At some point InitLabels was changed to look for SecuritOptions
separated by a ":" rather then an "=", but DupSecOpt was never
changed to match this default.
Signed-off-by: Dan Walsh <dwalsh@redhat.com>
With this patch, `runc start` command can start mulit-containers
at one command this patch also checks the argument of the `start`
command.
root@ubuntu:# runc list
ID PID STATUS BUNDLE CREATED
a 0 stopped /mycontainer 2016-09-23T08:56:42.754026567Z
b 62979 created /mycontainer 2016-09-23T09:01:36.421976458Z
c 62993 running /mycontainer 2016-09-23T09:01:38.105940389Z
d 63006 created /mycontainer 2016-09-23T09:01:39.65441942Z
e 63020 created /mycontainer 2016-09-23T09:01:40.989995515Z
root@ubuntu:# runc start
runc: "start" requires a minimum of 1 argument
root@ubuntu:# runc start a b c d e f
cannot start a container that has run and stopped
cannot start an already running container
container f is not exist
all or part of the containers start failed
root@ubuntu:# runc list
ID PID STATUS BUNDLE CREATED
a 0 stopped /mycontainer 2016-09-23T08:56:42.754026567Z
b 62979 running /mycontainer 2016-09-23T09:01:36.421976458Z
c 62993 running /mycontainer 2016-09-23T09:01:38.105940389Z
d 63006 running /mycontainer 2016-09-23T09:01:39.65441942Z
e 63020 running /mycontainer 2016-09-23T09:01:40.989995515Z
Signed-off-by: Wang Long <long.wanglong@huawei.com>
If copyup is specified for a tmpfs mount, then the contents of the
underlying directory are copied into the tmpfs mounted over it.
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
Depending on your SELinux setup, the order in which you join namespaces
can be important. In general, user namespaces should *always* be joined
and unshared first because then the other namespaces are correctly
pinned and you have the right priviliges within them. This also is very
useful for rootless containers, as well as older kernels that had
essentially broken unshare(2) and clone(2) implementations.
This also includes huge refactorings in how we spawn processes for
complicated reasons that I don't want to get into because it will make
me spiral into a cloud of rage. The reasoning is in the giant comment in
clone_parent. Have fun.
In addition, because we now create multiple children with CLONE_PARENT,
we cannot wait for them to SIGCHLD us in the case of a death. Thus, we
have to resort to having a child kindly send us their exit code before
they die. Hopefully this all works okay, but at this point there's not
much more than we can do.
Signed-off-by: Aleksa Sarai <asarai@suse.de>
This avoids us from running into cases where libcontainer thinks that a
particular namespace file is a different type, and makes it a fatal
error rather than causing broken functionality.
Signed-off-by: Aleksa Sarai <asarai@suse.de>
`urfave/cli` now takes upon itself to log the error returned by the
command action directly. This means that by default the `--log` option
was ignored upon error.
This commit ensure that `urfave/cli.ErrWriter` will use logrus
Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
the `-p pidlist` flag of `ps` command selects the process whose process
ID numbers apper in `pidlist`.[1]
This patch use `-p pidlist` to filter process which we want.
[1]: http://man7.org/linux/man-pages/man1/ps.1.html
Signed-off-by: Wang Long <long.wanglong@huawei.com>
In order to mount root filesystems inside the container's mount
namespace as part of the spec we need to have the ability to do a bind
mount to / as the destination.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Since Linux 4.3 ambient capabilities are available. If set these allow unprivileged child
processes to inherit capabilities, while at present there is no means to set capabilities
on non root processes, other than via filesystem capabilities which are not usually
supported in image formats.
With ambient capabilities non root processes can be given capabilities as well, and so
the main reason to use root in containers goes away, and capabilities work as expected.
The code falls back to the existing behaviour if ambient capabilities are not supported.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
grep -r "range map" showw 3 parts use map to
range enum types, use slice instead can get
better performance and less memory usage.
Signed-off-by: Peng Gao <peng.gao.dut@gmail.com>
Dan Walsh
Daniel, Dao Quang Minh
Shukui Yang
Mrunal Patel
Qiang Huang
Wang Long
Xianglin Gao
Michael Crosby
Aleksa Sarai
Mrunal Patel
Kenfe-Mickael Laventure
William Martin
Justin Cormack
Peng Gao
derekwaynecarr