Users of libcontainer other than runc may also require parsing and
converting specification configuration files.
Since runc cannot be imported, move the relevant functions and
definitions to a separate package, libcontainer/specconv.
Signed-off-by: Ido Yariv <ido@wizery.com>
Fixes#680
This changes setupRlimit to use the Prlimit syscall (rather than
Setrlimit) and moves the call to the parent process. This is necessary
because Setrlimit would affect the libcontainer consumer if called in
the parent, and would fail if called from the child if the
child process is in a user namespace and the requested rlimit is higher
than that in the parent.
Signed-off-by: Julian Friedman <julz.friedman@uk.ibm.com>
systemd expects cgroupsPath to be of form "slice:prefix:name".
So dont call cleanPath on it anymore.
Signed-off-by: Anusha Ragunathan <anusha@docker.com>
Make sure we don't error out collecting statistics for cases where
pids.max == "max". In that case, we can use a limit of 0 which means
"unlimited".
In addition, change the name of the stats attribute (Max) to mirror the
name of the resources attribute in the spec (Limit) so that it's
consistent internally.
Signed-off-by: Aleksa Sarai <asarai@suse.de>
For things that depend or watch for this pid file to know when the
container is started we need to create this file atomically.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
So we won't see the link message every time we make
runc. Also it use force remove when make clean, so
we don't see annoying error when do extra make clean.
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
This is required because we manage some of the cgroups ourselves.
This recommendation came from talking with systemd devs about
some of the issues that we see when using the systemd cgroups driver.
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
We need to make sure the container is destroyed before closing the stdio
for the container. This becomes a big issues when running in the host's
pid namespace because the other processes could have inherited the stdio
of the initial process. The call to close will just block as they still
have the io open.
Calling destroy before closing io, especially in the host pid namespace
will cause all additional processes to be killed in the container's
cgroup. This will allow the io to be closed successfuly.
This change makes sure the order for destroy and close is correct as
well as ensuring that if any errors encoutered during start or exec will
be handled by terminating the process and destroying the container. We
cannot use defers here because we need to enforce the correct ordering
on destroy.
This also sets the subreaper setting for runc so that when running in
pid host, runc can wait on the addiontal processes launched by the
container, useful on destroy, but also good for reaping the additional
processes that were launched.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Michael Crosby
Ido Yariv
Julian Friedman
Qiang Huang
allencloud
Thomas Tanaka
Anusha Ragunathan
Mrunal Patel
Mrunal Patel
Tonis Tiigi
pankit thapar
rajasec
Aleksa Sarai
Mike Brown
Jessica Frazelle
Thomas LE ROUX
Alexander Morozov