binctr/container/spec.go

package container

import (
	aaprofile "github.com/docker/docker/profiles/apparmor"
	"github.com/opencontainers/runc/libcontainer/apparmor"
	"github.com/opencontainers/runc/libcontainer/specconv"
	specs "github.com/opencontainers/runtime-spec/specs-go"
)

const (
	// DefaultApparmorProfile is the default apparmor profile for the containers.
	DefaultApparmorProfile = "docker-default"
)

// SpecOpts defines the options available for a spec.
type SpecOpts struct {
	Rootless bool
	Readonly bool
	Terminal bool
	Args     []string
	Mounts   []specs.Mount
	Hooks    *specs.Hooks
}

// Spec returns a default oci spec with some options being passed.
func Spec(opts SpecOpts) *specs.Spec {
	// Initialize the spec.
	spec := specconv.Example()

	// Set the spec to be rootless.
	if opts.Rootless {
		specconv.ToRootless(spec)
	}

	// Setup readonly fs in spec.
	spec.Root.Readonly = opts.Readonly

	// Setup tty in spec.
	spec.Process.Terminal = opts.Terminal

	// Pass in any hooks to the spec.
	spec.Hooks = opts.Hooks

	// Set the default seccomp profile.
	spec.Linux.Seccomp = DefaultSeccompProfile

	// Install the default apparmor profile.
	if apparmor.IsEnabled() {
		// Check if we have the docker-default apparmor profile loaded.
		if _, err := aaprofile.IsLoaded(DefaultApparmorProfile); err == nil {
			spec.Process.ApparmorProfile = DefaultApparmorProfile
		}
	}

	if opts.Args != nil {
		spec.Process.Args = opts.Args
	}

	if opts.Mounts != nil {
		spec.Mounts = append(spec.Mounts, opts.Mounts...)
	}

	return spec
}
add better generate Signed-off-by: Jess Frazelle <acidburn@microsoft.com> 2018-03-20 05:33:56 +00:00			`package container`

			`import (`
			`aaprofile "github.com/docker/docker/profiles/apparmor"`
			`"github.com/opencontainers/runc/libcontainer/apparmor"`
			`"github.com/opencontainers/runc/libcontainer/specconv"`
			`specs "github.com/opencontainers/runtime-spec/specs-go"`
			`)`

			`const (`
			`// DefaultApparmorProfile is the default apparmor profile for the containers.`
			`DefaultApparmorProfile = "docker-default"`
			`)`

			`// SpecOpts defines the options available for a spec.`
			`type SpecOpts struct {`
			`Rootless bool`
			`Readonly bool`
			`Terminal bool`
updates ; Signed-off-by: Jess Frazelle <acidburn@microsoft.com> 2018-03-20 05:54:27 +00:00			`Args []string`
add cl-k8s Signed-off-by: Jess Frazelle <acidburn@microsoft.com> add attributes Signed-off-by: Jess Frazelle <acidburn@microsoft.com> 2018-03-20 06:02:00 +00:00			`Mounts []specs.Mount`
add better generate Signed-off-by: Jess Frazelle <acidburn@microsoft.com> 2018-03-20 05:33:56 +00:00			`Hooks *specs.Hooks`
			`}`

			`// Spec returns a default oci spec with some options being passed.`
			`func Spec(opts SpecOpts) *specs.Spec {`
			`// Initialize the spec.`
			`spec := specconv.Example()`

			`// Set the spec to be rootless.`
			`if opts.Rootless {`
			`specconv.ToRootless(spec)`
			`}`

			`// Setup readonly fs in spec.`
			`spec.Root.Readonly = opts.Readonly`

			`// Setup tty in spec.`
			`spec.Process.Terminal = opts.Terminal`

			`// Pass in any hooks to the spec.`
			`spec.Hooks = opts.Hooks`

			`// Set the default seccomp profile.`
			`spec.Linux.Seccomp = DefaultSeccompProfile`

			`// Install the default apparmor profile.`
			`if apparmor.IsEnabled() {`
			`// Check if we have the docker-default apparmor profile loaded.`
			`if _, err := aaprofile.IsLoaded(DefaultApparmorProfile); err == nil {`
			`spec.Process.ApparmorProfile = DefaultApparmorProfile`
			`}`
			`}`

updates ; Signed-off-by: Jess Frazelle <acidburn@microsoft.com> 2018-03-20 05:54:27 +00:00			`if opts.Args != nil {`
			`spec.Process.Args = opts.Args`
			`}`

add cl-k8s Signed-off-by: Jess Frazelle <acidburn@microsoft.com> add attributes Signed-off-by: Jess Frazelle <acidburn@microsoft.com> 2018-03-20 06:02:00 +00:00			`if opts.Mounts != nil {`
			`spec.Mounts = append(spec.Mounts, opts.Mounts...)`
			`}`

add better generate Signed-off-by: Jess Frazelle <acidburn@microsoft.com> 2018-03-20 05:33:56 +00:00			`return spec`
			`}`