Commit Graph

64 Commits

Author SHA1 Message Date
Guillaume J. Charmes 70fef1460a Merge pull request #4441 from crosbymichael/add-net-flag
Add --net flag to docker run and allow host network stack
2014-05-05 13:54:55 -07:00
Michael Crosby db5f6b4aa0 Improve libcontainer namespace and cap format
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-05-05 12:34:21 -07:00
Michael Crosby a785882b29 Setup host networking for lxc and native
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-05-05 10:08:59 -07:00
Johan Euphrosine a60159f3b1 runconfig: add -net container:name option
Docker-DCO-1.1-Signed-off-by: Johan Euphrosine <proppy@google.com> (github: proppy)
2014-05-05 10:08:59 -07:00
Michael Crosby f5139233b9 Update restrictions for better handling of mounts
This also cleans up some of the left over restriction paths code from
before.
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-05-01 15:26:58 -07:00
Jérôme Petazzoni 1c4202a614 Mount /proc and /sys read-only, except in privileged containers.
It has been pointed out that some files in /proc and /sys can be used
to break out of containers. However, if those filesystems are mounted
read-only, most of the known exploits are mitigated, since they rely
on writing some file in those filesystems.

This does not replace security modules (like SELinux or AppArmor), it
is just another layer of security. Likewise, it doesn't mean that the
other mitigations (shadowing parts of /proc or /sys with bind mounts)
are useless. Those measures are still useful. As such, the shadowing
of /proc/kcore is still enabled with both LXC and native drivers.

Special care has to be taken with /proc/1/attr, which still needs to
be mounted read-write in order to enable the AppArmor profile. It is
bind-mounted from a private read-write mount of procfs.

All that enforcement is done in dockerinit. The code doing the real
work is in libcontainer. The init function for the LXC driver calls
the function from libcontainer to avoid code duplication.

Docker-DCO-1.1-Signed-off-by: Jérôme Petazzoni <jerome@docker.com> (github: jpetazzo)
2014-05-01 15:26:58 -07:00
Michael Crosby f0e6e135a8 Initial work on selinux patch
This has every container using the docker daemon's pid for the processes
label so it does not work correctly.
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-29 03:40:05 -07:00
unclejack 44140f7909 Merge pull request #5411 from crosbymichael/lockdown
Update default restrictions for exec drivers
2014-04-26 03:27:56 +03:00
Victor Marmol f188b9f623 Separating cgroup Memory and MemoryReservation.
This will allow for these to be set independently. Keep the current Docker behavior where Memory and MemoryReservation are set to the value of Memory.

Docker-DCO-1.1-Signed-off-by: Victor Marmol <vmarmol@google.com> (github: vmarmol)
2014-04-24 11:09:38 -07:00
Michael Crosby 5ba1242bdc Mount over dev and only copy allowed nodes in
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-24 10:35:20 -07:00
Michael Crosby 81e5026a6a No not mount sysfs by default for non privilged containers
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-24 10:35:20 -07:00
Michael Crosby 60a90970bc Add restrictions to proc in libcontainer
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-24 10:35:19 -07:00
Guillaume J. Charmes 813cebc64f
Merge branch 'master' into load-profile
Conflicts:
	daemon/execdriver/native/create.go
	daemon/execdriver/native/driver.go

Docker-DCO-1.1-Signed-off-by: Guillaume J. Charmes <guillaume@charmes.net> (github: creack)
2014-04-21 10:32:13 -07:00
Alexander Larsson 359b7df5d2 Rename runtime/* to daemon/*
Docker-DCO-1.1-Signed-off-by: Alexander Larsson <alexl@redhat.com> (github: alexlarsson)
2014-04-17 14:43:01 -07:00