Documentation

Overview
Package specconv implements conversion of specifications to libcontainer configurations
Index
- Variables
- func CreateCgroupConfig(opts *CreateOpts, defaultDevs []*devices.Device) (*configs.Cgroup, error)
- func CreateLibcontainerConfig(opts *CreateOpts) (*configs.Config, error)
- func Example() *specs.Spec
- func SetupSeccomp(config *specs.LinuxSeccomp) (*configs.Seccomp, error)
- func ToRootless(spec *specs.Spec)
- type CreateOpts
Constants
This section is empty.
Variables
var AllowedDevices = []*devices.Device{
	{
		Rule: devices.Rule{
			Type:        devices.CharDevice,
			Major:       devices.Wildcard,
			Minor:       devices.Wildcard,
			Permissions: "m",
			Allow:       true,
		},
	},
	{
		Rule: devices.Rule{
			Type:        devices.BlockDevice,
			Major:       devices.Wildcard,
			Minor:       devices.Wildcard,
			Permissions: "m",
			Allow:       true,
		},
	},
	{
		Path:     "/dev/null",
		FileMode: 0666,
		Uid:      0,
		Gid:      0,
		Rule: devices.Rule{
			Type:        devices.CharDevice,
			Major:       1,
			Minor:       3,
			Permissions: "rwm",
			Allow:       true,
		},
	},
	{
		Path:     "/dev/random",
		FileMode: 0666,
		Uid:      0,
		Gid:      0,
		Rule: devices.Rule{
			Type:        devices.CharDevice,
			Major:       1,
			Minor:       8,
			Permissions: "rwm",
			Allow:       true,
		},
	},
	{
		Path:     "/dev/full",
		FileMode: 0666,
		Uid:      0,
		Gid:      0,
		Rule: devices.Rule{
			Type:        devices.CharDevice,
			Major:       1,
			Minor:       7,
			Permissions: "rwm",
			Allow:       true,
		},
	},
	{
		Path:     "/dev/tty",
		FileMode: 0666,
		Uid:      0,
		Gid:      0,
		Rule: devices.Rule{
			Type:        devices.CharDevice,
			Major:       5,
			Minor:       0,
			Permissions: "rwm",
			Allow:       true,
		},
	},
	{
		Path:     "/dev/zero",
		FileMode: 0666,
		Uid:      0,
		Gid:      0,
		Rule: devices.Rule{
			Type:        devices.CharDevice,
			Major:       1,
			Minor:       5,
			Permissions: "rwm",
			Allow:       true,
		},
	},
	{
		Path:     "/dev/urandom",
		FileMode: 0666,
		Uid:      0,
		Gid:      0,
		Rule: devices.Rule{
			Type:        devices.CharDevice,
			Major:       1,
			Minor:       9,
			Permissions: "rwm",
			Allow:       true,
		},
	},
	{
		Rule: devices.Rule{
			Type:        devices.CharDevice,
			Major:       136,
			Minor:       devices.Wildcard,
			Permissions: "rwm",
			Allow:       true,
		},
	},
	{
		Rule: devices.Rule{
			Type:        devices.CharDevice,
			Major:       5,
			Minor:       2,
			Permissions: "rwm",
			Allow:       true,
		},
	},
	{
		Rule: devices.Rule{
			Type:        devices.CharDevice,
			Major:       10,
			Minor:       200,
			Permissions: "rwm",
			Allow:       true,
		},
	},
}
AllowedDevices is the set of devices which are automatically included for all containers.
XXX (cyphar)
This behaviour is at the very least "questionable" (if not outright wrong) according to the runtime-spec. Yes, we have to include certain devices other than the ones the user specifies, but several devices listed here are not part of the spec (including "mknod for any device"?!). In addition, these rules are appended to the user-provided set which means that users *cannot disable this behaviour*. ... unfortunately I'm too scared to change this now because who knows how many people depend on this (incorrect and arguably insecure) behaviour.
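The practical consequence of the comment above is that a deny rule written by the user for one of these devices is cancelled by the default allow rule appended after it. The following is an added example, not code from this package or from runc: it is a small stand-alone model of device-rule evaluation (rules applied in listed order, later rules overriding earlier ones per permission bit, starting from nothing allowed; that ordering model is an assumption of the example) with a subset of the page's AllowedDevices copied in as DefaultRules. The Rule, DevType, EffectivePerms, WithDefaults and AuditDenies names are the example's own, not identifiers from the package.

```go
package main

import "fmt"

// DevType mirrors the Type field of devices.Rule on the page ('c' or 'b').
// Assumption: this toy reproduces the matching semantics of the real type in
// github.com/opencontainers/runc/libcontainer/devices, which is not imported.
type DevType rune

const (
	CharDevice  DevType = 'c'
	BlockDevice DevType = 'b'
	Wildcard    int64   = -1 // matches any major or minor number
)

// Rule is a simplified stand-in for devices.Rule with the same field names.
type Rule struct {
	Type        DevType
	Major       int64
	Minor       int64
	Permissions string // any subset of "rwm": read, write, mknod
	Allow       bool
}

// DefaultRules is a subset of the page's AllowedDevices, copied here so the
// example runs without the runc module: mknod for every char and block device,
// full access to /dev/null (1:3), all pty slaves (136:*) and 10:200 (/dev/net/tun).
var DefaultRules = []Rule{
	{Type: CharDevice, Major: Wildcard, Minor: Wildcard, Permissions: "m", Allow: true},
	{Type: BlockDevice, Major: Wildcard, Minor: Wildcard, Permissions: "m", Allow: true},
	{Type: CharDevice, Major: 1, Minor: 3, Permissions: "rwm", Allow: true},
	{Type: CharDevice, Major: 136, Minor: Wildcard, Permissions: "rwm", Allow: true},
	{Type: CharDevice, Major: 10, Minor: 200, Permissions: "rwm", Allow: true},
}

func (r Rule) matches(t DevType, major, minor int64) bool {
	return r.Type == t &&
		(r.Major == Wildcard || r.Major == major) &&
		(r.Minor == Wildcard || r.Minor == minor)
}

// EffectivePerms applies the rules in listed order; each matching rule sets or
// clears the permission bits it names, and the starting state is "nothing
// allowed". The result is the granted subset of "rwm" for one device.
func EffectivePerms(rules []Rule, t DevType, major, minor int64) string {
	granted := map[rune]bool{}
	for _, r := range rules {
		if !r.matches(t, major, minor) {
			continue
		}
		for _, p := range r.Permissions {
			granted[p] = r.Allow
		}
	}
	out := ""
	for _, p := range "rwm" {
		if granted[p] {
			out += string(p)
		}
	}
	return out
}

// WithDefaults reproduces the ordering the page describes: the defaults are
// appended after the user-provided rules, so they win any overlap.
func WithDefaults(user []Rule) []Rule {
	return append(append([]Rule{}, user...), DefaultRules...)
}

// AuditDenies reports each user deny rule for a specific device whose effect is
// undone once the defaults are appended. Wildcard denies are skipped because a
// single-device check cannot cover them.
func AuditDenies(user []Rule) []string {
	var findings []string
	for _, r := range user {
		if r.Allow || r.Major == Wildcard || r.Minor == Wildcard {
			continue
		}
		got := EffectivePerms(WithDefaults(user), r.Type, r.Major, r.Minor)
		if got != "" {
			findings = append(findings, fmt.Sprintf("%c %d:%d: user denied %q, defaults re-grant %q",
				r.Type, r.Major, r.Minor, r.Permissions, got))
		}
	}
	return findings
}

func main() {
	// Constructed input: a user config that tries to deny /dev/null entirely.
	user := []Rule{{Type: CharDevice, Major: 1, Minor: 3, Permissions: "rwm", Allow: false}}
	fmt.Println("user rules only:", EffectivePerms(user, CharDevice, 1, 3))
	fmt.Println("with defaults:  ", EffectivePerms(WithDefaults(user), CharDevice, 1, 3))
	for _, f := range AuditDenies(user) {
		fmt.Println("finding:", f)
	}
}
```

Running AuditDenies over a spec's device list before handing it to CreateCgroupConfig is one way to surface, at deploy time, which user denies the appended defaults will silently cancel.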
Functions

func CreateCgroupConfig
func CreateCgroupConfig(opts *CreateOpts, defaultDevs []*devices.Device) (*configs.Cgroup, error)

func CreateLibcontainerConfig
func CreateLibcontainerConfig(opts *CreateOpts) (*configs.Config, error)
CreateLibcontainerConfig creates a new libcontainer configuration from a given specification and a cgroup name.
func Example
func Example() *specs.Spec
Example returns an example spec file, with many options set so a user can see what a standard spec file looks like.
func SetupSeccomp
func SetupSeccomp(config *specs.LinuxSeccomp) (*configs.Seccomp, error)

func ToRootless
func ToRootless(spec *specs.Spec)
ToRootless converts the given spec file into one that should work with rootless containers (euid != 0), by removing incompatible options and adding others that are needed.
Types

type CreateOpts
type CreateOpts struct {
	CgroupName          string
	UseSystemdCgroup    bool
	NoPivotRoot         bool
	NoNewKeyring        bool
	Spec                *specs.Spec
	RootlessEUID        bool
	RootlessCgroups     bool
	RootfsUidShiftType  sh.IDShiftType
	BindMntUidShiftType sh.IDShiftType
	SwitchDockerDns     bool
	RootfsCloned        bool
	FsuidMapFailOnErr   bool
	IDshiftIgnoreList   []string
}