diff --git a/Dockerfile b/Dockerfile
index f27a65711b..48d6388bdd 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -222,7 +222,7 @@ RUN ./contrib/download-frozen-image-v2.sh /docker-frozen-images \
 hello-world:latest@sha256:8be990ef2aeb16dbcb9271ddfe2610fa6658d13f6dfb8bc72074cc1ca36966a7
 # See also "hack/make/.ensure-frozen-images" (which needs to be updated any time this list is)
-# Install tomlv, runc, containerd.and grimes
+# Install tomlv, runc, containerd and grimes
 # Please edit hack/dockerfile/install-binaries.sh to update them.
 COPY hack/dockerfile/install-binaries.sh /tmp/install-binaries.sh
 RUN /tmp/install-binaries.sh tomlv runc containerd grimes
diff --git a/Dockerfile.aarch64 b/Dockerfile.aarch64
index 2e77315825..b37dd855ab 100644
--- a/Dockerfile.aarch64
+++ b/Dockerfile.aarch64
@@ -165,7 +165,7 @@ RUN ./contrib/download-frozen-image-v2.sh /docker-frozen-images \
 aarch64/hello-world:latest@sha256:65a4a158587b307bb02db4de41b836addb0c35175bdc801367b1ac1ddeb9afda
 # See also "hack/make/.ensure-frozen-images" (which needs to be updated any time this list is)
-# Install tomlv, runc, containerd.and grimes
+# Install tomlv, runc, containerd and grimes
 # Please edit hack/dockerfile/install-binaries.sh to update them.
 COPY hack/dockerfile/install-binaries.sh /tmp/install-binaries.sh
 RUN /tmp/install-binaries.sh tomlv runc containerd grimes
diff --git a/Dockerfile.armhf b/Dockerfile.armhf
index c4a63860eb..f0c2a27856 100644
--- a/Dockerfile.armhf
+++ b/Dockerfile.armhf
@@ -164,7 +164,7 @@ RUN ./contrib/download-frozen-image-v2.sh /docker-frozen-images \
 armhf/hello-world:latest@sha256:161dcecea0225975b2ad5f768058212c1e0d39e8211098666ffa1ac74cfb7791
 # See also "hack/make/.ensure-frozen-images" (which needs to be updated any time this list is)
-# Install tomlv, runc, containerd.and grimes
+# Install tomlv, runc, containerd and grimes
 # Please edit hack/dockerfile/install-binaries.sh to update them.
 COPY hack/dockerfile/install-binaries.sh /tmp/install-binaries.sh
 RUN /tmp/install-binaries.sh tomlv runc containerd grimes
diff --git a/Dockerfile.ppc64le b/Dockerfile.ppc64le
index aa3350a063..f6f66ab9a6 100644
--- a/Dockerfile.ppc64le
+++ b/Dockerfile.ppc64le
@@ -183,7 +183,7 @@ RUN ./contrib/download-frozen-image-v2.sh /docker-frozen-images \
 ppc64le/hello-world:latest@sha256:186a40a9a02ca26df0b6c8acdfb8ac2f3ae6678996a838f977e57fac9d963974
 # See also "hack/make/.ensure-frozen-images" (which needs to be updated any time this list is)
-# Install tomlv, runc, containerd.and grimes
+# Install tomlv, runc, containerd and grimes
 # Please edit hack/dockerfile/install-binaries.sh to update them.
 COPY hack/dockerfile/install-binaries.sh /tmp/install-binaries.sh
 RUN /tmp/install-binaries.sh tomlv runc containerd grimes
diff --git a/Dockerfile.s390x b/Dockerfile.s390x
index f03ccfdfaf..0663c63b97 100644
--- a/Dockerfile.s390x
+++ b/Dockerfile.s390x
@@ -175,7 +175,7 @@ RUN ./contrib/download-frozen-image-v2.sh /docker-frozen-images \
 s390x/hello-world:latest@sha256:780d80b3a7677c3788c0d5cd9168281320c8d4a6d9183892d8ee5cdd610f5699
 # See also "hack/make/.ensure-frozen-images" (which needs to be updated any time this list is)
-# Install tomlv, runc, containerd.and grimes
+# Install tomlv, runc, containerd and grimes
 # Please edit hack/dockerfile/install-binaries.sh to update them.
 COPY hack/dockerfile/install-binaries.sh /tmp/install-binaries.sh
 RUN /tmp/install-binaries.sh tomlv runc containerd grimes
diff --git a/Dockerfile.simple b/Dockerfile.simple
index ab00776a49..908e8734a8 100644
--- a/Dockerfile.simple
+++ b/Dockerfile.simple
@@ -56,7 +56,7 @@ ENV PATH /go/bin:/usr/local/go/bin:$PATH
 ENV GOPATH /go:/go/src/github.com/docker/docker/vendor
 ENV CGO_LDFLAGS -L/lib
-# Install runc, containerd.and grimes
+# Install runc, containerd and grimes
 # Please edit hack/dockerfile/install-binaries.sh to update them.
 COPY hack/dockerfile/install-binaries.sh /tmp/install-binaries.sh
 RUN /tmp/install-binaries.sh runc containerd grimes
diff --git a/hack/dockerfile/install-binaries.sh b/hack/dockerfile/install-binaries.sh
index 4933e7d771..0274f95e3c 100755
--- a/hack/dockerfile/install-binaries.sh
+++ b/hack/dockerfile/install-binaries.sh
@@ -3,8 +3,8 @@ set -e
 set -x
 TOMLV_COMMIT=9baf8a8a9f2ed20a8e54160840c492f937eeaf9a
-RUNC_COMMIT=cc29e3dded8e27ba8f65738f40d251c885030a28
-CONTAINERD_COMMIT=2545227b0357eb55e369fa0072baef9ad91cdb69
+RUNC_COMMIT=02f8fa7863dd3f82909a73e2061897828460d52f
+CONTAINERD_COMMIT=837e8c5e1cad013ed57f5c2090c8591c10cbbdae
 GRIMES_COMMIT=f207601a8d19a534cc90d9e26e037e9931ccb9db
 export GOPATH="$(mktemp -d)"
diff --git a/hack/vendor.sh b/hack/vendor.sh
index 444bd9075f..664372cfee 100755
--- a/hack/vendor.sh
+++ b/hack/vendor.sh
@@ -106,7 +106,7 @@ clone git github.com/miekg/pkcs11 df8ae6ca730422dba20c768ff38ef7d79077a59f
 clone git github.com/docker/go v1.5.1-1-1-gbaf439e
 clone git github.com/agl/ed25519 d2b94fd789ea21d12fac1a4443dd3a3f79cda72c
-clone git github.com/opencontainers/runc cc29e3dded8e27ba8f65738f40d251c885030a28 # libcontainer
+clone git github.com/opencontainers/runc 02f8fa7863dd3f82909a73e2061897828460d52f # libcontainer
 clone git github.com/opencontainers/runtime-spec 1c7c27d043c2a5e513a44084d2b10d77d1402b8c # specs
 clone git github.com/seccomp/libseccomp-golang 32f571b70023028bd57d9288c20efbcb237f3ce0 # libcontainer deps (see src/github.com/opencontainers/runc/Godeps/Godeps.json)
@@ -140,7 +140,7 @@ clone git google.golang.org/cloud dae7e3d993bc3812a2185af60552bb6b847e52a0 https
 clone git github.com/docker/docker-credential-helpers v0.3.0
 # containerd
-clone git github.com/docker/containerd 2545227b0357eb55e369fa0072baef9ad91cdb69
+clone git github.com/docker/containerd 837e8c5e1cad013ed57f5c2090c8591c10cbbdae
 # cluster
 clone git github.com/docker/swarmkit 7e63bdefb94e5bea2641e8bdebae2cfa61a0ed44
diff --git a/integration-cli/docker_cli_daemon_test.go b/integration-cli/docker_cli_daemon_test.go
index 68aa1f3267..26051c5429 100644
--- a/integration-cli/docker_cli_daemon_test.go
+++ b/integration-cli/docker_cli_daemon_test.go
@@ -2778,7 +2778,7 @@ func (s *DockerDaemonSuite) TestDaemonRestartSaveContainerExitCode(c *check.C) {
 c.Assert(err, checker.IsNil)
 containerName := "error-values"
- runError := "oci runtime error: exec: \"toto\": executable file not found in $PATH"
+ runError := `exec: \"toto\": executable file not found in $PATH`
 // Make a container with both a non 0 exit code and an error message
 out, err := s.d.Cmd("run", "--name", containerName, "busybox", "toto")
 c.Assert(err, checker.NotNil)
@@ -2793,7 +2793,7 @@ func (s *DockerDaemonSuite) TestDaemonRestartSaveContainerExitCode(c *check.C) {
 out, err = s.d.Cmd("inspect", "-f", "{{.State.Error}}", containerName)
 out = strings.TrimSpace(out)
 c.Assert(err, checker.IsNil)
- c.Assert(out, checker.Equals, runError)
+ c.Assert(out, checker.Contains, runError)
 // now restart daemon
 err = s.d.Restart()
@@ -2808,7 +2808,7 @@ func (s *DockerDaemonSuite) TestDaemonRestartSaveContainerExitCode(c *check.C) {
 out, err = s.d.Cmd("inspect", "-f", "{{.State.Error}}", containerName)
 out = strings.TrimSpace(out)
 c.Assert(err, checker.IsNil)
- c.Assert(out, checker.Equals, runError)
+ c.Assert(out, checker.Contains, runError)
 }
 func (s *DockerDaemonSuite) TestDaemonBackcompatPre17Volumes(c *check.C) {
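Review bot: `runError` is now a raw string literal, so the backslashes in `\"toto\"` are literal characters and the assertion only holds if `{{.State.Error}}` really carries the quoted-and-escaped form of the runtime error; nothing in the hunk says where that escaping comes from, and next to the old interpreted string the new one reads like a typo. A comment above the literal, e.g. `// the runtime error now arrives wrapped with its inner quotes escaped; match only the stable tail`, would record the reason, and it is the same reason behind the `Equals`→`Contains` relaxation in the two following hunks of this file. Because `Contains` no longer pins the prefix, the check now also passes for any other error that happens to contain this tail, so if a stable prefix fragment exists it is worth asserting too. TestDaemonRestartSaveContainerExitCode starts before the first hunk.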
diff --git a/pkg/sysinfo/sysinfo_linux.go b/pkg/sysinfo/sysinfo_linux.go
index 8ba3ce4d39..7dce3a3ec0 100644
--- a/pkg/sysinfo/sysinfo_linux.go
+++ b/pkg/sysinfo/sysinfo_linux.go
@@ -18,7 +18,7 @@ const (
 )
 func findCgroupMountpoints() (map[string]string, error) {
- cgMounts, err := cgroups.GetCgroupMounts()
+ cgMounts, err := cgroups.GetCgroupMounts(false)
 if err != nil {
 return nil, fmt.Errorf("Failed to parse cgroup information: %v", err)
 }
diff --git a/vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/cgroups.go b/vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/cgroups.go
index 274ab47dd8..35fc8eb961 100644
--- a/vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/cgroups.go
+++ b/vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/cgroups.go
@@ -37,7 +37,7 @@ type Manager interface {
 // restore the object later.
 GetPaths() map[string]string
- // Set the cgroup as configured.
+ // Sets the cgroup as configured.
 Set(container *configs.Config) error
 }
diff --git a/vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/utils.go b/vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/utils.go
index 1a7c4e1a05..8946dd5959 100644
--- a/vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/utils.go
+++ b/vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/utils.go
@@ -16,7 +16,10 @@ import (
 "github.com/docker/go-units"
 )
-const cgroupNamePrefix = "name="
+const (
+ cgroupNamePrefix = "name="
+ CgroupProcesses = "cgroup.procs"
+)
 // https://www.kernel.org/doc/Documentation/cgroup-v1/cgroups.txt
 func FindCgroupMountpoint(subsystem string) (string, error) {
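Review bot: The bare `false` passed to `cgroups.GetCgroupMounts(false)` tells the reader nothing at the call site; the vendored doc comment added in this same diff says the flag chooses between the first mount of each subsystem and all of them, so the choice should be stated where it is made. Something like `cgMounts, err := cgroups.GetCgroupMounts(false) // first mount per subsystem only, matching the pre-flag behaviour` would do, since the vendored helper only stops counting matches when the flag is false, which appears to preserve what the old no-argument call did. findCgroupMountpoints continues past the end of the hunk.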
@@ -136,7 +139,7 @@ func (m Mount) GetThisCgroupDir(cgroups map[string]string) (string, error) {
 return getControllerPath(m.Subsystems[0], cgroups)
 }
-func getCgroupMountsHelper(ss map[string]bool, mi io.Reader) ([]Mount, error) {
+func getCgroupMountsHelper(ss map[string]bool, mi io.Reader, all bool) ([]Mount, error) {
 res := make([]Mount, 0, len(ss))
 scanner := bufio.NewScanner(mi)
 numFound := 0
@@ -163,7 +166,9 @@ func getCgroupMountsHelper(ss map[string]bool, mi io.Reader) ([]Mount, error) {
 } else {
 m.Subsystems = append(m.Subsystems, opt)
 }
- numFound++
+ if !all {
+ numFound++
+ }
 }
 res = append(res, m)
 }
@@ -173,23 +178,25 @@ func getCgroupMountsHelper(ss map[string]bool, mi io.Reader) ([]Mount, error) {
 return res, nil
 }
-func GetCgroupMounts() ([]Mount, error) {
+// GetCgroupMounts returns the mounts for the cgroup subsystems.
+// all indicates whether to return just the first instance or all the mounts.
+func GetCgroupMounts(all bool) ([]Mount, error) {
 f, err := os.Open("/proc/self/mountinfo")
 if err != nil {
 return nil, err
 }
 defer f.Close()
- all, err := ParseCgroupFile("/proc/self/cgroup")
+ allSubsystems, err := ParseCgroupFile("/proc/self/cgroup")
 if err != nil {
 return nil, err
 }
 allMap := make(map[string]bool)
- for s := range all {
+ for s := range allSubsystems {
 allMap[s] = true
 }
- return getCgroupMountsHelper(allMap, f)
+ return getCgroupMountsHelper(allMap, f, all)
 }
 // GetAllSubsystems returns all the cgroup subsystems supported by the kernel
@@ -239,7 +246,7 @@ func GetInitCgroupDir(subsystem string) (string, error) {
 }
 func readProcsFile(dir string) ([]int, error) {
- f, err := os.Open(filepath.Join(dir, "cgroup.procs"))
+ f, err := os.Open(filepath.Join(dir, CgroupProcesses))
 if err != nil {
 return nil, err
 }
@@ -326,8 +333,7 @@ func PathExists(path string) bool {
 func EnterPid(cgroupPaths map[string]string, pid int) error {
 for _, path := range cgroupPaths {
 if PathExists(path) {
- if err := ioutil.WriteFile(filepath.Join(path, "cgroup.procs"),
- []byte(strconv.Itoa(pid)), 0700); err != nil {
+ if err := WriteCgroupProc(path, pid); err != nil {
 return err
 }
 }
@@ -396,7 +402,7 @@ func GetAllPids(path string) ([]int, error) {
 // collect pids from all sub-cgroups
 err := filepath.Walk(path, func(p string, info os.FileInfo, iErr error) error {
 dir, file := filepath.Split(p)
- if file != "cgroup.procs" {
+ if file != CgroupProcesses {
 return nil
 }
 if iErr != nil {
@@ -411,3 +417,20 @@ func GetAllPids(path string) ([]int, error) {
 })
 return pids, err
 }
+
+// WriteCgroupProc writes the specified pid into the cgroup's cgroup.procs file
+func WriteCgroupProc(dir string, pid int) error {
+ // Normally dir should not be empty, one case is that cgroup subsystem
+ // is not mounted, we will get empty dir, and we want it fail here.
+ if dir == "" {
+ return fmt.Errorf("no such directory for %s", CgroupProcesses)
+ }
+
+ // Dont attach any pid to the cgroup if -1 is specified as a pid
+ if pid != -1 {
+ if err := ioutil.WriteFile(filepath.Join(dir, CgroupProcesses), []byte(strconv.Itoa(pid)), 0700); err != nil {
+ return fmt.Errorf("failed to write %v to %v: %v", pid, CgroupProcesses, err)
+ }
+ }
+ return nil
+}
diff --git a/vendor/src/github.com/opencontainers/runc/libcontainer/configs/cgroup_unix.go b/vendor/src/github.com/opencontainers/runc/libcontainer/configs/cgroup_unix.go
index f2eff91cf4..94b38879ed 100644
--- a/vendor/src/github.com/opencontainers/runc/libcontainer/configs/cgroup_unix.go
+++ b/vendor/src/github.com/opencontainers/runc/libcontainer/configs/cgroup_unix.go
@@ -36,7 +36,7 @@ type Cgroup struct {
 type Resources struct {
 // If this is true allow access to any kind of device within the container. If false, allow access only to devices explicitly listed in the allowed_devices list.
 // Deprecated
- AllowAllDevices bool `json:"allow_all_devices,omitempty"`
+ AllowAllDevices *bool `json:"allow_all_devices,omitempty"`
 // Deprecated
 AllowedDevices []*Device `json:"allowed_devices,omitempty"`
 // Deprecated
@@ -69,10 +69,10 @@ type Resources struct {
 CpuPeriod int64 `json:"cpu_period"`
 // How many time CPU will use in realtime scheduling (in usecs).
- CpuRtRuntime int64 `json:"cpu_quota"`
+ CpuRtRuntime int64 `json:"cpu_rt_quota"`
 // CPU period to be used for realtime scheduling (in usecs).
- CpuRtPeriod int64 `json:"cpu_period"`
+ CpuRtPeriod int64 `json:"cpu_rt_period"`
 // CPU to use
 CpusetCpus string `json:"cpuset_cpus"`
@@ -120,5 +120,5 @@ type Resources struct {
 NetPrioIfpriomap []*IfPrioMap `json:"net_prio_ifpriomap"`
 // Set class identifier for container's network packets
- NetClsClassid string `json:"net_cls_classid"`
+ NetClsClassid uint32 `json:"net_cls_classid_u"`
 }
diff --git a/vendor/src/github.com/opencontainers/runc/libcontainer/configs/config.go b/vendor/src/github.com/opencontainers/runc/libcontainer/configs/config.go
index 806e0be960..a56d12bdb9 100644
--- a/vendor/src/github.com/opencontainers/runc/libcontainer/configs/config.go
+++ b/vendor/src/github.com/opencontainers/runc/libcontainer/configs/config.go
@@ -148,10 +148,6 @@ type Config struct {
 // More information about kernel oom score calculation here: https://lwn.net/Articles/317814/
 OomScoreAdj int `json:"oom_score_adj"`
- // AdditionalGroups specifies the gids that should be added to supplementary groups
- // in addition to those that the user belongs to.
- AdditionalGroups []string `json:"additional_groups"`
-
 // UidMappings is an array of User ID mappings for User Namespaces
 UidMappings []IDMap `json:"uid_mappings"`
@@ -304,29 +300,38 @@ func (c Command) Run(s HookState) error {
 if err != nil {
 return err
 }
+ var stdout, stderr bytes.Buffer
 cmd := exec.Cmd{
- Path: c.Path,
- Args: c.Args,
- Env: c.Env,
- Stdin: bytes.NewReader(b),
+ Path: c.Path,
+ Args: c.Args,
+ Env: c.Env,
+ Stdin: bytes.NewReader(b),
+ Stdout: &stdout,
+ Stderr: &stderr,
+ }
+ if err := cmd.Start(); err != nil {
+ return err
 }
 errC := make(chan error, 1)
 go func() {
- out, err := cmd.CombinedOutput()
+ err := cmd.Wait()
 if err != nil {
- err = fmt.Errorf("%s: %s", err, out)
+ err = fmt.Errorf("error running hook: %v, stdout: %s, stderr: %s", err, stdout.String(), stderr.String())
 }
 errC <- err
 }()
+ var timerCh <-chan time.Time
 if c.Timeout != nil {
- select {
- case err := <-errC:
- return err
- case <-time.After(*c.Timeout):
- cmd.Process.Kill()
- cmd.Wait()
- return fmt.Errorf("hook ran past specified timeout of %.1fs", c.Timeout.Seconds())
- }
+ timer := time.NewTimer(*c.Timeout)
+ defer timer.Stop()
+ timerCh = timer.C
+ }
+ select {
+ case err := <-errC:
+ return err
+ case <-timerCh:
+ cmd.Process.Kill()
+ cmd.Wait()
+ return fmt.Errorf("hook ran past specified timeout of %.1fs", c.Timeout.Seconds())
 }
- return <-errC
 }
diff --git a/vendor/src/github.com/opencontainers/runc/libcontainer/configs/device_defaults.go b/vendor/src/github.com/opencontainers/runc/libcontainer/configs/device_defaults.go
index ba1f437f3b..4d348d217e 100644
--- a/vendor/src/github.com/opencontainers/runc/libcontainer/configs/device_defaults.go
+++ b/vendor/src/github.com/opencontainers/runc/libcontainer/configs/device_defaults.go
@@ -107,19 +107,5 @@ var (
 Permissions: "rwm",
 },
 }, DefaultSimpleDevices...)
- DefaultAutoCreatedDevices = append([]*Device{
- {
- // /dev/fuse is created but not allowed.
- // This is to allow java to work. Because java
- // Insists on there being a /dev/fuse
- // https://github.com/docker/docker/issues/514
- // https://github.com/docker/docker/issues/2393
- //
- Path: "/dev/fuse",
- Type: 'c',
- Major: 10,
- Minor: 229,
- Permissions: "rwm",
- },
- }, DefaultSimpleDevices...)
+ DefaultAutoCreatedDevices = append([]*Device{}, DefaultSimpleDevices...)
 )
diff --git a/vendor/src/github.com/opencontainers/runc/libcontainer/label/label_selinux.go b/vendor/src/github.com/opencontainers/runc/libcontainer/label/label_selinux.go
index 4493bda774..1d9d78a390 100644
--- a/vendor/src/github.com/opencontainers/runc/libcontainer/label/label_selinux.go
+++ b/vendor/src/github.com/opencontainers/runc/libcontainer/label/label_selinux.go
@@ -129,7 +129,7 @@ func Relabel(path string, fileLabel string, shared bool) error {
 exclude_paths := map[string]bool{"/": true, "/usr": true, "/etc": true}
 if exclude_paths[path] {
- return fmt.Errorf("Relabeling of %s is not allowed", path)
+ return fmt.Errorf("SELinux relabeling of %s is not allowed", path)
 }
 if shared {
@@ -137,7 +137,10 @@ func Relabel(path string, fileLabel string, shared bool) error {
 c["level"] = "s0"
 fileLabel = c.Get()
 }
- return selinux.Chcon(path, fileLabel, true)
+ if err := selinux.Chcon(path, fileLabel, true); err != nil {
+ return fmt.Errorf("SELinux relabeling of %s is not allowed: %q", path, err)
+ }
+ return nil
 }
 // GetPidLabel will return the label of the process running with the specified pid
diff --git a/vendor/src/github.com/opencontainers/runc/libcontainer/system/syscall_linux_386.go b/vendor/src/github.com/opencontainers/runc/libcontainer/system/syscall_linux_386.go
index c990065189..bb44d895ce 100644
--- a/vendor/src/github.com/opencontainers/runc/libcontainer/system/syscall_linux_386.go
+++ b/vendor/src/github.com/opencontainers/runc/libcontainer/system/syscall_linux_386.go
@@ -8,7 +8,7 @@ import (
 // Setuid sets the uid of the calling thread to the specified uid.
 func Setuid(uid int) (err error) {
- _, _, e1 := syscall.RawSyscall(syscall.SYS_SETUID, uintptr(uid), 0, 0)
+ _, _, e1 := syscall.RawSyscall(syscall.SYS_SETUID32, uintptr(uid), 0, 0)
 if e1 != 0 {
 err = e1
 }
diff --git a/vendor/src/github.com/opencontainers/runc/libcontainer/system/sysconfig.go b/vendor/src/github.com/opencontainers/runc/libcontainer/system/sysconfig.go
index 4fba6c2b70..b3a07cba3e 100644
--- a/vendor/src/github.com/opencontainers/runc/libcontainer/system/sysconfig.go
+++ b/vendor/src/github.com/opencontainers/runc/libcontainer/system/sysconfig.go
@@ -4,28 +4,9 @@ package system
 /*
 #include
-#include
-
-int GetLongBit() {
-#ifdef _SC_LONG_BIT
- int longbits;
-
- longbits = sysconf(_SC_LONG_BIT);
- if (longbits < 0) {
- longbits = (CHAR_BIT * sizeof(long));
- }
- return longbits;
-#else
- return (CHAR_BIT * sizeof(long));
-#endif
-}
 */
 import "C"
 func GetClockTicks() int {
 return int(C.sysconf(C._SC_CLK_TCK))
 }
-
-func GetLongBit() int {
- return int(C.GetLongBit())
-}