The setting of the apparmor profile for the setns codepath was missing.
Selinux was being called but apparmor was forgotten. This was causing
no profiles to be applied to the extra process spawned inside an existing
container.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
docker exec changes the mount namespace which fools selinux bindings
into thinking SELinux is disabled. Bindings should just check if
a label is passed in and attempt to use it. Docker will not call these
functions with a label if SELinux is disabled.
Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)
This is needed for the libvirt exec driver.
Docker-DCO-1.1-Signed-off-by: Alexander Larsson <alexl@redhat.com> (github: alexlarsson)
Docker-DCO-1.1-Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com> (github: jpoimboe)
- Add Llistxattr() support
- Additionally, clean up Lgetxattr() and implement it properly
in accordance with getxattr() syscall behavior.
Signed-off-by: Harshavardhana <fharshav@redhat.com>
You can now create VLAN and MAC VLAN devices using netlink.
I've also added tests for both VLAN and MAC VLAN stuff.
Signed-off-by: Milos Gajdos <milosgajdos83@gmail.com> (github: milosgajdos83)
I've refactored NetworkSetNsPid and NetworkSetNsFd following
what we already have in place for Add/Del Ip and Add/Del Link.
I've reimplemented NetworkChangeName function which is now
using netlink for changing the interface name. I added tests too.
I've moved the original syscall implementation at the bottom
to keep it together with the other non-netlink functions.
Signed-off-by: Milos Gajdos <milosgajdos83@gmail.com> (github: milosgajdos83)
Since currently the container.json file does not include the pathname
to a container's root filesystem, we need to parse /proc/mounts which
is slow and error-prone. This patch addresses this issue by adding a
new RootFs field.
Signed-off-by: Saied Kazemi <saied@google.com>
I've added more tests. We now have almost 55% coverage.
I've also reorganized netlink_linux codebase and moved
the non-RTNETLINK functions at the bottom. I've also
added some comments to some functions.
Docker-DCO-1.1-Signed-off-by: Milos Gajdos <milosgajdos83@gmail.com> (github: milosgajdos83)
We calculate this on every cgroup call. It comprised 30%+ of the CPU
usage in cAdvisor.
Docker-DCO-1.1-Signed-off-by: Victor Marmol <vmarmol@google.com> (github: vmarmol)
Since the caller of os.Lstat in devices.go is a function (not a method),
we use a variable to allow os.Lstat to be substituted during testing.
In this case the variable osLstat is private to the devices package to
prevent abuse. So the test case needs to reside in the same package.
This commit includes a simple test of GetDevices() using osLstat to
simulate an error being returned from os.Lstat. In this case, the
behaviour of GetDevices() in the error case is trivial, but this may
change.
This is just the beginning of error injection. In future, it may be
necessary to pull out repetitive code sequences into a common file.
Signed-off-by: Steve Powell <spowell@pivotal.io>
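Added example, not code from libcontainer or from any of the commits above. It illustrates two of the messages at once: the Llistxattr()/Lgetxattr() commit (the getxattr(2) sizing protocol, where a zero-length buffer queries the required size and ERANGE means the value grew between the size query and the read, plus the NUL-separated name list that llistxattr returns) and the osLstat commit's error-injection pattern (the raw syscall wrappers are package variables that a test in the same package replaces with fakes). The names rawLgetxattr, rawLlistxattr, bufPtr and readWithRetry are this example's own, and the code is Linux-only.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strings"
	"syscall"
	"unsafe"
)

// Raw syscall wrappers as package variables so a test can swap in a fake and
// inject errors such as ERANGE (same pattern as osLstat in devices.go). Example names.
var rawLgetxattr = sysLgetxattr
var rawLlistxattr = sysLlistxattr

// bufPtr yields NULL for an empty buffer; with size 0 the kernel returns the size needed.
func bufPtr(b []byte) unsafe.Pointer {
	if len(b) == 0 {
		return nil
	}
	return unsafe.Pointer(&b[0])
}

func sysLgetxattr(path, attr string, dest []byte) (int, error) {
	p, err := syscall.BytePtrFromString(path)
	if err != nil {
		return 0, err
	}
	a, err := syscall.BytePtrFromString(attr)
	if err != nil {
		return 0, err
	}
	n, _, e := syscall.Syscall6(syscall.SYS_LGETXATTR, uintptr(unsafe.Pointer(p)),
		uintptr(unsafe.Pointer(a)), uintptr(bufPtr(dest)), uintptr(len(dest)), 0, 0)
	if e != 0 {
		return 0, e
	}
	return int(n), nil
}

func sysLlistxattr(path string, dest []byte) (int, error) {
	p, err := syscall.BytePtrFromString(path)
	if err != nil {
		return 0, err
	}
	n, _, e := syscall.Syscall(syscall.SYS_LLISTXATTR, uintptr(unsafe.Pointer(p)),
		uintptr(bufPtr(dest)), uintptr(len(dest)))
	if e != 0 {
		return 0, e
	}
	return int(n), nil
}

// readWithRetry follows getxattr(2) sizing: query the size with an empty buffer, read into
// a buffer of that size, and on ERANGE (value grew meanwhile) re-query, a bounded number of times.
func readWithRetry(call func(dest []byte) (int, error)) ([]byte, error) {
	size, err := call(nil)
	if err != nil {
		return nil, err
	}
	for attempt := 0; attempt < 3; attempt++ {
		buf := make([]byte, size)
		n, err := call(buf)
		if err == nil {
			return buf[:n], nil
		}
		if !errors.Is(err, syscall.ERANGE) {
			return nil, err
		}
		if size, err = call(nil); err != nil {
			return nil, err
		}
	}
	return nil, syscall.ERANGE
}

// Lgetxattr reads attr from path without following a final symlink.
func Lgetxattr(path, attr string) ([]byte, error) {
	return readWithRetry(func(dest []byte) (int, error) { return rawLgetxattr(path, attr, dest) })
}

// Llistxattr returns the attribute names on path. The kernel hands back a
// NUL-separated, NUL-terminated list; FieldsFunc splits it and drops empties.
func Llistxattr(path string) ([]string, error) {
	raw, err := readWithRetry(func(dest []byte) (int, error) { return rawLlistxattr(path, dest) })
	if err != nil {
		return nil, err
	}
	return strings.FieldsFunc(string(raw), func(r rune) bool { return r == 0 }), nil
}

func main() {
	path := "/"
	if len(os.Args) > 1 {
		path = os.Args[1]
	}
	names, err := Llistxattr(path)
	fmt.Printf("%s: %v (err=%v)\n", path, names, err)
	for _, name := range names {
		val, err := Lgetxattr(path, name)
		fmt.Printf("  %s=%q (err=%v)\n", name, val, err)
	}
}
```

Because the retry loop is driven by the injected wrapper, a test can replay the exact race the ERANGE path exists for (a size query that is stale by the time the read happens) without needing a filesystem that supports xattrs or a concurrent writer.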