package docker
import ( |
"strings" |
"text/template"
)
// LxcTemplate is the text/template source for the lxc.conf generated for a
// container. init() parses it into LxcTemplateCompiled; it is executed with a
// *Container as its data, which is why getHostConfig and getCapabilities take
// that container (text/template cannot read its unexported fields directly).
//
// Points with a security impact worth knowing when reading the output:
//   - The Privileged branch allows every device ("lxc.cgroup.devices.allow = a")
//     and, when the runtime reports AppArmor, sets lxc.aa_profile = unconfined;
//     the non-privileged branch denies all devices and then allows a fixed list.
//   - proc, sysfs, devpts and shm are mounted nosuid,noexec (and nodev, except
//     devpts); the comments on proc/sysfs below give the rationale.
//   - Values taken from the container (.NetworkSettings.Bridge, .RootfsPath,
//     .Config.Memory, .Config.CpuShares) are emitted as-is; only the mount-entry
//     paths go through escapeFstabSpaces, which escapes spaces and nothing else.
//   - The trailing {{range}} writes every HostConfig.LxcConf Key = Value pair
//     verbatim after all other settings, with no filtering or escaping, so
//     whoever can set LxcConf effectively controls the resulting lxc.conf.
const LxcTemplate = `
{{if .Config.NetworkDisabled}}
# network is disabled (-n=false)
lxc.network.type = empty
{{else}}
# network configuration
lxc.network.type = veth
lxc.network.link = {{.NetworkSettings.Bridge}}
lxc.network.name = eth0
{{end}}
# root filesystem
{{$ROOTFS := .RootfsPath}}
lxc.rootfs = {{$ROOTFS}}
# use a dedicated pts for the container (and limit the number of pseudo terminal
# available)
lxc.pts = 1024
# disable the main console
lxc.console = none
# no controlling tty at all
lxc.tty = 1

{{if (getHostConfig .).Privileged}}
lxc.cgroup.devices.allow = a
{{else}}
# no implicit access to devices
lxc.cgroup.devices.deny = a
# /dev/null and zero
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
# consoles
lxc.cgroup.devices.allow = c 5:1 rwm
lxc.cgroup.devices.allow = c 5:0 rwm
lxc.cgroup.devices.allow = c 4:0 rwm
lxc.cgroup.devices.allow = c 4:1 rwm
# /dev/urandom,/dev/random
lxc.cgroup.devices.allow = c 1:9 rwm
lxc.cgroup.devices.allow = c 1:8 rwm

# /dev/pts/ - pts namespaces are "coming soon"
lxc.cgroup.devices.allow = c 136:* rwm
lxc.cgroup.devices.allow = c 5:2 rwm
# tuntap
lxc.cgroup.devices.allow = c 10:200 rwm
# fuse
#lxc.cgroup.devices.allow = c 10:229 rwm
# rtc
#lxc.cgroup.devices.allow = c 254:0 rwm
{{end}}
# standard mount point
# Use mnt.putold as per https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/986385
lxc.pivotdir = lxc_putold
# NOTICE: These mounts must be applied within the namespace

# WARNING: procfs is a known attack vector and should probably be disabled
# if your userspace allows it. eg. see http://blog.zx2c4.com/749
lxc.mount.entry = proc {{escapeFstabSpaces $ROOTFS}}/proc proc nosuid,nodev,noexec 0 0
# WARNING: sysfs is a known attack vector and should probably be disabled
# if your userspace allows it. eg. see http://bit.ly/T9CkqJ
lxc.mount.entry = sysfs {{escapeFstabSpaces $ROOTFS}}/sys sysfs nosuid,nodev,noexec 0 0

lxc.mount.entry = devpts {{escapeFstabSpaces $ROOTFS}}/dev/pts devpts newinstance,ptmxmode=0666,nosuid,noexec 0 0
lxc.mount.entry = shm {{escapeFstabSpaces $ROOTFS}}/dev/shm tmpfs size=65536k,nosuid,nodev,noexec 0 0

{{if (getHostConfig .).Privileged}}
{{if (getCapabilities .).AppArmor}}
lxc.aa_profile = unconfined
{{else}}
#lxc.aa_profile = unconfined
{{end}}
{{end}}
# limits
{{if .Config.Memory}}
lxc.cgroup.memory.limit_in_bytes = {{.Config.Memory}}
lxc.cgroup.memory.soft_limit_in_bytes = {{.Config.Memory}}
{{with $memSwap := getMemorySwap .Config}}
lxc.cgroup.memory.memsw.limit_in_bytes = {{$memSwap}}
{{end}}
{{end}}
{{if .Config.CpuShares}}
lxc.cgroup.cpu.shares = {{.Config.CpuShares}}
{{end}}

{{if (getHostConfig .).LxcConf}}
{{range $pair := (getHostConfig .).LxcConf}}
{{$pair.Key}} = {{$pair.Value}}
{{end}}
{{end}}
`
// LxcTemplateCompiled is LxcTemplate parsed with the helper FuncMap
// (escapeFstabSpaces, getHostConfig, getCapabilities, getMemorySwap). It is
// assigned in init(), which panics if the template fails to parse, so it is
// never nil once the package has initialised.
var LxcTemplateCompiled *template.Template
// escapeFstabSpaces rewrites every space in field as the octal escape "\040",
// the fstab(5) convention used for the path fields of "lxc.mount.entry" lines.
// Only the space character is handled: tabs, newlines and backslashes in field
// are passed through unchanged, so callers must not rely on this for
// arbitrary input.
func escapeFstabSpaces(field string) string {
	// Splitting on " " and re-joining with the escape is equivalent to an
	// unlimited Replace; an empty field yields a single empty piece and so
	// round-trips to "".
	pieces := strings.Split(field, " ")
	return strings.Join(pieces, "\\040")
}
// getMemorySwap returns the value written to
// lxc.cgroup.memory.memsw.limit_in_bytes for config.
//
// A negative MemorySwap means "no memsw limit": the function returns 0 and
// the template's {{with}} block skips the line. Any other MemorySwap value
// yields twice config.Memory — note that a positive MemorySwap is not itself
// used as the limit here.
func getMemorySwap(config *Config) int64 {
	switch {
	case config.MemorySwap < 0:
		// Caller explicitly opted out of a swap limit.
		return 0
	default:
		return 2 * config.Memory
	}
}
// getHostConfig exposes container's unexported hostConfig to the template;
// text/template cannot read unexported fields, so LxcTemplate calls this
// helper as "(getHostConfig .)" for Privileged and LxcConf.
func getHostConfig(container *Container) *HostConfig {
	hc := container.hostConfig
	return hc
}
// getCapabilities exposes the runtime's detected capabilities (the template
// reads .AppArmor) for container; like getHostConfig it exists because
// text/template cannot traverse the unexported runtime field itself.
func getCapabilities(container *Container) *Capabilities {
	caps := container.runtime.capabilities
	return caps
}
// init parses LxcTemplate into LxcTemplateCompiled with the helper functions
// the template calls. A parse error can only come from the constant template
// text, i.e. a programmer bug, so it panics (via template.Must) at package
// initialisation rather than being reported at run time.
func init() {
	helpers := template.FuncMap{
		"escapeFstabSpaces": escapeFstabSpaces,
		"getCapabilities":   getCapabilities,
		"getHostConfig":     getHostConfig,
		"getMemorySwap":     getMemorySwap,
	}
	LxcTemplateCompiled = template.Must(template.New("lxc").Funcs(helpers).Parse(LxcTemplate))
}