// Package template provides the default libcontainer configuration that
// docker starts containers from (see New).
package template

import (
	"syscall"

	"github.com/opencontainers/runc/libcontainer/apparmor"
	"github.com/opencontainers/runc/libcontainer/configs"
)

// defaultMountFlags is the baseline flag set for the pseudo-filesystem mounts
// created by New: no executables, no set-uid/set-gid honouring and no device
// nodes on the mounted filesystem.
const defaultMountFlags = syscall.MS_NOEXEC | syscall.MS_NOSUID | syscall.MS_NODEV

// New returns the docker default configuration for libcontainer.
//
// The returned config carries the default capability set, the namespaces a
// container is placed in, the cgroup defaults, the pseudo-filesystem mounts
// with their flags and options, and the /proc paths that are masked or made
// read-only. When AppArmor is enabled on the host the "docker-default"
// profile is selected; otherwise AppArmorProfile is left at its zero value.
func New() *configs.Config {
	// mount builds one Mount entry. data is the raw mount option string and
	// may be empty when the filesystem takes no options.
	mount := func(src, dst, fstype string, flags int, data string) *configs.Mount {
		return &configs.Mount{
			Source:      src,
			Destination: dst,
			Device:      fstype,
			Flags:       flags,
			Data:        data,
		}
	}

	// Capabilities a container keeps by default (without the CAP_ prefix).
	caps := []string{
		"CHOWN",
		"DAC_OVERRIDE",
		"FSETID",
		"FOWNER",
		"MKNOD",
		"NET_RAW",
		"SETGID",
		"SETUID",
		"SETFCAP",
		"SETPCAP",
		"NET_BIND_SERVICE",
		"SYS_CHROOT",
		"KILL",
		"AUDIT_WRITE",
	}

	// Namespaces the container is created in.
	namespaces := configs.Namespaces{
		{Type: "NEWNS"},
		{Type: "NEWUTS"},
		{Type: "NEWIPC"},
		{Type: "NEWPID"},
		{Type: "NEWNET"},
		{Type: "NEWUSER"},
	}

	mounts := []*configs.Mount{
		mount("proc", "/proc", "proc", defaultMountFlags, ""),
		// /dev is a writable tmpfs; it is mounted nosuid but, unlike the
		// other pseudo-filesystems here, not noexec.
		mount("tmpfs", "/dev", "tmpfs", syscall.MS_NOSUID|syscall.MS_STRICTATIME, "mode=755"),
		// A private devpts instance so the container cannot see host ptys.
		mount("devpts", "/dev/pts", "devpts", syscall.MS_NOSUID|syscall.MS_NOEXEC, "newinstance,ptmxmode=0666,mode=0620,gid=5"),
		// sysfs and the cgroup hierarchy are exposed read-only on top of the
		// default flags.
		mount("sysfs", "/sys", "sysfs", defaultMountFlags|syscall.MS_RDONLY, ""),
		mount("cgroup", "/sys/fs/cgroup", "cgroup", defaultMountFlags|syscall.MS_RDONLY, ""),
	}

	cfg := &configs.Config{
		Capabilities: caps,
		Namespaces:   namespaces,
		Cgroups: &configs.Cgroup{
			Parent:          "docker",
			AllowAllDevices: false,
			// NOTE(review): -1 presumably means "do not override the kernel
			// default"; confirm against configs.Cgroup.
			MemorySwappiness: -1,
		},
		Mounts: mounts,
		// Paths that are masked so their contents are not readable from the
		// container.
		MaskPaths: []string{
			"/proc/kcore",
			"/proc/latency_stats",
			"/proc/timer_stats",
		},
		// Paths that stay visible but cannot be written from the container.
		ReadonlyPaths: []string{
			"/proc/asound",
			"/proc/bus",
			"/proc/fs",
			"/proc/irq",
			"/proc/sys",
			"/proc/sysrq-trigger",
		},
	}

	// Only select a profile when the host actually has AppArmor enabled.
	if apparmor.IsEnabled() {
		cfg.AppArmorProfile = "docker-default"
	}

	return cfg
}