mirror of
https://github.com/containers/youki
synced 2024-05-10 09:36:13 +02:00
Upgrade oci-spec-rs to 0.4.0 for youki
1. Fix capability type (Capability type change: Vec -> HashSet) 2. Implement functions equivalent to LinuxDeviceType::to_sflag in youki. 3. Fix crate path: use oci_spec::XXX -> use oci_spec::runtime::XXX Signed-off-by: Takashi IIGUNI <iiguni.tks@gmail.com>
This commit is contained in:
parent
3c57eabd62
commit
8d3ff9b5f2
|
@ -84,7 +84,7 @@ dependencies = [
|
|||
"dbus",
|
||||
"log",
|
||||
"nix",
|
||||
"oci_spec",
|
||||
"oci-spec",
|
||||
"procfs",
|
||||
"serde",
|
||||
"systemd",
|
||||
|
@ -578,17 +578,16 @@ dependencies = [
|
|||
]
|
||||
|
||||
[[package]]
|
||||
name = "oci_spec"
|
||||
version = "0.1.0"
|
||||
source = "git+https://github.com/containers/oci-spec-rs?rev=e0de21b89dc1e65f69a5f45a08bbe426787c7fa1#e0de21b89dc1e65f69a5f45a08bbe426787c7fa1"
|
||||
name = "oci-spec"
|
||||
version = "0.4.0"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "648c6fbe66119beec0480447679616806a100de8b8818c7458052222660b6188"
|
||||
dependencies = [
|
||||
"anyhow",
|
||||
"caps",
|
||||
"nix",
|
||||
"cfg-if 1.0.0",
|
||||
"quickcheck",
|
||||
"serde",
|
||||
"serde_json",
|
||||
"tempfile",
|
||||
"thiserror",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
|
@ -646,12 +645,6 @@ version = "0.3.19"
|
|||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "3831453b3449ceb48b6d9c7ad7c96d5ea673e9b470a1dc578c2ce6521230884c"
|
||||
|
||||
[[package]]
|
||||
name = "ppv-lite86"
|
||||
version = "0.2.10"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "ac74c624d6b2d21f425f752262f42188365d7b8ff1aff74c82e45136510a4857"
|
||||
|
||||
[[package]]
|
||||
name = "prctl"
|
||||
version = "1.0.0"
|
||||
|
@ -748,19 +741,6 @@ version = "0.8.3"
|
|||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "0ef9e7e66b4468674bfcb0c81af8b7fa0bb154fa9f28eb840da5c447baeb8d7e"
|
||||
dependencies = [
|
||||
"libc",
|
||||
"rand_chacha",
|
||||
"rand_core",
|
||||
"rand_hc",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "rand_chacha"
|
||||
version = "0.3.1"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "e6c10a63a0fa32252be49d21e7709d4d4baf8d231c2dbce1eaa8141b9b127d88"
|
||||
dependencies = [
|
||||
"ppv-lite86",
|
||||
"rand_core",
|
||||
]
|
||||
|
||||
|
@ -773,15 +753,6 @@ dependencies = [
|
|||
"getrandom",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "rand_hc"
|
||||
version = "0.3.1"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "d51e9f596de227fda2ea6c84607f5558e196eeaf43c986b724ba4fb8fdf497e7"
|
||||
dependencies = [
|
||||
"rand_core",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "redox_syscall"
|
||||
version = "0.2.9"
|
||||
|
@ -808,15 +779,6 @@ version = "0.6.25"
|
|||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "f497285884f3fcff424ffc933e56d7cbca511def0c9831a7f9b5f6153e3cc89b"
|
||||
|
||||
[[package]]
|
||||
name = "remove_dir_all"
|
||||
version = "0.5.3"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "3acd125665422973a33ac9d3dd2df85edad0f4ae9b00dafb1a05e43a9f5ef8e7"
|
||||
dependencies = [
|
||||
"winapi",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "ryu"
|
||||
version = "1.0.5"
|
||||
|
@ -831,18 +793,18 @@ checksum = "d29ab0c6d3fc0ee92fe66e2d99f700eab17a8d57d1c1d3b748380fb20baa78cd"
|
|||
|
||||
[[package]]
|
||||
name = "serde"
|
||||
version = "1.0.126"
|
||||
version = "1.0.130"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "ec7505abeacaec74ae4778d9d9328fe5a5d04253220a85c4ee022239fc996d03"
|
||||
checksum = "f12d06de37cf59146fbdecab66aa99f9fe4f78722e3607577a5375d66bd0c913"
|
||||
dependencies = [
|
||||
"serde_derive",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "serde_derive"
|
||||
version = "1.0.126"
|
||||
version = "1.0.130"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "963a7dbc9895aeac7ac90e74f34a5d5261828f79df35cbed41e10189d3804d43"
|
||||
checksum = "d7bc1a1ab1961464eae040d96713baa5a724a8152c1222492465b54322ec508b"
|
||||
dependencies = [
|
||||
"proc-macro2",
|
||||
"quote",
|
||||
|
@ -851,9 +813,9 @@ dependencies = [
|
|||
|
||||
[[package]]
|
||||
name = "serde_json"
|
||||
version = "1.0.64"
|
||||
version = "1.0.67"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "799e97dc9fdae36a5c8b8f2cae9ce2ee9fdce2058c57a93e6099d919fd982f79"
|
||||
checksum = "a7f9e390c27c3c0ce8bc5d725f6e4d30a29d26659494aa4b17535f7522c5c950"
|
||||
dependencies = [
|
||||
"itoa",
|
||||
"ryu",
|
||||
|
@ -935,20 +897,6 @@ dependencies = [
|
|||
"unicode-width",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "tempfile"
|
||||
version = "3.2.0"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "dac1c663cfc93810f88aed9b8941d48cabf856a1b111c29a40439018d870eb22"
|
||||
dependencies = [
|
||||
"cfg-if 1.0.0",
|
||||
"libc",
|
||||
"rand",
|
||||
"redox_syscall",
|
||||
"remove_dir_all",
|
||||
"winapi",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "textwrap"
|
||||
version = "0.12.1"
|
||||
|
@ -960,18 +908,18 @@ dependencies = [
|
|||
|
||||
[[package]]
|
||||
name = "thiserror"
|
||||
version = "1.0.25"
|
||||
version = "1.0.29"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "fa6f76457f59514c7eeb4e59d891395fab0b2fd1d40723ae737d64153392e9c6"
|
||||
checksum = "602eca064b2d83369e2b2f34b09c70b605402801927c65c11071ac911d299b88"
|
||||
dependencies = [
|
||||
"thiserror-impl",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "thiserror-impl"
|
||||
version = "1.0.25"
|
||||
version = "1.0.29"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "8a36768c0fbf1bb15eca10defa29526bda730a2376c2ab4393ccfa16fb1a318d"
|
||||
checksum = "bad553cc2c78e8de258400763a647e80e6d1b31ee237275d756f6836d204494c"
|
||||
dependencies = [
|
||||
"proc-macro2",
|
||||
"quote",
|
||||
|
@ -1069,7 +1017,7 @@ dependencies = [
|
|||
"log",
|
||||
"mio",
|
||||
"nix",
|
||||
"oci_spec",
|
||||
"oci-spec",
|
||||
"once_cell",
|
||||
"prctl",
|
||||
"procfs",
|
||||
|
|
|
@ -29,7 +29,7 @@ mio = { version = "0.7.13", features = ["os-ext", "os-poll"] }
|
|||
chrono = { version="0.4", features = ["serde"] }
|
||||
once_cell = "1.6.0"
|
||||
futures = { version = "0.3", features = ["thread-pool"] }
|
||||
oci_spec = { git = "https://github.com/containers/oci-spec-rs", rev = "e0de21b89dc1e65f69a5f45a08bbe426787c7fa1"}
|
||||
oci-spec = "0.4.0"
|
||||
cgroups = { version = "0.1.0", path = "./cgroups" }
|
||||
systemd = { version = "0.8", default-features = false, optional = true }
|
||||
dbus = "0.9.2"
|
||||
|
@ -38,9 +38,9 @@ fastrand = "1.4.1"
|
|||
crossbeam-channel = "0.5"
|
||||
|
||||
[dev-dependencies]
|
||||
oci_spec = { git = "https://github.com/containers/oci-spec-rs", rev = "e0de21b89dc1e65f69a5f45a08bbe426787c7fa1", features = ["proptests"]}
|
||||
oci-spec = { version = "0.4.0", features = ["proptests"] }
|
||||
quickcheck = "1"
|
||||
serial_test = "0.5.1"
|
||||
|
||||
[profile.release]
|
||||
lto = true
|
||||
lto = true
|
||||
|
|
|
@ -1,19 +1,117 @@
|
|||
//! Handles Management of Capabilities
|
||||
use crate::syscall::Syscall;
|
||||
use caps::Capability as CapsCapability;
|
||||
use caps::*;
|
||||
|
||||
use anyhow::Result;
|
||||
use oci_spec::LinuxCapabilities;
|
||||
use oci_spec::runtime::{Capabilities, Capability as SpecCapability, LinuxCapabilities};
|
||||
|
||||
/// Converts a list of capability types to capabilities has set
|
||||
fn to_set(caps: &[Capability]) -> CapsHashSet {
|
||||
fn to_set(caps: &Capabilities) -> CapsHashSet {
|
||||
let mut capabilities = CapsHashSet::new();
|
||||
|
||||
for c in caps {
|
||||
capabilities.insert(*c);
|
||||
let cap = to_cap(*c);
|
||||
capabilities.insert(cap);
|
||||
}
|
||||
capabilities
|
||||
}
|
||||
|
||||
/// Convert oci::runtime::Capability to caps::Capability
|
||||
pub fn to_cap(cap: SpecCapability) -> caps::Capability {
|
||||
match cap {
|
||||
SpecCapability::AuditControl => CapsCapability::CAP_AUDIT_CONTROL,
|
||||
SpecCapability::AuditRead => CapsCapability::CAP_AUDIT_READ,
|
||||
SpecCapability::AuditWrite => CapsCapability::CAP_AUDIT_WRITE,
|
||||
SpecCapability::BlockSuspend => CapsCapability::CAP_BLOCK_SUSPEND,
|
||||
SpecCapability::Bpf => CapsCapability::CAP_BPF,
|
||||
SpecCapability::CheckpointRestore => CapsCapability::CAP_CHECKPOINT_RESTORE,
|
||||
SpecCapability::Chown => CapsCapability::CAP_CHOWN,
|
||||
SpecCapability::DacOverride => CapsCapability::CAP_DAC_OVERRIDE,
|
||||
SpecCapability::DacReadSearch => CapsCapability::CAP_DAC_READ_SEARCH,
|
||||
SpecCapability::Fowner => CapsCapability::CAP_FOWNER,
|
||||
SpecCapability::Fsetid => CapsCapability::CAP_FSETID,
|
||||
SpecCapability::IpcLock => CapsCapability::CAP_IPC_LOCK,
|
||||
SpecCapability::IpcOwner => CapsCapability::CAP_IPC_OWNER,
|
||||
SpecCapability::Kill => CapsCapability::CAP_KILL,
|
||||
SpecCapability::Lease => CapsCapability::CAP_LEASE,
|
||||
SpecCapability::LinuxImmutable => CapsCapability::CAP_LINUX_IMMUTABLE,
|
||||
SpecCapability::MacAdmin => CapsCapability::CAP_MAC_ADMIN,
|
||||
SpecCapability::MacOverride => CapsCapability::CAP_MAC_OVERRIDE,
|
||||
SpecCapability::Mknod => CapsCapability::CAP_MKNOD,
|
||||
SpecCapability::NetAdmin => CapsCapability::CAP_NET_ADMIN,
|
||||
SpecCapability::NetBindService => CapsCapability::CAP_NET_BIND_SERVICE,
|
||||
SpecCapability::NetBroadcast => CapsCapability::CAP_NET_BROADCAST,
|
||||
SpecCapability::NetRaw => CapsCapability::CAP_NET_RAW,
|
||||
SpecCapability::Perfmon => CapsCapability::CAP_PERFMON,
|
||||
SpecCapability::Setgid => CapsCapability::CAP_SETGID,
|
||||
SpecCapability::Setfcap => CapsCapability::CAP_SETFCAP,
|
||||
SpecCapability::Setpcap => CapsCapability::CAP_SETPCAP,
|
||||
SpecCapability::Setuid => CapsCapability::CAP_SETUID,
|
||||
SpecCapability::SysAdmin => CapsCapability::CAP_SYS_ADMIN,
|
||||
SpecCapability::SysBoot => CapsCapability::CAP_SYS_BOOT,
|
||||
SpecCapability::SysChroot => CapsCapability::CAP_SYS_CHROOT,
|
||||
SpecCapability::SysModule => CapsCapability::CAP_SYS_MODULE,
|
||||
SpecCapability::SysNice => CapsCapability::CAP_SYS_NICE,
|
||||
SpecCapability::SysPacct => CapsCapability::CAP_SYS_PACCT,
|
||||
SpecCapability::SysPtrace => CapsCapability::CAP_SYS_PTRACE,
|
||||
SpecCapability::SysRawio => CapsCapability::CAP_SYS_RAWIO,
|
||||
SpecCapability::SysResource => CapsCapability::CAP_SYS_RESOURCE,
|
||||
SpecCapability::SysTime => CapsCapability::CAP_SYS_TIME,
|
||||
SpecCapability::SysTtyConfig => CapsCapability::CAP_SYS_TTY_CONFIG,
|
||||
SpecCapability::Syslog => CapsCapability::CAP_SYSLOG,
|
||||
SpecCapability::WakeAlarm => CapsCapability::CAP_WAKE_ALARM,
|
||||
}
|
||||
}
|
||||
|
||||
/// Convert oci::runtime::Capability to caps::Capability
|
||||
pub fn from_cap(c: CapsCapability) -> SpecCapability {
|
||||
match c {
|
||||
CapsCapability::CAP_AUDIT_CONTROL => SpecCapability::AuditControl,
|
||||
CapsCapability::CAP_AUDIT_READ => SpecCapability::AuditRead,
|
||||
CapsCapability::CAP_AUDIT_WRITE => SpecCapability::AuditWrite,
|
||||
CapsCapability::CAP_BLOCK_SUSPEND => SpecCapability::BlockSuspend,
|
||||
CapsCapability::CAP_BPF => SpecCapability::Bpf,
|
||||
CapsCapability::CAP_CHECKPOINT_RESTORE => SpecCapability::CheckpointRestore,
|
||||
CapsCapability::CAP_CHOWN => SpecCapability::Chown,
|
||||
CapsCapability::CAP_DAC_OVERRIDE => SpecCapability::DacOverride,
|
||||
CapsCapability::CAP_DAC_READ_SEARCH => SpecCapability::DacReadSearch,
|
||||
CapsCapability::CAP_FOWNER => SpecCapability::Fowner,
|
||||
CapsCapability::CAP_FSETID => SpecCapability::Fsetid,
|
||||
CapsCapability::CAP_IPC_LOCK => SpecCapability::IpcLock,
|
||||
CapsCapability::CAP_IPC_OWNER => SpecCapability::IpcOwner,
|
||||
CapsCapability::CAP_KILL => SpecCapability::Kill,
|
||||
CapsCapability::CAP_LEASE => SpecCapability::Lease,
|
||||
CapsCapability::CAP_LINUX_IMMUTABLE => SpecCapability::LinuxImmutable,
|
||||
CapsCapability::CAP_MAC_ADMIN => SpecCapability::MacAdmin,
|
||||
CapsCapability::CAP_MAC_OVERRIDE => SpecCapability::MacOverride,
|
||||
CapsCapability::CAP_MKNOD => SpecCapability::Mknod,
|
||||
CapsCapability::CAP_NET_ADMIN => SpecCapability::NetAdmin,
|
||||
CapsCapability::CAP_NET_BIND_SERVICE => SpecCapability::NetBindService,
|
||||
CapsCapability::CAP_NET_BROADCAST => SpecCapability::NetBroadcast,
|
||||
CapsCapability::CAP_NET_RAW => SpecCapability::NetRaw,
|
||||
CapsCapability::CAP_PERFMON => SpecCapability::Perfmon,
|
||||
CapsCapability::CAP_SETGID => SpecCapability::Setgid,
|
||||
CapsCapability::CAP_SETFCAP => SpecCapability::Setfcap,
|
||||
CapsCapability::CAP_SETPCAP => SpecCapability::Setpcap,
|
||||
CapsCapability::CAP_SETUID => SpecCapability::Setuid,
|
||||
CapsCapability::CAP_SYS_ADMIN => SpecCapability::SysAdmin,
|
||||
CapsCapability::CAP_SYS_BOOT => SpecCapability::SysBoot,
|
||||
CapsCapability::CAP_SYS_CHROOT => SpecCapability::SysChroot,
|
||||
CapsCapability::CAP_SYS_MODULE => SpecCapability::SysModule,
|
||||
CapsCapability::CAP_SYS_NICE => SpecCapability::SysNice,
|
||||
CapsCapability::CAP_SYS_PACCT => SpecCapability::SysPacct,
|
||||
CapsCapability::CAP_SYS_PTRACE => SpecCapability::SysPtrace,
|
||||
CapsCapability::CAP_SYS_RAWIO => SpecCapability::SysRawio,
|
||||
CapsCapability::CAP_SYS_RESOURCE => SpecCapability::SysResource,
|
||||
CapsCapability::CAP_SYS_TIME => SpecCapability::SysTime,
|
||||
CapsCapability::CAP_SYS_TTY_CONFIG => SpecCapability::SysTtyConfig,
|
||||
CapsCapability::CAP_SYSLOG => SpecCapability::Syslog,
|
||||
CapsCapability::CAP_WAKE_ALARM => SpecCapability::WakeAlarm,
|
||||
CapsCapability::__Nonexhaustive => unreachable!("invalid capability"),
|
||||
}
|
||||
}
|
||||
|
||||
/// reset capabilities of process calling this to effective capabilities
|
||||
/// effective capability set is set of capabilities used by kernel to perform checks
|
||||
/// see https://man7.org/linux/man-pages/man7/capabilities.7.html for more information
|
||||
|
@ -68,4 +166,12 @@ mod tests {
|
|||
.collect();
|
||||
assert_eq!(set_capability_args, vec![caps::all()]);
|
||||
}
|
||||
|
||||
#[test]
|
||||
fn test_convert_oci_spec_to_caps_type() {
|
||||
let chown = oci_spec::runtime::Capability::Chown;
|
||||
|
||||
let cap = to_cap(chown);
|
||||
assert_eq!(cap, Capability::CAP_CHOWN);
|
||||
}
|
||||
}
|
||||
|
|
|
@ -44,7 +44,7 @@ impl Delete {
|
|||
if container.root.exists() {
|
||||
let config_absolute_path = container.root.join("config.json");
|
||||
log::debug!("load spec from {:?}", config_absolute_path);
|
||||
let spec = oci_spec::Spec::load(config_absolute_path)?;
|
||||
let spec = oci_spec::runtime::Spec::load(config_absolute_path)?;
|
||||
log::debug!("spec: {:?}", spec);
|
||||
|
||||
// remove the directory storing container state
|
||||
|
|
|
@ -9,7 +9,7 @@ use crate::container::Container;
|
|||
use crate::container::ContainerStatus;
|
||||
use crate::utils;
|
||||
use cgroups;
|
||||
use oci_spec::FreezerState;
|
||||
use cgroups::common::FreezerState;
|
||||
|
||||
/// Structure to implement pause command
|
||||
#[derive(Clap, Debug)]
|
||||
|
|
|
@ -25,7 +25,7 @@ impl Ps {
|
|||
if container.root.exists() {
|
||||
let config_absolute_path = container.root.join("config.json");
|
||||
log::debug!("load spec from {:?}", config_absolute_path);
|
||||
let spec = oci_spec::Spec::load(config_absolute_path)?;
|
||||
let spec = oci_spec::runtime::Spec::load(config_absolute_path)?;
|
||||
log::debug!("spec: {:?}", spec);
|
||||
let cgroups_path = utils::get_cgroup_path(
|
||||
&spec.linux.context("no linux in spec")?.cgroups_path,
|
||||
|
|
|
@ -9,7 +9,7 @@ use crate::container::Container;
|
|||
use crate::container::ContainerStatus;
|
||||
use crate::utils;
|
||||
use cgroups;
|
||||
use oci_spec::FreezerState;
|
||||
use cgroups::common::FreezerState;
|
||||
|
||||
/// Structure to implement resume command
|
||||
#[derive(Clap, Debug)]
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
use anyhow::Result;
|
||||
use clap::Clap;
|
||||
use oci_spec::Spec;
|
||||
use oci_spec::runtime::Spec;
|
||||
use serde_json::to_writer_pretty;
|
||||
use std::fs::File;
|
||||
|
||||
|
|
|
@ -37,7 +37,7 @@ impl Start {
|
|||
}
|
||||
|
||||
let spec_path = container.root.join("config.json");
|
||||
let spec = oci_spec::Spec::load(spec_path).context("failed to load spec")?;
|
||||
let spec = oci_spec::runtime::Spec::load(spec_path).context("failed to load spec")?;
|
||||
if let Some(hooks) = spec.hooks.as_ref() {
|
||||
// While prestart is marked as deprecated in the OCI spec, the docker and integration test still
|
||||
// uses it.
|
||||
|
|
|
@ -8,7 +8,7 @@ use crate::{
|
|||
};
|
||||
use anyhow::{Context, Result};
|
||||
use cgroups;
|
||||
use oci_spec::Spec;
|
||||
use oci_spec::runtime::Spec;
|
||||
use std::{fs, os::unix::prelude::RawFd, path::PathBuf};
|
||||
|
||||
use super::{Container, ContainerStatus};
|
||||
|
@ -123,9 +123,14 @@ impl<'a> ContainerBuilderImpl<'a> {
|
|||
cmanager
|
||||
.add_task(init_pid)
|
||||
.context("Failed to add tasks to cgroup manager")?;
|
||||
|
||||
if self.rootless.is_none() && linux.resources.is_some() && self.init {
|
||||
let controller_opt = cgroups::common::ControllerOpt {
|
||||
resources: linux.resources.clone().unwrap(),
|
||||
..Default::default()
|
||||
};
|
||||
cmanager
|
||||
.apply(linux.resources.as_ref().unwrap())
|
||||
.apply(&controller_opt)
|
||||
.context("Failed to apply resource limits through cgroup")?;
|
||||
}
|
||||
|
||||
|
|
|
@ -8,7 +8,7 @@ use chrono::DateTime;
|
|||
use nix::unistd::Pid;
|
||||
|
||||
use chrono::Utc;
|
||||
use oci_spec::Spec;
|
||||
use oci_spec::runtime::Spec;
|
||||
use procfs::process::Process;
|
||||
|
||||
use crate::syscall::syscall::create_syscall;
|
||||
|
@ -197,6 +197,7 @@ impl Container {
|
|||
}
|
||||
|
||||
pub fn spec(&self) -> Result<Spec> {
|
||||
Spec::load(self.root.join("config.json"))
|
||||
let spec = Spec::load(self.root.join("config.json"))?;
|
||||
Ok(spec)
|
||||
}
|
||||
}
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
use anyhow::{bail, Context, Result};
|
||||
use nix::unistd;
|
||||
use oci_spec::Spec;
|
||||
use oci_spec::runtime::Spec;
|
||||
use rootless::detect_rootless;
|
||||
use std::{
|
||||
fs,
|
||||
|
@ -99,7 +99,7 @@ impl InitContainerBuilder {
|
|||
|
||||
fn load_spec(&self) -> Result<Spec> {
|
||||
let source_spec_path = self.bundle.join("config.json");
|
||||
let mut spec = oci_spec::Spec::load(&source_spec_path)?;
|
||||
let mut spec = Spec::load(&source_spec_path)?;
|
||||
if !spec.version.starts_with("1.0") {
|
||||
bail!(
|
||||
"runtime spec has incompatible version '{}'. Only 1.0.X is supported",
|
||||
|
@ -110,7 +110,7 @@ impl InitContainerBuilder {
|
|||
Ok(spec)
|
||||
}
|
||||
|
||||
fn save_spec(&self, spec: &oci_spec::Spec, container_dir: &Path) -> Result<()> {
|
||||
fn save_spec(&self, spec: &Spec, container_dir: &Path) -> Result<()> {
|
||||
let target_spec_path = container_dir.join("config.json");
|
||||
spec.save(target_spec_path)?;
|
||||
Ok(())
|
||||
|
|
|
@ -1,7 +1,10 @@
|
|||
use anyhow::{bail, Context, Result};
|
||||
use caps::Capability;
|
||||
use nix::unistd;
|
||||
use oci_spec::{LinuxCapabilities, LinuxNamespace, LinuxNamespaceType, Process, Spec};
|
||||
use oci_spec::runtime::{
|
||||
Capabilities as SpecCapabilities, LinuxCapabilities, LinuxNamespace, LinuxNamespaceType,
|
||||
Process, Spec,
|
||||
};
|
||||
|
||||
use std::{
|
||||
collections::HashMap,
|
||||
|
@ -13,6 +16,7 @@ use std::{
|
|||
str::FromStr,
|
||||
};
|
||||
|
||||
use crate::capabilities::from_cap;
|
||||
use crate::{notify_socket::NotifySocket, rootless::detect_rootless, tty, utils};
|
||||
|
||||
use super::{builder::ContainerBuilder, builder_impl::ContainerBuilderImpl, Container};
|
||||
|
@ -136,7 +140,7 @@ impl TenantContainerBuilder {
|
|||
fn load_init_spec(&self, container_dir: &Path) -> Result<Spec> {
|
||||
let spec_path = container_dir.join("config.json");
|
||||
|
||||
let spec = oci_spec::Spec::load(spec_path).context("failed to load spec")?;
|
||||
let spec = Spec::load(spec_path).context("failed to load spec")?;
|
||||
Ok(spec)
|
||||
}
|
||||
|
||||
|
@ -196,8 +200,7 @@ impl TenantContainerBuilder {
|
|||
);
|
||||
}
|
||||
|
||||
spec.process.as_mut().context("no process in spec")?.cwd =
|
||||
cwd.to_string_lossy().to_string();
|
||||
spec.process.as_mut().context("no process in spec")?.cwd = cwd.to_path_buf();
|
||||
}
|
||||
|
||||
Ok(())
|
||||
|
@ -247,6 +250,8 @@ impl TenantContainerBuilder {
|
|||
caps.push(Capability::from_str(cap)?);
|
||||
}
|
||||
|
||||
let caps: SpecCapabilities = caps.iter().map(|c| from_cap(*c)).collect();
|
||||
|
||||
if let Some(ref mut spec_caps) = spec
|
||||
.process
|
||||
.as_mut()
|
||||
|
@ -257,27 +262,27 @@ impl TenantContainerBuilder {
|
|||
.ambient
|
||||
.as_mut()
|
||||
.context("no ambient caps in process spec")?
|
||||
.append(&mut caps.clone());
|
||||
.extend(&caps);
|
||||
spec_caps
|
||||
.bounding
|
||||
.as_mut()
|
||||
.context("no bounding caps in process spec")?
|
||||
.append(&mut caps.clone());
|
||||
.extend(&caps);
|
||||
spec_caps
|
||||
.effective
|
||||
.as_mut()
|
||||
.context("no effective caps in process spec")?
|
||||
.append(&mut caps.clone());
|
||||
.extend(&caps);
|
||||
spec_caps
|
||||
.inheritable
|
||||
.as_mut()
|
||||
.context("no inheritable caps in process spec")?
|
||||
.append(&mut caps.clone());
|
||||
.extend(&caps);
|
||||
spec_caps
|
||||
.permitted
|
||||
.as_mut()
|
||||
.context("no permitted caps in process spec")?
|
||||
.append(&mut caps);
|
||||
.extend(&caps);
|
||||
} else {
|
||||
spec.process
|
||||
.as_mut()
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
use anyhow::{bail, Context, Result};
|
||||
use nix::{sys::signal, unistd::Pid};
|
||||
use oci_spec::Hook;
|
||||
use oci_spec::runtime::Hook;
|
||||
use std::{collections::HashMap, fmt, os::unix::prelude::CommandExt, process, thread, time};
|
||||
|
||||
use crate::{container::Container, utils};
|
||||
|
|
|
@ -10,7 +10,7 @@
|
|||
use crate::syscall::{syscall::create_syscall, Syscall};
|
||||
use anyhow::{Context, Result};
|
||||
use nix::{fcntl, sched::CloneFlags, sys::stat, unistd};
|
||||
use oci_spec::{LinuxNamespace, LinuxNamespaceType};
|
||||
use oci_spec::runtime::{LinuxNamespace, LinuxNamespaceType};
|
||||
use std::collections;
|
||||
|
||||
/// Holds information about namespaces
|
||||
|
@ -87,7 +87,7 @@ impl Namespaces {
|
|||
mod tests {
|
||||
use super::*;
|
||||
use crate::syscall::test::TestHelperSyscall;
|
||||
use oci_spec::LinuxNamespaceType;
|
||||
use oci_spec::runtime::LinuxNamespaceType;
|
||||
|
||||
fn gen_sample_linux_namespaces() -> Vec<LinuxNamespace> {
|
||||
vec![
|
||||
|
|
|
@ -7,7 +7,7 @@ use nix::{
|
|||
sys::statfs,
|
||||
unistd::{self, Gid, Uid},
|
||||
};
|
||||
use oci_spec::{LinuxNamespaceType, Spec};
|
||||
use oci_spec::runtime::{LinuxNamespaceType, Spec};
|
||||
use std::collections::HashMap;
|
||||
use std::{
|
||||
env,
|
||||
|
@ -179,8 +179,8 @@ pub fn container_intermidiate(
|
|||
// value for the current process check
|
||||
// https://dev.to/rrampage/surviving-the-linux-oom-killer-2ki9 for some more
|
||||
// information
|
||||
if let Some(ref resource) = linux.resources {
|
||||
if let Some(oom_score_adj) = resource.oom_score_adj {
|
||||
if let Some(ref process) = spec.process {
|
||||
if let Some(oom_score_adj) = process.oom_score_adj {
|
||||
let mut f = fs::File::create("/proc/self/oom_score_adj")?;
|
||||
f.write_all(oom_score_adj.to_string().as_bytes())?;
|
||||
}
|
||||
|
@ -362,7 +362,8 @@ pub fn container_init(
|
|||
}
|
||||
}
|
||||
|
||||
let do_chdir = if proc.cwd.is_empty() {
|
||||
let cwd = format!("{}", proc.cwd.display());
|
||||
let do_chdir = if cwd.is_empty() {
|
||||
false
|
||||
} else {
|
||||
// This chdir must run before setting up the user.
|
||||
|
@ -429,7 +430,8 @@ pub fn container_init(
|
|||
|
||||
// change directory to process.cwd if process.cwd is not empty
|
||||
if do_chdir {
|
||||
unistd::chdir(&*proc.cwd).with_context(|| format!("Failed to chdir {}", proc.cwd))?;
|
||||
unistd::chdir(&*proc.cwd)
|
||||
.with_context(|| format!("Failed to chdir {}", proc.cwd.display()))?;
|
||||
}
|
||||
|
||||
// Reset the process env based on oci spec.
|
||||
|
|
|
@ -7,11 +7,11 @@ use nix::errno::Errno;
|
|||
use nix::fcntl::{open, OFlag};
|
||||
use nix::mount::mount as nix_mount;
|
||||
use nix::mount::MsFlags;
|
||||
use nix::sys::stat::Mode;
|
||||
use nix::sys::stat::{mknod, umask};
|
||||
use nix::sys::stat::{Mode, SFlag};
|
||||
use nix::unistd::{chdir, chown, close, getcwd};
|
||||
use nix::unistd::{Gid, Uid};
|
||||
use oci_spec::{LinuxDevice, LinuxDeviceType, Mount, Spec};
|
||||
use oci_spec::runtime::{LinuxDevice, LinuxDeviceType, Mount, Spec};
|
||||
use std::fs::OpenOptions;
|
||||
use std::fs::{canonicalize, create_dir_all, remove_file};
|
||||
use std::os::unix::fs::symlink;
|
||||
|
@ -220,6 +220,14 @@ fn bind_dev(dev: &LinuxDevice) -> Result<()> {
|
|||
Ok(())
|
||||
}
|
||||
|
||||
fn to_sflag(dev_type: LinuxDeviceType) -> SFlag {
|
||||
match dev_type {
|
||||
LinuxDeviceType::B => SFlag::S_IFBLK,
|
||||
LinuxDeviceType::C | LinuxDeviceType::U => SFlag::S_IFCHR,
|
||||
LinuxDeviceType::P => SFlag::S_IFIFO,
|
||||
}
|
||||
}
|
||||
|
||||
fn mknod_dev(dev: &LinuxDevice) -> Result<()> {
|
||||
fn makedev(major: i64, minor: i64) -> u64 {
|
||||
((minor & 0xff)
|
||||
|
@ -229,7 +237,7 @@ fn mknod_dev(dev: &LinuxDevice) -> Result<()> {
|
|||
}
|
||||
mknod(
|
||||
&dev.path.as_in_container()?,
|
||||
dev.typ.to_sflag()?,
|
||||
to_sflag(dev.typ),
|
||||
Mode::from_bits_truncate(dev.file_mode.unwrap_or(0)),
|
||||
makedev(dev.major, dev.minor),
|
||||
)?;
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
use crate::{namespaces::Namespaces, utils};
|
||||
use anyhow::{bail, Context, Result};
|
||||
use nix::unistd::Pid;
|
||||
use oci_spec::{Linux, LinuxIdMapping, LinuxNamespace, LinuxNamespaceType, Mount, Spec};
|
||||
use oci_spec::runtime::{Linux, LinuxIdMapping, LinuxNamespace, LinuxNamespaceType, Mount, Spec};
|
||||
use std::path::Path;
|
||||
use std::process::Command;
|
||||
use std::{env, path::PathBuf};
|
||||
|
@ -206,7 +206,7 @@ pub fn write_gid_mapping(target_pid: Pid, rootless: Option<&Rootless>) -> Result
|
|||
|
||||
fn write_id_mapping(
|
||||
map_file: &str,
|
||||
mappings: &[oci_spec::LinuxIdMapping],
|
||||
mappings: &[LinuxIdMapping],
|
||||
map_binary: Option<&Path>,
|
||||
) -> Result<()> {
|
||||
let mappings: Vec<String> = mappings
|
||||
|
|
|
@ -22,7 +22,7 @@ use nix::{
|
|||
};
|
||||
use nix::{sched::unshare, sys::stat::Mode};
|
||||
|
||||
use oci_spec::LinuxRlimit;
|
||||
use oci_spec::runtime::LinuxRlimit;
|
||||
|
||||
use super::Syscall;
|
||||
use crate::capabilities;
|
||||
|
|
|
@ -10,7 +10,7 @@ use nix::{
|
|||
unistd::{Gid, Uid},
|
||||
};
|
||||
|
||||
use oci_spec::LinuxRlimit;
|
||||
use oci_spec::runtime::LinuxRlimit;
|
||||
|
||||
use crate::syscall::{linux::LinuxSyscall, test::TestHelperSyscall};
|
||||
|
||||
|
|
|
@ -2,7 +2,7 @@ use std::{any::Any, cell::RefCell, ffi::OsStr, sync::Arc};
|
|||
|
||||
use caps::{errors::CapsError, CapSet, CapsHashSet};
|
||||
use nix::sched::CloneFlags;
|
||||
use oci_spec::LinuxRlimit;
|
||||
use oci_spec::runtime::LinuxRlimit;
|
||||
|
||||
use super::Syscall;
|
||||
|
||||
|
|
Loading…
Reference in New Issue