Commit Graph

1179 Commits

Author SHA1 Message Date
Andrey Vagin df52d63854 namespaces: send config, network state and other arguments in one packet
Signed-off-by: Andrey Vagin <avagin@openvz.org>
2015-01-30 10:38:35 +03:00
Mrunal Patel e31ef02610 Merge pull request #351 from avagin/api-rebase-2
Merge remote-tracking branch 'origin/master' into api-rebase
2015-01-29 19:20:09 -08:00
Victor Marmol 3c52181f61 Merge pull request #353 from LK4D4/update_dbus
Update github.com/godbus/dbus to v2
2015-01-29 15:46:05 -08:00
Alexander Morozov 689e8ec949 Update github.com/godbus/dbus to v2
Signed-off-by: Alexander Morozov <lk4d4@docker.com>
2015-01-29 15:35:22 -08:00
Rohit Jnagal 2fac2dad91 Merge pull request #341 from shishir-a412ed/master
Created man page for nsinit
2015-01-29 14:00:07 -08:00
Shishir Mahajan e9f8f8528a Created man page for nsinit
Signed-off-by: Shishir Mahajan <shishir.mahajan@redhat.com>
2015-01-29 16:33:08 -05:00
Victor Marmol c37b9125ec Merge pull request #344 from hqhq/hq_fix_systemd_device
cgroups: always create device cgroup on systemd
2015-01-29 11:39:07 -08:00
Andrey Vagin ca633b2f29 Merge remote-tracking branch 'origin/master' into api
Signed-off-by: Andrey Vagin <avagin@openvz.org>
2015-01-28 14:37:40 +03:00
Michael Crosby 904bae3247 Merge pull request #348 from avagin/api-nsexec
nsenter: remove a proxy process
2015-01-26 13:08:02 -08:00
Michael Crosby e05f807a89 Merge pull request #349 from LK4D4/replace_wait_for_wait4
Use Wait4 instead of cmd.Wait
2015-01-26 13:07:54 -08:00
Alexander Morozov 39fbf0a904 Use cmd.Process.Wait instead of cmd.Wait
Issue with cmd.Wait is that it is waiting for closing pipes and if we
have forked processes which inherited pipes from parent, then we need to
kill them to unblock cmd.Wait.

Should fix docker/docker#10303

Now idea is next:
- cmd.Process.Wait for init process dead
- Kill remaining processes in cgroup (pipes closed as side effect)
- use cmd.Wait for waiting pipes flushed to client

Signed-off-by: Alexander Morozov <lk4d4@docker.com>
2015-01-26 12:54:52 -08:00
Andrey Vagin 8d8242aa8a nsenter: add tests
Signed-off-by: Andrey Vagin <avagin@openvz.org>
2015-01-26 23:12:50 +03:00
Andrey Vagin 82367938b7 nsenter: remove a proxy process
Currently nsexec() creates a proxy process to enter into a pid namespace.
It isn't good, because we need to proxy an exit code and signals.
We can use CLONE_PARENT to fork a process with the right parent.

Signed-off-by: Andrey Vagin <avagin@openvz.org>
2015-01-26 23:12:50 +03:00
Andrey Vagin 11b2dab1c5 nsenter: add a macros to print errors
Signed-off-by: Andrey Vagin <avagin@openvz.org>
2015-01-26 19:44:44 +03:00
Andrey Vagin e77b238a83 namespaces: don't send a container config twice
Signed-off-by: Andrey Vagin <avagin@openvz.org>
2015-01-26 19:44:44 +03:00
Mrunal Patel 045e9ae4a0 Merge pull request #347 from guoxiuyan/master
Fix a minor typo
2015-01-25 18:44:12 -08:00
guoxiuyan 7d9244eab2 Fix a minor typo
Signed-off-by: Guo Xiuyan <guoxiuyan@huawei.com>
2015-01-26 09:41:22 +08:00
Mrunal Patel cab4b9bce1 Merge pull request #345 from fabiokung/allow-readonly-rootfs
Support read-only root filesystems
2015-01-22 16:02:57 -08:00
Fabio Kung 2a452c17aa Support read-only root filesystems
The only place I could find where libcontainer tries to write to the
container's root FS is when setting up the pivot dir, to be used on
pivot_root(2).

This makes the pivot base dir configurable, so a read-only FS can be
used as root FS of containers. Users can then specify a writeable
subpath to be used as pivot inside the container.

Signed-off-by: Fabio Kung <fabio@heroku.com> (github: fabiokung)
2015-01-22 13:58:41 -08:00
Qiang Huang 46573774a2 cgroups: simplify the join_memory check
If c.Memory=0, there is no point to set memoryswap.

Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2015-01-22 12:19:40 +08:00
Qiang Huang c4821b6f3e cgroups: always create device cgroup on systemd
This is the same behavior as fs does.

Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2015-01-22 09:53:30 +08:00
Daniel, Dao Quang Minh eb84dd1b73 add dqminh as maintainer
Signed-off-by: Daniel, Dao Quang Minh <dqminh89@gmail.com>
2015-01-21 20:37:37 -05:00
Mrunal Patel fae3abdadd Merge pull request #342 from avagin/api-next
new-api: implement Wait, WaitProcess
2015-01-21 16:59:05 -08:00
Andrew Vagin 61fef16f4a new-api: implement Wait, WaitProcess
Signed-off-by: Andrew Vagin <avagin@openvz.org>
2015-01-21 18:46:01 +03:00
Andrey Vagin e79e87e426 cgroup/systemd: set config.Cgroups.Freezer
Signed-off-by: Andrey Vagin <avagin@openvz.org>
2015-01-21 18:46:00 +03:00
Andrey Vagin 6fc1dd5f25 integration: check a container state after resuming the CT
Otherwise CT will be left in a frozen state in a fail case

Signed-off-by: Andrey Vagin <avagin@openvz.org>
2015-01-21 18:46:00 +03:00
Andrey Vagin 5162e5a81c integration: check container.Processes()
Signed-off-by: Andrey Vagin <avagin@openvz.org>
2015-01-21 18:46:00 +03:00
Andrey Vagin 10f0ac2921 new-api: remove nsenter.c
Signed-off-by: Andrey Vagin <avagin@openvz.org>
2015-01-21 18:46:00 +03:00
Andrey Vagin f0c20b5601 new-api: remove DefaultCreateCommand()
Signed-off-by: Andrew Vagin <avagin@openvz.org>
2015-01-21 18:45:57 +03:00
Michael Crosby 3fbf185602 Merge pull request #337 from hqhq/hq_add_blkio_weight
add support for blkio.weight
2015-01-20 10:40:12 -08:00
Michael Crosby 5847aacb32 Merge pull request #340 from mrunalp/check_ns_flags
Checks namespace flags for user ns code path.
2015-01-20 10:39:23 -08:00
Mrunal Patel bde8bf2ebc Adds namespace flag checks to userns setup.
Signed-off-by: Mrunal Patel <mrunalp@gmail.com> (github: mrunalp)
2015-01-20 13:26:59 -05:00
Mrunal Patel 107bad0ee5 Adds namespace flag checks for userns code path in init.
Signed-off-by: Mrunal Patel <mrunalp@gmail.com> (github: mrunalp)
2015-01-20 13:26:20 -05:00
Mrunal Patel 9303a8f15f Merge pull request #324 from avagin/namespaces
namespace: don't change namespaces which do not belong to the CT
2015-01-20 09:31:24 -08:00
Andrey Vagin ef73d7e235 namespace: don't change namespaces which do not belong to the CT
An error is reported if a config file contains configuration for
shared namespaces.

Signed-off-by: Andrey Vagin <avagin@openvz.org>
2015-01-20 15:05:00 +03:00
Mrunal Patel c70b6812b5 Merge pull request #339 from avagin/api-freezer
new-api: implement Pause() and Resume()
2015-01-19 15:17:45 -08:00
Alexander Morozov b89cd0cf5c Merge pull request #304 from mrunalp/feature/user_namespaces
Adds user namespace support to libcontainer
2015-01-19 11:55:20 -08:00
Mrunal Patel b0eece8d7d Adds support for User Namespaces.
Signed-off-by: Mrunal Patel <mrunalp@gmail.com> (github: mrunalp)

Adds sample configuration to test user namespaces.
Signed-off-by: Mrunal Patel <mrunalp@gmail.com> (github: mrunalp)

Rebases to master.
Signed-off-by: Mrunal Patel <mrunalp@gmail.com> (github: mrunalp)

Fixes integration tests.
Signed-off-by: Mrunal Patel <mrunalp@gmail.com> (github: mrunalp)

Move selinux labeling, apparmor profile and restrict kernel files back to init.

Signed-off-by: Mrunal Patel <mrunalp@gmail.com> (github: mrunalp)

Separate the code paths for userns and default cases.

Signed-off-by: Mrunal Patel <mrunalp@gmail.com> (github: mrunalp)

tty not required for setup

Signed-off-by: Mrunal Patel <mrunalp@gmail.com> (github: mrunalp)

Cleanup and address review comments.

Signed-off-by: Mrunal Patel <mrunalp@gmail.com> (github: mrunalp)

Remove debug logs and other cleanup.

Signed-off-by: Mrunal Patel <mrunalp@gmail.com> (github: mrunalp)

Use function parameters for SetupContainer.

Signed-off-by: Mrunal Patel <mrunalp@gmail.com> (github: mrunalp)
2015-01-19 14:50:21 -05:00
Andrey Vagin 5138417f80 integration: add test to check Pause and Resume operations
Signed-off-by: Andrey Vagin <avagin@openvz.org>
2015-01-19 22:25:52 +03:00
Mrunal Patel eb74393a3d Merge pull request #338 from avagin/fixes
cgroups: set a freezer state before calling FreezerGroup.Set()
2015-01-19 09:33:08 -08:00
Andrey Vagin e451df796a namespace: don't create needless namespaces
A non-zero Path field for a namespace says that a process should attach to an
existing namespace, so the process can be forked without the flag for this
namespace.

Signed-off-by: Andrey Vagin <avagin@openvz.org>
2015-01-19 18:43:16 +03:00
Andrey Vagin 02c1de6f11 cgroups: set a freezer state before calling FreezerGroup.Set()
My previous patch moved the setting of the freezer state after the Set()
command. It's wrong, because this command uses it, so we need to set the
freezer state before the command and rollback it in an error case.

Fixes: 13a5703 ("cgroups: don't change a freezer state if an operation failed")

Signed-off-by: Andrey Vagin <avagin@openvz.org>
2015-01-19 17:38:26 +03:00
Andrey Vagin dcb3bca32c namespaces: destroy cgroups only on error paths
Signed-off-by: Andrey Vagin <avagin@openvz.org>
2015-01-19 17:38:26 +03:00
Andrey Vagin 9c50d819ae new-api: implement Pause() and Resume()
Signed-off-by: Andrey Vagin <avagin@openvz.org>
2015-01-19 17:38:26 +03:00
Andrey Vagin 30b3306416 cgroups: set a freezer state before calling FreezerGroup.Set()
My previous patch moved the setting of the freezer state after the Set()
command. It's wrong, because this command uses it, so we need to set the
freezer state before the command and rollback it in an error case.

Fixes: 13a5703d85 ("cgroups: don't change a freezer state if an operation failed")

Signed-off-by: Andrey Vagin <avagin@openvz.org>
2015-01-19 17:26:34 +03:00
Qiang Huang 54968f68bc add support for blkio.weight
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2015-01-19 14:33:48 +08:00
Michael Crosby 73ba097bf5 Merge pull request #336 from dqminh/execin-wait
nsenter waits for parent signal before forking
2015-01-16 14:51:02 -08:00
Daniel, Dao Quang Minh 5a87153824 fix TestNsenterAlivePid
unblock the nsenter-exec test process to let it finish successfully

Signed-off-by: Daniel, Dao Quang Minh <dqminh89@gmail.com>
2015-01-16 05:13:19 -05:00
Daniel, Dao Quang Minh f5dfd9a702 nit: reindent with indent -linux
Signed-off-by: Daniel, Dao Quang Minh <dqminh89@gmail.com>
2015-01-16 04:58:30 -05:00
Daniel, Dao Quang Minh 9946e299af nsenter waits for parent signal before forking
this allows the parent to place the process into cgroup first so it can track
the children properly

Docker-DCO-1.1-Signed-off-by: Daniel, Dao Quang Minh <dqminh89@gmail.com> (github: dqminh)
2015-01-16 04:56:45 -05:00