Jonathan Amsterdamf93fc572023-02-08 14:54:37 -05001# Copyright 2022 The Go Authors. All rights reserved.
2# Use of this source code is governed by a BSD-style
3# license that can be found in the LICENSE file.
4#
5# This file is JSON with comments.
6# A comment is any line whose first non-whitespace character is #.
7# A sed script in the Makefile and in deploy/worker.yaml removes
8# the comments to produce valid JSON.
9#
10# This is a bundle config file for runsc, as specified by the
11# Open Container Initiative: see
12# https://github.com/opencontainers/runtime-spec/blob/main/config.md.
13# Most of this file is generated by "runsc spec"; see
14# https://gvisor.dev/docs/user_guide/quick_start/oci.
15# The few important tweaks are commented.
16{
17 "ociVersion": "1.0.0",
18 "process": {
19 "user": {
20 "uid": 0,
21 "gid": 0
22 },
23 "args": [
24 # This is the command that "runsc run" will execute in the sandbox.
25 # See the internal/sandbox package.
26 # runsc will pipe the stdout and stderr to its caller,
27 # and will exit with the same return code.
28 "/runner"
29 ],
30 "env": [
31 "PATH=/usr/local/go/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
32 "TERM=xterm"
33 ],
34 "cwd": "/",
35 "capabilities": {
36 "bounding": [
37 "CAP_AUDIT_WRITE",
38 "CAP_KILL",
39 "CAP_NET_BIND_SERVICE"
40 ],
41 "effective": [
42 "CAP_AUDIT_WRITE",
43 "CAP_KILL",
44 "CAP_NET_BIND_SERVICE"
45 ],
46 "inheritable": [
47 "CAP_AUDIT_WRITE",
48 "CAP_KILL",
49 "CAP_NET_BIND_SERVICE"
50 ],
51 "permitted": [
52 "CAP_AUDIT_WRITE",
53 "CAP_KILL",
54 "CAP_NET_BIND_SERVICE"
55 ]
56 },
57 "rlimits": [
58 {
59 "type": "RLIMIT_NOFILE",
60 "hard": 10024,
61 "soft": 10024
62 }
63 ]
64 },
65 "root": {
66 "path": "rootfs",
67 # The filesystem must be writeable so
68 # the go command can write to its caches.
69 "readonly": false
70 },
71 "hostname": "runsc",
72 "mounts": [
73 {
74 "destination": "/proc",
75 "type": "proc",
76 "source": "proc"
77 },
78 {
79 "destination": "/dev",
80 "type": "tmpfs",
81 "source": "tmpfs"
82 },
83 {
84 "destination": "/sys",
85 "type": "sysfs",
86 "source": "sysfs",
87 "options": [
88 "nosuid",
89 "noexec",
90 "nodev",
91 "ro"
92 ]
Jonathan Amsterdam3a446922023-03-14 12:23:08 -040093 },
Jonathan Amsterdam0f7c9ab2023-03-14 13:15:08 -040094 # Bind mounts. These let us map directories inside the sandbox
95 # (the destination) to directories outside (the source). The bind mounts
# below carry only the "bind" option (no "ro"), so code running in the
# sandbox can read and modify the host directories they map.
96 # If the source doesn't exist, you'll get the (obscure) error
97 # "cannot read client sync file".
98 # If the destination already exists, that's not an error, but the
99 # files in that directory will be hidden from code running inside the
100 # sandbox.
Jonathan Amsterdam3a446922023-03-14 12:23:08 -0400101 {
Jonathan Amsterdam1168a822023-03-18 09:08:32 -0400102 # Mount /app/binaries inside the sandbox to
Jonathan Amsterdam0f7c9ab2023-03-14 13:15:08 -0400103 # the same directory outside.
Jonathan Amsterdam1168a822023-03-18 09:08:32 -0400104 "destination": "/app/binaries",
Jonathan Amsterdam3a446922023-03-14 12:23:08 -0400105 "type": "none",
Jonathan Amsterdam1168a822023-03-18 09:08:32 -0400106 "source": "/app/binaries",
Jonathan Amsterdam3a446922023-03-14 12:23:08 -0400107 "options": ["bind"]
Jonathan Amsterdam30928132023-03-14 12:46:28 -0400108 },
109 {
110 # Mount /tmp/modules inside the sandbox to
Jonathan Amsterdam0f7c9ab2023-03-14 13:15:08 -0400111 # the same directory outside.
Jonathan Amsterdam30928132023-03-14 12:46:28 -0400112 "destination": "/tmp/modules",
113 "type": "none",
114 "source": "/tmp/modules",
115 "options": ["bind"]
Jonathan Amsterdamf93fc572023-02-08 14:54:37 -0500116 }
117 ],
118 "linux": {
119 "namespaces": [
120 {
121 "type": "pid"
122 },
123 {
124 "type": "network"
125 },
126 {
127 "type": "ipc"
128 },
129 {
130 "type": "uts"
131 },
132 {
133 "type": "mount"
134 }
135 ]
136 }
137}