Commit graph

14 commits

Author SHA1 Message Date
Justin Cormack
199e19548e Add support for ambient capabilities
Linux kernel 4.3 and later supports "ambient capabilities" which are the
only way to pass capabilities to containers running as a non root uid.

Previously there was no way to allow containers not running as root
capabilities in a useful way.

Fix #8460

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2016-10-10 19:29:02 +01:00
Michael Holzheu
87e4e3af68 TestRunSeccompUnconfinedCloneUserns: Check for unprivileged_userns_clone
On Ubuntu and Debian there is a sysctl which allows to block
clone(CLONE_NEWUSER) via "sysctl kernel.unprivileged_userns_clone=0"
for unprivileged users that do not have CAP_SYS_ADMIN.

See: https://lists.ubuntu.com/archives/kernel-team/2016-January/067926.html

The DockerSuite.TestRunSeccompUnconfinedCloneUserns testcase fails if
"kernel.unprivileged_userns_clone" is set to 0:

 docker_cli_run_unix_test.go:1040:
    c.Fatalf("expected clone userns with --security-opt seccomp=unconfined
              to succeed, got %s: %v", out, err)
 ... Error: expected clone userns with --security-opt seccomp=unconfined
              to succeed, got clone failed: Operation not permitted
 : exit status 1

So add a check and skip the testcase if kernel.unprivileged_userns_clone is 0.

Signed-off-by: Michael Holzheu <holzheu@linux.vnet.ibm.com>
2016-07-29 12:16:03 -04:00
Jessica Frazelle
69cf03700f
pids limit support
update bash commpletion for pids limit

update check config for kernel

add docs for pids limit

add pids stats

add stats to docker client

Signed-off-by: Jessica Frazelle <acidburn@docker.com>
2016-03-08 07:55:01 -08:00
Christy Perez
5b3fc7aab2 Match case for variables in sysinfo pkg
I noticied an inconsistency when reviewing docker/pull/20692.

Changing Ip to IP and Nf to NF.

More info: The golang folks recommend that you keep the initials consistent:
https://github.com/golang/go/wiki/CodeReviewComments#initialisms.

Signed-off-by: Christy Perez <christy@linux.vnet.ibm.com>
2016-03-01 10:37:05 -06:00
Lei Jitang
79843b727f Add bridgeNfIptables and bridgeNfIp6tables test request
Signed-off-by: Lei Jitang <leijitang@huawei.com>
2016-02-26 19:53:35 -05:00
Jessica Frazelle
40d5ced9d0
check seccomp is configured in the kernel
Signed-off-by: Jessica Frazelle <acidburn@docker.com>
2016-01-12 09:45:21 -08:00
Phil Estes
0433e38915 Allow non-seccomp platforms to pass integration-cli tests
Since seccomp is still a configurable build-tag, add a requirements
entry for seccomp, as well as move seccomp tests to "_unix" given it
won't be applicable to other platforms at this time.

Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
2015-12-07 20:14:52 -05:00
qhuang
aa1780997f Add support for memory reservation
Signed-off-by: qhuang <qhuang@10.0.2.15>
2015-09-23 14:02:45 +08:00
Lei Jitang
c340ca4f5d Add some missing cgroup test require and refactor the require check.
Signed-off-by: Lei Jitang <leijitang@huawei.com>
2015-08-24 11:37:11 +08:00
Qiang Huang
b6f1b4ad35 Add support for kernel memory limit
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2015-08-19 23:56:55 +08:00
Ben Firshman
6b3c928140 Fix golint warnings for integration-cli
Signed-off-by: Ben Firshman <ben@firshman.co.uk>
2015-07-22 14:03:50 +01:00
Alexander Morozov
c86189d554 Update libcontainer
Replaced github.com/docker/libcontainer with
github.com/opencontainers/runc/libcontaier.
Also I moved AppArmor profile generation to docker.

Main idea of this update is to fix mounting cgroups inside containers.
After updating docker on CI we can even remove dind.

Signed-off-by: Alexander Morozov <lk4d4@docker.com>
2015-07-16 16:02:26 -07:00
John Howard
c1b524486c Fix Windows CI fail due to GH13866 and patch up tests
Signed-off-by: John Howard <jhoward@microsoft.com>
2015-07-09 10:09:45 -07:00
David Calavera
a914101296 Do not require cgroups capabilities on windows to run the integration tests.
Signed-off-by: David Calavera <david.calavera@gmail.com>
2015-05-29 11:42:40 -07:00