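// InitializeMountNamespace sets up the devices, mount points, and filesystems
// for use inside a new mount namespace.
//
// The steps run in this order: change the propagation mode of / so mounts made
// here stay inside the namespace, bind-mount rootfs onto itself, mount the
// system filesystems and the container's configured bind mounts, copy the
// default device nodes, apply the optional restriction path, set up ptmx,
// chdir into rootfs, switch the root (pivot_root, or MS_MOVE when
// container.NoPivotRoot is set), optionally remount read-only, and finally set
// the umask to 0022.
//
// rootfs is the path of the container root, console is the console device
// path handed to SetupPtmx, and container supplies NoPivotRoot, ReadonlyFs,
// Mounts and the Context keys "restriction_path" and "mount_label". Every
// failure is returned with the name of the step that failed.
func InitializeMountNamespace(rootfs, console string, container *libcontainer.Container) error {
	// MS_PRIVATE stops mount events under / from propagating in either
	// direction; MS_SLAVE (used when NoPivotRoot is set) still receives events
	// from the parent namespace but does not send any back. MS_REC applies the
	// change to the entire tree under /.
	propagation := "private"
	flag := syscall.MS_PRIVATE
	if container.NoPivotRoot {
		propagation = "slave"
		flag = syscall.MS_SLAVE
	}
	if err := system.Mount("", "/", "", uintptr(flag|syscall.MS_REC), ""); err != nil {
		return fmt.Errorf("mounting / as %s %s", propagation, err)
	}
	// pivot_root(2) requires the new root to be a mount point; a recursive
	// bind of rootfs onto itself guarantees that.
	if err := system.Mount(rootfs, rootfs, "bind", syscall.MS_BIND|syscall.MS_REC, ""); err != nil {
		return fmt.Errorf("mounting %s as bind %s", rootfs, err)
	}
	if err := mountSystem(rootfs, container); err != nil {
		return fmt.Errorf("mount system %s", err)
	}
	if err := setupBindmounts(rootfs, container.Mounts); err != nil {
		return fmt.Errorf("bind mounts %s", err)
	}
	if err := nodes.CopyN(rootfs, nodes.DefaultNodes); err != nil {
		return fmt.Errorf("copy dev nodes %s", err)
	}
	// The restriction path is optional: an empty Context value skips it.
	if restrictionPath := container.Context["restriction_path"]; restrictionPath != "" {
		if err := restrict.Restrict(rootfs, restrictionPath); err != nil {
			return fmt.Errorf("restrict %s", err)
		}
	}
	if err := SetupPtmx(rootfs, console, container.Context["mount_label"]); err != nil {
		return err
	}
	if err := system.Chdir(rootfs); err != nil {
		return fmt.Errorf("chdir into %s %s", rootfs, err)
	}
	// Switch the root of the namespace; MsMoveRoot is the fallback used when
	// pivot_root is disabled for this container.
	var err error
	if container.NoPivotRoot {
		err = MsMoveRoot(rootfs)
	} else {
		err = PivotRoot(rootfs)
	}
	if err != nil {
		return err
	}
	// Optional read-only root, applied only after the root switch.
	if container.ReadonlyFs {
		if err := SetReadonly(); err != nil {
			return fmt.Errorf("set readonly %s", err)
		}
	}
	system.Umask(0022)
	return nil
}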
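// init registers this driver's init function with execdriver. The registered
// function is the first process inside the new namespaces: it prepares the
// environment, hostname, networking, restrictions, capabilities, working
// directory and user, then replaces itself with the requested command via
// exec. It returns an error only when one of the setup steps fails; on a
// successful exec it never returns.
func init() {
	execdriver.RegisterInitFunc(DriverName, func(args *execdriver.InitArgs) error {
		// Reject an empty argv up front rather than indexing args.Args[0]
		// below and panicking after the environment has been changed.
		if len(args.Args) == 0 {
			return fmt.Errorf("dockerinit no command specified")
		}
		// The order of the steps below matters: restrictions and the
		// capability setup run before the user switch, and inherited file
		// descriptors are closed before exec so they do not leak into the
		// container's command.
		if err := setupEnv(args); err != nil {
			return err
		}
		if err := setupHostname(args); err != nil {
			return err
		}
		if err := setupNetworking(args); err != nil {
			return err
		}
		// Privileged containers skip the restrictions entirely.
		if !args.Privileged {
			if err := restrict.Restrict(); err != nil {
				return err
			}
		}
		if err := setupCapabilities(args); err != nil {
			return err
		}
		if err := setupWorkingDirectory(args); err != nil {
			return err
		}
		// Close every descriptor above stdin/stdout/stderr.
		if err := system.CloseFdsFrom(3); err != nil {
			return err
		}
		if err := changeUser(args); err != nil {
			return err
		}
		path, err := exec.LookPath(args.Args[0])
		if err != nil {
			// 127 is the conventional "command not found" exit status; the
			// lookup error is logged so the reason is not lost.
			log.Printf("Unable to locate %v: %v", args.Args[0], err)
			os.Exit(127)
		}
		if err := syscall.Exec(path, args.Args, os.Environ()); err != nil {
			return fmt.Errorf("dockerinit unable to execute %s - %s", path, err)
		}
		// Exec only returns on failure, which is handled above.
		panic("Unreachable")
	})
}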
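// Init is the init process that first runs inside a new namespace to set up
// mounts, users, networking, and other options required for the new container.
//
// uncleanRootfs is resolved with utils.ResolveRootfs before use. consolePath,
// when non-empty, is opened and duplicated onto the standard descriptors and
// then made the controlling tty after setsid. syncPipe is read exactly once to
// obtain the context sent by the parent and is closed immediately afterwards,
// whether or not the read succeeded. args is the command to exec and must not
// be empty. On success the call does not return, because the process image is
// replaced by args[0] with container.Env as its environment.
func Init(container *libcontainer.Container, uncleanRootfs, consolePath string, syncPipe *SyncPipe, args []string) error {
	// Fail before touching the namespace rather than indexing args[0] at the
	// very end and panicking.
	if len(args) == 0 {
		return fmt.Errorf("init: no command to execute")
	}
	rootfs, err := utils.ResolveRootfs(uncleanRootfs)
	if err != nil {
		return err
	}
	// Clear the current process env and replace it with the environment
	// defined on the container.
	if err := LoadContainerEnvironment(container); err != nil {
		return err
	}
	// Always read from the parent: it doubles as the synchronisation point.
	// The pipe is closed right away in both the success and error paths, so
	// its descriptor is not carried into the rest of the setup.
	context, err := syncPipe.ReadFromParent()
	syncPipe.Close()
	if err != nil {
		return err
	}
	if consolePath != "" {
		if err := console.OpenAndDup(consolePath); err != nil {
			return err
		}
	}
	if _, err := system.Setsid(); err != nil {
		return fmt.Errorf("setsid %s", err)
	}
	if consolePath != "" {
		if err := system.Setctty(); err != nil {
			return fmt.Errorf("setctty %s", err)
		}
	}
	if err := setupNetwork(container, context); err != nil {
		return fmt.Errorf("setup networking %s", err)
	}
	label.Init()
	if err := mount.InitializeMountNamespace(rootfs, consolePath, container); err != nil {
		return fmt.Errorf("setup mount namespace %s", err)
	}
	if container.Hostname != "" {
		if err := system.Sethostname(container.Hostname); err != nil {
			return fmt.Errorf("sethostname %s", err)
		}
	}
	// Pin this goroutine to its OS thread for the remaining steps up to the
	// exec. NOTE(review): presumably because the apparmor/label calls below
	// act on the calling thread — confirm against those packages.
	runtime.LockOSThread()
	if err := apparmor.ApplyProfile(container.Context["apparmor_profile"]); err != nil {
		return fmt.Errorf("set apparmor profile %s: %s", container.Context["apparmor_profile"], err)
	}
	if err := label.SetProcessLabel(container.Context["process_label"]); err != nil {
		return fmt.Errorf("set process label %s", err)
	}
	// Restrictions are opt-in via the "restrictions" context key.
	if container.Context["restrictions"] != "" {
		if err := restrict.Restrict("proc", "sys"); err != nil {
			return err
		}
	}
	if err := FinalizeNamespace(container); err != nil {
		return fmt.Errorf("finalize namespace %s", err)
	}
	// Execv replaces the process image; args already starts at the command.
	return system.Execv(args[0], args, container.Env)
}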