Exemple #1
0
// createContainer populates and configures the container type with the
// data provided by the execdriver.Command
func (d *driver) createContainer(c *execdriver.Command) (*libcontainer.Container, error) {
	container := template.New()

	container.Hostname = getEnv("HOSTNAME", c.Env)
	container.Tty = c.Tty
	container.User = c.User
	container.WorkingDir = c.WorkingDir
	container.Env = c.Env
	container.Cgroups.Name = c.ID
	// check to see if we are running in ramdisk to disable pivot root
	container.NoPivotRoot = os.Getenv("DOCKER_RAMDISK") != ""

	if err := d.createNetwork(container, c); err != nil {
		return nil, err
	}
	if c.Privileged {
		if err := d.setPrivileged(container); err != nil {
			return nil, err
		}
	}
	if err := d.setupCgroups(container, c); err != nil {
		return nil, err
	}
	if err := d.setupMounts(container, c); err != nil {
		return nil, err
	}
	if err := d.setupLabels(container, c); err != nil {
		return nil, err
	}
	if err := configuration.ParseConfiguration(container, d.activeContainers, c.Config["native"]); err != nil {
		return nil, err
	}
	return container, nil
}
Exemple #2
0
func TestConfigurationsDoNotConflict(t *testing.T) {
	var (
		container1 = template.New()
		container2 = template.New()
		opts       = []string{
			"cap.add=NET_ADMIN",
		}
	)

	if err := ParseConfiguration(container1, nil, opts); err != nil {
		t.Fatal(err)
	}

	if !container1.CapabilitiesMask.Get("NET_ADMIN").Enabled {
		t.Fatal("container one should have NET_ADMIN enabled")
	}
	if container2.CapabilitiesMask.Get("NET_ADMIN").Enabled {
		t.Fatal("container two should not have NET_ADMIN enabled")
	}
}
Exemple #3
0
func TestAppArmorProfile(t *testing.T) {
	var (
		container = template.New()
		opts      = []string{
			"apparmor_profile=koye-the-protector",
		}
	)
	if err := ParseConfiguration(container, nil, opts); err != nil {
		t.Fatal(err)
	}
	if expected := "koye-the-protector"; container.Context["apparmor_profile"] != expected {
		t.Fatalf("expected profile %s got %s", expected, container.Context["apparmor_profile"])
	}
}
Exemple #4
0
func TestCgroupMemory(t *testing.T) {
	var (
		container = template.New()
		opts      = []string{
			"cgroups.memory=500m",
		}
	)
	if err := ParseConfiguration(container, nil, opts); err != nil {
		t.Fatal(err)
	}

	if expected := int64(500 * 1024 * 1024); container.Cgroups.Memory != expected {
		t.Fatalf("expected memory %d got %d", expected, container.Cgroups.Memory)
	}
}
Exemple #5
0
func TestCpuShares(t *testing.T) {
	var (
		container = template.New()
		opts      = []string{
			"cgroups.cpu_shares=1048",
		}
	)
	if err := ParseConfiguration(container, nil, opts); err != nil {
		t.Fatal(err)
	}

	if expected := int64(1048); container.Cgroups.CpuShares != expected {
		t.Fatalf("expected cpu shares %d got %d", expected, container.Cgroups.CpuShares)
	}
}
Exemple #6
0
func TestCpusetCpus(t *testing.T) {
	var (
		container = template.New()
		opts      = []string{
			"cgroups.cpuset.cpus=1,2",
		}
	)
	if err := ParseConfiguration(container, nil, opts); err != nil {
		t.Fatal(err)
	}

	if expected := "1,2"; container.Cgroups.CpusetCpus != expected {
		t.Fatalf("expected %s got %s for cpuset.cpus", expected, container.Cgroups.CpusetCpus)
	}
}
Exemple #7
0
func TestDropNamespace(t *testing.T) {
	var (
		container = template.New()
		opts      = []string{
			"ns.drop=NEWNET",
		}
	)
	if err := ParseConfiguration(container, nil, opts); err != nil {
		t.Fatal(err)
	}

	if container.Namespaces.Get("NEWNET").Enabled {
		t.Fatal("container should not have NEWNET enabled")
	}
}
Exemple #8
0
func TestSetReadonlyRootFs(t *testing.T) {
	var (
		container = template.New()
		opts      = []string{
			"fs.readonly=true",
		}
	)

	if container.ReadonlyFs {
		t.Fatal("container should not have a readonly rootfs by default")
	}
	if err := ParseConfiguration(container, nil, opts); err != nil {
		t.Fatal(err)
	}

	if !container.ReadonlyFs {
		t.Fatal("container should have a readonly rootfs")
	}
}
Exemple #9
0
func TestDropCap(t *testing.T) {
	var (
		container = template.New()
		opts      = []string{
			"cap.drop=MKNOD",
		}
	)
	// enabled all caps like in privileged mode
	for _, c := range container.CapabilitiesMask {
		c.Enabled = true
	}
	if err := ParseConfiguration(container, nil, opts); err != nil {
		t.Fatal(err)
	}

	if container.CapabilitiesMask.Get("MKNOD").Enabled {
		t.Fatal("container should not have MKNOD enabled")
	}
}
Exemple #10
0
func TestAddCap(t *testing.T) {
	var (
		container = template.New()
		opts      = []string{
			"cap.add=MKNOD",
			"cap.add=SYS_ADMIN",
		}
	)
	if err := ParseConfiguration(container, nil, opts); err != nil {
		t.Fatal(err)
	}

	if !container.CapabilitiesMask.Get("MKNOD").Enabled {
		t.Fatal("container should have MKNOD enabled")
	}
	if !container.CapabilitiesMask.Get("SYS_ADMIN").Enabled {
		t.Fatal("container should have SYS_ADMIN enabled")
	}
}