From 9c3863b7277e9e9ec3a25ada1e92cdb4a8fe90e7 Mon Sep 17 00:00:00 2001 From: zhouhao Date: Mon, 24 Apr 2017 15:05:25 +0800 Subject: [PATCH] generate: rectify the arguments Signed-off-by: zhouhao --- cmd/oci-runtime-tool/generate.go | 230 ++++++++++---------- completions/bash/oci-runtime-tool | 84 ++++---- man/oci-runtime-tool-generate.1.md | 333 +++++++++++++++-------------- 3 files changed, 326 insertions(+), 321 deletions(-) diff --git a/cmd/oci-runtime-tool/generate.go b/cmd/oci-runtime-tool/generate.go index 482256268..54ab9238c 100644 --- a/cmd/oci-runtime-tool/generate.go +++ b/cmd/oci-runtime-tool/generate.go @@ -17,29 +17,26 @@ import ( ) var generateFlags = []cli.Flag{ - cli.StringFlag{Name: "apparmor", Usage: "specifies the the apparmor profile for the container"}, cli.StringSliceFlag{Name: "args", Usage: "command to run in the container"}, - cli.StringSliceFlag{Name: "bind", Usage: "bind mount directories src:dest[:options...]"}, - cli.StringSliceFlag{Name: "cap-add", Usage: "add Linux capabilities"}, - cli.StringSliceFlag{Name: "cap-drop", Usage: "drop Linux capabilities"}, - cli.BoolFlag{Name: "cap-drop-all", Usage: "drop all Linux capabilities"}, - cli.StringFlag{Name: "cgroups-path", Usage: "specify the path to the cgroups"}, - cli.StringFlag{Name: "cwd", Value: "/", Usage: "current working directory for the process"}, - cli.StringSliceFlag{Name: "device-add", Usage: "add a device which must be made available in the container"}, - cli.StringSliceFlag{Name: "device-remove", Usage: "remove a device which must be made available in the container"}, - cli.BoolFlag{Name: "device-remove-all", Usage: "remove all devices which must be made available in the container"}, - cli.BoolFlag{Name: "disable-oom-kill", Usage: "disable OOM Killer"}, cli.StringSliceFlag{Name: "env", Usage: "add environment variable e.g. key=value"}, cli.StringSliceFlag{Name: "env-file", Usage: "read in a file of environment variables"}, - cli.IntFlag{Name: "gid", Usage: "gid for the process"}, - cli.StringSliceFlag{Name: "gidmappings", Usage: "add GIDMappings e.g HostID:ContainerID:Size"}, - cli.StringSliceFlag{Name: "groups", Usage: "supplementary groups for the process"}, cli.StringFlag{Name: "hostname", Usage: "hostname value for the container"}, + cli.StringSliceFlag{Name: "hooks-poststart", Usage: "set command to run in poststart hooks"}, + cli.StringSliceFlag{Name: "hooks-poststop", Usage: "set command to run in poststop hooks"}, + cli.StringSliceFlag{Name: "hooks-prestart", Usage: "set command to run in prestart hooks"}, cli.StringSliceFlag{Name: "label", Usage: "add annotations to the configuration e.g. key=value"}, + cli.StringFlag{Name: "linux-apparmor", Usage: "specifies the the apparmor profile for the container"}, + cli.StringFlag{Name: "linux-cgroups-path", Usage: "specify the path to the cgroups"}, cli.Uint64Flag{Name: "linux-cpu-shares", Usage: "the relative share of CPU time available to the tasks in a cgroup"}, cli.Uint64Flag{Name: "linux-cpu-period", Usage: "the CPU period to be used for hardcapping (in usecs)"}, cli.Uint64Flag{Name: "linux-cpu-quota", Usage: "the allowed CPU time in a given period (in usecs)"}, cli.StringFlag{Name: "linux-cpus", Usage: "CPUs to use within the cpuset (default is to use any CPU available)"}, + cli.StringSliceFlag{Name: "linux-device-add", Usage: "add a device which must be made available in the container"}, + cli.StringSliceFlag{Name: "linux-device-remove", Usage: "remove a device which must be made available in the container"}, + cli.BoolFlag{Name: "linux-device-remove-all", Usage: "remove all devices which must be made available in the container"}, + cli.BoolFlag{Name: "linux-disable-oom-kill", Usage: "disable OOM Killer"}, + cli.StringSliceFlag{Name: "linux-gidmappings", Usage: "add GIDMappings e.g HostID:ContainerID:Size"}, + cli.StringSliceFlag{Name: "linux-masked-paths", Usage: "specifies paths can not be read inside container"}, cli.Uint64Flag{Name: "linux-mem-kernel-limit", Usage: "kernel memory limit (in bytes)"}, cli.Uint64Flag{Name: "linux-mem-kernel-tcp", Usage: "kernel memory limit for tcp (in bytes)"}, cli.Uint64Flag{Name: "linux-mem-limit", Usage: "memory limit (in bytes)"}, @@ -47,49 +44,52 @@ var generateFlags = []cli.Flag{ cli.Uint64Flag{Name: "linux-mem-swap", Usage: "total memory limit (memory + swap) (in bytes)"}, cli.Uint64Flag{Name: "linux-mem-swappiness", Usage: "how aggressive the kernel will swap memory pages (Range from 0 to 100)"}, cli.StringFlag{Name: "linux-mems", Usage: "list of memory nodes in the cpuset (default is to use any available memory node)"}, + cli.StringFlag{Name: "linux-mount-label", Usage: "selinux mount context label"}, cli.StringSliceFlag{Name: "linux-namespace-add", Usage: "adds a namespace to the set of namespaces to create or join of the form 'ns[:path]'"}, cli.StringSliceFlag{Name: "linux-namespace-remove", Usage: "removes a namespace from the set of namespaces to create or join of the form 'ns'"}, cli.BoolFlag{Name: "linux-namespace-remove-all", Usage: "removes all namespaces from the set of namespaces created or joined"}, cli.IntFlag{Name: "linux-network-classid", Usage: "specifies class identifier tagged by container's network packets"}, cli.StringSliceFlag{Name: "linux-network-priorities", Usage: "specifies priorities of network traffic"}, + cli.IntFlag{Name: "linux-oom-score-adj", Usage: "oom_score_adj for the container"}, cli.Int64Flag{Name: "linux-pids-limit", Usage: "maximum number of PIDs"}, + cli.StringSliceFlag{Name: "linux-readonly-paths", Usage: "specifies paths readonly inside container"}, cli.Int64Flag{Name: "linux-realtime-period", Usage: "CPU period to be used for realtime scheduling (in usecs)"}, cli.Int64Flag{Name: "linux-realtime-runtime", Usage: "the time realtime scheduling may use (in usecs)"}, - cli.StringSliceFlag{Name: "masked-paths", Usage: "specifies paths can not be read inside container"}, + cli.StringFlag{Name: "linux-rootfs-propagation", Usage: "mount propagation for rootfs"}, + cli.StringFlag{Name: "linux-seccomp-allow", Usage: "specifies syscalls to respond with allow"}, + cli.StringFlag{Name: "linux-seccomp-arch", Usage: "specifies additional architectures permitted to be used for system calls"}, + cli.StringFlag{Name: "linux-seccomp-default", Usage: "specifies default action to be used for system calls and removes existing rules with specified action"}, + cli.StringFlag{Name: "linux-seccomp-default-force", Usage: "same as seccomp-default but does not remove existing rules with specified action"}, + cli.StringFlag{Name: "linux-seccomp-errno", Usage: "specifies syscalls to respond with errno"}, + cli.StringFlag{Name: "linux-seccomp-kill", Usage: "specifies syscalls to respond with kill"}, + cli.BoolFlag{Name: "linux-seccomp-only", Usage: "specifies to export just a seccomp configuration file"}, + cli.StringFlag{Name: "linux-seccomp-remove", Usage: "specifies syscalls to remove seccomp rules for"}, + cli.BoolFlag{Name: "linux-seccomp-remove-all", Usage: "removes all syscall rules from seccomp configuration"}, + cli.StringFlag{Name: "linux-seccomp-trace", Usage: "specifies syscalls to respond with trace"}, + cli.StringFlag{Name: "linux-seccomp-trap", Usage: "specifies syscalls to respond with trap"}, + cli.StringFlag{Name: "linux-selinux-label", Usage: "process selinux label"}, + cli.StringSliceFlag{Name: "linux-sysctl", Usage: "add sysctl settings e.g net.ipv4.forward=1"}, + cli.StringSliceFlag{Name: "linux-uidmappings", Usage: "add UIDMappings e.g HostID:ContainerID:Size"}, + cli.StringSliceFlag{Name: "mount-bind", Usage: "bind mount directories src:dest[:options...]"}, cli.StringFlag{Name: "mount-cgroups", Value: "no", Usage: "mount cgroups (rw,ro,no)"}, - cli.StringFlag{Name: "mount-label", Usage: "selinux mount context label"}, - cli.BoolFlag{Name: "no-new-privileges", Usage: "set no new privileges bit for the container process"}, - cli.IntFlag{Name: "oom-score-adj", Usage: "oom_score_adj for the container"}, cli.StringFlag{Name: "output", Usage: "output file (defaults to stdout)"}, - cli.StringSliceFlag{Name: "poststart", Usage: "set command to run in poststart hooks"}, - cli.StringSliceFlag{Name: "poststop", Usage: "set command to run in poststop hooks"}, - cli.StringSliceFlag{Name: "prestart", Usage: "set command to run in prestart hooks"}, cli.BoolFlag{Name: "privileged", Usage: "enable privileged container settings"}, - cli.StringSliceFlag{Name: "readonly-paths", Usage: "specifies paths readonly inside container"}, + cli.StringSliceFlag{Name: "process-cap-add", Usage: "add Linux capabilities"}, + cli.StringSliceFlag{Name: "process-cap-drop", Usage: "drop Linux capabilities"}, + cli.BoolFlag{Name: "process-cap-drop-all", Usage: "drop all Linux capabilities"}, + cli.StringFlag{Name: "process-cwd", Value: "/", Usage: "current working directory for the process"}, + cli.IntFlag{Name: "process-gid", Usage: "gid for the process"}, + cli.StringSliceFlag{Name: "process-groups", Usage: "supplementary groups for the process"}, + cli.BoolFlag{Name: "process-no-new-privileges", Usage: "set no new privileges bit for the container process"}, + cli.StringSliceFlag{Name: "process-rlimits-add", Usage: "specifies resource limits for processes inside the container. "}, + cli.StringSliceFlag{Name: "process-rlimits-remove", Usage: "remove specified resource limits for processes inside the container. "}, + cli.BoolFlag{Name: "process-rlimits-remove-all", Usage: "remove all resource limits for processes inside the container. "}, + cli.BoolFlag{Name: "process-tty", Usage: "allocate a new tty for the container process"}, + cli.IntFlag{Name: "process-uid", Usage: "uid for the process"}, cli.StringFlag{Name: "rootfs-path", Value: "rootfs", Usage: "path to the root filesystem"}, - cli.StringFlag{Name: "rootfs-propagation", Usage: "mount propagation for rootfs"}, cli.BoolFlag{Name: "rootfs-readonly", Usage: "make the container's rootfs readonly"}, - cli.StringSliceFlag{Name: "rlimits-add", Usage: "specifies resource limits for processes inside the container. "}, - cli.StringSliceFlag{Name: "rlimits-remove", Usage: "remove specified resource limits for processes inside the container. "}, - cli.BoolFlag{Name: "rlimits-remove-all", Usage: "remove all resource limits for processes inside the container. "}, - cli.StringFlag{Name: "seccomp-allow", Usage: "specifies syscalls to respond with allow"}, - cli.StringFlag{Name: "seccomp-arch", Usage: "specifies additional architectures permitted to be used for system calls"}, - cli.StringFlag{Name: "seccomp-default", Usage: "specifies default action to be used for system calls and removes existing rules with specified action"}, - cli.StringFlag{Name: "seccomp-default-force", Usage: "same as seccomp-default but does not remove existing rules with specified action"}, - cli.StringFlag{Name: "seccomp-errno", Usage: "specifies syscalls to respond with errno"}, - cli.StringFlag{Name: "seccomp-kill", Usage: "specifies syscalls to respond with kill"}, - cli.BoolFlag{Name: "seccomp-only", Usage: "specifies to export just a seccomp configuration file"}, - cli.StringFlag{Name: "seccomp-remove", Usage: "specifies syscalls to remove seccomp rules for"}, - cli.BoolFlag{Name: "seccomp-remove-all", Usage: "removes all syscall rules from seccomp configuration"}, - cli.StringFlag{Name: "seccomp-trace", Usage: "specifies syscalls to respond with trace"}, - cli.StringFlag{Name: "seccomp-trap", Usage: "specifies syscalls to respond with trap"}, - cli.StringFlag{Name: "selinux-label", Usage: "process selinux label"}, - cli.StringSliceFlag{Name: "sysctl", Usage: "add sysctl settings e.g net.ipv4.forward=1"}, cli.StringFlag{Name: "template", Usage: "base template to use for creating the configuration"}, cli.StringSliceFlag{Name: "tmpfs", Usage: "mount tmpfs e.g. ContainerDIR[:OPTIONS...]"}, - cli.BoolFlag{Name: "tty", Usage: "allocate a new tty for the container process"}, - cli.IntFlag{Name: "uid", Usage: "uid for the process"}, - cli.StringSliceFlag{Name: "uidmappings", Usage: "add UIDMappings e.g HostID:ContainerID:Size"}, } var generateCommand = cli.Command{ @@ -119,7 +119,7 @@ var generateCommand = cli.Command{ } var exportOpts generate.ExportOptions - exportOpts.Seccomp = context.Bool("seccomp-only") + exportOpts.Seccomp = context.Bool("linux-seccomp-only") if context.IsSet("output") { err = specgen.SaveToFile(context.String("output"), exportOpts) @@ -165,30 +165,30 @@ func setupSpec(g *generate.Generator, context *cli.Context) error { g.SetRootReadonly(context.Bool("rootfs-readonly")) } - if context.IsSet("uid") { - g.SetProcessUID(uint32(context.Int("uid"))) + if context.IsSet("process-uid") { + g.SetProcessUID(uint32(context.Int("process-uid"))) } - if context.IsSet("gid") { - g.SetProcessGID(uint32(context.Int("gid"))) + if context.IsSet("process-gid") { + g.SetProcessGID(uint32(context.Int("process-gid"))) } - if context.IsSet("selinux-label") { - g.SetProcessSelinuxLabel(context.String("selinux-label")) + if context.IsSet("linux-selinux-label") { + g.SetProcessSelinuxLabel(context.String("linux-selinux-label")) } - g.SetProcessCwd(context.String("cwd")) + g.SetProcessCwd(context.String("process-cwd")) - if context.IsSet("apparmor") { - g.SetProcessApparmorProfile(context.String("apparmor")) + if context.IsSet("linux-apparmor") { + g.SetProcessApparmorProfile(context.String("linux-apparmor")) } - if context.IsSet("no-new-privileges") { - g.SetProcessNoNewPrivileges(context.Bool("no-new-privileges")) + if context.IsSet("process-no-new-privileges") { + g.SetProcessNoNewPrivileges(context.Bool("process-no-new-privileges")) } - if context.IsSet("tty") { - g.SetProcessTerminal(context.Bool("tty")) + if context.IsSet("process-tty") { + g.SetProcessTerminal(context.Bool("process-tty")) } if context.IsSet("args") { @@ -210,8 +210,8 @@ func setupSpec(g *generate.Generator, context *cli.Context) error { } } - if context.IsSet("groups") { - groups := context.StringSlice("groups") + if context.IsSet("process-groups") { + groups := context.StringSlice("process-groups") for _, group := range groups { groupID, err := strconv.Atoi(group) if err != nil { @@ -221,30 +221,30 @@ func setupSpec(g *generate.Generator, context *cli.Context) error { } } - if context.IsSet("cgroups-path") { - g.SetLinuxCgroupsPath(context.String("cgroups-path")) + if context.IsSet("linux-cgroups-path") { + g.SetLinuxCgroupsPath(context.String("linux-cgroups-path")) } - if context.IsSet("masked-paths") { - paths := context.StringSlice("masked-paths") + if context.IsSet("linux-masked-paths") { + paths := context.StringSlice("linux-masked-paths") for _, path := range paths { g.AddLinuxMaskedPaths(path) } } - if context.IsSet("readonly-paths") { - paths := context.StringSlice("readonly-paths") + if context.IsSet("linux-readonly-paths") { + paths := context.StringSlice("linux-readonly-paths") for _, path := range paths { g.AddLinuxReadonlyPaths(path) } } - if context.IsSet("mount-label") { - g.SetLinuxMountLabel(context.String("mount-label")) + if context.IsSet("linux-mount-label") { + g.SetLinuxMountLabel(context.String("linux-mount-label")) } - if context.IsSet("sysctl") { - sysctls := context.StringSlice("sysctl") + if context.IsSet("linux-sysctl") { + sysctls := context.StringSlice("linux-sysctl") for _, s := range sysctls { pair := strings.Split(s, "=") if len(pair) != 2 { @@ -256,8 +256,8 @@ func setupSpec(g *generate.Generator, context *cli.Context) error { g.SetupPrivileged(context.Bool("privileged")) - if context.IsSet("cap-add") { - addCaps := context.StringSlice("cap-add") + if context.IsSet("process-cap-add") { + addCaps := context.StringSlice("process-cap-add") for _, cap := range addCaps { if err := g.AddProcessCapability(cap); err != nil { return err @@ -265,8 +265,8 @@ func setupSpec(g *generate.Generator, context *cli.Context) error { } } - if context.IsSet("cap-drop") { - dropCaps := context.StringSlice("cap-drop") + if context.IsSet("process-cap-drop") { + dropCaps := context.StringSlice("process-cap-drop") for _, cap := range dropCaps { if err := g.DropProcessCapability(cap); err != nil { return err @@ -274,18 +274,18 @@ func setupSpec(g *generate.Generator, context *cli.Context) error { } } - if context.Bool("cap-drop-all") { + if context.Bool("process-cap-drop-all") { g.ClearProcessCapabilities() } var uidMaps, gidMaps []string - if context.IsSet("uidmappings") { - uidMaps = context.StringSlice("uidmappings") + if context.IsSet("linux-uidmappings") { + uidMaps = context.StringSlice("linux-uidmappings") } - if context.IsSet("gidmappings") { - gidMaps = context.StringSlice("gidmappings") + if context.IsSet("linux-gidmappings") { + gidMaps = context.StringSlice("linux-gidmappings") } // Add default user namespace. @@ -309,8 +309,8 @@ func setupSpec(g *generate.Generator, context *cli.Context) error { return err } - if context.IsSet("bind") { - binds := context.StringSlice("bind") + if context.IsSet("mount-bind") { + binds := context.StringSlice("mount-bind") for _, bind := range binds { source, dest, options, err := parseBindMount(bind) if err != nil { @@ -320,8 +320,8 @@ func setupSpec(g *generate.Generator, context *cli.Context) error { } } - if context.IsSet("prestart") { - preStartHooks := context.StringSlice("prestart") + if context.IsSet("hooks-prestart") { + preStartHooks := context.StringSlice("hooks-prestart") for _, hook := range preStartHooks { path, args, err := parseHook(hook) if err != nil { @@ -331,8 +331,8 @@ func setupSpec(g *generate.Generator, context *cli.Context) error { } } - if context.IsSet("poststop") { - postStopHooks := context.StringSlice("poststop") + if context.IsSet("hooks-poststop") { + postStopHooks := context.StringSlice("hooks-poststop") for _, hook := range postStopHooks { path, args, err := parseHook(hook) if err != nil { @@ -342,8 +342,8 @@ func setupSpec(g *generate.Generator, context *cli.Context) error { } } - if context.IsSet("poststart") { - postStartHooks := context.StringSlice("poststart") + if context.IsSet("hooks-poststart") { + postStartHooks := context.StringSlice("hooks-poststart") for _, hook := range postStartHooks { path, args, err := parseHook(hook) if err != nil { @@ -353,8 +353,8 @@ func setupSpec(g *generate.Generator, context *cli.Context) error { } } - if context.IsSet("rootfs-propagation") { - rp := context.String("rootfs-propagation") + if context.IsSet("linux-rootfs-propagation") { + rp := context.String("linux-rootfs-propagation") if err := g.SetLinuxRootPropagation(rp); err != nil { return err } @@ -378,12 +378,12 @@ func setupSpec(g *generate.Generator, context *cli.Context) error { g.AddLinuxGIDMapping(hid, cid, size) } - if context.IsSet("disable-oom-kill") { - g.SetLinuxResourcesDisableOOMKiller(context.Bool("disable-oom-kill")) + if context.IsSet("linux-disable-oom-kill") { + g.SetLinuxResourcesDisableOOMKiller(context.Bool("linux-disable-oom-kill")) } - if context.IsSet("oom-score-adj") { - g.SetLinuxResourcesOOMScoreAdj(context.Int("oom-score-adj")) + if context.IsSet("linux-oom-score-adj") { + g.SetLinuxResourcesOOMScoreAdj(context.Int("linux-oom-score-adj")) } if context.IsSet("linux-cpu-shares") { @@ -487,8 +487,8 @@ func setupSpec(g *generate.Generator, context *cli.Context) error { g.ClearLinuxNamespaces() } - if context.IsSet("rlimits-add") { - rlimits := context.StringSlice("rlimits-add") + if context.IsSet("process-rlimits-add") { + rlimits := context.StringSlice("process-rlimits-add") for _, rlimit := range rlimits { rType, rHard, rSoft, err := parseRlimit(rlimit) if err != nil { @@ -498,8 +498,8 @@ func setupSpec(g *generate.Generator, context *cli.Context) error { } } - if context.IsSet("rlimits-remove") { - rlimits := context.StringSlice("rlimits-remove") + if context.IsSet("process-rlimits-remove") { + rlimits := context.StringSlice("process-rlimits-remove") for _, rlimit := range rlimits { err := g.RemoveProcessRlimits(rlimit) if err != nil { @@ -508,12 +508,12 @@ func setupSpec(g *generate.Generator, context *cli.Context) error { } } - if context.Bool("rlimits-remove-all") { + if context.Bool("process-rlimits-remove-all") { g.ClearProcessRlimits() } - if context.IsSet("device-add") { - devices := context.StringSlice("device-add") + if context.IsSet("linux-device-add") { + devices := context.StringSlice("linux-device-add") for _, deviceArg := range devices { dev, err := parseDevice(deviceArg, g) if err != nil { @@ -523,8 +523,8 @@ func setupSpec(g *generate.Generator, context *cli.Context) error { } } - if context.IsSet("device-remove") { - devices := context.StringSlice("device-remove") + if context.IsSet("linux-device-remove") { + devices := context.StringSlice("linux-device-remove") for _, device := range devices { err := g.RemoveDevice(device) if err != nil { @@ -533,7 +533,7 @@ func setupSpec(g *generate.Generator, context *cli.Context) error { } } - if context.Bool("device-remove-all") { + if context.Bool("linux-device-remove-all") { g.ClearLinuxDevices() } @@ -749,14 +749,14 @@ func parseDevice(device string, g *generate.Generator) (rspec.LinuxDevice, error func addSeccomp(context *cli.Context, g *generate.Generator) error { // Set the DefaultAction of seccomp - if context.IsSet("seccomp-default") { - seccompDefault := context.String("seccomp-default") + if context.IsSet("linux-seccomp-default") { + seccompDefault := context.String("linux-seccomp-default") err := g.SetDefaultSeccompAction(seccompDefault) if err != nil { return err } - } else if context.IsSet("seccomp-default-force") { - seccompDefaultForced := context.String("seccomp-default-force") + } else if context.IsSet("linux-seccomp-default-force") { + seccompDefaultForced := context.String("linux-seccomp-default-force") err := g.SetDefaultSeccompActionForce(seccompDefaultForced) if err != nil { return err @@ -764,8 +764,8 @@ func addSeccomp(context *cli.Context, g *generate.Generator) error { } // Add the additional architectures permitted to be used for system calls - if context.IsSet("seccomp-arch") { - seccompArch := context.String("seccomp-arch") + if context.IsSet("linux-seccomp-arch") { + seccompArch := context.String("linux-seccomp-arch") architectureArgs := strings.Split(seccompArch, ",") for _, arg := range architectureArgs { err := g.SetSeccompArchitecture(arg) @@ -775,50 +775,50 @@ func addSeccomp(context *cli.Context, g *generate.Generator) error { } } - if context.IsSet("seccomp-errno") { + if context.IsSet("linux-seccomp-errno") { err := seccompSet(context, "errno", g) if err != nil { return err } } - if context.IsSet("seccomp-kill") { + if context.IsSet("linux-seccomp-kill") { err := seccompSet(context, "kill", g) if err != nil { return err } } - if context.IsSet("seccomp-trace") { + if context.IsSet("linux-seccomp-trace") { err := seccompSet(context, "trace", g) if err != nil { return err } } - if context.IsSet("seccomp-trap") { + if context.IsSet("linux-seccomp-trap") { err := seccompSet(context, "trap", g) if err != nil { return err } } - if context.IsSet("seccomp-allow") { + if context.IsSet("linux-seccomp-allow") { err := seccompSet(context, "allow", g) if err != nil { return err } } - if context.IsSet("seccomp-remove") { - seccompRemove := context.String("seccomp-remove") + if context.IsSet("linux-seccomp-remove") { + seccompRemove := context.String("linux-seccomp-remove") err := g.RemoveSeccompRule(seccompRemove) if err != nil { return err } } - if context.Bool("seccomp-remove-all") { + if context.Bool("linux-seccomp-remove-all") { err := g.RemoveAllSeccompRules() if err != nil { return err diff --git a/completions/bash/oci-runtime-tool b/completions/bash/oci-runtime-tool index c34eb5925..1c91b4e5a 100644 --- a/completions/bash/oci-runtime-tool +++ b/completions/bash/oci-runtime-tool @@ -283,26 +283,24 @@ _oci-runtime-tool_help() { _oci-runtime-tool_generate() { local options_with_args=" - --apparmor --args - --bind - --cap-add - --cap-drop - --cgroups-path - --cwd - --device-add - --device-remove --env --env-file - --gid - --gidmappings - --groups --hostname + --hooks-poststart + --hooks-poststop + --hooks-prestart --label + --linux-apparmor + --linux-cgroups-path --linux-cpu-shares --linux-cpu-period --linux-cpu-quota --linux-cpus + --linux-device-add + --linux-device-remove + --linux-gidmappings + --linux-masked-paths --linux-mem-kernel-limit --linux-mem-kernel-tcp --linux-mem-limit @@ -310,56 +308,62 @@ _oci-runtime-tool_generate() { --linux-mem-swap --linux-mem-swappiness --linux-mems + --linux-mount-label --linux-namespace-add --linux-namespace-remove --linux-network-classid --linux-network-priorities + --linux-oom-score-adj --linux-pids-limit + --linux-readonly-paths --linux-realtime-period --linux-realtime-runtime - --masked-paths + --linux-rootfs-propagation + --linux-seccomp-allow + --linux-seccomp-arch + --linux-seccomp-default + --linux-seccomp-default-force + --linux-seccomp-errno + --linux-seccomp-kill + --linux-seccomp-remove + --linux-seccomp-trace + --linux-seccomp-trap + --linux-selinux-label + --linux-sysctl + --linux-uidmappings + --mount-bind --mount-cgroups +<<<<<<< c1b5a024416a8eeae3984360e6eb61bec47f115f --mount-label --oom-score-adj +======= + --os +>>>>>>> generate: rectify the arguments --output - --poststart - --poststop - --prestart - --readonly-paths + --process-cwd + --process-gid + --process-groups + --process-rlimits-add + --process-rlimits-remove + --process-uid --rootfs-path - --rootfs-propagation - --rlimits-add - --rlimits-remove - --seccomp-allow - --seccomp-arch - --seccomp-default - --seccomp-default-force - --seccomp-errno - --seccomp-kill - --seccomp-remove - --seccomp-trace - --seccomp-trap - --selinux-label - --sysctl --template --tmpfs - --uid - --uidmappings " local boolean_options=" - --cap-drop-all - --device-remove-all - --disable-oom-kill --help -h + --linux-device-remove-all + --linux-disable-oom-kill --linux-namespace-remove-all - --no-new-privileges + --linux-seccomp-only + --linux-seccomp-remove-all --privileged - --rlimits-remove-all + --process-cap-drop-all + --process-no-new-privileges + --process-rlimits-remove-all + --process-tty --rootfs-readonly - --seccomp-only - --seccomp-remove-all - --tty " local all_options="$options_with_args $boolean_options" diff --git a/man/oci-runtime-tool-generate.1.md b/man/oci-runtime-tool-generate.1.md index 8df2d37d5..7ff09edbc 100644 --- a/man/oci-runtime-tool-generate.1.md +++ b/man/oci-runtime-tool-generate.1.md @@ -15,9 +15,6 @@ to direct it to a file. OCI-compatible runtimes like runC expect to read the configuration from `config.json`. # OPTIONS -**--apparmor**=PROFILE - Specifies the apparmor profile for the container - **--args**=OPTION Arguments to run within the container. Can be specified multiple times. If you were going to run a command with multiple options, you would need @@ -25,52 +22,6 @@ read the configuration from `config.json`. --args "/usr/bin/httpd" --args "-D" --args "FOREGROUND" -**--bind**=*[[HOST-DIR:CONTAINER-DIR][:OPTIONS...]]* - Bind mount directories src:dest:(rw,ro) If you specify, ` --bind - /HOST-DIR:/CONTAINER-DIR`, runc bind mounts `/HOST-DIR` in the host - to `/CONTAINER-DIR` in the OCI container. The `OPTIONS` are a colon - delimited list and can be any mount option support by the runtime such - as [rw|ro|rbind|bind|...]. The `HOST_DIR` and `CONTAINER-DIR` must be - absolute paths such as `/src/docs`. You can set the `ro` or `rw` - options to a bind-mount to mount it read-only or read-write mode, - respectively. By default, bind-mounts are mounted read-write. - -**--cap-add**=[] - Add Linux capabilities - -**--cap-drop**=[] - Drop Linux capabilities - -**--cap-drop-all**true|false - Drop all Linux capabilities - -**--cgroups-path**="" - Specifies the path to the cgroups relative to the cgroups mount point. - -**--cwd**=PATH - Current working directory for the process. The default is */*. - -**--device-add**=*TYPE:MAJOR:MINOR:PATH[:OPTIONS...]* - Add a device file in container. e.g. --device=c:10:229:/dev/fuse:fileMode=438:uid=0:gid=0 - The *TYPE*, *MAJOR*, *MINOR*, *PATH* are required. - *TYPE* is the device type. The acceptable values are b (block), c (character), u (unbuffered), p (FIFO). - *MAJOR*/*MINOR* is the major/minor device id. - *PATH* is the device path. - The *fileMode*, *uid*, *gid* are optional. - *fileMode* is the file mode of the device file. - *uid*/*gid* is the user/group id of the device file. - This option can be specified multiple times. - -**--device-remove**=*PATH* - Remove a device file in container. - This option can be specified multiple times. - -**--device-remove-all**=true|false - Remove all devices for linux inside the container. The default is *false*. - -**--disable-oom-kill**=true|false - Whether to disable OOM Killer for the container or not. - **--env**=[] Set environment variables e.g. key=value. This option allows you to specify arbitrary environment variables @@ -84,25 +35,38 @@ read the configuration from `config.json`. When specified multiple times, files are loaded in order with duplicate keys overwriting previous ones. -**--gid**=GID - Gid for the process inside of container - -**--gidmappings**=GIDMAPPINGS - Add GIDMappings e.g HostID:ContainerID:Size. Implies **-user=**. - -**--groups**=GROUP - Supplementary groups for the processes inside of container - **--help** Print usage statement **--hostname**="" Set the container host name that is available inside the container. +**--hooks-poststart**=CMD[:ARGS...] + Set command to run in poststart hooks. Can be specified multiple times. + The multiple commands will be run in order before the container process + gets launched but after the container environment and main process has been + created. + +**--hooks-poststop**=CMD[:ARGS...] + Set command to run in poststop hooks. Can be specified multiple times. + The multiple commands will be run in order after the container process + is stopped. + +**--hooks-prestart**=CMD[:ARGS...] + Set command to run in prestart hooks. Can be specified multiple times. + The multiple commands will be run in order after the container process + has been created but before it executes the user-configured code. + **--label**=[] Add annotations to the configuration e.g. key=value. Currently, key containing equals sign is not supported. +**--linux-apparmor**=PROFILE + Specifies the apparmor profile for the container + +**--linux-cgroups-path**="" + Specifies the path to the cgroups relative to the cgroups mount point. + **--linux-cpu-shares**=CPUSHARES Specifies a relative share of CPU time available to the tasks in a cgroup. @@ -115,6 +79,34 @@ read the configuration from `config.json`. **--linux-cpus**=CPUS Sets the CPUs to use within the cpuset (default is to use any CPU available). +**--linux-device-add**=*TYPE:MAJOR:MINOR:PATH[:OPTIONS...]* + Add a device file in container. e.g. --device=c:10:229:/dev/fuse:fileMode=438:uid=0:gid=0 + The *TYPE*, *MAJOR*, *MINOR*, *PATH* are required. + *TYPE* is the device type. The acceptable values are b (block), c (character), u (unbuffered), p (FIFO). + *MAJOR*/*MINOR* is the major/minor device id. + *PATH* is the device path. + The *fileMode*, *uid*, *gid* are optional. + *fileMode* is the file mode of the device file. + *uid*/*gid* is the user/group id of the device file. + This option can be specified multiple times. + +**--linux-device-remove**=*PATH* + Remove a device file in container. + This option can be specified multiple times. + +**--linux-device-remove-all**=true|false + Remove all devices for linux inside the container. The default is *false*. + +**--linux-disable-oom-kill**=true|false + Whether to disable OOM Killer for the container or not. + +**--linux-gidmappings**=GIDMAPPINGS + Add GIDMappings e.g HostID:ContainerID:Size. Implies **-user=**. + +**--linux-masked-paths**=[] + Specifies paths can not be read inside container. e.g. --linux-masked-paths=/proc/kcore + This option can be specified multiple times. + **--linux-mem-kernel-limit**=MEMKERNELLIMIT Sets the hard limit of kernel memory in bytes. @@ -136,6 +128,18 @@ read the configuration from `config.json`. **--linux-mems**=MEMS Sets the list of memory nodes in the cpuset (default is to use any available memory node). +**--linux-mount-label**=MOUNTLABEL + Mount Label + Depending on your SELinux policy, you would specify a label that looks like + this: + "system_u:object_r:svirt_sandbox_file_t:s0:c1,c2" + + Note you would want your ROOTFS directory to be labeled with a context that + this process type can use. + + "system_u:object_r:usr_t:s0" might be a good label for a readonly container, + "system_u:system_r:svirt_sandbox_file_t:s0:c1,c2" for a read/write container. + **--linux-namespace-add**=NSNAME[:PATH] Adds or replaces the given linux namespace NSNAME with a namespace entry that has a path of PATH. Omitting PATH means that a new namespace will be created @@ -159,64 +163,101 @@ read the configuration from `config.json`. This option can be specified multiple times. If a interface name was specified more than once, the last PRIORITY makes sense. The special *PRIORITY* -1 removes existing setting for interface NAME. +**--linux-oom-score-adj**=adj + Specifies oom_score_adj for the container. + **--linux-pids-limit**=PIDSLIMIT Set maximum number of PIDs. +**--linux-readonly-paths**=[] + Specifies paths readonly inside container. e.g. --readonly-paths=/proc/sys + This option can be specified multiple times. + **--linux-realtime-period**=REALTIMEPERIOD Sets the CPU period to be used for realtime scheduling (in usecs). Same as **--linux-cpu-period** but applies to realtime scheduler only. **--linux-realtime-runtime**=REALTIMERUNTIME Specifies a period of time in microseconds for the longest continuous period in which the tasks in a cgroup have access to CPU resources. -**--masked-paths**=[] - Specifies paths can not be read inside container. e.g. --masked-paths=/proc/kcore - This option can be specified multiple times. +**--linux-rootfs-propagation**=PROPOGATIONMODE + Mount propagation for root filesystem. + Values are "shared, rshared, private, rprivate, slave, rslave" -**--mount-cgroups**=[rw|ro|no] - Mount cgroups. The default is *no*. +**--linux-eccomp-allow**=SYSCALL + Specifies syscalls to be added to the ALLOW list. + See --linux-seccomp-syscalls for setting limits on arguments. -**--mount-label**=MOUNTLABEL - Mount Label +**--linux-seccomp-arch**=ARCH + Specifies Additional architectures permitted to be used for system calls. + By default if you turn on seccomp, only the host architecture will be allowed. + +**--linux-seccomp-default**=ACTION + Specifies the the default action of Seccomp syscall restrictions and removes existing restrictions with the specified action + Values: KILL,ERRNO,TRACE,ALLOW + +**--linux-seccomp-default-force**=ACTION + Specifies the the default action of Seccomp syscall restrictions + Values: KILL,ERRNO,TRACE,ALLOW + +**--linux-seccomp-errno**=SYSCALL + Specifies syscalls to create seccomp rule to respond with ERRNO. + +**--linux-seccomp-kill**=SYSCALL + Specifies syscalls to create seccomp rule to respond with KILL. + +**--linux-seccomp-only** + Option to only export the seccomp section of output + +**--linux-seccomp-remove** + Specifies syscall restrictions to remove from the configuration. + +**--linux-seccomp-remove-all** + Option to remove all syscall restrictions. + +**--linux-seccomp-trace**=SYSCALL + Specifies syscalls to create seccomp rule to respond with TRACE. + +**--linux-seccomp-trap**=SYSCALL + Specifies syscalls to create seccomp rule to respond with TRAP. + +**--linux-selinux-label**=PROCESSLABEL + SELinux Label Depending on your SELinux policy, you would specify a label that looks like this: - "system_u:object_r:svirt_sandbox_file_t:s0:c1,c2" + "system_u:system_r:svirt_lxc_net_t:s0:c1,c2" Note you would want your ROOTFS directory to be labeled with a context that this process type can use. "system_u:object_r:usr_t:s0" might be a good label for a readonly container, - "system_u:system_r:svirt_sandbox_file_t:s0:c1,c2" for a read/write container. + "system_u:object_r:svirt_sandbox_file_t:s0:c1,c2" for a read/write container. -**--no-new-privileges**=true|false - Set no new privileges bit for the container process. Setting this flag - will block the container processes from gaining any additional privileges - using tools like setuid apps. It is a good idea to run unprivileged - containers with this flag. +**--linux-sysctl**=SYSCTLSETTING + Add sysctl settings e.g net.ipv4.forward=1, only allowed if the syctl is + namespaced. -**--oom-score-adj**=adj - Specifies oom_score_adj for the container. +**--linux-uidmappings** + + Add UIDMappings e.g HostUID:ContainerID:Size. Implies **--user=**. + +**--mount-bind**=*[[HOST-DIR:CONTAINER-DIR][:OPTIONS...]]* + Bind mount directories src:dest:(rw,ro) If you specify, ` --mount-bind + /HOST-DIR:/CONTAINER-DIR`, runc bind mounts `/HOST-DIR` in the host + to `/CONTAINER-DIR` in the OCI container. The `OPTIONS` are a colon + delimited list and can be any mount option support by the runtime such + as [rw|ro|rbind|bind|...]. The `HOST_DIR` and `CONTAINER-DIR` must be + absolute paths such as `/src/docs`. You can set the `ro` or `rw` + options to a bind-mount to mount it read-only or read-write mode, + respectively. By default, bind-mounts are mounted read-write. + +**--mount-cgroups**=[rw|ro|no] + Mount cgroups. The default is *no*. **--output**=PATH Instead of writing the configuration JSON to stdout, write it to a file at *PATH* (overwriting the existing content if a file already exists at *PATH*). -**--poststart**=CMD[:ARGS...] - Set command to run in poststart hooks. Can be specified multiple times. - The multiple commands will be run in order before the container process - gets launched but after the container environment and main process has been - created. - -**--poststop**=CMD[:ARGS...] - Set command to run in poststop hooks. Can be specified multiple times. - The multiple commands will be run in order after the container process - is stopped. - -**--prestart**=CMD[:ARGS...] - Set command to run in prestart hooks. Can be specified multiple times. - The multiple commands will be run in order after the container process - has been created but before it executes the user-configured code. - **--privileged**=true|false Give extended privileges to this container. The default is *false*. @@ -225,87 +266,56 @@ read the configuration from `config.json`. When the operator executes **oci-runtime-tool generate --privileged**, OCI will enable access to all devices on the host as well as disable some of the confinement mechanisms like AppArmor, SELinux, and seccomp from blocking access to privileged processes. This gives the container processes nearly all the same access to the host as processes generating outside of a container on the host. -**--readonly-paths**=[] - Specifies paths readonly inside container. e.g. --readonly-paths=/proc/sys - This option can be specified multiple times. +**--process-cap-add**=[] + Add Linux capabilities -**--rootfs-path**=ROOTFSPATH - Path to the rootfs, which can be an absolute path or relative to bundle path. - e.g the absolute path of rootfs is /to/bundle/rootfs, bundle path is /to/bundle, - then the value set as ROOTFSPATH should be `/to/bundle/rootfs` or `rootfs`. The default is *rootfs*. +**--process-cap-drop**=[] + Drop Linux capabilities -**--rootfs-propagation**=PROPOGATIONMODE - Mount propagation for root filesystem. - Values are "shared, rshared, private, rprivate, slave, rslave" +**--process-cap-drop-all**true|false + Drop all Linux capabilities -**--rootfs-readonly**=true|false - Mount the container's root filesystem as read only. +**--process-cwd**=PATH + Current working directory for the process. The default is */*. - By default a container will have its root filesystem writable allowing processes to write files anywhere. By specifying the `--rootfs-readonly` flag the container will have its root filesystem mounted as read only prohibiting any writes. +**--process-gid**=GID + Gid for the process inside of container + +**--process-groups**=GROUP + Supplementary groups for the processes inside of container -**--rlimits-add**=[] +**--process-no-new-privileges**=true|false + Set no new privileges bit for the container process. Setting this flag + will block the container processes from gaining any additional privileges + using tools like setuid apps. It is a good idea to run unprivileged + containers with this flag. + +**--process-rlimits-add**=[] Specifies resource limits, format is RLIMIT:HARD:SOFT. e.g. --rlimits-add=RLIMIT_NOFILE:1024:1024 This option can be specified multiple times. When same RLIMIT specified over once, the last one make sense. -**--rlimits-remove**=[] +**--process-rlimits-remove**=[] Remove the specified resource limits for process inside the container. This option can be specified multiple times. -**--rlimits-remove-all**=true|false +**--process-rlimits-remove-all**=true|false Remove all resource limits for process inside the container. The default is *false*. -**--seccomp-allow**=SYSCALL - Specifies syscalls to be added to the ALLOW list. - See --seccomp-syscalls for setting limits on arguments. - -**--seccomp-arch**=ARCH - Specifies Additional architectures permitted to be used for system calls. - By default if you turn on seccomp, only the host architecture will be allowed. - -**--seccomp-default**=ACTION - Specifies the the default action of Seccomp syscall restrictions and removes existing restrictions with the specified action - Values: KILL,ERRNO,TRACE,ALLOW - -**--seccomp-default-force**=ACTION - Specifies the the default action of Seccomp syscall restrictions - Values: KILL,ERRNO,TRACE,ALLOW - -**--seccomp-errno**=SYSCALL - Specifies syscalls to create seccomp rule to respond with ERRNO. - -**--seccomp-kill**=SYSCALL - Specifies syscalls to create seccomp rule to respond with KILL. - -**--seccomp-only** - Option to only export the seccomp section of output - -**--seccomp-remove** - Specifies syscall restrictions to remove from the configuration. - -**--seccomp-remove-all** - Option to remove all syscall restrictions. - -**--seccomp-trace**=SYSCALL - Specifies syscalls to create seccomp rule to respond with TRACE. - -**--seccomp-trap**=SYSCALL - Specifies syscalls to create seccomp rule to respond with TRAP. +**--process-tty**=true|false + Allocate a new tty for the container process. The default is *false*. -**--selinux-label**=PROCESSLABEL - SELinux Label - Depending on your SELinux policy, you would specify a label that looks like - this: - "system_u:system_r:svirt_lxc_net_t:s0:c1,c2" +**--process-uid**=UID + Sets the UID used within the container. - Note you would want your ROOTFS directory to be labeled with a context that - this process type can use. +**--rootfs-path**=ROOTFSPATH + Path to the rootfs, which can be an absolute path or relative to bundle path. + e.g the absolute path of rootfs is /to/bundle/rootfs, bundle path is /to/bundle, + then the value set as ROOTFSPATH should be `/to/bundle/rootfs` or `rootfs`. The default is *rootfs*. - "system_u:object_r:usr_t:s0" might be a good label for a readonly container, - "system_u:object_r:svirt_sandbox_file_t:s0:c1,c2" for a read/write container. +**--rootfs-readonly**=true|false + Mount the container's root filesystem as read only. -**--sysctl**=SYSCTLSETTING - Add sysctl settings e.g net.ipv4.forward=1, only allowed if the syctl is - namespaced. + By default a container will have its root filesystem writable allowing processes to write files anywhere. By specifying the `--rootfs-readonly` flag the container will have its root filesystem mounted as read only prohibiting any writes. **--template**=PATH Override the default template with your own. @@ -320,15 +330,6 @@ read the configuration from `config.json`. This command mounts a `tmpfs` at `/tmp` within the container. The supported mount options are the same as the Linux default `mount` flags. If you do not specify any options, the systems uses the following options: `rw,noexec,nosuid,nodev,size=65536k`. -**--tty**=true|false - Allocate a new tty for the container process. The default is *false*. - -**--uid**=UID - Sets the UID used within the container. - -**--uidmappings** - Add UIDMappings e.g HostUID:ContainerID:Size. Implies **--user=**. - # EXAMPLES ## Generating container in read-only mode @@ -369,13 +370,13 @@ To mount a host directory as a container volume, specify the absolute path to the directory and the absolute path for the container directory separated by a colon: - $ oci-runtime-tool generate --bind /var/db:/data1 --rootfs-path /var/lib/containers/fedora --args bash + $ oci-runtime-tool generate --mount-bind /var/db:/data1 --rootfs-path /var/lib/containers/fedora --args bash ## Using SELinux -You can use SELinux to add security to the container. You must specify the process label to run the init process inside of the container using the --selinux-label. +You can use SELinux to add security to the container. You must specify the process label to run the init process inside of the container using the --process-selinux-label. - $ oci-runtime-tool generate --bind /var/db:/data1 --selinux-label system_u:system_r:svirt_lxc_net_t:s0:c1,c2 --mount-label system_u:object_r:svirt_sandbox_file_t:s0:c1,c2 --rootfs-path /var/lib/containers/fedora --args bash + $ oci-runtime-tool generate --mount-bind /var/db:/data1 --process-selinux-label system_u:system_r:svirt_lxc_net_t:s0:c1,c2 --mount-label system_u:object_r:svirt_sandbo x_file_t:s0:c1,c2 --rootfs-path /var/lib/containers/fedora --args bash Not in the above example we used a type of svirt_lxc_net_t and an MCS Label of s0:c1,c2. If you want to guarantee separation between containers, you need to make sure that each container gets launched with a different MCS Label pair.