Merge pull request #38342 from crosbymichael/oci-refactor
Move caps and device spec utils to `oci` pkg
This commit is contained in:
commit
62d80835ab
5 changed files with 20 additions and 18 deletions
@ -2,8 +2,8 @@ package daemon // import "github.com/docker/docker/daemon"
|
|||
|
||||
import (
|
||||
"github.com/docker/docker/container"
|
||||
"github.com/docker/docker/daemon/caps"
|
||||
"github.com/docker/docker/daemon/exec"
|
||||
"github.com/docker/docker/oci/caps"
|
||||
"github.com/opencontainers/runc/libcontainer/apparmor"
|
||||
"github.com/opencontainers/runtime-spec/specs-go"
|
||||
)
|
||||
@ -113,7 +113,7 @@ func setDevices(s *specs.Spec, c *container.Container) error {
|
|||
}
|
||||
|
||||
var err error
|
||||
devPermissions, err = appendDevicePermissionsFromCgroupRules(devPermissions, c.HostConfig.DeviceCgroupRules)
|
||||
devPermissions, err = oci.AppendDevicePermissionsFromCgroupRules(devPermissions, c.HostConfig.DeviceCgroupRules)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
@ -762,7 +762,7 @@ func (daemon *Daemon) createSpec(c *container.Container) (retSpec *specs.Spec, e
|
|||
if err := setNamespaces(daemon, &s, c); err != nil {
|
||||
return nil, fmt.Errorf("linux spec namespaces: %v", err)
|
||||
}
|
||||
if err := setCapabilities(&s, c); err != nil {
|
||||
if err := oci.SetCapabilities(&s, c.HostConfig.CapAdd, c.HostConfig.CapDrop, c.HostConfig.Privileged); err != nil {
|
||||
return nil, fmt.Errorf("linux spec capabilities: %v", err)
|
||||
}
|
||||
if err := setSeccomp(daemon, &s, c); err != nil {
|
||||
@ -368,10 +368,10 @@ func (daemon *Daemon) createSpecLinuxFields(c *container.Container, s *specs.Spe
|
|||
}
|
||||
s.Root.Path = "rootfs"
|
||||
s.Root.Readonly = c.HostConfig.ReadonlyRootfs
|
||||
if err := setCapabilities(s, c); err != nil {
|
||||
if err := oci.SetCapabilities(s, c.HostConfig.CapAdd, c.HostConfig.CapDrop, c.HostConfig.Privileged); err != nil {
|
||||
return fmt.Errorf("linux spec capabilities: %v", err)
|
||||
}
|
||||
devPermissions, err := appendDevicePermissionsFromCgroupRules(nil, c.HostConfig.DeviceCgroupRules)
|
||||
devPermissions, err := oci.AppendDevicePermissionsFromCgroupRules(nil, c.HostConfig.DeviceCgroupRules)
|
||||
if err != nil {
|
||||
return fmt.Errorf("linux runtime spec devices: %v", err)
|
||||
}
|
||||
@ -1,4 +1,4 @@
|
|||
package caps // import "github.com/docker/docker/daemon/caps"
|
||||
package caps // import "github.com/docker/docker/oci/caps"
|
||||
|
||||
import (
|
||||
"fmt"
@ -1,27 +1,28 @@
|
|||
package daemon // import "github.com/docker/docker/daemon"
|
||||
package oci // import "github.com/docker/docker/oci"
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"regexp"
|
||||
"strconv"
|
||||
|
||||
"github.com/docker/docker/container"
|
||||
"github.com/docker/docker/daemon/caps"
|
||||
"github.com/docker/docker/oci/caps"
|
||||
specs "github.com/opencontainers/runtime-spec/specs-go"
|
||||
)
|
||||
|
||||
// nolint: gosimple
|
||||
var (
|
||||
deviceCgroupRuleRegex = regexp.MustCompile("^([acb]) ([0-9]+|\\*):([0-9]+|\\*) ([rwm]{1,3})$")
|
||||
)
|
||||
var deviceCgroupRuleRegex = regexp.MustCompile("^([acb]) ([0-9]+|\\*):([0-9]+|\\*) ([rwm]{1,3})$")
|
||||
|
||||
func setCapabilities(s *specs.Spec, c *container.Container) error {
|
||||
var caplist []string
|
||||
var err error
|
||||
if c.HostConfig.Privileged {
|
||||
// SetCapabilities sets the provided capabilities on the spec
|
||||
// All capabilities are added if privileged is true
|
||||
func SetCapabilities(s *specs.Spec, add, drop []string, privileged bool) error {
|
||||
var (
|
||||
caplist []string
|
||||
err error
|
||||
)
|
||||
if privileged {
|
||||
caplist = caps.GetAllCapabilities()
|
||||
} else {
|
||||
caplist, err = caps.TweakCapabilities(s.Process.Capabilities.Bounding, c.HostConfig.CapAdd, c.HostConfig.CapDrop)
|
||||
caplist, err = caps.TweakCapabilities(s.Process.Capabilities.Bounding, add, drop)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
@ -39,7 +40,8 @@ func setCapabilities(s *specs.Spec, c *container.Container) error {
|
|||
return nil
|
||||
}
|
||||
|
||||
func appendDevicePermissionsFromCgroupRules(devPermissions []specs.LinuxDeviceCgroup, rules []string) ([]specs.LinuxDeviceCgroup, error) {
|
||||
// AppendDevicePermissionsFromCgroupRules takes rules for the devices cgroup to append to the default set
|
||||
func AppendDevicePermissionsFromCgroupRules(devPermissions []specs.LinuxDeviceCgroup, rules []string) ([]specs.LinuxDeviceCgroup, error) {
|
||||
for _, deviceCgroupRule := range rules {
|
||||
ss := deviceCgroupRuleRegex.FindAllStringSubmatch(deviceCgroupRule, -1)
|
||||
if len(ss[0]) != 5 {
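Review bot: `AppendDevicePermissionsFromCgroupRules` indexes `ss[0]` without first checking that the regex matched at all; `FindAllStringSubmatch` returns nil when a rule does not match `deviceCgroupRuleRegex`, so a malformed rule string panics with an index-out-of-range rather than reaching the error path that follows. Now that the function is exported from `oci`, callers outside the daemon may not pre-validate rule strings the way the daemon's option parsing presumably does, so the guard should be `if len(ss) == 0 || len(ss[0]) != 5 {`. The body of the function continues past the end of the hunk. The first hunk in this file has a related gap: `SetCapabilities` dereferences `s.Process.Capabilities.Bounding` on the non-privileged path, so its new doc comment should state the precondition, e.g. `// s.Process and s.Process.Capabilities must be non-nil.`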
|