Since Linux 4.3, ambient capabilities are available. If set, these allow unprivileged child
processes to inherit capabilities, whereas at present there is no means to set capabilities
on non-root processes other than via filesystem capabilities, which are not usually
supported in image formats.
With ambient capabilities, non-root processes can be given capabilities as well, and so
the main reason to use root in containers goes away, and capabilities work as expected.
The code falls back to the existing behaviour if ambient capabilities are not supported.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
`grep -r "range map"` shows 3 places that use a map to
range over enum types; using a slice instead gives
better performance and less memory usage.
Signed-off-by: Peng Gao <peng.gao.dut@gmail.com>
For example, the /sys/firmware directory should be masked because it can contain some sensitive files:
- /sys/firmware/acpi/tables/{SLIC,MSDM}: Windows license information
- /sys/firmware/ibft/target0/chap-secret: iSCSI CHAP secret
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
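The commit above motivates masking /sys/firmware. As an added example (not runc's own code), the following Go check parses an OCI runtime `config.json` and reports which of the sensitive firmware paths named in the commit message are not covered by `linux.maskedPaths`. The two sample configs are constructed for the example; the path list is the one given in the commit message.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path"
	"strings"
)

// ociConfig is the subset of an OCI runtime config.json needed for this check.
type ociConfig struct {
	Linux struct {
		MaskedPaths []string `json:"maskedPaths"`
	} `json:"linux"`
}

// sensitivePaths are the host paths under /sys/firmware named in the commit
// message; leaving them visible leaks licensing data or an iSCSI CHAP secret.
var sensitivePaths = []string{
	"/sys/firmware/acpi/tables/SLIC",
	"/sys/firmware/acpi/tables/MSDM",
	"/sys/firmware/ibft/target0/chap-secret",
}

// covered reports whether p is itself masked or lies under a masked directory.
func covered(p string, masked []string) bool {
	p = path.Clean(p)
	for _, m := range masked {
		m = path.Clean(m)
		if p == m || strings.HasPrefix(p, m+"/") {
			return true
		}
	}
	return false
}

// unmaskedSensitive parses config.json bytes and returns the sensitive paths
// that linux.maskedPaths does not cover (nil when everything is masked).
func unmaskedSensitive(configJSON []byte) ([]string, error) {
	var cfg ociConfig
	if err := json.Unmarshal(configJSON, &cfg); err != nil {
		return nil, fmt.Errorf("parsing config: %w", err)
	}
	var exposed []string
	for _, p := range sensitivePaths {
		if !covered(p, cfg.Linux.MaskedPaths) {
			exposed = append(exposed, p)
		}
	}
	return exposed, nil
}

// Constructed sample configs for the example; not taken from any real runtime.
const maskedConfig = `{"linux":{"maskedPaths":["/proc/kcore","/sys/firmware"]}}`
const unmaskedConfig = `{"linux":{"maskedPaths":["/proc/kcore"]}}`

func main() {
	for _, c := range []string{maskedConfig, unmaskedConfig} {
		exposed, err := unmaskedSensitive([]byte(c))
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%s\n  exposed: %v\n", c, exposed)
	}
}
```

Masking the whole /sys/firmware directory, as the commit suggests, covers every path listed; masking only individual files would have to be revisited whenever new sensitive entries appear under it.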
The cgroupData.join method, using `WriteCgroupProc` to place the pid into
the proc file, can avoid attaching any pid to the cgroup if -1 is
specified as the pid.
So, replace `writeFile` with `WriteCgroupProc`, like `cpuset.go`'s
ApplyDir method.
Signed-off-by: Wang Long <long.wanglong@huawei.com>
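To make the -1 behaviour concrete, here is an added Go illustration (not runc's `WriteCgroupProc` itself) of a cgroup.procs writer that skips the write when the pid is -1, exercised against a temporary directory instead of a real cgroup mount. The function names `writeCgroupProc` and `attachedPid` are assumptions for the example.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strconv"
)

// writeCgroupProc writes pid to <dir>/cgroup.procs. When pid is -1 it writes
// nothing, so no process is attached to the cgroup; writing the literal "-1"
// to a real cgroup.procs would be rejected by the kernel. Added example,
// modelled on the behaviour the commit message describes.
func writeCgroupProc(dir string, pid int) error {
	// An empty dir usually means the subsystem is not mounted; fail loudly
	// rather than writing into the current working directory.
	if dir == "" {
		return fmt.Errorf("no directory given for cgroup.procs")
	}
	if pid == -1 {
		return nil
	}
	procs := filepath.Join(dir, "cgroup.procs")
	return os.WriteFile(procs, []byte(strconv.Itoa(pid)), 0o700)
}

// attachedPid reads back cgroup.procs; it returns -1 when nothing was written.
func attachedPid(dir string) (int, error) {
	b, err := os.ReadFile(filepath.Join(dir, "cgroup.procs"))
	if os.IsNotExist(err) {
		return -1, nil
	}
	if err != nil {
		return 0, err
	}
	return strconv.Atoi(string(b))
}

func main() {
	dir, err := os.MkdirTemp("", "cgroup-example")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)

	// pid -1: nothing is written, nothing is attached.
	if err := writeCgroupProc(dir, -1); err != nil {
		panic(err)
	}
	pid, _ := attachedPid(dir)
	fmt.Println("after -1:", pid)

	// a real pid is written as-is.
	if err := writeCgroupProc(dir, 4242); err != nil {
		panic(err)
	}
	pid, _ = attachedPid(dir)
	fmt.Println("after 4242:", pid)
}
```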
If a container's state is running or created, the container.Pause()
method can set the state to pausing, and then paused.
This patch updates the comment so it is consistent with the code.
Signed-off-by: Wang Long <long.wanglong@huawei.com>
This patch enhances the `runc delete` command as follows:
1) when `runc delete` is run without a container id
```
$ runc delete
runc: "delete" requires a minimum of 1 argument
```
2) we can delete more than one container in one command,
for example:
```
$ runc list
ID PID  STATUS  BUNDLE       CREATED
a  8490 created /mycontainer 2016-09-18T03:49:32.259760434Z
b  8520 running /mycontainer 2016-09-18T03:49:36.999299944Z
c  8535 created /mycontainer 2016-09-18T03:49:40.975277538Z
d  8549 created /mycontainer 2016-09-18T03:49:42.675282602Z
e  8562 running /mycontainer 2016-09-18T03:49:44.175400931Z
$ runc delete a b cc
cannot delete container b that is not stopped: running
container cc is not exist
$ runc list
ID PID  STATUS  BUNDLE       CREATED
b  8520 running /mycontainer 2016-09-18T03:49:36.999299944Z
c  8535 created /mycontainer 2016-09-18T03:49:40.975277538Z
d  8549 created /mycontainer 2016-09-18T03:49:42.675282602Z
e  8562 running /mycontainer 2016-09-18T03:49:44.175400931Z
$ runc delete -f b c d e
$ runc list
ID PID  STATUS  BUNDLE       CREATED
```
Signed-off-by: Wang Long <long.wanglong@huawei.com>
Currently if a user does a command like
docker run -ti -v /proc:/proc:Z fedora sh
docker: Error response from daemon: operation not supported.
With this fix they should see a much more informative error message.
docker: Error response from daemon: SELinux Relabeling of /proc is not allowed: operation not supported.
Signed-off-by: Dan Walsh <dwalsh@redhat.com>
This will print out the error on stderr when loading a container but
still list everything that was successful.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
The error sent from the child process is already a genericError; if
we don't allow a recursive generic error, we won't get any
cause information from the parent process.
Before, we got:
WARN[0000] exit status 1
ERRO[0000] operation not permitted
After, we got:
WARN[0000] exit status 1
ERRO[0000] container_linux.go:247: starting container process caused "process_linux.go:359: container init caused \"operation not permitted\""
It's not pretty, but it is useful for detecting root causes.
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>