Commit Graph

2182 Commits

Author SHA1 Message Date
Mrunal Patel 1cb571f800 Merge pull request #228 from mheon/seccomp_config
Connect Seccomp configuration in Spec to backend
2015-08-28 10:32:42 -07:00
Mrunal Patel 7797873f1b Merge pull request #230 from shishir-a412ed/error_check_load_spec
Error should be checked after loadSpec
2015-08-27 08:18:47 -07:00
Shishir Mahajan 432dcede36 Error should be checked after loadSpec
Signed-off-by: Shishir Mahajan <shishir.mahajan@redhat.com>
2015-08-27 11:03:43 -04:00
Mark Sta Ana a491b93ff3 Add caveat will only build on Linux as per #9
Signed-off-by: Mark Sta Ana <booyaabooyaabooyaa@gmail.com>
2015-08-27 08:50:46 +01:00
Matthew Heon 2ee6d1e8b6 Connect Seccomp configuration in Spec to configuration in Libcontainer
Signed-off-by: Matthew Heon <mheon@redhat.com>
2015-08-25 17:35:06 -04:00
Mrunal Patel 7291a52148 Merge pull request #210 from duglin/AddExecCmd
Add a 'start' command
2015-08-25 08:21:23 -07:00
Mrunal Patel 2f4c229a8c Merge pull request #215 from boucher/huikang-patch
Add hooks for passing explicit veth pairs for forwarding to CRIU
2015-08-24 21:23:29 -07:00
Rajasekaran fc97aa44e1 Updating README for rlimit
Signed-off-by: Rajasekaran <rajasec79@gmail.com>

Fixing indentation issue in README

Signed-off-by: Rajasekaran <rajasec79@gmail.com>
2015-08-25 06:02:59 +05:30
Hui Kang 7f23085c82 Add hooks for passing explicit veth pairs for forwarding to CRIU.
Signed-off-by: Hui Kang <hkang.sunysb@gmail.com>
2015-08-24 09:26:39 -07:00
Rajasekaran ab4b825f8c Adding rlimit in spec
Signed-off-by: Rajasekaran <rajasec79@gmail.com>

Removing return type

Signed-off-by: Rajasekaran <rajasec79@gmail.com>
2015-08-24 21:33:36 +05:30
Mrunal Patel ca2f4925c9 Merge pull request #219 from boucher/criu-logs
Add the criu log file path to the failure message.
2015-08-24 08:21:24 -07:00
Marcos Lilljedahl 241306b95c Update README config file devices
Signed-off-by: Marcos Lilljedahl <marcosnils@gmail.com>
2015-08-23 12:52:50 -03:00
Michael Crosby ba56afde7b Remove hard-coded default for tcp connections
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2015-08-21 15:59:43 -07:00
Doug Davis 714ae2acc9 Add a 'start' command
When any non-global-flag parameter appears on the command line make sure
there's a "command" even in the 'start' (run) case to ensure it's not
ambiguous as to what the arg is. For example, w/o this fix it's not
clear if
   runc foo
means 'foo' is the name of a config file or an unknown command.  Or worse,
you can't name a config file the same as ANY command, even future (yet to
be created) commands.

We should fix this now before we ship 1.0 and are forced to support this
ambiguous case for a long time.

Signed-off-by: Doug Davis <dug@us.ibm.com>
2015-08-21 15:26:34 -07:00
boucher 8c812d0f50 Add the criu log file path to the failure message.
Signed-off-by: Ross Boucher <rboucher@gmail.com>
2015-08-21 14:20:59 -07:00
Mrunal Patel e7663a673e Merge pull request #70 from mheon/seccomp
Convert Seccomp support to use Libseccomp
2015-08-21 12:25:33 -07:00
Mrunal Patel 6d0f60bb94 Merge pull request #205 from tonistiigi/exec
Add exec command
2015-08-21 10:45:28 -07:00
Mrunal Patel 90e6d3763e Merge pull request #212 from laijs/cleanup
Simple Cleanups
2015-08-19 20:16:21 -07:00
Mrunal Patel e98d8e8ae2 Merge pull request #213 from laijs/error-message
richer information error message for terminal
2015-08-19 20:15:19 -07:00
Lai Jiangshan 29ced936a6 richer information error message for terminal
When we use ```cat | runc``` or ```runc /dev/stdin < config.json```,
it will fail and output ```FATA[0000] Container start failed: inappropriate ioctl for device```.
It is hard for the users to find out the reason from the message:
the config.json enables the terminal but the user redirects the stdin
to a non-terminal file.

After this patch, the output will be
```FATA[0000] Container start failed: Failed to set the terminal from the stdin: inappropriate ioctl for device```
So the user can disable the terminal in the config.json.

See the #202

Cc: W. Trevor King <wking@tremily.us> (@wking)
Signed-off-by: Lai Jiangshan <jiangshanlai@gmail.com>
2015-08-20 08:25:40 +08:00
Lai Jiangshan e48363d777 simplify a variable declaration
Signed-off-by: Lai Jiangshan <jiangshanlai@gmail.com>
2015-08-20 08:21:44 +08:00
Tonis Tiigi 47f294d0ed Add exec command
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2015-08-19 12:01:38 -07:00
Michael Crosby 2b9673deb9 Merge pull request #211 from mrunalp/sec_integration
Integrate security settings
2015-08-19 11:52:57 -07:00
rajasec 0c0dedd73c Restore container cleanup
Signed-off-by: rajasec <rajasec79@gmail.com>
2015-08-19 15:00:57 +05:30
Mrunal Patel 31f88daf91 Integrate security settings
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2015-08-18 20:10:23 -04:00
Mrunal Patel d6ae10ada4 Merge pull request #193 from tonistiigi/update-device-specs
Update device specs
2015-08-18 14:30:54 -07:00
Mrunal Patel ca8831fa75 Merge pull request #183 from rajasec/securityfs
Adding securityfs mount
2015-08-18 14:24:38 -07:00
Mrunal Patel c20bda3f71 Merge pull request #206 from mountkin/ensure-cleanup
Ensure the cleanup jobs in the deferrer are executed on error
2015-08-18 14:16:31 -07:00
Michael Crosby b0ca535f75 Merge pull request #194 from LK4D4/fix_cgroups_again
Fix cgroups again
2015-08-18 13:49:31 -07:00
Michael Crosby c6b6be21c5 Merge pull request #199 from clnperez/ifrdatabyte-sign-pr
Fixing netlink build error on ppc64le with gccgo
2015-08-18 13:48:59 -07:00
Michael Crosby face52c223 Merge pull request #204 from tonistiigi/pause-unpause
Add pause/resume commands
2015-08-18 13:40:51 -07:00
Tonis Tiigi bc38c9d1b0 Add pause/resume commands
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2015-08-18 13:37:36 -07:00
Mrunal Patel 4a478a9775 Merge pull request #209 from rajasec/tmpfsunmount
make localtest fills up /tmp with /tmp/libcontainer
2015-08-18 10:24:44 -07:00
Mrunal Patel ee3ebc9842 Merge pull request #197 from laijs/kill-default
Add the default signal (SIGTERM) for runc kill
2015-08-17 20:28:49 -07:00
rajasec 8cdc409715 Fixing tmpfs
Signed-off-by: rajasec <rajasec79@gmail.com>
2015-08-17 06:22:48 +05:30
Shijiang Wei f0679089b9 Ensure the cleanup jobs in the deferrer are executed on error
Signed-off-by: Shijiang Wei <mountkin@gmail.com>
2015-08-16 12:29:04 +08:00
Michael Chase-Salerno 9bc81d1699 Fixing netlink build error on ppc64le with gccgo
Again. It looks like a build tag was somehow dropped between
the PR here: https://github.com/docker/libcontainer/pull/625
and the move to runc.

Signed-off-by: Christy Perez <clnperez@linux.vnet.ibm.com>
2015-08-13 17:52:47 -05:00
Matthew Heon a6b73dbc73 Remove Seccomp build tag to fix godep
Signed-off-by: Matthew Heon <mheon@redhat.com>
2015-08-13 15:23:43 -04:00
Lai Jiangshan 6abd42c1b6 Add the default signal (SIGTERM) for runc kill
Signed-off-by: Lai Jiangshan <jiangshanlai@gmail.com>
2015-08-13 23:42:54 +08:00
Matthew Heon 59264040bd Update tests to not error on library v2.2.0 and lower
As v2.1.0 is no longer required for successful testing, do not build it in the
Dockerfile - instead just use the version Ubuntu ships.

Signed-off-by: Matthew Heon <mheon@redhat.com>
2015-08-13 09:36:21 -04:00
Matthew Heon 8da24a5447 Update vendored Libseccomp bindings
Signed-off-by: Matthew Heon <mheon@redhat.com>
2015-08-13 09:36:09 -04:00
Matthew Heon 2ae581ae62 Convert Seccomp support to use Libseccomp
This removes the existing, native Go seccomp filter generation and replaces it
with Libseccomp. Libseccomp is a C library which provides architecture
independent generation of Seccomp filters for the Linux kernel.

This adds a dependency on v2.2.1 or above of Libseccomp.

Signed-off-by: Matthew Heon <mheon@redhat.com>
2015-08-13 07:56:27 -04:00
Mrunal Patel 744a6b0e7b Merge pull request #196 from laijs/simplify-return
Simplify the return on process wait
2015-08-12 21:17:35 -07:00
Lai Jiangshan e8817e1104 Simplify the return on process wait
Simplify the code introduced by the commit d1f0d5705deb:
    Return actual ProcessState on Wait error

Cc: Alexander Morozov <lk4d4@docker.com>
Signed-off-by: Lai Jiangshan <jiangshanlai@gmail.com>
2015-08-12 22:37:34 +08:00
Alexander Morozov 2b28b3c276 Always use cgroup root of current process
Because for host PID namespace /proc/1/cgroup can point to a whole other
world of cgroups.

Signed-off-by: Alexander Morozov <lk4d4@docker.com>
2015-08-11 18:04:59 -07:00
Alexander Morozov 5aa6005498 Revert "Fix cgroup parent searching"
This reverts commit 2f9052ca29.

Signed-off-by: Alexander Morozov <lk4d4@docker.com>
2015-08-11 18:04:55 -07:00
Tonis Tiigi b5eed4a246 Update runc to use device structs from updated spec
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2015-08-11 14:24:00 -07:00
Tonis Tiigi 0f99c20fd0 Update specs
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2015-08-11 13:50:57 -07:00
Alexander Morozov 15c709ed73 Merge pull request #192 from fabiokung/cgroup-per-container
container id is the cgroup name
2015-08-10 20:40:57 -07:00
Fabio Kung 85f40c2bc7 container id is the cgroup name
Without this, multiple runc containers can accidentally share the same cgroup(s)
(and change each other's limits), when runc is invoked from the same directory
(i.e.: same cwd on multiple runc executions).

After these changes, each runc container will run on its own cgroup(s). Before,
the only workaround was to invoke runc from a unique (temporary?) cwd for each
container.

Common cgroup configuration (and hierarchical limits) can be set by having
multiple runc containers share the same cgroup parent, which is the cgroup of
the process executing runc.

Signed-off-by: Fabio Kung <fabio.kung@gmail.com>
2015-08-10 16:41:39 -07:00