# Copyright 2022 The Go Authors. All rights reserved.
# Use of this source code is governed by a BSD-style
# license that can be found in the LICENSE file.
#
# This file is JSON with comments.
# A comment is any line whose first non-whitespace character is #.
# A sed script in the Makefile and in deploy/worker.yaml removes
# the comments to produce valid JSON.
#
# This is a bundle config file for runsc, as specified by the
# Open Container Initiative: see
# https://github.com/opencontainers/runtime-spec/blob/main/config.md.
# Most of this file is generated by "runsc spec"; see
# https://gvisor.dev/docs/user_guide/quick_start/oci.
# The few important tweaks are commented.
{
"ociVersion": "1.0.0",
"process": {
"user": {
"uid": 0,
"gid": 0
},
"args": [
# This is the command that "runsc run" will execute in the sandbox.
# See the internal/sandbox package.
# runsc will pipe the stdout and stderr to its caller,
# and will exit with the same return code.
"/runner"
],
"env": [
"PATH=/usr/local/go/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"TERM=xterm"
],
"cwd": "/",
"capabilities": {
"bounding": [
"CAP_AUDIT_WRITE",
"CAP_KILL",
"CAP_NET_BIND_SERVICE"
],
"effective": [
"CAP_AUDIT_WRITE",
"CAP_KILL",
"CAP_NET_BIND_SERVICE"
],
"inheritable": [
"CAP_AUDIT_WRITE",
"CAP_KILL",
"CAP_NET_BIND_SERVICE"
],
"permitted": [
"CAP_AUDIT_WRITE",
"CAP_KILL",
"CAP_NET_BIND_SERVICE"
]
},
"rlimits": [
{
"type": "RLIMIT_NOFILE",
"hard": 1048576,
"soft": 1048576
}
]
},
"root": {
"path": "rootfs",
# The filesystem must be writeable so
# the go command can write to its caches.
"readonly": false
},
"hostname": "runsc",
"mounts": [
{
"destination": "/proc",
"type": "proc",
"source": "proc"
},
{
"destination": "/dev",
"type": "tmpfs",
"source": "tmpfs"
},
{
"destination": "/sys",
"type": "sysfs",
"source": "sysfs",
"options": [
"nosuid",
"noexec",
"nodev",
"ro"
]
},
# Bind mounts. These let us map directories inside the sandbox
# (the destination) to directories outside (the source).
# If the source doesn't exist, you'll get the (obscure) error
# "cannot read client sync file".
# If the destination already exists, that's not an error, but the
# files already in that directory will be hidden from code running inside
# the sandbox (the bind mount shadows them).
{
# Mount /app/binaries inside the sandbox to
# the same directory outside.
"destination": "/app/binaries",
"type": "none",
"source": "/app/binaries",
"options": ["bind"]
},
{
# Mount /app/go-vulndb inside the sandbox to
# the same directory outside.
"destination": "/app/go-vulndb",
"type": "none",
"source": "/app/go-vulndb",
"options": ["bind"]
},
{
# Mount /tmp/modules inside the sandbox to
# the same directory outside.
"destination": "/tmp/modules",
"type": "none",
"source": "/tmp/modules",
"options": ["bind"]
}
],
"linux": {
"namespaces": [
{
"type": "pid"
},
{
"type": "network"
},
{
"type": "ipc"
},
{
"type": "uts"
},
{
"type": "mount"
}
]
}
}