client/mflag: remove use of docker/docker/pkg/homedir

The homedir package was only used to print default values for
flags that contained paths inside the user's home-directory in
a slightly nicer way (replace `/users/home` with `~`).

Given that this is not critical, we can replace this with golang's
function, which does not depend on libcontainer.

There's still one use of the homedir package in docker/docker/opts,
which is used by the dnet binary (but only requires the homedir
package when running in rootless mode)

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

libnetwork/client/mflag/flag.go

@@ -91,8 +91,6 @@ import (
 	"strings"
 	"text/tabwriter"
 	"time"
-
-	"github.com/docker/docker/pkg/homedir"
 )
 
 // ErrHelp is the error returned if the flag -help is invoked but no such flag is defined.
@@ -538,7 +536,7 @@ func isZeroValue(value string) bool {
 // otherwise, the default values of all defined flags in the set.
 func (fs *FlagSet) PrintDefaults() {
 	writer := tabwriter.NewWriter(fs.Out(), 20, 1, 3, ' ', 0)
-	home := homedir.Get()
+	home, _ := os.UserHomeDir()
 
 	// Don't substitute when HOME is /
 	if runtime.GOOS != "windows" && home == "/" {
@@ -561,7 +559,7 @@ func (fs *FlagSet) PrintDefaults() {
 			val := flag.DefValue
 
 			if home != "" && strings.HasPrefix(val, home) {
-				val = homedir.GetShortcutString() + val[len(home):]
+				val = getShortcutString() + val[len(home):]
 			}
 
 			if isZeroValue(val) {
@@ -579,6 +577,13 @@ func (fs *FlagSet) PrintDefaults() {
 	writer.Flush()
 }
 
+func getShortcutString() string {
+	if runtime.GOOS == "windows" {
+		return "%USERPROFILE%"
+	}
+	return "~"
+}
+
 // PrintDefaults prints to standard error the default values of all defined command-line flags.
 func PrintDefaults() {
 	CommandLine.PrintDefaults()

libnetwork/vendor.conf

@@ -14,7 +14,6 @@ github.com/docker/docker                            dbe4a30928d418e0570891a09703
 github.com/docker/distribution                      0d3efadf0154c2b8a4e7b6621fff9809655cc580
 github.com/docker/go-connections                    7395e3f8aa162843a74ed6d48e79627d9792ac55 # v0.4.0
 github.com/docker/go-events                         9461782956ad83b30282bf90e31fa6a70c255ba9
-github.com/docker/go-units                          47565b4f722fb6ceae66b95f853feed578a4a51c # v0.3.3
 github.com/docker/libkv                             458977154600b9f23984d9f4b82e79570b5ae12b
 
 github.com/gogo/protobuf                            ba06b47c162d49f2af050fb4c75bcbc86a159d5c # v1.2.1
@@ -35,7 +34,6 @@ github.com/hashicorp/go-sockaddr                    c7188e74f6acae5a989bdc959aa7
 github.com/hashicorp/serf                           598c54895cc5a7b1a24a398d635e8c0ea0959870
 github.com/mattn/go-shellwords                      02e3cf038dcea8290e44424da473dd12be796a8a # v1.0.3
 github.com/miekg/dns                                6c0c4e6581f8e173cc562c8b3363ab984e4ae071 # v1.1.27
-github.com/opencontainers/runc                      2b18fe1d885ee5083ef9f0838fee39b62d653e30
 github.com/opencontainers/runtime-spec              29686dbc5559d93fb1ef402eeda3e35c38d75af4 # v1.0.1-59-g29686db
 github.com/samuel/go-zookeeper                      d0e0d8e11f318e000a8cc434616d69e329edc374
 github.com/sirupsen/logrus                          8bdbc7bcc01dcbb8ec23dc8a28e332258d25251f # v1.4.1

libnetwork/vendor/github.com/docker/docker/pkg/homedir/homedir_linux.go

@@ -1,109 +0,0 @@
-package homedir // import "github.com/docker/docker/pkg/homedir"
-
-import (
-	"errors"
-	"os"
-	"path/filepath"
-	"strings"
-
-	"github.com/docker/docker/pkg/idtools"
-)
-
-// GetStatic returns the home directory for the current user without calling
-// os/user.Current(). This is useful for static-linked binary on glibc-based
-// system, because a call to os/user.Current() in a static binary leads to
-// segfault due to a glibc issue that won't be fixed in a short term.
-// (#29344, golang/go#13470, https://sourceware.org/bugzilla/show_bug.cgi?id=19341)
-func GetStatic() (string, error) {
-	uid := os.Getuid()
-	usr, err := idtools.LookupUID(uid)
-	if err != nil {
-		return "", err
-	}
-	return usr.Home, nil
-}
-
-// GetRuntimeDir returns XDG_RUNTIME_DIR.
-// XDG_RUNTIME_DIR is typically configured via pam_systemd.
-// GetRuntimeDir returns non-nil error if XDG_RUNTIME_DIR is not set.
-//
-// See also https://standards.freedesktop.org/basedir-spec/latest/ar01s03.html
-func GetRuntimeDir() (string, error) {
-	if xdgRuntimeDir := os.Getenv("XDG_RUNTIME_DIR"); xdgRuntimeDir != "" {
-		return xdgRuntimeDir, nil
-	}
-	return "", errors.New("could not get XDG_RUNTIME_DIR")
-}
-
-// StickRuntimeDirContents sets the sticky bit on files that are under
-// XDG_RUNTIME_DIR, so that the files won't be periodically removed by the system.
-//
-// StickyRuntimeDir returns slice of sticked files.
-// StickyRuntimeDir returns nil error if XDG_RUNTIME_DIR is not set.
-//
-// See also https://standards.freedesktop.org/basedir-spec/latest/ar01s03.html
-func StickRuntimeDirContents(files []string) ([]string, error) {
-	runtimeDir, err := GetRuntimeDir()
-	if err != nil {
-		// ignore error if runtimeDir is empty
-		return nil, nil
-	}
-	runtimeDir, err = filepath.Abs(runtimeDir)
-	if err != nil {
-		return nil, err
-	}
-	var sticked []string
-	for _, f := range files {
-		f, err = filepath.Abs(f)
-		if err != nil {
-			return sticked, err
-		}
-		if strings.HasPrefix(f, runtimeDir+"/") {
-			if err = stick(f); err != nil {
-				return sticked, err
-			}
-			sticked = append(sticked, f)
-		}
-	}
-	return sticked, nil
-}
-
-func stick(f string) error {
-	st, err := os.Stat(f)
-	if err != nil {
-		return err
-	}
-	m := st.Mode()
-	m |= os.ModeSticky
-	return os.Chmod(f, m)
-}
-
-// GetDataHome returns XDG_DATA_HOME.
-// GetDataHome returns $HOME/.local/share and nil error if XDG_DATA_HOME is not set.
-//
-// See also https://standards.freedesktop.org/basedir-spec/latest/ar01s03.html
-func GetDataHome() (string, error) {
-	if xdgDataHome := os.Getenv("XDG_DATA_HOME"); xdgDataHome != "" {
-		return xdgDataHome, nil
-	}
-	home := os.Getenv("HOME")
-	if home == "" {
-		return "", errors.New("could not get either XDG_DATA_HOME or HOME")
-	}
-	return filepath.Join(home, ".local", "share"), nil
-}
-
-// GetConfigHome returns XDG_CONFIG_HOME.
-// GetConfigHome returns $HOME/.config and nil error if XDG_CONFIG_HOME is not set.
-//
-// See also https://standards.freedesktop.org/basedir-spec/latest/ar01s03.html
-func GetConfigHome() (string, error) {
-	if xdgConfigHome := os.Getenv("XDG_CONFIG_HOME"); xdgConfigHome != "" {
-		return xdgConfigHome, nil
-	}
-	home := os.Getenv("HOME")
-	if home == "" {
-		return "", errors.New("could not get either XDG_CONFIG_HOME or HOME")
-	}
-	return filepath.Join(home, ".config"), nil
-}

libnetwork/vendor/github.com/docker/docker/pkg/homedir/homedir_others.go

@@ -1,33 +0,0 @@
-// +build !linux
-
-package homedir // import "github.com/docker/docker/pkg/homedir"
-
-import (
-	"errors"
-)
-
-// GetStatic is not needed for non-linux systems.
-// (Precisely, it is needed only for glibc-based linux systems.)
-func GetStatic() (string, error) {
-	return "", errors.New("homedir.GetStatic() is not supported on this system")
-}
-
-// GetRuntimeDir is unsupported on non-linux system.
-func GetRuntimeDir() (string, error) {
-	return "", errors.New("homedir.GetRuntimeDir() is not supported on this system")
-}
-
-// StickRuntimeDirContents is unsupported on non-linux system.
-func StickRuntimeDirContents(files []string) ([]string, error) {
-	return nil, errors.New("homedir.StickRuntimeDirContents() is not supported on this system")
-}
-
-// GetDataHome is unsupported on non-linux system.
-func GetDataHome() (string, error) {
-	return "", errors.New("homedir.GetDataHome() is not supported on this system")
-}
-
-// GetConfigHome is unsupported on non-linux system.
-func GetConfigHome() (string, error) {
-	return "", errors.New("homedir.GetConfigHome() is not supported on this system")
-}

libnetwork/vendor/github.com/docker/docker/pkg/homedir/homedir_unix.go

@@ -1,34 +0,0 @@
-// +build !windows
-
-package homedir // import "github.com/docker/docker/pkg/homedir"
-
-import (
-	"os"
-
-	"github.com/opencontainers/runc/libcontainer/user"
-)
-
-// Key returns the env var name for the user's home dir based on
-// the platform being run on
-func Key() string {
-	return "HOME"
-}
-
-// Get returns the home directory of the current user with the help of
-// environment variables depending on the target operating system.
-// Returned path should be used with "path/filepath" to form new paths.
-func Get() string {
-	home := os.Getenv(Key())
-	if home == "" {
-		if u, err := user.CurrentUser(); err == nil {
-			return u.Home
-		}
-	}
-	return home
-}
-
-// GetShortcutString returns the string that is shortcut to user's home directory
-// in the native shell of the platform running on.
-func GetShortcutString() string {
-	return "~"
-}

libnetwork/vendor/github.com/docker/docker/pkg/homedir/homedir_windows.go

@@ -1,24 +0,0 @@
-package homedir // import "github.com/docker/docker/pkg/homedir"
-
-import (
-	"os"
-)
-
-// Key returns the env var name for the user's home dir based on
-// the platform being run on
-func Key() string {
-	return "USERPROFILE"
-}
-
-// Get returns the home directory of the current user with the help of
-// environment variables depending on the target operating system.
-// Returned path should be used with "path/filepath" to form new paths.
-func Get() string {
-	return os.Getenv(Key())
-}
-
-// GetShortcutString returns the string that is shortcut to user's home directory
-// in the native shell of the platform running on.
-func GetShortcutString() string {
-	return "%USERPROFILE%" // be careful while using in format functions
-}

libnetwork/vendor/github.com/docker/docker/pkg/idtools/idtools.go

@@ -1,267 +0,0 @@
-package idtools // import "github.com/docker/docker/pkg/idtools"
-
-import (
-	"bufio"
-	"fmt"
-	"os"
-	"sort"
-	"strconv"
-	"strings"
-)
-
-// IDMap contains a single entry for user namespace range remapping. An array
-// of IDMap entries represents the structure that will be provided to the Linux
-// kernel for creating a user namespace.
-type IDMap struct {
-	ContainerID int `json:"container_id"`
-	HostID      int `json:"host_id"`
-	Size        int `json:"size"`
-}
-
-type subIDRange struct {
-	Start  int
-	Length int
-}
-
-type ranges []subIDRange
-
-func (e ranges) Len() int           { return len(e) }
-func (e ranges) Swap(i, j int)      { e[i], e[j] = e[j], e[i] }
-func (e ranges) Less(i, j int) bool { return e[i].Start < e[j].Start }
-
-const (
-	subuidFileName = "/etc/subuid"
-	subgidFileName = "/etc/subgid"
-)
-
-// MkdirAllAndChown creates a directory (include any along the path) and then modifies
-// ownership to the requested uid/gid.  If the directory already exists, this
-// function will still change ownership to the requested uid/gid pair.
-func MkdirAllAndChown(path string, mode os.FileMode, owner Identity) error {
-	return mkdirAs(path, mode, owner, true, true)
-}
-
-// MkdirAndChown creates a directory and then modifies ownership to the requested uid/gid.
-// If the directory already exists, this function still changes ownership.
-// Note that unlike os.Mkdir(), this function does not return IsExist error
-// in case path already exists.
-func MkdirAndChown(path string, mode os.FileMode, owner Identity) error {
-	return mkdirAs(path, mode, owner, false, true)
-}
-
-// MkdirAllAndChownNew creates a directory (include any along the path) and then modifies
-// ownership ONLY of newly created directories to the requested uid/gid. If the
-// directories along the path exist, no change of ownership will be performed
-func MkdirAllAndChownNew(path string, mode os.FileMode, owner Identity) error {
-	return mkdirAs(path, mode, owner, true, false)
-}
-
-// GetRootUIDGID retrieves the remapped root uid/gid pair from the set of maps.
-// If the maps are empty, then the root uid/gid will default to "real" 0/0
-func GetRootUIDGID(uidMap, gidMap []IDMap) (int, int, error) {
-	uid, err := toHost(0, uidMap)
-	if err != nil {
-		return -1, -1, err
-	}
-	gid, err := toHost(0, gidMap)
-	if err != nil {
-		return -1, -1, err
-	}
-	return uid, gid, nil
-}
-
-// toContainer takes an id mapping, and uses it to translate a
-// host ID to the remapped ID. If no map is provided, then the translation
-// assumes a 1-to-1 mapping and returns the passed in id
-func toContainer(hostID int, idMap []IDMap) (int, error) {
-	if idMap == nil {
-		return hostID, nil
-	}
-	for _, m := range idMap {
-		if (hostID >= m.HostID) && (hostID <= (m.HostID + m.Size - 1)) {
-			contID := m.ContainerID + (hostID - m.HostID)
-			return contID, nil
-		}
-	}
-	return -1, fmt.Errorf("Host ID %d cannot be mapped to a container ID", hostID)
-}
-
-// toHost takes an id mapping and a remapped ID, and translates the
-// ID to the mapped host ID. If no map is provided, then the translation
-// assumes a 1-to-1 mapping and returns the passed in id #
-func toHost(contID int, idMap []IDMap) (int, error) {
-	if idMap == nil {
-		return contID, nil
-	}
-	for _, m := range idMap {
-		if (contID >= m.ContainerID) && (contID <= (m.ContainerID + m.Size - 1)) {
-			hostID := m.HostID + (contID - m.ContainerID)
-			return hostID, nil
-		}
-	}
-	return -1, fmt.Errorf("Container ID %d cannot be mapped to a host ID", contID)
-}
-
-// Identity is either a UID and GID pair or a SID (but not both)
-type Identity struct {
-	UID int
-	GID int
-	SID string
-}
-
-// IdentityMapping contains a mappings of UIDs and GIDs
-type IdentityMapping struct {
-	uids []IDMap
-	gids []IDMap
-}
-
-// NewIdentityMapping takes a requested user and group name and
-// using the data from /etc/sub{uid,gid} ranges, creates the
-// proper uid and gid remapping ranges for that user/group pair
-func NewIdentityMapping(username, groupname string) (*IdentityMapping, error) {
-	subuidRanges, err := parseSubuid(username)
-	if err != nil {
-		return nil, err
-	}
-	subgidRanges, err := parseSubgid(groupname)
-	if err != nil {
-		return nil, err
-	}
-	if len(subuidRanges) == 0 {
-		return nil, fmt.Errorf("No subuid ranges found for user %q", username)
-	}
-	if len(subgidRanges) == 0 {
-		return nil, fmt.Errorf("No subgid ranges found for group %q", groupname)
-	}
-
-	return &IdentityMapping{
-		uids: createIDMap(subuidRanges),
-		gids: createIDMap(subgidRanges),
-	}, nil
-}
-
-// NewIDMappingsFromMaps creates a new mapping from two slices
-// Deprecated: this is a temporary shim while transitioning to IDMapping
-func NewIDMappingsFromMaps(uids []IDMap, gids []IDMap) *IdentityMapping {
-	return &IdentityMapping{uids: uids, gids: gids}
-}
-
-// RootPair returns a uid and gid pair for the root user. The error is ignored
-// because a root user always exists, and the defaults are correct when the uid
-// and gid maps are empty.
-func (i *IdentityMapping) RootPair() Identity {
-	uid, gid, _ := GetRootUIDGID(i.uids, i.gids)
-	return Identity{UID: uid, GID: gid}
-}
-
-// ToHost returns the host UID and GID for the container uid, gid.
-// Remapping is only performed if the ids aren't already the remapped root ids
-func (i *IdentityMapping) ToHost(pair Identity) (Identity, error) {
-	var err error
-	target := i.RootPair()
-
-	if pair.UID != target.UID {
-		target.UID, err = toHost(pair.UID, i.uids)
-		if err != nil {
-			return target, err
-		}
-	}
-
-	if pair.GID != target.GID {
-		target.GID, err = toHost(pair.GID, i.gids)
-	}
-	return target, err
-}
-
-// ToContainer returns the container UID and GID for the host uid and gid
-func (i *IdentityMapping) ToContainer(pair Identity) (int, int, error) {
-	uid, err := toContainer(pair.UID, i.uids)
-	if err != nil {
-		return -1, -1, err
-	}
-	gid, err := toContainer(pair.GID, i.gids)
-	return uid, gid, err
-}
-
-// Empty returns true if there are no id mappings
-func (i *IdentityMapping) Empty() bool {
-	return len(i.uids) == 0 && len(i.gids) == 0
-}
-
-// UIDs return the UID mapping
-// TODO: remove this once everything has been refactored to use pairs
-func (i *IdentityMapping) UIDs() []IDMap {
-	return i.uids
-}
-
-// GIDs return the UID mapping
-// TODO: remove this once everything has been refactored to use pairs
-func (i *IdentityMapping) GIDs() []IDMap {
-	return i.gids
-}
-
-func createIDMap(subidRanges ranges) []IDMap {
-	idMap := []IDMap{}
-
-	// sort the ranges by lowest ID first
-	sort.Sort(subidRanges)
-	containerID := 0
-	for _, idrange := range subidRanges {
-		idMap = append(idMap, IDMap{
-			ContainerID: containerID,
-			HostID:      idrange.Start,
-			Size:        idrange.Length,
-		})
-		containerID = containerID + idrange.Length
-	}
-	return idMap
-}
-
-func parseSubuid(username string) (ranges, error) {
-	return parseSubidFile(subuidFileName, username)
-}
-
-func parseSubgid(username string) (ranges, error) {
-	return parseSubidFile(subgidFileName, username)
-}
-
-// parseSubidFile will read the appropriate file (/etc/subuid or /etc/subgid)
-// and return all found ranges for a specified username. If the special value
-// "ALL" is supplied for username, then all ranges in the file will be returned
-func parseSubidFile(path, username string) (ranges, error) {
-	var rangeList ranges
-
-	subidFile, err := os.Open(path)
-	if err != nil {
-		return rangeList, err
-	}
-	defer subidFile.Close()
-
-	s := bufio.NewScanner(subidFile)
-	for s.Scan() {
-		if err := s.Err(); err != nil {
-			return rangeList, err
-		}
-
-		text := strings.TrimSpace(s.Text())
-		if text == "" || strings.HasPrefix(text, "#") {
-			continue
-		}
-		parts := strings.Split(text, ":")
-		if len(parts) != 3 {
-			return rangeList, fmt.Errorf("Cannot parse subuid/gid information: Format not correct for %s file", path)
-		}
-		if parts[0] == username || username == "ALL" {
-			startid, err := strconv.Atoi(parts[1])
-			if err != nil {
-				return rangeList, fmt.Errorf("String to int conversion failed during subuid/gid parsing of %s: %v", path, err)
-			}
-			length, err := strconv.Atoi(parts[2])
-			if err != nil {
-				return rangeList, fmt.Errorf("String to int conversion failed during subuid/gid parsing of %s: %v", path, err)
-			}
-			rangeList = append(rangeList, subIDRange{startid, length})
-		}
-	}
-	return rangeList, nil
-}

libnetwork/vendor/github.com/docker/docker/pkg/idtools/idtools_unix.go

@@ -1,231 +0,0 @@
-// +build !windows
-
-package idtools // import "github.com/docker/docker/pkg/idtools"
-
-import (
-	"bytes"
-	"fmt"
-	"io"
-	"os"
-	"path/filepath"
-	"strings"
-	"sync"
-	"syscall"
-
-	"github.com/docker/docker/pkg/system"
-	"github.com/opencontainers/runc/libcontainer/user"
-)
-
-var (
-	entOnce   sync.Once
-	getentCmd string
-)
-
-func mkdirAs(path string, mode os.FileMode, owner Identity, mkAll, chownExisting bool) error {
-	// make an array containing the original path asked for, plus (for mkAll == true)
-	// all path components leading up to the complete path that don't exist before we MkdirAll
-	// so that we can chown all of them properly at the end.  If chownExisting is false, we won't
-	// chown the full directory path if it exists
-
-	var paths []string
-
-	stat, err := system.Stat(path)
-	if err == nil {
-		if !stat.IsDir() {
-			return &os.PathError{Op: "mkdir", Path: path, Err: syscall.ENOTDIR}
-		}
-		if !chownExisting {
-			return nil
-		}
-
-		// short-circuit--we were called with an existing directory and chown was requested
-		return lazyChown(path, owner.UID, owner.GID, stat)
-	}
-
-	if os.IsNotExist(err) {
-		paths = []string{path}
-	}
-
-	if mkAll {
-		// walk back to "/" looking for directories which do not exist
-		// and add them to the paths array for chown after creation
-		dirPath := path
-		for {
-			dirPath = filepath.Dir(dirPath)
-			if dirPath == "/" {
-				break
-			}
-			if _, err := os.Stat(dirPath); err != nil && os.IsNotExist(err) {
-				paths = append(paths, dirPath)
-			}
-		}
-		if err := system.MkdirAll(path, mode, ""); err != nil {
-			return err
-		}
-	} else {
-		if err := os.Mkdir(path, mode); err != nil && !os.IsExist(err) {
-			return err
-		}
-	}
-	// even if it existed, we will chown the requested path + any subpaths that
-	// didn't exist when we called MkdirAll
-	for _, pathComponent := range paths {
-		if err := lazyChown(pathComponent, owner.UID, owner.GID, nil); err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-// CanAccess takes a valid (existing) directory and a uid, gid pair and determines
-// if that uid, gid pair has access (execute bit) to the directory
-func CanAccess(path string, pair Identity) bool {
-	statInfo, err := system.Stat(path)
-	if err != nil {
-		return false
-	}
-	fileMode := os.FileMode(statInfo.Mode())
-	permBits := fileMode.Perm()
-	return accessible(statInfo.UID() == uint32(pair.UID),
-		statInfo.GID() == uint32(pair.GID), permBits)
-}
-
-func accessible(isOwner, isGroup bool, perms os.FileMode) bool {
-	if isOwner && (perms&0100 == 0100) {
-		return true
-	}
-	if isGroup && (perms&0010 == 0010) {
-		return true
-	}
-	if perms&0001 == 0001 {
-		return true
-	}
-	return false
-}
-
-// LookupUser uses traditional local system files lookup (from libcontainer/user) on a username,
-// followed by a call to `getent` for supporting host configured non-files passwd and group dbs
-func LookupUser(username string) (user.User, error) {
-	// first try a local system files lookup using existing capabilities
-	usr, err := user.LookupUser(username)
-	if err == nil {
-		return usr, nil
-	}
-	// local files lookup failed; attempt to call `getent` to query configured passwd dbs
-	usr, err = getentUser(fmt.Sprintf("%s %s", "passwd", username))
-	if err != nil {
-		return user.User{}, err
-	}
-	return usr, nil
-}
-
-// LookupUID uses traditional local system files lookup (from libcontainer/user) on a uid,
-// followed by a call to `getent` for supporting host configured non-files passwd and group dbs
-func LookupUID(uid int) (user.User, error) {
-	// first try a local system files lookup using existing capabilities
-	usr, err := user.LookupUid(uid)
-	if err == nil {
-		return usr, nil
-	}
-	// local files lookup failed; attempt to call `getent` to query configured passwd dbs
-	return getentUser(fmt.Sprintf("%s %d", "passwd", uid))
-}
-
-func getentUser(args string) (user.User, error) {
-	reader, err := callGetent(args)
-	if err != nil {
-		return user.User{}, err
-	}
-	users, err := user.ParsePasswd(reader)
-	if err != nil {
-		return user.User{}, err
-	}
-	if len(users) == 0 {
-		return user.User{}, fmt.Errorf("getent failed to find passwd entry for %q", strings.Split(args, " ")[1])
-	}
-	return users[0], nil
-}
-
-// LookupGroup uses traditional local system files lookup (from libcontainer/user) on a group name,
-// followed by a call to `getent` for supporting host configured non-files passwd and group dbs
-func LookupGroup(groupname string) (user.Group, error) {
-	// first try a local system files lookup using existing capabilities
-	group, err := user.LookupGroup(groupname)
-	if err == nil {
-		return group, nil
-	}
-	// local files lookup failed; attempt to call `getent` to query configured group dbs
-	return getentGroup(fmt.Sprintf("%s %s", "group", groupname))
-}
-
-// LookupGID uses traditional local system files lookup (from libcontainer/user) on a group ID,
-// followed by a call to `getent` for supporting host configured non-files passwd and group dbs
-func LookupGID(gid int) (user.Group, error) {
-	// first try a local system files lookup using existing capabilities
-	group, err := user.LookupGid(gid)
-	if err == nil {
-		return group, nil
-	}
-	// local files lookup failed; attempt to call `getent` to query configured group dbs
-	return getentGroup(fmt.Sprintf("%s %d", "group", gid))
-}
-
-func getentGroup(args string) (user.Group, error) {
-	reader, err := callGetent(args)
-	if err != nil {
-		return user.Group{}, err
-	}
-	groups, err := user.ParseGroup(reader)
-	if err != nil {
-		return user.Group{}, err
-	}
-	if len(groups) == 0 {
-		return user.Group{}, fmt.Errorf("getent failed to find groups entry for %q", strings.Split(args, " ")[1])
-	}
-	return groups[0], nil
-}
-
-func callGetent(args string) (io.Reader, error) {
-	entOnce.Do(func() { getentCmd, _ = resolveBinary("getent") })
-	// if no `getent` command on host, can't do anything else
-	if getentCmd == "" {
-		return nil, fmt.Errorf("")
-	}
-	out, err := execCmd(getentCmd, args)
-	if err != nil {
-		exitCode, errC := system.GetExitCode(err)
-		if errC != nil {
-			return nil, err
-		}
-		switch exitCode {
-		case 1:
-			return nil, fmt.Errorf("getent reported invalid parameters/database unknown")
-		case 2:
-			terms := strings.Split(args, " ")
-			return nil, fmt.Errorf("getent unable to find entry %q in %s database", terms[1], terms[0])
-		case 3:
-			return nil, fmt.Errorf("getent database doesn't support enumeration")
-		default:
-			return nil, err
-		}
-
-	}
-	return bytes.NewReader(out), nil
-}
-
-// lazyChown performs a chown only if the uid/gid don't match what's requested
-// Normally a Chown is a no-op if uid/gid match, but in some cases this can still cause an error, e.g. if the
-// dir is on an NFS share, so don't call chown unless we absolutely must.
-func lazyChown(p string, uid, gid int, stat *system.StatT) error {
-	if stat == nil {
-		var err error
-		stat, err = system.Stat(p)
-		if err != nil {
-			return err
-		}
-	}
-	if stat.UID() == uint32(uid) && stat.GID() == uint32(gid) {
-		return nil
-	}
-	return os.Chown(p, uid, gid)
-}

libnetwork/vendor/github.com/docker/docker/pkg/idtools/idtools_windows.go

@@ -1,25 +0,0 @@
-package idtools // import "github.com/docker/docker/pkg/idtools"
-
-import (
-	"os"
-
-	"github.com/docker/docker/pkg/system"
-)
-
-// This is currently a wrapper around MkdirAll, however, since currently
-// permissions aren't set through this path, the identity isn't utilized.
-// Ownership is handled elsewhere, but in the future could be support here
-// too.
-func mkdirAs(path string, mode os.FileMode, owner Identity, mkAll, chownExisting bool) error {
-	if err := system.MkdirAll(path, mode, ""); err != nil {
-		return err
-	}
-	return nil
-}
-
-// CanAccess takes a valid (existing) directory and a uid, gid pair and determines
-// if that uid, gid pair has access (execute bit) to the directory
-// Windows does not require/support this function, so always return true
-func CanAccess(path string, identity Identity) bool {
-	return true
-}

libnetwork/vendor/github.com/docker/docker/pkg/idtools/usergroupadd_linux.go

@@ -1,164 +0,0 @@
-package idtools // import "github.com/docker/docker/pkg/idtools"
-
-import (
-	"fmt"
-	"regexp"
-	"sort"
-	"strconv"
-	"strings"
-	"sync"
-)
-
-// add a user and/or group to Linux /etc/passwd, /etc/group using standard
-// Linux distribution commands:
-// adduser --system --shell /bin/false --disabled-login --disabled-password --no-create-home --group <username>
-// useradd -r -s /bin/false <username>
-
-var (
-	once        sync.Once
-	userCommand string
-
-	cmdTemplates = map[string]string{
-		"adduser": "--system --shell /bin/false --no-create-home --disabled-login --disabled-password --group %s",
-		"useradd": "-r -s /bin/false %s",
-		"usermod": "-%s %d-%d %s",
-	}
-
-	idOutRegexp = regexp.MustCompile(`uid=([0-9]+).*gid=([0-9]+)`)
-	// default length for a UID/GID subordinate range
-	defaultRangeLen   = 65536
-	defaultRangeStart = 100000
-	userMod           = "usermod"
-)
-
-// AddNamespaceRangesUser takes a username and uses the standard system
-// utility to create a system user/group pair used to hold the
-// /etc/sub{uid,gid} ranges which will be used for user namespace
-// mapping ranges in containers.
-func AddNamespaceRangesUser(name string) (int, int, error) {
-	if err := addUser(name); err != nil {
-		return -1, -1, fmt.Errorf("Error adding user %q: %v", name, err)
-	}
-
-	// Query the system for the created uid and gid pair
-	out, err := execCmd("id", name)
-	if err != nil {
-		return -1, -1, fmt.Errorf("Error trying to find uid/gid for new user %q: %v", name, err)
-	}
-	matches := idOutRegexp.FindStringSubmatch(strings.TrimSpace(string(out)))
-	if len(matches) != 3 {
-		return -1, -1, fmt.Errorf("Can't find uid, gid from `id` output: %q", string(out))
-	}
-	uid, err := strconv.Atoi(matches[1])
-	if err != nil {
-		return -1, -1, fmt.Errorf("Can't convert found uid (%s) to int: %v", matches[1], err)
-	}
-	gid, err := strconv.Atoi(matches[2])
-	if err != nil {
-		return -1, -1, fmt.Errorf("Can't convert found gid (%s) to int: %v", matches[2], err)
-	}
-
-	// Now we need to create the subuid/subgid ranges for our new user/group (system users
-	// do not get auto-created ranges in subuid/subgid)
-
-	if err := createSubordinateRanges(name); err != nil {
-		return -1, -1, fmt.Errorf("Couldn't create subordinate ID ranges: %v", err)
-	}
-	return uid, gid, nil
-}
-
-func addUser(userName string) error {
-	once.Do(func() {
-		// set up which commands are used for adding users/groups dependent on distro
-		if _, err := resolveBinary("adduser"); err == nil {
-			userCommand = "adduser"
-		} else if _, err := resolveBinary("useradd"); err == nil {
-			userCommand = "useradd"
-		}
-	})
-	if userCommand == "" {
-		return fmt.Errorf("Cannot add user; no useradd/adduser binary found")
-	}
-	args := fmt.Sprintf(cmdTemplates[userCommand], userName)
-	out, err := execCmd(userCommand, args)
-	if err != nil {
-		return fmt.Errorf("Failed to add user with error: %v; output: %q", err, string(out))
-	}
-	return nil
-}
-
-func createSubordinateRanges(name string) error {
-
-	// first, we should verify that ranges weren't automatically created
-	// by the distro tooling
-	ranges, err := parseSubuid(name)
-	if err != nil {
-		return fmt.Errorf("Error while looking for subuid ranges for user %q: %v", name, err)
-	}
-	if len(ranges) == 0 {
-		// no UID ranges; let's create one
-		startID, err := findNextUIDRange()
-		if err != nil {
-			return fmt.Errorf("Can't find available subuid range: %v", err)
-		}
-		out, err := execCmd(userMod, fmt.Sprintf(cmdTemplates[userMod], "v", startID, startID+defaultRangeLen-1, name))
-		if err != nil {
-			return fmt.Errorf("Unable to add subuid range to user: %q; output: %s, err: %v", name, out, err)
-		}
-	}
-
-	ranges, err = parseSubgid(name)
-	if err != nil {
-		return fmt.Errorf("Error while looking for subgid ranges for user %q: %v", name, err)
-	}
-	if len(ranges) == 0 {
-		// no GID ranges; let's create one
-		startID, err := findNextGIDRange()
-		if err != nil {
-			return fmt.Errorf("Can't find available subgid range: %v", err)
-		}
-		out, err := execCmd(userMod, fmt.Sprintf(cmdTemplates[userMod], "w", startID, startID+defaultRangeLen-1, name))
-		if err != nil {
-			return fmt.Errorf("Unable to add subgid range to user: %q; output: %s, err: %v", name, out, err)
-		}
-	}
-	return nil
-}
-
-func findNextUIDRange() (int, error) {
-	ranges, err := parseSubuid("ALL")
-	if err != nil {
-		return -1, fmt.Errorf("Couldn't parse all ranges in /etc/subuid file: %v", err)
-	}
-	sort.Sort(ranges)
-	return findNextRangeStart(ranges)
-}
-
-func findNextGIDRange() (int, error) {
-	ranges, err := parseSubgid("ALL")
-	if err != nil {
-		return -1, fmt.Errorf("Couldn't parse all ranges in /etc/subgid file: %v", err)
-	}
-	sort.Sort(ranges)
-	return findNextRangeStart(ranges)
-}
-
-func findNextRangeStart(rangeList ranges) (int, error) {
-	startID := defaultRangeStart
-	for _, arange := range rangeList {
-		if wouldOverlap(arange, startID) {
-			startID = arange.Start + arange.Length
-		}
-	}
-	return startID, nil
-}
-
-func wouldOverlap(arange subIDRange, ID int) bool {
-	low := ID
-	high := ID + defaultRangeLen
-	if (low >= arange.Start && low <= arange.Start+arange.Length) ||
-		(high <= arange.Start+arange.Length && high >= arange.Start) {
-		return true
-	}
-	return false
-}

libnetwork/vendor/github.com/docker/docker/pkg/idtools/usergroupadd_unsupported.go

@@ -1,12 +0,0 @@
-// +build !linux
-
-package idtools // import "github.com/docker/docker/pkg/idtools"
-
-import "fmt"
-
-// AddNamespaceRangesUser takes a name and finds an unused uid, gid pair
-// and calls the appropriate helper function to add the group and then
-// the user to the group in /etc/group and /etc/passwd respectively.
-func AddNamespaceRangesUser(name string) (int, int, error) {
-	return -1, -1, fmt.Errorf("No support for adding users or groups on this OS")
-}

libnetwork/vendor/github.com/docker/docker/pkg/idtools/utils_unix.go

@@ -1,32 +0,0 @@
-// +build !windows
-
-package idtools // import "github.com/docker/docker/pkg/idtools"
-
-import (
-	"fmt"
-	"os/exec"
-	"path/filepath"
-	"strings"
-)
-
-func resolveBinary(binname string) (string, error) {
-	binaryPath, err := exec.LookPath(binname)
-	if err != nil {
-		return "", err
-	}
-	resolvedPath, err := filepath.EvalSymlinks(binaryPath)
-	if err != nil {
-		return "", err
-	}
-	//only return no error if the final resolved binary basename
-	//matches what was searched for
-	if filepath.Base(resolvedPath) == binname {
-		return resolvedPath, nil
-	}
-	return "", fmt.Errorf("Binary %q does not resolve to a binary of that name in $PATH (%q)", binname, resolvedPath)
-}
-
-func execCmd(cmd, args string) ([]byte, error) {
-	execCmd := exec.Command(cmd, strings.Split(args, " ")...)
-	return execCmd.CombinedOutput()
-}

libnetwork/vendor/github.com/docker/docker/pkg/mount/flags.go

@@ -1,137 +0,0 @@
-package mount // import "github.com/docker/docker/pkg/mount"
-
-import (
-	"fmt"
-	"strings"
-)
-
-var flags = map[string]struct {
-	clear bool
-	flag  int
-}{
-	"defaults":      {false, 0},
-	"ro":            {false, RDONLY},
-	"rw":            {true, RDONLY},
-	"suid":          {true, NOSUID},
-	"nosuid":        {false, NOSUID},
-	"dev":           {true, NODEV},
-	"nodev":         {false, NODEV},
-	"exec":          {true, NOEXEC},
-	"noexec":        {false, NOEXEC},
-	"sync":          {false, SYNCHRONOUS},
-	"async":         {true, SYNCHRONOUS},
-	"dirsync":       {false, DIRSYNC},
-	"remount":       {false, REMOUNT},
-	"mand":          {false, MANDLOCK},
-	"nomand":        {true, MANDLOCK},
-	"atime":         {true, NOATIME},
-	"noatime":       {false, NOATIME},
-	"diratime":      {true, NODIRATIME},
-	"nodiratime":    {false, NODIRATIME},
-	"bind":          {false, BIND},
-	"rbind":         {false, RBIND},
-	"unbindable":    {false, UNBINDABLE},
-	"runbindable":   {false, RUNBINDABLE},
-	"private":       {false, PRIVATE},
-	"rprivate":      {false, RPRIVATE},
-	"shared":        {false, SHARED},
-	"rshared":       {false, RSHARED},
-	"slave":         {false, SLAVE},
-	"rslave":        {false, RSLAVE},
-	"relatime":      {false, RELATIME},
-	"norelatime":    {true, RELATIME},
-	"strictatime":   {false, STRICTATIME},
-	"nostrictatime": {true, STRICTATIME},
-}
-
-var validFlags = map[string]bool{
-	"":          true,
-	"size":      true,
-	"mode":      true,
-	"uid":       true,
-	"gid":       true,
-	"nr_inodes": true,
-	"nr_blocks": true,
-	"mpol":      true,
-}
-
-var propagationFlags = map[string]bool{
-	"bind":        true,
-	"rbind":       true,
-	"unbindable":  true,
-	"runbindable": true,
-	"private":     true,
-	"rprivate":    true,
-	"shared":      true,
-	"rshared":     true,
-	"slave":       true,
-	"rslave":      true,
-}
-
-// MergeTmpfsOptions merge mount options to make sure there is no duplicate.
-func MergeTmpfsOptions(options []string) ([]string, error) {
-	// We use collisions maps to remove duplicates.
-	// For flag, the key is the flag value (the key for propagation flag is -1)
-	// For data=value, the key is the data
-	flagCollisions := map[int]bool{}
-	dataCollisions := map[string]bool{}
-
-	var newOptions []string
-	// We process in reverse order
-	for i := len(options) - 1; i >= 0; i-- {
-		option := options[i]
-		if option == "defaults" {
-			continue
-		}
-		if f, ok := flags[option]; ok && f.flag != 0 {
-			// There is only one propagation mode
-			key := f.flag
-			if propagationFlags[option] {
-				key = -1
-			}
-			// Check to see if there is collision for flag
-			if !flagCollisions[key] {
-				// We prepend the option and add to collision map
-				newOptions = append([]string{option}, newOptions...)
-				flagCollisions[key] = true
-			}
-			continue
-		}
-		opt := strings.SplitN(option, "=", 2)
-		if len(opt) != 2 || !validFlags[opt[0]] {
-			return nil, fmt.Errorf("Invalid tmpfs option %q", opt)
-		}
-		if !dataCollisions[opt[0]] {
-			// We prepend the option and add to collision map
-			newOptions = append([]string{option}, newOptions...)
-			dataCollisions[opt[0]] = true
-		}
-	}
-
-	return newOptions, nil
-}
-
-// Parse fstab type mount options into mount() flags
-// and device specific data
-func parseOptions(options string) (int, string) {
-	var (
-		flag int
-		data []string
-	)
-
-	for _, o := range strings.Split(options, ",") {
-		// If the option does not exist in the flags table or the flag
-		// is not supported on the platform,
-		// then it is a data value for a specific fs type
-		if f, exists := flags[o]; exists && f.flag != 0 {
-			if f.clear {
-				flag &= ^f.flag
-			} else {
-				flag |= f.flag
-			}
-		} else {
-			data = append(data, o)
-		}
-	}
-	return flag, strings.Join(data, ",")
-}

libnetwork/vendor/github.com/docker/docker/pkg/mount/flags_freebsd.go

@@ -1,49 +0,0 @@
-// +build freebsd,cgo
-
-package mount // import "github.com/docker/docker/pkg/mount"
-
-/*
-#include <sys/mount.h>
-*/
-import "C"
-
-const (
-	// RDONLY will mount the filesystem as read-only.
-	RDONLY = C.MNT_RDONLY
-
-	// NOSUID will not allow set-user-identifier or set-group-identifier bits to
-	// take effect.
-	NOSUID = C.MNT_NOSUID
-
-	// NOEXEC will not allow execution of any binaries on the mounted file system.
-	NOEXEC = C.MNT_NOEXEC
-
-	// SYNCHRONOUS will allow any I/O to the file system to be done synchronously.
-	SYNCHRONOUS = C.MNT_SYNCHRONOUS
-
-	// NOATIME will not update the file access time when reading from a file.
-	NOATIME = C.MNT_NOATIME
-)
-
-// These flags are unsupported.
-const (
-	BIND        = 0
-	DIRSYNC     = 0
-	MANDLOCK    = 0
-	NODEV       = 0
-	NODIRATIME  = 0
-	UNBINDABLE  = 0
-	RUNBINDABLE = 0
-	PRIVATE     = 0
-	RPRIVATE    = 0
-	SHARED      = 0
-	RSHARED     = 0
-	SLAVE       = 0
-	RSLAVE      = 0
-	RBIND       = 0
-	RELATIVE    = 0
-	RELATIME    = 0
-	REMOUNT     = 0
-	STRICTATIME = 0
-	mntDetach   = 0
-)

libnetwork/vendor/github.com/docker/docker/pkg/mount/flags_linux.go

@@ -1,87 +0,0 @@
-package mount // import "github.com/docker/docker/pkg/mount"
-
-import (
-	"golang.org/x/sys/unix"
-)
-
-const (
-	// RDONLY will mount the file system read-only.
-	RDONLY = unix.MS_RDONLY
-
-	// NOSUID will not allow set-user-identifier or set-group-identifier bits to
-	// take effect.
-	NOSUID = unix.MS_NOSUID
-
-	// NODEV will not interpret character or block special devices on the file
-	// system.
-	NODEV = unix.MS_NODEV
-
-	// NOEXEC will not allow execution of any binaries on the mounted file system.
-	NOEXEC = unix.MS_NOEXEC
-
-	// SYNCHRONOUS will allow I/O to the file system to be done synchronously.
-	SYNCHRONOUS = unix.MS_SYNCHRONOUS
-
-	// DIRSYNC will force all directory updates within the file system to be done
-	// synchronously. This affects the following system calls: create, link,
-	// unlink, symlink, mkdir, rmdir, mknod and rename.
-	DIRSYNC = unix.MS_DIRSYNC
-
-	// REMOUNT will attempt to remount an already-mounted file system. This is
-	// commonly used to change the mount flags for a file system, especially to
-	// make a readonly file system writeable. It does not change device or mount
-	// point.
-	REMOUNT = unix.MS_REMOUNT
-
-	// MANDLOCK will force mandatory locks on a filesystem.
-	MANDLOCK = unix.MS_MANDLOCK
-
-	// NOATIME will not update the file access time when reading from a file.
-	NOATIME = unix.MS_NOATIME
-
-	// NODIRATIME will not update the directory access time.
-	NODIRATIME = unix.MS_NODIRATIME
-
-	// BIND remounts a subtree somewhere else.
-	BIND = unix.MS_BIND
-
-	// RBIND remounts a subtree and all possible submounts somewhere else.
-	RBIND = unix.MS_BIND | unix.MS_REC
-
-	// UNBINDABLE creates a mount which cannot be cloned through a bind operation.
-	UNBINDABLE = unix.MS_UNBINDABLE
-
-	// RUNBINDABLE marks the entire mount tree as UNBINDABLE.
-	RUNBINDABLE = unix.MS_UNBINDABLE | unix.MS_REC
-
-	// PRIVATE creates a mount which carries no propagation abilities.
-	PRIVATE = unix.MS_PRIVATE
-
-	// RPRIVATE marks the entire mount tree as PRIVATE.
-	RPRIVATE = unix.MS_PRIVATE | unix.MS_REC
-
-	// SLAVE creates a mount which receives propagation from its master, but not
-	// vice versa.
-	SLAVE = unix.MS_SLAVE
-
-	// RSLAVE marks the entire mount tree as SLAVE.
-	RSLAVE = unix.MS_SLAVE | unix.MS_REC
-
-	// SHARED creates a mount which provides the ability to create mirrors of
-	// that mount such that mounts and unmounts within any of the mirrors
-	// propagate to the other mirrors.
-	SHARED = unix.MS_SHARED
-
-	// RSHARED marks the entire mount tree as SHARED.
-	RSHARED = unix.MS_SHARED | unix.MS_REC
-
-	// RELATIME updates inode access times relative to modify or change time.
-	RELATIME = unix.MS_RELATIME
-
-	// STRICTATIME allows to explicitly request full atime updates.  This makes
-	// it possible for the kernel to default to relatime or noatime but still
-	// allow userspace to override it.
-	STRICTATIME = unix.MS_STRICTATIME
-
-	mntDetach = unix.MNT_DETACH
-)

libnetwork/vendor/github.com/docker/docker/pkg/mount/flags_unsupported.go

@@ -1,31 +0,0 @@
-// +build !linux,!freebsd freebsd,!cgo
-
-package mount // import "github.com/docker/docker/pkg/mount"
-
-// These flags are unsupported.
-const (
-	BIND        = 0
-	DIRSYNC     = 0
-	MANDLOCK    = 0
-	NOATIME     = 0
-	NODEV       = 0
-	NODIRATIME  = 0
-	NOEXEC      = 0
-	NOSUID      = 0
-	UNBINDABLE  = 0
-	RUNBINDABLE = 0
-	PRIVATE     = 0
-	RPRIVATE    = 0
-	SHARED      = 0
-	RSHARED     = 0
-	SLAVE       = 0
-	RSLAVE      = 0
-	RBIND       = 0
-	RELATIME    = 0
-	RELATIVE    = 0
-	REMOUNT     = 0
-	STRICTATIME = 0
-	SYNCHRONOUS = 0
-	RDONLY      = 0
-	mntDetach   = 0
-)

libnetwork/vendor/github.com/docker/docker/pkg/mount/mount.go

@@ -1,159 +0,0 @@
-package mount // import "github.com/docker/docker/pkg/mount"
-
-import (
-	"sort"
-	"strconv"
-	"strings"
-
-	"github.com/sirupsen/logrus"
-)
-
-// mountError records an error from mount or unmount operation
-type mountError struct {
-	op             string
-	source, target string
-	flags          uintptr
-	data           string
-	err            error
-}
-
-func (e *mountError) Error() string {
-	out := e.op + " "
-
-	if e.source != "" {
-		out += e.source + ":" + e.target
-	} else {
-		out += e.target
-	}
-
-	if e.flags != uintptr(0) {
-		out += ", flags: 0x" + strconv.FormatUint(uint64(e.flags), 16)
-	}
-	if e.data != "" {
-		out += ", data: " + e.data
-	}
-
-	out += ": " + e.err.Error()
-	return out
-}
-
-// Cause returns the underlying cause of the error
-func (e *mountError) Cause() error {
-	return e.err
-}
-
-// FilterFunc is a type defining a callback function
-// to filter out unwanted entries. It takes a pointer
-// to an Info struct (not fully populated, currently
-// only Mountpoint is filled in), and returns two booleans:
-//  - skip: true if the entry should be skipped
-//  - stop: true if parsing should be stopped after the entry
-type FilterFunc func(*Info) (skip, stop bool)
-
-// PrefixFilter discards all entries whose mount points
-// do not start with a prefix specified
-func PrefixFilter(prefix string) FilterFunc {
-	return func(m *Info) (bool, bool) {
-		skip := !strings.HasPrefix(m.Mountpoint, prefix)
-		return skip, false
-	}
-}
-
-// SingleEntryFilter looks for a specific entry
-func SingleEntryFilter(mp string) FilterFunc {
-	return func(m *Info) (bool, bool) {
-		if m.Mountpoint == mp {
-			return false, true // don't skip, stop now
-		}
-		return true, false // skip, keep going
-	}
-}
-
-// ParentsFilter returns all entries whose mount points
-// can be parents of a path specified, discarding others.
-// For example, given `/var/lib/docker/something`, entries
-// like `/var/lib/docker`, `/var` and `/` are returned.
-func ParentsFilter(path string) FilterFunc {
-	return func(m *Info) (bool, bool) {
-		skip := !strings.HasPrefix(path, m.Mountpoint)
-		return skip, false
-	}
-}
-
-// GetMounts retrieves a list of mounts for the current running process,
-// with an optional filter applied (use nil for no filter).
-func GetMounts(f FilterFunc) ([]*Info, error) {
-	return parseMountTable(f)
-}
-
-// Mounted determines if a specified mountpoint has been mounted.
-// On Linux it looks at /proc/self/mountinfo.
-func Mounted(mountpoint string) (bool, error) {
-	entries, err := GetMounts(SingleEntryFilter(mountpoint))
-	if err != nil {
-		return false, err
-	}
-
-	return len(entries) > 0, nil
-}
-
-// Mount will mount filesystem according to the specified configuration, on the
-// condition that the target path is *not* already mounted. Options must be
-// specified like the mount or fstab unix commands: "opt1=val1,opt2=val2". See
-// flags.go for supported option flags.
-func Mount(device, target, mType, options string) error {
-	flag, _ := parseOptions(options)
-	if flag&REMOUNT != REMOUNT {
-		if mounted, err := Mounted(target); err != nil || mounted {
-			return err
-		}
-	}
-	return ForceMount(device, target, mType, options)
-}
-
-// ForceMount will mount a filesystem according to the specified configuration,
-// *regardless* if the target path is not already mounted. Options must be
-// specified like the mount or fstab unix commands: "opt1=val1,opt2=val2". See
-// flags.go for supported option flags.
-func ForceMount(device, target, mType, options string) error {
-	flag, data := parseOptions(options)
-	return mount(device, target, mType, uintptr(flag), data)
-}
-
-// Unmount lazily unmounts a filesystem on supported platforms, otherwise
-// does a normal unmount.
-func Unmount(target string) error {
-	return unmount(target, mntDetach)
-}
-
-// RecursiveUnmount unmounts the target and all mounts underneath, starting with
-// the deepsest mount first.
-func RecursiveUnmount(target string) error {
-	mounts, err := parseMountTable(PrefixFilter(target))
-	if err != nil {
-		return err
-	}
-
-	// Make the deepest mount be first
-	sort.Slice(mounts, func(i, j int) bool {
-		return len(mounts[i].Mountpoint) > len(mounts[j].Mountpoint)
-	})
-
-	for i, m := range mounts {
-		logrus.Debugf("Trying to unmount %s", m.Mountpoint)
-		err = unmount(m.Mountpoint, mntDetach)
-		if err != nil {
-			if i == len(mounts)-1 { // last mount
-				if mounted, e := Mounted(m.Mountpoint); e != nil || mounted {
-					return err
-				}
-			} else {
-				// This is some submount, we can ignore this error for now, the final unmount will fail if this is a real problem
-				logrus.WithError(err).Warnf("Failed to unmount submount %s", m.Mountpoint)
-			}
-		}
-
-		logrus.Debugf("Unmounted %s", m.Mountpoint)
-	}
-	return nil
-}

libnetwork/vendor/github.com/docker/docker/pkg/mount/mounter_freebsd.go

@@ -1,59 +0,0 @@
-package mount // import "github.com/docker/docker/pkg/mount"
-
-/*
-#include <errno.h>
-#include <stdlib.h>
-#include <string.h>
-#include <sys/_iovec.h>
-#include <sys/mount.h>
-#include <sys/param.h>
-*/
-import "C"
-
-import (
-	"strings"
-	"syscall"
-	"unsafe"
-)
-
-func allocateIOVecs(options []string) []C.struct_iovec {
-	out := make([]C.struct_iovec, len(options))
-	for i, option := range options {
-		out[i].iov_base = unsafe.Pointer(C.CString(option))
-		out[i].iov_len = C.size_t(len(option) + 1)
-	}
-	return out
-}
-
-func mount(device, target, mType string, flag uintptr, data string) error {
-	isNullFS := false
-
-	xs := strings.Split(data, ",")
-	for _, x := range xs {
-		if x == "bind" {
-			isNullFS = true
-		}
-	}
-
-	options := []string{"fspath", target}
-	if isNullFS {
-		options = append(options, "fstype", "nullfs", "target", device)
-	} else {
-		options = append(options, "fstype", mType, "from", device)
-	}
-	rawOptions := allocateIOVecs(options)
-	for _, rawOption := range rawOptions {
-		defer C.free(rawOption.iov_base)
-	}
-
-	if errno := C.nmount(&rawOptions[0], C.uint(len(options)), C.int(flag)); errno != 0 {
-		return &mountError{
-			op:     "mount",
-			source: device,
-			target: target,
-			flags:  flag,
-			err:    syscall.Errno(errno),
-		}
-	}
-	return nil
-}

libnetwork/vendor/github.com/docker/docker/pkg/mount/mounter_linux.go

@@ -1,73 +0,0 @@
-package mount // import "github.com/docker/docker/pkg/mount"
-
-import (
-	"golang.org/x/sys/unix"
-)
-
-const (
-	// ptypes is the set propagation types.
-	ptypes = unix.MS_SHARED | unix.MS_PRIVATE | unix.MS_SLAVE | unix.MS_UNBINDABLE
-
-	// pflags is the full set valid flags for a change propagation call.
-	pflags = ptypes | unix.MS_REC | unix.MS_SILENT
-
-	// broflags is the combination of bind and read only
-	broflags = unix.MS_BIND | unix.MS_RDONLY
-)
-
-// isremount returns true if either device name or flags identify a remount request, false otherwise.
-func isremount(device string, flags uintptr) bool {
-	switch {
-	// We treat device "" and "none" as a remount request to provide compatibility with
-	// requests that don't explicitly set MS_REMOUNT such as those manipulating bind mounts.
-	case flags&unix.MS_REMOUNT != 0, device == "", device == "none":
-		return true
-	default:
-		return false
-	}
-}
-
-func mount(device, target, mType string, flags uintptr, data string) error {
-	oflags := flags &^ ptypes
-	if !isremount(device, flags) || data != "" {
-		// Initial call applying all non-propagation flags for mount
-		// or remount with changed data
-		if err := unix.Mount(device, target, mType, oflags, data); err != nil {
-			return &mountError{
-				op:     "mount",
-				source: device,
-				target: target,
-				flags:  oflags,
-				data:   data,
-				err:    err,
-			}
-		}
-	}
-
-	if flags&ptypes != 0 {
-		// Change the propagation type.
-		if err := unix.Mount("", target, "", flags&pflags, ""); err != nil {
-			return &mountError{
-				op:     "remount",
-				target: target,
-				flags:  flags & pflags,
-				err:    err,
-			}
-		}
-	}
-
-	if oflags&broflags == broflags {
-		// Remount the bind to apply read only.
-		if err := unix.Mount("", target, "", oflags|unix.MS_REMOUNT, ""); err != nil {
-			return &mountError{
-				op:     "remount-ro",
-				target: target,
-				flags:  oflags | unix.MS_REMOUNT,
-				err:    err,
-			}
-
-		}
-	}
-
-	return nil
-}

libnetwork/vendor/github.com/docker/docker/pkg/mount/mounter_unsupported.go

@@ -1,7 +0,0 @@
-// +build !linux,!freebsd freebsd,!cgo
-
-package mount // import "github.com/docker/docker/pkg/mount"
-
-func mount(device, target, mType string, flag uintptr, data string) error {
-	panic("Not implemented")
-}

libnetwork/vendor/github.com/docker/docker/pkg/mount/mountinfo.go

@@ -1,40 +0,0 @@
-package mount // import "github.com/docker/docker/pkg/mount"
-
-// Info reveals information about a particular mounted filesystem. This
-// struct is populated from the content in the /proc/<pid>/mountinfo file.
-type Info struct {
-	// ID is a unique identifier of the mount (may be reused after umount).
-	ID int
-
-	// Parent indicates the ID of the mount parent (or of self for the top of the
-	// mount tree).
-	Parent int
-
-	// Major indicates one half of the device ID which identifies the device class.
-	Major int
-
-	// Minor indicates one half of the device ID which identifies a specific
-	// instance of device.
-	Minor int
-
-	// Root of the mount within the filesystem.
-	Root string
-
-	// Mountpoint indicates the mount point relative to the process's root.
-	Mountpoint string
-
-	// Opts represents mount-specific options.
-	Opts string
-
-	// Optional represents optional fields.
-	Optional string
-
-	// Fstype indicates the type of filesystem, such as EXT3.
-	Fstype string
-
-	// Source indicates filesystem specific information or "none".
-	Source string
-
-	// VfsOpts represents per super block options.
-	VfsOpts string
-}

libnetwork/vendor/github.com/docker/docker/pkg/mount/mountinfo_freebsd.go

@@ -1,55 +0,0 @@
-package mount // import "github.com/docker/docker/pkg/mount"
-
-/*
-#include <sys/param.h>
-#include <sys/ucred.h>
-#include <sys/mount.h>
-*/
-import "C"
-
-import (
-	"fmt"
-	"reflect"
-	"unsafe"
-)
-
-// Parse /proc/self/mountinfo because comparing Dev and ino does not work from
-// bind mounts.
-func parseMountTable(filter FilterFunc) ([]*Info, error) {
-	var rawEntries *C.struct_statfs
-
-	count := int(C.getmntinfo(&rawEntries, C.MNT_WAIT))
-	if count == 0 {
-		return nil, fmt.Errorf("Failed to call getmntinfo")
-	}
-
-	var entries []C.struct_statfs
-	header := (*reflect.SliceHeader)(unsafe.Pointer(&entries))
-	header.Cap = count
-	header.Len = count
-	header.Data = uintptr(unsafe.Pointer(rawEntries))
-
-	var out []*Info
-	for _, entry := range entries {
-		var mountinfo Info
-		var skip, stop bool
-		mountinfo.Mountpoint = C.GoString(&entry.f_mntonname[0])
-
-		if filter != nil {
-			// filter out entries we're not interested in
-			skip, stop = filter(p)
-			if skip {
-				continue
-			}
-		}
-
-		mountinfo.Source = C.GoString(&entry.f_mntfromname[0])
-		mountinfo.Fstype = C.GoString(&entry.f_fstypename[0])
-
-		out = append(out, &mountinfo)
-		if stop {
-			break
-		}
-	}
-	return out, nil
-}

libnetwork/vendor/github.com/docker/docker/pkg/mount/mountinfo_linux.go

@@ -1,144 +0,0 @@
-package mount // import "github.com/docker/docker/pkg/mount"
-
-import (
-	"bufio"
-	"fmt"
-	"io"
-	"os"
-	"strconv"
-	"strings"
-
-	"github.com/pkg/errors"
-)
-
-func parseInfoFile(r io.Reader, filter FilterFunc) ([]*Info, error) {
-	s := bufio.NewScanner(r)
-	out := []*Info{}
-	var err error
-	for s.Scan() {
-		if err = s.Err(); err != nil {
-			return nil, err
-		}
-		/*
-		   See http://man7.org/linux/man-pages/man5/proc.5.html
-
-		   36 35 98:0 /mnt1 /mnt2 rw,noatime master:1 - ext3 /dev/root rw,errors=continue
-		   (1)(2)(3)   (4)   (5)      (6)      (7)   (8) (9)   (10)         (11)
-
-		   (1) mount ID:  unique identifier of the mount (may be reused after umount)
-		   (2) parent ID:  ID of parent (or of self for the top of the mount tree)
-		   (3) major:minor:  value of st_dev for files on filesystem
-		   (4) root:  root of the mount within the filesystem
-		   (5) mount point:  mount point relative to the process's root
-		   (6) mount options:  per mount options
-		   (7) optional fields:  zero or more fields of the form "tag[:value]"
-		   (8) separator:  marks the end of the optional fields
-		   (9) filesystem type:  name of filesystem of the form "type[.subtype]"
-		   (10) mount source:  filesystem specific information or "none"
-		   (11) super options:  per super block options
-		*/
-
-		text := s.Text()
-		fields := strings.Split(text, " ")
-		numFields := len(fields)
-		if numFields < 10 {
-			// should be at least 10 fields
-			return nil, fmt.Errorf("Parsing '%s' failed: not enough fields (%d)", text, numFields)
-		}
-
-		p := &Info{}
-		// ignore any numbers parsing errors, as there should not be any
-		p.ID, _ = strconv.Atoi(fields[0])
-		p.Parent, _ = strconv.Atoi(fields[1])
-		mm := strings.Split(fields[2], ":")
-		if len(mm) != 2 {
-			return nil, fmt.Errorf("Parsing '%s' failed: unexpected minor:major pair %s", text, mm)
-		}
-		p.Major, _ = strconv.Atoi(mm[0])
-		p.Minor, _ = strconv.Atoi(mm[1])
-
-		p.Root, err = strconv.Unquote(`"` + fields[3] + `"`)
-		if err != nil {
-			return nil, errors.Wrapf(err, "Parsing '%s' failed: unable to unquote root field", fields[3])
-		}
-
-		p.Mountpoint, err = strconv.Unquote(`"` + fields[4] + `"`)
-		if err != nil {
-			return nil, errors.Wrapf(err, "Parsing '%s' failed: unable to unquote mount point field", fields[4])
-		}
-		p.Opts = fields[5]
-
-		var skip, stop bool
-		if filter != nil {
-			// filter out entries we're not interested in
-			skip, stop = filter(p)
-			if skip {
-				continue
-			}
-		}
-
-		// one or more optional fields, when a separator (-)
-		i := 6
-		for ; i < numFields && fields[i] != "-"; i++ {
-			switch i {
-			case 6:
-				p.Optional = fields[6]
-			default:
-				/* NOTE there might be more optional fields before the such as
-				   fields[7]...fields[N] (where N < sepIndex), although
-				   as of Linux kernel 4.15 the only known ones are
-				   mount propagation flags in fields[6]. The correct
-				   behavior is to ignore any unknown optional fields.
-				*/
-				break
-			}
-		}
-		if i == numFields {
-			return nil, fmt.Errorf("Parsing '%s' failed: missing separator ('-')", text)
-		}
-
-		// There should be 3 fields after the separator...
-		if i+4 > numFields {
-			return nil, fmt.Errorf("Parsing '%s' failed: not enough fields after a separator", text)
-		}
-		// ... but in Linux <= 3.9 mounting a cifs with spaces in a share name
-		// (like "//serv/My Documents") _may_ end up having a space in the last field
-		// of mountinfo (like "unc=//serv/My Documents"). Since kernel 3.10-rc1, cifs
-		// option unc= is ignored,  so a space should not appear. In here we ignore
-		// those "extra" fields caused by extra spaces.
-		p.Fstype = fields[i+1]
-		p.Source = fields[i+2]
-		p.VfsOpts = fields[i+3]
-
-		out = append(out, p)
-		if stop {
-			break
-		}
-	}
-	return out, nil
-}
-
-// Parse /proc/self/mountinfo because comparing Dev and ino does not work from
-// bind mounts
-func parseMountTable(filter FilterFunc) ([]*Info, error) {
-	f, err := os.Open("/proc/self/mountinfo")
-	if err != nil {
-		return nil, err
-	}
-	defer f.Close()
-
-	return parseInfoFile(f, filter)
-}
-
-// PidMountInfo collects the mounts for a specific process ID. If the process
-// ID is unknown, it is better to use `GetMounts` which will inspect
-// "/proc/self/mountinfo" instead.
-func PidMountInfo(pid int) ([]*Info, error) {
-	f, err := os.Open(fmt.Sprintf("/proc/%d/mountinfo", pid))
-	if err != nil {
-		return nil, err
-	}
-	defer f.Close()
-
-	return parseInfoFile(f, nil)
-}

libnetwork/vendor/github.com/docker/docker/pkg/mount/mountinfo_unsupported.go

@@ -1,12 +0,0 @@
-// +build !windows,!linux,!freebsd freebsd,!cgo
-
-package mount // import "github.com/docker/docker/pkg/mount"
-
-import (
-	"fmt"
-	"runtime"
-)
-
-func parseMountTable(f FilterFunc) ([]*Info, error) {
-	return nil, fmt.Errorf("mount.parseMountTable is not implemented on %s/%s", runtime.GOOS, runtime.GOARCH)
-}

libnetwork/vendor/github.com/docker/docker/pkg/mount/mountinfo_windows.go

@@ -1,6 +0,0 @@
-package mount // import "github.com/docker/docker/pkg/mount"
-
-func parseMountTable(f FilterFunc) ([]*Info, error) {
-	// Do NOT return an error!
-	return nil, nil
-}

libnetwork/vendor/github.com/docker/docker/pkg/mount/sharedsubtree_linux.go

@@ -1,71 +0,0 @@
-package mount // import "github.com/docker/docker/pkg/mount"
-
-// MakeShared ensures a mounted filesystem has the SHARED mount option enabled.
-// See the supported options in flags.go for further reference.
-func MakeShared(mountPoint string) error {
-	return ensureMountedAs(mountPoint, "shared")
-}
-
-// MakeRShared ensures a mounted filesystem has the RSHARED mount option enabled.
-// See the supported options in flags.go for further reference.
-func MakeRShared(mountPoint string) error {
-	return ensureMountedAs(mountPoint, "rshared")
-}
-
-// MakePrivate ensures a mounted filesystem has the PRIVATE mount option enabled.
-// See the supported options in flags.go for further reference.
-func MakePrivate(mountPoint string) error {
-	return ensureMountedAs(mountPoint, "private")
-}
-
-// MakeRPrivate ensures a mounted filesystem has the RPRIVATE mount option
-// enabled. See the supported options in flags.go for further reference.
-func MakeRPrivate(mountPoint string) error {
-	return ensureMountedAs(mountPoint, "rprivate")
-}
-
-// MakeSlave ensures a mounted filesystem has the SLAVE mount option enabled.
-// See the supported options in flags.go for further reference.
-func MakeSlave(mountPoint string) error {
-	return ensureMountedAs(mountPoint, "slave")
-}
-
-// MakeRSlave ensures a mounted filesystem has the RSLAVE mount option enabled.
-// See the supported options in flags.go for further reference.
-func MakeRSlave(mountPoint string) error {
-	return ensureMountedAs(mountPoint, "rslave")
-}
-
-// MakeUnbindable ensures a mounted filesystem has the UNBINDABLE mount option
-// enabled. See the supported options in flags.go for further reference.
-func MakeUnbindable(mountPoint string) error {
-	return ensureMountedAs(mountPoint, "unbindable")
-}
-
-// MakeRUnbindable ensures a mounted filesystem has the RUNBINDABLE mount
-// option enabled. See the supported options in flags.go for further reference.
-func MakeRUnbindable(mountPoint string) error {
-	return ensureMountedAs(mountPoint, "runbindable")
-}
-
-// MakeMount ensures that the file or directory given is a mount point,
-// bind mounting it to itself it case it is not.
-func MakeMount(mnt string) error {
-	mounted, err := Mounted(mnt)
-	if err != nil {
-		return err
-	}
-	if mounted {
-		return nil
-	}
-
-	return Mount(mnt, mnt, "none", "bind")
-}
-
-func ensureMountedAs(mountPoint, options string) error {
-	if err := MakeMount(mountPoint); err != nil {
-		return err
-	}
-
-	return ForceMount("", mountPoint, "none", options)
-}

libnetwork/vendor/github.com/docker/docker/pkg/mount/unmount_unix.go

@@ -1,22 +0,0 @@
-// +build !windows
-
-package mount // import "github.com/docker/docker/pkg/mount"
-
-import "golang.org/x/sys/unix"
-
-func unmount(target string, flags int) error {
-	err := unix.Unmount(target, flags)
-	if err == nil || err == unix.EINVAL {
-		// Ignore "not mounted" error here. Note the same error
-		// can be returned if flags are invalid, so this code
-		// assumes that the flags value is always correct.
-		return nil
-	}
-
-	return &mountError{
-		op:     "umount",
-		target: target,
-		flags:  uintptr(flags),
-		err:    err,
-	}
-}

libnetwork/vendor/github.com/docker/docker/pkg/mount/unmount_unsupported.go

@@ -1,7 +0,0 @@
-// +build windows
-
-package mount // import "github.com/docker/docker/pkg/mount"
-
-func unmount(target string, flag int) error {
-	panic("Not implemented")
-}

libnetwork/vendor/github.com/docker/docker/pkg/system/args_windows.go

@@ -1,16 +0,0 @@
-package system // import "github.com/docker/docker/pkg/system"
-
-import (
-	"strings"
-
-	"golang.org/x/sys/windows"
-)
-
-// EscapeArgs makes a Windows-style escaped command line from a set of arguments
-func EscapeArgs(args []string) string {
-	escapedArgs := make([]string, len(args))
-	for i, a := range args {
-		escapedArgs[i] = windows.EscapeArg(a)
-	}
-	return strings.Join(escapedArgs, " ")
-}

libnetwork/vendor/github.com/docker/docker/pkg/system/chtimes.go

@@ -1,31 +0,0 @@
-package system // import "github.com/docker/docker/pkg/system"
-
-import (
-	"os"
-	"time"
-)
-
-// Chtimes changes the access time and modified time of a file at the given path
-func Chtimes(name string, atime time.Time, mtime time.Time) error {
-	unixMinTime := time.Unix(0, 0)
-	unixMaxTime := maxTime
-
-	// If the modified time is prior to the Unix Epoch, or after the
-	// end of Unix Time, os.Chtimes has undefined behavior
-	// default to Unix Epoch in this case, just in case
-
-	if atime.Before(unixMinTime) || atime.After(unixMaxTime) {
-		atime = unixMinTime
-	}
-
-	if mtime.Before(unixMinTime) || mtime.After(unixMaxTime) {
-		mtime = unixMinTime
-	}
-
-	if err := os.Chtimes(name, atime, mtime); err != nil {
-		return err
-	}
-
-	// Take platform specific action for setting create time.
-	return setCTime(name, mtime)
-}

libnetwork/vendor/github.com/docker/docker/pkg/system/chtimes_unix.go

@@ -1,14 +0,0 @@
-// +build !windows
-
-package system // import "github.com/docker/docker/pkg/system"
-
-import (
-	"time"
-)
-
-//setCTime will set the create time on a file. On Unix, the create
-//time is updated as a side effect of setting the modified time, so
-//no action is required.
-func setCTime(path string, ctime time.Time) error {
-	return nil
-}

libnetwork/vendor/github.com/docker/docker/pkg/system/chtimes_windows.go

@@ -1,26 +0,0 @@
-package system // import "github.com/docker/docker/pkg/system"
-
-import (
-	"time"
-
-	"golang.org/x/sys/windows"
-)
-
-//setCTime will set the create time on a file. On Windows, this requires
-//calling SetFileTime and explicitly including the create time.
-func setCTime(path string, ctime time.Time) error {
-	ctimespec := windows.NsecToTimespec(ctime.UnixNano())
-	pathp, e := windows.UTF16PtrFromString(path)
-	if e != nil {
-		return e
-	}
-	h, e := windows.CreateFile(pathp,
-		windows.FILE_WRITE_ATTRIBUTES, windows.FILE_SHARE_WRITE, nil,
-		windows.OPEN_EXISTING, windows.FILE_FLAG_BACKUP_SEMANTICS, 0)
-	if e != nil {
-		return e
-	}
-	defer windows.Close(h)
-	c := windows.NsecToFiletime(windows.TimespecToNsec(ctimespec))
-	return windows.SetFileTime(h, &c, nil, nil)
-}

libnetwork/vendor/github.com/docker/docker/pkg/system/errors.go

@@ -1,13 +0,0 @@
-package system // import "github.com/docker/docker/pkg/system"
-
-import (
-	"errors"
-)
-
-var (
-	// ErrNotSupportedPlatform means the platform is not supported.
-	ErrNotSupportedPlatform = errors.New("platform and architecture is not supported")
-
-	// ErrNotSupportedOperatingSystem means the operating system is not supported.
-	ErrNotSupportedOperatingSystem = errors.New("operating system is not supported")
-)

libnetwork/vendor/github.com/docker/docker/pkg/system/exitcode.go

@@ -1,19 +0,0 @@
-package system // import "github.com/docker/docker/pkg/system"
-
-import (
-	"fmt"
-	"os/exec"
-	"syscall"
-)
-
-// GetExitCode returns the ExitStatus of the specified error if its type is
-// exec.ExitError, returns 0 and an error otherwise.
-func GetExitCode(err error) (int, error) {
-	exitCode := 0
-	if exiterr, ok := err.(*exec.ExitError); ok {
-		if procExit, ok := exiterr.Sys().(syscall.WaitStatus); ok {
-			return procExit.ExitStatus(), nil
-		}
-	}
-	return exitCode, fmt.Errorf("failed to get exit code")
-}

libnetwork/vendor/github.com/docker/docker/pkg/system/filesys.go

@@ -1,67 +0,0 @@
-// +build !windows
-
-package system // import "github.com/docker/docker/pkg/system"
-
-import (
-	"io/ioutil"
-	"os"
-	"path/filepath"
-)
-
-// MkdirAllWithACL is a wrapper for MkdirAll on unix systems.
-func MkdirAllWithACL(path string, perm os.FileMode, sddl string) error {
-	return MkdirAll(path, perm, sddl)
-}
-
-// MkdirAll creates a directory named path along with any necessary parents,
-// with permission specified by attribute perm for all dir created.
-func MkdirAll(path string, perm os.FileMode, sddl string) error {
-	return os.MkdirAll(path, perm)
-}
-
-// IsAbs is a platform-specific wrapper for filepath.IsAbs.
-func IsAbs(path string) bool {
-	return filepath.IsAbs(path)
-}
-
-// The functions below here are wrappers for the equivalents in the os and ioutils packages.
-// They are passthrough on Unix platforms, and only relevant on Windows.
-
-// CreateSequential creates the named file with mode 0666 (before umask), truncating
-// it if it already exists. If successful, methods on the returned
-// File can be used for I/O; the associated file descriptor has mode
-// O_RDWR.
-// If there is an error, it will be of type *PathError.
-func CreateSequential(name string) (*os.File, error) {
-	return os.Create(name)
-}
-
-// OpenSequential opens the named file for reading. If successful, methods on
-// the returned file can be used for reading; the associated file
-// descriptor has mode O_RDONLY.
-// If there is an error, it will be of type *PathError.
-func OpenSequential(name string) (*os.File, error) {
-	return os.Open(name)
-}
-
-// OpenFileSequential is the generalized open call; most users will use Open
-// or Create instead. It opens the named file with specified flag
-// (O_RDONLY etc.) and perm, (0666 etc.) if applicable. If successful,
-// methods on the returned File can be used for I/O.
-// If there is an error, it will be of type *PathError.
-func OpenFileSequential(name string, flag int, perm os.FileMode) (*os.File, error) {
-	return os.OpenFile(name, flag, perm)
-}
-
-// TempFileSequential creates a new temporary file in the directory dir
-// with a name beginning with prefix, opens the file for reading
-// and writing, and returns the resulting *os.File.
-// If dir is the empty string, TempFile uses the default directory
-// for temporary files (see os.TempDir).
-// Multiple programs calling TempFile simultaneously
-// will not choose the same file. The caller can use f.Name()
-// to find the pathname of the file. It is the caller's responsibility
-// to remove the file when no longer needed.
-func TempFileSequential(dir, prefix string) (f *os.File, err error) {
-	return ioutil.TempFile(dir, prefix)
-}

libnetwork/vendor/github.com/docker/docker/pkg/system/filesys_windows.go

@@ -1,294 +0,0 @@
-package system // import "github.com/docker/docker/pkg/system"
-
-import (
-	"os"
-	"path/filepath"
-	"regexp"
-	"strconv"
-	"strings"
-	"sync"
-	"syscall"
-	"time"
-	"unsafe"
-
-	winio "github.com/Microsoft/go-winio"
-	"golang.org/x/sys/windows"
-)
-
-const (
-	// SddlAdministratorsLocalSystem is local administrators plus NT AUTHORITY\System
-	SddlAdministratorsLocalSystem = "D:P(A;OICI;GA;;;BA)(A;OICI;GA;;;SY)"
-)
-
-// MkdirAllWithACL is a wrapper for MkdirAll that creates a directory
-// with an appropriate SDDL defined ACL.
-func MkdirAllWithACL(path string, perm os.FileMode, sddl string) error {
-	return mkdirall(path, true, sddl)
-}
-
-// MkdirAll implementation that is volume path aware for Windows.
-func MkdirAll(path string, _ os.FileMode, sddl string) error {
-	return mkdirall(path, false, sddl)
-}
-
-// mkdirall is a custom version of os.MkdirAll modified for use on Windows
-// so that it is both volume path aware, and can create a directory with
-// a DACL.
-func mkdirall(path string, applyACL bool, sddl string) error {
-	if re := regexp.MustCompile(`^\\\\\?\\Volume{[a-z0-9-]+}$`); re.MatchString(path) {
-		return nil
-	}
-
-	// The rest of this method is largely copied from os.MkdirAll and should be kept
-	// as-is to ensure compatibility.
-
-	// Fast path: if we can tell whether path is a directory or file, stop with success or error.
-	dir, err := os.Stat(path)
-	if err == nil {
-		if dir.IsDir() {
-			return nil
-		}
-		return &os.PathError{
-			Op:   "mkdir",
-			Path: path,
-			Err:  syscall.ENOTDIR,
-		}
-	}
-
-	// Slow path: make sure parent exists and then call Mkdir for path.
-	i := len(path)
-	for i > 0 && os.IsPathSeparator(path[i-1]) { // Skip trailing path separator.
-		i--
-	}
-
-	j := i
-	for j > 0 && !os.IsPathSeparator(path[j-1]) { // Scan backward over element.
-		j--
-	}
-
-	if j > 1 {
-		// Create parent
-		err = mkdirall(path[0:j-1], false, sddl)
-		if err != nil {
-			return err
-		}
-	}
-
-	// Parent now exists; invoke os.Mkdir or mkdirWithACL and use its result.
-	if applyACL {
-		err = mkdirWithACL(path, sddl)
-	} else {
-		err = os.Mkdir(path, 0)
-	}
-
-	if err != nil {
-		// Handle arguments like "foo/." by
-		// double-checking that directory doesn't exist.
-		dir, err1 := os.Lstat(path)
-		if err1 == nil && dir.IsDir() {
-			return nil
-		}
-		return err
-	}
-	return nil
-}
-
-// mkdirWithACL creates a new directory. If there is an error, it will be of
-// type *PathError. .
-//
-// This is a modified and combined version of os.Mkdir and windows.Mkdir
-// in golang to cater for creating a directory am ACL permitting full
-// access, with inheritance, to any subfolder/file for Built-in Administrators
-// and Local System.
-func mkdirWithACL(name string, sddl string) error {
-	sa := windows.SecurityAttributes{Length: 0}
-	sd, err := winio.SddlToSecurityDescriptor(sddl)
-	if err != nil {
-		return &os.PathError{Op: "mkdir", Path: name, Err: err}
-	}
-	sa.Length = uint32(unsafe.Sizeof(sa))
-	sa.InheritHandle = 1
-	sa.SecurityDescriptor = uintptr(unsafe.Pointer(&sd[0]))
-
-	namep, err := windows.UTF16PtrFromString(name)
-	if err != nil {
-		return &os.PathError{Op: "mkdir", Path: name, Err: err}
-	}
-
-	e := windows.CreateDirectory(namep, &sa)
-	if e != nil {
-		return &os.PathError{Op: "mkdir", Path: name, Err: e}
-	}
-	return nil
-}
-
-// IsAbs is a platform-specific wrapper for filepath.IsAbs. On Windows,
-// golang filepath.IsAbs does not consider a path \windows\system32 as absolute
-// as it doesn't start with a drive-letter/colon combination. However, in
-// docker we need to verify things such as WORKDIR /windows/system32 in
-// a Dockerfile (which gets translated to \windows\system32 when being processed
-// by the daemon. This SHOULD be treated as absolute from a docker processing
-// perspective.
-func IsAbs(path string) bool {
-	if !filepath.IsAbs(path) {
-		if !strings.HasPrefix(path, string(os.PathSeparator)) {
-			return false
-		}
-	}
-	return true
-}
-
-// The origin of the functions below here are the golang OS and windows packages,
-// slightly modified to only cope with files, not directories due to the
-// specific use case.
-//
-// The alteration is to allow a file on Windows to be opened with
-// FILE_FLAG_SEQUENTIAL_SCAN (particular for docker load), to avoid eating
-// the standby list, particularly when accessing large files such as layer.tar.
-
-// CreateSequential creates the named file with mode 0666 (before umask), truncating
-// it if it already exists. If successful, methods on the returned
-// File can be used for I/O; the associated file descriptor has mode
-// O_RDWR.
-// If there is an error, it will be of type *PathError.
-func CreateSequential(name string) (*os.File, error) {
-	return OpenFileSequential(name, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0)
-}
-
-// OpenSequential opens the named file for reading. If successful, methods on
-// the returned file can be used for reading; the associated file
-// descriptor has mode O_RDONLY.
-// If there is an error, it will be of type *PathError.
-func OpenSequential(name string) (*os.File, error) {
-	return OpenFileSequential(name, os.O_RDONLY, 0)
-}
-
-// OpenFileSequential is the generalized open call; most users will use Open
-// or Create instead.
-// If there is an error, it will be of type *PathError.
-func OpenFileSequential(name string, flag int, _ os.FileMode) (*os.File, error) {
-	if name == "" {
-		return nil, &os.PathError{Op: "open", Path: name, Err: syscall.ENOENT}
-	}
-	r, errf := windowsOpenFileSequential(name, flag, 0)
-	if errf == nil {
-		return r, nil
-	}
-	return nil, &os.PathError{Op: "open", Path: name, Err: errf}
-}
-
-func windowsOpenFileSequential(name string, flag int, _ os.FileMode) (file *os.File, err error) {
-	r, e := windowsOpenSequential(name, flag|windows.O_CLOEXEC, 0)
-	if e != nil {
-		return nil, e
-	}
-	return os.NewFile(uintptr(r), name), nil
-}
-
-func makeInheritSa() *windows.SecurityAttributes {
-	var sa windows.SecurityAttributes
-	sa.Length = uint32(unsafe.Sizeof(sa))
-	sa.InheritHandle = 1
-	return &sa
-}
-
-func windowsOpenSequential(path string, mode int, _ uint32) (fd windows.Handle, err error) {
-	if len(path) == 0 {
-		return windows.InvalidHandle, windows.ERROR_FILE_NOT_FOUND
-	}
-	pathp, err := windows.UTF16PtrFromString(path)
-	if err != nil {
-		return windows.InvalidHandle, err
-	}
-	var access uint32
-	switch mode & (windows.O_RDONLY | windows.O_WRONLY | windows.O_RDWR) {
-	case windows.O_RDONLY:
-		access = windows.GENERIC_READ
-	case windows.O_WRONLY:
-		access = windows.GENERIC_WRITE
-	case windows.O_RDWR:
-		access = windows.GENERIC_READ | windows.GENERIC_WRITE
-	}
-	if mode&windows.O_CREAT != 0 {
-		access |= windows.GENERIC_WRITE
-	}
-	if mode&windows.O_APPEND != 0 {
-		access &^= windows.GENERIC_WRITE
-		access |= windows.FILE_APPEND_DATA
-	}
-	sharemode := uint32(windows.FILE_SHARE_READ | windows.FILE_SHARE_WRITE)
-	var sa *windows.SecurityAttributes
-	if mode&windows.O_CLOEXEC == 0 {
-		sa = makeInheritSa()
-	}
-	var createmode uint32
-	switch {
-	case mode&(windows.O_CREAT|windows.O_EXCL) == (windows.O_CREAT | windows.O_EXCL):
-		createmode = windows.CREATE_NEW
-	case mode&(windows.O_CREAT|windows.O_TRUNC) == (windows.O_CREAT | windows.O_TRUNC):
-		createmode = windows.CREATE_ALWAYS
-	case mode&windows.O_CREAT == windows.O_CREAT:
-		createmode = windows.OPEN_ALWAYS
-	case mode&windows.O_TRUNC == windows.O_TRUNC:
-		createmode = windows.TRUNCATE_EXISTING
-	default:
-		createmode = windows.OPEN_EXISTING
-	}
-	// Use FILE_FLAG_SEQUENTIAL_SCAN rather than FILE_ATTRIBUTE_NORMAL as implemented in golang.
-	//https://msdn.microsoft.com/en-us/library/windows/desktop/aa363858(v=vs.85).aspx
-	const fileFlagSequentialScan = 0x08000000 // FILE_FLAG_SEQUENTIAL_SCAN
-	h, e := windows.CreateFile(pathp, access, sharemode, sa, createmode, fileFlagSequentialScan, 0)
-	return h, e
-}
-
-// Helpers for TempFileSequential
-var rand uint32
-var randmu sync.Mutex
-
-func reseed() uint32 {
-	return uint32(time.Now().UnixNano() + int64(os.Getpid()))
-}
-func nextSuffix() string {
-	randmu.Lock()
-	r := rand
-	if r == 0 {
-		r = reseed()
-	}
-	r = r*1664525 + 1013904223 // constants from Numerical Recipes
-	rand = r
-	randmu.Unlock()
-	return strconv.Itoa(int(1e9 + r%1e9))[1:]
-}
-
-// TempFileSequential is a copy of ioutil.TempFile, modified to use sequential
-// file access. Below is the original comment from golang:
-// TempFile creates a new temporary file in the directory dir
-// with a name beginning with prefix, opens the file for reading
-// and writing, and returns the resulting *os.File.
-// If dir is the empty string, TempFile uses the default directory
-// for temporary files (see os.TempDir).
-// Multiple programs calling TempFile simultaneously
-// will not choose the same file. The caller can use f.Name()
-// to find the pathname of the file. It is the caller's responsibility
-// to remove the file when no longer needed.
-func TempFileSequential(dir, prefix string) (f *os.File, err error) {
-	if dir == "" {
-		dir = os.TempDir()
-	}
-
-	nconflict := 0
-	for i := 0; i < 10000; i++ {
-		name := filepath.Join(dir, prefix+nextSuffix())
-		f, err = OpenFileSequential(name, os.O_RDWR|os.O_CREATE|os.O_EXCL, 0600)
-		if os.IsExist(err) {
-			if nconflict++; nconflict > 10 {
-				randmu.Lock()
-				rand = reseed()
-				randmu.Unlock()
-			}
-			continue
-		}
-		break
-	}
-	return
-}

libnetwork/vendor/github.com/docker/docker/pkg/system/init.go

@@ -1,22 +0,0 @@
-package system // import "github.com/docker/docker/pkg/system"
-
-import (
-	"syscall"
-	"time"
-	"unsafe"
-)
-
-// Used by chtimes
-var maxTime time.Time
-
-func init() {
-	// chtimes initialization
-	if unsafe.Sizeof(syscall.Timespec{}.Nsec) == 8 {
-		// This is a 64 bit timespec
-		// os.Chtimes limits time to the following
-		maxTime = time.Unix(0, 1<<63-1)
-	} else {
-		// This is a 32 bit timespec
-		maxTime = time.Unix(1<<31-1, 0)
-	}
-}

libnetwork/vendor/github.com/docker/docker/pkg/system/init_unix.go

@@ -1,12 +0,0 @@
-// +build !windows
-
-package system // import "github.com/docker/docker/pkg/system"
-
-// InitLCOW does nothing since LCOW is a windows only feature
-func InitLCOW(experimental bool) {
-}
-
-// ContainerdRuntimeSupported returns true if the use of ContainerD runtime is supported.
-func ContainerdRuntimeSupported(_ bool, _ string) bool {
-	return true
-}

libnetwork/vendor/github.com/docker/docker/pkg/system/init_windows.go

@@ -1,40 +0,0 @@
-package system // import "github.com/docker/docker/pkg/system"
-
-import (
-	"os"
-
-	"github.com/sirupsen/logrus"
-)
-
-var (
-	// lcowSupported determines if Linux Containers on Windows are supported.
-	lcowSupported = false
-
-	// containerdRuntimeSupported determines if ContainerD should be the runtime.
-	// As of March 2019, this is an experimental feature.
-	containerdRuntimeSupported = false
-)
-
-// InitLCOW sets whether LCOW is supported or not
-func InitLCOW(experimental bool) {
-	v := GetOSVersion()
-	if experimental && v.Build >= 16299 {
-		lcowSupported = true
-	}
-}
-
-// InitContainerdRuntime sets whether to use ContainerD for runtime
-// on Windows. This is an experimental feature still in development, and
-// also requires an environment variable to be set (so as not to turn the
-// feature on from simply experimental which would also mean LCOW.
-func InitContainerdRuntime(experimental bool, cdPath string) {
-	if experimental && len(cdPath) > 0 && len(os.Getenv("DOCKER_WINDOWS_CONTAINERD_RUNTIME")) > 0 {
-		logrus.Warnf("Using ContainerD runtime. This feature is experimental")
-		containerdRuntimeSupported = true
-	}
-}
-
-// ContainerdRuntimeSupported returns true if the use of ContainerD runtime is supported.
-func ContainerdRuntimeSupported() bool {
-	return containerdRuntimeSupported
-}

libnetwork/vendor/github.com/docker/docker/pkg/system/lcow.go

@@ -1,32 +0,0 @@
-package system // import "github.com/docker/docker/pkg/system"
-
-import (
-	"runtime"
-	"strings"
-
-	specs "github.com/opencontainers/image-spec/specs-go/v1"
-	"github.com/pkg/errors"
-)
-
-// IsOSSupported determines if an operating system is supported by the host
-func IsOSSupported(os string) bool {
-	if strings.EqualFold(runtime.GOOS, os) {
-		return true
-	}
-	if LCOWSupported() && strings.EqualFold(os, "linux") {
-		return true
-	}
-	return false
-}
-
-// ValidatePlatform determines if a platform structure is valid.
-// TODO This is a temporary windows-only function, should be replaced by
-// comparison of worker capabilities
-func ValidatePlatform(platform specs.Platform) error {
-	if runtime.GOOS == "windows" {
-		if !(platform.OS == runtime.GOOS || (LCOWSupported() && platform.OS == "linux")) {
-			return errors.Errorf("unsupported os %s", platform.OS)
-		}
-	}
-	return nil
-}

libnetwork/vendor/github.com/docker/docker/pkg/system/lcow_unix.go

@@ -1,8 +0,0 @@
-// +build !windows
-
-package system // import "github.com/docker/docker/pkg/system"
-
-// LCOWSupported returns true if Linux containers on Windows are supported.
-func LCOWSupported() bool {
-	return false
-}

libnetwork/vendor/github.com/docker/docker/pkg/system/lcow_windows.go

@@ -1,6 +0,0 @@
-package system // import "github.com/docker/docker/pkg/system"
-
-// LCOWSupported returns true if Linux containers on Windows are supported.
-func LCOWSupported() bool {
-	return lcowSupported
-}

libnetwork/vendor/github.com/docker/docker/pkg/system/lstat_unix.go

@@ -1,20 +0,0 @@
-// +build !windows
-
-package system // import "github.com/docker/docker/pkg/system"
-
-import (
-	"os"
-	"syscall"
-)
-
-// Lstat takes a path to a file and returns
-// a system.StatT type pertaining to that file.
-//
-// Throws an error if the file does not exist
-func Lstat(path string) (*StatT, error) {
-	s := &syscall.Stat_t{}
-	if err := syscall.Lstat(path, s); err != nil {
-		return nil, &os.PathError{Op: "Lstat", Path: path, Err: err}
-	}
-	return fromStatT(s)
-}

libnetwork/vendor/github.com/docker/docker/pkg/system/lstat_windows.go

@@ -1,14 +0,0 @@
-package system // import "github.com/docker/docker/pkg/system"
-
-import "os"
-
-// Lstat calls os.Lstat to get a fileinfo interface back.
-// This is then copied into our own locally defined structure.
-func Lstat(path string) (*StatT, error) {
-	fi, err := os.Lstat(path)
-	if err != nil {
-		return nil, err
-	}
-
-	return fromStatT(&fi)
-}

libnetwork/vendor/github.com/docker/docker/pkg/system/meminfo.go

@@ -1,17 +0,0 @@
-package system // import "github.com/docker/docker/pkg/system"
-
-// MemInfo contains memory statistics of the host system.
-type MemInfo struct {
-	// Total usable RAM (i.e. physical RAM minus a few reserved bits and the
-	// kernel binary code).
-	MemTotal int64
-
-	// Amount of free memory.
-	MemFree int64
-
-	// Total amount of swap space available.
-	SwapTotal int64
-
-	// Amount of swap space that is currently unused.
-	SwapFree int64
-}

libnetwork/vendor/github.com/docker/docker/pkg/system/meminfo_linux.go

@@ -1,65 +0,0 @@
-package system // import "github.com/docker/docker/pkg/system"
-
-import (
-	"bufio"
-	"io"
-	"os"
-	"strconv"
-	"strings"
-
-	"github.com/docker/go-units"
-)
-
-// ReadMemInfo retrieves memory statistics of the host system and returns a
-// MemInfo type.
-func ReadMemInfo() (*MemInfo, error) {
-	file, err := os.Open("/proc/meminfo")
-	if err != nil {
-		return nil, err
-	}
-	defer file.Close()
-	return parseMemInfo(file)
-}
-
-// parseMemInfo parses the /proc/meminfo file into
-// a MemInfo object given an io.Reader to the file.
-// Throws error if there are problems reading from the file
-func parseMemInfo(reader io.Reader) (*MemInfo, error) {
-	meminfo := &MemInfo{}
-	scanner := bufio.NewScanner(reader)
-	for scanner.Scan() {
-		// Expected format: ["MemTotal:", "1234", "kB"]
-		parts := strings.Fields(scanner.Text())
-
-		// Sanity checks: Skip malformed entries.
-		if len(parts) < 3 || parts[2] != "kB" {
-			continue
-		}
-
-		// Convert to bytes.
-		size, err := strconv.Atoi(parts[1])
-		if err != nil {
-			continue
-		}
-		bytes := int64(size) * units.KiB
-
-		switch parts[0] {
-		case "MemTotal:":
-			meminfo.MemTotal = bytes
-		case "MemFree:":
-			meminfo.MemFree = bytes
-		case "SwapTotal:":
-			meminfo.SwapTotal = bytes
-		case "SwapFree:":
-			meminfo.SwapFree = bytes
-		}
-
-	}
-
-	// Handle errors that may have occurred during the reading of the file.
-	if err := scanner.Err(); err != nil {
-		return nil, err
-	}
-
-	return meminfo, nil
-}

libnetwork/vendor/github.com/docker/docker/pkg/system/meminfo_unsupported.go

@@ -1,8 +0,0 @@
-// +build !linux,!windows
-
-package system // import "github.com/docker/docker/pkg/system"
-
-// ReadMemInfo is not supported on platforms other than linux and windows.
-func ReadMemInfo() (*MemInfo, error) {
-	return nil, ErrNotSupportedPlatform
-}

libnetwork/vendor/github.com/docker/docker/pkg/system/meminfo_windows.go

@@ -1,45 +0,0 @@
-package system // import "github.com/docker/docker/pkg/system"
-
-import (
-	"unsafe"
-
-	"golang.org/x/sys/windows"
-)
-
-var (
-	modkernel32 = windows.NewLazySystemDLL("kernel32.dll")
-
-	procGlobalMemoryStatusEx = modkernel32.NewProc("GlobalMemoryStatusEx")
-)
-
-// https://msdn.microsoft.com/en-us/library/windows/desktop/aa366589(v=vs.85).aspx
-// https://msdn.microsoft.com/en-us/library/windows/desktop/aa366770(v=vs.85).aspx
-type memorystatusex struct {
-	dwLength                uint32
-	dwMemoryLoad            uint32
-	ullTotalPhys            uint64
-	ullAvailPhys            uint64
-	ullTotalPageFile        uint64
-	ullAvailPageFile        uint64
-	ullTotalVirtual         uint64
-	ullAvailVirtual         uint64
-	ullAvailExtendedVirtual uint64
-}
-
-// ReadMemInfo retrieves memory statistics of the host system and returns a
-//  MemInfo type.
-func ReadMemInfo() (*MemInfo, error) {
-	msi := &memorystatusex{
-		dwLength: 64,
-	}
-	r1, _, _ := procGlobalMemoryStatusEx.Call(uintptr(unsafe.Pointer(msi)))
-	if r1 == 0 {
-		return &MemInfo{}, nil
-	}
-	return &MemInfo{
-		MemTotal:  int64(msi.ullTotalPhys),
-		MemFree:   int64(msi.ullAvailPhys),
-		SwapTotal: int64(msi.ullTotalPageFile),
-		SwapFree:  int64(msi.ullAvailPageFile),
-	}, nil
-}

libnetwork/vendor/github.com/docker/docker/pkg/system/mknod.go

@@ -1,22 +0,0 @@
-// +build !windows
-
-package system // import "github.com/docker/docker/pkg/system"
-
-import (
-	"golang.org/x/sys/unix"
-)
-
-// Mknod creates a filesystem node (file, device special file or named pipe) named path
-// with attributes specified by mode and dev.
-func Mknod(path string, mode uint32, dev int) error {
-	return unix.Mknod(path, mode, dev)
-}
-
-// Mkdev is used to build the value of linux devices (in /dev/) which specifies major
-// and minor number of the newly created device special file.
-// Linux device nodes are a bit weird due to backwards compat with 16 bit device nodes.
-// They are, from low to high: the lower 8 bits of the minor, then 12 bits of the major,
-// then the top 12 bits of the minor.
-func Mkdev(major int64, minor int64) uint32 {
-	return uint32(unix.Mkdev(uint32(major), uint32(minor)))
-}

libnetwork/vendor/github.com/docker/docker/pkg/system/mknod_windows.go

@@ -1,11 +0,0 @@
-package system // import "github.com/docker/docker/pkg/system"
-
-// Mknod is not implemented on Windows.
-func Mknod(path string, mode uint32, dev int) error {
-	return ErrNotSupportedPlatform
-}
-
-// Mkdev is not implemented on Windows.
-func Mkdev(major int64, minor int64) uint32 {
-	panic("Mkdev not implemented on Windows.")
-}

libnetwork/vendor/github.com/docker/docker/pkg/system/path.go

@@ -1,60 +0,0 @@
-package system // import "github.com/docker/docker/pkg/system"
-
-import (
-	"fmt"
-	"path/filepath"
-	"runtime"
-	"strings"
-
-	"github.com/containerd/continuity/pathdriver"
-)
-
-const defaultUnixPathEnv = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
-
-// DefaultPathEnv is unix style list of directories to search for
-// executables. Each directory is separated from the next by a colon
-// ':' character .
-func DefaultPathEnv(os string) string {
-	if runtime.GOOS == "windows" {
-		if os != runtime.GOOS {
-			return defaultUnixPathEnv
-		}
-		// Deliberately empty on Windows containers on Windows as the default path will be set by
-		// the container. Docker has no context of what the default path should be.
-		return ""
-	}
-	return defaultUnixPathEnv
-
-}
-
-// CheckSystemDriveAndRemoveDriveLetter verifies that a path, if it includes a drive letter,
-// is the system drive.
-// On Linux: this is a no-op.
-// On Windows: this does the following>
-// CheckSystemDriveAndRemoveDriveLetter verifies and manipulates a Windows path.
-// This is used, for example, when validating a user provided path in docker cp.
-// If a drive letter is supplied, it must be the system drive. The drive letter
-// is always removed. Also, it translates it to OS semantics (IOW / to \). We
-// need the path in this syntax so that it can ultimately be concatenated with
-// a Windows long-path which doesn't support drive-letters. Examples:
-// C:			--> Fail
-// C:\			--> \
-// a			--> a
-// /a			--> \a
-// d:\			--> Fail
-func CheckSystemDriveAndRemoveDriveLetter(path string, driver pathdriver.PathDriver) (string, error) {
-	if runtime.GOOS != "windows" || LCOWSupported() {
-		return path, nil
-	}
-
-	if len(path) == 2 && string(path[1]) == ":" {
-		return "", fmt.Errorf("No relative path specified in %q", path)
-	}
-	if !driver.IsAbs(path) || len(path) < 2 {
-		return filepath.FromSlash(path), nil
-	}
-	if string(path[1]) == ":" && !strings.EqualFold(string(path[0]), "c") {
-		return "", fmt.Errorf("The specified path is not on the system drive (C:)")
-	}
-	return filepath.FromSlash(path[2:]), nil
-}

libnetwork/vendor/github.com/docker/docker/pkg/system/path_unix.go

@@ -1,10 +0,0 @@
-// +build !windows
-
-package system // import "github.com/docker/docker/pkg/system"
-
-// GetLongPathName converts Windows short pathnames to full pathnames.
-// For example C:\Users\ADMIN~1 --> C:\Users\Administrator.
-// It is a no-op on non-Windows platforms
-func GetLongPathName(path string) (string, error) {
-	return path, nil
-}

libnetwork/vendor/github.com/docker/docker/pkg/system/path_windows.go

@@ -1,24 +0,0 @@
-package system // import "github.com/docker/docker/pkg/system"
-
-import "syscall"
-
-// GetLongPathName converts Windows short pathnames to full pathnames.
-// For example C:\Users\ADMIN~1 --> C:\Users\Administrator.
-// It is a no-op on non-Windows platforms
-func GetLongPathName(path string) (string, error) {
-	// See https://groups.google.com/forum/#!topic/golang-dev/1tufzkruoTg
-	p := syscall.StringToUTF16(path)
-	b := p // GetLongPathName says we can reuse buffer
-	n, err := syscall.GetLongPathName(&p[0], &b[0], uint32(len(b)))
-	if err != nil {
-		return "", err
-	}
-	if n > uint32(len(b)) {
-		b = make([]uint16, n)
-		_, err = syscall.GetLongPathName(&p[0], &b[0], uint32(len(b)))
-		if err != nil {
-			return "", err
-		}
-	}
-	return syscall.UTF16ToString(b), nil
-}

libnetwork/vendor/github.com/docker/docker/pkg/system/process_unix.go

@@ -1,24 +0,0 @@
-// +build linux freebsd darwin
-
-package system // import "github.com/docker/docker/pkg/system"
-
-import (
-	"syscall"
-
-	"golang.org/x/sys/unix"
-)
-
-// IsProcessAlive returns true if process with a given pid is running.
-func IsProcessAlive(pid int) bool {
-	err := unix.Kill(pid, syscall.Signal(0))
-	if err == nil || err == unix.EPERM {
-		return true
-	}
-
-	return false
-}
-
-// KillProcess force-stops a process.
-func KillProcess(pid int) {
-	unix.Kill(pid, unix.SIGKILL)
-}

libnetwork/vendor/github.com/docker/docker/pkg/system/process_windows.go

@@ -1,18 +0,0 @@
-package system // import "github.com/docker/docker/pkg/system"
-
-import "os"
-
-// IsProcessAlive returns true if process with a given pid is running.
-func IsProcessAlive(pid int) bool {
-	_, err := os.FindProcess(pid)
-
-	return err == nil
-}
-
-// KillProcess force-stops a process.
-func KillProcess(pid int) {
-	p, err := os.FindProcess(pid)
-	if err == nil {
-		p.Kill()
-	}
-}

libnetwork/vendor/github.com/docker/docker/pkg/system/rm.go

@@ -1,80 +0,0 @@
-package system // import "github.com/docker/docker/pkg/system"
-
-import (
-	"os"
-	"syscall"
-	"time"
-
-	"github.com/docker/docker/pkg/mount"
-	"github.com/pkg/errors"
-)
-
-// EnsureRemoveAll wraps `os.RemoveAll` to check for specific errors that can
-// often be remedied.
-// Only use `EnsureRemoveAll` if you really want to make every effort to remove
-// a directory.
-//
-// Because of the way `os.Remove` (and by extension `os.RemoveAll`) works, there
-// can be a race between reading directory entries and then actually attempting
-// to remove everything in the directory.
-// These types of errors do not need to be returned since it's ok for the dir to
-// be gone we can just retry the remove operation.
-//
-// This should not return a `os.ErrNotExist` kind of error under any circumstances
-func EnsureRemoveAll(dir string) error {
-	notExistErr := make(map[string]bool)
-
-	// track retries
-	exitOnErr := make(map[string]int)
-	maxRetry := 50
-
-	// Attempt to unmount anything beneath this dir first
-	mount.RecursiveUnmount(dir)
-
-	for {
-		err := os.RemoveAll(dir)
-		if err == nil {
-			return nil
-		}
-
-		pe, ok := err.(*os.PathError)
-		if !ok {
-			return err
-		}
-
-		if os.IsNotExist(err) {
-			if notExistErr[pe.Path] {
-				return err
-			}
-			notExistErr[pe.Path] = true
-
-			// There is a race where some subdir can be removed but after the parent
-			//   dir entries have been read.
-			// So the path could be from `os.Remove(subdir)`
-			// If the reported non-existent path is not the passed in `dir` we
-			// should just retry, but otherwise return with no error.
-			if pe.Path == dir {
-				return nil
-			}
-			continue
-		}
-
-		if pe.Err != syscall.EBUSY {
-			return err
-		}
-
-		if mounted, _ := mount.Mounted(pe.Path); mounted {
-			if e := mount.Unmount(pe.Path); e != nil {
-				if mounted, _ := mount.Mounted(pe.Path); mounted {
-					return errors.Wrapf(e, "error while removing %s", dir)
-				}
-			}
-		}
-
-		if exitOnErr[pe.Path] == maxRetry {
-			return err
-		}
-		exitOnErr[pe.Path]++
-		time.Sleep(100 * time.Millisecond)
-	}
-}

libnetwork/vendor/github.com/docker/docker/pkg/system/stat_darwin.go

@@ -1,13 +0,0 @@
-package system // import "github.com/docker/docker/pkg/system"
-
-import "syscall"
-
-// fromStatT converts a syscall.Stat_t type to a system.Stat_t type
-func fromStatT(s *syscall.Stat_t) (*StatT, error) {
-	return &StatT{size: s.Size,
-		mode: uint32(s.Mode),
-		uid:  s.Uid,
-		gid:  s.Gid,
-		rdev: uint64(s.Rdev),
-		mtim: s.Mtimespec}, nil
-}

libnetwork/vendor/github.com/docker/docker/pkg/system/stat_freebsd.go

@@ -1,13 +0,0 @@
-package system // import "github.com/docker/docker/pkg/system"
-
-import "syscall"
-
-// fromStatT converts a syscall.Stat_t type to a system.Stat_t type
-func fromStatT(s *syscall.Stat_t) (*StatT, error) {
-	return &StatT{size: s.Size,
-		mode: uint32(s.Mode),
-		uid:  s.Uid,
-		gid:  s.Gid,
-		rdev: uint64(s.Rdev),
-		mtim: s.Mtimespec}, nil
-}

libnetwork/vendor/github.com/docker/docker/pkg/system/stat_linux.go

@@ -1,19 +0,0 @@
-package system // import "github.com/docker/docker/pkg/system"
-
-import "syscall"
-
-// fromStatT converts a syscall.Stat_t type to a system.Stat_t type
-func fromStatT(s *syscall.Stat_t) (*StatT, error) {
-	return &StatT{size: s.Size,
-		mode: s.Mode,
-		uid:  s.Uid,
-		gid:  s.Gid,
-		rdev: s.Rdev,
-		mtim: s.Mtim}, nil
-}
-
-// FromStatT converts a syscall.Stat_t type to a system.Stat_t type
-// This is exposed on Linux as pkg/archive/changes uses it.
-func FromStatT(s *syscall.Stat_t) (*StatT, error) {
-	return fromStatT(s)
-}

libnetwork/vendor/github.com/docker/docker/pkg/system/stat_openbsd.go

@@ -1,13 +0,0 @@
-package system // import "github.com/docker/docker/pkg/system"
-
-import "syscall"
-
-// fromStatT converts a syscall.Stat_t type to a system.Stat_t type
-func fromStatT(s *syscall.Stat_t) (*StatT, error) {
-	return &StatT{size: s.Size,
-		mode: uint32(s.Mode),
-		uid:  s.Uid,
-		gid:  s.Gid,
-		rdev: uint64(s.Rdev),
-		mtim: s.Mtim}, nil
-}

libnetwork/vendor/github.com/docker/docker/pkg/system/stat_solaris.go

@@ -1,13 +0,0 @@
-package system // import "github.com/docker/docker/pkg/system"
-
-import "syscall"
-
-// fromStatT converts a syscall.Stat_t type to a system.Stat_t type
-func fromStatT(s *syscall.Stat_t) (*StatT, error) {
-	return &StatT{size: s.Size,
-		mode: uint32(s.Mode),
-		uid:  s.Uid,
-		gid:  s.Gid,
-		rdev: uint64(s.Rdev),
-		mtim: s.Mtim}, nil
-}

libnetwork/vendor/github.com/docker/docker/pkg/system/stat_unix.go

@@ -1,66 +0,0 @@
-// +build !windows
-
-package system // import "github.com/docker/docker/pkg/system"
-
-import (
-	"os"
-	"syscall"
-)
-
-// StatT type contains status of a file. It contains metadata
-// like permission, owner, group, size, etc about a file.
-type StatT struct {
-	mode uint32
-	uid  uint32
-	gid  uint32
-	rdev uint64
-	size int64
-	mtim syscall.Timespec
-}
-
-// Mode returns file's permission mode.
-func (s StatT) Mode() uint32 {
-	return s.mode
-}
-
-// UID returns file's user id of owner.
-func (s StatT) UID() uint32 {
-	return s.uid
-}
-
-// GID returns file's group id of owner.
-func (s StatT) GID() uint32 {
-	return s.gid
-}
-
-// Rdev returns file's device ID (if it's special file).
-func (s StatT) Rdev() uint64 {
-	return s.rdev
-}
-
-// Size returns file's size.
-func (s StatT) Size() int64 {
-	return s.size
-}
-
-// Mtim returns file's last modification time.
-func (s StatT) Mtim() syscall.Timespec {
-	return s.mtim
-}
-
-// IsDir reports whether s describes a directory.
-func (s StatT) IsDir() bool {
-	return s.mode&syscall.S_IFDIR != 0
-}
-
-// Stat takes a path to a file and returns
-// a system.StatT type pertaining to that file.
-//
-// Throws an error if the file does not exist
-func Stat(path string) (*StatT, error) {
-	s := &syscall.Stat_t{}
-	if err := syscall.Stat(path, s); err != nil {
-		return nil, &os.PathError{Op: "Stat", Path: path, Err: err}
-	}
-	return fromStatT(s)
-}

libnetwork/vendor/github.com/docker/docker/pkg/system/stat_windows.go

@@ -1,49 +0,0 @@
-package system // import "github.com/docker/docker/pkg/system"
-
-import (
-	"os"
-	"time"
-)
-
-// StatT type contains status of a file. It contains metadata
-// like permission, size, etc about a file.
-type StatT struct {
-	mode os.FileMode
-	size int64
-	mtim time.Time
-}
-
-// Size returns file's size.
-func (s StatT) Size() int64 {
-	return s.size
-}
-
-// Mode returns file's permission mode.
-func (s StatT) Mode() os.FileMode {
-	return os.FileMode(s.mode)
-}
-
-// Mtim returns file's last modification time.
-func (s StatT) Mtim() time.Time {
-	return time.Time(s.mtim)
-}
-
-// Stat takes a path to a file and returns
-// a system.StatT type pertaining to that file.
-//
-// Throws an error if the file does not exist
-func Stat(path string) (*StatT, error) {
-	fi, err := os.Stat(path)
-	if err != nil {
-		return nil, err
-	}
-	return fromStatT(&fi)
-}
-
-// fromStatT converts a os.FileInfo type to a system.StatT type
-func fromStatT(fi *os.FileInfo) (*StatT, error) {
-	return &StatT{
-		size: (*fi).Size(),
-		mode: (*fi).Mode(),
-		mtim: (*fi).ModTime()}, nil
-}

libnetwork/vendor/github.com/docker/docker/pkg/system/syscall_unix.go

@@ -1,17 +0,0 @@
-// +build linux freebsd
-
-package system // import "github.com/docker/docker/pkg/system"
-
-import "golang.org/x/sys/unix"
-
-// Unmount is a platform-specific helper function to call
-// the unmount syscall.
-func Unmount(dest string) error {
-	return unix.Unmount(dest, 0)
-}
-
-// CommandLineToArgv should not be used on Unix.
-// It simply returns commandLine in the only element in the returned array.
-func CommandLineToArgv(commandLine string) ([]string, error) {
-	return []string{commandLine}, nil
-}

libnetwork/vendor/github.com/docker/docker/pkg/system/syscall_windows.go

@@ -1,193 +0,0 @@
-package system // import "github.com/docker/docker/pkg/system"
-
-import (
-	"fmt"
-	"syscall"
-	"unsafe"
-
-	"github.com/sirupsen/logrus"
-	"golang.org/x/sys/windows"
-)
-
-const (
-	OWNER_SECURITY_INFORMATION               = 0x00000001
-	GROUP_SECURITY_INFORMATION               = 0x00000002
-	DACL_SECURITY_INFORMATION                = 0x00000004
-	SACL_SECURITY_INFORMATION                = 0x00000008
-	LABEL_SECURITY_INFORMATION               = 0x00000010
-	ATTRIBUTE_SECURITY_INFORMATION           = 0x00000020
-	SCOPE_SECURITY_INFORMATION               = 0x00000040
-	PROCESS_TRUST_LABEL_SECURITY_INFORMATION = 0x00000080
-	ACCESS_FILTER_SECURITY_INFORMATION       = 0x00000100
-	BACKUP_SECURITY_INFORMATION              = 0x00010000
-	PROTECTED_DACL_SECURITY_INFORMATION      = 0x80000000
-	PROTECTED_SACL_SECURITY_INFORMATION      = 0x40000000
-	UNPROTECTED_DACL_SECURITY_INFORMATION    = 0x20000000
-	UNPROTECTED_SACL_SECURITY_INFORMATION    = 0x10000000
-)
-
-const (
-	SE_UNKNOWN_OBJECT_TYPE = iota
-	SE_FILE_OBJECT
-	SE_SERVICE
-	SE_PRINTER
-	SE_REGISTRY_KEY
-	SE_LMSHARE
-	SE_KERNEL_OBJECT
-	SE_WINDOW_OBJECT
-	SE_DS_OBJECT
-	SE_DS_OBJECT_ALL
-	SE_PROVIDER_DEFINED_OBJECT
-	SE_WMIGUID_OBJECT
-	SE_REGISTRY_WOW64_32KEY
-)
-
-const (
-	SeTakeOwnershipPrivilege = "SeTakeOwnershipPrivilege"
-)
-
-const (
-	ContainerAdministratorSidString = "S-1-5-93-2-1"
-	ContainerUserSidString          = "S-1-5-93-2-2"
-)
-
-var (
-	ntuserApiset                  = windows.NewLazyDLL("ext-ms-win-ntuser-window-l1-1-0")
-	modadvapi32                   = windows.NewLazySystemDLL("advapi32.dll")
-	procGetVersionExW             = modkernel32.NewProc("GetVersionExW")
-	procGetProductInfo            = modkernel32.NewProc("GetProductInfo")
-	procSetNamedSecurityInfo      = modadvapi32.NewProc("SetNamedSecurityInfoW")
-	procGetSecurityDescriptorDacl = modadvapi32.NewProc("GetSecurityDescriptorDacl")
-)
-
-// OSVersion is a wrapper for Windows version information
-// https://msdn.microsoft.com/en-us/library/windows/desktop/ms724439(v=vs.85).aspx
-type OSVersion struct {
-	Version      uint32
-	MajorVersion uint8
-	MinorVersion uint8
-	Build        uint16
-}
-
-// https://msdn.microsoft.com/en-us/library/windows/desktop/ms724833(v=vs.85).aspx
-type osVersionInfoEx struct {
-	OSVersionInfoSize uint32
-	MajorVersion      uint32
-	MinorVersion      uint32
-	BuildNumber       uint32
-	PlatformID        uint32
-	CSDVersion        [128]uint16
-	ServicePackMajor  uint16
-	ServicePackMinor  uint16
-	SuiteMask         uint16
-	ProductType       byte
-	Reserve           byte
-}
-
-// GetOSVersion gets the operating system version on Windows. Note that
-// docker.exe must be manifested to get the correct version information.
-func GetOSVersion() OSVersion {
-	var err error
-	osv := OSVersion{}
-	osv.Version, err = windows.GetVersion()
-	if err != nil {
-		// GetVersion never fails.
-		panic(err)
-	}
-	osv.MajorVersion = uint8(osv.Version & 0xFF)
-	osv.MinorVersion = uint8(osv.Version >> 8 & 0xFF)
-	osv.Build = uint16(osv.Version >> 16)
-	return osv
-}
-
-func (osv OSVersion) ToString() string {
-	return fmt.Sprintf("%d.%d.%d", osv.MajorVersion, osv.MinorVersion, osv.Build)
-}
-
-// IsWindowsClient returns true if the SKU is client
-// @engine maintainers - this function should not be removed or modified as it
-// is used to enforce licensing restrictions on Windows.
-func IsWindowsClient() bool {
-	osviex := &osVersionInfoEx{OSVersionInfoSize: 284}
-	r1, _, err := procGetVersionExW.Call(uintptr(unsafe.Pointer(osviex)))
-	if r1 == 0 {
-		logrus.Warnf("GetVersionExW failed - assuming server SKU: %v", err)
-		return false
-	}
-	const verNTWorkstation = 0x00000001
-	return osviex.ProductType == verNTWorkstation
-}
-
-// IsIoTCore returns true if the currently running image is based off of
-// Windows 10 IoT Core.
-// @engine maintainers - this function should not be removed or modified as it
-// is used to enforce licensing restrictions on Windows.
-func IsIoTCore() bool {
-	var returnedProductType uint32
-	r1, _, err := procGetProductInfo.Call(6, 1, 0, 0, uintptr(unsafe.Pointer(&returnedProductType)))
-	if r1 == 0 {
-		logrus.Warnf("GetProductInfo failed - assuming this is not IoT: %v", err)
-		return false
-	}
-	const productIoTUAP = 0x0000007B
-	const productIoTUAPCommercial = 0x00000083
-	return returnedProductType == productIoTUAP || returnedProductType == productIoTUAPCommercial
-}
-
-// Unmount is a platform-specific helper function to call
-// the unmount syscall. Not supported on Windows
-func Unmount(dest string) error {
-	return nil
-}
-
-// CommandLineToArgv wraps the Windows syscall to turn a commandline into an argument array.
-func CommandLineToArgv(commandLine string) ([]string, error) {
-	var argc int32
-
-	argsPtr, err := windows.UTF16PtrFromString(commandLine)
-	if err != nil {
-		return nil, err
-	}
-
-	argv, err := windows.CommandLineToArgv(argsPtr, &argc)
-	if err != nil {
-		return nil, err
-	}
-	defer windows.LocalFree(windows.Handle(uintptr(unsafe.Pointer(argv))))
-
-	newArgs := make([]string, argc)
-	for i, v := range (*argv)[:argc] {
-		newArgs[i] = string(windows.UTF16ToString((*v)[:]))
-	}
-
-	return newArgs, nil
-}
-
-// HasWin32KSupport determines whether containers that depend on win32k can
-// run on this machine. Win32k is the driver used to implement windowing.
-func HasWin32KSupport() bool {
-	// For now, check for ntuser API support on the host. In the future, a host
-	// may support win32k in containers even if the host does not support ntuser
-	// APIs.
-	return ntuserApiset.Load() == nil
-}
-
-func SetNamedSecurityInfo(objectName *uint16, objectType uint32, securityInformation uint32, sidOwner *windows.SID, sidGroup *windows.SID, dacl *byte, sacl *byte) (result error) {
-	r0, _, _ := syscall.Syscall9(procSetNamedSecurityInfo.Addr(), 7, uintptr(unsafe.Pointer(objectName)), uintptr(objectType), uintptr(securityInformation), uintptr(unsafe.Pointer(sidOwner)), uintptr(unsafe.Pointer(sidGroup)), uintptr(unsafe.Pointer(dacl)), uintptr(unsafe.Pointer(sacl)), 0, 0)
-	if r0 != 0 {
-		result = syscall.Errno(r0)
-	}
-	return
-}
-
-func GetSecurityDescriptorDacl(securityDescriptor *byte, daclPresent *uint32, dacl **byte, daclDefaulted *uint32) (result error) {
-	r1, _, e1 := syscall.Syscall6(procGetSecurityDescriptorDacl.Addr(), 4, uintptr(unsafe.Pointer(securityDescriptor)), uintptr(unsafe.Pointer(daclPresent)), uintptr(unsafe.Pointer(dacl)), uintptr(unsafe.Pointer(daclDefaulted)), 0, 0)
-	if r1 == 0 {
-		if e1 != 0 {
-			result = syscall.Errno(e1)
-		} else {
-			result = syscall.EINVAL
-		}
-	}
-	return
-}

libnetwork/vendor/github.com/docker/docker/pkg/system/umask.go

@@ -1,13 +0,0 @@
-// +build !windows
-
-package system // import "github.com/docker/docker/pkg/system"
-
-import (
-	"golang.org/x/sys/unix"
-)
-
-// Umask sets current process's file mode creation mask to newmask
-// and returns oldmask.
-func Umask(newmask int) (oldmask int, err error) {
-	return unix.Umask(newmask), nil
-}

libnetwork/vendor/github.com/docker/docker/pkg/system/umask_windows.go

@@ -1,7 +0,0 @@
-package system // import "github.com/docker/docker/pkg/system"
-
-// Umask is not supported on the windows platform.
-func Umask(newmask int) (oldmask int, err error) {
-	// should not be called on cli code path
-	return 0, ErrNotSupportedPlatform
-}

libnetwork/vendor/github.com/docker/docker/pkg/system/utimes_freebsd.go

@@ -1,24 +0,0 @@
-package system // import "github.com/docker/docker/pkg/system"
-
-import (
-	"syscall"
-	"unsafe"
-
-	"golang.org/x/sys/unix"
-)
-
-// LUtimesNano is used to change access and modification time of the specified path.
-// It's used for symbol link file because unix.UtimesNano doesn't support a NOFOLLOW flag atm.
-func LUtimesNano(path string, ts []syscall.Timespec) error {
-	var _path *byte
-	_path, err := unix.BytePtrFromString(path)
-	if err != nil {
-		return err
-	}
-
-	if _, _, err := unix.Syscall(unix.SYS_LUTIMES, uintptr(unsafe.Pointer(_path)), uintptr(unsafe.Pointer(&ts[0])), 0); err != 0 && err != unix.ENOSYS {
-		return err
-	}
-
-	return nil
-}

libnetwork/vendor/github.com/docker/docker/pkg/system/utimes_linux.go

@@ -1,25 +0,0 @@
-package system // import "github.com/docker/docker/pkg/system"
-
-import (
-	"syscall"
-	"unsafe"
-
-	"golang.org/x/sys/unix"
-)
-
-// LUtimesNano is used to change access and modification time of the specified path.
-// It's used for symbol link file because unix.UtimesNano doesn't support a NOFOLLOW flag atm.
-func LUtimesNano(path string, ts []syscall.Timespec) error {
-	atFdCwd := unix.AT_FDCWD
-
-	var _path *byte
-	_path, err := unix.BytePtrFromString(path)
-	if err != nil {
-		return err
-	}
-	if _, _, err := unix.Syscall6(unix.SYS_UTIMENSAT, uintptr(atFdCwd), uintptr(unsafe.Pointer(_path)), uintptr(unsafe.Pointer(&ts[0])), unix.AT_SYMLINK_NOFOLLOW, 0, 0); err != 0 && err != unix.ENOSYS {
-		return err
-	}
-
-	return nil
-}

libnetwork/vendor/github.com/docker/docker/pkg/system/utimes_unsupported.go

@@ -1,10 +0,0 @@
-// +build !linux,!freebsd
-
-package system // import "github.com/docker/docker/pkg/system"
-
-import "syscall"
-
-// LUtimesNano is only supported on linux and freebsd.
-func LUtimesNano(path string, ts []syscall.Timespec) error {
-	return ErrNotSupportedPlatform
-}

libnetwork/vendor/github.com/docker/docker/pkg/system/xattrs_linux.go

@@ -1,29 +0,0 @@
-package system // import "github.com/docker/docker/pkg/system"
-
-import "golang.org/x/sys/unix"
-
-// Lgetxattr retrieves the value of the extended attribute identified by attr
-// and associated with the given path in the file system.
-// It will returns a nil slice and nil error if the xattr is not set.
-func Lgetxattr(path string, attr string) ([]byte, error) {
-	dest := make([]byte, 128)
-	sz, errno := unix.Lgetxattr(path, attr, dest)
-	if errno == unix.ENODATA {
-		return nil, nil
-	}
-	if errno == unix.ERANGE {
-		dest = make([]byte, sz)
-		sz, errno = unix.Lgetxattr(path, attr, dest)
-	}
-	if errno != nil {
-		return nil, errno
-	}
-
-	return dest[:sz], nil
-}
-
-// Lsetxattr sets the value of the extended attribute identified by attr
-// and associated with the given path in the file system.
-func Lsetxattr(path string, attr string, data []byte, flags int) error {
-	return unix.Lsetxattr(path, attr, data, flags)
-}

libnetwork/vendor/github.com/docker/docker/pkg/system/xattrs_unsupported.go

@@ -1,13 +0,0 @@
-// +build !linux
-
-package system // import "github.com/docker/docker/pkg/system"
-
-// Lgetxattr is not supported on platforms other than linux.
-func Lgetxattr(path string, attr string) ([]byte, error) {
-	return nil, ErrNotSupportedPlatform
-}
-
-// Lsetxattr is not supported on platforms other than linux.
-func Lsetxattr(path string, attr string, data []byte, flags int) error {
-	return ErrNotSupportedPlatform
-}

libnetwork/vendor/github.com/docker/go-units/LICENSE

@@ -1,191 +0,0 @@
-
-                                 Apache License
-                           Version 2.0, January 2004
-                        https://www.apache.org/licenses/
-
-   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
-
-   1. Definitions.
-
-      "License" shall mean the terms and conditions for use, reproduction,
-      and distribution as defined by Sections 1 through 9 of this document.
-
-      "Licensor" shall mean the copyright owner or entity authorized by
-      the copyright owner that is granting the License.
-
-      "Legal Entity" shall mean the union of the acting entity and all
-      other entities that control, are controlled by, or are under common
-      control with that entity. For the purposes of this definition,
-      "control" means (i) the power, direct or indirect, to cause the
-      direction or management of such entity, whether by contract or
-      otherwise, or (ii) ownership of fifty percent (50%) or more of the
-      outstanding shares, or (iii) beneficial ownership of such entity.
-
-      "You" (or "Your") shall mean an individual or Legal Entity
-      exercising permissions granted by this License.
-
-      "Source" form shall mean the preferred form for making modifications,
-      including but not limited to software source code, documentation
-      source, and configuration files.
-
-      "Object" form shall mean any form resulting from mechanical
-      transformation or translation of a Source form, including but
-      not limited to compiled object code, generated documentation,
-      and conversions to other media types.
-
-      "Work" shall mean the work of authorship, whether in Source or
-      Object form, made available under the License, as indicated by a
-      copyright notice that is included in or attached to the work
-      (an example is provided in the Appendix below).
-
-      "Derivative Works" shall mean any work, whether in Source or Object
-      form, that is based on (or derived from) the Work and for which the
-      editorial revisions, annotations, elaborations, or other modifications
-      represent, as a whole, an original work of authorship. For the purposes
-      of this License, Derivative Works shall not include works that remain
-      separable from, or merely link (or bind by name) to the interfaces of,
-      the Work and Derivative Works thereof.
-
-      "Contribution" shall mean any work of authorship, including
-      the original version of the Work and any modifications or additions
-      to that Work or Derivative Works thereof, that is intentionally
-      submitted to Licensor for inclusion in the Work by the copyright owner
-      or by an individual or Legal Entity authorized to submit on behalf of
-      the copyright owner. For the purposes of this definition, "submitted"
-      means any form of electronic, verbal, or written communication sent
-      to the Licensor or its representatives, including but not limited to
-      communication on electronic mailing lists, source code control systems,
-      and issue tracking systems that are managed by, or on behalf of, the
-      Licensor for the purpose of discussing and improving the Work, but
-      excluding communication that is conspicuously marked or otherwise
-      designated in writing by the copyright owner as "Not a Contribution."
-
-      "Contributor" shall mean Licensor and any individual or Legal Entity
-      on behalf of whom a Contribution has been received by Licensor and
-      subsequently incorporated within the Work.
-
-   2. Grant of Copyright License. Subject to the terms and conditions of
-      this License, each Contributor hereby grants to You a perpetual,
-      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-      copyright license to reproduce, prepare Derivative Works of,
-      publicly display, publicly perform, sublicense, and distribute the
-      Work and such Derivative Works in Source or Object form.
-
-   3. Grant of Patent License. Subject to the terms and conditions of
-      this License, each Contributor hereby grants to You a perpetual,
-      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-      (except as stated in this section) patent license to make, have made,
-      use, offer to sell, sell, import, and otherwise transfer the Work,
-      where such license applies only to those patent claims licensable
-      by such Contributor that are necessarily infringed by their
-      Contribution(s) alone or by combination of their Contribution(s)
-      with the Work to which such Contribution(s) was submitted. If You
-      institute patent litigation against any entity (including a
-      cross-claim or counterclaim in a lawsuit) alleging that the Work
-      or a Contribution incorporated within the Work constitutes direct
-      or contributory patent infringement, then any patent licenses
-      granted to You under this License for that Work shall terminate
-      as of the date such litigation is filed.
-
-   4. Redistribution. You may reproduce and distribute copies of the
-      Work or Derivative Works thereof in any medium, with or without
-      modifications, and in Source or Object form, provided that You
-      meet the following conditions:
-
-      (a) You must give any other recipients of the Work or
-          Derivative Works a copy of this License; and
-
-      (b) You must cause any modified files to carry prominent notices
-          stating that You changed the files; and
-
-      (c) You must retain, in the Source form of any Derivative Works
-          that You distribute, all copyright, patent, trademark, and
-          attribution notices from the Source form of the Work,
-          excluding those notices that do not pertain to any part of
-          the Derivative Works; and
-
-      (d) If the Work includes a "NOTICE" text file as part of its
-          distribution, then any Derivative Works that You distribute must
-          include a readable copy of the attribution notices contained
-          within such NOTICE file, excluding those notices that do not
-          pertain to any part of the Derivative Works, in at least one
-          of the following places: within a NOTICE text file distributed
-          as part of the Derivative Works; within the Source form or
-          documentation, if provided along with the Derivative Works; or,
-          within a display generated by the Derivative Works, if and
-          wherever such third-party notices normally appear. The contents
-          of the NOTICE file are for informational purposes only and
-          do not modify the License. You may add Your own attribution
-          notices within Derivative Works that You distribute, alongside
-          or as an addendum to the NOTICE text from the Work, provided
-          that such additional attribution notices cannot be construed
-          as modifying the License.
-
-      You may add Your own copyright statement to Your modifications and
-      may provide additional or different license terms and conditions
-      for use, reproduction, or distribution of Your modifications, or
-      for any such Derivative Works as a whole, provided Your use,
-      reproduction, and distribution of the Work otherwise complies with
-      the conditions stated in this License.
-
-   5. Submission of Contributions. Unless You explicitly state otherwise,
-      any Contribution intentionally submitted for inclusion in the Work
-      by You to the Licensor shall be under the terms and conditions of
-      this License, without any additional terms or conditions.
-      Notwithstanding the above, nothing herein shall supersede or modify
-      the terms of any separate license agreement you may have executed
-      with Licensor regarding such Contributions.
-
-   6. Trademarks. This License does not grant permission to use the trade
-      names, trademarks, service marks, or product names of the Licensor,
-      except as required for reasonable and customary use in describing the
-      origin of the Work and reproducing the content of the NOTICE file.
-
-   7. Disclaimer of Warranty. Unless required by applicable law or
-      agreed to in writing, Licensor provides the Work (and each
-      Contributor provides its Contributions) on an "AS IS" BASIS,
-      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
-      implied, including, without limitation, any warranties or conditions
-      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
-      PARTICULAR PURPOSE. You are solely responsible for determining the
-      appropriateness of using or redistributing the Work and assume any
-      risks associated with Your exercise of permissions under this License.
-
-   8. Limitation of Liability. In no event and under no legal theory,
-      whether in tort (including negligence), contract, or otherwise,
-      unless required by applicable law (such as deliberate and grossly
-      negligent acts) or agreed to in writing, shall any Contributor be
-      liable to You for damages, including any direct, indirect, special,
-      incidental, or consequential damages of any character arising as a
-      result of this License or out of the use or inability to use the
-      Work (including but not limited to damages for loss of goodwill,
-      work stoppage, computer failure or malfunction, or any and all
-      other commercial damages or losses), even if such Contributor
-      has been advised of the possibility of such damages.
-
-   9. Accepting Warranty or Additional Liability. While redistributing
-      the Work or Derivative Works thereof, You may choose to offer,
-      and charge a fee for, acceptance of support, warranty, indemnity,
-      or other liability obligations and/or rights consistent with this
-      License. However, in accepting such obligations, You may act only
-      on Your own behalf and on Your sole responsibility, not on behalf
-      of any other Contributor, and only if You agree to indemnify,
-      defend, and hold each Contributor harmless for any liability
-      incurred by, or claims asserted against, such Contributor by reason
-      of your accepting any such warranty or additional liability.
-
-   END OF TERMS AND CONDITIONS
-
-   Copyright 2015 Docker, Inc.
-
-   Licensed under the Apache License, Version 2.0 (the "License");
-   you may not use this file except in compliance with the License.
-   You may obtain a copy of the License at
-
-       https://www.apache.org/licenses/LICENSE-2.0
-
-   Unless required by applicable law or agreed to in writing, software
-   distributed under the License is distributed on an "AS IS" BASIS,
-   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-   See the License for the specific language governing permissions and
-   limitations under the License.

libnetwork/vendor/github.com/docker/go-units/README.md

@@ -1,16 +0,0 @@
-[![GoDoc](https://godoc.org/github.com/docker/go-units?status.svg)](https://godoc.org/github.com/docker/go-units)
-
-# Introduction
-
-go-units is a library to transform human friendly measurements into machine friendly values.
-
-## Usage
-
-See the [docs in godoc](https://godoc.org/github.com/docker/go-units) for examples and documentation.
-
-## Copyright and license
-
-Copyright © 2015 Docker, Inc.
-
-go-units is licensed under the Apache License, Version 2.0.
-See [LICENSE](LICENSE) for the full text of the license.

libnetwork/vendor/github.com/docker/go-units/duration.go

@@ -1,35 +0,0 @@
-// Package units provides helper function to parse and print size and time units
-// in human-readable format.
-package units
-
-import (
-	"fmt"
-	"time"
-)
-
-// HumanDuration returns a human-readable approximation of a duration
-// (eg. "About a minute", "4 hours ago", etc.).
-func HumanDuration(d time.Duration) string {
-	if seconds := int(d.Seconds()); seconds < 1 {
-		return "Less than a second"
-	} else if seconds == 1 {
-		return "1 second"
-	} else if seconds < 60 {
-		return fmt.Sprintf("%d seconds", seconds)
-	} else if minutes := int(d.Minutes()); minutes == 1 {
-		return "About a minute"
-	} else if minutes < 46 {
-		return fmt.Sprintf("%d minutes", minutes)
-	} else if hours := int(d.Hours() + 0.5); hours == 1 {
-		return "About an hour"
-	} else if hours < 48 {
-		return fmt.Sprintf("%d hours", hours)
-	} else if hours < 24*7*2 {
-		return fmt.Sprintf("%d days", hours/24)
-	} else if hours < 24*30*2 {
-		return fmt.Sprintf("%d weeks", hours/24/7)
-	} else if hours < 24*365*2 {
-		return fmt.Sprintf("%d months", hours/24/30)
-	}
-	return fmt.Sprintf("%d years", int(d.Hours())/24/365)
-}

libnetwork/vendor/github.com/docker/go-units/size.go

@@ -1,108 +0,0 @@
-package units
-
-import (
-	"fmt"
-	"regexp"
-	"strconv"
-	"strings"
-)
-
-// See: http://en.wikipedia.org/wiki/Binary_prefix
-const (
-	// Decimal
-
-	KB = 1000
-	MB = 1000 * KB
-	GB = 1000 * MB
-	TB = 1000 * GB
-	PB = 1000 * TB
-
-	// Binary
-
-	KiB = 1024
-	MiB = 1024 * KiB
-	GiB = 1024 * MiB
-	TiB = 1024 * GiB
-	PiB = 1024 * TiB
-)
-
-type unitMap map[string]int64
-
-var (
-	decimalMap = unitMap{"k": KB, "m": MB, "g": GB, "t": TB, "p": PB}
-	binaryMap  = unitMap{"k": KiB, "m": MiB, "g": GiB, "t": TiB, "p": PiB}
-	sizeRegex  = regexp.MustCompile(`^(\d+(\.\d+)*) ?([kKmMgGtTpP])?[iI]?[bB]?$`)
-)
-
-var decimapAbbrs = []string{"B", "kB", "MB", "GB", "TB", "PB", "EB", "ZB", "YB"}
-var binaryAbbrs = []string{"B", "KiB", "MiB", "GiB", "TiB", "PiB", "EiB", "ZiB", "YiB"}
-
-func getSizeAndUnit(size float64, base float64, _map []string) (float64, string) {
-	i := 0
-	unitsLimit := len(_map) - 1
-	for size >= base && i < unitsLimit {
-		size = size / base
-		i++
-	}
-	return size, _map[i]
-}
-
-// CustomSize returns a human-readable approximation of a size
-// using custom format.
-func CustomSize(format string, size float64, base float64, _map []string) string {
-	size, unit := getSizeAndUnit(size, base, _map)
-	return fmt.Sprintf(format, size, unit)
-}
-
-// HumanSizeWithPrecision allows the size to be in any precision,
-// instead of 4 digit precision used in units.HumanSize.
-func HumanSizeWithPrecision(size float64, precision int) string {
-	size, unit := getSizeAndUnit(size, 1000.0, decimapAbbrs)
-	return fmt.Sprintf("%.*g%s", precision, size, unit)
-}
-
-// HumanSize returns a human-readable approximation of a size
-// capped at 4 valid numbers (eg. "2.746 MB", "796 KB").
-func HumanSize(size float64) string {
-	return HumanSizeWithPrecision(size, 4)
-}
-
-// BytesSize returns a human-readable size in bytes, kibibytes,
-// mebibytes, gibibytes, or tebibytes (eg. "44kiB", "17MiB").
-func BytesSize(size float64) string {
-	return CustomSize("%.4g%s", size, 1024.0, binaryAbbrs)
-}
-
-// FromHumanSize returns an integer from a human-readable specification of a
-// size using SI standard (eg. "44kB", "17MB").
-func FromHumanSize(size string) (int64, error) {
-	return parseSize(size, decimalMap)
-}
-
-// RAMInBytes parses a human-readable string representing an amount of RAM
-// in bytes, kibibytes, mebibytes, gibibytes, or tebibytes and
-// returns the number of bytes, or -1 if the string is unparseable.
-// Units are case-insensitive, and the 'b' suffix is optional.
-func RAMInBytes(size string) (int64, error) {
-	return parseSize(size, binaryMap)
-}
-
-// Parses the human-readable size string into the amount it represents.
-func parseSize(sizeStr string, uMap unitMap) (int64, error) {
-	matches := sizeRegex.FindStringSubmatch(sizeStr)
-	if len(matches) != 4 {
-		return -1, fmt.Errorf("invalid size: '%s'", sizeStr)
-	}
-
-	size, err := strconv.ParseFloat(matches[1], 64)
-	if err != nil {
-		return -1, err
-	}
-
-	unitPrefix := strings.ToLower(matches[3])
-	if mul, ok := uMap[unitPrefix]; ok {
-		size *= float64(mul)
-	}
-
-	return int64(size), nil
-}

libnetwork/vendor/github.com/docker/go-units/ulimit.go

@@ -1,118 +0,0 @@
-package units
-
-import (
-	"fmt"
-	"strconv"
-	"strings"
-)
-
-// Ulimit is a human friendly version of Rlimit.
-type Ulimit struct {
-	Name string
-	Hard int64
-	Soft int64
-}
-
-// Rlimit specifies the resource limits, such as max open files.
-type Rlimit struct {
-	Type int    `json:"type,omitempty"`
-	Hard uint64 `json:"hard,omitempty"`
-	Soft uint64 `json:"soft,omitempty"`
-}
-
-const (
-	// magic numbers for making the syscall
-	// some of these are defined in the syscall package, but not all.
-	// Also since Windows client doesn't get access to the syscall package, need to
-	//	define these here
-	rlimitAs         = 9
-	rlimitCore       = 4
-	rlimitCPU        = 0
-	rlimitData       = 2
-	rlimitFsize      = 1
-	rlimitLocks      = 10
-	rlimitMemlock    = 8
-	rlimitMsgqueue   = 12
-	rlimitNice       = 13
-	rlimitNofile     = 7
-	rlimitNproc      = 6
-	rlimitRss        = 5
-	rlimitRtprio     = 14
-	rlimitRttime     = 15
-	rlimitSigpending = 11
-	rlimitStack      = 3
-)
-
-var ulimitNameMapping = map[string]int{
-	//"as":         rlimitAs, // Disabled since this doesn't seem usable with the way Docker inits a container.
-	"core":       rlimitCore,
-	"cpu":        rlimitCPU,
-	"data":       rlimitData,
-	"fsize":      rlimitFsize,
-	"locks":      rlimitLocks,
-	"memlock":    rlimitMemlock,
-	"msgqueue":   rlimitMsgqueue,
-	"nice":       rlimitNice,
-	"nofile":     rlimitNofile,
-	"nproc":      rlimitNproc,
-	"rss":        rlimitRss,
-	"rtprio":     rlimitRtprio,
-	"rttime":     rlimitRttime,
-	"sigpending": rlimitSigpending,
-	"stack":      rlimitStack,
-}
-
-// ParseUlimit parses and returns a Ulimit from the specified string.
-func ParseUlimit(val string) (*Ulimit, error) {
-	parts := strings.SplitN(val, "=", 2)
-	if len(parts) != 2 {
-		return nil, fmt.Errorf("invalid ulimit argument: %s", val)
-	}
-
-	if _, exists := ulimitNameMapping[parts[0]]; !exists {
-		return nil, fmt.Errorf("invalid ulimit type: %s", parts[0])
-	}
-
-	var (
-		soft int64
-		hard = &soft // default to soft in case no hard was set
-		temp int64
-		err  error
-	)
-	switch limitVals := strings.Split(parts[1], ":"); len(limitVals) {
-	case 2:
-		temp, err = strconv.ParseInt(limitVals[1], 10, 64)
-		if err != nil {
-			return nil, err
-		}
-		hard = &temp
-		fallthrough
-	case 1:
-		soft, err = strconv.ParseInt(limitVals[0], 10, 64)
-		if err != nil {
-			return nil, err
-		}
-	default:
-		return nil, fmt.Errorf("too many limit value arguments - %s, can only have up to two, `soft[:hard]`", parts[1])
-	}
-
-	if soft > *hard {
-		return nil, fmt.Errorf("ulimit soft limit must be less than or equal to hard limit: %d > %d", soft, *hard)
-	}
-
-	return &Ulimit{Name: parts[0], Soft: soft, Hard: *hard}, nil
-}
-
-// GetRlimit returns the RLimit corresponding to Ulimit.
-func (u *Ulimit) GetRlimit() (*Rlimit, error) {
-	t, exists := ulimitNameMapping[u.Name]
-	if !exists {
-		return nil, fmt.Errorf("invalid ulimit name %s", u.Name)
-	}
-
-	return &Rlimit{Type: t, Soft: uint64(u.Soft), Hard: uint64(u.Hard)}, nil
-}
-
-func (u *Ulimit) String() string {
-	return fmt.Sprintf("%s=%d:%d", u.Name, u.Soft, u.Hard)
-}

libnetwork/vendor/github.com/opencontainers/runc/LICENSE

@@ -1,191 +0,0 @@
-
-                                 Apache License
-                           Version 2.0, January 2004
-                        http://www.apache.org/licenses/
-
-   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
-
-   1. Definitions.
-
-      "License" shall mean the terms and conditions for use, reproduction,
-      and distribution as defined by Sections 1 through 9 of this document.
-
-      "Licensor" shall mean the copyright owner or entity authorized by
-      the copyright owner that is granting the License.
-
-      "Legal Entity" shall mean the union of the acting entity and all
-      other entities that control, are controlled by, or are under common
-      control with that entity. For the purposes of this definition,
-      "control" means (i) the power, direct or indirect, to cause the
-      direction or management of such entity, whether by contract or
-      otherwise, or (ii) ownership of fifty percent (50%) or more of the
-      outstanding shares, or (iii) beneficial ownership of such entity.
-
-      "You" (or "Your") shall mean an individual or Legal Entity
-      exercising permissions granted by this License.
-
-      "Source" form shall mean the preferred form for making modifications,
-      including but not limited to software source code, documentation
-      source, and configuration files.
-
-      "Object" form shall mean any form resulting from mechanical
-      transformation or translation of a Source form, including but
-      not limited to compiled object code, generated documentation,
-      and conversions to other media types.
-
-      "Work" shall mean the work of authorship, whether in Source or
-      Object form, made available under the License, as indicated by a
-      copyright notice that is included in or attached to the work
-      (an example is provided in the Appendix below).
-
-      "Derivative Works" shall mean any work, whether in Source or Object
-      form, that is based on (or derived from) the Work and for which the
-      editorial revisions, annotations, elaborations, or other modifications
-      represent, as a whole, an original work of authorship. For the purposes
-      of this License, Derivative Works shall not include works that remain
-      separable from, or merely link (or bind by name) to the interfaces of,
-      the Work and Derivative Works thereof.
-
-      "Contribution" shall mean any work of authorship, including
-      the original version of the Work and any modifications or additions
-      to that Work or Derivative Works thereof, that is intentionally
-      submitted to Licensor for inclusion in the Work by the copyright owner
-      or by an individual or Legal Entity authorized to submit on behalf of
-      the copyright owner. For the purposes of this definition, "submitted"
-      means any form of electronic, verbal, or written communication sent
-      to the Licensor or its representatives, including but not limited to
-      communication on electronic mailing lists, source code control systems,
-      and issue tracking systems that are managed by, or on behalf of, the
-      Licensor for the purpose of discussing and improving the Work, but
-      excluding communication that is conspicuously marked or otherwise
-      designated in writing by the copyright owner as "Not a Contribution."
-
-      "Contributor" shall mean Licensor and any individual or Legal Entity
-      on behalf of whom a Contribution has been received by Licensor and
-      subsequently incorporated within the Work.
-
-   2. Grant of Copyright License. Subject to the terms and conditions of
-      this License, each Contributor hereby grants to You a perpetual,
-      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-      copyright license to reproduce, prepare Derivative Works of,
-      publicly display, publicly perform, sublicense, and distribute the
-      Work and such Derivative Works in Source or Object form.
-
-   3. Grant of Patent License. Subject to the terms and conditions of
-      this License, each Contributor hereby grants to You a perpetual,
-      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-      (except as stated in this section) patent license to make, have made,
-      use, offer to sell, sell, import, and otherwise transfer the Work,
-      where such license applies only to those patent claims licensable
-      by such Contributor that are necessarily infringed by their
-      Contribution(s) alone or by combination of their Contribution(s)
-      with the Work to which such Contribution(s) was submitted. If You
-      institute patent litigation against any entity (including a
-      cross-claim or counterclaim in a lawsuit) alleging that the Work
-      or a Contribution incorporated within the Work constitutes direct
-      or contributory patent infringement, then any patent licenses
-      granted to You under this License for that Work shall terminate
-      as of the date such litigation is filed.
-
-   4. Redistribution. You may reproduce and distribute copies of the
-      Work or Derivative Works thereof in any medium, with or without
-      modifications, and in Source or Object form, provided that You
-      meet the following conditions:
-
-      (a) You must give any other recipients of the Work or
-          Derivative Works a copy of this License; and
-
-      (b) You must cause any modified files to carry prominent notices
-          stating that You changed the files; and
-
-      (c) You must retain, in the Source form of any Derivative Works
-          that You distribute, all copyright, patent, trademark, and
-          attribution notices from the Source form of the Work,
-          excluding those notices that do not pertain to any part of
-          the Derivative Works; and
-
-      (d) If the Work includes a "NOTICE" text file as part of its
-          distribution, then any Derivative Works that You distribute must
-          include a readable copy of the attribution notices contained
-          within such NOTICE file, excluding those notices that do not
-          pertain to any part of the Derivative Works, in at least one
-          of the following places: within a NOTICE text file distributed
-          as part of the Derivative Works; within the Source form or
-          documentation, if provided along with the Derivative Works; or,
-          within a display generated by the Derivative Works, if and
-          wherever such third-party notices normally appear. The contents
-          of the NOTICE file are for informational purposes only and
-          do not modify the License. You may add Your own attribution
-          notices within Derivative Works that You distribute, alongside
-          or as an addendum to the NOTICE text from the Work, provided
-          that such additional attribution notices cannot be construed
-          as modifying the License.
-
-      You may add Your own copyright statement to Your modifications and
-      may provide additional or different license terms and conditions
-      for use, reproduction, or distribution of Your modifications, or
-      for any such Derivative Works as a whole, provided Your use,
-      reproduction, and distribution of the Work otherwise complies with
-      the conditions stated in this License.
-
-   5. Submission of Contributions. Unless You explicitly state otherwise,
-      any Contribution intentionally submitted for inclusion in the Work
-      by You to the Licensor shall be under the terms and conditions of
-      this License, without any additional terms or conditions.
-      Notwithstanding the above, nothing herein shall supersede or modify
-      the terms of any separate license agreement you may have executed
-      with Licensor regarding such Contributions.
-
-   6. Trademarks. This License does not grant permission to use the trade
-      names, trademarks, service marks, or product names of the Licensor,
-      except as required for reasonable and customary use in describing the
-      origin of the Work and reproducing the content of the NOTICE file.
-
-   7. Disclaimer of Warranty. Unless required by applicable law or
-      agreed to in writing, Licensor provides the Work (and each
-      Contributor provides its Contributions) on an "AS IS" BASIS,
-      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
-      implied, including, without limitation, any warranties or conditions
-      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
-      PARTICULAR PURPOSE. You are solely responsible for determining the
-      appropriateness of using or redistributing the Work and assume any
-      risks associated with Your exercise of permissions under this License.
-
-   8. Limitation of Liability. In no event and under no legal theory,
-      whether in tort (including negligence), contract, or otherwise,
-      unless required by applicable law (such as deliberate and grossly
-      negligent acts) or agreed to in writing, shall any Contributor be
-      liable to You for damages, including any direct, indirect, special,
-      incidental, or consequential damages of any character arising as a
-      result of this License or out of the use or inability to use the
-      Work (including but not limited to damages for loss of goodwill,
-      work stoppage, computer failure or malfunction, or any and all
-      other commercial damages or losses), even if such Contributor
-      has been advised of the possibility of such damages.
-
-   9. Accepting Warranty or Additional Liability. While redistributing
-      the Work or Derivative Works thereof, You may choose to offer,
-      and charge a fee for, acceptance of support, warranty, indemnity,
-      or other liability obligations and/or rights consistent with this
-      License. However, in accepting such obligations, You may act only
-      on Your own behalf and on Your sole responsibility, not on behalf
-      of any other Contributor, and only if You agree to indemnify,
-      defend, and hold each Contributor harmless for any liability
-      incurred by, or claims asserted against, such Contributor by reason
-      of your accepting any such warranty or additional liability.
-
-   END OF TERMS AND CONDITIONS
-
-   Copyright 2014 Docker, Inc.
-
-   Licensed under the Apache License, Version 2.0 (the "License");
-   you may not use this file except in compliance with the License.
-   You may obtain a copy of the License at
-
-       http://www.apache.org/licenses/LICENSE-2.0
-
-   Unless required by applicable law or agreed to in writing, software
-   distributed under the License is distributed on an "AS IS" BASIS,
-   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-   See the License for the specific language governing permissions and
-   limitations under the License.

libnetwork/vendor/github.com/opencontainers/runc/NOTICE

@@ -1,17 +0,0 @@
-runc
-
-Copyright 2012-2015 Docker, Inc.
-
-This product includes software developed at Docker, Inc. (http://www.docker.com).
-
-The following is courtesy of our legal counsel:
-
-
-Use and transfer of Docker may be subject to certain restrictions by the
-United States and other governments.  
-It is your responsibility to ensure that your use and/or transfer does not
-violate applicable laws. 
-
-For more information, please see http://www.bis.doc.gov
-
-See also http://www.apache.org/dev/crypto.html and/or seek legal counsel.

libnetwork/vendor/github.com/opencontainers/runc/README.md

@@ -1,269 +0,0 @@
-# runc
-
-[![Build Status](https://travis-ci.org/opencontainers/runc.svg?branch=master)](https://travis-ci.org/opencontainers/runc)
-[![Go Report Card](https://goreportcard.com/badge/github.com/opencontainers/runc)](https://goreportcard.com/report/github.com/opencontainers/runc)
-[![GoDoc](https://godoc.org/github.com/opencontainers/runc?status.svg)](https://godoc.org/github.com/opencontainers/runc)
-
-## Introduction
-
-`runc` is a CLI tool for spawning and running containers according to the OCI specification.
-
-## Releases
-
-`runc` depends on and tracks the [runtime-spec](https://github.com/opencontainers/runtime-spec) repository.
-We will try to make sure that `runc` and the OCI specification major versions stay in lockstep.
-This means that `runc` 1.0.0 should implement the 1.0 version of the specification.
-
-You can find official releases of `runc` on the [release](https://github.com/opencontainers/runc/releases) page.
-
-## Security
-
-Reporting process and disclosure communications are outlined in [/org/security](https://github.com/opencontainers/org/blob/master/security/)
-
-## Building
-
-`runc` currently supports the Linux platform with various architecture support.
-It must be built with Go version 1.6 or higher in order for some features to function properly.
-
-In order to enable seccomp support you will need to install `libseccomp` on your platform.
-> e.g. `libseccomp-devel` for CentOS, or `libseccomp-dev` for Ubuntu
-
-Otherwise, if you do not want to build `runc` with seccomp support you can add `BUILDTAGS=""` when running make.
-
-```bash
-# create a 'github.com/opencontainers' in your GOPATH/src
-cd github.com/opencontainers
-git clone https://github.com/opencontainers/runc
-cd runc
-
-make
-sudo make install
-```
-
-You can also use `go get` to install to your `GOPATH`, assuming that you have a `github.com` parent folder already created under `src`:
-
-```bash
-go get github.com/opencontainers/runc
-cd $GOPATH/src/github.com/opencontainers/runc
-make
-sudo make install
-```
-
-`runc` will be installed to `/usr/local/sbin/runc` on your system.
-
-
-#### Build Tags
-
-`runc` supports optional build tags for compiling support of various features.
-To add build tags to the make option the `BUILDTAGS` variable must be set.
-
-```bash
-make BUILDTAGS='seccomp apparmor'
-```
-
-| Build Tag | Feature                            | Dependency  |
-|-----------|------------------------------------|-------------|
-| seccomp   | Syscall filtering                  | libseccomp  |
-| selinux   | selinux process and mount labeling | <none>      |
-| apparmor  | apparmor profile support           | <none>      |
-| ambient   | ambient capability support         | kernel 4.3  |
-| nokmem    | disable kernel memory account      | <none>      |
-
-
-### Running the test suite
-
-`runc` currently supports running its test suite via Docker.
-To run the suite just type `make test`.
-
-```bash
-make test
-```
-
-There are additional make targets for running the tests outside of a container but this is not recommended as the tests are written with the expectation that they can write and remove anywhere.
-
-You can run a specific test case by setting the `TESTFLAGS` variable.
-
-```bash
-# make test TESTFLAGS="-run=SomeTestFunction"
-```
-
-You can run a specific integration test by setting the `TESTPATH` variable.
-
-```bash
-# make test TESTPATH="/checkpoint.bats"
-```
-
-You can run a test in your proxy environment by setting `DOCKER_BUILD_PROXY` and `DOCKER_RUN_PROXY` variables.
-
-```bash
-# make test DOCKER_BUILD_PROXY="--build-arg HTTP_PROXY=http://yourproxy/" DOCKER_RUN_PROXY="-e HTTP_PROXY=http://yourproxy/"
-```
-
-### Dependencies Management
-
-`runc` uses [vndr](https://github.com/LK4D4/vndr) for dependencies management.
-Please refer to [vndr](https://github.com/LK4D4/vndr) for how to add or update
-new dependencies.
-
-## Using runc
-
-### Creating an OCI Bundle
-
-In order to use runc you must have your container in the format of an OCI bundle.
-If you have Docker installed you can use its `export` method to acquire a root filesystem from an existing Docker container.
-
-```bash
-# create the top most bundle directory
-mkdir /mycontainer
-cd /mycontainer
-
-# create the rootfs directory
-mkdir rootfs
-
-# export busybox via Docker into the rootfs directory
-docker export $(docker create busybox) | tar -C rootfs -xvf -
-```
-
-After a root filesystem is populated you just generate a spec in the format of a `config.json` file inside your bundle.
-`runc` provides a `spec` command to generate a base template spec that you are then able to edit.
-To find features and documentation for fields in the spec please refer to the [specs](https://github.com/opencontainers/runtime-spec) repository.
-
-```bash
-runc spec
-```
-
-### Running Containers
-
-Assuming you have an OCI bundle from the previous step you can execute the container in two different ways.
-
-The first way is to use the convenience command `run` that will handle creating, starting, and deleting the container after it exits.
-
-```bash
-# run as root
-cd /mycontainer
-runc run mycontainerid
-```
-
-If you used the unmodified `runc spec` template this should give you a `sh` session inside the container.
-
-The second way to start a container is using the specs lifecycle operations.
-This gives you more power over how the container is created and managed while it is running.
-This will also launch the container in the background so you will have to edit the `config.json` to remove the `terminal` setting for the simple examples here.
-Your process field in the `config.json` should look like this below with `"terminal": false` and `"args": ["sleep", "5"]`.
-
-
-```json
-        "process": {
-                "terminal": false,
-                "user": {
-                        "uid": 0,
-                        "gid": 0
-                },
-                "args": [
-                        "sleep", "5"
-                ],
-                "env": [
-                        "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
-                        "TERM=xterm"
-                ],
-                "cwd": "/",
-                "capabilities": {
-                        "bounding": [
-                                "CAP_AUDIT_WRITE",
-                                "CAP_KILL",
-                                "CAP_NET_BIND_SERVICE"
-                        ],
-                        "effective": [
-                                "CAP_AUDIT_WRITE",
-                                "CAP_KILL",
-                                "CAP_NET_BIND_SERVICE"
-                        ],
-                        "inheritable": [
-                                "CAP_AUDIT_WRITE",
-                                "CAP_KILL",
-                                "CAP_NET_BIND_SERVICE"
-                        ],
-                        "permitted": [
-                                "CAP_AUDIT_WRITE",
-                                "CAP_KILL",
-                                "CAP_NET_BIND_SERVICE"
-                        ],
-                        "ambient": [
-                                "CAP_AUDIT_WRITE",
-                                "CAP_KILL",
-                                "CAP_NET_BIND_SERVICE"
-                        ]
-                },
-                "rlimits": [
-                        {
-                                "type": "RLIMIT_NOFILE",
-                                "hard": 1024,
-                                "soft": 1024
-                        }
-                ],
-                "noNewPrivileges": true
-        },
-```
-
-Now we can go through the lifecycle operations in your shell.
-
-
-```bash
-# run as root
-cd /mycontainer
-runc create mycontainerid
-
-# view the container is created and in the "created" state
-runc list
-
-# start the process inside the container
-runc start mycontainerid
-
-# after 5 seconds view that the container has exited and is now in the stopped state
-runc list
-
-# now delete the container
-runc delete mycontainerid
-```
-
-This allows higher level systems to augment the containers creation logic with setup of various settings after the container is created and/or before it is deleted. For example, the container's network stack is commonly set up after `create` but before `start`.
-
-#### Rootless containers
-`runc` has the ability to run containers without root privileges. This is called `rootless`. You need to pass some parameters to `runc` in order to run rootless containers. See below and compare with the previous version. Run the following commands as an ordinary user:
-```bash
-# Same as the first example
-mkdir ~/mycontainer
-cd ~/mycontainer
-mkdir rootfs
-docker export $(docker create busybox) | tar -C rootfs -xvf -
-
-# The --rootless parameter instructs runc spec to generate a configuration for a rootless container, which will allow you to run the container as a non-root user.
-runc spec --rootless
-
-# The --root parameter tells runc where to store the container state. It must be writable by the user.
-runc --root /tmp/runc run mycontainerid
-```
-
-#### Supervisors
-
-`runc` can be used with process supervisors and init systems to ensure that containers are restarted when they exit.
-An example systemd unit file looks something like this.
-
-```systemd
-[Unit]
-Description=Start My Container
-
-[Service]
-Type=forking
-ExecStart=/usr/local/sbin/runc run -d --pid-file /run/mycontainerid.pid mycontainerid
-ExecStopPost=/usr/local/sbin/runc delete mycontainerid
-WorkingDirectory=/mycontainer
-PIDFile=/run/mycontainerid.pid
-
-[Install]
-WantedBy=multi-user.target
-```
-
-## License
-
-The code and docs are released under the [Apache 2.0 license](LICENSE).

libnetwork/vendor/github.com/opencontainers/runc/libcontainer/README.md

@@ -1,330 +0,0 @@
-# libcontainer
-
-[![GoDoc](https://godoc.org/github.com/opencontainers/runc/libcontainer?status.svg)](https://godoc.org/github.com/opencontainers/runc/libcontainer)
-
-Libcontainer provides a native Go implementation for creating containers
-with namespaces, cgroups, capabilities, and filesystem access controls.
-It allows you to manage the lifecycle of the container performing additional operations
-after the container is created.
-
-
-#### Container
-A container is a self contained execution environment that shares the kernel of the
-host system and which is (optionally) isolated from other containers in the system.
-
-#### Using libcontainer
-
-Because containers are spawned in a two step process you will need a binary that
-will be executed as the init process for the container. In libcontainer, we use
-the current binary (/proc/self/exe) to be executed as the init process, and use
-arg "init", we call the first step process "bootstrap", so you always need a "init"
-function as the entry of "bootstrap".
-
-In addition to the go init function the early stage bootstrap is handled by importing
-[nsenter](https://github.com/opencontainers/runc/blob/master/libcontainer/nsenter/README.md).
-
-```go
-import (
-	_ "github.com/opencontainers/runc/libcontainer/nsenter"
-)
-
-func init() {
-	if len(os.Args) > 1 && os.Args[1] == "init" {
-		runtime.GOMAXPROCS(1)
-		runtime.LockOSThread()
-		factory, _ := libcontainer.New("")
-		if err := factory.StartInitialization(); err != nil {
-			logrus.Fatal(err)
-		}
-		panic("--this line should have never been executed, congratulations--")
-	}
-}
-```
-
-Then to create a container you first have to initialize an instance of a factory
-that will handle the creation and initialization for a container.
-
-```go
-factory, err := libcontainer.New("/var/lib/container", libcontainer.Cgroupfs, libcontainer.InitArgs(os.Args[0], "init"))
-if err != nil {
-	logrus.Fatal(err)
-	return
-}
-```
-
-Once you have an instance of the factory created we can create a configuration
-struct describing how the container is to be created. A sample would look similar to this:
-
-```go
-defaultMountFlags := unix.MS_NOEXEC | unix.MS_NOSUID | unix.MS_NODEV
-config := &configs.Config{
-	Rootfs: "/your/path/to/rootfs",
-	Capabilities: &configs.Capabilities{
-                Bounding: []string{
-                        "CAP_CHOWN",
-                        "CAP_DAC_OVERRIDE",
-                        "CAP_FSETID",
-                        "CAP_FOWNER",
-                        "CAP_MKNOD",
-                        "CAP_NET_RAW",
-                        "CAP_SETGID",
-                        "CAP_SETUID",
-                        "CAP_SETFCAP",
-                        "CAP_SETPCAP",
-                        "CAP_NET_BIND_SERVICE",
-                        "CAP_SYS_CHROOT",
-                        "CAP_KILL",
-                        "CAP_AUDIT_WRITE",
-                },
-                Effective: []string{
-                        "CAP_CHOWN",
-                        "CAP_DAC_OVERRIDE",
-                        "CAP_FSETID",
-                        "CAP_FOWNER",
-                        "CAP_MKNOD",
-                        "CAP_NET_RAW",
-                        "CAP_SETGID",
-                        "CAP_SETUID",
-                        "CAP_SETFCAP",
-                        "CAP_SETPCAP",
-                        "CAP_NET_BIND_SERVICE",
-                        "CAP_SYS_CHROOT",
-                        "CAP_KILL",
-                        "CAP_AUDIT_WRITE",
-                },
-                Inheritable: []string{
-                        "CAP_CHOWN",
-                        "CAP_DAC_OVERRIDE",
-                        "CAP_FSETID",
-                        "CAP_FOWNER",
-                        "CAP_MKNOD",
-                        "CAP_NET_RAW",
-                        "CAP_SETGID",
-                        "CAP_SETUID",
-                        "CAP_SETFCAP",
-                        "CAP_SETPCAP",
-                        "CAP_NET_BIND_SERVICE",
-                        "CAP_SYS_CHROOT",
-                        "CAP_KILL",
-                        "CAP_AUDIT_WRITE",
-                },
-                Permitted: []string{
-                        "CAP_CHOWN",
-                        "CAP_DAC_OVERRIDE",
-                        "CAP_FSETID",
-                        "CAP_FOWNER",
-                        "CAP_MKNOD",
-                        "CAP_NET_RAW",
-                        "CAP_SETGID",
-                        "CAP_SETUID",
-                        "CAP_SETFCAP",
-                        "CAP_SETPCAP",
-                        "CAP_NET_BIND_SERVICE",
-                        "CAP_SYS_CHROOT",
-                        "CAP_KILL",
-                        "CAP_AUDIT_WRITE",
-                },
-                Ambient: []string{
-                        "CAP_CHOWN",
-                        "CAP_DAC_OVERRIDE",
-                        "CAP_FSETID",
-                        "CAP_FOWNER",
-                        "CAP_MKNOD",
-                        "CAP_NET_RAW",
-                        "CAP_SETGID",
-                        "CAP_SETUID",
-                        "CAP_SETFCAP",
-                        "CAP_SETPCAP",
-                        "CAP_NET_BIND_SERVICE",
-                        "CAP_SYS_CHROOT",
-                        "CAP_KILL",
-                        "CAP_AUDIT_WRITE",
-                },
-        },
-	Namespaces: configs.Namespaces([]configs.Namespace{
-		{Type: configs.NEWNS},
-		{Type: configs.NEWUTS},
-		{Type: configs.NEWIPC},
-		{Type: configs.NEWPID},
-		{Type: configs.NEWUSER},
-		{Type: configs.NEWNET},
-		{Type: configs.NEWCGROUP},
-	}),
-	Cgroups: &configs.Cgroup{
-		Name:   "test-container",
-		Parent: "system",
-		Resources: &configs.Resources{
-			MemorySwappiness: nil,
-			AllowAllDevices:  nil,
-			AllowedDevices:   configs.DefaultAllowedDevices,
-		},
-	},
-	MaskPaths: []string{
-		"/proc/kcore",
-		"/sys/firmware",
-	},
-	ReadonlyPaths: []string{
-		"/proc/sys", "/proc/sysrq-trigger", "/proc/irq", "/proc/bus",
-	},
-	Devices:  configs.DefaultAutoCreatedDevices,
-	Hostname: "testing",
-	Mounts: []*configs.Mount{
-		{
-			Source:      "proc",
-			Destination: "/proc",
-			Device:      "proc",
-			Flags:       defaultMountFlags,
-		},
-		{
-			Source:      "tmpfs",
-			Destination: "/dev",
-			Device:      "tmpfs",
-			Flags:       unix.MS_NOSUID | unix.MS_STRICTATIME,
-			Data:        "mode=755",
-		},
-		{
-			Source:      "devpts",
-			Destination: "/dev/pts",
-			Device:      "devpts",
-			Flags:       unix.MS_NOSUID | unix.MS_NOEXEC,
-			Data:        "newinstance,ptmxmode=0666,mode=0620,gid=5",
-		},
-		{
-			Device:      "tmpfs",
-			Source:      "shm",
-			Destination: "/dev/shm",
-			Data:        "mode=1777,size=65536k",
-			Flags:       defaultMountFlags,
-		},
-		{
-			Source:      "mqueue",
-			Destination: "/dev/mqueue",
-			Device:      "mqueue",
-			Flags:       defaultMountFlags,
-		},
-		{
-			Source:      "sysfs",
-			Destination: "/sys",
-			Device:      "sysfs",
-			Flags:       defaultMountFlags | unix.MS_RDONLY,
-		},
-	},
-	UidMappings: []configs.IDMap{
-		{
-			ContainerID: 0,
-			HostID: 1000,
-			Size: 65536,
-		},
-	},
-	GidMappings: []configs.IDMap{
-		{
-			ContainerID: 0,
-			HostID: 1000,
-			Size: 65536,
-		},
-	},
-	Networks: []*configs.Network{
-		{
-			Type:    "loopback",
-			Address: "127.0.0.1/0",
-			Gateway: "localhost",
-		},
-	},
-	Rlimits: []configs.Rlimit{
-		{
-			Type: unix.RLIMIT_NOFILE,
-			Hard: uint64(1025),
-			Soft: uint64(1025),
-		},
-	},
-}
-```
-
-Once you have the configuration populated you can create a container:
-
-```go
-container, err := factory.Create("container-id", config)
-if err != nil {
-	logrus.Fatal(err)
-	return
-}
-```
-
-To spawn bash as the initial process inside the container and have the
-processes pid returned in order to wait, signal, or kill the process:
-
-```go
-process := &libcontainer.Process{
-	Args:   []string{"/bin/bash"},
-	Env:    []string{"PATH=/bin"},
-	User:   "daemon",
-	Stdin:  os.Stdin,
-	Stdout: os.Stdout,
-	Stderr: os.Stderr,
-}
-
-err := container.Run(process)
-if err != nil {
-	container.Destroy()
-	logrus.Fatal(err)
-	return
-}
-
-// wait for the process to finish.
-_, err := process.Wait()
-if err != nil {
-	logrus.Fatal(err)
-}
-
-// destroy the container.
-container.Destroy()
-```
-
-Additional ways to interact with a running container are:
-
-```go
-// return all the pids for all processes running inside the container.
-processes, err := container.Processes()
-
-// get detailed cpu, memory, io, and network statistics for the container and
-// it's processes.
-stats, err := container.Stats()
-
-// pause all processes inside the container.
-container.Pause()
-
-// resume all paused processes.
-container.Resume()
-
-// send signal to container's init process.
-container.Signal(signal)
-
-// update container resource constraints.
-container.Set(config)
-
-// get current status of the container.
-status, err := container.Status()
-
-// get current container's state information.
-state, err := container.State()
-```
-
-
-#### Checkpoint & Restore
-
-libcontainer now integrates [CRIU](http://criu.org/) for checkpointing and restoring containers.
-This let's you save the state of a process running inside a container to disk, and then restore
-that state into a new process, on the same machine or on another machine.
-
-`criu` version 1.5.2 or higher is required to use checkpoint and restore.
-If you don't already  have `criu` installed, you can build it from source, following the
-[online instructions](http://criu.org/Installation). `criu` is also installed in the docker image
-generated when building libcontainer with docker.
-
-
-## Copyright and license
-
-Code and documentation copyright 2014 Docker, inc.
-The code and documentation are released under the [Apache 2.0 license](../LICENSE).
-The documentation is also released under Creative Commons Attribution 4.0 International License.
-You may obtain a copy of the license, titled CC-BY-4.0, at http://creativecommons.org/licenses/by/4.0/.

libnetwork/vendor/github.com/opencontainers/runc/libcontainer/nsenter/README.md

@@ -1,44 +0,0 @@
-## nsenter
-
-The `nsenter` package registers a special init constructor that is called before 
-the Go runtime has a chance to boot.  This provides us the ability to `setns` on 
-existing namespaces and avoid the issues that the Go runtime has with multiple 
-threads.  This constructor will be called if this package is registered, 
-imported, in your go application.
-
-The `nsenter` package will `import "C"` and it uses [cgo](https://golang.org/cmd/cgo/)
-package. In cgo, if the import of "C" is immediately preceded by a comment, that comment, 
-called the preamble, is used as a header when compiling the C parts of the package.
-So every time we  import package `nsenter`, the C code function `nsexec()` would be 
-called. And package `nsenter` is only imported in `init.go`, so every time the runc
-`init` command is invoked, that C code is run.
-
-Because `nsexec()` must be run before the Go runtime in order to use the
-Linux kernel namespace, you must `import` this library into a package if
-you plan to use `libcontainer` directly. Otherwise Go will not execute
-the `nsexec()` constructor, which means that the re-exec will not cause
-the namespaces to be joined. You can import it like this:
-
-```go
-import _ "github.com/opencontainers/runc/libcontainer/nsenter"
-```
-
-`nsexec()` will first get the file descriptor number for the init pipe
-from the environment variable `_LIBCONTAINER_INITPIPE` (which was opened
-by the parent and kept open across the fork-exec of the `nsexec()` init
-process). The init pipe is used to read bootstrap data (namespace paths,
-clone flags, uid and gid mappings, and the console path) from the parent
-process. `nsexec()` will then call `setns(2)` to join the namespaces
-provided in the bootstrap data (if available), `clone(2)` a child process
-with the provided clone flags, update the user and group ID mappings, do
-some further miscellaneous setup steps, and then send the PID of the
-child process to the parent of the `nsexec()` "caller". Finally,
-the parent `nsexec()` will exit and the child `nsexec()` process will
-return to allow the Go runtime take over.
-
-NOTE: We do both `setns(2)` and `clone(2)` even if we don't have any
-`CLONE_NEW*` clone flags because we must fork a new process in order to
-enter the PID namespace.
-
-
-

libnetwork/vendor/github.com/opencontainers/runc/libcontainer/nsenter/cloned_binary.c

@@ -1,516 +0,0 @@
-/*
- * Copyright (C) 2019 Aleksa Sarai <cyphar@cyphar.com>
- * Copyright (C) 2019 SUSE LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#define _GNU_SOURCE
-#include <unistd.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <stdbool.h>
-#include <string.h>
-#include <limits.h>
-#include <fcntl.h>
-#include <errno.h>
-
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <sys/statfs.h>
-#include <sys/vfs.h>
-#include <sys/mman.h>
-#include <sys/mount.h>
-#include <sys/sendfile.h>
-#include <sys/syscall.h>
-
-/* Use our own wrapper for memfd_create. */
-#if !defined(SYS_memfd_create) && defined(__NR_memfd_create)
-#  define SYS_memfd_create __NR_memfd_create
-#endif
-/* memfd_create(2) flags -- copied from <linux/memfd.h>. */
-#ifndef MFD_CLOEXEC
-#  define MFD_CLOEXEC       0x0001U
-#  define MFD_ALLOW_SEALING 0x0002U
-#endif
-int memfd_create(const char *name, unsigned int flags)
-{
-#ifdef SYS_memfd_create
-	return syscall(SYS_memfd_create, name, flags);
-#else
-	errno = ENOSYS;
-	return -1;
-#endif
-}
-
-
-/* This comes directly from <linux/fcntl.h>. */
-#ifndef F_LINUX_SPECIFIC_BASE
-#  define F_LINUX_SPECIFIC_BASE 1024
-#endif
-#ifndef F_ADD_SEALS
-#  define F_ADD_SEALS (F_LINUX_SPECIFIC_BASE + 9)
-#  define F_GET_SEALS (F_LINUX_SPECIFIC_BASE + 10)
-#endif
-#ifndef F_SEAL_SEAL
-#  define F_SEAL_SEAL   0x0001	/* prevent further seals from being set */
-#  define F_SEAL_SHRINK 0x0002	/* prevent file from shrinking */
-#  define F_SEAL_GROW   0x0004	/* prevent file from growing */
-#  define F_SEAL_WRITE  0x0008	/* prevent writes */
-#endif
-
-#define CLONED_BINARY_ENV "_LIBCONTAINER_CLONED_BINARY"
-#define RUNC_MEMFD_COMMENT "runc_cloned:/proc/self/exe"
-#define RUNC_MEMFD_SEALS \
-	(F_SEAL_SEAL | F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE)
-
-static void *must_realloc(void *ptr, size_t size)
-{
-	void *old = ptr;
-	do {
-		ptr = realloc(old, size);
-	} while(!ptr);
-	return ptr;
-}
-
-/*
- * Verify whether we are currently in a self-cloned program (namely, is
- * /proc/self/exe a memfd). F_GET_SEALS will only succeed for memfds (or rather
- * for shmem files), and we want to be sure it's actually sealed.
- */
-static int is_self_cloned(void)
-{
-	int fd, ret, is_cloned = 0;
-	struct stat statbuf = {};
-	struct statfs fsbuf = {};
-
-	fd = open("/proc/self/exe", O_RDONLY|O_CLOEXEC);
-	if (fd < 0)
-		return -ENOTRECOVERABLE;
-
-	/*
-	 * Is the binary a fully-sealed memfd? We don't need CLONED_BINARY_ENV for
-	 * this, because you cannot write to a sealed memfd no matter what (so
-	 * sharing it isn't a bad thing -- and an admin could bind-mount a sealed
-	 * memfd to /usr/bin/runc to allow re-use).
-	 */
-	ret = fcntl(fd, F_GET_SEALS);
-	if (ret >= 0) {
-		is_cloned = (ret == RUNC_MEMFD_SEALS);
-		goto out;
-	}
-
-	/*
-	 * All other forms require CLONED_BINARY_ENV, since they are potentially
-	 * writeable (or we can't tell if they're fully safe) and thus we must
-	 * check the environment as an extra layer of defence.
-	 */
-	if (!getenv(CLONED_BINARY_ENV)) {
-		is_cloned = false;
-		goto out;
-	}
-
-	/*
-	 * Is the binary on a read-only filesystem? We can't detect bind-mounts in
-	 * particular (in-kernel they are identical to regular mounts) but we can
-	 * at least be sure that it's read-only. In addition, to make sure that
-	 * it's *our* bind-mount we check CLONED_BINARY_ENV.
-	 */
-	if (fstatfs(fd, &fsbuf) >= 0)
-		is_cloned |= (fsbuf.f_flags & MS_RDONLY);
-
-	/*
-	 * Okay, we're a tmpfile -- or we're currently running on RHEL <=7.6
-	 * which appears to have a borked backport of F_GET_SEALS. Either way,
-	 * having a file which has no hardlinks indicates that we aren't using
-	 * a host-side "runc" binary and this is something that a container
-	 * cannot fake (because unlinking requires being able to resolve the
-	 * path that you want to unlink).
-	 */
-	if (fstat(fd, &statbuf) >= 0)
-		is_cloned |= (statbuf.st_nlink == 0);
-
-out:
-	close(fd);
-	return is_cloned;
-}
-
-/* Read a given file into a new buffer, and providing the length. */
-static char *read_file(char *path, size_t *length)
-{
-	int fd;
-	char buf[4096], *copy = NULL;
-
-	if (!length)
-		return NULL;
-
-	fd = open(path, O_RDONLY | O_CLOEXEC);
-	if (fd < 0)
-		return NULL;
-
-	*length = 0;
-	for (;;) {
-		ssize_t n;
-
-		n = read(fd, buf, sizeof(buf));
-		if (n < 0)
-			goto error;
-		if (!n)
-			break;
-
-		copy = must_realloc(copy, (*length + n) * sizeof(*copy));
-		memcpy(copy + *length, buf, n);
-		*length += n;
-	}
-	close(fd);
-	return copy;
-
-error:
-	close(fd);
-	free(copy);
-	return NULL;
-}
-
-/*
- * A poor-man's version of "xargs -0". Basically parses a given block of
- * NUL-delimited data, within the given length and adds a pointer to each entry
- * to the array of pointers.
- */
-static int parse_xargs(char *data, int data_length, char ***output)
-{
-	int num = 0;
-	char *cur = data;
-
-	if (!data || *output != NULL)
-		return -1;
-
-	while (cur < data + data_length) {
-		num++;
-		*output = must_realloc(*output, (num + 1) * sizeof(**output));
-		(*output)[num - 1] = cur;
-		cur += strlen(cur) + 1;
-	}
-	(*output)[num] = NULL;
-	return num;
-}
-
-/*
- * "Parse" out argv from /proc/self/cmdline.
- * This is necessary because we are running in a context where we don't have a
- * main() that we can just get the arguments from.
- */
-static int fetchve(char ***argv)
-{
-	char *cmdline = NULL;
-	size_t cmdline_size;
-
-	cmdline = read_file("/proc/self/cmdline", &cmdline_size);
-	if (!cmdline)
-		goto error;
-
-	if (parse_xargs(cmdline, cmdline_size, argv) <= 0)
-		goto error;
-
-	return 0;
-
-error:
-	free(cmdline);
-	return -EINVAL;
-}
-
-enum {
-	EFD_NONE = 0,
-	EFD_MEMFD,
-	EFD_FILE,
-};
-
-/*
- * This comes from <linux/fcntl.h>. We can't hard-code __O_TMPFILE because it
- * changes depending on the architecture. If we don't have O_TMPFILE we always
- * have the mkostemp(3) fallback.
- */
-#ifndef O_TMPFILE
-#  if defined(__O_TMPFILE) && defined(O_DIRECTORY)
-#    define O_TMPFILE (__O_TMPFILE | O_DIRECTORY)
-#  endif
-#endif
-
-static int make_execfd(int *fdtype)
-{
-	int fd = -1;
-	char template[PATH_MAX] = {0};
-	char *prefix = secure_getenv("_LIBCONTAINER_STATEDIR");
-
-	if (!prefix || *prefix != '/')
-		prefix = "/tmp";
-	if (snprintf(template, sizeof(template), "%s/runc.XXXXXX", prefix) < 0)
-		return -1;
-
-	/*
-	 * Now try memfd, it's much nicer than actually creating a file in STATEDIR
-	 * since it's easily detected thanks to sealing and also doesn't require
-	 * assumptions about STATEDIR.
-	 */
-	*fdtype = EFD_MEMFD;
-	fd = memfd_create(RUNC_MEMFD_COMMENT, MFD_CLOEXEC | MFD_ALLOW_SEALING);
-	if (fd >= 0)
-		return fd;
-	if (errno != ENOSYS && errno != EINVAL)
-		goto error;
-
-#ifdef O_TMPFILE
-	/*
-	 * Try O_TMPFILE to avoid races where someone might snatch our file. Note
-	 * that O_EXCL isn't actually a security measure here (since you can just
-	 * fd re-open it and clear O_EXCL).
-	 */
-	*fdtype = EFD_FILE;
-	fd = open(prefix, O_TMPFILE | O_EXCL | O_RDWR | O_CLOEXEC, 0700);
-	if (fd >= 0) {
-		struct stat statbuf = {};
-		bool working_otmpfile = false;
-
-		/*
-		 * open(2) ignores unknown O_* flags -- yeah, I was surprised when I
-		 * found this out too. As a result we can't check for EINVAL. However,
-		 * if we get nlink != 0 (or EISDIR) then we know that this kernel
-		 * doesn't support O_TMPFILE.
-		 */
-		if (fstat(fd, &statbuf) >= 0)
-			working_otmpfile = (statbuf.st_nlink == 0);
-
-		if (working_otmpfile)
-			return fd;
-
-		/* Pretend that we got EISDIR since O_TMPFILE failed. */
-		close(fd);
-		errno = EISDIR;
-	}
-	if (errno != EISDIR)
-		goto error;
-#endif /* defined(O_TMPFILE) */
-
-	/*
-	 * Our final option is to create a temporary file the old-school way, and
-	 * then unlink it so that nothing else sees it by accident.
-	 */
-	*fdtype = EFD_FILE;
-	fd = mkostemp(template, O_CLOEXEC);
-	if (fd >= 0) {
-		if (unlink(template) >= 0)
-			return fd;
-		close(fd);
-	}
-
-error:
-	*fdtype = EFD_NONE;
-	return -1;
-}
-
-static int seal_execfd(int *fd, int fdtype)
-{
-	switch (fdtype) {
-	case EFD_MEMFD:
-		return fcntl(*fd, F_ADD_SEALS, RUNC_MEMFD_SEALS);
-	case EFD_FILE: {
-		/* Need to re-open our pseudo-memfd as an O_PATH to avoid execve(2) giving -ETXTBSY. */
-		int newfd;
-		char fdpath[PATH_MAX] = {0};
-
-		if (fchmod(*fd, 0100) < 0)
-			return -1;
-
-		if (snprintf(fdpath, sizeof(fdpath), "/proc/self/fd/%d", *fd) < 0)
-			return -1;
-
-		newfd = open(fdpath, O_PATH | O_CLOEXEC);
-		if (newfd < 0)
-			return -1;
-
-		close(*fd);
-		*fd = newfd;
-		return 0;
-	}
-	default:
-	   break;
-	}
-	return -1;
-}
-
-static int try_bindfd(void)
-{
-	int fd, ret = -1;
-	char template[PATH_MAX] = {0};
-	char *prefix = secure_getenv("_LIBCONTAINER_STATEDIR");
-
-	if (!prefix || *prefix != '/')
-		prefix = "/tmp";
-	if (snprintf(template, sizeof(template), "%s/runc.XXXXXX", prefix) < 0)
-		return ret;
-
-	/*
-	 * We need somewhere to mount it, mounting anything over /proc/self is a
-	 * BAD idea on the host -- even if we do it temporarily.
-	 */
-	fd = mkstemp(template);
-	if (fd < 0)
-		return ret;
-	close(fd);
-
-	/*
-	 * For obvious reasons this won't work in rootless mode because we haven't
-	 * created a userns+mntns -- but getting that to work will be a bit
-	 * complicated and it's only worth doing if someone actually needs it.
-	 */
-	ret = -EPERM;
-	if (mount("/proc/self/exe", template, "", MS_BIND, "") < 0)
-		goto out;
-	if (mount("", template, "", MS_REMOUNT | MS_BIND | MS_RDONLY, "") < 0)
-		goto out_umount;
-
-
-	/* Get read-only handle that we're sure can't be made read-write. */
-	ret = open(template, O_PATH | O_CLOEXEC);
-
-out_umount:
-	/*
-	 * Make sure the MNT_DETACH works, otherwise we could get remounted
-	 * read-write and that would be quite bad (the fd would be made read-write
-	 * too, invalidating the protection).
-	 */
-	if (umount2(template, MNT_DETACH) < 0) {
-		if (ret >= 0)
-			close(ret);
-		ret = -ENOTRECOVERABLE;
-	}
-
-out:
-	/*
-	 * We don't care about unlink errors, the worst that happens is that
-	 * there's an empty file left around in STATEDIR.
-	 */
-	unlink(template);
-	return ret;
-}
-
-static ssize_t fd_to_fd(int outfd, int infd)
-{
-	ssize_t total = 0;
-	char buffer[4096];
-
-	for (;;) {
-		ssize_t nread, nwritten = 0;
-
-		nread = read(infd, buffer, sizeof(buffer));
-		if (nread < 0)
-			return -1;
-		if (!nread)
-			break;
-
-		do {
-			ssize_t n = write(outfd, buffer + nwritten, nread - nwritten);
-			if (n < 0)
-				return -1;
-			nwritten += n;
-		} while(nwritten < nread);
-
-		total += nwritten;
-	}
-
-	return total;
-}
-
-static int clone_binary(void)
-{
-	int binfd, execfd;
-	struct stat statbuf = {};
-	size_t sent = 0;
-	int fdtype = EFD_NONE;
-
-	/*
-	 * Before we resort to copying, let's try creating an ro-binfd in one shot
-	 * by getting a handle for a read-only bind-mount of the execfd.
-	 */
-	execfd = try_bindfd();
-	if (execfd >= 0)
-		return execfd;
-
-	/*
-	 * Dammit, that didn't work -- time to copy the binary to a safe place we
-	 * can seal the contents.
-	 */
-	execfd = make_execfd(&fdtype);
-	if (execfd < 0 || fdtype == EFD_NONE)
-		return -ENOTRECOVERABLE;
-
-	binfd = open("/proc/self/exe", O_RDONLY | O_CLOEXEC);
-	if (binfd < 0)
-		goto error;
-
-	if (fstat(binfd, &statbuf) < 0)
-		goto error_binfd;
-
-	while (sent < statbuf.st_size) {
-		int n = sendfile(execfd, binfd, NULL, statbuf.st_size - sent);
-		if (n < 0) {
-			/* sendfile can fail so we fallback to a dumb user-space copy. */
-			n = fd_to_fd(execfd, binfd);
-			if (n < 0)
-				goto error_binfd;
-		}
-		sent += n;
-	}
-	close(binfd);
-	if (sent != statbuf.st_size)
-		goto error;
-
-	if (seal_execfd(&execfd, fdtype) < 0)
-		goto error;
-
-	return execfd;
-
-error_binfd:
-	close(binfd);
-error:
-	close(execfd);
-	return -EIO;
-}
-
-/* Get cheap access to the environment. */
-extern char **environ;
-
-int ensure_cloned_binary(void)
-{
-	int execfd;
-	char **argv = NULL;
-
-	/* Check that we're not self-cloned, and if we are then bail. */
-	int cloned = is_self_cloned();
-	if (cloned > 0 || cloned == -ENOTRECOVERABLE)
-		return cloned;
-
-	if (fetchve(&argv) < 0)
-		return -EINVAL;
-
-	execfd = clone_binary();
-	if (execfd < 0)
-		return -EIO;
-
-	if (putenv(CLONED_BINARY_ENV "=1"))
-		goto error;
-
-	fexecve(execfd, argv, environ);
-error:
-	close(execfd);
-	return -ENOEXEC;
-}

libnetwork/vendor/github.com/opencontainers/runc/libcontainer/nsenter/namespace.h

@@ -1,32 +0,0 @@
-#ifndef NSENTER_NAMESPACE_H
-#define NSENTER_NAMESPACE_H
-
-#ifndef _GNU_SOURCE
-#	define _GNU_SOURCE
-#endif
-#include <sched.h>
-
-/* All of these are taken from include/uapi/linux/sched.h */
-#ifndef CLONE_NEWNS
-#	define CLONE_NEWNS 0x00020000 /* New mount namespace group */
-#endif
-#ifndef CLONE_NEWCGROUP
-#	define CLONE_NEWCGROUP 0x02000000 /* New cgroup namespace */
-#endif
-#ifndef CLONE_NEWUTS
-#	define CLONE_NEWUTS 0x04000000 /* New utsname namespace */
-#endif
-#ifndef CLONE_NEWIPC
-#	define CLONE_NEWIPC 0x08000000 /* New ipc namespace */
-#endif
-#ifndef CLONE_NEWUSER
-#	define CLONE_NEWUSER 0x10000000 /* New user namespace */
-#endif
-#ifndef CLONE_NEWPID
-#	define CLONE_NEWPID 0x20000000 /* New pid namespace */
-#endif
-#ifndef CLONE_NEWNET
-#	define CLONE_NEWNET 0x40000000 /* New network namespace */
-#endif
-
-#endif /* NSENTER_NAMESPACE_H */

libnetwork/vendor/github.com/opencontainers/runc/libcontainer/nsenter/nsenter.go

@@ -1,12 +0,0 @@
-// +build linux,!gccgo
-
-package nsenter
-
-/*
-#cgo CFLAGS: -Wall
-extern void nsexec();
-void __attribute__((constructor)) init(void) {
-	nsexec();
-}
-*/
-import "C"

libnetwork/vendor/github.com/opencontainers/runc/libcontainer/nsenter/nsenter_gccgo.go

@@ -1,25 +0,0 @@
-// +build linux,gccgo
-
-package nsenter
-
-/*
-#cgo CFLAGS: -Wall
-extern void nsexec();
-void __attribute__((constructor)) init(void) {
-	nsexec();
-}
-*/
-import "C"
-
-// AlwaysFalse is here to stay false
-// (and be exported so the compiler doesn't optimize out its reference)
-var AlwaysFalse bool
-
-func init() {
-	if AlwaysFalse {
-		// by referencing this C init() in a noop test, it will ensure the compiler
-		// links in the C function.
-		// https://gcc.gnu.org/bugzilla/show_bug.cgi?id=65134
-		C.init()
-	}
-}

libnetwork/vendor/github.com/opencontainers/runc/libcontainer/nsenter/nsenter_unsupported.go

@@ -1,5 +0,0 @@
-// +build !linux !cgo
-
-package nsenter
-
-import "C"

libnetwork/vendor/github.com/opencontainers/runc/libcontainer/nsenter/nsexec.c

@@ -1,1006 +0,0 @@
-
-#define _GNU_SOURCE
-#include <endian.h>
-#include <errno.h>
-#include <fcntl.h>
-#include <grp.h>
-#include <sched.h>
-#include <setjmp.h>
-#include <signal.h>
-#include <stdarg.h>
-#include <stdbool.h>
-#include <stdint.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <stdbool.h>
-#include <string.h>
-#include <unistd.h>
-
-#include <sys/ioctl.h>
-#include <sys/prctl.h>
-#include <sys/socket.h>
-#include <sys/types.h>
-#include <sys/wait.h>
-
-#include <linux/limits.h>
-#include <linux/netlink.h>
-#include <linux/types.h>
-
-/* Get all of the CLONE_NEW* flags. */
-#include "namespace.h"
-
-/* Synchronisation values. */
-enum sync_t {
-	SYNC_USERMAP_PLS = 0x40,	/* Request parent to map our users. */
-	SYNC_USERMAP_ACK = 0x41,	/* Mapping finished by the parent. */
-	SYNC_RECVPID_PLS = 0x42,	/* Tell parent we're sending the PID. */
-	SYNC_RECVPID_ACK = 0x43,	/* PID was correctly received by parent. */
-	SYNC_GRANDCHILD = 0x44,	/* The grandchild is ready to run. */
-	SYNC_CHILD_READY = 0x45,	/* The child or grandchild is ready to return. */
-
-	/* XXX: This doesn't help with segfaults and other such issues. */
-	SYNC_ERR = 0xFF,	/* Fatal error, no turning back. The error code follows. */
-};
-
-/*
- * Synchronisation value for cgroup namespace setup.
- * The same constant is defined in process_linux.go as "createCgroupns".
- */
-#define CREATECGROUPNS 0x80
-
-/* longjmp() arguments. */
-#define JUMP_PARENT 0x00
-#define JUMP_CHILD  0xA0
-#define JUMP_INIT   0xA1
-
-/* JSON buffer. */
-#define JSON_MAX 4096
-
-/* Assume the stack grows down, so arguments should be above it. */
-struct clone_t {
-	/*
-	 * Reserve some space for clone() to locate arguments
-	 * and retcode in this place
-	 */
-	char stack[4096] __attribute__ ((aligned(16)));
-	char stack_ptr[0];
-
-	/* There's two children. This is used to execute the different code. */
-	jmp_buf *env;
-	int jmpval;
-};
-
-struct nlconfig_t {
-	char *data;
-
-	/* Process settings. */
-	uint32_t cloneflags;
-	char *oom_score_adj;
-	size_t oom_score_adj_len;
-
-	/* User namespace settings. */
-	char *uidmap;
-	size_t uidmap_len;
-	char *gidmap;
-	size_t gidmap_len;
-	char *namespaces;
-	size_t namespaces_len;
-	uint8_t is_setgroup;
-
-	/* Rootless container settings. */
-	uint8_t is_rootless_euid;	/* boolean */
-	char *uidmappath;
-	size_t uidmappath_len;
-	char *gidmappath;
-	size_t gidmappath_len;
-};
-
-/*
- * List of netlink message types sent to us as part of bootstrapping the init.
- * These constants are defined in libcontainer/message_linux.go.
- */
-#define INIT_MSG			62000
-#define CLONE_FLAGS_ATTR	27281
-#define NS_PATHS_ATTR		27282
-#define UIDMAP_ATTR			27283
-#define GIDMAP_ATTR			27284
-#define SETGROUP_ATTR		27285
-#define OOM_SCORE_ADJ_ATTR	27286
-#define ROOTLESS_EUID_ATTR	27287
-#define UIDMAPPATH_ATTR	    27288
-#define GIDMAPPATH_ATTR	    27289
-
-/*
- * Use the raw syscall for versions of glibc which don't include a function for
- * it, namely (glibc 2.12).
- */
-#if __GLIBC__ == 2 && __GLIBC_MINOR__ < 14
-#	define _GNU_SOURCE
-#	include "syscall.h"
-#	if !defined(SYS_setns) && defined(__NR_setns)
-#		define SYS_setns __NR_setns
-#	endif
-
-#ifndef SYS_setns
-#	error "setns(2) syscall not supported by glibc version"
-#endif
-
-int setns(int fd, int nstype)
-{
-	return syscall(SYS_setns, fd, nstype);
-}
-#endif
-
-/* XXX: This is ugly. */
-static int syncfd = -1;
-
-/* TODO(cyphar): Fix this so it correctly deals with syncT. */
-#define bail(fmt, ...)								\
-	do {									\
-		int ret = __COUNTER__ + 1;					\
-		fprintf(stderr, "nsenter: " fmt ": %m\n", ##__VA_ARGS__);	\
-		if (syncfd >= 0) {						\
-			enum sync_t s = SYNC_ERR;				\
-			if (write(syncfd, &s, sizeof(s)) != sizeof(s))		\
-				fprintf(stderr, "nsenter: failed: write(s)");	\
-			if (write(syncfd, &ret, sizeof(ret)) != sizeof(ret))	\
-				fprintf(stderr, "nsenter: failed: write(ret)");	\
-		}								\
-		exit(ret);							\
-	} while(0)
-
-static int write_file(char *data, size_t data_len, char *pathfmt, ...)
-{
-	int fd, len, ret = 0;
-	char path[PATH_MAX];
-
-	va_list ap;
-	va_start(ap, pathfmt);
-	len = vsnprintf(path, PATH_MAX, pathfmt, ap);
-	va_end(ap);
-	if (len < 0)
-		return -1;
-
-	fd = open(path, O_RDWR);
-	if (fd < 0) {
-		return -1;
-	}
-
-	len = write(fd, data, data_len);
-	if (len != data_len) {
-		ret = -1;
-		goto out;
-	}
-
- out:
-	close(fd);
-	return ret;
-}
-
-enum policy_t {
-	SETGROUPS_DEFAULT = 0,
-	SETGROUPS_ALLOW,
-	SETGROUPS_DENY,
-};
-
-/* This *must* be called before we touch gid_map. */
-static void update_setgroups(int pid, enum policy_t setgroup)
-{
-	char *policy;
-
-	switch (setgroup) {
-	case SETGROUPS_ALLOW:
-		policy = "allow";
-		break;
-	case SETGROUPS_DENY:
-		policy = "deny";
-		break;
-	case SETGROUPS_DEFAULT:
-	default:
-		/* Nothing to do. */
-		return;
-	}
-
-	if (write_file(policy, strlen(policy), "/proc/%d/setgroups", pid) < 0) {
-		/*
-		 * If the kernel is too old to support /proc/pid/setgroups,
-		 * open(2) or write(2) will return ENOENT. This is fine.
-		 */
-		if (errno != ENOENT)
-			bail("failed to write '%s' to /proc/%d/setgroups", policy, pid);
-	}
-}
-
-static int try_mapping_tool(const char *app, int pid, char *map, size_t map_len)
-{
-	int child;
-
-	/*
-	 * If @app is NULL, execve will segfault. Just check it here and bail (if
-	 * we're in this path, the caller is already getting desperate and there
-	 * isn't a backup to this failing). This usually would be a configuration
-	 * or programming issue.
-	 */
-	if (!app)
-		bail("mapping tool not present");
-
-	child = fork();
-	if (child < 0)
-		bail("failed to fork");
-
-	if (!child) {
-#define MAX_ARGV 20
-		char *argv[MAX_ARGV];
-		char *envp[] = { NULL };
-		char pid_fmt[16];
-		int argc = 0;
-		char *next;
-
-		snprintf(pid_fmt, 16, "%d", pid);
-
-		argv[argc++] = (char *)app;
-		argv[argc++] = pid_fmt;
-		/*
-		 * Convert the map string into a list of argument that
-		 * newuidmap/newgidmap can understand.
-		 */
-
-		while (argc < MAX_ARGV) {
-			if (*map == '\0') {
-				argv[argc++] = NULL;
-				break;
-			}
-			argv[argc++] = map;
-			next = strpbrk(map, "\n ");
-			if (next == NULL)
-				break;
-			*next++ = '\0';
-			map = next + strspn(next, "\n ");
-		}
-
-		execve(app, argv, envp);
-		bail("failed to execv");
-	} else {
-		int status;
-
-		while (true) {
-			if (waitpid(child, &status, 0) < 0) {
-				if (errno == EINTR)
-					continue;
-				bail("failed to waitpid");
-			}
-			if (WIFEXITED(status) || WIFSIGNALED(status))
-				return WEXITSTATUS(status);
-		}
-	}
-
-	return -1;
-}
-
-static void update_uidmap(const char *path, int pid, char *map, size_t map_len)
-{
-	if (map == NULL || map_len <= 0)
-		return;
-
-	if (write_file(map, map_len, "/proc/%d/uid_map", pid) < 0) {
-		if (errno != EPERM)
-			bail("failed to update /proc/%d/uid_map", pid);
-		if (try_mapping_tool(path, pid, map, map_len))
-			bail("failed to use newuid map on %d", pid);
-	}
-}
-
-static void update_gidmap(const char *path, int pid, char *map, size_t map_len)
-{
-	if (map == NULL || map_len <= 0)
-		return;
-
-	if (write_file(map, map_len, "/proc/%d/gid_map", pid) < 0) {
-		if (errno != EPERM)
-			bail("failed to update /proc/%d/gid_map", pid);
-		if (try_mapping_tool(path, pid, map, map_len))
-			bail("failed to use newgid map on %d", pid);
-	}
-}
-
-static void update_oom_score_adj(char *data, size_t len)
-{
-	if (data == NULL || len <= 0)
-		return;
-
-	if (write_file(data, len, "/proc/self/oom_score_adj") < 0)
-		bail("failed to update /proc/self/oom_score_adj");
-}
-
-/* A dummy function that just jumps to the given jumpval. */
-static int child_func(void *arg) __attribute__ ((noinline));
-static int child_func(void *arg)
-{
-	struct clone_t *ca = (struct clone_t *)arg;
-	longjmp(*ca->env, ca->jmpval);
-}
-
-static int clone_parent(jmp_buf *env, int jmpval) __attribute__ ((noinline));
-static int clone_parent(jmp_buf *env, int jmpval)
-{
-	struct clone_t ca = {
-		.env = env,
-		.jmpval = jmpval,
-	};
-
-	return clone(child_func, ca.stack_ptr, CLONE_PARENT | SIGCHLD, &ca);
-}
-
-/*
- * Gets the init pipe fd from the environment, which is used to read the
- * bootstrap data and tell the parent what the new pid is after we finish
- * setting up the environment.
- */
-static int initpipe(void)
-{
-	int pipenum;
-	char *initpipe, *endptr;
-
-	initpipe = getenv("_LIBCONTAINER_INITPIPE");
-	if (initpipe == NULL || *initpipe == '\0')
-		return -1;
-
-	pipenum = strtol(initpipe, &endptr, 10);
-	if (*endptr != '\0')
-		bail("unable to parse _LIBCONTAINER_INITPIPE");
-
-	return pipenum;
-}
-
-/* Returns the clone(2) flag for a namespace, given the name of a namespace. */
-static int nsflag(char *name)
-{
-	if (!strcmp(name, "cgroup"))
-		return CLONE_NEWCGROUP;
-	else if (!strcmp(name, "ipc"))
-		return CLONE_NEWIPC;
-	else if (!strcmp(name, "mnt"))
-		return CLONE_NEWNS;
-	else if (!strcmp(name, "net"))
-		return CLONE_NEWNET;
-	else if (!strcmp(name, "pid"))
-		return CLONE_NEWPID;
-	else if (!strcmp(name, "user"))
-		return CLONE_NEWUSER;
-	else if (!strcmp(name, "uts"))
-		return CLONE_NEWUTS;
-
-	/* If we don't recognise a name, fallback to 0. */
-	return 0;
-}
-
-static uint32_t readint32(char *buf)
-{
-	return *(uint32_t *) buf;
-}
-
-static uint8_t readint8(char *buf)
-{
-	return *(uint8_t *) buf;
-}
-
-static void nl_parse(int fd, struct nlconfig_t *config)
-{
-	size_t len, size;
-	struct nlmsghdr hdr;
-	char *data, *current;
-
-	/* Retrieve the netlink header. */
-	len = read(fd, &hdr, NLMSG_HDRLEN);
-	if (len != NLMSG_HDRLEN)
-		bail("invalid netlink header length %zu", len);
-
-	if (hdr.nlmsg_type == NLMSG_ERROR)
-		bail("failed to read netlink message");
-
-	if (hdr.nlmsg_type != INIT_MSG)
-		bail("unexpected msg type %d", hdr.nlmsg_type);
-
-	/* Retrieve data. */
-	size = NLMSG_PAYLOAD(&hdr, 0);
-	current = data = malloc(size);
-	if (!data)
-		bail("failed to allocate %zu bytes of memory for nl_payload", size);
-
-	len = read(fd, data, size);
-	if (len != size)
-		bail("failed to read netlink payload, %zu != %zu", len, size);
-
-	/* Parse the netlink payload. */
-	config->data = data;
-	while (current < data + size) {
-		struct nlattr *nlattr = (struct nlattr *)current;
-		size_t payload_len = nlattr->nla_len - NLA_HDRLEN;
-
-		/* Advance to payload. */
-		current += NLA_HDRLEN;
-
-		/* Handle payload. */
-		switch (nlattr->nla_type) {
-		case CLONE_FLAGS_ATTR:
-			config->cloneflags = readint32(current);
-			break;
-		case ROOTLESS_EUID_ATTR:
-			config->is_rootless_euid = readint8(current);	/* boolean */
-			break;
-		case OOM_SCORE_ADJ_ATTR:
-			config->oom_score_adj = current;
-			config->oom_score_adj_len = payload_len;
-			break;
-		case NS_PATHS_ATTR:
-			config->namespaces = current;
-			config->namespaces_len = payload_len;
-			break;
-		case UIDMAP_ATTR:
-			config->uidmap = current;
-			config->uidmap_len = payload_len;
-			break;
-		case GIDMAP_ATTR:
-			config->gidmap = current;
-			config->gidmap_len = payload_len;
-			break;
-		case UIDMAPPATH_ATTR:
-			config->uidmappath = current;
-			config->uidmappath_len = payload_len;
-			break;
-		case GIDMAPPATH_ATTR:
-			config->gidmappath = current;
-			config->gidmappath_len = payload_len;
-			break;
-		case SETGROUP_ATTR:
-			config->is_setgroup = readint8(current);
-			break;
-		default:
-			bail("unknown netlink message type %d", nlattr->nla_type);
-		}
-
-		current += NLA_ALIGN(payload_len);
-	}
-}
-
-void nl_free(struct nlconfig_t *config)
-{
-	free(config->data);
-}
-
-void join_namespaces(char *nslist)
-{
-	int num = 0, i;
-	char *saveptr = NULL;
-	char *namespace = strtok_r(nslist, ",", &saveptr);
-	struct namespace_t {
-		int fd;
-		int ns;
-		char type[PATH_MAX];
-		char path[PATH_MAX];
-	} *namespaces = NULL;
-
-	if (!namespace || !strlen(namespace) || !strlen(nslist))
-		bail("ns paths are empty");
-
-	/*
-	 * We have to open the file descriptors first, since after
-	 * we join the mnt namespace we might no longer be able to
-	 * access the paths.
-	 */
-	do {
-		int fd;
-		char *path;
-		struct namespace_t *ns;
-
-		/* Resize the namespace array. */
-		namespaces = realloc(namespaces, ++num * sizeof(struct namespace_t));
-		if (!namespaces)
-			bail("failed to reallocate namespace array");
-		ns = &namespaces[num - 1];
-
-		/* Split 'ns:path'. */
-		path = strstr(namespace, ":");
-		if (!path)
-			bail("failed to parse %s", namespace);
-		*path++ = '\0';
-
-		fd = open(path, O_RDONLY);
-		if (fd < 0)
-			bail("failed to open %s", path);
-
-		ns->fd = fd;
-		ns->ns = nsflag(namespace);
-		strncpy(ns->path, path, PATH_MAX - 1);
-		ns->path[PATH_MAX - 1] = '\0';
-	} while ((namespace = strtok_r(NULL, ",", &saveptr)) != NULL);
-
-	/*
-	 * The ordering in which we join namespaces is important. We should
-	 * always join the user namespace *first*. This is all guaranteed
-	 * from the container_linux.go side of this, so we're just going to
-	 * follow the order given to us.
-	 */
-
-	for (i = 0; i < num; i++) {
-		struct namespace_t ns = namespaces[i];
-
-		if (setns(ns.fd, ns.ns) < 0)
-			bail("failed to setns to %s", ns.path);
-
-		close(ns.fd);
-	}
-
-	free(namespaces);
-}
-
-/* Defined in cloned_binary.c. */
-extern int ensure_cloned_binary(void);
-
-void nsexec(void)
-{
-	int pipenum;
-	jmp_buf env;
-	int sync_child_pipe[2], sync_grandchild_pipe[2];
-	struct nlconfig_t config = { 0 };
-
-	/*
-	 * If we don't have an init pipe, just return to the go routine.
-	 * We'll only get an init pipe for start or exec.
-	 */
-	pipenum = initpipe();
-	if (pipenum == -1)
-		return;
-
-	/*
-	 * We need to re-exec if we are not in a cloned binary. This is necessary
-	 * to ensure that containers won't be able to access the host binary
-	 * through /proc/self/exe. See CVE-2019-5736.
-	 */
-	if (ensure_cloned_binary() < 0)
-		bail("could not ensure we are a cloned binary");
-
-	/* Parse all of the netlink configuration. */
-	nl_parse(pipenum, &config);
-
-	/* Set oom_score_adj. This has to be done before !dumpable because
-	 * /proc/self/oom_score_adj is not writeable unless you're an privileged
-	 * user (if !dumpable is set). All children inherit their parent's
-	 * oom_score_adj value on fork(2) so this will always be propagated
-	 * properly.
-	 */
-	update_oom_score_adj(config.oom_score_adj, config.oom_score_adj_len);
-
-	/*
-	 * Make the process non-dumpable, to avoid various race conditions that
-	 * could cause processes in namespaces we're joining to access host
-	 * resources (or potentially execute code).
-	 *
-	 * However, if the number of namespaces we are joining is 0, we are not
-	 * going to be switching to a different security context. Thus setting
-	 * ourselves to be non-dumpable only breaks things (like rootless
-	 * containers), which is the recommendation from the kernel folks.
-	 */
-	if (config.namespaces) {
-		if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) < 0)
-			bail("failed to set process as non-dumpable");
-	}
-
-	/* Pipe so we can tell the child when we've finished setting up. */
-	if (socketpair(AF_LOCAL, SOCK_STREAM, 0, sync_child_pipe) < 0)
-		bail("failed to setup sync pipe between parent and child");
-
-	/*
-	 * We need a new socketpair to sync with grandchild so we don't have
-	 * race condition with child.
-	 */
-	if (socketpair(AF_LOCAL, SOCK_STREAM, 0, sync_grandchild_pipe) < 0)
-		bail("failed to setup sync pipe between parent and grandchild");
-
-	/* TODO: Currently we aren't dealing with child deaths properly. */
-
-	/*
-	 * Okay, so this is quite annoying.
-	 *
-	 * In order for this unsharing code to be more extensible we need to split
-	 * up unshare(CLONE_NEWUSER) and clone() in various ways. The ideal case
-	 * would be if we did clone(CLONE_NEWUSER) and the other namespaces
-	 * separately, but because of SELinux issues we cannot really do that. But
-	 * we cannot just dump the namespace flags into clone(...) because several
-	 * usecases (such as rootless containers) require more granularity around
-	 * the namespace setup. In addition, some older kernels had issues where
-	 * CLONE_NEWUSER wasn't handled before other namespaces (but we cannot
-	 * handle this while also dealing with SELinux so we choose SELinux support
-	 * over broken kernel support).
-	 *
-	 * However, if we unshare(2) the user namespace *before* we clone(2), then
-	 * all hell breaks loose.
-	 *
-	 * The parent no longer has permissions to do many things (unshare(2) drops
-	 * all capabilities in your old namespace), and the container cannot be set
-	 * up to have more than one {uid,gid} mapping. This is obviously less than
-	 * ideal. In order to fix this, we have to first clone(2) and then unshare.
-	 *
-	 * Unfortunately, it's not as simple as that. We have to fork to enter the
-	 * PID namespace (the PID namespace only applies to children). Since we'll
-	 * have to double-fork, this clone_parent() call won't be able to get the
-	 * PID of the _actual_ init process (without doing more synchronisation than
-	 * I can deal with at the moment). So we'll just get the parent to send it
-	 * for us, the only job of this process is to update
-	 * /proc/pid/{setgroups,uid_map,gid_map}.
-	 *
-	 * And as a result of the above, we also need to setns(2) in the first child
-	 * because if we join a PID namespace in the topmost parent then our child
-	 * will be in that namespace (and it will not be able to give us a PID value
-	 * that makes sense without resorting to sending things with cmsg).
-	 *
-	 * This also deals with an older issue caused by dumping cloneflags into
-	 * clone(2): On old kernels, CLONE_PARENT didn't work with CLONE_NEWPID, so
-	 * we have to unshare(2) before clone(2) in order to do this. This was fixed
-	 * in upstream commit 1f7f4dde5c945f41a7abc2285be43d918029ecc5, and was
-	 * introduced by 40a0d32d1eaffe6aac7324ca92604b6b3977eb0e. As far as we're
-	 * aware, the last mainline kernel which had this bug was Linux 3.12.
-	 * However, we cannot comment on which kernels the broken patch was
-	 * backported to.
-	 *
-	 * -- Aleksa "what has my life come to?" Sarai
-	 */
-
-	switch (setjmp(env)) {
-		/*
-		 * Stage 0: We're in the parent. Our job is just to create a new child
-		 *          (stage 1: JUMP_CHILD) process and write its uid_map and
-		 *          gid_map. That process will go on to create a new process, then
-		 *          it will send us its PID which we will send to the bootstrap
-		 *          process.
-		 */
-	case JUMP_PARENT:{
-			int len;
-			pid_t child, first_child = -1;
-			bool ready = false;
-
-			/* For debugging. */
-			prctl(PR_SET_NAME, (unsigned long)"runc:[0:PARENT]", 0, 0, 0);
-
-			/* Start the process of getting a container. */
-			child = clone_parent(&env, JUMP_CHILD);
-			if (child < 0)
-				bail("unable to fork: child_func");
-
-			/*
-			 * State machine for synchronisation with the children.
-			 *
-			 * Father only return when both child and grandchild are
-			 * ready, so we can receive all possible error codes
-			 * generated by children.
-			 */
-			while (!ready) {
-				enum sync_t s;
-				int ret;
-
-				syncfd = sync_child_pipe[1];
-				close(sync_child_pipe[0]);
-
-				if (read(syncfd, &s, sizeof(s)) != sizeof(s))
-					bail("failed to sync with child: next state");
-
-				switch (s) {
-				case SYNC_ERR:
-					/* We have to mirror the error code of the child. */
-					if (read(syncfd, &ret, sizeof(ret)) != sizeof(ret))
-						bail("failed to sync with child: read(error code)");
-
-					exit(ret);
-				case SYNC_USERMAP_PLS:
-					/*
-					 * Enable setgroups(2) if we've been asked to. But we also
-					 * have to explicitly disable setgroups(2) if we're
-					 * creating a rootless container for single-entry mapping.
-					 * i.e. config.is_setgroup == false.
-					 * (this is required since Linux 3.19).
-					 *
-					 * For rootless multi-entry mapping, config.is_setgroup shall be true and
-					 * newuidmap/newgidmap shall be used.
-					 */
-
-					if (config.is_rootless_euid && !config.is_setgroup)
-						update_setgroups(child, SETGROUPS_DENY);
-
-					/* Set up mappings. */
-					update_uidmap(config.uidmappath, child, config.uidmap, config.uidmap_len);
-					update_gidmap(config.gidmappath, child, config.gidmap, config.gidmap_len);
-
-					s = SYNC_USERMAP_ACK;
-					if (write(syncfd, &s, sizeof(s)) != sizeof(s)) {
-						kill(child, SIGKILL);
-						bail("failed to sync with child: write(SYNC_USERMAP_ACK)");
-					}
-					break;
-				case SYNC_RECVPID_PLS:{
-						first_child = child;
-
-						/* Get the init_func pid. */
-						if (read(syncfd, &child, sizeof(child)) != sizeof(child)) {
-							kill(first_child, SIGKILL);
-							bail("failed to sync with child: read(childpid)");
-						}
-
-						/* Send ACK. */
-						s = SYNC_RECVPID_ACK;
-						if (write(syncfd, &s, sizeof(s)) != sizeof(s)) {
-							kill(first_child, SIGKILL);
-							kill(child, SIGKILL);
-							bail("failed to sync with child: write(SYNC_RECVPID_ACK)");
-						}
-
-						/* Send the init_func pid back to our parent.
-						 *
-						 * Send the init_func pid and the pid of the first child back to our parent.
-						 * We need to send both back because we can't reap the first child we created (CLONE_PARENT).
-						 * It becomes the responsibility of our parent to reap the first child.
-						 */
-						len = dprintf(pipenum, "{\"pid\": %d, \"pid_first\": %d}\n", child, first_child);
-						if (len < 0) {
-							kill(child, SIGKILL);
-							bail("unable to generate JSON for child pid");
-						}
-					}
-					break;
-				case SYNC_CHILD_READY:
-					ready = true;
-					break;
-				default:
-					bail("unexpected sync value: %u", s);
-				}
-			}
-
-			/* Now sync with grandchild. */
-
-			ready = false;
-			while (!ready) {
-				enum sync_t s;
-				int ret;
-
-				syncfd = sync_grandchild_pipe[1];
-				close(sync_grandchild_pipe[0]);
-
-				s = SYNC_GRANDCHILD;
-				if (write(syncfd, &s, sizeof(s)) != sizeof(s)) {
-					kill(child, SIGKILL);
-					bail("failed to sync with child: write(SYNC_GRANDCHILD)");
-				}
-
-				if (read(syncfd, &s, sizeof(s)) != sizeof(s))
-					bail("failed to sync with child: next state");
-
-				switch (s) {
-				case SYNC_ERR:
-					/* We have to mirror the error code of the child. */
-					if (read(syncfd, &ret, sizeof(ret)) != sizeof(ret))
-						bail("failed to sync with child: read(error code)");
-
-					exit(ret);
-				case SYNC_CHILD_READY:
-					ready = true;
-					break;
-				default:
-					bail("unexpected sync value: %u", s);
-				}
-			}
-			exit(0);
-		}
-
-		/*
-		 * Stage 1: We're in the first child process. Our job is to join any
-		 *          provided namespaces in the netlink payload and unshare all
-		 *          of the requested namespaces. If we've been asked to
-		 *          CLONE_NEWUSER, we will ask our parent (stage 0) to set up
-		 *          our user mappings for us. Then, we create a new child
-		 *          (stage 2: JUMP_INIT) for PID namespace. We then send the
-		 *          child's PID to our parent (stage 0).
-		 */
-	case JUMP_CHILD:{
-			pid_t child;
-			enum sync_t s;
-
-			/* We're in a child and thus need to tell the parent if we die. */
-			syncfd = sync_child_pipe[0];
-			close(sync_child_pipe[1]);
-
-			/* For debugging. */
-			prctl(PR_SET_NAME, (unsigned long)"runc:[1:CHILD]", 0, 0, 0);
-
-			/*
-			 * We need to setns first. We cannot do this earlier (in stage 0)
-			 * because of the fact that we forked to get here (the PID of
-			 * [stage 2: JUMP_INIT]) would be meaningless). We could send it
-			 * using cmsg(3) but that's just annoying.
-			 */
-			if (config.namespaces)
-				join_namespaces(config.namespaces);
-
-			/*
-			 * Deal with user namespaces first. They are quite special, as they
-			 * affect our ability to unshare other namespaces and are used as
-			 * context for privilege checks.
-			 *
-			 * We don't unshare all namespaces in one go. The reason for this
-			 * is that, while the kernel documentation may claim otherwise,
-			 * there are certain cases where unsharing all namespaces at once
-			 * will result in namespace objects being owned incorrectly.
-			 * Ideally we should just fix these kernel bugs, but it's better to
-			 * be safe than sorry, and fix them separately.
-			 *
-			 * A specific case of this is that the SELinux label of the
-			 * internal kern-mount that mqueue uses will be incorrect if the
-			 * UTS namespace is cloned before the USER namespace is mapped.
-			 * I've also heard of similar problems with the network namespace
-			 * in some scenarios. This also mirrors how LXC deals with this
-			 * problem.
-			 */
-			if (config.cloneflags & CLONE_NEWUSER) {
-				if (unshare(CLONE_NEWUSER) < 0)
-					bail("failed to unshare user namespace");
-				config.cloneflags &= ~CLONE_NEWUSER;
-
-				/*
-				 * We don't have the privileges to do any mapping here (see the
-				 * clone_parent rant). So signal our parent to hook us up.
-				 */
-
-				/* Switching is only necessary if we joined namespaces. */
-				if (config.namespaces) {
-					if (prctl(PR_SET_DUMPABLE, 1, 0, 0, 0) < 0)
-						bail("failed to set process as dumpable");
-				}
-				s = SYNC_USERMAP_PLS;
-				if (write(syncfd, &s, sizeof(s)) != sizeof(s))
-					bail("failed to sync with parent: write(SYNC_USERMAP_PLS)");
-
-				/* ... wait for mapping ... */
-
-				if (read(syncfd, &s, sizeof(s)) != sizeof(s))
-					bail("failed to sync with parent: read(SYNC_USERMAP_ACK)");
-				if (s != SYNC_USERMAP_ACK)
-					bail("failed to sync with parent: SYNC_USERMAP_ACK: got %u", s);
-				/* Switching is only necessary if we joined namespaces. */
-				if (config.namespaces) {
-					if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) < 0)
-						bail("failed to set process as dumpable");
-				}
-
-				/* Become root in the namespace proper. */
-				if (setresuid(0, 0, 0) < 0)
-					bail("failed to become root in user namespace");
-			}
-			/*
-			 * Unshare all of the namespaces. Now, it should be noted that this
-			 * ordering might break in the future (especially with rootless
-			 * containers). But for now, it's not possible to split this into
-			 * CLONE_NEWUSER + [the rest] because of some RHEL SELinux issues.
-			 *
-			 * Note that we don't merge this with clone() because there were
-			 * some old kernel versions where clone(CLONE_PARENT | CLONE_NEWPID)
-			 * was broken, so we'll just do it the long way anyway.
-			 */
-			if (unshare(config.cloneflags & ~CLONE_NEWCGROUP) < 0)
-				bail("failed to unshare namespaces");
-
-			/*
-			 * TODO: What about non-namespace clone flags that we're dropping here?
-			 *
-			 * We fork again because of PID namespace, setns(2) or unshare(2) don't
-			 * change the PID namespace of the calling process, because doing so
-			 * would change the caller's idea of its own PID (as reported by getpid()),
-			 * which would break many applications and libraries, so we must fork
-			 * to actually enter the new PID namespace.
-			 */
-			child = clone_parent(&env, JUMP_INIT);
-			if (child < 0)
-				bail("unable to fork: init_func");
-
-			/* Send the child to our parent, which knows what it's doing. */
-			s = SYNC_RECVPID_PLS;
-			if (write(syncfd, &s, sizeof(s)) != sizeof(s)) {
-				kill(child, SIGKILL);
-				bail("failed to sync with parent: write(SYNC_RECVPID_PLS)");
-			}
-			if (write(syncfd, &child, sizeof(child)) != sizeof(child)) {
-				kill(child, SIGKILL);
-				bail("failed to sync with parent: write(childpid)");
-			}
-
-			/* ... wait for parent to get the pid ... */
-
-			if (read(syncfd, &s, sizeof(s)) != sizeof(s)) {
-				kill(child, SIGKILL);
-				bail("failed to sync with parent: read(SYNC_RECVPID_ACK)");
-			}
-			if (s != SYNC_RECVPID_ACK) {
-				kill(child, SIGKILL);
-				bail("failed to sync with parent: SYNC_RECVPID_ACK: got %u", s);
-			}
-
-			s = SYNC_CHILD_READY;
-			if (write(syncfd, &s, sizeof(s)) != sizeof(s)) {
-				kill(child, SIGKILL);
-				bail("failed to sync with parent: write(SYNC_CHILD_READY)");
-			}
-
-			/* Our work is done. [Stage 2: JUMP_INIT] is doing the rest of the work. */
-			exit(0);
-		}
-
-		/*
-		 * Stage 2: We're the final child process, and the only process that will
-		 *          actually return to the Go runtime. Our job is to just do the
-		 *          final cleanup steps and then return to the Go runtime to allow
-		 *          init_linux.go to run.
-		 */
-	case JUMP_INIT:{
-			/*
-			 * We're inside the child now, having jumped from the
-			 * start_child() code after forking in the parent.
-			 */
-			enum sync_t s;
-
-			/* We're in a child and thus need to tell the parent if we die. */
-			syncfd = sync_grandchild_pipe[0];
-			close(sync_grandchild_pipe[1]);
-			close(sync_child_pipe[0]);
-			close(sync_child_pipe[1]);
-
-			/* For debugging. */
-			prctl(PR_SET_NAME, (unsigned long)"runc:[2:INIT]", 0, 0, 0);
-
-			if (read(syncfd, &s, sizeof(s)) != sizeof(s))
-				bail("failed to sync with parent: read(SYNC_GRANDCHILD)");
-			if (s != SYNC_GRANDCHILD)
-				bail("failed to sync with parent: SYNC_GRANDCHILD: got %u", s);
-
-			if (setsid() < 0)
-				bail("setsid failed");
-
-			if (setuid(0) < 0)
-				bail("setuid failed");
-
-			if (setgid(0) < 0)
-				bail("setgid failed");
-
-			if (!config.is_rootless_euid && config.is_setgroup) {
-				if (setgroups(0, NULL) < 0)
-					bail("setgroups failed");
-			}
-
-			/* ... wait until our topmost parent has finished cgroup setup in p.manager.Apply() ... */
-			if (config.cloneflags & CLONE_NEWCGROUP) {
-				uint8_t value;
-				if (read(pipenum, &value, sizeof(value)) != sizeof(value))
-					bail("read synchronisation value failed");
-				if (value == CREATECGROUPNS) {
-					if (unshare(CLONE_NEWCGROUP) < 0)
-						bail("failed to unshare cgroup namespace");
-				} else
-					bail("received unknown synchronisation value");
-			}
-
-			s = SYNC_CHILD_READY;
-			if (write(syncfd, &s, sizeof(s)) != sizeof(s))
-				bail("failed to sync with patent: write(SYNC_CHILD_READY)");
-
-			/* Close sync pipes. */
-			close(sync_grandchild_pipe[0]);
-
-			/* Free netlink data. */
-			nl_free(&config);
-
-			/* Finish executing, let the Go runtime take over. */
-			return;
-		}
-	default:
-		bail("unexpected jump value");
-	}
-
-	/* Should never be reached. */
-	bail("should never be reached");
-}

libnetwork/vendor/github.com/opencontainers/runc/libcontainer/user/lookup.go

@@ -1,41 +0,0 @@
-package user
-
-import (
-	"errors"
-)
-
-var (
-	// The current operating system does not provide the required data for user lookups.
-	ErrUnsupported = errors.New("user lookup: operating system does not provide passwd-formatted data")
-	// No matching entries found in file.
-	ErrNoPasswdEntries = errors.New("no matching entries in passwd file")
-	ErrNoGroupEntries  = errors.New("no matching entries in group file")
-)
-
-// LookupUser looks up a user by their username in /etc/passwd. If the user
-// cannot be found (or there is no /etc/passwd file on the filesystem), then
-// LookupUser returns an error.
-func LookupUser(username string) (User, error) {
-	return lookupUser(username)
-}
-
-// LookupUid looks up a user by their user id in /etc/passwd. If the user cannot
-// be found (or there is no /etc/passwd file on the filesystem), then LookupId
-// returns an error.
-func LookupUid(uid int) (User, error) {
-	return lookupUid(uid)
-}
-
-// LookupGroup looks up a group by its name in /etc/group. If the group cannot
-// be found (or there is no /etc/group file on the filesystem), then LookupGroup
-// returns an error.
-func LookupGroup(groupname string) (Group, error) {
-	return lookupGroup(groupname)
-}
-
-// LookupGid looks up a group by its group id in /etc/group. If the group cannot
-// be found (or there is no /etc/group file on the filesystem), then LookupGid
-// returns an error.
-func LookupGid(gid int) (Group, error) {
-	return lookupGid(gid)
-}

libnetwork/vendor/github.com/opencontainers/runc/libcontainer/user/lookup_unix.go

@@ -1,144 +0,0 @@
-// +build darwin dragonfly freebsd linux netbsd openbsd solaris
-
-package user
-
-import (
-	"io"
-	"os"
-	"strconv"
-
-	"golang.org/x/sys/unix"
-)
-
-// Unix-specific path to the passwd and group formatted files.
-const (
-	unixPasswdPath = "/etc/passwd"
-	unixGroupPath  = "/etc/group"
-)
-
-func lookupUser(username string) (User, error) {
-	return lookupUserFunc(func(u User) bool {
-		return u.Name == username
-	})
-}
-
-func lookupUid(uid int) (User, error) {
-	return lookupUserFunc(func(u User) bool {
-		return u.Uid == uid
-	})
-}
-
-func lookupUserFunc(filter func(u User) bool) (User, error) {
-	// Get operating system-specific passwd reader-closer.
-	passwd, err := GetPasswd()
-	if err != nil {
-		return User{}, err
-	}
-	defer passwd.Close()
-
-	// Get the users.
-	users, err := ParsePasswdFilter(passwd, filter)
-	if err != nil {
-		return User{}, err
-	}
-
-	// No user entries found.
-	if len(users) == 0 {
-		return User{}, ErrNoPasswdEntries
-	}
-
-	// Assume the first entry is the "correct" one.
-	return users[0], nil
-}
-
-func lookupGroup(groupname string) (Group, error) {
-	return lookupGroupFunc(func(g Group) bool {
-		return g.Name == groupname
-	})
-}
-
-func lookupGid(gid int) (Group, error) {
-	return lookupGroupFunc(func(g Group) bool {
-		return g.Gid == gid
-	})
-}
-
-func lookupGroupFunc(filter func(g Group) bool) (Group, error) {
-	// Get operating system-specific group reader-closer.
-	group, err := GetGroup()
-	if err != nil {
-		return Group{}, err
-	}
-	defer group.Close()
-
-	// Get the users.
-	groups, err := ParseGroupFilter(group, filter)
-	if err != nil {
-		return Group{}, err
-	}
-
-	// No user entries found.
-	if len(groups) == 0 {
-		return Group{}, ErrNoGroupEntries
-	}
-
-	// Assume the first entry is the "correct" one.
-	return groups[0], nil
-}
-
-func GetPasswdPath() (string, error) {
-	return unixPasswdPath, nil
-}
-
-func GetPasswd() (io.ReadCloser, error) {
-	return os.Open(unixPasswdPath)
-}
-
-func GetGroupPath() (string, error) {
-	return unixGroupPath, nil
-}
-
-func GetGroup() (io.ReadCloser, error) {
-	return os.Open(unixGroupPath)
-}
-
-// CurrentUser looks up the current user by their user id in /etc/passwd. If the
-// user cannot be found (or there is no /etc/passwd file on the filesystem),
-// then CurrentUser returns an error.
-func CurrentUser() (User, error) {
-	return LookupUid(unix.Getuid())
-}
-
-// CurrentGroup looks up the current user's group by their primary group id's
-// entry in /etc/passwd. If the group cannot be found (or there is no
-// /etc/group file on the filesystem), then CurrentGroup returns an error.
-func CurrentGroup() (Group, error) {
-	return LookupGid(unix.Getgid())
-}
-
-func currentUserSubIDs(fileName string) ([]SubID, error) {
-	u, err := CurrentUser()
-	if err != nil {
-		return nil, err
-	}
-	filter := func(entry SubID) bool {
-		return entry.Name == u.Name || entry.Name == strconv.Itoa(u.Uid)
-	}
-	return ParseSubIDFileFilter(fileName, filter)
-}
-
-func CurrentUserSubUIDs() ([]SubID, error) {
-	return currentUserSubIDs("/etc/subuid")
-}
-
-func CurrentUserSubGIDs() ([]SubID, error) {
-	return currentUserSubIDs("/etc/subgid")
-}
-
-func CurrentProcessUIDMap() ([]IDMap, error) {
-	return ParseIDMapFile("/proc/self/uid_map")
-}
-
-func CurrentProcessGIDMap() ([]IDMap, error) {
-	return ParseIDMapFile("/proc/self/gid_map")
-}

libnetwork/vendor/github.com/opencontainers/runc/libcontainer/user/lookup_windows.go

@@ -1,40 +0,0 @@
-// +build windows
-
-package user
-
-import (
-	"fmt"
-	"os/user"
-)
-
-func lookupUser(username string) (User, error) {
-	u, err := user.Lookup(username)
-	if err != nil {
-		return User{}, err
-	}
-	return userFromOS(u)
-}
-
-func lookupUid(uid int) (User, error) {
-	u, err := user.LookupId(fmt.Sprintf("%d", uid))
-	if err != nil {
-		return User{}, err
-	}
-	return userFromOS(u)
-}
-
-func lookupGroup(groupname string) (Group, error) {
-	g, err := user.LookupGroup(groupname)
-	if err != nil {
-		return Group{}, err
-	}
-	return groupFromOS(g)
-}
-
-func lookupGid(gid int) (Group, error) {
-	g, err := user.LookupGroupId(fmt.Sprintf("%d", gid))
-	if err != nil {
-		return Group{}, err
-	}
-	return groupFromOS(g)
-}

libnetwork/vendor/github.com/opencontainers/runc/libcontainer/user/user.go

@@ -1,608 +0,0 @@
-package user
-
-import (
-	"bufio"
-	"fmt"
-	"io"
-	"os"
-	"os/user"
-	"strconv"
-	"strings"
-)
-
-const (
-	minId = 0
-	maxId = 1<<31 - 1 //for 32-bit systems compatibility
-)
-
-var (
-	ErrRange = fmt.Errorf("uids and gids must be in range %d-%d", minId, maxId)
-)
-
-type User struct {
-	Name  string
-	Pass  string
-	Uid   int
-	Gid   int
-	Gecos string
-	Home  string
-	Shell string
-}
-
-// userFromOS converts an os/user.(*User) to local User
-//
-// (This does not include Pass, Shell or Gecos)
-func userFromOS(u *user.User) (User, error) {
-	newUser := User{
-		Name: u.Username,
-		Home: u.HomeDir,
-	}
-	id, err := strconv.Atoi(u.Uid)
-	if err != nil {
-		return newUser, err
-	}
-	newUser.Uid = id
-
-	id, err = strconv.Atoi(u.Gid)
-	if err != nil {
-		return newUser, err
-	}
-	newUser.Gid = id
-	return newUser, nil
-}
-
-type Group struct {
-	Name string
-	Pass string
-	Gid  int
-	List []string
-}
-
-// groupFromOS converts an os/user.(*Group) to local Group
-//
-// (This does not include Pass, Shell or Gecos)
-func groupFromOS(g *user.Group) (Group, error) {
-	newGroup := Group{
-		Name: g.Name,
-	}
-
-	id, err := strconv.Atoi(g.Gid)
-	if err != nil {
-		return newGroup, err
-	}
-	newGroup.Gid = id
-
-	return newGroup, nil
-}
-
-// SubID represents an entry in /etc/sub{u,g}id
-type SubID struct {
-	Name  string
-	SubID int64
-	Count int64
-}
-
-// IDMap represents an entry in /proc/PID/{u,g}id_map
-type IDMap struct {
-	ID       int64
-	ParentID int64
-	Count    int64
-}
-
-func parseLine(line string, v ...interface{}) {
-	parseParts(strings.Split(line, ":"), v...)
-}
-
-func parseParts(parts []string, v ...interface{}) {
-	if len(parts) == 0 {
-		return
-	}
-
-	for i, p := range parts {
-		// Ignore cases where we don't have enough fields to populate the arguments.
-		// Some configuration files like to misbehave.
-		if len(v) <= i {
-			break
-		}
-
-		// Use the type of the argument to figure out how to parse it, scanf() style.
-		// This is legit.
-		switch e := v[i].(type) {
-		case *string:
-			*e = p
-		case *int:
-			// "numbers", with conversion errors ignored because of some misbehaving configuration files.
-			*e, _ = strconv.Atoi(p)
-		case *int64:
-			*e, _ = strconv.ParseInt(p, 10, 64)
-		case *[]string:
-			// Comma-separated lists.
-			if p != "" {
-				*e = strings.Split(p, ",")
-			} else {
-				*e = []string{}
-			}
-		default:
-			// Someone goof'd when writing code using this function. Scream so they can hear us.
-			panic(fmt.Sprintf("parseLine only accepts {*string, *int, *int64, *[]string} as arguments! %#v is not a pointer!", e))
-		}
-	}
-}
-
-func ParsePasswdFile(path string) ([]User, error) {
-	passwd, err := os.Open(path)
-	if err != nil {
-		return nil, err
-	}
-	defer passwd.Close()
-	return ParsePasswd(passwd)
-}
-
-func ParsePasswd(passwd io.Reader) ([]User, error) {
-	return ParsePasswdFilter(passwd, nil)
-}
-
-func ParsePasswdFileFilter(path string, filter func(User) bool) ([]User, error) {
-	passwd, err := os.Open(path)
-	if err != nil {
-		return nil, err
-	}
-	defer passwd.Close()
-	return ParsePasswdFilter(passwd, filter)
-}
-
-func ParsePasswdFilter(r io.Reader, filter func(User) bool) ([]User, error) {
-	if r == nil {
-		return nil, fmt.Errorf("nil source for passwd-formatted data")
-	}
-
-	var (
-		s   = bufio.NewScanner(r)
-		out = []User{}
-	)
-
-	for s.Scan() {
-		if err := s.Err(); err != nil {
-			return nil, err
-		}
-
-		line := strings.TrimSpace(s.Text())
-		if line == "" {
-			continue
-		}
-
-		// see: man 5 passwd
-		//  name:password:UID:GID:GECOS:directory:shell
-		// Name:Pass:Uid:Gid:Gecos:Home:Shell
-		//  root:x:0:0:root:/root:/bin/bash
-		//  adm:x:3:4:adm:/var/adm:/bin/false
-		p := User{}
-		parseLine(line, &p.Name, &p.Pass, &p.Uid, &p.Gid, &p.Gecos, &p.Home, &p.Shell)
-
-		if filter == nil || filter(p) {
-			out = append(out, p)
-		}
-	}
-
-	return out, nil
-}
-
-func ParseGroupFile(path string) ([]Group, error) {
-	group, err := os.Open(path)
-	if err != nil {
-		return nil, err
-	}
-
-	defer group.Close()
-	return ParseGroup(group)
-}
-
-func ParseGroup(group io.Reader) ([]Group, error) {
-	return ParseGroupFilter(group, nil)
-}
-
-func ParseGroupFileFilter(path string, filter func(Group) bool) ([]Group, error) {
-	group, err := os.Open(path)
-	if err != nil {
-		return nil, err
-	}
-	defer group.Close()
-	return ParseGroupFilter(group, filter)
-}
-
-func ParseGroupFilter(r io.Reader, filter func(Group) bool) ([]Group, error) {
-	if r == nil {
-		return nil, fmt.Errorf("nil source for group-formatted data")
-	}
-
-	var (
-		s   = bufio.NewScanner(r)
-		out = []Group{}
-	)
-
-	for s.Scan() {
-		if err := s.Err(); err != nil {
-			return nil, err
-		}
-
-		text := s.Text()
-		if text == "" {
-			continue
-		}
-
-		// see: man 5 group
-		//  group_name:password:GID:user_list
-		// Name:Pass:Gid:List
-		//  root:x:0:root
-		//  adm:x:4:root,adm,daemon
-		p := Group{}
-		parseLine(text, &p.Name, &p.Pass, &p.Gid, &p.List)
-
-		if filter == nil || filter(p) {
-			out = append(out, p)
-		}
-	}
-
-	return out, nil
-}
-
-type ExecUser struct {
-	Uid   int
-	Gid   int
-	Sgids []int
-	Home  string
-}
-
-// GetExecUserPath is a wrapper for GetExecUser. It reads data from each of the
-// given file paths and uses that data as the arguments to GetExecUser. If the
-// files cannot be opened for any reason, the error is ignored and a nil
-// io.Reader is passed instead.
-func GetExecUserPath(userSpec string, defaults *ExecUser, passwdPath, groupPath string) (*ExecUser, error) {
-	var passwd, group io.Reader
-
-	if passwdFile, err := os.Open(passwdPath); err == nil {
-		passwd = passwdFile
-		defer passwdFile.Close()
-	}
-
-	if groupFile, err := os.Open(groupPath); err == nil {
-		group = groupFile
-		defer groupFile.Close()
-	}
-
-	return GetExecUser(userSpec, defaults, passwd, group)
-}
-
-// GetExecUser parses a user specification string (using the passwd and group
-// readers as sources for /etc/passwd and /etc/group data, respectively). In
-// the case of blank fields or missing data from the sources, the values in
-// defaults is used.
-//
-// GetExecUser will return an error if a user or group literal could not be
-// found in any entry in passwd and group respectively.
-//
-// Examples of valid user specifications are:
-//     * ""
-//     * "user"
-//     * "uid"
-//     * "user:group"
-//     * "uid:gid
-//     * "user:gid"
-//     * "uid:group"
-//
-// It should be noted that if you specify a numeric user or group id, they will
-// not be evaluated as usernames (only the metadata will be filled). So attempting
-// to parse a user with user.Name = "1337" will produce the user with a UID of
-// 1337.
-func GetExecUser(userSpec string, defaults *ExecUser, passwd, group io.Reader) (*ExecUser, error) {
-	if defaults == nil {
-		defaults = new(ExecUser)
-	}
-
-	// Copy over defaults.
-	user := &ExecUser{
-		Uid:   defaults.Uid,
-		Gid:   defaults.Gid,
-		Sgids: defaults.Sgids,
-		Home:  defaults.Home,
-	}
-
-	// Sgids slice *cannot* be nil.
-	if user.Sgids == nil {
-		user.Sgids = []int{}
-	}
-
-	// Allow for userArg to have either "user" syntax, or optionally "user:group" syntax
-	var userArg, groupArg string
-	parseLine(userSpec, &userArg, &groupArg)
-
-	// Convert userArg and groupArg to be numeric, so we don't have to execute
-	// Atoi *twice* for each iteration over lines.
-	uidArg, uidErr := strconv.Atoi(userArg)
-	gidArg, gidErr := strconv.Atoi(groupArg)
-
-	// Find the matching user.
-	users, err := ParsePasswdFilter(passwd, func(u User) bool {
-		if userArg == "" {
-			// Default to current state of the user.
-			return u.Uid == user.Uid
-		}
-
-		if uidErr == nil {
-			// If the userArg is numeric, always treat it as a UID.
-			return uidArg == u.Uid
-		}
-
-		return u.Name == userArg
-	})
-
-	// If we can't find the user, we have to bail.
-	if err != nil && passwd != nil {
-		if userArg == "" {
-			userArg = strconv.Itoa(user.Uid)
-		}
-		return nil, fmt.Errorf("unable to find user %s: %v", userArg, err)
-	}
-
-	var matchedUserName string
-	if len(users) > 0 {
-		// First match wins, even if there's more than one matching entry.
-		matchedUserName = users[0].Name
-		user.Uid = users[0].Uid
-		user.Gid = users[0].Gid
-		user.Home = users[0].Home
-	} else if userArg != "" {
-		// If we can't find a user with the given username, the only other valid
-		// option is if it's a numeric username with no associated entry in passwd.
-
-		if uidErr != nil {
-			// Not numeric.
-			return nil, fmt.Errorf("unable to find user %s: %v", userArg, ErrNoPasswdEntries)
-		}
-		user.Uid = uidArg
-
-		// Must be inside valid uid range.
-		if user.Uid < minId || user.Uid > maxId {
-			return nil, ErrRange
-		}
-
-		// Okay, so it's numeric. We can just roll with this.
-	}
-
-	// On to the groups. If we matched a username, we need to do this because of
-	// the supplementary group IDs.
-	if groupArg != "" || matchedUserName != "" {
-		groups, err := ParseGroupFilter(group, func(g Group) bool {
-			// If the group argument isn't explicit, we'll just search for it.
-			if groupArg == "" {
-				// Check if user is a member of this group.
-				for _, u := range g.List {
-					if u == matchedUserName {
-						return true
-					}
-				}
-				return false
-			}
-
-			if gidErr == nil {
-				// If the groupArg is numeric, always treat it as a GID.
-				return gidArg == g.Gid
-			}
-
-			return g.Name == groupArg
-		})
-		if err != nil && group != nil {
-			return nil, fmt.Errorf("unable to find groups for spec %v: %v", matchedUserName, err)
-		}
-
-		// Only start modifying user.Gid if it is in explicit form.
-		if groupArg != "" {
-			if len(groups) > 0 {
-				// First match wins, even if there's more than one matching entry.
-				user.Gid = groups[0].Gid
-			} else {
-				// If we can't find a group with the given name, the only other valid
-				// option is if it's a numeric group name with no associated entry in group.
-
-				if gidErr != nil {
-					// Not numeric.
-					return nil, fmt.Errorf("unable to find group %s: %v", groupArg, ErrNoGroupEntries)
-				}
-				user.Gid = gidArg
-
-				// Must be inside valid gid range.
-				if user.Gid < minId || user.Gid > maxId {
-					return nil, ErrRange
-				}
-
-				// Okay, so it's numeric. We can just roll with this.
-			}
-		} else if len(groups) > 0 {
-			// Supplementary group ids only make sense if in the implicit form.
-			user.Sgids = make([]int, len(groups))
-			for i, group := range groups {
-				user.Sgids[i] = group.Gid
-			}
-		}
-	}
-
-	return user, nil
-}
-
-// GetAdditionalGroups looks up a list of groups by name or group id
-// against the given /etc/group formatted data. If a group name cannot
-// be found, an error will be returned. If a group id cannot be found,
-// or the given group data is nil, the id will be returned as-is
-// provided it is in the legal range.
-func GetAdditionalGroups(additionalGroups []string, group io.Reader) ([]int, error) {
-	var groups = []Group{}
-	if group != nil {
-		var err error
-		groups, err = ParseGroupFilter(group, func(g Group) bool {
-			for _, ag := range additionalGroups {
-				if g.Name == ag || strconv.Itoa(g.Gid) == ag {
-					return true
-				}
-			}
-			return false
-		})
-		if err != nil {
-			return nil, fmt.Errorf("Unable to find additional groups %v: %v", additionalGroups, err)
-		}
-	}
-
-	gidMap := make(map[int]struct{})
-	for _, ag := range additionalGroups {
-		var found bool
-		for _, g := range groups {
-			// if we found a matched group either by name or gid, take the
-			// first matched as correct
-			if g.Name == ag || strconv.Itoa(g.Gid) == ag {
-				if _, ok := gidMap[g.Gid]; !ok {
-					gidMap[g.Gid] = struct{}{}
-					found = true
-					break
-				}
-			}
-		}
-		// we asked for a group but didn't find it. let's check to see
-		// if we wanted a numeric group
-		if !found {
-			gid, err := strconv.Atoi(ag)
-			if err != nil {
-				return nil, fmt.Errorf("Unable to find group %s", ag)
-			}
-			// Ensure gid is inside gid range.
-			if gid < minId || gid > maxId {
-				return nil, ErrRange
-			}
-			gidMap[gid] = struct{}{}
-		}
-	}
-	gids := []int{}
-	for gid := range gidMap {
-		gids = append(gids, gid)
-	}
-	return gids, nil
-}
-
-// GetAdditionalGroupsPath is a wrapper around GetAdditionalGroups
-// that opens the groupPath given and gives it as an argument to
-// GetAdditionalGroups.
-func GetAdditionalGroupsPath(additionalGroups []string, groupPath string) ([]int, error) {
-	var group io.Reader
-
-	if groupFile, err := os.Open(groupPath); err == nil {
-		group = groupFile
-		defer groupFile.Close()
-	}
-	return GetAdditionalGroups(additionalGroups, group)
-}
-
-func ParseSubIDFile(path string) ([]SubID, error) {
-	subid, err := os.Open(path)
-	if err != nil {
-		return nil, err
-	}
-	defer subid.Close()
-	return ParseSubID(subid)
-}
-
-func ParseSubID(subid io.Reader) ([]SubID, error) {
-	return ParseSubIDFilter(subid, nil)
-}
-
-func ParseSubIDFileFilter(path string, filter func(SubID) bool) ([]SubID, error) {
-	subid, err := os.Open(path)
-	if err != nil {
-		return nil, err
-	}
-	defer subid.Close()
-	return ParseSubIDFilter(subid, filter)
-}
-
-func ParseSubIDFilter(r io.Reader, filter func(SubID) bool) ([]SubID, error) {
-	if r == nil {
-		return nil, fmt.Errorf("nil source for subid-formatted data")
-	}
-
-	var (
-		s   = bufio.NewScanner(r)
-		out = []SubID{}
-	)
-
-	for s.Scan() {
-		if err := s.Err(); err != nil {
-			return nil, err
-		}
-
-		line := strings.TrimSpace(s.Text())
-		if line == "" {
-			continue
-		}
-
-		// see: man 5 subuid
-		p := SubID{}
-		parseLine(line, &p.Name, &p.SubID, &p.Count)
-
-		if filter == nil || filter(p) {
-			out = append(out, p)
-		}
-	}
-
-	return out, nil
-}
-
-func ParseIDMapFile(path string) ([]IDMap, error) {
-	r, err := os.Open(path)
-	if err != nil {
-		return nil, err
-	}
-	defer r.Close()
-	return ParseIDMap(r)
-}
-
-func ParseIDMap(r io.Reader) ([]IDMap, error) {
-	return ParseIDMapFilter(r, nil)
-}
-
-func ParseIDMapFileFilter(path string, filter func(IDMap) bool) ([]IDMap, error) {
-	r, err := os.Open(path)
-	if err != nil {
-		return nil, err
-	}
-	defer r.Close()
-	return ParseIDMapFilter(r, filter)
-}
-
-func ParseIDMapFilter(r io.Reader, filter func(IDMap) bool) ([]IDMap, error) {
-	if r == nil {
-		return nil, fmt.Errorf("nil source for idmap-formatted data")
-	}
-
-	var (
-		s   = bufio.NewScanner(r)
-		out = []IDMap{}
-	)
-
-	for s.Scan() {
-		if err := s.Err(); err != nil {
-			return nil, err
-		}
-
-		line := strings.TrimSpace(s.Text())
-		if line == "" {
-			continue
-		}
-
-		// see: man 7 user_namespaces
-		p := IDMap{}
-		parseParts(strings.Fields(line), &p.ID, &p.ParentID, &p.Count)
-
-		if filter == nil || filter(p) {
-			out = append(out, p)
-		}
-	}
-
-	return out, nil
-}

libnetwork/vendor/github.com/opencontainers/runc/vendor.conf

@@ -1,26 +0,0 @@
-# OCI runtime-spec. When updating this, make sure you use a version tag rather
-# than a commit ID so it's much more obvious what version of the spec we are
-# using.
-github.com/opencontainers/runtime-spec 29686dbc5559d93fb1ef402eeda3e35c38d75af4
-# Core libcontainer functionality.
-github.com/checkpoint-restore/go-criu v3.11
-github.com/mrunalp/fileutils ed869b029674c0e9ce4c0dfa781405c2d9946d08
-github.com/opencontainers/selinux v1.0.0-rc1
-github.com/seccomp/libseccomp-golang 84e90a91acea0f4e51e62bc1a75de18b1fc0790f
-github.com/sirupsen/logrus a3f95b5c423586578a4e099b11a46c2479628cac
-github.com/syndtr/gocapability db04d3cc01c8b54962a58ec7e491717d06cfcc16
-github.com/vishvananda/netlink 1e2e08e8a2dcdacaae3f14ac44c5cfa31361f270
-# systemd integration.
-github.com/coreos/go-systemd v14
-github.com/coreos/pkg v3
-github.com/godbus/dbus v3
-github.com/golang/protobuf 18c9bb3261723cd5401db4d0c9fbc5c3b6c70fe8
-# Command-line interface.
-github.com/cyphar/filepath-securejoin v0.2.1
-github.com/docker/go-units v0.2.0
-github.com/urfave/cli d53eb991652b1d438abdd34ce4bfa3ef1539108e
-golang.org/x/sys 41f3e6584952bb034a481797859f6ab34b6803bd https://github.com/golang/sys
-
-# console dependencies
-github.com/containerd/console 2748ece16665b45a47f884001d5831ec79703880
-github.com/pkg/errors v0.8.0