Attempt to fix CI is failing due to a regression in Go 1.10.6 / 1.11.3 (see https://github.com/golang/go/issues/29241)
```
package github.com/containernetworking/plugins/...: github.com/containernetworking/plugins/...: invalid import path: malformed import path "github.com/containernetworking/plugins/...": double dot
```
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
There are two images, A and B. A is based on B. If user pulls A first,
then user pulls B. containerd already has the unpacked snapshots in the
backend. During unpacking B, the client doesn't set gc snapshot
reference label to the config descriptor. That is the problem.
The gc module cannot reach the snapshot from the config descriptor. If
user removes the image B, the snapshot will be deleted by gc module.
That is why we should always set the snapshot gc label to config
descriptor.
Signed-off-by: Wei Fu <fhfuwei@163.com>
There is still a special case where the client side fails to open or
load causes things to be slow and the shim can lock up when this
happens. This adds a timeout to the context for this case to abort fifo
creation.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
The $EDITOR is not clear for user. If the env doesn't set the value for
$EDITOR, the users don't know how to use this subcommand when they get
error like this:
```
sh: 1: /tmp/edit-605573012: Permission denied
```
Signed-off-by: Wei Fu <fuweid89@gmail.com>
Adds ctr run --memory-limit for all platforms.
Adds ctr run --cpu-count for Windows platforms.
Signed-off-by: Justin Terry (VM) <juterry@microsoft.com>
```
1152b960fcee041f50df15cdc67c29dbccf801ef (HEAD -> master, origin/master)
Merge pull request #73 from gliptak/gofmt1
afd5981a16647b45b6dba3a50a88418b576cc17d Gofmt cgroup_test
65ce98b3dfeb0a9a8fecd7e4ebffb24ad0bfe28f Merge pull request #69 from
cclerget/master-weight-pointer
0f372c6d4a65a49c72b0afbd1aee6214637958bf Merge pull request #71 from
JoeWrightss/patch-1
f48bd85c9cbc306fada0cebc3a646a1f1fe99afe Fixs return error message
10cd53efd916e22b9bdea67223d287684f57f1f4 Merge pull request #70 from
gliptak/patch-1
64bade4cea6c438ee51a7a12528225946b42c6ca Take value instead of pointer
value
b49c4713f3824e81bfa67faddcdde1414171b54e Correct ineffassign warning
3bc6dde829bc2dc8d4097ce8ad5acc275de3df06 Merge pull request #68 from
cclerget/master-net_prio-typo
6b552a86e60e31903d3f8f3f494eda71f562cc54 Fix net_prio typo
c0437c3dd5958f74d7f54e9f5def749850b9d6a1 Merge pull request #67 from
gpanouts/get-all-cgroup-tasks
a31a0ff985237eddf30d9fe30a3643c7da4ae912 Add functionality for
retrieving all tasks of a cgroup
82cb49fc1779971dfef4ad696f1453f6f44987b1 Merge pull request #63 from
ChrsMark/lenient-subsystems-checking
7d825b29aecc02bb1e9bede427f8ed62bbc3030d Add test for cgroups load when
missing hierarchy in one subsystem
f6cbfb45aec6a2590c7e7f4b84a080602b3e642d Change Load function in order
to be more lenient on subsystems' checking
965bb1da4db7c8ce2690108c5a081562ce7493cb Merge pull request #66 from
crosbymichael/systemdci
ab9ec0e4abde2c2cb999719ff43af2d3b5830f75 (fork/systemdci, systemdci) Add
go-systemd dep for CI testing
0e94a83b6eb6cf4bc05d7f91ec1eaad57a77d3b6 Merge pull request #59 from
gliptak/patch-1
4479d118c89b5500a08cce7a78bbe822229c1e65 Merge pull request #62 from
estesp/fix-gofmt
9beb998c23f510b1e6670ad7791807eb9aff6741 Merge pull request #61 from
gliptak/patch-3
9a09e5899acc95fabcc620d6489fec674e6dddfa Fix gofmt of systemd.go
84e6e6ed2afdf661cd9dbf47c6f3412b546bc67f Merge pull request #60 from
gliptak/patch-2
e13f6cc3b9637c36e6a8af393b561127498f4be5 Add GoReportCard badge to
README
d124595ee85c245e7c1443fe402adf7ce4f7f6a4 Add Go 1.11 to Travis
d961ab930c38eb8bedcded479f1708b2ef4984c5 Correct typo
d2400726cfa7904fb79e3b896ec0e6ae500a76bd Merge pull request #57 from
estesp/project-update
e4cf832b95deb7ce898ece716307abc35cbd0a09 Add project references and use
common project travis
8baeff6b9d069acde48ef1bedec7e0f8ba684f05 Merge pull request #56 from
grantseltzer/patch-1
9de57ffeb46f6179333d7939436d92dcb5631e5f Add godoc badge to README.md
5017d4e9a9cf2d4381db99eacd9baf84b95bfb14 Merge pull request #54 from
WeiZhang555/bugfix
13aaafdc37e772059d3234ec762303537f440c5b Bugfix: can't write to cpuset
cgroup
58556f5ad8448d99a6f7bea69ea4bdb7747cfeb0 Merge pull request #53 from
baude/systemdslicedelegate
15ed73c1c075e6590ecf56170acedcba0da8167e systemd-239+ no longer allows
delegate slice
3024bc7cc0c88af4b32d38a14444f38e65ab169f Merge pull request #52 from
Sykomaniac/bugfix/slice-name
2596f332e449ea374f0f24a977437116714ce7ef Remove call to unitName
2e2922e146ed53ccf4481c245187b6afe244fded Merge pull request #51 from
containerd/type
0f3de2f77d3b76b3871242fbab2a6116179229af (type) Fix empty device type
```
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
While looking through the Moby source code was found /proc/asound to be shared
with containers as read-only.
This can lead to two information leaks.
---
**Leak of media playback status of the host**
Steps to reproduce the issue:
- Listen to music/Play a YouTube video/Do anything else that involves sound
output
- Execute docker run --rm ubuntu:latest bash -c "sleep 7; cat
/proc/asound/card*/pcm*p/sub*/status | grep state | cut -d ' ' -f2 | grep
RUNNING || echo 'not running'"
- See that the containerized process is able to check whether someone on the
host is playing music as it prints RUNNING
- Stop the music output
- Execute the command again (The sleep is delaying the output because
information regarding playback status isn't propagated instantly)
- See that it outputs not running
**Describe the results you received:**
A containerized process is able to gather information on the playback
status of an audio device governed by the host. Therefore a process of a
container is able to check whether and what kind of user activity is
present on the host system. Also, this may indicate whether a container
runs on a desktop system or a server as media playback rarely happens on
server systems.
The description above is in regard to media playback - when examining
`/proc/asound/card*/pcm*c/sub*/status` (`pcm*c` instead of `pcm*p`) this
can also leak information regarding capturing sound, as in recording
audio or making calls on the host system.
Reported-by: Philipp Schmied <pschmied@mailbox.org>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
In many cases code is calling errors.Wrapf with an arbitrary string
instead of a format string. This causes confusing errors when the
wrapped error message contains '%' characters.
This change replaces such calls with calls to errors.Wrap.
Signed-off-by: John Starks <jostarks@microsoft.com>
support checkpoint without committing a checkpoint dir into a
checkpoint image and restore without untar image into checkpoint
directory. support for both v1 and v2 runtime
Signed-off-by: Ace-Tang <aceapril@126.com>
Signed-off-by: John Howard <jhoward@microsoft.com>
Allows containerd.exe to run as a Windows service. eg
Register: `.\containerd.exe --register-service`
Start: `net start containerd`
...
Stop: `net stop containerd`
Unregister: `.\containerd.exe --unregister-service`
When running as a service, logs will go to the Windows application
event log.
add ImagePath and WorkPath for checkpoint process, add CriuImagePath
and CriuWorkPath for create process in runtime v2 protobuf
Signed-off-by: Ace-Tang <aceapril@126.com>
add ImagePath and WorkPath for checkpoint process, add CriuImagePath
and CriuWorkPath for create process in runtime v1 protobuf
Signed-off-by: Ace-Tang <aceapril@126.com>
