When any non-global-flag parameter appears on the command line make sure
there's a "command" even in the 'start' (run) case to ensure its not
ambiguous as to what the arg is. For example, w/o this fix its not
clear if
runc foo
means 'foo' is the name of a config file or an unknown command. Or worse,
you can't name a config file the same a ANY command, even future (yet to
be created) commands.
We should fix this now before we ship 1.0 and are forced to support this
ambiguous case for a long time.
Signed-off-by: Doug Davis <dug@us.ibm.com>
When we use ```cat | runc``` or ```runc /dev/stdin < config.json```,
it will fail and output ```FATA[0000] Container start failed: inappropriate ioctl for device```.
It is hard for the users to find out the reason from the message:
the config.json enables the terminal but the user redirect the stdin
to an non-terminal file.
After this patch, the output will be
```FATA[0000] Container start failed: Failed to set the terminal from the stdin: inappropriate ioctl for device```
So the user can disable the terminal in the config.json.
See the #202
Cc: W. Trevor King <wking@tremily.us> (@wking)
Signed-off-by: Lai Jiangshan <jiangshanlai@gmail.com>
Again. It looks like a build tag was somehow dropped between
the PR here: https://github.com/docker/libcontainer/pull/625
and the move to runc.
Signed-off-by: Christy Perez <clnperez@linux.vnet.ibm.com>
As v2.1.0 is no longer required for successful testing, do not build it in the
Dockerfile - instead just use the version Ubuntu ships.
Signed-off-by: Matthew Heon <mheon@redhat.com>
This removes the existing, native Go seccomp filter generation and replaces it
with Libseccomp. Libseccomp is a C library which provides architecture
independent generation of Seccomp filters for the Linux kernel.
This adds a dependency on v2.2.1 or above of Libseccomp.
Signed-off-by: Matthew Heon <mheon@redhat.com>
Simplify the code introduced by the commit d1f0d5705deb:
Return actual ProcessState on Wait error
Cc: Alexander Morozov <lk4d4@docker.com>
Signed-off-by: Lai Jiangshan <jiangshanlai@gmail.com>
Without this, multiple runc containers can accidentally share the same cgroup(s)
(and change each other's limits), when runc is invoked from the same directory
(i.e.: same cwd on multiple runc executions).
After these changes, each runc container will run on its own cgroup(s). Before,
the only workaround was to invoke runc from an unique (temporary?) cwd for each
container.
Common cgroup configuration (and hierarchical limits) can be set by having
multiple runc containers share the same cgroup parent, which is the cgroup of
the process executing runc.
Signed-off-by: Fabio Kung <fabio.kung@gmail.com>
Mrunal Patel
Marcos Lilljedahl
Michael Crosby
Doug Davis
boucher
Lai Jiangshan
Tonis Tiigi
rajasec
Mrunal Patel
Shijiang Wei
Michael Chase-Salerno
Matthew Heon
Alexander Morozov
Alexander Morozov
Fabio Kung
William Temple