Michael Crosby
ee6a72df4e
Merge pull request #577 from crosbymichael/m-named-cgroup
...
Move the process outside of the systemd cgroup
2016-02-19 13:51:58 -08:00
Michael Crosby
47f16e89df
Move the process outside of the systemd cgroup
...
If you don't move the process out of the named cgroup for systemd then
systemd will try to delete all the cgroups that the process is currently
in.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2016-02-19 11:26:46 -08:00
Mike Brown
160daf293e
adding --format json to list command
...
Signed-off-by: Mike Brown <brownwm@us.ibm.com>
2016-02-18 22:07:04 -06:00
Mrunal Patel
0107c7fb6c
Merge pull request #573 from LK4D4/fix_dash_cgroup
...
Look for " - " instead of just - as separator
2016-02-19 08:57:39 +05:30
Michael Crosby
e28cfafa6d
Merge pull request #567 from rajasec/tty-remove
...
Removing tty0 tty1 from allowed devices
2016-02-18 13:56:32 -08:00
Alexander Morozov
98cbce80fb
Look for " - " instead of just - as separator
...
- symbol can appear in any path
Signed-off-by: Alexander Morozov <lk4d4@docker.com>
2016-02-18 09:58:29 -08:00
Alexander Morozov
488e315c21
Merge pull request #570 from crosbymichael/tty-nil
...
Check if tty is nil in handler
2016-02-17 13:37:21 -08:00
Michael Crosby
546af43fbc
Check if tty is nil in handler
...
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2016-02-17 13:20:22 -08:00
Alexander Morozov
382880b250
Merge pull request #569 from mlaventure/fix-cgroupspath-as-cgroupsparent
...
Fix CgroupsPath interpretation
2016-02-17 12:54:51 -08:00
Kenfe-Mickael Laventure
3ceff76f64
Fix CgroupsPath interpretation
...
When CgroupsPath code was introduced with #497 it was mistakenly made
to act as the equivalent of docker CgroupsParent. This ensures that it
is taken as the final cgroup path.
A couple of unit tests have been added to prevent future regression.
Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
2016-02-17 08:33:46 -08:00
Mrunal Patel
90472aeb9e
Merge pull request #546 from mikebrow/usage-updates
...
updating usage for runc, and all runc commands that now use <container id> as the first argument
2016-02-17 21:13:22 +05:30
Mike Brown
f4e37ab63e
updating usage for runc and runc commands
...
Signed-off-by: Mike Brown <brownwm@us.ibm.com>
2016-02-17 09:00:39 -06:00
Mike Brown
80495833ae
adding format options to list command
...
Signed-off-by: Mike Brown <brownwm@us.ibm.com>
2016-02-17 08:46:06 -06:00
Mrunal Patel
2c489ce2d9
Merge pull request #564 from hallyn/2016-02-16/userns.devicecg
...
Do not set devices cgroup entries if in a user namespace
2016-02-17 09:25:24 +05:30
Serge Hallyn
655f8ea808
Do not set devices cgroup entries if in a user namespace
...
When in a non-initial user namespace you cannot update the devices
cgroup whitelist (or blacklist). The kernel won't allow it. So
detect that case and don't try.
This is a step to being able to run docker/runc containers inside a user
namespaced container.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2016-02-16 19:39:43 -08:00
Mrunal Patel
d854d8fcc2
Merge pull request #553 from cyphar/fix-pids-limit-tests
...
libcontainer: integration: fix flaky pids limit tests
2016-02-17 08:36:05 +05:30
Mrunal Patel
a86e44cf8f
Merge pull request #556 from hqhq/hq_remove_unneeded_cleanup
...
Remove unneeded cgroups path removal
2016-02-17 08:31:35 +05:30
Michael Crosby
ce72f86a2b
Merge pull request #558 from rajasec/tty-panic
...
panic during start of failed detached container
2016-02-16 16:01:08 -08:00
Alexander Morozov
8ce2413986
Merge pull request #563 from mlaventure/notty-detach-panic
...
Prevent a panic when container fails to start
2016-02-16 15:22:50 -08:00
Kenfe-Mickael Laventure
b011f80451
Prevent a panic when container fails to start
...
This occurs when the container was requested to be started in detached
mode and without a tty.
Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
2016-02-16 15:18:49 -08:00
Alexander Morozov
533ee4d688
Merge pull request #557 from mrunalp/nonewprivs
...
Add support for NoNewPrivileges
2016-02-16 11:18:02 -08:00
Michael Crosby
4f33b03703
Merge pull request #561 from rajasec/kcore-link
...
Change softlink name to /dev/core
2016-02-16 11:03:37 -08:00
Michael Crosby
15eb206d76
Merge pull request #562 from cloudfoundry-incubator/avoid-sigchld-hang
...
Register signal handlers earlier to avoid zombies
2016-02-16 10:55:20 -08:00
Michael Crosby
2b0a53b9a4
Merge pull request #552 from cyphar/fix-cgroup-path
...
libcontainer: cgroups: fs: fix innerPath
2016-02-16 10:41:44 -08:00
Julian Friedman
5fbdf6c3fc
Register signal handlers earlier to avoid zombies
...
newSignalHandler needs to be called before the process is started, otherwise when
the process exits quickly the SIGCHLD is received (and ignored) before the
handler is set up. When this happens the reaper never runs, the
process becomes a zombie, and the exit code isn't returned to the user.
Signed-off-by: Julian Friedman <julz.friedman@uk.ibm.com>
2016-02-16 18:38:54 +00:00
Alexander Morozov
c6d18308b8
Merge pull request #526 from hqhq/hq_remove_procStart
...
Remove procStart
2016-02-16 09:12:04 -08:00
Mrunal Patel
af400b90c3
Hook up the support to the OCI specification config
...
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-02-16 06:57:51 -08:00
Mrunal Patel
38b39645d9
Implement NoNewPrivileges support in libcontainer
...
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-02-16 06:57:50 -08:00
Mrunal Patel
e898a30e34
Merge pull request #560 from chenchun/fix_valid_dest
...
It's /proc/stat, not /proc/stats
2016-02-16 17:44:14 +05:30
Mrunal Patel
61bfcfd82a
Add libcontainer configuration for NoNewPrivileges
...
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-02-16 03:59:43 -08:00
Chun Chen
2ee9cbbd12
It's /proc/stat, not /proc/stats
...
Also adds /proc/net/dev to the valid mount destination white list
Signed-off-by: Chun Chen <ramichen@tencent.com>
2016-02-16 15:59:27 +08:00
rajasec
b3661f4115
Removing tty0 tty1 from allowed devices
...
Signed-off-by: rajasec <rajasec79@gmail.com>
2016-02-16 11:21:00 +05:30
rajasec
4cd31f63c5
Change softlink name to /dev/core
...
Signed-off-by: rajasec <rajasec79@gmail.com>
2016-02-15 17:52:19 +05:30
Qiang Huang
bda7742019
Cleanup systemd apply
...
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2016-02-15 15:56:59 +08:00
Qiang Huang
7b88f34d6e
Remove unneeded cgroups path removal
...
It's handled in `destroy()`, no need to do this in
`Apply()`. I found this because systemd cgroup didn't
do this removal and it works well.
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2016-02-15 11:22:13 +08:00
rajasec
321b842404
panic during start of failed detached container
...
Signed-off-by: rajasec <rajasec79@gmail.com>
Adding nil check before closing tty for restore operation
Signed-off-by: rajasec <rajasec79@gmail.com>
2016-02-14 19:11:09 +05:30
Aleksa Sarai
21dc85c4b8
libcontainer: cgroups: fs: add cgroup path safety unit tests
...
In order to avoid problems with security regressions going unnoticed,
add some unit tests that should make sure security regressions in cgroup
path safety cause tests to fail in runC.
Signed-off-by: Aleksa Sarai <asarai@suse.com>
2016-02-14 00:37:21 +11:00
Aleksa Sarai
b8dc5213e8
libcontainer: cgroups: fs: fix path safety
...
Ensure that path safety is maintained, this essentially reapplies
c0cad6aa5e ("cgroups: fs: fix cgroup.Parent path sanitisation"), which
was accidentally removed in 256f3a8ebc ("Add support for CgroupsPath
field").
Signed-off-by: Aleksa Sarai <asarai@suse.com>
2016-02-14 00:37:21 +11:00
Aleksa Sarai
90140a5688
libcontainer: cgroups: fs: fix innerPath
...
Fix m.Path legacy code to actually work.
Signed-off-by: Aleksa Sarai <asarai@suse.com>
2016-02-14 00:37:21 +11:00
Michael Crosby
361f9b7921
Merge pull request #550 from rajasec/restoretty
...
Adding tty closure for restore operation
2016-02-11 10:27:58 -08:00
Aleksa Sarai
1f8711751e
libcontainer: integration: fix flaky pids limit tests
...
Because we are implemented in Go, the number of pids present in a
container is not very well-defined (other than it not being /much/
bigger than the limit you'd want to set). As a result, we need to make
the tests a bit less flaky in this regard.
Signed-off-by: Aleksa Sarai <asarai@suse.com>
2016-02-12 00:14:22 +11:00
Alexander Morozov
1a124e9c2d
Merge pull request #549 from crosbymichael/tty-close
...
Close tty on error before handler
2016-02-10 14:11:47 -08:00
Michael Crosby
45675581c1
Close tty on error before handler
...
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2016-02-10 13:41:35 -08:00
Alexander Morozov
4678b01e64
Merge pull request #497 from mlaventure/cgroups-path
...
Replace Cgroup Parent and Name fields by CgroupsPath
2016-02-10 13:00:49 -08:00
Kenfe-Mickael Laventure
256f3a8ebc
Add support for CgroupsPath field
...
Fixes #396
Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
2016-02-10 11:26:51 -08:00
Michael Crosby
71db82baef
Merge pull request #545 from rajasec/specupdateforpids
...
Adding pids subsystem in SPEC.md
2016-02-10 11:17:15 -08:00
Mrunal Patel
4d9d4866b5
Merge pull request #537 from duglin/ReorgContainer
...
Create some util funcs that are common between start and exec
2016-02-10 23:00:20 +05:30
rajasec
a7ee55b716
Adding tty closure for restore operation
...
Signed-off-by: rajasec <rajasec79@gmail.com>
2016-02-10 09:48:12 +05:30
Mrunal Patel
bfd3345be9
Merge pull request #541 from crosbymichael/ids
...
Require container id as arg1
2016-02-10 08:14:36 +05:30
Mrunal Patel
025a84a2fb
Merge pull request #542 from runcom/use-coreos-systemd
...
*: use coreos/go-systemd/activation for socket activation
2016-02-10 08:07:21 +05:30