
  [%# Template Toolkit source for an OCI runtime config.json consumed by runc (args run /rbm/run, hostname "runc", netns named rbm-...). The template directives are expanded at render time and whatever remains must be valid JSON, so notes are written as whole-directive TT comments that render to nothing. -%]
  1. {
  [%# var_p/runc_spec100 selects spec 1.0.0 (capabilities as an object of five sets, two extra maskedPaths) versus 1.0.0-rc1 (capabilities as a flat array); it presumably has to match the runc binary that will consume this file. -%]
  2. "ociVersion": "1.0.0[% IF !c("var_p/runc_spec100") %]-rc1[% END %]",
  3. "platform": {
  4. "os": "linux",
  5. "arch": "amd64"
  6. },
  7. "process": {
  8. "terminal": [% IF c("interactive") %]true[% ELSE %]false[% END %],
  [%# The build process runs as uid 0 / gid 0. No "user" namespace appears in linux.namespaces below, so this is the host's uid 0; its reach is bounded by the capability sets, noNewPrivileges, the device-cgroup deny rule and the masked/read-only paths, not by uid mapping. No seccomp profile is configured in this file. -%]
  9. "user": {
  10. "uid": 0,
  11. "gid": 0
  12. },
  13. "args": [
  14. "/rbm/run"
  15. ],
  16. "env": [
  17. "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
  18. "TERM=xterm"
  19. ],
  20. "cwd": "/",
  [%# Capability lists: the same list is repeated for every set (bounding, effective, inheritable, permitted, ambient) on the 1.0.0 path and once on the rc1 path; keep all six copies in sync when editing. CAP_SYS_ADMIN is opt-in via var/container/CAP_SYS_ADMIN and should stay off unless a build step demonstrably needs it: it is the broadest single capability (mount, many privileged ioctls) and the one most container escapes rely on. -%]
  21. [% IF c("var_p/runc_spec100") -%]
  22. "capabilities": {
  23. "bounding": [
  24. "CAP_AUDIT_WRITE",
  25. "CAP_KILL",
  26. "CAP_NET_BIND_SERVICE",
  27. "CAP_SETGID",
  28. "CAP_SETUID",
  29. "CAP_MKNOD",
  30. "CAP_SYS_CHROOT",
  31. [% IF c("var/container/CAP_SYS_ADMIN") -%]
  32. "CAP_SYS_ADMIN",
  33. [% END -%]
  34. "CAP_FSETID",
  35. "CAP_FOWNER",
  36. "CAP_DAC_OVERRIDE",
  37. "CAP_CHOWN"
  38. ],
  39. "effective": [
  40. "CAP_AUDIT_WRITE",
  41. "CAP_KILL",
  42. "CAP_NET_BIND_SERVICE",
  43. "CAP_SETGID",
  44. "CAP_SETUID",
  45. "CAP_MKNOD",
  46. "CAP_SYS_CHROOT",
  47. [% IF c("var/container/CAP_SYS_ADMIN") -%]
  48. "CAP_SYS_ADMIN",
  49. [% END -%]
  50. "CAP_FSETID",
  51. "CAP_FOWNER",
  52. "CAP_DAC_OVERRIDE",
  53. "CAP_CHOWN"
  54. ],
  55. "inheritable": [
  56. "CAP_AUDIT_WRITE",
  57. "CAP_KILL",
  58. "CAP_NET_BIND_SERVICE",
  59. "CAP_SETGID",
  60. "CAP_SETUID",
  61. "CAP_MKNOD",
  62. "CAP_SYS_CHROOT",
  63. [% IF c("var/container/CAP_SYS_ADMIN") -%]
  64. "CAP_SYS_ADMIN",
  65. [% END -%]
  66. "CAP_FSETID",
  67. "CAP_FOWNER",
  68. "CAP_DAC_OVERRIDE",
  69. "CAP_CHOWN"
  70. ],
  71. "permitted": [
  72. "CAP_AUDIT_WRITE",
  73. "CAP_KILL",
  74. "CAP_NET_BIND_SERVICE",
  75. "CAP_SETGID",
  76. "CAP_SETUID",
  77. "CAP_MKNOD",
  78. "CAP_SYS_CHROOT",
  79. [% IF c("var/container/CAP_SYS_ADMIN") -%]
  80. "CAP_SYS_ADMIN",
  81. [% END -%]
  82. "CAP_FSETID",
  83. "CAP_FOWNER",
  84. "CAP_DAC_OVERRIDE",
  85. "CAP_CHOWN"
  86. ],
  87. "ambient": [
  88. "CAP_AUDIT_WRITE",
  89. "CAP_KILL",
  90. "CAP_NET_BIND_SERVICE",
  91. "CAP_SETGID",
  92. "CAP_SETUID",
  93. "CAP_MKNOD",
  94. "CAP_SYS_CHROOT",
  95. [% IF c("var/container/CAP_SYS_ADMIN") -%]
  96. "CAP_SYS_ADMIN",
  97. [% END -%]
  98. "CAP_FSETID",
  99. "CAP_FOWNER",
  100. "CAP_DAC_OVERRIDE",
  101. "CAP_CHOWN"
  102. ]
  103. },
  104. [% ELSE -%]
  105. "capabilities": [
  106. "CAP_AUDIT_WRITE",
  107. "CAP_KILL",
  108. "CAP_NET_BIND_SERVICE",
  109. "CAP_SETGID",
  110. "CAP_SETUID",
  111. "CAP_MKNOD",
  112. "CAP_SYS_CHROOT",
  113. [% IF c("var/container/CAP_SYS_ADMIN") -%]
  114. "CAP_SYS_ADMIN",
  115. [% END -%]
  116. "CAP_FSETID",
  117. "CAP_FOWNER",
  118. "CAP_DAC_OVERRIDE",
  119. "CAP_CHOWN"
  120. ],
  121. [% END -%]
  [%# Per-process fd limit pinned to 1024 (hard and soft). -%]
  122. "rlimits": [
  123. {
  124. "type": "RLIMIT_NOFILE",
  125. "hard": 1024,
  126. "soft": 1024
  127. }
  128. ],
  [%# noNewPrivileges stops execve from granting privilege through setuid/setgid bits or file capabilities inside the container. -%]
  129. "noNewPrivileges": true
  130. },
  [%# rootfs stays writable (readonly: false), presumably because the build writes into the container tree. -%]
  131. "root": {
  132. "path": "rootfs",
  133. "readonly": false
  134. },
  135. "hostname": "runc",
  [%# Mounts: a fresh proc; the host's /etc/resolv.conf bind-mounted read-only; /dev is a private tmpfs mounted nosuid but not noexec; /dev/pts, /dev/shm and /dev/mqueue are new instances with nosuid,noexec; /sys and /sys/fs/cgroup are read-only. -%]
  136. "mounts": [
  137. {
  138. "destination": "/proc",
  139. "type": "proc",
  140. "source": "proc"
  141. },
  142. {
  143. "type": "bind",
  144. "source": "/etc/resolv.conf",
  145. "destination": "/etc/resolv.conf",
  146. "options": [
  147. "rbind",
  148. "ro"
  149. ]
  150. },
  151. {
  152. "destination": "/dev",
  153. "type": "tmpfs",
  154. "source": "tmpfs",
  155. "options": [
  156. "nosuid",
  157. "strictatime",
  158. "mode=755",
  159. "size=65536k"
  160. ]
  161. },
  162. {
  163. "destination": "/dev/pts",
  164. "type": "devpts",
  165. "source": "devpts",
  166. "options": [
  167. "nosuid",
  168. "noexec",
  169. "newinstance",
  170. "ptmxmode=0666",
  171. "mode=0620",
  172. "gid=5"
  173. ]
  174. },
  175. {
  176. "destination": "/dev/shm",
  177. "type": "tmpfs",
  178. "source": "shm",
  179. "options": [
  180. "nosuid",
  181. "noexec",
  182. "nodev",
  183. "mode=1777",
  184. "size=65536k"
  185. ]
  186. },
  187. {
  188. "destination": "/dev/mqueue",
  189. "type": "mqueue",
  190. "source": "mqueue",
  191. "options": [
  192. "nosuid",
  193. "noexec",
  194. "nodev"
  195. ]
  196. },
  197. {
  198. "destination": "/sys",
  199. "type": "sysfs",
  200. "source": "sysfs",
  201. "options": [
  202. "nosuid",
  203. "noexec",
  204. "nodev",
  205. "ro"
  206. ]
  207. },
  208. {
  209. "destination": "/sys/fs/cgroup",
  210. "type": "cgroup",
  211. "source": "cgroup",
  212. "options": [
  213. "nosuid",
  214. "noexec",
  215. "nodev",
  216. "relatime",
  217. "ro"
  218. ]
  219. }
  220. ],
  221. "hooks": {},
  222. "linux": {
  223. "resources": {
  [%# Device cgroup: a single deny-all (rwm) rule and no allow entries. -%]
  224. "devices": [
  225. {
  226. "allow": false,
  227. "access": "rwm"
  228. }
  229. ]
  230. },
  [%# Always new pid, ipc, uts and mount namespaces. A network namespace is joined only when var/container/disable_network/<exec_name> is set, and then it is the pre-existing one at /var/run/netns/rbm-<sha256(build_id)>, which is expected to exist before runc starts; otherwise no network namespace is listed, so the container shares the runtime's (host) network stack. sha256() is called with error_if_undef so rendering aborts instead of emitting a path for an undefined build_id. -%]
  231. "namespaces": [
  232. {
  233. "type": "pid"
  234. },
  235. {
  236. "type": "ipc"
  237. },
  238. {
  239. "type": "uts"
  240. },
  241. [% IF c("var/container/disable_network/" _ c("exec_name")) -%]
  242. {
  243. "type": "network",
  244. "path": "/var/run/netns/rbm-[% sha256(c("build_id", { error_if_undef => 1 })) %]"
  245. },
  246. [% END -%]
  247. {
  248. "type": "mount"
  249. }
  250. ],
  [%# Kernel-information paths hidden from the container. /proc/timer_list and /sys/firmware are only masked on the 1.0.0 path; the rc1 path leaves them visible. -%]
  251. "maskedPaths": [
  252. "/proc/kcore",
  253. "/proc/latency_stats",
  254. "/proc/timer_stats",
  255. [% IF c("var_p/runc_spec100") -%]
  256. "/proc/timer_list",
  257. "/sys/firmware",
  258. [% END -%]
  259. "/proc/sched_debug"
  260. ],
  [%# Read-only views of proc entries that could otherwise affect the host (notably /proc/sys and /proc/sysrq-trigger). -%]
  261. "readonlyPaths": [
  262. "/proc/asound",
  263. "/proc/bus",
  264. "/proc/fs",
  265. "/proc/irq",
  266. "/proc/sys",
  267. "/proc/sysrq-trigger"
  268. ]
  269. },
  [%# Inert for platform.os = linux; presumably kept so the file carries the spec's full shape. -%]
  270. "solaris": {
  271. "cappedCPU": {},
  272. "cappedMemory": {}
  273. }
  274. }