Export all spec generation opts

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Michael Crosby 2019-04-10 14:45:14 -04:00
parent cb902f4430
commit c478553640
6 changed files with 543 additions and 511 deletions


@ -10,10 +10,7 @@ import (
"testing"
containertypes "github.com/docker/docker/api/types/container"
"github.com/docker/docker/container"
"github.com/docker/docker/daemon/config"
"github.com/docker/docker/oci"
"github.com/docker/docker/pkg/idtools"
"github.com/docker/docker/pkg/mount"
"gotest.tools/assert"
is "gotest.tools/assert/cmp"
@ -115,54 +112,6 @@ func TestNotCleanupMounts(t *testing.T) {
}
}
// TestTmpfsDevShmSizeOverride checks that user-specified /dev/tmpfs mount
// size is not overridden by the default shmsize (that should only be used
// for default /dev/shm (as in "shareable" and "private" ipc modes).
// https://github.com/moby/moby/issues/35271
func TestTmpfsDevShmSizeOverride(t *testing.T) {
size := "777m"
mnt := "/dev/shm"
d := Daemon{
idMapping: &idtools.IdentityMapping{},
}
c := &container.Container{
HostConfig: &containertypes.HostConfig{
ShmSize: 48 * 1024, // size we should NOT end up with
},
}
ms := []container.Mount{
{
Source: "tmpfs",
Destination: mnt,
Data: "size=" + size,
},
}
// convert ms to spec
spec := oci.DefaultSpec()
err := setMounts(&d, &spec, c, ms)
assert.Check(t, err)
// Check the resulting spec for the correct size
found := false
for _, m := range spec.Mounts {
if m.Destination == mnt {
for _, o := range m.Options {
if !strings.HasPrefix(o, "size=") {
continue
}
t.Logf("%+v\n", m.Options)
assert.Check(t, is.Equal("size="+size, o))
found = true
}
}
}
if !found {
t.Fatal("/dev/shm not found in spec, or size option missing")
}
}
func TestValidateContainerIsolationLinux(t *testing.T) {
d := Daemon{}


@ -1,6 +1,8 @@
package daemon // import "github.com/docker/docker/daemon"
import (
"context"
"github.com/docker/docker/container"
"github.com/docker/docker/daemon/exec"
"github.com/docker/docker/oci/caps"
@ -54,6 +56,6 @@ func (daemon *Daemon) execSetPlatformOpt(c *container.Container, ec *exec.Config
}
p.ApparmorProfile = appArmorProfile
}
daemon.setRlimits(&specs.Spec{Process: p}, c)
return nil
s := &specs.Spec{Process: p}
return WithRlimits(daemon, c)(context.Background(), nil, nil, s)
}
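Review bot: The new line `return WithRlimits(daemon, c)(context.Background(), nil, nil, s)` passes nil for the containerd Client and *containers.Container, which is only safe while WithRlimits never reads those arguments; if WithRlimits (or any other opt reused this way) later touches them, the exec path turns into a nil dereference. A short comment at the call would record that contract, e.g. `// WithRlimits only reads daemon and c; the client and container arguments are unused, so nil is safe here.` The call also uses context.Background() rather than a request-scoped context, which is fine for a pure spec mutation but worth a note if cancellation is ever added. execSetPlatformOpt's body starts outside the hunk.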



@ -3,17 +3,22 @@
package daemon // import "github.com/docker/docker/daemon"
import (
"context"
"fmt"
"github.com/containerd/containerd/containers"
coci "github.com/containerd/containerd/oci"
"github.com/docker/docker/container"
"github.com/opencontainers/runtime-spec/specs-go"
)
var supportsSeccomp = false
func setSeccomp(daemon *Daemon, rs *specs.Spec, c *container.Container) error {
if c.SeccompProfile != "" && c.SeccompProfile != "unconfined" {
return fmt.Errorf("seccomp profiles are not supported on this daemon, you cannot specify a custom seccomp profile")
// WithSeccomp sets the seccomp profile
func WithSeccomp(daemon *Daemon, c *container.Container) coci.SpecOpts {
return func(ctx context.Context, _ coci.Client, _ *containers.Container, s *coci.Spec) error {
if c.SeccompProfile != "" && c.SeccompProfile != "unconfined" {
return fmt.Errorf("seccomp profiles are not supported on this daemon, you cannot specify a custom seccomp profile")
}
return nil
}
return nil
}
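Review bot: The doc comment `// WithSeccomp sets the seccomp profile` does not describe this variant: the returned opt never writes to s, it only returns an error when c.SeccompProfile names something other than "" or "unconfined". Suggest `// WithSeccomp returns a SpecOpts that rejects custom seccomp profiles; seccomp is not supported by this daemon build, so no profile is written to the spec.` The same generic one-liner is reused verbatim on the Linux variant and on the no-op variant in the last file, so each copy should state what that build actually does.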


@ -3,8 +3,11 @@
package daemon // import "github.com/docker/docker/daemon"
import (
"context"
"fmt"
"github.com/containerd/containerd/containers"
coci "github.com/containerd/containerd/oci"
"github.com/docker/docker/container"
"github.com/docker/docker/profiles/seccomp"
"github.com/opencontainers/runtime-spec/specs-go"
@ -13,43 +16,46 @@ import (
var supportsSeccomp = true
func setSeccomp(daemon *Daemon, rs *specs.Spec, c *container.Container) error {
var profile *specs.LinuxSeccomp
var err error
// WithSeccomp sets the seccomp profile
func WithSeccomp(daemon *Daemon, c *container.Container) coci.SpecOpts {
return func(ctx context.Context, _ coci.Client, _ *containers.Container, s *coci.Spec) error {
var profile *specs.LinuxSeccomp
var err error
if c.HostConfig.Privileged {
return nil
}
if c.HostConfig.Privileged {
return nil
}
if !daemon.seccompEnabled {
if c.SeccompProfile != "" && c.SeccompProfile != "unconfined" {
return fmt.Errorf("Seccomp is not enabled in your kernel, cannot run a custom seccomp profile.")
if !daemon.seccompEnabled {
if c.SeccompProfile != "" && c.SeccompProfile != "unconfined" {
return fmt.Errorf("Seccomp is not enabled in your kernel, cannot run a custom seccomp profile.")
}
logrus.Warn("Seccomp is not enabled in your kernel, running container without default profile.")
c.SeccompProfile = "unconfined"
}
logrus.Warn("Seccomp is not enabled in your kernel, running container without default profile.")
c.SeccompProfile = "unconfined"
}
if c.SeccompProfile == "unconfined" {
return nil
}
if c.SeccompProfile != "" {
profile, err = seccomp.LoadProfile(c.SeccompProfile, rs)
if err != nil {
return err
if c.SeccompProfile == "unconfined" {
return nil
}
} else {
if daemon.seccompProfile != nil {
profile, err = seccomp.LoadProfile(string(daemon.seccompProfile), rs)
if c.SeccompProfile != "" {
profile, err = seccomp.LoadProfile(c.SeccompProfile, s)
if err != nil {
return err
}
} else {
profile, err = seccomp.GetDefaultProfile(rs)
if err != nil {
return err
if daemon.seccompProfile != nil {
profile, err = seccomp.LoadProfile(string(daemon.seccompProfile), s)
if err != nil {
return err
}
} else {
profile, err = seccomp.GetDefaultProfile(s)
if err != nil {
return err
}
}
}
}
rs.Linux.Seccomp = profile
return nil
s.Linux.Seccomp = profile
return nil
}
}
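Review bot: `s.Linux.Seccomp = profile` dereferences s.Linux without a nil check; now that this logic is a coci.SpecOpts that can be composed in any order, it depends on the base spec or an earlier opt having populated s.Linux, which nothing in this closure guarantees. A guard before the assignment, `if s.Linux == nil { s.Linux = &specs.Linux{} }`, makes the opt order-independent. Separately, `c.SeccompProfile = "unconfined"` mutates the container's stored config from inside a spec opt (pre-existing, but it now runs every time the opts are applied), and seccomp.LoadProfile/GetDefaultProfile presumably derive the filter from the spec's architecture and capabilities, so this opt should still be applied after those are set — a comment stating that ordering requirement would help future callers.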


@ -2,4 +2,19 @@
package daemon // import "github.com/docker/docker/daemon"
import (
"context"
"github.com/containerd/containerd/containers"
coci "github.com/containerd/containerd/oci"
"github.com/docker/docker/container"
)
var supportsSeccomp = false
// WithSeccomp sets the seccomp profile
func WithSeccomp(daemon *Daemon, c *container.Container) coci.SpecOpts {
return func(ctx context.Context, _ coci.Client, _ *containers.Container, s *coci.Spec) error {
return nil
}
}
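Review bot: The opt returned here is a no-op and returns nil even when c.SeccompProfile names a custom profile, whereas the disabled-seccomp variant above returns an error in that case, so a user-requested profile is silently ignored on this build. I cannot see the build constraints from this page; if the disabled variant does not also cover this build, consider mirroring its check, `if c.SeccompProfile != "" && c.SeccompProfile != "unconfined" { return fmt.Errorf("seccomp profiles are not supported on this daemon, you cannot specify a custom seccomp profile") }` (which needs an fmt import), or at least have the doc comment say that seccomp is unsupported and requested profiles are ignored rather than `// WithSeccomp sets the seccomp profile`.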