Commit Graph

102 Commits

Author SHA1 Message Date
Akihiro Suda 53179559a1 MaskPaths: support directory
For example, the /sys/firmware directory should be masked because it can contain some sensitive files:
  - /sys/firmware/acpi/tables/{SLIC,MSDM}: Windows license information
  - /sys/firmware/ibft/target0/chap-secret: iSCSI CHAP secret

Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2016-09-23 16:14:41 +00:00
Adam Thomason fcbde0ce9f Update runtime-spec to current upstream
runc currently fails to build against the upstream version of
runtime-spec/specs-go.

```
# github.com/opencontainers/runc
./spec.go:189: cannot use specs.Linux literal (type specs.Linux) as type *specs.Linux in field value
```

on account of 63231576ec (diff-7f24d60f0cbb9c433e165467e3d34838R25)

This commit updates the dependency to current runtime-spec master and
fixes the type mismatch.

Fixes #1035

Signed-off-by: Adam Thomason <ad@mthomason.net>
2016-09-11 15:17:14 -07:00
Davanum Srinivas 27915db384 Adding /proc/timer_list to the masked paths list
/proc/timer_list seems to leak information about the host. Here is
an example from a busybox container running on docker+kubernetes.

```
# cat /proc/timer_list | grep -i -e kube
<ffff8800b8cc3db0>, hrtimer_wakeup, S:01, futex_wait_queue_me, kubelet/2497
<ffff880129ac3db0>, hrtimer_wakeup, S:01, futex_wait_queue_me, kube-proxy/3478
<ffff8800b1b77db0>, hrtimer_wakeup, S:01, futex_wait_queue_me, kube-proxy/3470
<ffff8800bb6abdb0>, hrtimer_wakeup, S:01, futex_wait_queue_me, kubelet/2499
```

Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2016-08-11 19:02:02 -04:00
Mrunal Patel a753b06645 Replace github.com/codegangsta/cli by github.com/urfave/cli
The package got moved to a different repository

Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-06-06 11:47:20 -07:00
rajasec 0307c88ee9 Updating README for starting the container
Signed-off-by: rajasec <rajasec79@gmail.com>

Updating README for starting the container

Signed-off-by: rajasec <rajasec79@gmail.com>

Updating README files for container start

Signed-off-by: rajasec <rajasec79@gmail.com>

updating README files for container start

Signed-off-by: rajasec <rajasec79@gmail.com>
2016-06-05 14:41:58 +05:30
Mrunal Patel 60eb77dd3c Merge pull request #810 from hqhq/hq_update_cli
Update cli package
2016-05-20 20:46:59 -07:00
Zhao Lei 198e2771ac Fix outdated comment for loadSpec
loadSpec() does not support a blank path now; remove the related comments.

Signed-off-by: Zhao Lei <zhaolei@cn.fujitsu.com>
2016-05-20 19:05:00 +08:00
Zhao Lei a0096535a6 Fix some spelling typo in manual and source
infomation -> information
transfered -> transferred

Signed-off-by: Zhao Lei <zhaolei@cn.fujitsu.com>
2016-05-20 15:04:40 +08:00
Qiang Huang 8477638aab Update cli package
The old one has a bug when showing the help message for IntFlags.

Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2016-05-10 13:58:09 +08:00
Qiang Huang 8b0d5831b8 Add information about ocitools in runc spec
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2016-04-21 12:57:26 +08:00
Michael Crosby f417e993d0 Update spec to v0.5.0
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2016-04-12 14:11:40 -07:00
Michael Crosby df25eddce6 Add spec support for masked and readonly paths
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2016-04-01 13:04:47 -07:00
Ido Yariv 28b21a5988 Export CreateLibcontainerConfig
Users of libcontainer other than runc may also require parsing and
converting specification configuration files.

Since runc cannot be imported, move the relevant functions and
definitions to a separate package, libcontainer/specconv.

Signed-off-by: Ido Yariv <ido@wizery.com>
2016-03-25 12:19:18 -04:00
Anusha Ragunathan 89abd91694 Don't cleanPath for systemd cgroup paths.
systemd expects cgroupsPath to be of the form "slice:prefix:name".
So don't call cleanPath on it anymore.

Signed-off-by: Anusha Ragunathan <anusha@docker.com>
2016-03-24 10:52:41 -07:00
Michael Crosby 24950964ec Merge pull request #667 from mrunalp/systemd_cgroups
Add support for enabling systemd cgroups
2016-03-23 16:14:03 -07:00
Mrunal Patel 7e91a96605 Add support for systemd cgroups in runc
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-03-22 17:08:07 -07:00
rajasec 945ef1d51f fixing typo in device access error
Signed-off-by: rajasec <rajasec79@gmail.com>

fixing typo in device access error

Signed-off-by: rajasec <rajasec79@gmail.com>

Fixed review comments

Signed-off-by: rajasec <rajasec79@gmail.com>
2016-03-21 22:45:53 +05:30
Mrunal Patel 4856ed1d53 Merge pull request #665 from cyphar/cgroup-kmem-tcp-limit
libcontainer: cgroups: add support for kmem.tcp limits
2016-03-21 14:51:10 -07:00
Aleksa Sarai 1448fe9568 libcontainer: cgroups: add support for kmem.tcp limits
Kernel TCP memory has its own special knobs inside the cgroup.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2016-03-20 22:03:52 +11:00
Mike Brown fdf9ef46b2 adds detail to runc start and spec help text
Signed-off-by: Mike Brown <brownwm@us.ibm.com>
2016-03-18 13:54:06 -05:00
Rajasekaran d1faa82a0a Adding spec validation for exec and start
Signed-off-by: Rajasekaran <rajasec79@gmail.com>

Fixed review comments

Signed-off-by: rajasec <rajasec79@gmail.com>

Rebased with latest spec version

Signed-off-by: rajasec <rajasec79@gmail.com>
2016-03-13 21:58:00 +05:30
Michael Crosby 20422c9bd9 Update libcontainer to support rlimit per process
This updates runc and libcontainer to handle rlimits per process and set
them correctly for the container.

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2016-03-10 14:35:16 -08:00
Michael Crosby 47eaa08f5a Update runc usage for new specs changes
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2016-03-10 14:18:39 -08:00
Michael Crosby 044e298507 Improve error handling in runc
The error handling on the runc cli is currently pretty messy because
messages to the user are split between regular stderr format and logrus
message format.  This changes all the error reporting to the cli to only
output on stderr and exit(1) for consumers of the api.

By default logrus logs to /dev/null so that it is not seen by the user.
If the user wants extra and/or structured logging/errors from runc they
can use the `--log` flag to provide a path to the file where they want
this information.  This allows a consistent behavior on the cli but
extra power and information when debugging with logs.

This also includes a change to enable the same logging information
inside the container's init by adding an init cli command that can share
the existing flags for all other runc commands.

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2016-03-09 11:08:30 -08:00
Rajasekaran 335f63a282 Handling error condition in loadspec
Signed-off-by: Rajasekaran <rajasec79@gmail.com>
2016-03-06 09:22:26 +05:30
Michael Crosby 3cc90bd2d8 Add support for process overrides of settings
This commit adds support to libcontainer to allow caps, no new privs,
apparmor, and selinux process label on the process struct so that they can
be used together to override the base settings of the container config
per individual process.

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2016-03-03 11:41:33 -08:00
Michael Crosby aa9660027b Update spec version
This bump of the spec includes a change to the device type to be a
string so that it is more readable in the json serialization.

It also includes the change where caps, no new privs, and process
labeling features are moved from the container config onto the process.

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2016-03-03 10:26:38 -08:00
Qiang Huang bbd97cc98e Set sysfs readonly in config
This is what we hard-coded in runC; now we do it in config, and
also removed the legacy function.

Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2016-03-01 10:23:08 +08:00
Qiang Huang 146643f1f9 Merge pull request #595 from crosbymichael/masking
Update masked and ro paths
2016-03-01 11:14:20 +08:00
Mrunal Patel b1872a068e Merge pull request #454 from mlaventure/libcontainer-pidns
Move setns within nsexec
2016-02-29 15:34:19 -08:00
Mrunal Patel 8f7d5fe376 Merge pull request #590 from tonistiigi/fix-oomscoreadj
Fix setting OomScoreAdj from OCI spec
2016-02-28 21:52:21 -08:00
Daniel, Dao Quang Minh 4217b9c121 Do not override the specified userns path
Signed-off-by: Daniel, Dao Quang Minh <dqminh89@gmail.com>
2016-02-28 11:59:48 -08:00
Michael Crosby a12336eb3e Update masked and ro paths
This updates the current list to what we have now in docker and also
makes these always added so that these are masked out.  Privileged
containers can always unmount these if they want to read from kcore or
something like that.

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2016-02-26 15:54:53 -08:00
Tonis Tiigi 30534f979b Fix setting OomScoreAdj from OCI spec
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2016-02-25 12:01:18 -08:00
Michael Crosby ac43d4a0ab Save bundle path in labels
This saves and returns the bundle path for the container in the
container's config and state.  It also returns the information via runc
list.

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2016-02-24 11:11:10 -08:00
Phil Estes 0b5581fd28 Handle memory swappiness as a pointer to handle default/unset case
This prior fix to set "-1" explicitly was lost, and it is simpler to use
the same pointer type from the OCI spec to handle nil pointer == -1 ==
unset case.

Also, as a nearly humorous aside, there was a test for MemorySwappiness
that was actually setting Memory, and it was passing because of this
bug (as it was always setting everyone's MemorySwappiness to zero!)

Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
2016-02-24 09:02:06 -06:00
Alexander Morozov 382880b250 Merge pull request #569 from mlaventure/fix-cgroupspath-as-cgroupsparent
Fix CgroupsPath interpretation
2016-02-17 12:54:51 -08:00
Kenfe-Mickael Laventure 3ceff76f64 Fix CgroupsPath interpretation
When the CgroupsPath code was introduced with #497 it was mistakenly made
to act as the equivalent of docker CgroupsParent. This ensures that it
is taken as the final cgroup path.

A couple of unit tests have been added to prevent future regression.

Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
2016-02-17 08:33:46 -08:00
Mrunal Patel 90472aeb9e Merge pull request #546 from mikebrow/usage-updates
updating usage for runc, and all runc commands that now use <container id> as the first argument
2016-02-17 21:13:22 +05:30
Mike Brown f4e37ab63e updating usage for runc and runc commands
Signed-off-by: Mike Brown <brownwm@us.ibm.com>
2016-02-17 09:00:39 -06:00
Mrunal Patel af400b90c3 Hook up the support to the OCI specification config
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-02-16 06:57:51 -08:00
Kenfe-Mickael Laventure 256f3a8ebc Add support for CgroupsPath field
Fixes #396

Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
2016-02-10 11:26:51 -08:00
Michael Crosby 3baae2d525 Update runc for devices changes
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2016-02-08 13:15:12 -08:00
Mike Brown c2c0458598 merges latest spec with runc
Signed-off-by: Mike Brown <brownwm@us.ibm.com>
2016-02-05 12:47:09 -08:00
Michael Crosby 1a4a49bf42 Remove version check in runc
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2016-01-28 10:51:25 -08:00
Mrunal Patel 9cd641486a Update github.com/opencontainers/specs to a7b50925d8
This leaves out the internal conversions as we may need to consider
docker backward compatibility for those changes.

Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-01-25 19:19:15 -05:00
Mrunal Patel c323574797 Check that cwd is absolute
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-01-15 19:06:27 -05:00
Mrunal Patel 269a717555 Make cwd required
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-01-14 19:06:56 -05:00
Aleksa Sarai db3159c9d9 libcontainer: cgroups: add pids controller support
Add support for the pids cgroup controller to libcontainer, a recent
feature that is available in Linux 4.3+.

Unfortunately, due to the init process being written in Go, it can spawn
an unknown number of threads due to blocked syscalls. This results in
the init process being unable to run properly, and thus small pids.max
configs won't work properly.

Signed-off-by: Aleksa Sarai <asarai@suse.com>
2016-01-12 10:06:32 +11:00
Mrunal Patel 4124ba9468 Revert "cgroups: add pids controller support"
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2015-12-19 07:48:48 -08:00