
Merge pull request #38342 from crosbymichael/oci-refactor

Move caps and device spec utils to `oci` pkg
Akihiro Suda hace 6 años
padre
commit
62d80835ab
Se han modificado 5 ficheros con 20 adiciones y 18 borrados
  1. 1 1
      daemon/exec_linux.go
  2. 2 2
      daemon/oci_linux.go
  3. 2 2
      daemon/oci_windows.go
  4. 1 1
      oci/caps/utils.go
  5. 14 12
      oci/oci.go

+ 1 - 1
daemon/exec_linux.go

@@ -2,8 +2,8 @@ package daemon // import "github.com/docker/docker/daemon"
 
 import (
 	"github.com/docker/docker/container"
-	"github.com/docker/docker/daemon/caps"
 	"github.com/docker/docker/daemon/exec"
+	"github.com/docker/docker/oci/caps"
 	"github.com/opencontainers/runc/libcontainer/apparmor"
 	"github.com/opencontainers/runtime-spec/specs-go"
 )

+ 2 - 2
daemon/oci_linux.go

@@ -113,7 +113,7 @@ func setDevices(s *specs.Spec, c *container.Container) error {
 		}
 
 		var err error
-		devPermissions, err = appendDevicePermissionsFromCgroupRules(devPermissions, c.HostConfig.DeviceCgroupRules)
+		devPermissions, err = oci.AppendDevicePermissionsFromCgroupRules(devPermissions, c.HostConfig.DeviceCgroupRules)
 		if err != nil {
 			return err
 		}
@@ -762,7 +762,7 @@ func (daemon *Daemon) createSpec(c *container.Container) (retSpec *specs.Spec, e
 	if err := setNamespaces(daemon, &s, c); err != nil {
 		return nil, fmt.Errorf("linux spec namespaces: %v", err)
 	}
-	if err := setCapabilities(&s, c); err != nil {
+	if err := oci.SetCapabilities(&s, c.HostConfig.CapAdd, c.HostConfig.CapDrop, c.HostConfig.Privileged); err != nil {
 		return nil, fmt.Errorf("linux spec capabilities: %v", err)
 	}
 	if err := setSeccomp(daemon, &s, c); err != nil {

+ 2 - 2
daemon/oci_windows.go

@@ -368,10 +368,10 @@ func (daemon *Daemon) createSpecLinuxFields(c *container.Container, s *specs.Spe
 	}
 	s.Root.Path = "rootfs"
 	s.Root.Readonly = c.HostConfig.ReadonlyRootfs
-	if err := setCapabilities(s, c); err != nil {
+	if err := oci.SetCapabilities(s, c.HostConfig.CapAdd, c.HostConfig.CapDrop, c.HostConfig.Privileged); err != nil {
 		return fmt.Errorf("linux spec capabilities: %v", err)
 	}
-	devPermissions, err := appendDevicePermissionsFromCgroupRules(nil, c.HostConfig.DeviceCgroupRules)
+	devPermissions, err := oci.AppendDevicePermissionsFromCgroupRules(nil, c.HostConfig.DeviceCgroupRules)
 	if err != nil {
 		return fmt.Errorf("linux runtime spec devices: %v", err)
 	}

+ 1 - 1
daemon/caps/utils.go → oci/caps/utils.go

@@ -1,4 +1,4 @@
-package caps // import "github.com/docker/docker/daemon/caps"
+package caps // import "github.com/docker/docker/oci/caps"
 
 import (
 	"fmt"

+ 14 - 12
daemon/oci.go → oci/oci.go

@@ -1,27 +1,28 @@
-package daemon // import "github.com/docker/docker/daemon"
+package oci // import "github.com/docker/docker/oci"
 
 import (
 	"fmt"
 	"regexp"
 	"strconv"
 
-	"github.com/docker/docker/container"
-	"github.com/docker/docker/daemon/caps"
+	"github.com/docker/docker/oci/caps"
 	specs "github.com/opencontainers/runtime-spec/specs-go"
 )
 
 // nolint: gosimple
-var (
-	deviceCgroupRuleRegex = regexp.MustCompile("^([acb]) ([0-9]+|\\*):([0-9]+|\\*) ([rwm]{1,3})$")
-)
+var deviceCgroupRuleRegex = regexp.MustCompile("^([acb]) ([0-9]+|\\*):([0-9]+|\\*) ([rwm]{1,3})$")
 
-func setCapabilities(s *specs.Spec, c *container.Container) error {
-	var caplist []string
-	var err error
-	if c.HostConfig.Privileged {
+// SetCapabilities sets the provided capabilities on the spec
+// All capabilities are added if privileged is true
+func SetCapabilities(s *specs.Spec, add, drop []string, privileged bool) error {
+	var (
+		caplist []string
+		err     error
+	)
+	if privileged {
 		caplist = caps.GetAllCapabilities()
 	} else {
-		caplist, err = caps.TweakCapabilities(s.Process.Capabilities.Bounding, c.HostConfig.CapAdd, c.HostConfig.CapDrop)
+		caplist, err = caps.TweakCapabilities(s.Process.Capabilities.Bounding, add, drop)
 		if err != nil {
 			return err
 		}
@@ -39,7 +40,8 @@ func setCapabilities(s *specs.Spec, c *container.Container) error {
 	return nil
 }
 
-func appendDevicePermissionsFromCgroupRules(devPermissions []specs.LinuxDeviceCgroup, rules []string) ([]specs.LinuxDeviceCgroup, error) {
+// AppendDevicePermissionsFromCgroupRules takes rules for the devices cgroup to append to the default set
+func AppendDevicePermissionsFromCgroupRules(devPermissions []specs.LinuxDeviceCgroup, rules []string) ([]specs.LinuxDeviceCgroup, error) {
 	for _, deviceCgroupRule := range rules {
 		ss := deviceCgroupRuleRegex.FindAllStringSubmatch(deviceCgroupRule, -1)
 		if len(ss[0]) != 5 {
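Review bot: `ss[0]` on the last line of the second hunk is indexed before checking that the regexp matched at all; FindAllStringSubmatch returns nil for a rule that does not match `deviceCgroupRuleRegex`, so a malformed DeviceCgroupRules entry panics with an index-out-of-range instead of reaching the error path that the existing `len(ss[0]) != 5` check presumably leads to. Since AppendDevicePermissionsFromCgroupRules is now exported and the rules come from the container's HostConfig, the guard should cover both cases: `if len(ss) == 0 || len(ss[0]) != 5 {`. The loop body and the function's return continue past the end of the hunk. In the first hunk, the new doc comment on SetCapabilities could also state what the code shows, namely that add and drop are not consulted when privileged is true, e.g. `// SetCapabilities sets the provided capabilities on the spec.` / `// When privileged is true all capabilities are added and add/drop are ignored.`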