Cgroups allow devices for privileged containers
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
This commit is contained in:
parent
d50dc3cb7e
commit
c8ad8184ec
1 changed files with 1 additions and 8 deletions
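--- a/<PATH-NOT-SHOWN-ON-PAGE>
+++ b/<PATH-NOT-SHOWN-ON-PAGE>
@@ -9,7 +9,6 @@ import (
 "github.com/dotcloud/docker/pkg/libcontainer/network"
 "github.com/dotcloud/docker/pkg/system"
 "github.com/dotcloud/docker/pkg/user"
-"log"
 "os"
 "os/exec"
 "path/filepath"
@@ -23,7 +22,6 @@ func Init(container *libcontainer.Container, uncleanRootfs, console string, sync
 if err != nil {
 return err
 }
-log.Printf("initializing namespace at %s", rootfs)
 
 // We always read this as it is a way to sync with the parent as well
 context, err := syncPipe.ReadFromParent()
@@ -32,10 +30,8 @@ func Init(container *libcontainer.Container, uncleanRootfs, console string, sync
 return err
 }
 syncPipe.Close()
-log.Printf("received context from parent %v", context)
 
 if console != "" {
-log.Printf("setting up console for %s", console)
 // close pipes so that we can replace it with the pty
 closeStdPipes()
 slave, err := openTerminal(console, syscall.O_RDWR)
@@ -66,11 +62,9 @@ func Init(container *libcontainer.Container, uncleanRootfs, console string, sync
 if err := system.Sethostname(container.Hostname); err != nil {
 return fmt.Errorf("sethostname %s", err)
 }
-log.Printf("dropping capabilities")
 if err := capabilities.DropCapabilities(container); err != nil {
 return fmt.Errorf("drop capabilities %s", err)
 }
-log.Printf("setting user in namespace")
 if err := setupUser(container); err != nil {
 return fmt.Errorf("setup user %s", err)
 }
@@ -87,7 +81,6 @@ func execArgs(args []string, env []string) error {
 if err != nil {
 return err
 }
-log.Printf("execing %s goodbye", name)
 if err := system.Exec(name, args[0:], env); err != nil {
 return fmt.Errorf("exec %s", err)
 }
@@ -111,7 +104,7 @@ func resolveRootfs(uncleanRootfs string) (string, error) {
 }
 
 func setupUser(container *libcontainer.Container) error {
-if container.User != "" {
+if container.User != "" && container.User != "root" {
 uid, gid, suppGids, err := user.GetUserGroupSupplementary(container.User, syscall.Getuid(), syscall.Getgid())
 if err != nil {
 return err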
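Review bot: The new `container.User != "root"` test in setupUser is an exact string comparison, so only the literal spelling `root` bypasses the lookup while a user given as `0` or `root:root` still goes through `user.GetUserGroupSupplementary`; the intent (keep the init process's current uid/gid, which are presumably what the `syscall.Getuid()`/`syscall.Getgid()` arguments act as defaults for) deserves a comment on that line, for example `// "root" keeps the current uid/gid; skip the lookup entirely`. Whether skipping the whole block also leaves the parent's supplementary groups untouched instead of clearing them cannot be seen here, because setupUser's body continues past the hunk, and that is the part that matters for the privilege the child process ends up with. Separately, the commit title talks about cgroup device access, but none of the hunks touch cgroups; the message should describe the log removal and the root short-circuit that the diff actually makes.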
|