1. rootfs is already validated to be kosher by (*ConfigValidator).rootfs()
2. mount points from /proc/self/mountinfo are absolute and clean, too
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Delete libcontainer/mount in favor of github.com/moby/sys/mountinfo,
which is fast mountinfo parser.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
When github is giving HTTP 404 (or other error), it still sends some
document (to be viewed in a browser), but we have tar on the other end
of the pipe, so the end result is like this:
> Step 13/13 : RUN . tests/integration/multi-arch.bash && curl -o- -sSL `get_busybox` | tar xfJC - ${ROOTFS}
> 4872 ---> Running in ad84646a69f3
> 4873xz: (stdin): File format not recognized
> 4874tar: Child returned status 1
> 4875tar: Error is not recoverable: exiting now
> 4876The command '/bin/sh -c . tests/integration/multi-arch.bash && curl -o- -sSL `get_busybox` | tar xfJC - ${ROOTFS}' returned a non-zero code: 2
Add -f switch to curl, so it will display an HTTP error and exit:
> curl: (22) The requested URL returned error: 404 Not Found
> xz: (stdin): File format not recognized
> tar: Child returned status 1
> tar: Error is not recoverable: exiting now
While at it, also
* remove -v from criu untar (too much output)
* remove -o - from curl (it does the same by default)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
1. Return earlier if there is an error.
2. Do not use filepath.Split on every entry, use info.Name() instead.
3. Make readProcsFile() accept file name as an argument, to avoid
unnecessary file name and directory splitting and merging.
4. Skip on info.IsDir() -- this avoids an error when cgroup name is
set to "cgroup.procs".
This is still not very good since filepath.Walk() performs an unnecessary
stat(2) on every entry, but better than before.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
fmt.Sprintf is slow and is not needed here, string concatenation would
be sufficient. It is also redundant to convert []byte from string and
back, since `bytes` package now provides the same functions as `strings`.
Use Fields() instead of TrimSpace() and Split(), mainly for readability
(note Fields() is somewhat slower than Split() but here it doesn't
matter much).
Use Join() to prepend the plus signs.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Golang 1.14 introduces asynchronous preemption which results into
applications getting frequent EINTR (syscall interrupted) errors when
invoking slow syscalls, e.g. when writing to cgroup files.
As writing to cgroups is idempotent, it is safe to retry writing to the
file whenever the write syscall is interrupted.
Signed-off-by: Mario Nitchev <marionitchev@gmail.com>
If checkpointing a container with '--leave-running' runc started to
print the following message:
ERRO[0000] container is not destroyed
The message is correct, because CRIU did not terminate the process, but
as that was requested by the user the message is wrong.
So now the container is only destroyed if the user did not specify
'--leave-running'.
Signed-off-by: Adrian Reber <areber@redhat.com>
Since [1], x/sys/unix has a function to convert signal name
to a number. Let's use it and drop home-grown signal map.
While at it, add a test case.
[1] d455e41777
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Odin Ugedal (7):
Run verify-dependencies only on go1.x
Don't add git utils to go.mod in CI
Remove refrences to vndr
Make CI script to verify that vendor is in sync
Fix file permissions for mounts.bats
Update spec test to use go.mod
Add support for GO Modules
LGTMs: @hqhq @AkihiroSuda @cyphar
Closes#2073
Both selinux and apparmor subsystem can detect whether it is enabled,
and act accordingly. Compiling it in by default should help avoid
some frustration cased by missing build tags.
This should not change anything in case BUILDTAGS is already set.
README.md is amended to clarify what BUILDTAGS are enabled by
default.
[v2: add apparmor]
[v3: add it unconditionally, fix README]
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
if NOTIFY_SOCKET is used, do not block the main runc process waiting
for events on the notify socket. Bind mount the parent directory of
the notify socket, so that "start" can create the socket and it is
still accessible from the container.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* TestConvertCPUSharesToCgroupV2Value(0) was returning 70369281052672, while the correct value is 0
* ConvertBlkIOToCgroupV2Value(0) was returning 32, while the correct value is 0
* ConvertBlkIOToCgroupV2Value(1000) was returning 4, while the correct value is 10000
Fix#2244
Follow-up to #2212#2213
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
linuxContainer.Signal() can race with another call to say Destroy()
which clears the container's initProcess. This can cause a nil pointer
dereference in Signal().
This patch will synchronize Signal() and Destroy() by grabbing the
container's mutex as part of the Signal() call.
Signed-off-by: Pradyumna Agrawal <pradyumnaa@vmware.com>
Mrunal Patel
Akihiro Suda
Michael Crosby
Ted Yu
Kir Kolyshkin
Mario Nitchev
Danail Branekov
Adrian Reber
SiYu Zhao
Aleksa Sarai
Giuseppe Scrivano
Sascha Grunert
lifubang
Boris Popovschi
l00397676
Pradyumna Agrawal
Odin Ugedal