--root invocations make tests harder to read, and they only serve a very
specific purpose. As such, remove them from the `runc update` tests
because they don't serve a purpose.
Signed-off-by: Aleksa Sarai <asarai@suse.de>
On some systems, the cgroup hierarchies are grouped together
(cpu,cpuacct). In order to avoid fake failures, update the cgroup
parsing to just check whether or not the mountinfo options *contain* the
cgroup type.
Signed-off-by: Aleksa Sarai <asarai@suse.de>
Fix the following warnings when building runc with gcc 6+:
Godeps/_workspace/src/github.com/opencontainers/runc/libcontainer/nsenter/nsexec.c:
In function ‘nsexec’:
Godeps/_workspace/src/github.com/opencontainers/runc/libcontainer/nsenter/nsexec.c:322:6:
warning: ‘__s’ may be used uninitialized in this function
[-Wmaybe-uninitialized]
pr_perror("Failed to open %s", ns);
Godeps/_workspace/src/github.com/opencontainers/runc/libcontainer/nsenter/nsexec.c:273:30:
note: ‘__s’ was declared here
static struct nsenter_config process_nl_attributes(int pipenum, char
*data, int data_size)
^~~~~~~~~~~~~~~~~~~~~
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
Signed-off-by: rajasec <rajasec79@gmail.com>
Adding kernel mem tcp for update command
Signed-off-by: rajasec <rajasec79@gmail.com>
Fixing update.bats to reduce the TCP value
Signed-off-by: rajasec <rajasec79@gmail.com>
Updated the kernelTCP in bats as per json
Signed-off-by: rajasec <rajasec79@gmail.com>
Fixed some minor issue in bats file
Signed-off-by: rajasec <rajasec79@gmail.com>
Rounded off to right bytes for kernel TCP
Signed-off-by: rajasec <rajasec79@gmail.com>
Updating man file for update command
Signed-off-by: rajasec <rajasec79@gmail.com>
Enable the full test suite to run on `make test`. They also all run
inside a Docker container for maximum reproducibility.
Signed-off-by: Aleksa Sarai <asarai@suse.de>
`libcontainer/cgroups/utils.go` uses an incorrect path to the
documentation for cgroups. This updates the comment to use the correct
URL. Fixes#794.
Signed-off-by: Jim Berlage <james.berlage@gmail.com>
See https://github.com/docker/docker/issues/22252
Previously we would apply seccomp rules before applying
capabilities, because it requires CAP_SYS_ADMIN. This
however means that a seccomp profile needs to allow
operations such as setcap() and setuid() which you
might reasonably want to disallow.
If prctl(PR_SET_NO_NEW_PRIVS) has been applied however
setting a seccomp filter is an unprivileged operation.
Therefore if this has been set, apply the seccomp
filter as late as possible, after capabilities have
been dropped and the uid set.
Note a small number of syscalls will take place
after the filter is applied, such as `futex`,
`stat` and `execve`, so these still need to be allowed
in addition to any the program itself needs.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
This adds specific types and improves the json format for the marshaled
structure so that it is inline with the output that the spec produce,
camelCase not snake_case.
This should be the last change needed for people to really depend on the
output of this command and ensure that it does not change with any
internal changes instead of just marshaling the libcontainer structure.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Michael Crosby
Mrunal Patel
Aleksa Sarai
Qiang Huang
Peng Gao
Antonio Murdaca
Kenfe-Mickael Laventure
rajasec
Aleksa Sarai
Mrunal Patel
Dan Walsh
Jim Berlage
Bryan Boreham
Justin Cormack