@@ -61,4 +61,4 @@ mv tmp-tar src/code.google.com/p/go/src/pkg/archive/tar

 clone git github.com/godbus/dbus v1

 clone git github.com/coreos/go-systemd v2

-clone git github.com/docker/libcontainer v1.0.0

+clone git github.com/docker/libcontainer 77ffd49dfedbc78a7cd4cb7a50c7446cf118725f

new file mode 100644

@@ -0,0 +1,11 @@

+language: go

+

+install:

+    - go get -d ./...

+    - go get -d github.com/dotcloud/docker # just to be sure

+    - DOCKER_PATH="${GOPATH%%:*}/src/github.com/dotcloud/docker"

+    - sed -i 's!dotcloud/docker!docker/libcontainer!' "$DOCKER_PATH/hack/make/.validate"

+

+script:

+    - bash "$DOCKER_PATH/hack/make/validate-dco"

+    - bash "$DOCKER_PATH/hack/make/validate-gofmt"

new file mode 100644

@@ -0,0 +1,204 @@

+# The libcontainer Contributors' Guide

+

+Want to hack on libcontainer? Awesome! Here are instructions to get you

+started. They are probably not perfect, please let us know if anything

+feels wrong or incomplete.

+

+## Reporting Issues

+

+When reporting [issues](https://github.com/docker/libcontainer/issues) 

+on GitHub please include your host OS (Ubuntu 12.04, Fedora 19, etc),

+the output of `uname -a`. Please include the steps required to reproduce

+the problem if possible and applicable.

+This information will help us review and fix your issue faster.

+

+## Development Environment

+

+*Add instructions on setting up the development environment.*

+

+## Contribution Guidelines

+

+### Pull requests are always welcome

+

+We are always thrilled to receive pull requests, and do our best to

+process them as fast as possible. Not sure if that typo is worth a pull

+request? Do it! We will appreciate it.

+

+If your pull request is not accepted on the first try, don't be

+discouraged! If there's a problem with the implementation, hopefully you

+received feedback on what to improve.

+

+We're trying very hard to keep libcontainer lean and focused. We don't want it

+to do everything for everybody. This means that we might decide against

+incorporating a new feature. However, there might be a way to implement

+that feature *on top of* libcontainer.

+

+### Discuss your design on the mailing list

+

+We recommend discussing your plans [on the mailing

+list](https://groups.google.com/forum/?fromgroups#!forum/docker-dev)

+before starting to code - especially for more ambitious contributions.

+This gives other contributors a chance to point you in the right

+direction, give feedback on your design, and maybe point out if someone

+else is working on the same thing.

+

+### Create issues...

+

+Any significant improvement should be documented as [a GitHub

+issue](https://github.com/docker/libcontainer/issues) before anybody

+starts working on it.

+

+### ...but check for existing issues first!

+

+Please take a moment to check that an issue doesn't already exist

+documenting your bug report or improvement proposal. If it does, it

+never hurts to add a quick "+1" or "I have this problem too". This will

+help prioritize the most common problems and requests.

+

+### Conventions

+

+Fork the repo and make changes on your fork in a feature branch:

+

+- If it's a bugfix branch, name it XXX-something where XXX is the number of the

+  issue

+- If it's a feature branch, create an enhancement issue to announce your

+  intentions, and name it XXX-something where XXX is the number of the issue.

+

+Submit unit tests for your changes.  Go has a great test framework built in; use

+it! Take a look at existing tests for inspiration. Run the full test suite on

+your branch before submitting a pull request.

+

+Update the documentation when creating or modifying features. Test

+your documentation changes for clarity, concision, and correctness, as

+well as a clean documentation build. See ``docs/README.md`` for more

+information on building the docs and how docs get released.

+

+Write clean code. Universally formatted code promotes ease of writing, reading,

+and maintenance. Always run `gofmt -s -w file.go` on each changed file before

+committing your changes. Most editors have plugins that do this automatically.

+

+Pull requests descriptions should be as clear as possible and include a

+reference to all the issues that they address.

+

+Pull requests must not contain commits from other users or branches.

+

+Commit messages must start with a capitalized and short summary (max. 50

+chars) written in the imperative, followed by an optional, more detailed

+explanatory text which is separated from the summary by an empty line.

+

+Code review comments may be added to your pull request. Discuss, then make the

+suggested modifications and push additional commits to your feature branch. Be

+sure to post a comment after pushing. The new commits will show up in the pull

+request automatically, but the reviewers will not be notified unless you

+comment.

+

+Before the pull request is merged, make sure that you squash your commits into

+logical units of work using `git rebase -i` and `git push -f`. After every

+commit the test suite should be passing. Include documentation changes in the

+same commit so that a revert would remove all traces of the feature or fix.

+

+Commits that fix or close an issue should include a reference like `Closes #XXX`

+or `Fixes #XXX`, which will automatically close the issue when merged.

+

+### Testing

+

+Make sure you include suitable tests, preferably unit tests, in your pull request

+and that all the tests pass.

+

+*Instructions for running tests to be added.*

+

+### Merge approval

+

+libcontainer maintainers use LGTM (looks good to me) in comments on the code review

+to indicate acceptance.

+

+A change requires LGTMs from at lease one maintainer of each

+component affected. For example, if a change affects `netlink/` and `security/`, it

+needs at least one LGTM from the maintainers of `netlink/` AND, separately, at

+least one LGTM from the maintainers of `security/`.

+

+For more details see [MAINTAINERS.md](hack/MAINTAINERS.md)

+

+### Sign your work

+

+The sign-off is a simple line at the end of the explanation for the

+patch, which certifies that you wrote it or otherwise have the right to

+pass it on as an open-source patch.  The rules are pretty simple: if you

+can certify the below (from

+[developercertificate.org](http://developercertificate.org/)):

+

+```

+Developer Certificate of Origin

+Version 1.1

+

+Copyright (C) 2004, 2006 The Linux Foundation and its contributors.

+660 York Street, Suite 102,

+San Francisco, CA 94110 USA

+

+Everyone is permitted to copy and distribute verbatim copies of this

+license document, but changing it is not allowed.

+

+

+Developer's Certificate of Origin 1.1

+

+By making a contribution to this project, I certify that:

+

+(a) The contribution was created in whole or in part by me and I

+    have the right to submit it under the open source license

+    indicated in the file; or

+

+(b) The contribution is based upon previous work that, to the best

+    of my knowledge, is covered under an appropriate open source

+    license and I have the right under that license to submit that

+    work with modifications, whether created in whole or in part

+    by me, under the same open source license (unless I am

+    permitted to submit under a different license), as indicated

+    in the file; or

+

+(c) The contribution was provided directly to me by some other

+    person who certified (a), (b) or (c) and I have not modified

+    it.

+

+(d) I understand and agree that this project and the contribution

+    are public and that a record of the contribution (including all

+    personal information I submit with it, including my sign-off) is

+    maintained indefinitely and may be redistributed consistent with

+    this project or the open source license(s) involved.

+```

+

+then you just add a line to every git commit message:

+

+    Docker-DCO-1.1-Signed-off-by: Joe Smith <joe.smith@email.com> (github: github_handle)

+

+using your real name (sorry, no pseudonyms or anonymous contributions.)

+

+One way to automate this, is customise your get ``commit.template`` by adding

+a ``prepare-commit-msg`` hook to your libcontainer checkout:

+

+```

+curl -o .git/hooks/prepare-commit-msg https://raw.githubusercontent.com/dotcloud/docker/master/contrib/prepare-commit-msg.hook && chmod +x .git/hooks/prepare-commit-msg

+```

+

+* Note: the above script expects to find your GitHub user name in ``git config --get github.user``

+

+#### Small patch exception

+

+There are several exceptions to the signing requirement. Currently these are:

+

+* Your patch fixes spelling or grammar errors.

+* Your patch is a single line change to documentation contained in the

+  `docs` directory.

+* Your patch fixes Markdown formatting or syntax errors in the

+  documentation contained in the `docs` directory.

+

+If you have any questions, please refer to the FAQ in the [docs](to be written)

+

+### How can I become a maintainer?

+

+* Step 1: learn the component inside out

+* Step 2: make yourself useful by contributing code, bugfixes, support etc.

+* Step 3: volunteer on the irc channel (#libcontainer@freenode)

+

+Don't forget: being a maintainer is a time investment. Make sure you will have time to make yourself available.

+You don't have to be a maintainer to make a difference on the project!

+

@@ -1,3 +1,4 @@

-Michael Crosby <michael@crosbymichael.com> (@crosbymichael)

+Michael Crosby <michael@docker.com> (@crosbymichael)

 Rohit Jnagal <jnagal@google.com> (@rjnagal)

 Victor Marmol <vmarmol@google.com> (@vmarmol)

+.travis.yml: Tianon Gravi <admwiggin@gmail.com> (@tianon)

new file mode 100644

@@ -0,0 +1,99 @@

+# The libcontainer Maintainers' Guide

+

+## Introduction

+

+Dear maintainer. Thank you for investing the time and energy to help

+make libcontainer as useful as possible. Maintaining a project is difficult,

+sometimes unrewarding work.  Sure, you will get to contribute cool

+features to the project. But most of your time will be spent reviewing,

+cleaning up, documenting, answering questions, justifying design

+decisions - while everyone has all the fun! But remember - the quality

+of the maintainers work is what distinguishes the good projects from the

+great.  So please be proud of your work, even the unglamourous parts,

+and encourage a culture of appreciation and respect for *every* aspect

+of improving the project - not just the hot new features.

+

+This document is a manual for maintainers old and new. It explains what

+is expected of maintainers, how they should work, and what tools are

+available to them.

+

+This is a living document - if you see something out of date or missing,

+speak up!

+

+## What are a maintainer's responsibility?

+

+It is every maintainer's responsibility to:

+

+* 1) Expose a clear roadmap for improving their component.

+* 2) Deliver prompt feedback and decisions on pull requests.

+* 3) Be available to anyone with questions, bug reports, criticism etc.

+  on their component. This includes IRC, GitHub requests and the mailing

+  list.

+* 4) Make sure their component respects the philosophy, design and

+  roadmap of the project.

+

+## How are decisions made?

+

+Short answer: with pull requests to the libcontainer repository.

+

+libcontainer is an open-source project with an open design philosophy. This

+means that the repository is the source of truth for EVERY aspect of the

+project, including its philosophy, design, roadmap and APIs. *If it's

+part of the project, it's in the repo. It's in the repo, it's part of

+the project.*

+

+As a result, all decisions can be expressed as changes to the

+repository. An implementation change is a change to the source code. An

+API change is a change to the API specification. A philosophy change is

+a change to the philosophy manifesto. And so on.

+

+All decisions affecting libcontainer, big and small, follow the same 3 steps:

+

+* Step 1: Open a pull request. Anyone can do this.

+

+* Step 2: Discuss the pull request. Anyone can do this.

+

+* Step 3: Accept (`LGTM`) or refuse a pull request. The relevant maintainers do 

+this (see below "Who decides what?")

+

+

+## Who decides what?

+

+All decisions are pull requests, and the relevant maintainers make

+decisions by accepting or refusing the pull request. Review and acceptance

+by anyone is denoted by adding a comment in the pull request: `LGTM`. 

+However, only currently listed `MAINTAINERS` are counted towards the required

+majority.

+

+libcontainer follows the timeless, highly efficient and totally unfair system

+known as [Benevolent dictator for life](http://en.wikipedia.org/wiki/Benevolent_Dictator_for_Life), with Michael Crosby in the role of BDFL.

+This means that all decisions are made by default by Michael. Since making

+every decision himself would be highly un-scalable, in practice decisions

+are spread across multiple maintainers.

+

+The relevant maintainers for a pull request can be worked out in two steps:

+

+* Step 1: Determine the subdirectories affected by the pull request. This

+  might be `netlink/` and `security/`, or any other part of the repo.

+

+* Step 2: Find the `MAINTAINERS` file which affects this directory. If the

+  directory itself does not have a `MAINTAINERS` file, work your way up

+  the repo hierarchy until you find one.

+

+### I'm a maintainer, and I'm going on holiday

+

+Please let your co-maintainers and other contributors know by raising a pull

+request that comments out your `MAINTAINERS` file entry using a `#`.

+

+### I'm a maintainer, should I make pull requests too?

+

+Yes. Nobody should ever push to master directly. All changes should be

+made through a pull request.

+

+### Who assigns maintainers?

+

+Michael has final `LGTM` approval for all pull requests to `MAINTAINERS` files.

+

+### How is this process changed?

+

+Just like everything else: by making a pull request :)

new file mode 100644

@@ -0,0 +1,19 @@

+# libcontainer Principles

+

+In the design and development of libcontainer we try to follow these principles:

+

+(Work in progress)

+

+* Don't try to replace every tool. Instead, be an ingredient to improve them.

+* Less code is better.

+* Fewer components are better. Do you really need to add one more class?

+* 50 lines of straightforward, readable code is better than 10 lines of magic that nobody can understand.

+* Don't do later what you can do now. "//FIXME: refactor" is not acceptable in new code.

+* When hesitating between two options, choose the one that is easier to reverse.

+* "No" is temporary; "Yes" is forever. If you're not sure about a new feature, say no. You can change your mind later.

+* Containers must be portable to the greatest possible number of machines. Be suspicious of any change which makes machines less interchangeable.

+* The fewer moving parts in a container, the better.

+* Don't merge it unless you document it.

+* Don't document it unless you can keep it up-to-date.

+* Don't merge it unless you test it!

+* Everyone's problem is slightly different. Focus on the part that is the same for everyone, and solve that.

@@ -1,16 +1,16 @@

 ## libcontainer - reference implementation for containers

-#### background

+#### Background

 libcontainer specifies configuration options for what a container is.  It provides a native Go implementation 

 for using Linux namespaces with no external dependencies.  libcontainer provides many convenience functions for working with namespaces, networking, and management.  

-#### container

+#### Container

 A container is a self contained directory that is able to run one or more processes without 

 affecting the host system.  The directory is usually a full system tree.  Inside the directory

 a `container.json` file is placed with the runtime configuration for how the processes 

-should be contained and ran.  Environment, networking, and different capabilities for the 

+should be contained and run.  Environment, networking, and different capabilities for the 

 process are specified in this file.  The configuration is used for each process executed inside the container.

 See the `container.json` file for what the configuration should look like.

@@ -35,8 +35,19 @@ If you wish to spawn another process inside the container while your current bas

 running just run the exact same command again to get another bash shell or change the command.  If the original process dies, PID 1, all other processes spawned inside the container will also be killed and the namespace will be removed. 

 You can identify if a process is running in a container by looking to see if `pid` is in the root of the directory.   

+#### Future

+See the [roadmap](ROADMAP.md).

 ## Copyright and license

 Code and documentation copyright 2014 Docker, inc. Code released under the Apache 2.0 license.

 Docs released under Creative commons.

+

+## Hacking on libcontainer

+

+First of all, please familiarise yourself with the [libcontainer Principles](PRINCIPLES.md).

+

+If you're a *contributor* or aspiring contributor, you should read the [Contributors' Guide](CONTRIBUTORS_GUIDE.md).

+

+If you're a *maintainer* or aspiring maintainer, you should read the [Maintainers' Guide](MAINTAINERS_GUIDE.md) and

+"How can I become a maintainer?" in the Contributors' Guide.

new file mode 100644

@@ -0,0 +1,16 @@

+# libcontainer: what's next?

+

+This document is a high-level overview of where we want to take libcontainer next.

+It is a curated selection of planned improvements which are either important, difficult, or both.

+

+For a more complete view of planned and requested improvements, see [the Github issues](https://github.com/docker/libcontainer/issues).

+

+To suggest changes to the roadmap, including additions, please write the change as if it were already in effect, and make a pull request.

+

+## Broader kernel support

+

+Our goal is to make libcontainer run everywhere, but currently libcontainer requires Linux version 3.8 or higher. If you’re deploying new machines for the purpose of running libcontainer, this is a fairly easy requirement to meet. However, if you’re adding libcontainer to an existing deployment, you may not have the flexibility to update and patch the kernel.

+

+## Cross-architecture support

+

+Our goal is to make libcontainer run everywhere. However currently libcontainer only runs on x86_64 systems. We plan on expanding architecture support, so that libcontainer containers can be created and used on more architectures.

@@ -31,7 +31,7 @@ func TestGetCgroupParamsInt(t *testing.T) {

 	if err != nil {

 		t.Fatal(err)

 	} else if value != floatValue {

-		t.Fatalf("Expected %f to equal %f", value, floatValue)

+		t.Fatalf("Expected %d to equal %f", value, floatValue)

 	}

 	// Success with new line.

@@ -43,7 +43,7 @@ func TestGetCgroupParamsInt(t *testing.T) {

 	if err != nil {

 		t.Fatal(err)

 	} else if value != floatValue {

-		t.Fatalf("Expected %f to equal %f", value, floatValue)

+		t.Fatalf("Expected %d to equal %f", value, floatValue)

 	}

 	// Not a float.

@@ -2,6 +2,7 @@ package cgroups

 import (

 	"bufio"

+	"fmt"

 	"io"

 	"os"

 	"path/filepath"

@@ -30,6 +31,80 @@ func FindCgroupMountpoint(subsystem string) (string, error) {

 	return "", ErrNotFound

 }

+type Mount struct {

+	Mountpoint string

+	Subsystems []string

+}

+

+func (m Mount) GetThisCgroupDir() (string, error) {

+	if len(m.Subsystems) == 0 {

+		return "", fmt.Errorf("no subsystem for mount")

+	}

+

+	return GetThisCgroupDir(m.Subsystems[0])

+}

+

+func GetCgroupMounts() ([]Mount, error) {

+	mounts, err := mount.GetMounts()

+	if err != nil {

+		return nil, err

+	}

+

+	all, err := GetAllSubsystems()

+	if err != nil {

+		return nil, err

+	}

+

+	allMap := make(map[string]bool)

+	for _, s := range all {

+		allMap[s] = true

+	}

+

+	res := []Mount{}

+	for _, mount := range mounts {

+		if mount.Fstype == "cgroup" {

+			m := Mount{Mountpoint: mount.Mountpoint}

+

+			for _, opt := range strings.Split(mount.VfsOpts, ",") {

+				if strings.HasPrefix(opt, "name=") {

+					m.Subsystems = append(m.Subsystems, opt)

+				}

+				if allMap[opt] {

+					m.Subsystems = append(m.Subsystems, opt)

+				}

+			}

+			res = append(res, m)

+		}

+	}

+	return res, nil

+}

+

+// Returns all the cgroup subsystems supported by the kernel

+func GetAllSubsystems() ([]string, error) {

+	f, err := os.Open("/proc/cgroups")

+	if err != nil {

+		return nil, err

+	}

+	defer f.Close()

+

+	subsystems := []string{}

+

+	s := bufio.NewScanner(f)

+	for s.Scan() {

+		if err := s.Err(); err != nil {

+			return nil, err

+		}

+		text := s.Text()

+		if text[0] != '#' {

+			parts := strings.Fields(text)

+			if len(parts) > 4 && parts[3] != "0" {

+				subsystems = append(subsystems, parts[0])

+			}

+		}

+	}

+	return subsystems, nil

+}

+

 // Returns the relative path to the cgroup docker is running in.

 func GetThisCgroupDir(subsystem string) (string, error) {

 	f, err := os.Open("/proc/self/cgroup")

@@ -39,8 +39,8 @@ func (device *Device) GetCgroupAllowString() string {

 }

 // Given the path to a device and it's cgroup_permissions(which cannot be easilly queried) look up the information about a linux device and return that information as a Device struct.

-func GetDevice(path string, cgroupPermissions string) (*Device, error) {

-	fileInfo, err := os.Stat(path)

+func GetDevice(path, cgroupPermissions string) (*Device, error) {

+	fileInfo, err := os.Lstat(path)

 	if err != nil {

 		return nil, err

 	}

@@ -4,17 +4,18 @@ package mount

 import (

 	"fmt"

-	"github.com/dotcloud/docker/pkg/system"

 	"io/ioutil"

 	"os"

 	"path/filepath"

 	"syscall"

+

+	"github.com/dotcloud/docker/pkg/system"

 )

 func PivotRoot(rootfs string) error {

 	pivotDir, err := ioutil.TempDir(rootfs, ".pivot_root")

 	if err != nil {

-		return fmt.Errorf("can't create pivot_root dir %s", pivotDir, err)

+		return fmt.Errorf("can't create pivot_root dir %s, error %v", pivotDir, err)

 	}

 	if err := system.Pivotroot(rootfs, pivotDir); err != nil {

 		return fmt.Errorf("pivot_root %s", err)

@@ -185,7 +185,10 @@ func setupRoute(container *libcontainer.Container) error {

 // and working dir, and closes any leaky file descriptors

 // before execing the command inside the namespace

 func FinalizeNamespace(container *libcontainer.Container) error {

-	if err := system.CloseFdsFrom(3); err != nil {

+	// Ensure that all non-standard fds we may have accidentally

+	// inherited are marked close-on-exec so they stay out of the

+	// container

+	if err := utils.CloseExecFrom(3); err != nil {

 		return fmt.Errorf("close open file descriptors %s", err)

 	}

@@ -217,6 +220,7 @@ func FinalizeNamespace(container *libcontainer.Container) error {

 			return fmt.Errorf("chdir to %s %s", container.WorkingDir, err)

 		}

 	}

+

 	return nil

 }

@@ -1,9 +1,12 @@

+// +build linux

+

 package namespaces

 /*

 #include <dirent.h>

 #include <errno.h>

 #include <fcntl.h>

+#include <linux/limits.h>

 #include <linux/sched.h>

 #include <signal.h>

 #include <stdio.h>

@@ -49,6 +52,18 @@ void get_args(int *argc, char ***argv) {

 	(*argv)[*argc] = NULL;

 }

+// Use raw setns syscall for versions of glibc that don't include it (namely glibc-2.12)

+#if __GLIBC__ == 2 && __GLIBC_MINOR__ < 14

+#define _GNU_SOURCE

+#include <sched.h>

+#include "syscall.h"

+#ifdef SYS_setns

+int setns(int fd, int nstype) {

+  return syscall(SYS_setns, fd, nstype);

+}

+#endif

+#endif

+

 void nsenter() {

 	int argc;

 	char **argv;

@@ -73,12 +88,9 @@ void nsenter() {

 	argv += 3;

 	// Setns on all supported namespaces.

-	char ns_dir[kBufSize];

-	memset(ns_dir, 0, kBufSize);

-	if (snprintf(ns_dir, kBufSize - 1, "/proc/%d/ns/", init_pid) < 0) {

-		fprintf(stderr, "nsenter: Error getting ns dir path with error: \"%s\"\n", strerror(errno));

-		exit(1);

-	}

+	char ns_dir[PATH_MAX];

+	memset(ns_dir, 0, PATH_MAX);

+	snprintf(ns_dir, PATH_MAX - 1, "/proc/%d/ns/", init_pid);

 	struct dirent *dent;

 	DIR *dir = opendir(ns_dir);

 	if (dir == NULL) {

@@ -92,10 +104,9 @@ void nsenter() {

 		}

 		// Get and open the namespace for the init we are joining..

-		char buf[kBufSize];

-		memset(buf, 0, kBufSize);

-		strncat(buf, ns_dir, kBufSize - 1);

-		strncat(buf, dent->d_name, kBufSize - 1);

+		char buf[PATH_MAX];

+		memset(buf, 0, PATH_MAX);

+		snprintf(buf, PATH_MAX - 1, "%s%s", ns_dir, dent->d_name);

 		int fd = open(buf, O_RDONLY);

 		if (fd == -1) {

 			fprintf(stderr, "nsenter: Failed to open ns file \"%s\" for ns \"%s\" with error: \"%s\"\n", buf, dent->d_name, strerror(errno));

@@ -15,13 +15,14 @@ const defaultMountFlags = syscall.MS_NOEXEC | syscall.MS_NOSUID | syscall.MS_NOD

 func mountReadonly(path string) error {

 	for i := 0; i < 5; i++ {

-		if err := system.Mount("", path, "", syscall.MS_REMOUNT|syscall.MS_RDONLY, ""); err != nil {

+		if err := system.Mount("", path, "", syscall.MS_REMOUNT|syscall.MS_RDONLY, ""); err != nil && !os.IsNotExist(err) {

 			switch err {

 			case syscall.EINVAL:

 				// Probably not a mountpoint, use bind-mount

 				if err := system.Mount(path, path, "", syscall.MS_BIND, ""); err != nil {

 					return err

 				}

+

 				return system.Mount(path, path, "", syscall.MS_BIND|syscall.MS_REMOUNT|syscall.MS_RDONLY|syscall.MS_REC|defaultMountFlags, "")

 			case syscall.EBUSY:

 				time.Sleep(100 * time.Millisecond)

@@ -30,15 +31,16 @@ func mountReadonly(path string) error {

 				return err

 			}

 		}

+

 		return nil

 	}

+

 	return fmt.Errorf("unable to mount %s as readonly max retries reached", path)

 }

 // This has to be called while the container still has CAP_SYS_ADMIN (to be able to perform mounts).

 // However, afterwards, CAP_SYS_ADMIN should be dropped (otherwise the user will be able to revert those changes).

 func Restrict(mounts ...string) error {

-	// remount proc and sys as readonly

 	for _, dest := range mounts {

 		if err := mountReadonly(dest); err != nil {

 			return fmt.Errorf("unable to remount %s readonly: %s", dest, err)

@@ -48,5 +50,6 @@ func Restrict(mounts ...string) error {

 	if err := system.Mount("/dev/null", "/proc/kcore", "", syscall.MS_BIND, ""); err != nil && !os.IsNotExist(err) {

 		return fmt.Errorf("unable to bind-mount /dev/null over /proc/kcore: %s", err)

 	}

+

 	return nil

 }

@@ -4,7 +4,10 @@ import (

 	"crypto/rand"

 	"encoding/hex"

 	"io"

+	"io/ioutil"

 	"path/filepath"

+	"strconv"

+	"syscall"

 )

 // GenerateRandomName returns a new name joined with a prefix.  This size

@@ -26,3 +29,27 @@ func ResolveRootfs(uncleanRootfs string) (string, error) {

 	}

 	return filepath.EvalSymlinks(rootfs)

 }

+

+func CloseExecFrom(minFd int) error {

+	fdList, err := ioutil.ReadDir("/proc/self/fd")

+	if err != nil {

+		return err

+	}

+	for _, fi := range fdList {

+		fd, err := strconv.Atoi(fi.Name())

+		if err != nil {

+			// ignore non-numeric file names

+			continue

+		}

+

+		if fd < minFd {

+			// ignore descriptors lower than our specified minimum

+			continue

+		}

+

+		// intentionally ignore errors from syscall.CloseOnExec

+		syscall.CloseOnExec(fd)

+		// the cases where this might fail are basically file descriptors that have already been closed (including and especially the one that was created when ioutil.ReadDir did the "opendir" syscall)

+	}

+	return nil

+}