GitList

@@ -34,6 +34,8 @@ func (d *driver) createContainer(c *execdriver.Command) (*libcontainer.Container
 		if err := d.setPrivileged(container); err != nil {
 			return nil, err
 		}
+	} else {
+		container.Mounts = append(container.Mounts, libcontainer.Mount{Type: "devtmpfs"})
 	}
 	if err := d.setupCgroups(container, c); err != nil {
 		return nil, err

pkg/libcontainer/nsinit/mount.go

History View file @ 5ba1242

@@ -47,14 +47,14 @@ func setupNewMountNamespace(rootfs, console string, container *libcontainer.Cont
                      	if err := setupBindmounts(rootfs, container.Mounts); err != nil {
                      		return fmt.Errorf("bind mounts %s", err)
+                     	}
                     +	if err := copyDevNodes(rootfs); err != nil {
                     +		return fmt.Errorf("copy dev nodes %s", err)
                     +	}
                      	if restrictionPath := container.Context["restriction_path"]; restrictionPath != "" {
                      		if err := restrict.Restrict(rootfs, restrictionPath); err != nil {
                      			return fmt.Errorf("restrict %s", err)
+                     		}
+                     	}
                     -	if err := copyDevNodes(rootfs); err != nil {
                     -		return fmt.Errorf("copy dev nodes %s", err)
                     -	}
                      	if err := setupPtmx(rootfs, console, container.Context["mount_label"]); err != nil {
                      		return err
+                     	}
@@ -273,12 +273,20 @@ func setupBindmounts(rootfs string, bindMounts libcontainer.Mounts) error {
+                     }
                      func newSystemMounts(rootfs, mountLabel string, mounts libcontainer.Mounts) []mount {
                     -	systemMounts := []mount{
                     -		{source: "proc", path: filepath.Join(rootfs, "proc"), device: "proc", flags: defaultMountFlags},
                     +	devMounts := []mount{
                      		{source: "shm", path: filepath.Join(rootfs, "dev", "shm"), device: "tmpfs", flags: defaultMountFlags, data: label.FormatMountLabel("mode=1777,size=65536k", mountLabel)},
                      		{source: "devpts", path: filepath.Join(rootfs, "dev", "pts"), device: "devpts", flags: syscall.MS_NOSUID | syscall.MS_NOEXEC, data: label.FormatMountLabel("newinstance,ptmxmode=0666,mode=620,gid=5", mountLabel)},
+                     	}
                     +	systemMounts := []mount{
                     +		{source: "proc", path: filepath.Join(rootfs, "proc"), device: "proc", flags: defaultMountFlags},
                     +	}
+                    +
                     +	if len(mounts.OfType("devtmpfs")) == 1 {
                     +		systemMounts = append(systemMounts, mount{source: "tmpfs", path: filepath.Join(rootfs, "dev"), device: "tmpfs", flags: syscall.MS_NOSUID | syscall.MS_STRICTATIME, data: "mode=755"})
                     +	}
                     +	systemMounts = append(systemMounts, devMounts...)
+                    +
                      	if len(mounts.OfType("sysfs")) == 1 {
                      		systemMounts = append(systemMounts, mount{source: "sysfs", path: filepath.Join(rootfs, "sys"), device: "sysfs", flags: defaultMountFlags})
+                     	}

...	...	@@ -34,6 +34,8 @@ func (d driver) createContainer(c execdriver.Command) (*libcontainer.Container
34	34	if err := d.setPrivileged(container); err != nil {
35	35	return nil, err
36	36	}
	37	+ } else {
	38	+ container.Mounts = append(container.Mounts, libcontainer.Mount{Type: "devtmpfs"})
37	39	}
38	40	if err := d.setupCgroups(container, c); err != nil {
39	41	return nil, err

Mount over dev and only copy allowed nodes in Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)