Commit Graph

2435 Commits

Author SHA1 Message Date
Michael Crosby 7d23639138 Merge pull request #789 from justincormack/unprivseccomp
If possible, apply seccomp rules immediately before exec
2016-04-27 17:08:16 -07:00
Justin Cormack e18de63108 If possible, apply seccomp rules immediately before exec
See https://github.com/docker/docker/issues/22252

Previously we would apply seccomp rules before applying
capabilities, because it requires CAP_SYS_ADMIN. This
however means that a seccomp profile needs to allow
operations such as setcap() and setuid() which you
might reasonably want to disallow.

If prctl(PR_SET_NO_NEW_PRIVS) has been applied however
setting a seccomp filter is an unprivileged operation.
Therefore if this has been set, apply the seccomp
filter as late as possible, after capabilities have
been dropped and the uid set.

Note a small number of syscalls will take place
after the filter is applied, such as `futex`,
`stat` and `execve`, so these still need to be allowed
in addition to any the program itself needs.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2016-04-27 20:06:14 +01:00
Aleksa Sarai 07d062bb7b Merge pull request #782 from hqhq/hq_specs_name
Change specs to runtime-spec in integration test
2016-04-26 23:08:38 +00:00
Mrunal Patel 7605fce790 Merge pull request #786 from hqhq/hq_fix_event_test
Fix integration test for events
2016-04-26 12:07:53 -07:00
Mrunal Patel 9c89737e6e Merge pull request #785 from hqhq/hq_remove_sniffTest
Remove sniffTest
2016-04-26 09:31:15 -07:00
Qiang Huang fb7dcac662 Fix integration test for events
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2016-04-26 19:00:21 +08:00
Qiang Huang 5c1ea321df Merge pull request #780 from crosbymichael/stats-format
Improve stats output format for stability
2016-04-26 17:16:53 +08:00
Qiang Huang 18612e6c7f Remove sniffTest
We have integration test now, not ideal though, but it
surely can replace sniffTest.

Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2016-04-26 16:20:45 +08:00
Qiang Huang 38271a38be Change specs to runtime-spec in integration test
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2016-04-26 15:59:00 +08:00
Qiang Huang 6d1c115b10 Merge pull request #779 from crosbymichael/ps-json
Add json format to ps command
2016-04-26 09:34:27 +08:00
Michael Crosby a62dbf48b0 Improve stats output
This adds specific types and improves the json format for the marshaled
structure so that it is inline with the output that the spec produce,
camelCase not snake_case.

This should be the last change needed for people to really depend on the
output of this command and ensure that it does not change with any
internal changes instead of just marshaling the libcontainer structure.

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2016-04-25 16:15:48 -07:00
Michael Crosby bb8591138b Add json format to ps command
For programatic parsing add a json format option to the new `runc ps`
command.

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2016-04-25 15:21:07 -07:00
Michael Crosby e559f7aebb Merge pull request #767 from hqhq/hq_add_ps
Add ps command
2016-04-25 14:51:43 -07:00
Mrunal Patel 6b4da4fff1 Merge pull request #778 from opencontainers/mount-label-release
Bump to v0.1.1 for selinux mount label fix
2016-04-25 14:28:22 -07:00
Michael Crosby baf6536d62 Bump to 0.1.1
This includes a fix for selinux mount labels in the spec.

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2016-04-25 14:18:35 -07:00
Mrunal Patel 9d16d9472e Bump up spec and add support for mount label
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-04-25 14:14:15 -07:00
Michael Crosby ee42f8bbb6 Merge pull request #768 from rajasec/events-destroy
Not showing up the events for destroyed container
2016-04-25 10:51:58 -07:00
Mrunal Patel 091ed0b043 Merge pull request #777 from cyphar/fix-null-pointer-deref
libcontainer: specconv: fix nil dereference in resource setup
2016-04-24 19:09:30 -07:00
Aleksa Sarai 4b710d33d2 Merge pull request #776 from rajasec/runc-path
Updating README for runc path
2016-04-25 01:56:37 +00:00
Aleksa Sarai a939c7ecd9 libcontainer: specconv: fix nil dereference in resource setup
This caused issues if someone omitted or set "resources": null, in the
runC config. The panic follows.

panic: runtime error: invalid memory address or nil pointer dereference
[signal 0xb code=0x1 addr=0x20 pc=0x545b53]

goroutine 1 [running]:
panic(0x7aed40, 0xc820014260)
        /usr/lib64/go/src/runtime/panic.go:464 +0x3e6
github.com/opencontainers/runc/libcontainer/specconv.CreateLibcontainerConfig(0xc8200b0e30, 0x836480, 0x0, 0x0)
        /home/cyphar/src/runc/Godeps/_workspace/src/github.com/opencontainers/runc/libcontainer/specconv/spec_linux.go:222 +0xe83
main.createContainer(0xc82007eb40, 0x7ffd8024e439, 0x4, 0xc82008e780, 0x0, 0x0, 0x0, 0x0)
        /home/cyphar/src/runc/utils_linux.go:174 +0x105
main.startContainer(0xc82007eb40, 0xc82008e780, 0x0, 0x0, 0x0)
        /home/cyphar/src/runc/start.go:114 +0x189
main.glob.func11(0xc82007eb40)
        /home/cyphar/src/runc/start.go:78 +0x13e
github.com/codegangsta/cli.Command.Run(0x829a58, 0x5, 0x0, 0x0, 0x0, 0x0, 0x0, 0x87ada0, 0x1a, 0x8dff80, ...)
        /home/cyphar/src/runc/Godeps/_workspace/src/github.com/codegangsta/cli/command.go:137 +0x1081
github.com/codegangsta/cli.(*App).Run(0xc82007e900, 0xc82000a050, 0x5, 0x5, 0x0, 0x0)
        /home/cyphar/src/runc/Godeps/_workspace/src/github.com/codegangsta/cli/app.go:176 +0xffa
main.main()
        /home/cyphar/src/runc/main.go:123 +0xc8e

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2016-04-25 11:52:22 +10:00
Aleksa Sarai 399175c227 Merge pull request #679 from rajasec/selinux-errorcheck
Adding selinux check during container start
2016-04-24 16:24:26 +00:00
Alexander Morozov ae0fc15b1e Merge pull request #608 from inatatsu/reduce-parsing-mountinfo
Eliminate redundant parsing of mountinfo
2016-04-23 22:30:54 -07:00
rajasec 0015f86cf3 Updating README for runc path
Signed-off-by: rajasec <rajasec79@gmail.com>
2016-04-23 22:00:08 +05:30
rajasec 9adc142404 Updated as per review comments by moving to caller
Signed-off-by: rajasec <rajasec79@gmail.com>

Changing to container ID as per comments

Signed-off-by: rajasec <rajasec79@gmail.com>
2016-04-23 20:31:05 +05:30
rajasec fb53190389 Not showing up the events for destroyed container
Signed-off-by: rajasec <rajasec79@gmail.com>

Updated as per review comments by moving to caller

Signed-off-by: rajasec <rajasec79@gmail.com>
2016-04-23 20:25:57 +05:30
Qiang Huang 45605bb48d Merge pull request #773 from mrunalp/mount_label
Bump up spec and add support for mount label
2016-04-23 08:09:26 +08:00
Mrunal Patel 94acd98156 Merge pull request #766 from hqhq/hq_makefile_man
Add target man in Makefile
2016-04-22 15:51:46 -07:00
Mrunal Patel e25811108b Bump up spec and add support for mount label
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-04-22 15:31:39 -07:00
Michael Crosby 3041475491 Merge pull request #659 from mikebrow/integration-test-bats
adds client api integration tests for runc using bash w/bats
2016-04-22 15:29:57 -07:00
Michael Crosby e0a1d18050 Merge pull request #772 from rajasec/validate-kcore
Updating kcore in validator test
2016-04-22 14:47:16 -07:00
Qiang Huang 3dadcf02f6 Add target man in Makefile
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2016-04-22 14:37:42 +08:00
Qiang Huang 9a69882ab9 Merge pull request #740 from rajasec/process-argscheck
Fixing index out of range during exec of container
2016-04-22 11:09:27 +08:00
Tatsushi Inagaki eb0a144b5e Rootfs: reduce redundant parsing of mountinfo
Postpone parsing mountinfo until pivot_root() actually failed

Signed-off-by: Tatsushi Inagaki <e29253@jp.ibm.com>
2016-04-22 09:41:28 +09:00
Tatsushi Inagaki 78e1a4fc2e Selinux: reduce redundant parsing of mountinfo
Avoid parsing the whole lines of mountinfo after the mountpoint
is found.

Signed-off-by: Tatsushi Inagaki <e29253@jp.ibm.com>
2016-04-22 09:41:28 +09:00
Tatsushi Inagaki 2a1a6cdf44 Cgroup: reduce redundant parsing of mountinfo
Avoid parsing the whole lines of mountinfo after all mountpoints
of the target subsytems are found, or when the target subsystem
is not enabled.

Signed-off-by: Tatsushi Inagaki <e29253@jp.ibm.com>
2016-04-22 09:41:28 +09:00
Mike Brown e9f89e163f adds integration tests
Signed-off-by: Mike Brown <brownwm@us.ibm.com>
2016-04-21 19:09:27 -05:00
Qiang Huang 8cf9ca4bcf Add ps command
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2016-04-22 08:06:35 +08:00
Mrunal Patel 1d2bea3d46 Merge pull request #765 from hqhq/hq_link_ocitools
Add infomation about ocitools in runc spec
2016-04-21 09:53:30 -07:00
rajasec 733ff99f6d Updating kcore in validator test
Signed-off-by: rajasec <rajasec79@gmail.com>
2016-04-21 15:29:19 +05:30
Qiang Huang 8b0d5831b8 Add infomation about ocitools in runc spec
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2016-04-21 12:57:26 +08:00
rajasec c3cc4b36ba Fixing index out of range during exec of container
Signed-off-by: rajasec <rajasec79@gmail.com>

Fixed review comments

Signed-off-by: rajasec <rajasec79@gmail.com>

updated the arguments check as per review comment

Signed-off-by: rajasec <rajasec79@gmail.com>
2016-04-20 14:25:50 +05:30
Michael Crosby d14b04a331 Merge pull request #738 from codido/makefile_fixes
Makefile fixes
2016-04-19 16:17:42 -07:00
Michael Crosby 7dd87976ed Merge pull request #758 from rajasec/container-pause-comment
Update the comment for container pause
2016-04-19 16:16:41 -07:00
Michael Crosby 616ad448e1 Merge pull request #751 from mrunalp/list_quiet
Add -q to list to print only container IDs
2016-04-19 16:16:09 -07:00
Michael Crosby 76261a4854 Merge pull request #762 from ncopa/musl-fix-headers
nsexec: fix build against musl libc
2016-04-19 15:29:13 -07:00
Michael Crosby 27fd0575ee Merge pull request #763 from mrunalp/userns_cgroups_ro
Allow mounting cgroups as read-only when user namespace is configured
2016-04-19 10:36:00 -07:00
Mrunal Patel a6104c3bbe Allow mounting cgroups as read-only when user namespace is configured
We use bind mount to achieve this as other file system remounts are disallowed
in a user namespace.

Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-04-19 10:12:09 -07:00
rajasec d0bf80e481 Adding selinux check during container start
Signed-off-by: rajasec <rajasec79@gmail.com>

Fixed review comments and rebased

Signed-off-by: rajasec <rajasec79@gmail.com>

updated the message as per review comment

Signed-off-by: Rajasekaran <rajasec79@gmail.com>
2016-04-19 22:22:04 +05:30
Natanael Copa ac6bd95319 nsexec: fix build against musl libc
Remove a wrongly added include which was added in commit 3c2e77ee (Add a
compatibility header for CentOS/RHEL 6, 2016-01-29) apparently to
fix this compile error on centos 6:

> In file included from
> Godeps/_workspace/src/github.com/opencontainers/runc/libcontainer/nsenter/nsexec.c:20:
> /usr/include/linux/netlink.h:35: error: expected specifier-qualifier-list before 'sa_family_t'

The glibc bits/sockaddr.h says that this header should never be included
directly[1]. Instead, sys/socket.h should be used.

The problem was correctly fixed later, in commit 394fb55 (Fix build
error on centos6, 2016-03-02) so the incorrect bits/sockaddr.h can
safely be removed.

This is needed to build musl libc.

Fixes #761

[1]: 20003c4988/bits/sockaddr.h (L20)

Signed-off-by: Natanael Copa <natanael.copa@docker.com>
2016-04-19 10:58:17 +02:00
Aleksa Sarai 9384f484ff Merge pull request #759 from crosbymichael/err-context
Add cause to error messages
2016-04-19 01:52:43 +00:00