Merge pull request #462 from hqhq/hq_fix_libcontainer_readme

LK4D4 · LK4D4 · commit f2f8f0e4e6fa · 2016-01-15T13:00:44.000-08:00
Update README of libcontainer
diff --git a/libcontainer/README.md b/libcontainer/README.md
@@ -10,104 +10,176 @@ host system and which is (optionally) isolated from other containers in the syst
 
 #### Using libcontainer
 
-To create a container you first have to initialize an instance of a factory
-that will handle the creation and initialization for a container.
+Because containers are spawned in a two step process you will need a binary that
+will be executed as the init process for the container. In libcontainer, we use
+the current binary (/proc/self/exe) to be executed as the init process, and use
+arg "init", we call the first step process "bootstrap", so you always need a "init"
+function as the entry of "bootstrap".
 
-Because containers are spawned in a two step process you will need to provide
-arguments to a binary that will be executed as the init process for the container.
-To use the current binary that is spawning the containers and acting as the parent
-you can use `os.Args[0]` and we have a command called `init` setup.
+```go
+func init() {
+	if len(os.Args) > 1 && os.Args[1] == "init" {
+		runtime.GOMAXPROCS(1)
+		runtime.LockOSThread()
+		factory, _ := libcontainer.New("")
+		if err := factory.StartInitialization(); err != nil {
+			logrus.Fatal(err)
+		}
+		panic("--this line should have never been executed, congratulations--")
+	}
+}
+```
+
+Then to create a container you first have to initialize an instance of a factory
+that will handle the creation and initialization for a container.
 
 ```go
-root, err := libcontainer.New("/var/lib/container", libcontainer.InitArgs(os.Args[0], "init"))
+factory, err := libcontainer.New("/var/lib/container", libcontainer.Cgroupfs, libcontainer.InitArgs(os.Args[0], "init"))
 if err != nil {
-    log.Fatal(err)
+	logrus.Fatal(err)
+	return
 }
 ```
 
 Once you have an instance of the factory created we can create a configuration
-struct describing how the container is to be created.  A sample would look similar to this:
+struct describing how the container is to be created. A sample would look similar to this:
 
 ```go
+defaultMountFlags := syscall.MS_NOEXEC | syscall.MS_NOSUID | syscall.MS_NODEV
 config := &configs.Config{
-    Rootfs: rootfs,
-    Capabilities: []string{
-        "CAP_CHOWN",
-        "CAP_DAC_OVERRIDE",
-        "CAP_FSETID",
-        "CAP_FOWNER",
-        "CAP_MKNOD",
-        "CAP_NET_RAW",
-        "CAP_SETGID",
-        "CAP_SETUID",
-        "CAP_SETFCAP",
-        "CAP_SETPCAP",
-        "CAP_NET_BIND_SERVICE",
-        "CAP_SYS_CHROOT",
-        "CAP_KILL",
-        "CAP_AUDIT_WRITE",
-    },
-    Namespaces: configs.Namespaces([]configs.Namespace{
-        {Type: configs.NEWNS},
-        {Type: configs.NEWUTS},
-        {Type: configs.NEWIPC},
-        {Type: configs.NEWPID},
-        {Type: configs.NEWNET},
-    }),
-    Cgroups: &configs.Cgroup{
-        Name:            "test-container",
-        Parent:          "system",
-        AllowAllDevices: false,
-        AllowedDevices:  configs.DefaultAllowedDevices,
-    },
-
-    Devices:  configs.DefaultAutoCreatedDevices,
-    Hostname: "testing",
-    Networks: []*configs.Network{
-        {
-            Type:    "loopback",
-            Address: "127.0.0.1/0",
-            Gateway: "localhost",
-        },
-    },
-    Rlimits: []configs.Rlimit{
-        {
-            Type: syscall.RLIMIT_NOFILE,
-            Hard: uint64(1024),
-            Soft: uint64(1024),
-        },
-    },
+	Rootfs: "/your/path/to/rootfs",
+	Capabilities: []string{
+		"CAP_CHOWN",
+		"CAP_DAC_OVERRIDE",
+		"CAP_FSETID",
+		"CAP_FOWNER",
+		"CAP_MKNOD",
+		"CAP_NET_RAW",
+		"CAP_SETGID",
+		"CAP_SETUID",
+		"CAP_SETFCAP",
+		"CAP_SETPCAP",
+		"CAP_NET_BIND_SERVICE",
+		"CAP_SYS_CHROOT",
+		"CAP_KILL",
+		"CAP_AUDIT_WRITE",
+	},
+	Namespaces: configs.Namespaces([]configs.Namespace{
+		{Type: configs.NEWNS},
+		{Type: configs.NEWUTS},
+		{Type: configs.NEWIPC},
+		{Type: configs.NEWPID},
+		{Type: configs.NEWNET},
+	}),
+	Cgroups: &configs.Cgroup{
+		Name:   "test-container",
+		Parent: "system",
+		Resources: &configs.Resources{
+			MemorySwappiness: -1,
+			AllowAllDevices:  false,
+			AllowedDevices:   configs.DefaultAllowedDevices,
+		},
+	},
+	MaskPaths: []string{
+		"/proc/kcore",
+	},
+	ReadonlyPaths: []string{
+		"/proc/sys", "/proc/sysrq-trigger", "/proc/irq", "/proc/bus",
+	},
+	Devices:  configs.DefaultAutoCreatedDevices,
+	Hostname: "testing",
+	Mounts: []*configs.Mount{
+		{
+			Source:      "proc",
+			Destination: "/proc",
+			Device:      "proc",
+			Flags:       defaultMountFlags,
+		},
+		{
+			Source:      "tmpfs",
+			Destination: "/dev",
+			Device:      "tmpfs",
+			Flags:       syscall.MS_NOSUID | syscall.MS_STRICTATIME,
+			Data:        "mode=755",
+		},
+		{
+			Source:      "devpts",
+			Destination: "/dev/pts",
+			Device:      "devpts",
+			Flags:       syscall.MS_NOSUID | syscall.MS_NOEXEC,
+			Data:        "newinstance,ptmxmode=0666,mode=0620,gid=5",
+		},
+		{
+			Device:      "tmpfs",
+			Source:      "shm",
+			Destination: "/dev/shm",
+			Data:        "mode=1777,size=65536k",
+			Flags:       defaultMountFlags,
+		},
+		{
+			Source:      "mqueue",
+			Destination: "/dev/mqueue",
+			Device:      "mqueue",
+			Flags:       defaultMountFlags,
+		},
+		{
+			Source:      "sysfs",
+			Destination: "/sys",
+			Device:      "sysfs",
+			Flags:       defaultMountFlags | syscall.MS_RDONLY,
+		},
+	},
+	Networks: []*configs.Network{
+		{
+			Type:    "loopback",
+			Address: "127.0.0.1/0",
+			Gateway: "localhost",
+		},
+	},
+	Rlimits: []configs.Rlimit{
+		{
+			Type: syscall.RLIMIT_NOFILE,
+			Hard: uint64(1025),
+			Soft: uint64(1025),
+		},
+	},
 }
 ```
 
 Once you have the configuration populated you can create a container:
 
 ```go
-container, err := root.Create("container-id", config)
+container, err := factory.Create("container-id", config)
+if err != nil {
+	logrus.Fatal(err)
+	return
+}
 ```
 
 To spawn bash as the initial process inside the container and have the
 processes pid returned in order to wait, signal, or kill the process:
 
 ```go
 process := &libcontainer.Process{
-    Args:   []string{"/bin/bash"},
-    Env:    []string{"PATH=/bin"},
-    User:   "daemon",
-    Stdin:  os.Stdin,
-    Stdout: os.Stdout,
-    Stderr: os.Stderr,
+	Args:   []string{"/bin/bash"},
+	Env:    []string{"PATH=/bin"},
+	User:   "daemon",
+	Stdin:  os.Stdin,
+	Stdout: os.Stdout,
+	Stderr: os.Stderr,
 }
 
 err := container.Start(process)
 if err != nil {
-    log.Fatal(err)
+	logrus.Fatal(err)
+	container.Destroy()
+	return
 }
 
 // wait for the process to finish.
-status, err := process.Wait()
+_, err := process.Wait()
 if err != nil {
-    log.Fatal(err)
+	logrus.Fatal(err)
 }
 
 // destroy the container.
@@ -124,7 +196,6 @@ processes, err := container.Processes()
 // it's processes.
 stats, err := container.Stats()
 
-
 // pause all processes inside the container.
 container.Pause()
 
