newTemplateConfig returns a base template for running a container. Its network strategy only sets up a loopback interface, and devices use the default setup. If p is nil, a default container is created.
(t testing.TB, p *tParam)
| 34 | // |
| 35 | // If p is nil, a default container is created. |
| 36 | func newTemplateConfig(t testing.TB, p *tParam) *configs.Config { |
| 37 | var allowedDevices []*devices.Rule |
| 38 | for _, device := range specconv.AllowedDevices { |
| 39 | allowedDevices = append(allowedDevices, &device.Rule) |
| 40 | } |
| 41 | if p == nil { |
| 42 | p = &tParam{} |
| 43 | } |
| 44 | config := &configs.Config{ |
| 45 | Rootfs: newRootfs(t), |
| 46 | Capabilities: &configs.Capabilities{ |
| 47 | Bounding: []string{ |
| 48 | "CAP_CHOWN", |
| 49 | "CAP_DAC_OVERRIDE", |
| 50 | "CAP_FSETID", |
| 51 | "CAP_FOWNER", |
| 52 | "CAP_MKNOD", |
| 53 | "CAP_NET_RAW", |
| 54 | "CAP_SETGID", |
| 55 | "CAP_SETUID", |
| 56 | "CAP_SETFCAP", |
| 57 | "CAP_SETPCAP", |
| 58 | "CAP_NET_BIND_SERVICE", |
| 59 | "CAP_SYS_CHROOT", |
| 60 | "CAP_KILL", |
| 61 | "CAP_AUDIT_WRITE", |
| 62 | }, |
| 63 | Permitted: []string{ |
| 64 | "CAP_CHOWN", |
| 65 | "CAP_DAC_OVERRIDE", |
| 66 | "CAP_FSETID", |
| 67 | "CAP_FOWNER", |
| 68 | "CAP_MKNOD", |
| 69 | "CAP_NET_RAW", |
| 70 | "CAP_SETGID", |
| 71 | "CAP_SETUID", |
| 72 | "CAP_SETFCAP", |
| 73 | "CAP_SETPCAP", |
| 74 | "CAP_NET_BIND_SERVICE", |
| 75 | "CAP_SYS_CHROOT", |
| 76 | "CAP_KILL", |
| 77 | "CAP_AUDIT_WRITE", |
| 78 | }, |
| 79 | Effective: []string{ |
| 80 | "CAP_CHOWN", |
| 81 | "CAP_DAC_OVERRIDE", |
| 82 | "CAP_FSETID", |
| 83 | "CAP_FOWNER", |
| 84 | "CAP_MKNOD", |
| 85 | "CAP_NET_RAW", |
| 86 | "CAP_SETGID", |
| 87 | "CAP_SETUID", |
| 88 | "CAP_SETFCAP", |
| 89 | "CAP_SETPCAP", |
| 90 | "CAP_NET_BIND_SERVICE", |
| 91 | "CAP_SYS_CHROOT", |
| 92 | "CAP_KILL", |
| 93 | "CAP_AUDIT_WRITE", |