Merge pull request #14693 from LK4D4/update_libcontainer

Update libcontainer

daemon/container.go

@@ -13,7 +13,7 @@ import (
 	"syscall"
 	"time"
 
-	"github.com/docker/libcontainer/label"
+	"github.com/opencontainers/runc/libcontainer/label"
 
 	"github.com/Sirupsen/logrus"
 	"github.com/docker/docker/daemon/execdriver"

daemon/container_unix.go

@@ -27,12 +27,12 @@ import (
 	"github.com/docker/docker/pkg/ulimit"
 	"github.com/docker/docker/runconfig"
 	"github.com/docker/docker/utils"
-	"github.com/docker/libcontainer/configs"
-	"github.com/docker/libcontainer/devices"
 	"github.com/docker/libnetwork"
 	"github.com/docker/libnetwork/netlabel"
 	"github.com/docker/libnetwork/options"
 	"github.com/docker/libnetwork/types"
+	"github.com/opencontainers/runc/libcontainer/configs"
+	"github.com/opencontainers/runc/libcontainer/devices"
 )
 
 const DefaultPathEnv = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

daemon/create.go

@@ -11,7 +11,7 @@ import (
 	"github.com/docker/docker/pkg/parsers"
 	"github.com/docker/docker/pkg/stringid"
 	"github.com/docker/docker/runconfig"
-	"github.com/docker/libcontainer/label"
+	"github.com/opencontainers/runc/libcontainer/label"
 )
 
 func (daemon *Daemon) ContainerCreate(name string, config *runconfig.Config, hostConfig *runconfig.HostConfig) (string, []string, error) {

daemon/daemon.go

@@ -35,8 +35,8 @@ import (
 	"github.com/docker/docker/registry"
 	"github.com/docker/docker/runconfig"
 	"github.com/docker/docker/trust"
-	"github.com/docker/libcontainer/netlink"
 	"github.com/docker/libnetwork"
+	"github.com/opencontainers/runc/libcontainer/netlink"
 )
 
 var (

daemon/daemon_unix.go

@@ -24,12 +24,12 @@ import (
 	"github.com/docker/docker/utils"
 	volumedrivers "github.com/docker/docker/volume/drivers"
 	"github.com/docker/docker/volume/local"
-	"github.com/docker/libcontainer/label"
 	"github.com/docker/libnetwork"
 	nwapi "github.com/docker/libnetwork/api"
 	nwconfig "github.com/docker/libnetwork/config"
 	"github.com/docker/libnetwork/netlabel"
 	"github.com/docker/libnetwork/options"
+	"github.com/opencontainers/runc/libcontainer/label"
 )
 
 func (daemon *Daemon) Changes(container *Container) ([]archive.Change, error) {

daemon/execdriver/driver.go

@@ -8,8 +8,8 @@ import (
 
 	// TODO Windows: Factor out ulimit
 	"github.com/docker/docker/pkg/ulimit"
-	"github.com/docker/libcontainer"
-	"github.com/docker/libcontainer/configs"
+	"github.com/opencontainers/runc/libcontainer"
+	"github.com/opencontainers/runc/libcontainer/configs"
 )
 
 // Context is a generic key value pair that allows

daemon/execdriver/driver_linux.go

@@ -10,9 +10,9 @@ import (
 	"time"
 
 	"github.com/docker/docker/daemon/execdriver/native/template"
-	"github.com/docker/libcontainer"
-	"github.com/docker/libcontainer/cgroups/fs"
-	"github.com/docker/libcontainer/configs"
+	"github.com/opencontainers/runc/libcontainer"
+	"github.com/opencontainers/runc/libcontainer/cgroups/fs"
+	"github.com/opencontainers/runc/libcontainer/configs"
 )
 
 func InitContainer(c *Command) *configs.Config {

daemon/execdriver/lxc/driver.go

@@ -25,12 +25,12 @@ import (
 	sysinfo "github.com/docker/docker/pkg/system"
 	"github.com/docker/docker/pkg/term"
 	"github.com/docker/docker/pkg/version"
-	"github.com/docker/libcontainer"
-	"github.com/docker/libcontainer/cgroups"
-	"github.com/docker/libcontainer/configs"
-	"github.com/docker/libcontainer/system"
-	"github.com/docker/libcontainer/user"
 	"github.com/kr/pty"
+	"github.com/opencontainers/runc/libcontainer"
+	"github.com/opencontainers/runc/libcontainer/cgroups"
+	"github.com/opencontainers/runc/libcontainer/configs"
+	"github.com/opencontainers/runc/libcontainer/system"
+	"github.com/opencontainers/runc/libcontainer/user"
 	"github.com/vishvananda/netns"
 )
 

daemon/execdriver/lxc/lxc_init_linux.go

@@ -5,7 +5,7 @@ package lxc
 import (
 	"fmt"
 
-	"github.com/docker/libcontainer/utils"
+	"github.com/opencontainers/runc/libcontainer/utils"
 )
 
 func finalizeNamespace(args *InitArgs) error {

daemon/execdriver/lxc/lxc_template.go

@@ -12,7 +12,7 @@ import (
 	"github.com/docker/docker/daemon/execdriver"
 	nativeTemplate "github.com/docker/docker/daemon/execdriver/native/template"
 	"github.com/docker/docker/pkg/stringutils"
-	"github.com/docker/libcontainer/label"
+	"github.com/opencontainers/runc/libcontainer/label"
 )
 
 const LxcTemplate = `

daemon/execdriver/lxc/lxc_template_unit_test.go

@@ -15,7 +15,7 @@ import (
 
 	"github.com/docker/docker/daemon/execdriver"
 	nativeTemplate "github.com/docker/docker/daemon/execdriver/native/template"
-	"github.com/docker/libcontainer/configs"
+	"github.com/opencontainers/runc/libcontainer/configs"
 	"github.com/syndtr/gocapability/capability"
 )
 

daemon/execdriver/native/apparmor.go

@@ -1,11 +1,20 @@
 // +build linux
 
-package apparmor
+package native
 
 import (
+	"fmt"
 	"io"
 	"os"
+	"os/exec"
+	"path"
 	"text/template"
+
+	"github.com/opencontainers/runc/libcontainer/apparmor"
+)
+
+const (
+	apparmorProfilePath = "/etc/apparmor.d/docker"
 )
 
 type data struct {
@@ -81,3 +90,35 @@ func abstractionsExists() bool {
 	_, err := os.Stat("/etc/apparmor.d/abstractions/base")
 	return err == nil
 }
+
+func installApparmorProfile() error {
+	if !apparmor.IsEnabled() {
+		return nil
+	}
+
+	// Make sure /etc/apparmor.d exists
+	if err := os.MkdirAll(path.Dir(apparmorProfilePath), 0755); err != nil {
+		return err
+	}
+
+	f, err := os.OpenFile(apparmorProfilePath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0644)
+	if err != nil {
+		return err
+	}
+	if err := generateProfile(f); err != nil {
+		f.Close()
+		return err
+	}
+	f.Close()
+
+	cmd := exec.Command("/sbin/apparmor_parser", "-r", "-W", "docker")
+	// to use the parser directly we have to make sure we are in the correct
+	// dir with the profile
+	cmd.Dir = "/etc/apparmor.d"
+
+	output, err := cmd.CombinedOutput()
+	if err != nil {
+		return fmt.Errorf("Error loading docker apparmor profile: %s (%s)", err, output)
+	}
+	return nil
+}

daemon/execdriver/native/create.go

@@ -10,10 +10,10 @@ import (
 	"syscall"
 
 	"github.com/docker/docker/daemon/execdriver"
-	"github.com/docker/libcontainer/apparmor"
-	"github.com/docker/libcontainer/configs"
-	"github.com/docker/libcontainer/devices"
-	"github.com/docker/libcontainer/utils"
+	"github.com/opencontainers/runc/libcontainer/apparmor"
+	"github.com/opencontainers/runc/libcontainer/configs"
+	"github.com/opencontainers/runc/libcontainer/devices"
+	"github.com/opencontainers/runc/libcontainer/utils"
 )
 
 // createContainer populates and configures the container type with the

daemon/execdriver/native/driver.go

@@ -20,12 +20,11 @@ import (
 	"github.com/docker/docker/pkg/reexec"
 	sysinfo "github.com/docker/docker/pkg/system"
 	"github.com/docker/docker/pkg/term"
-	"github.com/docker/libcontainer"
-	"github.com/docker/libcontainer/apparmor"
-	"github.com/docker/libcontainer/cgroups/systemd"
-	"github.com/docker/libcontainer/configs"
-	"github.com/docker/libcontainer/system"
-	"github.com/docker/libcontainer/utils"
+	"github.com/opencontainers/runc/libcontainer"
+	"github.com/opencontainers/runc/libcontainer/cgroups/systemd"
+	"github.com/opencontainers/runc/libcontainer/configs"
+	"github.com/opencontainers/runc/libcontainer/system"
+	"github.com/opencontainers/runc/libcontainer/utils"
 )
 
 const (
@@ -52,7 +51,7 @@ func NewDriver(root, initPath string, options []string) (*driver, error) {
 		return nil, err
 	}
 	// native driver root is at docker_root/execdriver/native. Put apparmor at docker_root
-	if err := apparmor.InstallDefaultProfile(); err != nil {
+	if err := installApparmorProfile(); err != nil {
 		return nil, err
 	}
 

daemon/execdriver/native/exec.go

@@ -9,9 +9,9 @@ import (
 	"syscall"
 
 	"github.com/docker/docker/daemon/execdriver"
-	"github.com/docker/libcontainer"
-	_ "github.com/docker/libcontainer/nsenter"
-	"github.com/docker/libcontainer/utils"
+	"github.com/opencontainers/runc/libcontainer"
+	_ "github.com/opencontainers/runc/libcontainer/nsenter"
+	"github.com/opencontainers/runc/libcontainer/utils"
 )
 
 // TODO(vishh): Add support for running in privileged mode.

daemon/execdriver/native/init.go

@@ -8,7 +8,7 @@ import (
 	"runtime"
 
 	"github.com/docker/docker/pkg/reexec"
-	"github.com/docker/libcontainer"
+	"github.com/opencontainers/runc/libcontainer"
 )
 
 func init() {

daemon/execdriver/native/template/default_template.go

@@ -3,8 +3,8 @@ package template
 import (
 	"syscall"
 
-	"github.com/docker/libcontainer/apparmor"
-	"github.com/docker/libcontainer/configs"
+	"github.com/opencontainers/runc/libcontainer/apparmor"
+	"github.com/opencontainers/runc/libcontainer/configs"
 )
 
 const defaultMountFlags = syscall.MS_NOEXEC | syscall.MS_NOSUID | syscall.MS_NODEV

daemon/graphdriver/aufs/aufs.go

@@ -40,7 +40,7 @@ import (
 	"github.com/docker/docker/pkg/directory"
 	mountpk "github.com/docker/docker/pkg/mount"
 	"github.com/docker/docker/pkg/stringid"
-	"github.com/docker/libcontainer/label"
+	"github.com/opencontainers/runc/libcontainer/label"
 )
 
 var (

daemon/graphdriver/devmapper/deviceset.go

@@ -23,7 +23,7 @@ import (
 	"github.com/docker/docker/pkg/devicemapper"
 	"github.com/docker/docker/pkg/parsers"
 	"github.com/docker/docker/pkg/units"
-	"github.com/docker/libcontainer/label"
+	"github.com/opencontainers/runc/libcontainer/label"
 )
 
 var (

daemon/graphdriver/overlay/overlay.go

@@ -16,7 +16,7 @@ import (
 	"github.com/docker/docker/daemon/graphdriver"
 	"github.com/docker/docker/pkg/archive"
 	"github.com/docker/docker/pkg/chrootarchive"
-	"github.com/docker/libcontainer/label"
+	"github.com/opencontainers/runc/libcontainer/label"
 )
 
 // This is a small wrapper over the NaiveDiffWriter that lets us have a custom

daemon/graphdriver/vfs/driver.go

@@ -10,7 +10,7 @@ import (
 	"github.com/docker/docker/daemon/graphdriver"
 	"github.com/docker/docker/pkg/chrootarchive"
 	"github.com/docker/docker/pkg/system"
-	"github.com/docker/libcontainer/label"
+	"github.com/opencontainers/runc/libcontainer/label"
 )
 
 func init() {

daemon/graphdriver/zfs/zfs.go

@@ -17,8 +17,8 @@ import (
 	"github.com/docker/docker/daemon/graphdriver"
 	"github.com/docker/docker/pkg/mount"
 	"github.com/docker/docker/pkg/parsers"
-	"github.com/docker/libcontainer/label"
 	zfs "github.com/mistifyio/go-zfs"
+	"github.com/opencontainers/runc/libcontainer/label"
 )
 
 type ZfsOptions struct {

daemon/stats.go

@@ -6,8 +6,8 @@ import (
 
 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/daemon/execdriver"
-	"github.com/docker/libcontainer"
 	"github.com/docker/libnetwork/sandbox"
+	"github.com/opencontainers/runc/libcontainer"
 )
 
 type ContainerStatsConfig struct {

daemon/stats_collector_unix.go

@@ -14,7 +14,7 @@ import (
 	"github.com/Sirupsen/logrus"
 	"github.com/docker/docker/daemon/execdriver"
 	"github.com/docker/docker/pkg/pubsub"
-	"github.com/docker/libcontainer/system"
+	"github.com/opencontainers/runc/libcontainer/system"
 )
 
 // newStatsCollector returns a new statsCollector that collections

daemon/stats_linux.go

@@ -2,8 +2,8 @@ package daemon
 
 import (
 	"github.com/docker/docker/api/types"
-	"github.com/docker/libcontainer"
-	"github.com/docker/libcontainer/cgroups"
+	"github.com/opencontainers/runc/libcontainer"
+	"github.com/opencontainers/runc/libcontainer/cgroups"
 )
 
 // convertStatsToAPITypes converts the libcontainer.Stats to the api specific

daemon/stats_windows.go

@@ -2,7 +2,7 @@ package daemon
 
 import (
 	"github.com/docker/docker/api/types"
-	"github.com/docker/libcontainer"
+	"github.com/opencontainers/runc/libcontainer"
 )
 
 // convertStatsToAPITypes converts the libcontainer.Stats to the api specific

daemon/utils_unix.go

@@ -8,7 +8,7 @@ import (
 	"strings"
 
 	"github.com/docker/docker/runconfig"
-	"github.com/docker/libcontainer/selinux"
+	"github.com/opencontainers/runc/libcontainer/selinux"
 )
 
 func selinuxSetDisabled() {

daemon/volumes.go

@@ -13,7 +13,7 @@ import (
 	"github.com/docker/docker/runconfig"
 	"github.com/docker/docker/volume"
 	"github.com/docker/docker/volume/local"
-	"github.com/docker/libcontainer/label"
+	"github.com/opencontainers/runc/libcontainer/label"
 )
 
 type mountPoint struct {

hack/vendor.sh

@@ -36,7 +36,7 @@ clone git github.com/hashicorp/consul v0.5.2
 # get distribution packages
 clone git github.com/docker/distribution 419bbc2da637d9b2a812be78ef8436df7caac70d
 
-clone git github.com/docker/libcontainer v2.2.1
+clone git github.com/opencontainers/runc v0.0.1 # libcontainer
 # libcontainer deps (see src/github.com/docker/libcontainer/update-vendor.sh)
 clone git github.com/coreos/go-systemd v2
 clone git github.com/godbus/dbus v2

integration-cli/requirements_unix.go

@@ -6,7 +6,7 @@ import (
 	"io/ioutil"
 	"path"
 
-	"github.com/docker/libcontainer/cgroups"
+	"github.com/opencontainers/runc/libcontainer/cgroups"
 )
 
 var (

pkg/homedir/homedir.go

@@ -4,7 +4,7 @@ import (
 	"os"
 	"runtime"
 
-	"github.com/docker/libcontainer/user"
+	"github.com/opencontainers/runc/libcontainer/user"
 )
 
 // Key returns the env var name for the user's home dir based on

pkg/sockets/unix_socket.go

@@ -11,7 +11,7 @@ import (
 
 	"github.com/Sirupsen/logrus"
 	"github.com/docker/docker/pkg/listenbuffer"
-	"github.com/docker/libcontainer/user"
+	"github.com/opencontainers/runc/libcontainer/user"
 )
 
 func NewUnixSocket(path, group string, activate <-chan struct{}) (net.Listener, error) {

pkg/sysinfo/sysinfo_linux.go

@@ -7,7 +7,7 @@ import (
 	"strings"
 
 	"github.com/Sirupsen/logrus"
-	"github.com/docker/libcontainer/cgroups"
+	"github.com/opencontainers/runc/libcontainer/cgroups"
 )
 
 // New returns a new SysInfo, using the filesystem to detect which features the kernel supports.

vendor/src/github.com/docker/libcontainer/.gitignore

@@ -1,3 +0,0 @@
-bundles
-nsinit/nsinit
-vendor/pkg

vendor/src/github.com/docker/libcontainer/CONTRIBUTING.md

@@ -1,257 +0,0 @@
-# The libcontainer Contributors' Guide
-
-Want to hack on libcontainer? Awesome! Here are instructions to get you
-started. They are probably not perfect, please let us know if anything
-feels wrong or incomplete.
-
-## Reporting Issues
-
-When reporting [issues](https://github.com/docker/libcontainer/issues)
-on GitHub please include your host OS (Ubuntu 12.04, Fedora 19, etc),
-the output of `uname -a`. Please include the steps required to reproduce
-the problem if possible and applicable.
-This information will help us review and fix your issue faster.
-
-## Development Environment
-
-### Requirements
-
-For best results, use a Linux development environment.
-The following packages are required to compile libcontainer natively.
-
-- Golang 1.3
-- GCC
-- git
-- cgutils
-
-You can develop on OSX, but you are limited to Dockerfile-based builds only.
-
-### Building libcontainer from Dockerfile
-
-    make all
-
-This is the easiest way of building libcontainer.
-As this build is done using Docker, you can even run this from [OSX](https://github.com/boot2docker/boot2docker)
-
-### Testing changes with "nsinit"
-
-    make sh
-
-This will create an container that runs `nsinit exec sh` on a busybox rootfs with the configuration from ['minimal.json'](https://github.com/docker/libcontainer/blob/master/sample_configs/minimal.json).
-Like the previous command, you can run this on OSX too!
-
-### Building libcontainer directly
-
-> Note: You should add the `vendor` directory to your GOPATH to use the vendored libraries
-
-    ./update-vendor.sh
-    go get -d ./...
-    make direct-build
-    # Run the tests
-    make direct-test-short | egrep --color 'FAIL|$'
-    # Run all the test
-    make direct-test | egrep --color 'FAIL|$'
-
-### Testing Changes with "nsinit" directly
-
-To test a change:
-
-    # Install nsinit
-    make direct-install
-
-    # Optional, add a docker0 bridge
-    ip link add docker0 type bridge
-    ifconfig docker0 172.17.0.1/16 up
-
-    mkdir testfs
-    curl -sSL https://github.com/jpetazzo/docker-busybox/raw/buildroot-2014.02/rootfs.tar | tar -xC testfs
-    cd testfs
-    cp <your-sample-config.json> container.json
-    nsinit exec sh
-
-## Contribution Guidelines
-
-### Pull requests are always welcome
-
-We are always thrilled to receive pull requests, and do our best to
-process them as fast as possible. Not sure if that typo is worth a pull
-request? Do it! We will appreciate it.
-
-If your pull request is not accepted on the first try, don't be
-discouraged! If there's a problem with the implementation, hopefully you
-received feedback on what to improve.
-
-We're trying very hard to keep libcontainer lean and focused. We don't want it
-to do everything for everybody. This means that we might decide against
-incorporating a new feature. However, there might be a way to implement
-that feature *on top of* libcontainer.
-
-### Discuss your design on the mailing list
-
-We recommend discussing your plans [on the mailing
-list](https://groups.google.com/forum/?fromgroups#!forum/libcontainer)
-before starting to code - especially for more ambitious contributions.
-This gives other contributors a chance to point you in the right
-direction, give feedback on your design, and maybe point out if someone
-else is working on the same thing.
-
-### Create issues...
-
-Any significant improvement should be documented as [a GitHub
-issue](https://github.com/docker/libcontainer/issues) before anybody
-starts working on it.
-
-### ...but check for existing issues first!
-
-Please take a moment to check that an issue doesn't already exist
-documenting your bug report or improvement proposal. If it does, it
-never hurts to add a quick "+1" or "I have this problem too". This will
-help prioritize the most common problems and requests.
-
-### Conventions
-
-Fork the repo and make changes on your fork in a feature branch:
-
-- If it's a bugfix branch, name it XXX-something where XXX is the number of the
-  issue
-- If it's a feature branch, create an enhancement issue to announce your
-  intentions, and name it XXX-something where XXX is the number of the issue.
-
-Submit unit tests for your changes.  Go has a great test framework built in; use
-it! Take a look at existing tests for inspiration. Run the full test suite on
-your branch before submitting a pull request.
-
-Update the documentation when creating or modifying features. Test
-your documentation changes for clarity, concision, and correctness, as
-well as a clean documentation build. See ``docs/README.md`` for more
-information on building the docs and how docs get released.
-
-Write clean code. Universally formatted code promotes ease of writing, reading,
-and maintenance. Always run `gofmt -s -w file.go` on each changed file before
-committing your changes. Most editors have plugins that do this automatically.
-
-Pull requests descriptions should be as clear as possible and include a
-reference to all the issues that they address.
-
-Pull requests must not contain commits from other users or branches.
-
-Commit messages must start with a capitalized and short summary (max. 50
-chars) written in the imperative, followed by an optional, more detailed
-explanatory text which is separated from the summary by an empty line.
-
-Code review comments may be added to your pull request. Discuss, then make the
-suggested modifications and push additional commits to your feature branch. Be
-sure to post a comment after pushing. The new commits will show up in the pull
-request automatically, but the reviewers will not be notified unless you
-comment.
-
-Before the pull request is merged, make sure that you squash your commits into
-logical units of work using `git rebase -i` and `git push -f`. After every
-commit the test suite should be passing. Include documentation changes in the
-same commit so that a revert would remove all traces of the feature or fix.
-
-Commits that fix or close an issue should include a reference like `Closes #XXX`
-or `Fixes #XXX`, which will automatically close the issue when merged.
-
-### Testing
-
-Make sure you include suitable tests, preferably unit tests, in your pull request
-and that all the tests pass.
-
-*Instructions for running tests to be added.*
-
-### Merge approval
-
-libcontainer maintainers use LGTM (looks good to me) in comments on the code review
-to indicate acceptance.
-
-A change requires LGTMs from at lease two maintainers. One of those must come from
-a maintainer of the component affected. For example, if a change affects `netlink/`
-and `security`, it needs at least one LGTM from a maintainer of each. Maintainers
-only need one LGTM as presumably they LGTM their own change.
-
-For more details see [MAINTAINERS.md](MAINTAINERS.md)
-
-### Sign your work
-
-The sign-off is a simple line at the end of the explanation for the
-patch, which certifies that you wrote it or otherwise have the right to
-pass it on as an open-source patch.  The rules are pretty simple: if you
-can certify the below (from
-[developercertificate.org](http://developercertificate.org/)):
-
-```
-Developer Certificate of Origin
-Version 1.1
-
-Copyright (C) 2004, 2006 The Linux Foundation and its contributors.
-660 York Street, Suite 102,
-San Francisco, CA 94110 USA
-
-Everyone is permitted to copy and distribute verbatim copies of this
-license document, but changing it is not allowed.
-
-
-Developer's Certificate of Origin 1.1
-
-By making a contribution to this project, I certify that:
-
-(a) The contribution was created in whole or in part by me and I
-    have the right to submit it under the open source license
-    indicated in the file; or
-
-(b) The contribution is based upon previous work that, to the best
-    of my knowledge, is covered under an appropriate open source
-    license and I have the right under that license to submit that
-    work with modifications, whether created in whole or in part
-    by me, under the same open source license (unless I am
-    permitted to submit under a different license), as indicated
-    in the file; or
-
-(c) The contribution was provided directly to me by some other
-    person who certified (a), (b) or (c) and I have not modified
-    it.
-
-(d) I understand and agree that this project and the contribution
-    are public and that a record of the contribution (including all
-    personal information I submit with it, including my sign-off) is
-    maintained indefinitely and may be redistributed consistent with
-    this project or the open source license(s) involved.
-```
-
-then you just add a line to every git commit message:
-
-    Docker-DCO-1.1-Signed-off-by: Joe Smith <joe.smith@email.com> (github: github_handle)
-
-using your real name (sorry, no pseudonyms or anonymous contributions.)
-
-One way to automate this, is customise your get ``commit.template`` by adding
-a ``prepare-commit-msg`` hook to your libcontainer checkout:
-
-```
-curl -o .git/hooks/prepare-commit-msg https://raw.githubusercontent.com/docker/docker/master/contrib/prepare-commit-msg.hook && chmod +x .git/hooks/prepare-commit-msg
-```
-
-* Note: the above script expects to find your GitHub user name in ``git config --get github.user``
-
-#### Small patch exception
-
-There are several exceptions to the signing requirement. Currently these are:
-
-* Your patch fixes spelling or grammar errors.
-* Your patch is a single line change to documentation contained in the
-  `docs` directory.
-* Your patch fixes Markdown formatting or syntax errors in the
-  documentation contained in the `docs` directory.
-
-If you have any questions, please refer to the FAQ in the [docs](to be written)
-
-### How can I become a maintainer?
-
-* Step 1: learn the component inside out
-* Step 2: make yourself useful by contributing code, bugfixes, support etc.
-* Step 3: volunteer on the irc channel (#libcontainer@freenode)
-
-Don't forget: being a maintainer is a time investment. Make sure you will have time to make yourself available.
-You don't have to be a maintainer to make a difference on the project!
-

vendor/src/github.com/docker/libcontainer/Dockerfile

@@ -1,25 +0,0 @@
-FROM golang:1.4
-
-RUN echo "deb http://ftp.us.debian.org/debian testing main contrib" >> /etc/apt/sources.list
-RUN apt-get update && apt-get install -y iptables criu=1.5.2-1 && rm -rf /var/lib/apt/lists/*
-
-RUN go get golang.org/x/tools/cmd/cover
-
-ENV GOPATH $GOPATH:/go/src/github.com/docker/libcontainer/vendor
-RUN go get github.com/docker/docker/pkg/term
-
-# setup a playground for us to spawn containers in
-RUN mkdir /busybox && \
-    curl -sSL 'https://github.com/jpetazzo/docker-busybox/raw/buildroot-2014.11/rootfs.tar' | tar -xC /busybox
-
-RUN curl -sSL https://raw.githubusercontent.com/docker/docker/master/hack/dind -o /dind && \
-    chmod +x /dind
-
-COPY . /go/src/github.com/docker/libcontainer
-WORKDIR /go/src/github.com/docker/libcontainer
-RUN cp sample_configs/minimal.json /busybox/container.json
-
-RUN make direct-install
-
-ENTRYPOINT ["/dind"]
-CMD ["make", "direct-test"]

vendor/src/github.com/docker/libcontainer/LICENSE

@@ -1,191 +0,0 @@
-
-                                 Apache License
-                           Version 2.0, January 2004
-                        http://www.apache.org/licenses/
-
-   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
-
-   1. Definitions.
-
-      "License" shall mean the terms and conditions for use, reproduction,
-      and distribution as defined by Sections 1 through 9 of this document.
-
-      "Licensor" shall mean the copyright owner or entity authorized by
-      the copyright owner that is granting the License.
-
-      "Legal Entity" shall mean the union of the acting entity and all
-      other entities that control, are controlled by, or are under common
-      control with that entity. For the purposes of this definition,
-      "control" means (i) the power, direct or indirect, to cause the
-      direction or management of such entity, whether by contract or
-      otherwise, or (ii) ownership of fifty percent (50%) or more of the
-      outstanding shares, or (iii) beneficial ownership of such entity.
-
-      "You" (or "Your") shall mean an individual or Legal Entity
-      exercising permissions granted by this License.
-
-      "Source" form shall mean the preferred form for making modifications,
-      including but not limited to software source code, documentation
-      source, and configuration files.
-
-      "Object" form shall mean any form resulting from mechanical
-      transformation or translation of a Source form, including but
-      not limited to compiled object code, generated documentation,
-      and conversions to other media types.
-
-      "Work" shall mean the work of authorship, whether in Source or
-      Object form, made available under the License, as indicated by a
-      copyright notice that is included in or attached to the work
-      (an example is provided in the Appendix below).
-
-      "Derivative Works" shall mean any work, whether in Source or Object
-      form, that is based on (or derived from) the Work and for which the
-      editorial revisions, annotations, elaborations, or other modifications
-      represent, as a whole, an original work of authorship. For the purposes
-      of this License, Derivative Works shall not include works that remain
-      separable from, or merely link (or bind by name) to the interfaces of,
-      the Work and Derivative Works thereof.
-
-      "Contribution" shall mean any work of authorship, including
-      the original version of the Work and any modifications or additions
-      to that Work or Derivative Works thereof, that is intentionally
-      submitted to Licensor for inclusion in the Work by the copyright owner
-      or by an individual or Legal Entity authorized to submit on behalf of
-      the copyright owner. For the purposes of this definition, "submitted"
-      means any form of electronic, verbal, or written communication sent
-      to the Licensor or its representatives, including but not limited to
-      communication on electronic mailing lists, source code control systems,
-      and issue tracking systems that are managed by, or on behalf of, the
-      Licensor for the purpose of discussing and improving the Work, but
-      excluding communication that is conspicuously marked or otherwise
-      designated in writing by the copyright owner as "Not a Contribution."
-
-      "Contributor" shall mean Licensor and any individual or Legal Entity
-      on behalf of whom a Contribution has been received by Licensor and
-      subsequently incorporated within the Work.
-
-   2. Grant of Copyright License. Subject to the terms and conditions of
-      this License, each Contributor hereby grants to You a perpetual,
-      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-      copyright license to reproduce, prepare Derivative Works of,
-      publicly display, publicly perform, sublicense, and distribute the
-      Work and such Derivative Works in Source or Object form.
-
-   3. Grant of Patent License. Subject to the terms and conditions of
-      this License, each Contributor hereby grants to You a perpetual,
-      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-      (except as stated in this section) patent license to make, have made,
-      use, offer to sell, sell, import, and otherwise transfer the Work,
-      where such license applies only to those patent claims licensable
-      by such Contributor that are necessarily infringed by their
-      Contribution(s) alone or by combination of their Contribution(s)
-      with the Work to which such Contribution(s) was submitted. If You
-      institute patent litigation against any entity (including a
-      cross-claim or counterclaim in a lawsuit) alleging that the Work
-      or a Contribution incorporated within the Work constitutes direct
-      or contributory patent infringement, then any patent licenses
-      granted to You under this License for that Work shall terminate
-      as of the date such litigation is filed.
-
-   4. Redistribution. You may reproduce and distribute copies of the
-      Work or Derivative Works thereof in any medium, with or without
-      modifications, and in Source or Object form, provided that You
-      meet the following conditions:
-
-      (a) You must give any other recipients of the Work or
-          Derivative Works a copy of this License; and
-
-      (b) You must cause any modified files to carry prominent notices
-          stating that You changed the files; and
-
-      (c) You must retain, in the Source form of any Derivative Works
-          that You distribute, all copyright, patent, trademark, and
-          attribution notices from the Source form of the Work,
-          excluding those notices that do not pertain to any part of
-          the Derivative Works; and
-
-      (d) If the Work includes a "NOTICE" text file as part of its
-          distribution, then any Derivative Works that You distribute must
-          include a readable copy of the attribution notices contained
-          within such NOTICE file, excluding those notices that do not
-          pertain to any part of the Derivative Works, in at least one
-          of the following places: within a NOTICE text file distributed
-          as part of the Derivative Works; within the Source form or
-          documentation, if provided along with the Derivative Works; or,
-          within a display generated by the Derivative Works, if and
-          wherever such third-party notices normally appear. The contents
-          of the NOTICE file are for informational purposes only and
-          do not modify the License. You may add Your own attribution
-          notices within Derivative Works that You distribute, alongside
-          or as an addendum to the NOTICE text from the Work, provided
-          that such additional attribution notices cannot be construed
-          as modifying the License.
-
-      You may add Your own copyright statement to Your modifications and
-      may provide additional or different license terms and conditions
-      for use, reproduction, or distribution of Your modifications, or
-      for any such Derivative Works as a whole, provided Your use,
-      reproduction, and distribution of the Work otherwise complies with
-      the conditions stated in this License.
-
-   5. Submission of Contributions. Unless You explicitly state otherwise,
-      any Contribution intentionally submitted for inclusion in the Work
-      by You to the Licensor shall be under the terms and conditions of
-      this License, without any additional terms or conditions.
-      Notwithstanding the above, nothing herein shall supersede or modify
-      the terms of any separate license agreement you may have executed
-      with Licensor regarding such Contributions.
-
-   6. Trademarks. This License does not grant permission to use the trade
-      names, trademarks, service marks, or product names of the Licensor,
-      except as required for reasonable and customary use in describing the
-      origin of the Work and reproducing the content of the NOTICE file.
-
-   7. Disclaimer of Warranty. Unless required by applicable law or
-      agreed to in writing, Licensor provides the Work (and each
-      Contributor provides its Contributions) on an "AS IS" BASIS,
-      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
-      implied, including, without limitation, any warranties or conditions
-      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
-      PARTICULAR PURPOSE. You are solely responsible for determining the
-      appropriateness of using or redistributing the Work and assume any
-      risks associated with Your exercise of permissions under this License.
-
-   8. Limitation of Liability. In no event and under no legal theory,
-      whether in tort (including negligence), contract, or otherwise,
-      unless required by applicable law (such as deliberate and grossly
-      negligent acts) or agreed to in writing, shall any Contributor be
-      liable to You for damages, including any direct, indirect, special,
-      incidental, or consequential damages of any character arising as a
-      result of this License or out of the use or inability to use the
-      Work (including but not limited to damages for loss of goodwill,
-      work stoppage, computer failure or malfunction, or any and all
-      other commercial damages or losses), even if such Contributor
-      has been advised of the possibility of such damages.
-
-   9. Accepting Warranty or Additional Liability. While redistributing
-      the Work or Derivative Works thereof, You may choose to offer,
-      and charge a fee for, acceptance of support, warranty, indemnity,
-      or other liability obligations and/or rights consistent with this
-      License. However, in accepting such obligations, You may act only
-      on Your own behalf and on Your sole responsibility, not on behalf
-      of any other Contributor, and only if You agree to indemnify,
-      defend, and hold each Contributor harmless for any liability
-      incurred by, or claims asserted against, such Contributor by reason
-      of your accepting any such warranty or additional liability.
-
-   END OF TERMS AND CONDITIONS
-
-   Copyright 2014 Docker, Inc.
-
-   Licensed under the Apache License, Version 2.0 (the "License");
-   you may not use this file except in compliance with the License.
-   You may obtain a copy of the License at
-
-       http://www.apache.org/licenses/LICENSE-2.0
-
-   Unless required by applicable law or agreed to in writing, software
-   distributed under the License is distributed on an "AS IS" BASIS,
-   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-   See the License for the specific language governing permissions and
-   limitations under the License.

vendor/src/github.com/docker/libcontainer/MAINTAINERS

@@ -1,7 +0,0 @@
-Michael Crosby <michael@docker.com> (@crosbymichael)
-Rohit Jnagal <jnagal@google.com> (@rjnagal)
-Victor Marmol <vmarmol@google.com> (@vmarmol)
-Mrunal Patel <mpatel@redhat.com> (@mrunalp)
-Alexandr Morozov <lk4d4@docker.com> (@LK4D4)
-Daniel, Dao Quang Minh <dqminh89@gmail.com> (@dqminh)
-update-vendor.sh: Tianon Gravi <admwiggin@gmail.com> (@tianon)

vendor/src/github.com/docker/libcontainer/MAINTAINERS_GUIDE.md

@@ -1,99 +0,0 @@
-# The libcontainer Maintainers' Guide
-
-## Introduction
-
-Dear maintainer. Thank you for investing the time and energy to help
-make libcontainer as useful as possible. Maintaining a project is difficult,
-sometimes unrewarding work.  Sure, you will get to contribute cool
-features to the project. But most of your time will be spent reviewing,
-cleaning up, documenting, answering questions, justifying design
-decisions - while everyone has all the fun! But remember - the quality
-of the maintainers work is what distinguishes the good projects from the
-great.  So please be proud of your work, even the unglamourous parts,
-and encourage a culture of appreciation and respect for *every* aspect
-of improving the project - not just the hot new features.
-
-This document is a manual for maintainers old and new. It explains what
-is expected of maintainers, how they should work, and what tools are
-available to them.
-
-This is a living document - if you see something out of date or missing,
-speak up!
-
-## What are a maintainer's responsibility?
-
-It is every maintainer's responsibility to:
-
-* 1) Expose a clear roadmap for improving their component.
-* 2) Deliver prompt feedback and decisions on pull requests.
-* 3) Be available to anyone with questions, bug reports, criticism etc.
-  on their component. This includes IRC, GitHub requests and the mailing
-  list.
-* 4) Make sure their component respects the philosophy, design and
-  roadmap of the project.
-
-## How are decisions made?
-
-Short answer: with pull requests to the libcontainer repository.
-
-libcontainer is an open-source project with an open design philosophy. This
-means that the repository is the source of truth for EVERY aspect of the
-project, including its philosophy, design, roadmap and APIs. *If it's
-part of the project, it's in the repo. It's in the repo, it's part of
-the project.*
-
-As a result, all decisions can be expressed as changes to the
-repository. An implementation change is a change to the source code. An
-API change is a change to the API specification. A philosophy change is
-a change to the philosophy manifesto. And so on.
-
-All decisions affecting libcontainer, big and small, follow the same 3 steps:
-
-* Step 1: Open a pull request. Anyone can do this.
-
-* Step 2: Discuss the pull request. Anyone can do this.
-
-* Step 3: Accept (`LGTM`) or refuse a pull request. The relevant maintainers do 
-this (see below "Who decides what?")
-
-
-## Who decides what?
-
-All decisions are pull requests, and the relevant maintainers make
-decisions by accepting or refusing the pull request. Review and acceptance
-by anyone is denoted by adding a comment in the pull request: `LGTM`. 
-However, only currently listed `MAINTAINERS` are counted towards the required
-two LGTMs.
-
-libcontainer follows the timeless, highly efficient and totally unfair system
-known as [Benevolent dictator for life](http://en.wikipedia.org/wiki/Benevolent_Dictator_for_Life), with Michael Crosby in the role of BDFL.
-This means that all decisions are made by default by Michael. Since making
-every decision himself would be highly un-scalable, in practice decisions
-are spread across multiple maintainers.
-
-The relevant maintainers for a pull request can be worked out in two steps:
-
-* Step 1: Determine the subdirectories affected by the pull request. This
-  might be `netlink/` and `security/`, or any other part of the repo.
-
-* Step 2: Find the `MAINTAINERS` file which affects this directory. If the
-  directory itself does not have a `MAINTAINERS` file, work your way up
-  the repo hierarchy until you find one.
-
-### I'm a maintainer, and I'm going on holiday
-
-Please let your co-maintainers and other contributors know by raising a pull
-request that comments out your `MAINTAINERS` file entry using a `#`.
-
-### I'm a maintainer, should I make pull requests too?
-
-Yes. Nobody should ever push to master directly. All changes should be
-made through a pull request.
-
-### Who assigns maintainers?
-
-Michael has final `LGTM` approval for all pull requests to `MAINTAINERS` files.
-
-### How is this process changed?
-
-Just like everything else: by making a pull request :)

vendor/src/github.com/docker/libcontainer/Makefile

@@ -1,33 +0,0 @@
-
-all:
-	docker build -t dockercore/libcontainer .
-
-test: 
-	# we need NET_ADMIN for the netlink tests and SYS_ADMIN for mounting
-	docker run --rm -it --privileged dockercore/libcontainer
-
-sh:
-	docker run --rm -it --privileged -w /busybox dockercore/libcontainer nsinit exec sh
-
-GO_PACKAGES = $(shell find . -not \( -wholename ./vendor -prune -o -wholename ./.git -prune \) -name '*.go' -print0 | xargs -0n1 dirname | sort -u)
-
-direct-test:
-	go test $(TEST_TAGS) -cover -v $(GO_PACKAGES)
-
-direct-test-short:
-	go test $(TEST_TAGS) -cover -test.short -v $(GO_PACKAGES)
-
-direct-build:
-	go build -v $(GO_PACKAGES)
-
-direct-install:
-	go install -v $(GO_PACKAGES)
-
-local:
-	go test -v
-
-validate:
-	hack/validate.sh
-
-binary: all
-	docker run --rm --privileged -v $(CURDIR)/bundles:/go/bin dockercore/libcontainer make direct-install

vendor/src/github.com/docker/libcontainer/NOTICE

@@ -1,16 +0,0 @@
-libcontainer
-Copyright 2012-2015 Docker, Inc.
-
-This product includes software developed at Docker, Inc. (http://www.docker.com).
-
-The following is courtesy of our legal counsel:
-
-
-Use and transfer of Docker may be subject to certain restrictions by the
-United States and other governments.  
-It is your responsibility to ensure that your use and/or transfer does not
-violate applicable laws. 
-
-For more information, please see http://www.bis.doc.gov
-
-See also http://www.apache.org/dev/crypto.html and/or seek legal counsel.

vendor/src/github.com/docker/libcontainer/PRINCIPLES.md

@@ -1,19 +0,0 @@
-# libcontainer Principles
-
-In the design and development of libcontainer we try to follow these principles:
-
-(Work in progress)
-
-* Don't try to replace every tool. Instead, be an ingredient to improve them.
-* Less code is better.
-* Fewer components are better. Do you really need to add one more class?
-* 50 lines of straightforward, readable code is better than 10 lines of magic that nobody can understand.
-* Don't do later what you can do now. "//TODO: refactor" is not acceptable in new code.
-* When hesitating between two options, choose the one that is easier to reverse.
-* "No" is temporary; "Yes" is forever. If you're not sure about a new feature, say no. You can change your mind later.
-* Containers must be portable to the greatest possible number of machines. Be suspicious of any change which makes machines less interchangeable.
-* The fewer moving parts in a container, the better.
-* Don't merge it unless you document it.
-* Don't document it unless you can keep it up-to-date.
-* Don't merge it unless you test it!
-* Everyone's problem is slightly different. Focus on the part that is the same for everyone, and solve that.

vendor/src/github.com/docker/libcontainer/ROADMAP.md

@@ -1,20 +0,0 @@
-# libcontainer: what's next?
-
-This document is a high-level overview of where we want to take libcontainer next.
-It is a curated selection of planned improvements which are either important, difficult, or both.
-
-For a more complete view of planned and requested improvements, see [the Github issues](https://github.com/docker/libcontainer/issues).
-
-To suggest changes to the roadmap, including additions, please write the change as if it were already in effect, and make a pull request.
-
-## Broader kernel support
-
-Our goal is to make libcontainer run everywhere, but currently libcontainer requires Linux version 3.8 or higher. If you’re deploying new machines for the purpose of running libcontainer, this is a fairly easy requirement to meet. However, if you’re adding libcontainer to an existing deployment, you may not have the flexibility to update and patch the kernel.
-
-## Cross-architecture support
-
-Our goal is to make libcontainer run everywhere. Recently libcontainer has
-expanded from its initial support for x86_64 systems to include POWER (ppc64
-little and big endian variants), IBM System z (s390x 64-bit), and ARM. We plan
-to continue expanding architecture support such that libcontainer containers
-can be created and used on more architectures.

vendor/src/github.com/docker/libcontainer/apparmor/setup.go

@@ -1,46 +0,0 @@
-// +build linux
-
-package apparmor
-
-import (
-	"fmt"
-	"os"
-	"os/exec"
-	"path"
-)
-
-const (
-	DefaultProfilePath = "/etc/apparmor.d/docker"
-)
-
-func InstallDefaultProfile() error {
-	if !IsEnabled() {
-		return nil
-	}
-
-	// Make sure /etc/apparmor.d exists
-	if err := os.MkdirAll(path.Dir(DefaultProfilePath), 0755); err != nil {
-		return err
-	}
-
-	f, err := os.OpenFile(DefaultProfilePath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0644)
-	if err != nil {
-		return err
-	}
-	if err := generateProfile(f); err != nil {
-		f.Close()
-		return err
-	}
-	f.Close()
-
-	cmd := exec.Command("/sbin/apparmor_parser", "-r", "-W", "docker")
-	// to use the parser directly we have to make sure we are in the correct
-	// dir with the profile
-	cmd.Dir = "/etc/apparmor.d"
-
-	output, err := cmd.CombinedOutput()
-	if err != nil {
-		return fmt.Errorf("Error loading docker apparmor profile: %s (%s)", err, output)
-	}
-	return nil
-}

vendor/src/github.com/docker/libcontainer/update-vendor.sh

@@ -1,50 +0,0 @@
-#!/usr/bin/env bash
-set -e
-
-cd "$(dirname "$BASH_SOURCE")"
-
-# Downloads dependencies into vendor/ directory
-mkdir -p vendor
-cd vendor
-
-clone() {
-	vcs=$1
-	pkg=$2
-	rev=$3
-	
-	pkg_url=https://$pkg
-	target_dir=src/$pkg
-	
-	echo -n "$pkg @ $rev: "
-	
-	if [ -d $target_dir ]; then
-		echo -n 'rm old, '
-		rm -fr $target_dir
-	fi
-	
-	echo -n 'clone, '
-	case $vcs in
-		git)
-			git clone --quiet --no-checkout $pkg_url $target_dir
-			( cd $target_dir && git reset --quiet --hard $rev )
-			;;
-		hg)
-			hg clone --quiet --updaterev $rev $pkg_url $target_dir
-			;;
-	esac
-	
-	echo -n 'rm VCS, '
-	( cd $target_dir && rm -rf .{git,hg} )
-	
-	echo done
-}
-
-# the following lines are in sorted order, FYI
-clone git github.com/codegangsta/cli 1.1.0
-clone git github.com/coreos/go-systemd v2
-clone git github.com/godbus/dbus v2
-clone git github.com/Sirupsen/logrus v0.7.3
-clone git github.com/syndtr/gocapability 8e4cdcb
-clone git github.com/golang/protobuf 655cdfa588ea
-
-# intentionally not vendoring Docker itself...  that'd be a circle :)

vendor/src/github.com/opencontainers/runc/libcontainer/README.md

@@ -1,5 +1,3 @@
-## libcontainer - reference implementation for containers [![Build Status](https://jenkins.dockerproject.org/buildStatus/icon?job=Libcontainer%20Master)](https://jenkins.dockerproject.org/job/Libcontainer%20Master/)
-
 Libcontainer provides a native Go implementation for creating containers
 with namespaces, cgroups, capabilities, and filesystem access controls.
 It allows you to manage the lifecycle of the container performing additional operations
@@ -135,40 +133,6 @@ container.Resume()
 ```
 
 
-#### nsinit
-
-`nsinit` is a cli application which demonstrates the use of libcontainer.
-It is able to spawn new containers or join existing containers.  A root
-filesystem must be provided for use along with a container configuration file.
-
-To build `nsinit`, run `make binary`. It will save the binary into
-`bundles/nsinit`.
-
-To use `nsinit`, cd into a Linux rootfs and copy a `container.json` file into
-the directory with your specified configuration. Environment, networking,
-and different capabilities for the container are specified in this file.
-The configuration is used for each process executed inside the container.
-
-See the `sample_configs` folder for examples of what the container configuration should look like.
-
-To execute `/bin/bash` in the current directory as a container just run the following **as root**:
-```bash
-nsinit exec --tty /bin/bash
-```
-
-If you wish to spawn another process inside the container while your
-current bash session is running, run the same command again to
-get another bash shell (or change the command).  If the original
-process (PID 1) dies, all other processes spawned inside the container
-will be killed and the namespace will be removed.
-
-You can identify if a process is running in a container by
-looking to see if `state.json` is in the root of the directory.
-
-You may also specify an alternate root place where
-the `container.json` file is read and where the `state.json` file will be saved.
-
-
 #### Checkpoint & Restore
 
 libcontainer now integrates [CRIU](http://criu.org/) for checkpointing and restoring containers.
@@ -180,39 +144,9 @@ If you don't already  have `criu` installed, you can build it from source, follo
 [online instructions](http://criu.org/Installation). `criu` is also installed in the docker image
 generated when building libcontainer with docker.
 
-To try an example with `nsinit`, open two terminals to the same busybox directory.
-In the first terminal, run a command like this one:
-```bash
-nsinit exec -- sh -c 'i=0; while true; do echo $i; i=$(expr $i + 1); sleep 1; done'
-```
-
-You should see logs printing to the terminal every second. Now, in the second terminal, run:
-```bash
-nsinit checkpoint --image-path=/tmp/criu
-```
-
-The logs in your first terminal will stop and the process will exit. Finally, in the second
-terminal, run the restore command:
-```bash
-nsinit restore --image-path=/tmp/criu
-```
-
-The process will resume counting where it left off and printing to the new terminal window.
-
-
-#### Future
-See the [roadmap](ROADMAP.md).
 
 ## Copyright and license
 
 Code and documentation copyright 2014 Docker, inc. Code released under the Apache 2.0 license.
 Docs released under Creative commons.
 
-## Hacking on libcontainer
-
-First of all, please familiarise yourself with the [libcontainer Principles](PRINCIPLES.md).
-
-If you're a *contributor* or aspiring contributor, you should read the [Contributors' Guide](CONTRIBUTING.md).
-
-If you're a *maintainer* or aspiring maintainer, you should read the [Maintainers' Guide](MAINTAINERS_GUIDE.md) and
-"How can I become a maintainer?" in the Contributors' Guide.

vendor/src/github.com/opencontainers/runc/libcontainer/apparmor/apparmor.go

@@ -12,6 +12,7 @@ import (
 	"unsafe"
 )
 
+// IsEnabled returns true if apparmor is enabled for the host.
 func IsEnabled() bool {
 	if _, err := os.Stat("/sys/kernel/security/apparmor"); err == nil && os.Getenv("container") == "" {
 		if _, err = os.Stat("/sbin/apparmor_parser"); err == nil {
@@ -22,13 +23,14 @@ func IsEnabled() bool {
 	return false
 }
 
+// ApplyProfile will apply the profile with the specified name to the process after
+// the next exec.
 func ApplyProfile(name string) error {
 	if name == "" {
 		return nil
 	}
 	cName := C.CString(name)
 	defer C.free(unsafe.Pointer(cName))
-
 	if _, err := C.aa_change_onexec(cName); err != nil {
 		return err
 	}

vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/cgroups.go

@@ -5,7 +5,7 @@ package cgroups
 import (
 	"fmt"
 
-	"github.com/docker/libcontainer/configs"
+	"github.com/opencontainers/runc/libcontainer/configs"
 )
 
 type Manager interface {

vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/fs/apply_raw.go

@@ -11,8 +11,8 @@ import (
 	"strconv"
 	"sync"
 
-	"github.com/docker/libcontainer/cgroups"
-	"github.com/docker/libcontainer/configs"
+	"github.com/opencontainers/runc/libcontainer/cgroups"
+	"github.com/opencontainers/runc/libcontainer/configs"
 )
 
 var (
@@ -29,7 +29,7 @@ var (
 		"perf_event": &PerfEventGroup{},
 		"freezer":    &FreezerGroup{},
 	}
-	CgroupProcesses = "cgroup.procs"
+	CgroupProcesses  = "cgroup.procs"
 	HugePageSizes, _ = cgroups.GetHugePageSize()
 )
 
@@ -304,6 +304,10 @@ func removePath(p string, err error) error {
 func CheckCpushares(path string, c int64) error {
 	var cpuShares int64
 
+	if c == 0 {
+		return nil
+	}
+
 	fd, err := os.Open(filepath.Join(path, "cpu.shares"))
 	if err != nil {
 		return err
@@ -314,12 +318,11 @@ func CheckCpushares(path string, c int64) error {
 	if err != nil && err != io.EOF {
 		return err
 	}
-	if c != 0 {
-		if c > cpuShares {
-			return fmt.Errorf("The maximum allowed cpu-shares is %d", cpuShares)
-		} else if c < cpuShares {
-			return fmt.Errorf("The minimum allowed cpu-shares is %d", cpuShares)
-		}
+
+	if c > cpuShares {
+		return fmt.Errorf("The maximum allowed cpu-shares is %d", cpuShares)
+	} else if c < cpuShares {
+		return fmt.Errorf("The minimum allowed cpu-shares is %d", cpuShares)
 	}
 
 	return nil

vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/fs/blkio.go

@@ -10,8 +10,8 @@ import (
 	"strconv"
 	"strings"
 
-	"github.com/docker/libcontainer/cgroups"
-	"github.com/docker/libcontainer/configs"
+	"github.com/opencontainers/runc/libcontainer/cgroups"
+	"github.com/opencontainers/runc/libcontainer/configs"
 )
 
 type BlkioGroup struct {

vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/fs/cpu.go

@@ -8,8 +8,8 @@ import (
 	"path/filepath"
 	"strconv"
 
-	"github.com/docker/libcontainer/cgroups"
-	"github.com/docker/libcontainer/configs"
+	"github.com/opencontainers/runc/libcontainer/cgroups"
+	"github.com/opencontainers/runc/libcontainer/configs"
 )
 
 type CpuGroup struct {

vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/fs/cpuacct.go

@@ -9,9 +9,9 @@ import (
 	"strconv"
 	"strings"
 
-	"github.com/docker/libcontainer/cgroups"
-	"github.com/docker/libcontainer/configs"
-	"github.com/docker/libcontainer/system"
+	"github.com/opencontainers/runc/libcontainer/cgroups"
+	"github.com/opencontainers/runc/libcontainer/configs"
+	"github.com/opencontainers/runc/libcontainer/system"
 )
 
 const (

vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/fs/cpuset.go

@@ -9,8 +9,8 @@ import (
 	"path/filepath"
 	"strconv"
 
-	"github.com/docker/libcontainer/cgroups"
-	"github.com/docker/libcontainer/configs"
+	"github.com/opencontainers/runc/libcontainer/cgroups"
+	"github.com/opencontainers/runc/libcontainer/configs"
 )
 
 type CpusetGroup struct {
@@ -21,7 +21,6 @@ func (s *CpusetGroup) Apply(d *data) error {
 	if err != nil && !cgroups.IsNotFound(err) {
 		return err
 	}
-
 	return s.ApplyDir(dir, d.c, d.pid)
 }
 
@@ -31,13 +30,11 @@ func (s *CpusetGroup) Set(path string, cgroup *configs.Cgroup) error {
 			return err
 		}
 	}
-
 	if cgroup.CpusetMems != "" {
 		if err := writeFile(path, "cpuset.mems", cgroup.CpusetMems); err != nil {
 			return err
 		}
 	}
-
 	return nil
 }
 
@@ -55,10 +52,13 @@ func (s *CpusetGroup) ApplyDir(dir string, cgroup *configs.Cgroup, pid int) erro
 	if dir == "" {
 		return nil
 	}
-	if err := s.ensureParent(dir); err != nil {
+	root, err := getCgroupRoot()
+	if err != nil {
+		return err
+	}
+	if err := s.ensureParent(dir, root); err != nil {
 		return err
 	}
-
 	// because we are not using d.join we need to place the pid into the procs file
 	// unlike the other subsystems
 	if err := writeFile(dir, "cgroup.procs", strconv.Itoa(pid)); err != nil {
@@ -84,22 +84,17 @@ func (s *CpusetGroup) getSubsystemSettings(parent string) (cpus []byte, mems []b
 	return cpus, mems, nil
 }
 
-// ensureParent ensures that the parent directory of current is created
-// with the proper cpus and mems files copied from it's parent if the values
-// are a file with a new line char
-func (s *CpusetGroup) ensureParent(current string) error {
+// ensureParent makes sure that the parent directory of current is created
+// and populated with the proper cpus and mems files copied from
+// it's parent.
+func (s *CpusetGroup) ensureParent(current, root string) error {
 	parent := filepath.Dir(current)
-
-	if _, err := os.Stat(parent); err != nil {
-		if !os.IsNotExist(err) {
-			return err
-		}
-
-		if err := s.ensureParent(parent); err != nil {
-			return err
-		}
+	if filepath.Clean(parent) == root {
+		return nil
+	}
+	if err := s.ensureParent(parent, root); err != nil {
+		return err
 	}
-
 	if err := os.MkdirAll(current, 0755); err != nil && !os.IsExist(err) {
 		return err
 	}

vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/fs/devices.go

@@ -3,8 +3,8 @@
 package fs
 
 import (
-	"github.com/docker/libcontainer/cgroups"
-	"github.com/docker/libcontainer/configs"
+	"github.com/opencontainers/runc/libcontainer/cgroups"
+	"github.com/opencontainers/runc/libcontainer/configs"
 )
 
 type DevicesGroup struct {

vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/fs/freezer.go

@@ -7,8 +7,8 @@ import (
 	"strings"
 	"time"
 
-	"github.com/docker/libcontainer/cgroups"
-	"github.com/docker/libcontainer/configs"
+	"github.com/opencontainers/runc/libcontainer/cgroups"
+	"github.com/opencontainers/runc/libcontainer/configs"
 )
 
 type FreezerGroup struct {

vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/fs/hugetlb.go

@@ -7,8 +7,8 @@ import (
 	"strconv"
 	"strings"
 
-	"github.com/docker/libcontainer/cgroups"
-	"github.com/docker/libcontainer/configs"
+	"github.com/opencontainers/runc/libcontainer/cgroups"
+	"github.com/opencontainers/runc/libcontainer/configs"
 )
 
 type HugetlbGroup struct {

vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/fs/memory.go

@@ -10,28 +10,40 @@ import (
 	"strconv"
 	"strings"
 
-	"github.com/docker/libcontainer/cgroups"
-	"github.com/docker/libcontainer/configs"
+	"github.com/opencontainers/runc/libcontainer/cgroups"
+	"github.com/opencontainers/runc/libcontainer/configs"
 )
 
 type MemoryGroup struct {
 }
 
 func (s *MemoryGroup) Apply(d *data) error {
-	dir, err := d.join("memory")
-	if err != nil && !cgroups.IsNotFound(err) {
+	path, err := d.path("memory")
+	if err != nil {
+		if cgroups.IsNotFound(err) {
+			return nil
+		}
+		return err
+	}
+	if err := os.MkdirAll(path, 0755); err != nil && !os.IsExist(err) {
+		return err
+	}
+	if err := s.Set(path, d.c); err != nil {
+		return err
+	}
+
+	// We need to join memory cgroup after set memory limits, because
+	// kmem.limit_in_bytes can only be set when the cgroup is empty.
+	_, err = d.join("memory")
+	if err != nil {
 		return err
 	}
 	defer func() {
 		if err != nil {
-			os.RemoveAll(dir)
+			os.RemoveAll(path)
 		}
 	}()
 
-	if err := s.Set(dir, d.c); err != nil {
-		return err
-	}
-
 	return nil
 }
 
@@ -66,6 +78,10 @@ func (s *MemoryGroup) Set(path string, cgroup *configs.Cgroup) error {
 		if err := writeFile(path, "memory.swappiness", strconv.FormatInt(cgroup.MemorySwappiness, 10)); err != nil {
 			return err
 		}
+	} else if cgroup.MemorySwappiness == -1 {
+		return nil
+	} else {
+		return fmt.Errorf("invalid value:%d. valid memory swappiness range is 0-100", cgroup.MemorySwappiness)
 	}
 
 	return nil

vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/fs/net_cls.go

@@ -1,8 +1,8 @@
 package fs
 
 import (
-	"github.com/docker/libcontainer/cgroups"
-	"github.com/docker/libcontainer/configs"
+	"github.com/opencontainers/runc/libcontainer/cgroups"
+	"github.com/opencontainers/runc/libcontainer/configs"
 )
 
 type NetClsGroup struct {

vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/fs/net_prio.go

@@ -1,8 +1,8 @@
 package fs
 
 import (
-	"github.com/docker/libcontainer/cgroups"
-	"github.com/docker/libcontainer/configs"
+	"github.com/opencontainers/runc/libcontainer/cgroups"
+	"github.com/opencontainers/runc/libcontainer/configs"
 )
 
 type NetPrioGroup struct {

vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/fs/perf_event.go

@@ -3,8 +3,8 @@
 package fs
 
 import (
-	"github.com/docker/libcontainer/cgroups"
-	"github.com/docker/libcontainer/configs"
+	"github.com/opencontainers/runc/libcontainer/cgroups"
+	"github.com/opencontainers/runc/libcontainer/configs"
 )
 
 type PerfEventGroup struct {

vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/systemd/apply_nosystemd.go

@@ -5,8 +5,8 @@ package systemd
 import (
 	"fmt"
 
-	"github.com/docker/libcontainer/cgroups"
-	"github.com/docker/libcontainer/configs"
+	"github.com/opencontainers/runc/libcontainer/cgroups"
+	"github.com/opencontainers/runc/libcontainer/configs"
 )
 
 type Manager struct {

vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/systemd/apply_systemd.go

@@ -13,10 +13,10 @@ import (
 	"time"
 
 	systemd "github.com/coreos/go-systemd/dbus"
-	"github.com/docker/libcontainer/cgroups"
-	"github.com/docker/libcontainer/cgroups/fs"
-	"github.com/docker/libcontainer/configs"
 	"github.com/godbus/dbus"
+	"github.com/opencontainers/runc/libcontainer/cgroups"
+	"github.com/opencontainers/runc/libcontainer/cgroups/fs"
+	"github.com/opencontainers/runc/libcontainer/configs"
 )
 
 type Manager struct {
@@ -188,6 +188,16 @@ func (m *Manager) Apply(pid int) error {
 			newProp("BlockIOWeight", uint64(c.BlkioWeight)))
 	}
 
+	// We need to set kernel memory before processes join cgroup because
+	// kmem.limit_in_bytes can only be set when the cgroup is empty.
+	// And swap memory limit needs to be set after memory limit, only
+	// memory limit is handled by systemd, so it's kind of ugly here.
+	if c.KernelMemory > 0 {
+		if err := setKernelMemory(c); err != nil {
+			return err
+		}
+	}
+
 	if _, err := theConn.StartTransientUnit(unitName, "replace", properties...); err != nil {
 		return err
 	}
@@ -227,7 +237,7 @@ func (m *Manager) Apply(pid int) error {
 		return err
 	}
 	// FIXME: Systemd does have `BlockIODeviceWeight` property, but we got problem
-	// using that (at least on systemd 208, see https://github.com/docker/libcontainer/pull/354),
+	// using that (at least on systemd 208, see https://github.com/opencontainers/runc/libcontainer/pull/354),
 	// so use fs work around for now.
 	if err := joinBlkio(c, pid); err != nil {
 		return err
@@ -462,6 +472,26 @@ func joinDevices(c *configs.Cgroup, pid int) error {
 	return devices.Set(path, c)
 }
 
+func setKernelMemory(c *configs.Cgroup) error {
+	path, err := getSubsystemPath(c, "memory")
+	if err != nil && !cgroups.IsNotFound(err) {
+		return err
+	}
+
+	if err := os.MkdirAll(path, 0755); err != nil && !os.IsExist(err) {
+		return err
+	}
+
+	if c.KernelMemory > 0 {
+		err = writeFile(path, "memory.kmem.limit_in_bytes", strconv.FormatInt(c.KernelMemory, 10))
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
 func joinMemory(c *configs.Cgroup, pid int) error {
 	path, err := getSubsystemPath(c, "memory")
 	if err != nil && !cgroups.IsNotFound(err) {
@@ -475,18 +505,21 @@ func joinMemory(c *configs.Cgroup, pid int) error {
 			return err
 		}
 	}
-
-	if c.KernelMemory > 0 {
-		err = writeFile(path, "memory.kmem.limit_in_bytes", strconv.FormatInt(c.KernelMemory, 10))
-		if err != nil {
+	if c.OomKillDisable {
+		if err := writeFile(path, "memory.oom_control", "1"); err != nil {
 			return err
 		}
 	}
+
 	if c.MemorySwappiness >= 0 && c.MemorySwappiness <= 100 {
 		err = writeFile(path, "memory.swappiness", strconv.FormatInt(c.MemorySwappiness, 10))
 		if err != nil {
 			return err
 		}
+	} else if c.MemorySwappiness == -1 {
+		return nil
+	} else {
+		return fmt.Errorf("invalid value:%d. valid memory swappiness range is 0-100", c.MemorySwappiness)
 	}
 
 	return nil

vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/utils.go

@@ -17,6 +17,8 @@ import (
 	"github.com/docker/docker/pkg/units"
 )
 
+const cgroupNamePrefix = "name="
+
 // https://www.kernel.org/doc/Documentation/cgroups/cgroups.txt
 func FindCgroupMountpoint(subsystem string) (string, error) {
 	f, err := os.Open("/proc/self/mountinfo")
@@ -57,6 +59,7 @@ func FindCgroupMountpointDir() (string, error) {
 
 type Mount struct {
 	Mountpoint string
+	Root       string
 	Subsystems []string
 }
 
@@ -87,11 +90,11 @@ func GetCgroupMounts() ([]Mount, error) {
 	res := []Mount{}
 	for _, mount := range mounts {
 		if mount.Fstype == "cgroup" {
-			m := Mount{Mountpoint: mount.Mountpoint}
+			m := Mount{Mountpoint: mount.Mountpoint, Root: mount.Root}
 
 			for _, opt := range strings.Split(mount.VfsOpts, ",") {
-				if strings.HasPrefix(opt, "name=") {
-					m.Subsystems = append(m.Subsystems, opt)
+				if strings.HasPrefix(opt, cgroupNamePrefix) {
+					m.Subsystems = append(m.Subsystems, opt[len(cgroupNamePrefix):])
 				}
 				if allMap[opt] {
 					m.Subsystems = append(m.Subsystems, opt)
@@ -186,7 +189,7 @@ func ParseCgroupFile(subsystem string, r io.Reader) (string, error) {
 		parts := strings.Split(text, ":")
 
 		for _, subs := range strings.Split(parts[1], ",") {
-			if subs == subsystem {
+			if subs == subsystem || subs == cgroupNamePrefix+subsystem {
 				return parts[2], nil
 			}
 		}

vendor/src/github.com/opencontainers/runc/libcontainer/configs/config.go

@@ -135,9 +135,9 @@ type Config struct {
 	// so that these files prevent any writes.
 	ReadonlyPaths []string `json:"readonly_paths"`
 
-	// SystemProperties is a map of properties and their values. It is the equivalent of using
+	// Sysctl is a map of properties and their values. It is the equivalent of using
 	// sysctl -w my.property.name value in Linux.
-	SystemProperties map[string]string `json:"system_properties"`
+	Sysctl map[string]string `json:"sysctl"`
 
 	// Seccomp allows actions to be taken whenever a syscall is made within the container.
 	// By default, all syscalls are allowed with actions to allow, trap, kill, or return an errno

vendor/src/github.com/opencontainers/runc/libcontainer/configs/validate/config.go

@@ -5,7 +5,7 @@ import (
 	"os"
 	"path/filepath"
 
-	"github.com/docker/libcontainer/configs"
+	"github.com/opencontainers/runc/libcontainer/configs"
 )
 
 type Validator interface {

vendor/src/github.com/opencontainers/runc/libcontainer/console_linux.go

@@ -7,7 +7,7 @@ import (
 	"syscall"
 	"unsafe"
 
-	"github.com/docker/libcontainer/label"
+	"github.com/opencontainers/runc/libcontainer/label"
 )
 
 // newConsole returns an initalized console that can be used within a container by copying bytes

vendor/src/github.com/opencontainers/runc/libcontainer/container.go

@@ -5,7 +5,7 @@
 package libcontainer
 
 import (
-	"github.com/docker/libcontainer/configs"
+	"github.com/opencontainers/runc/libcontainer/configs"
 )
 
 // The status of a container.

vendor/src/github.com/opencontainers/runc/libcontainer/container_linux.go

@@ -14,10 +14,10 @@ import (
 	"syscall"
 
 	"github.com/Sirupsen/logrus"
-	"github.com/docker/libcontainer/cgroups"
-	"github.com/docker/libcontainer/configs"
-	"github.com/docker/libcontainer/criurpc"
 	"github.com/golang/protobuf/proto"
+	"github.com/opencontainers/runc/libcontainer/cgroups"
+	"github.com/opencontainers/runc/libcontainer/configs"
+	"github.com/opencontainers/runc/libcontainer/criurpc"
 )
 
 const stdioFdCount = 3
@@ -344,6 +344,7 @@ func (c *linuxContainer) Checkpoint(criuOpts *CriuOpts) error {
 		LeaveRunning:   proto.Bool(criuOpts.LeaveRunning),
 		TcpEstablished: proto.Bool(criuOpts.TcpEstablished),
 		ExtUnixSk:      proto.Bool(criuOpts.ExternalUnixConnections),
+		FileLocks:      proto.Bool(criuOpts.FileLocks),
 	}
 
 	// append optional criu opts, e.g., page-server and port
@@ -463,6 +464,7 @@ func (c *linuxContainer) Restore(process *Process, criuOpts *CriuOpts) error {
 			ShellJob:       proto.Bool(criuOpts.ShellJob),
 			ExtUnixSk:      proto.Bool(criuOpts.ExternalUnixConnections),
 			TcpEstablished: proto.Bool(criuOpts.TcpEstablished),
+			FileLocks:      proto.Bool(criuOpts.FileLocks),
 		},
 	}
 	for _, m := range c.config.Mounts {

vendor/src/github.com/opencontainers/runc/libcontainer/criu_opts.go

@@ -12,5 +12,6 @@ type CriuOpts struct {
 	TcpEstablished          bool               // checkpoint/restore established TCP connections
 	ExternalUnixConnections bool               // allow external unix connections
 	ShellJob                bool               // allow to dump and restore shell jobs
+	FileLocks               bool               // handle file locks, for safety
 	PageServer              CriuPageServerInfo // allow to dump to criu page server
 }

vendor/src/github.com/opencontainers/runc/libcontainer/devices/devices_unix.go

@@ -10,7 +10,7 @@ import (
 	"path/filepath"
 	"syscall"
 
-	"github.com/docker/libcontainer/configs"
+	"github.com/opencontainers/runc/libcontainer/configs"
 )
 
 var (

vendor/src/github.com/opencontainers/runc/libcontainer/devices/devices_windows.go

@@ -1,7 +1,7 @@
 package devices
 
 import (
-	"github.com/docker/libcontainer/configs"
+	"github.com/opencontainers/runc/libcontainer/configs"
 )
 
 // TODO Windows. This can be factored out further - Devices are not supported