all: Switch from package syscall to golang.org/x/sys/unix
The syscall package is locked down and the comment in [1] advises switching code to the corresponding package from golang.org/x/sys. Do so and replace usage of package syscall where possible (leave syscall.SysProcAttr and syscall.Stat_t). [1] https://github.com/golang/go/blob/master/src/syscall/syscall.go#L21-L24 This will also allow getting updates and fixes just by re-vendoring golang.org/x/sys/unix instead of having to update to a new Go version. Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
parent
c9edee9af2
commit
822172a892
7 changed files with 24 additions and 23 deletions
|
@ -9,13 +9,13 @@ import (
|
||||||
"os/signal"
|
"os/signal"
|
||||||
"sort"
|
"sort"
|
||||||
"strings"
|
"strings"
|
||||||
"syscall"
|
|
||||||
|
|
||||||
"github.com/Sirupsen/logrus"
|
"github.com/Sirupsen/logrus"
|
||||||
"github.com/containers/storage/pkg/reexec"
|
"github.com/containers/storage/pkg/reexec"
|
||||||
"github.com/kubernetes-incubator/cri-o/server"
|
"github.com/kubernetes-incubator/cri-o/server"
|
||||||
"github.com/opencontainers/selinux/go-selinux"
|
"github.com/opencontainers/selinux/go-selinux"
|
||||||
"github.com/urfave/cli"
|
"github.com/urfave/cli"
|
||||||
|
"golang.org/x/sys/unix"
|
||||||
"google.golang.org/grpc"
|
"google.golang.org/grpc"
|
||||||
"k8s.io/kubernetes/pkg/kubelet/api/v1alpha1/runtime"
|
"k8s.io/kubernetes/pkg/kubelet/api/v1alpha1/runtime"
|
||||||
)
|
)
|
||||||
|
@ -117,13 +117,13 @@ func mergeConfig(config *server.Config, ctx *cli.Context) error {
|
||||||
|
|
||||||
func catchShutdown(gserver *grpc.Server, sserver *server.Server, signalled *bool) {
|
func catchShutdown(gserver *grpc.Server, sserver *server.Server, signalled *bool) {
|
||||||
sig := make(chan os.Signal, 10)
|
sig := make(chan os.Signal, 10)
|
||||||
signal.Notify(sig, syscall.SIGINT, syscall.SIGTERM)
|
signal.Notify(sig, unix.SIGINT, unix.SIGTERM)
|
||||||
go func() {
|
go func() {
|
||||||
for s := range sig {
|
for s := range sig {
|
||||||
switch s {
|
switch s {
|
||||||
case syscall.SIGINT:
|
case unix.SIGINT:
|
||||||
logrus.Debugf("Caught SIGINT")
|
logrus.Debugf("Caught SIGINT")
|
||||||
case syscall.SIGTERM:
|
case unix.SIGTERM:
|
||||||
logrus.Debugf("Caught SIGTERM")
|
logrus.Debugf("Caught SIGTERM")
|
||||||
default:
|
default:
|
||||||
continue
|
continue
|
||||||
|
|
10
oci/oci.go
10
oci/oci.go
|
@ -425,7 +425,7 @@ func (r *Runtime) ExecSync(c *Container, command []string, timeout int64) (resp
|
||||||
err = cmd.Wait()
|
err = cmd.Wait()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
if exitErr, ok := err.(*exec.ExitError); ok {
|
if exitErr, ok := err.(*exec.ExitError); ok {
|
||||||
if status, ok := exitErr.Sys().(syscall.WaitStatus); ok {
|
if status, ok := exitErr.Sys().(unix.WaitStatus); ok {
|
||||||
return nil, ExecSyncError{
|
return nil, ExecSyncError{
|
||||||
Stdout: stdoutBuf,
|
Stdout: stdoutBuf,
|
||||||
Stderr: stderrBuf,
|
Stderr: stderrBuf,
|
||||||
|
@ -516,7 +516,7 @@ func (r *Runtime) StopContainer(c *Container, timeout int64) error {
|
||||||
default:
|
default:
|
||||||
// Check if the process is still around
|
// Check if the process is still around
|
||||||
err := unix.Kill(c.state.Pid, 0)
|
err := unix.Kill(c.state.Pid, 0)
|
||||||
if err == syscall.ESRCH {
|
if err == unix.ESRCH {
|
||||||
close(done)
|
close(done)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
@ -529,8 +529,8 @@ func (r *Runtime) StopContainer(c *Container, timeout int64) error {
|
||||||
return nil
|
return nil
|
||||||
case <-time.After(time.Duration(timeout) * time.Second):
|
case <-time.After(time.Duration(timeout) * time.Second):
|
||||||
close(chControl)
|
close(chControl)
|
||||||
err := unix.Kill(c.state.Pid, syscall.SIGKILL)
|
err := unix.Kill(c.state.Pid, unix.SIGKILL)
|
||||||
if err != nil && err != syscall.ESRCH {
|
if err != nil && err != unix.ESRCH {
|
||||||
return fmt.Errorf("failed to kill process: %v", err)
|
return fmt.Errorf("failed to kill process: %v", err)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -617,7 +617,7 @@ func (r *Runtime) ContainerStatus(c *Container) *ContainerState {
|
||||||
|
|
||||||
// newPipe creates a unix socket pair for communication
|
// newPipe creates a unix socket pair for communication
|
||||||
func newPipe() (parent *os.File, child *os.File, err error) {
|
func newPipe() (parent *os.File, child *os.File, err error) {
|
||||||
fds, err := syscall.Socketpair(syscall.AF_LOCAL, syscall.SOCK_STREAM|syscall.SOCK_CLOEXEC, 0)
|
fds, err := unix.Socketpair(unix.AF_LOCAL, unix.SOCK_STREAM|unix.SOCK_CLOEXEC, 0)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, nil, err
|
return nil, nil, err
|
||||||
}
|
}
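Review bot: In ExecSync the assertion `exitErr.Sys().(unix.WaitStatus)` will most likely never succeed, because os/exec stores a `syscall.WaitStatus` in the ExitError and, as far as I know, golang.org/x/sys/unix declares its own `WaitStatus` type rather than an alias. The `ok` branch that builds ExecSyncError would then be skipped, so a failing exec is reported through whatever fallback follows outside this hunk and the exit status is lost. This is a place where syscall has to stay, like syscall.SysProcAttr in the commit message: keep `if status, ok := exitErr.Sys().(syscall.WaitStatus); ok {`. Separately, in StopContainer both `unix.Kill(c.state.Pid, ...)` calls would address the caller's own process group if Pid were ever 0; a `c.state.Pid > 0` guard may exist outside the hunks, which is worth confirming.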
|
||||||
|
|
|
@ -6,12 +6,12 @@ import (
|
||||||
"net"
|
"net"
|
||||||
"os"
|
"os"
|
||||||
"path/filepath"
|
"path/filepath"
|
||||||
"syscall"
|
|
||||||
|
|
||||||
"github.com/Sirupsen/logrus"
|
"github.com/Sirupsen/logrus"
|
||||||
"github.com/kubernetes-incubator/cri-o/oci"
|
"github.com/kubernetes-incubator/cri-o/oci"
|
||||||
"github.com/kubernetes-incubator/cri-o/utils"
|
"github.com/kubernetes-incubator/cri-o/utils"
|
||||||
"golang.org/x/net/context"
|
"golang.org/x/net/context"
|
||||||
|
"golang.org/x/sys/unix"
|
||||||
pb "k8s.io/kubernetes/pkg/kubelet/api/v1alpha1/runtime"
|
pb "k8s.io/kubernetes/pkg/kubelet/api/v1alpha1/runtime"
|
||||||
kubecontainer "k8s.io/kubernetes/pkg/kubelet/container"
|
kubecontainer "k8s.io/kubernetes/pkg/kubelet/container"
|
||||||
"k8s.io/kubernetes/pkg/util/term"
|
"k8s.io/kubernetes/pkg/util/term"
|
||||||
|
@ -54,7 +54,7 @@ func (ss streamService) Attach(containerID string, inputStream io.Reader, output
|
||||||
}
|
}
|
||||||
|
|
||||||
controlPath := filepath.Join(c.BundlePath(), "ctl")
|
controlPath := filepath.Join(c.BundlePath(), "ctl")
|
||||||
controlFile, err := os.OpenFile(controlPath, syscall.O_WRONLY, 0)
|
controlFile, err := os.OpenFile(controlPath, unix.O_WRONLY, 0)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf("failed to open container ctl file: %v", err)
|
return fmt.Errorf("failed to open container ctl file: %v", err)
|
||||||
}
|
}
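Review bot: Style point on the `os.OpenFile(controlPath, unix.O_WRONLY, 0)` line in Attach: os.OpenFile is documented to take the os package's own flag constants, so `os.O_WRONLY` is the idiomatic spelling and keeps the call portable. Writing `controlFile, err := os.OpenFile(controlPath, os.O_WRONLY, 0)` might also make the new golang.org/x/sys/unix import unnecessary in this file, if nothing outside the visible hunks uses it. Attach's body starts and ends outside the hunk.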
|
||||||
|
|
|
@ -9,7 +9,6 @@ import (
|
||||||
"path/filepath"
|
"path/filepath"
|
||||||
"strconv"
|
"strconv"
|
||||||
"strings"
|
"strings"
|
||||||
"syscall"
|
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
"github.com/Sirupsen/logrus"
|
"github.com/Sirupsen/logrus"
|
||||||
|
@ -25,6 +24,7 @@ import (
|
||||||
"github.com/opencontainers/runtime-tools/generate"
|
"github.com/opencontainers/runtime-tools/generate"
|
||||||
"github.com/opencontainers/selinux/go-selinux/label"
|
"github.com/opencontainers/selinux/go-selinux/label"
|
||||||
"golang.org/x/net/context"
|
"golang.org/x/net/context"
|
||||||
|
"golang.org/x/sys/unix"
|
||||||
pb "k8s.io/kubernetes/pkg/kubelet/api/v1alpha1/runtime"
|
pb "k8s.io/kubernetes/pkg/kubelet/api/v1alpha1/runtime"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -60,7 +60,7 @@ func addOCIBindMounts(sb *sandbox, containerConfig *pb.ContainerConfig, specgen
|
||||||
|
|
||||||
if mount.SelinuxRelabel {
|
if mount.SelinuxRelabel {
|
||||||
// Need a way in kubernetes to determine if the volume is shared or private
|
// Need a way in kubernetes to determine if the volume is shared or private
|
||||||
if err := label.Relabel(src, sb.mountLabel, true); err != nil && err != syscall.ENOTSUP {
|
if err := label.Relabel(src, sb.mountLabel, true); err != nil && err != unix.ENOTSUP {
|
||||||
return fmt.Errorf("relabel failed %s: %v", src, err)
|
return fmt.Errorf("relabel failed %s: %v", src, err)
|
||||||
}
|
}
|
||||||
}
|
}
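Review bot: In addOCIBindMounts the `err != unix.ENOTSUP` case lets the bind mount continue without an SELinux relabel and leaves no trace of it. Logging that case, for example `logrus.Debugf("relabel not supported for %s, continuing unlabeled", src)`, would let an operator see which volumes went in without the label. The `!=` comparison also only matches while label.Relabel returns the bare errno; if it ever wraps the error, every ENOTSUP turns into a hard failure, so a short comment stating that assumption would help. The function body extends outside the hunk.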
|
||||||
|
|
|
@ -9,7 +9,6 @@ import (
|
||||||
"regexp"
|
"regexp"
|
||||||
"strconv"
|
"strconv"
|
||||||
"strings"
|
"strings"
|
||||||
"syscall"
|
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
"github.com/Sirupsen/logrus"
|
"github.com/Sirupsen/logrus"
|
||||||
|
@ -20,6 +19,7 @@ import (
|
||||||
"github.com/opencontainers/runtime-tools/generate"
|
"github.com/opencontainers/runtime-tools/generate"
|
||||||
"github.com/opencontainers/selinux/go-selinux/label"
|
"github.com/opencontainers/selinux/go-selinux/label"
|
||||||
"golang.org/x/net/context"
|
"golang.org/x/net/context"
|
||||||
|
"golang.org/x/sys/unix"
|
||||||
"k8s.io/kubernetes/pkg/api/v1"
|
"k8s.io/kubernetes/pkg/api/v1"
|
||||||
pb "k8s.io/kubernetes/pkg/kubelet/api/v1alpha1/runtime"
|
pb "k8s.io/kubernetes/pkg/kubelet/api/v1alpha1/runtime"
|
||||||
"k8s.io/kubernetes/pkg/kubelet/network/hostport"
|
"k8s.io/kubernetes/pkg/kubelet/network/hostport"
|
||||||
|
@ -271,7 +271,7 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
|
||||||
}
|
}
|
||||||
defer func() {
|
defer func() {
|
||||||
if err != nil {
|
if err != nil {
|
||||||
if err2 := syscall.Unmount(shmPath, syscall.MNT_DETACH); err2 != nil {
|
if err2 := unix.Unmount(shmPath, unix.MNT_DETACH); err2 != nil {
|
||||||
logrus.Warnf("failed to unmount shm for pod: %v", err2)
|
logrus.Warnf("failed to unmount shm for pod: %v", err2)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -580,7 +580,7 @@ func setupShm(podSandboxRunDir, mountLabel string) (shmPath string, err error) {
|
||||||
return "", err
|
return "", err
|
||||||
}
|
}
|
||||||
shmOptions := "mode=1777,size=" + strconv.Itoa(defaultShmSize)
|
shmOptions := "mode=1777,size=" + strconv.Itoa(defaultShmSize)
|
||||||
if err = syscall.Mount("shm", shmPath, "tmpfs", uintptr(syscall.MS_NOEXEC|syscall.MS_NOSUID|syscall.MS_NODEV),
|
if err = unix.Mount("shm", shmPath, "tmpfs", unix.MS_NOEXEC|unix.MS_NOSUID|unix.MS_NODEV,
|
||||||
label.FormatMountLabel(shmOptions, mountLabel)); err != nil {
|
label.FormatMountLabel(shmOptions, mountLabel)); err != nil {
|
||||||
return "", fmt.Errorf("failed to mount shm tmpfs for pod: %v", err)
|
return "", fmt.Errorf("failed to mount shm tmpfs for pod: %v", err)
|
||||||
}
|
}
|
||||||
|
|
|
@ -6,12 +6,12 @@ import (
|
||||||
"encoding/json"
|
"encoding/json"
|
||||||
"errors"
|
"errors"
|
||||||
"fmt"
|
"fmt"
|
||||||
"syscall"
|
|
||||||
|
|
||||||
"github.com/docker/docker/pkg/stringutils"
|
"github.com/docker/docker/pkg/stringutils"
|
||||||
specs "github.com/opencontainers/runtime-spec/specs-go"
|
specs "github.com/opencontainers/runtime-spec/specs-go"
|
||||||
"github.com/opencontainers/runtime-tools/generate"
|
"github.com/opencontainers/runtime-tools/generate"
|
||||||
libseccomp "github.com/seccomp/libseccomp-golang"
|
libseccomp "github.com/seccomp/libseccomp-golang"
|
||||||
|
"golang.org/x/sys/unix"
|
||||||
)
|
)
|
||||||
|
|
||||||
// IsEnabled returns true if seccomp is enabled for the host.
|
// IsEnabled returns true if seccomp is enabled for the host.
|
||||||
|
@ -21,9 +21,9 @@ func IsEnabled() bool {
|
||||||
|
|
||||||
enabled := false
|
enabled := false
|
||||||
// Check if Seccomp is supported, via CONFIG_SECCOMP.
|
// Check if Seccomp is supported, via CONFIG_SECCOMP.
|
||||||
if _, _, err := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_GET_SECCOMP, 0, 0); err != syscall.EINVAL {
|
if _, _, err := unix.RawSyscall(unix.SYS_PRCTL, unix.PR_GET_SECCOMP, 0, 0); err != unix.EINVAL {
|
||||||
// Make sure the kernel has CONFIG_SECCOMP_FILTER.
|
// Make sure the kernel has CONFIG_SECCOMP_FILTER.
|
||||||
if _, _, err := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_SET_SECCOMP, seccompModeFilter, 0); err != syscall.EINVAL {
|
if _, _, err := unix.RawSyscall(unix.SYS_PRCTL, unix.PR_SET_SECCOMP, seccompModeFilter, 0); err != unix.EINVAL {
|
||||||
enabled = true
|
enabled = true
|
||||||
}
|
}
|
||||||
}
|
}
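Review bot: The second prctl call in IsEnabled is a probe rather than an attempt to install a filter, and nothing next to it says so. It passes the filter mode with a null filter pointer and treats every errno other than EINVAL as support, which deserves a comment such as `// Probe only: with a nil filter the kernel is expected to fail with EFAULT when CONFIG_SECCOMP_FILTER is present; EINVAL means filter mode is unknown.` Because any other errno also sets `enabled = true`, an unexpected failure of the call reads as seccomp being available. The same comment applies to the identical pair of calls in main() of the last file in this commit.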
|
||||||
|
|
|
@ -2,19 +2,20 @@ package main
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"os"
|
"os"
|
||||||
"syscall"
|
|
||||||
|
"golang.org/x/sys/unix"
|
||||||
)
|
)
|
||||||
|
|
||||||
const (
|
const (
|
||||||
// SeccompModeFilter refers to the syscall argument SECCOMP_MODE_FILTER.
|
// SeccompModeFilter refers to the unix argument SECCOMP_MODE_FILTER.
|
||||||
SeccompModeFilter = uintptr(2)
|
SeccompModeFilter = uintptr(2)
|
||||||
)
|
)
|
||||||
|
|
||||||
func main() {
|
func main() {
|
||||||
// Check if Seccomp is supported, via CONFIG_SECCOMP.
|
// Check if Seccomp is supported, via CONFIG_SECCOMP.
|
||||||
if _, _, err := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_GET_SECCOMP, 0, 0); err != syscall.EINVAL {
|
if _, _, err := unix.RawSyscall(unix.SYS_PRCTL, unix.PR_GET_SECCOMP, 0, 0); err != unix.EINVAL {
|
||||||
// Make sure the kernel has CONFIG_SECCOMP_FILTER.
|
// Make sure the kernel has CONFIG_SECCOMP_FILTER.
|
||||||
if _, _, err := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_SET_SECCOMP, SeccompModeFilter, 0); err != syscall.EINVAL {
|
if _, _, err := unix.RawSyscall(unix.SYS_PRCTL, unix.PR_SET_SECCOMP, SeccompModeFilter, 0); err != unix.EINVAL {
|
||||||
os.Exit(0)
|
os.Exit(0)
|
||||||
}
|
}
|
||||||
}
|
}
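Review bot: The comment on SeccompModeFilter was caught by the mechanical rename and now reads "refers to the unix argument SECCOMP_MODE_FILTER", which no longer says what the constant is. SECCOMP_MODE_FILTER is the mode argument of prctl(PR_SET_SECCOMP), so `// SeccompModeFilter is the SECCOMP_MODE_FILTER mode value passed to prctl(PR_SET_SECCOMP).` would be accurate. The constant also appears to duplicate the unexported seccompModeFilter used by IsEnabled elsewhere in this commit, so the two have to be kept in sync by hand.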
|
||||||
|
|