package template

import (
	"syscall"

	"github.com/docker/libcontainer/apparmor"
	"github.com/docker/libcontainer/configs"
)

// defaultMountFlags is the baseline flag set applied to the pseudo-filesystems
// mounted into a container: no execution (MS_NOEXEC), no setuid/setgid honour
// (MS_NOSUID) and no device nodes (MS_NODEV).
const defaultMountFlags = syscall.MS_NOEXEC | syscall.MS_NOSUID | syscall.MS_NODEV

// New returns the docker default configuration for libcontainer.
//
// The returned Config carries the default bounding capability set, the
// namespaces a container is created in, the cgroup parent (with device
// access denied by default), the standard pseudo-filesystem mounts, the
// /proc entries handed to libcontainer as masked or read-only paths, and,
// only when AppArmor is enabled on the host, the "docker-default" profile
// name. Callers layer per-container settings on top of this value.
func New() *configs.Config {
	container := &configs.Config{
		Capabilities:  defaultCapabilities(),
		Namespaces:    defaultNamespaces(),
		Cgroups:       defaultCgroup(),
		Mounts:        defaultMounts(),
		MaskPaths:     defaultMaskPaths(),
		ReadonlyPaths: defaultReadonlyPaths(),
	}

	// The profile name is only set when the host reports AppArmor as
	// enabled; otherwise the field stays empty.
	if apparmor.IsEnabled() {
		container.AppArmorProfile = "docker-default"
	}

	return container
}

// defaultCapabilities lists the capabilities a container keeps by default.
func defaultCapabilities() []string {
	return []string{
		"CHOWN",
		"DAC_OVERRIDE",
		"FSETID",
		"FOWNER",
		"MKNOD",
		"NET_RAW",
		"SETGID",
		"SETUID",
		"SETFCAP",
		"SETPCAP",
		"NET_BIND_SERVICE",
		"SYS_CHROOT",
		"KILL",
		"AUDIT_WRITE",
	}
}

// defaultNamespaces returns the namespaces a container is unshared into:
// mount, UTS, IPC, PID and network. The user namespace is not in this list.
func defaultNamespaces() configs.Namespaces {
	types := []string{"NEWNS", "NEWUTS", "NEWIPC", "NEWPID", "NEWNET"}
	namespaces := make([]configs.Namespace, 0, len(types))
	for _, t := range types {
		namespaces = append(namespaces, configs.Namespace{Type: configs.NamespaceType(t)})
	}
	return configs.Namespaces(namespaces)
}

// defaultCgroup places the container under the "docker" cgroup parent and
// keeps the device whitelist restrictive (AllowAllDevices is explicitly
// false).
func defaultCgroup() *configs.Cgroup {
	return &configs.Cgroup{
		Parent:          "docker",
		AllowAllDevices: false,
	}
}

// defaultMounts returns the pseudo-filesystems mounted into every container,
// in mount order. All of them carry at least MS_NOSUID; /sys is additionally
// read-only and /dev/shm is size-capped via its mount data.
func defaultMounts() []*configs.Mount {
	procMount := &configs.Mount{
		Source:      "proc",
		Destination: "/proc",
		Device:      "proc",
		Flags:       defaultMountFlags,
	}
	// /dev is a tmpfs without MS_NODEV (device nodes must work here), but
	// still nosuid and with strict atime semantics.
	devMount := &configs.Mount{
		Source:      "tmpfs",
		Destination: "/dev",
		Device:      "tmpfs",
		Flags:       syscall.MS_NOSUID | syscall.MS_STRICTATIME,
		Data:        "mode=755",
	}
	// A private devpts instance so the container does not share the host's
	// pty namespace; ptmx is world-accessible, slaves are 0620 owned by gid 5.
	ptsMount := &configs.Mount{
		Source:      "devpts",
		Destination: "/dev/pts",
		Device:      "devpts",
		Flags:       syscall.MS_NOSUID | syscall.MS_NOEXEC,
		Data:        "newinstance,ptmxmode=0666,mode=0620,gid=5",
	}
	shmMount := &configs.Mount{
		Source:      "shm",
		Destination: "/dev/shm",
		Device:      "tmpfs",
		Flags:       defaultMountFlags,
		Data:        "mode=1777,size=65536k",
	}
	mqueueMount := &configs.Mount{
		Source:      "mqueue",
		Destination: "/dev/mqueue",
		Device:      "mqueue",
		Flags:       defaultMountFlags,
	}
	sysMount := &configs.Mount{
		Source:      "sysfs",
		Destination: "/sys",
		Device:      "sysfs",
		Flags:       defaultMountFlags | syscall.MS_RDONLY,
	}

	return []*configs.Mount{
		procMount,
		devMount,
		ptsMount,
		shmMount,
		mqueueMount,
		sysMount,
	}
}

// defaultMaskPaths lists the /proc entries that are masked inside the
// container so their contents are not exposed.
func defaultMaskPaths() []string {
	return []string{
		"/proc/kcore",
		"/proc/latency_stats",
		"/proc/timer_stats",
	}
}

// defaultReadonlyPaths lists the /proc subtrees that are remounted read-only
// inside the container; /proc/sys and /proc/sysrq-trigger in particular must
// not be writable from an unprivileged container.
func defaultReadonlyPaths() []string {
	return []string{
		"/proc/asound",
		"/proc/bus",
		"/proc/fs",
		"/proc/irq",
		"/proc/sys",
		"/proc/sysrq-trigger",
	}
}