Michael Crosby
7d23639138
Merge pull request #789 from justincormack/unprivseccomp
...
If possible, apply seccomp rules immediately before exec
2016-04-27 17:08:16 -07:00
Justin Cormack
e18de63108
If possible, apply seccomp rules immediately before exec
...
See https://github.com/docker/docker/issues/22252
Previously we would apply seccomp rules before applying
capabilities, because it requires CAP_SYS_ADMIN. This
however means that a seccomp profile needs to allow
operations such as setcap() and setuid() which you
might reasonably want to disallow.
If prctl(PR_SET_NO_NEW_PRIVS) has been applied however
setting a seccomp filter is an unprivileged operation.
Therefore if this has been set, apply the seccomp
filter as late as possible, after capabilities have
been dropped and the uid set.
Note a small number of syscalls will take place
after the filter is applied, such as `futex`,
`stat` and `execve`, so these still need to be allowed
in addition to any the program itself needs.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2016-04-27 20:06:14 +01:00
Aleksa Sarai
07d062bb7b
Merge pull request #782 from hqhq/hq_specs_name
...
Change specs to runtime-spec in integration test
2016-04-26 23:08:38 +00:00
Mrunal Patel
7605fce790
Merge pull request #786 from hqhq/hq_fix_event_test
...
Fix integration test for events
2016-04-26 12:07:53 -07:00
Mrunal Patel
9c89737e6e
Merge pull request #785 from hqhq/hq_remove_sniffTest
...
Remove sniffTest
2016-04-26 09:31:15 -07:00
Qiang Huang
fb7dcac662
Fix integration test for events
...
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2016-04-26 19:00:21 +08:00
Qiang Huang
5c1ea321df
Merge pull request #780 from crosbymichael/stats-format
...
Improve stats output format for stability
2016-04-26 17:16:53 +08:00
Qiang Huang
18612e6c7f
Remove sniffTest
...
We have integration tests now; not ideal, but they can
surely replace sniffTest.
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2016-04-26 16:20:45 +08:00
Qiang Huang
38271a38be
Change specs to runtime-spec in integration test
...
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2016-04-26 15:59:00 +08:00
Qiang Huang
6d1c115b10
Merge pull request #779 from crosbymichael/ps-json
...
Add json format to ps command
2016-04-26 09:34:27 +08:00
Michael Crosby
a62dbf48b0
Improve stats output
...
This adds specific types and improves the json format for the marshaled
structure so that it is in line with the output that the spec produces,
camelCase not snake_case.
This should be the last change needed for people to really depend on the
output of this command and ensure that it does not change with any
internal changes instead of just marshaling the libcontainer structure.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2016-04-25 16:15:48 -07:00
Michael Crosby
bb8591138b
Add json format to ps command
...
For programmatic parsing add a json format option to the new `runc ps`
command.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2016-04-25 15:21:07 -07:00
Michael Crosby
e559f7aebb
Merge pull request #767 from hqhq/hq_add_ps
...
Add ps command
2016-04-25 14:51:43 -07:00
Mrunal Patel
6b4da4fff1
Merge pull request #778 from opencontainers/mount-label-release
...
Bump to v0.1.1 for selinux mount label fix
2016-04-25 14:28:22 -07:00
Michael Crosby
baf6536d62
Bump to 0.1.1
...
This includes a fix for selinux mount labels in the spec.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2016-04-25 14:18:35 -07:00
Mrunal Patel
9d16d9472e
Bump up spec and add support for mount label
...
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-04-25 14:14:15 -07:00
Michael Crosby
ee42f8bbb6
Merge pull request #768 from rajasec/events-destroy
...
Not showing up the events for destroyed container
2016-04-25 10:51:58 -07:00
Mrunal Patel
091ed0b043
Merge pull request #777 from cyphar/fix-null-pointer-deref
...
libcontainer: specconv: fix nil dereference in resource setup
2016-04-24 19:09:30 -07:00
Aleksa Sarai
4b710d33d2
Merge pull request #776 from rajasec/runc-path
...
Updating README for runc path
2016-04-25 01:56:37 +00:00
Aleksa Sarai
a939c7ecd9
libcontainer: specconv: fix nil dereference in resource setup
...
This caused issues if someone omitted or set "resources": null, in the
runC config. The panic follows.
panic: runtime error: invalid memory address or nil pointer dereference
[signal 0xb code=0x1 addr=0x20 pc=0x545b53]
goroutine 1 [running]:
panic(0x7aed40, 0xc820014260)
/usr/lib64/go/src/runtime/panic.go:464 +0x3e6
github.com/opencontainers/runc/libcontainer/specconv.CreateLibcontainerConfig(0xc8200b0e30, 0x836480, 0x0, 0x0)
/home/cyphar/src/runc/Godeps/_workspace/src/github.com/opencontainers/runc/libcontainer/specconv/spec_linux.go:222 +0xe83
main.createContainer(0xc82007eb40, 0x7ffd8024e439, 0x4, 0xc82008e780, 0x0, 0x0, 0x0, 0x0)
/home/cyphar/src/runc/utils_linux.go:174 +0x105
main.startContainer(0xc82007eb40, 0xc82008e780, 0x0, 0x0, 0x0)
/home/cyphar/src/runc/start.go:114 +0x189
main.glob.func11(0xc82007eb40)
/home/cyphar/src/runc/start.go:78 +0x13e
github.com/codegangsta/cli.Command.Run(0x829a58, 0x5, 0x0, 0x0, 0x0, 0x0, 0x0, 0x87ada0, 0x1a, 0x8dff80, ...)
/home/cyphar/src/runc/Godeps/_workspace/src/github.com/codegangsta/cli/command.go:137 +0x1081
github.com/codegangsta/cli.(*App).Run(0xc82007e900, 0xc82000a050, 0x5, 0x5, 0x0, 0x0)
/home/cyphar/src/runc/Godeps/_workspace/src/github.com/codegangsta/cli/app.go:176 +0xffa
main.main()
/home/cyphar/src/runc/main.go:123 +0xc8e
Signed-off-by: Aleksa Sarai <asarai@suse.de>
2016-04-25 11:52:22 +10:00
Aleksa Sarai
399175c227
Merge pull request #679 from rajasec/selinux-errorcheck
...
Adding selinux check during container start
2016-04-24 16:24:26 +00:00
Alexander Morozov
ae0fc15b1e
Merge pull request #608 from inatatsu/reduce-parsing-mountinfo
...
Eliminate redundant parsing of mountinfo
2016-04-23 22:30:54 -07:00
rajasec
0015f86cf3
Updating README for runc path
...
Signed-off-by: rajasec <rajasec79@gmail.com>
2016-04-23 22:00:08 +05:30
rajasec
9adc142404
Updated as per review comments by moving to caller
...
Signed-off-by: rajasec <rajasec79@gmail.com>
Changing to container ID as per comments
Signed-off-by: rajasec <rajasec79@gmail.com>
2016-04-23 20:31:05 +05:30
rajasec
fb53190389
Not showing up the events for destroyed container
...
Signed-off-by: rajasec <rajasec79@gmail.com>
Updated as per review comments by moving to caller
Signed-off-by: rajasec <rajasec79@gmail.com>
2016-04-23 20:25:57 +05:30
Qiang Huang
45605bb48d
Merge pull request #773 from mrunalp/mount_label
...
Bump up spec and add support for mount label
2016-04-23 08:09:26 +08:00
Mrunal Patel
94acd98156
Merge pull request #766 from hqhq/hq_makefile_man
...
Add target man in Makefile
2016-04-22 15:51:46 -07:00
Mrunal Patel
e25811108b
Bump up spec and add support for mount label
...
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-04-22 15:31:39 -07:00
Michael Crosby
3041475491
Merge pull request #659 from mikebrow/integration-test-bats
...
adds client api integration tests for runc using bash w/bats
2016-04-22 15:29:57 -07:00
Michael Crosby
e0a1d18050
Merge pull request #772 from rajasec/validate-kcore
...
Updating kcore in validator test
2016-04-22 14:47:16 -07:00
Qiang Huang
3dadcf02f6
Add target man in Makefile
...
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2016-04-22 14:37:42 +08:00
Qiang Huang
9a69882ab9
Merge pull request #740 from rajasec/process-argscheck
...
Fixing index out of range during exec of container
2016-04-22 11:09:27 +08:00
Tatsushi Inagaki
eb0a144b5e
Rootfs: reduce redundant parsing of mountinfo
...
Postpone parsing mountinfo until pivot_root() actually failed
Signed-off-by: Tatsushi Inagaki <e29253@jp.ibm.com>
2016-04-22 09:41:28 +09:00
Tatsushi Inagaki
78e1a4fc2e
Selinux: reduce redundant parsing of mountinfo
...
Avoid parsing the whole lines of mountinfo after the mountpoint
is found.
Signed-off-by: Tatsushi Inagaki <e29253@jp.ibm.com>
2016-04-22 09:41:28 +09:00
Tatsushi Inagaki
2a1a6cdf44
Cgroup: reduce redundant parsing of mountinfo
...
Avoid parsing the whole lines of mountinfo after all mountpoints
of the target subsystems are found, or when the target subsystem
is not enabled.
Signed-off-by: Tatsushi Inagaki <e29253@jp.ibm.com>
2016-04-22 09:41:28 +09:00
Mike Brown
e9f89e163f
adds integration tests
...
Signed-off-by: Mike Brown <brownwm@us.ibm.com>
2016-04-21 19:09:27 -05:00
Qiang Huang
8cf9ca4bcf
Add ps command
...
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2016-04-22 08:06:35 +08:00
Mrunal Patel
1d2bea3d46
Merge pull request #765 from hqhq/hq_link_ocitools
...
Add information about ocitools in runc spec
2016-04-21 09:53:30 -07:00
rajasec
733ff99f6d
Updating kcore in validator test
...
Signed-off-by: rajasec <rajasec79@gmail.com>
2016-04-21 15:29:19 +05:30
Qiang Huang
8b0d5831b8
Add information about ocitools in runc spec
...
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2016-04-21 12:57:26 +08:00
rajasec
c3cc4b36ba
Fixing index out of range during exec of container
...
Signed-off-by: rajasec <rajasec79@gmail.com>
Fixed review comments
Signed-off-by: rajasec <rajasec79@gmail.com>
updated the arguments check as per review comment
Signed-off-by: rajasec <rajasec79@gmail.com>
2016-04-20 14:25:50 +05:30
Michael Crosby
d14b04a331
Merge pull request #738 from codido/makefile_fixes
...
Makefile fixes
2016-04-19 16:17:42 -07:00
Michael Crosby
7dd87976ed
Merge pull request #758 from rajasec/container-pause-comment
...
Update the comment for container pause
2016-04-19 16:16:41 -07:00
Michael Crosby
616ad448e1
Merge pull request #751 from mrunalp/list_quiet
...
Add -q to list to print only container IDs
2016-04-19 16:16:09 -07:00
Michael Crosby
76261a4854
Merge pull request #762 from ncopa/musl-fix-headers
...
nsexec: fix build against musl libc
2016-04-19 15:29:13 -07:00
Michael Crosby
27fd0575ee
Merge pull request #763 from mrunalp/userns_cgroups_ro
...
Allow mounting cgroups as read-only when user namespace is configured
2016-04-19 10:36:00 -07:00
Mrunal Patel
a6104c3bbe
Allow mounting cgroups as read-only when user namespace is configured
...
We use a bind mount to achieve this as other file system remounts are disallowed
in a user namespace.
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-04-19 10:12:09 -07:00
rajasec
d0bf80e481
Adding selinux check during container start
...
Signed-off-by: rajasec <rajasec79@gmail.com>
Fixed review comments and rebased
Signed-off-by: rajasec <rajasec79@gmail.com>
updated the message as per review comment
Signed-off-by: Rajasekaran <rajasec79@gmail.com>
2016-04-19 22:22:04 +05:30
Natanael Copa
ac6bd95319
nsexec: fix build against musl libc
...
Remove a wrongly added include which was added in commit 3c2e77ee
(Add a compatibility header for CentOS/RHEL 6, 2016-01-29) apparently to
fix this compile error on centos 6:
> In file included from
> Godeps/_workspace/src/github.com/opencontainers/runc/libcontainer/nsenter/nsexec.c:20:
> /usr/include/linux/netlink.h:35: error: expected specifier-qualifier-list before 'sa_family_t'
The glibc bits/sockaddr.h says that this header should never be included
directly[1]. Instead, sys/socket.h should be used.
The problem was correctly fixed later, in commit 394fb55
(Fix build error on centos6, 2016-03-02) so the incorrect bits/sockaddr.h can
safely be removed.
This is needed to build musl libc.
Fixes #761
[1]: 20003c4988/bits/sockaddr.h (L20)
Signed-off-by: Natanael Copa <natanael.copa@docker.com>
2016-04-19 10:58:17 +02:00
Aleksa Sarai
9384f484ff
Merge pull request #759 from crosbymichael/err-context
...
Add cause to error messages
2016-04-19 01:52:43 +00:00