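// modify applies the command-line flags carried by context to the config
// spec and the runtime spec rspec. Scalar flags overwrite the matching
// fields in place; the list flags "env" and "groups" are appended to
// whatever the template already holds. The per-feature helpers
// (capabilities, namespaces, tmpfs/cgroup/bind mounts, hooks, root
// propagation) are applied afterwards, in that order.
//
// It returns the first error produced while parsing a supplementary group
// id or by one of the helpers; on error the specs may already have been
// partially modified.
func modify(spec *specs.LinuxSpec, rspec *specs.LinuxRuntimeSpec, context *cli.Context) error {
	spec.Root.Path = context.String("rootfs")
	spec.Root.Readonly = context.Bool("read-only")
	spec.Hostname = context.String("hostname")
	// NOTE(review): cli.Context.Int is signed; a negative "uid"/"gid" wraps
	// to a large uint32 here without an error — confirm the flags are
	// validated elsewhere.
	spec.Process.User.UID = uint32(context.Int("uid"))
	spec.Process.User.GID = uint32(context.Int("gid"))
	rspec.Linux.SelinuxProcessLabel = context.String("selinux-label")

	// A non-empty "args" value replaces the whole argv with a single element.
	if args := context.String("args"); args != "" {
		spec.Process.Args = []string{args}
	}

	spec.Process.Env = append(spec.Process.Env, context.StringSlice("env")...)

	// Supplementary groups are numeric gids. ParseUint with a 32-bit size
	// rejects negative and out-of-range values instead of letting them wrap
	// silently through the uint32 conversion, as strconv.Atoi would.
	for _, g := range context.StringSlice("groups") {
		gid, err := strconv.ParseUint(g, 10, 32)
		if err != nil {
			return err
		}
		spec.Process.User.AdditionalGids = append(spec.Process.User.AdditionalGids, uint32(gid))
	}

	if err := setupCapabilities(spec, rspec, context); err != nil {
		return err
	}
	setupNamespaces(spec, rspec, context)
	if err := addTmpfsMounts(spec, rspec, context); err != nil {
		return err
	}
	if err := mountCgroups(spec, rspec, context); err != nil {
		return err
	}
	if err := addBindMounts(spec, rspec, context); err != nil {
		return err
	}
	if err := addHooks(spec, rspec, context); err != nil {
		return err
	}
	if err := addRootPropagation(spec, rspec, context); err != nil {
		return err
	}

	return nil
}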
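// modify applies the command-line flags carried by context to the config
// spec and the runtime spec rspec. Scalar flags overwrite the matching
// fields in place; "args" replaces the first template argument and appends
// the rest, while "env" and "groups" are appended to whatever the template
// already holds. The per-feature helpers are then applied in the fixed
// order below.
//
// It returns the first error produced while parsing a supplementary group
// id or by one of the helpers; on error the specs may already have been
// partially modified.
func modify(spec *specs.LinuxSpec, rspec *specs.LinuxRuntimeSpec, context *cli.Context) error {
	spec.Root.Path = context.String("rootfs")
	spec.Root.Readonly = context.Bool("read-only")
	spec.Hostname = context.String("hostname")
	// NOTE(review): cli.Context.Int is signed; a negative "uid"/"gid" wraps
	// to a large uint32 here without an error — confirm the flags are
	// validated elsewhere.
	spec.Process.User.UID = uint32(context.Int("uid"))
	spec.Process.User.GID = uint32(context.Int("gid"))
	rspec.Linux.SelinuxProcessLabel = context.String("selinux-label")
	spec.Version = context.String("version")
	spec.Platform.OS = context.String("os")
	spec.Platform.Arch = context.String("arch")
	spec.Process.Cwd = context.String("cwd")
	spec.Process.Terminal = context.Bool("terminal")
	rspec.Linux.CgroupsPath = context.String("cgroupspath")
	rspec.Linux.ApparmorProfile = context.String("apparmor")
	// NOTE(review): the flag name "disableoomiller" looks misspelled —
	// confirm it matches the name the flag is registered under.
	rspec.Linux.Resources.DisableOOMKiller = context.Bool("disableoomiller")
	rspec.Linux.Resources.Pids.Limit = int64(context.Int("pids"))
	rspec.Linux.Resources.Network.ClassID = context.String("networkid")

	for i, a := range context.StringSlice("args") {
		if i == 0 && len(spec.Process.Args) > 0 {
			// Replace "sh" from getDefaultTemplate(). Any further template
			// arguments are left in place; only the user's extra arguments
			// are appended after them. The length check avoids indexing an
			// empty argv.
			spec.Process.Args[0] = a
			continue
		}
		spec.Process.Args = append(spec.Process.Args, a)
	}

	spec.Process.Env = append(spec.Process.Env, context.StringSlice("env")...)

	// Supplementary groups are numeric gids. ParseUint with a 32-bit size
	// rejects negative and out-of-range values instead of letting them wrap
	// silently through the uint32 conversion, as strconv.Atoi would.
	for _, g := range context.StringSlice("groups") {
		gid, err := strconv.ParseUint(g, 10, 32)
		if err != nil {
			return err
		}
		spec.Process.User.AdditionalGids = append(spec.Process.User.AdditionalGids, uint32(gid))
	}

	if err := setupCapabilities(spec, rspec, context); err != nil {
		return err
	}
	setupNamespaces(spec, rspec, context)
	if err := addTmpfsMounts(spec, rspec, context); err != nil {
		return err
	}
	if err := mountCgroups(spec, rspec, context); err != nil {
		return err
	}
	if err := addBindMounts(spec, rspec, context); err != nil {
		return err
	}
	if err := addHooks(spec, rspec, context); err != nil {
		return err
	}
	if err := addRootPropagation(spec, rspec, context); err != nil {
		return err
	}
	if err := addMountPoint(spec, rspec, context); err != nil {
		return err
	}
	if err := setUIDMappings(spec, rspec, context); err != nil {
		return err
	}
	if err := setGIDMappings(spec, rspec, context); err != nil {
		return err
	}
	if err := setRlimits(spec, rspec, context); err != nil {
		return err
	}
	if err := setSysctl(spec, rspec, context); err != nil {
		return err
	}
	if err := addDevice(spec, rspec, context); err != nil {
		return err
	}
	if err := setSeccompDefaultAction(spec, rspec, context); err != nil {
		return err
	}
	if err := addSeccompArchitectures(spec, rspec, context); err != nil {
		return err
	}
	if err := addSeccompSyscalls(spec, rspec, context); err != nil {
		return err
	}
	if err := addHugepageLimit(spec, rspec, context); err != nil {
		return err
	}
	if err := addNetworkPriority(spec, rspec, context); err != nil {
		return err
	}
	if err := addMounts(spec, rspec, context); err != nil {
		return err
	}
	if err := addBlockIO(spec, rspec, context); err != nil {
		return err
	}
	if err := setResourceMemory(spec, rspec, context); err != nil {
		return err
	}
	if err := setResourceCPU(spec, rspec, context); err != nil {
		return err
	}
	return nil
}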
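// modify applies the command-line flags carried by context to the config
// spec and the runtime spec rspec. Scalar flags overwrite the matching
// fields in place; the first non-empty "args" element replaces the first
// template argument and later ones are appended, while "env" and "groups"
// are appended to whatever the template already holds. The per-feature
// helpers are then applied in the fixed order below.
//
// It returns the first error produced while parsing a supplementary group
// id or by one of the helpers; on error the specs may already have been
// partially modified.
func modify(spec *specs.LinuxSpec, rspec *specs.LinuxRuntimeSpec, context *cli.Context) error {
	spec.Root.Path = context.String("rootfs")
	spec.Root.Readonly = context.Bool("read-only")
	spec.Hostname = context.String("hostname")
	// NOTE(review): cli.Context.Int is signed; a negative "uid"/"gid" wraps
	// to a large uint32 here without an error — confirm the flags are
	// validated elsewhere.
	spec.Process.User.UID = uint32(context.Int("uid"))
	spec.Process.User.GID = uint32(context.Int("gid"))
	rspec.Linux.SelinuxProcessLabel = context.String("selinux-label")
	spec.Platform.OS = context.String("os")
	spec.Platform.Arch = context.String("arch")
	spec.Process.Cwd = context.String("cwd")

	for i, a := range context.StringSlice("args") {
		// Empty elements are skipped but still consume their index, so an
		// empty first element leaves the template's argv[0] untouched.
		if a == "" {
			continue
		}
		if i == 0 && len(spec.Process.Args) > 0 {
			// Replace "sh" from getDefaultTemplate(). Any further template
			// arguments are left in place; the length check avoids indexing
			// an empty argv.
			spec.Process.Args[0] = a
			continue
		}
		spec.Process.Args = append(spec.Process.Args, a)
	}

	spec.Process.Env = append(spec.Process.Env, context.StringSlice("env")...)

	// Supplementary groups are numeric gids. ParseUint with a 32-bit size
	// rejects negative and out-of-range values instead of letting them wrap
	// silently through the uint32 conversion, as strconv.Atoi would.
	for _, g := range context.StringSlice("groups") {
		gid, err := strconv.ParseUint(g, 10, 32)
		if err != nil {
			return err
		}
		spec.Process.User.AdditionalGids = append(spec.Process.User.AdditionalGids, uint32(gid))
	}

	if err := setupCapabilities(spec, rspec, context); err != nil {
		return err
	}
	setupNamespaces(spec, rspec, context)
	if err := addTmpfsMounts(spec, rspec, context); err != nil {
		return err
	}
	if err := mountCgroups(spec, rspec, context); err != nil {
		return err
	}
	if err := addBindMounts(spec, rspec, context); err != nil {
		return err
	}
	if err := addHooks(spec, rspec, context); err != nil {
		return err
	}
	if err := addRootPropagation(spec, rspec, context); err != nil {
		return err
	}
	if err := addIDMappings(spec, rspec, context); err != nil {
		return err
	}

	return nil
}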