# Copyright 2025 The Go Authors. All rights reserved.
# Use of this source code is governed by a BSD-style
# license that can be found in the LICENSE file.
#
# This file is JSON with comments.
# A comment is any line whose first non-whitespace character is #.
# A sed script in the Makefile and in deploy/worker.yaml removes
# the comments to produce valid JSON.
#
# This is a bundle config file for runsc, as specified by the
# Open Container Initiative: see
# https://github.com/opencontainers/runtime-spec/blob/main/config.md.
# Most of this file is generated by "runsc spec"; see
# https://gvisor.dev/docs/user_guide/quick_start/oci.
# The few important tweaks are commented.
{
"ociVersion": "1.0.0",
"process": {
"user": {
"uid": 0,
"gid": 0
},
# This is the command that "runsc run" will execute in the sandbox.
# runsc pipes the sandboxed program's stdout and stderr to its caller
# and exits with the same return code.
"args": [
"/runner"
],
"env": [
"PATH=/usr/local/go/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"TERM=xterm"
],
"cwd": "/",
"capabilities": {
"bounding": [
"CAP_AUDIT_WRITE",
"CAP_KILL",
"CAP_NET_BIND_SERVICE"
],
"effective": [
"CAP_AUDIT_WRITE",
"CAP_KILL",
"CAP_NET_BIND_SERVICE"
],
"inheritable": [
"CAP_AUDIT_WRITE",
"CAP_KILL",
"CAP_NET_BIND_SERVICE"
],
"permitted": [
"CAP_AUDIT_WRITE",
"CAP_KILL",
"CAP_NET_BIND_SERVICE"
]
},
"rlimits": [
{
"type": "RLIMIT_NOFILE",
"hard": 1048576,
"soft": 1048576
}
]
},
"root": {
# This is the path to the directory that will be the root filesystem
# of the sandbox. runsc intercepts system calls, but this directory
# must contain everything else the sandboxed program needs in order
# to run, for example the directories that hold executables such as
# "echo" and "ls".
"path": "rootfs",
"readonly": false
},
"hostname": "runsc",
"mounts": [
{
"destination": "/proc",
"type": "proc",
"source": "proc"
},
{
"destination": "/dev",
"type": "tmpfs",
"source": "tmpfs"
},
{
"destination": "/sys",
"type": "sysfs",
"source": "sysfs",
"options": [
"nosuid",
"noexec",
"nodev",
"ro"
]
}
],
"linux": {
"namespaces": [
{
"type": "pid"
},
{
"type": "network"
},
{
"type": "ipc"
},
{
"type": "uts"
},
{
"type": "mount"
}
]
}
}