910f9d50e2
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael) Upstream-commit: 3b7a19def609c8fbadc6559e7f47f8a5a7769a5b Component: engine
48 lines
1.1 KiB
Go
48 lines
1.1 KiB
Go
package template
|
|
|
|
import (
|
|
"github.com/dotcloud/docker/pkg/apparmor"
|
|
"github.com/dotcloud/docker/pkg/libcontainer"
|
|
"github.com/dotcloud/docker/pkg/libcontainer/cgroups"
|
|
)
|
|
|
|
// New returns the docker default configuration for libcontainer
|
|
func New() *libcontainer.Container {
|
|
container := &libcontainer.Container{
|
|
CapabilitiesMask: map[string]bool{
|
|
"SETPCAP": false,
|
|
"SYS_MODULE": false,
|
|
"SYS_RAWIO": false,
|
|
"SYS_PACCT": false,
|
|
"SYS_ADMIN": false,
|
|
"SYS_NICE": false,
|
|
"SYS_RESOURCE": false,
|
|
"SYS_TIME": false,
|
|
"SYS_TTY_CONFIG": false,
|
|
"AUDIT_WRITE": false,
|
|
"AUDIT_CONTROL": false,
|
|
"MAC_OVERRIDE": false,
|
|
"MAC_ADMIN": false,
|
|
"NET_ADMIN": false,
|
|
"MKNOD": true,
|
|
"SYSLOG": false,
|
|
},
|
|
Namespaces: map[string]bool{
|
|
"NEWNS": true,
|
|
"NEWUTS": true,
|
|
"NEWIPC": true,
|
|
"NEWPID": true,
|
|
"NEWNET": true,
|
|
},
|
|
Cgroups: &cgroups.Cgroup{
|
|
Parent: "docker",
|
|
DeviceAccess: false,
|
|
},
|
|
Context: libcontainer.Context{},
|
|
}
|
|
if apparmor.IsEnabled() {
|
|
container.Context["apparmor_profile"] = "docker-default"
|
|
}
|
|
return container
|
|
}
|