This commit adds support for the PID namespace mode TARGET
when generating a container spec.
The container that is created will be sharing its PID namespace
with the target container that was specified by ID in the namespace
options.
Signed-off-by: Thomas Hartland <thomas.george.hartland@cern.ch>
The proto version was updated with cgroup in v1.0.0 but
the protos were not regenerated. The v1.0.1 tag fixes this.
Signed-off-by: Derek McGowan <derek@mcg.dev>
Using `-E` preserves environment variables, except for PATH, so PATH has to be
manually set to match the current environment.
I removed env-vars that were redundant (such as `GOPATH=$GOPATH`), which should
be handled by `-E`.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: https://github.com/google/uuid/compare/v1.1.2...v1.2.0
I did not switch to us the `uuid.NewString()` function; we are not currently using
`uuid.New()`, probably because it can `panic` in case an invalid UUID is produced;
in stead we are using `uuid.NewRandom()`, which is equivalent, but returns an
error instead.
Changes:
- v1.2.0: Add NewString()
This release introduces the NewString() function which is the equivalent of
uuid.New().String().
- v1.1.5: Syntactic cleanup
There are no code changes. A missing period was add to a godoc comment and the
linter was told to not complain that the results of hash.Write() are ignored
(the function cannot fail)
- v1.1.4: Further error optimizations
Do not allocate memory for errors (it is only one word)
- v1.1.3: Optimize error reporting
Optimize length of time it takes to discover an input is bad by no longer using
fmt.Errorf, which is quite slow. It now uses a custom error type that formats
the string when the Error method is called rather than when generating the error.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
It does not make sense to check if seccomp is supported by the kernel
more than once per runtime, so let's use sync.Once to speed it up.
A quick benchmark (old implementation, before this commit, after):
BenchmarkIsEnabledOld-4 37183 27971 ns/op
BenchmarkIsEnabled-4 1252161 947 ns/op
BenchmarkIsEnabledOnce-4 666274008 2.14 ns/op
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Current implementation of seccomp.IsEnabled (rooted in runc) is not
too good.
First, it parses the whole /proc/self/status, adding each key: value
pair into the map (lots of allocations and future work for garbage
collector), when using a single key from that map.
Second, the presence of "Seccomp" key in /proc/self/status merely means
that kernel option CONFIG_SECCOMP is set, but there is a need to _also_
check for CONFIG_SECCOMP_FILTER (the code for which exists but never
executed in case /proc/self/status has Seccomp key).
Replace all this with a single call to prctl; see the long comment in
the code for details.
While at it, improve the IsEnabled documentation.
NOTE historically, parsing /proc/self/status was added after a concern
was raised in https://github.com/opencontainers/runc/pull/471 that
prctl(PR_GET_SECCOMP, ...) can result in the calling process being
killed with SIGKILL. This is a valid concern, so the new code here
does not use PR_GET_SECCOMP at all.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
fork/exec can fail and log a warning like this in containerd's log:
failed to clean up after shim disconnected error=": fork/exec /usr/local/bin/containerd-shim-[my-shim]: no such file or directory" id=test namespace=default
Passing the bundle path on the command line allows the shim delete
command to run successfully.
Signed-off-by: Samuel Karp <me@samuelkarp.com>
Deleting a non-empty namespace fails with
> namespace must be empty: failed precondition
This change improves the error message by listing the types of
the objects in the namespace that prevent deletion.
Signed-off-by: Kazuyoshi Kato <katokazu@amazon.com>
