f27c4e15f6
Fix the value corresponding to rlimitmap [key]
...
These values depend on the specific arch
Signed-off-by: wanghuaiqing <wanghuaiqing@loongson.cn>
2020-02-07 13:02:14 +08:00
dc7d0bfa0f
travis: update configuration
...
Update the set of Go versions (and use 1.x to always test the latest
release), as well as making the cgroupv2 tests allowable failures (the
vagrant setup seems to break pretty often, causing flaky failures).
Signed-off-by: Aleksa Sarai <asarai@suse.de>
2020-02-05 13:41:28 +11:00
3b992087b8
Fix skip message for cgroupv2
...
Signed-off-by: Boris Popovschi <zyqsempai@mail.ru>
2020-02-03 14:27:12 +02:00
e6555cc01a
merge branch 'pr-2184'
...
Kenta Tada (1):
README.md: modify the explanation of make flags
LGTMs: @hqhq @cyphar
Closes #2184
2020-02-03 22:41:07 +11:00
e03859022a
README.md: modify the explanation of make flags
...
Signed-off-by: Kenta Tada <Kenta.Tada@sony.com>
2020-02-03 15:03:26 +09:00
ff107ee0c1
merge branch 'pr-2190'
...
Amye Scavarda Perrin (2):
Update README.md
Adding .pdf of audit
LGTMs: @caniszczyk @cyphar
Closes #2190
2020-01-31 11:17:42 +11:00
7d23d1e172
Update README.md
...
Signed-off-by: Amye Scavarda Perrin <amye@linuxfoundation.org>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2020-01-31 10:59:57 +11:00
0061cad878
Adding .pdf of audit
...
Signed-off-by: Amye Scavarda Perrin <amye@linuxfoundation.org>
2020-01-31 10:59:43 +11:00
2b5730a5a6
Merge pull request #2221 from inductor/feature/fix_path_security
...
Fix path for security report line
2020-01-27 14:40:21 -08:00
e4c4935a78
Merge pull request #2217 from cyphar/release-rc10
...
VERSION: release 1.0.0~rc10
2020-01-27 14:39:52 -08:00
ed4a3e9bc6
Apply review
...
Signed-off-by: Kohei Ota <kela@inductor.me>
2020-01-26 23:03:13 +09:00
c8ba985325
Fix path for security report line
...
Signed-off-by: Kohei Ota <kela@inductor.me>
2020-01-26 16:13:05 +09:00
e4de2b2555
VERSION: back to development
...
Signed-off-by: Aleksa Sarai <asarai@suse.de>
2020-01-23 03:19:29 +11:00
dc9208a330
VERSION: update to 1.0.0~rc10
...
Signed-off-by: Aleksa Sarai <asarai@suse.de>
2020-01-23 03:19:15 +11:00
2fc03cc11c
Merge pull request #2207 from cyphar/fix-double-volume-attack
...
rootfs: do not permit /proc mounts to non-directories
2020-01-22 08:06:10 -08:00
3291d66b98
rootfs: do not permit /proc mounts to non-directories
...
mount(2) will blindly follow symlinks, which is a problem because it
allows a malicious container to trick runc into mounting /proc to an
entirely different location (and thus within the attacker's control for
a rename-exchange attack).
This is just a hotfix (to "stop the bleeding"), and the more complete
fix would be finish libpathrs and port runc to it (to avoid these types
of attacks entirely, and defend against a variety of other /proc-related
attacks). It can be bypased by someone having "/" be a volume controlled
by another container.
Fixes: CVE-2019-19921
Signed-off-by: Aleksa Sarai <asarai@suse.de>
2020-01-17 14:00:30 +11:00
f6fb7a0338
merge branch 'pr-2133'
...
Julia Nedialkova (1):
Handle ENODEV when accessing the freezer.state file
LGTMs: @crosbymichael @cyphar
Closes #2133
2020-01-17 02:07:19 +11:00
5b96f314ba
Exchanged deprecated systemd resources with the appropriate for cgroupv2
...
Signed-off-by: Boris Popovschi <zyqsempai@mail.ru>
2020-01-15 18:09:33 +02:00
cf9b7c33e1
Fix MAJ:MIN io.stat parsing order
...
Signed-off-by: Boris Popovschi <zyqsempai@mail.ru>
2020-01-15 14:39:14 +02:00
709377ca55
Merge pull request #2198 from AkihiroSuda/criu-master
...
temporarily disable CRIU tests
2020-01-14 18:57:19 +08:00
55f8c254be
temporarily disable CRIU tests
...
Ubuntu kernel is temporarily broken: https://github.com/opencontainers/runc/pull/2198#issuecomment-571124087
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-01-14 11:18:44 +09:00
5c20ea1472
fix merging #2177 and #2169
...
A new method was added to the cgroup interface when #2177 was merged.
After #2177 got merged, #2169 was merged without rebase (sorry!) and compilation was failing:
libcontainer/cgroups/fs2/fs2.go:208:22: container.Cgroup undefined (type *configs.Config has no field or method Cgroup)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-01-14 11:13:25 +09:00
5cc0deaf7a
Merge pull request #2169 from AkihiroSuda/split-fs
...
cgroup2: split fs2 from fs
2020-01-13 16:23:27 -08:00
2b52db7527
Merge pull request #2177 from devimc/topic/libcontainer/kata-containers
...
libcontainer: export and add new methods to allow cgroups manipulation
2020-01-02 11:47:12 -05:00
a88592a634
Merge pull request #2185 from liggitt/exec-race
...
Fix race checking for process exit and waiting for exec fifo
2019-12-26 10:41:07 -05:00
8541d9cf3d
Fix race checking for process exit and waiting for exec fifo
...
Signed-off-by: Jordan Liggitt <liggitt@google.com>
2019-12-18 18:48:18 +00:00
52951a7c19
Fix race in tty integration test with slow startup
...
Signed-off-by: Jordan Liggitt <liggitt@google.com>
2019-12-18 16:54:54 +00:00
8ddd892072
libcontainer: add method to get cgroup config from cgroup Manager
...
`configs.Cgroup` contains the configuration used to create cgroups. This
configuration must be saved to disk, since it's required to restore the
cgroup manager that was used to create the cgroups.
Add method to get cgroup configuration from cgroup Manager to allow API users
save it to disk and restore a cgroup manager later.
fixes #2176
Signed-off-by: Julio Montes <julio.montes@intel.com>
2019-12-17 22:46:03 +00:00
cd7c59d042
libcontainer: export createCgroupConfig
...
A `config.Cgroups` object is required to manipulate cgroups v1 and v2 using
libcontainer.
Export `createCgroupConfig` to allow API users to create `config.Cgroups`
objects using directly libcontainer API.
Signed-off-by: Julio Montes <julio.montes@intel.com>
2019-12-17 22:46:03 +00:00
7496a96825
merge branch 'pr-2086'
...
* Kurnia D Win (1):
fix permission denied
LGTMs: @crosbymichael @cyphar
Closes #2086
2019-12-17 20:49:52 +11:00
201b063745
merge branch 'pr-2141'
...
Radostin Stoyanov (1):
criu: Ensure other users cannot read c/r files
LGTMs: @crosbymichael @cyphar
Closes #2141
2019-12-07 09:32:58 +11:00
e1b5af0652
Merge pull request #2161 from AkihiroSuda/makefile-overrride-docker
...
Makefile: allow overriding `docker` command
2019-12-06 10:42:24 -05:00
ec49f98d72
fs2: support legacy device spec (to pass CI)
...
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2019-12-06 15:53:07 +09:00
88e8350de2
cgroup2: split fs2 from fs
...
split fs2 package from fs, as mixing up fs and fs2 is very likely to result in
unmaintainable code.
Inspired by containerd/cgroups#109
Fix #2157
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2019-12-06 15:42:10 +09:00
5e63695384
merge branch 'pr-2174'
...
Sascha Grunert (1):
Expose network interfaces via runc events
LGTMs: @cyphar @mrunalp
Closes #2174
2019-12-06 13:07:44 +11:00
8bb10af481
Merge pull request #2165 from AkihiroSuda/travis-f31
...
.travis.yml: add Fedora 31 vagrant box (for cgroup2)
2019-12-05 16:26:51 -05:00
41a20b5852
Expose network interfaces via runc events
...
The libcontainer network statistics are unreachable without manually
creating a libcontainer instance. To retrieve them via the CLI interface
of runc, we now expose them as well.
Signed-off-by: Sascha Grunert <sgrunert@suse.com>
2019-12-05 13:20:51 +01:00
48b055c40a
Makefile: allow overriding `docker` command
...
e.g. `make CONTAINER_ENGINE="sudo podman" unittest` (for ease of cgroup2 testing)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2019-12-03 23:59:14 +09:00
c35c2c9cec
merge branch 'pr-2172'
...
Sascha Grunert (1):
Make event types public
LGTMs: @crosbymichael @cyphar
Closes #2172
2019-12-03 02:10:37 +11:00
42690e6853
Make event types public
...
The event types are now part of a dedicated public `types` package
within runc to be able to unmarshal the output `runc events` directly.
Signed-off-by: Sascha Grunert <sgrunert@suse.com>
2019-11-26 14:47:31 +01:00
2186cfa3cd
Merge pull request #2168 from AkihiroSuda/ebpf-fix-rlimit
...
cgroup2: ebpf: increase RLIM_MEMLOCK to avoid BPF_PROG_LOAD error
2019-11-16 11:33:40 +08:00
faf1e44ea9
cgroup2: ebpf: increase RLIM_MEMLOCK to avoid BPF_PROG_LOAD error
...
Fix #2167
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2019-11-07 15:43:27 +09:00
46def4cc4c
Merge pull request #2154 from jpeach/2008-remove-static-build-tag
...
Remove the static_build build tag.
2019-11-04 17:10:59 -08:00
b133feaeeb
Merge pull request #2145 from AkihiroSuda/ebpf
...
cgroup2: port over eBPF device controller from crun
2019-10-31 13:10:55 -04:00
ccd4436fc4
.travis.yml: add Fedora 31 vagrant box (for cgroup2)
...
As the baby step, only unit tests are executed.
Failing tests are currently skipped and will be fixed in follow-up PRs.
Fix #2124
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2019-10-31 16:53:01 +09:00
faf673ee45
cgroup2: port over eBPF device controller from crun
...
The implementation is based on https://github.com/containers/crun/blob/0.10.2/src/libcrun/ebpf.c
Although ebpf.c is originally licensed under LGPL-3.0-or-later, the author
Giuseppe Scrivano agreed to relicense the file in Apache License 2.0:
https://github.com/opencontainers/runc/issues/2144#issuecomment-543116397
See libcontainer/cgroups/ebpf/devicefilter/devicefilter_test.go for tested configurations.
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2019-10-31 14:01:46 +09:00
e57a774066
Merge pull request #2149 from AkihiroSuda/cgroup2-ps
...
cgroup2: implement `runc ps`
2019-10-31 09:44:39 +08:00
d239ca8425
Merge pull request #2148 from AkihiroSuda/cg2-ignore-cpuset-when-no-config
...
cgroup2: cpuset_v2: skip Apply when no limit is specified
2019-10-29 21:57:58 +08:00
03cf145f5a
Merge pull request #2159 from AkihiroSuda/cgroup2-mount-in-userns
...
cgroup2: allow mounting /sys/fs/cgroup in UserNS without unsharing CgroupNS
2019-10-28 19:19:09 -07:00
f04fb9980c
Merge pull request #2160 from AkihiroSuda/cgroup2-no-proc-cgroups
...
cgroup2: do not parse /proc/cgroups
2019-10-28 19:18:59 -07:00
wanghuaiqing
Aleksa Sarai
Boris Popovschi
Kenta Tada
Amye Scavarda Perrin
Mrunal Patel
Kohei Ota
Qiang Huang
Akihiro Suda
Michael Crosby
Jordan Liggitt
Julio Montes
Sascha Grunert