all: Switch from package syscall to golang.org/x/sys/unix

The syscall package is locked down and the comment in [1] advises to
switch code to use the corresponding package from golang.org/x/sys. Do
so and replace usage of package syscall where possible (leave
syscall.SysProcAttr and syscall.Stat_t).

  [1] https://github.com/golang/go/blob/master/src/syscall/syscall.go#L21-L24

This will also make it possible to get updates and fixes just by re-vendoring
golang.org/x/sys/unix instead of having to update to a new Go version.

Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
Tobias Klauser 2017-06-28 17:47:31 +02:00
parent c9edee9af2
commit 822172a892
7 changed files with 24 additions and 23 deletions


@ -9,13 +9,13 @@ import (
"os/signal" "os/signal"
"sort" "sort"
"strings" "strings"
"syscall"
"github.com/Sirupsen/logrus" "github.com/Sirupsen/logrus"
"github.com/containers/storage/pkg/reexec" "github.com/containers/storage/pkg/reexec"
"github.com/kubernetes-incubator/cri-o/server" "github.com/kubernetes-incubator/cri-o/server"
"github.com/opencontainers/selinux/go-selinux" "github.com/opencontainers/selinux/go-selinux"
"github.com/urfave/cli" "github.com/urfave/cli"
"golang.org/x/sys/unix"
"google.golang.org/grpc" "google.golang.org/grpc"
"k8s.io/kubernetes/pkg/kubelet/api/v1alpha1/runtime" "k8s.io/kubernetes/pkg/kubelet/api/v1alpha1/runtime"
) )
@ -117,13 +117,13 @@ func mergeConfig(config *server.Config, ctx *cli.Context) error {
func catchShutdown(gserver *grpc.Server, sserver *server.Server, signalled *bool) { func catchShutdown(gserver *grpc.Server, sserver *server.Server, signalled *bool) {
sig := make(chan os.Signal, 10) sig := make(chan os.Signal, 10)
signal.Notify(sig, syscall.SIGINT, syscall.SIGTERM) signal.Notify(sig, unix.SIGINT, unix.SIGTERM)
go func() { go func() {
for s := range sig { for s := range sig {
switch s { switch s {
case syscall.SIGINT: case unix.SIGINT:
logrus.Debugf("Caught SIGINT") logrus.Debugf("Caught SIGINT")
case syscall.SIGTERM: case unix.SIGTERM:
logrus.Debugf("Caught SIGTERM") logrus.Debugf("Caught SIGTERM")
default: default:
continue continue


@ -425,7 +425,7 @@ func (r *Runtime) ExecSync(c *Container, command []string, timeout int64) (resp
err = cmd.Wait() err = cmd.Wait()
if err != nil { if err != nil {
if exitErr, ok := err.(*exec.ExitError); ok { if exitErr, ok := err.(*exec.ExitError); ok {
if status, ok := exitErr.Sys().(syscall.WaitStatus); ok { if status, ok := exitErr.Sys().(unix.WaitStatus); ok {
return nil, ExecSyncError{ return nil, ExecSyncError{
Stdout: stdoutBuf, Stdout: stdoutBuf,
Stderr: stderrBuf, Stderr: stderrBuf,
@ -516,7 +516,7 @@ func (r *Runtime) StopContainer(c *Container, timeout int64) error {
default: default:
// Check if the process is still around // Check if the process is still around
err := unix.Kill(c.state.Pid, 0) err := unix.Kill(c.state.Pid, 0)
if err == syscall.ESRCH { if err == unix.ESRCH {
close(done) close(done)
return return
} }
@ -529,8 +529,8 @@ func (r *Runtime) StopContainer(c *Container, timeout int64) error {
return nil return nil
case <-time.After(time.Duration(timeout) * time.Second): case <-time.After(time.Duration(timeout) * time.Second):
close(chControl) close(chControl)
err := unix.Kill(c.state.Pid, syscall.SIGKILL) err := unix.Kill(c.state.Pid, unix.SIGKILL)
if err != nil && err != syscall.ESRCH { if err != nil && err != unix.ESRCH {
return fmt.Errorf("failed to kill process: %v", err) return fmt.Errorf("failed to kill process: %v", err)
} }
} }
@ -617,7 +617,7 @@ func (r *Runtime) ContainerStatus(c *Container) *ContainerState {
// newPipe creates a unix socket pair for communication // newPipe creates a unix socket pair for communication
func newPipe() (parent *os.File, child *os.File, err error) { func newPipe() (parent *os.File, child *os.File, err error) {
fds, err := syscall.Socketpair(syscall.AF_LOCAL, syscall.SOCK_STREAM|syscall.SOCK_CLOEXEC, 0) fds, err := unix.Socketpair(unix.AF_LOCAL, unix.SOCK_STREAM|unix.SOCK_CLOEXEC, 0)
if err != nil { if err != nil {
return nil, nil, err return nil, nil, err
} }
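Review bot: The assertion `exitErr.Sys().(unix.WaitStatus)` in ExecSync looks like it can no longer succeed, because os/exec fills `ExitError.Sys()` with a `syscall.WaitStatus` and golang.org/x/sys/unix declares its own `WaitStatus` type rather than reusing the syscall one (worth confirming against the vendored copy). If so, a command that exits non-zero skips the `ExecSyncError` return, and callers that depend on the exit code, such as exec-based probes, would get a different error. This site belongs with the `syscall.SysProcAttr` and `syscall.Stat_t` exceptions named in the description: `if status, ok := exitErr.Sys().(syscall.WaitStatus); ok {`. The `unix.ESRCH`, `unix.SIGKILL` and `Socketpair` changes in the other hunks of this file are plain comparisons and arguments, so they do not have this problem. ExecSync's body starts and ends outside the hunk.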


@ -6,12 +6,12 @@ import (
"net" "net"
"os" "os"
"path/filepath" "path/filepath"
"syscall"
"github.com/Sirupsen/logrus" "github.com/Sirupsen/logrus"
"github.com/kubernetes-incubator/cri-o/oci" "github.com/kubernetes-incubator/cri-o/oci"
"github.com/kubernetes-incubator/cri-o/utils" "github.com/kubernetes-incubator/cri-o/utils"
"golang.org/x/net/context" "golang.org/x/net/context"
"golang.org/x/sys/unix"
pb "k8s.io/kubernetes/pkg/kubelet/api/v1alpha1/runtime" pb "k8s.io/kubernetes/pkg/kubelet/api/v1alpha1/runtime"
kubecontainer "k8s.io/kubernetes/pkg/kubelet/container" kubecontainer "k8s.io/kubernetes/pkg/kubelet/container"
"k8s.io/kubernetes/pkg/util/term" "k8s.io/kubernetes/pkg/util/term"
@ -54,7 +54,7 @@ func (ss streamService) Attach(containerID string, inputStream io.Reader, output
} }
controlPath := filepath.Join(c.BundlePath(), "ctl") controlPath := filepath.Join(c.BundlePath(), "ctl")
controlFile, err := os.OpenFile(controlPath, syscall.O_WRONLY, 0) controlFile, err := os.OpenFile(controlPath, unix.O_WRONLY, 0)
if err != nil { if err != nil {
return fmt.Errorf("failed to open container ctl file: %v", err) return fmt.Errorf("failed to open container ctl file: %v", err)
} }
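Review bot: `os.OpenFile` in Attach is documented against the `os.O_*` flags, so passing `unix.O_WRONLY` ties a portable call to the Linux-specific package for no gain. `controlFile, err := os.OpenFile(controlPath, os.O_WRONLY, 0)` behaves the same and drops the dependency at this call site. If nothing else in the file uses it, the new `golang.org/x/sys/unix` import could then go too, though that cannot be seen from this hunk. Attach's body starts and ends outside the hunk.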


@ -9,7 +9,6 @@ import (
"path/filepath" "path/filepath"
"strconv" "strconv"
"strings" "strings"
"syscall"
"time" "time"
"github.com/Sirupsen/logrus" "github.com/Sirupsen/logrus"
@ -25,6 +24,7 @@ import (
"github.com/opencontainers/runtime-tools/generate" "github.com/opencontainers/runtime-tools/generate"
"github.com/opencontainers/selinux/go-selinux/label" "github.com/opencontainers/selinux/go-selinux/label"
"golang.org/x/net/context" "golang.org/x/net/context"
"golang.org/x/sys/unix"
pb "k8s.io/kubernetes/pkg/kubelet/api/v1alpha1/runtime" pb "k8s.io/kubernetes/pkg/kubelet/api/v1alpha1/runtime"
) )
@ -60,7 +60,7 @@ func addOCIBindMounts(sb *sandbox, containerConfig *pb.ContainerConfig, specgen
if mount.SelinuxRelabel { if mount.SelinuxRelabel {
// Need a way in kubernetes to determine if the volume is shared or private // Need a way in kubernetes to determine if the volume is shared or private
if err := label.Relabel(src, sb.mountLabel, true); err != nil && err != syscall.ENOTSUP { if err := label.Relabel(src, sb.mountLabel, true); err != nil && err != unix.ENOTSUP {
return fmt.Errorf("relabel failed %s: %v", src, err) return fmt.Errorf("relabel failed %s: %v", src, err)
} }
} }


@ -9,7 +9,6 @@ import (
"regexp" "regexp"
"strconv" "strconv"
"strings" "strings"
"syscall"
"time" "time"
"github.com/Sirupsen/logrus" "github.com/Sirupsen/logrus"
@ -20,6 +19,7 @@ import (
"github.com/opencontainers/runtime-tools/generate" "github.com/opencontainers/runtime-tools/generate"
"github.com/opencontainers/selinux/go-selinux/label" "github.com/opencontainers/selinux/go-selinux/label"
"golang.org/x/net/context" "golang.org/x/net/context"
"golang.org/x/sys/unix"
"k8s.io/kubernetes/pkg/api/v1" "k8s.io/kubernetes/pkg/api/v1"
pb "k8s.io/kubernetes/pkg/kubelet/api/v1alpha1/runtime" pb "k8s.io/kubernetes/pkg/kubelet/api/v1alpha1/runtime"
"k8s.io/kubernetes/pkg/kubelet/network/hostport" "k8s.io/kubernetes/pkg/kubelet/network/hostport"
@ -271,7 +271,7 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
} }
defer func() { defer func() {
if err != nil { if err != nil {
if err2 := syscall.Unmount(shmPath, syscall.MNT_DETACH); err2 != nil { if err2 := unix.Unmount(shmPath, unix.MNT_DETACH); err2 != nil {
logrus.Warnf("failed to unmount shm for pod: %v", err2) logrus.Warnf("failed to unmount shm for pod: %v", err2)
} }
} }
@ -580,7 +580,7 @@ func setupShm(podSandboxRunDir, mountLabel string) (shmPath string, err error) {
return "", err return "", err
} }
shmOptions := "mode=1777,size=" + strconv.Itoa(defaultShmSize) shmOptions := "mode=1777,size=" + strconv.Itoa(defaultShmSize)
if err = syscall.Mount("shm", shmPath, "tmpfs", uintptr(syscall.MS_NOEXEC|syscall.MS_NOSUID|syscall.MS_NODEV), if err = unix.Mount("shm", shmPath, "tmpfs", unix.MS_NOEXEC|unix.MS_NOSUID|unix.MS_NODEV,
label.FormatMountLabel(shmOptions, mountLabel)); err != nil { label.FormatMountLabel(shmOptions, mountLabel)); err != nil {
return "", fmt.Errorf("failed to mount shm tmpfs for pod: %v", err) return "", fmt.Errorf("failed to mount shm tmpfs for pod: %v", err)
} }


@ -6,12 +6,12 @@ import (
"encoding/json" "encoding/json"
"errors" "errors"
"fmt" "fmt"
"syscall"
"github.com/docker/docker/pkg/stringutils" "github.com/docker/docker/pkg/stringutils"
specs "github.com/opencontainers/runtime-spec/specs-go" specs "github.com/opencontainers/runtime-spec/specs-go"
"github.com/opencontainers/runtime-tools/generate" "github.com/opencontainers/runtime-tools/generate"
libseccomp "github.com/seccomp/libseccomp-golang" libseccomp "github.com/seccomp/libseccomp-golang"
"golang.org/x/sys/unix"
) )
// IsEnabled returns true if seccomp is enabled for the host. // IsEnabled returns true if seccomp is enabled for the host.
@ -21,9 +21,9 @@ func IsEnabled() bool {
enabled := false enabled := false
// Check if Seccomp is supported, via CONFIG_SECCOMP. // Check if Seccomp is supported, via CONFIG_SECCOMP.
if _, _, err := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_GET_SECCOMP, 0, 0); err != syscall.EINVAL { if _, _, err := unix.RawSyscall(unix.SYS_PRCTL, unix.PR_GET_SECCOMP, 0, 0); err != unix.EINVAL {
// Make sure the kernel has CONFIG_SECCOMP_FILTER. // Make sure the kernel has CONFIG_SECCOMP_FILTER.
if _, _, err := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_SET_SECCOMP, seccompModeFilter, 0); err != syscall.EINVAL { if _, _, err := unix.RawSyscall(unix.SYS_PRCTL, unix.PR_SET_SECCOMP, seccompModeFilter, 0); err != unix.EINVAL {
enabled = true enabled = true
} }
} }
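Review bot: The second prctl probe in IsEnabled needs a comment saying why it is safe and what result is expected, because `PR_SET_SECCOMP` reads as if it changes process state. A line such as `// The filter pointer is NULL, so no filter can be installed: a kernel with CONFIG_SECCOMP_FILTER is expected to fail with EFAULT, one without it with EINVAL.` above the inner call would make the `err != unix.EINVAL` test self-explanatory. The comment should also state that any errno other than EINVAL is treated as "enabled" by this test. The same pair of calls appears in `main` in the last file section. IsEnabled's body continues outside the hunk.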


@ -2,19 +2,20 @@ package main
import ( import (
"os" "os"
"syscall"
"golang.org/x/sys/unix"
) )
const ( const (
// SeccompModeFilter refers to the syscall argument SECCOMP_MODE_FILTER. // SeccompModeFilter refers to the unix argument SECCOMP_MODE_FILTER.
SeccompModeFilter = uintptr(2) SeccompModeFilter = uintptr(2)
) )
func main() { func main() {
// Check if Seccomp is supported, via CONFIG_SECCOMP. // Check if Seccomp is supported, via CONFIG_SECCOMP.
if _, _, err := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_GET_SECCOMP, 0, 0); err != syscall.EINVAL { if _, _, err := unix.RawSyscall(unix.SYS_PRCTL, unix.PR_GET_SECCOMP, 0, 0); err != unix.EINVAL {
// Make sure the kernel has CONFIG_SECCOMP_FILTER. // Make sure the kernel has CONFIG_SECCOMP_FILTER.
if _, _, err := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_SET_SECCOMP, SeccompModeFilter, 0); err != syscall.EINVAL { if _, _, err := unix.RawSyscall(unix.SYS_PRCTL, unix.PR_SET_SECCOMP, SeccompModeFilter, 0); err != unix.EINVAL {
os.Exit(0) os.Exit(0)
} }
} }
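Review bot: The doc comment on `SeccompModeFilter` was caught by the package rename: "syscall argument" there meant a system-call argument, not package syscall, so "the unix argument SECCOMP_MODE_FILTER" no longer says anything. The line should stay as `// SeccompModeFilter refers to the syscall argument SECCOMP_MODE_FILTER.`, or name the call outright, e.g. `// SeccompModeFilter is the SECCOMP_MODE_FILTER value passed as arg2 to prctl(PR_SET_SECCOMP).`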