Commit Graph

2847 Commits

Author SHA1 Message Date
Dan Walsh 6932807107 Add support for r/o mount labels
We need support for read/only mounts in SELinux to allow a bunch of
containers to share the same read/only image.  In order to do this
we need a new label which allows container processes to read/execute
all files but not write them.

Existing mount label is either shared write or private write.  This
label is shared read/execute.

Signed-off-by: Dan Walsh <dwalsh@redhat.com>
2016-10-17 16:56:42 -04:00
Qiang Huang 509ddd6f11 Merge pull request #1075 from datawolf/pause-resume-multi-containers
pause and resume multi-containers
2016-10-17 22:53:22 +08:00
Wang Long 2f5c0afbbc pause and resume multi-containers
With this patch, `runc pasue` and `runc resume` can
pause and resume multi-containers.

Signed-off-by: Wang Long <long.wanglong@huawei.com>
2016-10-17 19:44:08 +08:00
Qiang Huang a6284a7bdb Merge pull request #1116 from rajasec/hugetlb-panic
Fixing runc panic during hugetlb pages
2016-10-17 13:55:59 +08:00
Aleksa Sarai 7be6edaa60
merge branch 'pr-1114'
LGTMs: @hqhq @cyphar
Closes: #1114
2016-10-16 22:27:15 +11:00
rajasec 4b263c9594 Fixing runc panic during hugetlb pages
Signed-off-by: rajasec <rajasec79@gmail.com>

Fixing runc panic during hugetlb pages

Signed-off-by: rajasec <rajasec79@gmail.com>
2016-10-15 19:47:33 +05:30
Mrunal Patel 3abefdff18 Merge pull request #1109 from rhatdan/dupsec
DupSecOpt needs to match InitLabels
2016-10-14 08:18:25 -07:00
Lei Jitang 1cd050244e Valide platform on loading config.json
run an arm64 image on an amd64 platform, it will failed with
````
panic: standard_init_linux.go:175: exec user process caused "exec format error" [recovered]
        panic: standard_init_linux.go:175: exec user process caused "exec format error"

goroutine 1 [running, locked to thread]:
panic(0x7e7e40, 0xc820124380)
        /usr/local/go/src/runtime/panic.go:481 +0x3e6
github.com/urfave/cli.HandleAction.func1(0xc8200c52f8)
        /home/lei/opencontainers/runc/Godeps/_workspace/src/github.com/urfave/cli/app.go:478 +0x38e
panic(0x7e7e40, 0xc820124380)
        /usr/local/go/src/runtime/panic.go:443 +0x4e9
github.com/opencontainers/runc/libcontainer.(*LinuxFactory).StartInitialization.func1(0xc8200c4c08, 0xc8200220a0, 0xc8200c4d18)
        /home/lei/opencontainers/runc/Godeps/_workspace/src/github.com/opencontainers/runc/libcontainer/factory_linux.go:259 +0x136
github.com/opencontainers/runc/libcontainer.(*LinuxFactory).StartInitialization(0xc82006c780, 0x7fb9124733f8, 0xc820124380)
        /home/lei/opencontainers/runc/Godeps/_workspace/src/github.com/opencontainers/runc/libcontainer/factory_linux.go:277 +0x5b1
main.glob.func8(0xc820090780, 0x0, 0x0)
        /home/lei/opencontainers/runc/main_unix.go:26 +0x68
reflect.Value.call(0x74ca00, 0x8fda40, 0x13, 0x844470, 0x4, 0xc8200c5278, 0x1, 0x1, 0x0, 0x0, ...)
        /usr/local/go/src/reflect/value.go:435 +0x120d
reflect.Value.Call(0x74ca00, 0x8fda40, 0x13, 0xc8200c5278, 0x1, 0x1, 0x0, 0x0, 0x0)
        /usr/local/go/src/reflect/value.go:303 +0xb1
github.com/urfave/cli.HandleAction(0x74ca00, 0x8fda40, 0xc820090780, 0x0, 0x0)
        /home/lei/opencontainers/runc/Godeps/_workspace/src/github.com/urfave/cli/app.go:487 +0x2ee
github.com/urfave/cli.Command.Run(0x847330, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8dcec0, 0x51, 0x0, ...)
        /home/lei/opencontainers/runc/Godeps/_workspace/src/github.com/urfave/cli/command.go:191 +0xfec
github.com/urfave/cli.(*App).Run(0xc820001980, 0xc82000a100, 0x2, 0x2, 0x0, 0x0)
        /home/lei/opencontainers/runc/Godeps/_workspace/src/github.com/urfave/cli/app.go:240 +0xaa4
main.main()
        /home/lei/opencontainers/runc/main.go:137 +0xe24

````
instead of throwing panic on execing the container process, we should
throw the platform mismatch at the very beginning, it's much more
clear and can tell user what's wrong.

Signed-off-by: Lei Jitang <leijitang@huawei.com>
2016-10-14 02:53:37 -04:00
Dan Walsh 491cadac92 DupSecOpt needs to match InitLabels
At some point InitLabels was changed to look for SecuritOptions
separated by a ":" rather then an "=", but DupSecOpt was never
changed to match this default.

Signed-off-by: Dan Walsh <dwalsh@redhat.com>
2016-10-13 16:10:29 -04:00
Daniel, Dao Quang Minh d186a7552b Merge pull request #1111 from keloyang/rpid-limit-check
tiny fix, add a null check for specs.Resources.Pids.Limit
2016-10-13 18:04:49 +01:00
Shukui Yang affc105264 tiny fix, add a null check for specs.Resources.Pids.Limit
Signed-off-by: Shukui Yang <yangshukui@huawei.com>
2016-10-13 15:55:30 +08:00
Mrunal Patel 3b4ff53867 Merge pull request #1097 from keloyang/remove-tmp-bats
remove /tmp/bats from dev_runc
2016-10-12 11:07:56 -07:00
Qiang Huang ee992e5ff7 Merge pull request #1108 from dqminh/misspell
fix typos with misspell
2016-10-12 07:34:02 +02:00
Daniel Dao 1b876b0bf2 fix typos with misspell
pipe the source through https://github.com/client9/misspell. typos be gone!

Signed-off-by: Daniel Dao <dqminh89@gmail.com>
2016-10-11 23:22:48 +00:00
Daniel, Dao Quang Minh 8d505cb9dc Merge pull request #1107 from datawolf/fix-a-typo
just fix a typo
2016-10-12 00:15:51 +01:00
Daniel, Dao Quang Minh 89d025ff66 Merge pull request #1106 from xlgao-zju/tiny-fix
tiny fix
2016-10-12 00:15:35 +01:00
Wang Long 5eaa9ed5cd just fix a typo
Signed-off-by: Wang Long <long.wanglong@huawei.com>
2016-10-11 08:38:15 +00:00
Xianglin Gao 9df4847a23 tiny fix
Signed-off-by: Xianglin Gao <xlgao@zju.edu.cn>
2016-10-11 16:32:56 +08:00
Qiang Huang 010274f2f5 Merge pull request #1078 from datawolf/delete-command
Delete: exit with non zero if one of the containers encountered an error
2016-10-11 08:51:29 +02:00
Qiang Huang 26ebd6ab63 Merge pull request #1102 from datawolf/Revert-simplify-ps-command
Revert "simplify ps command"
2016-10-11 03:53:28 +02:00
Wang Long 1a6391b03f Revert "simplify ps command"
This reverts commit 067ce21f7a.

Signed-off-by: Wang Long <long.wanglong@huawei.com>
2016-10-10 09:27:07 +08:00
Shukui Yang dba9253d2b remove /tmp/bats from dev_runc
Signed-off-by: Shukui Yang <yangshukui@huawei.com>
2016-10-09 09:43:22 +08:00
Wang Long 7e38b37e7c Delete: exit with non zero if one of the containers encountered an error
Signed-off-by: Wang Long <long.wanglong@huawei.com>
2016-10-08 11:28:56 +08:00
Michael Crosby 45c30e75ab Merge pull request #784 from hqhq/hq_ps_following_up
Add integration test for ps command
2016-10-07 15:23:04 -07:00
Michael Crosby 2ad2cf7b28 Merge pull request #1092 from datawolf/simplify-ps-command
simplify ps command
2016-10-07 15:16:31 -07:00
Qiang Huang d1fc802264 Merge pull request #1095 from crosbymichael/kmem
Don't enable kernel mem if not set
2016-10-07 21:59:56 +02:00
Michael Crosby 11222ee1f1 Don't enable kernel mem if not set
Don't enable the kmem limit if it is not specified in the config.

Fixes #1083

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2016-10-07 10:02:19 -07:00
Aleksa Sarai b1eb19b4f3
merge branch 'pr-1084'
LGTMs: @mrunalp @cyphar

Closes #1084
2016-10-07 19:10:14 +11:00
Mrunal Patel 02f8fa7863 Merge pull request #1089 from mlaventure/fix-logging-on-error
Ensure we log into logrus on command error
2016-10-03 09:42:46 -07:00
Kenfe-Mickael Laventure 294d24fb1a Ensure we log into logrus on command error
`urfave/cli` now takes upon itself to log the error returned by the
command action directly. This means that by default the `--log` option
was ignored upon error.

This commit ensure that `urfave/cli.ErrWriter` will use logrus

Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
2016-10-03 08:01:09 -07:00
Mrunal Patel 7b1bcb3762 Merge pull request #1090 from crosbymichael/bind-root
Remove check for binding to /
2016-09-30 14:42:30 -07:00
Wang Long 067ce21f7a simplify ps command
the `-p pidlist` flag of `ps` command selects the process whose process
ID numbers apper in `pidlist`.[1]

This patch use `-p pidlist` to filter process which we want.

[1]: http://man7.org/linux/man-pages/man1/ps.1.html

Signed-off-by: Wang Long <long.wanglong@huawei.com>
2016-09-30 14:54:30 +08:00
Michael Crosby 70b16a5ab9 Remove check for binding to /
In order to mount root filesystems inside the container's mount
namespace as part of the spec we need to have the ability to do a bind
mount to / as the destination.

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2016-09-29 15:26:09 -07:00
Qiang Huang 98afb7390a Add integration test for ps command
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2016-09-29 18:33:32 +08:00
Qiang Huang 3597b7b743 Merge pull request #1087 from williammartin/master
Fix typo when container does not exist
2016-09-29 09:19:45 +08:00
Qiang Huang c91b5bea48 Merge pull request #1088 from crosbymichael/rc2
Bump spec and version to rc2
2016-09-29 09:18:37 +08:00
Mrunal Patel b3833a00e6 Merge pull request #1086 from justincormack/ambient
Set ambient capabilities where supported
2016-09-28 10:00:00 -07:00
Michael Crosby 0f97ba469f Bump spec and version to rc2
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2016-09-28 09:53:43 -07:00
Michael Crosby 3d777789a2 Merge pull request #1081 from ggaaooppeenngg/gaopeng/replace-range-map
Refactor enum map range to slice range
2016-09-28 09:50:38 -07:00
William Martin 152169ed34 Fix typo when container does not exist
Signed-off-by: William Martin <wmartin@pivotal.io>
2016-09-28 11:00:50 +00:00
Qiang Huang d9fec4c63b Merge pull request #1065 from keloyang/remove-ps-workaround
Remove the workaround which add a -- flag to runc ps command
2016-09-28 17:09:58 +08:00
Justin Cormack 4e179bddca Set ambient capabilities where supported
Since Linux 4.3 ambient capabilities are available. If set these allow unprivileged child
processes to inherit capabilities, while at present there is no means to set capabilities
on non root processes, other than via filesystem capabilities which are not usually
supported in image formats.

With ambient capabilities non root processes can be given capabilities as well, and so
the main reason to use root in containers goes away, and capabilities work as expected.

The code falls back to the existing behaviour if ambient capabilities are not supported.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2016-09-28 09:13:56 +01:00
Peng Gao c5393da813 Refactor enum map range to slice range
grep -r "range map" showw 3 parts use map to
range enum types, use slice instead can get
better performance and less memory usage.

Signed-off-by: Peng Gao <peng.gao.dut@gmail.com>
2016-09-28 15:36:29 +08:00
derekwaynecarr 1a75f815d5 systemd cgroup driver supports slice management
Signed-off-by: derekwaynecarr <decarr@redhat.com>
2016-09-27 16:01:37 -04:00
Mrunal Patel 1359131f4a Merge pull request #1080 from hqhq/fix_user_test
Fix TestGetAdditionalGroups on i686
2016-09-27 10:18:27 -07:00
Qiang Huang 2940d2e2e9 Merge pull request #1069 from datawolf/add-unittest
[integration] add testcases for `runc delete` command
2016-09-27 19:20:36 +08:00
Qiang Huang dc0a4cf488 Fix TestGetAdditionalGroups on i686
Fixes: #941

Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2016-09-27 18:25:53 +08:00
Daniel, Dao Quang Minh 6cbd8e20ef Merge pull request #1076 from rajasec/checkpoint-create
Container must not checkpoint in created state
2016-09-26 23:53:41 +01:00
Daniel, Dao Quang Minh cce5713940 Merge pull request #1077 from rajasec/readme-container-usage
Updating libcontainer README for container run
2016-09-26 23:52:06 +01:00
Mrunal Patel 282b254073 Merge pull request #1068 from AkihiroSuda/maskdir
MaskPaths: support directory
2016-09-26 13:10:40 -07:00