Again. It looks like a build tag was somehow dropped between
the PR here: https://github.com/docker/libcontainer/pull/625
and the move to runc.
Signed-off-by: Christy Perez <clnperez@linux.vnet.ibm.com>
Simplify the code introduced by the commit d1f0d5705deb:
Return actual ProcessState on Wait error
Cc: Alexander Morozov <lk4d4@docker.com>
Signed-off-by: Lai Jiangshan <jiangshanlai@gmail.com>
This adds a `Signal()` method to the container interface so that the
initial process can be signaled after a Load or operation. It also
implements signaling the init process from a nonChildProcess.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
A boolean field named GidMappingsEnableSetgroups was added to
SysProcAttr in Go1.5. This field determines the value of the process's
setgroups proc entry.
Since the default is to set the entry to 'deny', calling setgroups will
fail on systems running kernels 3.19+.
Set GidMappingsEnableSetgroups to true so setgroups wont be set to
'deny'.
Signed-off-by: Ido Yariv <ido@wizery.com>
TL;DR: check for IsExist(err) after a failed MkdirAll() is both
redundant and wrong -- so two reasons to remove it.
Quoting MkdirAll documentation:
> MkdirAll creates a directory named path, along with any necessary
> parents, and returns nil, or else returns an error. If path
> is already a directory, MkdirAll does nothing and returns nil.
This means two things:
1. If a directory to be created already exists, no error is
returned.
2. If the error returned is IsExist (EEXIST), it means there exists
a non-directory with the same name as MkdirAll need to use for
directory. Example: we want to MkdirAll("a/b"), but file "a"
(or "a/b") already exists, so MkdirAll fails.
The above is a theory, based on quoted documentation and my UNIX
knowledge.
3. In practice, though, current MkdirAll implementation [1] returns
ENOTDIR in most of cases described in #2, with the exception when
there is a race between MkdirAll and someone else creating the
last component of MkdirAll argument as a file. In this very case
MkdirAll() will indeed return EEXIST.
Because of #1, IsExist check after MkdirAll is not needed.
Because of #2 and #3, ignoring IsExist error is just plain wrong,
as directory we require is not created. It's cleaner to report
the error now.
Note this error is all over the tree, I guess due to copy-paste,
or trying to follow the same usage pattern as for Mkdir(),
or some not quite correct examples on the Internet.
[1] https://github.com/golang/go/blob/f9ed2f75/src/os/path.go
Signed-off-by: Kir Kolyshkin <kir@openvz.org>
When the copyBusybox() fails, the error message should be
propagated to the caller of newRootfs().
Signed-off-by: Lai Jiangshan <jiangshanlai@gmail.com>
Actually cgroup mounts are bind-mounts, so they should be
handled by the same way.
Reported-by: Ross Boucher <rboucher@gmail.com>
Signed-off-by: Andrey Vagin <avagin@openvz.org>
Sometimes subsystem can be mounted to path like "subsystem1,subsystem2",
so we need to handle this.
Signed-off-by: Alexander Morozov <lk4d4@docker.com>
This is needed because for nested containers cgroups. Without this patch
they creating unnecessary intermediate cgroup like:
/sys/fs/cgroup/memory/system.slice/docker-9409d9f0b68fb9e9d7d532d5b3f35e7c7f9cca1312af392ae3b28436f1f2998f.scope/system.slice/docker-9409d9f0b68fb9e9d7d532d5b3f35e7c7f9cca1312af392ae3b28436f1f2998f.scope/docker/908ebcc9c13584a14322ec070bd971e0de62f126c0cd95c079acdb99990ad3a3
It is because in /proc/self/cgroup we see paths from host, and they don't
exist in container.
Signed-off-by: Alexander Morozov <lk4d4@docker.com>
Before name=systemd cgroup was mounted inside container to
/sys/fs/cgroup/name=systemd, which is wrong, it should be
/sys/fs/cgroup/systemd
Signed-off-by: Alexander Morozov <lk4d4@docker.com>
Mrunal Patel
Michael Crosby
rajasec
Shijiang Wei
Michael Chase-Salerno
Lai Jiangshan
Alexander Morozov
Mrunal Patel
Ido Yariv
Hui Kang
Antonio Murdaca
Andrey Vagin
Kir Kolyshkin
Jin-Hwan Jeong
Alexander Morozov