authorbaude <bbaude@redhat.com>2018-02-14 12:51:06 -0600
committerAtomic Bot <atomic-devel@projectatomic.io>2018-02-15 00:20:47 +0000
commitbe9ed1cfacc19d1ad3c09e10481da445615b8b8e (patch)
tree1c0c01daf5b43c6139e37408be601475c1dcea41 /vendor/github.com/opencontainers/runc/libcontainer/configs
parentd051dc38d81920c94c37b20ceba0d33b35299bca (diff)
Privileged containers should inherit host devices
When running a privileged container, it should inherit the same devices the host has. Signed-off-by: baude <bbaude@redhat.com> Closes: #330 Approved by: mheon
Diffstat (limited to 'vendor/github.com/opencontainers/runc/libcontainer/configs')
-rw-r--r--vendor/github.com/opencontainers/runc/libcontainer/configs/cgroup_unsupported.go6
-rw-r--r--vendor/github.com/opencontainers/runc/libcontainer/configs/config.go4
-rw-r--r--vendor/github.com/opencontainers/runc/libcontainer/configs/device_defaults.go2
-rw-r--r--vendor/github.com/opencontainers/runc/libcontainer/configs/intelrdt.go7
-rw-r--r--vendor/github.com/opencontainers/runc/libcontainer/configs/validate/rootless.go68
-rw-r--r--vendor/github.com/opencontainers/runc/libcontainer/configs/validate/validator.go17
6 files changed, 63 insertions, 41 deletions
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/configs/cgroup_unsupported.go b/vendor/github.com/opencontainers/runc/libcontainer/configs/cgroup_unsupported.go
deleted file mode 100644
index 95e2830a4..000000000
--- a/vendor/github.com/opencontainers/runc/libcontainer/configs/cgroup_unsupported.go
+++ /dev/null
@@ -1,6 +0,0 @@
-// +build !windows,!linux,!freebsd
-
-package configs
-
-type Cgroup struct {
-}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/configs/config.go b/vendor/github.com/opencontainers/runc/libcontainer/configs/config.go
index 269fffff3..3cae4fd8d 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/configs/config.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/configs/config.go
@@ -187,6 +187,10 @@ type Config struct {
// Rootless specifies whether the container is a rootless container.
Rootless bool `json:"rootless"`
+
+ // IntelRdt specifies settings for Intel RDT/CAT group that the container is placed into
+ // to limit the resources (e.g., L3 cache) the container has available
+ IntelRdt *IntelRdt `json:"intel_rdt,omitempty"`
}
type Hooks struct {
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/configs/device_defaults.go b/vendor/github.com/opencontainers/runc/libcontainer/configs/device_defaults.go
index 4d348d217..e4f423c52 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/configs/device_defaults.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/configs/device_defaults.go
@@ -1,4 +1,4 @@
-// +build linux freebsd
+// +build linux
package configs
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/configs/intelrdt.go b/vendor/github.com/opencontainers/runc/libcontainer/configs/intelrdt.go
new file mode 100644
index 000000000..36bd5f96a
--- /dev/null
+++ b/vendor/github.com/opencontainers/runc/libcontainer/configs/intelrdt.go
@@ -0,0 +1,7 @@
+package configs
+
+type IntelRdt struct {
+ // The schema for L3 cache id and capacity bitmask (CBM)
+ // Format: "L3:<cache_id0>=<cbm0>;<cache_id1>=<cbm1>;..."
+ L3CacheSchema string `json:"l3_cache_schema,omitempty"`
+}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/configs/validate/rootless.go b/vendor/github.com/opencontainers/runc/libcontainer/configs/validate/rootless.go
index 0cebfaf80..7a9f33b71 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/configs/validate/rootless.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/configs/validate/rootless.go
@@ -21,13 +21,6 @@ func (v *ConfigValidator) rootless(config *configs.Config) error {
if err := rootlessMount(config); err != nil {
return err
}
- // Currently, cgroups cannot effectively be used in rootless containers.
- // The new cgroup namespace doesn't really help us either because it doesn't
- // have nice interactions with the user namespace (we're working with upstream
- // to fix this).
- if err := rootlessCgroup(config); err != nil {
- return err
- }
// XXX: We currently can't verify the user config at all, because
// configs.Config doesn't store the user-related configs. So this
@@ -36,37 +29,27 @@ func (v *ConfigValidator) rootless(config *configs.Config) error {
return nil
}
-func rootlessMappings(config *configs.Config) error {
- rootuid, err := config.HostRootUID()
- if err != nil {
- return fmt.Errorf("failed to get root uid from uidMappings: %v", err)
+func hasIDMapping(id int, mappings []configs.IDMap) bool {
+ for _, m := range mappings {
+ if id >= m.ContainerID && id < m.ContainerID+m.Size {
+ return true
+ }
}
+ return false
+}
+
+func rootlessMappings(config *configs.Config) error {
if euid := geteuid(); euid != 0 {
if !config.Namespaces.Contains(configs.NEWUSER) {
return fmt.Errorf("rootless containers require user namespaces")
}
- if rootuid != euid {
- return fmt.Errorf("rootless containers cannot map container root to a different host user")
- }
- }
-
- rootgid, err := config.HostRootGID()
- if err != nil {
- return fmt.Errorf("failed to get root gid from gidMappings: %v", err)
}
- // Similar to the above test, we need to make sure that we aren't trying to
- // map to a group ID that we don't have the right to be.
- if rootgid != getegid() {
- return fmt.Errorf("rootless containers cannot map container root to a different host group")
+ if len(config.UidMappings) == 0 {
+ return fmt.Errorf("rootless containers requires at least one UID mapping")
}
-
- // We can only map one user and group inside a container (our own).
- if len(config.UidMappings) != 1 || config.UidMappings[0].Size != 1 {
- return fmt.Errorf("rootless containers cannot map more than one user")
- }
- if len(config.GidMappings) != 1 || config.GidMappings[0].Size != 1 {
- return fmt.Errorf("rootless containers cannot map more than one group")
+ if len(config.GidMappings) == 0 {
+ return fmt.Errorf("rootless containers requires at least one UID mapping")
}
return nil
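Review bot: The GID check at the end of rootlessMappings reports the wrong mapping kind: the `len(config.GidMappings) == 0` branch returns "rootless containers requires at least one UID mapping", copied from the UID branch just above it, so a missing GID mapping is diagnosed as a missing UID mapping. Suggested line: `return fmt.Errorf("rootless containers require at least one GID mapping")` (this also fixes the subject-verb agreement that the UID message on the preceding branch shares). Since this file lives under vendor/, the correction belongs in upstream runc and should arrive with the next vendor sync rather than be patched locally.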
@@ -104,11 +87,28 @@ func rootlessMount(config *configs.Config) error {
// Check that the options list doesn't contain any uid= or gid= entries
// that don't resolve to root.
for _, opt := range strings.Split(mount.Data, ",") {
- if strings.HasPrefix(opt, "uid=") && opt != "uid=0" {
- return fmt.Errorf("cannot specify uid= mount options in rootless containers where argument isn't 0")
+ if strings.HasPrefix(opt, "uid=") {
+ var uid int
+ n, err := fmt.Sscanf(opt, "uid=%d", &uid)
+ if n != 1 || err != nil {
+ // Ignore unknown mount options.
+ continue
+ }
+ if !hasIDMapping(uid, config.UidMappings) {
+ return fmt.Errorf("cannot specify uid= mount options for unmapped uid in rootless containers")
+ }
}
- if strings.HasPrefix(opt, "gid=") && opt != "gid=0" {
- return fmt.Errorf("cannot specify gid= mount options in rootless containers where argument isn't 0")
+
+ if strings.HasPrefix(opt, "gid=") {
+ var gid int
+ n, err := fmt.Sscanf(opt, "gid=%d", &gid)
+ if n != 1 || err != nil {
+ // Ignore unknown mount options.
+ continue
+ }
+ if !hasIDMapping(gid, config.GidMappings) {
+ return fmt.Errorf("cannot specify gid= mount options for unmapped gid in rootless containers")
+ }
}
}
}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/configs/validate/validator.go b/vendor/github.com/opencontainers/runc/libcontainer/configs/validate/validator.go
index 828434544..cbbba9a03 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/configs/validate/validator.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/configs/validate/validator.go
@@ -7,6 +7,7 @@ import (
"strings"
"github.com/opencontainers/runc/libcontainer/configs"
+ "github.com/opencontainers/runc/libcontainer/intelrdt"
selinux "github.com/opencontainers/selinux/go-selinux"
)
@@ -40,6 +41,9 @@ func (v *ConfigValidator) Validate(config *configs.Config) error {
if err := v.sysctl(config); err != nil {
return err
}
+ if err := v.intelrdt(config); err != nil {
+ return err
+ }
if config.Rootless {
if err := v.rootless(config); err != nil {
return err
@@ -153,6 +157,19 @@ func (v *ConfigValidator) sysctl(config *configs.Config) error {
return nil
}
+func (v *ConfigValidator) intelrdt(config *configs.Config) error {
+ if config.IntelRdt != nil {
+ if !intelrdt.IsEnabled() {
+ return fmt.Errorf("intelRdt is specified in config, but Intel RDT feature is not supported or enabled")
+ }
+ if config.IntelRdt.L3CacheSchema == "" {
+ return fmt.Errorf("intelRdt is specified in config, but intelRdt.l3CacheSchema is empty")
+ }
+ }
+
+ return nil
+}
+
func isSymbolicLink(path string) (bool, error) {
fi, err := os.Lstat(path)
if err != nil {