há 11 anos atrás · f042c3c157
--- a/daemon/execdriver/native/create.go
+++ b/daemon/execdriver/native/create.go
@@ -101,9 +101,9 @@ func (d *driver) setPrivileged(container *libcontainer.Container) (err error) {
 
				 	container.Cgroups.DeviceAccess = true
			
 
				 
			
 
				 	delete(container.Context, "restrictions")
			
 
				-	delete(container.DeviceNodes, "additional")
			
 
				 
			
 
				-	if container.DeviceNodes["required"], err = nodes.GetHostDeviceNodes(); err != nil {
			
 
				+	container.OptionalDeviceNodes = nil
			
 
				+	if container.RequiredDeviceNodes, err = nodes.GetHostDeviceNodes(); err != nil {
			
 
				 		return err
			
 
				 	}
			
 
				 
			
--- a/daemon/execdriver/native/template/default_template.go
+++ b/daemon/execdriver/native/template/default_template.go
@@ -33,11 +33,9 @@ func New() *libcontainer.Container {
 
				 			Parent:       "docker",
			
 
				 			DeviceAccess: false,
			
 
				 		},
			
 
				-		Context: libcontainer.Context{},
			
 
				-		DeviceNodes: map[string][]string{
			
 
				-			"required":   nodes.DefaultNodes,
			
 
				-			"additional": {"fuse"},
			
 
				-		},
			
 
				+		Context:             libcontainer.Context{},
			
 
				+		RequiredDeviceNodes: nodes.DefaultNodes,
			
 
				+		OptionalDeviceNodes: []string{"fuse"},
			
 
				 	}
			
 
				 	if apparmor.IsEnabled() {
			
 
				 		container.Context["apparmor_profile"] = "docker-default"
			
--- a/pkg/libcontainer/container.go
+++ b/pkg/libcontainer/container.go
@@ -43,7 +43,7 @@ type Container struct {
 
				 	// All capbilities not specified will be dropped from the processes capability mask
			
 
				 	Capabilities []string `json:"capabilities,omitempty"`
			
 
				 
			
 
				-	// Networks specifies the container's network stop to be created
			
 
				+	// Networks specifies the container's network setup to be created
			
 
				 	Networks []*Network `json:"networks,omitempty"`
			
 
				 
			
 
				 	// Cgroups specifies specific cgroup settings for the various subsystems that the container is
			
@@ -60,14 +60,13 @@ type Container struct {
 
				 	// rootfs and mount namespace if specified
			
 
				 	Mounts Mounts `json:"mounts,omitempty"`
			
 
				 
			
 
				-	// DeviceNodes are a list of 'required' and 'additional' nodes that will be mknod into the container's
			
 
				-	// rootfs at /dev
			
 
				-	//
			
 
				-	// Required device nodes will return an error if the host system does not have this device available
			
 
				-	//
			
 
				-	// Additional device nodes are created but no error is returned if the host system does not have the
			
 
				-	// device avaliable for use by the container
			
 
				-	DeviceNodes map[string][]string `json:"device_nodes,omitempty"`
			
 
				+	// RequiredDeviceNodes are a list of device nodes that will be mknod into the container's rootfs at /dev
			
 
				+	// If the host system does not support the device that the container requests an error is returned
			
 
				+	RequiredDeviceNodes []string `json:"required_device_nodes,omitempty"`
			
 
				+
			
 
				+	// OptionalDeviceNodes are a list of device nodes that will be mknod into the container's rootfs at /dev
			
 
				+	// If the host system does not support the device that the container requests the error is ignored
			
 
				+	OptionalDeviceNodes []string `json:"optional_device_nodes,omitempty"`
			
 
				 }
			
 
				 
			
 
				 // Network defines configuration for a container's networking stack
			
--- a/pkg/libcontainer/container.json
+++ b/pkg/libcontainer/container.json
@@ -44,14 +44,12 @@
 
				       "type": "devtmpfs"
			
 
				     }
			
 
				   ],
			
 
				-  "device_nodes": {
			
 
				-      "required": [
			
 
				-          "null",
			
 
				-          "zero",
			
 
				-          "full",
			
 
				-          "random",
			
 
				-          "urandom",
			
 
				-          "tty"
			
 
				-      ]
			
 
				-  }
			
 
				+  "required_device_nodes": [
			
 
				+      "null",
			
 
				+      "zero",
			
 
				+      "full",
			
 
				+      "random",
			
 
				+      "urandom",
			
 
				+      "tty"
			
 
				+  ]
			
 
				 }
			
--- a/pkg/libcontainer/container_test.go
+++ b/pkg/libcontainer/container_test.go
@@ -65,7 +65,7 @@ func TestContainerJsonFormat(t *testing.T) {
 
				 	}
			
 
				 
			
 
				 	for _, n := range nodes.DefaultNodes {
			
 
				-		if !contains(n, container.DeviceNodes["required"]) {
			
 
				+		if !contains(n, container.RequiredDeviceNodes) {
			
 
				 			t.Logf("devices should contain %s", n)
			
 
				 			t.Fail()
			
 
				 		}
			
--- a/pkg/libcontainer/mount/init.go
+++ b/pkg/libcontainer/mount/init.go
@@ -48,11 +48,11 @@ func InitializeMountNamespace(rootfs, console string, container *libcontainer.Co
 
				 	if err := setupBindmounts(rootfs, container.Mounts); err != nil {
			
 
				 		return fmt.Errorf("bind mounts %s", err)
			
 
				 	}
			
 
				-	if err := nodes.CopyN(rootfs, container.DeviceNodes["required"], true); err != nil {
			
 
				+	if err := nodes.CopyN(rootfs, container.RequiredDeviceNodes, true); err != nil {
			
 
				 		return fmt.Errorf("copy required dev nodes %s", err)
			
 
				 	}
			
 
				-	if err := nodes.CopyN(rootfs, container.DeviceNodes["additional"], false); err != nil {
			
 
				-		return fmt.Errorf("copy additional dev nodes %s", err)
			
 
				+	if err := nodes.CopyN(rootfs, container.OptionalDeviceNodes, false); err != nil {
			
 
				+		return fmt.Errorf("copy optional dev nodes %s", err)
			
 
				 	}
			
 
				 	if err := SetupPtmx(rootfs, console, container.Context["mount_label"]); err != nil {
			
 
				 		return err