The "shell" rule in the Makefile uses docker to run a bash session,
however it was depending on the "all" rule which assumes non-docker local
development. This commit fixes it by making it depend on the "runcimage" rule.
Signed-off-by: Tibor Vass <tibor@docker.com>
The function is called even if the usernamespace is not set.
This results having wrong uid/gid set on devices.
This fix add a test to check if usernamespace is set befor calling
setupUserNamespace.
Fixes#1742
Signed-off-by: Julien Lavesque <julien.lavesque@gmail.com>
The current version of criu bundled in dockerfile failed to do checkpoint/restore test on my
system (v4.14.14). Upgrade to latest version v3.7 and also change the
repository name to point to the current official repo.
Signed-off-by: Daniel Dao <dqminh89@gmail.com>
This fixes a bug in the console package for big-endian architectures.
When creating a new pty the returned path to the new pty slave was
wrong for the second und all subsequent ptys.
In runc the exec subcommand failed with an runtime error such as
`container_linux.go:265: starting container process caused "open
/dev/pts/4294967296: no such file or directory"`.
The number is shifted by 32.
Signed-off-by: Peter Morjan <peter.morjan@de.ibm.com>
gocapability has supported 0 as "the current PID" since
syndtr/gocapability@5e7cce49 (Allow to use the zero value for pid to
operate with the current task, 2015-01-15, syndtr/gocapability#2).
libcontainer was ported to that approach in 444cc298 (namespaces:
allow to use pid namespace without mount namespace, 2015-01-27,
docker/libcontainer#358), but the change was clobbered by 22df5551
(Merge branch 'master' into api, 2015-02-19, docker/libcontainer#388)
which landed via 5b73860e (Merge pull request #388 from docker/api,
2015-02-19, docker/libcontainer#388). This commit restores the
changes from 444cc298.
Signed-off-by: W. Trevor King <wking@tremily.us>
If 'go-md2man' is not installed,
an error can occur when running md2man-all.sh like below:
$ ./man/md2man-all.sh -q
./man/md2man-all.sh: line 21: go-md2man: command not found
So fix it.
Signed-off-by: Taeung Song <treeze.taeung@gmail.com>
... that prevent sending signals not mentioned in signal map.
Currently these are SIGRTMIN..SIGRTMAX.
Signed-off-by: Valentin Kulesh <valentin.kulesh@virtuozzo.com>
The helper DRYs up the transition tests and makes it easy to get
complete coverage for invalid transitions.
I'm also using t.Run() for subtests. Run() is new in Go 1.7 [1], but
runc dropped support for 1.6 back in e773f96b (update go version at
travis-ci, 2017-02-20, #1335).
[1]: https://blog.golang.org/subtests
Signed-off-by: W. Trevor King <wking@tremily.us>
Technically, this change should not be necessary, as the kernel
documentation claims that if you call clone(flags|CLONE_NEWUSER), the
new user namespace will be the owner of all other namespaces created in
@flags. Unfortunately this isn't always the case, due to various
additional semantics and kernel bugs.
One particular instance is SELinux, which acts very strangely towards
the IPC namespace and mqueue. If you unshare the IPC namespace *before*
you map a user in the user namespace, the IPC namespace's internal
kern-mount for mqueue will be labelled incorrectly and the container
won't be able to access it. The only way of solving this is to unshare
IPC *after* the user has been mapped and we have changed to that user.
I've also heard of this happening to the NET namespace while talking to
some LXC folks, though I haven't personally seen that issue.
This change matches our handling of user namespaces to be the same as
how LXC handles these problems.
Signed-off-by: Aleksa Sarai <asarai@suse.de>
When starting a container with `runc start` or `runc run`, the stub
process (runc[2:INIT]) opens a fifo for writing. Its parent runc process
will open the same fifo for reading. In this way, they synchronize.
If the stub process exits at the wrong time, the parent runc process
will block forever.
This can happen when racing 2 runc operations against each other: `runc
run/start`, and `runc delete`. It could also happen for other reasons,
e.g. the kernel's OOM killer may select the stub process.
This commit resolves this race by racing the opening of the exec fifo
from the runc parent process against the stub process exiting. If the
stub process exits before we open the fifo, we return an error.
Another solution is to wait on the stub process. However, it seems it
would require more refactoring to avoid calling wait multiple times on
the same process, which is an error.
Signed-off-by: Craig Furman <cfurman@pivotal.io>
The commit 244c9fc ("*: console rewrite")
removed the --console option and the commit 7df64f8
("runc: implement --console-socket") create new option
--console-socket. However, the old --console option
still exists so fix it.
In addtion, add missing --preserve-fds option to
create and run manpages.
Signed-off-by: Taeung Song <treeze.taeung@gmail.com>
Signed-off-by: charsyam <charsyam@naver.com>
Annotations weren't passed to hooks. This patch fixes that by passing
annotations to stdin for hooks.
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
libapparmor is integrated in libcontainer using cgo but is only used to
call a single function: aa_change_onexec. It turns out this function is
simple enough (writing a string to a file in /proc/<n>/attr/...) to be
re-implemented locally in libcontainer in plain Go.
This allows to drop the dependency on libapparmor and the corresponding
cgo integration.
Fixes#1674
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
When a subreaper is enabled, it might expect to reap a process and
retrieve its exit code. That's the reason why this patch is giving
the possibility to define the usage of a subreaper as a consumer of
libcontainer. Relying on this information, libcontainer will not
wait for signalled processes in case a subreaper has been set.
Fixes#1677
Signed-off-by: Sebastien Boeuf <sebastien.boeuf@intel.com>
Tibor Vass
Aleksa Sarai
Michael Crosby
ynirk
Daniel Dao
Allen Sun
Qiang Huang
vsoch
Peter Morjan
W. Trevor King
ravisantoshgudimetla
Mrunal Patel
Taeung Song
Valentin Kulesh
Akihiro Suda
Ed King
Will Martin
Antonio Murdaca
vikaschoudhary16
Tom Godkin
Tobias Klauser
Sebastien Boeuf
Ma Shimiao