| 1004 | } |
| 1005 | |
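// createSpec builds the OCI runtime spec for container c. It starts from
// oci.DefaultSpec() and applies, in order, the SpecOpts that translate the
// daemon and host configuration into the spec. Option order is significant:
// coci.ApplyOpts applies them sequentially, so each option sees the spec as
// modified by the ones before it (for example the user must be set before
// CDI device injection, which may append supplementary groups).
//
// Parameters:
//   - ctx: passed through to coci.ApplyOpts.
//   - daemonCfg: the daemon configuration snapshot the options read from.
//   - c: the container whose Config and HostConfig drive the spec.
//   - mounts: the container mounts handed to withMounts.
//
// It returns the fully applied spec, or a nil spec together with the error
// from coci.ApplyOpts. A spec is never returned alongside an error, so a
// caller cannot accidentally launch a container from a spec that has only a
// subset of its hardening options (seccomp, AppArmor, SELinux, masked and
// read-only paths, ...) applied.
func (daemon *Daemon) createSpec(ctx context.Context, daemonCfg *configStore, c *container.Container, mounts []container.Mount) (*specs.Spec, error) {
	s := oci.DefaultSpec()

	// Applied sequentially; keep this order.
	opts := []coci.SpecOpts{
		withCommonOptions(daemon, &daemonCfg.Config, c),
		withCgroups(daemon, &daemonCfg.Config, c),
		WithResources(c),
		WithSysctls(c),
		// Set the user before CDI device injection, which may append supplementary groups.
		WithUser(c),
		WithDevices(daemon, c),
		withRlimits(daemon, &daemonCfg.Config, c),
		WithNamespaces(daemon, c),
		WithCapabilities(c),
		WithSeccomp(daemon, c),
		withMounts(daemon, daemonCfg, c, mounts),
		WithApparmor(c),
		WithSelinux(c),
		WithOOMScore(&c.HostConfig.OomScoreAdj),
		coci.WithAnnotations(c.HostConfig.Annotations),
	}

	if c.NoNewPrivileges {
		opts = append(opts, coci.WithNoNewPrivileges)
	}
	if c.Config.Tty {
		opts = append(opts, WithConsoleSize(c))
	}
	// Masked and read-only paths are only overridden when the host config
	// sets them explicitly (a non-nil slice, which may be empty); otherwise
	// the spec keeps whatever the earlier options established.
	if c.HostConfig.MaskedPaths != nil {
		opts = append(opts, coci.WithMaskedPaths(c.HostConfig.MaskedPaths))
	}
	if c.HostConfig.ReadonlyPaths != nil {
		opts = append(opts, coci.WithReadonlyPaths(c.HostConfig.ReadonlyPaths))
	}
	// Rootless mode takes precedence; a rootful daemon that itself runs inside
	// a user namespace gets the rootful-in-rootless adjustments instead.
	if daemonCfg.Rootless {
		opts = append(opts, withRootless(daemon, &daemonCfg.Config))
	} else if userns.RunningInUserNS() {
		opts = append(opts, withRootfulInRootless(daemon, &daemonCfg.Config))
	}

	// The snapshotter fields of the containerd container record are only
	// populated when the daemon runs on the containerd snapshotter backend.
	var snapshotter, snapshotKey string
	if daemon.UsesSnapshotter() {
		snapshotter = daemon.imageService.StorageDriver()
		snapshotKey = c.ID
	}

	err := coci.ApplyOpts(ctx, daemon.containerdClient, &containers.Container{
		ID:          c.ID,
		Snapshotter: snapshotter,
		SnapshotKey: snapshotKey,
	}, &s, opts...)
	if err != nil {
		// Do not hand back a half-configured spec.
		return nil, err
	}
	return &s, nil
}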
| 1061 | |
| 1062 | func clearReadOnly(m *specs.Mount) { |
| 1063 | var opt []string |