diff options
Diffstat (limited to 'daemon/execdriver/native/create.go')
-rw-r--r-- | daemon/execdriver/native/create.go | 70 |
1 files changed, 41 insertions, 29 deletions
diff --git a/daemon/execdriver/native/create.go b/daemon/execdriver/native/create.go index b19620514e..f28507b046 100644 --- a/daemon/execdriver/native/create.go +++ b/daemon/execdriver/native/create.go @@ -9,6 +9,8 @@ import ( "github.com/docker/libcontainer" "github.com/docker/libcontainer/apparmor" "github.com/docker/libcontainer/devices" + "github.com/docker/libcontainer/mount" + "github.com/docker/libcontainer/security/capabilities" "github.com/dotcloud/docker/daemon/execdriver" "github.com/dotcloud/docker/daemon/execdriver/native/configuration" "github.com/dotcloud/docker/daemon/execdriver/native/template" @@ -16,7 +18,7 @@ import ( // createContainer populates and configures the container type with the // data provided by the execdriver.Command -func (d *driver) createContainer(c *execdriver.Command) (*libcontainer.Container, error) { +func (d *driver) createContainer(c *execdriver.Command) (*libcontainer.Config, error) { container := template.New() container.Hostname = getEnv("HOSTNAME", c.Env) @@ -26,65 +28,71 @@ func (d *driver) createContainer(c *execdriver.Command) (*libcontainer.Container container.Env = c.Env container.Cgroups.Name = c.ID container.Cgroups.AllowedDevices = c.AllowedDevices - container.DeviceNodes = c.AutoCreatedDevices + container.MountConfig.DeviceNodes = c.AutoCreatedDevices + // check to see if we are running in ramdisk to disable pivot root - container.NoPivotRoot = os.Getenv("DOCKER_RAMDISK") != "" - container.Context["restrictions"] = "true" + container.MountConfig.NoPivotRoot = os.Getenv("DOCKER_RAMDISK") != "" + container.RestrictSys = true if err := d.createNetwork(container, c); err != nil { return nil, err } + if c.Privileged { if err := d.setPrivileged(container); err != nil { return nil, err } } + if err := d.setupCgroups(container, c); err != nil { return nil, err } + if err := d.setupMounts(container, c); err != nil { return nil, err } + if err := d.setupLabels(container, c); err != nil { return nil, err } + cmds := make(map[string]*exec.Cmd) d.Lock() for k, v := range d.activeContainers { cmds[k] = v.cmd } d.Unlock() + if err := configuration.ParseConfiguration(container, cmds, c.Config["native"]); err != nil { return nil, err } + return container, nil } -func (d *driver) createNetwork(container *libcontainer.Container, c *execdriver.Command) error { +func (d *driver) createNetwork(container *libcontainer.Config, c *execdriver.Command) error { if c.Network.HostNetworking { container.Namespaces["NEWNET"] = false return nil } + container.Networks = []*libcontainer.Network{ { Mtu: c.Network.Mtu, Address: fmt.Sprintf("%s/%d", "127.0.0.1", 0), Gateway: "localhost", Type: "loopback", - Context: libcontainer.Context{}, }, } if c.Network.Interface != nil { vethNetwork := libcontainer.Network{ - Mtu: c.Network.Mtu, - Address: fmt.Sprintf("%s/%d", c.Network.Interface.IPAddress, c.Network.Interface.IPPrefixLen), - Gateway: c.Network.Interface.Gateway, - Type: "veth", - Context: libcontainer.Context{ - "prefix": "veth", - "bridge": c.Network.Interface.Bridge, - }, + Mtu: c.Network.Mtu, + Address: fmt.Sprintf("%s/%d", c.Network.Interface.IPAddress, c.Network.Interface.IPPrefixLen), + Gateway: c.Network.Interface.Gateway, + Type: "veth", + Bridge: c.Network.Interface.Bridge, + VethPrefix: "veth", } container.Networks = append(container.Networks, &vethNetwork) } @@ -93,6 +101,7 @@ func (d *driver) createNetwork(container *libcontainer.Container, c *execdriver. d.Lock() active := d.activeContainers[c.Network.ContainerID] d.Unlock() + if active == nil || active.cmd.Process == nil { return fmt.Errorf("%s is not a valid running container to join", c.Network.ContainerID) } @@ -100,34 +109,34 @@ func (d *driver) createNetwork(container *libcontainer.Container, c *execdriver. nspath := filepath.Join("/proc", fmt.Sprint(cmd.Process.Pid), "ns", "net") container.Networks = append(container.Networks, &libcontainer.Network{ - Type: "netns", - Context: libcontainer.Context{ - "nspath": nspath, - }, + Type: "netns", + NsPath: nspath, }) } + return nil } -func (d *driver) setPrivileged(container *libcontainer.Container) (err error) { - container.Capabilities = libcontainer.GetAllCapabilities() +func (d *driver) setPrivileged(container *libcontainer.Config) (err error) { + container.Capabilities = capabilities.GetAllCapabilities() container.Cgroups.AllowAllDevices = true hostDeviceNodes, err := devices.GetHostDeviceNodes() if err != nil { return err } - container.DeviceNodes = hostDeviceNodes + container.MountConfig.DeviceNodes = hostDeviceNodes - delete(container.Context, "restrictions") + container.RestrictSys = false if apparmor.IsEnabled() { - container.Context["apparmor_profile"] = "unconfined" + container.AppArmorProfile = "unconfined" } + return nil } -func (d *driver) setupCgroups(container *libcontainer.Container, c *execdriver.Command) error { +func (d *driver) setupCgroups(container *libcontainer.Config, c *execdriver.Command) error { if c.Resources != nil { container.Cgroups.CpuShares = c.Resources.CpuShares container.Cgroups.Memory = c.Resources.Memory @@ -135,12 +144,13 @@ func (d *driver) setupCgroups(container *libcontainer.Container, c *execdriver.C container.Cgroups.MemorySwap = c.Resources.MemorySwap container.Cgroups.CpusetCpus = c.Resources.Cpuset } + return nil } -func (d *driver) setupMounts(container *libcontainer.Container, c *execdriver.Command) error { +func (d *driver) setupMounts(container *libcontainer.Config, c *execdriver.Command) error { for _, m := range c.Mounts { - container.Mounts = append(container.Mounts, libcontainer.Mount{ + container.MountConfig.Mounts = append(container.MountConfig.Mounts, mount.Mount{ Type: "bind", Source: m.Source, Destination: m.Destination, @@ -148,11 +158,13 @@ func (d *driver) setupMounts(container *libcontainer.Container, c *execdriver.Co Private: m.Private, }) } + return nil } -func (d *driver) setupLabels(container *libcontainer.Container, c *execdriver.Command) error { - container.Context["process_label"] = c.Config["process_label"][0] - container.Context["mount_label"] = c.Config["mount_label"][0] +func (d *driver) setupLabels(container *libcontainer.Config, c *execdriver.Command) error { + container.ProcessLabel = c.Config["process_label"][0] + container.MountConfig.MountLabel = c.Config["mount_label"][0] + return nil } |