This document specifies the current container specification with all the
underlying setup and configuration that goes into making a container.
This is the v1 spec that is today but allows for flexability when we
introduce more features such as seccomp default profiles and more.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Adds a new item to the config struct []*Rlimit
Rlimit takes a type (ie, syscall.RLIMIT_NOFILE) and the hard/soft limit
(As max/cur)
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
SELinux supports a call that tells the kernel, from this point onward
create content with this label. If you pass "", the kernel will
go back to the default.
Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)
Writing to this file within /sys is casuing some issues for
older kernels, specifically with 2.6.xx, where the write is failing
because /sys is becoming ro. We will continue to work on the 2.6 issues
but for the time being we cannot ship this with it enabled as it's
breaking all container runs.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Currently if we don't use --cpuset, the cpuset cgroup is not
created, it's bad if we want to modify cpuset config subsequently,
change the behavior to make it right.
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
There is no reason to have a special type returned from the cgroups
Apply function for getting the paths and cleanup. With access to the
paths we can just delete what we need.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Because we are using the paths that are created when we initially setup
cgroups for a container we no longer have to dynamically generates them
when a user requests stats. This allows us to fully use the fs stats
code without having system create it's paths.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Besides possible other problems 16bit UIDs might be disabled by the kernel
configuration on Linux for ARM (see CONFIG_UID16).
Signed-off-by: Alexander Holler <holler@ahsoftware.de>
because `LoadContainerEnvironment` is already run, os.Environ() will return the
correct environment variables for the exec command (i.e. removed duplicated
envs, set HOME for user etc...)
Docker-DCO-1.1-Signed-off-by: Daniel, Dao Quang Minh <dqminh89@gmail.com> (github: dqminh)
This patch adds an os/user-like user lookup API, implemented in pure Go.
It also has some features not present in the standard library
implementation (such as group lookups).
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com> (github: cyphar)
This patch refactors most of GetUserGroupSupplementaryHome and its
signature, to make using it much simpler. The private parsing ftunctions
have also been exposed (parsePasswdFile, parseGroupFile) to allow custom
data source to be used (increasing the versatility of the user/ tools).
In addition, file path wrappers around the formerly private API
functions have been added to make usage of the API for callers easier if
the files that are being parsed are on the filesystem (while the
io.Reader APIs are exposed for non-traditional usecases).
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com> (github: cyphar)
This removes the entire syncpipe package and replaces it with standard
operations on the pipes. The syncpipe type just never felt right and
probably should not have been there.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Mrunal Patel
Michael Crosby
Rohit Jnagal
Michael Crosby
Brian Goff
Milos Gajdos
Yohei Ueda
unclejack
Dan Walsh
Vishnu Kannan
Qiang Huang
Victor Marmol
Donald Huang
Alexander Holler
Daniel, Dao Quang Minh
Hans Rødtang
Mrunal Patel
Aleksa Sarai
Albert Zhang
Alexandr Morozov