diff --git a/Godeps/Godeps.json b/Godeps/Godeps.json
index 8439b23c035..ed1b4f261eb 100644
--- a/Godeps/Godeps.json
+++ b/Godeps/Godeps.json
@@ -2355,83 +2355,83 @@ }, { "ImportPath": "github.com/opencontainers/runc/libcontainer", - "Comment": "v1.0.0-rc4-197-gd5b4a3e", - "Rev": "d5b4a3eddbe4c890843da971b64f45a0f023f4db" + "Comment": "v1.0.0-rc4-221-g595bea02", + "Rev": "595bea022f077a9e17d7473b34fbaf1adaed9e43" }, { "ImportPath": "github.com/opencontainers/runc/libcontainer/apparmor", - "Comment": "v1.0.0-rc4-197-gd5b4a3e", - "Rev": "d5b4a3eddbe4c890843da971b64f45a0f023f4db" + "Comment": "v1.0.0-rc4-221-g595bea02", + "Rev": "595bea022f077a9e17d7473b34fbaf1adaed9e43" }, { "ImportPath": "github.com/opencontainers/runc/libcontainer/cgroups", - "Comment": "v1.0.0-rc4-197-gd5b4a3e", - "Rev": "d5b4a3eddbe4c890843da971b64f45a0f023f4db" + "Comment": "v1.0.0-rc4-221-g595bea02", + "Rev": "595bea022f077a9e17d7473b34fbaf1adaed9e43" }, { "ImportPath": "github.com/opencontainers/runc/libcontainer/cgroups/fs", - "Comment": "v1.0.0-rc4-197-gd5b4a3e", - "Rev": "d5b4a3eddbe4c890843da971b64f45a0f023f4db" + "Comment": "v1.0.0-rc4-221-g595bea02", + "Rev": "595bea022f077a9e17d7473b34fbaf1adaed9e43" }, { "ImportPath": "github.com/opencontainers/runc/libcontainer/cgroups/systemd", - "Comment": "v1.0.0-rc4-197-gd5b4a3e", - "Rev": "d5b4a3eddbe4c890843da971b64f45a0f023f4db" + "Comment": "v1.0.0-rc4-221-g595bea02", + "Rev": "595bea022f077a9e17d7473b34fbaf1adaed9e43" }, { "ImportPath": "github.com/opencontainers/runc/libcontainer/configs", - "Comment": "v1.0.0-rc4-197-gd5b4a3e", - "Rev": "d5b4a3eddbe4c890843da971b64f45a0f023f4db" + "Comment": "v1.0.0-rc4-221-g595bea02", + "Rev": "595bea022f077a9e17d7473b34fbaf1adaed9e43" }, { "ImportPath": "github.com/opencontainers/runc/libcontainer/configs/validate", - "Comment": "v1.0.0-rc4-197-gd5b4a3e", - "Rev": "d5b4a3eddbe4c890843da971b64f45a0f023f4db" + "Comment": "v1.0.0-rc4-221-g595bea02", + "Rev": "595bea022f077a9e17d7473b34fbaf1adaed9e43" }, { "ImportPath": "github.com/opencontainers/runc/libcontainer/criurpc", - "Comment": "v1.0.0-rc4-197-gd5b4a3e", - "Rev": 
"d5b4a3eddbe4c890843da971b64f45a0f023f4db" + "Comment": "v1.0.0-rc4-221-g595bea02", + "Rev": "595bea022f077a9e17d7473b34fbaf1adaed9e43" }, { "ImportPath": "github.com/opencontainers/runc/libcontainer/intelrdt", - "Comment": "v1.0.0-rc4-197-gd5b4a3e", - "Rev": "d5b4a3eddbe4c890843da971b64f45a0f023f4db" + "Comment": "v1.0.0-rc4-221-g595bea02", + "Rev": "595bea022f077a9e17d7473b34fbaf1adaed9e43" }, { "ImportPath": "github.com/opencontainers/runc/libcontainer/keys", - "Comment": "v1.0.0-rc4-197-gd5b4a3e", - "Rev": "d5b4a3eddbe4c890843da971b64f45a0f023f4db" + "Comment": "v1.0.0-rc4-221-g595bea02", + "Rev": "595bea022f077a9e17d7473b34fbaf1adaed9e43" }, { "ImportPath": "github.com/opencontainers/runc/libcontainer/mount", - "Comment": "v1.0.0-rc4-197-gd5b4a3e", - "Rev": "d5b4a3eddbe4c890843da971b64f45a0f023f4db" + "Comment": "v1.0.0-rc4-221-g595bea02", + "Rev": "595bea022f077a9e17d7473b34fbaf1adaed9e43" }, { "ImportPath": "github.com/opencontainers/runc/libcontainer/seccomp", - "Comment": "v1.0.0-rc4-197-gd5b4a3e", - "Rev": "d5b4a3eddbe4c890843da971b64f45a0f023f4db" + "Comment": "v1.0.0-rc4-221-g595bea02", + "Rev": "595bea022f077a9e17d7473b34fbaf1adaed9e43" }, { "ImportPath": "github.com/opencontainers/runc/libcontainer/stacktrace", - "Comment": "v1.0.0-rc4-197-gd5b4a3e", - "Rev": "d5b4a3eddbe4c890843da971b64f45a0f023f4db" + "Comment": "v1.0.0-rc4-221-g595bea02", + "Rev": "595bea022f077a9e17d7473b34fbaf1adaed9e43" }, { "ImportPath": "github.com/opencontainers/runc/libcontainer/system", - "Comment": "v1.0.0-rc4-197-gd5b4a3e", - "Rev": "d5b4a3eddbe4c890843da971b64f45a0f023f4db" + "Comment": "v1.0.0-rc4-221-g595bea02", + "Rev": "595bea022f077a9e17d7473b34fbaf1adaed9e43" }, { "ImportPath": "github.com/opencontainers/runc/libcontainer/user", - "Comment": "v1.0.0-rc4-197-gd5b4a3e", - "Rev": "d5b4a3eddbe4c890843da971b64f45a0f023f4db" + "Comment": "v1.0.0-rc4-221-g595bea02", + "Rev": "595bea022f077a9e17d7473b34fbaf1adaed9e43" }, { "ImportPath": 
"github.com/opencontainers/runc/libcontainer/utils", - "Comment": "v1.0.0-rc4-197-gd5b4a3e", - "Rev": "d5b4a3eddbe4c890843da971b64f45a0f023f4db" + "Comment": "v1.0.0-rc4-221-g595bea02", + "Rev": "595bea022f077a9e17d7473b34fbaf1adaed9e43" }, { "ImportPath": "github.com/opencontainers/runtime-spec/specs-go", diff --git a/vendor/github.com/opencontainers/runc/libcontainer/capabilities_linux.go b/vendor/github.com/opencontainers/runc/libcontainer/capabilities_linux.go index 8981b2a2f52..7c66f572580 100644 --- a/vendor/github.com/opencontainers/runc/libcontainer/capabilities_linux.go +++ b/vendor/github.com/opencontainers/runc/libcontainer/capabilities_linux.go @@ -4,7 +4,6 @@ package libcontainer import ( "fmt" - "os" "strings" "github.com/opencontainers/runc/libcontainer/configs" @@ -72,7 +71,7 @@ func newContainerCapList(capConfig *configs.Capabilities) (*containerCapabilitie } ambient = append(ambient, v) } - pid, err := capability.NewPid(os.Getpid()) + pid, err := capability.NewPid(0) if err != nil { return nil, err } diff --git a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/systemd/apply_systemd.go b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/systemd/apply_systemd.go index 45bd3acce71..b5cf33aa8af 100644 --- a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/systemd/apply_systemd.go +++ b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/systemd/apply_systemd.go @@ -395,7 +395,7 @@ func joinCgroups(c *configs.Cgroup, pid int) error { // systemd represents slice hierarchy using `-`, so we need to follow suit when // generating the path of slice. Essentially, test-a-b.slice becomes -// test.slice/test-a.slice/test-a-b.slice. +// /test.slice/test-a.slice/test-a-b.slice. func ExpandSlice(slice string) (string, error) { suffix := ".slice" // Name has to end with ".slice", but can't be just ".slice". 
@@ -421,10 +421,9 @@ func ExpandSlice(slice string) (string, error) { } // Append the component to the path and to the prefix. - path += prefix + component + suffix + "/" + path += "/" + prefix + component + suffix prefix += component + "-" } - return path, nil } diff --git a/vendor/github.com/opencontainers/runc/libcontainer/container_linux.go b/vendor/github.com/opencontainers/runc/libcontainer/container_linux.go index 1ac74b1bf82..db2242e2696 100644 --- a/vendor/github.com/opencontainers/runc/libcontainer/container_linux.go +++ b/vendor/github.com/opencontainers/runc/libcontainer/container_linux.go @@ -5,6 +5,7 @@ package libcontainer import ( "bytes" "encoding/json" + "errors" "fmt" "io" "io/ioutil" 
@@ -267,20 +268,71 @@ func (c *linuxContainer) Exec() error { func (c *linuxContainer) exec() error { path := filepath.Join(c.root, execFifoFilename) - f, err := os.OpenFile(path, os.O_RDONLY, 0) - if err != nil { - return newSystemErrorWithCause(err, "open exec fifo for reading") + + fifoOpen := make(chan struct{}) + select { + case <-awaitProcessExit(c.initProcess.pid(), fifoOpen): + return errors.New("container process is already dead") + case result := <-awaitFifoOpen(path): + close(fifoOpen) + if result.err != nil { + return result.err + } + f := result.file + defer f.Close() + if err := readFromExecFifo(f); err != nil { + return err + } + return os.Remove(path) } - defer f.Close() - data, err := ioutil.ReadAll(f) +} + +func readFromExecFifo(execFifo io.Reader) error { + data, err := ioutil.ReadAll(execFifo) if err != nil { return err } - if len(data) > 0 { - os.Remove(path) - return nil + if len(data) <= 0 { + return fmt.Errorf("cannot start an already running container") } - return fmt.Errorf("cannot start an already running container") + return nil +} + +func awaitProcessExit(pid int, exit <-chan struct{}) <-chan struct{} { + isDead := make(chan struct{}) + go func() { + for { + select { + case <-exit: + return + case <-time.After(time.Millisecond * 100): + stat, err := system.Stat(pid) + if err != nil || stat.State == system.Zombie { + close(isDead) + return + } + } + } + }() + return isDead +} + +func awaitFifoOpen(path string) <-chan openResult { + fifoOpened := make(chan openResult) + go func() { + f, err := os.OpenFile(path, os.O_RDONLY, 0) + if err != nil { + fifoOpened <- openResult{err: newSystemErrorWithCause(err, "open exec fifo for reading")} + return + } + fifoOpened <- openResult{file: f} + }() + return fifoOpened +} + +type openResult struct { + file *os.File + err error } func (c *linuxContainer) start(process *Process, isInit bool) error { 
@@ -308,11 +360,13 @@ func (c *linuxContainer) start(process *Process, isInit bool) error { c.initProcessStartTime = state.InitProcessStartTime if c.config.Hooks != nil { + bundle, annotations := utils.Annotations(c.config.Labels) s := configs.HookState{ - Version: c.config.Version, - ID: c.id, - Pid: parent.pid(), - Bundle: utils.SearchLabels(c.config.Labels, "bundle"), + Version: c.config.Version, + ID: c.id, + Pid: parent.pid(), + Bundle: bundle, + Annotations: annotations, } for i, hook := range c.config.Hooks.Poststart { if err := hook.Run(s); err != nil { @@ -1436,11 +1490,13 @@ func (c *linuxContainer) criuNotifications(resp *criurpc.CriuResp, process *Proc } case notify.GetScript() == "setup-namespaces": if c.config.Hooks != nil { + bundle, annotations := utils.Annotations(c.config.Labels) s := configs.HookState{ - Version: c.config.Version, - ID: c.id, - Pid: int(notify.GetPid()), - Bundle: utils.SearchLabels(c.config.Labels, "bundle"), + Version: c.config.Version, + ID: c.id, + Pid: int(notify.GetPid()), + Bundle: bundle, + Annotations: annotations, } for i, hook := range c.config.Hooks.Prestart { if err := hook.Run(s); err != nil { @@ -1748,7 +1804,7 @@ func (c *linuxContainer) bootstrapData(cloneFlags uintptr, nsMaps map[configs.Na // The following only applies if we are root. if !c.config.Rootless { // check if we have CAP_SETGID to setgroup properly - pid, err := capability.NewPid(os.Getpid()) + pid, err := capability.NewPid(0) if err != nil { return nil, err } diff --git a/vendor/github.com/opencontainers/runc/libcontainer/process_linux.go b/vendor/github.com/opencontainers/runc/libcontainer/process_linux.go index 149b1126652..58980b0594e 100644 --- a/vendor/github.com/opencontainers/runc/libcontainer/process_linux.go +++ b/vendor/github.com/opencontainers/runc/libcontainer/process_linux.go 
@@ -341,11 +341,13 @@ func (p *initProcess) start() error { } if p.config.Config.Hooks != nil { + bundle, annotations := utils.Annotations(p.container.config.Labels) s := configs.HookState{ - Version: p.container.config.Version, - ID: p.container.id, - Pid: p.pid(), - Bundle: utils.SearchLabels(p.config.Config.Labels, "bundle"), + Version: p.container.config.Version, + ID: p.container.id, + Pid: p.pid(), + Bundle: bundle, + Annotations: annotations, } for i, hook := range p.config.Config.Hooks.Prestart { if err := hook.Run(s); err != nil { @@ -370,11 +372,13 @@ func (p *initProcess) start() error { } } if p.config.Config.Hooks != nil { + bundle, annotations := utils.Annotations(p.container.config.Labels) s := configs.HookState{ - Version: p.container.config.Version, - ID: p.container.id, - Pid: p.pid(), - Bundle: utils.SearchLabels(p.config.Config.Labels, "bundle"), + Version: p.container.config.Version, + ID: p.container.id, + Pid: p.pid(), + Bundle: bundle, + Annotations: annotations, } for i, hook := range p.config.Config.Hooks.Prestart { if err := hook.Run(s); err != nil { diff --git a/vendor/github.com/opencontainers/runc/libcontainer/rootfs_linux.go b/vendor/github.com/opencontainers/runc/libcontainer/rootfs_linux.go index eb9e0253b9a..73ee2bd691a 100644 --- a/vendor/github.com/opencontainers/runc/libcontainer/rootfs_linux.go +++ b/vendor/github.com/opencontainers/runc/libcontainer/rootfs_linux.go @@ -100,8 +100,10 @@ func prepareRootfs(pipe io.ReadWriter, iConfig *initConfig) (err error) { if config.NoPivotRoot { err = msMoveRoot(config.Rootfs) - } else { + } else if config.Namespaces.Contains(configs.NEWNS) { err = pivotRoot(config.Rootfs) + } else { + err = chroot(config.Rootfs) } if err != nil { return newSystemErrorWithCause(err, "jailing process inside rootfs") 
@@ -702,6 +704,10 @@ func msMoveRoot(rootfs string) error { if err := unix.Mount(rootfs, "/", "", unix.MS_MOVE, ""); err != nil { return err } + return chroot(rootfs) +} + +func chroot(rootfs string) error { if err := unix.Chroot("."); err != nil { return err } diff --git a/vendor/github.com/opencontainers/runc/libcontainer/standard_init_linux.go b/vendor/github.com/opencontainers/runc/libcontainer/standard_init_linux.go index 8a544ed5be7..02ea753eda3 100644 --- a/vendor/github.com/opencontainers/runc/libcontainer/standard_init_linux.go +++ b/vendor/github.com/opencontainers/runc/libcontainer/standard_init_linux.go @@ -65,14 +65,9 @@ func (l *linuxStandardInit) Init() error { } label.Init() - - // prepareRootfs() can be executed only for a new mount namespace. - if l.config.Config.Namespaces.Contains(configs.NEWNS) { - if err := prepareRootfs(l.pipe, l.config); err != nil { - return err - } + if err := prepareRootfs(l.pipe, l.config); err != nil { + return err } - // Set up the console. This has to be done *before* we finalize the rootfs, // but *after* we've given the user the chance to set up all of the mounts // they wanted. diff --git a/vendor/github.com/opencontainers/runc/libcontainer/state_linux.go b/vendor/github.com/opencontainers/runc/libcontainer/state_linux.go index 1f8c5e71e41..b45ce23e4a5 100644 --- a/vendor/github.com/opencontainers/runc/libcontainer/state_linux.go +++ b/vendor/github.com/opencontainers/runc/libcontainer/state_linux.go @@ -63,10 +63,12 @@ func destroy(c *linuxContainer) error { func runPoststopHooks(c *linuxContainer) error { if c.config.Hooks != nil { + bundle, annotations := utils.Annotations(c.config.Labels) s := configs.HookState{ - Version: c.config.Version, - ID: c.id, - Bundle: utils.SearchLabels(c.config.Labels, "bundle"), + Version: c.config.Version, + ID: c.id, + Bundle: bundle, + Annotations: annotations, } for _, hook := range c.config.Hooks.Poststop { if err := hook.Run(s); err != nil {