projects / project / procd.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: b9b39e2) | patch
jail: add support for running OCI bundle
authorDaniel Golle <daniel@makrotopia.org>
Fri, 10 Jul 2020 09:56:58 +0000 (10:56 +0100)
committerDaniel Golle <daniel@makrotopia.org>
Fri, 10 Jul 2020 17:31:52 +0000 (18:31 +0100)
commitea7a790f210c6540d01e029cd6e93cea145ccf8b
tree04aaece2c053c798b0975b0bbe1709a50c6ec018tree | snapshot
parentb9b39e2061d7035a9d84eecbb4a4613deaf6d03fcommit | diff
jail: add support for running OCI bundle

Prepare ujail for running OCI bundled Linux containers.
This adds handling of most of the JSON schema defined by the
Open Container Initiative Runtime Specification.

What is supported by this commits:
 * basic OCI process definition
 * seccomp filters (no args yet)
 * capabilities (100%)
 * namespaces (100%)
 * uid/gid mappings for userns (100%)
 * mounts (no free form mounts yet)
 * env (100%, limited to a low number entries)
 * hostname (100%)
 * terminal (no consoleSize yet)

What is still missing:
 * complex mounts
 * maskedPaths, readonlyPaths
 * referencing existing namespaces
 * all hooks
 * rlimits
 * oomScoreAdj
 * additionalGids
 * cgroups
 * devices
 * sysctl
 * rootfsPropagation
 * personality and bi-arch (ie. 32-bit container on 64-bit host)

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
CMakeLists.txt diff | blob | history
jail/capabilities.c diff | blob | history
jail/capabilities.h diff | blob | history
jail/jail.c diff | blob | history
jail/seccomp-bpf.h diff | blob | history
jail/seccomp-oci.c [new file with mode: 0644] blob
jail/seccomp-oci.h [new file with mode: 0644] blob
jail/seccomp-syscalls-helpers.h [new file with mode: 0644] blob
jail/seccomp.c diff | blob | history
service/instance.c diff | blob | history
service/instance.h diff | blob | history
OpenWrt service / process manager