vendor: update opencontainers/runtime-spec

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Giuseppe Scrivano
2020-08-19 13:18:19 +02:00
parent 4828455055
commit 3967c46544
8 changed files with 52 additions and 100 deletions

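--- a/go.mod
+++ b/go.mod
@@ -40,8 +40,8 @@ require (
 github.com/opencontainers/go-digest v1.0.0
 github.com/opencontainers/image-spec v1.0.2-0.20190823105129-775207bd45b6
 github.com/opencontainers/runc v1.0.0-rc91.0.20200708210054-ce54a9d4d79b
-github.com/opencontainers/runtime-spec v1.0.3-0.20200520003142-237cc4f519e2
-github.com/opencontainers/runtime-tools v0.9.1-0.20200714183735-07406c5828aa
+github.com/opencontainers/runtime-spec v1.0.3-0.20200817204227-f9c09b4ea1df
+github.com/opencontainers/runtime-tools v0.9.0
 github.com/opencontainers/selinux v1.6.0
 github.com/opentracing/opentracing-go v1.2.0
 github.com/pkg/errors v0.9.1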

go.sum

@ -344,10 +344,11 @@ github.com/opencontainers/runc v1.0.0-rc91.0.20200708210054-ce54a9d4d79b/go.mod
github.com/opencontainers/runtime-spec v0.1.2-0.20190507144316-5b71a03e2700/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= github.com/opencontainers/runtime-spec v0.1.2-0.20190507144316-5b71a03e2700/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
github.com/opencontainers/runtime-spec v1.0.3-0.20200520003142-237cc4f519e2 h1:9mv9SC7GWmRWE0J/+oD8w3GsN2KYGKtg6uwLN7hfP5E= github.com/opencontainers/runtime-spec v1.0.3-0.20200520003142-237cc4f519e2 h1:9mv9SC7GWmRWE0J/+oD8w3GsN2KYGKtg6uwLN7hfP5E=
github.com/opencontainers/runtime-spec v1.0.3-0.20200520003142-237cc4f519e2/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= github.com/opencontainers/runtime-spec v1.0.3-0.20200520003142-237cc4f519e2/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
github.com/opencontainers/runtime-spec v1.0.3-0.20200817204227-f9c09b4ea1df h1:5AW5dMFSXVH4Mg3WYe4z7ui64bK8n66IoWK8i6T4QZ8=
github.com/opencontainers/runtime-spec v1.0.3-0.20200817204227-f9c09b4ea1df/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
github.com/opencontainers/runtime-tools v0.0.0-20181011054405-1d69bd0f9c39/go.mod h1:r3f7wjNzSs2extwzU3Y+6pKfobzPh+kKFJ3ofN+3nfs= github.com/opencontainers/runtime-tools v0.0.0-20181011054405-1d69bd0f9c39/go.mod h1:r3f7wjNzSs2extwzU3Y+6pKfobzPh+kKFJ3ofN+3nfs=
github.com/opencontainers/runtime-tools v0.9.0 h1:FYgwVsKRI/H9hU32MJ/4MLOzXWodKK5zsQavY8NPMkU=
github.com/opencontainers/runtime-tools v0.9.0/go.mod h1:r3f7wjNzSs2extwzU3Y+6pKfobzPh+kKFJ3ofN+3nfs= github.com/opencontainers/runtime-tools v0.9.0/go.mod h1:r3f7wjNzSs2extwzU3Y+6pKfobzPh+kKFJ3ofN+3nfs=
github.com/opencontainers/runtime-tools v0.9.1-0.20200714183735-07406c5828aa h1:iyj+fFHVBn0xOalz9UChYzSU1K0HJ+d75b4YqShBRhI=
github.com/opencontainers/runtime-tools v0.9.1-0.20200714183735-07406c5828aa/go.mod h1:r3f7wjNzSs2extwzU3Y+6pKfobzPh+kKFJ3ofN+3nfs=
github.com/opencontainers/selinux v1.3.0/go.mod h1:+BLncwf63G4dgOzykXAxcmnFlUaOlkDdmw/CqsW6pjs= github.com/opencontainers/selinux v1.3.0/go.mod h1:+BLncwf63G4dgOzykXAxcmnFlUaOlkDdmw/CqsW6pjs=
github.com/opencontainers/selinux v1.5.1/go.mod h1:yTcKuYAh6R95iDpefGLQaPaRwJFwyzAJufJyiTt7s0g= github.com/opencontainers/selinux v1.5.1/go.mod h1:yTcKuYAh6R95iDpefGLQaPaRwJFwyzAJufJyiTt7s0g=
github.com/opencontainers/selinux v1.5.2/go.mod h1:yTcKuYAh6R95iDpefGLQaPaRwJFwyzAJufJyiTt7s0g= github.com/opencontainers/selinux v1.5.2/go.mod h1:yTcKuYAh6R95iDpefGLQaPaRwJFwyzAJufJyiTt7s0g=


@ -385,7 +385,8 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) {
if err != nil { if err != nil {
return nil, errors.Wrapf(err, "Invalid Umask Value") return nil, errors.Wrapf(err, "Invalid Umask Value")
} }
g.SetProcessUmask(uint32(decVal)) umask := uint32(decVal)
g.Config.Process.User.Umask = &umask
} }
// Add addition groups if c.config.GroupAdd is not empty // Add addition groups if c.config.GroupAdd is not empty
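Review bot: The direct write `g.Config.Process.User.Umask = &umask` on the new side bypasses the nil guard that the removed `g.SetProcessUmask` provided through its `initConfigProcess()` call (see the deleted method in the vendored generate.go hunk at -444), so `g.Config.Process` is now dereferenced unguarded; if the Generator here always comes from `generate.New`, Process is presumably populated, but that is not visible in this hunk. Since `initConfigProcess` is unexported, the practical options are a local `if g.Config.Process == nil` check or relying on the construction path, and either choice deserves a comment. A one-line comment would also make the type change legible to the next reader: `// Umask is a *uint32 in runtime-spec; taking the address lets an explicit 0 survive omitempty instead of being dropped as unset.` The enclosing generateSpec body starts and ends outside the hunk.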


@ -60,7 +60,7 @@ type Process struct {
SelinuxLabel string `json:"selinuxLabel,omitempty" platform:"linux"` SelinuxLabel string `json:"selinuxLabel,omitempty" platform:"linux"`
} }
// LinuxCapabilities specifies the whitelist of capabilities that are kept for a process. // LinuxCapabilities specifies the list of allowed capabilities that are kept for a process.
// http://man7.org/linux/man-pages/man7/capabilities.7.html // http://man7.org/linux/man-pages/man7/capabilities.7.html
type LinuxCapabilities struct { type LinuxCapabilities struct {
// Bounding is the set of capabilities checked by the kernel. // Bounding is the set of capabilities checked by the kernel.
@ -90,7 +90,7 @@ type User struct {
// GID is the group id. // GID is the group id.
GID uint32 `json:"gid" platform:"linux,solaris"` GID uint32 `json:"gid" platform:"linux,solaris"`
// Umask is the umask for the init process. // Umask is the umask for the init process.
Umask uint32 `json:"umask,omitempty" platform:"linux,solaris"` Umask *uint32 `json:"umask,omitempty" platform:"linux,solaris"`
// AdditionalGids are additional group ids set for the container's process. // AdditionalGids are additional group ids set for the container's process.
AdditionalGids []uint32 `json:"additionalGids,omitempty" platform:"linux,solaris"` AdditionalGids []uint32 `json:"additionalGids,omitempty" platform:"linux,solaris"`
// Username is the user name. // Username is the user name.
@ -354,7 +354,7 @@ type LinuxRdma struct {
// LinuxResources has container runtime resource constraints // LinuxResources has container runtime resource constraints
type LinuxResources struct { type LinuxResources struct {
// Devices configures the device whitelist. // Devices configures the device allowlist.
Devices []LinuxDeviceCgroup `json:"devices,omitempty"` Devices []LinuxDeviceCgroup `json:"devices,omitempty"`
// Memory restriction configuration // Memory restriction configuration
Memory *LinuxMemory `json:"memory,omitempty"` Memory *LinuxMemory `json:"memory,omitempty"`
@ -372,6 +372,8 @@ type LinuxResources struct {
// Limits are a set of key value pairs that define RDMA resource limits, // Limits are a set of key value pairs that define RDMA resource limits,
// where the key is device name and value is resource limits. // where the key is device name and value is resource limits.
Rdma map[string]LinuxRdma `json:"rdma,omitempty"` Rdma map[string]LinuxRdma `json:"rdma,omitempty"`
// Unified resources.
Unified map[string]string `json:"unified,omitempty"`
} }
// LinuxDevice represents the mknod information for a Linux special device file // LinuxDevice represents the mknod information for a Linux special device file
@ -392,7 +394,8 @@ type LinuxDevice struct {
GID *uint32 `json:"gid,omitempty"` GID *uint32 `json:"gid,omitempty"`
} }
// LinuxDeviceCgroup represents a device rule for the whitelist controller // LinuxDeviceCgroup represents a device rule for the devices specified to
// the device controller
type LinuxDeviceCgroup struct { type LinuxDeviceCgroup struct {
// Allow or deny // Allow or deny
Allow bool `json:"allow"` Allow bool `json:"allow"`
@ -628,6 +631,7 @@ const (
ArchS390X Arch = "SCMP_ARCH_S390X" ArchS390X Arch = "SCMP_ARCH_S390X"
ArchPARISC Arch = "SCMP_ARCH_PARISC" ArchPARISC Arch = "SCMP_ARCH_PARISC"
ArchPARISC64 Arch = "SCMP_ARCH_PARISC64" ArchPARISC64 Arch = "SCMP_ARCH_PARISC64"
ArchRISCV64 Arch = "SCMP_ARCH_RISCV64"
) )
// LinuxSeccompAction taken upon Seccomp rule match // LinuxSeccompAction taken upon Seccomp rule match
@ -636,6 +640,7 @@ type LinuxSeccompAction string
// Define actions for Seccomp rules // Define actions for Seccomp rules
const ( const (
ActKill LinuxSeccompAction = "SCMP_ACT_KILL" ActKill LinuxSeccompAction = "SCMP_ACT_KILL"
ActKillProcess LinuxSeccompAction = "SCMP_ACT_KILL_PROCESS"
ActTrap LinuxSeccompAction = "SCMP_ACT_TRAP" ActTrap LinuxSeccompAction = "SCMP_ACT_TRAP"
ActErrno LinuxSeccompAction = "SCMP_ACT_ERRNO" ActErrno LinuxSeccompAction = "SCMP_ACT_ERRNO"
ActTrace LinuxSeccompAction = "SCMP_ACT_TRACE" ActTrace LinuxSeccompAction = "SCMP_ACT_TRACE"


@ -1,5 +1,23 @@
package specs package specs
// ContainerState represents the state of a container.
type ContainerState string
const (
// StateCreating indicates that the container is being created
StateCreating ContainerState = "creating"
// StateCreated indicates that the runtime has finished the create operation
StateCreated ContainerState = "created"
// StateRunning indicates that the container process has executed the
// user-specified program but has not exited
StateRunning ContainerState = "running"
// StateStopped indicates that the container process has exited
StateStopped ContainerState = "stopped"
)
// State holds information about the runtime state of the container. // State holds information about the runtime state of the container.
type State struct { type State struct {
// Version is the version of the specification that is supported. // Version is the version of the specification that is supported.
@ -7,7 +25,7 @@ type State struct {
// ID is the container ID // ID is the container ID
ID string `json:"id"` ID string `json:"id"`
// Status is the runtime status of the container. // Status is the runtime status of the container.
Status string `json:"status"` Status ContainerState `json:"status"`
// Pid is the process ID for the container process. // Pid is the process ID for the container process.
Pid int `json:"pid,omitempty"` Pid int `json:"pid,omitempty"`
// Bundle is the path to the container's bundle directory. // Bundle is the path to the container's bundle directory.


@ -29,9 +29,6 @@ var (
type Generator struct { type Generator struct {
Config *rspec.Spec Config *rspec.Spec
HostSpecific bool HostSpecific bool
// This is used to keep a cache of the ENVs added to improve
// performance when adding a huge number of ENV variables
envMap map[string]int
} }
// ExportOptions have toggles for exporting only certain parts of the specification // ExportOptions have toggles for exporting only certain parts of the specification
@ -239,12 +236,7 @@ func New(os string) (generator Generator, err error) {
} }
} }
envCache := map[string]int{} return Generator{Config: &config}, nil
if config.Process != nil {
envCache = createEnvCacheMap(config.Process.Env)
}
return Generator{Config: &config, envMap: envCache}, nil
} }
// NewFromSpec creates a configuration Generator from a given // NewFromSpec creates a configuration Generator from a given
@ -254,14 +246,8 @@ func New(os string) (generator Generator, err error) {
// //
// generator := Generator{Config: config} // generator := Generator{Config: config}
func NewFromSpec(config *rspec.Spec) Generator { func NewFromSpec(config *rspec.Spec) Generator {
envCache := map[string]int{}
if config != nil && config.Process != nil {
envCache = createEnvCacheMap(config.Process.Env)
}
return Generator{ return Generator{
Config: config, Config: config,
envMap: envCache,
} }
} }
@ -287,27 +273,11 @@ func NewFromTemplate(r io.Reader) (Generator, error) {
if err := json.NewDecoder(r).Decode(&config); err != nil { if err := json.NewDecoder(r).Decode(&config); err != nil {
return Generator{}, err return Generator{}, err
} }
envCache := map[string]int{}
if config.Process != nil {
envCache = createEnvCacheMap(config.Process.Env)
}
return Generator{ return Generator{
Config: &config, Config: &config,
envMap: envCache,
}, nil }, nil
} }
// createEnvCacheMap creates a hash map with the ENV variables given by the config
func createEnvCacheMap(env []string) map[string]int {
envMap := make(map[string]int, len(env))
for i, val := range env {
envMap[val] = i
}
return envMap
}
// SetSpec sets the configuration in the Generator g. // SetSpec sets the configuration in the Generator g.
// //
// Deprecated: Replace with: // Deprecated: Replace with:
@ -444,12 +414,6 @@ func (g *Generator) SetProcessUsername(username string) {
g.Config.Process.User.Username = username g.Config.Process.User.Username = username
} }
// SetProcessUmask sets g.Config.Process.User.Umask.
func (g *Generator) SetProcessUmask(umask uint32) {
g.initConfigProcess()
g.Config.Process.User.Umask = umask
}
// SetProcessGID sets g.Config.Process.User.GID. // SetProcessGID sets g.Config.Process.User.GID.
func (g *Generator) SetProcessGID(gid uint32) { func (g *Generator) SetProcessGID(gid uint32) {
g.initConfigProcess() g.initConfigProcess()
@ -492,44 +456,21 @@ func (g *Generator) ClearProcessEnv() {
return return
} }
g.Config.Process.Env = []string{} g.Config.Process.Env = []string{}
// Clear out the env cache map as well
g.envMap = map[string]int{}
} }
// AddProcessEnv adds name=value into g.Config.Process.Env, or replaces an // AddProcessEnv adds name=value into g.Config.Process.Env, or replaces an
// existing entry with the given name. // existing entry with the given name.
func (g *Generator) AddProcessEnv(name, value string) { func (g *Generator) AddProcessEnv(name, value string) {
if name == "" { g.initConfigProcess()
env := fmt.Sprintf("%s=%s", name, value)
for idx := range g.Config.Process.Env {
if strings.HasPrefix(g.Config.Process.Env[idx], name+"=") {
g.Config.Process.Env[idx] = env
return return
} }
g.initConfigProcess()
g.addEnv(fmt.Sprintf("%s=%s", name, value), name)
}
// AddMultipleProcessEnv adds multiple name=value into g.Config.Process.Env, or replaces
// existing entries with the given name.
func (g *Generator) AddMultipleProcessEnv(envs []string) {
g.initConfigProcess()
for _, val := range envs {
split := strings.SplitN(val, "=", 2)
g.addEnv(val, split[0])
} }
}
// addEnv looks through adds ENV to the Process and checks envMap for
// any duplicates
// This is called by both AddMultipleProcessEnv and AddProcessEnv
func (g *Generator) addEnv(env, key string) {
if idx, ok := g.envMap[key]; ok {
// The ENV exists in the cache, so change its value in g.Config.Process.Env
g.Config.Process.Env[idx] = env
} else {
// else the env doesn't exist, so add it and add it's index to g.envMap
g.Config.Process.Env = append(g.Config.Process.Env, env) g.Config.Process.Env = append(g.Config.Process.Env, env)
g.envMap[key] = len(g.Config.Process.Env) - 1
}
} }
// AddProcessRlimits adds rlimit into g.Config.Process.Rlimits. // AddProcessRlimits adds rlimit into g.Config.Process.Rlimits.
@ -1502,7 +1443,7 @@ func (g *Generator) AddDevice(device rspec.LinuxDevice) {
return return
} }
if dev.Type == device.Type && dev.Major == device.Major && dev.Minor == device.Minor { if dev.Type == device.Type && dev.Major == device.Major && dev.Minor == device.Minor {
fmt.Fprintf(os.Stderr, "WARNING: Creating device %q with same type, major and minor as existing %q.\n", device.Path, dev.Path) fmt.Fprintln(os.Stderr, "WARNING: The same type, major and minor should not be used for multiple devices.")
} }
} }


@ -566,20 +566,6 @@ func DefaultProfile(rs *specs.Spec) *rspec.LinuxSeccomp {
}, },
}...) }...)
/* Flags parameter of the clone syscall is the 2nd on s390 */ /* Flags parameter of the clone syscall is the 2nd on s390 */
syscalls = append(syscalls, []rspec.LinuxSyscall{
{
Names: []string{"clone"},
Action: rspec.ActAllow,
Args: []rspec.LinuxSeccompArg{
{
Index: 1,
Value: 2080505856,
ValueTwo: 0,
Op: rspec.OpMaskedEqual,
},
},
},
}...)
} }
return &rspec.LinuxSeccomp{ return &rspec.LinuxSeccomp{

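--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -418,9 +418,9 @@ github.com/opencontainers/runc/libcontainer/devices
 github.com/opencontainers/runc/libcontainer/system
 github.com/opencontainers/runc/libcontainer/user
 github.com/opencontainers/runc/libcontainer/utils
-# github.com/opencontainers/runtime-spec v1.0.3-0.20200520003142-237cc4f519e2
+# github.com/opencontainers/runtime-spec v1.0.3-0.20200817204227-f9c09b4ea1df
 github.com/opencontainers/runtime-spec/specs-go
-# github.com/opencontainers/runtime-tools v0.9.1-0.20200714183735-07406c5828aa
+# github.com/opencontainers/runtime-tools v0.9.0
 github.com/opencontainers/runtime-tools/error
 github.com/opencontainers/runtime-tools/filepath
 github.com/opencontainers/runtime-tools/generate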