debugging

Signed-off-by: Jess Frazelle <jess@mesosphere.com>
2016-04-16 16:05:09 -07:00 · 2016-04-16 16:05:09 -07:00 · b92f1bdae4
commit b92f1bdae4
parent 0ae930df26
8 changed files with 51 additions and 14 deletions
--- a/3
+++ b/3
@ -49,7 +49,7 @@ image.tar:
 	docker export $(shell docker create $(DOCKER_ROOTFS_IMAGE) sh) > $@

 rootfs.go: image.tar
-	go generate
+	GOMAXPROCS=1 go generate

 fmt:
 	@echo "+ $@"
@ -76,6 +76,7 @@ clean: clean-rootfs
 	@$(RM) *.tar
 	@$(RM) rootfs.go
 	@$(RM) -r $(BINDIR)
+	-@docker rm $(shell docker ps -aq) /dev/null 2>&1

 install:
 	@echo "+ $@"
--- a/README.md
+++ b/README.md
@ -8,13 +8,19 @@ This is based off a crazy idea from [@crosbymichael](https://github.com/crosbymi
 **NOTE**

 You may have noticed you can't file an issue. That's because this is using a crazy
-person's (aka my) fork of libcontainer
-and until I get the patches into upstream there's no
-way in hell I'm fielding issues from whoever is crazy 
-enough to try this.
+person's (aka my) fork of libcontainer and until I get the patches into upstream
+there's no way in hell I'm fielding issues from whoever is crazy enough to try this.

 ### Building

+This uses the new Golang vendoring so you need go 1.6 or
+`GO15VENDOREXPERIMENT=1` in your env.
+
+You will also need `libapparmor-dev` and `libseccomp-dev`.
+
+Most importantly you need userns in your kernel (`CONFIG_USER_NS=y`)
+or else this won't even work.
+
 ```console
 $ make static
 Static container created at: ./bin/alpine
@ -100,6 +106,12 @@ The binary spawned does NOT need to oversee the container process if you
 run in detached mode with a PID file. You can have it watched by the user mode
 systemd so that this binary is really just the launcher :)

+## Example
+
+Nginx running with my user "jessie".
+
+![nginx.png](nginx.png)
+
 ## Caveats

 **Caps the binary needs to unpack and set
--- a/main.go
+++ b/main.go
@ -12,6 +12,7 @@ import (
 	aaprofile "github.com/docker/docker/profiles/apparmor"
 	"github.com/opencontainers/runc/libcontainer"
 	"github.com/opencontainers/runc/libcontainer/apparmor"
+	"github.com/opencontainers/runc/libcontainer/user"
 	"github.com/opencontainers/runtime-spec/specs-go"
 )

@ -180,13 +181,21 @@ func main() {

 	// install the default apparmor profile
 	if apparmor.IsEnabled() {
-		if err := aaprofile.InstallDefault(defaultApparmorProfile); err != nil {
-			logrus.Warnf("AppArmor is enabled on the the system, but the profile (%s) could not be loaded", defaultApparmorProfile)
+		// check if we have the docker-default apparmor profile loaded
+		if err := aaprofile.IsLoaded(defaultApparmorProfile); err != nil {
+			logrus.Warnf("AppArmor enabled on system but the %s profile is not loaded. apparmor_parser needs root to load a profile so we can't do it for you.", defaultApparmorProfile)
 		} else {
 			spec.Process.ApparmorProfile = defaultApparmorProfile
 		}
 	}

+	// set the CgroupsPath as this user
+	user, err := user.CurrentUser()
+	if err != nil {
+		logrus.Fatal(err)
+	}
+	spec.Linux.CgroupsPath = sPtr(user.Name)
+
 	if err := unpackRootfs(spec); err != nil {
 		logrus.Fatal(err)
 	}
--- a/nginx.png
+++ b/nginx.png
--- a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/apply_raw.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/apply_raw.go
@ -111,11 +111,14 @@ func (m *Manager) Apply(pid int) (err error) {

 	var c = m.Cgroups

+	logrus.Debugf("pre get cgroups data: %#v", c)
 	d, err := getCgroupData(m.Cgroups, pid)
 	if err != nil {
 		return err
 	}

+	logrus.Debugf("cgroups data: %#v, config: %#v", d, d.config)
+
 	if c.Paths != nil {
 		paths := make(map[string]string)
 		for name, path := range c.Paths {
@ -129,6 +132,7 @@ func (m *Manager) Apply(pid int) (err error) {
 			paths[name] = path
 		}
 		m.Paths = paths
+		logrus.Debugf("cgroups apply paths: %#v", m.Paths)
 		return cgroups.EnterPid(m.Paths, pid)
 	}

@ -136,6 +140,7 @@ func (m *Manager) Apply(pid int) (err error) {
 	defer m.mu.Unlock()
 	paths := make(map[string]string)
 	for _, sys := range subsystems {
+		logrus.Debugf("applying cgroups to subsystem %#v", sys)
 		if err := sys.Apply(d); err != nil {
 			return err
 		}
@ -353,23 +358,25 @@ func writeFile(dir, file, data string) error {
 	if dir == "" {
 		return fmt.Errorf("no such directory for %s", file)
 	}
-
 	// get the current user
 	u, err := user.CurrentUser()
 	if err != nil {
 		return err
 	}

-	if err := os.Chown(dir, u.Uid, u.Gid); err != nil {
-		return fmt.Errorf("failed to chown %s to %d:%d -> %v", dir, u.Uid, u.Gid, err)
+	if err := os.Lchown(dir, u.Uid, u.Gid); err != nil {
+		return fmt.Errorf("failed to chown to %d:%d -> %v", u.Uid, u.Gid, err)
 	}
+	logrus.Debugf("chown dir %s to %d:%d", dir, u.Uid, u.Gid)

-	if err := os.Chown(filepath.Join(dir, "tasks"), u.Uid, u.Gid); err != nil {
-		return fmt.Errorf("failed to chown %s/tasks to %d:%d -> %v", dir, u.Uid, u.Gid, err)
+	if err := os.Lchown(filepath.Join(dir, file), u.Uid, u.Gid); err != nil {
+		return fmt.Errorf("failed to chown to %d:%d -> %v", u.Uid, u.Gid, err)
 	}
+	logrus.Debugf("chown %s to %d:%d", filepath.Join(dir, file), u.Uid, u.Gid)

 	if err := ioutil.WriteFile(filepath.Join(dir, file), []byte(data), 0700); err != nil {
 		logrus.Debugf("failed to write %v to %v: %v", data, file, err)
+		//return err
 	}
 	return nil
 }
--- a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/cpuset.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/cpuset.go
@ -10,6 +10,7 @@ import (
 	"path/filepath"
 	"strconv"

+	"github.com/Sirupsen/logrus"
 	"github.com/opencontainers/runc/libcontainer/cgroups"
 	"github.com/opencontainers/runc/libcontainer/configs"
 	libcontainerUtils "github.com/opencontainers/runc/libcontainer/utils"
@ -27,6 +28,7 @@ func (s *CpusetGroup) Apply(d *cgroupData) error {
 	if err != nil && !cgroups.IsNotFound(err) {
 		return err
 	}
+	logrus.Debugf("apply cpuset dir is %s", dir)
 	return s.ApplyDir(dir, d.config, d.pid)
 }

--- a/vendor/github.com/opencontainers/runc/libcontainer/container_linux.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/container_linux.go
@ -171,6 +171,7 @@ func (c *linuxContainer) Set(config configs.Config) error {
 	c.m.Lock()
 	defer c.m.Unlock()
 	c.config = &config
+	logrus.Debugf("setting cgroups")
 	return c.cgroupManager.Set(c.config)
 }

@ -741,6 +742,7 @@ func (c *linuxContainer) Restore(process *Process, criuOpts *CriuOpts) error {
 }

 func (c *linuxContainer) criuApplyCgroups(pid int, req *criurpc.CriuReq) error {
+	logrus.Debugf("criu apply cgroups")
 	if err := c.cgroupManager.Apply(pid); err != nil {
 		return err
 	}
--- a/vendor/github.com/opencontainers/runc/libcontainer/process_linux.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/process_linux.go
@ -13,6 +13,7 @@ import (
 	"strconv"
 	"syscall"

+	"github.com/Sirupsen/logrus"
 	"github.com/opencontainers/runc/libcontainer/cgroups"
 	"github.com/opencontainers/runc/libcontainer/configs"
 	"github.com/opencontainers/runc/libcontainer/system"
@ -247,6 +248,9 @@ func (p *initProcess) start() error {
 		return newSystemError(err)
 	}
 	p.setExternalDescriptors(fds)
+
+	logrus.Debugf("starting process apply cgroups")
+
 	// Do this before syncing with child so that no children
 	// can escape the cgroup
 	if err := p.manager.Apply(p.pid()); err != nil {