diff --git a/libcontainer/nsinit/command.go b/libcontainer/nsinit/command.go
index 153a48a..3c7a035 100644
--- a/libcontainer/nsinit/command.go
+++ b/libcontainer/nsinit/command.go
@@ -1,10 +1,11 @@
 package nsinit
 
 import (
-	"github.com/dotcloud/docker/pkg/libcontainer"
-	"github.com/dotcloud/docker/pkg/system"
 	"os"
 	"os/exec"
+
+	"github.com/dotcloud/docker/pkg/libcontainer"
+	"github.com/dotcloud/docker/pkg/system"
 )
 
 // CommandFactory takes the container's configuration and options passed by the
@@ -34,14 +35,3 @@ func (c *DefaultCommandFactory) Create(container *libcontainer.Container, consol
 	command.ExtraFiles = []*os.File{pipe}
 	return command
 }
-
-// GetNamespaceFlags parses the container's Namespaces options to set the correct
-// flags on clone, unshare, and setns
-func GetNamespaceFlags(namespaces libcontainer.Namespaces) (flag int) {
-	for _, ns := range namespaces {
-		if ns.Enabled {
-			flag |= ns.Value
-		}
-	}
-	return flag
-}
diff --git a/libcontainer/nsinit/exec.go b/libcontainer/nsinit/exec.go
index 64d35e5..45a2a8b 100644
--- a/libcontainer/nsinit/exec.go
+++ b/libcontainer/nsinit/exec.go
@@ -142,3 +142,14 @@ func DeletePid(path string) error {
 	}
 	return err
 }
+
+// GetNamespaceFlags parses the container's Namespaces options to set the correct
+// flags on clone, unshare, and setns
+func GetNamespaceFlags(namespaces libcontainer.Namespaces) (flag int) {
+	for _, ns := range namespaces {
+		if ns.Enabled {
+			flag |= ns.Value
+		}
+	}
+	return flag
+}
diff --git a/libcontainer/nsinit/execin.go b/libcontainer/nsinit/execin.go
index c4ddb78..8507d9b 100644
--- a/libcontainer/nsinit/execin.go
+++ b/libcontainer/nsinit/execin.go
@@ -82,7 +82,7 @@ func (ns *linuxNs) ExecIn(container *libcontainer.Container, nspid int, args []s
 		os.Exit(state.Sys().(syscall.WaitStatus).ExitStatus())
 	}
 dropAndExec:
-	if err := finalizeNamespace(container); err != nil {
+	if err := FinalizeNamespace(container); err != nil {
 		return -1, err
 	}
 	err = label.SetProcessLabel(processLabel)
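Review bot: In the exec.go hunk, GetNamespaceFlags ORs `ns.Value` straight into the clone/unshare/setns flag word with no check that the value is one of the CLONE_NEW* bits; the body is moved verbatim from command.go, so this is pre-existing, but it is now the documented entry point for building those flags. If `libcontainer.Namespaces` can be populated from the container's on-disk config rather than only from the package's own namespace table (not visible here), a config could smuggle arbitrary clone flags into the container's first process. If Value is only ever set internally, state that in the doc comment, e.g. `// Value is taken from the package's namespace table and is not validated here.`; otherwise mask `flag` against the known CLONE_NEW* set before returning. The comment should also end with a period and mention that disabled entries contribute nothing.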
diff --git a/libcontainer/nsinit/init.go b/libcontainer/nsinit/init.go
index 52708f4..02785bf 100644
--- a/libcontainer/nsinit/init.go
+++ b/libcontainer/nsinit/init.go
@@ -54,23 +54,22 @@ func (ns *linuxNs) Init(container *libcontainer.Container, uncleanRootfs, consol
 	}
 	label.Init()
+
 	if err := mount.InitializeMountNamespace(rootfs, consolePath, container); err != nil {
 		return fmt.Errorf("setup mount namespace %s", err)
 	}
 	if err := system.Sethostname(container.Hostname); err != nil {
 		return fmt.Errorf("sethostname %s", err)
 	}
-	if err := finalizeNamespace(container); err != nil {
+	if err := FinalizeNamespace(container); err != nil {
 		return fmt.Errorf("finalize namespace %s", err)
 	}
-	if profile := container.Context["apparmor_profile"]; profile != "" {
-		if err := apparmor.ApplyProfile(os.Getpid(), profile); err != nil {
-			return err
-		}
-	}
 	runtime.LockOSThread()
+	if err := apparmor.ApplyProfile(os.Getpid(), container.Context["apparmor_profile"]); err != nil {
+		return err
+	}
 	if err := label.SetProcessLabel(container.Context["process_label"]); err != nil {
 		return fmt.Errorf("set process label %s", err)
 	}
@@ -113,10 +112,10 @@ func setupNetwork(container *libcontainer.Container, context libcontainer.Contex
 	return nil
 }
 
-// finalizeNamespace drops the caps, sets the correct user
+// FinalizeNamespace drops the caps, sets the correct user
 // and working dir, and closes any leaky file descriptors
 // before execing the command inside the namespace
-func finalizeNamespace(container *libcontainer.Container) error {
+func FinalizeNamespace(container *libcontainer.Container) error {
 	if err := capabilities.DropCapabilities(container); err != nil {
 		return fmt.Errorf("drop capabilities %s", err)
 	}
diff --git a/libcontainer/nsinit/unsupported.go b/libcontainer/nsinit/unsupported.go
index 135c0ef..6274870 100644
--- a/libcontainer/nsinit/unsupported.go
+++ b/libcontainer/nsinit/unsupported.go
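Review bot: The new apparmor.ApplyProfile call after runtime.LockOSThread() drops the old `profile != ""` guard, so a container with no `apparmor_profile` in its Context now calls ApplyProfile with an empty string; unless ApplyProfile itself treats "" as a no-op (its body is not in this diff), Init will either fail for every unconfined container or attempt to write an empty profile name to the process's AppArmor attribute. Keep the decision to run unconfined visible at this call site, `if profile := container.Context["apparmor_profile"]; profile != "" {` around the call, or have ApplyProfile's doc comment state that an empty profile is ignored. The bare `return err` also loses the context every sibling check in this block adds; `return fmt.Errorf("apply apparmor profile %s", err)` matches them. Init starts before this hunk.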
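Review bot: FinalizeNamespace becomes exported in the second init.go hunk, but its comment still reads like an internal note; a caller outside the package needs to know that, per that comment, it drops capabilities, switches user and closes descriptors, and that none of this can be undone, so it must run after the mount namespace is set up and be the last step before exec. Extend the comment with a sentence such as `// It is irreversible: once it returns, the calling process has dropped its capabilities and switched user, so it must be called last, immediately before exec.` and end the summary line with a period. The body of FinalizeNamespace continues past the hunk.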
@@ -17,3 +17,7 @@ func (ns *linuxNs) ExecIn(container *libcontainer.Container, nspid int, args []s
 func (ns *linuxNs) Init(container *libcontainer.Container, uncleanRootfs, console string, syncPipe *SyncPipe, args []string) error {
 	return libcontainer.ErrUnsupported
 }
+
+func GetNamespaceFlags(namespaces libcontainer.Namespaces) (flag int) {
+	return 0
+}
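Review bot: The new GetNamespaceFlags stub has no doc comment although it is exported, and unlike the surrounding stubs it returns a usable-looking value (0, i.e. no namespace flags) instead of signalling libcontainer.ErrUnsupported; a caller on a non-Linux build that does not also check Init or ExecIn for ErrUnsupported could proceed as if "no namespaces" were a valid container configuration. Since the signature has no error slot, at least document the contract: `// GetNamespaceFlags always returns 0 on platforms without namespace support; callers must rely on Init/ExecIn returning libcontainer.ErrUnsupported.` Consider whether the `namespaces` parameter should be named `_` to make the ignore explicit.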