For example, the /sys/firmware directory should be masked because it can contain some sensitive files:
- /sys/firmware/acpi/tables/{SLIC,MSDM}: Windows license information:
- /sys/firmware/ibft/target0/chap-secret: iSCSI CHAP secret
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
cgroupData.join method using `WriteCgroupProc` to place the pid into
the proc file, it can avoid attach any pid to the cgroup if -1 is
specified as a pid.
so, replace `writeFile` with `WriteCgroupProc` like `cpuset.go`'s
ApplyDir method.
Signed-off-by: Wang Long <long.wanglong@huawei.com>
if a container state is running or created, the container.Pause()
method can set the state to pausing, and then paused.
this patch update the comment, so it can be consistent with the code.
Signed-off-by: Wang Long <long.wanglong@huawei.com>
This patch enhance the `runc delete` command as following
1) when `runc delete` without one container-id
```
$ runc delete
runc: "delete" requires a minimum of 1 argument
```
2) we can delete more containers at one command
for example:
```
$ runc list
ID PID STATUS BUNDLE CREATED
a 8490 created /mycontainer 2016-09-18T03:49:32.259760434Z
b 8520 running /mycontainer 2016-09-18T03:49:36.999299944Z
c 8535 created /mycontainer 2016-09-18T03:49:40.975277538Z
d 8549 created /mycontainer 2016-09-18T03:49:42.675282602Z
e 8562 running /mycontainer 2016-09-18T03:49:44.175400931Z
$ runc delete a b cc
cannot delete container b that is not stopped: running
container cc is not exist
$ runc list
ID PID STATUS BUNDLE CREATED
b 8520 running /mycontainer 2016-09-18T03:49:36.999299944Z
c 8535 created /mycontainer 2016-09-18T03:49:40.975277538Z
d 8549 created /mycontainer 2016-09-18T03:49:42.675282602Z
e 8562 running /mycontainer 2016-09-18T03:49:44.175400931Z
$ runc delete -f b c d e
$ runc list
ID PID STATUS BUNDLE CREATED
```
Signed-off-by: Wang Long <long.wanglong@huawei.com>
Currently if a user does a command like
docker: Error response from daemon: operation not supported.
With this fix they should see a much more informative error message.
docker run -ti -v /proc:/proc:Z fedora sh
docker: Error response from daemon: SELinux Relabeling of /proc is not allowed: operation not supported.
Signed-off-by: Dan Walsh <dwalsh@redhat.com>
This will print out the error on stderr when loading a container but
still list everything that was sucessful.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Error sent from child process is already genericError, if
we don't allow recrusive generic error, we won't get any
cause infomation from parent process.
Before, we got:
WARN[0000] exit status 1
ERRO[0000] operation not permitted
After, we got:
WARN[0000] exit status 1
ERRO[0000] container_linux.go:247: starting container process caused "process_linux.go:359: container init caused \"operation not permitted\""
it's not pretty but useful for detecting root causes.
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
This allows older state files to be loaded without the unmarshal error
of the string to int conversion.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Mrunal Patel
Michael Crosby
Shukui Yang
rajasec
Akihiro Suda
Wang Long
Qiang Huang
Aleksa Sarai
Yuanhong Peng
Mrunal Patel
Dan Walsh