diff --git a/moby/config.go b/moby/config.go new file mode 100644 index 000000000..4128005d6 --- /dev/null +++ b/moby/config.go @@ -0,0 +1,69 @@ +package main + +import ( + "strconv" + "strings" + + "gopkg.in/yaml.v2" +) + +type Moby struct { + Kernel string + Init string + System []MobyImage + Database []struct { + File string + Value string + } +} + +type MobyImage struct { + Name string + Image string + Capabilities []string + Binds []string + OomScoreAdj int64 `yaml:"oom_score_adj"` + Command []string + NetworkMode string `yaml:"network_mode"` +} + +const riddler = "mobylinux/riddler:7d4545d8b8ac2700971a83f12a3446a76db28c14@sha256:11b7310df6482fc38aa52b419c2ef1065d7b9207c633d47554e13aa99f6c0b72" + +func NewConfig(config []byte) (*Moby, error) { + m := Moby{} + + err := yaml.Unmarshal(config, &m) + if err != nil { + return &m, err + } + + return &m, nil +} + +func ConfigToRun(image *MobyImage) []string { + // riddler arguments + args := []string{"run", "--rm", "-v", "/var/run/docker.sock:/var/run/docker.sock", riddler, image.Image, "/containers/" + image.Name} + // docker arguments + args = append(args, "--cap-drop", "all") + for _, cap := range image.Capabilities { + if strings.ToUpper(cap)[0:4] == "CAP_" { + cap = cap[4:] + } + args = append(args, "--cap-add", cap) + } + if image.OomScoreAdj != 0 { + args = append(args, "--oom-score-adj", strconv.FormatInt(image.OomScoreAdj, 10)) + } + if image.NetworkMode != "" { + args = append(args, "--net", image.NetworkMode) + } + for _, bind := range image.Binds { + args = append(args, "-v", bind) + } + // image + args = append(args, image.Image) + // command + args = append(args, image.Command...) + + return args +} diff --git a/moby/main.go b/moby/main.go index bf3e70aac..013f6144d 100644 --- a/moby/main.go +++ b/moby/main.go @@ -9,32 +9,11 @@ import ( "log" "os" "os/exec" - "syscall" "github.com/docker/moby/pkg/initrd" - "gopkg.in/yaml.v2" ) -type moby struct { - Kernel string - Init string - System []struct { - Name string - Image string - CapDrop []string `yaml:"cap_drop"` - CapAdd []string `yaml:"cap_add"` - Bind string - OomScoreAdj int64 `yaml:"oom_score_adj"` - Command []string - } - Database []struct { - File string - Value string - } -} - const ( - riddler = "mobylinux/riddler:7d4545d8b8ac2700971a83f12a3446a76db28c14@sha256:11b7310df6482fc38aa52b419c2ef1065d7b9207c633d47554e13aa99f6c0b72" docker2tar = "mobylinux/docker2tar:82a3f11f70b2959c7100dd6e184b511ebfc65908@sha256:e4fd36febc108477a2e5316d263ac257527779409891c7ac10d455a162df05c1" ) @@ -96,11 +75,9 @@ func build() { log.Fatalf("Cannot open config file: %v", err) } - m := moby{} - - err = yaml.Unmarshal(config, &m) + m, err := NewConfig(config) if err != nil { - log.Fatalf("Yaml parse error: %v", err) + log.Fatalf("Invalid config: %v", err) } // TODO switch to using Docker client API not exec - just a quick prototype @@ -142,19 +119,7 @@ func build() { containers = append(containers, buffer) for _, image := range m.System { - // riddler arguments - args := []string{"run", "--rm", "-v", "/var/run/docker.sock:/var/run/docker.sock", riddler, image.Image, "/containers/" + image.Name} - // docker arguments - for _, cap := range image.CapDrop { - args = append(args, "--cap-drop", cap) - } - for _, cap := range image.CapAdd { - args = append(args, "--cap-add", cap) - } - // image - args = append(args, image.Image) - // command - args = append(args, image.Command...) + args := ConfigToRun(&image) cmd := exec.Command(docker, args...) // get output tarball @@ -182,19 +147,6 @@ func build() { } } -func run() { - env := os.Environ() - args := []string{} - err := syscall.Exec("./hyperkit.sh", args, env) - if err != nil { - log.Fatalf("Could not run") - } -} - func main() { - if len(os.Args) >= 2 && os.Args[1] == "run" { - run() - } build() - } diff --git a/moby/moby.yaml b/moby/moby.yaml index fe3412462..9d03690a8 100644 --- a/moby/moby.yaml +++ b/moby/moby.yaml @@ -3,18 +3,23 @@ init: "mobylinux/init:1f283250ba0f8e2f7ac0a9d7543719dd1a3b761b" system: - name: binfmt image: "mobylinux/binfmt:a94e0587b702edaa95cc6f303464959d0eb2311c@sha256:432732b90cbe0498f5ca148d75b90bb1eabd8fbfe8c872df8b23906c225091b1" - cap_drop: - - all - bind: /proc/sys/fs/binfmt_misc:/binfmt_misc + binds: + - /proc/sys/fs/binfmt_misc:/binfmt_misc command: [/usr/bin/binfmt, -dir, /etc/binfmt.d/, -mount, /binfmt_misc] - name: rngd image: "mobylinux/rngd:3dad6dd43270fa632ac031e99d1947f20b22eec9@sha256:1c93c1db7196f6f71f8e300bc1d15f0376dd18e8891c8789d77c8ff19f3a9a92" - cap_drop: - - all - cap_add: - - SYS_ADMIN + capabilities: + - CAP_SYS_ADMIN oom_score_adj: -800 command: [/bin/tini, /usr/sbin/rngd, -f] + - name: nginx + image: "nginx" + capabilities: + - CAP_NET_BIND_SERVICE + - CAP_CHOWN + - CAP_SETUID + - CAP_SETGID + network_mode: host database: - file: etc/docker/daemon.json value: '{"debug": true}'