github.com/rentongzhang/docker@v1.8.2-rc1/daemon/execdriver/native/template/default_template.go

github.com/rentongzhang/docker@v1.8.2-rc1/daemon/execdriver/native/template/default_template.go (about)

     1  package template
     2  
     3  import (
     4  	"syscall"
     5  
     6  	"github.com/opencontainers/runc/libcontainer/apparmor"
     7  	"github.com/opencontainers/runc/libcontainer/configs"
     8  )
     9  
    10  const defaultMountFlags = syscall.MS_NOEXEC | syscall.MS_NOSUID | syscall.MS_NODEV
    11  
    12  // New returns the docker default configuration for libcontainer
    13  func New() *configs.Config {
    14  	container := &configs.Config{
    15  		Capabilities: []string{
    16  			"CHOWN",
    17  			"DAC_OVERRIDE",
    18  			"FSETID",
    19  			"FOWNER",
    20  			"MKNOD",
    21  			"NET_RAW",
    22  			"SETGID",
    23  			"SETUID",
    24  			"SETFCAP",
    25  			"SETPCAP",
    26  			"NET_BIND_SERVICE",
    27  			"SYS_CHROOT",
    28  			"KILL",
    29  			"AUDIT_WRITE",
    30  		},
    31  		Namespaces: configs.Namespaces([]configs.Namespace{
    32  			{Type: "NEWNS"},
    33  			{Type: "NEWUTS"},
    34  			{Type: "NEWIPC"},
    35  			{Type: "NEWPID"},
    36  			{Type: "NEWNET"},
    37  		}),
    38  		Cgroups: &configs.Cgroup{
    39  			Parent:           "docker",
    40  			AllowAllDevices:  false,
    41  			MemorySwappiness: -1,
    42  		},
    43  		Mounts: []*configs.Mount{
    44  			{
    45  				Source:      "proc",
    46  				Destination: "/proc",
    47  				Device:      "proc",
    48  				Flags:       defaultMountFlags,
    49  			},
    50  			{
    51  				Source:      "tmpfs",
    52  				Destination: "/dev",
    53  				Device:      "tmpfs",
    54  				Flags:       syscall.MS_NOSUID | syscall.MS_STRICTATIME,
    55  				Data:        "mode=755",
    56  			},
    57  			{
    58  				Source:      "devpts",
    59  				Destination: "/dev/pts",
    60  				Device:      "devpts",
    61  				Flags:       syscall.MS_NOSUID | syscall.MS_NOEXEC,
    62  				Data:        "newinstance,ptmxmode=0666,mode=0620,gid=5",
    63  			},
    64  			{
    65  				Device:      "tmpfs",
    66  				Source:      "shm",
    67  				Destination: "/dev/shm",
    68  				Data:        "mode=1777,size=65536k",
    69  				Flags:       defaultMountFlags,
    70  			},
    71  			{
    72  				Source:      "mqueue",
    73  				Destination: "/dev/mqueue",
    74  				Device:      "mqueue",
    75  				Flags:       defaultMountFlags,
    76  			},
    77  			{
    78  				Source:      "sysfs",
    79  				Destination: "/sys",
    80  				Device:      "sysfs",
    81  				Flags:       defaultMountFlags | syscall.MS_RDONLY,
    82  			},
    83  			{
    84  				Source:      "cgroup",
    85  				Destination: "/sys/fs/cgroup",
    86  				Device:      "cgroup",
    87  				Flags:       defaultMountFlags | syscall.MS_RDONLY,
    88  			},
    89  		},
    90  		MaskPaths: []string{
    91  			"/proc/kcore",
    92  			"/proc/latency_stats",
    93  			"/proc/timer_stats",
    94  		},
    95  		ReadonlyPaths: []string{
    96  			"/proc/asound",
    97  			"/proc/bus",
    98  			"/proc/fs",
    99  			"/proc/irq",
   100  			"/proc/sys",
   101  			"/proc/sysrq-trigger",
   102  		},
   103  	}
   104  
   105  	if apparmor.IsEnabled() {
   106  		container.AppArmorProfile = "docker-default"
   107  	}
   108  
   109  	return container
   110  }