%{
#if __GNUC__ >= 7
_Pragma("GCC diagnostic ignored \"-Wimplicit-fallthrough\"")
#endif
#include <stddef.h>
#include "conf-parser.h"
#include "nspawn-settings.h"
#include "nspawn-expose-ports.h"
%}
struct ConfigPerfItem;
%null_strings
%language=ANSI-C
%define slot-name section_and_lvalue
%define hash-function-name nspawn_gperf_hash
%define lookup-function-name nspawn_gperf_lookup
%readonly-tables
%omit-struct-type
%struct-type
%includes
%%
Exec.Boot, config_parse_boot, 0, 0
Exec.Ephemeral, config_parse_bool, 0, offsetof(Settings, ephemeral)
Exec.ProcessTwo, config_parse_pid2, 0, 0
Exec.Parameters, config_parse_strv, 0, offsetof(Settings, parameters)
Exec.Environment, config_parse_strv, 0, offsetof(Settings, environment)
Exec.User, config_parse_string, 0, offsetof(Settings, user)
Exec.Capability, config_parse_capability, 0, offsetof(Settings, capability)
Exec.AmbientCapability, config_parse_capability, 0, offsetof(Settings, ambient_capability)
Exec.DropCapability, config_parse_capability, 0, offsetof(Settings, drop_capability)
Exec.KillSignal, config_parse_signal, 0, offsetof(Settings, kill_signal)
Exec.Personality, config_parse_personality, 0, offsetof(Settings, personality)
Exec.MachineID, config_parse_id128, 0, offsetof(Settings, machine_id)
Exec.WorkingDirectory, config_parse_path, 0, offsetof(Settings, working_directory)
Exec.PivotRoot, config_parse_pivot_root, 0, 0
Exec.PrivateUsers, config_parse_private_users, 0, 0
Exec.NotifyReady, config_parse_bool, 0, offsetof(Settings, notify_ready)
Exec.SystemCallFilter, config_parse_syscall_filter, 0, 0,
Exec.LimitCPU, config_parse_rlimit, RLIMIT_CPU, offsetof(Settings, rlimit)
Exec.LimitFSIZE, config_parse_rlimit, RLIMIT_FSIZE, offsetof(Settings, rlimit)
Exec.LimitDATA, config_parse_rlimit, RLIMIT_DATA, offsetof(Settings, rlimit)
Exec.LimitSTACK, config_parse_rlimit, RLIMIT_STACK, offsetof(Settings, rlimit)
Exec.LimitCORE, config_parse_rlimit, RLIMIT_CORE, offsetof(Settings, rlimit)
Exec.LimitRSS, config_parse_rlimit, RLIMIT_RSS, offsetof(Settings, rlimit)
Exec.LimitNOFILE, config_parse_rlimit, RLIMIT_NOFILE, offsetof(Settings, rlimit)
Exec.LimitAS, config_parse_rlimit, RLIMIT_AS, offsetof(Settings, rlimit)
Exec.LimitNPROC, config_parse_rlimit, RLIMIT_NPROC, offsetof(Settings, rlimit)
Exec.LimitMEMLOCK, config_parse_rlimit, RLIMIT_MEMLOCK, offsetof(Settings, rlimit)
Exec.LimitLOCKS, config_parse_rlimit, RLIMIT_LOCKS, offsetof(Settings, rlimit)
Exec.LimitSIGPENDING, config_parse_rlimit, RLIMIT_SIGPENDING, offsetof(Settings, rlimit)
Exec.LimitMSGQUEUE, config_parse_rlimit, RLIMIT_MSGQUEUE, offsetof(Settings, rlimit)
Exec.LimitNICE, config_parse_rlimit, RLIMIT_NICE, offsetof(Settings, rlimit)
Exec.LimitRTPRIO, config_parse_rlimit, RLIMIT_RTPRIO, offsetof(Settings, rlimit)
Exec.LimitRTTIME, config_parse_rlimit, RLIMIT_RTTIME, offsetof(Settings, rlimit)
Exec.Hostname, config_parse_hostname, 0, offsetof(Settings, hostname)
Exec.NoNewPrivileges, config_parse_tristate, 0, offsetof(Settings, no_new_privileges)
Exec.OOMScoreAdjust, config_parse_oom_score_adjust, 0, 0
Exec.CPUAffinity, config_parse_cpu_affinity, 0, 0
Exec.ResolvConf, config_parse_resolv_conf, 0, offsetof(Settings, resolv_conf)
Exec.LinkJournal, config_parse_link_journal, 0, 0
Exec.Timezone, config_parse_timezone, 0, offsetof(Settings, timezone)
Files.ReadOnly, config_parse_tristate, 0, offsetof(Settings, read_only)
Files.Volatile, config_parse_volatile_mode, 0, offsetof(Settings, volatile_mode)
Files.Bind, config_parse_bind, 0, 0
Files.BindReadOnly, config_parse_bind, 1, 0
Files.TemporaryFileSystem, config_parse_tmpfs, 0, 0
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionality is now
also available via the new --inaccessible= cmdline switch, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (not exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline since it is not very useful.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
OCI hook support is currently still missing, but the hooks are already
parsed and should be easy to add. Other than that, OCI is implemented
pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
Files.Inaccessible, config_parse_inaccessible, 0, 0
Files.Overlay, config_parse_overlay, 0, 0
Files.OverlayReadOnly, config_parse_overlay, 1, 0
Files.PrivateUsersChown, config_parse_tristate, 0, offsetof(Settings, userns_chown)
Network.Private, config_parse_tristate, 0, offsetof(Settings, private_network)
Network.Interface, config_parse_strv, 0, offsetof(Settings, network_interfaces)
Network.MACVLAN, config_parse_strv, 0, offsetof(Settings, network_macvlan)
Network.IPVLAN, config_parse_strv, 0, offsetof(Settings, network_ipvlan)
Network.VirtualEthernet, config_parse_tristate, 0, offsetof(Settings, network_veth)
Network.VirtualEthernetExtra, config_parse_veth_extra, 0, 0
Network.Bridge, config_parse_ifname, 0, offsetof(Settings, network_bridge)
Network.Zone, config_parse_network_zone, 0, 0
Network.Port, config_parse_expose_port, 0, 0