Commit Graph

3035 Commits

Author SHA1 Message Date
Michael Crosby 5d93fed3d2 Set init processes as non-dumpable
This sets the init processes that join and set up the container's
namespaces as non-dumpable before they setns to the container's pid (or
any other) namespace.

This setting is automatically reset to the default after the Exec in
the container so that it does not change functionality for the
applications that are running inside, just our init processes.

This prevents parent processes, the pid 1 of the container, from ptracing
the init process before it drops caps and sets up LSMs and other settings.

This patch also ensures that the stateDirFD being used is still closed
prior to exec, even though it is set as O_CLOEXEC, because of the order
in the kernel.

https://github.com/torvalds/linux/blob/v4.9/fs/exec.c#L1290-L1318

The order during the exec syscall is that the process is set back to
dumpable before O_CLOEXEC flags are processed.

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2017-01-11 09:56:56 -08:00
Daniel, Dao Quang Minh 2cc5a91249 Merge pull request #1260 from coolljt0725/remove_redundant
Cleanup: remove redundant code
2017-01-11 17:18:15 +00:00
Mrunal Patel eedebb8c40 Merge pull request #1265 from WeiZhang555/fix-exec-regression
Fix regression of exec command
2017-01-10 11:08:59 -08:00
Zhang Wei 7719dca0ae Fix regression of exec command
Set minimal required args to 1 for `exec` command to roll back to
previous behavior, also modify help message a little bit.

Signed-off-by: Zhang Wei <zhangwei555@huawei.com>
2017-01-10 22:52:05 +08:00
Qiang Huang db99936a0e Merge pull request #1110 from avagin/cpt-in-userns
checkpoint: handle config.Devices and config.MaskPaths
2017-01-10 00:34:40 -06:00
Mrunal Patel 11f6c37e75 Merge pull request #1248 from datawolf/fix-the-outdated-comment
Fix the outdated comment for Error interface
2017-01-09 11:14:07 -08:00
Mrunal Patel 7ae521cef0 Merge pull request #1251 from datawolf/update-cgroup-comment
cgroups: update the comments
2017-01-09 11:13:39 -08:00
Michael Crosby 54a4439700 Merge pull request #1252 from FengtuWang/remove-i
remove `-i` option to avoid failure of jenkins in non-interactive mode.
2017-01-09 10:51:13 -08:00
Michael Crosby 9100e5f1f9 Merge pull request #1254 from hqhq/fix_go_vet
Fix go_vet errors
2017-01-09 10:49:45 -08:00
Michael Crosby 9adbb6cbf0 Merge pull request #1255 from hqhq/fix_typo
Fix typos
2017-01-09 10:49:16 -08:00
Michael Crosby 70672da684 Merge pull request #1257 from mrunalp/fix_warnings
Simplify error handling on function return
2017-01-09 10:48:17 -08:00
Michael Crosby d8bf8b2e5a Merge pull request #1258 from mrunalp/remove_dead_code
Remove unused code and unnecessary conversion
2017-01-09 10:47:02 -08:00
Michael Crosby fb0beac48f Merge pull request #1259 from mrunalp/fix_err_chk_shadow
Fix error shadow and error check warnings
2017-01-09 10:46:18 -08:00
Michael Crosby 5b8d1ecb4a Merge pull request #1232 from Mashimiao/fix-makefile-add-pages-cleanup
Makefile: add manpage cleanup
2017-01-09 10:35:19 -08:00
Michael Crosby 44e60af49d Merge pull request #1196 from hqhq/fix_cgroup_leftover
Fix leftover cgroup directory issue
2017-01-09 10:31:04 -08:00
Lei Jitang 689a116d18 Cleanup: remove redundant code
Signed-off-by: Lei Jitang <leijitang@huawei.com>
2017-01-09 01:56:14 -05:00
Mrunal Patel c54f1495e3 Fix error shadow and error check warnings
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2017-01-06 16:21:23 -08:00
Mrunal Patel a47e433428 Remove unused code and unnecessary conversion
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2017-01-06 16:10:13 -08:00
Mrunal Patel 87d08d1ac2 Simplify loop to a simple array append
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2017-01-06 16:02:05 -08:00
Mrunal Patel 84a3bd250c Simplify error handling on function return
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2017-01-06 15:57:31 -08:00
Qiang Huang 20f0ca7306 Fix typos
Found by:
https://goreportcard.com/report/github.com/opencontainers/runc#misspell

Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2017-01-06 10:54:33 +08:00
Qiang Huang f3c16acd47 Fix go_vet errors
runc/libcontainer/configs/namespaces_syscall_unsupported.go
Line 7: error: unreachable code (vet)
Line 14: error: unreachable code (vet)

Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2017-01-06 10:20:27 +08:00
Daniel, Dao Quang Minh 1a9dd2678d Merge pull request #1253 from xlgao-zju/add-goreport-badge
Add badge for Go Report Card
2017-01-05 12:52:09 +00:00
Xianglin Gao 27f7490b7e Add badge for Go Report Card
Signed-off-by: Xianglin Gao <xlgao@zju.edu.cn>
2017-01-04 16:52:29 +08:00
Fengtu Wang b5d4da872c remove `-i` option to avoid failure of jenkins in non-interactive mode.
Signed-off-by: Fengtu Wang <wangfengtu@huawei.com>
2017-01-04 16:33:05 +08:00
Qiang Huang 1e4ca86a72 Merge pull request #1250 from caniszczyk/add-travis-badge
Add Travis CI badge to README
2017-01-04 14:12:12 +08:00
Mrunal Patel 7b500a373d Merge pull request #1243 from cyphar/govet-cleanup
*: fix go-vet failures
2017-01-03 17:59:07 -08:00
Chris Aniszczyk 165fba9e4b Add Travis CI badge to README
https://travis-ci.org/opencontainers/runc

Signed-off-by: Chris Aniszczyk <caniszczyk@gmail.com>
2017-01-03 19:31:29 -06:00
Aleksa Sarai 816efe0abd *: fix go-vet failures
Previously, we would get failures with go-vet with test files.

% go vet ./...
libcontainer/integration/exec_test.go:42: github.com/opencontainers/runc/libcontainer/configs.IDMap composite literal uses unkeyed fields
libcontainer/integration/exec_test.go:43: github.com/opencontainers/runc/libcontainer/configs.IDMap composite literal uses unkeyed fields
libcontainer/integration/exec_test.go:184: github.com/opencontainers/runc/libcontainer/configs.IDMap composite literal uses unkeyed fields
libcontainer/integration/exec_test.go:185: github.com/opencontainers/runc/libcontainer/configs.IDMap composite literal uses unkeyed fields
libcontainer/integration/exec_test.go:1568: github.com/opencontainers/runc/libcontainer/configs.IDMap composite literal uses unkeyed fields
libcontainer/integration/exec_test.go:1569: github.com/opencontainers/runc/libcontainer/configs.IDMap composite literal uses unkeyed fields
libcontainer/integration/exec_test.go:1600: github.com/opencontainers/runc/libcontainer/configs.IDMap composite literal uses unkeyed fields
libcontainer/integration/exec_test.go:1601: github.com/opencontainers/runc/libcontainer/configs.IDMap composite literal uses unkeyed fields
libcontainer/integration/execin_test.go:92: github.com/opencontainers/runc/libcontainer/configs.IDMap composite literal uses unkeyed fields
libcontainer/integration/execin_test.go:93: github.com/opencontainers/runc/libcontainer/configs.IDMap composite literal uses unkeyed fields
libcontainer/integration/execin_test.go:506: github.com/opencontainers/runc/libcontainer/configs.IDMap composite literal uses unkeyed fields
libcontainer/integration/execin_test.go:507: github.com/opencontainers/runc/libcontainer/configs.IDMap composite literal uses unkeyed fields

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2017-01-04 09:48:32 +11:00
Wang Long 4dfd350a38 cgroups: update the comments
Signed-off-by: Wang Long <long.wanglong@huawei.com>
2017-01-03 22:40:12 +08:00
Wang Long 61640b099a Fix the outdated comment for Error interface
Signed-off-by: Wang Long <long.wanglong@huawei.com>
2017-01-03 15:06:47 +08:00
Qiang Huang c441a2fe0c Merge pull request #1246 from cyphar/travis-ci
travis: add travis-ci
2017-01-03 10:53:17 +08:00
Aleksa Sarai 4a7934d86f travis: add travis-ci
This sets up a working Travis CI configuration, that runs all of our
integration and unit tests (and also checks a simple raw-build on the
Travis server).

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2016-12-31 05:15:29 +11:00
Aleksa Sarai db25629d46 merge branch 'pr-1203'
Closes #1203
LGTMs: @cyphar @hqhq
2016-12-31 04:15:12 +11:00
Zhang Wei 51baedf3f3 Add integration for update rt period and runtime
Signed-off-by: Zhang Wei <zhangwei555@huawei.com>
2016-12-27 17:57:13 +08:00
Qiang Huang f376b8033d Merge pull request #1222 from justincormack/remount-fixes
Split the code for remounting mount points and mounting paths.
2016-12-27 15:24:56 +08:00
Aleksa Sarai c6d8a2f26f merge branch 'pr-1158'
Closes #1158
LGTMs: @hqhq @cyphar
2016-12-26 13:59:47 +11:00
Aleksa Sarai cae7979d1f merge branch 'pr-1217'
Closes #1217
LGTMs: @cyphar @hqhq
2016-12-24 09:31:38 +11:00
Aleksa Sarai 303f9a5ebb merge branch 'pr-1201'
Closes #1201
LGTMs: @cyphar @hqhq
2016-12-23 09:32:30 +11:00
Zhang Wei a344b2d6a8 sync up `HookState` with OCI spec `State`
`HookState` struct should follow definition of `State` in runtime-spec:

* modify json name of `version` to `ociVersion`.
* Remove redundant `Rootfs` field as rootfs can be retrieved from
`bundlePath/config.json`.

Signed-off-by: Zhang Wei <zhangwei555@huawei.com>
2016-12-20 00:00:43 +08:00
Qiang Huang 9a1e53eafc Merge pull request #1233 from WeiZhang555/bump-runtime-spec
Bump runtime-spec to v1.0.0-rc3
2016-12-19 15:35:08 +08:00
Qiang Huang 6222318e93 Merge pull request #1231 from Mashimiao/fix-rename-ocitools
rename ocitools to oci-runtime-tool
2016-12-19 15:27:45 +08:00
Zhang Wei 8eea644ccc Bump runtime-spec to v1.0.0-rc3
* Bump underlying runtime-spec to version 1.0.0-rc3
* Fix related changed struct names in config.go

Signed-off-by: Zhang Wei <zhangwei555@huawei.com>
2016-12-17 14:02:35 +08:00
Qiang Huang 27a67c9aa0 Merge pull request #1226 from nhlfr/dockerfile-cleanup
Clean apt archives and source directories in Dockerfile
2016-12-17 09:47:55 +08:00
Justin Cormack 50acb55233 Split the code for remounting mount points and mounting paths.
A remount of a mount point must include all the current flags or
these will be cleared:

```
The mountflags and data arguments should match the values used in the
original mount() call, except for those parameters that are being
deliberately changed.
```

The current code does not do this; the bug manifests in the specified
flags for `/dev` being lost on remount read only at present. As we
need to specify flags, split the code path for this from remounting
paths which are not mount points, as these can only inherit the
existing flags of the path, and these cannot be changed.

In the bind case, remove extra flags from the bind remount. A bind
mount can only be remounted read only, no other flags can be set,
all other flags are inherited from the parent. From the man page:

```
Since Linux 2.6.26, this flag can also be used to make an existing
bind mount read-only by specifying mountflags as:

MS_REMOUNT | MS_BIND | MS_RDONLY

Note that only the MS_RDONLY setting of the bind mount can be changed
in this manner.
```

MS_REC can only be set on the original bind, so move this. See note
in man page on bind mounts:

```
The remaining bits in the mountflags argument are also ignored, with
the exception of MS_REC.
```

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2016-12-16 14:01:17 -08:00
Ma Shimiao 9befe82cde Makefile: add manpage cleanup
I think generated manpages also need cleanup

Signed-off-by: Ma Shimiao <mashimiao.fnst@cn.fujitsu.com>
2016-12-16 14:33:05 +08:00
Ma Shimiao f22230a79d rename ocitools to oci-runtime-tool
Signed-off-by: Ma Shimiao <mashimiao.fnst@cn.fujitsu.com>
2016-12-16 14:04:50 +08:00
Michal Rostecki 5032f434f3 Clean apt archives and source directories in Dockerfile
Signed-off-by: Michal Rostecki <michal@kinvolk.io>
2016-12-14 23:42:32 +01:00
Mrunal Patel 083933fb90 Merge pull request #1221 from sameo/topic/validator
validate: Check that the given namespace path is a symlink
2016-12-10 16:12:31 -08:00
Samuel Ortiz f19aa2d04d validate: Check that the given namespace path is a symlink
When checking whether the provided networking namespace is the host
one or not, we should first check whether it's a symbolic link,
as in some cases we can use a persistent networking namespace under
e.g. /var/run/netns/.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2016-12-10 11:14:49 +01:00