|
|
@@ -9,6 +9,8 @@ import (
|
|
|
"github.com/docker/libcontainer"
|
|
|
"github.com/docker/libcontainer/apparmor"
|
|
|
"github.com/docker/libcontainer/devices"
|
|
|
+ "github.com/docker/libcontainer/mount"
|
|
|
+ "github.com/docker/libcontainer/security/capabilities"
|
|
|
"github.com/dotcloud/docker/daemon/execdriver"
|
|
|
"github.com/dotcloud/docker/daemon/execdriver/native/configuration"
|
|
|
"github.com/dotcloud/docker/daemon/execdriver/native/template"
|
|
|
@@ -26,37 +28,45 @@ func (d *driver) createContainer(c *execdriver.Command) (*libcontainer.Container
|
|
|
container.Env = c.Env
|
|
|
container.Cgroups.Name = c.ID
|
|
|
container.Cgroups.AllowedDevices = c.AllowedDevices
|
|
|
- container.DeviceNodes = c.AutoCreatedDevices
|
|
|
+ container.MountConfig.DeviceNodes = c.AutoCreatedDevices
|
|
|
+
|
|
|
// check to see if we are running in ramdisk to disable pivot root
|
|
|
- container.NoPivotRoot = os.Getenv("DOCKER_RAMDISK") != ""
|
|
|
+ container.MountConfig.NoPivotRoot = os.Getenv("DOCKER_RAMDISK") != ""
|
|
|
container.Context["restrictions"] = "true"
|
|
|
|
|
|
if err := d.createNetwork(container, c); err != nil {
|
|
|
return nil, err
|
|
|
}
|
|
|
+
|
|
|
if c.Privileged {
|
|
|
if err := d.setPrivileged(container); err != nil {
|
|
|
return nil, err
|
|
|
}
|
|
|
}
|
|
|
+
|
|
|
if err := d.setupCgroups(container, c); err != nil {
|
|
|
return nil, err
|
|
|
}
|
|
|
+
|
|
|
if err := d.setupMounts(container, c); err != nil {
|
|
|
return nil, err
|
|
|
}
|
|
|
+
|
|
|
if err := d.setupLabels(container, c); err != nil {
|
|
|
return nil, err
|
|
|
}
|
|
|
+
|
|
|
cmds := make(map[string]*exec.Cmd)
|
|
|
d.Lock()
|
|
|
for k, v := range d.activeContainers {
|
|
|
cmds[k] = v.cmd
|
|
|
}
|
|
|
d.Unlock()
|
|
|
+
|
|
|
if err := configuration.ParseConfiguration(container, cmds, c.Config["native"]); err != nil {
|
|
|
return nil, err
|
|
|
}
|
|
|
+
|
|
|
return container, nil
|
|
|
}
|
|
|
|
|
|
@@ -65,26 +75,24 @@ func (d *driver) createNetwork(container *libcontainer.Container, c *execdriver.
|
|
|
container.Namespaces["NEWNET"] = false
|
|
|
return nil
|
|
|
}
|
|
|
+
|
|
|
container.Networks = []*libcontainer.Network{
|
|
|
{
|
|
|
Mtu: c.Network.Mtu,
|
|
|
Address: fmt.Sprintf("%s/%d", "127.0.0.1", 0),
|
|
|
Gateway: "localhost",
|
|
|
Type: "loopback",
|
|
|
- Context: libcontainer.Context{},
|
|
|
},
|
|
|
}
|
|
|
|
|
|
if c.Network.Interface != nil {
|
|
|
vethNetwork := libcontainer.Network{
|
|
|
- Mtu: c.Network.Mtu,
|
|
|
- Address: fmt.Sprintf("%s/%d", c.Network.Interface.IPAddress, c.Network.Interface.IPPrefixLen),
|
|
|
- Gateway: c.Network.Interface.Gateway,
|
|
|
- Type: "veth",
|
|
|
- Context: libcontainer.Context{
|
|
|
- "prefix": "veth",
|
|
|
- "bridge": c.Network.Interface.Bridge,
|
|
|
- },
|
|
|
+ Mtu: c.Network.Mtu,
|
|
|
+ Address: fmt.Sprintf("%s/%d", c.Network.Interface.IPAddress, c.Network.Interface.IPPrefixLen),
|
|
|
+ Gateway: c.Network.Interface.Gateway,
|
|
|
+ Type: "veth",
|
|
|
+ Bridge: c.Network.Interface.Bridge,
|
|
|
+ VethPrefix: "veth",
|
|
|
}
|
|
|
container.Networks = append(container.Networks, &vethNetwork)
|
|
|
}
|
|
|
@@ -93,6 +101,7 @@ func (d *driver) createNetwork(container *libcontainer.Container, c *execdriver.
|
|
|
d.Lock()
|
|
|
active := d.activeContainers[c.Network.ContainerID]
|
|
|
d.Unlock()
|
|
|
+
|
|
|
if active == nil || active.cmd.Process == nil {
|
|
|
return fmt.Errorf("%s is not a valid running container to join", c.Network.ContainerID)
|
|
|
}
|
|
|
@@ -100,30 +109,30 @@ func (d *driver) createNetwork(container *libcontainer.Container, c *execdriver.
|
|
|
|
|
|
nspath := filepath.Join("/proc", fmt.Sprint(cmd.Process.Pid), "ns", "net")
|
|
|
container.Networks = append(container.Networks, &libcontainer.Network{
|
|
|
- Type: "netns",
|
|
|
- Context: libcontainer.Context{
|
|
|
- "nspath": nspath,
|
|
|
- },
|
|
|
+ Type: "netns",
|
|
|
+ NsPath: nspath,
|
|
|
})
|
|
|
}
|
|
|
+
|
|
|
return nil
|
|
|
}
|
|
|
|
|
|
func (d *driver) setPrivileged(container *libcontainer.Container) (err error) {
|
|
|
- container.Capabilities = libcontainer.GetAllCapabilities()
|
|
|
+ container.Capabilities = capabilities.GetAllCapabilities()
|
|
|
container.Cgroups.AllowAllDevices = true
|
|
|
|
|
|
hostDeviceNodes, err := devices.GetHostDeviceNodes()
|
|
|
if err != nil {
|
|
|
return err
|
|
|
}
|
|
|
- container.DeviceNodes = hostDeviceNodes
|
|
|
+ container.MountConfig.DeviceNodes = hostDeviceNodes
|
|
|
|
|
|
delete(container.Context, "restrictions")
|
|
|
|
|
|
if apparmor.IsEnabled() {
|
|
|
container.Context["apparmor_profile"] = "unconfined"
|
|
|
}
|
|
|
+
|
|
|
return nil
|
|
|
}
|
|
|
|
|
|
@@ -135,12 +144,13 @@ func (d *driver) setupCgroups(container *libcontainer.Container, c *execdriver.C
|
|
|
container.Cgroups.MemorySwap = c.Resources.MemorySwap
|
|
|
container.Cgroups.CpusetCpus = c.Resources.Cpuset
|
|
|
}
|
|
|
+
|
|
|
return nil
|
|
|
}
|
|
|
|
|
|
func (d *driver) setupMounts(container *libcontainer.Container, c *execdriver.Command) error {
|
|
|
for _, m := range c.Mounts {
|
|
|
- container.Mounts = append(container.Mounts, libcontainer.Mount{
|
|
|
+ container.MountConfig.Mounts = append(container.MountConfig.Mounts, mount.Mount{
|
|
|
Type: "bind",
|
|
|
Source: m.Source,
|
|
|
Destination: m.Destination,
|
|
|
@@ -148,11 +158,13 @@ func (d *driver) setupMounts(container *libcontainer.Container, c *execdriver.Co
|
|
|
Private: m.Private,
|
|
|
})
|
|
|
}
|
|
|
+
|
|
|
return nil
|
|
|
}
|
|
|
|
|
|
func (d *driver) setupLabels(container *libcontainer.Container, c *execdriver.Command) error {
|
|
|
container.Context["process_label"] = c.Config["process_label"][0]
|
|
|
container.Context["mount_label"] = c.Config["mount_label"][0]
|
|
|
+
|
|
|
return nil
|
|
|
}
|
Michael Crosby