bump runc@b263a43430ac6996a4302b891688544225197294

Signed-off-by: Antonio Murdaca <runcom@redhat.com>

vendor/github.com/opencontainers/runc/libcontainer/integration/checkpoint_test.go

@@ -89,7 +89,7 @@ func TestCheckpoint(t *testing.T) {
 		Stdout: &stdout,
 	}
 
-	err = container.Start(&pconfig)
+	err = container.Run(&pconfig)
 	stdinR.Close()
 	defer stdinW.Close()
 	if err != nil {

vendor/github.com/opencontainers/runc/libcontainer/integration/exec_test.go

@@ -2,6 +2,7 @@ package integration
 
 import (
 	"bytes"
+	"encoding/json"
 	"fmt"
 	"io/ioutil"
 	"os"
@@ -38,12 +39,12 @@ func testExecPS(t *testing.T, userns bool) {
 	defer remove(rootfs)
 	config := newTemplateConfig(rootfs)
 	if userns {
-		config.UidMappings = []configs.IDMap{{0, 0, 1000}}
-		config.GidMappings = []configs.IDMap{{0, 0, 1000}}
+		config.UidMappings = []configs.IDMap{{HostID: 0, ContainerID: 0, Size: 1000}}
+		config.GidMappings = []configs.IDMap{{HostID: 0, ContainerID: 0, Size: 1000}}
 		config.Namespaces = append(config.Namespaces, configs.Namespace{Type: configs.NEWUSER})
 	}
 
-	buffers, exitCode, err := runContainer(config, "", "ps")
+	buffers, exitCode, err := runContainer(config, "", "ps", "-o", "pid,user,comm")
 	if err != nil {
 		t.Fatalf("%s: %s", buffers, err)
 	}
@@ -180,8 +181,8 @@ func testRlimit(t *testing.T, userns bool) {
 
 	config := newTemplateConfig(rootfs)
 	if userns {
-		config.UidMappings = []configs.IDMap{{0, 0, 1000}}
-		config.GidMappings = []configs.IDMap{{0, 0, 1000}}
+		config.UidMappings = []configs.IDMap{{HostID: 0, ContainerID: 0, Size: 1000}}
+		config.GidMappings = []configs.IDMap{{HostID: 0, ContainerID: 0, Size: 1000}}
 		config.Namespaces = append(config.Namespaces, configs.Namespace{Type: configs.NEWUSER})
 	}
 
@@ -199,17 +200,6 @@ func testRlimit(t *testing.T, userns bool) {
 	}
 }
 
-func newTestRoot() (string, error) {
-	dir, err := ioutil.TempDir("", "libcontainer")
-	if err != nil {
-		return "", err
-	}
-	if err := os.MkdirAll(dir, 0700); err != nil {
-		return "", err
-	}
-	return dir, nil
-}
-
 func TestEnter(t *testing.T) {
 	if testing.Short() {
 		return
@@ -241,7 +231,7 @@ func TestEnter(t *testing.T) {
 		Stdin:  stdinR,
 		Stdout: &stdout,
 	}
-	err = container.Start(&pconfig)
+	err = container.Run(&pconfig)
 	stdinR.Close()
 	defer stdinW.Close()
 	ok(t, err)
@@ -259,7 +249,7 @@ func TestEnter(t *testing.T) {
 	pconfig2.Stdin = stdinR2
 	pconfig2.Stdout = &stdout2
 
-	err = container.Start(&pconfig2)
+	err = container.Run(&pconfig2)
 	stdinR2.Close()
 	defer stdinW2.Close()
 	ok(t, err)
@@ -330,7 +320,7 @@ func TestProcessEnv(t *testing.T) {
 		Stdin:  nil,
 		Stdout: &stdout,
 	}
-	err = container.Start(&pconfig)
+	err = container.Run(&pconfig)
 	ok(t, err)
 
 	// Wait for process
@@ -378,7 +368,7 @@ func TestProcessCaps(t *testing.T) {
 		Stdin:        nil,
 		Stdout:       &stdout,
 	}
-	err = container.Start(&pconfig)
+	err = container.Run(&pconfig)
 	ok(t, err)
 
 	// Wait for process
@@ -431,7 +421,6 @@ func TestAdditionalGroups(t *testing.T) {
 	defer remove(rootfs)
 
 	config := newTemplateConfig(rootfs)
-	config.AdditionalGroups = []string{"plugdev", "audio"}
 
 	factory, err := libcontainer.New(root, libcontainer.Cgroupfs)
 	ok(t, err)
@@ -442,13 +431,14 @@ func TestAdditionalGroups(t *testing.T) {
 
 	var stdout bytes.Buffer
 	pconfig := libcontainer.Process{
-		Cwd:    "/",
-		Args:   []string{"sh", "-c", "id", "-Gn"},
-		Env:    standardEnvironment,
-		Stdin:  nil,
-		Stdout: &stdout,
+		Cwd:              "/",
+		Args:             []string{"sh", "-c", "id", "-Gn"},
+		Env:              standardEnvironment,
+		Stdin:            nil,
+		Stdout:           &stdout,
+		AdditionalGroups: []string{"plugdev", "audio"},
 	}
-	err = container.Start(&pconfig)
+	err = container.Run(&pconfig)
 	ok(t, err)
 
 	// Wait for process
@@ -508,7 +498,7 @@ func testFreeze(t *testing.T, systemd bool) {
 		Env:   standardEnvironment,
 		Stdin: stdinR,
 	}
-	err = container.Start(pconfig)
+	err = container.Run(pconfig)
 	stdinR.Close()
 	defer stdinW.Close()
 	ok(t, err)
@@ -613,7 +603,7 @@ func testPids(t *testing.T, systemd bool) {
 	}
 
 	// Enforce a restrictive limit. 64 * /bin/true + 1 * shell should cause this
-	// to fail reliabily.
+	// to fail reliability.
 	config.Cgroups.Resources.PidsLimit = 64
 	out, _, err := runContainer(config, "", "/bin/sh", "-c", `
 	/bin/true | /bin/true | /bin/true | /bin/true | /bin/true | /bin/true | bin/true | /bin/true |
@@ -719,7 +709,7 @@ func TestContainerState(t *testing.T) {
 		Env:   standardEnvironment,
 		Stdin: stdinR,
 	}
-	err = container.Start(p)
+	err = container.Run(p)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -772,7 +762,7 @@ func TestPassExtraFiles(t *testing.T) {
 		Stdin:      nil,
 		Stdout:     &stdout,
 	}
-	err = container.Start(&process)
+	err = container.Run(&process)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -853,7 +843,7 @@ func TestMountCmds(t *testing.T) {
 		Args: []string{"sh", "-c", "env"},
 		Env:  standardEnvironment,
 	}
-	err = container.Start(&pconfig)
+	err = container.Run(&pconfig)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -902,7 +892,7 @@ func TestSysctl(t *testing.T) {
 		Stdin:  nil,
 		Stdout: &stdout,
 	}
-	err = container.Start(&pconfig)
+	err = container.Run(&pconfig)
 	ok(t, err)
 
 	// Wait for process
@@ -1042,7 +1032,7 @@ func TestOomScoreAdj(t *testing.T) {
 		Stdin:  nil,
 		Stdout: &stdout,
 	}
-	err = container.Start(&pconfig)
+	err = container.Run(&pconfig)
 	ok(t, err)
 
 	// Wait for process
@@ -1059,17 +1049,32 @@ func TestHook(t *testing.T) {
 	if testing.Short() {
 		return
 	}
-	root, err := newTestRoot()
+
+	bundle, err := newTestBundle()
 	ok(t, err)
-	defer os.RemoveAll(root)
+	defer remove(bundle)
 
 	rootfs, err := newRootfs()
 	ok(t, err)
 	defer remove(rootfs)
 
 	config := newTemplateConfig(rootfs)
-	expectedBundlePath := "/path/to/bundle/path"
+	expectedBundlePath := bundle
 	config.Labels = append(config.Labels, fmt.Sprintf("bundle=%s", expectedBundlePath))
+
+	getRootfsFromBundle := func(bundle string) (string, error) {
+		f, err := os.Open(filepath.Join(bundle, "config.json"))
+		if err != nil {
+			return "", err
+		}
+
+		var config configs.Config
+		if err = json.NewDecoder(f).Decode(&config); err != nil {
+			return "", err
+		}
+		return config.Rootfs, nil
+	}
+
 	config.Hooks = &configs.Hooks{
 		Prestart: []configs.Hook{
 			configs.NewFunctionHook(func(s configs.HookState) error {
@@ -1077,7 +1082,11 @@ func TestHook(t *testing.T) {
 					t.Fatalf("Expected prestart hook bundlePath '%s'; got '%s'", expectedBundlePath, s.BundlePath)
 				}
 
-				f, err := os.Create(filepath.Join(s.Root, "test"))
+				root, err := getRootfsFromBundle(s.BundlePath)
+				if err != nil {
+					return err
+				}
+				f, err := os.Create(filepath.Join(root, "test"))
 				if err != nil {
 					return err
 				}
@@ -1090,7 +1099,11 @@ func TestHook(t *testing.T) {
 					t.Fatalf("Expected poststart hook bundlePath '%s'; got '%s'", expectedBundlePath, s.BundlePath)
 				}
 
-				return ioutil.WriteFile(filepath.Join(s.Root, "test"), []byte("hello world"), 0755)
+				root, err := getRootfsFromBundle(s.BundlePath)
+				if err != nil {
+					return err
+				}
+				return ioutil.WriteFile(filepath.Join(root, "test"), []byte("hello world"), 0755)
 			}),
 		},
 		Poststop: []configs.Hook{
@@ -1099,10 +1112,20 @@ func TestHook(t *testing.T) {
 					t.Fatalf("Expected poststop hook bundlePath '%s'; got '%s'", expectedBundlePath, s.BundlePath)
 				}
 
-				return os.RemoveAll(filepath.Join(s.Root, "test"))
+				root, err := getRootfsFromBundle(s.BundlePath)
+				if err != nil {
+					return err
+				}
+				return os.RemoveAll(filepath.Join(root, "test"))
 			}),
 		},
 	}
+
+	// write config of json format into config.json under bundle
+	f, err := os.OpenFile(filepath.Join(bundle, "config.json"), os.O_CREATE|os.O_RDWR, 0644)
+	ok(t, err)
+	ok(t, json.NewEncoder(f).Encode(config))
+
 	container, err := factory.Create("test", config)
 	ok(t, err)
 
@@ -1114,7 +1137,7 @@ func TestHook(t *testing.T) {
 		Stdin:  nil,
 		Stdout: &stdout,
 	}
-	err = container.Start(&pconfig)
+	err = container.Run(&pconfig)
 	ok(t, err)
 
 	// Wait for process
@@ -1139,7 +1162,7 @@ func TestHook(t *testing.T) {
 	}
 
 	if err := container.Destroy(); err != nil {
-		t.Fatalf("container destory %s", err)
+		t.Fatalf("container destroy %s", err)
 	}
 	fi, err := os.Stat(filepath.Join(rootfs, "test"))
 	if err == nil || !os.IsNotExist(err) {
@@ -1231,7 +1254,7 @@ func TestRootfsPropagationSlaveMount(t *testing.T) {
 		Stdin: stdinR,
 	}
 
-	err = container.Start(pconfig)
+	err = container.Run(pconfig)
 	stdinR.Close()
 	defer stdinW.Close()
 	ok(t, err)
@@ -1260,7 +1283,7 @@ func TestRootfsPropagationSlaveMount(t *testing.T) {
 		Stdout: &stdout2,
 	}
 
-	err = container.Start(pconfig2)
+	err = container.Run(pconfig2)
 	stdinR2.Close()
 	defer stdinW2.Close()
 	ok(t, err)
@@ -1348,7 +1371,7 @@ func TestRootfsPropagationSharedMount(t *testing.T) {
 		Stdin: stdinR,
 	}
 
-	err = container.Start(pconfig)
+	err = container.Run(pconfig)
 	stdinR.Close()
 	defer stdinW.Close()
 	ok(t, err)
@@ -1380,7 +1403,7 @@ func TestRootfsPropagationSharedMount(t *testing.T) {
 		Capabilities: processCaps,
 	}
 
-	err = container.Start(pconfig2)
+	err = container.Run(pconfig2)
 	stdinR2.Close()
 	defer stdinW2.Close()
 	ok(t, err)
@@ -1452,7 +1475,7 @@ func TestInitJoinPID(t *testing.T) {
 		Env:   standardEnvironment,
 		Stdin: stdinR1,
 	}
-	err = container1.Start(init1)
+	err = container1.Run(init1)
 	stdinR1.Close()
 	defer stdinW1.Close()
 	ok(t, err)
@@ -1462,7 +1485,7 @@ func TestInitJoinPID(t *testing.T) {
 	ok(t, err)
 	pidns1 := state1.NamespacePaths[configs.NEWPID]
 
-	// Start a container inside the existing pidns but with different cgroups
+	// Run a container inside the existing pidns but with different cgroups
 	config2 := newTemplateConfig(rootfs)
 	config2.Namespaces.Add(configs.NEWPID, pidns1)
 	config2.Cgroups.Path = "integration/test2"
@@ -1478,7 +1501,7 @@ func TestInitJoinPID(t *testing.T) {
 		Env:   standardEnvironment,
 		Stdin: stdinR2,
 	}
-	err = container2.Start(init2)
+	err = container2.Run(init2)
 	stdinR2.Close()
 	defer stdinW2.Close()
 	ok(t, err)
@@ -1508,7 +1531,7 @@ func TestInitJoinPID(t *testing.T) {
 		Env:    standardEnvironment,
 		Stdout: buffers.Stdout,
 	}
-	err = container1.Start(ps)
+	err = container1.Run(ps)
 	ok(t, err)
 	waitProcess(ps, t)
 
@@ -1542,8 +1565,8 @@ func TestInitJoinNetworkAndUser(t *testing.T) {
 
 	// Execute a long-running container
 	config1 := newTemplateConfig(rootfs)
-	config1.UidMappings = []configs.IDMap{{0, 0, 1000}}
-	config1.GidMappings = []configs.IDMap{{0, 0, 1000}}
+	config1.UidMappings = []configs.IDMap{{HostID: 0, ContainerID: 0, Size: 1000}}
+	config1.GidMappings = []configs.IDMap{{HostID: 0, ContainerID: 0, Size: 1000}}
 	config1.Namespaces = append(config1.Namespaces, configs.Namespace{Type: configs.NEWUSER})
 	container1, err := newContainer(config1)
 	ok(t, err)
@@ -1557,7 +1580,7 @@ func TestInitJoinNetworkAndUser(t *testing.T) {
 		Env:   standardEnvironment,
 		Stdin: stdinR1,
 	}
-	err = container1.Start(init1)
+	err = container1.Run(init1)
 	stdinR1.Close()
 	defer stdinW1.Close()
 	ok(t, err)
@@ -1568,14 +1591,14 @@ func TestInitJoinNetworkAndUser(t *testing.T) {
 	netns1 := state1.NamespacePaths[configs.NEWNET]
 	userns1 := state1.NamespacePaths[configs.NEWUSER]
 
-	// Start a container inside the existing pidns but with different cgroups
+	// Run a container inside the existing pidns but with different cgroups
 	rootfs2, err := newRootfs()
 	ok(t, err)
 	defer remove(rootfs2)
 
 	config2 := newTemplateConfig(rootfs2)
-	config2.UidMappings = []configs.IDMap{{0, 0, 1000}}
-	config2.GidMappings = []configs.IDMap{{0, 0, 1000}}
+	config2.UidMappings = []configs.IDMap{{HostID: 0, ContainerID: 0, Size: 1000}}
+	config2.GidMappings = []configs.IDMap{{HostID: 0, ContainerID: 0, Size: 1000}}
 	config2.Namespaces.Add(configs.NEWNET, netns1)
 	config2.Namespaces.Add(configs.NEWUSER, userns1)
 	config2.Cgroups.Path = "integration/test2"
@@ -1591,7 +1614,7 @@ func TestInitJoinNetworkAndUser(t *testing.T) {
 		Env:   standardEnvironment,
 		Stdin: stdinR2,
 	}
-	err = container2.Start(init2)
+	err = container2.Run(init2)
 	stdinR2.Close()
 	defer stdinW2.Close()
 	ok(t, err)
@@ -1622,3 +1645,52 @@ func TestInitJoinNetworkAndUser(t *testing.T) {
 	stdinW1.Close()
 	waitProcess(init1, t)
 }
+
+func TestTmpfsCopyUp(t *testing.T) {
+	if testing.Short() {
+		return
+	}
+	root, err := newTestRoot()
+	ok(t, err)
+	defer os.RemoveAll(root)
+
+	rootfs, err := newRootfs()
+	ok(t, err)
+	defer remove(rootfs)
+
+	config := newTemplateConfig(rootfs)
+
+	config.Mounts = append(config.Mounts, &configs.Mount{
+		Source:      "tmpfs",
+		Destination: "/etc",
+		Device:      "tmpfs",
+		Extensions:  configs.EXT_COPYUP,
+	})
+
+	factory, err := libcontainer.New(root, libcontainer.Cgroupfs)
+	ok(t, err)
+
+	container, err := factory.Create("test", config)
+	ok(t, err)
+	defer container.Destroy()
+
+	var stdout bytes.Buffer
+	pconfig := libcontainer.Process{
+		Args:   []string{"ls", "/etc/passwd"},
+		Env:    standardEnvironment,
+		Stdin:  nil,
+		Stdout: &stdout,
+	}
+	err = container.Run(&pconfig)
+	ok(t, err)
+
+	// Wait for process
+	waitProcess(&pconfig, t)
+
+	outputLs := string(stdout.Bytes())
+
+	// Check that the ls output has /etc/passwd
+	if !strings.Contains(outputLs, "/etc/passwd") {
+		t.Fatalf("/etc/passwd not copied up as expected: %v", outputLs)
+	}
+}

vendor/github.com/opencontainers/runc/libcontainer/integration/execin_test.go

@@ -36,7 +36,7 @@ func TestExecIn(t *testing.T) {
 		Env:   standardEnvironment,
 		Stdin: stdinR,
 	}
-	err = container.Start(process)
+	err = container.Run(process)
 	stdinR.Close()
 	defer stdinW.Close()
 	ok(t, err)
@@ -51,7 +51,7 @@ func TestExecIn(t *testing.T) {
 		Stderr: buffers.Stderr,
 	}
 
-	err = container.Start(ps)
+	err = container.Run(ps)
 	ok(t, err)
 	waitProcess(ps, t)
 	stdinW.Close()
@@ -61,6 +61,9 @@ func TestExecIn(t *testing.T) {
 	if !strings.Contains(out, "cat") || !strings.Contains(out, "ps") {
 		t.Fatalf("unexpected running process, output %q", out)
 	}
+	if strings.Contains(out, "\r") {
+		t.Fatalf("unexpected carriage-return in output")
+	}
 }
 
 func TestExecInUsernsRlimit(t *testing.T) {
@@ -86,8 +89,8 @@ func testExecInRlimit(t *testing.T, userns bool) {
 
 	config := newTemplateConfig(rootfs)
 	if userns {
-		config.UidMappings = []configs.IDMap{{0, 0, 1000}}
-		config.GidMappings = []configs.IDMap{{0, 0, 1000}}
+		config.UidMappings = []configs.IDMap{{HostID: 0, ContainerID: 0, Size: 1000}}
+		config.GidMappings = []configs.IDMap{{HostID: 0, ContainerID: 0, Size: 1000}}
 		config.Namespaces = append(config.Namespaces, configs.Namespace{Type: configs.NEWUSER})
 	}
 
@@ -103,7 +106,7 @@ func testExecInRlimit(t *testing.T, userns bool) {
 		Env:   standardEnvironment,
 		Stdin: stdinR,
 	}
-	err = container.Start(process)
+	err = container.Run(process)
 	stdinR.Close()
 	defer stdinW.Close()
 	ok(t, err)
@@ -121,7 +124,7 @@ func testExecInRlimit(t *testing.T, userns bool) {
 			{Type: syscall.RLIMIT_NOFILE, Hard: 1026, Soft: 1026},
 		},
 	}
-	err = container.Start(ps)
+	err = container.Run(ps)
 	ok(t, err)
 	waitProcess(ps, t)
 
@@ -134,6 +137,64 @@ func testExecInRlimit(t *testing.T, userns bool) {
 	}
 }
 
+func TestExecInAdditionalGroups(t *testing.T) {
+	if testing.Short() {
+		return
+	}
+
+	rootfs, err := newRootfs()
+	ok(t, err)
+	defer remove(rootfs)
+
+	config := newTemplateConfig(rootfs)
+	container, err := newContainer(config)
+	ok(t, err)
+	defer container.Destroy()
+
+	// Execute a first process in the container
+	stdinR, stdinW, err := os.Pipe()
+	ok(t, err)
+	process := &libcontainer.Process{
+		Cwd:   "/",
+		Args:  []string{"cat"},
+		Env:   standardEnvironment,
+		Stdin: stdinR,
+	}
+	err = container.Run(process)
+	stdinR.Close()
+	defer stdinW.Close()
+	ok(t, err)
+
+	var stdout bytes.Buffer
+	pconfig := libcontainer.Process{
+		Cwd:              "/",
+		Args:             []string{"sh", "-c", "id", "-Gn"},
+		Env:              standardEnvironment,
+		Stdin:            nil,
+		Stdout:           &stdout,
+		AdditionalGroups: []string{"plugdev", "audio"},
+	}
+	err = container.Run(&pconfig)
+	ok(t, err)
+
+	// Wait for process
+	waitProcess(&pconfig, t)
+
+	stdinW.Close()
+	waitProcess(process, t)
+
+	outputGroups := string(stdout.Bytes())
+
+	// Check that the groups output has the groups that we specified
+	if !strings.Contains(outputGroups, "audio") {
+		t.Fatalf("Listed groups do not contain the audio group as expected: %v", outputGroups)
+	}
+
+	if !strings.Contains(outputGroups, "plugdev") {
+		t.Fatalf("Listed groups do not contain the plugdev group as expected: %v", outputGroups)
+	}
+}
+
 func TestExecInError(t *testing.T) {
 	if testing.Short() {
 		return
@@ -155,7 +216,7 @@ func TestExecInError(t *testing.T) {
 		Env:   standardEnvironment,
 		Stdin: stdinR,
 	}
-	err = container.Start(process)
+	err = container.Run(process)
 	stdinR.Close()
 	defer func() {
 		stdinW.Close()
@@ -173,7 +234,7 @@ func TestExecInError(t *testing.T) {
 			Env:    standardEnvironment,
 			Stdout: &out,
 		}
-		err = container.Start(unexistent)
+		err = container.Run(unexistent)
 		if err == nil {
 			t.Fatal("Should be an error")
 		}
@@ -207,7 +268,7 @@ func TestExecInTTY(t *testing.T) {
 		Env:   standardEnvironment,
 		Stdin: stdinR,
 	}
-	err = container.Start(process)
+	err = container.Run(process)
 	stdinR.Close()
 	defer stdinW.Close()
 	ok(t, err)
@@ -218,15 +279,15 @@ func TestExecInTTY(t *testing.T) {
 		Args: []string{"ps"},
 		Env:  standardEnvironment,
 	}
-	console, err := ps.NewConsole(0)
+	err = container.Run(ps)
+	ok(t, err)
+	console, err := ps.GetConsole()
 	copy := make(chan struct{})
 	go func() {
 		io.Copy(&stdout, console)
 		close(copy)
 	}()
 	ok(t, err)
-	err = container.Start(ps)
-	ok(t, err)
 	select {
 	case <-time.After(5 * time.Second):
 		t.Fatal("Waiting for copy timed out")
@@ -238,9 +299,12 @@ func TestExecInTTY(t *testing.T) {
 	waitProcess(process, t)
 
 	out := stdout.String()
-	if !strings.Contains(out, "cat") || !strings.Contains(string(out), "ps") {
+	if !strings.Contains(out, "cat") || !strings.Contains(out, "ps") {
 		t.Fatalf("unexpected running process, output %q", out)
 	}
+	if strings.Contains(out, "\r") {
+		t.Fatalf("unexpected carriage-return in output")
+	}
 }
 
 func TestExecInEnvironment(t *testing.T) {
@@ -264,7 +328,7 @@ func TestExecInEnvironment(t *testing.T) {
 		Env:   standardEnvironment,
 		Stdin: stdinR,
 	}
-	err = container.Start(process)
+	err = container.Run(process)
 	stdinR.Close()
 	defer stdinW.Close()
 	ok(t, err)
@@ -283,7 +347,7 @@ func TestExecInEnvironment(t *testing.T) {
 		Stdout: buffers.Stdout,
 		Stderr: buffers.Stderr,
 	}
-	err = container.Start(process2)
+	err = container.Run(process2)
 	ok(t, err)
 	waitProcess(process2, t)
 
@@ -328,7 +392,7 @@ func TestExecinPassExtraFiles(t *testing.T) {
 		Env:   standardEnvironment,
 		Stdin: stdinR,
 	}
-	err = container.Start(process)
+	err = container.Run(process)
 	stdinR.Close()
 	defer stdinW.Close()
 	if err != nil {
@@ -346,7 +410,7 @@ func TestExecinPassExtraFiles(t *testing.T) {
 		Stdin:      nil,
 		Stdout:     &stdout,
 	}
-	err = container.Start(inprocess)
+	err = container.Run(inprocess)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -401,7 +465,7 @@ func TestExecInOomScoreAdj(t *testing.T) {
 		Env:   standardEnvironment,
 		Stdin: stdinR,
 	}
-	err = container.Start(process)
+	err = container.Run(process)
 	stdinR.Close()
 	defer stdinW.Close()
 	ok(t, err)
@@ -415,7 +479,7 @@ func TestExecInOomScoreAdj(t *testing.T) {
 		Stdout: buffers.Stdout,
 		Stderr: buffers.Stderr,
 	}
-	err = container.Start(ps)
+	err = container.Run(ps)
 	ok(t, err)
 	waitProcess(ps, t)
 
@@ -439,8 +503,8 @@ func TestExecInUserns(t *testing.T) {
 	ok(t, err)
 	defer remove(rootfs)
 	config := newTemplateConfig(rootfs)
-	config.UidMappings = []configs.IDMap{{0, 0, 1000}}
-	config.GidMappings = []configs.IDMap{{0, 0, 1000}}
+	config.UidMappings = []configs.IDMap{{HostID: 0, ContainerID: 0, Size: 1000}}
+	config.GidMappings = []configs.IDMap{{HostID: 0, ContainerID: 0, Size: 1000}}
 	config.Namespaces = append(config.Namespaces, configs.Namespace{Type: configs.NEWUSER})
 	container, err := newContainer(config)
 	ok(t, err)
@@ -456,7 +520,7 @@ func TestExecInUserns(t *testing.T) {
 		Env:   standardEnvironment,
 		Stdin: stdinR,
 	}
-	err = container.Start(process)
+	err = container.Run(process)
 	stdinR.Close()
 	defer stdinW.Close()
 	ok(t, err)
@@ -476,7 +540,7 @@ func TestExecInUserns(t *testing.T) {
 		Stdout: buffers.Stdout,
 		Stderr: os.Stderr,
 	}
-	err = container.Start(process2)
+	err = container.Run(process2)
 	ok(t, err)
 	waitProcess(process2, t)
 	stdinW.Close()

vendor/github.com/opencontainers/runc/libcontainer/integration/init_test.go

@@ -36,19 +36,19 @@ var (
 func TestMain(m *testing.M) {
 	var (
 		err error
-		ret int = 0
+		ret int
 	)
 
 	logrus.SetOutput(os.Stderr)
 	logrus.SetLevel(logrus.InfoLevel)
 
-	factory, err = libcontainer.New(".", libcontainer.Cgroupfs)
+	factory, err = libcontainer.New("/run/libctTests", libcontainer.Cgroupfs)
 	if err != nil {
 		logrus.Error(err)
 		os.Exit(1)
 	}
 	if systemd.UseSystemd() {
-		systemdFactory, err = libcontainer.New(".", libcontainer.SystemdCgroups)
+		systemdFactory, err = libcontainer.New("/run/libctTests", libcontainer.SystemdCgroups)
 		if err != nil {
 			logrus.Error(err)
 			os.Exit(1)

vendor/github.com/opencontainers/runc/libcontainer/integration/seccomp_test.go

@@ -50,7 +50,7 @@ func TestSeccompDenyGetcwd(t *testing.T) {
 		Stderr: buffers.Stderr,
 	}
 
-	err = container.Start(pwd)
+	err = container.Run(pwd)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -101,8 +101,8 @@ func TestSeccompPermitWriteConditional(t *testing.T) {
 				Args: []*configs.Arg{
 					{
 						Index: 0,
-						Value: 1,
-						Op:    configs.GreaterThan,
+						Value: 2,
+						Op:    configs.EqualTo,
 					},
 				},
 			},
@@ -125,7 +125,7 @@ func TestSeccompPermitWriteConditional(t *testing.T) {
 		Stderr: buffers.Stderr,
 	}
 
-	err = container.Start(dmesg)
+	err = container.Run(dmesg)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -162,8 +162,8 @@ func TestSeccompDenyWriteConditional(t *testing.T) {
 				Args: []*configs.Arg{
 					{
 						Index: 0,
-						Value: 1,
-						Op:    configs.GreaterThan,
+						Value: 2,
+						Op:    configs.EqualTo,
 					},
 				},
 			},
@@ -186,7 +186,7 @@ func TestSeccompDenyWriteConditional(t *testing.T) {
 		Stderr: buffers.Stderr,
 	}
 
-	err = container.Start(dmesg)
+	err = container.Run(dmesg)
 	if err != nil {
 		t.Fatal(err)
 	}

vendor/github.com/opencontainers/runc/libcontainer/integration/template_test.go

@@ -20,6 +20,7 @@ const defaultMountFlags = syscall.MS_NOEXEC | syscall.MS_NOSUID | syscall.MS_NOD
 // it uses a network strategy of just setting a loopback interface
 // and the default setup for devices
 func newTemplateConfig(rootfs string) *configs.Config {
+	allowAllDevices := false
 	return &configs.Config{
 		Rootfs: rootfs,
 		Capabilities: []string{
@@ -49,12 +50,13 @@ func newTemplateConfig(rootfs string) *configs.Config {
 			Path: "integration/test",
 			Resources: &configs.Resources{
 				MemorySwappiness: nil,
-				AllowAllDevices:  false,
+				AllowAllDevices:  &allowAllDevices,
 				AllowedDevices:   configs.DefaultAllowedDevices,
 			},
 		},
 		MaskPaths: []string{
 			"/proc/kcore",
+			"/sys/firmware",
 		},
 		ReadonlyPaths: []string{
 			"/proc/sys", "/proc/sysrq-trigger", "/proc/irq", "/proc/bus",
@@ -89,12 +91,15 @@ func newTemplateConfig(rootfs string) *configs.Config {
 				Data:        "mode=1777,size=65536k",
 				Flags:       defaultMountFlags,
 			},
-			{
-				Source:      "mqueue",
-				Destination: "/dev/mqueue",
-				Device:      "mqueue",
-				Flags:       defaultMountFlags,
-			},
+			/*
+				            CI is broken on the debian based kernels with this
+							{
+								Source:      "mqueue",
+								Destination: "/dev/mqueue",
+								Device:      "mqueue",
+								Flags:       defaultMountFlags,
+							},
+			*/
 			{
 				Source:      "sysfs",
 				Destination: "/sys",

vendor/github.com/opencontainers/runc/libcontainer/integration/utils_test.go

@@ -2,6 +2,8 @@ package integration
 
 import (
 	"bytes"
+	"crypto/md5"
+	"encoding/hex"
 	"fmt"
 	"io/ioutil"
 	"os"
@@ -11,6 +13,7 @@ import (
 	"strings"
 	"syscall"
 	"testing"
+	"time"
 
 	"github.com/opencontainers/runc/libcontainer"
 	"github.com/opencontainers/runc/libcontainer/configs"
@@ -62,6 +65,28 @@ func waitProcess(p *libcontainer.Process, t *testing.T) {
 	}
 }
 
+func newTestRoot() (string, error) {
+	dir, err := ioutil.TempDir("", "libcontainer")
+	if err != nil {
+		return "", err
+	}
+	if err := os.MkdirAll(dir, 0700); err != nil {
+		return "", err
+	}
+	return dir, nil
+}
+
+func newTestBundle() (string, error) {
+	dir, err := ioutil.TempDir("", "bundle")
+	if err != nil {
+		return "", err
+	}
+	if err := os.MkdirAll(dir, 0700); err != nil {
+		return "", err
+	}
+	return dir, nil
+}
+
 // newRootfs creates a new tmp directory and copies the busybox root filesystem
 func newRootfs() (string, error) {
 	dir, err := ioutil.TempDir("", "")
@@ -92,7 +117,9 @@ func copyBusybox(dest string) error {
 }
 
 func newContainer(config *configs.Config) (libcontainer.Container, error) {
-	return newContainerWithName("testCT", config)
+	h := md5.New()
+	h.Write([]byte(time.Now().String()))
+	return newContainerWithName(hex.EncodeToString(h.Sum(nil)), config)
 }
 
 func newContainerWithName(name string, config *configs.Config) (libcontainer.Container, error) {
@@ -123,7 +150,7 @@ func runContainer(config *configs.Config, console string, args ...string) (buffe
 		Stderr: buffers.Stderr,
 	}
 
-	err = container.Start(process)
+	err = container.Run(process)
 	if err != nil {
 		return buffers, -1, err
 	}