Commit Graph

2289 Commits

Author SHA1 Message Date
Chun Chen 2ee9cbbd12 It's /proc/stat, not /proc/stats
Also adds /proc/net/dev to the valid mount destination white list

Signed-off-by: Chun Chen <ramichen@tencent.com>
2016-02-16 15:59:27 +08:00
rajasec b3661f4115 Removing tty0 tty1 from allowed devices
Signed-off-by: rajasec <rajasec79@gmail.com>
2016-02-16 11:21:00 +05:30
rajasec 4cd31f63c5 Change softlink name to /dev/core
Signed-off-by: rajasec <rajasec79@gmail.com>
2016-02-15 17:52:19 +05:30
Qiang Huang bda7742019 Cleanup systemd apply
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2016-02-15 15:56:59 +08:00
Qiang Huang 7b88f34d6e Remove unneeded cgroups path removal
It's handled in `destroy()`, no need to do this in
`Apply()`. I found this because systemd cgroup didn't
do this removal and it works well.

Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2016-02-15 11:22:13 +08:00
rajasec 321b842404 panic during start of failed detached container
Signed-off-by: rajasec <rajasec79@gmail.com>

Adding nil check before closing tty for restore operation

Signed-off-by: rajasec <rajasec79@gmail.com>
2016-02-14 19:11:09 +05:30
Aleksa Sarai 21dc85c4b8 libcontainer: cgroups: fs: add cgroup path safety unit tests
In order to avoid problems with security regressions going unnoticed,
add some unit tests that should make sure security regressions in cgroup
path safety cause tests to fail in runC.

Signed-off-by: Aleksa Sarai <asarai@suse.com>
2016-02-14 00:37:21 +11:00
Aleksa Sarai b8dc5213e8 libcontainer: cgroups: fs: fix path safety
Ensure that path safety is maintained, this essentially reapplies
c0cad6aa5e ("cgroups: fs: fix cgroup.Parent path sanitisation"), which
was accidentally removed in 256f3a8ebc ("Add support for CgroupsPath
field").

Signed-off-by: Aleksa Sarai <asarai@suse.com>
2016-02-14 00:37:21 +11:00
Aleksa Sarai 90140a5688 libcontainer: cgroups: fs: fix innerPath
Fix m.Path legacy code to actually work.

Signed-off-by: Aleksa Sarai <asarai@suse.com>
2016-02-14 00:37:21 +11:00
Michael Crosby 361f9b7921 Merge pull request #550 from rajasec/restoretty
Adding tty closure for restore operation
2016-02-11 10:27:58 -08:00
Aleksa Sarai 1f8711751e libcontainer: integration: fix flaky pids limit tests
Because we are implemented in Go, the number of pids present in a
container is not very well-defined (other than it not being /much/
bigger than the limit you'd want to set). As a result, we need to make
the tests a bit less flaky in this regard.

Signed-off-by: Aleksa Sarai <asarai@suse.com>
2016-02-12 00:14:22 +11:00
Alexander Morozov 1a124e9c2d Merge pull request #549 from crosbymichael/tty-close
Close tty on error before handler
2016-02-10 14:11:47 -08:00
Michael Crosby 45675581c1 Close tty on error before handler
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2016-02-10 13:41:35 -08:00
Alexander Morozov 4678b01e64 Merge pull request #497 from mlaventure/cgroups-path
Replace Cgroup Parent and Name fields by CgroupsPath
2016-02-10 13:00:49 -08:00
Kenfe-Mickael Laventure 256f3a8ebc Add support for CgroupsPath field
Fixes #396

Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
2016-02-10 11:26:51 -08:00
Michael Crosby 71db82baef Merge pull request #545 from rajasec/specupdateforpids
Adding pids subsystem in SPEC.md
2016-02-10 11:17:15 -08:00
Mrunal Patel 4d9d4866b5 Merge pull request #537 from duglin/ReorgContainer
Create some util funcs that are common between start and exec
2016-02-10 23:00:20 +05:30
rajasec a7ee55b716 Adding tty closure for restore operation
Signed-off-by: rajasec <rajasec79@gmail.com>
2016-02-10 09:48:12 +05:30
Mrunal Patel bfd3345be9 Merge pull request #541 from crosbymichael/ids
Require container id as arg1
2016-02-10 08:14:36 +05:30
Mrunal Patel 025a84a2fb Merge pull request #542 from runcom/use-coreos-systemd
*: use coreos/go-systemd/activation for socket activation
2016-02-10 08:07:21 +05:30
Kenfe-Mickael Laventure dceeb0d0df Move pathClean to libcontainer/utils.CleanPath
Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
2016-02-09 16:21:58 -08:00
Antonio Murdaca 0dea09bce7 *: use coreos/go-systemd/activation for socket activation
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-02-09 23:44:09 +01:00
Michael Crosby 8eb1dcb916 Bump to version 0.0.8
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2016-02-09 11:35:55 -08:00
Michael Crosby a7278cad98 Require containerd id as arg 1
Closes #532

This requires the container id to always be passed to all runc commands
as arg one on the cli.  This was the result of the last OCI meeting and
how operations work with the spec.

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2016-02-09 11:20:55 -08:00
Alexander Morozov 8e8d01d38d Merge pull request #536 from crosbymichael/update-spec
Update spec to v0.3.0
2016-02-09 10:53:46 -08:00
Doug Davis ad26ef1afc Create some util funcs that are common between start and exec
and it'll really help my start/create PR when I need to rebase  :-)

Signed-off-by: Doug Davis <dug@us.ibm.com>
2016-02-09 10:22:44 -08:00
rajasec 241e66dbe7 Adding pids subsystem in SPEC.md
Signed-off-by: rajasec <rajasec79@gmail.com>
2016-02-09 20:42:11 +05:30
Michael Crosby ee1aac06a0 Merge pull request #540 from rajasec/specupdate
Fixing capabilities name in SPEC.md
2016-02-08 13:15:46 -08:00
Michael Crosby 3baae2d525 Update runc for devices changes
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2016-02-08 13:15:12 -08:00
Michael Crosby fb3f69e097 Merge pull request #539 from rajasec/resume-usage
Fixing usage in resume command
2016-02-08 13:13:08 -08:00
rajasec f1cde33ed7 Fixing capabilities name in SPEC.md
Signed-off-by: rajasec <rajasec79@gmail.com>
2016-02-07 21:57:28 +05:30
rajasec 7b24b9a826 Fixing usage in resume command
Signed-off-by: rajasec <rajasec79@gmail.com>
2016-02-07 19:27:58 +05:30
Mike Brown c2c0458598 merges latest spec with runc
Signed-off-by: Mike Brown <brownwm@us.ibm.com>
2016-02-05 12:47:09 -08:00
Alexander Morozov 4f601205d4 Merge pull request #525 from crosbymichael/exec
Load process.json for exec and add detach
2016-02-05 12:37:56 -08:00
Michael Crosby fbc74c0eba Add detach and pid-file to restore
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2016-02-05 11:56:21 -08:00
Michael Crosby 92ab7309d5 Add detach to exec
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2016-02-05 11:53:45 -08:00
Michael Crosby e838be38d2 Add load process.json for exec command
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2016-02-05 11:53:45 -08:00
Michael Crosby 9c9f8eeb4b Merge pull request #488 from stefanberger/new_session_keyring
Create a new session key for every container
2016-02-05 10:48:26 -08:00
Michael Crosby 106e4777f7 Merge pull request #493 from rajasec/processops
Added error string for process operations
2016-02-05 10:44:33 -08:00
Stefan Berger ad22e23aee Create a new session key for every container
Create a new session key ring '_ses' for every container. This avoids sharing
the key structure with the process that created the container and the
container inherits from.

This patch fixes it init and exec.

Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
2016-02-04 22:05:50 -05:00
Michael Crosby 5fe15a53b6 Merge pull request #496 from LK4D4/remove_sscanf
Remove usage of GetMounts from GetCgroupMounts
2016-02-04 14:55:41 -08:00
Michael Crosby 67cca27798 Merge pull request #529 from mlaventure/memory-limit-stat
Add limit value to memory stats
2016-02-04 11:21:35 -08:00
rajasec 298cd1b285 Added error string for process operations
Signed-off-by: rajasec <rajasec79@gmail.com>

Changing the error code string name as per review comments

Signed-off-by: rajasec <rajasec79@gmail.com>
2016-02-04 11:54:50 +05:30
Qiang Huang d66c9632bf Merge pull request #524 from adfernandes/master
Add a compatibility header for CentOS/RHEL 6
2016-02-04 14:24:01 +08:00
Mrunal Patel 11a238b891 Merge pull request #522 from crosbymichael/created
Update list command and created methods
2016-02-04 09:47:10 +05:30
Mrunal Patel 98f72fe399 Merge pull request #521 from crosbymichael/version-validation
Remove version check in runc
2016-02-04 09:45:02 +05:30
Kenfe-Mickael Laventure 7a12c92dbe Add limit value to memory stats
The value is populated with the content of `limit_in_bytes`.

Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
2016-02-03 11:54:09 -08:00
Alexander Morozov 97146f4dc6 Remove usage of GetMounts from GetCgroupMounts
GetMounts is very cpu-expensive. I'll change other funcs in this package
to reuse code from GetCgroupMounts later.

Signed-off-by: Alexander Morozov <lk4d4@docker.com>
2016-02-01 11:00:23 -08:00
Qiang Huang 13e8f6e589 Remove procStart
It's never used and not needed. Our pipe is created with
syscall.SOCK_CLOEXEC, so pipe will be closed once container
process executed successfully, parent process will read EOF
and continue. If container process got error before executed,
we'll write procError to sync with parent.

Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2016-01-30 13:41:21 +08:00
Andrew Fernandes 3c2e77eed5 Add a compatibility header for CentOS/RHEL 6
Signed-off-by: Andrew Fernandes <andrew@fernandes.org>
2016-01-29 20:46:50 +00:00