From 205f1027e6beb84101439172b3c776c2671b5be8 Mon Sep 17 00:00:00 2001 From: Nicolas Lacasse Date: Tue, 15 May 2018 10:17:19 -0700 Subject: Refactor the Sandbox package into Sandbox + Container. This is a necessary prerequisite for supporting multiple containers in a single sandbox. All the commands (in cmd package) now call operations on Containers (container package). When a Container first starts, it will create a Sandbox with the same ID. The Sandbox class is now simpler, as it only knows how to create boot/gofer processes, and how to forward commands into the running boot process. There are TODOs sprinkled around for additional support for multiple containers. Most notably, we need to detect when a container is intended to run in an existing sandbox (by reading the metadata), and then have some way to signal to the sandbox to start a new container. Other urpc calls into the sandbox need to pass the container ID, so the sandbox can run the operation on the given container. These are only half-plummed through right now. PiperOrigin-RevId: 196688269 Change-Id: I1ecf4abbb9dd8987a53ae509df19341aaf42b5b0 --- runsc/specutils/specutils.go | 23 +++++++++++++++++++++-- 1 file changed, 21 insertions(+), 2 deletions(-) (limited to 'runsc/specutils/specutils.go') diff --git a/runsc/specutils/specutils.go b/runsc/specutils/specutils.go index dcb4b20db..5f455dec4 100644 --- a/runsc/specutils/specutils.go +++ b/runsc/specutils/specutils.go @@ -41,9 +41,28 @@ func LogSpec(spec *specs.Spec) { log.Debugf("Spec.Root: %+v", spec.Root) } +// ValidateSpec validates that the spec is compatible with runsc. +func ValidateSpec(spec *specs.Spec) error { + if spec.Process == nil { + return fmt.Errorf("Process must be defined") + } + if spec.Process.SelinuxLabel != "" { + return fmt.Errorf("SELinux is not supported: %s", spec.Process.SelinuxLabel) + } + + // Docker uses AppArmor by default, so just log that it's being ignored. + if spec.Process.ApparmorProfile != "" { + log.Warningf("AppArmor profile %q is being ignored", spec.Process.ApparmorProfile) + } + + // TODO: Apply seccomp to application inside sandbox. + if spec.Linux != nil && spec.Linux.Seccomp != nil { + log.Warningf("Seccomp spec is being ignored") + } + return nil +} + // ReadSpec reads an OCI runtime spec from the given bundle directory. -// -// TODO: This should validate the spec. func ReadSpec(bundleDir string) (*specs.Spec, error) { // The spec file must be in "config.json" inside the bundle directory. specFile := filepath.Join(bundleDir, "config.json") -- cgit v1.2.3