
Commit e0d563b

committed
Mounts + jailconfig & spec
1 parent de37a70 commit e0d563b

2 files changed

Lines changed: 114 additions & 15 deletions


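--- a/jail/conf.go
+++ b/jail/conf.go
@@ -7,59 +7,115 @@ import (
 "path/filepath"
 "text/template"
 
+"go.sbk.wtf/runj/runtimespec"
 "go.sbk.wtf/runj/state"
 )
 
 const (
 confName = "jail.conf"
 configTemplate = `{{ .Name }} {
+allow.raw_sockets;
+allow.mlock;
+sysvmsg = new;
+sysvsem = new;
+sysvshm = new;
+
 path = "{{ .Root }}";
-devfs_ruleset = 4;
-mount.devfs;
+mount.fstab = "{{ .Fstab }}";
+vnet;
 persist;
 }
 `
 )
 
-func CreateConfig(id, root string) (string, error) {
+func CreateConfig(id, root string, mounts []runtimespec.Mount) (string, error) {
 config, err := renderConfig(id, root)
+fstab := renderFstab(root, mounts)
 if err != nil {
 return "", err
 }
 confPath := ConfPath(id)
+fstabPath := FstabPath(id)
 confFile, err := os.OpenFile(confPath, os.O_CREATE|os.O_EXCL|os.O_WRONLY, 0644)
 if err != nil {
 return "", fmt.Errorf("jail: config should not already exist: %w", err)
 }
+fstabFile, err := os.OpenFile(fstabPath, os.O_CREATE|os.O_EXCL|os.O_WRONLY, 0644)
+if err != nil {
+return "", fmt.Errorf("jail: fstab should not already exist: %w", err)
+}
 defer func() {
 confFile.Close()
 if err != nil {
 os.Remove(confFile.Name())
 }
+fstabFile.Close()
+if err != nil {
+os.Remove(fstabFile.Name())
+}
 }()
 _, err = confFile.Write([]byte(config))
 if err != nil {
 return "", err
 }
+_, err = fstabFile.Write([]byte(fstab))
+if err != nil {
+return "", err
+}
 return confFile.Name(), nil
 }
 
 func ConfPath(id string) string {
 return filepath.Join(state.Dir(id), confName)
 }
 
+func FstabPath(id string) string {
+return filepath.Join(state.Dir(id), "fstab")
+}
+
+func renderFstab(root string, mounts []runtimespec.Mount) (fstab string) {
+for _, mount := range mounts {
+if mount.Type == "mqueue" {
+continue
+}
+fstab += mount.Source
+fstab += "\t"
+fstab += filepath.Join(root, mount.Destination)
+fstab += "\t"
+fstab += mount.Type
+fstab += "\t"
+
+fstab += "rw,late"
+if mount.Destination == "/dev" {
+fstab+=",ruleset=5"
+} else if len(mount.Options) > 0 {
+for _, option := range mount.Options {
+if option == "strictatime" {
+continue
+}
+fstab += ","
+fstab += option
+}
+}
+fstab += "\t0 0\n"
+}
+return fstab
+}
+
 func renderConfig(id, root string) (string, error) {
 config, err := template.New("config").Parse(configTemplate)
 if err != nil {
 return "", err
 }
 buf := bytes.Buffer{}
 config.Execute(&buf, struct {
-Name string
-Root string
+Name string
+Root string
+Fstab string
 }{
-Name: id,
-Root: root,
+Name: id,
+Root: root,
+Fstab: filepath.Join(state.Dir(id), "fstab"),
 })
 return buf.String(), nil
 }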
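Review bot: renderFstab copies mount.Source, mount.Destination and every option from the spec into the fstab unchecked, so a Destination with `..` segments resolves outside root after `filepath.Join` (Join cleans the joined path) and a tab or newline in any field splices extra columns or entries into the file the jail is mounted from; validate before rendering, e.g. `if rel, err := filepath.Rel(root, dest); err != nil || rel == ".." || strings.HasPrefix(rel, "../") { return "", fmt.Errorf("jail: mount destination %q escapes root", mount.Destination) }` together with a `strings.ContainsAny(field, "\t\n")` check on each field (renderFstab would then return an error for CreateConfig to handle, and `strings` is not yet imported in this file). CreateConfig returns on the fstab OpenFile failure before the cleanup defer is registered, which leaves confFile open and jail.conf on disk, so the next attempt fails with "config should not already exist"; register one defer right after each OpenFile instead of the combined one at the end. The template now sets `allow.raw_sockets;` and `allow.mlock;` for every jail regardless of what the spec asked for, which widens every container's privileges by default; gate these on configuration or document why they are always on. `fstab+=",ruleset=5"` is not gofmt'd, and the run of `fstab +=` statements would read better as a strings.Builder.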

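--- a/runtimespec/config.go
+++ b/runtimespec/config.go
@@ -32,11 +32,11 @@ type Spec struct {
 // Modification by Samuel Karp
 /*
 // Hostname configures the container's hostname.
-Hostname string `json:"hostname,omitempty"`
-// Mounts configures additional mounts (on top of Root).
-Mounts []Mount `json:"mounts,omitempty"`
-// Hooks configures callbacks for container lifecycle events.
-Hooks *Hooks `json:"hooks,omitempty" platform:"linux,solaris"`
+Hostname string `json:"hostname,omitempty"`*/
+// Mounts configures additional mounts (on top of Root).
+Mounts []Mount `json:"mounts,omitempty"`
+// Hooks configures callbacks for container lifecycle events.
+Hooks *Hooks `json:"hooks,omitempty" platform:"linux,solaris"`/*
 // Annotations contains arbitrary metadata for the container.
 Annotations map[string]string `json:"annotations,omitempty"`
 
@@ -86,11 +86,11 @@ type Process struct {
 // Env populates the process environment for the process.
 Env []string `json:"env,omitempty"`
 
+// Cwd is the current working directory for the process and must be
+// relative to the container's root.
+Cwd string `json:"cwd"`
 // Modification by Samuel Karp`
 /*
-// Cwd is the current working directory for the process and must be
-// relative to the container's root.
-Cwd string `json:"cwd"`
 // Capabilities are Linux capabilities that are kept for the process.
 Capabilities *LinuxCapabilities `json:"capabilities,omitempty" platform:"linux"`
 // Rlimits specifies rlimit options to apply to the process.
@@ -107,6 +107,18 @@ type Process struct {
 // End of modification
 }
 
+// Mount specifies a mount for a container.
+type Mount struct {
+// Destination is the absolute path where the mount will be placed in the container.
+Destination string `json:"destination"`
+// Type specifies the mount kind.
+Type string `json:"type,omitempty" platform:"linux,solaris"`
+// Source specifies the source path of the mount.
+Source string `json:"source,omitempty"`
+// Options are fstab style mount options.
+Options []string `json:"options,omitempty"`
+}
+
 // Root contains information about the container's root filesystem on the host.
 type Root struct {
 // Path is the absolute path to the container's root filesystem.
@@ -120,6 +132,37 @@ type Root struct {
 // End of modification
 }
 
+// Hook specifies a command that is run at a particular event in the lifecycle of a container
+type Hook struct {
+Path string `json:"path"`
+Args []string `json:"args,omitempty"`
+Env []string `json:"env,omitempty"`
+Timeout *int `json:"timeout,omitempty"`
+}
+
+// Hooks specifies a command that is run in the container at a particular event in the lifecycle of a container
+// Hooks for container setup and teardown
+type Hooks struct {
+// Prestart is Deprecated. Prestart is a list of hooks to be run before the container process is executed.
+// It is called in the Runtime Namespace
+Prestart []Hook `json:"prestart,omitempty"`
+// CreateRuntime is a list of hooks to be run after the container has been created but before pivot_root or any equivalent operation has been called
+// It is called in the Runtime Namespace
+CreateRuntime []Hook `json:"createRuntime,omitempty"`
+// CreateContainer is a list of hooks to be run after the container has been created but before pivot_root or any equivalent operation has been called
+// It is called in the Container Namespace
+CreateContainer []Hook `json:"createContainer,omitempty"`
+// StartContainer is a list of hooks to be run after the start operation is called but before the container process is started
+// It is called in the Container Namespace
+StartContainer []Hook `json:"startContainer,omitempty"`
+// Poststart is a list of hooks to be run after the container process is started.
+// It is called in the Runtime Namespace
+Poststart []Hook `json:"poststart,omitempty"`
+// Poststop is a list of hooks to be run after the container process exits.
+// It is called in the Runtime Namespace
+Poststop []Hook `json:"poststop,omitempty"`
+}
+
 // Modification by Samuel Karp
 /*
 Omitted type definitions for: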
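Review bot: The Mounts and Hooks fields at new lines 36–39 of Spec are brought back into the struct by fusing `*/` onto the end of the Hostname line and `/*` onto the end of the Hooks line, so the boundaries of the commented-out region sit inside code lines and a reader skimming the block can easily take both fields as still disabled; put the closing and reopening markers on lines of their own, as the Cwd hunk in Process already does. Mount.Type keeps upstream's `platform:"linux,solaris"` tag although jail/conf.go in this commit reads it to build a FreeBSD fstab, so the tag now misleads; drop it or note that it is inherited. Hooks becomes a live Spec field here but nothing in this commit appears to run hooks, so a short comment on the field stating whether hooks are honored would save callers a surprise. The Hook doc comment lacks a terminating period and Hooks carries two stacked summary lines; keep one sentence each.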
