kotovalexarian-likes-github/moby--moby
1
0
Fork 0
mirror of https://github.com/moby/moby.git synced 2022-11-09 12:21:53 -05:00
Code Releases Activity

plugins: misc fixes

Browse source 
Rename variable to reflect manifest -> config renaming
Populate Description fields when computing privileges.
Refactor/reuse code from daemon/oci_linux.go

Signed-off-by: Tibor Vass <tibor@docker.com>
This commit is contained in:
Tibor Vass 2016-11-22 13:42:11 -08:00
parent 53b9b99e5c
commit 6547609870
4 changed files with 55 additions and 56 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

18
daemon/oci_linux.go
View file

@ -221,18 +221,6 @@ func setCapabilities(s *specs.Spec, c *container.Container) error {
return nil return nil
} }
func delNamespace(s *specs.Spec, nsType specs.NamespaceType) {
idx := -1
for i, n := range s.Linux.Namespaces {
if n.Type == nsType {
idx = i
}
}
if idx >= 0 {
s.Linux.Namespaces = append(s.Linux.Namespaces[:idx], s.Linux.Namespaces[idx+1:]...)
}
}
func setNamespaces(daemon *Daemon, s *specs.Spec, c *container.Container) error { func setNamespaces(daemon *Daemon, s *specs.Spec, c *container.Container) error {
userNS := false userNS := false
// user // user
@ -283,7 +271,7 @@ func setNamespaces(daemon *Daemon, s *specs.Spec, c *container.Container) error
setNamespace(s, nsUser) setNamespace(s, nsUser)
} }
} else if c.HostConfig.IpcMode.IsHost() { } else if c.HostConfig.IpcMode.IsHost() {
delNamespace(s, specs.NamespaceType("ipc")) oci.RemoveNamespace(s, specs.NamespaceType("ipc"))
} else { } else {
ns := specs.Namespace{Type: "ipc"} ns := specs.Namespace{Type: "ipc"}
setNamespace(s, ns) setNamespace(s, ns)
@ -304,14 +292,14 @@ func setNamespaces(daemon *Daemon, s *specs.Spec, c *container.Container) error
setNamespace(s, nsUser) setNamespace(s, nsUser)
} }
} else if c.HostConfig.PidMode.IsHost() { } else if c.HostConfig.PidMode.IsHost() {
delNamespace(s, specs.NamespaceType("pid")) oci.RemoveNamespace(s, specs.NamespaceType("pid"))
} else { } else {
ns := specs.Namespace{Type: "pid"} ns := specs.Namespace{Type: "pid"}
setNamespace(s, ns) setNamespace(s, ns)
} }
// uts // uts
if c.HostConfig.UTSMode.IsHost() { if c.HostConfig.UTSMode.IsHost() {
delNamespace(s, specs.NamespaceType("uts")) oci.RemoveNamespace(s, specs.NamespaceType("uts"))
s.Hostname = "" s.Hostname = ""
} }

42
docs/extend/config.md
View file

@ -16,6 +16,7 @@ keywords: "API, Usage, plugins, documentation, developer"
will be rejected. will be rejected.
--> -->
# Plugin Config Version 0 of Plugin V2 # Plugin Config Version 0 of Plugin V2
This document outlines the format of the V0 plugin configuration. The plugin This document outlines the format of the V0 plugin configuration. The plugin
@ -85,10 +86,6 @@ Config provides the base accessible fields for working with V0 plugin format
- **host** - **host**
- **none** - **none**
- **`capabilities`** *array*
capabilities of the plugin (*Linux only*), see list [`here`](https://github.com/opencontainers/runc/blob/master/libcontainer/SPEC.md#security)
- **`mounts`** *PluginMount array* - **`mounts`** *PluginMount array*
mount of the plugin, struct consisting of the following fields, see [`MOUNTS`](https://github.com/opencontainers/runtime-spec/blob/master/config.md#mounts) mount of the plugin, struct consisting of the following fields, see [`MOUNTS`](https://github.com/opencontainers/runtime-spec/blob/master/config.md#mounts)
@ -117,22 +114,6 @@ Config provides the base accessible fields for working with V0 plugin format
options of the mount. options of the mount.
- **`devices`** *PluginDevice array*
device of the plugin, (*Linux only*), struct consisting of the following fields, see [`DEVICES`](https://github.com/opencontainers/runtime-spec/blob/master/config-linux.md#devices)
- **`name`** *string*
name of the device.
- **`description`** *string*
description of the device.
- **`path`** *string*
path of the device.
- **`env`** *PluginEnv array* - **`env`** *PluginEnv array*
env of the plugin, struct consisting of the following fields env of the plugin, struct consisting of the following fields
@ -165,6 +146,27 @@ Config provides the base accessible fields for working with V0 plugin format
values of the args. values of the args.
- **`linux`** *PluginLinux*
- **`capabilities`** *string array*
capabilities of the plugin (*Linux only*), see list [`here`](https://github.com/opencontainers/runc/blob/master/libcontainer/SPEC.md#security)
- **`devices`** *PluginDevice array*
device of the plugin, (*Linux only*), struct consisting of the following fields, see [`DEVICES`](https://github.com/opencontainers/runtime-spec/blob/master/config-linux.md#devices)
- **`name`** *string*
name of the device.
- **`description`** *string*
description of the device.
- **`path`** *string*
path of the device.
## Example Config ## Example Config

16
oci/namespaces.go Normal file
View file

@ -0,0 +1,16 @@
package oci
import specs "github.com/opencontainers/runtime-spec/specs-go"
// RemoveNamespace removes the `nsType` namespace from OCI spec `s`
func RemoveNamespace(s *specs.Spec, nsType specs.NamespaceType) {
idx := -1
for i, n := range s.Linux.Namespaces {
if n.Type == nsType {
idx = i
}
}
if idx >= 0 {
s.Linux.Namespaces = append(s.Linux.Namespaces[:idx], s.Linux.Namespaces[idx+1:]...)
}
}

35
plugin/v2/plugin.go
View file

@ -218,45 +218,45 @@ next:
// ComputePrivileges takes the config file and computes the list of access necessary // ComputePrivileges takes the config file and computes the list of access necessary
// for the plugin on the host. // for the plugin on the host.
func (p *Plugin) ComputePrivileges() types.PluginPrivileges { func (p *Plugin) ComputePrivileges() types.PluginPrivileges {
m := p.PluginObj.Config c := p.PluginObj.Config
var privileges types.PluginPrivileges var privileges types.PluginPrivileges
if m.Network.Type != "null" && m.Network.Type != "bridge" { if c.Network.Type != "null" && c.Network.Type != "bridge" {
privileges = append(privileges, types.PluginPrivilege{ privileges = append(privileges, types.PluginPrivilege{
Name: "network", Name: "network",
Description: "", Description: "permissions to access a network",
Value: []string{m.Network.Type}, Value: []string{c.Network.Type},
}) })
} }
for _, mount := range m.Mounts { for _, mount := range c.Mounts {
if mount.Source != nil { if mount.Source != nil {
privileges = append(privileges, types.PluginPrivilege{ privileges = append(privileges, types.PluginPrivilege{
Name: "mount", Name: "mount",
Description: "", Description: "host path to mount",
Value: []string{*mount.Source}, Value: []string{*mount.Source},
}) })
} }
} }
for _, device := range m.Linux.Devices { for _, device := range c.Linux.Devices {
if device.Path != nil { if device.Path != nil {
privileges = append(privileges, types.PluginPrivilege{ privileges = append(privileges, types.PluginPrivilege{
Name: "device", Name: "device",
Description: "", Description: "host device to access",
Value: []string{*device.Path}, Value: []string{*device.Path},
}) })
} }
} }
if m.Linux.DeviceCreation { if c.Linux.DeviceCreation {
privileges = append(privileges, types.PluginPrivilege{ privileges = append(privileges, types.PluginPrivilege{
Name: "device-creation", Name: "device-creation",
Description: "", Description: "allow creating devices inside plugin",
Value: []string{"true"}, Value: []string{"true"},
}) })
} }
if len(m.Linux.Capabilities) > 0 { if len(c.Linux.Capabilities) > 0 {
privileges = append(privileges, types.PluginPrivilege{ privileges = append(privileges, types.PluginPrivilege{
Name: "capabilities", Name: "capabilities",
Description: "", Description: "list of additional capabilities required",
Value: m.Linux.Capabilities, Value: c.Linux.Capabilities,
}) })
} }
return privileges return privileges
@ -317,12 +317,7 @@ func (p *Plugin) InitSpec(s specs.Spec, libRoot string) (*specs.Spec, error) {
if p.PluginObj.Config.Network.Type != "" { if p.PluginObj.Config.Network.Type != "" {
// TODO: if net == bridge, use libnetwork controller to create a new plugin-specific bridge, bind mount /etc/hosts and /etc/resolv.conf look at the docker code (allocateNetwork, initialize) // TODO: if net == bridge, use libnetwork controller to create a new plugin-specific bridge, bind mount /etc/hosts and /etc/resolv.conf look at the docker code (allocateNetwork, initialize)
if p.PluginObj.Config.Network.Type == "host" { if p.PluginObj.Config.Network.Type == "host" {
for i, n := range s.Linux.Namespaces { oci.RemoveNamespace(&s, specs.NamespaceType("network"))
if n.Type == "network" {
s.Linux.Namespaces = append(s.Linux.Namespaces[:i], s.Linux.Namespaces[i+1:]...)
break
}
}
} }
etcHosts := "/etc/hosts" etcHosts := "/etc/hosts"
resolvConf := "/etc/resolv.conf" resolvConf := "/etc/resolv.conf"
@ -401,8 +396,6 @@ func (p *Plugin) InitSpec(s specs.Spec, libRoot string) (*specs.Spec, error) {
s.Process.Cwd = cwd s.Process.Cwd = cwd
s.Process.Env = envs s.Process.Env = envs
// TODO: what about duplicates?
// TODO: Should not need CAP_ prefix in manifest?
s.Process.Capabilities = append(s.Process.Capabilities, p.PluginObj.Config.Linux.Capabilities...) s.Process.Capabilities = append(s.Process.Capabilities, p.PluginObj.Config.Linux.Capabilities...)
return &s, nil return &s, nil