Some of the code was quite confusing inside libcontainer/user, so
refactor and comment it so future maintainers can understand what's
going and what edge cases we have to deal with.
Signed-off-by: Aleksa Sarai <asarai@suse.de>
Most shadow-related tools don't treat numeric ids as potential
usernames, so change our behaviour to match that. Previously, using an
explicit specification like 111:222 could result in the UID and GID not
being 111 and 222 respectively (which is confusing).
Signed-off-by: Aleksa Sarai <asarai@suse.de>
This adds a `--no-pivot` cli flag to runc so that a container's rootfs
can be located ontop of ramdisk/tmpfs and not fail because you cannot
pivot root.
This should be a cli flag and not part of the spec because this is a
detail of the host/runtime environment and not an attribute of a
container.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Since runC requires root in order to run, it makes more sense to put it
in /usr/local/sbin (which is traditionally for root-only utilities).
This also fixes the section number mismatch (man8 is usually for
administrative utilities in /usr/local/sbin).
Signed-off-by: Aleksa Sarai <asarai@suse.de>
If runc was SIGKILL'd or something happened and the container was not
able to start and runc died as well then we could get into the state
where `$root/<containerid>` exists but `$root/<containerid>/state.json`
does not. This will not allow libcontainer to load the container to
call the delete function as it has no data on the container other than
its id. We should just remove it in runc so that that system matches
what runc sees for the container.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Currently, if we start a container with:
`docker run -ti --name foo --memory 300M --memory-swap 500M busybox sh`
Then we want to update it with:
`docker update --memory 600M --memory-swap 800M foo`
It'll get error because we can't set memory to 600M with
the 500M limit of swap memory.
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
Based on Golang document, %s is for "the uninterpreted bytes of the
string or slice", so %v is more appropriate.
Signed-off-by: Peng Gao <peng.gao.dut@gmail.com>
Users of libcontainer other than runc may also require parsing and
converting specification configuration files.
Since runc cannot be imported, move the relevant functions and
definitions to a separate package, libcontainer/specconv.
Signed-off-by: Ido Yariv <ido@wizery.com>
Fixes#680
This changes setupRlimit to use the Prlimit syscall (rather than
Setrlimit) and moves the call to the parent process. This is necessary
because Setrlimit would affect the libcontainer consumer if called in
the parent, and would fail if called from the child if the
child process is in a user namespace and the requested rlimit is higher
than that in the parent.
Signed-off-by: Julian Friedman <julz.friedman@uk.ibm.com>
systemd expects cgroupsPath to be of form "slice:prefix:name".
So dont call cleanPath on it anymore.
Signed-off-by: Anusha Ragunathan <anusha@docker.com>
Qiang Huang
Mrunal Patel
Mrunal Patel
Alexander Morozov
Aleksa Sarai
Aleksa Sarai
Dan Walsh
Michael Crosby
Marcos Lilljedahl
Peng Gao
Matt Hartzler
Ido Yariv
Julian Friedman
allencloud
Thomas Tanaka
Anusha Ragunathan
Tonis Tiigi