| ... | ... |
@@ -1,10 +1,11 @@ |
| 1 | 1 |
package nsinit |
| 2 | 2 |
|
| 3 | 3 |
import ( |
| 4 |
- "github.com/dotcloud/docker/pkg/libcontainer" |
|
| 5 |
- "github.com/dotcloud/docker/pkg/system" |
|
| 6 | 4 |
"os" |
| 7 | 5 |
"os/exec" |
| 6 |
+ |
|
| 7 |
+ "github.com/dotcloud/docker/pkg/libcontainer" |
|
| 8 |
+ "github.com/dotcloud/docker/pkg/system" |
|
| 8 | 9 |
) |
| 9 | 10 |
|
| 10 | 11 |
// CommandFactory takes the container's configuration and options passed by the |
| ... | ... |
@@ -34,14 +35,3 @@ func (c *DefaultCommandFactory) Create(container *libcontainer.Container, consol |
| 34 | 34 |
command.ExtraFiles = []*os.File{pipe}
|
| 35 | 35 |
return command |
| 36 | 36 |
} |
| 37 |
- |
|
| 38 |
-// GetNamespaceFlags parses the container's Namespaces options to set the correct |
|
| 39 |
-// flags on clone, unshare, and setns |
|
| 40 |
-func GetNamespaceFlags(namespaces libcontainer.Namespaces) (flag int) {
|
|
| 41 |
- for _, ns := range namespaces {
|
|
| 42 |
- if ns.Enabled {
|
|
| 43 |
- flag |= ns.Value |
|
| 44 |
- } |
|
| 45 |
- } |
|
| 46 |
- return flag |
|
| 47 |
-} |
| ... | ... |
@@ -142,3 +142,14 @@ func DeletePid(path string) error {
|
| 142 | 142 |
} |
| 143 | 143 |
return err |
| 144 | 144 |
} |
| 145 |
+ |
|
| 146 |
+// GetNamespaceFlags parses the container's Namespaces options to set the correct |
|
| 147 |
+// flags on clone, unshare, and setns |
|
| 148 |
+func GetNamespaceFlags(namespaces libcontainer.Namespaces) (flag int) {
|
|
| 149 |
+ for _, ns := range namespaces {
|
|
| 150 |
+ if ns.Enabled {
|
|
| 151 |
+ flag |= ns.Value |
|
| 152 |
+ } |
|
| 153 |
+ } |
|
| 154 |
+ return flag |
|
| 155 |
+} |
| ... | ... |
@@ -82,7 +82,7 @@ func (ns *linuxNs) ExecIn(container *libcontainer.Container, nspid int, args []s |
| 82 | 82 |
os.Exit(state.Sys().(syscall.WaitStatus).ExitStatus()) |
| 83 | 83 |
} |
| 84 | 84 |
dropAndExec: |
| 85 |
- if err := finalizeNamespace(container); err != nil {
|
|
| 85 |
+ if err := FinalizeNamespace(container); err != nil {
|
|
| 86 | 86 |
return -1, err |
| 87 | 87 |
} |
| 88 | 88 |
err = label.SetProcessLabel(processLabel) |
| ... | ... |
@@ -54,23 +54,22 @@ func (ns *linuxNs) Init(container *libcontainer.Container, uncleanRootfs, consol |
| 54 | 54 |
} |
| 55 | 55 |
|
| 56 | 56 |
label.Init() |
| 57 |
+ |
|
| 57 | 58 |
if err := mount.InitializeMountNamespace(rootfs, consolePath, container); err != nil {
|
| 58 | 59 |
return fmt.Errorf("setup mount namespace %s", err)
|
| 59 | 60 |
} |
| 60 | 61 |
if err := system.Sethostname(container.Hostname); err != nil {
|
| 61 | 62 |
return fmt.Errorf("sethostname %s", err)
|
| 62 | 63 |
} |
| 63 |
- if err := finalizeNamespace(container); err != nil {
|
|
| 64 |
+ if err := FinalizeNamespace(container); err != nil {
|
|
| 64 | 65 |
return fmt.Errorf("finalize namespace %s", err)
|
| 65 | 66 |
} |
| 66 | 67 |
|
| 67 |
- if profile := container.Context["apparmor_profile"]; profile != "" {
|
|
| 68 |
- if err := apparmor.ApplyProfile(os.Getpid(), profile); err != nil {
|
|
| 69 |
- return err |
|
| 70 |
- } |
|
| 71 |
- } |
|
| 72 | 68 |
runtime.LockOSThread() |
| 73 | 69 |
|
| 70 |
+ if err := apparmor.ApplyProfile(os.Getpid(), container.Context["apparmor_profile"]); err != nil {
|
|
| 71 |
+ return err |
|
| 72 |
+ } |
|
| 74 | 73 |
if err := label.SetProcessLabel(container.Context["process_label"]); err != nil {
|
| 75 | 74 |
return fmt.Errorf("set process label %s", err)
|
| 76 | 75 |
} |
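Review bot: The apparmor call on new line 70 now passes `container.Context["apparmor_profile"]` straight through, whereas the removed lines 67-71 skipped `ApplyProfile` whenever the profile name was empty; unless `apparmor.ApplyProfile` treats an empty string as a no-op (not visible in this hunk), a container configured without a profile will now fail `Init` at this point, or the outcome depends on behaviour defined elsewhere. Worth confirming against the helper and recording the contract at the call site, e.g. `// ApplyProfile is expected to be a no-op for an empty profile name — TODO confirm`. The `return err` on new line 71 is also the only error in this sequence that is not wrapped; `return fmt.Errorf("apply apparmor profile %s", err)` would match the neighbouring `sethostname` and `finalize namespace` messages. The call was moved to run after `runtime.LockOSThread()`, which is presumably deliberate but is not explained; a one-line why-comment would help the next reader. Init starts before this hunk.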
| ... | ... |
@@ -113,10 +112,10 @@ func setupNetwork(container *libcontainer.Container, context libcontainer.Contex |
| 113 | 113 |
return nil |
| 114 | 114 |
} |
| 115 | 115 |
|
| 116 |
-// finalizeNamespace drops the caps, sets the correct user |
|
| 116 |
+// FinalizeNamespace drops the caps, sets the correct user |
|
| 117 | 117 |
// and working dir, and closes any leaky file descriptors |
| 118 | 118 |
// before execing the command inside the namespace |
| 119 |
-func finalizeNamespace(container *libcontainer.Container) error {
|
|
| 119 |
+func FinalizeNamespace(container *libcontainer.Container) error {
|
|
| 120 | 120 |
if err := capabilities.DropCapabilities(container); err != nil {
|
| 121 | 121 |
return fmt.Errorf("drop capabilities %s", err)
|
| 122 | 122 |
} |
| ... | ... |
@@ -17,3 +17,7 @@ func (ns *linuxNs) ExecIn(container *libcontainer.Container, nspid int, args []s |
| 17 | 17 |
func (ns *linuxNs) Init(container *libcontainer.Container, uncleanRootfs, console string, syncPipe *SyncPipe, args []string) error {
|
| 18 | 18 |
return libcontainer.ErrUnsupported |
| 19 | 19 |
} |
| 20 |
+ |
|
| 21 |
+func GetNamespaceFlags(namespaces libcontainer.Namespaces) (flag int) {
|
|
| 22 |
+ return 0 |
|
| 23 |
+} |
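Review bot: The exported stub `GetNamespaceFlags` on new lines 21-23 has no doc comment, while the Linux implementation added elsewhere in this commit carries one; golint-style tooling expects every exported name to be documented. Suggest `// GetNamespaceFlags is a no-op on unsupported platforms and always returns 0.` above the declaration. The named result `flag` is unused in this body, so `func GetNamespaceFlags(namespaces libcontainer.Namespaces) int` would read cleaner, provided the signature stays in sync with the Linux version.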