Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
| ... | ... |
@@ -75,7 +75,7 @@ rm -rf src/github.com/docker/distribution |
| 75 | 75 |
mkdir -p src/github.com/docker/distribution |
| 76 | 76 |
mv tmp-digest src/github.com/docker/distribution/digest |
| 77 | 77 |
|
| 78 |
-clone git github.com/docker/libcontainer fd0087d3acdc4c5865de1829d4accee5e3ebb658 |
|
| 78 |
+clone git github.com/docker/libcontainer a6044b701c166fe538fc760f9e2dcea3d737cd2a |
|
| 79 | 79 |
# see src/github.com/docker/libcontainer/update-vendor.sh which is the "source of truth" for libcontainer deps (just like this file) |
| 80 | 80 |
rm -rf src/github.com/docker/libcontainer/vendor |
| 81 | 81 |
eval "$(grep '^clone ' src/github.com/docker/libcontainer/update-vendor.sh | grep -v 'github.com/codegangsta/cli' | grep -v 'github.com/Sirupsen/logrus')" |
| ... | ... |
@@ -173,9 +173,6 @@ func (m *Manager) Freeze(state configs.FreezerState) error {
|
| 173 | 173 |
if err != nil {
|
| 174 | 174 |
return err |
| 175 | 175 |
} |
| 176 |
- if !cgroups.PathExists(dir) {
|
|
| 177 |
- return cgroups.NewNotFoundError("freezer")
|
|
| 178 |
- } |
|
| 179 | 176 |
|
| 180 | 177 |
prevState := m.Cgroups.Freezer |
| 181 | 178 |
m.Cgroups.Freezer = state |
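Review bot: Dropping the `cgroups.PathExists(dir)` guard changes the error a caller sees when the freezer cgroup directory is absent: the code now falls through to whatever the later state write does, so a missing cgroup surfaces as an ordinary path error instead of the `cgroups.NewNotFoundError("freezer")` it returned before. Any caller that distinguishes "cgroup not found" from other failures (via an IsNotFound-style helper, if one exists in the cgroups package) should be re-checked, because that distinction is lost here. The GetPids hunk below has the same issue, where `cgroups.ReadProcsFile(dir)` on a missing directory now returns the OS error rather than `cgroups.NewNotFoundError("devices")`. If the removal is intentional, a one-line comment such as `// a missing cgroup path is reported by the subsequent write rather than special-cased` would make that explicit at both sites. Freeze begins before and continues after this hunk, so the subsequent write is not visible here.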
| ... | ... |
@@ -200,9 +197,6 @@ func (m *Manager) GetPids() ([]int, error) {
|
| 200 | 200 |
if err != nil {
|
| 201 | 201 |
return nil, err |
| 202 | 202 |
} |
| 203 |
- if !cgroups.PathExists(dir) {
|
|
| 204 |
- return nil, cgroups.NewNotFoundError("devices")
|
|
| 205 |
- } |
|
| 206 | 203 |
|
| 207 | 204 |
return cgroups.ReadProcsFile(dir) |
| 208 | 205 |
} |
| ... | ... |
@@ -91,7 +91,7 @@ func populateProcessEnvironment(env []string) error {
|
| 91 | 91 |
|
| 92 | 92 |
// finalizeNamespace drops the caps, sets the correct user |
| 93 | 93 |
// and working dir, and closes any leaked file descriptors |
| 94 |
-// before execing the command inside the namespace |
|
| 94 |
+// before executing the command inside the namespace |
|
| 95 | 95 |
func finalizeNamespace(config *initConfig) error {
|
| 96 | 96 |
// Ensure that all non-standard fds we may have accidentally |
| 97 | 97 |
// inherited are marked close-on-exec so they stay out of the |
| ... | ... |
@@ -186,7 +186,9 @@ func reOpenDevNull(rootfs string) error {
|
| 186 | 186 |
func createDevices(config *configs.Config) error {
|
| 187 | 187 |
oldMask := syscall.Umask(0000) |
| 188 | 188 |
for _, node := range config.Devices {
|
| 189 |
- if err := createDeviceNode(config.Rootfs, node); err != nil {
|
|
| 189 |
+ // containers running in a user namespace are not allowed to mknod |
|
| 190 |
+ // devices so we can just bind mount it from the host. |
|
| 191 |
+ if err := createDeviceNode(config.Rootfs, node, config.Namespaces.Contains(configs.NEWUSER)); err != nil {
|
|
| 190 | 192 |
syscall.Umask(oldMask) |
| 191 | 193 |
return err |
| 192 | 194 |
} |
| ... | ... |
@@ -196,20 +198,13 @@ func createDevices(config *configs.Config) error {
|
| 196 | 196 |
} |
| 197 | 197 |
|
| 198 | 198 |
// Creates the device node in the rootfs of the container. |
| 199 |
-func createDeviceNode(rootfs string, node *configs.Device) error {
|
|
| 199 |
+func createDeviceNode(rootfs string, node *configs.Device, bind bool) error {
|
|
| 200 | 200 |
dest := filepath.Join(rootfs, node.Path) |
| 201 | 201 |
if err := os.MkdirAll(filepath.Dir(dest), 0755); err != nil {
|
| 202 | 202 |
return err |
| 203 | 203 |
} |
| 204 |
- if err := mknodDevice(dest, node); err != nil {
|
|
| 205 |
- if os.IsExist(err) {
|
|
| 206 |
- return nil |
|
| 207 |
- } |
|
| 208 |
- if err != syscall.EPERM {
|
|
| 209 |
- return err |
|
| 210 |
- } |
|
| 211 |
- // containers running in a user namespace are not allowed to mknod |
|
| 212 |
- // devices so we can just bind mount it from the host. |
|
| 204 |
+ |
|
| 205 |
+ if bind {
|
|
| 213 | 206 |
f, err := os.Create(dest) |
| 214 | 207 |
if err != nil && !os.IsExist(err) {
|
| 215 | 208 |
return err |
| ... | ... |
@@ -219,6 +214,12 @@ func createDeviceNode(rootfs string, node *configs.Device) error {
|
| 219 | 219 |
} |
| 220 | 220 |
return syscall.Mount(node.Path, dest, "bind", syscall.MS_BIND, "") |
| 221 | 221 |
} |
| 222 |
+ if err := mknodDevice(dest, node); err != nil {
|
|
| 223 |
+ if os.IsExist(err) {
|
|
| 224 |
+ return nil |
|
| 225 |
+ } |
|
| 226 |
+ return err |
|
| 227 |
+ } |
|
| 222 | 228 |
return nil |
| 223 | 229 |
} |
| 224 | 230 |
|
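Review bot: In the `if bind {` path the host node at `node.Path` is bind-mounted as-is (`syscall.Mount(node.Path, dest, "bind", syscall.MS_BIND, "")`), so nothing checks that what exists at that host path is actually a device of the type and major/minor the config asked for; the attributes that `mknodDevice` presumably applies in the other branch are silently ignored here. A stat of `node.Path` confirming it is a character or block device (and, if the config carries them, matching major/minor) before the mount would keep a misconfigured or substituted host path from being exposed into the container. Also note that `os.Create(dest)` runs while `createDevices` holds `Umask(0000)`, so if the mount fails a world-writable regular file is left behind at `dest`; removing it on the error path, or creating it with an explicit restrictive mode via `os.OpenFile`, avoids that. Separately, `config.Namespaces.Contains(configs.NEWUSER)` is re-evaluated on every iteration of the loop in createDevices; computing it once before the loop reads more clearly. The `if bind {` block opens in the previous hunk and createDeviceNode's lines between the two hunks are not shown.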
| ... | ... |
@@ -44,6 +44,6 @@ clone git github.com/codegangsta/cli 1.1.0 |
| 44 | 44 |
clone git github.com/coreos/go-systemd v2 |
| 45 | 45 |
clone git github.com/godbus/dbus v2 |
| 46 | 46 |
clone git github.com/Sirupsen/logrus v0.6.6 |
| 47 |
-clone git github.com/syndtr/gocapability e55e583369 |
|
| 47 |
+clone git github.com/syndtr/gocapability 8e4cdcb |
|
| 48 | 48 |
|
| 49 | 49 |
# intentionally not vendoring Docker itself... that'd be a circle :) |
| ... | ... |
@@ -417,10 +417,6 @@ func (c *capsV3) Load() (err error) {
|
| 417 | 417 |
} |
| 418 | 418 |
|
| 419 | 419 |
func (c *capsV3) Apply(kind CapType) (err error) {
|
| 420 |
- err = initLastCap() |
|
| 421 |
- if err != nil {
|
|
| 422 |
- return |
|
| 423 |
- } |
|
| 424 | 420 |
if kind&BOUNDS == BOUNDS {
|
| 425 | 421 |
var data [2]capData |
| 426 | 422 |
err = capget(&c.hdr, &data[0]) |
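Review bot: Replacing the runtime `initLastCap()` probe with the compile-time `CAP_LAST_CAP` constant (used by the bounding-set loop `for i := Cap(0); i <= CAP_LAST_CAP; i++` in the next hunk) means capabilities numbered above the value baked into this package are never visited, so on a kernel newer than that constant they are not dropped from the bounding set and the `c.Get(BOUNDING, i)` filter cannot apply to them. If the removed `initLastCap` read the kernel's own last-cap value at runtime, as its name suggests, this is a least-privilege regression in the bounding-set drop on newer kernels rather than a pure simplification. Worth either restoring a runtime probe of the kernel's highest capability or adding a comment making the limitation explicit, e.g. `// NOTE: capabilities numbered above CAP_LAST_CAP on newer kernels are left in the bounding set`. Apply continues past this hunk.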
| ... | ... |
@@ -428,7 +424,7 @@ func (c *capsV3) Apply(kind CapType) (err error) {
|
| 428 | 428 |
return |
| 429 | 429 |
} |
| 430 | 430 |
if (1<<uint(CAP_SETPCAP))&data[0].effective != 0 {
|
| 431 |
- for i := Cap(0); i <= capLastCap; i++ {
|
|
| 431 |
+ for i := Cap(0); i <= CAP_LAST_CAP; i++ {
|
|
| 432 | 432 |
if c.Get(BOUNDING, i) {
|
| 433 | 433 |
continue |
| 434 | 434 |
} |