Commit Graph

54 Commits

Author SHA1 Message Date
Aleksa Sarai db3159c9d9 libcontainer: cgroups: add pids controller support
Add support for the pids cgroup controller to libcontainer, a recent
feature that is available in Linux 4.3+.

Unfortunately, due to the init process being written in Go, it can spawn
an an unknown number of threads due to blocked syscalls. This results in
the init process being unable to run properly, and thus small pids.max
configs won't work properly.

Signed-off-by: Aleksa Sarai <asarai@suse.com>
2016-01-12 10:06:32 +11:00
Mrunal Patel 4124ba9468 Revert "cgroups: add pids controller support"
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2015-12-19 07:48:48 -08:00
Aleksa Sarai 37789f5bf1 libcontainer: cgroups: add pids controller support
Add support for the pids cgroup controller to libcontainer, a recent
feature that is available in Linux 4.3+.

Unfortunately, due to the init process being written in Go, it can spawn
an an unknown number of threads due to blocked syscalls. This results in
the init process being unable to run properly, and thus small pids.max
configs won't work properly.

Signed-off-by: Aleksa Sarai <asarai@suse.com>
2015-12-19 11:30:38 +11:00
Mrunal Patel 55a49f2110 Move the cgroups setting into a Resources struct
This allows us to distinguish cases where a container
needs to just join the paths or also additionally
set cgroups settings. This will help in implementing
cgroupsPath support in the spec.

Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2015-12-16 15:53:31 -05:00
Mrunal Patel b28ec60b0e Merge pull request #373 from mikebrow/bundle-dir-310
adding support for --bundle
2015-11-16 12:07:01 -08:00
Mike Brown 8b19581694 adding support for --bundle -b to start, restore, and spec; fixes issue #310
Signed-off-by: Mike Brown <brownwm@us.ibm.com>
2015-11-13 09:13:57 -06:00
Mrunal Patel 452e8a73c5 Integrate poststart hooks with spec
* Call poststart hooks after the container is started
* Tie in with spec configuration

Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2015-11-06 18:03:32 -05:00
Alexander Morozov db21ac7750 Merge pull request #355 from keloyang/nake
Remove naked return
2015-10-25 19:50:41 -07:00
yangshukui e5ef8d239a Add the conversion of architectures for seccomp config
Signed-off-by: yangshukui <yangshukui@huawei.com>
2015-10-23 10:17:39 +08:00
yangshukui 4584a4e762 Remove naked return
Signed-off-by: yangshukui <yangshukui@huawei.com>
2015-10-22 14:31:15 +08:00
Mrunal Patel 546c5c80dc Add additional gids support
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2015-10-07 16:51:53 -04:00
Antonio Murdaca c6e406af24 Adjust runc to new opencontainers/specs version
Godeps: Vendor opencontainers/specs 96bcd043aa

Fix a bug where it's impossible to pass multiple devices to blkio
cgroup controller files. See https://github.com/opencontainers/runc/issues/274

Signed-off-by: Antonio Murdaca <runcom@linux.com>
2015-10-03 12:25:33 +02:00
Vivek Goyal f6fadd2ffe Start parsing rootfsPropagation and make it effective
spec introduced a new field rootfsPropagation. Right now that field
is not parsed by runc and it does not take effect. Starting parsing
it and for now allow only limited propagation flags. More can be
opened as new use cases show up. 

We are apply propagation flags on / and not rootfs. So ideally
we should introduce another field in spec say rootPropagation. For
now I am parsing rootfsPropagation. Once we agree on design, we
can discuss if we need another field in spec or not.

Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
2015-10-01 17:03:02 -04:00
Vivek Goyal 5dd6caf6cf Replace config.Privatefs with config.RootPropagation
Right now config.Privatefs is a boolean which determines if / is applied
with propagation flag syscall.MS_PRIVATE | syscall.MS_REC or not.

Soon we want to represent other propagation states like private, [r]slave,
and [r]shared. So either we can introduce more boolean variable or keep
track of propagation flags in an integer variable. Keeping an integer
variable is more versatile and can allow various kind of propagation flags
to be specified. So replace Privatefs with RootPropagation which is an
integer.

Note, this will require changes in docker. Instead of setting Privatefs
to true, they will need to set.

config.RootPropagation = syscall.MS_PRIVATE | syscall.MS_REC
 
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
2015-10-01 17:03:02 -04:00
Mrunal Patel dcafe48737 Add version to HookState to make it json-compatible with spec State
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2015-09-23 17:13:00 -07:00
Mrunal Patel 9964fcde37 hooks: Integrate spec hooks with libcontainer
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2015-09-23 16:29:10 -07:00
Mrunal Patel 18c461301d Merge pull request #270 from laijs/spec-options-refactor
simple refactor for the options of `runc spec`
2015-09-23 16:26:01 -07:00
Vivek Goyal d1f4a5b8b5 libcontainer: Allow passing mount propagation flags
Right now if one passes a mount propagation flag in spec file, it
does not take effect. For example, try following in spec json file.

{
  "type": "bind",
  "source": "/root/mnt-source",
  "destination": "/root/mnt-dest",
  "options": "rbind,shared"
}

One would expect that /root/mnt-dest will be shared inside the container
but that's not the case.

#findmnt -o TARGET,PROPAGATION
`-/root/mnt-dest                      private

Reason being that propagation flags can't be passed in along with other
regular flags. They need to be passed in a separate call to mount syscall.
That too, one propagation flag at a time. (from mount man page).

Hence, store propagation flags separately in a slice and apply these
in that order after the mount call wherever appropriate. This allows
user to control the propagation property of mount point inside
the container.

Storing them separately also solves another problem where recursive flag
(syscall.MS_REC) can get mixed up. For example, options "rbind,private"
and "bind,rprivate" will be same and there will be no way to differentiate
between these if all the flags are stored in a single integer.

This patch would allow one to pass propagation flags "[r]shared,[r]slave,
[r]private,[r]unbindable" in spec file as per mount property.

Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
2015-09-16 15:53:23 -04:00
Alexander Morozov dae4560ec2 Merge pull request #257 from mrunalp/cap_prefix
Add CAP prefix for capabilities
2015-09-16 11:39:39 -07:00
Lai Jiangshan 8132f4d797 close config file after loaded
Signed-off-by: Lai Jiangshan <jiangshanlai@gmail.com>
2015-09-16 10:54:53 +08:00
Lai Jiangshan 66f152d6dd simple refactor for the options of `runc spec`
Signed-off-by: Lai Jiangshan <jiangshanlai@gmail.com>
2015-09-16 10:06:59 +08:00
Mrunal Patel 859abee0c8 Add CAP prefix for capabilities
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2015-09-15 14:43:03 -04:00
Alexander Morozov ea5032bc5e Adjust runc to new opencontainers/specs version
I deleted possibility to specify config file from commands for now.
Until we decide how it'll be done. Also I changed runc spec interface to
write config files instead of output them.

Signed-off-by: Alexander Morozov <lk4d4@docker.com>
2015-09-15 08:35:25 -07:00
Michael Crosby b9c32b3869 Merge pull request #223 from rajasec/rlimitspec
Adding rlimit in spec
2015-08-28 10:34:59 -07:00
Matthew Heon 2ee6d1e8b6 Connect Seccomp configuration in Spec to configuration in Libcontainer
Signed-off-by: Matthew Heon <mheon@redhat.com>
2015-08-25 17:35:06 -04:00
Rajasekaran ab4b825f8c Adding rlimit in spec
Signed-off-by: Rajasekaran <rajasec79@gmail.com>

Removing return type

Signed-off-by: Rajasekaran <rajasec79@gmail.com>
2015-08-24 21:33:36 +05:30
Mrunal Patel 31f88daf91 Integrate security settings
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2015-08-18 20:10:23 -04:00
Tonis Tiigi b5eed4a246 Update runc to use device structs from updated spec
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2015-08-11 14:24:00 -07:00
Fabio Kung 85f40c2bc7 container id is the cgroup name
Without this, multiple runc containers can accidentally share the same cgroup(s)
(and change each other's limits), when runc is invoked from the same directory
(i.e.: same cwd on multiple runc executions).

After these changes, each runc container will run on its own cgroup(s). Before,
the only workaround was to invoke runc from an unique (temporary?) cwd for each
container.

Common cgroup configuration (and hierarchical limits) can be set by having
multiple runc containers share the same cgroup parent, which is the cgroup of
the process executing runc.

Signed-off-by: Fabio Kung <fabio.kung@gmail.com>
2015-08-10 16:41:39 -07:00
Michael Crosby bdd67b9029 Merge pull request #180 from LK4D4/rename_proc_ns
Rename process namespace to pid
2015-08-04 17:49:46 -04:00
Mrunal Patel f3a3025933 Fix minor stylistic issues
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2015-08-04 17:44:45 -04:00
Alexander Morozov 6d1e6a17e1 Rename process namespace to pid
It's "pid" in opencontainers/specs

Signed-off-by: Alexander Morozov <lk4d4@docker.com>
2015-08-04 14:12:21 -07:00
Mrunal Patel 5f65056c89 Update github.com/opecontainers/specs to 5b31bb2b77
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>

Make runc changes required to pull in the updated spec

Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2015-08-03 15:33:48 -04:00
Michael Crosby b14412ec36 Only add network info if NEWNET is set
Only add the localhost interface information to the config if the NEWNET
flag is passed on the namespaces.

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2015-07-27 16:36:28 -07:00
Fabio Kung 963fc63fca bring the loopback interface up
Signed-off-by: Fabio Kung <fabio.kung@gmail.com>
2015-07-23 19:07:24 -07:00
Mrunal Patel 42aa891a6b Merge pull request #91 from hqhq/hq_add_cgroup_mount
Add cgroup mount in the recommended config
2015-07-15 09:51:24 -07:00
Qiang Huang d7181a73e4 Add cgroup mount in the recommended config
And allow cgroup mount take flags from user configs.
As we show ro in the recommendation, so hard-coded
read-only flag should be removed.

Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2015-07-15 09:31:39 +08:00
Zefan Li 6bd71ad6a4 Add memory swappiness support
- Initialize swappiness to -1 for the default config.json
- Pass swappiness from config.json to libcontainer config

Signed-off-by: Zefan Li <lizefan@huawei.com>
2015-07-14 10:43:43 +08:00
Michael Crosby 3c403a265e Merge pull request #98 from wking/clarify-idmapping-fields
Fix IDMapping host / container field confusion
2015-07-10 14:08:00 -07:00
Qiang Huang 0b2fb3edb5 Sort mount flags so it's easier to be found
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2015-07-10 10:31:20 +08:00
W. Trevor King 41979ca62c spec.go: Adjust to new IDMapping field names
This fixes a bug where IDMapping.From was mapped to IDMap.ContainerID
and IDMapping.To was mapped to IDMap.HostID, while the old spec docs
were:

  // From is the uid/gid of the host user or group.
  From int32 `json:"from"`
  // To is the uid/gid of the container's user or group.
  To int32 `json:"to"`

The new IDMapping field names make the expected mapping more obvious
(HostID -> HostID and ContainerID -> ContainerID ;).
2015-07-08 10:53:06 -07:00
Michael Crosby 48182db8cc Merge pull request #90 from hqhq/hq_add_memory_limit
Add memory limit set
2015-07-07 11:30:24 -07:00
Qiang Huang 2539d53896 Add memory limit set
Don't know why we missed that.

Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2015-07-07 09:20:51 +08:00
Mrunal Patel 8ea6c65d12 Rename SystemProperties to Sysctl and make it available in the runc config
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2015-07-06 19:18:08 -04:00
Michael Crosby 845fc65e54 Create linux spec for runc spec command
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2015-07-02 13:45:56 -07:00
Michael Crosby f4c35e70d1 Depend on Spec types from specs repository
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2015-07-02 13:45:27 -07:00
Michael Crosby d8af59822b Remove spec types from runc
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2015-07-02 13:45:27 -07:00
Michael Crosby e15b86edb9 Add user struct based on spec implementation.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2015-07-02 13:45:27 -07:00
Marianna 5aa82c950d Enable build on unsupported platforms
Should compile now without errors but changes needed to be added for each system so it actually works.
main_unsupported.go is a new file with all the unsupported commands
Fixes #9

Signed-off-by: Marianna <mtesselh@gmail.com>
2015-06-29 17:03:44 -07:00
Michael Crosby c4fd381a38 Move namespaces into linux spec
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2015-06-29 13:30:35 -07:00