提交
6a62f752
编写于
1月 26, 2017
作者:
S
Simon Fels
Allow privileged containers for systems without user namespace support
上级
b090f0a7
变更
6
Showing
6 changed file
with
25 addition
and
20 deletion
+25
-20
src/anbox/cmds/container_manager.cpp
src/anbox/cmds/container_manager.cpp
+4
-1
src/anbox/cmds/container_manager.h
src/anbox/cmds/container_manager.h
+1
-0
src/anbox/container/lxc_container.cpp
src/anbox/container/lxc_container.cpp
+6
-6
src/anbox/container/lxc_container.h
src/anbox/container/lxc_container.h
+2
-1
src/anbox/container/service.cpp
src/anbox/container/service.cpp
+8
-10
src/anbox/container/service.h
src/anbox/container/service.h
+4
-2
src/anbox/cmds/container_manager.cpp
...
...
@@ -45,6 +45,9 @@ anbox::cmds::ContainerManager::ContainerManager()
flag
(
cli
::
make_flag
(
cli
::
Name
{
"data-path"
},
cli
::
Description
{
"Path where the container and its data is stored"
},
data_path_
));
flag
(
cli
::
make_flag
(
cli
::
Name
{
"privileged"
},
cli
::
Description
{
"Run Android container in privileged mode"
},
privileged_
));
action
([
&
](
const
cli
::
Command
::
Context
&
)
{
try
{
...
...
@@ -62,7 +65,7 @@ anbox::cmds::ContainerManager::ContainerManager()
return
EXIT_FAILURE
;
auto
rt
=
Runtime
::
create
();
auto
service
=
container
::
Service
::
create
(
rt
);
auto
service
=
container
::
Service
::
create
(
rt
,
privileged_
);
rt
->
start
();
trap
->
run
();
...
...
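Review bot: The new `privileged` flag is accepted unconditionally, while the commit title scopes it to systems without user namespace support; nothing in the added flag handling checks that user namespaces are actually unavailable on the host, so the flag works everywhere. The flag's description also hides its consequence: with the uid/gid mapping skipped, root inside the container is root on the host. Consider `cli::Description{"Run Android container in privileged mode (no user namespace; container root is host root; only for kernels without user namespace support)"}`, and a log line in the action when the flag is set so the mode is visible in the container manager's output. A check that refuses the flag when user namespaces are available would fit in the action before `Service::create`, which starts outside the hunk. The constructor body continues outside the hunk.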
src/anbox/cmds/container_manager.h
...
...
@@ -41,6 +41,7 @@ class ContainerManager : public cli::CommandWithFlagsAndAction {
std
::
string
data_path_
;
std
::
shared_ptr
<
common
::
LoopDevice
>
android_img_loop_dev_
;
std
::
vector
<
std
::
shared_ptr
<
common
::
MountEntry
>>
mounts_
;
bool
privileged_
=
false
;
};
}
// namespace cmds
}
// namespace anbox
...
...
src/anbox/container/lxc_container.cpp
...
...
@@ -35,8 +35,8 @@ namespace fs = boost::filesystem;
namespace
anbox
{
namespace
container
{
LxcContainer
::
LxcContainer
(
const
network
::
Credentials
&
creds
)
:
state_
(
State
::
inactive
),
container_
(
nullptr
),
creds_
(
creds
)
{
LxcContainer
::
LxcContainer
(
bool
privileged
,
const
network
::
Credentials
&
creds
)
:
state_
(
State
::
inactive
),
container_
(
nullptr
),
privileged_
(
privileged
),
creds_
(
creds
)
{
utils
::
ensure_paths
({
SystemConfiguration
::
instance
().
container_config_dir
(),
SystemConfiguration
::
instance
().
log_dir
(),
...
...
@@ -44,16 +44,15 @@ LxcContainer::LxcContainer(const network::Credentials &creds)
}
LxcContainer
::~
LxcContainer
()
{
DEBUG
(
""
);
stop
();
if
(
container_
)
lxc_container_put
(
container_
);
}
void
LxcContainer
::
setup_id_maps
()
{
// FIXME make these id sets configurable
const
auto
base_id
=
100000
;
const
auto
max_id
=
65536
;
set_config_item
(
"lxc.id_map"
,
utils
::
string_format
(
"u 0 %d %d"
,
base_id
,
creds_
.
uid
()
-
1
));
set_config_item
(
"lxc.id_map"
,
...
...
@@ -150,7 +149,8 @@ void LxcContainer::start(const Configuration &configuration) {
set_config_item
(
"lxc.aa_profile"
,
"unconfined"
);
#endif
setup_id_maps
();
if
(
!
privileged_
)
setup_id_maps
();
auto
bind_mounts
=
configuration
.
bind_mounts
;
...
...
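Review bot: Skipping `setup_id_maps()` when `privileged_` is set removes the only uid/gid remapping the container gets, and the lines just above set `lxc.aa_profile` to `unconfined` inside an `#if` whose condition is outside the hunk, so on those builds a privileged container apparently runs as host root with no MAC confinement; the branch should at least record that it took this path, e.g. `if (!privileged_) setup_id_maps(); else DEBUG("privileged mode: no lxc.id_map configured, container root is host root");`. Whether a stronger mitigation in privileged mode (keeping an AppArmor profile, dropping capabilities via the LXC config) is possible depends on the surrounding configuration, which is outside the hunk. start() continues outside the hunk.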
src/anbox/container/lxc_container.h
...
...
@@ -29,7 +29,7 @@ namespace anbox {
namespace
container
{
class
LxcContainer
:
public
Container
{
public:
LxcContainer
(
const
network
::
Credentials
&
creds
);
LxcContainer
(
bool
privileged
,
const
network
::
Credentials
&
creds
);
~
LxcContainer
();
void
start
(
const
Configuration
&
configuration
)
override
;
...
...
@@ -42,6 +42,7 @@ class LxcContainer : public Container {
State
state_
;
lxc_container
*
container_
;
bool
privileged_
;
network
::
Credentials
creds_
;
};
}
// namespace container
...
...
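Review bot: The new `privileged` constructor parameter is undocumented in the header, and its effect (the `lxc.id_map` setup in `start()` is skipped, so uid 0 inside the container is uid 0 on the host) is only discoverable from lxc_container.cpp. Add a comment above the constructor: `// privileged: when true, no uid/gid mapping (lxc.id_map) is configured for the container; intended only for kernels without user namespace support.` and mirror it on the `privileged_` member. The class body continues outside the hunk.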
src/anbox/container/service.cpp
...
...
@@ -30,8 +30,8 @@
namespace
anbox
{
namespace
container
{
std
::
shared_ptr
<
Service
>
Service
::
create
(
const
std
::
shared_ptr
<
Runtime
>
&
rt
)
{
auto
sp
=
std
::
make_shared
<
Service
>
(
rt
);
std
::
shared_ptr
<
Service
>
Service
::
create
(
const
std
::
shared_ptr
<
Runtime
>
&
rt
,
bool
privileged
)
{
auto
sp
=
std
::
shared_ptr
<
Service
>
(
new
Service
(
rt
,
privileged
)
);
auto
delegate_connector
=
std
::
make_shared
<
network
::
DelegateConnectionCreator
<
boost
::
asio
::
local
::
stream_protocol
>>
(
...
...
@@ -49,34 +49,32 @@ std::shared_ptr<Service> Service::create(const std::shared_ptr<Runtime> &rt) {
return
sp
;
}
Service
::
Service
(
const
std
::
shared_ptr
<
Runtime
>
&
rt
)
Service
::
Service
(
const
std
::
shared_ptr
<
Runtime
>
&
rt
,
bool
privileged
)
:
dispatcher_
(
anbox
::
common
::
create_dispatcher_for_runtime
(
rt
)),
next_connection_id_
(
0
),
connections_
(
std
::
make_shared
<
network
::
Connections
<
network
::
SocketConnection
>>
()
)
{
connections_
(
std
::
make_shared
<
network
::
Connections
<
network
::
SocketConnection
>>
()),
privileged_
(
privileged
)
{
}
Service
::~
Service
()
{}
int
Service
::
next_id
()
{
return
next_connection_id_
++
;
}
void
Service
::
new_client
(
std
::
shared_ptr
<
boost
::
asio
::
local
::
stream_protocol
::
socket
>
const
void
Service
::
new_client
(
std
::
shared_ptr
<
boost
::
asio
::
local
::
stream_protocol
::
socket
>
const
&
socket
)
{
if
(
connections_
->
size
()
>=
1
)
{
socket
->
close
();
return
;
}
auto
const
messenger
=
std
::
make_shared
<
network
::
LocalSocketMessenger
>
(
socket
);
auto
const
messenger
=
std
::
make_shared
<
network
::
LocalSocketMessenger
>
(
socket
);
DEBUG
(
"Got connection from pid %d"
,
messenger
->
creds
().
pid
());
auto
pending_calls
=
std
::
make_shared
<
rpc
::
PendingCallCache
>
();
auto
rpc_channel
=
std
::
make_shared
<
rpc
::
Channel
>
(
pending_calls
,
messenger
);
auto
server
=
std
::
make_shared
<
container
::
ManagementApiSkeleton
>
(
pending_calls
,
std
::
make_shared
<
LxcContainer
>
(
messenger
->
creds
()));
pending_calls
,
std
::
make_shared
<
LxcContainer
>
(
privileged_
,
messenger
->
creds
()));
auto
processor
=
std
::
make_shared
<
container
::
ManagementApiMessageProcessor
>
(
messenger
,
pending_calls
,
server
);
...
...
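Review bot: In `new_client` the privileged decision is fixed once at `Service::create` and applied to every `LxcContainer` the service builds, yet the only log line at the point of use records just the peer pid; include the mode so a privileged container start is visible in the logs, e.g. `DEBUG("Got connection from pid %d (privileged=%d)", messenger->creds().pid(), privileged_);`. In `Service::create` earlier in this file, `std::shared_ptr<Service>(new Service(rt, privileged))` replaces `make_shared` because the constructor is now private; that is correct for a single allocation but deserves a one-line comment saying why `make_shared` is not used, otherwise the next reader "fixes" it. The body of `new_client` continues outside the hunk.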
src/anbox/container/service.h
...
...
@@ -30,12 +30,13 @@ namespace anbox {
namespace
container
{
class
Service
:
public
std
::
enable_shared_from_this
<
Service
>
{
public:
static
std
::
shared_ptr
<
Service
>
create
(
const
std
::
shared_ptr
<
Runtime
>
&
rt
);
static
std
::
shared_ptr
<
Service
>
create
(
const
std
::
shared_ptr
<
Runtime
>
&
rt
,
bool
privileged
);
Service
(
const
std
::
shared_ptr
<
Runtime
>
&
rt
);
~
Service
();
private:
Service
(
const
std
::
shared_ptr
<
Runtime
>
&
rt
,
bool
privileged
);
int
next_id
();
void
new_client
(
std
::
shared_ptr
<
boost
::
asio
::
local
::
stream_protocol
::
socket
>
const
&
socket
);
...
...
@@ -45,6 +46,7 @@ class Service : public std::enable_shared_from_this<Service> {
std
::
atomic
<
int
>
next_connection_id_
;
std
::
shared_ptr
<
network
::
Connections
<
network
::
SocketConnection
>>
connections_
;
std
::
shared_ptr
<
Container
>
backend_
;
bool
privileged_
;
};
}
// namespace container
}
// namespace anbox
...
...