// New returns the docker default configuration for libcontainer
func New() *libcontainer.Container {
container := &libcontainer.Container{
Capabilities: []string{
"MKNOD",
"SETUID",
"SETGID",
"CHOWN",
"NET_RAW",
"DAC_OVERRIDE",
},
Namespaces: map[string]bool{
"NEWNS": true,
"NEWUTS": true,
"NEWIPC": true,
"NEWPID": true,
"NEWNET": true,
},
Cgroups: &cgroups.Cgroup{
Parent: "docker",
DeviceAccess: false,
},
Context: libcontainer.Context{},
}
if apparmor.IsEnabled() {
container.Context["apparmor_profile"] = "docker-default"
}
return container
}
// New returns the docker default configuration for libcontainer
func New() *libcontainer.Container {
container := &libcontainer.Container{
Capabilities: []string{
"CHOWN",
"DAC_OVERRIDE",
"FOWNER",
"MKNOD",
"NET_RAW",
"SETGID",
"SETUID",
"SETFCAP",
"SETPCAP",
"NET_BIND_SERVICE",
},
Namespaces: map[string]bool{
"NEWNS": true,
"NEWUTS": true,
"NEWIPC": true,
"NEWPID": true,
"NEWNET": true,
},
Cgroups: &cgroups.Cgroup{
Parent: "docker",
DeviceAccess: false,
},
Context: libcontainer.Context{},
RequiredDeviceNodes: nodes.DefaultNodes,
OptionalDeviceNodes: []string{"fuse"},
}
if apparmor.IsEnabled() {
container.Context["apparmor_profile"] = "docker-default"
}
return container
}
func (d *driver) setPrivileged(container *libcontainer.Container) error {
for _, c := range container.CapabilitiesMask {
c.Enabled = true
}
container.Cgroups.DeviceAccess = true
if apparmor.IsEnabled() {
container.Context["apparmor_profile"] = "unconfined"
}
return nil
}
func (d *driver) setPrivileged(container *libcontainer.Container) error {
container.Capabilities = libcontainer.GetAllCapabilities()
container.Cgroups.DeviceAccess = true
delete(container.Context, "restrictions")
if apparmor.IsEnabled() {
container.Context["apparmor_profile"] = "unconfined"
}
return nil
}
func (d *driver) setPrivileged(container *libcontainer.Container) error {
for key := range container.CapabilitiesMask {
container.CapabilitiesMask[key] = true
}
container.Cgroups.DeviceAccess = true
delete(container.Context, "restrictions")
if apparmor.IsEnabled() {
container.Context["apparmor_profile"] = "unconfined"
}
return nil
}
func (d *driver) setPrivileged(container *libcontainer.Container) error {
for _, c := range container.CapabilitiesMask {
c.Enabled = true
}
container.Cgroups.DeviceAccess = true
// add sysfs as a mount for privileged containers
container.Mounts = append(container.Mounts, libcontainer.Mount{Type: "sysfs"})
delete(container.Context, "restriction_path")
if apparmor.IsEnabled() {
container.Context["apparmor_profile"] = "unconfined"
}
return nil
}
func (d *driver) setPrivileged(container *libcontainer.Container) (err error) {
container.Capabilities = libcontainer.GetAllCapabilities()
container.Cgroups.DeviceAccess = true
delete(container.Context, "restrictions")
container.OptionalDeviceNodes = nil
if container.RequiredDeviceNodes, err = nodes.GetHostDeviceNodes(); err != nil {
return err
}
if apparmor.IsEnabled() {
container.Context["apparmor_profile"] = "unconfined"
}
return nil
}
func (d *driver) setPrivileged(container *libcontainer.Container) (err error) {
container.Capabilities = libcontainer.GetAllCapabilities()
container.Cgroups.AllowAllDevices = true
hostDeviceNodes, err := devices.GetHostDeviceNodes()
if err != nil {
return err
}
container.DeviceNodes = hostDeviceNodes
delete(container.Context, "restrictions")
if apparmor.IsEnabled() {
container.Context["apparmor_profile"] = "unconfined"
}
return nil
}
// New returns the docker default configuration for libcontainer
func New() *libcontainer.Container {
container := &libcontainer.Container{
CapabilitiesMask: libcontainer.Capabilities{
libcontainer.GetCapability("SETPCAP"),
libcontainer.GetCapability("SYS_MODULE"),
libcontainer.GetCapability("SYS_RAWIO"),
libcontainer.GetCapability("SYS_PACCT"),
libcontainer.GetCapability("SYS_ADMIN"),
libcontainer.GetCapability("SYS_NICE"),
libcontainer.GetCapability("SYS_RESOURCE"),
libcontainer.GetCapability("SYS_TIME"),
libcontainer.GetCapability("SYS_TTY_CONFIG"),
libcontainer.GetCapability("AUDIT_WRITE"),
libcontainer.GetCapability("AUDIT_CONTROL"),
libcontainer.GetCapability("MAC_OVERRIDE"),
libcontainer.GetCapability("MAC_ADMIN"),
libcontainer.GetCapability("NET_ADMIN"),
libcontainer.GetCapability("MKNOD"),
libcontainer.GetCapability("SYSLOG"),
},
Namespaces: libcontainer.Namespaces{
libcontainer.GetNamespace("NEWNS"),
libcontainer.GetNamespace("NEWUTS"),
libcontainer.GetNamespace("NEWIPC"),
libcontainer.GetNamespace("NEWPID"),
libcontainer.GetNamespace("NEWNET"),
},
Cgroups: &cgroups.Cgroup{
Parent: "docker",
DeviceAccess: false,
},
Context: libcontainer.Context{},
}
container.CapabilitiesMask.Get("MKNOD").Enabled = true
if apparmor.IsEnabled() {
container.Context["apparmor_profile"] = "docker-default"
}
return container
}
// New returns the docker default configuration for libcontainer
func New() *libcontainer.Container {
container := &libcontainer.Container{
CapabilitiesMask: map[string]bool{
"SETPCAP": false,
"SYS_MODULE": false,
"SYS_RAWIO": false,
"SYS_PACCT": false,
"SYS_ADMIN": false,
"SYS_NICE": false,
"SYS_RESOURCE": false,
"SYS_TIME": false,
"SYS_TTY_CONFIG": false,
"AUDIT_WRITE": false,
"AUDIT_CONTROL": false,
"MAC_OVERRIDE": false,
"MAC_ADMIN": false,
"NET_ADMIN": false,
"MKNOD": true,
"SYSLOG": false,
},
Namespaces: map[string]bool{
"NEWNS": true,
"NEWUTS": true,
"NEWIPC": true,
"NEWPID": true,
"NEWNET": true,
},
Cgroups: &cgroups.Cgroup{
Parent: "docker",
DeviceAccess: false,
},
Context: libcontainer.Context{},
}
if apparmor.IsEnabled() {
container.Context["apparmor_profile"] = "docker-default"
}
return container
}