package template
import (
"syscall"
"github.com/opencontainers/runc/libcontainer/apparmor"
"github.com/opencontainers/runc/libcontainer/configs"
)
// defaultMountFlags is the baseline flag set applied to the pseudo-filesystem
// mounts in the default template: nothing on them can be executed
// (MS_NOEXEC), set-uid/set-gid bits are ignored (MS_NOSUID) and device nodes
// are not honoured (MS_NODEV). Individual mounts add MS_RDONLY on top.
const defaultMountFlags = syscall.MS_NODEV | syscall.MS_NOSUID | syscall.MS_NOEXEC
// SystemdCgroups indicates whether the systemd cgroup implementation is in
// use. It defaults to false. When set to true before New is called, New
// places the container under systemd's "system.slice" with a "docker" scope
// prefix instead of the "/docker" cgroup parent. New only reads this switch;
// it is expected to be set once during daemon start-up.
var SystemdCgroups bool
// New returns the docker default configuration for libcontainer.
//
// Every call builds a fresh *configs.Config, so callers may mutate the result
// without affecting later calls. The template describes the baseline sandbox
// a container starts from: an explicit allowlist of Linux capabilities, the
// full set of namespaces (including a user namespace), a "/docker" cgroup
// parent with device access denied by default, the standard pseudo-filesystem
// mounts carrying noexec/nosuid/nodev (and read-only where possible), and the
// /proc entries that are masked or made read-only. Two package-level switches
// adjust it: apparmor.IsEnabled() selects the "docker-default" AppArmor
// profile, and SystemdCgroups moves the cgroup parent to "system.slice" with
// a "docker" scope prefix.
func New() *configs.Config {
	// Capability allowlist: only these are retained by the container process.
	caps := []string{
		"CHOWN",
		"DAC_OVERRIDE",
		"FSETID",
		"FOWNER",
		"MKNOD",
		"NET_RAW",
		"SETGID",
		"SETUID",
		"SETFCAP",
		"SETPCAP",
		"NET_BIND_SERVICE",
		"SYS_CHROOT",
		"KILL",
		"AUDIT_WRITE",
	}

	// Every namespace type is unshared, user namespaces included.
	namespaces := configs.Namespaces{
		{Type: "NEWNS"},
		{Type: "NEWUTS"},
		{Type: "NEWIPC"},
		{Type: "NEWPID"},
		{Type: "NEWNET"},
		{Type: "NEWUSER"},
	}

	// Mounts are listed in the order they are applied. Read-only trees
	// (sysfs, cgroup) get MS_RDONLY on top of the default restrictions;
	// /dev is a private tmpfs so host device nodes are never visible.
	readonlyFlags := defaultMountFlags | syscall.MS_RDONLY
	mounts := []*configs.Mount{
		{
			Source:      "proc",
			Destination: "/proc",
			Device:      "proc",
			Flags:       defaultMountFlags,
		},
		{
			Source:      "tmpfs",
			Destination: "/dev",
			Device:      "tmpfs",
			Flags:       syscall.MS_NOSUID | syscall.MS_STRICTATIME,
			Data:        "mode=755",
		},
		{
			Source:      "devpts",
			Destination: "/dev/pts",
			Device:      "devpts",
			Flags:       syscall.MS_NOSUID | syscall.MS_NOEXEC,
			// newinstance gives the container its own pty namespace; gid=5 is
			// the conventional "tty" group — TODO confirm it matches the image.
			Data: "newinstance,ptmxmode=0666,mode=0620,gid=5",
		},
		{
			Source:      "sysfs",
			Destination: "/sys",
			Device:      "sysfs",
			Flags:       readonlyFlags,
		},
		{
			Source:      "cgroup",
			Destination: "/sys/fs/cgroup",
			Device:      "cgroup",
			Flags:       readonlyFlags,
		},
	}

	// /proc entries that expose kernel memory or timing data are masked
	// entirely; the remaining sensitive /proc trees are mounted read-only so
	// a root process inside the container cannot write to them.
	maskPaths := []string{
		"/proc/kcore",
		"/proc/latency_stats",
		"/proc/timer_stats",
	}
	readonlyPaths := []string{
		"/proc/asound",
		"/proc/bus",
		"/proc/fs",
		"/proc/irq",
		"/proc/sys",
		"/proc/sysrq-trigger",
	}

	cfg := &configs.Config{
		Capabilities: caps,
		Namespaces:   namespaces,
		Cgroups: &configs.Cgroup{
			Parent: "/docker",
			// Explicitly deny-by-default: device access must be granted per
			// device rather than inherited wholesale.
			AllowAllDevices: false,
			// -1 presumably leaves swappiness unset — confirm against configs.
			MemorySwappiness: -1,
		},
		Mounts:        mounts,
		MaskPaths:     maskPaths,
		ReadonlyPaths: readonlyPaths,
	}

	// The AppArmor profile is only requested when the host can enforce it.
	if apparmor.IsEnabled() {
		cfg.AppArmorProfile = "docker-default"
	}

	// Under systemd the cgroup hierarchy is owned by the slice/scope model,
	// so the "/docker" parent above is replaced rather than nested.
	if SystemdCgroups {
		cfg.Cgroups.Parent = "system.slice"
		cfg.Cgroups.ScopePrefix = "docker"
	}

	return cfg
}