diff --git a/oci/spec_opts.go b/oci/spec_opts.go index 8aa15d688..942b6ad96 100644 --- a/oci/spec_opts.go +++ b/oci/spec_opts.go @@ -377,6 +377,7 @@ func WithImageConfigArgs(image Image, args []string) SpecOpts { return fmt.Errorf("unknown image config media type %s", ic.MediaType) } + appendOSMounts(s, ociimage.OS) setProcess(s) if s.Linux != nil { defaults := config.Env diff --git a/oci/spec_opts_darwin.go b/oci/spec_opts_darwin.go new file mode 100644 index 000000000..44cc1ec68 --- /dev/null +++ b/oci/spec_opts_darwin.go @@ -0,0 +1,21 @@ +/* + Copyright The containerd Authors. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ + +package oci + +func appendOSMounts(s *Spec, os string) error { + return nil +} diff --git a/oci/spec_opts_freebsd.go b/oci/spec_opts_freebsd.go new file mode 100644 index 000000000..8fb267ac0 --- /dev/null +++ b/oci/spec_opts_freebsd.go @@ -0,0 +1,50 @@ +/* + Copyright The containerd Authors. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ + +package oci + +import ( + specs "github.com/opencontainers/runtime-spec/specs-go" +) + +// appendOSMounts modifies the mount spec to mount emulated Linux filesystems on FreeBSD, +// as per: https://wiki.freebsd.org/LinuxJails +func appendOSMounts(s *Spec, os string) error { + // No-op for FreeBSD containers + if os != "linux" { + return nil + } + /* The nosuid noexec options are for consistency with Linux mounts: on FreeBSD it is + by default impossible to execute anything from these filesystems. + */ + var mounts = []specs.Mount{ + { + Destination: "/proc", + Type: "linprocfs", + Source: "linprocfs", + Options: []string{"nosuid", "noexec"}, + }, + { + Destination: "/sys", + Type: "linsysfs", + Source: "linsysfs", + Options: []string{"nosuid", "noexec", "nodev"}, + }, + } + + s.Mounts = append(mounts, s.Mounts...) + return nil +} diff --git a/oci/spec_opts_linux.go b/oci/spec_opts_linux.go index 5b6052ab4..3bc9e5e11 100644 --- a/oci/spec_opts_linux.go +++ b/oci/spec_opts_linux.go @@ -203,3 +203,7 @@ func WithCDI(annotations map[string]string, cdiSpecDirs []string) SpecOpts { return nil } } + +func appendOSMounts(s *Spec, os string) error { + return nil +} diff --git a/oci/spec_opts_windows.go b/oci/spec_opts_windows.go index 94cb39312..d3ffdddba 100644 --- a/oci/spec_opts_windows.go +++ b/oci/spec_opts_windows.go @@ -115,3 +115,7 @@ func escapeAndCombineArgs(args []string) string { } return strings.Join(escaped, " ") } + +func appendOSMounts(s *Spec, os string) error { + return nil +} diff --git a/platforms/defaults_freebsd.go b/platforms/defaults_freebsd.go new file mode 100644 index 000000000..1828b7458 --- /dev/null +++ b/platforms/defaults_freebsd.go @@ -0,0 +1,42 @@ +/* + Copyright The containerd Authors. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ + +package platforms + +import ( + specs "github.com/opencontainers/image-spec/specs-go/v1" + "runtime" +) + +// DefaultSpec returns the current platform's default platform specification. +func DefaultSpec() specs.Platform { + return specs.Platform{ + OS: runtime.GOOS, + Architecture: runtime.GOARCH, + // The Variant field will be empty if arch != ARM. + Variant: cpuVariant(), + } +} + +// Default returns the default matcher for the platform. +func Default() MatchComparer { + return Ordered(DefaultSpec(), specs.Platform{ + OS: "linux", + Architecture: runtime.GOARCH, + // The Variant field will be empty if arch != ARM. + Variant: cpuVariant(), + }) +} diff --git a/platforms/defaults_unix.go b/platforms/defaults_unix.go index 49690f1b3..34ae08131 100644 --- a/platforms/defaults_unix.go +++ b/platforms/defaults_unix.go @@ -1,5 +1,5 @@ -//go:build !windows && !darwin -// +build !windows,!darwin +//go:build !windows && !darwin && !freebsd +// +build !windows,!darwin,!freebsd /* Copyright The containerd Authors.