jasder
/
runc
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
1,160 Commits 5 Branches 25 Tags 17 MiB
Commit Graph

241 Commits

Author SHA1 Message Date
Michael Crosby 7d1ba0698f Cleanup and rename loadContainer to loadConfig 
Signed-off-by: Michael Crosby <michael@docker.com>
 2014-08-12 12:03:53 -07:00
Michael Crosby 52ba97e3b1 Add ip func example for listing namespace interfaces 
Signed-off-by: Michael Crosby <michael@docker.com>
 2014-08-12 11:52:33 -07:00
Michael Crosby 70367b2cf3 Improve execin to support registering funcs 
This also changes the functionality of the default exec in to just be an
existing func that is called than handles the implementation to exec a
user user's process inside the container.  This implements this
functionallity in nsinit but is a base for how we will be handling these
types of features inside docker.

Signed-off-by: Michael Crosby <michael@docker.com>
 2014-08-12 11:43:12 -07:00
Michael Crosby 51e6049226 Make nsinit package main only 
Signed-off-by: Michael Crosby <michael@docker.com>
 2014-08-12 10:48:12 -07:00
Michael Crosby 9378c05c37 Remove nsinit main calling pkg 
Signed-off-by: Michael Crosby <michael@docker.com>
 2014-08-12 10:45:41 -07:00
Michael Crosby 3abf1dd99e Modify nsinit to register actions for argv 0 
Signed-off-by: Michael Crosby <michael@docker.com>
 2014-08-08 11:16:56 -07:00
Michael Crosby c8aa9323f1 Import nsenter code so that it is compiled into nsinit 
Signed-off-by: Michael Crosby <michael@docker.com>
 2014-08-08 10:43:18 -07:00
Michael Crosby ae9af437f0 After parsing flags check that the command is nsenter 
Signed-off-by: Michael Crosby <michael@docker.com>
 2014-08-07 10:48:29 -07:00
Michael Crosby a48b001013 Refactor execin code to be simpler 
Signed-off-by: Michael Crosby <michael@docker.com>
 2014-08-06 18:44:41 -07:00
Vishnu Kannan 74b99b8dd6 Check for "nsenter" in args before parsing flags. Addressed comments. 
Docker-DCO-1.1-Signed-off-by: Vishnu Kannan <vishnuk@google.com> (github: vishh)
 2014-08-05 22:13:23 +00:00
Vishnu Kannan e5e40b6ef0 Docker 'runin' demands passing flags before 'nsenter' cli option. 
Docker does not require RunIn API. Hence that API has been removed.
nsinit CLI has been modified to work around the nsenter changes.

Docker-DCO-1.1-Signed-off-by: Vishnu Kannan <vishnuk@google.com> (github: vishh)
 2014-08-05 22:13:23 +00:00
Mrunal Patel 7f3bbbb47b Move locking to caller. 
Docker-DCO-1.1-Signed-off-by: Mrunal Patel <mrunalp@gmail.com> (github: mrunalp)
 2014-08-01 19:06:56 -04:00
Michael Crosby 4568ca76c8 Update imports for new docker location 
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@docker.com> (github: crosbymichael)
 2014-07-24 14:28:49 -07:00
Michael Crosby b2337e4860 Fix runin code for nsinit 
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@docker.com> (github: crosbymichael)
 2014-07-22 19:50:00 +00:00
Vishnu Kannan bb85e2b07a 'nsinit exec' now uses namespaces.RunIn instead of namespaces.ExecIn. 
Docker-DCO-1.1-Signed-off-by: Vishnu Kannan <vishnuk@google.com> (github: vishh)
 2014-07-22 19:50:00 +00:00
Vishnu Kannan 1f2828770d Updated RunIn API to match the new console handling behavior in HEAD. 
Docker-DCO-1.1-Signed-off-by: Vishnu Kannan <vishnuk@google.com> (github: vishh)
 2014-07-22 19:49:59 +00:00
Michael Crosby b56aa0658a Don't open slave in parent 
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@docker.com> (github: crosbymichael)
 2014-07-15 18:24:15 -07:00
Michael Crosby 18e12838d6 Add resize of term in tty mode 
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@docker.com> (github: crosbymichael)
 2014-07-15 17:44:18 -07:00
Michael Crosby 43b4258c46 Open with NOCTTY and set raw term 
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@docker.com> (github: crosbymichael)
 2014-07-15 17:29:09 -07:00
Michael Crosby d661720fd7 Remove terminal handling in libcontainer 
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@docker.com> (github: crosbymichael)
 2014-07-15 16:55:11 -07:00
Paul Morie ea6e255f45 Remove unused arg from namespaces.NsEnter 
Docker-DCO-1.1-Signed-off-by: Paul Morie <pmorie@gmail.com> (github: pmorie)
 2014-07-13 17:48:27 -04:00
Michael Crosby 422824c9d8 Move syncpipe into separate package 
This moves the sync pipe into a separate package to help the changes
when moving the API around.

Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@docker.com> (github: crosbymichael)
 2014-07-11 11:06:00 -07:00
Michael Crosby 704a90bec4 Rename package correctly so the binary is nsinit 
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@docker.com> (github: crosbymichael)
 2014-07-08 16:36:59 -07:00
Vishnu Kannan 28dadc538c Separate nsinit main from implementation. This is done inorder to package nsinit as part of docker binary. 
Docker-DCO-1.1-Signed-off-by: Vishnu Kannan <vishnuk@google.com> (github: vishh)
 2014-07-01 22:00:15 +00:00
Michael Crosby 3f0764fa51 Add pause and unpause commands to nsinit 
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@docker.com> (github: crosbymichael)
 2014-06-26 16:45:18 -07:00
Michael Crosby 361ac10612 Just output raw stats json 
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@docker.com> (github: crosbymichael)
 2014-06-26 16:25:55 -07:00
Michael Crosby 21b71ef33d Rename spec to config 
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@docker.com> (github: crosbymichael)
 2014-06-26 16:24:16 -07:00
Vishnu Kannan 813d247bc7 Fixing some nits. 
Docker-DCO-1.1-Signed-off-by: Vishnu Kannan <vishnuk@google.com> (github: vishh)
 2014-06-26 20:49:02 +00:00
Vishnu Kannan edf1e856a0 RuntimeCkpt is now State and the checkpoint file is called state.json. 
Docker-DCO-1.1-Signed-off-by: Vishnu Kannan <vishnuk@google.com> (github: vishh)
 2014-06-25 21:29:04 +00:00
Vishnu Kannan 481552c02b Created a global runtime checkpoint for libcontainer. Got rid of the network specific runtime checkpoint. 
Docker-DCO-1.1-Signed-off-by: Vishnu Kannan <vishnuk@google.com> (github: vishh)
 2014-06-25 19:20:07 +00:00
Vishnu Kannan 9253412ee1 1. Added a basic version of network stats inside network package. 
2. Introducing a new checkpoint file 'network.stats' which will contain the network runtime information (veth interface names for now).
3. Adding network stats to 'nsinit stats'.
4. Added a libcontainer Stats API to get both network and cgroup stats

Docker-DCO-1.1-Signed-off-by: Vishnu Kannan <vishnuk@google.com> (github: vishh)
 2014-06-25 19:19:10 +00:00
Michael Crosby 77dcaac129 Update code based on review comments 
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@docker.com> (github: crosbymichael)
 2014-06-25 11:36:54 -07:00
Michael Crosby 81e5a3f7a7 Replace pid and started file with State type 
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@docker.com> (github: crosbymichael)
 2014-06-25 11:36:54 -07:00
Victor Marmol 60b381e600 Rename Container -> Config. 
Docker-DCO-1.1-Signed-off-by: Victor Marmol <vmarmol@google.com> (github: vmarmol)
 2014-06-23 17:08:15 -07:00
Mrunal Patel 88acda82d9 Add option parsing to nsenter and enable specifying commands with arguments. 
Docker-DCO-1.1-Signed-off-by: Mrunal Patel <mrunalp@gmail.com> (github: mrunalp)
 2014-06-18 14:29:40 -04:00
Michael Crosby 6ab3ef56f4 Update imports for new repository path 2014-06-10 08:14:16 -07:00
Michael Crosby 2d538dc80d Update for nsenter 
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
 2014-06-05 14:31:16 -07:00
Michael Crosby 4e51c8b41f Update nsinit to be nicer to work with and test 
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
 2014-06-05 14:13:02 -07:00
Victor Marmol 944b4434a6 Adding initial version of C-based nsenter for allowing execin in 
libcontainer.

Docker-DCO-1.1-Signed-off-by: Victor Marmol <vmarmol@google.com> (github: vmarmol)
 2014-06-05 00:44:13 +00:00
Michael Crosby ed7f4a0f6d Rename nsinit package to namespaces in libcontainer 
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
 2014-06-04 15:47:57 -07:00
Vishnu Kannan 953f6da166 Adding "stats" and "spec" option to nsinit binary which will print the stats and spec respectively. 
Docker-DCO-1.1-Signed-off-by: Vishnu Kannan <vishnuk@google.com> (github: vishh)
 2014-06-02 06:37:22 +00:00
Victor Vieux d660c31681 Merge pull request #6083 from bernerdschaefer/nsinit-drop-capabilities-after-changing-user 
SETUID/SETGID not required for changing user
 2014-05-28 17:29:17 -07:00
Victor Marmol 83710135b6 Merge pull request #5868 from jhspaybar/5749-libcontainerroutes 
libcontainer support for arbitrary route table entries
 2014-05-28 10:50:56 -07:00
William Thurston d931738466 Fixes #5749 
libcontainer support for arbitrary route table entries

Docker-DCO-1.1-Signed-off-by: William Thurston <me@williamthurston.com> (github: jhspaybar)
 2014-05-28 17:42:02 +00:00
Bernerd Schaefer 864d77dad0 SETUID/SETGID not required for changing user 
It is no longer necessary to pass "SETUID" or "SETGID" capabilities to
the container when a "user" is specified in the config.

Docker-DCO-1.1-Signed-off-by: Bernerd Schaefer <bj.schaefer@gmail.com> (github: bernerdschaefer)
 2014-05-28 16:41:48 +02:00
Michael Crosby 5db18f2d5d Update wait calls to call Wait on Command 
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
 2014-05-27 13:38:24 -07:00
Erik Hollensbe e0b1546d8b libcontainer/nsinit: remove Wait call from Exec and Kill from Attach in tty_term.go 
Docker-DCO-1.1-Signed-off-by: Erik Hollensbe <github@hollensbe.org> (github: erikh)
 2014-05-27 12:26:56 -07:00
Erik Hollensbe 40b9c5564f Add Wait() calls in the appropriate spots 
Docker-DCO-1.1-Signed-off-by: Erik Hollensbe <github@hollensbe.org> (github: erikh)
 2014-05-27 12:26:56 -07:00
Victor Marmol 8d83ef55af Merge pull request #5903 from alexlarsson/writable-proc 
Make /proc writable, but not /proc/sys and /proc/sysrq-trigger
 2014-05-19 12:21:15 -07:00
Alexander Larsson 73c607b7ad Make /proc writable, but not /proc/sys and /proc/sysrq-trigger 
Some applications want to write to /proc. For instance:

docker run -it centos groupadd foo

Gives: groupadd: failure while writing changes to /etc/group

And strace reveals why:

open("/proc/self/task/13/attr/fscreate", O_RDWR) = -1 EROFS (Read-only file system)

I've looked at what other systems do, and systemd-nspawn makes /proc read-write
and /proc/sys readonly, while lxc allows "proc:mixed" which does the same,
plus it makes /proc/sysrq-trigger also readonly.

The later seems like a prudent idea, so we follows lxc proc:mixed.
Additionally we make /proc/irq and /proc/bus, as these seem to let
you control various hardware things.

Docker-DCO-1.1-Signed-off-by: Alexander Larsson <alexl@redhat.com> (github: alexlarsson)
 2014-05-19 20:46:05 +02:00
Victor Marmol 7c1f13e897 Merge pull request #5792 from bernerdschaefer/nsinit-supports-pdeathsig 
Add PDEATHSIG support to nsinit library
 2014-05-19 11:13:23 -07:00
Sridhar Ratnakumar d636e8aa0a fix panic when passing empty environment 
Docker-DCO-1.1-Signed-off-by: Sridhar Ratnakumar <github@srid.name> (github: srid)
 2014-05-16 11:55:34 -07:00
Bernerd Schaefer 98b3daa8dd nsinit.DefaultCreateCommand sets Pdeathsig to SIGKILL 
Docker-DCO-1.1-Signed-off-by: Bernerd Schaefer <bj.schaefer@gmail.com> (github: bernerdschaefer)
 2014-05-16 13:48:41 +02:00
Bernerd Schaefer 1c33652c66 nsinit.Init() restores parent death signal before exec 
Docker-DCO-1.1-Signed-off-by: Bernerd Schaefer <bj.schaefer@gmail.com> (github: bernerdschaefer)
 2014-05-16 13:48:41 +02:00
Michael Crosby 3ce347c35f Move cgroups package into libcontainer 
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
 2014-05-14 15:21:44 -07:00
Bernerd Schaefer edbe7cc547 "nsinit exec ..." forwards signals to container 
Docker-DCO-1.1-Signed-off-by: Bernerd Schaefer <bj.schaefer@gmail.com> (github: bernerdschaefer)
 2014-05-14 11:01:02 +02:00
Michael Crosby 68de553fca Merge pull request #5630 from rjnagal/libcontainer-fixes 
Check supplied hostname before using it.
 2014-05-06 09:49:52 -07:00
Michael Crosby 6c1bf629ef Improve libcontainer namespace and cap format 
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
 2014-05-05 12:34:21 -07:00
Rohit Jnagal 2499d43325 Check supplied hostname before using it. 
Docker-DCO-1.1-Signed-off-by: Rohit Jnagal <jnagal@google.com> (github: rjnagal)
 2014-05-05 18:12:25 +00:00
Michael Crosby da71a207cb Don't restrict lxc because of apparmor 
We don't have the flexibility to do extra things with lxc because it is
a black box and most fo the magic happens before we get a chance to
interact with it in dockerinit.
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
 2014-05-02 11:14:24 -07:00
Michael Crosby 08dbd53706 Apply apparmor before restrictions 
There is not need for the remount hack, we use aa_change_onexec so the
apparmor profile is not applied until we exec the users app.
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
 2014-05-01 19:09:12 -07:00
Michael Crosby df78075a8e Update restrictions for better handling of mounts 
This also cleans up some of the left over restriction paths code from
before.
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
 2014-05-01 15:26:58 -07:00
Michael Crosby dcc4061db3 Update to enable cross compile 
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
 2014-05-01 15:26:58 -07:00
Jérôme Petazzoni 5a6b042e53 Mount /proc and /sys read-only, except in privileged containers. 
It has been pointed out that some files in /proc and /sys can be used
to break out of containers. However, if those filesystems are mounted
read-only, most of the known exploits are mitigated, since they rely
on writing some file in those filesystems.

This does not replace security modules (like SELinux or AppArmor), it
is just another layer of security. Likewise, it doesn't mean that the
other mitigations (shadowing parts of /proc or /sys with bind mounts)
are useless. Those measures are still useful. As such, the shadowing
of /proc/kcore is still enabled with both LXC and native drivers.

Special care has to be taken with /proc/1/attr, which still needs to
be mounted read-write in order to enable the AppArmor profile. It is
bind-mounted from a private read-write mount of procfs.

All that enforcement is done in dockerinit. The code doing the real
work is in libcontainer. The init function for the LXC driver calls
the function from libcontainer to avoid code duplication.

Docker-DCO-1.1-Signed-off-by: Jérôme Petazzoni <jerome@docker.com> (github: jpetazzo)
 2014-05-01 15:26:58 -07:00
Michael Crosby 568ee3ea63 Make native driver use Exec func with different CreateCommand 
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
 2014-04-30 18:49:24 -07:00
Michael Crosby af37dd5b4f Fix execin with environment and Enabled support 
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
 2014-04-30 18:24:47 -07:00
Michael Crosby d6ea76a53e Integrate new structure into docker's native driver 
This duplicates some of the Exec code but I think it it worth it because
the native driver is more straight forward and does not have the
complexity have handling the type issues for now.
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
 2014-04-30 18:20:01 -07:00
Michael Crosby 44636dd863 Remove command factory and NsInit interface from libcontainer 
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
 2014-04-30 17:55:15 -07:00
Michael Crosby 55ae447a9d Export more functions from libcontainer 
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
 2014-04-30 17:18:07 -07:00
Michael Crosby 68690eecdb Split term files to make it easier to manage 
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
 2014-04-30 17:04:24 -07:00
Michael Crosby b4f098e706 Export syncpipe fields 
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
 2014-04-30 17:02:45 -07:00
Michael Crosby dcd57b8b41 Remove statewriter interface, export more libcontainer funcs 
This temp. expands the Exec method's signature but adds a more robust
way to know when the container's process is actually released and begins
to run.  The network interfaces are not guaranteed to be up yet but this
provides a more accurate view with a single callback at this time.
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
 2014-04-30 15:52:40 -07:00
Michael Crosby 44b79ef817 Export SetupUser 
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
 2014-04-30 15:27:59 -07:00
Michael Crosby 30da95051a Remove logger from nsinit struct 
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
 2014-04-30 15:24:18 -07:00
Guillaume J. Charmes 3ceb5e32c5 Merge pull request #5448 from crosbymichael/selinux-defaults 
Add selinux label support for processes and mount
 2014-04-30 14:14:39 -07:00
Michael Crosby d8554248b0 Merge pull request #5464 from tianon/close-leftover-fds 2014-04-30 12:27:52 -07:00
Tianon Gravi 187b637515 Close extraneous file descriptors in containers 
Without this patch, containers inherit the open file descriptors of the daemon, so my "exec 42>&2" allows us to "echo >&42 some nasty error with some bad advice" directly into the daemon log. :)

Also, "hack/dind" was already doing this due to issues caused by the inheritance, so I'm removing that hack too since this patch obsoletes it by generalizing it for all containers.

Docker-DCO-1.1-Signed-off-by: Andrew Page <admwiggin@gmail.com> (github: tianon)
 2014-04-29 16:45:28 -06:00
Michael Crosby 71bac2ca67 Initial work on selinux patch 
This has every container using the docker daemon's pid for the processes
label so it does not work correctly.
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
 2014-04-29 03:40:05 -07:00
Victor Vieux d5951041df Merge pull request #5449 from tianon/remove-libcontainer-root-special-case 
Remove "root" and "" special cases in libcontainer
 2014-04-28 16:29:08 -07:00
Rohit Jnagal eb9c9cabcb Merge branch 'master' into libcontainer-fixes 
Conflicts:
	pkg/libcontainer/README.md
	pkg/libcontainer/container.json

Docker-DCO-1.1-Signed-off-by: Rohit Jnagal <jnagal@google.com> (github: rjnagal)
 2014-04-28 23:04:04 +00:00
Tianon Gravi a2efe18fb8 Remove "root" and "" special cases in libcontainer 
These are unnecessary since the user package handles these cases properly already (as evidenced by the LXC backend not having these special cases).

I also updated the errors returned to match the other libcontainer error messages in this same file.

Also, switching from Setresuid to Setuid directly isn't a problem, because the "setuid" system call will automatically do that if our own effective UID is root currently: (from `man 2 setuid`)

    setuid() sets the effective user ID of the calling process.  If the
    effective UID of the caller is root, the real UID and saved set-user-
    ID are also set.

Docker-DCO-1.1-Signed-off-by: Andrew Page <admwiggin@gmail.com> (github: tianon)
 2014-04-28 16:46:03 -06:00
Rohit Jnagal 8593067f40 Fix typos in nsinit logs. 
Docker-DCO-1.1-Signed-off-by: Rohit Jnagal <jnagal@google.com> (github: rjnagal)
 2014-04-25 00:20:14 +00:00
Michael Crosby 1cac3510ce Update init for new apparmor import path 
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
 2014-04-24 10:35:20 -07:00
Michael Crosby 39efc20b0f Move capabilities into security pkg 
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
 2014-04-24 10:35:20 -07:00
Michael Crosby d4ea33bf43 Move rest of console functions to pkg 
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
 2014-04-24 10:35:20 -07:00
Michael Crosby 9cb39c7274 Refactor mounts into pkg to make changes easier 
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
 2014-04-24 10:35:20 -07:00
Michael Crosby b589e619aa Move console into its own package 
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
 2014-04-24 10:35:20 -07:00
Michael Crosby 772023089b Mount over dev and only copy allowed nodes in 
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
 2014-04-24 10:35:20 -07:00
Michael Crosby d001be23ca No not mount sysfs by default for non privilged containers 
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
 2014-04-24 10:35:20 -07:00
Michael Crosby 4d2d63546b Add restrictions to proc in libcontainer 
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
 2014-04-24 10:35:19 -07:00
Michael Crosby 2ded58e3da Move apparmor into security sub dir 
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
 2014-04-24 10:35:19 -07:00
Guillaume J. Charmes a10479fef7 Merge pull request #5328 from crosbymichael/refactor-cgroups 
Refactor cgroups into subsystems and support metrics
 2014-04-21 14:06:17 -07:00
Michael Crosby ad442c6e36 Move raw cgroups into fs package (filesystem) 
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
 2014-04-18 21:34:26 -07:00
Michael Crosby 21d9b9a86a Move systemd code into pkg 
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
 2014-04-18 21:30:08 -07:00
Michael Crosby 956cdea49f Refactor cgroups file locations 
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
 2014-04-18 21:14:58 -07:00
Michael Crosby 613c48e3dd Move apparmor to top level pkg 
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
 2014-04-13 23:33:25 +00:00
Michael Crosby c4222aca03 Change shm mode to 1777 
Fixes #5126
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
 2014-04-09 10:53:32 +00:00
Michael Crosby 471098f7cc Ensure that ro mounts are remounted 
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
 2014-04-07 18:23:22 -07:00
Michael Crosby 89db8365b8 Remove loopback setup for native driver 
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
 2014-04-02 13:12:52 +00:00
Victor Vieux 23f80b4d97 Merge pull request #4953 from rhatdan/selinux 
These two patches should fix problems we see with running docker in the wild.
 2014-04-02 16:36:41 -07:00