config.json.commented: add

This file configures the runsc sandbox that the worker uses to run
its analyses.

Change-Id: I9203614f2382f3bbd90089573ef06eeba6903397
Reviewed-on: https://go-review.googlesource.com/c/pkgsite-metrics/+/466655
Run-TryBot: Jonathan Amsterdam <jba@google.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
diff --git a/config.json.commented b/config.json.commented
new file mode 100644
index 0000000..ad9abc2
--- /dev/null
+++ b/config.json.commented
@@ -0,0 +1,114 @@
+# Copyright 2022 The Go Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+#
+# This file is JSON with comments.
+# A comment is any line whose first non-whitespace character is #.
+# A sed script in the Makefile and in deploy/worker.yaml removes
+# the comments to produce valid JSON.
+#
+# This is a bundle config file for runsc, as specified by the
+# Open Container Initiative: see
+# https://github.com/opencontainers/runtime-spec/blob/main/config.md.
+# Most of this file is generated by "runsc spec"; see
+# https://gvisor.dev/docs/user_guide/quick_start/oci.
+# The few important tweaks are commented.
+{
+    "ociVersion": "1.0.0",
+    "process": {
+        "user": {
+            "uid": 0,
+            "gid": 0
+        },
+        "args": [
+            # This is the command that "runsc run" will execute in the sandbox.
+            # See the internal/sandbox package.
+            # runsc will pipe the stdout and stderr to its caller,
+            # and will exit with the same return code.
+            "/runner"
+        ],
+        "env": [
+            "PATH=/usr/local/go/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+            "TERM=xterm"
+        ],
+        "cwd": "/",
+        "capabilities": {
+            "bounding": [
+                "CAP_AUDIT_WRITE",
+                "CAP_KILL",
+                "CAP_NET_BIND_SERVICE"
+            ],
+            "effective": [
+                "CAP_AUDIT_WRITE",
+                "CAP_KILL",
+                "CAP_NET_BIND_SERVICE"
+            ],
+            "inheritable": [
+                "CAP_AUDIT_WRITE",
+                "CAP_KILL",
+                "CAP_NET_BIND_SERVICE"
+            ],
+            "permitted": [
+                "CAP_AUDIT_WRITE",
+                "CAP_KILL",
+                "CAP_NET_BIND_SERVICE"
+            ]
+        },
+        "rlimits": [
+            {
+                "type": "RLIMIT_NOFILE",
+                "hard": 10024,
+                "soft": 10024
+            }
+        ]
+    },
+    "root": {
+        "path": "rootfs",
+        # The filesystem must be writeable so
+        # the go command can write to its caches.
+        "readonly": false
+    },
+    "hostname": "runsc",
+    "mounts": [
+        {
+            "destination": "/proc",
+            "type": "proc",
+            "source": "proc"
+        },
+        {
+            "destination": "/dev",
+            "type": "tmpfs",
+            "source": "tmpfs"
+        },
+        {
+            "destination": "/sys",
+            "type": "sysfs",
+            "source": "sysfs",
+            "options": [
+                "nosuid",
+                "noexec",
+                "nodev",
+                "ro"
+            ]
+        }
+    ],
+    "linux": {
+        "namespaces": [
+            {
+                "type": "pid"
+            },
+            {
+                "type": "network"
+            },
+            {
+                "type": "ipc"
+            },
+            {
+                "type": "uts"
+            },
+            {
+                "type": "mount"
+            }
+        ]
+    }
+}
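Review bot: The process runs as uid 0 on a writable rootfs (`"uid": 0` / `"readonly": false`), and the only comment on that tweak explains the go caches but not the consequence: whatever /runner executes — presumably untrusted module code, given this is a sandbox — can modify anything under the root, including the toolchain that PATH points at under /usr/local/go and the caches it populates. If the same rootfs directory is reused across runs (not visible here), one run could poison the module or build cache for the next, so the comment should say how the rootfs is reset, e.g. `# NOTE: the rootfs is writable; the worker must recreate it (or run with runsc --overlay) before each run so one analysis cannot poison the caches for the next.` The spec also omits `"noNewPrivileges": true`, which I would add under `process` next to `capabilities` so setuid binaries in the rootfs cannot regain privileges, and a non-root uid/gid seems feasible since the go command does not need root. The gVisor sentry still bounds the blast radius to the sandbox either way, but since the header says the important tweaks are commented, these are the ones a reader would expect to find explained.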