kotovalexarian-likes-github
/
moby--moby
mirror of https://github.com/moby/moby.git
1
0
Fork 0
Code Releases Activity
moby--moby/daemon/execdriver/native/template/default_template.go

47 lines
909 B
Go
Raw Normal View History

Add unit test for lxc conf merge and native opts Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-03-24 07:16:40 +00:00
package template
Initial commit of libcontainer running docker Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-02-22 01:11:57 +00:00
import (
Update libcontainer imports Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-06-11 02:58:15 +00:00
"github.com/docker/libcontainer"
"github.com/docker/libcontainer/apparmor"
"github.com/docker/libcontainer/cgroups"
Initial commit of libcontainer running docker Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-02-22 01:11:57 +00:00
)
Add unit test for lxc conf merge and native opts Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-03-24 07:16:40 +00:00
// New returns the docker default configuration for libcontainer
Rename libcontainer.Container to libcontainer.Config Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@docker.com> (github: crosbymichael)
2014-06-24 18:22:25 +00:00
func New() *libcontainer.Config {
container := &libcontainer.Config{
Make libcontainer's CapabilitiesMask into a []string (Capabilities). Docker-DCO-1.1-Signed-off-by: Victor Marmol <vmarmol@google.com> (github: vmarmol)
2014-05-17 00:44:10 +00:00
Capabilities: []string{
"CHOWN",
"DAC_OVERRIDE",
Don't drop CAP_FOWNER in the container. Also sorts the list of allowed capabilities. Docker-DCO-1.1-Signed-off-by: Victor Marmol <vmarmol@google.com> (github: vmarmol)
2014-05-19 16:45:52 +00:00
"FOWNER",
"MKNOD",
"NET_RAW",
"SETGID",
"SETUID",
native driver: Add required capabilities We need SETFCAP to be able to mark files as having caps, which is heavily used by fedora. See https://github.com/dotcloud/docker/issues/5928 We also need SETPCAP, for instance systemd needs this to set caps on its childen. Both of these are safe in the sense that they can never ever result in a process with a capability not in the bounding set of the container. We also add NET_BIND_SERVICE caps, to be able to bind to ports lower than 1024. Docker-DCO-1.1-Signed-off-by: Alexander Larsson <alexl@redhat.com> (github: alexlarsson)
2014-05-20 07:58:30 +00:00
"SETFCAP",
"SETPCAP",
"NET_BIND_SERVICE",
Add SYS_CHROOT cap to unprivileged containers Fixes #6103 Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-06-03 01:23:47 +00:00
"SYS_CHROOT",
Add CAP_KILL to unprivileged containers Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-06-07 22:18:18 +00:00
"KILL",
Initial commit of libcontainer running docker Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-02-22 01:11:57 +00:00
},
Improve libcontainer namespace and cap format Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-05-05 19:34:21 +00:00
Namespaces: map[string]bool{
"NEWNS": true,
"NEWUTS": true,
"NEWIPC": true,
"NEWPID": true,
"NEWNET": true,
Initial commit of libcontainer running docker Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-02-22 01:11:57 +00:00
},
Cgroups: &cgroups.Cgroup{
Refactor device handling code We now have one place that keeps track of (most) devices that are allowed and created within the container. That place is pkg/libcontainer/devices/devices.go This fixes several inconsistencies between which devices were created in the lxc backend and the native backend. It also fixes inconsistencies between wich devices were created and which were allowed. For example, /dev/full was being created but it was not allowed within the cgroup. It also declares the file modes and permissions of the default devices, rather than copying them from the host. This is in line with docker's philosphy of not being host dependent. Docker-DCO-1.1-Signed-off-by: Timothy Hobbs <timothyhobbs@seznam.cz> (github: https://github.com/timthelion)
2014-02-17 23:14:30 +00:00
Parent: "docker",
AllowAllDevices: false,
Initial commit of libcontainer running docker Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-02-22 01:11:57 +00:00
},
Update libcontainer references Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@docker.com> (github: crosbymichael)
2014-06-23 23:43:43 +00:00
MountConfig: &libcontainer.MountConfig{},
Context: make(map[string]string),
Initial commit of libcontainer running docker Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-02-22 01:11:57 +00:00
}
Update libcontainer references Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@docker.com> (github: crosbymichael)
2014-06-23 23:43:43 +00:00
Check for apparmor enabled on host to populate profile Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-09 10:22:17 +00:00
if apparmor.IsEnabled() {
container.Context["apparmor_profile"] = "docker-default"
}
Update libcontainer references Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@docker.com> (github: crosbymichael)
2014-06-23 23:43:43 +00:00
Fix configuration test for MKNOD Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-02 13:07:11 +00:00
return container
Initial commit of libcontainer running docker Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-02-22 01:11:57 +00:00
}