The `-p pidlist` flag of the `ps` command selects the processes whose process
ID numbers appear in `pidlist`.[1]
This patch uses `-p pidlist` to filter the processes which we want.
[1]: http://man7.org/linux/man-pages/man1/ps.1.html
Signed-off-by: Wang Long <long.wanglong@huawei.com>
In order to mount root filesystems inside the container's mount
namespace as part of the spec, we need to have the ability to do a bind
mount to / as the destination.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Since Linux 4.3, ambient capabilities are available. If set, these allow unprivileged child
processes to inherit capabilities, while at present there is no means to set capabilities
on non-root processes other than via filesystem capabilities, which are not usually
supported in image formats.
With ambient capabilities, non-root processes can be given capabilities as well, and so
the main reason to use root in containers goes away, and capabilities work as expected.
The code falls back to the existing behaviour if ambient capabilities are not supported.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
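The probe-then-fall-back logic described in the message above, as an added example that is not runc's own code. It checks whether the kernel implements PR_CAP_AMBIENT through prctl(2) (constants copied from <linux/prctl.h>), tries to raise one capability into the ambient set, and parses the Cap* lines of /proc/<pid>/status to show the rule the kernel enforces: a capability can only become ambient if it is already permitted and inheritable, and only the ambient set survives an execve by a non-root user. The two status excerpts are constructed samples, not captured output; the code assumes Linux.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"syscall"
)

// prctl(2) option and argument values for the ambient capability set
// (Linux >= 4.3), copied from <linux/prctl.h>.
const (
	prCapAmbient      = 47
	prCapAmbientIsSet = 1
	prCapAmbientRaise = 2
	capNetBindService = 10 // CAP_NET_BIND_SERVICE, used as the probe capability
)

// AmbientSupported reports whether the running kernel implements
// PR_CAP_AMBIENT. A kernel older than 4.3 rejects the option with EINVAL,
// which is the case in which a runtime falls back to the old behaviour.
// Assumes Linux (syscall.SYS_PRCTL is Linux-only).
func AmbientSupported() bool {
	_, _, errno := syscall.RawSyscall6(syscall.SYS_PRCTL,
		prCapAmbient, prCapAmbientIsSet, capNetBindService, 0, 0, 0)
	return errno == 0
}

// RaiseAmbient adds capability c to the calling thread's ambient set. The
// kernel answers EPERM unless c is already in both the permitted and the
// inheritable set (or if SECBIT_NO_CAP_AMBIENT_RAISE is set).
func RaiseAmbient(c uintptr) error {
	_, _, errno := syscall.RawSyscall6(syscall.SYS_PRCTL,
		prCapAmbient, prCapAmbientRaise, c, 0, 0, 0)
	if errno != 0 {
		return fmt.Errorf("PR_CAP_AMBIENT_RAISE(%d): %w", c, errno)
	}
	return nil
}

// CapSets holds the masks printed on the Cap* lines of /proc/<pid>/status.
type CapSets struct {
	Inh, Prm, Eff, Bnd, Amb uint64
}

// ParseStatus extracts those masks from the text of /proc/<pid>/status.
// CapAmb is missing on kernels without ambient support, so the caller can
// detect that case through the error.
func ParseStatus(status string) (CapSets, error) {
	var s CapSets
	dst := map[string]*uint64{"CapInh:": &s.Inh, "CapPrm:": &s.Prm,
		"CapEff:": &s.Eff, "CapBnd:": &s.Bnd, "CapAmb:": &s.Amb}
	seen := 0
	for _, line := range strings.Split(status, "\n") {
		f := strings.Fields(line)
		if len(f) != 2 || dst[f[0]] == nil {
			continue
		}
		v, err := strconv.ParseUint(f[1], 16, 64)
		if err != nil {
			return CapSets{}, fmt.Errorf("%s %q: %w", f[0], f[1], err)
		}
		*dst[f[0]] = v
		seen++
	}
	if seen != 5 {
		return CapSets{}, fmt.Errorf("expected 5 Cap* lines, found %d", seen)
	}
	return s, nil
}

// CanRaise reports whether c may be moved into the ambient set, i.e. it is
// in both the permitted and the inheritable set.
func (s CapSets) CanRaise(c uint) bool {
	bit := uint64(1) << c
	return s.Prm&bit != 0 && s.Inh&bit != 0
}

// SurvivesExec reports whether a non-root process keeps c across execve of
// a binary without file capabilities: only the ambient set carries over.
func (s CapSets) SurvivesExec(c uint) bool {
	return s.Amb&(uint64(1)<<c) != 0
}

// SampleStatus is a constructed /proc/<pid>/status excerpt (not real output)
// for a uid 1000 process holding CAP_NET_BIND_SERVICE (bit 10) in every set.
const SampleStatus = `Name:	nginx
Uid:	1000	1000	1000	1000
CapInh:	0000000000000400
CapPrm:	0000000000000400
CapEff:	0000000000000400
CapBnd:	00000000a80425fb
CapAmb:	0000000000000400
`

// SampleStatusNoAmbient (constructed) is the same process when the capability
// was only placed in permitted and effective: it cannot be raised and is
// dropped on exec, the pre-4.3 situation the message describes.
const SampleStatusNoAmbient = `CapInh:	0000000000000000
CapPrm:	0000000000000400
CapEff:	0000000000000400
CapBnd:	00000000a80425fb
CapAmb:	0000000000000000
`

func main() {
	fmt.Println("kernel supports ambient capabilities:", AmbientSupported())
	s, err := ParseStatus(SampleStatus)
	if err != nil {
		panic(err)
	}
	fmt.Printf("CAP_NET_BIND_SERVICE raisable=%v survives exec=%v\n",
		s.CanRaise(capNetBindService), s.SurvivesExec(capNetBindService))
	if err := RaiseAmbient(capNetBindService); err != nil {
		fmt.Println("raise refused, falling back:", err) // EINVAL on old kernels, EPERM if not inheritable
	}
}
```

Run as an unprivileged user the raise normally fails with EPERM, because nothing put CAP_NET_BIND_SERVICE into the inheritable set first; a runtime does that step (and applies the permitted/inheritable masks) before raising, which is the ordering the CanRaise check encodes.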
`grep -r "range map"` shows 3 places that use a map to
range over enum types; using a slice instead gives
better performance and less memory usage.
Signed-off-by: Peng Gao <peng.gao.dut@gmail.com>
For example, the /sys/firmware directory should be masked because it can contain some sensitive files:
- /sys/firmware/acpi/tables/{SLIC,MSDM}: Windows license information
- /sys/firmware/ibft/target0/chap-secret: iSCSI CHAP secret
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
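A check for whether a configuration's masked paths actually cover the files named above, as an added example that is not part of runc. Masking a directory hides everything beneath it, so the test is a path-prefix test on whole components (so that /sys/firmware does not accidentally cover a sibling such as /sys/firmwarex). The two masked-path arrays stand in for the linux.maskedPaths array of an OCI config.json before and after the fix; their other entries are assumed for illustration, not quoted from runc's default spec.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// SensitivePaths are the files named in the commit message above that must
// not be readable from inside a container.
var SensitivePaths = []string{
	"/sys/firmware/acpi/tables/SLIC",
	"/sys/firmware/acpi/tables/MSDM",
	"/sys/firmware/ibft/target0/chap-secret",
}

// WeakMaskedPaths and FixedMaskedPaths are constructed stand-ins for the
// linux.maskedPaths array of an OCI config.json before and after adding
// /sys/firmware; /proc/kcore is assumed here for illustration only.
var WeakMaskedPaths = []string{"/proc/kcore"}
var FixedMaskedPaths = []string{"/proc/kcore", "/sys/firmware"}

// IsMasked reports whether p is hidden by one of masked: it is either a
// masked path itself or lies below a masked directory. Matching is done on
// whole path components, so "/sys/firmware" does not cover "/sys/firmwarex",
// and both sides are cleaned so "/sys/firmware/" and "/sys//firmware" agree.
func IsMasked(p string, masked []string) bool {
	p = path.Clean(p)
	for _, m := range masked {
		m = path.Clean(m)
		if p == m || strings.HasPrefix(p, m+"/") {
			return true
		}
	}
	return false
}

// Unmasked returns the entries of sensitive that masked leaves visible.
func Unmasked(sensitive, masked []string) []string {
	var out []string
	for _, p := range sensitive {
		if !IsMasked(p, masked) {
			out = append(out, p)
		}
	}
	return out
}

func main() {
	fmt.Println("visible with weak config: ", Unmasked(SensitivePaths, WeakMaskedPaths))
	fmt.Println("visible with fixed config:", Unmasked(SensitivePaths, FixedMaskedPaths))
}
```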
The cgroupData.join method uses `WriteCgroupProc` to place the pid into
the proc file; it avoids attaching any pid to the cgroup if -1 is
specified as the pid.
So, replace `writeFile` with `WriteCgroupProc`, like `cpuset.go`'s
ApplyDir method.
Signed-off-by: Wang Long <long.wanglong@huawei.com>
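The -1 sentinel behaviour the message relies on, as an added stand-alone example rather than runc's own WriteCgroupProc: a write path that leaves cgroup.procs untouched when no process is being attached, plus a reader to confirm what ended up in the file. The join helper below only mirrors the shape of the call described above (make the directory, then attach); the main function exercises it against a temporary directory instead of a real cgroupfs.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"path/filepath"
	"strconv"
)

// WriteCgroupProc attaches pid to the cgroup at dir by writing it to
// cgroup.procs. A pid of -1 means "nothing to attach" (the case where a
// cgroup is set up without a process), so the file is left untouched rather
// than handing the kernel a bogus pid. Illustrative re-implementation, not
// runc's function.
func WriteCgroupProc(dir string, pid int) error {
	if pid == -1 {
		return nil
	}
	// O_CREATE is harmless on a real cgroupfs (the file already exists) and
	// lets the example run against a plain temporary directory.
	f, err := os.OpenFile(filepath.Join(dir, "cgroup.procs"),
		os.O_WRONLY|os.O_CREATE|os.O_APPEND, 0o644)
	if err != nil {
		return fmt.Errorf("open cgroup.procs: %w", err)
	}
	defer f.Close()
	// cgroup.procs accepts exactly one pid per write.
	if _, err := fmt.Fprintf(f, "%d\n", pid); err != nil {
		return fmt.Errorf("attach pid %d: %w", pid, err)
	}
	return nil
}

// ReadCgroupProcs returns the pids listed in dir's cgroup.procs; a missing
// file is reported as an empty cgroup.
func ReadCgroupProcs(dir string) ([]int, error) {
	f, err := os.Open(filepath.Join(dir, "cgroup.procs"))
	if os.IsNotExist(err) {
		return nil, nil
	}
	if err != nil {
		return nil, err
	}
	defer f.Close()
	var pids []int
	sc := bufio.NewScanner(f)
	for sc.Scan() {
		p, err := strconv.Atoi(sc.Text())
		if err != nil {
			return nil, fmt.Errorf("bad pid line %q: %w", sc.Text(), err)
		}
		pids = append(pids, p)
	}
	return pids, sc.Err()
}

// join mirrors the shape of cgroupData.join from the message above: create
// the cgroup directory, then attach, which is a no-op when pid is -1.
func join(dir string, pid int) error {
	if err := os.MkdirAll(dir, 0o755); err != nil {
		return err
	}
	return WriteCgroupProc(dir, pid)
}

func main() {
	dir, err := os.MkdirTemp("", "cg")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	if err := join(dir, -1); err != nil { // creates the directory only
		panic(err)
	}
	if err := join(dir, os.Getpid()); err != nil {
		panic(err)
	}
	pids, err := ReadCgroupProcs(dir)
	fmt.Println("attached:", pids, err)
}
```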
If a container's state is running or created, the container.Pause()
method can set the state to pausing, and then to paused.
This patch updates the comment so that it is consistent with the code.
Signed-off-by: Wang Long <long.wanglong@huawei.com>
This patch enhances the `runc delete` command as follows:
1) when `runc delete` is run without a container-id
```
$ runc delete
runc: "delete" requires a minimum of 1 argument
```
2) we can delete multiple containers in one command,
for example:
```
$ runc list
ID PID STATUS BUNDLE CREATED
a 8490 created /mycontainer 2016-09-18T03:49:32.259760434Z
b 8520 running /mycontainer 2016-09-18T03:49:36.999299944Z
c 8535 created /mycontainer 2016-09-18T03:49:40.975277538Z
d 8549 created /mycontainer 2016-09-18T03:49:42.675282602Z
e 8562 running /mycontainer 2016-09-18T03:49:44.175400931Z
$ runc delete a b cc
cannot delete container b that is not stopped: running
container cc is not exist
$ runc list
ID PID STATUS BUNDLE CREATED
b 8520 running /mycontainer 2016-09-18T03:49:36.999299944Z
c 8535 created /mycontainer 2016-09-18T03:49:40.975277538Z
d 8549 created /mycontainer 2016-09-18T03:49:42.675282602Z
e 8562 running /mycontainer 2016-09-18T03:49:44.175400931Z
$ runc delete -f b c d e
$ runc list
ID PID STATUS BUNDLE CREATED
```
Signed-off-by: Wang Long <long.wanglong@huawei.com>
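The container state rules that the two messages above depend on (Pause going created/running -> pausing -> paused, and multi-id delete continuing past failures), as an added model that is not runc's code. The store is seeded with the five constructed containers from the `runc list` output above; the delete rules are read off that listing, where the created container "a" is removed without -f while the running "b" is refused and "cc" is reported as missing. Real runc drives a freezer cgroup and signals an init process at the points marked in comments; those side effects are omitted here.

```go
package main

import (
	"errors"
	"fmt"
)

// Status models the STATUS column of `runc list`.
type Status int

const (
	Created Status = iota
	Running
	Pausing
	Paused
	Stopped
)

func (s Status) String() string {
	return [...]string{"created", "running", "pausing", "paused", "stopped"}[s]
}

// Container is a minimal stand-in for runc's container object.
type Container struct {
	ID     string
	Status Status
}

// Pause follows the transition the comment fix above describes:
// created or running -> pausing -> paused. Any other state is rejected.
func (c *Container) Pause() error {
	switch c.Status {
	case Created, Running:
		c.Status = Pausing // runc freezes the cgroup between these two writes
		c.Status = Paused
		return nil
	}
	return fmt.Errorf("cannot pause container %s in state %s", c.ID, c.Status)
}

// Store stands in for the state directory that `runc list` reads.
type Store map[string]*Container

// ErrNotFound is returned for ids that have no state on disk.
var ErrNotFound = errors.New("container does not exist")

// Delete removes every id in ids, continuing past per-container failures
// and returning all of them, which matches the listing above where "a" is
// deleted while "b" and "cc" fail. A stopped container is removed, a created
// one is deleted outright (its init has not exec'd yet), and any other state
// needs force, which stands in for the kill runc performs first.
func (s Store) Delete(force bool, ids ...string) []error {
	if len(ids) == 0 {
		return []error{errors.New(`"delete" requires a minimum of 1 argument`)}
	}
	var errs []error
	for _, id := range ids {
		c, ok := s[id]
		switch {
		case !ok:
			errs = append(errs, fmt.Errorf("container %s: %w", id, ErrNotFound))
		case c.Status == Stopped || c.Status == Created || force:
			delete(s, id)
		default:
			errs = append(errs, fmt.Errorf("cannot delete container %s that is not stopped: %s", id, c.Status))
		}
	}
	return errs
}

// NewStore builds the constructed five-container state from the listing above.
func NewStore() Store {
	return Store{
		"a": {ID: "a", Status: Created}, "b": {ID: "b", Status: Running},
		"c": {ID: "c", Status: Created}, "d": {ID: "d", Status: Created},
		"e": {ID: "e", Status: Running},
	}
}

func main() {
	s := NewStore()
	for _, err := range s.Delete(false, "a", "b", "cc") {
		fmt.Println(err)
	}
	fmt.Println("remaining:", len(s))
	fmt.Println("forced:", s.Delete(true, "b", "c", "d", "e"), "remaining:", len(s))
}
```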