Merge pull request #5922 from crosbymichael/host-dev-priv

Mount /dev in tmpfs for privileged containers
2014-05-21 18:56:24 -07:00 · 2014-05-21 18:56:24 -07:00 · a0841ff1eb
commit a0841ff1eb
parent c3c5ddfc50 3d95e5cf7b
6 changed files with 131 additions and 40 deletions
--- a/libcontainer/mount/init.go
+++ b/libcontainer/mount/init.go
@ -48,11 +48,11 @@ func InitializeMountNamespace(rootfs, console string, container *libcontainer.Co
 	if err := setupBindmounts(rootfs, container.Mounts); err != nil {
 		return fmt.Errorf("bind mounts %s", err)
 	}
-	if err := nodes.CopyN(rootfs, nodes.DefaultNodes, true); err != nil {
-		return fmt.Errorf("copy dev nodes %s", err)
+	if err := nodes.CopyN(rootfs, container.RequiredDeviceNodes, true); err != nil {
+		return fmt.Errorf("copy required dev nodes %s", err)
 	}
-	if err := nodes.CopyN(rootfs, nodes.AdditionalNodes, false); err != nil {
-		return fmt.Errorf("copy additional dev nodes %s", err)
+	if err := nodes.CopyN(rootfs, container.OptionalDeviceNodes, false); err != nil {
+		return fmt.Errorf("copy optional dev nodes %s", err)
 	}
 	if err := SetupPtmx(rootfs, console, container.Context["mount_label"]); err != nil {
 		return err
@ -195,12 +195,10 @@ func newSystemMounts(rootfs, mountLabel string, mounts libcontainer.Mounts) []mo
 	systemMounts := []mount{
 		{source: "proc", path: filepath.Join(rootfs, "proc"), device: "proc", flags: defaultMountFlags},
 		{source: "sysfs", path: filepath.Join(rootfs, "sys"), device: "sysfs", flags: defaultMountFlags},
+		{source: "tmpfs", path: filepath.Join(rootfs, "dev"), device: "tmpfs", flags: syscall.MS_NOSUID | syscall.MS_STRICTATIME, data: label.FormatMountLabel("mode=755", mountLabel)},
 		{source: "shm", path: filepath.Join(rootfs, "dev", "shm"), device: "tmpfs", flags: defaultMountFlags, data: label.FormatMountLabel("mode=1777,size=65536k", mountLabel)},
 		{source: "devpts", path: filepath.Join(rootfs, "dev", "pts"), device: "devpts", flags: syscall.MS_NOSUID | syscall.MS_NOEXEC, data: label.FormatMountLabel("newinstance,ptmxmode=0666,mode=620,gid=5", mountLabel)},
 	}

-	if len(mounts.OfType("devtmpfs")) == 1 {
-		systemMounts = append([]mount{{source: "tmpfs", path: filepath.Join(rootfs, "dev"), device: "tmpfs", flags: syscall.MS_NOSUID | syscall.MS_STRICTATIME, data: label.FormatMountLabel("mode=755", mountLabel)}}, systemMounts...)
-	}
 	return systemMounts
 }
--- a/libcontainer/mount/nodes/nodes.go
+++ b/libcontainer/mount/nodes/nodes.go
@ -4,6 +4,7 @@ package nodes

 import (
 	"fmt"
+	"io/ioutil"
 	"os"
 	"path/filepath"
 	"syscall"
@ -21,11 +22,6 @@ var DefaultNodes = []string{
 	"tty",
 }

-// AdditionalNodes includes nodes that are not required
-var AdditionalNodes = []string{
-	"fuse",
-}
-
 // CopyN copies the device node from the host into the rootfs
 func CopyN(rootfs string, nodesToCopy []string, shouldExist bool) error {
 	oldMask := system.Umask(0000)
@ -61,3 +57,18 @@ func Copy(rootfs, node string, shouldExist bool) error {
 	}
 	return nil
 }
+
+func GetHostDeviceNodes() ([]string, error) {
+	files, err := ioutil.ReadDir("/dev")
+	if err != nil {
+		return nil, err
+	}
+
+	out := []string{}
+	for _, f := range files {
+		if f.Mode()&os.ModeDevice == os.ModeDevice {
+			out = append(out, f.Name())
+		}
+	}
+	return out, nil
+}
--- a/libcontainer/mount/nodes/nodes_unsupported.go
+++ b/libcontainer/mount/nodes/nodes_unsupported.go
@ -0,0 +1,11 @@
+// +build !linux
+
+package nodes
+
+import "github.com/dotcloud/docker/pkg/libcontainer"
+
+var DefaultNodes = []string{}
+
+func GetHostDeviceNodes() ([]string, error) {
+	return nil, libcontainer.ErrUnsupported
+}