func installDefaultAppArmorProfile() { if apparmor.IsEnabled() { if err := aaprofile.InstallDefault(defaultApparmorProfile); err != nil { apparmorProfiles := []string{defaultApparmorProfile} // Allow daemon to run if loading failed, but are active // (possibly through another run, manually, or via system startup) for _, policy := range apparmorProfiles { if err := aaprofile.IsLoaded(policy); err != nil { logrus.Errorf("AppArmor enabled on system but the %s profile could not be loaded.", policy) } } } } }
func ensureDefaultAppArmorProfile() error { if apparmor.IsEnabled() { loaded, err := aaprofile.IsLoaded(defaultApparmorProfile) if err != nil { return fmt.Errorf("Could not check if %s AppArmor profile was loaded: %s", defaultApparmorProfile, err) } // Nothing to do. if loaded { return nil } // Load the profile. if err := aaprofile.InstallDefault(defaultApparmorProfile); err != nil { return fmt.Errorf("AppArmor enabled on system but the %s profile could not be loaded.", defaultApparmorProfile) } } return nil }
// NewDriver returns a new native driver, called from NewDriver of execdriver. func NewDriver(root string, options []string) (*Driver, error) { meminfo, err := sysinfo.ReadMemInfo() if err != nil { return nil, err } if err := sysinfo.MkdirAll(root, 0700); err != nil { return nil, err } if apparmor.IsEnabled() { if err := aaprofile.InstallDefault(defaultApparmorProfile); err != nil { apparmorProfiles := []string{defaultApparmorProfile} // Allow daemon to run if loading failed, but are active // (possibly through another run, manually, or via system startup) for _, policy := range apparmorProfiles { if err := aaprofile.IsLoaded(policy); err != nil { return nil, fmt.Errorf("AppArmor enabled on system but the %s profile could not be loaded.", policy) } } } } // choose cgroup manager // this makes sure there are no breaking changes to people // who upgrade from versions without native.cgroupdriver opt cgm := libcontainer.Cgroupfs // parse the options for _, option := range options { key, val, err := parsers.ParseKeyValueOpt(option) if err != nil { return nil, err } key = strings.ToLower(key) switch key { case "native.cgroupdriver": // override the default if they set options switch val { case "systemd": if systemd.UseSystemd() { cgm = libcontainer.SystemdCgroups } else { // warn them that they chose the wrong driver logrus.Warn("You cannot use systemd as native.cgroupdriver, using cgroupfs instead") } case "cgroupfs": cgm = libcontainer.Cgroupfs default: return nil, fmt.Errorf("Unknown native.cgroupdriver given %q. try cgroupfs or systemd", val) } default: return nil, fmt.Errorf("Unknown option %s\n", key) } } f, err := libcontainer.New( root, cgm, libcontainer.InitPath(reexec.Self(), DriverName), ) if err != nil { return nil, err } return &Driver{ root: root, activeContainers: make(map[string]libcontainer.Container), machineMemory: meminfo.MemTotal, factory: f, }, nil }
//go:generate go run generate.go func main() { if len(os.Args) > 1 && os.Args[1] == "init" { runInit() return } notifySocket := os.Getenv("NOTIFY_SOCKET") if notifySocket != "" { setupSdNotify(spec, notifySocket) } // override the cmd in the spec with any args specified if len(flag.Args()) > 0 { spec.Process.Args = flag.Args() } // setup readonly fs in spec spec.Root.Readonly = readonly // setup tty in spec spec.Process.Terminal = allocateTty // pass in any hooks spec.Hooks = hooks // install the default apparmor profile if apparmor.IsEnabled() { // check if we have the docker-default apparmor profile loaded if err := aaprofile.IsLoaded(defaultApparmorProfile); err != nil { logrus.Warnf("AppArmor enabled on system but the %s profile is not loaded. apparmor_parser needs root to load a profile so we can't do it for you.", defaultApparmorProfile) } else { spec.Process.ApparmorProfile = defaultApparmorProfile } } // set the CgroupsPath as this user u, err := user.CurrentUser() if err != nil { logrus.Fatal(err) } spec.Linux.CgroupsPath = sPtr(u.Name) // setup UID mappings spec.Linux.UIDMappings = []specs.IDMapping{ { HostID: uint32(u.Uid), ContainerID: 0, Size: 1, }, } // setup GID mappings spec.Linux.GIDMappings = []specs.IDMapping{ { HostID: uint32(u.Gid), ContainerID: 0, Size: 1, }, } if err := unpackRootfs(spec); err != nil { logrus.Fatal(err) } status, err := startContainer(spec, containerID, pidFile, detach, useSystemdCgroup) if err != nil { logrus.Fatal(err) } if err := os.RemoveAll(defaultRootfsDir); err != nil { logrus.Warnf("removing rootfs failed: %v", err) } // exit with the container's exit status os.Exit(status) }