From a2d49da1e7f744076db754fe8956e20e0030a486 Mon Sep 17 00:00:00 2001 From: Shikha Vyaghra Date: Wed, 12 Jul 2023 20:36:32 +0000 Subject: [PATCH 1/3] migrations: add migrations for 'settings.oci-defaults' This migration will handle the added capabilities and resource limits settings added for ecs variants. Signed-off-by: Shikha Vyaghra --- Release.toml | 2 ++ sources/Cargo.lock | 16 ++++++++++ sources/Cargo.toml | 2 ++ .../Cargo.toml | 15 +++++++++ .../build.rs | 6 ++++ .../src/main.rs | 29 +++++++++++++++++ .../oci-defaults-docker-setting/Cargo.toml | 15 +++++++++ .../oci-defaults-docker-setting/build.rs | 6 ++++ .../oci-defaults-docker-setting/src/main.rs | 31 +++++++++++++++++++ 9 files changed, 122 insertions(+) create mode 100644 sources/api/migration/migrations/v1.15.0/oci-defaults-docker-setting-metadata/Cargo.toml create mode 100644 sources/api/migration/migrations/v1.15.0/oci-defaults-docker-setting-metadata/build.rs create mode 100644 sources/api/migration/migrations/v1.15.0/oci-defaults-docker-setting-metadata/src/main.rs create mode 100644 sources/api/migration/migrations/v1.15.0/oci-defaults-docker-setting/Cargo.toml create mode 100644 sources/api/migration/migrations/v1.15.0/oci-defaults-docker-setting/build.rs create mode 100644 sources/api/migration/migrations/v1.15.0/oci-defaults-docker-setting/src/main.rs diff --git a/Release.toml b/Release.toml index e3ba81f891e..b8e842289d5 100644 --- a/Release.toml +++ b/Release.toml @@ -225,4 +225,6 @@ version = "1.15.0" "migrate_v1.15.0_oci-defaults-resource-setting.lz4", "migrate_v1.15.0_oci-defaults-max-open-files.lz4", "migrate_v1.15.0_seccomp-default-setting.lz4", + "migrate_v1.15.0_oci-defaults-docker-setting.lz4", + "migrate_v1.15.0_oci-defaults-docker-setting-metadata.lz4", ] diff --git a/sources/Cargo.lock b/sources/Cargo.lock index f9b652cff84..c3fe733bd15 100644 --- a/sources/Cargo.lock +++ b/sources/Cargo.lock 
@@ -2764,6 +2764,22 @@ dependencies = [ "memchr", ] +[[package]] +name = "oci-defaults-docker-setting" +version = "0.1.0" +dependencies = [ + "bottlerocket-variant", + "migration-helpers", +] + +[[package]] +name = "oci-defaults-docker-setting-metadata" +version = "0.1.0" +dependencies = [ + "bottlerocket-variant", + "migration-helpers", +] + [[package]] name = "oci-defaults-max-open-files" version = "0.1.0" diff --git a/sources/Cargo.toml b/sources/Cargo.toml index 2aa807dd112..9b34dabd62a 100644 --- a/sources/Cargo.toml +++ b/sources/Cargo.toml @@ -60,6 +60,8 @@ members = [ "api/migration/migrations/v1.15.0/oci-defaults-resource-setting", "api/migration/migrations/v1.15.0/oci-defaults-max-open-files", "api/migration/migrations/v1.15.0/seccomp-default-setting", + "api/migration/migrations/v1.15.0/oci-defaults-docker-setting", + "api/migration/migrations/v1.15.0/oci-defaults-docker-setting-metadata", "bloodhound", diff --git a/sources/api/migration/migrations/v1.15.0/oci-defaults-docker-setting-metadata/Cargo.toml b/sources/api/migration/migrations/v1.15.0/oci-defaults-docker-setting-metadata/Cargo.toml new file mode 100644 index 00000000000..bcbe9ef11b7 --- /dev/null +++ b/sources/api/migration/migrations/v1.15.0/oci-defaults-docker-setting-metadata/Cargo.toml @@ -0,0 +1,15 @@ +[package] +name = "oci-defaults-docker-setting-metadata" +version = "0.1.0" +edition = "2021" +authors = ["Shikha Vyaghra "] +license = "Apache-2.0 OR MIT" +publish = false +# Don't rebuild crate just because of changes to README. +exclude = ["README.md"] + +[dependencies] +migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"} + +[build-dependencies] +bottlerocket-variant = { version = "0.1", path = "../../../../../bottlerocket-variant" } 
diff --git a/sources/api/migration/migrations/v1.15.0/oci-defaults-docker-setting-metadata/build.rs b/sources/api/migration/migrations/v1.15.0/oci-defaults-docker-setting-metadata/build.rs
new file mode 100644
index 00000000000..51d16cf1b4c
--- /dev/null
+++ b/sources/api/migration/migrations/v1.15.0/oci-defaults-docker-setting-metadata/build.rs
@@ -0,0 +1,6 @@
+use bottlerocket_variant::Variant;
+
+fn main() {
+    let variant = Variant::from_env().unwrap();
+    variant.emit_cfgs();
+}
diff --git a/sources/api/migration/migrations/v1.15.0/oci-defaults-docker-setting-metadata/src/main.rs b/sources/api/migration/migrations/v1.15.0/oci-defaults-docker-setting-metadata/src/main.rs
new file mode 100644
index 00000000000..4531430df0d
--- /dev/null
+++ b/sources/api/migration/migrations/v1.15.0/oci-defaults-docker-setting-metadata/src/main.rs
@@ -0,0 +1,29 @@
+use migration_helpers::common_migrations::{AddMetadataMigration, NoOpMigration, SettingMetadata};
+use migration_helpers::{migrate, Result};
+use std::process;
+
+/// We updated the 'affected-services' list metadata for 'settings.oci-defaults'
+/// to include itself and containerd on upgrade, and to remove those values on
+/// downgrade, depending on the running variant.
+fn run() -> Result<()> {
+    if cfg!(variant_runtime = "ecs") {
+        migrate(AddMetadataMigration(&[SettingMetadata {
+            metadata: &["affected-services"],
+            setting: "settings.oci-defaults",
+        }]))?
+    } else {
+        migrate(NoOpMigration)?;
+    }
+
+    Ok(())
+}
+
+// Returning a Result from main makes it print a Debug representation of the error, but with Snafu
+// we have nice Display representations of the error, so we wrap "main" (run) and print any error.
+// https://github.com/shepmaster/snafu/issues/110
+fn main() {
+    if let Err(e) = run() {
+        eprintln!("{}", e);
+        process::exit(1);
+    }
+}
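Review bot: The doc comment on `run()` in oci-defaults-docker-setting-metadata/src/main.rs says the 'affected-services' metadata is updated "to include itself and containerd", but the only affected-services value this series adds for `settings.oci-defaults` on ECS is `["docker"]` (shared-defaults/oci-defaults-docker.toml in the third patch), so the comment reads as copied from the containerd migration. Suggested replacement: `/// On ECS variants we add 'affected-services' metadata for 'settings.oci-defaults' so` / `/// that docker is treated as affected by changes to it; the metadata is removed again on` / `/// downgrade. Other variants are a no-op.` As a point of style, the `if` arm ends in `migrate(...)?` with no semicolon while the `else` arm has one; the oci-defaults-docker-setting/src/main.rs hunk below has the same asymmetry, and `migrate(...)?;` in both arms reads uniformly.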
diff --git a/sources/api/migration/migrations/v1.15.0/oci-defaults-docker-setting/Cargo.toml b/sources/api/migration/migrations/v1.15.0/oci-defaults-docker-setting/Cargo.toml new file mode 100644 index 00000000000..22456d41377 --- /dev/null +++ b/sources/api/migration/migrations/v1.15.0/oci-defaults-docker-setting/Cargo.toml @@ -0,0 +1,15 @@ +[package] +name = "oci-defaults-docker-setting" +version = "0.1.0" +edition = "2021" +authors = ["Shikha Vyaghra "] +license = "Apache-2.0 OR MIT" +publish = false +# Don't rebuild crate just because of changes to README. +exclude = ["README.md"] + +[dependencies] +migration-helpers = { path = "../../../migration-helpers", version = "0.1.0"} + +[build-dependencies] +bottlerocket-variant = { version = "0.1", path = "../../../../../bottlerocket-variant" } diff --git a/sources/api/migration/migrations/v1.15.0/oci-defaults-docker-setting/build.rs b/sources/api/migration/migrations/v1.15.0/oci-defaults-docker-setting/build.rs new file mode 100644 index 00000000000..51d16cf1b4c --- /dev/null +++ b/sources/api/migration/migrations/v1.15.0/oci-defaults-docker-setting/build.rs @@ -0,0 +1,6 @@ +use bottlerocket_variant::Variant; + +fn main() { + let variant = Variant::from_env().unwrap(); + variant.emit_cfgs(); +} diff --git a/sources/api/migration/migrations/v1.15.0/oci-defaults-docker-setting/src/main.rs b/sources/api/migration/migrations/v1.15.0/oci-defaults-docker-setting/src/main.rs new file mode 100644 index 00000000000..6cb6d624a98 --- /dev/null +++ b/sources/api/migration/migrations/v1.15.0/oci-defaults-docker-setting/src/main.rs 
@@ -0,0 +1,31 @@ +use migration_helpers::common_migrations::{AddPrefixesMigration, NoOpMigration}; +use migration_helpers::{migrate, Result}; +use std::process; + +/// We added new settings for configuring the default OCI runtime spec for ECS, +/// `settings.oci-defaults`, which will initially contain +/// `settings.oci-defaults.capabilities` and +/// `settings.oci-defaults.resource-limits` +fn run() -> Result<()> { + if cfg!(variant_runtime = "ecs") { + migrate(AddPrefixesMigration(vec![ + "settings.oci-defaults", + "services.oci-defaults", + "configuration-files.oci-defaults", + ]))? + } else { + migrate(NoOpMigration)?; + } + + Ok(()) +} + +// Returning a Result from main makes it print a Debug representation of the error, but with Snafu +// we have nice Display representations of the error, so we wrap "main" (run) and print any error. +// https://github.com/shepmaster/snafu/issues/110 +fn main() { + if let Err(e) = run() { + eprintln!("{}", e); + process::exit(1); + } +} From e7e2a925ea8d19707d64c53357203eaa2f027ceb Mon Sep 17 00:00:00 2001 From: Shikha Vyaghra Date: Wed, 12 Jul 2023 20:29:32 +0000 Subject: [PATCH 2/3] packages: add patch to read default capabilities This patch is to override the capabilities in default runtime spec(that is embedded in moby package code) by reading a default-capabilities parameter passed using etc/docker/daemon.json file. We can update the default capabilities string array using api client, that in turn will take precedence over the default capabilities in OCI Spec. Signed-off-by: Shikha Vyaghra --- ...ult-capabilities-using-daemon-config.patch | 102 ++++++++++++++++++ 1 file changed, 102 insertions(+) create mode 100644 packages/docker-engine/0001-Change-default-capabilities-using-daemon-config.patch diff --git a/packages/docker-engine/0001-Change-default-capabilities-using-daemon-config.patch b/packages/docker-engine/0001-Change-default-capabilities-using-daemon-config.patch new file mode 100644 index 00000000000..c7cf8a405b8 
--- /dev/null +++ b/packages/docker-engine/0001-Change-default-capabilities-using-daemon-config.patch 
@@ -0,0 +1,102 @@ +From ccb69c8fbcbe272d663ad1c97de91a993a609c96 Mon Sep 17 00:00:00 2001 +From: Shikha Vyaghra +Date: Thu, 6 Jul 2023 17:26:45 +0000 +Subject: [PATCH] Change default capabilities using daemon config + +Default capabilities in spec can be changed by reading from daemon +configuration file using a parameter "default-capabilities". If +the capabilities will not be provided, then default capabilities +in Moby code will be used. + +Signed-off-by: Shikha Vyaghra +--- + cmd/dockerd/config_unix.go | 1 + + daemon/config/config.go | 13 +++++++------ + daemon/config/config_unix.go | 1 + + daemon/oci_linux.go | 13 ++++++++++--- + 4 files changed, 19 insertions(+), 9 deletions(-) + +diff --git a/cmd/dockerd/config_unix.go b/cmd/dockerd/config_unix.go +index f463686..862feff 100644 +--- a/cmd/dockerd/config_unix.go ++++ b/cmd/dockerd/config_unix.go +@@ -41,6 +41,7 @@ func installConfigFlags(conf *config.Config, flags *pflag.FlagSet) error { + flags.BoolVar(&conf.BridgeConfig.EnableIPv6, "ipv6", false, "Enable IPv6 networking") + flags.StringVar(&conf.BridgeConfig.FixedCIDRv6, "fixed-cidr-v6", "", "IPv6 subnet for fixed IPs") + flags.BoolVar(&conf.BridgeConfig.EnableUserlandProxy, "userland-proxy", true, "Use userland proxy for loopback traffic") ++ flags.Var(opts.NewNamedListOptsRef("default-capabilities", &conf.Capabilities, nil), "default-capabilities", "Default capabilities for containers") + defaultUserlandProxyPath := "" + if rootless.RunningWithRootlessKit() { + var err error +diff --git a/daemon/config/config.go b/daemon/config/config.go +index 4990727..d4909be 100644 +--- a/daemon/config/config.go ++++ b/daemon/config/config.go +@@ -67,12 +67,13 @@ var builtinRuntimes = map[string]bool{ + // Use this to differentiate these options + // with others like the ones in CommonTLSOptions. 
+ var flatOptions = map[string]bool{ +- "cluster-store-opts": true, +- "log-opts": true, +- "runtimes": true, +- "default-ulimits": true, +- "features": true, +- "builder": true, ++ "cluster-store-opts": true, ++ "log-opts": true, ++ "runtimes": true, ++ "default-ulimits": true, ++ "features": true, ++ "builder": true, ++ "default-capabilities": true, + } + + // skipValidateOptions contains configuration keys +diff --git a/daemon/config/config_unix.go b/daemon/config/config_unix.go +index 96805d3..cd187a2 100644 +--- a/daemon/config/config_unix.go ++++ b/daemon/config/config_unix.go +@@ -39,6 +39,7 @@ type Config struct { + NoNewPrivileges bool `json:"no-new-privileges,omitempty"` + IpcMode string `json:"default-ipc-mode,omitempty"` + CgroupNamespaceMode string `json:"default-cgroupns-mode,omitempty"` ++ Capabilities []string `json:"default-capabilities,omitempty"` + // ResolvConf is the path to the configuration of the host resolver + ResolvConf string `json:"resolv-conf,omitempty"` + Rootless bool `json:"rootless,omitempty"` +diff --git a/daemon/oci_linux.go b/daemon/oci_linux.go +index a5a5acf..d3d4acc 100644 +--- a/daemon/oci_linux.go ++++ b/daemon/oci_linux.go +@@ -156,10 +156,17 @@ func WithApparmor(c *container.Container) coci.SpecOpts { + } + + // WithCapabilities sets the container's capabilties +-func WithCapabilities(c *container.Container) coci.SpecOpts { ++func WithCapabilities(daemon *Daemon, c *container.Container) coci.SpecOpts { + return func(ctx context.Context, _ coci.Client, _ *containers.Container, s *coci.Spec) error { ++ var defCaps []string ++ if len(daemon.configStore.Capabilities) != 0 { ++ defCaps = daemon.configStore.Capabilities ++ } else { ++ defCaps = caps.DefaultCapabilities() ++ } ++ + capabilities, err := caps.TweakCapabilities( +- caps.DefaultCapabilities(), ++ defCaps, + c.HostConfig.CapAdd, + c.HostConfig.CapDrop, + c.HostConfig.Privileged, +@@ -1023,7 +1030,7 @@ func (daemon *Daemon) createSpec(c *container.Container) (retSpec 
*specs.Spec, e + WithUser(c), + WithRlimits(daemon, c), + WithNamespaces(daemon, c), +- WithCapabilities(c), ++ WithCapabilities(daemon, c), + WithSeccomp(daemon, c), + WithMounts(daemon, c), + WithLibnetwork(daemon, c), +-- +2.40.1 + From bd2619eaae0240ea0029495787c0e356997a07ae Mon Sep 17 00:00:00 2001 
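Review bot: In WithCapabilities the new `len(daemon.configStore.Capabilities) != 0` test makes an explicitly empty `default-capabilities` list behave like an unset one, so a daemon.json that lists no capabilities falls back to `caps.DefaultCapabilities()` instead of starting containers with none. The daemon-json templates in this series render the list whenever `settings.oci-defaults.capabilities` exists, so `[]` is a reachable value when every capability is set to false, and the operator's narrower intent is silently widened to the Moby default set. Checking `daemon.configStore.Capabilities != nil` distinguishes a JSON `[]` from an absent key (a nil slice) so the fallback applies only when nothing was configured; the flag help text should also state what an empty list means. It is not visible here whether `caps.TweakCapabilities` validates the names passed as its base set, so an unknown name from the config may only surface at container start — worth confirming. createSpec continues outside the hunk.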
From: Shikha Vyaghra Date: Wed, 12 Jul 2023 20:32:49 +0000 Subject: [PATCH 3/3] api: enable setting rlimits and capabilities for ecs The fields default-capabilities and default-ulimits in etc/daemon.json holds the OCI default capabilities and resource limits that has been set using api-client respectively. These settings can be updated/added using api-client. --- packages/containerd/containerd-cri-base-json | 4 +- ...lt-capabilities-using-daemon-config.patch} | 0 packages/docker-engine/daemon-json | 9 +- packages/docker-engine/daemon-nvidia-json | 9 +- packages/docker-engine/docker-engine.spec | 1 + sources/api/schnauzer/src/helpers.rs | 255 ++++++++++++++---- ...es.toml => oci-defaults-capabilities.toml} | 3 +- .../oci-defaults-docker-resource-limits.toml | 3 + .../shared-defaults/oci-defaults-docker.toml | 2 + .../defaults.d/75-oci-defaults-docker.toml | 1 + .../76-oci-defaults-capabilities.toml | 1 + ...7-oci-defaults-docker-resource-limits.toml | 1 + sources/models/src/aws-ecs-1-nvidia/mod.rs | 3 +- .../defaults.d/75-oci-defaults-docker.toml | 1 + .../76-oci-defaults-capabilities.toml | 1 + ...7-oci-defaults-docker-resource-limits.toml | 1 + sources/models/src/aws-ecs-1/mod.rs | 3 +- .../defaults.d/75-oci-defaults-docker.toml | 1 + .../76-oci-defaults-capabilities.toml | 1 + ...7-oci-defaults-docker-resource-limits.toml | 1 + sources/models/src/aws-ecs-2-nvidia/mod.rs | 3 +- .../defaults.d/75-oci-defaults-docker.toml | 1 + .../76-oci-defaults-capabilities.toml | 1 + ...7-oci-defaults-docker-resource-limits.toml | 1 + sources/models/src/aws-ecs-2/mod.rs | 3 +- .../76-oci-defaults-capabilities.toml | 1 + ...-defaults-containerd-cri-capabilities.toml | 1 - .../76-oci-defaults-capabilities.toml | 1 + ...-defaults-containerd-cri-capabilities.toml | 1 - .../76-oci-defaults-capabilities.toml | 1 + ...-defaults-containerd-cri-capabilities.toml | 1 - .../76-oci-defaults-capabilities.toml | 1 + ...-defaults-containerd-cri-capabilities.toml | 1 - 
.../76-oci-defaults-capabilities.toml | 1 + ...-defaults-containerd-cri-capabilities.toml | 1 - .../76-oci-defaults-capabilities.toml | 1 + ...-defaults-containerd-cri-capabilities.toml | 1 - .../76-oci-defaults-capabilities.toml | 1 + ...-defaults-containerd-cri-capabilities.toml | 1 - .../76-oci-defaults-capabilities.toml | 1 + ...-defaults-containerd-cri-capabilities.toml | 1 - sources/models/src/lib.rs | 17 -- .../86-oci-defaults-capabilities.toml | 1 + ...-defaults-containerd-cri-capabilities.toml | 1 - .../86-oci-defaults-capabilities.toml | 1 + ...-defaults-containerd-cri-capabilities.toml | 1 - .../76-oci-defaults-capabilities.toml | 1 + ...-defaults-containerd-cri-capabilities.toml | 1 - .../76-oci-defaults-capabilities.toml | 1 + ...-defaults-containerd-cri-capabilities.toml | 1 - 50 files changed, 264 insertions(+), 87 deletions(-) rename packages/docker-engine/{0001-Change-default-capabilities-using-daemon-config.patch => 0002-Change-default-capabilities-using-daemon-config.patch} (100%) rename sources/models/shared-defaults/{oci-defaults-containerd-cri-capabilities.toml => oci-defaults-capabilities.toml} (73%) create mode 100644 sources/models/shared-defaults/oci-defaults-docker-resource-limits.toml create mode 100644 sources/models/shared-defaults/oci-defaults-docker.toml create mode 120000 sources/models/src/aws-ecs-1-nvidia/defaults.d/75-oci-defaults-docker.toml create mode 120000 sources/models/src/aws-ecs-1-nvidia/defaults.d/76-oci-defaults-capabilities.toml create mode 120000 sources/models/src/aws-ecs-1-nvidia/defaults.d/77-oci-defaults-docker-resource-limits.toml create mode 120000 sources/models/src/aws-ecs-1/defaults.d/75-oci-defaults-docker.toml create mode 120000 sources/models/src/aws-ecs-1/defaults.d/76-oci-defaults-capabilities.toml create mode 120000 sources/models/src/aws-ecs-1/defaults.d/77-oci-defaults-docker-resource-limits.toml create mode 120000 sources/models/src/aws-ecs-2-nvidia/defaults.d/75-oci-defaults-docker.toml create mode 
120000 sources/models/src/aws-ecs-2-nvidia/defaults.d/76-oci-defaults-capabilities.toml create mode 120000 sources/models/src/aws-ecs-2-nvidia/defaults.d/77-oci-defaults-docker-resource-limits.toml create mode 120000 sources/models/src/aws-ecs-2/defaults.d/75-oci-defaults-docker.toml create mode 120000 sources/models/src/aws-ecs-2/defaults.d/76-oci-defaults-capabilities.toml create mode 120000 sources/models/src/aws-ecs-2/defaults.d/77-oci-defaults-docker-resource-limits.toml create mode 120000 sources/models/src/aws-k8s-1.24-nvidia/defaults.d/76-oci-defaults-capabilities.toml delete mode 120000 sources/models/src/aws-k8s-1.24-nvidia/defaults.d/76-oci-defaults-containerd-cri-capabilities.toml create mode 120000 sources/models/src/aws-k8s-1.24/defaults.d/76-oci-defaults-capabilities.toml delete mode 120000 sources/models/src/aws-k8s-1.24/defaults.d/76-oci-defaults-containerd-cri-capabilities.toml create mode 120000 sources/models/src/aws-k8s-1.25-nvidia/defaults.d/76-oci-defaults-capabilities.toml delete mode 120000 sources/models/src/aws-k8s-1.25-nvidia/defaults.d/76-oci-defaults-containerd-cri-capabilities.toml create mode 120000 sources/models/src/aws-k8s-1.25/defaults.d/76-oci-defaults-capabilities.toml delete mode 120000 sources/models/src/aws-k8s-1.25/defaults.d/76-oci-defaults-containerd-cri-capabilities.toml create mode 120000 sources/models/src/aws-k8s-1.26-nvidia/defaults.d/76-oci-defaults-capabilities.toml delete mode 120000 sources/models/src/aws-k8s-1.26-nvidia/defaults.d/76-oci-defaults-containerd-cri-capabilities.toml create mode 120000 sources/models/src/aws-k8s-1.26/defaults.d/76-oci-defaults-capabilities.toml delete mode 120000 sources/models/src/aws-k8s-1.26/defaults.d/76-oci-defaults-containerd-cri-capabilities.toml create mode 120000 sources/models/src/aws-k8s-1.27-nvidia/defaults.d/76-oci-defaults-capabilities.toml delete mode 120000 sources/models/src/aws-k8s-1.27-nvidia/defaults.d/76-oci-defaults-containerd-cri-capabilities.toml create mode 
120000 sources/models/src/aws-k8s-1.27/defaults.d/76-oci-defaults-capabilities.toml delete mode 120000 sources/models/src/aws-k8s-1.27/defaults.d/76-oci-defaults-containerd-cri-capabilities.toml create mode 120000 sources/models/src/metal-k8s-1.24/defaults.d/86-oci-defaults-capabilities.toml delete mode 120000 sources/models/src/metal-k8s-1.24/defaults.d/86-oci-defaults-containerd-cri-capabilities.toml create mode 120000 sources/models/src/metal-k8s-1.27/defaults.d/86-oci-defaults-capabilities.toml delete mode 120000 sources/models/src/metal-k8s-1.27/defaults.d/86-oci-defaults-containerd-cri-capabilities.toml create mode 120000 sources/models/src/vmware-k8s-1.24/defaults.d/76-oci-defaults-capabilities.toml delete mode 120000 sources/models/src/vmware-k8s-1.24/defaults.d/76-oci-defaults-containerd-cri-capabilities.toml create mode 120000 sources/models/src/vmware-k8s-1.27/defaults.d/76-oci-defaults-capabilities.toml delete mode 120000 sources/models/src/vmware-k8s-1.27/defaults.d/76-oci-defaults-containerd-cri-capabilities.toml diff --git a/packages/containerd/containerd-cri-base-json b/packages/containerd/containerd-cri-base-json index f34d21c1084..5cfdc65aa52 100644 --- a/packages/containerd/containerd-cri-base-json +++ b/packages/containerd/containerd-cri-base-json @@ -8,12 +8,12 @@ "cwd": "/", {{~#if settings.oci-defaults.capabilities~}} "capabilities": { - {{~oci_defaults settings.oci-defaults.capabilities~}} + {{~oci_defaults "containerd" settings.oci-defaults.capabilities~}} }, {{~/if~}} {{~#if settings.oci-defaults.resource-limits~}} "rlimits": [ - {{~oci_defaults settings.oci-defaults.resource-limits~}} + {{~oci_defaults "containerd" settings.oci-defaults.resource-limits~}} ], {{~/if~}} "noNewPrivileges": true 
diff --git a/packages/docker-engine/0001-Change-default-capabilities-using-daemon-config.patch b/packages/docker-engine/0002-Change-default-capabilities-using-daemon-config.patch similarity index 100% rename from packages/docker-engine/0001-Change-default-capabilities-using-daemon-config.patch rename to packages/docker-engine/0002-Change-default-capabilities-using-daemon-config.patch diff --git a/packages/docker-engine/daemon-json b/packages/docker-engine/daemon-json index 6ab96c043b0..979bb005655 100644 --- a/packages/docker-engine/daemon-json +++ b/packages/docker-engine/daemon-json @@ -7,7 +7,14 @@ "default-runtime": "shimpei", "runtimes": { "shimpei": { "path": "shimpei" } }, "selinux-enabled": true, - "default-ulimits": { "nofile": { "Name": "nofile", "Soft": 1024, "Hard": 4096 } } + {{~#if settings.oci-defaults.capabilities~}} + "default-capabilities": {{~oci_defaults "docker" settings.oci-defaults.capabilities~}} + {{~/if~}} + {{~#if settings.oci-defaults.resource-limits~}} + "default-ulimits": { + {{~oci_defaults "docker" settings.oci-defaults.resource-limits~}} + } + {{~/if~}} {{#if settings.container-registry.mirrors}} {{#each settings.container-registry.mirrors}} {{#if (eq registry "docker.io" )}}, diff --git a/packages/docker-engine/daemon-nvidia-json b/packages/docker-engine/daemon-nvidia-json index dd98b772f60..5b53a34d0d3 100644 --- a/packages/docker-engine/daemon-nvidia-json +++ b/packages/docker-engine/daemon-nvidia-json 
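Review bot: The comma separating `default-capabilities` from `default-ulimits` is emitted by the helper (`Docker::get_capabilities` in helpers.rs ends its output with `],\n`) rather than by the template, so the rendered daemon.json is only valid when the resource-limits block follows it. If `settings.oci-defaults.resource-limits` is absent while capabilities are present, the output has a dangling comma before the `container-registry.mirrors` block or the closing brace; if both are absent, `"selinux-enabled": true,` dangles too, which the removed unconditional `default-ulimits` line never allowed, and dockerd then refuses to start. Whether these settings can actually be absent on the ECS variants is not visible from this diff, but the template guards them with `#if`, so the layout should be valid for every combination. The leading-comma convention the mirrors block already uses handles this once the helper emits only `[...]`; daemon-nvidia-json has the same structure.
```handlebars
    "selinux-enabled": true
    {{~#if settings.oci-defaults.capabilities~}}
    ,"default-capabilities": {{~oci_defaults "docker" settings.oci-defaults.capabilities~}}
    {{~/if~}}
    {{~#if settings.oci-defaults.resource-limits~}}
    ,"default-ulimits": {
    {{~oci_defaults "docker" settings.oci-defaults.resource-limits~}}
    }
    {{~/if~}}
    {{!-- … unchanged: container-registry.mirrors block … --}}
```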
@@ -7,7 +7,14 @@ "default-runtime": "shimpei", "runtimes": { "shimpei": { "path": "shimpei" }, "nvidia": { "path": "nvidia-oci" } }, "selinux-enabled": true, - "default-ulimits": { "nofile": { "Name": "nofile", "Soft": 1024, "Hard": 4096 } } + {{~#if settings.oci-defaults.capabilities~}} + "default-capabilities": {{~oci_defaults "docker" settings.oci-defaults.capabilities~}} + {{~/if~}} + {{~#if settings.oci-defaults.resource-limits~}} + "default-ulimits": { + {{~oci_defaults "docker" settings.oci-defaults.resource-limits~}} + } + {{~/if~}} {{#if settings.container-registry.mirrors}} {{#each settings.container-registry.mirrors}} {{#if (eq registry "docker.io" )}}, diff --git a/packages/docker-engine/docker-engine.spec b/packages/docker-engine/docker-engine.spec index 4d5f08b2d50..8d4497fac47 100644 --- a/packages/docker-engine/docker-engine.spec +++ b/packages/docker-engine/docker-engine.spec @@ -31,6 +31,7 @@ Source1000: clarify.toml # Backport to fix host header issue when compiling with Go 1.20.6 or later Patch0001: 0001-non-tcp-host-header.patch +Patch0002: 0002-Change-default-capabilities-using-daemon-config.patch BuildRequires: git BuildRequires: %{_cross_os}glibc-devel diff --git a/sources/api/schnauzer/src/helpers.rs b/sources/api/schnauzer/src/helpers.rs index 441fd48bd71..04405075a7e 100644 --- a/sources/api/schnauzer/src/helpers.rs +++ b/sources/api/schnauzer/src/helpers.rs @@ -307,6 +307,12 @@ mod error { number: usize, source: std::num::TryFromIntError, }, + + #[snafu(display("Invalid output type '{}', expected 'docker' or 'containerd'", runtime))] + InvalidOutputType { + source: serde_plain::Error, + runtime: String, + }, } // Handlebars helpers are required to return a RenderError. 
@@ -1371,6 +1377,111 @@ enum OciSpecSection {
 
 derive_fromstr_from_deserialize!(OciSpecSection);
 
+#[derive(Deserialize, Debug, Clone, Copy)]
+#[serde(rename_all = "kebab-case")]
+enum Runtime {
+    Docker,
+    Containerd,
+}
+
+derive_fromstr_from_deserialize!(Runtime);
+
+impl Runtime {
+    fn get_capabilities(&self, caps: String) -> String {
+        match self {
+            Self::Docker => Docker::get_capabilities(caps),
+            Self::Containerd => Containerd::get_capabilities(caps),
+        }
+    }
+
+    fn get_resource_limits(
+        &self,
+        rlimit_type: &OciDefaultsResourceLimitType,
+        values: &OciDefaultsResourceLimit,
+    ) -> String {
+        match self {
+            Self::Docker => Docker::get_resource_limits(rlimit_type, values),
+            Self::Containerd => Containerd::get_resource_limits(rlimit_type, values),
+        }
+    }
+}
+
+struct Docker;
+struct Containerd;
+
+impl Docker {
+    /// Formats capabilities for Docker
+    fn get_capabilities(caps: String) -> String {
+        format!(
+            concat!(r#"["#, "{capabilities}", "],\n",),
+            capabilities = caps,
+        )
+    }
+
+    /// Formats resource limits for Docker
+    fn get_resource_limits(
+        rlimit_type: &OciDefaultsResourceLimitType,
+        values: &OciDefaultsResourceLimit,
+    ) -> String {
+        format!(
+            r#" "{}":{{ "Name": "{}", "Hard": {}, "Soft": {} }}"#,
+            rlimit_type
+                .to_linux_string()
+                .replace("RLIMIT_", "")
+                .to_lowercase(),
+            rlimit_type
+                .to_linux_string()
+                .replace("RLIMIT_", "")
+                .to_lowercase(),
+            values.hard_limit,
+            values.soft_limit,
+        )
+    }
+}
+
+impl Containerd {
+    /// Formats capabilities for Containerd
+    fn get_capabilities(caps: String) -> String {
+        format!(
+            concat!(
+                r#""bounding": ["#,
+                "{capabilities_bounding}",
+                "],\n",
+                r#""effective": ["#,
+                "{capabilities_effective}",
+                "],\n",
+                r#""permitted": ["#,
+                "{capabilities_permitted}",
+                "]\n",
+            ),
+            capabilities_bounding = caps,
+            capabilities_effective = caps,
+            capabilities_permitted = caps,
+        )
+    }
+
+    /// Formats resource limits for Containerd
+    fn get_resource_limits(
+        rlimit_type: &OciDefaultsResourceLimitType,
+        values: &OciDefaultsResourceLimit,
+    ) -> String {
+        format!(
+            r#"{{ "type": "{}", "hard": {}, "soft": {} }}"#,
+            rlimit_type.to_linux_string(),
+            Self::get_limit(values.hard_limit),
+            Self::get_limit(values.soft_limit),
+        )
+    }
+
+    /// Converts I64 values to u64 for Containerd
+    fn get_limit(limit: i64) -> u64 {
+        match limit {
+            -1 => u64::MAX,
+            _ => limit as u64,
+        }
+    }
+}
+
 /// This helper writes out the default OCI runtime spec.
 ///
 /// The calling pattern is `{{ oci_defaults settings.oci-defaults.resource-limits }}`,
@@ -1398,14 +1509,28 @@ pub fn oci_defaults(
     // Check number of parameters, must be exactly two (OCI spec section to render and settings values for the section)
     debug!("Number of params: {}", helper.params().len());
-    check_param_count(helper, template_name, 1)?;
+    check_param_count(helper, template_name, 2)?;
     debug!("params: {:?}", helper.params());
 
+    debug!("Getting the requested output type to render");
+    let runtime_val = get_param(helper, 0)?;
+    let runtime_str = runtime_val
+        .as_str()
+        .with_context(|| error::InvalidTemplateValueSnafu {
+            expected: "string",
+            value: runtime_val.to_owned(),
+            template: template_name.to_owned(),
+        })?;
+
+    let runtime = Runtime::from_str(runtime_str).context(error::InvalidOutputTypeSnafu {
+        runtime: runtime_str.to_owned(),
+    })?;
+
     debug!("Getting the requested OCI spec section to render");
-    let oci_defaults_values = get_param(helper, 0)?;
+    let oci_defaults_values = get_param(helper, 1)?;
     // We want the settings path so we know which OCI spec section we are rendering.
     // e.g. settings.oci-defaults.resource-limits
-    let settings_path = get_param_key_name(helper, 0)?;
+    let settings_path = get_param_key_name(helper, 1)?;
     // Extract the last part of the settings path, which is the OCI spec section we want to render.
     let oci_spec_section = settings_path
         .split('.')
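Review bot: `Containerd::get_limit` maps only `-1` to `u64::MAX`; any other negative value reaches `limit as u64` and wraps silently, so a mistyped `-2` renders as 18446744073709551614 — effectively unlimited — instead of being rejected. `u64::try_from(limit).unwrap_or(u64::MAX)` keeps the documented `-1` behaviour without the wrap, or better, reject values below -1 where `OciDefaultsResourceLimit` is deserialized (outside this hunk) so the Docker path, which writes the `i64` straight into daemon.json, gets the same guarantee. The doc comment should state the sentinel: `/// Converts an i64 limit to the u64 containerd expects; -1 means unlimited (u64::MAX).` As a point of style, `Docker::get_resource_limits` computes `to_linux_string().replace("RLIMIT_", "").to_lowercase()` twice; binding the lowercased name once (`let name = …;`, using `strip_prefix("RLIMIT_")`) and passing it for both placeholders avoids the duplication.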
@@ -1416,10 +1541,22 @@ pub fn oci_defaults( let section = OciSpecSection::from_str(oci_spec_section).context(error::InvalidOciSpecSectionSnafu)?; let result_lines = match section { - OciSpecSection::Capabilities => oci_spec_capabilities(oci_defaults_values)?, - OciSpecSection::ResourceLimits => oci_spec_resource_limits(oci_defaults_values)?, + OciSpecSection::Capabilities => { + let capabilities = oci_spec_capabilities(oci_defaults_values)?; + runtime.get_capabilities(capabilities) + } + OciSpecSection::ResourceLimits => { + let rlimits = oci_spec_resource_limits(oci_defaults_values)?; + rlimits + .iter() + .map(|(rlimit_type, values)| runtime.get_resource_limits(rlimit_type, values)) + .collect::>() + .join(",\n") + } }; + debug!("{}_section: \n{}", oci_spec_section, result_lines); + // Write out the final values to the configuration file out.write(result_lines.as_str()) .context(error::TemplateWriteSnafu { @@ -1454,26 +1591,7 @@ fn oci_spec_capabilities(value: &Value) -> Result { capabilities_lines.sort(); let capabilities_lines_joined = capabilities_lines.join(",\n"); - let capabilities_section = format!( - concat!( - r#""bounding": ["#, - "{capabilities_bounding}", - "],\n", - r#""effective": ["#, - "{capabilities_effective}", - "],\n", - r#""permitted": ["#, - "{capabilities_permitted}", - "]\n", - ), - capabilities_bounding = capabilities_lines_joined, - capabilities_effective = capabilities_lines_joined, - capabilities_permitted = capabilities_lines_joined, - ); - - debug!("capabilities_section: \n{}", capabilities_section); - - Ok(capabilities_section) + Ok(capabilities_lines_joined) } /// This helper writes out the resource limits section of the default 
@@ -1486,25 +1604,10 @@ fn oci_spec_capabilities(value: &Value) -> Result { /// This helper function generates the resource limits section of /// the OCI runtime spec from the provided `value` parameter, which is /// the settings data from the datastore (`settings.oci-defaults.resource-limits`). -fn oci_spec_resource_limits(value: &Value) -> Result { - let oci_default_rlimits: HashMap = - serde_json::from_value(value.clone())?; - - let result_lines = oci_default_rlimits - .iter() - .map(|(rlimit_type, values)| { - format!( - r#"{{ "type": "{}", "hard": {}, "soft": {} }}"#, - rlimit_type.to_linux_string(), - values.get_hard_limit(), - values.get_soft_limit(), - ) - }) - .collect::>() - .join(",\n"); - - debug!("resource_limits result_lines: \n{}", result_lines); - Ok(result_lines) +fn oci_spec_resource_limits( + value: &Value, +) -> Result, RenderError> { + Ok(serde_json::from_value(value.clone())?) } // =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= @@ -2701,6 +2804,7 @@ mod test_any_enabled { #[cfg(test)] mod test_oci_spec { + use super::{Containerd, Docker}; use crate::helpers::*; use serde_json::json; use OciDefaultsResourceLimitType::*; @@ -2713,7 +2817,8 @@ mod test_oci_spec { "mac-admin": true, "mknod": true }); - let rendered = oci_spec_capabilities(&json).unwrap(); + let capabilities = oci_spec_capabilities(&json).unwrap(); + let rendered = Containerd::get_capabilities(capabilities); assert_eq!( rendered, r#""bounding": ["CAP_KILL", 
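Review bot: The doc comment kept as context above `oci_spec_resource_limits` still says the function "generates the resource limits section of the OCI runtime spec", but the new body only deserializes `value` into a map and leaves rendering to `Runtime::get_resource_limits`, so the comment now misdescribes the contract. Suggested replacement for those lines: `/// Parses the settings data from the datastore (settings.oci-defaults.resource-limits)` / `/// into a map from limit type to its hard/soft values; per-runtime rendering happens in` / `/// Runtime::get_resource_limits.` The doc of `oci_spec_capabilities` starts above the previous hunk, but presumably has the same problem now that it returns only the joined capability lines. `Ok(serde_json::from_value(value.clone())?)` can be written as `serde_json::from_value(value.clone()).map_err(Into::into)`, which is a style point only.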
@@ -2733,7 +2838,8 @@ mod test_oci_spec { (cap, bottlerocket, hard_limit, soft_limit): (OciDefaultsResourceLimitType, &str, i64, i64), ) { let json = json!({bottlerocket: {"hard-limit": hard_limit, "soft-limit": soft_limit}}); - let rendered = oci_spec_resource_limits(&json).unwrap(); + let rlimits = oci_spec_resource_limits(&json).unwrap(); + let rendered = Containerd::get_resource_limits(&cap, rlimits.get(&cap).unwrap()); let result = format!( r#"{{ "type": "{}", "hard": {}, "soft": {} }}"#, cap.to_linux_string(), @@ -2772,7 +2878,12 @@ mod test_oci_spec { #[test] fn oci_spec_max_locked_memory_as_unlimited_resource_limit_test() { let json = json!({"max-locked-memory": {"hard-limit": "unlimited", "soft-limit": 18}}); - let rendered = oci_spec_resource_limits(&json).unwrap(); + let rlimits = oci_spec_resource_limits(&json).unwrap(); + let rendered = Containerd::get_resource_limits( + &MaxLockedMemory, + rlimits.get(&MaxLockedMemory).unwrap(), + ); + assert_eq!( rendered, r#"{ "type": "RLIMIT_MEMLOCK", "hard": 18446744073709551615, "soft": 18 }"# 
@@ -2782,10 +2893,58 @@ mod test_oci_spec {
 #[test]
 fn oci_spec_max_locked_memory_as_minus_one_resource_limit_test() {
 let json = json!({"max-locked-memory": {"hard-limit": -1, "soft-limit": 18}});
- let rendered = oci_spec_resource_limits(&json).unwrap();
+ let rlimits = oci_spec_resource_limits(&json).unwrap();
+ let rendered = Containerd::get_resource_limits(
+ &MaxLockedMemory,
+ rlimits.get(&MaxLockedMemory).unwrap(),
+ );
 assert_eq!(
 rendered,
 r#"{ "type": "RLIMIT_MEMLOCK", "hard": 18446744073709551615, "soft": 18 }"#
 );
 }
+
+ #[test]
+ fn oci_spec_capabilities_docker_test() {
+ let json = json!({
+ "kill": true,
+ "lease": false,
+ "mac-admin": true,
+ "mknod": true
+ });
+ let capabilities = oci_spec_capabilities(&json).unwrap();
+ let rendered = Docker::get_capabilities(capabilities);
+ assert_eq!(
+ rendered,
+ r#"["CAP_KILL",
+"CAP_MAC_ADMIN",
+"CAP_MKNOD"],
+"#
+ );
+ }
+
+ #[test]
+ fn oci_spec_resource_limits_test_docker() {
+ let json = json!({"max-open-files": {"hard-limit": 1, "soft-limit": 2}});
+ let rlimits = oci_spec_resource_limits(&json).unwrap();
+ let rendered =
+ Docker::get_resource_limits(&MaxOpenFiles, rlimits.get(&MaxOpenFiles).unwrap());
+ assert_eq!(
+ rendered,
+ r#" "nofile":{ "Name": "nofile", "Hard": 1, "Soft": 2 }"#
+ );
+ }
+
+ #[test]
+ fn oci_spec_max_locked_memory_as_unlimited_docker_resource_limit_test() {
+ let json = json!({"max-locked-memory": {"hard-limit": "unlimited", "soft-limit": 18}});
+ let rlimits = oci_spec_resource_limits(&json).unwrap();
+ let rendered =
+ Docker::get_resource_limits(&MaxLockedMemory, rlimits.get(&MaxLockedMemory).unwrap());
+
+ assert_eq!(
+ rendered,
+ r#" "memlock":{ "Name": "memlock", "Hard": -1, "Soft": 18 }"#
+ );
+ }
 }
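Review bot: The new Docker resource-limit tests cover the `"unlimited"` spelling of the hard limit but not the `-1` spelling, while the Containerd side checks both in `oci_spec_max_locked_memory_as_unlimited_resource_limit_test` and `oci_spec_max_locked_memory_as_minus_one_resource_limit_test` just above. Since the two inputs are presumably meant to converge on the same `"Hard": -1` output for Docker, a sibling `oci_spec_max_locked_memory_as_minus_one_docker_resource_limit_test` using `json!({"max-locked-memory": {"hard-limit": -1, "soft-limit": 18}})` and asserting the same `"memlock"` line would pin that behaviour at the Docker boundary too. The expected capability string in `oci_spec_capabilities_docker_test` ends in `],` followed by a newline; a one-line comment such as `// trailing comma and newline are part of the fragment the template splices in` would stop a future cleanup from "fixing" the fixture and silently changing what the test guards.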
diff --git a/sources/models/shared-defaults/oci-defaults-containerd-cri-capabilities.toml b/sources/models/shared-defaults/oci-defaults-capabilities.toml
similarity index 73%
rename from sources/models/shared-defaults/oci-defaults-containerd-cri-capabilities.toml
rename to sources/models/shared-defaults/oci-defaults-capabilities.toml
index ef36e49437f..5a8e98136a7 100644
--- a/sources/models/shared-defaults/oci-defaults-containerd-cri-capabilities.toml
+++ b/sources/models/shared-defaults/oci-defaults-capabilities.toml
@@ -1,6 +1,5 @@
 [settings.oci-defaults.capabilities]
-# These values represent the default capabilities in the default
-# OCI spec for containerd.
+# These values represent the default capabilities for Docker and Containerd.
 audit-write = true
 chown = true
 dac-override = true
diff --git a/sources/models/shared-defaults/oci-defaults-docker-resource-limits.toml b/sources/models/shared-defaults/oci-defaults-docker-resource-limits.toml
new file mode 100644
index 00000000000..437739b7992
--- /dev/null
+++ b/sources/models/shared-defaults/oci-defaults-docker-resource-limits.toml
@@ -0,0 +1,3 @@
+[settings.oci-defaults.resource-limits.max-open-files]
+hard-limit = 4096
+soft-limit = 1024
diff --git a/sources/models/shared-defaults/oci-defaults-docker.toml b/sources/models/shared-defaults/oci-defaults-docker.toml
new file mode 100644
index 00000000000..b1f89695d22
--- /dev/null
+++ b/sources/models/shared-defaults/oci-defaults-docker.toml
@@ -0,0 +1,2 @@
+[metadata.settings.oci-defaults]
+affected-services = ["docker"]
diff --git a/sources/models/src/aws-ecs-1-nvidia/defaults.d/75-oci-defaults-docker.toml b/sources/models/src/aws-ecs-1-nvidia/defaults.d/75-oci-defaults-docker.toml
new file mode 120000
index 00000000000..deb7cd4f616
--- /dev/null
+++ b/sources/models/src/aws-ecs-1-nvidia/defaults.d/75-oci-defaults-docker.toml
@@ -0,0 +1 @@
+../../../shared-defaults/oci-defaults-docker.toml
\ No newline at end of file
diff --git a/sources/models/src/aws-ecs-1-nvidia/defaults.d/76-oci-defaults-capabilities.toml b/sources/models/src/aws-ecs-1-nvidia/defaults.d/76-oci-defaults-capabilities.toml
new file mode 120000
index 00000000000..100c2874090
--- /dev/null
+++ b/sources/models/src/aws-ecs-1-nvidia/defaults.d/76-oci-defaults-capabilities.toml
@@ -0,0 +1 @@
+../../../shared-defaults/oci-defaults-capabilities.toml
\ No newline at end of file
diff --git a/sources/models/src/aws-ecs-1-nvidia/defaults.d/77-oci-defaults-docker-resource-limits.toml b/sources/models/src/aws-ecs-1-nvidia/defaults.d/77-oci-defaults-docker-resource-limits.toml
new file mode 120000
index 00000000000..24b077b8362
--- /dev/null
+++ b/sources/models/src/aws-ecs-1-nvidia/defaults.d/77-oci-defaults-docker-resource-limits.toml
@@ -0,0 +1 @@
+../../../shared-defaults/oci-defaults-docker-resource-limits.toml
\ No newline at end of file
diff --git a/sources/models/src/aws-ecs-1-nvidia/mod.rs b/sources/models/src/aws-ecs-1-nvidia/mod.rs
index 4ab3064d508..f4cd1113192 100644
--- a/sources/models/src/aws-ecs-1-nvidia/mod.rs
+++ b/sources/models/src/aws-ecs-1-nvidia/mod.rs
@@ -6,7 +6,7 @@ use crate::modeled_types::Identifier;
 use crate::{
 AutoScalingSettings, AwsSettings, BootstrapContainer, CloudFormationSettings, DnsSettings,
 ECSSettings, HostContainer, KernelSettings, MetricsSettings, NetworkSettings, NtpSettings,
- OciHooks, PemCertificate, RegistrySettings, UpdatesSettings,
+ OciDefaults, OciHooks, PemCertificate, RegistrySettings, UpdatesSettings,
 };
 
 // Note: we have to use 'rename' here because the top-level Settings structure is the only one
@@ -25,6 +25,7 @@ struct Settings {
 metrics: MetricsSettings,
 pki: HashMap,
 container_registry: RegistrySettings,
+ oci_defaults: OciDefaults,
 oci_hooks: OciHooks,
 cloudformation: CloudFormationSettings,
 autoscaling: AutoScalingSettings,
diff --git a/sources/models/src/aws-ecs-1/defaults.d/75-oci-defaults-docker.toml b/sources/models/src/aws-ecs-1/defaults.d/75-oci-defaults-docker.toml
new file mode 120000
index 00000000000..deb7cd4f616
--- /dev/null
+++ b/sources/models/src/aws-ecs-1/defaults.d/75-oci-defaults-docker.toml
@@ -0,0 +1 @@
+../../../shared-defaults/oci-defaults-docker.toml
\ No newline at end of file
diff --git a/sources/models/src/aws-ecs-1/defaults.d/76-oci-defaults-capabilities.toml b/sources/models/src/aws-ecs-1/defaults.d/76-oci-defaults-capabilities.toml
new file mode 120000
index 00000000000..100c2874090
--- /dev/null
+++ b/sources/models/src/aws-ecs-1/defaults.d/76-oci-defaults-capabilities.toml
@@ -0,0 +1 @@
+../../../shared-defaults/oci-defaults-capabilities.toml
\ No newline at end of file
diff --git a/sources/models/src/aws-ecs-1/defaults.d/77-oci-defaults-docker-resource-limits.toml b/sources/models/src/aws-ecs-1/defaults.d/77-oci-defaults-docker-resource-limits.toml
new file mode 120000
index 00000000000..24b077b8362
--- /dev/null
+++ b/sources/models/src/aws-ecs-1/defaults.d/77-oci-defaults-docker-resource-limits.toml
@@ -0,0 +1 @@
+../../../shared-defaults/oci-defaults-docker-resource-limits.toml
\ No newline at end of file
diff --git a/sources/models/src/aws-ecs-1/mod.rs b/sources/models/src/aws-ecs-1/mod.rs
index 4ab3064d508..f4cd1113192 100644
--- a/sources/models/src/aws-ecs-1/mod.rs
+++ b/sources/models/src/aws-ecs-1/mod.rs
@@ -6,7 +6,7 @@ use crate::modeled_types::Identifier;
 use crate::{
 AutoScalingSettings, AwsSettings, BootstrapContainer, CloudFormationSettings, DnsSettings,
 ECSSettings, HostContainer, KernelSettings, MetricsSettings, NetworkSettings, NtpSettings,
- OciHooks, PemCertificate, RegistrySettings, UpdatesSettings,
+ OciDefaults, OciHooks, PemCertificate, RegistrySettings, UpdatesSettings,
 };
 
 // Note: we have to use 'rename' here because the top-level Settings structure is the only one
@@ -25,6 +25,7 @@ struct Settings {
 metrics: MetricsSettings,
 pki: HashMap,
 container_registry: RegistrySettings,
+ oci_defaults: OciDefaults,
 oci_hooks: OciHooks,
 cloudformation: CloudFormationSettings,
 autoscaling: AutoScalingSettings,
diff --git a/sources/models/src/aws-ecs-2-nvidia/defaults.d/75-oci-defaults-docker.toml b/sources/models/src/aws-ecs-2-nvidia/defaults.d/75-oci-defaults-docker.toml
new file mode 120000
index 00000000000..deb7cd4f616
--- /dev/null
+++ b/sources/models/src/aws-ecs-2-nvidia/defaults.d/75-oci-defaults-docker.toml
@@ -0,0 +1 @@
+../../../shared-defaults/oci-defaults-docker.toml
\ No newline at end of file
diff --git a/sources/models/src/aws-ecs-2-nvidia/defaults.d/76-oci-defaults-capabilities.toml b/sources/models/src/aws-ecs-2-nvidia/defaults.d/76-oci-defaults-capabilities.toml
new file mode 120000
index 00000000000..100c2874090
--- /dev/null
+++ b/sources/models/src/aws-ecs-2-nvidia/defaults.d/76-oci-defaults-capabilities.toml
@@ -0,0 +1 @@
+../../../shared-defaults/oci-defaults-capabilities.toml
\ No newline at end of file
diff --git a/sources/models/src/aws-ecs-2-nvidia/defaults.d/77-oci-defaults-docker-resource-limits.toml b/sources/models/src/aws-ecs-2-nvidia/defaults.d/77-oci-defaults-docker-resource-limits.toml
new file mode 120000
index 00000000000..24b077b8362
--- /dev/null
+++ b/sources/models/src/aws-ecs-2-nvidia/defaults.d/77-oci-defaults-docker-resource-limits.toml
@@ -0,0 +1 @@
+../../../shared-defaults/oci-defaults-docker-resource-limits.toml
\ No newline at end of file
diff --git a/sources/models/src/aws-ecs-2-nvidia/mod.rs b/sources/models/src/aws-ecs-2-nvidia/mod.rs
index 7ed211b06dd..aad3dd7eaec 100644
--- a/sources/models/src/aws-ecs-2-nvidia/mod.rs
+++ b/sources/models/src/aws-ecs-2-nvidia/mod.rs
@@ -6,7 +6,7 @@ use crate::modeled_types::Identifier;
 use crate::{
 AutoScalingSettings, AwsSettings, BootSettings, BootstrapContainer, CloudFormationSettings,
 DnsSettings, ECSSettings, HostContainer, KernelSettings, MetricsSettings, NetworkSettings,
- NtpSettings, OciHooks, PemCertificate, RegistrySettings, UpdatesSettings,
+ NtpSettings, OciDefaults, OciHooks, PemCertificate, RegistrySettings, UpdatesSettings,
 };
 
 // Note: we have to use 'rename' here because the top-level Settings structure is the only one
@@ -26,6 +26,7 @@ struct Settings {
 metrics: MetricsSettings,
 pki: HashMap,
 container_registry: RegistrySettings,
+ oci_defaults: OciDefaults,
 oci_hooks: OciHooks,
 cloudformation: CloudFormationSettings,
 autoscaling: AutoScalingSettings,
diff --git a/sources/models/src/aws-ecs-2/defaults.d/75-oci-defaults-docker.toml b/sources/models/src/aws-ecs-2/defaults.d/75-oci-defaults-docker.toml
new file mode 120000
index 00000000000..deb7cd4f616
--- /dev/null
+++ b/sources/models/src/aws-ecs-2/defaults.d/75-oci-defaults-docker.toml
@@ -0,0 +1 @@
+../../../shared-defaults/oci-defaults-docker.toml
\ No newline at end of file
diff --git a/sources/models/src/aws-ecs-2/defaults.d/76-oci-defaults-capabilities.toml b/sources/models/src/aws-ecs-2/defaults.d/76-oci-defaults-capabilities.toml
new file mode 120000
index 00000000000..100c2874090
--- /dev/null
+++ b/sources/models/src/aws-ecs-2/defaults.d/76-oci-defaults-capabilities.toml
@@ -0,0 +1 @@
+../../../shared-defaults/oci-defaults-capabilities.toml
\ No newline at end of file
diff --git a/sources/models/src/aws-ecs-2/defaults.d/77-oci-defaults-docker-resource-limits.toml b/sources/models/src/aws-ecs-2/defaults.d/77-oci-defaults-docker-resource-limits.toml
new file mode 120000
index 00000000000..24b077b8362
--- /dev/null
+++ b/sources/models/src/aws-ecs-2/defaults.d/77-oci-defaults-docker-resource-limits.toml
@@ -0,0 +1 @@
+../../../shared-defaults/oci-defaults-docker-resource-limits.toml
\ No newline at end of file
diff --git a/sources/models/src/aws-ecs-2/mod.rs b/sources/models/src/aws-ecs-2/mod.rs
index 7ed211b06dd..aad3dd7eaec 100644
--- a/sources/models/src/aws-ecs-2/mod.rs
+++ b/sources/models/src/aws-ecs-2/mod.rs
@@ -6,7 +6,7 @@ use crate::modeled_types::Identifier;
 use crate::{
 AutoScalingSettings, AwsSettings, BootSettings, BootstrapContainer, CloudFormationSettings,
 DnsSettings, ECSSettings, HostContainer, KernelSettings, MetricsSettings, NetworkSettings,
- NtpSettings, OciHooks, PemCertificate, RegistrySettings, UpdatesSettings,
+ NtpSettings, OciDefaults, OciHooks, PemCertificate, RegistrySettings, UpdatesSettings,
 };
 
 // Note: we have to use 'rename' here because the top-level Settings structure is the only one
@@ -26,6 +26,7 @@ struct Settings {
 metrics: MetricsSettings,
 pki: HashMap,
 container_registry: RegistrySettings,
+ oci_defaults: OciDefaults,
 oci_hooks: OciHooks,
 cloudformation: CloudFormationSettings,
 autoscaling: AutoScalingSettings,
diff --git a/sources/models/src/aws-k8s-1.24-nvidia/defaults.d/76-oci-defaults-capabilities.toml b/sources/models/src/aws-k8s-1.24-nvidia/defaults.d/76-oci-defaults-capabilities.toml
new file mode 120000
index 00000000000..100c2874090
--- /dev/null
+++ b/sources/models/src/aws-k8s-1.24-nvidia/defaults.d/76-oci-defaults-capabilities.toml
@@ -0,0 +1 @@
+../../../shared-defaults/oci-defaults-capabilities.toml
\ No newline at end of file
diff --git a/sources/models/src/aws-k8s-1.24-nvidia/defaults.d/76-oci-defaults-containerd-cri-capabilities.toml b/sources/models/src/aws-k8s-1.24-nvidia/defaults.d/76-oci-defaults-containerd-cri-capabilities.toml
deleted file mode 120000
index 2e5d1c32f8d..00000000000
--- a/sources/models/src/aws-k8s-1.24-nvidia/defaults.d/76-oci-defaults-containerd-cri-capabilities.toml
+++ /dev/null
@@ -1 +0,0 @@
-../../../shared-defaults/oci-defaults-containerd-cri-capabilities.toml
\ No newline at end of file
diff --git a/sources/models/src/aws-k8s-1.24/defaults.d/76-oci-defaults-capabilities.toml b/sources/models/src/aws-k8s-1.24/defaults.d/76-oci-defaults-capabilities.toml
new file mode 120000
index 00000000000..100c2874090
--- /dev/null
+++ b/sources/models/src/aws-k8s-1.24/defaults.d/76-oci-defaults-capabilities.toml
@@ -0,0 +1 @@
+../../../shared-defaults/oci-defaults-capabilities.toml
\ No newline at end of file
diff --git a/sources/models/src/aws-k8s-1.24/defaults.d/76-oci-defaults-containerd-cri-capabilities.toml b/sources/models/src/aws-k8s-1.24/defaults.d/76-oci-defaults-containerd-cri-capabilities.toml
deleted file mode 120000
index 2e5d1c32f8d..00000000000
--- a/sources/models/src/aws-k8s-1.24/defaults.d/76-oci-defaults-containerd-cri-capabilities.toml
+++ /dev/null
@@ -1 +0,0 @@
-../../../shared-defaults/oci-defaults-containerd-cri-capabilities.toml
\ No newline at end of file
diff --git a/sources/models/src/aws-k8s-1.25-nvidia/defaults.d/76-oci-defaults-capabilities.toml b/sources/models/src/aws-k8s-1.25-nvidia/defaults.d/76-oci-defaults-capabilities.toml
new file mode 120000
index 00000000000..100c2874090
--- /dev/null
+++ b/sources/models/src/aws-k8s-1.25-nvidia/defaults.d/76-oci-defaults-capabilities.toml
@@ -0,0 +1 @@
+../../../shared-defaults/oci-defaults-capabilities.toml
\ No newline at end of file
diff --git a/sources/models/src/aws-k8s-1.25-nvidia/defaults.d/76-oci-defaults-containerd-cri-capabilities.toml b/sources/models/src/aws-k8s-1.25-nvidia/defaults.d/76-oci-defaults-containerd-cri-capabilities.toml
deleted file mode 120000
index 2e5d1c32f8d..00000000000
--- a/sources/models/src/aws-k8s-1.25-nvidia/defaults.d/76-oci-defaults-containerd-cri-capabilities.toml
+++ /dev/null
@@ -1 +0,0 @@
-../../../shared-defaults/oci-defaults-containerd-cri-capabilities.toml
\ No newline at end of file
diff --git a/sources/models/src/aws-k8s-1.25/defaults.d/76-oci-defaults-capabilities.toml b/sources/models/src/aws-k8s-1.25/defaults.d/76-oci-defaults-capabilities.toml
new file mode 120000
index 00000000000..100c2874090
--- /dev/null
+++ b/sources/models/src/aws-k8s-1.25/defaults.d/76-oci-defaults-capabilities.toml
@@ -0,0 +1 @@
+../../../shared-defaults/oci-defaults-capabilities.toml
\ No newline at end of file
diff --git a/sources/models/src/aws-k8s-1.25/defaults.d/76-oci-defaults-containerd-cri-capabilities.toml b/sources/models/src/aws-k8s-1.25/defaults.d/76-oci-defaults-containerd-cri-capabilities.toml
deleted file mode 120000
index 2e5d1c32f8d..00000000000
--- a/sources/models/src/aws-k8s-1.25/defaults.d/76-oci-defaults-containerd-cri-capabilities.toml
+++ /dev/null
@@ -1 +0,0 @@
-../../../shared-defaults/oci-defaults-containerd-cri-capabilities.toml
\ No newline at end of file
diff --git a/sources/models/src/aws-k8s-1.26-nvidia/defaults.d/76-oci-defaults-capabilities.toml b/sources/models/src/aws-k8s-1.26-nvidia/defaults.d/76-oci-defaults-capabilities.toml
new file mode 120000
index 00000000000..100c2874090
--- /dev/null
+++ b/sources/models/src/aws-k8s-1.26-nvidia/defaults.d/76-oci-defaults-capabilities.toml
@@ -0,0 +1 @@
+../../../shared-defaults/oci-defaults-capabilities.toml
\ No newline at end of file
diff --git a/sources/models/src/aws-k8s-1.26-nvidia/defaults.d/76-oci-defaults-containerd-cri-capabilities.toml b/sources/models/src/aws-k8s-1.26-nvidia/defaults.d/76-oci-defaults-containerd-cri-capabilities.toml
deleted file mode 120000
index 2e5d1c32f8d..00000000000
--- a/sources/models/src/aws-k8s-1.26-nvidia/defaults.d/76-oci-defaults-containerd-cri-capabilities.toml
+++ /dev/null
@@ -1 +0,0 @@
-../../../shared-defaults/oci-defaults-containerd-cri-capabilities.toml
\ No newline at end of file
diff --git a/sources/models/src/aws-k8s-1.26/defaults.d/76-oci-defaults-capabilities.toml b/sources/models/src/aws-k8s-1.26/defaults.d/76-oci-defaults-capabilities.toml
new file mode 120000
index 00000000000..100c2874090
--- /dev/null
+++ b/sources/models/src/aws-k8s-1.26/defaults.d/76-oci-defaults-capabilities.toml
@@ -0,0 +1 @@
+../../../shared-defaults/oci-defaults-capabilities.toml
\ No newline at end of file
diff --git a/sources/models/src/aws-k8s-1.26/defaults.d/76-oci-defaults-containerd-cri-capabilities.toml b/sources/models/src/aws-k8s-1.26/defaults.d/76-oci-defaults-containerd-cri-capabilities.toml
deleted file mode 120000
index 2e5d1c32f8d..00000000000
--- a/sources/models/src/aws-k8s-1.26/defaults.d/76-oci-defaults-containerd-cri-capabilities.toml
+++ /dev/null
@@ -1 +0,0 @@
-../../../shared-defaults/oci-defaults-containerd-cri-capabilities.toml
\ No newline at end of file
diff --git a/sources/models/src/aws-k8s-1.27-nvidia/defaults.d/76-oci-defaults-capabilities.toml b/sources/models/src/aws-k8s-1.27-nvidia/defaults.d/76-oci-defaults-capabilities.toml
new file mode 120000
index 00000000000..100c2874090
--- /dev/null
+++ b/sources/models/src/aws-k8s-1.27-nvidia/defaults.d/76-oci-defaults-capabilities.toml
@@ -0,0 +1 @@
+../../../shared-defaults/oci-defaults-capabilities.toml
\ No newline at end of file
diff --git a/sources/models/src/aws-k8s-1.27-nvidia/defaults.d/76-oci-defaults-containerd-cri-capabilities.toml b/sources/models/src/aws-k8s-1.27-nvidia/defaults.d/76-oci-defaults-containerd-cri-capabilities.toml
deleted file mode 120000
index 2e5d1c32f8d..00000000000
--- a/sources/models/src/aws-k8s-1.27-nvidia/defaults.d/76-oci-defaults-containerd-cri-capabilities.toml
+++ /dev/null
@@ -1 +0,0 @@
-../../../shared-defaults/oci-defaults-containerd-cri-capabilities.toml
\ No newline at end of file
diff --git a/sources/models/src/aws-k8s-1.27/defaults.d/76-oci-defaults-capabilities.toml b/sources/models/src/aws-k8s-1.27/defaults.d/76-oci-defaults-capabilities.toml
new file mode 120000
index 00000000000..100c2874090
--- /dev/null
+++ b/sources/models/src/aws-k8s-1.27/defaults.d/76-oci-defaults-capabilities.toml
@@ -0,0 +1 @@
+../../../shared-defaults/oci-defaults-capabilities.toml
\ No newline at end of file
diff --git a/sources/models/src/aws-k8s-1.27/defaults.d/76-oci-defaults-containerd-cri-capabilities.toml b/sources/models/src/aws-k8s-1.27/defaults.d/76-oci-defaults-containerd-cri-capabilities.toml
deleted file mode 120000
index 2e5d1c32f8d..00000000000
--- a/sources/models/src/aws-k8s-1.27/defaults.d/76-oci-defaults-containerd-cri-capabilities.toml
+++ /dev/null
@@ -1 +0,0 @@
-../../../shared-defaults/oci-defaults-containerd-cri-capabilities.toml
\ No newline at end of file
diff --git a/sources/models/src/lib.rs b/sources/models/src/lib.rs
index 37379073248..c20d9296110 100644
--- a/sources/models/src/lib.rs
+++ b/sources/models/src/lib.rs
@@ -540,23 +540,6 @@ struct OciDefaultsResourceLimit {
 soft_limit: i64,
 }
 
-impl OciDefaultsResourceLimit {
- pub fn get_hard_limit(self) -> u64 {
- Self::get_limit(self.hard_limit)
- }
-
- pub fn get_soft_limit(self) -> u64 {
- Self::get_limit(self.soft_limit)
- }
-
- fn get_limit(limit: i64) -> u64 {
- match limit {
- -1 => u64::MAX,
- _ => limit as u64,
- }
- }
-}
-
 #[model(add_option = false)]
 struct Report {
 name: String,
diff --git a/sources/models/src/metal-k8s-1.24/defaults.d/86-oci-defaults-capabilities.toml b/sources/models/src/metal-k8s-1.24/defaults.d/86-oci-defaults-capabilities.toml
new file mode 120000
index 00000000000..100c2874090
--- /dev/null
+++ b/sources/models/src/metal-k8s-1.24/defaults.d/86-oci-defaults-capabilities.toml
@@ -0,0 +1 @@
+../../../shared-defaults/oci-defaults-capabilities.toml
\ No newline at end of file
diff --git a/sources/models/src/metal-k8s-1.24/defaults.d/86-oci-defaults-containerd-cri-capabilities.toml b/sources/models/src/metal-k8s-1.24/defaults.d/86-oci-defaults-containerd-cri-capabilities.toml
deleted file mode 120000
index 2e5d1c32f8d..00000000000
--- a/sources/models/src/metal-k8s-1.24/defaults.d/86-oci-defaults-containerd-cri-capabilities.toml
+++ /dev/null
@@ -1 +0,0 @@
-../../../shared-defaults/oci-defaults-containerd-cri-capabilities.toml
\ No newline at end of file
diff --git a/sources/models/src/metal-k8s-1.27/defaults.d/86-oci-defaults-capabilities.toml b/sources/models/src/metal-k8s-1.27/defaults.d/86-oci-defaults-capabilities.toml
new file mode 120000
index 00000000000..100c2874090
--- /dev/null
+++ b/sources/models/src/metal-k8s-1.27/defaults.d/86-oci-defaults-capabilities.toml
@@ -0,0 +1 @@
+../../../shared-defaults/oci-defaults-capabilities.toml
\ No newline at end of file
diff --git a/sources/models/src/metal-k8s-1.27/defaults.d/86-oci-defaults-containerd-cri-capabilities.toml b/sources/models/src/metal-k8s-1.27/defaults.d/86-oci-defaults-containerd-cri-capabilities.toml
deleted file mode 120000
index 2e5d1c32f8d..00000000000
--- a/sources/models/src/metal-k8s-1.27/defaults.d/86-oci-defaults-containerd-cri-capabilities.toml
+++ /dev/null
@@ -1 +0,0 @@
-../../../shared-defaults/oci-defaults-containerd-cri-capabilities.toml
\ No newline at end of file
diff --git a/sources/models/src/vmware-k8s-1.24/defaults.d/76-oci-defaults-capabilities.toml b/sources/models/src/vmware-k8s-1.24/defaults.d/76-oci-defaults-capabilities.toml
new file mode 120000
index 00000000000..100c2874090
--- /dev/null
+++ b/sources/models/src/vmware-k8s-1.24/defaults.d/76-oci-defaults-capabilities.toml
@@ -0,0 +1 @@
+../../../shared-defaults/oci-defaults-capabilities.toml
\ No newline at end of file
diff --git a/sources/models/src/vmware-k8s-1.24/defaults.d/76-oci-defaults-containerd-cri-capabilities.toml b/sources/models/src/vmware-k8s-1.24/defaults.d/76-oci-defaults-containerd-cri-capabilities.toml
deleted file mode 120000
index 2e5d1c32f8d..00000000000
--- a/sources/models/src/vmware-k8s-1.24/defaults.d/76-oci-defaults-containerd-cri-capabilities.toml
+++ /dev/null
@@ -1 +0,0 @@
-../../../shared-defaults/oci-defaults-containerd-cri-capabilities.toml
\ No newline at end of file
diff --git a/sources/models/src/vmware-k8s-1.27/defaults.d/76-oci-defaults-capabilities.toml b/sources/models/src/vmware-k8s-1.27/defaults.d/76-oci-defaults-capabilities.toml
new file mode 120000
index 00000000000..100c2874090
--- /dev/null
+++ b/sources/models/src/vmware-k8s-1.27/defaults.d/76-oci-defaults-capabilities.toml
@@ -0,0 +1 @@
+../../../shared-defaults/oci-defaults-capabilities.toml
\ No newline at end of file
diff --git a/sources/models/src/vmware-k8s-1.27/defaults.d/76-oci-defaults-containerd-cri-capabilities.toml b/sources/models/src/vmware-k8s-1.27/defaults.d/76-oci-defaults-containerd-cri-capabilities.toml
deleted file mode 120000
index 2e5d1c32f8d..00000000000
--- a/sources/models/src/vmware-k8s-1.27/defaults.d/76-oci-defaults-containerd-cri-capabilities.toml
+++ /dev/null
@@ -1 +0,0 @@
-../../../shared-defaults/oci-defaults-containerd-cri-capabilities.toml
\ No newline at end of file