Google Git
Sign in
fuchsia / third_party / github.com / moby / moby / 27e3acbed08ec1f3645421c6d276620df2dd18cf / . / execdriver / native / default_template.go
blob: 62d804016ae937bc17a225b64641f747e42c3907 [file] [log] [blame]
package native
import (
"fmt"
"github.com/dotcloud/docker/execdriver"
"github.com/dotcloud/docker/pkg/cgroups"
"github.com/dotcloud/docker/pkg/libcontainer"
"os"
)
// createContainer populates and configures the container type with the
// data provided by the execdriver.Command
func createContainer(c *execdriver.Command) *libcontainer.Container {
container := getDefaultTemplate()
container.Hostname = getEnv("HOSTNAME", c.Env)
container.Tty = c.Tty
container.User = c.User
container.WorkingDir = c.WorkingDir
container.Env = c.Env
loopbackNetwork := libcontainer.Network{
Mtu: c.Network.Mtu,
Address: fmt.Sprintf("%s/%d", "127.0.0.1", 0),
Gateway: "localhost",
Type: "loopback",
Context: libcontainer.Context{},
}
container.Networks = []*libcontainer.Network{
&loopbackNetwork,
}
if c.Network.Interface != nil {
vethNetwork := libcontainer.Network{
Mtu: c.Network.Mtu,
Address: fmt.Sprintf("%s/%d", c.Network.Interface.IPAddress, c.Network.Interface.IPPrefixLen),
Gateway: c.Network.Interface.Gateway,
Type: "veth",
Context: libcontainer.Context{
"prefix": "veth",
"bridge": c.Network.Interface.Bridge,
},
}
container.Networks = append(container.Networks, &vethNetwork)
}
container.Cgroups.Name = c.ID
if c.Privileged {
container.Capabilities = nil
container.Cgroups.DeviceAccess = true
container.Context["apparmor_profile"] = "unconfined"
}
if c.Resources != nil {
container.Cgroups.CpuShares = c.Resources.CpuShares
container.Cgroups.Memory = c.Resources.Memory
container.Cgroups.MemorySwap = c.Resources.MemorySwap
}
// check to see if we are running in ramdisk to disable pivot root
container.NoPivotRoot = os.Getenv("DOCKER_RAMDISK") != ""
return container
}
// getDefaultTemplate returns the docker default for
// the libcontainer configuration file
func getDefaultTemplate() *libcontainer.Container {
return &libcontainer.Container{
Capabilities: libcontainer.Capabilities{
libcontainer.GetCapability("SETPCAP"),
libcontainer.GetCapability("SYS_MODULE"),
libcontainer.GetCapability("SYS_RAWIO"),
libcontainer.GetCapability("SYS_PACCT"),
libcontainer.GetCapability("SYS_ADMIN"),
libcontainer.GetCapability("SYS_NICE"),
libcontainer.GetCapability("SYS_RESOURCE"),
libcontainer.GetCapability("SYS_TIME"),
libcontainer.GetCapability("SYS_TTY_CONFIG"),
libcontainer.GetCapability("MKNOD"),
libcontainer.GetCapability("AUDIT_WRITE"),
libcontainer.GetCapability("AUDIT_CONTROL"),
libcontainer.GetCapability("MAC_OVERRIDE"),
libcontainer.GetCapability("MAC_ADMIN"),
libcontainer.GetCapability("NET_ADMIN"),
},
Namespaces: libcontainer.Namespaces{
libcontainer.GetNamespace("NEWNS"),
libcontainer.GetNamespace("NEWUTS"),
libcontainer.GetNamespace("NEWIPC"),
libcontainer.GetNamespace("NEWPID"),
libcontainer.GetNamespace("NEWNET"),
},
Cgroups: &cgroups.Cgroup{
Parent: "docker",
DeviceAccess: false,
},
Context: libcontainer.Context{
"apparmor_profile": "docker-default",
},
}
}