From b4196f7892f4aeb11318bbd6c2d68227868e27e2 Mon Sep 17 00:00:00 2001
From: Michael Crosby
Date: Wed, 25 Mar 2015 11:32:14 -0700
Subject: [PATCH] Update libcontainer to a6044b701c166fe538fc760f9e2
Signed-off-by: Michael Crosby
---
 hack/vendor.sh | 2 +-
 .../libcontainer/cgroups/fs/apply_raw.go | 6 -----
 .../docker/libcontainer/init_linux.go | 2 +-
 .../docker/libcontainer/rootfs_linux.go | 23 ++++++++++---------
 .../docker/libcontainer/update-vendor.sh | 2 +-
 .../capability/capability_linux.go | 6 +----
 6 files changed, 16 insertions(+), 25 deletions(-)
diff --git a/hack/vendor.sh b/hack/vendor.sh
index f6422ccac5..ed09831097 100755
--- a/hack/vendor.sh
+++ b/hack/vendor.sh
@@ -75,7 +75,7 @@ rm -rf src/github.com/docker/distribution
 mkdir -p src/github.com/docker/distribution
 mv tmp-digest src/github.com/docker/distribution/digest
-clone git github.com/docker/libcontainer fd0087d3acdc4c5865de1829d4accee5e3ebb658
+clone git github.com/docker/libcontainer a6044b701c166fe538fc760f9e2dcea3d737cd2a
 # see src/github.com/docker/libcontainer/update-vendor.sh which is the "source of truth" for libcontainer deps (just like this file)
 rm -rf src/github.com/docker/libcontainer/vendor
 eval "$(grep '^clone ' src/github.com/docker/libcontainer/update-vendor.sh | grep -v 'github.com/codegangsta/cli' | grep -v 'github.com/Sirupsen/logrus')"
diff --git a/vendor/src/github.com/docker/libcontainer/cgroups/fs/apply_raw.go b/vendor/src/github.com/docker/libcontainer/cgroups/fs/apply_raw.go
index 5cb8467c78..c771245da5 100644
--- a/vendor/src/github.com/docker/libcontainer/cgroups/fs/apply_raw.go
+++ b/vendor/src/github.com/docker/libcontainer/cgroups/fs/apply_raw.go
@@ -173,9 +173,6 @@ func (m *Manager) Freeze(state configs.FreezerState) error {
 if err != nil {
 return err
 }
- if !cgroups.PathExists(dir) {
- return cgroups.NewNotFoundError("freezer")
- }
 prevState := m.Cgroups.Freezer
 m.Cgroups.Freezer = state
@@ -200,9 +197,6 @@ func (m *Manager) GetPids() ([]int, error) {
 if err != nil {
 return nil, err
 }
- if !cgroups.PathExists(dir) {
- return nil, cgroups.NewNotFoundError("devices")
- }
 return cgroups.ReadProcsFile(dir)
 }
diff --git a/vendor/src/github.com/docker/libcontainer/init_linux.go b/vendor/src/github.com/docker/libcontainer/init_linux.go
index 1c5f6a87ee..aa95423e57 100644
--- a/vendor/src/github.com/docker/libcontainer/init_linux.go
+++ b/vendor/src/github.com/docker/libcontainer/init_linux.go
@@ -91,7 +91,7 @@ func populateProcessEnvironment(env []string) error {
 // finalizeNamespace drops the caps, sets the correct user
 // and working dir, and closes any leaked file descriptors
-// before execing the command inside the namespace
+// before executing the command inside the namespace
 func finalizeNamespace(config *initConfig) error {
 // Ensure that all non-standard fds we may have accidentally
 // inherited are marked close-on-exec so they stay out of the
diff --git a/vendor/src/github.com/docker/libcontainer/rootfs_linux.go b/vendor/src/github.com/docker/libcontainer/rootfs_linux.go
index 6caa07a0c5..ab1a9a5fcb 100644
--- a/vendor/src/github.com/docker/libcontainer/rootfs_linux.go
+++ b/vendor/src/github.com/docker/libcontainer/rootfs_linux.go
@@ -186,7 +186,9 @@ func reOpenDevNull(rootfs string) error {
 func createDevices(config *configs.Config) error {
 oldMask := syscall.Umask(0000)
 for _, node := range config.Devices {
- if err := createDeviceNode(config.Rootfs, node); err != nil {
+ // containers running in a user namespace are not allowed to mknod
+ // devices so we can just bind mount it from the host.
+ if err := createDeviceNode(config.Rootfs, node, config.Namespaces.Contains(configs.NEWUSER)); err != nil {
 syscall.Umask(oldMask)
 return err
 }
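Review bot: The bind-mount branch that this call now selects for every user-namespaced container (createDeviceNode, next hunk) builds `dest` with `filepath.Join(rootfs, node.Path)` and never checks that the result still resolves inside rootfs. `os.MkdirAll`, `os.Create` and `syscall.Mount` all follow symlinks, so if the rootfs contents come from an untrusted image, a symlink on the device path could presumably steer the created file and the mount target outside the container root. I would resolve `dest` with symlinks scoped to rootfs before the `MkdirAll`, return an error when it escapes, and record the assumption above the branch, e.g. `// dest must resolve inside rootfs: Create and Mount follow symlinks`. Separately, `os.Create` does not fail on an existing file, so the `!os.IsExist(err)` test after it looks like dead code. createDevices itself continues past the end of this hunk.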
@@ -196,20 +198,13 @@ func createDevices(config *configs.Config) error {
 }
 // Creates the device node in the rootfs of the container.
-func createDeviceNode(rootfs string, node *configs.Device) error {
+func createDeviceNode(rootfs string, node *configs.Device, bind bool) error {
 dest := filepath.Join(rootfs, node.Path)
 if err := os.MkdirAll(filepath.Dir(dest), 0755); err != nil {
 return err
 }
- if err := mknodDevice(dest, node); err != nil {
- if os.IsExist(err) {
- return nil
- }
- if err != syscall.EPERM {
- return err
- }
- // containers running in a user namespace are not allowed to mknod
- // devices so we can just bind mount it from the host.
+
+ if bind {
 f, err := os.Create(dest)
 if err != nil && !os.IsExist(err) {
 return err
@@ -219,6 +214,12 @@ func createDeviceNode(rootfs string, node *configs.Device) error {
 }
 return syscall.Mount(node.Path, dest, "bind", syscall.MS_BIND, "")
 }
+ if err := mknodDevice(dest, node); err != nil {
+ if os.IsExist(err) {
+ return nil
+ }
+ return err
+ }
 return nil
 }
diff --git a/vendor/src/github.com/docker/libcontainer/update-vendor.sh b/vendor/src/github.com/docker/libcontainer/update-vendor.sh
index 12077256e8..b68f5d4610 100755
--- a/vendor/src/github.com/docker/libcontainer/update-vendor.sh
+++ b/vendor/src/github.com/docker/libcontainer/update-vendor.sh
@@ -44,6 +44,6 @@ clone git github.com/codegangsta/cli 1.1.0
 clone git github.com/coreos/go-systemd v2
 clone git github.com/godbus/dbus v2
 clone git github.com/Sirupsen/logrus v0.6.6
-clone git github.com/syndtr/gocapability e55e583369
+clone git github.com/syndtr/gocapability 8e4cdcb
 # intentionally not vendoring Docker itself... that'd be a circle :)
diff --git a/vendor/src/github.com/syndtr/gocapability/capability/capability_linux.go b/vendor/src/github.com/syndtr/gocapability/capability/capability_linux.go
index 24dc85fa8a..3dfcd398dc 100644
--- a/vendor/src/github.com/syndtr/gocapability/capability/capability_linux.go
+++ b/vendor/src/github.com/syndtr/gocapability/capability/capability_linux.go
@@ -417,10 +417,6 @@ func (c *capsV3) Load() (err error) {
 }
 func (c *capsV3) Apply(kind CapType) (err error) {
- err = initLastCap()
- if err != nil {
- return
- }
 if kind&BOUNDS == BOUNDS {
 var data [2]capData
 err = capget(&c.hdr, &data[0])
@@ -428,7 +424,7 @@ func (c *capsV3) Apply(kind CapType) (err error) {
 return
 }
 if (1<