Merge pull request #193 from tonistiigi/update-device-specs
Update device specs
commit
d6ae10ada4
|
@ -53,7 +53,7 @@
|
|||
},
|
||||
{
|
||||
"ImportPath": "github.com/opencontainers/specs",
|
||||
"Rev": "5b31bb2b7771e5074a4eb14eca432da1ca5182d6"
|
||||
"Rev": "da9240a7125f601aef46f66ea615177607b00d39"
|
||||
},
|
||||
{
|
||||
"ImportPath": "github.com/syndtr/gocapability/capability",
|
||||
|
|
|
@ -0,0 +1,17 @@
|
|||
language: go
|
||||
go:
|
||||
- 1.4.2
|
||||
- 1.3.3
|
||||
|
||||
sudo: false
|
||||
|
||||
before_install:
|
||||
- go get golang.org/x/tools/cmd/vet
|
||||
- go get github.com/golang/lint/golint
|
||||
|
||||
install: true
|
||||
|
||||
script:
|
||||
- go vet -x ./...
|
||||
- $HOME/gopath/bin/golint ./...
|
||||
|
|
@ -8,6 +8,7 @@ Table of Contents
|
|||
- [Container Configuration](config.md)
|
||||
- [Linux Specific Configuration](config-linux.md)
|
||||
- [Runtime and Lifecycle](runtime.md)
|
||||
- [Implementations](implementations.md)
|
||||
|
||||
## Use Cases
|
||||
|
||||
|
@ -63,10 +64,16 @@ the `LICENSE` file of this repository.
|
|||
## Weekly Call
|
||||
|
||||
The contributors and maintainers of the project have a weekly meeting Wednesdays at 10:00 AM PST.
|
||||
Everyone is welcome to participate in the call. The link to the call will be posted on the mailing
|
||||
list each week along with set topics for discussion.
|
||||
The link to the call will be posted on the mailing list each week along with set topics for discussion.
|
||||
Everyone is welcome to participate in the call, although there can only be speaking members on the Google Hangout.
|
||||
Participants who don't get a speaking slot can watch the live broadcast on [this YouTube channel][youtube] and post feedback and questions on [the IRC channel](#irc).
|
||||
Everyone is welcome to propose additional topics, suggest other agenda alterations, or request a speaking slot via the mailing list.
|
||||
Minutes for the call will be posted to the mailing list for those who are unable to join the call.
|
||||
|
||||
## IRC
|
||||
|
||||
OCI discussion happens on #opencontainers on Freenode.
|
||||
|
||||
## Markdown style
|
||||
|
||||
To keep consistency throughout the Markdown files in the Open Container spec all files should be formatted one sentence per line.
|
||||
|
@ -127,3 +134,5 @@ then you just add a line to every git commit message:
|
|||
using your real name (sorry, no pseudonyms or anonymous contributions.)
|
||||
|
||||
You can add the sign off when creating the git commit via `git commit -s`.
|
||||
|
||||
[youtube]: https://www.youtube.com/channel/UC1wmLdEYmwWcsFg7bt1s5nw
|
||||
|
|
|
@ -55,20 +55,82 @@ within the container.
|
|||
|
||||
### Access to devices
|
||||
|
||||
Devices is an array specifying the list of devices from the host to make available in the container.
|
||||
By providing a device name within the list the runtime should look up the same device on the host's `/dev`
|
||||
and collect information about the device node so that it can be recreated for the container. The runtime
|
||||
should not only create the device inside the container but ensure that the root user inside
|
||||
the container has access rights for the device.
|
||||
Devices is an array specifying the list of devices to be created in the container.
|
||||
Next parameters can be specified:
|
||||
|
||||
* type - type of device: 'c', 'b', 'u' or 'p'. More info in `man mknod`
|
||||
* path - full path to device inside container
|
||||
* major, minor - major, minor numbers for device. More info in `man mknod`.
|
||||
There is special value: `-1`, which means `*` for `device`
|
||||
cgroup setup.
|
||||
* permissions - cgroup permissions for device. A composition of 'r'
|
||||
(read), 'w' (write), and 'm' (mknod).
|
||||
* fileMode - file mode for device file
|
||||
* uid - uid of device owner
|
||||
* gid - gid of device owner
|
||||
|
||||
```json
|
||||
"devices": [
|
||||
"null",
|
||||
"random",
|
||||
"full",
|
||||
"tty",
|
||||
"zero",
|
||||
"urandom"
|
||||
{
|
||||
"path": "/dev/random",
|
||||
"type": "c",
|
||||
"major": 1,
|
||||
"minor": 8,
|
||||
"permissions": "rwm",
|
||||
"fileMode": 0666,
|
||||
"uid": 0,
|
||||
"gid": 0
|
||||
},
|
||||
{
|
||||
"path": "/dev/urandom",
|
||||
"type": "c",
|
||||
"major": 1,
|
||||
"minor": 9,
|
||||
"permissions": "rwm",
|
||||
"fileMode": 0666,
|
||||
"uid": 0,
|
||||
"gid": 0
|
||||
},
|
||||
{
|
||||
"path": "/dev/null",
|
||||
"type": "c",
|
||||
"major": 1,
|
||||
"minor": 3,
|
||||
"permissions": "rwm",
|
||||
"fileMode": 0666,
|
||||
"uid": 0,
|
||||
"gid": 0
|
||||
},
|
||||
{
|
||||
"path": "/dev/zero",
|
||||
"type": "c",
|
||||
"major": 1,
|
||||
"minor": 5,
|
||||
"permissions": "rwm",
|
||||
"fileMode": 0666,
|
||||
"uid": 0,
|
||||
"gid": 0
|
||||
},
|
||||
{
|
||||
"path": "/dev/tty",
|
||||
"type": "c",
|
||||
"major": 5,
|
||||
"minor": 0,
|
||||
"permissions": "rwm",
|
||||
"fileMode": 0666,
|
||||
"uid": 0,
|
||||
"gid": 0
|
||||
},
|
||||
{
|
||||
"path": "/dev/full",
|
||||
"type": "c",
|
||||
"major": 1,
|
||||
"minor": 7,
|
||||
"permissions": "rwm",
|
||||
"fileMode": 0666,
|
||||
"uid": 0,
|
||||
"gid": 0
|
||||
}
|
||||
]
|
||||
```
|
||||
|
||||
|
@ -81,7 +143,7 @@ the container. For more information, see the [kernel cgroups documentation](http
|
|||
## Linux capabilities
|
||||
|
||||
Capabilities is an array that specifies Linux capabilities that can be provided to the process
|
||||
inside the container. Valid values are the string after `CAP_` for capabilities defined
|
||||
inside the container. Valid values are the string after `CAP_` for capabilities defined
|
||||
in [the man page](http://man7.org/linux/man-pages/man7/capabilities.7.html)
|
||||
|
||||
```json
|
||||
|
@ -146,7 +208,39 @@ rootfsPropagation sets the rootfs's mount propagation. Its value is either slave
|
|||
"rootfsPropagation": "slave",
|
||||
```
|
||||
|
||||
## Security
|
||||
## Selinux process label
|
||||
|
||||
**TODO:** security profiles
|
||||
Selinux process label specifies the label with which the processes in a container are run.
|
||||
For more information about SELinux, see [Selinux documentation](http://selinuxproject.org/page/Main_Page)
|
||||
```json
|
||||
"selinuxProcessLabel": "system_u:system_r:svirt_lxc_net_t:s0:c124,c675"
|
||||
```
|
||||
|
||||
## Apparmor profile
|
||||
|
||||
Apparmor profile specifies the name of the apparmor profile that will be used for the container.
|
||||
For more information about Apparmor, see [Apparmor documentation](https://wiki.ubuntu.com/AppArmor)
|
||||
|
||||
```json
|
||||
"apparmorProfile": "acme_secure_profile"
|
||||
```
|
||||
|
||||
## Seccomp
|
||||
|
||||
Seccomp provides application sandboxing mechanism in the Linux kernel.
|
||||
Seccomp configuration allows one to configure actions to take for matched syscalls and furthermore also allows
|
||||
matching on values passed as arguments to syscalls.
|
||||
For more information about Seccomp, see [Seccomp kernel documentation](https://www.kernel.org/doc/Documentation/prctl/seccomp_filter.txt)
|
||||
The actions and operators are strings that match the definitions in seccomp.h from [libseccomp](https://github.com/seccomp/libseccomp) and are translated to corresponding values.
|
||||
|
||||
```json
|
||||
"seccomp": {
|
||||
"defaultAction": "SCMP_ACT_ALLOW",
|
||||
"syscalls": [
|
||||
{
|
||||
"name": "getcwd",
|
||||
"action": "SCMP_ACT_ERRNO"
|
||||
}
|
||||
]
|
||||
}
|
||||
```
|
||||
|
|
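--- a/Godeps/_workspace/src/github.com/opencontainers/specs/implementations.md
+++ b/Godeps/_workspace/src/github.com/opencontainers/specs/implementations.md
@@ -0,0 +1,16 @@
+# Implementations
+
+The following sections link to associated projects, some of which are maintained by the OCI and some of which are maintained by external organizations.
+If you know of any associated projects that are not listed here, please file a pull request adding a link to that project.
+
+## Runtime (Container)
+
+* [opencontainers/runc](https://github.com/opencontainers/runc) - Reference implementation of OCI runtime
+
+## Runtime (Virtual Machine)
+
+* [hyperhq/runv](https://github.com/hyperhq/runv) - Hypervisor-based runtime for OCI
+
+## Testing
+
+* [huawei-openlab/oct](https://github.com/huawei-openlab/oct) - Open Container Testing framework for OCI configuration and runtime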
|
@ -2,6 +2,8 @@
|
|||
|
||||
package specs
|
||||
|
||||
import "os"
|
||||
|
||||
// LinuxSpec is the full specification for Linux containers
|
||||
type LinuxSpec struct {
|
||||
Spec
|
||||
|
@ -27,7 +29,13 @@ type Linux struct {
|
|||
// Capabilities are Linux capabilities that are kept for the container
|
||||
Capabilities []string `json:"capabilities"`
|
||||
// Devices are a list of device nodes that are created and enabled for the container
|
||||
Devices []string `json:"devices"`
|
||||
Devices []Device `json:"devices"`
|
||||
// ApparmorProfile specified the apparmor profile for the container.
|
||||
ApparmorProfile string `json:"apparmorProfile"`
|
||||
// SelinuxProcessLabel specifies the selinux context that the container process is run as.
|
||||
SelinuxProcessLabel string `json:"selinuxProcessLabel"`
|
||||
// Seccomp specifies the seccomp security settings for the container.
|
||||
Seccomp Seccomp `json:"seccomp"`
|
||||
// RootfsPropagation is the rootfs mount propagation mode for the container
|
||||
RootfsPropagation string `json:"rootfsPropagation"`
|
||||
}
|
||||
|
@ -157,3 +165,49 @@ type Resources struct {
|
|||
// Network restriction configuration
|
||||
Network Network `json:"network"`
|
||||
}
|
||||
|
||||
type Device struct {
|
||||
// Device type, block, char, etc.
|
||||
Type rune `json:"type"`
|
||||
// Path to the device.
|
||||
Path string `json:"path"`
|
||||
// Major is the device's major number.
|
||||
Major int64 `json:"major"`
|
||||
// Minor is the device's minor number.
|
||||
Minor int64 `json:"minor"`
|
||||
// Cgroup permissions format, rwm.
|
||||
Permissions string `json:"permissions"`
|
||||
// FileMode permission bits for the device.
|
||||
FileMode os.FileMode `json:"fileMode"`
|
||||
// UID of the device.
|
||||
UID uint32 `json:"uid"`
|
||||
// Gid of the device.
|
||||
GID uint32 `json:"gid"`
|
||||
}
|
||||
|
||||
// Seccomp represents syscall restrictions
|
||||
type Seccomp struct {
|
||||
DefaultAction Action `json:"defaultAction"`
|
||||
Syscalls []*Syscall `json:"syscalls"`
|
||||
}
|
||||
|
||||
// Action taken upon Seccomp rule match
|
||||
type Action string
|
||||
|
||||
// Operator used to match syscall arguments in Seccomp
|
||||
type Operator string
|
||||
|
||||
// Arg used for matching specific syscall arguments in Seccomp
|
||||
type Arg struct {
|
||||
Index uint `json:"index"`
|
||||
Value uint64 `json:"value"`
|
||||
ValueTwo uint64 `json:"valueTwo"`
|
||||
Op Operator `json:"op"`
|
||||
}
|
||||
|
||||
// Syscall is used to match a syscall in Seccomp
|
||||
type Syscall struct {
|
||||
Name string `json:"name"`
|
||||
Action Action `json:"action"`
|
||||
Args []*Arg `json:"args"`
|
||||
}
|
||||
|
|
85
spec.go
|
@ -15,7 +15,6 @@ import (
|
|||
"github.com/codegangsta/cli"
|
||||
"github.com/opencontainers/runc/libcontainer/cgroups"
|
||||
"github.com/opencontainers/runc/libcontainer/configs"
|
||||
"github.com/opencontainers/runc/libcontainer/devices"
|
||||
"github.com/opencontainers/specs"
|
||||
)
|
||||
|
||||
|
@ -114,13 +113,67 @@ var specCommand = cli.Command{
|
|||
"KILL",
|
||||
"NET_BIND_SERVICE",
|
||||
},
|
||||
Devices: []string{
|
||||
"null",
|
||||
"random",
|
||||
"full",
|
||||
"tty",
|
||||
"zero",
|
||||
"urandom",
|
||||
Devices: []specs.Device{
|
||||
{
|
||||
Type: 'c',
|
||||
Path: "/dev/null",
|
||||
Major: 1,
|
||||
Minor: 3,
|
||||
Permissions: "rwm",
|
||||
FileMode: 0666,
|
||||
UID: 0,
|
||||
GID: 0,
|
||||
},
|
||||
{
|
||||
Type: 'c',
|
||||
Path: "/dev/random",
|
||||
Major: 1,
|
||||
Minor: 8,
|
||||
Permissions: "rwm",
|
||||
FileMode: 0666,
|
||||
UID: 0,
|
||||
GID: 0,
|
||||
},
|
||||
{
|
||||
Type: 'c',
|
||||
Path: "/dev/full",
|
||||
Major: 1,
|
||||
Minor: 7,
|
||||
Permissions: "rwm",
|
||||
FileMode: 0666,
|
||||
UID: 0,
|
||||
GID: 0,
|
||||
},
|
||||
{
|
||||
Type: 'c',
|
||||
Path: "/dev/tty",
|
||||
Major: 5,
|
||||
Minor: 0,
|
||||
Permissions: "rwm",
|
||||
FileMode: 0666,
|
||||
UID: 0,
|
||||
GID: 0,
|
||||
},
|
||||
{
|
||||
Type: 'c',
|
||||
Path: "/dev/zero",
|
||||
Major: 1,
|
||||
Minor: 5,
|
||||
Permissions: "rwm",
|
||||
FileMode: 0666,
|
||||
UID: 0,
|
||||
GID: 0,
|
||||
},
|
||||
{
|
||||
Type: 'c',
|
||||
Path: "/dev/urandom",
|
||||
Major: 1,
|
||||
Minor: 9,
|
||||
Permissions: "rwm",
|
||||
FileMode: 0666,
|
||||
UID: 0,
|
||||
GID: 0,
|
||||
},
|
||||
},
|
||||
Resources: specs.Resources{
|
||||
Memory: specs.Memory{
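Review bot: `Type: 'c'` on the new specs.Device literals is a rune, so if specCommand serializes this with encoding/json (its body continues outside the hunk) the written spec carries `"type": 99` rather than the `"type": "c"` documented in config-linux.md in this same commit, and a spec written the documented way cannot be read back, because encoding/json will not decode a JSON string into an int32; `FileMode: 0666` likewise comes out as `438`. The Device type lives in the vendored specs package, so the type change itself belongs upstream, but the default spec this command emits is where users will first hit the mismatch and it is worth a comment here until that lands. As a point of style, the six literals repeat ten identical lines each; a small helper keeps the path, major and minor as the only varying data.
```go
// charDev builds a default-spec entry for a character device: root-owned,
// mode 0666, full rwm cgroup access. Type is a rune in specs.Device, so
// encoding/json emits it as 99, not "c"; see config-linux.md.
func charDev(path string, major, minor int64) specs.Device {
	return specs.Device{
		Type:        'c',
		Path:        path,
		Major:       major,
		Minor:       minor,
		Permissions: "rwm",
		FileMode:    0666,
	}
}

// … unchanged: rest of specCommand up to Capabilities …
			Devices: []specs.Device{
				charDev("/dev/null", 1, 3),
				charDev("/dev/random", 1, 8),
				charDev("/dev/full", 1, 7),
				charDev("/dev/tty", 5, 0),
				charDev("/dev/zero", 1, 5),
				charDev("/dev/urandom", 1, 9),
			},
// … unchanged: Resources and the remainder of specCommand …
```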
|
||||
|
@ -297,12 +350,18 @@ func createCgroupConfig(name string, spec *specs.LinuxSpec, devices []*configs.D
|
|||
}
|
||||
|
||||
func createDevices(spec *specs.LinuxSpec, config *configs.Config) error {
|
||||
for _, name := range spec.Linux.Devices {
|
||||
d, err := devices.DeviceFromPath(filepath.Join("/dev", name), "rwm")
|
||||
if err != nil {
|
||||
return err
|
||||
for _, d := range spec.Linux.Devices {
|
||||
device := &configs.Device{
|
||||
Type: d.Type,
|
||||
Path: d.Path,
|
||||
Major: d.Major,
|
||||
Minor: d.Minor,
|
||||
Permissions: d.Permissions,
|
||||
FileMode: d.FileMode,
|
||||
Uid: d.UID,
|
||||
Gid: d.GID,
|
||||
}
|
||||
config.Devices = append(config.Devices, d)
|
||||
config.Devices = append(config.Devices, device)
|
||||
}
|
||||
return nil
|
||||
}
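Review bot: createDevices now copies every field of spec.Linux.Devices into configs.Device unchecked, whereas the removed devices.DeviceFromPath call at least pinned the path under /dev and took the node type and numbers from the host; a spec can now supply any Type rune, a relative or empty Path, or a Permissions string with characters outside rwm, and the error surfaces only later from mknod or the cgroup layer, if at all. The spec file is input the runtime should validate at this boundary, so I would reject an empty or non-absolute Path, a Type other than the documented 'c', 'b', 'u', 'p', and Permissions outside "rwm" before building the configs.Device. This assumes fmt and strings are imported in spec.go, which the partly visible import hunk does not show.
```go
func createDevices(spec *specs.LinuxSpec, config *configs.Config) error {
	for _, d := range spec.Linux.Devices {
		// The spec is input to the runtime, not something it generated;
		// refuse entries the kernel or cgroup layer would not accept.
		if d.Path == "" || !filepath.IsAbs(d.Path) {
			return fmt.Errorf("device path %q must be absolute", d.Path)
		}
		switch d.Type {
		case 'c', 'b', 'u', 'p':
		default:
			return fmt.Errorf("unsupported device type %q for %s", d.Type, d.Path)
		}
		if strings.Trim(d.Permissions, "rwm") != "" {
			return fmt.Errorf("invalid device permissions %q for %s", d.Permissions, d.Path)
		}
		// … unchanged: configs.Device construction and append …
	}
	return nil
}
```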
|
||||
|
|