Commit graph

8220 commits

Author SHA1 Message Date
unclejack
44140f7909 Merge pull request #5411 from crosbymichael/lockdown
Update default restrictions for exec drivers
2014-04-26 03:27:56 +03:00
unclejack
077b7d0359 Merge pull request #5342 from danielnorberg/avoid-suicide
avoid suicide
2014-04-25 21:44:45 +03:00
Alexander Larsson
6d631968fa devmapper: Store metadata in one file per device
This allows multiple instances of the backend in different containers
to access devices (although generally only one can modify/create them).

Any old metadata is converted on the first run.

Docker-DCO-1.1-Signed-off-by: Alexander Larsson <alexl@redhat.com> (github: alexlarsson)
2014-04-25 15:21:56 +02:00
Alexander Larsson
f26203cf54 devmapper: Simplify thin pool device id allocation
Instead of globally keeping track of the free device ids we just
start from 0 each run and handle EEXIST error and try the next one.

This way we don't need any global state for the device ids, which
means we can read device metadata lazily. This is important for
multi-process use of the backend.

Docker-DCO-1.1-Signed-off-by: Alexander Larsson <alexl@redhat.com> (github: alexlarsson)
2014-04-25 14:26:27 +02:00
Alexander Larsson
586a511cb5 devmapper: Move error detection to devmapper.go
This moves the EBUSY detection to devmapper.go, and then returns
a real ErrBusy that deviceset uses.

Docker-DCO-1.1-Signed-off-by: Alexander Larsson <alexl@redhat.com> (github: alexlarsson)
2014-04-25 14:26:27 +02:00
Alexander Larsson
8116b86e05 devmapper: Maks createSnapDevice a function, not a method
No idea why this was a method. Maybe a cut and paste bug.

Docker-DCO-1.1-Signed-off-by: Alexander Larsson <alexl@redhat.com> (github: alexlarsson)
2014-04-25 14:26:27 +02:00
Guillaume J. Charmes
85540f6aa0 Merge pull request #5373 from vmarmol/master
Separating cgroup Memory and MemoryReservation.
2014-04-24 14:28:40 -07:00
Michael Crosby
8af84c5e23 Merge pull request #5335 from alexlarsson/remove-ghost
container: Remove Ghost state
2014-04-24 11:55:05 -07:00
Victor Marmol
f188b9f623 Separating cgroup Memory and MemoryReservation.
This will allow for these to be set independently. Keep the current Docker behavior where Memory and MemoryReservation are set to the value of Memory.

Docker-DCO-1.1-Signed-off-by: Victor Marmol <vmarmol@google.com> (github: vmarmol)
2014-04-24 11:09:38 -07:00
Michael Crosby
2d6c367434 Increment native driver version with these changes
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-24 10:35:20 -07:00
Michael Crosby
5ba1242bdc Mount over dev and only copy allowed nodes in
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-24 10:35:20 -07:00
Michael Crosby
81e5026a6a No not mount sysfs by default for non privilged containers
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-24 10:35:20 -07:00
Michael Crosby
0779a8c328 Add lxc support for restricting proc
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-24 10:35:20 -07:00
Michael Crosby
60a90970bc Add restrictions to proc in libcontainer
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-24 10:35:19 -07:00
Daniel Norberg
b3ddc31b95 avoid suicide
container.Kill() might read a pid of 0 from
container.State.Pid due to losing a race with
container.monitor() calling
container.State.SetStopped(). Sending a SIGKILL to
pid 0 is undesirable as "If pid equals 0, then sig
is sent to every process in the process group of
the calling process."

Docker-DCO-1.1-Signed-off-by: Daniel Norberg <daniel.norberg@gmail.com> (github: danielnorberg)
2014-04-23 11:06:59 -04:00
Alexander Larsson
73d9ede12c devicemapper: Don't mount in Create()
We used to mount in Create() to be able to create a few files that
needs to be in each device. However, this mount is problematic for
selinux, as we need to set the mount label at mount-time, and it
is not known at the time of Create().

This change just moves the file creation to first Get() call and
drops the mount from Create(). Additionally, this lets us remove
some complexities we had to avoid an extra unmount+mount cycle.

Docker-DCO-1.1-Signed-off-by: Alexander Larsson <alexl@redhat.com> (github: alexlarsson)
2014-04-23 13:50:53 +02:00
Alexander Larsson
cf997aa905 container: Remove Ghost state
container.Register() checks both IsRunning() and IsGhost(), but at
this point IsGhost() is always true if IsRunning() is true. For a
newly created container both are false, and for a restored-from-disk
container Daemon.load() sets Ghost to true if IsRunning is true. So we
just drop the IsGhost check.

This was the last call to IsGhost, so we remove It and all other
traces of the ghost state.

Docker-DCO-1.1-Signed-off-by: Alexander Larsson <alexl@redhat.com> (github: alexlarsson)
2014-04-22 09:49:53 +02:00
Guillaume J. Charmes
813cebc64f
Merge branch 'master' into load-profile
Conflicts:
	daemon/execdriver/native/create.go
	daemon/execdriver/native/driver.go

Docker-DCO-1.1-Signed-off-by: Guillaume J. Charmes <guillaume@charmes.net> (github: creack)
2014-04-21 10:32:13 -07:00
Michael Crosby
eceeebc22d Remove IsGhost checks around networking
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-17 23:49:59 +00:00
Alexander Larsson
359b7df5d2 Rename runtime/* to daemon/*
Docker-DCO-1.1-Signed-off-by: Alexander Larsson <alexl@redhat.com> (github: alexlarsson)
2014-04-17 14:43:01 -07:00