From 4f5c96a769f756ab428a4ad9ffedd8458113c4bc Mon Sep 17 00:00:00 2001
From: Brandon Philips
Date: Mon, 17 Mar 2014 10:16:34 -0700
Subject: [PATCH 1/2] refactor(libcontainer): rename to CapabilitiesMask

The Capabilities field on libcontainer is actually used as a mask. Rename the field so that this is more clear.

Docker-DCO-1.1-Signed-off-by: Brandon Philips (github: philips)
---
 libcontainer/README.md | 2 +-
 libcontainer/capabilities/capabilities.go | 8 +++----
 libcontainer/container.go | 26 +++++++++++------------
 libcontainer/container.json | 2 +-
 4 files changed, 19 insertions(+), 19 deletions(-)

diff --git a/libcontainer/README.md b/libcontainer/README.md
index 2c85111..e967f6d 100644
--- a/libcontainer/README.md
+++ b/libcontainer/README.md
@@ -40,7 +40,7 @@ Sample `container.json` file:
 "HOSTNAME=11bb30683fb0",
 "TERM=xterm"
 ],
- "capabilities" : [
+ "capabilities_mask" : [
 "SETPCAP",
 "SYS_MODULE",
 "SYS_RAWIO",
diff --git a/libcontainer/capabilities/capabilities.go b/libcontainer/capabilities/capabilities.go
index 3c6d752..fbf7353 100644
--- a/libcontainer/capabilities/capabilities.go
+++ b/libcontainer/capabilities/capabilities.go
@@ -9,7 +9,7 @@ import (
 // DropCapabilities drops capabilities for the current process based
 // on the container's configuration.
 func DropCapabilities(container *libcontainer.Container) error {
- if drop := getCapabilities(container); len(drop) > 0 {
+ if drop := getCapabilitiesMask(container); len(drop) > 0 {
 c, err := capability.NewPid(os.Getpid())
 if err != nil {
 return err
@@ -23,10 +23,10 @@ func DropCapabilities(container *libcontainer.Container) error {
 return nil
 }
 
-// getCapabilities returns the specific cap values for the libcontainer types
-func getCapabilities(container *libcontainer.Container) []capability.Cap {
+// getCapabilitiesMask returns the specific cap mask values for the libcontainer types
+func getCapabilitiesMask(container *libcontainer.Container) []capability.Cap {
 drop := []capability.Cap{}
- for _, c := range container.Capabilities {
+ for _, c := range container.CapabilitiesMask {
 drop = append(drop, c.Value)
 }
 return drop
diff --git a/libcontainer/container.go b/libcontainer/container.go
index 14b4b65..c7cac35 100644
--- a/libcontainer/container.go
+++ b/libcontainer/container.go
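Review bot: The new doc comment on `getCapabilitiesMask` says it returns "cap mask values", but the slice it builds is named `drop` and is exactly what `DropCapabilities` removes from the process, so "mask" reads as the set to keep while the code treats it as the set to remove. A reader who fills `capabilities_mask` with the capabilities they want the container to have would get the opposite effect, and nothing in the visible code would flag it. I would state the semantics explicitly: `// getCapabilitiesMask returns the capabilities listed in the container's CapabilitiesMask; these are the capabilities DropCapabilities removes from the process, not the set it keeps.` The same ambiguity sits on the renamed struct field in the libcontainer/container.go hunk, where `CapabilitiesMask` is commented `// capabilities to drop`; that comment could read `// capabilities to drop (a deny list, not the set to retain)`.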
@@ -11,19 +11,19 @@ type Context map[string]string
 // Container defines configuration options for how a
 // container is setup inside a directory and how a process should be executed
 type Container struct {
- Hostname string `json:"hostname,omitempty"` // hostname
- ReadonlyFs bool `json:"readonly_fs,omitempty"` // set the containers rootfs as readonly
- NoPivotRoot bool `json:"no_pivot_root,omitempty"` // this can be enabled if you are running in ramdisk
- User string `json:"user,omitempty"` // user to execute the process as
- WorkingDir string `json:"working_dir,omitempty"` // current working directory
- Env []string `json:"environment,omitempty"` // environment to set
- Tty bool `json:"tty,omitempty"` // setup a proper tty or not
- Namespaces Namespaces `json:"namespaces,omitempty"` // namespaces to apply
- Capabilities Capabilities `json:"capabilities,omitempty"` // capabilities to drop
- Networks []*Network `json:"networks,omitempty"` // nil for host's network stack
- Cgroups *cgroups.Cgroup `json:"cgroups,omitempty"` // cgroups
- Context Context `json:"context,omitempty"` // generic context for specific options (apparmor, selinux)
- Mounts []Mount `json:"mounts,omitempty"`
+ Hostname string `json:"hostname,omitempty"` // hostname
+ ReadonlyFs bool `json:"readonly_fs,omitempty"` // set the containers rootfs as readonly
+ NoPivotRoot bool `json:"no_pivot_root,omitempty"` // this can be enabled if you are running in ramdisk
+ User string `json:"user,omitempty"` // user to execute the process as
+ WorkingDir string `json:"working_dir,omitempty"` // current working directory
+ Env []string `json:"environment,omitempty"` // environment to set
+ Tty bool `json:"tty,omitempty"` // setup a proper tty or not
+ Namespaces Namespaces `json:"namespaces,omitempty"` // namespaces to apply
+ CapabilitiesMask Capabilities `json:"capabilities_mask,omitempty"` // capabilities to drop
+ Networks []*Network `json:"networks,omitempty"` // nil for host's network stack
+ Cgroups *cgroups.Cgroup `json:"cgroups,omitempty"` // cgroups
+ Context Context `json:"context,omitempty"` // generic context for specific options (apparmor, selinux)
+ Mounts []Mount `json:"mounts,omitempty"`
 }
 
 // Network defines configuration for a container's networking stack
diff --git a/libcontainer/container.json b/libcontainer/container.json
index 83e4074..f045315 100644
--- a/libcontainer/container.json
+++ b/libcontainer/container.json
@@ -14,7 +14,7 @@
 "NEWUTS",
 "NEWNET"
 ],
- "capabilities": [
+ "capabilities_mask": [
 "SETPCAP",
 "SYS_MODULE",
 "SYS_RAWIO",
From c6b2c2f6b07b5c5690a08169aa73f1624bf9517b Mon Sep 17 00:00:00 2001
From: Brandon Philips
Date: Mon, 17 Mar 2014 11:07:29 -0700
Subject: [PATCH 2/2] chore(libcontainer): small grammar fix in types_test

Someone probably got really used to typing er on the end of contain :)

Docker-DCO-1.1-Signed-off-by: Brandon Philips (github: philips)
---
 libcontainer/types_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libcontainer/types_test.go b/libcontainer/types_test.go
index 52b85a4..9735937 100644
--- a/libcontainer/types_test.go
+++ b/libcontainer/types_test.go
@@ -30,6 +30,6 @@ func TestCapabilitiesContains(t *testing.T) {
 t.Fatal("capabilities should not contain SYS_ADMIN")
 }
 if !caps.Contains("MKNOD") {
- t.Fatal("capabilities should container MKNOD but does not")
+ t.Fatal("capabilities should contain MKNOD but does not")
 }
 }
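Review bot: Changing the JSON tag on `CapabilitiesMask` from `capabilities` to `capabilities_mask` silently changes what existing configuration files do: a `container.json` that still carries the old `capabilities` key will, as far as the visible code shows, decode to an empty mask (encoding/json ignores unknown keys unless the decoder is told otherwise), and `DropCapabilities` in the first capabilities/capabilities.go hunk only acts when `len(drop) > 0`, so such a container would keep every capability with no error or warning. For a security control that is a fail-open break, and the commit description only mentions the rename. If the old key cannot be accepted transitionally, I would at least document it on the field, e.g. `// capabilities to drop; JSON key renamed from "capabilities" — a config still using the old key drops nothing`, and consider having the config loader reject a missing mask or log a warning rather than treating it as "drop nothing". The remaining hunks (container.json, README.md, types_test.go) are config and documentation updates that do not address this.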