moby--moby/container
Brian Goff eaa5192856 Make container resource mounts unbindable
It's a common scenario for admins and/or monitoring applications to
mount in the daemon root dir into a container. When doing so all mounts
get copied into the container, often with private references.
This can prevent removal of a container due to the various mounts that
must be configured before a container is started (for example, for
shared /dev/shm, or secrets) being leaked into another namespace,
usually with private references.

This is particularly problematic on older kernels (e.g. RHEL < 7.4)
where a mount may be active in another namespace and attempting to
remove a mountpoint which is active in another namespace fails.

This change moves all container resource mounts into a common directory
so that the directory can be made unbindable.
What this does is prevent sub-mounts of this new directory from leaking
into other namespaces when mounted with `rbind`... which is how all
binds are handled for containers.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2018-01-16 15:09:05 -05:00
stream Remove libcontainerd.IOPipe 2018-01-09 12:00:28 -05:00
archive.go LCOW: Implemented support for docker cp + build 2017-09-14 12:07:52 -07:00
container.go Make container resource mounts unbindable 2018-01-16 15:09:05 -05:00
container_linux.go Add functional support for Docker sub commands on Solaris 2016-11-07 09:06:34 -08:00
container_notlinux.go Remove solaris build tag and `contrib/mkimage/solaris 2017-11-02 00:01:46 +00:00
container_unit_test.go LCOW: Remove CommonContainer - just Container 2017-06-20 08:55:46 -07:00
container_unix.go Make container resource mounts unbindable 2018-01-16 15:09:05 -05:00
container_windows.go Make container resource mounts unbindable 2018-01-16 15:09:05 -05:00
env.go Move ReplaceOrAppendEnvValues to container package 2016-12-21 22:42:39 +01:00
env_test.go api: clarify that Env var without `=` is removed from the environment 2017-03-08 04:27:25 +00:00
health.go container: protect the health status with mutex 2017-11-16 15:04:01 -08:00
history.go Release memoryStore locks before filter/apply 2016-05-23 11:45:04 -07:00
memory_store.go Add functional support for Docker sub commands on Solaris 2016-11-07 09:06:34 -08:00
memory_store_test.go Fix some output information for container test 2016-11-24 20:01:00 +08:00
monitor.go Update logrus to v1.0.1 2017-07-31 13:16:46 -07:00
mounts_unix.go Replace execdrivers with containerd implementation 2016-03-18 13:38:32 -07:00
mounts_windows.go Windows libcontainerd implementation 2016-03-18 13:38:41 -07:00
state.go Add test case for `docker ps -f health=starting` 2018-01-07 05:10:36 +00:00
state_test.go add testcase IsValidStateString 2017-10-24 09:49:58 +08:00
store.go Extract container store from the daemon. 2016-01-19 13:21:41 -05:00
view.go Golint: remove redundant ifs 2018-01-15 00:42:25 +01:00
view_test.go Add test case for `docker ps -f health=starting` 2018-01-07 05:10:36 +00:00