Basic --cap-add and --cap-drop support for lxc
Docker-DCO-1.1-Signed-off-by: Victor Vieux <vieux@docker.com> (github: vieux)
This commit is contained in:
parent
94e6dc9781
commit
21059af3ac
4 changed files with 33 additions and 3 deletions
|
@ -60,6 +60,8 @@ type InitArgs struct {
|
|||
Console string
|
||||
Pipe int
|
||||
Root string
|
||||
CapAdd string
|
||||
CapDrop string
|
||||
}
|
||||
|
||||
// Driver specific information based on
|
||||
|
|
|
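Review bot: The new CapAdd and CapDrop fields carry no comment, and their type differs from the lists they originate from: the lxc driver builds them with `strings.Join(c.CapAdd, " ")`, so on execdriver.Command they are `[]string` while here they are a single string that crosses the exec boundary as a flag value. A comment on the two fields such as `// CapAdd and CapDrop are space-separated lists of capability names, as received on the dockerinit command line; dockerinit splits them on " "` would record that encoding where the next maintainer will look for it. The InitArgs definition starts before the hunk.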
@ -122,6 +122,14 @@ func (d *driver) Run(c *execdriver.Command, pipes *execdriver.Pipes, startCallba
|
|||
params = append(params, "-w", c.WorkingDir)
|
||||
}
|
||||
|
||||
if len(c.CapAdd) > 0 {
|
||||
params = append(params, "-cap-add", strings.Join(c.CapAdd, " "))
|
||||
}
|
||||
|
||||
if len(c.CapDrop) > 0 {
|
||||
params = append(params, "-cap-drop", strings.Join(c.CapDrop, " "))
|
||||
}
|
||||
|
||||
params = append(params, "--", c.Entrypoint)
|
||||
params = append(params, c.Arguments...)
|
||||
|
||||
|
|
|
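Review bot: The space-separated encoding produced by `strings.Join(c.CapAdd, " ")` and `strings.Join(c.CapDrop, " ")` is an implicit contract with the split in dockerinit's finalizeNamespace, and nothing in this hunk records it; a comment such as `// dockerinit expects a single space-separated list for -cap-add/-cap-drop` above the two appends would make the coupling visible. Nothing visible here validates the names either: a value containing a space would be read as two names on the other side, and an unknown name is forwarded as-is, so if the CLI layer does not already check them against the known capability list this is the natural place to reject bad input before it reaches the container init. Run's body continues past both ends of the hunk.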
@ -4,6 +4,7 @@ package lxc
|
|||
|
||||
import (
|
||||
"fmt"
|
||||
"strings"
|
||||
"syscall"
|
||||
|
||||
"github.com/docker/libcontainer/namespaces"
|
||||
|
@ -12,6 +13,7 @@ import (
|
|||
"github.com/dotcloud/docker/daemon/execdriver"
|
||||
"github.com/dotcloud/docker/daemon/execdriver/native/template"
|
||||
"github.com/dotcloud/docker/pkg/system"
|
||||
utils2 "github.com/dotcloud/docker/utils"
|
||||
)
|
||||
|
||||
func setHostname(hostname string) error {
|
||||
|
@ -48,8 +50,21 @@ func finalizeNamespace(args *execdriver.InitArgs) error {
|
|||
return fmt.Errorf("clear keep caps %s", err)
|
||||
}
|
||||
|
||||
var caps []string
|
||||
for _, cap := range container.Capabilities {
|
||||
if !utils2.StringsContains(strings.Split(args.CapDrop, " "), cap) {
|
||||
caps = append(caps, cap)
|
||||
}
|
||||
}
|
||||
|
||||
for _, cap := range strings.Split(args.CapAdd, " ") {
|
||||
if !utils2.StringsContains(caps, cap) {
|
||||
caps = append(caps, cap)
|
||||
}
|
||||
}
|
||||
|
||||
// drop all other capabilities
|
||||
if err := capabilities.DropCapabilities(container.Capabilities); err != nil {
|
||||
if err := capabilities.DropCapabilities(caps); err != nil {
|
||||
return fmt.Errorf("drop capabilities %s", err)
|
||||
}
|
||||
}
|
||||
|
|
|
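Review bot: `strings.Split(args.CapAdd, " ")` in the second loop yields `[""]` when no --cap-add was given, so an empty-string capability name is appended to caps and handed to DropCapabilities; the `strings.Split(args.CapDrop, " ")` in the first loop has the same quirk but is harmless there because no real name matches "". Whether DropCapabilities fails on the empty name or silently ignores it is not visible in this hunk, but `strings.Fields` is the right primitive either way, since it returns no elements for an empty string and tolerates repeated spaces: `if !utils2.StringsContains(strings.Fields(args.CapDrop), cap) {` and `for _, cap := range strings.Fields(args.CapAdd) {`. Note also that the drop list is applied only to the template's default set, so `--cap-add X --cap-drop X` ends with X granted; if add winning over drop is intended, a one-line comment saying so would save a future reader the analysis. The loop variable `cap` shadows the builtin; `name` would avoid it. The enclosing `if` and finalizeNamespace itself continue past the end of the hunk.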
@ -3,11 +3,12 @@ package sysinit
|
|||
import (
|
||||
"flag"
|
||||
"fmt"
|
||||
"log"
|
||||
"os"
|
||||
|
||||
"github.com/dotcloud/docker/daemon/execdriver"
|
||||
_ "github.com/dotcloud/docker/daemon/execdriver/lxc"
|
||||
_ "github.com/dotcloud/docker/daemon/execdriver/native"
|
||||
"log"
|
||||
"os"
|
||||
)
|
||||
|
||||
func executeProgram(args *execdriver.InitArgs) error {
|
||||
|
@ -39,6 +40,8 @@ func SysInit() {
|
|||
pipe = flag.Int("pipe", 0, "sync pipe fd")
|
||||
console = flag.String("console", "", "console (pty slave) path")
|
||||
root = flag.String("root", ".", "root path for configuration files")
|
||||
capAdd = flag.String("cap-add", "", "capabilities to add")
|
||||
capDrop = flag.String("cap-drop", "", "capabilities to drop")
|
||||
)
|
||||
flag.Parse()
|
||||
|
||||
|
@ -54,6 +57,8 @@ func SysInit() {
|
|||
Console: *console,
|
||||
Pipe: *pipe,
|
||||
Root: *root,
|
||||
CapAdd: *capAdd,
|
||||
CapDrop: *capDrop,
|
||||
}
|
||||
|
||||
if err := executeProgram(args); err != nil {
|
||||
|
|
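Review bot: The usage strings for the two new flags do not say how several capabilities are encoded, while finalizeNamespace splits the value on a single space; `capAdd = flag.String("cap-add", "", "space-separated list of capabilities to add")` and the matching wording for `cap-drop` would make the contract visible from `dockerinit -h`. SysInit continues outside both hunks shown.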