
Merge pull request #7109 from crosbymichael/update-libcontainer-july4

Update libcontainer to cf45d141db69ce11dcccac178e5
Victor Vieux 11 年之前
父节点
当前提交
ccbaf4bc6e

+ 1 - 1
hack/vendor.sh

@@ -63,4 +63,4 @@ mv tmp-tar src/code.google.com/p/go/src/pkg/archive/tar
 
 clone git github.com/godbus/dbus v1
 clone git github.com/coreos/go-systemd v2
-clone git github.com/docker/libcontainer be85764f109c3f0f62cd2a5c8be9af7a599798cf
+clone git github.com/docker/libcontainer cf45d141db69ce11dcccac178e5607a385609e15

+ 17 - 9
vendor/src/github.com/docker/libcontainer/.travis.yml

@@ -1,22 +1,30 @@
 language: go
+go: 1.3
 
 # let us have pretty experimental Docker-based Travis workers
 sudo: false
 
 env:
     - TRAVIS_GLOBAL_WTF=1
-    - GOOS=linux GOARCH=amd64
-    - GOOS=linux GOARCH=386
-    - GOOS=linux GOARCH=arm
-    - GOOS=darwin GOARCH=amd64
-    - GOOS=darwin GOARCH=386
-    - GOOS=freebsd GOARCH=amd64
+    - _GOOS=linux _GOARCH=amd64
+#    - _GOOS=linux _GOARCH=386 # Travis can't currently do 32bit cgo... (see https://travis-ci.org/tianon/libcontainer/jobs/30126518#L168)
+#    - _GOOS=linux _GOARCH=arm # see https://github.com/moovweb/gvm/issues/22
 
 install:
+    - mkdir -pv "${GOPATH%%:*}/src/github.com/docker" && [ -d "${GOPATH%%:*}/src/github.com/docker/libcontainer" ] || ln -sv "$(readlink -f .)" "${GOPATH%%:*}/src/github.com/docker/libcontainer"
+    - if [ -z "$TRAVIS_GLOBAL_WTF" ]; then
+          export CGO_ENABLED=1;
+          gvm cross "$_GOOS" "$_GOARCH";
+          export GOOS="$_GOOS" GOARCH="$_GOARCH";
+      fi
+    - if [ -z "$TRAVIS_GLOBAL_WTF" ]; then go env; fi
     - go get -d -v ./...
-    - go get -d -v github.com/dotcloud/docker # just to be sure
-    - DOCKER_PATH="${GOPATH%%:*}/src/github.com/dotcloud/docker"
-    - sed -i 's!dotcloud/docker!docker/libcontainer!' "$DOCKER_PATH/hack/make/.validate"
+    - if [ "$TRAVIS_GLOBAL_WTF" ]; then
+          export DOCKER_PATH="${GOPATH%%:*}/src/github.com/dotcloud/docker";
+          mkdir -p "$DOCKER_PATH/hack/make";
+          ( cd "$DOCKER_PATH/hack/make" && wget -c 'https://raw.githubusercontent.com/dotcloud/docker/master/hack/make/'{.validate,validate-dco,validate-gofmt} );
+          sed -i 's!dotcloud/docker!docker/libcontainer!' "$DOCKER_PATH/hack/make/.validate";
+      fi
 
 script:
     - if [ "$TRAVIS_GLOBAL_WTF" ]; then bash "$DOCKER_PATH/hack/make/validate-dco"; fi
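Review bot: The `wget -c` line in the install step fetches `.validate`, `validate-dco` and `validate-gofmt` from the `master` branch of dotcloud/docker, and the script step then runs them with `bash`, so the CI job executes whatever that branch holds at build time. Pinning the URL to a commit, e.g. `https://raw.githubusercontent.com/dotcloud/docker/<COMMIT_SHA>/hack/make/` (placeholder), would make the validation reproducible and stop an upstream change from silently altering this repository's checks. The `script:` list may continue past the end of the hunk.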

+ 1 - 1
vendor/src/github.com/docker/libcontainer/apparmor/apparmor.go

@@ -1,4 +1,4 @@
-// +build apparmor,linux,amd64
+// +build apparmor,linux
 
 package apparmor
 

+ 1 - 1
vendor/src/github.com/docker/libcontainer/apparmor/apparmor_disabled.go

@@ -1,4 +1,4 @@
-// +build !apparmor !linux !amd64
+// +build !apparmor !linux
 
 package apparmor
 

+ 8 - 0
vendor/src/github.com/docker/libcontainer/container.go

@@ -21,6 +21,14 @@ type Container interface {
 	// Returns the current config of the container.
 	Config() *Config
 
+	// Start a process inside the container. Returns the PID of the new process (in the caller process's namespace) and a channel that will return the exit status of the process whenever it dies.
+	//
+	// Errors: container no longer exists,
+	//         config is invalid,
+	//         container is paused,
+	//         system error.
+	Start(*ProcessConfig) (pid int, exitChan chan int, err error)
+
 	// Destroys the container after killing all running processes.
 	//
 	// Any event registrations are removed before the container is destroyed.
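Review bot: `Start` returns `exitChan chan int`, a bidirectional channel, so a caller could send on or close a channel that the implementation owns; declaring it as `exitChan <-chan int` keeps it receive-only. The comment should also say whether the channel is buffered and whether it is closed after the exit status is delivered, since that decides what happens when a caller never reads from it. Go doc convention would open the comment with the method name, `// Start starts a process inside the container ...`. The interface body starts and ends outside the hunk.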

+ 11 - 6
vendor/src/github.com/docker/libcontainer/mount/init.go

@@ -26,7 +26,7 @@ type mount struct {
 
 // InitializeMountNamespace sets up the devices, mount points, and filesystems for use inside a
 // new mount namespace.
-func InitializeMountNamespace(rootfs, console string, mountConfig *MountConfig) error {
+func InitializeMountNamespace(rootfs, console string, sysReadonly bool, mountConfig *MountConfig) error {
 	var (
 		err  error
 		flag = syscall.MS_PRIVATE
@@ -40,7 +40,7 @@ func InitializeMountNamespace(rootfs, console string, mountConfig *MountConfig)
 	if err := syscall.Mount(rootfs, rootfs, "bind", syscall.MS_BIND|syscall.MS_REC, ""); err != nil {
 		return fmt.Errorf("mouting %s as bind %s", rootfs, err)
 	}
-	if err := mountSystem(rootfs, mountConfig); err != nil {
+	if err := mountSystem(rootfs, sysReadonly, mountConfig); err != nil {
 		return fmt.Errorf("mount system %s", err)
 	}
 	if err := setupBindmounts(rootfs, mountConfig); err != nil {
@@ -81,8 +81,8 @@ func InitializeMountNamespace(rootfs, console string, mountConfig *MountConfig)
 
 // mountSystem sets up linux specific system mounts like sys, proc, shm, and devpts
 // inside the mount namespace
-func mountSystem(rootfs string, mountConfig *MountConfig) error {
-	for _, m := range newSystemMounts(rootfs, mountConfig.MountLabel, mountConfig.Mounts) {
+func mountSystem(rootfs string, sysReadonly bool, mountConfig *MountConfig) error {
+	for _, m := range newSystemMounts(rootfs, mountConfig.MountLabel, sysReadonly, mountConfig.Mounts) {
 		if err := os.MkdirAll(m.path, 0755); err != nil && !os.IsExist(err) {
 			return fmt.Errorf("mkdirall %s %s", m.path, err)
 		}
@@ -192,14 +192,19 @@ func setupBindmounts(rootfs string, mountConfig *MountConfig) error {
 
 // TODO: this is crappy right now and should be cleaned up with a better way of handling system and
 // standard bind mounts allowing them to be more dynamic
-func newSystemMounts(rootfs, mountLabel string, mounts Mounts) []mount {
+func newSystemMounts(rootfs, mountLabel string, sysReadonly bool, mounts Mounts) []mount {
 	systemMounts := []mount{
 		{source: "proc", path: filepath.Join(rootfs, "proc"), device: "proc", flags: defaultMountFlags},
-		{source: "sysfs", path: filepath.Join(rootfs, "sys"), device: "sysfs", flags: defaultMountFlags},
 		{source: "tmpfs", path: filepath.Join(rootfs, "dev"), device: "tmpfs", flags: syscall.MS_NOSUID | syscall.MS_STRICTATIME, data: label.FormatMountLabel("mode=755", mountLabel)},
 		{source: "shm", path: filepath.Join(rootfs, "dev", "shm"), device: "tmpfs", flags: defaultMountFlags, data: label.FormatMountLabel("mode=1777,size=65536k", mountLabel)},
 		{source: "devpts", path: filepath.Join(rootfs, "dev", "pts"), device: "devpts", flags: syscall.MS_NOSUID | syscall.MS_NOEXEC, data: label.FormatMountLabel("newinstance,ptmxmode=0666,mode=620,gid=5", mountLabel)},
 	}
 
+	sysMountFlags := defaultMountFlags
+	if sysReadonly {
+		sysMountFlags |= syscall.MS_RDONLY
+	}
+	systemMounts = append(systemMounts, mount{source: "sysfs", path: filepath.Join(rootfs, "sys"), device: "sysfs", flags: sysMountFlags})
+
 	return systemMounts
 }
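Review bot: `newSystemMounts` now applies `syscall.MS_RDONLY` to sysfs at the initial mount, but none of the doc comments on `InitializeMountNamespace`, `mountSystem` or `newSystemMounts` say what `sysReadonly` means. A read-only flag set at mount time can be lifted by a remount from a process that still holds CAP_SYS_ADMIN, so the guarantee depends on capability handling that is not visible in this diff. That is worth recording, e.g. `// sysReadonly mounts sysfs with MS_RDONLY; this relies on CAP_SYS_ADMIN being dropped so the container cannot remount it read-write`. Since `mountConfig` is already passed through all three functions, carrying the flag as a field of `MountConfig` would avoid a bare bool in each signature. `InitializeMountNamespace` continues outside the hunks shown.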

+ 2 - 1
vendor/src/github.com/docker/libcontainer/namespaces/init.go

@@ -76,6 +76,7 @@ func Init(container *libcontainer.Config, uncleanRootfs, consolePath string, syn
 
 	if err := mount.InitializeMountNamespace(rootfs,
 		consolePath,
+		container.RestrictSys,
 		(*mount.MountConfig)(container.MountConfig)); err != nil {
 		return fmt.Errorf("setup mount namespace %s", err)
 	}
@@ -98,7 +99,7 @@ func Init(container *libcontainer.Config, uncleanRootfs, consolePath string, syn
 
 	// TODO: (crosbymichael) make this configurable at the Config level
 	if container.RestrictSys {
-		if err := restrict.Restrict("proc/sys", "proc/sysrq-trigger", "proc/irq", "proc/bus", "sys"); err != nil {
+		if err := restrict.Restrict("proc/sys", "proc/sysrq-trigger", "proc/irq", "proc/bus"); err != nil {
 			return err
 		}
 	}
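Review bot: After this change the `RestrictSys` branch no longer covers `sys`, and nothing in `Init` tells the reader that sysfs is instead made read-only through the `container.RestrictSys` argument passed to `mount.InitializeMountNamespace` earlier in the function. A comment above the `restrict.Restrict` call would keep the two halves connected, e.g. `// sysfs is mounted read-only by InitializeMountNamespace when RestrictSys is set; only proc paths are restricted here`. `Init` starts and ends outside the hunks.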

+ 1 - 4
vendor/src/github.com/docker/libcontainer/netlink/netlink_linux.go

@@ -1,11 +1,8 @@
-// +build amd64
-
 package netlink
 
 import (
 	"encoding/binary"
 	"fmt"
-	"math/rand"
 	"net"
 	"sync/atomic"
 	"syscall"
@@ -951,7 +948,7 @@ func setBridgeMacAddress(s int, name string) error {
 	copy(ifr.IfrnName[:], name)
 
 	for i := 0; i < 6; i++ {
-		ifr.IfruHwaddr.Data[i] = int8(rand.Intn(255))
+		ifr.IfruHwaddr.Data[i] = randIfrDataByte()
 	}
 
 	ifr.IfruHwaddr.Data[0] &^= 0x1 // clear multicast bit

+ 9 - 0
vendor/src/github.com/docker/libcontainer/netlink/netlink_linux_arm.go

@@ -0,0 +1,9 @@
+package netlink
+
+import (
+	"math/rand"
+)
+
+func randIfrDataByte() uint8 {
+	return uint8(rand.Intn(255))
+}
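Review bot: `rand.Intn(255)` returns values in [0, 255), so the byte 0xff is never produced; `return uint8(rand.Intn(256))` covers the full range, and the same applies to `randIfrDataByte` in netlink_linux_notarm.go. No `rand.Seed` call is visible in this diff. If the package never seeds `math/rand`, the default source yields the same sequence on every run, so the bridge MAC addresses filled in by `setBridgeMacAddress` would repeat across hosts. Reading the six bytes from `crypto/rand` would avoid that. The helper would also benefit from a one-line comment saying it exists only because the element type of `IfruHwaddr.Data` presumably differs between architectures.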

+ 11 - 0
vendor/src/github.com/docker/libcontainer/netlink/netlink_linux_notarm.go

@@ -0,0 +1,11 @@
+// +build !arm
+
+package netlink
+
+import (
+	"math/rand"
+)
+
+func randIfrDataByte() int8 {
+	return int8(rand.Intn(255))
+}
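Review bot: The only constraint on this file is `// +build !arm`, because `notarm` is not a GOARCH name and the `_linux_notarm.go` suffix therefore adds no implicit GOOS constraint; the file is compiled on every non-ARM target, including non-Linux ones. `// +build linux,!arm` states the intent and pairs with netlink_linux_arm.go, whose name does imply linux/arm. As written, `!arm` also sends every other architecture down the `int8` path, which is an assumption about the struct's element type that a comment should record.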

+ 1 - 1
vendor/src/github.com/docker/libcontainer/netlink/netlink_unsupported.go

@@ -1,4 +1,4 @@
-// +build !linux !amd64
+// +build !linux
 
 package netlink
 

+ 2 - 0
vendor/src/github.com/docker/libcontainer/selinux/selinux.go

@@ -1,3 +1,5 @@
+// +build linux
+
 package selinux
 
 import (

+ 4 - 1
vendor/src/github.com/docker/libcontainer/selinux/selinux_test.go

@@ -1,9 +1,12 @@
+// +build linux
+
 package selinux_test
 
 import (
-	"github.com/docker/libcontainer/selinux"
 	"os"
 	"testing"
+
+	"github.com/docker/libcontainer/selinux"
 )
 
 func testSetfilecon(t *testing.T) {

+ 2 - 0
vendor/src/github.com/docker/libcontainer/system/setns_linux.go

@@ -11,7 +11,9 @@ import (
 // We need different setns values for the different platforms and arch
 // We are declaring the macro here because the SETNS syscall does not exist in th stdlib
 var setNsMap = map[string]uintptr{
+	"linux/386":   346,
 	"linux/amd64": 308,
+	"linux/arm":   374,
 }
 
 func Setns(fd uintptr, flags uintptr) error {
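Review bot: The new `"linux/arm": 374` entry looks wrong: in the kernel's ARM EABI syscall table 374 is `sendmmsg` and `setns` is 375, so `Setns` on ARM would invoke a different syscall with these arguments. The line should read `"linux/arm":   375,`; the 386 value 346 and the amd64 value 308 match the kernel tables. A short comment next to each entry naming the kernel header the number was taken from would make such a slip easier to catch in review. The body of `Setns` is outside the hunk, so how a missing map key is handled cannot be checked here.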

+ 1 - 2
vendor/src/github.com/docker/libcontainer/system/sysconfig.go

@@ -4,10 +4,9 @@ package system
 
 /*
 #include <unistd.h>
-int get_hz(void) { return sysconf(_SC_CLK_TCK); }
 */
 import "C"
 
 func GetClockTicks() int {
-	return int(C.get_hz())
+	return int(C.sysconf(C._SC_CLK_TCK))
 }

+ 8 - 0
vendor/src/github.com/docker/libcontainer/system/sysconfig_notcgo.go

@@ -0,0 +1,8 @@
+// +build linux,!cgo
+
+package system
+
+func GetClockTicks() int {
+	// TODO figure out a better alternative for platforms where we're missing cgo
+	return 100
+}
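Review bot: `GetClockTicks` returns the constant 100 when cgo is disabled, and the function has no doc comment telling callers that the value is assumed rather than queried. Code that turns tick counts into time would be silently skewed on a system whose clock-tick value differs. A comment such as `// GetClockTicks returns an assumed USER_HZ of 100 because sysconf(_SC_CLK_TCK) cannot be called without cgo.` would make the limitation visible at the call site's documentation.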