Update libcontainer to a6044b701c166fe538fc760f9e2
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
parent
e6e2893fa3
commit
b4196f7892
|
@ -75,7 +75,7 @@ rm -rf src/github.com/docker/distribution
|
||||||
mkdir -p src/github.com/docker/distribution
|
mkdir -p src/github.com/docker/distribution
|
||||||
mv tmp-digest src/github.com/docker/distribution/digest
|
mv tmp-digest src/github.com/docker/distribution/digest
|
||||||
|
|
||||||
clone git github.com/docker/libcontainer fd0087d3acdc4c5865de1829d4accee5e3ebb658
|
clone git github.com/docker/libcontainer a6044b701c166fe538fc760f9e2dcea3d737cd2a
|
||||||
# see src/github.com/docker/libcontainer/update-vendor.sh which is the "source of truth" for libcontainer deps (just like this file)
|
# see src/github.com/docker/libcontainer/update-vendor.sh which is the "source of truth" for libcontainer deps (just like this file)
|
||||||
rm -rf src/github.com/docker/libcontainer/vendor
|
rm -rf src/github.com/docker/libcontainer/vendor
|
||||||
eval "$(grep '^clone ' src/github.com/docker/libcontainer/update-vendor.sh | grep -v 'github.com/codegangsta/cli' | grep -v 'github.com/Sirupsen/logrus')"
|
eval "$(grep '^clone ' src/github.com/docker/libcontainer/update-vendor.sh | grep -v 'github.com/codegangsta/cli' | grep -v 'github.com/Sirupsen/logrus')"
|
||||||
|
|
|
@ -173,9 +173,6 @@ func (m *Manager) Freeze(state configs.FreezerState) error {
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if !cgroups.PathExists(dir) {
|
|
||||||
return cgroups.NewNotFoundError("freezer")
|
|
||||||
}
|
|
||||||
|
|
||||||
prevState := m.Cgroups.Freezer
|
prevState := m.Cgroups.Freezer
|
||||||
m.Cgroups.Freezer = state
|
m.Cgroups.Freezer = state
|
||||||
|
@ -200,9 +197,6 @@ func (m *Manager) GetPids() ([]int, error) {
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
if !cgroups.PathExists(dir) {
|
|
||||||
return nil, cgroups.NewNotFoundError("devices")
|
|
||||||
}
|
|
||||||
|
|
||||||
return cgroups.ReadProcsFile(dir)
|
return cgroups.ReadProcsFile(dir)
|
||||||
}
|
}
|
||||||
|
|
|
@ -91,7 +91,7 @@ func populateProcessEnvironment(env []string) error {
|
||||||
|
|
||||||
// finalizeNamespace drops the caps, sets the correct user
|
// finalizeNamespace drops the caps, sets the correct user
|
||||||
// and working dir, and closes any leaked file descriptors
|
// and working dir, and closes any leaked file descriptors
|
||||||
// before execing the command inside the namespace
|
// before executing the command inside the namespace
|
||||||
func finalizeNamespace(config *initConfig) error {
|
func finalizeNamespace(config *initConfig) error {
|
||||||
// Ensure that all non-standard fds we may have accidentally
|
// Ensure that all non-standard fds we may have accidentally
|
||||||
// inherited are marked close-on-exec so they stay out of the
|
// inherited are marked close-on-exec so they stay out of the
|
||||||
|
|
|
@ -186,7 +186,9 @@ func reOpenDevNull(rootfs string) error {
|
||||||
func createDevices(config *configs.Config) error {
|
func createDevices(config *configs.Config) error {
|
||||||
oldMask := syscall.Umask(0000)
|
oldMask := syscall.Umask(0000)
|
||||||
for _, node := range config.Devices {
|
for _, node := range config.Devices {
|
||||||
if err := createDeviceNode(config.Rootfs, node); err != nil {
|
// containers running in a user namespace are not allowed to mknod
|
||||||
|
// devices so we can just bind mount it from the host.
|
||||||
|
if err := createDeviceNode(config.Rootfs, node, config.Namespaces.Contains(configs.NEWUSER)); err != nil {
|
||||||
syscall.Umask(oldMask)
|
syscall.Umask(oldMask)
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
@ -196,20 +198,13 @@ func createDevices(config *configs.Config) error {
|
||||||
}
|
}
|
||||||
|
|
||||||
// Creates the device node in the rootfs of the container.
|
// Creates the device node in the rootfs of the container.
|
||||||
func createDeviceNode(rootfs string, node *configs.Device) error {
|
func createDeviceNode(rootfs string, node *configs.Device, bind bool) error {
|
||||||
dest := filepath.Join(rootfs, node.Path)
|
dest := filepath.Join(rootfs, node.Path)
|
||||||
if err := os.MkdirAll(filepath.Dir(dest), 0755); err != nil {
|
if err := os.MkdirAll(filepath.Dir(dest), 0755); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if err := mknodDevice(dest, node); err != nil {
|
|
||||||
if os.IsExist(err) {
|
if bind {
|
||||||
return nil
|
|
||||||
}
|
|
||||||
if err != syscall.EPERM {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
// containers running in a user namespace are not allowed to mknod
|
|
||||||
// devices so we can just bind mount it from the host.
|
|
||||||
f, err := os.Create(dest)
|
f, err := os.Create(dest)
|
||||||
if err != nil && !os.IsExist(err) {
|
if err != nil && !os.IsExist(err) {
|
||||||
return err
|
return err
|
||||||
|
@ -219,6 +214,12 @@ func createDeviceNode(rootfs string, node *configs.Device) error {
|
||||||
}
|
}
|
||||||
return syscall.Mount(node.Path, dest, "bind", syscall.MS_BIND, "")
|
return syscall.Mount(node.Path, dest, "bind", syscall.MS_BIND, "")
|
||||||
}
|
}
|
||||||
|
if err := mknodDevice(dest, node); err != nil {
|
||||||
|
if os.IsExist(err) {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
return err
|
||||||
|
}
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
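Review bot: In createDeviceNode the `bind` branch creates and mounts onto `dest`, which is just `filepath.Join(rootfs, node.Path)`; Join cleans the path but does not resolve symlinks, so when the rootfs contents are not trusted, `os.MkdirAll`, `os.Create` and `syscall.Mount` can follow a link under the device's parent directory and land outside the rootfs. This matters more after the change because the branch is now chosen up front for every device when the config contains `configs.NEWUSER`, instead of only after mknod failed with EPERM. I would resolve the destination within the rootfs before using it and document the new parameter, e.g. `// bind mounts the host's node.Path over dest instead of calling mknod; dest must already be confined to rootfs`. The lines between the two createDeviceNode hunks are not shown, so whether the mode and ownership from `node` are applied on the bind path cannot be checked here.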
@ -44,6 +44,6 @@ clone git github.com/codegangsta/cli 1.1.0
|
||||||
clone git github.com/coreos/go-systemd v2
|
clone git github.com/coreos/go-systemd v2
|
||||||
clone git github.com/godbus/dbus v2
|
clone git github.com/godbus/dbus v2
|
||||||
clone git github.com/Sirupsen/logrus v0.6.6
|
clone git github.com/Sirupsen/logrus v0.6.6
|
||||||
clone git github.com/syndtr/gocapability e55e583369
|
clone git github.com/syndtr/gocapability 8e4cdcb
|
||||||
|
|
||||||
# intentionally not vendoring Docker itself... that'd be a circle :)
|
# intentionally not vendoring Docker itself... that'd be a circle :)
|
||||||
|
|
|
@ -417,10 +417,6 @@ func (c *capsV3) Load() (err error) {
|
||||||
}
|
}
|
||||||
|
|
||||||
func (c *capsV3) Apply(kind CapType) (err error) {
|
func (c *capsV3) Apply(kind CapType) (err error) {
|
||||||
err = initLastCap()
|
|
||||||
if err != nil {
|
|
||||||
return
|
|
||||||
}
|
|
||||||
if kind&BOUNDS == BOUNDS {
|
if kind&BOUNDS == BOUNDS {
|
||||||
var data [2]capData
|
var data [2]capData
|
||||||
err = capget(&c.hdr, &data[0])
|
err = capget(&c.hdr, &data[0])
|
||||||
|
@ -428,7 +424,7 @@ func (c *capsV3) Apply(kind CapType) (err error) {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
if (1<<uint(CAP_SETPCAP))&data[0].effective != 0 {
|
if (1<<uint(CAP_SETPCAP))&data[0].effective != 0 {
|
||||||
for i := Cap(0); i <= capLastCap; i++ {
|
for i := Cap(0); i <= CAP_LAST_CAP; i++ {
|
||||||
if c.Get(BOUNDING, i) {
|
if c.Get(BOUNDING, i) {
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
|
|
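Review bot: The bounding-set loop in Apply now stops at the build-time constant `CAP_LAST_CAP` and the `initLastCap()` call is removed, so the upper bound presumably no longer reflects the running kernel (the page does not show how `capLastCap` was set). If the loop body drops every bit that is not set in the bounding set, as the visible `continue` suggests, a kernel that defines capabilities above the constant would keep them in the bounding set, and an older kernel may reject values it does not know. Please confirm that moving the gocapability pin in this direction is intended, and if it is, add a comment at the loop such as `// CAP_LAST_CAP is a build-time value; capabilities added by newer kernels are not covered here`. The loop body continues outside the hunk.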