Remove generic context and replace with fields

Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@docker.com> (github: crosbymichael)
This commit is contained in:
Michael Crosby 2014-06-24 17:31:03 -07:00
parent 5210a236b9
commit 5c86dd962f
3 changed files with 21 additions and 12 deletions


@ -51,12 +51,17 @@ type Config struct {
// placed into to limit the resources the container has available // placed into to limit the resources the container has available
Cgroups *cgroups.Cgroup `json:"cgroups,omitempty"` Cgroups *cgroups.Cgroup `json:"cgroups,omitempty"`
// Context is a generic key value format that allows for additional settings to be passed // AppArmorProfile specifies the profile to apply to the process running in the container and is
// on the container's creation // change at the time the process is execed
// This is commonly used to specify apparmor profiles, selinux labels, and different restrictions AppArmorProfile string `json:"apparmor_profile,omitempty"`
// placed on the container's processes
// TODO(vishh): Avoid overloading this field with params for different subsystems. Strongtype this. // ProcessLabel specifies the label to apply to the process running in the container. It is
Context map[string]string `json:"context,omitempty"` // commonly used by selinux
ProcessLabel string `json:"process_label,omitempty"`
// RestrictSys will remount /proc/sys, /sys, and mask over sysrq-trigger as well as /proc/irq and
// /proc/bus
RestrictSys bool `json:"restrict_sys,omitempty"`
} }
// Routes can be specified to create entries in the route table as the container is started // Routes can be specified to create entries in the route table as the container is started
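Review bot: Dropping `Context map[string]string` from Config means a stored container config that still carries `"context": {"restrictions": "...", "apparmor_profile": "..."}` decodes without error and those settings are silently ignored (encoding/json skips unknown keys), so a container that was previously restricted would start without the /proc/sys masking or its AppArmor profile. Unless every on-disk config is regenerated on upgrade, consider keeping a deprecated `Context` field and either mapping it onto the new fields or rejecting configs that still use it. Two documentation fixes as well: the `AppArmorProfile` comment says "and is change at the time", which should read `// changed at the time the process is execed`; and `RestrictSys` should state its default, e.g. `// RestrictSys defaults to false; when true it remounts /proc/sys and /sys and masks sysrq-trigger, /proc/irq and /proc/bus.`, since a bool with `omitempty` is false for any config that omits the field and the restrict step is then skipped entirely.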


@ -41,8 +41,8 @@ func NsEnter(container *libcontainer.Config, nspid int, args []string) error {
return err return err
} }
if process_label, ok := container.Context["process_label"]; ok { if container.ProcessLabel != "" {
if err := label.SetProcessLabel(process_label); err != nil { if err := label.SetProcessLabel(container.ProcessLabel); err != nil {
return err return err
} }
} }
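Review bot: The new `if container.ProcessLabel != ""` check applies only the SELinux label before joining the container; nothing in this hunk applies `container.AppArmorProfile`, so a process entered through NsEnter would presumably run unconfined by AppArmor while the container's init process is confined — worth confirming against the rest of NsEnter, whose body continues outside the hunk. If it is indeed missing, mirror Init before the exec: `if err := apparmor.ApplyProfile(container.AppArmorProfile); err != nil { return fmt.Errorf("set apparmor profile %s: %s", container.AppArmorProfile, err) }`. Also note that Init calls `label.SetProcessLabel(container.ProcessLabel)` unconditionally while this path skips the call when the label is empty; pick one convention so an empty label means the same thing on both paths.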


@ -74,6 +74,7 @@ func Init(container *libcontainer.Config, uncleanRootfs, consolePath string, syn
(*mount.MountConfig)(container.MountConfig)); err != nil { (*mount.MountConfig)(container.MountConfig)); err != nil {
return fmt.Errorf("setup mount namespace %s", err) return fmt.Errorf("setup mount namespace %s", err)
} }
if container.Hostname != "" { if container.Hostname != "" {
if err := system.Sethostname(container.Hostname); err != nil { if err := system.Sethostname(container.Hostname); err != nil {
return fmt.Errorf("sethostname %s", err) return fmt.Errorf("sethostname %s", err)
@ -82,13 +83,16 @@ func Init(container *libcontainer.Config, uncleanRootfs, consolePath string, syn
runtime.LockOSThread() runtime.LockOSThread()
if err := apparmor.ApplyProfile(container.Context["apparmor_profile"]); err != nil { if err := apparmor.ApplyProfile(container.AppArmorProfile); err != nil {
return fmt.Errorf("set apparmor profile %s: %s", container.Context["apparmor_profile"], err) return fmt.Errorf("set apparmor profile %s: %s", container.AppArmorProfile, err)
} }
if err := label.SetProcessLabel(container.Context["process_label"]); err != nil {
if err := label.SetProcessLabel(container.ProcessLabel); err != nil {
return fmt.Errorf("set process label %s", err) return fmt.Errorf("set process label %s", err)
} }
if container.Context["restrictions"] != "" {
// TODO: (crosbymichael) make this configurable at the Config level
if container.RestrictSys {
if err := restrict.Restrict("proc/sys", "proc/sysrq-trigger", "proc/irq", "proc/bus", "sys"); err != nil { if err := restrict.Restrict("proc/sys", "proc/sysrq-trigger", "proc/irq", "proc/bus", "sys"); err != nil {
return err return err
} }