1
0
Fork 0
mirror of https://github.com/moby/moby.git synced 2022-11-09 12:21:53 -05:00

Update libcontainer references

Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@docker.com> (github: crosbymichael)
This commit is contained in:
Michael Crosby 2014-06-23 16:43:43 -07:00
parent 423a8f91d7
commit cee6f4506c
5 changed files with 45 additions and 45 deletions

View file

@ -29,7 +29,7 @@ func finalizeNamespace(args *execdriver.InitArgs) error {
if !args.Privileged {
// drop capabilities in bounding set before changing user
if err := capabilities.DropBoundingSet(container); err != nil {
if err := capabilities.DropBoundingSet(container.Capabilities); err != nil {
return fmt.Errorf("drop bounding set %s", err)
}
@ -49,7 +49,7 @@ func finalizeNamespace(args *execdriver.InitArgs) error {
}
// drop all other capabilities
if err := capabilities.DropCapabilities(container); err != nil {
if err := capabilities.DropCapabilities(container.Capabilities); err != nil {
return fmt.Errorf("drop capabilities %s", err)
}
}

View file

@ -138,9 +138,9 @@ func dropNamespace(container *libcontainer.Container, context interface{}, value
func readonlyFs(container *libcontainer.Container, context interface{}, value string) error {
switch value {
case "1", "true":
container.ReadonlyFs = true
container.MountConfig.ReadonlyFs = true
default:
container.ReadonlyFs = false
container.MountConfig.ReadonlyFs = false
}
return nil
}
@ -154,28 +154,13 @@ func joinNetNamespace(container *libcontainer.Container, context interface{}, va
if cmd == nil || cmd.Process == nil {
return fmt.Errorf("%s is not a valid running container to join", value)
}
nspath := filepath.Join("/proc", fmt.Sprint(cmd.Process.Pid), "ns", "net")
container.Networks = append(container.Networks, &libcontainer.Network{
Type: "netns",
Context: libcontainer.Context{
"nspath": nspath,
},
Type: "netns",
NsPath: nspath,
})
return nil
}
func vethMacAddress(container *libcontainer.Container, context interface{}, value string) error {
var veth *libcontainer.Network
for _, network := range container.Networks {
if network.Type == "veth" {
veth = network
break
}
}
if veth == nil {
return fmt.Errorf("not veth configured for container")
}
veth.Context["mac"] = value
return nil
}

View file

@ -3,7 +3,7 @@ package configuration
import (
"testing"
"github.com/docker/libcontainer"
"github.com/docker/libcontainer/security/capabilities"
"github.com/dotcloud/docker/daemon/execdriver/native/template"
)
@ -25,14 +25,14 @@ func TestSetReadonlyRootFs(t *testing.T) {
}
)
if container.ReadonlyFs {
if container.MountConfig.ReadonlyFs {
t.Fatal("container should not have a readonly rootfs by default")
}
if err := ParseConfiguration(container, nil, opts); err != nil {
t.Fatal(err)
}
if !container.ReadonlyFs {
if !container.MountConfig.ReadonlyFs {
t.Fatal("container should have a readonly rootfs")
}
}
@ -165,7 +165,7 @@ func TestDropCap(t *testing.T) {
}
)
// enabled all caps like in privileged mode
container.Capabilities = libcontainer.GetAllCapabilities()
container.Capabilities = capabilities.GetAllCapabilities()
if err := ParseConfiguration(container, nil, opts); err != nil {
t.Fatal(err)
}

View file

@ -9,6 +9,8 @@ import (
"github.com/docker/libcontainer"
"github.com/docker/libcontainer/apparmor"
"github.com/docker/libcontainer/devices"
"github.com/docker/libcontainer/mount"
"github.com/docker/libcontainer/security/capabilities"
"github.com/dotcloud/docker/daemon/execdriver"
"github.com/dotcloud/docker/daemon/execdriver/native/configuration"
"github.com/dotcloud/docker/daemon/execdriver/native/template"
@ -26,37 +28,45 @@ func (d *driver) createContainer(c *execdriver.Command) (*libcontainer.Container
container.Env = c.Env
container.Cgroups.Name = c.ID
container.Cgroups.AllowedDevices = c.AllowedDevices
container.DeviceNodes = c.AutoCreatedDevices
container.MountConfig.DeviceNodes = c.AutoCreatedDevices
// check to see if we are running in ramdisk to disable pivot root
container.NoPivotRoot = os.Getenv("DOCKER_RAMDISK") != ""
container.MountConfig.NoPivotRoot = os.Getenv("DOCKER_RAMDISK") != ""
container.Context["restrictions"] = "true"
if err := d.createNetwork(container, c); err != nil {
return nil, err
}
if c.Privileged {
if err := d.setPrivileged(container); err != nil {
return nil, err
}
}
if err := d.setupCgroups(container, c); err != nil {
return nil, err
}
if err := d.setupMounts(container, c); err != nil {
return nil, err
}
if err := d.setupLabels(container, c); err != nil {
return nil, err
}
cmds := make(map[string]*exec.Cmd)
d.Lock()
for k, v := range d.activeContainers {
cmds[k] = v.cmd
}
d.Unlock()
if err := configuration.ParseConfiguration(container, cmds, c.Config["native"]); err != nil {
return nil, err
}
return container, nil
}
@ -65,26 +75,24 @@ func (d *driver) createNetwork(container *libcontainer.Container, c *execdriver.
container.Namespaces["NEWNET"] = false
return nil
}
container.Networks = []*libcontainer.Network{
{
Mtu: c.Network.Mtu,
Address: fmt.Sprintf("%s/%d", "127.0.0.1", 0),
Gateway: "localhost",
Type: "loopback",
Context: libcontainer.Context{},
},
}
if c.Network.Interface != nil {
vethNetwork := libcontainer.Network{
Mtu: c.Network.Mtu,
Address: fmt.Sprintf("%s/%d", c.Network.Interface.IPAddress, c.Network.Interface.IPPrefixLen),
Gateway: c.Network.Interface.Gateway,
Type: "veth",
Context: libcontainer.Context{
"prefix": "veth",
"bridge": c.Network.Interface.Bridge,
},
Mtu: c.Network.Mtu,
Address: fmt.Sprintf("%s/%d", c.Network.Interface.IPAddress, c.Network.Interface.IPPrefixLen),
Gateway: c.Network.Interface.Gateway,
Type: "veth",
Bridge: c.Network.Interface.Bridge,
VethPrefix: "veth",
}
container.Networks = append(container.Networks, &vethNetwork)
}
@ -93,6 +101,7 @@ func (d *driver) createNetwork(container *libcontainer.Container, c *execdriver.
d.Lock()
active := d.activeContainers[c.Network.ContainerID]
d.Unlock()
if active == nil || active.cmd.Process == nil {
return fmt.Errorf("%s is not a valid running container to join", c.Network.ContainerID)
}
@ -100,30 +109,30 @@ func (d *driver) createNetwork(container *libcontainer.Container, c *execdriver.
nspath := filepath.Join("/proc", fmt.Sprint(cmd.Process.Pid), "ns", "net")
container.Networks = append(container.Networks, &libcontainer.Network{
Type: "netns",
Context: libcontainer.Context{
"nspath": nspath,
},
Type: "netns",
NsPath: nspath,
})
}
return nil
}
func (d *driver) setPrivileged(container *libcontainer.Container) (err error) {
container.Capabilities = libcontainer.GetAllCapabilities()
container.Capabilities = capabilities.GetAllCapabilities()
container.Cgroups.AllowAllDevices = true
hostDeviceNodes, err := devices.GetHostDeviceNodes()
if err != nil {
return err
}
container.DeviceNodes = hostDeviceNodes
container.MountConfig.DeviceNodes = hostDeviceNodes
delete(container.Context, "restrictions")
if apparmor.IsEnabled() {
container.Context["apparmor_profile"] = "unconfined"
}
return nil
}
@ -135,12 +144,13 @@ func (d *driver) setupCgroups(container *libcontainer.Container, c *execdriver.C
container.Cgroups.MemorySwap = c.Resources.MemorySwap
container.Cgroups.CpusetCpus = c.Resources.Cpuset
}
return nil
}
func (d *driver) setupMounts(container *libcontainer.Container, c *execdriver.Command) error {
for _, m := range c.Mounts {
container.Mounts = append(container.Mounts, libcontainer.Mount{
container.MountConfig.Mounts = append(container.MountConfig.Mounts, mount.Mount{
Type: "bind",
Source: m.Source,
Destination: m.Destination,
@ -148,11 +158,13 @@ func (d *driver) setupMounts(container *libcontainer.Container, c *execdriver.Co
Private: m.Private,
})
}
return nil
}
func (d *driver) setupLabels(container *libcontainer.Container, c *execdriver.Command) error {
container.Context["process_label"] = c.Config["process_label"][0]
container.Context["mount_label"] = c.Config["mount_label"][0]
return nil
}

View file

@ -34,10 +34,13 @@ func New() *libcontainer.Container {
Parent: "docker",
AllowAllDevices: false,
},
Context: libcontainer.Context{},
MountConfig: &libcontainer.MountConfig{},
Context: make(map[string]string),
}
if apparmor.IsEnabled() {
container.Context["apparmor_profile"] = "docker-default"
}
return container
}