Merge pull request #1321 from runcom/bump-runtime-tools-cap-fix

vendor: bump runtime-tools to fix caps drop handling
Mrunal Patel 2018-02-12 12:15:40 -08:00 committed by GitHub
commit 7310839369
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 39 additions and 27 deletions


@ -20,7 +20,7 @@ github.com/containernetworking/cni v0.4.0
google.golang.org/grpc v1.0.4 https://github.com/grpc/grpc-go
github.com/opencontainers/selinux b29023b86e4a69d1b46b7e7b4e2b6fda03f0b9cd
github.com/opencontainers/go-digest v1.0.0-rc0
github.com/opencontainers/runtime-tools 625e2322645b151a7cbb93a8b42920933e72167f
github.com/opencontainers/runtime-tools 263fad0457d4a42d08aea3fb2bc4da7d2f8c3af7
github.com/opencontainers/runc 9f9c96235cc97674e935002fc3d78361b696a69e
github.com/mrunalp/fileutils master
github.com/vishvananda/netlink master


@ -37,17 +37,29 @@ If your distribution does not package node-tap, you can install [npm][] (for exa
$ npm install tap
```
Build the validation executables:
```console
$ make runtimetest validation-executables
```
Runtime validation currently [only supports](docs/runtime-compliance-testing.md) the [OCI Runtime Command Line Interface](doc/command-line-interface.md).
If we add support for alternative APIs in the future, runtime validation will gain an option to select the desired runtime API.
For the command line interface, the `RUNTIME` option selects the runtime command (`funC` in the [OCI Runtime Command Line Interface](doc/command-line-interface.md)).
```
$ sudo make RUNTIME=runc localvalidation
RUNTIME=runc tap validation/linux_rootfs_propagation_shared.t validation/create.t validation/default.t validation/linux_readonly_paths.t validation/linux_masked_paths.t validation/mounts.t validation/process.t validation/root_readonly_false.t validation/linux_sysctl.t validation/linux_devices.t validation/linux_gid_mappings.t validation/process_oom_score_adj.t validation/process_capabilities.t validation/process_rlimits.t validation/root_readonly_true.t validation/linux_rootfs_propagation_unbindable.t validation/hostname.t validation/linux_uid_mappings.t
validation/linux_rootfs_propagation_shared.t ........ 18/19
not ok rootfs propagation
error: 'rootfs should be shared, but not'
validation/create.t ................................... 4/4
validation/default.t ................................ 19/19
validation/linux_readonly_paths.t ................... 19/19
validation/linux_masked_paths.t ..................... 18/19
not ok masked paths
error: /masktest should not be readable
validation/mounts.t ................................... 0/1
Skipped: 1


@ -914,12 +914,6 @@ func (g *Generator) ClearPreStartHooks() {
// AddPreStartHook add a prestart hook into g.spec.Hooks.Prestart.
func (g *Generator) AddPreStartHook(preStartHook rspec.Hook) error {
g.initSpecHooks()
for i, hook := range g.spec.Hooks.Prestart {
if hook.Path == preStartHook.Path {
g.spec.Hooks.Prestart[i] = preStartHook
return nil
}
}
g.spec.Hooks.Prestart = append(g.spec.Hooks.Prestart, preStartHook)
return nil
}
@ -935,12 +929,6 @@ func (g *Generator) ClearPostStopHooks() {
// AddPostStopHook adds a poststop hook into g.spec.Hooks.Poststop.
func (g *Generator) AddPostStopHook(postStopHook rspec.Hook) error {
g.initSpecHooks()
for i, hook := range g.spec.Hooks.Poststop {
if hook.Path == postStopHook.Path {
g.spec.Hooks.Poststop[i] = postStopHook
return nil
}
}
g.spec.Hooks.Poststop = append(g.spec.Hooks.Poststop, postStopHook)
return nil
}
@ -956,12 +944,6 @@ func (g *Generator) ClearPostStartHooks() {
// AddPostStartHook adds a poststart hook into g.spec.Hooks.Poststart.
func (g *Generator) AddPostStartHook(postStartHook rspec.Hook) error {
g.initSpecHooks()
for i, hook := range g.spec.Hooks.Poststart {
if hook.Path == postStartHook.Path {
g.spec.Hooks.Poststart[i] = postStartHook
return nil
}
}
g.spec.Hooks.Poststart = append(g.spec.Hooks.Poststart, postStartHook)
return nil
}
@ -1225,7 +1207,7 @@ func (g *Generator) DropProcessCapabilityPermitted(c string) error {
cp := strings.ToUpper(c)
for i, cap := range g.spec.Process.Capabilities.Permitted {
if strings.ToUpper(cap) == cp {
g.spec.Process.Capabilities.Ambient = removeFunc(g.spec.Process.Capabilities.Ambient, i)
g.spec.Process.Capabilities.Permitted = removeFunc(g.spec.Process.Capabilities.Permitted, i)
}
}
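Review bot: The assignment to Permitted in the DropProcessCapabilityPermitted hunk removes element i while the enclosing loop still ranges over that same slice, and nothing leaves the loop after the removal; if removeFunc (not visible here) compacts the slice in place, the remaining iterations see shifted elements, and a second match — a capability listed twice — would hand removeFunc a stale index and could leave a copy of the capability the caller asked to drop. Rebuilding the slice with an in-place filter removes every occurrence in one pass and needs no index bookkeeping; the loop variable `cap` also shadows the builtin and is worth renaming while here. DropProcessCapabilityPermitted's signature appears only in the hunk header and its return is outside the hunk.
```go
	cp := strings.ToUpper(c)
	kept := g.spec.Process.Capabilities.Permitted[:0]
	for _, name := range g.spec.Process.Capabilities.Permitted {
		if strings.ToUpper(name) != cp {
			kept = append(kept, name)
		}
	}
	g.spec.Process.Capabilities.Permitted = kept
	// … unchanged: remainder of the function …
```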


@ -68,10 +68,10 @@ const (
PropApplyFailNotCreate
// StartWithoutIDGenError represents "`start` operation MUST generate an error if it is not provided the container ID."
StartWithoutIDGenError
// StartNonCreateHaveNoEffect represents "Attempting to `start` a container that is not `created` MUST have no effect on the container."
StartNonCreateHaveNoEffect
// StartNonCreateGenError represents "Attempting to `start` a container that is not `created` MUST generate an error."
StartNonCreateGenError
// StartNotCreatedHaveNoEffect represents "Attempting to `start` a container that is not `created` MUST have no effect on the container."
StartNotCreatedHaveNoEffect
// StartNotCreatedGenError represents "Attempting to `start` a container that is not `created` MUST generate an error."
StartNotCreatedGenError
// StartProcImplement represents "`start` operation MUST run the user-specified program as specified by `process`."
StartProcImplement
// StartWithProcUnsetGenError represents "`start` operation MUST generate an error if `process` was not set."
@ -163,8 +163,8 @@ func init() {
register(PropApplyFailGenError, rfc2119.Must, createRef)
register(PropApplyFailNotCreate, rfc2119.Must, createRef)
register(StartWithoutIDGenError, rfc2119.Must, startRef)
register(StartNonCreateHaveNoEffect, rfc2119.Must, startRef)
register(StartNonCreateGenError, rfc2119.Must, startRef)
register(StartNotCreatedHaveNoEffect, rfc2119.Must, startRef)
register(StartNotCreatedGenError, rfc2119.Must, startRef)
register(StartProcImplement, rfc2119.Must, startRef)
register(StartWithProcUnsetGenError, rfc2119.Must, startRef)
register(KillWithoutIDGenError, rfc2119.Must, killRef)


@ -142,6 +142,8 @@ func JSONSchemaURL(version string) (url string, err error) {
// runtime-spec JSON Schema, using the version of the schema that
// matches the configuration's declared version.
func (v *Validator) CheckJSONSchema() (errs error) {
logrus.Debugf("check JSON schema")
url, err := JSONSchemaURL(v.spec.Version)
if err != nil {
errs = multierror.Append(errs, err)
@ -733,7 +735,7 @@ func (v *Validator) CheckLinux() (errs error) {
}
if _, exists := devTypeList[devID]; exists {
logrus.Warnf("type:%s, major:%d and minor:%d for linux devices is duplicated", device.Type, device.Major, device.Minor)
logrus.Warnf("%v", specerror.NewError(specerror.DevicesErrorOnDup, fmt.Errorf("type:%s, major:%d and minor:%d for linux devices is duplicated", device.Type, device.Major, device.Minor), rspec.Version))
} else {
devTypeList[devID] = true
}
@ -817,6 +819,18 @@ func (v *Validator) CheckLinuxResources() (errs error) {
}
}
if r.BlockIO != nil && r.BlockIO.WeightDevice != nil {
for i, weightDevice := range r.BlockIO.WeightDevice {
if weightDevice.Weight == nil && weightDevice.LeafWeight == nil {
errs = multierror.Append(errs,
specerror.NewError(
specerror.BlkIOWeightOrLeafWeightExist,
fmt.Errorf("linux.resources.blockIO.weightDevice[%d] specifies neither weight nor leafWeight", i),
rspec.Version))
}
}
}
return
}
@ -990,5 +1004,9 @@ func checkMandatory(obj interface{}) (errs error) {
func (v *Validator) CheckMandatoryFields() error {
logrus.Debugf("check mandatory fields")
if v.spec == nil {
return fmt.Errorf("Spec can't be nil")
}
return checkMandatory(v.spec)
}
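Review bot: The `r.BlockIO.WeightDevice != nil` test in the CheckLinuxResources hunk is redundant, since ranging over a nil slice runs zero iterations; `if r.BlockIO != nil {` is enough and leaves one fewer condition to reason about. The per-entry check itself is sound: an entry with neither Weight nor LeafWeight is appended to errs through specerror.NewError with the entry index in the message, consistent with how the rest of the file reports spec violations. CheckLinuxResources begins before this hunk, so the declaration of r is not visible here.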