Commit Graph

2528 Commits

Author SHA1 Message Date
Mrunal Patel 419d5be191 Merge pull request #830 from rajasec/spec-descr
Updated description in SPEC
2016-05-19 08:00:36 -07:00
Mrunal Patel d1997d99cd Merge pull request #826 from hqhq/hq_add_check_config
Add check_config.sh for runc
2016-05-18 16:42:30 -07:00
Qiang Huang 396c88215c Fix update kernel memory test
Since kernel 4.6, we can update kernel memory without
initialization, because it's accounted by default.

Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2016-05-17 20:51:02 -04:00
rajasec e33c057114 Updating description in SPEC
Signed-off-by: rajasec <rajasec79@gmail.com>
2016-05-17 22:57:43 +05:30
Aleksa Sarai fdc9fb841e Merge pull request #825 from hqhq/hq_fix_isrunning
Add comments for error cases in status functions
2016-05-17 05:04:25 +00:00
Mrunal Patel 0d8878a6c0 Merge pull request #812 from cyphar/integration-fix-cgroup-parsing
integration: fix cgroup parsing
2016-05-16 19:32:19 -07:00
Mrunal Patel b53e466d0c Merge pull request #824 from ggaaooppeenngg/update-nsenter-readme
Update nsenter README
2016-05-16 17:26:32 -07:00
Michael Crosby 734f6a7529 Merge pull request #822 from rajasec/update-manpage
Updating runc man page
2016-05-16 17:18:17 -07:00
Michael Crosby dd389fd665 Merge pull request #823 from mlaventure/alpine-getlongbit
Fix GetLongBit() returns value when _SC_LONG_BIT is not available
2016-05-16 17:15:52 -07:00
Mrunal Patel f0ec80b93c Merge pull request #821 from runcom/warnings
libcontainer: nsenter: nsexec.c: fix warnings
2016-05-16 09:38:45 -07:00
Aleksa Sarai f89dcc665b integration: remove pointless *_inroot invocations
--root invocations make tests harder to read, and they only serve a very
specific purpose. As such, remove them from the `runc update` tests
because they don't serve a purpose.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2016-05-17 01:48:29 +10:00
Aleksa Sarai c823933fe1 integration: fix cgroup parsing
On some systems, the cgroup hierarchies are grouped together
(cpu,cpuacct). In order to avoid fake failures, update the cgroup
parsing to just check whether or not the mountinfo options *contain* the
cgroup type.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2016-05-17 01:48:29 +10:00
Aleksa Sarai 39aa5d0b1a tests: remove trailing whitespace
Signed-off-by: Aleksa Sarai <asarai@suse.de>
2016-05-17 01:48:29 +10:00
Qiang Huang a04c569b90 Add check_config.sh for runc
It copied from docker and removed unnecessary configs.

Closes: https://github.com/opencontainers/runc/issues/819

Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2016-05-16 19:15:45 +08:00
Qiang Huang b6e23f8166 Add comments for error cases in status functions
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2016-05-16 18:24:07 +08:00
Peng Gao b7219cc2b3 Update nsenter README
Signed-off-by: Peng Gao <peng.gao.dut@gmail.com>
2016-05-14 22:38:43 +08:00
Antonio Murdaca 9d14efec4c libcontainer: nsenter: nsexec.c: fix warnings
Fix the following warnings when building runc with gcc 6+:

Godeps/_workspace/src/github.com/opencontainers/runc/libcontainer/nsenter/nsexec.c:
In function ‘nsexec’:
Godeps/_workspace/src/github.com/opencontainers/runc/libcontainer/nsenter/nsexec.c:322:6:
warning: ‘__s’ may be used uninitialized in this function
[-Wmaybe-uninitialized]
      pr_perror("Failed to open %s", ns);
Godeps/_workspace/src/github.com/opencontainers/runc/libcontainer/nsenter/nsexec.c:273:30:
note: ‘__s’ was declared here
 static struct nsenter_config process_nl_attributes(int pipenum, char
*data, int data_size)
                              ^~~~~~~~~~~~~~~~~~~~~

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-05-14 11:19:44 +02:00
Kenfe-Mickael Laventure 10a3c26c9a Fix GetLongBit() returns value when _SC_LONG_BIT is not available
Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
2016-05-13 09:37:58 -07:00
rajasec ffd5002a18 Updating runc man page
Signed-off-by: rajasec <rajasec79@gmail.com>

Fixed the review comment

Signed-off-by: rajasec <rajasec79@gmail.com>
2016-05-12 22:43:10 +05:30
Michael Crosby c6a791bef9 Merge pull request #816 from opencontainers/revert-796-relabeldev
Revert "Need to make sure labels applied to /dev"
2016-05-11 11:41:50 -07:00
Aleksa Sarai e991f041a1 Revert "Need to make sure labels applied to /dev"
Signed-off-by: Aleksa Sarai <asarai@suse.de>
2016-05-11 23:28:01 +10:00
Aleksa Sarai 9bc97e2291 Merge pull request #813 from rajasec/update-kmem-tcp
Adding kernel mem tcp for update command
2016-05-11 08:31:47 +00:00
rajasec 8839f9f70b Adding kernel mem tcp for update command
Signed-off-by: rajasec <rajasec79@gmail.com>

Adding kernel mem tcp for update command

Signed-off-by: rajasec <rajasec79@gmail.com>

Fixing update.bats to reduce the TCP value

Signed-off-by: rajasec <rajasec79@gmail.com>

Updated the kernelTCP in bats as per json

Signed-off-by: rajasec <rajasec79@gmail.com>

Fixed some minor issue in bats file

Signed-off-by: rajasec <rajasec79@gmail.com>

Rounded off to right bytes for kernel TCP

Signed-off-by: rajasec <rajasec79@gmail.com>

Updating man file for update command

Signed-off-by: rajasec <rajasec79@gmail.com>
2016-05-10 14:11:36 +05:30
Qiang Huang 8477638aab Update cli package
The old one has bug when showing help message for IntFlags.

Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2016-05-10 13:58:09 +08:00
Mrunal Patel be46e644f6 Merge pull request #809 from hqhq/hq_add_update_man
Add man page and fix typo for update command
2016-05-09 19:17:10 -07:00
Qiang Huang e75465b1a3 Add man page and fix typo for update command
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2016-05-09 19:04:25 +08:00
Qiang Huang d49ece5a83 Merge pull request #790 from mlaventure/runc-update-cgroup-kmem-limit
Runc update cgroup kmem limit
2016-05-09 14:01:18 +08:00
Kenfe-Mickael Laventure d78ae51a2d Add test for cgroup memory.kmem.limit_in_bytes handling
Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
2016-05-06 08:05:15 -07:00
Kenfe-Mickael Laventure 4190e5a920 Add new `update` command to runc.
This command allow users to update some of a container cgroups
parameters.

Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
2016-05-06 08:05:15 -07:00
Kenfe-Mickael Laventure 27814ee120 Allow updating kmem.limit_in_bytes if initialized at cgroup creation
Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
2016-05-06 08:05:15 -07:00
Michael Crosby 4ad7bbc172 Merge pull request #783 from cyphar/test-all-the-things
Use full test suite on make test
2016-05-05 17:26:47 -07:00
Mrunal Patel ec77200ceb Merge pull request #804 from rajasec/apparmor-error
Updating error condition in applying apparmor profile
2016-05-05 15:28:24 -07:00
Michael Crosby 03ef0a2f89 Merge pull request #800 from mrunalp/ocf_oci
Change OCF to OCI in help string and man page.
2016-05-05 14:11:59 -07:00
rajasec cb04f48486 Updating error condition in applying apparmor profile
Signed-off-by: rajasec <rajasec79@gmail.com>
2016-05-04 19:10:55 +05:30
Mrunal Patel 8075a9ee6f Change OCF to OCI in help string and man page.
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-05-03 16:05:20 -07:00
Aleksa Sarai dd4a897f5d *: enable full test suite on make test
Enable the full test suite to run on `make test`. They also all run
inside a Docker container for maximum reproducibility.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2016-05-03 17:15:49 +10:00
Mrunal Patel 89c3c97a84 Merge pull request #796 from rhatdan/relabeldev
Need to make sure labels applied to /dev
2016-05-02 09:50:26 -07:00
Dan Walsh 77f312c51c Need to make sure labels applied to /dev
Signed-off-by: Dan Walsh <dwalsh@redhat.com>
2016-05-02 08:17:49 -04:00
Michael Crosby e87c59e2e4 Merge pull request #793 from bboreham/label-sep
Use '=' instead of ':' separator on labels
2016-04-29 15:19:28 -07:00
Mrunal Patel a36c2b373a Merge pull request #795 from jimberlage/794-update-documentation
Correct outdated URL
2016-04-29 09:08:51 -07:00
Jim Berlage c5b0caf76d Correct outdated URL
`libcontainer/cgroups/utils.go` uses an incorrect path to the
documentation for cgroups.  This updates the comment to use the correct
URL.  Fixes #794.

Signed-off-by: Jim Berlage <james.berlage@gmail.com>
2016-04-29 10:44:27 -05:00
Bryan Boreham 4a87beb661 Use '=' instead of ':' separator on labels, which is now deprecated by Docker
Signed-off-by: Bryan Boreham <bjboreham@gmail.com>
2016-04-29 13:01:44 +01:00
Michael Crosby 7d23639138 Merge pull request #789 from justincormack/unprivseccomp
If possible, apply seccomp rules immediately before exec
2016-04-27 17:08:16 -07:00
Justin Cormack e18de63108 If possible, apply seccomp rules immediately before exec
See https://github.com/docker/docker/issues/22252

Previously we would apply seccomp rules before applying
capabilities, because it requires CAP_SYS_ADMIN. This
however means that a seccomp profile needs to allow
operations such as setcap() and setuid() which you
might reasonably want to disallow.

If prctl(PR_SET_NO_NEW_PRIVS) has been applied however
setting a seccomp filter is an unprivileged operation.
Therefore if this has been set, apply the seccomp
filter as late as possible, after capabilities have
been dropped and the uid set.

Note a small number of syscalls will take place
after the filter is applied, such as `futex`,
`stat` and `execve`, so these still need to be allowed
in addition to any the program itself needs.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2016-04-27 20:06:14 +01:00
Aleksa Sarai 07d062bb7b Merge pull request #782 from hqhq/hq_specs_name
Change specs to runtime-spec in integration test
2016-04-26 23:08:38 +00:00
Mrunal Patel 7605fce790 Merge pull request #786 from hqhq/hq_fix_event_test
Fix integration test for events
2016-04-26 12:07:53 -07:00
Mrunal Patel 9c89737e6e Merge pull request #785 from hqhq/hq_remove_sniffTest
Remove sniffTest
2016-04-26 09:31:15 -07:00
Qiang Huang fb7dcac662 Fix integration test for events
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2016-04-26 19:00:21 +08:00
Qiang Huang 5c1ea321df Merge pull request #780 from crosbymichael/stats-format
Improve stats output format for stability
2016-04-26 17:16:53 +08:00
Qiang Huang 18612e6c7f Remove sniffTest
We have integration test now, not ideal though, but it
surely can replace sniffTest.

Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2016-04-26 16:20:45 +08:00