Merge pull request #7407 from crosbymichael/update-libcontainer-aug1

Update libcontainer to version 68ea1234a0b046803aacb2562df0da1

hack/vendor.sh

@@ -63,4 +63,4 @@ mv tmp-tar src/code.google.com/p/go/src/pkg/archive/tar
 
 clone git github.com/godbus/dbus v1
 clone git github.com/coreos/go-systemd v2
-clone git github.com/docker/libcontainer bc06326a5e7decdc4191d1367de8439b9d83c450
+clone git github.com/docker/libcontainer 68ea1234a0b046803aacb2562df0da12eec2b2f9

sysinit/sysinit.go

@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"log"
 	"os"
+	"runtime"
 
 	"github.com/docker/docker/daemon/execdriver"
 	_ "github.com/docker/docker/daemon/execdriver/lxc"
@@ -23,6 +24,10 @@ func executeProgram(args *execdriver.InitArgs) error {
 // This code is run INSIDE the container and is responsible for setting
 // up the environment before running the actual process
 func SysInit() {
+	// The very first thing that we should do is lock the thread so that other
+	// system level options will work and not have issues, i.e. setns
+	runtime.LockOSThread()
+
 	if len(os.Args) <= 1 {
 		fmt.Println("You should not invoke dockerinit manually")
 		os.Exit(1)

vendor/src/github.com/docker/libcontainer/namespaces/exec.go

@@ -133,7 +133,7 @@ func DefaultCreateCommand(container *libcontainer.Config, console, rootfs, dataP
 	   }
 	*/
 
-	command := exec.Command(init, append([]string{"init"}, args...)...)
+	command := exec.Command(init, append([]string{"init", "--"}, args...)...)
 	// make sure the process is executed inside the context of the rootfs
 	command.Dir = rootfs
 	command.Env = append(os.Environ(), env...)

vendor/src/github.com/docker/libcontainer/namespaces/init.go

@@ -5,7 +5,6 @@ package namespaces
 import (
 	"fmt"
 	"os"
-	"runtime"
 	"strings"
 	"syscall"
 
@@ -28,6 +27,8 @@ import (
 // Move this to libcontainer package.
 // Init is the init process that first runs inside a new namespace to setup mounts, users, networking,
 // and other options required for the new container.
+// The caller of Init function has to ensure that the go runtime is locked to an OS thread
+// (using runtime.LockOSThread) else system calls like setns called within Init may not work as intended.
 func Init(container *libcontainer.Config, uncleanRootfs, consolePath string, syncPipe *syncpipe.SyncPipe, args []string) (err error) {
 	defer func() {
 		if err != nil {
@@ -87,8 +88,6 @@ func Init(container *libcontainer.Config, uncleanRootfs, consolePath string, syn
 		}
 	}
 
-	runtime.LockOSThread()
-
 	if err := apparmor.ApplyProfile(container.AppArmorProfile); err != nil {
 		return fmt.Errorf("set apparmor profile %s: %s", container.AppArmorProfile, err)
 	}

vendor/src/github.com/docker/libcontainer/nsinit/init.go

@@ -3,6 +3,7 @@ package nsinit
 import (
 	"log"
 	"os"
+	"runtime"
 	"strconv"
 
 	"github.com/codegangsta/cli"
@@ -23,6 +24,8 @@ var (
 )
 
 func initAction(context *cli.Context) {
+	runtime.LockOSThread()
+
 	container, err := loadContainer()
 	if err != nil {
 		log.Fatal(err)