authorNicolas Lacasse <nlacasse@google.com>2018-05-15 10:17:19 -0700
committerShentubot <shentubot@google.com>2018-05-15 10:18:03 -0700
commit205f1027e6beb84101439172b3c776c2671b5be8 (patch)
tree10294e667ee529e140c474c475e7309cb72ea1d8 /runsc/specutils
parented02ac4f668ec41063cd51cbbd451baba9e9a6e7 (diff)
Refactor the Sandbox package into Sandbox + Container.
This is a necessary prerequisite for supporting multiple containers in a single sandbox. All the commands (in cmd package) now call operations on Containers (container package). When a Container first starts, it will create a Sandbox with the same ID. The Sandbox class is now simpler, as it only knows how to create boot/gofer processes, and how to forward commands into the running boot process. There are TODOs sprinkled around for additional support for multiple containers. Most notably, we need to detect when a container is intended to run in an existing sandbox (by reading the metadata), and then have some way to signal to the sandbox to start a new container. Other urpc calls into the sandbox need to pass the container ID, so the sandbox can run the operation on the given container. These are only half-plumbed through right now. PiperOrigin-RevId: 196688269 Change-Id: I1ecf4abbb9dd8987a53ae509df19341aaf42b5b0
Diffstat (limited to 'runsc/specutils')
-rw-r--r--runsc/specutils/specutils.go23
1 files changed, 21 insertions, 2 deletions
diff --git a/runsc/specutils/specutils.go b/runsc/specutils/specutils.go
index dcb4b20db..5f455dec4 100644
--- a/runsc/specutils/specutils.go
+++ b/runsc/specutils/specutils.go
@@ -41,9 +41,28 @@ func LogSpec(spec *specs.Spec) {
log.Debugf("Spec.Root: %+v", spec.Root)
}
+// ValidateSpec validates that the spec is compatible with runsc.
+func ValidateSpec(spec *specs.Spec) error {
+ if spec.Process == nil {
+ return fmt.Errorf("Process must be defined")
+ }
+ if spec.Process.SelinuxLabel != "" {
+ return fmt.Errorf("SELinux is not supported: %s", spec.Process.SelinuxLabel)
+ }
+
+ // Docker uses AppArmor by default, so just log that it's being ignored.
+ if spec.Process.ApparmorProfile != "" {
+ log.Warningf("AppArmor profile %q is being ignored", spec.Process.ApparmorProfile)
+ }
+
+ // TODO: Apply seccomp to application inside sandbox.
+ if spec.Linux != nil && spec.Linux.Seccomp != nil {
+ log.Warningf("Seccomp spec is being ignored")
+ }
+ return nil
+}
+
// ReadSpec reads an OCI runtime spec from the given bundle directory.
-//
-// TODO: This should validate the spec.
func ReadSpec(bundleDir string) (*specs.Spec, error) {
// The spec file must be in "config.json" inside the bundle directory.
specFile := filepath.Join(bundleDir, "config.json")
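Review bot: ValidateSpec returns nil for a spec that carries a seccomp filter or an AppArmor profile even though both are only logged and then ignored, so a nil result means "runsc can run this spec", not "the confinement the spec asks for is in effect", and the one-line doc comment does not say so. I would extend it along the lines of `// ValidateSpec rejects specs runsc cannot run (missing Process, SELinux label). AppArmor profiles and seccomp filters are accepted but NOT applied; only a warning is logged.` so that callers do not read success as enforcement. The seccomp warning also gives an operator nothing to correlate against, unlike the AppArmor one, which quotes the profile name; including the filter's default action, e.g. `log.Warningf("Seccomp spec is being ignored (default action %q)", spec.Linux.Seccomp.DefaultAction)`, would make the dropped policy visible in logs. Separately, the hunk removes `TODO: This should validate the spec` from ReadSpec, whose body continues outside the hunk, so it is not visible here whether ReadSpec now calls ValidateSpec or each caller is expected to do it.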