.MemBwSchema
|
|
|
|
}
|
2018-10-05 11:30:55 +08:00
|
|
|
}
|
2016-03-25 23:44:09 +08:00
|
|
|
}
|
2018-03-16 08:54:47 +08:00
|
|
|
if spec.Process != nil {
|
|
|
|
config.OomScoreAdj = spec.Process.OOMScoreAdj
|
2018-11-06 11:45:29 +08:00
|
|
|
if spec.Process.SelinuxLabel != "" {
|
|
|
|
config.ProcessLabel = spec.Process.SelinuxLabel
|
|
|
|
}
|
|
|
|
if spec.Process.Capabilities != nil {
|
|
|
|
config.Capabilities = &configs.Capabilities{
|
|
|
|
Bounding: spec.Process.Capabilities.Bounding,
|
|
|
|
Effective: spec.Process.Capabilities.Effective,
|
|
|
|
Permitted: spec.Process.Capabilities.Permitted,
|
|
|
|
Inheritable: spec.Process.Capabilities.Inheritable,
|
|
|
|
Ambient: spec.Process.Capabilities.Ambient,
|
|
|
|
}
|
2017-03-15 00:36:38 +08:00
|
|
|
}
|
|
|
|
}
|
2016-03-25 23:44:09 +08:00
|
|
|
createHooks(spec, config)
|
|
|
|
config.Version = specs.Version
|
|
|
|
return config, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func createLibcontainerMount(cwd string, m specs.Mount) *configs.Mount {
|
2016-05-27 03:36:29 +08:00
|
|
|
flags, pgflags, data, ext := parseMountOptions(m.Options)
|
2016-03-25 23:44:09 +08:00
|
|
|
source := m.Source
|
2018-03-07 07:36:48 +08:00
|
|
|
device := m.Type
|
2018-07-19 00:30:49 +08:00
|
|
|
if flags&unix.MS_BIND != 0 {
|
2019-04-08 13:08:08 +08:00
|
|
|
// Any "type" the user specified is meaningless (and ignored) for
|
|
|
|
// bind-mounts -- so we set it to "bind" because rootfs_linux.go
|
|
|
|
// (incorrectly) relies on this for some checks.
|
|
|
|
device = "bind"
|
2016-03-25 23:44:09 +08:00
|
|
|
if !filepath.IsAbs(source) {
|
|
|
|
source = filepath.Join(cwd, m.Source)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return &configs.Mount{
|
2018-03-07 07:36:48 +08:00
|
|
|
Device: device,
|
2016-03-25 23:44:09 +08:00
|
|
|
Source: source,
|
|
|
|
Destination: m.Destination,
|
|
|
|
Data: data,
|
|
|
|
Flags: flags,
|
|
|
|
PropagationFlags: pgflags,
|
2016-05-27 03:36:29 +08:00
|
|
|
Extensions: ext,
|
2016-03-25 23:44:09 +08:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2016-04-23 21:39:42 +08:00
|
|
|
func createCgroupConfig(opts *CreateOpts) (*configs.Cgroup, error) {
|
|
|
|
var (
|
|
|
|
myCgroupPath string
|
|
|
|
|
|
|
|
spec = opts.Spec
|
|
|
|
useSystemdCgroup = opts.UseSystemdCgroup
|
|
|
|
name = opts.CgroupName
|
|
|
|
)
|
2016-03-25 23:44:09 +08:00
|
|
|
|
|
|
|
c := &configs.Cgroup{
|
|
|
|
Resources: &configs.Resources{},
|
|
|
|
}
|
|
|
|
|
2017-03-15 00:36:38 +08:00
|
|
|
if spec.Linux != nil && spec.Linux.CgroupsPath != "" {
|
|
|
|
myCgroupPath = libcontainerUtils.CleanPath(spec.Linux.CgroupsPath)
|
2016-03-25 23:44:09 +08:00
|
|
|
if useSystemdCgroup {
|
2017-03-15 00:36:38 +08:00
|
|
|
myCgroupPath = spec.Linux.CgroupsPath
|
2016-03-25 23:44:09 +08:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if useSystemdCgroup {
|
|
|
|
if myCgroupPath == "" {
|
|
|
|
c.Parent = "system.slice"
|
|
|
|
c.ScopePrefix = "runc"
|
|
|
|
c.Name = name
|
|
|
|
} else {
|
|
|
|
// Parse the path from expected "slice:prefix:name"
|
|
|
|
// for e.g. "system.slice:docker:1234"
|
|
|
|
parts := strings.Split(myCgroupPath, ":")
|
|
|
|
if len(parts) != 3 {
|
2019-03-15 01:24:04 +08:00
|
|
|
return nil, fmt.Errorf("expected cgroupsPath to be of format \"slice:prefix:name\" for systemd cgroups, got %q instead", myCgroupPath)
|
2016-03-25 23:44:09 +08:00
|
|
|
}
|
|
|
|
c.Parent = parts[0]
|
|
|
|
c.ScopePrefix = parts[1]
|
|
|
|
c.Name = parts[2]
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
if myCgroupPath == "" {
|
2016-08-30 14:12:15 +08:00
|
|
|
c.Name = name
|
2016-03-25 23:44:09 +08:00
|
|
|
}
|
|
|
|
c.Path = myCgroupPath
|
|
|
|
}
|
|
|
|
|
Disable rootless mode except RootlessCgMgr when executed as the root in userns
This PR decomposes `libcontainer/configs.Config.Rootless bool` into `RootlessEUID bool` and
`RootlessCgroups bool`, so as to make "runc-in-userns" to be more compatible with "rootful" runc.
`RootlessEUID` denotes that runc is being executed as a non-root user (euid != 0) in
the current user namespace. `RootlessEUID` is almost identical to the former `Rootless`
except cgroups stuff.
`RootlessCgroups` denotes that runc is unlikely to have the full access to cgroups.
`RootlessCgroups` is set to false if runc is executed as the root (euid == 0) in the initial namespace.
Otherwise `RootlessCgroups` is set to true.
(Hint: if `RootlessEUID` is true, `RootlessCgroups` becomes true as well)
When runc is executed as the root (euid == 0) in an user namespace (e.g. by Docker-in-LXD, Podman, Usernetes),
`RootlessEUID` is set to false but `RootlessCgroups` is set to true.
So, "runc-in-userns" behaves almost same as "rootful" runc except that cgroups errors are ignored.
This PR does not have any impact on CLI flags and `state.json`.
Note about CLI:
* Now `runc --rootless=(auto|true|false)` CLI flag is only used for setting `RootlessCgroups`.
* Now `runc spec --rootless` is only required when `RootlessEUID` is set to true.
For runc-in-userns, `runc spec` without `--rootless` should work, when sufficient numbers of
UID/GID are mapped.
Note about `$XDG_RUNTIME_DIR` (e.g. `/run/user/1000`):
* `$XDG_RUNTIME_DIR` is ignored if runc is being executed as the root (euid == 0) in the initial namespace, for backward compatibility.
(`/run/runc` is used)
* If runc is executed as the root (euid == 0) in an user namespace, `$XDG_RUNTIME_DIR` is honored if `$USER != "" && $USER != "root"`.
This allows unprivileged users to allow execute runc as the root in userns, without mounting writable `/run/runc`.
Note about `state.json`:
* `rootless` is set to true when `RootlessEUID == true && RootlessCgroups == true`.
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2018-07-05 14:28:21 +08:00
|
|
|
// In rootless containers, any attempt to make cgroup changes is likely to fail.
|
|
|
|
// libcontainer will validate this but ignores the error.
|
|
|
|
c.Resources.AllowedDevices = allowedDevices
|
2017-05-15 15:45:06 +08:00
|
|
|
if spec.Linux != nil {
|
|
|
|
r := spec.Linux.Resources
|
|
|
|
if r == nil {
|
|
|
|
return c, nil
|
2016-03-25 23:44:09 +08:00
|
|
|
}
|
2017-05-15 15:45:06 +08:00
|
|
|
for i, d := range spec.Linux.Resources.Devices {
|
|
|
|
var (
|
|
|
|
t = "a"
|
|
|
|
major = int64(-1)
|
|
|
|
minor = int64(-1)
|
|
|
|
)
|
|
|
|
if d.Type != "" {
|
|
|
|
t = d.Type
|
|
|
|
}
|
|
|
|
if d.Major != nil {
|
|
|
|
major = *d.Major
|
|
|
|
}
|
|
|
|
if d.Minor != nil {
|
|
|
|
minor = *d.Minor
|
|
|
|
}
|
|
|
|
if d.Access == "" {
|
|
|
|
return nil, fmt.Errorf("device access at %d field cannot be empty", i)
|
|
|
|
}
|
|
|
|
dt, err := stringToCgroupDeviceRune(t)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
dd := &configs.Device{
|
|
|
|
Type: dt,
|
|
|
|
Major: major,
|
|
|
|
Minor: minor,
|
|
|
|
Permissions: d.Access,
|
|
|
|
Allow: d.Allow,
|
|
|
|
}
|
|
|
|
c.Resources.Devices = append(c.Resources.Devices, dd)
|
2016-03-25 23:44:09 +08:00
|
|
|
}
|
2017-05-15 15:45:06 +08:00
|
|
|
if r.Memory != nil {
|
|
|
|
if r.Memory.Limit != nil {
|
|
|
|
c.Resources.Memory = *r.Memory.Limit
|
|
|
|
}
|
|
|
|
if r.Memory.Reservation != nil {
|
|
|
|
c.Resources.MemoryReservation = *r.Memory.Reservation
|
|
|
|
}
|
|
|
|
if r.Memory.Swap != nil {
|
|
|
|
c.Resources.MemorySwap = *r.Memory.Swap
|
|
|
|
}
|
|
|
|
if r.Memory.Kernel != nil {
|
|
|
|
c.Resources.KernelMemory = *r.Memory.Kernel
|
|
|
|
}
|
|
|
|
if r.Memory.KernelTCP != nil {
|
|
|
|
c.Resources.KernelMemoryTCP = *r.Memory.KernelTCP
|
|
|
|
}
|
|
|
|
if r.Memory.Swappiness != nil {
|
|
|
|
c.Resources.MemorySwappiness = r.Memory.Swappiness
|
|
|
|
}
|
|
|
|
if r.Memory.DisableOOMKiller != nil {
|
|
|
|
c.Resources.OomKillDisable = *r.Memory.DisableOOMKiller
|
|
|
|
}
|
2016-03-25 23:44:09 +08:00
|
|
|
}
|
2017-05-15 15:45:06 +08:00
|
|
|
if r.CPU != nil {
|
|
|
|
if r.CPU.Shares != nil {
|
|
|
|
c.Resources.CpuShares = *r.CPU.Shares
|
|
|
|
}
|
|
|
|
if r.CPU.Quota != nil {
|
|
|
|
c.Resources.CpuQuota = *r.CPU.Quota
|
|
|
|
}
|
|
|
|
if r.CPU.Period != nil {
|
|
|
|
c.Resources.CpuPeriod = *r.CPU.Period
|
|
|
|
}
|
|
|
|
if r.CPU.RealtimeRuntime != nil {
|
|
|
|
c.Resources.CpuRtRuntime = *r.CPU.RealtimeRuntime
|
|
|
|
}
|
|
|
|
if r.CPU.RealtimePeriod != nil {
|
|
|
|
c.Resources.CpuRtPeriod = *r.CPU.RealtimePeriod
|
|
|
|
}
|
|
|
|
if r.CPU.Cpus != "" {
|
|
|
|
c.Resources.CpusetCpus = r.CPU.Cpus
|
|
|
|
}
|
|
|
|
if r.CPU.Mems != "" {
|
|
|
|
c.Resources.CpusetMems = r.CPU.Mems
|
|
|
|
}
|
2016-03-25 23:44:09 +08:00
|
|
|
}
|
2017-05-15 15:45:06 +08:00
|
|
|
if r.Pids != nil {
|
|
|
|
c.Resources.PidsLimit = r.Pids.Limit
|
2016-03-25 23:44:09 +08:00
|
|
|
}
|
2017-05-15 15:45:06 +08:00
|
|
|
if r.BlockIO != nil {
|
|
|
|
if r.BlockIO.Weight != nil {
|
|
|
|
c.Resources.BlkioWeight = *r.BlockIO.Weight
|
|
|
|
}
|
|
|
|
if r.BlockIO.LeafWeight != nil {
|
|
|
|
c.Resources.BlkioLeafWeight = *r.BlockIO.LeafWeight
|
|
|
|
}
|
|
|
|
if r.BlockIO.WeightDevice != nil {
|
|
|
|
for _, wd := range r.BlockIO.WeightDevice {
|
|
|
|
var weight, leafWeight uint16
|
|
|
|
if wd.Weight != nil {
|
|
|
|
weight = *wd.Weight
|
|
|
|
}
|
|
|
|
if wd.LeafWeight != nil {
|
|
|
|
leafWeight = *wd.LeafWeight
|
|
|
|
}
|
|
|
|
weightDevice := configs.NewWeightDevice(wd.Major, wd.Minor, weight, leafWeight)
|
|
|
|
c.Resources.BlkioWeightDevice = append(c.Resources.BlkioWeightDevice, weightDevice)
|
2016-06-11 09:11:20 +08:00
|
|
|
}
|
2017-05-15 15:45:06 +08:00
|
|
|
}
|
|
|
|
if r.BlockIO.ThrottleReadBpsDevice != nil {
|
|
|
|
for _, td := range r.BlockIO.ThrottleReadBpsDevice {
|
|
|
|
rate := td.Rate
|
|
|
|
throttleDevice := configs.NewThrottleDevice(td.Major, td.Minor, rate)
|
|
|
|
c.Resources.BlkioThrottleReadBpsDevice = append(c.Resources.BlkioThrottleReadBpsDevice, throttleDevice)
|
2016-06-11 09:11:20 +08:00
|
|
|
}
|
2016-03-25 23:44:09 +08:00
|
|
|
}
|
2017-05-15 15:45:06 +08:00
|
|
|
if r.BlockIO.ThrottleWriteBpsDevice != nil {
|
|
|
|
for _, td := range r.BlockIO.ThrottleWriteBpsDevice {
|
|
|
|
rate := td.Rate
|
|
|
|
throttleDevice := configs.NewThrottleDevice(td.Major, td.Minor, rate)
|
|
|
|
c.Resources.BlkioThrottleWriteBpsDevice = append(c.Resources.BlkioThrottleWriteBpsDevice, throttleDevice)
|
|
|
|
}
|
2016-03-25 23:44:09 +08:00
|
|
|
}
|
2017-05-15 15:45:06 +08:00
|
|
|
if r.BlockIO.ThrottleReadIOPSDevice != nil {
|
|
|
|
for _, td := range r.BlockIO.ThrottleReadIOPSDevice {
|
|
|
|
rate := td.Rate
|
|
|
|
throttleDevice := configs.NewThrottleDevice(td.Major, td.Minor, rate)
|
|
|
|
c.Resources.BlkioThrottleReadIOPSDevice = append(c.Resources.BlkioThrottleReadIOPSDevice, throttleDevice)
|
|
|
|
}
|
2016-03-25 23:44:09 +08:00
|
|
|
}
|
2017-05-15 15:45:06 +08:00
|
|
|
if r.BlockIO.ThrottleWriteIOPSDevice != nil {
|
|
|
|
for _, td := range r.BlockIO.ThrottleWriteIOPSDevice {
|
|
|
|
rate := td.Rate
|
|
|
|
throttleDevice := configs.NewThrottleDevice(td.Major, td.Minor, rate)
|
|
|
|
c.Resources.BlkioThrottleWriteIOPSDevice = append(c.Resources.BlkioThrottleWriteIOPSDevice, throttleDevice)
|
|
|
|
}
|
2016-03-25 23:44:09 +08:00
|
|
|
}
|
|
|
|
}
|
2017-05-15 15:45:06 +08:00
|
|
|
for _, l := range r.HugepageLimits {
|
|
|
|
c.Resources.HugetlbLimit = append(c.Resources.HugetlbLimit, &configs.HugepageLimit{
|
|
|
|
Pagesize: l.Pagesize,
|
|
|
|
Limit: l.Limit,
|
|
|
|
})
|
|
|
|
}
|
|
|
|
if r.Network != nil {
|
|
|
|
if r.Network.ClassID != nil {
|
|
|
|
c.Resources.NetClsClassid = *r.Network.ClassID
|
|
|
|
}
|
|
|
|
for _, m := range r.Network.Priorities {
|
|
|
|
c.Resources.NetPrioIfpriomap = append(c.Resources.NetPrioIfpriomap, &configs.IfPrioMap{
|
|
|
|
Interface: m.Name,
|
|
|
|
Priority: int64(m.Priority),
|
|
|
|
})
|
2016-03-25 23:44:09 +08:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
Disable rootless mode except RootlessCgMgr when executed as the root in userns
This PR decomposes `libcontainer/configs.Config.Rootless bool` into `RootlessEUID bool` and
`RootlessCgroups bool`, so as to make "runc-in-userns" to be more compatible with "rootful" runc.
`RootlessEUID` denotes that runc is being executed as a non-root user (euid != 0) in
the current user namespace. `RootlessEUID` is almost identical to the former `Rootless`
except cgroups stuff.
`RootlessCgroups` denotes that runc is unlikely to have the full access to cgroups.
`RootlessCgroups` is set to false if runc is executed as the root (euid == 0) in the initial namespace.
Otherwise `RootlessCgroups` is set to true.
(Hint: if `RootlessEUID` is true, `RootlessCgroups` becomes true as well)
When runc is executed as the root (euid == 0) in an user namespace (e.g. by Docker-in-LXD, Podman, Usernetes),
`RootlessEUID` is set to false but `RootlessCgroups` is set to true.
So, "runc-in-userns" behaves almost same as "rootful" runc except that cgroups errors are ignored.
This PR does not have any impact on CLI flags and `state.json`.
Note about CLI:
* Now `runc --rootless=(auto|true|false)` CLI flag is only used for setting `RootlessCgroups`.
* Now `runc spec --rootless` is only required when `RootlessEUID` is set to true.
For runc-in-userns, `runc spec` without `--rootless` should work, when sufficient numbers of
UID/GID are mapped.
Note about `$XDG_RUNTIME_DIR` (e.g. `/run/user/1000`):
* `$XDG_RUNTIME_DIR` is ignored if runc is being executed as the root (euid == 0) in the initial namespace, for backward compatibility.
(`/run/runc` is used)
* If runc is executed as the root (euid == 0) in an user namespace, `$XDG_RUNTIME_DIR` is honored if `$USER != "" && $USER != "root"`.
This allows unprivileged users to allow execute runc as the root in userns, without mounting writable `/run/runc`.
Note about `state.json`:
* `rootless` is set to true when `RootlessEUID == true && RootlessCgroups == true`.
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2018-07-05 14:28:21 +08:00
|
|
|
// append the default allowed devices to the end of the list
|
|
|
|
c.Resources.Devices = append(c.Resources.Devices, allowedDevices...)
|
2016-03-25 23:44:09 +08:00
|
|
|
return c, nil
|
|
|
|
}
|
|
|
|
|
2017-02-10 14:39:40 +08:00
|
|
|
func stringToCgroupDeviceRune(s string) (rune, error) {
|
2016-03-25 23:44:09 +08:00
|
|
|
switch s {
|
|
|
|
case "a":
|
|
|
|
return 'a', nil
|
|
|
|
case "b":
|
|
|
|
return 'b', nil
|
|
|
|
case "c":
|
|
|
|
return 'c', nil
|
2017-02-10 14:39:40 +08:00
|
|
|
default:
|
|
|
|
return 0, fmt.Errorf("invalid cgroup device type %q", s)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func stringToDeviceRune(s string) (rune, error) {
|
|
|
|
switch s {
|
|
|
|
case "p":
|
|
|
|
return 'p', nil
|
|
|
|
case "u":
|
|
|
|
return 'u', nil
|
|
|
|
case "b":
|
|
|
|
return 'b', nil
|
|
|
|
case "c":
|
|
|
|
return 'c', nil
|
2016-03-25 23:44:09 +08:00
|
|
|
default:
|
|
|
|
return 0, fmt.Errorf("invalid device type %q", s)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func createDevices(spec *specs.Spec, config *configs.Config) error {
|
|
|
|
// add whitelisted devices
|
|
|
|
config.Devices = []*configs.Device{
|
|
|
|
{
|
|
|
|
Type: 'c',
|
|
|
|
Path: "/dev/null",
|
|
|
|
Major: 1,
|
|
|
|
Minor: 3,
|
|
|
|
FileMode: 0666,
|
|
|
|
Uid: 0,
|
|
|
|
Gid: 0,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
Type: 'c',
|
|
|
|
Path: "/dev/random",
|
|
|
|
Major: 1,
|
|
|
|
Minor: 8,
|
|
|
|
FileMode: 0666,
|
|
|
|
Uid: 0,
|
|
|
|
Gid: 0,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
Type: 'c',
|
|
|
|
Path: "/dev/full",
|
|
|
|
Major: 1,
|
|
|
|
Minor: 7,
|
|
|
|
FileMode: 0666,
|
|
|
|
Uid: 0,
|
|
|
|
Gid: 0,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
Type: 'c',
|
|
|
|
Path: "/dev/tty",
|
|
|
|
Major: 5,
|
|
|
|
Minor: 0,
|
|
|
|
FileMode: 0666,
|
|
|
|
Uid: 0,
|
|
|
|
Gid: 0,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
Type: 'c',
|
|
|
|
Path: "/dev/zero",
|
|
|
|
Major: 1,
|
|
|
|
Minor: 5,
|
|
|
|
FileMode: 0666,
|
|
|
|
Uid: 0,
|
|
|
|
Gid: 0,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
Type: 'c',
|
|
|
|
Path: "/dev/urandom",
|
|
|
|
Major: 1,
|
|
|
|
Minor: 9,
|
|
|
|
FileMode: 0666,
|
|
|
|
Uid: 0,
|
|
|
|
Gid: 0,
|
|
|
|
},
|
|
|
|
}
|
|
|
|
// merge in additional devices from the spec
|
2017-05-15 15:45:06 +08:00
|
|
|
if spec.Linux != nil {
|
|
|
|
for _, d := range spec.Linux.Devices {
|
|
|
|
var uid, gid uint32
|
|
|
|
var filemode os.FileMode = 0666
|
2016-10-14 01:32:28 +08:00
|
|
|
|
2017-05-15 15:45:06 +08:00
|
|
|
if d.UID != nil {
|
|
|
|
uid = *d.UID
|
|
|
|
}
|
|
|
|
if d.GID != nil {
|
|
|
|
gid = *d.GID
|
|
|
|
}
|
|
|
|
dt, err := stringToDeviceRune(d.Type)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
if d.FileMode != nil {
|
|
|
|
filemode = *d.FileMode
|
|
|
|
}
|
|
|
|
device := &configs.Device{
|
|
|
|
Type: dt,
|
|
|
|
Path: d.Path,
|
|
|
|
Major: d.Major,
|
|
|
|
Minor: d.Minor,
|
|
|
|
FileMode: filemode,
|
|
|
|
Uid: uid,
|
|
|
|
Gid: gid,
|
|
|
|
}
|
|
|
|
config.Devices = append(config.Devices, device)
|
2016-03-25 23:44:09 +08:00
|
|
|
}
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func setupUserNamespace(spec *specs.Spec, config *configs.Config) error {
|
2016-12-17 13:01:53 +08:00
|
|
|
create := func(m specs.LinuxIDMapping) configs.IDMap {
|
2016-03-25 23:44:09 +08:00
|
|
|
return configs.IDMap{
|
|
|
|
HostID: int(m.HostID),
|
|
|
|
ContainerID: int(m.ContainerID),
|
|
|
|
Size: int(m.Size),
|
|
|
|
}
|
|
|
|
}
|
2017-05-15 15:45:06 +08:00
|
|
|
if spec.Linux != nil {
|
|
|
|
for _, m := range spec.Linux.UIDMappings {
|
|
|
|
config.UidMappings = append(config.UidMappings, create(m))
|
|
|
|
}
|
|
|
|
for _, m := range spec.Linux.GIDMappings {
|
|
|
|
config.GidMappings = append(config.GidMappings, create(m))
|
|
|
|
}
|
2016-03-25 23:44:09 +08:00
|
|
|
}
|
2017-03-18 01:32:16 +08:00
|
|
|
rootUID, err := config.HostRootUID()
|
2016-03-25 23:44:09 +08:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
2017-03-18 01:32:16 +08:00
|
|
|
rootGID, err := config.HostRootGID()
|
2016-03-25 23:44:09 +08:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
for _, node := range config.Devices {
|
|
|
|
node.Uid = uint32(rootUID)
|
|
|
|
node.Gid = uint32(rootGID)
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// parseMountOptions parses the string and returns the flags, propagation
|
|
|
|
// flags and any mount data that it contains.
|
2016-05-27 03:36:29 +08:00
|
|
|
func parseMountOptions(options []string) (int, []int, string, int) {
|
2016-03-25 23:44:09 +08:00
|
|
|
var (
|
2016-05-27 03:36:29 +08:00
|
|
|
flag int
|
|
|
|
pgflag []int
|
|
|
|
data []string
|
|
|
|
extFlags int
|
2016-03-25 23:44:09 +08:00
|
|
|
)
|
|
|
|
flags := map[string]struct {
|
|
|
|
clear bool
|
|
|
|
flag int
|
|
|
|
}{
|
2017-05-27 00:13:43 +08:00
|
|
|
"acl": {false, unix.MS_POSIXACL},
|
2017-05-10 05:38:27 +08:00
|
|
|
"async": {true, unix.MS_SYNCHRONOUS},
|
|
|
|
"atime": {true, unix.MS_NOATIME},
|
|
|
|
"bind": {false, unix.MS_BIND},
|
2016-03-25 23:44:09 +08:00
|
|
|
"defaults": {false, 0},
|
2017-05-10 05:38:27 +08:00
|
|
|
"dev": {true, unix.MS_NODEV},
|
|
|
|
"diratime": {true, unix.MS_NODIRATIME},
|
|
|
|
"dirsync": {false, unix.MS_DIRSYNC},
|
|
|
|
"exec": {true, unix.MS_NOEXEC},
|
2017-05-27 00:13:43 +08:00
|
|
|
"iversion": {false, unix.MS_I_VERSION},
|
|
|
|
"lazytime": {false, unix.MS_LAZYTIME},
|
|
|
|
"loud": {true, unix.MS_SILENT},
|
2017-05-10 05:38:27 +08:00
|
|
|
"mand": {false, unix.MS_MANDLOCK},
|
2017-05-27 00:13:43 +08:00
|
|
|
"noacl": {true, unix.MS_POSIXACL},
|
2017-05-10 05:38:27 +08:00
|
|
|
"noatime": {false, unix.MS_NOATIME},
|
|
|
|
"nodev": {false, unix.MS_NODEV},
|
|
|
|
"nodiratime": {false, unix.MS_NODIRATIME},
|
|
|
|
"noexec": {false, unix.MS_NOEXEC},
|
2017-05-27 00:13:43 +08:00
|
|
|
"noiversion": {true, unix.MS_I_VERSION},
|
|
|
|
"nolazytime": {true, unix.MS_LAZYTIME},
|
2017-05-10 05:38:27 +08:00
|
|
|
"nomand": {true, unix.MS_MANDLOCK},
|
|
|
|
"norelatime": {true, unix.MS_RELATIME},
|
|
|
|
"nostrictatime": {true, unix.MS_STRICTATIME},
|
|
|
|
"nosuid": {false, unix.MS_NOSUID},
|
|
|
|
"rbind": {false, unix.MS_BIND | unix.MS_REC},
|
|
|
|
"relatime": {false, unix.MS_RELATIME},
|
|
|
|
"remount": {false, unix.MS_REMOUNT},
|
|
|
|
"ro": {false, unix.MS_RDONLY},
|
|
|
|
"rw": {true, unix.MS_RDONLY},
|
2017-05-27 00:13:43 +08:00
|
|
|
"silent": {false, unix.MS_SILENT},
|
2017-05-10 05:38:27 +08:00
|
|
|
"strictatime": {false, unix.MS_STRICTATIME},
|
|
|
|
"suid": {true, unix.MS_NOSUID},
|
|
|
|
"sync": {false, unix.MS_SYNCHRONOUS},
|
2016-03-25 23:44:09 +08:00
|
|
|
}
|
2016-09-06 23:41:40 +08:00
|
|
|
propagationFlags := map[string]int{
|
2017-05-10 05:38:27 +08:00
|
|
|
"private": unix.MS_PRIVATE,
|
|
|
|
"shared": unix.MS_SHARED,
|
|
|
|
"slave": unix.MS_SLAVE,
|
|
|
|
"unbindable": unix.MS_UNBINDABLE,
|
|
|
|
"rprivate": unix.MS_PRIVATE | unix.MS_REC,
|
|
|
|
"rshared": unix.MS_SHARED | unix.MS_REC,
|
|
|
|
"rslave": unix.MS_SLAVE | unix.MS_REC,
|
|
|
|
"runbindable": unix.MS_UNBINDABLE | unix.MS_REC,
|
2016-03-25 23:44:09 +08:00
|
|
|
}
|
2016-05-27 03:36:29 +08:00
|
|
|
extensionFlags := map[string]struct {
|
|
|
|
clear bool
|
|
|
|
flag int
|
|
|
|
}{
|
|
|
|
"tmpcopyup": {false, configs.EXT_COPYUP},
|
|
|
|
}
|
2016-03-25 23:44:09 +08:00
|
|
|
for _, o := range options {
|
|
|
|
// If the option does not exist in the flags table or the flag
|
|
|
|
// is not supported on the platform,
|
|
|
|
// then it is a data value for a specific fs type
|
|
|
|
if f, exists := flags[o]; exists && f.flag != 0 {
|
|
|
|
if f.clear {
|
|
|
|
flag &= ^f.flag
|
|
|
|
} else {
|
|
|
|
flag |= f.flag
|
|
|
|
}
|
2016-09-06 23:41:40 +08:00
|
|
|
} else if f, exists := propagationFlags[o]; exists && f != 0 {
|
|
|
|
pgflag = append(pgflag, f)
|
2016-05-27 03:36:29 +08:00
|
|
|
} else if f, exists := extensionFlags[o]; exists && f.flag != 0 {
|
|
|
|
if f.clear {
|
|
|
|
extFlags &= ^f.flag
|
|
|
|
} else {
|
|
|
|
extFlags |= f.flag
|
|
|
|
}
|
2016-03-25 23:44:09 +08:00
|
|
|
} else {
|
|
|
|
data = append(data, o)
|
|
|
|
}
|
|
|
|
}
|
2016-05-27 03:36:29 +08:00
|
|
|
return flag, pgflag, strings.Join(data, ","), extFlags
|
2016-03-25 23:44:09 +08:00
|
|
|
}
|
|
|
|
|
2018-04-18 01:42:04 +08:00
|
|
|
func SetupSeccomp(config *specs.LinuxSeccomp) (*configs.Seccomp, error) {
|
2016-03-25 23:44:09 +08:00
|
|
|
if config == nil {
|
|
|
|
return nil, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// No default action specified, no syscalls listed, assume seccomp disabled
|
|
|
|
if config.DefaultAction == "" && len(config.Syscalls) == 0 {
|
|
|
|
return nil, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
newConfig := new(configs.Seccomp)
|
|
|
|
newConfig.Syscalls = []*configs.Syscall{}
|
|
|
|
|
|
|
|
if len(config.Architectures) > 0 {
|
|
|
|
newConfig.Architectures = []string{}
|
|
|
|
for _, arch := range config.Architectures {
|
|
|
|
newArch, err := seccomp.ConvertStringToArch(string(arch))
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
newConfig.Architectures = append(newConfig.Architectures, newArch)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// Convert default action from string representation
|
|
|
|
newDefaultAction, err := seccomp.ConvertStringToAction(string(config.DefaultAction))
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
newConfig.DefaultAction = newDefaultAction
|
|
|
|
|
|
|
|
// Loop through all syscall blocks and convert them to libcontainer format
|
|
|
|
for _, call := range config.Syscalls {
|
|
|
|
newAction, err := seccomp.ConvertStringToAction(string(call.Action))
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
2017-03-15 00:36:38 +08:00
|
|
|
for _, name := range call.Names {
|
|
|
|
newCall := configs.Syscall{
|
|
|
|
Name: name,
|
|
|
|
Action: newAction,
|
|
|
|
Args: []*configs.Arg{},
|
2016-03-25 23:44:09 +08:00
|
|
|
}
|
2017-03-15 00:36:38 +08:00
|
|
|
// Loop through all the arguments of the syscall and convert them
|
|
|
|
for _, arg := range call.Args {
|
|
|
|
newOp, err := seccomp.ConvertStringToOperator(string(arg.Op))
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2016-03-25 23:44:09 +08:00
|
|
|
|
2017-03-15 00:36:38 +08:00
|
|
|
newArg := configs.Arg{
|
|
|
|
Index: arg.Index,
|
|
|
|
Value: arg.Value,
|
|
|
|
ValueTwo: arg.ValueTwo,
|
|
|
|
Op: newOp,
|
|
|
|
}
|
2016-03-25 23:44:09 +08:00
|
|
|
|
2017-03-15 00:36:38 +08:00
|
|
|
newCall.Args = append(newCall.Args, &newArg)
|
|
|
|
}
|
|
|
|
newConfig.Syscalls = append(newConfig.Syscalls, &newCall)
|
2016-03-25 23:44:09 +08:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return newConfig, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func createHooks(rspec *specs.Spec, config *configs.Config) {
|
|
|
|
config.Hooks = &configs.Hooks{}
|
2017-03-15 00:36:38 +08:00
|
|
|
if rspec.Hooks != nil {
|
|
|
|
|
|
|
|
for _, h := range rspec.Hooks.Prestart {
|
|
|
|
cmd := createCommandHook(h)
|
|
|
|
config.Hooks.Prestart = append(config.Hooks.Prestart, configs.NewCommandHook(cmd))
|
|
|
|
}
|
|
|
|
for _, h := range rspec.Hooks.Poststart {
|
|
|
|
cmd := createCommandHook(h)
|
|
|
|
config.Hooks.Poststart = append(config.Hooks.Poststart, configs.NewCommandHook(cmd))
|
|
|
|
}
|
|
|
|
for _, h := range rspec.Hooks.Poststop {
|
|
|
|
cmd := createCommandHook(h)
|
|
|
|
config.Hooks.Poststop = append(config.Hooks.Poststop, configs.NewCommandHook(cmd))
|
|
|
|
}
|
2016-03-25 23:44:09 +08:00
|
|
|
}
|
|
|
|
}
|
2016-03-30 02:14:59 +08:00
|
|
|
|
|
|
|
func createCommandHook(h specs.Hook) configs.Command {
|
|
|
|
cmd := configs.Command{
|
|
|
|
Path: h.Path,
|
|
|
|
Args: h.Args,
|
|
|
|
Env: h.Env,
|
|
|
|
}
|
|
|
|
if h.Timeout != nil {
|
|
|
|
d := time.Duration(*h.Timeout) * time.Second
|
|
|
|
cmd.Timeout = &d
|
|
|
|
}
|
|
|
|
return cmd
|
|
|
|
}
|