Merge pull request #3716 from djs55/containup-devices2

Add OCI devices to yaml (needed by getty with runc v1.0.0-rc95)
This commit is contained in:
Rolf Neugebauer 2021-10-16 10:35:35 +01:00 committed by GitHub
commit d71299a2c1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
60 changed files with 229 additions and 92 deletions


@ -232,6 +232,31 @@ services:
- CAP_DAC_OVERRIDE
```
## `devices`
To access the console, it's necessary to explicitly add a "device" definition, for example:
```
devices:
- path: "/dev/console"
type: c
major: 5
minor: 1
mode: 0666
```
See the [getty package](../pkg/getty/build.yml) for a more complete example
and see [runc](https://github.com/opencontainers/runc/commit/60e21ec26e15945259d4b1e790e8fd119ee86467) for context.
To grant access to all block devices use:
```
devices:
- path: all
type: b
```
See the [format package](../pkg/format/build.yml) for an example.
### Mount Options
When mounting filesystem paths into a container - whether as part of `onboot` or `services` - there are several options of which you need to be aware. Using them properly is necessary for your containers to function properly.


@ -14,7 +14,7 @@ onboot:
command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
services:
- name: getty
image: linuxkit/getty:ed32c71531f5998aa510847bb07bd847492d4101
image: linuxkit/getty:ebe3397aa9b08e8f310121fdb0aac9406e1c8e73
binds.add:
# this will keep all of the existing ones as well
- /var/tmp:/var/tmp


@ -15,14 +15,14 @@ onboot:
- name: sysfs
image: linuxkit/sysfs:3498aa99c90a29439b5a1926f6ffcd75c270372c
- name: format
image: linuxkit/format:fdad8c50d594712537f94862dab3d955cbb48fc3
image: linuxkit/format:cf335053c7d0b4cd8cc2d136e9392ea5904a71dc
- name: mount
image: linuxkit/mount:71c868267a4503f99e84fd7698717a3669d9dfdb
image: linuxkit/mount:a9a5f731261891bd880e108e6fa2be5bac2f63ba
command: ["/usr/bin/mountie", "/var/lib/docker"]
services:
- name: getty
image: linuxkit/getty:ed32c71531f5998aa510847bb07bd847492d4101
image: linuxkit/getty:ebe3397aa9b08e8f310121fdb0aac9406e1c8e73
env:
- INSECURE=true
- name: rngd


@ -13,10 +13,10 @@ onboot:
image: linuxkit/dhcpcd:1033f340e2d42f86a60aab70752346f0045ea388
command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
- name: format
image: linuxkit/format:fdad8c50d594712537f94862dab3d955cbb48fc3
image: linuxkit/format:cf335053c7d0b4cd8cc2d136e9392ea5904a71dc
command: ["/usr/bin/format", "/dev/sda"]
- name: mount
image: linuxkit/mount:71c868267a4503f99e84fd7698717a3669d9dfdb
image: linuxkit/mount:a9a5f731261891bd880e108e6fa2be5bac2f63ba
command: ["/usr/bin/mountie", "/dev/sda1", "/var/external"]
- name: loop
image: linuxkit/losetup:db35344a21e44a55195540a8670886f60aa77201
@ -25,7 +25,7 @@ onboot:
image: linuxkit/dm-crypt:4daf2010d088955b42ba50db813226e4b3f773cb
command: ["/usr/bin/crypto", "crypt_loop_dev", "/dev/loop0"]
- name: mount
image: linuxkit/mount:71c868267a4503f99e84fd7698717a3669d9dfdb
image: linuxkit/mount:a9a5f731261891bd880e108e6fa2be5bac2f63ba
command: ["/usr/bin/mountie", "/dev/mapper/crypt_loop_dev", "/var/secure_storage"]
- name: bbox
image: busybox
@ -34,7 +34,7 @@ onboot:
- /var:/var
services:
- name: getty
image: linuxkit/getty:ed32c71531f5998aa510847bb07bd847492d4101
image: linuxkit/getty:ebe3397aa9b08e8f310121fdb0aac9406e1c8e73
env:
- INSECURE=true
- name: rngd


@ -13,13 +13,13 @@ onboot:
image: linuxkit/dhcpcd:1033f340e2d42f86a60aab70752346f0045ea388
command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
- name: format
image: linuxkit/format:fdad8c50d594712537f94862dab3d955cbb48fc3
image: linuxkit/format:cf335053c7d0b4cd8cc2d136e9392ea5904a71dc
command: ["/usr/bin/format", "/dev/sda"]
- name: dm-crypt
image: linuxkit/dm-crypt:4daf2010d088955b42ba50db813226e4b3f773cb
command: ["/usr/bin/crypto", "crypt_dev", "/dev/sda1"]
- name: mount
image: linuxkit/mount:71c868267a4503f99e84fd7698717a3669d9dfdb
image: linuxkit/mount:a9a5f731261891bd880e108e6fa2be5bac2f63ba
command: ["/usr/bin/mountie", "/dev/mapper/crypt_dev", "/var/secure_storage"]
- name: bbox
image: busybox
@ -28,7 +28,7 @@ onboot:
- /var:/var
services:
- name: getty
image: linuxkit/getty:ed32c71531f5998aa510847bb07bd847492d4101
image: linuxkit/getty:ebe3397aa9b08e8f310121fdb0aac9406e1c8e73
env:
- INSECURE=true
- name: rngd


@ -20,13 +20,13 @@ onboot:
image: linuxkit/binfmt:5567917e7de481e4867d31c7490a0ebdb70e04a5
# Format and mount the disk image in /var/lib/docker
- name: format
image: linuxkit/format:fdad8c50d594712537f94862dab3d955cbb48fc3
image: linuxkit/format:cf335053c7d0b4cd8cc2d136e9392ea5904a71dc
- name: mount
image: linuxkit/mount:71c868267a4503f99e84fd7698717a3669d9dfdb
image: linuxkit/mount:a9a5f731261891bd880e108e6fa2be5bac2f63ba
command: ["/usr/bin/mountie", "/var/lib"]
# make a swap file on the mounted disk
- name: swap
image: linuxkit/swap:0028aeae2741d28120e4d2c6efcc5af003eae395
image: linuxkit/swap:7f7074c05bad414af39f2374301b72bc67314715
command: ["/swap.sh", "--path", "/var/lib/swap", "--size", "1024M"]
# mount-vpnkit mounts the 9p share used by vpnkit to coordinate port forwarding
- name: mount-vpnkit
@ -52,7 +52,7 @@ services:
image: linuxkit/acpid:d2ddd88c7918466f875e7c5c3e527b51dfb0b0ea
# Enable getty for easier debugging
- name: getty
image: linuxkit/getty:ed32c71531f5998aa510847bb07bd847492d4101
image: linuxkit/getty:ebe3397aa9b08e8f310121fdb0aac9406e1c8e73
env:
- INSECURE=true
# Run ntpd to keep time synchronised in the VM


@ -12,13 +12,13 @@ onboot:
- name: sysfs
image: linuxkit/sysfs:3498aa99c90a29439b5a1926f6ffcd75c270372c
- name: format
image: linuxkit/format:fdad8c50d594712537f94862dab3d955cbb48fc3
image: linuxkit/format:cf335053c7d0b4cd8cc2d136e9392ea5904a71dc
- name: mount
image: linuxkit/mount:71c868267a4503f99e84fd7698717a3669d9dfdb
image: linuxkit/mount:a9a5f731261891bd880e108e6fa2be5bac2f63ba
command: ["/usr/bin/mountie", "/var/lib/docker"]
services:
- name: getty
image: linuxkit/getty:ed32c71531f5998aa510847bb07bd847492d4101
image: linuxkit/getty:ebe3397aa9b08e8f310121fdb0aac9406e1c8e73
env:
- INSECURE=true
- name: rngd


@ -14,7 +14,7 @@ onboot:
command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
services:
- name: getty
image: linuxkit/getty:ed32c71531f5998aa510847bb07bd847492d4101
image: linuxkit/getty:ebe3397aa9b08e8f310121fdb0aac9406e1c8e73
# to make insecure with passwordless root login, uncomment following lines
#env:
# - INSECURE=true


@ -18,7 +18,7 @@ onshutdown:
command: ["/bin/echo", "so long and thanks for all the fish"]
services:
- name: getty
image: linuxkit/getty:ed32c71531f5998aa510847bb07bd847492d4101
image: linuxkit/getty:ebe3397aa9b08e8f310121fdb0aac9406e1c8e73
env:
- INSECURE=true
runtime:


@ -12,7 +12,7 @@ onboot:
command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
services:
- name: getty
image: linuxkit/getty:ed32c71531f5998aa510847bb07bd847492d4101
image: linuxkit/getty:ebe3397aa9b08e8f310121fdb0aac9406e1c8e73
env:
- INSECURE=true
- name: influxdb


@ -17,7 +17,7 @@ onboot:
services:
# Inside the getty type `/proc/1/root/usr/bin/logread -F` to follow the log
- name: getty
image: linuxkit/getty:ed32c71531f5998aa510847bb07bd847492d4101
image: linuxkit/getty:ebe3397aa9b08e8f310121fdb0aac9406e1c8e73
env:
- INSECURE=true
# A service which generates log messages for testing


@ -11,6 +11,6 @@ onboot:
command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
services:
- name: getty
image: linuxkit/getty:ed32c71531f5998aa510847bb07bd847492d4101
image: linuxkit/getty:ebe3397aa9b08e8f310121fdb0aac9406e1c8e73
env:
- INSECURE=true


@ -7,7 +7,7 @@ init:
- linuxkit/containerd:cc02c2af9c928c2faeccbe4edc78bd297ad91866
services:
- name: getty
image: linuxkit/getty:ed32c71531f5998aa510847bb07bd847492d4101
image: linuxkit/getty:ebe3397aa9b08e8f310121fdb0aac9406e1c8e73
env:
- INSECURE=true
- name: rngd


@ -16,7 +16,7 @@ onboot:
image: linuxkit/metadata:91125438842110e7709811997815b7b33dc18d1d
services:
- name: getty
image: linuxkit/getty:ed32c71531f5998aa510847bb07bd847492d4101
image: linuxkit/getty:ebe3397aa9b08e8f310121fdb0aac9406e1c8e73
env:
- INSECURE=true
- name: rngd


@ -24,7 +24,7 @@ services:
- name: rngd
image: linuxkit/rngd:bdabfe138f05f7d48396d2f435af16f5a6ccaa45
- name: getty
image: linuxkit/getty:ed32c71531f5998aa510847bb07bd847492d4101
image: linuxkit/getty:ebe3397aa9b08e8f310121fdb0aac9406e1c8e73
env:
- INSECURE=true
- name: sshd


@ -24,7 +24,7 @@ services:
- name: rngd
image: linuxkit/rngd:bdabfe138f05f7d48396d2f435af16f5a6ccaa45
- name: getty
image: linuxkit/getty:ed32c71531f5998aa510847bb07bd847492d4101
image: linuxkit/getty:ebe3397aa9b08e8f310121fdb0aac9406e1c8e73
env:
- INSECURE=true
- name: sshd


@ -11,7 +11,7 @@ onboot:
image: linuxkit/sysctl:02d2bd74509fd063857ceb4c4f502f09ee4f2e0a
services:
- name: getty
image: linuxkit/getty:ed32c71531f5998aa510847bb07bd847492d4101
image: linuxkit/getty:ebe3397aa9b08e8f310121fdb0aac9406e1c8e73
env:
- INSECURE=true
- name: rngd


@ -19,7 +19,7 @@ onboot:
image: linuxkit/metadata:91125438842110e7709811997815b7b33dc18d1d
services:
- name: getty
image: linuxkit/getty:ed32c71531f5998aa510847bb07bd847492d4101
image: linuxkit/getty:ebe3397aa9b08e8f310121fdb0aac9406e1c8e73
env:
- INSECURE=true
- name: rngd


@ -11,7 +11,7 @@ onboot:
image: linuxkit/sysctl:02d2bd74509fd063857ceb4c4f502f09ee4f2e0a
services:
- name: getty
image: linuxkit/getty:ed32c71531f5998aa510847bb07bd847492d4101
image: linuxkit/getty:ebe3397aa9b08e8f310121fdb0aac9406e1c8e73
env:
- INSECURE=true
- name: rngd


@ -17,7 +17,7 @@ onboot:
command: ["/usr/bin/metadata", "vultr"]
services:
- name: getty
image: linuxkit/getty:ed32c71531f5998aa510847bb07bd847492d4101
image: linuxkit/getty:ebe3397aa9b08e8f310121fdb0aac9406e1c8e73
env:
- INSECURE=true
- name: rngd


@ -13,7 +13,7 @@ onboot:
command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
services:
- name: getty
image: linuxkit/getty:ed32c71531f5998aa510847bb07bd847492d4101
image: linuxkit/getty:ebe3397aa9b08e8f310121fdb0aac9406e1c8e73
env:
- INSECURE=true
# Currently redis:4.0.6-alpine has trust issue with multi-arch


@ -14,7 +14,7 @@ onboot:
command: ["/sbin/rngd", "-1"]
services:
- name: getty
image: linuxkit/getty:ed32c71531f5998aa510847bb07bd847492d4101
image: linuxkit/getty:ebe3397aa9b08e8f310121fdb0aac9406e1c8e73
env:
- INSECURE=true
- name: rngd


@ -13,7 +13,7 @@ onboot:
command: ["ip", "-b", "/etc/ip/eth0.conf"]
services:
- name: getty
image: linuxkit/getty:ed32c71531f5998aa510847bb07bd847492d4101
image: linuxkit/getty:ebe3397aa9b08e8f310121fdb0aac9406e1c8e73
env:
- INSECURE=true
files:


@ -13,18 +13,18 @@ onboot:
image: linuxkit/dhcpcd:1033f340e2d42f86a60aab70752346f0045ea388
command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
- name: format
image: linuxkit/format:fdad8c50d594712537f94862dab3d955cbb48fc3
image: linuxkit/format:cf335053c7d0b4cd8cc2d136e9392ea5904a71dc
- name: mount
image: linuxkit/mount:71c868267a4503f99e84fd7698717a3669d9dfdb
image: linuxkit/mount:a9a5f731261891bd880e108e6fa2be5bac2f63ba
command: ["/usr/bin/mountie", "/var/external"]
- name: swap
image: linuxkit/swap:0028aeae2741d28120e4d2c6efcc5af003eae395
image: linuxkit/swap:7f7074c05bad414af39f2374301b72bc67314715
# to use unencrypted swap, use:
# command: ["/swap.sh", "--path", "/var/external/swap", "--size", "1G"]
command: ["/swap.sh", "--path", "/var/external/swap", "--size", "1G", "--encrypt"]
services:
- name: getty
image: linuxkit/getty:ed32c71531f5998aa510847bb07bd847492d4101
image: linuxkit/getty:ebe3397aa9b08e8f310121fdb0aac9406e1c8e73
env:
- INSECURE=true
- name: rngd


@ -14,7 +14,7 @@ onboot:
command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
services:
- name: getty
image: linuxkit/getty:ed32c71531f5998aa510847bb07bd847492d4101
image: linuxkit/getty:ebe3397aa9b08e8f310121fdb0aac9406e1c8e73
env:
- INSECURE=true
- name: tss


@ -40,7 +40,7 @@ onboot:
net: /run/netns/wg1
services:
- name: getty
image: linuxkit/getty:ed32c71531f5998aa510847bb07bd847492d4101
image: linuxkit/getty:ebe3397aa9b08e8f310121fdb0aac9406e1c8e73
env:
- INSECURE=true
net: /run/netns/wg1


@ -18,7 +18,7 @@ onshutdown:
command: ["/bin/echo", "so long and thanks for all the fish"]
services:
- name: getty
image: linuxkit/getty:ed32c71531f5998aa510847bb07bd847492d4101
image: linuxkit/getty:ebe3397aa9b08e8f310121fdb0aac9406e1c8e73
env:
- INSECURE=true
- name: rngd


@ -2,6 +2,10 @@ image: format
config:
binds:
- /dev:/dev
devices:
# all block devices
- path: all
type: b
capabilities:
- CAP_SYS_ADMIN
- CAP_MKNOD


@ -14,5 +14,27 @@ config:
- /var/lib/containerd:/var/lib/containerd
- /dev:/dev
- /sys:/sys
devices:
# individual console / tty character devices
- path: "/dev/console"
type: c
major: 5
minor: 1
mode: 0666
- path: "/dev/tty0"
type: c
major: 4
minor: 0
mode: 0666
- path: "/dev/ttyS0"
type: c
major: 4
minor: 64
mode: 0666
- path: "/dev/ttyAMA0"
type: c
major: 204
minor: 64
mode: 0666
capabilities:
- all
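Review bot: `mode: 0666` is unquoted in each of the four device entries in this section, while the schema added in this commit declares `mode` as a string; a YAML 1.1 loader reads a bare `0666` as the octal integer 438, so whether the value reaches `strconv.ParseInt(device.Mode, 8, 32)` as the text `0666` or fails validation as an integer depends on the loader's scalar handling rather than on anything in this file. Quoting it, `mode: "0666"`, makes the intent unambiguous and matches the `"type": "string"` declaration. The same unquoted form is in the `devices` example added to the docs in this commit, which is the form users will copy into their own image yaml, so it would be worth quoting there too.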


@ -4,6 +4,10 @@ config:
- /dev:/dev
- /var:/var:rshared,rbind
- /:/hostroot
devices:
# all block devices
- path: all
type: b
capabilities:
- CAP_SYS_ADMIN
rootfsPropagation: shared


@ -3,6 +3,10 @@ config:
binds:
- /dev:/dev
- /var:/var
devices:
# all devices (/dev/mapper is a character device)
- path: all
type: a
capabilities:
- CAP_SYS_ADMIN
- CAP_MKNOD
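Review bot: `path: all` with `type: a` adds an allow-all `rwm` rule to this container's device cgroup, which is wider than the `type: b` rule the `format` and `mount` packages get in the same commit; the comment gives the reason (`/dev/mapper` is a character device) but not the consequence. Since the container also carries CAP_SYS_ADMIN and CAP_MKNOD, a comment along the lines of `# all devices (/dev/mapper is a character device); this disables device-cgroup filtering for this onboot container` would make clear that the setting is deliberate for a short-lived onboot step and not a pattern to copy into long-running services.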


@ -15,13 +15,13 @@ onboot:
image: linuxkit/dhcpcd:1033f340e2d42f86a60aab70752346f0045ea388
command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
- name: format
image: linuxkit/format:fdad8c50d594712537f94862dab3d955cbb48fc3
image: linuxkit/format:cf335053c7d0b4cd8cc2d136e9392ea5904a71dc
- name: mount
image: linuxkit/mount:71c868267a4503f99e84fd7698717a3669d9dfdb
image: linuxkit/mount:a9a5f731261891bd880e108e6fa2be5bac2f63ba
command: ["/usr/bin/mountie", "/var/lib/docker"]
services:
- name: getty
image: linuxkit/getty:ed32c71531f5998aa510847bb07bd847492d4101
image: linuxkit/getty:ebe3397aa9b08e8f310121fdb0aac9406e1c8e73
env:
- INSECURE=true
- name: rngd


@ -15,13 +15,13 @@ onboot:
image: linuxkit/dhcpcd:1033f340e2d42f86a60aab70752346f0045ea388
command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
- name: format
image: linuxkit/format:fdad8c50d594712537f94862dab3d955cbb48fc3
image: linuxkit/format:cf335053c7d0b4cd8cc2d136e9392ea5904a71dc
- name: mount
image: linuxkit/mount:71c868267a4503f99e84fd7698717a3669d9dfdb
image: linuxkit/mount:a9a5f731261891bd880e108e6fa2be5bac2f63ba
command: ["/usr/bin/mountie", "/var/lib/docker"]
services:
- name: getty
image: linuxkit/getty:ed32c71531f5998aa510847bb07bd847492d4101
image: linuxkit/getty:ebe3397aa9b08e8f310121fdb0aac9406e1c8e73
env:
- INSECURE=true
- name: rngd


@ -11,7 +11,7 @@ onboot:
command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
services:
- name: getty
image: linuxkit/getty:ed32c71531f5998aa510847bb07bd847492d4101
image: linuxkit/getty:ebe3397aa9b08e8f310121fdb0aac9406e1c8e73
env:
- INSECURE=true
trust:


@ -12,7 +12,7 @@ onboot:
image: linuxkit/sysctl:02d2bd74509fd063857ceb4c4f502f09ee4f2e0a
services:
- name: getty
image: linuxkit/getty:ed32c71531f5998aa510847bb07bd847492d4101
image: linuxkit/getty:ebe3397aa9b08e8f310121fdb0aac9406e1c8e73
env:
- INSECURE=true
- name: rngd


@ -30,7 +30,7 @@ services:
- name: sshd
image: linuxkit/sshd:add8c094a9a253870b0a596796628fd4ec220b70
- name: getty
image: linuxkit/getty:ed32c71531f5998aa510847bb07bd847492d4101
image: linuxkit/getty:ebe3397aa9b08e8f310121fdb0aac9406e1c8e73
env:
- INSECURE=true
files:


@ -13,7 +13,7 @@ services:
- name: dhcpcd
image: linuxkit/dhcpcd:1033f340e2d42f86a60aab70752346f0045ea388
- name: getty
image: linuxkit/getty:ed32c71531f5998aa510847bb07bd847492d4101
image: linuxkit/getty:ebe3397aa9b08e8f310121fdb0aac9406e1c8e73
env:
- INSECURE=true
trust:


@ -14,7 +14,7 @@ onboot:
command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
services:
- name: getty
image: linuxkit/getty:ed32c71531f5998aa510847bb07bd847492d4101
image: linuxkit/getty:ebe3397aa9b08e8f310121fdb0aac9406e1c8e73
env:
- INSECURE=true
- name: rngd


@ -2,6 +2,7 @@ package moby
import (
"fmt"
"os"
"sort"
"strconv"
"strings"
@ -70,6 +71,7 @@ type ImageConfig struct {
Mounts *[]specs.Mount `yaml:"mounts,omitempty" json:"mounts,omitempty"`
Binds *[]string `yaml:"binds,omitempty" json:"binds,omitempty"`
BindsAdd *[]string `yaml:"binds.add,omitempty" json:"binds.add,omitempty"`
Devices *[]Device `yaml:"devices,omitempty" json:"devices,omitempty"`
Tmpfs *[]string `yaml:"tmpfs,omitempty" json:"tmpfs,omitempty"`
Command *[]string `yaml:"command,omitempty" json:"command,omitempty"`
Env *[]string `yaml:"env,omitempty" json:"env,omitempty"`
@ -102,6 +104,15 @@ type ImageConfig struct {
ref *reference.Spec
}
// Device specifies a device to be exposed to the container.
type Device struct {
Path string `yaml:"path" json:"path"`
Type string `yaml:"type" json:"type"`
Major int64 `yaml:"major" json:"major"`
Minor int64 `yaml:"minor" json:"minor"`
Mode string `yaml:"mode,omitempty" json:"mode,omitempty"`
}
// Runtime is the type of config processed at runtime, not used to build the OCI spec
type Runtime struct {
Cgroups *[]string `yaml:"cgroups,omitempty" json:"cgroups,omitempty"`
@ -561,6 +572,17 @@ func assignResources(v1, v2 *specs.LinuxResources) specs.LinuxResources {
return specs.LinuxResources{}
}
// assignDevices does ordered overrides from Devices
func assignDevices(v1, v2 *[]Device) []Device {
if v2 != nil {
return *v2
}
if v1 != nil {
return *v1
}
return []Device{}
}
// assignRuntime does ordered overrides from Runtime
func assignRuntime(v1, v2 *Runtime) Runtime {
if v1 == nil {
@ -1021,6 +1043,36 @@ func ConfigToOCI(yaml *Image, config imagespec.ImageConfig, idMap map[string]uin
resources := assignResources(label.Resources, yaml.Resources)
devices := assignDevices(label.Devices, yaml.Devices)
var linuxDevices []specs.LinuxDevice
for _, device := range devices {
if device.Path == "all" {
// add a category of devices to the device whitelist cgroup controller
resources.Devices = append(resources.Devices, specs.LinuxDeviceCgroup{
Allow: true,
Type: device.Type,
Access: "rwm", // read, write, mknod
})
continue
}
mode, err := strconv.ParseInt(device.Mode, 8, 32)
if err != nil {
return oci, runtime, fmt.Errorf("Cannot parse device mode as octal value: %v", err)
}
fileMode := os.FileMode(mode)
linuxDevice := specs.LinuxDevice{
Path: device.Path,
Type: device.Type,
Major: device.Major,
Minor: device.Minor,
FileMode: &fileMode,
}
linuxDevices = append(linuxDevices, linuxDevice)
// to access the device it must be added to the device whitelist cgroup controller
// see https://www.kernel.org/doc/html/latest/admin-guide/cgroup-v1/devices.html
resources.Devices = append(resources.Devices, deviceCgroup(linuxDevice))
}
oci.Linux = &specs.Linux{
UIDMappings: assignMappings(label.UIDMappings, yaml.UIDMappings),
GIDMappings: assignMappings(label.GIDMappings, yaml.GIDMappings),
@ -1028,7 +1080,7 @@ func ConfigToOCI(yaml *Image, config imagespec.ImageConfig, idMap map[string]uin
Resources: &resources,
CgroupsPath: assignString(label.CgroupsPath, yaml.CgroupsPath),
Namespaces: namespaces,
// Devices
Devices: linuxDevices,
// Seccomp
RootfsPropagation: assignString(label.RootfsPropagation, yaml.RootfsPropagation),
MaskedPaths: assignStrings(label.MaskedPaths, yaml.MaskedPaths),
@ -1041,3 +1093,13 @@ func ConfigToOCI(yaml *Image, config imagespec.ImageConfig, idMap map[string]uin
return oci, runtime, nil
}
func deviceCgroup(device specs.LinuxDevice) specs.LinuxDeviceCgroup {
return specs.LinuxDeviceCgroup{
Allow: true,
Type: device.Type,
Major: &device.Major,
Minor: &device.Minor,
Access: "rwm", // read, write, mknod
}
}
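Review bot: An entry that omits `mode` fails at `strconv.ParseInt(device.Mode, 8, 32)` with `Cannot parse device mode as octal value: ...`, even though `Mode` is tagged `omitempty` and the schema in this commit does not require it; either default the empty string or report the real cause, e.g. `if device.Mode == "" { return oci, runtime, fmt.Errorf("device %s: mode is required", device.Path) }` before the parse. Nothing checks `device.Type` before it is copied into both the `LinuxDevice` and the cgroup rule, so a mistyped value is only reported by the runtime when the container is started, and for the `all` branch `Major`/`Minor` are silently ignored, which the `Device` doc comment should say. Both the `all` branch and `deviceCgroup` grant `rwm`, i.e. mknod as well as read and write; that is appropriate for the onboot images touched here but is worth stating on the `Device` type so service authors know what `devices:` hands out. `ConfigToOCI` starts and ends outside these hunks.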


@ -67,6 +67,21 @@ var schema = string(`
"type": "array",
"items": { "$ref": "#/definitions/mount" }
},
"device": {
"type": "object",
"additionalProperties": false,
"properties": {
"path": { "type": "string" },
"type": { "type": "string" },
"major": { "type": "integer" },
"minor": { "type": "integer" },
"mode": { "type": "string" }
}
},
"devices": {
"type": "array",
"items": { "$ref": "#/definitions/device" }
},
"idmapping": {
"type": "object",
"additionalProperties": false,
@ -265,6 +280,7 @@ var schema = string(`
"mounts": { "$ref": "#/definitions/mounts" },
"binds": { "$ref": "#/definitions/strings" },
"binds.add": { "$ref": "#/definitions/strings" },
"devices": { "$ref": "#/definitions/devices" },
"tmpfs": { "$ref": "#/definitions/strings" },
"command": { "$ref": "#/definitions/strings" },
"env": { "$ref": "#/definitions/strings" },
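Review bot: The new `device` definition has no `required` list and accepts any string for `type`, so an entry missing `path` or carrying a mistyped type passes validation and is only rejected later by the Go parser or by the runtime. Adding `"required": ["path", "type"]` to the `device` object and constraining `type` with an `enum` of the values this commit actually uses (`a`, `b`, `c`, plus the OCI spec's `u` and `p` if the full character/block set is meant to be exposed) would catch this at validation time. Whether `mode` can stay optional depends on how the Go side treats an empty mode, which is outside this hunk.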


@ -6,7 +6,7 @@ init:
- linuxkit/runc:bf1e0c61fb4678d6428d0aabbd80db5ea24e4d4d
onboot:
- name: mount
image: linuxkit/mount:71c868267a4503f99e84fd7698717a3669d9dfdb
image: linuxkit/mount:a9a5f731261891bd880e108e6fa2be5bac2f63ba
binds.add:
- /check.sh:/check.sh
- /var/tmp:/var/tmp


@ -12,9 +12,9 @@ onboot:
- name: sysfs
image: linuxkit/sysfs:3498aa99c90a29439b5a1926f6ffcd75c270372c
- name: format
image: linuxkit/format:fdad8c50d594712537f94862dab3d955cbb48fc3
image: linuxkit/format:cf335053c7d0b4cd8cc2d136e9392ea5904a71dc
- name: mount
image: linuxkit/mount:71c868267a4503f99e84fd7698717a3669d9dfdb
image: linuxkit/mount:a9a5f731261891bd880e108e6fa2be5bac2f63ba
command: ["/usr/bin/mountie", "/var/lib/docker"]
services:
- name: rngd


@ -13,9 +13,9 @@ onboot:
- name: sysctl
image: linuxkit/sysctl:02d2bd74509fd063857ceb4c4f502f09ee4f2e0a
- name: format
image: linuxkit/format:fdad8c50d594712537f94862dab3d955cbb48fc3
image: linuxkit/format:cf335053c7d0b4cd8cc2d136e9392ea5904a71dc
- name: mount
image: linuxkit/mount:71c868267a4503f99e84fd7698717a3669d9dfdb
image: linuxkit/mount:a9a5f731261891bd880e108e6fa2be5bac2f63ba
command: ["/usr/bin/mountie", "/var/lib"]
- name: test
image: linuxkit/test-containerd:701421314e1b114c4787255431e066a681e80f16


@ -6,9 +6,9 @@ init:
- linuxkit/runc:bf1e0c61fb4678d6428d0aabbd80db5ea24e4d4d
onboot:
- name: format
image: linuxkit/format:fdad8c50d594712537f94862dab3d955cbb48fc3
image: linuxkit/format:cf335053c7d0b4cd8cc2d136e9392ea5904a71dc
- name: mount
image: linuxkit/mount:71c868267a4503f99e84fd7698717a3669d9dfdb
image: linuxkit/mount:a9a5f731261891bd880e108e6fa2be5bac2f63ba
command: ["/usr/bin/mountie", "/var/lib/docker"]
- name: test
image: alpine:3.13


@ -8,7 +8,7 @@ onboot:
- name: extend
image: linuxkit/extend:d0d5e69ba5716bd48d260b15510ca258ae17f990
- name: mount
image: linuxkit/mount:71c868267a4503f99e84fd7698717a3669d9dfdb
image: linuxkit/mount:a9a5f731261891bd880e108e6fa2be5bac2f63ba
command: ["/usr/bin/mountie", "/var/lib/docker"]
- name: test
image: alpine:3.13


@ -9,10 +9,10 @@ onboot:
image: linuxkit/modprobe:e2045c96cd2d3ef08eaf452396462d9205667690
command: ["modprobe", "btrfs"]
- name: format
image: linuxkit/format:fdad8c50d594712537f94862dab3d955cbb48fc3
image: linuxkit/format:cf335053c7d0b4cd8cc2d136e9392ea5904a71dc
command: ["/usr/bin/format", "-type", "btrfs" ]
- name: mount
image: linuxkit/mount:71c868267a4503f99e84fd7698717a3669d9dfdb
image: linuxkit/mount:a9a5f731261891bd880e108e6fa2be5bac2f63ba
command: ["/usr/bin/mountie", "/var/lib/docker"]
- name: test
image: alpine:3.13


@ -12,7 +12,7 @@ onboot:
image: linuxkit/extend:d0d5e69ba5716bd48d260b15510ca258ae17f990
command: ["/usr/bin/extend", "-type", "btrfs"]
- name: mount
image: linuxkit/mount:71c868267a4503f99e84fd7698717a3669d9dfdb
image: linuxkit/mount:a9a5f731261891bd880e108e6fa2be5bac2f63ba
command: ["/usr/bin/mountie", "/var/lib/docker"]
- name: test
image: alpine:3.13


@ -6,10 +6,10 @@ init:
- linuxkit/runc:bf1e0c61fb4678d6428d0aabbd80db5ea24e4d4d
onboot:
- name: format
image: linuxkit/format:fdad8c50d594712537f94862dab3d955cbb48fc3
image: linuxkit/format:cf335053c7d0b4cd8cc2d136e9392ea5904a71dc
command: ["/usr/bin/format", "-type", "xfs"]
- name: mount
image: linuxkit/mount:71c868267a4503f99e84fd7698717a3669d9dfdb
image: linuxkit/mount:a9a5f731261891bd880e108e6fa2be5bac2f63ba
command: ["/usr/bin/mountie", "/var/lib/docker"]
- name: test
image: alpine:3.13


@ -9,7 +9,7 @@ onboot:
image: linuxkit/extend:d0d5e69ba5716bd48d260b15510ca258ae17f990
command: ["/usr/bin/extend", "-type", "xfs"]
- name: mount
image: linuxkit/mount:71c868267a4503f99e84fd7698717a3669d9dfdb
image: linuxkit/mount:a9a5f731261891bd880e108e6fa2be5bac2f63ba
command: ["/usr/bin/mountie", "/var/lib/docker"]
- name: test
image: alpine:3.13


@ -6,10 +6,10 @@ init:
- linuxkit/runc:bf1e0c61fb4678d6428d0aabbd80db5ea24e4d4d
onboot:
- name: format
image: linuxkit/format:fdad8c50d594712537f94862dab3d955cbb48fc3
image: linuxkit/format:cf335053c7d0b4cd8cc2d136e9392ea5904a71dc
command: ["/usr/bin/format", "-partition", "gpt"]
- name: mount
image: linuxkit/mount:71c868267a4503f99e84fd7698717a3669d9dfdb
image: linuxkit/mount:a9a5f731261891bd880e108e6fa2be5bac2f63ba
command: ["/usr/bin/mountie", "/var/lib/docker"]
- name: test
image: alpine:3.13


@ -8,7 +8,7 @@ onboot:
- name: extend
image: linuxkit/extend:d0d5e69ba5716bd48d260b15510ca258ae17f990
- name: mount
image: linuxkit/mount:71c868267a4503f99e84fd7698717a3669d9dfdb
image: linuxkit/mount:a9a5f731261891bd880e108e6fa2be5bac2f63ba
command: ["/usr/bin/mountie", "/var/lib/docker"]
- name: test
image: alpine:3.13


@ -6,10 +6,10 @@ init:
- linuxkit/runc:bf1e0c61fb4678d6428d0aabbd80db5ea24e4d4d
onboot:
- name: format
image: linuxkit/format:fdad8c50d594712537f94862dab3d955cbb48fc3
image: linuxkit/format:cf335053c7d0b4cd8cc2d136e9392ea5904a71dc
command: ["/usr/bin/format"]
- name: mount
image: linuxkit/mount:71c868267a4503f99e84fd7698717a3669d9dfdb
image: linuxkit/mount:a9a5f731261891bd880e108e6fa2be5bac2f63ba
command: ["/usr/bin/mountie", "/var/lib/docker"]
- name: test
image: alpine:3.13


@ -6,10 +6,10 @@ init:
- linuxkit/runc:bf1e0c61fb4678d6428d0aabbd80db5ea24e4d4d
onboot:
- name: format
image: linuxkit/format:fdad8c50d594712537f94862dab3d955cbb48fc3
image: linuxkit/format:cf335053c7d0b4cd8cc2d136e9392ea5904a71dc
command: ["/usr/bin/format", "-label", "docker"]
- name: mount
image: linuxkit/mount:71c868267a4503f99e84fd7698717a3669d9dfdb
image: linuxkit/mount:a9a5f731261891bd880e108e6fa2be5bac2f63ba
command: ["/usr/bin/mountie", "-label", "docker", "/var/lib/docker"]
- name: test
image: alpine:3.13


@ -6,10 +6,10 @@ init:
- linuxkit/runc:bf1e0c61fb4678d6428d0aabbd80db5ea24e4d4d
onboot:
- name: format
image: linuxkit/format:fdad8c50d594712537f94862dab3d955cbb48fc3
image: linuxkit/format:cf335053c7d0b4cd8cc2d136e9392ea5904a71dc
command: ["/usr/bin/format", "@DEVICE@"]
- name: mount
image: linuxkit/mount:71c868267a4503f99e84fd7698717a3669d9dfdb
image: linuxkit/mount:a9a5f731261891bd880e108e6fa2be5bac2f63ba
command: ["/usr/bin/mountie", "-device", "@DEVICE@1", "/var/lib/docker"]
- name: test
image: alpine:3.13


@ -9,10 +9,10 @@ onboot:
image: linuxkit/modprobe:e2045c96cd2d3ef08eaf452396462d9205667690
command: ["modprobe", "btrfs"]
- name: format
image: linuxkit/format:fdad8c50d594712537f94862dab3d955cbb48fc3
image: linuxkit/format:cf335053c7d0b4cd8cc2d136e9392ea5904a71dc
command: ["/usr/bin/format", "-type", "btrfs" ]
- name: mount
image: linuxkit/mount:71c868267a4503f99e84fd7698717a3669d9dfdb
image: linuxkit/mount:a9a5f731261891bd880e108e6fa2be5bac2f63ba
command: ["/usr/bin/mountie", "/var/lib/docker"]
- name: test
image: alpine:3.13


@ -6,10 +6,10 @@ init:
- linuxkit/runc:bf1e0c61fb4678d6428d0aabbd80db5ea24e4d4d
onboot:
- name: format
image: linuxkit/format:fdad8c50d594712537f94862dab3d955cbb48fc3
image: linuxkit/format:cf335053c7d0b4cd8cc2d136e9392ea5904a71dc
command: ["/usr/bin/format", "-type", "xfs" ]
- name: mount
image: linuxkit/mount:71c868267a4503f99e84fd7698717a3669d9dfdb
image: linuxkit/mount:a9a5f731261891bd880e108e6fa2be5bac2f63ba
command: ["/usr/bin/mountie", "/var/lib/docker"]
- name: test
image: alpine:3.13


@ -6,19 +6,19 @@ init:
- linuxkit/runc:bf1e0c61fb4678d6428d0aabbd80db5ea24e4d4d
onboot:
- name: format
image: linuxkit/format:fdad8c50d594712537f94862dab3d955cbb48fc3
image: linuxkit/format:cf335053c7d0b4cd8cc2d136e9392ea5904a71dc
command: ["/usr/bin/format", "-verbose", "-type", "ext4", "/dev/sda"]
- name: format
image: linuxkit/format:fdad8c50d594712537f94862dab3d955cbb48fc3
image: linuxkit/format:cf335053c7d0b4cd8cc2d136e9392ea5904a71dc
command: ["/usr/bin/format", "-verbose", "-type", "ext4", "/dev/sdb"]
- name: format
image: linuxkit/format:fdad8c50d594712537f94862dab3d955cbb48fc3
image: linuxkit/format:cf335053c7d0b4cd8cc2d136e9392ea5904a71dc
command: ["/usr/bin/format", "-verbose", "-type", "xfs", "/dev/sda"]
- name: format
image: linuxkit/format:fdad8c50d594712537f94862dab3d955cbb48fc3
image: linuxkit/format:cf335053c7d0b4cd8cc2d136e9392ea5904a71dc
command: ["/usr/bin/format", "-verbose", "-force", "-type", "xfs", "/dev/sdb"]
- name: test
image: linuxkit/format:fdad8c50d594712537f94862dab3d955cbb48fc3
image: linuxkit/format:cf335053c7d0b4cd8cc2d136e9392ea5904a71dc
binds:
- /check.sh:/check.sh
command: ["sh", "./check.sh"]


@ -6,10 +6,10 @@ init:
- linuxkit/runc:bf1e0c61fb4678d6428d0aabbd80db5ea24e4d4d
onboot:
- name: format
image: linuxkit/format:fdad8c50d594712537f94862dab3d955cbb48fc3
image: linuxkit/format:cf335053c7d0b4cd8cc2d136e9392ea5904a71dc
command: ["/usr/bin/format", "-partition", "gpt"]
- name: mount
image: linuxkit/mount:71c868267a4503f99e84fd7698717a3669d9dfdb
image: linuxkit/mount:a9a5f731261891bd880e108e6fa2be5bac2f63ba
command: ["/usr/bin/mountie", "/var/lib/docker"]
- name: test
image: alpine:3.13


@ -6,16 +6,16 @@ init:
- linuxkit/runc:bf1e0c61fb4678d6428d0aabbd80db5ea24e4d4d
onboot:
- name: format
image: linuxkit/format:fdad8c50d594712537f94862dab3d955cbb48fc3
image: linuxkit/format:cf335053c7d0b4cd8cc2d136e9392ea5904a71dc
command: ["/usr/bin/format", "-label", "docker"]
- name: format
image: linuxkit/format:fdad8c50d594712537f94862dab3d955cbb48fc3
image: linuxkit/format:cf335053c7d0b4cd8cc2d136e9392ea5904a71dc
command: ["/usr/bin/format", "-label", "foo"]
- name: mount
image: linuxkit/mount:71c868267a4503f99e84fd7698717a3669d9dfdb
image: linuxkit/mount:a9a5f731261891bd880e108e6fa2be5bac2f63ba
command: ["/usr/bin/mountie", "-label", "docker", "/var/lib/docker"]
- name: mount
image: linuxkit/mount:71c868267a4503f99e84fd7698717a3669d9dfdb
image: linuxkit/mount:a9a5f731261891bd880e108e6fa2be5bac2f63ba
command: ["/usr/bin/mountie", "-label", "foo", "/var/foo"]
- name: test
image: alpine:3.13


@ -12,7 +12,7 @@ onboot:
command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
services:
- name: getty
image: linuxkit/getty:ed32c71531f5998aa510847bb07bd847492d4101
image: linuxkit/getty:ebe3397aa9b08e8f310121fdb0aac9406e1c8e73
files:
- path: etc/getty.shadow
# sample sets password for root to "abcdefgh" (without quotes)