package runrunc
import (
"code.cloudfoundry.org/guardian/rundmc/goci"
specs "github.com/opencontainers/runtime-spec/specs-go"
)
// ProcBuilder turns a garden ProcessSpec plus the container bundle into the
// runc process specification handed to the runtime (see BuildProcess).
type ProcBuilder struct {
	// envDeterminer supplies the process environment for a bundle/spec pair.
	envDeterminer EnvDeterminer
	// nonRootMaxCaps is the ceiling on capabilities granted to a process
	// whose container UID is not 0: capabilities() intersects the bundle's
	// capability list with it (see capabilities).
	nonRootMaxCaps []string
}
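// NewProcessBuilder returns a ProcBuilder that derives process environments
// from envDeterminer and limits non-root processes to nonRootMaxCaps.
//
// nonRootMaxCaps is copied so that the capability ceiling later enforced by
// capabilities() cannot change if the caller keeps mutating its slice after
// construction; a nil argument is stored as nil, an empty one as empty.
func NewProcessBuilder(envDeterminer EnvDeterminer, nonRootMaxCaps []string) *ProcBuilder {
	var maxCaps []string
	if nonRootMaxCaps != nil {
		// Defensive copy: the builder, not the caller, owns the policy list.
		maxCaps = make([]string, len(nonRootMaxCaps))
		copy(maxCaps, nonRootMaxCaps)
	}
	return &ProcBuilder{
		envDeterminer:  envDeterminer,
		nonRootMaxCaps: maxCaps,
	}
}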
// BuildProcess assembles the runc process spec for spec inside bundle bndl.
//
// The returned PreparedSpec also records the host UID/GID that container
// root maps to, looked up in the bundle's Linux UID/GID mappings (0 when no
// mapping for container ID 0 exists — see containerRootHostID). Capabilities
// come from capabilities(), which applies the non-root ceiling, and the
// terminal size from console().
func (p *ProcBuilder) BuildProcess(bndl goci.Bndl, spec ProcessSpec) *PreparedSpec {
	// Resolve the root mappings first, matching the original evaluation order.
	rootHostUID := containerRootHostID(bndl.Spec.Linux.UIDMappings)
	rootHostGID := containerRootHostID(bndl.Spec.Linux.GIDMappings)

	// NOTE(review): the int -> uint32 conversions wrap for negative values;
	// presumably ContainerUID/ContainerGID are validated upstream — confirm.
	user := specs.User{
		UID:            uint32(spec.ContainerUID),
		GID:            uint32(spec.ContainerGID),
		AdditionalGids: []uint32{},
		Username:       spec.User,
	}

	argv := append([]string{spec.Path}, spec.Args...)
	proc := specs.Process{
		Args:            argv,
		ConsoleSize:     console(spec),
		Env:             p.envDeterminer.EnvFor(bndl, spec),
		User:            user,
		Cwd:             spec.Dir,
		Capabilities:    p.capabilities(bndl, spec.ContainerUID),
		Rlimits:         toRlimits(spec.Limits),
		Terminal:        spec.TTY != nil,
		ApparmorProfile: bndl.Process().ApparmorProfile,
	}

	return &PreparedSpec{
		ContainerRootHostUID: rootHostUID,
		ContainerRootHostGID: rootHostGID,
		Process:              proc,
	}
}
// capabilities builds the LinuxCapabilities for a process in bndl.
//
// The bundle's capability list is used as-is for container root; for any
// other container UID it is first intersected with p.nonRootMaxCaps, which
// is the only place the non-root ceiling is enforced. The same list is
// written to Bounding, Inheritable and Permitted; Effective and Ambient are
// left unset. A nil result means no capability block is emitted at all.
func (p *ProcBuilder) capabilities(bndl goci.Bndl, containerUID int) *specs.LinuxCapabilities {
	caps := bndl.Capabilities()
	if containerUID != 0 {
		caps = intersect(caps, p.nonRootMaxCaps)
	}
	// TODO centralize knowledge of garden -> runc capability schema translation
	if len(caps) == 0 {
		return nil
	}
	return &specs.LinuxCapabilities{
		Bounding:    caps,
		Inheritable: caps,
		Permitted:   caps,
	}
}
// console returns the terminal size to request for the process. Unless the
// spec carries a TTY with an explicit window size, an 80x24 box is used.
func console(spec ProcessSpec) *specs.Box {
	const defaultCols, defaultRows = 80, 24

	box := &specs.Box{Width: defaultCols, Height: defaultRows}
	tty := spec.TTY
	if tty == nil || tty.WindowSize == nil {
		return box
	}
	box.Width = uint(tty.WindowSize.Columns)
	box.Height = uint(tty.WindowSize.Rows)
	return box
}
// containerRootHostID returns the host ID that container ID 0 (root inside
// the container) is mapped to by mappings.
//
// When no entry with ContainerID == 0 exists it returns 0, i.e. the same
// value as an identity mapping to host root; callers that depend on the
// container running in a user namespace should verify the bundle actually
// carries such a mapping rather than trusting this fallback.
func containerRootHostID(mappings []specs.LinuxIDMapping) uint32 {
	for i := range mappings {
		if mappings[i].ContainerID != 0 {
			continue
		}
		return mappings[i].HostID
	}
	return 0
}