From c09db4c94313b02a0f3e6307746251f67634684f Mon Sep 17 00:00:00 2001
From: Vincent Batts
Date: Mon, 6 Nov 2017 17:10:30 -0500
Subject: [PATCH] oci config: update version from 1.0.0-rc2-dev -> 1.0.0-rc5 (runc 1.0.0-rc2 -> 1.0.0-rc3)
Signed-off-by: Vincent Batts
---
 config.json | 186 +++++++++++++++++++++-------------------------------
 1 file changed, 74 insertions(+), 112 deletions(-)
diff --git a/config.json b/config.json
index e500204..adb3e26 100644
--- a/config.json
+++ b/config.json
@@ -1,5 +1,5 @@
 {
- "ociVersion": "1.0.0-rc2-dev",
+ "ociVersion": "1.0.0-rc5",
 "platform": {
 "os": "linux",
 "arch": "amd64"
@@ -19,44 +19,55 @@
 ],
 "env": [
 "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
- "HOSTNAME=helloctl",
- "TERM=xterm",
- "DISTTAG=f26container",
- "FGC=f26"
+ "TERM=xterm"
 ],
 "cwd": "/",
- "capabilities": [
- "CAP_CHOWN",
- "CAP_DAC_OVERRIDE",
- "CAP_FSETID",
- "CAP_FOWNER",
- "CAP_MKNOD",
- "CAP_NET_RAW",
- "CAP_SETGID",
- "CAP_SETUID",
- "CAP_SETFCAP",
- "CAP_SETPCAP",
- "CAP_NET_BIND_SERVICE",
- "CAP_SYS_CHROOT",
- "CAP_KILL",
- "CAP_AUDIT_WRITE",
- "CAP_SYS_PTRACE"
- ]
+ "capabilities": {
+ "bounding": [
+ "CAP_AUDIT_WRITE",
+ "CAP_KILL",
+ "CAP_NET_BIND_SERVICE"
+ ],
+ "effective": [
+ "CAP_AUDIT_WRITE",
+ "CAP_KILL",
+ "CAP_NET_BIND_SERVICE"
+ ],
+ "inheritable": [
+ "CAP_AUDIT_WRITE",
+ "CAP_KILL",
+ "CAP_NET_BIND_SERVICE"
+ ],
+ "permitted": [
+ "CAP_AUDIT_WRITE",
+ "CAP_KILL",
+ "CAP_NET_BIND_SERVICE"
+ ],
+ "ambient": [
+ "CAP_AUDIT_WRITE",
+ "CAP_KILL",
+ "CAP_NET_BIND_SERVICE"
+ ]
+ },
+ "rlimits": [
+ {
+ "type": "RLIMIT_NOFILE",
+ "hard": 1024,
+ "soft": 1024
+ }
+ ],
+ "noNewPrivileges": true
 },
 "root": {
- "path": "./rootfs/"
+ "path": "rootfs",
+ "readonly": true
 },
 "hostname": "helloctl",
 "mounts": [
 {
 "destination": "/proc",
 "type": "proc",
- "source": "proc",
- "options": [
- "nosuid",
- "noexec",
- "nodev"
- ]
+ "source": "proc"
 },
 {
 "destination": "/dev",
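Review bot: The rewritten `/proc` entry drops its `"options": ["nosuid", "noexec", "nodev"]` list while the other pseudo-filesystem mounts touched by this patch (`/dev/mqueue`, the `cgroup` mount) keep exactly those options; this matches runc's stock spec and arguably has little practical effect on procfs, but if the goal is a consistently hardened mount table rather than parity with runc, keep the three options on `/proc` as well. The five capability sets are populated identically, so the three capabilities also land in `ambient`, which is what lets them survive an execve by a non-root process; that only makes sense if the `user` block above this hunk (not visible here) runs the workload unprivileged and it genuinely needs `CAP_NET_BIND_SERVICE`, otherwise the `ambient` and `inheritable` lists can be left empty. Since JSON carries no comments, I would record why these three capabilities were kept in the commit message or an adjacent README. The `process` object this hunk edits opens before the hunk.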
@@ -65,7 +76,8 @@
 "options": [
 "nosuid",
 "strictatime",
- "mode=755"
+ "mode=755",
+ "size=65536k"
 ]
 },
 {
@@ -81,6 +93,28 @@
 "gid=5"
 ]
 },
+ {
+ "destination": "/dev/shm",
+ "type": "tmpfs",
+ "source": "shm",
+ "options": [
+ "nosuid",
+ "noexec",
+ "nodev",
+ "mode=1777",
+ "size=65536k"
+ ]
+ },
+ {
+ "destination": "/dev/mqueue",
+ "type": "mqueue",
+ "source": "mqueue",
+ "options": [
+ "nosuid",
+ "noexec",
+ "nodev"
+ ]
+ },
 {
 "destination": "/sys",
 "type": "sysfs",
@@ -97,20 +131,11 @@
 "type": "cgroup",
 "source": "cgroup",
 "options": [
- "ro",
 "nosuid",
 "noexec",
- "nodev"
- ]
- },
- {
- "destination": "/dev/mqueue",
- "type": "mqueue",
- "source": "mqueue",
- "options": [
- "nosuid",
- "noexec",
- "nodev"
+ "nodev",
+ "relatime",
+ "ro"
 ]
 },
 {
@@ -134,10 +159,6 @@
 ]
 }
 ],
- "hooks": {
- "prestart": [ ],
- "poststop": [ ]
- },
 "linux": {
 "resources": {
 "devices": [
@@ -145,89 +166,30 @@
 "allow": false,
 "access": "rwm"
 },
- {
- "allow": true,
- "type": "c",
- "major": 1,
- "minor": 5,
- "access": "rwm"
- },
- {
- "allow": true,
- "type": "c",
- "major": 1,
- "minor": 3,
- "access": "rwm"
- },
- {
- "allow": true,
- "type": "c",
- "major": 1,
- "minor": 9,
- "access": "rwm"
- },
- {
- "allow": true,
- "type": "c",
- "major": 1,
- "minor": 8,
- "access": "rwm"
- },
- {
- "allow": true,
- "type": "c",
- "major": 5,
- "minor": 0,
- "access": "rwm"
- },
- {
- "allow": true,
- "type": "c",
- "major": 5,
- "minor": 1,
- "access": "rwm"
- },
 {
 "allow": true,
 "type": "c",
 "major": 10,
- "minor": 57,
- "access": "rwm"
- },
- {
- "allow": false,
- "type": "c",
- "major": 10,
- "minor": 229,
+ "minor": 56,
 "access": "rwm"
 }
- ],
- "disableOOMKiller": false,
- "oomScoreAdj": 0,
- "cpu": {},
- "pids": {
- "limit": 0
- },
- "blockIO": {
- "blkioWeight": 0
- }
+ ]
 },
- "cgroupsPath": "system.slice:docker:8ad3dfde3644481046eace9cd586600f0416d3c43b4b9f4cc161c470859c0e17",
 "namespaces": [
 {
- "type": "mount"
+ "type": "pid"
 },
 {
 "type": "network"
 },
+ {
+ "type": "ipc"
+ },
 {
 "type": "uts"
 },
 {
- "type": "pid"
- },
- {
- "type": "ipc"
+ "type": "mount"
 }
 ],
 "maskedPaths": [
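Review bot: The device cgroup list now consists of the deny-all rule plus a single `rwm` allow for char device 10:56; the explicit allows for 1:3, 1:5, 1:8, 1:9, 5:0 and 5:1 are removed, and nothing in the patch says what 10:56 is or why the container needs it. This is probably fine under runc, which as far as I recall appends its own default allow rules for the basic nodes (null, zero, random, urandom, tty, console) regardless of the spec, but a runtime that honours only the listed rules would leave the workload unable to open `/dev/null`, so confirm against the runtime you target. Because JSON has no comments, I would record the rationale for the 10:56 rule in the commit message or a README next to the config. Dropping `"pids": {"limit": 0}` changes nothing in practice, since runc treats 0 as unset as far as I know, so the container still has no pid bound; if fork-bomb containment matters, set a real `"limit"` here. The `linux.resources` object opens above this hunk and the `namespaces` array closes below it.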