@@ -32,7 +32,7 @@ func initializer() {

 	if err != nil {

 		fatal(err)

 	}

-	if err := factory.StartInitialization(3); err != nil {

+	if err := factory.StartInitialization(); err != nil {

 		fatal(err)

 	}

@@ -53,8 +53,6 @@ clone hg code.google.com/p/gosqlite 74691fb6f837

 clone git github.com/docker/libtrust 230dfd18c232

-clone git github.com/Sirupsen/logrus v0.7.2

-

 clone git github.com/go-fsnotify/fsnotify v1.2.0

 clone git github.com/go-check/check 64131543e7896d5bcc6bd5a76287eb75ea96c673

@@ -69,8 +67,8 @@ mv tmp-digest src/github.com/docker/distribution/digest

 mkdir -p src/github.com/docker/distribution/registry

 mv tmp-api src/github.com/docker/distribution/registry/api

-clone git github.com/docker/libcontainer bd8ec36106086f72b66e1be85a81202b93503e44

+clone git github.com/docker/libcontainer 6607689b1d06743003a45a722d9fe0bef36b274e

 # see src/github.com/docker/libcontainer/update-vendor.sh which is the "source of truth" for libcontainer deps (just like this file)

 rm -rf src/github.com/docker/libcontainer/vendor

-eval "$(grep '^clone ' src/github.com/docker/libcontainer/update-vendor.sh | grep -v 'github.com/codegangsta/cli' | grep -v 'github.com/Sirupsen/logrus')"

+eval "$(grep '^clone ' src/github.com/docker/libcontainer/update-vendor.sh | grep -v 'github.com/codegangsta/cli')"

 # we exclude "github.com/codegangsta/cli" here because it's only needed for "nsinit", which Docker doesn't include

@@ -1,3 +1,7 @@

+# 0.7.3

+

+formatter/\*: allow configuration of timestamp layout

+

 # 0.7.2

 formatter/text: Add configuration option for time format (#158)

@@ -108,6 +108,16 @@ func main() {

     "omg":    true,

     "number": 100,

   }).Fatal("The ice breaks!")

+

+  // A common pattern is to re-use fields between logging statements by re-using

+  // the logrus.Entry returned from WithFields()

+  contextLogger := log.WithFields(log.Fields{

+    "common": "this is a common field",

+    "other": "I also should be logged always",

+  })

+

+  contextLogger.Info("I'll be logged with common and other field")

+  contextLogger.Info("Me too")

 }

 ```

@@ -189,31 +199,18 @@ func init() {

 }

 ```

-* [`github.com/Sirupsen/logrus/hooks/airbrake`](https://github.com/Sirupsen/logrus/blob/master/hooks/airbrake/airbrake.go)

-  Send errors to an exception tracking service compatible with the Airbrake API.

-  Uses [`airbrake-go`](https://github.com/tobi/airbrake-go) behind the scenes.

-

-* [`github.com/Sirupsen/logrus/hooks/papertrail`](https://github.com/Sirupsen/logrus/blob/master/hooks/papertrail/papertrail.go)

-  Send errors to the Papertrail hosted logging service via UDP.

-

-* [`github.com/Sirupsen/logrus/hooks/syslog`](https://github.com/Sirupsen/logrus/blob/master/hooks/syslog/syslog.go)

-  Send errors to remote syslog server.

-  Uses standard library `log/syslog` behind the scenes.

-

-* [`github.com/Sirupsen/logrus/hooks/bugsnag`](https://github.com/Sirupsen/logrus/blob/master/hooks/bugsnag/bugsnag.go)

-  Send errors to the Bugsnag exception tracking service.

-

-* [`github.com/nubo/hiprus`](https://github.com/nubo/hiprus)

-  Send errors to a channel in hipchat.

-

-* [`github.com/sebest/logrusly`](https://github.com/sebest/logrusly)

-  Send logs to Loggly (https://www.loggly.com/)

-

-* [`github.com/johntdyer/slackrus`](https://github.com/johntdyer/slackrus)

-  Hook for Slack chat.

-* [`github.com/wercker/journalhook`](https://github.com/wercker/journalhook).

-  Hook for logging to `systemd-journald`.

+| Hook  | Description |

+| ----- | ----------- |

+| [Airbrake](https://github.com/Sirupsen/logrus/blob/master/hooks/airbrake/airbrake.go) | Send errors to an exception tracking service compatible with the Airbrake API. Uses [`airbrake-go`](https://github.com/tobi/airbrake-go) behind the scenes. |

+| [Papertrail](https://github.com/Sirupsen/logrus/blob/master/hooks/papertrail/papertrail.go) | Send errors to the Papertrail hosted logging service via UDP. |

+| [Syslog](https://github.com/Sirupsen/logrus/blob/master/hooks/syslog/syslog.go) | Send errors to remote syslog server. Uses standard library `log/syslog` behind the scenes. |

+| [BugSnag](https://github.com/Sirupsen/logrus/blob/master/hooks/bugsnag/bugsnag.go) | Send errors to the Bugsnag exception tracking service. |

+| [Hiprus](https://github.com/nubo/hiprus) | Send errors to a channel in hipchat. |

+| [Logrusly](https://github.com/sebest/logrusly) | Send logs to [Loggly](https://www.loggly.com/) |

+| [Slackrus](https://github.com/johntdyer/slackrus) | Hook for Slack chat. |

+| [Journalhook](https://github.com/wercker/journalhook) | Hook for logging to `systemd-journald` |

+| [Graylog](https://github.com/gemnasium/logrus-hooks/tree/master/graylog) | Hook for logging to [Graylog](http://graylog2.org/) |

 #### Level logging

@@ -1,5 +1,9 @@

 package logrus

+import "time"

+

+const DefaultTimestampFormat = time.RFC3339

+

 // The Formatter interface is used to implement a custom Formatter. It takes an

 // `Entry`. It exposes all the fields, including the default ones:

 //

@@ -3,19 +3,27 @@ package logstash

 import (

 	"encoding/json"

 	"fmt"

+

 	"github.com/Sirupsen/logrus"

-	"time"

 )

 // Formatter generates json in logstash format.

 // Logstash site: http://logstash.net/

 type LogstashFormatter struct {

 	Type string // if not empty use for logstash type field.

+

+	// TimestampFormat sets the format used for timestamps.

+	TimestampFormat string

 }

 func (f *LogstashFormatter) Format(entry *logrus.Entry) ([]byte, error) {

 	entry.Data["@version"] = 1

-	entry.Data["@timestamp"] = entry.Time.Format(time.RFC3339)

+

+	if f.TimestampFormat == "" {

+		f.TimestampFormat = logrus.DefaultTimestampFormat

+	}

+

+	entry.Data["@timestamp"] = entry.Time.Format(f.TimestampFormat)

 	// set message field

 	v, ok := entry.Data["message"]

@@ -3,10 +3,12 @@ package logrus

 import (

 	"encoding/json"

 	"fmt"

-	"time"

 )

-type JSONFormatter struct{}

+type JSONFormatter struct {

+	// TimestampFormat sets the format used for marshaling timestamps.

+	TimestampFormat string

+}

 func (f *JSONFormatter) Format(entry *Entry) ([]byte, error) {

 	data := make(Fields, len(entry.Data)+3)

@@ -21,7 +23,12 @@ func (f *JSONFormatter) Format(entry *Entry) ([]byte, error) {

 		}

 	}

 	prefixFieldClashes(data)

-	data["time"] = entry.Time.Format(time.RFC3339)

+

+	if f.TimestampFormat == "" {

+		f.TimestampFormat = DefaultTimestampFormat

+	}

+

+	data["time"] = entry.Time.Format(f.TimestampFormat)

 	data["msg"] = entry.Message

 	data["level"] = entry.Level.String()

@@ -18,9 +18,8 @@ const (

 )

 var (

-	baseTimestamp          time.Time

-	isTerminal             bool

-	defaultTimestampFormat = time.RFC3339

+	baseTimestamp time.Time

+	isTerminal    bool

 )

 func init() {

@@ -47,7 +46,7 @@ type TextFormatter struct {

 	// the time passed since beginning of execution.

 	FullTimestamp bool

-	// Timestamp format to use for display, if a full timestamp is printed

+	// TimestampFormat to use for display when a full timestamp is printed

 	TimestampFormat string

 	// The fields are sorted by default for a consistent output. For applications

@@ -73,7 +72,7 @@ func (f *TextFormatter) Format(entry *Entry) ([]byte, error) {

 	isColored := (f.ForceColors || isTerminal) && !f.DisableColors

 	if f.TimestampFormat == "" {

-		f.TimestampFormat = defaultTimestampFormat

+		f.TimestampFormat = DefaultTimestampFormat

 	}

 	if isColored {

 		f.printColored(b, entry, keys)

@@ -14,8 +14,10 @@ import (

 func IsEnabled() bool {

 	if _, err := os.Stat("/sys/kernel/security/apparmor"); err == nil && os.Getenv("container") == "" {

-		buf, err := ioutil.ReadFile("/sys/module/apparmor/parameters/enabled")

-		return err == nil && len(buf) > 1 && buf[0] == 'Y'

+		if _, err = os.Stat("/sbin/apparmor_parser"); err == nil {

+			buf, err := ioutil.ReadFile("/sys/module/apparmor/parameters/enabled")

+			return err == nil && len(buf) > 1 && buf[0] == 'Y'

+		}

 	}

 	return false

 }

@@ -1,6 +1,8 @@

 package fs

 import (

+	"fmt"

+	"io"

 	"io/ioutil"

 	"os"

 	"path/filepath"

@@ -19,6 +21,7 @@ var (

 		"cpuset":     &CpusetGroup{},

 		"cpuacct":    &CpuacctGroup{},

 		"blkio":      &BlkioGroup{},

+		"hugetlb":    &HugetlbGroup{},

 		"perf_event": &PerfEventGroup{},

 		"freezer":    &FreezerGroup{},

 	}

@@ -75,10 +78,13 @@ type data struct {

 }

 func (m *Manager) Apply(pid int) error {

+

 	if m.Cgroups == nil {

 		return nil

 	}

+	var c = m.Cgroups

+

 	d, err := getCgroupData(m.Cgroups, pid)

 	if err != nil {

 		return err

@@ -108,6 +114,12 @@ func (m *Manager) Apply(pid int) error {

 	}

 	m.Paths = paths

+	if paths["cpu"] != "" {

+		if err := CheckCpushares(paths["cpu"], c.CpuShares); err != nil {

+			return err

+		}

+	}

+

 	return nil

 }

@@ -119,19 +131,6 @@ func (m *Manager) GetPaths() map[string]string {

 	return m.Paths

 }

-// Symmetrical public function to update device based cgroups.  Also available

-// in the systemd implementation.

-func ApplyDevices(c *configs.Cgroup, pid int) error {

-	d, err := getCgroupData(c, pid)

-	if err != nil {

-		return err

-	}

-

-	devices := subsystems["devices"]

-

-	return devices.Apply(d)

-}

-

 func (m *Manager) GetStats() (*cgroups.Stats, error) {

 	stats := cgroups.NewStats()

 	for name, path := range m.Paths {

@@ -280,3 +279,27 @@ func removePath(p string, err error) error {

 	}

 	return nil

 }

+

+func CheckCpushares(path string, c int64) error {

+	var cpuShares int64

+

+	fd, err := os.Open(filepath.Join(path, "cpu.shares"))

+	if err != nil {

+		return err

+	}

+	defer fd.Close()

+

+	_, err = fmt.Fscanf(fd, "%d", &cpuShares)

+	if err != nil && err != io.EOF {

+		return err

+	}

+	if c != 0 {

+		if c > cpuShares {

+			return fmt.Errorf("The maximum allowed cpu-shares is %d", cpuShares)

+		} else if c < cpuShares {

+			return fmt.Errorf("The minimum allowed cpu-shares is %d", cpuShares)

+		}

+	}

+

+	return nil

+}

@@ -35,6 +35,32 @@ func (s *BlkioGroup) Set(path string, cgroup *configs.Cgroup) error {

 		}

 	}

+	if cgroup.BlkioWeightDevice != "" {

+		if err := writeFile(path, "blkio.weight_device", cgroup.BlkioWeightDevice); err != nil {

+			return err

+		}

+	}

+	if cgroup.BlkioThrottleReadBpsDevice != "" {

+		if err := writeFile(path, "blkio.throttle.read_bps_device", cgroup.BlkioThrottleReadBpsDevice); err != nil {

+			return err

+		}

+	}

+	if cgroup.BlkioThrottleWriteBpsDevice != "" {

+		if err := writeFile(path, "blkio.throttle.write_bps_device", cgroup.BlkioThrottleWriteBpsDevice); err != nil {

+			return err

+		}

+	}

+	if cgroup.BlkioThrottleReadIOpsDevice != "" {

+		if err := writeFile(path, "blkio.throttle.read_iops_device", cgroup.BlkioThrottleReadIOpsDevice); err != nil {

+			return err

+		}

+	}

+	if cgroup.BlkioThrottleWriteIOpsDevice != "" {

+		if err := writeFile(path, "blkio.throttle.write_iops_device", cgroup.BlkioThrottleWriteIOpsDevice); err != nil {

+			return err

+		}

+	}

+

 	return nil

 }

@@ -67,6 +67,8 @@ Total 22061056`

 252:0 Async 164

 252:0 Total 164

 Total 328`

+	throttleBefore = `8:0 1024`

+	throttleAfter  = `8:0 2048`

 )

 func appendBlkioStatEntry(blkioStatEntries *[]cgroups.BlkioStatEntry, major, minor, value uint64, op string) {

@@ -102,6 +104,35 @@ func TestBlkioSetWeight(t *testing.T) {

 	}

 }

+func TestBlkioSetWeightDevice(t *testing.T) {

+	helper := NewCgroupTestUtil("blkio", t)

+	defer helper.cleanup()

+

+	const (

+		weightDeviceBefore = "8:0 400"

+		weightDeviceAfter  = "8:0 500"

+	)

+

+	helper.writeFileContents(map[string]string{

+		"blkio.weight_device": weightDeviceBefore,

+	})

+

+	helper.CgroupData.c.BlkioWeightDevice = weightDeviceAfter

+	blkio := &BlkioGroup{}

+	if err := blkio.Set(helper.CgroupPath, helper.CgroupData.c); err != nil {

+		t.Fatal(err)

+	}

+

+	value, err := getCgroupParamString(helper.CgroupPath, "blkio.weight_device")

+	if err != nil {

+		t.Fatalf("Failed to parse blkio.weight_device - %s", err)

+	}

+

+	if value != weightDeviceAfter {

+		t.Fatal("Got the wrong value, set blkio.weight_device failed.")

+	}

+}

+

 func TestBlkioStats(t *testing.T) {

 	helper := NewCgroupTestUtil("blkio", t)

 	defer helper.cleanup()

@@ -442,3 +473,96 @@ func TestNonCFQBlkioStats(t *testing.T) {

 	expectBlkioStatsEquals(t, expectedStats, actualStats.BlkioStats)

 }

+

+func TestBlkioSetThrottleReadBpsDevice(t *testing.T) {

+	helper := NewCgroupTestUtil("blkio", t)

+	defer helper.cleanup()

+

+	helper.writeFileContents(map[string]string{

+		"blkio.throttle.read_bps_device": throttleBefore,

+	})

+

+	helper.CgroupData.c.BlkioThrottleReadBpsDevice = throttleAfter

+	blkio := &BlkioGroup{}

+	if err := blkio.Set(helper.CgroupPath, helper.CgroupData.c); err != nil {

+		t.Fatal(err)

+	}

+

+	value, err := getCgroupParamString(helper.CgroupPath, "blkio.throttle.read_bps_device")

+	if err != nil {

+		t.Fatalf("Failed to parse blkio.throttle.read_bps_device - %s", err)

+	}

+

+	if value != throttleAfter {

+		t.Fatal("Got the wrong value, set blkio.throttle.read_bps_device failed.")

+	}

+}

+func TestBlkioSetThrottleWriteBpsDevice(t *testing.T) {

+	helper := NewCgroupTestUtil("blkio", t)

+	defer helper.cleanup()

+

+	helper.writeFileContents(map[string]string{

+		"blkio.throttle.write_bps_device": throttleBefore,

+	})

+

+	helper.CgroupData.c.BlkioThrottleWriteBpsDevice = throttleAfter

+	blkio := &BlkioGroup{}

+	if err := blkio.Set(helper.CgroupPath, helper.CgroupData.c); err != nil {

+		t.Fatal(err)

+	}

+

+	value, err := getCgroupParamString(helper.CgroupPath, "blkio.throttle.write_bps_device")

+	if err != nil {

+		t.Fatalf("Failed to parse blkio.throttle.write_bps_device - %s", err)

+	}

+

+	if value != throttleAfter {

+		t.Fatal("Got the wrong value, set blkio.throttle.write_bps_device failed.")

+	}

+}

+func TestBlkioSetThrottleReadIOpsDevice(t *testing.T) {

+	helper := NewCgroupTestUtil("blkio", t)

+	defer helper.cleanup()

+

+	helper.writeFileContents(map[string]string{

+		"blkio.throttle.read_iops_device": throttleBefore,

+	})

+

+	helper.CgroupData.c.BlkioThrottleReadIOpsDevice = throttleAfter

+	blkio := &BlkioGroup{}

+	if err := blkio.Set(helper.CgroupPath, helper.CgroupData.c); err != nil {

+		t.Fatal(err)

+	}

+

+	value, err := getCgroupParamString(helper.CgroupPath, "blkio.throttle.read_iops_device")

+	if err != nil {

+		t.Fatalf("Failed to parse blkio.throttle.read_iops_device - %s", err)

+	}

+

+	if value != throttleAfter {

+		t.Fatal("Got the wrong value, set blkio.throttle.read_iops_device failed.")

+	}

+}

+func TestBlkioSetThrottleWriteIOpsDevice(t *testing.T) {

+	helper := NewCgroupTestUtil("blkio", t)

+	defer helper.cleanup()

+

+	helper.writeFileContents(map[string]string{

+		"blkio.throttle.write_iops_device": throttleBefore,

+	})

+

+	helper.CgroupData.c.BlkioThrottleWriteIOpsDevice = throttleAfter

+	blkio := &BlkioGroup{}

+	if err := blkio.Set(helper.CgroupPath, helper.CgroupData.c); err != nil {

+		t.Fatal(err)

+	}

+

+	value, err := getCgroupParamString(helper.CgroupPath, "blkio.throttle.write_iops_device")

+	if err != nil {

+		t.Fatalf("Failed to parse blkio.throttle.write_iops_device - %s", err)

+	}

+

+	if value != throttleAfter {

+		t.Fatal("Got the wrong value, set blkio.throttle.write_iops_device failed.")

+	}

+}

@@ -32,6 +32,17 @@ func (s *DevicesGroup) Set(path string, cgroup *configs.Cgroup) error {

 				return err

 			}

 		}

+		return nil

+	}

+

+	if err := writeFile(path, "devices.allow", "a"); err != nil {

+		return err

+	}

+

+	for _, dev := range cgroup.DeniedDevices {

+		if err := writeFile(path, "devices.deny", dev.CgroupString()); err != nil {

+			return err

+		}

 	}

 	return nil

@@ -17,7 +17,18 @@ var (

 			FileMode:    0666,

 		},

 	}

-	allowedList = "c 1:5 rwm"

+	allowedList   = "c 1:5 rwm"

+	deniedDevices = []*configs.Device{

+		{

+			Path:        "/dev/null",

+			Type:        'c',

+			Major:       1,

+			Minor:       3,

+			Permissions: "rwm",

+			FileMode:    0666,

+		},

+	}

+	deniedList = "c 1:3 rwm"

 )

 func TestDevicesSetAllow(t *testing.T) {

@@ -44,3 +55,28 @@ func TestDevicesSetAllow(t *testing.T) {

 		t.Fatal("Got the wrong value, set devices.allow failed.")

 	}

 }

+

+func TestDevicesSetDeny(t *testing.T) {

+	helper := NewCgroupTestUtil("devices", t)

+	defer helper.cleanup()

+

+	helper.writeFileContents(map[string]string{

+		"devices.allow": "a",

+	})

+

+	helper.CgroupData.c.AllowAllDevices = true

+	helper.CgroupData.c.DeniedDevices = deniedDevices

+	devices := &DevicesGroup{}

+	if err := devices.Set(helper.CgroupPath, helper.CgroupData.c); err != nil {

+		t.Fatal(err)

+	}

+

+	value, err := getCgroupParamString(helper.CgroupPath, "devices.deny")

+	if err != nil {

+		t.Fatalf("Failed to parse devices.deny - %s", err)

+	}

+

+	if value != deniedList {

+		t.Fatal("Got the wrong value, set devices.deny failed.")

+	}

+}

new file mode 100644

@@ -0,0 +1,29 @@

+package fs

+

+import (

+	"github.com/docker/libcontainer/cgroups"

+	"github.com/docker/libcontainer/configs"

+)

+

+type HugetlbGroup struct {

+}

+

+func (s *HugetlbGroup) Apply(d *data) error {

+	// we just want to join this group even though we don't set anything

+	if _, err := d.join("hugetlb"); err != nil && !cgroups.IsNotFound(err) {

+		return err

+	}

+	return nil

+}

+

+func (s *HugetlbGroup) Set(path string, cgroup *configs.Cgroup) error {

+	return nil

+}

+

+func (s *HugetlbGroup) Remove(d *data) error {

+	return removePath(d.path("hugetlb"))

+}

+

+func (s *HugetlbGroup) GetStats(path string, stats *cgroups.Stats) error {

+	return nil

+}

@@ -95,6 +95,7 @@ func (s *MemoryGroup) GetStats(path string, stats *cgroups.Stats) error {

 		return fmt.Errorf("failed to parse memory.usage_in_bytes - %v", err)

 	}

 	stats.MemoryStats.Usage = value

+	stats.MemoryStats.Cache = stats.MemoryStats.Stats["cache"]

 	value, err = getCgroupParamUint(path, "memory.max_usage_in_bytes")

 	if err != nil {

 		return fmt.Errorf("failed to parse memory.max_usage_in_bytes - %v", err)

@@ -128,7 +128,7 @@ func TestMemoryStats(t *testing.T) {

 	if err != nil {

 		t.Fatal(err)

 	}

-	expectedStats := cgroups.MemoryStats{Usage: 2048, MaxUsage: 4096, Failcnt: 100, Stats: map[string]uint64{"cache": 512, "rss": 1024}}

+	expectedStats := cgroups.MemoryStats{Usage: 2048, Cache: 512, MaxUsage: 4096, Failcnt: 100, Stats: map[string]uint64{"cache": 512, "rss": 1024}}

 	expectMemoryStatEquals(t, expectedStats, actualStats.MemoryStats)

 }

@@ -2,9 +2,9 @@ package fs

 import (

 	"fmt"

-	"log"

 	"testing"

+	log "github.com/Sirupsen/logrus"

 	"github.com/docker/libcontainer/cgroups"

 )

@@ -33,6 +33,8 @@ type CpuStats struct {

 type MemoryStats struct {

 	// current res_counter usage for memory

 	Usage uint64 `json:"usage,omitempty"`

+	// memory used for cache

+	Cache uint64 `json:"cache,omitempty"`

 	// maximum usage ever recorded.

 	MaxUsage uint64 `json:"max_usage,omitempty"`

 	// TODO(vishh): Export these as stronger types.

@@ -46,10 +46,6 @@ func (m *Manager) Freeze(state configs.FreezerState) error {

 	return fmt.Errorf("Systemd not supported")

 }

-func ApplyDevices(c *configs.Cgroup, pid int) error {

-	return fmt.Errorf("Systemd not supported")

-}

-

 func Freeze(c *configs.Cgroup, state configs.FreezerState) error {

 	return fmt.Errorf("Systemd not supported")

 }

@@ -38,6 +38,7 @@ var subsystems = map[string]subsystem{

 	"cpuset":     &fs.CpusetGroup{},

 	"cpuacct":    &fs.CpuacctGroup{},

 	"blkio":      &fs.BlkioGroup{},

+	"hugetlb":    &fs.HugetlbGroup{},

 	"perf_event": &fs.PerfEventGroup{},

 	"freezer":    &fs.FreezerGroup{},

 }

@@ -216,6 +217,13 @@ func (m *Manager) Apply(pid int) error {

 		return err

 	}

+	// FIXME: Systemd does have `BlockIODeviceWeight` property, but we got problem

+	// using that (at least on systemd 208, see https://github.com/docker/libcontainer/pull/354),

+	// so use fs work around for now.

+	if err := joinBlkio(c, pid); err != nil {

+		return err

+	}

+

 	paths := make(map[string]string)

 	for sysname := range subsystems {

 		subsystemPath, err := getSubsystemPath(m.Cgroups, sysname)

@@ -228,9 +236,14 @@ func (m *Manager) Apply(pid int) error {

 		}

 		paths[sysname] = subsystemPath

 	}

-

 	m.Paths = paths

+	if paths["cpu"] != "" {

+		if err := fs.CheckCpushares(paths["cpu"], c.CpuShares); err != nil {

+			return err

+		}

+	}

+

 	return nil

 }

@@ -350,7 +363,17 @@ func (m *Manager) GetStats() (*cgroups.Stats, error) {

 }

 func (m *Manager) Set(container *configs.Config) error {

-	panic("not implemented")

+	for name, path := range m.Paths {

+		sys, ok := subsystems[name]

+		if !ok || !cgroups.PathExists(path) {

+			continue

+		}

+		if err := sys.Set(path, container.Cgroups); err != nil {

+			return err

+		}

+	}

+

+	return nil

 }

 func getUnitName(c *configs.Cgroup) string {

@@ -362,7 +385,7 @@ func getUnitName(c *configs.Cgroup) string {

 // * Support for wildcards to allow /dev/pts support

 //

 // The second is available in more recent systemd as "char-pts", but not in e.g. v208 which is

-// in wide use. When both these are availalable we will be able to switch, but need to keep the old

+// in wide use. When both these are available we will be able to switch, but need to keep the old

 // implementation for backwards compat.

 //

 // Note: we can't use systemd to set up the initial limits, and then change the cgroup

@@ -375,17 +398,7 @@ func joinDevices(c *configs.Cgroup, pid int) error {

 	}

 	devices := subsystems["devices"]

-	if err := devices.Set(path, c); err != nil {

-		return err

-	}

-

-	return nil

-}

-

-// Symmetrical public function to update device based cgroups.  Also available

-// in the fs implementation.

-func ApplyDevices(c *configs.Cgroup, pid int) error {

-	return joinDevices(c, pid)

+	return devices.Set(path, c)

 }

 func joinMemory(c *configs.Cgroup, pid int) error {

@@ -417,3 +430,40 @@ func joinCpuset(c *configs.Cgroup, pid int) error {

 	return s.ApplyDir(path, c, pid)

 }

+

+// `BlockIODeviceWeight` property of systemd does not work properly, and systemd

+// expects device path instead of major minor numbers, which is also confusing

+// for users. So we use fs work around for now.

+func joinBlkio(c *configs.Cgroup, pid int) error {

+	path, err := getSubsystemPath(c, "blkio")

+	if err != nil {

+		return err

+	}

+	if c.BlkioWeightDevice != "" {

+		if err := writeFile(path, "blkio.weight_device", c.BlkioWeightDevice); err != nil {

+			return err

+		}

+	}

+	if c.BlkioThrottleReadBpsDevice != "" {

+		if err := writeFile(path, "blkio.throttle.read_bps_device", c.BlkioThrottleReadBpsDevice); err != nil {

+			return err

+		}

+	}

+	if c.BlkioThrottleWriteBpsDevice != "" {

+		if err := writeFile(path, "blkio.throttle.write_bps_device", c.BlkioThrottleWriteBpsDevice); err != nil {

+			return err

+		}

+	}

+	if c.BlkioThrottleReadIOpsDevice != "" {

+		if err := writeFile(path, "blkio.throttle.read_iops_device", c.BlkioThrottleReadIOpsDevice); err != nil {

+			return err

+		}

+	}

+	if c.BlkioThrottleWriteIOpsDevice != "" {

+		if err := writeFile(path, "blkio.throttle.write_iops_device", c.BlkioThrottleWriteIOpsDevice); err != nil {

+			return err

+		}

+	}

+

+	return nil

+}

@@ -19,6 +19,8 @@ type Cgroup struct {

 	AllowedDevices []*Device `json:"allowed_devices"`

+	DeniedDevices []*Device `json:"denied_devices"`

+

 	// Memory limit (in bytes)

 	Memory int64 `json:"memory"`

@@ -43,9 +45,24 @@ type Cgroup struct {

 	// MEM to use

 	CpusetMems string `json:"cpuset_mems"`

+	// IO read rate limit per cgroup per device, bytes per second.

+	BlkioThrottleReadBpsDevice string `json:"blkio_throttle_read_bps_device"`

+

+	// IO write rate limit per cgroup per divice, bytes per second.

+	BlkioThrottleWriteBpsDevice string `json:"blkio_throttle_write_bps_device"`

+

+	// IO read rate limit per cgroup per device, IO per second.

+	BlkioThrottleReadIOpsDevice string `json:"blkio_throttle_read_iops_device"`

+

+	// IO write rate limit per cgroup per device, IO per second.

+	BlkioThrottleWriteIOpsDevice string `json:"blkio_throttle_write_iops_device"`

+

 	// Specifies per cgroup weight, range is from 10 to 1000.

 	BlkioWeight int64 `json:"blkio_weight"`

+	// Weight per cgroup per device, can override BlkioWeight.

+	BlkioWeightDevice string `json:"blkio_weight_device"`

+

 	// set the freeze value for the process

 	Freezer FreezerState `json:"freezer"`

@@ -37,6 +37,9 @@ type Config struct {

 	// bind mounts are writtable.

 	Readonlyfs bool `json:"readonlyfs"`

+	// Privatefs will mount the container's rootfs as private where mount points from the parent will not propogate

+	Privatefs bool `json:"privatefs"`

+

 	// Mounts specify additional source and destination paths that will be mounted inside the container's

 	// rootfs and mount namespace if specified

 	Mounts []*Mount `json:"mounts"`

@@ -96,6 +99,10 @@ type Config struct {

 	// ReadonlyPaths specifies paths within the container's rootfs to remount as read-only

 	// so that these files prevent any writes.

 	ReadonlyPaths []string `json:"readonly_paths"`

+

+	// SystemProperties is a map of properties and their values. It is the equivalent of using

+	// sysctl -w my.property.name value in Linux.

+	SystemProperties map[string]string `json:"system_properties"`

 }

 // Gets the root uid for the process on host which could be non-zero

@@ -18,4 +18,17 @@ type Mount struct {

 	// Relabel source if set, "z" indicates shared, "Z" indicates unshared.

 	Relabel string `json:"relabel"`

+

+	// Optional Command to be run before Source is mounted.

+	PremountCmds []Command `json:"premount_cmds"`

+

+	// Optional Command to be run after Source is mounted.

+	PostmountCmds []Command `json:"postmount_cmds"`

+}

+

+type Command struct {

+	Path string   `json:"path"`

+	Args []string `json:"args"`

+	Env  []string `json:"env"`

+	Dir  string   `json:"dir"`

 }

@@ -1,9 +1,6 @@

 package configs

-import (

-	"fmt"

-	"syscall"

-)

+import "fmt"

 type NamespaceType string

@@ -34,10 +31,6 @@ type Namespace struct {

 	Path string        `json:"path"`

 }

-func (n *Namespace) Syscall() int {

-	return namespaceInfo[n.Type]

-}

-

 func (n *Namespace) GetPath(pid int) string {