265de539ff
Merge pull request #5865 from crosbymichael/add-all-caps
...
Add the rest of the caps so that they are retained in privilged mode
2014-05-19 09:56:55 -07:00
e1c7abe890
Add the rest of the caps so that they are retained in privilged mode
...
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-05-19 16:43:31 +00:00
72d1e40c4a
Check uid ranges
...
Fixes #5647
Docker-DCO-1.1-Signed-off-by: Alexandr Morozov <lk4d4math@gmail.com> (github: LK4D4)
2014-05-18 20:49:08 +04:00
a0070f0c17
add support for CAP_FOWNER
...
Docker-DCO-1.1-Signed-off-by: Victor Vieux <vieux@docker.com> (github: vieux)
2014-05-17 01:16:07 +00:00
92614928ce
Make libcontainer's CapabilitiesMask into a []string (Capabilities).
...
Docker-DCO-1.1-Signed-off-by: Victor Marmol <vmarmol@google.com> (github: vmarmol)
2014-05-17 00:44:10 +00:00
62c3183fc8
Merge pull request #5833 from ActiveState/fix_nsinit_env_panic
...
fix panic when passing empty environment
2014-05-16 12:03:26 -07:00
d787f2731e
fix panic when passing empty environment
...
Docker-DCO-1.1-Signed-off-by: Sridhar Ratnakumar <github@srid.name> (github: srid)
2014-05-16 11:55:34 -07:00
01d10d6f13
Merge pull request #5810 from vmarmol/drop-caps
...
Change libcontainer to drop all capabilities by default.
2014-05-16 11:51:41 -07:00
6a1d76bc7b
nsinit.DefaultCreateCommand sets Pdeathsig to SIGKILL
...
Docker-DCO-1.1-Signed-off-by: Bernerd Schaefer <bj.schaefer@gmail.com> (github: bernerdschaefer)
2014-05-16 13:48:41 +02:00
00e1adfead
nsinit.Init() restores parent death signal before exec
...
Docker-DCO-1.1-Signed-off-by: Bernerd Schaefer <bj.schaefer@gmail.com> (github: bernerdschaefer)
2014-05-16 13:48:41 +02:00
9d6875d19d
Change libcontainer to drop all capabilities by default. Only keeps
...
those that were specified in the config. This commit also explicitly
adds a set of capabilities that we were silently not dropping and were
assumed by the tests.
Docker-DCO-1.1-Signed-off-by: Victor Marmol <vmarmol@google.com> (github: vmarmol)
2014-05-16 00:57:58 +00:00
ad35d522db
Fixes 5370 infinite/maxLoopCount loop for relative symlinks
...
use path.IsAbs() instead of checking if first char is '/'
Docker-DCO-1.1-Signed-off-by: Lajos Papp <lajos.papp@sequenceiq.com> (github: lalyos)
2014-05-16 01:03:11 +02:00
b51c366bfc
Defend against infinite loop when following symlinks
...
ideally it should never reach it, but there was already multiple issues with infinite loop
at following symlinks. this fixes hanging unit tests
Docker-DCO-1.1-Signed-off-by: Lajos Papp <lajos.papp@sequenceiq.com> (github: lalyos)
2014-05-16 00:47:20 +02:00
8b77a5b7ae
Adding test case for symlink causes infinit loop, reproduces: dotcloud#5370
...
normally symlinks are created as either
ln -s /path/existing /path/new-name
or
cd /path && ln -s ./existing new-name
but one can create it this way
cd /path && ln -s existing new-name
this drives FollowSymlinkInScope into infinite loop
Docker-DCO-1.1-Signed-off-by: Lajos Papp <lajos.papp@sequenceiq.com> (github: lalyos)
2014-05-16 00:47:20 +02:00
002aa8fc20
Add GetParentDeathSignal() to pkg/system
...
Docker-DCO-1.1-Signed-off-by: Bernerd Schaefer <bj.schaefer@gmail.com> (github: bernerdschaefer)
2014-05-15 10:17:44 +02:00
b22d10e3c5
Remove the cgroups maintainer file
...
We don't need this because it is covered by the libcontainer MAINTAINERS
file
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-05-14 16:01:45 -07:00
3b7a19def6
Move cgroups package into libcontainer
...
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-05-14 15:21:44 -07:00
2bc34036b9
Setup standard /dev symlinks
...
After copying allowed device nodes, set up "/dev/fd", "/dev/stdin",
"/dev/stdout", and "/dev/stderr" symlinks.
Docker-DCO-1.1-Signed-off-by: Bernerd Schaefer <bj.schaefer@gmail.com> (github: bernerdschaefer)
[rebased by @crosbymichael]
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-05-14 13:59:13 -07:00
17a1f470ae
Merge pull request #5783 from LK4D4/fix_duplicate_ip_allocation_#5729
...
Fix duplicate ip allocation
2014-05-14 13:32:27 -07:00
bc22c9948c
Merge pull request #5756 from crosbymichael/move-units-to-pkg
...
Move duration and size to units pkg
2014-05-14 11:36:14 -07:00
432e42e715
Merge pull request #5791 from bernerdschaefer/nsinit-exec-forwards-signals
...
"nsinit exec ..." forwards signals to container
2014-05-14 11:05:27 -07:00
3bf1b562e3
Merge pull request #5781 from creack/remove_bind_console
...
Remove the bind mount for dev/console which override the mknod/label
2014-05-14 10:57:21 -07:00
830c2d7fa3
"nsinit exec ..." forwards signals to container
...
Docker-DCO-1.1-Signed-off-by: Bernerd Schaefer <bj.schaefer@gmail.com> (github: bernerdschaefer)
2014-05-14 11:01:02 +02:00
5128feb690
Refactoring collections/orderedintset and benchmarks for it
...
Docker-DCO-1.1-Signed-off-by: Alexandr Morozov <lk4d4math@gmail.com> (github: LK4D4)
2014-05-14 06:04:12 +04:00
3de15bda7e
Copy parents cpus and mems for cpuset
...
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-05-13 18:01:31 -07:00
ae85dd5458
Remove the bind mount for dev/console which override the mknod/label
...
Docker-DCO-1.1-Signed-off-by: Guillaume J. Charmes <guillaume@charmes.net> (github: creack)
2014-05-13 11:59:27 -07:00
ea7647099f
Add MAINTAINERS file to symlink pkg
...
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-05-13 11:27:24 -07:00
ca040b1a37
Update code to handle new path to Follow Symlink func
...
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-05-13 10:54:08 -07:00
dcf81f95fd
Move Follow symlink to pkg
...
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-05-13 10:35:57 -07:00
b7c7b851dc
libcontainer: Ensure bind mount target files are inside rootfs
...
Before we create any files to bind-mount on, make sure they are
inside the container rootfs, handling for instance absolute symbolic
links inside the container.
Docker-DCO-1.1-Signed-off-by: Alexander Larsson <alexl@redhat.com> (github: alexlarsson)
2014-05-13 10:24:52 -07:00
f1eabe436a
Merge pull request #5655 from alexlarsson/mount-run-dir
...
Always mount a /run tmpfs in the container
2014-05-13 11:51:14 +03:00
d33b4655c4
Move duration and size to units pkg
...
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-05-12 17:05:07 -07:00
905795ece6
Always mount a /run tmpfs in the container
...
All modern distros set up /run to be a tmpfs, see for instance:
https://wiki.debian.org/ReleaseGoals/RunDirectory
Its a very useful place to store pid-files, sockets and other things
that only live at runtime and that should not be stored in the image.
This is also useful when running systemd inside a container, as it
will try to mount /run if not already mounted, which will fail for
non-privileged container.
Docker-DCO-1.1-Signed-off-by: Alexander Larsson <alexl@redhat.com> (github: alexlarsson)
2014-05-12 21:41:04 +02:00
30a40de205
Merge pull request #5748 from crosbymichael/libcontainer-bindmounts
...
libcontainer: Create dirs/files as needed for bind mounts
2014-05-12 12:27:18 -07:00
cc678a7078
Remove newline char in error message
...
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-05-12 12:24:30 -07:00
fee1bbd79e
Correct a comment in libcontainer Mount Namespace setup.
...
Docker-DCO-1.1-Signed-off-by: Vishnu Kannan <vishnuk@google.com> (github: vishh)
2014-05-12 19:01:36 +00:00
70ef53f25e
libcontainer: Create dirs/files as needed for bind mounts
...
If you specify a bind mount in a place that doesn't have a file yet we
create that (and parent directories). This is needed because otherwise
you can't use volumes like e.g. /dev/log, as that gets covered by the
/dev tmpfs mounts.
Docker-DCO-1.1-Signed-off-by: Alexander Larsson <alexl@redhat.com> (github: alexlarsson)
2014-05-12 09:57:15 +02:00
62bfef59f7
Use int64 instead of int
...
Docker-DCO-1.1-Signed-off-by: Guillaume J. Charmes <guillaume@charmes.net> (github: creack)
2014-05-11 06:23:53 -07:00
2af030ab57
beam/data: Message.GetOne() returns the last value set at a key
...
This is a convenience for callers which are only interested in one value
per key. Similar to how HTTP headers allow multiple keys per value, but
are often used to store and retrieve only one value.
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-05-09 17:01:27 -07:00
0aeff69e59
Fix stdin handling in engine.Sender and engine.Receiver
...
This introduces a superficial change to the Beam API:
* `beam.SendPipe` is renamed to the more accurate `beam.SendRPipe`
* `beam.SendWPipe` is introduced as a mirror to `SendRPipe`
There is no other change in the beam API.
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-05-09 15:39:55 -07:00
7673e3c589
Merge pull request #5673 from tianon/kcore-error
...
Update restrict.Restrict to both show the error message when failing to mount /dev/null over /proc/kcore, and to ignore "not exists" errors while doing so (for when CONFIG_PROC_KCORE=n in the kernel)
2014-05-08 10:20:19 -07:00
718154b3b6
Merge pull request #5535 from vmarmol/add-maintainers-cgroup
...
Adding Rohit Jnagal and Victor Marmol to pkg/cgroups maintainers.
2014-05-08 09:48:31 -07:00
d60301edb8
Update restrict.Restrict to both show the error message when failing to mount /dev/null over /proc/kcore, and to ignore "not exists" errors while doing so (for when CONFIG_PROC_KCORE=n in the kernel)
...
Docker-DCO-1.1-Signed-off-by: Andrew Page <admwiggin@gmail.com> (github: tianon)
2014-05-08 01:03:45 -06:00
77098d5b5b
use tabwriter to display usage in mflag
...
Docker-DCO-1.1-Signed-off-by: Victor Vieux <vieux@docker.com> (github: vieux)
2014-05-06 21:31:21 +00:00
5c12a27838
Merge pull request #5631 from vmarmol/cpuacct-usage
...
Export cpuacct CPU usage in total cores over the sampled period.
2014-05-06 11:47:55 -07:00
543e60eb60
Export cpuacct CPU usage in total cores over the sampled period.
...
Docker-DCO-1.1-Signed-off-by: Victor Marmol <vmarmol@google.com> (github: vmarmol)
2014-05-06 16:56:39 +00:00
818648ff9f
Merge pull request #5630 from rjnagal/libcontainer-fixes
...
Check supplied hostname before using it.
2014-05-06 09:49:52 -07:00
7e3a1b6521
Merge pull request #5629 from vmarmol/fix-systemd-softlimit
...
Remove support for MemoryReservation in systemd systems.
2014-05-06 09:48:33 -07:00
69d43b2674
Remove support for MemoryReservation in systemd systems. This has been
...
deperecated since systemd 208.
Docker-DCO-1.1-Signed-off-by: Victor Marmol <vmarmol@google.com> (github: vmarmol)
2014-05-06 15:53:38 +00:00
14f65ab83b
pkg: networkfs: etchosts: fixed tests
...
This patch fixes the fact that the tests for pkg/networkfs/etchosts
couldn't build due to syntax errors.
Docker-DCO-1.1-Signed-off-by: Aleksa Sarai <cyphar@cyphar.com> (github: cyphar)
2014-05-07 00:42:22 +10:00
53f38a14cd
add linked containers to hosts file
...
Docker-DCO-1.1-Signed-off-by: Bryan Murphy <bmurphy1976@gmail.com> (github: bmurphy1976)
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
Tested-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-05-05 19:40:27 -07:00
0b15944cb0
Merge pull request #5354 from alexlarsson/cgroups-systemd-fixes
...
cgroups: Update systemd to match fs backend
2014-05-05 16:00:56 -07:00
3744452ecf
add resolvconf
...
Docker-DCO-1.1-Signed-off-by: Victor Vieux <vieux@docker.com> (github: vieux)
2014-05-05 22:55:32 +00:00
a1a029f6d7
add etchosts
...
Docker-DCO-1.1-Signed-off-by: Victor Vieux <vieux@docker.com> (github: vieux)
2014-05-05 22:43:38 +00:00
2165a4993b
Merge pull request #5602 from crosbymichael/libcontainer-enable
...
Improve libcontainer namespace and cap format
2014-05-05 13:50:08 -07:00
99be235332
Merge pull request #5400 from bmatsuo/5398-fix-pkg/graphdb-osx
2014-05-05 13:41:43 -07:00
db5f6b4aa0
Improve libcontainer namespace and cap format
...
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-05-05 12:34:21 -07:00
412324cfbe
Check supplied hostname before using it.
...
Docker-DCO-1.1-Signed-off-by: Rohit Jnagal <jnagal@google.com> (github: rjnagal)
2014-05-05 18:12:25 +00:00
5b094530c0
cgroups: Update systemd to match fs backend
...
This updates systemd.Apply to match the fs backend by:
* Always join blockio controller (for stats)
* Support CpusetCpus
* Support MemorySwap
Also, it removes the generic UnitProperties in favour of a single
option to set the slice.
Docker-DCO-1.1-Signed-off-by: Alexander Larsson <alexl@redhat.com> (github: alexlarsson)
2014-05-05 20:06:44 +02:00
3a1f0dedc7
Merge pull request #5556 from crosbymichael/no-restrict-lxc
...
Don't restrict lxc because of apparmor
2014-05-02 17:20:27 -07:00
a7ccbfd5f1
Month devpts before mounting subdirs
...
Docker-DCO-1.1-Signed-off-by: Guillaume J. Charmes <guillaume@charmes.net> (github: creack)
2014-05-02 13:55:45 -07:00
59fe77bfa6
Don't restrict lxc because of apparmor
...
We don't have the flexibility to do extra things with lxc because it is
a black box and most fo the magic happens before we get a chance to
interact with it in dockerinit.
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-05-02 11:14:24 -07:00
1c5a3123cc
Merge pull request #5529 from crosbymichael/restrict-proc
...
Mount /proc and /sys read-only, except in privileged containers
2014-05-02 10:52:53 -07:00
76fa7d588a
Apply apparmor before restrictions
...
There is not need for the remount hack, we use aa_change_onexec so the
apparmor profile is not applied until we exec the users app.
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-05-01 19:09:12 -07:00
71e3757174
Adding Rohit Jnagal and Victor Marmol to pkg/libcontainer maintainers.
...
Docker-DCO-1.1-Signed-off-by: Victor Marmol <vmarmol@google.com> (github: vmarmol)
2014-05-01 15:51:38 -07:00
91b5fe8502
Adding Rohit Jnagal and Victor Marmol to pkg/cgroups maintainers.
...
Docker-DCO-1.1-Signed-off-by: Victor Marmol <vmarmol@google.com> (github: vmarmol)
2014-05-01 15:48:16 -07:00
24e0df8136
Fix /proc/kcore mount of /dev/null
...
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-05-01 15:26:58 -07:00
3f74bdd93f
Mount attr and task as rw for selinux support
...
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-05-01 15:26:58 -07:00
f5139233b9
Update restrictions for better handling of mounts
...
This also cleans up some of the left over restriction paths code from
before.
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-05-01 15:26:58 -07:00
83982e8b1d
Update to enable cross compile
...
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-05-01 15:26:58 -07:00
1c4202a614
Mount /proc and /sys read-only, except in privileged containers.
...
It has been pointed out that some files in /proc and /sys can be used
to break out of containers. However, if those filesystems are mounted
read-only, most of the known exploits are mitigated, since they rely
on writing some file in those filesystems.
This does not replace security modules (like SELinux or AppArmor), it
is just another layer of security. Likewise, it doesn't mean that the
other mitigations (shadowing parts of /proc or /sys with bind mounts)
are useless. Those measures are still useful. As such, the shadowing
of /proc/kcore is still enabled with both LXC and native drivers.
Special care has to be taken with /proc/1/attr, which still needs to
be mounted read-write in order to enable the AppArmor profile. It is
bind-mounted from a private read-write mount of procfs.
All that enforcement is done in dockerinit. The code doing the real
work is in libcontainer. The init function for the LXC driver calls
the function from libcontainer to avoid code duplication.
Docker-DCO-1.1-Signed-off-by: Jérôme Petazzoni <jerome@docker.com> (github: jpetazzo)
2014-05-01 15:26:58 -07:00
de191e8632
skip apparmor with dind
...
Docker-DCO-1.1-Signed-off-by: Victor Vieux <vieux@docker.com> (github: vieux)
2014-05-01 22:22:08 +00:00
cac0cea03f
drop CAP_SYSLOG capability
...
Kernel capabilities for privileged syslog operations are currently splitted into
CAP_SYS_ADMIN and CAP_SYSLOG since the following commit:
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ce6ada35bdf710d16582cc4869c26722547e6f11
This patch drops CAP_SYSLOG to prevent containers from messing with
host's syslog (e.g. `dmesg -c` clears up host's printk ring buffer).
Closes #5491
Docker-DCO-1.1-Signed-off-by: Eiichi Tsukata <devel@etsukata.com> (github: Etsukata)
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-05-01 11:43:55 -07:00
fe4a25546a
Merge pull request #5515 from crosbymichael/refactor-libcontainer2
...
Remove CommandFactory and NsInit interface
2014-05-01 11:41:54 -07:00
24f9187a04
beam: Add simple framing system for UnixConn
...
This is needed for Send/Recieve to correctly handle borders between
the messages.
The framing uses a single 32bit uint32 length for each frame, of which
the high bit is used to indicate whether the message contains a file
descriptor or not. This is enough to separate out each message sent
and to decide to which message each file descriptors belongs, even
though multiple Sends may be coalesced into a single read, and/or one
Send can be split into multiple writes.
Docker-DCO-1.1-Signed-off-by: Alexander Larsson <alexl@redhat.com> (github: alexlarsson)
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-05-01 11:06:01 -07:00
d0bee79394
Remove container.json from readme
...
No need to duplicate this information when we already have a
container.json file in the root of libcontainer
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-30 18:52:15 -07:00
da0d6dbd7b
Make native driver use Exec func with different CreateCommand
...
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-30 18:49:24 -07:00
aa9705f832
Fix execin with environment and Enabled support
...
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-30 18:24:47 -07:00
60e4276f5a
Integrate new structure into docker's native driver
...
This duplicates some of the Exec code but I think it it worth it because
the native driver is more straight forward and does not have the
complexity have handling the type issues for now.
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-30 18:20:01 -07:00
176c49d7a9
Remove command factory and NsInit interface from libcontainer
...
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-30 17:55:15 -07:00
b6b0dfdba7
Export more functions from libcontainer
...
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-30 17:18:07 -07:00
aecb9c39ab
Split term files to make it easier to manage
...
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-30 17:04:24 -07:00
a3e96abb5a
Export syncpipe fields
...
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-30 17:02:45 -07:00
26ac05c8bc
Merge pull request #5511 from crosbymichael/refactor-libcontainer
...
Refactor: remove statewriter type and all callback for process start
2014-04-30 16:50:57 -07:00
be013c7820
Merge pull request #5512 from crosbymichael/set-freezer
...
Add ability to set cgroups freezer
2014-04-30 16:50:01 -07:00
5f6fda8cfd
Add ability to set cgroups freezer
...
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-30 16:07:12 -07:00
f110401437
Remove statewriter interface, export more libcontainer funcs
...
This temp. expands the Exec method's signature but adds a more robust
way to know when the container's process is actually released and begins
to run. The network interfaces are not guaranteed to be up yet but this
provides a more accurate view with a single callback at this time.
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-30 15:52:40 -07:00
cd8cec854b
Export SetupUser
...
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-30 15:27:59 -07:00
162dafbcd5
Remove logger from nsinit struct
...
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-30 15:24:18 -07:00
bfedf247a4
Merge pull request #5498 from tianon/better-apparmor-missing-error
2014-04-30 15:16:43 -07:00
2a711d16e0
Merge pull request #5448 from crosbymichael/selinux-defaults
...
Add selinux label support for processes and mount
2014-04-30 14:14:39 -07:00
2fc5bed61d
Merge pull request #5506 from crosbymichael/add-system-maintainer
...
Add system maintainers
2014-04-30 14:14:21 -07:00
e88ef454b7
Merge pull request #5464 from tianon/close-leftover-fds
2014-04-30 12:27:52 -07:00
6203d8b462
Add system maintainers
...
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-30 12:01:06 -07:00
99284a24e7
FIXES #5398 : pkg/graphdb build only dependent on cgo tag
...
Docker-DCO-1.1-Signed-off-by: Bryan Matsuo <bryan.matsuo@gmail.com> (github: bmatsuo)
2014-04-30 11:57:10 -06:00
defecac279
Fix various MAINTAINERS format inconsistencies
...
Docker-DCO-1.1-Signed-off-by: Andrew Page <admwiggin@gmail.com> (github: tianon)
2014-04-30 11:22:11 -06:00
e802b69146
beam: Add more tests to unix_test.go
...
These are failing, and indicate things that need to be fixed. The
primarily problem is the lack of framing between beam messages.
Docker-DCO-1.1-Signed-off-by: Alexander Larsson <alexl@redhat.com> (github: alexlarsson)
[solomon@docker.com: rebased on master]
Signed-off-by: Solomon Hykes <solomon@docker.com>
2014-04-30 02:10:09 -07:00
a1a9baf926
Update pkg/apparmor to provide a better error message when apparmor_parser cannot be found
...
Docker-DCO-1.1-Signed-off-by: Andrew Page <admwiggin@gmail.com> (github: tianon)
2014-04-29 23:19:21 -06:00
d5d62ff955
Close extraneous file descriptors in containers
...
Without this patch, containers inherit the open file descriptors of the daemon, so my "exec 42>&2" allows us to "echo >&42 some nasty error with some bad advice" directly into the daemon log. :)
Also, "hack/dind" was already doing this due to issues caused by the inheritance, so I'm removing that hack too since this patch obsoletes it by generalizing it for all containers.
Docker-DCO-1.1-Signed-off-by: Andrew Page <admwiggin@gmail.com> (github: tianon)
2014-04-29 16:45:28 -06:00
bf59e67232
Merge pull request #5476 from rjnagal/libcontainer-fixes
...
Cleanup cgroups on Set failures
2014-04-29 12:27:31 -07:00
070747a213
Cleanup existing controllers when cleanup fails mid-way.
...
Docker-DCO-1.1-Signed-off-by: Rohit Jnagal <jnagal@google.com> (github: rjnagal)
2014-04-29 18:59:20 +00:00
0c7143b323
Add mountlabel to dev
...
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-29 03:41:44 -07:00
46e05ed2d9
Update process labels to be set at create not start
...
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-29 03:40:05 -07:00
12934ef3a4
Fix SELinux errors caused by multi-threading
...
Occasionally the selinux_test program will fail because we are setting file
context based on the Process ID but not the TID. THis change will always
use the TID to set SELinux labels.
Docker-DCO-1.1-Signed-off-by: Daniel Walsh <dwalsh@redhat.com> (github: rhatdan)
Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: crosbymichael)
2014-04-29 03:40:05 -07:00
b7942ec2ca
This patch reworks the SELinux patch to be only run on demand by the daemon
...
Added --selinux-enable switch to daemon to enable SELinux labeling.
The daemon will now generate a new unique random SELinux label when a
container starts, and remove it when the container is removed. The MCS
labels will be stored in the daemon memory. The labels of containers will
be stored in the container.json file.
When the daemon restarts on boot or if done by an admin, it will read all containers json files and reserve the MCS labels.
A potential problem would be conflicts if you setup thousands of containers,
current scheme would handle ~500,000 containers.
Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)
Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: crosbymichael)
2014-04-29 03:40:05 -07:00
f0e6e135a8
Initial work on selinux patch
...
This has every container using the docker daemon's pid for the processes
label so it does not work correctly.
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-29 03:40:05 -07:00
69d56acd45
Merge pull request #5455 from rjnagal/cgroup-stats
...
Add throttling stats for cpu cgroup
2014-04-28 17:53:37 -07:00
d724242297
Another test to check for invalid stats.
...
Docker-DCO-1.1-Signed-off-by: Rohit Jnagal <jnagal@google.com> (github: rjnagal)
2014-04-29 00:32:05 +00:00
61f156d521
Add cpu throttling stats.
...
Docker-DCO-1.1-Signed-off-by: Rohit Jnagal <jnagal@google.com> (github: rjnagal)
2014-04-29 00:18:18 +00:00
5b3f7851d8
Merge pull request #5451 from vmarmol/add-memory-stats
...
Adding a unit test for stats in pkg/cgroup/fs/memory.go
2014-04-28 16:38:34 -07:00
eb6a1c9f49
Merge pull request #5449 from tianon/remove-libcontainer-root-special-case
...
Remove "root" and "" special cases in libcontainer
2014-04-28 16:29:08 -07:00
c44c51e3ce
Merge branch 'master' into libcontainer-fixes
...
Conflicts:
pkg/libcontainer/README.md
pkg/libcontainer/container.json
Docker-DCO-1.1-Signed-off-by: Rohit Jnagal <jnagal@google.com> (github: rjnagal)
2014-04-28 23:04:04 +00:00
76f95294a3
Adding a unit test for pkg/cgroup/fs/memory.go
...
Docker-DCO-1.1-Signed-off-by: Victor Marmol <vmarmol@google.com> (github: vmarmol)
2014-04-28 22:58:25 +00:00
d98069030d
Remove "root" and "" special cases in libcontainer
...
These are unnecessary since the user package handles these cases properly already (as evidenced by the LXC backend not having these special cases).
I also updated the errors returned to match the other libcontainer error messages in this same file.
Also, switching from Setresuid to Setuid directly isn't a problem, because the "setuid" system call will automatically do that if our own effective UID is root currently: (from `man 2 setuid`)
setuid() sets the effective user ID of the calling process. If the
effective UID of the caller is root, the real UID and saved set-user-
ID are also set.
Docker-DCO-1.1-Signed-off-by: Andrew Page <admwiggin@gmail.com> (github: tianon)
2014-04-28 16:46:03 -06:00
b386f2f558
Merge pull request #5412 from vmarmol/add-blkio-test
...
Adding a test for blkio stats.
2014-04-28 12:50:20 -07:00
3c5bac0348
Merge pull request #5394 from vmarmol/add-croup-memory-stats
...
Add memory usage and max usage stats.
2014-04-28 12:44:34 -07:00
f4055ee2a4
Adding a test for blkio stats.
...
Also adds a test utility we can use for other cgroup tests.
Docker-DCO-1.1-Signed-off-by: Victor Marmol <vmarmol@google.com> (github: vmarmol)
2014-04-26 07:29:13 +00:00
44140f7909
Merge pull request #5411 from crosbymichael/lockdown
...
Update default restrictions for exec drivers
2014-04-26 03:27:56 +03:00
8cdb720d26
Updated sample config to be usable. We should change the namespace
...
config to not need "value" later.
Docker-DCO-1.1-Signed-off-by: Rohit Jnagal <jnagal@google.com> (github: rjnagal)
2014-04-25 21:10:23 +00:00
24f978094d
Updated sample config and README to match the default template for
...
native execdriver.
Docker-DCO-1.1-Signed-off-by: Rohit Jnagal <jnagal@google.com> (github: rjnagal)
2014-04-25 06:02:30 +00:00
ad924959a9
Add memory usage and max usage stats.
...
Docker-DCO-1.1-Signed-off-by: Victor Marmol <vmarmol@google.com> (github: vmarmol)
2014-04-25 02:51:28 +00:00
580c2620e7
Improved README formatting.
...
Docker-DCO-1.1-Signed-off-by: Rohit Jnagal <jnagal@google.com> (github: rjnagal)
2014-04-25 01:23:48 +00:00
569b234135
Add enabled option to namespaces and capabilities spec in
...
container.json. Although we don't yet check for enabled everywhere.
Docker-DCO-1.1-Signed-off-by: Rohit Jnagal <jnagal@google.com> (github: rjnagal)
2014-04-25 01:10:11 +00:00
0aacca3ae6
Fix typos in nsinit logs.
...
Docker-DCO-1.1-Signed-off-by: Rohit Jnagal <jnagal@google.com> (github: rjnagal)
2014-04-25 00:20:14 +00:00
14b2a9de87
Fix container.json sample to be loadable by nsinit.
...
Docker-DCO-1.1-Signed-off-by: Rohit Jnagal <jnagal@google.com> (github: rjnagal)
2014-04-25 00:17:45 +00:00
f188b9f623
Separating cgroup Memory and MemoryReservation.
...
This will allow for these to be set independently. Keep the current Docker behavior where Memory and MemoryReservation are set to the value of Memory.
Docker-DCO-1.1-Signed-off-by: Victor Marmol <vmarmol@google.com> (github: vmarmol)
2014-04-24 11:09:38 -07:00
d5c9f61ecc
Ignore isnot exists errors for proc paths
...
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-24 10:35:20 -07:00
fa5cabf9fe
Update init for new apparmor import path
...
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-24 10:35:20 -07:00
2d31aeb911
Update container.json and readme
...
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-24 10:35:20 -07:00
7a0b361066
Move capabilities into security pkg
...
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-24 10:35:20 -07:00
156987c118
Move mounts into types.go
...
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-24 10:35:20 -07:00
a949d39f19
Move rest of console functions to pkg
...
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-24 10:35:20 -07:00
05b611574f
Refactor mounts into pkg to make changes easier
...
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-24 10:35:20 -07:00
de3d51b0a8
Move console into its own package
...
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-24 10:35:20 -07:00
5ba1242bdc
Mount over dev and only copy allowed nodes in
...
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-24 10:35:20 -07:00
81e5026a6a
No not mount sysfs by default for non privilged containers
...
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-24 10:35:20 -07:00
60a90970bc
Add restrictions to proc in libcontainer
...
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-24 10:35:19 -07:00
d26ea78e42
Move apparmor into security sub dir
...
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-24 10:35:19 -07:00
264dc8a46b
Add support for cpu hardcapping to cgroups.
...
Docker-DCO-1.1-Signed-off-by: Rohit Jnagal <jnagal@google.com> (github: rjnagal)
2014-04-24 14:43:02 +00:00
bf51f36d8f
Fix Go formatting in beam and dockerscript
...
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-04-22 16:16:29 -07:00
0bf2109121
pkg/dockerscript: add MAINTAINERS file
...
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-04-22 15:50:24 -07:00
bc6303f15d
beam/examples/beamsh: 'chdir' changes the current directory
...
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-04-22 15:50:24 -07:00
6ce4d2c842
beam/examples/beamsh: 'exec' can communicate with its child via beam.
...
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-04-22 15:50:24 -07:00
271ba18043
beam/examples/beamsh: use beam.Router to simplify 'multiprint' and fix job passthrough
...
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-04-22 15:50:23 -07:00
0d08d36bf5
beam: new routing functions Route.KeyEquals, Route.KeyIncludes, Route.NoKey
...
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-04-22 15:50:23 -07:00
30424f4e3a
beam/examples/beamsh: use beam.Router to simplify 'trace'
...
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-04-22 15:50:23 -07:00
d3df4b5baf
beam/examples/beamsh: move builtins to a separate file for readability
...
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-04-22 15:50:23 -07:00
0822d67b2d
beam/examples/beamsh: simplify commands by always creating and sending stdout and stderr for them
...
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-04-22 15:50:23 -07:00
63fd2ec0f7
beam/examples/beamsh: use beam.Router to simplify 'logger'
...
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-04-22 15:50:23 -07:00
9206b18818
beam/examples/beamsh: use beam.Router to simplify the 'stdio' command
...
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-04-22 15:50:23 -07:00
8f5435e80c
beam: Router can route beam messages with a convenient set of rules and handlers
...
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-04-22 15:50:23 -07:00
40b4f86eab
beam/examples/beamsh: move example scripts to scripts/
...
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-04-22 15:50:22 -07:00
1fb0bf1b3b
beam: Fix double close of fds in SendUnix
...
Instead of calling syscall.Close() on the fds in sendUnix() we call
Close() on the *os.File in Send(). Otherwise the fd will be closed, but
the *os.File will continue to live, and when it is finalized the
fd will be closed (which by then may be reused and can be anything).
This also adds a note to Send() the the file is closed.
Docker-DCO-1.1-Signed-off-by: Alexander Larsson <alexl@redhat.com> (github: alexlarsson)
2014-04-22 15:50:22 -07:00
a88d8d678b
beam: more unit tests
...
This adds testing to SendConn.
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-04-22 15:50:22 -07:00
06df94d55b
beam/examples/beamsh: add scripts to reproduce various bugs
...
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-04-22 15:50:22 -07:00
d0ca66dded
beam/examples/beamsh: fix 'print' to be pass-through
...
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-04-22 15:50:22 -07:00
b97375fc29
beam/examples/beamsh: rename 'log' to 'logger' to avoid conflict with stdout/stderr
...
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-04-22 15:50:22 -07:00
a2b88b4915
beam/examples/beamsh: 'prompt' asks the user for a value and sends it.
...
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-04-22 15:50:22 -07:00
ed62ca5b2f
beam/examples/beamsh: commands are messages.
...
Commands in the pipeline should either implement or pass-through command messages.
This amounts to a proof-of-concept implementation of the "pipeline"
design of Docker plugins.
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-04-22 15:50:22 -07:00
2f4b8b7e8d
beam/examples/beamsh: cosmetic fix in Fatalf
...
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-04-22 15:50:22 -07:00
4f92ffb500
beam: replace SendPair() with the simpler SendConn()
...
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-04-22 15:50:21 -07:00
5833e78887
beam/examples/beamsh: miniserver.ds demo
...
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-04-22 15:50:21 -07:00
70d3262161
beam: improve the API with Sender/Receiver interfaces and utilities: Copy/SendPipe/SendPair
...
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-04-22 15:50:21 -07:00
b0228d94be
beam: Make extracted Fds CloseOnExec
...
Grab forklock to make sure no forks accidentally inherit the new fds
before they are made CLOEXEC There is a slight race condition between
ReadMsgUnix returns and when we grap the lock, so this is not
perfect. Unfortunately There is no way to pass MSG_CMSG_CLOEXEC to
recvmsg() nor any way to implement non-blocking i/o in go, so this is
hard to fix.
Docker-DCO-1.1-Signed-off-by: Alexander Larsson <alexl@redhat.com> (github: alexlarsson)
2014-04-22 15:50:21 -07:00
207e604bad
beam/examples/beamsh: add a few example dockerscripts
...
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-04-22 15:50:21 -07:00
29ddf2be1e
beam/examples/beamsh: simplify code by using sendWPipe utility
...
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-04-22 15:50:21 -07:00
1dc449e11d
beam/examples/beamsh: move code around for readability
...
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-04-22 15:50:21 -07:00
3a2b31a30b
beam/examples/beamsh: 'exec' adds 'fromcmd' field to its output
...
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-04-22 15:50:21 -07:00
7534f7a34b
beam/examples/beamsh: simple 'log' command tees streams to a local directory
...
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-04-22 15:50:21 -07:00
4f5b94d369
beam/examples/beamsh: 'render' and 'beamsh -x'
...
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-04-22 15:50:20 -07:00
4ebe7aab91
beam/examples/beamsh: run commands in an implicit context of pre-loaded 'plugins'
...
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-04-22 15:50:20 -07:00
cd85af06fe
beam/examples/beamsh: convenience commands 'devnull', 'echo' and 'stdio'
...
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-04-22 15:50:20 -07:00
6d9cdbf24f
beam/examples/beamsh: 'emit' supports key=value syntax to compose arbitrary objects
...
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-04-22 15:50:20 -07:00
2b81fb8424
dockerscript: '=' is not a special character
...
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-04-22 15:50:20 -07:00
6e0a156d90
beam/examples/beamsh: support for background commands with '&' terminator
...
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-04-22 15:50:20 -07:00
08686f1d21
beam/data: Message.Parse creates a message from shell-style 'key=value' arguments
...
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-04-22 15:50:20 -07:00
ffe19414b1
dockerscript: support '#' line comments
...
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-04-22 15:50:20 -07:00
e1c8dbba97
beam/examples/beamsh: scripts can be passed as filenames
...
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-04-22 15:50:20 -07:00
222fc87ade
beam/examples/beamsh: remote communication over beam (experimental).
...
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-04-22 15:50:20 -07:00
371f6fc63d
beam/examples/beamsh: 'in' chdirs to a directory. 'pass' does simple passthrough
...
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-04-22 15:50:19 -07:00
6d5c75a224
beam/examples/beamsh: 'beamsend' command serializes all messages and sends them over a network connection
...
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-04-22 15:50:19 -07:00
5ddf673851
beam/examples/beamsh: 'exec' command correctly closes stdout and stderr when the process exists
...
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-04-22 15:50:19 -07:00
e512fef425
beam/examples/beamsh: don't print discarded messages in Devnull
...
This avoids false alarms when process exits without printing. Devnull
doesn't require synchronization.
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-04-22 15:50:19 -07:00
34c5724b89
beam/examples/beamsh: more useful debugging
...
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-04-22 15:50:19 -07:00
a5bc75d406
beam/data: expose EncodeString for convenience access to the underlying netstring primitive
...
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-04-22 15:50:19 -07:00
fb1af1f0bc
beam/examples/beamsh: utility function 'fileToConn'
...
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-04-22 15:50:19 -07:00
74b90c25d9
beam/examples/beamsh: 'connect' command
...
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-04-22 15:50:19 -07:00
dff9854305
beam/examples/beamsh: 'exec' and 'listen' commands
...
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-04-22 15:50:19 -07:00
3686d50429
beam/examples/beamsh: prettier devnull
...
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-04-22 15:50:18 -07:00
c9b8e0fcac
beam/data: prettier Message.Pretty()
...
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-04-22 15:50:18 -07:00
d7a2ae8e13
beam/examples/beamsh: prettier 'trace' command
...
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-04-22 15:50:18 -07:00
eca6fecb59
beam/data: convenience Message.Pretty() function
...
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-04-22 15:50:18 -07:00
d4920b3fff
beam/examples/beamsh: basic implementation of the pipeline design, with static handlers for now.
...
In the pipeline design, several beam commands can be run concurrently,
with their respective inputs and outputs connected in such a way that
beam messages flow from the first to last. This is similar to the way
a unix shell executes commands in a pipeline: instead of STDIN and
STDOUT, each beam command has a "BEAMIN" and "BEAMOUT".
Since beam allows for richer communication than plain byte streams, beam
pipelines can express more powerful computation, while retaining the
fundamental elegance and ease of use of unix-style composition.
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-04-22 15:50:18 -07:00
ec288895e5
beam/examples/beamsh: better debugging messages
...
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-04-22 15:50:18 -07:00
ab2010cfd3
beam/examples/beamsh: simple 'exec' command
...
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-04-22 15:50:18 -07:00
5689792171
beam/examples/beamsh: catch introspection calls from jobs for proper nesting
...
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-04-22 15:50:18 -07:00
bcd31405cf
beam: fix FD leaks in SendPipe
...
This fixes file descriptor leaks in the SendPipe function.
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-04-22 15:50:18 -07:00
1737063904
beam: more hooks for interactive debugging
...
This inserts low-level hooks for interactive step-by-step debugging.
Hooks are triggered by setting the *TEST* environment variable.
This is particularly useful for tracking down file descriptor leaks,
double-closing, or other issues which are difficult to debug with
the usual toolbox.
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-04-22 15:50:17 -07:00
6072dec9e7
beam/examples/beamsh: first try at nested execution
...
The "wiring" is broken because engine does not keep a reference for handling introspection calls.
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-04-22 15:50:17 -07:00
8697490740
beam/examples/beamsh: fix a bug in the log command
...
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-04-22 15:50:17 -07:00
488fe61354
beam/data: convenience Message.Get
...
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-04-22 15:50:17 -07:00
460c98d92d
beam/examples/beamsh: use beam/data
...
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-04-22 15:50:17 -07:00
5bcf2a736c
beam/data: Message.Bytes() convenience method
...
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-04-22 15:50:17 -07:00
99dda11d45
beam/data: fix a bug in encoding of multi-value maps
...
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-04-22 15:50:17 -07:00
276fb1918d
beam/data: convenience Message type for chained manipulation
...
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-04-22 15:50:17 -07:00
916372c76f
Beam: remove leftover debugging messages
...
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-04-22 15:50:17 -07:00
cb66e8c136
beam/examples/beamsh: hide debug messages in examples/beamsh by default
...
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-04-22 15:50:17 -07:00
97a2c0ebe6
beam/data: a simple format for sending structured data over beam
...
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-04-22 15:50:16 -07:00
771e493457
beam/examples/beamsh: more bells and whistles for demos
...
* Automatically switch to interactive mode when stdin is a terminal
* Basic implementation of "responses"
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-04-22 15:50:16 -07:00
851c1b05d0
Beam: fix bug in beamsh which 'swapped' FDs because of underlying implementation of net.FileConn
...
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-04-22 15:50:16 -07:00
4481e80636
pkg/dockerscript: <!> is not a special character
...
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-04-22 15:50:16 -07:00
07c03944ff
Beam: don't close the attachment FD when closing superfluous FDs
...
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-04-22 15:50:16 -07:00
8875cdf561
Beam: debugging hooks for easy step-by-step inspection of the FD table
...
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-04-22 15:50:16 -07:00
f586dcf307
beam/examples/beamsh: use 'log' command to pass stdout
...
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-04-22 15:50:16 -07:00
d00a6b7648
beam/examples/beamsh: basic execution of commands, with in-process beam and dummy handlers
...
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-04-22 15:50:16 -07:00
f0933a91b0
pkg/dockerscript: remove debug messages
...
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-04-22 15:50:16 -07:00
5c14c3ada5
pkg/dockerscript: '.' is not a special character
...
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-04-22 15:50:15 -07:00
f94a18677a
Beam: Send: pass the underlying error unchanged to allow io.EOF detection
...
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-04-22 15:50:15 -07:00
11f2531da6
pkg/dockerscript: expose a simple, clean API with a single Parse method
...
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-04-22 15:50:15 -07:00
7f00a3b665
beam/examples/beamsh: correctly parse nested commands
...
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-04-22 15:50:15 -07:00
fd890136a9
dockerscript: patch text/scanner to use a shell-like syntax instead of the default go-like syntax
...
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-04-22 15:50:15 -07:00
cd8ddacdc7
pkg/dockerscript: a simple shell-like syntax to express docker operations
...
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-04-22 15:50:15 -07:00
be470f2497
Beam: beamsh is a mini-shell which runs processes and communicates with them over beam
...
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-04-22 15:50:15 -07:00
0e42c7d889
Beam: basic test harness for the unix socket implementation.
...
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-04-22 15:50:15 -07:00
59853c188d
Beam: USocketPair returns a *net.UnixConn socket pair for convenience.
...
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-04-22 15:50:15 -07:00
c401c43cae
Beam: fix file descriptor leaks
...
* Close all file descriptors successfully sent as attachment
* Close duplicate file descriptors created by net.FileCon and net.UnixConn.File
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-04-22 15:50:15 -07:00
b637e5f04a
Beam: change the prototype of SendPipe() to return a *net.UnixSocket
...
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-04-22 15:50:14 -07:00
188c2ef806
Beam: allow sending messages without attachments.
...
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-04-22 15:50:14 -07:00
3960da04c8
Beam: convenience functions Listen and Connect
...
These convenience functions expose a familiar face to the unknown and bizarre world of beam networking.
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-04-22 15:50:14 -07:00
5957e6b385
Beam: a simple stream-oriented communication protocol for distributed systems.
...
This patch includes a stripped down implementation with a bare minimum
unix socket transport. It relies on fd passing for stream multiplexing.
The purpose of this first patch is to allow implementation of dynamic
linking, which will allow advanced service discovery.
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-04-22 15:50:14 -07:00
7816712457
Merge pull request #5328 from crosbymichael/refactor-cgroups
...
Refactor cgroups into subsystems and support metrics
2014-04-21 14:06:17 -07:00
c0d5eac120
Merge pull request #5223 from crosbymichael/load-profile
...
Use apparmor parser directly
2014-04-21 21:50:59 +03:00
813cebc64f
Merge branch 'master' into load-profile
...
Conflicts:
daemon/execdriver/native/create.go
daemon/execdriver/native/driver.go
Docker-DCO-1.1-Signed-off-by: Guillaume J. Charmes <guillaume@charmes.net> (github: creack)
2014-04-21 10:32:13 -07:00
ac814ee3c7
Make sure @proc is defined
...
Docker-DCO-1.1-Signed-off-by: Guillaume J. Charmes <guillaume@charmes.net> (github: creack)
2014-04-21 10:28:04 -07:00
004cf556e8
Use cgo to get systems clock ticks for metrics
...
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-21 10:26:22 -07:00
f59be989dc
Refactor stat parsing to use only 8 fields
...
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-20 20:45:08 -07:00
2f24b5a9dc
work on cpu stats
...
Docker-DCO-1.1-Signed-off-by: Evan Hazlett <ejhazlett@gmail.com> (github: ehazlett)
2014-04-21 00:07:05 -04:00
bce49dff0d
Add freezer stats
...
This one is a problem because the most useful stat is a string and not a
float like verything else. We may have to change the return type
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-20 18:35:33 -07:00
3bfe13de2c
Reuse cpuacct stats for cpu subsystem
...
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-20 18:20:44 -07:00
37248039e1
Fix parsing of blkio files
...
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-20 18:18:17 -07:00
7f12260fd1
Add external function to get cgroup stats
...
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-20 17:36:20 -07:00
9b65f16355
Refactor stats and add them to all subsystems
...
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-20 12:02:39 -07:00
86e34ce59f
Squashed commit of the following:
...
commit 75af1649b063abbc5d662fd2f8bc4ff62c927687
Author: Evan Hazlett <ejhazlett@gmail.com>
Date: Sun Apr 20 01:32:42 2014 -0400
more refactor
commit 43b36d0f15d634497127bcb17dacaa70ae92e903
Author: Evan Hazlett <ejhazlett@gmail.com>
Date: Sun Apr 20 01:11:49 2014 -0400
refactored cgroup param parsing to util func
commit e3738b0168a075bd92ec828879b0e46bdbbe3845
Author: Evan Hazlett <ejhazlett@gmail.com>
Date: Sun Apr 20 00:57:19 2014 -0400
dat error checking
commit 57872bcc59403ecd308cfe97c78f73d6ca58d165
Author: Evan Hazlett <ejhazlett@gmail.com>
Date: Sun Apr 20 00:43:25 2014 -0400
proper use of fmt.Errorf
commit 43dad6acc0cb21aac2b04ce074699879898ee820
Author: Evan Hazlett <ejhazlett@gmail.com>
Date: Sun Apr 20 00:36:45 2014 -0400
proper placement of defer
commit b7f20b934b2bc92cd39397dbc608b77bff28493c
Author: Evan Hazlett <ejhazlett@gmail.com>
Date: Sun Apr 20 00:34:39 2014 -0400
defers, error checking, panic avoidance
commit 7a9a6ff267f8806dfe6676486f73fe89b72968fb
Author: Evan Hazlett <ejhazlett@gmail.com>
Date: Sun Apr 20 00:22:00 2014 -0400
data param to use container info instead of host
commit 0e0cf7309be1644687160d6519db792b23cd26e9
Author: Evan Hazlett <ejhazlett@gmail.com>
Date: Sun Apr 20 00:11:29 2014 -0400
added stats for cpuacct, memory, and blkio
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-20 11:34:28 -07:00
7fdeda8717
Add remove method to subsystems
...
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-18 22:17:31 -07:00
e92f2fd395
Break down groups into subsystems
...
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-18 22:10:30 -07:00
06db0604e5
Move raw cgroups into fs package (filesystem)
...
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-18 21:34:26 -07:00
ec43ec50b4
Move systemd code into pkg
...
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-18 21:30:08 -07:00
42fb2973c6
Refactor cgroups file locations
...
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-18 21:14:58 -07:00
92ea101bc4
SQLite is also available in FreeBSD
...
Docker-DCO-1.1-Signed-off-by: Kato Kazuyoshi <kato.kazuyoshi@gmail.com> (github: kzys)
2014-04-17 07:19:30 +09:00
3754fdd7ca
Support FreeBSD on pkg/mount
...
Docker-DCO-1.1-Signed-off-by: Kato Kazuyoshi <kato.kazuyoshi@gmail.com> (github: kzys)
2014-04-15 23:16:51 +09:00
Michael Crosby
Michael Crosby
Alexandr Morozov
Victor Vieux
Victor Marmol
Sridhar Ratnakumar
Bernerd Schaefer
lalyos
Guillaume J. Charmes
Victor Vieux
Guillaume J. Charmes
Alexander Larsson
unclejack
Vishnu Kannan
Solomon Hykes
Tianon Gravi
cyphar
Bryan Murphy
Rohit Jnagal
Jérôme Petazzoni
Eiichi Tsukata
Bryan Matsuo
Dan Walsh
Evan Hazlett
Kato Kazuyoshi