// createContainer populates and configures the container type with the // data provided by the execdriver.Command func (d *driver) createContainer(c *execdriver.Command) (*libcontainer.Container, error) { container := template.New() container.Hostname = getEnv("HOSTNAME", c.Env) container.Tty = c.Tty container.User = c.User container.WorkingDir = c.WorkingDir container.Env = c.Env container.Cgroups.Name = c.ID // check to see if we are running in ramdisk to disable pivot root container.NoPivotRoot = os.Getenv("DOCKER_RAMDISK") != "" if err := d.createNetwork(container, c); err != nil { return nil, err } if c.Privileged { if err := d.setPrivileged(container); err != nil { return nil, err } } if err := d.setupCgroups(container, c); err != nil { return nil, err } if err := d.setupMounts(container, c); err != nil { return nil, err } if err := d.setupLabels(container, c); err != nil { return nil, err } if err := configuration.ParseConfiguration(container, d.activeContainers, c.Config["native"]); err != nil { return nil, err } return container, nil }
func TestConfigurationsDoNotConflict(t *testing.T) { var ( container1 = template.New() container2 = template.New() opts = []string{ "cap.add=NET_ADMIN", } ) if err := ParseConfiguration(container1, nil, opts); err != nil { t.Fatal(err) } if !container1.CapabilitiesMask.Get("NET_ADMIN").Enabled { t.Fatal("container one should have NET_ADMIN enabled") } if container2.CapabilitiesMask.Get("NET_ADMIN").Enabled { t.Fatal("container two should not have NET_ADMIN enabled") } }
func TestAppArmorProfile(t *testing.T) { var ( container = template.New() opts = []string{ "apparmor_profile=koye-the-protector", } ) if err := ParseConfiguration(container, nil, opts); err != nil { t.Fatal(err) } if expected := "koye-the-protector"; container.Context["apparmor_profile"] != expected { t.Fatalf("expected profile %s got %s", expected, container.Context["apparmor_profile"]) } }
func TestCgroupMemory(t *testing.T) { var ( container = template.New() opts = []string{ "cgroups.memory=500m", } ) if err := ParseConfiguration(container, nil, opts); err != nil { t.Fatal(err) } if expected := int64(500 * 1024 * 1024); container.Cgroups.Memory != expected { t.Fatalf("expected memory %d got %d", expected, container.Cgroups.Memory) } }
func TestCpuShares(t *testing.T) { var ( container = template.New() opts = []string{ "cgroups.cpu_shares=1048", } ) if err := ParseConfiguration(container, nil, opts); err != nil { t.Fatal(err) } if expected := int64(1048); container.Cgroups.CpuShares != expected { t.Fatalf("expected cpu shares %d got %d", expected, container.Cgroups.CpuShares) } }
func TestCpusetCpus(t *testing.T) { var ( container = template.New() opts = []string{ "cgroups.cpuset.cpus=1,2", } ) if err := ParseConfiguration(container, nil, opts); err != nil { t.Fatal(err) } if expected := "1,2"; container.Cgroups.CpusetCpus != expected { t.Fatalf("expected %s got %s for cpuset.cpus", expected, container.Cgroups.CpusetCpus) } }
func TestDropNamespace(t *testing.T) { var ( container = template.New() opts = []string{ "ns.drop=NEWNET", } ) if err := ParseConfiguration(container, nil, opts); err != nil { t.Fatal(err) } if container.Namespaces.Get("NEWNET").Enabled { t.Fatal("container should not have NEWNET enabled") } }
func TestSetReadonlyRootFs(t *testing.T) { var ( container = template.New() opts = []string{ "fs.readonly=true", } ) if container.ReadonlyFs { t.Fatal("container should not have a readonly rootfs by default") } if err := ParseConfiguration(container, nil, opts); err != nil { t.Fatal(err) } if !container.ReadonlyFs { t.Fatal("container should have a readonly rootfs") } }
func TestDropCap(t *testing.T) { var ( container = template.New() opts = []string{ "cap.drop=MKNOD", } ) // enabled all caps like in privileged mode for _, c := range container.CapabilitiesMask { c.Enabled = true } if err := ParseConfiguration(container, nil, opts); err != nil { t.Fatal(err) } if container.CapabilitiesMask.Get("MKNOD").Enabled { t.Fatal("container should not have MKNOD enabled") } }
func TestAddCap(t *testing.T) { var ( container = template.New() opts = []string{ "cap.add=MKNOD", "cap.add=SYS_ADMIN", } ) if err := ParseConfiguration(container, nil, opts); err != nil { t.Fatal(err) } if !container.CapabilitiesMask.Get("MKNOD").Enabled { t.Fatal("container should have MKNOD enabled") } if !container.CapabilitiesMask.Get("SYS_ADMIN").Enabled { t.Fatal("container should have SYS_ADMIN enabled") } }