mirror of
https://github.com/moby/moby.git
synced 2025-12-13 22:02:25 +03:00
50905a6d6c
This commit contains changes for docker: * user.GetGroupFile to user.GetGroupPath docker/libcontainer#301 * Add systemd support for OOM docker/libcontainer#307 * Support for custom namespaces docker/libcontainer#279, docker/libcontainer#312 * Fixes #9699 docker/libcontainer#308 Signed-off-by: Alexander Morozov <lk4d4@docker.com>
48 lines
905 B
Go
48 lines
905 B
Go
package template
|
|
|
|
import (
|
|
"github.com/docker/libcontainer"
|
|
"github.com/docker/libcontainer/apparmor"
|
|
"github.com/docker/libcontainer/cgroups"
|
|
)
|
|
|
|
// New returns the docker default configuration for libcontainer
|
|
func New() *libcontainer.Config {
|
|
container := &libcontainer.Config{
|
|
Capabilities: []string{
|
|
"CHOWN",
|
|
"DAC_OVERRIDE",
|
|
"FSETID",
|
|
"FOWNER",
|
|
"MKNOD",
|
|
"NET_RAW",
|
|
"SETGID",
|
|
"SETUID",
|
|
"SETFCAP",
|
|
"SETPCAP",
|
|
"NET_BIND_SERVICE",
|
|
"SYS_CHROOT",
|
|
"KILL",
|
|
"AUDIT_WRITE",
|
|
},
|
|
Namespaces: libcontainer.Namespaces{
|
|
{Type: "NEWNS"},
|
|
{Type: "NEWUTS"},
|
|
{Type: "NEWIPC"},
|
|
{Type: "NEWPID"},
|
|
{Type: "NEWNET"},
|
|
},
|
|
Cgroups: &cgroups.Cgroup{
|
|
Parent: "docker",
|
|
AllowAllDevices: false,
|
|
},
|
|
MountConfig: &libcontainer.MountConfig{},
|
|
}
|
|
|
|
if apparmor.IsEnabled() {
|
|
container.AppArmorProfile = "docker-default"
|
|
}
|
|
|
|
return container
|
|
}
|