@@ -10,6 +10,7 @@ import (

 	"github.com/dotcloud/docker/daemon/execdriver/native/template"

 	"github.com/dotcloud/docker/pkg/apparmor"

 	"github.com/dotcloud/docker/pkg/libcontainer"

+	"github.com/dotcloud/docker/pkg/libcontainer/mount/nodes"

 )

 // createContainer populates and configures the container type with the

@@ -34,8 +35,6 @@ func (d *driver) createContainer(c *execdriver.Command) (*libcontainer.Container

 		if err := d.setPrivileged(container); err != nil {

 			return nil, err

 		}

-	} else {

-		container.Mounts = append(container.Mounts, libcontainer.Mount{Type: "devtmpfs"})

 	}

 	if err := d.setupCgroups(container, c); err != nil {

 		return nil, err

@@ -97,11 +96,16 @@ func (d *driver) createNetwork(container *libcontainer.Container, c *execdriver.

 	return nil

 }

-func (d *driver) setPrivileged(container *libcontainer.Container) error {

+func (d *driver) setPrivileged(container *libcontainer.Container) (err error) {

 	container.Capabilities = libcontainer.GetAllCapabilities()

 	container.Cgroups.DeviceAccess = true

 	delete(container.Context, "restrictions")

+	delete(container.DeviceNodes, "additional")

+

+	if container.DeviceNodes["required"], err = nodes.GetHostDeviceNodes(); err != nil {

+		return err

+	}

 	if apparmor.IsEnabled() {

 		container.Context["apparmor_profile"] = "unconfined"

@@ -4,6 +4,7 @@ import (

 	"github.com/dotcloud/docker/pkg/apparmor"

 	"github.com/dotcloud/docker/pkg/libcontainer"

 	"github.com/dotcloud/docker/pkg/libcontainer/cgroups"

+	"github.com/dotcloud/docker/pkg/libcontainer/mount/nodes"

 )

 // New returns the docker default configuration for libcontainer

@@ -33,6 +34,10 @@ func New() *libcontainer.Container {

 			DeviceAccess: false,

 		},

 		Context: libcontainer.Context{},

+		DeviceNodes: map[string][]string{

+			"required":   nodes.DefaultNodes,

+			"additional": {"fuse"},

+		},

 	}

 	if apparmor.IsEnabled() {

 		container.Context["apparmor_profile"] = "docker-default"

@@ -11,19 +11,20 @@ type Context map[string]string

 // Container defines configuration options for how a

 // container is setup inside a directory and how a process should be executed

 type Container struct {

-	Hostname     string          `json:"hostname,omitempty"`      // hostname

-	ReadonlyFs   bool            `json:"readonly_fs,omitempty"`   // set the containers rootfs as readonly

-	NoPivotRoot  bool            `json:"no_pivot_root,omitempty"` // this can be enabled if you are running in ramdisk

-	User         string          `json:"user,omitempty"`          // user to execute the process as

-	WorkingDir   string          `json:"working_dir,omitempty"`   // current working directory

-	Env          []string        `json:"environment,omitempty"`   // environment to set

-	Tty          bool            `json:"tty,omitempty"`           // setup a proper tty or not

-	Namespaces   map[string]bool `json:"namespaces,omitempty"`    // namespaces to apply

-	Capabilities []string        `json:"capabilities,omitempty"`  // capabilities given to the container

-	Networks     []*Network      `json:"networks,omitempty"`      // nil for host's network stack

-	Cgroups      *cgroups.Cgroup `json:"cgroups,omitempty"`       // cgroups

-	Context      Context         `json:"context,omitempty"`       // generic context for specific options (apparmor, selinux)

-	Mounts       Mounts          `json:"mounts,omitempty"`

+	Hostname     string              `json:"hostname,omitempty"`      // hostname

+	ReadonlyFs   bool                `json:"readonly_fs,omitempty"`   // set the containers rootfs as readonly

+	NoPivotRoot  bool                `json:"no_pivot_root,omitempty"` // this can be enabled if you are running in ramdisk

+	User         string              `json:"user,omitempty"`          // user to execute the process as

+	WorkingDir   string              `json:"working_dir,omitempty"`   // current working directory

+	Env          []string            `json:"environment,omitempty"`   // environment to set

+	Tty          bool                `json:"tty,omitempty"`           // setup a proper tty or not

+	Namespaces   map[string]bool     `json:"namespaces,omitempty"`    // namespaces to apply

+	Capabilities []string            `json:"capabilities,omitempty"`  // capabilities given to the container

+	Networks     []*Network          `json:"networks,omitempty"`      // nil for host's network stack

+	Cgroups      *cgroups.Cgroup     `json:"cgroups,omitempty"`       // cgroups

+	Context      Context             `json:"context,omitempty"`       // generic context for specific options (apparmor, selinux)

+	Mounts       Mounts              `json:"mounts,omitempty"`

+	DeviceNodes  map[string][]string `json:"device_nodes,omitempty"` // device nodes to add to the container's /dev

 }

 // Network defines configuration for a container's networking stack

@@ -43,5 +43,15 @@

     {

       "type": "devtmpfs"

     }

-  ]

+  ],

+  "device_nodes": {

+      "required": [

+          "null",

+          "zero",

+          "full",

+          "random",

+          "urandom",

+          "tty"

+      ]

+  }

 }

@@ -4,12 +4,14 @@ import (

 	"encoding/json"

 	"os"

 	"testing"

+

+	"github.com/dotcloud/docker/pkg/libcontainer/mount/nodes"

 )

 // Checks whether the expected capability is specified in the capabilities.

-func hasCapability(expected string, capabilities []string) bool {

-	for _, capability := range capabilities {

-		if capability == expected {

+func contains(expected string, values []string) bool {

+	for _, v := range values {

+		if v == expected {

 			return true

 		}

 	}

@@ -47,18 +49,25 @@ func TestContainerJsonFormat(t *testing.T) {

 		t.Fail()

 	}

-	if hasCapability("SYS_ADMIN", container.Capabilities) {

+	if contains("SYS_ADMIN", container.Capabilities) {

 		t.Log("SYS_ADMIN should not be enabled in capabilities mask")

 		t.Fail()

 	}

-	if !hasCapability("MKNOD", container.Capabilities) {

+	if !contains("MKNOD", container.Capabilities) {

 		t.Log("MKNOD should be enabled in capabilities mask")

 		t.Fail()

 	}

-	if hasCapability("SYS_CHROOT", container.Capabilities) {

+	if contains("SYS_CHROOT", container.Capabilities) {

 		t.Log("capabilities mask should not contain SYS_CHROOT")

 		t.Fail()

 	}

+

+	for _, n := range nodes.DefaultNodes {

+		if !contains(n, container.DeviceNodes["required"]) {

+			t.Logf("devices should contain %s", n)

+			t.Fail()

+		}

+	}

 }

@@ -48,10 +48,10 @@ func InitializeMountNamespace(rootfs, console string, container *libcontainer.Co

 	if err := setupBindmounts(rootfs, container.Mounts); err != nil {

 		return fmt.Errorf("bind mounts %s", err)

 	}

-	if err := nodes.CopyN(rootfs, nodes.DefaultNodes, true); err != nil {

-		return fmt.Errorf("copy dev nodes %s", err)

+	if err := nodes.CopyN(rootfs, container.DeviceNodes["required"], true); err != nil {

+		return fmt.Errorf("copy required dev nodes %s", err)

 	}

-	if err := nodes.CopyN(rootfs, nodes.AdditionalNodes, false); err != nil {

+	if err := nodes.CopyN(rootfs, container.DeviceNodes["additional"], false); err != nil {

 		return fmt.Errorf("copy additional dev nodes %s", err)

 	}

 	if err := SetupPtmx(rootfs, console, container.Context["mount_label"]); err != nil {

@@ -195,13 +195,11 @@ func newSystemMounts(rootfs, mountLabel string, mounts libcontainer.Mounts) []mo

 	systemMounts := []mount{

 		{source: "proc", path: filepath.Join(rootfs, "proc"), device: "proc", flags: defaultMountFlags},

 		{source: "sysfs", path: filepath.Join(rootfs, "sys"), device: "sysfs", flags: defaultMountFlags},

+		{source: "tmpfs", path: filepath.Join(rootfs, "dev"), device: "tmpfs", flags: syscall.MS_NOSUID | syscall.MS_STRICTATIME, data: label.FormatMountLabel("mode=755", mountLabel)},

 		{source: "shm", path: filepath.Join(rootfs, "dev", "shm"), device: "tmpfs", flags: defaultMountFlags, data: label.FormatMountLabel("mode=1777,size=65536k", mountLabel)},

 		{source: "devpts", path: filepath.Join(rootfs, "dev", "pts"), device: "devpts", flags: syscall.MS_NOSUID | syscall.MS_NOEXEC, data: label.FormatMountLabel("newinstance,ptmxmode=0666,mode=620,gid=5", mountLabel)},

 		{source: "tmpfs", path: filepath.Join(rootfs, "run"), device: "tmpfs", flags: defaultMountFlags},

 	}

-	if len(mounts.OfType("devtmpfs")) == 1 {

-		systemMounts = append([]mount{{source: "tmpfs", path: filepath.Join(rootfs, "dev"), device: "tmpfs", flags: syscall.MS_NOSUID | syscall.MS_STRICTATIME, data: label.FormatMountLabel("mode=755", mountLabel)}}, systemMounts...)

-	}

 	return systemMounts

 }

@@ -4,6 +4,7 @@ package nodes

 import (

 	"fmt"

+	"io/ioutil"

 	"os"

 	"path/filepath"

 	"syscall"

@@ -21,11 +22,6 @@ var DefaultNodes = []string{

 	"tty",

 }

-// AdditionalNodes includes nodes that are not required

-var AdditionalNodes = []string{

-	"fuse",

-}

-

 // CopyN copies the device node from the host into the rootfs

 func CopyN(rootfs string, nodesToCopy []string, shouldExist bool) error {

 	oldMask := system.Umask(0000)

@@ -61,3 +57,18 @@ func Copy(rootfs, node string, shouldExist bool) error {

 	}

 	return nil

 }

+

+func GetHostDeviceNodes() ([]string, error) {

+	files, err := ioutil.ReadDir("/dev")

+	if err != nil {

+		return nil, err

+	}

+

+	out := []string{}

+	for _, f := range files {

+		if f.Mode()&os.ModeDevice == os.ModeDevice {

+			out = append(out, f.Name())

+		}

+	}

+	return out, nil

+}

new file mode 100644

@@ -0,0 +1,11 @@

+// +build !linux

+

+package nodes

+

+import "github.com/dotcloud/docker/pkg/libcontainer"

+

+var DefaultNodes = []string{}

+

+func GetHostDeviceNodes() ([]string, error) {

+	return nil, libcontainer.ErrUnsupported

+}