Currently if a user does a command like
docker: Error response from daemon: operation not supported.
With this fix they should see a much more informative error message.
docker run -ti -v /proc:/proc:Z fedora sh
docker: Error response from daemon: SELinux Relabeling of /proc is not allowed: operation not supported.
Signed-off-by: Dan Walsh <dwalsh@redhat.com>
This will print out the error on stderr when loading a container but
still list everything that was sucessful.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Error sent from child process is already genericError, if
we don't allow recrusive generic error, we won't get any
cause infomation from parent process.
Before, we got:
WARN[0000] exit status 1
ERRO[0000] operation not permitted
After, we got:
WARN[0000] exit status 1
ERRO[0000] container_linux.go:247: starting container process caused "process_linux.go:359: container init caused \"operation not permitted\""
it's not pretty but useful for detecting root causes.
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
This allows older state files to be loaded without the unmarshal error
of the string to int conversion.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
After #1009, we don't always set `cgroup.Paths`, so
`getCgroupPath()` will return wrong cgroup path because
it'll take current process's cgroup as the parent, which
would be wrong when we try to find the cgroup path in
`runc ps` and `runc kill`.
Fix it by using `m.GetPath()` to get the true cgroup
paths.
Reported-by: Yang Shukui <yangshukui@huawei.com>
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
runc currently fails to build against the upstream version of
runtime-spec/specs-go.
```
# github.com/opencontainers/runc
./spec.go:189: cannot use specs.Linux literal (type specs.Linux) as type *specs.Linux in field value
```
on account of 63231576ec (diff-7f24d60f0cbb9c433e165467e3d34838R25)
This commit updates the dependency to current runtime-spec master and
fixes the type mismatch.
Fixes#1035
Signed-off-by: Adam Thomason <ad@mthomason.net>
If user run current script whthout argument, the script will search
config in default dir list, but output following message:
| # script/check-config.sh
| warning: /proc/config.gz seems not a kernel config, searching other paths for kernel config ...
^^^^^^^^^^^^^^^
| info: reading kernel config from /boot/config-4.7.0_HEAD_523d939ef98fd712632d93a5a2b588e477a7565e_ ...
| ...
We can make output better by restruct the code struct:
1: Specify nothing
Show info, and search default dir
2: Specify a config file
Use it directly
3: Specify a wrong config file
Show warning, and search default dir
4: Specify a dir
Info, and search specified dir
Test:
| # script/check-config.sh
| info: no config specified, searching for kernel config ...
| info: reading kernel config from /boot/config-4.7.0_HEAD_523d939ef98fd712632d93a5a2b588e477a7565e_ ...
|
| # script/check-config.sh /linux/.config
| info: reading kernel config from /linux/.config ...
|
| # script/check-config.sh /linux/.configgg
| warning: /linux/.configgg seems not a kernel config, searching other paths for kernel config ...
| info: reading kernel config from /boot/config-4.7.0_HEAD_523d939ef98fd712632d93a5a2b588e477a7565e_ ...
|
| # script/check-config.sh /linux
| info: input is a directory, searching for kernel config in this directory...
| info: reading kernel config from /linux/.config ...
|
Signed-off-by: Zhao Lei <zhaolei@cn.fujitsu.com>
So we can make all types of release binary with combination
of following flags:
seccomp
selinux
apparmor
static
All binary files are put in release/ dir, like:
[root@zlosvm1 runc]# ls -l release
total 53556
-rwxr-xr-x 1 root root 9517965 Aug 24 16:59 runc
-rwxr-xr-x 1 root root 9673533 Aug 24 17:00 runc.seccomp
-rwxr-xr-x 1 root root 9705839 Aug 24 17:00 runc.seccomp.selinux
-rwxr-xr-x 1 root root 9546175 Aug 24 16:59 runc.selinux
-rwxr-xr-x 1 root root 8205015 Aug 24 16:59 runc.selinux.static
-rwxr-xr-x 1 root root 8181789 Aug 24 16:59 runc.static
...
Closes#899
Signed-off-by: Zhao Lei <zhaolei@cn.fujitsu.com>
If runc binary is compiled from codes with modified but not commited
files, git commits should report "COMMIT-dirty" instead of single
"COMMIT" to warn users.
Signed-off-by: Zhang Wei <zhangwei555@huawei.com>
Alternative of #895 , part of #892
The intension of current behavior if to create cgroup in
parent cgroup of current process, but we did this in a
wrong way, we used devices cgroup path of current process
as the default parent path for all subsystems, this is
wrong because we don't always have the same cgroup path
for all subsystems.
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
Mrunal Patel
Michael Crosby
Mrunal Patel
Dan Walsh
Qiang Huang
Wang Long
rajasec
Shukui Yang
Adam Thomason
Aleksa Sarai
Yuanhong Peng
Daniel, Dao Quang Minh
Zhang Wei
Zhao Lei
Jiuyue Ma
Jonathan Boulle