Vendor in runc d49ece5a83da3dcb820121d6850e2b61bd0a5fbe

Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>

Dockerfile

@@ -36,7 +36,7 @@ RUN set -x \
 	&& rm -rf "$SECCOMP_PATH"
 
 # Install runc
-ENV RUNC_COMMIT 9c89737e6e117a8be5a4980bc9795fe1a2b1028e
+ENV RUNC_COMMIT d49ece5a83da3dcb820121d6850e2b61bd0a5fbe
 RUN set -x \
 	&& export GOPATH="$(mktemp -d)" \
     && git clone git://github.com/opencontainers/runc.git "$GOPATH/src/github.com/opencontainers/runc" \

hack/vendor.sh

@@ -14,7 +14,7 @@ clone git github.com/docker/go-units 5d2041e26a699eaca682e2ea41c8f891e1060444
 clone git github.com/godbus/dbus e2cf28118e66a6a63db46cf6088a35d2054d3bb0
 clone git github.com/golang/glog 23def4e6c14b4da8ac2ed8007337bc5eb5007998
 clone git github.com/golang/protobuf 8d92cf5fc15a4382f8964b08e1f42a75c0591aa3
-clone git github.com/opencontainers/runc 89c3c97a8482f3a57cd4bb683df1a7b2c61405d8
+clone git github.com/opencontainers/runc d49ece5a83da3dcb820121d6850e2b61bd0a5fbe
 clone git github.com/opencontainers/runtime-spec f955d90e70a98ddfb886bd930ffd076da9b67998
 clone git github.com/rcrowley/go-metrics eeba7bd0dd01ace6e690fa833b3f22aaec29af43
 clone git github.com/satori/go.uuid f9ab0dce87d815821e221626b772e3475a0d2749

vendor/src/github.com/opencontainers/runc/libcontainer/apparmor/apparmor.go

@@ -7,6 +7,7 @@ package apparmor
 // #include <stdlib.h>
 import "C"
 import (
+	"fmt"
 	"io/ioutil"
 	"os"
 	"unsafe"
@@ -32,7 +33,7 @@ func ApplyProfile(name string) error {
 	cName := C.CString(name)
 	defer C.free(unsafe.Pointer(cName))
 	if _, err := C.aa_change_onexec(cName); err != nil {
-		return err
+		return fmt.Errorf("apparmor failed to apply profile: %s", err)
 	}
 	return nil
 }

vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/fs/memory.go

@@ -5,6 +5,7 @@ package fs
 import (
 	"bufio"
 	"fmt"
+	"math"
 	"os"
 	"path/filepath"
 	"strconv"
@@ -12,6 +13,7 @@ import (
 
 	"github.com/opencontainers/runc/libcontainer/cgroups"
 	"github.com/opencontainers/runc/libcontainer/configs"
+	"github.com/opencontainers/runc/libcontainer/system"
 )
 
 type MemoryGroup struct {
@@ -33,7 +35,7 @@ func (s *MemoryGroup) Apply(d *cgroupData) (err error) {
 			}
 		}
 		// We have to set kernel memory here, as we can't change it once
-		// processes have been attached.
+		// processes have been attached to the cgroup.
 		if err := s.SetKernelMemory(path, d.config); err != nil {
 			return err
 		}
@@ -55,9 +57,44 @@ func (s *MemoryGroup) Apply(d *cgroupData) (err error) {
 }
 
 func (s *MemoryGroup) SetKernelMemory(path string, cgroup *configs.Cgroup) error {
-	// This has to be done separately because it has special constraints (it
+	// This has to be done separately because it has special
-	// can't be done after there are processes attached to the cgroup).
+	// constraints (it can only be initialized before setting up a
-	if cgroup.Resources.KernelMemory > 0 {
+	// hierarchy or adding a task to the cgroups. However, if
+	// sucessfully initialized, it can be updated anytime afterwards)
+	if cgroup.Resources.KernelMemory != 0 {
+		kmemInitialized := false
+		// Is kmem.limit_in_bytes already set?
+		kmemValue, err := getCgroupParamUint(path, "memory.kmem.limit_in_bytes")
+		if err != nil {
+			return err
+		}
+		switch system.GetLongBit() {
+		case 32:
+			kmemInitialized = uint32(kmemValue) != uint32(math.MaxUint32)
+		case 64:
+			kmemInitialized = kmemValue != uint64(math.MaxUint64)
+		}
+
+		if !kmemInitialized {
+			// If hierarchy is set, we can't change the limit
+			usesHierarchy, err := getCgroupParamUint(path, "memory.use_hierarchy")
+			if err != nil {
+				return err
+			}
+			if usesHierarchy != 0 {
+				return fmt.Errorf("cannot initialize kmem.limit_in_bytes if use_hierarchy is already set")
+			}
+
+			// If there's already tasks in the cgroup, we can't change the limit either
+			tasks, err := getCgroupParamString(path, "tasks")
+			if err != nil {
+				return err
+			}
+			if tasks != "" {
+				return fmt.Errorf("cannot initialize kmem.limit_in_bytes after task have joined this cgroup")
+			}
+		}
+
 		if err := writeFile(path, "memory.kmem.limit_in_bytes", strconv.FormatInt(cgroup.Resources.KernelMemory, 10)); err != nil {
 			return err
 		}
@@ -113,6 +150,10 @@ func (s *MemoryGroup) Set(path string, cgroup *configs.Cgroup) error {
 		return err
 	}
 
+	if err := s.SetKernelMemory(path, cgroup); err != nil {
+		return err
+	}
+
 	if cgroup.Resources.MemoryReservation != 0 {
 		if err := writeFile(path, "memory.soft_limit_in_bytes", strconv.FormatInt(cgroup.Resources.MemoryReservation, 10)); err != nil {
 			return err

vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/systemd/apply_systemd.go

@@ -214,11 +214,9 @@ func (m *Manager) Apply(pid int) error {
 			newProp("BlockIOWeight", uint64(c.Resources.BlkioWeight)))
 	}
 
-	// We need to set kernel memory before processes join cgroup because
+	// We have to set kernel memory here, as we can't change it once
-	// kmem.limit_in_bytes can only be set when the cgroup is empty.
+	// processes have been attached to the cgroup.
-	// And swap memory limit needs to be set after memory limit, only
+	if c.Resources.KernelMemory != 0 {
-	// memory limit is handled by systemd, so it's kind of ugly here.
-	if c.Resources.KernelMemory > 0 {
 		if err := setKernelMemory(c); err != nil {
 			return err
 		}
@@ -469,11 +467,5 @@ func setKernelMemory(c *configs.Cgroup) error {
 		return err
 	}
 
-	if err := os.MkdirAll(path, 0755); err != nil {
+	return os.MkdirAll(path, 0755)
-		return err
-	}
-
-	// This doesn't get called by manager.Set, so we need to do it here.
-	s := &fs.MemoryGroup{}
-	return s.SetKernelMemory(path, c)
 }

vendor/src/github.com/opencontainers/runc/libcontainer/system/sysconfig.go

@@ -10,3 +10,7 @@ import "C"
 func GetClockTicks() int {
 	return int(C.sysconf(C._SC_CLK_TCK))
 }
+
+func GetLongBit() int {
+	return int(C.sysconf(C._SC_LONG_BIT))
+}