diff --git a/hack/vendor.sh b/hack/vendor.sh
index f3347d374b..3b71004de3 100755
--- a/hack/vendor.sh
+++ b/hack/vendor.sh
@@ -63,4 +63,4 @@ mv tmp-tar src/code.google.com/p/go/src/pkg/archive/tar
 clone git github.com/godbus/dbus v1
 clone git github.com/coreos/go-systemd v2
-clone git github.com/docker/libcontainer be85764f109c3f0f62cd2a5c8be9af7a599798cf
+clone git github.com/docker/libcontainer cf45d141db69ce11dcccac178e5607a385609e15
diff --git a/vendor/src/github.com/docker/libcontainer/.travis.yml b/vendor/src/github.com/docker/libcontainer/.travis.yml
index d4c2045d8a..5ce4587689 100644
--- a/vendor/src/github.com/docker/libcontainer/.travis.yml
+++ b/vendor/src/github.com/docker/libcontainer/.travis.yml
@@ -1,22 +1,30 @@
 language: go
+go: 1.3
 # let us have pretty experimental Docker-based Travis workers
 sudo: false
 env:
 - TRAVIS_GLOBAL_WTF=1
- - GOOS=linux GOARCH=amd64
- - GOOS=linux GOARCH=386
- - GOOS=linux GOARCH=arm
- - GOOS=darwin GOARCH=amd64
- - GOOS=darwin GOARCH=386
- - GOOS=freebsd GOARCH=amd64
+ - _GOOS=linux _GOARCH=amd64
+# - _GOOS=linux _GOARCH=386 # Travis can't currently do 32bit cgo... (see https://travis-ci.org/tianon/libcontainer/jobs/30126518#L168)
+# - _GOOS=linux _GOARCH=arm # see https://github.com/moovweb/gvm/issues/22
 install:
+ - mkdir -pv "${GOPATH%%:*}/src/github.com/docker" && [ -d "${GOPATH%%:*}/src/github.com/docker/libcontainer" ] || ln -sv "$(readlink -f .)" "${GOPATH%%:*}/src/github.com/docker/libcontainer"
+ - if [ -z "$TRAVIS_GLOBAL_WTF" ]; then
+ export CGO_ENABLED=1;
+ gvm cross "$_GOOS" "$_GOARCH";
+ export GOOS="$_GOOS" GOARCH="$_GOARCH";
+ fi
+ - if [ -z "$TRAVIS_GLOBAL_WTF" ]; then go env; fi
 - go get -d -v ./...
- - go get -d -v github.com/dotcloud/docker # just to be sure
- - DOCKER_PATH="${GOPATH%%:*}/src/github.com/dotcloud/docker"
- - sed -i 's!dotcloud/docker!docker/libcontainer!' "$DOCKER_PATH/hack/make/.validate"
+ - if [ "$TRAVIS_GLOBAL_WTF" ]; then
+ export DOCKER_PATH="${GOPATH%%:*}/src/github.com/dotcloud/docker";
+ mkdir -p "$DOCKER_PATH/hack/make";
+ ( cd "$DOCKER_PATH/hack/make" && wget -c 'https://raw.githubusercontent.com/dotcloud/docker/master/hack/make/'{.validate,validate-dco,validate-gofmt} );
+ sed -i 's!dotcloud/docker!docker/libcontainer!' "$DOCKER_PATH/hack/make/.validate";
+ fi
 script:
 - if [ "$TRAVIS_GLOBAL_WTF" ]; then bash "$DOCKER_PATH/hack/make/validate-dco"; fi
diff --git a/vendor/src/github.com/docker/libcontainer/apparmor/apparmor.go b/vendor/src/github.com/docker/libcontainer/apparmor/apparmor.go
index 704ee29ed0..fb1574dfc6 100644
--- a/vendor/src/github.com/docker/libcontainer/apparmor/apparmor.go
+++ b/vendor/src/github.com/docker/libcontainer/apparmor/apparmor.go
@@ -1,4 +1,4 @@
-// +build apparmor,linux,amd64
+// +build apparmor,linux
 package apparmor
diff --git a/vendor/src/github.com/docker/libcontainer/apparmor/apparmor_disabled.go b/vendor/src/github.com/docker/libcontainer/apparmor/apparmor_disabled.go
index 8d86ce9d4a..937bf915c7 100644
--- a/vendor/src/github.com/docker/libcontainer/apparmor/apparmor_disabled.go
+++ b/vendor/src/github.com/docker/libcontainer/apparmor/apparmor_disabled.go
@@ -1,4 +1,4 @@
-// +build !apparmor !linux !amd64
+// +build !apparmor !linux
 package apparmor
diff --git a/vendor/src/github.com/docker/libcontainer/container.go b/vendor/src/github.com/docker/libcontainer/container.go
index 5fb2bba651..c4d372ce35 100644
--- a/vendor/src/github.com/docker/libcontainer/container.go
+++ b/vendor/src/github.com/docker/libcontainer/container.go
@@ -21,6 +21,14 @@ type Container interface {
 // Returns the current config of the container.
 Config() *Config
+ // Start a process inside the container. Returns the PID of the new process (in the caller process's namespace) and a channel that will return the exit status of the process whenever it dies.
+ //
+ // Errors: container no longer exists,
+ // config is invalid,
+ // container is paused,
+ // system error.
+ Start(*ProcessConfig) (pid int, exitChan chan int, err error)
+
 // Destroys the container after killing all running processes.
 //
 // Any event registrations are removed before the container is destroyed.
diff --git a/vendor/src/github.com/docker/libcontainer/mount/init.go b/vendor/src/github.com/docker/libcontainer/mount/init.go
index daec6ac865..a59b4a76fe 100644
--- a/vendor/src/github.com/docker/libcontainer/mount/init.go
+++ b/vendor/src/github.com/docker/libcontainer/mount/init.go
@@ -26,7 +26,7 @@ type mount struct {
 // InitializeMountNamespace sets up the devices, mount points, and filesystems for use inside a
 // new mount namespace.
-func InitializeMountNamespace(rootfs, console string, mountConfig *MountConfig) error {
+func InitializeMountNamespace(rootfs, console string, sysReadonly bool, mountConfig *MountConfig) error {
 var (
 err error
 flag = syscall.MS_PRIVATE
@@ -40,7 +40,7 @@ func InitializeMountNamespace(rootfs, console string, mountConfig *MountConfig)
 if err := syscall.Mount(rootfs, rootfs, "bind", syscall.MS_BIND|syscall.MS_REC, ""); err != nil {
 return fmt.Errorf("mouting %s as bind %s", rootfs, err)
 }
- if err := mountSystem(rootfs, mountConfig); err != nil {
+ if err := mountSystem(rootfs, sysReadonly, mountConfig); err != nil {
 return fmt.Errorf("mount system %s", err)
 }
 if err := setupBindmounts(rootfs, mountConfig); err != nil {
@@ -81,8 +81,8 @@ func InitializeMountNamespace(rootfs, console string, mountConfig *MountConfig)
 // mountSystem sets up linux specific system mounts like sys, proc, shm, and devpts
 // inside the mount namespace
-func mountSystem(rootfs string, mountConfig *MountConfig) error {
- for _, m := range newSystemMounts(rootfs, mountConfig.MountLabel, mountConfig.Mounts) {
+func mountSystem(rootfs string, sysReadonly bool, mountConfig *MountConfig) error {
+ for _, m := range newSystemMounts(rootfs, mountConfig.MountLabel, sysReadonly, mountConfig.Mounts) {
 if err := os.MkdirAll(m.path, 0755); err != nil && !os.IsExist(err) {
 return fmt.Errorf("mkdirall %s %s", m.path, err)
 }
@@ -192,14 +192,19 @@ func setupBindmounts(rootfs string, mountConfig *MountConfig) error {
 // TODO: this is crappy right now and should be cleaned up with a better way of handling system and
 // standard bind mounts allowing them to be more dynamic
-func newSystemMounts(rootfs, mountLabel string, mounts Mounts) []mount {
+func newSystemMounts(rootfs, mountLabel string, sysReadonly bool, mounts Mounts) []mount {
 systemMounts := []mount{
 {source: "proc", path: filepath.Join(rootfs, "proc"), device: "proc", flags: defaultMountFlags},
- {source: "sysfs", path: filepath.Join(rootfs, "sys"), device: "sysfs", flags: defaultMountFlags},
 {source: "tmpfs", path: filepath.Join(rootfs, "dev"), device: "tmpfs", flags: syscall.MS_NOSUID | syscall.MS_STRICTATIME, data: label.FormatMountLabel("mode=755", mountLabel)},
 {source: "shm", path: filepath.Join(rootfs, "dev", "shm"), device: "tmpfs", flags: defaultMountFlags, data: label.FormatMountLabel("mode=1777,size=65536k", mountLabel)},
 {source: "devpts", path: filepath.Join(rootfs, "dev", "pts"), device: "devpts", flags: syscall.MS_NOSUID | syscall.MS_NOEXEC, data: label.FormatMountLabel("newinstance,ptmxmode=0666,mode=620,gid=5", mountLabel)},
 }
+ sysMountFlags := defaultMountFlags
+ if sysReadonly {
+ sysMountFlags |= syscall.MS_RDONLY
+ }
+ systemMounts = append(systemMounts, mount{source: "sysfs", path: filepath.Join(rootfs, "sys"), device: "sysfs", flags: sysMountFlags})
+
 return systemMounts
 }
diff --git a/vendor/src/github.com/docker/libcontainer/namespaces/init.go b/vendor/src/github.com/docker/libcontainer/namespaces/init.go
index 7c917c015d..62452cba16 100644
--- a/vendor/src/github.com/docker/libcontainer/namespaces/init.go
+++ b/vendor/src/github.com/docker/libcontainer/namespaces/init.go
@@ -76,6 +76,7 @@ func Init(container *libcontainer.Config, uncleanRootfs, consolePath string, syn
 if err := mount.InitializeMountNamespace(rootfs, consolePath,
+ container.RestrictSys,
 (*mount.MountConfig)(container.MountConfig)); err != nil {
 return fmt.Errorf("setup mount namespace %s", err)
 }
@@ -98,7 +99,7 @@ func Init(container *libcontainer.Config, uncleanRootfs, consolePath string, syn
 // TODO: (crosbymichael) make this configurable at the Config level
 if container.RestrictSys {
- if err := restrict.Restrict("proc/sys", "proc/sysrq-trigger", "proc/irq", "proc/bus", "sys"); err != nil {
+ if err := restrict.Restrict("proc/sys", "proc/sysrq-trigger", "proc/irq", "proc/bus"); err != nil {
 return err
 }
 }
diff --git a/vendor/src/github.com/docker/libcontainer/netlink/netlink_linux.go b/vendor/src/github.com/docker/libcontainer/netlink/netlink_linux.go
index 14e30aa026..92accd4aaa 100644
--- a/vendor/src/github.com/docker/libcontainer/netlink/netlink_linux.go
+++ b/vendor/src/github.com/docker/libcontainer/netlink/netlink_linux.go
@@ -1,11 +1,8 @@
-// +build amd64
-
 package netlink
 import (
 "encoding/binary"
 "fmt"
- "math/rand"
 "net"
 "sync/atomic"
 "syscall"
@@ -951,7 +948,7 @@ func setBridgeMacAddress(s int, name string) error {
 copy(ifr.IfrnName[:], name)
 for i := 0; i < 6; i++ {
- ifr.IfruHwaddr.Data[i] = int8(rand.Intn(255))
+ ifr.IfruHwaddr.Data[i] = randIfrDataByte()
 }
 ifr.IfruHwaddr.Data[0] &^= 0x1 // clear multicast bit
diff --git a/vendor/src/github.com/docker/libcontainer/netlink/netlink_linux_arm.go b/vendor/src/github.com/docker/libcontainer/netlink/netlink_linux_arm.go
new file mode 100644
index 0000000000..7789ae275a
--- /dev/null
+++ b/vendor/src/github.com/docker/libcontainer/netlink/netlink_linux_arm.go
@@ -0,0 +1,9 @@
+package netlink
+
+import (
+ "math/rand"
+)
+
+func randIfrDataByte() uint8 {
+ return uint8(rand.Intn(255))
+}
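Review bot: In namespaces/init.go the second hunk drops "sys" from the restrict.Restrict call without a comment saying why, so the call now reads as if /sys had been left out of the restriction by mistake. Read-only /sys is instead obtained by passing container.RestrictSys to mount.InitializeMountNamespace in the first hunk, which, per the mount/init.go hunks of this commit, adds MS_RDONLY to the sysfs mount. A comment above the Restrict call, for example `// sysfs is mounted read-only by InitializeMountNamespace when RestrictSys is set`, would keep the two halves of the restriction tied together. Init's body starts and ends outside both hunks.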
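Review bot: randIfrDataByte in the new netlink_linux_arm.go (and its int8 twin in netlink_linux_notarm.go) calls rand.Intn(255), which returns 0 through 254, so the byte value 0xff is never produced; `rand.Intn(256)` covers the full range. The helper also draws from math/rand's global source, which under the Go release pinned in .travis.yml (1.3) repeats the same sequence on every run unless it is seeded. No seeding is visible in these hunks, so the bridge MAC written by setBridgeMacAddress may come out identical across hosts; it is worth confirming that the package seeds the source elsewhere. setBridgeMacAddress's body continues outside the hunk.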
diff --git a/vendor/src/github.com/docker/libcontainer/netlink/netlink_linux_notarm.go b/vendor/src/github.com/docker/libcontainer/netlink/netlink_linux_notarm.go
new file mode 100644
index 0000000000..23c4a92712
--- /dev/null
+++ b/vendor/src/github.com/docker/libcontainer/netlink/netlink_linux_notarm.go
@@ -0,0 +1,11 @@
+// +build !arm
+
+package netlink
+
+import (
+ "math/rand"
+)
+
+func randIfrDataByte() int8 {
+ return int8(rand.Intn(255))
+}
diff --git a/vendor/src/github.com/docker/libcontainer/netlink/netlink_unsupported.go b/vendor/src/github.com/docker/libcontainer/netlink/netlink_unsupported.go
index 1359345662..2c4d31940c 100644
--- a/vendor/src/github.com/docker/libcontainer/netlink/netlink_unsupported.go
+++ b/vendor/src/github.com/docker/libcontainer/netlink/netlink_unsupported.go
@@ -1,4 +1,4 @@
-// +build !linux !amd64
+// +build !linux
 package netlink
diff --git a/vendor/src/github.com/docker/libcontainer/selinux/selinux.go b/vendor/src/github.com/docker/libcontainer/selinux/selinux.go
index 8dbdbdbc21..55da87ff26 100644
--- a/vendor/src/github.com/docker/libcontainer/selinux/selinux.go
+++ b/vendor/src/github.com/docker/libcontainer/selinux/selinux.go
@@ -1,3 +1,5 @@
+// +build linux
+
 package selinux
 import (
diff --git a/vendor/src/github.com/docker/libcontainer/selinux/selinux_test.go b/vendor/src/github.com/docker/libcontainer/selinux/selinux_test.go
index 40ed70d166..34c3497441 100644
--- a/vendor/src/github.com/docker/libcontainer/selinux/selinux_test.go
+++ b/vendor/src/github.com/docker/libcontainer/selinux/selinux_test.go
@@ -1,9 +1,12 @@
+// +build linux
+
 package selinux_test
 import (
- "github.com/docker/libcontainer/selinux"
 "os"
 "testing"
+
+ "github.com/docker/libcontainer/selinux"
 )
 func testSetfilecon(t *testing.T) {
diff --git a/vendor/src/github.com/docker/libcontainer/system/setns_linux.go b/vendor/src/github.com/docker/libcontainer/system/setns_linux.go
index a0a259e170..32821ee2bf 100644
--- a/vendor/src/github.com/docker/libcontainer/system/setns_linux.go
+++ b/vendor/src/github.com/docker/libcontainer/system/setns_linux.go
@@ -11,7 +11,9 @@ import (
 // We need different setns values for the different platforms and arch
 // We are declaring the macro here because the SETNS syscall does not exist in th stdlib
 var setNsMap = map[string]uintptr{
+ "linux/386": 346,
 "linux/amd64": 308,
+ "linux/arm": 374,
 }
 func Setns(fd uintptr, flags uintptr) error {
diff --git a/vendor/src/github.com/docker/libcontainer/system/sysconfig.go b/vendor/src/github.com/docker/libcontainer/system/sysconfig.go
index dcbe6c9cdd..3e2f43b1e9 100644
--- a/vendor/src/github.com/docker/libcontainer/system/sysconfig.go
+++ b/vendor/src/github.com/docker/libcontainer/system/sysconfig.go
@@ -4,10 +4,9 @@ package system
 /*
 #include
-int get_hz(void) { return sysconf(_SC_CLK_TCK); }
 */
 import "C"
 func GetClockTicks() int {
- return int(C.get_hz())
+ return int(C.sysconf(C._SC_CLK_TCK))
 }
diff --git a/vendor/src/github.com/docker/libcontainer/system/sysconfig_notcgo.go b/vendor/src/github.com/docker/libcontainer/system/sysconfig_notcgo.go
new file mode 100644
index 0000000000..4bbb69896f
--- /dev/null
+++ b/vendor/src/github.com/docker/libcontainer/system/sysconfig_notcgo.go
@@ -0,0 +1,8 @@
+// +build linux,!cgo
+
+package system
+
+func GetClockTicks() int {
+ // TODO figure out a better alternative for platforms where we're missing cgo
+ return 100
+}
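Review bot: The new `"linux/arm": 374,` entry in setNsMap (system/setns_linux.go) looks off by one: in the kernel's ARM syscall table 374 is sendmmsg and setns is 375, so Setns on ARM would issue a different system call instead of joining the namespace. The entry should read `"linux/arm": 375,` once confirmed against the ARM unistd.h; the 386 value 346 matches the i386 table. A short comment naming the kernel header each number was taken from would make such slips easier to catch in review. Setns itself lies outside the hunk.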