├── kubernetes-apiserver
│   ├── sources
│   ├── service.template
│   ├── launch.sh
│   ├── Dockerfile
│   └── config.json.template
├── kubernetes-kubelet
│   ├── sources
│   ├── manifest.json
│   ├── tmpfiles.template
│   ├── service.template
│   ├── launch.sh
│   ├── Dockerfile
│   └── config.json.template
├── kubernetes-proxy
│   ├── sources
│   ├── launch.sh
│   ├── service.template
│   ├── Dockerfile
│   └── config.json.template
├── net-snmp
│   ├── tmpfiles.template
│   ├── manifest.json
│   ├── run.sh
│   ├── service.template
│   ├── Dockerfile
│   ├── help.md
│   ├── README.md
│   └── config.json.template
├── kubernetes-controller-manager
│   ├── sources
│   ├── launch.sh
│   ├── service.template
│   ├── Dockerfile
│   └── config.json.template
├── docker-centos
│   ├── tmpfiles.template
│   ├── manifest.json
│   ├── daemon.json
│   ├── service.template
│   ├── Dockerfile
│   ├── init.sh
│   ├── cccp.yml
│   └── config.json.template
├── ovirt-guest-agent-centos
│   ├── tmpfiles.template
│   ├── ovirt-container-shutdown.sh
│   ├── logger_conf
│   ├── run.sh
│   ├── service.template
│   ├── Dockerfile
│   ├── prep.sh
│   └── config.json.template
├── ovirt-guest-agent-fedora
│   ├── tmpfiles.template
│   ├── ovirt-container-shutdown.sh
│   ├── logger_conf
│   ├── run.sh
│   ├── service.template
│   ├── Dockerfile
│   ├── prep.sh
│   └── config.json.template
├── lint
│   ├── README.md
│   └── syscontainers-lint
├── qemu-guest-agent
│   ├── tmpfiles.template
│   ├── qemu-ga.conf
│   ├── service.template
│   ├── Dockerfile
│   └── config.json.template
├── docker-fedora
│   ├── manifest.json
│   ├── tmpfiles.template
│   ├── set_mounts.sh
│   ├── daemon.json
│   ├── shim.sh
│   ├── service.template
│   ├── init.sh
│   ├── Dockerfile
│   ├── README.md
│   └── config.json.template
├── hello-world
│   ├── manifest.json
│   ├── greet.sh
│   ├── run.sh
│   ├── service.template
│   ├── Dockerfile
│   └── config.json.template
├── flannel
│   ├── tmpfiles.template
│   ├── manifest.json
│   ├── service.template
│   ├── flanneld-run.sh
│   ├── Dockerfile
│   ├── README.md
│   └── config.json.template
├── etcd
│   ├── uninstall.sh
│   ├── service.template
│   ├── tmpfiles.template
│   ├── etcd-env.sh
│   ├── install.sh
│   ├── README.md
│   ├── Dockerfile
│   ├── manifest.json
│   └── config.json.template
├── kubernetes-scheduler
│   ├── 
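launch.sh
│   ├── service.template
│   ├── Dockerfile
│   └── config.json.template
├── azure
│   ├── Dockerfile
│   └── exports
│       └── service.template
├── kubeadm
│   ├── service.template
│   ├── launch.sh
│   ├── Dockerfile
│   └── config.json.template
├── open-vm-tools-centos
│   ├── service.template
│   ├── Dockerfile
│   └── README.md
├── test.sh
├── kubernetes-node
│   └── Dockerfile
├── kubernetes-master
│   └── Dockerfile
├── .papr.yml
├── FILES.md
├── USAGE.md
├── README.md
└── LABELS.md

/kubernetes-apiserver/sources:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
/kubernetes-kubelet/sources:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
/kubernetes-proxy/sources:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
/net-snmp/tmpfiles.template:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
/kubernetes-controller-manager/sources:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
/docker-centos/tmpfiles.template:
--------------------------------------------------------------------------------
# tmpfiles.d(5): docker's state directory on the host, default mode and owner.
d /var/lib/docker - - - - -
--------------------------------------------------------------------------------
/net-snmp/manifest.json:
--------------------------------------------------------------------------------
{
  "version": "1.0"
}

--------------------------------------------------------------------------------
/ovirt-guest-agent-centos/tmpfiles.template:
--------------------------------------------------------------------------------
# Log directory for the agent (logger_conf / the agent write here).
d /var/log/ovirt-guest-agent - - - - -
--------------------------------------------------------------------------------
/ovirt-guest-agent-fedora/tmpfiles.template:
--------------------------------------------------------------------------------
# Log directory for the agent (logger_conf / the agent write here).
d /var/log/ovirt-guest-agent - - - - -
--------------------------------------------------------------------------------
/lint/README.md:
--------------------------------------------------------------------------------
# syscontainers-lint

Find common issues in a system container image
--------------------------------------------------------------------------------
/qemu-guest-agent/tmpfiles.template:
--------------------------------------------------------------------------------
# Log and state directories used by qemu-ga.conf (logfile=, statedir=, pidfile=).
d /var/log/qemu-ga - - - - -
d /var/run - - - - -
--------------------------------------------------------------------------------
/docker-centos/manifest.json:
--------------------------------------------------------------------------------
{
  "version": "1.0",
  "defaultValues": {
    "ADDTL_MOUNTS": ""
  }
}

--------------------------------------------------------------------------------
/docker-fedora/manifest.json:
--------------------------------------------------------------------------------
{
  "version": "1.0",
  "defaultValues": {
    "ADDTL_MOUNTS": ""
  }
}

--------------------------------------------------------------------------------
/kubernetes-kubelet/manifest.json:
--------------------------------------------------------------------------------
{
  "version": "1.0",
  "defaultValues": {
    "ADDTL_MOUNTS": ""
  }
}
--------------------------------------------------------------------------------
/ovirt-guest-agent-centos/ovirt-container-shutdown.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Run the host's /sbin/shutdown from inside the container by entering the
# mount namespace of PID 1. NOTE(review): this assumes PID 1 as seen here is
# the host's init, i.e. the container shares the host PID namespace — confirm
# in config.json.template. Arguments are forwarded unchanged (e.g. "-h now");
# "$@" keeps each argument intact instead of re-splitting it on whitespace.

/usr/bin/nsenter --mount=/proc/1/ns/mnt -- /sbin/shutdown "$@"
--------------------------------------------------------------------------------
/ovirt-guest-agent-fedora/ovirt-container-shutdown.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Run the host's /sbin/shutdown from inside the container by entering the
# mount namespace of PID 1. NOTE(review): this assumes PID 1 as seen here is
# the host's init, i.e. the container shares the host PID namespace — confirm
# in config.json.template. Arguments are forwarded unchanged (e.g. "-h now");
# "$@" keeps each argument intact instead of re-splitting it on whitespace.

/usr/bin/nsenter --mount=/proc/1/ns/mnt -- /sbin/shutdown "$@"
--------------------------------------------------------------------------------
/docker-fedora/tmpfiles.template:
--------------------------------------------------------------------------------
# State and runtime directories for dockerd and containerd
# (daemon.json points containerd at /run/containerd.sock).
d /var/lib/docker - - - - -
d /var/run/docker - - - - -
d /var/run/containerd - - - - -
--------------------------------------------------------------------------------
/hello-world/manifest.json:
--------------------------------------------------------------------------------
{
  "version": "1.0",
  "defaultValues": {
    "PORT": "8081",
    "RECEIVER": "World"
  }
}
--------------------------------------------------------------------------------
/kubernetes-kubelet/tmpfiles.template:
--------------------------------------------------------------------------------
# Kubelet state under the installer-provided STATE_DIRECTORY, plus CNI state.
d ${STATE_DIRECTORY}/kubelet - - - - -
d /var/lib/cni - - - - -
# NOTE(review): created with the tmpfiles default mode (0755) — confirm nothing
# sensitive is written directly under this directory.
d /var/run/secrets - - - - -
--------------------------------------------------------------------------------
/hello-world/greet.sh:
--------------------------------------------------------------------------------
#!/bin/sh
#
# Minimal HTTP responder executed by nc --sh-exec (see run.sh) for each
# connection: writes a fixed 200 response whose body greets $RECEIVER.
# (The shebang previously lacked the '!' and was not a valid interpreter line.)

printf "HTTP/1.1 200 OK\r\n"
printf "Connection: Close\r\n"
printf "\r\n"

# RECEIVER is data, not a format string: pass it as an argument so a value
# containing '%' or '\' is printed literally instead of being interpreted.
printf 'Hi %s\r\n' "$RECEIVER"
--------------------------------------------------------------------------------
/docker-fedora/set_mounts.sh:
--------------------------------------------------------------------------------
#!/bin/sh
#
# ExecStartPre of the docker service (see service.template): make /run a
# shared mount, and bind /run/systemd onto itself as a slave mount unless it
# is already its own mount point — presumably so that mounts under /run
# propagate outwards while nothing propagates back into systemd's directory.

mount --make-shared /run
findmnt /run/systemd > /dev/null || mount --bind --make-rslave /run/systemd /run/systemd
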
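--------------------------------------------------------------------------------
/flannel/tmpfiles.template:
--------------------------------------------------------------------------------
# D: like d, but the directory's contents are also cleaned up (tmpfiles.d(5)).
# The docker drop-in is written by flanneld-run.sh and removed ('r') here so a
# stale copy does not outlive this container.
D ${RUN_DIRECTORY}/${NAME} - - - - -
d /etc/systemd/system/docker.service.d - - - - -
r /etc/systemd/system/docker.service.d/$NAME.conf - - - - -
--------------------------------------------------------------------------------
/etcd/uninstall.sh:
--------------------------------------------------------------------------------
#!/bin/sh
#
# Undo install.sh on the host: HOST is the host root to chroot into, NAME the
# etcd instance name. Disables, then deletes, the per-instance unit.

# systemctl disable takes a unit name, not a path — the same name install.sh
# enables. Quoting keeps HOST/NAME with unusual characters as one argument.
chroot "${HOST}" /usr/bin/systemctl disable "etcd_container_${NAME}.service"
chroot "${HOST}" rm -f "/etc/systemd/system/etcd_container_${NAME}.service"
--------------------------------------------------------------------------------
/kubernetes-proxy/launch.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Entry point of the kube-proxy container: read the sysconfig-style files
# /etc/kubernetes/{proxy,config} (exported to the host by the Dockerfile) and
# exec kube-proxy with the flags they define, after any container arguments.

source /etc/kubernetes/proxy
source /etc/kubernetes/config

# ARGS is deliberately expanded unquoted below: each variable may hold several
# flags that must be split into separate arguments.
ARGS="$@ $KUBE_LOGTOSTDERR $KUBE_LOG_LEVEL $KUBE_MASTER $KUBE_PROXY_ARGS"

exec /usr/bin/kube-proxy $ARGS
--------------------------------------------------------------------------------
/hello-world/run.sh:
--------------------------------------------------------------------------------
#!/bin/sh
#
# Serve greet.sh over TCP on $PORT (default 8081) until SIGINT/SIGTERM.
# No listen address is given, so nc binds every interface; -k keeps accepting
# connections and --sh-exec runs greet.sh once per connection.

nc --verbose -k -l ${PORT:-8081} --sh-exec /usr/bin/greet.sh &

cleanup ()
{
    # $! is still nc's pid: nothing else is started in the background.
    kill -9 $!
    exit 0
}

trap cleanup SIGINT SIGTERM

wait $!
--------------------------------------------------------------------------------
/kubernetes-scheduler/launch.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Entry point of the kube-scheduler container: read the sysconfig-style files
# /etc/kubernetes/{scheduler,config} (exported to the host by the Dockerfile)
# and exec kube-scheduler with the flags they define, after any container
# arguments.

source /etc/kubernetes/scheduler
source /etc/kubernetes/config

# ARGS is deliberately expanded unquoted below: each variable may hold several
# flags that must be split into separate arguments.
ARGS="$@ $KUBE_LOGTOSTDERR $KUBE_LOG_LEVEL $KUBE_MASTER $KUBE_SCHEDULER_ARGS"

exec /usr/bin/kube-scheduler $ARGS
--------------------------------------------------------------------------------
/ovirt-guest-agent-centos/logger_conf:
--------------------------------------------------------------------------------
[handlers]
keys=docker,console,syslog,logfile

[logger_root]
level=INFO
handlers=docker
propagate=0

# Only the docker handler (a StreamHandler, i.e. the container's stdout) is
# defined here; the console, syslog and logfile handlers listed above and the
# "long" formatter are not. NOTE(review): presumably they come from the agent's
# own logger.conf that this fragment is merged into (prep.sh?) — confirm, since
# logging.config.fileConfig() fails on a [handlers] key with no section.
[handler_docker]
class: StreamHandler
args: []
formatter: long
--------------------------------------------------------------------------------
/ovirt-guest-agent-fedora/logger_conf:
--------------------------------------------------------------------------------
[handlers]
keys=docker,console,syslog,logfile

[logger_root]
level=INFO
handlers=docker
propagate=0

# Only the docker handler (a StreamHandler, i.e. the container's stdout) is
# defined here; the console, syslog and logfile handlers listed above and the
# "long" formatter are not. NOTE(review): presumably they come from the agent's
# own logger.conf that this fragment is merged into (prep.sh?) — confirm, since
# logging.config.fileConfig() fails on a [handlers] key with no section.
[handler_docker]
class: StreamHandler
args: []
formatter: long
--------------------------------------------------------------------------------
/kubernetes-proxy/service.template:
--------------------------------------------------------------------------------
[Unit]
Description=kubernetes-proxy

[Service]
# $EXEC_START/$EXEC_STOP/$DESTDIR are substituted when the system container
# is installed.
ExecStart=$EXEC_START
ExecStop=$EXEC_STOP
Restart=on-failure
WorkingDirectory=$DESTDIR

[Install]
WantedBy=multi-user.target

--------------------------------------------------------------------------------
/ovirt-guest-agent-centos/run.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Run the oVirt guest agent as the container's foreground job and turn
# SIGINT/SIGTERM into a SIGTERM to it so it can shut down cleanly.

/usr/bin/python /usr/share/ovirt-guest-agent/ovirt-guest-agent.py &

cleanup ()
{
    # $! is the agent's pid: it is the only background job.
    kill -15 $!
    exit 0
}

trap cleanup SIGINT SIGTERM
wait $!
--------------------------------------------------------------------------------
/ovirt-guest-agent-fedora/run.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Run the oVirt guest agent as the container's foreground job and turn
# SIGINT/SIGTERM into a SIGTERM to it so it can shut down cleanly.

/usr/bin/python /usr/share/ovirt-guest-agent/ovirt-guest-agent.py &

cleanup ()
{
    # $! is the agent's pid: it is the only background job.
    kill -15 $!
    exit 0
}

trap cleanup SIGINT SIGTERM
wait $!
--------------------------------------------------------------------------------
/hello-world/service.template:
--------------------------------------------------------------------------------
[Unit]
Description=Hello World System Container

[Service]
# $EXEC_START/$EXEC_STOP/$DESTDIR are substituted when the system container
# is installed.
ExecStart=$EXEC_START
ExecStop=$EXEC_STOP
Restart=on-failure
WorkingDirectory=$DESTDIR

[Install]
WantedBy=multi-user.target

--------------------------------------------------------------------------------
/kubernetes-apiserver/service.template:
--------------------------------------------------------------------------------
[Unit]
Description=kubernetes-apiserver

[Service]
# $EXEC_START/$EXEC_STOP/$DESTDIR are substituted when the system container
# is installed.
ExecStart=$EXEC_START
ExecStop=$EXEC_STOP
Restart=on-failure
WorkingDirectory=$DESTDIR

[Install]
WantedBy=multi-user.target

--------------------------------------------------------------------------------
/kubernetes-scheduler/service.template:
--------------------------------------------------------------------------------
[Unit]
Description=kubernetes-scheduler

[Service]
# $EXEC_START/$EXEC_STOP/$DESTDIR are substituted when the system container
# is installed.
ExecStart=$EXEC_START
ExecStop=$EXEC_STOP
Restart=on-failure
WorkingDirectory=$DESTDIR

[Install]
WantedBy=multi-user.target

--------------------------------------------------------------------------------
/qemu-guest-agent/qemu-ga.conf:
--------------------------------------------------------------------------------
# qemu-ga configuration. The agent stays in the foreground (daemon=false) so
# the container's CMD keeps it as the main process; log/pid/state paths match
# the directories created by tmpfiles.template.

[general]
daemon=false
method=virtio-serial
path=/dev/virtio-ports/org.qemu.guest_agent.0
pidfile=/var/run/qemu-ga.pid
logfile=/var/log/qemu-ga/qemu-ga.log
statedir=/var/run
verbose=false
# An empty blacklist leaves every guest RPC enabled for whoever controls the
# host side of the channel — including guest-exec and the guest-file-*
# commands that some distributions disable by default. Keep it empty only if
# the hypervisor is trusted to that extent.
blacklist=
--------------------------------------------------------------------------------
/qemu-guest-agent/service.template:
--------------------------------------------------------------------------------
[Unit]
Description=QEMU Guest Agent Container

[Service]
# $EXEC_START/$EXEC_STOP/$DESTDIR are substituted when the system container
# is installed.
ExecStart=$EXEC_START
ExecStop=$EXEC_STOP
Restart=on-failure
WorkingDirectory=$DESTDIR

[Install]
WantedBy=multi-user.target

--------------------------------------------------------------------------------
/azure/Dockerfile:
--------------------------------------------------------------------------------
# Azure Linux agent (WALinuxAgent) packaged as a system container.
# NOTE(review): centos:latest is an unpinned, moving base image.
FROM centos:latest
RUN yum -y --setopt=tsflags=nodocs install WALinuxAgent && yum -y clean all
COPY exports/service.template /exports/
LABEL Name="azure" \
      Version="0.1" \
      atomic.type='system' \
      Architecture="x86_64"
--------------------------------------------------------------------------------
/flannel/manifest.json:
--------------------------------------------------------------------------------
{
  "version": "1.0",
  "defaultValues": {
    "FLANNELD_ETCD_PREFIX": "/atomic.io/network",
    "FLANNELD_ETCD_ENDPOINTS": "http://127.0.0.1:2379",
    "AFTER": "etcd.service",
    "REQUIRED_BY": "docker.service"
  }
}

--------------------------------------------------------------------------------
/net-snmp/run.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Run snmptrapd in the background and snmpd in the foreground, each with the
# OPTIONS from its /etc/sysconfig file. The unit is Type=notify (see
# service.template): only snmpd, exec'd as the main process, should report
# readiness, so NOTIFY_SOCKET is hidden from snmptrapd inside the subshell.

(
    OPTIONS="-Lsd"
    . /etc/sysconfig/snmptrapd
    unset NOTIFY_SOCKET
    exec /usr/sbin/snmptrapd $OPTIONS -f
) &

OPTIONS="-LS0-6d"
. /etc/sysconfig/snmpd
exec /usr/sbin/snmpd $OPTIONS -f
--------------------------------------------------------------------------------
/ovirt-guest-agent-centos/service.template:
--------------------------------------------------------------------------------
[Unit]
Description=oVirt Guest Agent Container

[Service]
# $EXEC_START/$EXEC_STOP/$DESTDIR are substituted when the system container
# is installed.
ExecStart=$EXEC_START
ExecStop=$EXEC_STOP
Restart=on-failure
WorkingDirectory=$DESTDIR

[Install]
WantedBy=multi-user.target

--------------------------------------------------------------------------------
/ovirt-guest-agent-fedora/service.template:
--------------------------------------------------------------------------------
[Unit]
Description=oVirt Guest Agent Container

[Service]
# $EXEC_START/$EXEC_STOP/$DESTDIR are substituted when the system container
# is installed.
ExecStart=$EXEC_START
ExecStop=$EXEC_STOP
Restart=on-failure
WorkingDirectory=$DESTDIR

[Install]
WantedBy=multi-user.target

--------------------------------------------------------------------------------
/kubernetes-controller-manager/launch.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Entry point of the kube-controller-manager container: read the sysconfig-
# style files /etc/kubernetes/{controller-manager,config} (exported to the
# host by the Dockerfile) and exec the controller manager with the flags they
# define, after any container arguments.

source /etc/kubernetes/controller-manager
source /etc/kubernetes/config

# ARGS is deliberately expanded unquoted below: each variable may hold several
# flags that must be split into separate arguments.
ARGS="$@ $KUBE_LOGTOSTDERR $KUBE_LOG_LEVEL $KUBE_MASTER $KUBE_CONTROLLER_MANAGER_ARGS"

exec /usr/bin/kube-controller-manager $ARGS
--------------------------------------------------------------------------------
/kubernetes-controller-manager/service.template:
--------------------------------------------------------------------------------
[Unit]
Description=kubernetes-controller-manager

[Service]
# $EXEC_START/$EXEC_STOP/$DESTDIR are substituted when the system container
# is installed.
ExecStart=$EXEC_START
ExecStop=$EXEC_STOP
Restart=on-failure
WorkingDirectory=$DESTDIR

[Install]
WantedBy=multi-user.target

--------------------------------------------------------------------------------
/kubernetes-kubelet/service.template:
--------------------------------------------------------------------------------
[Unit]
Description=kubernetes-kubelet
After=docker.service

[Service]
# $EXEC_START/$EXEC_STOP/$DESTDIR are substituted when the system container
# is installed.
ExecStart=$EXEC_START
ExecStop=$EXEC_STOP
Restart=on-failure
WorkingDirectory=$DESTDIR

[Install]
WantedBy=multi-user.target

--------------------------------------------------------------------------------
/etcd/service.template:
--------------------------------------------------------------------------------
[Unit]
Description=Etcd Server
After=network.target

[Service]
# $EXEC_START/$EXEC_STOP/$DESTDIR are substituted when the system container
# is installed.
ExecStart=$EXEC_START
ExecStop=$EXEC_STOP
Restart=on-failure
WorkingDirectory=$DESTDIR
# Per-instance /run/${NAME}, matching the RUN_DIRECTORY entry in tmpfiles.template.
RuntimeDirectory=${NAME}

[Install]
WantedBy=multi-user.target
--------------------------------------------------------------------------------
/kubeadm/service.template:
--------------------------------------------------------------------------------
[Unit]
# Despite the kubeadm directory name this unit runs the kubelet
# (kubeadm/launch.sh execs /usr/bin/kubelet).
Description=kubernetes-kubelet
After=docker.service

[Service]
ExecStart=$EXEC_START
ExecStop=$EXEC_STOP
# Retry forever, 10s apart: the kubelet is expected to fail until kubeadm has
# written its configuration.
Restart=always
StartLimitInterval=0
RestartSec=10

WorkingDirectory=$DESTDIR

[Install]
WantedBy=multi-user.target

--------------------------------------------------------------------------------
/etcd/tmpfiles.template:
--------------------------------------------------------------------------------
# Data directories private (0700) to the host uid/gid etcd runs as; the Z line
# recursively fixes mode/ownership and relabels an existing data directory.
d ${STATE_DIRECTORY}/etcd 0700 ${HOST_UID} ${HOST_GID} - -
d ${STATE_DIRECTORY}/etcd/${NAME}.etcd 0700 ${HOST_UID} ${HOST_GID} - -
Z ${STATE_DIRECTORY}/etcd/${NAME}.etcd 0700 ${HOST_UID} ${HOST_GID} - -
d ${RUN_DIRECTORY}/${NAME} - - - - -
--------------------------------------------------------------------------------
/docker-centos/daemon.json:
--------------------------------------------------------------------------------
{
  "authorization-plugins": ["rhel-push-plugin"],
  "default-runtime": "oci",
  "containerd": "/run/containerd.sock",
  "exec-opts": ["native.cgroupdriver=systemd"],
  "runtimes": {
    "oci": {
      "path": "/usr/libexec/docker/docker-runc-current"
    }
  }
}
--------------------------------------------------------------------------------
/net-snmp/service.template:
--------------------------------------------------------------------------------
[Unit]
Description=net-snmp
After=syslog.target network.target

[Service]
# Readiness comes from snmpd via sd_notify; NotifyAccess=all lets any process
# in the cgroup send it (run.sh hides NOTIFY_SOCKET from snmptrapd).
Type=notify
NotifyAccess=all
ExecStart=$EXEC_START
ExecStop=$EXEC_STOP
Restart=on-failure
WorkingDirectory=$DESTDIR
RuntimeDirectory=${NAME}

[Install]
WantedBy=multi-user.target
--------------------------------------------------------------------------------
/kubernetes-apiserver/launch.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Entry point of the kube-apiserver container: read the sysconfig-style files
# /etc/kubernetes/{apiserver,config} and exec kube-apiserver with the flags
# they define, after any container arguments.

source /etc/kubernetes/apiserver
source /etc/kubernetes/config

# ARGS is deliberately expanded unquoted below: each variable may hold several
# flags that must be split into separate arguments.
ARGS="$@ $KUBE_LOGTOSTDERR $KUBE_LOG_LEVEL $KUBE_ETCD_SERVERS $KUBE_API_ADDRESS $KUBE_API_PORT $KUBELET_PORT $KUBE_ALLOW_PRIV $KUBE_SERVICE_ADDRESSES $KUBE_ADMISSION_CONTROL $KUBE_API_ARGS"

exec /usr/bin/kube-apiserver $ARGS
--------------------------------------------------------------------------------
/open-vm-tools-centos/service.template:
--------------------------------------------------------------------------------
[Unit]
Description=Service for virtual machines hosted on VMware
Documentation=http://github.com/vmware/open-vm-tools
# Only start when systemd detects a VMware hypervisor.
ConditionVirtualization=vmware

[Service]
ExecStart=$EXEC_START
ExecStop=$EXEC_STOP
WorkingDirectory=$DESTDIR

[Install]
WantedBy=multi-user.target
--------------------------------------------------------------------------------
/docker-fedora/daemon.json:
--------------------------------------------------------------------------------
{
  "default-runtime": "oci",
  "containerd": "/run/containerd.sock",
  "userland-proxy-path": "/usr/libexec/docker/docker-proxy-current",
  "exec-opts": ["native.cgroupdriver=systemd"],
  "runtimes": {
    "oci": {
      "path": "/usr/libexec/docker/docker-runc-current"
    }
  }
}
--------------------------------------------------------------------------------
/hello-world/Dockerfile:
--------------------------------------------------------------------------------
# Example system container: ncat serving greet.sh (see run.sh).
# NOTE(review): "fedora" is an unpinned, moving base image.
FROM fedora
RUN dnf install --setopt=tsflags=nodocs -y nmap-ncat && dnf clean all

COPY run.sh greet.sh /usr/bin/
COPY manifest.json service.template config.json.template /exports/

LABEL Name="gscrivano/hello-world" \
      Version="1" \
      atomic.type='system' \
      Architecture="x86_64" \
      Foo="bar"
--------------------------------------------------------------------------------
/azure/exports/service.template:
--------------------------------------------------------------------------------
[Unit]
Description=WALA Agent
Wants=network-online.target sshd.service sshd-keygen.service
After=network-online.target

[Service]
# Unlike the other units in this repository the command is fixed here rather
# than taken from $EXEC_START.
ExecStart=/usr/bin/python -u /usr/sbin/waagent -daemon
Restart=always
RestartSec=5
WorkingDirectory=${DESTDIR}/rootfs
RuntimeDirectory=${NAME}

[Install]
WantedBy=multi-user.target
--------------------------------------------------------------------------------
/etcd/etcd-env.sh:
--------------------------------------------------------------------------------
#!/bin/sh
#
# Set up etcd's environment, then exec the given command. NAME is the instance
# name (defaults to the hostname); /etc/etcd/etcd.conf, if present, is sourced
# last so it overrides the defaults set here.
#
# The interpreter is /bin/sh, which may not be bash: only POSIX forms are used
# ('.' instead of 'source', '=' instead of '==' in test, quoted operands).
# NOTE(review): HOSTNAME is set by bash but not necessarily by other shells —
# confirm the environment provides it.

if test "x$NAME" = x; then
    NAME=$HOSTNAME
fi
# NOTE(review): ETCD_NAME falls back to HOSTNAME rather than NAME — confirm
# that is intended when NAME is given explicitly.
export ETCD_NAME=${ETCD_NAME:-$HOSTNAME}
export ETCD_DATA_DIR=/var/lib/etcd/${NAME}.etcd

if test -e /etc/etcd/etcd.conf; then
    . /etc/etcd/etcd.conf
fi

# Execute the commands passed to this script
exec "$@"
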
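--------------------------------------------------------------------------------
/test.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# CI entry point (run by .papr.yml): push every config.json*/manifest.json
# through the linter's preprocessor and json_verify, then lint each directory
# that holds a Dockerfile. pipefail makes a failing linter fail the pipeline.
set -euo pipefail

# read -r and quoting keep paths containing spaces or backslashes intact.
find . -name 'config.json*' -o -name 'manifest.json' | while read -r i; do
    echo "Testing file $i"
    MODE=PREPROCESS lint/syscontainers-lint "$(dirname "$i")" "$i" | json_verify -s
done

find . -name Dockerfile -exec dirname \{\} \; | while read -r i; do
    echo "Testing container $(basename "$i")"
    lint/syscontainers-lint "$i"
    echo
done
--------------------------------------------------------------------------------
/kubernetes-kubelet/launch.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Entry point of the kubelet container: read the sysconfig-style files
# /etc/kubernetes/{kubelet,config} and exec the kubelet with the flags they
# define, after any container arguments.

source /etc/kubernetes/kubelet
source /etc/kubernetes/config

# Temporary overrides for running inside a systemd-driven container.
TEMP_KUBELET_ARGS='--cgroup-driver=systemd --cgroups-per-qos=false --enforce-node-allocatable='

# ARGS is deliberately expanded unquoted below: each variable may hold several
# flags that must be split into separate arguments.
ARGS="$@ $TEMP_KUBELET_ARGS $KUBE_LOGTOSTDERR $KUBE_LOG_LEVEL $KUBELET_API_SERVER $KUBELET_ADDRESS $KUBELET_PORT $KUBELET_HOSTNAME $KUBE_ALLOW_PRIV $KUBELET_ARGS"

exec /usr/bin/kubelet $ARGS --containerized
--------------------------------------------------------------------------------
/etcd/install.sh:
--------------------------------------------------------------------------------
#!/bin/sh
#
# Install the per-instance unit on the host: HOST is the host root to chroot
# into, NAME the etcd instance name (uninstall.sh reverses this).

# Install systemd unit file for running container
sed -e "s/TEMPLATE/${NAME}/g" /etc/systemd/system/etcd_container_template.service > "${HOST}/etc/systemd/system/etcd_container_${NAME}.service"

# restore selinux context
chroot "${HOST}" /usr/sbin/restorecon -v "/etc/systemd/system/etcd_container_${NAME}.service"

# Enable systemd unit file
chroot "${HOST}" /usr/bin/systemctl enable "etcd_container_${NAME}.service"
--------------------------------------------------------------------------------
/kubeadm/launch.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Entry point of the kubeadm-managed kubelet container: optionally read the
# kubeadm and CRI-O environment files, then exec the kubelet with the
# KUBELET_*_ARGS they define.

[ -f /etc/kubernetes/kubeadm-env ] && source /etc/kubernetes/kubeadm-env
[ -f /etc/kubernetes/crio-env ] && source /etc/kubernetes/crio-env

# Temporary overrides for running inside a systemd-driven container.
TEMP_KUBELET_ARGS='--cgroups-per-qos=false --enforce-node-allocatable='

# Variables are expanded unquoted on purpose: each may hold several flags.
exec /usr/bin/kubelet $KUBELET_KUBECONFIG_ARGS $KUBELET_SYSTEM_PODS_ARGS $KUBELET_NETWORK_ARGS $KUBELET_DNS_ARGS $KUBELET_AUTHZ_ARGS $KUBELET_CADVISOR_ARGS $KUBELET_CGROUP_ARGS $KUBELET_CERTIFICATE_ARGS $KUBELET_EXTRA_ARGS $TEMP_KUBELET_ARGS --containerized
--------------------------------------------------------------------------------
/kubernetes-node/Dockerfile:
--------------------------------------------------------------------------------
# Shared base for the node-side images (kubernetes-proxy builds FROM it).
# NOTE(review): fedora:rawhide is an unpinned, moving base image.
FROM registry.fedoraproject.org/fedora:rawhide

ENV NAME=kubernetes-node VERSION=0 RELEASE=0 ARCH=x86_64
LABEL bzcomponent="$NAME" \
      name="$FGC/$NAME" \
      version="$VERSION" \
      release="$RELEASE.$DISTTAG" \
      architecture="$ARCH" \
      maintainer="Jason Brooks "

RUN dnf -y --setopt=tsflags=nodocs update && dnf clean all
RUN dnf install -y --setopt=tsflags=nodocs kubernetes-node findutils && dnf clean all
--------------------------------------------------------------------------------
/flannel/service.template:
--------------------------------------------------------------------------------
[Unit]
Description=Flanneld overlay address etcd agent
After=network.target
After=network-online.target
Wants=network-online.target
# $AFTER / $REQUIRED_BY default to etcd.service / docker.service (manifest.json).
After=$AFTER
Before=docker.service

[Service]
# flanneld-run.sh calls systemd-notify once subnet.env exists; NotifyAccess=all
# is needed because it is not the main process that sends the notification.
Type=notify
NotifyAccess=all
ExecStart=$EXEC_START
ExecStop=$EXEC_STOP
# Drop the docker drop-in written by flanneld-run.sh; -f so an already-removed
# file (tmpfiles.template's 'r' line) does not count as a failed stop.
ExecStopPost=/bin/rm -f /etc/systemd/system/docker.service.d/$NAME.conf
Restart=on-failure
WorkingDirectory=$DESTDIR
RuntimeDirectory=${NAME}

[Install]
WantedBy=multi-user.target
RequiredBy=$REQUIRED_BY
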
-------------------------------------------------------------------------------- /docker-fedora/shim.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | CONTAINER_PID=$(/usr/libexec/docker/docker-runc-current state $1 | python -c 'import sys; import json; print(json.loads(sys.stdin.read())["pid"])') 4 | 5 | if test -n "$CONTAINER_PID"; then 6 | WD=$(pwd) 7 | SHIM_PID=$(cat /proc/$CONTAINER_PID/status | grep PPid | awk '{print $2}') 8 | exec nsenter -C -F --wd=$WD -m -u -i -n -p -t $SHIM_PID /usr/libexec/docker/docker-containerd-shim-current $@ 9 | else 10 | exec systemd-run --slice $1 --scope -- /usr/libexec/docker/docker-containerd-shim-current $@ 11 | fi 12 | -------------------------------------------------------------------------------- /kubernetes-master/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM registry.fedoraproject.org/fedora:rawhide 2 | 3 | ENV NAME=kubernetes-master VERSION=0 RELEASE=0 ARCH=x86_64 4 | LABEL bzcomponent="$NAME" \ 5 | name="$FGC/$NAME" \ 6 | version="$VERSION" \ 7 | release="$RELEASE.$DISTTAG" \ 8 | architecture="$ARCH" \ 9 | maintainer="Jason Brooks " 10 | 11 | RUN dnf -y --setopt=tsflags=nodocs update && dnf clean all 12 | RUN groupadd -g 994 kube && useradd -u 996 -g 994 kube 13 | RUN dnf install -y kubernetes-master findutils && dnf clean all 14 | -------------------------------------------------------------------------------- /.papr.yml: -------------------------------------------------------------------------------- 1 | container: 2 | image: registry.fedoraproject.org/fedora:26 3 | 4 | # temp workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1483553 5 | #packages: 6 | # - python 7 | # - findutils 8 | # - git 9 | # - golang-bin 10 | # - yajl 11 | 12 | tests: 13 | # temp workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1483553 14 | - if (dnf distro-sync -y || :) |& grep -q -e BDB1539; then 15 | rpm 
--rebuilddb; dnf distro-sync; 16 | fi; dnf install -y python findutils git golang-bin yajl 17 | - ./test.sh 18 | 19 | branches: 20 | - master 21 | - auto 22 | - try 23 | -------------------------------------------------------------------------------- /docker-centos/service.template: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=Docker service 3 | After=network.target 4 | 5 | [Service] 6 | EnvironmentFile=-/etc/sysconfig/docker-storage 7 | EnvironmentFile=-/etc/sysconfig/docker-network 8 | Environment=GOTRACEBACK=crash 9 | SELinuxContext=system_u:system_r:container_runtime_t:s0 10 | ExecStartPre=/bin/bash -c 'export -p > /run/docker-bash-env' 11 | ExecStart=$EXEC_START 12 | ExecStop=$EXEC_STOP 13 | Restart=on-failure 14 | WorkingDirectory=$DESTDIR 15 | RuntimeDirectory=docker 16 | LimitNOFILE=1048576 17 | LimitNPROC=1048576 18 | LimitCORE=infinity 19 | TimeoutStartSec=0 20 | Type=notify 21 | NotifyAccess=all 22 | 23 | [Install] 24 | WantedBy=multi-user.target 25 | -------------------------------------------------------------------------------- /qemu-guest-agent/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM centos 2 | 3 | LABEL summary="The QEMU Guest Agent" \ 4 | io.k8s.description="This package provides an agent to run inside guests, which communicates with the host over a virtio-serial channel named 'org.qemu.guest_agent.0'" \ 5 | io.k8s.display-name="QEMU Guest Agent" \ 6 | license="GPLv2+ and LGPLv2+ and BSD" \ 7 | architecture="x86_64" \ 8 | maintainer="Vinzenz Feenstra " 9 | 10 | RUN yum -y --setopt=tsflags=nodocs install qemu-guest-agent 11 | RUN /bin/mkdir -p /etc/qemu 12 | COPY qemu-ga.conf /etc/qemu/ 13 | COPY service.template tmpfiles.template config.json.template /exports/ 14 | 15 | CMD /bin/bash /usr/bin/qemu-ga 16 | -------------------------------------------------------------------------------- /docker-fedora/service.template: 
-------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=Docker service 3 | After=network.target 4 | 5 | [Service] 6 | EnvironmentFile=-/etc/sysconfig/docker-storage 7 | EnvironmentFile=-/etc/sysconfig/docker-network 8 | Environment=GOTRACEBACK=crash 9 | SELinuxContext=system_u:system_r:container_runtime_t:s0 10 | ExecStartPre=/bin/sh $DESTDIR/rootfs/set_mounts.sh 11 | ExecStartPre=/bin/bash -c 'export -p > /run/docker-bash-env' 12 | ExecStart=$EXEC_START 13 | ExecStop=$EXEC_STOP 14 | Restart=on-failure 15 | WorkingDirectory=$DESTDIR 16 | LimitNOFILE=1048576 17 | LimitNPROC=1048576 18 | LimitCORE=infinity 19 | TimeoutStartSec=0 20 | Type=notify 21 | NotifyAccess=all 22 | 23 | [Install] 24 | WantedBy=multi-user.target 25 | -------------------------------------------------------------------------------- /kubernetes-scheduler/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM kubernetes-master:rawhide 2 | ENV container=docker 3 | 4 | ENV NAME=kubernetes-scheduler VERSION=0.1 RELEASE=8 ARCH=x86_64 5 | LABEL bzcomponent="$NAME" \ 6 | name="$FGC/$NAME" \ 7 | version="$VERSION" \ 8 | release="$RELEASE.$DISTTAG" \ 9 | architecture="$ARCH" \ 10 | atomic.type='system' \ 11 | maintainer="Jason Brooks " 12 | 13 | COPY launch.sh /usr/bin/kube-scheduler-docker.sh 14 | 15 | LABEL RUN /usr/bin/docker run -d --net=host 16 | 17 | COPY service.template config.json.template /exports/ 18 | 19 | RUN mkdir -p /exports/hostfs/etc/kubernetes && cp /etc/kubernetes/{config,scheduler} /exports/hostfs/etc/kubernetes 20 | 21 | ENTRYPOINT ["/usr/bin/kube-scheduler-docker.sh"] 22 | -------------------------------------------------------------------------------- /kubernetes-controller-manager/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM kubernetes-master:rawhide 2 | 3 | ENV container=docker 4 | 5 | ENV NAME=kubernetes-controller-manager 
VERSION=0.1 RELEASE=8 ARCH=x86_64 6 | LABEL bzcomponent="$NAME" \ 7 | name="$FGC/$NAME" \ 8 | version="$VERSION" \ 9 | release="$RELEASE.$DISTTAG" \ 10 | architecture="$ARCH" \ 11 | atomic.type='system' \ 12 | maintainer="Jason Brooks " 13 | 14 | COPY launch.sh /usr/bin/kube-controller-manager-docker.sh 15 | 16 | LABEL RUN /usr/bin/docker run -d --net=host 17 | 18 | COPY service.template config.json.template /exports/ 19 | 20 | RUN mkdir -p /exports/hostfs/etc/kubernetes && cp /etc/kubernetes/{config,controller-manager} /exports/hostfs/etc/kubernetes 21 | 22 | ENTRYPOINT ["/usr/bin/kube-controller-manager-docker.sh"] 23 | -------------------------------------------------------------------------------- /kubernetes-proxy/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM kubernetes-node:rawhide 2 | ENV container=docker 3 | 4 | ENV NAME=kubernetes-proxy VERSION=0 RELEASE=8 ARCH=x86_64 5 | LABEL bzcomponent="$NAME" \ 6 | name="$FGC/$NAME" \ 7 | version="$VERSION" \ 8 | release="$RELEASE.$DISTTAG" \ 9 | architecture="$ARCH" \ 10 | atomic.type='system' \ 11 | maintainer="Jason Brooks " 12 | 13 | RUN dnf install -y --setopt=tsflags=nodocs iptables conntrack-tools && dnf clean all 14 | 15 | LABEL RUN /usr/bin/docker run -d --privileged --net=host 16 | 17 | COPY launch.sh /usr/bin/kube-proxy-docker.sh 18 | 19 | COPY service.template config.json.template /exports/ 20 | 21 | RUN mkdir -p /exports/hostfs/etc/kubernetes && cp /etc/kubernetes/{config,proxy} /exports/hostfs/etc/kubernetes 22 | 23 | ENTRYPOINT ["/usr/bin/kube-proxy-docker.sh"] 24 | 25 | -------------------------------------------------------------------------------- /flannel/flanneld-run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Create flannel.conf for docker service 4 | echo "[Service]" > /etc/systemd/system/docker.service.d/$NAME.conf 5 | echo "EnvironmentFile=-/run/$NAME/docker" >> 
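/etc/systemd/system/docker.service.d/$NAME.conf

# FLANNEL_* values (etcd endpoints, prefix and optional TLS material) come from
# the host-editable sysconfig file exported by the Dockerfile below.
source /etc/sysconfig/flanneld

# Ensure this file doesn't already exist.  The wait loop below keys on it, so a
# stale copy from a previous run would report readiness before flanneld has
# actually obtained a subnet.  Absolute path: the original relative
# "run/flannel/subnet.env" never referred to the file the loop waits for.
rm -f /run/flannel/subnet.env

# NOTIFY_SOCKET is masked so flanneld's own sd_notify cannot mark the unit
# ready; readiness is signalled explicitly once the docker options file exists.
# TLS towards etcd is only in effect when the *_CAFILE/CERTFILE/KEYFILE values
# are set in /etc/sysconfig/flanneld; the image default endpoint is plain http.
NOTIFY_SOCKET=/dev/null /usr/bin/flanneld -etcd-endpoints=${FLANNEL_ETCD_ENDPOINTS} -etcd-prefix=${FLANNEL_ETCD_PREFIX} -etcd-cafile=${FLANNEL_ETCD_CAFILE} -etcd-certfile=${FLANNEL_ETCD_CERTFILE} -etcd-keyfile=${FLANNEL_ETCD_KEYFILE} $FLANNEL_OPTIONS &
child=$!

# Wait for flanneld to publish its subnet, but give up if flanneld exits first
# (e.g. etcd unreachable) instead of spinning forever without ever reaching
# systemd-notify.
while test \! -e /run/flannel/subnet.env
do
    if ! kill -0 "$child" 2>/dev/null; then
        wait "$child"
        exit $?
    fi
    sleep 0.1
done

# Translate the subnet into DOCKER_NETWORK_OPTIONS for the docker drop-in
# written above.
/usr/libexec/flannel/mk-docker-opts.sh -k DOCKER_NETWORK_OPTIONS -d /run/flannel/docker

systemd-notify --ready

# Exit with flanneld's status so the unit reflects the daemon's fate.
wait "$child"
-------------------------------------------------------------------------------- /flannel/Dockerfile: --------------------------------------------------------------------------------
FROM registry.fedoraproject.org/fedora:rawhide

# FLANNELD_* are presumably read by flanneld itself as defaults; flanneld-run.sh
# passes the FLANNEL_* values from /etc/sysconfig/flanneld on the command line
# (confirm precedence against the flanneld version shipped in rawhide).
ENV container=docker FLANNELD_ETCD_ENDPOINTS="http://127.0.0.1:2379" FLANNELD_ETCD_PREFIX="/atomic.io/network"

ENV VERSION=0.1 RELEASE=8 ARCH=x86_64
LABEL com.redhat.component="flannel" \
      name="$FGC/flannel" \
      version="$VERSION" \
      release="$RELEASE.$DISTTAG" \
      architecture="$ARCH" \
      summary="An etcd driven address agent, intended to be run as a system container" \
      maintainer="Giuseppe Scrivano " \
      atomic.type='system'

RUN dnf -y --setopt=tsflags=nodocs install flannel && dnf clean all

# COPY rather than ADD: a plain local file needs none of ADD's URL/tar handling.
COPY flanneld-run.sh /usr/bin/

# Export the packaged sysconfig so the host administrator edits it outside the
# image (etcd endpoints, TLS files, FLANNEL_OPTIONS).
RUN mkdir -p /exports/hostfs/etc/sysconfig/ && cp /etc/sysconfig/flanneld /exports/hostfs/etc/sysconfig/
RUN mkdir -p /exports/hostfs/etc/flanneld

# System container files
COPY tmpfiles.template service.template manifest.json \
     config.json.template /exports/

CMD ["/usr/bin/flanneld-run.sh"]
-------------------------------------------------------------------------------- /ovirt-guest-agent-fedora/Dockerfile: 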
-------------------------------------------------------------------------------- 1 | FROM fedora:rawhide 2 | 3 | LABEL summary="The oVirt Guest Agent" \ 4 | io.k8s.description="The ovirt-guest-agent is providing information about the virtual machine and allows to restart / shutdown the machine via the oVirt Portal. This image is intended to be used with virtual machines running Fedora Atomic Host." \ 5 | io.k8s.display-name="oVirt Guest Agent" \ 6 | license="ASL 2.0" \ 7 | architecture="x86_64" \ 8 | maintainer="Vinzenz Feenstra " 9 | 10 | ADD logger_conf /root/logger_conf 11 | 12 | RUN dnf -y install --setopt=tsflags=nodocs ovirt-guest-agent-common 13 | RUN cat /root/logger_conf >> /etc/ovirt-guest-agent.conf && rm /root/logger_conf 14 | 15 | COPY ovirt-container-shutdown.sh prep.sh /usr/local/bin/ 16 | COPY run.sh /usr/bin/ 17 | COPY service.template tmpfiles.template config.json.template /exports/ 18 | 19 | RUN /bin/bash /usr/local/bin/prep.sh 20 | RUN chmod a+x /usr/local/bin/ovirt-*.sh /usr/bin/run.sh 21 | 22 | CMD /bin/bash /usr/bin/run.sh 23 | 24 | -------------------------------------------------------------------------------- /net-snmp/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM registry.fedoraproject.org/fedora:27 2 | 3 | 4 | LABEL maintainer="Giuseppe Scrivano " \ 5 | name="net-snmp" \ 6 | version="0.1" \ 7 | atomic.type="system" \ 8 | description="SNMP (Simple Network Management Protocol) is a protocol used \ 9 | for network management. The net-snmp container provides an easy means for \ 10 | monitoring Atomic Host." 
11 | 12 | ENV INSTALLED_PACKAGES="net-snmp net-snmp-utils net-snmp-agent-libs" 13 | RUN yum -y install --setopt=tsflags=nodocs ${INSTALLED_PACKAGES} && \ 14 | rpm -V ${INSTALLED_PACKAGES} && \ 15 | yum clean all && \ 16 | mkdir -p /exports/hostfs/etc/{sysconfig,snmp} /exports/hostfs/var/lib/net-snmp/ && \ 17 | cp /etc/sysconfig/snmpd /etc/sysconfig/snmptrapd /exports/hostfs/etc/sysconfig/ && \ 18 | cp /etc/snmp/snmpd.conf /etc/snmp/snmptrapd.conf /exports/hostfs/etc/snmp/ 19 | 20 | COPY run.sh /usr/bin/ 21 | 22 | # System container files 23 | COPY tmpfiles.template service.template manifest.json config.json.template /exports/ 24 | 25 | CMD ["/usr/bin/run.sh"] 26 | -------------------------------------------------------------------------------- /ovirt-guest-agent-centos/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM centos 2 | 3 | LABEL summary="The oVirt Guest Agent" \ 4 | io.k8s.description="The ovirt-guest-agent is providing information about the virtual machine and allows to restart / shutdown the machine via the oVirt Portal. This image is intended to be used with virtual machines running Centos Atomic Host." 
\ 5 | io.k8s.display-name="oVirt Guest Agent" \ 6 | license="ASL 2.0" \ 7 | architecture="x86_64" \ 8 | maintainer="Vinzenz Feenstra " 9 | 10 | ADD logger_conf /root/logger_conf 11 | 12 | RUN yum install epel-release -y --setopt=tsflags=nodocs; yum -y --setopt=tsflags=nodocs install ovirt-guest-agent-common 13 | RUN cat /root/logger_conf >> /etc/ovirt-guest-agent.conf && rm /root/logger_conf 14 | 15 | COPY ovirt-container-shutdown.sh prep.sh /usr/local/bin/ 16 | COPY run.sh /usr/bin/ 17 | COPY service.template tmpfiles.template config.json.template /exports/ 18 | 19 | RUN /bin/bash /usr/local/bin/prep.sh 20 | RUN chmod a+x /usr/local/bin/ovirt-*.sh /usr/bin/run.sh 21 | 22 | CMD /bin/bash /usr/bin/run.sh 23 | -------------------------------------------------------------------------------- /flannel/README.md: -------------------------------------------------------------------------------- 1 | # flannel-container 2 | 3 | This container image is intended to be run as a system container 4 | with the atomic command line. 5 | 6 | Building flannel container for fedora and atomic host: 7 | 8 | ``` 9 | # git clone https://github.com/projectatomic/atomic-system-containers 10 | # cd atomic-system-containers/flannel 11 | # docker build -t flannel . 12 | ``` 13 | 14 | **Running as system container, with the atomic CLI:** 15 | 16 | Prerequisite: 17 | 18 | 1. etcd must be running 19 | 20 | 2. 
a network is configured in etcd 21 | 22 | (example with etcd installed as a system container: `runc exec etcd etcdctl set /atomic.io/network/config '{"Network":"172.17.0.0/16"}'`) 23 | 24 | Pull from local docker into ostree: 25 | 26 | ``` 27 | #atomic pull --storage ostree docker:flannel 28 | ``` 29 | 30 | Install the container: 31 | 32 | ``` 33 | #atomic install --system flannel 34 | ``` 35 | 36 | Start as a systemd service: 37 | 38 | ``` 39 | #systemctl start flannel 40 | ``` 41 | 42 | Stopping the service 43 | 44 | ``` 45 | #systemctl stop flannel 46 | ``` 47 | 48 | Removing the container 49 | 50 | ``` 51 | #atomic uninstall flannel 52 | ``` 53 | -------------------------------------------------------------------------------- /ovirt-guest-agent-centos/prep.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | /bin/rm -f /usr/share/ovirt-guest-agent/LockActiveSession.py{c,o} 4 | /bin/rm -f /usr/share/ovirt-guest-agent/LogoutActiveUser.py{c,o} 5 | 6 | # Fake being the host - To show the Atomic Host release 7 | /bin/rm -f /etc/redhat-release 8 | # Replaced with bind mount 9 | #/bin/ln -sf /host/etc/redhat-release /etc/redhat-release 10 | 11 | echo '#!/usr/bin/python' > /usr/share/ovirt-guest-agent/LockActiveSession.py 12 | echo '#!/usr/bin/python' > /usr/share/ovirt-guest-agent/LogoutActiveUser.py 13 | 14 | /bin/rm -f /usr/share/ovirt-guest-agent/CredServer.py* 15 | 16 | /bin/ln -sf /usr/local/bin/ovirt-container-shutdown.sh /usr/share/ovirt-guest-agent/ovirt-shutdown 17 | 18 | /bin/ln -sf /usr/share/ovirt-guest-agent/LockActiveSession.py /usr/share/ovirt-guest-agent/ovirt-locksession 19 | /bin/ln -sf /usr/share/ovirt-guest-agent/LogoutActiveUser.py /usr/share/ovirt-guest-agent/ovirt-logout 20 | /bin/ln -sf /usr/share/ovirt-guest-agent/container-list /usr/share/ovirt-guest-agent/ovirt-container-list 21 | /bin/ln -sf /usr/share/ovirt-guest-agent/scripts/hooks/defaults/flush-caches 
/usr/share/ovirt-guest-agent/ovirt-flush-caches 22 | 23 | -------------------------------------------------------------------------------- /ovirt-guest-agent-fedora/prep.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | /bin/rm -f /usr/share/ovirt-guest-agent/LockActiveSession.py{c,o} 4 | /bin/rm -f /usr/share/ovirt-guest-agent/LogoutActiveUser.py{c,o} 5 | 6 | # Fake being the host - To show the Atomic Host release 7 | /bin/rm -f /etc/redhat-release 8 | # Replaced with bind mount 9 | #/bin/ln -sf /host/etc/redhat-release /etc/redhat-release 10 | 11 | echo '#!/usr/bin/python' > /usr/share/ovirt-guest-agent/LockActiveSession.py 12 | echo '#!/usr/bin/python' > /usr/share/ovirt-guest-agent/LogoutActiveUser.py 13 | 14 | /bin/rm -f /usr/share/ovirt-guest-agent/CredServer.py* 15 | 16 | /bin/ln -sf /usr/local/bin/ovirt-container-shutdown.sh /usr/share/ovirt-guest-agent/ovirt-shutdown 17 | 18 | /bin/ln -sf /usr/share/ovirt-guest-agent/LockActiveSession.py /usr/share/ovirt-guest-agent/ovirt-locksession 19 | /bin/ln -sf /usr/share/ovirt-guest-agent/LogoutActiveUser.py /usr/share/ovirt-guest-agent/ovirt-logout 20 | /bin/ln -sf /usr/share/ovirt-guest-agent/container-list /usr/share/ovirt-guest-agent/ovirt-container-list 21 | /bin/ln -sf /usr/share/ovirt-guest-agent/scripts/hooks/defaults/flush-caches /usr/share/ovirt-guest-agent/ovirt-flush-caches 22 | 23 | -------------------------------------------------------------------------------- /kubernetes-kubelet/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM kubernetes-node:rawhide 2 | 3 | ENV container=docker 4 | 5 | ENV NAME=kubernetes-kubelet VERSION=0 RELEASE=8 ARCH=x86_64 6 | LABEL bzcomponent="$NAME" \ 7 | name="$FGC/$NAME" \ 8 | version="$VERSION" \ 9 | release="$RELEASE.$DISTTAG" \ 10 | architecture="$ARCH" \ 11 | atomic.type='system' \ 12 | maintainer="Jason Brooks " 13 | 14 | # Containerized kubelet requires 
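nsenter (provided by util-linux)
RUN dnf install -y --setopt=tsflags=nodocs util-linux ethtool systemd-udev e2fsprogs xfsprogs && dnf clean all

# Host-level access is intentional for a kubelet: host PID/network namespaces,
# --privileged and the host root mounted read-only at /rootfs.
LABEL RUN /usr/bin/docker run -d --privileged --net=host --pid=host -v /:/rootfs:ro -v /sys:/sys:rw -v /var/run:/var/run:rw -v /run:/run:rw -v /var/lib/docker:/var/lib/docker:rw -v /var/lib/kubelet:/var/lib/kubelet:slave -v /var/log/containers:/var/log/containers:rw

COPY launch.sh /usr/bin/kubelet-docker.sh

COPY manifest.json tmpfiles.template service.template config.json.template /exports/

# Brace expansion relies on /bin/sh being bash in the base image.
RUN mkdir -p /exports/hostfs/etc/cni/net.d && \
    mkdir -p /exports/hostfs/etc/kubernetes && \
    cp /etc/kubernetes/{config,kubelet} /exports/hostfs/etc/kubernetes

ENTRYPOINT ["/usr/bin/kubelet-docker.sh"]
-------------------------------------------------------------------------------- /kubernetes-apiserver/Dockerfile: --------------------------------------------------------------------------------
FROM kubernetes-master:rawhide

ENV container=docker

ENV NAME=kubernetes-apiserver VERSION=0.1 RELEASE=8 ARCH=x86_64
LABEL bzcomponent="$NAME" \
      name="$FGC/$NAME" \
      version="$VERSION" \
      release="$RELEASE.$DISTTAG" \
      architecture="$ARCH" \
      atomic.type='system' \
      maintainer="Jason Brooks "

COPY launch.sh /usr/bin/kube-apiserver-docker.sh

RUN chmod +x /usr/bin/kube-apiserver

# Fixed the stray slash ("/usr/bin/docker/ run") that made this label's command
# unrunnable; it now matches the sibling scheduler/controller-manager images.
# -p 443:443 is retained only as documentation of the API port: Docker ignores
# port publishing when --net=host is used.
LABEL RUN /usr/bin/docker run -d --net=host -p 443:443

COPY service.template config.json.template /exports/

# copy kubectl into the host, another way to do this would be:
#
# echo "runc exec -- kube-apiserver /usr/bin/kubectl \$@" \
#   > /exports/hostfs/usr/local/bin/kubectl && chmod +x \
#   /exports/hostfs/usr/local/bin/kubectl
#
# however, this would require hard-coding the container name

RUN mkdir -p /exports/hostfs/usr/local/bin/ && cp /usr/bin/kubectl /exports/hostfs/usr/local/bin/kubectl

# Brace expansion relies on /bin/sh being bash in the base image.
RUN mkdir -p /exports/hostfs/etc/kubernetes && cp /etc/kubernetes/{config,apiserver} /exports/hostfs/etc/kubernetes

ENTRYPOINT ["/usr/bin/kube-apiserver-docker.sh"]
-------------------------------------------------------------------------------- /docker-centos/Dockerfile: --------------------------------------------------------------------------------
FROM centos

LABEL maintainer="Giuseppe Scrivano " \
      name="docker-centos" \
      version="0.1" \
      atomic.type="system" \
      architecture="x86_64"


# NOTE(review): the CBS candidate repo is added and docker-rhel-push-plugin is
# installed with GPG verification disabled, so that package is fetched over the
# network without any signature check.  The rpm -V calls only compare installed
# files against each package's own header; they say nothing about where the
# package came from.  Prefer a signed repo (gpgkey=...) or drop --nogpgcheck
# once the repo publishes signed packages.
RUN yum install --setopt=tsflags=nodocs -y docker container-selinux cloud-utils-growpart python-docker-py docker-novolume-plugin docker-lvm-plugin lvm2 iptables procps-ng xz oci-register-machine && \
    rpm -V docker container-selinux cloud-utils-growpart python-docker-py docker-novolume-plugin docker-lvm-plugin lvm2 iptables procps-ng xz oci-register-machine && \
    mkdir -p /usr/lib/modules && \
    yum-config-manager --nogpgcheck --add-repo https://cbs.centos.org/repos/virt7-docker-common-candidate/x86_64/os/ && \
    yum install --setopt=tsflags=nodocs -y --nogpgcheck docker-rhel-push-plugin && \
    rpm -V docker-rhel-push-plugin && \
    mkdir -p /exports/hostfs/etc/docker && \
    yum clean all

# COPY rather than ADD: a plain local file needs none of ADD's URL/tar handling.
COPY init.sh /usr/bin

# system container
COPY service.template tmpfiles.template config.json.template manifest.json /exports/
COPY daemon.json /exports/hostfs/etc/docker/container-daemon.json
# Copy /etc/oci-umount.conf over if it exists
RUN (test -e /etc/oci-umount.conf && cp /etc/oci-umount.conf /exports/hostfs/etc) || true

CMD ["/usr/bin/init.sh"]
-------------------------------------------------------------------------------- /docker-fedora/init.sh: --------------------------------------------------------------------------------
#!/bin/bash

# Ensure that new process maintain this SELinux label
PID=$$
LABEL=`tr -d '\000' < 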
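/proc/$PID/attr/current`
printf %s "$LABEL" > /proc/self/attr/exec

# Environment captured by the unit's ExecStartPre (export -p > /run/docker-bash-env).
source /run/docker-bash-env

# set storage first.  The subshell keeps docker-storage-setup's variables out
# of the daemon's environment.
(
. /etc/sysconfig/docker-storage-setup
/usr/bin/docker-storage-setup
)

# The docker group owns the daemon socket; create it if the image lacks it.
getent group docker || groupadd docker


# Inhibit sd-notify for docker-containerd, we want to get the notification
# from the docker process
NOTIFY_SOCKET=/dev/null /usr/libexec/docker/docker-containerd-current \
    --listen unix:///run/containerd.sock \
    --shim /usr/bin/shim.sh &
containerd=$!

# Wait for containerd's socket, but bail out if containerd died instead of
# spinning here forever with the unit never becoming ready.
while test \! -e /run/containerd.sock;
do
    if ! kill -0 "$containerd" 2>/dev/null; then
        wait "$containerd"
        exit $?
    fi
    sleep 0.1
done

# Run all the installed plugins.  Paths are quoted so an unexpected plugin
# name cannot be word-split into extra arguments.
mkdir -p /run/docker/plugins/
ls -1 /usr/libexec/docker/*plugin | \
while read i;
do
    plugin=$(basename "$i")
    test -e "/run/docker/plugins/$plugin.sock" || mkfifo "/run/docker/plugins/$plugin.sock"
    "$i" &
done

# Replace this shell with the daemon so it keeps PID $$ and the exec label
# set above.  The $OPTIONS-style variables are intentionally unquoted: each
# may hold several command-line arguments.
exec /usr/bin/dockerd-current \
    --bind-mount-prefix=/host \
    --config-file=/etc/docker/container-daemon.json \
    $OPTIONS \
    $DOCKER_STORAGE_OPTIONS \
    $DOCKER_NETWORK_OPTIONS \
    $ADD_REGISTRY \
    $BLOCK_REGISTRY \
    $INSECURE_REGISTRY
-------------------------------------------------------------------------------- /open-vm-tools-centos/Dockerfile: --------------------------------------------------------------------------------
FROM centos



LABEL summary="The open-vm-tools guest agent" \
      io.k8s.description="The open-vm-tools agent is providing information about the virtual machine and allows to restart / shutdown the machine via VMware products. This image is intended to be used with virtual machines running Centos Atomic Host." \
      io.k8s.display-name="open-vm-tools guest agent" \
      architecture="x86_64" \
      BZComponent="open-vm-tools" \
      maintainer="davis phillips "

ENV SYSTEMD_IGNORE_CHROOT=1

RUN yum -y --setopt=tsflags=nodocs install file open-vm-tools perl net-tools iproute systemd && \
    yum clean all

COPY service.template config.json.template /exports/

# NOTE(review): this RUN label gives the agent --privileged, the host PID and
# network namespaces, and read-write bind mounts of /etc/passwd and /etc/shadow
# (no :ro), so a compromise of vmtoolsd is a compromise of the host.  If the
# agent only needs to look users up, the passwd/shadow mounts could be made
# read-only; confirm against the agent's needs before changing the label.
LABEL RUN="docker run --privileged -v /proc/:/hostproc/ -v /sys/fs/cgroup:/sys/fs/cgroup -v /var/log:/var/log -v /run/systemd:/run/systemd -v /sysroot:/sysroot -v=/var/lib/sss/pipes/:/var/lib/sss/pipes/:rw -v /etc/passwd:/etc/passwd -v /etc/shadow:/etc/shadow -v /tmp:/tmp:rw -v /etc/sysconfig:/etc/sysconfig:rw -v /etc/resolv.conf:/etc/resolv.conf:rw -v /etc/nsswitch.conf:/etc/nsswitch.conf:rw -v /etc/hosts:/etc/hosts:rw -v /etc/hostname:/etc/hostname:rw -v /etc/localtime:/etc/localtime:rw -v /etc/adjtime:/etc/adjtime --env container=docker --net=host --pid=host IMAGE"

CMD /usr/bin/vmtoolsd
-------------------------------------------------------------------------------- /etcd/README.md: --------------------------------------------------------------------------------
# etcd-container

Building etcd container for fedora and atomic host:

```
# git clone https://github.com/projectatomic/atomic-system-containers
# cd atomic-system-containers/etcd
# docker build --rm -t etcd . 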
9 | ``` 10 | 11 | ## As a docker container: 12 | 13 | **Instructions for Fedora** 14 | 15 | Running etcd container 16 | 17 | ``` 18 | #docker run -d -p 4001:4001 -p 7001:7001 -p 2379:2379 -p 2380:2380 etcd 19 | ``` 20 | 21 | **Instructions for Atomic** 22 | 23 | Installing etcd container on atomic host: 24 | 25 | ``` 26 | #atomic install etcd 27 | ``` 28 | 29 | Running etcd container on atomic host: 30 | 31 | ``` 32 | #atomic run etcd 33 | ``` 34 | 35 | Stopping etcd container on atomic host: 36 | 37 | ``` 38 | #atomic stop etcd 39 | ``` 40 | 41 | Uninstalling etcd container on atomic host: 42 | 43 | ``` 44 | #atomic uninstall etcd 45 | ``` 46 | 47 | ## As a system container, with the atomic CLI: 48 | 49 | Pull from local docker into ostree: 50 | 51 | ``` 52 | #atomic pull --storage ostree docker:etcd 53 | ``` 54 | 55 | Install the container: 56 | 57 | ``` 58 | #atomic install --system etcd 59 | ``` 60 | 61 | Start as a systemd service: 62 | 63 | ``` 64 | #systemctl start etcd 65 | ``` 66 | 67 | Stopping the service 68 | 69 | ``` 70 | #systemctl stop etcd 71 | ``` 72 | 73 | Removing the container 74 | 75 | ``` 76 | #atomic uninstall etcd 77 | ``` 78 | -------------------------------------------------------------------------------- /docker-centos/init.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Ensure that new process maintain this SELinux label 4 | PID=$$ 5 | LABEL=`tr -d '\000' < /proc/$PID/attr/current` 6 | printf %s $LABEL > /proc/self/attr/exec 7 | 8 | source /run/docker-bash-env 9 | 10 | # set storage first 11 | ( 12 | . 
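/etc/sysconfig/docker-storage-setup
/usr/bin/docker-storage-setup
)

# Run all the installed plugins.  Paths are quoted so an unexpected plugin
# name cannot be word-split into extra arguments.
mkdir -p /run/docker/plugins/
ls -1 /usr/libexec/docker/*plugin | \
while read i;
do
    plugin=$(basename "$i")
    test -e "/run/docker/plugins/$plugin.sock" || mkfifo "/run/docker/plugins/$plugin.sock"
    "$i" &
done

# Inhibit sd-notify for docker-containerd, we want to get the notification
# from the docker process
NOTIFY_SOCKET=/dev/null /usr/bin/docker-containerd-current \
    --listen unix:///run/containerd.sock \
    --shim /usr/bin/docker-containerd-shim-current \
    --start-timeout 2m &
containerd=$!

# Wait for containerd's socket, but bail out if containerd died instead of
# spinning here forever with the unit never becoming ready.
while test \! -e /run/containerd.sock;
do
    if ! kill -0 "$containerd" 2>/dev/null; then
        wait "$containerd"
        exit $?
    fi
    sleep 0.1
done

# Replace this shell with the daemon so it keeps PID $$ and the SELinux exec
# label set at the top of the script.  The $OPTIONS-style variables are
# intentionally unquoted: each may hold several command-line arguments.
exec /usr/bin/dockerd-current \
    --bind-mount-prefix=/host \
    --config-file=/etc/docker/container-daemon.json \
    --userland-proxy-path=/usr/libexec/docker/docker-proxy-current \
    $OPTIONS \
    $DOCKER_STORAGE_OPTIONS \
    $DOCKER_NETWORK_OPTIONS \
    $INSECURE_REGISTRY $ADD_REGISTRY \
    $BLOCK_REGISTRY
-------------------------------------------------------------------------------- /kubeadm/Dockerfile: --------------------------------------------------------------------------------
FROM registry.fedoraproject.org/fedora:rawhide

ENV NAME=kubeadm VERSION=0 RELEASE=0 ARCH=x86_64
LABEL bzcomponent="$NAME" \
      name="$FGC/$NAME" \
      version="$VERSION" \
      release="$RELEASE.$DISTTAG" \
      architecture="$ARCH" \
      atomic.type="system" \
      maintainer="Jason Brooks "

RUN dnf install -y --setopt=tsflags=nodocs docker iproute kubernetes-kubeadm kubernetes-node kubernetes-client containernetworking-cni ethtool ebtables && dnf clean all

# Host-level access is intentional for a kubelet/kubeadm node: host PID/network
# namespaces, --privileged and the host root mounted read-only at /rootfs.
LABEL RUN /usr/bin/docker run -d --privileged --net=host --pid=host -v /:/rootfs:ro -v /sys:/sys:rw -v /var/run:/var/run:rw -v /run:/run:rw -v /var/lib/docker:/var/lib/docker:rw -v /var/lib/kubelet:/var/lib/kubelet:slave -v 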
/var/log/containers:/var/log/containers:rw 15 | 16 | COPY launch.sh /usr/bin/ 17 | 18 | COPY service.template config.json.template /exports/ 19 | 20 | RUN mkdir -p /exports/hostfs/usr/local/bin/ && cp /usr/bin/{kubectl,kubeadm} /exports/hostfs/usr/local/bin/ 21 | RUN mkdir -p /exports/hostfs/etc/{kubernetes,cni} 22 | RUN mkdir -p /exports/hostfs/etc/kubernetes/pki 23 | RUN mkdir -p /var/lib/kubelet 24 | 25 | # pluck out env vars from kubeadm drop-in and put them into a user-editable location 26 | 27 | RUN cat /etc/systemd/system/kubelet.service.d/kubeadm.conf | grep Environment | sed 's/Environment="//g' | sed 's/\=/\=\"/' > /exports/hostfs/etc/kubernetes/kubeadm-env 28 | 29 | ENTRYPOINT ["/usr/bin/launch.sh"] 30 | -------------------------------------------------------------------------------- /FILES.md: -------------------------------------------------------------------------------- 1 | # Files for System Containers 2 | 3 | ## Required 4 | 5 | These files must be present for an image to be considered a valid system image. 6 | 7 | ### config.json.template 8 | 9 | This file is used by runc and describes the container configuration. It defines mounts, capabilities, process options, etc. 10 | 11 | For more information see [the oci config documentation](https://github.com/opencontainers/runtime-spec/blob/master/config.md). 12 | 13 | Example: [hello-world/config.json.template](hello-world/config.json.template) 14 | 15 | ### service.template 16 | 17 | This file is used when creating a systemd service upon system container installation. 18 | 19 | For more information see [systemd unit documentation](https://www.freedesktop.org/software/systemd/man/systemd.unit.html). 20 | 21 | Example: [hello-world/service.template](hello-world/service.template) 22 | 23 | ## Optional 24 | 25 | The following files may be omitted if their additional features are not required. 26 | 27 | ### manifest.json 28 | 29 | Defines default values for variables used within the system image. 
Variables may be referenced in other system image files. 30 | 31 | Example: [hello-world/manifest.json](hello-world/manifest.json) 32 | 33 | ### tmpfiles.template 34 | 35 | Defines file/location creation, deletion, and purge operations for temporary storage. 36 | 37 | For more information see [systemd tmpfiles.d documentation](https://www.freedesktop.org/software/systemd/man/tmpfiles.d.html). 38 | 39 | Example: [docker-fedora/tmpfiles.template](docker-fedora/tmpfiles.template) 40 | -------------------------------------------------------------------------------- /docker-fedora/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM registry.fedoraproject.org/fedora:rawhide 2 | 3 | ENV VERSION=0 RELEASE=1 ARCH=x86_64 4 | LABEL com.redhat.component="docker" \ 5 | name="$FGC/docker" \ 6 | version="$VERSION" \ 7 | release="$RELEASE.$DISTTAG" \ 8 | architecture="$ARCH" \ 9 | usage="atomic install --system --system-package=no docker && systemctl start docker" \ 10 | summary="The docker daemon as a system container." 
\ 11 | maintainer="Giuseppe Scrivano " \ 12 | atomic.type="system" 13 | 14 | RUN dnf install --setopt=tsflags=nodocs -y docker container-storage-setup container-selinux cloud-utils-growpart docker-novolume-plugin lvm2 iptables procps-ng xz oci-register-machine \ 15 | && rpm -V --nofiles docker container-storage-setup container-selinux cloud-utils-growpart docker-novolume-plugin lvm2 iptables procps-ng xz oci-register-machine \ 16 | && mkdir -p /usr/lib/modules /exports/hostfs/etc/docker \ 17 | && dnf clean all 18 | 19 | RUN ln -s /usr/libexec/docker/docker-runc-current /usr/bin/docker-runc 20 | 21 | COPY README.md / 22 | COPY shim.sh init.sh /usr/bin/ 23 | 24 | # system container 25 | COPY set_mounts.sh / 26 | COPY config.json.template service.template tmpfiles.template manifest.json /exports/ 27 | COPY daemon.json /exports/hostfs/etc/docker/container-daemon.json 28 | # https://github.com/rhatdan/oci-umount/issues/2 29 | # Copy config if available 30 | RUN (test -e /etc/oci-umount.conf && cp /etc/oci-umount.conf /exports/hostfs/etc) || true 31 | 32 | 33 | CMD ["/usr/bin/init.sh"] 34 | -------------------------------------------------------------------------------- /etcd/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM registry.fedoraproject.org/fedora:rawhide 2 | 3 | ENV VERSION=0.1 RELEASE=10 ARCH=x86_64 4 | LABEL com.redhat.component="etcd" \ 5 | name="$FGC/etcd" \ 6 | version="$VERSION" \ 7 | release="$RELEASE.$DISTTAG" \ 8 | architecture="$ARCH" \ 9 | summary="A key-value store for shared configuration and service discovery." 
\ 10 | maintainer="Giuseppe Scrivano " 11 | 12 | RUN dnf -y --setopt=tsflags=nodocs install etcd hostname && \ 13 | dnf clean all 14 | 15 | LABEL INSTALL /usr/bin/docker run --rm \$OPT1 --privileged -v /:/host -e HOST=/host -e NAME=\$NAME -e IMAGE=\$IMAGE \$IMAGE \$OPT2 /usr/bin/install.sh \$OPT3 16 | LABEL UNINSTALL /usr/bin/docker run --rm \$OPT1 --privileged -v /:/host -e HOST=/host -e NAME=\$NAME -e IMAGE=\$IMAGE \$IMAGE \$OPT2 /usr/bin/uninstall.sh \$OPT3 17 | LABEL RUN /usr/bin/docker run -d \$OPT1 -p 4001:4001 -p 7001:7001 -p 2379:2379 -p 2380:2380 --name \$NAME \$IMAGE \$OPT2 \$OPT3 18 | 19 | COPY etcd-env.sh /usr/bin/etcd-env.sh 20 | COPY install.sh /usr/bin/install.sh 21 | COPY uninstall.sh /usr/bin/uninstall.sh 22 | 23 | COPY tmpfiles.template config.json.template service.template manifest.json /exports/ 24 | 25 | RUN mkdir -p /exports/hostfs/usr/local/bin/ && cp /usr/bin/etcdctl /exports/hostfs/usr/local/bin/etcdctl 26 | 27 | RUN mkdir -p /exports/hostfs/etc/etcd && sed -e "/^ETCD_DATA_DIR/d" -e s"|^ETCD_NAME=|#ETCD_NAME=|" < /etc/etcd/etcd.conf > /exports/hostfs/etc/etcd/etcd.conf 28 | 29 | EXPOSE 4001 7001 2379 2380 30 | 31 | CMD ["/usr/bin/etcd-env.sh", "/usr/bin/etcd"] 32 | -------------------------------------------------------------------------------- /USAGE.md: -------------------------------------------------------------------------------- 1 | # Installing System Containers 2 | 3 | Installing system containers requires the ``atomic`` command. 4 | 5 | ## First: Pull the image 6 | 7 | Pull from registry into ostree: 8 | 9 | ``` 10 | # atomic pull --storage ostree $REGISTRY/$IMAGE:$TAG 11 | ``` 12 | 13 | Or alternatively, pull from local docker: 14 | 15 | ``` 16 | # atomic pull --storage ostree docker:$IMAGE:$TAG 17 | ``` 18 | 19 | ## Install the container 20 | 21 | **Note**: Currently we recommend using --system-package=no to avoid having rpmbuild 22 | create an rpm file during installation. 
This flag will tell the atomic CLI to fall 23 | back to copying files to the host instead. 24 | 25 | 26 | ### Install without parameters 27 | ``` 28 | # atomic install --system --system-package=no --name=$NAME_FOR_SYSTEMD $REGISTRY/$IMAGE:$TAG 29 | ``` 30 | 31 | ### Install with parameters 32 | Some system containers accept parameters. These parameters should be listed in 33 | the system container's own README.md file. If for some reason a README.md does not 34 | exist, one can check the ``defaultValues`` in the ``manifest.json`` file for 35 | parameters to override. 36 | 37 | ``` 38 | # atomic install --system --system-package=no --name=$NAME_FOR_SYSTEMD \ 39 | --set=KEY=VAL --set=FOO=BAR $REGISTRY/$IMAGE:$TAG 40 | ``` 41 | 42 | ## Running System Containers 43 | 44 | ### Start as a systemd service 45 | 46 | ``` 47 | # systemctl start $NAME_FOR_SYSTEMD 48 | ``` 49 | 50 | ### Stopping the service 51 | 52 | ``` 53 | # systemctl stop $NAME_FOR_SYSTEMD 54 | ``` 55 | 56 | ## Uninstalling System Containers 57 | 58 | ``` 59 | # atomic uninstall $NAME_FOR_SYSTEMD 60 | ``` 61 | -------------------------------------------------------------------------------- /docker-fedora/README.md: -------------------------------------------------------------------------------- 1 | # docker 2 | 3 | This is the docker daemon system container for Fedora systems based on the moby project. 4 | For more information refer to: https://github.com/moby/moby 5 | 6 | Note this only provides the *daemon process*, and does not include CLI tools. The current use 7 | case for this would be switching between different versions of docker by updating the container. 8 | 9 | ## Building the image from source: 10 | 11 | ``` 12 | # git clone https://github.com/projectatomic/atomic-system-containers 13 | # cd atomic-system-containers/docker-fedora 14 | # docker build -t docker . 
15 | ``` 16 | 17 | ## Running the system container, with the atomic CLI: 18 | 19 | Pull from registry into ostree: 20 | 21 | ``` 22 | # atomic pull --storage ostree $REGISTRY/docker 23 | ``` 24 | 25 | Or alternatively, pull from local docker: 26 | 27 | ``` 28 | # atomic pull --storage ostree docker:docker:latest 29 | ``` 30 | 31 | Install the container: 32 | 33 | Currently we recommend using --system-package=no to avoid having rpmbuild create an rpm file 34 | during installation. This flag will tell the atomic CLI to fall back to copying files to the 35 | host instead. 36 | 37 | ``` 38 | # atomic install --system --system-package=no --name=docker ($REGISTRY)/docker 39 | 40 | Note that if you have the package docker locally, you would need to use another 41 | name for the service (i.e. --name=docker-system-container, etc.) 42 | ``` 43 | 44 | Start as a systemd service: 45 | 46 | ``` 47 | # systemctl start docker 48 | ``` 49 | 50 | Stopping the service 51 | 52 | ``` 53 | # systemctl stop docker 54 | ``` 55 | 56 | Removing the container 57 | 58 | ``` 59 | # atomic uninstall docker 60 | ``` 61 | -------------------------------------------------------------------------------- /etcd/manifest.json: -------------------------------------------------------------------------------- 1 | { 2 | "version": "1.0", 3 | "defaultValues": { 4 | "CONF_DIRECTORY" : "/etc", 5 | "ETCD_NAME" : "", 6 | "ETCD_DATA_DIR" : "", 7 | "ETCD_ADVERTISE_CLIENT_URLS" : "", 8 | "ETCD_LISTEN_CLIENT_URLS" : "", 9 | "ETCD_INITIAL_ADVERTISE_PEER_URLS" : "", 10 | "ETCD_LISTEN_PEER_URLS" : "", 11 | "ETCD_INITIAL_CLUSTER" : "", 12 | "ETCD_INITIAL_CLUSTER_STATE" : "new", 13 | "ETCD_WAL_DIR" : "", 14 | "ETCD_SNAPSHOT_COUNT" : "10000", 15 | "ETCD_HEARTBEAT_INTERVAL" : "100", 16 | "ETCD_ELECTION_TIMEOUT" : "1000", 17 | "ETCD_MAX_SNAPSHOTS" : "5", 18 | "ETCD_MAX_WALS" : "5", 19 | "ETCD_CORS" : "", 20 | "ETCD_INITIAL_CLUSTER_TOKEN" : "etcd-cluster", 21 | "ETCD_DISCOVERY" : "", 22 | "ETCD_DISCOVERY_SRV" : "", 23 | 
"ETCD_DISCOVERY_FALLBACK" : "proxy", 24 | "ETCD_DISCOVERY_PROXY" : "", 25 | "ETCD_PROXY" : "off", 26 | "ETCD_PROXY_FAILURE_WAIT" : "5000", 27 | "ETCD_PROXY_REFRESH_INTERVAL" : "30000", 28 | "ETCD_PROXY_DIAL_TIMEOUT" : "1000", 29 | "ETCD_PROXY_WRITE_TIMEOUT" : "5000", 30 | "ETCD_PROXY_READ_TIMEOUT" : "0", 31 | "ETCD_CERT_FILE" : "", 32 | "ETCD_KEY_FILE" : "", 33 | "ETCD_CLIENT_CERT_AUTH" : "false", 34 | "ETCD_TRUSTED_CA_FILE" : "", 35 | "ETCD_PEER_CERT_FILE" : "", 36 | "ETCD_PEER_KEY_FILE" : "", 37 | "ETCD_PEER_CLIENT_CERT_AUTH" : "false", 38 | "ETCD_PEER_TRUSTED_CA_FILE" : "", 39 | "ETCD_DEBUG" : "false", 40 | "ETCD_LOG_PACKAGE_LEVELS" : "", 41 | "ETCD_STRICT_RECONFIG_CHECK" : "false", 42 | "ETCD_ENABLE_PPROF" : "false", 43 | "ADDTL_MOUNTS": "" 44 | }, 45 | "renameFiles" : { 46 | "/etc/etcd/etcd.conf" : "$CONF_DIRECTORY/$NAME/etcd.conf", 47 | "/usr/local/bin/etcdctl" : "/usr/local/bin/${NAME}ctl" 48 | } 49 | } 50 | 51 | -------------------------------------------------------------------------------- /docker-centos/cccp.yml: -------------------------------------------------------------------------------- 1 | # This is for the purpose of building containers on the CentOS Community Container 2 | # Pipeline. The containers are built, tested and delivered to registry.centos.org and 3 | # lifecycled as well. A corresponding entry must exist in the container index itself, 4 | # located at https://github.com/CentOS/container-index/tree/master/index.d 5 | # You can know more at the following links: 6 | # * https://github.com/CentOS/container-pipeline-service/blob/master/README.md 7 | # * https://github.com/CentOS/container-index/blob/master/README.rst 8 | # * https://wiki.centos.org/ContainerPipeline 9 | 10 | # This will be part of the name of the container. 
It should match the job-id in the index entry 11 | job-id: docker 12 | 13 | # the following are optional and can be left blank 14 | # defaults, where applicable, are filled in 15 | #nulecule-file : nulecule 16 | 17 | # This flag tells the container pipeline to skip the user-defined tests for this container 18 | test-skip : True 19 | 20 | # This is the path of the script that initiates the user-defined tests. It must be able to 21 | # return an exit code. 22 | test-script : null 23 | 24 | # This is the path of the custom build script. 25 | build-script : null 26 | 27 | # This is the path of the custom delivery script 28 | delivery-script : null 29 | 30 | # This flag tells the pipeline to deliver this container to docker hub. 31 | docker-index : True 32 | 33 | # This flag can be used to enable or disable the custom delivery 34 | custom-delivery : False 35 | 36 | # This flag can be used to enable or disable delivery of the container to the local registry 37 | local-delivery : True 38 | 39 | Upstreams : 40 | - ref : 41 | url : 42 | -------------------------------------------------------------------------------- /net-snmp/help.md: -------------------------------------------------------------------------------- 1 | # NAME 2 | net-snmp - net-snmp as a system container 3 | 4 | 5 | # DESCRIPTION 6 | 7 | This container includes: 8 | 9 | * snmpd daemon 10 | * snmptrapd daemon 11 | * snmp tools 12 | 13 | 14 | # USAGE 15 | Pull from registry into ostree: 16 | 17 | ``` 18 | # atomic pull --storage ostree $REGISTRY/net-snmp 19 | ``` 20 | 21 | Or alternatively, pull from local docker: 22 | 23 | ``` 24 | # atomic pull --storage ostree docker:net-snmp:latest 25 | ``` 26 | 27 | Install the container: 28 | 29 | Currently we recommend using --system-package=no to avoid having rpmbuild create an rpm file 30 | during installation. This flag will tell the atomic CLI to fall back to copying files to the 31 | host instead. 
32 | 33 | ``` 34 | # atomic install --system --system-package=no --name=net-snmp $REGISTRY/net-snmp 35 | ``` 36 | 37 | Start as a systemd service: 38 | 39 | ``` 40 | # systemctl start net-snmp 41 | ``` 42 | 43 | Stopping the service 44 | 45 | ``` 46 | # systemctl stop net-snmp 47 | ``` 48 | 49 | Removing the container 50 | 51 | ``` 52 | # atomic uninstall net-snmp 53 | ``` 54 | 55 | Executing Commands 56 | 57 | ``` 58 | # atomic run --storage ostree net-snmp $COMMAND $ARGS 59 | ``` 60 | 61 | Commands Provided 62 | 63 | * agentxtrap 64 | * encode_keychange 65 | * net-snmp-create-v3-user 66 | * snmpbulkget 67 | * snmpbulkwalk 68 | * snmpconf 69 | * snmpdelta 70 | * snmpdf 71 | * snmpget 72 | * snmpgetnext 73 | * snmpinform 74 | * snmpnetstat 75 | * snmpset 76 | * snmpstatus 77 | * snmptable 78 | * snmptest 79 | * snmptls 80 | * snmptranslate 81 | * snmptrap 82 | * snmpusm 83 | * snmpvacm 84 | * snmpwalk 85 | 86 | For more information see the [net-snmp website](http://www.net-snmp.org/). 87 | -------------------------------------------------------------------------------- /net-snmp/README.md: -------------------------------------------------------------------------------- 1 | # net-snmp 2 | 3 | This is net-snmp as a system container which includes: 4 | 5 | - snmpd daemon 6 | - snmptrapd daemon 7 | - snmp tools 8 | 9 | ## Building the image from source: 10 | 11 | ``` 12 | # git clone https://github.com/projectatomic/atomic-system-containers 13 | # cd atomic-system-containers/net-snmp 14 | # docker build -t net-snmp . 
15 | ``` 16 | 17 | ## Running the system container, with the atomic CLI: 18 | 19 | Pull from registry into ostree: 20 | 21 | ``` 22 | # atomic pull --storage ostree $REGISTRY/net-snmp 23 | ``` 24 | 25 | Or alternatively, pull from local docker: 26 | 27 | ``` 28 | # atomic pull --storage ostree docker:net-snmp:latest 29 | ``` 30 | 31 | Install the container: 32 | 33 | Currently we recommend using --system-package=no to avoid having rpmbuild create an rpm file 34 | during installation. This flag will tell the atomic CLI to fall back to copying files to the 35 | host instead. 36 | 37 | ``` 38 | # atomic install --system --system-package=no --name=net-snmp $REGISTRY/net-snmp 39 | ``` 40 | 41 | Start as a systemd service: 42 | 43 | ``` 44 | # systemctl start net-snmp 45 | ``` 46 | 47 | Stopping the service 48 | 49 | ``` 50 | # systemctl stop net-snmp 51 | ``` 52 | 53 | Removing the container 54 | 55 | ``` 56 | # atomic uninstall net-snmp 57 | ``` 58 | 59 | Executing Commands 60 | ``` 61 | # atomic run --storage ostree net-snmp $COMMAND $ARGS 62 | ``` 63 | 64 | Commands Provided 65 | 66 | - agentxtrap 67 | - encode_keychange 68 | - net-snmp-create-v3-user 69 | - snmpbulkget 70 | - snmpbulkwalk 71 | - snmpconf 72 | - snmpdelta 73 | - snmpdf 74 | - snmpget 75 | - snmpgetnext 76 | - snmpinform 77 | - snmpnetstat 78 | - snmpset 79 | - snmpstatus 80 | - snmptable 81 | - snmptest 82 | - snmptls 83 | - snmptranslate 84 | - snmptrap 85 | - snmpusm 86 | - snmpvacm 87 | - snmpwalk 88 | 89 | For more information see the [net-snmp website](http://www.net-snmp.org/). 
90 | -------------------------------------------------------------------------------- /open-vm-tools-centos/README.md: -------------------------------------------------------------------------------- 1 | # open-vm-tools-centos-container 2 | # This container is for use on a VMware virtual machine 3 | # It manages the VM for use with VMware's management suite with vCenter and vSphere 4 | 5 | Building open-vm-tools-centos container for fedora and atomic host: 6 | 7 | ``` 8 | # git clone https://github.com/projectatomic/atomic-system-containers 9 | # cd atomic-system-containers/open-vm-tools-centos 10 | # docker build --rm -t open-vm-tools-centos . 11 | ``` 12 | 13 | ## As a docker container: 14 | 15 | **Instructions for CentOS** 16 | 17 | Running open-vm-tools-centos container 18 | 19 | ``` 20 | # docker run --privileged -v /proc/:/hostproc/ -v /sys/fs/cgroup:/sys/fs/cgroup -v /var/log:/var/log -v /run/systemd:/run/systemd -v /sysroot:/sysroot -v=/var/lib/sss/pipes/:/var/lib/sss/pipes/:rw -v /etc/passwd:/etc/passwd -v /etc/shadow:/etc/shadow -v /tmp:/tmp:rw -v /etc/sysconfig:/etc/sysconfig:rw -v /etc/resolv.conf:/etc/resolv.conf:rw -v /etc/nsswitch.conf:/etc/nsswitch.conf:rw -v /etc/hosts:/etc/hosts:rw -v /etc/hostname:/etc/hostname:rw -v /etc/localtime:/etc/localtime:rw -v /etc/adjtime:/etc/adjtime --env container=docker --net=host --pid=host 21 | ``` 22 | 23 | **Instructions for Atomic** 24 | 25 | Installing open-vm-tools-centos container on atomic host: 26 | 27 | ``` 28 | # atomic install open-vm-tools-centos 29 | ``` 30 | 31 | Running open-vm-tools-centos container on atomic host: 32 | 33 | ``` 34 | # atomic run open-vm-tools-centos 35 | ``` 36 | 37 | Stopping open-vm-tools-centos container on atomic host: 38 | 39 | ``` 40 | # atomic stop open-vm-tools-centos 41 | ``` 42 | 43 | Uninstalling open-vm-tools-centos container on atomic host: 44 | 45 | ``` 46 | # atomic uninstall open-vm-tools-centos 47 | ``` 48 | 49 | ## As a system container, with the atomic CLI: 50 | 
51 | Pull from local docker into ostree: 52 | 53 | ``` 54 | # atomic pull --storage ostree docker:open-vm-tools-centos:latest 55 | ``` 56 | 57 | Install the container: 58 | 59 | ``` 60 | # atomic install --system open-vm-tools-centos 61 | ``` 62 | 63 | Start as a systemd service: 64 | 65 | ``` 66 | # systemctl start open-vm-tools-centos 67 | ``` 68 | 69 | Stopping the service 70 | 71 | ``` 72 | # systemctl stop open-vm-tools-centos 73 | ``` 74 | 75 | Removing the container 76 | 77 | ``` 78 | # atomic uninstall open-vm-tools-centos 79 | ``` 80 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # System Containers 2 | 3 | As part of our effort to reduce the number of packages that are shipped with 4 | the Atomic Host image, we faced the problem of how to containerize services 5 | that need to run before a container runtime, like the upstream docker 6 | daemon, is running. The result: *system containers*: a way to run containers 7 | in production using read-only images. 8 | 9 | A system container is a container that is executed from a systemd unit file 10 | early in boot, using runc. The specified IMAGE must be a system image 11 | already fetched. If it is not already present, atomic will attempt to fetch it 12 | assuming it is an OCI image. Installing a system container consists of 13 | checking out the image, by default under /var/lib/containers/atomic/, and 14 | generating the configuration files for runc and systemd. OSTree and runc are 15 | required for this feature to be available. 16 | 17 | System containers use different technologies: 18 | 19 | * We use the [atomic](https://github.com/projectatomic/atomic) tool to install 20 | system containers. 
21 | * [Labels](LABELS.md) can influence how the *atomic tool* uses a system container 22 | * Specific [files](FILES.md) are required to be part of a valid system image 23 | * For storage, system containers do not need to use COW file systems, since 24 | they are in production. We default to using OSTree for storage of the 25 | container images. 26 | * The *atomic tool* does not use upstream docker to pull the container images; 27 | instead we use the [Skopeo](https://github.com/projectatomic/skopeo) tool to pull images from a container registry. 28 | * When you *atomic install* a system container, the tool will look for a systemd unit file template in the /exports directory and will create a systemd unit file to run the container on the host. 29 | * The unit file uses [runc](https://github.com/opencontainers/runc) to create and run the containers. 30 | * [systemd](https://github.com/systemd/systemd) manages the lifecycle of the container. 31 | 32 | To use system containers you must have Atomic CLI version 1.12 or later and the 33 | ostree utility installed. 
34 | 35 | For more information on system containers see: 36 | 37 | - [Basic usage](USAGE.md) 38 | - http://www.projectatomic.io/blog/2016/09/intro-to-system-containers 39 | - http://www.projectatomic.io/blog/2017/06/creating-system-containers/ 40 | - http://www.projectatomic.io/blog/2017/09/running-kubernetes-on-fedora-atomic-26/ 41 | -------------------------------------------------------------------------------- /hello-world/config.json.template: -------------------------------------------------------------------------------- 1 | { 2 | "ociVersion": "0.3.0", 3 | "platform": { 4 | "os": "linux", 5 | "arch": "amd64" 6 | }, 7 | "process": { 8 | "terminal": false, 9 | "user": { 10 | "uid": 0, 11 | "gid": 0 12 | }, 13 | "args": [ 14 | "/usr/bin/run.sh" 15 | ], 16 | "env": [ 17 | "PORT=$PORT", 18 | "RECEIVER=$RECEIVER", 19 | "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", 20 | "TERM=xterm" 21 | ], 22 | "cwd": "/" 23 | }, 24 | "root": { 25 | "path": "rootfs", 26 | "readonly": true 27 | }, 28 | "mounts": [ 29 | { 30 | "destination": "/proc", 31 | "type": "proc", 32 | "source": "proc" 33 | }, 34 | { 35 | "destination": "/dev", 36 | "type": "tmpfs", 37 | "source": "tmpfs", 38 | "options": [ 39 | "nosuid", 40 | "strictatime", 41 | "mode=755", 42 | "size=65536k" 43 | ] 44 | }, 45 | { 46 | "destination": "/dev/pts", 47 | "type": "devpts", 48 | "source": "devpts", 49 | "options": [ 50 | "nosuid", 51 | "noexec", 52 | "newinstance", 53 | "ptmxmode=0666", 54 | "mode=0620", 55 | "gid=5" 56 | ] 57 | }, 58 | { 59 | "destination": "/dev/shm", 60 | "type": "tmpfs", 61 | "source": "shm", 62 | "options": [ 63 | "nosuid", 64 | "noexec", 65 | "nodev", 66 | "mode=1777", 67 | "size=65536k" 68 | ] 69 | }, 70 | { 71 | "destination": "/dev/mqueue", 72 | "type": "mqueue", 73 | "source": "mqueue", 74 | "options": [ 75 | "nosuid", 76 | "noexec", 77 | "nodev" 78 | ] 79 | }, 80 | { 81 | "destination": "/sys", 82 | "type": "sysfs", 83 | "source": "sysfs", 84 | "options": [ 85 | 
"nosuid", 86 | "noexec", 87 | "nodev" 88 | ] 89 | }, 90 | { 91 | "destination": "/sys/fs/cgroup", 92 | "type": "cgroup", 93 | "source": "cgroup", 94 | "options": [ 95 | "nosuid", 96 | "noexec", 97 | "nodev", 98 | "relatime", 99 | "ro" 100 | ] 101 | } 102 | ], 103 | "hooks": {}, 104 | "linux": { 105 | "capabilities": [ 106 | "CAP_AUDIT_WRITE", 107 | "CAP_KILL", 108 | "CAP_NET_BIND_SERVICE" 109 | ], 110 | "rlimits": [ 111 | { 112 | "type": "RLIMIT_NOFILE", 113 | "hard": 1024, 114 | "soft": 1024 115 | } 116 | ], 117 | "resources": { 118 | "devices": [ 119 | { 120 | "allow": false, 121 | "access": "rwm" 122 | } 123 | ] 124 | }, 125 | "namespaces": [ 126 | { 127 | "type": "pid" 128 | }, 129 | { 130 | "type": "ipc" 131 | }, 132 | { 133 | "type": "mount" 134 | } 135 | ] 136 | } 137 | } 138 | -------------------------------------------------------------------------------- /kubernetes-scheduler/config.json.template: -------------------------------------------------------------------------------- 1 | { 2 | "ociVersion": "1.0.0", 3 | "platform": { 4 | "os": "linux", 5 | "arch": "amd64" 6 | }, 7 | "process": { 8 | "terminal": false, 9 | "user": { 10 | "uid": 996, 11 | "gid": 994 12 | }, 13 | "args": [ 14 | "/usr/bin/kube-scheduler-docker.sh" 15 | ], 16 | "env": [ 17 | "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", 18 | "TERM=xterm" 19 | ], 20 | "cwd": "/", 21 | "capabilities": { 22 | "bounding": [ 23 | "CAP_AUDIT_WRITE", 24 | "CAP_KILL", 25 | "CAP_NET_BIND_SERVICE", 26 | "CAP_DAC_READ_SEARCH" 27 | ], 28 | "permitted": [ 29 | "CAP_AUDIT_WRITE", 30 | "CAP_KILL", 31 | "CAP_NET_BIND_SERVICE", 32 | "CAP_DAC_READ_SEARCH" 33 | ], 34 | "inheritable": [ 35 | "CAP_AUDIT_WRITE", 36 | "CAP_KILL", 37 | "CAP_NET_BIND_SERVICE", 38 | "CAP_DAC_READ_SEARCH" 39 | ], 40 | "effective": [ 41 | "CAP_AUDIT_WRITE", 42 | "CAP_KILL", 43 | "CAP_NET_BIND_SERVICE", 44 | "CAP_DAC_READ_SEARCH" 45 | ], 46 | "ambient": [ 47 | "CAP_AUDIT_WRITE", 48 | "CAP_KILL", 49 | 
"CAP_NET_BIND_SERVICE", 50 | "CAP_DAC_READ_SEARCH" 51 | ] 52 | }, 53 | "rlimits": [ 54 | { 55 | "type": "RLIMIT_NOFILE", 56 | "hard": 1024, 57 | "soft": 1024 58 | } 59 | ] 60 | }, 61 | "root": { 62 | "path": "rootfs", 63 | "readonly": true 64 | }, 65 | "mounts": [ 66 | { 67 | "destination": "/proc", 68 | "type": "proc", 69 | "source": "proc" 70 | }, 71 | { 72 | "destination": "/dev", 73 | "type": "tmpfs", 74 | "source": "tmpfs", 75 | "options": [ 76 | "nosuid", 77 | "strictatime", 78 | "mode=755", 79 | "size=65536k" 80 | ] 81 | }, 82 | { 83 | "destination": "/dev/pts", 84 | "type": "devpts", 85 | "source": "devpts", 86 | "options": [ 87 | "nosuid", 88 | "noexec", 89 | "newinstance", 90 | "ptmxmode=0666", 91 | "mode=0620", 92 | "gid=5" 93 | ] 94 | }, 95 | { 96 | "destination": "/dev/shm", 97 | "type": "tmpfs", 98 | "source": "shm", 99 | "options": [ 100 | "nosuid", 101 | "noexec", 102 | "nodev", 103 | "mode=1777", 104 | "size=65536k" 105 | ] 106 | }, 107 | { 108 | "destination": "/dev/mqueue", 109 | "type": "mqueue", 110 | "source": "mqueue", 111 | "options": [ 112 | "nosuid", 113 | "noexec", 114 | "nodev" 115 | ] 116 | }, 117 | { 118 | "destination": "/sys", 119 | "type": "sysfs", 120 | "source": "sysfs", 121 | "options": [ 122 | "nosuid", 123 | "noexec", 124 | "nodev" 125 | ] 126 | }, 127 | { 128 | "destination": "/sys/fs/cgroup", 129 | "type": "cgroup", 130 | "source": "cgroup", 131 | "options": [ 132 | "nosuid", 133 | "noexec", 134 | "nodev", 135 | "relatime", 136 | "ro" 137 | ] 138 | }, 139 | { 140 | "type": "bind", 141 | "source": "/etc/kubernetes", 142 | "destination": "/etc/kubernetes", 143 | "options": [ 144 | "rbind", 145 | "ro", 146 | "rprivate" 147 | ] 148 | }, 149 | { 150 | "destination": "/etc/resolv.conf", 151 | "type": "bind", 152 | "source": "/etc/resolv.conf", 153 | "options": [ 154 | "ro", 155 | "rbind", 156 | "rprivate" 157 | ] 158 | } 159 | ], 160 | "linux": { 161 | "resources": { 162 | "devices": [ 163 | { 164 | "allow": false, 165 | "access": 
"rwm" 166 | } 167 | ] 168 | }, 169 | "namespaces": [ 170 | { 171 | "type": "pid" 172 | }, 173 | { 174 | "type": "ipc" 175 | }, 176 | { 177 | "type": "mount" 178 | } 179 | ], 180 | "devices": null, 181 | "apparmorProfile": "" 182 | } 183 | } 184 | -------------------------------------------------------------------------------- /kubernetes-controller-manager/config.json.template: -------------------------------------------------------------------------------- 1 | { 2 | "ociVersion": "1.0.0", 3 | "platform": { 4 | "os": "linux", 5 | "arch": "amd64" 6 | }, 7 | "process": { 8 | "terminal": false, 9 | "user": { 10 | "uid": 996, 11 | "gid": 994 12 | }, 13 | "args": [ 14 | "/usr/bin/kube-controller-manager-docker.sh" 15 | ], 16 | "env": [ 17 | "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", 18 | "TERM=xterm" 19 | ], 20 | "cwd": "/", 21 | "capabilities": { 22 | "bounding": [ 23 | "CAP_AUDIT_WRITE", 24 | "CAP_KILL", 25 | "CAP_NET_BIND_SERVICE", 26 | "CAP_DAC_READ_SEARCH" 27 | ], 28 | "permitted": [ 29 | "CAP_AUDIT_WRITE", 30 | "CAP_KILL", 31 | "CAP_NET_BIND_SERVICE", 32 | "CAP_DAC_READ_SEARCH" 33 | ], 34 | "inheritable": [ 35 | "CAP_AUDIT_WRITE", 36 | "CAP_KILL", 37 | "CAP_NET_BIND_SERVICE", 38 | "CAP_DAC_READ_SEARCH" 39 | ], 40 | "effective": [ 41 | "CAP_AUDIT_WRITE", 42 | "CAP_KILL", 43 | "CAP_NET_BIND_SERVICE", 44 | "CAP_DAC_READ_SEARCH" 45 | ], 46 | "ambient": [ 47 | "CAP_AUDIT_WRITE", 48 | "CAP_KILL", 49 | "CAP_NET_BIND_SERVICE", 50 | "CAP_DAC_READ_SEARCH" 51 | ] 52 | }, 53 | "rlimits": [ 54 | { 55 | "type": "RLIMIT_NOFILE", 56 | "hard": 1024, 57 | "soft": 1024 58 | } 59 | ] 60 | }, 61 | "root": { 62 | "path": "rootfs", 63 | "readonly": true 64 | }, 65 | "mounts": [ 66 | { 67 | "destination": "/proc", 68 | "type": "proc", 69 | "source": "proc" 70 | }, 71 | { 72 | "destination": "/dev", 73 | "type": "tmpfs", 74 | "source": "tmpfs", 75 | "options": [ 76 | "nosuid", 77 | "strictatime", 78 | "mode=755", 79 | "size=65536k" 80 | ] 81 | }, 82 | { 83 | 
"destination": "/dev/pts", 84 | "type": "devpts", 85 | "source": "devpts", 86 | "options": [ 87 | "nosuid", 88 | "noexec", 89 | "newinstance", 90 | "ptmxmode=0666", 91 | "mode=0620", 92 | "gid=5" 93 | ] 94 | }, 95 | { 96 | "destination": "/dev/shm", 97 | "type": "tmpfs", 98 | "source": "shm", 99 | "options": [ 100 | "nosuid", 101 | "noexec", 102 | "nodev", 103 | "mode=1777", 104 | "size=65536k" 105 | ] 106 | }, 107 | { 108 | "destination": "/dev/mqueue", 109 | "type": "mqueue", 110 | "source": "mqueue", 111 | "options": [ 112 | "nosuid", 113 | "noexec", 114 | "nodev" 115 | ] 116 | }, 117 | { 118 | "destination": "/sys", 119 | "type": "sysfs", 120 | "source": "sysfs", 121 | "options": [ 122 | "nosuid", 123 | "noexec", 124 | "nodev" 125 | ] 126 | }, 127 | { 128 | "destination": "/sys/fs/cgroup", 129 | "type": "cgroup", 130 | "source": "cgroup", 131 | "options": [ 132 | "nosuid", 133 | "noexec", 134 | "nodev", 135 | "relatime", 136 | "ro" 137 | ] 138 | }, 139 | { 140 | "type": "bind", 141 | "source": "/etc/kubernetes", 142 | "destination": "/etc/kubernetes", 143 | "options": [ 144 | "rbind", 145 | "ro", 146 | "rprivate" 147 | ] 148 | }, 149 | { 150 | "destination": "/etc/resolv.conf", 151 | "type": "bind", 152 | "source": "/etc/resolv.conf", 153 | "options": [ 154 | "ro", 155 | "rbind", 156 | "rprivate" 157 | ] 158 | } 159 | ], 160 | "linux": { 161 | "resources": { 162 | "devices": [ 163 | { 164 | "allow": false, 165 | "access": "rwm" 166 | } 167 | ] 168 | }, 169 | "namespaces": [ 170 | { 171 | "type": "pid" 172 | }, 173 | { 174 | "type": "ipc" 175 | }, 176 | { 177 | "type": "mount" 178 | } 179 | ], 180 | "devices": null, 181 | "apparmorProfile": "" 182 | } 183 | } 184 | -------------------------------------------------------------------------------- /kubernetes-apiserver/config.json.template: -------------------------------------------------------------------------------- 1 | { 2 | "ociVersion": "1.0.0", 3 | "platform": { 4 | "os": "linux", 5 | "arch": "amd64" 6 | }, 
7 | "process": { 8 | "terminal": false, 9 | "user": { 10 | "uid": 996, 11 | "gid": 994 12 | }, 13 | "args": [ 14 | "/usr/bin/kube-apiserver-docker.sh" 15 | ], 16 | "env": [ 17 | "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", 18 | "TERM=xterm" 19 | ], 20 | "cwd": "/", 21 | "capabilities": { 22 | "bounding": [ 23 | "CAP_AUDIT_WRITE", 24 | "CAP_KILL", 25 | "CAP_NET_BIND_SERVICE", 26 | "CAP_DAC_READ_SEARCH" 27 | ], 28 | "permitted": [ 29 | "CAP_AUDIT_WRITE", 30 | "CAP_KILL", 31 | "CAP_NET_BIND_SERVICE", 32 | "CAP_DAC_READ_SEARCH" 33 | ], 34 | "inheritable": [ 35 | "CAP_AUDIT_WRITE", 36 | "CAP_KILL", 37 | "CAP_NET_BIND_SERVICE", 38 | "CAP_DAC_READ_SEARCH" 39 | ], 40 | "effective": [ 41 | "CAP_AUDIT_WRITE", 42 | "CAP_KILL", 43 | "CAP_NET_BIND_SERVICE", 44 | "CAP_DAC_READ_SEARCH" 45 | ], 46 | "ambient": [ 47 | "CAP_AUDIT_WRITE", 48 | "CAP_KILL", 49 | "CAP_NET_BIND_SERVICE", 50 | "CAP_DAC_READ_SEARCH" 51 | ] 52 | }, 53 | "rlimits": [ 54 | { 55 | "type": "RLIMIT_NOFILE", 56 | "hard": 1024, 57 | "soft": 1024 58 | } 59 | ] 60 | }, 61 | "root": { 62 | "path": "rootfs", 63 | "readonly": true 64 | }, 65 | "mounts": [ 66 | { 67 | "destination": "/proc", 68 | "type": "proc", 69 | "source": "proc" 70 | }, 71 | { 72 | "destination": "/dev", 73 | "type": "tmpfs", 74 | "source": "tmpfs", 75 | "options": [ 76 | "nosuid", 77 | "strictatime", 78 | "mode=755", 79 | "size=65536k" 80 | ] 81 | }, 82 | { 83 | "destination": "/dev/pts", 84 | "type": "devpts", 85 | "source": "devpts", 86 | "options": [ 87 | "nosuid", 88 | "noexec", 89 | "newinstance", 90 | "ptmxmode=0666", 91 | "mode=0620", 92 | "gid=5" 93 | ] 94 | }, 95 | { 96 | "destination": "/dev/shm", 97 | "type": "tmpfs", 98 | "source": "shm", 99 | "options": [ 100 | "nosuid", 101 | "noexec", 102 | "nodev", 103 | "mode=1777", 104 | "size=65536k" 105 | ] 106 | }, 107 | { 108 | "destination": "/dev/mqueue", 109 | "type": "mqueue", 110 | "source": "mqueue", 111 | "options": [ 112 | "nosuid", 113 | "noexec", 114 | 
"nodev" 115 | ] 116 | }, 117 | { 118 | "destination": "/sys", 119 | "type": "sysfs", 120 | "source": "sysfs", 121 | "options": [ 122 | "nosuid", 123 | "noexec", 124 | "nodev" 125 | ] 126 | }, 127 | { 128 | "destination": "/sys/fs/cgroup", 129 | "type": "cgroup", 130 | "source": "cgroup", 131 | "options": [ 132 | "nosuid", 133 | "noexec", 134 | "nodev", 135 | "relatime", 136 | "ro" 137 | ] 138 | }, 139 | { 140 | "type": "bind", 141 | "source": "/etc/kubernetes", 142 | "destination": "/etc/kubernetes", 143 | "options": [ 144 | "rbind", 145 | "ro", 146 | "rprivate" 147 | ] 148 | }, 149 | { 150 | "destination": "/etc/resolv.conf", 151 | "type": "bind", 152 | "source": "/etc/resolv.conf", 153 | "options": [ 154 | "ro", 155 | "rbind", 156 | "rprivate" 157 | ] 158 | }, 159 | { 160 | "destination": "/var/run/kubernetes", 161 | "type": "bind", 162 | "source": "/var/run/kubernetes", 163 | "options": [ 164 | "rw", 165 | "rbind" 166 | ] 167 | } 168 | ], 169 | "linux": { 170 | "resources": { 171 | "devices": [ 172 | { 173 | "allow": false, 174 | "access": "rwm" 175 | } 176 | ] 177 | }, 178 | "namespaces": [ 179 | { 180 | "type": "pid" 181 | }, 182 | { 183 | "type": "ipc" 184 | }, 185 | { 186 | "type": "mount" 187 | } 188 | ], 189 | "devices": null, 190 | "apparmorProfile": "" 191 | } 192 | } 193 | -------------------------------------------------------------------------------- /qemu-guest-agent/config.json.template: -------------------------------------------------------------------------------- 1 | { 2 | 3 | "ociVersion": "1.0.0-rc3", 4 | "platform": { 5 | "os": "linux", 6 | "arch": "amd64" 7 | }, 8 | "process": { 9 | "terminal": false, 10 | "user": { 11 | "uid": 0, 12 | "gid": 0 13 | }, 14 | "args": [ 15 | "/usr/bin/qemu-ga" 16 | ], 17 | "env": [ 18 | "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", 19 | "TERM=xterm", 20 | "HOST=/host", 21 | "container=1", 22 | "IMAGE=qemu-guest-agent", 23 | "NAME=qemu-guest-agent" 24 | ], 25 | "cwd": "/", 26 | 
"capabilities": [ 27 | "CAP_CHOWN", 28 | "CAP_DAC_OVERRIDE", 29 | "CAP_DAC_READ_SEARCH", 30 | "CAP_FOWNER", 31 | "CAP_FSETID", 32 | "CAP_KILL", 33 | "CAP_SETGID", 34 | "CAP_SETUID", 35 | "CAP_SETPCAP", 36 | "CAP_LINUX_IMMUTABLE", 37 | "CAP_NET_BIND_SERVICE", 38 | "CAP_NET_BROADCAST", 39 | "CAP_NET_ADMIN", 40 | "CAP_NET_RAW", 41 | "CAP_IPC_LOCK", 42 | "CAP_IPC_OWNER", 43 | "CAP_SYS_MODULE", 44 | "CAP_SYS_RAWIO", 45 | "CAP_SYS_CHROOT", 46 | "CAP_SYS_PTRACE", 47 | "CAP_SYS_PACCT", 48 | "CAP_SYS_ADMIN", 49 | "CAP_SYS_BOOT", 50 | "CAP_SYS_NICE", 51 | "CAP_SYS_RESOURCE", 52 | "CAP_SYS_TIME", 53 | "CAP_SYS_TTY_CONFIG", 54 | "CAP_MKNOD", 55 | "CAP_LEASE", 56 | "CAP_SETFCAP", 57 | "CAP_MAC_OVERRIDE", 58 | "CAP_MAC_ADMIN", 59 | "CAP_SYSLOG", 60 | "CAP_WAKE_ALARM", 61 | "CAP_BLOCK_SUSPEND" 62 | ], 63 | "rlimits": [ 64 | { 65 | "type": "RLIMIT_NOFILE", 66 | "hard": 1024, 67 | "soft": 1024 68 | } 69 | ] 70 | }, 71 | "root": { 72 | "path": "rootfs", 73 | "readonly": true 74 | }, 75 | "mounts": [ 76 | { 77 | "destination": "/proc", 78 | "type": "proc", 79 | "source": "proc" 80 | }, 81 | { 82 | "destination": "/dev", 83 | "type": "tmpfs", 84 | "source": "tmpfs", 85 | "options": [ 86 | "nosuid", 87 | "strictatime", 88 | "mode=755", 89 | "size=65536k" 90 | ] 91 | }, 92 | { 93 | "destination": "/dev/pts", 94 | "type": "devpts", 95 | "source": "devpts", 96 | "options": [ 97 | "nosuid", 98 | "noexec", 99 | "newinstance", 100 | "ptmxmode=0666", 101 | "mode=0620", 102 | "gid=5" 103 | ] 104 | }, 105 | { 106 | "destination": "/dev/shm", 107 | "type": "tmpfs", 108 | "source": "shm", 109 | "options": [ 110 | "nosuid", 111 | "noexec", 112 | "nodev", 113 | "mode=1777", 114 | "size=65536k" 115 | ] 116 | }, 117 | { 118 | "destination": "/dev/mqueue", 119 | "type": "mqueue", 120 | "source": "mqueue", 121 | "options": [ 122 | "nosuid", 123 | "noexec", 124 | "nodev" 125 | ] 126 | }, 127 | { 128 | "destination": "/sys", 129 | "type": "sysfs", 130 | "source": "sysfs", 131 | "options": [ 132 | 
"nosuid", 133 | "noexec", 134 | "nodev", 135 | "rw" 136 | ] 137 | }, 138 | { 139 | "destination": "/tmp", 140 | "type": "tmpfs", 141 | "source": "tmpfs", 142 | "options": [ 143 | "rw", 144 | "noexec", 145 | "nosuid", 146 | "nodev", 147 | "size=65536k" 148 | ] 149 | }, 150 | { 151 | "destination": "/run", 152 | "type": "tmpfs", 153 | "source": "tmpfs", 154 | "options": [ 155 | "rw", 156 | "noexec", 157 | "nosuid", 158 | "nodev", 159 | "size=65536k" 160 | ] 161 | }, 162 | { 163 | "destination": "/dev/virtio-ports", 164 | "type": "bind", 165 | "source": "/dev/virtio-ports", 166 | "options": [ 167 | "rw", 168 | "bind" 169 | ] 170 | }, 171 | { 172 | "destination": "/host", 173 | "type": "bind", 174 | "source": "/", 175 | "options": [ 176 | "rw", 177 | "bind" 178 | ] 179 | }, 180 | { 181 | "source": "/etc/os-release", 182 | "destination": "/etc/os-release", 183 | "type": "bind", 184 | "options": [ 185 | "ro", 186 | "bind" 187 | ] 188 | }, 189 | { 190 | "source": "/etc/redhat-release", 191 | "destination": "/etc/redhat-release", 192 | "type": "bind", 193 | "options": [ 194 | "ro", 195 | "bind" 196 | ] 197 | }, 198 | { 199 | "source": "/var/log/qemu-ga", 200 | "destination": "/var/log/qemu-ga", 201 | "type": "bind", 202 | "options": [ 203 | "rw", 204 | "bind" 205 | ] 206 | }, 207 | { 208 | "destination": "/hostproc", 209 | "type": "bind", 210 | "source": "/proc", 211 | "options": [ 212 | "rw", 213 | "bind" 214 | ] 215 | }, 216 | { 217 | "destination": "/dev", 218 | "type": "bind", 219 | "source": "/dev", 220 | "options": [ 221 | "rw", 222 | "bind" 223 | ] 224 | }, 225 | { 226 | "destination": "/dev/pts", 227 | "type": "devpts", 228 | "source": "devpts", 229 | "options": [ 230 | "nosuid", 231 | "noexec", 232 | "newinstance", 233 | "ptmxmode=0666", 234 | "mode=0620", 235 | "gid=5" 236 | ] 237 | } 238 | ], 239 | "hooks": {}, 240 | "linux": { 241 | "resources": { 242 | "devices": [ 243 | { 244 | "allow": true, 245 | "access": "rwm" 246 | } 247 | ] 248 | }, 249 | "namespaces": 
[ 250 | { "type": "mount"} 251 | ], 252 | "devices": [ 253 | { 254 | "path": "/dev/vport2p1", 255 | "type": "c", 256 | "major": 249, 257 | "minor": 1, 258 | "fileMode": 8576, 259 | "uid": 0, 260 | "gid": 0 261 | }, 262 | { 263 | "path": "/dev/vport2p2", 264 | "type": "c", 265 | "major": 249, 266 | "minor": 2, 267 | "fileMode": 8576, 268 | "uid": 0, 269 | "gid": 0 270 | }, 271 | { 272 | "path": "/dev/vport2p3", 273 | "type": "c", 274 | "major": 249, 275 | "minor": 3, 276 | "fileMode": 8576, 277 | "uid": 0, 278 | "gid": 0 279 | } 280 | ] 281 | } 282 | } 283 | 284 | -------------------------------------------------------------------------------- /LABELS.md: -------------------------------------------------------------------------------- 1 | # Labels 2 | 3 | The following lays out common and recommended labels to use with 4 | System Containers. 5 | 6 | 7 | ## architecture 8 | 9 | Describes the architecture of the image. 10 | 11 | This label is RECOMMENDED. It is REQUIRED for Fedora. 12 | 13 | ### Example 14 | ``` 15 | architecture="x86_64" 16 | ``` 17 | 18 | 19 | ## atomic.run 20 | 21 | Denotes the type of run to the atomic command. This label should be provided 22 | and set to once if the resulting install of this image should be executed 23 | and then removed. 24 | 25 | **Options**: once 26 | 27 | ### Example 28 | ``` 29 | atomic.run="once" 30 | ``` 31 | 32 | 33 | ## atomic.type 34 | 35 | Denotes the type of image to the atomic command. If the image is to be used 36 | as a system container only, then this label should be provided and set to 37 | system. 38 | 39 | This label MUST be used if the image is for use as a system container only. 40 | 41 | **Options**: system 42 | 43 | ### Example 44 | ``` 45 | atomic.type="system" 46 | ``` 47 | 48 | ## authoritative-source-url 49 | 50 | The official location the image is published and available. 
51 | 52 | ### Example 53 | ``` 54 | authoritative-source-url="https://example.org/registry/myimage" 55 | ``` 56 | 57 | 58 | ## build-date 59 | 60 | The RFC-3339 date the image was built. 61 | 62 | ### Example 63 | ``` 64 | build-date="2017-12-01T10:30:30Z" 65 | ``` 66 | 67 | 68 | ## com.redhat.component 69 | 70 | Denotes the [Red Hat Bugzilla](https://bugzilla.redhat.com) component 71 | related to this image. 72 | 73 | This label is REQUIRED for Fedora. 74 | 75 | ### Example 76 | ``` 77 | com.redhat.component="flannel" 78 | ``` 79 | 80 | 81 | ## debug 82 | 83 | Command executed to run the image with debugging. 84 | 85 | ### Example 86 | **TODO** 87 | ``` 88 | debug="" 89 | ``` 90 | 91 | 92 | ## distribution-scope 93 | 94 | Expected scope of distribution for the image. 95 | 96 | **Options**: private, authoritative-source-only, restricted, public 97 | 98 | ### Example 99 | ``` 100 | distribution-scope="private" 101 | ``` 102 | 103 | 104 | ## help 105 | 106 | Description on how to run the container. 107 | 108 | ### Example 109 | ``` 110 | help="The following options are valid..." 111 | ``` 112 | 113 | 114 | ## install 115 | 116 | Command executed to install the image. 117 | 118 | ### Example 119 | **TODO** 120 | ``` 121 | install="" 122 | ``` 123 | 124 | 125 | ## name 126 | 127 | The name of the image. 128 | 129 | This label is RECOMMENDED. 130 | 131 | ### Example 132 | ``` 133 | name="Azure" 134 | ``` 135 | 136 | 137 | ## license 138 | 139 | License the image is under. 140 | 141 | This label is RECOMMENDED. 142 | 143 | ### Example 144 | 145 | ``` 146 | license="ASL 2.0" 147 | ``` 148 | 149 | 150 | ## maintainer 151 | 152 | The maintainer of the image in "NAME " format. 153 | 154 | This label is RECOMMENDED. 155 | 156 | ### Example 157 | 158 | ``` 159 | maintainer="Giuseppe Scrivano " 160 | ``` 161 | 162 | 163 | ## pubkey-id 164 | 165 | Email address associated with the key. 

### Example
```
pubkey-id="someaddress@example.org"
```


## pubkey-fingerprint

Fingerprint of the public key. Consumers that fetch the key from
`pubkey-url` should compare the fingerprint of the downloaded key with
this value before trusting it; a keyserver lookup on its own does not
authenticate the key.

### Example
```
pubkey-fingerprint="F5451E00F128467EEEEECDED721CACC013E83AACC"
```


## pubkey-url

Link to the downloadable public key. Prefer an HTTPS URL, and verify the
downloaded key against `pubkey-fingerprint` rather than trusting the
download alone.

### Example
```
pubkey-url="https://pgp.mit.edu/pks/lookup?op=get&search=$KEYID"
```


## sigstore-url

Host and port of the server that stores the image signatures.

### Example
```
sigstore-url="example.org:8443"
```


## sigstore-type

Type of the signature server named by `sigstore-url`.

**Options**: docker, atomic

### Example
```
sigstore-type="docker"
```


## release

The release of the image.

This label is REQUIRED for Fedora.

### Example
```
release="10.f26"
```


## run

Command executed to run the image.

### Example
**TODO**
```
run=""
```


## run_opts_file

Full path to a file listing the switches (command-line options) to use
with `run`.

### Example
```
run_opts_file="/conf/options.conf"
```


## stop

Command executed before stopping a running container.

### Example
**TODO**
```
stop=""
```


## summary

A short description of the image.

This label is RECOMMENDED.

### Example
```
summary="An etcd driven address agent, intended to be run as a system container"
```


## uninstall

Command executed to uninstall the image.

This label is REQUIRED when the install label is used.
276 | 277 | ### Example 278 | **TODO** 279 | ``` 280 | uninstall="" 281 | ``` 282 | 283 | ## url 284 | 285 | Link to more information about the image. 286 | 287 | ### Example 288 | ``` 289 | url="https://projectatomic.io/" 290 | ``` 291 | 292 | 293 | ## vcs-type 294 | 295 | The source control type used for the image source code. 296 | 297 | ### Example 298 | ``` 299 | vcs-type="git" 300 | ``` 301 | 302 | ## vcs-url 303 | 304 | The link to the source control repository. 305 | 306 | ### Example 307 | ``` 308 | vcs-url="https://github.com/example/example.git" 309 | ``` 310 | 311 | ## vcs-ref 312 | 313 | The reference to the code change this image was built from. 314 | 315 | ### Example 316 | ``` 317 | vcs-ref='7ecddccf6ee49000b1fee3d90020a8a0ddd9a765' 318 | ``` 319 | 320 | 321 | ## vendor 322 | 323 | The owner of the image. 324 | 325 | ### Example 326 | ``` 327 | vendor="Me" 328 | ``` 329 | 330 | 331 | ## version 332 | 333 | The version of the image. 334 | 335 | This label is RECOMMENDED. It is REQUIRED for Fedora. 
336 | 337 | ### Example 338 | ``` 339 | version="1.0" 340 | ``` 341 | -------------------------------------------------------------------------------- /flannel/config.json.template: -------------------------------------------------------------------------------- 1 | { 2 | "ociVersion": "1.0.0", 3 | "platform": { 4 | "os": "linux", 5 | "arch": "amd64" 6 | }, 7 | "process": { 8 | "terminal": false, 9 | "user": { 10 | "uid": 0, 11 | "gid": 0 12 | }, 13 | "args": [ 14 | "/usr/bin/flanneld-run.sh" 15 | ], 16 | "env": [ 17 | "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", 18 | "FLANNELD_ETCD_PREFIX=$FLANNELD_ETCD_PREFIX", 19 | "FLANNELD_ETCD_ENDPOINTS=$FLANNELD_ETCD_ENDPOINTS", 20 | "TERM=xterm", 21 | "NAME=$NAME" 22 | ], 23 | "cwd": "/", 24 | "capabilities": { 25 | "bounding": [ 26 | "CAP_DAC_READ_SEARCH", 27 | "CAP_AUDIT_WRITE", 28 | "CAP_KILL", 29 | "CAP_NET_BIND_SERVICE", 30 | "CAP_NET_ADMIN" 31 | ], 32 | "permitted": [ 33 | "CAP_DAC_READ_SEARCH", 34 | "CAP_AUDIT_WRITE", 35 | "CAP_KILL", 36 | "CAP_NET_BIND_SERVICE", 37 | "CAP_NET_ADMIN" 38 | ], 39 | "inheritable": [ 40 | "CAP_DAC_READ_SEARCH", 41 | "CAP_AUDIT_WRITE", 42 | "CAP_KILL", 43 | "CAP_NET_BIND_SERVICE", 44 | "CAP_NET_ADMIN" 45 | ], 46 | "effective": [ 47 | "CAP_DAC_READ_SEARCH", 48 | "CAP_AUDIT_WRITE", 49 | "CAP_KILL", 50 | "CAP_NET_BIND_SERVICE", 51 | "CAP_NET_ADMIN" 52 | ], 53 | "ambient": [ 54 | "CAP_DAC_READ_SEARCH", 55 | "CAP_AUDIT_WRITE", 56 | "CAP_KILL", 57 | "CAP_NET_BIND_SERVICE", 58 | "CAP_NET_ADMIN" 59 | ] 60 | }, 61 | "rlimits": [ 62 | { 63 | "type": "RLIMIT_NOFILE", 64 | "hard": 1024, 65 | "soft": 1024 66 | } 67 | ], 68 | "noNewPrivileges": false 69 | }, 70 | "root": { 71 | "path": "rootfs", 72 | "readonly": true 73 | }, 74 | "hostname": "flannel", 75 | "mounts": [ 76 | { 77 | "destination": "/proc", 78 | "type": "proc", 79 | "source": "proc" 80 | }, 81 | { 82 | "type": "bind", 83 | "source": "/dev", 84 | "destination": "/dev", 85 | "options": [ 86 | "rbind", 87 | "rw", 88 | 
"mode=755" 89 | ] 90 | }, 91 | { 92 | "destination": "/dev/pts", 93 | "type": "devpts", 94 | "source": "devpts", 95 | "options": [ 96 | "nosuid", 97 | "noexec", 98 | "newinstance", 99 | "ptmxmode=0666", 100 | "mode=0620", 101 | "gid=5" 102 | ] 103 | }, 104 | { 105 | "destination": "/dev/shm", 106 | "type": "tmpfs", 107 | "source": "shm", 108 | "options": [ 109 | "nosuid", 110 | "noexec", 111 | "nodev", 112 | "mode=1777", 113 | "size=65536k" 114 | ] 115 | }, 116 | { 117 | "destination": "/dev/mqueue", 118 | "type": "mqueue", 119 | "source": "mqueue", 120 | "options": [ 121 | "nosuid", 122 | "noexec", 123 | "nodev" 124 | ] 125 | }, 126 | { 127 | "destination": "/sys", 128 | "type": "sysfs", 129 | "source": "sysfs", 130 | "options": [ 131 | "nosuid", 132 | "noexec", 133 | "nodev", 134 | "ro" 135 | ] 136 | }, 137 | { 138 | "destination": "/sys/fs/cgroup", 139 | "type": "cgroup", 140 | "source": "cgroup", 141 | "options": [ 142 | "nosuid", 143 | "noexec", 144 | "nodev", 145 | "relatime", 146 | "ro" 147 | ] 148 | }, 149 | { 150 | "type": "bind", 151 | "source": "/etc/systemd/system/docker.service.d", 152 | "destination": "/etc/systemd/system/docker.service.d", 153 | "options": [ 154 | "rbind", 155 | "rw", 156 | "mode=755" 157 | ] 158 | }, 159 | { 160 | "source": "${RUN_DIRECTORY}/${NAME}", 161 | "destination": "/run/flannel", 162 | "type": "bind", 163 | "options": [ 164 | "rw", 165 | "rbind", 166 | "rprivate" 167 | ] 168 | }, 169 | { 170 | "destination": "/etc/resolv.conf", 171 | "type": "bind", 172 | "source": "/etc/resolv.conf", 173 | "options": [ 174 | "ro", 175 | "rbind", 176 | "rprivate" 177 | ] 178 | }, 179 | { 180 | "source": "/etc/sysconfig/flanneld", 181 | "destination": "/etc/sysconfig/flanneld", 182 | "type": "bind", 183 | "options": [ 184 | "rw", 185 | "rbind", 186 | "rprivate" 187 | ] 188 | }, 189 | { 190 | "source": "/etc/flanneld", 191 | "destination": "/etc/flanneld", 192 | "type": "bind", 193 | "options": [ 194 | "rw", 195 | "rbind", 196 | "rprivate" 197 
| ] 198 | } 199 | ], 200 | "hooks": {}, 201 | "linux": { 202 | "resources": { 203 | "devices": [ 204 | { 205 | "allow": true, 206 | "access": "rwm" 207 | } 208 | ] 209 | }, 210 | "namespaces": [ 211 | { 212 | "type": "ipc" 213 | }, 214 | { 215 | "type": "uts" 216 | }, 217 | { 218 | "type": "mount" 219 | } 220 | ], 221 | "maskedPaths": [ 222 | "/proc/kcore", 223 | "/proc/latency_stats", 224 | "/proc/timer_stats", 225 | "/proc/sched_debug" 226 | ], 227 | "readonlyPaths": [ 228 | "/proc/asound", 229 | "/proc/bus", 230 | "/proc/fs", 231 | "/proc/irq", 232 | "/proc/sysrq-trigger" 233 | ] 234 | } 235 | } 236 | -------------------------------------------------------------------------------- /etcd/config.json.template: -------------------------------------------------------------------------------- 1 | { 2 | "ociVersion": "1.0.0", 3 | "platform": { 4 | "os": "linux", 5 | "arch": "amd64" 6 | }, 7 | "process": { 8 | "terminal": false, 9 | "user": { 10 | "uid": 0, 11 | "gid": 0 12 | }, 13 | "args": [ 14 | "/usr/bin/etcd-env.sh", 15 | "/usr/bin/etcd" 16 | ], 17 | "env": [ 18 | "NAME=$NAME", 19 | "ETCD_NAME=$ETCD_NAME", 20 | "ETCD_DATA_DIR=$ETCD_DATA_DIR", 21 | "ETCD_ADVERTISE_CLIENT_URLS=$ETCD_ADVERTISE_CLIENT_URLS", 22 | "ETCD_LISTEN_CLIENT_URLS=$ETCD_LISTEN_CLIENT_URLS", 23 | "ETCD_INITIAL_ADVERTISE_PEER_URLS=$ETCD_INITIAL_ADVERTISE_PEER_URLS", 24 | "ETCD_LISTEN_PEER_URLS=$ETCD_LISTEN_PEER_URLS", 25 | "ETCD_INITIAL_CLUSTER=$ETCD_INITIAL_CLUSTER", 26 | "ETCD_INITIAL_CLUSTER_STATE=$ETCD_INITIAL_CLUSTER_STATE", 27 | "ETCD_WAL_DIR=$ETCD_WAL_DIR", 28 | "ETCD_SNAPSHOT_COUNT=$ETCD_SNAPSHOT_COUNT", 29 | "ETCD_HEARTBEAT_INTERVAL=$ETCD_HEARTBEAT_INTERVAL", 30 | "ETCD_ELECTION_TIMEOUT=$ETCD_ELECTION_TIMEOUT", 31 | "ETCD_MAX_SNAPSHOTS=$ETCD_MAX_SNAPSHOTS", 32 | "ETCD_MAX_WALS=$ETCD_MAX_WALS", 33 | "ETCD_CORS=$ETCD_CORS", 34 | "ETCD_INITIAL_CLUSTER_TOKEN=$ETCD_INITIAL_CLUSTER_TOKEN", 35 | "ETCD_DISCOVERY=$ETCD_DISCOVERY", 36 | "ETCD_DISCOVERY_SRV=$ETCD_DISCOVERY_SRV", 37 | 
"ETCD_DISCOVERY_FALLBACK=$ETCD_DISCOVERY_FALLBACK", 38 | "ETCD_DISCOVERY_PROXY=$ETCD_DISCOVERY_PROXY", 39 | "ETCD_PROXY=$ETCD_PROXY", 40 | "ETCD_PROXY_FAILURE_WAIT=$ETCD_PROXY_FAILURE_WAIT", 41 | "ETCD_PROXY_REFRESH_INTERVAL=$ETCD_PROXY_REFRESH_INTERVAL", 42 | "ETCD_PROXY_DIAL_TIMEOUT=$ETCD_PROXY_DIAL_TIMEOUT", 43 | "ETCD_PROXY_WRITE_TIMEOUT=$ETCD_PROXY_WRITE_TIMEOUT", 44 | "ETCD_PROXY_READ_TIMEOUT=$ETCD_PROXY_READ_TIMEOUT", 45 | "ETCD_CERT_FILE=$ETCD_CERT_FILE", 46 | "ETCD_KEY_FILE=$ETCD_KEY_FILE", 47 | "ETCD_CLIENT_CERT_AUTH=$ETCD_CLIENT_CERT_AUTH", 48 | "ETCD_TRUSTED_CA_FILE=$ETCD_TRUSTED_CA_FILE", 49 | "ETCD_PEER_CERT_FILE=$ETCD_PEER_CERT_FILE", 50 | "ETCD_PEER_KEY_FILE=$ETCD_PEER_KEY_FILE", 51 | "ETCD_PEER_CLIENT_CERT_AUTH=$ETCD_PEER_CLIENT_CERT_AUTH", 52 | "ETCD_PEER_TRUSTED_CA_FILE=$ETCD_PEER_TRUSTED_CA_FILE", 53 | "ETCD_DEBUG=$ETCD_DEBUG", 54 | "ETCD_LOG_PACKAGE_LEVELS=$ETCD_LOG_PACKAGE_LEVELS", 55 | "ETCD_STRICT_RECONFIG_CHECK=$ETCD_STRICT_RECONFIG_CHECK", 56 | "ETCD_ENABLE_PPROF=$ETCD_ENABLE_PPROF", 57 | "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", 58 | "TERM=xterm" 59 | ], 60 | "cwd": "/", 61 | "capabilities": { 62 | "bounding": [ 63 | "CAP_DAC_READ_SEARCH", 64 | "CAP_AUDIT_WRITE", 65 | "CAP_KILL", 66 | "CAP_NET_BIND_SERVICE" 67 | ], 68 | "permitted": [ 69 | "CAP_DAC_READ_SEARCH", 70 | "CAP_AUDIT_WRITE", 71 | "CAP_KILL", 72 | "CAP_NET_BIND_SERVICE" 73 | ], 74 | "inheritable": [ 75 | "CAP_DAC_READ_SEARCH", 76 | "CAP_AUDIT_WRITE", 77 | "CAP_KILL", 78 | "CAP_NET_BIND_SERVICE" 79 | ], 80 | "effective": [ 81 | "CAP_DAC_READ_SEARCH", 82 | "CAP_AUDIT_WRITE", 83 | "CAP_KILL", 84 | "CAP_NET_BIND_SERVICE" 85 | ], 86 | "ambient": [ 87 | "CAP_DAC_READ_SEARCH", 88 | "CAP_AUDIT_WRITE", 89 | "CAP_KILL", 90 | "CAP_NET_BIND_SERVICE" 91 | ] 92 | }, 93 | "rlimits": [ 94 | { 95 | "type": "RLIMIT_NOFILE", 96 | "hard": 1024, 97 | "soft": 1024 98 | } 99 | ] 100 | }, 101 | "root": { 102 | "path": "rootfs", 103 | "readonly": true 104 | }, 105 | "mounts": 
[ 106 | { 107 | "destination": "/proc", 108 | "type": "proc", 109 | "source": "proc" 110 | }, 111 | { 112 | "destination": "/dev", 113 | "type": "tmpfs", 114 | "source": "tmpfs", 115 | "options": [ 116 | "nosuid", 117 | "strictatime", 118 | "mode=755", 119 | "size=65536k" 120 | ] 121 | }, 122 | { 123 | "destination": "/dev/pts", 124 | "type": "devpts", 125 | "source": "devpts", 126 | "options": [ 127 | "nosuid", 128 | "noexec", 129 | "newinstance", 130 | "ptmxmode=0666", 131 | "mode=0620", 132 | "gid=5" 133 | ] 134 | }, 135 | { 136 | "destination": "/dev/shm", 137 | "type": "tmpfs", 138 | "source": "shm", 139 | "options": [ 140 | "nosuid", 141 | "noexec", 142 | "nodev", 143 | "mode=1777", 144 | "size=65536k" 145 | ] 146 | }, 147 | { 148 | "destination": "/dev/mqueue", 149 | "type": "mqueue", 150 | "source": "mqueue", 151 | "options": [ 152 | "nosuid", 153 | "noexec", 154 | "nodev" 155 | ] 156 | }, 157 | { 158 | "destination": "/sys", 159 | "type": "sysfs", 160 | "source": "sysfs", 161 | "options": [ 162 | "nosuid", 163 | "noexec", 164 | "nodev" 165 | ] 166 | }, 167 | { 168 | "destination": "/sys/fs/cgroup", 169 | "type": "cgroup", 170 | "source": "cgroup", 171 | "options": [ 172 | "nosuid", 173 | "noexec", 174 | "nodev", 175 | "relatime", 176 | "ro" 177 | ] 178 | }, 179 | { 180 | "type": "bind", 181 | "source": "${STATE_DIRECTORY}/etcd/${NAME}.etcd", 182 | "destination": "/var/lib/etcd", 183 | "options": [ 184 | "rbind", 185 | "rw", 186 | "mode=755" 187 | ] 188 | }, 189 | { 190 | "type": "bind", 191 | "source": "${RUN_DIRECTORY}/${NAME}", 192 | "destination": "/var/run/etcd", 193 | "options": [ 194 | "rbind", 195 | "rw", 196 | "mode=755" 197 | ] 198 | }, 199 | { 200 | "destination": "/etc/resolv.conf", 201 | "type": "bind", 202 | "source": "/etc/resolv.conf", 203 | "options": [ 204 | "ro", 205 | "rbind", 206 | "rprivate" 207 | ] 208 | }, 209 | { 210 | "type": "bind", 211 | "source": "$CONF_DIRECTORY/$NAME", 212 | "destination": "/etc/etcd/", 213 | "options": [ 214 
| "rbind", 215 | "ro", 216 | "rprivate" 217 | ] 218 | } 219 | $ADDTL_MOUNTS 220 | ], 221 | "linux": { 222 | "resources": { 223 | "devices": [ 224 | { 225 | "allow": false, 226 | "access": "rwm" 227 | } 228 | ] 229 | }, 230 | "namespaces": [ 231 | { 232 | "type": "pid" 233 | }, 234 | { 235 | "type": "ipc" 236 | }, 237 | { 238 | "type": "mount" 239 | } 240 | ], 241 | "devices": null, 242 | "apparmorProfile": "" 243 | } 244 | } 245 | -------------------------------------------------------------------------------- /net-snmp/config.json.template: -------------------------------------------------------------------------------- 1 | { 2 | "ociVersion": "1.0.0", 3 | "platform": { 4 | "os": "linux", 5 | "arch": "amd64" 6 | }, 7 | "process": { 8 | "terminal": false, 9 | "user": { 10 | "uid": 0, 11 | "gid": 0 12 | }, 13 | "args": [ 14 | "/usr/bin/run.sh" 15 | ], 16 | "env": [ 17 | "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", 18 | "TERM=xterm", 19 | "NAME=$NAME" 20 | ], 21 | "cwd": "/", 22 | "capabilities": { 23 | "bounding": [ 24 | "CAP_CHOWN", 25 | "CAP_FOWNER", 26 | "CAP_FSETID", 27 | "CAP_KILL", 28 | "CAP_SETGID", 29 | "CAP_SETUID", 30 | "CAP_SETPCAP", 31 | "CAP_LINUX_IMMUTABLE", 32 | "CAP_NET_BIND_SERVICE", 33 | "CAP_NET_BROADCAST", 34 | "CAP_NET_ADMIN", 35 | "CAP_NET_RAW", 36 | "CAP_IPC_LOCK", 37 | "CAP_IPC_OWNER", 38 | "CAP_SYS_MODULE", 39 | "CAP_SYS_RAWIO", 40 | "CAP_SYS_CHROOT", 41 | "CAP_SYS_PTRACE", 42 | "CAP_SYS_PACCT", 43 | "CAP_SYS_ADMIN", 44 | "CAP_SYS_BOOT", 45 | "CAP_SYS_NICE", 46 | "CAP_SYS_RESOURCE", 47 | "CAP_SYS_TIME", 48 | "CAP_SYS_TTY_CONFIG", 49 | "CAP_MKNOD", 50 | "CAP_LEASE", 51 | "CAP_AUDIT_WRITE", 52 | "CAP_AUDIT_CONTROL", 53 | "CAP_SETFCAP", 54 | "CAP_DAC_OVERRIDE", 55 | "CAP_MAC_OVERRIDE", 56 | "CAP_DAC_READ_SEARCH", 57 | "CAP_MAC_ADMIN", 58 | "CAP_SYSLOG", 59 | "CAP_WAKE_ALARM", 60 | "CAP_BLOCK_SUSPEND", 61 | "CAP_AUDIT_READ" 62 | ], 63 | "permitted": [ 64 | "CAP_CHOWN", 65 | "CAP_FOWNER", 66 | "CAP_FSETID", 67 | 
"CAP_KILL", 68 | "CAP_SETGID", 69 | "CAP_SETUID", 70 | "CAP_SETPCAP", 71 | "CAP_LINUX_IMMUTABLE", 72 | "CAP_NET_BIND_SERVICE", 73 | "CAP_NET_BROADCAST", 74 | "CAP_NET_ADMIN", 75 | "CAP_NET_RAW", 76 | "CAP_IPC_LOCK", 77 | "CAP_IPC_OWNER", 78 | "CAP_SYS_MODULE", 79 | "CAP_SYS_RAWIO", 80 | "CAP_SYS_CHROOT", 81 | "CAP_SYS_PTRACE", 82 | "CAP_SYS_PACCT", 83 | "CAP_SYS_ADMIN", 84 | "CAP_SYS_BOOT", 85 | "CAP_SYS_NICE", 86 | "CAP_SYS_RESOURCE", 87 | "CAP_SYS_TIME", 88 | "CAP_SYS_TTY_CONFIG", 89 | "CAP_MKNOD", 90 | "CAP_LEASE", 91 | "CAP_AUDIT_WRITE", 92 | "CAP_AUDIT_CONTROL", 93 | "CAP_SETFCAP", 94 | "CAP_DAC_OVERRIDE", 95 | "CAP_MAC_OVERRIDE", 96 | "CAP_DAC_READ_SEARCH", 97 | "CAP_MAC_ADMIN", 98 | "CAP_SYSLOG", 99 | "CAP_WAKE_ALARM", 100 | "CAP_BLOCK_SUSPEND", 101 | "CAP_AUDIT_READ" 102 | ], 103 | "inheritable": [ 104 | "CAP_CHOWN", 105 | "CAP_FOWNER", 106 | "CAP_FSETID", 107 | "CAP_KILL", 108 | "CAP_SETGID", 109 | "CAP_SETUID", 110 | "CAP_SETPCAP", 111 | "CAP_LINUX_IMMUTABLE", 112 | "CAP_NET_BIND_SERVICE", 113 | "CAP_NET_BROADCAST", 114 | "CAP_NET_ADMIN", 115 | "CAP_NET_RAW", 116 | "CAP_IPC_LOCK", 117 | "CAP_IPC_OWNER", 118 | "CAP_SYS_MODULE", 119 | "CAP_SYS_RAWIO", 120 | "CAP_SYS_CHROOT", 121 | "CAP_SYS_PTRACE", 122 | "CAP_SYS_PACCT", 123 | "CAP_SYS_ADMIN", 124 | "CAP_SYS_BOOT", 125 | "CAP_SYS_NICE", 126 | "CAP_SYS_RESOURCE", 127 | "CAP_SYS_TIME", 128 | "CAP_SYS_TTY_CONFIG", 129 | "CAP_MKNOD", 130 | "CAP_LEASE", 131 | "CAP_AUDIT_WRITE", 132 | "CAP_AUDIT_CONTROL", 133 | "CAP_SETFCAP", 134 | "CAP_DAC_OVERRIDE", 135 | "CAP_MAC_OVERRIDE", 136 | "CAP_DAC_READ_SEARCH", 137 | "CAP_MAC_ADMIN", 138 | "CAP_SYSLOG", 139 | "CAP_WAKE_ALARM", 140 | "CAP_BLOCK_SUSPEND", 141 | "CAP_AUDIT_READ" 142 | ], 143 | "effective": [ 144 | "CAP_CHOWN", 145 | "CAP_FOWNER", 146 | "CAP_FSETID", 147 | "CAP_KILL", 148 | "CAP_SETGID", 149 | "CAP_SETUID", 150 | "CAP_SETPCAP", 151 | "CAP_LINUX_IMMUTABLE", 152 | "CAP_NET_BIND_SERVICE", 153 | "CAP_NET_BROADCAST", 154 | "CAP_NET_ADMIN", 155 | "CAP_NET_RAW", 
156 | "CAP_IPC_LOCK", 157 | "CAP_IPC_OWNER", 158 | "CAP_SYS_MODULE", 159 | "CAP_SYS_RAWIO", 160 | "CAP_SYS_CHROOT", 161 | "CAP_SYS_PTRACE", 162 | "CAP_SYS_PACCT", 163 | "CAP_SYS_ADMIN", 164 | "CAP_SYS_BOOT", 165 | "CAP_SYS_NICE", 166 | "CAP_SYS_RESOURCE", 167 | "CAP_SYS_TIME", 168 | "CAP_SYS_TTY_CONFIG", 169 | "CAP_MKNOD", 170 | "CAP_LEASE", 171 | "CAP_AUDIT_WRITE", 172 | "CAP_AUDIT_CONTROL", 173 | "CAP_SETFCAP", 174 | "CAP_DAC_OVERRIDE", 175 | "CAP_MAC_OVERRIDE", 176 | "CAP_DAC_READ_SEARCH", 177 | "CAP_MAC_ADMIN", 178 | "CAP_SYSLOG", 179 | "CAP_WAKE_ALARM", 180 | "CAP_BLOCK_SUSPEND", 181 | "CAP_AUDIT_READ" 182 | ], 183 | "ambient": [ 184 | "CAP_CHOWN", 185 | "CAP_FOWNER", 186 | "CAP_FSETID", 187 | "CAP_KILL", 188 | "CAP_SETGID", 189 | "CAP_SETUID", 190 | "CAP_SETPCAP", 191 | "CAP_LINUX_IMMUTABLE", 192 | "CAP_NET_BIND_SERVICE", 193 | "CAP_NET_BROADCAST", 194 | "CAP_NET_ADMIN", 195 | "CAP_NET_RAW", 196 | "CAP_IPC_LOCK", 197 | "CAP_IPC_OWNER", 198 | "CAP_SYS_MODULE", 199 | "CAP_SYS_RAWIO", 200 | "CAP_SYS_CHROOT", 201 | "CAP_SYS_PTRACE", 202 | "CAP_SYS_PACCT", 203 | "CAP_SYS_ADMIN", 204 | "CAP_SYS_BOOT", 205 | "CAP_SYS_NICE", 206 | "CAP_SYS_RESOURCE", 207 | "CAP_SYS_TIME", 208 | "CAP_SYS_TTY_CONFIG", 209 | "CAP_MKNOD", 210 | "CAP_LEASE", 211 | "CAP_AUDIT_WRITE", 212 | "CAP_AUDIT_CONTROL", 213 | "CAP_SETFCAP", 214 | "CAP_DAC_OVERRIDE", 215 | "CAP_MAC_OVERRIDE", 216 | "CAP_DAC_READ_SEARCH", 217 | "CAP_MAC_ADMIN", 218 | "CAP_SYSLOG", 219 | "CAP_WAKE_ALARM", 220 | "CAP_BLOCK_SUSPEND", 221 | "CAP_AUDIT_READ" 222 | ] 223 | }, 224 | "noNewPrivileges": false 225 | }, 226 | "root": { 227 | "path": "rootfs", 228 | "readonly": true 229 | }, 230 | "mounts": [ 231 | { 232 | "destination": "/proc", 233 | "type": "proc", 234 | "source": "proc" 235 | }, 236 | { 237 | "type": "bind", 238 | "source": "/dev", 239 | "destination": "/dev", 240 | "options": [ 241 | "rbind", 242 | "rw", 243 | "mode=755" 244 | ] 245 | }, 246 | { 247 | "type": "bind", 248 | "source": "/dev/log", 249 | 
"destination": "/dev/log", 250 | "options": [ 251 | "rbind", 252 | "rw", 253 | "mode=755" 254 | ] 255 | }, 256 | { 257 | "destination": "/dev/pts", 258 | "type": "devpts", 259 | "source": "devpts", 260 | "options": [ 261 | "nosuid", 262 | "noexec", 263 | "newinstance", 264 | "ptmxmode=0666", 265 | "mode=0620", 266 | "gid=5" 267 | ] 268 | }, 269 | { 270 | "destination": "/dev/shm", 271 | "type": "tmpfs", 272 | "source": "shm", 273 | "options": [ 274 | "nosuid", 275 | "noexec", 276 | "nodev", 277 | "mode=1777", 278 | "size=65536k" 279 | ] 280 | }, 281 | { 282 | "destination": "/sys", 283 | "type": "bind", 284 | "source": "/sys", 285 | "options": [ 286 | "rbind", 287 | "rw", 288 | "mode=755" 289 | ] 290 | }, 291 | { 292 | "type": "bind", 293 | "source": "/home", 294 | "destination": "/home", 295 | "options": [ 296 | "rbind", 297 | "rw", 298 | "mode=755" 299 | ] 300 | }, 301 | { 302 | "type": "bind", 303 | "source": "/root", 304 | "destination": "/root", 305 | "options": [ 306 | "rbind", 307 | "rw", 308 | "mode=755" 309 | ] 310 | }, 311 | { 312 | "type": "bind", 313 | "source": "/etc/snmp", 314 | "destination": "/etc/snmp", 315 | "options": [ 316 | "rbind", 317 | "rw", 318 | "mode=755" 319 | ] 320 | }, 321 | { 322 | "type": "bind", 323 | "source": "/etc/sysconfig/snmpd", 324 | "destination": "/etc/sysconfig/snmpd", 325 | "options": [ 326 | "rbind", 327 | "rw", 328 | "mode=755" 329 | ] 330 | }, 331 | { 332 | "type": "bind", 333 | "source": "/etc/sysconfig/snmptrapd", 334 | "destination": "/etc/sysconfig/snmptrapd", 335 | "options": [ 336 | "rbind", 337 | "rw", 338 | "mode=755" 339 | ] 340 | }, 341 | { 342 | "type": "bind", 343 | "source": "/var/lib/net-snmp", 344 | "destination": "/var/lib/net-snmp", 345 | "options": [ 346 | "rbind", 347 | "rw", 348 | "mode=755" 349 | ] 350 | }, 351 | { 352 | "type": "bind", 353 | "source": "${RUN_DIRECTORY}/${NAME}", 354 | "destination": "/var/run/net-snmp", 355 | "options": [ 356 | "rbind", 357 | "rw", 358 | "mode=755" 359 | ] 360 | 
}, 361 | { 362 | "destination": "/etc/resolv.conf", 363 | "type": "bind", 364 | "source": "/etc/resolv.conf", 365 | "options": [ 366 | "ro", 367 | "rbind", 368 | "rprivate" 369 | ] 370 | } 371 | ], 372 | "hooks": {}, 373 | "linux": { 374 | "resources": { 375 | "devices": [ 376 | { 377 | "allow": true, 378 | "access": "rwm" 379 | } 380 | ] 381 | }, 382 | "namespaces": [ 383 | { 384 | "type": "mount" 385 | } 386 | ] 387 | } 388 | } 389 | -------------------------------------------------------------------------------- /lint/syscontainers-lint: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # Copyright (C) 2016 Red Hat 3 | # AUTHOR: Giuseppe Scrivano 4 | 5 | # This program is free software; you can redistribute it and/or 6 | # modify it under the terms of the GNU General Public License as 7 | # published by the Free Software Foundation; either version 2 of 8 | # the License, or (at your option) any later version. 9 | # 10 | # This program is distributed in the hope that it will be useful, 11 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 | # GNU General Public License for more details. 14 | # 15 | # You should have received a copy of the GNU General Public License 16 | # along with this program; if not, write to the Free Software 17 | # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 18 | # 02110-1301 USA. 19 | 20 | import re 21 | import os 22 | import sys 23 | import subprocess 24 | import json 25 | 26 | from string import Template 27 | 28 | 29 | class LintRuntimeError(Exception): 30 | """ 31 | Lint specific error which causes the end of lint logic. 32 | """ 33 | def __init__(self, error): 34 | """ 35 | Creates a new instance of the LintRuntimeError. 
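:param error: Error message
        :type error: str
        """
        self.error = error


#: All files which will be checked by the linter
ALL_FILES = [
    "config.json.template",
    "manifest.json",
    "service.template",
    "tmpfiles.template"
]

#: Capabilities that, for a system container sharing the host's filesystem
#: (and, unless a pid namespace is requested, its PID namespace), are
#: generally enough to take over the host.  Granting them is reported as a
#: warning, never an error: some payloads (e.g. a container running the
#: docker daemon) legitimately need them, but the choice must be visible.
PRIVILEGED_CAPS = frozenset([
    "CAP_SYS_ADMIN",
    "CAP_SYS_MODULE",
    "CAP_SYS_RAWIO",
    "CAP_SYS_PTRACE",
    "CAP_SYS_BOOT",
    "CAP_DAC_OVERRIDE",
    "CAP_MAC_ADMIN",
    "CAP_MAC_OVERRIDE"
])

#: Host trees that expose every device, kernel knob or user home directory
#: when bind-mounted writable into the container.
SENSITIVE_HOST_PATHS = frozenset(["/", "/dev", "/sys", "/proc", "/root", "/home"])


#: If any warning was found during linting
FOUND_ANY_WARNING = False
#: If any error was found during linting
FOUND_ANY_ERROR = False


(COLOR_BLACK,
 COLOR_RED,
 COLOR_GREEN,
 COLOR_YELLOW,
 COLOR_BLUE,
 COLOR_MAGENTA,
 COLOR_CYAN,
 COLOR_WHITE) = range(30, 38)


def colored(line, color):
    """
    Wrap ``line`` in an ANSI bold colour escape when stdout is a terminal;
    return it untouched when output is redirected (e.g. to a CI log).

    :param line: Text to colour
    :type line: str
    :param color: ANSI colour code, one of the ``COLOR_*`` constants
    :type color: int
    :rtype: str
    """
    if not sys.stdout.isatty():
        return line
    return "\x1b[1;%dm%s\x1b[0m" % (color, line)


def log(location, msg, is_error=False):
    """
    Print a lint finding and record it in the module-level flags.

    Every finding sets ``FOUND_ANY_WARNING``; an error additionally sets
    ``FOUND_ANY_ERROR``, which makes the process exit non-zero.

    :param location: File (or project) name the finding refers to
    :type location: str
    :param msg: Human readable description of the finding
    :type msg: str
    :param is_error: True for a hard error, False for a warning
    :type is_error: bool
    """
    global FOUND_ANY_WARNING, FOUND_ANY_ERROR
    FOUND_ANY_WARNING = True
    color = COLOR_YELLOW
    if is_error:
        FOUND_ANY_ERROR = True
        color = COLOR_RED
    print(colored("%s: %s" % (location, msg), color))


def check_dockerfile(path, dockerfile):
    """
    Lint the Dockerfile of a system container build directory.

    Comments are stripped and backslash-continued lines are joined before
    the checks run, so every instruction is matched on a single line.

    :param path: Build directory holding the files listed in ``ALL_FILES``
    :type path: str
    :param dockerfile: Path of the Dockerfile to check
    :type dockerfile: str
    """
    with open(dockerfile, 'r') as f:
        content = f.read()
    # Drop only the comment text, not the newline that ends it: removing the
    # newline as well (the previous "#.*\n" pattern) glued the following
    # instruction onto the comment's line and hid it from the line-anchored
    # checks below.
    content = re.sub("#.*", "", content)
    content = content.replace("\\\n", "")
    if re.search(r'^MAINTAINER\b', content, re.MULTILINE):
        log('Dockerfile', "Found MAINTAINER $NAME. Please use LABEL maintainer=$NAME")
    if re.search('(COPY|ADD) .* /export/?\n', content):
        log('Dockerfile', "Found /export. Did you mean /exports/?")
    if re.search(r'^RUN.*(dnf|yum).*install', content, re.MULTILINE):
        if not re.search('tsflags=nodocs', content):
            log('Dockerfile', "Found 'dnf/yum install' command without '--setopt=tsflags=nodocs'. "
                "Please add the flag to reduce image size unless there is need for documentation.")
    for name in ALL_FILES:
        if not os.path.exists(os.path.join(path, name)):
            continue
        if re.search('ADD .*%s.* /exports/' % name, content):
            log('Dockerfile', "Found ADD for %s. Please use COPY" % name)
        # MULTILINE so that "$" anchors at the end of the COPY line, not only
        # at the end of the whole file.
        elif re.search('COPY .*%s.* /exports$' % name, content, re.MULTILINE):
            log('Dockerfile', "Missing trailing / after exports")
        elif not re.search('(ADD|COPY) .*%s.* /exports/' % name, content):
            log('Dockerfile', "File %s present but not added in the Dockerfile" % name)


def check_git(path):
    """
    Warn when the build directory is not a git checkout, or when any of the
    linted files has changes in the working tree that are not staged yet.

    :param path: Build directory to inspect
    :type path: str
    """
    try:
        subprocess.check_output(["git", "-C", path, "status"])
    except (OSError, subprocess.CalledProcessError):
        head, tail = os.path.split(path)
        log(tail or os.path.split(head)[1], "The project is not using git. Why?")
        return

    for name in ALL_FILES + ["Dockerfile"]:
        if not os.path.exists(os.path.join(path, name)):
            continue
        # Porcelain output is "XY path": X is the index state, Y the working
        # tree state.  Only a modification in Y is "not staged"; the plain
        # "modified" substring of the human-readable output also matched
        # changes that were already staged.
        status = subprocess.check_output(
            ["git", "-C", path, "status", "--porcelain", "--", name]).decode('utf-8')
        if any(len(line) > 1 and line[1] == 'M' for line in status.splitlines()):
            log(name, "file has unstaged changes")


def preprocess_from_manifest(path, content):
    """
    Substitute ``$VAR``/``${VAR}`` placeholders in ``content`` with the
    ``defaultValues`` of the directory's ``manifest.json``.

    Placeholders without a default are left untouched (``safe_substitute``).
    A missing manifest, or one without (or with an empty) ``defaultValues``,
    returns ``content`` unchanged.

    :param path: Build directory that may contain ``manifest.json``
    :type path: str
    :param content: Template text
    :type content: str
    :returns: The (possibly) substituted text
    :rtype: str
    """
    manifest_path = os.path.join(path, 'manifest.json')
    if not os.path.exists(manifest_path):
        return content
    with open(manifest_path, 'r') as m:
        defaults = json.load(m).get('defaultValues')
    if not defaults:
        return content
    return Template(content).safe_substitute(defaults)


def _check_privileges(basename, config):
    """
    Report, as warnings, the settings that hand the container host-level
    power: root-equivalent capabilities in the bounding set, a missing or
    false ``noNewPrivileges``, an allow-everything device cgroup rule and
    writable bind mounts of sensitive host trees.

    These are warnings rather than errors because some system containers
    cannot work without them; the point is to make the choice reviewable.

    :param basename: Name of the file being checked, for the log output
    :type basename: str
    :param config: Parsed OCI configuration
    :type config: dict
    """
    process = config.get('process') or {}
    linux = config.get('linux') or {}

    if process.get('noNewPrivileges') is not True:
        log(basename, "process/noNewPrivileges is not true. Set it unless the service "
            "relies on setuid or file-capability binaries")

    bounding = set((process.get('capabilities') or {}).get('bounding') or [])
    for cap in sorted(bounding & PRIVILEGED_CAPS):
        log(basename, "capabilities/bounding grants %s, which is host-root-equivalent "
            "for a system container. Drop it unless the service needs it" % cap)

    for rule in (linux.get('resources') or {}).get('devices') or []:
        # A rule with allow=true and no type/major/minor applies to every device.
        if rule.get('allow') and rule.get('type', 'a') == 'a' \
                and 'major' not in rule and 'minor' not in rule:
            log(basename, "linux/resources/devices allows access to every device. Prefer a "
                "deny-all rule plus explicit entries in linux/devices")
            break

    for mount in config.get('mounts') or []:
        if mount.get('type') != 'bind':
            continue
        source = mount.get('source', '').rstrip('/') or '/'
        options = mount.get('options') or []
        if source in SENSITIVE_HOST_PATHS and 'ro' not in options:
            log(basename, "%s is bind-mounted from the host without 'ro'. Mount it "
                "read-only or narrow it to the paths the service writes" % source)


def check_config_json(path):
    """
    Lint the OCI configuration of the build directory.

    ``config.json.template`` is preprocessed with the manifest defaults
    before parsing; a plain ``config.json`` is still checked but reported as
    an error because it cannot carry template substitutions.

    :param path: Build directory to inspect
    :type path: str
    """
    if os.path.exists(os.path.join(path, "config.json")):
        basename = "config.json"
        template = False
        log("config.json", ("file found, it does not support template "
                            "substitutions. Use config.json.template instead."),
            True)
    elif not os.path.exists(os.path.join(path, "config.json.template")):
        log("config.json.template", "Missing config.json.template file. A default will be used.")
        return
    else:
        basename = "config.json.template"
        template = True

    with open(os.path.join(path, basename), 'r') as f:
        content = f.read()
    if template:
        content = preprocess_from_manifest(path, content)

    # A syntax error in the (substituted) JSON used to escape as a traceback;
    # report it as a lint error so the run still finishes with a clear status.
    try:
        config = json.loads(content)
    except ValueError as e:
        log(basename, "not valid JSON after template substitution: %s" % e, is_error=True)
        return

    for mount in config.get('mounts') or []:
        if 'source' not in mount:
            continue
        source = mount['source']
        if mount.get('type') == "rbind":
            log(basename, "Unknown mount type rbind. Use bind", is_error=True)
        if template and source.startswith("/var/lib"):
            log(basename, "found mount point /var/lib. Use ${STATE_DIRECTORY} instead")
        if template and source.startswith("/run"):
            log(basename, "found mount point /run. Use ${RUN_DIRECTORY} instead")

    root = config.get('root') or {}
    if root.get('path', '') != 'rootfs':
        log(basename, "root/path must be 'rootfs'")
    if not root.get('readonly', False):
        log(basename, "root/readonly must be true", is_error=True)
    if (config.get('process') or {}).get('terminal', True):
        log(basename, "process/terminal must be false", is_error=True)
    if 'selinuxProcessLabel' in (config.get('linux') or {}):
        log(basename, "linux/selinuxProcessLabel not valid. Use process/selinuxLabel", is_error=True)

    _check_privileges(basename, config)


def check_systemd_unit(path):
    """
    Check that ``service.template`` delegates the generated pieces
    (``ExecStart``, ``ExecStop`` and ``WorkingDirectory``) to the runtime
    variables instead of hard-coding them.

    :param path: Build directory to inspect
    :type path: str
    """
    basename = "service.template"
    unit_path = os.path.join(path, basename)
    if not os.path.exists(unit_path):
        log(basename, "Missing service.template file. A default will be used.")
        return
    with open(unit_path, 'r') as f:
        content = preprocess_from_manifest(path, f.read())

    expectations = (
        ("ExecStart", "EXEC_START",
         "ExecStart can be automatically generated. You can use ExecStart=$EXEC_START"),
        ("ExecStop", "EXEC_STOP",
         "ExecStop can be automatically generated. You can use ExecStop=$EXEC_STOP"),
        ("WorkingDirectory", "DESTDIR",
         "WorkingDirectory should be the container checkout directory. WorkingDirectory=$DESTDIR"),
    )
    for directive, variable, advice in expectations:
        match = re.search('%s=(.*)' % directive, content)
        if not match:
            log(basename, "Could not find %s=" % directive)
        elif variable not in match.group(1):
            log(basename, advice)


def check_manifest_json(path):
    """
    Warn about ``$VAR`` placeholders used by the ``*.template`` files that
    have neither a ``defaultValues`` entry in ``manifest.json`` nor a value
    supplied by the runtime (``$NAME``, ``$DESTDIR``, ...).

    :param path: Build directory to inspect
    :type path: str
    """
    basename = "manifest.json"
    manifest_path = os.path.join(path, basename)
    if not os.path.exists(manifest_path):
        log(basename, "Missing manifest.json file. A default will be used.")
        return
    with open(manifest_path, 'r') as f:
        manifest = json.loads(f.read())

    # Variables the runtime always provides, plus whatever the manifest defaults.
    known = set(["DESTDIR", "NAME", "EXEC_START", "EXEC_STOP",
                 "HOST_UID", "HOST_GID", "RUN_DIRECTORY", "STATE_DIRECTORY"])
    known.update((manifest.get('defaultValues') or {}).keys())

    missing = set()
    for name in ALL_FILES:
        template_path = os.path.join(path, name)
        if not name.endswith(".template") or not os.path.exists(template_path):
            continue
        with open(template_path, 'r') as f:
            data = f.read()
        # Template.pattern's groups are (escaped, named, braced, invalid).
        # Only a named or braced reference is a variable that can have a
        # default; "$$" escapes and stray "$" are not reported.
        for escaped, named, braced, invalid in Template(data).pattern.findall(data):
            var = named or braced
            if var and var not in known:
                missing.add(var)
    for var in sorted(missing):
        log(basename, "Missing default value for %s" % var)


def check(path):
    """
    Run every linter on the system container build directory ``path``.

    :param path: Build directory (must contain a Dockerfile)
    :type path: str
    :raises LintRuntimeError: when ``path`` or its Dockerfile does not exist
    """
    global FOUND_ANY_WARNING
    if not os.path.exists(path):
        raise LintRuntimeError("The path %s does not exist" % path)
    dockerfilepath = os.path.join(path, "Dockerfile")
    if not os.path.exists(dockerfilepath):
        raise \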
LintRuntimeError("The Dockerfile is missing") 246 | check_dockerfile(path, dockerfilepath) 247 | check_git(path) 248 | check_config_json(path) 249 | check_systemd_unit(path) 250 | check_manifest_json(path) 251 | if not FOUND_ANY_WARNING: 252 | print(colored("All Good!", COLOR_GREEN)) 253 | 254 | 255 | if __name__ == '__main__': 256 | if len(sys.argv) < 2: 257 | print("Usage %s [SYSTEM-CONTAINER-BUILD-PATH]" % sys.argv[0]) 258 | raise SystemExit(1) 259 | 260 | if os.getenv('MODE') == 'PREPROCESS': 261 | with open(sys.argv[2], 'r') as f: 262 | content = f.read() 263 | print(preprocess_from_manifest(sys.argv[1], content)) 264 | raise SystemExit(0) 265 | 266 | try: 267 | check(sys.argv[1]) 268 | except LintRuntimeError as e: 269 | print(e.error) 270 | raise SystemExit(1) 271 | 272 | if FOUND_ANY_ERROR: 273 | raise SystemExit(1) 274 | -------------------------------------------------------------------------------- /docker-centos/config.json.template: -------------------------------------------------------------------------------- 1 | { 2 | "ociVersion": "1.0.0", 3 | "platform": { 4 | "os": "linux", 5 | "arch": "amd64" 6 | }, 7 | "process": { 8 | "selinuxLabel": "system_u:system_r:container_runtime_t:s0", 9 | "terminal": false, 10 | "user": { 11 | "uid": 0, 12 | "gid": 0 13 | }, 14 | "args": [ 15 | "/usr/bin/init.sh" 16 | ], 17 | "env": [ 18 | "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", 19 | "TERM=xterm", 20 | "NAME=$NAME" 21 | ], 22 | "cwd": "/", 23 | "capabilities": { 24 | "bounding": [ 25 | "CAP_CHOWN", 26 | "CAP_FOWNER", 27 | "CAP_FSETID", 28 | "CAP_KILL", 29 | "CAP_SETGID", 30 | "CAP_SETUID", 31 | "CAP_SETPCAP", 32 | "CAP_LINUX_IMMUTABLE", 33 | "CAP_NET_BIND_SERVICE", 34 | "CAP_NET_BROADCAST", 35 | "CAP_NET_ADMIN", 36 | "CAP_NET_RAW", 37 | "CAP_IPC_LOCK", 38 | "CAP_IPC_OWNER", 39 | "CAP_SYS_MODULE", 40 | "CAP_SYS_RAWIO", 41 | "CAP_SYS_CHROOT", 42 | "CAP_SYS_PTRACE", 43 | "CAP_SYS_PACCT", 44 | "CAP_SYS_ADMIN", 45 | "CAP_SYS_BOOT", 46 | 
"CAP_SYS_NICE", 47 | "CAP_SYS_RESOURCE", 48 | "CAP_SYS_TIME", 49 | "CAP_SYS_TTY_CONFIG", 50 | "CAP_MKNOD", 51 | "CAP_LEASE", 52 | "CAP_AUDIT_WRITE", 53 | "CAP_AUDIT_CONTROL", 54 | "CAP_SETFCAP", 55 | "CAP_DAC_OVERRIDE", 56 | "CAP_MAC_OVERRIDE", 57 | "CAP_DAC_READ_SEARCH", 58 | "CAP_MAC_ADMIN", 59 | "CAP_SYSLOG", 60 | "CAP_WAKE_ALARM", 61 | "CAP_BLOCK_SUSPEND" 62 | ], 63 | "permitted": [ 64 | "CAP_CHOWN", 65 | "CAP_FOWNER", 66 | "CAP_FSETID", 67 | "CAP_KILL", 68 | "CAP_SETGID", 69 | "CAP_SETUID", 70 | "CAP_SETPCAP", 71 | "CAP_LINUX_IMMUTABLE", 72 | "CAP_NET_BIND_SERVICE", 73 | "CAP_NET_BROADCAST", 74 | "CAP_NET_ADMIN", 75 | "CAP_NET_RAW", 76 | "CAP_IPC_LOCK", 77 | "CAP_IPC_OWNER", 78 | "CAP_SYS_MODULE", 79 | "CAP_SYS_RAWIO", 80 | "CAP_SYS_CHROOT", 81 | "CAP_SYS_PTRACE", 82 | "CAP_SYS_PACCT", 83 | "CAP_SYS_ADMIN", 84 | "CAP_SYS_BOOT", 85 | "CAP_SYS_NICE", 86 | "CAP_SYS_RESOURCE", 87 | "CAP_SYS_TIME", 88 | "CAP_SYS_TTY_CONFIG", 89 | "CAP_MKNOD", 90 | "CAP_LEASE", 91 | "CAP_AUDIT_WRITE", 92 | "CAP_AUDIT_CONTROL", 93 | "CAP_SETFCAP", 94 | "CAP_DAC_OVERRIDE", 95 | "CAP_MAC_OVERRIDE", 96 | "CAP_DAC_READ_SEARCH", 97 | "CAP_MAC_ADMIN", 98 | "CAP_SYSLOG", 99 | "CAP_WAKE_ALARM", 100 | "CAP_BLOCK_SUSPEND" 101 | ], 102 | "inheritable": [ 103 | "CAP_CHOWN", 104 | "CAP_FOWNER", 105 | "CAP_FSETID", 106 | "CAP_KILL", 107 | "CAP_SETGID", 108 | "CAP_SETUID", 109 | "CAP_SETPCAP", 110 | "CAP_LINUX_IMMUTABLE", 111 | "CAP_NET_BIND_SERVICE", 112 | "CAP_NET_BROADCAST", 113 | "CAP_NET_ADMIN", 114 | "CAP_NET_RAW", 115 | "CAP_IPC_LOCK", 116 | "CAP_IPC_OWNER", 117 | "CAP_SYS_MODULE", 118 | "CAP_SYS_RAWIO", 119 | "CAP_SYS_CHROOT", 120 | "CAP_SYS_PTRACE", 121 | "CAP_SYS_PACCT", 122 | "CAP_SYS_ADMIN", 123 | "CAP_SYS_BOOT", 124 | "CAP_SYS_NICE", 125 | "CAP_SYS_RESOURCE", 126 | "CAP_SYS_TIME", 127 | "CAP_SYS_TTY_CONFIG", 128 | "CAP_MKNOD", 129 | "CAP_LEASE", 130 | "CAP_AUDIT_WRITE", 131 | "CAP_AUDIT_CONTROL", 132 | "CAP_SETFCAP", 133 | "CAP_DAC_OVERRIDE", 134 | "CAP_MAC_OVERRIDE", 135 | 
"CAP_DAC_READ_SEARCH", 136 | "CAP_MAC_ADMIN", 137 | "CAP_SYSLOG", 138 | "CAP_WAKE_ALARM", 139 | "CAP_BLOCK_SUSPEND" 140 | ], 141 | "effective": [ 142 | "CAP_CHOWN", 143 | "CAP_FOWNER", 144 | "CAP_FSETID", 145 | "CAP_KILL", 146 | "CAP_SETGID", 147 | "CAP_SETUID", 148 | "CAP_SETPCAP", 149 | "CAP_LINUX_IMMUTABLE", 150 | "CAP_NET_BIND_SERVICE", 151 | "CAP_NET_BROADCAST", 152 | "CAP_NET_ADMIN", 153 | "CAP_NET_RAW", 154 | "CAP_IPC_LOCK", 155 | "CAP_IPC_OWNER", 156 | "CAP_SYS_MODULE", 157 | "CAP_SYS_RAWIO", 158 | "CAP_SYS_CHROOT", 159 | "CAP_SYS_PTRACE", 160 | "CAP_SYS_PACCT", 161 | "CAP_SYS_ADMIN", 162 | "CAP_SYS_BOOT", 163 | "CAP_SYS_NICE", 164 | "CAP_SYS_RESOURCE", 165 | "CAP_SYS_TIME", 166 | "CAP_SYS_TTY_CONFIG", 167 | "CAP_MKNOD", 168 | "CAP_LEASE", 169 | "CAP_AUDIT_WRITE", 170 | "CAP_AUDIT_CONTROL", 171 | "CAP_SETFCAP", 172 | "CAP_DAC_OVERRIDE", 173 | "CAP_MAC_OVERRIDE", 174 | "CAP_DAC_READ_SEARCH", 175 | "CAP_MAC_ADMIN", 176 | "CAP_SYSLOG", 177 | "CAP_WAKE_ALARM", 178 | "CAP_BLOCK_SUSPEND" 179 | ], 180 | "ambient": [ 181 | "CAP_CHOWN", 182 | "CAP_FOWNER", 183 | "CAP_FSETID", 184 | "CAP_KILL", 185 | "CAP_SETGID", 186 | "CAP_SETUID", 187 | "CAP_SETPCAP", 188 | "CAP_LINUX_IMMUTABLE", 189 | "CAP_NET_BIND_SERVICE", 190 | "CAP_NET_BROADCAST", 191 | "CAP_NET_ADMIN", 192 | "CAP_NET_RAW", 193 | "CAP_IPC_LOCK", 194 | "CAP_IPC_OWNER", 195 | "CAP_SYS_MODULE", 196 | "CAP_SYS_RAWIO", 197 | "CAP_SYS_CHROOT", 198 | "CAP_SYS_PTRACE", 199 | "CAP_SYS_PACCT", 200 | "CAP_SYS_ADMIN", 201 | "CAP_SYS_BOOT", 202 | "CAP_SYS_NICE", 203 | "CAP_SYS_RESOURCE", 204 | "CAP_SYS_TIME", 205 | "CAP_SYS_TTY_CONFIG", 206 | "CAP_MKNOD", 207 | "CAP_LEASE", 208 | "CAP_AUDIT_WRITE", 209 | "CAP_AUDIT_CONTROL", 210 | "CAP_SETFCAP", 211 | "CAP_DAC_OVERRIDE", 212 | "CAP_MAC_OVERRIDE", 213 | "CAP_DAC_READ_SEARCH", 214 | "CAP_MAC_ADMIN", 215 | "CAP_SYSLOG", 216 | "CAP_WAKE_ALARM", 217 | "CAP_BLOCK_SUSPEND" 218 | ] 219 | }, 220 | "noNewPrivileges": false 221 | }, 222 | "root": { 223 | "path": "rootfs", 224 | 
"readonly": true 225 | }, 226 | "mounts": [ 227 | { 228 | "source": "/tmp", 229 | "destination": "/tmp", 230 | "type": "bind", 231 | "options": [ 232 | "private", 233 | "bind", 234 | "rw", 235 | "mode=755" 236 | ] 237 | }, 238 | { 239 | "type": "bind", 240 | "source": "/etc", 241 | "destination": "/etc", 242 | "options": [ 243 | "rbind", 244 | "rprivate", 245 | "rw", 246 | "mode=755" 247 | ] 248 | }, 249 | { 250 | "type": "bind", 251 | "source": "/lib/modules", 252 | "destination": "/lib/modules", 253 | "options": [ 254 | "rbind", 255 | "rprivate", 256 | "rw", 257 | "mode=755" 258 | ] 259 | }, 260 | { 261 | "type": "bind", 262 | "source": "/root", 263 | "destination": "/root", 264 | "options": [ 265 | "rbind", 266 | "rprivate", 267 | "rw", 268 | "mode=755" 269 | ] 270 | }, 271 | { 272 | "type": "bind", 273 | "source": "/home", 274 | "destination": "/home", 275 | "options": [ 276 | "rbind", 277 | "rprivate", 278 | "rw", 279 | "mode=755" 280 | ] 281 | }, 282 | { 283 | "type": "bind", 284 | "source": "/opt", 285 | "destination": "/opt", 286 | "options": [ 287 | "rbind", 288 | "rslave", 289 | "rw", 290 | "mode=755" 291 | ] 292 | }, 293 | { 294 | "type": "bind", 295 | "source": "/mnt", 296 | "destination": "/mnt", 297 | "options": [ 298 | "rbind", 299 | "rw", 300 | "rprivate", 301 | "mode=755" 302 | ] 303 | }, 304 | { 305 | "type": "bind", 306 | "source": "${RUN_DIRECTORY}", 307 | "destination": "/run", 308 | "options": [ 309 | "rshared", 310 | "rbind", 311 | "rw", 312 | "mode=755" 313 | ] 314 | }, 315 | { 316 | "type": "bind", 317 | "source": "/var/log", 318 | "destination": "/var/log", 319 | "options": [ 320 | "rbind", 321 | "rslave", 322 | "rw" 323 | ] 324 | }, 325 | { 326 | "type": "bind", 327 | "source": "${STATE_DIRECTORY}", 328 | "destination": "/var/lib", 329 | "options": [ 330 | "rbind", 331 | "rshared", 332 | "rw" 333 | ] 334 | }, 335 | { 336 | "source": "/dev", 337 | "destination": "/dev", 338 | "type": "bind", 339 | "options": [ 340 | "rprivate", 341 | 
"rbind", 342 | "rw", 343 | "mode=755" 344 | ] 345 | }, 346 | { 347 | "destination": "/host", 348 | "options": [ 349 | "rbind", 350 | "rshared", 351 | "rw" 352 | ], 353 | "source": "/", 354 | "type": "bind" 355 | }, 356 | { 357 | "source": "/sys", 358 | "destination": "/sys", 359 | "type": "bind", 360 | "options": [ 361 | "rprivate", 362 | "rbind", 363 | "rw", 364 | "mode=755" 365 | ] 366 | }, 367 | { 368 | "source": "/proc", 369 | "destination": "/proc", 370 | "type": "proc", 371 | "options": [ 372 | "private" 373 | ] 374 | } 375 | $ADDTL_MOUNTS 376 | ], 377 | "hooks": {}, 378 | "linux": { 379 | "rootfsPropagation": "rslave", 380 | "resources": { 381 | "devices": [ 382 | { 383 | "allow": true, 384 | "access": "rwm" 385 | } 386 | ] 387 | }, 388 | "namespaces": [ 389 | { 390 | "type": "mount" 391 | } 392 | ] 393 | } 394 | } 395 | -------------------------------------------------------------------------------- /ovirt-guest-agent-centos/config.json.template: -------------------------------------------------------------------------------- 1 | { 2 | 3 | "ociVersion": "1.0.0-rc3", 4 | "platform": { 5 | "os": "linux", 6 | "arch": "amd64" 7 | }, 8 | "process": { 9 | "terminal": false, 10 | "user": { 11 | "uid": 0, 12 | "gid": 0 13 | }, 14 | "args": [ 15 | "/usr/bin/run.sh" 16 | ], 17 | "env": [ 18 | "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", 19 | "TERM=xterm", 20 | "HOST=/host", 21 | "container=docker", 22 | "IMAGE=rhev4/ovirt-guest-agent", 23 | "NAME=ovirt-guest-agent" 24 | ], 25 | "cwd": "/", 26 | "capabilities": { 27 | "ambient": [ 28 | "CAP_CHOWN", 29 | "CAP_DAC_OVERRIDE", 30 | "CAP_DAC_READ_SEARCH", 31 | "CAP_FOWNER", 32 | "CAP_FSETID", 33 | "CAP_KILL", 34 | "CAP_SETGID", 35 | "CAP_SETUID", 36 | "CAP_SETPCAP", 37 | "CAP_LINUX_IMMUTABLE", 38 | "CAP_NET_BIND_SERVICE", 39 | "CAP_NET_BROADCAST", 40 | "CAP_NET_ADMIN", 41 | "CAP_NET_RAW", 42 | "CAP_IPC_LOCK", 43 | "CAP_IPC_OWNER", 44 | "CAP_SYS_MODULE", 45 | "CAP_SYS_RAWIO", 46 | "CAP_SYS_CHROOT", 
47 | "CAP_SYS_PTRACE", 48 | "CAP_SYS_PACCT", 49 | "CAP_SYS_ADMIN", 50 | "CAP_SYS_BOOT", 51 | "CAP_SYS_NICE", 52 | "CAP_SYS_RESOURCE", 53 | "CAP_SYS_TIME", 54 | "CAP_SYS_TTY_CONFIG", 55 | "CAP_MKNOD", 56 | "CAP_LEASE", 57 | "CAP_SETFCAP", 58 | "CAP_MAC_OVERRIDE", 59 | "CAP_MAC_ADMIN", 60 | "CAP_SYSLOG", 61 | "CAP_WAKE_ALARM", 62 | "CAP_BLOCK_SUSPEND" 63 | ], 64 | "bounding": [ 65 | "CAP_CHOWN", 66 | "CAP_DAC_OVERRIDE", 67 | "CAP_DAC_READ_SEARCH", 68 | "CAP_FOWNER", 69 | "CAP_FSETID", 70 | "CAP_KILL", 71 | "CAP_SETGID", 72 | "CAP_SETUID", 73 | "CAP_SETPCAP", 74 | "CAP_LINUX_IMMUTABLE", 75 | "CAP_NET_BIND_SERVICE", 76 | "CAP_NET_BROADCAST", 77 | "CAP_NET_ADMIN", 78 | "CAP_NET_RAW", 79 | "CAP_IPC_LOCK", 80 | "CAP_IPC_OWNER", 81 | "CAP_SYS_MODULE", 82 | "CAP_SYS_RAWIO", 83 | "CAP_SYS_CHROOT", 84 | "CAP_SYS_PTRACE", 85 | "CAP_SYS_PACCT", 86 | "CAP_SYS_ADMIN", 87 | "CAP_SYS_BOOT", 88 | "CAP_SYS_NICE", 89 | "CAP_SYS_RESOURCE", 90 | "CAP_SYS_TIME", 91 | "CAP_SYS_TTY_CONFIG", 92 | "CAP_MKNOD", 93 | "CAP_LEASE", 94 | "CAP_SETFCAP", 95 | "CAP_MAC_OVERRIDE", 96 | "CAP_MAC_ADMIN", 97 | "CAP_SYSLOG", 98 | "CAP_WAKE_ALARM", 99 | "CAP_BLOCK_SUSPEND" 100 | ], 101 | "effective": [ 102 | "CAP_CHOWN", 103 | "CAP_DAC_OVERRIDE", 104 | "CAP_DAC_READ_SEARCH", 105 | "CAP_FOWNER", 106 | "CAP_FSETID", 107 | "CAP_KILL", 108 | "CAP_SETGID", 109 | "CAP_SETUID", 110 | "CAP_SETPCAP", 111 | "CAP_LINUX_IMMUTABLE", 112 | "CAP_NET_BIND_SERVICE", 113 | "CAP_NET_BROADCAST", 114 | "CAP_NET_ADMIN", 115 | "CAP_NET_RAW", 116 | "CAP_IPC_LOCK", 117 | "CAP_IPC_OWNER", 118 | "CAP_SYS_MODULE", 119 | "CAP_SYS_RAWIO", 120 | "CAP_SYS_CHROOT", 121 | "CAP_SYS_PTRACE", 122 | "CAP_SYS_PACCT", 123 | "CAP_SYS_ADMIN", 124 | "CAP_SYS_BOOT", 125 | "CAP_SYS_NICE", 126 | "CAP_SYS_RESOURCE", 127 | "CAP_SYS_TIME", 128 | "CAP_SYS_TTY_CONFIG", 129 | "CAP_MKNOD", 130 | "CAP_LEASE", 131 | "CAP_SETFCAP", 132 | "CAP_MAC_OVERRIDE", 133 | "CAP_MAC_ADMIN", 134 | "CAP_SYSLOG", 135 | "CAP_WAKE_ALARM", 136 | "CAP_BLOCK_SUSPEND" 137 | ], 
138 | "inheritable": [ 139 | "CAP_CHOWN", 140 | "CAP_DAC_OVERRIDE", 141 | "CAP_DAC_READ_SEARCH", 142 | "CAP_FOWNER", 143 | "CAP_FSETID", 144 | "CAP_KILL", 145 | "CAP_SETGID", 146 | "CAP_SETUID", 147 | "CAP_SETPCAP", 148 | "CAP_LINUX_IMMUTABLE", 149 | "CAP_NET_BIND_SERVICE", 150 | "CAP_NET_BROADCAST", 151 | "CAP_NET_ADMIN", 152 | "CAP_NET_RAW", 153 | "CAP_IPC_LOCK", 154 | "CAP_IPC_OWNER", 155 | "CAP_SYS_MODULE", 156 | "CAP_SYS_RAWIO", 157 | "CAP_SYS_CHROOT", 158 | "CAP_SYS_PTRACE", 159 | "CAP_SYS_PACCT", 160 | "CAP_SYS_ADMIN", 161 | "CAP_SYS_BOOT", 162 | "CAP_SYS_NICE", 163 | "CAP_SYS_RESOURCE", 164 | "CAP_SYS_TIME", 165 | "CAP_SYS_TTY_CONFIG", 166 | "CAP_MKNOD", 167 | "CAP_LEASE", 168 | "CAP_SETFCAP", 169 | "CAP_MAC_OVERRIDE", 170 | "CAP_MAC_ADMIN", 171 | "CAP_SYSLOG", 172 | "CAP_WAKE_ALARM", 173 | "CAP_BLOCK_SUSPEND" 174 | ], 175 | "permitted": [ 176 | "CAP_CHOWN", 177 | "CAP_DAC_OVERRIDE", 178 | "CAP_DAC_READ_SEARCH", 179 | "CAP_FOWNER", 180 | "CAP_FSETID", 181 | "CAP_KILL", 182 | "CAP_SETGID", 183 | "CAP_SETUID", 184 | "CAP_SETPCAP", 185 | "CAP_LINUX_IMMUTABLE", 186 | "CAP_NET_BIND_SERVICE", 187 | "CAP_NET_BROADCAST", 188 | "CAP_NET_ADMIN", 189 | "CAP_NET_RAW", 190 | "CAP_IPC_LOCK", 191 | "CAP_IPC_OWNER", 192 | "CAP_SYS_MODULE", 193 | "CAP_SYS_RAWIO", 194 | "CAP_SYS_CHROOT", 195 | "CAP_SYS_PTRACE", 196 | "CAP_SYS_PACCT", 197 | "CAP_SYS_ADMIN", 198 | "CAP_SYS_BOOT", 199 | "CAP_SYS_NICE", 200 | "CAP_SYS_RESOURCE", 201 | "CAP_SYS_TIME", 202 | "CAP_SYS_TTY_CONFIG", 203 | "CAP_MKNOD", 204 | "CAP_LEASE", 205 | "CAP_SETFCAP", 206 | "CAP_MAC_OVERRIDE", 207 | "CAP_MAC_ADMIN", 208 | "CAP_SYSLOG", 209 | "CAP_WAKE_ALARM", 210 | "CAP_BLOCK_SUSPEND" 211 | ] 212 | }, 213 | "rlimits": [ 214 | { 215 | "type": "RLIMIT_NOFILE", 216 | "hard": 1024, 217 | "soft": 1024 218 | } 219 | ] 220 | }, 221 | "root": { 222 | "path": "rootfs", 223 | "readonly": true 224 | }, 225 | "mounts": [ 226 | { 227 | "destination": "/proc", 228 | "type": "proc", 229 | "source": "proc" 230 | }, 231 | { 232 
| "destination": "/dev", 233 | "type": "tmpfs", 234 | "source": "tmpfs", 235 | "options": [ 236 | "nosuid", 237 | "strictatime", 238 | "mode=755", 239 | "size=65536k" 240 | ] 241 | }, 242 | { 243 | "destination": "/dev/pts", 244 | "type": "devpts", 245 | "source": "devpts", 246 | "options": [ 247 | "nosuid", 248 | "noexec", 249 | "newinstance", 250 | "ptmxmode=0666", 251 | "mode=0620", 252 | "gid=5" 253 | ] 254 | }, 255 | { 256 | "destination": "/dev/shm", 257 | "type": "tmpfs", 258 | "source": "shm", 259 | "options": [ 260 | "nosuid", 261 | "noexec", 262 | "nodev", 263 | "mode=1777", 264 | "size=65536k" 265 | ] 266 | }, 267 | { 268 | "destination": "/dev/mqueue", 269 | "type": "mqueue", 270 | "source": "mqueue", 271 | "options": [ 272 | "nosuid", 273 | "noexec", 274 | "nodev" 275 | ] 276 | }, 277 | { 278 | "destination": "/sys", 279 | "type": "sysfs", 280 | "source": "sysfs", 281 | "options": [ 282 | "nosuid", 283 | "noexec", 284 | "nodev", 285 | "rw" 286 | ] 287 | }, 288 | { 289 | "destination": "/tmp", 290 | "type": "tmpfs", 291 | "source": "tmpfs", 292 | "options": [ 293 | "rw", 294 | "noexec", 295 | "nosuid", 296 | "nodev", 297 | "size=65536k" 298 | ] 299 | }, 300 | { 301 | "destination": "/run", 302 | "type": "tmpfs", 303 | "source": "tmpfs", 304 | "options": [ 305 | "rw", 306 | "noexec", 307 | "nosuid", 308 | "nodev", 309 | "size=65536k" 310 | ] 311 | }, 312 | { 313 | "destination": "/dev/virtio-ports", 314 | "type": "bind", 315 | "source": "/dev/virtio-ports", 316 | "options": [ 317 | "rw", 318 | "bind" 319 | ] 320 | }, 321 | { 322 | "destination": "/host", 323 | "type": "bind", 324 | "source": "/", 325 | "options": [ 326 | "rw", 327 | "bind" 328 | ] 329 | }, 330 | { 331 | "source": "/etc/redhat-release", 332 | "destination": "/etc-redhat-release", 333 | "type": "bind", 334 | "options": [ 335 | "ro", 336 | "bind" 337 | ] 338 | }, 339 | { 340 | "source": "/var/log/ovirt-guest-agent", 341 | "destination": "/var/log/ovirt-guest-agent", 342 | "type": "bind", 
343 | "options": [ 344 | "rw", 345 | "bind" 346 | ] 347 | }, 348 | { 349 | "destination": "/hostproc", 350 | "type": "bind", 351 | "source": "/proc", 352 | "options": [ 353 | "rw", 354 | "bind" 355 | ] 356 | }, 357 | { 358 | "destination": "/dev", 359 | "type": "bind", 360 | "source": "/dev", 361 | "options": [ 362 | "rw", 363 | "bind" 364 | ] 365 | }, 366 | { 367 | "destination": "/dev/pts", 368 | "type": "devpts", 369 | "source": "devpts", 370 | "options": [ 371 | "nosuid", 372 | "noexec", 373 | "newinstance", 374 | "ptmxmode=0666", 375 | "mode=0620", 376 | "gid=5" 377 | ] 378 | } 379 | ], 380 | "hooks": {}, 381 | "linux": { 382 | "resources": { 383 | "devices": [ 384 | { 385 | "allow": true, 386 | "access": "rwm" 387 | } 388 | ] 389 | }, 390 | "namespaces": [ 391 | { "type": "mount"} 392 | ], 393 | "devices": [ 394 | { 395 | "path": "/dev/vport2p1", 396 | "type": "c", 397 | "major": 249, 398 | "minor": 1, 399 | "fileMode": 8576, 400 | "uid": 0, 401 | "gid": 0 402 | }, 403 | { 404 | "path": "/dev/vport2p2", 405 | "type": "c", 406 | "major": 249, 407 | "minor": 2, 408 | "fileMode": 8576, 409 | "uid": 0, 410 | "gid": 0 411 | }, 412 | { 413 | "path": "/dev/vport2p3", 414 | "type": "c", 415 | "major": 249, 416 | "minor": 3, 417 | "fileMode": 8576, 418 | "uid": 0, 419 | "gid": 0 420 | } 421 | ] 422 | } 423 | } 424 | 425 | -------------------------------------------------------------------------------- /ovirt-guest-agent-fedora/config.json.template: -------------------------------------------------------------------------------- 1 | { 2 | 3 | "ociVersion": "1.0.0-rc3", 4 | "platform": { 5 | "os": "linux", 6 | "arch": "amd64" 7 | }, 8 | "process": { 9 | "terminal": false, 10 | "user": { 11 | "uid": 0, 12 | "gid": 0 13 | }, 14 | "args": [ 15 | "/usr/bin/run.sh" 16 | ], 17 | "env": [ 18 | "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", 19 | "TERM=xterm", 20 | "HOST=/host", 21 | "container=docker", 22 | "IMAGE=rhev4/ovirt-guest-agent", 23 | 
"NAME=ovirt-guest-agent" 24 | ], 25 | "cwd": "/", 26 | "capabilities": { 27 | "ambient": [ 28 | "CAP_CHOWN", 29 | "CAP_DAC_OVERRIDE", 30 | "CAP_DAC_READ_SEARCH", 31 | "CAP_FOWNER", 32 | "CAP_FSETID", 33 | "CAP_KILL", 34 | "CAP_SETGID", 35 | "CAP_SETUID", 36 | "CAP_SETPCAP", 37 | "CAP_LINUX_IMMUTABLE", 38 | "CAP_NET_BIND_SERVICE", 39 | "CAP_NET_BROADCAST", 40 | "CAP_NET_ADMIN", 41 | "CAP_NET_RAW", 42 | "CAP_IPC_LOCK", 43 | "CAP_IPC_OWNER", 44 | "CAP_SYS_MODULE", 45 | "CAP_SYS_RAWIO", 46 | "CAP_SYS_CHROOT", 47 | "CAP_SYS_PTRACE", 48 | "CAP_SYS_PACCT", 49 | "CAP_SYS_ADMIN", 50 | "CAP_SYS_BOOT", 51 | "CAP_SYS_NICE", 52 | "CAP_SYS_RESOURCE", 53 | "CAP_SYS_TIME", 54 | "CAP_SYS_TTY_CONFIG", 55 | "CAP_MKNOD", 56 | "CAP_LEASE", 57 | "CAP_SETFCAP", 58 | "CAP_MAC_OVERRIDE", 59 | "CAP_MAC_ADMIN", 60 | "CAP_SYSLOG", 61 | "CAP_WAKE_ALARM", 62 | "CAP_BLOCK_SUSPEND" 63 | ], 64 | "bounding": [ 65 | "CAP_CHOWN", 66 | "CAP_DAC_OVERRIDE", 67 | "CAP_DAC_READ_SEARCH", 68 | "CAP_FOWNER", 69 | "CAP_FSETID", 70 | "CAP_KILL", 71 | "CAP_SETGID", 72 | "CAP_SETUID", 73 | "CAP_SETPCAP", 74 | "CAP_LINUX_IMMUTABLE", 75 | "CAP_NET_BIND_SERVICE", 76 | "CAP_NET_BROADCAST", 77 | "CAP_NET_ADMIN", 78 | "CAP_NET_RAW", 79 | "CAP_IPC_LOCK", 80 | "CAP_IPC_OWNER", 81 | "CAP_SYS_MODULE", 82 | "CAP_SYS_RAWIO", 83 | "CAP_SYS_CHROOT", 84 | "CAP_SYS_PTRACE", 85 | "CAP_SYS_PACCT", 86 | "CAP_SYS_ADMIN", 87 | "CAP_SYS_BOOT", 88 | "CAP_SYS_NICE", 89 | "CAP_SYS_RESOURCE", 90 | "CAP_SYS_TIME", 91 | "CAP_SYS_TTY_CONFIG", 92 | "CAP_MKNOD", 93 | "CAP_LEASE", 94 | "CAP_SETFCAP", 95 | "CAP_MAC_OVERRIDE", 96 | "CAP_MAC_ADMIN", 97 | "CAP_SYSLOG", 98 | "CAP_WAKE_ALARM", 99 | "CAP_BLOCK_SUSPEND" 100 | ], 101 | "effective": [ 102 | "CAP_CHOWN", 103 | "CAP_DAC_OVERRIDE", 104 | "CAP_DAC_READ_SEARCH", 105 | "CAP_FOWNER", 106 | "CAP_FSETID", 107 | "CAP_KILL", 108 | "CAP_SETGID", 109 | "CAP_SETUID", 110 | "CAP_SETPCAP", 111 | "CAP_LINUX_IMMUTABLE", 112 | "CAP_NET_BIND_SERVICE", 113 | "CAP_NET_BROADCAST", 114 | "CAP_NET_ADMIN", 115 | 
"CAP_NET_RAW", 116 | "CAP_IPC_LOCK", 117 | "CAP_IPC_OWNER", 118 | "CAP_SYS_MODULE", 119 | "CAP_SYS_RAWIO", 120 | "CAP_SYS_CHROOT", 121 | "CAP_SYS_PTRACE", 122 | "CAP_SYS_PACCT", 123 | "CAP_SYS_ADMIN", 124 | "CAP_SYS_BOOT", 125 | "CAP_SYS_NICE", 126 | "CAP_SYS_RESOURCE", 127 | "CAP_SYS_TIME", 128 | "CAP_SYS_TTY_CONFIG", 129 | "CAP_MKNOD", 130 | "CAP_LEASE", 131 | "CAP_SETFCAP", 132 | "CAP_MAC_OVERRIDE", 133 | "CAP_MAC_ADMIN", 134 | "CAP_SYSLOG", 135 | "CAP_WAKE_ALARM", 136 | "CAP_BLOCK_SUSPEND" 137 | ], 138 | "inheritable": [ 139 | "CAP_CHOWN", 140 | "CAP_DAC_OVERRIDE", 141 | "CAP_DAC_READ_SEARCH", 142 | "CAP_FOWNER", 143 | "CAP_FSETID", 144 | "CAP_KILL", 145 | "CAP_SETGID", 146 | "CAP_SETUID", 147 | "CAP_SETPCAP", 148 | "CAP_LINUX_IMMUTABLE", 149 | "CAP_NET_BIND_SERVICE", 150 | "CAP_NET_BROADCAST", 151 | "CAP_NET_ADMIN", 152 | "CAP_NET_RAW", 153 | "CAP_IPC_LOCK", 154 | "CAP_IPC_OWNER", 155 | "CAP_SYS_MODULE", 156 | "CAP_SYS_RAWIO", 157 | "CAP_SYS_CHROOT", 158 | "CAP_SYS_PTRACE", 159 | "CAP_SYS_PACCT", 160 | "CAP_SYS_ADMIN", 161 | "CAP_SYS_BOOT", 162 | "CAP_SYS_NICE", 163 | "CAP_SYS_RESOURCE", 164 | "CAP_SYS_TIME", 165 | "CAP_SYS_TTY_CONFIG", 166 | "CAP_MKNOD", 167 | "CAP_LEASE", 168 | "CAP_SETFCAP", 169 | "CAP_MAC_OVERRIDE", 170 | "CAP_MAC_ADMIN", 171 | "CAP_SYSLOG", 172 | "CAP_WAKE_ALARM", 173 | "CAP_BLOCK_SUSPEND" 174 | ], 175 | "permitted": [ 176 | "CAP_CHOWN", 177 | "CAP_DAC_OVERRIDE", 178 | "CAP_DAC_READ_SEARCH", 179 | "CAP_FOWNER", 180 | "CAP_FSETID", 181 | "CAP_KILL", 182 | "CAP_SETGID", 183 | "CAP_SETUID", 184 | "CAP_SETPCAP", 185 | "CAP_LINUX_IMMUTABLE", 186 | "CAP_NET_BIND_SERVICE", 187 | "CAP_NET_BROADCAST", 188 | "CAP_NET_ADMIN", 189 | "CAP_NET_RAW", 190 | "CAP_IPC_LOCK", 191 | "CAP_IPC_OWNER", 192 | "CAP_SYS_MODULE", 193 | "CAP_SYS_RAWIO", 194 | "CAP_SYS_CHROOT", 195 | "CAP_SYS_PTRACE", 196 | "CAP_SYS_PACCT", 197 | "CAP_SYS_ADMIN", 198 | "CAP_SYS_BOOT", 199 | "CAP_SYS_NICE", 200 | "CAP_SYS_RESOURCE", 201 | "CAP_SYS_TIME", 202 | "CAP_SYS_TTY_CONFIG", 
203 | "CAP_MKNOD", 204 | "CAP_LEASE", 205 | "CAP_SETFCAP", 206 | "CAP_MAC_OVERRIDE", 207 | "CAP_MAC_ADMIN", 208 | "CAP_SYSLOG", 209 | "CAP_WAKE_ALARM", 210 | "CAP_BLOCK_SUSPEND" 211 | ] 212 | }, 213 | "rlimits": [ 214 | { 215 | "type": "RLIMIT_NOFILE", 216 | "hard": 1024, 217 | "soft": 1024 218 | } 219 | ] 220 | }, 221 | "root": { 222 | "path": "rootfs", 223 | "readonly": true 224 | }, 225 | "mounts": [ 226 | { 227 | "destination": "/proc", 228 | "type": "proc", 229 | "source": "proc" 230 | }, 231 | { 232 | "destination": "/dev", 233 | "type": "tmpfs", 234 | "source": "tmpfs", 235 | "options": [ 236 | "nosuid", 237 | "strictatime", 238 | "mode=755", 239 | "size=65536k" 240 | ] 241 | }, 242 | { 243 | "destination": "/dev/pts", 244 | "type": "devpts", 245 | "source": "devpts", 246 | "options": [ 247 | "nosuid", 248 | "noexec", 249 | "newinstance", 250 | "ptmxmode=0666", 251 | "mode=0620", 252 | "gid=5" 253 | ] 254 | }, 255 | { 256 | "destination": "/dev/shm", 257 | "type": "tmpfs", 258 | "source": "shm", 259 | "options": [ 260 | "nosuid", 261 | "noexec", 262 | "nodev", 263 | "mode=1777", 264 | "size=65536k" 265 | ] 266 | }, 267 | { 268 | "destination": "/dev/mqueue", 269 | "type": "mqueue", 270 | "source": "mqueue", 271 | "options": [ 272 | "nosuid", 273 | "noexec", 274 | "nodev" 275 | ] 276 | }, 277 | { 278 | "destination": "/sys", 279 | "type": "sysfs", 280 | "source": "sysfs", 281 | "options": [ 282 | "nosuid", 283 | "noexec", 284 | "nodev", 285 | "rw" 286 | ] 287 | }, 288 | { 289 | "destination": "/tmp", 290 | "type": "tmpfs", 291 | "source": "tmpfs", 292 | "options": [ 293 | "rw", 294 | "noexec", 295 | "nosuid", 296 | "nodev", 297 | "size=65536k" 298 | ] 299 | }, 300 | { 301 | "destination": "/run", 302 | "type": "tmpfs", 303 | "source": "tmpfs", 304 | "options": [ 305 | "rw", 306 | "noexec", 307 | "nosuid", 308 | "nodev", 309 | "size=65536k" 310 | ] 311 | }, 312 | { 313 | "destination": "/dev/virtio-ports", 314 | "type": "bind", 315 | "source": 
"/dev/virtio-ports", 316 | "options": [ 317 | "rw", 318 | "bind" 319 | ] 320 | }, 321 | { 322 | "destination": "/host", 323 | "type": "bind", 324 | "source": "/", 325 | "options": [ 326 | "rw", 327 | "bind" 328 | ] 329 | }, 330 | { 331 | "source": "/etc/redhat-release", 332 | "destination": "/etc-redhat-release", 333 | "type": "bind", 334 | "options": [ 335 | "ro", 336 | "bind" 337 | ] 338 | }, 339 | { 340 | "source": "/var/log/ovirt-guest-agent", 341 | "destination": "/var/log/ovirt-guest-agent", 342 | "type": "bind", 343 | "options": [ 344 | "rw", 345 | "bind" 346 | ] 347 | }, 348 | { 349 | "destination": "/hostproc", 350 | "type": "bind", 351 | "source": "/proc", 352 | "options": [ 353 | "rw", 354 | "bind" 355 | ] 356 | }, 357 | { 358 | "destination": "/dev", 359 | "type": "bind", 360 | "source": "/dev", 361 | "options": [ 362 | "rw", 363 | "bind" 364 | ] 365 | }, 366 | { 367 | "destination": "/dev/pts", 368 | "type": "devpts", 369 | "source": "devpts", 370 | "options": [ 371 | "nosuid", 372 | "noexec", 373 | "newinstance", 374 | "ptmxmode=0666", 375 | "mode=0620", 376 | "gid=5" 377 | ] 378 | } 379 | ], 380 | "hooks": {}, 381 | "linux": { 382 | "resources": { 383 | "devices": [ 384 | { 385 | "allow": true, 386 | "access": "rwm" 387 | } 388 | ] 389 | }, 390 | "namespaces": [ 391 | { "type": "mount"} 392 | ], 393 | "devices": [ 394 | { 395 | "path": "/dev/vport2p1", 396 | "type": "c", 397 | "major": 249, 398 | "minor": 1, 399 | "fileMode": 8576, 400 | "uid": 0, 401 | "gid": 0 402 | }, 403 | { 404 | "path": "/dev/vport2p2", 405 | "type": "c", 406 | "major": 249, 407 | "minor": 2, 408 | "fileMode": 8576, 409 | "uid": 0, 410 | "gid": 0 411 | }, 412 | { 413 | "path": "/dev/vport2p3", 414 | "type": "c", 415 | "major": 249, 416 | "minor": 3, 417 | "fileMode": 8576, 418 | "uid": 0, 419 | "gid": 0 420 | } 421 | ] 422 | } 423 | } 424 | 425 | -------------------------------------------------------------------------------- /kubernetes-proxy/config.json.template: 
-------------------------------------------------------------------------------- 1 | { 2 | "ociVersion": "1.0.0", 3 | "platform": { 4 | "os": "linux", 5 | "arch": "amd64" 6 | }, 7 | "process": { 8 | "terminal": false, 9 | "user": { 10 | "uid": 0, 11 | "gid": 0 12 | }, 13 | "args": [ 14 | "/usr/bin/kube-proxy-docker.sh" 15 | ], 16 | "env": [ 17 | "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", 18 | "TERM=xterm" 19 | ], 20 | "cwd": "/", 21 | "capabilities": { 22 | "bounding": [ 23 | "CAP_CHOWN", 24 | "CAP_DAC_OVERRIDE", 25 | "CAP_DAC_READ_SEARCH", 26 | "CAP_FOWNER", 27 | "CAP_FSETID", 28 | "CAP_KILL", 29 | "CAP_SETGID", 30 | "CAP_SETUID", 31 | "CAP_SETPCAP", 32 | "CAP_LINUX_IMMUTABLE", 33 | "CAP_NET_BIND_SERVICE", 34 | "CAP_NET_BROADCAST", 35 | "CAP_NET_ADMIN", 36 | "CAP_NET_RAW", 37 | "CAP_IPC_LOCK", 38 | "CAP_IPC_OWNER", 39 | "CAP_SYS_MODULE", 40 | "CAP_SYS_RAWIO", 41 | "CAP_SYS_CHROOT", 42 | "CAP_SYS_PTRACE", 43 | "CAP_SYS_PACCT", 44 | "CAP_SYS_ADMIN", 45 | "CAP_SYS_BOOT", 46 | "CAP_SYS_NICE", 47 | "CAP_SYS_RESOURCE", 48 | "CAP_SYS_TIME", 49 | "CAP_SYS_TTY_CONFIG", 50 | "CAP_MKNOD", 51 | "CAP_LEASE", 52 | "CAP_AUDIT_WRITE", 53 | "CAP_AUDIT_CONTROL", 54 | "CAP_SETFCAP", 55 | "CAP_MAC_OVERRIDE", 56 | "CAP_MAC_ADMIN", 57 | "CAP_SYSLOG", 58 | "CAP_WAKE_ALARM", 59 | "CAP_BLOCK_SUSPEND" 60 | ], 61 | "permitted": [ 62 | "CAP_CHOWN", 63 | "CAP_DAC_OVERRIDE", 64 | "CAP_DAC_READ_SEARCH", 65 | "CAP_FOWNER", 66 | "CAP_FSETID", 67 | "CAP_KILL", 68 | "CAP_SETGID", 69 | "CAP_SETUID", 70 | "CAP_SETPCAP", 71 | "CAP_LINUX_IMMUTABLE", 72 | "CAP_NET_BIND_SERVICE", 73 | "CAP_NET_BROADCAST", 74 | "CAP_NET_ADMIN", 75 | "CAP_NET_RAW", 76 | "CAP_IPC_LOCK", 77 | "CAP_IPC_OWNER", 78 | "CAP_SYS_MODULE", 79 | "CAP_SYS_RAWIO", 80 | "CAP_SYS_CHROOT", 81 | "CAP_SYS_PTRACE", 82 | "CAP_SYS_PACCT", 83 | "CAP_SYS_ADMIN", 84 | "CAP_SYS_BOOT", 85 | "CAP_SYS_NICE", 86 | "CAP_SYS_RESOURCE", 87 | "CAP_SYS_TIME", 88 | "CAP_SYS_TTY_CONFIG", 89 | "CAP_MKNOD", 90 | "CAP_LEASE", 91 | 
"CAP_AUDIT_WRITE", 92 | "CAP_AUDIT_CONTROL", 93 | "CAP_SETFCAP", 94 | "CAP_MAC_OVERRIDE", 95 | "CAP_MAC_ADMIN", 96 | "CAP_SYSLOG", 97 | "CAP_WAKE_ALARM", 98 | "CAP_BLOCK_SUSPEND" 99 | ], 100 | "inheritable": [ 101 | "CAP_CHOWN", 102 | "CAP_DAC_OVERRIDE", 103 | "CAP_DAC_READ_SEARCH", 104 | "CAP_FOWNER", 105 | "CAP_FSETID", 106 | "CAP_KILL", 107 | "CAP_SETGID", 108 | "CAP_SETUID", 109 | "CAP_SETPCAP", 110 | "CAP_LINUX_IMMUTABLE", 111 | "CAP_NET_BIND_SERVICE", 112 | "CAP_NET_BROADCAST", 113 | "CAP_NET_ADMIN", 114 | "CAP_NET_RAW", 115 | "CAP_IPC_LOCK", 116 | "CAP_IPC_OWNER", 117 | "CAP_SYS_MODULE", 118 | "CAP_SYS_RAWIO", 119 | "CAP_SYS_CHROOT", 120 | "CAP_SYS_PTRACE", 121 | "CAP_SYS_PACCT", 122 | "CAP_SYS_ADMIN", 123 | "CAP_SYS_BOOT", 124 | "CAP_SYS_NICE", 125 | "CAP_SYS_RESOURCE", 126 | "CAP_SYS_TIME", 127 | "CAP_SYS_TTY_CONFIG", 128 | "CAP_MKNOD", 129 | "CAP_LEASE", 130 | "CAP_AUDIT_WRITE", 131 | "CAP_AUDIT_CONTROL", 132 | "CAP_SETFCAP", 133 | "CAP_MAC_OVERRIDE", 134 | "CAP_MAC_ADMIN", 135 | "CAP_SYSLOG", 136 | "CAP_WAKE_ALARM", 137 | "CAP_BLOCK_SUSPEND" 138 | ], 139 | "effective": [ 140 | "CAP_CHOWN", 141 | "CAP_DAC_OVERRIDE", 142 | "CAP_DAC_READ_SEARCH", 143 | "CAP_FOWNER", 144 | "CAP_FSETID", 145 | "CAP_KILL", 146 | "CAP_SETGID", 147 | "CAP_SETUID", 148 | "CAP_SETPCAP", 149 | "CAP_LINUX_IMMUTABLE", 150 | "CAP_NET_BIND_SERVICE", 151 | "CAP_NET_BROADCAST", 152 | "CAP_NET_ADMIN", 153 | "CAP_NET_RAW", 154 | "CAP_IPC_LOCK", 155 | "CAP_IPC_OWNER", 156 | "CAP_SYS_MODULE", 157 | "CAP_SYS_RAWIO", 158 | "CAP_SYS_CHROOT", 159 | "CAP_SYS_PTRACE", 160 | "CAP_SYS_PACCT", 161 | "CAP_SYS_ADMIN", 162 | "CAP_SYS_BOOT", 163 | "CAP_SYS_NICE", 164 | "CAP_SYS_RESOURCE", 165 | "CAP_SYS_TIME", 166 | "CAP_SYS_TTY_CONFIG", 167 | "CAP_MKNOD", 168 | "CAP_LEASE", 169 | "CAP_AUDIT_WRITE", 170 | "CAP_AUDIT_CONTROL", 171 | "CAP_SETFCAP", 172 | "CAP_MAC_OVERRIDE", 173 | "CAP_MAC_ADMIN", 174 | "CAP_SYSLOG", 175 | "CAP_WAKE_ALARM", 176 | "CAP_BLOCK_SUSPEND" 177 | ], 178 | "ambient": [ 179 | 
"CAP_CHOWN", 180 | "CAP_DAC_OVERRIDE", 181 | "CAP_DAC_READ_SEARCH", 182 | "CAP_FOWNER", 183 | "CAP_FSETID", 184 | "CAP_KILL", 185 | "CAP_SETGID", 186 | "CAP_SETUID", 187 | "CAP_SETPCAP", 188 | "CAP_LINUX_IMMUTABLE", 189 | "CAP_NET_BIND_SERVICE", 190 | "CAP_NET_BROADCAST", 191 | "CAP_NET_ADMIN", 192 | "CAP_NET_RAW", 193 | "CAP_IPC_LOCK", 194 | "CAP_IPC_OWNER", 195 | "CAP_SYS_MODULE", 196 | "CAP_SYS_RAWIO", 197 | "CAP_SYS_CHROOT", 198 | "CAP_SYS_PTRACE", 199 | "CAP_SYS_PACCT", 200 | "CAP_SYS_ADMIN", 201 | "CAP_SYS_BOOT", 202 | "CAP_SYS_NICE", 203 | "CAP_SYS_RESOURCE", 204 | "CAP_SYS_TIME", 205 | "CAP_SYS_TTY_CONFIG", 206 | "CAP_MKNOD", 207 | "CAP_LEASE", 208 | "CAP_AUDIT_WRITE", 209 | "CAP_AUDIT_CONTROL", 210 | "CAP_SETFCAP", 211 | "CAP_MAC_OVERRIDE", 212 | "CAP_MAC_ADMIN", 213 | "CAP_SYSLOG", 214 | "CAP_WAKE_ALARM", 215 | "CAP_BLOCK_SUSPEND" 216 | ] 217 | }, 218 | "rlimits": [ 219 | { 220 | "type": "RLIMIT_NOFILE", 221 | "hard": 1024, 222 | "soft": 1024 223 | } 224 | ] 225 | }, 226 | "root": { 227 | "path": "rootfs", 228 | "readonly": true 229 | }, 230 | "mounts": [ 231 | { 232 | "destination": "/proc", 233 | "type": "proc", 234 | "source": "proc" 235 | }, 236 | { 237 | "destination": "/dev", 238 | "type": "tmpfs", 239 | "source": "tmpfs", 240 | "options": [ 241 | "nosuid", 242 | "strictatime", 243 | "mode=755", 244 | "size=65536k" 245 | ] 246 | }, 247 | { 248 | "destination": "/dev/pts", 249 | "type": "devpts", 250 | "source": "devpts", 251 | "options": [ 252 | "nosuid", 253 | "noexec", 254 | "newinstance", 255 | "ptmxmode=0666", 256 | "mode=0620", 257 | "gid=5" 258 | ] 259 | }, 260 | { 261 | "destination": "/dev/shm", 262 | "type": "tmpfs", 263 | "source": "shm", 264 | "options": [ 265 | "nosuid", 266 | "noexec", 267 | "nodev", 268 | "mode=1777", 269 | "size=65536k" 270 | ] 271 | }, 272 | { 273 | "destination": "/dev/mqueue", 274 | "type": "mqueue", 275 | "source": "mqueue", 276 | "options": [ 277 | "nosuid", 278 | "noexec", 279 | "nodev" 280 | ] 281 | }, 282 | { 
283 | "destination": "/sys", 284 | "type": "sysfs", 285 | "source": "sysfs", 286 | "options": [ 287 | "nosuid", 288 | "noexec", 289 | "nodev" 290 | ] 291 | }, 292 | { 293 | "destination": "/sys/fs/cgroup", 294 | "type": "cgroup", 295 | "source": "cgroup", 296 | "options": [ 297 | "nosuid", 298 | "noexec", 299 | "nodev", 300 | "relatime", 301 | "ro" 302 | ] 303 | }, 304 | { 305 | "type": "bind", 306 | "source": "/etc/kubernetes", 307 | "destination": "/etc/kubernetes", 308 | "options": [ 309 | "rbind", 310 | "ro", 311 | "rprivate" 312 | ] 313 | }, 314 | { 315 | "destination": "/etc/resolv.conf", 316 | "type": "bind", 317 | "source": "/etc/resolv.conf", 318 | "options": [ 319 | "ro", 320 | "rbind", 321 | "rprivate" 322 | ] 323 | }, 324 | { 325 | "type": "bind", 326 | "source": "/run", 327 | "destination": "/run", 328 | "options": [ 329 | "rbind", 330 | "rw", 331 | "mode=755" 332 | ] 333 | } 334 | ], 335 | "linux": { 336 | "resources": { 337 | "devices": [ 338 | { 339 | "allow": false, 340 | "access": "rwm" 341 | } 342 | ] 343 | }, 344 | "namespaces": [ 345 | { 346 | "type": "pid" 347 | }, 348 | { 349 | "type": "ipc" 350 | }, 351 | { 352 | "type": "mount" 353 | } 354 | ], 355 | "devices": null, 356 | "apparmorProfile": "" 357 | } 358 | } 359 | -------------------------------------------------------------------------------- /docker-fedora/config.json.template: -------------------------------------------------------------------------------- 1 | { 2 | "ociVersion": "1.0.0", 3 | "platform": { 4 | "os": "linux", 5 | "arch": "amd64" 6 | }, 7 | "process": { 8 | "selinuxLabel": "system_u:system_r:container_runtime_t:s0", 9 | "terminal": false, 10 | "user": { 11 | "uid": 0, 12 | "gid": 0 13 | }, 14 | "args": [ 15 | "/usr/bin/init.sh" 16 | ], 17 | "env": [ 18 | "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", 19 | "TERM=xterm", 20 | "NAME=$NAME" 21 | ], 22 | "cwd": "/", 23 | "capabilities": { 24 | "bounding": [ 25 | "CAP_CHOWN", 26 | "CAP_FOWNER", 27 | 
"CAP_FSETID", 28 | "CAP_KILL", 29 | "CAP_SETGID", 30 | "CAP_SETUID", 31 | "CAP_SETPCAP", 32 | "CAP_LINUX_IMMUTABLE", 33 | "CAP_NET_BIND_SERVICE", 34 | "CAP_NET_BROADCAST", 35 | "CAP_NET_ADMIN", 36 | "CAP_NET_RAW", 37 | "CAP_IPC_LOCK", 38 | "CAP_IPC_OWNER", 39 | "CAP_SYS_MODULE", 40 | "CAP_SYS_RAWIO", 41 | "CAP_SYS_CHROOT", 42 | "CAP_SYS_PTRACE", 43 | "CAP_SYS_PACCT", 44 | "CAP_SYS_ADMIN", 45 | "CAP_SYS_BOOT", 46 | "CAP_SYS_NICE", 47 | "CAP_SYS_RESOURCE", 48 | "CAP_SYS_TIME", 49 | "CAP_SYS_TTY_CONFIG", 50 | "CAP_MKNOD", 51 | "CAP_LEASE", 52 | "CAP_AUDIT_WRITE", 53 | "CAP_AUDIT_CONTROL", 54 | "CAP_SETFCAP", 55 | "CAP_DAC_OVERRIDE", 56 | "CAP_MAC_OVERRIDE", 57 | "CAP_DAC_READ_SEARCH", 58 | "CAP_MAC_ADMIN", 59 | "CAP_SYSLOG", 60 | "CAP_WAKE_ALARM", 61 | "CAP_BLOCK_SUSPEND", 62 | "CAP_AUDIT_READ" 63 | ], 64 | "permitted": [ 65 | "CAP_CHOWN", 66 | "CAP_FOWNER", 67 | "CAP_FSETID", 68 | "CAP_KILL", 69 | "CAP_SETGID", 70 | "CAP_SETUID", 71 | "CAP_SETPCAP", 72 | "CAP_LINUX_IMMUTABLE", 73 | "CAP_NET_BIND_SERVICE", 74 | "CAP_NET_BROADCAST", 75 | "CAP_NET_ADMIN", 76 | "CAP_NET_RAW", 77 | "CAP_IPC_LOCK", 78 | "CAP_IPC_OWNER", 79 | "CAP_SYS_MODULE", 80 | "CAP_SYS_RAWIO", 81 | "CAP_SYS_CHROOT", 82 | "CAP_SYS_PTRACE", 83 | "CAP_SYS_PACCT", 84 | "CAP_SYS_ADMIN", 85 | "CAP_SYS_BOOT", 86 | "CAP_SYS_NICE", 87 | "CAP_SYS_RESOURCE", 88 | "CAP_SYS_TIME", 89 | "CAP_SYS_TTY_CONFIG", 90 | "CAP_MKNOD", 91 | "CAP_LEASE", 92 | "CAP_AUDIT_WRITE", 93 | "CAP_AUDIT_CONTROL", 94 | "CAP_SETFCAP", 95 | "CAP_DAC_OVERRIDE", 96 | "CAP_MAC_OVERRIDE", 97 | "CAP_DAC_READ_SEARCH", 98 | "CAP_MAC_ADMIN", 99 | "CAP_SYSLOG", 100 | "CAP_WAKE_ALARM", 101 | "CAP_BLOCK_SUSPEND", 102 | "CAP_AUDIT_READ" 103 | ], 104 | "inheritable": [ 105 | "CAP_CHOWN", 106 | "CAP_FOWNER", 107 | "CAP_FSETID", 108 | "CAP_KILL", 109 | "CAP_SETGID", 110 | "CAP_SETUID", 111 | "CAP_SETPCAP", 112 | "CAP_LINUX_IMMUTABLE", 113 | "CAP_NET_BIND_SERVICE", 114 | "CAP_NET_BROADCAST", 115 | "CAP_NET_ADMIN", 116 | "CAP_NET_RAW", 117 | 
"CAP_IPC_LOCK", 118 | "CAP_IPC_OWNER", 119 | "CAP_SYS_MODULE", 120 | "CAP_SYS_RAWIO", 121 | "CAP_SYS_CHROOT", 122 | "CAP_SYS_PTRACE", 123 | "CAP_SYS_PACCT", 124 | "CAP_SYS_ADMIN", 125 | "CAP_SYS_BOOT", 126 | "CAP_SYS_NICE", 127 | "CAP_SYS_RESOURCE", 128 | "CAP_SYS_TIME", 129 | "CAP_SYS_TTY_CONFIG", 130 | "CAP_MKNOD", 131 | "CAP_LEASE", 132 | "CAP_AUDIT_WRITE", 133 | "CAP_AUDIT_CONTROL", 134 | "CAP_SETFCAP", 135 | "CAP_DAC_OVERRIDE", 136 | "CAP_MAC_OVERRIDE", 137 | "CAP_DAC_READ_SEARCH", 138 | "CAP_MAC_ADMIN", 139 | "CAP_SYSLOG", 140 | "CAP_WAKE_ALARM", 141 | "CAP_BLOCK_SUSPEND", 142 | "CAP_AUDIT_READ" 143 | ], 144 | "effective": [ 145 | "CAP_CHOWN", 146 | "CAP_FOWNER", 147 | "CAP_FSETID", 148 | "CAP_KILL", 149 | "CAP_SETGID", 150 | "CAP_SETUID", 151 | "CAP_SETPCAP", 152 | "CAP_LINUX_IMMUTABLE", 153 | "CAP_NET_BIND_SERVICE", 154 | "CAP_NET_BROADCAST", 155 | "CAP_NET_ADMIN", 156 | "CAP_NET_RAW", 157 | "CAP_IPC_LOCK", 158 | "CAP_IPC_OWNER", 159 | "CAP_SYS_MODULE", 160 | "CAP_SYS_RAWIO", 161 | "CAP_SYS_CHROOT", 162 | "CAP_SYS_PTRACE", 163 | "CAP_SYS_PACCT", 164 | "CAP_SYS_ADMIN", 165 | "CAP_SYS_BOOT", 166 | "CAP_SYS_NICE", 167 | "CAP_SYS_RESOURCE", 168 | "CAP_SYS_TIME", 169 | "CAP_SYS_TTY_CONFIG", 170 | "CAP_MKNOD", 171 | "CAP_LEASE", 172 | "CAP_AUDIT_WRITE", 173 | "CAP_AUDIT_CONTROL", 174 | "CAP_SETFCAP", 175 | "CAP_DAC_OVERRIDE", 176 | "CAP_MAC_OVERRIDE", 177 | "CAP_DAC_READ_SEARCH", 178 | "CAP_MAC_ADMIN", 179 | "CAP_SYSLOG", 180 | "CAP_WAKE_ALARM", 181 | "CAP_BLOCK_SUSPEND", 182 | "CAP_AUDIT_READ" 183 | ], 184 | "ambient": [ 185 | "CAP_CHOWN", 186 | "CAP_FOWNER", 187 | "CAP_FSETID", 188 | "CAP_KILL", 189 | "CAP_SETGID", 190 | "CAP_SETUID", 191 | "CAP_SETPCAP", 192 | "CAP_LINUX_IMMUTABLE", 193 | "CAP_NET_BIND_SERVICE", 194 | "CAP_NET_BROADCAST", 195 | "CAP_NET_ADMIN", 196 | "CAP_NET_RAW", 197 | "CAP_IPC_LOCK", 198 | "CAP_IPC_OWNER", 199 | "CAP_SYS_MODULE", 200 | "CAP_SYS_RAWIO", 201 | "CAP_SYS_CHROOT", 202 | "CAP_SYS_PTRACE", 203 | "CAP_SYS_PACCT", 204 | 
"CAP_SYS_ADMIN", 205 | "CAP_SYS_BOOT", 206 | "CAP_SYS_NICE", 207 | "CAP_SYS_RESOURCE", 208 | "CAP_SYS_TIME", 209 | "CAP_SYS_TTY_CONFIG", 210 | "CAP_MKNOD", 211 | "CAP_LEASE", 212 | "CAP_AUDIT_WRITE", 213 | "CAP_AUDIT_CONTROL", 214 | "CAP_SETFCAP", 215 | "CAP_DAC_OVERRIDE", 216 | "CAP_MAC_OVERRIDE", 217 | "CAP_DAC_READ_SEARCH", 218 | "CAP_MAC_ADMIN", 219 | "CAP_SYSLOG", 220 | "CAP_WAKE_ALARM", 221 | "CAP_BLOCK_SUSPEND", 222 | "CAP_AUDIT_READ" 223 | ] 224 | }, 225 | "noNewPrivileges": false 226 | }, 227 | "root": { 228 | "path": "rootfs", 229 | "readonly": true 230 | }, 231 | "mounts": [ 232 | { 233 | "source": "/tmp", 234 | "destination": "/tmp", 235 | "type": "bind", 236 | "options": [ 237 | "private", 238 | "bind", 239 | "rw", 240 | "mode=755" 241 | ] 242 | }, 243 | { 244 | "type": "bind", 245 | "source": "/etc", 246 | "destination": "/etc", 247 | "options": [ 248 | "rbind", 249 | "rprivate", 250 | "rw", 251 | "mode=755" 252 | ] 253 | }, 254 | { 255 | "type": "bind", 256 | "source": "/lib/modules", 257 | "destination": "/lib/modules", 258 | "options": [ 259 | "rbind", 260 | "rprivate", 261 | "rw", 262 | "mode=755" 263 | ] 264 | }, 265 | { 266 | "type": "bind", 267 | "source": "/root", 268 | "destination": "/root", 269 | "options": [ 270 | "rbind", 271 | "rprivate", 272 | "rw", 273 | "mode=755" 274 | ] 275 | }, 276 | { 277 | "type": "bind", 278 | "source": "/home", 279 | "destination": "/home", 280 | "options": [ 281 | "rbind", 282 | "rprivate", 283 | "rw", 284 | "mode=755" 285 | ] 286 | }, 287 | { 288 | "type": "bind", 289 | "source": "/opt", 290 | "destination": "/opt", 291 | "options": [ 292 | "rbind", 293 | "rslave", 294 | "rw", 295 | "mode=755" 296 | ] 297 | }, 298 | { 299 | "type": "bind", 300 | "source": "/mnt", 301 | "destination": "/mnt", 302 | "options": [ 303 | "rbind", 304 | "rw", 305 | "rprivate", 306 | "mode=755" 307 | ] 308 | }, 309 | { 310 | "type": "bind", 311 | "source": "${RUN_DIRECTORY}", 312 | "destination": "/run", 313 | "options": [ 314 | 
"rshared", 315 | "rbind", 316 | "rw", 317 | "mode=755" 318 | ] 319 | }, 320 | { 321 | "type": "bind", 322 | "source": "/run/systemd", 323 | "destination": "/run/systemd", 324 | "options": [ 325 | "rslave", 326 | "bind", 327 | "rw", 328 | "mode=755" 329 | ] 330 | }, 331 | { 332 | "type": "bind", 333 | "source": "/var/log", 334 | "destination": "/var/log", 335 | "options": [ 336 | "rbind", 337 | "rslave", 338 | "rw" 339 | ] 340 | }, 341 | { 342 | "type": "bind", 343 | "source": "${STATE_DIRECTORY}", 344 | "destination": "/var/lib", 345 | "options": [ 346 | "rbind", 347 | "rshared", 348 | "rw" 349 | ] 350 | }, 351 | { 352 | "destination": "/host", 353 | "options": [ 354 | "rbind", 355 | "rshared", 356 | "rw" 357 | ], 358 | "source": "/", 359 | "type": "bind" 360 | }, 361 | { 362 | "source": "/dev", 363 | "destination": "/dev", 364 | "type": "bind", 365 | "options": [ 366 | "rprivate", 367 | "rbind", 368 | "rw", 369 | "mode=755" 370 | ] 371 | }, 372 | { 373 | "source": "/sys", 374 | "destination": "/sys", 375 | "type": "bind", 376 | "options": [ 377 | "rprivate", 378 | "rbind", 379 | "rw", 380 | "mode=755" 381 | ] 382 | }, 383 | { 384 | "source": "/proc", 385 | "destination": "/proc", 386 | "type": "proc", 387 | "options": [ 388 | "private" 389 | ] 390 | } 391 | $ADDTL_MOUNTS 392 | ], 393 | "hooks": {}, 394 | "linux": { 395 | "rootfsPropagation": "rslave", 396 | "resources": { 397 | "devices": [ 398 | { 399 | "allow": true, 400 | "access": "rwm" 401 | } 402 | ] 403 | }, 404 | "namespaces": [ 405 | { 406 | "type": "mount" 407 | } 408 | ] 409 | } 410 | } 411 | -------------------------------------------------------------------------------- /kubeadm/config.json.template: -------------------------------------------------------------------------------- 1 | { 2 | "ociVersion": "1.0.0", 3 | "platform": { 4 | "os": "linux", 5 | "arch": "amd64" 6 | }, 7 | "process": { 8 | "terminal": false, 9 | "user": {}, 10 | "args": [ 11 | "/usr/bin/launch.sh" 12 | ], 13 | "env": [ 14 | 
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", 15 | "TERM=xterm" 16 | ], 17 | "noNewPrivileges": false, 18 | "cwd": "/", 19 | "capabilities": { 20 | "bounding": [ 21 | "CAP_CHOWN", 22 | "CAP_DAC_OVERRIDE", 23 | "CAP_DAC_READ_SEARCH", 24 | "CAP_FOWNER", 25 | "CAP_FSETID", 26 | "CAP_KILL", 27 | "CAP_SETGID", 28 | "CAP_SETUID", 29 | "CAP_SETPCAP", 30 | "CAP_LINUX_IMMUTABLE", 31 | "CAP_NET_BIND_SERVICE", 32 | "CAP_NET_BROADCAST", 33 | "CAP_NET_ADMIN", 34 | "CAP_NET_RAW", 35 | "CAP_IPC_LOCK", 36 | "CAP_IPC_OWNER", 37 | "CAP_SYS_MODULE", 38 | "CAP_SYS_RAWIO", 39 | "CAP_SYS_CHROOT", 40 | "CAP_SYS_PTRACE", 41 | "CAP_SYS_PACCT", 42 | "CAP_SYS_ADMIN", 43 | "CAP_SYS_BOOT", 44 | "CAP_SYS_NICE", 45 | "CAP_SYS_RESOURCE", 46 | "CAP_SYS_TIME", 47 | "CAP_SYS_TTY_CONFIG", 48 | "CAP_MKNOD", 49 | "CAP_LEASE", 50 | "CAP_AUDIT_WRITE", 51 | "CAP_AUDIT_CONTROL", 52 | "CAP_SETFCAP", 53 | "CAP_MAC_OVERRIDE", 54 | "CAP_MAC_ADMIN", 55 | "CAP_SYSLOG", 56 | "CAP_WAKE_ALARM", 57 | "CAP_BLOCK_SUSPEND" 58 | ], 59 | "permitted": [ 60 | "CAP_CHOWN", 61 | "CAP_DAC_OVERRIDE", 62 | "CAP_DAC_READ_SEARCH", 63 | "CAP_FOWNER", 64 | "CAP_FSETID", 65 | "CAP_KILL", 66 | "CAP_SETGID", 67 | "CAP_SETUID", 68 | "CAP_SETPCAP", 69 | "CAP_LINUX_IMMUTABLE", 70 | "CAP_NET_BIND_SERVICE", 71 | "CAP_NET_BROADCAST", 72 | "CAP_NET_ADMIN", 73 | "CAP_NET_RAW", 74 | "CAP_IPC_LOCK", 75 | "CAP_IPC_OWNER", 76 | "CAP_SYS_MODULE", 77 | "CAP_SYS_RAWIO", 78 | "CAP_SYS_CHROOT", 79 | "CAP_SYS_PTRACE", 80 | "CAP_SYS_PACCT", 81 | "CAP_SYS_ADMIN", 82 | "CAP_SYS_BOOT", 83 | "CAP_SYS_NICE", 84 | "CAP_SYS_RESOURCE", 85 | "CAP_SYS_TIME", 86 | "CAP_SYS_TTY_CONFIG", 87 | "CAP_MKNOD", 88 | "CAP_LEASE", 89 | "CAP_AUDIT_WRITE", 90 | "CAP_AUDIT_CONTROL", 91 | "CAP_SETFCAP", 92 | "CAP_MAC_OVERRIDE", 93 | "CAP_MAC_ADMIN", 94 | "CAP_SYSLOG", 95 | "CAP_WAKE_ALARM", 96 | "CAP_BLOCK_SUSPEND" 97 | ], 98 | "inheritable": [ 99 | "CAP_CHOWN", 100 | "CAP_DAC_OVERRIDE", 101 | "CAP_DAC_READ_SEARCH", 102 | "CAP_FOWNER", 103 | "CAP_FSETID", 
104 | "CAP_KILL", 105 | "CAP_SETGID", 106 | "CAP_SETUID", 107 | "CAP_SETPCAP", 108 | "CAP_LINUX_IMMUTABLE", 109 | "CAP_NET_BIND_SERVICE", 110 | "CAP_NET_BROADCAST", 111 | "CAP_NET_ADMIN", 112 | "CAP_NET_RAW", 113 | "CAP_IPC_LOCK", 114 | "CAP_IPC_OWNER", 115 | "CAP_SYS_MODULE", 116 | "CAP_SYS_RAWIO", 117 | "CAP_SYS_CHROOT", 118 | "CAP_SYS_PTRACE", 119 | "CAP_SYS_PACCT", 120 | "CAP_SYS_ADMIN", 121 | "CAP_SYS_BOOT", 122 | "CAP_SYS_NICE", 123 | "CAP_SYS_RESOURCE", 124 | "CAP_SYS_TIME", 125 | "CAP_SYS_TTY_CONFIG", 126 | "CAP_MKNOD", 127 | "CAP_LEASE", 128 | "CAP_AUDIT_WRITE", 129 | "CAP_AUDIT_CONTROL", 130 | "CAP_SETFCAP", 131 | "CAP_MAC_OVERRIDE", 132 | "CAP_MAC_ADMIN", 133 | "CAP_SYSLOG", 134 | "CAP_WAKE_ALARM", 135 | "CAP_BLOCK_SUSPEND" 136 | ], 137 | "effective": [ 138 | "CAP_CHOWN", 139 | "CAP_DAC_OVERRIDE", 140 | "CAP_DAC_READ_SEARCH", 141 | "CAP_FOWNER", 142 | "CAP_FSETID", 143 | "CAP_KILL", 144 | "CAP_SETGID", 145 | "CAP_SETUID", 146 | "CAP_SETPCAP", 147 | "CAP_LINUX_IMMUTABLE", 148 | "CAP_NET_BIND_SERVICE", 149 | "CAP_NET_BROADCAST", 150 | "CAP_NET_ADMIN", 151 | "CAP_NET_RAW", 152 | "CAP_IPC_LOCK", 153 | "CAP_IPC_OWNER", 154 | "CAP_SYS_MODULE", 155 | "CAP_SYS_RAWIO", 156 | "CAP_SYS_CHROOT", 157 | "CAP_SYS_PTRACE", 158 | "CAP_SYS_PACCT", 159 | "CAP_SYS_ADMIN", 160 | "CAP_SYS_BOOT", 161 | "CAP_SYS_NICE", 162 | "CAP_SYS_RESOURCE", 163 | "CAP_SYS_TIME", 164 | "CAP_SYS_TTY_CONFIG", 165 | "CAP_MKNOD", 166 | "CAP_LEASE", 167 | "CAP_AUDIT_WRITE", 168 | "CAP_AUDIT_CONTROL", 169 | "CAP_SETFCAP", 170 | "CAP_MAC_OVERRIDE", 171 | "CAP_MAC_ADMIN", 172 | "CAP_SYSLOG", 173 | "CAP_WAKE_ALARM", 174 | "CAP_BLOCK_SUSPEND" 175 | ], 176 | "ambient": [ 177 | "CAP_CHOWN", 178 | "CAP_DAC_OVERRIDE", 179 | "CAP_DAC_READ_SEARCH", 180 | "CAP_FOWNER", 181 | "CAP_FSETID", 182 | "CAP_KILL", 183 | "CAP_SETGID", 184 | "CAP_SETUID", 185 | "CAP_SETPCAP", 186 | "CAP_LINUX_IMMUTABLE", 187 | "CAP_NET_BIND_SERVICE", 188 | "CAP_NET_BROADCAST", 189 | "CAP_NET_ADMIN", 190 | "CAP_NET_RAW", 191 | 
"CAP_IPC_LOCK", 192 | "CAP_IPC_OWNER", 193 | "CAP_SYS_MODULE", 194 | "CAP_SYS_RAWIO", 195 | "CAP_SYS_CHROOT", 196 | "CAP_SYS_PTRACE", 197 | "CAP_SYS_PACCT", 198 | "CAP_SYS_ADMIN", 199 | "CAP_SYS_BOOT", 200 | "CAP_SYS_NICE", 201 | "CAP_SYS_RESOURCE", 202 | "CAP_SYS_TIME", 203 | "CAP_SYS_TTY_CONFIG", 204 | "CAP_MKNOD", 205 | "CAP_LEASE", 206 | "CAP_AUDIT_WRITE", 207 | "CAP_AUDIT_CONTROL", 208 | "CAP_SETFCAP", 209 | "CAP_MAC_OVERRIDE", 210 | "CAP_MAC_ADMIN", 211 | "CAP_SYSLOG", 212 | "CAP_WAKE_ALARM", 213 | "CAP_BLOCK_SUSPEND" 214 | ] 215 | }, 216 | "rlimits": [ 217 | { 218 | "type": "RLIMIT_NOFILE", 219 | "hard": 1024, 220 | "soft": 1024 221 | } 222 | ] 223 | }, 224 | "root": { 225 | "path": "rootfs", 226 | "readonly": true 227 | }, 228 | "mounts": [ 229 | { 230 | "destination": "/proc", 231 | "type": "proc", 232 | "source": "proc" 233 | }, 234 | { 235 | "destination": "/dev", 236 | "type": "bind", 237 | "source": "/dev", 238 | "options": [ 239 | "rbind", 240 | "rslave" 241 | ] 242 | }, 243 | { 244 | "destination": "/dev/pts", 245 | "type": "devpts", 246 | "source": "devpts", 247 | "options": [ 248 | "nosuid", 249 | "noexec", 250 | "newinstance", 251 | "ptmxmode=0666", 252 | "mode=0620", 253 | "gid=5" 254 | ] 255 | }, 256 | { 257 | "destination": "/dev/shm", 258 | "type": "tmpfs", 259 | "source": "shm", 260 | "options": [ 261 | "nosuid", 262 | "noexec", 263 | "nodev", 264 | "mode=1777", 265 | "size=65536k" 266 | ] 267 | }, 268 | { 269 | "destination": "/sys", 270 | "type": "sysfs", 271 | "source": "sysfs", 272 | "options": [ 273 | "nosuid", 274 | "noexec", 275 | "nodev" 276 | ] 277 | }, 278 | { 279 | "destination": "/sys/fs/cgroup", 280 | "type": "cgroup", 281 | "source": "cgroup", 282 | "options": [ 283 | "nosuid", 284 | "noexec", 285 | "nodev", 286 | "relatime", 287 | "ro" 288 | ] 289 | }, 290 | { 291 | "type": "bind", 292 | "source": "/etc/kubernetes", 293 | "destination": "/etc/kubernetes", 294 | "options": [ 295 | "rbind", 296 | "ro", 297 | "rprivate" 298 | ] 
299 | }, 300 | { 301 | "destination": "/etc/resolv.conf", 302 | "type": "bind", 303 | "source": "/etc/resolv.conf", 304 | "options": [ 305 | "ro", 306 | "rbind", 307 | "rprivate" 308 | ] 309 | }, 310 | { 311 | "type": "bind", 312 | "source": "/", 313 | "destination": "/rootfs", 314 | "options": [ 315 | "rbind", 316 | "rslave", 317 | "ro" 318 | ] 319 | }, 320 | { 321 | "type": "bind", 322 | "source": "/var/run/", 323 | "destination": "/var/run/", 324 | "options": [ 325 | "rbind", 326 | "rw", 327 | "mode=755" 328 | ] 329 | }, 330 | { 331 | "type": "bind", 332 | "source": "/run", 333 | "destination": "/run", 334 | "options": [ 335 | "rbind", 336 | "rw", 337 | "mode=755" 338 | ] 339 | }, 340 | { 341 | "type": "bind", 342 | "source": "/var/lib", 343 | "destination": "/var/lib", 344 | "options": [ 345 | "bind", 346 | "rw", 347 | "mode=755" 348 | ] 349 | }, 350 | { 351 | "type": "bind", 352 | "source": "/var/lib/kubelet", 353 | "destination": "/var/lib/kubelet", 354 | "options": [ 355 | "rbind", 356 | "rslave", 357 | "rw", 358 | "mode=755" 359 | ] 360 | }, 361 | { 362 | "type": "bind", 363 | "source": "/var/log", 364 | "destination": "/var/log", 365 | "options": [ 366 | "bind", 367 | "rw", 368 | "mode=755" 369 | ] 370 | }, 371 | { 372 | "type": "bind", 373 | "source": "/etc/cni", 374 | "destination": "/etc/cni", 375 | "options": [ 376 | "rbind", 377 | "ro", 378 | "rprivate" 379 | ] 380 | } 381 | ], 382 | "linux": { 383 | "rootfsPropagation": "rslave", 384 | "resources": { 385 | "devices": [ 386 | { 387 | "allow": true, 388 | "access": "rwm" 389 | } 390 | ] 391 | }, 392 | "namespaces": [ 393 | { 394 | "type": "mount" 395 | } 396 | ], 397 | "devices": null, 398 | "apparmorProfile": "" 399 | } 400 | } 401 | -------------------------------------------------------------------------------- /kubernetes-kubelet/config.json.template: -------------------------------------------------------------------------------- 1 | { 2 | "ociVersion": "1.0.0", 3 | "platform": { 4 | "os": 
"linux", 5 | "arch": "amd64" 6 | }, 7 | "process": { 8 | "terminal": false, 9 | "user": {}, 10 | "args": [ 11 | "/usr/bin/kubelet-docker.sh" 12 | ], 13 | "env": [ 14 | "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", 15 | "TERM=xterm" 16 | ], 17 | "noNewPrivileges": false, 18 | "cwd": "/", 19 | "capabilities": { 20 | "bounding": [ 21 | "CAP_CHOWN", 22 | "CAP_DAC_OVERRIDE", 23 | "CAP_DAC_READ_SEARCH", 24 | "CAP_FOWNER", 25 | "CAP_FSETID", 26 | "CAP_KILL", 27 | "CAP_SETGID", 28 | "CAP_SETUID", 29 | "CAP_SETPCAP", 30 | "CAP_LINUX_IMMUTABLE", 31 | "CAP_NET_BIND_SERVICE", 32 | "CAP_NET_BROADCAST", 33 | "CAP_NET_ADMIN", 34 | "CAP_NET_RAW", 35 | "CAP_IPC_LOCK", 36 | "CAP_IPC_OWNER", 37 | "CAP_SYS_MODULE", 38 | "CAP_SYS_RAWIO", 39 | "CAP_SYS_CHROOT", 40 | "CAP_SYS_PTRACE", 41 | "CAP_SYS_PACCT", 42 | "CAP_SYS_ADMIN", 43 | "CAP_SYS_BOOT", 44 | "CAP_SYS_NICE", 45 | "CAP_SYS_RESOURCE", 46 | "CAP_SYS_TIME", 47 | "CAP_SYS_TTY_CONFIG", 48 | "CAP_MKNOD", 49 | "CAP_LEASE", 50 | "CAP_AUDIT_WRITE", 51 | "CAP_AUDIT_CONTROL", 52 | "CAP_SETFCAP", 53 | "CAP_MAC_OVERRIDE", 54 | "CAP_MAC_ADMIN", 55 | "CAP_SYSLOG", 56 | "CAP_WAKE_ALARM", 57 | "CAP_BLOCK_SUSPEND" 58 | ], 59 | "permitted": [ 60 | "CAP_CHOWN", 61 | "CAP_DAC_OVERRIDE", 62 | "CAP_DAC_READ_SEARCH", 63 | "CAP_FOWNER", 64 | "CAP_FSETID", 65 | "CAP_KILL", 66 | "CAP_SETGID", 67 | "CAP_SETUID", 68 | "CAP_SETPCAP", 69 | "CAP_LINUX_IMMUTABLE", 70 | "CAP_NET_BIND_SERVICE", 71 | "CAP_NET_BROADCAST", 72 | "CAP_NET_ADMIN", 73 | "CAP_NET_RAW", 74 | "CAP_IPC_LOCK", 75 | "CAP_IPC_OWNER", 76 | "CAP_SYS_MODULE", 77 | "CAP_SYS_RAWIO", 78 | "CAP_SYS_CHROOT", 79 | "CAP_SYS_PTRACE", 80 | "CAP_SYS_PACCT", 81 | "CAP_SYS_ADMIN", 82 | "CAP_SYS_BOOT", 83 | "CAP_SYS_NICE", 84 | "CAP_SYS_RESOURCE", 85 | "CAP_SYS_TIME", 86 | "CAP_SYS_TTY_CONFIG", 87 | "CAP_MKNOD", 88 | "CAP_LEASE", 89 | "CAP_AUDIT_WRITE", 90 | "CAP_AUDIT_CONTROL", 91 | "CAP_SETFCAP", 92 | "CAP_MAC_OVERRIDE", 93 | "CAP_MAC_ADMIN", 94 | "CAP_SYSLOG", 95 | "CAP_WAKE_ALARM", 
96 | "CAP_BLOCK_SUSPEND" 97 | ], 98 | "inheritable": [ 99 | "CAP_CHOWN", 100 | "CAP_DAC_OVERRIDE", 101 | "CAP_DAC_READ_SEARCH", 102 | "CAP_FOWNER", 103 | "CAP_FSETID", 104 | "CAP_KILL", 105 | "CAP_SETGID", 106 | "CAP_SETUID", 107 | "CAP_SETPCAP", 108 | "CAP_LINUX_IMMUTABLE", 109 | "CAP_NET_BIND_SERVICE", 110 | "CAP_NET_BROADCAST", 111 | "CAP_NET_ADMIN", 112 | "CAP_NET_RAW", 113 | "CAP_IPC_LOCK", 114 | "CAP_IPC_OWNER", 115 | "CAP_SYS_MODULE", 116 | "CAP_SYS_RAWIO", 117 | "CAP_SYS_CHROOT", 118 | "CAP_SYS_PTRACE", 119 | "CAP_SYS_PACCT", 120 | "CAP_SYS_ADMIN", 121 | "CAP_SYS_BOOT", 122 | "CAP_SYS_NICE", 123 | "CAP_SYS_RESOURCE", 124 | "CAP_SYS_TIME", 125 | "CAP_SYS_TTY_CONFIG", 126 | "CAP_MKNOD", 127 | "CAP_LEASE", 128 | "CAP_AUDIT_WRITE", 129 | "CAP_AUDIT_CONTROL", 130 | "CAP_SETFCAP", 131 | "CAP_MAC_OVERRIDE", 132 | "CAP_MAC_ADMIN", 133 | "CAP_SYSLOG", 134 | "CAP_WAKE_ALARM", 135 | "CAP_BLOCK_SUSPEND" 136 | ], 137 | "effective": [ 138 | "CAP_CHOWN", 139 | "CAP_DAC_OVERRIDE", 140 | "CAP_DAC_READ_SEARCH", 141 | "CAP_FOWNER", 142 | "CAP_FSETID", 143 | "CAP_KILL", 144 | "CAP_SETGID", 145 | "CAP_SETUID", 146 | "CAP_SETPCAP", 147 | "CAP_LINUX_IMMUTABLE", 148 | "CAP_NET_BIND_SERVICE", 149 | "CAP_NET_BROADCAST", 150 | "CAP_NET_ADMIN", 151 | "CAP_NET_RAW", 152 | "CAP_IPC_LOCK", 153 | "CAP_IPC_OWNER", 154 | "CAP_SYS_MODULE", 155 | "CAP_SYS_RAWIO", 156 | "CAP_SYS_CHROOT", 157 | "CAP_SYS_PTRACE", 158 | "CAP_SYS_PACCT", 159 | "CAP_SYS_ADMIN", 160 | "CAP_SYS_BOOT", 161 | "CAP_SYS_NICE", 162 | "CAP_SYS_RESOURCE", 163 | "CAP_SYS_TIME", 164 | "CAP_SYS_TTY_CONFIG", 165 | "CAP_MKNOD", 166 | "CAP_LEASE", 167 | "CAP_AUDIT_WRITE", 168 | "CAP_AUDIT_CONTROL", 169 | "CAP_SETFCAP", 170 | "CAP_MAC_OVERRIDE", 171 | "CAP_MAC_ADMIN", 172 | "CAP_SYSLOG", 173 | "CAP_WAKE_ALARM", 174 | "CAP_BLOCK_SUSPEND" 175 | ], 176 | "ambient": [ 177 | "CAP_CHOWN", 178 | "CAP_DAC_OVERRIDE", 179 | "CAP_DAC_READ_SEARCH", 180 | "CAP_FOWNER", 181 | "CAP_FSETID", 182 | "CAP_KILL", 183 | "CAP_SETGID", 184 | 
"CAP_SETUID", 185 | "CAP_SETPCAP", 186 | "CAP_LINUX_IMMUTABLE", 187 | "CAP_NET_BIND_SERVICE", 188 | "CAP_NET_BROADCAST", 189 | "CAP_NET_ADMIN", 190 | "CAP_NET_RAW", 191 | "CAP_IPC_LOCK", 192 | "CAP_IPC_OWNER", 193 | "CAP_SYS_MODULE", 194 | "CAP_SYS_RAWIO", 195 | "CAP_SYS_CHROOT", 196 | "CAP_SYS_PTRACE", 197 | "CAP_SYS_PACCT", 198 | "CAP_SYS_ADMIN", 199 | "CAP_SYS_BOOT", 200 | "CAP_SYS_NICE", 201 | "CAP_SYS_RESOURCE", 202 | "CAP_SYS_TIME", 203 | "CAP_SYS_TTY_CONFIG", 204 | "CAP_MKNOD", 205 | "CAP_LEASE", 206 | "CAP_AUDIT_WRITE", 207 | "CAP_AUDIT_CONTROL", 208 | "CAP_SETFCAP", 209 | "CAP_MAC_OVERRIDE", 210 | "CAP_MAC_ADMIN", 211 | "CAP_SYSLOG", 212 | "CAP_WAKE_ALARM", 213 | "CAP_BLOCK_SUSPEND" 214 | ] 215 | }, 216 | "rlimits": [ 217 | { 218 | "type": "RLIMIT_NOFILE", 219 | "hard": 1024, 220 | "soft": 1024 221 | } 222 | ] 223 | }, 224 | "root": { 225 | "path": "rootfs", 226 | "readonly": true 227 | }, 228 | "mounts": [ 229 | { 230 | "destination": "/proc", 231 | "type": "proc", 232 | "source": "proc" 233 | }, 234 | { 235 | "source": "/dev", 236 | "destination": "/dev", 237 | "type": "bind", 238 | "options": [ 239 | "rbind", 240 | "rslave" 241 | ] 242 | }, 243 | { 244 | "destination": "/dev/pts", 245 | "type": "devpts", 246 | "source": "devpts", 247 | "options": [ 248 | "nosuid", 249 | "noexec", 250 | "newinstance", 251 | "ptmxmode=0666", 252 | "mode=0620", 253 | "gid=5" 254 | ] 255 | }, 256 | { 257 | "destination": "/dev/shm", 258 | "type": "tmpfs", 259 | "source": "shm", 260 | "options": [ 261 | "nosuid", 262 | "noexec", 263 | "nodev", 264 | "mode=1777", 265 | "size=65536k" 266 | ] 267 | }, 268 | { 269 | "type": "bind", 270 | "source": "/sys", 271 | "destination": "/sys", 272 | "options": [ 273 | "rbind", 274 | "rw" 275 | ] 276 | }, 277 | { 278 | "type": "bind", 279 | "source": "/etc/cni/net.d", 280 | "destination": "/etc/cni/net.d", 281 | "options": [ 282 | "bind", 283 | "slave", 284 | "rw", 285 | "mode=777" 286 | ] 287 | }, 288 | { 289 | "type": "bind", 290 | 
"source": "/etc/kubernetes", 291 | "destination": "/etc/kubernetes", 292 | "options": [ 293 | "rbind", 294 | "ro", 295 | "rprivate" 296 | ] 297 | }, 298 | { 299 | "type": "bind", 300 | "source": "/etc/localtime", 301 | "destination": "/etc/localtime", 302 | "options": [ 303 | "rbind", 304 | "ro" 305 | ] 306 | }, 307 | { 308 | "type": "bind", 309 | "source": "/etc/pki", 310 | "destination": "/etc/pki", 311 | "options": [ 312 | "bind", 313 | "ro" 314 | ] 315 | }, 316 | { 317 | "destination": "/etc/resolv.conf", 318 | "type": "bind", 319 | "source": "/etc/resolv.conf", 320 | "options": [ 321 | "ro", 322 | "bind" 323 | ] 324 | }, 325 | { 326 | "type": "bind", 327 | "source": "/", 328 | "destination": "/rootfs", 329 | "options": [ 330 | "rbind", 331 | "rslave", 332 | "ro" 333 | ] 334 | }, 335 | { 336 | "type": "bind", 337 | "source": "/var/run/secrets", 338 | "destination": "/var/run/secrets", 339 | "options": [ 340 | "rbind", 341 | "rw", 342 | "mode=755" 343 | ] 344 | }, 345 | { 346 | "type": "bind", 347 | "source": "${RUN_DIRECTORY}", 348 | "destination": "/run", 349 | "options": [ 350 | "rbind", 351 | "rw", 352 | "mode=755" 353 | ] 354 | }, 355 | { 356 | "type": "bind", 357 | "source": "${STATE_DIRECTORY}", 358 | "destination": "/var/lib", 359 | "options": [ 360 | "bind", 361 | "rw", 362 | "mode=755" 363 | ] 364 | }, 365 | { 366 | "type": "bind", 367 | "source": "${STATE_DIRECTORY}/kubelet", 368 | "destination": "/var/lib/kubelet", 369 | "options": [ 370 | "rbind", 371 | "rshared", 372 | "rw", 373 | "mode=755" 374 | ] 375 | }, 376 | { 377 | "type": "bind", 378 | "source": "/var/log", 379 | "destination": "/var/log", 380 | "options": [ 381 | "bind", 382 | "rw", 383 | "mode=755" 384 | ] 385 | }, 386 | { 387 | "destination": "/tmp", 388 | "type": "tmpfs", 389 | "source": "tmpfs", 390 | "options": [ 391 | "mode=755", 392 | "size=65536k" 393 | ] 394 | } 395 | $ADDTL_MOUNTS 396 | ], 397 | "linux": { 398 | "rootfsPropagation": "rslave", 399 | "resources": { 400 | "devices": 
[ 401 | { 402 | "allow": true, 403 | "access": "rwm" 404 | } 405 | ] 406 | }, 407 | "namespaces": [ 408 | { 409 | "type": "mount" 410 | } 411 | ], 412 | "devices": null, 413 | "apparmorProfile": "" 414 | } 415 | } 416 | --------------------------------------------------------------------------------