From eadda1f774e0993ea4b517c9543430eb14517c43 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Mon, 13 Jul 2020 05:15:30 -0400
Subject: [PATCH] Add missing interface to set init processes Umask

Umask is a field specified in the runtime spec, but we don't have a method to set it in runtime-tools. Some users might want to modify the default Umask of a container.

Signed-off-by: Daniel J Walsh
---
 Godeps/Godeps.json | 2 +-
 cmd/oci-runtime-tool/generate.go | 5 ++
 generate/generate.go | 6 ++
 validation/process_user/process_user.go | 1 +
 vendor/github.com/mndrix/tap-go/tap.go | 2 +-
 .../runtime-spec/specs-go/config.go | 83 +++++++++++++++----
 .../runtime-spec/specs-go/state.go | 18 ++++
 .../runtime-spec/specs-go/version.go | 4 +-
 vendor/golang.org/x/sys/unix/syscall.go | 2 +-
 9 files changed, 102 insertions(+), 21 deletions(-)
diff --git a/Godeps/Godeps.json b/Godeps/Godeps.json
index 0749fe0ec..6d58ee239 100644
--- a/Godeps/Godeps.json
+++ b/Godeps/Godeps.json
@@ -36,7 +36,7 @@
 {
 "ImportPath": "github.com/opencontainers/runtime-spec/specs-go",
 "Comment": "v1.0.1-57-g1722abf",
- "Rev": "1722abf79c2f8f2675f47367f827c6491472cf27"
+ "Rev": "3e4195d924451bd6b61f017b72aa682f0d3ed2ec"
 },
 {
 "ImportPath": "github.com/pmezard/go-difflib/difflib",
diff --git a/cmd/oci-runtime-tool/generate.go b/cmd/oci-runtime-tool/generate.go
index 9a3d4cf36..3a182e4cc 100644
--- a/cmd/oci-runtime-tool/generate.go
+++ b/cmd/oci-runtime-tool/generate.go
@@ -118,6 +118,7 @@ var generateFlags = []cli.Flag{
 cli.BoolFlag{Name: "process-rlimits-remove-all", Usage: "remove all resource limits for processes inside the container. "},
 cli.BoolFlag{Name: "process-terminal", Usage: "specifies whether a terminal is attached to the process"},
 cli.IntFlag{Name: "process-uid", Usage: "uid for the process"},
+ cli.StringFlag{Name: "process-umask", Usage: "umask for the process"},
 cli.StringFlag{Name: "process-username", Usage: "username for the process"},
 cli.StringFlag{Name: "rootfs-path", Value: "rootfs", Usage: "path to the root filesystem"},
 cli.BoolFlag{Name: "rootfs-readonly", Usage: "make the container's rootfs readonly"},
@@ -234,6 +235,10 @@ func setupSpec(g *generate.Generator, context *cli.Context) error {
 g.SetProcessUsername(context.String("process-username"))
 }
+ if context.IsSet("process-umask") {
+ g.SetProcessUsername(context.String("process-umask"))
+ }
+
 if context.IsSet("process-gid") {
 g.SetProcessGID(uint32(context.Int("process-gid")))
 }
diff --git a/generate/generate.go b/generate/generate.go
index aa6036399..c757c20e0 100644
--- a/generate/generate.go
+++ b/generate/generate.go
@@ -444,6 +444,12 @@ func (g *Generator) SetProcessUsername(username string) {
 g.Config.Process.User.Username = username
 }
+// SetProcessUmask sets g.Config.Process.User.Umask.
+func (g *Generator) SetProcessUmask(umask uint32) {
+ g.initConfigProcess()
+ g.Config.Process.User.Umask = umask
+}
+
 // SetProcessGID sets g.Config.Process.User.GID.
 func (g *Generator) SetProcessGID(gid uint32) {
 g.initConfigProcess()
diff --git a/validation/process_user/process_user.go b/validation/process_user/process_user.go
index 7d8eed541..ae6e526b5 100644
--- a/validation/process_user/process_user.go
+++ b/validation/process_user/process_user.go
@@ -17,6 +17,7 @@ func main() {
 g.SetProcessUID(10)
 g.SetProcessGID(10)
 g.AddProcessAdditionalGid(5)
+ g.SetProcessUmask(002)
 case "windows":
 g.SetProcessUsername("test")
 default:
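Review bot: In the `@@ -234` hunk the new `process-umask` branch calls `g.SetProcessUsername(context.String("process-umask"))`, so the flag never reaches `Process.User.Umask` and instead overwrites whatever the `process-username` branch just set; the patch's own `SetProcessUmask(umask uint32)` in generate/generate.go is never called. Since the flag is a `cli.StringFlag` and the setter takes `uint32`, the string also has to be converted, and umasks are conventionally written in octal (`0022`), so `strconv.ParseUint(raw, 8, 32)` with the error returned from setupSpec is the fitting conversion; bounding the result at `0777` is cheap because only the permission bits are meaningful to umask(2). The `@@ -118` hunk could state the expected format in the flag's usage, e.g. `Usage: "umask for the process (octal, e.g. 0022)"`. setupSpec starts and ends outside this hunk, and `strconv` and `fmt` must be imported in the file for the lines below.
```go
	if context.IsSet("process-umask") {
		raw := context.String("process-umask")
		umask, err := strconv.ParseUint(raw, 8, 32)
		if err != nil {
			return fmt.Errorf("parsing process-umask %q: %v", raw, err)
		}
		if umask > 0777 {
			return fmt.Errorf("process-umask %q: only permission bits (<= 0777) are allowed", raw)
		}
		g.SetProcessUmask(uint32(umask))
	}
	// … unchanged: process-gid branch …
```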
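Review bot: `SetProcessUmask` documents only which field it writes, not what the `umask` argument is, and the `Umask` field this patch vendors into specs-go is described there as the umask for the init process. A fuller comment would be `// SetProcessUmask sets g.Config.Process.User.Umask to umask, the file-mode creation mask for the init process (permission bits, conventionally written in octal, e.g. 0022).` The setter stores any uint32 unchecked, which matches the sibling setters in this hunk, so range validation belongs in the caller unless this package is meant to enforce the spec's shape.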
diff --git a/vendor/github.com/mndrix/tap-go/tap.go b/vendor/github.com/mndrix/tap-go/tap.go
index 88df22d16..3be970656 100644
--- a/vendor/github.com/mndrix/tap-go/tap.go
+++ b/vendor/github.com/mndrix/tap-go/tap.go
@@ -18,7 +18,7 @@
 // 1..2
 // ok 1 - first test
 // ok 2 - second test
-package tap
+package tap // import "github.com/mndrix/tap-go"
 import (
 "fmt"
diff --git a/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go b/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go
index 6d791e7e9..08af67798 100644
--- a/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go
+++ b/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go
@@ -38,7 +38,9 @@ type Process struct {
 // User specifies user information for the process.
 User User `json:"user"`
 // Args specifies the binary and arguments for the application to execute.
- Args []string `json:"args"`
+ Args []string `json:"args,omitempty"`
+ // CommandLine specifies the full command line for the application to execute on Windows.
+ CommandLine string `json:"commandLine,omitempty" platform:"windows"`
 // Env populates the process environment for the process.
 Env []string `json:"env,omitempty"`
 // Cwd is the current working directory for the process and must be
@@ -87,6 +89,8 @@ type User struct {
 UID uint32 `json:"uid" platform:"linux,solaris"`
 // GID is the group id.
 GID uint32 `json:"gid" platform:"linux,solaris"`
+ // Umask is the umask for the init process.
+ Umask uint32 `json:"umask,omitempty" platform:"linux,solaris"`
 // AdditionalGids are additional group ids set for the container's process.
 AdditionalGids []uint32 `json:"additionalGids,omitempty" platform:"linux,solaris"`
 // Username is the user name.
@@ -121,13 +125,26 @@ type Hook struct {
 Timeout *int `json:"timeout,omitempty"`
 }
+// Hooks specifies a command that is run in the container at a particular event in the lifecycle of a container
 // Hooks for container setup and teardown
 type Hooks struct {
- // Prestart is a list of hooks to be run before the container process is executed.
+ // Prestart is Deprecated. Prestart is a list of hooks to be run before the container process is executed.
+ // It is called in the Runtime Namespace
 Prestart []Hook `json:"prestart,omitempty"`
+ // CreateRuntime is a list of hooks to be run after the container has been created but before pivot_root or any equivalent operation has been called
+ // It is called in the Runtime Namespace
+ CreateRuntime []Hook `json:"createRuntime,omitempty"`
+ // CreateContainer is a list of hooks to be run after the container has been created but before pivot_root or any equivalent operation has been called
+ // It is called in the Container Namespace
+ CreateContainer []Hook `json:"createContainer,omitempty"`
+ // StartContainer is a list of hooks to be run after the start operation is called but before the container process is started
+ // It is called in the Container Namespace
+ StartContainer []Hook `json:"startContainer,omitempty"`
 // Poststart is a list of hooks to be run after the container process is started.
+ // It is called in the Runtime Namespace
 Poststart []Hook `json:"poststart,omitempty"`
 // Poststop is a list of hooks to be run after the container process exits.
+ // It is called in the Runtime Namespace
 Poststop []Hook `json:"poststop,omitempty"`
 }
@@ -163,6 +180,8 @@ type Linux struct {
 // IntelRdt contains Intel Resource Director Technology (RDT) information for
 // handling resource constraints (e.g., L3 cache, memory bandwidth) for the container
 IntelRdt *LinuxIntelRdt `json:"intelRdt,omitempty"`
+ // Personality contains configuration for the Linux personality syscall
+ Personality *LinuxPersonality `json:"personality,omitempty"`
 }
 // LinuxNamespace is the configuration for a Linux namespace
@@ -181,17 +200,17 @@ const (
 // PIDNamespace for isolating process IDs
 PIDNamespace LinuxNamespaceType = "pid"
 // NetworkNamespace for isolating network devices, stacks, ports, etc
- NetworkNamespace = "network"
+ NetworkNamespace LinuxNamespaceType = "network"
 // MountNamespace for isolating mount points
- MountNamespace = "mount"
+ MountNamespace LinuxNamespaceType = "mount"
 // IPCNamespace for isolating System V IPC, POSIX message queues
- IPCNamespace = "ipc"
+ IPCNamespace LinuxNamespaceType = "ipc"
 // UTSNamespace for isolating hostname and NIS domain name
- UTSNamespace = "uts"
+ UTSNamespace LinuxNamespaceType = "uts"
 // UserNamespace for isolating user and group IDs
- UserNamespace = "user"
+ UserNamespace LinuxNamespaceType = "user"
 // CgroupNamespace for isolating cgroup hierarchies
- CgroupNamespace = "cgroup"
+ CgroupNamespace LinuxNamespaceType = "cgroup"
 )
 // LinuxIDMapping specifies UID/GID mappings
@@ -217,6 +236,7 @@ type POSIXRlimit struct {
 // LinuxHugepageLimit structure corresponds to limiting kernel hugepages
 type LinuxHugepageLimit struct {
 // Pagesize is the hugepage size
+ // Format: "B' (e.g. 64KB, 2MB, 1GB, etc.)
 Pagesize string `json:"pageSize"`
 // Limit is the limit of "hugepagesize" hugetlb usage
 Limit uint64 `json:"limit"`
@@ -288,6 +308,8 @@ type LinuxMemory struct {
 Swappiness *uint64 `json:"swappiness,omitempty"`
 // DisableOOMKiller disables the OOM killer for out of memory conditions
 DisableOOMKiller *bool `json:"disableOOMKiller,omitempty"`
+ // Enables hierarchical memory accounting
+ UseHierarchy *bool `json:"useHierarchy,omitempty"`
 }
 // LinuxCPU for Linux cgroup 'cpu' resource management
@@ -384,6 +406,28 @@ type LinuxDeviceCgroup struct {
 Access string `json:"access,omitempty"`
 }
+// LinuxPersonalityDomain refers to a personality domain.
+type LinuxPersonalityDomain string
+
+// LinuxPersonalityFlag refers to an additional personality flag. None are currently defined.
+type LinuxPersonalityFlag string
+
+// Define domain and flags for Personality
+const (
+ // PerLinux is the standard Linux personality
+ PerLinux LinuxPersonalityDomain = "LINUX"
+ // PerLinux32 sets personality to 32 bit
+ PerLinux32 LinuxPersonalityDomain = "LINUX32"
+)
+
+// LinuxPersonality represents the Linux personality syscall input
+type LinuxPersonality struct {
+ // Domain for the personality
+ Domain LinuxPersonalityDomain `json:"domain"`
+ // Additional flags
+ Flags []LinuxPersonalityFlag `json:"flags,omitempty"`
+}
+
 // Solaris contains platform-specific configuration for Solaris application containers.
 type Solaris struct {
 // SMF FMRI which should go "online" before we start the container process.
@@ -553,12 +597,16 @@ type VMImage struct {
 type LinuxSeccomp struct {
 DefaultAction LinuxSeccompAction `json:"defaultAction"`
 Architectures []Arch `json:"architectures,omitempty"`
+ Flags []LinuxSeccompFlag `json:"flags,omitempty"`
 Syscalls []LinuxSyscall `json:"syscalls,omitempty"`
 }
 // Arch used for additional architectures
 type Arch string
+// LinuxSeccompFlag is a flag to pass to seccomp(2).
+type LinuxSeccompFlag string
+
 // Additional architectures permitted to be used for system calls
 // By default only the native architecture of the kernel is permitted
 const (
@@ -587,11 +635,13 @@ type LinuxSeccompAction string
 // Define actions for Seccomp rules
 const (
- ActKill LinuxSeccompAction = "SCMP_ACT_KILL"
- ActTrap LinuxSeccompAction = "SCMP_ACT_TRAP"
- ActErrno LinuxSeccompAction = "SCMP_ACT_ERRNO"
- ActTrace LinuxSeccompAction = "SCMP_ACT_TRACE"
- ActAllow LinuxSeccompAction = "SCMP_ACT_ALLOW"
+ ActKill LinuxSeccompAction = "SCMP_ACT_KILL"
+ ActKillProcess LinuxSeccompAction = "SCMP_ACT_KILL_PROCESS"
+ ActTrap LinuxSeccompAction = "SCMP_ACT_TRAP"
+ ActErrno LinuxSeccompAction = "SCMP_ACT_ERRNO"
+ ActTrace LinuxSeccompAction = "SCMP_ACT_TRACE"
+ ActAllow LinuxSeccompAction = "SCMP_ACT_ALLOW"
+ ActLog LinuxSeccompAction = "SCMP_ACT_LOG"
 )
 // LinuxSeccompOperator used to match syscall arguments in Seccomp
@@ -618,9 +668,10 @@ type LinuxSeccompArg struct {
 // LinuxSyscall is used to match a syscall in Seccomp
 type LinuxSyscall struct {
- Names []string `json:"names"`
- Action LinuxSeccompAction `json:"action"`
- Args []LinuxSeccompArg `json:"args,omitempty"`
+ Names []string `json:"names"`
+ Action LinuxSeccompAction `json:"action"`
+ ErrnoRet *uint `json:"errnoRet,omitempty"`
+ Args []LinuxSeccompArg `json:"args,omitempty"`
 }
 // LinuxIntelRdt has container runtime resource constraints for Intel RDT
diff --git a/vendor/github.com/opencontainers/runtime-spec/specs-go/state.go b/vendor/github.com/opencontainers/runtime-spec/specs-go/state.go
index 89dce34be..765300f4d 100644
--- a/vendor/github.com/opencontainers/runtime-spec/specs-go/state.go
+++ b/vendor/github.com/opencontainers/runtime-spec/specs-go/state.go
@@ -1,5 +1,23 @@
 package specs
+// ContainerState represents the state of a container.
+type ContainerState string
+
+const (
+ // StateCreating indicates that the container is being created
+ StateCreating ContainerState = "creating"
+
+ // StateCreated indicates that the runtime has finished the create operation
+ StateCreated ContainerState = "created"
+
+ // StateRunning indicates that the container process has executed the
+ // user-specified program but has not exited
+ StateRunning ContainerState = "running"
+
+ // StateStopped indicates that the container process has exited
+ StateStopped ContainerState = "stopped"
+)
+
 // State holds information about the runtime state of the container.
 type State struct {
 // Version is the version of the specification that is supported.
diff --git a/vendor/github.com/opencontainers/runtime-spec/specs-go/version.go b/vendor/github.com/opencontainers/runtime-spec/specs-go/version.go
index ff0cb6a80..596af0c2f 100644
--- a/vendor/github.com/opencontainers/runtime-spec/specs-go/version.go
+++ b/vendor/github.com/opencontainers/runtime-spec/specs-go/version.go
@@ -8,10 +8,10 @@ const (
 // VersionMinor is for functionality in a backwards-compatible manner
 VersionMinor = 0
 // VersionPatch is for backwards-compatible bug fixes
- VersionPatch = 1
+ VersionPatch = 2
 // VersionDev indicates development branch. Releases will be empty string.
- VersionDev = ""
+ VersionDev = "-dev"
 )
 // Version is the specification version that the package types support.
diff --git a/vendor/golang.org/x/sys/unix/syscall.go b/vendor/golang.org/x/sys/unix/syscall.go
index e2ee36452..85e35020e 100644
--- a/vendor/golang.org/x/sys/unix/syscall.go
+++ b/vendor/golang.org/x/sys/unix/syscall.go
@@ -19,7 +19,7 @@
 // These calls return err == nil to indicate success; otherwise
 // err represents an operating system error describing the failure and
 // holds a value of type syscall.Errno.
-package unix
+package unix // import "golang.org/x/sys/unix"
 // ByteSliceFromString returns a NUL-terminated slice of bytes
 // containing the text of s. If s contains a NUL byte at any