Update runtime-spec to v1.0.0.rc5
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
This commit is contained in:
Mrunal Patel
Mrunal Patel
parent
b6c022caae
commit
24df2538db
166 changed files with 3544 additions and 15322 deletions
336
vendor/github.com/opencontainers/runtime-tools/validate/validate.go
generated
vendored
336
vendor/github.com/opencontainers/runtime-tools/validate/validate.go
generated
vendored
|
|
@ -5,6 +5,7 @@ import (
|
|||
"encoding/json"
|
||||
"fmt"
|
||||
"io/ioutil"
|
||||
"net"
|
||||
"os"
|
||||
"path/filepath"
|
||||
"reflect"
|
||||
|
|
@ -15,28 +16,29 @@ import (
|
|||
"github.com/Sirupsen/logrus"
|
||||
"github.com/blang/semver"
|
||||
rspec "github.com/opencontainers/runtime-spec/specs-go"
|
||||
"github.com/syndtr/gocapability/capability"
|
||||
)
|
||||
|
||||
const specConfig = "config.json"
|
||||
|
||||
var (
|
||||
defaultRlimits = []string{
|
||||
"RLIMIT_CPU",
|
||||
"RLIMIT_FSIZE",
|
||||
"RLIMIT_DATA",
|
||||
"RLIMIT_STACK",
|
||||
"RLIMIT_CORE",
|
||||
"RLIMIT_RSS",
|
||||
"RLIMIT_NPROC",
|
||||
"RLIMIT_NOFILE",
|
||||
"RLIMIT_MEMLOCK",
|
||||
"RLIMIT_AS",
|
||||
"RLIMIT_CORE",
|
||||
"RLIMIT_CPU",
|
||||
"RLIMIT_DATA",
|
||||
"RLIMIT_FSIZE",
|
||||
"RLIMIT_LOCKS",
|
||||
"RLIMIT_SIGPENDING",
|
||||
"RLIMIT_MEMLOCK",
|
||||
"RLIMIT_MSGQUEUE",
|
||||
"RLIMIT_NICE",
|
||||
"RLIMIT_NOFILE",
|
||||
"RLIMIT_NPROC",
|
||||
"RLIMIT_RSS",
|
||||
"RLIMIT_RTPRIO",
|
||||
"RLIMIT_RTTIME",
|
||||
"RLIMIT_SIGPENDING",
|
||||
"RLIMIT_STACK",
|
||||
}
|
||||
defaultCaps = []string{
|
||||
"CAP_CHOWN",
|
||||
|
|
@ -56,16 +58,19 @@ var (
|
|||
}
|
||||
)
|
||||
|
||||
// Validator represents a validator for runtime bundle
|
||||
type Validator struct {
|
||||
spec *rspec.Spec
|
||||
bundlePath string
|
||||
HostSpecific bool
|
||||
}
|
||||
|
||||
// NewValidator creates a Validator
|
||||
func NewValidator(spec *rspec.Spec, bundlePath string, hostSpecific bool) Validator {
|
||||
return Validator{spec: spec, bundlePath: bundlePath, HostSpecific: hostSpecific}
|
||||
}
|
||||
|
||||
// NewValidatorFromPath creates a Validator with specified bundle path
|
||||
func NewValidatorFromPath(bundlePath string, hostSpecific bool) (Validator, error) {
|
||||
if bundlePath == "" {
|
||||
return Validator{}, fmt.Errorf("Bundle path shouldn't be empty")
|
||||
|
|
@ -91,6 +96,7 @@ func NewValidatorFromPath(bundlePath string, hostSpecific bool) (Validator, erro
|
|||
return NewValidator(&spec, bundlePath, hostSpecific), nil
|
||||
}
|
||||
|
||||
// CheckAll checks all parts of runtime bundle
|
||||
func (v *Validator) CheckAll() (msgs []string) {
|
||||
msgs = append(msgs, v.CheckRootfsPath()...)
|
||||
msgs = append(msgs, v.CheckMandatoryFields()...)
|
||||
|
|
@ -98,20 +104,34 @@ func (v *Validator) CheckAll() (msgs []string) {
|
|||
msgs = append(msgs, v.CheckMounts()...)
|
||||
msgs = append(msgs, v.CheckPlatform()...)
|
||||
msgs = append(msgs, v.CheckProcess()...)
|
||||
msgs = append(msgs, v.CheckOS()...)
|
||||
msgs = append(msgs, v.CheckLinux()...)
|
||||
msgs = append(msgs, v.CheckHooks()...)
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
// CheckRootfsPath checks status of v.spec.Root.Path
|
||||
func (v *Validator) CheckRootfsPath() (msgs []string) {
|
||||
logrus.Debugf("check rootfs path")
|
||||
|
||||
absBundlePath, err := filepath.Abs(v.bundlePath)
|
||||
if err != nil {
|
||||
msgs = append(msgs, fmt.Sprintf("unable to convert %q to an absolute path", v.bundlePath))
|
||||
}
|
||||
|
||||
var rootfsPath string
|
||||
var absRootPath string
|
||||
if filepath.IsAbs(v.spec.Root.Path) {
|
||||
rootfsPath = v.spec.Root.Path
|
||||
absRootPath = filepath.Clean(rootfsPath)
|
||||
} else {
|
||||
var err error
|
||||
rootfsPath = filepath.Join(v.bundlePath, v.spec.Root.Path)
|
||||
absRootPath, err = filepath.Abs(rootfsPath)
|
||||
if err != nil {
|
||||
msgs = append(msgs, fmt.Sprintf("unable to convert %q to an absolute path", rootfsPath))
|
||||
}
|
||||
}
|
||||
|
||||
if fi, err := os.Stat(rootfsPath); err != nil {
|
||||
|
|
@ -120,9 +140,16 @@ func (v *Validator) CheckRootfsPath() (msgs []string) {
|
|||
msgs = append(msgs, fmt.Sprintf("The root path %q is not a directory.", rootfsPath))
|
||||
}
|
||||
|
||||
rootParent := filepath.Dir(absRootPath)
|
||||
if absRootPath == string(filepath.Separator) || rootParent != absBundlePath {
|
||||
msgs = append(msgs, fmt.Sprintf("root.path is %q, but it MUST be a child of %q", v.spec.Root.Path, absBundlePath))
|
||||
}
|
||||
|
||||
return
|
||||
|
||||
}
|
||||
|
||||
// CheckSemVer checks v.spec.Version
|
||||
func (v *Validator) CheckSemVer() (msgs []string) {
|
||||
logrus.Debugf("check semver")
|
||||
|
||||
|
|
@ -138,6 +165,7 @@ func (v *Validator) CheckSemVer() (msgs []string) {
|
|||
return
|
||||
}
|
||||
|
||||
// CheckPlatform checks v.spec.Platform
|
||||
func (v *Validator) CheckPlatform() (msgs []string) {
|
||||
logrus.Debugf("check platform")
|
||||
|
||||
|
|
@ -168,12 +196,15 @@ func (v *Validator) CheckPlatform() (msgs []string) {
|
|||
return
|
||||
}
|
||||
|
||||
// CheckHooks check v.spec.Hooks
|
||||
func (v *Validator) CheckHooks() (msgs []string) {
|
||||
logrus.Debugf("check hooks")
|
||||
|
||||
msgs = append(msgs, checkEventHooks("pre-start", v.spec.Hooks.Prestart, v.HostSpecific)...)
|
||||
msgs = append(msgs, checkEventHooks("post-start", v.spec.Hooks.Poststart, v.HostSpecific)...)
|
||||
msgs = append(msgs, checkEventHooks("post-stop", v.spec.Hooks.Poststop, v.HostSpecific)...)
|
||||
if v.spec.Hooks != nil {
|
||||
msgs = append(msgs, checkEventHooks("pre-start", v.spec.Hooks.Prestart, v.HostSpecific)...)
|
||||
msgs = append(msgs, checkEventHooks("post-start", v.spec.Hooks.Poststart, v.HostSpecific)...)
|
||||
msgs = append(msgs, checkEventHooks("post-stop", v.spec.Hooks.Poststop, v.HostSpecific)...)
|
||||
}
|
||||
|
||||
return
|
||||
}
|
||||
|
|
@ -204,6 +235,7 @@ func checkEventHooks(hookType string, hooks []rspec.Hook, hostSpecific bool) (ms
|
|||
return
|
||||
}
|
||||
|
||||
// CheckProcess checks v.spec.Process
|
||||
func (v *Validator) CheckProcess() (msgs []string) {
|
||||
logrus.Debugf("check process")
|
||||
|
||||
|
|
@ -218,27 +250,96 @@ func (v *Validator) CheckProcess() (msgs []string) {
|
|||
}
|
||||
}
|
||||
|
||||
for index := 0; index < len(process.Capabilities); index++ {
|
||||
capability := process.Capabilities[index]
|
||||
if !capValid(capability) {
|
||||
msgs = append(msgs, fmt.Sprintf("capability %q is not valid, man capabilities(7)", process.Capabilities[index]))
|
||||
if len(process.Args) == 0 {
|
||||
msgs = append(msgs, fmt.Sprintf("args must not be empty"))
|
||||
} else {
|
||||
if filepath.IsAbs(process.Args[0]) {
|
||||
var rootfsPath string
|
||||
if filepath.IsAbs(v.spec.Root.Path) {
|
||||
rootfsPath = v.spec.Root.Path
|
||||
} else {
|
||||
rootfsPath = filepath.Join(v.bundlePath, v.spec.Root.Path)
|
||||
}
|
||||
absPath := filepath.Join(rootfsPath, process.Args[0])
|
||||
fileinfo, err := os.Stat(absPath)
|
||||
if os.IsNotExist(err) {
|
||||
logrus.Warnf("executable %q is not available in rootfs currently", process.Args[0])
|
||||
} else if err != nil {
|
||||
msgs = append(msgs, err.Error())
|
||||
} else {
|
||||
m := fileinfo.Mode()
|
||||
if m.IsDir() || m&0111 == 0 {
|
||||
msgs = append(msgs, fmt.Sprintf("arg %q is not executable", process.Args[0]))
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
for index := 0; index < len(process.Rlimits); index++ {
|
||||
if !rlimitValid(process.Rlimits[index].Type) {
|
||||
msgs = append(msgs, fmt.Sprintf("rlimit type %q is invalid.", process.Rlimits[index].Type))
|
||||
}
|
||||
if process.Rlimits[index].Hard < process.Rlimits[index].Soft {
|
||||
msgs = append(msgs, fmt.Sprintf("hard limit of rlimit %s should not be less than soft limit.", process.Rlimits[index].Type))
|
||||
msgs = append(msgs, v.CheckCapablities()...)
|
||||
msgs = append(msgs, v.CheckRlimits()...)
|
||||
|
||||
if v.spec.Platform.OS == "linux" {
|
||||
|
||||
if len(process.ApparmorProfile) > 0 {
|
||||
profilePath := filepath.Join(v.bundlePath, v.spec.Root.Path, "/etc/apparmor.d", process.ApparmorProfile)
|
||||
_, err := os.Stat(profilePath)
|
||||
if err != nil {
|
||||
msgs = append(msgs, err.Error())
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if len(process.ApparmorProfile) > 0 {
|
||||
profilePath := filepath.Join(v.bundlePath, v.spec.Root.Path, "/etc/apparmor.d", process.ApparmorProfile)
|
||||
_, err := os.Stat(profilePath)
|
||||
if err != nil {
|
||||
msgs = append(msgs, err.Error())
|
||||
return
|
||||
}
|
||||
|
||||
func (v *Validator) CheckCapablities() (msgs []string) {
|
||||
process := v.spec.Process
|
||||
if v.spec.Platform.OS == "linux" {
|
||||
var caps []string
|
||||
|
||||
for _, cap := range process.Capabilities.Bounding {
|
||||
caps = append(caps, cap)
|
||||
}
|
||||
for _, cap := range process.Capabilities.Effective {
|
||||
caps = append(caps, cap)
|
||||
}
|
||||
for _, cap := range process.Capabilities.Inheritable {
|
||||
caps = append(caps, cap)
|
||||
}
|
||||
for _, cap := range process.Capabilities.Permitted {
|
||||
caps = append(caps, cap)
|
||||
}
|
||||
for _, cap := range process.Capabilities.Ambient {
|
||||
caps = append(caps, cap)
|
||||
}
|
||||
|
||||
for _, capability := range caps {
|
||||
if err := CapValid(capability, v.HostSpecific); err != nil {
|
||||
msgs = append(msgs, fmt.Sprintf("capability %q is not valid, man capabilities(7)", capability))
|
||||
}
|
||||
}
|
||||
} else {
|
||||
logrus.Warnf("process.capabilities validation not yet implemented for OS %q", v.spec.Platform.OS)
|
||||
}
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
func (v *Validator) CheckRlimits() (msgs []string) {
|
||||
process := v.spec.Process
|
||||
for index, rlimit := range process.Rlimits {
|
||||
for i := index + 1; i < len(process.Rlimits); i++ {
|
||||
if process.Rlimits[index].Type == process.Rlimits[i].Type {
|
||||
msgs = append(msgs, fmt.Sprintf("rlimit can not contain the same type %q.", process.Rlimits[index].Type))
|
||||
}
|
||||
}
|
||||
|
||||
if v.spec.Platform.OS == "linux" {
|
||||
if err := rlimitValid(rlimit); err != nil {
|
||||
msgs = append(msgs, err.Error())
|
||||
}
|
||||
} else {
|
||||
logrus.Warnf("process.rlimits validation not yet implemented for OS %q", v.spec.Platform.OS)
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -286,6 +387,7 @@ func supportedMountTypes(OS string, hostSpecific bool) (map[string]bool, error)
|
|||
return nil, nil
|
||||
}
|
||||
|
||||
// CheckMounts checks v.spec.Mounts
|
||||
func (v *Validator) CheckMounts() (msgs []string) {
|
||||
logrus.Debugf("check mounts")
|
||||
|
||||
|
|
@ -310,35 +412,67 @@ func (v *Validator) CheckMounts() (msgs []string) {
|
|||
return
|
||||
}
|
||||
|
||||
//Linux only
|
||||
func (v *Validator) CheckLinux() (msgs []string) {
|
||||
logrus.Debugf("check linux")
|
||||
// CheckOS checks v.spec.Platform.OS
|
||||
func (v *Validator) CheckOS() (msgs []string) {
|
||||
logrus.Debugf("check os")
|
||||
|
||||
utsExists := false
|
||||
ipcExists := false
|
||||
mountExists := false
|
||||
netExists := false
|
||||
userExists := false
|
||||
|
||||
for index := 0; index < len(v.spec.Linux.Namespaces); index++ {
|
||||
if !namespaceValid(v.spec.Linux.Namespaces[index]) {
|
||||
msgs = append(msgs, fmt.Sprintf("namespace %v is invalid.", v.spec.Linux.Namespaces[index]))
|
||||
} else if len(v.spec.Linux.Namespaces[index].Path) == 0 {
|
||||
if v.spec.Linux.Namespaces[index].Type == rspec.UTSNamespace {
|
||||
utsExists = true
|
||||
} else if v.spec.Linux.Namespaces[index].Type == rspec.IPCNamespace {
|
||||
ipcExists = true
|
||||
} else if v.spec.Linux.Namespaces[index].Type == rspec.NetworkNamespace {
|
||||
netExists = true
|
||||
} else if v.spec.Linux.Namespaces[index].Type == rspec.MountNamespace {
|
||||
mountExists = true
|
||||
} else if v.spec.Linux.Namespaces[index].Type == rspec.UserNamespace {
|
||||
userExists = true
|
||||
}
|
||||
if v.spec.Platform.OS != "linux" {
|
||||
if v.spec.Linux != nil {
|
||||
msgs = append(msgs, fmt.Sprintf("'linux' MUST NOT be set when platform.os is %q", v.spec.Platform.OS))
|
||||
}
|
||||
}
|
||||
|
||||
if (len(v.spec.Linux.UIDMappings) > 0 || len(v.spec.Linux.GIDMappings) > 0) && !userExists {
|
||||
if v.spec.Platform.OS != "solaris" {
|
||||
if v.spec.Solaris != nil {
|
||||
msgs = append(msgs, fmt.Sprintf("'solaris' MUST NOT be set when platform.os is %q", v.spec.Platform.OS))
|
||||
}
|
||||
}
|
||||
|
||||
if v.spec.Platform.OS != "windows" {
|
||||
if v.spec.Windows != nil {
|
||||
msgs = append(msgs, fmt.Sprintf("'windows' MUST NOT be set when platform.os is %q", v.spec.Platform.OS))
|
||||
}
|
||||
}
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
// CheckLinux checks v.spec.Linux
|
||||
func (v *Validator) CheckLinux() (msgs []string) {
|
||||
logrus.Debugf("check linux")
|
||||
|
||||
var typeList = map[rspec.LinuxNamespaceType]struct {
|
||||
num int
|
||||
newExist bool
|
||||
}{
|
||||
rspec.PIDNamespace: {0, false},
|
||||
rspec.NetworkNamespace: {0, false},
|
||||
rspec.MountNamespace: {0, false},
|
||||
rspec.IPCNamespace: {0, false},
|
||||
rspec.UTSNamespace: {0, false},
|
||||
rspec.UserNamespace: {0, false},
|
||||
rspec.CgroupNamespace: {0, false},
|
||||
}
|
||||
|
||||
for index := 0; index < len(v.spec.Linux.Namespaces); index++ {
|
||||
ns := v.spec.Linux.Namespaces[index]
|
||||
if !namespaceValid(ns) {
|
||||
msgs = append(msgs, fmt.Sprintf("namespace %v is invalid.", ns))
|
||||
}
|
||||
|
||||
tmpItem := typeList[ns.Type]
|
||||
tmpItem.num = tmpItem.num + 1
|
||||
if tmpItem.num > 1 {
|
||||
msgs = append(msgs, fmt.Sprintf("duplicated namespace %q", ns.Type))
|
||||
}
|
||||
|
||||
if len(ns.Path) == 0 {
|
||||
tmpItem.newExist = true
|
||||
}
|
||||
typeList[ns.Type] = tmpItem
|
||||
}
|
||||
|
||||
if (len(v.spec.Linux.UIDMappings) > 0 || len(v.spec.Linux.GIDMappings) > 0) && !typeList[rspec.UserNamespace].newExist {
|
||||
msgs = append(msgs, "UID/GID mappings requires a new User namespace to be specified as well")
|
||||
} else if len(v.spec.Linux.UIDMappings) > 5 {
|
||||
msgs = append(msgs, "Only 5 UID mappings are allowed (linux kernel restriction).")
|
||||
|
|
@ -347,17 +481,17 @@ func (v *Validator) CheckLinux() (msgs []string) {
|
|||
}
|
||||
|
||||
for k := range v.spec.Linux.Sysctl {
|
||||
if strings.HasPrefix(k, "net.") && !netExists {
|
||||
if strings.HasPrefix(k, "net.") && !typeList[rspec.NetworkNamespace].newExist {
|
||||
msgs = append(msgs, fmt.Sprintf("Sysctl %v requires a new Network namespace to be specified as well", k))
|
||||
}
|
||||
if strings.HasPrefix(k, "fs.mqueue.") {
|
||||
if !mountExists || !ipcExists {
|
||||
if !typeList[rspec.MountNamespace].newExist || !typeList[rspec.IPCNamespace].newExist {
|
||||
msgs = append(msgs, fmt.Sprintf("Sysctl %v requires a new IPC namespace and Mount namespace to be specified as well", k))
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if v.spec.Platform.OS == "linux" && !utsExists && v.spec.Hostname != "" {
|
||||
if v.spec.Platform.OS == "linux" && !typeList[rspec.UTSNamespace].newExist && v.spec.Hostname != "" {
|
||||
msgs = append(msgs, fmt.Sprintf("On Linux, hostname requires a new UTS namespace to be specified as well"))
|
||||
}
|
||||
|
||||
|
|
@ -404,6 +538,7 @@ func (v *Validator) CheckLinux() (msgs []string) {
|
|||
return
|
||||
}
|
||||
|
||||
// CheckLinuxResources checks v.spec.Linux.Resources
|
||||
func (v *Validator) CheckLinuxResources() (msgs []string) {
|
||||
logrus.Debugf("check linux resources")
|
||||
|
||||
|
|
@ -416,10 +551,31 @@ func (v *Validator) CheckLinuxResources() (msgs []string) {
|
|||
msgs = append(msgs, fmt.Sprintf("Minimum memory limit should be larger than memory reservation"))
|
||||
}
|
||||
}
|
||||
if r.Network != nil && v.HostSpecific {
|
||||
var exist bool
|
||||
interfaces, err := net.Interfaces()
|
||||
if err != nil {
|
||||
msgs = append(msgs, err.Error())
|
||||
return
|
||||
}
|
||||
for _, prio := range r.Network.Priorities {
|
||||
exist = false
|
||||
for _, ni := range interfaces {
|
||||
if prio.Name == ni.Name {
|
||||
exist = true
|
||||
break
|
||||
}
|
||||
}
|
||||
if !exist {
|
||||
msgs = append(msgs, fmt.Sprintf("Interface %s does not exist currently", prio.Name))
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
// CheckSeccomp checkc v.spec.Linux.Seccomp
|
||||
func (v *Validator) CheckSeccomp() (msgs []string) {
|
||||
logrus.Debugf("check linux seccomp")
|
||||
|
||||
|
|
@ -450,6 +606,8 @@ func (v *Validator) CheckSeccomp() (msgs []string) {
|
|||
case rspec.ArchPPC64LE:
|
||||
case rspec.ArchS390:
|
||||
case rspec.ArchS390X:
|
||||
case rspec.ArchPARISC:
|
||||
case rspec.ArchPARISC64:
|
||||
default:
|
||||
msgs = append(msgs, fmt.Sprintf("seccomp architecture %q is invalid", s.Architectures[index]))
|
||||
}
|
||||
|
|
@ -458,6 +616,40 @@ func (v *Validator) CheckSeccomp() (msgs []string) {
|
|||
return
|
||||
}
|
||||
|
||||
// CapValid checks whether a capability is valid
|
||||
func CapValid(c string, hostSpecific bool) error {
|
||||
isValid := false
|
||||
|
||||
if !strings.HasPrefix(c, "CAP_") {
|
||||
return fmt.Errorf("capability %s must start with CAP_", c)
|
||||
}
|
||||
for _, cap := range capability.List() {
|
||||
if c == fmt.Sprintf("CAP_%s", strings.ToUpper(cap.String())) {
|
||||
if hostSpecific && cap > LastCap() {
|
||||
return fmt.Errorf("CAP_%s is not supported on the current host", c)
|
||||
}
|
||||
isValid = true
|
||||
break
|
||||
}
|
||||
}
|
||||
|
||||
if !isValid {
|
||||
return fmt.Errorf("Invalid capability: %s", c)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// LastCap return last cap of system
|
||||
func LastCap() capability.Cap {
|
||||
last := capability.CAP_LAST_CAP
|
||||
// hack for RHEL6 which has no /proc/sys/kernel/cap_last_cap
|
||||
if last == capability.Cap(63) {
|
||||
last = capability.CAP_BLOCK_SUSPEND
|
||||
}
|
||||
|
||||
return last
|
||||
}
|
||||
|
||||
func envValid(env string) bool {
|
||||
items := strings.Split(env, "=")
|
||||
if len(items) < 2 {
|
||||
|
|
@ -474,25 +666,19 @@ func envValid(env string) bool {
|
|||
return true
|
||||
}
|
||||
|
||||
func capValid(capability string) bool {
|
||||
for _, val := range defaultCaps {
|
||||
if val == capability {
|
||||
return true
|
||||
}
|
||||
func rlimitValid(rlimit rspec.LinuxRlimit) error {
|
||||
if rlimit.Hard < rlimit.Soft {
|
||||
return fmt.Errorf("hard limit of rlimit %s should not be less than soft limit", rlimit.Type)
|
||||
}
|
||||
return false
|
||||
}
|
||||
|
||||
func rlimitValid(rlimit string) bool {
|
||||
for _, val := range defaultRlimits {
|
||||
if val == rlimit {
|
||||
return true
|
||||
if val == rlimit.Type {
|
||||
return nil
|
||||
}
|
||||
}
|
||||
return false
|
||||
return fmt.Errorf("rlimit type %q is invalid", rlimit.Type)
|
||||
}
|
||||
|
||||
func namespaceValid(ns rspec.Namespace) bool {
|
||||
func namespaceValid(ns rspec.LinuxNamespace) bool {
|
||||
switch ns.Type {
|
||||
case rspec.PIDNamespace:
|
||||
case rspec.NetworkNamespace:
|
||||
|
|
@ -504,10 +690,15 @@ func namespaceValid(ns rspec.Namespace) bool {
|
|||
default:
|
||||
return false
|
||||
}
|
||||
|
||||
if ns.Path != "" && !filepath.IsAbs(ns.Path) {
|
||||
return false
|
||||
}
|
||||
|
||||
return true
|
||||
}
|
||||
|
||||
func deviceValid(d rspec.Device) bool {
|
||||
func deviceValid(d rspec.LinuxDevice) bool {
|
||||
switch d.Type {
|
||||
case "b":
|
||||
case "c":
|
||||
|
|
@ -528,7 +719,7 @@ func deviceValid(d rspec.Device) bool {
|
|||
return true
|
||||
}
|
||||
|
||||
func seccompActionValid(secc rspec.Action) bool {
|
||||
func seccompActionValid(secc rspec.LinuxSeccompAction) bool {
|
||||
switch secc {
|
||||
case "":
|
||||
case rspec.ActKill:
|
||||
|
|
@ -542,7 +733,7 @@ func seccompActionValid(secc rspec.Action) bool {
|
|||
return true
|
||||
}
|
||||
|
||||
func syscallValid(s rspec.Syscall) bool {
|
||||
func syscallValid(s rspec.LinuxSyscall) bool {
|
||||
if !seccompActionValid(s.Action) {
|
||||
return false
|
||||
}
|
||||
|
|
@ -637,6 +828,7 @@ func checkMandatory(obj interface{}) (msgs []string) {
|
|||
return
|
||||
}
|
||||
|
||||
// CheckMandatoryFields checks mandatory field of container's config file
|
||||
func (v *Validator) CheckMandatoryFields() []string {
|
||||
logrus.Debugf("check mandatory fields")
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue