package server
import (
	"errors"
	"strings"

	rspec "github.com/opencontainers/runtime-spec/specs-go"
	"github.com/opencontainers/runtime-tools/generate"
)
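// hasNamespace reports whether config declares a Linux namespace whose type
// equals ns (compared as a plain string, e.g. rspec.NetworkNamespace).
//
// A nil config, or a config without a Linux section, declares no namespaces
// and yields false rather than a nil-pointer panic.
func hasNamespace(config *rspec.Spec, ns string) bool {
	if config == nil || config.Linux == nil {
		return false
	}
	for _, n := range config.Linux.Namespaces {
		if string(n.Type) == ns {
			return true
		}
	}
	return false
}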
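// makeOCIConfigurationRootless strips from the generated OCI spec the
// settings a runtime running without root privileges cannot apply:
//
//   - the Linux resource limits and the cgroups path,
//   - the process OOM score adjustment and AppArmor profile,
//   - every mount option that starts with "gid=" (presumably because the
//     requested GID is not mapped inside the rootless user namespace —
//     confirm against the cri-o history),
//
// and, when the spec does not create its own network namespace, replaces
// the /sys mount with a recursive, read-only, nosuid/noexec/nodev bind of
// the host's /sys.
//
// Clearing ApparmorProfile removes a hardening layer: the resulting
// container relies on the remaining namespace and mount restrictions only.
//
// It returns an error when g, g.Config or its Linux/Process sections are
// nil, since every field mutated here lives in those sections; otherwise
// it always returns nil.
func makeOCIConfigurationRootless(g *generate.Generator) error {
	if g == nil || g.Config == nil || g.Config.Linux == nil || g.Config.Process == nil {
		return errors.New("rootless OCI configuration requires an initialized spec with linux and process sections")
	}

	// Resource limits, OOM score adjustment and AppArmor profile switching
	// need privileges a rootless runtime presumably lacks — confirm.
	g.Config.Linux.Resources = nil
	g.Config.Process.OOMScoreAdj = nil
	g.Config.Process.ApparmorProfile = ""

	for i := range g.Config.Mounts {
		g.Config.Mounts[i].Options = dropGIDOptions(g.Config.Mounts[i].Options)
	}

	// NOTE(review): a fresh sysfs mount is replaced by a read-only bind of
	// the host /sys only when the network namespace is shared with the
	// host; the reason is not stated here — verify before changing it.
	if !hasNamespace(g.Config, rspec.NetworkNamespace) {
		g.RemoveMount("/sys")
		g.AddMount(rspec.Mount{
			Destination: "/sys",
			Type:        "bind",
			Source:      "/sys",
			Options:     []string{"nosuid", "noexec", "nodev", "ro", "rbind"},
		})
	}

	g.SetLinuxCgroupsPath("")
	return nil
}

// dropGIDOptions returns a fresh slice holding every option of opts that
// does not start with "gid=", in their original order. The input slice is
// left untouched; the result is nil when no option survives.
func dropGIDOptions(opts []string) []string {
	var kept []string
	for _, o := range opts {
		if !strings.HasPrefix(o, "gid=") {
			kept = append(kept, o)
		}
	}
	return kept
}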