package template

import (
	"syscall"

	"github.com/opencontainers/runc/libcontainer/apparmor"
	"github.com/opencontainers/runc/libcontainer/configs"
)

// defaultMountFlags is the hardening baseline for the kernel pseudo
// filesystems mounted into every container: nothing on them can be executed
// (MS_NOEXEC), set-uid/set-gid bits are ignored (MS_NOSUID) and device nodes
// on them cannot be opened (MS_NODEV).
const defaultMountFlags = syscall.MS_NOEXEC | syscall.MS_NOSUID | syscall.MS_NODEV

// New returns the docker default configuration for libcontainer.
//
// This is the security baseline every container starts from; the native
// execdriver layers per-container options (added/dropped capabilities,
// extra devices, bind mounts, privileged mode, user-namespace remapping)
// on top of it. A fresh value is built on every call, so callers may
// mutate the result without affecting other containers.
func New() *configs.Config {
	// Capabilities kept for processes in the container. libcontainer treats
	// this list as a whitelist, so anything not named here (SYS_ADMIN,
	// SYS_MODULE, SYS_PTRACE, NET_ADMIN, DAC_READ_SEARCH, ...) is dropped.
	// Review note: NET_RAW permits raw/packet sockets (ARP/ICMP spoofing on
	// the container network) and MKNOD permits creating device nodes; both
	// are worth dropping per-container for workloads that do not need them.
	keptCaps := []string{
		"CHOWN",
		"DAC_OVERRIDE",
		"FSETID",
		"FOWNER",
		"MKNOD",
		"NET_RAW",
		"SETGID",
		"SETUID",
		"SETFCAP",
		"SETPCAP",
		"NET_BIND_SERVICE",
		"SYS_CHROOT",
		"KILL",
		"AUDIT_WRITE",
	}

	// A private instance of every namespace type. NEWUSER is requested
	// unconditionally here; presumably the execdriver strips it when
	// user-namespace remapping is not enabled on the daemon — confirm
	// against the caller before relying on it.
	nsList := configs.Namespaces([]configs.Namespace{
		{Type: "NEWNS"},
		{Type: "NEWUTS"},
		{Type: "NEWIPC"},
		{Type: "NEWPID"},
		{Type: "NEWNET"},
		{Type: "NEWUSER"},
	})

	// Cgroup resources. AllowAllDevices false means the devices controller
	// denies every node that is not explicitly whitelisted elsewhere in the
	// config. MemorySwappiness -1 presumably means "not set" (inherit the
	// kernel/parent default) rather than a value written to the cgroup.
	cgroups := &configs.Cgroup{
		ScopePrefix: "docker", // systemd only
		Resources: &configs.Resources{
			AllowAllDevices:  false,
			MemorySwappiness: -1,
		},
	}

	// Kernel pseudo filesystems. Order matters: /dev must be mounted before
	// /dev/pts and /dev/mqueue, and /sys before /sys/fs/cgroup.
	mounts := []*configs.Mount{
		// Fresh procfs for the new PID namespace.
		{
			Source:      "proc",
			Destination: "/proc",
			Device:      "proc",
			Flags:       defaultMountFlags,
		},
		// /dev is a private tmpfs, so the host's device nodes are not
		// visible. MS_NODEV is deliberately absent (device nodes are what
		// /dev is for) and MS_NOEXEC is not set either; MS_STRICTATIME
		// overrides the kernel's relatime default.
		{
			Source:      "tmpfs",
			Destination: "/dev",
			Device:      "tmpfs",
			Flags:       syscall.MS_NOSUID | syscall.MS_STRICTATIME,
			Data:        "mode=755",
		},
		// Private pty instance ("newinstance") so the container cannot reach
		// host ptys; ptmx is world-accessible, slave nodes are 0620 owned by
		// gid 5 (conventionally the tty group).
		{
			Source:      "devpts",
			Destination: "/dev/pts",
			Device:      "devpts",
			Flags:       syscall.MS_NOSUID | syscall.MS_NOEXEC,
			Data:        "newinstance,ptmxmode=0666,mode=0620,gid=5",
		},
		// POSIX message queues for the new IPC namespace.
		{
			Source:      "mqueue",
			Destination: "/dev/mqueue",
			Device:      "mqueue",
			Flags:       defaultMountFlags,
		},
		// sysfs and the cgroup hierarchy are exposed read-only: they largely
		// reflect host kernel state, so writes would reach the host.
		{
			Source:      "sysfs",
			Destination: "/sys",
			Device:      "sysfs",
			Flags:       defaultMountFlags | syscall.MS_RDONLY,
		},
		{
			Source:      "cgroup",
			Destination: "/sys/fs/cgroup",
			Device:      "cgroup",
			Flags:       defaultMountFlags | syscall.MS_RDONLY,
		},
	}

	// procfs entries hidden from the container: kcore is an image of
	// physical memory, latency_stats and timer_stats leak host-wide
	// scheduling and timer information. NOTE(review): this is the minimum
	// set for this release; later upstream defaults also mask entries such
	// as /proc/sched_debug and /proc/timer_list — check current runc and
	// docker defaults before reusing this template.
	maskedPaths := []string{
		"/proc/kcore",
		"/proc/latency_stats",
		"/proc/timer_stats",
	}

	// procfs entries the container may read but not write, so it cannot
	// change sysctls (/proc/sys), trigger SysRq actions (/proc/sysrq-trigger)
	// or alter IRQ/bus configuration.
	readonlyPaths := []string{
		"/proc/asound",
		"/proc/bus",
		"/proc/fs",
		"/proc/irq",
		"/proc/sys",
		"/proc/sysrq-trigger",
	}

	cfg := &configs.Config{
		Capabilities:  keptCaps,
		Namespaces:    nsList,
		Cgroups:       cgroups,
		Mounts:        mounts,
		MaskPaths:     maskedPaths,
		ReadonlyPaths: readonlyPaths,
	}

	// The MAC profile only applies when the host kernel has AppArmor
	// enabled; otherwise the field stays empty and no profile is attached.
	if apparmor.IsEnabled() {
		cfg.AppArmorProfile = "docker-default"
	}

	return cfg
}