openshift
diff --git a/‎images/node/Dockerfile
+3 b/‎images/node/Dockerfile
+3
diff --git a/‎images/node/Dockerfile.centos7
+3 b/‎images/node/Dockerfile.centos7
+3
diff --git a/‎images/node/system-container/config.json.template
+347 b/‎images/node/system-container/config.json.template
+347
diff --git a/‎images/node/system-container/service.template
+24 b/‎images/node/system-container/service.template
+24
diff --git a/‎images/node/system-container/system-container-wrapper.sh
+4 b/‎images/node/system-container/system-container-wrapper.sh
+4
diff --git a/‎images/node/system-container/tmpfiles.template
+4 b/‎images/node/system-container/tmpfiles.template
+4
@@ -31,4 +31,7 @@ LABEL io.k8s.display-name="OpenShift Origin Node" \
       io.k8s.description="This is a component of OpenShift Origin and contains the software for individual nodes when using SDN."
 VOLUME /etc/origin/node
 ENV KUBECONFIG=/etc/origin/node/node.kubeconfig
+
+COPY system-container/config.json.template system-container/service.template system-containers/tmpfiles.template /exports/
+
 ENTRYPOINT [ "/usr/local/bin/origin-node-run.sh" ]
@@ -26,4 +26,7 @@ LABEL io.k8s.display-name="OpenShift Origin Node" \
       io.k8s.description="This is a component of OpenShift Origin and contains the software for individual nodes when using SDN."
 VOLUME /etc/origin/node
 ENV KUBECONFIG=/etc/origin/node/node.kubeconfig
+
+COPY system-container/config.json.template system-container/service.template system-containers/tmpfiles.template /exports/
+
 ENTRYPOINT [ "/usr/local/bin/origin-node-run.sh" ]
@@ -0,0 +1,347 @@
+{
+    "ociVersion": "1.0.0",
+    "platform": {
+	"os": "linux",
+	"arch": "amd64"
+    },
+    "process": {
+	"terminal": false,
+	"user": {},
+	"args": [
+	    "/usr/local/bin/system-container-wrapper.sh"
+	],
+	"env": [
+            "HOST=/rootfs",
+            "HOST_ETC=/host-etc",
+            "container=docker",
+            "PKGM=yum",
+            "NAME=$NAME",
+            "PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin",
+            "HOME=/root",
+            "OPENSHIFT_CONTAINERIZED=true",
+            "KUBECONFIG=/etc/origin/node/node.kubeconfig",
+	    "TERM=xterm"
+	],
+	"cwd": "/var/lib/origin",
+	"capabilities": [
+            "CAP_CHOWN",
+            "CAP_DAC_OVERRIDE",
+            "CAP_DAC_READ_SEARCH",
+            "CAP_FOWNER",
+            "CAP_FSETID",
+            "CAP_KILL",
+            "CAP_SETGID",
+            "CAP_SETUID",
+            "CAP_SETPCAP",
+            "CAP_LINUX_IMMUTABLE",
+            "CAP_NET_BIND_SERVICE",
+            "CAP_NET_BROADCAST",
+            "CAP_NET_ADMIN",
+            "CAP_NET_RAW",
+            "CAP_IPC_LOCK",
+            "CAP_IPC_OWNER",
+            "CAP_SYS_MODULE",
+            "CAP_SYS_RAWIO",
+            "CAP_SYS_CHROOT",
+            "CAP_SYS_PTRACE",
+            "CAP_SYS_PACCT",
+            "CAP_SYS_ADMIN",
+            "CAP_SYS_BOOT",
+            "CAP_SYS_NICE",
+            "CAP_SYS_RESOURCE",
+            "CAP_SYS_TIME",
+            "CAP_SYS_TTY_CONFIG",
+            "CAP_MKNOD",
+            "CAP_LEASE",
+            "CAP_AUDIT_WRITE",
+            "CAP_AUDIT_CONTROL",
+            "CAP_SETFCAP",
+            "CAP_MAC_OVERRIDE",
+            "CAP_MAC_ADMIN",
+            "CAP_SYSLOG",
+            "CAP_WAKE_ALARM",
+            "CAP_BLOCK_SUSPEND"
+	],
+	"rlimits": [
+	    {
+		"type": "RLIMIT_NOFILE",
+		"hard": 1024,
+		"soft": 1024
+	    }
+	],
+	"noNewPrivileges": true
+    },
+    "root": {
+	"path": "rootfs",
+	"readonly": true
+    },
+    "mounts": [
+	{
+	    "destination": "/dev",
+	    "type": "tmpfs",
+	    "source": "tmpfs",
+	    "options": [
+		"nosuid",
+		"strictatime",
+		"mode=755",
+		"size=65536k"
+	    ]
+	},
+	{
+	    "destination": "/dev/pts",
+	    "type": "devpts",
+	    "source": "devpts",
+	    "options": [
+		"nosuid",
+		"noexec",
+		"newinstance",
+		"ptmxmode=0666",
+		"mode=0620",
+		"gid=5"
+	    ]
+	},
+	{
+	    "destination": "/dev/shm",
+	    "type": "tmpfs",
+	    "source": "shm",
+	    "options": [
+		"nosuid",
+		"noexec",
+		"nodev",
+		"mode=1777",
+		"size=65536k"
+	    ]
+	},
+	{
+	    "destination": "/dev/mqueue",
+	    "type": "mqueue",
+	    "source": "mqueue",
+	    "options": [
+		"nosuid",
+		"noexec",
+		"nodev"
+	    ]
+	},
+        {
+            "destination": "/proc",
+            "type": "proc",
+            "source": "proc"
+        },
+        {
+	    "type": "rbind",
+	    "source": "/sys",
+	    "destination": "/sys",
+	    "options": [
+		"rbind",
+		"rw"
+	    ]
+        },
+        {
+	    "type": "bind",
+	    "source": "/usr/bin/docker-current",
+	    "destination": "/usr/bin/docker-current",
+	    "options": [
+		"rbind",
+		"ro"
+	    ]
+        },
+        {
+	    "type": "bind",
+	    "source": "/etc/localtime",
+	    "destination": "/etc/localtime",
+	    "options": [
+		"rbind",
+		"ro"
+	    ]
+        },
+        {
+	    "type": "bind",
+	    "source": "/usr/bin/docker",
+	    "destination": "/usr/bin/docker",
+	    "options": [
+		"rbind",
+		"ro"
+	    ]
+        },
+        {
+	    "type": "bind",
+	    "source": "/etc/origin/sdn",
+	    "destination": "/etc/openshift-sdn",
+	    "options": [
+		"rbind",
+		"rw",
+		"mode=755"
+	    ]
+        },
+        {
+	    "type": "bind",
+	    "source": "/run",
+	    "destination": "/run",
+	    "options": [
+		"rbind",
+		"rw",
+		"mode=755"
+	    ]
+        },
+        {
+	    "type": "bind",
+	    "source": "/etc/systemd/system",
+	    "destination": "/host-etc/systemd/system",
+	    "options": [
+		"rbind",
+		"rw",
+		"mode=755"
+	    ]
+        },
+        {
+            "type": "bind",
+            "source": "/var/run/secrets",
+            "destination": "/var/run/secrets",
+            "options": [
+                "rbind",
+                "rw",
+                "mode=755"
+            ]
+        },
+        {
+	    "type": "bind",
+	    "source": "/lib/modules",
+	    "destination": "/lib/modules",
+	    "options": [
+		"rbind",
+		"rw",
+		"mode=755"
+	    ]
+        },
+        {
+	    "type": "bind",
+	    "source": "/etc/origin/openvswitch",
+	    "destination": "/etc/openvswitch",
+	    "options": [
+		"rbind",
+		"rw",
+		"mode=755"
+	    ]
+        },
+        {
+	    "type": "bind",
+	    "source": "/var/lib/origin",
+	    "destination": "/var/lib/origin",
+	    "options": [
+		"rbind",
+		"rslave",
+		"rw",
+		"mode=755"
+	    ]
+        },
+        {
+            "type": "bind",
+            "source": "/var/lib/cni",
+            "destination": "/var/lib/cni",
+            "options": [
+                "bind",
+                "slave",
+                "rw",
+                "mode=777"
+            ]
+        },
+        {
+	    "type": "bind",
+	    "source": "/etc/machine-id",
+	    "destination": "/etc/machine-id",
+	    "options": [
+		"rbind",
+		"ro"
+	    ]
+        },
+        {
+	    "type": "bind",
+	    "source": "/etc/resolv.conf",
+	    "destination": "/etc/resolv.conf",
+	    "options": [
+		"bind",
+		"ro"
+	    ]
+        },
+        {
+	    "type": "bind",
+	    "source": "/var/lib/docker",
+	    "destination": "/var/lib/docker",
+	    "options": [
+		"bind",
+		"rw",
+		"mode=755"
+	    ]
+        },
+        {
+	    "type": "bind",
+	    "source": "/var/log",
+	    "destination": "/var/log",
+	    "options": [
+		"rbind",
+		"rw",
+		"mode=755"
+	    ]
+        },
+        {
+	    "type": "bind",
+	    "source": "/",
+	    "destination": "/rootfs",
+	    "options": [
+		"rbind",
+                "rprivate",
+		"ro"
+	    ]
+        },
+        {
+	    "type": "bind",
+	    "source": "/etc/origin/node",
+	    "destination": "/etc/origin/node",
+	    "options": [
+		"rbind",
+		"rw",
+		"mode=755"
+	    ]
+        },
+	{
+	    "destination": "/tmp",
+	    "type": "tmpfs",
+	    "source": "tmpfs",
+	    "options": [
+		"mode=755",
+		"size=65536k"
+	    ]
+	}
+    ],
+    "hooks": {},
+    "linux": {
+	"rootfsPropagation" : "rslave",
+	"resources": {
+	    "devices": [
+		{
+		    "allow": false,
+		    "access": "rwm"
+		}
+	    ]
+	},
+	"namespaces": [
+	    {
+		"type": "mount"
+	    }
+	],
+	"maskedPaths": [
+	    "/proc/kcore",
+	    "/proc/latency_stats",
+	    "/proc/timer_stats",
+	    "/proc/sched_debug"
+	],
+	"readonlyPaths": [
+	    "/proc/asound",
+	    "/proc/bus",
+	    "/proc/fs",
+	    "/proc/irq",
+	    "/proc/sysrq-trigger"
+	]
+    }
+}
+
@@ -0,0 +1,24 @@
+[Unit]
+After=atomic-openshift-master.service
+After=docker.service
+After=openvswitch.service
+PartOf=docker.service
+Requires=docker.service
+Requires=openvswitch.service
+Requires=$NAME-dep.service
+After=$NAME-dep.service
+
+[Service]
+EnvironmentFile=/etc/sysconfig/$NAME
+EnvironmentFile=/etc/sysconfig/$NAME-dep
+ExecStartPre=/bin/bash -c 'export -p > /run/$NAME-env'
+ExecStart=$EXEC_START
+ExecStop=$EXEC_STOP
+SyslogIdentifier=$NAME
+Restart=always
+RestartSec=5s
+WorkingDirectory=$DESTDIR
+RuntimeDirectory=${NAME}
+
+[Install]
+WantedBy=docker.service
@@ -0,0 +1,4 @@
+#!/bin/sh
+source /run/$NAME-env
+
+exec /usr/local/bin/origin-node-run.sh
@@ -0,0 +1,4 @@
+d   /var/lib/origin - - - - -
+d   /var/lib/cni - - - - -
+d   /var/run/secrets - - - - -
+d   /etc/origin/sdn - - - - -