From cded9aa97fe2e4e1ce9fdc79cf46775365337b2f Mon Sep 17 00:00:00 2001
From: Long Liu
Date: Wed, 26 Jun 2019 11:25:35 +0800
Subject: [PATCH] ACRN: dm: Modify the runC.json for NUC.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The path modify the configuration for the runC container. There have three changes for the configuration. 1、args [ "sh" ]: this is an example parameter and when the VM is started, the parameter will be replaced by the launch_UOS script. 2、The linux capabilities will guarantee the Acrn-dm have enough capabilities to run in container. For more infomation about the capalility you can refer http://man7.org/linux/man-pages/man7/capabilities.7.htm 3、Move the rootfs to the parent directory, so all the container can share the same rootfs.
Tracked-On: projectacrn#2020
Signed-off-by: Long Liu
Reviewed-by: Binbin Wu
---
 devicemodel/samples/nuc/runC.json | 194 ++++++++++++++++++++++++++++--
 1 file changed, 185 insertions(+), 9 deletions(-)
diff --git a/devicemodel/samples/nuc/runC.json b/devicemodel/samples/nuc/runC.json
index 7d359182d..c68d401b3 100644
--- a/devicemodel/samples/nuc/runC.json
+++ b/devicemodel/samples/nuc/runC.json
@@ -7,9 +7,7 @@
 "gid": 0
 },
 "args": [
- "/usr/share/acrn/samples/apl-mrb/launch_uos.sh",
- "-V",
- "2"
+ "sh"
 ],
 "env": [
 "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
@@ -18,40 +16,215 @@
 "cwd": "/",
 "capabilities": {
 "bounding": [
+ "CAP_AUDIT_WRITE",
+ "CAP_CHOWN",
+ "CAP_DAC_OVERRIDE",
+ "CAP_DAC_READ_SEARCH",
+ "CAP_FOWNER",
+ "CAP_FSETID",
+ "CAP_KILL",
+ "CAP_SETGID",
+ "CAP_SETUID",
+ "CAP_SETPCAP",
+ "CAP_LINUX_IMMUTABLE",
+ "CAP_NET_BIND_SERVICE",
+ "CAP_NET_BROADCAST",
+ "CAP_NET_ADMIN",
+ "CAP_NET_RAW",
+ "CAP_IPC_LOCK",
+ "CAP_IPC_OWNER",
+ "CAP_SYS_MODULE",
+ "CAP_SYS_RAWIO",
+ "CAP_SYS_CHROOT",
+ "CAP_SYS_PTRACE",
+ "CAP_SYS_PACCT",
 "CAP_SYS_ADMIN",
+ "CAP_SYS_BOOT",
+ "CAP_SYS_NICE",
 "CAP_SYS_RESOURCE",
+ "CAP_SYS_TIME",
+ "CAP_SYS_TTY_CONFIG",
+ "CAP_MKNOD",
+ "CAP_LEASE",
+ "CAP_AUDIT_WRITE",
+ "CAP_AUDIT_CONTROL",
+ "CAP_SETFCAP",
+ "CAP_MAC_OVERRIDE",
+ "CAP_MAC_ADMIN",
+ "CAP_SYSLOG",
 "CAP_WAKE_ALARM",
- "CAP_SYS_MODULE"
+ "CAP_BLOCK_SUSPEND",
+ "CAP_AUDIT_READ"
 ],
 "effective": [
+ "CAP_AUDIT_WRITE",
+ "CAP_CHOWN",
+ "CAP_DAC_OVERRIDE",
+ "CAP_DAC_READ_SEARCH",
+ "CAP_FOWNER",
+ "CAP_FSETID",
+ "CAP_KILL",
+ "CAP_SETGID",
+ "CAP_SETUID",
+ "CAP_SETPCAP",
+ "CAP_LINUX_IMMUTABLE",
+ "CAP_NET_BIND_SERVICE",
+ "CAP_NET_BROADCAST",
+ "CAP_NET_ADMIN",
+ "CAP_NET_RAW",
+ "CAP_IPC_LOCK",
+ "CAP_IPC_OWNER",
+ "CAP_SYS_MODULE",
+ "CAP_SYS_RAWIO",
+ "CAP_SYS_CHROOT",
+ "CAP_SYS_PTRACE",
+ "CAP_SYS_PACCT",
 "CAP_SYS_ADMIN",
+ "CAP_SYS_BOOT",
+ "CAP_SYS_NICE",
 "CAP_SYS_RESOURCE",
+ "CAP_SYS_TIME",
+ "CAP_SYS_TTY_CONFIG",
+ "CAP_MKNOD",
+ "CAP_LEASE",
+ "CAP_AUDIT_WRITE",
+ "CAP_AUDIT_CONTROL",
+ "CAP_SETFCAP",
+ "CAP_MAC_OVERRIDE",
+ "CAP_MAC_ADMIN",
+ "CAP_SYSLOG",
 "CAP_WAKE_ALARM",
- "CAP_SYS_MODULE"
+ "CAP_BLOCK_SUSPEND",
+ "CAP_AUDIT_READ"
 ],
 "inheritable": [
+ "CAP_AUDIT_WRITE",
+ "CAP_CHOWN",
+ "CAP_DAC_OVERRIDE",
+ "CAP_DAC_READ_SEARCH",
+ "CAP_FOWNER",
+ "CAP_FSETID",
+ "CAP_KILL",
+ "CAP_SETGID",
+ "CAP_SETUID",
+ "CAP_SETPCAP",
+ "CAP_LINUX_IMMUTABLE",
+ "CAP_NET_BIND_SERVICE",
+ "CAP_NET_BROADCAST",
+ "CAP_NET_ADMIN",
+ "CAP_NET_RAW",
+ "CAP_IPC_LOCK",
+ "CAP_IPC_OWNER",
+ "CAP_SYS_MODULE",
+ "CAP_SYS_RAWIO",
+ "CAP_SYS_CHROOT",
+ "CAP_SYS_PTRACE",
+ "CAP_SYS_PACCT",
 "CAP_SYS_ADMIN",
+ "CAP_SYS_BOOT",
+ "CAP_SYS_NICE",
 "CAP_SYS_RESOURCE",
+ "CAP_SYS_TIME",
+ "CAP_SYS_TTY_CONFIG",
+ "CAP_MKNOD",
+ "CAP_LEASE",
+ "CAP_AUDIT_WRITE",
+ "CAP_AUDIT_CONTROL",
+ "CAP_SETFCAP",
+ "CAP_MAC_OVERRIDE",
+ "CAP_MAC_ADMIN",
+ "CAP_SYSLOG",
 "CAP_WAKE_ALARM",
- "CAP_SYS_MODULE"
+ "CAP_BLOCK_SUSPEND",
+ "CAP_AUDIT_READ"
 ],
 "permitted": [
+ "CAP_AUDIT_WRITE",
+ "CAP_CHOWN",
+ "CAP_DAC_OVERRIDE",
+ "CAP_DAC_READ_SEARCH",
+ "CAP_FOWNER",
+ "CAP_FSETID",
+ "CAP_KILL",
+ "CAP_SETGID",
+ "CAP_SETUID",
+ "CAP_SETPCAP",
+ "CAP_LINUX_IMMUTABLE",
+ "CAP_NET_BIND_SERVICE",
+ "CAP_NET_BROADCAST",
+ "CAP_NET_ADMIN",
+ "CAP_NET_RAW",
+ "CAP_IPC_LOCK",
+ "CAP_IPC_OWNER",
+ "CAP_SYS_MODULE",
+ "CAP_SYS_RAWIO",
+ "CAP_SYS_CHROOT",
+ "CAP_SYS_PTRACE",
+ "CAP_SYS_PACCT",
 "CAP_SYS_ADMIN",
+ "CAP_SYS_BOOT",
+ "CAP_SYS_NICE",
 "CAP_SYS_RESOURCE",
+ "CAP_SYS_TIME",
+ "CAP_SYS_TTY_CONFIG",
+ "CAP_MKNOD",
+ "CAP_LEASE",
+ "CAP_AUDIT_WRITE",
+ "CAP_AUDIT_CONTROL",
+ "CAP_SETFCAP",
+ "CAP_MAC_OVERRIDE",
+ "CAP_MAC_ADMIN",
+ "CAP_SYSLOG",
 "CAP_WAKE_ALARM",
- "CAP_SYS_MODULE"
+ "CAP_BLOCK_SUSPEND",
+ "CAP_AUDIT_READ"
 ],
 "ambient": [
+ "CAP_AUDIT_WRITE",
+ "CAP_CHOWN",
+ "CAP_DAC_OVERRIDE",
+ "CAP_DAC_READ_SEARCH",
+ "CAP_FOWNER",
+ "CAP_FSETID",
+ "CAP_KILL",
+ "CAP_SETGID",
+ "CAP_SETUID",
+ "CAP_SETPCAP",
+ "CAP_LINUX_IMMUTABLE",
+ "CAP_NET_BIND_SERVICE",
+ "CAP_NET_BROADCAST",
+ "CAP_NET_ADMIN",
+ "CAP_NET_RAW",
+ "CAP_IPC_LOCK",
+ "CAP_IPC_OWNER",
+ "CAP_SYS_MODULE",
+ "CAP_SYS_RAWIO",
+ "CAP_SYS_CHROOT",
+ "CAP_SYS_PTRACE",
+ "CAP_SYS_PACCT",
 "CAP_SYS_ADMIN",
+ "CAP_SYS_BOOT",
+ "CAP_SYS_NICE",
 "CAP_SYS_RESOURCE",
+ "CAP_SYS_TIME",
+ "CAP_SYS_TTY_CONFIG",
+ "CAP_MKNOD",
+ "CAP_LEASE",
+ "CAP_AUDIT_WRITE",
+ "CAP_AUDIT_CONTROL",
+ "CAP_SETFCAP",
+ "CAP_MAC_OVERRIDE",
+ "CAP_MAC_ADMIN",
+ "CAP_SYSLOG",
 "CAP_WAKE_ALARM",
- "CAP_SYS_MODULE"
+ "CAP_BLOCK_SUSPEND",
+ "CAP_AUDIT_READ"
 ]
 }
 },
 "root": {
- "path": "rootfs",
+ "path": "../rootfs",
 "readonly": false
 },
 "hostname": "runc",
@@ -92,6 +265,9 @@
 },
 {
 "type": "uts"
+ },
+ {
+ "type": "mount"
 }
 ]
 }
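Review bot: The five capability arrays in this hunk (bounding, effective, inheritable, permitted, ambient) now grant what looks like the complete Linux capability set — including CAP_SYS_ADMIN, CAP_SYS_MODULE, CAP_SYS_RAWIO, CAP_SYS_PTRACE, CAP_DAC_OVERRIDE and CAP_MAC_ADMIN — to a process in the root group (gid 0 is visible in the first hunk; the uid line is outside this view) whose sample entry point is a bare `sh`, which leaves the container with very little separation from the host kernel, and the commit message only says acrn-dm needs "enough" capabilities without naming them. The lists should be cut back to what acrn-dm demonstrably requires on NUC — the removed lines show the sample previously ran with just CAP_SYS_ADMIN, CAP_SYS_RESOURCE, CAP_WAKE_ALARM and CAP_SYS_MODULE — with the reason for each remaining entry recorded in the commit message or the sample's README, and the `ambient` set in particular is presumably unnecessary for a uid 0 process and could be emptied. Each of the five arrays also lists `"CAP_AUDIT_WRITE"` twice (once near the top and again after `"CAP_LEASE"`), so one copy can be dropped. Separately, pointing `root.path` at the shared `../rootfs` while keeping `"readonly": false` means every container instance writes into the same tree, so a misbehaving or compromised VM's device model can alter the filesystem the other instances start from; if acrn-dm does not need to write there, `"readonly": true` (or a per-container overlay) is the safer default.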