diff options
| author | Michael Crosby <michael@docker.com> | 2014-06-19 15:23:19 -0700 |
|---|---|---|
| committer | Michael Crosby <michael@docker.com> | 2014-06-19 15:23:19 -0700 |
| commit | 8d06bfc12ec62b8276b2db22e049d40dde016c9f (patch) | |
| tree | 035220bdf34f557cf862241bf07f372cb767c166 | |
| parent | 98ea12ac3864239127ae3a9d2aa2d93a72aa5e61 (diff) | |
| download | docker-8d06bfc12ec62b8276b2db22e049d40dde016c9f.tar.gz | |
Update libcontainer dep to v1.0.1
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@docker.com> (github: crosbymichael)
11 files changed, 279 insertions, 142 deletions
diff --git a/hack/vendor.sh b/hack/vendor.sh index d876551250..e5158b1d8a 100755 --- a/hack/vendor.sh +++ b/hack/vendor.sh @@ -61,4 +61,4 @@ mv tmp-tar src/code.google.com/p/go/src/pkg/archive/tar clone git github.com/godbus/dbus v1 clone git github.com/coreos/go-systemd v2 -clone git github.com/docker/libcontainer 77ffd49dfedbc78a7cd4cb7a50c7446cf118725f +clone git github.com/docker/libcontainer v1.0.1 diff --git a/vendor/src/github.com/docker/libcontainer/.travis.yml b/vendor/src/github.com/docker/libcontainer/.travis.yml index ae7e8e2fc3..94dc5ac7c8 100644 --- a/vendor/src/github.com/docker/libcontainer/.travis.yml +++ b/vendor/src/github.com/docker/libcontainer/.travis.yml @@ -9,3 +9,4 @@ install: script: - bash "$DOCKER_PATH/hack/make/validate-dco" - bash "$DOCKER_PATH/hack/make/validate-gofmt" + - go test diff --git a/vendor/src/github.com/docker/libcontainer/CONTRIBUTORS_GUIDE.md b/vendor/src/github.com/docker/libcontainer/CONTRIBUTORS_GUIDE.md index 6c0c416ed1..f02689625c 100644 --- a/vendor/src/github.com/docker/libcontainer/CONTRIBUTORS_GUIDE.md +++ b/vendor/src/github.com/docker/libcontainer/CONTRIBUTORS_GUIDE.md @@ -36,7 +36,7 @@ that feature *on top of* libcontainer. ### Discuss your design on the mailing list We recommend discussing your plans [on the mailing -list](https://groups.google.com/forum/?fromgroups#!forum/docker-dev) +list](https://groups.google.com/forum/?fromgroups#!forum/libcontainer) before starting to code - especially for more ambitious contributions. This gives other contributors a chance to point you in the right direction, give feedback on your design, and maybe point out if someone @@ -112,12 +112,12 @@ and that all the tests pass. libcontainer maintainers use LGTM (looks good to me) in comments on the code review to indicate acceptance. -A change requires LGTMs from at lease one maintainer of each -component affected. For example, if a change affects `netlink/` and `security/`, it -needs at least one LGTM from the maintainers of `netlink/` AND, separately, at -least one LGTM from the maintainers of `security/`. +A change requires LGTMs from at lease two maintainers. One of those must come from +a maintainer of the component affected. For example, if a change affects `netlink/` +and `security`, it needs at least one LGTM from a maintainer of each. Maintainers +only need one LGTM as presumably they LGTM their own change. -For more details see [MAINTAINERS.md](hack/MAINTAINERS.md) +For more details see [MAINTAINERS.md](MAINTAINERS.md) ### Sign your work diff --git a/vendor/src/github.com/docker/libcontainer/MAINTAINERS_GUIDE.md b/vendor/src/github.com/docker/libcontainer/MAINTAINERS_GUIDE.md index b67832396c..2ac9ca21f4 100644 --- a/vendor/src/github.com/docker/libcontainer/MAINTAINERS_GUIDE.md +++ b/vendor/src/github.com/docker/libcontainer/MAINTAINERS_GUIDE.md @@ -63,7 +63,7 @@ All decisions are pull requests, and the relevant maintainers make decisions by accepting or refusing the pull request. Review and acceptance by anyone is denoted by adding a comment in the pull request: `LGTM`. However, only currently listed `MAINTAINERS` are counted towards the required -majority. +two LGTMs. libcontainer follows the timeless, highly efficient and totally unfair system known as [Benevolent dictator for life](http://en.wikipedia.org/wiki/Benevolent_Dictator_for_Life), with Michael Crosby in the role of BDFL. diff --git a/vendor/src/github.com/docker/libcontainer/cgroups/fs/cpuacct.go b/vendor/src/github.com/docker/libcontainer/cgroups/fs/cpuacct.go index fe831d1be5..a3d22c9f74 100644 --- a/vendor/src/github.com/docker/libcontainer/cgroups/fs/cpuacct.go +++ b/vendor/src/github.com/docker/libcontainer/cgroups/fs/cpuacct.go @@ -84,6 +84,7 @@ func (s *cpuacctGroup) GetStats(d *data, stats *cgroups.Stats) error { if err != nil { return err } + stats.CpuStats.CpuUsage.TotalUsage = lastUsage stats.CpuStats.CpuUsage.PercpuUsage = percpuUsage stats.CpuStats.CpuUsage.UsageInKernelmode = (kernelModeUsage * nanosecondsInSecond) / clockTicks stats.CpuStats.CpuUsage.UsageInUsermode = (userModeUsage * nanosecondsInSecond) / clockTicks diff --git a/vendor/src/github.com/docker/libcontainer/cgroups/stats.go b/vendor/src/github.com/docker/libcontainer/cgroups/stats.go index 20a5f00a37..2640245e51 100644 --- a/vendor/src/github.com/docker/libcontainer/cgroups/stats.go +++ b/vendor/src/github.com/docker/libcontainer/cgroups/stats.go @@ -13,8 +13,10 @@ type CpuUsage struct { // percentage of available CPUs currently being used. PercentUsage uint64 `json:"percent_usage,omitempty"` // nanoseconds of cpu time consumed over the last 100 ms. - CurrentUsage uint64 `json:"current_usage,omitempty"` - PercpuUsage []uint64 `json:"percpu_usage,omitempty"` + CurrentUsage uint64 `json:"current_usage,omitempty"` + // total nanoseconds of cpu time consumed + TotalUsage uint64 `json:"total_usage,omitempty"` + PercpuUsage []uint64 `json:"percpu_usage,omitempty"` // Time spent by tasks of the cgroup in kernel mode. Units: nanoseconds. UsageInKernelmode uint64 `json:"usage_in_kernelmode"` // Time spent by tasks of the cgroup in user mode. Units: nanoseconds. diff --git a/vendor/src/github.com/docker/libcontainer/container.json b/vendor/src/github.com/docker/libcontainer/container.json index 7448a077e0..da138d173f 100644 --- a/vendor/src/github.com/docker/libcontainer/container.json +++ b/vendor/src/github.com/docker/libcontainer/container.json @@ -1,107 +1,213 @@ { - "namespaces": { - "NEWNET": true, - "NEWPID": true, - "NEWIPC": true, - "NEWUTS": true, - "NEWNS": true - }, - "networks": [ - { - "gateway": "localhost", - "type": "loopback", - "address": "127.0.0.1/0", - "mtu": 1500 + "capabilities": [ + "CHOWN", + "DAC_OVERRIDE", + "FOWNER", + "MKNOD", + "NET_RAW", + "SETGID", + "SETUID", + "SETFCAP", + "SETPCAP", + "NET_BIND_SERVICE", + "SYS_CHROOT", + "KILL" + ], + "cgroups": { + "allowed_devices": [ + { + "cgroup_permissions": "m", + "major_number": -1, + "minor_number": -1, + "type": 99 + }, + { + "cgroup_permissions": "m", + "major_number": -1, + "minor_number": -1, + "type": 98 + }, + { + "cgroup_permissions": "rwm", + "major_number": 5, + "minor_number": 1, + "path": "/dev/console", + "type": 99 + }, + { + "cgroup_permissions": "rwm", + "major_number": 4, + "path": "/dev/tty0", + "type": 99 + }, + { + "cgroup_permissions": "rwm", + "major_number": 4, + "minor_number": 1, + "path": "/dev/tty1", + "type": 99 + }, + { + "cgroup_permissions": "rwm", + "major_number": 136, + "minor_number": -1, + "type": 99 + }, + { + "cgroup_permissions": "rwm", + "major_number": 5, + "minor_number": 2, + "type": 99 + }, + { + "cgroup_permissions": "rwm", + "major_number": 10, + "minor_number": 200, + "type": 99 + }, + { + "cgroup_permissions": "rwm", + "file_mode": 438, + "major_number": 1, + "minor_number": 3, + "path": "/dev/null", + "type": 99 + }, + { + "cgroup_permissions": "rwm", + "file_mode": 438, + "major_number": 1, + "minor_number": 5, + "path": "/dev/zero", + "type": 99 + }, + { + "cgroup_permissions": "rwm", + "file_mode": 438, + "major_number": 1, + "minor_number": 7, + "path": "/dev/full", + "type": 99 + }, + { + "cgroup_permissions": "rwm", + "file_mode": 438, + "major_number": 5, + "path": "/dev/tty", + "type": 99 + }, + { + "cgroup_permissions": "rwm", + "file_mode": 438, + "major_number": 1, + "minor_number": 9, + "path": "/dev/urandom", + "type": 99 + }, + { + "cgroup_permissions": "rwm", + "file_mode": 438, + "major_number": 1, + "minor_number": 8, + "path": "/dev/random", + "type": 99 + } + ], + "name": "docker-koye", + "parent": "docker" }, - { - "gateway": "172.17.42.1", - "context": { - "prefix": "veth", - "bridge": "docker0" - }, - "type": "veth", - "address": "172.17.42.2/16", - "mtu": 1500 - } - ], - "routes": [ - { - "gateway": "172.17.42.1", - "interface_name": "eth0" + "context": { + "mount_label": "", + "process_label": "", + "restrictions": "true" }, - { - "destination": "192.168.0.0/24", - "interface_name": "eth0" - } - ], - "capabilities": [ - "MKNOD" - ], - "cgroups": { - "name": "docker-koye", - "parent": "docker" - }, - "hostname": "koye", - "environment": [ - "HOME=/", - "PATH=PATH=$PATH:/bin:/usr/bin:/sbin:/usr/sbin", - "container=docker", - "TERM=xterm-256color" - ], - "tty": true, - "mounts": [ - { - "type": "devtmpfs" - } - ], - "device_nodes": [ - { - "path": "/dev/null", - "type": 99, - "major_number": 1, - "minor_number": 3, - "cgroup_permissions": "rwm", - "file_mode": 438 - }, - { - "path": "/dev/zero", - "type": 99, - "major_number": 1, - "minor_number": 5, - "cgroup_permissions": "rwm", - "file_mode": 438 - }, - { - "path": "/dev/full", - "type": 99, - "major_number": 1, - "minor_number": 7, - "cgroup_permissions": "rwm", - "file_mode": 438 - }, - { - "path": "/dev/tty", - "type": 99, - "major_number": 5, - "minor_number": 0, - "cgroup_permissions": "rwm", - "file_mode": 438 - }, - { - "path": "/dev/urandom", - "type": 99, - "major_number": 1, - "minor_number": 9, - "cgroup_permissions": "rwm", - "file_mode": 438 - }, - { - "path": "/dev/random", - "type": 99, - "major_number": 1, - "minor_number": 8, - "cgroup_permissions": "rwm", - "file_mode": 438 - } - ] + "device_nodes": [ + { + "cgroup_permissions": "rwm", + "major_number": 10, + "minor_number": 229, + "path": "/dev/fuse", + "type": 99 + }, + { + "cgroup_permissions": "rwm", + "file_mode": 438, + "major_number": 1, + "minor_number": 3, + "path": "/dev/null", + "type": 99 + }, + { + "cgroup_permissions": "rwm", + "file_mode": 438, + "major_number": 1, + "minor_number": 5, + "path": "/dev/zero", + "type": 99 + }, + { + "cgroup_permissions": "rwm", + "file_mode": 438, + "major_number": 1, + "minor_number": 7, + "path": "/dev/full", + "type": 99 + }, + { + "cgroup_permissions": "rwm", + "file_mode": 438, + "major_number": 5, + "path": "/dev/tty", + "type": 99 + }, + { + "cgroup_permissions": "rwm", + "file_mode": 438, + "major_number": 1, + "minor_number": 9, + "path": "/dev/urandom", + "type": 99 + }, + { + "cgroup_permissions": "rwm", + "file_mode": 438, + "major_number": 1, + "minor_number": 8, + "path": "/dev/random", + "type": 99 + } + ], + "environment": [ + "HOME=/", + "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", + "HOSTNAME=2d388ea3bd92", + "TERM=xterm" + ], + "hostname": "koye", + "namespaces": { + "NEWIPC": true, + "NEWNET": true, + "NEWNS": true, + "NEWPID": true, + "NEWUTS": true + }, + "networks": [ + { + "address": "127.0.0.1/0", + "gateway": "localhost", + "mtu": 1500, + "type": "loopback" + }, + { + "address": "172.17.0.101/16", + "context": { + "bridge": "docker0", + "prefix": "veth" + }, + "gateway": "172.17.42.1", + "mtu": 1500, + "type": "veth" + } + ], + "tty": true } diff --git a/vendor/src/github.com/docker/libcontainer/container_test.go b/vendor/src/github.com/docker/libcontainer/container_test.go index 838281833f..deb65aa835 100644 --- a/vendor/src/github.com/docker/libcontainer/container_test.go +++ b/vendor/src/github.com/docker/libcontainer/container_test.go @@ -37,11 +37,6 @@ func TestContainerJsonFormat(t *testing.T) { t.Fail() } - if len(container.Routes) != 2 { - t.Log("should have found 2 routes") - t.Fail() - } - if !container.Namespaces["NEWNET"] { t.Log("namespaces should contain NEWNET") t.Fail() @@ -62,8 +57,8 @@ func TestContainerJsonFormat(t *testing.T) { t.Fail() } - if contains("SYS_CHROOT", container.Capabilities) { - t.Log("capabilities mask should not contain SYS_CHROOT") + if !contains("SYS_CHROOT", container.Capabilities) { + t.Log("capabilities mask should contain SYS_CHROOT") t.Fail() } } diff --git a/vendor/src/github.com/docker/libcontainer/namespaces/execin.go b/vendor/src/github.com/docker/libcontainer/namespaces/execin.go index 97bbb5f79d..f44e92abe5 100644 --- a/vendor/src/github.com/docker/libcontainer/namespaces/execin.go +++ b/vendor/src/github.com/docker/libcontainer/namespaces/execin.go @@ -21,14 +21,8 @@ func ExecIn(container *libcontainer.Container, nspid int, args []string) error { return err } - // TODO(vmarmol): Move this to the container JSON. - processLabel, err := label.GetPidCon(nspid) - if err != nil { - return err - } - // Enter the namespace and then finish setup - finalArgs := []string{os.Args[0], "nsenter", strconv.Itoa(nspid), processLabel, string(containerJson)} + finalArgs := []string{os.Args[0], "nsenter", "--nspid", strconv.Itoa(nspid), "--containerjson", string(containerJson), "--"} finalArgs = append(finalArgs, args...) if err := system.Execv(finalArgs[0], finalArgs[0:], os.Environ()); err != nil { return err @@ -37,7 +31,7 @@ func ExecIn(container *libcontainer.Container, nspid int, args []string) error { } // NsEnter is run after entering the namespace. -func NsEnter(container *libcontainer.Container, processLabel string, nspid int, args []string) error { +func NsEnter(container *libcontainer.Container, nspid int, args []string) error { // clear the current processes env and replace it with the environment // defined on the container if err := LoadContainerEnvironment(container); err != nil { @@ -46,9 +40,13 @@ func NsEnter(container *libcontainer.Container, processLabel string, nspid int, if err := FinalizeNamespace(container); err != nil { return err } - if err := label.SetProcessLabel(processLabel); err != nil { - return err + + if process_label, ok := container.Context["process_label"]; ok { + if err := label.SetProcessLabel(process_label); err != nil { + return err + } } + if err := system.Execv(args[0], args[0:], container.Env); err != nil { return err } diff --git a/vendor/src/github.com/docker/libcontainer/namespaces/nsenter.go b/vendor/src/github.com/docker/libcontainer/namespaces/nsenter.go index acf3d435ba..d5eaa27143 100644 --- a/vendor/src/github.com/docker/libcontainer/namespaces/nsenter.go +++ b/vendor/src/github.com/docker/libcontainer/namespaces/nsenter.go @@ -15,6 +15,7 @@ package namespaces #include <sys/stat.h> #include <sys/types.h> #include <unistd.h> +#include <getopt.h> static const kBufSize = 256; @@ -64,6 +65,10 @@ int setns(int fd, int nstype) { #endif #endif +void print_usage() { + fprintf(stderr, "<binary> nsenter --nspid <pid> --containerjson <container_json> -- cmd1 arg1 arg2...\n"); +} + void nsenter() { int argc; char **argv; @@ -79,11 +84,40 @@ void nsenter() { fprintf(stderr, "nsenter: Incorrect usage, not enough arguments\n"); exit(1); } - pid_t init_pid = strtol(argv[2], NULL, 10); + + static const struct option longopts[] = { + { "nspid", required_argument, NULL, 'n' }, + { "containerjson", required_argument, NULL, 'c' }, + { NULL, 0, NULL, 0 } + }; + + int c; + pid_t init_pid = -1; + char *init_pid_str = NULL; + char *container_json = NULL; + while ((c = getopt_long_only(argc, argv, "n:s:c:", longopts, NULL)) != -1) { + switch (c) { + case 'n': + init_pid_str = optarg; + break; + case 'c': + container_json = optarg; + break; + } + } + + if (container_json == NULL || init_pid_str == NULL) { + print_usage(); + exit(1); + } + + init_pid = strtol(init_pid_str, NULL, 10); if (errno != 0 || init_pid <= 0) { - fprintf(stderr, "nsenter: Failed to parse PID from \"%s\" with error: \"%s\"\n", argv[2], strerror(errno)); + fprintf(stderr, "nsenter: Failed to parse PID from \"%s\" with error: \"%s\"\n", init_pid_str, strerror(errno)); + print_usage(); exit(1); } + argc -= 3; argv += 3; diff --git a/vendor/src/github.com/docker/libcontainer/nsinit/nsenter.go b/vendor/src/github.com/docker/libcontainer/nsinit/nsenter.go index 8a9caa75f4..faa61315e0 100644 --- a/vendor/src/github.com/docker/libcontainer/nsinit/nsenter.go +++ b/vendor/src/github.com/docker/libcontainer/nsinit/nsenter.go @@ -2,7 +2,6 @@ package main import ( "log" - "strconv" "github.com/codegangsta/cli" "github.com/docker/libcontainer/namespaces" @@ -12,29 +11,30 @@ var nsenterCommand = cli.Command{ Name: "nsenter", Usage: "init process for entering an existing namespace", Action: nsenterAction, + Flags: []cli.Flag{ + cli.IntFlag{Name: "nspid"}, + cli.StringFlag{Name: "containerjson"}, + }, } func nsenterAction(context *cli.Context) { args := context.Args() - if len(args) < 4 { - log.Fatalf("incorrect usage: <pid> <process label> <container JSON> <cmd>...") - } - container, err := loadContainerFromJson(args.Get(2)) - if err != nil { - log.Fatalf("unable to load container: %s", err) + if len(args) == 0 { + args = []string{"/bin/bash"} } - nspid, err := strconv.Atoi(args.Get(0)) + container, err := loadContainerFromJson(context.String("containerjson")) if err != nil { - log.Fatalf("unable to read pid: %s from %q", err, args.Get(0)) + log.Fatalf("unable to load container: %s", err) } + nspid := context.Int("nspid") if nspid <= 0 { log.Fatalf("cannot enter into namespaces without valid pid: %q", nspid) } - if err := namespaces.NsEnter(container, args.Get(1), nspid, args[3:]); err != nil { + if err := namespaces.NsEnter(container, nspid, args); err != nil { log.Fatalf("failed to nsenter: %s", err) } } |