use oci_spec::runtime::{self, Capability};
use serde_json::json;

use crate::paths;

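/// Builds the OCI runtime spec for one sandboxed build task.
///
/// `command` becomes `process.args`; everything else is a fixed template that
/// describes the sandbox:
///
/// * the process runs as uid/gid 0 with `noNewPrivileges` set and every
///   capability set (bounding/permitted/inheritable/effective) reduced to
///   `CAP_DAC_READ_SEARCH` + `CAP_SETFCAP`; no ambient set is given;
/// * the rootfs is mounted read-only; the task build dir is the only
///   host-backed writable path, `/tmp`, `/dev` and `/dev/shm` are private
///   tmpfs instances;
/// * fresh pid, network, ipc, uts and mount namespaces; no `user`
///   namespace, so uid 0 here is the runtime's root (host root unless the
///   runtime itself is run rootless) — confinement rests on the capability
///   set, `noNewPrivileges`, the read-only rootfs and the namespaces;
/// * the usual sensitive `/proc` entries are masked or made read-only.
///
/// Things the template deliberately does NOT set, which a deployer may want
/// to revisit: no `linux.seccomp` profile (runc applies none unless the spec
/// carries one, so the syscall surface is bounded only by the capability
/// set), no `linux.resources` cgroup limits (the only consumption caps are the
/// tmpfs `size=` options), and no `linux.devices` (only whatever default
/// device nodes the runtime populates appear under `/dev`).
///
/// # Panics
///
/// Panics if the template fails to deserialize into [`runtime::Spec`]. The
/// template is static apart from `command` and the `paths` constants, so a
/// failure here is a programming error, not a runtime condition.
pub fn generate_spec(command: &[&str]) -> runtime::Spec {
	// Presumably DAC_READ_SEARCH lets the build read files regardless of
	// mode bits and SETFCAP lets install steps record file capabilities on
	// produced binaries — TODO confirm against the build scripts. Note that
	// with noNewPrivileges below, exec'ing a file that carries file
	// capabilities does not grant them inside the sandbox.
	let capabilities: runtime::Capabilities =
		IntoIterator::into_iter([Capability::DacReadSearch, Capability::Setfcap]).collect();

	serde_json::from_value(json!({
		"ociVersion": "1.0.2",
		"process": {
			"terminal": false,
			"user": {
				"uid": 0,
				"gid": 0,
			},
			"args": command,
			"env": [
				"PATH=/usr/sbin:/usr/bin:/sbin:/bin",
				"HOME=/build",
			],
			"cwd": paths::abs(paths::TASK_WORKDIR),
			// Sets the kernel's no_new_privs bit: execve() cannot raise
			// privileges (setuid/setgid bits and file caps are not honored).
			"noNewPrivileges": true,
			// All four sets are the same reduced pair; "ambient" is left
			// unset.
			"capabilities": {
				"bounding": capabilities,
				"permitted": capabilities,
				"inheritable": capabilities,
				"effective": capabilities,
			},
		},
		"root": {
			// Relative path, resolved by the runtime against the bundle.
			"path": paths::TASK_TMP_ROOTFS_SUBDIR,
			"readonly": true
		},
		"hostname": "rebel-builder",
		"mounts": [
			// The task build dir, recursively bind-mounted from the host.
			// This is the only writable host-backed path. It is mounted
			// without nosuid/nodev/noexec: setuid binaries are neutralized
			// by noNewPrivileges, and creating device nodes needs CAP_MKNOD,
			// which is not in the bounding set. The source is given
			// non-absolute, presumably relative to the runtime's working
			// directory — TODO confirm.
			{
				"destination": paths::abs(paths::TASK_BUILDDIR),
				"type": "none",
				"source": paths::TASK_BUILDDIR,
				"options": [
					"rbind"
				]
			},
			// Private /tmp, capped at 1 GiB. Exec is intentionally allowed
			// (builds need it); nodev/nosuid are set.
			{
				"destination": "/tmp",
				"type": "tmpfs",
				"source": "tmp",
				"options": [
					"nodev",
					"nosuid",
					"mode=1777",
					"size=1048576k"
				]
			},
			{
				"destination": "/proc",
				"type": "proc",
				"source": "proc"
			},
			// Private /dev on tmpfs. No "linux.devices" list is given, so
			// only the runtime's default device nodes are created here.
			{
				"destination": "/dev",
				"type": "tmpfs",
				"source": "tmpfs",
				"options": [
					"nosuid",
					"strictatime",
					"mode=755",
					"size=65536k"
				]
			},
			// "newinstance" gives the sandbox its own pty namespace rather
			// than sharing the host's.
			{
				"destination": "/dev/pts",
				"type": "devpts",
				"source": "devpts",
				"options": [
					"nosuid",
					"noexec",
					"newinstance",
					"ptmxmode=0666",
					"mode=0620"
				]
			},
			{
				"destination": "/dev/shm",
				"type": "tmpfs",
				"source": "shm",
				"options": [
					"nosuid",
					"noexec",
					"nodev",
					"mode=1777",
					"size=65536k"
				]
			},
			{
				"destination": "/dev/mqueue",
				"type": "mqueue",
				"source": "mqueue",
				"options": [
					"nosuid",
					"noexec",
					"nodev"
				]
			},
		],
		// No sysfs mount at all, so nothing under /sys is exposed.
		"linux": {
			// Fresh namespaces. The network namespace has no interfaces
			// configured in this spec, so the build is offline unless the
			// runtime or a hook adds one. There is no "user" namespace.
			"namespaces": [
				{
					"type": "pid"
				},
				{
					"type": "network"
				},
				{
					"type": "ipc"
				},
				{
					"type": "uts"
				},
				{
					"type": "mount"
				},
			],
			// Hidden behind an empty mount (kcore = raw kernel memory,
			// keys = kernel keyring, timer/latency stats leak host activity).
			"maskedPaths": [
				"/proc/acpi",
				"/proc/asound",
				"/proc/kcore",
				"/proc/keys",
				"/proc/latency_stats",
				"/proc/timer_list",
				"/proc/timer_stats",
				"/proc/sched_debug",
				"/proc/scsi"
			],
			// Visible but not writable (sysrq-trigger would otherwise allow
			// a host reboot/crash from inside; /proc/sys is host sysctls).
			"readonlyPaths": [
				"/proc/bus",
				"/proc/fs",
				"/proc/irq",
				"/proc/sys",
				"/proc/sysrq-trigger"
			]
		}
	}))
	// Only `command` and the `paths` constants vary; a deserialization
	// failure means the template above is malformed.
	.expect("static OCI spec template must deserialize into runtime::Spec")
}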