Merge pull request #1321 from runcom/bump-runtime-tools-cap-fix
vendor: bump runtime-tools to fix caps drop handling
commit
7310839369
5 changed files with 39 additions and 27 deletions
|
@ -20,7 +20,7 @@ github.com/containernetworking/cni v0.4.0
|
|||
google.golang.org/grpc v1.0.4 https://github.com/grpc/grpc-go
|
||||
github.com/opencontainers/selinux b29023b86e4a69d1b46b7e7b4e2b6fda03f0b9cd
|
||||
github.com/opencontainers/go-digest v1.0.0-rc0
|
||||
github.com/opencontainers/runtime-tools 625e2322645b151a7cbb93a8b42920933e72167f
|
||||
github.com/opencontainers/runtime-tools 263fad0457d4a42d08aea3fb2bc4da7d2f8c3af7
|
||||
github.com/opencontainers/runc 9f9c96235cc97674e935002fc3d78361b696a69e
|
||||
github.com/mrunalp/fileutils master
|
||||
github.com/vishvananda/netlink master
|
||||
|
|
12
vendor/github.com/opencontainers/runtime-tools/README.md
generated
vendored
|
@ -37,17 +37,29 @@ If your distribution does not package node-tap, you can install [npm][] (for exa
|
|||
$ npm install tap
|
||||
```
|
||||
|
||||
Build the validation executables:
|
||||
|
||||
```console
|
||||
$ make runtimetest validation-executables
|
||||
```
|
||||
|
||||
Runtime validation currently [only supports](docs/runtime-compliance-testing.md) the [OCI Runtime Command Line Interface](doc/command-line-interface.md).
|
||||
If we add support for alternative APIs in the future, runtime validation will gain an option to select the desired runtime API.
|
||||
For the command line interface, the `RUNTIME` option selects the runtime command (`funC` in the [OCI Runtime Command Line Interface](doc/command-line-interface.md)).
|
||||
|
||||
```
|
||||
$ sudo make RUNTIME=runc localvalidation
|
||||
RUNTIME=runc tap validation/linux_rootfs_propagation_shared.t validation/create.t validation/default.t validation/linux_readonly_paths.t validation/linux_masked_paths.t validation/mounts.t validation/process.t validation/root_readonly_false.t validation/linux_sysctl.t validation/linux_devices.t validation/linux_gid_mappings.t validation/process_oom_score_adj.t validation/process_capabilities.t validation/process_rlimits.t validation/root_readonly_true.t validation/linux_rootfs_propagation_unbindable.t validation/hostname.t validation/linux_uid_mappings.t
|
||||
validation/linux_rootfs_propagation_shared.t ........ 18/19
|
||||
not ok rootfs propagation
|
||||
error: 'rootfs should be shared, but not'
|
||||
|
||||
validation/create.t ................................... 4/4
|
||||
validation/default.t ................................ 19/19
|
||||
validation/linux_readonly_paths.t ................... 19/19
|
||||
validation/linux_masked_paths.t ..................... 18/19
|
||||
not ok masked paths
|
||||
error: /masktest should not be readable
|
||||
|
||||
validation/mounts.t ................................... 0/1
|
||||
Skipped: 1
|
||||
|
|
20
vendor/github.com/opencontainers/runtime-tools/generate/generate.go
generated
vendored
|
@ -914,12 +914,6 @@ func (g *Generator) ClearPreStartHooks() {
|
|||
// AddPreStartHook add a prestart hook into g.spec.Hooks.Prestart.
|
||||
func (g *Generator) AddPreStartHook(preStartHook rspec.Hook) error {
|
||||
g.initSpecHooks()
|
||||
for i, hook := range g.spec.Hooks.Prestart {
|
||||
if hook.Path == preStartHook.Path {
|
||||
g.spec.Hooks.Prestart[i] = preStartHook
|
||||
return nil
|
||||
}
|
||||
}
|
||||
g.spec.Hooks.Prestart = append(g.spec.Hooks.Prestart, preStartHook)
|
||||
return nil
|
||||
}
|
||||
|
@ -935,12 +929,6 @@ func (g *Generator) ClearPostStopHooks() {
|
|||
// AddPostStopHook adds a poststop hook into g.spec.Hooks.Poststop.
|
||||
func (g *Generator) AddPostStopHook(postStopHook rspec.Hook) error {
|
||||
g.initSpecHooks()
|
||||
for i, hook := range g.spec.Hooks.Poststop {
|
||||
if hook.Path == postStopHook.Path {
|
||||
g.spec.Hooks.Poststop[i] = postStopHook
|
||||
return nil
|
||||
}
|
||||
}
|
||||
g.spec.Hooks.Poststop = append(g.spec.Hooks.Poststop, postStopHook)
|
||||
return nil
|
||||
}
|
||||
|
@ -956,12 +944,6 @@ func (g *Generator) ClearPostStartHooks() {
|
|||
// AddPostStartHook adds a poststart hook into g.spec.Hooks.Poststart.
|
||||
func (g *Generator) AddPostStartHook(postStartHook rspec.Hook) error {
|
||||
g.initSpecHooks()
|
||||
for i, hook := range g.spec.Hooks.Poststart {
|
||||
if hook.Path == postStartHook.Path {
|
||||
g.spec.Hooks.Poststart[i] = postStartHook
|
||||
return nil
|
||||
}
|
||||
}
|
||||
g.spec.Hooks.Poststart = append(g.spec.Hooks.Poststart, postStartHook)
|
||||
return nil
|
||||
}
|
||||
|
@ -1225,7 +1207,7 @@ func (g *Generator) DropProcessCapabilityPermitted(c string) error {
|
|||
cp := strings.ToUpper(c)
|
||||
for i, cap := range g.spec.Process.Capabilities.Permitted {
|
||||
if strings.ToUpper(cap) == cp {
|
||||
g.spec.Process.Capabilities.Ambient = removeFunc(g.spec.Process.Capabilities.Ambient, i)
|
||||
g.spec.Process.Capabilities.Permitted = removeFunc(g.spec.Process.Capabilities.Permitted, i)
|
||||
}
|
||||
}
|
||||
|
||||
|
|
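Review bot: In DropProcessCapabilityPermitted the matching entry is removed with `removeFunc(..., i)` while the `range` loop over that same slice keeps running, and no `break` is visible after the removal. The range expression is evaluated once, so after the first removal the loop index no longer lines up with the shortened slice. If the capability is listed more than once, a later pass may remove the wrong entry, leave the capability in the permitted set, or index out of range, depending on how removeFunc (defined outside this hunk) is written. For a function whose job is to drop a privilege, I would add `break` after the removal if entries are guaranteed unique, or otherwise rebuild the slice in a single filtering pass so every match is removed. The function starts and ends outside the hunk, so the surrounding guards and return were not reviewed.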
12
vendor/github.com/opencontainers/runtime-tools/specerror/runtime.go
generated
vendored
|
@ -68,10 +68,10 @@ const (
|
|||
PropApplyFailNotCreate
|
||||
// StartWithoutIDGenError represents "`start` operation MUST generate an error if it is not provided the container ID."
|
||||
StartWithoutIDGenError
|
||||
// StartNonCreateHaveNoEffect represents "Attempting to `start` a container that is not `created` MUST have no effect on the container."
|
||||
StartNonCreateHaveNoEffect
|
||||
// StartNonCreateGenError represents "Attempting to `start` a container that is not `created` MUST generate an error."
|
||||
StartNonCreateGenError
|
||||
// StartNotCreatedHaveNoEffect represents "Attempting to `start` a container that is not `created` MUST have no effect on the container."
|
||||
StartNotCreatedHaveNoEffect
|
||||
// StartNotCreatedGenError represents "Attempting to `start` a container that is not `created` MUST generate an error."
|
||||
StartNotCreatedGenError
|
||||
// StartProcImplement represents "`start` operation MUST run the user-specified program as specified by `process`."
|
||||
StartProcImplement
|
||||
// StartWithProcUnsetGenError represents "`start` operation MUST generate an error if `process` was not set."
|
||||
|
@ -163,8 +163,8 @@ func init() {
|
|||
register(PropApplyFailGenError, rfc2119.Must, createRef)
|
||||
register(PropApplyFailNotCreate, rfc2119.Must, createRef)
|
||||
register(StartWithoutIDGenError, rfc2119.Must, startRef)
|
||||
register(StartNonCreateHaveNoEffect, rfc2119.Must, startRef)
|
||||
register(StartNonCreateGenError, rfc2119.Must, startRef)
|
||||
register(StartNotCreatedHaveNoEffect, rfc2119.Must, startRef)
|
||||
register(StartNotCreatedGenError, rfc2119.Must, startRef)
|
||||
register(StartProcImplement, rfc2119.Must, startRef)
|
||||
register(StartWithProcUnsetGenError, rfc2119.Must, startRef)
|
||||
register(KillWithoutIDGenError, rfc2119.Must, killRef)
|
||||
|
|
20
vendor/github.com/opencontainers/runtime-tools/validate/validate.go
generated
vendored
|
@ -142,6 +142,8 @@ func JSONSchemaURL(version string) (url string, err error) {
|
|||
// runtime-spec JSON Schema, using the version of the schema that
|
||||
// matches the configuration's declared version.
|
||||
func (v *Validator) CheckJSONSchema() (errs error) {
|
||||
logrus.Debugf("check JSON schema")
|
||||
|
||||
url, err := JSONSchemaURL(v.spec.Version)
|
||||
if err != nil {
|
||||
errs = multierror.Append(errs, err)
|
||||
|
@ -733,7 +735,7 @@ func (v *Validator) CheckLinux() (errs error) {
|
|||
}
|
||||
|
||||
if _, exists := devTypeList[devID]; exists {
|
||||
logrus.Warnf("type:%s, major:%d and minor:%d for linux devices is duplicated", device.Type, device.Major, device.Minor)
|
||||
logrus.Warnf("%v", specerror.NewError(specerror.DevicesErrorOnDup, fmt.Errorf("type:%s, major:%d and minor:%d for linux devices is duplicated", device.Type, device.Major, device.Minor), rspec.Version))
|
||||
} else {
|
||||
devTypeList[devID] = true
|
||||
}
|
||||
|
@ -817,6 +819,18 @@ func (v *Validator) CheckLinuxResources() (errs error) {
|
|||
}
|
||||
}
|
||||
|
||||
if r.BlockIO != nil && r.BlockIO.WeightDevice != nil {
|
||||
for i, weightDevice := range r.BlockIO.WeightDevice {
|
||||
if weightDevice.Weight == nil && weightDevice.LeafWeight == nil {
|
||||
errs = multierror.Append(errs,
|
||||
specerror.NewError(
|
||||
specerror.BlkIOWeightOrLeafWeightExist,
|
||||
fmt.Errorf("linux.resources.blockIO.weightDevice[%d] specifies neither weight nor leafWeight", i),
|
||||
rspec.Version))
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
|
@ -990,5 +1004,9 @@ func checkMandatory(obj interface{}) (errs error) {
|
|||
func (v *Validator) CheckMandatoryFields() error {
|
||||
logrus.Debugf("check mandatory fields")
|
||||
|
||||
if v.spec == nil {
|
||||
return fmt.Errorf("Spec can't be nil")
|
||||
}
|
||||
|
||||
return checkMandatory(v.spec)
|
||||
}
|
||||
|
|
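Review bot: The nil guard added in CheckMandatoryFields covers only that method; CheckJSONSchema, visible in the first hunk of this file, still reads `v.spec.Version` with no check, so a Validator holding a nil spec would panic there instead of returning an error. If a nil spec is reachable (the constructor is not visible here), the same guard belongs in the other Check* entry points, or once where the Validator is built. The new message would also follow Go convention better in lower case, `return fmt.Errorf("spec can't be nil")`. CheckJSONSchema's body continues outside its hunk.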