spec

package

v6.7.3-0...-1f455d7 Latest Latest Go to latest Published: Dec 7, 2020 License: Apache-2.0 Imports: 6 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/pf-qiu/concourse

Links

Open Source Insights

Documentation ¶

Index ¶

Constants
Variables
func AllowSyscall(syscall string, args ...specs.LinuxSeccompArg) specs.LinuxSyscall
func AnyContainerMounts(initBinPath string) []specs.Mount
func OciCapabilities(privileged bool) specs.LinuxCapabilities
func OciCgroupsPath(basePath, handle string, privileged bool) string
func OciIDMappings(privileged bool, max uint32) []specs.LinuxIDMapping
func OciNamespaces(privileged bool) []specs.LinuxNamespace
func OciResources(limits garden.Limits) *specs.LinuxResources
func OciSpec(initBinPath string, gdn garden.ContainerSpec, maxUid, maxGid uint32) (oci *specs.Spec, err error)
func OciSpecBindMounts(bindMounts []garden.BindMount) (mounts []specs.Mount, err error)

Constants ¶

View Source

const (
	SuperuserPath = "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
	Path          = "PATH=/usr/local/bin:/usr/bin:/bin"
)

View Source

const DefaultInitBinPath = "/usr/local/concourse/bin/init"

Variables ¶

View Source

var (
	PrivilegedContainerCapabilities = specs.LinuxCapabilities{
		Effective:   privilegedCaps,
		Bounding:    privilegedCaps,
		Inheritable: privilegedCaps,
		Permitted:   privilegedCaps,
	}

	UnprivilegedContainerCapabilities = specs.LinuxCapabilities{
		Effective:   unprivilegedCaps,
		Bounding:    unprivilegedCaps,
		Inheritable: unprivilegedCaps,
		Permitted:   unprivilegedCaps,
	}
)

View Source

var (
	AnyContainerDevices = []specs.LinuxDeviceCgroup{

		{Access: "m", Type: "c", Major: deviceWildcard(), Minor: deviceWildcard(), Allow: true},
		{Access: "m", Type: "b", Major: deviceWildcard(), Minor: deviceWildcard(), Allow: true},

		{Access: "rwm", Type: "c", Major: intRef(1), Minor: intRef(3), Allow: true},
		{Access: "rwm", Type: "c", Major: intRef(1), Minor: intRef(8), Allow: true},
		{Access: "rwm", Type: "c", Major: intRef(1), Minor: intRef(7), Allow: true},
		{Access: "rwm", Type: "c", Major: intRef(5), Minor: intRef(0), Allow: true},
		{Access: "rwm", Type: "c", Major: intRef(1), Minor: intRef(5), Allow: true},
		{Access: "rwm", Type: "c", Major: intRef(1), Minor: intRef(9), Allow: true},
		{Access: "rwm", Type: "c", Major: intRef(136), Minor: deviceWildcard(), Allow: true},
		{Access: "rwm", Type: "c", Major: intRef(5), Minor: intRef(2), Allow: true},
		{Access: "rwm", Type: "c", Major: intRef(10), Minor: intRef(200), Allow: true},

		{Access: "rwm", Type: "c", Major: intRef(10), Minor: intRef(229), Allow: true},
	}

	PrivilegedOnlyDevices = []specs.LinuxDeviceCgroup{
		{Allow: false, Access: "rwm"},
	}
)

View Source

var (
	PrivilegedContainerNamespaces = []specs.LinuxNamespace{
		{Type: specs.PIDNamespace},
		{Type: specs.IPCNamespace},
		{Type: specs.UTSNamespace},
		{Type: specs.MountNamespace},
		{Type: specs.NetworkNamespace},
	}

	UnprivilegedContainerNamespaces = append(PrivilegedContainerNamespaces,
		specs.LinuxNamespace{Type: specs.UserNamespace},
	)
)

View Source

var (
	DefaultContainerMounts = []specs.Mount{
		{
			Destination: "/proc",
			Type:        "proc",
			Source:      "proc",
			Options:     []string{"nosuid", "noexec", "nodev"},
		},
		{
			Destination: "/dev",
			Type:        "tmpfs",
			Source:      "tmpfs",
			Options:     []string{"nosuid", "strictatime", "mode=755", "size=65536k"},
		},
		{
			Destination: "/dev/pts",
			Type:        "devpts",
			Source:      "devpts",
			Options:     []string{"nosuid", "noexec", "newinstance", "ptmxmode=0666", "mode=0620", "gid=5"},
		},
		{
			Destination: "/dev/shm",
			Type:        "tmpfs",
			Source:      "shm",
			Options:     []string{"nosuid", "noexec", "nodev", "mode=1777", "size=65536k"},
		},
		{
			Destination: "/dev/mqueue",
			Type:        "mqueue",
			Source:      "mqueue",
			Options:     []string{"nosuid", "noexec", "nodev"},
		},
		{
			Destination: "/sys",
			Type:        "sysfs",
			Source:      "sysfs",
			Options:     []string{"nosuid", "noexec", "nodev", "ro"},
		},
		{
			Destination: "/sys/fs/cgroup",
			Type:        "cgroup",
			Source:      "cgroup",
			Options:     []string{"ro", "nosuid", "noexec", "nodev"},
		},
		{
			Destination: "/run",
			Type:        "tmpfs",
			Source:      "tmpfs",
			Options:     []string{"nosuid", "strictatime", "mode=755", "size=65536k"},
		},
	}
)

Functions ¶

func AllowSyscall ¶

func AllowSyscall(syscall string, args ...specs.LinuxSeccompArg) specs.LinuxSyscall

func AnyContainerMounts ¶

func AnyContainerMounts(initBinPath string) []specs.Mount

func OciCapabilities ¶

func OciCapabilities(privileged bool) specs.LinuxCapabilities

func OciCgroupsPath ¶

func OciCgroupsPath(basePath, handle string, privileged bool) string

func OciIDMappings ¶

func OciIDMappings(privileged bool, max uint32) []specs.LinuxIDMapping

OciIDMappings provides the uid/gid mappings for user namespaces (if necessary, based on `privileged`).

func OciNamespaces ¶

func OciNamespaces(privileged bool) []specs.LinuxNamespace

func OciResources ¶

func OciResources(limits garden.Limits) *specs.LinuxResources

func OciSpec ¶

func OciSpec(initBinPath string, gdn garden.ContainerSpec, maxUid, maxGid uint32) (oci *specs.Spec, err error)

OciSpec converts a given `garden` container specification to an OCI spec.

func OciSpecBindMounts ¶

func OciSpecBindMounts(bindMounts []garden.BindMount) (mounts []specs.Mount, err error)

OciSpecBindMounts converts garden bindmounts to oci spec mounts.

Types ¶

This section is empty.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL