Commit Graph

4097 Commits

Author SHA1 Message Date
Akihiro Suda 492d525e55 vendor: update go-systemd and godbus
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-03-16 13:26:03 +09:00
Mrunal Patel 981dbef514
Merge pull request #2226 from avagin/runsc-restore-cmd-wait
restore: fix a race condition in process.Wait()
2020-03-15 18:48:16 -07:00
Aleksa Sarai a15d2c3ca0
merge branch 'pr-2073'
Odin Ugedal (7):
  Run verify-dependencies only on go1.x
  Don't add git utils to go.mod in CI
  Remove refrences to vndr
  Make CI script to verify that vendor is in sync
  Fix file permissions for mounts.bats
  Update spec test to use go.mod
  Add support for GO Modules

LGTMs: @hqhq @AkihiroSuda @cyphar
Closes #2073
2020-03-16 12:38:40 +11:00
Aleksa Sarai 9167393cb8
merge branch 'pr-2254'
Kir Kolyshkin (2):
  Makefile: add selinux and apparmor build tags
  README, travis.yml: rm ambient tag

LGTMs: @AkihiroSuda @cyphar
Closes #2254
2020-03-16 12:26:23 +11:00
Kir Kolyshkin 89c108b1be Makefile: add selinux and apparmor build tags
Both selinux and apparmor subsystem can detect whether it is enabled,
and act accordingly. Compiling it in by default should help avoid
some frustration cased by missing build tags.

This should not change anything in case BUILDTAGS is already set.

README.md is amended to clarify what BUILDTAGS are enabled by
default.

[v2: add apparmor]
[v3: add it unconditionally, fix README]

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-03-15 10:29:35 -07:00
Kir Kolyshkin 69f6f32f6b README, travis.yml: rm ambient tag
This build tag was removed in commit 4f903a21c4 (PR #1370)
quite some time ago.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-03-15 10:25:33 -07:00
Michael Crosby 8615da6f7b
Merge pull request #1999 from lifubang/rootlesspath
fix rootless container: unrelated error with root flag
2020-03-13 16:06:54 -04:00
Mrunal Patel 167e33ca50
Merge pull request #1807 from giuseppe/notify-no-block
sd-notify: do not hang when NOTIFY_SOCKET is used with create
2020-03-13 10:40:13 -07:00
Giuseppe Scrivano 25fd4a6757
sd-notify: do not hang when NOTIFY_SOCKET is used with create
if NOTIFY_SOCKET is used, do not block the main runc process waiting
for events on the notify socket.  Bind mount the parent directory of
the notify socket, so that "start" can create the socket and it is
still accessible from the container.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2020-03-12 21:21:05 +01:00
Akihiro Suda aa269315a4 cgroup2: add CpuMax conversion
Fix #2243

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-03-13 02:58:39 +09:00
Akihiro Suda 64e9a97981 cgroup2: fix conversion
* TestConvertCPUSharesToCgroupV2Value(0) was returning 70369281052672, while the correct value is 0
* ConvertBlkIOToCgroupV2Value(0) was returning 32, while the correct value is 0
* ConvertBlkIOToCgroupV2Value(1000) was returning 4, while the correct value is 10000

Fix #2244
Follow-up to #2212 #2213

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-03-13 02:57:07 +09:00
Sascha Grunert b477a159db
Remove unreachable code paths
Signed-off-by: Sascha Grunert <sgrunert@suse.com>
2020-03-12 09:13:03 +01:00
lifubang 7d6e091fe0 fix error when there is --root and XDG_RUNTIME_DIR env
Signed-off-by: lifubang <lifubang@acmcoder.com>
Signed-off-by: Lifubang <lifubang@acmcoder.com>
Signed-off-by: lifubang <lifubang@acmcoder.com>
Signed-off-by: Lifubang <lifubang@acmcoder.com>
2020-03-12 10:16:53 +08:00
Mrunal Patel 0ff53526a4
Merge pull request #2252 from pkagrawal/2251-fix
Synchronize the call to linuxContainer.Signal()
2020-03-11 11:11:56 -07:00
Akihiro Suda 71dfb559d6
Merge pull request #2238 from tedyu/init-proc-err-ret
Use named error return for initProcess#start
2020-03-11 01:03:13 +09:00
l00397676 62cfad97ca specconv: add a test case to check null spec.Process
Signed-off-by: l00397676 <lujingxiao@huawei.com>
2020-03-10 11:43:51 +08:00
Pradyumna Agrawal 5b2b138d24 Synchronize the call to linuxContainer.Signal()
linuxContainer.Signal() can race with another call to say Destroy()
which clears the container's initProcess. This can cause a nil pointer
dereference in Signal().

This patch will synchronize Signal() and Destroy() by grabbing the
container's mutex as part of the Signal() call.

Signed-off-by: Pradyumna Agrawal <pradyumnaa@vmware.com>
2020-03-09 11:15:22 -07:00
zyu 957da1f9ab Use named error return for initProcess#start
Signed-off-by: zyu <yuzhihong@gmail.com>
2020-03-09 09:29:03 -07:00
Akihiro Suda bbaba4c081
Merge pull request #2228 from cpuguy83/no_whiches
Use "command -v" shell builtin instead of "which"
2020-03-10 01:16:05 +09:00
Michael Crosby 2864bf46d6
Merge pull request #1877 from KentaTada/add-rootless-testpath-in-makefile
Add rootless testpath in Makefile
2020-03-09 11:10:18 -04:00
Odin Ugedal 777f97d8de
Run verify-dependencies only on go1.x
Signed-off-by: Odin Ugedal <odin@ugedal.com>
2020-03-07 10:46:34 +01:00
Odin Ugedal 83f9b8890f
Don't add git utils to go.mod in CI
Signed-off-by: Odin Ugedal <odin@ugedal.com>
2020-03-07 09:29:33 +01:00
Odin Ugedal f7edcc3a89
Remove refrences to vndr
Signed-off-by: Odin Ugedal <odin@ugedal.com>
2020-03-07 09:29:33 +01:00
Odin Ugedal a08ab87fe9
Make CI script to verify that vendor is in sync
Signed-off-by: Odin Ugedal <odin@ugedal.com>
2020-03-07 09:29:33 +01:00
Odin Ugedal df583b4c51
Fix file permissions for mounts.bats
Signed-off-by: Odin Ugedal <odin@ugedal.com>
2020-03-07 09:29:33 +01:00
Odin Ugedal 382735469c
Update spec test to use go.mod
Signed-off-by: Odin Ugedal <odin@ugedal.com>
2020-03-07 09:29:32 +01:00
Odin Ugedal 69e8fb2a74
Add support for GO Modules
This removes vndr, and swiches to native Go Modules instead. All modules
are kept on the old version.

Keeps the vendor/ dir, so everything is backwards compatible.

Signed-off-by: Odin Ugedal <odin@ugedal.com>
2020-03-07 09:29:29 +01:00
Michael Crosby fc5759cf4f
Merge pull request #2222 from cyphar/update-travis
travis: update configuration
2020-03-06 10:55:04 -05:00
Kenta Tada af3a81e48e Add rootless testpath in Makefile
This commit modifies Makefile for rootless test to select testpath.

Signed-off-by: Kenta Tada <Kenta.Tada@sony.com>
2020-03-06 17:02:33 +09:00
Akihiro Suda 6503438fd6
Merge pull request #2212 from Zyqsempai/2211-convert-blkio-weight-properly
Convert blkioWeight to io.weight properly
2020-03-05 09:32:45 +09:00
Akihiro Suda c4730fa669
Merge pull request #2230 from thaJeztah/update_selinux_v1.3.1
vendor: opencontainers/selinux v1.3.3, and update golang.org/x/sys
2020-03-04 13:54:54 +09:00
Brian Goff 42bfdf5f2d Use "command -v" shell builtin instead of "which"
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2020-03-03 16:28:54 -08:00
Aleksa Sarai 93e5c4d320
merge branch 'pr-2232'
Aleksa Sarai (1):
  libcontainer: dual-license nsenter/cloned_binary.c

LGTMs: @mrunalp @AkihiroSuda
Closes #2232
2020-03-04 11:10:49 +11:00
Michael Crosby b6657fc365
Merge pull request #2231 from thaJeztah/nominate_akihiro
MAINTAINERS: add Akihiro Suda to maintainers
2020-03-03 11:46:05 -05:00
Sebastiaan van Stijn d8953334bb
vendor: update opencontainers/selinux v1.3.3
full diff: https://github.com/opencontainers/selinux/compare/v1.3.1...v1.3.3

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-03-02 12:41:07 +01:00
Sebastiaan van Stijn 22e00ddc03
vendor: update golang.org/x/sys 52ab431487773bc9dd1b0766228b1cf3944126bf
full diff: 9eafafc0a8...52ab431487

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-03-02 12:41:05 +01:00
Sebastiaan van Stijn c295a6339c
vendor: update opencontainers/selinux v1.3.1
full diff: 5215b1806f...v1.3.1

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-03-02 12:41:01 +01:00
Qiang Huang 3b7e32feba
Merge pull request #2210 from Zyqsempai/2164-remove-deprecated-systemd-resources
Exchange deprecated systemd resources with the appropriate for cgroupv2
2020-02-29 10:13:55 +08:00
Aleksa Sarai 98de84265d
libcontainer: dual-license nsenter/cloned_binary.c
The new license is Apache-2.0 OR LPGL-2.1-or-later. This is necessary
for libcrun to be relicensed under the LGPL-2.1[1], and all of the
relevant copyright holders have agreed to relicense this code under the
dual license:

  * Aleksa Sarai [2]
  * Christian Brauner [3]
  * Justin Cormack [4]

Because it is still dual-licensed as an Apache-2.0 work, this doesn't
affect it's usability within runc or any other dependent projects.

[1]: https://github.com/containers/crun/issues/256
[2]: https://github.com/containers/crun/issues/256#issuecomment-589498088
[3]: https://github.com/containers/crun/issues/256#issuecomment-589605034
[4]: https://github.com/containers/crun/issues/256#issuecomment-589504231

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2020-02-22 00:17:07 +11:00
Sebastiaan van Stijn bc43c4bd16
MAINTAINERS: add Akihiro Suda to maintainers
I'm nominating Akihiro to be added as a maintainer for runc. Akihiro has been a
frequent contributor to this project, bringing expertise in important areas, such
as cgroups v2 and rootless containers.

Akihiro has experience with collaborating on, and maintaining various mainstream
open source projects in the container ecosystem, and as such would be a great
addition to the list of maintainers to help this project moving forward.

With this pull request, I invite the maintainers to vote on this PR, as described
in the maintainers guide;
602c85fdc6/MAINTAINERS_GUIDE.md (how-are-maintainers-added)

> The final vote to add a new maintainer should be approved by over 66% of the
> current maintainers with the chief maintainer having veto power. In case of a
> veto, conflict resolution rules expressed above apply. The voting period is
> five business days on the Pull Request to add the new maintainer.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-02-21 10:03:08 +01:00
Aleksa Sarai 688cf6d43c
merge branch 'pr-2223'
wanghuaiqing (1):
  Fix the value corresponding to rlimitmap [key]

LGTMs: @hqhq @cyphar
Closes #2223
2020-02-21 16:12:41 +11:00
Aleksa Sarai 0f32b03dda
merge branch 'pr-2192'
Boris Popovschi (2):
  Fix skip message for cgroupv2
  Fix MAJ:MIN io.stat parsing order

LGTMs: @hqhq @cyphar
Closes #2192
2020-02-21 16:00:17 +11:00
Qiang Huang 13b1603fd0
Merge pull request #2224 from kolyshkin/systemd-props
Allow to set systemd scope properties via annotations
2020-02-21 09:07:56 +08:00
Boris Popovschi 4b8134f63b Convert blkioWeight to io.weight properly
Signed-off-by: Boris Popovschi <zyqsempai@mail.ru>
2020-02-18 15:44:07 +02:00
Kir Kolyshkin 1cd71dfd71 systemd properties: support for *Sec values
Some systemd properties are documented as having "Sec" suffix
(e.g. "TimeoutStopSec") but are expected to have "USec" suffix
when passed over dbus, so let's provide appropriate conversion
to improve compatibility.

This means, one can specify TimeoutStopSec with a numeric argument,
in seconds, and it will be properly converted to TimeoutStopUsec
with the argument in microseconds. As a side bonus, even float
values are converted, so e.g. TimeoutStopSec=1.5 is possible.

This turned out a bit more tricky to implement when I was
originally expected, since there are a handful of numeric
types in dbus and each one requires explicit conversion.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-02-17 16:07:19 -08:00
Kir Kolyshkin 2a81236e89 Document using annotations to set systemd props
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-02-17 16:07:19 -08:00
Kir Kolyshkin 4c5c3fb960 Support for setting systemd properties via annotations
In case systemd is used to set cgroups for the container,
it creates a scope unit dedicated to it (usually named
`runc-$ID.scope`).

This patch adds an ability to set arbitrary systemd properties
for the systemd unit via runtime spec annotations.

Initially this was developed as an ability to specify the
`TimeoutStopUSec` property, but later generalized to work with
arbitrary ones.

Example usage: add the following to runtime spec (config.json):

```
	"annotations": {
		"org.systemd.property.TimeoutStopUSec": "uint64 123456789",
		"org.systemd.property.CollectMode":"'inactive-or-failed'"
	},
```

and start the container (e.g. `runc --systemd-cgroup run $ID`).

The above will set the following systemd parameters:
* `TimeoutStopSec` to 2 minutes and 3 seconds,
* `CollectMode` to "inactive-or-failed".

The values are in the gvariant format (see [1]). To figure out
which type systemd expects for a particular parameter, see
systemd sources.

In particular, parameters with `USec` suffix require an `uint64`
typed argument, while gvariant assumes int32 for a numeric values,
therefore the explicit type is required.

NOTE that systemd receives the time-typed parameters as *USec
but shows them (in `systemctl show`) as *Sec. For example,
the stop timeout should be set as `TimeoutStopUSec` but
is shown as `TimeoutStopSec`.

[1] https://developer.gnome.org/glib/stable/gvariant-text.html

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-02-17 16:07:19 -08:00
Mrunal Patel 81ef5024f8
Merge pull request #2213 from Zyqsempai/2166-convert-cpu-weight-poperly
Added conversion for cpu.weight v2
2020-02-17 07:49:39 -08:00
Boris Popovschi 7c439cc6f6 Added conversion for cpu.weight v2
Signed-off-by: Boris Popovschi <zyqsempai@mail.ru>
2020-02-12 11:32:34 +02:00
Andrei Vagin 269ea385a4 restore: fix a race condition in process.Wait()
Adrian reported that the checkpoint test stated failing:
=== RUN   TestCheckpoint
--- FAIL: TestCheckpoint (0.38s)
    checkpoint_test.go:297: Did not restore the pipe correctly:

The problem here is when we start exec.Cmd, we don't call its wait
method. This means that we don't wait cmd.goroutines ans so we don't
know when all data will be read from process pipes.

Signed-off-by: Andrei Vagin <avagin@gmail.com>
2020-02-10 10:21:08 -08:00