本文整理汇总了Golang中github.com/docker/docker/daemon/execdriver.TweakCapabilities函数的典型用法代码示例。如果您正苦于以下问题:Golang TweakCapabilities函数的具体用法?Golang TweakCapabilities怎么用?Golang TweakCapabilities使用的例子?那么恭喜您, 这里精选的函数代码示例或许可以为您提供帮助。
在下文中一共展示了TweakCapabilities函数的6个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Golang代码示例。
示例1: finalizeNamespace
func finalizeNamespace(args *InitArgs) error {
if err := utils.CloseExecFrom(3); err != nil {
return err
}
// We use the native drivers default template so that things like caps are consistent
// across both drivers
container := template.New()
if !args.Privileged {
// drop capabilities in bounding set before changing user
if err := capabilities.DropBoundingSet(container.Capabilities); err != nil {
return fmt.Errorf("drop bounding set %s", err)
}
// preserve existing capabilities while we change users
if err := system.SetKeepCaps(); err != nil {
return fmt.Errorf("set keep caps %s", err)
}
}
if err := namespaces.SetupUser(args.User); err != nil {
return fmt.Errorf("setup user %s", err)
}
if !args.Privileged {
if err := system.ClearKeepCaps(); err != nil {
return fmt.Errorf("clear keep caps %s", err)
}
var (
adds []string
drops []string
)
if args.CapAdd != "" {
adds = strings.Split(args.CapAdd, ":")
}
if args.CapDrop != "" {
drops = strings.Split(args.CapDrop, ":")
}
caps, err := execdriver.TweakCapabilities(container.Capabilities, adds, drops)
if err != nil {
return err
}
// drop all other capabilities
if err := capabilities.DropCapabilities(caps); err != nil {
return fmt.Errorf("drop capabilities %s", err)
}
}
if err := setupWorkingDirectory(args); err != nil {
return err
}
return nil
}示例2: keepCapabilities
func keepCapabilities(adds []string, drops []string) []string {
container := nativeTemplate.New()
caps, err := execdriver.TweakCapabilities(container.Capabilities, adds, drops)
var newCaps []string
for _, cap := range caps {
newCaps = append(newCaps, strings.ToLower(cap))
}
if err != nil {
return []string{}
}
return newCaps
}示例3: keepCapabilities
func keepCapabilities(adds []string, drops []string) ([]string, error) {
container := nativeTemplate.New()
logrus.Debugf("adds %s drops %s\n", adds, drops)
caps, err := execdriver.TweakCapabilities(container.Capabilities, adds, drops)
if err != nil {
return nil, err
}
var newCaps []string
for _, cap := range caps {
logrus.Debugf("cap %s\n", cap)
realCap := execdriver.GetCapability(cap)
numCap := fmt.Sprintf("%d", realCap.Value)
newCaps = append(newCaps, numCap)
}
return newCaps, nil
}示例4: setCapabilities
func (d *Driver) setCapabilities(container *configs.Config, c *execdriver.Command) (err error) {
container.Capabilities, err = execdriver.TweakCapabilities(container.Capabilities, c.CapAdd, c.CapDrop)
return err
}示例5: Config
// Config takes ContainerJSON and Daemon Info and converts it into the opencontainers spec.
func Config(c types.ContainerJSON, info types.Info, capabilities []string) (config *specs.LinuxSpec, err error) {
config = &specs.LinuxSpec{
Spec: specs.Spec{
Version: SpecVersion,
Platform: specs.Platform{
OS: info.OSType,
Arch: info.Architecture,
},
Process: specs.Process{
Terminal: c.Config.Tty,
User: specs.User{
// TODO: user stuffs
},
Args: append([]string{c.Path}, c.Args...),
Env: c.Config.Env,
Cwd: c.Config.WorkingDir,
},
Root: specs.Root{
Path: "rootfs",
Readonly: c.HostConfig.ReadonlyRootfs,
},
Mounts: []specs.MountPoint{},
},
}
// make sure the current working directory is not blank
if config.Process.Cwd == "" {
config.Process.Cwd = DefaultCurrentWorkingDirectory
}
// get the user
if c.Config.User != "" {
u, err := user.LookupUser(c.Config.User)
if err != nil {
config.Spec.Process.User = specs.User{
UID: uint32(u.Uid),
GID: uint32(u.Gid),
}
} else {
//return nil, fmt.Errorf("Looking up user (%s) failed: %v", c.Config.User, err)
logrus.Warnf("Looking up user (%s) failed: %v", c.Config.User, err)
}
}
// add the additional groups
for _, group := range c.HostConfig.GroupAdd {
g, err := user.LookupGroup(group)
if err != nil {
return nil, fmt.Errorf("Looking up group (%s) failed: %v", group, err)
}
config.Spec.Process.User.AdditionalGids = append(config.Spec.Process.User.AdditionalGids, uint32(g.Gid))
}
// get the hostname, if the hostname is the name as the first 12 characters of the id,
// then set the hostname as the container name
if c.ID[:12] == c.Config.Hostname {
config.Hostname = strings.TrimPrefix(c.Name, "/")
}
// get mounts
mounts := map[string]bool{}
for _, mount := range c.Mounts {
mounts[mount.Destination] = true
config.Mounts = append(config.Mounts, specs.MountPoint{
Name: mount.Destination,
Path: mount.Destination,
})
}
// add /etc/hosts and /etc/resolv.conf if we should have networking
if c.HostConfig.NetworkMode != "none" && c.HostConfig.NetworkMode != "host" {
DefaultMounts = append(DefaultMounts, NetworkMounts...)
}
// if we aren't doing something crazy like mounting a default mount ourselves,
// the we can mount it the default way
for _, mount := range DefaultMounts {
if _, ok := mounts[mount.Path]; !ok {
config.Mounts = append(config.Mounts, mount)
}
}
// set privileged
if c.HostConfig.Privileged {
// allow all caps
capabilities = execdriver.GetAllCapabilities()
}
// get the capabilities
config.Linux.Capabilities, err = execdriver.TweakCapabilities(capabilities, c.HostConfig.CapAdd.Slice(), c.HostConfig.CapDrop.Slice())
if err != nil {
return nil, fmt.Errorf("setting capabilities failed: %v", err)
}
// add CAP_ prefix
// TODO: this is awful
for i, cap := range config.Linux.Capabilities {
if !strings.HasPrefix(cap, "CAP_") {
config.Linux.Capabilities[i] = fmt.Sprintf("CAP_%s", cap)
}
//.........这里部分代码省略.........
示例6: Config
//.........这里部分代码省略.........
u, err := user.LookupUser(c.Config.User)
if err != nil {
config.Process.User = specs.User{
UID: uint32(u.Uid),
GID: uint32(u.Gid),
}
} else {
//return nil, fmt.Errorf("Looking up user (%s) failed: %v", c.Config.User, err)
logrus.Warnf("Looking up user (%s) failed: %v", c.Config.User, err)
}
}
// add the additional groups
for _, group := range c.HostConfig.GroupAdd {
g, err := user.LookupGroup(group)
if err != nil {
return nil, fmt.Errorf("Looking up group (%s) failed: %v", group, err)
}
config.Process.User.AdditionalGids = append(config.Process.User.AdditionalGids, uint32(g.Gid))
}
// get the hostname, if the hostname is the name as the first 12 characters of the id,
// then set the hostname as the container name
if c.ID[:12] == c.Config.Hostname {
config.Hostname = strings.TrimPrefix(c.Name, "/")
}
// set privileged
if c.HostConfig.Privileged {
// allow all caps
capabilities = execdriver.GetAllCapabilities()
}
// get the capabilities
config.Process.Capabilities, err = execdriver.TweakCapabilities(capabilities, c.HostConfig.CapAdd, c.HostConfig.CapDrop)
if err != nil {
return nil, fmt.Errorf("setting capabilities failed: %v", err)
}
// add CAP_ prefix
// TODO: this is awful
for i, cap := range config.Process.Capabilities {
if !strings.HasPrefix(cap, "CAP_") {
config.Process.Capabilities[i] = fmt.Sprintf("CAP_%s", cap)
}
}
// if we have a container that needs a terminal but no env vars, then set
// default env vars for the terminal to function
if config.Process.Terminal && len(config.Process.Env) <= 0 {
config.Process.Env = DefaultTerminalEnv
}
if config.Process.Terminal {
// make sure we have TERM set
var termSet bool
for _, env := range config.Process.Env {
if strings.HasPrefix(env, "TERM=") {
termSet = true
break
}
}
if !termSet {
// set the term variable
config.Process.Env = append(config.Process.Env, fmt.Sprintf("TERM=%s", DefaultTerminal))
}
}