summaryrefslogtreecommitdiff
path: root/vendor/github.com/opencontainers/runc
diff options
context:
space:
mode:
authorDaniel J Walsh <dwalsh@redhat.com>2020-07-08 16:05:12 -0400
committerDaniel J Walsh <dwalsh@redhat.com>2020-07-09 11:02:28 -0400
commitb020d1ad13267bd71065457f83116af39c77f7e5 (patch)
tree076e8b6dd991ee3c4a50b141dcc2e68198417597 /vendor/github.com/opencontainers/runc
parent5c6002bf9d0c5f8ea0b4231e0d24f8e7a0994b30 (diff)
downloadpodman-b020d1ad13267bd71065457f83116af39c77f7e5.tar.gz
podman-b020d1ad13267bd71065457f83116af39c77f7e5.tar.bz2
podman-b020d1ad13267bd71065457f83116af39c77f7e5.zip
Vendor in new version of Buildah
This also pulls in latest runc and containers/common Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Diffstat (limited to 'vendor/github.com/opencontainers/runc')
-rw-r--r--vendor/github.com/opencontainers/runc/libcontainer/cgroups/cgroups.go55
-rw-r--r--vendor/github.com/opencontainers/runc/libcontainer/cgroups/stats.go27
-rw-r--r--vendor/github.com/opencontainers/runc/libcontainer/cgroups/utils.go357
-rw-r--r--vendor/github.com/opencontainers/runc/libcontainer/cgroups/v1_utils.go250
-rw-r--r--vendor/github.com/opencontainers/runc/libcontainer/configs/cgroup_linux.go28
-rw-r--r--vendor/github.com/opencontainers/runc/libcontainer/configs/config.go96
-rw-r--r--vendor/github.com/opencontainers/runc/libcontainer/configs/device.go161
-rw-r--r--vendor/github.com/opencontainers/runc/libcontainer/configs/device_defaults.go111
-rw-r--r--vendor/github.com/opencontainers/runc/libcontainer/configs/device_unix.go16
-rw-r--r--vendor/github.com/opencontainers/runc/libcontainer/configs/device_windows.go5
-rw-r--r--vendor/github.com/opencontainers/runc/libcontainer/devices/devices.go36
-rw-r--r--vendor/github.com/opencontainers/runc/libcontainer/system/linux.go39
-rw-r--r--vendor/github.com/opencontainers/runc/libcontainer/system/sysconfig.go12
-rw-r--r--vendor/github.com/opencontainers/runc/libcontainer/system/sysconfig_notcgo.go15
-rw-r--r--vendor/github.com/opencontainers/runc/libcontainer/user/user.go30
15 files changed, 660 insertions, 578 deletions
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/cgroups.go b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/cgroups.go
index c0a965923..a16a68e97 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/cgroups.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/cgroups.go
@@ -3,8 +3,6 @@
package cgroups
import (
- "fmt"
-
"github.com/opencontainers/runc/libcontainer/configs"
)
@@ -27,48 +25,27 @@ type Manager interface {
// Destroys the cgroup set
Destroy() error
- // The option func SystemdCgroups() and Cgroupfs() require following attributes:
- // Paths map[string]string
- // Cgroups *configs.Cgroup
- // Paths maps cgroup subsystem to path at which it is mounted.
- // Cgroups specifies specific cgroup settings for the various subsystems
-
- // Returns cgroup paths to save in a state file and to be able to
- // restore the object later.
- GetPaths() map[string]string
-
- // GetUnifiedPath returns the unified path when running in unified mode.
- // The value corresponds to the all values of GetPaths() map.
- //
- // GetUnifiedPath returns error when running in hybrid mode as well as
- // in legacy mode.
- GetUnifiedPath() (string, error)
+ // Path returns a cgroup path to the specified controller/subsystem.
+ // For cgroupv2, the argument is unused and can be empty.
+ Path(string) string
// Sets the cgroup as configured.
Set(container *configs.Config) error
- // Gets the cgroup as configured.
- GetCgroups() (*configs.Cgroup, error)
-}
-
-type NotFoundError struct {
- Subsystem string
-}
+ // GetPaths returns cgroup path(s) to save in a state file in order to restore later.
+ //
+ // For cgroup v1, a key is cgroup subsystem name, and the value is the path
+ // to the cgroup for this subsystem.
+ //
+ // For cgroup v2 unified hierarchy, a key is "", and the value is the unified path.
+ GetPaths() map[string]string
-func (e *NotFoundError) Error() string {
- return fmt.Sprintf("mountpoint for %s not found", e.Subsystem)
-}
+ // GetCgroups returns the cgroup data as configured.
+ GetCgroups() (*configs.Cgroup, error)
-func NewNotFoundError(sub string) error {
- return &NotFoundError{
- Subsystem: sub,
- }
-}
+ // GetFreezerState retrieves the current FreezerState of the cgroup.
+ GetFreezerState() (configs.FreezerState, error)
-func IsNotFound(err error) bool {
- if err == nil {
- return false
- }
- _, ok := err.(*NotFoundError)
- return ok
+ // Whether the cgroup path exists or not
+ Exists() bool
}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/stats.go b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/stats.go
index 8eeedc55b..7ac816605 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/stats.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/stats.go
@@ -20,6 +20,12 @@ type CpuUsage struct {
// Total CPU time consumed per core.
// Units: nanoseconds.
PercpuUsage []uint64 `json:"percpu_usage,omitempty"`
+ // CPU time consumed per core in kernel mode
+ // Units: nanoseconds.
+ PercpuUsageInKernelmode []uint64 `json:"percpu_usage_in_kernelmode"`
+ // CPU time consumed per core in user mode
+ // Units: nanoseconds.
+ PercpuUsageInUsermode []uint64 `json:"percpu_usage_in_usermode"`
// Time spent by tasks of the cgroup in kernel mode.
// Units: nanoseconds.
UsageInKernelmode uint64 `json:"usage_in_kernelmode"`
@@ -51,12 +57,33 @@ type MemoryStats struct {
KernelUsage MemoryData `json:"kernel_usage,omitempty"`
// usage of kernel TCP memory
KernelTCPUsage MemoryData `json:"kernel_tcp_usage,omitempty"`
+ // usage of memory pages by NUMA node
+ // see chapter 5.6 of memory controller documentation
+ PageUsageByNUMA PageUsageByNUMA `json:"page_usage_by_numa,omitempty"`
// if true, memory usage is accounted for throughout a hierarchy of cgroups.
UseHierarchy bool `json:"use_hierarchy"`
Stats map[string]uint64 `json:"stats,omitempty"`
}
+type PageUsageByNUMA struct {
+ // Embedding is used as types can't be recursive.
+ PageUsageByNUMAInner
+ Hierarchical PageUsageByNUMAInner `json:"hierarchical,omitempty"`
+}
+
+type PageUsageByNUMAInner struct {
+ Total PageStats `json:"total,omitempty"`
+ File PageStats `json:"file,omitempty"`
+ Anon PageStats `json:"anon,omitempty"`
+ Unevictable PageStats `json:"unevictable,omitempty"`
+}
+
+type PageStats struct {
+ Total uint64 `json:"total,omitempty"`
+ Nodes map[uint8]uint64 `json:"nodes,omitempty"`
+}
+
type PidsStats struct {
// number of pids in the cgroup
Current uint64 `json:"current,omitempty"`
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/utils.go b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/utils.go
index dbcc58f5b..6e88b5dff 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/utils.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/utils.go
@@ -4,6 +4,7 @@ package cgroups
import (
"bufio"
+ "errors"
"fmt"
"io"
"io/ioutil"
@@ -12,7 +13,6 @@ import (
"strconv"
"strings"
"sync"
- "syscall"
"time"
units "github.com/docker/go-units"
@@ -20,7 +20,6 @@ import (
)
const (
- CgroupNamePrefix = "name="
CgroupProcesses = "cgroup.procs"
unifiedMountpoint = "/sys/fs/cgroup"
)
@@ -40,8 +39,8 @@ var HugePageSizeUnitList = []string{"B", "KB", "MB", "GB", "TB", "PB"}
// IsCgroup2UnifiedMode returns whether we are running in cgroup v2 unified mode.
func IsCgroup2UnifiedMode() bool {
isUnifiedOnce.Do(func() {
- var st syscall.Statfs_t
- if err := syscall.Statfs(unifiedMountpoint, &st); err != nil {
+ var st unix.Statfs_t
+ if err := unix.Statfs(unifiedMountpoint, &st); err != nil {
panic("cannot statfs cgroup root")
}
isUnified = st.Type == unix.CGROUP2_SUPER_MAGIC
@@ -49,191 +48,19 @@ func IsCgroup2UnifiedMode() bool {
return isUnified
}
-// https://www.kernel.org/doc/Documentation/cgroup-v1/cgroups.txt
-func FindCgroupMountpoint(cgroupPath, subsystem string) (string, error) {
- if IsCgroup2UnifiedMode() {
- return unifiedMountpoint, nil
- }
- mnt, _, err := FindCgroupMountpointAndRoot(cgroupPath, subsystem)
- return mnt, err
-}
-
-func FindCgroupMountpointAndRoot(cgroupPath, subsystem string) (string, string, error) {
- // We are not using mount.GetMounts() because it's super-inefficient,
- // parsing it directly sped up x10 times because of not using Sscanf.
- // It was one of two major performance drawbacks in container start.
- if !isSubsystemAvailable(subsystem) {
- return "", "", NewNotFoundError(subsystem)
- }
-
- f, err := os.Open("/proc/self/mountinfo")
- if err != nil {
- return "", "", err
- }
- defer f.Close()
-
- if IsCgroup2UnifiedMode() {
- subsystem = ""
- }
-
- return findCgroupMountpointAndRootFromReader(f, cgroupPath, subsystem)
-}
-
-func findCgroupMountpointAndRootFromReader(reader io.Reader, cgroupPath, subsystem string) (string, string, error) {
- scanner := bufio.NewScanner(reader)
- for scanner.Scan() {
- txt := scanner.Text()
- fields := strings.Fields(txt)
- if len(fields) < 9 {
- continue
- }
- if strings.HasPrefix(fields[4], cgroupPath) {
- for _, opt := range strings.Split(fields[len(fields)-1], ",") {
- if (subsystem == "" && fields[9] == "cgroup2") || opt == subsystem {
- return fields[4], fields[3], nil
- }
- }
- }
- }
- if err := scanner.Err(); err != nil {
- return "", "", err
- }
-
- return "", "", NewNotFoundError(subsystem)
-}
-
-func isSubsystemAvailable(subsystem string) bool {
- if IsCgroup2UnifiedMode() {
- controllers, err := GetAllSubsystems()
- if err != nil {
- return false
- }
- for _, c := range controllers {
- if c == subsystem {
- return true
- }
- }
- return false
- }
-
- cgroups, err := ParseCgroupFile("/proc/self/cgroup")
- if err != nil {
- return false
- }
- _, avail := cgroups[subsystem]
- return avail
-}
-
-func GetClosestMountpointAncestor(dir, mountinfo string) string {
- deepestMountPoint := ""
- for _, mountInfoEntry := range strings.Split(mountinfo, "\n") {
- mountInfoParts := strings.Fields(mountInfoEntry)
- if len(mountInfoParts) < 5 {
- continue
- }
- mountPoint := mountInfoParts[4]
- if strings.HasPrefix(mountPoint, deepestMountPoint) && strings.HasPrefix(dir, mountPoint) {
- deepestMountPoint = mountPoint
- }
- }
- return deepestMountPoint
-}
-
-func FindCgroupMountpointDir() (string, error) {
- f, err := os.Open("/proc/self/mountinfo")
- if err != nil {
- return "", err
- }
- defer f.Close()
-
- scanner := bufio.NewScanner(f)
- for scanner.Scan() {
- text := scanner.Text()
- fields := strings.Split(text, " ")
- // Safe as mountinfo encodes mountpoints with spaces as \040.
- index := strings.Index(text, " - ")
- postSeparatorFields := strings.Fields(text[index+3:])
- numPostFields := len(postSeparatorFields)
-
- // This is an error as we can't detect if the mount is for "cgroup"
- if numPostFields == 0 {
- return "", fmt.Errorf("Found no fields post '-' in %q", text)
- }
-
- if postSeparatorFields[0] == "cgroup" || postSeparatorFields[0] == "cgroup2" {
- // Check that the mount is properly formatted.
- if numPostFields < 3 {
- return "", fmt.Errorf("Error found less than 3 fields post '-' in %q", text)
- }
-
- return filepath.Dir(fields[4]), nil
- }
- }
- if err := scanner.Err(); err != nil {
- return "", err
- }
-
- return "", NewNotFoundError("cgroup")
-}
-
type Mount struct {
Mountpoint string
Root string
Subsystems []string
}
-func (m Mount) GetOwnCgroup(cgroups map[string]string) (string, error) {
- if len(m.Subsystems) == 0 {
- return "", fmt.Errorf("no subsystem for mount")
- }
-
- return getControllerPath(m.Subsystems[0], cgroups)
-}
-
-func getCgroupMountsHelper(ss map[string]bool, mi io.Reader, all bool) ([]Mount, error) {
- res := make([]Mount, 0, len(ss))
- scanner := bufio.NewScanner(mi)
- numFound := 0
- for scanner.Scan() && numFound < len(ss) {
- txt := scanner.Text()
- sepIdx := strings.Index(txt, " - ")
- if sepIdx == -1 {
- return nil, fmt.Errorf("invalid mountinfo format")
- }
- if txt[sepIdx+3:sepIdx+10] == "cgroup2" || txt[sepIdx+3:sepIdx+9] != "cgroup" {
- continue
- }
- fields := strings.Split(txt, " ")
- m := Mount{
- Mountpoint: fields[4],
- Root: fields[3],
- }
- for _, opt := range strings.Split(fields[len(fields)-1], ",") {
- seen, known := ss[opt]
- if !known || (!all && seen) {
- continue
- }
- ss[opt] = true
- if strings.HasPrefix(opt, CgroupNamePrefix) {
- opt = opt[len(CgroupNamePrefix):]
- }
- m.Subsystems = append(m.Subsystems, opt)
- numFound++
- }
- if len(m.Subsystems) > 0 || all {
- res = append(res, m)
- }
- }
- if err := scanner.Err(); err != nil {
- return nil, err
- }
- return res, nil
-}
-
// GetCgroupMounts returns the mounts for the cgroup subsystems.
// all indicates whether to return just the first instance or all the mounts.
+// This function should not be used from cgroupv2 code, as in this case
+// all the controllers are available under the constant unifiedMountpoint.
func GetCgroupMounts(all bool) ([]Mount, error) {
if IsCgroup2UnifiedMode() {
+ // TODO: remove cgroupv2 case once all external users are converted
availableControllers, err := GetAllSubsystems()
if err != nil {
return nil, err
@@ -246,22 +73,7 @@ func GetCgroupMounts(all bool) ([]Mount, error) {
return []Mount{m}, nil
}
- f, err := os.Open("/proc/self/mountinfo")
- if err != nil {
- return nil, err
- }
- defer f.Close()
-
- allSubsystems, err := ParseCgroupFile("/proc/self/cgroup")
- if err != nil {
- return nil, err
- }
-
- allMap := make(map[string]bool)
- for s := range allSubsystems {
- allMap[s] = false
- }
- return getCgroupMountsHelper(allMap, f, all)
+ return getCgroupMountsV1(all)
}
// GetAllSubsystems returns all the cgroup subsystems supported by the kernel
@@ -305,61 +117,8 @@ func GetAllSubsystems() ([]string, error) {
return subsystems, nil
}
-// GetOwnCgroup returns the relative path to the cgroup docker is running in.
-func GetOwnCgroup(subsystem string) (string, error) {
- cgroups, err := ParseCgroupFile("/proc/self/cgroup")
- if err != nil {
- return "", err
- }
-
- return getControllerPath(subsystem, cgroups)
-}
-
-func GetOwnCgroupPath(subsystem string) (string, error) {
- cgroup, err := GetOwnCgroup(subsystem)
- if err != nil {
- return "", err
- }
-
- return getCgroupPathHelper(subsystem, cgroup)
-}
-
-func GetInitCgroup(subsystem string) (string, error) {
- cgroups, err := ParseCgroupFile("/proc/1/cgroup")
- if err != nil {
- return "", err
- }
-
- return getControllerPath(subsystem, cgroups)
-}
-
-func GetInitCgroupPath(subsystem string) (string, error) {
- cgroup, err := GetInitCgroup(subsystem)
- if err != nil {
- return "", err
- }
-
- return getCgroupPathHelper(subsystem, cgroup)
-}
-
-func getCgroupPathHelper(subsystem, cgroup string) (string, error) {
- mnt, root, err := FindCgroupMountpointAndRoot("", subsystem)
- if err != nil {
- return "", err
- }
-
- // This is needed for nested containers, because in /proc/self/cgroup we
- // see paths from host, which don't exist in container.
- relCgroup, err := filepath.Rel(root, cgroup)
- if err != nil {
- return "", err
- }
-
- return filepath.Join(mnt, relCgroup), nil
-}
-
-func readProcsFile(dir string) ([]int, error) {
- f, err := os.Open(filepath.Join(dir, CgroupProcesses))
+func readProcsFile(file string) ([]int, error) {
+ f, err := os.Open(file)
if err != nil {
return nil, err
}
@@ -379,11 +138,18 @@ func readProcsFile(dir string) ([]int, error) {
out = append(out, pid)
}
}
- return out, nil
+ return out, s.Err()
}
-// ParseCgroupFile parses the given cgroup file, typically from
-// /proc/<pid>/cgroup, into a map of subgroups to cgroup names.
+// ParseCgroupFile parses the given cgroup file, typically /proc/self/cgroup
+// or /proc/<pid>/cgroup, into a map of subsystems to cgroup paths, e.g.
+// "cpu": "/user.slice/user-1000.slice"
+// "pids": "/user.slice/user-1000.slice"
+// etc.
+//
+// Note that for cgroup v2 unified hierarchy, there are no per-controller
+// cgroup paths, so the resulting map will have a single element where the key
+// is empty string ("") and the value is the cgroup path the <pid> is in.
func ParseCgroupFile(path string) (map[string]string, error) {
f, err := os.Open(path)
if err != nil {
@@ -423,22 +189,6 @@ func parseCgroupFromReader(r io.Reader) (map[string]string, error) {
return cgroups, nil
}
-func getControllerPath(subsystem string, cgroups map[string]string) (string, error) {
- if IsCgroup2UnifiedMode() {
- return "/", nil
- }
-
- if p, ok := cgroups[subsystem]; ok {
- return p, nil
- }
-
- if p, ok := cgroups[CgroupNamePrefix+subsystem]; ok {
- return p, nil
- }
-
- return "", NewNotFoundError(subsystem)
-}
-
func PathExists(path string) bool {
if _, err := os.Stat(path); err != nil {
return false
@@ -514,8 +264,8 @@ func getHugePageSizeFromFilenames(fileNames []string) ([]string, error) {
}
// GetPids returns all pids, that were added to cgroup at path.
-func GetPids(path string) ([]int, error) {
- return readProcsFile(path)
+func GetPids(dir string) ([]int, error) {
+ return readProcsFile(filepath.Join(dir, CgroupProcesses))
}
// GetAllPids returns all pids, that were added to cgroup at path and to all its
@@ -524,14 +274,13 @@ func GetAllPids(path string) ([]int, error) {
var pids []int
// collect pids from all sub-cgroups
err := filepath.Walk(path, func(p string, info os.FileInfo, iErr error) error {
- dir, file := filepath.Split(p)
- if file != CgroupProcesses {
- return nil
- }
if iErr != nil {
return iErr
}
- cPids, err := readProcsFile(dir)
+ if info.IsDir() || info.Name() != CgroupProcesses {
+ return nil
+ }
+ cPids, err := readProcsFile(p)
if err != nil {
return err
}
@@ -568,7 +317,7 @@ func WriteCgroupProc(dir string, pid int) error {
// EINVAL might mean that the task being added to cgroup.procs is in state
// TASK_NEW. We should attempt to do so again.
- if isEINVAL(err) {
+ if errors.Is(err, unix.EINVAL) {
time.Sleep(30 * time.Millisecond)
continue
}
@@ -578,11 +327,53 @@ func WriteCgroupProc(dir string, pid int) error {
return err
}
-func isEINVAL(err error) bool {
- switch err := err.(type) {
- case *os.PathError:
- return err.Err == unix.EINVAL
- default:
- return false
+// Since the OCI spec is designed for cgroup v1, in some cases
+// there is need to convert from the cgroup v1 configuration to cgroup v2
+// the formula for BlkIOWeight is y = (1 + (x - 10) * 9999 / 990)
+// convert linearly from [10-1000] to [1-10000]
+func ConvertBlkIOToCgroupV2Value(blkIoWeight uint16) uint64 {
+ if blkIoWeight == 0 {
+ return 0
+ }
+ return uint64(1 + (uint64(blkIoWeight)-10)*9999/990)
+}
+
+// Since the OCI spec is designed for cgroup v1, in some cases
+// there is need to convert from the cgroup v1 configuration to cgroup v2
+// the formula for cpuShares is y = (1 + ((x - 2) * 9999) / 262142)
+// convert from [2-262144] to [1-10000]
+// 262144 comes from Linux kernel definition "#define MAX_SHARES (1UL << 18)"
+func ConvertCPUSharesToCgroupV2Value(cpuShares uint64) uint64 {
+ if cpuShares == 0 {
+ return 0
}
+ return (1 + ((cpuShares-2)*9999)/262142)
+}
+
+// ConvertMemorySwapToCgroupV2Value converts MemorySwap value from OCI spec
+// for use by cgroup v2 drivers. A conversion is needed since Resources.MemorySwap
+// is defined as memory+swap combined, while in cgroup v2 swap is a separate value.
+func ConvertMemorySwapToCgroupV2Value(memorySwap, memory int64) (int64, error) {
+ // for compatibility with cgroup1 controller, set swap to unlimited in
+ // case the memory is set to unlimited, and swap is not explicitly set,
+ // treating the request as "set both memory and swap to unlimited".
+ if memory == -1 && memorySwap == 0 {
+ return -1, nil
+ }
+ if memorySwap == -1 || memorySwap == 0 {
+ // -1 is "max", 0 is "unset", so treat as is
+ return memorySwap, nil
+ }
+ // sanity checks
+ if memory == 0 || memory == -1 {
+ return 0, errors.New("unable to set swap limit without memory limit")
+ }
+ if memory < 0 {
+ return 0, fmt.Errorf("invalid memory value: %d", memory)
+ }
+ if memorySwap < memory {
+ return 0, errors.New("memory+swap limit should be >= memory limit")
+ }
+
+ return memorySwap - memory, nil
}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/v1_utils.go b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/v1_utils.go
new file mode 100644
index 000000000..f8487b0a9
--- /dev/null
+++ b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/v1_utils.go
@@ -0,0 +1,250 @@
+package cgroups
+
+import (
+ "bufio"
+ "errors"
+ "fmt"
+ "io"
+ "os"
+ "path/filepath"
+ "strings"
+)
+
+// Code in this source file are specific to cgroup v1,
+// and must not be used from any cgroup v2 code.
+
+const (
+ CgroupNamePrefix = "name="
+)
+
+var (
+ errUnified = errors.New("not implemented for cgroup v2 unified hierarchy")
+)
+
+type NotFoundError struct {
+ Subsystem string
+}
+
+func (e *NotFoundError) Error() string {
+ return fmt.Sprintf("mountpoint for %s not found", e.Subsystem)
+}
+
+func NewNotFoundError(sub string) error {
+ return &NotFoundError{
+ Subsystem: sub,
+ }
+}
+
+func IsNotFound(err error) bool {
+ if err == nil {
+ return false
+ }
+ _, ok := err.(*NotFoundError)
+ return ok
+}
+
+// https://www.kernel.org/doc/Documentation/cgroup-v1/cgroups.txt
+func FindCgroupMountpoint(cgroupPath, subsystem string) (string, error) {
+ if IsCgroup2UnifiedMode() {
+ return "", errUnified
+ }
+ mnt, _, err := FindCgroupMountpointAndRoot(cgroupPath, subsystem)
+ return mnt, err
+}
+
+func FindCgroupMountpointAndRoot(cgroupPath, subsystem string) (string, string, error) {
+ if IsCgroup2UnifiedMode() {
+ return "", "", errUnified
+ }
+
+ // We are not using mount.GetMounts() because it's super-inefficient,
+ // parsing it directly sped up x10 times because of not using Sscanf.
+ // It was one of two major performance drawbacks in container start.
+ if !isSubsystemAvailable(subsystem) {
+ return "", "", NewNotFoundError(subsystem)
+ }
+
+ f, err := os.Open("/proc/self/mountinfo")
+ if err != nil {
+ return "", "", err
+ }
+ defer f.Close()
+
+ return findCgroupMountpointAndRootFromReader(f, cgroupPath, subsystem)
+}
+
+func findCgroupMountpointAndRootFromReader(reader io.Reader, cgroupPath, subsystem string) (string, string, error) {
+ scanner := bufio.NewScanner(reader)
+ for scanner.Scan() {
+ txt := scanner.Text()
+ fields := strings.Fields(txt)
+ if len(fields) < 9 {
+ continue
+ }
+ if strings.HasPrefix(fields[4], cgroupPath) {
+ for _, opt := range strings.Split(fields[len(fields)-1], ",") {
+ if opt == subsystem {
+ return fields[4], fields[3], nil
+ }
+ }
+ }
+ }
+ if err := scanner.Err(); err != nil {
+ return "", "", err
+ }
+
+ return "", "", NewNotFoundError(subsystem)
+}
+
+func isSubsystemAvailable(subsystem string) bool {
+ if IsCgroup2UnifiedMode() {
+ panic("don't call isSubsystemAvailable from cgroupv2 code")
+ }
+
+ cgroups, err := ParseCgroupFile("/proc/self/cgroup")
+ if err != nil {
+ return false
+ }
+ _, avail := cgroups[subsystem]
+ return avail
+}
+
+func (m Mount) GetOwnCgroup(cgroups map[string]string) (string, error) {
+ if len(m.Subsystems) == 0 {
+ return "", fmt.Errorf("no subsystem for mount")
+ }
+
+ return getControllerPath(m.Subsystems[0], cgroups)
+}
+
+func getCgroupMountsHelper(ss map[string]bool, mi io.Reader, all bool) ([]Mount, error) {
+ res := make([]Mount, 0, len(ss))
+ scanner := bufio.NewScanner(mi)
+ numFound := 0
+ for scanner.Scan() && numFound < len(ss) {
+ txt := scanner.Text()
+ sepIdx := strings.Index(txt, " - ")
+ if sepIdx == -1 {
+ return nil, fmt.Errorf("invalid mountinfo format")
+ }
+ if txt[sepIdx+3:sepIdx+10] == "cgroup2" || txt[sepIdx+3:sepIdx+9] != "cgroup" {
+ continue
+ }
+ fields := strings.Split(txt, " ")
+ m := Mount{
+ Mountpoint: fields[4],
+ Root: fields[3],
+ }
+ for _, opt := range strings.Split(fields[len(fields)-1], ",") {
+ seen, known := ss[opt]
+ if !known || (!all && seen) {
+ continue
+ }
+ ss[opt] = true
+ opt = strings.TrimPrefix(opt, CgroupNamePrefix)
+ m.Subsystems = append(m.Subsystems, opt)
+ numFound++
+ }
+ if len(m.Subsystems) > 0 || all {
+ res = append(res, m)
+ }
+ }
+ if err := scanner.Err(); err != nil {
+ return nil, err
+ }
+ return res, nil
+}
+
+func getCgroupMountsV1(all bool) ([]Mount, error) {
+ f, err := os.Open("/proc/self/mountinfo")
+ if err != nil {
+ return nil, err
+ }
+ defer f.Close()
+
+ allSubsystems, err := ParseCgroupFile("/proc/self/cgroup")
+ if err != nil {
+ return nil, err
+ }
+
+ allMap := make(map[string]bool)
+ for s := range allSubsystems {
+ allMap[s] = false
+ }
+ return getCgroupMountsHelper(allMap, f, all)
+}
+
+// GetOwnCgroup returns the relative path to the cgroup docker is running in.
+func GetOwnCgroup(subsystem string) (string, error) {
+ if IsCgroup2UnifiedMode() {
+ return "", errUnified
+ }
+ cgroups, err := ParseCgroupFile("/proc/self/cgroup")
+ if err != nil {
+ return "", err
+ }
+
+ return getControllerPath(subsystem, cgroups)
+}
+
+func GetOwnCgroupPath(subsystem string) (string, error) {
+ cgroup, err := GetOwnCgroup(subsystem)
+ if err != nil {
+ return "", err
+ }
+
+ return getCgroupPathHelper(subsystem, cgroup)
+}
+
+func GetInitCgroup(subsystem string) (string, error) {
+ if IsCgroup2UnifiedMode() {
+ return "", errUnified
+ }
+ cgroups, err := ParseCgroupFile("/proc/1/cgroup")
+ if err != nil {
+ return "", err
+ }
+
+ return getControllerPath(subsystem, cgroups)
+}
+
+func GetInitCgroupPath(subsystem string) (string, error) {
+ cgroup, err := GetInitCgroup(subsystem)
+ if err != nil {
+ return "", err
+ }
+
+ return getCgroupPathHelper(subsystem, cgroup)
+}
+
+func getCgroupPathHelper(subsystem, cgroup string) (string, error) {
+ mnt, root, err := FindCgroupMountpointAndRoot("", subsystem)
+ if err != nil {
+ return "", err
+ }
+
+ // This is needed for nested containers, because in /proc/self/cgroup we
+ // see paths from host, which don't exist in container.
+ relCgroup, err := filepath.Rel(root, cgroup)
+ if err != nil {
+ return "", err
+ }
+
+ return filepath.Join(mnt, relCgroup), nil
+}
+
+func getControllerPath(subsystem string, cgroups map[string]string) (string, error) {
+ if IsCgroup2UnifiedMode() {
+ return "", errUnified
+ }
+
+ if p, ok := cgroups[subsystem]; ok {
+ return p, nil
+ }
+
+ if p, ok := cgroups[CgroupNamePrefix+subsystem]; ok {
+ return p, nil
+ }
+
+ return "", NewNotFoundError(subsystem)
+}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/configs/cgroup_linux.go b/vendor/github.com/opencontainers/runc/libcontainer/configs/cgroup_linux.go
index 58ed19c9e..6e90ae16b 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/configs/cgroup_linux.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/configs/cgroup_linux.go
@@ -1,5 +1,9 @@
package configs
+import (
+ systemdDbus "github.com/coreos/go-systemd/v22/dbus"
+)
+
type FreezerState string
const (
@@ -29,18 +33,16 @@ type Cgroup struct {
// Resources contains various cgroups settings to apply
*Resources
+
+ // SystemdProps are any additional properties for systemd,
+ // derived from org.systemd.property.xxx annotations.
+ // Ignored unless systemd is used for managing cgroups.
+ SystemdProps []systemdDbus.Property `json:"-"`
}
type Resources struct {
- // If this is true allow access to any kind of device within the container. If false, allow access only to devices explicitly listed in the allowed_devices list.
- // Deprecated
- AllowAllDevices *bool `json:"allow_all_devices,omitempty"`
- // Deprecated
- AllowedDevices []*Device `json:"allowed_devices,omitempty"`
- // Deprecated
- DeniedDevices []*Device `json:"denied_devices,omitempty"`
-
- Devices []*Device `json:"devices"`
+ // Devices is the set of access rules for devices in the container.
+ Devices []*DeviceRule `json:"devices"`
// Memory limit (in bytes)
Memory int64 `json:"memory"`
@@ -125,6 +127,10 @@ type Resources struct {
// CpuWeight sets a proportional bandwidth limit.
CpuWeight uint64 `json:"cpu_weight"`
- // CpuMax sets she maximum bandwidth limit (format: max period).
- CpuMax string `json:"cpu_max"`
+ // SkipDevices allows to skip configuring device permissions.
+ // Used by e.g. kubelet while creating a parent cgroup (kubepods)
+ // common for many containers.
+ //
+ // NOTE it is impossible to start a container which has this flag set.
+ SkipDevices bool `json:"skip_devices"`
}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/configs/config.go b/vendor/github.com/opencontainers/runc/libcontainer/configs/config.go
index 24989e9f5..ac523b417 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/configs/config.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/configs/config.go
@@ -8,7 +8,7 @@ import (
"time"
"github.com/opencontainers/runtime-spec/specs-go"
-
+ "github.com/pkg/errors"
"github.com/sirupsen/logrus"
)
@@ -70,9 +70,10 @@ type Arg struct {
// Syscall is a rule to match a syscall in Seccomp
type Syscall struct {
- Name string `json:"name"`
- Action Action `json:"action"`
- Args []*Arg `json:"args"`
+ Name string `json:"name"`
+ Action Action `json:"action"`
+ ErrnoRet *uint `json:"errnoRet"`
+ Args []*Arg `json:"args"`
}
// TODO Windows. Many of these fields should be factored out into those parts
@@ -175,7 +176,7 @@ type Config struct {
// Hooks are a collection of actions to perform at various container lifecycle events.
// CommandHooks are serialized to JSON, but other hooks are not.
- Hooks *Hooks
+ Hooks Hooks
// Version is the version of opencontainer specification that is supported.
Version string `json:"version"`
@@ -202,17 +203,50 @@ type Config struct {
RootlessCgroups bool `json:"rootless_cgroups,omitempty"`
}
-type Hooks struct {
+type HookName string
+type HookList []Hook
+type Hooks map[HookName]HookList
+
+const (
// Prestart commands are executed after the container namespaces are created,
// but before the user supplied command is executed from init.
- Prestart []Hook
+ // Note: This hook is now deprecated
+ // Prestart commands are called in the Runtime namespace.
+ Prestart HookName = "prestart"
+
+ // CreateRuntime commands MUST be called as part of the create operation after
+ // the runtime environment has been created but before the pivot_root has been executed.
+ // CreateRuntime is called immediately after the deprecated Prestart hook.
+ // CreateRuntime commands are called in the Runtime Namespace.
+ CreateRuntime = "createRuntime"
+
+ // CreateContainer commands MUST be called as part of the create operation after
+ // the runtime environment has been created but before the pivot_root has been executed.
+ // CreateContainer commands are called in the Container namespace.
+ CreateContainer = "createContainer"
+
+ // StartContainer commands MUST be called as part of the start operation and before
+ // the container process is started.
+ // StartContainer commands are called in the Container namespace.
+ StartContainer = "startContainer"
// Poststart commands are executed after the container init process starts.
- Poststart []Hook
+ // Poststart commands are called in the Runtime Namespace.
+ Poststart = "poststart"
// Poststop commands are executed after the container init process exits.
- Poststop []Hook
-}
+ // Poststop commands are called in the Runtime Namespace.
+ Poststop = "poststop"
+)
+
+// TODO move this to runtime-spec
+// See: https://github.com/opencontainers/runtime-spec/pull/1046
+const (
+ Creating = "creating"
+ Created = "created"
+ Running = "running"
+ Stopped = "stopped"
+)
type Capabilities struct {
// Bounding is the set of capabilities checked by the kernel.
@@ -227,32 +261,39 @@ type Capabilities struct {
Ambient []string
}
-func (hooks *Hooks) UnmarshalJSON(b []byte) error {
- var state struct {
- Prestart []CommandHook
- Poststart []CommandHook
- Poststop []CommandHook
+func (hooks HookList) RunHooks(state *specs.State) error {
+ for i, h := range hooks {
+ if err := h.Run(state); err != nil {
+ return errors.Wrapf(err, "Running hook #%d:", i)
+ }
}
+ return nil
+}
+
+func (hooks *Hooks) UnmarshalJSON(b []byte) error {
+ var state map[HookName][]CommandHook
+
if err := json.Unmarshal(b, &state); err != nil {
return err
}
- deserialize := func(shooks []CommandHook) (hooks []Hook) {
- for _, shook := range shooks {
- hooks = append(hooks, shook)
+ *hooks = Hooks{}
+ for n, commandHooks := range state {
+ if len(commandHooks) == 0 {
+ continue
}
- return hooks
+ (*hooks)[n] = HookList{}
+ for _, h := range commandHooks {
+ (*hooks)[n] = append((*hooks)[n], h)
+ }
}
- hooks.Prestart = deserialize(state.Prestart)
- hooks.Poststart = deserialize(state.Poststart)
- hooks.Poststop = deserialize(state.Poststop)
return nil
}
-func (hooks Hooks) MarshalJSON() ([]byte, error) {
+func (hooks *Hooks) MarshalJSON() ([]byte, error) {
serialize := func(hooks []Hook) (serializableHooks []CommandHook) {
for _, hook := range hooks {
switch chook := hook.(type) {
@@ -267,9 +308,12 @@ func (hooks Hooks) MarshalJSON() ([]byte, error) {
}
return json.Marshal(map[string]interface{}{
- "prestart": serialize(hooks.Prestart),
- "poststart": serialize(hooks.Poststart),
- "poststop": serialize(hooks.Poststop),
+ "prestart": serialize((*hooks)[Prestart]),
+ "createRuntime": serialize((*hooks)[CreateRuntime]),
+ "createContainer": serialize((*hooks)[CreateContainer]),
+ "startContainer": serialize((*hooks)[StartContainer]),
+ "poststart": serialize((*hooks)[Poststart]),
+ "poststop": serialize((*hooks)[Poststop]),
})
}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/configs/device.go b/vendor/github.com/opencontainers/runc/libcontainer/configs/device.go
index 8701bb212..632bf6ac4 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/configs/device.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/configs/device.go
@@ -3,30 +3,19 @@ package configs
import (
"fmt"
"os"
+ "strconv"
)
const (
Wildcard = -1
)
-// TODO Windows: This can be factored out in the future
-
type Device struct {
- // Device type, block, char, etc.
- Type rune `json:"type"`
+ DeviceRule
// Path to the device.
Path string `json:"path"`
- // Major is the device's major number.
- Major int64 `json:"major"`
-
- // Minor is the device's minor number.
- Minor int64 `json:"minor"`
-
- // Cgroup permissions format, rwm.
- Permissions string `json:"permissions"`
-
// FileMode permission bits for the device.
FileMode os.FileMode `json:"file_mode"`
@@ -35,23 +24,147 @@ type Device struct {
// Gid of the device.
Gid uint32 `json:"gid"`
+}
- // Write the file to the allowed list
- Allow bool `json:"allow"`
+// DevicePermissions is a cgroupv1-style string to represent device access. It
+// has to be a string for backward compatibility reasons, hence why it has
+// methods to do set operations.
+type DevicePermissions string
+
+const (
+ deviceRead uint = (1 << iota)
+ deviceWrite
+ deviceMknod
+)
+
+func (p DevicePermissions) toSet() uint {
+ var set uint
+ for _, perm := range p {
+ switch perm {
+ case 'r':
+ set |= deviceRead
+ case 'w':
+ set |= deviceWrite
+ case 'm':
+ set |= deviceMknod
+ }
+ }
+ return set
+}
+
+func fromSet(set uint) DevicePermissions {
+ var perm string
+ if set&deviceRead == deviceRead {
+ perm += "r"
+ }
+ if set&deviceWrite == deviceWrite {
+ perm += "w"
+ }
+ if set&deviceMknod == deviceMknod {
+ perm += "m"
+ }
+ return DevicePermissions(perm)
+}
+
+// Union returns the union of the two sets of DevicePermissions.
+func (p DevicePermissions) Union(o DevicePermissions) DevicePermissions {
+ lhs := p.toSet()
+ rhs := o.toSet()
+ return fromSet(lhs | rhs)
+}
+
+// Difference returns the set difference of the two sets of DevicePermissions.
+// In set notation, A.Difference(B) gives you A\B.
+func (p DevicePermissions) Difference(o DevicePermissions) DevicePermissions {
+ lhs := p.toSet()
+ rhs := o.toSet()
+ return fromSet(lhs &^ rhs)
+}
+
+// Intersection computes the intersection of the two sets of DevicePermissions.
+func (p DevicePermissions) Intersection(o DevicePermissions) DevicePermissions {
+ lhs := p.toSet()
+ rhs := o.toSet()
+ return fromSet(lhs & rhs)
}
-func (d *Device) CgroupString() string {
- return fmt.Sprintf("%c %s:%s %s", d.Type, deviceNumberString(d.Major), deviceNumberString(d.Minor), d.Permissions)
+// IsEmpty returns whether the set of permissions in a DevicePermissions is
+// empty.
+func (p DevicePermissions) IsEmpty() bool {
+ return p == DevicePermissions("")
}
-func (d *Device) Mkdev() int {
- return int((d.Major << 8) | (d.Minor & 0xff) | ((d.Minor & 0xfff00) << 12))
+// IsValid returns whether the set of permissions is a subset of valid
+// permissions (namely, {r,w,m}).
+func (p DevicePermissions) IsValid() bool {
+ return p == fromSet(p.toSet())
}
-// deviceNumberString converts the device number to a string return result.
-func deviceNumberString(number int64) string {
- if number == Wildcard {
- return "*"
+type DeviceType rune
+
+const (
+ WildcardDevice DeviceType = 'a'
+ BlockDevice DeviceType = 'b'
+ CharDevice DeviceType = 'c' // or 'u'
+ FifoDevice DeviceType = 'p'
+)
+
+func (t DeviceType) IsValid() bool {
+ switch t {
+ case WildcardDevice, BlockDevice, CharDevice, FifoDevice:
+ return true
+ default:
+ return false
+ }
+}
+
+func (t DeviceType) CanMknod() bool {
+ switch t {
+ case BlockDevice, CharDevice, FifoDevice:
+ return true
+ default:
+ return false
+ }
+}
+
+func (t DeviceType) CanCgroup() bool {
+ switch t {
+ case WildcardDevice, BlockDevice, CharDevice:
+ return true
+ default:
+ return false
+ }
+}
+
+type DeviceRule struct {
+ // Type of device ('c' for char, 'b' for block). If set to 'a', this rule
+ // acts as a wildcard and all fields other than Allow are ignored.
+ Type DeviceType `json:"type"`
+
+ // Major is the device's major number.
+ Major int64 `json:"major"`
+
+ // Minor is the device's minor number.
+ Minor int64 `json:"minor"`
+
+ // Permissions is the set of permissions that this rule applies to (in the
+ // cgroupv1 format -- any combination of "rwm").
+ Permissions DevicePermissions `json:"permissions"`
+
+ // Allow specifies whether this rule is allowed.
+ Allow bool `json:"allow"`
+}
+
+func (d *DeviceRule) CgroupString() string {
+ var (
+ major = strconv.FormatInt(d.Major, 10)
+ minor = strconv.FormatInt(d.Minor, 10)
+ )
+ if d.Major == Wildcard {
+ major = "*"
+ }
+ if d.Minor == Wildcard {
+ minor = "*"
}
- return fmt.Sprint(number)
+ return fmt.Sprintf("%c %s:%s %s", d.Type, major, minor, d.Permissions)
}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/configs/device_defaults.go b/vendor/github.com/opencontainers/runc/libcontainer/configs/device_defaults.go
deleted file mode 100644
index e4f423c52..000000000
--- a/vendor/github.com/opencontainers/runc/libcontainer/configs/device_defaults.go
+++ /dev/null
@@ -1,111 +0,0 @@
-// +build linux
-
-package configs
-
-var (
- // DefaultSimpleDevices are devices that are to be both allowed and created.
- DefaultSimpleDevices = []*Device{
- // /dev/null and zero
- {
- Path: "/dev/null",
- Type: 'c',
- Major: 1,
- Minor: 3,
- Permissions: "rwm",
- FileMode: 0666,
- },
- {
- Path: "/dev/zero",
- Type: 'c',
- Major: 1,
- Minor: 5,
- Permissions: "rwm",
- FileMode: 0666,
- },
-
- {
- Path: "/dev/full",
- Type: 'c',
- Major: 1,
- Minor: 7,
- Permissions: "rwm",
- FileMode: 0666,
- },
-
- // consoles and ttys
- {
- Path: "/dev/tty",
- Type: 'c',
- Major: 5,
- Minor: 0,
- Permissions: "rwm",
- FileMode: 0666,
- },
-
- // /dev/urandom,/dev/random
- {
- Path: "/dev/urandom",
- Type: 'c',
- Major: 1,
- Minor: 9,
- Permissions: "rwm",
- FileMode: 0666,
- },
- {
- Path: "/dev/random",
- Type: 'c',
- Major: 1,
- Minor: 8,
- Permissions: "rwm",
- FileMode: 0666,
- },
- }
- DefaultAllowedDevices = append([]*Device{
- // allow mknod for any device
- {
- Type: 'c',
- Major: Wildcard,
- Minor: Wildcard,
- Permissions: "m",
- },
- {
- Type: 'b',
- Major: Wildcard,
- Minor: Wildcard,
- Permissions: "m",
- },
-
- {
- Path: "/dev/console",
- Type: 'c',
- Major: 5,
- Minor: 1,
- Permissions: "rwm",
- },
- // /dev/pts/ - pts namespaces are "coming soon"
- {
- Path: "",
- Type: 'c',
- Major: 136,
- Minor: Wildcard,
- Permissions: "rwm",
- },
- {
- Path: "",
- Type: 'c',
- Major: 5,
- Minor: 2,
- Permissions: "rwm",
- },
-
- // tuntap
- {
- Path: "",
- Type: 'c',
- Major: 10,
- Minor: 200,
- Permissions: "rwm",
- },
- }, DefaultSimpleDevices...)
- DefaultAutoCreatedDevices = append([]*Device{}, DefaultSimpleDevices...)
-)
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/configs/device_unix.go b/vendor/github.com/opencontainers/runc/libcontainer/configs/device_unix.go
new file mode 100644
index 000000000..650c46848
--- /dev/null
+++ b/vendor/github.com/opencontainers/runc/libcontainer/configs/device_unix.go
@@ -0,0 +1,16 @@
+// +build !windows
+
+package configs
+
+import (
+ "errors"
+
+ "golang.org/x/sys/unix"
+)
+
+func (d *DeviceRule) Mkdev() (uint64, error) {
+ if d.Major == Wildcard || d.Minor == Wildcard {
+ return 0, errors.New("cannot mkdev() device with wildcards")
+ }
+ return unix.Mkdev(uint32(d.Major), uint32(d.Minor)), nil
+}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/configs/device_windows.go b/vendor/github.com/opencontainers/runc/libcontainer/configs/device_windows.go
new file mode 100644
index 000000000..729289393
--- /dev/null
+++ b/vendor/github.com/opencontainers/runc/libcontainer/configs/device_windows.go
@@ -0,0 +1,5 @@
+package configs
+
+func (d *DeviceRule) Mkdev() (uint64, error) {
+ return 0, nil
+}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/devices/devices.go b/vendor/github.com/opencontainers/runc/libcontainer/devices/devices.go
index 5dabe06ce..702f913ec 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/devices/devices.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/devices/devices.go
@@ -31,33 +31,33 @@ func DeviceFromPath(path, permissions string) (*configs.Device, error) {
}
var (
+ devType configs.DeviceType
+ mode = stat.Mode
devNumber = uint64(stat.Rdev)
major = unix.Major(devNumber)
minor = unix.Minor(devNumber)
)
- if major == 0 {
- return nil, ErrNotADevice
- }
-
- var (
- devType rune
- mode = stat.Mode
- )
switch {
case mode&unix.S_IFBLK == unix.S_IFBLK:
- devType = 'b'
+ devType = configs.BlockDevice
case mode&unix.S_IFCHR == unix.S_IFCHR:
- devType = 'c'
+ devType = configs.CharDevice
+ case mode&unix.S_IFIFO == unix.S_IFIFO:
+ devType = configs.FifoDevice
+ default:
+ return nil, ErrNotADevice
}
return &configs.Device{
- Type: devType,
- Path: path,
- Major: int64(major),
- Minor: int64(minor),
- Permissions: permissions,
- FileMode: os.FileMode(mode),
- Uid: stat.Uid,
- Gid: stat.Gid,
+ DeviceRule: configs.DeviceRule{
+ Type: devType,
+ Major: int64(major),
+ Minor: int64(minor),
+ Permissions: configs.DevicePermissions(permissions),
+ },
+ Path: path,
+ FileMode: os.FileMode(mode),
+ Uid: stat.Uid,
+ Gid: stat.Gid,
}, nil
}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/system/linux.go b/vendor/github.com/opencontainers/runc/libcontainer/system/linux.go
index a4ae8901a..49471960b 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/system/linux.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/system/linux.go
@@ -5,26 +5,13 @@ package system
import (
"os"
"os/exec"
- "syscall" // only for exec
+ "sync"
"unsafe"
"github.com/opencontainers/runc/libcontainer/user"
"golang.org/x/sys/unix"
)
-// If arg2 is nonzero, set the "child subreaper" attribute of the
-// calling process; if arg2 is zero, unset the attribute. When a
-// process is marked as a child subreaper, all of the children
-// that it creates, and their descendants, will be marked as
-// having a subreaper. In effect, a subreaper fulfills the role
-// of init(1) for its descendant processes. Upon termination of
-// a process that is orphaned (i.e., its immediate parent has
-// already terminated) and marked as having a subreaper, the
-// nearest still living ancestor subreaper will receive a SIGCHLD
-// signal and be able to wait(2) on the process to discover its
-// termination status.
-const PR_SET_CHILD_SUBREAPER = 36
-
type ParentDeathSignal int
func (p ParentDeathSignal) Restore() error {
@@ -51,7 +38,7 @@ func Execv(cmd string, args []string, env []string) error {
return err
}
- return syscall.Exec(name, args, env)
+ return unix.Exec(name, args, env)
}
func Prlimit(pid, resource int, limit unix.Rlimit) error {
@@ -100,15 +87,23 @@ func Setctty() error {
return nil
}
+var (
+ inUserNS bool
+ nsOnce sync.Once
+)
+
// RunningInUserNS detects whether we are currently running in a user namespace.
// Originally copied from github.com/lxc/lxd/shared/util.go
func RunningInUserNS() bool {
- uidmap, err := user.CurrentProcessUIDMap()
- if err != nil {
- // This kernel-provided file only exists if user namespaces are supported
- return false
- }
- return UIDMapInUserNS(uidmap)
+ nsOnce.Do(func() {
+ uidmap, err := user.CurrentProcessUIDMap()
+ if err != nil {
+ // This kernel-provided file only exists if user namespaces are supported
+ return
+ }
+ inUserNS = UIDMapInUserNS(uidmap)
+ })
+ return inUserNS
}
func UIDMapInUserNS(uidmap []user.IDMap) bool {
@@ -140,7 +135,7 @@ func GetParentNSeuid() int64 {
// SetSubreaper sets the value i as the subreaper setting for the calling process
func SetSubreaper(i int) error {
- return unix.Prctl(PR_SET_CHILD_SUBREAPER, uintptr(i), 0, 0, 0)
+ return unix.Prctl(unix.PR_SET_CHILD_SUBREAPER, uintptr(i), 0, 0, 0)
}
// GetSubreaper returns the subreaper setting for the calling process
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/system/sysconfig.go b/vendor/github.com/opencontainers/runc/libcontainer/system/sysconfig.go
deleted file mode 100644
index b8434f105..000000000
--- a/vendor/github.com/opencontainers/runc/libcontainer/system/sysconfig.go
+++ /dev/null
@@ -1,12 +0,0 @@
-// +build cgo,linux
-
-package system
-
-/*
-#include <unistd.h>
-*/
-import "C"
-
-func GetClockTicks() int {
- return int(C.sysconf(C._SC_CLK_TCK))
-}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/system/sysconfig_notcgo.go b/vendor/github.com/opencontainers/runc/libcontainer/system/sysconfig_notcgo.go
deleted file mode 100644
index d93b5d5fd..000000000
--- a/vendor/github.com/opencontainers/runc/libcontainer/system/sysconfig_notcgo.go
+++ /dev/null
@@ -1,15 +0,0 @@
-// +build !cgo windows
-
-package system
-
-func GetClockTicks() int {
- // TODO figure out a better alternative for platforms where we're missing cgo
- //
- // TODO Windows. This could be implemented using Win32 QueryPerformanceFrequency().
- // https://msdn.microsoft.com/en-us/library/windows/desktop/ms644905(v=vs.85).aspx
- //
- // An example of its usage can be found here.
- // https://msdn.microsoft.com/en-us/library/windows/desktop/dn553408(v=vs.85).aspx
-
- return 100
-}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/user/user.go b/vendor/github.com/opencontainers/runc/libcontainer/user/user.go
index 7b912bbf8..4b89dad73 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/user/user.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/user/user.go
@@ -60,7 +60,7 @@ type Group struct {
// groupFromOS converts an os/user.(*Group) to local Group
//
-// (This does not include Pass, Shell or Gecos)
+// (This does not include Pass or List)
func groupFromOS(g *user.Group) (Group, error) {
newGroup := Group{
Name: g.Name,
@@ -162,10 +162,6 @@ func ParsePasswdFilter(r io.Reader, filter func(User) bool) ([]User, error) {
)
for s.Scan() {
- if err := s.Err(); err != nil {
- return nil, err
- }
-
line := strings.TrimSpace(s.Text())
if line == "" {
continue
@@ -183,6 +179,9 @@ func ParsePasswdFilter(r io.Reader, filter func(User) bool) ([]User, error) {
out = append(out, p)
}
}
+ if err := s.Err(); err != nil {
+ return nil, err
+ }
return out, nil
}
@@ -221,10 +220,6 @@ func ParseGroupFilter(r io.Reader, filter func(Group) bool) ([]Group, error) {
)
for s.Scan() {
- if err := s.Err(); err != nil {
- return nil, err
- }
-
text := s.Text()
if text == "" {
continue
@@ -242,6 +237,9 @@ func ParseGroupFilter(r io.Reader, filter func(Group) bool) ([]Group, error) {
out = append(out, p)
}
}
+ if err := s.Err(); err != nil {
+ return nil, err
+ }
return out, nil
}
@@ -532,10 +530,6 @@ func ParseSubIDFilter(r io.Reader, filter func(SubID) bool) ([]SubID, error) {
)
for s.Scan() {
- if err := s.Err(); err != nil {
- return nil, err
- }
-
line := strings.TrimSpace(s.Text())
if line == "" {
continue
@@ -549,6 +543,9 @@ func ParseSubIDFilter(r io.Reader, filter func(SubID) bool) ([]SubID, error) {
out = append(out, p)
}
}
+ if err := s.Err(); err != nil {
+ return nil, err
+ }
return out, nil
}
@@ -586,10 +583,6 @@ func ParseIDMapFilter(r io.Reader, filter func(IDMap) bool) ([]IDMap, error) {
)
for s.Scan() {
- if err := s.Err(); err != nil {
- return nil, err
- }
-
line := strings.TrimSpace(s.Text())
if line == "" {
continue
@@ -603,6 +596,9 @@ func ParseIDMapFilter(r io.Reader, filter func(IDMap) bool) ([]IDMap, error) {
out = append(out, p)
}
}
+ if err := s.Err(); err != nil {
+ return nil, err
+ }
return out, nil
}