Merge pull request #44940 from sjenning/bump-runc

Automatic merge from submit-queue

Bump runc to d223e2a

Fixes https://github.com/kubernetes/kubernetes/issues/43856

@derekwaynecarr

Godeps/Godeps.json

@@ -2044,83 +2044,83 @@
 		},
 		{
 			"ImportPath": "github.com/opencontainers/runc/libcontainer",
-			"Comment": "v1.0.0-rc2-14-g45c30e7",
+			"Comment": "v1.0.0-rc2-49-gd223e2a",
-			"Rev": "45c30e75abfd52107b53048004a83165403ad0d1"
+			"Rev": "d223e2adae83f62d58448a799a5da05730228089"
 		},
 		{
 			"ImportPath": "github.com/opencontainers/runc/libcontainer/apparmor",
-			"Comment": "v1.0.0-rc2-14-g45c30e7",
+			"Comment": "v1.0.0-rc2-49-gd223e2a",
-			"Rev": "45c30e75abfd52107b53048004a83165403ad0d1"
+			"Rev": "d223e2adae83f62d58448a799a5da05730228089"
 		},
 		{
 			"ImportPath": "github.com/opencontainers/runc/libcontainer/cgroups",
-			"Comment": "v1.0.0-rc2-14-g45c30e7",
+			"Comment": "v1.0.0-rc2-49-gd223e2a",
-			"Rev": "45c30e75abfd52107b53048004a83165403ad0d1"
+			"Rev": "d223e2adae83f62d58448a799a5da05730228089"
 		},
 		{
 			"ImportPath": "github.com/opencontainers/runc/libcontainer/cgroups/fs",
-			"Comment": "v1.0.0-rc2-14-g45c30e7",
+			"Comment": "v1.0.0-rc2-49-gd223e2a",
-			"Rev": "45c30e75abfd52107b53048004a83165403ad0d1"
+			"Rev": "d223e2adae83f62d58448a799a5da05730228089"
 		},
 		{
 			"ImportPath": "github.com/opencontainers/runc/libcontainer/cgroups/systemd",
-			"Comment": "v1.0.0-rc2-14-g45c30e7",
+			"Comment": "v1.0.0-rc2-49-gd223e2a",
-			"Rev": "45c30e75abfd52107b53048004a83165403ad0d1"
+			"Rev": "d223e2adae83f62d58448a799a5da05730228089"
 		},
 		{
 			"ImportPath": "github.com/opencontainers/runc/libcontainer/configs",
-			"Comment": "v1.0.0-rc2-14-g45c30e7",
+			"Comment": "v1.0.0-rc2-49-gd223e2a",
-			"Rev": "45c30e75abfd52107b53048004a83165403ad0d1"
+			"Rev": "d223e2adae83f62d58448a799a5da05730228089"
 		},
 		{
 			"ImportPath": "github.com/opencontainers/runc/libcontainer/configs/validate",
-			"Comment": "v1.0.0-rc2-14-g45c30e7",
+			"Comment": "v1.0.0-rc2-49-gd223e2a",
-			"Rev": "45c30e75abfd52107b53048004a83165403ad0d1"
+			"Rev": "d223e2adae83f62d58448a799a5da05730228089"
 		},
 		{
 			"ImportPath": "github.com/opencontainers/runc/libcontainer/criurpc",
-			"Comment": "v1.0.0-rc2-14-g45c30e7",
+			"Comment": "v1.0.0-rc2-49-gd223e2a",
-			"Rev": "45c30e75abfd52107b53048004a83165403ad0d1"
+			"Rev": "d223e2adae83f62d58448a799a5da05730228089"
 		},
 		{
 			"ImportPath": "github.com/opencontainers/runc/libcontainer/keys",
-			"Comment": "v1.0.0-rc2-14-g45c30e7",
+			"Comment": "v1.0.0-rc2-49-gd223e2a",
-			"Rev": "45c30e75abfd52107b53048004a83165403ad0d1"
+			"Rev": "d223e2adae83f62d58448a799a5da05730228089"
 		},
 		{
 			"ImportPath": "github.com/opencontainers/runc/libcontainer/label",
-			"Comment": "v1.0.0-rc2-14-g45c30e7",
+			"Comment": "v1.0.0-rc2-49-gd223e2a",
-			"Rev": "45c30e75abfd52107b53048004a83165403ad0d1"
+			"Rev": "d223e2adae83f62d58448a799a5da05730228089"
 		},
 		{
 			"ImportPath": "github.com/opencontainers/runc/libcontainer/seccomp",
-			"Comment": "v1.0.0-rc2-14-g45c30e7",
+			"Comment": "v1.0.0-rc2-49-gd223e2a",
-			"Rev": "45c30e75abfd52107b53048004a83165403ad0d1"
+			"Rev": "d223e2adae83f62d58448a799a5da05730228089"
 		},
 		{
 			"ImportPath": "github.com/opencontainers/runc/libcontainer/selinux",
-			"Comment": "v1.0.0-rc2-14-g45c30e7",
+			"Comment": "v1.0.0-rc2-49-gd223e2a",
-			"Rev": "45c30e75abfd52107b53048004a83165403ad0d1"
+			"Rev": "d223e2adae83f62d58448a799a5da05730228089"
 		},
 		{
 			"ImportPath": "github.com/opencontainers/runc/libcontainer/stacktrace",
-			"Comment": "v1.0.0-rc2-14-g45c30e7",
+			"Comment": "v1.0.0-rc2-49-gd223e2a",
-			"Rev": "45c30e75abfd52107b53048004a83165403ad0d1"
+			"Rev": "d223e2adae83f62d58448a799a5da05730228089"
 		},
 		{
 			"ImportPath": "github.com/opencontainers/runc/libcontainer/system",
-			"Comment": "v1.0.0-rc2-14-g45c30e7",
+			"Comment": "v1.0.0-rc2-49-gd223e2a",
-			"Rev": "45c30e75abfd52107b53048004a83165403ad0d1"
+			"Rev": "d223e2adae83f62d58448a799a5da05730228089"
 		},
 		{
 			"ImportPath": "github.com/opencontainers/runc/libcontainer/user",
-			"Comment": "v1.0.0-rc2-14-g45c30e7",
+			"Comment": "v1.0.0-rc2-49-gd223e2a",
-			"Rev": "45c30e75abfd52107b53048004a83165403ad0d1"
+			"Rev": "d223e2adae83f62d58448a799a5da05730228089"
 		},
 		{
 			"ImportPath": "github.com/opencontainers/runc/libcontainer/utils",
-			"Comment": "v1.0.0-rc2-14-g45c30e7",
+			"Comment": "v1.0.0-rc2-49-gd223e2a",
-			"Rev": "45c30e75abfd52107b53048004a83165403ad0d1"
+			"Rev": "d223e2adae83f62d58448a799a5da05730228089"
 		},
 		{
 			"ImportPath": "github.com/pborman/uuid",

vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/apply_raw.go

@@ -295,7 +295,7 @@ func (raw *cgroupData) path(subsystem string) (string, error) {
 
 	// If the cgroup name/path is absolute do not look relative to the cgroup of the init process.
 	if filepath.IsAbs(raw.innerPath) {
-		// Sometimes subsystems can be mounted togethger as 'cpu,cpuacct'.
+		// Sometimes subsystems can be mounted together as 'cpu,cpuacct'.
 		return filepath.Join(raw.root, filepath.Base(mnt), raw.innerPath), nil
 	}
 

vendor/github.com/opencontainers/runc/libcontainer/cgroups/systemd/apply_systemd.go

@@ -282,7 +282,7 @@ func (m *Manager) Apply(pid int) error {
 		}
 	}
 
-	if _, err := theConn.StartTransientUnit(unitName, "replace", properties, nil); err != nil {
+	if _, err := theConn.StartTransientUnit(unitName, "replace", properties, nil); err != nil && !isUnitExists(err) {
 		return err
 	}
 
@@ -388,7 +388,7 @@ func joinCgroups(c *configs.Cgroup, pid int) error {
 	return nil
 }
 
-// systemd represents slice heirarchy using `-`, so we need to follow suit when
+// systemd represents slice hierarchy using `-`, so we need to follow suit when
 // generating the path of slice. Essentially, test-a-b.slice becomes
 // test.slice/test-a.slice/test-a-b.slice.
 func ExpandSlice(slice string) (string, error) {
@@ -546,3 +546,13 @@ func setKernelMemory(c *configs.Cgroup) error {
 	}
 	return fs.EnableKernelMemoryAccounting(path)
 }
+
+// isUnitExists returns true if the error is that a systemd unit already exists.
+func isUnitExists(err error) bool {
+	if err != nil {
+		if dbusError, ok := err.(dbus.Error); ok {
+			return strings.Contains(dbusError.Name, "org.freedesktop.systemd1.UnitExists")
+		}
+	}
+	return false
+}

vendor/github.com/opencontainers/runc/libcontainer/configs/cgroup_unix.go

@@ -22,7 +22,7 @@ type Cgroup struct {
 	// The path is assumed to be relative to the host system cgroup mountpoint.
 	Path string `json:"path"`
 
-	// ScopePrefix decribes prefix for the scope name
+	// ScopePrefix describes prefix for the scope name
 	ScopePrefix string `json:"scope_prefix"`
 
 	// Paths represent the absolute cgroups paths to join.
@@ -95,7 +95,7 @@ type Resources struct {
 	// IO read rate limit per cgroup per device, bytes per second.
 	BlkioThrottleReadBpsDevice []*ThrottleDevice `json:"blkio_throttle_read_bps_device"`
 
-	// IO write rate limit per cgroup per divice, bytes per second.
+	// IO write rate limit per cgroup per device, bytes per second.
 	BlkioThrottleWriteBpsDevice []*ThrottleDevice `json:"blkio_throttle_write_bps_device"`
 
 	// IO read rate limit per cgroup per device, IO per second.

vendor/github.com/opencontainers/runc/libcontainer/console_linux.go

@@ -44,7 +44,7 @@ func newConsoleFromPath(slavePath string) *linuxConsole {
 	}
 }
 
-// linuxConsole is a linux psuedo TTY for use within a container.
+// linuxConsole is a linux pseudo TTY for use within a container.
 type linuxConsole struct {
 	master    *os.File
 	slavePath string

vendor/github.com/opencontainers/runc/libcontainer/console_windows.go

@@ -5,7 +5,7 @@ func NewConsole(uid, gid int) (Console, error) {
 	return &windowsConsole{}, nil
 }
 
-// windowsConsole is a Windows psuedo TTY for use within a container.
+// windowsConsole is a Windows pseudo TTY for use within a container.
 type windowsConsole struct {
 }
 

vendor/github.com/opencontainers/runc/libcontainer/container.go

@@ -123,7 +123,7 @@ type BaseContainer interface {
 	// SystemError - System error.
 	Start(process *Process) (err error)
 
-	// Run immediatly starts the process inside the conatiner.  Returns error if process
+	// Run immediately starts the process inside the conatiner.  Returns error if process
 	// fails to start.  It does not block waiting for the exec fifo  after start returns but
 	// opens the fifo after start returns.
 	//

vendor/github.com/opencontainers/runc/libcontainer/label/label.go

@@ -9,6 +9,10 @@ func InitLabels(options []string) (string, string, error) {
 	return "", "", nil
 }
 
+func GetROMountLabel() string {
+	return ""
+}
+
 func GenLabels(options string) (string, string, error) {
 	return "", "", nil
 }

vendor/github.com/opencontainers/runc/libcontainer/label/label_selinux.go

@@ -33,15 +33,19 @@ func InitLabels(options []string) (string, string, error) {
 		pcon := selinux.NewContext(processLabel)
 		mcon := selinux.NewContext(mountLabel)
 		for _, opt := range options {
-			if opt == "disable" {
+			val := strings.SplitN(opt, "=", 2)
+			if val[0] != "label" {
+				continue
+			}
+			if len(val) < 2 {
+				return "", "", fmt.Errorf("bad label option %q, valid options 'disable' or \n'user, role, level, type' followed by ':' and a value", opt)
+			}
+			if val[1] == "disable" {
 				return "", "", nil
 			}
-			if i := strings.Index(opt, ":"); i == -1 {
+			con := strings.SplitN(val[1], ":", 2)
-				return "", "", fmt.Errorf("Bad label option %q, valid options 'disable' or \n'user, role, level, type' followed by ':' and a value", opt)
+			if len(con) < 2 || !validOptions[con[0]] {
-			}
+				return "", "", fmt.Errorf("bad label option %q, valid options 'disable, user, role, level, type'", con[0])
-			con := strings.SplitN(opt, ":", 2)
-			if !validOptions[con[0]] {
-				return "", "", fmt.Errorf("Bad label option %q, valid options 'disable, user, role, level, type'", con[0])
 
 			}
 			pcon[con[0]] = con[1]
@@ -55,6 +59,10 @@ func InitLabels(options []string) (string, string, error) {
 	return processLabel, mountLabel, nil
 }
 
+func GetROMountLabel() string {
+	return selinux.GetROFileLabel()
+}
+
 // DEPRECATED: The GenLabels function is only to be used during the transition to the official API.
 func GenLabels(options string) (string, string, error) {
 	return InitLabels(strings.Fields(options))

vendor/github.com/opencontainers/runc/libcontainer/process_linux.go

@@ -146,7 +146,7 @@ func (p *setnsProcess) execSetns() error {
 }
 
 // terminate sends a SIGKILL to the forked process for the setns routine then waits to
-// avoid the process becomming a zombie.
+// avoid the process becoming a zombie.
 func (p *setnsProcess) terminate() error {
 	if p.cmd.Process == nil {
 		return nil
@@ -264,7 +264,7 @@ func (p *initProcess) start() error {
 		}
 	}()
 	if err := p.createNetworkInterfaces(); err != nil {
-		return newSystemErrorWithCause(err, "creating nework interfaces")
+		return newSystemErrorWithCause(err, "creating network interfaces")
 	}
 	if err := p.sendConfig(); err != nil {
 		return newSystemErrorWithCause(err, "sending config to init process")

vendor/github.com/opencontainers/runc/libcontainer/rootfs_linux.go

@@ -93,7 +93,7 @@ func setupRootfs(config *configs.Config, console *linuxConsole, pipe io.ReadWrit
 			return newSystemErrorWithCause(err, "reopening /dev/null inside container")
 		}
 	}
-	// remount dev as ro if specifed
+	// remount dev as ro if specified
 	for _, m := range config.Mounts {
 		if libcontainerUtils.CleanPath(m.Destination) == "/dev" {
 			if m.Flags&syscall.MS_RDONLY != 0 {

vendor/github.com/opencontainers/runc/libcontainer/selinux/selinux.go

@@ -355,6 +355,12 @@ func FreeLxcContexts(scon string) {
 	}
 }
 
+var roFileLabel string
+
+func GetROFileLabel() (fileLabel string) {
+	return roFileLabel
+}
+
 func GetLxcContexts() (processLabel string, fileLabel string) {
 	var (
 		val, key string
@@ -399,6 +405,9 @@ func GetLxcContexts() (processLabel string, fileLabel string) {
 			if key == "file" {
 				fileLabel = strings.Trim(val, "\"")
 			}
+			if key == "ro_file" {
+				roFileLabel = strings.Trim(val, "\"")
+			}
 		}
 	}
 
@@ -406,6 +415,9 @@ func GetLxcContexts() (processLabel string, fileLabel string) {
 		return "", ""
 	}
 
+	if roFileLabel == "" {
+		roFileLabel = fileLabel
+	}
 exit:
 	//	mcs := IntToMcs(os.Getpid(), 1024)
 	mcs := uniqMcs(1024)

vendor/github.com/opencontainers/runc/libcontainer/standard_init_linux.go

@@ -143,7 +143,7 @@ func (l *linuxStandardInit) Init() error {
 	if err := pdeath.Restore(); err != nil {
 		return err
 	}
-	// compare the parent from the inital start of the init process and make sure that it did not change.
+	// compare the parent from the initial start of the init process and make sure that it did not change.
 	// if the parent changes that means it died and we were reparented to something else so we should
 	// just kill ourself and not cause problems for someone else.
 	if syscall.Getppid() != l.parentPid {

vendor/github.com/opencontainers/runc/libcontainer/utils/utils.go

@@ -103,7 +103,7 @@ func SearchLabels(labels []string, query string) string {
 }
 
 // Annotations returns the bundle path and user defined annotations from the
-// libcontianer state.  We need to remove the bundle because that is a label
+// libcontainer state.  We need to remove the bundle because that is a label
 // added by libcontainer.
 func Annotations(labels []string) (bundle string, userAnnotations map[string]string) {
 	userAnnotations = make(map[string]string)