{
"ociVersion": "1.0.0",
"hostname" : "foo",
"root": {
"path": "rootfs",
"readonly": true
},
"process": {
"terminal": false,
"consoleSize": {
"height":6667,
"width":6668
},
"user": {
"uid": 14,
"gid": 14,
"additionalGids": [59, 81]
},
"args": [
"/tmp/verify.sh"
],
"env": [
"FOO=BAR",
"WITHSPACES=FOO BAR",
"WITHSHELLCHARS=$ASDF \\\"asdf asdf\\\" !",
"WITHCONTROLCHARS=\\123\\125\\010\\020",
"TERM=xterm"
],
"cwd": "/tmp/src",
"noNewPrivileges" : true,
"oomScoreAdj" : 20,
"capabilities" : {
"bounding" : [
"CAP_AUDIT_WRITE",
"CAP_KILL",
"CAP_NET_BIND_SERVICE"
],
"permitted" : [
"CAP_AUDIT_WRITE",
"CAP_KILL",
"CAP_NET_BIND_SERVICE"
],
"inheritable" : [
"CAP_AUDIT_WRITE",
"CAP_KILL",
"CAP_NET_BIND_SERVICE"
],
"effective" : [
"CAP_AUDIT_WRITE",
"CAP_KILL"
],
"ambient" : [
"CAP_NET_BIND_SERVICE"
]
},
"rlimits" : [
{
"type" : "RLIMIT_NOFILE",
"soft" : 1024,
"hard" : 1024
},
{
"type" : "RLIMIT_RTPRIO",
"soft" : 5,
"hard" : 10
}
]
},
"mounts": [
{
"destination": "/tmp/src",
"source": "src",
"options": ["ro"]
},
{
"destination": "/tmp/verify.sh",
"source": "verify.sh",
"options": ["ro"]
},
{
"destination": "/proc",
"type": "proc",
"source": "proc"
},
{
"destination": "/dev",
"type": "tmpfs",
"source": "tmpfs",
"options": [
"mode=777"
]
},
{
"destination": "/dev/pts",
"type": "devpts",
"source": "devpts",
"options": [
"mode=777"
]
},
{
"destination": "/dev/shm",
"type": "tmpfs",
"source": "shm",
"options": [
"mode=777"
]
},
{
"destination": "/dev/mqueue",
"type": "mqueue",
"source": "mqueue",
"options": [
"mode=777"
]
},
{
"destination": "/sys",
"type": "sysfs",
"source": "sysfs",
"options": [
"mode=777"
]
},
{
"destination": "/sys/fs/cgroup",
"type": "cgroup",
"source": "cgroup",
"options": [
"mode=777"
]
}
],
"linux" : {
"namespaces" : [
{
"type" : "mount"
},
{
"type" : "network",
"path" : "$NETNS"
},
{
"type" : "pid"
},
{
"type" : "uts"
}
],
"uidMappings" : [
{
"containerID" : 0,
"hostID" : 1000,
"size" : 100
}
],
"gidMappings" : [
{
"containerID" : 0,
"hostID" : 1000,
"size" : 100
}
],
"devices" : [
{
"type" : "c",
"path" : "/dev/zero",
"major" : 1,
"minor" : 5,
"fileMode" : 444
},
{
"type" : "b",
"path" : "$DEV",
"major" : 4,
"minor" : 2,
"fileMode" : 666,
"uid" : 0,
"gid" : 0
}
],
"resources" : {
"devices" : [
{
"allow" : false,
"access" : "m"
},
{
"allow" : true,
"type" : "b",
"major" : 4,
"minor" : 2,
"access" : "rwm"
}
],
"memory" : {
"limit" : 134217728,
"reservation" : 33554432,
"swap" : 268435456
},
"cpu" : {
"shares" : 1024,
"quota" : 1000000,
"period" : 500000,
"cpus" : "0-7"
},
"blockIO" : {
"weight" : 10,
"weightDevice" : [
{
"major" : 4,
"minor" : 2,
"weight" : 500
}
],
"throttleReadBpsDevice" : [
{
"major" : 4,
"minor" : 2,
"rate" : 500
}
],
"throttleWriteBpsDevice" : [
{
"major" : 4,
"minor" : 2,
"rate" : 500
}
],
"throttleReadIOPSDevice" : [
{
"major" : 4,
"minor" : 2,
"rate" : 500
}
],
"throttleWriteIOPSDevice" : [
{
"major" : 4,
"minor" : 2,
"rate" : 500
}
]
},
"pids" : {
"limit" : 1024
}
},
"sysctl" : {
"kernel.domainname" : "foo.bar",
"vm.swappiness" : "60"
},
"seccomp" : {
"defaultAction" : "SCMP_ACT_ALLOW",
"architectures" : [
"SCMP_ARCH_ARM",
"SCMP_ARCH_X86_64"
],
"syscalls" : [
{
"names" : [
"lchown",
"chmod"
],
"action" : "SCMP_ACT_ERRNO",
"args" : [
{
"index" : 0,
"value" : 1,
"op" : "SCMP_CMP_NE"
},
{
"index" : 1,
"value" : 2,
"valueTwo" : 3,
"op" : "SCMP_CMP_MASKED_EQ"
}
]
}
]
},
"rootfsPropagation" : "shared",
"maskedPaths" : [
"/proc/kcore",
"/root/nonexistent"
],
"readonlyPaths" : [
"/proc/sys",
"/opt/readonly"
]
},
"hooks" : {
"prestart" : [
{
"path" : "/bin/sh",
"args" : [
"-xec",
"echo $PRESTART_FOO >/prestart"
],
"env" : [
"PRESTART_FOO=prestart_bar",
"ALSO_FOO=also_bar"
],
"timeout" : 666
},
{
"path" : "/bin/touch",
"args" : [
"/tmp/also-prestart"
]
}
],
"poststart" : [
{
"path" : "/bin/sh",
"args" : [
"touch",
"/poststart"
]
}
],
"poststop" : [
{
"path" : "/bin/sh",
"args" : [
"touch",
"/poststop"
]
}
]
},
"annotations" : {
"hello.world" : "1",
"foo" : "bar"
}
}