James Peach
13919f5dfd
Remove the static_build build tag.
The `static_build` build tag was introduced in e9944d0f
to remove build warnings related to systemd cgroup driver
dependencies. Since then, those dependencies have changed and
building the systemd cgroup driver no longer imports dlopen.
After this change, runc builds will always include the systemd
cgroup driver.
This fixes #2008.
Signed-off-by: James Peach <jpeach@apache.org>
2019-10-26 08:28:45 +11:00
Michael Crosby
c4d8e1688c
Merge pull request #2140 from crosbymichael/fs-unified
Set unified mountpoint in find mnt func
2019-10-24 15:20:47 -04:00
Michael Crosby
792af40dc0
Merge pull request #1929 from kkallday/patch-1
Adds info about `userns` for rootless containers
2019-10-23 12:35:59 -04:00
Michael Crosby
8790f24326
Merge pull request #2147 from AkihiroSuda/iov2-remove-v1-code
io_v2.go: remove blkio v1 code
2019-10-23 10:45:59 -04:00
Michael Crosby
2cd9ba236b
Merge pull request #2146 from AkihiroSuda/doc-not-prod-ready
README.md: clarify cgroup2 support is not ready for production
2019-10-23 10:45:45 -04:00
Akihiro Suda
dbd771e475
cgroup2: implement `runc ps`
Implemented `runc ps` for cgroup v2, using a newly added method `m.GetUnifiedPath()`.
Unlike the v1 implementation that checks `m.GetPaths()["devices"]`, the v2 implementation does not require the device controller to be available.
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2019-10-19 01:59:24 +09:00
Akihiro Suda
9996cf7d39
README.md: clarify cgroup2 support is not ready for production
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2019-10-19 01:51:11 +09:00
Akihiro Suda
d918e7f408
cpuset_v2: skip Apply when no limit is specified
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2019-10-19 00:33:31 +09:00
Akihiro Suda
033936ef76
io_v2.go: remove blkio v1 code
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2019-10-18 21:33:48 +09:00
Radostin Stoyanov
a610a84821
criu: Ensure other users cannot read c/r files
No checkpoint files should be readable by
anyone else but the user creating it.
Signed-off-by: Radostin Stoyanov <rstoyanov1@gmail.com>
2019-10-17 07:49:38 +01:00
Mrunal Patel
4e3701702e
Merge pull request #2139 from rst0git/desc-permisions
checkpoint: Set descriptors.json file mode to 0600
2019-10-16 15:27:08 -07:00
Michael Crosby
b28f58f31b
Set unified mountpoint in find mnt func
This is needed for the fsv2 cgroups to work when there is a unified mountpoint.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2019-10-15 15:40:03 -04:00
Radostin Stoyanov
f017e0f9e1
checkpoint: Set descriptors.json file mode to 0600
Prevent unprivileged users from being able to read descriptors.json
Signed-off-by: Radostin Stoyanov <rstoyanov1@gmail.com>
2019-10-12 19:29:44 +01:00
Aleksa Sarai
c1485a1e88
merge branch 'pr-2134'
VERSION: back to development
VERSION: update to 1.0.0-rc9
Vote: +4 -0 #1
LGTMs: @crosbymichael @hqhq @mrunalp
Closes #2134
2019-10-05 21:33:59 +10:00
Aleksa Sarai
1b8a1eeec3
merge branch 'pr-2132'
Support different field counts of cpuacct.stats
LGTMs: @crosbymichael @cyphar
Closes #2132
2019-10-02 01:50:47 +10:00
Michael Crosby
ba16a38bc4
Merge pull request #2135 from mrueg/security
SECURITY: Add Security Policy
2019-10-01 11:49:49 -04:00
Manuel Rüger
4be50fe338
SECURITY: Add Security Policy
This should make the vuln reporting process more visible on GitHub
https://help.github.com/en/articles/adding-a-security-policy-to-your-repository
Signed-off-by: Manuel Rüger <manuel@rueg.eu>
2019-10-01 13:38:50 +02:00
Aleksa Sarai
2111613c19
VERSION: back to development
Signed-off-by: Aleksa Sarai <asarai@suse.de>
2019-10-01 02:36:34 +10:00
Aleksa Sarai
d736ef14f0
VERSION: update to 1.0.0-rc9
Signed-off-by: Aleksa Sarai <asarai@suse.de>
2019-10-01 02:36:09 +10:00
Michael Crosby
cad42f6e09
Merge pull request #2130 from cyphar/apparmor-verify-procfs
*: verify operations on /proc/... are on procfs
2019-09-30 10:50:03 -04:00
Aleksa Sarai
d463f6485b
*: verify that operations on /proc/... are on procfs
This is an additional mitigation for CVE-2019-16884. The primary problem
is that Docker can be coerced into bind-mounting a file system on top of
/proc (resulting in label-related writes to /proc no longer happening).
While we are working on mitigations against permitting the mounts, this
helps avoid our code from being tricked into writing to non-procfs
files. This is not a perfect solution (after all, there might be a
bind-mount of a different procfs file over the target) but in order to
exploit that you would need to be able to tweak a config.json pretty
specifically (which thankfully Docker doesn't allow).
Specifically this stops AppArmor from not labeling a process silently
due to /proc/self/attr/... being incorrectly set, and stops any
accidental fd leaks because /proc/self/fd/... is not real.
Signed-off-by: Aleksa Sarai <asarai@suse.de>
2019-09-30 09:06:48 +10:00
Aleksa Sarai
9aef504415
vendor: update github.com/opencontainers/selinux
This is a bump to v1.3.0, plus the necessary CVE-2019-16884 mitigation.
Signed-off-by: Aleksa Sarai <asarai@suse.de>
2019-09-30 00:36:59 +10:00
tianye15
28e58a0f6a
Support different field counts of cpuacct.stats
Signed-off-by: skilxnTL <tylxltt@gmail.com>
2019-09-29 10:20:58 +08:00
Julia Nedialkova
e63b797f38
Handle ENODEV when accessing the freezer.state file
...when checking if a container is paused
Signed-off-by: Julia Nedialkova <julianedialkova@hotmail.com>
2019-09-27 17:02:56 +03:00
blacktop
84373aaa56
Add SCMP_ACT_LOG as a valid Seccomp action (#1951)
Signed-off-by: blacktop <blacktop@users.noreply.github.com>
2019-09-26 11:03:03 -04:00
Mrunal Patel
3e425f80a8
Merge pull request #2129 from crosbymichael/proc-mount
Only allow proc mount if it is procfs
2019-09-25 17:02:15 -07:00
Michael Crosby
331692baa7
Only allow proc mount if it is procfs
Fixes #2128
This allows proc to be bind mounted for host and rootless namespace use cases, but
it removes the ability to mount a directory over the top of proc.
```bash
> sudo docker run --rm apparmor
docker: Error response from daemon: OCI runtime create failed:
container_linux.go:346: starting container process caused "process_linux.go:449:
container init caused \"rootfs_linux.go:58: mounting
\\\"/var/lib/docker/volumes/aae28ea068c33d60e64d1a75916cf3ec2dc3634f97571854c9ed30c8401460c1/_data\\\"
to rootfs
\\\"/var/lib/docker/overlay2/a6be5ae911bf19f8eecb23a295dec85be9a8ee8da66e9fb55b47c841d1e381b7/merged\\\"
at \\\"/proc\\\" caused
\\\"\\\\\\\"/var/lib/docker/overlay2/a6be5ae911bf19f8eecb23a295dec85be9a8ee8da66e9fb55b47c841d1e381b7/merged/proc\\\\\\\"
cannot be mounted because it is not of type proc\\\"\"": unknown.
> sudo docker run --rm -v /proc:/proc apparmor
docker-default (enforce) root 18989 0.9 0.0 1288 4 ?
Ss 16:47 0:00 sleep 20
```
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2019-09-24 11:00:18 -04:00
Michael Crosby
7507c64ff6
Merge pull request #2041 from jburianek/notify-socket-permissions
Change the permissions of the notify listener socket to rwx for everyone
2019-09-18 14:53:36 -04:00
Mrunal Patel
bf27c2f86d
Merge pull request #2126 from flynn/fix-nsenter-unsupported
libcontainer/nsenter: Don't import C in non-cgo file
2019-09-12 10:12:54 -07:00
Jonathan Rudenberg
af7b6547ec
libcontainer/nsenter: Don't import C in non-cgo file
Signed-off-by: Jonathan Rudenberg <jonathan@titanous.com>
2019-09-11 17:03:07 +00:00
Mrunal Patel
6c0555209b
Merge pull request #2125 from giuseppe/mount-cgroups
cgroup: support mount of cgroup2
2019-09-10 21:03:38 -07:00
Michael Crosby
267490e3ca
Merge pull request #2010 from lifubang/checkpointrootless
criu image path permission error when checkpoint rootless container
2019-09-10 15:40:31 -04:00
Mrunal Patel
e7a87dd240
Merge pull request #2098 from adrianreber/master
man: fix man-pages
2019-09-09 12:50:17 -07:00
Giuseppe Scrivano
718a566e02
cgroup: support mount of cgroup2
convert a "cgroup" mount to "cgroup2" when the system uses cgroups v2
unified hierarchy.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2019-09-06 17:57:14 +02:00
Qiang Huang
a6606a7ae9
Merge pull request #2029 from thaJeztah/bump_dependencies
Update dependencies
2019-09-06 09:12:14 +08:00
Sebastiaan van Stijn
115d4b9e57
bump golang/protobuf v1.0.0
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-09-06 01:44:33 +02:00
Sebastiaan van Stijn
85c02f3f30
bump coreos/go-systemd v19, godbus/dbus v5.0.1
- https://github.com/coreos/go-systemd/compare/v14..v19
- coreos/go-systemd#248 dbus: add SetPropertiesSubscriber method
- coreos/go-systemd#251 activation: add support for listeners with names
- coreos/go-systemd#296 dbus: Fix API break from godbus
- https://github.com/godbus/dbus/compare/v3..v5.0.1
- godbus/dbus#89 introduce MakeVariantWithSignature
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-09-06 01:44:30 +02:00
Sebastiaan van Stijn
21498b8e54
bump mrunalp/fileutils 7d4729fb36185a7c1719923406c9d40e54fb93c7
no significant changes, other than some linting fixes
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-09-06 01:44:28 +02:00
Sebastiaan van Stijn
eb86f6037e
bump syndtr/gocapability d98352740cb2c55f81556b63d4a1ec64c5a319c2
relevant changes:
- syndtr/gocapability#14 capability: Deprecate NewPid and NewFile for NewPid2 and NewFile2
- syndtr/gocapability#16 Fix capHeader.pid type
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-09-06 01:44:26 +02:00
Sebastiaan van Stijn
1150ce9c6e
bump urfave/cli v1.20.0
previous version was somewhere between v1.18 and v1.19
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-09-06 01:44:23 +02:00
Sebastiaan van Stijn
8e4f645fca
bump docker/go-units v0.3.3
relevant changes:
- docker/go-units#8 Enhance FromHumanSize to parse float64 string
- docker/go-units#20 Add `HumanSizeWithPrecision` function
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-09-06 01:43:44 +02:00
Sebastiaan van Stijn
0fc0662338
bump cyphar/filepath-securejoin v0.2.2
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-09-06 01:43:42 +02:00
Sebastiaan van Stijn
414a39dedb
bump containerd/console 0650fd9eeb50bab4fc99dceb9f2e14cf58f36e7f
relevant changes:
- containerd/console#27 console_linux: Fix race: lock Cond before Signal
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-09-06 01:43:39 +02:00
Sebastiaan van Stijn
de24d73350
bump github.com/pkg/errors 0.8.1
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-09-06 01:43:37 +02:00
Sebastiaan van Stijn
4be3c48e05
Reformat vendor.conf and pin all deps by git-sha
to make it more readable, and to encourage pinning by
sha, but aligned to a tagged release.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-09-06 01:43:33 +02:00
Mrunal Patel
0fd4342a92
Merge pull request #2028 from thaJeztah/bump_golang_versions
Update to Go 1.12 and drop obsolete versions
2019-09-05 16:30:01 -07:00
Mrunal Patel
92ac8e3f84
Merge pull request #2113 from giuseppe/cgroupv2
libcontainer: initial support for cgroups v2
2019-09-05 13:14:29 -07:00
Giuseppe Scrivano
524cb7c318
libcontainer: add systemd.UnifiedManager
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2019-09-05 13:02:27 +02:00
Giuseppe Scrivano
ec11136828
libcontainer, cgroups: rename systemd.Manager to LegacyManager
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2019-09-05 13:02:26 +02:00
Giuseppe Scrivano
1932917b71
libcontainer: add initial support for cgroups v2
allow setting which subsystems are used by
libcontainer/cgroups/fs.Manager.
subsystemsUnified is used on a system running with cgroups v2 unified
mode.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2019-09-05 13:02:25 +02:00