A new constructor function (like nsenter) is added in this patch. This
function gets arguments from environment variables and its behaviour doesn't
depend on a command line arguments.
A program which calls factory.StartInitialization() must import the nsenter
package. It looks ugly, but I don't know another way how to enter into CT from
a go code.
Signed-off-by: Andrey Vagin <avagin@openvz.org>
Use namespace.Exec() and namespace.Init() to execute processes in CT.
Now an init process is actually executed in a new container. This series
doesn't change code about creating containers, it only reworks code according
with new API.
Signed-off-by: Andrey Vagin <avagin@openvz.org>
We are going to import the namespaces package into libcontainer,
so libcontainer should not be imported into namespaces.
Signed-off-by: Andrey Vagin <avagin@openvz.org>
We are going to import the namespaces package into libcontainer,
so libcontainer should not be imported into namespaces.
Signed-off-by: Andrey Vagin <avagin@openvz.org>
This removes the unsued namespace types from the namespace package
and simplifies getting the values for the namespaces.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
This changes the namespace configuration on the config to include the
name of the namespace along with an optional path. This path is used to
point to a file of another namespace for the namespace so that it can be
joined in place of the empty, initialized namespace.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Adds a new item to the config struct []*Rlimit
Rlimit takes a type (ie, syscall.RLIMIT_NOFILE) and the hard/soft limit
(As max/cur)
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
There is no reason to have a special type returned from the cgroups
Apply function for getting the paths and cleanup. With access to the
paths we can just delete what we need.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
because `LoadContainerEnvironment` is already run, os.Environ() will return the
correct environment variables for the exec command (i.e. removed duplicated
envs, set HOME for user etc...)
Docker-DCO-1.1-Signed-off-by: Daniel, Dao Quang Minh <dqminh89@gmail.com> (github: dqminh)
This patch adds an os/user-like user lookup API, implemented in pure Go.
It also has some features not present in the standard library
implementation (such as group lookups).
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com> (github: cyphar)
This patch refactors most of GetUserGroupSupplementaryHome and its
signature, to make using it much simpler. The private parsing ftunctions
have also been exposed (parsePasswdFile, parseGroupFile) to allow custom
data source to be used (increasing the versatility of the user/ tools).
In addition, file path wrappers around the formerly private API
functions have been added to make usage of the API for callers easier if
the files that are being parsed are on the filesystem (while the
io.Reader APIs are exposed for non-traditional usecases).
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com> (github: cyphar)
This removes the entire syncpipe package and replaces it with standard
operations on the pipes. The syncpipe type just never felt right and
probably should not have been there.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Some workloads rely on IPC for communications with other processes. We
would like to split workloads between two container but still allow them
to communicate though shared IPC.
This patch allows us to mimic the --net code to allow --ipc=host to not split off
the IPC Namespace. ipc=container:CONTAINERID to share ipc between containers
Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)
The set of the apparmor profile for the setns codepath was missing.
Selinux was being called but apparmor was forgotten. This was causing
no profiles to be applied to the extra process spawn inside an existing
container.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Since currently the container.json file does not include the pathname
to a container's root filesystem, we need to parse /proc/mounts which
is slow and error-prone. This patch addresses this issue by adding a
new RootFs field.
Signed-off-by: Saied Kazemi <saied@google.com>
The current paths for the different systemd cgroup subsystems that
systemd manages and that we have to manage are very inconsistent. This
patch cleans up those differences and allows consistent paths to be
used.
Signed-off-by: Michael Crosby <michael@docker.com>
This also changes the functionality of the default exec in to just be an
existing func that is called than handles the implementation to exec a
user user's process inside the container. This implements this
functionallity in nsinit but is a base for how we will be handling these
types of features inside docker.
Signed-off-by: Michael Crosby <michael@docker.com>
Docker does not require RunIn API. Hence that API has been removed.
nsinit CLI has been modified to work around the nsenter changes.
Docker-DCO-1.1-Signed-off-by: Vishnu Kannan <vishnuk@google.com> (github: vishh)
namespaces.DefaultCreateCommand prepends the user-supplied command to
execute with "--", so that "nsinit init" does not attempt to interpret
it.
Docker-DCO-1.1-Signed-off-by: Bernerd Schaefer <bj.schaefer@gmail.com> (github: bernerdschaefer)
Andrey Vagin
Mrunal Patel
Michael Crosby
Brian Goff
Vishnu Kannan
Daniel, Dao Quang Minh
Aleksa Sarai
unclejack
Dan Walsh
Saied Kazemi
Michael Crosby
Mrunal Patel
Bernerd Schaefer
Tianon Gravi
Victor Marmol
maebashi