# Copyright 2022 The Go Authors. All rights reserved.
# Use of this source code is governed by a BSD-style
# license that can be found in the LICENSE file.
#
# This file is JSON with comments.
# A comment is any line whose first non-whitespace character is #.
# A sed script in the Makefile and in deploy/worker.yaml removes
# the comments to produce valid JSON.
#
# This is a bundle config file for runsc, as specified by the
# Open Container Initiative: see
# https://github.com/opencontainers/runtime-spec/blob/main/config.md.
# Most of this file is generated by "runsc spec"; see
# https://gvisor.dev/docs/user_guide/quick_start/oci.
# The few important tweaks are commented.
{
"ociVersion": "1.0.0",
"process": {
"user": {
"uid": 0,
"gid": 0
},
"args": [
# This is the command that "runsc run" will execute in the sandbox.
# See the internal/sandbox package.
# runsc will pipe the stdout and stderr to its caller,
# and will exit with the same return code.
"/runner"
],
"env": [
"PATH=/usr/local/go/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"TERM=xterm"
],
"cwd": "/",
"capabilities": {
"bounding": [
"CAP_AUDIT_WRITE",
"CAP_KILL",
"CAP_NET_BIND_SERVICE"
],
"effective": [
"CAP_AUDIT_WRITE",
"CAP_KILL",
"CAP_NET_BIND_SERVICE"
],
"inheritable": [
"CAP_AUDIT_WRITE",
"CAP_KILL",
"CAP_NET_BIND_SERVICE"
],
"permitted": [
"CAP_AUDIT_WRITE",
"CAP_KILL",
"CAP_NET_BIND_SERVICE"
]
},
"rlimits": [
{
"type": "RLIMIT_NOFILE",
"hard": 1048576,
"soft": 1048576
}
]
},
"root": {
"path": "rootfs",
# The root filesystem must be writable so that
# the go command can write to its build and module caches.
"readonly": false
},
"hostname": "runsc",
"mounts": [
{
"destination": "/proc",
"type": "proc",
"source": "proc"
},
{
"destination": "/dev",
"type": "tmpfs",
"source": "tmpfs"
},
{
"destination": "/sys",
"type": "sysfs",
"source": "sysfs",
"options": [
"nosuid",
"noexec",
"nodev",
"ro"
]
},
# Bind mounts. These let us map directories inside the sandbox
# (the destination) to directories outside (the source).
# If the source doesn't exist, you'll get the (obscure) error
# "cannot read client sync file".
# If the destination already exists, that's not an error, but the
# existing files in that directory will be hidden from code running
# inside the sandbox, because the bind mount shadows them.
# Each of these mounts is given only the "bind" option (no "ro"),
# so code in the sandbox can write to the source directories.
{
# Mount /app/binaries inside the sandbox to
# the same directory outside.
"destination": "/app/binaries",
"type": "none",
"source": "/app/binaries",
"options": ["bind"]
},
{
# Mount /app/go-vulndb inside the sandbox to
# the same directory outside.
"destination": "/app/go-vulndb",
"type": "none",
"source": "/app/go-vulndb",
"options": ["bind"]
},
{
# Mount /tmp/modules inside the sandbox to
# the same directory outside.
"destination": "/tmp/modules",
"type": "none",
"source": "/tmp/modules",
"options": ["bind"]
}
],
"linux": {
"namespaces": [
{
"type": "pid"
},
{
"type": "network"
},
{
"type": "ipc"
},
{
"type": "uts"
},
{
"type": "mount"
}
]
}
}