Add enabled option to namespaces and capabilities spec in

container.json. Although we don't yet check for enabled everywhere.

Docker-DCO-1.1-Signed-off-by: Rohit Jnagal <jnagal@google.com> (github: rjnagal)
Rohit Jnagal 2014-04-25 01:10:11 +00:00
parent 8173da962b
commit 35c12256c7
2 changed files with 141 additions and 40 deletions


@ -41,21 +41,52 @@ Sample `container.json` file:
"TERM=xterm" "TERM=xterm"
], ],
"capabilities_mask" : [ "capabilities_mask" : [
{ "key": "SETPCAP" }, {
{ "key": "SYS_MODULE" }, "key": "SETPCAP",
{ "key": "SYS_RAWIO" }, "enabled": true
{ "key": "SYS_PACCT" }, },
{ "key": "SYS_ADMIN" }, { "key": "SYS_MODULE",
{ "key": "SYS_NICE" }, "enabled": true
{ "key": "SYS_RESOURCE" }, },
{ "key": "SYS_TIME" }, { "key": "SYS_RAWIO",
{ "key": "SYS_TTY_CONFIG" }, "enabled": true
{ "key": "MKNOD" }, },
{ "key": "AUDIT_WRITE" }, { "key": "SYS_PACCT",
{ "key": "AUDIT_CONTROL" }, "enabled": true
{ "key": "MAC_OVERRIDE" }, },
{ "key": "MAC_ADMIN" }, { "key": "SYS_ADMIN",
{ "key": "NET_ADMIN" } "enabled": true
},
{ "key": "SYS_NICE",
"enabled": true
},
{ "key": "SYS_RESOURCE",
"enabled": true
},
{ "key": "SYS_TIME",
"enabled": true
},
{ "key": "SYS_TTY_CONFIG",
"enabled": true
},
{ "key": "MKNOD",
"enabled": true
},
{ "key": "AUDIT_WRITE",
"enabled": true
},
{ "key": "AUDIT_CONTROL",
"enabled": true
},
{ "key": "MAC_OVERRIDE",
"enabled": true
},
{ "key": "MAC_ADMIN",
"enabled": true
},
{ "key": "NET_ADMIN",
"enabled": true
}
], ],
"context" : { "context" : {
"apparmor_profile" : "docker-default" "apparmor_profile" : "docker-default"
@ -81,11 +112,21 @@ Sample `container.json` file:
} }
], ],
"namespaces" : [ "namespaces" : [
{ "key": "NEWNS" }, { "key": "NEWNS",
{ "key": "NEWUTS" }, "enabled": true
{ "key": "NEWIPC" }, },
{ "key": "NEWPID" }, { "key": "NEWUTS",
{ "key": "NEWNET" } "enabled": true
},
{ "key": "NEWIPC",
"enabled": true
},
{ "key": "NEWPID",
"enabled": true
},
{ "key": "NEWNET",
"enabled": true
}
] ]
} }
``` ```


@ -8,28 +8,88 @@
"TERM=xterm-256color" "TERM=xterm-256color"
], ],
"namespaces": [ "namespaces": [
{ "key": "NEWIPC" }, {
{ "key": "NEWNS" }, "key": "NEWIPC",
{ "key": "NEWPID" }, "enabled": true
{ "key": "NEWUTS" }, },
{ "key": "NEWNET" } {
"key": "NEWNS",
"enabled": true
},
{
"key": "NEWPID",
"enabled": true
},
{
"key": "NEWUTS",
"enabled": true
},
{
"key": "NEWNET",
"enabled": true
}
], ],
"capabilities_mask": [ "capabilities_mask": [
{ "key": "SETPCAP" }, {
{ "key": "SYS_MODULE" }, "key": "SETPCAP",
{ "key": "SYS_RAWIO" }, "enabled": true
{ "key": "SYS_PACCT" }, },
{ "key": "SYS_ADMIN" }, {
{ "key": "SYS_NICE" }, "key": "SYS_MODULE",
{ "key": "SYS_RESOURCE" }, "enabled": true
{ "key": "SYS_TIME" }, },
{ "key": "SYS_TTY_CONFIG" }, {
{ "key": "MKNOD" }, "key": "SYS_RAWIO",
{ "key": "AUDIT_WRITE" }, "enabled": false
{ "key": "AUDIT_CONTROL" }, },
{ "key": "MAC_OVERRIDE" }, {
{ "key": "MAC_ADMIN" }, "key": "SYS_PACCT",
{ "key": "NET_ADMIN" } "enabled": true
},
{
"key": "SYS_ADMIN",
"enabled": true
},
{
"key": "SYS_NICE",
"enabled": true
},
{
"key": "SYS_RESOURCE",
"enabled": true
},
{
"key": "SYS_TIME",
"enabled": true
},
{
"key": "SYS_TTY_CONFIG",
"enabled": true
},
{
"key": "MKNOD",
"enabled": true
},
{
"key": "AUDIT_WRITE",
"enabled": true
},
{
"key": "AUDIT_CONTROL",
"enabled": true
},
{
"key": "MAC_OVERRIDE",
"enabled": true
},
{
"key": "MAC_ADMIN",
"enabled": true
},
{
"key": "NET_ADMIN",
"enabled": true
}
], ],
"networks": [{ "networks": [{
"type": "veth", "type": "veth",
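Review bot: Nothing on this page defines what `enabled` means inside `capabilities_mask`, and the new SYS_RAWIO entry is the only one set to `"enabled": false`, so a reader cannot tell whether that capability ends up dropped or retained in the sample container. The commit message says `enabled` is not yet checked everywhere, which suggests that a code path ignoring the field and one honouring it would apply different capability sets to this same file. Entries written in the old form (`{ "key": "NEWPID" }`, no `enabled`) also have no stated default; if the field decodes to false when absent, existing configs would presumably lose namespaces or change their mask once the check lands. I would state the semantics and the default next to the sample in the README, e.g. `"enabled": false in capabilities_mask means <dropped|retained, author to confirm>; a missing "enabled" is treated as <default>`, and keep SYS_RAWIO consistent with the other entries until every consumer checks the field.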