From cee6f4506c79c6fc21769d427ac4dd51c28450c3 Mon Sep 17 00:00:00 2001
From: Michael Crosby
Date: Mon, 23 Jun 2014 16:43:43 -0700
Subject: [PATCH] Update libcontainer references

Docker-DCO-1.1-Signed-off-by: Michael Crosby (github: crosbymichael)
---
 daemon/execdriver/lxc/lxc_init_linux.go | 4 +-
 .../execdriver/native/configuration/parse.go | 25 ++--------
 .../native/configuration/parse_test.go | 8 ++--
 daemon/execdriver/native/create.go | 48 ++++++++++++-------
 .../native/template/default_template.go | 5 +-
 5 files changed, 45 insertions(+), 45 deletions(-)
diff --git a/daemon/execdriver/lxc/lxc_init_linux.go b/daemon/execdriver/lxc/lxc_init_linux.go
index 3b15d096af..1fd497e9aa 100644
--- a/daemon/execdriver/lxc/lxc_init_linux.go
+++ b/daemon/execdriver/lxc/lxc_init_linux.go
@@ -29,7 +29,7 @@ func finalizeNamespace(args *execdriver.InitArgs) error {
 if !args.Privileged {
 // drop capabilities in bounding set before changing user
- if err := capabilities.DropBoundingSet(container); err != nil {
+ if err := capabilities.DropBoundingSet(container.Capabilities); err != nil {
 return fmt.Errorf("drop bounding set %s", err)
 }
@@ -49,7 +49,7 @@ func finalizeNamespace(args *execdriver.InitArgs) error {
 }
 // drop all other capabilities
- if err := capabilities.DropCapabilities(container); err != nil {
+ if err := capabilities.DropCapabilities(container.Capabilities); err != nil {
 return fmt.Errorf("drop capabilities %s", err)
 }
 }
diff --git a/daemon/execdriver/native/configuration/parse.go b/daemon/execdriver/native/configuration/parse.go
index 77d4b297cb..6abf79ef8a 100644
--- a/daemon/execdriver/native/configuration/parse.go
+++ b/daemon/execdriver/native/configuration/parse.go
@@ -138,9 +138,9 @@ func dropNamespace(container *libcontainer.Container, context interface{}, value
 func readonlyFs(container *libcontainer.Container, context interface{}, value string) error {
 switch value {
 case "1", "true":
- container.ReadonlyFs = true
+ container.MountConfig.ReadonlyFs = true
 default:
- container.ReadonlyFs = false
+ container.MountConfig.ReadonlyFs = false
 }
 return nil
 }
@@ -154,28 +154,13 @@ func joinNetNamespace(container *libcontainer.Container, context interface{}, va
 if cmd == nil || cmd.Process == nil {
 return fmt.Errorf("%s is not a valid running container to join", value)
 }
+
 nspath := filepath.Join("/proc", fmt.Sprint(cmd.Process.Pid), "ns", "net")
 container.Networks = append(container.Networks, &libcontainer.Network{
- Type: "netns",
- Context: libcontainer.Context{
- "nspath": nspath,
- },
+ Type: "netns",
+ NsPath: nspath,
 })
- return nil
-}
-func vethMacAddress(container *libcontainer.Container, context interface{}, value string) error {
- var veth *libcontainer.Network
- for _, network := range container.Networks {
- if network.Type == "veth" {
- veth = network
- break
- }
- }
- if veth == nil {
- return fmt.Errorf("not veth configured for container")
- }
- veth.Context["mac"] = value
 return nil
 }
diff --git a/daemon/execdriver/native/configuration/parse_test.go b/daemon/execdriver/native/configuration/parse_test.go
index c561f5e2d3..886a42cf8b 100644
--- a/daemon/execdriver/native/configuration/parse_test.go
+++ b/daemon/execdriver/native/configuration/parse_test.go
@@ -3,7 +3,7 @@ package configuration
 import (
 "testing"
- "github.com/docker/libcontainer"
+ "github.com/docker/libcontainer/security/capabilities"
 "github.com/dotcloud/docker/daemon/execdriver/native/template"
 )
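Review bot: readonlyFs now writes through `container.MountConfig`, a pointer that only template.New() initialises (the default_template.go hunk sets `MountConfig: &libcontainer.MountConfig{}`), and nothing here guards against it being nil, so ParseConfiguration on a container built any other way would panic in the daemon instead of returning an error. Since ParseConfiguration is the exported entry point, a guard at the top of this function, `if container.MountConfig == nil { return fmt.Errorf("container has no mount config") }`, keeps an invalid configuration a reported error rather than a crash. The same unguarded dereference appears in create.go's createContainer, setPrivileged and setupMounts hunks, where the container presumably comes from the template; if that is the only producer, a doc comment on New stating that MountConfig must stay non-nil would record the invariant.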
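Review bot: The added `NsPath: nspath` is built from `cmd.Process.Pid`, but the check just above only rejects a nil `cmd.Process`, which stays non-nil after the child has exited and been reaped, so a container that died after the `cmds` snapshot was taken yields a /proc path that may already belong to an unrelated, reused pid. os/exec sets `cmd.ProcessState` once Wait has reaped the child, so extending the guard to `if cmd == nil || cmd.Process == nil || cmd.ProcessState != nil {` rejects that case before the path is formed; the pid can still be recycled between this check and the actual setns, so the caller side should treat a failed join as fatal rather than fall back silently. The same pattern is in create.go's createNetwork hunk (`active.cmd.Process == nil`). joinNetNamespace's signature and the `cmd` lookup are outside the hunk.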
@@ -25,14 +25,14 @@ func TestSetReadonlyRootFs(t *testing.T) {
 }
 )
- if container.ReadonlyFs {
+ if container.MountConfig.ReadonlyFs {
 t.Fatal("container should not have a readonly rootfs by default")
 }
 if err := ParseConfiguration(container, nil, opts); err != nil {
 t.Fatal(err)
 }
- if !container.ReadonlyFs {
+ if !container.MountConfig.ReadonlyFs {
 t.Fatal("container should have a readonly rootfs")
 }
 }
@@ -165,7 +165,7 @@ func TestDropCap(t *testing.T) {
 }
 )
 // enabled all caps like in privileged mode
- container.Capabilities = libcontainer.GetAllCapabilities()
+ container.Capabilities = capabilities.GetAllCapabilities()
 if err := ParseConfiguration(container, nil, opts); err != nil {
 t.Fatal(err)
 }
diff --git a/daemon/execdriver/native/create.go b/daemon/execdriver/native/create.go
index b19620514e..bc726aab9a 100644
--- a/daemon/execdriver/native/create.go
+++ b/daemon/execdriver/native/create.go
@@ -9,6 +9,8 @@ import (
 "github.com/docker/libcontainer"
 "github.com/docker/libcontainer/apparmor"
 "github.com/docker/libcontainer/devices"
+ "github.com/docker/libcontainer/mount"
+ "github.com/docker/libcontainer/security/capabilities"
 "github.com/dotcloud/docker/daemon/execdriver"
 "github.com/dotcloud/docker/daemon/execdriver/native/configuration"
 "github.com/dotcloud/docker/daemon/execdriver/native/template"
@@ -26,37 +28,45 @@ func (d *driver) createContainer(c *execdriver.Command) (*libcontainer.Container
 container.Env = c.Env
 container.Cgroups.Name = c.ID
 container.Cgroups.AllowedDevices = c.AllowedDevices
- container.DeviceNodes = c.AutoCreatedDevices
+ container.MountConfig.DeviceNodes = c.AutoCreatedDevices
+
 // check to see if we are running in ramdisk to disable pivot root
- container.NoPivotRoot = os.Getenv("DOCKER_RAMDISK") != ""
+ container.MountConfig.NoPivotRoot = os.Getenv("DOCKER_RAMDISK") != ""
 container.Context["restrictions"] = "true"
 if err := d.createNetwork(container, c); err != nil {
 return nil, err
 }
+
 if c.Privileged {
 if err := d.setPrivileged(container); err != nil {
 return nil, err
 }
 }
+
 if err := d.setupCgroups(container, c); err != nil {
 return nil, err
 }
+
 if err := d.setupMounts(container, c); err != nil {
 return nil, err
 }
+
 if err := d.setupLabels(container, c); err != nil {
 return nil, err
 }
+
 cmds := make(map[string]*exec.Cmd)
 d.Lock()
 for k, v := range d.activeContainers {
 cmds[k] = v.cmd
 }
 d.Unlock()
+
 if err := configuration.ParseConfiguration(container, cmds, c.Config["native"]); err != nil {
 return nil, err
 }
+
 return container, nil
 }
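Review bot: `container.MountConfig.DeviceNodes = c.AutoCreatedDevices` is replaced wholesale for privileged containers by setPrivileged (`container.MountConfig.DeviceNodes = hostDeviceNodes` in the later create.go hunk), so the order of this assignment and the `if c.Privileged` block is load-bearing and nothing in the function says so; a comment such as `// setPrivileged below replaces DeviceNodes with every host device node, so it must run after this assignment` would keep a future reorder from silently shrinking the privileged device set. The `DOCKER_RAMDISK` comment could likewise say what the fallback costs: with `NoPivotRoot` set, libcontainer presumably switches root without pivot_root, which isolates the old root less strictly, so the comment should state that this is only meant for ramdisk hosts and that the environment variable is an operator-controlled knob, not a per-container one. createContainer's signature and the template call are above the hunk.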
@@ -65,26 +75,24 @@ func (d *driver) createNetwork(container *libcontainer.Container, c *execdriver.
 container.Namespaces["NEWNET"] = false
 return nil
 }
+
 container.Networks = []*libcontainer.Network{
 {
 Mtu: c.Network.Mtu,
 Address: fmt.Sprintf("%s/%d", "127.0.0.1", 0),
 Gateway: "localhost",
 Type: "loopback",
- Context: libcontainer.Context{},
 },
 }
 if c.Network.Interface != nil {
 vethNetwork := libcontainer.Network{
- Mtu: c.Network.Mtu,
- Address: fmt.Sprintf("%s/%d", c.Network.Interface.IPAddress, c.Network.Interface.IPPrefixLen),
- Gateway: c.Network.Interface.Gateway,
- Type: "veth",
- Context: libcontainer.Context{
- "prefix": "veth",
- "bridge": c.Network.Interface.Bridge,
- },
+ Mtu: c.Network.Mtu,
+ Address: fmt.Sprintf("%s/%d", c.Network.Interface.IPAddress, c.Network.Interface.IPPrefixLen),
+ Gateway: c.Network.Interface.Gateway,
+ Type: "veth",
+ Bridge: c.Network.Interface.Bridge,
+ VethPrefix: "veth",
 }
 container.Networks = append(container.Networks, &vethNetwork)
 }
@@ -93,6 +101,7 @@ func (d *driver) createNetwork(container *libcontainer.Container, c *execdriver.
 d.Lock()
 active := d.activeContainers[c.Network.ContainerID]
 d.Unlock()
+
 if active == nil || active.cmd.Process == nil {
 return fmt.Errorf("%s is not a valid running container to join", c.Network.ContainerID)
 }
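Review bot: `Type: "veth"` and `VethPrefix: "veth"` are bare string literals, as are the two `Type: "netns"` construction sites (the next create.go hunk and parse.go's joinNetNamespace), so the driver's interface-naming convention now lives in several places that can drift apart when the next libcontainer field rename comes through. A package-level `const vethPrefix = "veth"` used for the prefix, with similar named constants for the network types, makes the convention greppable and gives the next refactor one place to change. createNetwork's signature is outside the hunk.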
@@ -100,30 +109,30 @@ func (d *driver) createNetwork(container *libcontainer.Container, c *execdriver.
 nspath := filepath.Join("/proc", fmt.Sprint(cmd.Process.Pid), "ns", "net")
 container.Networks = append(container.Networks, &libcontainer.Network{
- Type: "netns",
- Context: libcontainer.Context{
- "nspath": nspath,
- },
+ Type: "netns",
+ NsPath: nspath,
 })
 }
+
 return nil
 }
 func (d *driver) setPrivileged(container *libcontainer.Container) (err error) {
- container.Capabilities = libcontainer.GetAllCapabilities()
+ container.Capabilities = capabilities.GetAllCapabilities()
 container.Cgroups.AllowAllDevices = true
 hostDeviceNodes, err := devices.GetHostDeviceNodes()
 if err != nil {
 return err
 }
- container.DeviceNodes = hostDeviceNodes
+ container.MountConfig.DeviceNodes = hostDeviceNodes
 delete(container.Context, "restrictions")
 if apparmor.IsEnabled() {
 container.Context["apparmor_profile"] = "unconfined"
 }
+
 return nil
 }
@@ -135,12 +144,13 @@ func (d *driver) setupCgroups(container *libcontainer.Container, c *execdriver.C
 container.Cgroups.MemorySwap = c.Resources.MemorySwap
 container.Cgroups.CpusetCpus = c.Resources.Cpuset
 }
+
 return nil
 }
 func (d *driver) setupMounts(container *libcontainer.Container, c *execdriver.Command) error {
 for _, m := range c.Mounts {
- container.Mounts = append(container.Mounts, libcontainer.Mount{
+ container.MountConfig.Mounts = append(container.MountConfig.Mounts, mount.Mount{
 Type: "bind",
 Source: m.Source,
 Destination: m.Destination,
@@ -148,11 +158,13 @@ func (d *driver) setupMounts(container *libcontainer.Container, c *execdriver.Co
 Private: m.Private,
 })
 }
+
 return nil
 }
 func (d *driver) setupLabels(container *libcontainer.Container, c *execdriver.Command) error {
 container.Context["process_label"] = c.Config["process_label"][0]
 container.Context["mount_label"] = c.Config["mount_label"][0]
+
 return nil
 }
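Review bot: setupLabels indexes `c.Config["process_label"][0]` and `c.Config["mount_label"][0]` without checking that the slices are non-empty, so a Command whose Config lacks either key makes createContainer panic with an index-out-of-range instead of failing with an error; the indexing predates this commit, but the hunk's only addition is a blank line and the panic sits on the container-creation path. Guarding each lookup with `if len(c.Config["process_label"]) == 0 { return fmt.Errorf("process_label missing from command config") }` (and the same for `mount_label`) turns the missing label into a reported error, which is the right default for a security label rather than silently falling back to an empty one. The setupLabels body is complete within the hunk.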
diff --git a/daemon/execdriver/native/template/default_template.go b/daemon/execdriver/native/template/default_template.go
index e2f52f4445..b4d6fcb7c5 100644
--- a/daemon/execdriver/native/template/default_template.go
+++ b/daemon/execdriver/native/template/default_template.go
@@ -34,10 +34,13 @@ func New() *libcontainer.Container {
 Parent: "docker",
 AllowAllDevices: false,
 },
- Context: libcontainer.Context{},
+ MountConfig: &libcontainer.MountConfig{},
+ Context: make(map[string]string),
 }
+
 if apparmor.IsEnabled() {
 container.Context["apparmor_profile"] = "docker-default"
 }
+
 return container
 }