diff --git a/hack/dockerfile/binaries-commits b/hack/dockerfile/binaries-commits
index a141fbb6ca..96baaabbb6 100644
--- a/hack/dockerfile/binaries-commits
+++ b/hack/dockerfile/binaries-commits
@@ -1,8 +1,8 @@
 #!/bin/sh
 TOMLV_COMMIT=9baf8a8a9f2ed20a8e54160840c492f937eeaf9a
-RUNC_COMMIT=ac031b5bf1cc92239461125f4c1ffb760522bbf2
-CONTAINERD_COMMIT=8517738ba4b82aff5662c97ca4627e7e4d03b531
+RUNC_COMMIT=51371867a01c467f08af739783b8beafc15
+CONTAINERD_COMMIT=03e5862ec0d8d3b3f750e19fca3ee367e13c090e
 TINI_COMMIT=949e6facb77383876aeff8a6944dde66b3089574
 LIBNETWORK_COMMIT=0f534354b813003a754606689722fe253101bc4e
 VNDR_COMMIT=f56bd4504b4fad07a357913687fb652ee54bb3b0
diff --git a/vendor.conf b/vendor.conf
index 86a636a437..ecfe6da03c 100644
--- a/vendor.conf
+++ b/vendor.conf
@@ -59,7 +59,7 @@ github.com/miekg/pkcs11 df8ae6ca730422dba20c768ff38ef7d79077a59f
 github.com/docker/go v1.5.1-1-1-gbaf439e
 github.com/agl/ed25519 d2b94fd789ea21d12fac1a4443dd3a3f79cda72c
-github.com/opencontainers/runc ac031b5bf1cc92239461125f4c1ffb760522bbf2 # libcontainer
+github.com/opencontainers/runc 51371867a01c467f08af739783b8beafc15 # libcontainer
 github.com/opencontainers/runtime-spec 1c7c27d043c2a5e513a44084d2b10d77d1402b8c # specs
 github.com/seccomp/libseccomp-golang 32f571b70023028bd57d9288c20efbcb237f3ce0
 # libcontainer deps (see src/github.com/opencontainers/runc/Godeps/Godeps.json)
@@ -96,7 +96,7 @@ google.golang.org/cloud dae7e3d993bc3812a2185af60552bb6b847e52a0
 github.com/docker/docker-credential-helpers f72c04f1d8e71959a6d103f808c50ccbad79b9fd
 # containerd
-github.com/docker/containerd 8517738ba4b82aff5662c97ca4627e7e4d03b531
+github.com/docker/containerd 03e5862ec0d8d3b3f750e19fca3ee367e13c090e
 github.com/tonistiigi/fifo 1405643975692217d6720f8b54aeee1bf2cd5cf4
 # cluster
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/nsenter/nsexec.c b/vendor/github.com/opencontainers/runc/libcontainer/nsenter/nsexec.c
index 97c070859c..c80f8e600f 100644
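Review bot: The new `RUNC_COMMIT=51371867a01c467f08af739783b8beafc15` is only 35 hex characters, while every other pin in this file and in vendor.conf is a full 40-character commit id; the same truncated value is repeated in the vendor.conf runc hunk below. An abbreviated id only resolves for as long as it stays unique in the runc history, and any tooling that validates or compares full SHAs may reject it or resolve it to a different object, which defeats the purpose of pinning a vendored runtime. Both places should carry the complete id, `RUNC_COMMIT=<full 40-hex runc commit>` here and `github.com/opencontainers/runc <full 40-hex runc commit> # libcontainer` in vendor.conf.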
--- a/vendor/github.com/opencontainers/runc/libcontainer/nsenter/nsexec.c
+++ b/vendor/github.com/opencontainers/runc/libcontainer/nsenter/nsexec.c
@@ -598,11 +598,11 @@ void nsexec(void)
 /*
 * Stage 1: We're in the first child process. Our job is to join any
- * provided user namespaces in the netlink payload. If we've been
- * asked to CLONE_NEWUSER, we will unshare the user namespace and
- * ask our parent (stage 0) to set up our user mappings for us.
- * Then, we unshare the rest of the requested namespaces and
- * create a new child (stage 2: JUMP_INIT). We then send the
+ * provided namespaces in the netlink payload and unshare all
+ * of the requested namespaces. If we've been asked to
+ * CLONE_NEWUSER, we will ask our parent (stage 0) to set up
+ * our user mappings for us. Then, we create a new child
+ * (stage 2: JUMP_INIT) for PID namespace. We then send the
 * child's PID to our parent (stage 0).
 */
 case JUMP_CHILD: {
@@ -660,7 +660,15 @@ void nsexec(void)
 bail("failed to sync with parent: SYNC_USERMAP_ACK: got %u", s);
 }
- /* TODO: What about non-namespace clone flags that we're dropping here? */
+ /*
+ * TODO: What about non-namespace clone flags that we're dropping here?
+ *
+ * We fork again because of PID namespace, setns(2) or unshare(2) don't
+ * change the PID namespace of the calling process, because doing so
+ * would change the caller's idea of its own PID (as reported by getpid()),
+ * which would break many applications and libraries, so we must fork
+ * to actually enter the new PID namespace.
+ */
 child = clone_parent(&env, JUMP_INIT);
 if (child < 0)
 bail("unable to fork: init_func");