Fixed getDeviceNodes() so it won't add /dev/console to the device node
list.
This fixes an issue where containers wouldn't start if
/dev/console is a pts (which is the case when running docker inside
docker), because devpts inodes are special and cannot be created with
mknod: attempting to open the result of doing so will return EIO.
Since later libcontainer would attempt to open the file to mount --bind
over it and fail because of the EIO error, the container wouldn't start
if the /dev/console was a pts, which is the case inside a docker
that was started from a pts.
getDeviceNodes() already filters pts so this change is consistent
with the current behavior.
Signed-off-by: Alejandro Ojeda <alex@x3y.org>

This integration pkg adds a framework for writing integration tests
against the libcontainer APIs
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>

We need to do this because it's a big dep. While we remove this
recursive dep this is the best that we can do right now.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>

For our work on adding dynamic device support to Docker we needed to be
able to call this to update the list of allowed devices. This works for
both systemd and fs based cgroups implementations.
Co-Authored-By: Chris Alfonso <calfonso@redhat.com> (github: calfonso)
Docker-DCO-1.1-Signed-off-by: Ian Main <imain@redhat.com> (github: imain)

The set of the apparmor profile for the setns codepath was missing.
Selinux was being called but apparmor was forgotten. This was causing
no profiles to be applied to the extra process spawn inside an existing
container.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>

docker exec changes the mount namespace which fools selinux bindings
into thinking SELinux is disabled. Bindings should just check if
a label is passed in and attempt to use it. Docker will not call these
functions with a label if SELinux is disabled.
Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)

This is needed for the libvirt exec driver.
Docker-DCO-1.1-Signed-off-by: Alexander Larsson <alexl@redhat.com> (github: alexlarsson)
Docker-DCO-1.1-Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com> (github: jpoimboe)

- Add Llistxattr() support
- Additionally clean up Lgetxattr() and implement it properly
  in accordance with getxattr() syscall behavior.
Signed-off-by: Harshavardhana <fharshav@redhat.com>

You can now create VLAN and MAC VLAN devices using netlink.
I've also added tests for both VLAN and MAC VLAN stuff.
Signed-off-by: Milos Gajdos <milosgajdos83@gmail.com> (github: milosgajdos83)

I've refactored NetworkSetNsPid and NetworkSetNsFd following
what we already have in place for Add/Del Ip and Add/Del Link.
I've reimplemented NetworkChangeName function which is now
using netlink for changing the interface name. I added tests too.
I've moved the original syscall implementation at the bottom
to keep it together with the other non-netlink functions.
Signed-off-by: Milos Gajdos <milosgajdos83@gmail.com> (github: milosgajdos83)

Since currently the container.json file does not include the pathname
to a container's root filesystem, we need to parse /proc/mounts which
is slow and error-prone. This patch addresses this issue by adding a
new RootFs field.
Signed-off-by: Saied Kazemi <saied@google.com>