()
| 23 | ) |
| 24 | |
| 25 | func Example_container() { |
| 26 | const defaultMountFlags = unix.MS_NOEXEC | unix.MS_NOSUID | unix.MS_NODEV |
| 27 | |
| 28 | // Default set of allowed devices. |
| 29 | var devices []*config.Rule |
| 30 | for _, device := range specconv.AllowedDevices { |
| 31 | devices = append(devices, &device.Rule) |
| 32 | } |
| 33 | // To create a container you first have to create a configuration |
| 34 | // struct describing how the container is to be created. |
| 35 | config := &configs.Config{ |
| 36 | Rootfs: "/your/path/to/rootfs", |
| 37 | Capabilities: &configs.Capabilities{ |
| 38 | Bounding: []string{ |
| 39 | "CAP_KILL", |
| 40 | "CAP_AUDIT_WRITE", |
| 41 | }, |
| 42 | Effective: []string{ |
| 43 | "CAP_KILL", |
| 44 | "CAP_AUDIT_WRITE", |
| 45 | }, |
| 46 | Permitted: []string{ |
| 47 | "CAP_KILL", |
| 48 | "CAP_AUDIT_WRITE", |
| 49 | }, |
| 50 | }, |
| 51 | Namespaces: configs.Namespaces([]configs.Namespace{ |
| 52 | {Type: configs.NEWNS}, |
| 53 | {Type: configs.NEWUTS}, |
| 54 | {Type: configs.NEWIPC}, |
| 55 | {Type: configs.NEWPID}, |
| 56 | {Type: configs.NEWUSER}, |
| 57 | {Type: configs.NEWNET}, |
| 58 | {Type: configs.NEWCGROUP}, |
| 59 | }), |
| 60 | Cgroups: &cgroups.Cgroup{ |
| 61 | Name: "test-container", |
| 62 | Parent: "system", |
| 63 | Resources: &cgroups.Resources{ |
| 64 | MemorySwappiness: nil, |
| 65 | Devices: devices, |
| 66 | }, |
| 67 | }, |
| 68 | MaskPaths: []string{ |
| 69 | "/proc/kcore", |
| 70 | "/sys/firmware", |
| 71 | }, |
| 72 | ReadonlyPaths: []string{ |
| 73 | "/proc/sys", "/proc/sysrq-trigger", "/proc/irq", "/proc/bus", |
| 74 | }, |
| 75 | Devices: specconv.AllowedDevices, |
| 76 | Hostname: "testing", |
| 77 | Mounts: []*configs.Mount{ |
| 78 | { |
| 79 | Source: "proc", |
| 80 | Destination: "/proc", |
| 81 | Device: "proc", |
| 82 | Flags: defaultMountFlags, |
nothing calls this directly
no test coverage detected
searching dependent graphs…