From 0f99c20fd015343ad8536a531c57926002709bfd Mon Sep 17 00:00:00 2001
From: Tonis Tiigi
Date: Tue, 11 Aug 2015 13:50:57 -0700
Subject: [PATCH 1/2] Update specs
Signed-off-by: Tonis Tiigi
---
 Godeps/Godeps.json | 2 +-
 .../opencontainers/specs/.travis.yml | 17 +++
 .../github.com/opencontainers/specs/README.md | 13 +-
 .../opencontainers/specs/config-linux.md | 122 ++++++++++++++++--
 .../opencontainers/specs/implementations.md | 16 +++
 .../opencontainers/specs/spec_linux.go | 56 +++++++-
 6 files changed, 208 insertions(+), 18 deletions(-)
 create mode 100644 Godeps/_workspace/src/github.com/opencontainers/specs/.travis.yml
 create mode 100644 Godeps/_workspace/src/github.com/opencontainers/specs/implementations.md
diff --git a/Godeps/Godeps.json b/Godeps/Godeps.json
index e355c3e7..f7733ac4 100644
--- a/Godeps/Godeps.json
+++ b/Godeps/Godeps.json
@@ -53,7 +53,7 @@
 },
 {
 "ImportPath": "github.com/opencontainers/specs",
- "Rev": "5b31bb2b7771e5074a4eb14eca432da1ca5182d6"
+ "Rev": "da9240a7125f601aef46f66ea615177607b00d39"
 },
 {
 "ImportPath": "github.com/syndtr/gocapability/capability",
diff --git a/Godeps/_workspace/src/github.com/opencontainers/specs/.travis.yml b/Godeps/_workspace/src/github.com/opencontainers/specs/.travis.yml
new file mode 100644
index 00000000..3e0114d8
--- /dev/null
+++ b/Godeps/_workspace/src/github.com/opencontainers/specs/.travis.yml
@@ -0,0 +1,17 @@
+language: go
+go:
+ - 1.4.2
+ - 1.3.3
+
+sudo: false
+
+before_install:
+ - go get golang.org/x/tools/cmd/vet
+ - go get github.com/golang/lint/golint
+
+install: true
+
+script:
+ - go vet -x ./...
+ - $HOME/gopath/bin/golint ./...
+
diff --git a/Godeps/_workspace/src/github.com/opencontainers/specs/README.md b/Godeps/_workspace/src/github.com/opencontainers/specs/README.md
index f5e57d9b..f85d5fff 100644
--- a/Godeps/_workspace/src/github.com/opencontainers/specs/README.md
+++ b/Godeps/_workspace/src/github.com/opencontainers/specs/README.md
@@ -8,6 +8,7 @@ Table of Contents
 - [Container Configuration](config.md)
 - [Linux Specific Configuration](config-linux.md)
 - [Runtime and Lifecycle](runtime.md)
+- [Implementations](implementations.md)
 ## Use Cases
@@ -63,10 +64,16 @@ the `LICENSE` file of this repository.
 ## Weekly Call
 The contributors and maintainers of the project have a weekly meeting Wednesdays at 10:00 AM PST.
-Everyone is welcome to participate in the call. The link to the call will be posted on the mailing
-list each week along with set topics for discussion.
+The link to the call will be posted on the mailing list each week along with set topics for discussion.
+Everyone is welcome to participate in the call, although there can only be speaking members on the Google Hangout.
+Participants who don't get a speaking slot can watch the live broadcast on [this YouTube channel][youtube] and post feedback and questions on [the IRC channel](#irc).
+Everyone is welcome to propose additional topics, suggest other agenda alterations, or request a speaking slot via the mailing list.
 Minutes for the call will be posted to the mailing list for those who are unable to join the call.
+## IRC
+
+OCI discussion happens on #opencontainers on Freenode.
+
 ## Markdown style
 To keep consistency throughout the Markdown files in the Open Container spec all files should be formatted one sentence per line.
@@ -127,3 +134,5 @@ then you just add a line to every git commit message:
 using your real name (sorry, no pseudonyms or anonymous contributions.)
 You can add the sign off when creating the git commit via `git commit -s`.
+
+[youtube]: https://www.youtube.com/channel/UC1wmLdEYmwWcsFg7bt1s5nw
diff --git a/Godeps/_workspace/src/github.com/opencontainers/specs/config-linux.md b/Godeps/_workspace/src/github.com/opencontainers/specs/config-linux.md
index 1927dae5..d6ff6831 100644
--- a/Godeps/_workspace/src/github.com/opencontainers/specs/config-linux.md
+++ b/Godeps/_workspace/src/github.com/opencontainers/specs/config-linux.md 
@@ -55,20 +55,82 @@ within the container.
 ### Access to devices
-Devices is an array specifying the list of devices from the host to make available in the container.
-By providing a device name within the list the runtime should look up the same device on the host's `/dev`
-and collect information about the device node so that it can be recreated for the container. The runtime
-should not only create the device inside the container but ensure that the root user inside
-the container has access rights for the device.
+Devices is an array specifying the list of devices to be created in the container.
+Next parameters can be specified:
+
+* type - type of device: 'c', 'b', 'u' or 'p'. More info in `man mknod`
+* path - full path to device inside container
+* major, minor - major, minor numbers for device. More info in `man mknod`.
+ There is special value: `-1`, which means `*` for `device`
+ cgroup setup.
+* permissions - cgroup permissions for device. A composition of 'r'
+ (read), 'w' (write), and 'm' (mknod).
+* fileMode - file mode for device file
+* uid - uid of device owner
+* gid - gid of device owner
 ```json
 "devices": [
- "null",
- "random",
- "full",
- "tty",
- "zero",
- "urandom"
+ {
+ "path": "/dev/random",
+ "type": "c",
+ "major": 1,
+ "minor": 8,
+ "permissions": "rwm",
+ "fileMode": 0666,
+ "uid": 0,
+ "gid": 0
+ },
+ {
+ "path": "/dev/urandom",
+ "type": "c",
+ "major": 1,
+ "minor": 9,
+ "permissions": "rwm",
+ "fileMode": 0666,
+ "uid": 0,
+ "gid": 0
+ },
+ {
+ "path": "/dev/null",
+ "type": "c",
+ "major": 1,
+ "minor": 3,
+ "permissions": "rwm",
+ "fileMode": 0666,
+ "uid": 0,
+ "gid": 0
+ },
+ {
+ "path": "/dev/zero",
+ "type": "c",
+ "major": 1,
+ "minor": 5,
+ "permissions": "rwm",
+ "fileMode": 0666,
+ "uid": 0,
+ "gid": 0
+ },
+ {
+ "path": "/dev/tty",
+ "type": "c",
+ "major": 5,
+ "minor": 0,
+ "permissions": "rwm",
+ "fileMode": 0666,
+ "uid": 0,
+ "gid": 0
+ },
+ {
+ "path": "/dev/full",
+ "type": "c",
+ "major": 1,
+ "minor": 7,
+ "permissions": "rwm",
+ "fileMode": 0666,
+ "uid": 0,
+ "gid": 0
+ }
 ]
 ```
@@ -81,7 +143,7 @@ the container. For more information, see the [kernel cgroups documentation](http
 ## Linux capabilities
 Capabilities is an array that specifies Linux capabilities that can be provided to the process
-inside the container. Valid values are the string after `CAP_` for capabilities defined
+inside the container. Valid values are the string after `CAP_` for capabilities defined
 in [the man page](http://man7.org/linux/man-pages/man7/capabilities.7.html)
 ```json
@@ -146,7 +208,39 @@ rootfsPropagation sets the rootfs's mount propagation. Its value is either slave
 "rootfsPropagation": "slave",
 ```
-## Security
+## Selinux process label
-**TODO:** security profiles
+Selinux process label specifies the label with which the processes in a container are run.
+For more information about SELinux, see [Selinux documentation](http://selinuxproject.org/page/Main_Page)
+```json
+ "selinuxProcessLabel": "system_u:system_r:svirt_lxc_net_t:s0:c124,c675"
+```
+## Apparmor profile
+
+Apparmor profile specifies the name of the apparmor profile that will be used for the container.
+For more information about Apparmor, see [Apparmor documentation](https://wiki.ubuntu.com/AppArmor)
+
+```json
+ "apparmorProfile": "acme_secure_profile"
+```
+
+## Seccomp
+
+Seccomp provides application sandboxing mechanism in the Linux kernel.
+Seccomp configuration allows one to configure actions to take for matched syscalls and furthermore also allows
+matching on values passed as arguments to syscalls.
+For more information about Seccomp, see [Seccomp kernel documentation](https://www.kernel.org/doc/Documentation/prctl/seccomp_filter.txt)
+The actions and operators are strings that match the definitions in seccomp.h from [libseccomp](https://github.com/seccomp/libseccomp) and are translated to corresponding values.
+
+```json
+ "seccomp": {
+ "defaultAction": "SCMP_ACT_ALLOW",
+ "syscalls": [
+ {
+ "name": "getcwd",
+ "action": "SCMP_ACT_ERRNO"
+ }
+ ]
+ }
+```
diff --git a/Godeps/_workspace/src/github.com/opencontainers/specs/implementations.md b/Godeps/_workspace/src/github.com/opencontainers/specs/implementations.md
new file mode 100644
index 00000000..b9401e5b
--- /dev/null
+++ b/Godeps/_workspace/src/github.com/opencontainers/specs/implementations.md
@@ -0,0 +1,16 @@
+# Implementations
+
+The following sections link to associated projects, some of which are maintained by the OCI and some of which are maintained by external organizations.
+If you know of any associated projects that are not listed here, please file a pull request adding a link to that project.
+
+## Runtime (Container)
+
+* [opencontainers/runc](https://github.com/opencontainers/runc) - Reference implementation of OCI runtime
+
+## Runtime (Virtual Machine)
+
+* [hyperhq/runv](https://github.com/hyperhq/runv) - Hypervisor-based runtime for OCI
+
+## Testing
+
+* [huawei-openlab/oct](https://github.com/huawei-openlab/oct) - Open Container Testing framework for OCI configuration and runtime
diff --git a/Godeps/_workspace/src/github.com/opencontainers/specs/spec_linux.go b/Godeps/_workspace/src/github.com/opencontainers/specs/spec_linux.go
index 3c82db4b..9319c99a 100644
--- a/Godeps/_workspace/src/github.com/opencontainers/specs/spec_linux.go
+++ b/Godeps/_workspace/src/github.com/opencontainers/specs/spec_linux.go
@@ -2,6 +2,8 @@
 package specs
+import "os"
+
 // LinuxSpec is the full specification for Linux containers
 type LinuxSpec struct {
 Spec
@@ -27,7 +29,13 @@ type Linux struct {
 // Capabilities are Linux capabilities that are kept for the container
 Capabilities []string `json:"capabilities"`
 // Devices are a list of device nodes that are created and enabled for the container
- Devices []string `json:"devices"`
+ Devices []Device `json:"devices"`
+ // ApparmorProfile specified the apparmor profile for the container.
+ ApparmorProfile string `json:"apparmorProfile"`
+ // SelinuxProcessLabel specifies the selinux context that the container process is run as.
+ SelinuxProcessLabel string `json:"selinuxProcessLabel"`
+ // Seccomp specifies the seccomp security settings for the container.
+ Seccomp Seccomp `json:"seccomp"`
 // RootfsPropagation is the rootfs mount propagation mode for the container
 RootfsPropagation string `json:"rootfsPropagation"`
 }
@@ -157,3 +165,49 @@ type Resources struct {
 // Network restriction configuration
 Network Network `json:"network"`
 }
+
+type Device struct {
+ // Device type, block, char, etc.
+ Type rune `json:"type"`
+ // Path to the device.
+ Path string `json:"path"`
+ // Major is the device's major number.
+ Major int64 `json:"major"`
+ // Minor is the device's minor number.
+ Minor int64 `json:"minor"`
+ // Cgroup permissions format, rwm.
+ Permissions string `json:"permissions"`
+ // FileMode permission bits for the device.
+ FileMode os.FileMode `json:"fileMode"`
+ // UID of the device.
+ UID uint32 `json:"uid"`
+ // Gid of the device.
+ GID uint32 `json:"gid"`
+}
+
+// Seccomp represents syscall restrictions
+type Seccomp struct {
+ DefaultAction Action `json:"defaultAction"`
+ Syscalls []*Syscall `json:"syscalls"`
+}
+
+// Action taken upon Seccomp rule match
+type Action string
+
+// Operator used to match syscall arguments in Seccomp
+type Operator string
+
+// Arg used for matching specific syscall arguments in Seccomp
+type Arg struct {
+ Index uint `json:"index"`
+ Value uint64 `json:"value"`
+ ValueTwo uint64 `json:"valueTwo"`
+ Op Operator `json:"op"`
+}
+
+// Syscall is used to match a syscall in Seccomp
+type Syscall struct {
+ Name string `json:"name"`
+ Action Action `json:"action"`
+ Args []*Arg `json:"args"`
+}
From b5eed4a246377fc11294a8dd9951f8660049a106 Mon Sep 17 00:00:00 2001
From: Tonis Tiigi
Date: Tue, 11 Aug 2015 14:24:00 -0700
Subject: [PATCH 2/2] Update runc to use device structs from updated spec
Signed-off-by: Tonis Tiigi
---
 spec.go | 85 ++++++++++++++++++++++++++++++++++++++++++++++++---------
 1 file changed, 72 insertions(+), 13 deletions(-)
diff --git a/spec.go b/spec.go
index 444bc625..89633b0b 100644
--- a/spec.go
+++ b/spec.go
@@ -15,7 +15,6 @@ import (
 "github.com/codegangsta/cli"
 "github.com/opencontainers/runc/libcontainer/cgroups"
 "github.com/opencontainers/runc/libcontainer/configs"
- "github.com/opencontainers/runc/libcontainer/devices"
 "github.com/opencontainers/specs"
 )
@@ -114,13 +113,67 @@ var specCommand = cli.Command{
 "KILL",
 "NET_BIND_SERVICE",
 },
- Devices: []string{
- "null",
- "random",
- "full",
- "tty",
- "zero",
- "urandom",
+ Devices: []specs.Device{
+ {
+ Type: 'c',
+ Path: "/dev/null",
+ Major: 1,
+ Minor: 3,
+ Permissions: "rwm",
+ FileMode: 0666,
+ UID: 0,
+ GID: 0,
+ },
+ {
+ Type: 'c',
+ Path: "/dev/random",
+ Major: 1,
+ Minor: 8,
+ Permissions: "rwm",
+ FileMode: 0666,
+ UID: 0,
+ GID: 0,
+ },
+ {
+ Type: 'c',
+ Path: "/dev/full",
+ Major: 1,
+ Minor: 7,
+ Permissions: "rwm",
+ FileMode: 0666,
+ UID: 0,
+ GID: 0,
+ },
+ {
+ Type: 'c',
+ Path: "/dev/tty",
+ Major: 5,
+ Minor: 0,
+ Permissions: "rwm",
+ FileMode: 0666,
+ UID: 0,
+ GID: 0,
+ },
+ {
+ Type: 'c',
+ Path: "/dev/zero",
+ Major: 1,
+ Minor: 5,
+ Permissions: "rwm",
+ FileMode: 0666,
+ UID: 0,
+ GID: 0,
+ },
+ {
+ Type: 'c',
+ Path: "/dev/urandom",
+ Major: 1,
+ Minor: 9,
+ Permissions: "rwm",
+ FileMode: 0666,
+ UID: 0,
+ GID: 0,
+ },
 },
 Resources: specs.Resources{
 Memory: specs.Memory{
@@ -297,12 +350,18 @@ func createCgroupConfig(name string, spec *specs.LinuxSpec, devices []*configs.D
 }
 func createDevices(spec *specs.LinuxSpec, config *configs.Config) error {
- for _, name := range spec.Linux.Devices {
- d, err := devices.DeviceFromPath(filepath.Join("/dev", name), "rwm")
- if err != nil {
- return err
+ for _, d := range spec.Linux.Devices {
+ device := &configs.Device{
+ Type: d.Type,
+ Path: d.Path,
+ Major: d.Major,
+ Minor: d.Minor,
+ Permissions: d.Permissions,
+ FileMode: d.FileMode,
+ Uid: d.UID,
+ Gid: d.GID,
 }
- config.Devices = append(config.Devices, d)
+ config.Devices = append(config.Devices, device)
 }
 return nil
 }
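Review bot: `Type: 'c'` in each default device entry will be written out as the number 99, because specs.Device.Type is declared as `rune` (an alias for int32) in the vendored spec_linux.go of this series and encoding/json has no special case for rune, so the JSON this command emits reads `"type": 99` while config-linux.md in the same series documents `"type": "c"`; conversely a hand-written config that follows the documentation fails to decode into this struct. The real fix belongs in the spec type (a string type, or Marshal/UnmarshalJSON on Device) rather than in this literal, so until that lands a comment above `Devices: []specs.Device{` would spare the next reader the surprise: `// NOTE: specs.Device.Type is a rune; encoding/json emits it as an int (99 for 'c'), not the "c" shown in config-linux.md.` The specCommand literal starts and ends outside the hunk.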
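Review bot: createDevices now copies every field of a spec device into configs.Device without checking any of them, whereas the removed code derived Type, Major, Minor and FileMode from an existing node under /dev via devices.DeviceFromPath; the spec file is operator-supplied input, so an entry with an unknown Type, a relative Path or a Permissions string outside r/w/m now flows straight into node creation and the device cgroup, with whatever error surfaces later, if any. Rejecting malformed entries at config load with a clear error keeps the trust boundary where the file is read, as sketched below (assumes fmt, strings and path/filepath are imported in spec.go; the import hunk above does not show them). config-linux.md also documents -1 as a cgroup wildcard for major/minor, so it is worth confirming that configs.Device gives -1 that meaning rather than handing it to mknod.

```go
	for _, d := range spec.Linux.Devices {
		// The spec is operator input: validate it before it reaches mknod or the device cgroup.
		switch d.Type {
		case 'c', 'b', 'u', 'p':
		default:
			return fmt.Errorf("device %q: unsupported type %q", d.Path, d.Type)
		}
		if !filepath.IsAbs(d.Path) {
			return fmt.Errorf("device %q: path must be absolute", d.Path)
		}
		if strings.Trim(d.Permissions, "rwm") != "" {
			return fmt.Errorf("device %q: invalid cgroup permissions %q", d.Path, d.Permissions)
		}
		// … unchanged: configs.Device construction and append …
	}
```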