libapparmor is integrated in libcontainer using cgo but is only used to
call a single function: aa_change_onexec. It turns out this function is
simple enough (writing a string to a file in /proc/<n>/attr/...) to be
re-implemented locally in libcontainer in plain Go.
This allows dropping the dependency on libapparmor and the corresponding
cgo integration.
Fixes #1674
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
The format of the capabilities section in config.json was changed in the
runtime spec 1.0.0.rc5 (pulled in through PR #1370). Update the example
in README.md correspondingly.
Also fix a small typo (though -> through).
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
Add godoc links to README.md files for runc and libcontainer so it's easy to access the golang documentation.
Signed-off-by: Steven Hartland <steven.hartland@multiplay.co.uk>
This moves the ambient capability support behind an `ambient` build tag
so that it is only compiled upon request.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Closes #532
This requires the container id to always be passed to all runc commands
as arg one on the cli. This was the result of the last OCI meeting and
how operations work with the spec.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Fixes: #429
We missed the former one and haven't got a new one, remove
it from README to avoid confusion.
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
* version in the config example is advanced to 0.1.0
* rootfsPropagation in config.json is removed
(The same one is already in runtime.json)
* rlimit time is changed from magic number to name (string)
* add pids cgroup
* add cgroup path
After this change is applied, the example config in this README.md
is consistent with the result of `runc spec`.
Signed-off-by: Lai Jiangshan <jiangshanlai@gmail.com>
I deleted the possibility to specify a config file from commands for now,
until we decide how it'll be done. Also, I changed the runc spec interface to
write config files instead of outputting them.
Signed-off-by: Alexander Morozov <lk4d4@docker.com>
When any non-global-flag parameter appears on the command line, make sure
there's a "command" even in the 'start' (run) case to ensure it's not
ambiguous as to what the arg is. For example, w/o this fix it's not
clear if
    runc foo
means 'foo' is the name of a config file or an unknown command. Or worse,
you can't name a config file the same as ANY command, even future (yet to
be created) commands.
We should fix this now before we ship 1.0 and are forced to support this
ambiguous case for a long time.
Signed-off-by: Doug Davis <dug@us.ibm.com>
Now that the generated spec (and the example above in the README) use
uid/gid and don't have the hardcoded `daemon` entry, the statement about
changing `daemon` to `root` no longer applies. Also added a comment
about using the `runc spec` command to generate `config.json`.
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)