Merge pull request #2788 from crosbymichael/runc-bump

Update runc to 10d38b660a77168360df3522881e2dc2be
Michael Crosby 2018-11-16 12:39:47 -05:00 committed by GitHub
commit ee41ce3f8c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 67 additions and 40 deletions


@ -20,7 +20,7 @@ github.com/gogo/protobuf v1.0.0
github.com/gogo/googleapis 08a7655d27152912db7aaf4f983275eaf8d128ef github.com/gogo/googleapis 08a7655d27152912db7aaf4f983275eaf8d128ef
github.com/golang/protobuf v1.1.0 github.com/golang/protobuf v1.1.0
github.com/opencontainers/runtime-spec eba862dc2470385a233c7507392675cbeadf7353 # v1.0.1-45-geba862d github.com/opencontainers/runtime-spec eba862dc2470385a233c7507392675cbeadf7353 # v1.0.1-45-geba862d
github.com/opencontainers/runc 58592df56734acf62e574865fe40b9e53e967910 github.com/opencontainers/runc 10d38b660a77168360df3522881e2dc2be5056bd
github.com/sirupsen/logrus v1.0.3 github.com/sirupsen/logrus v1.0.3
github.com/urfave/cli 7bc6a0acffa589f415f88aca16cc1de5ffd66f9c github.com/urfave/cli 7bc6a0acffa589f415f88aca16cc1de5ffd66f9c
golang.org/x/net b3756b4b77d7b13260a0a2ec658753cf48922eac golang.org/x/net b3756b4b77d7b13260a0a2ec658753cf48922eac


@ -68,6 +68,7 @@ make BUILDTAGS='seccomp apparmor'
| selinux | selinux process and mount labeling | <none> | | selinux | selinux process and mount labeling | <none> |
| apparmor | apparmor profile support | <none> | | apparmor | apparmor profile support | <none> |
| ambient | ambient capability support | kernel 4.3 | | ambient | ambient capability support | kernel 4.3 |
| nokmem | disable kernel memory account | <none> |
### Running the test suite ### Running the test suite
@ -263,3 +264,7 @@ PIDFile=/run/mycontainerid.pid
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target
``` ```
## License
The code and docs are released under the [Apache 2.0 license](LICENSE).


@ -148,6 +148,7 @@ config := &configs.Config{
{Type: configs.NEWPID}, {Type: configs.NEWPID},
{Type: configs.NEWUSER}, {Type: configs.NEWUSER},
{Type: configs.NEWNET}, {Type: configs.NEWNET},
{Type: configs.NEWCGROUP},
}), }),
Cgroups: &configs.Cgroup{ Cgroups: &configs.Cgroup{
Name: "test-container", Name: "test-container",
@ -323,6 +324,7 @@ generated when building libcontainer with docker.
## Copyright and license ## Copyright and license
Code and documentation copyright 2014 Docker, inc. Code released under the Apache 2.0 license. Code and documentation copyright 2014 Docker, inc.
Docs released under Creative commons. The code and documentation are released under the [Apache 2.0 license](../LICENSE).
The documentation is also released under Creative Commons Attribution 4.0 International License.
You may obtain a copy of the license, titled CC-BY-4.0, at http://creativecommons.org/licenses/by/4.0/.


@ -13,6 +13,7 @@ const (
NEWUTS NamespaceType = "NEWUTS" NEWUTS NamespaceType = "NEWUTS"
NEWIPC NamespaceType = "NEWIPC" NEWIPC NamespaceType = "NEWIPC"
NEWUSER NamespaceType = "NEWUSER" NEWUSER NamespaceType = "NEWUSER"
NEWCGROUP NamespaceType = "NEWCGROUP"
) )
var ( var (
@ -35,6 +36,8 @@ func NsName(ns NamespaceType) string {
return "user" return "user"
case NEWUTS: case NEWUTS:
return "uts" return "uts"
case NEWCGROUP:
return "cgroup"
} }
return "" return ""
} }
@ -68,6 +71,7 @@ func NamespaceTypes() []NamespaceType {
NEWNET, NEWNET,
NEWPID, NEWPID,
NEWNS, NEWNS,
NEWCGROUP,
} }
} }
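Review bot: NEWCGROUP is added to the constant block, NsName and NamespaceTypes without any comment, yet it is the one namespace type whose creation is not done by the bulk unshare — the nsexec.c hunk in this PR masks CLONE_NEWCGROUP out and unshares it separately after a sync byte from the parent. A one-line note on the constant, such as `NEWCGROUP NamespaceType = "NEWCGROUP" // created late in nsexec, after cgroup setup (see CREATECGROUPNS in nsexec.c)`, would save the next reader from assuming it behaves like the other entries. NsName and NamespaceTypes both start outside their hunks, so whether either already documents the ordering cannot be seen here.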


@ -15,6 +15,7 @@ var namespaceInfo = map[NamespaceType]int{
NEWIPC: unix.CLONE_NEWIPC, NEWIPC: unix.CLONE_NEWIPC,
NEWUTS: unix.CLONE_NEWUTS, NEWUTS: unix.CLONE_NEWUTS,
NEWPID: unix.CLONE_NEWPID, NEWPID: unix.CLONE_NEWPID,
NEWCGROUP: unix.CLONE_NEWCGROUP,
} }
// CloneFlags parses the container's Namespaces options to set the correct // CloneFlags parses the container's Namespaces options to set the correct
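Review bot: The new map entry references unix.CLONE_NEWCGROUP, which only compiles if the vendored golang.org/x/sys revision exports that constant; the vendor.conf hunk in this PR shows only golang.org/x/net in its window, so it is worth confirming the vendored x/sys is recent enough rather than relying on the bump of runc alone. If it is not, the fix is a vendor.conf bump of golang.org/x/sys in the same PR, not a local constant. The CloneFlags function whose comment begins at the last line continues outside the hunk.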


@ -42,6 +42,12 @@ enum sync_t {
SYNC_ERR = 0xFF, /* Fatal error, no turning back. The error code follows. */ SYNC_ERR = 0xFF, /* Fatal error, no turning back. The error code follows. */
}; };
/*
* Synchronisation value for cgroup namespace setup.
* The same constant is defined in process_linux.go as "createCgroupns".
*/
#define CREATECGROUPNS 0x80
/* longjmp() arguments. */ /* longjmp() arguments. */
#define JUMP_PARENT 0x00 #define JUMP_PARENT 0x00
#define JUMP_CHILD 0xA0 #define JUMP_CHILD 0xA0
@ -640,7 +646,6 @@ void nsexec(void)
case JUMP_PARENT:{ case JUMP_PARENT:{
int len; int len;
pid_t child, first_child = -1; pid_t child, first_child = -1;
char buf[JSON_MAX];
bool ready = false; bool ready = false;
/* For debugging. */ /* For debugging. */
@ -716,6 +721,18 @@ void nsexec(void)
kill(child, SIGKILL); kill(child, SIGKILL);
bail("failed to sync with child: write(SYNC_RECVPID_ACK)"); bail("failed to sync with child: write(SYNC_RECVPID_ACK)");
} }
/* Send the init_func pid back to our parent.
*
* Send the init_func pid and the pid of the first child back to our parent.
* We need to send both back because we can't reap the first child we created (CLONE_PARENT).
* It becomes the responsibility of our parent to reap the first child.
*/
len = dprintf(pipenum, "{\"pid\": %d, \"pid_first\": %d}\n", child, first_child);
if (len < 0) {
kill(child, SIGKILL);
bail("unable to generate JSON for child pid");
}
} }
break; break;
case SYNC_CHILD_READY: case SYNC_CHILD_READY:
@ -759,23 +776,6 @@ void nsexec(void)
bail("unexpected sync value: %u", s); bail("unexpected sync value: %u", s);
} }
} }
/*
* Send the init_func pid and the pid of the first child back to our parent.
*
* We need to send both back because we can't reap the first child we created (CLONE_PARENT).
* It becomes the responsibility of our parent to reap the first child.
*/
len = snprintf(buf, JSON_MAX, "{\"pid\": %d, \"pid_first\": %d}\n", child, first_child);
if (len < 0) {
kill(child, SIGKILL);
bail("unable to generate JSON for child pid");
}
if (write(pipenum, buf, len) != len) {
kill(child, SIGKILL);
bail("unable to send child pid to bootstrapper");
}
exit(0); exit(0);
} }
@ -862,14 +862,17 @@ void nsexec(void)
if (setresuid(0, 0, 0) < 0) if (setresuid(0, 0, 0) < 0)
bail("failed to become root in user namespace"); bail("failed to become root in user namespace");
} }
/* /*
* Unshare all of the namespaces. Note that we don't merge this * Unshare all of the namespaces. Now, it should be noted that this
* with clone() because there were some old kernel versions where * ordering might break in the future (especially with rootless
* clone(CLONE_PARENT | CLONE_NEWPID) was broken, so we'll just do * containers). But for now, it's not possible to split this into
* it the long way. * CLONE_NEWUSER + [the rest] because of some RHEL SELinux issues.
*
* Note that we don't merge this with clone() because there were
* some old kernel versions where clone(CLONE_PARENT | CLONE_NEWPID)
* was broken, so we'll just do it the long way anyway.
*/ */
if (unshare(config.cloneflags) < 0) if (unshare(config.cloneflags & ~CLONE_NEWCGROUP) < 0)
bail("failed to unshare namespaces"); bail("failed to unshare namespaces");
/* /*
@ -958,6 +961,18 @@ void nsexec(void)
bail("setgroups failed"); bail("setgroups failed");
} }
/* ... wait until our topmost parent has finished cgroup setup in p.manager.Apply() ... */
if (config.cloneflags & CLONE_NEWCGROUP) {
uint8_t value;
if (read(pipenum, &value, sizeof(value)) != sizeof(value))
bail("read synchronisation value failed");
if (value == CREATECGROUPNS) {
if (unshare(CLONE_NEWCGROUP) < 0)
bail("failed to unshare cgroup namespace");
} else
bail("received unknown synchronisation value");
}
s = SYNC_CHILD_READY; s = SYNC_CHILD_READY;
if (write(syncfd, &s, sizeof(s)) != sizeof(s)) if (write(syncfd, &s, sizeof(s)) != sizeof(s))
bail("failed to sync with patent: write(SYNC_CHILD_READY)"); bail("failed to sync with patent: write(SYNC_CHILD_READY)");
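Review bot: The init-stage handshake added before SYNC_CHILD_READY blocks on `read(pipenum, &value, sizeof(value))` whenever CLONE_NEWCGROUP is requested, and the only accepted outcome is the parent writing exactly CREATECGROUPNS; if the Go side fails during cgroup setup before it writes (process_linux.go is not part of this diff), the init process stays parked on that read until something kills it, so the parent's error paths should be confirmed to close the pipe so the read returns 0 and reaches the bail. The 0x80 value is mirrored by hand on the Go side with no compile-time tie, so the cross-reference comment added here should have a matching one in the Go definition, and a test that compares the two is the cheap guard against drift. Separately, the comment block added in the SYNC_RECVPID_ACK hunk opens with a stray first line — `/* Send the init_func pid back to our parent.` immediately followed by the fuller paragraph saying the same thing — and should begin with `/*` and then ` * Send the init_func pid and the pid of the first child back to our parent.`. The trailing `} else` / `bail("received unknown synchronisation value");` in the new block should take braces like the `if` branch above it, and nsexec() itself starts and ends outside these hunks.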