open-nomad/vendor/github.com/opencontainers/runc/libcontainer/configs/config.go

package configs

import (
	"bytes"
	"encoding/json"
	"fmt"
	"os/exec"
	"time"

	"github.com/Sirupsen/logrus"
)

type Rlimit struct {
	Type int    `json:"type"`
	Hard uint64 `json:"hard"`
	Soft uint64 `json:"soft"`
}

// IDMap represents UID/GID Mappings for User Namespaces.
type IDMap struct {
	ContainerID int `json:"container_id"`
	HostID      int `json:"host_id"`
	Size        int `json:"size"`
}

// Seccomp represents syscall restrictions
// By default, only the native architecture of the kernel is allowed to be used
// for syscalls. Additional architectures can be added by specifying them in
// Architectures.
type Seccomp struct {
	DefaultAction Action     `json:"default_action"`
	Architectures []string   `json:"architectures"`
	Syscalls      []*Syscall `json:"syscalls"`
}

// An action to be taken upon rule match in Seccomp
type Action int

const (
	Kill Action = iota + 1
	Errno
	Trap
	Allow
	Trace
)

// A comparison operator to be used when matching syscall arguments in Seccomp
type Operator int

const (
	EqualTo Operator = iota + 1
	NotEqualTo
	GreaterThan
	GreaterThanOrEqualTo
	LessThan
	LessThanOrEqualTo
	MaskEqualTo
)

// A rule to match a specific syscall argument in Seccomp
type Arg struct {
	Index    uint     `json:"index"`
	Value    uint64   `json:"value"`
	ValueTwo uint64   `json:"value_two"`
	Op       Operator `json:"op"`
}

// An rule to match a syscall in Seccomp
type Syscall struct {
	Name   string `json:"name"`
	Action Action `json:"action"`
	Args   []*Arg `json:"args"`
}

// TODO Windows. Many of these fields should be factored out into those parts
// which are common across platforms, and those which are platform specific.

// Config defines configuration options for executing a process inside a contained environment.
type Config struct {
	// NoPivotRoot will use MS_MOVE and a chroot to jail the process into the container's rootfs
	// This is a common option when the container is running in ramdisk
	NoPivotRoot bool `json:"no_pivot_root"`

	// ParentDeathSignal specifies the signal that is sent to the container's process in the case
	// that the parent process dies.
	ParentDeathSignal int `json:"parent_death_signal"`

	// PivotDir allows a custom directory inside the container's root filesystem to be used as pivot, when NoPivotRoot is not set.
	// When a custom PivotDir not set, a temporary dir inside the root filesystem will be used. The pivot dir needs to be writeable.
	// This is required when using read only root filesystems. In these cases, a read/writeable path can be (bind) mounted somewhere inside the root filesystem to act as pivot.
	PivotDir string `json:"pivot_dir"`

	// Path to a directory containing the container's root filesystem.
	Rootfs string `json:"rootfs"`

	// Readonlyfs will remount the container's rootfs as readonly where only externally mounted
	// bind mounts are writtable.
	Readonlyfs bool `json:"readonlyfs"`

	// Specifies the mount propagation flags to be applied to /.
	RootPropagation int `json:"rootPropagation"`

	// Mounts specify additional source and destination paths that will be mounted inside the container's
	// rootfs and mount namespace if specified
	Mounts []*Mount `json:"mounts"`

	// The device nodes that should be automatically created within the container upon container start.  Note, make sure that the node is marked as allowed in the cgroup as well!
	Devices []*Device `json:"devices"`

	MountLabel string `json:"mount_label"`

	// Hostname optionally sets the container's hostname if provided
	Hostname string `json:"hostname"`

	// Namespaces specifies the container's namespaces that it should setup when cloning the init process
	// If a namespace is not provided that namespace is shared from the container's parent process
	Namespaces Namespaces `json:"namespaces"`

	// Capabilities specify the capabilities to keep when executing the process inside the container
	// All capbilities not specified will be dropped from the processes capability mask
	Capabilities []string `json:"capabilities"`

	// Networks specifies the container's network setup to be created
	Networks []*Network `json:"networks"`

	// Routes can be specified to create entries in the route table as the container is started
	Routes []*Route `json:"routes"`

	// Cgroups specifies specific cgroup settings for the various subsystems that the container is
	// placed into to limit the resources the container has available
	Cgroups *Cgroup `json:"cgroups"`

	// AppArmorProfile specifies the profile to apply to the process running in the container and is
	// change at the time the process is execed
	AppArmorProfile string `json:"apparmor_profile,omitempty"`

	// ProcessLabel specifies the label to apply to the process running in the container.  It is
	// commonly used by selinux
	ProcessLabel string `json:"process_label,omitempty"`

	// Rlimits specifies the resource limits, such as max open files, to set in the container
	// If Rlimits are not set, the container will inherit rlimits from the parent process
	Rlimits []Rlimit `json:"rlimits,omitempty"`

	// OomScoreAdj specifies the adjustment to be made by the kernel when calculating oom scores
	// for a process. Valid values are between the range [-1000, '1000'], where processes with
	// higher scores are preferred for being killed.
	// More information about kernel oom score calculation here: https://lwn.net/Articles/317814/
	OomScoreAdj int `json:"oom_score_adj"`

	// AdditionalGroups specifies the gids that should be added to supplementary groups
	// in addition to those that the user belongs to.
	AdditionalGroups []string `json:"additional_groups"`

	// UidMappings is an array of User ID mappings for User Namespaces
	UidMappings []IDMap `json:"uid_mappings"`

	// GidMappings is an array of Group ID mappings for User Namespaces
	GidMappings []IDMap `json:"gid_mappings"`

	// MaskPaths specifies paths within the container's rootfs to mask over with a bind
	// mount pointing to /dev/null as to prevent reads of the file.
	MaskPaths []string `json:"mask_paths"`

	// ReadonlyPaths specifies paths within the container's rootfs to remount as read-only
	// so that these files prevent any writes.
	ReadonlyPaths []string `json:"readonly_paths"`

	// Sysctl is a map of properties and their values. It is the equivalent of using
	// sysctl -w my.property.name value in Linux.
	Sysctl map[string]string `json:"sysctl"`

	// Seccomp allows actions to be taken whenever a syscall is made within the container.
	// A number of rules are given, each having an action to be taken if a syscall matches it.
	// A default action to be taken if no rules match is also given.
	Seccomp *Seccomp `json:"seccomp"`

	// NoNewPrivileges controls whether processes in the container can gain additional privileges.
	NoNewPrivileges bool `json:"no_new_privileges,omitempty"`

	// Hooks are a collection of actions to perform at various container lifecycle events.
	// CommandHooks are serialized to JSON, but other hooks are not.
	Hooks *Hooks

	// Version is the version of opencontainer specification that is supported.
	Version string `json:"version"`

	// Labels are user defined metadata that is stored in the config and populated on the state
	Labels []string `json:"labels"`
}

type Hooks struct {
	// Prestart commands are executed after the container namespaces are created,
	// but before the user supplied command is executed from init.
	Prestart []Hook

	// Poststart commands are executed after the container init process starts.
	Poststart []Hook

	// Poststop commands are executed after the container init process exits.
	Poststop []Hook
}

func (hooks *Hooks) UnmarshalJSON(b []byte) error {
	var state struct {
		Prestart  []CommandHook
		Poststart []CommandHook
		Poststop  []CommandHook
	}

	if err := json.Unmarshal(b, &state); err != nil {
		return err
	}

	deserialize := func(shooks []CommandHook) (hooks []Hook) {
		for _, shook := range shooks {
			hooks = append(hooks, shook)
		}

		return hooks
	}

	hooks.Prestart = deserialize(state.Prestart)
	hooks.Poststart = deserialize(state.Poststart)
	hooks.Poststop = deserialize(state.Poststop)
	return nil
}

func (hooks Hooks) MarshalJSON() ([]byte, error) {
	serialize := func(hooks []Hook) (serializableHooks []CommandHook) {
		for _, hook := range hooks {
			switch chook := hook.(type) {
			case CommandHook:
				serializableHooks = append(serializableHooks, chook)
			default:
				logrus.Warnf("cannot serialize hook of type %T, skipping", hook)
			}
		}

		return serializableHooks
	}

	return json.Marshal(map[string]interface{}{
		"prestart":  serialize(hooks.Prestart),
		"poststart": serialize(hooks.Poststart),
		"poststop":  serialize(hooks.Poststop),
	})
}

// HookState is the payload provided to a hook on execution.
type HookState struct {
	Version string `json:"version"`
	ID      string `json:"id"`
	Pid     int    `json:"pid"`
	Root    string `json:"root"`
}

type Hook interface {
	// Run executes the hook with the provided state.
	Run(HookState) error
}

// NewFunctionHooks will call the provided function when the hook is run.
func NewFunctionHook(f func(HookState) error) FuncHook {
	return FuncHook{
		run: f,
	}
}

type FuncHook struct {
	run func(HookState) error
}

func (f FuncHook) Run(s HookState) error {
	return f.run(s)
}

type Command struct {
	Path    string         `json:"path"`
	Args    []string       `json:"args"`
	Env     []string       `json:"env"`
	Dir     string         `json:"dir"`
	Timeout *time.Duration `json:"timeout"`
}

// NewCommandHooks will execute the provided command when the hook is run.
func NewCommandHook(cmd Command) CommandHook {
	return CommandHook{
		Command: cmd,
	}
}

type CommandHook struct {
	Command
}

func (c Command) Run(s HookState) error {
	b, err := json.Marshal(s)
	if err != nil {
		return err
	}
	cmd := exec.Cmd{
		Path:  c.Path,
		Args:  c.Args,
		Env:   c.Env,
		Stdin: bytes.NewReader(b),
	}
	errC := make(chan error, 1)
	go func() {
		errC <- cmd.Run()
	}()
	if c.Timeout != nil {
		select {
		case err := <-errC:
			return err
		case <-time.After(*c.Timeout):
			cmd.Process.Kill()
			cmd.Wait()
			return fmt.Errorf("hook ran past specified timeout of %.1fs", c.Timeout.Seconds())
		}
	}
	return <-errC
}
Using godeps to build 2016-02-12 18:02:16 +00:00			`package configs`

			`import (`
			`"bytes"`
			`"encoding/json"`
Updated libcontainer 2016-04-02 03:18:22 +00:00			`"fmt"`
Using godeps to build 2016-02-12 18:02:16 +00:00			`"os/exec"`
Updated libcontainer 2016-04-02 03:18:22 +00:00			`"time"`

			`"github.com/Sirupsen/logrus"`
Using godeps to build 2016-02-12 18:02:16 +00:00			`)`

			`type Rlimit struct {`
			Type int `json:"type"`
			Hard uint64 `json:"hard"`
			Soft uint64 `json:"soft"`
			`}`

			`// IDMap represents UID/GID Mappings for User Namespaces.`
			`type IDMap struct {`
			ContainerID int `json:"container_id"`
			HostID int `json:"host_id"`
			Size int `json:"size"`
			`}`

			`// Seccomp represents syscall restrictions`
			`// By default, only the native architecture of the kernel is allowed to be used`
			`// for syscalls. Additional architectures can be added by specifying them in`
			`// Architectures.`
			`type Seccomp struct {`
			DefaultAction Action `json:"default_action"`
			Architectures []string `json:"architectures"`
			Syscalls []*Syscall `json:"syscalls"`
			`}`

			`// An action to be taken upon rule match in Seccomp`
			`type Action int`

			`const (`
			`Kill Action = iota + 1`
			`Errno`
			`Trap`
			`Allow`
			`Trace`
			`)`

			`// A comparison operator to be used when matching syscall arguments in Seccomp`
			`type Operator int`

			`const (`
			`EqualTo Operator = iota + 1`
			`NotEqualTo`
			`GreaterThan`
			`GreaterThanOrEqualTo`
			`LessThan`
			`LessThanOrEqualTo`
			`MaskEqualTo`
			`)`

			`// A rule to match a specific syscall argument in Seccomp`
			`type Arg struct {`
			Index uint `json:"index"`
			Value uint64 `json:"value"`
			ValueTwo uint64 `json:"value_two"`
			Op Operator `json:"op"`
			`}`

			`// An rule to match a syscall in Seccomp`
			`type Syscall struct {`
			Name string `json:"name"`
			Action Action `json:"action"`
			Args []*Arg `json:"args"`
			`}`

			`// TODO Windows. Many of these fields should be factored out into those parts`
			`// which are common across platforms, and those which are platform specific.`

			`// Config defines configuration options for executing a process inside a contained environment.`
			`type Config struct {`
			`// NoPivotRoot will use MS_MOVE and a chroot to jail the process into the container's rootfs`
			`// This is a common option when the container is running in ramdisk`
			NoPivotRoot bool `json:"no_pivot_root"`

			`// ParentDeathSignal specifies the signal that is sent to the container's process in the case`
			`// that the parent process dies.`
			ParentDeathSignal int `json:"parent_death_signal"`

			`// PivotDir allows a custom directory inside the container's root filesystem to be used as pivot, when NoPivotRoot is not set.`
			`// When a custom PivotDir not set, a temporary dir inside the root filesystem will be used. The pivot dir needs to be writeable.`
			`// This is required when using read only root filesystems. In these cases, a read/writeable path can be (bind) mounted somewhere inside the root filesystem to act as pivot.`
			PivotDir string `json:"pivot_dir"`

			`// Path to a directory containing the container's root filesystem.`
			Rootfs string `json:"rootfs"`

			`// Readonlyfs will remount the container's rootfs as readonly where only externally mounted`
			`// bind mounts are writtable.`
			Readonlyfs bool `json:"readonlyfs"`

			`// Specifies the mount propagation flags to be applied to /.`
			RootPropagation int `json:"rootPropagation"`

			`// Mounts specify additional source and destination paths that will be mounted inside the container's`
			`// rootfs and mount namespace if specified`
			Mounts []*Mount `json:"mounts"`

			`// The device nodes that should be automatically created within the container upon container start. Note, make sure that the node is marked as allowed in the cgroup as well!`
			Devices []*Device `json:"devices"`

			MountLabel string `json:"mount_label"`

			`// Hostname optionally sets the container's hostname if provided`
			Hostname string `json:"hostname"`

			`// Namespaces specifies the container's namespaces that it should setup when cloning the init process`
			`// If a namespace is not provided that namespace is shared from the container's parent process`
			Namespaces Namespaces `json:"namespaces"`

			`// Capabilities specify the capabilities to keep when executing the process inside the container`
			`// All capbilities not specified will be dropped from the processes capability mask`
			Capabilities []string `json:"capabilities"`

			`// Networks specifies the container's network setup to be created`
			Networks []*Network `json:"networks"`

			`// Routes can be specified to create entries in the route table as the container is started`
			Routes []*Route `json:"routes"`

			`// Cgroups specifies specific cgroup settings for the various subsystems that the container is`
			`// placed into to limit the resources the container has available`
			Cgroups *Cgroup `json:"cgroups"`

			`// AppArmorProfile specifies the profile to apply to the process running in the container and is`
			`// change at the time the process is execed`
Updated libcontainer 2016-04-02 03:18:22 +00:00			AppArmorProfile string `json:"apparmor_profile,omitempty"`
Using godeps to build 2016-02-12 18:02:16 +00:00
			`// ProcessLabel specifies the label to apply to the process running in the container. It is`
			`// commonly used by selinux`
Updated libcontainer 2016-04-02 03:18:22 +00:00			ProcessLabel string `json:"process_label,omitempty"`
Using godeps to build 2016-02-12 18:02:16 +00:00
			`// Rlimits specifies the resource limits, such as max open files, to set in the container`
			`// If Rlimits are not set, the container will inherit rlimits from the parent process`
Updated libcontainer 2016-04-02 03:18:22 +00:00			Rlimits []Rlimit `json:"rlimits,omitempty"`
Using godeps to build 2016-02-12 18:02:16 +00:00
			`// OomScoreAdj specifies the adjustment to be made by the kernel when calculating oom scores`
			`// for a process. Valid values are between the range [-1000, '1000'], where processes with`
			`// higher scores are preferred for being killed.`
			`// More information about kernel oom score calculation here: https://lwn.net/Articles/317814/`
			OomScoreAdj int `json:"oom_score_adj"`

			`// AdditionalGroups specifies the gids that should be added to supplementary groups`
			`// in addition to those that the user belongs to.`
			AdditionalGroups []string `json:"additional_groups"`

			`// UidMappings is an array of User ID mappings for User Namespaces`
			UidMappings []IDMap `json:"uid_mappings"`

			`// GidMappings is an array of Group ID mappings for User Namespaces`
			GidMappings []IDMap `json:"gid_mappings"`

			`// MaskPaths specifies paths within the container's rootfs to mask over with a bind`
			`// mount pointing to /dev/null as to prevent reads of the file.`
			MaskPaths []string `json:"mask_paths"`

			`// ReadonlyPaths specifies paths within the container's rootfs to remount as read-only`
			`// so that these files prevent any writes.`
			ReadonlyPaths []string `json:"readonly_paths"`

			`// Sysctl is a map of properties and their values. It is the equivalent of using`
			`// sysctl -w my.property.name value in Linux.`
			Sysctl map[string]string `json:"sysctl"`

			`// Seccomp allows actions to be taken whenever a syscall is made within the container.`
			`// A number of rules are given, each having an action to be taken if a syscall matches it.`
			`// A default action to be taken if no rules match is also given.`
			Seccomp *Seccomp `json:"seccomp"`

Updated libcontainer 2016-02-27 01:11:00 +00:00			`// NoNewPrivileges controls whether processes in the container can gain additional privileges.`
Updated libcontainer 2016-04-02 03:18:22 +00:00			NoNewPrivileges bool `json:"no_new_privileges,omitempty"`
Updated libcontainer 2016-02-27 01:11:00 +00:00
Using godeps to build 2016-02-12 18:02:16 +00:00			`// Hooks are a collection of actions to perform at various container lifecycle events.`
Updated libcontainer 2016-04-02 03:18:22 +00:00			`// CommandHooks are serialized to JSON, but other hooks are not.`
			`Hooks *Hooks`
Using godeps to build 2016-02-12 18:02:16 +00:00
			`// Version is the version of opencontainer specification that is supported.`
			Version string `json:"version"`
Updated libcontainer 2016-04-02 03:18:22 +00:00
			`// Labels are user defined metadata that is stored in the config and populated on the state`
			Labels []string `json:"labels"`
Using godeps to build 2016-02-12 18:02:16 +00:00			`}`

			`type Hooks struct {`
			`// Prestart commands are executed after the container namespaces are created,`
			`// but before the user supplied command is executed from init.`
			`Prestart []Hook`

			`// Poststart commands are executed after the container init process starts.`
			`Poststart []Hook`

			`// Poststop commands are executed after the container init process exits.`
			`Poststop []Hook`
			`}`

Updated libcontainer 2016-04-02 03:18:22 +00:00			`func (hooks *Hooks) UnmarshalJSON(b []byte) error {`
			`var state struct {`
			`Prestart []CommandHook`
			`Poststart []CommandHook`
			`Poststop []CommandHook`
			`}`

			`if err := json.Unmarshal(b, &state); err != nil {`
			`return err`
			`}`

			`deserialize := func(shooks []CommandHook) (hooks []Hook) {`
			`for _, shook := range shooks {`
			`hooks = append(hooks, shook)`
			`}`

			`return hooks`
			`}`

			`hooks.Prestart = deserialize(state.Prestart)`
			`hooks.Poststart = deserialize(state.Poststart)`
			`hooks.Poststop = deserialize(state.Poststop)`
			`return nil`
			`}`

			`func (hooks Hooks) MarshalJSON() ([]byte, error) {`
			`serialize := func(hooks []Hook) (serializableHooks []CommandHook) {`
			`for _, hook := range hooks {`
			`switch chook := hook.(type) {`
			`case CommandHook:`
			`serializableHooks = append(serializableHooks, chook)`
			`default:`
			`logrus.Warnf("cannot serialize hook of type %T, skipping", hook)`
			`}`
			`}`

			`return serializableHooks`
			`}`

			`return json.Marshal(map[string]interface{}{`
			`"prestart": serialize(hooks.Prestart),`
			`"poststart": serialize(hooks.Poststart),`
			`"poststop": serialize(hooks.Poststop),`
			`})`
			`}`

Using godeps to build 2016-02-12 18:02:16 +00:00			`// HookState is the payload provided to a hook on execution.`
			`type HookState struct {`
			Version string `json:"version"`
			ID string `json:"id"`
			Pid int `json:"pid"`
			Root string `json:"root"`
			`}`

			`type Hook interface {`
			`// Run executes the hook with the provided state.`
			`Run(HookState) error`
			`}`

			`// NewFunctionHooks will call the provided function when the hook is run.`
			`func NewFunctionHook(f func(HookState) error) FuncHook {`
			`return FuncHook{`
			`run: f,`
			`}`
			`}`

			`type FuncHook struct {`
			`run func(HookState) error`
			`}`

			`func (f FuncHook) Run(s HookState) error {`
			`return f.run(s)`
			`}`

			`type Command struct {`
Updated libcontainer 2016-04-02 03:18:22 +00:00			Path string `json:"path"`
			Args []string `json:"args"`
			Env []string `json:"env"`
			Dir string `json:"dir"`
			Timeout *time.Duration `json:"timeout"`
Using godeps to build 2016-02-12 18:02:16 +00:00			`}`

			`// NewCommandHooks will execute the provided command when the hook is run.`
			`func NewCommandHook(cmd Command) CommandHook {`
			`return CommandHook{`
			`Command: cmd,`
			`}`
			`}`

			`type CommandHook struct {`
			`Command`
			`}`

			`func (c Command) Run(s HookState) error {`
			`b, err := json.Marshal(s)`
			`if err != nil {`
			`return err`
			`}`
			`cmd := exec.Cmd{`
			`Path: c.Path,`
			`Args: c.Args,`
			`Env: c.Env,`
			`Stdin: bytes.NewReader(b),`
			`}`
Updated libcontainer 2016-04-02 03:18:22 +00:00			`errC := make(chan error, 1)`
			`go func() {`
			`errC <- cmd.Run()`
			`}()`
			`if c.Timeout != nil {`
			`select {`
			`case err := <-errC:`
			`return err`
			`case <-time.After(*c.Timeout):`
			`cmd.Process.Kill()`
			`cmd.Wait()`
			`return fmt.Errorf("hook ran past specified timeout of %.1fs", c.Timeout.Seconds())`
			`}`
			`}`
			`return <-errC`
Using godeps to build 2016-02-12 18:02:16 +00:00			`}`