Commit graph

162 commits

Author SHA1 Message Date
Xianglin Gao
ca7d5c77c2 Do not load ocid-default if configured apparmor profile is set up.
Signed-off-by: Xianglin Gao <xlgao@zju.edu.cn>
2016-12-12 15:55:17 +08:00
Antonio Murdaca
67055e20bc
server: fix call to logrus.Warnf
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-12-10 19:21:52 +01:00
Mrunal Patel
be29524ba4 Add support for pod /dev/shm that is shared by the pod ctrs
Signed-off-by: Mrunal Patel <mpatel@redhat.com>
2016-12-08 15:32:17 -08:00
Xianglin Gao
cb5ed1ce9d reload default apparmor profile if it is unloaded
Signed-off-by: Xianglin Gao <xlgao@zju.edu.cn>
2016-12-07 20:19:29 +08:00
Xianglin Gao
4f323377ee add apparmor build tag and update readme
Signed-off-by: Xianglin Gao <xlgao@zju.edu.cn>
2016-12-06 11:51:15 +08:00
Xianglin Gao
26645c90ac Make the profile configurable
Signed-off-by: Xianglin Gao <xlgao@zju.edu.cn>
2016-12-01 13:26:59 +08:00
Xianglin Gao
1f863846f5 add default apparmor profile
Signed-off-by: Xianglin Gao <xlgao@zju.edu.cn>
2016-12-01 13:26:59 +08:00
Xianglin Gao
71b80591e3 support apparmor
Signed-off-by: Xianglin Gao <xlgao@zju.edu.cn>
2016-12-01 13:26:59 +08:00
Samuel Ortiz
60123a77ce server: Export more container metadata for VM containers
VM base container runtimes (e.g. Clear Containers) will run each pod
in a VM and will create containers within that pod VM. Unfortunately
those runtimes will get called by ocid with the same commands
(create and start) for both the pause containers and subsequent
containers to be added to the pod namespace. Unless they work around
that by e.g. infering that a container which rootfs is under
"/pause" would represent a pod, they have no way to decide if they
need to create/start a VM or if they need to add a container to an
already running VM pod.

This patch tries to formalize this difference through pod
annotations. When starting a container or a sandbox, we now add 2
annotations for the container type (Infrastructure or not) and the
sandbox name. This will allow VM based container runtimes to handle
2 things:

- Decide if they need to create a pod VM or not.
- Keep track of which pod ID runs in a given VM, so that they
  know to which sandbox they have to add containers.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2016-11-29 10:24:33 +01:00
Antonio Murdaca
78ee03a8fc
add seccomp support
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-11-28 22:05:34 +01:00
Antonio Murdaca
70481bc5af
*: bump opencontainers/runtime-tools
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-11-24 12:26:18 +01:00
Antonio Murdaca
61bb04c87c
server: split containers actions
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-11-22 18:38:05 +01:00