kotovalexarian-likes-github/moby--moby
1
0
Fork 0
mirror of https://github.com/moby/moby.git synced 2022-11-09 12:21:53 -05:00
Code Releases Activity

Export all spec generation opts

Browse source 
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
This commit is contained in:
Michael Crosby 2019-04-10 14:45:14 -04:00
parent cb902f4430
commit c478553640
6 changed files with 543 additions and 511 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

51
daemon/daemon_linux_test.go
View file

@ -10,10 +10,7 @@ import (
"testing" "testing"
containertypes "github.com/docker/docker/api/types/container" containertypes "github.com/docker/docker/api/types/container"
"github.com/docker/docker/container"
"github.com/docker/docker/daemon/config" "github.com/docker/docker/daemon/config"
"github.com/docker/docker/oci"
"github.com/docker/docker/pkg/idtools"
"github.com/docker/docker/pkg/mount" "github.com/docker/docker/pkg/mount"
"gotest.tools/assert" "gotest.tools/assert"
is "gotest.tools/assert/cmp" is "gotest.tools/assert/cmp"
@ -115,54 +112,6 @@ func TestNotCleanupMounts(t *testing.T) {
} }
} }
// TestTmpfsDevShmSizeOverride checks that user-specified /dev/tmpfs mount
// size is not overridden by the default shmsize (that should only be used
// for default /dev/shm (as in "shareable" and "private" ipc modes).
// https://github.com/moby/moby/issues/35271
func TestTmpfsDevShmSizeOverride(t *testing.T) {
size := "777m"
mnt := "/dev/shm"
d := Daemon{
idMapping: &idtools.IdentityMapping{},
}
c := &container.Container{
HostConfig: &containertypes.HostConfig{
ShmSize: 48 * 1024, // size we should NOT end up with
},
}
ms := []container.Mount{
{
Source: "tmpfs",
Destination: mnt,
Data: "size=" + size,
},
}
// convert ms to spec
spec := oci.DefaultSpec()
err := setMounts(&d, &spec, c, ms)
assert.Check(t, err)
// Check the resulting spec for the correct size
found := false
for _, m := range spec.Mounts {
if m.Destination == mnt {
for _, o := range m.Options {
if !strings.HasPrefix(o, "size=") {
continue
}
t.Logf("%+v\n", m.Options)
assert.Check(t, is.Equal("size="+size, o))
found = true
}
}
}
if !found {
t.Fatal("/dev/shm not found in spec, or size option missing")
}
}
func TestValidateContainerIsolationLinux(t *testing.T) { func TestValidateContainerIsolationLinux(t *testing.T) {
d := Daemon{} d := Daemon{}

6
daemon/exec_linux.go
View file

@ -1,6 +1,8 @@
package daemon // import "github.com/docker/docker/daemon" package daemon // import "github.com/docker/docker/daemon"
import ( import (
"context"
"github.com/docker/docker/container" "github.com/docker/docker/container"
"github.com/docker/docker/daemon/exec" "github.com/docker/docker/daemon/exec"
"github.com/docker/docker/oci/caps" "github.com/docker/docker/oci/caps"
@ -54,6 +56,6 @@ func (daemon *Daemon) execSetPlatformOpt(c *container.Container, ec *exec.Config
} }
p.ApparmorProfile = appArmorProfile p.ApparmorProfile = appArmorProfile
} }
daemon.setRlimits(&specs.Spec{Process: p}, c) s := &specs.Spec{Process: p}
return nil return WithRlimits(daemon, c)(context.Background(), nil, nil, s)
} }

905
daemon/oci_linux.go
View file

File diff suppressed because it is too large Load diff

15
daemon/seccomp_disabled.go
View file

@ -3,17 +3,22 @@
package daemon // import "github.com/docker/docker/daemon" package daemon // import "github.com/docker/docker/daemon"
import ( import (
"context"
"fmt" "fmt"
"github.com/containerd/containerd/containers"
coci "github.com/containerd/containerd/oci"
"github.com/docker/docker/container" "github.com/docker/docker/container"
"github.com/opencontainers/runtime-spec/specs-go"
) )
var supportsSeccomp = false var supportsSeccomp = false
func setSeccomp(daemon *Daemon, rs *specs.Spec, c *container.Container) error { // WithSeccomp sets the seccomp profile
if c.SeccompProfile != "" && c.SeccompProfile != "unconfined" { func WithSeccomp(daemon *Daemon, c *container.Container) coci.SpecOpts {
return fmt.Errorf("seccomp profiles are not supported on this daemon, you cannot specify a custom seccomp profile") return func(ctx context.Context, _ coci.Client, _ *containers.Container, s *coci.Spec) error {
if c.SeccompProfile != "" && c.SeccompProfile != "unconfined" {
return fmt.Errorf("seccomp profiles are not supported on this daemon, you cannot specify a custom seccomp profile")
}
return nil
} }
return nil
} }

62
daemon/seccomp_linux.go
View file

@ -3,8 +3,11 @@
package daemon // import "github.com/docker/docker/daemon" package daemon // import "github.com/docker/docker/daemon"
import ( import (
"context"
"fmt" "fmt"
"github.com/containerd/containerd/containers"
coci "github.com/containerd/containerd/oci"
"github.com/docker/docker/container" "github.com/docker/docker/container"
"github.com/docker/docker/profiles/seccomp" "github.com/docker/docker/profiles/seccomp"
"github.com/opencontainers/runtime-spec/specs-go" "github.com/opencontainers/runtime-spec/specs-go"
@ -13,43 +16,46 @@ import (
var supportsSeccomp = true var supportsSeccomp = true
func setSeccomp(daemon *Daemon, rs *specs.Spec, c *container.Container) error { // WithSeccomp sets the seccomp profile
var profile *specs.LinuxSeccomp func WithSeccomp(daemon *Daemon, c *container.Container) coci.SpecOpts {
var err error return func(ctx context.Context, _ coci.Client, _ *containers.Container, s *coci.Spec) error {
var profile *specs.LinuxSeccomp
var err error
if c.HostConfig.Privileged { if c.HostConfig.Privileged {
return nil return nil
} }
if !daemon.seccompEnabled { if !daemon.seccompEnabled {
if c.SeccompProfile != "" && c.SeccompProfile != "unconfined" { if c.SeccompProfile != "" && c.SeccompProfile != "unconfined" {
return fmt.Errorf("Seccomp is not enabled in your kernel, cannot run a custom seccomp profile.") return fmt.Errorf("Seccomp is not enabled in your kernel, cannot run a custom seccomp profile.")
}
logrus.Warn("Seccomp is not enabled in your kernel, running container without default profile.")
c.SeccompProfile = "unconfined"
} }
logrus.Warn("Seccomp is not enabled in your kernel, running container without default profile.") if c.SeccompProfile == "unconfined" {
c.SeccompProfile = "unconfined" return nil
}
if c.SeccompProfile == "unconfined" {
return nil
}
if c.SeccompProfile != "" {
profile, err = seccomp.LoadProfile(c.SeccompProfile, rs)
if err != nil {
return err
} }
} else { if c.SeccompProfile != "" {
if daemon.seccompProfile != nil { profile, err = seccomp.LoadProfile(c.SeccompProfile, s)
profile, err = seccomp.LoadProfile(string(daemon.seccompProfile), rs)
if err != nil { if err != nil {
return err return err
} }
} else { } else {
profile, err = seccomp.GetDefaultProfile(rs) if daemon.seccompProfile != nil {
if err != nil { profile, err = seccomp.LoadProfile(string(daemon.seccompProfile), s)
return err if err != nil {
return err
}
} else {
profile, err = seccomp.GetDefaultProfile(s)
if err != nil {
return err
}
} }
} }
}
rs.Linux.Seccomp = profile s.Linux.Seccomp = profile
return nil return nil
}
} }

15
daemon/seccomp_unsupported.go
View file

@ -2,4 +2,19 @@
package daemon // import "github.com/docker/docker/daemon" package daemon // import "github.com/docker/docker/daemon"
import (
"context"
"github.com/containerd/containerd/containers"
coci "github.com/containerd/containerd/oci"
"github.com/docker/docker/container"
)
var supportsSeccomp = false var supportsSeccomp = false
// WithSeccomp sets the seccomp profile
func WithSeccomp(daemon *Daemon, c *container.Container) coci.SpecOpts {
return func(ctx context.Context, _ coci.Client, _ *containers.Container, s *coci.Spec) error {
return nil
}
}