- {
- "ociVersion": "1.0.0[% IF !c("var_p/runc_spec100") %]-rc1[% END %]",
- "platform": {
- "os": "linux",
- "arch": "amd64"
- },
- "process": {
- "terminal": [% IF c("interactive") %]true[% ELSE %]false[% END %],
- "user": {
- "uid": 0,
- "gid": 0
- },
- "args": [
- "/rbm/run"
- ],
- "env": [
- "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
- "TERM=xterm"
- ],
- "cwd": "/",
- [% IF c("var_p/runc_spec100") -%]
- "capabilities": {
- "bounding": [
- "CAP_AUDIT_WRITE",
- "CAP_KILL",
- "CAP_NET_BIND_SERVICE",
- "CAP_SETGID",
- "CAP_SETUID",
- "CAP_MKNOD",
- "CAP_SYS_CHROOT",
- [% IF c("var/container/CAP_SYS_ADMIN") -%]
- "CAP_SYS_ADMIN",
- [% END -%]
- "CAP_FSETID",
- "CAP_FOWNER",
- "CAP_DAC_OVERRIDE",
- "CAP_CHOWN"
- ],
- "effective": [
- "CAP_AUDIT_WRITE",
- "CAP_KILL",
- "CAP_NET_BIND_SERVICE",
- "CAP_SETGID",
- "CAP_SETUID",
- "CAP_MKNOD",
- "CAP_SYS_CHROOT",
- [% IF c("var/container/CAP_SYS_ADMIN") -%]
- "CAP_SYS_ADMIN",
- [% END -%]
- "CAP_FSETID",
- "CAP_FOWNER",
- "CAP_DAC_OVERRIDE",
- "CAP_CHOWN"
- ],
- "inheritable": [
- "CAP_AUDIT_WRITE",
- "CAP_KILL",
- "CAP_NET_BIND_SERVICE",
- "CAP_SETGID",
- "CAP_SETUID",
- "CAP_MKNOD",
- "CAP_SYS_CHROOT",
- [% IF c("var/container/CAP_SYS_ADMIN") -%]
- "CAP_SYS_ADMIN",
- [% END -%]
- "CAP_FSETID",
- "CAP_FOWNER",
- "CAP_DAC_OVERRIDE",
- "CAP_CHOWN"
- ],
- "permitted": [
- "CAP_AUDIT_WRITE",
- "CAP_KILL",
- "CAP_NET_BIND_SERVICE",
- "CAP_SETGID",
- "CAP_SETUID",
- "CAP_MKNOD",
- "CAP_SYS_CHROOT",
- [% IF c("var/container/CAP_SYS_ADMIN") -%]
- "CAP_SYS_ADMIN",
- [% END -%]
- "CAP_FSETID",
- "CAP_FOWNER",
- "CAP_DAC_OVERRIDE",
- "CAP_CHOWN"
- ],
- "ambient": [
- "CAP_AUDIT_WRITE",
- "CAP_KILL",
- "CAP_NET_BIND_SERVICE",
- "CAP_SETGID",
- "CAP_SETUID",
- "CAP_MKNOD",
- "CAP_SYS_CHROOT",
- [% IF c("var/container/CAP_SYS_ADMIN") -%]
- "CAP_SYS_ADMIN",
- [% END -%]
- "CAP_FSETID",
- "CAP_FOWNER",
- "CAP_DAC_OVERRIDE",
- "CAP_CHOWN"
- ]
- },
- [% ELSE -%]
- "capabilities": [
- "CAP_AUDIT_WRITE",
- "CAP_KILL",
- "CAP_NET_BIND_SERVICE",
- "CAP_SETGID",
- "CAP_SETUID",
- "CAP_MKNOD",
- "CAP_SYS_CHROOT",
- [% IF c("var/container/CAP_SYS_ADMIN") -%]
- "CAP_SYS_ADMIN",
- [% END -%]
- "CAP_FSETID",
- "CAP_FOWNER",
- "CAP_DAC_OVERRIDE",
- "CAP_CHOWN"
- ],
- [% END -%]
- "noNewPrivileges": true
- },
- "root": {
- "path": "rootfs",
- "readonly": false
- },
- "hostname": "runc",
- "mounts": [
- {
- "destination": "/proc",
- "type": "proc",
- "source": "proc"
- },
- {
- "type": "bind",
- "source": "/etc/resolv.conf",
- "destination": "/etc/resolv.conf",
- "options": [
- "rbind",
- "ro"
- ]
- },
- {
- "destination": "/dev",
- "type": "tmpfs",
- "source": "tmpfs",
- "options": [
- "nosuid",
- "strictatime",
- "mode=755",
- "size=65536k"
- ]
- },
- {
- "destination": "/dev/pts",
- "type": "devpts",
- "source": "devpts",
- "options": [
- "nosuid",
- "noexec",
- "newinstance",
- "ptmxmode=0666",
- "mode=0620",
- "gid=5"
- ]
- },
- {
- "destination": "/dev/shm",
- "type": "tmpfs",
- "source": "shm",
- "options": [
- "nosuid",
- "noexec",
- "nodev",
- "mode=1777",
- "size=65536k"
- ]
- },
- {
- "destination": "/dev/mqueue",
- "type": "mqueue",
- "source": "mqueue",
- "options": [
- "nosuid",
- "noexec",
- "nodev"
- ]
- },
- {
- "destination": "/sys",
- "type": "sysfs",
- "source": "sysfs",
- "options": [
- "nosuid",
- "noexec",
- "nodev",
- "ro"
- ]
- },
- {
- "destination": "/sys/fs/cgroup",
- "type": "cgroup",
- "source": "cgroup",
- "options": [
- "nosuid",
- "noexec",
- "nodev",
- "relatime",
- "ro"
- ]
- }
- ],
- "hooks": {},
- "linux": {
- "resources": {
- "devices": [
- {
- "allow": false,
- "access": "rwm"
- }
- ]
- },
- "namespaces": [
- {
- "type": "pid"
- },
- {
- "type": "ipc"
- },
- {
- "type": "uts"
- },
- [% IF c("var/container/disable_network/" _ c("exec_name")) -%]
- {
- "type": "network",
- "path": "/var/run/netns/rbm-[% sha256(c("build_id", { error_if_undef => 1 })) %]"
- },
- [% END -%]
- {
- "type": "mount"
- }
- ],
- "maskedPaths": [
- "/proc/kcore",
- "/proc/latency_stats",
- "/proc/timer_stats",
- [% IF c("var_p/runc_spec100") -%]
- "/proc/timer_list",
- "/sys/firmware",
- [% END -%]
- "/proc/sched_debug"
- ],
- "readonlyPaths": [
- "/proc/asound",
- "/proc/bus",
- "/proc/fs",
- "/proc/irq",
- "/proc/sys",
- "/proc/sysrq-trigger"
- ]
- },
- "solaris": {
- "cappedCPU": {},
- "cappedMemory": {}
- }
- }