Merge pull request #605 from mikebrow/runc-update

update runc vendor

pkg/containerd/opts/container.go

@@ -25,8 +25,8 @@ import (
 	"github.com/containerd/containerd"
 	"github.com/containerd/containerd/containers"
 	"github.com/containerd/containerd/errdefs"
-	"github.com/containerd/containerd/fs"
 	"github.com/containerd/containerd/mount"
+	"github.com/containerd/continuity/fs"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 )

vendor.conf

@@ -1,8 +1,8 @@
 github.com/blang/semver v3.1.0
 github.com/BurntSushi/toml a368813c5e648fee92e5f6c30e3944ff9d5e8895
 github.com/containerd/cgroups c0710c92e8b3a44681d1321dcfd1360fc5c6c089
-github.com/containerd/containerd f12ba2407e328c98f8be5eacbb9c510b073dd4c0
+github.com/containerd/containerd ee6ffdd91e8fd9ec2b9684fd385e81a16c40e99c
-github.com/containerd/continuity cf279e6ac893682272b4479d4c67fd3abf878b4e
+github.com/containerd/continuity 1a794c0014a7b786879312d1dab309ba96ead8bc
 github.com/containerd/fifo fbfb6a11ec671efbe94ad1c12c2e98773f19e1e6
 github.com/containerd/typeurl f6943554a7e7e88b3c14aad190bf05932da84788
 github.com/containernetworking/cni v0.6.0
@@ -31,7 +31,7 @@ github.com/Microsoft/go-winio v0.4.5
 github.com/Microsoft/hcsshim v0.6.7
 github.com/opencontainers/go-digest 21dfd564fd89c944783d00d069f33e3e7123c448
 github.com/opencontainers/image-spec v1.0.1
-github.com/opencontainers/runc 9f9c96235cc97674e935002fc3d78361b696a69e
+github.com/opencontainers/runc a618ab5a0186905949ee463dbb762c3d23e12a80
 github.com/opencontainers/runtime-spec v1.0.1
 github.com/opencontainers/runtime-tools 6073aff4ac61897f75895123f7e24135204a404d
 github.com/opencontainers/selinux 4a2974bf1ee960774ffd517717f1f45325af0206

vendor/github.com/containerd/containerd/contrib/seccomp/seccomp_default.go

@@ -403,11 +403,11 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
 		s.Syscalls = append(s.Syscalls, specs.LinuxSyscall{
 			Names: []string{
 				"arch_prctl",
+				"modify_ldt",
 			},
 			Action: specs.ActAllow,
 			Args:   []specs.LinuxSeccompArg{},
 		})
-		fallthrough
 	case "386":
 		s.Syscalls = append(s.Syscalls, specs.LinuxSyscall{
 			Names: []string{

vendor/github.com/containerd/containerd/oci/spec_opts_unix.go

@@ -13,10 +13,10 @@ import (
 
 	"github.com/containerd/containerd/containers"
 	"github.com/containerd/containerd/content"
-	"github.com/containerd/containerd/fs"
 	"github.com/containerd/containerd/images"
 	"github.com/containerd/containerd/mount"
 	"github.com/containerd/containerd/namespaces"
+	"github.com/containerd/continuity/fs"
 	"github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/opencontainers/runc/libcontainer/user"
 	specs "github.com/opencontainers/runtime-spec/specs-go"

vendor/github.com/containerd/containerd/vendor.conf

@@ -16,7 +16,7 @@ github.com/docker/go-units v0.3.1
 github.com/gogo/protobuf v0.5
 github.com/golang/protobuf 1643683e1b54a9e88ad26d98f81400c8c9d9f4f9
 github.com/opencontainers/runtime-spec v1.0.1
-github.com/opencontainers/runc 9f9c96235cc97674e935002fc3d78361b696a69e
+github.com/opencontainers/runc a618ab5a0186905949ee463dbb762c3d23e12a80
 github.com/sirupsen/logrus v1.0.0
 github.com/containerd/btrfs cc52c4dea2ce11a44e6639e561bb5c2af9ada9e3
 github.com/stretchr/testify v1.1.4
@@ -30,7 +30,7 @@ github.com/pkg/errors v0.8.0
 github.com/opencontainers/go-digest 21dfd564fd89c944783d00d069f33e3e7123c448
 golang.org/x/sys 314a259e304ff91bd6985da2a7149bbf91237993 https://github.com/golang/sys
 github.com/opencontainers/image-spec v1.0.1
-github.com/containerd/continuity cf279e6ac893682272b4479d4c67fd3abf878b4e
+github.com/containerd/continuity 1a794c0014a7b786879312d1dab309ba96ead8bc
 golang.org/x/sync 450f422ab23cf9881c94e2db30cac0eb1b7cf80c
 github.com/BurntSushi/toml a368813c5e648fee92e5f6c30e3944ff9d5e8895
 github.com/grpc-ecosystem/go-grpc-prometheus 6b7015e65d366bf3f19b2b2a000a831940f0f7e0

vendor/github.com/containerd/continuity/fs/copy_linux.go

@@ -5,7 +5,6 @@ import (
 	"os"
 	"syscall"
 
-	"github.com/containerd/containerd/sys"
 	"github.com/containerd/continuity/sysx"
 	"github.com/pkg/errors"
 	"golang.org/x/sys/unix"
@@ -36,7 +35,7 @@ func copyFileInfo(fi os.FileInfo, name string) error {
 		}
 	}
 
-	timespec := []unix.Timespec{unix.Timespec(sys.StatAtime(st)), unix.Timespec(sys.StatMtime(st))}
+	timespec := []unix.Timespec{unix.Timespec(StatAtime(st)), unix.Timespec(StatMtime(st))}
 	if err := unix.UtimesNanoAt(unix.AT_FDCWD, name, timespec, unix.AT_SYMLINK_NOFOLLOW); err != nil {
 		return errors.Wrapf(err, "failed to utime %s", name)
 	}

vendor/github.com/containerd/continuity/fs/copy_unix.go

@@ -7,7 +7,6 @@ import (
 	"os"
 	"syscall"
 
-	"github.com/containerd/containerd/sys"
 	"github.com/containerd/continuity/sysx"
 	"github.com/pkg/errors"
 	"golang.org/x/sys/unix"
@@ -38,7 +37,7 @@ func copyFileInfo(fi os.FileInfo, name string) error {
 		}
 	}
 
-	timespec := []syscall.Timespec{sys.StatAtime(st), sys.StatMtime(st)}
+	timespec := []syscall.Timespec{StatAtime(st), StatMtime(st)}
 	if err := syscall.UtimesNano(name, timespec); err != nil {
 		return errors.Wrapf(err, "failed to utime %s", name)
 	}

vendor/github.com/containerd/continuity/fs/stat_bsd.go

@@ -0,0 +1,28 @@
+// +build darwin freebsd
+
+package fs
+
+import (
+	"syscall"
+	"time"
+)
+
+// StatAtime returns the access time from a stat struct
+func StatAtime(st *syscall.Stat_t) syscall.Timespec {
+	return st.Atimespec
+}
+
+// StatCtime returns the created time from a stat struct
+func StatCtime(st *syscall.Stat_t) syscall.Timespec {
+	return st.Ctimespec
+}
+
+// StatMtime returns the modified time from a stat struct
+func StatMtime(st *syscall.Stat_t) syscall.Timespec {
+	return st.Mtimespec
+}
+
+// StatATimeAsTime returns the access time as a time.Time
+func StatATimeAsTime(st *syscall.Stat_t) time.Time {
+	return time.Unix(int64(st.Atimespec.Sec), int64(st.Atimespec.Nsec)) // nolint: unconvert
+}

vendor/github.com/containerd/continuity/fs/stat_linux.go

@@ -0,0 +1,26 @@
+package fs
+
+import (
+	"syscall"
+	"time"
+)
+
+// StatAtime returns the Atim
+func StatAtime(st *syscall.Stat_t) syscall.Timespec {
+	return st.Atim
+}
+
+// StatCtime returns the Ctim
+func StatCtime(st *syscall.Stat_t) syscall.Timespec {
+	return st.Ctim
+}
+
+// StatMtime returns the Mtim
+func StatMtime(st *syscall.Stat_t) syscall.Timespec {
+	return st.Mtim
+}
+
+// StatATimeAsTime returns st.Atim as a time.Time
+func StatATimeAsTime(st *syscall.Stat_t) time.Time {
+	return time.Unix(st.Atim.Sec, st.Atim.Nsec)
+}

vendor/github.com/containerd/continuity/sysx/copy_linux.go

@@ -1,11 +0,0 @@
-package sysx
-
-// These functions will be generated by generate.sh
-//    $ GOOS=linux GOARCH=386 ./generate.sh copy
-//    $ GOOS=linux GOARCH=amd64 ./generate.sh copy
-//    $ GOOS=linux GOARCH=arm ./generate.sh copy
-//    $ GOOS=linux GOARCH=arm64 ./generate.sh copy
-//    $ GOOS=linux GOARCH=ppc64le ./generate.sh copy
-//    $ GOOS=linux GOARCH=s390x ./generate.sh copy
-
-//sys CopyFileRange(fdin uintptr, offin *int64, fdout uintptr, offout *int64, len int, flags int) (n int, err error)

vendor/github.com/containerd/continuity/sysx/copy_linux_386.go

@@ -1,20 +0,0 @@
-// mksyscall.pl -l32 copy_linux.go
-// MACHINE GENERATED BY THE COMMAND ABOVE; DO NOT EDIT
-
-package sysx
-
-import (
-	"syscall"
-	"unsafe"
-)
-
-// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
-
-func CopyFileRange(fdin uintptr, offin *int64, fdout uintptr, offout *int64, len int, flags int) (n int, err error) {
-	r0, _, e1 := syscall.Syscall6(SYS_COPY_FILE_RANGE, uintptr(fdin), uintptr(unsafe.Pointer(offin)), uintptr(fdout), uintptr(unsafe.Pointer(offout)), uintptr(len), uintptr(flags))
-	n = int(r0)
-	if e1 != 0 {
-		err = errnoErr(e1)
-	}
-	return
-}

vendor/github.com/containerd/continuity/sysx/copy_linux_amd64.go

@@ -1,20 +0,0 @@
-// mksyscall.pl copy_linux.go
-// MACHINE GENERATED BY THE COMMAND ABOVE; DO NOT EDIT
-
-package sysx
-
-import (
-	"syscall"
-	"unsafe"
-)
-
-// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
-
-func CopyFileRange(fdin uintptr, offin *int64, fdout uintptr, offout *int64, len int, flags int) (n int, err error) {
-	r0, _, e1 := syscall.Syscall6(SYS_COPY_FILE_RANGE, uintptr(fdin), uintptr(unsafe.Pointer(offin)), uintptr(fdout), uintptr(unsafe.Pointer(offout)), uintptr(len), uintptr(flags))
-	n = int(r0)
-	if e1 != 0 {
-		err = errnoErr(e1)
-	}
-	return
-}

vendor/github.com/containerd/continuity/sysx/copy_linux_arm.go

@@ -1,20 +0,0 @@
-// mksyscall.pl -l32 copy_linux.go
-// MACHINE GENERATED BY THE COMMAND ABOVE; DO NOT EDIT
-
-package sysx
-
-import (
-	"syscall"
-	"unsafe"
-)
-
-// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
-
-func CopyFileRange(fdin uintptr, offin *int64, fdout uintptr, offout *int64, len int, flags int) (n int, err error) {
-	r0, _, e1 := syscall.Syscall6(SYS_COPY_FILE_RANGE, uintptr(fdin), uintptr(unsafe.Pointer(offin)), uintptr(fdout), uintptr(unsafe.Pointer(offout)), uintptr(len), uintptr(flags))
-	n = int(r0)
-	if e1 != 0 {
-		err = errnoErr(e1)
-	}
-	return
-}

vendor/github.com/containerd/continuity/sysx/copy_linux_arm64.go

@@ -1,20 +0,0 @@
-// mksyscall.pl copy_linux.go
-// MACHINE GENERATED BY THE COMMAND ABOVE; DO NOT EDIT
-
-package sysx
-
-import (
-	"syscall"
-	"unsafe"
-)
-
-// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
-
-func CopyFileRange(fdin uintptr, offin *int64, fdout uintptr, offout *int64, len int, flags int) (n int, err error) {
-	r0, _, e1 := syscall.Syscall6(SYS_COPY_FILE_RANGE, uintptr(fdin), uintptr(unsafe.Pointer(offin)), uintptr(fdout), uintptr(unsafe.Pointer(offout)), uintptr(len), uintptr(flags))
-	n = int(r0)
-	if e1 != 0 {
-		err = errnoErr(e1)
-	}
-	return
-}

vendor/github.com/containerd/continuity/sysx/copy_linux_ppc64le.go

@@ -1,20 +0,0 @@
-// mksyscall.pl copy_linux.go
-// MACHINE GENERATED BY THE COMMAND ABOVE; DO NOT EDIT
-
-package sysx
-
-import (
-	"syscall"
-	"unsafe"
-)
-
-// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
-
-func CopyFileRange(fdin uintptr, offin *int64, fdout uintptr, offout *int64, len int, flags int) (n int, err error) {
-	r0, _, e1 := syscall.Syscall6(SYS_COPY_FILE_RANGE, uintptr(fdin), uintptr(unsafe.Pointer(offin)), uintptr(fdout), uintptr(unsafe.Pointer(offout)), uintptr(len), uintptr(flags))
-	n = int(r0)
-	if e1 != 0 {
-		err = errnoErr(e1)
-	}
-	return
-}

vendor/github.com/containerd/continuity/sysx/copy_linux_s390x.go

@@ -1,20 +0,0 @@
-// mksyscall.pl copy_linux.go
-// MACHINE GENERATED BY THE COMMAND ABOVE; DO NOT EDIT
-
-package sysx
-
-import (
-	"syscall"
-	"unsafe"
-)
-
-// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
-
-func CopyFileRange(fdin uintptr, offin *int64, fdout uintptr, offout *int64, len int, flags int) (n int, err error) {
-	r0, _, e1 := syscall.Syscall6(SYS_COPY_FILE_RANGE, uintptr(fdin), uintptr(unsafe.Pointer(offin)), uintptr(fdout), uintptr(unsafe.Pointer(offout)), uintptr(len), uintptr(flags))
-	n = int(r0)
-	if e1 != 0 {
-		err = errnoErr(e1)
-	}
-	return
-}

vendor/github.com/containerd/continuity/sysx/sysnum_linux_386.go

@@ -1,7 +0,0 @@
-package sysx
-
-const (
-	// SYS_COPYFILERANGE defined in Kernel 4.5+
-	// Number defined in /usr/include/asm/unistd_32.h
-	SYS_COPY_FILE_RANGE = 377
-)

vendor/github.com/containerd/continuity/sysx/sysnum_linux_amd64.go

@@ -1,7 +0,0 @@
-package sysx
-
-const (
-	// SYS_COPYFILERANGE defined in Kernel 4.5+
-	// Number defined in /usr/include/asm/unistd_64.h
-	SYS_COPY_FILE_RANGE = 326
-)

vendor/github.com/containerd/continuity/sysx/sysnum_linux_arm.go

@@ -1,7 +0,0 @@
-package sysx
-
-const (
-	// SYS_COPY_FILE_RANGE defined in Kernel 4.5+
-	// Number defined in /usr/include/arm-linux-gnueabihf/asm/unistd.h
-	SYS_COPY_FILE_RANGE = 391
-)

vendor/github.com/containerd/continuity/sysx/sysnum_linux_arm64.go

@@ -1,7 +0,0 @@
-package sysx
-
-const (
-	// SYS_COPY_FILE_RANGE defined in Kernel 4.5+
-	// Number defined in /usr/include/asm-generic/unistd.h
-	SYS_COPY_FILE_RANGE = 285
-)

vendor/github.com/containerd/continuity/sysx/sysnum_linux_ppc64le.go

@@ -1,7 +0,0 @@
-package sysx
-
-const (
-	// SYS_COPYFILERANGE defined in Kernel 4.5+
-	// Number defined in /usr/include/asm/unistd_64.h
-	SYS_COPY_FILE_RANGE = 379
-)

vendor/github.com/containerd/continuity/sysx/sysnum_linux_s390x.go

@@ -1,7 +0,0 @@
-package sysx
-
-const (
-	// SYS_COPYFILERANGE defined in Kernel 4.5+
-	// Number defined in /usr/include/asm/unistd_64.h
-	SYS_COPY_FILE_RANGE = 375
-)

vendor/github.com/containerd/continuity/vendor.conf

@@ -0,0 +1,13 @@
+bazil.org/fuse 371fbbdaa8987b715bdd21d6adc4c9b20155f748
+github.com/dustin/go-humanize bb3d318650d48840a39aa21a027c6630e198e626
+github.com/golang/protobuf 1e59b77b52bf8e4b449a57e6f79f21226d571845
+github.com/inconshreveable/mousetrap 76626ae9c91c4f2a10f34cad8ce83ea42c93bb75
+github.com/opencontainers/go-digest 279bed98673dd5bef374d3b6e4b09e2af76183bf
+github.com/pkg/errors f15c970de5b76fac0b59abb32d62c17cc7bed265
+github.com/sirupsen/logrus 89742aefa4b206dcf400792f3bd35b542998eb3b
+github.com/spf13/cobra 2da4a54c5ceefcee7ca5dd0eea1e18a3b6366489
+github.com/spf13/pflag 4c012f6dcd9546820e378d0bdda4d8fc772cdfea
+golang.org/x/crypto 9f005a07e0d31d45e6656d241bb5c0f2efd4bc94
+golang.org/x/net a337091b0525af65de94df2eb7e98bd9962dcbe2
+golang.org/x/sync 450f422ab23cf9881c94e2db30cac0eb1b7cf80c
+golang.org/x/sys 665f6529cca930e27b831a0d1dafffbe1c172924

vendor/github.com/docker/docker/hack/README.md

@@ -0,0 +1,60 @@
+## About
+
+This directory contains a collection of scripts used to build and manage this
+repository. If there are any issues regarding the intention of a particular
+script (or even part of a certain script), please reach out to us.
+It may help us either refine our current scripts, or add on new ones
+that are appropriate for a given use case.
+
+## DinD (dind.sh)
+
+DinD is a wrapper script which allows Docker to be run inside a Docker
+container. DinD requires the container to
+be run with privileged mode enabled.
+
+## Generate Authors (generate-authors.sh)
+
+Generates AUTHORS; a file with all the names and corresponding emails of
+individual contributors. AUTHORS can be found in the home directory of
+this repository.
+
+## Make
+
+There are two make files, each with different extensions. Neither are supposed
+to be called directly; only invoke `make`. Both scripts run inside a Docker
+container.
+
+### make.ps1
+
+- The Windows native build script that uses PowerShell semantics; it is limited
+unlike `hack\make.sh` since it does not provide support for the full set of
+operations provided by the Linux counterpart, `make.sh`. However, `make.ps1`
+does provide support for local Windows development and Windows to Windows CI.
+More information is found within `make.ps1` by the author, @jhowardmsft
+
+### make.sh
+
+- Referenced via `make test` when running tests on a local machine,
+or directly referenced when running tests inside a Docker development container.  
+- When running on a local machine, `make test` to run all tests found in
+`test`, `test-unit`, `test-integration`, and `test-docker-py` on
+your local machine. The default timeout is set in `make.sh` to 60 minutes
+(`${TIMEOUT:=60m}`), since it currently takes up to an hour to run
+all of the tests.
+- When running inside a Docker development container, `hack/make.sh` does
+not have a single target that runs all the tests. You need to provide a
+single command line with multiple targets that performs the same thing.
+An example referenced from [Run targets inside a development container](https://docs.docker.com/opensource/project/test-and-docs/#run-targets-inside-a-development-container): `root@5f8630b873fe:/go/src/github.com/moby/moby# hack/make.sh dynbinary binary cross test-unit test-integration test-docker-py`
+- For more information related to testing outside the scope of this README,
+refer to
+[Run tests and test documentation](https://docs.docker.com/opensource/project/test-and-docs/)
+
+## Release (release.sh)
+
+Releases any bundles built by `make` on a public AWS S3 bucket.
+For information regarding configuration, please view `release.sh`.
+
+## Vendor (vendor.sh)
+
+A shell script that is a wrapper around Vndr. For information on how to use
+this, please refer to [vndr's README](https://github.com/LK4D4/vndr/blob/master/README.md)

vendor/github.com/docker/docker/hack/integration-cli-on-swarm/README.md

@@ -0,0 +1,69 @@
+# Integration Testing on Swarm
+
+IT on Swarm allows you to execute integration test in parallel across a Docker Swarm cluster
+
+## Architecture
+
+### Master service
+
+  - Works as a funker caller
+  - Calls a worker funker (`-worker-service`) with a chunk of `-check.f` filter strings (passed as a file via `-input` flag, typically `/mnt/input`)
+
+### Worker service
+
+  - Works as a funker callee
+  - Executes an equivalent of `TESTFLAGS=-check.f TestFoo|TestBar|TestBaz ... make test-integration-cli` using the bind-mounted API socket (`docker.sock`)
+
+### Client
+
+  - Controls master and workers via `docker stack`
+  - No need to have a local daemon
+
+Typically, the master and workers are supposed to be running on a cloud environment,
+while the client is supposed to be running on a laptop, e.g. Docker for Mac/Windows.
+
+## Requirement
+
+  - Docker daemon 1.13 or later
+  - Private registry for distributed execution with multiple nodes
+
+## Usage
+
+### Step 1: Prepare images
+
+    $ make build-integration-cli-on-swarm
+
+Following environment variables are known to work in this step:
+
+ - `BUILDFLAGS`
+ - `DOCKER_INCREMENTAL_BINARY`
+
+Note: during the transition into Moby Project, you might need to create a symbolic link `$GOPATH/src/github.com/docker/docker` to `$GOPATH/src/github.com/moby/moby`. 
+
+### Step 2: Execute tests
+
+    $ ./hack/integration-cli-on-swarm/integration-cli-on-swarm -replicas 40 -push-worker-image YOUR_REGISTRY.EXAMPLE.COM/integration-cli-worker:latest 
+
+Following environment variables are known to work in this step:
+
+ - `DOCKER_GRAPHDRIVER`
+ - `DOCKER_EXPERIMENTAL`
+
+#### Flags
+
+Basic flags:
+
+ - `-replicas N`: the number of worker service replicas. i.e. degree of parallelism.
+ - `-chunks N`: the number of chunks. By default, `chunks` == `replicas`.
+ - `-push-worker-image REGISTRY/IMAGE:TAG`: push the worker image to the registry. Note that if you have only single node and hence you do not need a private registry, you do not need to specify `-push-worker-image`.
+
+Experimental flags for mitigating makespan nonuniformity:
+
+ - `-shuffle`: Shuffle the test filter strings
+
+Flags for debugging IT on Swarm itself:
+
+ - `-rand-seed N`: the random seed. This flag is useful for deterministic replaying. By default(0), the timestamp is used.
+ - `-filters-file FILE`: the file contains `-check.f` strings. By default, the file is automatically generated.
+ - `-dry-run`: skip the actual workload
+ - `keep-executor`: do not auto-remove executor containers, which is used for running privileged programs on Swarm

vendor/github.com/docker/docker/hack/integration-cli-on-swarm/agent/vendor.conf

@@ -0,0 +1,2 @@
+# dependencies specific to worker (i.e. github.com/docker/docker/...) are not vendored here
+github.com/bfirsh/funker-go eaa0a2e06f30e72c9a0b7f858951e581e26ef773

vendor/github.com/opencontainers/runc/libcontainer/nsenter/nsexec.c

@@ -22,7 +22,6 @@
 #include <sys/types.h>
 #include <sys/wait.h>
 
-
 #include <linux/limits.h>
 #include <linux/netlink.h>
 #include <linux/types.h>
@@ -32,15 +31,15 @@
 
 /* Synchronisation values. */
 enum sync_t {
-	SYNC_USERMAP_PLS = 0x40, /* Request parent to map our users. */
+	SYNC_USERMAP_PLS = 0x40,	/* Request parent to map our users. */
-	SYNC_USERMAP_ACK = 0x41, /* Mapping finished by the parent. */
+	SYNC_USERMAP_ACK = 0x41,	/* Mapping finished by the parent. */
-	SYNC_RECVPID_PLS = 0x42, /* Tell parent we're sending the PID. */
+	SYNC_RECVPID_PLS = 0x42,	/* Tell parent we're sending the PID. */
-	SYNC_RECVPID_ACK = 0x43, /* PID was correctly received by parent. */
+	SYNC_RECVPID_ACK = 0x43,	/* PID was correctly received by parent. */
-	SYNC_GRANDCHILD  = 0x44, /* The grandchild is ready to run. */
+	SYNC_GRANDCHILD = 0x44,	/* The grandchild is ready to run. */
-	SYNC_CHILD_READY = 0x45, /* The child or grandchild is ready to return. */
+	SYNC_CHILD_READY = 0x45,	/* The child or grandchild is ready to return. */
 
 	/* XXX: This doesn't help with segfaults and other such issues. */
-	SYNC_ERR = 0xFF, /* Fatal error, no turning back. The error code follows. */
+	SYNC_ERR = 0xFF,	/* Fatal error, no turning back. The error code follows. */
 };
 
 /* longjmp() arguments. */
@@ -73,7 +72,7 @@ struct nlconfig_t {
 	char *oom_score_adj;
 	size_t oom_score_adj_len;
 
-	/* User namespace settings.*/
+	/* User namespace settings. */
 	char *uidmap;
 	size_t uidmap_len;
 	char *gidmap;
@@ -82,7 +81,7 @@ struct nlconfig_t {
 	size_t namespaces_len;
 	uint8_t is_setgroup;
 
-	/* Rootless container settings.*/
+	/* Rootless container settings. */
 	uint8_t is_rootless;
 	char *uidmappath;
 	size_t uidmappath_len;
@@ -167,7 +166,7 @@ static int write_file(char *data, size_t data_len, char *pathfmt, ...)
 		goto out;
 	}
 
-out:
+ out:
 	close(fd);
 	return ret;
 }
@@ -184,16 +183,16 @@ static void update_setgroups(int pid, enum policy_t setgroup)
 	char *policy;
 
 	switch (setgroup) {
-		case SETGROUPS_ALLOW:
+	case SETGROUPS_ALLOW:
-			policy = "allow";
+		policy = "allow";
-			break;
+		break;
-		case SETGROUPS_DENY:
+	case SETGROUPS_DENY:
-			policy = "deny";
+		policy = "deny";
-			break;
+		break;
-		case SETGROUPS_DEFAULT:
+	case SETGROUPS_DEFAULT:
-		default:
+	default:
-			/* Nothing to do. */
+		/* Nothing to do. */
-			return;
+		return;
 	}
 
 	if (write_file(policy, strlen(policy), "/proc/%d/setgroups", pid) < 0) {
@@ -226,14 +225,14 @@ static int try_mapping_tool(const char *app, int pid, char *map, size_t map_len)
 	if (!child) {
 #define MAX_ARGV 20
 		char *argv[MAX_ARGV];
-		char *envp[] = {NULL};
+		char *envp[] = { NULL };
 		char pid_fmt[16];
 		int argc = 0;
 		char *next;
 
 		snprintf(pid_fmt, 16, "%d", pid);
 
-		argv[argc++] = (char *) app;
+		argv[argc++] = (char *)app;
 		argv[argc++] = pid_fmt;
 		/*
 		 * Convert the map string into a list of argument that
@@ -319,7 +318,7 @@ static int clone_parent(jmp_buf *env, int jmpval) __attribute__ ((noinline));
 static int clone_parent(jmp_buf *env, int jmpval)
 {
 	struct clone_t ca = {
-		.env    = env,
+		.env = env,
 		.jmpval = jmpval,
 	};
 
@@ -533,7 +532,7 @@ void nsexec(void)
 	int pipenum;
 	jmp_buf env;
 	int sync_child_pipe[2], sync_grandchild_pipe[2];
-	struct nlconfig_t config = {0};
+	struct nlconfig_t config = { 0 };
 
 	/*
 	 * If we don't have an init pipe, just return to the go routine.
@@ -630,21 +629,21 @@ void nsexec(void)
 	 */
 
 	switch (setjmp(env)) {
-	/*
+		/*
-	 * Stage 0: We're in the parent. Our job is just to create a new child
+		 * Stage 0: We're in the parent. Our job is just to create a new child
-	 *          (stage 1: JUMP_CHILD) process and write its uid_map and
+		 *          (stage 1: JUMP_CHILD) process and write its uid_map and
-	 *          gid_map. That process will go on to create a new process, then
+		 *          gid_map. That process will go on to create a new process, then
-	 *          it will send us its PID which we will send to the bootstrap
+		 *          it will send us its PID which we will send to the bootstrap
-	 *          process.
+		 *          process.
-	 */
+		 */
-	case JUMP_PARENT: {
+	case JUMP_PARENT:{
 			int len;
 			pid_t child, first_child = -1;
 			char buf[JSON_MAX];
 			bool ready = false;
 
 			/* For debugging. */
-			prctl(PR_SET_NAME, (unsigned long) "runc:[0:PARENT]", 0, 0, 0);
+			prctl(PR_SET_NAME, (unsigned long)"runc:[0:PARENT]", 0, 0, 0);
 
 			/* Start the process of getting a container. */
 			child = clone_parent(&env, JUMP_CHILD);
@@ -702,7 +701,7 @@ void nsexec(void)
 						bail("failed to sync with child: write(SYNC_USERMAP_ACK)");
 					}
 					break;
-				case SYNC_RECVPID_PLS: {
+				case SYNC_RECVPID_PLS:{
 						first_child = child;
 
 						/* Get the init_func pid. */
@@ -781,16 +780,16 @@ void nsexec(void)
 			exit(0);
 		}
 
-	/*
+		/*
-	 * Stage 1: We're in the first child process. Our job is to join any
+		 * Stage 1: We're in the first child process. Our job is to join any
-	 *          provided namespaces in the netlink payload and unshare all
+		 *          provided namespaces in the netlink payload and unshare all
-	 *          of the requested namespaces. If we've been asked to
+		 *          of the requested namespaces. If we've been asked to
-	 *          CLONE_NEWUSER, we will ask our parent (stage 0) to set up
+		 *          CLONE_NEWUSER, we will ask our parent (stage 0) to set up
-	 *          our user mappings for us. Then, we create a new child
+		 *          our user mappings for us. Then, we create a new child
-	 *          (stage 2: JUMP_INIT) for PID namespace. We then send the
+		 *          (stage 2: JUMP_INIT) for PID namespace. We then send the
-	 *          child's PID to our parent (stage 0).
+		 *          child's PID to our parent (stage 0).
-	 */
+		 */
-	case JUMP_CHILD: {
+	case JUMP_CHILD:{
 			pid_t child;
 			enum sync_t s;
 
@@ -799,7 +798,7 @@ void nsexec(void)
 			close(sync_child_pipe[1]);
 
 			/* For debugging. */
-			prctl(PR_SET_NAME, (unsigned long) "runc:[1:CHILD]", 0, 0, 0);
+			prctl(PR_SET_NAME, (unsigned long)"runc:[1:CHILD]", 0, 0, 0);
 
 			/*
 			 * We need to setns first. We cannot do this earlier (in stage 0)
@@ -901,13 +900,13 @@ void nsexec(void)
 			exit(0);
 		}
 
-	/*
+		/*
-	 * Stage 2: We're the final child process, and the only process that will
+		 * Stage 2: We're the final child process, and the only process that will
-	 *          actually return to the Go runtime. Our job is to just do the
+		 *          actually return to the Go runtime. Our job is to just do the
-	 *          final cleanup steps and then return to the Go runtime to allow
+		 *          final cleanup steps and then return to the Go runtime to allow
-	 *          init_linux.go to run.
+		 *          init_linux.go to run.
-	 */
+		 */
-	case JUMP_INIT: {
+	case JUMP_INIT:{
 			/*
 			 * We're inside the child now, having jumped from the
 			 * start_child() code after forking in the parent.
@@ -921,7 +920,7 @@ void nsexec(void)
 			close(sync_child_pipe[1]);
 
 			/* For debugging. */
-			prctl(PR_SET_NAME, (unsigned long) "runc:[2:INIT]", 0, 0, 0);
+			prctl(PR_SET_NAME, (unsigned long)"runc:[2:INIT]", 0, 0, 0);
 
 			if (read(syncfd, &s, sizeof(s)) != sizeof(s))
 				bail("failed to sync with parent: read(SYNC_GRANDCHILD)");