Update libcontainer dep to v1.0.1

Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@docker.com> (github: crosbymichael)

hack/vendor.sh

@@ -61,4 +61,4 @@ mv tmp-tar src/code.google.com/p/go/src/pkg/archive/tar
 
 clone git github.com/godbus/dbus v1
 clone git github.com/coreos/go-systemd v2
-clone git github.com/docker/libcontainer 77ffd49dfedbc78a7cd4cb7a50c7446cf118725f
+clone git github.com/docker/libcontainer v1.0.1

vendor/src/github.com/docker/libcontainer/.travis.yml

@@ -9,3 +9,4 @@ install:
 script:
     - bash "$DOCKER_PATH/hack/make/validate-dco"
     - bash "$DOCKER_PATH/hack/make/validate-gofmt"
+    - go test

vendor/src/github.com/docker/libcontainer/CONTRIBUTORS_GUIDE.md

@@ -36,7 +36,7 @@ that feature *on top of* libcontainer.
 ### Discuss your design on the mailing list
 
 We recommend discussing your plans [on the mailing
-list](https://groups.google.com/forum/?fromgroups#!forum/docker-dev)
+list](https://groups.google.com/forum/?fromgroups#!forum/libcontainer)
 before starting to code - especially for more ambitious contributions.
 This gives other contributors a chance to point you in the right
 direction, give feedback on your design, and maybe point out if someone
@@ -112,12 +112,12 @@ and that all the tests pass.
 libcontainer maintainers use LGTM (looks good to me) in comments on the code review
 to indicate acceptance.
 
-A change requires LGTMs from at lease one maintainer of each
-component affected. For example, if a change affects `netlink/` and `security/`, it
-needs at least one LGTM from the maintainers of `netlink/` AND, separately, at
-least one LGTM from the maintainers of `security/`.
+A change requires LGTMs from at lease two maintainers. One of those must come from
+a maintainer of the component affected. For example, if a change affects `netlink/`
+and `security`, it needs at least one LGTM from a maintainer of each. Maintainers
+only need one LGTM as presumably they LGTM their own change.
 
-For more details see [MAINTAINERS.md](hack/MAINTAINERS.md)
+For more details see [MAINTAINERS.md](MAINTAINERS.md)
 
 ### Sign your work
 

vendor/src/github.com/docker/libcontainer/MAINTAINERS_GUIDE.md

@@ -63,7 +63,7 @@ All decisions are pull requests, and the relevant maintainers make
 decisions by accepting or refusing the pull request. Review and acceptance
 by anyone is denoted by adding a comment in the pull request: `LGTM`. 
 However, only currently listed `MAINTAINERS` are counted towards the required
-majority.
+two LGTMs.
 
 libcontainer follows the timeless, highly efficient and totally unfair system
 known as [Benevolent dictator for life](http://en.wikipedia.org/wiki/Benevolent_Dictator_for_Life), with Michael Crosby in the role of BDFL.

vendor/src/github.com/docker/libcontainer/cgroups/fs/cpuacct.go

@@ -84,6 +84,7 @@ func (s *cpuacctGroup) GetStats(d *data, stats *cgroups.Stats) error {
 	if err != nil {
 		return err
 	}
+	stats.CpuStats.CpuUsage.TotalUsage = lastUsage
 	stats.CpuStats.CpuUsage.PercpuUsage = percpuUsage
 	stats.CpuStats.CpuUsage.UsageInKernelmode = (kernelModeUsage * nanosecondsInSecond) / clockTicks
 	stats.CpuStats.CpuUsage.UsageInUsermode = (userModeUsage * nanosecondsInSecond) / clockTicks

vendor/src/github.com/docker/libcontainer/cgroups/stats.go

@@ -13,8 +13,10 @@ type CpuUsage struct {
 	// percentage of available CPUs currently being used.
 	PercentUsage uint64 `json:"percent_usage,omitempty"`
 	// nanoseconds of cpu time consumed over the last 100 ms.
-	CurrentUsage uint64   `json:"current_usage,omitempty"`
-	PercpuUsage  []uint64 `json:"percpu_usage,omitempty"`
+	CurrentUsage uint64 `json:"current_usage,omitempty"`
+	// total nanoseconds of cpu time consumed
+	TotalUsage  uint64   `json:"total_usage,omitempty"`
+	PercpuUsage []uint64 `json:"percpu_usage,omitempty"`
 	// Time spent by tasks of the cgroup in kernel mode. Units: nanoseconds.
 	UsageInKernelmode uint64 `json:"usage_in_kernelmode"`
 	// Time spent by tasks of the cgroup in user mode. Units: nanoseconds.

vendor/src/github.com/docker/libcontainer/container.json

@@ -1,107 +1,213 @@
 {
-  "namespaces": {
-    "NEWNET": true,
-    "NEWPID": true,
-    "NEWIPC": true,
-    "NEWUTS": true,
-    "NEWNS": true
-  },
-  "networks": [
-    {
-      "gateway": "localhost",
-      "type": "loopback",
-      "address": "127.0.0.1/0",
-      "mtu": 1500
+    "capabilities": [
+        "CHOWN",
+        "DAC_OVERRIDE",
+        "FOWNER",
+        "MKNOD",
+        "NET_RAW",
+        "SETGID",
+        "SETUID",
+        "SETFCAP",
+        "SETPCAP",
+        "NET_BIND_SERVICE",
+        "SYS_CHROOT",
+        "KILL"
+    ],
+    "cgroups": {
+        "allowed_devices": [
+            {
+                "cgroup_permissions": "m",
+                "major_number": -1,
+                "minor_number": -1,
+                "type": 99
+            },
+            {
+                "cgroup_permissions": "m",
+                "major_number": -1,
+                "minor_number": -1,
+                "type": 98
+            },
+            {
+                "cgroup_permissions": "rwm",
+                "major_number": 5,
+                "minor_number": 1,
+                "path": "/dev/console",
+                "type": 99
+            },
+            {
+                "cgroup_permissions": "rwm",
+                "major_number": 4,
+                "path": "/dev/tty0",
+                "type": 99
+            },
+            {
+                "cgroup_permissions": "rwm",
+                "major_number": 4,
+                "minor_number": 1,
+                "path": "/dev/tty1",
+                "type": 99
+            },
+            {
+                "cgroup_permissions": "rwm",
+                "major_number": 136,
+                "minor_number": -1,
+                "type": 99
+            },
+            {
+                "cgroup_permissions": "rwm",
+                "major_number": 5,
+                "minor_number": 2,
+                "type": 99
+            },
+            {
+                "cgroup_permissions": "rwm",
+                "major_number": 10,
+                "minor_number": 200,
+                "type": 99
+            },
+            {
+                "cgroup_permissions": "rwm",
+                "file_mode": 438,
+                "major_number": 1,
+                "minor_number": 3,
+                "path": "/dev/null",
+                "type": 99
+            },
+            {
+                "cgroup_permissions": "rwm",
+                "file_mode": 438,
+                "major_number": 1,
+                "minor_number": 5,
+                "path": "/dev/zero",
+                "type": 99
+            },
+            {
+                "cgroup_permissions": "rwm",
+                "file_mode": 438,
+                "major_number": 1,
+                "minor_number": 7,
+                "path": "/dev/full",
+                "type": 99
+            },
+            {
+                "cgroup_permissions": "rwm",
+                "file_mode": 438,
+                "major_number": 5,
+                "path": "/dev/tty",
+                "type": 99
+            },
+            {
+                "cgroup_permissions": "rwm",
+                "file_mode": 438,
+                "major_number": 1,
+                "minor_number": 9,
+                "path": "/dev/urandom",
+                "type": 99
+            },
+            {
+                "cgroup_permissions": "rwm",
+                "file_mode": 438,
+                "major_number": 1,
+                "minor_number": 8,
+                "path": "/dev/random",
+                "type": 99
+            }
+        ],
+        "name": "docker-koye",
+        "parent": "docker"
     },
-    {
-      "gateway": "172.17.42.1",
-      "context": {
-        "prefix": "veth",
-        "bridge": "docker0"
-      },
-      "type": "veth",
-      "address": "172.17.42.2/16",
-      "mtu": 1500
-    }
-  ],
-  "routes": [
-    {
-      "gateway": "172.17.42.1",
-      "interface_name": "eth0"
+    "context": {
+        "mount_label": "",
+        "process_label": "",
+        "restrictions": "true"
     },
-    {
-      "destination": "192.168.0.0/24",
-      "interface_name": "eth0"
-    }
-  ],
-  "capabilities": [
-    "MKNOD"
-  ],
-  "cgroups": {
-    "name": "docker-koye",
-    "parent": "docker"
-  },
-  "hostname": "koye",
-  "environment": [
-    "HOME=/",
-    "PATH=PATH=$PATH:/bin:/usr/bin:/sbin:/usr/sbin",
-    "container=docker",
-    "TERM=xterm-256color"
-  ],
-  "tty": true,
-  "mounts": [
-    {
-      "type": "devtmpfs"
-    }
-  ],
-  "device_nodes": [
-		{
-			"path":  "/dev/null",
-			"type":        99,
-			"major_number": 1,
-			"minor_number": 3,
-			"cgroup_permissions": "rwm",
-			"file_mode": 438
-		},
-		{
-			"path":  "/dev/zero",
-			"type":        99,
-			"major_number": 1,
-			"minor_number": 5,
-			"cgroup_permissions": "rwm",
-			"file_mode": 438
-		},
-		{
-			"path":  "/dev/full",
-			"type":        99,
-			"major_number": 1,
-			"minor_number": 7,
-			"cgroup_permissions": "rwm",
-			"file_mode": 438
-		},
-		{
-			"path":  "/dev/tty",
-			"type":        99,
-			"major_number": 5,
-			"minor_number": 0,
-			"cgroup_permissions": "rwm",
-			"file_mode": 438
-		},
-		{
-			"path":  "/dev/urandom",
-			"type":        99,
-			"major_number": 1,
-			"minor_number": 9,
-			"cgroup_permissions": "rwm",
-			"file_mode": 438
-		},
-		{
-			"path":  "/dev/random",
-			"type":        99,
-			"major_number": 1,
-			"minor_number": 8,
-			"cgroup_permissions": "rwm",
-			"file_mode": 438
-		}
-  ]
+    "device_nodes": [
+        {
+            "cgroup_permissions": "rwm",
+            "major_number": 10,
+            "minor_number": 229,
+            "path": "/dev/fuse",
+            "type": 99
+        },
+        {
+            "cgroup_permissions": "rwm",
+            "file_mode": 438,
+            "major_number": 1,
+            "minor_number": 3,
+            "path": "/dev/null",
+            "type": 99
+        },
+        {
+            "cgroup_permissions": "rwm",
+            "file_mode": 438,
+            "major_number": 1,
+            "minor_number": 5,
+            "path": "/dev/zero",
+            "type": 99
+        },
+        {
+            "cgroup_permissions": "rwm",
+            "file_mode": 438,
+            "major_number": 1,
+            "minor_number": 7,
+            "path": "/dev/full",
+            "type": 99
+        },
+        {
+            "cgroup_permissions": "rwm",
+            "file_mode": 438,
+            "major_number": 5,
+            "path": "/dev/tty",
+            "type": 99
+        },
+        {
+            "cgroup_permissions": "rwm",
+            "file_mode": 438,
+            "major_number": 1,
+            "minor_number": 9,
+            "path": "/dev/urandom",
+            "type": 99
+        },
+        {
+            "cgroup_permissions": "rwm",
+            "file_mode": 438,
+            "major_number": 1,
+            "minor_number": 8,
+            "path": "/dev/random",
+            "type": 99
+        }
+    ],
+    "environment": [
+        "HOME=/",
+        "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+        "HOSTNAME=2d388ea3bd92",
+        "TERM=xterm"
+    ],
+    "hostname": "koye",
+    "namespaces": {
+        "NEWIPC": true,
+        "NEWNET": true,
+        "NEWNS": true,
+        "NEWPID": true,
+        "NEWUTS": true
+    },
+    "networks": [
+        {
+            "address": "127.0.0.1/0",
+            "gateway": "localhost",
+            "mtu": 1500,
+            "type": "loopback"
+        },
+        {
+            "address": "172.17.0.101/16",
+            "context": {
+                "bridge": "docker0",
+                "prefix": "veth"
+            },
+            "gateway": "172.17.42.1",
+            "mtu": 1500,
+            "type": "veth"
+        }
+    ],
+    "tty": true
 }

vendor/src/github.com/docker/libcontainer/container_test.go

@@ -37,11 +37,6 @@ func TestContainerJsonFormat(t *testing.T) {
 		t.Fail()
 	}
 
-	if len(container.Routes) != 2 {
-		t.Log("should have found 2 routes")
-		t.Fail()
-	}
-
 	if !container.Namespaces["NEWNET"] {
 		t.Log("namespaces should contain NEWNET")
 		t.Fail()
@@ -62,8 +57,8 @@ func TestContainerJsonFormat(t *testing.T) {
 		t.Fail()
 	}
 
-	if contains("SYS_CHROOT", container.Capabilities) {
-		t.Log("capabilities mask should not contain SYS_CHROOT")
+	if !contains("SYS_CHROOT", container.Capabilities) {
+		t.Log("capabilities mask should contain SYS_CHROOT")
 		t.Fail()
 	}
 }

vendor/src/github.com/docker/libcontainer/namespaces/execin.go

@@ -21,14 +21,8 @@ func ExecIn(container *libcontainer.Container, nspid int, args []string) error {
 		return err
 	}
 
-	// TODO(vmarmol): Move this to the container JSON.
-	processLabel, err := label.GetPidCon(nspid)
-	if err != nil {
-		return err
-	}
-
 	// Enter the namespace and then finish setup
-	finalArgs := []string{os.Args[0], "nsenter", strconv.Itoa(nspid), processLabel, string(containerJson)}
+	finalArgs := []string{os.Args[0], "nsenter", "--nspid", strconv.Itoa(nspid), "--containerjson", string(containerJson), "--"}
 	finalArgs = append(finalArgs, args...)
 	if err := system.Execv(finalArgs[0], finalArgs[0:], os.Environ()); err != nil {
 		return err
@@ -37,7 +31,7 @@ func ExecIn(container *libcontainer.Container, nspid int, args []string) error {
 }
 
 // NsEnter is run after entering the namespace.
-func NsEnter(container *libcontainer.Container, processLabel string, nspid int, args []string) error {
+func NsEnter(container *libcontainer.Container, nspid int, args []string) error {
 	// clear the current processes env and replace it with the environment
 	// defined on the container
 	if err := LoadContainerEnvironment(container); err != nil {
@@ -46,9 +40,13 @@ func NsEnter(container *libcontainer.Container, processLabel string, nspid int,
 	if err := FinalizeNamespace(container); err != nil {
 		return err
 	}
-	if err := label.SetProcessLabel(processLabel); err != nil {
-		return err
+
+	if process_label, ok := container.Context["process_label"]; ok {
+		if err := label.SetProcessLabel(process_label); err != nil {
+			return err
+		}
 	}
+
 	if err := system.Execv(args[0], args[0:], container.Env); err != nil {
 		return err
 	}

vendor/src/github.com/docker/libcontainer/namespaces/nsenter.go

@@ -15,6 +15,7 @@ package namespaces
 #include <sys/stat.h>
 #include <sys/types.h>
 #include <unistd.h>
+#include <getopt.h>
 
 static const kBufSize = 256;
 
@@ -64,6 +65,10 @@ int setns(int fd, int nstype) {
 #endif
 #endif
 
+void print_usage() {
+	fprintf(stderr, "<binary> nsenter --nspid <pid> --containerjson <container_json> -- cmd1 arg1 arg2...\n");
+}
+
 void nsenter() {
 	int argc;
 	char **argv;
@@ -79,11 +84,40 @@ void nsenter() {
 		fprintf(stderr, "nsenter: Incorrect usage, not enough arguments\n");
 		exit(1);
 	}
-	pid_t init_pid = strtol(argv[2], NULL, 10);
+
+	static const struct option longopts[] = {
+		{ "nspid",         required_argument, NULL, 'n' },
+		{ "containerjson", required_argument, NULL, 'c' },
+		{ NULL,            0,                 NULL,  0  }
+	};
+
+	int c;
+	pid_t init_pid = -1;
+	char *init_pid_str = NULL;
+	char *container_json = NULL;
+	while ((c = getopt_long_only(argc, argv, "n:s:c:", longopts, NULL)) != -1) {
+		switch (c) {
+		case 'n':
+			init_pid_str = optarg;
+			break;
+		case 'c':
+			container_json = optarg;
+			break;
+		}
+	}
+
+	if (container_json == NULL || init_pid_str == NULL) {
+		print_usage();
+		exit(1);
+	}
+
+	init_pid = strtol(init_pid_str, NULL, 10);
 	if (errno != 0 || init_pid <= 0) {
-		fprintf(stderr, "nsenter: Failed to parse PID from \"%s\" with error: \"%s\"\n", argv[2], strerror(errno));
+		fprintf(stderr, "nsenter: Failed to parse PID from \"%s\" with error: \"%s\"\n", init_pid_str, strerror(errno));
+		print_usage();
 		exit(1);
 	}
+
 	argc -= 3;
 	argv += 3;
 

vendor/src/github.com/docker/libcontainer/nsinit/nsenter.go

@@ -2,7 +2,6 @@ package main
 
 import (
 	"log"
-	"strconv"
 
 	"github.com/codegangsta/cli"
 	"github.com/docker/libcontainer/namespaces"
@@ -12,29 +11,30 @@ var nsenterCommand = cli.Command{
 	Name:   "nsenter",
 	Usage:  "init process for entering an existing namespace",
 	Action: nsenterAction,
+	Flags: []cli.Flag{
+		cli.IntFlag{Name: "nspid"},
+		cli.StringFlag{Name: "containerjson"},
+	},
 }
 
 func nsenterAction(context *cli.Context) {
 	args := context.Args()
-	if len(args) < 4 {
-		log.Fatalf("incorrect usage: <pid> <process label> <container JSON> <cmd>...")
-	}
 
-	container, err := loadContainerFromJson(args.Get(2))
-	if err != nil {
-		log.Fatalf("unable to load container: %s", err)
+	if len(args) == 0 {
+		args = []string{"/bin/bash"}
 	}
 
-	nspid, err := strconv.Atoi(args.Get(0))
+	container, err := loadContainerFromJson(context.String("containerjson"))
 	if err != nil {
-		log.Fatalf("unable to read pid: %s from %q", err, args.Get(0))
+		log.Fatalf("unable to load container: %s", err)
 	}
 
+	nspid := context.Int("nspid")
 	if nspid <= 0 {
 		log.Fatalf("cannot enter into namespaces without valid pid: %q", nspid)
 	}
 
-	if err := namespaces.NsEnter(container, args.Get(1), nspid, args[3:]); err != nil {
+	if err := namespaces.NsEnter(container, nspid, args); err != nil {
 		log.Fatalf("failed to nsenter: %s", err)
 	}
 }