Move caps and device spec utils to `oci` pkg

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
This commit is contained in:
Michael Crosby 2018-12-10 15:40:40 -05:00
parent 6e3113f700
commit b940cc5cff
5 changed files with 20 additions and 18 deletions


@ -2,8 +2,8 @@ package daemon // import "github.com/docker/docker/daemon"
import (
"github.com/docker/docker/container"
"github.com/docker/docker/daemon/caps"
"github.com/docker/docker/daemon/exec"
"github.com/docker/docker/oci/caps"
"github.com/opencontainers/runc/libcontainer/apparmor"
"github.com/opencontainers/runtime-spec/specs-go"
)


@ -113,7 +113,7 @@ func setDevices(s *specs.Spec, c *container.Container) error {
}
var err error
devPermissions, err = appendDevicePermissionsFromCgroupRules(devPermissions, c.HostConfig.DeviceCgroupRules)
devPermissions, err = oci.AppendDevicePermissionsFromCgroupRules(devPermissions, c.HostConfig.DeviceCgroupRules)
if err != nil {
return err
}
@ -762,7 +762,7 @@ func (daemon *Daemon) createSpec(c *container.Container) (retSpec *specs.Spec, e
if err := setNamespaces(daemon, &s, c); err != nil {
return nil, fmt.Errorf("linux spec namespaces: %v", err)
}
if err := setCapabilities(&s, c); err != nil {
if err := oci.SetCapabilities(&s, c.HostConfig.CapAdd, c.HostConfig.CapDrop, c.HostConfig.Privileged); err != nil {
return nil, fmt.Errorf("linux spec capabilities: %v", err)
}
if err := setSeccomp(daemon, &s, c); err != nil {
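Review bot: The new `oci.SetCapabilities(&s, c.HostConfig.CapAdd, c.HostConfig.CapDrop, c.HostConfig.Privileged)` call that replaces `setCapabilities(&s, c)` moves the privileged/add/drop decision to the call site, but nothing there records that `CapAdd` and `CapDrop` are not consulted once `Privileged` is set (the doc comment on `SetCapabilities` elsewhere in this commit states that all capabilities are added in the privileged case). A one-line comment above the call, `// Privileged grants the full capability set; CapAdd/CapDrop only apply to non-privileged containers.`, keeps that security-relevant behaviour visible where the HostConfig is read. The same call appears in createSpecLinuxFields in the next file section and would benefit from the same comment. createSpec continues outside this hunk.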


@ -368,10 +368,10 @@ func (daemon *Daemon) createSpecLinuxFields(c *container.Container, s *specs.Spe
}
s.Root.Path = "rootfs"
s.Root.Readonly = c.HostConfig.ReadonlyRootfs
if err := setCapabilities(s, c); err != nil {
if err := oci.SetCapabilities(s, c.HostConfig.CapAdd, c.HostConfig.CapDrop, c.HostConfig.Privileged); err != nil {
return fmt.Errorf("linux spec capabilities: %v", err)
}
devPermissions, err := appendDevicePermissionsFromCgroupRules(nil, c.HostConfig.DeviceCgroupRules)
devPermissions, err := oci.AppendDevicePermissionsFromCgroupRules(nil, c.HostConfig.DeviceCgroupRules)
if err != nil {
return fmt.Errorf("linux runtime spec devices: %v", err)
}
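Review bot: The replacement lines `oci.SetCapabilities(s, c.HostConfig.CapAdd, c.HostConfig.CapDrop, c.HostConfig.Privileged)` and `oci.AppendDevicePermissionsFromCgroupRules(nil, c.HostConfig.DeviceCgroupRules)` now spell out the same HostConfig field list that createSpec in the previous file section also spells out, so the two spec builders can drift if a further field (or argument order) changes. Keeping a thin daemon-side wrapper, e.g. `func setCapabilities(s *specs.Spec, c *container.Container) error { return oci.SetCapabilities(s, c.HostConfig.CapAdd, c.HostConfig.CapDrop, c.HostConfig.Privileged) }`, or at least `hc := c.HostConfig` before the calls, would keep one place responsible for mapping HostConfig onto the new exported API. Passing `nil` as the initial device list here, versus appending to an existing `devPermissions` in the Linux path, is pre-existing and may be intentional for this platform, but is worth a short comment now that the helper is shared. createSpecLinuxFields continues outside this hunk.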


@ -1,4 +1,4 @@
package caps // import "github.com/docker/docker/daemon/caps"
package caps // import "github.com/docker/docker/oci/caps"
import (
"fmt"


@ -1,27 +1,28 @@
package daemon // import "github.com/docker/docker/daemon"
package oci // import "github.com/docker/docker/oci"
import (
"fmt"
"regexp"
"strconv"
"github.com/docker/docker/container"
"github.com/docker/docker/daemon/caps"
"github.com/docker/docker/oci/caps"
specs "github.com/opencontainers/runtime-spec/specs-go"
)
// nolint: gosimple
var (
deviceCgroupRuleRegex = regexp.MustCompile("^([acb]) ([0-9]+|\\*):([0-9]+|\\*) ([rwm]{1,3})$")
)
var deviceCgroupRuleRegex = regexp.MustCompile("^([acb]) ([0-9]+|\\*):([0-9]+|\\*) ([rwm]{1,3})$")
func setCapabilities(s *specs.Spec, c *container.Container) error {
var caplist []string
var err error
if c.HostConfig.Privileged {
// SetCapabilities sets the provided capabilities on the spec
// All capabilities are added if privileged is true
func SetCapabilities(s *specs.Spec, add, drop []string, privileged bool) error {
var (
caplist []string
err error
)
if privileged {
caplist = caps.GetAllCapabilities()
} else {
caplist, err = caps.TweakCapabilities(s.Process.Capabilities.Bounding, c.HostConfig.CapAdd, c.HostConfig.CapDrop)
caplist, err = caps.TweakCapabilities(s.Process.Capabilities.Bounding, add, drop)
if err != nil {
return err
}
@ -39,7 +40,8 @@ func setCapabilities(s *specs.Spec, c *container.Container) error {
return nil
}
func appendDevicePermissionsFromCgroupRules(devPermissions []specs.LinuxDeviceCgroup, rules []string) ([]specs.LinuxDeviceCgroup, error) {
// AppendDevicePermissionsFromCgroupRules takes rules for the devices cgroup to append to the default set
func AppendDevicePermissionsFromCgroupRules(devPermissions []specs.LinuxDeviceCgroup, rules []string) ([]specs.LinuxDeviceCgroup, error) {
for _, deviceCgroupRule := range rules {
ss := deviceCgroupRuleRegex.FindAllStringSubmatch(deviceCgroupRule, -1)
if len(ss[0]) != 5 {