Commit Graph

3006 Commits

Author SHA1 Message Date
Justin Cormack 4e179bddca Set ambient capabilities where supported
Since Linux 4.3 ambient capabilities are available. If set, these allow unprivileged child
processes to inherit capabilities, while at present there is no means to set capabilities
on non-root processes, other than via filesystem capabilities, which are not usually
supported in image formats.

With ambient capabilities non-root processes can be given capabilities as well, and so
the main reason to use root in containers goes away, and capabilities work as expected.

The code falls back to the existing behaviour if ambient capabilities are not supported.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2016-09-28 09:13:56 +01:00
Peng Gao c5393da813 Refactor enum map range to slice range
grep -r "range map" shows 3 parts use map to
range enum types; using slice instead can get
better performance and less memory usage.

Signed-off-by: Peng Gao <peng.gao.dut@gmail.com>
2016-09-28 15:36:29 +08:00
derekwaynecarr 1a75f815d5 systemd cgroup driver supports slice management
Signed-off-by: derekwaynecarr <decarr@redhat.com>
2016-09-27 16:01:37 -04:00
Mrunal Patel 1359131f4a Merge pull request #1080 from hqhq/fix_user_test
Fix TestGetAdditionalGroups on i686
2016-09-27 10:18:27 -07:00
Qiang Huang 2940d2e2e9 Merge pull request #1069 from datawolf/add-unittest
[integration] add testcases for `runc delete` command
2016-09-27 19:20:36 +08:00
Qiang Huang dc0a4cf488 Fix TestGetAdditionalGroups on i686
Fixes: #941

Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2016-09-27 18:25:53 +08:00
Daniel, Dao Quang Minh 6cbd8e20ef Merge pull request #1076 from rajasec/checkpoint-create
Container must not checkpoint in created state
2016-09-26 23:53:41 +01:00
Daniel, Dao Quang Minh cce5713940 Merge pull request #1077 from rajasec/readme-container-usage
Updating libcontainer README for container run
2016-09-26 23:52:06 +01:00
Mrunal Patel 282b254073 Merge pull request #1068 from AkihiroSuda/maskdir
MaskPaths: support directory
2016-09-26 13:10:40 -07:00
Michael Crosby 74317eaa20 Merge pull request #1072 from keloyang/dbuild
Bug fix for make dbuild
2016-09-26 10:57:59 -07:00
Shukui Yang 4853f3b628 Bug fix for make dbuild
Signed-off-by: Shukui Yang <yangshukui@huawei.com>
2016-09-26 12:04:50 +08:00
rajasec c1d967f055 Updating libcontainer README for container run
Signed-off-by: rajasec <rajasec79@gmail.com>
2016-09-25 23:02:55 +05:30
rajasec a60040c62d Container must not checkpoint in created state
Signed-off-by: rajasec <rajasec79@gmail.com>
2016-09-25 21:09:23 +05:30
Shukui Yang cc0e2d567f Remove the workaround which adds a -- flag to runc exec command and add integration for exec ls -la
Signed-off-by: Shukui Yang <yangshukui@huawei.com>
2016-09-24 12:21:50 +08:00
Shukui Yang 993126259c Remove the workaround which adds a -- flag to runc ps command and add integration for ps -eaf
Signed-off-by: Shukui Yang <yangshukui@huawei.com>
2016-09-24 12:20:52 +08:00
Akihiro Suda 53179559a1 MaskPaths: support directory
For example, the /sys/firmware directory should be masked because it can contain some sensitive files:
  - /sys/firmware/acpi/tables/{SLIC,MSDM}: Windows license information
  - /sys/firmware/ibft/target0/chap-secret: iSCSI CHAP secret

Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2016-09-23 16:14:41 +00:00
Wang Long e72a4e5bd2 [integration] add testcases for `runc delete` command
This patch adds two testcases for `runc delete` with
multiple containers. See: https://github.com/opencontainers/runc/pull/1053

Signed-off-by: Wang Long <long.wanglong@huawei.com>
2016-09-23 15:35:50 +08:00
Qiang Huang e83ccf62aa Merge pull request #1063 from datawolf/test-error-code
[unittest] add extra ErrorCode in TestErrorCode testcase
2016-09-23 11:55:44 +08:00
Aleksa Sarai 650c97a111 Merge branch 'pr-1051'
LGTM: @cyphar @crosbymichael
Closes #1051
2016-09-23 12:13:34 +10:00
Mrunal Patel 6b8f696614 Merge pull request #1053 from datawolf/enhance-runc-delete
enhance runc delete command
2016-09-22 16:51:10 -07:00
Mrunal Patel 5653ced544 Merge pull request #1059 from datawolf/use-WriteCgrougProc
cgroup: using WriteCgroupProc to write the specified pid into the cgroup's cgroup.procs file
2016-09-22 11:31:35 -07:00
Mrunal Patel bb792edd31 Merge pull request #1058 from datawolf/update-pause-comment
update the comment for container.Pause() method on linux
2016-09-22 11:31:07 -07:00
Michael Crosby 20c7c3bb37 Merge pull request #1049 from mrunalp/getcgroups_all
Add flag to allow getting all mounts for cgroups subsystems
2016-09-22 11:15:39 -07:00
Wang Long 132f5ee7d4 [unittest] add extra ErrorCode in TestErrorCode testcase
Signed-off-by: Wang Long <long.wanglong@huawei.com>
2016-09-22 20:15:54 +08:00
Qiang Huang a2a6e828a9 Merge pull request #1048 from crosbymichael/state-json
Use same state object for state and list
2016-09-22 19:48:43 +08:00
Mrunal Patel 09fd10eb2d Merge pull request #1060 from YummyPeng/fix-typo
Fix typo
2016-09-21 12:31:04 -07:00
Yuanhong Peng 6ed0652ee0 Fix typo
Signed-off-by: Yuanhong Peng <pengyuanhong@huawei.com>
2016-09-21 20:13:32 +08:00
Wang Long ce9951834c cgroup: using WriteCgroupProc to write the specified pid into the cgroup's cgroup.procs file
The cgroupData.join method uses `WriteCgroupProc` to place the pid into
the proc file; it can avoid attaching any pid to the cgroup if -1 is
specified as a pid.

So, replace `writeFile` with `WriteCgroupProc`, like `cpuset.go`'s
ApplyDir method.

Signed-off-by: Wang Long <long.wanglong@huawei.com>
2016-09-21 10:57:03 +00:00
Mrunal Patel ce5d8cf941 Merge pull request #1056 from datawolf/remove-duplicate-test
remove duplicate test command on integration
2016-09-20 09:57:39 -07:00
Wang Long 59a241f647 update the comment for container.Pause() method on linux
If a container state is running or created, the container.Pause()
method can set the state to pausing, and then paused.

This patch updates the comment so it is consistent with the code.

Signed-off-by: Wang Long <long.wanglong@huawei.com>
2016-09-20 10:49:04 +08:00
Mrunal Patel 52454cf908 Merge pull request #1052 from hqhq/fix_update_cpuset
Fix update cpuset on single processor box
2016-09-19 11:55:40 -07:00
Mrunal Patel 092e9fd731 Merge pull request #1055 from hqhq/upgrade_golang
Update golang to 1.7.1
2016-09-19 11:53:54 -07:00
Michael Crosby 4350d90043 Use same state object for state and list
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2016-09-19 09:18:24 -07:00
Wang Long d852210a7e remove duplicate test command on integration
Signed-off-by: Wang Long <long.wanglong@huawei.com>
2016-09-19 11:18:38 +00:00
Qiang Huang da32c187bf Update golang to 1.7.1
Fixes: #1021

Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2016-09-19 17:45:33 +08:00
Wang Long d66ac3d9bd enhance runc delete command
This patch enhances the `runc delete` command as follows:

1) when `runc delete` is run without a container-id

```
$ runc delete
runc: "delete" requires a minimum of 1 argument
```

2) we can delete multiple containers in one command

for example:

```
$ runc list
ID          PID         STATUS      BUNDLE         CREATED
a           8490        created     /mycontainer   2016-09-18T03:49:32.259760434Z
b           8520        running     /mycontainer   2016-09-18T03:49:36.999299944Z
c           8535        created     /mycontainer   2016-09-18T03:49:40.975277538Z
d           8549        created     /mycontainer   2016-09-18T03:49:42.675282602Z
e           8562        running     /mycontainer   2016-09-18T03:49:44.175400931Z
$ runc delete a b cc
cannot delete container b that is not stopped: running
container cc is not exist
$ runc list
ID          PID         STATUS      BUNDLE         CREATED
b           8520        running     /mycontainer   2016-09-18T03:49:36.999299944Z
c           8535        created     /mycontainer   2016-09-18T03:49:40.975277538Z
d           8549        created     /mycontainer   2016-09-18T03:49:42.675282602Z
e           8562        running     /mycontainer   2016-09-18T03:49:44.175400931Z
$ runc delete -f b c d e
$ runc list
ID          PID         STATUS      BUNDLE      CREATED
```

Signed-off-by: Wang Long <long.wanglong@huawei.com>
2016-09-18 11:59:55 +08:00
Qiang Huang 38e0df9ec6 Merge pull request #1046 from rhatdan/relabel
Fix error messages to give information of relabeling failed
2016-09-18 11:18:07 +08:00
Qiang Huang c5d33b1ac7 Fix update cpuset on single processor box
Fixes: #1050

Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2016-09-18 10:44:46 +08:00
Shukui Yang d5dd8931c5 fix ps/exec command parameter error
Signed-off-by: Shukui Yang <yangshukui@huawei.com>
2016-09-18 09:34:06 +08:00
Shukui Yang 1db7315287 update github.com/urfave/cli lib
Signed-off-by: Shukui Yang <yangshukui@huawei.com>
2016-09-18 09:22:46 +08:00
Mrunal Patel 7ec24c513f Merge pull request #1023 from zhaoleidd/fix_check_config
Fix check config
2016-09-16 14:15:26 -07:00
Michael Crosby 8b4850b8cd Merge pull request #1045 from hqhq/recursive_generic_error
Allow recursive generic error
2016-09-16 10:36:57 -07:00
Mrunal Patel f557996401 Add flag to allow getting all mounts for cgroups subsystems
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-09-15 15:19:27 -04:00
Dan Walsh d37c5be9ff Fix error messages to give information of relabeling failed
Currently if a user does a command like

docker: Error response from daemon: operation not supported.

With this fix they should see a much more informative error message.

docker run -ti -v /proc:/proc:Z fedora sh
docker: Error response from daemon: SELinux Relabeling of /proc is not allowed: operation not supported.

Signed-off-by: Dan Walsh <dwalsh@redhat.com>
2016-09-15 04:38:16 -04:00
Mrunal Patel b1e602e8ba Merge pull request #1039 from crosbymichael/list
Continue for list on errors
2016-09-14 15:10:50 -07:00
Michael Crosby 3ada88c9e7 Continue for list on errors
This will print out the error on stderr when loading a container but
still list everything that was successful.

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2016-09-14 14:26:03 -07:00
Mrunal Patel d9ed595245 Merge pull request #1043 from rajasec/events-error
Removing fatal error from events in stopped state
2016-09-14 11:39:53 -07:00
Mrunal Patel 51c11a89f7 Merge pull request #1042 from datawolf/out-of-loop
move m.GetPaths out of the loop
2016-09-14 11:38:50 -07:00
Qiang Huang b2e811183b Allow recursive generic error
Error sent from child process is already genericError; if
we don't allow recursive generic error, we won't get any
cause information from parent process.

Before, we got:
WARN[0000] exit status 1
ERRO[0000] operation not permitted

After, we got:
WARN[0000] exit status 1
ERRO[0000] container_linux.go:247: starting container process caused "process_linux.go:359: container init caused \"operation not permitted\""

It's not pretty but useful for detecting root causes.

Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2016-09-14 15:55:46 +08:00
Mrunal Patel f516b5d082 Merge pull request #1022 from hqhq/add_privileged_for_dbuild
Add privileged to make dbuild
2016-09-13 10:07:10 -07:00