
Merge pull request #16684 from estesp/lets-update-runc-again

Update runc to fba07bce72e72ce5b2dd618e4f67dd86ccb49c82
Arnaud Porterie 9 年之前
父節點
當前提交
826ebc9333

+ 1 - 1
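--- a/hack/vendor.sh
+++ b/hack/vendor.sh
@@ -45,7 +45,7 @@ clone git github.com/endophage/gotuf 9bcdad0308e34a49f38448b8ad436ad8860825ce
 clone git github.com/jfrazelle/go 6e461eb70cb4187b41a84e9a567d7137bdbe0f16
 clone git github.com/agl/ed25519 d2b94fd789ea21d12fac1a4443dd3a3f79cda72c
 
-clone git github.com/opencontainers/runc aac9179bbadbf958054ce97ab368ac178140e5da # libcontainer
+clone git github.com/opencontainers/runc fba07bce72e72ce5b2dd618e4f67dd86ccb49c82 # libcontainer
 # libcontainer deps (see src/github.com/docker/libcontainer/update-vendor.sh)
 clone git github.com/coreos/go-systemd v3
 clone git github.com/godbus/dbus v2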

+ 18 - 40
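--- a/vendor/src/github.com/opencontainers/runc/libcontainer/capabilities_linux.go
+++ b/vendor/src/github.com/opencontainers/runc/libcontainer/capabilities_linux.go
@@ -5,57 +5,35 @@ package libcontainer
 import (
 	"fmt"
 	"os"
+	"strings"
 
 	"github.com/syndtr/gocapability/capability"
 )
 
 const allCapabilityTypes = capability.CAPS | capability.BOUNDS
 
-var capabilityList = map[string]capability.Cap{
-	"CAP_SETPCAP":          capability.CAP_SETPCAP,
-	"CAP_SYS_MODULE":       capability.CAP_SYS_MODULE,
-	"CAP_SYS_RAWIO":        capability.CAP_SYS_RAWIO,
-	"CAP_SYS_PACCT":        capability.CAP_SYS_PACCT,
-	"CAP_SYS_ADMIN":        capability.CAP_SYS_ADMIN,
-	"CAP_SYS_NICE":         capability.CAP_SYS_NICE,
-	"CAP_SYS_RESOURCE":     capability.CAP_SYS_RESOURCE,
-	"CAP_SYS_TIME":         capability.CAP_SYS_TIME,
-	"CAP_SYS_TTY_CONFIG":   capability.CAP_SYS_TTY_CONFIG,
-	"CAP_MKNOD":            capability.CAP_MKNOD,
-	"CAP_AUDIT_WRITE":      capability.CAP_AUDIT_WRITE,
-	"CAP_AUDIT_CONTROL":    capability.CAP_AUDIT_CONTROL,
-	"CAP_MAC_OVERRIDE":     capability.CAP_MAC_OVERRIDE,
-	"CAP_MAC_ADMIN":        capability.CAP_MAC_ADMIN,
-	"CAP_NET_ADMIN":        capability.CAP_NET_ADMIN,
-	"CAP_SYSLOG":           capability.CAP_SYSLOG,
-	"CAP_CHOWN":            capability.CAP_CHOWN,
-	"CAP_NET_RAW":          capability.CAP_NET_RAW,
-	"CAP_DAC_OVERRIDE":     capability.CAP_DAC_OVERRIDE,
-	"CAP_FOWNER":           capability.CAP_FOWNER,
-	"CAP_DAC_READ_SEARCH":  capability.CAP_DAC_READ_SEARCH,
-	"CAP_FSETID":           capability.CAP_FSETID,
-	"CAP_KILL":             capability.CAP_KILL,
-	"CAP_SETGID":           capability.CAP_SETGID,
-	"CAP_SETUID":           capability.CAP_SETUID,
-	"CAP_LINUX_IMMUTABLE":  capability.CAP_LINUX_IMMUTABLE,
-	"CAP_NET_BIND_SERVICE": capability.CAP_NET_BIND_SERVICE,
-	"CAP_NET_BROADCAST":    capability.CAP_NET_BROADCAST,
-	"CAP_IPC_LOCK":         capability.CAP_IPC_LOCK,
-	"CAP_IPC_OWNER":        capability.CAP_IPC_OWNER,
-	"CAP_SYS_CHROOT":       capability.CAP_SYS_CHROOT,
-	"CAP_SYS_PTRACE":       capability.CAP_SYS_PTRACE,
-	"CAP_SYS_BOOT":         capability.CAP_SYS_BOOT,
-	"CAP_LEASE":            capability.CAP_LEASE,
-	"CAP_SETFCAP":          capability.CAP_SETFCAP,
-	"CAP_WAKE_ALARM":       capability.CAP_WAKE_ALARM,
-	"CAP_BLOCK_SUSPEND":    capability.CAP_BLOCK_SUSPEND,
-	"CAP_AUDIT_READ":       capability.CAP_AUDIT_READ,
+var capabilityMap map[string]capability.Cap
+
+func init() {
+	capabilityMap = make(map[string]capability.Cap)
+	last := capability.CAP_LAST_CAP
+	// workaround for RHEL6 which has no /proc/sys/kernel/cap_last_cap
+	if last == capability.Cap(63) {
+		last = capability.CAP_BLOCK_SUSPEND
+	}
+	for _, cap := range capability.List() {
+		if cap > last {
+			continue
+		}
+		capKey := fmt.Sprintf("CAP_%s", strings.ToUpper(cap.String()))
+		capabilityMap[capKey] = cap
+	}
 }
 
 func newCapWhitelist(caps []string) (*whitelist, error) {
 	l := []capability.Cap{}
 	for _, c := range caps {
-		v, ok := capabilityList[c]
+		v, ok := capabilityMap[c]
 		if !ok {
 			return nil, fmt.Errorf("unknown capability %q", c)
 		}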

+ 3 - 3
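--- a/vendor/src/github.com/opencontainers/runc/libcontainer/process_linux.go
+++ b/vendor/src/github.com/opencontainers/runc/libcontainer/process_linux.go
@@ -58,7 +58,7 @@ func (p *setnsProcess) signal(sig os.Signal) error {
 	if !ok {
 		return errors.New("os: unsupported signal type")
 	}
-	return syscall.Kill(p.cmd.Process.Pid, s)
+	return syscall.Kill(p.pid(), s)
 }
 
 func (p *setnsProcess) start() (err error) {
@@ -67,7 +67,7 @@ func (p *setnsProcess) start() (err error) {
 		return newSystemError(err)
 	}
 	if len(p.cgroupPaths) > 0 {
-		if err := cgroups.EnterPid(p.cgroupPaths, p.cmd.Process.Pid); err != nil {
+		if err := cgroups.EnterPid(p.cgroupPaths, p.pid()); err != nil {
 			return newSystemError(err)
 		}
 	}
@@ -290,7 +290,7 @@ func (p *initProcess) signal(sig os.Signal) error {
 	if !ok {
 		return errors.New("os: unsupported signal type")
 	}
-	return syscall.Kill(p.cmd.Process.Pid, s)
+	return syscall.Kill(p.pid(), s)
 }
 
 func (p *initProcess) setExternalDescriptors(newFds []string) {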

+ 13 - 4
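--- a/vendor/src/github.com/opencontainers/runc/libcontainer/rootfs_linux.go
+++ b/vendor/src/github.com/opencontainers/runc/libcontainer/rootfs_linux.go
@@ -106,13 +106,17 @@ func mountToRootfs(m *configs.Mount, rootfs, mountLabel string) error {
 		if err := os.MkdirAll(dest, 0755); err != nil {
 			return err
 		}
-		return mountPropagate(m, rootfs, mountLabel)
+		// Selinux kernels do not support labeling of /proc or /sys
+		return mountPropagate(m, rootfs, "")
 	case "mqueue":
 		if err := os.MkdirAll(dest, 0755); err != nil {
 			return err
 		}
 		if err := mountPropagate(m, rootfs, mountLabel); err != nil {
-			return err
+			// older kernels do not support labeling of /dev/mqueue
+			if err := mountPropagate(m, rootfs, ""); err != nil {
+				return err
+			}
 		}
 		return label.SetFileLabel(dest, mountLabel)
 	case "tmpfs":
@@ -167,9 +171,14 @@ func mountToRootfs(m *configs.Mount, rootfs, mountLabel string) error {
 			return err
 		}
 		// bind mount won't change mount options, we need remount to make mount options effective.
-		if err := remount(m, rootfs); err != nil {
-			return err
+		// first check that we have non-default options required before attempting a remount
+		if m.Flags&^(syscall.MS_REC|syscall.MS_REMOUNT|syscall.MS_BIND) != 0 {
+			// only remount if unique mount options are set
+			if err := remount(m, rootfs); err != nil {
+				return err
+			}
 		}
+
 		if m.Relabel != "" {
 			if err := label.Validate(m.Relabel); err != nil {
 				return err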