spec

package
v6.4.2
Published: Aug 17, 2020 License: Apache-2.0 Imports: 6 Imported by: 0

Constants

// SuperuserPath is the PATH entry, already in the "KEY=VALUE" form used for
// a process environment, given to processes that run as the superuser. It
// is the conventional root search path, sbin directories included.
const SuperuserPath = "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

// Path is the PATH entry for all other processes: the same search order as
// SuperuserPath with the sbin directories left out.
const Path = "PATH=/usr/local/bin:/usr/bin:/bin"

Variables

var (
	// PrivilegedContainerCapabilities is the capability set given to a
	// privileged container. Effective, Bounding, Inheritable and Permitted
	// are all the same privilegedCaps slice (declared elsewhere in this
	// package); Ambient is left at its zero value.
	//
	// Because the four fields share one backing array, mutating any of them
	// through this exported variable changes all four. Treat the value as
	// read-only policy data.
	PrivilegedContainerCapabilities = specs.LinuxCapabilities{
		Effective:   privilegedCaps,
		Bounding:    privilegedCaps,
		Inheritable: privilegedCaps,
		Permitted:   privilegedCaps,
	}

	// UnprivilegedContainerCapabilities has the same shape, built from
	// unprivilegedCaps, the reduced list for unprivileged containers.
	//
	// NOTE(review): with Ambient unset, a process that is not uid 0 in the
	// container's user namespace does not keep these capabilities across
	// execve unless the binary carries file capabilities — that is the usual
	// Linux rule, not something this file enforces. Confirm it matches how
	// the init process and task processes are started.
	UnprivilegedContainerCapabilities = specs.LinuxCapabilities{
		Effective:   unprivilegedCaps,
		Bounding:    unprivilegedCaps,
		Inheritable: unprivilegedCaps,
		Permitted:   unprivilegedCaps,
	}
)
var (
	// AnyContainerDevices is the device-cgroup allow-list applied to every
	// container, privileged or not. The runtime presumably applies rules in
	// list order (for the cgroup v1 devices controller the order is
	// significant), so the broad mknod-only rules come first and the
	// per-device "rwm" rules after them.
	//
	// The major:minor pairs below are the standard Linux device-number
	// allocations; the device names in the comments are what those numbers
	// conventionally denote, not something this file verifies.
	AnyContainerDevices = []specs.LinuxDeviceCgroup{

		// Allow mknod for any character or block device. Access "m" only
		// permits creating the node; it grants no read or write on it.
		{Access: "m", Type: "c", Major: deviceWildcard(), Minor: deviceWildcard(), Allow: true},
		{Access: "m", Type: "b", Major: deviceWildcard(), Minor: deviceWildcard(), Allow: true},

		// Full read/write/mknod access to the usual pseudo-devices.
		// 1:3 /dev/null
		{Access: "rwm", Type: "c", Major: intRef(1), Minor: intRef(3), Allow: true},
		// 1:8 /dev/random
		{Access: "rwm", Type: "c", Major: intRef(1), Minor: intRef(8), Allow: true},
		// 1:7 /dev/full
		{Access: "rwm", Type: "c", Major: intRef(1), Minor: intRef(7), Allow: true},
		// 5:0 /dev/tty
		{Access: "rwm", Type: "c", Major: intRef(5), Minor: intRef(0), Allow: true},
		// 1:5 /dev/zero
		{Access: "rwm", Type: "c", Major: intRef(1), Minor: intRef(5), Allow: true},
		// 1:9 /dev/urandom
		{Access: "rwm", Type: "c", Major: intRef(1), Minor: intRef(9), Allow: true},
		// 5:1 /dev/console
		{Access: "rwm", Type: "c", Major: intRef(5), Minor: intRef(1), Allow: true},
		// 136:* /dev/pts/* (every pty slave)
		{Access: "rwm", Type: "c", Major: intRef(136), Minor: deviceWildcard(), Allow: true},
		// 5:2 /dev/ptmx
		{Access: "rwm", Type: "c", Major: intRef(5), Minor: intRef(2), Allow: true},
		// 10:200 /dev/net/tun
		{Access: "rwm", Type: "c", Major: intRef(10), Minor: intRef(200), Allow: true},

		// 10:229 /dev/fuse.
		// NOTE(review): tun and fuse are granted to unprivileged containers
		// as well, since this list is not split by privilege; confirm that
		// is intended.
		{Access: "rwm", Type: "c", Major: intRef(10), Minor: intRef(229), Allow: true},
	}

	// PrivilegedOnlyDevices is a single deny rule with no Type, Major or
	// Minor. runc's spec conversion treats an empty Type as "all" and a nil
	// Major/Minor as wildcards, so this reads as "deny everything"; where
	// and in which position callers combine it with AnyContainerDevices is
	// not visible in this file, so check the caller before relying on it.
	// Despite the name, nothing here restricts it to privileged containers.
	PrivilegedOnlyDevices = []specs.LinuxDeviceCgroup{
		{Allow: false, Access: "rwm"},
	}
)
var (
	// InitMount bind-mounts the worker's init helper from the host into the
	// container at /tmp/gdn-init (presumably to be run as the container's
	// init process; the process spec is built elsewhere).
	//
	// NOTE(review): Options is only "bind" — there is no "ro". Privileged
	// containers run without a user namespace (see
	// PrivilegedContainerNamespaces), so a root process in one can write to
	// the host file /usr/local/concourse/bin/init through this mount if the
	// host permissions allow it, and that binary is then mounted into every
	// later container. Adding "ro" to Options would close that path;
	// confirm first that nothing needs to write to /tmp/gdn-init.
	InitMount = specs.Mount{
		Source:      "/usr/local/concourse/bin/init",
		Destination: "/tmp/gdn-init",
		Type:        "bind",
		Options:     []string{"bind"},
	}

	// AnyContainerMounts is the fixed mount table applied to every
	// container; caller-supplied bind mounts come from OciSpecBindMounts.
	// Entries are in mount order and the order matters: /dev must be
	// mounted before /dev/pts, /dev/shm and /dev/mqueue, and /sys before
	// /sys/fs/cgroup.
	AnyContainerMounts = []specs.Mount{
		InitMount,

		// procfs with no setuid, exec or device nodes. Any masking of
		// sensitive /proc entries happens outside this table.
		{
			Destination: "/proc",
			Type:        "proc",
			Source:      "proc",
			Options:     []string{"nosuid", "noexec", "nodev"},
		},
		// /dev as a 64 MiB tmpfs. These are the runc example-spec options;
		// note there is no "noexec", so /dev is a writable, executable
		// location inside the container.
		{
			Destination: "/dev",
			Type:        "tmpfs",
			Source:      "tmpfs",
			Options:     []string{"nosuid", "strictatime", "mode=755", "size=65536k"},
		},
		// A private devpts instance: ptmx mode 0666 so any user can open a
		// new pty, slaves mode 0620 owned by gid 5 (conventionally "tty").
		{
			Destination: "/dev/pts",
			Type:        "devpts",
			Source:      "devpts",
			Options:     []string{"nosuid", "noexec", "newinstance", "ptmxmode=0666", "mode=0620", "gid=5"},
		},
		// World-writable sticky 64 MiB shared memory, no exec or devices.
		{
			Destination: "/dev/shm",
			Type:        "tmpfs",
			Source:      "shm",
			Options:     []string{"nosuid", "noexec", "nodev", "mode=1777", "size=65536k"},
		},
		// POSIX message queues, no setuid, exec or device nodes.
		{
			Destination: "/dev/mqueue",
			Type:        "mqueue",
			Source:      "mqueue",
			Options:     []string{"nosuid", "noexec", "nodev"},
		},
		// sysfs, read-only.
		{
			Destination: "/sys",
			Type:        "sysfs",
			Source:      "sysfs",
			Options:     []string{"nosuid", "noexec", "nodev", "ro"},
		},
		// Read-only view of the cgroup hierarchy.
		{
			Destination: "/sys/fs/cgroup",
			Type:        "cgroup",
			Source:      "cgroup",
			Options:     []string{"ro", "nosuid", "noexec", "nodev"},
		},
		// /run as a 64 MiB tmpfs; like /dev it has no "noexec".
		{
			Destination: "/run",
			Type:        "tmpfs",
			Source:      "tmpfs",
			Options:     []string{"nosuid", "strictatime", "mode=755", "size=65536k"},
		},
	}
)
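var (
	// PrivilegedContainerNamespaces are the namespaces created for a
	// privileged container: pid, ipc, uts, mount and network. No user
	// namespace is requested, so uid 0 inside a privileged container is
	// uid 0 on the host. Neither this list nor the unprivileged one asks
	// for a cgroup namespace (specs.CgroupNamespace); consider whether that
	// is wanted given that /sys/fs/cgroup is mounted into the container.
	PrivilegedContainerNamespaces = []specs.LinuxNamespace{
		{Type: specs.PIDNamespace},
		{Type: specs.IPCNamespace},
		{Type: specs.UTSNamespace},
		{Type: specs.MountNamespace},
		{Type: specs.NetworkNamespace},
	}

	// UnprivilegedContainerNamespaces is the privileged list plus a user
	// namespace; OciIDMappings supplies the uid/gid mappings for it.
	//
	// It is built from an explicit copy rather than by append-ing to
	// PrivilegedContainerNamespaces directly: append only allocates a new
	// backing array when the source has no spare capacity, so the direct
	// form would silently alias the two exported policy slices as soon as
	// PrivilegedContainerNamespaces were ever given extra capacity.
	UnprivilegedContainerNamespaces = append(
		append(
			make([]specs.LinuxNamespace, 0, len(PrivilegedContainerNamespaces)+1),
			PrivilegedContainerNamespaces...,
		),
		specs.LinuxNamespace{Type: specs.UserNamespace},
	)
)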

Functions

func AllowSyscall

func AllowSyscall(syscall string, args ...specs.LinuxSeccompArg) specs.LinuxSyscall

func OciCapabilities

func OciCapabilities(privileged bool) specs.LinuxCapabilities

func OciCgroupsPath

func OciCgroupsPath(basePath, handle string, privileged bool) string

func OciIDMappings

func OciIDMappings(privileged bool, max uint32) []specs.LinuxIDMapping

OciIDMappings returns the uid/gid mappings for the container's user namespace (`max` presumably bounds the mapped id range). Only unprivileged containers get a user namespace (see UnprivilegedContainerNamespaces), so `privileged` decides whether any mappings are needed at all.

func OciNamespaces

func OciNamespaces(privileged bool) []specs.LinuxNamespace

func OciResources

func OciResources(limits garden.Limits) *specs.LinuxResources

func OciSpec

func OciSpec(gdn garden.ContainerSpec, maxUid, maxGid uint32) (oci *specs.Spec, err error)

OciSpec converts a given `garden` container specification to an OCI spec.

func OciSpecBindMounts

func OciSpecBindMounts(bindMounts []garden.BindMount) (mounts []specs.Mount, err error)

OciSpecBindMounts converts garden bindmounts to oci spec mounts.

Types

This section is empty.
