Commit Graph

77 Commits

Author SHA1 Message Date
Michael Crosby 3cc90bd2d8 Add support for process overrides of settings
This commit adds support to libcontainer to allow caps, no new privs,
apparmor, and selinux process label to the process struct so that it can
be used together to override the base settings on the container config
per individual process.

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2016-03-03 11:41:33 -08:00
Michael Crosby aa9660027b Update spec version
This bump of the spec includes a change to the device type to be a
string so that it is more readable in the json serialization.

It also includes the change where caps, no new privs, and process
labeling features are moved from the container config onto the process.

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2016-03-03 10:26:38 -08:00
Qiang Huang bbd97cc98e Set sysfs readonly in config
It is what we hard coded in runC, now we do it in config,
also removed the legacy function.

Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2016-03-01 10:23:08 +08:00
Qiang Huang 146643f1f9 Merge pull request #595 from crosbymichael/masking
Update masked and ro paths
2016-03-01 11:14:20 +08:00
Mrunal Patel b1872a068e Merge pull request #454 from mlaventure/libcontainer-pidns
Move setns within nsexec
2016-02-29 15:34:19 -08:00
Mrunal Patel 8f7d5fe376 Merge pull request #590 from tonistiigi/fix-oomscoreadj
Fix setting OomScoreAdj from OCI spec
2016-02-28 21:52:21 -08:00
Daniel, Dao Quang Minh 4217b9c121 Do not override the specified userns path
Signed-off-by: Daniel, Dao Quang Minh <dqminh89@gmail.com>
2016-02-28 11:59:48 -08:00
Michael Crosby a12336eb3e Update masked and ro paths
This updates the current list to what we have now in docker and also
makes these always added so that these are masked out.  Privileged
containers can always unmount these if they want to read from kcore or
something like that.

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2016-02-26 15:54:53 -08:00
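The masking the message refers to is done with mounts: a directory is hidden under a read-only tmpfs, a file is covered with a bind mount of /dev/null, and a read-only path is bind-mounted over itself and that bind then remounted read-only. The following is an added example of that mechanism, not runc's or libcontainer's own code; PlanMask, PlanReadonly, PlanPaths and Apply are names chosen here, and only /proc/kcore comes from the message above (the rest of the list is not reproduced). The plan/apply split keeps the decision logic testable without root; Apply needs CAP_SYS_ADMIN inside the container's mount namespace.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"syscall"
)

// MountOp is one mount(2) call to be made inside the container's mount
// namespace once the rootfs is in place.
type MountOp struct {
	Source, Target, FSType string
	Flags                  uintptr
	Data                   string
}

// PlanMask returns the call that hides one path: a read-only tmpfs over a
// directory, or /dev/null bind-mounted over a file, so reads return nothing.
func PlanMask(path string, isDir bool) MountOp {
	if isDir {
		return MountOp{"tmpfs", path, "tmpfs", syscall.MS_RDONLY, ""}
	}
	return MountOp{"/dev/null", path, "", syscall.MS_BIND, ""}
}

// PlanReadonly returns the two calls that make an existing path read-only:
// bind it over itself, then remount that bind with MS_RDONLY. A remount
// without MS_BIND would try to change the underlying filesystem instead.
func PlanReadonly(path string) []MountOp {
	return []MountOp{
		{path, path, "", syscall.MS_BIND | syscall.MS_REC, ""},
		{path, path, "", syscall.MS_BIND | syscall.MS_REMOUNT | syscall.MS_RDONLY, ""},
	}
}

// PlanPaths builds the op list for a masked-path and read-only-path config.
// stat is the container's view of the filesystem (os.Stat after pivot_root
// in real use; the test passes one rooted at a temp dir). Paths that do not
// exist are skipped so one list can be applied to any image.
func PlanPaths(masked, readonly []string, stat func(string) (os.FileInfo, error)) ([]MountOp, error) {
	var ops []MountOp
	for _, p := range masked {
		fi, err := stat(p)
		if errors.Is(err, os.ErrNotExist) {
			continue
		}
		if err != nil {
			return nil, fmt.Errorf("stat masked path %s: %w", p, err)
		}
		ops = append(ops, PlanMask(p, fi.IsDir()))
	}
	for _, p := range readonly {
		if _, err := stat(p); errors.Is(err, os.ErrNotExist) {
			continue
		} else if err != nil {
			return nil, fmt.Errorf("stat readonly path %s: %w", p, err)
		}
		ops = append(ops, PlanReadonly(p)...)
	}
	return ops, nil
}

// Apply performs the planned calls in order. It must run inside the new
// mount namespace with CAP_SYS_ADMIN; a container that keeps that
// capability can umount these again, which is why masking only helps
// together with dropping it.
func Apply(ops []MountOp) error {
	for _, op := range ops {
		if err := syscall.Mount(op.Source, op.Target, op.FSType, op.Flags, op.Data); err != nil {
			return fmt.Errorf("mount %s on %s: %w", op.Source, op.Target, err)
		}
	}
	return nil
}

func main() {
	// /proc/kcore is from the commit message; everything else is a constructed example.
	ops, err := PlanPaths([]string{"/proc/kcore"}, []string{"/proc/sys"}, os.Stat)
	if err != nil {
		fmt.Println("plan:", err)
		return
	}
	for _, op := range ops {
		fmt.Printf("mount %q -> %q type=%q flags=%#x\n", op.Source, op.Target, op.FSType, op.Flags)
	}
	// err = Apply(ops) // requires root inside the target mount namespace
}
```

A quick check after Apply is that `cat /proc/kcore` inside the container returns nothing, while a shell that still holds CAP_SYS_ADMIN can `umount /proc/kcore` and see the real file again, which is the caveat the message spells out for privileged containers.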
Tonis Tiigi 30534f979b Fix setting OomScoreAdj from OCI spec
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2016-02-25 12:01:18 -08:00
Michael Crosby ac43d4a0ab Save bundle path in labels
This saves and returns the bundle path for the container in the
container's config and state.  It also returns the information via runc
list.

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2016-02-24 11:11:10 -08:00
Phil Estes 0b5581fd28 Handle memory swappiness as a pointer to handle default/unset case
This prior fix to set "-1" explicitly was lost, and it is simpler to use
the same pointer type from the OCI spec to handle nil pointer == -1 ==
unset case.

Also, as a nearly humorous aside, there was a test for MemorySwappiness
that was actually setting Memory, and it was passing because of this
bug (as it was always setting everyone's MemorySwappiness to zero!)

Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
2016-02-24 09:02:06 -06:00
Alexander Morozov 382880b250 Merge pull request #569 from mlaventure/fix-cgroupspath-as-cgroupsparent
Fix CgroupsPath interpretation
2016-02-17 12:54:51 -08:00
Kenfe-Mickael Laventure 3ceff76f64 Fix CgroupsPath interpretation
When CgroupsPath code was introduced with #497 it was mistakenly made
to act as the equivalent of docker CgroupsParent. This ensures that it
is taken as the final cgroup path.

A couple of unit tests have been added to prevent future regression.

Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
2016-02-17 08:33:46 -08:00
Mrunal Patel 90472aeb9e Merge pull request #546 from mikebrow/usage-updates
updating usage for runc, and all runc commands that now use <container id> as the first argument
2016-02-17 21:13:22 +05:30
Mike Brown f4e37ab63e updating usage for runc and runc commands
Signed-off-by: Mike Brown <brownwm@us.ibm.com>
2016-02-17 09:00:39 -06:00
Mrunal Patel af400b90c3 Hook up the support to the OCI specification config
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-02-16 06:57:51 -08:00
Kenfe-Mickael Laventure 256f3a8ebc Add support for CgroupsPath field
Fixes #396

Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
2016-02-10 11:26:51 -08:00
Michael Crosby 3baae2d525 Update runc for devices changes
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2016-02-08 13:15:12 -08:00
Mike Brown c2c0458598 merges latest spec with runc
Signed-off-by: Mike Brown <brownwm@us.ibm.com>
2016-02-05 12:47:09 -08:00
Michael Crosby 1a4a49bf42 Remove version check in runc
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2016-01-28 10:51:25 -08:00
Mrunal Patel 9cd641486a Update github.com/opencontainers/specs to a7b50925d8
This leaves out the internal conversions as we may need to consider
docker backward compatibility for those changes.

Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-01-25 19:19:15 -05:00
Mrunal Patel c323574797 Check that cwd is absolute
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-01-15 19:06:27 -05:00
Mrunal Patel 269a717555 Make cwd required
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-01-14 19:06:56 -05:00
Aleksa Sarai db3159c9d9 libcontainer: cgroups: add pids controller support
Add support for the pids cgroup controller to libcontainer, a recent
feature that is available in Linux 4.3+.

Unfortunately, due to the init process being written in Go, it can spawn
an unknown number of threads due to blocked syscalls. This results in
the init process being unable to run properly, and thus small pids.max
configs won't work properly.

Signed-off-by: Aleksa Sarai <asarai@suse.com>
2016-01-12 10:06:32 +11:00
Mrunal Patel 4124ba9468 Revert "cgroups: add pids controller support"
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2015-12-19 07:48:48 -08:00
Aleksa Sarai 37789f5bf1 libcontainer: cgroups: add pids controller support
Add support for the pids cgroup controller to libcontainer, a recent
feature that is available in Linux 4.3+.

Unfortunately, due to the init process being written in Go, it can spawn
an unknown number of threads due to blocked syscalls. This results in
the init process being unable to run properly, and thus small pids.max
configs won't work properly.

Signed-off-by: Aleksa Sarai <asarai@suse.com>
2015-12-19 11:30:38 +11:00
Mrunal Patel 55a49f2110 Move the cgroups setting into a Resources struct
This allows us to distinguish cases where a container
needs to just join the paths or also additionally
set cgroups settings. This will help in implementing
cgroupsPath support in the spec.

Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2015-12-16 15:53:31 -05:00
Mrunal Patel b28ec60b0e Merge pull request #373 from mikebrow/bundle-dir-310
adding support for --bundle
2015-11-16 12:07:01 -08:00
Mike Brown 8b19581694 adding support for --bundle -b to start, restore, and spec; fixes issue #310
Signed-off-by: Mike Brown <brownwm@us.ibm.com>
2015-11-13 09:13:57 -06:00
Mrunal Patel 452e8a73c5 Integrate poststart hooks with spec
* Call poststart hooks after the container is started
* Tie in with spec configuration

Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2015-11-06 18:03:32 -05:00
Alexander Morozov db21ac7750 Merge pull request #355 from keloyang/nake
Remove naked return
2015-10-25 19:50:41 -07:00
yangshukui e5ef8d239a Add the conversion of architectures for seccomp config
Signed-off-by: yangshukui <yangshukui@huawei.com>
2015-10-23 10:17:39 +08:00
yangshukui 4584a4e762 Remove naked return
Signed-off-by: yangshukui <yangshukui@huawei.com>
2015-10-22 14:31:15 +08:00
Mrunal Patel 546c5c80dc Add additional gids support
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2015-10-07 16:51:53 -04:00
Antonio Murdaca c6e406af24 Adjust runc to new opencontainers/specs version
Godeps: Vendor opencontainers/specs 96bcd043aa

Fix a bug where it's impossible to pass multiple devices to blkio
cgroup controller files. See https://github.com/opencontainers/runc/issues/274

Signed-off-by: Antonio Murdaca <runcom@linux.com>
2015-10-03 12:25:33 +02:00
Vivek Goyal f6fadd2ffe Start parsing rootfsPropagation and make it effective
spec introduced a new field rootfsPropagation. Right now that field
is not parsed by runc and it does not take effect. Start parsing
it and for now allow only limited propagation flags. More can be
opened as new use cases show up.

We are applying propagation flags on / and not rootfs. So ideally
we should introduce another field in spec say rootPropagation. For
now I am parsing rootfsPropagation. Once we agree on design, we
can discuss if we need another field in spec or not.

Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
2015-10-01 17:03:02 -04:00
Vivek Goyal 5dd6caf6cf Replace config.Privatefs with config.RootPropagation
Right now config.Privatefs is a boolean which determines if / is applied
with propagation flag syscall.MS_PRIVATE | syscall.MS_REC or not.

Soon we want to represent other propagation states like private, [r]slave,
and [r]shared. So either we can introduce more boolean variable or keep
track of propagation flags in an integer variable. Keeping an integer
variable is more versatile and can allow various kind of propagation flags
to be specified. So replace Privatefs with RootPropagation which is an
integer.

Note, this will require changes in docker. Instead of setting Privatefs
to true, they will need to set:

config.RootPropagation = syscall.MS_PRIVATE | syscall.MS_REC

Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
2015-10-01 17:03:02 -04:00
Mrunal Patel dcafe48737 Add version to HookState to make it json-compatible with spec State
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2015-09-23 17:13:00 -07:00
Mrunal Patel 9964fcde37 hooks: Integrate spec hooks with libcontainer
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2015-09-23 16:29:10 -07:00
Mrunal Patel 18c461301d Merge pull request #270 from laijs/spec-options-refactor
simple refactor for the options of `runc spec`
2015-09-23 16:26:01 -07:00
Vivek Goyal d1f4a5b8b5 libcontainer: Allow passing mount propagation flags
Right now if one passes a mount propagation flag in spec file, it
does not take effect. For example, try following in spec json file.

{
  "type": "bind",
  "source": "/root/mnt-source",
  "destination": "/root/mnt-dest",
  "options": "rbind,shared"
}

One would expect that /root/mnt-dest will be shared inside the container
but that's not the case.

#findmnt -o TARGET,PROPAGATION
`-/root/mnt-dest                      private

Reason being that propagation flags can't be passed in along with other
regular flags. They need to be passed in a separate call to mount syscall.
That too, one propagation flag at a time. (from mount man page).

Hence, store propagation flags separately in a slice and apply these
in that order after the mount call wherever appropriate. This allows
user to control the propagation property of mount point inside
the container.

Storing them separately also solves another problem where recursive flag
(syscall.MS_REC) can get mixed up. For example, options "rbind,private"
and "bind,rprivate" will be the same and there will be no way to differentiate
between these if all the flags are stored in a single integer.

This patch would allow one to pass propagation flags "[r]shared,[r]slave,
[r]private,[r]unbindable" in spec file as per mount property.

Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
2015-09-16 15:53:23 -04:00
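The mechanism described in this message and in the two rootfsPropagation/RootPropagation messages above (propagation types must go in their own mount(2) call, one at a time, and MS_REC has to stay attached to the individual propagation flag so "rbind,private" and "bind,rprivate" stay distinct) can be shown with a small parser. What follows is an added example written for this page, not libcontainer's code: the option table, ParsedMount, ParseMountOptions, Apply and ParseRootPropagation are names and choices made here, the allow-list for rootfsPropagation is this example's own, and the spec's mount options are taken as a list of strings. Apply needs CAP_SYS_ADMIN in the mount namespace being set up; everything else runs unprivileged.

```go
package main

import (
	"fmt"
	"strings"
	"syscall"
)

// mountOption is one entry of the option table. Propagation options are
// kept apart from ordinary mount flags because the kernel only accepts a
// propagation change as a mount(2) call of its own, one type per call.
type mountOption struct {
	flag        uintptr
	propagation bool
}

// optionTable is a constructed subset of mount(8) option names for this
// example, not libcontainer's own table.
var optionTable = map[string]mountOption{
	"bind":        {syscall.MS_BIND, false},
	"rbind":       {syscall.MS_BIND | syscall.MS_REC, false},
	"ro":          {syscall.MS_RDONLY, false},
	"nosuid":      {syscall.MS_NOSUID, false},
	"nodev":       {syscall.MS_NODEV, false},
	"noexec":      {syscall.MS_NOEXEC, false},
	"private":     {syscall.MS_PRIVATE, true},
	"rprivate":    {syscall.MS_PRIVATE | syscall.MS_REC, true},
	"shared":      {syscall.MS_SHARED, true},
	"rshared":     {syscall.MS_SHARED | syscall.MS_REC, true},
	"slave":       {syscall.MS_SLAVE, true},
	"rslave":      {syscall.MS_SLAVE | syscall.MS_REC, true},
	"unbindable":  {syscall.MS_UNBINDABLE, true},
	"runbindable": {syscall.MS_UNBINDABLE | syscall.MS_REC, true},
}

// ParsedMount is one mount entry split three ways: regular flags OR-ed
// together, propagation flags kept in the order given, and anything else
// passed through as filesystem-specific data.
type ParsedMount struct {
	Flags       uintptr
	Propagation []uintptr
	Data        string
}

// ParseMountOptions takes the spec's option list, e.g. ["rbind", "shared"].
// Because each propagation flag keeps its own MS_REC bit in the slice,
// "rbind,private" and "bind,rprivate" parse differently.
func ParseMountOptions(options []string) ParsedMount {
	var p ParsedMount
	var data []string
	for _, o := range options {
		o = strings.TrimSpace(o)
		if o == "" {
			continue
		}
		switch opt, ok := optionTable[o]; {
		case ok && opt.propagation:
			p.Propagation = append(p.Propagation, opt.flag)
		case ok:
			p.Flags |= opt.flag
		default:
			data = append(data, o) // e.g. "size=64k" for tmpfs
		}
	}
	p.Data = strings.Join(data, ",")
	return p
}

// Apply performs the mount itself, then issues one extra mount(2) call per
// propagation flag, in order. Needs CAP_SYS_ADMIN in the target namespace.
func (p ParsedMount) Apply(source, dest, fstype string) error {
	if err := syscall.Mount(source, dest, fstype, p.Flags, p.Data); err != nil {
		return fmt.Errorf("mount %s: %w", dest, err)
	}
	for _, pf := range p.Propagation {
		if err := syscall.Mount("", dest, "", pf, ""); err != nil {
			return fmt.Errorf("set propagation on %s: %w", dest, err)
		}
	}
	return nil
}

// ParseRootPropagation maps the spec's rootfsPropagation string onto the
// single integer a config field like RootPropagation holds. The allow-list
// (private/slave/shared and their recursive forms) is this example's choice;
// an unknown or unbindable value is rejected rather than silently ignored.
func ParseRootPropagation(s string) (uintptr, error) {
	if s == "" {
		return syscall.MS_PRIVATE | syscall.MS_REC, nil // conservative default
	}
	opt, ok := optionTable[s]
	if !ok || !opt.propagation || opt.flag&syscall.MS_UNBINDABLE != 0 {
		return 0, fmt.Errorf("rootfsPropagation %q not allowed", s)
	}
	return opt.flag, nil
}

func main() {
	p := ParseMountOptions([]string{"rbind", "shared"})
	fmt.Printf("flags=%#x propagation=%#x data=%q\n", p.Flags, p.Propagation, p.Data)
	// p.Apply("/root/mnt-source", "/root/mnt-dest", "bind") // needs root
}
```

After Apply, `findmnt -o TARGET,PROPAGATION /root/mnt-dest` inside the container should report shared rather than the private shown in the message; if the propagation flags were OR-ed into the first mount call instead, the kernel would have returned EINVAL or ignored them, depending on the combination.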
Alexander Morozov dae4560ec2 Merge pull request #257 from mrunalp/cap_prefix
Add CAP prefix for capabilities
2015-09-16 11:39:39 -07:00
Lai Jiangshan 8132f4d797 close config file after loaded
Signed-off-by: Lai Jiangshan <jiangshanlai@gmail.com>
2015-09-16 10:54:53 +08:00
Lai Jiangshan 66f152d6dd simple refactor for the options of `runc spec`
Signed-off-by: Lai Jiangshan <jiangshanlai@gmail.com>
2015-09-16 10:06:59 +08:00
Mrunal Patel 859abee0c8 Add CAP prefix for capabilities
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2015-09-15 14:43:03 -04:00
Alexander Morozov ea5032bc5e Adjust runc to new opencontainers/specs version
I deleted possibility to specify config file from commands for now.
Until we decide how it'll be done. Also I changed runc spec interface to
write config files instead of output them.

Signed-off-by: Alexander Morozov <lk4d4@docker.com>
2015-09-15 08:35:25 -07:00
Michael Crosby b9c32b3869 Merge pull request #223 from rajasec/rlimitspec
Adding rlimit in spec
2015-08-28 10:34:59 -07:00
Matthew Heon 2ee6d1e8b6 Connect Seccomp configuration in Spec to configuration in Libcontainer
Signed-off-by: Matthew Heon <mheon@redhat.com>
2015-08-25 17:35:06 -04:00
Rajasekaran ab4b825f8c Adding rlimit in spec
Signed-off-by: Rajasekaran <rajasec79@gmail.com>

Removing return type

Signed-off-by: Rajasekaran <rajasec79@gmail.com>
2015-08-24 21:33:36 +05:30
Mrunal Patel 31f88daf91 Integrate security settings
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2015-08-18 20:10:23 -04:00