From f6c0fc1aa854ae5ce73d57ecb09d47c0d4dd2cc3 Mon Sep 17 00:00:00 2001 From: baude Date: Tue, 26 Jun 2018 13:50:12 -0500 Subject: Vendor in latest runtime-tools Newer runtime tools separates syscalls by OS so we can build darwin. Signed-off-by: baude Closes: #1007 Approved by: baude --- .../opencontainers/runtime-tools/README.md | 142 +-- .../opencontainers/runtime-tools/error/error.go | 30 + .../runtime-tools/generate/config.go | 173 +++ .../runtime-tools/generate/generate.go | 1148 ++++++++++---------- .../generate/seccomp/seccomp_default.go | 3 +- .../generate/seccomp/seccomp_default_linux.go | 15 + .../seccomp/seccomp_default_unsupported.go | 15 + .../opencontainers/runtime-tools/generate/spec.go | 172 --- .../runtime-tools/specerror/config.go | 6 +- .../runtime-tools/specerror/error.go | 37 +- .../runtime-tools/specerror/runtime.go | 12 +- .../runtime-tools/validate/validate.go | 278 ++--- .../runtime-tools/validate/validate_linux.go | 230 ++++ .../runtime-tools/validate/validate_unsupported.go | 17 + 14 files changed, 1208 insertions(+), 1070 deletions(-) create mode 100644 vendor/github.com/opencontainers/runtime-tools/generate/config.go create mode 100644 vendor/github.com/opencontainers/runtime-tools/generate/seccomp/seccomp_default_linux.go create mode 100644 vendor/github.com/opencontainers/runtime-tools/generate/seccomp/seccomp_default_unsupported.go delete mode 100644 vendor/github.com/opencontainers/runtime-tools/generate/spec.go create mode 100644 vendor/github.com/opencontainers/runtime-tools/validate/validate_linux.go create mode 100644 vendor/github.com/opencontainers/runtime-tools/validate/validate_unsupported.go diff --git a/vendor/github.com/opencontainers/runtime-tools/README.md b/vendor/github.com/opencontainers/runtime-tools/README.md index 5f16436bc..93c901f05 100644 --- a/vendor/github.com/opencontainers/runtime-tools/README.md +++ b/vendor/github.com/opencontainers/runtime-tools/README.md @@ -37,58 +37,28 @@ If your distribution does not package node-tap, you can install [npm][] (for exa $ npm install tap ``` +Build the validation executables: + ```console $ make runtimetest validation-executables -RUNTIME=runc tap validation/linux_rootfs_propagation_shared.t validation/create.t validation/default.t validation/linux_readonly_paths.t validation/linux_masked_paths.t validation/mounts.t validation/process.t validation/root_readonly_false.t validation/linux_sysctl.t validation/linux_devices.t validation/linux_gid_mappings.t validation/process_oom_score_adj.t validation/process_capabilities.t validation/process_rlimits.t validation/root_readonly_true.t validation/linux_rootfs_propagation_unbindable.t validation/hostname.t validation/linux_uid_mappings.t -validation/linux_rootfs_propagation_shared.t ........ 18/19 - not ok rootfs propagation - -validation/create.t ................................... 4/4 -validation/default.t ................................ 19/19 -validation/linux_readonly_paths.t ................... 19/19 -validation/linux_masked_paths.t ..................... 18/19 - not ok masked paths - -validation/mounts.t ................................... 0/1 - Skipped: 1 - TODO: mounts generation options have not been implemented - -validation/process.t ................................ 19/19 -validation/root_readonly_false.t .................... 19/19 -validation/linux_sysctl.t ........................... 19/19 -validation/linux_devices.t .......................... 19/19 -validation/linux_gid_mappings.t ..................... 18/19 - not ok gid mappings - -validation/process_oom_score_adj.t .................. 19/19 -validation/process_capabilities.t ................... 19/19 -validation/process_rlimits.t ........................ 19/19 -validation/root_readonly_true.t ...................failed to create the container -rootfsPropagation=unbindable is not supported -exit status 1 -validation/root_readonly_true.t ..................... 19/19 -validation/linux_rootfs_propagation_unbindable.t ...... 0/1 - not ok validation/linux_rootfs_propagation_unbindable.t - timeout: 30000 - file: validation/linux_rootfs_propagation_unbindable.t - command: validation/linux_rootfs_propagation_unbindable.t - args: [] - stdio: - - 0 - - pipe - - 2 - cwd: /…/go/src/github.com/opencontainers/runtime-tools - exitCode: 1 +``` -validation/hostname.t ...................failed to create the container -User namespace mappings specified, but USER namespace isn't enabled in the config +Runtime validation currently [only supports](docs/runtime-compliance-testing.md) the [OCI Runtime Command Line Interface](docs/command-line-interface.md). +If we add support for alternative APIs in the future, runtime validation will gain an option to select the desired runtime API. +For the command line interface, the `RUNTIME` option selects the runtime command (`funC` in the [OCI Runtime Command Line Interface](docs/command-line-interface.md)). + +``` +$ sudo make RUNTIME=runc localvalidation +RUNTIME=runc tap validation/pidfile.t validation/linux_cgroups_hugetlb.t validation/linux_cgroups_memory.t validation/linux_rootfs_propagation_shared.t validation/kill.t validation/create.t validation/poststart.t validation/linux_cgroups_network.t validation/poststop_fail.t validation/linux_readonly_paths.t validation/prestart_fail.t validation/hooks_stdin.t validation/default.t validation/linux_masked_paths.t validation/poststop.t validation/misc_props.t validation/prestart.t validation/poststart_fail.t validation/mounts.t validation/linux_cgroups_relative_pids.t validation/process_user.t validation/process.t validation/hooks.t validation/process_capabilities_fail.t validation/process_rlimits_fail.t validation/linux_cgroups_relative_cpus.t validation/process_rlimits.t validation/linux_cgroups_relative_blkio.t validation/linux_sysctl.t validation/linux_seccomp.t validation/linux_devices.t validation/start.t validation/linux_cgroups_pids.t validation/process_capabilities.t validation/process_oom_score_adj.t validation/linux_cgroups_relative_hugetlb.t validation/linux_cgroups_cpus.t validation/linux_cgroups_relative_memory.t validation/state.t validation/root_readonly_true.t validation/linux_cgroups_blkio.t validation/linux_rootfs_propagation_unbindable.t validation/delete.t validation/linux_cgroups_relative_network.t validation/hostname.t validation/killsig.t validation/linux_uid_mappings.t +validation/pidfile.t .failed to create the container +container_linux.go:348: starting container process caused "process_linux.go:402: container init caused \"process_linux.go:367: setting cgroup config for procHooks process caused \\\"failed to write 56892210544640 to hugetlb.1GB.limit_in_bytes: open /sys/fs/cgroup/hugetlb/cgrouptest/hugetlb.1GB.limit_in_bytes: permission denied\\\"\"" exit status 1 -validation/hostname.t ............................... 19/19 -validation/linux_uid_mappings.t ....................... 0/1 - not ok validation/linux_uid_mappings.t +validation/pidfile.t .................................. 1/1 315ms +validation/linux_cgroups_hugetlb.t .................... 0/1 + not ok validation/linux_cgroups_hugetlb.t timeout: 30000 - file: validation/linux_uid_mappings.t - command: validation/linux_uid_mappings.t + file: validation/linux_cgroups_hugetlb.t + command: validation/linux_cgroups_hugetlb.t args: [] stdio: - 0 @@ -97,14 +67,21 @@ validation/linux_uid_mappings.t ....................... 0/1 cwd: /…/go/src/github.com/opencontainers/runtime-tools exitCode: 1 -total ............................................. 267/273 +validation/linux_cgroups_memory.t ..................... 9/9 +validation/linux_rootfs_propagation_shared.t ...... 252/282 + not ok shared root propogation exposes "/target348456609/mount892511628/example376408222" + Skipped: 29 + /dev/null (default device) has unconfigured permissions +… +total ........................................... 4381/4962 - 267 passing (31s) - 1 pending - 5 failing -make: *** [Makefile:43: localvalidation] Error 1 + 4381 passing (1m) + 567 pending + 14 failing + +make: *** [Makefile:44: localvalidation] Error 1 ``` You can also run an individual test executable directly: @@ -112,58 +89,27 @@ You can also run an individual test executable directly: ```console $ RUNTIME=runc validation/default.t TAP version 13 -ok 1 - root filesystem -ok 2 - hostname -ok 3 - process -ok 4 - mounts -ok 5 - user -ok 6 - rlimits -ok 7 - capabilities -ok 8 - default symlinks -ok 9 - default file system -ok 10 - default devices -ok 11 - linux devices -ok 12 - linux process -ok 13 - masked paths -ok 14 - oom score adj -ok 15 - read only paths -ok 16 - rootfs propagation -ok 17 - sysctls -ok 18 - uid mappings -ok 19 - gid mappings -1..19 +ok 1 - has expected hostname + --- + { + "actual": "mrsdalloway", + "expected": "mrsdalloway" + } + ... +… +ok 287 # SKIP linux.gidMappings not set +1..287 ``` If you cannot install node-tap, you can probably run the test suite with another [TAP consumer][tap-consumers]. For example, with [`prove`][prove]: ```console -$ sudo make TAP='prove -Q -j9' RUNTIME=runc localvalidation -RUNTIME=runc prove -Q -j9 validation/linux_rootfs_propagation_shared.t validation/create.t validation/default.t validation/linux_readonly_paths.t validation/linux_masked_paths.t validation/mounts.t validation/process.t validation/root_readonly_false.t validation/linux_sysctl.t validation/linux_devices.t validation/linux_gid_mappings.t validation/process_oom_score_adj.t validation/process_capabilities.t validation/process_rlimits.t validation/root_readonly_true.t validation/linux_rootfs_propagation_unbindable.t validation/hostname.t validation/linux_uid_mappings.t -failed to create the container -rootfsPropagation=unbindable is not supported -exit status 1 -failed to create the container -User namespace mappings specified, but USER namespace isn't enabled in the config -exit status 1 - -Test Summary Report -------------------- -validation/linux_rootfs_propagation_shared.t (Wstat: 0 Tests: 19 Failed: 1) - Failed test: 16 -validation/linux_masked_paths.t (Wstat: 0 Tests: 19 Failed: 1) - Failed test: 13 -validation/linux_rootfs_propagation_unbindable.t (Wstat: 256 Tests: 0 Failed: 0) - Non-zero exit status: 1 - Parse errors: No plan found in TAP output -validation/linux_uid_mappings.t (Wstat: 256 Tests: 0 Failed: 0) - Non-zero exit status: 1 - Parse errors: No plan found in TAP output -validation/linux_gid_mappings.t (Wstat: 0 Tests: 19 Failed: 1) - Failed test: 19 -Files=18, Tests=271, 6 wallclock secs ( 0.06 usr 0.01 sys + 0.59 cusr 0.24 csys = 0.90 CPU) -Result: FAIL -make: *** [Makefile:43: localvalidation] Error 1 +$ sudo make TAP='prove -Q -j9' RUNTIME=runc VALIDATION_TESTS=validation/pidfile.t localvalidation +RUNTIME=runc prove -Q -j9 validation/pidfile.t +All tests successful. +Files=1, Tests=1, 0 wallclock secs ( 0.01 usr 0.01 sys + 0.03 cusr 0.03 csys = 0.08 CPU) +Result: PASS ``` [bundle]: https://github.com/opencontainers/runtime-spec/blob/master/bundle.md diff --git a/vendor/github.com/opencontainers/runtime-tools/error/error.go b/vendor/github.com/opencontainers/runtime-tools/error/error.go index f5a90800e..f7eac6639 100644 --- a/vendor/github.com/opencontainers/runtime-tools/error/error.go +++ b/vendor/github.com/opencontainers/runtime-tools/error/error.go @@ -86,6 +86,36 @@ func ParseLevel(level string) (Level, error) { return l, fmt.Errorf("%q is not a valid compliance level", level) } +// String takes a RFC 2119 compliance level constant and returns a string representation. +func (level Level) String() string { + switch level { + case May: + return "MAY" + case Optional: + return "OPTIONAL" + case Should: + return "SHOULD" + case ShouldNot: + return "SHOULD NOT" + case Recommended: + return "RECOMMENDED" + case NotRecommended: + return "NOT RECOMMENDED" + case Must: + return "MUST" + case MustNot: + return "MUST NOT" + case Shall: + return "SHALL" + case ShallNot: + return "SHALL NOT" + case Required: + return "REQUIRED" + } + + panic(fmt.Sprintf("%d is not a valid compliance level", level)) +} + // Error returns the error message with specification reference. func (err *Error) Error() string { return fmt.Sprintf("%s\nRefer to: %s", err.Err.Error(), err.Reference) diff --git a/vendor/github.com/opencontainers/runtime-tools/generate/config.go b/vendor/github.com/opencontainers/runtime-tools/generate/config.go new file mode 100644 index 000000000..164fdf141 --- /dev/null +++ b/vendor/github.com/opencontainers/runtime-tools/generate/config.go @@ -0,0 +1,173 @@ +package generate + +import ( + rspec "github.com/opencontainers/runtime-spec/specs-go" +) + +func (g *Generator) initConfig() { + if g.Config == nil { + g.Config = &rspec.Spec{} + } +} + +func (g *Generator) initConfigProcess() { + g.initConfig() + if g.Config.Process == nil { + g.Config.Process = &rspec.Process{} + } +} + +func (g *Generator) initConfigProcessConsoleSize() { + g.initConfigProcess() + if g.Config.Process.ConsoleSize == nil { + g.Config.Process.ConsoleSize = &rspec.Box{} + } +} + +func (g *Generator) initConfigProcessCapabilities() { + g.initConfigProcess() + if g.Config.Process.Capabilities == nil { + g.Config.Process.Capabilities = &rspec.LinuxCapabilities{} + } +} + +func (g *Generator) initConfigRoot() { + g.initConfig() + if g.Config.Root == nil { + g.Config.Root = &rspec.Root{} + } +} + +func (g *Generator) initConfigAnnotations() { + g.initConfig() + if g.Config.Annotations == nil { + g.Config.Annotations = make(map[string]string) + } +} + +func (g *Generator) initConfigHooks() { + g.initConfig() + if g.Config.Hooks == nil { + g.Config.Hooks = &rspec.Hooks{} + } +} + +func (g *Generator) initConfigLinux() { + g.initConfig() + if g.Config.Linux == nil { + g.Config.Linux = &rspec.Linux{} + } +} + +func (g *Generator) initConfigLinuxIntelRdt() { + g.initConfigLinux() + if g.Config.Linux.IntelRdt == nil { + g.Config.Linux.IntelRdt = &rspec.LinuxIntelRdt{} + } +} + +func (g *Generator) initConfigLinuxSysctl() { + g.initConfigLinux() + if g.Config.Linux.Sysctl == nil { + g.Config.Linux.Sysctl = make(map[string]string) + } +} + +func (g *Generator) initConfigLinuxSeccomp() { + g.initConfigLinux() + if g.Config.Linux.Seccomp == nil { + g.Config.Linux.Seccomp = &rspec.LinuxSeccomp{} + } +} + +func (g *Generator) initConfigLinuxResources() { + g.initConfigLinux() + if g.Config.Linux.Resources == nil { + g.Config.Linux.Resources = &rspec.LinuxResources{} + } +} + +func (g *Generator) initConfigLinuxResourcesBlockIO() { + g.initConfigLinuxResources() + if g.Config.Linux.Resources.BlockIO == nil { + g.Config.Linux.Resources.BlockIO = &rspec.LinuxBlockIO{} + } +} + +// InitConfigLinuxResourcesCPU initializes CPU of Linux resources +func (g *Generator) InitConfigLinuxResourcesCPU() { + g.initConfigLinuxResources() + if g.Config.Linux.Resources.CPU == nil { + g.Config.Linux.Resources.CPU = &rspec.LinuxCPU{} + } +} + +func (g *Generator) initConfigLinuxResourcesMemory() { + g.initConfigLinuxResources() + if g.Config.Linux.Resources.Memory == nil { + g.Config.Linux.Resources.Memory = &rspec.LinuxMemory{} + } +} + +func (g *Generator) initConfigLinuxResourcesNetwork() { + g.initConfigLinuxResources() + if g.Config.Linux.Resources.Network == nil { + g.Config.Linux.Resources.Network = &rspec.LinuxNetwork{} + } +} + +func (g *Generator) initConfigLinuxResourcesPids() { + g.initConfigLinuxResources() + if g.Config.Linux.Resources.Pids == nil { + g.Config.Linux.Resources.Pids = &rspec.LinuxPids{} + } +} + +func (g *Generator) initConfigSolaris() { + g.initConfig() + if g.Config.Solaris == nil { + g.Config.Solaris = &rspec.Solaris{} + } +} + +func (g *Generator) initConfigSolarisCappedCPU() { + g.initConfigSolaris() + if g.Config.Solaris.CappedCPU == nil { + g.Config.Solaris.CappedCPU = &rspec.SolarisCappedCPU{} + } +} + +func (g *Generator) initConfigSolarisCappedMemory() { + g.initConfigSolaris() + if g.Config.Solaris.CappedMemory == nil { + g.Config.Solaris.CappedMemory = &rspec.SolarisCappedMemory{} + } +} + +func (g *Generator) initConfigWindows() { + g.initConfig() + if g.Config.Windows == nil { + g.Config.Windows = &rspec.Windows{} + } +} + +func (g *Generator) initConfigWindowsHyperV() { + g.initConfigWindows() + if g.Config.Windows.HyperV == nil { + g.Config.Windows.HyperV = &rspec.WindowsHyperV{} + } +} + +func (g *Generator) initConfigWindowsResources() { + g.initConfigWindows() + if g.Config.Windows.Resources == nil { + g.Config.Windows.Resources = &rspec.WindowsResources{} + } +} + +func (g *Generator) initConfigWindowsResourcesMemory() { + g.initConfigWindowsResources() + if g.Config.Windows.Resources.Memory == nil { + g.Config.Windows.Resources.Memory = &rspec.WindowsMemoryResources{} + } +} diff --git a/vendor/github.com/opencontainers/runtime-tools/generate/generate.go b/vendor/github.com/opencontainers/runtime-tools/generate/generate.go index d2951b52d..900278f9f 100644 --- a/vendor/github.com/opencontainers/runtime-tools/generate/generate.go +++ b/vendor/github.com/opencontainers/runtime-tools/generate/generate.go @@ -25,9 +25,9 @@ var ( } ) -// Generator represents a generator for a container spec. +// Generator represents a generator for a container config. type Generator struct { - spec *rspec.Spec + Config *rspec.Spec HostSpecific bool } @@ -36,9 +36,14 @@ type ExportOptions struct { Seccomp bool // seccomp toggles if only seccomp should be exported } -// New creates a spec Generator with the default spec. -func New() Generator { - spec := rspec.Spec{ +// New creates a configuration Generator with the default +// configuration for the target operating system. +func New(os string) (generator Generator, err error) { + if os != "linux" && os != "solaris" { + return generator, fmt.Errorf("no defaults configured for %s", os) + } + + config := rspec.Spec{ Version: rspec.Version, Root: &rspec.Root{ Path: "rootfs", @@ -46,107 +51,113 @@ func New() Generator { }, Process: &rspec.Process{ Terminal: false, - User: rspec.User{}, Args: []string{ "sh", }, - Env: []string{ - "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", - "TERM=xterm", + }, + Hostname: "mrsdalloway", + } + + if os == "linux" || os == "solaris" { + config.Process.User = rspec.User{} + config.Process.Env = []string{ + "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", + "TERM=xterm", + } + config.Process.Cwd = "/" + config.Process.Rlimits = []rspec.POSIXRlimit{ + { + Type: "RLIMIT_NOFILE", + Hard: uint64(1024), + Soft: uint64(1024), }, - Cwd: "/", - Capabilities: &rspec.LinuxCapabilities{ - Bounding: []string{ - "CAP_CHOWN", - "CAP_DAC_OVERRIDE", - "CAP_FSETID", - "CAP_FOWNER", - "CAP_MKNOD", - "CAP_NET_RAW", - "CAP_SETGID", - "CAP_SETUID", - "CAP_SETFCAP", - "CAP_SETPCAP", - "CAP_NET_BIND_SERVICE", - "CAP_SYS_CHROOT", - "CAP_KILL", - "CAP_AUDIT_WRITE", - }, - Permitted: []string{ - "CAP_CHOWN", - "CAP_DAC_OVERRIDE", - "CAP_FSETID", - "CAP_FOWNER", - "CAP_MKNOD", - "CAP_NET_RAW", - "CAP_SETGID", - "CAP_SETUID", - "CAP_SETFCAP", - "CAP_SETPCAP", - "CAP_NET_BIND_SERVICE", - "CAP_SYS_CHROOT", - "CAP_KILL", - "CAP_AUDIT_WRITE", - }, - Inheritable: []string{ - "CAP_CHOWN", - "CAP_DAC_OVERRIDE", - "CAP_FSETID", - "CAP_FOWNER", - "CAP_MKNOD", - "CAP_NET_RAW", - "CAP_SETGID", - "CAP_SETUID", - "CAP_SETFCAP", - "CAP_SETPCAP", - "CAP_NET_BIND_SERVICE", - "CAP_SYS_CHROOT", - "CAP_KILL", - "CAP_AUDIT_WRITE", - }, - Effective: []string{ - "CAP_CHOWN", - "CAP_DAC_OVERRIDE", - "CAP_FSETID", - "CAP_FOWNER", - "CAP_MKNOD", - "CAP_NET_RAW", - "CAP_SETGID", - "CAP_SETUID", - "CAP_SETFCAP", - "CAP_SETPCAP", - "CAP_NET_BIND_SERVICE", - "CAP_SYS_CHROOT", - "CAP_KILL", - "CAP_AUDIT_WRITE", - }, - Ambient: []string{ - "CAP_CHOWN", - "CAP_DAC_OVERRIDE", - "CAP_FSETID", - "CAP_FOWNER", - "CAP_MKNOD", - "CAP_NET_RAW", - "CAP_SETGID", - "CAP_SETUID", - "CAP_SETFCAP", - "CAP_SETPCAP", - "CAP_NET_BIND_SERVICE", - "CAP_SYS_CHROOT", - "CAP_KILL", - "CAP_AUDIT_WRITE", - }, + } + } + + if os == "linux" { + config.Process.Capabilities = &rspec.LinuxCapabilities{ + Bounding: []string{ + "CAP_CHOWN", + "CAP_DAC_OVERRIDE", + "CAP_FSETID", + "CAP_FOWNER", + "CAP_MKNOD", + "CAP_NET_RAW", + "CAP_SETGID", + "CAP_SETUID", + "CAP_SETFCAP", + "CAP_SETPCAP", + "CAP_NET_BIND_SERVICE", + "CAP_SYS_CHROOT", + "CAP_KILL", + "CAP_AUDIT_WRITE", }, - Rlimits: []rspec.POSIXRlimit{ - { - Type: "RLIMIT_NOFILE", - Hard: uint64(1024), - Soft: uint64(1024), - }, + Permitted: []string{ + "CAP_CHOWN", + "CAP_DAC_OVERRIDE", + "CAP_FSETID", + "CAP_FOWNER", + "CAP_MKNOD", + "CAP_NET_RAW", + "CAP_SETGID", + "CAP_SETUID", + "CAP_SETFCAP", + "CAP_SETPCAP", + "CAP_NET_BIND_SERVICE", + "CAP_SYS_CHROOT", + "CAP_KILL", + "CAP_AUDIT_WRITE", }, - }, - Hostname: "mrsdalloway", - Mounts: []rspec.Mount{ + Inheritable: []string{ + "CAP_CHOWN", + "CAP_DAC_OVERRIDE", + "CAP_FSETID", + "CAP_FOWNER", + "CAP_MKNOD", + "CAP_NET_RAW", + "CAP_SETGID", + "CAP_SETUID", + "CAP_SETFCAP", + "CAP_SETPCAP", + "CAP_NET_BIND_SERVICE", + "CAP_SYS_CHROOT", + "CAP_KILL", + "CAP_AUDIT_WRITE", + }, + Effective: []string{ + "CAP_CHOWN", + "CAP_DAC_OVERRIDE", + "CAP_FSETID", + "CAP_FOWNER", + "CAP_MKNOD", + "CAP_NET_RAW", + "CAP_SETGID", + "CAP_SETUID", + "CAP_SETFCAP", + "CAP_SETPCAP", + "CAP_NET_BIND_SERVICE", + "CAP_SYS_CHROOT", + "CAP_KILL", + "CAP_AUDIT_WRITE", + }, + Ambient: []string{ + "CAP_CHOWN", + "CAP_DAC_OVERRIDE", + "CAP_FSETID", + "CAP_FOWNER", + "CAP_MKNOD", + "CAP_NET_RAW", + "CAP_SETGID", + "CAP_SETUID", + "CAP_SETFCAP", + "CAP_SETPCAP", + "CAP_NET_BIND_SERVICE", + "CAP_SYS_CHROOT", + "CAP_KILL", + "CAP_AUDIT_WRITE", + }, + } + config.Mounts = []rspec.Mount{ { Destination: "/proc", Type: "proc", @@ -183,8 +194,8 @@ func New() Generator { Source: "sysfs", Options: []string{"nosuid", "noexec", "nodev", "ro"}, }, - }, - Linux: &rspec.Linux{ + } + config.Linux = &rspec.Linux{ Resources: &rspec.LinuxResources{ Devices: []rspec.LinuxDeviceCgroup{ { @@ -210,23 +221,27 @@ func New() Generator { Type: "mount", }, }, - Devices: []rspec.LinuxDevice{}, - }, - } - spec.Linux.Seccomp = seccomp.DefaultProfile(&spec) - return Generator{ - spec: &spec, + Seccomp: seccomp.DefaultProfile(&config), + } } + + return Generator{Config: &config}, nil } -// NewFromSpec creates a spec Generator from a given spec. -func NewFromSpec(spec *rspec.Spec) Generator { +// NewFromSpec creates a configuration Generator from a given +// configuration. +// +// Deprecated: Replace with: +// +// generator := Generator{Config: config} +func NewFromSpec(config *rspec.Spec) Generator { return Generator{ - spec: spec, + Config: config, } } -// NewFromFile loads the template specified in a file into a spec Generator. +// NewFromFile loads the template specified in a file into a +// configuration Generator. func NewFromFile(path string) (Generator, error) { cf, err := os.Open(path) if err != nil { @@ -240,45 +255,52 @@ func NewFromFile(path string) (Generator, error) { return NewFromTemplate(cf) } -// NewFromTemplate loads the template from io.Reader into a spec Generator. +// NewFromTemplate loads the template from io.Reader into a +// configuration Generator. func NewFromTemplate(r io.Reader) (Generator, error) { - var spec rspec.Spec - if err := json.NewDecoder(r).Decode(&spec); err != nil { + var config rspec.Spec + if err := json.NewDecoder(r).Decode(&config); err != nil { return Generator{}, err } return Generator{ - spec: &spec, + Config: &config, }, nil } -// SetSpec sets the spec in the Generator g. -func (g *Generator) SetSpec(spec *rspec.Spec) { - g.spec = spec +// SetSpec sets the configuration in the Generator g. +// +// Deprecated: Replace with: +// +// Use generator.Config = config +func (g *Generator) SetSpec(config *rspec.Spec) { + g.Config = config } -// Spec gets the spec in the Generator g. +// Spec gets the configuration from the Generator g. +// +// Deprecated: Replace with generator.Config. func (g *Generator) Spec() *rspec.Spec { - return g.spec + return g.Config } -// Save writes the spec into w. +// Save writes the configuration into w. func (g *Generator) Save(w io.Writer, exportOpts ExportOptions) (err error) { var data []byte - if g.spec.Linux != nil { - buf, err := json.Marshal(g.spec.Linux) + if g.Config.Linux != nil { + buf, err := json.Marshal(g.Config.Linux) if err != nil { return err } if string(buf) == "{}" { - g.spec.Linux = nil + g.Config.Linux = nil } } if exportOpts.Seccomp { - data, err = json.MarshalIndent(g.spec.Linux.Seccomp, "", "\t") + data, err = json.MarshalIndent(g.Config.Linux.Seccomp, "", "\t") } else { - data, err = json.MarshalIndent(g.spec, "", "\t") + data, err = json.MarshalIndent(g.Config, "", "\t") } if err != nil { return err @@ -292,7 +314,7 @@ func (g *Generator) Save(w io.Writer, exportOpts ExportOptions) (err error) { return nil } -// SaveToFile writes the spec into a file. +// SaveToFile writes the configuration into a file. func (g *Generator) SaveToFile(path string, exportOpts ExportOptions) error { f, err := os.Create(path) if err != nil { @@ -302,131 +324,145 @@ func (g *Generator) SaveToFile(path string, exportOpts ExportOptions) error { return g.Save(f, exportOpts) } -// SetVersion sets g.spec.Version. +// SetVersion sets g.Config.Version. func (g *Generator) SetVersion(version string) { - g.initSpec() - g.spec.Version = version + g.initConfig() + g.Config.Version = version } -// SetRootPath sets g.spec.Root.Path. +// SetRootPath sets g.Config.Root.Path. func (g *Generator) SetRootPath(path string) { - g.initSpecRoot() - g.spec.Root.Path = path + g.initConfigRoot() + g.Config.Root.Path = path } -// SetRootReadonly sets g.spec.Root.Readonly. +// SetRootReadonly sets g.Config.Root.Readonly. func (g *Generator) SetRootReadonly(b bool) { - g.initSpecRoot() - g.spec.Root.Readonly = b + g.initConfigRoot() + g.Config.Root.Readonly = b } -// SetHostname sets g.spec.Hostname. +// SetHostname sets g.Config.Hostname. func (g *Generator) SetHostname(s string) { - g.initSpec() - g.spec.Hostname = s + g.initConfig() + g.Config.Hostname = s } -// ClearAnnotations clears g.spec.Annotations. +// ClearAnnotations clears g.Config.Annotations. func (g *Generator) ClearAnnotations() { - if g.spec == nil { + if g.Config == nil { return } - g.spec.Annotations = make(map[string]string) + g.Config.Annotations = make(map[string]string) } -// AddAnnotation adds an annotation into g.spec.Annotations. +// AddAnnotation adds an annotation into g.Config.Annotations. func (g *Generator) AddAnnotation(key, value string) { - g.initSpecAnnotations() - g.spec.Annotations[key] = value + g.initConfigAnnotations() + g.Config.Annotations[key] = value } -// RemoveAnnotation remove an annotation from g.spec.Annotations. +// RemoveAnnotation remove an annotation from g.Config.Annotations. func (g *Generator) RemoveAnnotation(key string) { - if g.spec == nil || g.spec.Annotations == nil { + if g.Config == nil || g.Config.Annotations == nil { + return + } + delete(g.Config.Annotations, key) +} + +// RemoveHostname removes g.Config.Hostname, setting it to an empty string. +func (g *Generator) RemoveHostname() { + if g.Config == nil { return } - delete(g.spec.Annotations, key) + g.Config.Hostname = "" } -// SetProcessConsoleSize sets g.spec.Process.ConsoleSize. +// SetProcessConsoleSize sets g.Config.Process.ConsoleSize. func (g *Generator) SetProcessConsoleSize(width, height uint) { - g.initSpecProcessConsoleSize() - g.spec.Process.ConsoleSize.Width = width - g.spec.Process.ConsoleSize.Height = height + g.initConfigProcessConsoleSize() + g.Config.Process.ConsoleSize.Width = width + g.Config.Process.ConsoleSize.Height = height } -// SetProcessUID sets g.spec.Process.User.UID. +// SetProcessUID sets g.Config.Process.User.UID. func (g *Generator) SetProcessUID(uid uint32) { - g.initSpecProcess() - g.spec.Process.User.UID = uid + g.initConfigProcess() + g.Config.Process.User.UID = uid } -// SetProcessGID sets g.spec.Process.User.GID. +// SetProcessUsername sets g.Config.Process.User.Username. +func (g *Generator) SetProcessUsername(username string) { + g.initConfigProcess() + g.Config.Process.User.Username = username +} + +// SetProcessGID sets g.Config.Process.User.GID. func (g *Generator) SetProcessGID(gid uint32) { - g.initSpecProcess() - g.spec.Process.User.GID = gid + g.initConfigProcess() + g.Config.Process.User.GID = gid } -// SetProcessCwd sets g.spec.Process.Cwd. +// SetProcessCwd sets g.Config.Process.Cwd. func (g *Generator) SetProcessCwd(cwd string) { - g.initSpecProcess() - g.spec.Process.Cwd = cwd + g.initConfigProcess() + g.Config.Process.Cwd = cwd } -// SetProcessNoNewPrivileges sets g.spec.Process.NoNewPrivileges. +// SetProcessNoNewPrivileges sets g.Config.Process.NoNewPrivileges. func (g *Generator) SetProcessNoNewPrivileges(b bool) { - g.initSpecProcess() - g.spec.Process.NoNewPrivileges = b + g.initConfigProcess() + g.Config.Process.NoNewPrivileges = b } -// SetProcessTerminal sets g.spec.Process.Terminal. +// SetProcessTerminal sets g.Config.Process.Terminal. func (g *Generator) SetProcessTerminal(b bool) { - g.initSpecProcess() - g.spec.Process.Terminal = b + g.initConfigProcess() + g.Config.Process.Terminal = b } -// SetProcessApparmorProfile sets g.spec.Process.ApparmorProfile. +// SetProcessApparmorProfile sets g.Config.Process.ApparmorProfile. func (g *Generator) SetProcessApparmorProfile(prof string) { - g.initSpecProcess() - g.spec.Process.ApparmorProfile = prof + g.initConfigProcess() + g.Config.Process.ApparmorProfile = prof } -// SetProcessArgs sets g.spec.Process.Args. +// SetProcessArgs sets g.Config.Process.Args. func (g *Generator) SetProcessArgs(args []string) { - g.initSpecProcess() - g.spec.Process.Args = args + g.initConfigProcess() + g.Config.Process.Args = args } -// ClearProcessEnv clears g.spec.Process.Env. +// ClearProcessEnv clears g.Config.Process.Env. func (g *Generator) ClearProcessEnv() { - if g.spec == nil || g.spec.Process == nil { + if g.Config == nil || g.Config.Process == nil { return } - g.spec.Process.Env = []string{} + g.Config.Process.Env = []string{} } -// AddProcessEnv adds name=value into g.spec.Process.Env, or replaces an +// AddProcessEnv adds name=value into g.Config.Process.Env, or replaces an // existing entry with the given name. func (g *Generator) AddProcessEnv(name, value string) { - g.initSpecProcess() + g.initConfigProcess() env := fmt.Sprintf("%s=%s", name, value) - for idx := range g.spec.Process.Env { - if strings.HasPrefix(g.spec.Process.Env[idx], name+"=") { - g.spec.Process.Env[idx] = env + for idx := range g.Config.Process.Env { + if strings.HasPrefix(g.Config.Process.Env[idx], name+"=") { + g.Config.Process.Env[idx] = env return } } - g.spec.Process.Env = append(g.spec.Process.Env, env) + g.Config.Process.Env = append(g.Config.Process.Env, env) } -// AddProcessRlimits adds rlimit into g.spec.Process.Rlimits. +// AddProcessRlimits adds rlimit into g.Config.Process.Rlimits. func (g *Generator) AddProcessRlimits(rType string, rHard uint64, rSoft uint64) { - g.initSpecProcess() - for i, rlimit := range g.spec.Process.Rlimits { + g.initConfigProcess() + for i, rlimit := range g.Config.Process.Rlimits { if rlimit.Type == rType { - g.spec.Process.Rlimits[i].Hard = rHard - g.spec.Process.Rlimits[i].Soft = rSoft + g.Config.Process.Rlimits[i].Hard = rHard + g.Config.Process.Rlimits[i].Soft = rSoft return } } @@ -436,91 +472,91 @@ func (g *Generator) AddProcessRlimits(rType string, rHard uint64, rSoft uint64) Hard: rHard, Soft: rSoft, } - g.spec.Process.Rlimits = append(g.spec.Process.Rlimits, newRlimit) + g.Config.Process.Rlimits = append(g.Config.Process.Rlimits, newRlimit) } -// RemoveProcessRlimits removes a rlimit from g.spec.Process.Rlimits. +// RemoveProcessRlimits removes a rlimit from g.Config.Process.Rlimits. func (g *Generator) RemoveProcessRlimits(rType string) { - if g.spec == nil || g.spec.Process == nil { + if g.Config == nil || g.Config.Process == nil { return } - for i, rlimit := range g.spec.Process.Rlimits { + for i, rlimit := range g.Config.Process.Rlimits { if rlimit.Type == rType { - g.spec.Process.Rlimits = append(g.spec.Process.Rlimits[:i], g.spec.Process.Rlimits[i+1:]...) + g.Config.Process.Rlimits = append(g.Config.Process.Rlimits[:i], g.Config.Process.Rlimits[i+1:]...) return } } } -// ClearProcessRlimits clear g.spec.Process.Rlimits. +// ClearProcessRlimits clear g.Config.Process.Rlimits. func (g *Generator) ClearProcessRlimits() { - if g.spec == nil || g.spec.Process == nil { + if g.Config == nil || g.Config.Process == nil { return } - g.spec.Process.Rlimits = []rspec.POSIXRlimit{} + g.Config.Process.Rlimits = []rspec.POSIXRlimit{} } -// ClearProcessAdditionalGids clear g.spec.Process.AdditionalGids. +// ClearProcessAdditionalGids clear g.Config.Process.AdditionalGids. func (g *Generator) ClearProcessAdditionalGids() { - if g.spec == nil || g.spec.Process == nil { + if g.Config == nil || g.Config.Process == nil { return } - g.spec.Process.User.AdditionalGids = []uint32{} + g.Config.Process.User.AdditionalGids = []uint32{} } -// AddProcessAdditionalGid adds an additional gid into g.spec.Process.AdditionalGids. +// AddProcessAdditionalGid adds an additional gid into g.Config.Process.AdditionalGids. func (g *Generator) AddProcessAdditionalGid(gid uint32) { - g.initSpecProcess() - for _, group := range g.spec.Process.User.AdditionalGids { + g.initConfigProcess() + for _, group := range g.Config.Process.User.AdditionalGids { if group == gid { return } } - g.spec.Process.User.AdditionalGids = append(g.spec.Process.User.AdditionalGids, gid) + g.Config.Process.User.AdditionalGids = append(g.Config.Process.User.AdditionalGids, gid) } -// SetProcessSelinuxLabel sets g.spec.Process.SelinuxLabel. +// SetProcessSelinuxLabel sets g.Config.Process.SelinuxLabel. func (g *Generator) SetProcessSelinuxLabel(label string) { - g.initSpecProcess() - g.spec.Process.SelinuxLabel = label + g.initConfigProcess() + g.Config.Process.SelinuxLabel = label } -// SetLinuxCgroupsPath sets g.spec.Linux.CgroupsPath. +// SetLinuxCgroupsPath sets g.Config.Linux.CgroupsPath. func (g *Generator) SetLinuxCgroupsPath(path string) { - g.initSpecLinux() - g.spec.Linux.CgroupsPath = path + g.initConfigLinux() + g.Config.Linux.CgroupsPath = path } -// SetLinuxIntelRdtL3CacheSchema sets g.spec.Linux.IntelRdt.L3CacheSchema +// SetLinuxIntelRdtL3CacheSchema sets g.Config.Linux.IntelRdt.L3CacheSchema func (g *Generator) SetLinuxIntelRdtL3CacheSchema(schema string) { - g.initSpecLinuxIntelRdt() - g.spec.Linux.IntelRdt.L3CacheSchema = schema + g.initConfigLinuxIntelRdt() + g.Config.Linux.IntelRdt.L3CacheSchema = schema } -// SetLinuxMountLabel sets g.spec.Linux.MountLabel. +// SetLinuxMountLabel sets g.Config.Linux.MountLabel. func (g *Generator) SetLinuxMountLabel(label string) { - g.initSpecLinux() - g.spec.Linux.MountLabel = label + g.initConfigLinux() + g.Config.Linux.MountLabel = label } -// SetProcessOOMScoreAdj sets g.spec.Process.OOMScoreAdj. +// SetProcessOOMScoreAdj sets g.Config.Process.OOMScoreAdj. func (g *Generator) SetProcessOOMScoreAdj(adj int) { - g.initSpecProcess() - g.spec.Process.OOMScoreAdj = &adj + g.initConfigProcess() + g.Config.Process.OOMScoreAdj = &adj } -// SetLinuxResourcesBlockIOLeafWeight sets g.spec.Linux.Resources.BlockIO.LeafWeight. +// SetLinuxResourcesBlockIOLeafWeight sets g.Config.Linux.Resources.BlockIO.LeafWeight. func (g *Generator) SetLinuxResourcesBlockIOLeafWeight(weight uint16) { - g.initSpecLinuxResourcesBlockIO() - g.spec.Linux.Resources.BlockIO.LeafWeight = &weight + g.initConfigLinuxResourcesBlockIO() + g.Config.Linux.Resources.BlockIO.LeafWeight = &weight } -// AddLinuxResourcesBlockIOLeafWeightDevice adds or sets g.spec.Linux.Resources.BlockIO.WeightDevice.LeafWeight. +// AddLinuxResourcesBlockIOLeafWeightDevice adds or sets g.Config.Linux.Resources.BlockIO.WeightDevice.LeafWeight. func (g *Generator) AddLinuxResourcesBlockIOLeafWeightDevice(major int64, minor int64, weight uint16) { - g.initSpecLinuxResourcesBlockIO() - for i, weightDevice := range g.spec.Linux.Resources.BlockIO.WeightDevice { + g.initConfigLinuxResourcesBlockIO() + for i, weightDevice := range g.Config.Linux.Resources.BlockIO.WeightDevice { if weightDevice.Major == major && weightDevice.Minor == minor { - g.spec.Linux.Resources.BlockIO.WeightDevice[i].LeafWeight = &weight + g.Config.Linux.Resources.BlockIO.WeightDevice[i].LeafWeight = &weight return } } @@ -528,43 +564,43 @@ func (g *Generator) AddLinuxResourcesBlockIOLeafWeightDevice(major int64, minor weightDevice.Major = major weightDevice.Minor = minor weightDevice.LeafWeight = &weight - g.spec.Linux.Resources.BlockIO.WeightDevice = append(g.spec.Linux.Resources.BlockIO.WeightDevice, *weightDevice) + g.Config.Linux.Resources.BlockIO.WeightDevice = append(g.Config.Linux.Resources.BlockIO.WeightDevice, *weightDevice) } -// DropLinuxResourcesBlockIOLeafWeightDevice drops a item form g.spec.Linux.Resources.BlockIO.WeightDevice.LeafWeight +// DropLinuxResourcesBlockIOLeafWeightDevice drops a item form g.Config.Linux.Resources.BlockIO.WeightDevice.LeafWeight func (g *Generator) DropLinuxResourcesBlockIOLeafWeightDevice(major int64, minor int64) { - if g.spec == nil || g.spec.Linux == nil || g.spec.Linux.Resources == nil || g.spec.Linux.Resources.BlockIO == nil { + if g.Config == nil || g.Config.Linux == nil || g.Config.Linux.Resources == nil || g.Config.Linux.Resources.BlockIO == nil { return } - for i, weightDevice := range g.spec.Linux.Resources.BlockIO.WeightDevice { + for i, weightDevice := range g.Config.Linux.Resources.BlockIO.WeightDevice { if weightDevice.Major == major && weightDevice.Minor == minor { if weightDevice.Weight != nil { newWeightDevice := new(rspec.LinuxWeightDevice) newWeightDevice.Major = major newWeightDevice.Minor = minor newWeightDevice.Weight = weightDevice.Weight - g.spec.Linux.Resources.BlockIO.WeightDevice[i] = *newWeightDevice + g.Config.Linux.Resources.BlockIO.WeightDevice[i] = *newWeightDevice } else { - g.spec.Linux.Resources.BlockIO.WeightDevice = append(g.spec.Linux.Resources.BlockIO.WeightDevice[:i], g.spec.Linux.Resources.BlockIO.WeightDevice[i+1:]...) + g.Config.Linux.Resources.BlockIO.WeightDevice = append(g.Config.Linux.Resources.BlockIO.WeightDevice[:i], g.Config.Linux.Resources.BlockIO.WeightDevice[i+1:]...) } return } } } -// SetLinuxResourcesBlockIOWeight sets g.spec.Linux.Resources.BlockIO.Weight. +// SetLinuxResourcesBlockIOWeight sets g.Config.Linux.Resources.BlockIO.Weight. func (g *Generator) SetLinuxResourcesBlockIOWeight(weight uint16) { - g.initSpecLinuxResourcesBlockIO() - g.spec.Linux.Resources.BlockIO.Weight = &weight + g.initConfigLinuxResourcesBlockIO() + g.Config.Linux.Resources.BlockIO.Weight = &weight } -// AddLinuxResourcesBlockIOWeightDevice adds or sets g.spec.Linux.Resources.BlockIO.WeightDevice.Weight. +// AddLinuxResourcesBlockIOWeightDevice adds or sets g.Config.Linux.Resources.BlockIO.WeightDevice.Weight. func (g *Generator) AddLinuxResourcesBlockIOWeightDevice(major int64, minor int64, weight uint16) { - g.initSpecLinuxResourcesBlockIO() - for i, weightDevice := range g.spec.Linux.Resources.BlockIO.WeightDevice { + g.initConfigLinuxResourcesBlockIO() + for i, weightDevice := range g.Config.Linux.Resources.BlockIO.WeightDevice { if weightDevice.Major == major && weightDevice.Minor == minor { - g.spec.Linux.Resources.BlockIO.WeightDevice[i].Weight = &weight + g.Config.Linux.Resources.BlockIO.WeightDevice[i].Weight = &weight return } } @@ -572,286 +608,286 @@ func (g *Generator) AddLinuxResourcesBlockIOWeightDevice(major int64, minor int6 weightDevice.Major = major weightDevice.Minor = minor weightDevice.Weight = &weight - g.spec.Linux.Resources.BlockIO.WeightDevice = append(g.spec.Linux.Resources.BlockIO.WeightDevice, *weightDevice) + g.Config.Linux.Resources.BlockIO.WeightDevice = append(g.Config.Linux.Resources.BlockIO.WeightDevice, *weightDevice) } -// DropLinuxResourcesBlockIOWeightDevice drops a item form g.spec.Linux.Resources.BlockIO.WeightDevice.Weight +// DropLinuxResourcesBlockIOWeightDevice drops a item form g.Config.Linux.Resources.BlockIO.WeightDevice.Weight func (g *Generator) DropLinuxResourcesBlockIOWeightDevice(major int64, minor int64) { - if g.spec == nil || g.spec.Linux == nil || g.spec.Linux.Resources == nil || g.spec.Linux.Resources.BlockIO == nil { + if g.Config == nil || g.Config.Linux == nil || g.Config.Linux.Resources == nil || g.Config.Linux.Resources.BlockIO == nil { return } - for i, weightDevice := range g.spec.Linux.Resources.BlockIO.WeightDevice { + for i, weightDevice := range g.Config.Linux.Resources.BlockIO.WeightDevice { if weightDevice.Major == major && weightDevice.Minor == minor { if weightDevice.LeafWeight != nil { newWeightDevice := new(rspec.LinuxWeightDevice) newWeightDevice.Major = major newWeightDevice.Minor = minor newWeightDevice.LeafWeight = weightDevice.LeafWeight - g.spec.Linux.Resources.BlockIO.WeightDevice[i] = *newWeightDevice + g.Config.Linux.Resources.BlockIO.WeightDevice[i] = *newWeightDevice } else { - g.spec.Linux.Resources.BlockIO.WeightDevice = append(g.spec.Linux.Resources.BlockIO.WeightDevice[:i], g.spec.Linux.Resources.BlockIO.WeightDevice[i+1:]...) + g.Config.Linux.Resources.BlockIO.WeightDevice = append(g.Config.Linux.Resources.BlockIO.WeightDevice[:i], g.Config.Linux.Resources.BlockIO.WeightDevice[i+1:]...) } return } } } -// AddLinuxResourcesBlockIOThrottleReadBpsDevice adds or sets g.spec.Linux.Resources.BlockIO.ThrottleReadBpsDevice. +// AddLinuxResourcesBlockIOThrottleReadBpsDevice adds or sets g.Config.Linux.Resources.BlockIO.ThrottleReadBpsDevice. func (g *Generator) AddLinuxResourcesBlockIOThrottleReadBpsDevice(major int64, minor int64, rate uint64) { - g.initSpecLinuxResourcesBlockIO() - throttleDevices := addOrReplaceBlockIOThrottleDevice(g.spec.Linux.Resources.BlockIO.ThrottleReadBpsDevice, major, minor, rate) - g.spec.Linux.Resources.BlockIO.ThrottleReadBpsDevice = throttleDevices + g.initConfigLinuxResourcesBlockIO() + throttleDevices := addOrReplaceBlockIOThrottleDevice(g.Config.Linux.Resources.BlockIO.ThrottleReadBpsDevice, major, minor, rate) + g.Config.Linux.Resources.BlockIO.ThrottleReadBpsDevice = throttleDevices } -// DropLinuxResourcesBlockIOThrottleReadBpsDevice drops a item from g.spec.Linux.Resources.BlockIO.ThrottleReadBpsDevice. +// DropLinuxResourcesBlockIOThrottleReadBpsDevice drops a item from g.Config.Linux.Resources.BlockIO.ThrottleReadBpsDevice. func (g *Generator) DropLinuxResourcesBlockIOThrottleReadBpsDevice(major int64, minor int64) { - if g.spec == nil || g.spec.Linux == nil || g.spec.Linux.Resources == nil || g.spec.Linux.Resources.BlockIO == nil { + if g.Config == nil || g.Config.Linux == nil || g.Config.Linux.Resources == nil || g.Config.Linux.Resources.BlockIO == nil { return } - throttleDevices := dropBlockIOThrottleDevice(g.spec.Linux.Resources.BlockIO.ThrottleReadBpsDevice, major, minor) - g.spec.Linux.Resources.BlockIO.ThrottleReadBpsDevice = throttleDevices + throttleDevices := dropBlockIOThrottleDevice(g.Config.Linux.Resources.BlockIO.ThrottleReadBpsDevice, major, minor) + g.Config.Linux.Resources.BlockIO.ThrottleReadBpsDevice = throttleDevices } -// AddLinuxResourcesBlockIOThrottleReadIOPSDevice adds or sets g.spec.Linux.Resources.BlockIO.ThrottleReadIOPSDevice. +// AddLinuxResourcesBlockIOThrottleReadIOPSDevice adds or sets g.Config.Linux.Resources.BlockIO.ThrottleReadIOPSDevice. func (g *Generator) AddLinuxResourcesBlockIOThrottleReadIOPSDevice(major int64, minor int64, rate uint64) { - g.initSpecLinuxResourcesBlockIO() - throttleDevices := addOrReplaceBlockIOThrottleDevice(g.spec.Linux.Resources.BlockIO.ThrottleReadIOPSDevice, major, minor, rate) - g.spec.Linux.Resources.BlockIO.ThrottleReadIOPSDevice = throttleDevices + g.initConfigLinuxResourcesBlockIO() + throttleDevices := addOrReplaceBlockIOThrottleDevice(g.Config.Linux.Resources.BlockIO.ThrottleReadIOPSDevice, major, minor, rate) + g.Config.Linux.Resources.BlockIO.ThrottleReadIOPSDevice = throttleDevices } -// DropLinuxResourcesBlockIOThrottleReadIOPSDevice drops a item from g.spec.Linux.Resources.BlockIO.ThrottleReadIOPSDevice. +// DropLinuxResourcesBlockIOThrottleReadIOPSDevice drops a item from g.Config.Linux.Resources.BlockIO.ThrottleReadIOPSDevice. func (g *Generator) DropLinuxResourcesBlockIOThrottleReadIOPSDevice(major int64, minor int64) { - if g.spec == nil || g.spec.Linux == nil || g.spec.Linux.Resources == nil || g.spec.Linux.Resources.BlockIO == nil { + if g.Config == nil || g.Config.Linux == nil || g.Config.Linux.Resources == nil || g.Config.Linux.Resources.BlockIO == nil { return } - throttleDevices := dropBlockIOThrottleDevice(g.spec.Linux.Resources.BlockIO.ThrottleReadIOPSDevice, major, minor) - g.spec.Linux.Resources.BlockIO.ThrottleReadIOPSDevice = throttleDevices + throttleDevices := dropBlockIOThrottleDevice(g.Config.Linux.Resources.BlockIO.ThrottleReadIOPSDevice, major, minor) + g.Config.Linux.Resources.BlockIO.ThrottleReadIOPSDevice = throttleDevices } -// AddLinuxResourcesBlockIOThrottleWriteBpsDevice adds or sets g.spec.Linux.Resources.BlockIO.ThrottleWriteBpsDevice. +// AddLinuxResourcesBlockIOThrottleWriteBpsDevice adds or sets g.Config.Linux.Resources.BlockIO.ThrottleWriteBpsDevice. func (g *Generator) AddLinuxResourcesBlockIOThrottleWriteBpsDevice(major int64, minor int64, rate uint64) { - g.initSpecLinuxResourcesBlockIO() - throttleDevices := addOrReplaceBlockIOThrottleDevice(g.spec.Linux.Resources.BlockIO.ThrottleWriteBpsDevice, major, minor, rate) - g.spec.Linux.Resources.BlockIO.ThrottleWriteBpsDevice = throttleDevices + g.initConfigLinuxResourcesBlockIO() + throttleDevices := addOrReplaceBlockIOThrottleDevice(g.Config.Linux.Resources.BlockIO.ThrottleWriteBpsDevice, major, minor, rate) + g.Config.Linux.Resources.BlockIO.ThrottleWriteBpsDevice = throttleDevices } -// DropLinuxResourcesBlockIOThrottleWriteBpsDevice drops a item from g.spec.Linux.Resources.BlockIO.ThrottleWriteBpsDevice. +// DropLinuxResourcesBlockIOThrottleWriteBpsDevice drops a item from g.Config.Linux.Resources.BlockIO.ThrottleWriteBpsDevice. func (g *Generator) DropLinuxResourcesBlockIOThrottleWriteBpsDevice(major int64, minor int64) { - if g.spec == nil || g.spec.Linux == nil || g.spec.Linux.Resources == nil || g.spec.Linux.Resources.BlockIO == nil { + if g.Config == nil || g.Config.Linux == nil || g.Config.Linux.Resources == nil || g.Config.Linux.Resources.BlockIO == nil { return } - throttleDevices := dropBlockIOThrottleDevice(g.spec.Linux.Resources.BlockIO.ThrottleWriteBpsDevice, major, minor) - g.spec.Linux.Resources.BlockIO.ThrottleWriteBpsDevice = throttleDevices + throttleDevices := dropBlockIOThrottleDevice(g.Config.Linux.Resources.BlockIO.ThrottleWriteBpsDevice, major, minor) + g.Config.Linux.Resources.BlockIO.ThrottleWriteBpsDevice = throttleDevices } -// AddLinuxResourcesBlockIOThrottleWriteIOPSDevice adds or sets g.spec.Linux.Resources.BlockIO.ThrottleWriteIOPSDevice. +// AddLinuxResourcesBlockIOThrottleWriteIOPSDevice adds or sets g.Config.Linux.Resources.BlockIO.ThrottleWriteIOPSDevice. func (g *Generator) AddLinuxResourcesBlockIOThrottleWriteIOPSDevice(major int64, minor int64, rate uint64) { - g.initSpecLinuxResourcesBlockIO() - throttleDevices := addOrReplaceBlockIOThrottleDevice(g.spec.Linux.Resources.BlockIO.ThrottleWriteIOPSDevice, major, minor, rate) - g.spec.Linux.Resources.BlockIO.ThrottleWriteIOPSDevice = throttleDevices + g.initConfigLinuxResourcesBlockIO() + throttleDevices := addOrReplaceBlockIOThrottleDevice(g.Config.Linux.Resources.BlockIO.ThrottleWriteIOPSDevice, major, minor, rate) + g.Config.Linux.Resources.BlockIO.ThrottleWriteIOPSDevice = throttleDevices } -// DropLinuxResourcesBlockIOThrottleWriteIOPSDevice drops a item from g.spec.Linux.Resources.BlockIO.ThrottleWriteIOPSDevice. +// DropLinuxResourcesBlockIOThrottleWriteIOPSDevice drops a item from g.Config.Linux.Resources.BlockIO.ThrottleWriteIOPSDevice. func (g *Generator) DropLinuxResourcesBlockIOThrottleWriteIOPSDevice(major int64, minor int64) { - if g.spec == nil || g.spec.Linux == nil || g.spec.Linux.Resources == nil || g.spec.Linux.Resources.BlockIO == nil { + if g.Config == nil || g.Config.Linux == nil || g.Config.Linux.Resources == nil || g.Config.Linux.Resources.BlockIO == nil { return } - throttleDevices := dropBlockIOThrottleDevice(g.spec.Linux.Resources.BlockIO.ThrottleWriteIOPSDevice, major, minor) - g.spec.Linux.Resources.BlockIO.ThrottleWriteIOPSDevice = throttleDevices + throttleDevices := dropBlockIOThrottleDevice(g.Config.Linux.Resources.BlockIO.ThrottleWriteIOPSDevice, major, minor) + g.Config.Linux.Resources.BlockIO.ThrottleWriteIOPSDevice = throttleDevices } -// SetLinuxResourcesCPUShares sets g.spec.Linux.Resources.CPU.Shares. +// SetLinuxResourcesCPUShares sets g.Config.Linux.Resources.CPU.Shares. func (g *Generator) SetLinuxResourcesCPUShares(shares uint64) { - g.initSpecLinuxResourcesCPU() - g.spec.Linux.Resources.CPU.Shares = &shares + g.InitConfigLinuxResourcesCPU() + g.Config.Linux.Resources.CPU.Shares = &shares } -// SetLinuxResourcesCPUQuota sets g.spec.Linux.Resources.CPU.Quota. +// SetLinuxResourcesCPUQuota sets g.Config.Linux.Resources.CPU.Quota. func (g *Generator) SetLinuxResourcesCPUQuota(quota int64) { - g.initSpecLinuxResourcesCPU() - g.spec.Linux.Resources.CPU.Quota = "a + g.InitConfigLinuxResourcesCPU() + g.Config.Linux.Resources.CPU.Quota = "a } -// SetLinuxResourcesCPUPeriod sets g.spec.Linux.Resources.CPU.Period. +// SetLinuxResourcesCPUPeriod sets g.Config.Linux.Resources.CPU.Period. func (g *Generator) SetLinuxResourcesCPUPeriod(period uint64) { - g.initSpecLinuxResourcesCPU() - g.spec.Linux.Resources.CPU.Period = &period + g.InitConfigLinuxResourcesCPU() + g.Config.Linux.Resources.CPU.Period = &period } -// SetLinuxResourcesCPURealtimeRuntime sets g.spec.Linux.Resources.CPU.RealtimeRuntime. +// SetLinuxResourcesCPURealtimeRuntime sets g.Config.Linux.Resources.CPU.RealtimeRuntime. func (g *Generator) SetLinuxResourcesCPURealtimeRuntime(time int64) { - g.initSpecLinuxResourcesCPU() - g.spec.Linux.Resources.CPU.RealtimeRuntime = &time + g.InitConfigLinuxResourcesCPU() + g.Config.Linux.Resources.CPU.RealtimeRuntime = &time } -// SetLinuxResourcesCPURealtimePeriod sets g.spec.Linux.Resources.CPU.RealtimePeriod. +// SetLinuxResourcesCPURealtimePeriod sets g.Config.Linux.Resources.CPU.RealtimePeriod. func (g *Generator) SetLinuxResourcesCPURealtimePeriod(period uint64) { - g.initSpecLinuxResourcesCPU() - g.spec.Linux.Resources.CPU.RealtimePeriod = &period + g.InitConfigLinuxResourcesCPU() + g.Config.Linux.Resources.CPU.RealtimePeriod = &period } -// SetLinuxResourcesCPUCpus sets g.spec.Linux.Resources.CPU.Cpus. +// SetLinuxResourcesCPUCpus sets g.Config.Linux.Resources.CPU.Cpus. func (g *Generator) SetLinuxResourcesCPUCpus(cpus string) { - g.initSpecLinuxResourcesCPU() - g.spec.Linux.Resources.CPU.Cpus = cpus + g.InitConfigLinuxResourcesCPU() + g.Config.Linux.Resources.CPU.Cpus = cpus } -// SetLinuxResourcesCPUMems sets g.spec.Linux.Resources.CPU.Mems. +// SetLinuxResourcesCPUMems sets g.Config.Linux.Resources.CPU.Mems. func (g *Generator) SetLinuxResourcesCPUMems(mems string) { - g.initSpecLinuxResourcesCPU() - g.spec.Linux.Resources.CPU.Mems = mems + g.InitConfigLinuxResourcesCPU() + g.Config.Linux.Resources.CPU.Mems = mems } -// AddLinuxResourcesHugepageLimit adds or sets g.spec.Linux.Resources.HugepageLimits. +// AddLinuxResourcesHugepageLimit adds or sets g.Config.Linux.Resources.HugepageLimits. func (g *Generator) AddLinuxResourcesHugepageLimit(pageSize string, limit uint64) { hugepageLimit := rspec.LinuxHugepageLimit{ Pagesize: pageSize, Limit: limit, } - g.initSpecLinuxResources() - for i, pageLimit := range g.spec.Linux.Resources.HugepageLimits { + g.initConfigLinuxResources() + for i, pageLimit := range g.Config.Linux.Resources.HugepageLimits { if pageLimit.Pagesize == pageSize { - g.spec.Linux.Resources.HugepageLimits[i].Limit = limit + g.Config.Linux.Resources.HugepageLimits[i].Limit = limit return } } - g.spec.Linux.Resources.HugepageLimits = append(g.spec.Linux.Resources.HugepageLimits, hugepageLimit) + g.Config.Linux.Resources.HugepageLimits = append(g.Config.Linux.Resources.HugepageLimits, hugepageLimit) } -// DropLinuxResourcesHugepageLimit drops a hugepage limit from g.spec.Linux.Resources.HugepageLimits. +// DropLinuxResourcesHugepageLimit drops a hugepage limit from g.Config.Linux.Resources.HugepageLimits. func (g *Generator) DropLinuxResourcesHugepageLimit(pageSize string) { - if g.spec == nil || g.spec.Linux == nil || g.spec.Linux.Resources == nil { + if g.Config == nil || g.Config.Linux == nil || g.Config.Linux.Resources == nil { return } - for i, pageLimit := range g.spec.Linux.Resources.HugepageLimits { + for i, pageLimit := range g.Config.Linux.Resources.HugepageLimits { if pageLimit.Pagesize == pageSize { - g.spec.Linux.Resources.HugepageLimits = append(g.spec.Linux.Resources.HugepageLimits[:i], g.spec.Linux.Resources.HugepageLimits[i+1:]...) + g.Config.Linux.Resources.HugepageLimits = append(g.Config.Linux.Resources.HugepageLimits[:i], g.Config.Linux.Resources.HugepageLimits[i+1:]...) return } } } -// SetLinuxResourcesMemoryLimit sets g.spec.Linux.Resources.Memory.Limit. +// SetLinuxResourcesMemoryLimit sets g.Config.Linux.Resources.Memory.Limit. func (g *Generator) SetLinuxResourcesMemoryLimit(limit int64) { - g.initSpecLinuxResourcesMemory() - g.spec.Linux.Resources.Memory.Limit = &limit + g.initConfigLinuxResourcesMemory() + g.Config.Linux.Resources.Memory.Limit = &limit } -// SetLinuxResourcesMemoryReservation sets g.spec.Linux.Resources.Memory.Reservation. +// SetLinuxResourcesMemoryReservation sets g.Config.Linux.Resources.Memory.Reservation. func (g *Generator) SetLinuxResourcesMemoryReservation(reservation int64) { - g.initSpecLinuxResourcesMemory() - g.spec.Linux.Resources.Memory.Reservation = &reservation + g.initConfigLinuxResourcesMemory() + g.Config.Linux.Resources.Memory.Reservation = &reservation } -// SetLinuxResourcesMemorySwap sets g.spec.Linux.Resources.Memory.Swap. +// SetLinuxResourcesMemorySwap sets g.Config.Linux.Resources.Memory.Swap. func (g *Generator) SetLinuxResourcesMemorySwap(swap int64) { - g.initSpecLinuxResourcesMemory() - g.spec.Linux.Resources.Memory.Swap = &swap + g.initConfigLinuxResourcesMemory() + g.Config.Linux.Resources.Memory.Swap = &swap } -// SetLinuxResourcesMemoryKernel sets g.spec.Linux.Resources.Memory.Kernel. +// SetLinuxResourcesMemoryKernel sets g.Config.Linux.Resources.Memory.Kernel. func (g *Generator) SetLinuxResourcesMemoryKernel(kernel int64) { - g.initSpecLinuxResourcesMemory() - g.spec.Linux.Resources.Memory.Kernel = &kernel + g.initConfigLinuxResourcesMemory() + g.Config.Linux.Resources.Memory.Kernel = &kernel } -// SetLinuxResourcesMemoryKernelTCP sets g.spec.Linux.Resources.Memory.KernelTCP. +// SetLinuxResourcesMemoryKernelTCP sets g.Config.Linux.Resources.Memory.KernelTCP. func (g *Generator) SetLinuxResourcesMemoryKernelTCP(kernelTCP int64) { - g.initSpecLinuxResourcesMemory() - g.spec.Linux.Resources.Memory.KernelTCP = &kernelTCP + g.initConfigLinuxResourcesMemory() + g.Config.Linux.Resources.Memory.KernelTCP = &kernelTCP } -// SetLinuxResourcesMemorySwappiness sets g.spec.Linux.Resources.Memory.Swappiness. +// SetLinuxResourcesMemorySwappiness sets g.Config.Linux.Resources.Memory.Swappiness. func (g *Generator) SetLinuxResourcesMemorySwappiness(swappiness uint64) { - g.initSpecLinuxResourcesMemory() - g.spec.Linux.Resources.Memory.Swappiness = &swappiness + g.initConfigLinuxResourcesMemory() + g.Config.Linux.Resources.Memory.Swappiness = &swappiness } -// SetLinuxResourcesMemoryDisableOOMKiller sets g.spec.Linux.Resources.Memory.DisableOOMKiller. +// SetLinuxResourcesMemoryDisableOOMKiller sets g.Config.Linux.Resources.Memory.DisableOOMKiller. func (g *Generator) SetLinuxResourcesMemoryDisableOOMKiller(disable bool) { - g.initSpecLinuxResourcesMemory() - g.spec.Linux.Resources.Memory.DisableOOMKiller = &disable + g.initConfigLinuxResourcesMemory() + g.Config.Linux.Resources.Memory.DisableOOMKiller = &disable } -// SetLinuxResourcesNetworkClassID sets g.spec.Linux.Resources.Network.ClassID. +// SetLinuxResourcesNetworkClassID sets g.Config.Linux.Resources.Network.ClassID. func (g *Generator) SetLinuxResourcesNetworkClassID(classid uint32) { - g.initSpecLinuxResourcesNetwork() - g.spec.Linux.Resources.Network.ClassID = &classid + g.initConfigLinuxResourcesNetwork() + g.Config.Linux.Resources.Network.ClassID = &classid } -// AddLinuxResourcesNetworkPriorities adds or sets g.spec.Linux.Resources.Network.Priorities. +// AddLinuxResourcesNetworkPriorities adds or sets g.Config.Linux.Resources.Network.Priorities. func (g *Generator) AddLinuxResourcesNetworkPriorities(name string, prio uint32) { - g.initSpecLinuxResourcesNetwork() - for i, netPriority := range g.spec.Linux.Resources.Network.Priorities { + g.initConfigLinuxResourcesNetwork() + for i, netPriority := range g.Config.Linux.Resources.Network.Priorities { if netPriority.Name == name { - g.spec.Linux.Resources.Network.Priorities[i].Priority = prio + g.Config.Linux.Resources.Network.Priorities[i].Priority = prio return } } interfacePrio := new(rspec.LinuxInterfacePriority) interfacePrio.Name = name interfacePrio.Priority = prio - g.spec.Linux.Resources.Network.Priorities = append(g.spec.Linux.Resources.Network.Priorities, *interfacePrio) + g.Config.Linux.Resources.Network.Priorities = append(g.Config.Linux.Resources.Network.Priorities, *interfacePrio) } -// DropLinuxResourcesNetworkPriorities drops one item from g.spec.Linux.Resources.Network.Priorities. +// DropLinuxResourcesNetworkPriorities drops one item from g.Config.Linux.Resources.Network.Priorities. func (g *Generator) DropLinuxResourcesNetworkPriorities(name string) { - if g.spec == nil || g.spec.Linux == nil || g.spec.Linux.Resources == nil || g.spec.Linux.Resources.Network == nil { + if g.Config == nil || g.Config.Linux == nil || g.Config.Linux.Resources == nil || g.Config.Linux.Resources.Network == nil { return } - for i, netPriority := range g.spec.Linux.Resources.Network.Priorities { + for i, netPriority := range g.Config.Linux.Resources.Network.Priorities { if netPriority.Name == name { - g.spec.Linux.Resources.Network.Priorities = append(g.spec.Linux.Resources.Network.Priorities[:i], g.spec.Linux.Resources.Network.Priorities[i+1:]...) + g.Config.Linux.Resources.Network.Priorities = append(g.Config.Linux.Resources.Network.Priorities[:i], g.Config.Linux.Resources.Network.Priorities[i+1:]...) return } } } -// SetLinuxResourcesPidsLimit sets g.spec.Linux.Resources.Pids.Limit. +// SetLinuxResourcesPidsLimit sets g.Config.Linux.Resources.Pids.Limit. func (g *Generator) SetLinuxResourcesPidsLimit(limit int64) { - g.initSpecLinuxResourcesPids() - g.spec.Linux.Resources.Pids.Limit = limit + g.initConfigLinuxResourcesPids() + g.Config.Linux.Resources.Pids.Limit = limit } -// ClearLinuxSysctl clears g.spec.Linux.Sysctl. +// ClearLinuxSysctl clears g.Config.Linux.Sysctl. func (g *Generator) ClearLinuxSysctl() { - if g.spec == nil || g.spec.Linux == nil { + if g.Config == nil || g.Config.Linux == nil { return } - g.spec.Linux.Sysctl = make(map[string]string) + g.Config.Linux.Sysctl = make(map[string]string) } -// AddLinuxSysctl adds a new sysctl config into g.spec.Linux.Sysctl. +// AddLinuxSysctl adds a new sysctl config into g.Config.Linux.Sysctl. func (g *Generator) AddLinuxSysctl(key, value string) { - g.initSpecLinuxSysctl() - g.spec.Linux.Sysctl[key] = value + g.initConfigLinuxSysctl() + g.Config.Linux.Sysctl[key] = value } -// RemoveLinuxSysctl removes a sysctl config from g.spec.Linux.Sysctl. +// RemoveLinuxSysctl removes a sysctl config from g.Config.Linux.Sysctl. func (g *Generator) RemoveLinuxSysctl(key string) { - if g.spec == nil || g.spec.Linux == nil || g.spec.Linux.Sysctl == nil { + if g.Config == nil || g.Config.Linux == nil || g.Config.Linux.Sysctl == nil { return } - delete(g.spec.Linux.Sysctl, key) + delete(g.Config.Linux.Sysctl, key) } -// ClearLinuxUIDMappings clear g.spec.Linux.UIDMappings. +// ClearLinuxUIDMappings clear g.Config.Linux.UIDMappings. func (g *Generator) ClearLinuxUIDMappings() { - if g.spec == nil || g.spec.Linux == nil { + if g.Config == nil || g.Config.Linux == nil { return } - g.spec.Linux.UIDMappings = []rspec.LinuxIDMapping{} + g.Config.Linux.UIDMappings = []rspec.LinuxIDMapping{} } -// AddLinuxUIDMapping adds uidMap into g.spec.Linux.UIDMappings. +// AddLinuxUIDMapping adds uidMap into g.Config.Linux.UIDMappings. func (g *Generator) AddLinuxUIDMapping(hid, cid, size uint32) { idMapping := rspec.LinuxIDMapping{ HostID: hid, @@ -859,19 +895,19 @@ func (g *Generator) AddLinuxUIDMapping(hid, cid, size uint32) { Size: size, } - g.initSpecLinux() - g.spec.Linux.UIDMappings = append(g.spec.Linux.UIDMappings, idMapping) + g.initConfigLinux() + g.Config.Linux.UIDMappings = append(g.Config.Linux.UIDMappings, idMapping) } -// ClearLinuxGIDMappings clear g.spec.Linux.GIDMappings. +// ClearLinuxGIDMappings clear g.Config.Linux.GIDMappings. func (g *Generator) ClearLinuxGIDMappings() { - if g.spec == nil || g.spec.Linux == nil { + if g.Config == nil || g.Config.Linux == nil { return } - g.spec.Linux.GIDMappings = []rspec.LinuxIDMapping{} + g.Config.Linux.GIDMappings = []rspec.LinuxIDMapping{} } -// AddLinuxGIDMapping adds gidMap into g.spec.Linux.GIDMappings. +// AddLinuxGIDMapping adds gidMap into g.Config.Linux.GIDMappings. func (g *Generator) AddLinuxGIDMapping(hid, cid, size uint32) { idMapping := rspec.LinuxIDMapping{ HostID: hid, @@ -879,11 +915,11 @@ func (g *Generator) AddLinuxGIDMapping(hid, cid, size uint32) { Size: size, } - g.initSpecLinux() - g.spec.Linux.GIDMappings = append(g.spec.Linux.GIDMappings, idMapping) + g.initConfigLinux() + g.Config.Linux.GIDMappings = append(g.Config.Linux.GIDMappings, idMapping) } -// SetLinuxRootPropagation sets g.spec.Linux.RootfsPropagation. +// SetLinuxRootPropagation sets g.Config.Linux.RootfsPropagation. func (g *Generator) SetLinuxRootPropagation(rp string) error { switch rp { case "": @@ -898,88 +934,70 @@ func (g *Generator) SetLinuxRootPropagation(rp string) error { default: return fmt.Errorf("rootfs-propagation %q must be empty or one of (r)private|(r)slave|(r)shared|(r)unbindable", rp) } - g.initSpecLinux() - g.spec.Linux.RootfsPropagation = rp + g.initConfigLinux() + g.Config.Linux.RootfsPropagation = rp return nil } -// ClearPreStartHooks clear g.spec.Hooks.Prestart. +// ClearPreStartHooks clear g.Config.Hooks.Prestart. func (g *Generator) ClearPreStartHooks() { - if g.spec == nil || g.spec.Hooks == nil { + if g.Config == nil || g.Config.Hooks == nil { return } - g.spec.Hooks.Prestart = []rspec.Hook{} + g.Config.Hooks.Prestart = []rspec.Hook{} } -// AddPreStartHook add a prestart hook into g.spec.Hooks.Prestart. +// AddPreStartHook add a prestart hook into g.Config.Hooks.Prestart. func (g *Generator) AddPreStartHook(preStartHook rspec.Hook) error { - g.initSpecHooks() - for i, hook := range g.spec.Hooks.Prestart { - if hook.Path == preStartHook.Path { - g.spec.Hooks.Prestart[i] = preStartHook - return nil - } - } - g.spec.Hooks.Prestart = append(g.spec.Hooks.Prestart, preStartHook) + g.initConfigHooks() + g.Config.Hooks.Prestart = append(g.Config.Hooks.Prestart, preStartHook) return nil } -// ClearPostStopHooks clear g.spec.Hooks.Poststop. +// ClearPostStopHooks clear g.Config.Hooks.Poststop. func (g *Generator) ClearPostStopHooks() { - if g.spec == nil || g.spec.Hooks == nil { + if g.Config == nil || g.Config.Hooks == nil { return } - g.spec.Hooks.Poststop = []rspec.Hook{} + g.Config.Hooks.Poststop = []rspec.Hook{} } -// AddPostStopHook adds a poststop hook into g.spec.Hooks.Poststop. +// AddPostStopHook adds a poststop hook into g.Config.Hooks.Poststop. func (g *Generator) AddPostStopHook(postStopHook rspec.Hook) error { - g.initSpecHooks() - for i, hook := range g.spec.Hooks.Poststop { - if hook.Path == postStopHook.Path { - g.spec.Hooks.Poststop[i] = postStopHook - return nil - } - } - g.spec.Hooks.Poststop = append(g.spec.Hooks.Poststop, postStopHook) + g.initConfigHooks() + g.Config.Hooks.Poststop = append(g.Config.Hooks.Poststop, postStopHook) return nil } -// ClearPostStartHooks clear g.spec.Hooks.Poststart. +// ClearPostStartHooks clear g.Config.Hooks.Poststart. func (g *Generator) ClearPostStartHooks() { - if g.spec == nil || g.spec.Hooks == nil { + if g.Config == nil || g.Config.Hooks == nil { return } - g.spec.Hooks.Poststart = []rspec.Hook{} + g.Config.Hooks.Poststart = []rspec.Hook{} } -// AddPostStartHook adds a poststart hook into g.spec.Hooks.Poststart. +// AddPostStartHook adds a poststart hook into g.Config.Hooks.Poststart. func (g *Generator) AddPostStartHook(postStartHook rspec.Hook) error { - g.initSpecHooks() - for i, hook := range g.spec.Hooks.Poststart { - if hook.Path == postStartHook.Path { - g.spec.Hooks.Poststart[i] = postStartHook - return nil - } - } - g.spec.Hooks.Poststart = append(g.spec.Hooks.Poststart, postStartHook) + g.initConfigHooks() + g.Config.Hooks.Poststart = append(g.Config.Hooks.Poststart, postStartHook) return nil } -// AddMount adds a mount into g.spec.Mounts. +// AddMount adds a mount into g.Config.Mounts. func (g *Generator) AddMount(mnt rspec.Mount) { - g.initSpec() + g.initConfig() - g.spec.Mounts = append(g.spec.Mounts, mnt) + g.Config.Mounts = append(g.Config.Mounts, mnt) } // RemoveMount removes a mount point on the dest directory func (g *Generator) RemoveMount(dest string) { - g.initSpec() + g.initConfig() - for index, mount := range g.spec.Mounts { + for index, mount := range g.Config.Mounts { if mount.Destination == dest { - g.spec.Mounts = append(g.spec.Mounts[:index], g.spec.Mounts[index+1:]...) + g.Config.Mounts = append(g.Config.Mounts[:index], g.Config.Mounts[index+1:]...) return } } @@ -987,20 +1005,20 @@ func (g *Generator) RemoveMount(dest string) { // Mounts returns the list of mounts func (g *Generator) Mounts() []rspec.Mount { - g.initSpec() + g.initConfig() - return g.spec.Mounts + return g.Config.Mounts } -// ClearMounts clear g.spec.Mounts +// ClearMounts clear g.Config.Mounts func (g *Generator) ClearMounts() { - if g.spec == nil { + if g.Config == nil { return } - g.spec.Mounts = []rspec.Mount{} + g.Config.Mounts = []rspec.Mount{} } -// SetupPrivileged sets up the privilege-related fields inside g.spec. +// SetupPrivileged sets up the privilege-related fields inside g.Config. func (g *Generator) SetupPrivileged(privileged bool) { if privileged { // Add all capabilities in privileged mode. var finalCapList []string @@ -1010,43 +1028,43 @@ func (g *Generator) SetupPrivileged(privileged bool) { } finalCapList = append(finalCapList, fmt.Sprintf("CAP_%s", strings.ToUpper(cap.String()))) } - g.initSpecLinux() - g.initSpecProcessCapabilities() + g.initConfigLinux() + g.initConfigProcessCapabilities() g.ClearProcessCapabilities() - g.spec.Process.Capabilities.Bounding = append(g.spec.Process.Capabilities.Bounding, finalCapList...) - g.spec.Process.Capabilities.Effective = append(g.spec.Process.Capabilities.Effective, finalCapList...) - g.spec.Process.Capabilities.Inheritable = append(g.spec.Process.Capabilities.Inheritable, finalCapList...) - g.spec.Process.Capabilities.Permitted = append(g.spec.Process.Capabilities.Permitted, finalCapList...) - g.spec.Process.Capabilities.Ambient = append(g.spec.Process.Capabilities.Ambient, finalCapList...) - g.spec.Process.SelinuxLabel = "" - g.spec.Process.ApparmorProfile = "" - g.spec.Linux.Seccomp = nil + g.Config.Process.Capabilities.Bounding = append(g.Config.Process.Capabilities.Bounding, finalCapList...) + g.Config.Process.Capabilities.Effective = append(g.Config.Process.Capabilities.Effective, finalCapList...) + g.Config.Process.Capabilities.Inheritable = append(g.Config.Process.Capabilities.Inheritable, finalCapList...) + g.Config.Process.Capabilities.Permitted = append(g.Config.Process.Capabilities.Permitted, finalCapList...) + g.Config.Process.Capabilities.Ambient = append(g.Config.Process.Capabilities.Ambient, finalCapList...) + g.Config.Process.SelinuxLabel = "" + g.Config.Process.ApparmorProfile = "" + g.Config.Linux.Seccomp = nil } } -// ClearProcessCapabilities clear g.spec.Process.Capabilities. +// ClearProcessCapabilities clear g.Config.Process.Capabilities. func (g *Generator) ClearProcessCapabilities() { - if g.spec == nil || g.spec.Process == nil || g.spec.Process.Capabilities == nil { + if g.Config == nil || g.Config.Process == nil || g.Config.Process.Capabilities == nil { return } - g.spec.Process.Capabilities.Bounding = []string{} - g.spec.Process.Capabilities.Effective = []string{} - g.spec.Process.Capabilities.Inheritable = []string{} - g.spec.Process.Capabilities.Permitted = []string{} - g.spec.Process.Capabilities.Ambient = []string{} + g.Config.Process.Capabilities.Bounding = []string{} + g.Config.Process.Capabilities.Effective = []string{} + g.Config.Process.Capabilities.Inheritable = []string{} + g.Config.Process.Capabilities.Permitted = []string{} + g.Config.Process.Capabilities.Ambient = []string{} } -// AddProcessCapabilityAmbient adds a process capability into g.spec.Process.Capabilities.Ambient. +// AddProcessCapabilityAmbient adds a process capability into g.Config.Process.Capabilities.Ambient. func (g *Generator) AddProcessCapabilityAmbient(c string) error { cp := strings.ToUpper(c) if err := validate.CapValid(cp, g.HostSpecific); err != nil { return err } - g.initSpecProcessCapabilities() + g.initConfigProcessCapabilities() var foundAmbient bool - for _, cap := range g.spec.Process.Capabilities.Ambient { + for _, cap := range g.Config.Process.Capabilities.Ambient { if strings.ToUpper(cap) == cp { foundAmbient = true break @@ -1054,178 +1072,178 @@ func (g *Generator) AddProcessCapabilityAmbient(c string) error { } if !foundAmbient { - g.spec.Process.Capabilities.Ambient = append(g.spec.Process.Capabilities.Ambient, cp) + g.Config.Process.Capabilities.Ambient = append(g.Config.Process.Capabilities.Ambient, cp) } return nil } -// AddProcessCapabilityBounding adds a process capability into g.spec.Process.Capabilities.Bounding. +// AddProcessCapabilityBounding adds a process capability into g.Config.Process.Capabilities.Bounding. func (g *Generator) AddProcessCapabilityBounding(c string) error { cp := strings.ToUpper(c) if err := validate.CapValid(cp, g.HostSpecific); err != nil { return err } - g.initSpecProcessCapabilities() + g.initConfigProcessCapabilities() var foundBounding bool - for _, cap := range g.spec.Process.Capabilities.Bounding { + for _, cap := range g.Config.Process.Capabilities.Bounding { if strings.ToUpper(cap) == cp { foundBounding = true break } } if !foundBounding { - g.spec.Process.Capabilities.Bounding = append(g.spec.Process.Capabilities.Bounding, cp) + g.Config.Process.Capabilities.Bounding = append(g.Config.Process.Capabilities.Bounding, cp) } return nil } -// AddProcessCapabilityEffective adds a process capability into g.spec.Process.Capabilities.Effective. +// AddProcessCapabilityEffective adds a process capability into g.Config.Process.Capabilities.Effective. func (g *Generator) AddProcessCapabilityEffective(c string) error { cp := strings.ToUpper(c) if err := validate.CapValid(cp, g.HostSpecific); err != nil { return err } - g.initSpecProcessCapabilities() + g.initConfigProcessCapabilities() var foundEffective bool - for _, cap := range g.spec.Process.Capabilities.Effective { + for _, cap := range g.Config.Process.Capabilities.Effective { if strings.ToUpper(cap) == cp { foundEffective = true break } } if !foundEffective { - g.spec.Process.Capabilities.Effective = append(g.spec.Process.Capabilities.Effective, cp) + g.Config.Process.Capabilities.Effective = append(g.Config.Process.Capabilities.Effective, cp) } return nil } -// AddProcessCapabilityInheritable adds a process capability into g.spec.Process.Capabilities.Inheritable. +// AddProcessCapabilityInheritable adds a process capability into g.Config.Process.Capabilities.Inheritable. func (g *Generator) AddProcessCapabilityInheritable(c string) error { cp := strings.ToUpper(c) if err := validate.CapValid(cp, g.HostSpecific); err != nil { return err } - g.initSpecProcessCapabilities() + g.initConfigProcessCapabilities() var foundInheritable bool - for _, cap := range g.spec.Process.Capabilities.Inheritable { + for _, cap := range g.Config.Process.Capabilities.Inheritable { if strings.ToUpper(cap) == cp { foundInheritable = true break } } if !foundInheritable { - g.spec.Process.Capabilities.Inheritable = append(g.spec.Process.Capabilities.Inheritable, cp) + g.Config.Process.Capabilities.Inheritable = append(g.Config.Process.Capabilities.Inheritable, cp) } return nil } -// AddProcessCapabilityPermitted adds a process capability into g.spec.Process.Capabilities.Permitted. +// AddProcessCapabilityPermitted adds a process capability into g.Config.Process.Capabilities.Permitted. func (g *Generator) AddProcessCapabilityPermitted(c string) error { cp := strings.ToUpper(c) if err := validate.CapValid(cp, g.HostSpecific); err != nil { return err } - g.initSpecProcessCapabilities() + g.initConfigProcessCapabilities() var foundPermitted bool - for _, cap := range g.spec.Process.Capabilities.Permitted { + for _, cap := range g.Config.Process.Capabilities.Permitted { if strings.ToUpper(cap) == cp { foundPermitted = true break } } if !foundPermitted { - g.spec.Process.Capabilities.Permitted = append(g.spec.Process.Capabilities.Permitted, cp) + g.Config.Process.Capabilities.Permitted = append(g.Config.Process.Capabilities.Permitted, cp) } return nil } -// DropProcessCapabilityAmbient drops a process capability from g.spec.Process.Capabilities.Ambient. +// DropProcessCapabilityAmbient drops a process capability from g.Config.Process.Capabilities.Ambient. func (g *Generator) DropProcessCapabilityAmbient(c string) error { - if g.spec == nil || g.spec.Process == nil || g.spec.Process.Capabilities == nil { + if g.Config == nil || g.Config.Process == nil || g.Config.Process.Capabilities == nil { return nil } cp := strings.ToUpper(c) - for i, cap := range g.spec.Process.Capabilities.Ambient { + for i, cap := range g.Config.Process.Capabilities.Ambient { if strings.ToUpper(cap) == cp { - g.spec.Process.Capabilities.Ambient = removeFunc(g.spec.Process.Capabilities.Ambient, i) + g.Config.Process.Capabilities.Ambient = removeFunc(g.Config.Process.Capabilities.Ambient, i) } } return validate.CapValid(cp, false) } -// DropProcessCapabilityBounding drops a process capability from g.spec.Process.Capabilities.Bounding. +// DropProcessCapabilityBounding drops a process capability from g.Config.Process.Capabilities.Bounding. func (g *Generator) DropProcessCapabilityBounding(c string) error { - if g.spec == nil || g.spec.Process == nil || g.spec.Process.Capabilities == nil { + if g.Config == nil || g.Config.Process == nil || g.Config.Process.Capabilities == nil { return nil } cp := strings.ToUpper(c) - for i, cap := range g.spec.Process.Capabilities.Bounding { + for i, cap := range g.Config.Process.Capabilities.Bounding { if strings.ToUpper(cap) == cp { - g.spec.Process.Capabilities.Bounding = removeFunc(g.spec.Process.Capabilities.Bounding, i) + g.Config.Process.Capabilities.Bounding = removeFunc(g.Config.Process.Capabilities.Bounding, i) } } return validate.CapValid(cp, false) } -// DropProcessCapabilityEffective drops a process capability from g.spec.Process.Capabilities.Effective. +// DropProcessCapabilityEffective drops a process capability from g.Config.Process.Capabilities.Effective. func (g *Generator) DropProcessCapabilityEffective(c string) error { - if g.spec == nil || g.spec.Process == nil || g.spec.Process.Capabilities == nil { + if g.Config == nil || g.Config.Process == nil || g.Config.Process.Capabilities == nil { return nil } cp := strings.ToUpper(c) - for i, cap := range g.spec.Process.Capabilities.Effective { + for i, cap := range g.Config.Process.Capabilities.Effective { if strings.ToUpper(cap) == cp { - g.spec.Process.Capabilities.Effective = removeFunc(g.spec.Process.Capabilities.Effective, i) + g.Config.Process.Capabilities.Effective = removeFunc(g.Config.Process.Capabilities.Effective, i) } } return validate.CapValid(cp, false) } -// DropProcessCapabilityInheritable drops a process capability from g.spec.Process.Capabilities.Inheritable. +// DropProcessCapabilityInheritable drops a process capability from g.Config.Process.Capabilities.Inheritable. func (g *Generator) DropProcessCapabilityInheritable(c string) error { - if g.spec == nil || g.spec.Process == nil || g.spec.Process.Capabilities == nil { + if g.Config == nil || g.Config.Process == nil || g.Config.Process.Capabilities == nil { return nil } cp := strings.ToUpper(c) - for i, cap := range g.spec.Process.Capabilities.Inheritable { + for i, cap := range g.Config.Process.Capabilities.Inheritable { if strings.ToUpper(cap) == cp { - g.spec.Process.Capabilities.Inheritable = removeFunc(g.spec.Process.Capabilities.Inheritable, i) + g.Config.Process.Capabilities.Inheritable = removeFunc(g.Config.Process.Capabilities.Inheritable, i) } } return validate.CapValid(cp, false) } -// DropProcessCapabilityPermitted drops a process capability from g.spec.Process.Capabilities.Permitted. +// DropProcessCapabilityPermitted drops a process capability from g.Config.Process.Capabilities.Permitted. func (g *Generator) DropProcessCapabilityPermitted(c string) error { - if g.spec == nil || g.spec.Process == nil || g.spec.Process.Capabilities == nil { + if g.Config == nil || g.Config.Process == nil || g.Config.Process.Capabilities == nil { return nil } cp := strings.ToUpper(c) - for i, cap := range g.spec.Process.Capabilities.Permitted { + for i, cap := range g.Config.Process.Capabilities.Permitted { if strings.ToUpper(cap) == cp { - g.spec.Process.Capabilities.Ambient = removeFunc(g.spec.Process.Capabilities.Ambient, i) + g.Config.Process.Capabilities.Permitted = removeFunc(g.Config.Process.Capabilities.Permitted, i) } } @@ -1253,59 +1271,59 @@ func mapStrToNamespace(ns string, path string) (rspec.LinuxNamespace, error) { } } -// ClearLinuxNamespaces clear g.spec.Linux.Namespaces. +// ClearLinuxNamespaces clear g.Config.Linux.Namespaces. func (g *Generator) ClearLinuxNamespaces() { - if g.spec == nil || g.spec.Linux == nil { + if g.Config == nil || g.Config.Linux == nil { return } - g.spec.Linux.Namespaces = []rspec.LinuxNamespace{} + g.Config.Linux.Namespaces = []rspec.LinuxNamespace{} } // AddOrReplaceLinuxNamespace adds or replaces a namespace inside -// g.spec.Linux.Namespaces. +// g.Config.Linux.Namespaces. func (g *Generator) AddOrReplaceLinuxNamespace(ns string, path string) error { namespace, err := mapStrToNamespace(ns, path) if err != nil { return err } - g.initSpecLinux() - for i, ns := range g.spec.Linux.Namespaces { + g.initConfigLinux() + for i, ns := range g.Config.Linux.Namespaces { if ns.Type == namespace.Type { - g.spec.Linux.Namespaces[i] = namespace + g.Config.Linux.Namespaces[i] = namespace return nil } } - g.spec.Linux.Namespaces = append(g.spec.Linux.Namespaces, namespace) + g.Config.Linux.Namespaces = append(g.Config.Linux.Namespaces, namespace) return nil } -// RemoveLinuxNamespace removes a namespace from g.spec.Linux.Namespaces. +// RemoveLinuxNamespace removes a namespace from g.Config.Linux.Namespaces. func (g *Generator) RemoveLinuxNamespace(ns string) error { namespace, err := mapStrToNamespace(ns, "") if err != nil { return err } - if g.spec == nil || g.spec.Linux == nil { + if g.Config == nil || g.Config.Linux == nil { return nil } - for i, ns := range g.spec.Linux.Namespaces { + for i, ns := range g.Config.Linux.Namespaces { if ns.Type == namespace.Type { - g.spec.Linux.Namespaces = append(g.spec.Linux.Namespaces[:i], g.spec.Linux.Namespaces[i+1:]...) + g.Config.Linux.Namespaces = append(g.Config.Linux.Namespaces[:i], g.Config.Linux.Namespaces[i+1:]...) return nil } } return nil } -// AddDevice - add a device into g.spec.Linux.Devices +// AddDevice - add a device into g.Config.Linux.Devices func (g *Generator) AddDevice(device rspec.LinuxDevice) { - g.initSpecLinux() + g.initConfigLinux() - for i, dev := range g.spec.Linux.Devices { + for i, dev := range g.Config.Linux.Devices { if dev.Path == device.Path { - g.spec.Linux.Devices[i] = device + g.Config.Linux.Devices[i] = device return } if dev.Type == device.Type && dev.Major == device.Major && dev.Minor == device.Minor { @@ -1313,35 +1331,35 @@ func (g *Generator) AddDevice(device rspec.LinuxDevice) { } } - g.spec.Linux.Devices = append(g.spec.Linux.Devices, device) + g.Config.Linux.Devices = append(g.Config.Linux.Devices, device) } -// RemoveDevice remove a device from g.spec.Linux.Devices +// RemoveDevice remove a device from g.Config.Linux.Devices func (g *Generator) RemoveDevice(path string) { - if g.spec == nil || g.spec.Linux == nil || g.spec.Linux.Devices == nil { + if g.Config == nil || g.Config.Linux == nil || g.Config.Linux.Devices == nil { return } - for i, device := range g.spec.Linux.Devices { + for i, device := range g.Config.Linux.Devices { if device.Path == path { - g.spec.Linux.Devices = append(g.spec.Linux.Devices[:i], g.spec.Linux.Devices[i+1:]...) + g.Config.Linux.Devices = append(g.Config.Linux.Devices[:i], g.Config.Linux.Devices[i+1:]...) return } } } -// ClearLinuxDevices clears g.spec.Linux.Devices +// ClearLinuxDevices clears g.Config.Linux.Devices func (g *Generator) ClearLinuxDevices() { - if g.spec == nil || g.spec.Linux == nil || g.spec.Linux.Devices == nil { + if g.Config == nil || g.Config.Linux == nil || g.Config.Linux.Devices == nil { return } - g.spec.Linux.Devices = []rspec.LinuxDevice{} + g.Config.Linux.Devices = []rspec.LinuxDevice{} } -// AddLinuxResourcesDevice - add a device into g.spec.Linux.Resources.Devices +// AddLinuxResourcesDevice - add a device into g.Config.Linux.Resources.Devices func (g *Generator) AddLinuxResourcesDevice(allow bool, devType string, major, minor *int64, access string) { - g.initSpecLinuxResources() + g.initConfigLinuxResources() device := rspec.LinuxDeviceCgroup{ Allow: allow, @@ -1350,22 +1368,22 @@ func (g *Generator) AddLinuxResourcesDevice(allow bool, devType string, major, m Major: major, Minor: minor, } - g.spec.Linux.Resources.Devices = append(g.spec.Linux.Resources.Devices, device) + g.Config.Linux.Resources.Devices = append(g.Config.Linux.Resources.Devices, device) } -// RemoveLinuxResourcesDevice - remove a device from g.spec.Linux.Resources.Devices +// RemoveLinuxResourcesDevice - remove a device from g.Config.Linux.Resources.Devices func (g *Generator) RemoveLinuxResourcesDevice(allow bool, devType string, major, minor *int64, access string) { - if g.spec == nil || g.spec.Linux == nil || g.spec.Linux.Resources == nil { + if g.Config == nil || g.Config.Linux == nil || g.Config.Linux.Resources == nil { return } - for i, device := range g.spec.Linux.Resources.Devices { + for i, device := range g.Config.Linux.Resources.Devices { if device.Allow == allow && (devType == device.Type || (devType != "" && device.Type != "" && devType == device.Type)) && (access == device.Access || (access != "" && device.Access != "" && access == device.Access)) && (major == device.Major || (major != nil && device.Major != nil && *major == *device.Major)) && (minor == device.Minor || (minor != nil && device.Minor != nil && *minor == *device.Minor)) { - g.spec.Linux.Resources.Devices = append(g.spec.Linux.Resources.Devices[:i], g.spec.Linux.Resources.Devices[i+1:]...) + g.Config.Linux.Resources.Devices = append(g.Config.Linux.Resources.Devices[:i], g.Config.Linux.Resources.Devices[i+1:]...) return } } @@ -1377,51 +1395,51 @@ func strPtr(s string) *string { return &s } // SetSyscallAction adds rules for syscalls with the specified action func (g *Generator) SetSyscallAction(arguments seccomp.SyscallOpts) error { - g.initSpecLinuxSeccomp() - return seccomp.ParseSyscallFlag(arguments, g.spec.Linux.Seccomp) + g.initConfigLinuxSeccomp() + return seccomp.ParseSyscallFlag(arguments, g.Config.Linux.Seccomp) } // SetDefaultSeccompAction sets the default action for all syscalls not defined // and then removes any syscall rules with this action already specified. func (g *Generator) SetDefaultSeccompAction(action string) error { - g.initSpecLinuxSeccomp() - return seccomp.ParseDefaultAction(action, g.spec.Linux.Seccomp) + g.initConfigLinuxSeccomp() + return seccomp.ParseDefaultAction(action, g.Config.Linux.Seccomp) } // SetDefaultSeccompActionForce only sets the default action for all syscalls not defined func (g *Generator) SetDefaultSeccompActionForce(action string) error { - g.initSpecLinuxSeccomp() - return seccomp.ParseDefaultActionForce(action, g.spec.Linux.Seccomp) + g.initConfigLinuxSeccomp() + return seccomp.ParseDefaultActionForce(action, g.Config.Linux.Seccomp) } // SetSeccompArchitecture sets the supported seccomp architectures func (g *Generator) SetSeccompArchitecture(architecture string) error { - g.initSpecLinuxSeccomp() - return seccomp.ParseArchitectureFlag(architecture, g.spec.Linux.Seccomp) + g.initConfigLinuxSeccomp() + return seccomp.ParseArchitectureFlag(architecture, g.Config.Linux.Seccomp) } // RemoveSeccompRule removes rules for any specified syscalls func (g *Generator) RemoveSeccompRule(arguments string) error { - g.initSpecLinuxSeccomp() - return seccomp.RemoveAction(arguments, g.spec.Linux.Seccomp) + g.initConfigLinuxSeccomp() + return seccomp.RemoveAction(arguments, g.Config.Linux.Seccomp) } // RemoveAllSeccompRules removes all syscall rules func (g *Generator) RemoveAllSeccompRules() error { - g.initSpecLinuxSeccomp() - return seccomp.RemoveAllSeccompRules(g.spec.Linux.Seccomp) + g.initConfigLinuxSeccomp() + return seccomp.RemoveAllSeccompRules(g.Config.Linux.Seccomp) } -// AddLinuxMaskedPaths adds masked paths into g.spec.Linux.MaskedPaths. +// AddLinuxMaskedPaths adds masked paths into g.Config.Linux.MaskedPaths. func (g *Generator) AddLinuxMaskedPaths(path string) { - g.initSpecLinux() - g.spec.Linux.MaskedPaths = append(g.spec.Linux.MaskedPaths, path) + g.initConfigLinux() + g.Config.Linux.MaskedPaths = append(g.Config.Linux.MaskedPaths, path) } -// AddLinuxReadonlyPaths adds readonly paths into g.spec.Linux.MaskedPaths. +// AddLinuxReadonlyPaths adds readonly paths into g.Config.Linux.MaskedPaths. func (g *Generator) AddLinuxReadonlyPaths(path string) { - g.initSpecLinux() - g.spec.Linux.ReadonlyPaths = append(g.spec.Linux.ReadonlyPaths, path) + g.initConfigLinux() + g.Config.Linux.ReadonlyPaths = append(g.Config.Linux.ReadonlyPaths, path) } func addOrReplaceBlockIOThrottleDevice(tmpList []rspec.LinuxThrottleDevice, major int64, minor int64, rate uint64) []rspec.LinuxThrottleDevice { @@ -1453,92 +1471,92 @@ func dropBlockIOThrottleDevice(tmpList []rspec.LinuxThrottleDevice, major int64, return throttleDevices } -// AddSolarisAnet adds network into g.spec.Solaris.Anet +// AddSolarisAnet adds network into g.Config.Solaris.Anet func (g *Generator) AddSolarisAnet(anet rspec.SolarisAnet) { - g.initSpecSolaris() - g.spec.Solaris.Anet = append(g.spec.Solaris.Anet, anet) + g.initConfigSolaris() + g.Config.Solaris.Anet = append(g.Config.Solaris.Anet, anet) } -// SetSolarisCappedCPUNcpus sets g.spec.Solaris.CappedCPU.Ncpus +// SetSolarisCappedCPUNcpus sets g.Config.Solaris.CappedCPU.Ncpus func (g *Generator) SetSolarisCappedCPUNcpus(ncpus string) { - g.initSpecSolarisCappedCPU() - g.spec.Solaris.CappedCPU.Ncpus = ncpus + g.initConfigSolarisCappedCPU() + g.Config.Solaris.CappedCPU.Ncpus = ncpus } -// SetSolarisCappedMemoryPhysical sets g.spec.Solaris.CappedMemory.Physical +// SetSolarisCappedMemoryPhysical sets g.Config.Solaris.CappedMemory.Physical func (g *Generator) SetSolarisCappedMemoryPhysical(physical string) { - g.initSpecSolarisCappedMemory() - g.spec.Solaris.CappedMemory.Physical = physical + g.initConfigSolarisCappedMemory() + g.Config.Solaris.CappedMemory.Physical = physical } -// SetSolarisCappedMemorySwap sets g.spec.Solaris.CappedMemory.Swap +// SetSolarisCappedMemorySwap sets g.Config.Solaris.CappedMemory.Swap func (g *Generator) SetSolarisCappedMemorySwap(swap string) { - g.initSpecSolarisCappedMemory() - g.spec.Solaris.CappedMemory.Swap = swap + g.initConfigSolarisCappedMemory() + g.Config.Solaris.CappedMemory.Swap = swap } -// SetSolarisLimitPriv sets g.spec.Solaris.LimitPriv +// SetSolarisLimitPriv sets g.Config.Solaris.LimitPriv func (g *Generator) SetSolarisLimitPriv(limitPriv string) { - g.initSpecSolaris() - g.spec.Solaris.LimitPriv = limitPriv + g.initConfigSolaris() + g.Config.Solaris.LimitPriv = limitPriv } -// SetSolarisMaxShmMemory sets g.spec.Solaris.MaxShmMemory +// SetSolarisMaxShmMemory sets g.Config.Solaris.MaxShmMemory func (g *Generator) SetSolarisMaxShmMemory(memory string) { - g.initSpecSolaris() - g.spec.Solaris.MaxShmMemory = memory + g.initConfigSolaris() + g.Config.Solaris.MaxShmMemory = memory } -// SetSolarisMilestone sets g.spec.Solaris.Milestone +// SetSolarisMilestone sets g.Config.Solaris.Milestone func (g *Generator) SetSolarisMilestone(milestone string) { - g.initSpecSolaris() - g.spec.Solaris.Milestone = milestone + g.initConfigSolaris() + g.Config.Solaris.Milestone = milestone } -// SetWindowsHypervUntilityVMPath sets g.spec.Windows.HyperV.UtilityVMPath. +// SetWindowsHypervUntilityVMPath sets g.Config.Windows.HyperV.UtilityVMPath. func (g *Generator) SetWindowsHypervUntilityVMPath(path string) { - g.initSpecWindowsHyperV() - g.spec.Windows.HyperV.UtilityVMPath = path + g.initConfigWindowsHyperV() + g.Config.Windows.HyperV.UtilityVMPath = path } -// SetWinodwsIgnoreFlushesDuringBoot sets g.spec.Winodws.IgnoreFlushesDuringBoot. +// SetWinodwsIgnoreFlushesDuringBoot sets g.Config.Winodws.IgnoreFlushesDuringBoot. func (g *Generator) SetWinodwsIgnoreFlushesDuringBoot(ignore bool) { - g.initSpecWindows() - g.spec.Windows.IgnoreFlushesDuringBoot = ignore + g.initConfigWindows() + g.Config.Windows.IgnoreFlushesDuringBoot = ignore } -// AddWindowsLayerFolders adds layer folders into g.spec.Windows.LayerFolders. +// AddWindowsLayerFolders adds layer folders into g.Config.Windows.LayerFolders. func (g *Generator) AddWindowsLayerFolders(folder string) { - g.initSpecWindows() - g.spec.Windows.LayerFolders = append(g.spec.Windows.LayerFolders, folder) + g.initConfigWindows() + g.Config.Windows.LayerFolders = append(g.Config.Windows.LayerFolders, folder) } -// SetWindowsNetwork sets g.spec.Windows.Network. +// SetWindowsNetwork sets g.Config.Windows.Network. func (g *Generator) SetWindowsNetwork(network rspec.WindowsNetwork) { - g.initSpecWindows() - g.spec.Windows.Network = &network + g.initConfigWindows() + g.Config.Windows.Network = &network } -// SetWindowsResourcesCPU sets g.spec.Windows.Resources.CPU. +// SetWindowsResourcesCPU sets g.Config.Windows.Resources.CPU. func (g *Generator) SetWindowsResourcesCPU(cpu rspec.WindowsCPUResources) { - g.initSpecWindowsResources() - g.spec.Windows.Resources.CPU = &cpu + g.initConfigWindowsResources() + g.Config.Windows.Resources.CPU = &cpu } -// SetWindowsResourcesMemoryLimit sets g.spec.Windows.Resources.Memory.Limit. +// SetWindowsResourcesMemoryLimit sets g.Config.Windows.Resources.Memory.Limit. func (g *Generator) SetWindowsResourcesMemoryLimit(limit uint64) { - g.initSpecWindowsResourcesMemory() - g.spec.Windows.Resources.Memory.Limit = &limit + g.initConfigWindowsResourcesMemory() + g.Config.Windows.Resources.Memory.Limit = &limit } -// SetWindowsResourcesStorage sets g.spec.Windows.Resources.Storage. +// SetWindowsResourcesStorage sets g.Config.Windows.Resources.Storage. func (g *Generator) SetWindowsResourcesStorage(storage rspec.WindowsStorageResources) { - g.initSpecWindowsResources() - g.spec.Windows.Resources.Storage = &storage + g.initConfigWindowsResources() + g.Config.Windows.Resources.Storage = &storage } -// SetWinodwsServicing sets g.spec.Winodws.Servicing. +// SetWinodwsServicing sets g.Config.Winodws.Servicing. func (g *Generator) SetWinodwsServicing(servicing bool) { - g.initSpecWindows() - g.spec.Windows.Servicing = servicing + g.initConfigWindows() + g.Config.Windows.Servicing = servicing } diff --git a/vendor/github.com/opencontainers/runtime-tools/generate/seccomp/seccomp_default.go b/vendor/github.com/opencontainers/runtime-tools/generate/seccomp/seccomp_default.go index 35b12cd65..5fee5a3b2 100644 --- a/vendor/github.com/opencontainers/runtime-tools/generate/seccomp/seccomp_default.go +++ b/vendor/github.com/opencontainers/runtime-tools/generate/seccomp/seccomp_default.go @@ -2,7 +2,6 @@ package seccomp import ( "runtime" - "syscall" "github.com/opencontainers/runtime-spec/specs-go" rspec "github.com/opencontainers/runtime-spec/specs-go" @@ -513,7 +512,7 @@ func DefaultProfile(rs *specs.Spec) *rspec.LinuxSeccomp { Args: []rspec.LinuxSeccompArg{ { Index: sysCloneFlagsIndex, - Value: syscall.CLONE_NEWNS | syscall.CLONE_NEWUTS | syscall.CLONE_NEWIPC | syscall.CLONE_NEWUSER | syscall.CLONE_NEWPID | syscall.CLONE_NEWNET, + Value: CloneNewNS | CloneNewUTS | CloneNewIPC | CloneNewUser | CloneNewPID | CloneNewNet, ValueTwo: 0, Op: rspec.OpMaskedEqual, }, diff --git a/vendor/github.com/opencontainers/runtime-tools/generate/seccomp/seccomp_default_linux.go b/vendor/github.com/opencontainers/runtime-tools/generate/seccomp/seccomp_default_linux.go new file mode 100644 index 000000000..311587437 --- /dev/null +++ b/vendor/github.com/opencontainers/runtime-tools/generate/seccomp/seccomp_default_linux.go @@ -0,0 +1,15 @@ +// +build linux + +package seccomp + +import "syscall" + +// System values passed through on linux +const ( + CloneNewIPC = syscall.CLONE_NEWIPC + CloneNewNet = syscall.CLONE_NEWNET + CloneNewNS = syscall.CLONE_NEWNS + CloneNewPID = syscall.CLONE_NEWPID + CloneNewUser = syscall.CLONE_NEWUSER + CloneNewUTS = syscall.CLONE_NEWUTS +) diff --git a/vendor/github.com/opencontainers/runtime-tools/generate/seccomp/seccomp_default_unsupported.go b/vendor/github.com/opencontainers/runtime-tools/generate/seccomp/seccomp_default_unsupported.go new file mode 100644 index 000000000..589b81c16 --- /dev/null +++ b/vendor/github.com/opencontainers/runtime-tools/generate/seccomp/seccomp_default_unsupported.go @@ -0,0 +1,15 @@ +// +build !linux + +package seccomp + +// These are copied from linux/amd64 syscall values, as a reference for other +// platforms to have access to +const ( + CloneNewIPC = 0x8000000 + CloneNewNet = 0x40000000 + CloneNewNS = 0x20000 + CloneNewPID = 0x20000000 + CloneNewUser = 0x10000000 + CloneNewUTS = 0x4000000 + CloneNewCgroup = 0x02000000 +) diff --git a/vendor/github.com/opencontainers/runtime-tools/generate/spec.go b/vendor/github.com/opencontainers/runtime-tools/generate/spec.go deleted file mode 100644 index d7a6da81d..000000000 --- a/vendor/github.com/opencontainers/runtime-tools/generate/spec.go +++ /dev/null @@ -1,172 +0,0 @@ -package generate - -import ( - rspec "github.com/opencontainers/runtime-spec/specs-go" -) - -func (g *Generator) initSpec() { - if g.spec == nil { - g.spec = &rspec.Spec{} - } -} - -func (g *Generator) initSpecProcess() { - g.initSpec() - if g.spec.Process == nil { - g.spec.Process = &rspec.Process{} - } -} - -func (g *Generator) initSpecProcessConsoleSize() { - g.initSpecProcess() - if g.spec.Process.ConsoleSize == nil { - g.spec.Process.ConsoleSize = &rspec.Box{} - } -} - -func (g *Generator) initSpecProcessCapabilities() { - g.initSpecProcess() - if g.spec.Process.Capabilities == nil { - g.spec.Process.Capabilities = &rspec.LinuxCapabilities{} - } -} - -func (g *Generator) initSpecRoot() { - g.initSpec() - if g.spec.Root == nil { - g.spec.Root = &rspec.Root{} - } -} - -func (g *Generator) initSpecAnnotations() { - g.initSpec() - if g.spec.Annotations == nil { - g.spec.Annotations = make(map[string]string) - } -} - -func (g *Generator) initSpecHooks() { - g.initSpec() - if g.spec.Hooks == nil { - g.spec.Hooks = &rspec.Hooks{} - } -} - -func (g *Generator) initSpecLinux() { - g.initSpec() - if g.spec.Linux == nil { - g.spec.Linux = &rspec.Linux{} - } -} - -func (g *Generator) initSpecLinuxIntelRdt() { - g.initSpecLinux() - if g.spec.Linux.IntelRdt == nil { - g.spec.Linux.IntelRdt = &rspec.LinuxIntelRdt{} - } -} - -func (g *Generator) initSpecLinuxSysctl() { - g.initSpecLinux() - if g.spec.Linux.Sysctl == nil { - g.spec.Linux.Sysctl = make(map[string]string) - } -} - -func (g *Generator) initSpecLinuxSeccomp() { - g.initSpecLinux() - if g.spec.Linux.Seccomp == nil { - g.spec.Linux.Seccomp = &rspec.LinuxSeccomp{} - } -} - -func (g *Generator) initSpecLinuxResources() { - g.initSpecLinux() - if g.spec.Linux.Resources == nil { - g.spec.Linux.Resources = &rspec.LinuxResources{} - } -} - -func (g *Generator) initSpecLinuxResourcesBlockIO() { - g.initSpecLinuxResources() - if g.spec.Linux.Resources.BlockIO == nil { - g.spec.Linux.Resources.BlockIO = &rspec.LinuxBlockIO{} - } -} - -func (g *Generator) initSpecLinuxResourcesCPU() { - g.initSpecLinuxResources() - if g.spec.Linux.Resources.CPU == nil { - g.spec.Linux.Resources.CPU = &rspec.LinuxCPU{} - } -} - -func (g *Generator) initSpecLinuxResourcesMemory() { - g.initSpecLinuxResources() - if g.spec.Linux.Resources.Memory == nil { - g.spec.Linux.Resources.Memory = &rspec.LinuxMemory{} - } -} - -func (g *Generator) initSpecLinuxResourcesNetwork() { - g.initSpecLinuxResources() - if g.spec.Linux.Resources.Network == nil { - g.spec.Linux.Resources.Network = &rspec.LinuxNetwork{} - } -} - -func (g *Generator) initSpecLinuxResourcesPids() { - g.initSpecLinuxResources() - if g.spec.Linux.Resources.Pids == nil { - g.spec.Linux.Resources.Pids = &rspec.LinuxPids{} - } -} - -func (g *Generator) initSpecSolaris() { - g.initSpec() - if g.spec.Solaris == nil { - g.spec.Solaris = &rspec.Solaris{} - } -} - -func (g *Generator) initSpecSolarisCappedCPU() { - g.initSpecSolaris() - if g.spec.Solaris.CappedCPU == nil { - g.spec.Solaris.CappedCPU = &rspec.SolarisCappedCPU{} - } -} - -func (g *Generator) initSpecSolarisCappedMemory() { - g.initSpecSolaris() - if g.spec.Solaris.CappedMemory == nil { - g.spec.Solaris.CappedMemory = &rspec.SolarisCappedMemory{} - } -} - -func (g *Generator) initSpecWindows() { - g.initSpec() - if g.spec.Windows == nil { - g.spec.Windows = &rspec.Windows{} - } -} - -func (g *Generator) initSpecWindowsHyperV() { - g.initSpecWindows() - if g.spec.Windows.HyperV == nil { - g.spec.Windows.HyperV = &rspec.WindowsHyperV{} - } -} - -func (g *Generator) initSpecWindowsResources() { - g.initSpecWindows() - if g.spec.Windows.Resources == nil { - g.spec.Windows.Resources = &rspec.WindowsResources{} - } -} - -func (g *Generator) initSpecWindowsResourcesMemory() { - g.initSpecWindowsResources() - if g.spec.Windows.Resources.Memory == nil { - g.spec.Windows.Resources.Memory = &rspec.WindowsMemoryResources{} - } -} diff --git a/vendor/github.com/opencontainers/runtime-tools/specerror/config.go b/vendor/github.com/opencontainers/runtime-tools/specerror/config.go index 8a73f47fc..5357ab59f 100644 --- a/vendor/github.com/opencontainers/runtime-tools/specerror/config.go +++ b/vendor/github.com/opencontainers/runtime-tools/specerror/config.go @@ -14,8 +14,8 @@ const ( RootOnWindowsRequired // RootOnHyperVNotSet represents "For Hyper-V Containers, this field MUST NOT be set." RootOnHyperVNotSet - // RootOnNonHyperVRequired represents "On all other platforms, this field is REQUIRED." - RootOnNonHyperVRequired + // RootOnNonWindowsRequired represents "On all other platforms, this field is REQUIRED." + RootOnNonWindowsRequired // RootPathOnWindowsGUID represents "On Windows, `path` MUST be a volume GUID path." RootPathOnWindowsGUID // RootPathOnPosixConvention represents "The value SHOULD be the conventional `rootfs`." @@ -145,7 +145,7 @@ func init() { register(SpecVersionInSemVer, rfc2119.Must, specificationVersionRef) register(RootOnWindowsRequired, rfc2119.Required, rootRef) register(RootOnHyperVNotSet, rfc2119.Must, rootRef) - register(RootOnNonHyperVRequired, rfc2119.Required, rootRef) + register(RootOnNonWindowsRequired, rfc2119.Required, rootRef) register(RootPathOnWindowsGUID, rfc2119.Must, rootRef) register(RootPathOnPosixConvention, rfc2119.Should, rootRef) register(RootPathExist, rfc2119.Must, rootRef) diff --git a/vendor/github.com/opencontainers/runtime-tools/specerror/error.go b/vendor/github.com/opencontainers/runtime-tools/specerror/error.go index 0300f7df2..5de9492d9 100644 --- a/vendor/github.com/opencontainers/runtime-tools/specerror/error.go +++ b/vendor/github.com/opencontainers/runtime-tools/specerror/error.go @@ -61,6 +61,34 @@ func (err *Error) Error() string { return err.Err.Error() } +// NewRFCError creates an rfc2119.Error referencing a spec violation. +// +// A version string (for the version of the spec that was violated) +// must be set to get a working URL. +func NewRFCError(code Code, err error, version string) (*rfc2119.Error, error) { + template := ociErrors[code] + reference, err2 := template.Reference(version) + if err2 != nil { + return nil, err2 + } + return &rfc2119.Error{ + Level: template.Level, + Reference: reference, + Err: err, + }, nil +} + +// NewRFCErrorOrPanic creates an rfc2119.Error referencing a spec +// violation and panics on failure. This is handy for situations +// where you can't be bothered to check NewRFCError for failure. +func NewRFCErrorOrPanic(code Code, err error, version string) *rfc2119.Error { + rfcError, err2 := NewRFCError(code, err, version) + if err2 != nil { + panic(err2.Error()) + } + return rfcError +} + // NewError creates an Error referencing a spec violation. The error // can be cast to an *Error for extracting structured information // about the level of the violation and a reference to the violated @@ -69,17 +97,12 @@ func (err *Error) Error() string { // A version string (for the version of the spec that was violated) // must be set to get a working URL. func NewError(code Code, err error, version string) error { - template := ociErrors[code] - reference, err2 := template.Reference(version) + rfcError, err2 := NewRFCError(code, err, version) if err2 != nil { return err2 } return &Error{ - Err: rfc2119.Error{ - Level: template.Level, - Reference: reference, - Err: err, - }, + Err: *rfcError, Code: code, } } diff --git a/vendor/github.com/opencontainers/runtime-tools/specerror/runtime.go b/vendor/github.com/opencontainers/runtime-tools/specerror/runtime.go index 0144f6696..383aea63c 100644 --- a/vendor/github.com/opencontainers/runtime-tools/specerror/runtime.go +++ b/vendor/github.com/opencontainers/runtime-tools/specerror/runtime.go @@ -68,10 +68,10 @@ const ( PropApplyFailNotCreate // StartWithoutIDGenError represents "`start` operation MUST generate an error if it is not provided the container ID." StartWithoutIDGenError - // StartNonCreateHaveNoEffect represents "Attempting to `start` a container that is not `created` MUST have no effect on the container." - StartNonCreateHaveNoEffect - // StartNonCreateGenError represents "Attempting to `start` a container that is not `created` MUST generate an error." - StartNonCreateGenError + // StartNotCreatedHaveNoEffect represents "Attempting to `start` a container that is not `created` MUST have no effect on the container." + StartNotCreatedHaveNoEffect + // StartNotCreatedGenError represents "Attempting to `start` a container that is not `created` MUST generate an error." + StartNotCreatedGenError // StartProcImplement represents "`start` operation MUST run the user-specified program as specified by `process`." StartProcImplement // StartWithProcUnsetGenError represents "`start` operation MUST generate an error if `process` was not set." @@ -163,8 +163,8 @@ func init() { register(PropApplyFailGenError, rfc2119.Must, createRef) register(PropApplyFailNotCreate, rfc2119.Must, createRef) register(StartWithoutIDGenError, rfc2119.Must, startRef) - register(StartNonCreateHaveNoEffect, rfc2119.Must, startRef) - register(StartNonCreateGenError, rfc2119.Must, startRef) + register(StartNotCreatedHaveNoEffect, rfc2119.Must, startRef) + register(StartNotCreatedGenError, rfc2119.Must, startRef) register(StartProcImplement, rfc2119.Must, startRef) register(StartWithProcUnsetGenError, rfc2119.Must, startRef) register(KillWithoutIDGenError, rfc2119.Must, killRef) diff --git a/vendor/github.com/opencontainers/runtime-tools/validate/validate.go b/vendor/github.com/opencontainers/runtime-tools/validate/validate.go index 1030099df..e2e820979 100644 --- a/vendor/github.com/opencontainers/runtime-tools/validate/validate.go +++ b/vendor/github.com/opencontainers/runtime-tools/validate/validate.go @@ -13,7 +13,6 @@ import ( "regexp" "runtime" "strings" - "syscall" "unicode" "unicode/utf8" @@ -115,6 +114,7 @@ func (v *Validator) CheckAll() error { errs = multierror.Append(errs, v.CheckMounts()) errs = multierror.Append(errs, v.CheckProcess()) errs = multierror.Append(errs, v.CheckLinux()) + errs = multierror.Append(errs, v.CheckAnnotations()) if v.platform == "linux" || v.platform == "solaris" { errs = multierror.Append(errs, v.CheckHooks()) } @@ -142,6 +142,8 @@ func JSONSchemaURL(version string) (url string, err error) { // runtime-spec JSON Schema, using the version of the schema that // matches the configuration's declared version. func (v *Validator) CheckJSONSchema() (errs error) { + logrus.Debugf("check JSON schema") + url, err := JSONSchemaURL(v.spec.Version) if err != nil { errs = multierror.Append(errs, err) @@ -169,16 +171,21 @@ func (v *Validator) CheckJSONSchema() (errs error) { func (v *Validator) CheckRoot() (errs error) { logrus.Debugf("check root") - if v.platform == "windows" && v.spec.Windows != nil && v.spec.Windows.HyperV != nil { - if v.spec.Root != nil { + if v.platform == "windows" && v.spec.Windows != nil { + if v.spec.Windows.HyperV != nil { + if v.spec.Root != nil { + errs = multierror.Append(errs, + specerror.NewError(specerror.RootOnHyperVNotSet, fmt.Errorf("for Hyper-V containers, Root must not be set"), rspec.Version)) + } + return + } else if v.spec.Root == nil { errs = multierror.Append(errs, - specerror.NewError(specerror.RootOnHyperVNotSet, fmt.Errorf("for Hyper-V containers, Root must not be set"), rspec.Version)) + specerror.NewError(specerror.RootOnWindowsRequired, fmt.Errorf("on Windows, for Windows Server Containers, this field is REQUIRED"), rspec.Version)) return } - return - } else if v.spec.Root == nil { + } else if v.platform != "windows" && v.spec.Root == nil { errs = multierror.Append(errs, - specerror.NewError(specerror.RootOnNonHyperVRequired, fmt.Errorf("for non-Hyper-V containers, Root must be set"), rspec.Version)) + specerror.NewError(specerror.RootOnNonWindowsRequired, fmt.Errorf("on all other platforms, this field is REQUIRED"), rspec.Version)) return } @@ -570,6 +577,11 @@ func (v *Validator) CheckPlatform() (errs error) { return } + if v.HostSpecific && v.platform != runtime.GOOS { + errs = multierror.Append(errs, fmt.Errorf("platform %q differs from the host %q, skipping host-specific checks", v.platform, runtime.GOOS)) + v.HostSpecific = false + } + if v.platform == "windows" { if v.spec.Windows == nil { errs = multierror.Append(errs, @@ -583,189 +595,6 @@ func (v *Validator) CheckPlatform() (errs error) { return } -// CheckLinux checks v.spec.Linux -func (v *Validator) CheckLinux() (errs error) { - logrus.Debugf("check linux") - - if v.spec.Linux == nil { - return - } - - var nsTypeList = map[rspec.LinuxNamespaceType]struct { - num int - newExist bool - }{ - rspec.PIDNamespace: {0, false}, - rspec.NetworkNamespace: {0, false}, - rspec.MountNamespace: {0, false}, - rspec.IPCNamespace: {0, false}, - rspec.UTSNamespace: {0, false}, - rspec.UserNamespace: {0, false}, - rspec.CgroupNamespace: {0, false}, - } - - for index := 0; index < len(v.spec.Linux.Namespaces); index++ { - ns := v.spec.Linux.Namespaces[index] - if ns.Path != "" && !osFilepath.IsAbs(v.platform, ns.Path) { - errs = multierror.Append(errs, specerror.NewError(specerror.NSPathAbs, fmt.Errorf("namespace.path %q is not an absolute path", ns.Path), rspec.Version)) - } - - tmpItem := nsTypeList[ns.Type] - tmpItem.num = tmpItem.num + 1 - if tmpItem.num > 1 { - errs = multierror.Append(errs, specerror.NewError(specerror.NSErrorOnDup, fmt.Errorf("duplicated namespace %q", ns.Type), rspec.Version)) - } - - if len(ns.Path) == 0 { - tmpItem.newExist = true - } - nsTypeList[ns.Type] = tmpItem - } - - if (len(v.spec.Linux.UIDMappings) > 0 || len(v.spec.Linux.GIDMappings) > 0) && !nsTypeList[rspec.UserNamespace].newExist { - errs = multierror.Append(errs, errors.New("the UID/GID mappings requires a new User namespace to be specified as well")) - } - - for k := range v.spec.Linux.Sysctl { - if strings.HasPrefix(k, "net.") && !nsTypeList[rspec.NetworkNamespace].newExist { - errs = multierror.Append(errs, fmt.Errorf("sysctl %v requires a new Network namespace to be specified as well", k)) - } - if strings.HasPrefix(k, "fs.mqueue.") { - if !nsTypeList[rspec.MountNamespace].newExist || !nsTypeList[rspec.IPCNamespace].newExist { - errs = multierror.Append(errs, fmt.Errorf("sysctl %v requires a new IPC namespace and Mount namespace to be specified as well", k)) - } - } - } - - if v.platform == "linux" && !nsTypeList[rspec.UTSNamespace].newExist && v.spec.Hostname != "" { - errs = multierror.Append(errs, fmt.Errorf("on Linux, hostname requires a new UTS namespace to be specified as well")) - } - - // Linux devices validation - devList := make(map[string]bool) - devTypeList := make(map[string]bool) - for index := 0; index < len(v.spec.Linux.Devices); index++ { - device := v.spec.Linux.Devices[index] - if !deviceValid(device) { - errs = multierror.Append(errs, fmt.Errorf("device %v is invalid", device)) - } - - if _, exists := devList[device.Path]; exists { - errs = multierror.Append(errs, fmt.Errorf("device %s is duplicated", device.Path)) - } else { - var rootfsPath string - if filepath.IsAbs(v.spec.Root.Path) { - rootfsPath = v.spec.Root.Path - } else { - rootfsPath = filepath.Join(v.bundlePath, v.spec.Root.Path) - } - absPath := filepath.Join(rootfsPath, device.Path) - fi, err := os.Stat(absPath) - if os.IsNotExist(err) { - devList[device.Path] = true - } else if err != nil { - errs = multierror.Append(errs, err) - } else { - fStat, ok := fi.Sys().(*syscall.Stat_t) - if !ok { - errs = multierror.Append(errs, specerror.NewError(specerror.DevicesAvailable, - fmt.Errorf("cannot determine state for device %s", device.Path), rspec.Version)) - continue - } - var devType string - switch fStat.Mode & syscall.S_IFMT { - case syscall.S_IFCHR: - devType = "c" - case syscall.S_IFBLK: - devType = "b" - case syscall.S_IFIFO: - devType = "p" - default: - devType = "unmatched" - } - if devType != device.Type || (devType == "c" && device.Type == "u") { - errs = multierror.Append(errs, specerror.NewError(specerror.DevicesFileNotMatch, - fmt.Errorf("unmatched %s already exists in filesystem", device.Path), rspec.Version)) - continue - } - if devType != "p" { - dev := fStat.Rdev - major := (dev >> 8) & 0xfff - minor := (dev & 0xff) | ((dev >> 12) & 0xfff00) - if int64(major) != device.Major || int64(minor) != device.Minor { - errs = multierror.Append(errs, specerror.NewError(specerror.DevicesFileNotMatch, - fmt.Errorf("unmatched %s already exists in filesystem", device.Path), rspec.Version)) - continue - } - } - if device.FileMode != nil { - expectedPerm := *device.FileMode & os.ModePerm - actualPerm := fi.Mode() & os.ModePerm - if expectedPerm != actualPerm { - errs = multierror.Append(errs, specerror.NewError(specerror.DevicesFileNotMatch, - fmt.Errorf("unmatched %s already exists in filesystem", device.Path), rspec.Version)) - continue - } - } - if device.UID != nil { - if *device.UID != fStat.Uid { - errs = multierror.Append(errs, specerror.NewError(specerror.DevicesFileNotMatch, - fmt.Errorf("unmatched %s already exists in filesystem", device.Path), rspec.Version)) - continue - } - } - if device.GID != nil { - if *device.GID != fStat.Gid { - errs = multierror.Append(errs, specerror.NewError(specerror.DevicesFileNotMatch, - fmt.Errorf("unmatched %s already exists in filesystem", device.Path), rspec.Version)) - continue - } - } - } - } - - // unify u->c when comparing, they are synonyms - var devID string - if device.Type == "u" { - devID = fmt.Sprintf("%s:%d:%d", "c", device.Major, device.Minor) - } else { - devID = fmt.Sprintf("%s:%d:%d", device.Type, device.Major, device.Minor) - } - - if _, exists := devTypeList[devID]; exists { - logrus.Warnf("type:%s, major:%d and minor:%d for linux devices is duplicated", device.Type, device.Major, device.Minor) - } else { - devTypeList[devID] = true - } - } - - if v.spec.Linux.Resources != nil { - errs = multierror.Append(errs, v.CheckLinuxResources()) - } - - for _, maskedPath := range v.spec.Linux.MaskedPaths { - if !strings.HasPrefix(maskedPath, "/") { - errs = multierror.Append(errs, - specerror.NewError( - specerror.MaskedPathsAbs, - fmt.Errorf("maskedPath %v is not an absolute path", maskedPath), - rspec.Version)) - } - } - - for _, readonlyPath := range v.spec.Linux.ReadonlyPaths { - if !strings.HasPrefix(readonlyPath, "/") { - errs = multierror.Append(errs, - specerror.NewError( - specerror.ReadonlyPathsAbs, - fmt.Errorf("readonlyPath %v is not an absolute path", readonlyPath), - rspec.Version)) - } - } - - return -} - // CheckLinuxResources checks v.spec.Linux.Resources func (v *Validator) CheckLinuxResources() (errs error) { logrus.Debugf("check linux resources") @@ -817,6 +646,44 @@ func (v *Validator) CheckLinuxResources() (errs error) { } } + if r.BlockIO != nil && r.BlockIO.WeightDevice != nil { + for i, weightDevice := range r.BlockIO.WeightDevice { + if weightDevice.Weight == nil && weightDevice.LeafWeight == nil { + errs = multierror.Append(errs, + specerror.NewError( + specerror.BlkIOWeightOrLeafWeightExist, + fmt.Errorf("linux.resources.blockIO.weightDevice[%d] specifies neither weight nor leafWeight", i), + rspec.Version)) + } + } + } + + return +} + +// CheckAnnotations checks v.spec.Annotations +func (v *Validator) CheckAnnotations() (errs error) { + logrus.Debugf("check annotations") + + reversedDomain := regexp.MustCompile(`^[A-Za-z]{2,6}(\.[A-Za-z0-9-]{1,63})+$`) + for key := range v.spec.Annotations { + if strings.HasPrefix(key, "org.opencontainers") { + errs = multierror.Append(errs, + specerror.NewError( + specerror.AnnotationsKeyReservedNS, + fmt.Errorf("key %q is reserved", key), + rspec.Version)) + } + + if !reversedDomain.MatchString(key) { + errs = multierror.Append(errs, + specerror.NewError( + specerror.AnnotationsKeyReversedDomain, + fmt.Errorf("key %q SHOULD be named using a reverse domain notation", key), + rspec.Version)) + } + } + return } @@ -843,17 +710,6 @@ func CapValid(c string, hostSpecific bool) error { return nil } -// LastCap return last cap of system -func LastCap() capability.Cap { - last := capability.CAP_LAST_CAP - // hack for RHEL6 which has no /proc/sys/kernel/cap_last_cap - if last == capability.Cap(63) { - last = capability.CAP_BLOCK_SUSPEND - } - - return last -} - func envValid(env string) bool { items := strings.Split(env, "=") if len(items) < 2 { @@ -896,22 +752,6 @@ func (v *Validator) rlimitValid(rlimit rspec.POSIXRlimit) (errs error) { return } -func deviceValid(d rspec.LinuxDevice) bool { - switch d.Type { - case "b", "c", "u": - if d.Major <= 0 || d.Minor <= 0 { - return false - } - case "p": - if d.Major != 0 || d.Minor != 0 { - return false - } - default: - return false - } - return true -} - func isStruct(t reflect.Type) bool { return t.Kind() == reflect.Struct } @@ -990,5 +830,9 @@ func checkMandatory(obj interface{}) (errs error) { func (v *Validator) CheckMandatoryFields() error { logrus.Debugf("check mandatory fields") + if v.spec == nil { + return fmt.Errorf("Spec can't be nil") + } + return checkMandatory(v.spec) } diff --git a/vendor/github.com/opencontainers/runtime-tools/validate/validate_linux.go b/vendor/github.com/opencontainers/runtime-tools/validate/validate_linux.go new file mode 100644 index 000000000..8d452c209 --- /dev/null +++ b/vendor/github.com/opencontainers/runtime-tools/validate/validate_linux.go @@ -0,0 +1,230 @@ +// +build linux + +package validate + +import ( + "errors" + "fmt" + "os" + "path/filepath" + "strings" + "syscall" + + "github.com/syndtr/gocapability/capability" + + multierror "github.com/hashicorp/go-multierror" + rspec "github.com/opencontainers/runtime-spec/specs-go" + osFilepath "github.com/opencontainers/runtime-tools/filepath" + "github.com/opencontainers/runtime-tools/specerror" + "github.com/sirupsen/logrus" +) + +// LastCap return last cap of system +func LastCap() capability.Cap { + last := capability.CAP_LAST_CAP + // hack for RHEL6 which has no /proc/sys/kernel/cap_last_cap + if last == capability.Cap(63) { + last = capability.CAP_BLOCK_SUSPEND + } + + return last +} + +func deviceValid(d rspec.LinuxDevice) bool { + switch d.Type { + case "b", "c", "u": + if d.Major <= 0 || d.Minor <= 0 { + return false + } + case "p": + if d.Major != 0 || d.Minor != 0 { + return false + } + default: + return false + } + return true +} + +// CheckLinux checks v.spec.Linux +func (v *Validator) CheckLinux() (errs error) { + logrus.Debugf("check linux") + + if v.spec.Linux == nil { + return + } + + var nsTypeList = map[rspec.LinuxNamespaceType]struct { + num int + newExist bool + }{ + rspec.PIDNamespace: {0, false}, + rspec.NetworkNamespace: {0, false}, + rspec.MountNamespace: {0, false}, + rspec.IPCNamespace: {0, false}, + rspec.UTSNamespace: {0, false}, + rspec.UserNamespace: {0, false}, + rspec.CgroupNamespace: {0, false}, + } + + for index := 0; index < len(v.spec.Linux.Namespaces); index++ { + ns := v.spec.Linux.Namespaces[index] + if ns.Path != "" && !osFilepath.IsAbs(v.platform, ns.Path) { + errs = multierror.Append(errs, specerror.NewError(specerror.NSPathAbs, fmt.Errorf("namespace.path %q is not an absolute path", ns.Path), rspec.Version)) + } + + tmpItem := nsTypeList[ns.Type] + tmpItem.num = tmpItem.num + 1 + if tmpItem.num > 1 { + errs = multierror.Append(errs, specerror.NewError(specerror.NSErrorOnDup, fmt.Errorf("duplicated namespace %q", ns.Type), rspec.Version)) + } + + if len(ns.Path) == 0 { + tmpItem.newExist = true + } + nsTypeList[ns.Type] = tmpItem + } + + if (len(v.spec.Linux.UIDMappings) > 0 || len(v.spec.Linux.GIDMappings) > 0) && !nsTypeList[rspec.UserNamespace].newExist { + errs = multierror.Append(errs, errors.New("the UID/GID mappings requires a new User namespace to be specified as well")) + } + + for k := range v.spec.Linux.Sysctl { + if strings.HasPrefix(k, "net.") && !nsTypeList[rspec.NetworkNamespace].newExist { + errs = multierror.Append(errs, fmt.Errorf("sysctl %v requires a new Network namespace to be specified as well", k)) + } + if strings.HasPrefix(k, "fs.mqueue.") { + if !nsTypeList[rspec.MountNamespace].newExist || !nsTypeList[rspec.IPCNamespace].newExist { + errs = multierror.Append(errs, fmt.Errorf("sysctl %v requires a new IPC namespace and Mount namespace to be specified as well", k)) + } + } + } + + if v.platform == "linux" && !nsTypeList[rspec.UTSNamespace].newExist && v.spec.Hostname != "" { + errs = multierror.Append(errs, fmt.Errorf("on Linux, hostname requires a new UTS namespace to be specified as well")) + } + + // Linux devices validation + devList := make(map[string]bool) + devTypeList := make(map[string]bool) + for index := 0; index < len(v.spec.Linux.Devices); index++ { + device := v.spec.Linux.Devices[index] + if !deviceValid(device) { + errs = multierror.Append(errs, fmt.Errorf("device %v is invalid", device)) + } + + if _, exists := devList[device.Path]; exists { + errs = multierror.Append(errs, fmt.Errorf("device %s is duplicated", device.Path)) + } else { + var rootfsPath string + if filepath.IsAbs(v.spec.Root.Path) { + rootfsPath = v.spec.Root.Path + } else { + rootfsPath = filepath.Join(v.bundlePath, v.spec.Root.Path) + } + absPath := filepath.Join(rootfsPath, device.Path) + fi, err := os.Stat(absPath) + if os.IsNotExist(err) { + devList[device.Path] = true + } else if err != nil { + errs = multierror.Append(errs, err) + } else { + fStat, ok := fi.Sys().(*syscall.Stat_t) + if !ok { + errs = multierror.Append(errs, specerror.NewError(specerror.DevicesAvailable, + fmt.Errorf("cannot determine state for device %s", device.Path), rspec.Version)) + continue + } + var devType string + switch fStat.Mode & syscall.S_IFMT { + case syscall.S_IFCHR: + devType = "c" + case syscall.S_IFBLK: + devType = "b" + case syscall.S_IFIFO: + devType = "p" + default: + devType = "unmatched" + } + if devType != device.Type || (devType == "c" && device.Type == "u") { + errs = multierror.Append(errs, specerror.NewError(specerror.DevicesFileNotMatch, + fmt.Errorf("unmatched %s already exists in filesystem", device.Path), rspec.Version)) + continue + } + if devType != "p" { + dev := fStat.Rdev + major := (dev >> 8) & 0xfff + minor := (dev & 0xff) | ((dev >> 12) & 0xfff00) + if int64(major) != device.Major || int64(minor) != device.Minor { + errs = multierror.Append(errs, specerror.NewError(specerror.DevicesFileNotMatch, + fmt.Errorf("unmatched %s already exists in filesystem", device.Path), rspec.Version)) + continue + } + } + if device.FileMode != nil { + expectedPerm := *device.FileMode & os.ModePerm + actualPerm := fi.Mode() & os.ModePerm + if expectedPerm != actualPerm { + errs = multierror.Append(errs, specerror.NewError(specerror.DevicesFileNotMatch, + fmt.Errorf("unmatched %s already exists in filesystem", device.Path), rspec.Version)) + continue + } + } + if device.UID != nil { + if *device.UID != fStat.Uid { + errs = multierror.Append(errs, specerror.NewError(specerror.DevicesFileNotMatch, + fmt.Errorf("unmatched %s already exists in filesystem", device.Path), rspec.Version)) + continue + } + } + if device.GID != nil { + if *device.GID != fStat.Gid { + errs = multierror.Append(errs, specerror.NewError(specerror.DevicesFileNotMatch, + fmt.Errorf("unmatched %s already exists in filesystem", device.Path), rspec.Version)) + continue + } + } + } + } + + // unify u->c when comparing, they are synonyms + var devID string + if device.Type == "u" { + devID = fmt.Sprintf("%s:%d:%d", "c", device.Major, device.Minor) + } else { + devID = fmt.Sprintf("%s:%d:%d", device.Type, device.Major, device.Minor) + } + + if _, exists := devTypeList[devID]; exists { + logrus.Warnf("%v", specerror.NewError(specerror.DevicesErrorOnDup, fmt.Errorf("type:%s, major:%d and minor:%d for linux devices is duplicated", device.Type, device.Major, device.Minor), rspec.Version)) + } else { + devTypeList[devID] = true + } + } + + if v.spec.Linux.Resources != nil { + errs = multierror.Append(errs, v.CheckLinuxResources()) + } + + for _, maskedPath := range v.spec.Linux.MaskedPaths { + if !strings.HasPrefix(maskedPath, "/") { + errs = multierror.Append(errs, + specerror.NewError( + specerror.MaskedPathsAbs, + fmt.Errorf("maskedPath %v is not an absolute path", maskedPath), + rspec.Version)) + } + } + + for _, readonlyPath := range v.spec.Linux.ReadonlyPaths { + if !strings.HasPrefix(readonlyPath, "/") { + errs = multierror.Append(errs, + specerror.NewError( + specerror.ReadonlyPathsAbs, + fmt.Errorf("readonlyPath %v is not an absolute path", readonlyPath), + rspec.Version)) + } + } + + return +} diff --git a/vendor/github.com/opencontainers/runtime-tools/validate/validate_unsupported.go b/vendor/github.com/opencontainers/runtime-tools/validate/validate_unsupported.go new file mode 100644 index 000000000..f150c326c --- /dev/null +++ b/vendor/github.com/opencontainers/runtime-tools/validate/validate_unsupported.go @@ -0,0 +1,17 @@ +// +build !linux + +package validate + +import ( + "github.com/syndtr/gocapability/capability" +) + +// LastCap return last cap of system +func LastCap() capability.Cap { + return capability.Cap(-1) +} + +// CheckLinux is a noop on this platform +func (v *Validator) CheckLinux() (errs error) { + return nil +} -- cgit v1.2.3-54-g00ecf