Better capability/namespace management
Docker-DCO-1.1-Signed-off-by: Guillaume J. Charmes <guillaume.charmes@docker.com> (github: creack)
parent
6daf56799f
commit
357ca32831
4 changed files with 119 additions and 87 deletions
|
@ -14,7 +14,7 @@ import (
|
|||
// ExecIn uses an existing pid and joins the pid's namespaces with the new command.
|
||||
func (ns *linuxNs) ExecIn(container *libcontainer.Container, nspid int, args []string) (int, error) {
|
||||
for _, ns := range container.Namespaces {
|
||||
if err := system.Unshare(namespaceMap[ns]); err != nil {
|
||||
if err := system.Unshare(ns.Value); err != nil {
|
||||
return -1, err
|
||||
}
|
||||
}
|
||||
|
@ -42,8 +42,7 @@ func (ns *linuxNs) ExecIn(container *libcontainer.Container, nspid int, args []s
|
|||
|
||||
// if the container has a new pid and mount namespace we need to
|
||||
// remount proc and sys to pick up the changes
|
||||
if container.Namespaces.Contains(libcontainer.CLONE_NEWNS) &&
|
||||
container.Namespaces.Contains(libcontainer.CLONE_NEWPID) {
|
||||
if container.Namespaces.Contains("CLONE_NEWNS") && container.Namespaces.Contains("CLONE_NEWPID") {
|
||||
pid, err := system.Fork()
|
||||
if err != nil {
|
||||
return -1, err
|
||||
|
@ -84,7 +83,7 @@ dropAndExec:
|
|||
func (ns *linuxNs) getNsFds(pid int, container *libcontainer.Container) ([]uintptr, error) {
|
||||
fds := make([]uintptr, len(container.Namespaces))
|
||||
for i, ns := range container.Namespaces {
|
||||
f, err := os.OpenFile(filepath.Join("/proc/", strconv.Itoa(pid), "ns", namespaceFileMap[ns]), os.O_RDONLY, 0)
|
||||
f, err := os.OpenFile(filepath.Join("/proc/", strconv.Itoa(pid), "ns", ns.File), os.O_RDONLY, 0)
|
||||
if err != nil {
|
||||
return fds, err
|
||||
}
|
||||
|
|
|
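Review bot: The second hunk replaces the typed `libcontainer.CLONE_NEWNS`/`CLONE_NEWPID` arguments with bare string literals, so a key that does not match what the container config actually carries fails silently — `Contains` returns false, the proc/sys remount is skipped, and the new pid namespace keeps a stale `/proc` view — with no compile-time check to catch it. If the typed namespace constants no longer exist after this commit, the two names should at least be package-level constants shared with whatever populates `container.Namespaces`, e.g. `const (nsMount = "CLONE_NEWNS"; nsPID = "CLONE_NEWPID")`, rather than literals at the call site. The first and third hunks likewise now take `ns.Value` and `ns.File` straight from the namespace entries; nothing in ExecIn or getNsFds rejects a zero Value or an empty File, which respectively make Unshare a no-op and turn the OpenFile path into the `ns` directory itself, so a validation step on the config side seems warranted if one is not already there. The loop variable `ns` in the first hunk also shadows the `ns *linuxNs` receiver, which is worth renaming now that the element is a struct rather than an enum value. Both ExecIn and getNsFds continue outside the shown hunks.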
@ -2,35 +2,13 @@ package nsinit
|
|||
|
||||
import (
|
||||
"github.com/dotcloud/docker/pkg/libcontainer"
|
||||
"syscall"
|
||||
)
|
||||
|
||||
var namespaceMap = map[libcontainer.Namespace]int{
|
||||
libcontainer.CLONE_NEWNS: syscall.CLONE_NEWNS,
|
||||
libcontainer.CLONE_NEWUTS: syscall.CLONE_NEWUTS,
|
||||
libcontainer.CLONE_NEWIPC: syscall.CLONE_NEWIPC,
|
||||
libcontainer.CLONE_NEWUSER: syscall.CLONE_NEWUSER,
|
||||
libcontainer.CLONE_NEWPID: syscall.CLONE_NEWPID,
|
||||
libcontainer.CLONE_NEWNET: syscall.CLONE_NEWNET,
|
||||
}
|
||||
|
||||
// namespaceFileMap is used to convert the libcontainer types
|
||||
// into the names of the files located in /proc/<pid>/ns/* for
|
||||
// each namespace
|
||||
var namespaceFileMap = map[libcontainer.Namespace]string{
|
||||
libcontainer.CLONE_NEWNS: "mnt",
|
||||
libcontainer.CLONE_NEWUTS: "uts",
|
||||
libcontainer.CLONE_NEWIPC: "ipc",
|
||||
libcontainer.CLONE_NEWUSER: "user",
|
||||
libcontainer.CLONE_NEWPID: "pid",
|
||||
libcontainer.CLONE_NEWNET: "net",
|
||||
}
|
||||
|
||||
// getNamespaceFlags parses the container's Namespaces options to set the correct
|
||||
// flags on clone, unshare, and setns
|
||||
func GetNamespaceFlags(namespaces libcontainer.Namespaces) (flag int) {
|
||||
for _, ns := range namespaces {
|
||||
flag |= namespaceMap[ns]
|
||||
flag |= ns.Value
|
||||
}
|
||||
return flag
|
||||
}
|
||||
|
|
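Review bot: The doc comment on the surviving function still reads `// getNamespaceFlags parses ...` while the declaration is the exported `GetNamespaceFlags`, so the comment neither matches the name nor follows the exported-doc convention; it should read `// GetNamespaceFlags parses the container's Namespaces options to set the correct flags on clone, unshare, and setns.` With the `namespaceMap` lookup removed, the mask is now built from `ns.Value` as supplied by each namespace entry, so this function no longer constrains the flags to the known CLONE_NEW* set the old map enforced — worth a comment stating that callers are responsible for validating Value, or a check here if the config can come from an untrusted source. If the `syscall` import is now unused after the map deletion, it should be dropped in the same hunk; its removal is not visible in what is shown.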