Commit Graph

3483 Commits

Author SHA1 Message Date
Vincent Demeester 03ca562be1
Remove github.com/docker/docker from vendor
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
2017-11-08 16:27:06 +01:00
Vincent Demeester 3ca4c78b1a
Import docker/docker/pkg/mount into runc
This will help get rid of docker/docker dependency in runc 👼

Signed-off-by: Vincent Demeester <vincent@sbr.pm>
2017-11-08 16:25:58 +01:00
Michael Crosby ababa2d2ce
Merge pull request #1645 from vdemeester/build-1.9
Add build 1.9 to travis
2017-11-08 10:07:43 -05:00
Michael Crosby 2f010ecf19
Merge pull request #1622 from vdemeester/import-symlink-from-docker
Remove pkg/symlink from docker/docker and use cyphar/filepath-securejoin
2017-11-08 10:07:00 -05:00
Vincent Demeester ab0a6dd295
Add build 1.9 to travis
`tip` should point to 1.10 already? (or soon-ish)

Signed-off-by: Vincent Demeester <vincent@sbr.pm>
2017-11-08 15:42:59 +01:00
Daniel, Dao Quang Minh c4f49e2499
Merge pull request #1640 from jongwu/jongwu-armEnable-patch
enable unit test on arm64 platform
2017-11-06 17:14:52 +00:00
Michael Crosby cc0cd1ae64
Merge pull request #1641 from AkihiroSuda/proc-scsi
specconv.Example(): add /proc/scsi to masked paths
2017-11-06 09:41:10 -05:00
Akihiro Suda 0aac2368e4
specconv.Example(): add /proc/scsi to masked paths
Port over https://github.com/moby/moby/pull/35399

Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2017-11-04 17:38:14 +00:00
Jianyong Wu dc609cc5d1
enable unit test on arm64 platform
Currently, unit tests can't be run on the arm64 platform
due to a multi-arch issue.

Fix points:
golang:1.8.0 doesn't support arm64.
We use golang:1.8 to replace it.

Signed-off-by: Jianyong Wu <jianyong.wu@arm.com>
2017-11-03 16:45:52 +08:00
Michael Crosby 0232e38342
Merge pull request #1629 from masters-of-cats/busybox-inflation
Avoid disk usage explosion when copying busybox
2017-11-01 09:15:22 -04:00
Danail Branekov fdbb9e3e55
Avoid disk usage explosion when copying busybox
When running runc tests with a temp directory of size 500M, copying
busybox without preserving hardlinks causes the folder to inflate to
roughly 330M. Copying busybox twice in certain tests causes the /tmp
directory to overfill. Using `-a` preserves links, which busybox uses to
implement its choice of binary to run.

Signed-off-by: Tom Godkin <tgodkin@pivotal.io>
2017-11-01 09:52:05 +00:00
Vincent Demeester 594501475e
Use cyphar/filepath-securejoin instead of docker pkg/symlink
runc shouldn't depend on docker and should be more self-contained.
Removing the github.com/pkg/symlink dep is the first step towards not depending on docker anymore.

Signed-off-by: Vincent Demeester <vincent@sbr.pm>
2017-10-31 16:53:45 +01:00
Michael Crosby 8211e8a266
Merge pull request #1626 from fntlnz/specconv-test-hooks-seccomp
Specconv: Test create command hooks and seccomp setup
2017-10-31 09:26:04 -04:00
Michael Crosby 6464a1c27e
Merge pull request #1621 from monstermunchkin/fix-tests
tests: add missing cgroups_kmem requirement
2017-10-30 10:13:07 -04:00
Lorenzo Fontana 780f8ef567
Specconv: Test create command hooks and seccomp setup
Signed-off-by: Lorenzo Fontana <lo@linux.com>
2017-10-28 21:46:46 +02:00
Thomas Hipp 1cda65c39b
tests: add missing cgroups_kmem requirement
Since the defined config.json contains kmem settings, the test will try
writing to memory.kmem.* and fail. Therefore, it needs to require
cgroups_kmem.

Signed-off-by: Thomas Hipp <thipp@suse.de>
2017-10-26 19:48:52 +02:00
Mrunal Patel 9a1186d128
Merge pull request #1619 from fntlnz/spec-linux-testing
WIP: Better testsuite for specconv
2017-10-25 15:23:19 -07:00
Qiang Huang c9b649ddcc
Merge pull request #1357 from cyphar/noterminal-io-tests
tests: add various !terminal tests
2017-10-25 09:54:35 +08:00
Lorenzo Fontana c0e6e12f9d
Test Cgroup creation and memory allocations
Signed-off-by: Lorenzo Fontana <lo@linux.com>
2017-10-25 01:58:10 +02:00
Aleksa Sarai ffe5cdc4f1
tests: add various !terminal tests
Previously we weren't testing that detached io works properly -- which
will be quite important in the case for rootless containers.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2017-10-25 00:12:21 +11:00
Aleksa Sarai ff5075c33f
init: correctly handle unmapped stdio with multiple mappings
Previously we would handle the "unmapped stdio" case by just doing a
simple check, however this didn't handle cases where the overflow_uid
was actually mapped in the user namespace. Instead of doing some
userspace checks, just try to do the fchown(2) and ignore EINVAL
(unmapped) or EPERM (lacking privilege over inode) errors.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2017-10-25 00:12:21 +11:00
Qiang Huang 74a1729647
Merge pull request #1607 from crosbymichael/term-err
libcontainer: handle errors from terminate
2017-10-20 15:15:38 +08:00
Qiang Huang e8b9b92f57
Merge pull request #1206 from YuPengZTE/devMD026
trailing punctuation in header
2017-10-20 14:47:09 +08:00
Mrunal Patel 80ee9e50b5
Merge pull request #1616 from mheon/seccomp_fix_breakage
Fix breaking change in Seccomp profile behavior
2017-10-19 14:15:04 -07:00
Aleksa Sarai c05f6368af
merge branch 'pr-1615'
libcontainer: intelrdt: fix a GetStats() issue

LGTMs: @crosbymichael @cyphar
Closes #1615
2017-10-19 03:41:16 +11:00
Matthew Heon e9193ba6e6
Fix breaking change in Seccomp profile behavior
Multiple conditions were previously allowed to be placed upon the
same syscall argument. Restore this behavior.

Signed-off-by: Matthew Heon <mheon@redhat.com>
2017-10-18 11:53:56 -04:00
Qiang Huang 3409d5c555
Merge pull request #1606 from cyphar/rootfs-propagation-no-pivot
specconv: emit an error when using MS_PRIVATE with --no-pivot
2017-10-18 09:52:04 +08:00
Michael Crosby 4edd9fb215
Merge pull request #1614 from tklauser/device-numbers
libcontainer: use Major/Minor from x/sys/unix
2017-10-17 10:45:22 -04:00
Xiaochen Shen d89217515b
libcontainer: intelrdt: fix a GetStats() issue
This fixes a GetStats() issue introduced in #1590:
If Intel RDT is enabled by hardware and kernel, but intelRdt is not
specified in the original config, GetStats() will return an error unexpectedly
because we haven't called Apply() to create the intelrdt group or attach
tasks for this container. As a result, the runc events command will have no
output.

Signed-off-by: Xiaochen Shen <xiaochen.shen@intel.com>
2017-10-17 17:37:07 +08:00
Tobias Klauser 0eed453b21
libcontainer: use Major/Minor from x/sys/unix
The Major and Minor functions were added for Linux in golang/sys@85d1495
which is already vendored in. Use these functions instead of the local
re-implementation.

Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
2017-10-17 09:06:42 +02:00
Mrunal Patel d5fc10a011
Merge pull request #1608 from crosbymichael/gids
add additional-gids to runc exec
2017-10-16 09:18:52 -07:00
Aleksa Sarai 9b13f5cc7f
merge branch 'pr-1453'
propagate argv0 when re-execing from /proc/self/exe

LGTMs: @crosbymichael @cyphar
Closes #1453
2017-10-17 03:12:22 +11:00
Michael Crosby ff4481dbf6
Merge pull request #1540 from cloudfoundry-incubator/rootless-cgroups
Support cgroups with limits as rootless
2017-10-16 12:03:49 -04:00
Aleksa Sarai 0eafdc3382
merge branch 'pr-1613'
libcontainer: merge common syscall implementations

LGTMs: @crosbymichael @cyphar
Closes #1613
2017-10-17 03:03:04 +11:00
Petros Angelatos 8098828680
propagate argv0 when re-execing from /proc/self/exe
This allows runc to be used as a target for docker's reexec module that
depends on a correct argv0 to select which process entrypoint to invoke.
Without this patch, when runc re-execs argv0 is set to "/proc/self/exe"
and the reexec module doesn't know what to do with it.

Signed-off-by: Petros Angelatos <petrosagg@gmail.com>
2017-10-16 14:00:26 +02:00
Aleksa Sarai 23f4d3161b
tests: improve rootless_cg testing
This ensures that we don't hard-code the set of cgroups on the host, as
well as making the permissions granted by rootless.sh much more
restrictive (to improve the scope of testing).

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2017-10-16 20:46:17 +11:00
Tobias Klauser d2bc081420
libcontainer: merge common syscall implementations
There are essentially two possible implementations for Setuid/Setgid on
Linux, either using SYS_SETUID32/SYS_SETGID32 or SYS_SETUID/SYS_SETGID,
depending on the architecture (see golang/go#1435 for why Setuid/Setgid
aren't currently implemented for Linux in either syscall or
golang.org/x/sys/unix).

Reduce duplication by merging the currently implemented variants and
adjusting the build tags accordingly.

Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
2017-10-16 11:11:18 +02:00
Aleksa Sarai 6d30f7a01b
merge branch 'pr-1424'
Update Travis config to use trusty-backports libseccomp
  Add integration tests for multi-argument Seccomp filters
  Vendor updated libseccomp-golang for bugfix

LGTMs: @crosbymichael @cyphar
Closes #1424
2017-10-16 03:01:37 +11:00
Aleksa Sarai d2ac52fe52
merge branch 'pr-1475'
Add support for mips/mips64
  Put signalMap in a separate file, so it may be arch-specific

LGTMs: @crosbymichael @cyphar
Closes #1475
2017-10-16 02:59:34 +11:00
Aleksa Sarai 2430a98e64
merge branch 'pr-1500'
rootfs: switch ms_private remount of oldroot to ms_slave

LGTMs: @crosbymichael @hqhq
Closes opencontainers/runc#1500
2017-10-14 09:32:59 +11:00
Mrunal Patel 7c7d38bfe8
Merge pull request #1610 from sboeuf/fix_freezer_state
libcontainer: cgroups: Write freezer state after every state check
2017-10-12 07:55:10 -07:00
Sebastien Boeuf acb93c9c62
libcontainer: cgroups: Write freezer state after every state check
This commit ensures we write the expected freezer cgroup state after
every state check, in case the state check does not give the expected
result. This can happen when a new task is created and prevents the
whole cgroup from being FROZEN, leaving the state as FREEZING instead.

This patch prevents an infinite loop from happening.

Fixes https://github.com/opencontainers/runc/issues/1609

Signed-off-by: Sebastien Boeuf <sebastien.boeuf@intel.com>
2017-10-12 07:07:28 -07:00
Michael Crosby 5f9284cb98
Check for negative gid
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2017-10-11 11:10:12 -04:00
Sumit Sanghrajka f55f79d6ba
Use Int64SliceFlag instead of StringFlag to get additional gids.
Signed-off-by: Sumit Sanghrajka <sumit.sanghrajka@gmail.com>
2017-10-10 15:56:17 -04:00
Sumit Sanghrajka 7a386c2b60
Add --additional-gids to runc exec.
This flag allows specifying additional gids for the process.
Without this flag, the user will have to provide process.json which allows additional gids.
Closes #1306

Signed-off-by: Sumit Sanghrajka <sumit.sanghrajka@gmail.com>
2017-10-10 15:56:04 -04:00
Matthew Heon 472fa3d054
Update Travis config to use trusty-backports libseccomp
Signed-off-by: Matthew Heon <mheon@redhat.com>
2017-10-10 15:49:08 -04:00
Matthew Heon bbc847a457
Add integration tests for multi-argument Seccomp filters
Signed-off-by: Matthew Heon <mheon@redhat.com>
2017-10-10 15:49:08 -04:00
Matthew Heon 03a5a7476e
Vendor updated libseccomp-golang for bugfix
Syscall argument handling was bugged in previous releases.
Per-argument match rules were handled with OR logic when they
should have used AND logic. The updated version of the bindings
resolves this issue.

As a side effect, the minimum supported version of Libseccomp has
been raised from v2.1.0 to v2.2.0.

Signed-off-by: Matthew Heon <mheon@redhat.com>
2017-10-10 15:49:08 -04:00
Mrunal Patel beb8716fcb
Merge pull request #1528 from leitwolf7/fix-integration
make localintegration fails on Ubuntu 17.04
2017-10-10 12:41:40 -07:00
Michael Crosby bfe3058fc9
Make process check more forgiving
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2017-10-10 15:36:19 -04:00