opensource/podman
1
0
Fork 0
mirror of https://github.com/containers/podman.git synced 2025-06-24 03:08:13 +08:00
Code Issues Packages Projects Releases Wiki Activity

Vendor in latest runtime-tools

Browse Source 
Newer runtime tools separates syscalls by OS so we can build darwin.

Signed-off-by: baude <bbaude@redhat.com>

Closes: #1007
Approved by: baude
This commit is contained in:
baude
2018-06-26 13:50:12 -05:00
committed by Atomic Bot
parent 19f5a504ff
commit f6c0fc1aa8
14 changed files with 1209 additions and 1071 deletions
Download Patch File Download Diff File Expand all files Collapse all files

138
vendor/github.com/opencontainers/runtime-tools/README.md generated vendored
View File

@ -37,41 +37,28 @@ If your distribution does not package node-tap, you can install [npm][] (for exa
$ npm install tap $ npm install tap
``` ```
Build the validation executables:
```console ```console
$ make runtimetest validation-executables $ make runtimetest validation-executables
RUNTIME=runc tap validation/linux_rootfs_propagation_shared.t validation/create.t validation/default.t validation/linux_readonly_paths.t validation/linux_masked_paths.t validation/mounts.t validation/process.t validation/root_readonly_false.t validation/linux_sysctl.t validation/linux_devices.t validation/linux_gid_mappings.t validation/process_oom_score_adj.t validation/process_capabilities.t validation/process_rlimits.t validation/root_readonly_true.t validation/linux_rootfs_propagation_unbindable.t validation/hostname.t validation/linux_uid_mappings.t ```
validation/linux_rootfs_propagation_shared.t ........ 18/19
not ok rootfs propagation
validation/create.t ................................... 4/4 Runtime validation currently [only supports](docs/runtime-compliance-testing.md) the [OCI Runtime Command Line Interface](docs/command-line-interface.md).
validation/default.t ................................ 19/19 If we add support for alternative APIs in the future, runtime validation will gain an option to select the desired runtime API.
validation/linux_readonly_paths.t ................... 19/19 For the command line interface, the `RUNTIME` option selects the runtime command (`funC` in the [OCI Runtime Command Line Interface](docs/command-line-interface.md)).
validation/linux_masked_paths.t ..................... 18/19
not ok masked paths
validation/mounts.t ................................... 0/1 ```
Skipped: 1 $ sudo make RUNTIME=runc localvalidation
TODO: mounts generation options have not been implemented RUNTIME=runc tap validation/pidfile.t validation/linux_cgroups_hugetlb.t validation/linux_cgroups_memory.t validation/linux_rootfs_propagation_shared.t validation/kill.t validation/create.t validation/poststart.t validation/linux_cgroups_network.t validation/poststop_fail.t validation/linux_readonly_paths.t validation/prestart_fail.t validation/hooks_stdin.t validation/default.t validation/linux_masked_paths.t validation/poststop.t validation/misc_props.t validation/prestart.t validation/poststart_fail.t validation/mounts.t validation/linux_cgroups_relative_pids.t validation/process_user.t validation/process.t validation/hooks.t validation/process_capabilities_fail.t validation/process_rlimits_fail.t validation/linux_cgroups_relative_cpus.t validation/process_rlimits.t validation/linux_cgroups_relative_blkio.t validation/linux_sysctl.t validation/linux_seccomp.t validation/linux_devices.t validation/start.t validation/linux_cgroups_pids.t validation/process_capabilities.t validation/process_oom_score_adj.t validation/linux_cgroups_relative_hugetlb.t validation/linux_cgroups_cpus.t validation/linux_cgroups_relative_memory.t validation/state.t validation/root_readonly_true.t validation/linux_cgroups_blkio.t validation/linux_rootfs_propagation_unbindable.t validation/delete.t validation/linux_cgroups_relative_network.t validation/hostname.t validation/killsig.t validation/linux_uid_mappings.t
validation/pidfile.t .failed to create the container
validation/process.t ................................ 19/19 container_linux.go:348: starting container process caused "process_linux.go:402: container init caused \"process_linux.go:367: setting cgroup config for procHooks process caused \\\"failed to write 56892210544640 to hugetlb.1GB.limit_in_bytes: open /sys/fs/cgroup/hugetlb/cgrouptest/hugetlb.1GB.limit_in_bytes: permission denied\\\"\""
validation/root_readonly_false.t .................... 19/19
validation/linux_sysctl.t ........................... 19/19
validation/linux_devices.t .......................... 19/19
validation/linux_gid_mappings.t ..................... 18/19
not ok gid mappings
validation/process_oom_score_adj.t .................. 19/19
validation/process_capabilities.t ................... 19/19
validation/process_rlimits.t ........................ 19/19
validation/root_readonly_true.t ...................failed to create the container
rootfsPropagation=unbindable is not supported
exit status 1 exit status 1
validation/root_readonly_true.t ..................... 19/19 validation/pidfile.t .................................. 1/1 315ms
validation/linux_rootfs_propagation_unbindable.t ...... 0/1 validation/linux_cgroups_hugetlb.t .................... 0/1
not ok validation/linux_rootfs_propagation_unbindable.t not ok validation/linux_cgroups_hugetlb.t
timeout: 30000 timeout: 30000
file: validation/linux_rootfs_propagation_unbindable.t file: validation/linux_cgroups_hugetlb.t
command: validation/linux_rootfs_propagation_unbindable.t command: validation/linux_cgroups_hugetlb.t
args: [] args: []
stdio: stdio:
- 0 - 0
@ -80,31 +67,21 @@ validation/linux_rootfs_propagation_unbindable.t ...... 0/1
cwd: /…/go/src/github.com/opencontainers/runtime-tools cwd: /…/go/src/github.com/opencontainers/runtime-tools
exitCode: 1 exitCode: 1
validation/hostname.t ...................failed to create the container validation/linux_cgroups_memory.t ..................... 9/9
User namespace mappings specified, but USER namespace isn't enabled in the config validation/linux_rootfs_propagation_shared.t ...... 252/282
exit status 1 not ok shared root propogation exposes "/target348456609/mount892511628/example376408222"
validation/hostname.t ............................... 19/19
validation/linux_uid_mappings.t ....................... 0/1
not ok validation/linux_uid_mappings.t
timeout: 30000
file: validation/linux_uid_mappings.t
command: validation/linux_uid_mappings.t
args: []
stdio:
- 0
- pipe
- 2
cwd: /…/go/src/github.com/opencontainers/runtime-tools
exitCode: 1
total ............................................. 267/273 Skipped: 29
/dev/null (default device) has unconfigured permissions
total ........................................... 4381/4962
267 passing (31s) 4381 passing (1m)
1 pending 567 pending
5 failing 14 failing
make: *** [Makefile:43: localvalidation] Error 1 make: *** [Makefile:44: localvalidation] Error 1
``` ```
You can also run an individual test executable directly: You can also run an individual test executable directly:
@ -112,58 +89,27 @@ You can also run an individual test executable directly:
```console ```console
$ RUNTIME=runc validation/default.t $ RUNTIME=runc validation/default.t
TAP version 13 TAP version 13
ok 1 - root filesystem ok 1 - has expected hostname
ok 2 - hostname ---
ok 3 - process {
ok 4 - mounts "actual": "mrsdalloway",
ok 5 - user "expected": "mrsdalloway"
ok 6 - rlimits }
ok 7 - capabilities ...
ok 8 - default symlinks
ok 9 - default file system ok 287 # SKIP linux.gidMappings not set
ok 10 - default devices 1..287
ok 11 - linux devices
ok 12 - linux process
ok 13 - masked paths
ok 14 - oom score adj
ok 15 - read only paths
ok 16 - rootfs propagation
ok 17 - sysctls
ok 18 - uid mappings
ok 19 - gid mappings
1..19
``` ```
If you cannot install node-tap, you can probably run the test suite with another [TAP consumer][tap-consumers]. If you cannot install node-tap, you can probably run the test suite with another [TAP consumer][tap-consumers].
For example, with [`prove`][prove]: For example, with [`prove`][prove]:
```console ```console
$ sudo make TAP='prove -Q -j9' RUNTIME=runc localvalidation $ sudo make TAP='prove -Q -j9' RUNTIME=runc VALIDATION_TESTS=validation/pidfile.t localvalidation
RUNTIME=runc prove -Q -j9 validation/linux_rootfs_propagation_shared.t validation/create.t validation/default.t validation/linux_readonly_paths.t validation/linux_masked_paths.t validation/mounts.t validation/process.t validation/root_readonly_false.t validation/linux_sysctl.t validation/linux_devices.t validation/linux_gid_mappings.t validation/process_oom_score_adj.t validation/process_capabilities.t validation/process_rlimits.t validation/root_readonly_true.t validation/linux_rootfs_propagation_unbindable.t validation/hostname.t validation/linux_uid_mappings.t RUNTIME=runc prove -Q -j9 validation/pidfile.t
failed to create the container All tests successful.
rootfsPropagation=unbindable is not supported Files=1, Tests=1, 0 wallclock secs ( 0.01 usr 0.01 sys + 0.03 cusr 0.03 csys = 0.08 CPU)
exit status 1 Result: PASS
failed to create the container
User namespace mappings specified, but USER namespace isn't enabled in the config
exit status 1
Test Summary Report
-------------------
validation/linux_rootfs_propagation_shared.t (Wstat: 0 Tests: 19 Failed: 1)
Failed test: 16
validation/linux_masked_paths.t (Wstat: 0 Tests: 19 Failed: 1)
Failed test: 13
validation/linux_rootfs_propagation_unbindable.t (Wstat: 256 Tests: 0 Failed: 0)
Non-zero exit status: 1
Parse errors: No plan found in TAP output
validation/linux_uid_mappings.t (Wstat: 256 Tests: 0 Failed: 0)
Non-zero exit status: 1
Parse errors: No plan found in TAP output
validation/linux_gid_mappings.t (Wstat: 0 Tests: 19 Failed: 1)
Failed test: 19
Files=18, Tests=271, 6 wallclock secs ( 0.06 usr 0.01 sys + 0.59 cusr 0.24 csys = 0.90 CPU)
Result: FAIL
make: *** [Makefile:43: localvalidation] Error 1
``` ```
[bundle]: https://github.com/opencontainers/runtime-spec/blob/master/bundle.md [bundle]: https://github.com/opencontainers/runtime-spec/blob/master/bundle.md

30
vendor/github.com/opencontainers/runtime-tools/error/error.go generated vendored
View File

@ -86,6 +86,36 @@ func ParseLevel(level string) (Level, error) {
return l, fmt.Errorf("%q is not a valid compliance level", level) return l, fmt.Errorf("%q is not a valid compliance level", level)
} }
// String takes a RFC 2119 compliance level constant and returns a string representation.
func (level Level) String() string {
switch level {
case May:
return "MAY"
case Optional:
return "OPTIONAL"
case Should:
return "SHOULD"
case ShouldNot:
return "SHOULD NOT"
case Recommended:
return "RECOMMENDED"
case NotRecommended:
return "NOT RECOMMENDED"
case Must:
return "MUST"
case MustNot:
return "MUST NOT"
case Shall:
return "SHALL"
case ShallNot:
return "SHALL NOT"
case Required:
return "REQUIRED"
}
panic(fmt.Sprintf("%d is not a valid compliance level", level))
}
// Error returns the error message with specification reference. // Error returns the error message with specification reference.
func (err *Error) Error() string { func (err *Error) Error() string {
return fmt.Sprintf("%s\nRefer to: %s", err.Err.Error(), err.Reference) return fmt.Sprintf("%s\nRefer to: %s", err.Err.Error(), err.Reference)

173
vendor/github.com/opencontainers/runtime-tools/generate/config.go generated vendored Normal file
View File

@ -0,0 +1,173 @@
package generate
import (
rspec "github.com/opencontainers/runtime-spec/specs-go"
)
func (g *Generator) initConfig() {
if g.Config == nil {
g.Config = &rspec.Spec{}
}
}
func (g *Generator) initConfigProcess() {
g.initConfig()
if g.Config.Process == nil {
g.Config.Process = &rspec.Process{}
}
}
func (g *Generator) initConfigProcessConsoleSize() {
g.initConfigProcess()
if g.Config.Process.ConsoleSize == nil {
g.Config.Process.ConsoleSize = &rspec.Box{}
}
}
func (g *Generator) initConfigProcessCapabilities() {
g.initConfigProcess()
if g.Config.Process.Capabilities == nil {
g.Config.Process.Capabilities = &rspec.LinuxCapabilities{}
}
}
func (g *Generator) initConfigRoot() {
g.initConfig()
if g.Config.Root == nil {
g.Config.Root = &rspec.Root{}
}
}
func (g *Generator) initConfigAnnotations() {
g.initConfig()
if g.Config.Annotations == nil {
g.Config.Annotations = make(map[string]string)
}
}
func (g *Generator) initConfigHooks() {
g.initConfig()
if g.Config.Hooks == nil {
g.Config.Hooks = &rspec.Hooks{}
}
}
func (g *Generator) initConfigLinux() {
g.initConfig()
if g.Config.Linux == nil {
g.Config.Linux = &rspec.Linux{}
}
}
func (g *Generator) initConfigLinuxIntelRdt() {
g.initConfigLinux()
if g.Config.Linux.IntelRdt == nil {
g.Config.Linux.IntelRdt = &rspec.LinuxIntelRdt{}
}
}
func (g *Generator) initConfigLinuxSysctl() {
g.initConfigLinux()
if g.Config.Linux.Sysctl == nil {
g.Config.Linux.Sysctl = make(map[string]string)
}
}
func (g *Generator) initConfigLinuxSeccomp() {
g.initConfigLinux()
if g.Config.Linux.Seccomp == nil {
g.Config.Linux.Seccomp = &rspec.LinuxSeccomp{}
}
}
func (g *Generator) initConfigLinuxResources() {
g.initConfigLinux()
if g.Config.Linux.Resources == nil {
g.Config.Linux.Resources = &rspec.LinuxResources{}
}
}
func (g *Generator) initConfigLinuxResourcesBlockIO() {
g.initConfigLinuxResources()
if g.Config.Linux.Resources.BlockIO == nil {
g.Config.Linux.Resources.BlockIO = &rspec.LinuxBlockIO{}
}
}
// InitConfigLinuxResourcesCPU initializes CPU of Linux resources
func (g *Generator) InitConfigLinuxResourcesCPU() {
g.initConfigLinuxResources()
if g.Config.Linux.Resources.CPU == nil {
g.Config.Linux.Resources.CPU = &rspec.LinuxCPU{}
}
}
func (g *Generator) initConfigLinuxResourcesMemory() {
g.initConfigLinuxResources()
if g.Config.Linux.Resources.Memory == nil {
g.Config.Linux.Resources.Memory = &rspec.LinuxMemory{}
}
}
func (g *Generator) initConfigLinuxResourcesNetwork() {
g.initConfigLinuxResources()
if g.Config.Linux.Resources.Network == nil {
g.Config.Linux.Resources.Network = &rspec.LinuxNetwork{}
}
}
func (g *Generator) initConfigLinuxResourcesPids() {
g.initConfigLinuxResources()
if g.Config.Linux.Resources.Pids == nil {
g.Config.Linux.Resources.Pids = &rspec.LinuxPids{}
}
}
func (g *Generator) initConfigSolaris() {
g.initConfig()
if g.Config.Solaris == nil {
g.Config.Solaris = &rspec.Solaris{}
}
}
func (g *Generator) initConfigSolarisCappedCPU() {
g.initConfigSolaris()
if g.Config.Solaris.CappedCPU == nil {
g.Config.Solaris.CappedCPU = &rspec.SolarisCappedCPU{}
}
}
func (g *Generator) initConfigSolarisCappedMemory() {
g.initConfigSolaris()
if g.Config.Solaris.CappedMemory == nil {
g.Config.Solaris.CappedMemory = &rspec.SolarisCappedMemory{}
}
}
func (g *Generator) initConfigWindows() {
g.initConfig()
if g.Config.Windows == nil {
g.Config.Windows = &rspec.Windows{}
}
}
func (g *Generator) initConfigWindowsHyperV() {
g.initConfigWindows()
if g.Config.Windows.HyperV == nil {
g.Config.Windows.HyperV = &rspec.WindowsHyperV{}
}
}
func (g *Generator) initConfigWindowsResources() {
g.initConfigWindows()
if g.Config.Windows.Resources == nil {
g.Config.Windows.Resources = &rspec.WindowsResources{}
}
}
func (g *Generator) initConfigWindowsResourcesMemory() {
g.initConfigWindowsResources()
if g.Config.Windows.Resources.Memory == nil {
g.Config.Windows.Resources.Memory = &rspec.WindowsMemoryResources{}
}
}

1154
vendor/github.com/opencontainers/runtime-tools/generate/generate.go generated vendored
View File

File diff suppressed because it is too large Load Diff

3
vendor/github.com/opencontainers/runtime-tools/generate/seccomp/seccomp_default.go generated vendored
View File

@ -2,7 +2,6 @@ package seccomp
import ( import (
"runtime" "runtime"
"syscall"
"github.com/opencontainers/runtime-spec/specs-go" "github.com/opencontainers/runtime-spec/specs-go"
rspec "github.com/opencontainers/runtime-spec/specs-go" rspec "github.com/opencontainers/runtime-spec/specs-go"
@ -513,7 +512,7 @@ func DefaultProfile(rs *specs.Spec) *rspec.LinuxSeccomp {
Args: []rspec.LinuxSeccompArg{ Args: []rspec.LinuxSeccompArg{
{ {
Index: sysCloneFlagsIndex, Index: sysCloneFlagsIndex,
Value: syscall.CLONE_NEWNS | syscall.CLONE_NEWUTS | syscall.CLONE_NEWIPC | syscall.CLONE_NEWUSER | syscall.CLONE_NEWPID | syscall.CLONE_NEWNET, Value: CloneNewNS | CloneNewUTS | CloneNewIPC | CloneNewUser | CloneNewPID | CloneNewNet,
ValueTwo: 0, ValueTwo: 0,
Op: rspec.OpMaskedEqual, Op: rspec.OpMaskedEqual,
}, },

15
vendor/github.com/opencontainers/runtime-tools/generate/seccomp/seccomp_default_linux.go generated vendored Normal file
View File

@ -0,0 +1,15 @@
// +build linux
package seccomp
import "syscall"
// System values passed through on linux
const (
CloneNewIPC = syscall.CLONE_NEWIPC
CloneNewNet = syscall.CLONE_NEWNET
CloneNewNS = syscall.CLONE_NEWNS
CloneNewPID = syscall.CLONE_NEWPID
CloneNewUser = syscall.CLONE_NEWUSER
CloneNewUTS = syscall.CLONE_NEWUTS
)

15
vendor/github.com/opencontainers/runtime-tools/generate/seccomp/seccomp_default_unsupported.go generated vendored Normal file
View File

@ -0,0 +1,15 @@
// +build !linux
package seccomp
// These are copied from linux/amd64 syscall values, as a reference for other
// platforms to have access to
const (
CloneNewIPC = 0x8000000
CloneNewNet = 0x40000000
CloneNewNS = 0x20000
CloneNewPID = 0x20000000
CloneNewUser = 0x10000000
CloneNewUTS = 0x4000000
CloneNewCgroup = 0x02000000
)

172
vendor/github.com/opencontainers/runtime-tools/generate/spec.go generated vendored
View File

@ -1,172 +0,0 @@
package generate
import (
rspec "github.com/opencontainers/runtime-spec/specs-go"
)
func (g *Generator) initSpec() {
if g.spec == nil {
g.spec = &rspec.Spec{}
}
}
func (g *Generator) initSpecProcess() {
g.initSpec()
if g.spec.Process == nil {
g.spec.Process = &rspec.Process{}
}
}
func (g *Generator) initSpecProcessConsoleSize() {
g.initSpecProcess()
if g.spec.Process.ConsoleSize == nil {
g.spec.Process.ConsoleSize = &rspec.Box{}
}
}
func (g *Generator) initSpecProcessCapabilities() {
g.initSpecProcess()
if g.spec.Process.Capabilities == nil {
g.spec.Process.Capabilities = &rspec.LinuxCapabilities{}
}
}
func (g *Generator) initSpecRoot() {
g.initSpec()
if g.spec.Root == nil {
g.spec.Root = &rspec.Root{}
}
}
func (g *Generator) initSpecAnnotations() {
g.initSpec()
if g.spec.Annotations == nil {
g.spec.Annotations = make(map[string]string)
}
}
func (g *Generator) initSpecHooks() {
g.initSpec()
if g.spec.Hooks == nil {
g.spec.Hooks = &rspec.Hooks{}
}
}
func (g *Generator) initSpecLinux() {
g.initSpec()
if g.spec.Linux == nil {
g.spec.Linux = &rspec.Linux{}
}
}
func (g *Generator) initSpecLinuxIntelRdt() {
g.initSpecLinux()
if g.spec.Linux.IntelRdt == nil {
g.spec.Linux.IntelRdt = &rspec.LinuxIntelRdt{}
}
}
func (g *Generator) initSpecLinuxSysctl() {
g.initSpecLinux()
if g.spec.Linux.Sysctl == nil {
g.spec.Linux.Sysctl = make(map[string]string)
}
}
func (g *Generator) initSpecLinuxSeccomp() {
g.initSpecLinux()
if g.spec.Linux.Seccomp == nil {
g.spec.Linux.Seccomp = &rspec.LinuxSeccomp{}
}
}
func (g *Generator) initSpecLinuxResources() {
g.initSpecLinux()
if g.spec.Linux.Resources == nil {
g.spec.Linux.Resources = &rspec.LinuxResources{}
}
}
func (g *Generator) initSpecLinuxResourcesBlockIO() {
g.initSpecLinuxResources()
if g.spec.Linux.Resources.BlockIO == nil {
g.spec.Linux.Resources.BlockIO = &rspec.LinuxBlockIO{}
}
}
func (g *Generator) initSpecLinuxResourcesCPU() {
g.initSpecLinuxResources()
if g.spec.Linux.Resources.CPU == nil {
g.spec.Linux.Resources.CPU = &rspec.LinuxCPU{}
}
}
func (g *Generator) initSpecLinuxResourcesMemory() {
g.initSpecLinuxResources()
if g.spec.Linux.Resources.Memory == nil {
g.spec.Linux.Resources.Memory = &rspec.LinuxMemory{}
}
}
func (g *Generator) initSpecLinuxResourcesNetwork() {
g.initSpecLinuxResources()
if g.spec.Linux.Resources.Network == nil {
g.spec.Linux.Resources.Network = &rspec.LinuxNetwork{}
}
}
func (g *Generator) initSpecLinuxResourcesPids() {
g.initSpecLinuxResources()
if g.spec.Linux.Resources.Pids == nil {
g.spec.Linux.Resources.Pids = &rspec.LinuxPids{}
}
}
func (g *Generator) initSpecSolaris() {
g.initSpec()
if g.spec.Solaris == nil {
g.spec.Solaris = &rspec.Solaris{}
}
}
func (g *Generator) initSpecSolarisCappedCPU() {
g.initSpecSolaris()
if g.spec.Solaris.CappedCPU == nil {
g.spec.Solaris.CappedCPU = &rspec.SolarisCappedCPU{}
}
}
func (g *Generator) initSpecSolarisCappedMemory() {
g.initSpecSolaris()
if g.spec.Solaris.CappedMemory == nil {
g.spec.Solaris.CappedMemory = &rspec.SolarisCappedMemory{}
}
}
func (g *Generator) initSpecWindows() {
g.initSpec()
if g.spec.Windows == nil {
g.spec.Windows = &rspec.Windows{}
}
}
func (g *Generator) initSpecWindowsHyperV() {
g.initSpecWindows()
if g.spec.Windows.HyperV == nil {
g.spec.Windows.HyperV = &rspec.WindowsHyperV{}
}
}
func (g *Generator) initSpecWindowsResources() {
g.initSpecWindows()
if g.spec.Windows.Resources == nil {
g.spec.Windows.Resources = &rspec.WindowsResources{}
}
}
func (g *Generator) initSpecWindowsResourcesMemory() {
g.initSpecWindowsResources()
if g.spec.Windows.Resources.Memory == nil {
g.spec.Windows.Resources.Memory = &rspec.WindowsMemoryResources{}
}
}

6
vendor/github.com/opencontainers/runtime-tools/specerror/config.go generated vendored
View File

@ -14,8 +14,8 @@ const (
RootOnWindowsRequired RootOnWindowsRequired
// RootOnHyperVNotSet represents "For Hyper-V Containers, this field MUST NOT be set." // RootOnHyperVNotSet represents "For Hyper-V Containers, this field MUST NOT be set."
RootOnHyperVNotSet RootOnHyperVNotSet
// RootOnNonHyperVRequired represents "On all other platforms, this field is REQUIRED." // RootOnNonWindowsRequired represents "On all other platforms, this field is REQUIRED."
RootOnNonHyperVRequired RootOnNonWindowsRequired
// RootPathOnWindowsGUID represents "On Windows, `path` MUST be a volume GUID path." // RootPathOnWindowsGUID represents "On Windows, `path` MUST be a volume GUID path."
RootPathOnWindowsGUID RootPathOnWindowsGUID
// RootPathOnPosixConvention represents "The value SHOULD be the conventional `rootfs`." // RootPathOnPosixConvention represents "The value SHOULD be the conventional `rootfs`."
@ -145,7 +145,7 @@ func init() {
register(SpecVersionInSemVer, rfc2119.Must, specificationVersionRef) register(SpecVersionInSemVer, rfc2119.Must, specificationVersionRef)
register(RootOnWindowsRequired, rfc2119.Required, rootRef) register(RootOnWindowsRequired, rfc2119.Required, rootRef)
register(RootOnHyperVNotSet, rfc2119.Must, rootRef) register(RootOnHyperVNotSet, rfc2119.Must, rootRef)
register(RootOnNonHyperVRequired, rfc2119.Required, rootRef) register(RootOnNonWindowsRequired, rfc2119.Required, rootRef)
register(RootPathOnWindowsGUID, rfc2119.Must, rootRef) register(RootPathOnWindowsGUID, rfc2119.Must, rootRef)
register(RootPathOnPosixConvention, rfc2119.Should, rootRef) register(RootPathOnPosixConvention, rfc2119.Should, rootRef)
register(RootPathExist, rfc2119.Must, rootRef) register(RootPathExist, rfc2119.Must, rootRef)

37
vendor/github.com/opencontainers/runtime-tools/specerror/error.go generated vendored
View File

@ -61,6 +61,34 @@ func (err *Error) Error() string {
return err.Err.Error() return err.Err.Error()
} }
// NewRFCError creates an rfc2119.Error referencing a spec violation.
//
// A version string (for the version of the spec that was violated)
// must be set to get a working URL.
func NewRFCError(code Code, err error, version string) (*rfc2119.Error, error) {
template := ociErrors[code]
reference, err2 := template.Reference(version)
if err2 != nil {
return nil, err2
}
return &rfc2119.Error{
Level: template.Level,
Reference: reference,
Err: err,
}, nil
}
// NewRFCErrorOrPanic creates an rfc2119.Error referencing a spec
// violation and panics on failure. This is handy for situations
// where you can't be bothered to check NewRFCError for failure.
func NewRFCErrorOrPanic(code Code, err error, version string) *rfc2119.Error {
rfcError, err2 := NewRFCError(code, err, version)
if err2 != nil {
panic(err2.Error())
}
return rfcError
}
// NewError creates an Error referencing a spec violation. The error // NewError creates an Error referencing a spec violation. The error
// can be cast to an *Error for extracting structured information // can be cast to an *Error for extracting structured information
// about the level of the violation and a reference to the violated // about the level of the violation and a reference to the violated
@ -69,17 +97,12 @@ func (err *Error) Error() string {
// A version string (for the version of the spec that was violated) // A version string (for the version of the spec that was violated)
// must be set to get a working URL. // must be set to get a working URL.
func NewError(code Code, err error, version string) error { func NewError(code Code, err error, version string) error {
template := ociErrors[code] rfcError, err2 := NewRFCError(code, err, version)
reference, err2 := template.Reference(version)
if err2 != nil { if err2 != nil {
return err2 return err2
} }
return &Error{ return &Error{
Err: rfc2119.Error{ Err: *rfcError,
Level: template.Level,
Reference: reference,
Err: err,
},
Code: code, Code: code,
} }
} }

12
vendor/github.com/opencontainers/runtime-tools/specerror/runtime.go generated vendored
View File

@ -68,10 +68,10 @@ const (
PropApplyFailNotCreate PropApplyFailNotCreate
// StartWithoutIDGenError represents "`start` operation MUST generate an error if it is not provided the container ID." // StartWithoutIDGenError represents "`start` operation MUST generate an error if it is not provided the container ID."
StartWithoutIDGenError StartWithoutIDGenError
// StartNonCreateHaveNoEffect represents "Attempting to `start` a container that is not `created` MUST have no effect on the container." // StartNotCreatedHaveNoEffect represents "Attempting to `start` a container that is not `created` MUST have no effect on the container."
StartNonCreateHaveNoEffect StartNotCreatedHaveNoEffect
// StartNonCreateGenError represents "Attempting to `start` a container that is not `created` MUST generate an error." // StartNotCreatedGenError represents "Attempting to `start` a container that is not `created` MUST generate an error."
StartNonCreateGenError StartNotCreatedGenError
// StartProcImplement represents "`start` operation MUST run the user-specified program as specified by `process`." // StartProcImplement represents "`start` operation MUST run the user-specified program as specified by `process`."
StartProcImplement StartProcImplement
// StartWithProcUnsetGenError represents "`start` operation MUST generate an error if `process` was not set." // StartWithProcUnsetGenError represents "`start` operation MUST generate an error if `process` was not set."
@ -163,8 +163,8 @@ func init() {
register(PropApplyFailGenError, rfc2119.Must, createRef) register(PropApplyFailGenError, rfc2119.Must, createRef)
register(PropApplyFailNotCreate, rfc2119.Must, createRef) register(PropApplyFailNotCreate, rfc2119.Must, createRef)
register(StartWithoutIDGenError, rfc2119.Must, startRef) register(StartWithoutIDGenError, rfc2119.Must, startRef)
register(StartNonCreateHaveNoEffect, rfc2119.Must, startRef) register(StartNotCreatedHaveNoEffect, rfc2119.Must, startRef)
register(StartNonCreateGenError, rfc2119.Must, startRef) register(StartNotCreatedGenError, rfc2119.Must, startRef)
register(StartProcImplement, rfc2119.Must, startRef) register(StartProcImplement, rfc2119.Must, startRef)
register(StartWithProcUnsetGenError, rfc2119.Must, startRef) register(StartWithProcUnsetGenError, rfc2119.Must, startRef)
register(KillWithoutIDGenError, rfc2119.Must, killRef) register(KillWithoutIDGenError, rfc2119.Must, killRef)

278
vendor/github.com/opencontainers/runtime-tools/validate/validate.go generated vendored
View File

@ -13,7 +13,6 @@ import (
"regexp" "regexp"
"runtime" "runtime"
"strings" "strings"
"syscall"
"unicode" "unicode"
"unicode/utf8" "unicode/utf8"
@ -115,6 +114,7 @@ func (v *Validator) CheckAll() error {
errs = multierror.Append(errs, v.CheckMounts()) errs = multierror.Append(errs, v.CheckMounts())
errs = multierror.Append(errs, v.CheckProcess()) errs = multierror.Append(errs, v.CheckProcess())
errs = multierror.Append(errs, v.CheckLinux()) errs = multierror.Append(errs, v.CheckLinux())
errs = multierror.Append(errs, v.CheckAnnotations())
if v.platform == "linux" || v.platform == "solaris" { if v.platform == "linux" || v.platform == "solaris" {
errs = multierror.Append(errs, v.CheckHooks()) errs = multierror.Append(errs, v.CheckHooks())
} }
@ -142,6 +142,8 @@ func JSONSchemaURL(version string) (url string, err error) {
// runtime-spec JSON Schema, using the version of the schema that // runtime-spec JSON Schema, using the version of the schema that
// matches the configuration's declared version. // matches the configuration's declared version.
func (v *Validator) CheckJSONSchema() (errs error) { func (v *Validator) CheckJSONSchema() (errs error) {
logrus.Debugf("check JSON schema")
url, err := JSONSchemaURL(v.spec.Version) url, err := JSONSchemaURL(v.spec.Version)
if err != nil { if err != nil {
errs = multierror.Append(errs, err) errs = multierror.Append(errs, err)
@ -169,16 +171,21 @@ func (v *Validator) CheckJSONSchema() (errs error) {
func (v *Validator) CheckRoot() (errs error) { func (v *Validator) CheckRoot() (errs error) {
logrus.Debugf("check root") logrus.Debugf("check root")
if v.platform == "windows" && v.spec.Windows != nil && v.spec.Windows.HyperV != nil { if v.platform == "windows" && v.spec.Windows != nil {
if v.spec.Root != nil { if v.spec.Windows.HyperV != nil {
if v.spec.Root != nil {
errs = multierror.Append(errs,
specerror.NewError(specerror.RootOnHyperVNotSet, fmt.Errorf("for Hyper-V containers, Root must not be set"), rspec.Version))
}
return
} else if v.spec.Root == nil {
errs = multierror.Append(errs, errs = multierror.Append(errs,
specerror.NewError(specerror.RootOnHyperVNotSet, fmt.Errorf("for Hyper-V containers, Root must not be set"), rspec.Version)) specerror.NewError(specerror.RootOnWindowsRequired, fmt.Errorf("on Windows, for Windows Server Containers, this field is REQUIRED"), rspec.Version))
return return
} }
return } else if v.platform != "windows" && v.spec.Root == nil {
} else if v.spec.Root == nil {
errs = multierror.Append(errs, errs = multierror.Append(errs,
specerror.NewError(specerror.RootOnNonHyperVRequired, fmt.Errorf("for non-Hyper-V containers, Root must be set"), rspec.Version)) specerror.NewError(specerror.RootOnNonWindowsRequired, fmt.Errorf("on all other platforms, this field is REQUIRED"), rspec.Version))
return return
} }
@ -570,6 +577,11 @@ func (v *Validator) CheckPlatform() (errs error) {
return return
} }
if v.HostSpecific && v.platform != runtime.GOOS {
errs = multierror.Append(errs, fmt.Errorf("platform %q differs from the host %q, skipping host-specific checks", v.platform, runtime.GOOS))
v.HostSpecific = false
}
if v.platform == "windows" { if v.platform == "windows" {
if v.spec.Windows == nil { if v.spec.Windows == nil {
errs = multierror.Append(errs, errs = multierror.Append(errs,
@ -583,189 +595,6 @@ func (v *Validator) CheckPlatform() (errs error) {
return return
} }
// CheckLinux checks v.spec.Linux
func (v *Validator) CheckLinux() (errs error) {
logrus.Debugf("check linux")
if v.spec.Linux == nil {
return
}
var nsTypeList = map[rspec.LinuxNamespaceType]struct {
num int
newExist bool
}{
rspec.PIDNamespace: {0, false},
rspec.NetworkNamespace: {0, false},
rspec.MountNamespace: {0, false},
rspec.IPCNamespace: {0, false},
rspec.UTSNamespace: {0, false},
rspec.UserNamespace: {0, false},
rspec.CgroupNamespace: {0, false},
}
for index := 0; index < len(v.spec.Linux.Namespaces); index++ {
ns := v.spec.Linux.Namespaces[index]
if ns.Path != "" && !osFilepath.IsAbs(v.platform, ns.Path) {
errs = multierror.Append(errs, specerror.NewError(specerror.NSPathAbs, fmt.Errorf("namespace.path %q is not an absolute path", ns.Path), rspec.Version))
}
tmpItem := nsTypeList[ns.Type]
tmpItem.num = tmpItem.num + 1
if tmpItem.num > 1 {
errs = multierror.Append(errs, specerror.NewError(specerror.NSErrorOnDup, fmt.Errorf("duplicated namespace %q", ns.Type), rspec.Version))
}
if len(ns.Path) == 0 {
tmpItem.newExist = true
}
nsTypeList[ns.Type] = tmpItem
}
if (len(v.spec.Linux.UIDMappings) > 0 || len(v.spec.Linux.GIDMappings) > 0) && !nsTypeList[rspec.UserNamespace].newExist {
errs = multierror.Append(errs, errors.New("the UID/GID mappings requires a new User namespace to be specified as well"))
}
for k := range v.spec.Linux.Sysctl {
if strings.HasPrefix(k, "net.") && !nsTypeList[rspec.NetworkNamespace].newExist {
errs = multierror.Append(errs, fmt.Errorf("sysctl %v requires a new Network namespace to be specified as well", k))
}
if strings.HasPrefix(k, "fs.mqueue.") {
if !nsTypeList[rspec.MountNamespace].newExist || !nsTypeList[rspec.IPCNamespace].newExist {
errs = multierror.Append(errs, fmt.Errorf("sysctl %v requires a new IPC namespace and Mount namespace to be specified as well", k))
}
}
}
if v.platform == "linux" && !nsTypeList[rspec.UTSNamespace].newExist && v.spec.Hostname != "" {
errs = multierror.Append(errs, fmt.Errorf("on Linux, hostname requires a new UTS namespace to be specified as well"))
}
// Linux devices validation
devList := make(map[string]bool)
devTypeList := make(map[string]bool)
for index := 0; index < len(v.spec.Linux.Devices); index++ {
device := v.spec.Linux.Devices[index]
if !deviceValid(device) {
errs = multierror.Append(errs, fmt.Errorf("device %v is invalid", device))
}
if _, exists := devList[device.Path]; exists {
errs = multierror.Append(errs, fmt.Errorf("device %s is duplicated", device.Path))
} else {
var rootfsPath string
if filepath.IsAbs(v.spec.Root.Path) {
rootfsPath = v.spec.Root.Path
} else {
rootfsPath = filepath.Join(v.bundlePath, v.spec.Root.Path)
}
absPath := filepath.Join(rootfsPath, device.Path)
fi, err := os.Stat(absPath)
if os.IsNotExist(err) {
devList[device.Path] = true
} else if err != nil {
errs = multierror.Append(errs, err)
} else {
fStat, ok := fi.Sys().(*syscall.Stat_t)
if !ok {
errs = multierror.Append(errs, specerror.NewError(specerror.DevicesAvailable,
fmt.Errorf("cannot determine state for device %s", device.Path), rspec.Version))
continue
}
var devType string
switch fStat.Mode & syscall.S_IFMT {
case syscall.S_IFCHR:
devType = "c"
case syscall.S_IFBLK:
devType = "b"
case syscall.S_IFIFO:
devType = "p"
default:
devType = "unmatched"
}
if devType != device.Type || (devType == "c" && device.Type == "u") {
errs = multierror.Append(errs, specerror.NewError(specerror.DevicesFileNotMatch,
fmt.Errorf("unmatched %s already exists in filesystem", device.Path), rspec.Version))
continue
}
if devType != "p" {
dev := fStat.Rdev
major := (dev >> 8) & 0xfff
minor := (dev & 0xff) | ((dev >> 12) & 0xfff00)
if int64(major) != device.Major || int64(minor) != device.Minor {
errs = multierror.Append(errs, specerror.NewError(specerror.DevicesFileNotMatch,
fmt.Errorf("unmatched %s already exists in filesystem", device.Path), rspec.Version))
continue
}
}
if device.FileMode != nil {
expectedPerm := *device.FileMode & os.ModePerm
actualPerm := fi.Mode() & os.ModePerm
if expectedPerm != actualPerm {
errs = multierror.Append(errs, specerror.NewError(specerror.DevicesFileNotMatch,
fmt.Errorf("unmatched %s already exists in filesystem", device.Path), rspec.Version))
continue
}
}
if device.UID != nil {
if *device.UID != fStat.Uid {
errs = multierror.Append(errs, specerror.NewError(specerror.DevicesFileNotMatch,
fmt.Errorf("unmatched %s already exists in filesystem", device.Path), rspec.Version))
continue
}
}
if device.GID != nil {
if *device.GID != fStat.Gid {
errs = multierror.Append(errs, specerror.NewError(specerror.DevicesFileNotMatch,
fmt.Errorf("unmatched %s already exists in filesystem", device.Path), rspec.Version))
continue
}
}
}
}
// unify u->c when comparing, they are synonyms
var devID string
if device.Type == "u" {
devID = fmt.Sprintf("%s:%d:%d", "c", device.Major, device.Minor)
} else {
devID = fmt.Sprintf("%s:%d:%d", device.Type, device.Major, device.Minor)
}
if _, exists := devTypeList[devID]; exists {
logrus.Warnf("type:%s, major:%d and minor:%d for linux devices is duplicated", device.Type, device.Major, device.Minor)
} else {
devTypeList[devID] = true
}
}
if v.spec.Linux.Resources != nil {
errs = multierror.Append(errs, v.CheckLinuxResources())
}
for _, maskedPath := range v.spec.Linux.MaskedPaths {
if !strings.HasPrefix(maskedPath, "/") {
errs = multierror.Append(errs,
specerror.NewError(
specerror.MaskedPathsAbs,
fmt.Errorf("maskedPath %v is not an absolute path", maskedPath),
rspec.Version))
}
}
for _, readonlyPath := range v.spec.Linux.ReadonlyPaths {
if !strings.HasPrefix(readonlyPath, "/") {
errs = multierror.Append(errs,
specerror.NewError(
specerror.ReadonlyPathsAbs,
fmt.Errorf("readonlyPath %v is not an absolute path", readonlyPath),
rspec.Version))
}
}
return
}
// CheckLinuxResources checks v.spec.Linux.Resources // CheckLinuxResources checks v.spec.Linux.Resources
func (v *Validator) CheckLinuxResources() (errs error) { func (v *Validator) CheckLinuxResources() (errs error) {
logrus.Debugf("check linux resources") logrus.Debugf("check linux resources")
@ -817,6 +646,44 @@ func (v *Validator) CheckLinuxResources() (errs error) {
} }
} }
if r.BlockIO != nil && r.BlockIO.WeightDevice != nil {
for i, weightDevice := range r.BlockIO.WeightDevice {
if weightDevice.Weight == nil && weightDevice.LeafWeight == nil {
errs = multierror.Append(errs,
specerror.NewError(
specerror.BlkIOWeightOrLeafWeightExist,
fmt.Errorf("linux.resources.blockIO.weightDevice[%d] specifies neither weight nor leafWeight", i),
rspec.Version))
}
}
}
return
}
// CheckAnnotations checks v.spec.Annotations
func (v *Validator) CheckAnnotations() (errs error) {
logrus.Debugf("check annotations")
reversedDomain := regexp.MustCompile(`^[A-Za-z]{2,6}(\.[A-Za-z0-9-]{1,63})+$`)
for key := range v.spec.Annotations {
if strings.HasPrefix(key, "org.opencontainers") {
errs = multierror.Append(errs,
specerror.NewError(
specerror.AnnotationsKeyReservedNS,
fmt.Errorf("key %q is reserved", key),
rspec.Version))
}
if !reversedDomain.MatchString(key) {
errs = multierror.Append(errs,
specerror.NewError(
specerror.AnnotationsKeyReversedDomain,
fmt.Errorf("key %q SHOULD be named using a reverse domain notation", key),
rspec.Version))
}
}
return return
} }
@ -843,17 +710,6 @@ func CapValid(c string, hostSpecific bool) error {
return nil return nil
} }
// LastCap return last cap of system
func LastCap() capability.Cap {
last := capability.CAP_LAST_CAP
// hack for RHEL6 which has no /proc/sys/kernel/cap_last_cap
if last == capability.Cap(63) {
last = capability.CAP_BLOCK_SUSPEND
}
return last
}
func envValid(env string) bool { func envValid(env string) bool {
items := strings.Split(env, "=") items := strings.Split(env, "=")
if len(items) < 2 { if len(items) < 2 {
@ -896,22 +752,6 @@ func (v *Validator) rlimitValid(rlimit rspec.POSIXRlimit) (errs error) {
return return
} }
func deviceValid(d rspec.LinuxDevice) bool {
switch d.Type {
case "b", "c", "u":
if d.Major <= 0 || d.Minor <= 0 {
return false
}
case "p":
if d.Major != 0 || d.Minor != 0 {
return false
}
default:
return false
}
return true
}
func isStruct(t reflect.Type) bool { func isStruct(t reflect.Type) bool {
return t.Kind() == reflect.Struct return t.Kind() == reflect.Struct
} }
@ -990,5 +830,9 @@ func checkMandatory(obj interface{}) (errs error) {
func (v *Validator) CheckMandatoryFields() error { func (v *Validator) CheckMandatoryFields() error {
logrus.Debugf("check mandatory fields") logrus.Debugf("check mandatory fields")
if v.spec == nil {
return fmt.Errorf("Spec can't be nil")
}
return checkMandatory(v.spec) return checkMandatory(v.spec)
} }

230
vendor/github.com/opencontainers/runtime-tools/validate/validate_linux.go generated vendored Normal file
View File

@ -0,0 +1,230 @@
// +build linux
package validate
import (
"errors"
"fmt"
"os"
"path/filepath"
"strings"
"syscall"
"github.com/syndtr/gocapability/capability"
multierror "github.com/hashicorp/go-multierror"
rspec "github.com/opencontainers/runtime-spec/specs-go"
osFilepath "github.com/opencontainers/runtime-tools/filepath"
"github.com/opencontainers/runtime-tools/specerror"
"github.com/sirupsen/logrus"
)
// LastCap return last cap of system
func LastCap() capability.Cap {
last := capability.CAP_LAST_CAP
// hack for RHEL6 which has no /proc/sys/kernel/cap_last_cap
if last == capability.Cap(63) {
last = capability.CAP_BLOCK_SUSPEND
}
return last
}
func deviceValid(d rspec.LinuxDevice) bool {
switch d.Type {
case "b", "c", "u":
if d.Major <= 0 || d.Minor <= 0 {
return false
}
case "p":
if d.Major != 0 || d.Minor != 0 {
return false
}
default:
return false
}
return true
}
// CheckLinux checks v.spec.Linux
func (v *Validator) CheckLinux() (errs error) {
logrus.Debugf("check linux")
if v.spec.Linux == nil {
return
}
var nsTypeList = map[rspec.LinuxNamespaceType]struct {
num int
newExist bool
}{
rspec.PIDNamespace: {0, false},
rspec.NetworkNamespace: {0, false},
rspec.MountNamespace: {0, false},
rspec.IPCNamespace: {0, false},
rspec.UTSNamespace: {0, false},
rspec.UserNamespace: {0, false},
rspec.CgroupNamespace: {0, false},
}
for index := 0; index < len(v.spec.Linux.Namespaces); index++ {
ns := v.spec.Linux.Namespaces[index]
if ns.Path != "" && !osFilepath.IsAbs(v.platform, ns.Path) {
errs = multierror.Append(errs, specerror.NewError(specerror.NSPathAbs, fmt.Errorf("namespace.path %q is not an absolute path", ns.Path), rspec.Version))
}
tmpItem := nsTypeList[ns.Type]
tmpItem.num = tmpItem.num + 1
if tmpItem.num > 1 {
errs = multierror.Append(errs, specerror.NewError(specerror.NSErrorOnDup, fmt.Errorf("duplicated namespace %q", ns.Type), rspec.Version))
}
if len(ns.Path) == 0 {
tmpItem.newExist = true
}
nsTypeList[ns.Type] = tmpItem
}
if (len(v.spec.Linux.UIDMappings) > 0 || len(v.spec.Linux.GIDMappings) > 0) && !nsTypeList[rspec.UserNamespace].newExist {
errs = multierror.Append(errs, errors.New("the UID/GID mappings requires a new User namespace to be specified as well"))
}
for k := range v.spec.Linux.Sysctl {
if strings.HasPrefix(k, "net.") && !nsTypeList[rspec.NetworkNamespace].newExist {
errs = multierror.Append(errs, fmt.Errorf("sysctl %v requires a new Network namespace to be specified as well", k))
}
if strings.HasPrefix(k, "fs.mqueue.") {
if !nsTypeList[rspec.MountNamespace].newExist || !nsTypeList[rspec.IPCNamespace].newExist {
errs = multierror.Append(errs, fmt.Errorf("sysctl %v requires a new IPC namespace and Mount namespace to be specified as well", k))
}
}
}
if v.platform == "linux" && !nsTypeList[rspec.UTSNamespace].newExist && v.spec.Hostname != "" {
errs = multierror.Append(errs, fmt.Errorf("on Linux, hostname requires a new UTS namespace to be specified as well"))
}
// Linux devices validation
devList := make(map[string]bool)
devTypeList := make(map[string]bool)
for index := 0; index < len(v.spec.Linux.Devices); index++ {
device := v.spec.Linux.Devices[index]
if !deviceValid(device) {
errs = multierror.Append(errs, fmt.Errorf("device %v is invalid", device))
}
if _, exists := devList[device.Path]; exists {
errs = multierror.Append(errs, fmt.Errorf("device %s is duplicated", device.Path))
} else {
var rootfsPath string
if filepath.IsAbs(v.spec.Root.Path) {
rootfsPath = v.spec.Root.Path
} else {
rootfsPath = filepath.Join(v.bundlePath, v.spec.Root.Path)
}
absPath := filepath.Join(rootfsPath, device.Path)
fi, err := os.Stat(absPath)
if os.IsNotExist(err) {
devList[device.Path] = true
} else if err != nil {
errs = multierror.Append(errs, err)
} else {
fStat, ok := fi.Sys().(*syscall.Stat_t)
if !ok {
errs = multierror.Append(errs, specerror.NewError(specerror.DevicesAvailable,
fmt.Errorf("cannot determine state for device %s", device.Path), rspec.Version))
continue
}
var devType string
switch fStat.Mode & syscall.S_IFMT {
case syscall.S_IFCHR:
devType = "c"
case syscall.S_IFBLK:
devType = "b"
case syscall.S_IFIFO:
devType = "p"
default:
devType = "unmatched"
}
if devType != device.Type || (devType == "c" && device.Type == "u") {
errs = multierror.Append(errs, specerror.NewError(specerror.DevicesFileNotMatch,
fmt.Errorf("unmatched %s already exists in filesystem", device.Path), rspec.Version))
continue
}
if devType != "p" {
dev := fStat.Rdev
major := (dev >> 8) & 0xfff
minor := (dev & 0xff) | ((dev >> 12) & 0xfff00)
if int64(major) != device.Major || int64(minor) != device.Minor {
errs = multierror.Append(errs, specerror.NewError(specerror.DevicesFileNotMatch,
fmt.Errorf("unmatched %s already exists in filesystem", device.Path), rspec.Version))
continue
}
}
if device.FileMode != nil {
expectedPerm := *device.FileMode & os.ModePerm
actualPerm := fi.Mode() & os.ModePerm
if expectedPerm != actualPerm {
errs = multierror.Append(errs, specerror.NewError(specerror.DevicesFileNotMatch,
fmt.Errorf("unmatched %s already exists in filesystem", device.Path), rspec.Version))
continue
}
}
if device.UID != nil {
if *device.UID != fStat.Uid {
errs = multierror.Append(errs, specerror.NewError(specerror.DevicesFileNotMatch,
fmt.Errorf("unmatched %s already exists in filesystem", device.Path), rspec.Version))
continue
}
}
if device.GID != nil {
if *device.GID != fStat.Gid {
errs = multierror.Append(errs, specerror.NewError(specerror.DevicesFileNotMatch,
fmt.Errorf("unmatched %s already exists in filesystem", device.Path), rspec.Version))
continue
}
}
}
}
// unify u->c when comparing, they are synonyms
var devID string
if device.Type == "u" {
devID = fmt.Sprintf("%s:%d:%d", "c", device.Major, device.Minor)
} else {
devID = fmt.Sprintf("%s:%d:%d", device.Type, device.Major, device.Minor)
}
if _, exists := devTypeList[devID]; exists {
logrus.Warnf("%v", specerror.NewError(specerror.DevicesErrorOnDup, fmt.Errorf("type:%s, major:%d and minor:%d for linux devices is duplicated", device.Type, device.Major, device.Minor), rspec.Version))
} else {
devTypeList[devID] = true
}
}
if v.spec.Linux.Resources != nil {
errs = multierror.Append(errs, v.CheckLinuxResources())
}
for _, maskedPath := range v.spec.Linux.MaskedPaths {
if !strings.HasPrefix(maskedPath, "/") {
errs = multierror.Append(errs,
specerror.NewError(
specerror.MaskedPathsAbs,
fmt.Errorf("maskedPath %v is not an absolute path", maskedPath),
rspec.Version))
}
}
for _, readonlyPath := range v.spec.Linux.ReadonlyPaths {
if !strings.HasPrefix(readonlyPath, "/") {
errs = multierror.Append(errs,
specerror.NewError(
specerror.ReadonlyPathsAbs,
fmt.Errorf("readonlyPath %v is not an absolute path", readonlyPath),
rspec.Version))
}
}
return
}

17
vendor/github.com/opencontainers/runtime-tools/validate/validate_unsupported.go generated vendored Normal file
View File

@ -0,0 +1,17 @@
// +build !linux
package validate
import (
"github.com/syndtr/gocapability/capability"
)
// LastCap return last cap of system
func LastCap() capability.Cap {
return capability.Cap(-1)
}
// CheckLinux is a noop on this platform
func (v *Validator) CheckLinux() (errs error) {
return nil
}