Merge pull request #7109 from crosbymichael/update-libcontainer-july4
Update libcontainer to cf45d141db69ce11dcccac178e5
This commit is contained in:
Victor Vieux
commit
ccbaf4bc6e
|
|
@ -63,4 +63,4 @@ mv tmp-tar src/code.google.com/p/go/src/pkg/archive/tar
|
|||
|
||||
clone git github.com/godbus/dbus v1
|
||||
clone git github.com/coreos/go-systemd v2
|
||||
clone git github.com/docker/libcontainer be85764f109c3f0f62cd2a5c8be9af7a599798cf
|
||||
clone git github.com/docker/libcontainer cf45d141db69ce11dcccac178e5607a385609e15
|
||||
|
|
|
|||
|
|
@ -1,22 +1,30 @@
|
|||
language: go
|
||||
go: 1.3
|
||||
|
||||
# let us have pretty experimental Docker-based Travis workers
|
||||
sudo: false
|
||||
|
||||
env:
|
||||
- TRAVIS_GLOBAL_WTF=1
|
||||
- GOOS=linux GOARCH=amd64
|
||||
- GOOS=linux GOARCH=386
|
||||
- GOOS=linux GOARCH=arm
|
||||
- GOOS=darwin GOARCH=amd64
|
||||
- GOOS=darwin GOARCH=386
|
||||
- GOOS=freebsd GOARCH=amd64
|
||||
- _GOOS=linux _GOARCH=amd64
|
||||
# - _GOOS=linux _GOARCH=386 # Travis can't currently do 32bit cgo... (see https://travis-ci.org/tianon/libcontainer/jobs/30126518#L168)
|
||||
# - _GOOS=linux _GOARCH=arm # see https://github.com/moovweb/gvm/issues/22
|
||||
|
||||
install:
|
||||
- mkdir -pv "${GOPATH%%:*}/src/github.com/docker" && [ -d "${GOPATH%%:*}/src/github.com/docker/libcontainer" ] || ln -sv "$(readlink -f .)" "${GOPATH%%:*}/src/github.com/docker/libcontainer"
|
||||
- if [ -z "$TRAVIS_GLOBAL_WTF" ]; then
|
||||
export CGO_ENABLED=1;
|
||||
gvm cross "$_GOOS" "$_GOARCH";
|
||||
export GOOS="$_GOOS" GOARCH="$_GOARCH";
|
||||
fi
|
||||
- if [ -z "$TRAVIS_GLOBAL_WTF" ]; then go env; fi
|
||||
- go get -d -v ./...
|
||||
- go get -d -v github.com/dotcloud/docker # just to be sure
|
||||
- DOCKER_PATH="${GOPATH%%:*}/src/github.com/dotcloud/docker"
|
||||
- sed -i 's!dotcloud/docker!docker/libcontainer!' "$DOCKER_PATH/hack/make/.validate"
|
||||
- if [ "$TRAVIS_GLOBAL_WTF" ]; then
|
||||
export DOCKER_PATH="${GOPATH%%:*}/src/github.com/dotcloud/docker";
|
||||
mkdir -p "$DOCKER_PATH/hack/make";
|
||||
( cd "$DOCKER_PATH/hack/make" && wget -c 'https://raw.githubusercontent.com/dotcloud/docker/master/hack/make/'{.validate,validate-dco,validate-gofmt} );
|
||||
sed -i 's!dotcloud/docker!docker/libcontainer!' "$DOCKER_PATH/hack/make/.validate";
|
||||
fi
|
||||
|
||||
script:
|
||||
- if [ "$TRAVIS_GLOBAL_WTF" ]; then bash "$DOCKER_PATH/hack/make/validate-dco"; fi
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
// +build apparmor,linux,amd64
|
||||
// +build apparmor,linux
|
||||
|
||||
package apparmor
|
||||
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
// +build !apparmor !linux !amd64
|
||||
// +build !apparmor !linux
|
||||
|
||||
package apparmor
|
||||
|
||||
|
|
|
|||
|
|
@ -21,6 +21,14 @@ type Container interface {
|
|||
// Returns the current config of the container.
|
||||
Config() *Config
|
||||
|
||||
// Start a process inside the container. Returns the PID of the new process (in the caller process's namespace) and a channel that will return the exit status of the process whenever it dies.
|
||||
//
|
||||
// Errors: container no longer exists,
|
||||
// config is invalid,
|
||||
// container is paused,
|
||||
// system error.
|
||||
Start(*ProcessConfig) (pid int, exitChan chan int, err error)
|
||||
|
||||
// Destroys the container after killing all running processes.
|
||||
//
|
||||
// Any event registrations are removed before the container is destroyed.
|
||||
|
|
|
|||
|
|
@ -26,7 +26,7 @@ type mount struct {
|
|||
|
||||
// InitializeMountNamespace sets up the devices, mount points, and filesystems for use inside a
|
||||
// new mount namespace.
|
||||
func InitializeMountNamespace(rootfs, console string, mountConfig *MountConfig) error {
|
||||
func InitializeMountNamespace(rootfs, console string, sysReadonly bool, mountConfig *MountConfig) error {
|
||||
var (
|
||||
err error
|
||||
flag = syscall.MS_PRIVATE
|
||||
|
|
@ -40,7 +40,7 @@ func InitializeMountNamespace(rootfs, console string, mountConfig *MountConfig)
|
|||
if err := syscall.Mount(rootfs, rootfs, "bind", syscall.MS_BIND|syscall.MS_REC, ""); err != nil {
|
||||
return fmt.Errorf("mouting %s as bind %s", rootfs, err)
|
||||
}
|
||||
if err := mountSystem(rootfs, mountConfig); err != nil {
|
||||
if err := mountSystem(rootfs, sysReadonly, mountConfig); err != nil {
|
||||
return fmt.Errorf("mount system %s", err)
|
||||
}
|
||||
if err := setupBindmounts(rootfs, mountConfig); err != nil {
|
||||
|
|
@ -81,8 +81,8 @@ func InitializeMountNamespace(rootfs, console string, mountConfig *MountConfig)
|
|||
|
||||
// mountSystem sets up linux specific system mounts like sys, proc, shm, and devpts
|
||||
// inside the mount namespace
|
||||
func mountSystem(rootfs string, mountConfig *MountConfig) error {
|
||||
for _, m := range newSystemMounts(rootfs, mountConfig.MountLabel, mountConfig.Mounts) {
|
||||
func mountSystem(rootfs string, sysReadonly bool, mountConfig *MountConfig) error {
|
||||
for _, m := range newSystemMounts(rootfs, mountConfig.MountLabel, sysReadonly, mountConfig.Mounts) {
|
||||
if err := os.MkdirAll(m.path, 0755); err != nil && !os.IsExist(err) {
|
||||
return fmt.Errorf("mkdirall %s %s", m.path, err)
|
||||
}
|
||||
|
|
@ -192,14 +192,19 @@ func setupBindmounts(rootfs string, mountConfig *MountConfig) error {
|
|||
|
||||
// TODO: this is crappy right now and should be cleaned up with a better way of handling system and
|
||||
// standard bind mounts allowing them to be more dynamic
|
||||
func newSystemMounts(rootfs, mountLabel string, mounts Mounts) []mount {
|
||||
func newSystemMounts(rootfs, mountLabel string, sysReadonly bool, mounts Mounts) []mount {
|
||||
systemMounts := []mount{
|
||||
{source: "proc", path: filepath.Join(rootfs, "proc"), device: "proc", flags: defaultMountFlags},
|
||||
{source: "sysfs", path: filepath.Join(rootfs, "sys"), device: "sysfs", flags: defaultMountFlags},
|
||||
{source: "tmpfs", path: filepath.Join(rootfs, "dev"), device: "tmpfs", flags: syscall.MS_NOSUID | syscall.MS_STRICTATIME, data: label.FormatMountLabel("mode=755", mountLabel)},
|
||||
{source: "shm", path: filepath.Join(rootfs, "dev", "shm"), device: "tmpfs", flags: defaultMountFlags, data: label.FormatMountLabel("mode=1777,size=65536k", mountLabel)},
|
||||
{source: "devpts", path: filepath.Join(rootfs, "dev", "pts"), device: "devpts", flags: syscall.MS_NOSUID | syscall.MS_NOEXEC, data: label.FormatMountLabel("newinstance,ptmxmode=0666,mode=620,gid=5", mountLabel)},
|
||||
}
|
||||
|
||||
sysMountFlags := defaultMountFlags
|
||||
if sysReadonly {
|
||||
sysMountFlags |= syscall.MS_RDONLY
|
||||
}
|
||||
systemMounts = append(systemMounts, mount{source: "sysfs", path: filepath.Join(rootfs, "sys"), device: "sysfs", flags: sysMountFlags})
|
||||
|
||||
return systemMounts
|
||||
}
|
||||
|
|
|
|||
|
|
@ -76,6 +76,7 @@ func Init(container *libcontainer.Config, uncleanRootfs, consolePath string, syn
|
|||
|
||||
if err := mount.InitializeMountNamespace(rootfs,
|
||||
consolePath,
|
||||
container.RestrictSys,
|
||||
(*mount.MountConfig)(container.MountConfig)); err != nil {
|
||||
return fmt.Errorf("setup mount namespace %s", err)
|
||||
}
|
||||
|
|
@ -98,7 +99,7 @@ func Init(container *libcontainer.Config, uncleanRootfs, consolePath string, syn
|
|||
|
||||
// TODO: (crosbymichael) make this configurable at the Config level
|
||||
if container.RestrictSys {
|
||||
if err := restrict.Restrict("proc/sys", "proc/sysrq-trigger", "proc/irq", "proc/bus", "sys"); err != nil {
|
||||
if err := restrict.Restrict("proc/sys", "proc/sysrq-trigger", "proc/irq", "proc/bus"); err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,11 +1,8 @@
|
|||
// +build amd64
|
||||
|
||||
package netlink
|
||||
|
||||
import (
|
||||
"encoding/binary"
|
||||
"fmt"
|
||||
"math/rand"
|
||||
"net"
|
||||
"sync/atomic"
|
||||
"syscall"
|
||||
|
|
@ -951,7 +948,7 @@ func setBridgeMacAddress(s int, name string) error {
|
|||
copy(ifr.IfrnName[:], name)
|
||||
|
||||
for i := 0; i < 6; i++ {
|
||||
ifr.IfruHwaddr.Data[i] = int8(rand.Intn(255))
|
||||
ifr.IfruHwaddr.Data[i] = randIfrDataByte()
|
||||
}
|
||||
|
||||
ifr.IfruHwaddr.Data[0] &^= 0x1 // clear multicast bit
|
||||
|
|
|
|||
|
|
@ -0,0 +1,9 @@
|
|||
package netlink
|
||||
|
||||
import (
|
||||
"math/rand"
|
||||
)
|
||||
|
||||
func randIfrDataByte() uint8 {
|
||||
return uint8(rand.Intn(255))
|
||||
}
|
||||
|
|
@ -0,0 +1,11 @@
|
|||
// +build !arm
|
||||
|
||||
package netlink
|
||||
|
||||
import (
|
||||
"math/rand"
|
||||
)
|
||||
|
||||
func randIfrDataByte() int8 {
|
||||
return int8(rand.Intn(255))
|
||||
}
|
||||
|
|
@ -1,4 +1,4 @@
|
|||
// +build !linux !amd64
|
||||
// +build !linux
|
||||
|
||||
package netlink
|
||||
|
||||
|
|
|
|||
|
|
@ -1,3 +1,5 @@
|
|||
// +build linux
|
||||
|
||||
package selinux
|
||||
|
||||
import (
|
||||
|
|
|
|||
|
|
@ -1,9 +1,12 @@
|
|||
// +build linux
|
||||
|
||||
package selinux_test
|
||||
|
||||
import (
|
||||
"github.com/docker/libcontainer/selinux"
|
||||
"os"
|
||||
"testing"
|
||||
|
||||
"github.com/docker/libcontainer/selinux"
|
||||
)
|
||||
|
||||
func testSetfilecon(t *testing.T) {
|
||||
|
|
|
|||
|
|
@ -11,7 +11,9 @@ import (
|
|||
// We need different setns values for the different platforms and arch
|
||||
// We are declaring the macro here because the SETNS syscall does not exist in th stdlib
|
||||
var setNsMap = map[string]uintptr{
|
||||
"linux/386": 346,
|
||||
"linux/amd64": 308,
|
||||
"linux/arm": 374,
|
||||
}
|
||||
|
||||
func Setns(fd uintptr, flags uintptr) error {
|
||||
|
|
|
|||
|
|
@ -4,10 +4,9 @@ package system
|
|||
|
||||
/*
|
||||
#include <unistd.h>
|
||||
int get_hz(void) { return sysconf(_SC_CLK_TCK); }
|
||||
*/
|
||||
import "C"
|
||||
|
||||
func GetClockTicks() int {
|
||||
return int(C.get_hz())
|
||||
return int(C.sysconf(C._SC_CLK_TCK))
|
||||
}
|
||||
|
|
|
|||
|
|
@ -0,0 +1,8 @@
|
|||
// +build linux,!cgo
|
||||
|
||||
package system
|
||||
|
||||
func GetClockTicks() int {
|
||||
// TODO figure out a better alternative for platforms where we're missing cgo
|
||||
return 100
|
||||
}
|
||||
Loading…
Reference in New Issue