0ct0pu5/moby
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Merge pull request #12667 from ibuildthecloud/host-uts

Browse source 
Add --uts=host to allow sharing the UTS namespace
This commit is contained in:
Sebastiaan van Stijn 2015-05-13 18:30:32 -07:00
commit ed25742002
10 changed files with 119 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
daemon/container.go
View file

@ -335,6 +335,10 @@ func populateCommand(c *Container, env []string) error {
pid := &execdriver.Pid{} pid := &execdriver.Pid{}
pid.HostPid = c.hostConfig.PidMode.IsHost() pid.HostPid = c.hostConfig.PidMode.IsHost()
uts := &execdriver.UTS{
HostUTS: c.hostConfig.UTSMode.IsHost(),
}
// Build lists of devices allowed and created within the container. // Build lists of devices allowed and created within the container.
var userSpecifiedDevices []*configs.Device var userSpecifiedDevices []*configs.Device
for _, deviceMapping := range c.hostConfig.Devices { for _, deviceMapping := range c.hostConfig.Devices {
@ -410,6 +414,7 @@ func populateCommand(c *Container, env []string) error {
Network: en, Network: en,
Ipc: ipc, Ipc: ipc,
Pid: pid, Pid: pid,
UTS: uts,
Resources: resources, Resources: resources,
AllowedDevices: allowedDevices, AllowedDevices: allowedDevices,
AutoCreatedDevices: autoCreatedDevices, AutoCreatedDevices: autoCreatedDevices,

6
daemon/execdriver/driver.go
View file

@ -86,6 +86,11 @@ type Pid struct {
HostPid bool `json:"host_pid"` HostPid bool `json:"host_pid"`
} }
// UTS settings of the container
type UTS struct {
HostUTS bool `json:"host_uts"`
}
type NetworkInterface struct { type NetworkInterface struct {
Gateway string `json:"gateway"` Gateway string `json:"gateway"`
IPAddress string `json:"ip"` IPAddress string `json:"ip"`
@ -155,6 +160,7 @@ type Command struct {
Network *Network `json:"network"` Network *Network `json:"network"`
Ipc *Ipc `json:"ipc"` Ipc *Ipc `json:"ipc"`
Pid *Pid `json:"pid"` Pid *Pid `json:"pid"`
UTS *UTS `json:"uts"`
Resources *Resources `json:"resources"` Resources *Resources `json:"resources"`
Mounts []Mount `json:"mounts"` Mounts []Mount `json:"mounts"`
AllowedDevices []*configs.Device `json:"allowed_devices"` AllowedDevices []*configs.Device `json:"allowed_devices"`

14
daemon/execdriver/native/create.go
View file

@ -29,6 +29,10 @@ func (d *driver) createContainer(c *execdriver.Command) (*configs.Config, error)
return nil, err return nil, err
} }
if err := d.createUTS(container, c); err != nil {
return nil, err
}
if err := d.createNetwork(container, c); err != nil { if err := d.createNetwork(container, c); err != nil {
return nil, err return nil, err
} }
@ -173,6 +177,16 @@ func (d *driver) createPid(container *configs.Config, c *execdriver.Command) err
return nil return nil
} }
func (d *driver) createUTS(container *configs.Config, c *execdriver.Command) error {
if c.UTS.HostUTS {
container.Namespaces.Remove(configs.NEWUTS)
container.Hostname = ""
return nil
}
return nil
}
func (d *driver) setPrivileged(container *configs.Config) (err error) { func (d *driver) setPrivileged(container *configs.Config) (err error) {
container.Capabilities = execdriver.GetAllCapabilities() container.Capabilities = execdriver.GetAllCapabilities()
container.Cgroups.AllowAllDevices = true container.Cgroups.AllowAllDevices = true

6
docs/man/docker-create.1.md
View file

@ -42,6 +42,7 @@ docker-create - Create a new container
[**-P**|**--publish-all**[=*false*]] [**-P**|**--publish-all**[=*false*]]
[**-p**|**--publish**[=*[]*]] [**-p**|**--publish**[=*[]*]]
[**--pid**[=*[]*]] [**--pid**[=*[]*]]
[**--uts**[=*[]*]]
[**--privileged**[=*false*]] [**--privileged**[=*false*]]
[**--read-only**[=*false*]] [**--read-only**[=*false*]]
[**--restart**[=*RESTART*]] [**--restart**[=*RESTART*]]
@ -193,6 +194,11 @@ This value should always larger than **-m**, so you should alway use this with *
**host**: use the host's PID namespace inside the container. **host**: use the host's PID namespace inside the container.
Note: the host mode gives the container full access to local PID and is therefore considered insecure. Note: the host mode gives the container full access to local PID and is therefore considered insecure.
**--uts**=host
Set the UTS mode for the container
**host**: use the host's UTS namespace inside the container.
Note: the host mode gives the container access to changing the host's hostname and is therefore considered insecure.
**--privileged**=*true*|*false* **--privileged**=*true*|*false*
Give extended privileges to this container. The default is *false*. Give extended privileges to this container. The default is *false*.

6
docs/man/docker-run.1.md
View file

@ -43,6 +43,7 @@ docker-run - Run a command in a new container
[**-P**|**--publish-all**[=*false*]] [**-P**|**--publish-all**[=*false*]]
[**-p**|**--publish**[=*[]*]] [**-p**|**--publish**[=*[]*]]
[**--pid**[=*[]*]] [**--pid**[=*[]*]]
[**--uts**[=*[]*]]
[**--privileged**[=*false*]] [**--privileged**[=*false*]]
[**--read-only**[=*false*]] [**--read-only**[=*false*]]
[**--restart**[=*RESTART*]] [**--restart**[=*RESTART*]]
@ -323,6 +324,11 @@ ports and the exposed ports, use `docker port`.
**host**: use the host's PID namespace inside the container. **host**: use the host's PID namespace inside the container.
Note: the host mode gives the container full access to local PID and is therefore considered insecure. Note: the host mode gives the container full access to local PID and is therefore considered insecure.
**--uts**=host
Set the UTS mode for the container
**host**: use the host's UTS namespace inside the container.
Note: the host mode gives the container access to changing the host's hostname and is therefore considered insecure.
**--privileged**=*true*|*false* **--privileged**=*true*|*false*
Give extended privileges to this container. The default is *false*. Give extended privileges to this container. The default is *false*.

3
docs/sources/reference/commandline/cli.md
View file

@ -991,6 +991,8 @@ Creates a new container.
--oom-kill-disable=false Whether to disable OOM Killer for the container or not --oom-kill-disable=false Whether to disable OOM Killer for the container or not
-P, --publish-all=false Publish all exposed ports to random ports -P, --publish-all=false Publish all exposed ports to random ports
-p, --publish=[] Publish a container's port(s) to the host -p, --publish=[] Publish a container's port(s) to the host
--pid="" PID namespace to use
--uts="" UTS namespace to use
--privileged=false Give extended privileges to this container --privileged=false Give extended privileges to this container
--read-only=false Mount the container's root filesystem as read only --read-only=false Mount the container's root filesystem as read only
--restart="no" Restart policy (no, on-failure[:max-retry], always) --restart="no" Restart policy (no, on-failure[:max-retry], always)
@ -1958,6 +1960,7 @@ To remove an image using its digest:
-P, --publish-all=false Publish all exposed ports to random ports -P, --publish-all=false Publish all exposed ports to random ports
-p, --publish=[] Publish a container's port(s) to the host -p, --publish=[] Publish a container's port(s) to the host
--pid="" PID namespace to use --pid="" PID namespace to use
--uts="" UTS namespace to use
--privileged=false Give extended privileges to this container --privileged=false Give extended privileges to this container
--read-only=false Mount the container's root filesystem as read only --read-only=false Mount the container's root filesystem as read only
--restart="no" Restart policy (no, on-failure[:max-retry], always) --restart="no" Restart policy (no, on-failure[:max-retry], always)

18
docs/sources/reference/run.md
View file

@ -157,6 +157,7 @@ called a digest. As long as the input used to generate the image is unchanged,
the digest value is predictable and referenceable. the digest value is predictable and referenceable.
## PID settings (--pid) ## PID settings (--pid)
--pid="" : Set the PID (Process) Namespace mode for the container, --pid="" : Set the PID (Process) Namespace mode for the container,
'host': use the host's PID namespace inside the container 'host': use the host's PID namespace inside the container
@ -177,6 +178,23 @@ within the container.
This command would allow you to use `strace` inside the container on pid 1234 on This command would allow you to use `strace` inside the container on pid 1234 on
the host. the host.
## UTS settings (--uts)
--uts="" : Set the UTS namespace mode for the container,
'host': use the host's UTS namespace inside the container
The UTS namespace is for setting the hostname and the domain that is visible
to running processes in that namespace. By default, all containers, including
those with `--net=host`, have their own UTS namespace. The `host` setting will
result in the container using the same UTS namespace as the host.
You may wish to share the UTS namespace with the host if you would like the
hostname of the container to change as the hostname of the host changes. A
more advanced use case would be changing the host's hostname from a container.
> **Note**: `--uts="host"` gives the container full access to change the
> hostname of the host and is therefore considered insecure.
## IPC settings (--ipc) ## IPC settings (--ipc)
--ipc="" : Set the IPC mode for the container, --ipc="" : Set the IPC mode for the container,

32
integration-cli/docker_cli_run_test.go
View file

@ -2765,6 +2765,38 @@ func (s *DockerSuite) TestRunModePidHost(c *check.C) {
} }
} }
func (s *DockerSuite) TestRunModeUTSHost(c *check.C) {
testRequires(c, NativeExecDriver, SameHostDaemon)
defer deleteAllContainers()
hostUTS, err := os.Readlink("/proc/1/ns/uts")
if err != nil {
c.Fatal(err)
}
cmd := exec.Command(dockerBinary, "run", "--uts=host", "busybox", "readlink", "/proc/self/ns/uts")
out2, _, err := runCommandWithOutput(cmd)
if err != nil {
c.Fatal(err, out2)
}
out2 = strings.Trim(out2, "\n")
if hostUTS != out2 {
c.Fatalf("UTS different with --uts=host %s != %s\n", hostUTS, out2)
}
cmd = exec.Command(dockerBinary, "run", "busybox", "readlink", "/proc/self/ns/uts")
out2, _, err = runCommandWithOutput(cmd)
if err != nil {
c.Fatal(err, out2)
}
out2 = strings.Trim(out2, "\n")
if hostUTS == out2 {
c.Fatalf("UTS should be different without --uts=host %s == %s\n", hostUTS, out2)
}
}
func (s *DockerSuite) TestRunTLSverify(c *check.C) { func (s *DockerSuite) TestRunTLSverify(c *check.C) {
cmd := exec.Command(dockerBinary, "ps") cmd := exec.Command(dockerBinary, "ps")
out, ec, err := runCommandWithOutput(cmd) out, ec, err := runCommandWithOutput(cmd)

22
runconfig/hostconfig.go
View file

@ -76,6 +76,27 @@ func (n IpcMode) Container() string {
return "" return ""
} }
type UTSMode string
// IsPrivate indicates whether container use it's private UTS namespace
func (n UTSMode) IsPrivate() bool {
return !(n.IsHost())
}
func (n UTSMode) IsHost() bool {
return n == "host"
}
func (n UTSMode) Valid() bool {
parts := strings.Split(string(n), ":")
switch mode := parts[0]; mode {
case "", "host":
default:
return false
}
return true
}
type PidMode string type PidMode string
// IsPrivate indicates whether container use it's private pid stack // IsPrivate indicates whether container use it's private pid stack
@ -187,6 +208,7 @@ type HostConfig struct {
NetworkMode NetworkMode NetworkMode NetworkMode
IpcMode IpcMode IpcMode IpcMode
PidMode PidMode PidMode PidMode
UTSMode UTSMode
CapAdd []string CapAdd []string
CapDrop []string CapDrop []string
RestartPolicy RestartPolicy RestartPolicy RestartPolicy

7
runconfig/parse.go
View file

@ -52,6 +52,7 @@ func Parse(cmd *flag.FlagSet, args []string) (*Config, *HostConfig, *flag.FlagSe
flNetwork = cmd.Bool([]string{"#n", "#-networking"}, true, "Enable networking for this container") flNetwork = cmd.Bool([]string{"#n", "#-networking"}, true, "Enable networking for this container")
flPrivileged = cmd.Bool([]string{"#privileged", "-privileged"}, false, "Give extended privileges to this container") flPrivileged = cmd.Bool([]string{"#privileged", "-privileged"}, false, "Give extended privileges to this container")
flPidMode = cmd.String([]string{"-pid"}, "", "PID namespace to use") flPidMode = cmd.String([]string{"-pid"}, "", "PID namespace to use")
flUTSMode = cmd.String([]string{"-uts"}, "", "UTS namespace to use")
flPublishAll = cmd.Bool([]string{"P", "-publish-all"}, false, "Publish all exposed ports to random ports") flPublishAll = cmd.Bool([]string{"P", "-publish-all"}, false, "Publish all exposed ports to random ports")
flStdin = cmd.Bool([]string{"i", "-interactive"}, false, "Keep STDIN open even if not attached") flStdin = cmd.Bool([]string{"i", "-interactive"}, false, "Keep STDIN open even if not attached")
flTty = cmd.Bool([]string{"t", "-tty"}, false, "Allocate a pseudo-TTY") flTty = cmd.Bool([]string{"t", "-tty"}, false, "Allocate a pseudo-TTY")
@ -281,6 +282,11 @@ func Parse(cmd *flag.FlagSet, args []string) (*Config, *HostConfig, *flag.FlagSe
return nil, nil, cmd, fmt.Errorf("--pid: invalid PID mode") return nil, nil, cmd, fmt.Errorf("--pid: invalid PID mode")
} }
utsMode := UTSMode(*flUTSMode)
if !utsMode.Valid() {
return nil, nil, cmd, fmt.Errorf("--uts: invalid UTS mode")
}
restartPolicy, err := ParseRestartPolicy(*flRestartPolicy) restartPolicy, err := ParseRestartPolicy(*flRestartPolicy)
if err != nil { if err != nil {
return nil, nil, cmd, err return nil, nil, cmd, err
@ -337,6 +343,7 @@ func Parse(cmd *flag.FlagSet, args []string) (*Config, *HostConfig, *flag.FlagSe
NetworkMode: netMode, NetworkMode: netMode,
IpcMode: ipcMode, IpcMode: ipcMode,
PidMode: pidMode, PidMode: pidMode,
UTSMode: utsMode,
Devices: deviceMappings, Devices: deviceMappings,
CapAdd: flCapAdd.GetAll(), CapAdd: flCapAdd.GetAll(),
CapDrop: flCapDrop.GetAll(), CapDrop: flCapDrop.GetAll(),