Skip to content

Commit 25ae2f4

Browse files
author
Zhou Hao
authored
Merge pull request #194 from wking/tk/validate-host-platform
Respect the host platform
2 parents 8b973a6 + 2e6f6ab commit 25ae2f4

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

52 files changed

+385
-214
lines changed

cmd/oci-runtime-tool/generate.go

Lines changed: 7 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -6,6 +6,7 @@ import (
66
"encoding/json"
77
"fmt"
88
"os"
9+
"runtime"
910
"strconv"
1011
"strings"
1112
"unicode"
@@ -90,6 +91,7 @@ var generateFlags = []cli.Flag{
9091
cli.StringSliceFlag{Name: "mounts-add", Usage: "configures additional mounts inside container"},
9192
cli.StringSliceFlag{Name: "mounts-remove", Usage: "remove destination mountpoints from inside container"},
9293
cli.BoolFlag{Name: "mounts-remove-all", Usage: "remove all mounts inside container"},
94+
cli.StringFlag{Name: "os", Value: runtime.GOOS, Usage: "operating system the container is created for"},
9395
cli.StringFlag{Name: "output", Usage: "output file (defaults to stdout)"},
9496
cli.BoolFlag{Name: "privileged", Usage: "enable privileged container settings"},
9597
cli.StringSliceFlag{Name: "process-cap-add-ambient", Usage: "add Linux ambient capabilities"},
@@ -141,21 +143,23 @@ var generateCommand = cli.Command{
141143
Before: before,
142144
Action: func(context *cli.Context) error {
143145
// Start from the default template.
144-
specgen := generate.New()
146+
specgen, err := generate.New(context.String("os"))
147+
if err != nil {
148+
return err
149+
}
145150

146151
var template string
147152
if context.IsSet("template") {
148153
template = context.String("template")
149154
}
150155
if template != "" {
151-
var err error
152156
specgen, err = generate.NewFromFile(template)
153157
if err != nil {
154158
return err
155159
}
156160
}
157161

158-
err := setupSpec(&specgen, context)
162+
err = setupSpec(&specgen, context)
159163
if err != nil {
160164
return err
161165
}

generate/generate.go

Lines changed: 115 additions & 106 deletions
Original file line numberDiff line numberDiff line change
@@ -36,117 +36,128 @@ type ExportOptions struct {
3636
Seccomp bool // seccomp toggles if only seccomp should be exported
3737
}
3838

39-
// New creates a spec Generator with the default spec.
40-
func New() Generator {
41-
spec := rspec.Spec{
39+
// New creates a spec Generator with the default spec for the target
40+
// OS.
41+
func New(os string) (generator Generator, err error) {
42+
if os != "linux" && os != "solaris" {
43+
return generator, fmt.Errorf("no defaults configured for %s", os)
44+
}
45+
46+
config := rspec.Spec{
4247
Version: rspec.Version,
4348
Root: &rspec.Root{
4449
Path: "rootfs",
4550
Readonly: false,
4651
},
4752
Process: &rspec.Process{
4853
Terminal: false,
49-
User: rspec.User{},
5054
Args: []string{
5155
"sh",
5256
},
53-
Env: []string{
54-
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
55-
"TERM=xterm",
57+
},
58+
Hostname: "mrsdalloway",
59+
}
60+
61+
if os == "linux" || os == "solaris" {
62+
config.Process.User = rspec.User{}
63+
config.Process.Env = []string{
64+
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
65+
"TERM=xterm",
66+
}
67+
config.Process.Cwd = "/"
68+
config.Process.Rlimits = []rspec.POSIXRlimit{
69+
{
70+
Type: "RLIMIT_NOFILE",
71+
Hard: uint64(1024),
72+
Soft: uint64(1024),
5673
},
57-
Cwd: "/",
58-
Capabilities: &rspec.LinuxCapabilities{
59-
Bounding: []string{
60-
"CAP_CHOWN",
61-
"CAP_DAC_OVERRIDE",
62-
"CAP_FSETID",
63-
"CAP_FOWNER",
64-
"CAP_MKNOD",
65-
"CAP_NET_RAW",
66-
"CAP_SETGID",
67-
"CAP_SETUID",
68-
"CAP_SETFCAP",
69-
"CAP_SETPCAP",
70-
"CAP_NET_BIND_SERVICE",
71-
"CAP_SYS_CHROOT",
72-
"CAP_KILL",
73-
"CAP_AUDIT_WRITE",
74-
},
75-
Permitted: []string{
76-
"CAP_CHOWN",
77-
"CAP_DAC_OVERRIDE",
78-
"CAP_FSETID",
79-
"CAP_FOWNER",
80-
"CAP_MKNOD",
81-
"CAP_NET_RAW",
82-
"CAP_SETGID",
83-
"CAP_SETUID",
84-
"CAP_SETFCAP",
85-
"CAP_SETPCAP",
86-
"CAP_NET_BIND_SERVICE",
87-
"CAP_SYS_CHROOT",
88-
"CAP_KILL",
89-
"CAP_AUDIT_WRITE",
90-
},
91-
Inheritable: []string{
92-
"CAP_CHOWN",
93-
"CAP_DAC_OVERRIDE",
94-
"CAP_FSETID",
95-
"CAP_FOWNER",
96-
"CAP_MKNOD",
97-
"CAP_NET_RAW",
98-
"CAP_SETGID",
99-
"CAP_SETUID",
100-
"CAP_SETFCAP",
101-
"CAP_SETPCAP",
102-
"CAP_NET_BIND_SERVICE",
103-
"CAP_SYS_CHROOT",
104-
"CAP_KILL",
105-
"CAP_AUDIT_WRITE",
106-
},
107-
Effective: []string{
108-
"CAP_CHOWN",
109-
"CAP_DAC_OVERRIDE",
110-
"CAP_FSETID",
111-
"CAP_FOWNER",
112-
"CAP_MKNOD",
113-
"CAP_NET_RAW",
114-
"CAP_SETGID",
115-
"CAP_SETUID",
116-
"CAP_SETFCAP",
117-
"CAP_SETPCAP",
118-
"CAP_NET_BIND_SERVICE",
119-
"CAP_SYS_CHROOT",
120-
"CAP_KILL",
121-
"CAP_AUDIT_WRITE",
122-
},
123-
Ambient: []string{
124-
"CAP_CHOWN",
125-
"CAP_DAC_OVERRIDE",
126-
"CAP_FSETID",
127-
"CAP_FOWNER",
128-
"CAP_MKNOD",
129-
"CAP_NET_RAW",
130-
"CAP_SETGID",
131-
"CAP_SETUID",
132-
"CAP_SETFCAP",
133-
"CAP_SETPCAP",
134-
"CAP_NET_BIND_SERVICE",
135-
"CAP_SYS_CHROOT",
136-
"CAP_KILL",
137-
"CAP_AUDIT_WRITE",
138-
},
74+
}
75+
}
76+
77+
if os == "linux" {
78+
config.Process.Capabilities = &rspec.LinuxCapabilities{
79+
Bounding: []string{
80+
"CAP_CHOWN",
81+
"CAP_DAC_OVERRIDE",
82+
"CAP_FSETID",
83+
"CAP_FOWNER",
84+
"CAP_MKNOD",
85+
"CAP_NET_RAW",
86+
"CAP_SETGID",
87+
"CAP_SETUID",
88+
"CAP_SETFCAP",
89+
"CAP_SETPCAP",
90+
"CAP_NET_BIND_SERVICE",
91+
"CAP_SYS_CHROOT",
92+
"CAP_KILL",
93+
"CAP_AUDIT_WRITE",
13994
},
140-
Rlimits: []rspec.POSIXRlimit{
141-
{
142-
Type: "RLIMIT_NOFILE",
143-
Hard: uint64(1024),
144-
Soft: uint64(1024),
145-
},
95+
Permitted: []string{
96+
"CAP_CHOWN",
97+
"CAP_DAC_OVERRIDE",
98+
"CAP_FSETID",
99+
"CAP_FOWNER",
100+
"CAP_MKNOD",
101+
"CAP_NET_RAW",
102+
"CAP_SETGID",
103+
"CAP_SETUID",
104+
"CAP_SETFCAP",
105+
"CAP_SETPCAP",
106+
"CAP_NET_BIND_SERVICE",
107+
"CAP_SYS_CHROOT",
108+
"CAP_KILL",
109+
"CAP_AUDIT_WRITE",
146110
},
147-
},
148-
Hostname: "mrsdalloway",
149-
Mounts: []rspec.Mount{
111+
Inheritable: []string{
112+
"CAP_CHOWN",
113+
"CAP_DAC_OVERRIDE",
114+
"CAP_FSETID",
115+
"CAP_FOWNER",
116+
"CAP_MKNOD",
117+
"CAP_NET_RAW",
118+
"CAP_SETGID",
119+
"CAP_SETUID",
120+
"CAP_SETFCAP",
121+
"CAP_SETPCAP",
122+
"CAP_NET_BIND_SERVICE",
123+
"CAP_SYS_CHROOT",
124+
"CAP_KILL",
125+
"CAP_AUDIT_WRITE",
126+
},
127+
Effective: []string{
128+
"CAP_CHOWN",
129+
"CAP_DAC_OVERRIDE",
130+
"CAP_FSETID",
131+
"CAP_FOWNER",
132+
"CAP_MKNOD",
133+
"CAP_NET_RAW",
134+
"CAP_SETGID",
135+
"CAP_SETUID",
136+
"CAP_SETFCAP",
137+
"CAP_SETPCAP",
138+
"CAP_NET_BIND_SERVICE",
139+
"CAP_SYS_CHROOT",
140+
"CAP_KILL",
141+
"CAP_AUDIT_WRITE",
142+
},
143+
Ambient: []string{
144+
"CAP_CHOWN",
145+
"CAP_DAC_OVERRIDE",
146+
"CAP_FSETID",
147+
"CAP_FOWNER",
148+
"CAP_MKNOD",
149+
"CAP_NET_RAW",
150+
"CAP_SETGID",
151+
"CAP_SETUID",
152+
"CAP_SETFCAP",
153+
"CAP_SETPCAP",
154+
"CAP_NET_BIND_SERVICE",
155+
"CAP_SYS_CHROOT",
156+
"CAP_KILL",
157+
"CAP_AUDIT_WRITE",
158+
},
159+
}
160+
config.Mounts = []rspec.Mount{
150161
{
151162
Destination: "/proc",
152163
Type: "proc",
@@ -183,8 +194,8 @@ func New() Generator {
183194
Source: "sysfs",
184195
Options: []string{"nosuid", "noexec", "nodev", "ro"},
185196
},
186-
},
187-
Linux: &rspec.Linux{
197+
}
198+
config.Linux = &rspec.Linux{
188199
Resources: &rspec.LinuxResources{
189200
Devices: []rspec.LinuxDeviceCgroup{
190201
{
@@ -210,13 +221,11 @@ func New() Generator {
210221
Type: "mount",
211222
},
212223
},
213-
Devices: []rspec.LinuxDevice{},
214-
},
215-
}
216-
spec.Linux.Seccomp = seccomp.DefaultProfile(&spec)
217-
return Generator{
218-
spec: &spec,
224+
Seccomp: seccomp.DefaultProfile(&config),
225+
}
219226
}
227+
228+
return Generator{spec: &config}, nil
220229
}
221230

222231
// NewFromSpec creates a spec Generator from a given spec.

man/oci-runtime-tool-generate.1.md

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -356,6 +356,9 @@ read the configuration from `config.json`.
356356
Remove all mounts inside the container. The default is *false*.
357357
When specified with --mount-add, this option will be parsed first.
358358

359+
**--os**=OS
360+
Operating system used within the container.
361+
359362
**--output**=PATH
360363
Instead of writing the configuration JSON to stdout, write it to a
361364
file at *PATH* (overwriting the existing content if a file already

validate/validate.go

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -577,6 +577,11 @@ func (v *Validator) CheckPlatform() (errs error) {
577577
return
578578
}
579579

580+
if v.HostSpecific && v.platform != runtime.GOOS {
581+
errs = multierror.Append(errs, fmt.Errorf("platform %q differs from the host %q, skipping host-specific checks", v.platform, runtime.GOOS))
582+
v.HostSpecific = false
583+
}
584+
580585
if v.platform == "windows" {
581586
if v.spec.Windows == nil {
582587
errs = multierror.Append(errs,

validation/create.go

Lines changed: 6 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -3,6 +3,7 @@ package main
33
import (
44
"fmt"
55
"os/exec"
6+
"runtime"
67

78
"github.com/mndrix/tap-go"
89
rspecs "github.com/opencontainers/runtime-spec/specs-go"
@@ -16,7 +17,10 @@ func main() {
1617
t := tap.New()
1718
t.Header(0)
1819

19-
g := generate.New()
20+
g, err := generate.New(runtime.GOOS)
21+
if err != nil {
22+
util.Fatal(err)
23+
}
2024
g.SetRootPath(".")
2125
g.SetProcessArgs([]string{"ls"})
2226

@@ -49,7 +53,7 @@ func main() {
4953

5054
for _, c := range cases {
5155
r.SetID(c.id)
52-
err := r.Create()
56+
err = r.Create()
5357
t.Ok((err == nil) == c.errExpected, c.err.(*specerror.Error).Err.Err.Error())
5458
diagnostic := map[string]string{
5559
"reference": c.err.(*specerror.Error).Err.Reference,

validation/default.go

Lines changed: 5 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -5,8 +5,11 @@ import (
55
)
66

77
func main() {
8-
g := util.GetDefaultGenerator()
9-
err := util.RuntimeInsideValidate(g, nil)
8+
g, err := util.GetDefaultGenerator()
9+
if err != nil {
10+
util.Fatal(err)
11+
}
12+
err = util.RuntimeInsideValidate(g, nil)
1013
if err != nil {
1114
util.Fatal(err)
1215
}

validation/delete.go

Lines changed: 9 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -22,9 +22,15 @@ func main() {
2222
}
2323
defer os.RemoveAll(bundleDir)
2424

25-
stoppedConfig := util.GetDefaultGenerator()
25+
stoppedConfig, err := util.GetDefaultGenerator()
26+
if err != nil {
27+
util.Fatal(err)
28+
}
2629
stoppedConfig.SetProcessArgs([]string{"true"})
27-
runningConfig := util.GetDefaultGenerator()
30+
runningConfig, err := util.GetDefaultGenerator()
31+
if err != nil {
32+
util.Fatal(err)
33+
}
2834
runningConfig.SetProcessArgs([]string{"sleep", "30"})
2935
containerID := uuid.NewV4().String()
3036
testRuntime, _ := util.NewRuntime(util.RuntimeCommand, bundleDir)
@@ -67,7 +73,7 @@ func main() {
6773
if c.effectCheck {
6874
// waiting for the error of State, just in case the delete operation takes time
6975
util.WaitingForStatus(testRuntime, util.LifecycleActionNone, time.Second*10, time.Second*1)
70-
_, err := testRuntime.State()
76+
_, err = testRuntime.State()
7177
// err == nil means the 'delete' operation does NOT take effect
7278
util.SpecErrorOK(t, err == nil, specerror.NewError(specerror.DeleteNonStopHaveNoEffect, fmt.Errorf("attempting to `delete` a container that is not `stopped` MUST have no effect on the container"), rspecs.Version), err)
7379
}

0 commit comments

Comments
 (0)