The set of the apparmor profile for the setns codepath was missing.
Selinux was being called but apparmor was forgotten. This was causing
no profiles to be applied to the extra process spawn inside an existing
container.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Since currently the container.json file does not include the pathname
to a container's root filesystem, we need to parse /proc/mounts which
is slow and error-prone. This patch addresses this issue by adding a
new RootFs field.
Signed-off-by: Saied Kazemi <saied@google.com>
The current paths for the different systemd cgroup subsystems that
systemd manages and that we have to manage are very inconsistent. This
patch cleans up those differences and allows consistent paths to be
used.
Signed-off-by: Michael Crosby <michael@docker.com>
This also changes the functionality of the default exec in to just be an
existing func that is called than handles the implementation to exec a
user user's process inside the container. This implements this
functionallity in nsinit but is a base for how we will be handling these
types of features inside docker.
Signed-off-by: Michael Crosby <michael@docker.com>
Docker does not require RunIn API. Hence that API has been removed.
nsinit CLI has been modified to work around the nsenter changes.
Docker-DCO-1.1-Signed-off-by: Vishnu Kannan <vishnuk@google.com> (github: vishh)
namespaces.DefaultCreateCommand prepends the user-supplied command to
execute with "--", so that "nsinit init" does not attempt to interpret
it.
Docker-DCO-1.1-Signed-off-by: Bernerd Schaefer <bj.schaefer@gmail.com> (github: bernerdschaefer)
If a particular kernel doesn't have namespace directories that
libcontainer tries to attain during nsenter(), ignore the error (this is
consistent with the previous implementation of nsenter()).
Docker-DCO-1.1-Signed-off-by: Aleksa Sarai <cyphar@cyphar.com> (github: cyphar)
RunIn will connect to a user specified Terminal before running the command.
Docker-DCO-1.1-Signed-off-by: Vishnu Kannan <vishnuk@google.com> (github: vishh)
The issue with doing a remount as ro with sysfs is that if a container
is still in one of the hosts namepsaces, commonly with the NET
namespace, the remount will cause the host's systems sysfs to be
remounted as ro also. We can fix this correctly by not doing the
remount and just mount sys as ro in the first place.
The other remounts are individual files within proc so they will not
have this issue.
For context please see:
https://github.com/dotcloud/docker/issues/7101
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@docker.com> (github: crosbymichael)
This is no longer needed and is not properly built with the cross
compile scripts anyways.
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@docker.com> (github: crosbymichael)
This moves the sync pipe into a separate package to help the changes
when moving the API around.
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@docker.com> (github: crosbymichael)
Ensure that the command is killed if we receive an error from the child
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@docker.com> (github: crosbymichael)
We use a unix domain socketpair instead of a pipe for the sync pipe,
which allows us to use two-way shutdown. After sending the
context we shut down the write side which lets the child know
it finished reading.
We then block on a read in the parent for the child closing the file
(ensuring we close our version of it too) to sync for when the child
is finished initializing. If the read is non-empty we assume this
is an error report and fail with an error. Otherwise we continue as
before.
This also means we're now calling back the start callback later,
meaning at that point its more likely to have succeeded, as well as
having consumed all the container resources (like volume mounts,
making it safe to e.g. unmount them when the start callback is
called).
Docker-DCO-1.1-Signed-off-by: Alexander Larsson <alexl@redhat.com> (github: alexlarsson)
nsinit must be run as root.
Tidy up the README somewhat to clarify the distinction between
libcontainer and the nsinit CLI.
Fix some typos in other files.
Docker-DCO-1.1-Signed-off-by: Glyn Normington <gnormington@gopivotal.com> (github: glyn)
Michael Crosby
Saied Kazemi
Michael Crosby
Vishnu Kannan
Mrunal Patel
Bernerd Schaefer
Tianon Gravi
Victor Marmol
maebashi
Aleksa Sarai
Paul Morie
Alexander Larsson
Glyn Normington