
  [%# Template Toolkit source for the OCI runtime config.json that runc loads
      for an rbm build container. Text outside the template directives is
      emitted verbatim; c("...") presumably reads a build/container config
      value. var_p/runc_spec100 selects the OCI 1.0.0 layout (object-form
      capability sets, extra masked paths); otherwise the 1.0.0-rc1 layout. -%]
  1. {
  2. "ociVersion": "1.0.0[% IF !c("var_p/runc_spec100") %]-rc1[% END %]",
  3. "platform": {
  4. "os": "linux",
  5. "arch": "amd64"
  6. },
  7. "process": {
  [%# A pty is allocated only when the "interactive" setting is on. -%]
  8. "terminal": [% IF c("interactive") %]true[% ELSE %]false[% END %],
  [%# The build runs as uid 0 / gid 0 inside the container; what that root can
      actually do is bounded by the capability sets, noNewPrivileges, the
      default-deny device cgroup and the namespace set-up further down. -%]
  9. "user": {
  10. "uid": 0,
  11. "gid": 0
  12. },
  13. "args": [
  14. "/rbm/run"
  15. ],
  16. "env": [
  17. "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
  18. "TERM=xterm"
  19. ],
  20. "cwd": "/",
  21. [% IF c("var_p/runc_spec100") -%]
  [%# OCI 1.0.0 form: five separate capability sets. All five carry the same
      list, and the same list appears once more in the rc1 branch below, so any
      change has to be mirrored in six places or the sets silently drift apart.
      CAP_SYS_ADMIN is added to every set only when var/container/CAP_SYS_ADMIN
      is set; it is by far the broadest capability here and largely undoes the
      benefit of dropping the others, so keep it off unless the build needs it. -%]
  22. "capabilities": {
  23. "bounding": [
  24. "CAP_AUDIT_WRITE",
  25. "CAP_KILL",
  26. "CAP_NET_BIND_SERVICE",
  27. "CAP_SETGID",
  28. "CAP_SETUID",
  29. "CAP_MKNOD",
  30. "CAP_SYS_CHROOT",
  31. [% IF c("var/container/CAP_SYS_ADMIN") -%]
  32. "CAP_SYS_ADMIN",
  33. [% END -%]
  34. "CAP_FSETID",
  35. "CAP_FOWNER",
  36. "CAP_DAC_OVERRIDE",
  37. "CAP_CHOWN"
  38. ],
  39. "effective": [
  40. "CAP_AUDIT_WRITE",
  41. "CAP_KILL",
  42. "CAP_NET_BIND_SERVICE",
  43. "CAP_SETGID",
  44. "CAP_SETUID",
  45. "CAP_MKNOD",
  46. "CAP_SYS_CHROOT",
  47. [% IF c("var/container/CAP_SYS_ADMIN") -%]
  48. "CAP_SYS_ADMIN",
  49. [% END -%]
  50. "CAP_FSETID",
  51. "CAP_FOWNER",
  52. "CAP_DAC_OVERRIDE",
  53. "CAP_CHOWN"
  54. ],
  55. "inheritable": [
  56. "CAP_AUDIT_WRITE",
  57. "CAP_KILL",
  58. "CAP_NET_BIND_SERVICE",
  59. "CAP_SETGID",
  60. "CAP_SETUID",
  61. "CAP_MKNOD",
  62. "CAP_SYS_CHROOT",
  63. [% IF c("var/container/CAP_SYS_ADMIN") -%]
  64. "CAP_SYS_ADMIN",
  65. [% END -%]
  66. "CAP_FSETID",
  67. "CAP_FOWNER",
  68. "CAP_DAC_OVERRIDE",
  69. "CAP_CHOWN"
  70. ],
  71. "permitted": [
  72. "CAP_AUDIT_WRITE",
  73. "CAP_KILL",
  74. "CAP_NET_BIND_SERVICE",
  75. "CAP_SETGID",
  76. "CAP_SETUID",
  77. "CAP_MKNOD",
  78. "CAP_SYS_CHROOT",
  79. [% IF c("var/container/CAP_SYS_ADMIN") -%]
  80. "CAP_SYS_ADMIN",
  81. [% END -%]
  82. "CAP_FSETID",
  83. "CAP_FOWNER",
  84. "CAP_DAC_OVERRIDE",
  85. "CAP_CHOWN"
  86. ],
  [%# Ambient set: these capabilities are kept across execve by the build's
      child processes as well, not just by /rbm/run itself. -%]
  87. "ambient": [
  88. "CAP_AUDIT_WRITE",
  89. "CAP_KILL",
  90. "CAP_NET_BIND_SERVICE",
  91. "CAP_SETGID",
  92. "CAP_SETUID",
  93. "CAP_MKNOD",
  94. "CAP_SYS_CHROOT",
  95. [% IF c("var/container/CAP_SYS_ADMIN") -%]
  96. "CAP_SYS_ADMIN",
  97. [% END -%]
  98. "CAP_FSETID",
  99. "CAP_FOWNER",
  100. "CAP_DAC_OVERRIDE",
  101. "CAP_CHOWN"
  102. ]
  103. },
  104. [% ELSE -%]
  [%# Pre-1.0.0 (rc1) form: one flat capability list, same contents as above. -%]
  105. "capabilities": [
  106. "CAP_AUDIT_WRITE",
  107. "CAP_KILL",
  108. "CAP_NET_BIND_SERVICE",
  109. "CAP_SETGID",
  110. "CAP_SETUID",
  111. "CAP_MKNOD",
  112. "CAP_SYS_CHROOT",
  113. [% IF c("var/container/CAP_SYS_ADMIN") -%]
  114. "CAP_SYS_ADMIN",
  115. [% END -%]
  116. "CAP_FSETID",
  117. "CAP_FOWNER",
  118. "CAP_DAC_OVERRIDE",
  119. "CAP_CHOWN"
  120. ],
  121. [% END -%]
  [%# Blocks privilege gain across execve (setuid / file-capability binaries
      inside the rootfs cannot raise privileges beyond the sets above). -%]
  122. "noNewPrivileges": true
  123. },
  124. "root": {
  125. "path": "rootfs",
  [%# The rootfs is writable — presumably because the build writes its output
      into it; confirm. -%]
  126. "readonly": false
  127. },
  128. "hostname": "runc",
  129. "mounts": [
  130. {
  131. "destination": "/proc",
  132. "type": "proc",
  133. "source": "proc"
  134. },
  [%# The host's resolver config is bind-mounted read-only into the container. -%]
  135. {
  136. "type": "bind",
  137. "source": "/etc/resolv.conf",
  138. "destination": "/etc/resolv.conf",
  139. "options": [
  140. "rbind",
  141. "ro"
  142. ]
  143. },
  [%# Private tmpfs /dev (nosuid); no extra device nodes are requested here, so
      the container presumably sees only runc's default devices — confirm. -%]
  144. {
  145. "destination": "/dev",
  146. "type": "tmpfs",
  147. "source": "tmpfs",
  148. "options": [
  149. "nosuid",
  150. "strictatime",
  151. "mode=755",
  152. "size=65536k"
  153. ]
  154. },
  155. {
  156. "destination": "/dev/pts",
  157. "type": "devpts",
  158. "source": "devpts",
  159. "options": [
  160. "nosuid",
  161. "noexec",
  162. "newinstance",
  163. "ptmxmode=0666",
  164. "mode=0620",
  165. "gid=5"
  166. ]
  167. },
  168. {
  169. "destination": "/dev/shm",
  170. "type": "tmpfs",
  171. "source": "shm",
  172. "options": [
  173. "nosuid",
  174. "noexec",
  175. "nodev",
  176. "mode=1777",
  177. "size=65536k"
  178. ]
  179. },
  180. {
  181. "destination": "/dev/mqueue",
  182. "type": "mqueue",
  183. "source": "mqueue",
  184. "options": [
  185. "nosuid",
  186. "noexec",
  187. "nodev"
  188. ]
  189. },
  [%# /sys and the cgroup tree are mounted read-only so the build cannot
      reconfigure the host kernel or relax its own cgroup limits. -%]
  190. {
  191. "destination": "/sys",
  192. "type": "sysfs",
  193. "source": "sysfs",
  194. "options": [
  195. "nosuid",
  196. "noexec",
  197. "nodev",
  198. "ro"
  199. ]
  200. },
  201. {
  202. "destination": "/sys/fs/cgroup",
  203. "type": "cgroup",
  204. "source": "cgroup",
  205. "options": [
  206. "nosuid",
  207. "noexec",
  208. "nodev",
  209. "relatime",
  210. "ro"
  211. ]
  212. }
  213. ],
  [%# No lifecycle hooks are run on the host side. -%]
  214. "hooks": {},
  215. "linux": {
  216. "resources": {
  [%# Device cgroup: a single deny-all rule (read/write/mknod); no device is
      allowed explicitly by this file. -%]
  217. "devices": [
  218. {
  219. "allow": false,
  220. "access": "rwm"
  221. }
  222. ]
  223. },
  [%# Fresh pid, ipc, uts and mount namespaces. A network namespace entry is
      emitted only when var/container/disable_network/<exec_name> is set, and
      it joins (via "path") a pre-created netns named from the sha256 of
      build_id instead of creating a new one — build_id must be defined or the
      template fails. Per the OCI spec an unlisted namespace type is inherited
      from the runtime, so without that entry the build shares the host
      network namespace, i.e. network access is on by default. -%]
  224. "namespaces": [
  225. {
  226. "type": "pid"
  227. },
  228. {
  229. "type": "ipc"
  230. },
  231. {
  232. "type": "uts"
  233. },
  234. [% IF c("var/container/disable_network/" _ c("exec_name")) -%]
  235. {
  236. "type": "network",
  237. "path": "/var/run/netns/rbm-[% sha256(c("build_id", { error_if_undef => 1 })) %]"
  238. },
  239. [% END -%]
  240. {
  241. "type": "mount"
  242. }
  243. ],
  [%# Kernel paths hidden from the container; the two extra entries are only
      emitted for the 1.0.0 spec layout. -%]
  244. "maskedPaths": [
  245. "/proc/kcore",
  246. "/proc/latency_stats",
  247. "/proc/timer_stats",
  248. [% IF c("var_p/runc_spec100") -%]
  249. "/proc/timer_list",
  250. "/sys/firmware",
  251. [% END -%]
  252. "/proc/sched_debug"
  253. ],
  [%# /proc entries left visible but read-only (e.g. sysctls, sysrq trigger). -%]
  254. "readonlyPaths": [
  255. "/proc/asound",
  256. "/proc/bus",
  257. "/proc/fs",
  258. "/proc/irq",
  259. "/proc/sys",
  260. "/proc/sysrq-trigger"
  261. ]
  262. },
  [%# Not used on the linux platform declared above; left empty. -%]
  263. "solaris": {
  264. "cappedCPU": {},
  265. "cappedMemory": {}
  266. }
  267. }