Merge pull request #5602 from crosbymichael/libcontainer-enable

Improve libcontainer namespace and cap format

daemon/execdriver/native/configuration/parse.go

@@ -2,12 +2,13 @@ package configuration
 
 import (
 	"fmt"
-	"github.com/dotcloud/docker/pkg/libcontainer"
-	"github.com/dotcloud/docker/utils"
 	"os/exec"
 	"path/filepath"
 	"strconv"
 	"strings"
+
+	"github.com/dotcloud/docker/pkg/libcontainer"
+	"github.com/dotcloud/docker/utils"
 )
 
 type Action func(*libcontainer.Container, interface{}, string) error
@@ -97,38 +98,22 @@ func memorySwap(container *libcontainer.Container, context interface{}, value st
 }
 
 func addCap(container *libcontainer.Container, context interface{}, value string) error {
-	c := container.CapabilitiesMask.Get(value)
+	container.CapabilitiesMask[value] = true
-	if c == nil {
-		return fmt.Errorf("%s is not a valid capability", value)
-	}
-	c.Enabled = true
 	return nil
 }
 
 func dropCap(container *libcontainer.Container, context interface{}, value string) error {
-	c := container.CapabilitiesMask.Get(value)
+	container.CapabilitiesMask[value] = false
-	if c == nil {
-		return fmt.Errorf("%s is not a valid capability", value)
-	}
-	c.Enabled = false
 	return nil
 }
 
 func addNamespace(container *libcontainer.Container, context interface{}, value string) error {
-	ns := container.Namespaces.Get(value)
+	container.Namespaces[value] = true
-	if ns == nil {
-		return fmt.Errorf("%s is not a valid namespace", value[1:])
-	}
-	ns.Enabled = true
 	return nil
 }
 
 func dropNamespace(container *libcontainer.Container, context interface{}, value string) error {
-	ns := container.Namespaces.Get(value)
+	container.Namespaces[value] = false
-	if ns == nil {
-		return fmt.Errorf("%s is not a valid namespace", value[1:])
-	}
-	ns.Enabled = false
 	return nil
 }
 

daemon/execdriver/native/configuration/parse_test.go

@@ -1,8 +1,9 @@
 package configuration
 
 import (
-	"github.com/dotcloud/docker/daemon/execdriver/native/template"
 	"testing"
+
+	"github.com/dotcloud/docker/daemon/execdriver/native/template"
 )
 
 func TestSetReadonlyRootFs(t *testing.T) {
@@ -38,10 +39,10 @@ func TestConfigurationsDoNotConflict(t *testing.T) {
 		t.Fatal(err)
 	}
 
-	if !container1.CapabilitiesMask.Get("NET_ADMIN").Enabled {
+	if !container1.CapabilitiesMask["NET_ADMIN"] {
 		t.Fatal("container one should have NET_ADMIN enabled")
 	}
-	if container2.CapabilitiesMask.Get("NET_ADMIN").Enabled {
+	if container2.CapabilitiesMask["NET_ADMIN"] {
 		t.Fatal("container two should not have NET_ADMIN enabled")
 	}
 }
@@ -137,10 +138,10 @@ func TestAddCap(t *testing.T) {
 		t.Fatal(err)
 	}
 
-	if !container.CapabilitiesMask.Get("MKNOD").Enabled {
+	if !container.CapabilitiesMask["MKNOD"] {
 		t.Fatal("container should have MKNOD enabled")
 	}
-	if !container.CapabilitiesMask.Get("SYS_ADMIN").Enabled {
+	if !container.CapabilitiesMask["SYS_ADMIN"] {
 		t.Fatal("container should have SYS_ADMIN enabled")
 	}
 }
@@ -153,14 +154,14 @@ func TestDropCap(t *testing.T) {
 		}
 	)
 	// enabled all caps like in privileged mode
-	for _, c := range container.CapabilitiesMask {
+	for key := range container.CapabilitiesMask {
-		c.Enabled = true
+		container.CapabilitiesMask[key] = true
 	}
 	if err := ParseConfiguration(container, nil, opts); err != nil {
 		t.Fatal(err)
 	}
 
-	if container.CapabilitiesMask.Get("MKNOD").Enabled {
+	if container.CapabilitiesMask["MKNOD"] {
 		t.Fatal("container should not have MKNOD enabled")
 	}
 }
@@ -176,7 +177,7 @@ func TestDropNamespace(t *testing.T) {
 		t.Fatal(err)
 	}
 
-	if container.Namespaces.Get("NEWNET").Enabled {
+	if container.Namespaces["NEWNET"] {
 		t.Fatal("container should not have NEWNET enabled")
 	}
 }

daemon/execdriver/native/create.go

@@ -79,8 +79,8 @@ func (d *driver) createNetwork(container *libcontainer.Container, c *execdriver.
 }
 
 func (d *driver) setPrivileged(container *libcontainer.Container) error {
-	for _, c := range container.CapabilitiesMask {
+	for key := range container.CapabilitiesMask {
-		c.Enabled = true
+		container.CapabilitiesMask[key] = true
 	}
 	container.Cgroups.DeviceAccess = true
 

daemon/execdriver/native/template/default_template.go

@@ -9,30 +9,30 @@ import (
 // New returns the docker default configuration for libcontainer
 func New() *libcontainer.Container {
 	container := &libcontainer.Container{
-		CapabilitiesMask: libcontainer.Capabilities{
+		CapabilitiesMask: map[string]bool{
-			libcontainer.GetCapability("SETPCAP"),
+			"SETPCAP":        false,
-			libcontainer.GetCapability("SYS_MODULE"),
+			"SYS_MODULE":     false,
-			libcontainer.GetCapability("SYS_RAWIO"),
+			"SYS_RAWIO":      false,
-			libcontainer.GetCapability("SYS_PACCT"),
+			"SYS_PACCT":      false,
-			libcontainer.GetCapability("SYS_ADMIN"),
+			"SYS_ADMIN":      false,
-			libcontainer.GetCapability("SYS_NICE"),
+			"SYS_NICE":       false,
-			libcontainer.GetCapability("SYS_RESOURCE"),
+			"SYS_RESOURCE":   false,
-			libcontainer.GetCapability("SYS_TIME"),
+			"SYS_TIME":       false,
-			libcontainer.GetCapability("SYS_TTY_CONFIG"),
+			"SYS_TTY_CONFIG": false,
-			libcontainer.GetCapability("AUDIT_WRITE"),
+			"AUDIT_WRITE":    false,
-			libcontainer.GetCapability("AUDIT_CONTROL"),
+			"AUDIT_CONTROL":  false,
-			libcontainer.GetCapability("MAC_OVERRIDE"),
+			"MAC_OVERRIDE":   false,
-			libcontainer.GetCapability("MAC_ADMIN"),
+			"MAC_ADMIN":      false,
-			libcontainer.GetCapability("NET_ADMIN"),
+			"NET_ADMIN":      false,
-			libcontainer.GetCapability("MKNOD"),
+			"MKNOD":          true,
-			libcontainer.GetCapability("SYSLOG"),
+			"SYSLOG":         false,
 		},
-		Namespaces: libcontainer.Namespaces{
+		Namespaces: map[string]bool{
-			libcontainer.GetNamespace("NEWNS"),
+			"NEWNS":  true,
-			libcontainer.GetNamespace("NEWUTS"),
+			"NEWUTS": true,
-			libcontainer.GetNamespace("NEWIPC"),
+			"NEWIPC": true,
-			libcontainer.GetNamespace("NEWPID"),
+			"NEWPID": true,
-			libcontainer.GetNamespace("NEWNET"),
+			"NEWNET": true,
 		},
 		Cgroups: &cgroups.Cgroup{
 			Parent:       "docker",
@@ -40,7 +40,6 @@ func New() *libcontainer.Container {
 		},
 		Context: libcontainer.Context{},
 	}
-	container.CapabilitiesMask.Get("MKNOD").Enabled = true
 	if apparmor.IsEnabled() {
 		container.Context["apparmor_profile"] = "docker-default"
 	}

pkg/libcontainer/container.go

@@ -18,8 +18,8 @@ type Container struct {
 	WorkingDir       string          `json:"working_dir,omitempty"`       // current working directory
 	Env              []string        `json:"environment,omitempty"`       // environment to set
 	Tty              bool            `json:"tty,omitempty"`               // setup a proper tty or not
-	Namespaces       Namespaces      `json:"namespaces,omitempty"`        // namespaces to apply
+	Namespaces       map[string]bool `json:"namespaces,omitempty"`        // namespaces to apply
-	CapabilitiesMask Capabilities    `json:"capabilities_mask,omitempty"` // capabilities to drop
+	CapabilitiesMask map[string]bool `json:"capabilities_mask,omitempty"` // capabilities to drop
 	Networks         []*Network      `json:"networks,omitempty"`          // nil for host's network stack
 	Cgroups          *cgroups.Cgroup `json:"cgroups,omitempty"`           // cgroups
 	Context          Context         `json:"context,omitempty"`           // generic context for specific options (apparmor, selinux)

pkg/libcontainer/container.json

@@ -1,151 +1,62 @@
 {
-   "mounts" : [
+  "namespaces": {
-      {
+    "NEWNET": true,
-         "type" : "devtmpfs"
+    "NEWPID": true,
-      }
+    "NEWIPC": true,
-   ],
+    "NEWUTS": true,
-   "tty" : true,
+    "NEWNS": true
-   "environment" : [
+  },
-      "HOME=/",
+  "networks": [
-      "PATH=PATH=$PATH:/bin:/usr/bin:/sbin:/usr/sbin",
+    {
-      "container=docker",
+      "gateway": "localhost",
-      "TERM=xterm-256color"
+      "type": "loopback",
-   ],
+      "address": "127.0.0.1/0",
-   "hostname" : "koye",
+      "mtu": 1500
-   "cgroups" : {
+    },
-      "parent" : "docker",
+    {
-      "name" : "docker-koye"
+      "gateway": "172.17.42.1",
-   },
+      "context": {
-   "capabilities_mask" : [
+        "prefix": "veth",
-      {
+        "bridge": "docker0"
-         "value" : 8,
-         "key" : "SETPCAP",
-         "enabled" : false
       },
-      {
+      "type": "veth",
-         "enabled" : false,
+      "address": "172.17.42.2/16",
-         "value" : 16,
+      "mtu": 1500
-         "key" : "SYS_MODULE"
+    }
-      },
+  ],
-      {
+  "capabilities_mask": {
-         "value" : 17,
+    "SYSLOG": false,
-         "key" : "SYS_RAWIO",
+    "MKNOD": true,
-         "enabled" : false
+    "NET_ADMIN": false,
-      },
+    "MAC_ADMIN": false,
-      {
+    "MAC_OVERRIDE": false,
-         "key" : "SYS_PACCT",
+    "AUDIT_CONTROL": false,
-         "value" : 20,
+    "AUDIT_WRITE": false,
-         "enabled" : false
+    "SYS_TTY_CONFIG": false,
-      },
+    "SETPCAP": false,
-      {
+    "SYS_MODULE": false,
-         "value" : 21,
+    "SYS_RAWIO": false,
-         "key" : "SYS_ADMIN",
+    "SYS_PACCT": false,
-         "enabled" : false
+    "SYS_ADMIN": false,
-      },
+    "SYS_NICE": false,
-      {
+    "SYS_RESOURCE": false,
-         "value" : 23,
+    "SYS_TIME": false
-         "key" : "SYS_NICE",
+  },
-         "enabled" : false
+  "cgroups": {
-      },
+    "name": "docker-koye",
-      {
+    "parent": "docker"
-         "value" : 24,
+  },
-         "key" : "SYS_RESOURCE",
+  "hostname": "koye",
-         "enabled" : false
+  "environment": [
-      },
+    "HOME=/",
-      {
+    "PATH=PATH=$PATH:/bin:/usr/bin:/sbin:/usr/sbin",
-         "key" : "SYS_TIME",
+    "container=docker",
-         "value" : 25,
+    "TERM=xterm-256color"
-         "enabled" : false
+  ],
-      },
+  "tty": true,
-      {
+  "mounts": [
-         "enabled" : false,
+    {
-         "value" : 26,
+      "type": "devtmpfs"
-         "key" : "SYS_TTY_CONFIG"
+    }
-      },
+  ]
-      {
-         "key" : "AUDIT_WRITE",
-         "value" : 29,
-         "enabled" : false
-      },
-      {
-         "value" : 30,
-         "key" : "AUDIT_CONTROL",
-         "enabled" : false
-      },
-      {
-         "enabled" : false,
-         "key" : "MAC_OVERRIDE",
-         "value" : 32
-      },
-      {
-         "enabled" : false,
-         "key" : "MAC_ADMIN",
-         "value" : 33
-      },
-      {
-         "key" : "NET_ADMIN",
-         "value" : 12,
-         "enabled" : false
-      },
-      {
-         "value" : 27,
-         "key" : "MKNOD",
-         "enabled" : true
-      },
-      {
-         "value" : 34,
-         "key" : "SYSLOG",
-         "enabled" : false
-      }
-   ],
-   "networks" : [
-      {
-         "mtu" : 1500,
-         "address" : "127.0.0.1/0",
-         "type" : "loopback",
-         "gateway" : "localhost"
-      },
-      {
-         "mtu" : 1500,
-         "address" : "172.17.42.2/16",
-         "type" : "veth",
-         "context" : {
-            "bridge" : "docker0",
-            "prefix" : "veth"
-         },
-         "gateway" : "172.17.42.1"
-      }
-   ],
-   "namespaces" : [
-      {
-         "key" : "NEWNS",
-         "value" : 131072,
-         "enabled" : true,
-         "file" : "mnt"
-      },
-      {
-         "key" : "NEWUTS",
-         "value" : 67108864,
-         "enabled" : true,
-         "file" : "uts"
-      },
-      {
-         "enabled" : true,
-         "file" : "ipc",
-         "key" : "NEWIPC",
-         "value" : 134217728
-      },
-      {
-         "file" : "pid",
-         "enabled" : true,
-         "value" : 536870912,
-         "key" : "NEWPID"
-      },
-      {
-         "enabled" : true,
-         "file" : "net",
-         "key" : "NEWNET",
-         "value" : 1073741824
-      }
-   ]
 }

pkg/libcontainer/container_test.go

@@ -15,7 +15,7 @@ func TestContainerJsonFormat(t *testing.T) {
 
 	var container *Container
 	if err := json.NewDecoder(f).Decode(&container); err != nil {
-		t.Fatal("failed to decode container config")
+		t.Fatalf("failed to decode container config: %s", err)
 	}
 	if container.Hostname != "koye" {
 		t.Log("hostname is not set")
@@ -27,32 +27,32 @@ func TestContainerJsonFormat(t *testing.T) {
 		t.Fail()
 	}
 
-	if !container.Namespaces.Contains("NEWNET") {
+	if !container.Namespaces["NEWNET"] {
 		t.Log("namespaces should contain NEWNET")
 		t.Fail()
 	}
 
-	if container.Namespaces.Contains("NEWUSER") {
+	if container.Namespaces["NEWUSER"] {
 		t.Log("namespaces should not contain NEWUSER")
 		t.Fail()
 	}
 
-	if !container.CapabilitiesMask.Contains("SYS_ADMIN") {
+	if _, exists := container.CapabilitiesMask["SYS_ADMIN"]; !exists {
 		t.Log("capabilities mask should contain SYS_ADMIN")
 		t.Fail()
 	}
 
-	if container.CapabilitiesMask.Get("SYS_ADMIN").Enabled {
+	if container.CapabilitiesMask["SYS_ADMIN"] {
 		t.Log("SYS_ADMIN should not be enabled in capabilities mask")
 		t.Fail()
 	}
 
-	if !container.CapabilitiesMask.Get("MKNOD").Enabled {
+	if !container.CapabilitiesMask["MKNOD"] {
 		t.Log("MKNOD should be enabled in capabilities mask")
 		t.Fail()
 	}
 
-	if container.CapabilitiesMask.Contains("SYS_CHROOT") {
+	if container.CapabilitiesMask["SYS_CHROOT"] {
 		t.Log("capabilities mask should not contain SYS_CHROOT")
 		t.Fail()
 	}

pkg/libcontainer/nsinit/exec.go

@@ -159,10 +159,12 @@ func InitializeNetworking(container *libcontainer.Container, nspid int, pipe *Sy
 
 // GetNamespaceFlags parses the container's Namespaces options to set the correct
 // flags on clone, unshare, and setns
-func GetNamespaceFlags(namespaces libcontainer.Namespaces) (flag int) {
+func GetNamespaceFlags(namespaces map[string]bool) (flag int) {
-	for _, ns := range namespaces {
+	for key, enabled := range namespaces {
-		if ns.Enabled {
+		if enabled {
-			flag |= ns.Value
+			if ns := libcontainer.GetNamespace(key); ns != nil {
+				flag |= ns.Value
+			}
 		}
 	}
 	return flag

pkg/libcontainer/nsinit/execin.go

@@ -23,11 +23,13 @@ func ExecIn(container *libcontainer.Container, nspid int, args []string) (int, e
 		return -1, err
 	}
 
-	for _, nsv := range container.Namespaces {
+	for key, enabled := range container.Namespaces {
 		// skip the PID namespace on unshare because it it not supported
-		if nsv.Enabled && nsv.Key != "NEWPID" {
+		if enabled && key != "NEWPID" {
-			if err := system.Unshare(nsv.Value); err != nil {
+			if ns := libcontainer.GetNamespace(key); ns != nil {
-				return -1, err
+				if err := system.Unshare(ns.Value); err != nil {
+					return -1, err
+				}
 			}
 		}
 	}
@@ -59,7 +61,7 @@ func ExecIn(container *libcontainer.Container, nspid int, args []string) (int, e
 
 	// if the container has a new pid and mount namespace we need to
 	// remount proc and sys to pick up the changes
-	if container.Namespaces.Contains("NEWNS") && container.Namespaces.Contains("NEWPID") {
+	if container.Namespaces["NEWNS"] && container.Namespaces["NEWPID"] {
 		pid, err := system.Fork()
 		if err != nil {
 			return -1, err
@@ -102,13 +104,18 @@ dropAndExec:
 }
 
 func getNsFds(pid int, container *libcontainer.Container) ([]uintptr, error) {
-	fds := make([]uintptr, len(container.Namespaces))
+	fds := []uintptr{}
-	for i, ns := range container.Namespaces {
+
-		f, err := os.OpenFile(filepath.Join("/proc/", strconv.Itoa(pid), "ns", ns.File), os.O_RDONLY, 0)
+	for key, enabled := range container.Namespaces {
-		if err != nil {
+		if enabled {
-			return fds, err
+			if ns := libcontainer.GetNamespace(key); ns != nil {
+				f, err := os.OpenFile(filepath.Join("/proc/", strconv.Itoa(pid), "ns", ns.File), os.O_RDONLY, 0)
+				if err != nil {
+					return fds, err
+				}
+				fds = append(fds, f.Fd())
+			}
 		}
-		fds[i] = f.Fd()
 	}
 	return fds, nil
 }

pkg/libcontainer/nsinit/unsupported.go

@@ -23,6 +23,6 @@ func SetupCgroups(container *libcontainer.Container, nspid int) (cgroups.ActiveC
 	return nil, libcontainer.ErrUnsupported
 }
 
-func GetNamespaceFlags(namespaces libcontainer.Namespaces) (flag int) {
+func GetNamespaceFlags(namespaces map[string]bool) (flag int) {
 	return 0
 }

pkg/libcontainer/security/capabilities/capabilities.go

@@ -1,9 +1,10 @@
 package capabilities
 
 import (
+	"os"
+
 	"github.com/dotcloud/docker/pkg/libcontainer"
 	"github.com/syndtr/gocapability/capability"
-	"os"
 )
 
 // DropCapabilities drops capabilities for the current process based
@@ -26,9 +27,11 @@ func DropCapabilities(container *libcontainer.Container) error {
 // getCapabilitiesMask returns the specific cap mask values for the libcontainer types
 func getCapabilitiesMask(container *libcontainer.Container) []capability.Cap {
 	drop := []capability.Cap{}
-	for _, c := range container.CapabilitiesMask {
+	for key, enabled := range container.CapabilitiesMask {
-		if !c.Enabled {
+		if !enabled {
-			drop = append(drop, c.Value)
+			if c := libcontainer.GetCapability(key); c != nil {
+				drop = append(drop, c.Value)
+			}
 		}
 	}
 	return drop

pkg/libcontainer/types.go

@@ -2,6 +2,7 @@ package libcontainer
 
 import (
 	"errors"
+
 	"github.com/syndtr/gocapability/capability"
 )
 
@@ -38,31 +39,30 @@ var (
 	namespaceList = Namespaces{}
 
 	capabilityList = Capabilities{
-		{Key: "SETPCAP", Value: capability.CAP_SETPCAP, Enabled: false},
+		{Key: "SETPCAP", Value: capability.CAP_SETPCAP},
-		{Key: "SYS_MODULE", Value: capability.CAP_SYS_MODULE, Enabled: false},
+		{Key: "SYS_MODULE", Value: capability.CAP_SYS_MODULE},
-		{Key: "SYS_RAWIO", Value: capability.CAP_SYS_RAWIO, Enabled: false},
+		{Key: "SYS_RAWIO", Value: capability.CAP_SYS_RAWIO},
-		{Key: "SYS_PACCT", Value: capability.CAP_SYS_PACCT, Enabled: false},
+		{Key: "SYS_PACCT", Value: capability.CAP_SYS_PACCT},
-		{Key: "SYS_ADMIN", Value: capability.CAP_SYS_ADMIN, Enabled: false},
+		{Key: "SYS_ADMIN", Value: capability.CAP_SYS_ADMIN},
-		{Key: "SYS_NICE", Value: capability.CAP_SYS_NICE, Enabled: false},
+		{Key: "SYS_NICE", Value: capability.CAP_SYS_NICE},
-		{Key: "SYS_RESOURCE", Value: capability.CAP_SYS_RESOURCE, Enabled: false},
+		{Key: "SYS_RESOURCE", Value: capability.CAP_SYS_RESOURCE},
-		{Key: "SYS_TIME", Value: capability.CAP_SYS_TIME, Enabled: false},
+		{Key: "SYS_TIME", Value: capability.CAP_SYS_TIME},
-		{Key: "SYS_TTY_CONFIG", Value: capability.CAP_SYS_TTY_CONFIG, Enabled: false},
+		{Key: "SYS_TTY_CONFIG", Value: capability.CAP_SYS_TTY_CONFIG},
-		{Key: "MKNOD", Value: capability.CAP_MKNOD, Enabled: false},
+		{Key: "MKNOD", Value: capability.CAP_MKNOD},
-		{Key: "AUDIT_WRITE", Value: capability.CAP_AUDIT_WRITE, Enabled: false},
+		{Key: "AUDIT_WRITE", Value: capability.CAP_AUDIT_WRITE},
-		{Key: "AUDIT_CONTROL", Value: capability.CAP_AUDIT_CONTROL, Enabled: false},
+		{Key: "AUDIT_CONTROL", Value: capability.CAP_AUDIT_CONTROL},
-		{Key: "MAC_OVERRIDE", Value: capability.CAP_MAC_OVERRIDE, Enabled: false},
+		{Key: "MAC_OVERRIDE", Value: capability.CAP_MAC_OVERRIDE},
-		{Key: "MAC_ADMIN", Value: capability.CAP_MAC_ADMIN, Enabled: false},
+		{Key: "MAC_ADMIN", Value: capability.CAP_MAC_ADMIN},
-		{Key: "NET_ADMIN", Value: capability.CAP_NET_ADMIN, Enabled: false},
+		{Key: "NET_ADMIN", Value: capability.CAP_NET_ADMIN},
-		{Key: "SYSLOG", Value: capability.CAP_SYSLOG, Enabled: false},
+		{Key: "SYSLOG", Value: capability.CAP_SYSLOG},
 	}
 )
 
 type (
 	Namespace struct {
-		Key     string `json:"key,omitempty"`
+		Key   string `json:"key,omitempty"`
-		Enabled bool   `json:"enabled,omitempty"`
+		Value int    `json:"value,omitempty"`
-		Value   int    `json:"value,omitempty"`
+		File  string `json:"file,omitempty"`
-		File    string `json:"file,omitempty"`
 	}
 	Namespaces []*Namespace
 )
@@ -98,9 +98,8 @@ func (n Namespaces) Get(ns string) *Namespace {
 
 type (
 	Capability struct {
-		Key     string         `json:"key,omitempty"`
+		Key   string         `json:"key,omitempty"`
-		Enabled bool           `json:"enabled"`
+		Value capability.Cap `json:"value,omitempty"`
-		Value   capability.Cap `json:"value,omitempty"`
 	}
 	Capabilities []*Capability
 )

pkg/libcontainer/types_linux.go

@@ -6,11 +6,11 @@ import (
 
 func init() {
 	namespaceList = Namespaces{
-		{Key: "NEWNS", Value: syscall.CLONE_NEWNS, File: "mnt", Enabled: true},
+		{Key: "NEWNS", Value: syscall.CLONE_NEWNS, File: "mnt"},
-		{Key: "NEWUTS", Value: syscall.CLONE_NEWUTS, File: "uts", Enabled: true},
+		{Key: "NEWUTS", Value: syscall.CLONE_NEWUTS, File: "uts"},
-		{Key: "NEWIPC", Value: syscall.CLONE_NEWIPC, File: "ipc", Enabled: true},
+		{Key: "NEWIPC", Value: syscall.CLONE_NEWIPC, File: "ipc"},
-		{Key: "NEWUSER", Value: syscall.CLONE_NEWUSER, File: "user", Enabled: true},
+		{Key: "NEWUSER", Value: syscall.CLONE_NEWUSER, File: "user"},
-		{Key: "NEWPID", Value: syscall.CLONE_NEWPID, File: "pid", Enabled: true},
+		{Key: "NEWPID", Value: syscall.CLONE_NEWPID, File: "pid"},
-		{Key: "NEWNET", Value: syscall.CLONE_NEWNET, File: "net", Enabled: true},
+		{Key: "NEWNET", Value: syscall.CLONE_NEWNET, File: "net"},
 	}
 }