Michael Crosby
c22a0a3297
Merge pull request #6105 from gdm85/master
Do not consider iptables' output an error in case of xtables lock
2014-05-29 11:06:25 -07:00
Giuseppe Mazzotta
d68100ec34
* do not consider iptables' output an error in case of xtables lock
Docker-DCO-1.1-Signed-off-by: Giuseppe Mazzotta <gdm85@users.noreply.github.com> (github: gdm85)
2014-05-29 15:57:29 +02:00
Michael Crosby
e8727a6236
Handle EBUSY on remount
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-05-28 18:10:50 -07:00
Victor Vieux
1dd391fe26
Merge pull request #6083 from bernerdschaefer/nsinit-drop-capabilities-after-changing-user
SETUID/SETGID not required for changing user
2014-05-28 17:29:17 -07:00
Alexander Larsson
95a61f16dc
libcontainer: Don't create a device node on /dev/console to bind mount on
There is no need for this, the device node by itself doesn't work, since
it's not on a devpts fs, and we can just use a regular file to bind mount over.
Docker-DCO-1.1-Signed-off-by: Alexander Larsson <alexl@redhat.com> (github: alexlarsson)
2014-05-28 21:07:40 +02:00
Alexander Larsson
a193d05209
Revert "Remove the bind mount for dev/console which override the mknod/label"
This reverts commit ae85dd54582e94d36b146ab1688844ed58cc8df3.
Docker-DCO-1.1-Signed-off-by: Alexander Larsson <alexl@redhat.com> (github: alexlarsson)
2014-05-28 21:07:27 +02:00
unclejack
2ca2e1b82a
Merge pull request #6076 from LK4D4/remove_collections_package
Remove collections package
2014-05-28 21:32:27 +03:00
Victor Marmol
744a7c030c
Merge pull request #5868 from jhspaybar/5749-libcontainerroutes
libcontainer support for arbitrary route table entries
2014-05-28 10:50:56 -07:00
William Thurston
755e5047a7
Fixes #5749
libcontainer support for arbitrary route table entries
Docker-DCO-1.1-Signed-off-by: William Thurston <me@williamthurston.com> (github: jhspaybar)
2014-05-28 17:42:02 +00:00
Bernerd Schaefer
906451091d
SETUID/SETGID not required for changing user
It is no longer necessary to pass "SETUID" or "SETGID" capabilities to
the container when a "user" is specified in the config.
Docker-DCO-1.1-Signed-off-by: Bernerd Schaefer <bj.schaefer@gmail.com> (github: bernerdschaefer)
2014-05-28 16:41:48 +02:00
Bernerd Schaefer
b6ee193b8e
Add system.SetKeepCaps and system.ClearKeepCaps
Docker-DCO-1.1-Signed-off-by: Bernerd Schaefer <bj.schaefer@gmail.com> (github: bernerdschaefer)
2014-05-28 16:40:36 +02:00
Alexandr Morozov
a09f2d1c41
Remove collections package
It isn't needed anymore after the port and ip allocators refactoring
Docker-DCO-1.1-Signed-off-by: Alexandr Morozov <lk4dmath@gmail.com> (github: LK4D4)
2014-05-28 13:59:45 +04:00
Michael Crosby
c8a8176936
Update wait calls to call Wait on Command
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-05-27 13:38:24 -07:00
unclejack
eb075733c5
Merge pull request #6025 from crosbymichael/concurrent-names
Improve name generation on concurrent requests
2014-05-27 23:18:19 +03:00
Erik Hollensbe
18d68cf1a9
libcontainer/nsinit: remove Wait call from Exec and Kill from Attach in tty_term.go
Docker-DCO-1.1-Signed-off-by: Erik Hollensbe <github@hollensbe.org> (github: erikh)
2014-05-27 12:26:56 -07:00
Erik Hollensbe
36bd5bf98b
Add Wait() calls in the appropriate spots
Docker-DCO-1.1-Signed-off-by: Erik Hollensbe <github@hollensbe.org> (github: erikh)
2014-05-27 12:26:56 -07:00
Michael Crosby
47b9bba5e1
Improve name generation on concurrent requests
Fixes #2586
This fixes a few races where the name generator asks if a name is free
but another container takes the name before it can be reserved. This
solves this by generating the name and setting it. If the set fails
with a non unique error then we try again.
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-05-23 17:51:16 -07:00
Michael Crosby
4a0d1718ee
Merge pull request #6018 from vishh/stats_strongtype
Strong type all stats exported by libcontainer
2014-05-23 14:35:14 -07:00
Michael Crosby
1c07f75e6f
Add check for iptables xlock support
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-05-23 14:18:50 -07:00
Vishnu Kannan
c5be84cd2d
Added stats.go which provides strong types for all stats that will be exported by libcontainer. This commit only introduces the strong type.
Docker-DCO-1.1-Signed-off-by: Vishnu Kannan <vishnuk@google.com> (github: vishh)
2014-05-23 20:42:43 +00:00
Michael Crosby
cc706701b0
Add wait flag to iptables
Fixes #1573
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-05-23 01:24:58 +00:00
Michael Crosby
b98c3f7fb4
Merge pull request #5995 from vieux/recur_nodes
Add device nodes recursively
2014-05-22 16:35:27 -07:00
Victor Vieux
4b1df3687b
update test
Docker-DCO-1.1-Signed-off-by: Victor Vieux <vieux@docker.com> (github: vieux)
2014-05-22 22:50:41 +00:00
Victor Vieux
bf21f0d493
add recursive device nodes
Docker-DCO-1.1-Signed-off-by: Victor Vieux <vieux@docker.com> (github: vieux)
2014-05-22 22:29:13 +00:00
Victor Marmol
c88ecf6acd
Make all cgroup stats output int64s instead of float64.
Docker-DCO-1.1-Signed-off-by: Victor Marmol <vmarmol@google.com> (github: vmarmol)
2014-05-22 20:53:36 +00:00
Victor Vieux
89b64d33ee
Merge pull request #5976 from crosbymichael/getpids
Move get pid into cgroup implementation
2014-05-21 19:09:50 -07:00
Victor Vieux
a0841ff1eb
Merge pull request #5922 from crosbymichael/host-dev-priv
Mount /dev in tmpfs for privileged containers
2014-05-21 18:56:24 -07:00
Michael Crosby
c6c0dc2ebb
Move get pid into cgroup implementation
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-05-21 21:14:07 +00:00
Tianon Gravi
c3c5ddfc50
Revert "Always mount a /run tmpfs in the container"
This reverts commit 905795ece624675abe2ec2622b0bbafdb9d7f44c.
Docker-DCO-1.1-Signed-off-by: Andrew Page <admwiggin@gmail.com> (github: tianon)
2014-05-21 14:28:19 -06:00
Michael Crosby
3d95e5cf7b
Update code post codereview
Add specific types for Required and Optional DeviceNodes
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-05-21 00:40:41 +00:00
Michael Crosby
7fb3f86fec
Update documentation for container struct in libcontainer
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-05-20 23:34:46 +00:00
Michael Crosby
d48b2cf390
Mount /dev in tmpfs for privileged containers
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-05-20 22:51:24 +00:00
Alexander Larsson
0f44c2849c
cgroups: Allow mknod for any device in systemd cgroup backend
Without this any container startup fails:
2014/05/20 09:20:36 setup mount namespace copy additional dev nodes mknod fuse operation not permitted
Docker-DCO-1.1-Signed-off-by: Alexander Larsson <alexl@redhat.com> (github: alexlarsson)
2014-05-20 09:29:32 +02:00
Michael Crosby
f06ca4fdd2
Make sure dev/fuse is created in container
Fixes #5849
If the host system does not have fuse enabled in the kernel config we
will ignore the is not exist errors when trying to copy the device node
from the host system into the container.
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-05-19 20:46:59 +00:00
Victor Marmol
c6e60b57a2
Merge pull request #5903 from alexlarsson/writable-proc
Make /proc writable, but not /proc/sys and /proc/sysrq-trigger
2014-05-19 12:21:15 -07:00
Alexander Larsson
6b97c80b4d
Make /proc writable, but not /proc/sys and /proc/sysrq-trigger
Some applications want to write to /proc. For instance:
docker run -it centos groupadd foo
Gives: groupadd: failure while writing changes to /etc/group
And strace reveals why:
open("/proc/self/task/13/attr/fscreate", O_RDWR) = -1 EROFS (Read-only file system)
I've looked at what other systems do, and systemd-nspawn makes /proc read-write
and /proc/sys readonly, while lxc allows "proc:mixed" which does the same,
plus it makes /proc/sysrq-trigger also readonly.
The latter seems like a prudent idea, so we follow lxc proc:mixed.
Additionally we make /proc/irq and /proc/bus readonly, as these seem to let
you control various hardware things.
Docker-DCO-1.1-Signed-off-by: Alexander Larsson <alexl@redhat.com> (github: alexlarsson)
2014-05-19 20:46:05 +02:00
Victor Marmol
c3b01dfb59
Merge pull request #5792 from bernerdschaefer/nsinit-supports-pdeathsig
Add PDEATHSIG support to nsinit library
2014-05-19 11:13:23 -07:00
Michael Crosby
9e23d99fa2
Merge pull request #5865 from crosbymichael/add-all-caps
Add the rest of the caps so that they are retained in privileged mode
2014-05-19 09:56:55 -07:00
Michael Crosby
3e097e5052
Add the rest of the caps so that they are retained in privileged mode
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-05-19 16:43:31 +00:00
Alexandr Morozov
b089773388
Check uid ranges
Fixes #5647
Docker-DCO-1.1-Signed-off-by: Alexandr Morozov <lk4d4math@gmail.com> (github: LK4D4)
2014-05-18 20:49:08 +04:00
Victor Vieux
58ba10aa54
add support for CAP_FOWNER
Docker-DCO-1.1-Signed-off-by: Victor Vieux <vieux@docker.com> (github: vieux)
2014-05-17 01:16:07 +00:00
Victor Marmol
73f678f6f8
Make libcontainer's CapabilitiesMask into a []string (Capabilities).
Docker-DCO-1.1-Signed-off-by: Victor Marmol <vmarmol@google.com> (github: vmarmol)
2014-05-17 00:44:10 +00:00
Michael Crosby
724c84c6fc
Merge pull request #5833 from ActiveState/fix_nsinit_env_panic
fix panic when passing empty environment
2014-05-16 12:03:26 -07:00
Sridhar Ratnakumar
18a7cee3c7
fix panic when passing empty environment
Docker-DCO-1.1-Signed-off-by: Sridhar Ratnakumar <github@srid.name> (github: srid)
2014-05-16 11:55:34 -07:00
Victor Marmol
fa7e4d6946
Merge pull request #5810 from vmarmol/drop-caps
Change libcontainer to drop all capabilities by default.
2014-05-16 11:51:41 -07:00
Bernerd Schaefer
2732a59592
nsinit.DefaultCreateCommand sets Pdeathsig to SIGKILL
Docker-DCO-1.1-Signed-off-by: Bernerd Schaefer <bj.schaefer@gmail.com> (github: bernerdschaefer)
2014-05-16 13:48:41 +02:00
Bernerd Schaefer
f6ddb6051c
nsinit.Init() restores parent death signal before exec
Docker-DCO-1.1-Signed-off-by: Bernerd Schaefer <bj.schaefer@gmail.com> (github: bernerdschaefer)
2014-05-16 13:48:41 +02:00
Victor Marmol
3a423f3e4e
Change libcontainer to drop all capabilities by default. Only keeps
those that were specified in the config. This commit also explicitly
adds a set of capabilities that we were silently not dropping and were
assumed by the tests.
Docker-DCO-1.1-Signed-off-by: Victor Marmol <vmarmol@google.com> (github: vmarmol)
2014-05-16 00:57:58 +00:00
lalyos
0b1aab5435
Fixes 5370 infinite/maxLoopCount loop for relative symlinks
use path.IsAbs() instead of checking if first char is '/'
Docker-DCO-1.1-Signed-off-by: Lajos Papp <lajos.papp@sequenceiq.com> (github: lalyos)
2014-05-16 01:03:11 +02:00
lalyos
02b08b3961
Defend against infinite loop when following symlinks
Ideally it should never reach it, but there were already multiple issues with infinite loops
when following symlinks. This fixes hanging unit tests.
Docker-DCO-1.1-Signed-off-by: Lajos Papp <lajos.papp@sequenceiq.com> (github: lalyos)
2014-05-16 00:47:20 +02:00