Issue with cmd.Wait is that it is waiting for closing pipes and if we
have forked processes which inherited pipes from parent, then we need to
kill them to unblock cmd.Wait.
Should fixdocker/docker#10303
Now idea is next:
- cmd.Process.Wait for init process dead
- Kill remaining processes in cgroup (pipes closed as side effect)
- use cmd.Wait for waiting pipes flushed to client
Signed-off-by: Alexander Morozov <lk4d4@docker.com>
A non-zero Path field for a namespace says that a process should attach to an
existing namespace, so the process can be forked without the flag for this
namespace.
Signed-off-by: Andrey Vagin <avagin@openvz.org>
this allows the parent to place the process into cgroup first so it can track
the children properly
Docker-DCO-1.1-Signed-off-by: Daniel, Dao Quang Minh <dqminh89@gmail.com> (github: dqminh)
Test the process WaitStatus for a signal, and return an exit code of 128
+ signal which killed the process. Fixesdocker/docker#9979.
Signed-off-by: Arnaud Porterie <arnaud.porterie@docker.com>
It also kills all processes in a cgroup if you are not using the pid namespace
If we stop using the PID namespace, and more then one process is running
when the pid 1 exits, docker will hang since the cgroups do not disappear.
This code will kill all remaining processes
Add Tests for handing of Pid Namespaces
Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)
This removes the unsued namespace types from the namespace package
and simplifies getting the values for the namespaces.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
This changes the namespace configuration on the config to include the
name of the namespace along with an optional path. This path is used to
point to a file of another namespace for the namespace so that it can be
joined in place of the empty, initialized namespace.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Adds a new item to the config struct []*Rlimit
Rlimit takes a type (ie, syscall.RLIMIT_NOFILE) and the hard/soft limit
(As max/cur)
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
There is no reason to have a special type returned from the cgroups
Apply function for getting the paths and cleanup. With access to the
paths we can just delete what we need.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
because `LoadContainerEnvironment` is already run, os.Environ() will return the
correct environment variables for the exec command (i.e. removed duplicated
envs, set HOME for user etc...)
Docker-DCO-1.1-Signed-off-by: Daniel, Dao Quang Minh <dqminh89@gmail.com> (github: dqminh)
This patch adds an os/user-like user lookup API, implemented in pure Go.
It also has some features not present in the standard library
implementation (such as group lookups).
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com> (github: cyphar)
This patch refactors most of GetUserGroupSupplementaryHome and its
signature, to make using it much simpler. The private parsing ftunctions
have also been exposed (parsePasswdFile, parseGroupFile) to allow custom
data source to be used (increasing the versatility of the user/ tools).
In addition, file path wrappers around the formerly private API
functions have been added to make usage of the API for callers easier if
the files that are being parsed are on the filesystem (while the
io.Reader APIs are exposed for non-traditional usecases).
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com> (github: cyphar)
This removes the entire syncpipe package and replaces it with standard
operations on the pipes. The syncpipe type just never felt right and
probably should not have been there.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Some workloads rely on IPC for communications with other processes. We
would like to split workloads between two container but still allow them
to communicate though shared IPC.
This patch allows us to mimic the --net code to allow --ipc=host to not split off
the IPC Namespace. ipc=container:CONTAINERID to share ipc between containers
Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)
The set of the apparmor profile for the setns codepath was missing.
Selinux was being called but apparmor was forgotten. This was causing
no profiles to be applied to the extra process spawn inside an existing
container.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Since currently the container.json file does not include the pathname
to a container's root filesystem, we need to parse /proc/mounts which
is slow and error-prone. This patch addresses this issue by adding a
new RootFs field.
Signed-off-by: Saied Kazemi <saied@google.com>
Michael Crosby
Alexander Morozov
guoxiuyan
Mrunal Patel
Mrunal Patel
Andrey Vagin
Daniel, Dao Quang Minh
Arnaud Porterie
Michael Crosby
Dan Walsh
Aleksa Sarai
Brian Goff
Vishnu Kannan
unclejack
Saied Kazemi