Merge pull request #4833 from crosbymichael/pluginflag

Add opts flag for fine grained control over drivers
This commit is contained in:
Guillaume J. Charmes 2014-04-01 13:34:08 -07:00
commit 345365e7b0
12 changed files with 134 additions and 89 deletions

View file

@ -49,6 +49,9 @@ func rawApply(c *Cgroup, pid int) (ActiveCgroup, error) {
if err := raw.setupCpu(c, pid); err != nil { if err := raw.setupCpu(c, pid); err != nil {
return nil, err return nil, err
} }
if err := raw.setupCpuset(c, pid); err != nil {
return nil, err
}
return raw, nil return raw, nil
} }
@ -170,6 +173,25 @@ func (raw *rawCgroup) setupCpu(c *Cgroup, pid int) (err error) {
return nil return nil
} }
func (raw *rawCgroup) setupCpuset(c *Cgroup, pid int) (err error) {
if c.CpusetCpus != "" {
dir, err := raw.join("cpuset", pid)
if err != nil {
return err
}
defer func() {
if err != nil {
os.RemoveAll(dir)
}
}()
if err := writeFile(dir, "cpuset.cpus", c.CpusetCpus); err != nil {
return err
}
}
return nil
}
func (raw *rawCgroup) Cleanup() error { func (raw *rawCgroup) Cleanup() error {
get := func(subsystem string) string { get := func(subsystem string) string {
path, _ := raw.path(subsystem) path, _ := raw.path(subsystem)
@ -180,6 +202,7 @@ func (raw *rawCgroup) Cleanup() error {
get("memory"), get("memory"),
get("devices"), get("devices"),
get("cpu"), get("cpu"),
get("cpuset"),
} { } {
if path != "" { if path != "" {
os.RemoveAll(path) os.RemoveAll(path)

View file

@ -15,10 +15,11 @@ type Cgroup struct {
Name string `json:"name,omitempty"` Name string `json:"name,omitempty"`
Parent string `json:"parent,omitempty"` Parent string `json:"parent,omitempty"`
DeviceAccess bool `json:"device_access,omitempty"` // name of parent cgroup or slice DeviceAccess bool `json:"device_access,omitempty"` // name of parent cgroup or slice
Memory int64 `json:"memory,omitempty"` // Memory limit (in bytes) Memory int64 `json:"memory,omitempty"` // Memory limit (in bytes)
MemorySwap int64 `json:"memory_swap,omitempty"` // Total memory usage (memory + swap); set `-1' to disable swap MemorySwap int64 `json:"memory_swap,omitempty"` // Total memory usage (memory + swap); set `-1' to disable swap
CpuShares int64 `json:"cpu_shares,omitempty"` // CPU shares (relative weight vs. other containers) CpuShares int64 `json:"cpu_shares,omitempty"` // CPU shares (relative weight vs. other containers)
CpusetCpus string `json:"cpuset_cpus,omitempty"` // CPU to use
UnitProperties [][2]string `json:"unit_properties,omitempty"` // systemd unit properties UnitProperties [][2]string `json:"unit_properties,omitempty"` // systemd unit properties
} }

View file

@ -27,7 +27,9 @@ func DropCapabilities(container *libcontainer.Container) error {
func getCapabilitiesMask(container *libcontainer.Container) []capability.Cap { func getCapabilitiesMask(container *libcontainer.Container) []capability.Cap {
drop := []capability.Cap{} drop := []capability.Cap{}
for _, c := range container.CapabilitiesMask { for _, c := range container.CapabilitiesMask {
drop = append(drop, c.Value) if !c.Enabled {
drop = append(drop, c.Value)
}
} }
return drop return drop
} }

View file

@ -0,0 +1,34 @@
package network
import (
"fmt"
"os"
"syscall"
"github.com/dotcloud/docker/pkg/libcontainer"
"github.com/dotcloud/docker/pkg/system"
)
// crosbymichael: could make a network strategy that instead of returning veth pair names it returns a pid to an existing network namespace
type NetNS struct {
}
func (v *NetNS) Create(n *libcontainer.Network, nspid int, context libcontainer.Context) error {
context["nspath"] = n.Context["nspath"]
return nil
}
func (v *NetNS) Initialize(config *libcontainer.Network, context libcontainer.Context) error {
nspath, exists := context["nspath"]
if !exists {
return fmt.Errorf("nspath does not exist in network context")
}
f, err := os.OpenFile(nspath, os.O_RDONLY, 0)
if err != nil {
return fmt.Errorf("failed get network namespace fd: %v", err)
}
if err := system.Setns(f.Fd(), syscall.CLONE_NEWNET); err != nil {
return fmt.Errorf("failed to setns current network namespace: %v", err)
}
return nil
}

View file

@ -2,6 +2,7 @@ package network
import ( import (
"errors" "errors"
"github.com/dotcloud/docker/pkg/libcontainer" "github.com/dotcloud/docker/pkg/libcontainer"
) )
@ -12,6 +13,7 @@ var (
var strategies = map[string]NetworkStrategy{ var strategies = map[string]NetworkStrategy{
"veth": &Veth{}, "veth": &Veth{},
"loopback": &Loopback{}, "loopback": &Loopback{},
"netns": &NetNS{},
} }
// NetworkStrategy represents a specific network configuration for // NetworkStrategy represents a specific network configuration for

View file

@ -39,7 +39,9 @@ func (c *DefaultCommandFactory) Create(container *libcontainer.Container, consol
// flags on clone, unshare, and setns // flags on clone, unshare, and setns
func GetNamespaceFlags(namespaces libcontainer.Namespaces) (flag int) { func GetNamespaceFlags(namespaces libcontainer.Namespaces) (flag int) {
for _, ns := range namespaces { for _, ns := range namespaces {
flag |= ns.Value if ns.Enabled {
flag |= ns.Value
}
} }
return flag return flag
} }

View file

@ -3,13 +3,14 @@
package nsinit package nsinit
import ( import (
"os"
"os/exec"
"syscall"
"github.com/dotcloud/docker/pkg/cgroups" "github.com/dotcloud/docker/pkg/cgroups"
"github.com/dotcloud/docker/pkg/libcontainer" "github.com/dotcloud/docker/pkg/libcontainer"
"github.com/dotcloud/docker/pkg/libcontainer/network" "github.com/dotcloud/docker/pkg/libcontainer/network"
"github.com/dotcloud/docker/pkg/system" "github.com/dotcloud/docker/pkg/system"
"os"
"os/exec"
"syscall"
) )
// Exec performes setup outside of a namespace so that a container can be // Exec performes setup outside of a namespace so that a container can be

View file

@ -4,6 +4,10 @@ package nsinit
import ( import (
"fmt" "fmt"
"os"
"runtime"
"syscall"
"github.com/dotcloud/docker/pkg/label" "github.com/dotcloud/docker/pkg/label"
"github.com/dotcloud/docker/pkg/libcontainer" "github.com/dotcloud/docker/pkg/libcontainer"
"github.com/dotcloud/docker/pkg/libcontainer/apparmor" "github.com/dotcloud/docker/pkg/libcontainer/apparmor"
@ -12,9 +16,6 @@ import (
"github.com/dotcloud/docker/pkg/libcontainer/utils" "github.com/dotcloud/docker/pkg/libcontainer/utils"
"github.com/dotcloud/docker/pkg/system" "github.com/dotcloud/docker/pkg/system"
"github.com/dotcloud/docker/pkg/user" "github.com/dotcloud/docker/pkg/user"
"os"
"runtime"
"syscall"
) )
// Init is the init process that first runs inside a new namespace to setup mounts, users, networking, // Init is the init process that first runs inside a new namespace to setup mounts, users, networking,
@ -58,13 +59,13 @@ func (ns *linuxNs) Init(container *libcontainer.Container, uncleanRootfs, consol
if err := system.ParentDeathSignal(uintptr(syscall.SIGTERM)); err != nil { if err := system.ParentDeathSignal(uintptr(syscall.SIGTERM)); err != nil {
return fmt.Errorf("parent death signal %s", err) return fmt.Errorf("parent death signal %s", err)
} }
if err := setupNetwork(container, context); err != nil {
return fmt.Errorf("setup networking %s", err)
}
ns.logger.Println("setup mount namespace") ns.logger.Println("setup mount namespace")
if err := setupNewMountNamespace(rootfs, container.Mounts, console, container.ReadonlyFs, container.NoPivotRoot, container.Context["mount_label"]); err != nil { if err := setupNewMountNamespace(rootfs, container.Mounts, console, container.ReadonlyFs, container.NoPivotRoot, container.Context["mount_label"]); err != nil {
return fmt.Errorf("setup mount namespace %s", err) return fmt.Errorf("setup mount namespace %s", err)
} }
if err := setupNetwork(container, context); err != nil {
return fmt.Errorf("setup networking %s", err)
}
if err := system.Sethostname(container.Hostname); err != nil { if err := system.Sethostname(container.Hostname); err != nil {
return fmt.Errorf("sethostname %s", err) return fmt.Errorf("sethostname %s", err)
} }

View file

@ -32,11 +32,6 @@ func setupNewMountNamespace(rootfs string, bindMounts []libcontainer.Mount, cons
if err := system.Mount(rootfs, rootfs, "bind", syscall.MS_BIND|syscall.MS_REC, ""); err != nil { if err := system.Mount(rootfs, rootfs, "bind", syscall.MS_BIND|syscall.MS_REC, ""); err != nil {
return fmt.Errorf("mouting %s as bind %s", rootfs, err) return fmt.Errorf("mouting %s as bind %s", rootfs, err)
} }
if readonly {
if err := system.Mount(rootfs, rootfs, "bind", syscall.MS_BIND|syscall.MS_REMOUNT|syscall.MS_RDONLY|syscall.MS_REC, ""); err != nil {
return fmt.Errorf("mounting %s as readonly %s", rootfs, err)
}
}
if err := mountSystem(rootfs, mountLabel); err != nil { if err := mountSystem(rootfs, mountLabel); err != nil {
return fmt.Errorf("mount system %s", err) return fmt.Errorf("mount system %s", err)
} }
@ -82,6 +77,12 @@ func setupNewMountNamespace(rootfs string, bindMounts []libcontainer.Mount, cons
} }
} }
if readonly {
if err := system.Mount("/", "/", "bind", syscall.MS_BIND|syscall.MS_REMOUNT|syscall.MS_RDONLY|syscall.MS_REC, ""); err != nil {
return fmt.Errorf("mounting %s as readonly %s", rootfs, err)
}
}
system.Umask(0022) system.Umask(0022)
return nil return nil

View file

@ -3,14 +3,15 @@ package main
import ( import (
"encoding/json" "encoding/json"
"flag" "flag"
"github.com/dotcloud/docker/pkg/libcontainer"
"github.com/dotcloud/docker/pkg/libcontainer/nsinit"
"io" "io"
"io/ioutil" "io/ioutil"
"log" "log"
"os" "os"
"path/filepath" "path/filepath"
"strconv" "strconv"
"github.com/dotcloud/docker/pkg/libcontainer"
"github.com/dotcloud/docker/pkg/libcontainer/nsinit"
) )
var ( var (

View file

@ -1,7 +1,6 @@
package libcontainer package libcontainer
import ( import (
"encoding/json"
"errors" "errors"
"github.com/syndtr/gocapability/capability" "github.com/syndtr/gocapability/capability"
) )
@ -19,29 +18,30 @@ var (
namespaceList = Namespaces{} namespaceList = Namespaces{}
capabilityList = Capabilities{ capabilityList = Capabilities{
{Key: "SETPCAP", Value: capability.CAP_SETPCAP}, {Key: "SETPCAP", Value: capability.CAP_SETPCAP, Enabled: false},
{Key: "SYS_MODULE", Value: capability.CAP_SYS_MODULE}, {Key: "SYS_MODULE", Value: capability.CAP_SYS_MODULE, Enabled: false},
{Key: "SYS_RAWIO", Value: capability.CAP_SYS_RAWIO}, {Key: "SYS_RAWIO", Value: capability.CAP_SYS_RAWIO, Enabled: false},
{Key: "SYS_PACCT", Value: capability.CAP_SYS_PACCT}, {Key: "SYS_PACCT", Value: capability.CAP_SYS_PACCT, Enabled: false},
{Key: "SYS_ADMIN", Value: capability.CAP_SYS_ADMIN}, {Key: "SYS_ADMIN", Value: capability.CAP_SYS_ADMIN, Enabled: false},
{Key: "SYS_NICE", Value: capability.CAP_SYS_NICE}, {Key: "SYS_NICE", Value: capability.CAP_SYS_NICE, Enabled: false},
{Key: "SYS_RESOURCE", Value: capability.CAP_SYS_RESOURCE}, {Key: "SYS_RESOURCE", Value: capability.CAP_SYS_RESOURCE, Enabled: false},
{Key: "SYS_TIME", Value: capability.CAP_SYS_TIME}, {Key: "SYS_TIME", Value: capability.CAP_SYS_TIME, Enabled: false},
{Key: "SYS_TTY_CONFIG", Value: capability.CAP_SYS_TTY_CONFIG}, {Key: "SYS_TTY_CONFIG", Value: capability.CAP_SYS_TTY_CONFIG, Enabled: false},
{Key: "MKNOD", Value: capability.CAP_MKNOD}, {Key: "MKNOD", Value: capability.CAP_MKNOD, Enabled: false},
{Key: "AUDIT_WRITE", Value: capability.CAP_AUDIT_WRITE}, {Key: "AUDIT_WRITE", Value: capability.CAP_AUDIT_WRITE, Enabled: false},
{Key: "AUDIT_CONTROL", Value: capability.CAP_AUDIT_CONTROL}, {Key: "AUDIT_CONTROL", Value: capability.CAP_AUDIT_CONTROL, Enabled: false},
{Key: "MAC_OVERRIDE", Value: capability.CAP_MAC_OVERRIDE}, {Key: "MAC_OVERRIDE", Value: capability.CAP_MAC_OVERRIDE, Enabled: false},
{Key: "MAC_ADMIN", Value: capability.CAP_MAC_ADMIN}, {Key: "MAC_ADMIN", Value: capability.CAP_MAC_ADMIN, Enabled: false},
{Key: "NET_ADMIN", Value: capability.CAP_NET_ADMIN}, {Key: "NET_ADMIN", Value: capability.CAP_NET_ADMIN, Enabled: false},
} }
) )
type ( type (
Namespace struct { Namespace struct {
Key string Key string `json:"key,omitempty"`
Value int Enabled bool `json:"enabled,omitempty"`
File string Value int `json:"value,omitempty"`
File string `json:"file,omitempty"`
} }
Namespaces []*Namespace Namespaces []*Namespace
) )
@ -50,27 +50,11 @@ func (ns *Namespace) String() string {
return ns.Key return ns.Key
} }
func (ns *Namespace) MarshalJSON() ([]byte, error) {
return json.Marshal(ns.Key)
}
func (ns *Namespace) UnmarshalJSON(src []byte) error {
var nsName string
if err := json.Unmarshal(src, &nsName); err != nil {
return err
}
ret := GetNamespace(nsName)
if ret == nil {
return ErrUnkownNamespace
}
*ns = *ret
return nil
}
func GetNamespace(key string) *Namespace { func GetNamespace(key string) *Namespace {
for _, ns := range namespaceList { for _, ns := range namespaceList {
if ns.Key == key { if ns.Key == key {
return ns cpy := *ns
return &cpy
} }
} }
return nil return nil
@ -79,18 +63,23 @@ func GetNamespace(key string) *Namespace {
// Contains returns true if the specified Namespace is // Contains returns true if the specified Namespace is
// in the slice // in the slice
func (n Namespaces) Contains(ns string) bool { func (n Namespaces) Contains(ns string) bool {
return n.Get(ns) != nil
}
func (n Namespaces) Get(ns string) *Namespace {
for _, nsp := range n { for _, nsp := range n {
if nsp.Key == ns { if nsp.Key == ns {
return true return nsp
} }
} }
return false return nil
} }
type ( type (
Capability struct { Capability struct {
Key string Key string `json:"key,omitempty"`
Value capability.Cap Enabled bool `json:"enabled"`
Value capability.Cap `json:"value,omitempty"`
} }
Capabilities []*Capability Capabilities []*Capability
) )
@ -99,27 +88,11 @@ func (c *Capability) String() string {
return c.Key return c.Key
} }
func (c *Capability) MarshalJSON() ([]byte, error) {
return json.Marshal(c.Key)
}
func (c *Capability) UnmarshalJSON(src []byte) error {
var capName string
if err := json.Unmarshal(src, &capName); err != nil {
return err
}
ret := GetCapability(capName)
if ret == nil {
return ErrUnkownCapability
}
*c = *ret
return nil
}
func GetCapability(key string) *Capability { func GetCapability(key string) *Capability {
for _, capp := range capabilityList { for _, capp := range capabilityList {
if capp.Key == key { if capp.Key == key {
return capp cpy := *capp
return &cpy
} }
} }
return nil return nil
@ -128,10 +101,14 @@ func GetCapability(key string) *Capability {
// Contains returns true if the specified Capability is // Contains returns true if the specified Capability is
// in the slice // in the slice
func (c Capabilities) Contains(capp string) bool { func (c Capabilities) Contains(capp string) bool {
return c.Get(capp) != nil
}
func (c Capabilities) Get(capp string) *Capability {
for _, cap := range c { for _, cap := range c {
if cap.Key == capp { if cap.Key == capp {
return true return cap
} }
} }
return false return nil
} }

View file

@ -6,11 +6,11 @@ import (
func init() { func init() {
namespaceList = Namespaces{ namespaceList = Namespaces{
{Key: "NEWNS", Value: syscall.CLONE_NEWNS, File: "mnt"}, {Key: "NEWNS", Value: syscall.CLONE_NEWNS, File: "mnt", Enabled: true},
{Key: "NEWUTS", Value: syscall.CLONE_NEWUTS, File: "uts"}, {Key: "NEWUTS", Value: syscall.CLONE_NEWUTS, File: "uts", Enabled: true},
{Key: "NEWIPC", Value: syscall.CLONE_NEWIPC, File: "ipc"}, {Key: "NEWIPC", Value: syscall.CLONE_NEWIPC, File: "ipc", Enabled: true},
{Key: "NEWUSER", Value: syscall.CLONE_NEWUSER, File: "user"}, {Key: "NEWUSER", Value: syscall.CLONE_NEWUSER, File: "user", Enabled: true},
{Key: "NEWPID", Value: syscall.CLONE_NEWPID, File: "pid"}, {Key: "NEWPID", Value: syscall.CLONE_NEWPID, File: "pid", Enabled: true},
{Key: "NEWNET", Value: syscall.CLONE_NEWNET, File: "net"}, {Key: "NEWNET", Value: syscall.CLONE_NEWNET, File: "net", Enabled: true},
} }
} }