From 14b2a9de874ab80aaaa942b7b8a226bb56dfcd7f Mon Sep 17 00:00:00 2001
From: Rohit Jnagal
Date: Fri, 25 Apr 2014 00:17:45 +0000
Subject: [PATCH 1/6] Fix container.json sample to be loadable by nsinit.

Docker-DCO-1.1-Signed-off-by: Rohit Jnagal (github: rjnagal)
---
 pkg/libcontainer/README.md | 40 ++++++++++----------
 pkg/libcontainer/container.json | 43 ++++++++++-----------
 pkg/libcontainer/container_test.go | 60 ++++++++++++++++++++++++++++++
 3 files changed, 102 insertions(+), 41 deletions(-)
 create mode 100644 pkg/libcontainer/container_test.go

diff --git a/pkg/libcontainer/README.md b/pkg/libcontainer/README.md
index d6d0fbae44..224465ce1c 100644
--- a/pkg/libcontainer/README.md
+++ b/pkg/libcontainer/README.md
@@ -41,21 +41,21 @@ Sample `container.json` file:
 "TERM=xterm"
 ],
 "capabilities_mask" : [
- "SETPCAP",
- "SYS_MODULE",
- "SYS_RAWIO",
- "SYS_PACCT",
- "SYS_ADMIN",
- "SYS_NICE",
- "SYS_RESOURCE",
- "SYS_TIME",
- "SYS_TTY_CONFIG",
- "MKNOD",
- "AUDIT_WRITE",
- "AUDIT_CONTROL",
- "MAC_OVERRIDE",
- "MAC_ADMIN",
- "NET_ADMIN"
+ { "key": "SETPCAP" },
+ { "key": "SYS_MODULE" },
+ { "key": "SYS_RAWIO" },
+ { "key": "SYS_PACCT" },
+ { "key": "SYS_ADMIN" },
+ { "key": "SYS_NICE" },
+ { "key": "SYS_RESOURCE" },
+ { "key": "SYS_TIME" },
+ { "key": "SYS_TTY_CONFIG" },
+ { "key": "MKNOD" },
+ { "key": "AUDIT_WRITE" },
+ { "key": "AUDIT_CONTROL" },
+ { "key": "MAC_OVERRIDE" },
+ { "key": "MAC_ADMIN" },
+ { "key": "NET_ADMIN" }
 ],
 "context" : {
 "apparmor_profile" : "docker-default"
@@ -81,11 +81,11 @@ Sample `container.json` file:
 }
 ],
 "namespaces" : [
- "NEWNS",
- "NEWUTS",
- "NEWIPC",
- "NEWPID",
- "NEWNET"
+ { "key": "NEWNS" },
+ { "key": "NEWUTS" },
+ { "key": "NEWIPC" },
+ { "key": "NEWPID" },
+ { "key": "NEWNET" }
 ]
 }
 ```
diff --git a/pkg/libcontainer/container.json b/pkg/libcontainer/container.json
index f045315a41..b0465d4890 100644
--- a/pkg/libcontainer/container.json
+++ b/pkg/libcontainer/container.json
@@ -8,28 +8,28 @@
 "TERM=xterm-256color"
 ],
 "namespaces": [
- "NEWIPC",
- "NEWNS",
- "NEWPID",
- "NEWUTS",
- "NEWNET"
+ { "key": "NEWIPC" },
+ { "key": "NEWNS" },
+ { "key": "NEWPID" },
+ { "key": "NEWUTS" },
+ { "key": "NEWNET" }
 ],
 "capabilities_mask": [
- "SETPCAP",
- "SYS_MODULE",
- "SYS_RAWIO",
- "SYS_PACCT",
- "SYS_ADMIN",
- "SYS_NICE",
- "SYS_RESOURCE",
- "SYS_TIME",
- "SYS_TTY_CONFIG",
- "MKNOD",
- "AUDIT_WRITE",
- "AUDIT_CONTROL",
- "MAC_OVERRIDE",
- "MAC_ADMIN",
- "NET_ADMIN"
+ { "key": "SETPCAP" },
+ { "key": "SYS_MODULE" },
+ { "key": "SYS_RAWIO" },
+ { "key": "SYS_PACCT" },
+ { "key": "SYS_ADMIN" },
+ { "key": "SYS_NICE" },
+ { "key": "SYS_RESOURCE" },
+ { "key": "SYS_TIME" },
+ { "key": "SYS_TTY_CONFIG" },
+ { "key": "MKNOD" },
+ { "key": "AUDIT_WRITE" },
+ { "key": "AUDIT_CONTROL" },
+ { "key": "MAC_OVERRIDE" },
+ { "key": "MAC_ADMIN" },
+ { "key": "NET_ADMIN" }
 ],
 "networks": [{
 "type": "veth",
@@ -45,6 +45,7 @@
 "cgroups": {
 "name": "docker-koye",
 "parent": "docker",
- "memory": 5248000
+ "memory": 5248000,
+ "cpu_shares": 1024
 }
 }
diff --git a/pkg/libcontainer/container_test.go b/pkg/libcontainer/container_test.go
new file mode 100644
index 0000000000..06e7979b0a
--- /dev/null
+++ b/pkg/libcontainer/container_test.go
@@ -0,0 +1,60 @@
+package libcontainer
+
+import (
+ "encoding/json"
+ "os"
+ "testing"
+)
+
+func TestContainerJsonFormat(t *testing.T) {
+ f, err := os.Open("container.json")
+ if err != nil {
+ t.Fatal("Unable to open container.json")
+ }
+ defer f.Close()
+
+ var container *Container
+ if err := json.NewDecoder(f).Decode(&container); err != nil {
+ t.Log("failed to decode container config")
+ t.FailNow()
+ }
+ if container.Hostname != "koye" {
+ t.Log("hostname is not set")
+ t.Fail()
+ }
+
+ if !container.Tty {
+ t.Log("tty should be set to true")
+ t.Fail()
+ }
+
+ if !container.Namespaces.Contains("NEWNET") {
+ t.Log("namespaces should contain NEWNET")
+ t.Fail()
+ }
+
+ if container.Namespaces.Contains("NEWUSER") {
+ t.Log("namespaces should not contain NEWUSER")
+ t.Fail()
+ }
+
+ if !container.CapabilitiesMask.Contains("SYS_ADMIN") {
+ t.Log("capabilities should contain SYS_ADMIN")
+ t.Fail()
+ }
+
+ if container.CapabilitiesMask.Contains("SYS_CHROOT") {
+ t.Log("capabitlies should not contain SYS_CHROOT")
+ t.Fail()
+ }
+
+ if container.Cgroups.CpuShares != 1024 {
+ t.Log("cpu shares not set correctly")
+ t.Fail()
+ }
+
+ if container.Cgroups.Memory != 5248000 {
+ t.Log("memory limit not set correctly")
+ t.Fail()
+ }
+}
From 0aacca3ae6fa7d46a3e2c4e60e71f67c9a4c64e5 Mon Sep 17 00:00:00 2001
From: Rohit Jnagal
Date: Fri, 25 Apr 2014 00:20:14 +0000
Subject: [PATCH 2/6] Fix typos in nsinit logs.

Docker-DCO-1.1-Signed-off-by: Rohit Jnagal (github: rjnagal)
---
 pkg/libcontainer/nsinit/exec.go | 2 +-
 pkg/libcontainer/nsinit/nsinit/main.go | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/pkg/libcontainer/nsinit/exec.go b/pkg/libcontainer/nsinit/exec.go
index e76e060d1c..430dd89ff3 100644
--- a/pkg/libcontainer/nsinit/exec.go
+++ b/pkg/libcontainer/nsinit/exec.go
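Review bot: Both failure paths in the new TestContainerJsonFormat discard the error they just received: `t.Fatal("Unable to open container.json")` after os.Open and the t.Log/t.FailNow pair after Decode, so a malformed sample config reports only a fixed string and the actual JSON syntax error is lost; use `t.Fatalf("opening container.json: %v", err)` and `t.Fatalf("decoding container config: %v", err)` (the patch-5 hunk that rewrites the decode branch to t.Fatal keeps the same omission). Decoding into `var container *Container` via `Decode(&container)` also leaves container nil when the file decodes to JSON `null`, and every later field read would then panic instead of failing the test; `var container Container` with `Decode(&container)` avoids that. Since this file is the sample every native-execdriver config is copied from, it is worth a one-line comment above the function stating that the assertions pin the security-relevant defaults (namespaces and capabilities mask) of the shipped template.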
@@ -57,7 +57,7 @@ func (ns *linuxNs) Exec(container *libcontainer.Container, term Terminal, args [
 if err != nil {
 return -1, err
 }
- ns.logger.Printf("writting pid %d to file\n", command.Process.Pid)
+ ns.logger.Printf("writing pid %d to file\n", command.Process.Pid)
 if err := ns.stateWriter.WritePid(command.Process.Pid, started); err != nil {
 command.Process.Kill()
 return -1, err
diff --git a/pkg/libcontainer/nsinit/nsinit/main.go b/pkg/libcontainer/nsinit/nsinit/main.go
index 37aa784981..0965c1c8ca 100644
--- a/pkg/libcontainer/nsinit/nsinit/main.go
+++ b/pkg/libcontainer/nsinit/nsinit/main.go
@@ -32,7 +32,7 @@ func main() {
 registerFlags()
 if flag.NArg() < 1 {
- log.Fatalf("wrong number of argments %d", flag.NArg())
+ log.Fatalf("wrong number of arguments %d", flag.NArg())
 }
 container, err := loadContainer()
 if err != nil {
@@ -73,7 +73,7 @@ func main() {
 l.Fatal(err)
 }
 if flag.NArg() < 2 {
- l.Fatalf("wrong number of argments %d", flag.NArg())
+ l.Fatalf("wrong number of arguments %d", flag.NArg())
 }
 syncPipe, err := nsinit.NewSyncPipeFromFd(0, uintptr(pipeFd))
 if err != nil {
From 569b23413502713342b605abaf917f664d206a4b Mon Sep 17 00:00:00 2001
From: Rohit Jnagal
Date: Fri, 25 Apr 2014 01:10:11 +0000
Subject: [PATCH 3/6] Add enabled option to namespaces and capabilities spec in container.json.

Although we don't yet check for enabled everywhere.

Docker-DCO-1.1-Signed-off-by: Rohit Jnagal (github: rjnagal)
---
 pkg/libcontainer/README.md | 81 +++++++++++++++++++-------
 pkg/libcontainer/container.json | 100 +++++++++++++++++++++++++-------
 2 files changed, 141 insertions(+), 40 deletions(-)

diff --git a/pkg/libcontainer/README.md b/pkg/libcontainer/README.md
index 224465ce1c..1ab2a48ea5 100644
--- a/pkg/libcontainer/README.md
+++ b/pkg/libcontainer/README.md
@@ -41,21 +41,52 @@ Sample `container.json` file:
 "TERM=xterm"
 ],
 "capabilities_mask" : [
- { "key": "SETPCAP" },
- { "key": "SYS_MODULE" },
- { "key": "SYS_RAWIO" },
- { "key": "SYS_PACCT" },
- { "key": "SYS_ADMIN" },
- { "key": "SYS_NICE" },
- { "key": "SYS_RESOURCE" },
- { "key": "SYS_TIME" },
- { "key": "SYS_TTY_CONFIG" },
- { "key": "MKNOD" },
- { "key": "AUDIT_WRITE" },
- { "key": "AUDIT_CONTROL" },
- { "key": "MAC_OVERRIDE" },
- { "key": "MAC_ADMIN" },
- { "key": "NET_ADMIN" }
+ {
+ "key": "SETPCAP",
+ "enabled": true
+ },
+ { "key": "SYS_MODULE",
+ "enabled": true
+ },
+ { "key": "SYS_RAWIO",
+ "enabled": true
+ },
+ { "key": "SYS_PACCT",
+ "enabled": true
+ },
+ { "key": "SYS_ADMIN",
+ "enabled": true
+ },
+ { "key": "SYS_NICE",
+ "enabled": true
+ },
+ { "key": "SYS_RESOURCE",
+ "enabled": true
+ },
+ { "key": "SYS_TIME",
+ "enabled": true
+ },
+ { "key": "SYS_TTY_CONFIG",
+ "enabled": true
+ },
+ { "key": "MKNOD",
+ "enabled": true
+ },
+ { "key": "AUDIT_WRITE",
+ "enabled": true
+ },
+ { "key": "AUDIT_CONTROL",
+ "enabled": true
+ },
+ { "key": "MAC_OVERRIDE",
+ "enabled": true
+ },
+ { "key": "MAC_ADMIN",
+ "enabled": true
+ },
+ { "key": "NET_ADMIN",
+ "enabled": true
+ }
 ],
 "context" : {
 "apparmor_profile" : "docker-default"
@@ -81,11 +112,21 @@ Sample `container.json` file:
 }
 ],
 "namespaces" : [
- { "key": "NEWNS" },
- { "key": "NEWUTS" },
- { "key": "NEWIPC" },
- { "key": "NEWPID" },
- { "key": "NEWNET" }
+ { "key": "NEWNS",
+ "enabled": true
+ },
+ { "key": "NEWUTS",
+ "enabled": true
+ },
+ { "key": "NEWIPC",
+ "enabled": true
+ },
+ { "key": "NEWPID",
+ "enabled": true
+ },
+ { "key": "NEWNET",
+ "enabled": true
+ }
 ]
 }
 ```
diff --git a/pkg/libcontainer/container.json b/pkg/libcontainer/container.json
index b0465d4890..03a5091efa 100644
--- a/pkg/libcontainer/container.json
+++ b/pkg/libcontainer/container.json
@@ -8,28 +8,88 @@
 "TERM=xterm-256color"
 ],
 "namespaces": [
- { "key": "NEWIPC" },
- { "key": "NEWNS" },
- { "key": "NEWPID" },
- { "key": "NEWUTS" },
- { "key": "NEWNET" }
+ {
+ "key": "NEWIPC",
+ "enabled": true
+ },
+ {
+ "key": "NEWNS",
+ "enabled": true
+ },
+ {
+ "key": "NEWPID",
+ "enabled": true
+ },
+ {
+ "key": "NEWUTS",
+ "enabled": true
+ },
+ {
+ "key": "NEWNET",
+ "enabled": true
+ }
 ],
 "capabilities_mask": [
- { "key": "SETPCAP" },
- { "key": "SYS_MODULE" },
- { "key": "SYS_RAWIO" },
- { "key": "SYS_PACCT" },
- { "key": "SYS_ADMIN" },
- { "key": "SYS_NICE" },
- { "key": "SYS_RESOURCE" },
- { "key": "SYS_TIME" },
- { "key": "SYS_TTY_CONFIG" },
- { "key": "MKNOD" },
- { "key": "AUDIT_WRITE" },
- { "key": "AUDIT_CONTROL" },
- { "key": "MAC_OVERRIDE" },
- { "key": "MAC_ADMIN" },
- { "key": "NET_ADMIN" }
+ {
+ "key": "SETPCAP",
+ "enabled": true
+ },
+ {
+ "key": "SYS_MODULE",
+ "enabled": true
+ },
+ {
+ "key": "SYS_RAWIO",
+ "enabled": false
+ },
+ {
+ "key": "SYS_PACCT",
+ "enabled": true
+ },
+ {
+ "key": "SYS_ADMIN",
+ "enabled": true
+ },
+ {
+ "key": "SYS_NICE",
+ "enabled": true
+ },
+ {
+ "key": "SYS_RESOURCE",
+ "enabled": true
+ },
+ {
+ "key": "SYS_TIME",
+ "enabled": true
+ },
+ {
+ "key": "SYS_TTY_CONFIG",
+ "enabled": true
+ },
+ {
+ "key": "MKNOD",
+ "enabled": true
+ },
+ {
+ "key": "AUDIT_WRITE",
+ "enabled": true
+ },
+ {
+ "key": "AUDIT_CONTROL",
+ "enabled": true
+ },
+ {
+ "key": "MAC_OVERRIDE",
+ "enabled": true
+ },
+ {
+ "key": "MAC_ADMIN",
+ "enabled": true
+ },
+ {
+ "key": "NET_ADMIN",
+ "enabled": true
+ }
 ],
 "networks": [{
 "type": "veth",
From 580c2620e7b92d9aee7c1cd033ca987dda161cf1 Mon Sep 17 00:00:00 2001
From: Rohit Jnagal
Date: Fri, 25 Apr 2014 01:23:48 +0000
Subject: [PATCH 4/6] Improved README formatting.

Docker-DCO-1.1-Signed-off-by: Rohit Jnagal (github: rjnagal)
---
 pkg/libcontainer/README.md | 99 +++++++++++++++++++++++---------------
 1 file changed, 59 insertions(+), 40 deletions(-)
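Review bot: The meaning of `enabled` inside `capabilities_mask` is stated nowhere, and this hunk is the first place it carries information: SYS_RAWIO is `false` while every other entry is `true`, yet the commit message says the loader does not check `enabled` everywhere. Until the loader honours the flag on every path, a reader of the sample will assume SYS_RAWIO is treated differently from the others when it presumably is not, which is the wrong direction for a mistake in a capability list. The README that carries the same sample (the previous hunk of this patch) should say which direction the flag means, e.g. `Each "capabilities_mask" entry carries "enabled"; <state here whether true keeps or drops the capability> — entries not marked are treated as <placeholder>` with the placeholders filled from the loader's behaviour, and the test in container_test.go should pin that direction once the loader enforces it.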
diff --git a/pkg/libcontainer/README.md b/pkg/libcontainer/README.md
index 1ab2a48ea5..b58b789d73 100644
--- a/pkg/libcontainer/README.md
+++ b/pkg/libcontainer/README.md
@@ -42,50 +42,64 @@ Sample `container.json` file:
 ],
 "capabilities_mask" : [
 {
- "key": "SETPCAP",
- "enabled": true
+ "key": "SETPCAP",
+ "enabled": true
 },
- { "key": "SYS_MODULE",
- "enabled": true
+ {
+ "key": "SYS_MODULE",
+ "enabled": true
 },
- { "key": "SYS_RAWIO",
- "enabled": true
+ {
+ "key": "SYS_RAWIO",
+ "enabled": false
 },
- { "key": "SYS_PACCT",
- "enabled": true
+ {
+ "key": "SYS_PACCT",
+ "enabled": true
 },
- { "key": "SYS_ADMIN",
- "enabled": true
+ {
+ "key": "SYS_ADMIN",
+ "enabled": true
 },
- { "key": "SYS_NICE",
- "enabled": true
+ {
+ "key": "SYS_NICE",
+ "enabled": true
 },
- { "key": "SYS_RESOURCE",
- "enabled": true
+ {
+ "key": "SYS_RESOURCE",
+ "enabled": true
 },
- { "key": "SYS_TIME",
- "enabled": true
+ {
+ "key": "SYS_TIME",
+ "enabled": true
 },
- { "key": "SYS_TTY_CONFIG",
- "enabled": true
+ {
+ "key": "SYS_TTY_CONFIG",
+ "enabled": true
 },
- { "key": "MKNOD",
- "enabled": true
+ {
+ "key": "MKNOD",
+ "enabled": true
 },
- { "key": "AUDIT_WRITE",
- "enabled": true
+ {
+ "key": "AUDIT_WRITE",
+ "enabled": true
 },
- { "key": "AUDIT_CONTROL",
- "enabled": true
+ {
+ "key": "AUDIT_CONTROL",
+ "enabled": true
 },
- { "key": "MAC_OVERRIDE",
- "enabled": true
+ {
+ "key": "MAC_OVERRIDE",
+ "enabled": true
 },
- { "key": "MAC_ADMIN",
- "enabled": true
+ {
+ "key": "MAC_ADMIN",
+ "enabled": true
 },
- { "key": "NET_ADMIN",
- "enabled": true
+ {
+ "key": "NET_ADMIN",
+ "enabled": true
 }
 ],
 "context" : {
@@ -112,20 +126,25 @@ Sample `container.json` file:
 }
 ],
 "namespaces" : [
- { "key": "NEWNS",
- "enabled": true
+ {
+ "key": "NEWNS",
+ "enabled": true
 },
- { "key": "NEWUTS",
- "enabled": true
+ {
+ "key": "NEWUTS",
+ "enabled": true
 },
- { "key": "NEWIPC",
- "enabled": true
+ {
+ "key": "NEWIPC",
+ "enabled": true
 },
- { "key": "NEWPID",
- "enabled": true
+ {
+ "key": "NEWPID",
+ "enabled": true
 },
- { "key": "NEWNET",
- "enabled": true
+ {
+ "key": "NEWNET",
+ "enabled": true
 }
 ]
 }
From 24f978094dc5c9eae0ca60001b65256b2b30f2c8 Mon Sep 17 00:00:00 2001
From: Rohit Jnagal
Date: Fri, 25 Apr 2014 06:02:30 +0000
Subject: [PATCH 5/6] Updated sample config and README to match the default template for native execdriver.

Docker-DCO-1.1-Signed-off-by: Rohit Jnagal (github: rjnagal)
---
 pkg/libcontainer/README.md | 26 +++++++++++++-------------
 pkg/libcontainer/container.json | 26 +++++++++++++-------------
 pkg/libcontainer/container_test.go | 17 +++++++++++++----
 3 files changed, 39 insertions(+), 30 deletions(-)

diff --git a/pkg/libcontainer/README.md b/pkg/libcontainer/README.md
index b58b789d73..70f22f5639 100644
--- a/pkg/libcontainer/README.md
+++ b/pkg/libcontainer/README.md
@@ -43,11 +43,11 @@ Sample `container.json` file:
 "capabilities_mask" : [
 {
 "key": "SETPCAP",
- "enabled": true
+ "enabled": false
 },
 {
 "key": "SYS_MODULE",
- "enabled": true
+ "enabled": false
 },
 {
 "key": "SYS_RAWIO",
@@ -55,27 +55,27 @@ Sample `container.json` file:
 },
 {
 "key": "SYS_PACCT",
- "enabled": true
+ "enabled": false
 },
 {
 "key": "SYS_ADMIN",
- "enabled": true
+ "enabled": false
 },
 {
 "key": "SYS_NICE",
- "enabled": true
+ "enabled": false
 },
 {
 "key": "SYS_RESOURCE",
- "enabled": true
+ "enabled": false
 },
 {
 "key": "SYS_TIME",
- "enabled": true
+ "enabled": false
 },
 {
 "key": "SYS_TTY_CONFIG",
- "enabled": true
+ "enabled": false
 },
 {
 "key": "MKNOD",
@@ -83,23 +83,23 @@ Sample `container.json` file:
 },
 {
 "key": "AUDIT_WRITE",
- "enabled": true
+ "enabled": false
 },
 {
 "key": "AUDIT_CONTROL",
- "enabled": true
+ "enabled": false
 },
 {
 "key": "MAC_OVERRIDE",
- "enabled": true
+ "enabled": false
 },
 {
 "key": "MAC_ADMIN",
- "enabled": true
+ "enabled": false
 },
 {
 "key": "NET_ADMIN",
- "enabled": true
+ "enabled": false
 }
 ],
 "context" : {
diff --git a/pkg/libcontainer/container.json b/pkg/libcontainer/container.json
index 03a5091efa..68f9504f99 100644
--- a/pkg/libcontainer/container.json
+++ b/pkg/libcontainer/container.json
@@ -32,11 +32,11 @@
 "capabilities_mask": [
 {
 "key": "SETPCAP",
- "enabled": true
+ "enabled": false
 },
 {
 "key": "SYS_MODULE",
- "enabled": true
+ "enabled": false
 },
 {
 "key": "SYS_RAWIO",
@@ -44,27 +44,27 @@
 },
 {
 "key": "SYS_PACCT",
- "enabled": true
+ "enabled": false
 },
 {
 "key": "SYS_ADMIN",
- "enabled": true
+ "enabled": false
 },
 {
 "key": "SYS_NICE",
- "enabled": true
+ "enabled": false
 },
 {
 "key": "SYS_RESOURCE",
- "enabled": true
+ "enabled": false
 },
 {
 "key": "SYS_TIME",
- "enabled": true
+ "enabled": false
 },
 {
 "key": "SYS_TTY_CONFIG",
- "enabled": true
+ "enabled": false
 },
 {
 "key": "MKNOD",
@@ -72,23 +72,23 @@
 },
 {
 "key": "AUDIT_WRITE",
- "enabled": true
+ "enabled": false
 },
 {
 "key": "AUDIT_CONTROL",
- "enabled": true
+ "enabled": false
 },
 {
 "key": "MAC_OVERRIDE",
- "enabled": true
+ "enabled": false
 },
 {
 "key": "MAC_ADMIN",
- "enabled": true
+ "enabled": false
 },
 {
 "key": "NET_ADMIN",
- "enabled": true
+ "enabled": false
 }
 ],
 "networks": [{
diff --git a/pkg/libcontainer/container_test.go b/pkg/libcontainer/container_test.go
index 06e7979b0a..c413c7c34a 100644
--- a/pkg/libcontainer/container_test.go
+++ b/pkg/libcontainer/container_test.go
@@ -15,8 +15,7 @@ func TestContainerJsonFormat(t *testing.T) {
 
 var container *Container
 if err := json.NewDecoder(f).Decode(&container); err != nil {
- t.Log("failed to decode container config")
- t.FailNow()
+ t.Fatal("failed to decode container config")
 }
 if container.Hostname != "koye" {
 t.Log("hostname is not set")
@@ -39,12 +38,22 @@ func TestContainerJsonFormat(t *testing.T) {
 }
 
 if !container.CapabilitiesMask.Contains("SYS_ADMIN") {
- t.Log("capabilities should contain SYS_ADMIN")
+ t.Log("capabilities mask should contain SYS_ADMIN")
+ t.Fail()
+ }
+
+ if container.CapabilitiesMask.Get("SYS_ADMIN").Enabled {
+ t.Log("SYS_ADMIN should not be enabled in capabilities mask")
+ t.Fail()
+ }
+
+ if !container.CapabilitiesMask.Get("MKNOD").Enabled {
+ t.Log("MKNOD should be enabled in capabilities mask")
 t.Fail()
 }
 
 if container.CapabilitiesMask.Contains("SYS_CHROOT") {
- t.Log("capabitlies should not contain SYS_CHROOT")
+ t.Log("capabilities mask should not contain SYS_CHROOT")
 t.Fail()
 }
 
From 8cdb720d26197e448587a21894069ee8a20e8aa0 Mon Sep 17 00:00:00 2001
From: Rohit Jnagal
Date: Fri, 25 Apr 2014 21:10:23 +0000
Subject: [PATCH 6/6] Updated sample config to be usable.

We should change the namespace config to not need "value" later.

Docker-DCO-1.1-Signed-off-by: Rohit Jnagal (github: rjnagal)
---
 pkg/libcontainer/container.json | 48 ++++++++++++++++++++++-----------
 1 file changed, 33 insertions(+), 15 deletions(-)

diff --git a/pkg/libcontainer/container.json b/pkg/libcontainer/container.json
index 68f9504f99..7c69a180fe 100644
--- a/pkg/libcontainer/container.json
+++ b/pkg/libcontainer/container.json
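Review bot: The new `container.CapabilitiesMask.Get("SYS_ADMIN").Enabled` check in the second hunk runs even when the preceding Contains check has failed, because that branch only calls `t.Fail()` and continues; if Get returns a pointer for a missing key (its signature is not in this hunk), the test then dereferences nil and the whole test binary aborts with a panic rather than reporting the missing entry, and the same applies to the `Get("MKNOD")` check that follows. Promoting the Contains failure to `t.Fatal("capabilities mask should contain SYS_ADMIN")` makes the dependency explicit and keeps the later assertions from running on an absent entry; alternatively guard the lookup, `if c := container.CapabilitiesMask.Get("SYS_ADMIN"); c == nil || c.Enabled {`, if Get is indeed pointer-returning. These two assertions are the first in the file that pin the enabled/disabled state of a privileged capability in the shipped template, so a short comment such as `// SYS_ADMIN must stay disabled in the default template; MKNOD is the one privileged cap kept on.` above them would tell a later editor why flipping the sample is a security change. The enclosing TestContainerJsonFormat starts and ends outside both hunks.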
@@ -9,24 +9,34 @@
 ],
 "namespaces": [
 {
- "key": "NEWIPC",
- "enabled": true
+ "file": "ipc",
+ "value": 134217728,
+ "enabled": true,
+ "key": "NEWIPC"
 },
 {
- "key": "NEWNS",
- "enabled": true
+ "file": "mnt",
+ "value": 131072,
+ "enabled": true,
+ "key": "NEWNS"
 },
 {
- "key": "NEWPID",
- "enabled": true
+ "file": "pid",
+ "value": 536870912,
+ "enabled": true,
+ "key": "NEWPID"
 },
 {
- "key": "NEWUTS",
- "enabled": true
+ "file": "uts",
+ "value": 67108864,
+ "enabled": true,
+ "key": "NEWUTS"
 },
 {
- "key": "NEWNET",
- "enabled": true
+ "file": "net",
+ "value": 1073741824,
+ "enabled": true,
+ "key": "NEWNET"
 }
 ],
 "capabilities_mask": [
@@ -91,14 +101,21 @@
 "enabled": false
 }
 ],
- "networks": [{
+ "networks": [
+ {
+ "type": "loopback",
+ "gateway": "localhost",
+ "address": "127.0.0.1/0",
+ "mtu": 1500
+ },
+ {
 "type": "veth",
+ "gateway": "172.17.42.1",
+ "address": "172.17.0.4/16",
 "context": {
- "bridge": "docker0",
- "prefix": "dock"
+ "prefix": "dock",
+ "bridge": "docker0"
 },
- "address": "172.17.0.100/16",
- "gateway": "172.17.42.1",
 "mtu": 1500
 }
 ],
@@ -106,6 +123,7 @@
 "name": "docker-koye",
 "parent": "docker",
 "memory": 5248000,
+ "memory_swap": -1,
 "cpu_shares": 1024
 }
 }
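Review bot: The loopback entry added in the second hunk uses `"address": "127.0.0.1/0"`, and a zero-length prefix denotes the whole IPv4 address space rather than the loopback range; if the loader applies that prefix as the interface mask or a route, every destination is treated as on-link, so the value should almost certainly be `"address": "127.0.0.1/8"`. The same entry sets `"gateway": "localhost"` where the veth entry next to it uses a dotted address, and whether the loader resolves hostnames here is not visible in this hunk, so that should be checked before the sample is copied. In the first hunk each namespace now carries both a `key` and a raw numeric `value` (the commit message already flags the duplication); until the loader derives `value` from `key` or rejects a mismatch, a config whose `value` disagrees with its `key` would silently request a different namespace than the name says, and the test in container_test.go only checks the names. The `"memory_swap": -1` default in the last hunk is undocumented in this series; a README line stating what the loader does with -1 would stop readers guessing.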