Dan Walsh
6932807107
Add support for r/o mount labels
...
We need support for read/only mounts in SELinux to allow a bunch of
containers to share the same read/only image. In order to do this
we need a new label which allows container processes to read/execute
all files but not write them.
Existing mount label is either shared write or private write. This
label is shared read/execute.
Signed-off-by: Dan Walsh <dwalsh@redhat.com>
2016-10-17 16:56:42 -04:00
Qiang Huang
509ddd6f11
Merge pull request #1075 from datawolf/pause-resume-multi-containers
...
pause and resume multi-containers
2016-10-17 22:53:22 +08:00
Wang Long
2f5c0afbbc
pause and resume multi-containers
...
With this patch, `runc pause` and `runc resume` can
pause and resume multi-containers.
Signed-off-by: Wang Long <long.wanglong@huawei.com>
2016-10-17 19:44:08 +08:00
Qiang Huang
a6284a7bdb
Merge pull request #1116 from rajasec/hugetlb-panic
...
Fixing runc panic during hugetlb pages
2016-10-17 13:55:59 +08:00
Aleksa Sarai
7be6edaa60
merge branch 'pr-1114'
...
LGTMs: @hqhq @cyphar
Closes : #1114
2016-10-16 22:27:15 +11:00
rajasec
4b263c9594
Fixing runc panic during hugetlb pages
...
Signed-off-by: rajasec <rajasec79@gmail.com>
Fixing runc panic during hugetlb pages
Signed-off-by: rajasec <rajasec79@gmail.com>
2016-10-15 19:47:33 +05:30
Mrunal Patel
3abefdff18
Merge pull request #1109 from rhatdan/dupsec
...
DupSecOpt needs to match InitLabels
2016-10-14 08:18:25 -07:00
Lei Jitang
1cd050244e
Validate platform on loading config.json
...
If you run an arm64 image on an amd64 platform, it will fail with
````
panic: standard_init_linux.go:175: exec user process caused "exec format error" [recovered]
panic: standard_init_linux.go:175: exec user process caused "exec format error"
goroutine 1 [running, locked to thread]:
panic(0x7e7e40, 0xc820124380)
/usr/local/go/src/runtime/panic.go:481 +0x3e6
github.com/urfave/cli.HandleAction.func1(0xc8200c52f8)
/home/lei/opencontainers/runc/Godeps/_workspace/src/github.com/urfave/cli/app.go:478 +0x38e
panic(0x7e7e40, 0xc820124380)
/usr/local/go/src/runtime/panic.go:443 +0x4e9
github.com/opencontainers/runc/libcontainer.(*LinuxFactory).StartInitialization.func1(0xc8200c4c08, 0xc8200220a0, 0xc8200c4d18)
/home/lei/opencontainers/runc/Godeps/_workspace/src/github.com/opencontainers/runc/libcontainer/factory_linux.go:259 +0x136
github.com/opencontainers/runc/libcontainer.(*LinuxFactory).StartInitialization(0xc82006c780, 0x7fb9124733f8, 0xc820124380)
/home/lei/opencontainers/runc/Godeps/_workspace/src/github.com/opencontainers/runc/libcontainer/factory_linux.go:277 +0x5b1
main.glob.func8(0xc820090780, 0x0, 0x0)
/home/lei/opencontainers/runc/main_unix.go:26 +0x68
reflect.Value.call(0x74ca00, 0x8fda40, 0x13, 0x844470, 0x4, 0xc8200c5278, 0x1, 0x1, 0x0, 0x0, ...)
/usr/local/go/src/reflect/value.go:435 +0x120d
reflect.Value.Call(0x74ca00, 0x8fda40, 0x13, 0xc8200c5278, 0x1, 0x1, 0x0, 0x0, 0x0)
/usr/local/go/src/reflect/value.go:303 +0xb1
github.com/urfave/cli.HandleAction(0x74ca00, 0x8fda40, 0xc820090780, 0x0, 0x0)
/home/lei/opencontainers/runc/Godeps/_workspace/src/github.com/urfave/cli/app.go:487 +0x2ee
github.com/urfave/cli.Command.Run(0x847330, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8dcec0, 0x51, 0x0, ...)
/home/lei/opencontainers/runc/Godeps/_workspace/src/github.com/urfave/cli/command.go:191 +0xfec
github.com/urfave/cli.(*App).Run(0xc820001980, 0xc82000a100, 0x2, 0x2, 0x0, 0x0)
/home/lei/opencontainers/runc/Godeps/_workspace/src/github.com/urfave/cli/app.go:240 +0xaa4
main.main()
/home/lei/opencontainers/runc/main.go:137 +0xe24
````
Instead of throwing a panic on execing the container process, we should
throw the platform mismatch at the very beginning; it's much
clearer and can tell the user what's wrong.
Signed-off-by: Lei Jitang <leijitang@huawei.com>
2016-10-14 02:53:37 -04:00
Dan Walsh
491cadac92
DupSecOpt needs to match InitLabels
...
At some point InitLabels was changed to look for SecurityOptions
separated by a ":" rather than an "=", but DupSecOpt was never
changed to match this default.
Signed-off-by: Dan Walsh <dwalsh@redhat.com>
2016-10-13 16:10:29 -04:00
Daniel, Dao Quang Minh
d186a7552b
Merge pull request #1111 from keloyang/rpid-limit-check
...
tiny fix, add a null check for specs.Resources.Pids.Limit
2016-10-13 18:04:49 +01:00
Shukui Yang
affc105264
tiny fix, add a null check for specs.Resources.Pids.Limit
...
Signed-off-by: Shukui Yang <yangshukui@huawei.com>
2016-10-13 15:55:30 +08:00
Mrunal Patel
3b4ff53867
Merge pull request #1097 from keloyang/remove-tmp-bats
...
remove /tmp/bats from dev_runc
2016-10-12 11:07:56 -07:00
Qiang Huang
ee992e5ff7
Merge pull request #1108 from dqminh/misspell
...
fix typos with misspell
2016-10-12 07:34:02 +02:00
Daniel Dao
1b876b0bf2
fix typos with misspell
...
pipe the source through https://github.com/client9/misspell . typos be gone!
Signed-off-by: Daniel Dao <dqminh89@gmail.com>
2016-10-11 23:22:48 +00:00
Daniel, Dao Quang Minh
8d505cb9dc
Merge pull request #1107 from datawolf/fix-a-typo
...
just fix a typo
2016-10-12 00:15:51 +01:00
Daniel, Dao Quang Minh
89d025ff66
Merge pull request #1106 from xlgao-zju/tiny-fix
...
tiny fix
2016-10-12 00:15:35 +01:00
Wang Long
5eaa9ed5cd
just fix a typo
...
Signed-off-by: Wang Long <long.wanglong@huawei.com>
2016-10-11 08:38:15 +00:00
Xianglin Gao
9df4847a23
tiny fix
...
Signed-off-by: Xianglin Gao <xlgao@zju.edu.cn>
2016-10-11 16:32:56 +08:00
Qiang Huang
010274f2f5
Merge pull request #1078 from datawolf/delete-command
...
Delete: exit with non zero if one of the containers encountered an error
2016-10-11 08:51:29 +02:00
Qiang Huang
26ebd6ab63
Merge pull request #1102 from datawolf/Revert-simplify-ps-command
...
Revert "simplify ps command"
2016-10-11 03:53:28 +02:00
Wang Long
1a6391b03f
Revert "simplify ps command"
...
This reverts commit 067ce21f7a.
Signed-off-by: Wang Long <long.wanglong@huawei.com>
2016-10-10 09:27:07 +08:00
Shukui Yang
dba9253d2b
remove /tmp/bats from dev_runc
...
Signed-off-by: Shukui Yang <yangshukui@huawei.com>
2016-10-09 09:43:22 +08:00
Wang Long
7e38b37e7c
Delete: exit with non zero if one of the containers encountered an error
...
Signed-off-by: Wang Long <long.wanglong@huawei.com>
2016-10-08 11:28:56 +08:00
Michael Crosby
45c30e75ab
Merge pull request #784 from hqhq/hq_ps_following_up
...
Add integration test for ps command
2016-10-07 15:23:04 -07:00
Michael Crosby
2ad2cf7b28
Merge pull request #1092 from datawolf/simplify-ps-command
...
simplify ps command
2016-10-07 15:16:31 -07:00
Qiang Huang
d1fc802264
Merge pull request #1095 from crosbymichael/kmem
...
Don't enable kernel mem if not set
2016-10-07 21:59:56 +02:00
Michael Crosby
11222ee1f1
Don't enable kernel mem if not set
...
Don't enable the kmem limit if it is not specified in the config.
Fixes #1083
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2016-10-07 10:02:19 -07:00
Aleksa Sarai
b1eb19b4f3
merge branch 'pr-1084'
...
LGTMs: @mrunalp @cyphar
Closes #1084
2016-10-07 19:10:14 +11:00
Mrunal Patel
02f8fa7863
Merge pull request #1089 from mlaventure/fix-logging-on-error
...
Ensure we log into logrus on command error
2016-10-03 09:42:46 -07:00
Kenfe-Mickael Laventure
294d24fb1a
Ensure we log into logrus on command error
...
`urfave/cli` now takes upon itself to log the error returned by the
command action directly. This means that by default the `--log` option
was ignored upon error.
This commit ensures that `urfave/cli.ErrWriter` will use logrus.
Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
2016-10-03 08:01:09 -07:00
Mrunal Patel
7b1bcb3762
Merge pull request #1090 from crosbymichael/bind-root
...
Remove check for binding to /
2016-09-30 14:42:30 -07:00
Wang Long
067ce21f7a
simplify ps command
...
The `-p pidlist` flag of the `ps` command selects the processes whose process
ID numbers appear in `pidlist`.[1]
This patch uses `-p pidlist` to filter the processes which we want.
[1]: http://man7.org/linux/man-pages/man1/ps.1.html
Signed-off-by: Wang Long <long.wanglong@huawei.com>
2016-09-30 14:54:30 +08:00
Michael Crosby
70b16a5ab9
Remove check for binding to /
...
In order to mount root filesystems inside the container's mount
namespace as part of the spec we need to have the ability to do a bind
mount to / as the destination.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2016-09-29 15:26:09 -07:00
Qiang Huang
98afb7390a
Add integration test for ps command
...
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2016-09-29 18:33:32 +08:00
Qiang Huang
3597b7b743
Merge pull request #1087 from williammartin/master
...
Fix typo when container does not exist
2016-09-29 09:19:45 +08:00
Qiang Huang
c91b5bea48
Merge pull request #1088 from crosbymichael/rc2
...
Bump spec and version to rc2
2016-09-29 09:18:37 +08:00
Mrunal Patel
b3833a00e6
Merge pull request #1086 from justincormack/ambient
...
Set ambient capabilities where supported
2016-09-28 10:00:00 -07:00
Michael Crosby
0f97ba469f
Bump spec and version to rc2
...
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2016-09-28 09:53:43 -07:00
Michael Crosby
3d777789a2
Merge pull request #1081 from ggaaooppeenngg/gaopeng/replace-range-map
...
Refactor enum map range to slice range
2016-09-28 09:50:38 -07:00
William Martin
152169ed34
Fix typo when container does not exist
...
Signed-off-by: William Martin <wmartin@pivotal.io>
2016-09-28 11:00:50 +00:00
Qiang Huang
d9fec4c63b
Merge pull request #1065 from keloyang/remove-ps-workaround
...
Remove the workaround which adds a -- flag to runc ps command
2016-09-28 17:09:58 +08:00
Justin Cormack
4e179bddca
Set ambient capabilities where supported
...
Since Linux 4.3 ambient capabilities are available. If set, these allow unprivileged child
processes to inherit capabilities, while at present there is no means to set capabilities
on non root processes, other than via filesystem capabilities which are not usually
supported in image formats.
With ambient capabilities non root processes can be given capabilities as well, and so
the main reason to use root in containers goes away, and capabilities work as expected.
The code falls back to the existing behaviour if ambient capabilities are not supported.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2016-09-28 09:13:56 +01:00
Peng Gao
c5393da813
Refactor enum map range to slice range
...
grep -r "range map" shows 3 parts use a map to
range enum types; using a slice instead can get
better performance and less memory usage.
Signed-off-by: Peng Gao <peng.gao.dut@gmail.com>
2016-09-28 15:36:29 +08:00
derekwaynecarr
1a75f815d5
systemd cgroup driver supports slice management
...
Signed-off-by: derekwaynecarr <decarr@redhat.com>
2016-09-27 16:01:37 -04:00
Mrunal Patel
1359131f4a
Merge pull request #1080 from hqhq/fix_user_test
...
Fix TestGetAdditionalGroups on i686
2016-09-27 10:18:27 -07:00
Qiang Huang
2940d2e2e9
Merge pull request #1069 from datawolf/add-unittest
...
[integration] add testcases for `runc delete` command
2016-09-27 19:20:36 +08:00
Qiang Huang
dc0a4cf488
Fix TestGetAdditionalGroups on i686
...
Fixes : #941
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2016-09-27 18:25:53 +08:00
Daniel, Dao Quang Minh
6cbd8e20ef
Merge pull request #1076 from rajasec/checkpoint-create
...
Container must not checkpoint in created state
2016-09-26 23:53:41 +01:00
Daniel, Dao Quang Minh
cce5713940
Merge pull request #1077 from rajasec/readme-container-usage
...
Updating libcontainer README for container run
2016-09-26 23:52:06 +01:00
Mrunal Patel
282b254073
Merge pull request #1068 from AkihiroSuda/maskdir
...
MaskPaths: support directory
2016-09-26 13:10:40 -07:00