Commit Graph

1157 Commits

Author SHA1 Message Date
Mrunal Patel 21ed4766b1 Merge pull request #366 from icecrime/hairpin-nat
Resurrect hairpin NAT
2015-02-10 15:35:43 -08:00
Arnaud Porterie 190e50b08d Selectively enable hairpin NAT
Offer the ability to enable hairpin NAT on a per-network basis, while
keeping it disabled by default as it is unsupported by older kernels.

Signed-off-by: Arnaud Porterie <arnaud.porterie@docker.com>
2015-02-10 15:30:36 -08:00
Mrunal Patel d6fae7bb26 Merge pull request #369 from dqminh/exec-reap-zombie
handle SIGCHLD when running as child subreaper
2015-02-10 11:11:07 -08:00
Daniel, Dao Quang Minh 770e258390 handle SIGCHLD when running as child subreaper
When running under child subreaper mode, it's useful for nsenter to be able to
reap child processes. We have seen cases where spawned user processes weren't
reaped properly (https://github.com/creationix/nvm/issues/650)

Signed-off-by: Daniel, Dao Quang Minh <dqminh89@gmail.com>
2015-02-10 04:50:22 -05:00
Patrick Hemmer da109f3af0 enable hairpin mode on virtual interface bridge port
This is to support being able to DNAT/MASQ traffic from a container back into itself (dotcloud/docker#4442)

Docker-DCO-1.1-Signed-off-by: Patrick Hemmer <patrick.hemmer@gmail.com> (github: phemmer)
2015-02-09 14:56:27 -08:00
Michael Crosby da32455210 Merge pull request #343 from dqminh/dqminh
add dqminh as maintainer
2015-02-09 12:11:06 -08:00
Rohit Jnagal 623fe598e4 Merge pull request #361 from hqhq/hq_typo_for_userns
fix typo for GetHostRootGid
2015-02-07 11:05:40 -08:00
Qiang Huang f115a5f6c8 fix typo and outdated comments in exec.go
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2015-02-07 08:52:50 +08:00
Mrunal Patel 62bdfc482d Merge pull request #362 from vmarmol/cgroup
Retry getting the cgroup root at apply time.
2015-02-06 12:25:01 -08:00
Victor Marmol e0de51f53c Retry getting the cgroup root at apply time.
This will allow late-binding of the cgroup hierarchy.

Fixes docker/docker#8791

Signed-off-by: Victor Marmol <vmarmol@google.com>
2015-02-06 11:04:25 -08:00
Mrunal Patel 4bd39999a0 Merge pull request #359 from philips/systemd-default-dependencies-false
cgroups: systemd: set DefaultDependencies=false if possible
2015-02-05 10:41:32 -08:00
Andrey Vagin c6f5420bed integration: check a container with userns
Signed-off-by: Andrey Vagin <avagin@openvz.org>
2015-02-04 14:21:05 +03:00
Brandon Philips 99233fde8c cgroups: systemd: set DefaultDependencies=false if possible
The root problem this fixes is the docker daemon uses DefaultDependencies
for all of its scopes which means that the containers get killed by
systemd before the docker daemon is notified to shut down. This means
that a docker run in a service file won't get ordered properly on
shutdown! This has affected many CoreOS users and is documented in
systemd as follows:

"Unless DefaultDependencies=false is used, scope units will implicitly
have dependencies of type Conflicts= and Before= on shutdown.target."

Unfortunately, systemd didn't allow setting DefaultDependencies=false on
transient units until today:

    systemd-run --scope --property="DefaultDependencies=false" /usr/bin/sleep 50000
    Unknown assignment DefaultDependencies=false.
    Failed to create message: Invalid argument

Fixed here:
http://cgit.freedesktop.org/systemd/systemd/commit/?id=261420ba2a20305ad271b6f5f380aa74c5c9dd50

Discussion with systemd upstream:
http://lists.freedesktop.org/archives/systemd-devel/2014-December/026313.html
http://lists.freedesktop.org/archives/systemd-devel/2015-February/027890.html

Tested with docker and systemd master as of today and it works for me.

Signed-off-by: Brandon Philips <brandon.philips@coreos.com>
2015-02-03 22:25:27 -05:00
Victor Marmol 2da44f8c7b Merge pull request #358 from avagin/capabilities
namespaces: allow using a pid namespace without a mount namespace
2015-02-03 15:05:54 -08:00
Andrey Vagin 21c344a479 update vendor/src/github.com/syndtr/gocapability/
Signed-off-by: Andrey Vagin <avagin@openvz.org>
2015-02-04 01:22:25 +03:00
Andrey Vagin 444cc2989a namespaces: allow using a pid namespace without a mount namespace
The gocapability package uses /proc/PID/status to get a bounding set.
If a container uses pidns without mntns, it sees /proc from the host
namespace, but the process doesn't know its own pid in this namespace.

In this case it can use /proc/self/status, which is always the right one.

Signed-off-by: Andrew Vagin <avagin@openvz.org>
2015-02-04 01:01:43 +03:00
Mrunal Patel 5d25c7262e Merge pull request #357 from crosbymichael/api
Flatten config structures and remove namespace package
2015-02-03 10:55:06 -08:00
Michael Crosby ab76a88d6b Remove Wait() on container interface
Since we return the pid for the started process we do not need this
method on the interface.

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2015-02-03 10:50:18 -08:00
Andrey Vagin bcd0222be5 api: fix config tests
Signed-off-by: Andrey Vagin <avagin@openvz.org>
2015-02-03 10:00:21 -08:00
Andrey Vagin daca745c4c api: fix integration tests
Signed-off-by: Andrey Vagin <avagin@openvz.org>
2015-02-03 09:59:58 -08:00
Michael Crosby bbeae7445a Remove namespaces package
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2015-02-02 15:41:32 -08:00
Michael Crosby 8191d4d60f Refactor container interface
This removes a few unused methods from the container interface and types
parameters such as os.Signal and WaitStatus.

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2015-01-31 20:51:12 -08:00
Michael Crosby 935d81f23d Flatten configuration structs
Change the various config structs into one package and have a flatter
structure for easier use.

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2015-01-31 19:56:27 -08:00
Michael Crosby 77f255a544 Add missing initializers
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2015-01-31 14:05:53 -08:00
Mrunal Patel e59984353a Merge pull request #356 from LK4D4/vet_checks
Add vet check to .drone.yml
2015-01-30 14:31:55 -08:00
Alexander Morozov 0890cc54a9 Add vet check to .drone.yml
Signed-off-by: Alexander Morozov <lk4d4@docker.com>
2015-01-30 14:18:33 -08:00
Mrunal Patel 60f6310b2d Merge pull request #355 from avagin/api-next
namespaces: send config, network state and other arguments in one packet
2015-01-30 13:59:40 -08:00
Andrey Vagin c3f3db724a namespaces: don't unroll process arguments
It looks better.

Signed-off-by: Andrey Vagin <avagin@openvz.org>
2015-01-30 10:39:51 +03:00
Andrey Vagin df52d63854 namespaces: send config, network state and other arguments in one packet
Signed-off-by: Andrey Vagin <avagin@openvz.org>
2015-01-30 10:38:35 +03:00
Mrunal Patel e31ef02610 Merge pull request #351 from avagin/api-rebase-2
Merge remote-tracking branch 'origin/master' into api-rebase
2015-01-29 19:20:09 -08:00
Victor Marmol 3c52181f61 Merge pull request #353 from LK4D4/update_dbus
Update github.com/godbus/dbus to v2
2015-01-29 15:46:05 -08:00
Alexander Morozov 689e8ec949 Update github.com/godbus/dbus to v2
Signed-off-by: Alexander Morozov <lk4d4@docker.com>
2015-01-29 15:35:22 -08:00
Rohit Jnagal 2fac2dad91 Merge pull request #341 from shishir-a412ed/master
Created man page for nsinit
2015-01-29 14:00:07 -08:00
Shishir Mahajan e9f8f8528a Created man page for nsinit
Signed-off-by: Shishir Mahajan <shishir.mahajan@redhat.com>
2015-01-29 16:33:08 -05:00
Victor Marmol c37b9125ec Merge pull request #344 from hqhq/hq_fix_systemd_device
cgroups: always create device cgroup on systemd
2015-01-29 11:39:07 -08:00
Andrey Vagin ca633b2f29 Merge remote-tracking branch 'origin/master' into api
Signed-off-by: Andrey Vagin <avagin@openvz.org>
2015-01-28 14:37:40 +03:00
Michael Crosby 904bae3247 Merge pull request #348 from avagin/api-nsexec
nsenter: remove a proxy process
2015-01-26 13:08:02 -08:00
Michael Crosby e05f807a89 Merge pull request #349 from LK4D4/replace_wait_for_wait4
Use Wait4 instead of cmd.Wait
2015-01-26 13:07:54 -08:00
Alexander Morozov 39fbf0a904 Use cmd.Process.Wait instead of cmd.Wait
The issue with cmd.Wait is that it waits for the pipes to close, and if we
have forked processes which inherited pipes from the parent, then we need to
kill them to unblock cmd.Wait.

Should fix docker/docker#10303

Now the idea is as follows:
- cmd.Process.Wait for the init process to die
- Kill remaining processes in the cgroup (pipes closed as a side effect)
- use cmd.Wait to wait for the pipes to be flushed to the client

Signed-off-by: Alexander Morozov <lk4d4@docker.com>
2015-01-26 12:54:52 -08:00
Andrey Vagin 8d8242aa8a nsenter: add tests
Signed-off-by: Andrey Vagin <avagin@openvz.org>
2015-01-26 23:12:50 +03:00
Andrey Vagin 82367938b7 nsenter: remove a proxy process
Currently nsexec() creates a proxy process to enter into a pid namespace.
It isn't good, because we need to proxy an exit code and signals.
We can use CLONE_PARENT to fork a process with the right parent.

Signed-off-by: Andrey Vagin <avagin@openvz.org>
2015-01-26 23:12:50 +03:00
Andrey Vagin 11b2dab1c5 nsenter: add macros to print errors
Signed-off-by: Andrey Vagin <avagin@openvz.org>
2015-01-26 19:44:44 +03:00
Andrey Vagin e77b238a83 namespaces: don't send a container config twice
Signed-off-by: Andrey Vagin <avagin@openvz.org>
2015-01-26 19:44:44 +03:00
Mrunal Patel 045e9ae4a0 Merge pull request #347 from guoxiuyan/master
Fix a minor typo
2015-01-25 18:44:12 -08:00
guoxiuyan 7d9244eab2 Fix a minor typo
Signed-off-by: Guo Xiuyan <guoxiuyan@huawei.com>
2015-01-26 09:41:22 +08:00
Mrunal Patel cab4b9bce1 Merge pull request #345 from fabiokung/allow-readonly-rootfs
Support read-only root filesystems
2015-01-22 16:02:57 -08:00
Fabio Kung 2a452c17aa Support read-only root filesystems
The only place I could find where libcontainer tries to write to the
container's root FS is when setting up the pivot dir, to be used on
pivot_root(2).

This makes the pivot base dir configurable, so a read-only FS can be
used as root FS of containers. Users can then specify a writeable
subpath to be used as pivot inside the container.

Signed-off-by: Fabio Kung <fabio@heroku.com> (github: fabiokung)
2015-01-22 13:58:41 -08:00
Qiang Huang 46573774a2 cgroups: simplify the join_memory check
If c.Memory=0, there is no point in setting memoryswap.

Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2015-01-22 12:19:40 +08:00
Qiang Huang c4821b6f3e cgroups: always create device cgroup on systemd
This is the same behavior as fs does.

Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2015-01-22 09:53:30 +08:00
Daniel, Dao Quang Minh eb84dd1b73 add dqminh as maintainer
Signed-off-by: Daniel, Dao Quang Minh <dqminh89@gmail.com>
2015-01-21 20:37:37 -05:00