Eric Windisch
364d8e1505
Disable all mounts in AppArmor profile
...
Allowing mounts in containers is dangerous. Bugs in
mount namespaces or quirks of the container configuration
could allow for various breakouts.
By default, processes in containers will not be able to mount anyway,
rendering the allowances in the default AppArmor profile nearly
useless. Manually created sub-containers were able to mount, but
were yet restricted from performing most of the mount flags indicated
in the profile.
Signed-off-by: Eric Windisch <eric@windisch.us>
2015-05-07 14:38:44 -07:00
Michael Crosby
2323c4c48d
Use filepath.Rel for subdirectory comparison
...
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2015-05-07 14:38:44 -07:00
Michael Crosby
c08e43409d
Move reopenDevNull until after rootfs jail
...
We need to do this in case /dev/null is a symlink pointing somewhere
outside the container's rootfs.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2015-05-07 14:38:44 -07:00
Michael Crosby
e3e7c47123
Prohibit bind mounts into /
...
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2015-05-07 14:38:44 -07:00
Michael Crosby
3c25c9b9cf
Eval mount destination after each mount
...
User-specified mounts must be evaluated after each mount because
symlinks in nested mounts can invalidate the next mount.
Also check that any bind mounts are not inside /proc or /sys to ensure
that we are able to mask over certain paths inside.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2015-05-07 14:38:44 -07:00
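The destination checks described in the two Crosby commits above ("Prohibit bind mounts into /" and "Eval mount destination after each mount"), together with the filepath.Rel containment test from "Use filepath.Rel for subdirectory comparison", as an added Go example. This is illustrative code written for this page, not libcontainer's own implementation; the Mount type, the function names, the error values and the apply callback that stands in for syscall.Mount are all assumptions. The rootfs it operates on is a constructed temporary directory.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Mount is a hypothetical stand-in for a user-supplied mount entry
// (not libcontainer's configs.Mount).
type Mount struct {
	Source      string
	Destination string // path as the container sees it, e.g. "/data"
	Bind        bool
}

var (
	ErrRootDestination = errors.New("mounting into / is prohibited")
	ErrEscapesRootfs   = errors.New("destination resolves outside the rootfs")
	ErrMaskedPath      = errors.New("bind mount inside /proc or /sys is prohibited")
)

// relInside reports whether target is at or below base using filepath.Rel,
// not a string-prefix test (which would accept /rootfs2 as inside /rootfs).
// rel == "." means target is base itself.
func relInside(base, target string) (rel string, inside bool) {
	rel, err := filepath.Rel(base, target)
	if err != nil {
		return "", false
	}
	sep := string(filepath.Separator)
	return rel, rel == "." || (rel != ".." && !strings.HasPrefix(rel, ".."+sep))
}

// resolveInRootfs joins dest onto rootfs and follows every symlink in the
// longest prefix that exists on the host right now. Absolute symlinks are
// resolved against the host, which is exactly how a link inside the rootfs
// can redirect a mount outside it; the caller must check the result.
func resolveInRootfs(rootfs, dest string) (string, error) {
	// Clean dest as an absolute container path first so "/../.." cannot
	// step above rootfs lexically.
	existing := filepath.Join(rootfs, filepath.Join("/", dest))
	var missing []string
	for {
		if _, err := os.Lstat(existing); err == nil {
			break
		}
		missing = append([]string{filepath.Base(existing)}, missing...)
		parent := filepath.Dir(existing)
		if parent == existing {
			return "", fmt.Errorf("no existing prefix for %s", dest)
		}
		existing = parent
	}
	resolved, err := filepath.EvalSymlinks(existing)
	if err != nil {
		return "", err
	}
	return filepath.Join(append([]string{resolved}, missing...)...), nil
}

// checkMountDestination validates one mount against the rootfs as it exists
// at this moment and returns the host path the mount would land on.
func checkMountDestination(rootfs string, m Mount) (string, error) {
	rootfs, err := filepath.EvalSymlinks(rootfs)
	if err != nil {
		return "", err
	}
	dest := filepath.Join("/", m.Destination)
	if m.Bind { // keep /proc and /sys free for the runtime's own masking
		for _, masked := range []string{"/proc", "/sys"} {
			if _, inside := relInside(masked, dest); inside {
				return "", fmt.Errorf("%w: %s", ErrMaskedPath, dest)
			}
		}
	}
	hostDest, err := resolveInRootfs(rootfs, dest)
	if err != nil {
		return "", err
	}
	rel, inside := relInside(rootfs, hostDest)
	if !inside {
		return "", fmt.Errorf("%w: %s -> %s", ErrEscapesRootfs, dest, hostDest)
	}
	if rel == "." {
		return "", fmt.Errorf("%w: %s", ErrRootDestination, dest)
	}
	return hostDest, nil
}

// applyMounts re-validates each destination immediately before applying it:
// an earlier mount can bring in symlinks that change what a later destination
// resolves to. apply is a stand-in for syscall.Mount.
func applyMounts(rootfs string, mounts []Mount, apply func(Mount, string) error) error {
	for _, m := range mounts {
		hostDest, err := checkMountDestination(rootfs, m)
		if err != nil {
			return err
		}
		if err := apply(m, hostDest); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	rootfs, _ := os.MkdirTemp("", "rootfs") // constructed sample rootfs
	defer os.RemoveAll(rootfs)
	os.Mkdir(filepath.Join(rootfs, "data"), 0o755)
	// A fake mount that drops "link -> /" into the tree, as a volume might.
	fake := func(m Mount, hostDest string) error {
		os.MkdirAll(hostDest, 0o755)
		return os.Symlink("/", filepath.Join(hostDest, "link"))
	}
	mounts := []Mount{
		{Source: "/vol", Destination: "/data", Bind: true},
		{Source: "/etc", Destination: "/data/link/etc", Bind: true}, // escapes via the link
	}
	fmt.Println(applyMounts(rootfs, mounts, fake))
}
```

The second mount is rejected only because its destination is resolved after the first mount has populated /data; a single up-front evaluation of both destinations would have accepted it. The same resolve-then-check pattern is what makes the /dev/null reopen order matter in the "Move reopenDevNull" commit: any path derived from the rootfs has to be resolved after the jail is in place.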
Michael Crosby
08cf3beaf0
Merge pull request #572 from hqhq/hq_fix_spec
...
some fixes for SPEC
2015-05-06 11:00:51 -07:00
Mrunal Patel
654d44509d
Merge pull request #570 from hqhq/hq_add_gitignore
...
add vendor/pkg to gitignore
2015-05-06 10:20:23 -07:00
Qiang Huang
8377168545
some fixes for SPEC
...
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2015-05-06 22:47:50 +08:00
Alexander Morozov
f1d459dbbf
Merge pull request #569 from hqhq/hq_change_logrus
...
Replace aliased imports of logrus
2015-05-06 07:45:40 -07:00
Qiang Huang
280dd66d0c
add vendor/pkg to gitignore
...
It's auto-generated by go install; we should ignore it.
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2015-05-06 21:38:32 +08:00
Qiang Huang
e5a7aad7eb
Replace aliased imports of logrus
...
Docker already did this: https://github.com/docker/docker/issues/11762
libcontainer should also do it.
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2015-05-06 21:14:04 +08:00
Mrunal Patel
a1fe3f1c7a
Merge pull request #560 from avagin/integration
...
integration: don't create a factory for each test case
2015-05-05 09:37:03 -07:00
Andrey Vagin
78f816d190
integration: don't create factories for each test case
...
We can do this only once.
Signed-off-by: Andrey Vagin <avagin@openvz.org>
2015-05-05 01:12:47 +03:00
Alexander Morozov
6607689b1d
Merge pull request #566 from tianon/logrus-0.7.3
...
Update logrus to 0.7.3
2015-05-03 10:30:06 -07:00
Tianon Gravi
d6a3a4e6c7
Update logrus to 0.7.3
...
Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com>
2015-05-03 00:24:36 -06:00
Alexander Morozov
83f0c1e580
Merge pull request #561 from avagin/logrus
...
Use logrus everywhere
2015-05-01 09:30:17 -07:00
Andrey Vagin
08af005e6b
Use logrus everywhere
...
Signed-off-by: Andrey Vagin <avagin@openvz.org>
2015-05-01 18:41:28 +03:00
Michael Crosby
3e661186ba
Merge pull request #535 from mrunalp/sys_props
...
Adds support for setting system properties.
2015-04-30 11:46:33 -07:00
Michael Crosby
0654f88d03
Merge pull request #558 from hqhq/hq_remove_unused_func
...
remove unused functions
2015-04-28 10:21:29 -07:00
Qiang Huang
36633d3cb4
remove unused functions
...
Seems no one is using them.
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2015-04-28 09:20:32 +08:00
Michael Crosby
d70569a238
Merge pull request #554 from estesp/namespace_linux_split
...
Split namespace syscall content for building on non-Linux
2015-04-27 17:47:19 -07:00
Michael Crosby
ee61c35f8f
Merge pull request #555 from avagin/cgroup
...
cgroups/systemd: remove useless code
2015-04-27 17:44:37 -07:00
Andrey Vagin
755bc77482
cgroups/systemd: remove useless code
...
I think the remove code and devices.Set do the same things.
Signed-off-by: Andrey Vagin <avagin@openvz.org>
2015-04-28 00:00:24 +03:00
Alexander Morozov
984ec36fa1
Merge pull request #539 from Mashimiao/cgroups-add-support-for-blkio-throttle
...
cgroups: add support blkio.throttle.read/write_*
2015-04-27 10:34:45 -07:00
Phil Estes
7f1bcd5ebf
Split namespace syscall content for building on non-Linux
...
libcontainer/configs is used by the docker user namespace proposed
patchset to use IDMap for uid/gid maps across the codebase. Given the
client uses some of this code, it needs to build on non-Linux. This
separates out the Linux-only syscalls using build tags.
Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
2015-04-24 18:09:56 -04:00
Daniel, Dao Quang Minh
1c43532155
Merge pull request #553 from crosbymichael/cgroup-mount
...
Add cgroup mount type for mounting container local cgroups
2015-04-23 15:59:09 -07:00
Mrunal Patel
30f055602b
Adds test for system properties.
...
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2015-04-22 22:18:08 -04:00
Mrunal Patel
60d3a49f6e
Adds functionality to set system properties.
...
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2015-04-22 22:17:30 -04:00
Michael Crosby
b806655f91
Merge pull request #492 from Mashimiao/cgroup-add-support-for-device-deny
...
cgroups: add support of devices deny for another use of cgroup devices
2015-04-22 18:43:22 -07:00
Mrunal Patel
c32142a807
Merge pull request #550 from LK4D4/fix_panic
...
Check for cmd.Process not-nilness in setnsProcess.terminate()
2015-04-22 11:40:34 -07:00
Alexander Morozov
d7aab179c1
Check for cmd.Process not-nilness in setnsProcess.terminate()
...
We are already doing this in initProcess
Signed-off-by: Alexander Morozov <lk4d4@docker.com>
2015-04-22 11:30:42 -07:00
Michael Crosby
03bbb04f26
Implement mounting cgroups as readonly
...
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2015-04-20 12:21:11 -07:00
Mrunal Patel
bada39cf31
Merge pull request #495 from rhatdan/tmpfs
...
Add support for Premount and Postmount commands.
2015-04-20 09:20:52 -07:00
Mrunal Patel
d4cf37fee9
Merge pull request #546 from liubin/fixtypos
...
fix some typos in source code comments
2015-04-20 09:18:57 -07:00
bin liu
4a2ae107c8
fix some typos in source code comments
...
Signed-off-by: bin liu <liubin0329@gmail.com>
2015-04-20 02:35:51 +00:00
Michael Crosby
9dc17dc9b4
Merge pull request #537 from hqhq/hq_cleanup_cpushares_check
...
cleanup cpushares check
2015-04-17 14:32:07 -07:00
Michael Crosby
f2cf36412c
Merge pull request #538 from hqhq/hq_fix_freeze_test
...
fix freeze systemd test
2015-04-17 10:53:38 -07:00
Dan Walsh
dc480bc3ad
add integration test for premount/postmount hooks
...
Docker-DCO-1.1-Signed-off-by: Daniel, Dao Quang Minh <dqminh89@gmail.com> (github: rhatdan)
Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)
2015-04-17 08:28:17 -04:00
Ma Shimiao
59eb58b640
cgroups: add support blkio.throttle.read/write_*
...
Signed-off-by: Ma Shimiao <mashimiao.fnst@cn.fujitsu.com>
2015-04-17 16:03:42 +08:00
Qiang Huang
f010150f7d
fix freeze systemd test
...
Made a mistake before: the freeze test doesn't use newContainer;
the systemd test doesn't actually work.
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2015-04-17 14:20:16 +08:00
Qiang Huang
62fccb3e1e
add test case for cpuShares check
...
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2015-04-17 13:51:37 +08:00
Qiang Huang
e161ceccbe
cleanup duplicate code for cpuShares check
...
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2015-04-17 13:18:44 +08:00
Dan Walsh
59c5c3ac0f
Add support for Premount and Postmount commands.
...
We want to allow docker to mount tmpfs directories over existing directories
in the image. We will use this patch to pass commands from docker to
libcontainer. The first command we will use is the tar command to gather
all of the contents of the destination directory before mounting; then, after
we mount, the post-mount command will untar the content.
Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)
2015-04-16 20:34:12 -04:00
Mrunal Patel
52e8fd3958
Merge pull request #526 from ZJU-SEL/nsenter_readme_add
...
Add more explanation for nsenter
2015-04-15 21:02:44 -07:00
Ma Shimiao
689afbcf66
cgroups: add support for devices deny
...
Signed-off-by: Ma Shimiao <mashimiao.fnst@cn.fujitsu.com>
2015-04-16 08:30:22 +08:00
Alexander Morozov
84f43cdfac
Merge pull request #500 from hqhq/hq_add_set_for_systemd
...
add Set support for systemd based cgroup
2015-04-15 12:23:39 -07:00
jianbosun
317686c673
Add more explanation for nsenter
...
Now the README in nsenter is a little confusing
and hard for newcomers to understand.
Signed-off-by: Sun Jianbo <wonderflow@zju.edu.cn>
2015-04-15 17:27:00 +08:00
Michael Crosby
32b8465dde
Merge pull request #533 from rhatdan/badrelabel
...
We want to prevent users from accidentally attempting to relabel /, /etc and /usr
2015-04-14 13:47:34 -07:00
Mrunal Patel
ed5803ec62
Merge pull request #532 from tifayuki/master
...
check "/sbin/apparmor_parser" in apparmor.IsEnabled()
2015-04-14 13:39:21 -07:00
Dan Walsh
abd2a921d8
We want to prevent users from accidentally attempting to relabel /, /etc and /usr
...
While we know this is by no means complete, it at least stops users from
doing a common ignorant action.
Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)
2015-04-14 15:25:43 -04:00