These PR does a few things. It ensures that the freezer cgroup is
joined in the systemd driver. It also provides a public api for setting
the freezer state via the cgroups package.
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
The systemd support for the devices cgroup lacks two required features:
* Support for wildcards to allow mknod on any device
* Support for wildcards to allow /dev/pts support
The second is available in more recent systemd as "char-pts", but not in e.g. v208 which is in wide use.
Additionally, the current approach of letting systemd set up the devices cgroup and then adding
some devices to it doesn't work, because some times systemd (at least v208) re-initializes
the devices cgroup, overwriting our custom devices. See https://github.com/dotcloud/docker/issues/6009
for the details.
When wildcarded mknod support is available in systemd we should implement a pure systemd version,
but we need to keep the old one around for backwards compat.
Docker-DCO-1.1-Signed-off-by: Alexander Larsson <alexl@redhat.com> (github: alexlarsson)
This patch adds some tests to ensure that quoted flags are properly
handled by the mflag package.
Docker-DCO-1.1-Signed-off-by: Aleksa Sarai <cyphar@cyphar.com> (github: cyphar)
This patch improves the mflag package to ensure that things arguments
to mflag such as `-flag="var"` or `-flag='var'` have the quotes
stripped from the value (to mirror the getopt functionality for similar
flags).
Docker-DCO-1.1-Signed-off-by: Aleksa Sarai <cyphar@cyphar.com> (github: cyphar)
This also makes sure that devices are pointers to avoid copies
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
We now have one place that keeps track of (most) devices that are allowed and created within the container. That place is pkg/libcontainer/devices/devices.go
This fixes several inconsistencies between which devices were created in the lxc backend and the native backend. It also fixes inconsistencies between wich devices were created and which were allowed. For example, /dev/full was being created but it was not allowed within the cgroup. It also declares the file modes and permissions of the default devices, rather than copying them from the host. This is in line with docker's philosphy of not being host dependent.
Docker-DCO-1.1-Signed-off-by: Timothy Hobbs <timothyhobbs@seznam.cz> (github: https://github.com/timthelion)
Remove old Stats interface in libcontainers cgroups package.
Changed Stats to use unit64 instead of int64 to prevent integer overflow issues.
Updated unit tests.
Docker-DCO-1.1-Signed-off-by: Vishnu Kannan <vishnuk@google.com> (github: vishh)
There is no need for this, the device node by itself doesn't work, since
its not on a devpts fs, and we can just a regular file to bind mount over.
Docker-DCO-1.1-Signed-off-by: Alexander Larsson <alexl@redhat.com> (github: alexlarsson)
It is no longer necessary to pass "SETUID" or "SETGID" capabilities to
the container when a "user" is specified in the config.
Docker-DCO-1.1-Signed-off-by: Bernerd Schaefer <bj.schaefer@gmail.com> (github: bernerdschaefer)
Fixes#2586
This fixes a few races where the name generator asks if a name is free
but another container takes the name before it can be reserved. This
solves this by generating the name and setting it. If the set fails
with a non unique error then we try again.
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
