Merge branch 'v1.0.0.rc1' into master

wking · wking · commit 769a064ca0c0 · 2016-07-29T16:29:04.000-07:00
* v1.0.0.rc1:
  Add Travis CI badge to README
  generate: fix capability.List() for cap_last_cap not exist
  generate: remove unnecessary spec initialization
  generate: fix tmpfs adding based on manpage
  Check CAP_LAST_CAP while setting privileged
diff --git a/README.md b/README.md
@@ -1,4 +1,4 @@
-# ocitools
+# ocitools [![Build Status](https://travis-ci.org/opencontainers/ocitools.svg?branch=master)](https://travis-ci.org/opencontainers/ocitools)
 
 ocitools is a collection of tools for working with the [OCI runtime specification][runtime-spec].
 
diff --git a/cmd/ocitools/generate.go b/cmd/ocitools/generate.go
@@ -78,7 +78,7 @@ var generateCommand = cli.Command{
 			}
 		}
 
-		err := setupSpec(specgen, context)
+		err := setupSpec(&specgen, context)
 		if err != nil {
 			return err
 		}
@@ -96,8 +96,12 @@ var generateCommand = cli.Command{
 	},
 }
 
-func setupSpec(g generate.Generator, context *cli.Context) error {
-	spec := g.GetSpec()
+func setupSpec(g *generate.Generator, context *cli.Context) error {
+	if context.GlobalBool("host-specific") {
+		g.HostSpecific = true
+	}
+
+	spec := g.Spec()
 
 	if len(spec.Version) == 0 {
 		g.SetVersion(rspec.Version)
@@ -369,7 +373,7 @@ func checkNs(nsMaps map[string]string, nsName string) bool {
 	return true
 }
 
-func setupLinuxNamespaces(g generate.Generator, needsNewUser bool, nsMaps map[string]string) {
+func setupLinuxNamespaces(g *generate.Generator, needsNewUser bool, nsMaps map[string]string) {
 	for _, nsName := range generate.Namespaces {
 		if !checkNs(nsMaps, nsName) && !(needsNewUser && nsName == "user") {
 			continue
diff --git a/cmd/ocitools/main.go b/cmd/ocitools/main.go
@@ -18,6 +18,10 @@ func main() {
 			Value: "error",
 			Usage: "Log level (panic, fatal, error, warn, info, or debug)",
 		},
+		cli.BoolFlag{
+			Name:  "host-specific",
+			Usage: "generate host-specific configs or do host-specific validations",
+		},
 	}
 
 	app.Commands = []cli.Command{
diff --git a/cmd/ocitools/validate.go b/cmd/ocitools/validate.go
@@ -24,7 +24,6 @@ type configCheck func(rspec.Spec, string, bool) []string
 
 var bundleValidateFlags = []cli.Flag{
 	cli.StringFlag{Name: "path", Value: ".", Usage: "path to a bundle"},
-	cli.BoolFlag{Name: "host-specific", Usage: "Check host specific configs."},
 }
 
 var (
@@ -99,7 +98,7 @@ var bundleValidateCommand = cli.Command{
 			return fmt.Errorf("The root path %q is not a directory.", rootfsPath)
 		}
 
-		hostCheck := context.Bool("host-specific")
+		hostCheck := context.GlobalBool("host-specific")
 
 		checks := []configCheck{
 			checkMandatoryFields,
diff --git a/generate/generate.go b/generate/generate.go
@@ -21,7 +21,8 @@ var (
 
 // Generator represents a generator for a container spec.
 type Generator struct {
-	spec *rspec.Spec
+	spec         *rspec.Spec
+	HostSpecific bool
 }
 
 // New creates a spec Generator with the default spec.
@@ -139,12 +140,16 @@ func New() Generator {
 			Devices: []rspec.Device{},
 		},
 	}
-	return Generator{&spec}
+	return Generator{
+		spec: &spec,
+	}
 }
 
 // NewFromSpec creates a spec Generator from a given spec.
 func NewFromSpec(spec *rspec.Spec) Generator {
-	return Generator{spec}
+	return Generator{
+		spec: spec,
+	}
 }
 
 // NewFromFile loads the template specifed in a file into a spec Generator.
@@ -166,16 +171,18 @@ func NewFromTemplate(r io.Reader) (Generator, error) {
 	if err := json.NewDecoder(r).Decode(&spec); err != nil {
 		return Generator{}, err
 	}
-	return Generator{&spec}, nil
+	return Generator{
+		spec: &spec,
+	}, nil
 }
 
 // SetSpec sets the spec in the Generator g.
 func (g *Generator) SetSpec(spec *rspec.Spec) {
 	g.spec = spec
 }
 
-// GetSpec gets the spec in the Generator g.
-func (g *Generator) GetSpec() *rspec.Spec {
+// Spec gets the spec in the Generator g.
+func (g *Generator) Spec() *rspec.Spec {
 	return g.spec
 }
 
@@ -230,7 +237,9 @@ func (g *Generator) SetHostname(s string) {
 
 // ClearAnnotations clears g.spec.Annotations.
 func (g *Generator) ClearAnnotations() {
-	g.initSpec()
+	if g.spec == nil {
+		return
+	}
 	g.spec.Annotations = make(map[string]string)
 }
 
@@ -310,7 +319,9 @@ func (g *Generator) SetProcessArgs(args []string) {
 
 // ClearProcessEnv clears g.spec.Process.Env.
 func (g *Generator) ClearProcessEnv() {
-	g.initSpec()
+	if g.spec == nil {
+		return
+	}
 	g.spec.Process.Env = []string{}
 }
 
@@ -322,7 +333,9 @@ func (g *Generator) AddProcessEnv(env string) {
 
 // ClearProcessAdditionalGids clear g.spec.Process.AdditionalGids.
 func (g *Generator) ClearProcessAdditionalGids() {
-	g.initSpec()
+	if g.spec == nil {
+		return
+	}
 	g.spec.Process.User.AdditionalGids = []uint32{}
 }
 
@@ -886,11 +899,26 @@ func (g *Generator) AddPostStartHook(s string) error {
 
 // AddTmpfsMount adds a tmpfs mount into g.spec.Mounts.
 func (g *Generator) AddTmpfsMount(dest string) error {
-	mnt := rspec.Mount{
-		Destination: dest,
-		Type:        "tmpfs",
-		Source:      "tmpfs",
-		Options:     []string{"nosuid", "nodev", "mode=755"},
+	mnt := rspec.Mount{}
+
+	parts := strings.Split(dest, ":")
+	if len(parts) == 2 {
+		options := strings.Split(parts[1], ",")
+		mnt = rspec.Mount{
+			Destination: parts[0],
+			Type:        "tmpfs",
+			Source:      "tmpfs",
+			Options:     options,
+		}
+	} else if len(parts) == 1 {
+		mnt = rspec.Mount{
+			Destination: parts[0],
+			Type:        "tmpfs",
+			Source:      "tmpfs",
+			Options:     []string{"rw", "noexec", "nosuid", "nodev", "size=65536k"},
+		}
+	} else {
+		return fmt.Errorf("invalid value for --tmpfs")
 	}
 
 	g.initSpec()
@@ -953,6 +981,9 @@ func (g *Generator) SetupPrivileged(privileged bool) {
 		// Add all capabilities in privileged mode.
 		var finalCapList []string
 		for _, cap := range capability.List() {
+			if g.HostSpecific && cap > lastCap() {
+				continue
+			}
 			finalCapList = append(finalCapList, fmt.Sprintf("CAP_%s", strings.ToUpper(cap.String())))
 		}
 		g.initSpecLinux()
@@ -963,12 +994,25 @@ func (g *Generator) SetupPrivileged(privileged bool) {
 	}
 }
 
-func checkCap(c string) error {
+func lastCap() capability.Cap {
+	last := capability.CAP_LAST_CAP
+	// hack for RHEL6 which has no /proc/sys/kernel/cap_last_cap
+	if last == capability.Cap(63) {
+		last = capability.CAP_BLOCK_SUSPEND
+	}
+
+	return last
+}
+
+func checkCap(c string, hostSpecific bool) error {
 	isValid := false
 	cp := strings.ToUpper(c)
 
 	for _, cap := range capability.List() {
 		if cp == strings.ToUpper(cap.String()) {
+			if hostSpecific && cap > lastCap() {
+				return fmt.Errorf("CAP_%s is not supported on the current host", cp)
+			}
 			isValid = true
 			break
 		}
@@ -990,7 +1034,7 @@ func (g *Generator) ClearProcessCapabilities() {
 
 // AddProcessCapability adds a process capability into g.spec.Process.Capabilities.
 func (g *Generator) AddProcessCapability(c string) error {
-	if err := checkCap(c); err != nil {
+	if err := checkCap(c, g.HostSpecific); err != nil {
 		return err
 	}
 
@@ -1009,7 +1053,7 @@ func (g *Generator) AddProcessCapability(c string) error {
 
 // DropProcessCapability drops a process capability from g.spec.Process.Capabilities.
 func (g *Generator) DropProcessCapability(c string) error {
-	if err := checkCap(c); err != nil {
+	if err := checkCap(c, g.HostSpecific); err != nil {
 		return err
 	}
 
diff --git a/man/ocitools-validate.1.md b/man/ocitools-validate.1.md
@@ -18,16 +18,6 @@ Validate an OCI bundle
 **--path=PATH
   Path to bundle
 
-**--host-specific**
-  Check host specific configs.
-  By default, validation only tests for compatibility with a hypothetical host.
-  With this flag, validation will also run more specific tests to see whether
-  the current host is capable of launching a container from the configuration.
-  For example, validating a compliant Windows configuration on a Linux machine
-  will pass without this flag ("there may be a Windows host capable of
-  launching this container"), but will fail with it ("this host is not capable
-  of launching this container").
-
 # SEE ALSO
 **ocitools**(1)
 
diff --git a/man/ocitools.1.md b/man/ocitools.1.md
@@ -15,11 +15,26 @@ ocitools is a collection of tools for working with the [OCI runtime specificatio
 
 # OPTIONS
 **--help**
-  Print usage statement
+  Print usage statement.
 
 **-v**, **--version**
   Print version information.
 
+**--log-level**
+  Log level (panic, fatal, error, warn, info, or debug) (default: "error").
+
+**--host-specific**
+  Generate host-specific configs or do host-specific validations.
+
+  By default, generator generates configs without checking whether they are
+  supported on the current host. With this flag, generator will first check
+  whether each config is supported on the current host, and only add it into
+  the config file if it passes the checking.
+
+  By default, validation only tests for compatibility with a hypothetical host.
+  With this flag, validation will also run more specific tests to see whether
+  the current host is capable of launching a container from the configuration.
+
 # COMMANDS
 **validate**
   Validating OCI bundle

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-# ocitools`
	`1`	`+# ocitools [![Build Status](https://travis-ci.org/opencontainers/ocitools.svg?branch=master)](https://travis-ci.org/opencontainers/ocitools)`
`2`	`2`
`3`	`3`	`ocitools is a collection of tools for working with the [OCI runtime specification][runtime-spec].`
`4`	`4`
Original file line number	Diff line number	Diff line change
`@@ -78,7 +78,7 @@ var generateCommand = cli.Command{`
`78`	`78`	`}`
`79`	`79`	`}`
`80`	`80`
`81`		`- err := setupSpec(specgen, context)`
	`81`	`+ err := setupSpec(&specgen, context)`
`82`	`82`	`if err != nil {`
`83`	`83`	`return err`
`84`	`84`	`}`
`@@ -96,8 +96,12 @@ var generateCommand = cli.Command{`
`96`	`96`	`},`
`97`	`97`	`}`
`98`	`98`
`99`		`-func setupSpec(g generate.Generator, context *cli.Context) error {`
`100`		`- spec := g.GetSpec()`
	`99`	`+func setupSpec(g generate.Generator, context cli.Context) error {`
	`100`	`+ if context.GlobalBool("host-specific") {`
	`101`	`+ g.HostSpecific = true`
	`102`	`+ }`
	`103`	`+`
	`104`	`+ spec := g.Spec()`
`101`	`105`
`102`	`106`	`if len(spec.Version) == 0 {`
`103`	`107`	`g.SetVersion(rspec.Version)`
`@@ -369,7 +373,7 @@ func checkNs(nsMaps map[string]string, nsName string) bool {`
`369`	`373`	`return true`
`370`	`374`	`}`
`371`	`375`
`372`		`-func setupLinuxNamespaces(g generate.Generator, needsNewUser bool, nsMaps map[string]string) {`
	`376`	`+func setupLinuxNamespaces(g *generate.Generator, needsNewUser bool, nsMaps map[string]string) {`
`373`	`377`	`for _, nsName := range generate.Namespaces {`
`374`	`378`	`if !checkNs(nsMaps, nsName) && !(needsNewUser && nsName == "user") {`
`375`	`379`	`continue`
Original file line number	Diff line number	Diff line change
`@@ -24,7 +24,6 @@ type configCheck func(rspec.Spec, string, bool) []string`
`24`	`24`
`25`	`25`	`var bundleValidateFlags = []cli.Flag{`
`26`	`26`	`cli.StringFlag{Name: "path", Value: ".", Usage: "path to a bundle"},`
`27`		`- cli.BoolFlag{Name: "host-specific", Usage: "Check host specific configs."},`
`28`	`27`	`}`
`29`	`28`
`30`	`29`	`var (`
`@@ -99,7 +98,7 @@ var bundleValidateCommand = cli.Command{`
`99`	`98`	`return fmt.Errorf("The root path %q is not a directory.", rootfsPath)`
`100`	`99`	`}`
`101`	`100`
`102`		`- hostCheck := context.Bool("host-specific")`
	`101`	`+ hostCheck := context.GlobalBool("host-specific")`
`103`	`102`
`104`	`103`	`checks := []configCheck{`
`105`	`104`	`checkMandatoryFields,`