vbatts/pkg
1
0
Fork 0
Code Pull requests Releases Activity

Add enabled option to namespaces and capabilities spec in

Browse source 
container.json. Although we don't yet check for enabled everywhere.

Docker-DCO-1.1-Signed-off-by: Rohit Jnagal <jnagal@google.com> (github: rjnagal)
This commit is contained in:
Rohit Jnagal 2014-04-25 01:10:11 +00:00
parent 8173da962b
commit 35c12256c7
2 changed files with 141 additions and 40 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

81
libcontainer/README.md
View file

@ -41,21 +41,52 @@ Sample `container.json` file:
"TERM=xterm"
],
"capabilities_mask" : [
{ "key": "SETPCAP" },
{ "key": "SYS_MODULE" },
{ "key": "SYS_RAWIO" },
{ "key": "SYS_PACCT" },
{ "key": "SYS_ADMIN" },
{ "key": "SYS_NICE" },
{ "key": "SYS_RESOURCE" },
{ "key": "SYS_TIME" },
{ "key": "SYS_TTY_CONFIG" },
{ "key": "MKNOD" },
{ "key": "AUDIT_WRITE" },
{ "key": "AUDIT_CONTROL" },
{ "key": "MAC_OVERRIDE" },
{ "key": "MAC_ADMIN" },
{ "key": "NET_ADMIN" }
{
"key": "SETPCAP",
"enabled": true
},
{ "key": "SYS_MODULE",
"enabled": true
},
{ "key": "SYS_RAWIO",
"enabled": true
},
{ "key": "SYS_PACCT",
"enabled": true
},
{ "key": "SYS_ADMIN",
"enabled": true
},
{ "key": "SYS_NICE",
"enabled": true
},
{ "key": "SYS_RESOURCE",
"enabled": true
},
{ "key": "SYS_TIME",
"enabled": true
},
{ "key": "SYS_TTY_CONFIG",
"enabled": true
},
{ "key": "MKNOD",
"enabled": true
},
{ "key": "AUDIT_WRITE",
"enabled": true
},
{ "key": "AUDIT_CONTROL",
"enabled": true
},
{ "key": "MAC_OVERRIDE",
"enabled": true
},
{ "key": "MAC_ADMIN",
"enabled": true
},
{ "key": "NET_ADMIN",
"enabled": true
}
],
"context" : {
"apparmor_profile" : "docker-default"
@ -81,11 +112,21 @@ Sample `container.json` file:
}
],
"namespaces" : [
{ "key": "NEWNS" },
{ "key": "NEWUTS" },
{ "key": "NEWIPC" },
{ "key": "NEWPID" },
{ "key": "NEWNET" }
{ "key": "NEWNS",
"enabled": true
},
{ "key": "NEWUTS",
"enabled": true
},
{ "key": "NEWIPC",
"enabled": true
},
{ "key": "NEWPID",
"enabled": true
},
{ "key": "NEWNET",
"enabled": true
}
]
}
```

100
libcontainer/container.json
View file

@ -8,28 +8,88 @@
"TERM=xterm-256color"
],
"namespaces": [
{ "key": "NEWIPC" },
{ "key": "NEWNS" },
{ "key": "NEWPID" },
{ "key": "NEWUTS" },
{ "key": "NEWNET" }
{
"key": "NEWIPC",
"enabled": true
},
{
"key": "NEWNS",
"enabled": true
},
{
"key": "NEWPID",
"enabled": true
},
{
"key": "NEWUTS",
"enabled": true
},
{
"key": "NEWNET",
"enabled": true
}
],
"capabilities_mask": [
{ "key": "SETPCAP" },
{ "key": "SYS_MODULE" },
{ "key": "SYS_RAWIO" },
{ "key": "SYS_PACCT" },
{ "key": "SYS_ADMIN" },
{ "key": "SYS_NICE" },
{ "key": "SYS_RESOURCE" },
{ "key": "SYS_TIME" },
{ "key": "SYS_TTY_CONFIG" },
{ "key": "MKNOD" },
{ "key": "AUDIT_WRITE" },
{ "key": "AUDIT_CONTROL" },
{ "key": "MAC_OVERRIDE" },
{ "key": "MAC_ADMIN" },
{ "key": "NET_ADMIN" }
{
"key": "SETPCAP",
"enabled": true
},
{
"key": "SYS_MODULE",
"enabled": true
},
{
"key": "SYS_RAWIO",
"enabled": false
},
{
"key": "SYS_PACCT",
"enabled": true
},
{
"key": "SYS_ADMIN",
"enabled": true
},
{
"key": "SYS_NICE",
"enabled": true
},
{
"key": "SYS_RESOURCE",
"enabled": true
},
{
"key": "SYS_TIME",
"enabled": true
},
{
"key": "SYS_TTY_CONFIG",
"enabled": true
},
{
"key": "MKNOD",
"enabled": true
},
{
"key": "AUDIT_WRITE",
"enabled": true
},
{
"key": "AUDIT_CONTROL",
"enabled": true
},
{
"key": "MAC_OVERRIDE",
"enabled": true
},
{
"key": "MAC_ADMIN",
"enabled": true
},
{
"key": "NET_ADMIN",
"enabled": true
}
],
"networks": [{
"type": "veth",