Adds ctr run --memory-limit for all platforms.
Adds ctr run --cpu-count for Windows platforms.
Signed-off-by: Justin Terry (VM) <juterry@microsoft.com>
While looking through the Moby source code was found /proc/asound to be shared
with containers as read-only.
This can lead to two information leaks.
---
**Leak of media playback status of the host**
Steps to reproduce the issue:
- Listen to music/Play a YouTube video/Do anything else that involves sound
output
- Execute docker run --rm ubuntu:latest bash -c "sleep 7; cat
/proc/asound/card*/pcm*p/sub*/status | grep state | cut -d ' ' -f2 | grep
RUNNING || echo 'not running'"
- See that the containerized process is able to check whether someone on the
host is playing music as it prints RUNNING
- Stop the music output
- Execute the command again (The sleep is delaying the output because
information regarding playback status isn't propagated instantly)
- See that it outputs not running
**Describe the results you received:**
A containerized process is able to gather information on the playback
status of an audio device governed by the host. Therefore a process of a
container is able to check whether and what kind of user activity is
present on the host system. Also, this may indicate whether a container
runs on a desktop system or a server as media playback rarely happens on
server systems.
The description above is in regard to media playback - when examining
`/proc/asound/card*/pcm*c/sub*/status` (`pcm*c` instead of `pcm*p`) this
can also leak information regarding capturing sound, as in recording
audio or making calls on the host system.
Reported-by: Philipp Schmied <pschmied@mailbox.org>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
1. Fixes bugs in ctr run that were introduced by 1d9b969
2. Adds support for the --isolated flag that runs Windows HyperV
cotainers instead of process isolated containers on Windows.
Signed-off-by: Justin Terry (VM) <juterry@microsoft.com>
If we are using an image config, we should by default add any additional
GIDs that are found from reading /etc/group, even if the default user is
root.
Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
Add flag and With-helper to set NoNewPrivileges to false since it is on
by default in the default UNIX spec for containerd, but off by default
in Docker and CRI plugin use. This allows for easy testing with it off
for comparison.
Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
Can be used to conform to Docker engine behavior of adding additional
GIDs to spec when found in /etc/group of image filesystem
Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
When creating a default OCI spec on Windows that is targeting the LCOW
platform it needs to contain a Windows section as well. This adds the
Windows section by default. It also protects against this case for all
OCI creation that doesnt use the OCI package in the runhcs-shim.
Signed-off-by: Justin Terry (VM) <juterry@microsoft.com>
On Windows we need to be able to create both Linux and Windows OCI spec
files by default to support WCOW and LCOW scenarios. This merges the
compile time differences into runtime differences between the two based
on the spec and platform the user sets.
It maintains the old behavior with Default specs resulting in the
platform default the binary is compiled for.
Signed-off-by: Justin Terry (VM) <juterry@microsoft.com>
These opts either inherit the parent cgroup device.list or append the
default unix devices like /dev/null /dev/random so that the container
has access.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
The behaviour was changed in 99df1a9e11 ("Set gid 0 when no group is
specified"), part of #2529.
Take the opportunity to tighten up the grammar a bit too.
Signed-off-by: Ian Campbell <ian.campbell@docker.com>
This change is to match Docker's implementaion of setting gid and groups
to 0 when no gid is specified but an explicit uid is set.
Fixes#2527
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
We introduce a WithSpecFromFile option combinator to allow creation
simpler creation of OCI specs from a file name. Often used as the first
option in a `SpecOpts` slice, it simplifies choosing between a local
file and the built-in default.
The code in `ctr run` has been updated to use the new option, with out
changing the order of operations or functionality present there.
Signed-off-by: Stephen Day <stephen.day@getcruise.com>
This allows users to provide args for the process arguments while
creating the base spec with an image. It provides the same symantics as
Docker where additional args replace the CMD while leaving the
ENTRYPOINT the same.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
This change allows implementations to resolve the location of the actual data
using OCI descriptor fields such as MediaType.
No OCI descriptor field is written to the store.
No change on gRPC API.
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
This allows Go to build third party packages correctly without vendoring
issues what want to create their own SpecOpts.
Fixes#2289
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
In a few places we check for nil types when modifying a spec,
but in many cases we do not so we could get a panic if the
passed in type was not filled. Because the generated spec is
filled we will not notice this but users may get unexpected
panics.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Export as a tar (Note: "-" can be used for stdout):
$ ctr images export /tmp/oci-busybox.tar docker.io/library/busybox:latest
Import a tar (Note: "-" can be used for stdin):
$ ctr images import foo/new:latest /tmp/oci-busybox.tar
Note: media types are not converted at the moment: e.g.
application/vnd.docker.image.rootfs.diff.tar.gzip
-> application/vnd.oci.image.layer.v1.tar+gzip
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
