From 84f7b51451f267a22769edf7ae267b4332ccc6a9 Mon Sep 17 00:00:00 2001
From: Matthias Schiffer
Date: Sun, 7 Feb 2021 01:27:32 +0100
Subject: runc: embed default spec
---
 Cargo.lock | 1 +
 Cargo.toml | 1 +
 src/runner/runc.rs | 1 +
 src/runner/runc/run.rs | 46 ++------------
 src/runner/runc/spec.rs | 157 ++++++++++++++++++++++++++++++++++++++++++++++++
 5 files changed, 166 insertions(+), 40 deletions(-)
 create mode 100644 src/runner/runc/spec.rs
diff --git a/Cargo.lock b/Cargo.lock
index aa792f9..e1ceb83 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -383,6 +383,7 @@ dependencies = [
 "nix",
 "oci-spec",
 "serde",
+ "serde_json",
 "serde_yaml",
 "tar",
 "users",
diff --git a/Cargo.toml b/Cargo.toml
index b91e375..bc34df3 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -13,6 +13,7 @@ libc = "0.2.84"
 nix = "0.19.1"
 oci-spec = "0.2.8"
 serde = { version = "1", features = ["derive"] }
+serde_json = "1.0.62"
 serde_yaml = "0.8"
 tar = "0.4.32"
 users = "0.11.0"
diff --git a/src/runner/runc.rs b/src/runner/runc.rs
index 789f7f2..62a3bf1 100644
--- a/src/runner/runc.rs
+++ b/src/runner/runc.rs
@@ -1,5 +1,6 @@
 mod init;
 mod run;
+mod spec;
 use std::{io, process};
diff --git a/src/runner/runc/run.rs b/src/runner/runc/run.rs
index e7fb393..897fb47 100644
--- a/src/runner/runc/run.rs
+++ b/src/runner/runc/run.rs
@@ -4,14 +4,11 @@ use nix::{
 mount::{self, MsFlags},
 sched::{self, CloneFlags},
 };
-use oci_spec::runtime;
 use serde::{Deserialize, Serialize};
-use crate::{ types::*, unshare, util::{Checkable, ToIOResult}, };
+use crate::{types::*, util::ToIOResult};
+
+use super::spec;
 #[derive(Debug, Deserialize, Serialize)]
 pub enum Error {
@@ -52,43 +49,12 @@ fn init_task() -> Result<(), Error> {
 Ok(())
 }
-fn configure_spec(path: &str, run: &str) {
- let mut spec = runtime::Spec::load(path).unwrap();
-
- let process = spec.process.as_mut().unwrap();
- process.terminal = Some(false);
- process.user = runtime::User {
- uid: unshare::BUILD_UID,
- gid: unshare::BUILD_GID,
- additional_gids: None,
- username: None,
- };
- process.args = Some(
- vec!["sh", "-c", run]
- .into_iter()
- .map(str::to_string)
- .collect(),
- );
- process.cwd = "/rebel".to_string();
-
- let root = spec.root.as_mut().unwrap();
- root.path = "../rootfs".to_string();
-
- spec.hostname = Some("rebel-builder".to_string());
-
- spec.save(path).unwrap();
-}
-
 pub fn handle_task(task: TaskRef, task_def: Task) -> Result<(), Error> {
 init_task()?;
- process::Command::new("runc")
- .arg("spec")
- .current_dir("build/tmp/runc")
- .status()?
- .check()?;
-
- configure_spec("build/tmp/runc/config.json", task_def.run.as_str());
+ spec::generate_spec(task_def.run.as_str())
+ .save("build/tmp/runc/config.json")
+ .expect("Saving runtime spec failed");
 let output = process::Command::new("runc")
 .arg("--root")
diff --git a/src/runner/runc/spec.rs b/src/runner/runc/spec.rs
new file mode 100644
index 0000000..c549399
--- /dev/null
+++ b/src/runner/runc/spec.rs
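Review bot: The new `.expect("Saving runtime spec failed")` on the `save` call turns a failed write of build/tmp/runc/config.json into a panic inside `handle_task`, which otherwise reports failures through its `Result<(), Error>` (the `init_task()?` line just above and the `status()?` in the removed block), and it also drops the explicit status handling that the removed `runc spec` step had via `.check()?`. If `Error` has a conversion for the error type `Spec::save` returns — the `?` on `status()` suggests an I/O variant exists, and the `ToIOResult` import kept in this file's first hunk looks intended for such mappings — the save should be propagated with `?` instead of panicking; the exact mapping depends on `Error`'s variants, which are outside the hunk. The body of `handle_task` continues past the end of the hunk, and the hunk does not show whether build/tmp/runc is created before the save now that `runc spec` no longer runs in that directory.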
@@ -0,0 +1,157 @@
+use oci_spec::runtime;
+use serde::Deserialize;
+use serde_json::json;
+
+use crate::unshare;
+pub fn generate_spec(run: &str) -> runtime::Spec {
+ runtime::Spec::deserialize(json!({
+ "ociVersion": "1.0.2",
+ "process": {
+ "terminal": false,
+ "user": {
+ "uid": unshare::BUILD_UID,
+ "gid": unshare::BUILD_GID
+ },
+ "args": [
+ "sh",
+ "-c",
+ run
+ ],
+ "env": [
+ "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+ "TERM=xterm"
+ ],
+ "cwd": "/rebel",
+ "noNewPrivileges": true
+ },
+ "root": {
+ "path": "../rootfs",
+ "readonly": true
+ },
+ "hostname": "rebel-builder",
+ "mounts": [
+ {
+ "destination": "/proc",
+ "type": "proc",
+ "source": "proc"
+ },
+ {
+ "destination": "/dev",
+ "type": "tmpfs",
+ "source": "tmpfs",
+ "options": [
+ "nosuid",
+ "strictatime",
+ "mode=755",
+ "size=65536k"
+ ]
+ },
+ {
+ "destination": "/dev/pts",
+ "type": "devpts",
+ "source": "devpts",
+ "options": [
+ "nosuid",
+ "noexec",
+ "newinstance",
+ "ptmxmode=0666",
+ "mode=0620",
+ "gid=5"
+ ]
+ },
+ {
+ "destination": "/dev/shm",
+ "type": "tmpfs",
+ "source": "shm",
+ "options": [
+ "nosuid",
+ "noexec",
+ "nodev",
+ "mode=1777",
+ "size=65536k"
+ ]
+ },
+ {
+ "destination": "/dev/mqueue",
+ "type": "mqueue",
+ "source": "mqueue",
+ "options": [
+ "nosuid",
+ "noexec",
+ "nodev"
+ ]
+ },
+ {
+ "destination": "/sys",
+ "type": "sysfs",
+ "source": "sysfs",
+ "options": [
+ "nosuid",
+ "noexec",
+ "nodev",
+ "ro"
+ ]
+ },
+ {
+ "destination": "/sys/fs/cgroup",
+ "type": "cgroup",
+ "source": "cgroup",
+ "options": [
+ "nosuid",
+ "noexec",
+ "nodev",
+ "relatime",
+ "ro"
+ ]
+ }
+ ],
+ "linux": {
+ "resources": {
+ "devices": [
+ {
+ "allow": false,
+ "access": "rwm"
+ }
+ ]
+ },
+ "namespaces": [
+ {
+ "type": "pid"
+ },
+ {
+ "type": "network"
+ },
+ {
+ "type": "ipc"
+ },
+ {
+ "type": "uts"
+ },
+ {
+ "type": "mount"
+ }
+ ],
+ "maskedPaths": [
+ "/proc/acpi",
+ "/proc/asound",
+ "/proc/kcore",
+ "/proc/keys",
+ "/proc/latency_stats",
+ "/proc/timer_list",
+ "/proc/timer_stats",
+ "/proc/sched_debug",
+ "/sys/firmware",
+ "/proc/scsi"
+ ],
+ "readonlyPaths": [
+ "/proc/bus",
+ "/proc/fs",
+ "/proc/irq",
+ "/proc/sys",
+ "/proc/sysrq-trigger"
+ ]
+ }
+ }))
+ .unwrap()
+}
-- cgit v1.2.3
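Review bot: `generate_spec` is a new public function with no doc comment, yet the literal it embeds is the sandbox policy for every build (process runs as `unshare::BUILD_UID`/`BUILD_GID` with `noNewPrivileges`, read-only root at `../rootfs`, a deny-all device cgroup rule, private pid/network/ipc/uts/mount namespaces, masked and read-only `/proc` and `/sys` paths), so a `///` comment stating that `run` is executed verbatim by `sh -c` under these restrictions and that this JSON is the complete runtime spec rather than a template would keep the policy reviewable from the call site. The spec carries no `process.capabilities` block at all, whereas the removed `configure_spec` inherited that field untouched from `runc spec` output; the capability set the build process ends up with is therefore whatever runc applies for an absent block, which I cannot confirm from the hunk, so either spell out the intended sets explicitly or record the reliance in the doc comment. The `.unwrap()` on `Spec::deserialize` can only fail if the literal itself is malformed, since `run` and the ids are inserted as JSON values by `json!` rather than by string concatenation; `.expect("embedded default runtime spec must deserialize")` states that invariant at the panic site.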