зеркало из https://github.com/microsoft/docker.git
Update libcontainer references
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@docker.com> (github: crosbymichael)
This commit is contained in:
Родитель
423a8f91d7
Коммит
cee6f4506c
|
@ -29,7 +29,7 @@ func finalizeNamespace(args *execdriver.InitArgs) error {
|
|||
|
||||
if !args.Privileged {
|
||||
// drop capabilities in bounding set before changing user
|
||||
if err := capabilities.DropBoundingSet(container); err != nil {
|
||||
if err := capabilities.DropBoundingSet(container.Capabilities); err != nil {
|
||||
return fmt.Errorf("drop bounding set %s", err)
|
||||
}
|
||||
|
||||
|
@ -49,7 +49,7 @@ func finalizeNamespace(args *execdriver.InitArgs) error {
|
|||
}
|
||||
|
||||
// drop all other capabilities
|
||||
if err := capabilities.DropCapabilities(container); err != nil {
|
||||
if err := capabilities.DropCapabilities(container.Capabilities); err != nil {
|
||||
return fmt.Errorf("drop capabilities %s", err)
|
||||
}
|
||||
}
|
||||
|
|
|
@ -138,9 +138,9 @@ func dropNamespace(container *libcontainer.Container, context interface{}, value
|
|||
func readonlyFs(container *libcontainer.Container, context interface{}, value string) error {
|
||||
switch value {
|
||||
case "1", "true":
|
||||
container.ReadonlyFs = true
|
||||
container.MountConfig.ReadonlyFs = true
|
||||
default:
|
||||
container.ReadonlyFs = false
|
||||
container.MountConfig.ReadonlyFs = false
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
@ -154,28 +154,13 @@ func joinNetNamespace(container *libcontainer.Container, context interface{}, va
|
|||
if cmd == nil || cmd.Process == nil {
|
||||
return fmt.Errorf("%s is not a valid running container to join", value)
|
||||
}
|
||||
|
||||
nspath := filepath.Join("/proc", fmt.Sprint(cmd.Process.Pid), "ns", "net")
|
||||
container.Networks = append(container.Networks, &libcontainer.Network{
|
||||
Type: "netns",
|
||||
Context: libcontainer.Context{
|
||||
"nspath": nspath,
|
||||
},
|
||||
Type: "netns",
|
||||
NsPath: nspath,
|
||||
})
|
||||
return nil
|
||||
}
|
||||
|
||||
func vethMacAddress(container *libcontainer.Container, context interface{}, value string) error {
|
||||
var veth *libcontainer.Network
|
||||
for _, network := range container.Networks {
|
||||
if network.Type == "veth" {
|
||||
veth = network
|
||||
break
|
||||
}
|
||||
}
|
||||
if veth == nil {
|
||||
return fmt.Errorf("not veth configured for container")
|
||||
}
|
||||
veth.Context["mac"] = value
|
||||
return nil
|
||||
}
|
||||
|
||||
|
|
|
@ -3,7 +3,7 @@ package configuration
|
|||
import (
|
||||
"testing"
|
||||
|
||||
"github.com/docker/libcontainer"
|
||||
"github.com/docker/libcontainer/security/capabilities"
|
||||
"github.com/dotcloud/docker/daemon/execdriver/native/template"
|
||||
)
|
||||
|
||||
|
@ -25,14 +25,14 @@ func TestSetReadonlyRootFs(t *testing.T) {
|
|||
}
|
||||
)
|
||||
|
||||
if container.ReadonlyFs {
|
||||
if container.MountConfig.ReadonlyFs {
|
||||
t.Fatal("container should not have a readonly rootfs by default")
|
||||
}
|
||||
if err := ParseConfiguration(container, nil, opts); err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
if !container.ReadonlyFs {
|
||||
if !container.MountConfig.ReadonlyFs {
|
||||
t.Fatal("container should have a readonly rootfs")
|
||||
}
|
||||
}
|
||||
|
@ -165,7 +165,7 @@ func TestDropCap(t *testing.T) {
|
|||
}
|
||||
)
|
||||
// enabled all caps like in privileged mode
|
||||
container.Capabilities = libcontainer.GetAllCapabilities()
|
||||
container.Capabilities = capabilities.GetAllCapabilities()
|
||||
if err := ParseConfiguration(container, nil, opts); err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
|
|
@ -9,6 +9,8 @@ import (
|
|||
"github.com/docker/libcontainer"
|
||||
"github.com/docker/libcontainer/apparmor"
|
||||
"github.com/docker/libcontainer/devices"
|
||||
"github.com/docker/libcontainer/mount"
|
||||
"github.com/docker/libcontainer/security/capabilities"
|
||||
"github.com/dotcloud/docker/daemon/execdriver"
|
||||
"github.com/dotcloud/docker/daemon/execdriver/native/configuration"
|
||||
"github.com/dotcloud/docker/daemon/execdriver/native/template"
|
||||
|
@ -26,37 +28,45 @@ func (d *driver) createContainer(c *execdriver.Command) (*libcontainer.Container
|
|||
container.Env = c.Env
|
||||
container.Cgroups.Name = c.ID
|
||||
container.Cgroups.AllowedDevices = c.AllowedDevices
|
||||
container.DeviceNodes = c.AutoCreatedDevices
|
||||
container.MountConfig.DeviceNodes = c.AutoCreatedDevices
|
||||
|
||||
// check to see if we are running in ramdisk to disable pivot root
|
||||
container.NoPivotRoot = os.Getenv("DOCKER_RAMDISK") != ""
|
||||
container.MountConfig.NoPivotRoot = os.Getenv("DOCKER_RAMDISK") != ""
|
||||
container.Context["restrictions"] = "true"
|
||||
|
||||
if err := d.createNetwork(container, c); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
if c.Privileged {
|
||||
if err := d.setPrivileged(container); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
}
|
||||
|
||||
if err := d.setupCgroups(container, c); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
if err := d.setupMounts(container, c); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
if err := d.setupLabels(container, c); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
cmds := make(map[string]*exec.Cmd)
|
||||
d.Lock()
|
||||
for k, v := range d.activeContainers {
|
||||
cmds[k] = v.cmd
|
||||
}
|
||||
d.Unlock()
|
||||
|
||||
if err := configuration.ParseConfiguration(container, cmds, c.Config["native"]); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
return container, nil
|
||||
}
|
||||
|
||||
|
@ -65,26 +75,24 @@ func (d *driver) createNetwork(container *libcontainer.Container, c *execdriver.
|
|||
container.Namespaces["NEWNET"] = false
|
||||
return nil
|
||||
}
|
||||
|
||||
container.Networks = []*libcontainer.Network{
|
||||
{
|
||||
Mtu: c.Network.Mtu,
|
||||
Address: fmt.Sprintf("%s/%d", "127.0.0.1", 0),
|
||||
Gateway: "localhost",
|
||||
Type: "loopback",
|
||||
Context: libcontainer.Context{},
|
||||
},
|
||||
}
|
||||
|
||||
if c.Network.Interface != nil {
|
||||
vethNetwork := libcontainer.Network{
|
||||
Mtu: c.Network.Mtu,
|
||||
Address: fmt.Sprintf("%s/%d", c.Network.Interface.IPAddress, c.Network.Interface.IPPrefixLen),
|
||||
Gateway: c.Network.Interface.Gateway,
|
||||
Type: "veth",
|
||||
Context: libcontainer.Context{
|
||||
"prefix": "veth",
|
||||
"bridge": c.Network.Interface.Bridge,
|
||||
},
|
||||
Mtu: c.Network.Mtu,
|
||||
Address: fmt.Sprintf("%s/%d", c.Network.Interface.IPAddress, c.Network.Interface.IPPrefixLen),
|
||||
Gateway: c.Network.Interface.Gateway,
|
||||
Type: "veth",
|
||||
Bridge: c.Network.Interface.Bridge,
|
||||
VethPrefix: "veth",
|
||||
}
|
||||
container.Networks = append(container.Networks, &vethNetwork)
|
||||
}
|
||||
|
@ -93,6 +101,7 @@ func (d *driver) createNetwork(container *libcontainer.Container, c *execdriver.
|
|||
d.Lock()
|
||||
active := d.activeContainers[c.Network.ContainerID]
|
||||
d.Unlock()
|
||||
|
||||
if active == nil || active.cmd.Process == nil {
|
||||
return fmt.Errorf("%s is not a valid running container to join", c.Network.ContainerID)
|
||||
}
|
||||
|
@ -100,30 +109,30 @@ func (d *driver) createNetwork(container *libcontainer.Container, c *execdriver.
|
|||
|
||||
nspath := filepath.Join("/proc", fmt.Sprint(cmd.Process.Pid), "ns", "net")
|
||||
container.Networks = append(container.Networks, &libcontainer.Network{
|
||||
Type: "netns",
|
||||
Context: libcontainer.Context{
|
||||
"nspath": nspath,
|
||||
},
|
||||
Type: "netns",
|
||||
NsPath: nspath,
|
||||
})
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func (d *driver) setPrivileged(container *libcontainer.Container) (err error) {
|
||||
container.Capabilities = libcontainer.GetAllCapabilities()
|
||||
container.Capabilities = capabilities.GetAllCapabilities()
|
||||
container.Cgroups.AllowAllDevices = true
|
||||
|
||||
hostDeviceNodes, err := devices.GetHostDeviceNodes()
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
container.DeviceNodes = hostDeviceNodes
|
||||
container.MountConfig.DeviceNodes = hostDeviceNodes
|
||||
|
||||
delete(container.Context, "restrictions")
|
||||
|
||||
if apparmor.IsEnabled() {
|
||||
container.Context["apparmor_profile"] = "unconfined"
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
|
@ -135,12 +144,13 @@ func (d *driver) setupCgroups(container *libcontainer.Container, c *execdriver.C
|
|||
container.Cgroups.MemorySwap = c.Resources.MemorySwap
|
||||
container.Cgroups.CpusetCpus = c.Resources.Cpuset
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func (d *driver) setupMounts(container *libcontainer.Container, c *execdriver.Command) error {
|
||||
for _, m := range c.Mounts {
|
||||
container.Mounts = append(container.Mounts, libcontainer.Mount{
|
||||
container.MountConfig.Mounts = append(container.MountConfig.Mounts, mount.Mount{
|
||||
Type: "bind",
|
||||
Source: m.Source,
|
||||
Destination: m.Destination,
|
||||
|
@ -148,11 +158,13 @@ func (d *driver) setupMounts(container *libcontainer.Container, c *execdriver.Co
|
|||
Private: m.Private,
|
||||
})
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func (d *driver) setupLabels(container *libcontainer.Container, c *execdriver.Command) error {
|
||||
container.Context["process_label"] = c.Config["process_label"][0]
|
||||
container.Context["mount_label"] = c.Config["mount_label"][0]
|
||||
|
||||
return nil
|
||||
}
|
||||
|
|
|
@ -34,10 +34,13 @@ func New() *libcontainer.Container {
|
|||
Parent: "docker",
|
||||
AllowAllDevices: false,
|
||||
},
|
||||
Context: libcontainer.Context{},
|
||||
MountConfig: &libcontainer.MountConfig{},
|
||||
Context: make(map[string]string),
|
||||
}
|
||||
|
||||
if apparmor.IsEnabled() {
|
||||
container.Context["apparmor_profile"] = "docker-default"
|
||||
}
|
||||
|
||||
return container
|
||||
}
|
||||
|
|
Загрузка…
Ссылка в новой задаче