new file mode 100644

@@ -0,0 +1,144 @@

+// +build linux

+

+package mount

+

+import (

+	"fmt"

+	"github.com/dotcloud/docker/pkg/label"

+	"github.com/dotcloud/docker/pkg/libcontainer"

+	"github.com/dotcloud/docker/pkg/libcontainer/mount/nodes"

+	"github.com/dotcloud/docker/pkg/libcontainer/security/restrict"

+	"github.com/dotcloud/docker/pkg/system"

+	"os"

+	"path/filepath"

+	"syscall"

+)

+

+// default mount point flags

+const defaultMountFlags = syscall.MS_NOEXEC | syscall.MS_NOSUID | syscall.MS_NODEV

+

+type mount struct {

+	source string

+	path   string

+	device string

+	flags  int

+	data   string

+}

+

+// InitializeMountNamespace setups up the devices, mount points, and filesystems for use inside a

+// new mount namepsace

+func InitializeMountNamespace(rootfs, console string, container *libcontainer.Container) error {

+	var (

+		err  error

+		flag = syscall.MS_PRIVATE

+	)

+	if container.NoPivotRoot {

+		flag = syscall.MS_SLAVE

+	}

+	if err := system.Mount("", "/", "", uintptr(flag|syscall.MS_REC), ""); err != nil {

+		return fmt.Errorf("mounting / as slave %s", err)

+	}

+	if err := system.Mount(rootfs, rootfs, "bind", syscall.MS_BIND|syscall.MS_REC, ""); err != nil {

+		return fmt.Errorf("mouting %s as bind %s", rootfs, err)

+	}

+	if err := mountSystem(rootfs, container); err != nil {

+		return fmt.Errorf("mount system %s", err)

+	}

+	if err := setupBindmounts(rootfs, container.Mounts); err != nil {

+		return fmt.Errorf("bind mounts %s", err)

+	}

+	if err := nodes.CopyN(rootfs, nodes.DefaultNodes); err != nil {

+		return fmt.Errorf("copy dev nodes %s", err)

+	}

+	if restrictionPath := container.Context["restriction_path"]; restrictionPath != "" {

+		if err := restrict.Restrict(rootfs, restrictionPath); err != nil {

+			return fmt.Errorf("restrict %s", err)

+		}

+	}

+	if err := SetupPtmx(rootfs, console, container.Context["mount_label"]); err != nil {

+		return err

+	}

+	if err := system.Chdir(rootfs); err != nil {

+		return fmt.Errorf("chdir into %s %s", rootfs, err)

+	}

+

+	if container.NoPivotRoot {

+		err = MsMoveRoot(rootfs)

+	} else {

+		err = PivotRoot(rootfs)

+	}

+	if err != nil {

+		return err

+	}

+

+	if container.ReadonlyFs {

+		if err := SetReadonly(); err != nil {

+			return fmt.Errorf("set readonly %s", err)

+		}

+	}

+

+	system.Umask(0022)

+

+	return nil

+}

+

+// mountSystem sets up linux specific system mounts like sys, proc, shm, and devpts

+// inside the mount namespace

+func mountSystem(rootfs string, container *libcontainer.Container) error {

+	for _, m := range newSystemMounts(rootfs, container.Context["mount_label"], container.Mounts) {

+		if err := os.MkdirAll(m.path, 0755); err != nil && !os.IsExist(err) {

+			return fmt.Errorf("mkdirall %s %s", m.path, err)

+		}

+		if err := system.Mount(m.source, m.path, m.device, uintptr(m.flags), m.data); err != nil {

+			return fmt.Errorf("mounting %s into %s %s", m.source, m.path, err)

+		}

+	}

+	return nil

+}

+

+func setupBindmounts(rootfs string, bindMounts libcontainer.Mounts) error {

+	for _, m := range bindMounts.OfType("bind") {

+		var (

+			flags = syscall.MS_BIND | syscall.MS_REC

+			dest  = filepath.Join(rootfs, m.Destination)

+		)

+		if !m.Writable {

+			flags = flags | syscall.MS_RDONLY

+		}

+		if err := system.Mount(m.Source, dest, "bind", uintptr(flags), ""); err != nil {

+			return fmt.Errorf("mounting %s into %s %s", m.Source, dest, err)

+		}

+		if !m.Writable {

+			if err := system.Mount(m.Source, dest, "bind", uintptr(flags|syscall.MS_REMOUNT), ""); err != nil {

+				return fmt.Errorf("remounting %s into %s %s", m.Source, dest, err)

+			}

+		}

+		if m.Private {

+			if err := system.Mount("", dest, "none", uintptr(syscall.MS_PRIVATE), ""); err != nil {

+				return fmt.Errorf("mounting %s private %s", dest, err)

+			}

+		}

+	}

+	return nil

+}

+

+func newSystemMounts(rootfs, mountLabel string, mounts libcontainer.Mounts) []mount {

+	devMounts := []mount{

+		{source: "shm", path: filepath.Join(rootfs, "dev", "shm"), device: "tmpfs", flags: defaultMountFlags, data: label.FormatMountLabel("mode=1777,size=65536k", mountLabel)},

+		{source: "devpts", path: filepath.Join(rootfs, "dev", "pts"), device: "devpts", flags: syscall.MS_NOSUID | syscall.MS_NOEXEC, data: label.FormatMountLabel("newinstance,ptmxmode=0666,mode=620,gid=5", mountLabel)},

+	}

+

+	systemMounts := []mount{

+		{source: "proc", path: filepath.Join(rootfs, "proc"), device: "proc", flags: defaultMountFlags},

+	}

+

+	if len(mounts.OfType("devtmpfs")) == 1 {

+		systemMounts = append(systemMounts, mount{source: "tmpfs", path: filepath.Join(rootfs, "dev"), device: "tmpfs", flags: syscall.MS_NOSUID | syscall.MS_STRICTATIME, data: "mode=755"})

+	}

+	systemMounts = append(systemMounts, devMounts...)

+

+	if len(mounts.OfType("sysfs")) == 1 {

+		systemMounts = append(systemMounts, mount{source: "sysfs", path: filepath.Join(rootfs, "sys"), device: "sysfs", flags: defaultMountFlags})

+	}

+	return systemMounts

+}

new file mode 100644

@@ -0,0 +1,19 @@

+// +build linux

+

+package mount

+

+import (

+	"fmt"

+	"github.com/dotcloud/docker/pkg/system"

+	"syscall"

+)

+

+func MsMoveRoot(rootfs string) error {

+	if err := system.Mount(rootfs, "/", "", syscall.MS_MOVE, ""); err != nil {

+		return fmt.Errorf("mount move %s into / %s", rootfs, err)

+	}

+	if err := system.Chroot("."); err != nil {

+		return fmt.Errorf("chroot . %s", err)

+	}

+	return system.Chdir("/")

+}

new file mode 100644

@@ -0,0 +1,49 @@

+// +build linux

+

+package nodes

+

+import (

+	"fmt"

+	"github.com/dotcloud/docker/pkg/system"

+	"os"

+	"path/filepath"

+	"syscall"

+)

+

+// Default list of device nodes to copy

+var DefaultNodes = []string{

+	"null",

+	"zero",

+	"full",

+	"random",

+	"urandom",

+	"tty",

+}

+

+// CopyN copies the device node from the host into the rootfs

+func CopyN(rootfs string, nodesToCopy []string) error {

+	oldMask := system.Umask(0000)

+	defer system.Umask(oldMask)

+

+	for _, node := range nodesToCopy {

+		if err := Copy(rootfs, node); err != nil {

+			return err

+		}

+	}

+	return nil

+}

+

+func Copy(rootfs, node string) error {

+	stat, err := os.Stat(filepath.Join("/dev", node))

+	if err != nil {

+		return err

+	}

+	var (

+		dest = filepath.Join(rootfs, "dev", node)

+		st   = stat.Sys().(*syscall.Stat_t)

+	)

+	if err := system.Mknod(dest, st.Mode, int(st.Rdev)); err != nil && !os.IsExist(err) {

+		return fmt.Errorf("copy %s %s", node, err)

+	}

+	return nil

+}

new file mode 100644

@@ -0,0 +1,31 @@

+// +build linux

+

+package mount

+

+import (

+	"fmt"

+	"github.com/dotcloud/docker/pkg/system"

+	"io/ioutil"

+	"os"

+	"path/filepath"

+	"syscall"

+)

+

+func PivotRoot(rootfs string) error {

+	pivotDir, err := ioutil.TempDir(rootfs, ".pivot_root")

+	if err != nil {

+		return fmt.Errorf("can't create pivot_root dir %s", pivotDir, err)

+	}

+	if err := system.Pivotroot(rootfs, pivotDir); err != nil {

+		return fmt.Errorf("pivot_root %s", err)

+	}

+	if err := system.Chdir("/"); err != nil {

+		return fmt.Errorf("chdir / %s", err)

+	}

+	// path to pivot dir now changed, update

+	pivotDir = filepath.Join("/", filepath.Base(pivotDir))

+	if err := system.Unmount(pivotDir, syscall.MNT_DETACH); err != nil {

+		return fmt.Errorf("unmount pivot_root dir %s", err)

+	}

+	return os.Remove(pivotDir)

+}

new file mode 100644

@@ -0,0 +1,26 @@

+// +build linux

+

+package mount

+

+import (

+	"fmt"

+	"github.com/dotcloud/docker/pkg/libcontainer/console"

+	"os"

+	"path/filepath"

+)

+

+func SetupPtmx(rootfs, consolePath, mountLabel string) error {

+	ptmx := filepath.Join(rootfs, "dev/ptmx")

+	if err := os.Remove(ptmx); err != nil && !os.IsNotExist(err) {

+		return err

+	}

+	if err := os.Symlink("pts/ptmx", ptmx); err != nil {

+		return fmt.Errorf("symlink dev ptmx %s", err)

+	}

+	if consolePath != "" {

+		if err := console.Setup(rootfs, consolePath, mountLabel); err != nil {

+			return err

+		}

+	}

+	return nil

+}

new file mode 100644

@@ -0,0 +1,12 @@

+// +build linux

+

+package mount

+

+import (

+	"github.com/dotcloud/docker/pkg/system"

+	"syscall"

+)

+

+func SetReadonly() error {

+	return system.Mount("/", "/", "bind", syscall.MS_BIND|syscall.MS_REMOUNT|syscall.MS_RDONLY|syscall.MS_REC, "")

+}

new file mode 100644

@@ -0,0 +1,31 @@

+// +build linux

+

+package mount

+

+import (

+	"github.com/dotcloud/docker/pkg/system"

+	"syscall"

+)

+

+func RemountProc() error {

+	if err := system.Unmount("/proc", syscall.MNT_DETACH); err != nil {

+		return err

+	}

+	if err := system.Mount("proc", "/proc", "proc", uintptr(defaultMountFlags), ""); err != nil {

+		return err

+	}

+	return nil

+}

+

+func RemountSys() error {

+	if err := system.Unmount("/sys", syscall.MNT_DETACH); err != nil {

+		if err != syscall.EINVAL {

+			return err

+		}

+	} else {

+		if err := system.Mount("sysfs", "/sys", "sysfs", uintptr(defaultMountFlags), ""); err != nil {

+			return err

+		}

+	}

+	return nil

+}

@@ -6,6 +6,7 @@ import (

 	"fmt"

 	"github.com/dotcloud/docker/pkg/label"

 	"github.com/dotcloud/docker/pkg/libcontainer"

+	"github.com/dotcloud/docker/pkg/libcontainer/mount"

 	"github.com/dotcloud/docker/pkg/system"

 	"os"

 	"path/filepath"

@@ -63,10 +64,10 @@ func (ns *linuxNs) ExecIn(container *libcontainer.Container, nspid int, args []s

 			if err := system.Unshare(syscall.CLONE_NEWNS); err != nil {

 				return -1, err

 			}

-			if err := remountProc(); err != nil {

+			if err := mount.RemountProc(); err != nil {

 				return -1, fmt.Errorf("remount proc %s", err)

 			}

-			if err := remountSys(); err != nil {

+			if err := mount.RemountSys(); err != nil {

 				return -1, fmt.Errorf("remount sys %s", err)

 			}

 			goto dropAndExec

@@ -12,6 +12,7 @@ import (

 	"github.com/dotcloud/docker/pkg/label"

 	"github.com/dotcloud/docker/pkg/libcontainer"

 	"github.com/dotcloud/docker/pkg/libcontainer/capabilities"

+	"github.com/dotcloud/docker/pkg/libcontainer/mount"

 	"github.com/dotcloud/docker/pkg/libcontainer/network"

 	"github.com/dotcloud/docker/pkg/libcontainer/security/apparmor"

 	"github.com/dotcloud/docker/pkg/libcontainer/utils"

@@ -61,7 +62,7 @@ func (ns *linuxNs) Init(container *libcontainer.Container, uncleanRootfs, consol

 	label.Init()

 	ns.logger.Println("setup mount namespace")

-	if err := setupNewMountNamespace(rootfs, console, container); err != nil {

+	if err := mount.InitializeMountNamespace(rootfs, console, container); err != nil {

 		return fmt.Errorf("setup mount namespace %s", err)

 	}

 	if err := system.Sethostname(container.Hostname); err != nil {

deleted file mode 100644

@@ -1,261 +0,0 @@

-// +build linux

-

-package nsinit

-

-import (

-	"fmt"

-	"github.com/dotcloud/docker/pkg/label"

-	"github.com/dotcloud/docker/pkg/libcontainer"

-	"github.com/dotcloud/docker/pkg/libcontainer/console"

-	"github.com/dotcloud/docker/pkg/libcontainer/security/restrict"

-	"github.com/dotcloud/docker/pkg/system"

-	"io/ioutil"

-	"os"

-	"path/filepath"

-	"syscall"

-)

-

-// default mount point flags

-const defaultMountFlags = syscall.MS_NOEXEC | syscall.MS_NOSUID | syscall.MS_NODEV

-

-type mount struct {

-	source string

-	path   string

-	device string

-	flags  int

-	data   string

-}

-

-// setupNewMountNamespace is used to initialize a new mount namespace for an new

-// container in the rootfs that is specified.

-//

-// There is no need to unmount the new mounts because as soon as the mount namespace

-// is no longer in use, the mounts will be removed automatically

-func setupNewMountNamespace(rootfs, console string, container *libcontainer.Container) error {

-	flag := syscall.MS_PRIVATE

-	if container.NoPivotRoot {

-		flag = syscall.MS_SLAVE

-	}

-	if err := system.Mount("", "/", "", uintptr(flag|syscall.MS_REC), ""); err != nil {

-		return fmt.Errorf("mounting / as slave %s", err)

-	}

-	if err := system.Mount(rootfs, rootfs, "bind", syscall.MS_BIND|syscall.MS_REC, ""); err != nil {

-		return fmt.Errorf("mouting %s as bind %s", rootfs, err)

-	}

-	if err := mountSystem(rootfs, container); err != nil {

-		return fmt.Errorf("mount system %s", err)

-	}

-	if err := setupBindmounts(rootfs, container.Mounts); err != nil {

-		return fmt.Errorf("bind mounts %s", err)

-	}

-	if err := copyDevNodes(rootfs); err != nil {

-		return fmt.Errorf("copy dev nodes %s", err)

-	}

-	if restrictionPath := container.Context["restriction_path"]; restrictionPath != "" {

-		if err := restrict.Restrict(rootfs, restrictionPath); err != nil {

-			return fmt.Errorf("restrict %s", err)

-		}

-	}

-	if err := setupPtmx(rootfs, console, container.Context["mount_label"]); err != nil {

-		return err

-	}

-	if err := system.Chdir(rootfs); err != nil {

-		return fmt.Errorf("chdir into %s %s", rootfs, err)

-	}

-

-	if container.NoPivotRoot {

-		if err := rootMsMove(rootfs); err != nil {

-			return err

-		}

-	} else {

-		if err := rootPivot(rootfs); err != nil {

-			return err

-		}

-	}

-

-	if container.ReadonlyFs {

-		if err := system.Mount("/", "/", "bind", syscall.MS_BIND|syscall.MS_REMOUNT|syscall.MS_RDONLY|syscall.MS_REC, ""); err != nil {

-			return fmt.Errorf("mounting %s as readonly %s", rootfs, err)

-		}

-	}

-

-	system.Umask(0022)

-

-	return nil

-}

-

-// use a pivot root to setup the rootfs

-func rootPivot(rootfs string) error {

-	pivotDir, err := ioutil.TempDir(rootfs, ".pivot_root")

-	if err != nil {

-		return fmt.Errorf("can't create pivot_root dir %s", pivotDir, err)

-	}

-	if err := system.Pivotroot(rootfs, pivotDir); err != nil {

-		return fmt.Errorf("pivot_root %s", err)

-	}

-	if err := system.Chdir("/"); err != nil {

-		return fmt.Errorf("chdir / %s", err)

-	}

-	// path to pivot dir now changed, update

-	pivotDir = filepath.Join("/", filepath.Base(pivotDir))

-	if err := system.Unmount(pivotDir, syscall.MNT_DETACH); err != nil {

-		return fmt.Errorf("unmount pivot_root dir %s", err)

-	}

-	if err := os.Remove(pivotDir); err != nil {

-		return fmt.Errorf("remove pivot_root dir %s", err)

-	}

-	return nil

-}

-

-// use MS_MOVE and chroot to setup the rootfs

-func rootMsMove(rootfs string) error {

-	if err := system.Mount(rootfs, "/", "", syscall.MS_MOVE, ""); err != nil {

-		return fmt.Errorf("mount move %s into / %s", rootfs, err)

-	}

-	if err := system.Chroot("."); err != nil {

-		return fmt.Errorf("chroot . %s", err)

-	}

-	if err := system.Chdir("/"); err != nil {

-		return fmt.Errorf("chdir / %s", err)

-	}

-	return nil

-}

-

-// copyDevNodes mknods the hosts devices so the new container has access to them

-func copyDevNodes(rootfs string) error {

-	oldMask := system.Umask(0000)

-	defer system.Umask(oldMask)

-

-	for _, node := range []string{

-		"null",

-		"zero",

-		"full",

-		"random",

-		"urandom",

-		"tty",

-	} {

-		if err := copyDevNode(rootfs, node); err != nil {

-			return err

-		}

-	}

-	return nil

-}

-

-func copyDevNode(rootfs, node string) error {

-	stat, err := os.Stat(filepath.Join("/dev", node))

-	if err != nil {

-		return err

-	}

-	var (

-		dest = filepath.Join(rootfs, "dev", node)

-		st   = stat.Sys().(*syscall.Stat_t)

-	)

-	if err := system.Mknod(dest, st.Mode, int(st.Rdev)); err != nil && !os.IsExist(err) {

-		return fmt.Errorf("copy %s %s", node, err)

-	}

-	return nil

-}

-

-// mountSystem sets up linux specific system mounts like sys, proc, shm, and devpts

-// inside the mount namespace

-func mountSystem(rootfs string, container *libcontainer.Container) error {

-	for _, m := range newSystemMounts(rootfs, container.Context["mount_label"], container.Mounts) {

-		if err := os.MkdirAll(m.path, 0755); err != nil && !os.IsExist(err) {

-			return fmt.Errorf("mkdirall %s %s", m.path, err)

-		}

-		if err := system.Mount(m.source, m.path, m.device, uintptr(m.flags), m.data); err != nil {

-			return fmt.Errorf("mounting %s into %s %s", m.source, m.path, err)

-		}

-	}

-	return nil

-}

-

-// setupPtmx adds a symlink to pts/ptmx for /dev/ptmx and

-// finishes setting up /dev/console

-func setupPtmx(rootfs, consolePath, mountLabel string) error {

-	ptmx := filepath.Join(rootfs, "dev/ptmx")

-	if err := os.Remove(ptmx); err != nil && !os.IsNotExist(err) {

-		return err

-	}

-	if err := os.Symlink("pts/ptmx", ptmx); err != nil {

-		return fmt.Errorf("symlink dev ptmx %s", err)

-	}

-	if consolePath != "" {

-		if err := console.Setup(rootfs, consolePath, mountLabel); err != nil {

-			return err

-		}

-	}

-	return nil

-}

-

-// remountProc is used to detach and remount the proc filesystem

-// commonly needed with running a new process inside an existing container

-func remountProc() error {

-	if err := system.Unmount("/proc", syscall.MNT_DETACH); err != nil {

-		return err

-	}

-	if err := system.Mount("proc", "/proc", "proc", uintptr(defaultMountFlags), ""); err != nil {

-		return err

-	}

-	return nil

-}

-

-func remountSys() error {

-	if err := system.Unmount("/sys", syscall.MNT_DETACH); err != nil {

-		if err != syscall.EINVAL {

-			return err

-		}

-	} else {

-		if err := system.Mount("sysfs", "/sys", "sysfs", uintptr(defaultMountFlags), ""); err != nil {

-			return err

-		}

-	}

-	return nil

-}

-

-func setupBindmounts(rootfs string, bindMounts libcontainer.Mounts) error {

-	for _, m := range bindMounts.OfType("bind") {

-		var (

-			flags = syscall.MS_BIND | syscall.MS_REC

-			dest  = filepath.Join(rootfs, m.Destination)

-		)

-		if !m.Writable {

-			flags = flags | syscall.MS_RDONLY

-		}

-		if err := system.Mount(m.Source, dest, "bind", uintptr(flags), ""); err != nil {

-			return fmt.Errorf("mounting %s into %s %s", m.Source, dest, err)

-		}

-		if !m.Writable {

-			if err := system.Mount(m.Source, dest, "bind", uintptr(flags|syscall.MS_REMOUNT), ""); err != nil {

-				return fmt.Errorf("remounting %s into %s %s", m.Source, dest, err)

-			}

-		}

-		if m.Private {

-			if err := system.Mount("", dest, "none", uintptr(syscall.MS_PRIVATE), ""); err != nil {

-				return fmt.Errorf("mounting %s private %s", dest, err)

-			}

-		}

-	}

-	return nil

-}

-

-func newSystemMounts(rootfs, mountLabel string, mounts libcontainer.Mounts) []mount {

-	devMounts := []mount{

-		{source: "shm", path: filepath.Join(rootfs, "dev", "shm"), device: "tmpfs", flags: defaultMountFlags, data: label.FormatMountLabel("mode=1777,size=65536k", mountLabel)},

-		{source: "devpts", path: filepath.Join(rootfs, "dev", "pts"), device: "devpts", flags: syscall.MS_NOSUID | syscall.MS_NOEXEC, data: label.FormatMountLabel("newinstance,ptmxmode=0666,mode=620,gid=5", mountLabel)},

-	}

-

-	systemMounts := []mount{

-		{source: "proc", path: filepath.Join(rootfs, "proc"), device: "proc", flags: defaultMountFlags},

-	}

-

-	if len(mounts.OfType("devtmpfs")) == 1 {

-		systemMounts = append(systemMounts, mount{source: "tmpfs", path: filepath.Join(rootfs, "dev"), device: "tmpfs", flags: syscall.MS_NOSUID | syscall.MS_STRICTATIME, data: "mode=755"})

-	}

-	systemMounts = append(systemMounts, devMounts...)

-

-	if len(mounts.OfType("sysfs")) == 1 {

-		systemMounts = append(systemMounts, mount{source: "sysfs", path: filepath.Join(rootfs, "sys"), device: "sysfs", flags: defaultMountFlags})

-	}

-	return systemMounts

-}