Commit Graph

92 Commits

Author SHA1 Message Date
Michael Crosby fef3aced0e Merge pull request #1460 from wking/mount-option-lazytime
libcontainer/specconv/spec_linux: Add support for (no)lazytime
2017-06-29 10:06:23 -07:00
Justin Cormack e1146182a8 Remove Platform as no longer in OCI spec
This was never used, just validated, so was removed from spec.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2017-06-27 12:16:07 +01:00
W. Trevor King 4f81337e95 libcontainer/specconv/spec_linux: Add support for (no)lazytime
And also silent, loud, (no)iversion, and (no)acl.  This is part of
catching runC up with the spec, which punts valid options to mount(8)
[1,2].

(no)acl is a filesystem-specific entry in mount(8), but it's
represented by a MS_* flag in mount(2) so we need an entry in the
translation table.

[1]: https://github.com/opencontainers/runtime-spec/blame/v1.0.0-rc5/config.md#L68
[2]: https://github.com/opencontainers/runtime-spec/pull/771

Signed-off-by: W. Trevor King <wking@tremily.us>
2017-06-01 20:43:35 -07:00
Michael Crosby 854b41d81e Update spec to 239c4e44f2
This provides updates to runc for the spec changes with *Process and
OOMScoreAdj

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2017-06-01 16:29:47 -07:00
Christy Perez 3d7cb4293c Move libcontainer to x/sys/unix
Since syscall is outdated and broken for some architectures,
use x/sys/unix instead.

There are still some dependencies on the syscall package that will
remain in syscall for the forseeable future:

Errno
Signal
SysProcAttr

Additionally:
- os still uses syscall, so it needs to be kept for anything
returning *os.ProcessState, such as process.Wait.

Signed-off-by: Christy Perez <christy@linux.vnet.ibm.com>
2017-05-22 17:35:20 -05:00
Aleksa Sarai d04cbc49d2
rootless: add autogenerated rootless config from `runc spec`
Since this is a runC-specific feature, this belongs here over in
opencontainers/ocitools (which is for generic OCI runtimes).

In addition, we don't create a new network namespace. This is because
currently if you want to set up a veth bridge you need CAP_NET_ADMIN in
both network namespaces' pinned user namespace to create the necessary
interfaces in each network namespace.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2017-03-23 20:46:21 +11:00
Aleksa Sarai f0876b0427
libcontainer: configs: add proper HostUID and HostGID
Previously Host{U,G}ID only gave you the root mapping, which isn't very
useful if you are trying to do other things with the IDMaps.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2017-03-23 20:46:20 +11:00
Aleksa Sarai d2f49696b0
runc: add support for rootless containers
This enables the support for the rootless container mode. There are many
restrictions on what rootless containers can do, so many different runC
commands have been disabled:

* runc checkpoint
* runc events
* runc pause
* runc ps
* runc restore
* runc resume
* runc update

The following commands work:

* runc create
* runc delete
* runc exec
* runc kill
* runc list
* runc run
* runc spec
* runc state

In addition, any specification options that imply joining cgroups have
also been disabled. This is due to support for unprivileged subtree
management not being available from Linux upstream.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2017-03-23 20:45:24 +11:00
Qiang Huang 8430cc4f48 Use uint64 for resources to keep consistency with runtime-spec
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2017-03-20 18:51:39 +08:00
Mrunal Patel 4f9cb13b64 Update runtime spec to 1.0.0.rc5
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2017-03-15 11:38:37 -07:00
Ma Shimiao 06e27471bb support create device with type p and u
Signed-off-by: Ma Shimiao <mashimiao.fnst@cn.fujitsu.com>
2017-02-10 14:45:15 +08:00
Zhang Wei 8eea644ccc Bump runtime-spec to v1.0.0-rc3
* Bump underlying runtime-spec to version 1.0.0-rc3
* Fix related changed struct names in config.go

Signed-off-by: Zhang Wei <zhangwei555@huawei.com>
2016-12-17 14:02:35 +08:00
Zhang Wei a0f7977f0f Detect and forbid duplicated namespace in spec
When spec file contains duplicated namespaces, e.g.

specs: specs.Spec{
        Linux: &specs.Linux{
            Namespaces: []specs.Namespace{
                {
                    Type: "pid",
                },
                {
                    Type: "pid",
                    Path: "/proc/1/ns/pid",
                },
            },
        },
    }

runc should report malformed spec instead of using latest one by
default, because this spec could be quite confusing.

Signed-off-by: Zhang Wei <zhangwei555@huawei.com>
2016-10-27 00:44:36 +08:00
Alexander Morozov 1ab9d5e6f4 Merge pull request #845 from mrunalp/cp_tmpfs
Add support for copying up directories into tmpfs when a tmpfs is mounted over them
2016-10-21 13:47:16 -07:00
rajasec 034cba6af0 Fixing runc panic for missing file mode
Signed-off-by: rajasec <rajasec79@gmail.com>

Fixing runc panic for missing file mode

Signed-off-by: rajasec <rajasec79@gmail.com>
2016-10-16 20:39:44 +05:30
rajasec 4b263c9594 Fixing runc panic during hugetlb pages
Signed-off-by: rajasec <rajasec79@gmail.com>

Fixing runc panic during hugetlb pages

Signed-off-by: rajasec <rajasec79@gmail.com>
2016-10-15 19:47:33 +05:30
Shukui Yang affc105264 tiny fix, add a null check for specs.Resources.Pids.Limit
Signed-off-by: Shukui Yang <yangshukui@huawei.com>
2016-10-13 15:55:30 +08:00
Mrunal Patel 4356468f49 Parse the new extension flags
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-09-30 09:48:03 -07:00
Adam Thomason 83cbdbd64c Add checks for nil spec.Linux
Signed-off-by: Adam Thomason <ad@mthomason.net>
2016-09-11 16:31:34 -07:00
Zhang Wei 7303a9a720 Tiny refactor: remove unused local variables
Signed-off-by: Zhang Wei <zhangwei555@huawei.com>
2016-09-06 23:41:40 +08:00
Qiang Huang aa2dd02f5a Fix null point reference panic
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2016-09-01 08:34:22 +08:00
Qiang Huang 220e5098a8 Fix default cgroup path
Alternative of #895 , part of #892

The intension of current behavior if to create cgroup in
parent cgroup of current process, but we did this in a
wrong way, we used devices cgroup path of current process
as the default parent path for all subsystems, this is
wrong because we don't always have the same cgroup path
for all subsystems.

Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2016-08-30 14:12:15 +08:00
Mrunal Patel 4dedd09396 Merge pull request #937 from hushan/net_cls-classid
fix setting net_cls classid
2016-07-18 17:18:23 -04:00
Yen-Lin Chen a318a2ae1b Fixed typo in build constraint.
Signed-off-by: Yenlin Chen <hencrice@gmail.com>
2016-07-15 19:24:22 -07:00
Hushan Jia bb42f80a86 fix setting net_cls classid
Setting classid of net_cls cgroup failed:

ERRO[0000] process_linux.go:291: setting cgroup config for ready process caused "failed to write 𐀁 to net_cls.classid: write /sys/fs/cgroup/net_cls,net_prio/user.slice/abc/net_cls.classid: invalid argument"
process_linux.go:291: setting cgroup config for ready process caused "failed to write 𐀁 to net_cls.classid: write /sys/fs/cgroup/net_cls,net_prio/user.slice/abc/net_cls.classid: invalid argument"

The spec has classid as a *uint32, the libcontainer configs should match the type.

Signed-off-by: Hushan Jia <hushan.jia@gmail.com>
2016-07-11 05:00:35 +08:00
Petar Petrov f9b72b1b46 Allow additional groups to be overridden in exec
Signed-off-by: Julian Friedman <julz.friedman@uk.ibm.com>
Signed-off-by: Petar Petrov <pppepito86@gmail.com>
Signed-off-by: Georgi Sabev <georgethebeatle@gmail.com>
2016-06-21 10:35:11 +03:00
Aleksa Sarai 0636bdd45b Merge pull request #874 from crosbymichael/keyring
Add option to disable new session keys
2016-06-12 21:44:45 +10:00
root 56abe735f2 bug fix, LeafWeight nil err
Signed-off-by: root <yangshukui@huawei.com>
2016-06-10 18:11:20 -07:00
Michael Crosby 8c9db3a7a5 Add option to disable new session keys
This adds an `--no-new-keyring` flag to run and create so that a new
session keyring is not created for the container and the calling
processes keyring is inherited.

Fixes #818

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2016-06-03 11:53:07 -07:00
Michael Crosby 5abffd3100 Add annotations to list and state output
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2016-06-02 12:44:43 -07:00
Mrunal Patel 091ed0b043 Merge pull request #777 from cyphar/fix-null-pointer-deref
libcontainer: specconv: fix nil dereference in resource setup
2016-04-24 19:09:30 -07:00
Aleksa Sarai a939c7ecd9 libcontainer: specconv: fix nil dereference in resource setup
This caused issues if someone omitted or set "resources": null, in the
runC config. The panic follows.

panic: runtime error: invalid memory address or nil pointer dereference
[signal 0xb code=0x1 addr=0x20 pc=0x545b53]

goroutine 1 [running]:
panic(0x7aed40, 0xc820014260)
        /usr/lib64/go/src/runtime/panic.go:464 +0x3e6
github.com/opencontainers/runc/libcontainer/specconv.CreateLibcontainerConfig(0xc8200b0e30, 0x836480, 0x0, 0x0)
        /home/cyphar/src/runc/Godeps/_workspace/src/github.com/opencontainers/runc/libcontainer/specconv/spec_linux.go:222 +0xe83
main.createContainer(0xc82007eb40, 0x7ffd8024e439, 0x4, 0xc82008e780, 0x0, 0x0, 0x0, 0x0)
        /home/cyphar/src/runc/utils_linux.go:174 +0x105
main.startContainer(0xc82007eb40, 0xc82008e780, 0x0, 0x0, 0x0)
        /home/cyphar/src/runc/start.go:114 +0x189
main.glob.func11(0xc82007eb40)
        /home/cyphar/src/runc/start.go:78 +0x13e
github.com/codegangsta/cli.Command.Run(0x829a58, 0x5, 0x0, 0x0, 0x0, 0x0, 0x0, 0x87ada0, 0x1a, 0x8dff80, ...)
        /home/cyphar/src/runc/Godeps/_workspace/src/github.com/codegangsta/cli/command.go:137 +0x1081
github.com/codegangsta/cli.(*App).Run(0xc82007e900, 0xc82000a050, 0x5, 0x5, 0x0, 0x0)
        /home/cyphar/src/runc/Godeps/_workspace/src/github.com/codegangsta/cli/app.go:176 +0xffa
main.main()
        /home/cyphar/src/runc/main.go:123 +0xc8e

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2016-04-25 11:52:22 +10:00
Aleksa Sarai 399175c227 Merge pull request #679 from rajasec/selinux-errorcheck
Adding selinux check during container start
2016-04-24 16:24:26 +00:00
Mrunal Patel e25811108b Bump up spec and add support for mount label
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-04-22 15:31:39 -07:00
rajasec d0bf80e481 Adding selinux check during container start
Signed-off-by: rajasec <rajasec79@gmail.com>

Fixed review comments and rebased

Signed-off-by: rajasec <rajasec79@gmail.com>

updated the message as per review comment

Signed-off-by: Rajasekaran <rajasec79@gmail.com>
2016-04-19 22:22:04 +05:30
rajasec d663afe2a3 Rebased with spec changes
Signed-off-by: rajasec <rajasec79@gmail.com>
2016-04-16 07:10:02 +05:30
Michael Crosby f417e993d0 Update spec to v0.5.0
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2016-04-12 14:11:40 -07:00
Michael Crosby df25eddce6 Add spec support for masked and readonly paths
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2016-04-01 13:04:47 -07:00
Mrunal Patel 79a2479099 Fixup incorrect pacakge name in a comment
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-03-30 14:48:19 -07:00
Michael Crosby 12bd4cffd0 Add --no-pivot option for containers on ramdisk
This adds a `--no-pivot` cli flag to runc so that a container's rootfs
can be located ontop of ramdisk/tmpfs and not fail because you cannot
pivot root.

This should be a cli flag and not part of the spec because this is a
detail of the host/runtime environment and not an attribute of a
container.

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2016-03-30 12:02:17 -07:00
Michael Crosby 6f84d902ca Implement hook timeouts
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2016-03-29 11:14:59 -07:00
Ido Yariv 28b21a5988 Export CreateLibcontainerConfig
Users of libcontainer other than runc may also require parsing and
converting specification configuration files.

Since runc cannot be imported, move the relevant functions and
definitions to a separate package, libcontainer/specconv.

Signed-off-by: Ido Yariv <ido@wizery.com>
2016-03-25 12:19:18 -04:00