@@ -61,4 +61,4 @@ mv tmp-tar src/code.google.com/p/go/src/pkg/archive/tar

 clone git github.com/godbus/dbus v1

 clone git github.com/coreos/go-systemd v2

-clone git github.com/docker/libcontainer 77ffd49dfedbc78a7cd4cb7a50c7446cf118725f

+clone git github.com/docker/libcontainer v1.0.1

@@ -9,3 +9,4 @@ install:

 script:

     - bash "$DOCKER_PATH/hack/make/validate-dco"

     - bash "$DOCKER_PATH/hack/make/validate-gofmt"

+    - go test

@@ -36,7 +36,7 @@ that feature *on top of* libcontainer.

 ### Discuss your design on the mailing list

 We recommend discussing your plans [on the mailing

-list](https://groups.google.com/forum/?fromgroups#!forum/docker-dev)

+list](https://groups.google.com/forum/?fromgroups#!forum/libcontainer)

 before starting to code - especially for more ambitious contributions.

 This gives other contributors a chance to point you in the right

 direction, give feedback on your design, and maybe point out if someone

@@ -112,12 +112,12 @@ and that all the tests pass.

 libcontainer maintainers use LGTM (looks good to me) in comments on the code review

 to indicate acceptance.

-A change requires LGTMs from at lease one maintainer of each

-component affected. For example, if a change affects `netlink/` and `security/`, it

-needs at least one LGTM from the maintainers of `netlink/` AND, separately, at

-least one LGTM from the maintainers of `security/`.

+A change requires LGTMs from at lease two maintainers. One of those must come from

+a maintainer of the component affected. For example, if a change affects `netlink/`

+and `security`, it needs at least one LGTM from a maintainer of each. Maintainers

+only need one LGTM as presumably they LGTM their own change.

-For more details see [MAINTAINERS.md](hack/MAINTAINERS.md)

+For more details see [MAINTAINERS.md](MAINTAINERS.md)

 ### Sign your work

@@ -63,7 +63,7 @@ All decisions are pull requests, and the relevant maintainers make

 decisions by accepting or refusing the pull request. Review and acceptance

 by anyone is denoted by adding a comment in the pull request: `LGTM`. 

 However, only currently listed `MAINTAINERS` are counted towards the required

-majority.

+two LGTMs.

 libcontainer follows the timeless, highly efficient and totally unfair system

 known as [Benevolent dictator for life](http://en.wikipedia.org/wiki/Benevolent_Dictator_for_Life), with Michael Crosby in the role of BDFL.

@@ -84,6 +84,7 @@ func (s *cpuacctGroup) GetStats(d *data, stats *cgroups.Stats) error {

 	if err != nil {

 		return err

 	}

+	stats.CpuStats.CpuUsage.TotalUsage = lastUsage

 	stats.CpuStats.CpuUsage.PercpuUsage = percpuUsage

 	stats.CpuStats.CpuUsage.UsageInKernelmode = (kernelModeUsage * nanosecondsInSecond) / clockTicks

 	stats.CpuStats.CpuUsage.UsageInUsermode = (userModeUsage * nanosecondsInSecond) / clockTicks

@@ -13,8 +13,10 @@ type CpuUsage struct {

 	// percentage of available CPUs currently being used.

 	PercentUsage uint64 `json:"percent_usage,omitempty"`

 	// nanoseconds of cpu time consumed over the last 100 ms.

-	CurrentUsage uint64   `json:"current_usage,omitempty"`

-	PercpuUsage  []uint64 `json:"percpu_usage,omitempty"`

+	CurrentUsage uint64 `json:"current_usage,omitempty"`

+	// total nanoseconds of cpu time consumed

+	TotalUsage  uint64   `json:"total_usage,omitempty"`

+	PercpuUsage []uint64 `json:"percpu_usage,omitempty"`

 	// Time spent by tasks of the cgroup in kernel mode. Units: nanoseconds.

 	UsageInKernelmode uint64 `json:"usage_in_kernelmode"`

 	// Time spent by tasks of the cgroup in user mode. Units: nanoseconds.

@@ -1,107 +1,213 @@

 {

-  "namespaces": {

-    "NEWNET": true,

-    "NEWPID": true,

-    "NEWIPC": true,

-    "NEWUTS": true,

-    "NEWNS": true

-  },

-  "networks": [

-    {

-      "gateway": "localhost",

-      "type": "loopback",

-      "address": "127.0.0.1/0",

-      "mtu": 1500

+    "capabilities": [

+        "CHOWN",

+        "DAC_OVERRIDE",

+        "FOWNER",

+        "MKNOD",

+        "NET_RAW",

+        "SETGID",

+        "SETUID",

+        "SETFCAP",

+        "SETPCAP",

+        "NET_BIND_SERVICE",

+        "SYS_CHROOT",

+        "KILL"

+    ],

+    "cgroups": {

+        "allowed_devices": [

+            {

+                "cgroup_permissions": "m",

+                "major_number": -1,

+                "minor_number": -1,

+                "type": 99

+            },

+            {

+                "cgroup_permissions": "m",

+                "major_number": -1,

+                "minor_number": -1,

+                "type": 98

+            },

+            {

+                "cgroup_permissions": "rwm",

+                "major_number": 5,

+                "minor_number": 1,

+                "path": "/dev/console",

+                "type": 99

+            },

+            {

+                "cgroup_permissions": "rwm",

+                "major_number": 4,

+                "path": "/dev/tty0",

+                "type": 99

+            },

+            {

+                "cgroup_permissions": "rwm",

+                "major_number": 4,

+                "minor_number": 1,

+                "path": "/dev/tty1",

+                "type": 99

+            },

+            {

+                "cgroup_permissions": "rwm",

+                "major_number": 136,

+                "minor_number": -1,

+                "type": 99

+            },

+            {

+                "cgroup_permissions": "rwm",

+                "major_number": 5,

+                "minor_number": 2,

+                "type": 99

+            },

+            {

+                "cgroup_permissions": "rwm",

+                "major_number": 10,

+                "minor_number": 200,

+                "type": 99

+            },

+            {

+                "cgroup_permissions": "rwm",

+                "file_mode": 438,

+                "major_number": 1,

+                "minor_number": 3,

+                "path": "/dev/null",

+                "type": 99

+            },

+            {

+                "cgroup_permissions": "rwm",

+                "file_mode": 438,

+                "major_number": 1,

+                "minor_number": 5,

+                "path": "/dev/zero",

+                "type": 99

+            },

+            {

+                "cgroup_permissions": "rwm",

+                "file_mode": 438,

+                "major_number": 1,

+                "minor_number": 7,

+                "path": "/dev/full",

+                "type": 99

+            },

+            {

+                "cgroup_permissions": "rwm",

+                "file_mode": 438,

+                "major_number": 5,

+                "path": "/dev/tty",

+                "type": 99

+            },

+            {

+                "cgroup_permissions": "rwm",

+                "file_mode": 438,

+                "major_number": 1,

+                "minor_number": 9,

+                "path": "/dev/urandom",

+                "type": 99

+            },

+            {

+                "cgroup_permissions": "rwm",

+                "file_mode": 438,

+                "major_number": 1,

+                "minor_number": 8,

+                "path": "/dev/random",

+                "type": 99

+            }

+        ],

+        "name": "docker-koye",

+        "parent": "docker"

     },

-    {

-      "gateway": "172.17.42.1",

-      "context": {

-        "prefix": "veth",

-        "bridge": "docker0"

-      },

-      "type": "veth",

-      "address": "172.17.42.2/16",

-      "mtu": 1500

-    }

-  ],

-  "routes": [

-    {

-      "gateway": "172.17.42.1",

-      "interface_name": "eth0"

+    "context": {

+        "mount_label": "",

+        "process_label": "",

+        "restrictions": "true"

     },

-    {

-      "destination": "192.168.0.0/24",

-      "interface_name": "eth0"

-    }

-  ],

-  "capabilities": [

-    "MKNOD"

-  ],

-  "cgroups": {

-    "name": "docker-koye",

-    "parent": "docker"

-  },

-  "hostname": "koye",

-  "environment": [

-    "HOME=/",

-    "PATH=PATH=$PATH:/bin:/usr/bin:/sbin:/usr/sbin",

-    "container=docker",

-    "TERM=xterm-256color"

-  ],

-  "tty": true,

-  "mounts": [

-    {

-      "type": "devtmpfs"

-    }

-  ],

-  "device_nodes": [

-		{

-			"path":  "/dev/null",

-			"type":        99,

-			"major_number": 1,

-			"minor_number": 3,

-			"cgroup_permissions": "rwm",

-			"file_mode": 438

-		},

-		{

-			"path":  "/dev/zero",

-			"type":        99,

-			"major_number": 1,

-			"minor_number": 5,

-			"cgroup_permissions": "rwm",

-			"file_mode": 438

-		},

-		{

-			"path":  "/dev/full",

-			"type":        99,

-			"major_number": 1,

-			"minor_number": 7,

-			"cgroup_permissions": "rwm",

-			"file_mode": 438

-		},

-		{

-			"path":  "/dev/tty",

-			"type":        99,

-			"major_number": 5,

-			"minor_number": 0,

-			"cgroup_permissions": "rwm",

-			"file_mode": 438

-		},

-		{

-			"path":  "/dev/urandom",

-			"type":        99,

-			"major_number": 1,

-			"minor_number": 9,

-			"cgroup_permissions": "rwm",

-			"file_mode": 438

-		},

-		{

-			"path":  "/dev/random",

-			"type":        99,

-			"major_number": 1,

-			"minor_number": 8,

-			"cgroup_permissions": "rwm",

-			"file_mode": 438

-		}

-  ]

+    "device_nodes": [

+        {

+            "cgroup_permissions": "rwm",

+            "major_number": 10,

+            "minor_number": 229,

+            "path": "/dev/fuse",

+            "type": 99

+        },

+        {

+            "cgroup_permissions": "rwm",

+            "file_mode": 438,

+            "major_number": 1,

+            "minor_number": 3,

+            "path": "/dev/null",

+            "type": 99

+        },

+        {

+            "cgroup_permissions": "rwm",

+            "file_mode": 438,

+            "major_number": 1,

+            "minor_number": 5,

+            "path": "/dev/zero",

+            "type": 99

+        },

+        {

+            "cgroup_permissions": "rwm",

+            "file_mode": 438,

+            "major_number": 1,

+            "minor_number": 7,

+            "path": "/dev/full",

+            "type": 99

+        },

+        {

+            "cgroup_permissions": "rwm",

+            "file_mode": 438,

+            "major_number": 5,

+            "path": "/dev/tty",

+            "type": 99

+        },

+        {

+            "cgroup_permissions": "rwm",

+            "file_mode": 438,

+            "major_number": 1,

+            "minor_number": 9,

+            "path": "/dev/urandom",

+            "type": 99

+        },

+        {

+            "cgroup_permissions": "rwm",

+            "file_mode": 438,

+            "major_number": 1,

+            "minor_number": 8,

+            "path": "/dev/random",

+            "type": 99

+        }

+    ],

+    "environment": [

+        "HOME=/",

+        "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",

+        "HOSTNAME=2d388ea3bd92",

+        "TERM=xterm"

+    ],

+    "hostname": "koye",

+    "namespaces": {

+        "NEWIPC": true,

+        "NEWNET": true,

+        "NEWNS": true,

+        "NEWPID": true,

+        "NEWUTS": true

+    },

+    "networks": [

+        {

+            "address": "127.0.0.1/0",

+            "gateway": "localhost",

+            "mtu": 1500,

+            "type": "loopback"

+        },

+        {

+            "address": "172.17.0.101/16",

+            "context": {

+                "bridge": "docker0",

+                "prefix": "veth"

+            },

+            "gateway": "172.17.42.1",

+            "mtu": 1500,

+            "type": "veth"

+        }

+    ],

+    "tty": true

 }

@@ -37,11 +37,6 @@ func TestContainerJsonFormat(t *testing.T) {

 		t.Fail()

 	}

-	if len(container.Routes) != 2 {

-		t.Log("should have found 2 routes")

-		t.Fail()

-	}

-

 	if !container.Namespaces["NEWNET"] {

 		t.Log("namespaces should contain NEWNET")

 		t.Fail()

@@ -62,8 +57,8 @@ func TestContainerJsonFormat(t *testing.T) {

 		t.Fail()

 	}

-	if contains("SYS_CHROOT", container.Capabilities) {

-		t.Log("capabilities mask should not contain SYS_CHROOT")

+	if !contains("SYS_CHROOT", container.Capabilities) {

+		t.Log("capabilities mask should contain SYS_CHROOT")

 		t.Fail()

 	}

 }

@@ -21,14 +21,8 @@ func ExecIn(container *libcontainer.Container, nspid int, args []string) error {

 		return err

 	}

-	// TODO(vmarmol): Move this to the container JSON.

-	processLabel, err := label.GetPidCon(nspid)

-	if err != nil {

-		return err

-	}

-

 	// Enter the namespace and then finish setup

-	finalArgs := []string{os.Args[0], "nsenter", strconv.Itoa(nspid), processLabel, string(containerJson)}

+	finalArgs := []string{os.Args[0], "nsenter", "--nspid", strconv.Itoa(nspid), "--containerjson", string(containerJson), "--"}

 	finalArgs = append(finalArgs, args...)

 	if err := system.Execv(finalArgs[0], finalArgs[0:], os.Environ()); err != nil {

 		return err

@@ -37,7 +31,7 @@ func ExecIn(container *libcontainer.Container, nspid int, args []string) error {

 }

 // NsEnter is run after entering the namespace.

-func NsEnter(container *libcontainer.Container, processLabel string, nspid int, args []string) error {

+func NsEnter(container *libcontainer.Container, nspid int, args []string) error {

 	// clear the current processes env and replace it with the environment

 	// defined on the container

 	if err := LoadContainerEnvironment(container); err != nil {

@@ -46,9 +40,13 @@ func NsEnter(container *libcontainer.Container, processLabel string, nspid int,

 	if err := FinalizeNamespace(container); err != nil {

 		return err

 	}

-	if err := label.SetProcessLabel(processLabel); err != nil {

-		return err

+

+	if process_label, ok := container.Context["process_label"]; ok {

+		if err := label.SetProcessLabel(process_label); err != nil {

+			return err

+		}

 	}

+

 	if err := system.Execv(args[0], args[0:], container.Env); err != nil {

 		return err

 	}

@@ -15,6 +15,7 @@ package namespaces

 #include <sys/stat.h>

 #include <sys/types.h>

 #include <unistd.h>

+#include <getopt.h>

 static const kBufSize = 256;

@@ -64,6 +65,10 @@ int setns(int fd, int nstype) {

 #endif

 #endif

+void print_usage() {

+	fprintf(stderr, "<binary> nsenter --nspid <pid> --containerjson <container_json> -- cmd1 arg1 arg2...\n");

+}

+

 void nsenter() {

 	int argc;

 	char **argv;

@@ -79,11 +84,40 @@ void nsenter() {

 		fprintf(stderr, "nsenter: Incorrect usage, not enough arguments\n");

 		exit(1);

 	}

-	pid_t init_pid = strtol(argv[2], NULL, 10);

+

+	static const struct option longopts[] = {

+		{ "nspid",         required_argument, NULL, 'n' },

+		{ "containerjson", required_argument, NULL, 'c' },

+		{ NULL,            0,                 NULL,  0  }

+	};

+

+	int c;

+	pid_t init_pid = -1;

+	char *init_pid_str = NULL;

+	char *container_json = NULL;

+	while ((c = getopt_long_only(argc, argv, "n:s:c:", longopts, NULL)) != -1) {

+		switch (c) {

+		case 'n':

+			init_pid_str = optarg;

+			break;

+		case 'c':

+			container_json = optarg;

+			break;

+		}

+	}

+

+	if (container_json == NULL || init_pid_str == NULL) {

+		print_usage();

+		exit(1);

+	}

+

+	init_pid = strtol(init_pid_str, NULL, 10);

 	if (errno != 0 || init_pid <= 0) {

-		fprintf(stderr, "nsenter: Failed to parse PID from \"%s\" with error: \"%s\"\n", argv[2], strerror(errno));

+		fprintf(stderr, "nsenter: Failed to parse PID from \"%s\" with error: \"%s\"\n", init_pid_str, strerror(errno));

+		print_usage();

 		exit(1);

 	}

+

 	argc -= 3;

 	argv += 3;

@@ -2,7 +2,6 @@ package main

 import (

 	"log"

-	"strconv"

 	"github.com/codegangsta/cli"

 	"github.com/docker/libcontainer/namespaces"

@@ -12,29 +11,30 @@ var nsenterCommand = cli.Command{

 	Name:   "nsenter",

 	Usage:  "init process for entering an existing namespace",

 	Action: nsenterAction,

+	Flags: []cli.Flag{

+		cli.IntFlag{Name: "nspid"},

+		cli.StringFlag{Name: "containerjson"},

+	},

 }

 func nsenterAction(context *cli.Context) {

 	args := context.Args()

-	if len(args) < 4 {

-		log.Fatalf("incorrect usage: <pid> <process label> <container JSON> <cmd>...")

-	}

-	container, err := loadContainerFromJson(args.Get(2))

-	if err != nil {

-		log.Fatalf("unable to load container: %s", err)

+	if len(args) == 0 {

+		args = []string{"/bin/bash"}

 	}

-	nspid, err := strconv.Atoi(args.Get(0))

+	container, err := loadContainerFromJson(context.String("containerjson"))

 	if err != nil {

-		log.Fatalf("unable to read pid: %s from %q", err, args.Get(0))

+		log.Fatalf("unable to load container: %s", err)

 	}

+	nspid := context.Int("nspid")

 	if nspid <= 0 {

 		log.Fatalf("cannot enter into namespaces without valid pid: %q", nspid)

 	}

-	if err := namespaces.NsEnter(container, args.Get(1), nspid, args[3:]); err != nil {

+	if err := namespaces.NsEnter(container, nspid, args); err != nil {

 		log.Fatalf("failed to nsenter: %s", err)

 	}

 }