Since Linux 4.3 ambient capabilities are available. If set, these allow unprivileged child
processes to inherit capabilities, while at present there is no means to set capabilities
on non-root processes, other than via filesystem capabilities, which are not usually
supported in image formats.
With ambient capabilities non-root processes can be given capabilities as well, and so
the main reason to use root in containers goes away, and capabilities work as expected.
The code falls back to the existing behaviour if ambient capabilities are not supported.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
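The probe-then-raise pattern this commit describes, as an added example in Go that is not runc's own code: it assumes a Linux host, uses the raw prctl(2) constants from <linux/prctl.h>, and treats EINVAL as "kernel without ambient support, fall back" while any other errno is reported; the capability number in main is a constructed sample.

```go
package main
import (
	"fmt"
	"syscall"
)
const (
	prCapAmbient      = 47 // PR_CAP_AMBIENT
	prCapAmbientIsSet = 1  // PR_CAP_AMBIENT_IS_SET
	prCapAmbientRaise = 2  // PR_CAP_AMBIENT_RAISE
)

// ambientSupported probes PR_CAP_AMBIENT_IS_SET on CAP_CHOWN (0): a 0/1 answer
// means the kernel implements ambient caps; EINVAL means it does not, which is
// the cue to fall back to the pre-ambient behaviour rather than fail setup.
func ambientSupported() (bool, error) {
	_, _, errno := syscall.Syscall6(syscall.SYS_PRCTL, prCapAmbient, prCapAmbientIsSet, 0, 0, 0, 0)
	switch errno {
	case 0:
		return true, nil
	case syscall.EINVAL:
		return false, nil
	default:
		return false, fmt.Errorf("prctl(PR_CAP_AMBIENT_IS_SET): %w", errno)
	}
}

// raiseAmbient adds each capability to the ambient set so a non-root child keeps
// it across execve. The kernel only accepts caps already in both the permitted and
// inheritable sets (EPERM otherwise), which is a misconfiguration worth surfacing.
func raiseAmbient(caps []uintptr) (fallback bool, err error) {
	ok, err := ambientSupported()
	if err != nil {
		return false, err
	}
	if !ok {
		return true, nil // no kernel support: raise nothing, caller keeps old path
	}
	for _, c := range caps {
		_, _, errno := syscall.Syscall6(syscall.SYS_PRCTL, prCapAmbient, prCapAmbientRaise, c, 0, 0, 0)
		if errno != 0 {
			return false, fmt.Errorf("raise ambient capability %d: %w", c, errno)
		}
	}
	return false, nil
}
func main() {
	fallback, err := raiseAmbient([]uintptr{10}) // constructed sample: CAP_NET_BIND_SERVICE
	fmt.Println("fallback:", fallback, "err:", err)
}
```

Run as an unprivileged user the raise step normally fails with EPERM until the capability has been placed in the permitted and inheritable sets, which is exactly the misconfiguration the error is meant to expose.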
runc currently fails to build against the upstream version of
runtime-spec/specs-go.
```
# github.com/opencontainers/runc
./spec.go:189: cannot use specs.Linux literal (type specs.Linux) as type *specs.Linux in field value
```
on account of 63231576ec (diff-7f24d60f0cbb9c433e165467e3d34838R25)
This commit updates the dependency to current runtime-spec master and
fixes the type mismatch.
Fixes #1035
Signed-off-by: Adam Thomason <ad@mthomason.net>
This update allows more distributions to build runC with seccomp out of
the box (the include path and library paths are not always the Go
defaults). In addition, update the test's Dockerfile to have pkg-config
installed.
Signed-off-by: Aleksa Sarai <asarai@suse.de>
This bumps specs to version 93ca97e83c
which fixes the json marshal/unmarshal issue with blkio major/minor and
adds masked and readonly paths to the spec.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
This bump of the spec includes a change to the device type to be a
string so that it is more readable in the json serialization.
It also includes the change where caps, no new privs, and process
labeling features are moved from the container config onto the process.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
This leaves out the internal conversions as we may need to consider
docker backward compatibility for those changes.
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
Docker pkgs were updated while golinting the whole docker code base.
Now when trying to bump libcontainer/runc in docker, it fails compiling
with the following error:
```
vendor/src/github.com/opencontainers/runc/libcontainer/rootfs_linux.go:424:
undefined: mount.MountInfo
```
This is because, for instance, the mount pkg was updated here
0f5c9d301b (diff-49294d05afa48e2f7c0d2f02c6f7614c)
and now that type is only `mount.Info`.
This patch bumps the docker pkgs commit and adapts the code to it.
Signed-off-by: Antonio Murdaca <amurdaca@redhat.com>
Godeps: Vendor opencontainers/specs 96bcd043aa
Fix a bug where it's impossible to pass multiple devices to blkio
cgroup controller files. See https://github.com/opencontainers/runc/issues/274
Signed-off-by: Antonio Murdaca <runcom@linux.com>
I deleted the possibility to specify a config file from commands for now,
until we decide how it'll be done. Also I changed the runc spec interface to
write config files instead of outputting them.
Signed-off-by: Alexander Morozov <lk4d4@docker.com>
This removes the existing, native Go seccomp filter generation and replaces it
with Libseccomp. Libseccomp is a C library which provides architecture
independent generation of Seccomp filters for the Linux kernel.
This adds a dependency on v2.2.1 or above of Libseccomp.
Signed-off-by: Matthew Heon <mheon@redhat.com>