Commit Graph

1268 Commits

Author SHA1 Message Date
Michael Crosby 8ef205cd1c Update mnt command test path
You cannot use an abs path inside the container's rootfs.

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2015-05-07 14:46:19 -07:00
Eric Windisch 364d8e1505 Disable all mounts in AppArmor profile
Allowing mounts in containers is dangerous. Bugs in
mount namespaces or quirks of the container configuration
could allow for various breakouts.

By default, processes in containers will not be able to mount anyway,
rendering the allowances in the default AppArmor profile nearly
useless. Manually created sub-containers were able to mount, but
were yet restricted from performing most of the mount flags indicated
in the profile.

Signed-off-by: Eric Windisch <eric@windisch.us>
2015-05-07 14:38:44 -07:00
Michael Crosby 2323c4c48d Use filepath.Rel for subdirectory comparison
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2015-05-07 14:38:44 -07:00
Michael Crosby c08e43409d Move reopenDevNull until after rootfs jail
We need to do this in case /dev/null is a symlink pointing somewhere
outside the container's rootfs.

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2015-05-07 14:38:44 -07:00
Michael Crosby e3e7c47123 Prohibit bind mounts into /
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2015-05-07 14:38:44 -07:00
Michael Crosby 3c25c9b9cf Eval mount destination after each mount
User specified mounts must be evaluated after each mount because
symlinks in nested mounts can invalidate the next mount.

Also check that any bind mounts are not inside /proc or /sys to ensure
that we are able to mask over certain paths inside.

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2015-05-07 14:38:44 -07:00
Michael Crosby 08cf3beaf0 Merge pull request #572 from hqhq/hq_fix_spec
some fixes for SPEC
2015-05-06 11:00:51 -07:00
Mrunal Patel 654d44509d Merge pull request #570 from hqhq/hq_add_gitignore
add vendor/pkg to gitignore
2015-05-06 10:20:23 -07:00
Qiang Huang 8377168545 some fixes for SPEC
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2015-05-06 22:47:50 +08:00
Alexander Morozov f1d459dbbf Merge pull request #569 from hqhq/hq_change_logrus
Replace aliased imports of logrus
2015-05-06 07:45:40 -07:00
Qiang Huang 280dd66d0c add vendor/pkg to gitignore
It's auto-generated by go install; we should ignore it.

Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2015-05-06 21:38:32 +08:00
Qiang Huang e5a7aad7eb Replace aliased imports of logrus
Docker already did this: https://github.com/docker/docker/issues/11762
libcontainer should also do it.

Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2015-05-06 21:14:04 +08:00
Mrunal Patel a1fe3f1c7a Merge pull request #560 from avagin/integration
integration: don't create a factory for each test case
2015-05-05 09:37:03 -07:00
Andrey Vagin 78f816d190 integration: don't create factories for each test case
We can do this only once.

Signed-off-by: Andrey Vagin <avagin@openvz.org>
2015-05-05 01:12:47 +03:00
Alexander Morozov 6607689b1d Merge pull request #566 from tianon/logrus-0.7.3
Update logrus to 0.7.3
2015-05-03 10:30:06 -07:00
Tianon Gravi d6a3a4e6c7 Update logrus to 0.7.3
Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com>
2015-05-03 00:24:36 -06:00
Alexander Morozov 83f0c1e580 Merge pull request #561 from avagin/logrus
Use logrus everywhere
2015-05-01 09:30:17 -07:00
Andrey Vagin 08af005e6b Use logrus everywhere
Signed-off-by: Andrey Vagin <avagin@openvz.org>
2015-05-01 18:41:28 +03:00
Michael Crosby 3e661186ba Merge pull request #535 from mrunalp/sys_props
Adds support for setting system properties.
2015-04-30 11:46:33 -07:00
Michael Crosby 0654f88d03 Merge pull request #558 from hqhq/hq_remove_unused_func
remove unused functions
2015-04-28 10:21:29 -07:00
Qiang Huang 36633d3cb4 remove unused functions
Seems no one is using them.

Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2015-04-28 09:20:32 +08:00
Michael Crosby d70569a238 Merge pull request #554 from estesp/namespace_linux_split
Split namespace syscall content for building on non-Linux
2015-04-27 17:47:19 -07:00
Michael Crosby ee61c35f8f Merge pull request #555 from avagin/cgroup
cgroups/systemd: remove useless code
2015-04-27 17:44:37 -07:00
Andrey Vagin 755bc77482 cgroups/systemd: remove useless code
I think the remove code and devices.Set do the same things.

Signed-off-by: Andrey Vagin <avagin@openvz.org>
2015-04-28 00:00:24 +03:00
Alexander Morozov 984ec36fa1 Merge pull request #539 from Mashimiao/cgroups-add-support-for-blkio-throttle
cgroups: add support blkio.throttle.read/write_*
2015-04-27 10:34:45 -07:00
Phil Estes 7f1bcd5ebf Split namespace syscall content for building on non-Linux
libcontainer/configs is used by the docker user namespace proposed
patchset to use IDMap for uid/gid maps across the codebase. Given the
client uses some of this code, it needs to build on non-Linux. This
separates out the Linux-only syscalls using build tags.

Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
2015-04-24 18:09:56 -04:00
Daniel, Dao Quang Minh 1c43532155 Merge pull request #553 from crosbymichael/cgroup-mount
Add cgroup mount type for mounting container local cgroups
2015-04-23 15:59:09 -07:00
Mrunal Patel 30f055602b Adds test for system properties.
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2015-04-22 22:18:08 -04:00
Mrunal Patel 60d3a49f6e Adds functionality to set system properties.
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2015-04-22 22:17:30 -04:00
Michael Crosby b806655f91 Merge pull request #492 from Mashimiao/cgroup-add-support-for-device-deny
cgroups: add support of devices deny for another use of cgroup devices
2015-04-22 18:43:22 -07:00
Mrunal Patel c32142a807 Merge pull request #550 from LK4D4/fix_panic
Check for cmd.Process not-nilness in setnsProcess.terminate()
2015-04-22 11:40:34 -07:00
Alexander Morozov d7aab179c1 Check for cmd.Process not-nilness in setnsProcess.terminate()
We are already doing this in initProcess

Signed-off-by: Alexander Morozov <lk4d4@docker.com>
2015-04-22 11:30:42 -07:00
Michael Crosby 03bbb04f26 Implement mounting cgroups as readonly
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2015-04-20 12:21:11 -07:00
Mrunal Patel bada39cf31 Merge pull request #495 from rhatdan/tmpfs
Add support for Premount and Postmount commands.
2015-04-20 09:20:52 -07:00
Mrunal Patel d4cf37fee9 Merge pull request #546 from liubin/fixtypos
fix some typos in source code comments
2015-04-20 09:18:57 -07:00
bin liu 4a2ae107c8 fix some typos in source code comments
Signed-off-by: bin liu <liubin0329@gmail.com>
2015-04-20 02:35:51 +00:00
Michael Crosby 9dc17dc9b4 Merge pull request #537 from hqhq/hq_cleanup_cpushares_check
cleanup cpushares check
2015-04-17 14:32:07 -07:00
Michael Crosby f2cf36412c Merge pull request #538 from hqhq/hq_fix_freeze_test
fix freeze systemd test
2015-04-17 10:53:38 -07:00
Dan Walsh dc480bc3ad add integration test for premount/postmount hooks
Docker-DCO-1.1-Signed-off-by: Daniel, Dao Quang Minh <dqminh89@gmail.com> (github: rhatdan)

Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)
2015-04-17 08:28:17 -04:00
Ma Shimiao 59eb58b640 cgroups: add support blkio.throttle.read/write_*
Signed-off-by: Ma Shimiao <mashimiao.fnst@cn.fujitsu.com>
2015-04-17 16:03:42 +08:00
Qiang Huang f010150f7d fix freeze systemd test
Made a mistake before: the freeze test doesn't use newContainer, and the
systemd test doesn't actually work.

Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2015-04-17 14:20:16 +08:00
Qiang Huang 62fccb3e1e add test case for cpuShares check
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2015-04-17 13:51:37 +08:00
Qiang Huang e161ceccbe cleanup duplicate code for cpuShares check
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2015-04-17 13:18:44 +08:00
Dan Walsh 59c5c3ac0f Add support for Premount and Postmount commands.
We want to allow docker to mount tmpfs directories over existing directories
in the image. We will use this patch to pass commands from docker to
libcontainer. The first command we will use is the tar command to gather
all of the contents of the destination directory before mounting, then after
we mount the post mount command will untar the content.

Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)
2015-04-16 20:34:12 -04:00
Mrunal Patel 52e8fd3958 Merge pull request #526 from ZJU-SEL/nsenter_readme_add
Add more explanation for nsenter
2015-04-15 21:02:44 -07:00
Ma Shimiao 689afbcf66 cgroups: add support for devices deny
Signed-off-by: Ma Shimiao <mashimiao.fnst@cn.fujitsu.com>
2015-04-16 08:30:22 +08:00
Alexander Morozov 84f43cdfac Merge pull request #500 from hqhq/hq_add_set_for_systemd
add Set support for systemd based cgroup
2015-04-15 12:23:39 -07:00
jianbosun 317686c673 Add more explanation for nsenter
Now the README in nsenter is a little confusing
and hard for newcomers to understand.

Signed-off-by: Sun Jianbo <wonderflow@zju.edu.cn>
2015-04-15 17:27:00 +08:00
Michael Crosby 32b8465dde Merge pull request #533 from rhatdan/badrelabel
We want to prevent users from accidentally attempting to relabel /, /etc and /usr
2015-04-14 13:47:34 -07:00
Mrunal Patel ed5803ec62 Merge pull request #532 from tifayuki/master
check "/sbin/apparmor_parser" in apparmor.IsEnabled()
2015-04-14 13:39:21 -07:00