Mrunal Patel
2f27649848
Move pre-start hooks after container mounts
...
Today mounts in pre-start hooks get overridden by the default mounts.
Moving the pre-start hooks to after the container mounts and before
the pivot/move root gives better flexibility in the hooks.
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-02-23 02:50:35 -08:00
Mrunal Patel
2c489ce2d9
Merge pull request #564 from hallyn/2016-02-16/userns.devicecg
...
Do not set devices cgroup entries if in a user namespace
2016-02-17 09:25:24 +05:30
Serge Hallyn
655f8ea808
Do not set devices cgroup entries if in a user namespace
...
When in a non-initial user namespace you cannot update the devices
cgroup whitelist (or blacklist). The kernel won't allow it. So
detect that case and don't try.
This is a step to being able to run docker/runc containers inside a user
namespaced container.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2016-02-16 19:39:43 -08:00
Mrunal Patel
d854d8fcc2
Merge pull request #553 from cyphar/fix-pids-limit-tests
...
libcontainer: integration: fix flaky pids limit tests
2016-02-17 08:36:05 +05:30
Mrunal Patel
a86e44cf8f
Merge pull request #556 from hqhq/hq_remove_unneeded_cleanup
...
Remove unneeded cgroups path removal
2016-02-17 08:31:35 +05:30
Michael Crosby
ce72f86a2b
Merge pull request #558 from rajasec/tty-panic
...
panic during start of failed detached container
2016-02-16 16:01:08 -08:00
Alexander Morozov
8ce2413986
Merge pull request #563 from mlaventure/notty-detach-panic
...
Prevent a panic when container fails to start
2016-02-16 15:22:50 -08:00
Kenfe-Mickael Laventure
b011f80451
Prevent a panic when container fails to start
...
This occurs when the container was requested to be started in detached
mode and without a tty.
Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
2016-02-16 15:18:49 -08:00
Alexander Morozov
533ee4d688
Merge pull request #557 from mrunalp/nonewprivs
...
Add support for NoNewPrivileges
2016-02-16 11:18:02 -08:00
Michael Crosby
4f33b03703
Merge pull request #561 from rajasec/kcore-link
...
Change softlink name to /dev/core
2016-02-16 11:03:37 -08:00
Michael Crosby
15eb206d76
Merge pull request #562 from cloudfoundry-incubator/avoid-sigchld-hang
...
Register signal handlers earlier to avoid zombies
2016-02-16 10:55:20 -08:00
Michael Crosby
2b0a53b9a4
Merge pull request #552 from cyphar/fix-cgroup-path
...
libcontainer: cgroups: fs: fix innerPath
2016-02-16 10:41:44 -08:00
Julian Friedman
5fbdf6c3fc
Register signal handlers earlier to avoid zombies
...
newSignalHandler needs to be called before the process is started, otherwise when
the process exits quickly the SIGCHLD is received (and ignored) before the
handler is set up. When this happens the reaper never runs, the
process becomes a zombie, and the exit code isn't returned to the user.
Signed-off-by: Julian Friedman <julz.friedman@uk.ibm.com>
2016-02-16 18:38:54 +00:00
Alexander Morozov
c6d18308b8
Merge pull request #526 from hqhq/hq_remove_procStart
...
Remove procStart
2016-02-16 09:12:04 -08:00
Mrunal Patel
af400b90c3
Hook up the support to the OCI specification config
...
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-02-16 06:57:51 -08:00
Mrunal Patel
38b39645d9
Implement NoNewPrivileges support in libcontainer
...
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-02-16 06:57:50 -08:00
Mrunal Patel
e898a30e34
Merge pull request #560 from chenchun/fix_valid_dest
...
It's /proc/stat, not /proc/stats
2016-02-16 17:44:14 +05:30
Mrunal Patel
61bfcfd82a
Add libcontainer configuration for NoNewPrivileges
...
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-02-16 03:59:43 -08:00
Chun Chen
2ee9cbbd12
It's /proc/stat, not /proc/stats
...
Also adds /proc/net/dev to the valid mount destination white list
Signed-off-by: Chun Chen <ramichen@tencent.com>
2016-02-16 15:59:27 +08:00
rajasec
4cd31f63c5
Change softlink name to /dev/core
...
Signed-off-by: rajasec <rajasec79@gmail.com>
2016-02-15 17:52:19 +05:30
Qiang Huang
7b88f34d6e
Remove unneeded cgroups path removal
...
It's handled in `destroy()`, no need to do this in
`Apply()`. I found this because systemd cgroup didn't
do this removal and it works well.
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2016-02-15 11:22:13 +08:00
rajasec
321b842404
panic during start of failed detached container
...
Signed-off-by: rajasec <rajasec79@gmail.com>
Adding nil check before closing tty for restore operation
Signed-off-by: rajasec <rajasec79@gmail.com>
2016-02-14 19:11:09 +05:30
Aleksa Sarai
21dc85c4b8
libcontainer: cgroups: fs: add cgroup path safety unit tests
...
In order to avoid problems with security regressions going unnoticed,
add some unit tests that should make sure security regressions in cgroup
path safety cause tests to fail in runC.
Signed-off-by: Aleksa Sarai <asarai@suse.com>
2016-02-14 00:37:21 +11:00
Aleksa Sarai
b8dc5213e8
libcontainer: cgroups: fs: fix path safety
...
Ensure that path safety is maintained, this essentially reapplies
c0cad6aa5e ("cgroups: fs: fix cgroup.Parent path sanitisation"), which
was accidentally removed in 256f3a8ebc ("Add support for CgroupsPath
field").
Signed-off-by: Aleksa Sarai <asarai@suse.com>
2016-02-14 00:37:21 +11:00
Aleksa Sarai
90140a5688
libcontainer: cgroups: fs: fix innerPath
...
Fix m.Path legacy code to actually work.
Signed-off-by: Aleksa Sarai <asarai@suse.com>
2016-02-14 00:37:21 +11:00
Michael Crosby
361f9b7921
Merge pull request #550 from rajasec/restoretty
...
Adding tty closure for restore operation
2016-02-11 10:27:58 -08:00
Aleksa Sarai
1f8711751e
libcontainer: integration: fix flaky pids limit tests
...
Because we are implemented in Go, the number of pids present in a
container is not very well-defined (other than it not being /much/
bigger than the limit you'd want to set). As a result, we need to make
the tests a bit less flaky in this regard.
Signed-off-by: Aleksa Sarai <asarai@suse.com>
2016-02-12 00:14:22 +11:00
Alexander Morozov
1a124e9c2d
Merge pull request #549 from crosbymichael/tty-close
...
Close tty on error before handler
2016-02-10 14:11:47 -08:00
Michael Crosby
45675581c1
Close tty on error before handler
...
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2016-02-10 13:41:35 -08:00
Alexander Morozov
4678b01e64
Merge pull request #497 from mlaventure/cgroups-path
...
Replace Cgroup Parent and Name fields by CgroupsPath
2016-02-10 13:00:49 -08:00
Kenfe-Mickael Laventure
256f3a8ebc
Add support for CgroupsPath field
...
Fixes #396
Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
2016-02-10 11:26:51 -08:00
Michael Crosby
71db82baef
Merge pull request #545 from rajasec/specupdateforpids
...
Adding pids subsystem in SPEC.md
2016-02-10 11:17:15 -08:00
Mrunal Patel
4d9d4866b5
Merge pull request #537 from duglin/ReorgContainer
...
Create some util funcs that are common between start and exec
2016-02-10 23:00:20 +05:30
rajasec
a7ee55b716
Adding tty closure for restore operation
...
Signed-off-by: rajasec <rajasec79@gmail.com>
2016-02-10 09:48:12 +05:30
Mrunal Patel
bfd3345be9
Merge pull request #541 from crosbymichael/ids
...
Require container id as arg1
2016-02-10 08:14:36 +05:30
Mrunal Patel
025a84a2fb
Merge pull request #542 from runcom/use-coreos-systemd
...
*: use coreos/go-systemd/activation for socket activation
2016-02-10 08:07:21 +05:30
Kenfe-Mickael Laventure
dceeb0d0df
Move pathClean to libcontainer/utils.CleanPath
...
Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
2016-02-09 16:21:58 -08:00
Antonio Murdaca
0dea09bce7
*: use coreos/go-systemd/activation for socket activation
...
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-02-09 23:44:09 +01:00
Michael Crosby
8eb1dcb916
Bump to version 0.0.8
...
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2016-02-09 11:35:55 -08:00
Michael Crosby
a7278cad98
Require containerd id as arg 1
...
Closes #532
This requires the container id to always be passed to all runc commands
as arg one on the cli. This was the result of the last OCI meeting and
how operations work with the spec.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2016-02-09 11:20:55 -08:00
Alexander Morozov
8e8d01d38d
Merge pull request #536 from crosbymichael/update-spec
...
Update spec to v0.3.0
2016-02-09 10:53:46 -08:00
Doug Davis
ad26ef1afc
Create some util funcs that are common between start and exec
...
and it'll really help my start/create PR when I need to rebase :-)
Signed-off-by: Doug Davis <dug@us.ibm.com>
2016-02-09 10:22:44 -08:00
rajasec
241e66dbe7
Adding pids subsystem in SPEC.md
...
Signed-off-by: rajasec <rajasec79@gmail.com>
2016-02-09 20:42:11 +05:30
Michael Crosby
ee1aac06a0
Merge pull request #540 from rajasec/specupdate
...
Fixing capabilities name in SPEC.md
2016-02-08 13:15:46 -08:00
Michael Crosby
3baae2d525
Update runc for devices changes
...
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2016-02-08 13:15:12 -08:00
Michael Crosby
fb3f69e097
Merge pull request #539 from rajasec/resume-usage
...
Fixing usage in resume command
2016-02-08 13:13:08 -08:00
rajasec
f1cde33ed7
Fixing capabilities name in SPEC.md
...
Signed-off-by: rajasec <rajasec79@gmail.com>
2016-02-07 21:57:28 +05:30
rajasec
7b24b9a826
Fixing usage in resume command
...
Signed-off-by: rajasec <rajasec79@gmail.com>
2016-02-07 19:27:58 +05:30
Mike Brown
c2c0458598
merges latest spec with runc
...
Signed-off-by: Mike Brown <brownwm@us.ibm.com>
2016-02-05 12:47:09 -08:00
Alexander Morozov
4f601205d4
Merge pull request #525 from crosbymichael/exec
...
Load process.json for exec and add detach
2016-02-05 12:37:56 -08:00