package docker
import (
"text/template"
)
// LxcTemplate is the text/template source for the per-container LXC
// configuration. It is executed with a *Container as "." (the
// getHostConfig/getCapabilities helpers registered in init() take that
// type) and is parsed once into LxcTemplateCompiled.
//
// Security shape of the rendered config:
//   - text/template performs no escaping: every {{...}} value (hostname,
//     bridge/IP, rootfs and bind-mount paths, LxcConf keys and values) is
//     written into the config verbatim, so any validation of those values
//     has to happen before the template is executed.
//   - Non-privileged containers get "lxc.cgroup.devices.deny = a" followed
//     by an explicit device allow list and a fixed lxc.cap.drop set; the
//     Privileged branch instead allows all devices, drops no capabilities
//     and, when the runtime reports AppArmor, sets lxc.aa_profile to
//     unconfined.
//   - proc, sysfs, devpts and /dev/shm are mounted with nosuid/noexec
//     (all but devpts also nodev); the inline WARNING comments about procfs
//     and sysfs are deliberate and still apply.
//   - Host files (.dockerinit, .dockerenv, resolv.conf, hostname, hosts) are
//     bind-mounted read-only; volumes are rw only where .VolumesRW says so.
//   - HostConfig.LxcConf pairs are emitted last as raw "key = value" lines,
//     so they can add to or override any directive above them; treat that
//     field as trusted, operator-level input.
const LxcTemplate = `
# hostname
{{if .Config.Hostname}}
lxc.utsname = {{.Config.Hostname}}
{{else}}
lxc.utsname = {{.Id}}
{{end}}

{{if .Config.NetworkDisabled}}
# network is disabled (-n=false)
lxc.network.type = empty
{{else}}
# network configuration
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = {{.NetworkSettings.Bridge}}
lxc.network.name = eth0
lxc.network.mtu = 1500
lxc.network.ipv4 = {{.NetworkSettings.IPAddress}}/{{.NetworkSettings.IPPrefixLen}}
{{end}}

# root filesystem
{{$ROOTFS := .RootfsPath}}
lxc.rootfs = {{$ROOTFS}}

{{if and .HostnamePath .HostsPath}}
# enable domain name support
lxc.mount.entry = {{.HostnamePath}} {{$ROOTFS}}/etc/hostname none bind,ro 0 0
lxc.mount.entry = {{.HostsPath}} {{$ROOTFS}}/etc/hosts none bind,ro 0 0
{{end}}

# use a dedicated pts for the container (and limit the number of pseudo terminal
# available)
lxc.pts = 1024

# disable the main console
lxc.console = none

# no controlling tty at all
lxc.tty = 1

{{if (getHostConfig .).Privileged}}
lxc.cgroup.devices.allow = a
{{else}}
# no implicit access to devices
lxc.cgroup.devices.deny = a

# /dev/null and zero
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm

# consoles
lxc.cgroup.devices.allow = c 5:1 rwm
lxc.cgroup.devices.allow = c 5:0 rwm
lxc.cgroup.devices.allow = c 4:0 rwm
lxc.cgroup.devices.allow = c 4:1 rwm

# /dev/urandom,/dev/random
lxc.cgroup.devices.allow = c 1:9 rwm
lxc.cgroup.devices.allow = c 1:8 rwm

# /dev/pts/ - pts namespaces are "coming soon"
lxc.cgroup.devices.allow = c 136:* rwm
lxc.cgroup.devices.allow = c 5:2 rwm

# tuntap
lxc.cgroup.devices.allow = c 10:200 rwm

# fuse
#lxc.cgroup.devices.allow = c 10:229 rwm

# rtc
#lxc.cgroup.devices.allow = c 254:0 rwm
{{end}}

# standard mount point
# Use mnt.putold as per https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/986385
lxc.pivotdir = lxc_putold
# WARNING: procfs is a known attack vector and should probably be disabled
# if your userspace allows it. eg. see http://blog.zx2c4.com/749
lxc.mount.entry = proc {{$ROOTFS}}/proc proc nosuid,nodev,noexec 0 0
# WARNING: sysfs is a known attack vector and should probably be disabled
# if your userspace allows it. eg. see http://bit.ly/T9CkqJ
lxc.mount.entry = sysfs {{$ROOTFS}}/sys sysfs nosuid,nodev,noexec 0 0
lxc.mount.entry = devpts {{$ROOTFS}}/dev/pts devpts newinstance,ptmxmode=0666,nosuid,noexec 0 0
#lxc.mount.entry = varrun {{$ROOTFS}}/var/run tmpfs mode=755,size=4096k,nosuid,nodev,noexec 0 0
#lxc.mount.entry = varlock {{$ROOTFS}}/var/lock tmpfs size=1024k,nosuid,nodev,noexec 0 0
lxc.mount.entry = shm {{$ROOTFS}}/dev/shm tmpfs size=65536k,nosuid,nodev,noexec 0 0

# Inject dockerinit
lxc.mount.entry = {{.SysInitPath}} {{$ROOTFS}}/.dockerinit none bind,ro 0 0

# Inject env
lxc.mount.entry = {{.EnvConfigPath}} {{$ROOTFS}}/.dockerenv none bind,ro 0 0

# In order to get a working DNS environment, mount bind (ro) the host's /etc/resolv.conf into the container
lxc.mount.entry = {{.ResolvConfPath}} {{$ROOTFS}}/etc/resolv.conf none bind,ro 0 0
{{if .Volumes}}
{{ $rw := .VolumesRW }}
{{range $virtualPath, $realPath := .Volumes}}
lxc.mount.entry = {{$realPath}} {{$ROOTFS}}/{{$virtualPath}} none bind,{{ if index $rw $virtualPath }}rw{{else}}ro{{end}} 0 0
{{end}}
{{end}}

{{if (getHostConfig .).Privileged}}
# retain all capabilities; no lxc.cap.drop line
{{if (getCapabilities .).AppArmor}}
lxc.aa_profile = unconfined
{{else}}
#lxc.aa_profile = unconfined
{{end}}
{{else}}
# drop linux capabilities (apply mainly to the user root in the container)
# (Note: 'lxc.cap.keep' is coming soon and should replace this under the
# security principle 'deny all unless explicitly permitted', see
# http://sourceforge.net/mailarchive/message.php?msg_id=31054627 )
lxc.cap.drop = audit_control audit_write mac_admin mac_override mknod setpcap sys_admin sys_module sys_nice sys_pacct sys_rawio sys_resource sys_time sys_tty_config
{{end}}

# limits
{{if .Config.Memory}}
lxc.cgroup.memory.limit_in_bytes = {{.Config.Memory}}
lxc.cgroup.memory.soft_limit_in_bytes = {{.Config.Memory}}
{{with $memSwap := getMemorySwap .Config}}
lxc.cgroup.memory.memsw.limit_in_bytes = {{$memSwap}}
{{end}}
{{end}}
{{if .Config.CpuShares}}
lxc.cgroup.cpu.shares = {{.Config.CpuShares}}
{{end}}

{{if (getHostConfig .).LxcConf}}
{{range $pair := (getHostConfig .).LxcConf}}
{{$pair.Key}} = {{$pair.Value}}
{{end}}
{{end}}
`
// LxcTemplateCompiled is LxcTemplate parsed with the helper FuncMap
// ("getMemorySwap", "getHostConfig", "getCapabilities"). It is assigned by
// init(), which panics if the template does not parse, so it is non-nil
// whenever the package has loaded successfully.
var LxcTemplateCompiled *template.Template
// getMemorySwap returns the value used for
// lxc.cgroup.memory.memsw.limit_in_bytes (memory + swap, cgroup v1).
//
// A negative config.MemorySwap means "no swap limit" and yields 0, which the
// template's {{with}} block treats as false, so the memsw line is omitted.
// Any non-negative MemorySwap value is NOT used as the limit: the ceiling is
// always twice config.Memory, i.e. RAM plus an equal amount of swap.
func getMemorySwap(config *Config) int64 {
	noSwapLimit := config.MemorySwap < 0
	if noSwapLimit {
		return 0
	}
	return 2 * config.Memory
}
// getHostConfig exposes the container's unexported hostConfig field to the
// LXC template (text/template cannot read unexported fields through "."),
// which uses it to decide Privileged mode and to emit LxcConf lines.
//
// NOTE(review): the template dereferences the result directly
// ((getHostConfig .).Privileged), so a nil hostConfig would surface as a
// template execution error rather than as the non-privileged defaults;
// confirm every code path that renders the template has set it.
func getHostConfig(container *Container) *HostConfig {
	hostConfig := container.hostConfig
	return hostConfig
}
// getCapabilities exposes the runtime's unexported capabilities to the LXC
// template, which reads .AppArmor to decide whether a privileged container
// gets "lxc.aa_profile = unconfined". Like getHostConfig it is only reachable
// from the template through the FuncMap registered in init().
func getCapabilities(container *Container) *Capabilities {
	runtime := container.runtime
	return runtime.capabilities
}
// init parses LxcTemplate once at package load into LxcTemplateCompiled.
// The three helpers registered in the FuncMap are what let the template read
// the unexported hostConfig and runtime.capabilities fields and compute the
// swap ceiling; a parse failure is a defect in the constant itself, so the
// process aborts rather than running without a container config template.
func init() {
	helpers := template.FuncMap{
		"getMemorySwap":   getMemorySwap,
		"getHostConfig":   getHostConfig,
		"getCapabilities": getCapabilities,
	}
	// template.Must panics with the parse error, matching the explicit
	// err != nil / panic(err) check this replaces.
	LxcTemplateCompiled = template.Must(template.New("lxc").Funcs(helpers).Parse(LxcTemplate))
}