| package integration |
| |
| import ( |
| "syscall" |
| |
| "github.com/opencontainers/runc/libcontainer/configs" |
| ) |
| |
// standardPath is the search path exported to every test container. It is
// the conventional system PATH, so tests can invoke tools living in /sbin and
// /bin without spelling out absolute paths.
const standardPath = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

// standardEnvironment is the environment handed to processes started inside
// the template container. It is a fixed, minimal list (home directory, PATH,
// hostname and terminal type) rather than anything inherited from the host,
// so a test's view of the environment does not depend on who runs it.
var standardEnvironment = []string{
	"HOME=/root",
	"PATH=" + standardPath,
	"HOSTNAME=integration",
	"TERM=xterm",
}
| |
// defaultMountFlags is the baseline flag set for the pseudo-filesystems the
// template mounts into the container (proc, shm, mqueue, sysfs): no device
// nodes, no setuid/setgid honouring and no executables on those mounts.
// Mounts that need to deviate spell out their own flags (the /dev tmpfs hosts
// device nodes and so omits nodev; /sys is additionally read-only).
const defaultMountFlags = syscall.MS_NODEV | syscall.MS_NOSUID | syscall.MS_NOEXEC
| |
| // newTemplateConfig returns a base template for running a container |
| // |
| // it uses a network strategy of just setting a loopback interface |
| // and the default setup for devices |
// newTemplateConfig builds the baseline container configuration shared by the
// integration tests. rootfs is the host path used as the container's root
// filesystem; everything else is fixed.
//
// The template is a test fixture, not a hardened profile. It mirrors a
// conventional default container — a bounded capability set, mount/uts/ipc/
// pid/net namespaces, the default device whitelist, a masked /proc/kcore,
// read-only /proc control paths and noexec/nosuid/nodev pseudo-filesystem
// mounts — so that tests run against realistic settings. Anything stricter
// (extra masked paths, a user namespace, seccomp, a smaller capability set)
// must be added by the individual test.
//
// Networking uses the "loopback" strategy only, and device nodes come from
// configs.DefaultAutoCreatedDevices.
func newTemplateConfig(rootfs string) *configs.Config {
	// Bounding capability set. This is the conventional default set; note
	// that CAP_DAC_OVERRIDE, CAP_MKNOD and CAP_SYS_CHROOT are broad and are
	// kept here because tests expect default-like behaviour, not because
	// they are needed by the harness itself.
	caps := []string{
		"CAP_CHOWN",
		"CAP_DAC_OVERRIDE",
		"CAP_FSETID",
		"CAP_FOWNER",
		"CAP_MKNOD",
		"CAP_NET_RAW",
		"CAP_SETGID",
		"CAP_SETUID",
		"CAP_SETFCAP",
		"CAP_SETPCAP",
		"CAP_NET_BIND_SERVICE",
		"CAP_SYS_CHROOT",
		"CAP_KILL",
		"CAP_AUDIT_WRITE",
	}

	// Namespaces the container is unshared into. No user namespace is
	// requested, so there is no uid remapping: the container's root is the
	// host's uid 0, constrained only by the capability set, the device
	// cgroup and the /proc restrictions below.
	namespaces := configs.Namespaces{
		{Type: configs.NEWNS},
		{Type: configs.NEWUTS},
		{Type: configs.NEWIPC},
		{Type: configs.NEWPID},
		{Type: configs.NEWNET},
	}

	// Cgroup placement and device policy. AllowAllDevices is off so that
	// only the default whitelist is reachable; -1 for swappiness is
	// presumably the "leave unset" sentinel — confirm against configs.
	cgroup := &configs.Cgroup{
		Name:             "test",
		Parent:           "integration",
		MemorySwappiness: -1,
		AllowAllDevices:  false,
		AllowedDevices:   configs.DefaultAllowedDevices,
	}

	// Mount table, applied in this order. defaultMountFlags
	// (noexec,nosuid,nodev) is the baseline. /dev deliberately has no nodev
	// because the auto-created device nodes live under it, and no noexec
	// either; /sys is mounted read-only on top of the baseline.
	mounts := []*configs.Mount{
		{
			Device:      "proc",
			Source:      "proc",
			Destination: "/proc",
			Flags:       defaultMountFlags,
		},
		{
			Device:      "tmpfs",
			Source:      "tmpfs",
			Destination: "/dev",
			Flags:       syscall.MS_NOSUID | syscall.MS_STRICTATIME,
			Data:        "mode=755",
		},
		{
			// newinstance gives the container its own pty namespace;
			// ptmxmode/mode/gid=5 are the usual "tty" group settings.
			Device:      "devpts",
			Source:      "devpts",
			Destination: "/dev/pts",
			Flags:       syscall.MS_NOSUID | syscall.MS_NOEXEC,
			Data:        "newinstance,ptmxmode=0666,mode=0620,gid=5",
		},
		{
			// World-writable sticky shm, capped at 64 MiB.
			Device:      "tmpfs",
			Source:      "shm",
			Destination: "/dev/shm",
			Flags:       defaultMountFlags,
			Data:        "mode=1777,size=65536k",
		},
		{
			Device:      "mqueue",
			Source:      "mqueue",
			Destination: "/dev/mqueue",
			Flags:       defaultMountFlags,
		},
		{
			Device:      "sysfs",
			Source:      "sysfs",
			Destination: "/sys",
			Flags:       defaultMountFlags | syscall.MS_RDONLY,
		},
	}

	// Loopback-only networking: no interface other than lo is created.
	// NOTE(review): the loopback strategy may not consume Address/Gateway at
	// all, and "127.0.0.1/0" reads like a typo for /8 — confirm before a test
	// relies on these two values.
	networks := []*configs.Network{
		{
			Type:    "loopback",
			Address: "127.0.0.1/0",
			Gateway: "localhost",
		},
	}

	// A small, deterministic open-file limit; tests that need more must
	// override it.
	const nofile = 1025
	rlimits := []configs.Rlimit{
		{
			Type: syscall.RLIMIT_NOFILE,
			Hard: nofile,
			Soft: nofile,
		},
	}

	return &configs.Config{
		Rootfs:       rootfs,
		Hostname:     "integration",
		Capabilities: caps,
		Namespaces:   namespaces,
		Cgroups:      cgroup,
		// Only /proc/kcore is hidden outright; the control paths below are
		// left visible but read-only, which blocks writes to sysctls,
		// sysrq-trigger and irq/bus configuration without hiding them.
		MaskPaths: []string{
			"/proc/kcore",
		},
		ReadonlyPaths: []string{
			"/proc/sys", "/proc/sysrq-trigger", "/proc/irq", "/proc/bus",
		},
		Devices:  configs.DefaultAutoCreatedDevices,
		Mounts:   mounts,
		Networks: networks,
		Rlimits:  rlimits,
	}
}