Documentation
Index
- Constants
- Variables
- func AllowSyscall(syscall string, args ...specs.LinuxSeccompArg) specs.LinuxSyscall
- func AnyContainerMounts(initBinPath string) []specs.Mount
- func OciCapabilities(privileged bool) specs.LinuxCapabilities
- func OciCgroupsPath(basePath, handle string, privileged bool) string
- func OciIDMappings(privileged bool, max uint32) []specs.LinuxIDMapping
- func OciNamespaces(privileged bool) []specs.LinuxNamespace
- func OciResources(limits garden.Limits) *specs.LinuxResources
- func OciSpec(initBinPath string, gdn garden.ContainerSpec, maxUid, maxGid uint32) (oci *specs.Spec, err error)
- func OciSpecBindMounts(bindMounts []garden.BindMount) (mounts []specs.Mount, err error)
Constants
// Environment PATH entries assigned to container processes.
const (
	// Path is the PATH entry for ordinary (non-superuser) processes; it
	// omits the sbin directories.
	Path = "PATH=/usr/local/bin:/usr/bin:/bin"

	// SuperuserPath is the PATH entry for processes running as the
	// superuser; it adds the sbin directories in front of the regular
	// bin directories.
	SuperuserPath = "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
)
const (
	// DefaultInitBinPath is the default path of the container init binary
	// (the value passed as initBinPath where no other path is given).
	DefaultInitBinPath = "/usr/local/concourse/bin/init"
)
Variables
// Capability sets handed to container processes. Each set places the same
// list (privilegedCaps / unprivilegedCaps, defined elsewhere in this
// package) into the bounding, permitted, effective and inheritable vectors;
// the ambient vector is left unset.
var (
	// PrivilegedContainerCapabilities is the capability set used for
	// privileged containers.
	PrivilegedContainerCapabilities = specs.LinuxCapabilities{
		Bounding:    privilegedCaps,
		Permitted:   privilegedCaps,
		Effective:   privilegedCaps,
		Inheritable: privilegedCaps,
	}

	// UnprivilegedContainerCapabilities is the capability set used for
	// unprivileged containers.
	UnprivilegedContainerCapabilities = specs.LinuxCapabilities{
		Bounding:    unprivilegedCaps,
		Permitted:   unprivilegedCaps,
		Effective:   unprivilegedCaps,
		Inheritable: unprivilegedCaps,
	}
)
// Device cgroup rules. Rules are applied in slice order; deviceWildcard and
// intRef are helpers defined elsewhere in this package.
var (
	// AnyContainerDevices is the device allow-list applied to every
	// container. The first two rules grant only mknod ("m") for arbitrary
	// character and block devices; read/write/mknod ("rwm") is then granted
	// to individual nodes. The major:minor pairs follow the standard Linux
	// device numbering: 1:3 null, 1:8 random, 1:7 full, 5:0 tty, 1:5 zero,
	// 1:9 urandom, 136:* pts, 5:2 ptmx, 10:200 tun, 10:229 fuse.
	//
	// NOTE(review): tun (10:200) and fuse (10:229) sit in the any-container
	// list, so they are reachable from unprivileged containers as well —
	// confirm that is intended.
	AnyContainerDevices = []specs.LinuxDeviceCgroup{
		{Allow: true, Type: "c", Major: deviceWildcard(), Minor: deviceWildcard(), Access: "m"},
		{Allow: true, Type: "b", Major: deviceWildcard(), Minor: deviceWildcard(), Access: "m"},
		{Allow: true, Type: "c", Major: intRef(1), Minor: intRef(3), Access: "rwm"},
		{Allow: true, Type: "c", Major: intRef(1), Minor: intRef(8), Access: "rwm"},
		{Allow: true, Type: "c", Major: intRef(1), Minor: intRef(7), Access: "rwm"},
		{Allow: true, Type: "c", Major: intRef(5), Minor: intRef(0), Access: "rwm"},
		{Allow: true, Type: "c", Major: intRef(1), Minor: intRef(5), Access: "rwm"},
		{Allow: true, Type: "c", Major: intRef(1), Minor: intRef(9), Access: "rwm"},
		{Allow: true, Type: "c", Major: intRef(136), Minor: deviceWildcard(), Access: "rwm"},
		{Allow: true, Type: "c", Major: intRef(5), Minor: intRef(2), Access: "rwm"},
		{Allow: true, Type: "c", Major: intRef(10), Minor: intRef(200), Access: "rwm"},
		{Allow: true, Type: "c", Major: intRef(10), Minor: intRef(229), Access: "rwm"},
	}

	// PrivilegedOnlyDevices is a single deny rule with no type or
	// major/minor and every access mode, i.e. a deny-all entry.
	// NOTE(review): how callers combine this with AnyContainerDevices is
	// not visible here — check the OciResources / OciSpec code paths.
	PrivilegedOnlyDevices = []specs.LinuxDeviceCgroup{
		{Allow: false, Access: "rwm"},
	}
)
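// Namespaces requested for container processes. An unprivileged container
// receives every namespace a privileged one does, plus a user namespace.
var (
	// PrivilegedContainerNamespaces is the namespace list for privileged
	// containers: pid, ipc, uts, mount and network, but no user namespace.
	PrivilegedContainerNamespaces = []specs.LinuxNamespace{
		{Type: specs.PIDNamespace},
		{Type: specs.IPCNamespace},
		{Type: specs.UTSNamespace},
		{Type: specs.MountNamespace},
		{Type: specs.NetworkNamespace},
	}

	// UnprivilegedContainerNamespaces extends the privileged list with a
	// user namespace. The three-index slice pins capacity to length so the
	// append is guaranteed to allocate a fresh backing array; the derived
	// list can therefore never write into spare capacity shared with
	// PrivilegedContainerNamespaces, even if that literal is later changed
	// to something with capacity headroom.
	UnprivilegedContainerNamespaces = append(
		PrivilegedContainerNamespaces[:len(PrivilegedContainerNamespaces):len(PrivilegedContainerNamespaces)],
		specs.LinuxNamespace{Type: specs.UserNamespace},
	)
)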
var (
	// DefaultContainerMounts is the baseline set of kernel pseudo-filesystems
	// and tmpfs mounts for a container, in mount order. Every entry carries
	// nosuid; /sys and /sys/fs/cgroup are mounted read-only; /proc, /dev/shm,
	// /dev/mqueue, /sys and /sys/fs/cgroup also carry noexec and nodev.
	DefaultContainerMounts = []specs.Mount{
		{
			Type:        "proc",
			Source:      "proc",
			Destination: "/proc",
			Options:     []string{"nosuid", "noexec", "nodev"},
		},
		{
			// Fresh tmpfs for /dev, size-capped so a container cannot fill
			// host memory through it.
			Type:        "tmpfs",
			Source:      "tmpfs",
			Destination: "/dev",
			Options:     []string{"nosuid", "strictatime", "mode=755", "size=65536k"},
		},
		{
			// newinstance gives the container its own pty namespace;
			// gid=5 is conventionally the tty group.
			Type:        "devpts",
			Source:      "devpts",
			Destination: "/dev/pts",
			Options:     []string{"nosuid", "noexec", "newinstance", "ptmxmode=0666", "mode=0620", "gid=5"},
		},
		{
			// Sticky, world-writable, size-capped shared-memory tmpfs.
			Type:        "tmpfs",
			Source:      "shm",
			Destination: "/dev/shm",
			Options:     []string{"nosuid", "noexec", "nodev", "mode=1777", "size=65536k"},
		},
		{
			Type:        "mqueue",
			Source:      "mqueue",
			Destination: "/dev/mqueue",
			Options:     []string{"nosuid", "noexec", "nodev"},
		},
		{
			// Read-only: the container may inspect but not alter sysfs.
			Type:        "sysfs",
			Source:      "sysfs",
			Destination: "/sys",
			Options:     []string{"nosuid", "noexec", "nodev", "ro"},
		},
		{
			// Read-only cgroup view.
			Type:        "cgroup",
			Source:      "cgroup",
			Destination: "/sys/fs/cgroup",
			Options:     []string{"ro", "nosuid", "noexec", "nodev"},
		},
		{
			Type:        "tmpfs",
			Source:      "tmpfs",
			Destination: "/run",
			Options:     []string{"nosuid", "strictatime", "mode=755", "size=65536k"},
		},
	}
)
Functions
func AllowSyscall
func AllowSyscall(syscall string, args ...specs.LinuxSeccompArg) specs.LinuxSyscall
func AnyContainerMounts
func AnyContainerMounts(initBinPath string) []specs.Mount
func OciCapabilities
func OciCapabilities(privileged bool) specs.LinuxCapabilities
func OciCgroupsPath
func OciCgroupsPath(basePath, handle string, privileged bool) string
func OciIDMappings
func OciIDMappings(privileged bool, max uint32) []specs.LinuxIDMapping
OciIDMappings provides the uid/gid mappings for user namespaces, where they are needed; whether they are needed is determined by `privileged`.
func OciNamespaces
func OciNamespaces(privileged bool) []specs.LinuxNamespace
func OciResources
func OciResources(limits garden.Limits) *specs.LinuxResources
Types
This section is empty.