@@ -3,7 +3,7 @@

 TOMLV_COMMIT=9baf8a8a9f2ed20a8e54160840c492f937eeaf9a

 # When updating RUNC_COMMIT, also update runc in vendor.conf accordingly

-RUNC_COMMIT=1c81e2a794c6e26a4c650142ae8893c47f619764

+RUNC_COMMIT=0351df1c5a66838d0c392b4ac4cf9450de844e2d

 CONTAINERD_COMMIT=06b9cb35161009dcb7123345749fef02f7cea8e0

 TINI_COMMIT=949e6facb77383876aeff8a6944dde66b3089574

 LIBNETWORK_COMMIT=7b2b1feb1de4817d522cc372af149ff48d25028e

@@ -66,7 +66,7 @@ github.com/pborman/uuid v1.0

 google.golang.org/grpc v1.3.0

 # When updating, also update RUNC_COMMIT in hack/dockerfile/binaries-commits accordingly

-github.com/opencontainers/runc 1c81e2a794c6e26a4c650142ae8893c47f619764

+github.com/opencontainers/runc 0351df1c5a66838d0c392b4ac4cf9450de844e2d

 github.com/opencontainers/image-spec 372ad780f63454fbbbbcc7cf80e5b90245c13e13

 github.com/opencontainers/runtime-spec v1.0.0

@@ -187,6 +187,10 @@ type Config struct {

 	// Rootless specifies whether the container is a rootless container.

 	Rootless bool `json:"rootless"`

+

+	// IntelRdt specifies settings for Intel RDT/CAT group that the container is placed into

+	// to limit the resources (e.g., L3 cache) the container has available

+	IntelRdt *IntelRdt `json:"intel_rdt,omitempty"`

 }

 type Hooks struct {

new file mode 100644

@@ -0,0 +1,7 @@

+package configs

+

+type IntelRdt struct {

+	// The schema for L3 cache id and capacity bitmask (CBM)

+	// Format: "L3:<cache_id0>=<cbm0>;<cache_id1>=<cbm1>;..."

+	L3CacheSchema string `json:"l3_cache_schema,omitempty"`

+}

@@ -1,3 +1,4 @@

+

 #define _GNU_SOURCE

 #include <endian.h>

 #include <errno.h>

@@ -19,6 +20,8 @@

 #include <sys/prctl.h>

 #include <sys/socket.h>

 #include <sys/types.h>

+#include <sys/wait.h>

+

 #include <linux/limits.h>

 #include <linux/netlink.h>

@@ -64,7 +67,13 @@ struct clone_t {

 struct nlconfig_t {

 	char *data;

+

+	/* Process settings. */

 	uint32_t cloneflags;

+	char *oom_score_adj;

+	size_t oom_score_adj_len;

+

+	/* User namespace settings.*/

 	char *uidmap;

 	size_t uidmap_len;

 	char *gidmap;

@@ -72,9 +81,13 @@ struct nlconfig_t {

 	char *namespaces;

 	size_t namespaces_len;

 	uint8_t is_setgroup;

+

+	/* Rootless container settings.*/

 	uint8_t is_rootless;

-	char *oom_score_adj;

-	size_t oom_score_adj_len;

+	char *uidmappath;

+	size_t uidmappath_len;

+	char *gidmappath;

+	size_t gidmappath_len;

 };

 /*

@@ -89,6 +102,8 @@ struct nlconfig_t {

 #define SETGROUP_ATTR		27285

 #define OOM_SCORE_ADJ_ATTR	27286

 #define ROOTLESS_ATTR	    27287

+#define UIDMAPPATH_ATTR	    27288

+#define GIDMAPPATH_ATTR	    27289

 /*

  * Use the raw syscall for versions of glibc which don't include a function for

@@ -191,22 +206,96 @@ static void update_setgroups(int pid, enum policy_t setgroup)

 	}

 }

-static void update_uidmap(int pid, char *map, size_t map_len)

+static int try_mapping_tool(const char *app, int pid, char *map, size_t map_len)

+{

+	int child;

+

+	/*

+	 * If @app is NULL, execve will segfault. Just check it here and bail (if

+	 * we're in this path, the caller is already getting desparate and there

+	 * isn't a backup to this failing). This usually would be a configuration

+	 * or programming issue.

+	 */

+	if (!app)

+		bail("mapping tool not present");

+

+	child = fork();

+	if (child < 0)

+		bail("failed to fork");

+

+	if (!child) {

+#define MAX_ARGV 20

+		char *argv[MAX_ARGV];

+		char *envp[] = {NULL};

+		char pid_fmt[16];

+		int argc = 0;

+		char *next;

+

+		snprintf(pid_fmt, 16, "%d", pid);

+

+		argv[argc++] = (char *) app;

+		argv[argc++] = pid_fmt;

+		/*

+		 * Convert the map string into a list of argument that

+		 * newuidmap/newgidmap can understand.

+		 */

+

+		while (argc < MAX_ARGV) {

+			if (*map == '\0') {

+				argv[argc++] = NULL;

+				break;

+			}

+			argv[argc++] = map;

+			next = strpbrk(map, "\n ");

+			if (next == NULL)

+				break;

+			*next++ = '\0';

+			map = next + strspn(next, "\n ");

+		}

+

+		execve(app, argv, envp);

+		bail("failed to execv");

+	} else {

+		int status;

+

+		while (true) {

+			if (waitpid(child, &status, 0) < 0) {

+				if (errno == EINTR)

+					continue;

+				bail("failed to waitpid");

+			}

+			if (WIFEXITED(status) || WIFSIGNALED(status))

+				return WEXITSTATUS(status);

+		}

+	}

+

+	return -1;

+}

+

+static void update_uidmap(const char *path, int pid, char *map, size_t map_len)

 {

 	if (map == NULL || map_len <= 0)

 		return;

-	if (write_file(map, map_len, "/proc/%d/uid_map", pid) < 0)

-		bail("failed to update /proc/%d/uid_map", pid);

+	if (write_file(map, map_len, "/proc/%d/uid_map", pid) < 0) {

+		if (errno != EPERM)

+			bail("failed to update /proc/%d/uid_map", pid);

+		if (try_mapping_tool(path, pid, map, map_len))

+			bail("failed to use newuid map on %d", pid);

+	}

 }

-static void update_gidmap(int pid, char *map, size_t map_len)

+static void update_gidmap(const char *path, int pid, char *map, size_t map_len)

 {

 	if (map == NULL || map_len <= 0)

 		return;

-	if (write_file(map, map_len, "/proc/%d/gid_map", pid) < 0)

-		bail("failed to update /proc/%d/gid_map", pid);

+	if (write_file(map, map_len, "/proc/%d/gid_map", pid) < 0) {

+		if (errno != EPERM)

+			bail("failed to update /proc/%d/gid_map", pid);

+		if (try_mapping_tool(path, pid, map, map_len))

+			bail("failed to use newgid map on %d", pid);

+	}

 }

 static void update_oom_score_adj(char *data, size_t len)

@@ -350,6 +439,14 @@ static void nl_parse(int fd, struct nlconfig_t *config)

 			config->gidmap = current;

 			config->gidmap_len = payload_len;

 			break;

+		case UIDMAPPATH_ATTR:

+			config->uidmappath = current;

+			config->uidmappath_len = payload_len;

+			break;

+		case GIDMAPPATH_ATTR:

+			config->gidmappath = current;

+			config->gidmappath_len = payload_len;

+			break;

 		case SETGROUP_ATTR:

 			config->is_setgroup = readint8(current);

 			break;

@@ -596,8 +693,8 @@ void nsexec(void)

 						update_setgroups(child, SETGROUPS_DENY);

 					/* Set up mappings. */

-					update_uidmap(child, config.uidmap, config.uidmap_len);

-					update_gidmap(child, config.gidmap, config.gidmap_len);

+					update_uidmap(config.uidmappath, child, config.uidmap, config.uidmap_len);

+					update_gidmap(config.gidmappath, child, config.gidmap, config.gidmap_len);

 					s = SYNC_USERMAP_ACK;

 					if (write(syncfd, &s, sizeof(s)) != sizeof(s)) {

@@ -18,4 +18,8 @@ github.com/golang/protobuf 18c9bb3261723cd5401db4d0c9fbc5c3b6c70fe8

 github.com/docker/docker 0f5c9d301b9b1cca66b3ea0f9dec3b5317d3686d

 github.com/docker/go-units v0.2.0

 github.com/urfave/cli d53eb991652b1d438abdd34ce4bfa3ef1539108e

-golang.org/x/sys 0e0164865330d5cf1c00247be08330bf96e2f87c https://github.com/golang/sys

+golang.org/x/sys 7ddbeae9ae08c6a06a59597f0c9edbc5ff2444ce https://github.com/golang/sys

+

+# console dependencies

+github.com/containerd/console 84eeaae905fa414d03e07bcd6c8d3f19e7cf180e

+github.com/pkg/errors v0.8.0