diff --git a/exec.go b/exec.go
index 62b78ba0..0f7fe881 100644
--- a/exec.go
+++ b/exec.go
@@ -10,7 +10,7 @@ import (
 "strings"
 "github.com/codegangsta/cli"
- "github.com/opencontainers/specs"
+ "github.com/opencontainers/specs/specs-go"
 )
 var execCommand = cli.Command{
diff --git a/main.go b/main.go
index 1bfa9a3a..cdff4e12 100644
--- a/main.go
+++ b/main.go
@@ -6,7 +6,7 @@ import (
 "github.com/Sirupsen/logrus"
 "github.com/codegangsta/cli"
- "github.com/opencontainers/specs"
+ "github.com/opencontainers/specs/specs-go"
 )
 const (
@@ -59,7 +59,7 @@ func main() {
 },
 cli.StringFlag{
 Name: "root",
- Value: specs.LinuxStateDirectory,
+ Value: "/run/runc",
 Usage: "root directory for storage of container state (this should be located in tmpfs)",
 },
 cli.StringFlag{
diff --git a/restore.go b/restore.go
index 3a644f1f..6883d917 100644
--- a/restore.go
+++ b/restore.go
@@ -10,7 +10,7 @@ import (
 "github.com/codegangsta/cli"
 "github.com/opencontainers/runc/libcontainer"
 "github.com/opencontainers/runc/libcontainer/configs"
- "github.com/opencontainers/specs"
+ "github.com/opencontainers/specs/specs-go"
 )
 var restoreCommand = cli.Command{
@@ -100,7 +100,7 @@ using the runc checkpoint command.`,
 },
 }
-func restoreContainer(context *cli.Context, spec *specs.LinuxSpec, config *configs.Config, imagePath string) (code int, err error) {
+func restoreContainer(context *cli.Context, spec *specs.Spec, config *configs.Config, imagePath string) (code int, err error) {
 var (
 rootuid = 0
 id = context.Args().First()
diff --git a/spec.go b/spec.go
index 9c05a6dc..d1f0f2ca 100644
--- a/spec.go
+++ b/spec.go
@@ -18,7 +18,7 @@ import (
 "github.com/opencontainers/runc/libcontainer/configs"
 "github.com/opencontainers/runc/libcontainer/seccomp"
 libcontainerUtils "github.com/opencontainers/runc/libcontainer/utils"
- "github.com/opencontainers/specs"
+ "github.com/opencontainers/specs/specs-go"
 )
 var specCommand = cli.Command{
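Review bot: The `--root` default in the main.go `@@ -59` hunk is now the bare literal `"/run/runc"` at `Value:`, replacing a named constant from the specs package, even though this path decides where all container state is kept and the Usage text on the next line says it must live on tmpfs. A named constant keeps that expectation next to the value and discoverable from other files: `// defaultRootDir is the default --root; the Usage text requires it to be on tmpfs.` then `const defaultRootDir = "/run/runc"` in the `const (` block the import hunk shows just above, with `Value: defaultRootDir,` here. The enclosing `main()` begins and ends outside the hunk, and the `const (` block is not visible in this view.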
@@ -34,79 +34,84 @@ var specCommand = cli.Command{
 },
 },
 Action: func(context *cli.Context) {
- spec := specs.LinuxSpec{
- Spec: specs.Spec{
- Version: specs.Version,
- Platform: specs.Platform{
- OS: runtime.GOOS,
- Arch: runtime.GOARCH,
+ spec := specs.Spec{
+ Version: specs.Version,
+ Platform: specs.Platform{
+ OS: runtime.GOOS,
+ Arch: runtime.GOARCH,
+ },
+ Root: specs.Root{
+ Path: "rootfs",
+ Readonly: true,
+ },
+ Process: specs.Process{
+ Terminal: true,
+ User: specs.User{},
+ Args: []string{
+ "sh",
 },
- Root: specs.Root{
- Path: "rootfs",
- Readonly: true,
+ Env: []string{
+ "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+ "TERM=xterm",
 },
- Process: specs.Process{
- Terminal: true,
- User: specs.User{},
- Args: []string{
- "sh",
- },
- Env: []string{
- "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
- "TERM=xterm",
- },
- Cwd: "/",
- NoNewPrivileges: true,
- Capabilities: []string{
- "CAP_AUDIT_WRITE",
- "CAP_KILL",
- "CAP_NET_BIND_SERVICE",
+ Cwd: "/",
+ NoNewPrivileges: true,
+ Capabilities: []string{
+ "CAP_AUDIT_WRITE",
+ "CAP_KILL",
+ "CAP_NET_BIND_SERVICE",
+ },
+ Rlimits: []specs.Rlimit{
+ {
+ Type: "RLIMIT_NOFILE",
+ Hard: uint64(1024),
+ Soft: uint64(1024),
 },
 },
- Hostname: "shell",
- Mounts: []specs.Mount{
- {
- Destination: "/proc",
- Type: "proc",
- Source: "proc",
- Options: nil,
- },
- {
- Destination: "/dev",
- Type: "tmpfs",
- Source: "tmpfs",
- Options: []string{"nosuid", "strictatime", "mode=755", "size=65536k"},
- },
- {
- Destination: "/dev/pts",
- Type: "devpts",
- Source: "devpts",
- Options: []string{"nosuid", "noexec", "newinstance", "ptmxmode=0666", "mode=0620", "gid=5"},
- },
- {
- Destination: "/dev/shm",
- Type: "tmpfs",
- Source: "shm",
- Options: []string{"nosuid", "noexec", "nodev", "mode=1777", "size=65536k"},
- },
- {
- Destination: "/dev/mqueue",
- Type: "mqueue",
- Source: "mqueue",
- Options: []string{"nosuid", "noexec", "nodev"},
- },
- {
- Destination: "/sys",
- Type: "sysfs",
- Source: "sysfs",
- Options: []string{"nosuid", "noexec", "nodev", "ro"},
- },
- {
- Destination: "/sys/fs/cgroup",
- Type: "cgroup",
- Source: "cgroup",
- Options: []string{"nosuid", "noexec", "nodev", "relatime", "ro"},
- },
+ },
+ Hostname: "runc",
+ Mounts: []specs.Mount{
+ {
+ Destination: "/proc",
+ Type: "proc",
+ Source: "proc",
+ Options: nil,
+ },
+ {
+ Destination: "/dev",
+ Type: "tmpfs",
+ Source: "tmpfs",
+ Options: []string{"nosuid", "strictatime", "mode=755", "size=65536k"},
+ },
+ {
+ Destination: "/dev/pts",
+ Type: "devpts",
+ Source: "devpts",
+ Options: []string{"nosuid", "noexec", "newinstance", "ptmxmode=0666", "mode=0620", "gid=5"},
+ },
+ {
+ Destination: "/dev/shm",
+ Type: "tmpfs",
+ Source: "shm",
+ Options: []string{"nosuid", "noexec", "nodev", "mode=1777", "size=65536k"},
+ },
+ {
+ Destination: "/dev/mqueue",
+ Type: "mqueue",
+ Source: "mqueue",
+ Options: []string{"nosuid", "noexec", "nodev"},
+ },
+ {
+ Destination: "/sys",
+ Type: "sysfs",
+ Source: "sysfs",
+ Options: []string{"nosuid", "noexec", "nodev", "ro"},
+ },
+ {
+ Destination: "/sys/fs/cgroup",
+ Type: "cgroup",
+ Source: "cgroup",
+ Options: []string{"nosuid", "noexec", "nodev", "relatime", "ro"},
 },
 },
 Linux: specs.Linux{
@@ -135,13 +140,6 @@ var specCommand = cli.Command{
 Type: "mount",
 },
 },
- Rlimits: []specs.Rlimit{
- {
- Type: "RLIMIT_NOFILE",
- Hard: uint64(1024),
- Soft: uint64(1024),
- },
- },
 },
 }
@@ -201,7 +199,7 @@ var mountPropagationMapping = map[string]int{
 // validateSpec validates the fields in the spec
 // TODO: Add validation for other fields where applicable
-func validateSpec(spec *specs.LinuxSpec) error {
+func validateSpec(spec *specs.Spec) error {
 if spec.Process.Cwd == "" {
 return fmt.Errorf("Cwd property must not be empty")
 }
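Review bot: validateSpec, in the `@@ -201` hunk, still checks only `Process.Cwd`, while this commit moves fields between layouts (the `Rlimits` block leaves `Linux` and lands under `Process` in the two hunks above) without ever comparing the loaded bundle's `Version` against the `specs.Version` this binary was built with; a config.json written for the old layout would then decode with the moved fields silently absent if the decoder ignores unknown keys (the decode step is not in this view), giving a container with weaker limits and no error. Adding `if spec.Version != specs.Version {` / `return fmt.Errorf("spec version %q does not match expected %q", spec.Version, specs.Version)` / `}` at the top of validateSpec turns that mismatch into an explicit failure; if minor versions are meant to interoperate, a looser prefix check serves the same purpose. validateSpec's body continues past the end of the hunk, so this may already be handled further down.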
@@ -213,7 +211,7 @@ func validateSpec(spec *specs.LinuxSpec) error {
 // loadSpec loads the specification from the provided path.
 // If the path is empty then the default path will be "config.json"
-func loadSpec(cPath string) (spec *specs.LinuxSpec, err error) {
+func loadSpec(cPath string) (spec *specs.Spec, err error) {
 cf, err := os.Open(cPath)
 if err != nil {
 if os.IsNotExist(err) {
@@ -229,7 +227,7 @@ func loadSpec(cPath string) (spec *specs.LinuxSpec, err error) {
 return spec, validateSpec(spec)
 }
-func createLibcontainerConfig(cgroupName string, spec *specs.LinuxSpec) (*configs.Config, error) {
+func createLibcontainerConfig(cgroupName string, spec *specs.Spec) (*configs.Config, error) {
 // runc's cwd will always be the bundle path
 rcwd, err := os.Getwd()
 if err != nil {
@@ -280,7 +278,7 @@ func createLibcontainerConfig(cgroupName string, spec *specs.LinuxSpec) (*config
 if err := setupUserNamespace(spec, config); err != nil {
 return nil, err
 }
- for _, rlimit := range spec.Linux.Rlimits {
+ for _, rlimit := range spec.Process.Rlimits {
 rl, err := createLibContainerRlimit(rlimit)
 if err != nil {
 return nil, err
@@ -295,11 +293,13 @@ func createLibcontainerConfig(cgroupName string, spec *specs.LinuxSpec) (*config
 // set extra path masking for libcontainer for the various unsafe places in proc
 config.MaskPaths = maskedPaths
 config.ReadonlyPaths = readonlyPaths
- seccomp, err := setupSeccomp(&spec.Linux.Seccomp)
- if err != nil {
- return nil, err
+ if spec.Linux.Seccomp != nil {
+ seccomp, err := setupSeccomp(spec.Linux.Seccomp)
+ if err != nil {
+ return nil, err
+ }
+ config.Seccomp = seccomp
 }
- config.Seccomp = seccomp
 config.Sysctl = spec.Linux.Sysctl
 if oomScoreAdj := spec.Linux.Resources.OOMScoreAdj; oomScoreAdj != nil {
 config.OomScoreAdj = *oomScoreAdj
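Review bot: The nil guard added in the `@@ -295` hunk makes seccomp opt-in: when `spec.Linux.Seccomp` is nil, `config.Seccomp` is simply left at its zero value and no syscall filter is installed, yet nothing in the new lines says that this silence is intended rather than a forgotten branch. A comment on the guard makes the default visible to whoever next reads or tunes this path, e.g. `// Seccomp is optional in the spec; a nil profile means no seccomp filter is installed and the container keeps the unfiltered syscall surface (subject only to the other restrictions configured here).` Previously the filter was always built from `&spec.Linux.Seccomp`, so an operator relying on a profile being present would now get none without any error; the function begins and ends outside this hunk.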
@@ -330,7 +330,7 @@ func createLibcontainerMount(cwd string, m specs.Mount) *configs.Mount {
 }
 }
-func createCgroupConfig(name string, spec *specs.LinuxSpec) (*configs.Cgroup, error) {
+func createCgroupConfig(name string, spec *specs.Spec) (*configs.Cgroup, error) {
 var (
 err error
 myCgroupPath string
@@ -506,7 +506,7 @@ func stringToDeviceRune(s string) (rune, error) {
 }
 }
-func createDevices(spec *specs.LinuxSpec, config *configs.Config) error {
+func createDevices(spec *specs.Spec, config *configs.Config) error {
 // add whitelisted devices
 config.Devices = []*configs.Device{
 {
@@ -591,7 +591,7 @@ func createDevices(spec *specs.LinuxSpec, config *configs.Config) error {
 return nil
 }
-func setupUserNamespace(spec *specs.LinuxSpec, config *configs.Config) error {
+func setupUserNamespace(spec *specs.Spec, config *configs.Config) error {
 if len(spec.Linux.UIDMappings) == 0 {
 return nil
 }
@@ -776,7 +776,7 @@ func setupSeccomp(config *specs.Seccomp) (*configs.Seccomp, error) {
 return newConfig, nil
 }
-func createHooks(rspec *specs.LinuxSpec, config *configs.Config) {
+func createHooks(rspec *specs.Spec, config *configs.Config) {
 config.Hooks = &configs.Hooks{}
 for _, h := range rspec.Hooks.Prestart {
 cmd := configs.Command{
diff --git a/spec_test.go b/spec_test.go
index 6905d301..156ee62c 100644
--- a/spec_test.go
+++ b/spec_test.go
@@ -6,13 +6,13 @@ import (
 "strings"
 "testing"
- "github.com/opencontainers/specs"
+ "github.com/opencontainers/specs/specs-go"
 )
 func TestLinuxCgroupsPathSpecified(t *testing.T) {
 cgroupsPath := "/user/cgroups/path/id"
- spec := &specs.LinuxSpec{}
+ spec := &specs.Spec{}
 spec.Linux.CgroupsPath = &cgroupsPath
 cgroup, err := createCgroupConfig("ContainerID", spec)
@@ -26,7 +26,7 @@ func TestLinuxCgroupsPathSpecified(t *testing.T) {
 }
 func TestLinuxCgroupsPathNotSpecified(t *testing.T) {
- spec := &specs.LinuxSpec{}
+ spec := &specs.Spec{}
 cgroup, err := createCgroupConfig("ContainerID", spec)
 if err != nil {
diff --git a/start.go b/start.go
index ec8f217c..f846bd1e 100644
--- a/start.go
+++ b/start.go
@@ -9,7 +9,7 @@ import (
 "github.com/codegangsta/cli"
 "github.com/coreos/go-systemd/activation"
 "github.com/opencontainers/runc/libcontainer"
- "github.com/opencontainers/specs"
+ "github.com/opencontainers/specs/specs-go"
 )
 // default action is to start a container
@@ -91,7 +91,7 @@ var initCommand = cli.Command{
 },
 }
-func startContainer(context *cli.Context, spec *specs.LinuxSpec) (int, error) {
+func startContainer(context *cli.Context, spec *specs.Spec) (int, error) {
 id := context.Args().First()
 if id == "" {
 return -1, errEmptyID
diff --git a/state.go b/state.go
index eb60aeae..0b1fbc9b 100644
--- a/state.go
+++ b/state.go
@@ -12,7 +12,7 @@ import (
 // cState represents the platform agnostic pieces relating to a running
 // container's status and state. Note: The fields in this structure adhere to
- // the opencontainers/specs requirement for json fields that must be returned
+ // the opencontainers/specs/specs-go requirement for json fields that must be returned
 // in a state command.
 type cState struct {
 // Version is the OCI version for the container
diff --git a/utils.go b/utils.go
index c2cf1f2c..6468c6e6 100644
--- a/utils.go
+++ b/utils.go
@@ -15,7 +15,7 @@ import (
 "github.com/codegangsta/cli"
 "github.com/opencontainers/runc/libcontainer"
 "github.com/opencontainers/runc/libcontainer/configs"
- "github.com/opencontainers/specs"
+ "github.com/opencontainers/specs/specs-go"
 )
 const wildcard = -1
@@ -264,7 +264,7 @@ func dupStdio(process *libcontainer.Process, rootuid int) error {
 // If systemd is supporting sd_notify protocol, this function will add support
 // for sd_notify protocol from within the container.
-func setupSdNotify(spec *specs.LinuxSpec, notifySocket string) {
+func setupSdNotify(spec *specs.Spec, notifySocket string) {
 spec.Mounts = append(spec.Mounts, specs.Mount{Destination: notifySocket, Type: "bind", Source: notifySocket, Options: []string{"bind"}})
 spec.Process.Env = append(spec.Process.Env, fmt.Sprintf("NOTIFY_SOCKET=%s", notifySocket))
 }
@@ -309,7 +309,7 @@ func createPidFile(path string, process *libcontainer.Process) error {
 return err
 }
-func createContainer(context *cli.Context, id string, spec *specs.LinuxSpec) (libcontainer.Container, error) {
+func createContainer(context *cli.Context, id string, spec *specs.Spec) (libcontainer.Container, error) {
 config, err := createLibcontainerConfig(id, spec)
 if err != nil {
 return nil, err