Skip to content
OCI Testing Toolset
Branch: master
Clone or download
Pull request Compare This branch is 1155 commits behind opencontainers:master.
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.


ocitools is a collection of tools for working with the OCI specification.

Generating OCI spec configuration files

# ocitools generate --help
   generate - generate a OCI spec file

   command generate [command options] [arguments...]

   --rootfs                                             path to the rootfs
   --read-only                                          make the container's rootfs read-only
   --privileged                                         enabled privileged container settings
   --hostname "acme"                                    hostname value for the container
   --uid "0"                                            uid for the process
   --gid "0"                                            gid for the process
   --groups [--groups option --groups option]           supplementary groups for the process
   --cap-add [--cap-add option --cap-add option]        add capabilities
   --cap-drop [--cap-drop option --cap-drop option]     drop capabilities
   --network                                            network namespace
   --mount                                              mount namespace
   --pid                                                pid namespace
   --ipc                                                ipc namespace
   --uts                                                uts namespace
   --selinux-label                                      process selinux label
   --tmpfs [--tmpfs option --tmpfs option]              mount tmpfs
   --args                                               command to run in the container
   --env [--env option --env option]                    add environment variable
   --mount-cgroups "ro"                                 mount cgroups (rw,ro,no)
   --bind [--bind option --bind option]                 bind mount directories src:dest:(rw,ro)
   --prestart [--prestart option --prestart option]     path to prestart hooks
   --poststop [--poststop option --poststop option]     path to poststop hooks
   --root-propagation                                   mount propagation for root
   --os "linux"                                         operating system the container is created for
   --arch "amd64"                                       architecture the container is created for
   --cwd "/"                                            current working directory for the process
   --uidmappings [--uidmappings option ]                add UIDMappings  e.g HostID:ContainerID:Size
   --gidmappings [--gidmappings option ]                add GIDMappings  e.g HostID:ContainerID:Size
   --apparmor                                           specify the the apparmor profile for the container
   --seccomp-default                                    specify the the defaultaction of Seccomp syscall restrictions
   --seccomp-arch [--seccomp-arch option ]              specify Additional architectures permitted to be used 
                                                         for system calls
   --seccomp-syscalls [--seccomp-syscalls option]       specify syscalls used in Seccomp
                                                        e.g Name:Action:Arg1_index/Arg1_value/Arg1_valuetwo/Arg1_op, 

Testing OCI runtimes

$ make
$ sudo make install
$ sudo ./ -r runc
validating container process
validating capabilities
validating hostname
validating rlimits
validating sysctls
Runtime runc passed validation

Building rootfs.tar.gz

The root filesystem tarball is based on Gentoo's amd64 stage3 (which we check for a valid GnuPG signature), copying a minimal subset to the root filesytem, and adding symlinks for all BusyBox commands. To rebuild the tarball based on a newer stage3, just run:

$ touch
$ make rootfs.tar.gz

Getting Gentoo's Release Engineering public key

If make rootfs.tar.gz gives an error like:

gpg --verify downloads/stage3-amd64-current.tar.bz2.DIGESTS.asc
gpg: Signature made Thu 14 Jan 2016 09:00:11 PM EST using RSA key ID 2D182910
gpg: Can't check signature: public key not found

you will need to add the missing public key to your keystore. One way to do that is by asking a keyserver:

$ gpg --keyserver --recv-keys 2D182910
You can’t perform that action at this time.