github.com/walkingsparrow/docker@v1.4.2-0.20151218153551-b708a2249bfa/daemon/execdriver/native/template/default_template_linux.go

github.com/walkingsparrow/docker@v1.4.2-0.20151218153551-b708a2249bfa/daemon/execdriver/native/template/default_template_linux.go (about)

     1  package template
     2  
     3  import (
     4  	"syscall"
     5  
     6  	"github.com/opencontainers/runc/libcontainer/apparmor"
     7  	"github.com/opencontainers/runc/libcontainer/configs"
     8  )
     9  
    10  const defaultMountFlags = syscall.MS_NOEXEC | syscall.MS_NOSUID | syscall.MS_NODEV
    11  
    12  // SystemdCgroups indicates whether systemd cgroup implemenation is in use or not
    13  var SystemdCgroups = false
    14  
    15  // New returns the docker default configuration for libcontainer
    16  func New() *configs.Config {
    17  	container := &configs.Config{
    18  		Capabilities: []string{
    19  			"CHOWN",
    20  			"DAC_OVERRIDE",
    21  			"FSETID",
    22  			"FOWNER",
    23  			"MKNOD",
    24  			"NET_RAW",
    25  			"SETGID",
    26  			"SETUID",
    27  			"SETFCAP",
    28  			"SETPCAP",
    29  			"NET_BIND_SERVICE",
    30  			"SYS_CHROOT",
    31  			"KILL",
    32  			"AUDIT_WRITE",
    33  		},
    34  		Namespaces: configs.Namespaces([]configs.Namespace{
    35  			{Type: "NEWNS"},
    36  			{Type: "NEWUTS"},
    37  			{Type: "NEWIPC"},
    38  			{Type: "NEWPID"},
    39  			{Type: "NEWNET"},
    40  			{Type: "NEWUSER"},
    41  		}),
    42  		Cgroups: &configs.Cgroup{
    43  			Parent:           "/docker",
    44  			AllowAllDevices:  false,
    45  			MemorySwappiness: -1,
    46  		},
    47  		Mounts: []*configs.Mount{
    48  			{
    49  				Source:      "proc",
    50  				Destination: "/proc",
    51  				Device:      "proc",
    52  				Flags:       defaultMountFlags,
    53  			},
    54  			{
    55  				Source:      "tmpfs",
    56  				Destination: "/dev",
    57  				Device:      "tmpfs",
    58  				Flags:       syscall.MS_NOSUID | syscall.MS_STRICTATIME,
    59  				Data:        "mode=755",
    60  			},
    61  			{
    62  				Source:      "devpts",
    63  				Destination: "/dev/pts",
    64  				Device:      "devpts",
    65  				Flags:       syscall.MS_NOSUID | syscall.MS_NOEXEC,
    66  				Data:        "newinstance,ptmxmode=0666,mode=0620,gid=5",
    67  			},
    68  			{
    69  				Source:      "sysfs",
    70  				Destination: "/sys",
    71  				Device:      "sysfs",
    72  				Flags:       defaultMountFlags | syscall.MS_RDONLY,
    73  			},
    74  			{
    75  				Source:      "cgroup",
    76  				Destination: "/sys/fs/cgroup",
    77  				Device:      "cgroup",
    78  				Flags:       defaultMountFlags | syscall.MS_RDONLY,
    79  			},
    80  		},
    81  		MaskPaths: []string{
    82  			"/proc/kcore",
    83  			"/proc/latency_stats",
    84  			"/proc/timer_stats",
    85  		},
    86  		ReadonlyPaths: []string{
    87  			"/proc/asound",
    88  			"/proc/bus",
    89  			"/proc/fs",
    90  			"/proc/irq",
    91  			"/proc/sys",
    92  			"/proc/sysrq-trigger",
    93  		},
    94  	}
    95  
    96  	if apparmor.IsEnabled() {
    97  		container.AppArmorProfile = "docker-default"
    98  	}
    99  
   100  	if SystemdCgroups {
   101  		container.Cgroups.Parent = "system.slice"
   102  		container.Cgroups.ScopePrefix = "docker"
   103  	}
   104  
   105  	return container
   106  }