aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorbaude <bbaude@redhat.com>2018-06-26 13:50:12 -0500
committerAtomic Bot <atomic-devel@projectatomic.io>2018-06-27 15:16:02 +0000
commitf6c0fc1aa854ae5ce73d57ecb09d47c0d4dd2cc3 (patch)
tree55a2c6e560625df8b8e176e4ac9cb2214480d3ab
parent19f5a504ffb1470991f331db412be456e41caab5 (diff)
downloadpodman-f6c0fc1aa854ae5ce73d57ecb09d47c0d4dd2cc3.tar.gz
podman-f6c0fc1aa854ae5ce73d57ecb09d47c0d4dd2cc3.tar.bz2
podman-f6c0fc1aa854ae5ce73d57ecb09d47c0d4dd2cc3.zip
Vendor in latest runtime-tools
Newer runtime tools separates syscalls by OS so we can build darwin. Signed-off-by: baude <bbaude@redhat.com> Closes: #1007 Approved by: baude
-rw-r--r--vendor/github.com/opencontainers/runtime-tools/README.md142
-rw-r--r--vendor/github.com/opencontainers/runtime-tools/error/error.go30
-rw-r--r--vendor/github.com/opencontainers/runtime-tools/generate/config.go173
-rw-r--r--vendor/github.com/opencontainers/runtime-tools/generate/generate.go1148
-rw-r--r--vendor/github.com/opencontainers/runtime-tools/generate/seccomp/seccomp_default.go3
-rw-r--r--vendor/github.com/opencontainers/runtime-tools/generate/seccomp/seccomp_default_linux.go15
-rw-r--r--vendor/github.com/opencontainers/runtime-tools/generate/seccomp/seccomp_default_unsupported.go15
-rw-r--r--vendor/github.com/opencontainers/runtime-tools/generate/spec.go172
-rw-r--r--vendor/github.com/opencontainers/runtime-tools/specerror/config.go6
-rw-r--r--vendor/github.com/opencontainers/runtime-tools/specerror/error.go37
-rw-r--r--vendor/github.com/opencontainers/runtime-tools/specerror/runtime.go12
-rw-r--r--vendor/github.com/opencontainers/runtime-tools/validate/validate.go278
-rw-r--r--vendor/github.com/opencontainers/runtime-tools/validate/validate_linux.go230
-rw-r--r--vendor/github.com/opencontainers/runtime-tools/validate/validate_unsupported.go17
14 files changed, 1208 insertions, 1070 deletions
diff --git a/vendor/github.com/opencontainers/runtime-tools/README.md b/vendor/github.com/opencontainers/runtime-tools/README.md
index 5f16436bc..93c901f05 100644
--- a/vendor/github.com/opencontainers/runtime-tools/README.md
+++ b/vendor/github.com/opencontainers/runtime-tools/README.md
@@ -37,58 +37,28 @@ If your distribution does not package node-tap, you can install [npm][] (for exa
$ npm install tap
```
+Build the validation executables:
+
```console
$ make runtimetest validation-executables
-RUNTIME=runc tap validation/linux_rootfs_propagation_shared.t validation/create.t validation/default.t validation/linux_readonly_paths.t validation/linux_masked_paths.t validation/mounts.t validation/process.t validation/root_readonly_false.t validation/linux_sysctl.t validation/linux_devices.t validation/linux_gid_mappings.t validation/process_oom_score_adj.t validation/process_capabilities.t validation/process_rlimits.t validation/root_readonly_true.t validation/linux_rootfs_propagation_unbindable.t validation/hostname.t validation/linux_uid_mappings.t
-validation/linux_rootfs_propagation_shared.t ........ 18/19
- not ok rootfs propagation
-
-validation/create.t ................................... 4/4
-validation/default.t ................................ 19/19
-validation/linux_readonly_paths.t ................... 19/19
-validation/linux_masked_paths.t ..................... 18/19
- not ok masked paths
-
-validation/mounts.t ................................... 0/1
- Skipped: 1
- TODO: mounts generation options have not been implemented
-
-validation/process.t ................................ 19/19
-validation/root_readonly_false.t .................... 19/19
-validation/linux_sysctl.t ........................... 19/19
-validation/linux_devices.t .......................... 19/19
-validation/linux_gid_mappings.t ..................... 18/19
- not ok gid mappings
-
-validation/process_oom_score_adj.t .................. 19/19
-validation/process_capabilities.t ................... 19/19
-validation/process_rlimits.t ........................ 19/19
-validation/root_readonly_true.t ...................failed to create the container
-rootfsPropagation=unbindable is not supported
-exit status 1
-validation/root_readonly_true.t ..................... 19/19
-validation/linux_rootfs_propagation_unbindable.t ...... 0/1
- not ok validation/linux_rootfs_propagation_unbindable.t
- timeout: 30000
- file: validation/linux_rootfs_propagation_unbindable.t
- command: validation/linux_rootfs_propagation_unbindable.t
- args: []
- stdio:
- - 0
- - pipe
- - 2
- cwd: /…/go/src/github.com/opencontainers/runtime-tools
- exitCode: 1
+```
-validation/hostname.t ...................failed to create the container
-User namespace mappings specified, but USER namespace isn't enabled in the config
+Runtime validation currently [only supports](docs/runtime-compliance-testing.md) the [OCI Runtime Command Line Interface](docs/command-line-interface.md).
+If we add support for alternative APIs in the future, runtime validation will gain an option to select the desired runtime API.
+For the command line interface, the `RUNTIME` option selects the runtime command (`funC` in the [OCI Runtime Command Line Interface](docs/command-line-interface.md)).
+
+```
+$ sudo make RUNTIME=runc localvalidation
+RUNTIME=runc tap validation/pidfile.t validation/linux_cgroups_hugetlb.t validation/linux_cgroups_memory.t validation/linux_rootfs_propagation_shared.t validation/kill.t validation/create.t validation/poststart.t validation/linux_cgroups_network.t validation/poststop_fail.t validation/linux_readonly_paths.t validation/prestart_fail.t validation/hooks_stdin.t validation/default.t validation/linux_masked_paths.t validation/poststop.t validation/misc_props.t validation/prestart.t validation/poststart_fail.t validation/mounts.t validation/linux_cgroups_relative_pids.t validation/process_user.t validation/process.t validation/hooks.t validation/process_capabilities_fail.t validation/process_rlimits_fail.t validation/linux_cgroups_relative_cpus.t validation/process_rlimits.t validation/linux_cgroups_relative_blkio.t validation/linux_sysctl.t validation/linux_seccomp.t validation/linux_devices.t validation/start.t validation/linux_cgroups_pids.t validation/process_capabilities.t validation/process_oom_score_adj.t validation/linux_cgroups_relative_hugetlb.t validation/linux_cgroups_cpus.t validation/linux_cgroups_relative_memory.t validation/state.t validation/root_readonly_true.t validation/linux_cgroups_blkio.t validation/linux_rootfs_propagation_unbindable.t validation/delete.t validation/linux_cgroups_relative_network.t validation/hostname.t validation/killsig.t validation/linux_uid_mappings.t
+validation/pidfile.t .failed to create the container
+container_linux.go:348: starting container process caused "process_linux.go:402: container init caused \"process_linux.go:367: setting cgroup config for procHooks process caused \\\"failed to write 56892210544640 to hugetlb.1GB.limit_in_bytes: open /sys/fs/cgroup/hugetlb/cgrouptest/hugetlb.1GB.limit_in_bytes: permission denied\\\"\""
exit status 1
-validation/hostname.t ............................... 19/19
-validation/linux_uid_mappings.t ....................... 0/1
- not ok validation/linux_uid_mappings.t
+validation/pidfile.t .................................. 1/1 315ms
+validation/linux_cgroups_hugetlb.t .................... 0/1
+ not ok validation/linux_cgroups_hugetlb.t
timeout: 30000
- file: validation/linux_uid_mappings.t
- command: validation/linux_uid_mappings.t
+ file: validation/linux_cgroups_hugetlb.t
+ command: validation/linux_cgroups_hugetlb.t
args: []
stdio:
- 0
@@ -97,14 +67,21 @@ validation/linux_uid_mappings.t ....................... 0/1
cwd: /…/go/src/github.com/opencontainers/runtime-tools
exitCode: 1
-total ............................................. 267/273
+validation/linux_cgroups_memory.t ..................... 9/9
+validation/linux_rootfs_propagation_shared.t ...... 252/282
+ not ok shared root propogation exposes "/target348456609/mount892511628/example376408222"
+ Skipped: 29
+ /dev/null (default device) has unconfigured permissions
+…
+total ........................................... 4381/4962
- 267 passing (31s)
- 1 pending
- 5 failing
-make: *** [Makefile:43: localvalidation] Error 1
+ 4381 passing (1m)
+ 567 pending
+ 14 failing
+
+make: *** [Makefile:44: localvalidation] Error 1
```
You can also run an individual test executable directly:
@@ -112,58 +89,27 @@ You can also run an individual test executable directly:
```console
$ RUNTIME=runc validation/default.t
TAP version 13
-ok 1 - root filesystem
-ok 2 - hostname
-ok 3 - process
-ok 4 - mounts
-ok 5 - user
-ok 6 - rlimits
-ok 7 - capabilities
-ok 8 - default symlinks
-ok 9 - default file system
-ok 10 - default devices
-ok 11 - linux devices
-ok 12 - linux process
-ok 13 - masked paths
-ok 14 - oom score adj
-ok 15 - read only paths
-ok 16 - rootfs propagation
-ok 17 - sysctls
-ok 18 - uid mappings
-ok 19 - gid mappings
-1..19
+ok 1 - has expected hostname
+ ---
+ {
+ "actual": "mrsdalloway",
+ "expected": "mrsdalloway"
+ }
+ ...
+…
+ok 287 # SKIP linux.gidMappings not set
+1..287
```
If you cannot install node-tap, you can probably run the test suite with another [TAP consumer][tap-consumers].
For example, with [`prove`][prove]:
```console
-$ sudo make TAP='prove -Q -j9' RUNTIME=runc localvalidation
-RUNTIME=runc prove -Q -j9 validation/linux_rootfs_propagation_shared.t validation/create.t validation/default.t validation/linux_readonly_paths.t validation/linux_masked_paths.t validation/mounts.t validation/process.t validation/root_readonly_false.t validation/linux_sysctl.t validation/linux_devices.t validation/linux_gid_mappings.t validation/process_oom_score_adj.t validation/process_capabilities.t validation/process_rlimits.t validation/root_readonly_true.t validation/linux_rootfs_propagation_unbindable.t validation/hostname.t validation/linux_uid_mappings.t
-failed to create the container
-rootfsPropagation=unbindable is not supported
-exit status 1
-failed to create the container
-User namespace mappings specified, but USER namespace isn't enabled in the config
-exit status 1
-
-Test Summary Report
--------------------
-validation/linux_rootfs_propagation_shared.t (Wstat: 0 Tests: 19 Failed: 1)
- Failed test: 16
-validation/linux_masked_paths.t (Wstat: 0 Tests: 19 Failed: 1)
- Failed test: 13
-validation/linux_rootfs_propagation_unbindable.t (Wstat: 256 Tests: 0 Failed: 0)
- Non-zero exit status: 1
- Parse errors: No plan found in TAP output
-validation/linux_uid_mappings.t (Wstat: 256 Tests: 0 Failed: 0)
- Non-zero exit status: 1
- Parse errors: No plan found in TAP output
-validation/linux_gid_mappings.t (Wstat: 0 Tests: 19 Failed: 1)
- Failed test: 19
-Files=18, Tests=271, 6 wallclock secs ( 0.06 usr 0.01 sys + 0.59 cusr 0.24 csys = 0.90 CPU)
-Result: FAIL
-make: *** [Makefile:43: localvalidation] Error 1
+$ sudo make TAP='prove -Q -j9' RUNTIME=runc VALIDATION_TESTS=validation/pidfile.t localvalidation
+RUNTIME=runc prove -Q -j9 validation/pidfile.t
+All tests successful.
+Files=1, Tests=1, 0 wallclock secs ( 0.01 usr 0.01 sys + 0.03 cusr 0.03 csys = 0.08 CPU)
+Result: PASS
```
[bundle]: https://github.com/opencontainers/runtime-spec/blob/master/bundle.md
diff --git a/vendor/github.com/opencontainers/runtime-tools/error/error.go b/vendor/github.com/opencontainers/runtime-tools/error/error.go
index f5a90800e..f7eac6639 100644
--- a/vendor/github.com/opencontainers/runtime-tools/error/error.go
+++ b/vendor/github.com/opencontainers/runtime-tools/error/error.go
@@ -86,6 +86,36 @@ func ParseLevel(level string) (Level, error) {
return l, fmt.Errorf("%q is not a valid compliance level", level)
}
+// String takes a RFC 2119 compliance level constant and returns a string representation.
+func (level Level) String() string {
+ switch level {
+ case May:
+ return "MAY"
+ case Optional:
+ return "OPTIONAL"
+ case Should:
+ return "SHOULD"
+ case ShouldNot:
+ return "SHOULD NOT"
+ case Recommended:
+ return "RECOMMENDED"
+ case NotRecommended:
+ return "NOT RECOMMENDED"
+ case Must:
+ return "MUST"
+ case MustNot:
+ return "MUST NOT"
+ case Shall:
+ return "SHALL"
+ case ShallNot:
+ return "SHALL NOT"
+ case Required:
+ return "REQUIRED"
+ }
+
+ panic(fmt.Sprintf("%d is not a valid compliance level", level))
+}
+
// Error returns the error message with specification reference.
func (err *Error) Error() string {
return fmt.Sprintf("%s\nRefer to: %s", err.Err.Error(), err.Reference)
diff --git a/vendor/github.com/opencontainers/runtime-tools/generate/config.go b/vendor/github.com/opencontainers/runtime-tools/generate/config.go
new file mode 100644
index 000000000..164fdf141
--- /dev/null
+++ b/vendor/github.com/opencontainers/runtime-tools/generate/config.go
@@ -0,0 +1,173 @@
+package generate
+
+import (
+ rspec "github.com/opencontainers/runtime-spec/specs-go"
+)
+
+func (g *Generator) initConfig() {
+ if g.Config == nil {
+ g.Config = &rspec.Spec{}
+ }
+}
+
+func (g *Generator) initConfigProcess() {
+ g.initConfig()
+ if g.Config.Process == nil {
+ g.Config.Process = &rspec.Process{}
+ }
+}
+
+func (g *Generator) initConfigProcessConsoleSize() {
+ g.initConfigProcess()
+ if g.Config.Process.ConsoleSize == nil {
+ g.Config.Process.ConsoleSize = &rspec.Box{}
+ }
+}
+
+func (g *Generator) initConfigProcessCapabilities() {
+ g.initConfigProcess()
+ if g.Config.Process.Capabilities == nil {
+ g.Config.Process.Capabilities = &rspec.LinuxCapabilities{}
+ }
+}
+
+func (g *Generator) initConfigRoot() {
+ g.initConfig()
+ if g.Config.Root == nil {
+ g.Config.Root = &rspec.Root{}
+ }
+}
+
+func (g *Generator) initConfigAnnotations() {
+ g.initConfig()
+ if g.Config.Annotations == nil {
+ g.Config.Annotations = make(map[string]string)
+ }
+}
+
+func (g *Generator) initConfigHooks() {
+ g.initConfig()
+ if g.Config.Hooks == nil {
+ g.Config.Hooks = &rspec.Hooks{}
+ }
+}
+
+func (g *Generator) initConfigLinux() {
+ g.initConfig()
+ if g.Config.Linux == nil {
+ g.Config.Linux = &rspec.Linux{}
+ }
+}
+
+func (g *Generator) initConfigLinuxIntelRdt() {
+ g.initConfigLinux()
+ if g.Config.Linux.IntelRdt == nil {
+ g.Config.Linux.IntelRdt = &rspec.LinuxIntelRdt{}
+ }
+}
+
+func (g *Generator) initConfigLinuxSysctl() {
+ g.initConfigLinux()
+ if g.Config.Linux.Sysctl == nil {
+ g.Config.Linux.Sysctl = make(map[string]string)
+ }
+}
+
+func (g *Generator) initConfigLinuxSeccomp() {
+ g.initConfigLinux()
+ if g.Config.Linux.Seccomp == nil {
+ g.Config.Linux.Seccomp = &rspec.LinuxSeccomp{}
+ }
+}
+
+func (g *Generator) initConfigLinuxResources() {
+ g.initConfigLinux()
+ if g.Config.Linux.Resources == nil {
+ g.Config.Linux.Resources = &rspec.LinuxResources{}
+ }
+}
+
+func (g *Generator) initConfigLinuxResourcesBlockIO() {
+ g.initConfigLinuxResources()
+ if g.Config.Linux.Resources.BlockIO == nil {
+ g.Config.Linux.Resources.BlockIO = &rspec.LinuxBlockIO{}
+ }
+}
+
+// InitConfigLinuxResourcesCPU initializes CPU of Linux resources
+func (g *Generator) InitConfigLinuxResourcesCPU() {
+ g.initConfigLinuxResources()
+ if g.Config.Linux.Resources.CPU == nil {
+ g.Config.Linux.Resources.CPU = &rspec.LinuxCPU{}
+ }
+}
+
+func (g *Generator) initConfigLinuxResourcesMemory() {
+ g.initConfigLinuxResources()
+ if g.Config.Linux.Resources.Memory == nil {
+ g.Config.Linux.Resources.Memory = &rspec.LinuxMemory{}
+ }
+}
+
+func (g *Generator) initConfigLinuxResourcesNetwork() {
+ g.initConfigLinuxResources()
+ if g.Config.Linux.Resources.Network == nil {
+ g.Config.Linux.Resources.Network = &rspec.LinuxNetwork{}
+ }
+}
+
+func (g *Generator) initConfigLinuxResourcesPids() {
+ g.initConfigLinuxResources()
+ if g.Config.Linux.Resources.Pids == nil {
+ g.Config.Linux.Resources.Pids = &rspec.LinuxPids{}
+ }
+}
+
+func (g *Generator) initConfigSolaris() {
+ g.initConfig()
+ if g.Config.Solaris == nil {
+ g.Config.Solaris = &rspec.Solaris{}
+ }
+}
+
+func (g *Generator) initConfigSolarisCappedCPU() {
+ g.initConfigSolaris()
+ if g.Config.Solaris.CappedCPU == nil {
+ g.Config.Solaris.CappedCPU = &rspec.SolarisCappedCPU{}
+ }
+}
+
+func (g *Generator) initConfigSolarisCappedMemory() {
+ g.initConfigSolaris()
+ if g.Config.Solaris.CappedMemory == nil {
+ g.Config.Solaris.CappedMemory = &rspec.SolarisCappedMemory{}
+ }
+}
+
+func (g *Generator) initConfigWindows() {
+ g.initConfig()
+ if g.Config.Windows == nil {
+ g.Config.Windows = &rspec.Windows{}
+ }
+}
+
+func (g *Generator) initConfigWindowsHyperV() {
+ g.initConfigWindows()
+ if g.Config.Windows.HyperV == nil {
+ g.Config.Windows.HyperV = &rspec.WindowsHyperV{}
+ }
+}
+
+func (g *Generator) initConfigWindowsResources() {
+ g.initConfigWindows()
+ if g.Config.Windows.Resources == nil {
+ g.Config.Windows.Resources = &rspec.WindowsResources{}
+ }
+}
+
+func (g *Generator) initConfigWindowsResourcesMemory() {
+ g.initConfigWindowsResources()
+ if g.Config.Windows.Resources.Memory == nil {
+ g.Config.Windows.Resources.Memory = &rspec.WindowsMemoryResources{}
+ }
+}
diff --git a/vendor/github.com/opencontainers/runtime-tools/generate/generate.go b/vendor/github.com/opencontainers/runtime-tools/generate/generate.go
index d2951b52d..900278f9f 100644
--- a/vendor/github.com/opencontainers/runtime-tools/generate/generate.go
+++ b/vendor/github.com/opencontainers/runtime-tools/generate/generate.go
@@ -25,9 +25,9 @@ var (
}
)
-// Generator represents a generator for a container spec.
+// Generator represents a generator for a container config.
type Generator struct {
- spec *rspec.Spec
+ Config *rspec.Spec
HostSpecific bool
}
@@ -36,9 +36,14 @@ type ExportOptions struct {
Seccomp bool // seccomp toggles if only seccomp should be exported
}
-// New creates a spec Generator with the default spec.
-func New() Generator {
- spec := rspec.Spec{
+// New creates a configuration Generator with the default
+// configuration for the target operating system.
+func New(os string) (generator Generator, err error) {
+ if os != "linux" && os != "solaris" {
+ return generator, fmt.Errorf("no defaults configured for %s", os)
+ }
+
+ config := rspec.Spec{
Version: rspec.Version,
Root: &rspec.Root{
Path: "rootfs",
@@ -46,107 +51,113 @@ func New() Generator {
},
Process: &rspec.Process{
Terminal: false,
- User: rspec.User{},
Args: []string{
"sh",
},
- Env: []string{
- "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
- "TERM=xterm",
+ },
+ Hostname: "mrsdalloway",
+ }
+
+ if os == "linux" || os == "solaris" {
+ config.Process.User = rspec.User{}
+ config.Process.Env = []string{
+ "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+ "TERM=xterm",
+ }
+ config.Process.Cwd = "/"
+ config.Process.Rlimits = []rspec.POSIXRlimit{
+ {
+ Type: "RLIMIT_NOFILE",
+ Hard: uint64(1024),
+ Soft: uint64(1024),
},
- Cwd: "/",
- Capabilities: &rspec.LinuxCapabilities{
- Bounding: []string{
- "CAP_CHOWN",
- "CAP_DAC_OVERRIDE",
- "CAP_FSETID",
- "CAP_FOWNER",
- "CAP_MKNOD",
- "CAP_NET_RAW",
- "CAP_SETGID",
- "CAP_SETUID",
- "CAP_SETFCAP",
- "CAP_SETPCAP",
- "CAP_NET_BIND_SERVICE",
- "CAP_SYS_CHROOT",
- "CAP_KILL",
- "CAP_AUDIT_WRITE",
- },
- Permitted: []string{
- "CAP_CHOWN",
- "CAP_DAC_OVERRIDE",
- "CAP_FSETID",
- "CAP_FOWNER",
- "CAP_MKNOD",
- "CAP_NET_RAW",
- "CAP_SETGID",
- "CAP_SETUID",
- "CAP_SETFCAP",
- "CAP_SETPCAP",
- "CAP_NET_BIND_SERVICE",
- "CAP_SYS_CHROOT",
- "CAP_KILL",
- "CAP_AUDIT_WRITE",
- },
- Inheritable: []string{
- "CAP_CHOWN",
- "CAP_DAC_OVERRIDE",
- "CAP_FSETID",
- "CAP_FOWNER",
- "CAP_MKNOD",
- "CAP_NET_RAW",
- "CAP_SETGID",
- "CAP_SETUID",
- "CAP_SETFCAP",
- "CAP_SETPCAP",
- "CAP_NET_BIND_SERVICE",
- "CAP_SYS_CHROOT",
- "CAP_KILL",
- "CAP_AUDIT_WRITE",
- },
- Effective: []string{
- "CAP_CHOWN",
- "CAP_DAC_OVERRIDE",
- "CAP_FSETID",
- "CAP_FOWNER",
- "CAP_MKNOD",
- "CAP_NET_RAW",
- "CAP_SETGID",
- "CAP_SETUID",
- "CAP_SETFCAP",
- "CAP_SETPCAP",
- "CAP_NET_BIND_SERVICE",
- "CAP_SYS_CHROOT",
- "CAP_KILL",
- "CAP_AUDIT_WRITE",
- },
- Ambient: []string{
- "CAP_CHOWN",
- "CAP_DAC_OVERRIDE",
- "CAP_FSETID",
- "CAP_FOWNER",
- "CAP_MKNOD",
- "CAP_NET_RAW",
- "CAP_SETGID",
- "CAP_SETUID",
- "CAP_SETFCAP",
- "CAP_SETPCAP",
- "CAP_NET_BIND_SERVICE",
- "CAP_SYS_CHROOT",
- "CAP_KILL",
- "CAP_AUDIT_WRITE",
- },
+ }
+ }
+
+ if os == "linux" {
+ config.Process.Capabilities = &rspec.LinuxCapabilities{
+ Bounding: []string{
+ "CAP_CHOWN",
+ "CAP_DAC_OVERRIDE",
+ "CAP_FSETID",
+ "CAP_FOWNER",
+ "CAP_MKNOD",
+ "CAP_NET_RAW",
+ "CAP_SETGID",
+ "CAP_SETUID",
+ "CAP_SETFCAP",
+ "CAP_SETPCAP",
+ "CAP_NET_BIND_SERVICE",
+ "CAP_SYS_CHROOT",
+ "CAP_KILL",
+ "CAP_AUDIT_WRITE",
},
- Rlimits: []rspec.POSIXRlimit{
- {
- Type: "RLIMIT_NOFILE",
- Hard: uint64(1024),
- Soft: uint64(1024),
- },
+ Permitted: []string{
+ "CAP_CHOWN",
+ "CAP_DAC_OVERRIDE",
+ "CAP_FSETID",
+ "CAP_FOWNER",
+ "CAP_MKNOD",
+ "CAP_NET_RAW",
+ "CAP_SETGID",
+ "CAP_SETUID",
+ "CAP_SETFCAP",
+ "CAP_SETPCAP",
+ "CAP_NET_BIND_SERVICE",
+ "CAP_SYS_CHROOT",
+ "CAP_KILL",
+ "CAP_AUDIT_WRITE",
},
- },
- Hostname: "mrsdalloway",
- Mounts: []rspec.Mount{
+ Inheritable: []string{
+ "CAP_CHOWN",
+ "CAP_DAC_OVERRIDE",
+ "CAP_FSETID",
+ "CAP_FOWNER",
+ "CAP_MKNOD",
+ "CAP_NET_RAW",
+ "CAP_SETGID",
+ "CAP_SETUID",
+ "CAP_SETFCAP",
+ "CAP_SETPCAP",
+ "CAP_NET_BIND_SERVICE",
+ "CAP_SYS_CHROOT",
+ "CAP_KILL",
+ "CAP_AUDIT_WRITE",
+ },
+ Effective: []string{
+ "CAP_CHOWN",
+ "CAP_DAC_OVERRIDE",
+ "CAP_FSETID",
+ "CAP_FOWNER",
+ "CAP_MKNOD",
+ "CAP_NET_RAW",
+ "CAP_SETGID",
+ "CAP_SETUID",
+ "CAP_SETFCAP",
+ "CAP_SETPCAP",
+ "CAP_NET_BIND_SERVICE",
+ "CAP_SYS_CHROOT",
+ "CAP_KILL",
+ "CAP_AUDIT_WRITE",
+ },
+ Ambient: []string{
+ "CAP_CHOWN",
+ "CAP_DAC_OVERRIDE",
+ "CAP_FSETID",
+ "CAP_FOWNER",
+ "CAP_MKNOD",
+ "CAP_NET_RAW",
+ "CAP_SETGID",
+ "CAP_SETUID",
+ "CAP_SETFCAP",
+ "CAP_SETPCAP",
+ "CAP_NET_BIND_SERVICE",
+ "CAP_SYS_CHROOT",
+ "CAP_KILL",
+ "CAP_AUDIT_WRITE",
+ },
+ }
+ config.Mounts = []rspec.Mount{
{
Destination: "/proc",
Type: "proc",
@@ -183,8 +194,8 @@ func New() Generator {
Source: "sysfs",
Options: []string{"nosuid", "noexec", "nodev", "ro"},
},
- },
- Linux: &rspec.Linux{
+ }
+ config.Linux = &rspec.Linux{
Resources: &rspec.LinuxResources{
Devices: []rspec.LinuxDeviceCgroup{
{
@@ -210,23 +221,27 @@ func New() Generator {
Type: "mount",
},
},
- Devices: []rspec.LinuxDevice{},
- },
- }
- spec.Linux.Seccomp = seccomp.DefaultProfile(&spec)
- return Generator{
- spec: &spec,
+ Seccomp: seccomp.DefaultProfile(&config),
+ }
}
+
+ return Generator{Config: &config}, nil
}
-// NewFromSpec creates a spec Generator from a given spec.
-func NewFromSpec(spec *rspec.Spec) Generator {
+// NewFromSpec creates a configuration Generator from a given
+// configuration.
+//
+// Deprecated: Replace with:
+//
+// generator := Generator{Config: config}
+func NewFromSpec(config *rspec.Spec) Generator {
return Generator{
- spec: spec,
+ Config: config,
}
}
-// NewFromFile loads the template specified in a file into a spec Generator.
+// NewFromFile loads the template specified in a file into a
+// configuration Generator.
func NewFromFile(path string) (Generator, error) {
cf, err := os.Open(path)
if err != nil {
@@ -240,45 +255,52 @@ func NewFromFile(path string) (Generator, error) {
return NewFromTemplate(cf)
}
-// NewFromTemplate loads the template from io.Reader into a spec Generator.
+// NewFromTemplate loads the template from io.Reader into a
+// configuration Generator.
func NewFromTemplate(r io.Reader) (Generator, error) {
- var spec rspec.Spec
- if err := json.NewDecoder(r).Decode(&spec); err != nil {
+ var config rspec.Spec
+ if err := json.NewDecoder(r).Decode(&config); err != nil {
return Generator{}, err
}
return Generator{
- spec: &spec,
+ Config: &config,
}, nil
}
-// SetSpec sets the spec in the Generator g.
-func (g *Generator) SetSpec(spec *rspec.Spec) {
- g.spec = spec
+// SetSpec sets the configuration in the Generator g.
+//
+// Deprecated: Replace with:
+//
+// Use generator.Config = config
+func (g *Generator) SetSpec(config *rspec.Spec) {
+ g.Config = config
}
-// Spec gets the spec in the Generator g.
+// Spec gets the configuration from the Generator g.
+//
+// Deprecated: Replace with generator.Config.
func (g *Generator) Spec() *rspec.Spec {
- return g.spec
+ return g.Config
}
-// Save writes the spec into w.
+// Save writes the configuration into w.
func (g *Generator) Save(w io.Writer, exportOpts ExportOptions) (err error) {
var data []byte
- if g.spec.Linux != nil {
- buf, err := json.Marshal(g.spec.Linux)
+ if g.Config.Linux != nil {
+ buf, err := json.Marshal(g.Config.Linux)
if err != nil {
return err
}
if string(buf) == "{}" {
- g.spec.Linux = nil
+ g.Config.Linux = nil
}
}
if exportOpts.Seccomp {
- data, err = json.MarshalIndent(g.spec.Linux.Seccomp, "", "\t")
+ data, err = json.MarshalIndent(g.Config.Linux.Seccomp, "", "\t")
} else {
- data, err = json.MarshalIndent(g.spec, "", "\t")
+ data, err = json.MarshalIndent(g.Config, "", "\t")
}
if err != nil {
return err
@@ -292,7 +314,7 @@ func (g *Generator) Save(w io.Writer, exportOpts ExportOptions) (err error) {
return nil
}
-// SaveToFile writes the spec into a file.
+// SaveToFile writes the configuration into a file.
func (g *Generator) SaveToFile(path string, exportOpts ExportOptions) error {
f, err := os.Create(path)
if err != nil {
@@ -302,131 +324,145 @@ func (g *Generator) SaveToFile(path string, exportOpts ExportOptions) error {
return g.Save(f, exportOpts)
}
-// SetVersion sets g.spec.Version.
+// SetVersion sets g.Config.Version.
func (g *Generator) SetVersion(version string) {
- g.initSpec()
- g.spec.Version = version
+ g.initConfig()
+ g.Config.Version = version
}
-// SetRootPath sets g.spec.Root.Path.
+// SetRootPath sets g.Config.Root.Path.
func (g *Generator) SetRootPath(path string) {
- g.initSpecRoot()
- g.spec.Root.Path = path
+ g.initConfigRoot()
+ g.Config.Root.Path = path
}
-// SetRootReadonly sets g.spec.Root.Readonly.
+// SetRootReadonly sets g.Config.Root.Readonly.
func (g *Generator) SetRootReadonly(b bool) {
- g.initSpecRoot()
- g.spec.Root.Readonly = b
+ g.initConfigRoot()
+ g.Config.Root.Readonly = b
}
-// SetHostname sets g.spec.Hostname.
+// SetHostname sets g.Config.Hostname.
func (g *Generator) SetHostname(s string) {
- g.initSpec()
- g.spec.Hostname = s
+ g.initConfig()
+ g.Config.Hostname = s
}
-// ClearAnnotations clears g.spec.Annotations.
+// ClearAnnotations clears g.Config.Annotations.
func (g *Generator) ClearAnnotations() {
- if g.spec == nil {
+ if g.Config == nil {
return
}
- g.spec.Annotations = make(map[string]string)
+ g.Config.Annotations = make(map[string]string)
}
-// AddAnnotation adds an annotation into g.spec.Annotations.
+// AddAnnotation adds an annotation into g.Config.Annotations.
func (g *Generator) AddAnnotation(key, value string) {
- g.initSpecAnnotations()
- g.spec.Annotations[key] = value
+ g.initConfigAnnotations()
+ g.Config.Annotations[key] = value
}
-// RemoveAnnotation remove an annotation from g.spec.Annotations.
+// RemoveAnnotation remove an annotation from g.Config.Annotations.
func (g *Generator) RemoveAnnotation(key string) {
- if g.spec == nil || g.spec.Annotations == nil {
+ if g.Config == nil || g.Config.Annotations == nil {
+ return
+ }
+ delete(g.Config.Annotations, key)
+}
+
+// RemoveHostname removes g.Config.Hostname, setting it to an empty string.
+func (g *Generator) RemoveHostname() {
+ if g.Config == nil {
return
}
- delete(g.spec.Annotations, key)
+ g.Config.Hostname = ""
}
-// SetProcessConsoleSize sets g.spec.Process.ConsoleSize.
+// SetProcessConsoleSize sets g.Config.Process.ConsoleSize.
func (g *Generator) SetProcessConsoleSize(width, height uint) {
- g.initSpecProcessConsoleSize()
- g.spec.Process.ConsoleSize.Width = width
- g.spec.Process.ConsoleSize.Height = height
+ g.initConfigProcessConsoleSize()
+ g.Config.Process.ConsoleSize.Width = width
+ g.Config.Process.ConsoleSize.Height = height
}
-// SetProcessUID sets g.spec.Process.User.UID.
+// SetProcessUID sets g.Config.Process.User.UID.
func (g *Generator) SetProcessUID(uid uint32) {
- g.initSpecProcess()
- g.spec.Process.User.UID = uid
+ g.initConfigProcess()
+ g.Config.Process.User.UID = uid
}
-// SetProcessGID sets g.spec.Process.User.GID.
+// SetProcessUsername sets g.Config.Process.User.Username.
+func (g *Generator) SetProcessUsername(username string) {
+ g.initConfigProcess()
+ g.Config.Process.User.Username = username
+}
+
+// SetProcessGID sets g.Config.Process.User.GID.
func (g *Generator) SetProcessGID(gid uint32) {
- g.initSpecProcess()
- g.spec.Process.User.GID = gid
+ g.initConfigProcess()
+ g.Config.Process.User.GID = gid
}
-// SetProcessCwd sets g.spec.Process.Cwd.
+// SetProcessCwd sets g.Config.Process.Cwd.
func (g *Generator) SetProcessCwd(cwd string) {
- g.initSpecProcess()
- g.spec.Process.Cwd = cwd
+ g.initConfigProcess()
+ g.Config.Process.Cwd = cwd
}
-// SetProcessNoNewPrivileges sets g.spec.Process.NoNewPrivileges.
+// SetProcessNoNewPrivileges sets g.Config.Process.NoNewPrivileges.
func (g *Generator) SetProcessNoNewPrivileges(b bool) {
- g.initSpecProcess()
- g.spec.Process.NoNewPrivileges = b
+ g.initConfigProcess()
+ g.Config.Process.NoNewPrivileges = b
}
-// SetProcessTerminal sets g.spec.Process.Terminal.
+// SetProcessTerminal sets g.Config.Process.Terminal.
func (g *Generator) SetProcessTerminal(b bool) {
- g.initSpecProcess()
- g.spec.Process.Terminal = b
+ g.initConfigProcess()
+ g.Config.Process.Terminal = b
}
-// SetProcessApparmorProfile sets g.spec.Process.ApparmorProfile.
+// SetProcessApparmorProfile sets g.Config.Process.ApparmorProfile.
func (g *Generator) SetProcessApparmorProfile(prof string) {
- g.initSpecProcess()
- g.spec.Process.ApparmorProfile = prof
+ g.initConfigProcess()
+ g.Config.Process.ApparmorProfile = prof
}
-// SetProcessArgs sets g.spec.Process.Args.
+// SetProcessArgs sets g.Config.Process.Args.
func (g *Generator) SetProcessArgs(args []string) {
- g.initSpecProcess()
- g.spec.Process.Args = args
+ g.initConfigProcess()
+ g.Config.Process.Args = args
}
-// ClearProcessEnv clears g.spec.Process.Env.
+// ClearProcessEnv clears g.Config.Process.Env.
func (g *Generator) ClearProcessEnv() {
- if g.spec == nil || g.spec.Process == nil {
+ if g.Config == nil || g.Config.Process == nil {
return
}
- g.spec.Process.Env = []string{}
+ g.Config.Process.Env = []string{}
}
-// AddProcessEnv adds name=value into g.spec.Process.Env, or replaces an
+// AddProcessEnv adds name=value into g.Config.Process.Env, or replaces an
// existing entry with the given name.
func (g *Generator) AddProcessEnv(name, value string) {
- g.initSpecProcess()
+ g.initConfigProcess()
env := fmt.Sprintf("%s=%s", name, value)
- for idx := range g.spec.Process.Env {
- if strings.HasPrefix(g.spec.Process.Env[idx], name+"=") {
- g.spec.Process.Env[idx] = env
+ for idx := range g.Config.Process.Env {
+ if strings.HasPrefix(g.Config.Process.Env[idx], name+"=") {
+ g.Config.Process.Env[idx] = env
return
}
}
- g.spec.Process.Env = append(g.spec.Process.Env, env)
+ g.Config.Process.Env = append(g.Config.Process.Env, env)
}
-// AddProcessRlimits adds rlimit into g.spec.Process.Rlimits.
+// AddProcessRlimits adds rlimit into g.Config.Process.Rlimits.
func (g *Generator) AddProcessRlimits(rType string, rHard uint64, rSoft uint64) {
- g.initSpecProcess()
- for i, rlimit := range g.spec.Process.Rlimits {
+ g.initConfigProcess()
+ for i, rlimit := range g.Config.Process.Rlimits {
if rlimit.Type == rType {
- g.spec.Process.Rlimits[i].Hard = rHard
- g.spec.Process.Rlimits[i].Soft = rSoft
+ g.Config.Process.Rlimits[i].Hard = rHard
+ g.Config.Process.Rlimits[i].Soft = rSoft
return
}
}
@@ -436,91 +472,91 @@ func (g *Generator) AddProcessRlimits(rType string, rHard uint64, rSoft uint64)
Hard: rHard,
Soft: rSoft,
}
- g.spec.Process.Rlimits = append(g.spec.Process.Rlimits, newRlimit)
+ g.Config.Process.Rlimits = append(g.Config.Process.Rlimits, newRlimit)
}
-// RemoveProcessRlimits removes a rlimit from g.spec.Process.Rlimits.
+// RemoveProcessRlimits removes a rlimit from g.Config.Process.Rlimits.
func (g *Generator) RemoveProcessRlimits(rType string) {
- if g.spec == nil || g.spec.Process == nil {
+ if g.Config == nil || g.Config.Process == nil {
return
}
- for i, rlimit := range g.spec.Process.Rlimits {
+ for i, rlimit := range g.Config.Process.Rlimits {
if rlimit.Type == rType {
- g.spec.Process.Rlimits = append(g.spec.Process.Rlimits[:i], g.spec.Process.Rlimits[i+1:]...)
+ g.Config.Process.Rlimits = append(g.Config.Process.Rlimits[:i], g.Config.Process.Rlimits[i+1:]...)
return
}
}
}
-// ClearProcessRlimits clear g.spec.Process.Rlimits.
+// ClearProcessRlimits clear g.Config.Process.Rlimits.
func (g *Generator) ClearProcessRlimits() {
- if g.spec == nil || g.spec.Process == nil {
+ if g.Config == nil || g.Config.Process == nil {
return
}
- g.spec.Process.Rlimits = []rspec.POSIXRlimit{}
+ g.Config.Process.Rlimits = []rspec.POSIXRlimit{}
}
-// ClearProcessAdditionalGids clear g.spec.Process.AdditionalGids.
+// ClearProcessAdditionalGids clear g.Config.Process.AdditionalGids.
func (g *Generator) ClearProcessAdditionalGids() {
- if g.spec == nil || g.spec.Process == nil {
+ if g.Config == nil || g.Config.Process == nil {
return
}
- g.spec.Process.User.AdditionalGids = []uint32{}
+ g.Config.Process.User.AdditionalGids = []uint32{}
}
-// AddProcessAdditionalGid adds an additional gid into g.spec.Process.AdditionalGids.
+// AddProcessAdditionalGid adds an additional gid into g.Config.Process.AdditionalGids.
func (g *Generator) AddProcessAdditionalGid(gid uint32) {
- g.initSpecProcess()
- for _, group := range g.spec.Process.User.AdditionalGids {
+ g.initConfigProcess()
+ for _, group := range g.Config.Process.User.AdditionalGids {
if group == gid {
return
}
}
- g.spec.Process.User.AdditionalGids = append(g.spec.Process.User.AdditionalGids, gid)
+ g.Config.Process.User.AdditionalGids = append(g.Config.Process.User.AdditionalGids, gid)
}
-// SetProcessSelinuxLabel sets g.spec.Process.SelinuxLabel.
+// SetProcessSelinuxLabel sets g.Config.Process.SelinuxLabel.
func (g *Generator) SetProcessSelinuxLabel(label string) {
- g.initSpecProcess()
- g.spec.Process.SelinuxLabel = label
+ g.initConfigProcess()
+ g.Config.Process.SelinuxLabel = label
}
-// SetLinuxCgroupsPath sets g.spec.Linux.CgroupsPath.
+// SetLinuxCgroupsPath sets g.Config.Linux.CgroupsPath.
func (g *Generator) SetLinuxCgroupsPath(path string) {
- g.initSpecLinux()
- g.spec.Linux.CgroupsPath = path
+ g.initConfigLinux()
+ g.Config.Linux.CgroupsPath = path
}
-// SetLinuxIntelRdtL3CacheSchema sets g.spec.Linux.IntelRdt.L3CacheSchema
+// SetLinuxIntelRdtL3CacheSchema sets g.Config.Linux.IntelRdt.L3CacheSchema
func (g *Generator) SetLinuxIntelRdtL3CacheSchema(schema string) {
- g.initSpecLinuxIntelRdt()
- g.spec.Linux.IntelRdt.L3CacheSchema = schema
+ g.initConfigLinuxIntelRdt()
+ g.Config.Linux.IntelRdt.L3CacheSchema = schema
}
-// SetLinuxMountLabel sets g.spec.Linux.MountLabel.
+// SetLinuxMountLabel sets g.Config.Linux.MountLabel.
func (g *Generator) SetLinuxMountLabel(label string) {
- g.initSpecLinux()
- g.spec.Linux.MountLabel = label
+ g.initConfigLinux()
+ g.Config.Linux.MountLabel = label
}
-// SetProcessOOMScoreAdj sets g.spec.Process.OOMScoreAdj.
+// SetProcessOOMScoreAdj sets g.Config.Process.OOMScoreAdj.
func (g *Generator) SetProcessOOMScoreAdj(adj int) {
- g.initSpecProcess()
- g.spec.Process.OOMScoreAdj = &adj
+ g.initConfigProcess()
+ g.Config.Process.OOMScoreAdj = &adj
}
-// SetLinuxResourcesBlockIOLeafWeight sets g.spec.Linux.Resources.BlockIO.LeafWeight.
+// SetLinuxResourcesBlockIOLeafWeight sets g.Config.Linux.Resources.BlockIO.LeafWeight.
func (g *Generator) SetLinuxResourcesBlockIOLeafWeight(weight uint16) {
- g.initSpecLinuxResourcesBlockIO()
- g.spec.Linux.Resources.BlockIO.LeafWeight = &weight
+ g.initConfigLinuxResourcesBlockIO()
+ g.Config.Linux.Resources.BlockIO.LeafWeight = &weight
}
-// AddLinuxResourcesBlockIOLeafWeightDevice adds or sets g.spec.Linux.Resources.BlockIO.WeightDevice.LeafWeight.
+// AddLinuxResourcesBlockIOLeafWeightDevice adds or sets g.Config.Linux.Resources.BlockIO.WeightDevice.LeafWeight.
func (g *Generator) AddLinuxResourcesBlockIOLeafWeightDevice(major int64, minor int64, weight uint16) {
- g.initSpecLinuxResourcesBlockIO()
- for i, weightDevice := range g.spec.Linux.Resources.BlockIO.WeightDevice {
+ g.initConfigLinuxResourcesBlockIO()
+ for i, weightDevice := range g.Config.Linux.Resources.BlockIO.WeightDevice {
if weightDevice.Major == major && weightDevice.Minor == minor {
- g.spec.Linux.Resources.BlockIO.WeightDevice[i].LeafWeight = &weight
+ g.Config.Linux.Resources.BlockIO.WeightDevice[i].LeafWeight = &weight
return
}
}
@@ -528,43 +564,43 @@ func (g *Generator) AddLinuxResourcesBlockIOLeafWeightDevice(major int64, minor
weightDevice.Major = major
weightDevice.Minor = minor
weightDevice.LeafWeight = &weight
- g.spec.Linux.Resources.BlockIO.WeightDevice = append(g.spec.Linux.Resources.BlockIO.WeightDevice, *weightDevice)
+ g.Config.Linux.Resources.BlockIO.WeightDevice = append(g.Config.Linux.Resources.BlockIO.WeightDevice, *weightDevice)
}
-// DropLinuxResourcesBlockIOLeafWeightDevice drops a item form g.spec.Linux.Resources.BlockIO.WeightDevice.LeafWeight
+// DropLinuxResourcesBlockIOLeafWeightDevice drops a item form g.Config.Linux.Resources.BlockIO.WeightDevice.LeafWeight
func (g *Generator) DropLinuxResourcesBlockIOLeafWeightDevice(major int64, minor int64) {
- if g.spec == nil || g.spec.Linux == nil || g.spec.Linux.Resources == nil || g.spec.Linux.Resources.BlockIO == nil {
+ if g.Config == nil || g.Config.Linux == nil || g.Config.Linux.Resources == nil || g.Config.Linux.Resources.BlockIO == nil {
return
}
- for i, weightDevice := range g.spec.Linux.Resources.BlockIO.WeightDevice {
+ for i, weightDevice := range g.Config.Linux.Resources.BlockIO.WeightDevice {
if weightDevice.Major == major && weightDevice.Minor == minor {
if weightDevice.Weight != nil {
newWeightDevice := new(rspec.LinuxWeightDevice)
newWeightDevice.Major = major
newWeightDevice.Minor = minor
newWeightDevice.Weight = weightDevice.Weight
- g.spec.Linux.Resources.BlockIO.WeightDevice[i] = *newWeightDevice
+ g.Config.Linux.Resources.BlockIO.WeightDevice[i] = *newWeightDevice
} else {
- g.spec.Linux.Resources.BlockIO.WeightDevice = append(g.spec.Linux.Resources.BlockIO.WeightDevice[:i], g.spec.Linux.Resources.BlockIO.WeightDevice[i+1:]...)
+ g.Config.Linux.Resources.BlockIO.WeightDevice = append(g.Config.Linux.Resources.BlockIO.WeightDevice[:i], g.Config.Linux.Resources.BlockIO.WeightDevice[i+1:]...)
}
return
}
}
}
-// SetLinuxResourcesBlockIOWeight sets g.spec.Linux.Resources.BlockIO.Weight.
+// SetLinuxResourcesBlockIOWeight sets g.Config.Linux.Resources.BlockIO.Weight.
func (g *Generator) SetLinuxResourcesBlockIOWeight(weight uint16) {
- g.initSpecLinuxResourcesBlockIO()
- g.spec.Linux.Resources.BlockIO.Weight = &weight
+ g.initConfigLinuxResourcesBlockIO()
+ g.Config.Linux.Resources.BlockIO.Weight = &weight
}
-// AddLinuxResourcesBlockIOWeightDevice adds or sets g.spec.Linux.Resources.BlockIO.WeightDevice.Weight.
+// AddLinuxResourcesBlockIOWeightDevice adds or sets g.Config.Linux.Resources.BlockIO.WeightDevice.Weight.
func (g *Generator) AddLinuxResourcesBlockIOWeightDevice(major int64, minor int64, weight uint16) {
- g.initSpecLinuxResourcesBlockIO()
- for i, weightDevice := range g.spec.Linux.Resources.BlockIO.WeightDevice {
+ g.initConfigLinuxResourcesBlockIO()
+ for i, weightDevice := range g.Config.Linux.Resources.BlockIO.WeightDevice {
if weightDevice.Major == major && weightDevice.Minor == minor {
- g.spec.Linux.Resources.BlockIO.WeightDevice[i].Weight = &weight
+ g.Config.Linux.Resources.BlockIO.WeightDevice[i].Weight = &weight
return
}
}
@@ -572,286 +608,286 @@ func (g *Generator) AddLinuxResourcesBlockIOWeightDevice(major int64, minor int6
weightDevice.Major = major
weightDevice.Minor = minor
weightDevice.Weight = &weight
- g.spec.Linux.Resources.BlockIO.WeightDevice = append(g.spec.Linux.Resources.BlockIO.WeightDevice, *weightDevice)
+ g.Config.Linux.Resources.BlockIO.WeightDevice = append(g.Config.Linux.Resources.BlockIO.WeightDevice, *weightDevice)
}
-// DropLinuxResourcesBlockIOWeightDevice drops a item form g.spec.Linux.Resources.BlockIO.WeightDevice.Weight
+// DropLinuxResourcesBlockIOWeightDevice drops a item form g.Config.Linux.Resources.BlockIO.WeightDevice.Weight
func (g *Generator) DropLinuxResourcesBlockIOWeightDevice(major int64, minor int64) {
- if g.spec == nil || g.spec.Linux == nil || g.spec.Linux.Resources == nil || g.spec.Linux.Resources.BlockIO == nil {
+ if g.Config == nil || g.Config.Linux == nil || g.Config.Linux.Resources == nil || g.Config.Linux.Resources.BlockIO == nil {
return
}
- for i, weightDevice := range g.spec.Linux.Resources.BlockIO.WeightDevice {
+ for i, weightDevice := range g.Config.Linux.Resources.BlockIO.WeightDevice {
if weightDevice.Major == major && weightDevice.Minor == minor {
if weightDevice.LeafWeight != nil {
newWeightDevice := new(rspec.LinuxWeightDevice)
newWeightDevice.Major = major
newWeightDevice.Minor = minor
newWeightDevice.LeafWeight = weightDevice.LeafWeight
- g.spec.Linux.Resources.BlockIO.WeightDevice[i] = *newWeightDevice
+ g.Config.Linux.Resources.BlockIO.WeightDevice[i] = *newWeightDevice
} else {
- g.spec.Linux.Resources.BlockIO.WeightDevice = append(g.spec.Linux.Resources.BlockIO.WeightDevice[:i], g.spec.Linux.Resources.BlockIO.WeightDevice[i+1:]...)
+ g.Config.Linux.Resources.BlockIO.WeightDevice = append(g.Config.Linux.Resources.BlockIO.WeightDevice[:i], g.Config.Linux.Resources.BlockIO.WeightDevice[i+1:]...)
}
return
}
}
}
-// AddLinuxResourcesBlockIOThrottleReadBpsDevice adds or sets g.spec.Linux.Resources.BlockIO.ThrottleReadBpsDevice.
+// AddLinuxResourcesBlockIOThrottleReadBpsDevice adds or sets g.Config.Linux.Resources.BlockIO.ThrottleReadBpsDevice.
func (g *Generator) AddLinuxResourcesBlockIOThrottleReadBpsDevice(major int64, minor int64, rate uint64) {
- g.initSpecLinuxResourcesBlockIO()
- throttleDevices := addOrReplaceBlockIOThrottleDevice(g.spec.Linux.Resources.BlockIO.ThrottleReadBpsDevice, major, minor, rate)
- g.spec.Linux.Resources.BlockIO.ThrottleReadBpsDevice = throttleDevices
+ g.initConfigLinuxResourcesBlockIO()
+ throttleDevices := addOrReplaceBlockIOThrottleDevice(g.Config.Linux.Resources.BlockIO.ThrottleReadBpsDevice, major, minor, rate)
+ g.Config.Linux.Resources.BlockIO.ThrottleReadBpsDevice = throttleDevices
}
-// DropLinuxResourcesBlockIOThrottleReadBpsDevice drops a item from g.spec.Linux.Resources.BlockIO.ThrottleReadBpsDevice.
+// DropLinuxResourcesBlockIOThrottleReadBpsDevice drops a item from g.Config.Linux.Resources.BlockIO.ThrottleReadBpsDevice.
func (g *Generator) DropLinuxResourcesBlockIOThrottleReadBpsDevice(major int64, minor int64) {
- if g.spec == nil || g.spec.Linux == nil || g.spec.Linux.Resources == nil || g.spec.Linux.Resources.BlockIO == nil {
+ if g.Config == nil || g.Config.Linux == nil || g.Config.Linux.Resources == nil || g.Config.Linux.Resources.BlockIO == nil {
return
}
- throttleDevices := dropBlockIOThrottleDevice(g.spec.Linux.Resources.BlockIO.ThrottleReadBpsDevice, major, minor)
- g.spec.Linux.Resources.BlockIO.ThrottleReadBpsDevice = throttleDevices
+ throttleDevices := dropBlockIOThrottleDevice(g.Config.Linux.Resources.BlockIO.ThrottleReadBpsDevice, major, minor)
+ g.Config.Linux.Resources.BlockIO.ThrottleReadBpsDevice = throttleDevices
}
-// AddLinuxResourcesBlockIOThrottleReadIOPSDevice adds or sets g.spec.Linux.Resources.BlockIO.ThrottleReadIOPSDevice.
+// AddLinuxResourcesBlockIOThrottleReadIOPSDevice adds or sets g.Config.Linux.Resources.BlockIO.ThrottleReadIOPSDevice.
func (g *Generator) AddLinuxResourcesBlockIOThrottleReadIOPSDevice(major int64, minor int64, rate uint64) {
- g.initSpecLinuxResourcesBlockIO()
- throttleDevices := addOrReplaceBlockIOThrottleDevice(g.spec.Linux.Resources.BlockIO.ThrottleReadIOPSDevice, major, minor, rate)
- g.spec.Linux.Resources.BlockIO.ThrottleReadIOPSDevice = throttleDevices
+ g.initConfigLinuxResourcesBlockIO()
+ throttleDevices := addOrReplaceBlockIOThrottleDevice(g.Config.Linux.Resources.BlockIO.ThrottleReadIOPSDevice, major, minor, rate)
+ g.Config.Linux.Resources.BlockIO.ThrottleReadIOPSDevice = throttleDevices
}
-// DropLinuxResourcesBlockIOThrottleReadIOPSDevice drops a item from g.spec.Linux.Resources.BlockIO.ThrottleReadIOPSDevice.
+// DropLinuxResourcesBlockIOThrottleReadIOPSDevice drops a item from g.Config.Linux.Resources.BlockIO.ThrottleReadIOPSDevice.
func (g *Generator) DropLinuxResourcesBlockIOThrottleReadIOPSDevice(major int64, minor int64) {
- if g.spec == nil || g.spec.Linux == nil || g.spec.Linux.Resources == nil || g.spec.Linux.Resources.BlockIO == nil {
+ if g.Config == nil || g.Config.Linux == nil || g.Config.Linux.Resources == nil || g.Config.Linux.Resources.BlockIO == nil {
return
}
- throttleDevices := dropBlockIOThrottleDevice(g.spec.Linux.Resources.BlockIO.ThrottleReadIOPSDevice, major, minor)
- g.spec.Linux.Resources.BlockIO.ThrottleReadIOPSDevice = throttleDevices
+ throttleDevices := dropBlockIOThrottleDevice(g.Config.Linux.Resources.BlockIO.ThrottleReadIOPSDevice, major, minor)
+ g.Config.Linux.Resources.BlockIO.ThrottleReadIOPSDevice = throttleDevices
}
-// AddLinuxResourcesBlockIOThrottleWriteBpsDevice adds or sets g.spec.Linux.Resources.BlockIO.ThrottleWriteBpsDevice.
+// AddLinuxResourcesBlockIOThrottleWriteBpsDevice adds or sets g.Config.Linux.Resources.BlockIO.ThrottleWriteBpsDevice.
func (g *Generator) AddLinuxResourcesBlockIOThrottleWriteBpsDevice(major int64, minor int64, rate uint64) {
- g.initSpecLinuxResourcesBlockIO()
- throttleDevices := addOrReplaceBlockIOThrottleDevice(g.spec.Linux.Resources.BlockIO.ThrottleWriteBpsDevice, major, minor, rate)
- g.spec.Linux.Resources.BlockIO.ThrottleWriteBpsDevice = throttleDevices
+ g.initConfigLinuxResourcesBlockIO()
+ throttleDevices := addOrReplaceBlockIOThrottleDevice(g.Config.Linux.Resources.BlockIO.ThrottleWriteBpsDevice, major, minor, rate)
+ g.Config.Linux.Resources.BlockIO.ThrottleWriteBpsDevice = throttleDevices
}
-// DropLinuxResourcesBlockIOThrottleWriteBpsDevice drops a item from g.spec.Linux.Resources.BlockIO.ThrottleWriteBpsDevice.
+// DropLinuxResourcesBlockIOThrottleWriteBpsDevice drops a item from g.Config.Linux.Resources.BlockIO.ThrottleWriteBpsDevice.
func (g *Generator) DropLinuxResourcesBlockIOThrottleWriteBpsDevice(major int64, minor int64) {
- if g.spec == nil || g.spec.Linux == nil || g.spec.Linux.Resources == nil || g.spec.Linux.Resources.BlockIO == nil {
+ if g.Config == nil || g.Config.Linux == nil || g.Config.Linux.Resources == nil || g.Config.Linux.Resources.BlockIO == nil {
return
}
- throttleDevices := dropBlockIOThrottleDevice(g.spec.Linux.Resources.BlockIO.ThrottleWriteBpsDevice, major, minor)
- g.spec.Linux.Resources.BlockIO.ThrottleWriteBpsDevice = throttleDevices
+ throttleDevices := dropBlockIOThrottleDevice(g.Config.Linux.Resources.BlockIO.ThrottleWriteBpsDevice, major, minor)
+ g.Config.Linux.Resources.BlockIO.ThrottleWriteBpsDevice = throttleDevices
}
-// AddLinuxResourcesBlockIOThrottleWriteIOPSDevice adds or sets g.spec.Linux.Resources.BlockIO.ThrottleWriteIOPSDevice.
+// AddLinuxResourcesBlockIOThrottleWriteIOPSDevice adds or sets g.Config.Linux.Resources.BlockIO.ThrottleWriteIOPSDevice.
func (g *Generator) AddLinuxResourcesBlockIOThrottleWriteIOPSDevice(major int64, minor int64, rate uint64) {
- g.initSpecLinuxResourcesBlockIO()
- throttleDevices := addOrReplaceBlockIOThrottleDevice(g.spec.Linux.Resources.BlockIO.ThrottleWriteIOPSDevice, major, minor, rate)
- g.spec.Linux.Resources.BlockIO.ThrottleWriteIOPSDevice = throttleDevices
+ g.initConfigLinuxResourcesBlockIO()
+ throttleDevices := addOrReplaceBlockIOThrottleDevice(g.Config.Linux.Resources.BlockIO.ThrottleWriteIOPSDevice, major, minor, rate)
+ g.Config.Linux.Resources.BlockIO.ThrottleWriteIOPSDevice = throttleDevices
}
-// DropLinuxResourcesBlockIOThrottleWriteIOPSDevice drops a item from g.spec.Linux.Resources.BlockIO.ThrottleWriteIOPSDevice.
+// DropLinuxResourcesBlockIOThrottleWriteIOPSDevice drops a item from g.Config.Linux.Resources.BlockIO.ThrottleWriteIOPSDevice.
func (g *Generator) DropLinuxResourcesBlockIOThrottleWriteIOPSDevice(major int64, minor int64) {
- if g.spec == nil || g.spec.Linux == nil || g.spec.Linux.Resources == nil || g.spec.Linux.Resources.BlockIO == nil {
+ if g.Config == nil || g.Config.Linux == nil || g.Config.Linux.Resources == nil || g.Config.Linux.Resources.BlockIO == nil {
return
}
- throttleDevices := dropBlockIOThrottleDevice(g.spec.Linux.Resources.BlockIO.ThrottleWriteIOPSDevice, major, minor)
- g.spec.Linux.Resources.BlockIO.ThrottleWriteIOPSDevice = throttleDevices
+ throttleDevices := dropBlockIOThrottleDevice(g.Config.Linux.Resources.BlockIO.ThrottleWriteIOPSDevice, major, minor)
+ g.Config.Linux.Resources.BlockIO.ThrottleWriteIOPSDevice = throttleDevices
}
-// SetLinuxResourcesCPUShares sets g.spec.Linux.Resources.CPU.Shares.
+// SetLinuxResourcesCPUShares sets g.Config.Linux.Resources.CPU.Shares.
func (g *Generator) SetLinuxResourcesCPUShares(shares uint64) {
- g.initSpecLinuxResourcesCPU()
- g.spec.Linux.Resources.CPU.Shares = &shares
+ g.InitConfigLinuxResourcesCPU()
+ g.Config.Linux.Resources.CPU.Shares = &shares
}
-// SetLinuxResourcesCPUQuota sets g.spec.Linux.Resources.CPU.Quota.
+// SetLinuxResourcesCPUQuota sets g.Config.Linux.Resources.CPU.Quota.
func (g *Generator) SetLinuxResourcesCPUQuota(quota int64) {
- g.initSpecLinuxResourcesCPU()
- g.spec.Linux.Resources.CPU.Quota = &quota
+ g.InitConfigLinuxResourcesCPU()
+ g.Config.Linux.Resources.CPU.Quota = &quota
}
-// SetLinuxResourcesCPUPeriod sets g.spec.Linux.Resources.CPU.Period.
+// SetLinuxResourcesCPUPeriod sets g.Config.Linux.Resources.CPU.Period.
func (g *Generator) SetLinuxResourcesCPUPeriod(period uint64) {
- g.initSpecLinuxResourcesCPU()
- g.spec.Linux.Resources.CPU.Period = &period
+ g.InitConfigLinuxResourcesCPU()
+ g.Config.Linux.Resources.CPU.Period = &period
}
-// SetLinuxResourcesCPURealtimeRuntime sets g.spec.Linux.Resources.CPU.RealtimeRuntime.
+// SetLinuxResourcesCPURealtimeRuntime sets g.Config.Linux.Resources.CPU.RealtimeRuntime.
func (g *Generator) SetLinuxResourcesCPURealtimeRuntime(time int64) {
- g.initSpecLinuxResourcesCPU()
- g.spec.Linux.Resources.CPU.RealtimeRuntime = &time
+ g.InitConfigLinuxResourcesCPU()
+ g.Config.Linux.Resources.CPU.RealtimeRuntime = &time
}
-// SetLinuxResourcesCPURealtimePeriod sets g.spec.Linux.Resources.CPU.RealtimePeriod.
+// SetLinuxResourcesCPURealtimePeriod sets g.Config.Linux.Resources.CPU.RealtimePeriod.
func (g *Generator) SetLinuxResourcesCPURealtimePeriod(period uint64) {
- g.initSpecLinuxResourcesCPU()
- g.spec.Linux.Resources.CPU.RealtimePeriod = &period
+ g.InitConfigLinuxResourcesCPU()
+ g.Config.Linux.Resources.CPU.RealtimePeriod = &period
}
-// SetLinuxResourcesCPUCpus sets g.spec.Linux.Resources.CPU.Cpus.
+// SetLinuxResourcesCPUCpus sets g.Config.Linux.Resources.CPU.Cpus.
func (g *Generator) SetLinuxResourcesCPUCpus(cpus string) {
- g.initSpecLinuxResourcesCPU()
- g.spec.Linux.Resources.CPU.Cpus = cpus
+ g.InitConfigLinuxResourcesCPU()
+ g.Config.Linux.Resources.CPU.Cpus = cpus
}
-// SetLinuxResourcesCPUMems sets g.spec.Linux.Resources.CPU.Mems.
+// SetLinuxResourcesCPUMems sets g.Config.Linux.Resources.CPU.Mems.
func (g *Generator) SetLinuxResourcesCPUMems(mems string) {
- g.initSpecLinuxResourcesCPU()
- g.spec.Linux.Resources.CPU.Mems = mems
+ g.InitConfigLinuxResourcesCPU()
+ g.Config.Linux.Resources.CPU.Mems = mems
}
-// AddLinuxResourcesHugepageLimit adds or sets g.spec.Linux.Resources.HugepageLimits.
+// AddLinuxResourcesHugepageLimit adds or sets g.Config.Linux.Resources.HugepageLimits.
func (g *Generator) AddLinuxResourcesHugepageLimit(pageSize string, limit uint64) {
hugepageLimit := rspec.LinuxHugepageLimit{
Pagesize: pageSize,
Limit: limit,
}
- g.initSpecLinuxResources()
- for i, pageLimit := range g.spec.Linux.Resources.HugepageLimits {
+ g.initConfigLinuxResources()
+ for i, pageLimit := range g.Config.Linux.Resources.HugepageLimits {
if pageLimit.Pagesize == pageSize {
- g.spec.Linux.Resources.HugepageLimits[i].Limit = limit
+ g.Config.Linux.Resources.HugepageLimits[i].Limit = limit
return
}
}
- g.spec.Linux.Resources.HugepageLimits = append(g.spec.Linux.Resources.HugepageLimits, hugepageLimit)
+ g.Config.Linux.Resources.HugepageLimits = append(g.Config.Linux.Resources.HugepageLimits, hugepageLimit)
}
-// DropLinuxResourcesHugepageLimit drops a hugepage limit from g.spec.Linux.Resources.HugepageLimits.
+// DropLinuxResourcesHugepageLimit drops a hugepage limit from g.Config.Linux.Resources.HugepageLimits.
func (g *Generator) DropLinuxResourcesHugepageLimit(pageSize string) {
- if g.spec == nil || g.spec.Linux == nil || g.spec.Linux.Resources == nil {
+ if g.Config == nil || g.Config.Linux == nil || g.Config.Linux.Resources == nil {
return
}
- for i, pageLimit := range g.spec.Linux.Resources.HugepageLimits {
+ for i, pageLimit := range g.Config.Linux.Resources.HugepageLimits {
if pageLimit.Pagesize == pageSize {
- g.spec.Linux.Resources.HugepageLimits = append(g.spec.Linux.Resources.HugepageLimits[:i], g.spec.Linux.Resources.HugepageLimits[i+1:]...)
+ g.Config.Linux.Resources.HugepageLimits = append(g.Config.Linux.Resources.HugepageLimits[:i], g.Config.Linux.Resources.HugepageLimits[i+1:]...)
return
}
}
}
-// SetLinuxResourcesMemoryLimit sets g.spec.Linux.Resources.Memory.Limit.
+// SetLinuxResourcesMemoryLimit sets g.Config.Linux.Resources.Memory.Limit.
func (g *Generator) SetLinuxResourcesMemoryLimit(limit int64) {
- g.initSpecLinuxResourcesMemory()
- g.spec.Linux.Resources.Memory.Limit = &limit
+ g.initConfigLinuxResourcesMemory()
+ g.Config.Linux.Resources.Memory.Limit = &limit
}
-// SetLinuxResourcesMemoryReservation sets g.spec.Linux.Resources.Memory.Reservation.
+// SetLinuxResourcesMemoryReservation sets g.Config.Linux.Resources.Memory.Reservation.
func (g *Generator) SetLinuxResourcesMemoryReservation(reservation int64) {
- g.initSpecLinuxResourcesMemory()
- g.spec.Linux.Resources.Memory.Reservation = &reservation
+ g.initConfigLinuxResourcesMemory()
+ g.Config.Linux.Resources.Memory.Reservation = &reservation
}
-// SetLinuxResourcesMemorySwap sets g.spec.Linux.Resources.Memory.Swap.
+// SetLinuxResourcesMemorySwap sets g.Config.Linux.Resources.Memory.Swap.
func (g *Generator) SetLinuxResourcesMemorySwap(swap int64) {
- g.initSpecLinuxResourcesMemory()
- g.spec.Linux.Resources.Memory.Swap = &swap
+ g.initConfigLinuxResourcesMemory()
+ g.Config.Linux.Resources.Memory.Swap = &swap
}
-// SetLinuxResourcesMemoryKernel sets g.spec.Linux.Resources.Memory.Kernel.
+// SetLinuxResourcesMemoryKernel sets g.Config.Linux.Resources.Memory.Kernel.
func (g *Generator) SetLinuxResourcesMemoryKernel(kernel int64) {
- g.initSpecLinuxResourcesMemory()
- g.spec.Linux.Resources.Memory.Kernel = &kernel
+ g.initConfigLinuxResourcesMemory()
+ g.Config.Linux.Resources.Memory.Kernel = &kernel
}
-// SetLinuxResourcesMemoryKernelTCP sets g.spec.Linux.Resources.Memory.KernelTCP.
+// SetLinuxResourcesMemoryKernelTCP sets g.Config.Linux.Resources.Memory.KernelTCP.
func (g *Generator) SetLinuxResourcesMemoryKernelTCP(kernelTCP int64) {
- g.initSpecLinuxResourcesMemory()
- g.spec.Linux.Resources.Memory.KernelTCP = &kernelTCP
+ g.initConfigLinuxResourcesMemory()
+ g.Config.Linux.Resources.Memory.KernelTCP = &kernelTCP
}
-// SetLinuxResourcesMemorySwappiness sets g.spec.Linux.Resources.Memory.Swappiness.
+// SetLinuxResourcesMemorySwappiness sets g.Config.Linux.Resources.Memory.Swappiness.
func (g *Generator) SetLinuxResourcesMemorySwappiness(swappiness uint64) {
- g.initSpecLinuxResourcesMemory()
- g.spec.Linux.Resources.Memory.Swappiness = &swappiness
+ g.initConfigLinuxResourcesMemory()
+ g.Config.Linux.Resources.Memory.Swappiness = &swappiness
}
-// SetLinuxResourcesMemoryDisableOOMKiller sets g.spec.Linux.Resources.Memory.DisableOOMKiller.
+// SetLinuxResourcesMemoryDisableOOMKiller sets g.Config.Linux.Resources.Memory.DisableOOMKiller.
func (g *Generator) SetLinuxResourcesMemoryDisableOOMKiller(disable bool) {
- g.initSpecLinuxResourcesMemory()
- g.spec.Linux.Resources.Memory.DisableOOMKiller = &disable
+ g.initConfigLinuxResourcesMemory()
+ g.Config.Linux.Resources.Memory.DisableOOMKiller = &disable
}
-// SetLinuxResourcesNetworkClassID sets g.spec.Linux.Resources.Network.ClassID.
+// SetLinuxResourcesNetworkClassID sets g.Config.Linux.Resources.Network.ClassID.
func (g *Generator) SetLinuxResourcesNetworkClassID(classid uint32) {
- g.initSpecLinuxResourcesNetwork()
- g.spec.Linux.Resources.Network.ClassID = &classid
+ g.initConfigLinuxResourcesNetwork()
+ g.Config.Linux.Resources.Network.ClassID = &classid
}
-// AddLinuxResourcesNetworkPriorities adds or sets g.spec.Linux.Resources.Network.Priorities.
+// AddLinuxResourcesNetworkPriorities adds or sets g.Config.Linux.Resources.Network.Priorities.
func (g *Generator) AddLinuxResourcesNetworkPriorities(name string, prio uint32) {
- g.initSpecLinuxResourcesNetwork()
- for i, netPriority := range g.spec.Linux.Resources.Network.Priorities {
+ g.initConfigLinuxResourcesNetwork()
+ for i, netPriority := range g.Config.Linux.Resources.Network.Priorities {
if netPriority.Name == name {
- g.spec.Linux.Resources.Network.Priorities[i].Priority = prio
+ g.Config.Linux.Resources.Network.Priorities[i].Priority = prio
return
}
}
interfacePrio := new(rspec.LinuxInterfacePriority)
interfacePrio.Name = name
interfacePrio.Priority = prio
- g.spec.Linux.Resources.Network.Priorities = append(g.spec.Linux.Resources.Network.Priorities, *interfacePrio)
+ g.Config.Linux.Resources.Network.Priorities = append(g.Config.Linux.Resources.Network.Priorities, *interfacePrio)
}
-// DropLinuxResourcesNetworkPriorities drops one item from g.spec.Linux.Resources.Network.Priorities.
+// DropLinuxResourcesNetworkPriorities drops one item from g.Config.Linux.Resources.Network.Priorities.
func (g *Generator) DropLinuxResourcesNetworkPriorities(name string) {
- if g.spec == nil || g.spec.Linux == nil || g.spec.Linux.Resources == nil || g.spec.Linux.Resources.Network == nil {
+ if g.Config == nil || g.Config.Linux == nil || g.Config.Linux.Resources == nil || g.Config.Linux.Resources.Network == nil {
return
}
- for i, netPriority := range g.spec.Linux.Resources.Network.Priorities {
+ for i, netPriority := range g.Config.Linux.Resources.Network.Priorities {
if netPriority.Name == name {
- g.spec.Linux.Resources.Network.Priorities = append(g.spec.Linux.Resources.Network.Priorities[:i], g.spec.Linux.Resources.Network.Priorities[i+1:]...)
+ g.Config.Linux.Resources.Network.Priorities = append(g.Config.Linux.Resources.Network.Priorities[:i], g.Config.Linux.Resources.Network.Priorities[i+1:]...)
return
}
}
}
-// SetLinuxResourcesPidsLimit sets g.spec.Linux.Resources.Pids.Limit.
+// SetLinuxResourcesPidsLimit sets g.Config.Linux.Resources.Pids.Limit.
func (g *Generator) SetLinuxResourcesPidsLimit(limit int64) {
- g.initSpecLinuxResourcesPids()
- g.spec.Linux.Resources.Pids.Limit = limit
+ g.initConfigLinuxResourcesPids()
+ g.Config.Linux.Resources.Pids.Limit = limit
}
-// ClearLinuxSysctl clears g.spec.Linux.Sysctl.
+// ClearLinuxSysctl clears g.Config.Linux.Sysctl.
func (g *Generator) ClearLinuxSysctl() {
- if g.spec == nil || g.spec.Linux == nil {
+ if g.Config == nil || g.Config.Linux == nil {
return
}
- g.spec.Linux.Sysctl = make(map[string]string)
+ g.Config.Linux.Sysctl = make(map[string]string)
}
-// AddLinuxSysctl adds a new sysctl config into g.spec.Linux.Sysctl.
+// AddLinuxSysctl adds a new sysctl config into g.Config.Linux.Sysctl.
func (g *Generator) AddLinuxSysctl(key, value string) {
- g.initSpecLinuxSysctl()
- g.spec.Linux.Sysctl[key] = value
+ g.initConfigLinuxSysctl()
+ g.Config.Linux.Sysctl[key] = value
}
-// RemoveLinuxSysctl removes a sysctl config from g.spec.Linux.Sysctl.
+// RemoveLinuxSysctl removes a sysctl config from g.Config.Linux.Sysctl.
func (g *Generator) RemoveLinuxSysctl(key string) {
- if g.spec == nil || g.spec.Linux == nil || g.spec.Linux.Sysctl == nil {
+ if g.Config == nil || g.Config.Linux == nil || g.Config.Linux.Sysctl == nil {
return
}
- delete(g.spec.Linux.Sysctl, key)
+ delete(g.Config.Linux.Sysctl, key)
}
-// ClearLinuxUIDMappings clear g.spec.Linux.UIDMappings.
+// ClearLinuxUIDMappings clear g.Config.Linux.UIDMappings.
func (g *Generator) ClearLinuxUIDMappings() {
- if g.spec == nil || g.spec.Linux == nil {
+ if g.Config == nil || g.Config.Linux == nil {
return
}
- g.spec.Linux.UIDMappings = []rspec.LinuxIDMapping{}
+ g.Config.Linux.UIDMappings = []rspec.LinuxIDMapping{}
}
-// AddLinuxUIDMapping adds uidMap into g.spec.Linux.UIDMappings.
+// AddLinuxUIDMapping adds uidMap into g.Config.Linux.UIDMappings.
func (g *Generator) AddLinuxUIDMapping(hid, cid, size uint32) {
idMapping := rspec.LinuxIDMapping{
HostID: hid,
@@ -859,19 +895,19 @@ func (g *Generator) AddLinuxUIDMapping(hid, cid, size uint32) {
Size: size,
}
- g.initSpecLinux()
- g.spec.Linux.UIDMappings = append(g.spec.Linux.UIDMappings, idMapping)
+ g.initConfigLinux()
+ g.Config.Linux.UIDMappings = append(g.Config.Linux.UIDMappings, idMapping)
}
-// ClearLinuxGIDMappings clear g.spec.Linux.GIDMappings.
+// ClearLinuxGIDMappings clear g.Config.Linux.GIDMappings.
func (g *Generator) ClearLinuxGIDMappings() {
- if g.spec == nil || g.spec.Linux == nil {
+ if g.Config == nil || g.Config.Linux == nil {
return
}
- g.spec.Linux.GIDMappings = []rspec.LinuxIDMapping{}
+ g.Config.Linux.GIDMappings = []rspec.LinuxIDMapping{}
}
-// AddLinuxGIDMapping adds gidMap into g.spec.Linux.GIDMappings.
+// AddLinuxGIDMapping adds gidMap into g.Config.Linux.GIDMappings.
func (g *Generator) AddLinuxGIDMapping(hid, cid, size uint32) {
idMapping := rspec.LinuxIDMapping{
HostID: hid,
@@ -879,11 +915,11 @@ func (g *Generator) AddLinuxGIDMapping(hid, cid, size uint32) {
Size: size,
}
- g.initSpecLinux()
- g.spec.Linux.GIDMappings = append(g.spec.Linux.GIDMappings, idMapping)
+ g.initConfigLinux()
+ g.Config.Linux.GIDMappings = append(g.Config.Linux.GIDMappings, idMapping)
}
-// SetLinuxRootPropagation sets g.spec.Linux.RootfsPropagation.
+// SetLinuxRootPropagation sets g.Config.Linux.RootfsPropagation.
func (g *Generator) SetLinuxRootPropagation(rp string) error {
switch rp {
case "":
@@ -898,88 +934,70 @@ func (g *Generator) SetLinuxRootPropagation(rp string) error {
default:
return fmt.Errorf("rootfs-propagation %q must be empty or one of (r)private|(r)slave|(r)shared|(r)unbindable", rp)
}
- g.initSpecLinux()
- g.spec.Linux.RootfsPropagation = rp
+ g.initConfigLinux()
+ g.Config.Linux.RootfsPropagation = rp
return nil
}
-// ClearPreStartHooks clear g.spec.Hooks.Prestart.
+// ClearPreStartHooks clear g.Config.Hooks.Prestart.
func (g *Generator) ClearPreStartHooks() {
- if g.spec == nil || g.spec.Hooks == nil {
+ if g.Config == nil || g.Config.Hooks == nil {
return
}
- g.spec.Hooks.Prestart = []rspec.Hook{}
+ g.Config.Hooks.Prestart = []rspec.Hook{}
}
-// AddPreStartHook add a prestart hook into g.spec.Hooks.Prestart.
+// AddPreStartHook add a prestart hook into g.Config.Hooks.Prestart.
func (g *Generator) AddPreStartHook(preStartHook rspec.Hook) error {
- g.initSpecHooks()
- for i, hook := range g.spec.Hooks.Prestart {
- if hook.Path == preStartHook.Path {
- g.spec.Hooks.Prestart[i] = preStartHook
- return nil
- }
- }
- g.spec.Hooks.Prestart = append(g.spec.Hooks.Prestart, preStartHook)
+ g.initConfigHooks()
+ g.Config.Hooks.Prestart = append(g.Config.Hooks.Prestart, preStartHook)
return nil
}
-// ClearPostStopHooks clear g.spec.Hooks.Poststop.
+// ClearPostStopHooks clear g.Config.Hooks.Poststop.
func (g *Generator) ClearPostStopHooks() {
- if g.spec == nil || g.spec.Hooks == nil {
+ if g.Config == nil || g.Config.Hooks == nil {
return
}
- g.spec.Hooks.Poststop = []rspec.Hook{}
+ g.Config.Hooks.Poststop = []rspec.Hook{}
}
-// AddPostStopHook adds a poststop hook into g.spec.Hooks.Poststop.
+// AddPostStopHook adds a poststop hook into g.Config.Hooks.Poststop.
func (g *Generator) AddPostStopHook(postStopHook rspec.Hook) error {
- g.initSpecHooks()
- for i, hook := range g.spec.Hooks.Poststop {
- if hook.Path == postStopHook.Path {
- g.spec.Hooks.Poststop[i] = postStopHook
- return nil
- }
- }
- g.spec.Hooks.Poststop = append(g.spec.Hooks.Poststop, postStopHook)
+ g.initConfigHooks()
+ g.Config.Hooks.Poststop = append(g.Config.Hooks.Poststop, postStopHook)
return nil
}
-// ClearPostStartHooks clear g.spec.Hooks.Poststart.
+// ClearPostStartHooks clear g.Config.Hooks.Poststart.
func (g *Generator) ClearPostStartHooks() {
- if g.spec == nil || g.spec.Hooks == nil {
+ if g.Config == nil || g.Config.Hooks == nil {
return
}
- g.spec.Hooks.Poststart = []rspec.Hook{}
+ g.Config.Hooks.Poststart = []rspec.Hook{}
}
-// AddPostStartHook adds a poststart hook into g.spec.Hooks.Poststart.
+// AddPostStartHook adds a poststart hook into g.Config.Hooks.Poststart.
func (g *Generator) AddPostStartHook(postStartHook rspec.Hook) error {
- g.initSpecHooks()
- for i, hook := range g.spec.Hooks.Poststart {
- if hook.Path == postStartHook.Path {
- g.spec.Hooks.Poststart[i] = postStartHook
- return nil
- }
- }
- g.spec.Hooks.Poststart = append(g.spec.Hooks.Poststart, postStartHook)
+ g.initConfigHooks()
+ g.Config.Hooks.Poststart = append(g.Config.Hooks.Poststart, postStartHook)
return nil
}
-// AddMount adds a mount into g.spec.Mounts.
+// AddMount adds a mount into g.Config.Mounts.
func (g *Generator) AddMount(mnt rspec.Mount) {
- g.initSpec()
+ g.initConfig()
- g.spec.Mounts = append(g.spec.Mounts, mnt)
+ g.Config.Mounts = append(g.Config.Mounts, mnt)
}
// RemoveMount removes a mount point on the dest directory
func (g *Generator) RemoveMount(dest string) {
- g.initSpec()
+ g.initConfig()
- for index, mount := range g.spec.Mounts {
+ for index, mount := range g.Config.Mounts {
if mount.Destination == dest {
- g.spec.Mounts = append(g.spec.Mounts[:index], g.spec.Mounts[index+1:]...)
+ g.Config.Mounts = append(g.Config.Mounts[:index], g.Config.Mounts[index+1:]...)
return
}
}
@@ -987,20 +1005,20 @@ func (g *Generator) RemoveMount(dest string) {
// Mounts returns the list of mounts
func (g *Generator) Mounts() []rspec.Mount {
- g.initSpec()
+ g.initConfig()
- return g.spec.Mounts
+ return g.Config.Mounts
}
-// ClearMounts clear g.spec.Mounts
+// ClearMounts clear g.Config.Mounts
func (g *Generator) ClearMounts() {
- if g.spec == nil {
+ if g.Config == nil {
return
}
- g.spec.Mounts = []rspec.Mount{}
+ g.Config.Mounts = []rspec.Mount{}
}
-// SetupPrivileged sets up the privilege-related fields inside g.spec.
+// SetupPrivileged sets up the privilege-related fields inside g.Config.
func (g *Generator) SetupPrivileged(privileged bool) {
if privileged { // Add all capabilities in privileged mode.
var finalCapList []string
@@ -1010,43 +1028,43 @@ func (g *Generator) SetupPrivileged(privileged bool) {
}
finalCapList = append(finalCapList, fmt.Sprintf("CAP_%s", strings.ToUpper(cap.String())))
}
- g.initSpecLinux()
- g.initSpecProcessCapabilities()
+ g.initConfigLinux()
+ g.initConfigProcessCapabilities()
g.ClearProcessCapabilities()
- g.spec.Process.Capabilities.Bounding = append(g.spec.Process.Capabilities.Bounding, finalCapList...)
- g.spec.Process.Capabilities.Effective = append(g.spec.Process.Capabilities.Effective, finalCapList...)
- g.spec.Process.Capabilities.Inheritable = append(g.spec.Process.Capabilities.Inheritable, finalCapList...)
- g.spec.Process.Capabilities.Permitted = append(g.spec.Process.Capabilities.Permitted, finalCapList...)
- g.spec.Process.Capabilities.Ambient = append(g.spec.Process.Capabilities.Ambient, finalCapList...)
- g.spec.Process.SelinuxLabel = ""
- g.spec.Process.ApparmorProfile = ""
- g.spec.Linux.Seccomp = nil
+ g.Config.Process.Capabilities.Bounding = append(g.Config.Process.Capabilities.Bounding, finalCapList...)
+ g.Config.Process.Capabilities.Effective = append(g.Config.Process.Capabilities.Effective, finalCapList...)
+ g.Config.Process.Capabilities.Inheritable = append(g.Config.Process.Capabilities.Inheritable, finalCapList...)
+ g.Config.Process.Capabilities.Permitted = append(g.Config.Process.Capabilities.Permitted, finalCapList...)
+ g.Config.Process.Capabilities.Ambient = append(g.Config.Process.Capabilities.Ambient, finalCapList...)
+ g.Config.Process.SelinuxLabel = ""
+ g.Config.Process.ApparmorProfile = ""
+ g.Config.Linux.Seccomp = nil
}
}
-// ClearProcessCapabilities clear g.spec.Process.Capabilities.
+// ClearProcessCapabilities clear g.Config.Process.Capabilities.
func (g *Generator) ClearProcessCapabilities() {
- if g.spec == nil || g.spec.Process == nil || g.spec.Process.Capabilities == nil {
+ if g.Config == nil || g.Config.Process == nil || g.Config.Process.Capabilities == nil {
return
}
- g.spec.Process.Capabilities.Bounding = []string{}
- g.spec.Process.Capabilities.Effective = []string{}
- g.spec.Process.Capabilities.Inheritable = []string{}
- g.spec.Process.Capabilities.Permitted = []string{}
- g.spec.Process.Capabilities.Ambient = []string{}
+ g.Config.Process.Capabilities.Bounding = []string{}
+ g.Config.Process.Capabilities.Effective = []string{}
+ g.Config.Process.Capabilities.Inheritable = []string{}
+ g.Config.Process.Capabilities.Permitted = []string{}
+ g.Config.Process.Capabilities.Ambient = []string{}
}
-// AddProcessCapabilityAmbient adds a process capability into g.spec.Process.Capabilities.Ambient.
+// AddProcessCapabilityAmbient adds a process capability into g.Config.Process.Capabilities.Ambient.
func (g *Generator) AddProcessCapabilityAmbient(c string) error {
cp := strings.ToUpper(c)
if err := validate.CapValid(cp, g.HostSpecific); err != nil {
return err
}
- g.initSpecProcessCapabilities()
+ g.initConfigProcessCapabilities()
var foundAmbient bool
- for _, cap := range g.spec.Process.Capabilities.Ambient {
+ for _, cap := range g.Config.Process.Capabilities.Ambient {
if strings.ToUpper(cap) == cp {
foundAmbient = true
break
@@ -1054,178 +1072,178 @@ func (g *Generator) AddProcessCapabilityAmbient(c string) error {
}
if !foundAmbient {
- g.spec.Process.Capabilities.Ambient = append(g.spec.Process.Capabilities.Ambient, cp)
+ g.Config.Process.Capabilities.Ambient = append(g.Config.Process.Capabilities.Ambient, cp)
}
return nil
}
-// AddProcessCapabilityBounding adds a process capability into g.spec.Process.Capabilities.Bounding.
+// AddProcessCapabilityBounding adds a process capability into g.Config.Process.Capabilities.Bounding.
func (g *Generator) AddProcessCapabilityBounding(c string) error {
cp := strings.ToUpper(c)
if err := validate.CapValid(cp, g.HostSpecific); err != nil {
return err
}
- g.initSpecProcessCapabilities()
+ g.initConfigProcessCapabilities()
var foundBounding bool
- for _, cap := range g.spec.Process.Capabilities.Bounding {
+ for _, cap := range g.Config.Process.Capabilities.Bounding {
if strings.ToUpper(cap) == cp {
foundBounding = true
break
}
}
if !foundBounding {
- g.spec.Process.Capabilities.Bounding = append(g.spec.Process.Capabilities.Bounding, cp)
+ g.Config.Process.Capabilities.Bounding = append(g.Config.Process.Capabilities.Bounding, cp)
}
return nil
}
-// AddProcessCapabilityEffective adds a process capability into g.spec.Process.Capabilities.Effective.
+// AddProcessCapabilityEffective adds a process capability into g.Config.Process.Capabilities.Effective.
func (g *Generator) AddProcessCapabilityEffective(c string) error {
cp := strings.ToUpper(c)
if err := validate.CapValid(cp, g.HostSpecific); err != nil {
return err
}
- g.initSpecProcessCapabilities()
+ g.initConfigProcessCapabilities()
var foundEffective bool
- for _, cap := range g.spec.Process.Capabilities.Effective {
+ for _, cap := range g.Config.Process.Capabilities.Effective {
if strings.ToUpper(cap) == cp {
foundEffective = true
break
}
}
if !foundEffective {
- g.spec.Process.Capabilities.Effective = append(g.spec.Process.Capabilities.Effective, cp)
+ g.Config.Process.Capabilities.Effective = append(g.Config.Process.Capabilities.Effective, cp)
}
return nil
}
-// AddProcessCapabilityInheritable adds a process capability into g.spec.Process.Capabilities.Inheritable.
+// AddProcessCapabilityInheritable adds a process capability into g.Config.Process.Capabilities.Inheritable.
func (g *Generator) AddProcessCapabilityInheritable(c string) error {
cp := strings.ToUpper(c)
if err := validate.CapValid(cp, g.HostSpecific); err != nil {
return err
}
- g.initSpecProcessCapabilities()
+ g.initConfigProcessCapabilities()
var foundInheritable bool
- for _, cap := range g.spec.Process.Capabilities.Inheritable {
+ for _, cap := range g.Config.Process.Capabilities.Inheritable {
if strings.ToUpper(cap) == cp {
foundInheritable = true
break
}
}
if !foundInheritable {
- g.spec.Process.Capabilities.Inheritable = append(g.spec.Process.Capabilities.Inheritable, cp)
+ g.Config.Process.Capabilities.Inheritable = append(g.Config.Process.Capabilities.Inheritable, cp)
}
return nil
}
-// AddProcessCapabilityPermitted adds a process capability into g.spec.Process.Capabilities.Permitted.
+// AddProcessCapabilityPermitted adds a process capability into g.Config.Process.Capabilities.Permitted.
func (g *Generator) AddProcessCapabilityPermitted(c string) error {
cp := strings.ToUpper(c)
if err := validate.CapValid(cp, g.HostSpecific); err != nil {
return err
}
- g.initSpecProcessCapabilities()
+ g.initConfigProcessCapabilities()
var foundPermitted bool
- for _, cap := range g.spec.Process.Capabilities.Permitted {
+ for _, cap := range g.Config.Process.Capabilities.Permitted {
if strings.ToUpper(cap) == cp {
foundPermitted = true
break
}
}
if !foundPermitted {
- g.spec.Process.Capabilities.Permitted = append(g.spec.Process.Capabilities.Permitted, cp)
+ g.Config.Process.Capabilities.Permitted = append(g.Config.Process.Capabilities.Permitted, cp)
}
return nil
}
-// DropProcessCapabilityAmbient drops a process capability from g.spec.Process.Capabilities.Ambient.
+// DropProcessCapabilityAmbient drops a process capability from g.Config.Process.Capabilities.Ambient.
func (g *Generator) DropProcessCapabilityAmbient(c string) error {
- if g.spec == nil || g.spec.Process == nil || g.spec.Process.Capabilities == nil {
+ if g.Config == nil || g.Config.Process == nil || g.Config.Process.Capabilities == nil {
return nil
}
cp := strings.ToUpper(c)
- for i, cap := range g.spec.Process.Capabilities.Ambient {
+ for i, cap := range g.Config.Process.Capabilities.Ambient {
if strings.ToUpper(cap) == cp {
- g.spec.Process.Capabilities.Ambient = removeFunc(g.spec.Process.Capabilities.Ambient, i)
+ g.Config.Process.Capabilities.Ambient = removeFunc(g.Config.Process.Capabilities.Ambient, i)
}
}
return validate.CapValid(cp, false)
}
-// DropProcessCapabilityBounding drops a process capability from g.spec.Process.Capabilities.Bounding.
+// DropProcessCapabilityBounding drops a process capability from g.Config.Process.Capabilities.Bounding.
func (g *Generator) DropProcessCapabilityBounding(c string) error {
- if g.spec == nil || g.spec.Process == nil || g.spec.Process.Capabilities == nil {
+ if g.Config == nil || g.Config.Process == nil || g.Config.Process.Capabilities == nil {
return nil
}
cp := strings.ToUpper(c)
- for i, cap := range g.spec.Process.Capabilities.Bounding {
+ for i, cap := range g.Config.Process.Capabilities.Bounding {
if strings.ToUpper(cap) == cp {
- g.spec.Process.Capabilities.Bounding = removeFunc(g.spec.Process.Capabilities.Bounding, i)
+ g.Config.Process.Capabilities.Bounding = removeFunc(g.Config.Process.Capabilities.Bounding, i)
}
}
return validate.CapValid(cp, false)
}
-// DropProcessCapabilityEffective drops a process capability from g.spec.Process.Capabilities.Effective.
+// DropProcessCapabilityEffective drops a process capability from g.Config.Process.Capabilities.Effective.
func (g *Generator) DropProcessCapabilityEffective(c string) error {
- if g.spec == nil || g.spec.Process == nil || g.spec.Process.Capabilities == nil {
+ if g.Config == nil || g.Config.Process == nil || g.Config.Process.Capabilities == nil {
return nil
}
cp := strings.ToUpper(c)
- for i, cap := range g.spec.Process.Capabilities.Effective {
+ for i, cap := range g.Config.Process.Capabilities.Effective {
if strings.ToUpper(cap) == cp {
- g.spec.Process.Capabilities.Effective = removeFunc(g.spec.Process.Capabilities.Effective, i)
+ g.Config.Process.Capabilities.Effective = removeFunc(g.Config.Process.Capabilities.Effective, i)
}
}
return validate.CapValid(cp, false)
}
-// DropProcessCapabilityInheritable drops a process capability from g.spec.Process.Capabilities.Inheritable.
+// DropProcessCapabilityInheritable drops a process capability from g.Config.Process.Capabilities.Inheritable.
func (g *Generator) DropProcessCapabilityInheritable(c string) error {
- if g.spec == nil || g.spec.Process == nil || g.spec.Process.Capabilities == nil {
+ if g.Config == nil || g.Config.Process == nil || g.Config.Process.Capabilities == nil {
return nil
}
cp := strings.ToUpper(c)
- for i, cap := range g.spec.Process.Capabilities.Inheritable {
+ for i, cap := range g.Config.Process.Capabilities.Inheritable {
if strings.ToUpper(cap) == cp {
- g.spec.Process.Capabilities.Inheritable = removeFunc(g.spec.Process.Capabilities.Inheritable, i)
+ g.Config.Process.Capabilities.Inheritable = removeFunc(g.Config.Process.Capabilities.Inheritable, i)
}
}
return validate.CapValid(cp, false)
}
-// DropProcessCapabilityPermitted drops a process capability from g.spec.Process.Capabilities.Permitted.
+// DropProcessCapabilityPermitted drops a process capability from g.Config.Process.Capabilities.Permitted.
func (g *Generator) DropProcessCapabilityPermitted(c string) error {
- if g.spec == nil || g.spec.Process == nil || g.spec.Process.Capabilities == nil {
+ if g.Config == nil || g.Config.Process == nil || g.Config.Process.Capabilities == nil {
return nil
}
cp := strings.ToUpper(c)
- for i, cap := range g.spec.Process.Capabilities.Permitted {
+ for i, cap := range g.Config.Process.Capabilities.Permitted {
if strings.ToUpper(cap) == cp {
- g.spec.Process.Capabilities.Ambient = removeFunc(g.spec.Process.Capabilities.Ambient, i)
+ g.Config.Process.Capabilities.Permitted = removeFunc(g.Config.Process.Capabilities.Permitted, i)
}
}
@@ -1253,59 +1271,59 @@ func mapStrToNamespace(ns string, path string) (rspec.LinuxNamespace, error) {
}
}
-// ClearLinuxNamespaces clear g.spec.Linux.Namespaces.
+// ClearLinuxNamespaces clear g.Config.Linux.Namespaces.
func (g *Generator) ClearLinuxNamespaces() {
- if g.spec == nil || g.spec.Linux == nil {
+ if g.Config == nil || g.Config.Linux == nil {
return
}
- g.spec.Linux.Namespaces = []rspec.LinuxNamespace{}
+ g.Config.Linux.Namespaces = []rspec.LinuxNamespace{}
}
// AddOrReplaceLinuxNamespace adds or replaces a namespace inside
-// g.spec.Linux.Namespaces.
+// g.Config.Linux.Namespaces.
func (g *Generator) AddOrReplaceLinuxNamespace(ns string, path string) error {
namespace, err := mapStrToNamespace(ns, path)
if err != nil {
return err
}
- g.initSpecLinux()
- for i, ns := range g.spec.Linux.Namespaces {
+ g.initConfigLinux()
+ for i, ns := range g.Config.Linux.Namespaces {
if ns.Type == namespace.Type {
- g.spec.Linux.Namespaces[i] = namespace
+ g.Config.Linux.Namespaces[i] = namespace
return nil
}
}
- g.spec.Linux.Namespaces = append(g.spec.Linux.Namespaces, namespace)
+ g.Config.Linux.Namespaces = append(g.Config.Linux.Namespaces, namespace)
return nil
}
-// RemoveLinuxNamespace removes a namespace from g.spec.Linux.Namespaces.
+// RemoveLinuxNamespace removes a namespace from g.Config.Linux.Namespaces.
func (g *Generator) RemoveLinuxNamespace(ns string) error {
namespace, err := mapStrToNamespace(ns, "")
if err != nil {
return err
}
- if g.spec == nil || g.spec.Linux == nil {
+ if g.Config == nil || g.Config.Linux == nil {
return nil
}
- for i, ns := range g.spec.Linux.Namespaces {
+ for i, ns := range g.Config.Linux.Namespaces {
if ns.Type == namespace.Type {
- g.spec.Linux.Namespaces = append(g.spec.Linux.Namespaces[:i], g.spec.Linux.Namespaces[i+1:]...)
+ g.Config.Linux.Namespaces = append(g.Config.Linux.Namespaces[:i], g.Config.Linux.Namespaces[i+1:]...)
return nil
}
}
return nil
}
-// AddDevice - add a device into g.spec.Linux.Devices
+// AddDevice - add a device into g.Config.Linux.Devices
func (g *Generator) AddDevice(device rspec.LinuxDevice) {
- g.initSpecLinux()
+ g.initConfigLinux()
- for i, dev := range g.spec.Linux.Devices {
+ for i, dev := range g.Config.Linux.Devices {
if dev.Path == device.Path {
- g.spec.Linux.Devices[i] = device
+ g.Config.Linux.Devices[i] = device
return
}
if dev.Type == device.Type && dev.Major == device.Major && dev.Minor == device.Minor {
@@ -1313,35 +1331,35 @@ func (g *Generator) AddDevice(device rspec.LinuxDevice) {
}
}
- g.spec.Linux.Devices = append(g.spec.Linux.Devices, device)
+ g.Config.Linux.Devices = append(g.Config.Linux.Devices, device)
}
-// RemoveDevice remove a device from g.spec.Linux.Devices
+// RemoveDevice remove a device from g.Config.Linux.Devices
func (g *Generator) RemoveDevice(path string) {
- if g.spec == nil || g.spec.Linux == nil || g.spec.Linux.Devices == nil {
+ if g.Config == nil || g.Config.Linux == nil || g.Config.Linux.Devices == nil {
return
}
- for i, device := range g.spec.Linux.Devices {
+ for i, device := range g.Config.Linux.Devices {
if device.Path == path {
- g.spec.Linux.Devices = append(g.spec.Linux.Devices[:i], g.spec.Linux.Devices[i+1:]...)
+ g.Config.Linux.Devices = append(g.Config.Linux.Devices[:i], g.Config.Linux.Devices[i+1:]...)
return
}
}
}
-// ClearLinuxDevices clears g.spec.Linux.Devices
+// ClearLinuxDevices clears g.Config.Linux.Devices
func (g *Generator) ClearLinuxDevices() {
- if g.spec == nil || g.spec.Linux == nil || g.spec.Linux.Devices == nil {
+ if g.Config == nil || g.Config.Linux == nil || g.Config.Linux.Devices == nil {
return
}
- g.spec.Linux.Devices = []rspec.LinuxDevice{}
+ g.Config.Linux.Devices = []rspec.LinuxDevice{}
}
-// AddLinuxResourcesDevice - add a device into g.spec.Linux.Resources.Devices
+// AddLinuxResourcesDevice - add a device into g.Config.Linux.Resources.Devices
func (g *Generator) AddLinuxResourcesDevice(allow bool, devType string, major, minor *int64, access string) {
- g.initSpecLinuxResources()
+ g.initConfigLinuxResources()
device := rspec.LinuxDeviceCgroup{
Allow: allow,
@@ -1350,22 +1368,22 @@ func (g *Generator) AddLinuxResourcesDevice(allow bool, devType string, major, m
Major: major,
Minor: minor,
}
- g.spec.Linux.Resources.Devices = append(g.spec.Linux.Resources.Devices, device)
+ g.Config.Linux.Resources.Devices = append(g.Config.Linux.Resources.Devices, device)
}
-// RemoveLinuxResourcesDevice - remove a device from g.spec.Linux.Resources.Devices
+// RemoveLinuxResourcesDevice - remove a device from g.Config.Linux.Resources.Devices
func (g *Generator) RemoveLinuxResourcesDevice(allow bool, devType string, major, minor *int64, access string) {
- if g.spec == nil || g.spec.Linux == nil || g.spec.Linux.Resources == nil {
+ if g.Config == nil || g.Config.Linux == nil || g.Config.Linux.Resources == nil {
return
}
- for i, device := range g.spec.Linux.Resources.Devices {
+ for i, device := range g.Config.Linux.Resources.Devices {
if device.Allow == allow &&
(devType == device.Type || (devType != "" && device.Type != "" && devType == device.Type)) &&
(access == device.Access || (access != "" && device.Access != "" && access == device.Access)) &&
(major == device.Major || (major != nil && device.Major != nil && *major == *device.Major)) &&
(minor == device.Minor || (minor != nil && device.Minor != nil && *minor == *device.Minor)) {
- g.spec.Linux.Resources.Devices = append(g.spec.Linux.Resources.Devices[:i], g.spec.Linux.Resources.Devices[i+1:]...)
+ g.Config.Linux.Resources.Devices = append(g.Config.Linux.Resources.Devices[:i], g.Config.Linux.Resources.Devices[i+1:]...)
return
}
}
@@ -1377,51 +1395,51 @@ func strPtr(s string) *string { return &s }
// SetSyscallAction adds rules for syscalls with the specified action
func (g *Generator) SetSyscallAction(arguments seccomp.SyscallOpts) error {
- g.initSpecLinuxSeccomp()
- return seccomp.ParseSyscallFlag(arguments, g.spec.Linux.Seccomp)
+ g.initConfigLinuxSeccomp()
+ return seccomp.ParseSyscallFlag(arguments, g.Config.Linux.Seccomp)
}
// SetDefaultSeccompAction sets the default action for all syscalls not defined
// and then removes any syscall rules with this action already specified.
func (g *Generator) SetDefaultSeccompAction(action string) error {
- g.initSpecLinuxSeccomp()
- return seccomp.ParseDefaultAction(action, g.spec.Linux.Seccomp)
+ g.initConfigLinuxSeccomp()
+ return seccomp.ParseDefaultAction(action, g.Config.Linux.Seccomp)
}
// SetDefaultSeccompActionForce only sets the default action for all syscalls not defined
func (g *Generator) SetDefaultSeccompActionForce(action string) error {
- g.initSpecLinuxSeccomp()
- return seccomp.ParseDefaultActionForce(action, g.spec.Linux.Seccomp)
+ g.initConfigLinuxSeccomp()
+ return seccomp.ParseDefaultActionForce(action, g.Config.Linux.Seccomp)
}
// SetSeccompArchitecture sets the supported seccomp architectures
func (g *Generator) SetSeccompArchitecture(architecture string) error {
- g.initSpecLinuxSeccomp()
- return seccomp.ParseArchitectureFlag(architecture, g.spec.Linux.Seccomp)
+ g.initConfigLinuxSeccomp()
+ return seccomp.ParseArchitectureFlag(architecture, g.Config.Linux.Seccomp)
}
// RemoveSeccompRule removes rules for any specified syscalls
func (g *Generator) RemoveSeccompRule(arguments string) error {
- g.initSpecLinuxSeccomp()
- return seccomp.RemoveAction(arguments, g.spec.Linux.Seccomp)
+ g.initConfigLinuxSeccomp()
+ return seccomp.RemoveAction(arguments, g.Config.Linux.Seccomp)
}
// RemoveAllSeccompRules removes all syscall rules
func (g *Generator) RemoveAllSeccompRules() error {
- g.initSpecLinuxSeccomp()
- return seccomp.RemoveAllSeccompRules(g.spec.Linux.Seccomp)
+ g.initConfigLinuxSeccomp()
+ return seccomp.RemoveAllSeccompRules(g.Config.Linux.Seccomp)
}
-// AddLinuxMaskedPaths adds masked paths into g.spec.Linux.MaskedPaths.
+// AddLinuxMaskedPaths adds masked paths into g.Config.Linux.MaskedPaths.
func (g *Generator) AddLinuxMaskedPaths(path string) {
- g.initSpecLinux()
- g.spec.Linux.MaskedPaths = append(g.spec.Linux.MaskedPaths, path)
+ g.initConfigLinux()
+ g.Config.Linux.MaskedPaths = append(g.Config.Linux.MaskedPaths, path)
}
-// AddLinuxReadonlyPaths adds readonly paths into g.spec.Linux.MaskedPaths.
+// AddLinuxReadonlyPaths adds readonly paths into g.Config.Linux.MaskedPaths.
func (g *Generator) AddLinuxReadonlyPaths(path string) {
- g.initSpecLinux()
- g.spec.Linux.ReadonlyPaths = append(g.spec.Linux.ReadonlyPaths, path)
+ g.initConfigLinux()
+ g.Config.Linux.ReadonlyPaths = append(g.Config.Linux.ReadonlyPaths, path)
}
func addOrReplaceBlockIOThrottleDevice(tmpList []rspec.LinuxThrottleDevice, major int64, minor int64, rate uint64) []rspec.LinuxThrottleDevice {
@@ -1453,92 +1471,92 @@ func dropBlockIOThrottleDevice(tmpList []rspec.LinuxThrottleDevice, major int64,
return throttleDevices
}
-// AddSolarisAnet adds network into g.spec.Solaris.Anet
+// AddSolarisAnet adds network into g.Config.Solaris.Anet
func (g *Generator) AddSolarisAnet(anet rspec.SolarisAnet) {
- g.initSpecSolaris()
- g.spec.Solaris.Anet = append(g.spec.Solaris.Anet, anet)
+ g.initConfigSolaris()
+ g.Config.Solaris.Anet = append(g.Config.Solaris.Anet, anet)
}
-// SetSolarisCappedCPUNcpus sets g.spec.Solaris.CappedCPU.Ncpus
+// SetSolarisCappedCPUNcpus sets g.Config.Solaris.CappedCPU.Ncpus
func (g *Generator) SetSolarisCappedCPUNcpus(ncpus string) {
- g.initSpecSolarisCappedCPU()
- g.spec.Solaris.CappedCPU.Ncpus = ncpus
+ g.initConfigSolarisCappedCPU()
+ g.Config.Solaris.CappedCPU.Ncpus = ncpus
}
-// SetSolarisCappedMemoryPhysical sets g.spec.Solaris.CappedMemory.Physical
+// SetSolarisCappedMemoryPhysical sets g.Config.Solaris.CappedMemory.Physical
func (g *Generator) SetSolarisCappedMemoryPhysical(physical string) {
- g.initSpecSolarisCappedMemory()
- g.spec.Solaris.CappedMemory.Physical = physical
+ g.initConfigSolarisCappedMemory()
+ g.Config.Solaris.CappedMemory.Physical = physical
}
-// SetSolarisCappedMemorySwap sets g.spec.Solaris.CappedMemory.Swap
+// SetSolarisCappedMemorySwap sets g.Config.Solaris.CappedMemory.Swap
func (g *Generator) SetSolarisCappedMemorySwap(swap string) {
- g.initSpecSolarisCappedMemory()
- g.spec.Solaris.CappedMemory.Swap = swap
+ g.initConfigSolarisCappedMemory()
+ g.Config.Solaris.CappedMemory.Swap = swap
}
-// SetSolarisLimitPriv sets g.spec.Solaris.LimitPriv
+// SetSolarisLimitPriv sets g.Config.Solaris.LimitPriv
func (g *Generator) SetSolarisLimitPriv(limitPriv string) {
- g.initSpecSolaris()
- g.spec.Solaris.LimitPriv = limitPriv
+ g.initConfigSolaris()
+ g.Config.Solaris.LimitPriv = limitPriv
}
-// SetSolarisMaxShmMemory sets g.spec.Solaris.MaxShmMemory
+// SetSolarisMaxShmMemory sets g.Config.Solaris.MaxShmMemory
func (g *Generator) SetSolarisMaxShmMemory(memory string) {
- g.initSpecSolaris()
- g.spec.Solaris.MaxShmMemory = memory
+ g.initConfigSolaris()
+ g.Config.Solaris.MaxShmMemory = memory
}
-// SetSolarisMilestone sets g.spec.Solaris.Milestone
+// SetSolarisMilestone sets g.Config.Solaris.Milestone
func (g *Generator) SetSolarisMilestone(milestone string) {
- g.initSpecSolaris()
- g.spec.Solaris.Milestone = milestone
+ g.initConfigSolaris()
+ g.Config.Solaris.Milestone = milestone
}
-// SetWindowsHypervUntilityVMPath sets g.spec.Windows.HyperV.UtilityVMPath.
+// SetWindowsHypervUntilityVMPath sets g.Config.Windows.HyperV.UtilityVMPath.
func (g *Generator) SetWindowsHypervUntilityVMPath(path string) {
- g.initSpecWindowsHyperV()
- g.spec.Windows.HyperV.UtilityVMPath = path
+ g.initConfigWindowsHyperV()
+ g.Config.Windows.HyperV.UtilityVMPath = path
}
-// SetWinodwsIgnoreFlushesDuringBoot sets g.spec.Winodws.IgnoreFlushesDuringBoot.
+// SetWinodwsIgnoreFlushesDuringBoot sets g.Config.Winodws.IgnoreFlushesDuringBoot.
func (g *Generator) SetWinodwsIgnoreFlushesDuringBoot(ignore bool) {
- g.initSpecWindows()
- g.spec.Windows.IgnoreFlushesDuringBoot = ignore
+ g.initConfigWindows()
+ g.Config.Windows.IgnoreFlushesDuringBoot = ignore
}
-// AddWindowsLayerFolders adds layer folders into g.spec.Windows.LayerFolders.
+// AddWindowsLayerFolders adds layer folders into g.Config.Windows.LayerFolders.
func (g *Generator) AddWindowsLayerFolders(folder string) {
- g.initSpecWindows()
- g.spec.Windows.LayerFolders = append(g.spec.Windows.LayerFolders, folder)
+ g.initConfigWindows()
+ g.Config.Windows.LayerFolders = append(g.Config.Windows.LayerFolders, folder)
}
-// SetWindowsNetwork sets g.spec.Windows.Network.
+// SetWindowsNetwork sets g.Config.Windows.Network.
func (g *Generator) SetWindowsNetwork(network rspec.WindowsNetwork) {
- g.initSpecWindows()
- g.spec.Windows.Network = &network
+ g.initConfigWindows()
+ g.Config.Windows.Network = &network
}
-// SetWindowsResourcesCPU sets g.spec.Windows.Resources.CPU.
+// SetWindowsResourcesCPU sets g.Config.Windows.Resources.CPU.
func (g *Generator) SetWindowsResourcesCPU(cpu rspec.WindowsCPUResources) {
- g.initSpecWindowsResources()
- g.spec.Windows.Resources.CPU = &cpu
+ g.initConfigWindowsResources()
+ g.Config.Windows.Resources.CPU = &cpu
}
-// SetWindowsResourcesMemoryLimit sets g.spec.Windows.Resources.Memory.Limit.
+// SetWindowsResourcesMemoryLimit sets g.Config.Windows.Resources.Memory.Limit.
func (g *Generator) SetWindowsResourcesMemoryLimit(limit uint64) {
- g.initSpecWindowsResourcesMemory()
- g.spec.Windows.Resources.Memory.Limit = &limit
+ g.initConfigWindowsResourcesMemory()
+ g.Config.Windows.Resources.Memory.Limit = &limit
}
-// SetWindowsResourcesStorage sets g.spec.Windows.Resources.Storage.
+// SetWindowsResourcesStorage sets g.Config.Windows.Resources.Storage.
func (g *Generator) SetWindowsResourcesStorage(storage rspec.WindowsStorageResources) {
- g.initSpecWindowsResources()
- g.spec.Windows.Resources.Storage = &storage
+ g.initConfigWindowsResources()
+ g.Config.Windows.Resources.Storage = &storage
}
-// SetWinodwsServicing sets g.spec.Winodws.Servicing.
+// SetWinodwsServicing sets g.Config.Winodws.Servicing.
func (g *Generator) SetWinodwsServicing(servicing bool) {
- g.initSpecWindows()
- g.spec.Windows.Servicing = servicing
+ g.initConfigWindows()
+ g.Config.Windows.Servicing = servicing
}
diff --git a/vendor/github.com/opencontainers/runtime-tools/generate/seccomp/seccomp_default.go b/vendor/github.com/opencontainers/runtime-tools/generate/seccomp/seccomp_default.go
index 35b12cd65..5fee5a3b2 100644
--- a/vendor/github.com/opencontainers/runtime-tools/generate/seccomp/seccomp_default.go
+++ b/vendor/github.com/opencontainers/runtime-tools/generate/seccomp/seccomp_default.go
@@ -2,7 +2,6 @@ package seccomp
import (
"runtime"
- "syscall"
"github.com/opencontainers/runtime-spec/specs-go"
rspec "github.com/opencontainers/runtime-spec/specs-go"
@@ -513,7 +512,7 @@ func DefaultProfile(rs *specs.Spec) *rspec.LinuxSeccomp {
Args: []rspec.LinuxSeccompArg{
{
Index: sysCloneFlagsIndex,
- Value: syscall.CLONE_NEWNS | syscall.CLONE_NEWUTS | syscall.CLONE_NEWIPC | syscall.CLONE_NEWUSER | syscall.CLONE_NEWPID | syscall.CLONE_NEWNET,
+ Value: CloneNewNS | CloneNewUTS | CloneNewIPC | CloneNewUser | CloneNewPID | CloneNewNet,
ValueTwo: 0,
Op: rspec.OpMaskedEqual,
},
diff --git a/vendor/github.com/opencontainers/runtime-tools/generate/seccomp/seccomp_default_linux.go b/vendor/github.com/opencontainers/runtime-tools/generate/seccomp/seccomp_default_linux.go
new file mode 100644
index 000000000..311587437
--- /dev/null
+++ b/vendor/github.com/opencontainers/runtime-tools/generate/seccomp/seccomp_default_linux.go
@@ -0,0 +1,15 @@
+// +build linux
+
+package seccomp
+
+import "syscall"
+
+// System values passed through on linux
+const (
+ CloneNewIPC = syscall.CLONE_NEWIPC
+ CloneNewNet = syscall.CLONE_NEWNET
+ CloneNewNS = syscall.CLONE_NEWNS
+ CloneNewPID = syscall.CLONE_NEWPID
+ CloneNewUser = syscall.CLONE_NEWUSER
+ CloneNewUTS = syscall.CLONE_NEWUTS
+)
diff --git a/vendor/github.com/opencontainers/runtime-tools/generate/seccomp/seccomp_default_unsupported.go b/vendor/github.com/opencontainers/runtime-tools/generate/seccomp/seccomp_default_unsupported.go
new file mode 100644
index 000000000..589b81c16
--- /dev/null
+++ b/vendor/github.com/opencontainers/runtime-tools/generate/seccomp/seccomp_default_unsupported.go
@@ -0,0 +1,15 @@
+// +build !linux
+
+package seccomp
+
+// These are copied from linux/amd64 syscall values, as a reference for other
+// platforms to have access to
+const (
+ CloneNewIPC = 0x8000000
+ CloneNewNet = 0x40000000
+ CloneNewNS = 0x20000
+ CloneNewPID = 0x20000000
+ CloneNewUser = 0x10000000
+ CloneNewUTS = 0x4000000
+ CloneNewCgroup = 0x02000000
+)
diff --git a/vendor/github.com/opencontainers/runtime-tools/generate/spec.go b/vendor/github.com/opencontainers/runtime-tools/generate/spec.go
deleted file mode 100644
index d7a6da81d..000000000
--- a/vendor/github.com/opencontainers/runtime-tools/generate/spec.go
+++ /dev/null
@@ -1,172 +0,0 @@
-package generate
-
-import (
- rspec "github.com/opencontainers/runtime-spec/specs-go"
-)
-
-func (g *Generator) initSpec() {
- if g.spec == nil {
- g.spec = &rspec.Spec{}
- }
-}
-
-func (g *Generator) initSpecProcess() {
- g.initSpec()
- if g.spec.Process == nil {
- g.spec.Process = &rspec.Process{}
- }
-}
-
-func (g *Generator) initSpecProcessConsoleSize() {
- g.initSpecProcess()
- if g.spec.Process.ConsoleSize == nil {
- g.spec.Process.ConsoleSize = &rspec.Box{}
- }
-}
-
-func (g *Generator) initSpecProcessCapabilities() {
- g.initSpecProcess()
- if g.spec.Process.Capabilities == nil {
- g.spec.Process.Capabilities = &rspec.LinuxCapabilities{}
- }
-}
-
-func (g *Generator) initSpecRoot() {
- g.initSpec()
- if g.spec.Root == nil {
- g.spec.Root = &rspec.Root{}
- }
-}
-
-func (g *Generator) initSpecAnnotations() {
- g.initSpec()
- if g.spec.Annotations == nil {
- g.spec.Annotations = make(map[string]string)
- }
-}
-
-func (g *Generator) initSpecHooks() {
- g.initSpec()
- if g.spec.Hooks == nil {
- g.spec.Hooks = &rspec.Hooks{}
- }
-}
-
-func (g *Generator) initSpecLinux() {
- g.initSpec()
- if g.spec.Linux == nil {
- g.spec.Linux = &rspec.Linux{}
- }
-}
-
-func (g *Generator) initSpecLinuxIntelRdt() {
- g.initSpecLinux()
- if g.spec.Linux.IntelRdt == nil {
- g.spec.Linux.IntelRdt = &rspec.LinuxIntelRdt{}
- }
-}
-
-func (g *Generator) initSpecLinuxSysctl() {
- g.initSpecLinux()
- if g.spec.Linux.Sysctl == nil {
- g.spec.Linux.Sysctl = make(map[string]string)
- }
-}
-
-func (g *Generator) initSpecLinuxSeccomp() {
- g.initSpecLinux()
- if g.spec.Linux.Seccomp == nil {
- g.spec.Linux.Seccomp = &rspec.LinuxSeccomp{}
- }
-}
-
-func (g *Generator) initSpecLinuxResources() {
- g.initSpecLinux()
- if g.spec.Linux.Resources == nil {
- g.spec.Linux.Resources = &rspec.LinuxResources{}
- }
-}
-
-func (g *Generator) initSpecLinuxResourcesBlockIO() {
- g.initSpecLinuxResources()
- if g.spec.Linux.Resources.BlockIO == nil {
- g.spec.Linux.Resources.BlockIO = &rspec.LinuxBlockIO{}
- }
-}
-
-func (g *Generator) initSpecLinuxResourcesCPU() {
- g.initSpecLinuxResources()
- if g.spec.Linux.Resources.CPU == nil {
- g.spec.Linux.Resources.CPU = &rspec.LinuxCPU{}
- }
-}
-
-func (g *Generator) initSpecLinuxResourcesMemory() {
- g.initSpecLinuxResources()
- if g.spec.Linux.Resources.Memory == nil {
- g.spec.Linux.Resources.Memory = &rspec.LinuxMemory{}
- }
-}
-
-func (g *Generator) initSpecLinuxResourcesNetwork() {
- g.initSpecLinuxResources()
- if g.spec.Linux.Resources.Network == nil {
- g.spec.Linux.Resources.Network = &rspec.LinuxNetwork{}
- }
-}
-
-func (g *Generator) initSpecLinuxResourcesPids() {
- g.initSpecLinuxResources()
- if g.spec.Linux.Resources.Pids == nil {
- g.spec.Linux.Resources.Pids = &rspec.LinuxPids{}
- }
-}
-
-func (g *Generator) initSpecSolaris() {
- g.initSpec()
- if g.spec.Solaris == nil {
- g.spec.Solaris = &rspec.Solaris{}
- }
-}
-
-func (g *Generator) initSpecSolarisCappedCPU() {
- g.initSpecSolaris()
- if g.spec.Solaris.CappedCPU == nil {
- g.spec.Solaris.CappedCPU = &rspec.SolarisCappedCPU{}
- }
-}
-
-func (g *Generator) initSpecSolarisCappedMemory() {
- g.initSpecSolaris()
- if g.spec.Solaris.CappedMemory == nil {
- g.spec.Solaris.CappedMemory = &rspec.SolarisCappedMemory{}
- }
-}
-
-func (g *Generator) initSpecWindows() {
- g.initSpec()
- if g.spec.Windows == nil {
- g.spec.Windows = &rspec.Windows{}
- }
-}
-
-func (g *Generator) initSpecWindowsHyperV() {
- g.initSpecWindows()
- if g.spec.Windows.HyperV == nil {
- g.spec.Windows.HyperV = &rspec.WindowsHyperV{}
- }
-}
-
-func (g *Generator) initSpecWindowsResources() {
- g.initSpecWindows()
- if g.spec.Windows.Resources == nil {
- g.spec.Windows.Resources = &rspec.WindowsResources{}
- }
-}
-
-func (g *Generator) initSpecWindowsResourcesMemory() {
- g.initSpecWindowsResources()
- if g.spec.Windows.Resources.Memory == nil {
- g.spec.Windows.Resources.Memory = &rspec.WindowsMemoryResources{}
- }
-}
diff --git a/vendor/github.com/opencontainers/runtime-tools/specerror/config.go b/vendor/github.com/opencontainers/runtime-tools/specerror/config.go
index 8a73f47fc..5357ab59f 100644
--- a/vendor/github.com/opencontainers/runtime-tools/specerror/config.go
+++ b/vendor/github.com/opencontainers/runtime-tools/specerror/config.go
@@ -14,8 +14,8 @@ const (
RootOnWindowsRequired
// RootOnHyperVNotSet represents "For Hyper-V Containers, this field MUST NOT be set."
RootOnHyperVNotSet
- // RootOnNonHyperVRequired represents "On all other platforms, this field is REQUIRED."
- RootOnNonHyperVRequired
+ // RootOnNonWindowsRequired represents "On all other platforms, this field is REQUIRED."
+ RootOnNonWindowsRequired
// RootPathOnWindowsGUID represents "On Windows, `path` MUST be a volume GUID path."
RootPathOnWindowsGUID
// RootPathOnPosixConvention represents "The value SHOULD be the conventional `rootfs`."
@@ -145,7 +145,7 @@ func init() {
register(SpecVersionInSemVer, rfc2119.Must, specificationVersionRef)
register(RootOnWindowsRequired, rfc2119.Required, rootRef)
register(RootOnHyperVNotSet, rfc2119.Must, rootRef)
- register(RootOnNonHyperVRequired, rfc2119.Required, rootRef)
+ register(RootOnNonWindowsRequired, rfc2119.Required, rootRef)
register(RootPathOnWindowsGUID, rfc2119.Must, rootRef)
register(RootPathOnPosixConvention, rfc2119.Should, rootRef)
register(RootPathExist, rfc2119.Must, rootRef)
diff --git a/vendor/github.com/opencontainers/runtime-tools/specerror/error.go b/vendor/github.com/opencontainers/runtime-tools/specerror/error.go
index 0300f7df2..5de9492d9 100644
--- a/vendor/github.com/opencontainers/runtime-tools/specerror/error.go
+++ b/vendor/github.com/opencontainers/runtime-tools/specerror/error.go
@@ -61,6 +61,34 @@ func (err *Error) Error() string {
return err.Err.Error()
}
+// NewRFCError creates an rfc2119.Error referencing a spec violation.
+//
+// A version string (for the version of the spec that was violated)
+// must be set to get a working URL.
+func NewRFCError(code Code, err error, version string) (*rfc2119.Error, error) {
+ template := ociErrors[code]
+ reference, err2 := template.Reference(version)
+ if err2 != nil {
+ return nil, err2
+ }
+ return &rfc2119.Error{
+ Level: template.Level,
+ Reference: reference,
+ Err: err,
+ }, nil
+}
+
+// NewRFCErrorOrPanic creates an rfc2119.Error referencing a spec
+// violation and panics on failure. This is handy for situations
+// where you can't be bothered to check NewRFCError for failure.
+func NewRFCErrorOrPanic(code Code, err error, version string) *rfc2119.Error {
+ rfcError, err2 := NewRFCError(code, err, version)
+ if err2 != nil {
+ panic(err2.Error())
+ }
+ return rfcError
+}
+
// NewError creates an Error referencing a spec violation. The error
// can be cast to an *Error for extracting structured information
// about the level of the violation and a reference to the violated
@@ -69,17 +97,12 @@ func (err *Error) Error() string {
// A version string (for the version of the spec that was violated)
// must be set to get a working URL.
func NewError(code Code, err error, version string) error {
- template := ociErrors[code]
- reference, err2 := template.Reference(version)
+ rfcError, err2 := NewRFCError(code, err, version)
if err2 != nil {
return err2
}
return &Error{
- Err: rfc2119.Error{
- Level: template.Level,
- Reference: reference,
- Err: err,
- },
+ Err: *rfcError,
Code: code,
}
}
diff --git a/vendor/github.com/opencontainers/runtime-tools/specerror/runtime.go b/vendor/github.com/opencontainers/runtime-tools/specerror/runtime.go
index 0144f6696..383aea63c 100644
--- a/vendor/github.com/opencontainers/runtime-tools/specerror/runtime.go
+++ b/vendor/github.com/opencontainers/runtime-tools/specerror/runtime.go
@@ -68,10 +68,10 @@ const (
PropApplyFailNotCreate
// StartWithoutIDGenError represents "`start` operation MUST generate an error if it is not provided the container ID."
StartWithoutIDGenError
- // StartNonCreateHaveNoEffect represents "Attempting to `start` a container that is not `created` MUST have no effect on the container."
- StartNonCreateHaveNoEffect
- // StartNonCreateGenError represents "Attempting to `start` a container that is not `created` MUST generate an error."
- StartNonCreateGenError
+ // StartNotCreatedHaveNoEffect represents "Attempting to `start` a container that is not `created` MUST have no effect on the container."
+ StartNotCreatedHaveNoEffect
+ // StartNotCreatedGenError represents "Attempting to `start` a container that is not `created` MUST generate an error."
+ StartNotCreatedGenError
// StartProcImplement represents "`start` operation MUST run the user-specified program as specified by `process`."
StartProcImplement
// StartWithProcUnsetGenError represents "`start` operation MUST generate an error if `process` was not set."
@@ -163,8 +163,8 @@ func init() {
register(PropApplyFailGenError, rfc2119.Must, createRef)
register(PropApplyFailNotCreate, rfc2119.Must, createRef)
register(StartWithoutIDGenError, rfc2119.Must, startRef)
- register(StartNonCreateHaveNoEffect, rfc2119.Must, startRef)
- register(StartNonCreateGenError, rfc2119.Must, startRef)
+ register(StartNotCreatedHaveNoEffect, rfc2119.Must, startRef)
+ register(StartNotCreatedGenError, rfc2119.Must, startRef)
register(StartProcImplement, rfc2119.Must, startRef)
register(StartWithProcUnsetGenError, rfc2119.Must, startRef)
register(KillWithoutIDGenError, rfc2119.Must, killRef)
diff --git a/vendor/github.com/opencontainers/runtime-tools/validate/validate.go b/vendor/github.com/opencontainers/runtime-tools/validate/validate.go
index 1030099df..e2e820979 100644
--- a/vendor/github.com/opencontainers/runtime-tools/validate/validate.go
+++ b/vendor/github.com/opencontainers/runtime-tools/validate/validate.go
@@ -13,7 +13,6 @@ import (
"regexp"
"runtime"
"strings"
- "syscall"
"unicode"
"unicode/utf8"
@@ -115,6 +114,7 @@ func (v *Validator) CheckAll() error {
errs = multierror.Append(errs, v.CheckMounts())
errs = multierror.Append(errs, v.CheckProcess())
errs = multierror.Append(errs, v.CheckLinux())
+ errs = multierror.Append(errs, v.CheckAnnotations())
if v.platform == "linux" || v.platform == "solaris" {
errs = multierror.Append(errs, v.CheckHooks())
}
@@ -142,6 +142,8 @@ func JSONSchemaURL(version string) (url string, err error) {
// runtime-spec JSON Schema, using the version of the schema that
// matches the configuration's declared version.
func (v *Validator) CheckJSONSchema() (errs error) {
+ logrus.Debugf("check JSON schema")
+
url, err := JSONSchemaURL(v.spec.Version)
if err != nil {
errs = multierror.Append(errs, err)
@@ -169,16 +171,21 @@ func (v *Validator) CheckJSONSchema() (errs error) {
func (v *Validator) CheckRoot() (errs error) {
logrus.Debugf("check root")
- if v.platform == "windows" && v.spec.Windows != nil && v.spec.Windows.HyperV != nil {
- if v.spec.Root != nil {
+ if v.platform == "windows" && v.spec.Windows != nil {
+ if v.spec.Windows.HyperV != nil {
+ if v.spec.Root != nil {
+ errs = multierror.Append(errs,
+ specerror.NewError(specerror.RootOnHyperVNotSet, fmt.Errorf("for Hyper-V containers, Root must not be set"), rspec.Version))
+ }
+ return
+ } else if v.spec.Root == nil {
errs = multierror.Append(errs,
- specerror.NewError(specerror.RootOnHyperVNotSet, fmt.Errorf("for Hyper-V containers, Root must not be set"), rspec.Version))
+ specerror.NewError(specerror.RootOnWindowsRequired, fmt.Errorf("on Windows, for Windows Server Containers, this field is REQUIRED"), rspec.Version))
return
}
- return
- } else if v.spec.Root == nil {
+ } else if v.platform != "windows" && v.spec.Root == nil {
errs = multierror.Append(errs,
- specerror.NewError(specerror.RootOnNonHyperVRequired, fmt.Errorf("for non-Hyper-V containers, Root must be set"), rspec.Version))
+ specerror.NewError(specerror.RootOnNonWindowsRequired, fmt.Errorf("on all other platforms, this field is REQUIRED"), rspec.Version))
return
}
@@ -570,6 +577,11 @@ func (v *Validator) CheckPlatform() (errs error) {
return
}
+ if v.HostSpecific && v.platform != runtime.GOOS {
+ errs = multierror.Append(errs, fmt.Errorf("platform %q differs from the host %q, skipping host-specific checks", v.platform, runtime.GOOS))
+ v.HostSpecific = false
+ }
+
if v.platform == "windows" {
if v.spec.Windows == nil {
errs = multierror.Append(errs,
@@ -583,189 +595,6 @@ func (v *Validator) CheckPlatform() (errs error) {
return
}
-// CheckLinux checks v.spec.Linux
-func (v *Validator) CheckLinux() (errs error) {
- logrus.Debugf("check linux")
-
- if v.spec.Linux == nil {
- return
- }
-
- var nsTypeList = map[rspec.LinuxNamespaceType]struct {
- num int
- newExist bool
- }{
- rspec.PIDNamespace: {0, false},
- rspec.NetworkNamespace: {0, false},
- rspec.MountNamespace: {0, false},
- rspec.IPCNamespace: {0, false},
- rspec.UTSNamespace: {0, false},
- rspec.UserNamespace: {0, false},
- rspec.CgroupNamespace: {0, false},
- }
-
- for index := 0; index < len(v.spec.Linux.Namespaces); index++ {
- ns := v.spec.Linux.Namespaces[index]
- if ns.Path != "" && !osFilepath.IsAbs(v.platform, ns.Path) {
- errs = multierror.Append(errs, specerror.NewError(specerror.NSPathAbs, fmt.Errorf("namespace.path %q is not an absolute path", ns.Path), rspec.Version))
- }
-
- tmpItem := nsTypeList[ns.Type]
- tmpItem.num = tmpItem.num + 1
- if tmpItem.num > 1 {
- errs = multierror.Append(errs, specerror.NewError(specerror.NSErrorOnDup, fmt.Errorf("duplicated namespace %q", ns.Type), rspec.Version))
- }
-
- if len(ns.Path) == 0 {
- tmpItem.newExist = true
- }
- nsTypeList[ns.Type] = tmpItem
- }
-
- if (len(v.spec.Linux.UIDMappings) > 0 || len(v.spec.Linux.GIDMappings) > 0) && !nsTypeList[rspec.UserNamespace].newExist {
- errs = multierror.Append(errs, errors.New("the UID/GID mappings requires a new User namespace to be specified as well"))
- }
-
- for k := range v.spec.Linux.Sysctl {
- if strings.HasPrefix(k, "net.") && !nsTypeList[rspec.NetworkNamespace].newExist {
- errs = multierror.Append(errs, fmt.Errorf("sysctl %v requires a new Network namespace to be specified as well", k))
- }
- if strings.HasPrefix(k, "fs.mqueue.") {
- if !nsTypeList[rspec.MountNamespace].newExist || !nsTypeList[rspec.IPCNamespace].newExist {
- errs = multierror.Append(errs, fmt.Errorf("sysctl %v requires a new IPC namespace and Mount namespace to be specified as well", k))
- }
- }
- }
-
- if v.platform == "linux" && !nsTypeList[rspec.UTSNamespace].newExist && v.spec.Hostname != "" {
- errs = multierror.Append(errs, fmt.Errorf("on Linux, hostname requires a new UTS namespace to be specified as well"))
- }
-
- // Linux devices validation
- devList := make(map[string]bool)
- devTypeList := make(map[string]bool)
- for index := 0; index < len(v.spec.Linux.Devices); index++ {
- device := v.spec.Linux.Devices[index]
- if !deviceValid(device) {
- errs = multierror.Append(errs, fmt.Errorf("device %v is invalid", device))
- }
-
- if _, exists := devList[device.Path]; exists {
- errs = multierror.Append(errs, fmt.Errorf("device %s is duplicated", device.Path))
- } else {
- var rootfsPath string
- if filepath.IsAbs(v.spec.Root.Path) {
- rootfsPath = v.spec.Root.Path
- } else {
- rootfsPath = filepath.Join(v.bundlePath, v.spec.Root.Path)
- }
- absPath := filepath.Join(rootfsPath, device.Path)
- fi, err := os.Stat(absPath)
- if os.IsNotExist(err) {
- devList[device.Path] = true
- } else if err != nil {
- errs = multierror.Append(errs, err)
- } else {
- fStat, ok := fi.Sys().(*syscall.Stat_t)
- if !ok {
- errs = multierror.Append(errs, specerror.NewError(specerror.DevicesAvailable,
- fmt.Errorf("cannot determine state for device %s", device.Path), rspec.Version))
- continue
- }
- var devType string
- switch fStat.Mode & syscall.S_IFMT {
- case syscall.S_IFCHR:
- devType = "c"
- case syscall.S_IFBLK:
- devType = "b"
- case syscall.S_IFIFO:
- devType = "p"
- default:
- devType = "unmatched"
- }
- if devType != device.Type || (devType == "c" && device.Type == "u") {
- errs = multierror.Append(errs, specerror.NewError(specerror.DevicesFileNotMatch,
- fmt.Errorf("unmatched %s already exists in filesystem", device.Path), rspec.Version))
- continue
- }
- if devType != "p" {
- dev := fStat.Rdev
- major := (dev >> 8) & 0xfff
- minor := (dev & 0xff) | ((dev >> 12) & 0xfff00)
- if int64(major) != device.Major || int64(minor) != device.Minor {
- errs = multierror.Append(errs, specerror.NewError(specerror.DevicesFileNotMatch,
- fmt.Errorf("unmatched %s already exists in filesystem", device.Path), rspec.Version))
- continue
- }
- }
- if device.FileMode != nil {
- expectedPerm := *device.FileMode & os.ModePerm
- actualPerm := fi.Mode() & os.ModePerm
- if expectedPerm != actualPerm {
- errs = multierror.Append(errs, specerror.NewError(specerror.DevicesFileNotMatch,
- fmt.Errorf("unmatched %s already exists in filesystem", device.Path), rspec.Version))
- continue
- }
- }
- if device.UID != nil {
- if *device.UID != fStat.Uid {
- errs = multierror.Append(errs, specerror.NewError(specerror.DevicesFileNotMatch,
- fmt.Errorf("unmatched %s already exists in filesystem", device.Path), rspec.Version))
- continue
- }
- }
- if device.GID != nil {
- if *device.GID != fStat.Gid {
- errs = multierror.Append(errs, specerror.NewError(specerror.DevicesFileNotMatch,
- fmt.Errorf("unmatched %s already exists in filesystem", device.Path), rspec.Version))
- continue
- }
- }
- }
- }
-
- // unify u->c when comparing, they are synonyms
- var devID string
- if device.Type == "u" {
- devID = fmt.Sprintf("%s:%d:%d", "c", device.Major, device.Minor)
- } else {
- devID = fmt.Sprintf("%s:%d:%d", device.Type, device.Major, device.Minor)
- }
-
- if _, exists := devTypeList[devID]; exists {
- logrus.Warnf("type:%s, major:%d and minor:%d for linux devices is duplicated", device.Type, device.Major, device.Minor)
- } else {
- devTypeList[devID] = true
- }
- }
-
- if v.spec.Linux.Resources != nil {
- errs = multierror.Append(errs, v.CheckLinuxResources())
- }
-
- for _, maskedPath := range v.spec.Linux.MaskedPaths {
- if !strings.HasPrefix(maskedPath, "/") {
- errs = multierror.Append(errs,
- specerror.NewError(
- specerror.MaskedPathsAbs,
- fmt.Errorf("maskedPath %v is not an absolute path", maskedPath),
- rspec.Version))
- }
- }
-
- for _, readonlyPath := range v.spec.Linux.ReadonlyPaths {
- if !strings.HasPrefix(readonlyPath, "/") {
- errs = multierror.Append(errs,
- specerror.NewError(
- specerror.ReadonlyPathsAbs,
- fmt.Errorf("readonlyPath %v is not an absolute path", readonlyPath),
- rspec.Version))
- }
- }
-
- return
-}
-
// CheckLinuxResources checks v.spec.Linux.Resources
func (v *Validator) CheckLinuxResources() (errs error) {
logrus.Debugf("check linux resources")
@@ -817,6 +646,44 @@ func (v *Validator) CheckLinuxResources() (errs error) {
}
}
+ if r.BlockIO != nil && r.BlockIO.WeightDevice != nil {
+ for i, weightDevice := range r.BlockIO.WeightDevice {
+ if weightDevice.Weight == nil && weightDevice.LeafWeight == nil {
+ errs = multierror.Append(errs,
+ specerror.NewError(
+ specerror.BlkIOWeightOrLeafWeightExist,
+ fmt.Errorf("linux.resources.blockIO.weightDevice[%d] specifies neither weight nor leafWeight", i),
+ rspec.Version))
+ }
+ }
+ }
+
+ return
+}
+
+// CheckAnnotations checks v.spec.Annotations
+func (v *Validator) CheckAnnotations() (errs error) {
+ logrus.Debugf("check annotations")
+
+ reversedDomain := regexp.MustCompile(`^[A-Za-z]{2,6}(\.[A-Za-z0-9-]{1,63})+$`)
+ for key := range v.spec.Annotations {
+ if strings.HasPrefix(key, "org.opencontainers") {
+ errs = multierror.Append(errs,
+ specerror.NewError(
+ specerror.AnnotationsKeyReservedNS,
+ fmt.Errorf("key %q is reserved", key),
+ rspec.Version))
+ }
+
+ if !reversedDomain.MatchString(key) {
+ errs = multierror.Append(errs,
+ specerror.NewError(
+ specerror.AnnotationsKeyReversedDomain,
+ fmt.Errorf("key %q SHOULD be named using a reverse domain notation", key),
+ rspec.Version))
+ }
+ }
+
return
}
@@ -843,17 +710,6 @@ func CapValid(c string, hostSpecific bool) error {
return nil
}
-// LastCap return last cap of system
-func LastCap() capability.Cap {
- last := capability.CAP_LAST_CAP
- // hack for RHEL6 which has no /proc/sys/kernel/cap_last_cap
- if last == capability.Cap(63) {
- last = capability.CAP_BLOCK_SUSPEND
- }
-
- return last
-}
-
func envValid(env string) bool {
items := strings.Split(env, "=")
if len(items) < 2 {
@@ -896,22 +752,6 @@ func (v *Validator) rlimitValid(rlimit rspec.POSIXRlimit) (errs error) {
return
}
-func deviceValid(d rspec.LinuxDevice) bool {
- switch d.Type {
- case "b", "c", "u":
- if d.Major <= 0 || d.Minor <= 0 {
- return false
- }
- case "p":
- if d.Major != 0 || d.Minor != 0 {
- return false
- }
- default:
- return false
- }
- return true
-}
-
func isStruct(t reflect.Type) bool {
return t.Kind() == reflect.Struct
}
@@ -990,5 +830,9 @@ func checkMandatory(obj interface{}) (errs error) {
func (v *Validator) CheckMandatoryFields() error {
logrus.Debugf("check mandatory fields")
+ if v.spec == nil {
+ return fmt.Errorf("Spec can't be nil")
+ }
+
return checkMandatory(v.spec)
}
diff --git a/vendor/github.com/opencontainers/runtime-tools/validate/validate_linux.go b/vendor/github.com/opencontainers/runtime-tools/validate/validate_linux.go
new file mode 100644
index 000000000..8d452c209
--- /dev/null
+++ b/vendor/github.com/opencontainers/runtime-tools/validate/validate_linux.go
@@ -0,0 +1,230 @@
+// +build linux
+
+package validate
+
+import (
+ "errors"
+ "fmt"
+ "os"
+ "path/filepath"
+ "strings"
+ "syscall"
+
+ "github.com/syndtr/gocapability/capability"
+
+ multierror "github.com/hashicorp/go-multierror"
+ rspec "github.com/opencontainers/runtime-spec/specs-go"
+ osFilepath "github.com/opencontainers/runtime-tools/filepath"
+ "github.com/opencontainers/runtime-tools/specerror"
+ "github.com/sirupsen/logrus"
+)
+
+// LastCap return last cap of system
+func LastCap() capability.Cap {
+ last := capability.CAP_LAST_CAP
+ // hack for RHEL6 which has no /proc/sys/kernel/cap_last_cap
+ if last == capability.Cap(63) {
+ last = capability.CAP_BLOCK_SUSPEND
+ }
+
+ return last
+}
+
+func deviceValid(d rspec.LinuxDevice) bool {
+ switch d.Type {
+ case "b", "c", "u":
+ if d.Major <= 0 || d.Minor <= 0 {
+ return false
+ }
+ case "p":
+ if d.Major != 0 || d.Minor != 0 {
+ return false
+ }
+ default:
+ return false
+ }
+ return true
+}
+
+// CheckLinux checks v.spec.Linux
+func (v *Validator) CheckLinux() (errs error) {
+ logrus.Debugf("check linux")
+
+ if v.spec.Linux == nil {
+ return
+ }
+
+ var nsTypeList = map[rspec.LinuxNamespaceType]struct {
+ num int
+ newExist bool
+ }{
+ rspec.PIDNamespace: {0, false},
+ rspec.NetworkNamespace: {0, false},
+ rspec.MountNamespace: {0, false},
+ rspec.IPCNamespace: {0, false},
+ rspec.UTSNamespace: {0, false},
+ rspec.UserNamespace: {0, false},
+ rspec.CgroupNamespace: {0, false},
+ }
+
+ for index := 0; index < len(v.spec.Linux.Namespaces); index++ {
+ ns := v.spec.Linux.Namespaces[index]
+ if ns.Path != "" && !osFilepath.IsAbs(v.platform, ns.Path) {
+ errs = multierror.Append(errs, specerror.NewError(specerror.NSPathAbs, fmt.Errorf("namespace.path %q is not an absolute path", ns.Path), rspec.Version))
+ }
+
+ tmpItem := nsTypeList[ns.Type]
+ tmpItem.num = tmpItem.num + 1
+ if tmpItem.num > 1 {
+ errs = multierror.Append(errs, specerror.NewError(specerror.NSErrorOnDup, fmt.Errorf("duplicated namespace %q", ns.Type), rspec.Version))
+ }
+
+ if len(ns.Path) == 0 {
+ tmpItem.newExist = true
+ }
+ nsTypeList[ns.Type] = tmpItem
+ }
+
+ if (len(v.spec.Linux.UIDMappings) > 0 || len(v.spec.Linux.GIDMappings) > 0) && !nsTypeList[rspec.UserNamespace].newExist {
+ errs = multierror.Append(errs, errors.New("the UID/GID mappings requires a new User namespace to be specified as well"))
+ }
+
+ for k := range v.spec.Linux.Sysctl {
+ if strings.HasPrefix(k, "net.") && !nsTypeList[rspec.NetworkNamespace].newExist {
+ errs = multierror.Append(errs, fmt.Errorf("sysctl %v requires a new Network namespace to be specified as well", k))
+ }
+ if strings.HasPrefix(k, "fs.mqueue.") {
+ if !nsTypeList[rspec.MountNamespace].newExist || !nsTypeList[rspec.IPCNamespace].newExist {
+ errs = multierror.Append(errs, fmt.Errorf("sysctl %v requires a new IPC namespace and Mount namespace to be specified as well", k))
+ }
+ }
+ }
+
+ if v.platform == "linux" && !nsTypeList[rspec.UTSNamespace].newExist && v.spec.Hostname != "" {
+ errs = multierror.Append(errs, fmt.Errorf("on Linux, hostname requires a new UTS namespace to be specified as well"))
+ }
+
+ // Linux devices validation
+ devList := make(map[string]bool)
+ devTypeList := make(map[string]bool)
+ for index := 0; index < len(v.spec.Linux.Devices); index++ {
+ device := v.spec.Linux.Devices[index]
+ if !deviceValid(device) {
+ errs = multierror.Append(errs, fmt.Errorf("device %v is invalid", device))
+ }
+
+ if _, exists := devList[device.Path]; exists {
+ errs = multierror.Append(errs, fmt.Errorf("device %s is duplicated", device.Path))
+ } else {
+ var rootfsPath string
+ if filepath.IsAbs(v.spec.Root.Path) {
+ rootfsPath = v.spec.Root.Path
+ } else {
+ rootfsPath = filepath.Join(v.bundlePath, v.spec.Root.Path)
+ }
+ absPath := filepath.Join(rootfsPath, device.Path)
+ fi, err := os.Stat(absPath)
+ if os.IsNotExist(err) {
+ devList[device.Path] = true
+ } else if err != nil {
+ errs = multierror.Append(errs, err)
+ } else {
+ fStat, ok := fi.Sys().(*syscall.Stat_t)
+ if !ok {
+ errs = multierror.Append(errs, specerror.NewError(specerror.DevicesAvailable,
+ fmt.Errorf("cannot determine state for device %s", device.Path), rspec.Version))
+ continue
+ }
+ var devType string
+ switch fStat.Mode & syscall.S_IFMT {
+ case syscall.S_IFCHR:
+ devType = "c"
+ case syscall.S_IFBLK:
+ devType = "b"
+ case syscall.S_IFIFO:
+ devType = "p"
+ default:
+ devType = "unmatched"
+ }
+ if devType != device.Type || (devType == "c" && device.Type == "u") {
+ errs = multierror.Append(errs, specerror.NewError(specerror.DevicesFileNotMatch,
+ fmt.Errorf("unmatched %s already exists in filesystem", device.Path), rspec.Version))
+ continue
+ }
+ if devType != "p" {
+ dev := fStat.Rdev
+ major := (dev >> 8) & 0xfff
+ minor := (dev & 0xff) | ((dev >> 12) & 0xfff00)
+ if int64(major) != device.Major || int64(minor) != device.Minor {
+ errs = multierror.Append(errs, specerror.NewError(specerror.DevicesFileNotMatch,
+ fmt.Errorf("unmatched %s already exists in filesystem", device.Path), rspec.Version))
+ continue
+ }
+ }
+ if device.FileMode != nil {
+ expectedPerm := *device.FileMode & os.ModePerm
+ actualPerm := fi.Mode() & os.ModePerm
+ if expectedPerm != actualPerm {
+ errs = multierror.Append(errs, specerror.NewError(specerror.DevicesFileNotMatch,
+ fmt.Errorf("unmatched %s already exists in filesystem", device.Path), rspec.Version))
+ continue
+ }
+ }
+ if device.UID != nil {
+ if *device.UID != fStat.Uid {
+ errs = multierror.Append(errs, specerror.NewError(specerror.DevicesFileNotMatch,
+ fmt.Errorf("unmatched %s already exists in filesystem", device.Path), rspec.Version))
+ continue
+ }
+ }
+ if device.GID != nil {
+ if *device.GID != fStat.Gid {
+ errs = multierror.Append(errs, specerror.NewError(specerror.DevicesFileNotMatch,
+ fmt.Errorf("unmatched %s already exists in filesystem", device.Path), rspec.Version))
+ continue
+ }
+ }
+ }
+ }
+
+ // unify u->c when comparing, they are synonyms
+ var devID string
+ if device.Type == "u" {
+ devID = fmt.Sprintf("%s:%d:%d", "c", device.Major, device.Minor)
+ } else {
+ devID = fmt.Sprintf("%s:%d:%d", device.Type, device.Major, device.Minor)
+ }
+
+ if _, exists := devTypeList[devID]; exists {
+ logrus.Warnf("%v", specerror.NewError(specerror.DevicesErrorOnDup, fmt.Errorf("type:%s, major:%d and minor:%d for linux devices is duplicated", device.Type, device.Major, device.Minor), rspec.Version))
+ } else {
+ devTypeList[devID] = true
+ }
+ }
+
+ if v.spec.Linux.Resources != nil {
+ errs = multierror.Append(errs, v.CheckLinuxResources())
+ }
+
+ for _, maskedPath := range v.spec.Linux.MaskedPaths {
+ if !strings.HasPrefix(maskedPath, "/") {
+ errs = multierror.Append(errs,
+ specerror.NewError(
+ specerror.MaskedPathsAbs,
+ fmt.Errorf("maskedPath %v is not an absolute path", maskedPath),
+ rspec.Version))
+ }
+ }
+
+ for _, readonlyPath := range v.spec.Linux.ReadonlyPaths {
+ if !strings.HasPrefix(readonlyPath, "/") {
+ errs = multierror.Append(errs,
+ specerror.NewError(
+ specerror.ReadonlyPathsAbs,
+ fmt.Errorf("readonlyPath %v is not an absolute path", readonlyPath),
+ rspec.Version))
+ }
+ }
+
+ return
+}
diff --git a/vendor/github.com/opencontainers/runtime-tools/validate/validate_unsupported.go b/vendor/github.com/opencontainers/runtime-tools/validate/validate_unsupported.go
new file mode 100644
index 000000000..f150c326c
--- /dev/null
+++ b/vendor/github.com/opencontainers/runtime-tools/validate/validate_unsupported.go
@@ -0,0 +1,17 @@
+// +build !linux
+
+package validate
+
+import (
+ "github.com/syndtr/gocapability/capability"
+)
+
+// LastCap return last cap of system
+func LastCap() capability.Cap {
+ return capability.Cap(-1)
+}
+
+// CheckLinux is a noop on this platform
+func (v *Validator) CheckLinux() (errs error) {
+ return nil
+}