Export all spec generation opts
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
This commit is contained in:
parent
cb902f4430
commit
c478553640
6 changed files with 543 additions and 511 deletions
|
@ -10,10 +10,7 @@ import (
|
|||
"testing"
|
||||
|
||||
containertypes "github.com/docker/docker/api/types/container"
|
||||
"github.com/docker/docker/container"
|
||||
"github.com/docker/docker/daemon/config"
|
||||
"github.com/docker/docker/oci"
|
||||
"github.com/docker/docker/pkg/idtools"
|
||||
"github.com/docker/docker/pkg/mount"
|
||||
"gotest.tools/assert"
|
||||
is "gotest.tools/assert/cmp"
|
||||
|
@ -115,54 +112,6 @@ func TestNotCleanupMounts(t *testing.T) {
|
|||
}
|
||||
}
|
||||
|
||||
// TestTmpfsDevShmSizeOverride checks that user-specified /dev/tmpfs mount
|
||||
// size is not overridden by the default shmsize (that should only be used
|
||||
// for default /dev/shm (as in "shareable" and "private" ipc modes).
|
||||
// https://github.com/moby/moby/issues/35271
|
||||
func TestTmpfsDevShmSizeOverride(t *testing.T) {
|
||||
size := "777m"
|
||||
mnt := "/dev/shm"
|
||||
|
||||
d := Daemon{
|
||||
idMapping: &idtools.IdentityMapping{},
|
||||
}
|
||||
c := &container.Container{
|
||||
HostConfig: &containertypes.HostConfig{
|
||||
ShmSize: 48 * 1024, // size we should NOT end up with
|
||||
},
|
||||
}
|
||||
ms := []container.Mount{
|
||||
{
|
||||
Source: "tmpfs",
|
||||
Destination: mnt,
|
||||
Data: "size=" + size,
|
||||
},
|
||||
}
|
||||
|
||||
// convert ms to spec
|
||||
spec := oci.DefaultSpec()
|
||||
err := setMounts(&d, &spec, c, ms)
|
||||
assert.Check(t, err)
|
||||
|
||||
// Check the resulting spec for the correct size
|
||||
found := false
|
||||
for _, m := range spec.Mounts {
|
||||
if m.Destination == mnt {
|
||||
for _, o := range m.Options {
|
||||
if !strings.HasPrefix(o, "size=") {
|
||||
continue
|
||||
}
|
||||
t.Logf("%+v\n", m.Options)
|
||||
assert.Check(t, is.Equal("size="+size, o))
|
||||
found = true
|
||||
}
|
||||
}
|
||||
}
|
||||
if !found {
|
||||
t.Fatal("/dev/shm not found in spec, or size option missing")
|
||||
}
|
||||
}
|
||||
|
||||
func TestValidateContainerIsolationLinux(t *testing.T) {
|
||||
d := Daemon{}
|
||||
|
||||
|
|
|
@ -1,6 +1,8 @@
|
|||
package daemon // import "github.com/docker/docker/daemon"
|
||||
|
||||
import (
|
||||
"context"
|
||||
|
||||
"github.com/docker/docker/container"
|
||||
"github.com/docker/docker/daemon/exec"
|
||||
"github.com/docker/docker/oci/caps"
|
||||
|
@ -54,6 +56,6 @@ func (daemon *Daemon) execSetPlatformOpt(c *container.Container, ec *exec.Config
|
|||
}
|
||||
p.ApparmorProfile = appArmorProfile
|
||||
}
|
||||
daemon.setRlimits(&specs.Spec{Process: p}, c)
|
||||
return nil
|
||||
s := &specs.Spec{Process: p}
|
||||
return WithRlimits(daemon, c)(context.Background(), nil, nil, s)
|
||||
}
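Review bot: The new call `WithRlimits(daemon, c)(context.Background(), nil, nil, s)` passes a nil containerd client and a nil containers.Container to an exported spec option, which is only safe as long as WithRlimits never dereferences either argument; its body lives in the suppressed file, so that assumption is not checkable from this hunk. It deserves a comment on the call site, e.g. `// WithRlimits only needs s.Process; the containerd client and container arguments are unused for exec, so nil is passed.`, and ideally a test exercising execSetPlatformOpt so a future change to WithRlimits that starts using them fails loudly instead of panicking at exec time. execSetPlatformOpt starts outside the hunk, so whether a request context is available to replace context.Background() is not visible here.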
|
||||
|
|
File diff suppressed because it is too large
|
@ -3,17 +3,22 @@
|
|||
package daemon // import "github.com/docker/docker/daemon"
|
||||
|
||||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
|
||||
"github.com/containerd/containerd/containers"
|
||||
coci "github.com/containerd/containerd/oci"
|
||||
"github.com/docker/docker/container"
|
||||
"github.com/opencontainers/runtime-spec/specs-go"
|
||||
)
|
||||
|
||||
var supportsSeccomp = false
|
||||
|
||||
func setSeccomp(daemon *Daemon, rs *specs.Spec, c *container.Container) error {
|
||||
if c.SeccompProfile != "" && c.SeccompProfile != "unconfined" {
|
||||
return fmt.Errorf("seccomp profiles are not supported on this daemon, you cannot specify a custom seccomp profile")
|
||||
// WithSeccomp sets the seccomp profile
|
||||
func WithSeccomp(daemon *Daemon, c *container.Container) coci.SpecOpts {
|
||||
return func(ctx context.Context, _ coci.Client, _ *containers.Container, s *coci.Spec) error {
|
||||
if c.SeccompProfile != "" && c.SeccompProfile != "unconfined" {
|
||||
return fmt.Errorf("seccomp profiles are not supported on this daemon, you cannot specify a custom seccomp profile")
|
||||
}
|
||||
return nil
|
||||
}
|
||||
return nil
|
||||
}
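Review bot: The closure returned by WithSeccomp names its first parameter `ctx` but never uses it, while the client and container parameters on the same line are already blank; for consistency the signature should read `return func(_ context.Context, _ coci.Client, _ *containers.Container, s *coci.Spec) error {`. The same unused `ctx` appears in the other two WithSeccomp variants in this commit (the seccomp-enabled Linux file and the stub that returns nil unconditionally). The `daemon` parameter is likewise unused in this variant, which is fine for keeping the three build-tagged signatures identical, but a one-line comment saying so, e.g. `// daemon is unused here; kept so all build variants share one signature.`, would stop a reader from looking for a missing check.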
|
||||
|
|
|
@ -3,8 +3,11 @@
|
|||
package daemon // import "github.com/docker/docker/daemon"
|
||||
|
||||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
|
||||
"github.com/containerd/containerd/containers"
|
||||
coci "github.com/containerd/containerd/oci"
|
||||
"github.com/docker/docker/container"
|
||||
"github.com/docker/docker/profiles/seccomp"
|
||||
"github.com/opencontainers/runtime-spec/specs-go"
|
||||
|
@ -13,43 +16,46 @@ import (
|
|||
|
||||
var supportsSeccomp = true
|
||||
|
||||
func setSeccomp(daemon *Daemon, rs *specs.Spec, c *container.Container) error {
|
||||
var profile *specs.LinuxSeccomp
|
||||
var err error
|
||||
// WithSeccomp sets the seccomp profile
|
||||
func WithSeccomp(daemon *Daemon, c *container.Container) coci.SpecOpts {
|
||||
return func(ctx context.Context, _ coci.Client, _ *containers.Container, s *coci.Spec) error {
|
||||
var profile *specs.LinuxSeccomp
|
||||
var err error
|
||||
|
||||
if c.HostConfig.Privileged {
|
||||
return nil
|
||||
}
|
||||
if c.HostConfig.Privileged {
|
||||
return nil
|
||||
}
|
||||
|
||||
if !daemon.seccompEnabled {
|
||||
if c.SeccompProfile != "" && c.SeccompProfile != "unconfined" {
|
||||
return fmt.Errorf("Seccomp is not enabled in your kernel, cannot run a custom seccomp profile.")
|
||||
if !daemon.seccompEnabled {
|
||||
if c.SeccompProfile != "" && c.SeccompProfile != "unconfined" {
|
||||
return fmt.Errorf("Seccomp is not enabled in your kernel, cannot run a custom seccomp profile.")
|
||||
}
|
||||
logrus.Warn("Seccomp is not enabled in your kernel, running container without default profile.")
|
||||
c.SeccompProfile = "unconfined"
|
||||
}
|
||||
logrus.Warn("Seccomp is not enabled in your kernel, running container without default profile.")
|
||||
c.SeccompProfile = "unconfined"
|
||||
}
|
||||
if c.SeccompProfile == "unconfined" {
|
||||
return nil
|
||||
}
|
||||
if c.SeccompProfile != "" {
|
||||
profile, err = seccomp.LoadProfile(c.SeccompProfile, rs)
|
||||
if err != nil {
|
||||
return err
|
||||
if c.SeccompProfile == "unconfined" {
|
||||
return nil
|
||||
}
|
||||
} else {
|
||||
if daemon.seccompProfile != nil {
|
||||
profile, err = seccomp.LoadProfile(string(daemon.seccompProfile), rs)
|
||||
if c.SeccompProfile != "" {
|
||||
profile, err = seccomp.LoadProfile(c.SeccompProfile, s)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
} else {
|
||||
profile, err = seccomp.GetDefaultProfile(rs)
|
||||
if err != nil {
|
||||
return err
|
||||
if daemon.seccompProfile != nil {
|
||||
profile, err = seccomp.LoadProfile(string(daemon.seccompProfile), s)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
} else {
|
||||
profile, err = seccomp.GetDefaultProfile(s)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
rs.Linux.Seccomp = profile
|
||||
return nil
|
||||
s.Linux.Seccomp = profile
|
||||
return nil
|
||||
}
|
||||
}
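Review bot: The closure returned by WithSeccomp writes `c.SeccompProfile = "unconfined"` when `daemon.seccompEnabled` is false, so applying the spec option mutates the container it was built from, and a second application of the same opt sees a different input (the custom-profile error can no longer fire). That was already true of setSeccomp, but now that the opt is exported and meant to be composed with others the side effect is easy to miss; if persisting the fallback on the container is intentional (presumably so it is reported back to the user, though that is not visible here), say so with a comment such as `// Persist the fallback on the container so the applied profile is visible later; this opt is therefore not side-effect free.`, otherwise keep the fallback in a local and leave c untouched. The assignment `s.Linux.Seccomp = profile` also assumes `s.Linux` is non-nil, which holds for the default spec but not for an arbitrary caller-built one; a `// assumes s.Linux is populated by an earlier opt` note or a nil check would make the contract explicit.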
|
||||
|
|
|
@ -2,4 +2,19 @@
|
|||
|
||||
package daemon // import "github.com/docker/docker/daemon"
|
||||
|
||||
import (
|
||||
"context"
|
||||
|
||||
"github.com/containerd/containerd/containers"
|
||||
coci "github.com/containerd/containerd/oci"
|
||||
"github.com/docker/docker/container"
|
||||
)
|
||||
|
||||
var supportsSeccomp = false
|
||||
|
||||
// WithSeccomp sets the seccomp profile
|
||||
func WithSeccomp(daemon *Daemon, c *container.Container) coci.SpecOpts {
|
||||
return func(ctx context.Context, _ coci.Client, _ *containers.Container, s *coci.Spec) error {
|
||||
return nil
|
||||
}
|
||||
}
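Review bot: This WithSeccomp stub (presumably the non-Linux build) returns nil even when `c.SeccompProfile` names a custom profile, whereas the seccomp-disabled Linux variant in the same commit rejects that case with an error, so a caller composing the exported opts gets silent acceptance of a security option on one platform and a hard error on another. If the option is already validated and rejected earlier on these platforms that is acceptable, but the stub should say so: `// Seccomp is Linux-only; a non-empty SeccompProfile is expected to have been rejected by HostConfig validation before this opt runs.` Otherwise mirror the disabled variant's `c.SeccompProfile != "" && c.SeccompProfile != "unconfined"` check so a requested profile is never dropped without an error.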
|
||||
|
|