2015-06-22 10:31:12 +08:00
|
|
|
package main
|
|
|
|
|
|
|
|
import (
|
2015-11-18 06:14:02 +08:00
|
|
|
"fmt"
|
2016-09-30 05:43:50 +08:00
|
|
|
"io"
|
2015-06-22 10:31:12 +08:00
|
|
|
"os"
|
2016-03-12 05:49:45 +08:00
|
|
|
"strings"
|
2015-06-22 10:31:12 +08:00
|
|
|
|
2019-04-19 22:36:52 +08:00
|
|
|
"github.com/opencontainers/runc/libcontainer/logs"
|
|
|
|
|
2016-04-13 04:35:51 +08:00
|
|
|
"github.com/opencontainers/runtime-spec/specs-go"
|
2017-07-19 22:28:59 +08:00
|
|
|
|
|
|
|
"github.com/sirupsen/logrus"
|
2016-06-07 02:45:46 +08:00
|
|
|
"github.com/urfave/cli"
|
2015-06-22 10:31:12 +08:00
|
|
|
)
|
|
|
|
|
2016-05-30 10:24:22 +08:00
|
|
|
// version will be populated by the Makefile, read from
|
|
|
|
// VERSION file of the source code.
|
|
|
|
var version = ""
|
|
|
|
|
2016-03-12 05:49:45 +08:00
|
|
|
// gitCommit will be the hash that the binary was built from
|
|
|
|
// and will be populated by the Makefile
|
|
|
|
var gitCommit = ""
|
|
|
|
|
2015-06-22 10:31:12 +08:00
|
|
|
const (
|
2016-02-06 02:46:12 +08:00
|
|
|
specConfig = "config.json"
|
|
|
|
usage = `Open Container Initiative runtime
|
2016-04-28 22:30:50 +08:00
|
|
|
|
2015-08-08 21:32:30 +08:00
|
|
|
runc is a command line client for running applications packaged according to
|
2016-05-04 07:02:39 +08:00
|
|
|
the Open Container Initiative (OCI) format and is a compliant implementation of the
|
2015-08-08 21:32:30 +08:00
|
|
|
Open Container Initiative specification.
|
2015-06-22 10:31:12 +08:00
|
|
|
|
2015-08-08 21:32:30 +08:00
|
|
|
runc integrates well with existing process supervisors to provide a production
|
|
|
|
container runtime environment for applications. It can be used with your
|
|
|
|
existing process monitoring tools and the container will be spawned as a
|
|
|
|
direct child of the process supervisor.
|
2015-06-22 10:31:12 +08:00
|
|
|
|
2016-02-11 01:30:06 +08:00
|
|
|
Containers are configured using bundles. A bundle for a container is a directory
|
|
|
|
that includes a specification file named "` + specConfig + `" and a root filesystem.
|
2016-04-28 22:30:50 +08:00
|
|
|
The root filesystem contains the contents of the container.
|
2016-02-11 01:30:06 +08:00
|
|
|
|
|
|
|
To start a new instance of a container:
|
2015-06-22 10:31:12 +08:00
|
|
|
|
2016-06-03 13:53:59 +08:00
|
|
|
# runc run [ -b bundle ] <container-id>
|
2015-08-18 09:30:17 +08:00
|
|
|
|
2016-02-11 01:30:06 +08:00
|
|
|
Where "<container-id>" is your name for the instance of the container that you
|
|
|
|
are starting. The name you provide for the container instance must be unique on
|
|
|
|
your host. Providing the bundle directory using "-b" is optional. The default
|
|
|
|
value for "bundle" is the current directory.`
|
2015-06-22 10:31:12 +08:00
|
|
|
)
|
|
|
|
|
|
|
|
func main() {
|
|
|
|
app := cli.NewApp()
|
|
|
|
app.Name = "runc"
|
|
|
|
app.Usage = usage
|
2016-05-30 10:24:22 +08:00
|
|
|
|
|
|
|
var v []string
|
|
|
|
if version != "" {
|
|
|
|
v = append(v, version)
|
2016-03-12 05:49:45 +08:00
|
|
|
}
|
|
|
|
if gitCommit != "" {
|
|
|
|
v = append(v, fmt.Sprintf("commit: %s", gitCommit))
|
|
|
|
}
|
|
|
|
v = append(v, fmt.Sprintf("spec: %s", specs.Version))
|
|
|
|
app.Version = strings.Join(v, "\n")
|
2017-07-20 23:44:06 +08:00
|
|
|
|
|
|
|
root := "/run/runc"
|
Disable rootless mode except RootlessCgMgr when executed as the root in userns
This PR decomposes `libcontainer/configs.Config.Rootless bool` into `RootlessEUID bool` and
`RootlessCgroups bool`, so as to make "runc-in-userns" to be more compatible with "rootful" runc.
`RootlessEUID` denotes that runc is being executed as a non-root user (euid != 0) in
the current user namespace. `RootlessEUID` is almost identical to the former `Rootless`
except cgroups stuff.
`RootlessCgroups` denotes that runc is unlikely to have the full access to cgroups.
`RootlessCgroups` is set to false if runc is executed as the root (euid == 0) in the initial namespace.
Otherwise `RootlessCgroups` is set to true.
(Hint: if `RootlessEUID` is true, `RootlessCgroups` becomes true as well)
When runc is executed as the root (euid == 0) in an user namespace (e.g. by Docker-in-LXD, Podman, Usernetes),
`RootlessEUID` is set to false but `RootlessCgroups` is set to true.
So, "runc-in-userns" behaves almost same as "rootful" runc except that cgroups errors are ignored.
This PR does not have any impact on CLI flags and `state.json`.
Note about CLI:
* Now `runc --rootless=(auto|true|false)` CLI flag is only used for setting `RootlessCgroups`.
* Now `runc spec --rootless` is only required when `RootlessEUID` is set to true.
For runc-in-userns, `runc spec` without `--rootless` should work, when sufficient numbers of
UID/GID are mapped.
Note about `$XDG_RUNTIME_DIR` (e.g. `/run/user/1000`):
* `$XDG_RUNTIME_DIR` is ignored if runc is being executed as the root (euid == 0) in the initial namespace, for backward compatibility.
(`/run/runc` is used)
* If runc is executed as the root (euid == 0) in an user namespace, `$XDG_RUNTIME_DIR` is honored if `$USER != "" && $USER != "root"`.
This allows unprivileged users to allow execute runc as the root in userns, without mounting writable `/run/runc`.
Note about `state.json`:
* `rootless` is set to true when `RootlessEUID == true && RootlessCgroups == true`.
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2018-07-05 14:28:21 +08:00
|
|
|
if shouldHonorXDGRuntimeDir() {
|
|
|
|
if runtimeDir := os.Getenv("XDG_RUNTIME_DIR"); runtimeDir != "" {
|
2017-07-20 23:44:06 +08:00
|
|
|
root = runtimeDir + "/runc"
|
2018-03-19 07:59:57 +08:00
|
|
|
// According to the XDG specification, we need to set anything in
|
|
|
|
// XDG_RUNTIME_DIR to have a sticky bit if we don't want it to get
|
|
|
|
// auto-pruned.
|
|
|
|
if err := os.MkdirAll(root, 0700); err != nil {
|
|
|
|
fatal(err)
|
|
|
|
}
|
|
|
|
if err := os.Chmod(root, 0700|os.ModeSticky); err != nil {
|
|
|
|
fatal(err)
|
|
|
|
}
|
2017-07-20 23:44:06 +08:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2015-06-22 10:31:12 +08:00
|
|
|
app.Flags = []cli.Flag{
|
|
|
|
cli.BoolFlag{
|
|
|
|
Name: "debug",
|
|
|
|
Usage: "enable debug output for logging",
|
|
|
|
},
|
2015-08-05 03:36:53 +08:00
|
|
|
cli.StringFlag{
|
|
|
|
Name: "log",
|
2019-04-23 22:02:31 +08:00
|
|
|
Value: "/dev/stderr",
|
2015-08-05 03:36:53 +08:00
|
|
|
Usage: "set the log file path where internal debug information is written",
|
|
|
|
},
|
2015-10-14 07:03:21 +08:00
|
|
|
cli.StringFlag{
|
|
|
|
Name: "log-format",
|
|
|
|
Value: "text",
|
|
|
|
Usage: "set the format used by logs ('text' (default), or 'json')",
|
|
|
|
},
|
2015-06-22 10:31:12 +08:00
|
|
|
cli.StringFlag{
|
|
|
|
Name: "root",
|
2017-07-20 23:44:06 +08:00
|
|
|
Value: root,
|
2015-06-22 10:31:12 +08:00
|
|
|
Usage: "root directory for storage of container state (this should be located in tmpfs)",
|
|
|
|
},
|
|
|
|
cli.StringFlag{
|
|
|
|
Name: "criu",
|
|
|
|
Value: "criu",
|
|
|
|
Usage: "path to the criu binary used for checkpoint and restore",
|
|
|
|
},
|
2016-03-22 03:53:15 +08:00
|
|
|
cli.BoolFlag{
|
|
|
|
Name: "systemd-cgroup",
|
|
|
|
Usage: "enable systemd cgroup support, expects cgroupsPath to be of form \"slice:prefix:name\" for e.g. \"system.slice:runc:434234\"",
|
|
|
|
},
|
2018-01-13 15:39:28 +08:00
|
|
|
cli.StringFlag{
|
|
|
|
Name: "rootless",
|
|
|
|
Value: "auto",
|
Disable rootless mode except RootlessCgMgr when executed as the root in userns
This PR decomposes `libcontainer/configs.Config.Rootless bool` into `RootlessEUID bool` and
`RootlessCgroups bool`, so as to make "runc-in-userns" to be more compatible with "rootful" runc.
`RootlessEUID` denotes that runc is being executed as a non-root user (euid != 0) in
the current user namespace. `RootlessEUID` is almost identical to the former `Rootless`
except cgroups stuff.
`RootlessCgroups` denotes that runc is unlikely to have the full access to cgroups.
`RootlessCgroups` is set to false if runc is executed as the root (euid == 0) in the initial namespace.
Otherwise `RootlessCgroups` is set to true.
(Hint: if `RootlessEUID` is true, `RootlessCgroups` becomes true as well)
When runc is executed as the root (euid == 0) in an user namespace (e.g. by Docker-in-LXD, Podman, Usernetes),
`RootlessEUID` is set to false but `RootlessCgroups` is set to true.
So, "runc-in-userns" behaves almost same as "rootful" runc except that cgroups errors are ignored.
This PR does not have any impact on CLI flags and `state.json`.
Note about CLI:
* Now `runc --rootless=(auto|true|false)` CLI flag is only used for setting `RootlessCgroups`.
* Now `runc spec --rootless` is only required when `RootlessEUID` is set to true.
For runc-in-userns, `runc spec` without `--rootless` should work, when sufficient numbers of
UID/GID are mapped.
Note about `$XDG_RUNTIME_DIR` (e.g. `/run/user/1000`):
* `$XDG_RUNTIME_DIR` is ignored if runc is being executed as the root (euid == 0) in the initial namespace, for backward compatibility.
(`/run/runc` is used)
* If runc is executed as the root (euid == 0) in an user namespace, `$XDG_RUNTIME_DIR` is honored if `$USER != "" && $USER != "root"`.
This allows unprivileged users to allow execute runc as the root in userns, without mounting writable `/run/runc`.
Note about `state.json`:
* `rootless` is set to true when `RootlessEUID == true && RootlessCgroups == true`.
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2018-07-05 14:28:21 +08:00
|
|
|
Usage: "ignore cgroup permission errors ('true', 'false', or 'auto')",
|
2018-01-13 15:39:28 +08:00
|
|
|
},
|
2015-06-22 10:31:12 +08:00
|
|
|
}
|
|
|
|
app.Commands = []cli.Command{
|
|
|
|
checkpointCommand,
|
2016-05-14 07:54:16 +08:00
|
|
|
createCommand,
|
2016-01-12 08:57:18 +08:00
|
|
|
deleteCommand,
|
2015-06-22 10:31:12 +08:00
|
|
|
eventsCommand,
|
2016-01-12 08:57:18 +08:00
|
|
|
execCommand,
|
2016-03-09 10:05:50 +08:00
|
|
|
initCommand,
|
2015-08-03 18:42:20 +08:00
|
|
|
killCommand,
|
2016-01-12 08:57:18 +08:00
|
|
|
listCommand,
|
2015-08-15 05:19:10 +08:00
|
|
|
pauseCommand,
|
2016-04-22 08:06:35 +08:00
|
|
|
psCommand,
|
2016-01-12 08:57:18 +08:00
|
|
|
restoreCommand,
|
2015-08-15 05:19:10 +08:00
|
|
|
resumeCommand,
|
2016-05-14 06:49:45 +08:00
|
|
|
runCommand,
|
2016-01-12 08:57:18 +08:00
|
|
|
specCommand,
|
|
|
|
startCommand,
|
2016-03-02 00:59:34 +08:00
|
|
|
stateCommand,
|
2016-04-28 22:30:50 +08:00
|
|
|
updateCommand,
|
2015-06-22 10:31:12 +08:00
|
|
|
}
|
|
|
|
app.Before = func(context *cli.Context) error {
|
2019-04-19 22:36:52 +08:00
|
|
|
return logs.ConfigureLogging(createLogConfig(context))
|
2015-06-22 10:31:12 +08:00
|
|
|
}
|
2019-04-04 19:57:28 +08:00
|
|
|
|
2016-09-30 05:43:50 +08:00
|
|
|
// If the command returns an error, cli takes upon itself to print
|
|
|
|
// the error on cli.ErrWriter and exit.
|
|
|
|
// Use our own writer here to ensure the log gets sent to the right location.
|
|
|
|
cli.ErrWriter = &FatalWriter{cli.ErrWriter}
|
2015-06-22 10:31:12 +08:00
|
|
|
if err := app.Run(os.Args); err != nil {
|
2016-03-09 10:05:50 +08:00
|
|
|
fatal(err)
|
2015-06-22 10:31:12 +08:00
|
|
|
}
|
|
|
|
}
|
2016-09-30 05:43:50 +08:00
|
|
|
|
|
|
|
type FatalWriter struct {
|
|
|
|
cliErrWriter io.Writer
|
|
|
|
}
|
|
|
|
|
|
|
|
func (f *FatalWriter) Write(p []byte) (n int, err error) {
|
|
|
|
logrus.Error(string(p))
|
|
|
|
return f.cliErrWriter.Write(p)
|
|
|
|
}
|
2019-04-04 19:57:28 +08:00
|
|
|
|
2019-04-19 22:36:52 +08:00
|
|
|
func createLogConfig(context *cli.Context) logs.Config {
|
|
|
|
config := logs.Config{
|
|
|
|
LogLevel: logrus.InfoLevel,
|
2019-04-04 19:57:28 +08:00
|
|
|
LogFilePath: context.GlobalString("log"),
|
|
|
|
LogFormat: context.GlobalString("log-format"),
|
|
|
|
}
|
2019-04-19 22:36:52 +08:00
|
|
|
if context.GlobalBool("debug") {
|
|
|
|
config.LogLevel = logrus.DebugLevel
|
2019-04-04 19:57:28 +08:00
|
|
|
}
|
|
|
|
|
2019-04-19 22:36:52 +08:00
|
|
|
return config
|
2019-04-04 19:57:28 +08:00
|
|
|
}
|