try to use linux namespace to separate wide and client program

This commit is contained in:
Liang Ding 2014-12-17 15:38:02 +08:00
parent c906f6e5c6
commit 9dcda91ced
2 changed files with 12 additions and 1 deletions

View File

@ -3,7 +3,7 @@ MAINTAINER Liang Ding <dl88250@gmail.com>
ADD . /wide/gogogo/src/github.com/b3log/wide ADD . /wide/gogogo/src/github.com/b3log/wide
RUN useradd wide && chown -R wide:wide /wide RUN useradd wide && chown -R wide:wide /wide && wide_runner
USER wide USER wide

View File

@ -28,6 +28,7 @@ import (
"runtime" "runtime"
"strconv" "strconv"
"strings" "strings"
"syscall"
"time" "time"
"github.com/b3log/wide/conf" "github.com/b3log/wide/conf"
@ -95,6 +96,16 @@ func RunHandler(w http.ResponseWriter, r *http.Request) {
cmd := exec.Command(filePath) cmd := exec.Command(filePath)
cmd.Dir = curDir cmd.Dir = curDir
// XXX: keep move with Go 1.4 and later's
cmd.SysProcAttr = &syscall.SysProcAttr{}
cmd.SysProcAttr.Cloneflags = syscall.CLONE_NEWUSER | syscall.CLONE_NEWNS | syscall.CLONE_NEWUTS | syscall.CLONE_NEWPID | syscall.CLONE_NEWIPC | syscall.CLONE_NEWNET
cmd.SysProcAttr.Credential = &syscall.Credential{
Uid: 1001, // user: wide_runner
Gid: 1001, // gourp: wide_runner
}
cmd.SysProcAttr.UidMappings = []syscall.SysProcIDMap{{ContainerID: 1001, HostID: 1000, Size: 1}}
cmd.SysProcAttr.GidMappings = []syscall.SysProcIDMap{{ContainerID: 1001, HostID: 1000, Size: 1}}
stdout, err := cmd.StdoutPipe() stdout, err := cmd.StdoutPipe()
if nil != err { if nil != err {