@@ -1399,7 +1399,7 @@ func serveFd(addr string, job *engine.Job) error {

 }

 func lookupGidByName(nameOrGid string) (int, error) {

-	groupFile, err := user.GetGroupFile()

+	groupFile, err := user.GetGroupPath()

 	if err != nil {

 		return -1, err

 	}

@@ -82,7 +82,7 @@ func (d *driver) createContainer(c *execdriver.Command) (*libcontainer.Config, e

 func (d *driver) createNetwork(container *libcontainer.Config, c *execdriver.Command) error {

 	if c.Network.HostNetworking {

-		container.Namespaces["NEWNET"] = false

+		container.Namespaces.Remove(libcontainer.NEWNET)

 		return nil

 	}

@@ -119,10 +119,7 @@ func (d *driver) createNetwork(container *libcontainer.Config, c *execdriver.Com

 		cmd := active.cmd

 		nspath := filepath.Join("/proc", fmt.Sprint(cmd.Process.Pid), "ns", "net")

-		container.Networks = append(container.Networks, &libcontainer.Network{

-			Type:   "netns",

-			NsPath: nspath,

-		})

+		container.Namespaces.Add(libcontainer.NEWNET, nspath)

 	}

 	return nil

@@ -130,7 +127,7 @@ func (d *driver) createNetwork(container *libcontainer.Config, c *execdriver.Com

 func (d *driver) createIpc(container *libcontainer.Config, c *execdriver.Command) error {

 	if c.Ipc.HostIpc {

-		container.Namespaces["NEWIPC"] = false

+		container.Namespaces.Remove(libcontainer.NEWIPC)

 		return nil

 	}

@@ -144,7 +141,7 @@ func (d *driver) createIpc(container *libcontainer.Config, c *execdriver.Command

 		}

 		cmd := active.cmd

-		container.IpcNsPath = filepath.Join("/proc", fmt.Sprint(cmd.Process.Pid), "ns", "ipc")

+		container.Namespaces.Add(libcontainer.NEWIPC, filepath.Join("/proc", fmt.Sprint(cmd.Process.Pid), "ns", "ipc"))

 	}

 	return nil

@@ -61,10 +61,6 @@ func NewDriver(root, initPath string) (*driver, error) {

 	}, nil

 }

-func (d *driver) notifyOnOOM(config *libcontainer.Config) (<-chan struct{}, error) {

-	return fs.NotifyOnOOM(config.Cgroups)

-}

-

 type execOutput struct {

 	exitCode int

 	err      error

@@ -152,11 +148,16 @@ func (d *driver) Run(c *execdriver.Command, pipes *execdriver.Pipes, startCallba

 	}

 	oomKill := false

-	oomKillNotification, err := d.notifyOnOOM(container)

+	state, err := libcontainer.GetState(filepath.Join(d.root, c.ID))

 	if err == nil {

-		_, oomKill = <-oomKillNotification

+		oomKillNotification, err := libcontainer.NotifyOnOOM(state)

+		if err == nil {

+			_, oomKill = <-oomKillNotification

+		} else {

+			log.Warnf("WARNING: Your kernel does not support OOM notifications: %s", err)

+		}

 	} else {

-		log.Warnf("WARNING: Your kernel does not support OOM notifications: %s", err)

+		log.Warnf("Failed to get container state, oom notify will not work: %s", err)

 	}

 	// wait for the container to exit.

 	execOutput := <-execOutputChan

@@ -25,12 +25,12 @@ func New() *libcontainer.Config {

 			"KILL",

 			"AUDIT_WRITE",

 		},

-		Namespaces: map[string]bool{

-			"NEWNS":  true,

-			"NEWUTS": true,

-			"NEWIPC": true,

-			"NEWPID": true,

-			"NEWNET": true,

+		Namespaces: libcontainer.Namespaces{

+			{Type: "NEWNS"},

+			{Type: "NEWUTS"},

+			{Type: "NEWIPC"},

+			{Type: "NEWPID"},

+			{Type: "NEWNET"},

 		},

 		Cgroups: &cgroups.Cgroup{

 			Parent:          "docker",

@@ -66,7 +66,7 @@ if [ "$1" = '--go' ]; then

 	mv tmp-tar src/code.google.com/p/go/src/pkg/archive/tar

 fi

-clone git github.com/docker/libcontainer 53eca435e63db58b06cf796d3a9326db5fd42253

+clone git github.com/docker/libcontainer 1597c68f7b941fd97881155d7f077852e2914e7b

 # see src/github.com/docker/libcontainer/update-vendor.sh which is the "source of truth" for libcontainer deps (just like this file)

 rm -rf src/github.com/docker/libcontainer/vendor

 eval "$(grep '^clone ' src/github.com/docker/libcontainer/update-vendor.sh | grep -v 'github.com/codegangsta/cli')"

@@ -1,13 +1,13 @@

 all:

-	docker build -t docker/libcontainer .

+	docker build -t dockercore/libcontainer .

 test: 

 	# we need NET_ADMIN for the netlink tests and SYS_ADMIN for mounting

-	docker run --rm -it --privileged docker/libcontainer

+	docker run --rm -it --privileged dockercore/libcontainer

 sh:

-	docker run --rm -it --privileged -w /busybox docker/libcontainer nsinit exec sh

+	docker run --rm -it --privileged -w /busybox dockercore/libcontainer nsinit exec sh

 GO_PACKAGES = $(shell find . -not \( -wholename ./vendor -prune -o -wholename ./.git -prune \) -name '*.go' -print0 | xargs -0n1 dirname | sort -u)

@@ -318,4 +318,29 @@ a container.

 | Resume         | Resume all processes inside the container if paused                |

 | Exec           | Execute a new process inside of the container  ( requires setns )  |

+### Execute a new process inside of a running container.

+User can execute a new process inside of a running container. Any binaries to be

+executed must be accessible within the container's rootfs.

+

+The started process will run inside the container's rootfs. Any changes

+made by the process to the container's filesystem will persist after the

+process finished executing.

+

+The started process will join all the container's existing namespaces. When the

+container is paused, the process will also be paused and will resume when

+the container is unpaused.  The started process will only run when the container's

+primary process (PID 1) is running, and will not be restarted when the container

+is restarted.

+

+#### Planned additions

+

+The started process will have its own cgroups nested inside the container's

+cgroups. This is used for process tracking and optionally resource allocation

+handling for the new process. Freezer cgroup is required, the rest of the cgroups

+are optional. The process executor must place its pid inside the correct

+cgroups before starting the process. This is done so that no child processes or

+threads can escape the cgroups.

+

+When the process is stopped, the process executor will try (in a best-effort way)

+to stop all its children and remove the sub-cgroups.

@@ -50,6 +50,7 @@ type Cgroup struct {

 	CpuQuota          int64             `json:"cpu_quota,omitempty"`          // CPU hardcap limit (in usecs). Allowed cpu time in a given period.

 	CpuPeriod         int64             `json:"cpu_period,omitempty"`         // CPU period to be used for hardcapping (in usecs). 0 to use system default.

 	CpusetCpus        string            `json:"cpuset_cpus,omitempty"`        // CPU to use

+	CpusetMems        string            `json:"cpuset_mems,omitempty"`        // MEM to use

 	Freezer           FreezerState      `json:"freezer,omitempty"`            // set the freeze value for the process

 	Slice             string            `json:"slice,omitempty"`              // Parent slice to use for systemd

 }

@@ -18,7 +18,7 @@ func (s *CpusetGroup) Set(d *data) error {

 	if err != nil {

 		return err

 	}

-	return s.SetDir(dir, d.c.CpusetCpus, d.pid)

+	return s.SetDir(dir, d.c.CpusetCpus, d.c.CpusetMems, d.pid)

 }

 func (s *CpusetGroup) Remove(d *data) error {

@@ -29,7 +29,7 @@ func (s *CpusetGroup) GetStats(path string, stats *cgroups.Stats) error {

 	return nil

 }

-func (s *CpusetGroup) SetDir(dir, value string, pid int) error {

+func (s *CpusetGroup) SetDir(dir, cpus string, mems string, pid int) error {

 	if err := s.ensureParent(dir); err != nil {

 		return err

 	}

@@ -40,10 +40,15 @@ func (s *CpusetGroup) SetDir(dir, value string, pid int) error {

 		return err

 	}

-	// If we don't use --cpuset, the default cpuset.cpus is set in

-	// s.ensureParent, otherwise, use the value we set

-	if value != "" {

-		if err := writeFile(dir, "cpuset.cpus", value); err != nil {

+	// If we don't use --cpuset-xxx, the default value inherit from parent cgroup

+	// is set in s.ensureParent, otherwise, use the value we set

+	if cpus != "" {

+		if err := writeFile(dir, "cpuset.cpus", cpus); err != nil {

+			return err

+		}

+	}

+	if mems != "" {

+		if err := writeFile(dir, "cpuset.mems", mems); err != nil {

 			return err

 		}

 	}

@@ -38,12 +38,17 @@ func (s *MemoryGroup) Set(d *data) error {

 			}

 		}

 		// By default, MemorySwap is set to twice the size of RAM.

-		// If you want to omit MemorySwap, set it to `-1'.

-		if d.c.MemorySwap != -1 {

+		// If you want to omit MemorySwap, set it to '-1'.

+		if d.c.MemorySwap == 0 {

 			if err := writeFile(dir, "memory.memsw.limit_in_bytes", strconv.FormatInt(d.c.Memory*2, 10)); err != nil {

 				return err

 			}

 		}

+		if d.c.MemorySwap > 0 {

+			if err := writeFile(dir, "memory.memsw.limit_in_bytes", strconv.FormatInt(d.c.MemorySwap, 10)); err != nil {

+				return err

+			}

+		}

 	}

 	return nil

 }

deleted file mode 100644

@@ -1,82 +0,0 @@

-// +build linux

-

-package fs

-

-import (

-	"fmt"

-	"os"

-	"path/filepath"

-	"syscall"

-

-	"github.com/docker/libcontainer/cgroups"

-)

-

-// NotifyOnOOM sends signals on the returned channel when the cgroup reaches

-// its memory limit. The channel is closed when the cgroup is removed.

-func NotifyOnOOM(c *cgroups.Cgroup) (<-chan struct{}, error) {

-	d, err := getCgroupData(c, 0)

-	if err != nil {

-		return nil, err

-	}

-

-	return notifyOnOOM(d)

-}

-

-func notifyOnOOM(d *data) (<-chan struct{}, error) {

-	dir, err := d.path("memory")

-	if err != nil {

-		return nil, err

-	}

-

-	fd, _, syserr := syscall.RawSyscall(syscall.SYS_EVENTFD2, 0, syscall.FD_CLOEXEC, 0)

-	if syserr != 0 {

-		return nil, syserr

-	}

-

-	eventfd := os.NewFile(fd, "eventfd")

-

-	oomControl, err := os.Open(filepath.Join(dir, "memory.oom_control"))

-	if err != nil {

-		eventfd.Close()

-		return nil, err

-	}

-

-	var (

-		eventControlPath = filepath.Join(dir, "cgroup.event_control")

-		data             = fmt.Sprintf("%d %d", eventfd.Fd(), oomControl.Fd())

-	)

-

-	if err := writeFile(dir, "cgroup.event_control", data); err != nil {

-		eventfd.Close()

-		oomControl.Close()

-		return nil, err

-	}

-

-	ch := make(chan struct{})

-

-	go func() {

-		defer func() {

-			close(ch)

-			eventfd.Close()

-			oomControl.Close()

-		}()

-

-		buf := make([]byte, 8)

-

-		for {

-			if _, err := eventfd.Read(buf); err != nil {

-				return

-			}

-

-			// When a cgroup is destroyed, an event is sent to eventfd.

-			// So if the control path is gone, return instead of notifying.

-			if _, err := os.Lstat(eventControlPath); os.IsNotExist(err) {

-				return

-			}

-

-			ch <- struct{}{}

-		}

-	}()

-

-	return ch, nil

-}

deleted file mode 100644

@@ -1,86 +0,0 @@

-// +build linux

-

-package fs

-

-import (

-	"encoding/binary"

-	"fmt"

-	"syscall"

-	"testing"

-	"time"

-)

-

-func TestNotifyOnOOM(t *testing.T) {

-	helper := NewCgroupTestUtil("memory", t)

-	defer helper.cleanup()

-

-	helper.writeFileContents(map[string]string{

-		"memory.oom_control":   "",

-		"cgroup.event_control": "",

-	})

-

-	var eventFd, oomControlFd int

-

-	ooms, err := notifyOnOOM(helper.CgroupData)

-	if err != nil {

-		t.Fatal("expected no error, got:", err)

-	}

-

-	memoryPath, _ := helper.CgroupData.path("memory")

-	data, err := readFile(memoryPath, "cgroup.event_control")

-	if err != nil {

-		t.Fatal("couldn't read event control file:", err)

-	}

-

-	if _, err := fmt.Sscanf(data, "%d %d", &eventFd, &oomControlFd); err != nil {

-		t.Fatalf("invalid control data %q: %s", data, err)

-	}

-

-	// re-open the eventfd

-	efd, err := syscall.Dup(eventFd)

-	if err != nil {

-		t.Fatal("unable to reopen eventfd:", err)

-	}

-	defer syscall.Close(efd)

-

-	if err != nil {

-		t.Fatal("unable to dup event fd:", err)

-	}

-

-	buf := make([]byte, 8)

-	binary.LittleEndian.PutUint64(buf, 1)

-

-	if _, err := syscall.Write(efd, buf); err != nil {

-		t.Fatal("unable to write to eventfd:", err)

-	}

-

-	select {

-	case <-ooms:

-	case <-time.After(100 * time.Millisecond):

-		t.Fatal("no notification on oom channel after 100ms")

-	}

-

-	// simulate what happens when a cgroup is destroyed by cleaning up and then

-	// writing to the eventfd.

-	helper.cleanup()

-	if _, err := syscall.Write(efd, buf); err != nil {

-		t.Fatal("unable to write to eventfd:", err)

-	}

-

-	// give things a moment to shut down

-	select {

-	case _, ok := <-ooms:

-		if ok {

-			t.Fatal("expected no oom to be triggered")

-		}

-	case <-time.After(100 * time.Millisecond):

-	}

-

-	if _, _, err := syscall.Syscall(syscall.SYS_FCNTL, uintptr(oomControlFd), syscall.F_GETFD, 0); err != syscall.EBADF {

-		t.Error("expected oom control to be closed")

-	}

-

-	if _, _, err := syscall.Syscall(syscall.SYS_FCNTL, uintptr(eventFd), syscall.F_GETFD, 0); err != syscall.EBADF {

-		t.Error("expected event fd to be closed")

-	}

-}

@@ -90,4 +90,8 @@ func expectMemoryStatEquals(t *testing.T, expected, actual cgroups.MemoryStats)

 			t.Fail()

 		}

 	}

+	if expected.Failcnt != actual.Failcnt {

+		log.Printf("Expected memory failcnt %d but found %d\n", expected.Failcnt, actual.Failcnt)

+		t.Fail()

+	}

 }

@@ -313,5 +313,5 @@ func joinCpuset(c *cgroups.Cgroup, pid int) error {

 	s := &fs.CpusetGroup{}

-	return s.SetDir(path, c.CpusetCpus, pid)

+	return s.SetDir(path, c.CpusetCpus, c.CpusetMems, pid)

 }

@@ -9,6 +9,7 @@ import (

 	"path/filepath"

 	"strconv"

 	"strings"

+	"time"

 	"github.com/docker/docker/pkg/mount"

 )

@@ -193,13 +194,30 @@ func EnterPid(cgroupPaths map[string]string, pid int) error {

 }

 // RemovePaths iterates over the provided paths removing them.

-// If an error is encountered the removal proceeds and the first error is

-// returned to ensure a partial removal is not possible.

+// We trying to remove all paths five times with increasing delay between tries.

+// If after all there are not removed cgroups - appropriate error will be

+// returned.

 func RemovePaths(paths map[string]string) (err error) {

-	for _, path := range paths {

-		if rerr := os.RemoveAll(path); err == nil {

-			err = rerr

+	delay := 10 * time.Millisecond

+	for i := 0; i < 5; i++ {

+		if i != 0 {

+			time.Sleep(delay)

+			delay *= 2

+		}

+		for s, p := range paths {

+			os.RemoveAll(p)

+			// TODO: here probably should be logging

+			_, err := os.Stat(p)

+			// We need this strange way of checking cgroups existence because

+			// RemoveAll almost always returns error, even on already removed

+			// cgroups

+			if os.IsNotExist(err) {

+				delete(paths, s)

+			}

+		}

+		if len(paths) == 0 {

+			return nil

 		}

 	}

-	return err

+	return fmt.Errorf("Failed to remove paths: %s", paths)

 }

@@ -10,6 +10,57 @@ type MountConfig mount.MountConfig

 type Network network.Network

+type NamespaceType string

+

+const (

+	NEWNET  NamespaceType = "NEWNET"

+	NEWPID  NamespaceType = "NEWPID"

+	NEWNS   NamespaceType = "NEWNS"

+	NEWUTS  NamespaceType = "NEWUTS"

+	NEWIPC  NamespaceType = "NEWIPC"

+	NEWUSER NamespaceType = "NEWUSER"

+)

+

+// Namespace defines configuration for each namespace.  It specifies an

+// alternate path that is able to be joined via setns.

+type Namespace struct {

+	Type NamespaceType `json:"type"`

+	Path string        `json:"path,omitempty"`

+}

+

+type Namespaces []Namespace

+

+func (n Namespaces) Remove(t NamespaceType) bool {

+	i := n.index(t)

+	if i == -1 {

+		return false

+	}

+	n = append(n[:i], n[i+1:]...)

+	return true

+}

+

+func (n Namespaces) Add(t NamespaceType, path string) {

+	i := n.index(t)

+	if i == -1 {

+		n = append(n, Namespace{Type: t, Path: path})

+		return

+	}

+	n[i].Path = path

+}

+

+func (n Namespaces) index(t NamespaceType) int {

+	for i, ns := range n {

+		if ns.Type == t {

+			return i

+		}

+	}

+	return -1

+}

+

+func (n Namespaces) Contains(t NamespaceType) bool {

+	return n.index(t) != -1

+}

+

 // Config defines configuration options for executing a process inside a contained environment.

 type Config struct {

 	// Mount specific options.

@@ -38,7 +89,7 @@ type Config struct {

 	// Namespaces specifies the container's namespaces that it should setup when cloning the init process

 	// If a namespace is not provided that namespace is shared from the container's parent process

-	Namespaces map[string]bool `json:"namespaces,omitempty"`

+	Namespaces Namespaces `json:"namespaces,omitempty"`

 	// Capabilities specify the capabilities to keep when executing the process inside the container

 	// All capbilities not specified will be dropped from the processes capability mask

@@ -47,9 +98,6 @@ type Config struct {

 	// Networks specifies the container's network setup to be created

 	Networks []*Network `json:"networks,omitempty"`

-	// Ipc specifies the container's ipc setup to be created

-	IpcNsPath string `json:"ipc,omitempty"`

-

 	// Routes can be specified to create entries in the route table as the container is started

 	Routes []*Route `json:"routes,omitempty"`

@@ -64,12 +64,12 @@ func TestConfigJsonFormat(t *testing.T) {

 		t.Fail()

 	}

-	if !container.Namespaces["NEWNET"] {

+	if !container.Namespaces.Contains(NEWNET) {

 		t.Log("namespaces should contain NEWNET")

 		t.Fail()

 	}

-	if container.Namespaces["NEWUSER"] {

+	if container.Namespaces.Contains(NEWUSER) {

 		t.Log("namespaces should not contain NEWUSER")

 		t.Fail()

 	}

@@ -4,6 +4,8 @@ import (

 	"os"

 	"strings"

 	"testing"

+

+	"github.com/docker/libcontainer"

 )

 func TestExecPS(t *testing.T) {

@@ -55,7 +57,6 @@ func TestIPCPrivate(t *testing.T) {

 	}

 	config := newTemplateConfig(rootfs)

-	config.Namespaces["NEWIPC"] = true

 	buffers, exitCode, err := runContainer(config, "", "readlink", "/proc/self/ns/ipc")

 	if err != nil {

 		t.Fatal(err)

@@ -87,7 +88,7 @@ func TestIPCHost(t *testing.T) {

 	}

 	config := newTemplateConfig(rootfs)

-	config.Namespaces["NEWIPC"] = false

+	config.Namespaces.Remove(libcontainer.NEWIPC)

 	buffers, exitCode, err := runContainer(config, "", "readlink", "/proc/self/ns/ipc")

 	if err != nil {

 		t.Fatal(err)

@@ -119,8 +120,7 @@ func TestIPCJoinPath(t *testing.T) {

 	}

 	config := newTemplateConfig(rootfs)

-	config.Namespaces["NEWIPC"] = false

-	config.IpcNsPath = "/proc/1/ns/ipc"

+	config.Namespaces.Add(libcontainer.NEWIPC, "/proc/1/ns/ipc")

 	buffers, exitCode, err := runContainer(config, "", "readlink", "/proc/self/ns/ipc")

 	if err != nil {

@@ -148,8 +148,7 @@ func TestIPCBadPath(t *testing.T) {

 	defer remove(rootfs)

 	config := newTemplateConfig(rootfs)

-	config.Namespaces["NEWIPC"] = false

-	config.IpcNsPath = "/proc/1/ns/ipcc"

+	config.Namespaces.Add(libcontainer.NEWIPC, "/proc/1/ns/ipcc")

 	_, _, err = runContainer(config, "", "true")

 	if err == nil {

new file mode 100644

@@ -0,0 +1,140 @@

+package integration

+

+import (

+	"os"

+	"os/exec"

+	"strings"

+	"sync"

+	"testing"

+

+	"github.com/docker/libcontainer"

+	"github.com/docker/libcontainer/namespaces"

+)

+

+func TestExecIn(t *testing.T) {

+	if testing.Short() {

+		return

+	}

+

+	rootfs, err := newRootFs()

+	if err != nil {

+		t.Fatal(err)

+	}

+	defer remove(rootfs)

+

+	config := newTemplateConfig(rootfs)

+	if err := writeConfig(config); err != nil {

+		t.Fatalf("failed to write config %s", err)

+	}

+

+	containerCmd, statePath, containerErr := startLongRunningContainer(config)

+	defer func() {

+		// kill the container

+		if containerCmd.Process != nil {

+			containerCmd.Process.Kill()

+		}

+		if err := <-containerErr; err != nil {

+			t.Fatal(err)

+		}

+	}()

+

+	// start the exec process

+	state, err := libcontainer.GetState(statePath)

+	if err != nil {

+		t.Fatalf("failed to get state %s", err)

+	}

+	buffers := newStdBuffers()

+	execErr := make(chan error, 1)

+	go func() {

+		_, err := namespaces.ExecIn(config, state, []string{"ps"},

+			os.Args[0], "exec", buffers.Stdin, buffers.Stdout, buffers.Stderr,

+			"", nil)

+		execErr <- err

+	}()

+	if err := <-execErr; err != nil {

+		t.Fatalf("exec finished with error %s", err)

+	}

+

+	out := buffers.Stdout.String()

+	if !strings.Contains(out, "sleep 10") || !strings.Contains(out, "ps") {

+		t.Fatalf("unexpected running process, output %q", out)

+	}

+}

+

+func TestExecInRlimit(t *testing.T) {

+	if testing.Short() {

+		return

+	}

+

+	rootfs, err := newRootFs()

+	if err != nil {

+		t.Fatal(err)

+	}

+	defer remove(rootfs)

+

+	config := newTemplateConfig(rootfs)

+	if err := writeConfig(config); err != nil {

+		t.Fatalf("failed to write config %s", err)

+	}

+

+	containerCmd, statePath, containerErr := startLongRunningContainer(config)

+	defer func() {

+		// kill the container

+		if containerCmd.Process != nil {

+			containerCmd.Process.Kill()

+		}

+		if err := <-containerErr; err != nil {

+			t.Fatal(err)

+		}

+	}()

+

+	// start the exec process

+	state, err := libcontainer.GetState(statePath)

+	if err != nil {

+		t.Fatalf("failed to get state %s", err)

+	}

+	buffers := newStdBuffers()

+	execErr := make(chan error, 1)

+	go func() {

+		_, err := namespaces.ExecIn(config, state, []string{"/bin/sh", "-c", "ulimit -n"},

+			os.Args[0], "exec", buffers.Stdin, buffers.Stdout, buffers.Stderr,

+			"", nil)

+		execErr <- err

+	}()

+	if err := <-execErr; err != nil {

+		t.Fatalf("exec finished with error %s", err)

+	}

+

+	out := buffers.Stdout.String()

+	if limit := strings.TrimSpace(out); limit != "1024" {

+		t.Fatalf("expected rlimit to be 1024, got %s", limit)

+	}

+}

+

+// start a long-running container so we have time to inspect execin processes

+func startLongRunningContainer(config *libcontainer.Config) (*exec.Cmd, string, chan error) {

+	containerErr := make(chan error, 1)

+	containerCmd := &exec.Cmd{}

+	var statePath string

+

+	createCmd := func(container *libcontainer.Config, console, dataPath, init string,

+		pipe *os.File, args []string) *exec.Cmd {

+		containerCmd = namespaces.DefaultCreateCommand(container, console, dataPath, init, pipe, args)

+		statePath = dataPath

+		return containerCmd

+	}

+

+	var containerStart sync.WaitGroup

+	containerStart.Add(1)

+	go func() {

+		buffers := newStdBuffers()

+		_, err := namespaces.Exec(config,

+			buffers.Stdin, buffers.Stdout, buffers.Stderr,

+			"", config.RootFs, []string{"sleep", "10"},

+			createCmd, containerStart.Done)

+		containerErr <- err

+	}()

+	containerStart.Wait()

+

+	return containerCmd, statePath, containerErr

+}

@@ -1,33 +1,76 @@

 package integration

 import (

+	"encoding/json"

 	"log"

 	"os"

 	"runtime"

+	"github.com/docker/libcontainer"

 	"github.com/docker/libcontainer/namespaces"

+	_ "github.com/docker/libcontainer/namespaces/nsenter"

 )

 // init runs the libcontainer initialization code because of the busybox style needs

 // to work around the go runtime and the issues with forking

 func init() {

-	if len(os.Args) < 2 || os.Args[1] != "init" {

+	if len(os.Args) < 2 {

 		return

 	}

-	runtime.LockOSThread()

+	// handle init

+	if len(os.Args) >= 2 && os.Args[1] == "init" {

+		runtime.LockOSThread()

-	container, err := loadConfig()

-	if err != nil {

-		log.Fatal(err)

+		container, err := loadConfig()

+		if err != nil {

+			log.Fatal(err)

+		}

+

+		rootfs, err := os.Getwd()

+		if err != nil {

+			log.Fatal(err)

+		}

+

+		if err := namespaces.Init(container, rootfs, "", os.NewFile(3, "pipe"), os.Args[3:]); err != nil {

+			log.Fatalf("unable to initialize for container: %s", err)

+		}

+		os.Exit(1)

 	}

-	rootfs, err := os.Getwd()

-	if err != nil {

-		log.Fatal(err)

+	// handle execin

+	if len(os.Args) >= 2 && os.Args[0] == "nsenter-exec" {

+		runtime.LockOSThread()

+

+		// User args are passed after '--' in the command line.

+		userArgs := findUserArgs()

+

+		config, err := loadConfigFromFd()

+		if err != nil {

+			log.Fatalf("docker-exec: unable to receive config from sync pipe: %s", err)

+		}

+

+		if err := namespaces.FinalizeSetns(config, userArgs); err != nil {

+			log.Fatalf("docker-exec: failed to exec: %s", err)

+		}

+		os.Exit(1)

 	}

+}

+

+func findUserArgs() []string {

+	for i, a := range os.Args {

+		if a == "--" {

+			return os.Args[i+1:]

+		}

+	}

+	return []string{}

+}

-	if err := namespaces.Init(container, rootfs, "", os.NewFile(3, "pipe"), os.Args[3:]); err != nil {

-		log.Fatalf("unable to initialize for container: %s", err)

+// loadConfigFromFd loads a container's config from the sync pipe that is provided by

+// fd 3 when running a process

+func loadConfigFromFd() (*libcontainer.Config, error) {

+	var config *libcontainer.Config

+	if err := json.NewDecoder(os.NewFile(3, "child")).Decode(&config); err != nil {

+		return nil, err

 	}

-	os.Exit(1)

+	return config, nil

 }

@@ -32,12 +32,12 @@ func newTemplateConfig(rootfs string) *libcontainer.Config {

 			"KILL",

 			"AUDIT_WRITE",

 		},

-		Namespaces: map[string]bool{

-			"NEWNS":  true,

-			"NEWUTS": true,

-			"NEWIPC": true,

-			"NEWPID": true,

-			"NEWNET": true,

+		Namespaces: libcontainer.Namespaces{

+			{Type: libcontainer.NEWNS},

+			{Type: libcontainer.NEWUTS},

+			{Type: libcontainer.NEWIPC},

+			{Type: libcontainer.NEWPID},

+			{Type: libcontainer.NEWNET},

 		},

 		Cgroups: &cgroups.Cgroup{

 			Parent:          "integration",

deleted file mode 100644

@@ -1,29 +0,0 @@

-package ipc

-

-import (

-	"fmt"