Merge pull request #4719 from philips/Capabilities-to-CapabilitiesMask

refactor(libcontainer): rename to CapabilitiesMask
This commit is contained in:
Guillaume J. Charmes 2014-03-17 11:15:29 -07:00
commit c838fc9266
5 changed files with 20 additions and 20 deletions


@ -40,7 +40,7 @@ Sample `container.json` file:
"HOSTNAME=11bb30683fb0", "HOSTNAME=11bb30683fb0",
"TERM=xterm" "TERM=xterm"
], ],
"capabilities" : [ "capabilities_mask" : [
"SETPCAP", "SETPCAP",
"SYS_MODULE", "SYS_MODULE",
"SYS_RAWIO", "SYS_RAWIO",


@ -9,7 +9,7 @@ import (
// DropCapabilities drops capabilities for the current process based // DropCapabilities drops capabilities for the current process based
// on the container's configuration. // on the container's configuration.
func DropCapabilities(container *libcontainer.Container) error { func DropCapabilities(container *libcontainer.Container) error {
if drop := getCapabilities(container); len(drop) > 0 { if drop := getCapabilitiesMask(container); len(drop) > 0 {
c, err := capability.NewPid(os.Getpid()) c, err := capability.NewPid(os.Getpid())
if err != nil { if err != nil {
return err return err
@ -23,10 +23,10 @@ func DropCapabilities(container *libcontainer.Container) error {
return nil return nil
} }
// getCapabilities returns the specific cap values for the libcontainer types // getCapabilitiesMask returns the specific cap mask values for the libcontainer types
func getCapabilities(container *libcontainer.Container) []capability.Cap { func getCapabilitiesMask(container *libcontainer.Container) []capability.Cap {
drop := []capability.Cap{} drop := []capability.Cap{}
for _, c := range container.Capabilities { for _, c := range container.CapabilitiesMask {
drop = append(drop, c.Value) drop = append(drop, c.Value)
} }
return drop return drop


@ -11,19 +11,19 @@ type Context map[string]string
// Container defines configuration options for how a // Container defines configuration options for how a
// container is setup inside a directory and how a process should be executed // container is setup inside a directory and how a process should be executed
type Container struct { type Container struct {
Hostname string `json:"hostname,omitempty"` // hostname Hostname string `json:"hostname,omitempty"` // hostname
ReadonlyFs bool `json:"readonly_fs,omitempty"` // set the containers rootfs as readonly ReadonlyFs bool `json:"readonly_fs,omitempty"` // set the containers rootfs as readonly
NoPivotRoot bool `json:"no_pivot_root,omitempty"` // this can be enabled if you are running in ramdisk NoPivotRoot bool `json:"no_pivot_root,omitempty"` // this can be enabled if you are running in ramdisk
User string `json:"user,omitempty"` // user to execute the process as User string `json:"user,omitempty"` // user to execute the process as
WorkingDir string `json:"working_dir,omitempty"` // current working directory WorkingDir string `json:"working_dir,omitempty"` // current working directory
Env []string `json:"environment,omitempty"` // environment to set Env []string `json:"environment,omitempty"` // environment to set
Tty bool `json:"tty,omitempty"` // setup a proper tty or not Tty bool `json:"tty,omitempty"` // setup a proper tty or not
Namespaces Namespaces `json:"namespaces,omitempty"` // namespaces to apply Namespaces Namespaces `json:"namespaces,omitempty"` // namespaces to apply
Capabilities Capabilities `json:"capabilities,omitempty"` // capabilities to drop CapabilitiesMask Capabilities `json:"capabilities_mask,omitempty"` // capabilities to drop
Networks []*Network `json:"networks,omitempty"` // nil for host's network stack Networks []*Network `json:"networks,omitempty"` // nil for host's network stack
Cgroups *cgroups.Cgroup `json:"cgroups,omitempty"` // cgroups Cgroups *cgroups.Cgroup `json:"cgroups,omitempty"` // cgroups
Context Context `json:"context,omitempty"` // generic context for specific options (apparmor, selinux) Context Context `json:"context,omitempty"` // generic context for specific options (apparmor, selinux)
Mounts []Mount `json:"mounts,omitempty"` Mounts []Mount `json:"mounts,omitempty"`
} }
// Network defines configuration for a container's networking stack // Network defines configuration for a container's networking stack
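Review bot: The JSON tag on `CapabilitiesMask` is now `capabilities_mask`, so an existing `container.json` that still spells the key `capabilities` decodes with an empty mask (encoding/json ignores unknown keys by default), and since `DropCapabilities` only acts when `len(drop) > 0` such a container would keep every capability with no error or warning. Nothing on the new side rejects or migrates the legacy key, and the field comment does not mention the format change. Consider documenting it on the field, e.g. `// capabilities to drop; JSON key renamed from "capabilities" in #4719, old configs are not migrated`, and, if old configs are expected in the wild, failing load when the legacy key is present rather than silently skipping the drop.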


@ -14,7 +14,7 @@
"NEWUTS", "NEWUTS",
"NEWNET" "NEWNET"
], ],
"capabilities": [ "capabilities_mask": [
"SETPCAP", "SETPCAP",
"SYS_MODULE", "SYS_MODULE",
"SYS_RAWIO", "SYS_RAWIO",


@ -30,6 +30,6 @@ func TestCapabilitiesContains(t *testing.T) {
t.Fatal("capabilities should not contain SYS_ADMIN") t.Fatal("capabilities should not contain SYS_ADMIN")
} }
if !caps.Contains("MKNOD") { if !caps.Contains("MKNOD") {
t.Fatal("capabilities should container MKNOD but does not") t.Fatal("capabilities should contain MKNOD but does not")
} }
} }