diff --git a/trash.yml b/trash.yml
index dd8b52a2..b499e802 100644
--- a/trash.yml
+++ b/trash.yml
@@ -66,7 +66,7 @@ import:
   version: 1349b37bd56f4f5ce2690b5b2c0f53f88a261c67
 - package: github.com/rancher/docker-from-scratch
-  version: v1.10.1
+  version: 62ceebcf43725e484e598b2879d1aa33b4a5133a
 - package: github.com/rancher/netconf
   version: d7d620ef4ea62a9d04b51c7b3d9dc83fe7ffaa1b
diff --git a/vendor/github.com/rancher/docker-from-scratch/Dockerfile.dapper b/vendor/github.com/rancher/docker-from-scratch/Dockerfile.dapper
index 3894f875..a2e06377 100644
--- a/vendor/github.com/rancher/docker-from-scratch/Dockerfile.dapper
+++ b/vendor/github.com/rancher/docker-from-scratch/Dockerfile.dapper
@@ -1,5 +1,6 @@
 FROM golang:1.5.3
+RUN apt-get update && apt-get -y install libselinux-dev pkg-config
 RUN curl -o /usr/local/bin/docker -L https://get.docker.com/builds/Linux/x86_64/docker-1.9.1 && \
     chmod +x /usr/local/bin/docker
diff --git a/vendor/github.com/rancher/docker-from-scratch/scratch.go b/vendor/github.com/rancher/docker-from-scratch/scratch.go
index 6ded8bf7..3a5ecf09 100644
--- a/vendor/github.com/rancher/docker-from-scratch/scratch.go
+++ b/vendor/github.com/rancher/docker-from-scratch/scratch.go
@@ -14,6 +14,7 @@ import (
 	log "github.com/Sirupsen/logrus"
 	"github.com/docker/libnetwork/resolvconf"
+	"github.com/rancher/docker-from-scratch/selinux"
 	"github.com/rancher/docker-from-scratch/util"
 	"github.com/rancher/netconf"
 )
@@ -37,6 +38,9 @@ var (
 		{"none", "/sys", "sysfs", ""},
 		{"none", "/sys/fs/cgroup", "tmpfs", ""},
 	}
+	optionalMounts = [][]string{
+		{"none", "/sys/fs/selinux", "selinuxfs", ""},
+	}
 	systemdMounts = [][]string{
 		{"systemd", "/sys/fs/cgroup/systemd", "cgroup", "none,name=systemd"},
 	}
@@ -56,6 +60,7 @@ type Config struct {
 	EmulateSystemd bool
 	NoFiles        uint64
 	Environment    []string
+	GraphDirectory string
 }
 func createMounts(mounts ...[]string) error {
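Review bot: The new `apt-get -y install libselinux-dev pkg-config` line in Dockerfile.dapper installs unpinned packages and leaves the apt lists in the build image; `apt-get -y install --no-install-recommends libselinux-dev pkg-config && rm -rf /var/lib/apt/lists/*` keeps the image smaller and the dependency set narrower. More importantly, once selinux/selinux.go is built with cgo the resulting binary links against libselinux unless the build links it statically, and nothing in this diff shows the link flags, so the target root filesystem that runs this binary presumably needs the shared library available; worth confirming and documenting next to the RUN line.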
@@ -70,6 +75,16 @@ func createMounts(mounts ...[]string) error {
 	return nil
 }
+func createOptionalMounts(mounts ...[]string) {
+	for _, mount := range mounts {
+		log.Debugf("Mounting %s %s %s %s", mount[0], mount[1], mount[2], mount[3])
+		err := util.Mount(mount[0], mount[1], mount[2], mount[3])
+		if err != nil {
+			log.Debugf("Unable to mount %s %s %s %s: %s", mount[0], mount[1], mount[2], mount[3], err)
+		}
+	}
+}
+
 func createDirs(dirs ...string) error {
 	for _, dir := range dirs {
 		if _, err := os.Stat(dir); os.IsNotExist(err) {
@@ -213,6 +228,22 @@ func copyDefault(folder, name string) error {
 	return nil
 }
+func copyDefaultFolder(folder string) error {
+	defaultFolder := path.Join(defaultPrefix, folder)
+	files, _ := ioutil.ReadDir(defaultFolder)
+	for _, file := range files {
+		if file.IsDir() {
+			continue
+		}
+
+		if err := copyDefault(folder, file.Name()); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
 func defaultFiles(files ...string) error {
 	for _, file := range files {
 		dir := path.Dir(file)
@@ -225,6 +256,14 @@ func defaultFiles(files ...string) error {
 	return nil
 }
+func defaultFolders(folders ...string) error {
+	for _, folder := range folders {
+		copyDefaultFolder(folder)
+	}
+
+	return nil
+}
+
 func CopyFile(src, folder, name string) error {
 	if _, err := os.Stat(src); os.IsNotExist(err) {
 		return nil
@@ -330,6 +369,8 @@ func ParseConfig(config *Config, args ...string) []string {
 			if err != nil {
 				config.BridgeMtu = mtu
 			}
+		} else if strings.HasPrefix(arg, "-g") || strings.HasPrefix(arg, "--graph") {
+			config.GraphDirectory = util.GetValue(i, args)
 		}
 	}
@@ -363,11 +404,17 @@ func PrepareFs(config *Config) error {
 		return err
 	}
+	createOptionalMounts(optionalMounts...)
+
 	if err := mountCgroups(config.CgroupHierarchy); err != nil {
 		return err
 	}
-	if err := createLayout(); err != nil {
+	if err := createLayout(config); err != nil {
+		return err
+	}
+
+	if err := firstPrepare(); err != nil {
 		return err
 	}
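Review bot: The error from `files, _ := ioutil.ReadDir(defaultFolder)` in copyDefaultFolder is discarded, and defaultFolders in the following hunk drops copyDefaultFolder's return value too, so an unreadable or missing defaults directory leaves /etc/selinux/ros/policy and /etc/selinux/ros/contexts unpopulated while firstPrepare still reports success. CopyFile in this file already treats a missing source as a no-op via os.IsNotExist and returns every other error; copyDefaultFolder should follow that convention, and defaultFolders should propagate with `if err := copyDefaultFolder(folder); err != nil { return err }`. Whether the host ends up with the intended SELinux policy depends on these files landing, so a staging failure should at least be surfaced rather than swallowed.
```go
func copyDefaultFolder(folder string) error {
	defaultFolder := path.Join(defaultPrefix, folder)
	files, err := ioutil.ReadDir(defaultFolder)
	if err != nil {
		// Mirror CopyFile: a missing defaults directory is not an error,
		// anything else (permissions, I/O) is reported to the caller.
		if os.IsNotExist(err) {
			return nil
		}
		return err
	}
	// … unchanged: per-file copyDefault loop …
	return nil
}
```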
@@ -405,11 +452,23 @@ func touchSockets(args ...string) error {
 	return nil
 }
-func createLayout() error {
+func createLayout(config *Config) error {
 	if err := createDirs("/tmp", "/root/.ssh", "/var"); err != nil {
 		return err
 	}
+	graphDirectory := config.GraphDirectory
+
+	if config.GraphDirectory == "" {
+		graphDirectory = "/var/lib/docker"
+	}
+
+	if err := createDirs(graphDirectory); err != nil {
+		return err
+	}
+
+	selinux.SetFileContext(graphDirectory, "system_u:object_r:var_lib_t:s0")
+
 	return CreateSymlinks([][]string{
 		{"usr/lib", "/lib"},
 		{"usr/sbin", "/sbin"},
@@ -417,7 +476,7 @@ func createLayout() error {
 	})
 }
-func prepare(config *Config, docker string, args ...string) error {
+func firstPrepare() error {
 	os.Setenv("PATH", "/sbin:/usr/sbin:/usr/bin")
 	if err := defaultFiles(
@@ -428,6 +487,15 @@ func prepare(config *Config, docker string, args ...string) error {
 		return err
 	}
+	if err := defaultFolders(
+		"/etc/selinux",
+		"/etc/selinux/ros",
+		"/etc/selinux/ros/policy",
+		"/etc/selinux/ros/contexts",
+	); err != nil {
+		return err
+	}
+
 	if err := createPasswd(); err != nil {
 		return err
 	}
@@ -436,6 +504,11 @@ func prepare(config *Config, docker string, args ...string) error {
 		return err
 	}
+	return nil
+}
+
+func secondPrepare(config *Config, docker string, args ...string) error {
+
 	if err := setupNetworking(config); err != nil {
 		return err
 	}
@@ -548,7 +621,7 @@ func setUlimit(cfg *Config) error {
 	}
 }
 func runOrExec(config *Config, docker string, args ...string) (*exec.Cmd, error) {
-	if err := prepare(config, docker, args...); err != nil {
+	if err := secondPrepare(config, docker, args...); err != nil {
 		return nil, err
 	}
diff --git a/vendor/github.com/rancher/docker-from-scratch/selinux/selinux.go b/vendor/github.com/rancher/docker-from-scratch/selinux/selinux.go
new file mode 100644
index 00000000..fe46d482
--- /dev/null
+++ b/vendor/github.com/rancher/docker-from-scratch/selinux/selinux.go
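Review bot: Both return values of `selinux.SetFileContext(graphDirectory, "system_u:object_r:var_lib_t:s0")` in createLayout are discarded, so a failed relabel of the graph directory is invisible, and on an enforcing host a wrongly labelled /var/lib/docker is exactly the failure an operator needs to see. Returning the error would presumably break hosts without SELinux support (where the optional selinuxfs mount also fails), so logging looks like the right level: `if _, err := selinux.SetFileContext(graphDirectory, "system_u:object_r:var_lib_t:s0"); err != nil { log.Warnf("Unable to set SELinux context on %s: %v", graphDirectory, err) }`. Since setfilecon labels only the path it is given, a comment noting that existing content under an operator-supplied -g directory is not relabelled would save the next reader a wrong assumption. createLayout continues past this hunk into the CreateSymlinks call.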
@@ -0,0 +1,10 @@
+package selinux
+
+// #cgo pkg-config: libselinux
+// #include
+import "C"
+
+func SetFileContext(path string, context string) (int, error) {
+	ret, err := C.setfilecon(C.CString(path), C.CString(context))
+	return int(ret), err
+}
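Review bot: The two `C.CString` buffers passed to `C.setfilecon` in SetFileContext are never released, so every call leaks two malloc'd strings; cgo leaves freeing to the caller via `C.free`, which needs `#include <stdlib.h>` in the preamble and `import "unsafe"`. The `err` from the two-value cgo call is the errno observed after the call even when setfilecon returned 0, and library calls can set errno on success paths, so the return code should be checked before err is treated as a failure. The `// #include` line also appears to have lost its header name in this rendering (setfilecon is declared in libselinux's selinux/selinux.h); worth confirming the committed file is intact, and an exported doc comment on SetFileContext describing the return convention would help callers.
```go
func SetFileContext(path string, context string) (int, error) {
	cpath := C.CString(path)
	defer C.free(unsafe.Pointer(cpath))
	ccontext := C.CString(context)
	defer C.free(unsafe.Pointer(ccontext))
	ret, err := C.setfilecon(cpath, ccontext)
	if ret < 0 {
		return int(ret), err
	}
	// errno may be set by internal library calls even on success; only
	// report it when setfilecon itself signalled failure.
	return int(ret), nil
}
```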