Commit Graph

135 Commits

Author SHA1 Message Date
Abin Shahab 3bd3f7854a Restored removed docker init options
Signed-off-by: Abin Shahab <ashahab@altiscale.com> (github: ashahab-altiscale)
2015-02-24 16:59:04 +00:00
Abin Shahab 1a26ed09ee Implements stats for lxc driver
Implements stats and fixes stats test.

Signed-off-by: Abin Shahab <ashahab@altiscale.com> (github: ashahab-altiscale)
2015-02-23 10:16:52 +00:00
Abin Shahab 9c744cb454 Fixes apparmor regression
Signed-off-by: Abin Shahab <ashahab@altiscale.com> (github: ashahab-altiscale)
Docker-DCO-1.1-Signed-off-by: Abin Shahab <ashahab@altiscale.com> (github: ashahab-altiscale)
2015-01-22 07:06:46 +00:00
Abin Shahab 3ca5af6b1a Adds ipc namespace capability to lxc, and fixes tests.
This fixes various tests by checking for non zero exit code, accounting for lxc-specific base-diffs, and by removing lxc specific environment vars.
It also adds the --share-ipc option to lxc-start for shared ipc namespaces.
Signed-off-by: Abin Shahab <ashahab@altiscale.com> (github: ashahab-altiscale)
Docker-DCO-1.1-Signed-off-by: Abin Shahab <ashahab@altiscale.com> (github: ashahab-altiscale)
2015-01-21 06:08:00 +00:00
Michael Crosby 4f174aa792 Evict stopped containers
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2015-01-20 20:21:46 -08:00
Michael Crosby 65f58e2a74 Implement container stats collection in daemon
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2015-01-20 20:21:46 -08:00
Abin Shahab d821c63e0d use lxc.auto.mount to ensure proc and sys are readonly
Set lxc.auto.mount = proc:mixed in unprivilged mode. This ensures that lxc mounts sys and proc/sysrq-trigger as readonly.
Signed-off-by: Abin Shahab <ashahab@altiscale.com> (github: ashahab-altiscale)
Docker-DCO-1.1-Signed-off-by: Abin Shahab <ashahab@altiscale.com> (github: ashahab-altiscale)
2015-01-18 09:27:16 +00:00
Abin Shahab bff3509e43 SEND CAPABILITY IDS TO LXC
Sending capability ids instead of capability names ot LXC for --cap-add and --cap-drop.
Also fixed tests.

Docker-DCO-1.1-Signed-off-by: Abin Shahab <ashahab@altiscale.com> (github: ashahab-altiscale)
2015-01-17 04:01:52 +00:00
Michael Crosby 582a79f00a Update lxc with libcontainer SetupUser change
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2015-01-12 10:43:33 -08:00
Abin Shahab f91650376a LXC TEMPLATE ALLOWS IPV4 OVERRIDE
This fixes the issue where an lxc.conf override of lxc.network.ipv4 was not being honored.

Docker-DCO-1.1-Signed-off-by: Abin Shahab <ashahab@altiscale.com> (github: ashahab-altiscale)
2014-12-25 20:06:59 +00:00
Alexander Morozov e7d086c2be Fix vet errors about unkeyed fields
Signed-off-by: Alexander Morozov <lk4d4@docker.com>
2014-12-12 10:44:59 -08:00
Abin Shahab fdf7457683 LXC CAP ADD CAP DROP IN TEMPLATE
Added cap-drop and cap-add in lxc template
Docker-DCO-1.1-Signed-off-by: Abin Shahab <ashahab@altiscale.com> (github: ashahab-altiscale)
2014-12-05 23:08:22 +00:00
Michael Crosby 1bac8f5322 Merge pull request #9039 from ashahab-altiscale/8617-lxc-volume
Have lxc create mount points if they don't exist
2014-11-18 17:24:16 -08:00
Michael Crosby 5c863f983d Merge pull request #9107 from ashahab-altiscale/9062-linked-container
Share network namespace of containers with lxc
2014-11-13 18:25:38 -08:00
Michael Crosby 08f5edce30 Merge pull request #8479 from vishh/OOM
Provide Out Of Memory information in container status
2014-11-12 14:15:29 -08:00
Abin Shahab adb07b53e0 LINKED CONTAINER ID PASSED TO LXC
This passed the --net=container:CONTINER_ID to lxc-start as --share-net
Docker-DCO-1.1-Signed-off-by: Abin Shahab <ashahab@altiscale.com> (github: ashahab-altiscale)
2014-11-11 09:10:15 +00:00
unclejack 6f8e42ac74 execdriver/lxc: add comment to MAINTAINERS
Docker-DCO-1.1-Signed-off-by: Cristian Staretu <cristian.staretu@gmail.com> (github: unclejack)
2014-11-08 16:27:25 +02:00
Vishnu Kannan 46f2944977 Address comments.
Docker-DCO-1.1-Signed-off-by: Vishnu Kannan <vishnuk@google.com> (github: vishh)
2014-11-08 00:14:08 +00:00
Vishnu Kannan f96e04ffc7 This patch adds ability in docker to detect out of memory conditions in containers.
Since the containers can handle the out of memory kernel kills gracefully, docker
will only provide out of memory information as an additional metadata as part of
container status.
Docker-DCO-1.1-Signed-off-by: Vishnu Kannan <vishnuk@google.com> (github: vishh)
2014-11-08 00:14:08 +00:00
Abin Shahab b36bf98174 LXC TEMPLATE WILL CREATE MOUNT
Lxc driver was throwing errors for mounts where the mount point does not exist in the container.
This adds a create=dir/file mount option to the lxc template, to alleviate this issue.

Docker-DCO-1.1-Signed-off-by: Abin Shahab <ashahab@altiscale.com> (github: ashahab-altiscale)
2014-11-06 02:14:03 +00:00
unclejack acd64278f1 pkg/reexec: move reexec code to a new package
Docker-DCO-1.1-Signed-off-by: Cristian Staretu <cristian.staretu@gmail.com> (github: unclejack)
2014-10-30 14:48:30 +02:00
Alexandr Morozov ee7dd44c01 Mass gofmt
Signed-off-by: Alexandr Morozov <lk4d4@docker.com>
2014-10-24 15:11:48 -07:00
Alexandr Morozov 7c62cee51e Use logrus everywhere for logging
Fixed #8761

Signed-off-by: Alexandr Morozov <lk4d4@docker.com>
2014-10-24 15:03:06 -07:00
Albert Zhang 210db1234d Fix lxc driver build issue on Mac OS X
Docker-DCO-1.1-Signed-off-by: Albert Zhang <zhgwenming@gmail.com> (github: zhgwenming)
2014-10-17 09:41:23 +08:00
Michael Crosby 32dca1a7b0 Strongly type exec driver context
This also removes dead code in the native driver for a past feature that
was never fully implemented.

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2014-09-29 22:40:26 +00:00
Victor Vieux 0913009ebe Merge pull request #8191 from vieux/improve_error_exec_lxc
Improve error for docker exec & LXC
2014-09-25 15:58:21 -07:00
Victor Vieux ab30e19b96 Improve error for docker exec & LXC
Signed-off-by: Victor Vieux <vieux@docker.com>
2014-09-23 21:47:33 +00:00
Alexandr Morozov 623ebf203b Persistent directory for container in execdriver
This is needed for persistent namespaces

Signed-off-by: Alexandr Morozov <lk4d4math@gmail.com>
2014-09-22 22:48:26 +04:00
Vishnu Kannan f3c767d798 Adding Exec method to native execdriver.
Modified Attach() method to support docker exec.

Docker-DCO-1.1-Signed-off-by: Vishnu Kannan <vishnuk@google.com> (github: vishh)
2014-09-15 16:57:52 +00:00
Daniel, Dao Quang Minh 4b3b54ca38 fix console attribute in lxc template
commit 4aa5da278f moves `Console` from Command to
ProcessConfig, but missed the change in lxc_template. Therefore creating a
container with tty using lxc driver with fail with error

template: lxc:60:20: executing "lxc" at <.Console>: Console is not a field of
struct type struct { *execdriver.Command; AppArmor bool; ProcessLabel string; MountLabel string }

This changes lxc_console template to refers to `.ProcessConfig.Console`

Docker-DCO-1.1-Signed-off-by: Daniel, Dao Quang Minh <dqminh89@gmail.com> (github: dqminh)
2014-09-09 13:51:13 -04:00
Vishnu Kannan 3a7e07355a Rename 'StdConfig' to 'StreamConfig'.
Docker-DCO-1.1-Signed-off-by: Vishnu Kannan <vishnuk@google.com> (github: vishh)
2014-09-01 14:31:01 -07:00
Vishnu Kannan 4aa5da278f Refactoring execdriver.Command and Container structs to support 'docker exec' and other
similar features in the future.

Docker-DCO-1.1-Signed-off-by: Vishnu Kannan <vishnuk@google.com> (github: vishh)
2014-09-01 14:30:16 -07:00
Josiah Kiehl a02f67be5b Extract log utils into pkg/log
Docker-DCO-1.1-Signed-off-by: Josiah Kiehl <josiah@capoferro.net> (github: capoferro)
2014-08-13 15:18:15 -07:00
Alexandr Morozov 391c35c822
Fix go vet warnings
Signed-off-by: Alexandr Morozov <lk4d4math@gmail.com>
2014-08-13 11:37:30 +04:00
Michael Crosby 7321067176 Use argv0 as reexec implementation for dockerinit
This changes the way the exec drivers work by not specifing a -driver
flag on reexec.  For each of the exec  drivers they register their own
functions that will be matched aginst the argv 0 on exec and called if
they match.

This also allows any functionality to be added to docker so that the
binary can be reexec'd and any type of function can be called.  I moved
the flag parsing on docker exec to the specific initializers so that the
implementations do not bleed into one another.  This also allows for
more flexability within reexec initializers to specify their own flags
and options.

Signed-off-by: Michael Crosby <michael@docker.com>
2014-08-11 11:47:21 -07:00
Tianon Gravi 89ec17d113 Replace "amd64" build tags with "cgo" as appropriate, and remove where unnecessary
Signed-off-by: Andrew Page <admwiggin@gmail.com>
2014-08-06 17:20:21 -06:00
Tianon Gravi 60341f80d7 Purge the bits of pkg/system that moved to libcontainer/system
Signed-off-by: Andrew Page <admwiggin@gmail.com>
2014-08-02 01:35:04 -06:00
Vishnu Kannan d82bb603af Make lxc driver rbind all user specified mounts.
Docker-DCO-1.1-Signed-off-by: Vishnu Kannan <vishnuk@google.com> (github: vishh)
2014-07-30 02:23:24 +00:00
Victor Vieux ac3eecf3db Merge pull request #7062 from crosbymichael/fix-lxc-caps
Fix cap drop issues with lxc
2014-07-28 16:19:08 -07:00
Victor Vieux 5a0ef08c94 gofmt -s -w
Docker-DCO-1.1-Signed-off-by: Victor Vieux <vieux@docker.com> (github: vieux)
2014-07-24 22:25:29 +00:00
Victor Vieux b3ee9ac74e update go import path and libcontainer
Docker-DCO-1.1-Signed-off-by: Victor Vieux <vieux@docker.com> (github: vieux)
2014-07-24 22:19:50 +00:00
Michael Crosby 0d67b420b5 Make tty term exec driver specific
lxc is special in that we cannot create the master outside of the
container without opening the slave because we have nothing to provide to the
cmd.  We have to open both then do the crazy setup on command right now instead of
passing the console path to lxc and telling it to open up that console.  we save a couple of
openfiles in the native driver because we can do this.
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@docker.com> (github: crosbymichael)
2014-07-16 16:57:49 -07:00
Victor Vieux 6d238c6fba Merge pull request #6797 from zhgwenming/master
make /.dockerinit bind mount driver specific
2014-07-16 16:01:43 -07:00
Michael Crosby 50b580cfec Use : to split caps in sysinit flags
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@docker.com> (github: crosbymichael)
2014-07-16 13:40:10 -07:00
Michael Crosby 47917135da Fix cap drop issues with lxc
This uses "," instead of spaces so that the flags are parsed correctly
and also does not do a strings.Split on an empty string because
strings.Split will return a slice with one element, and empty string
causing parsing to fail when it validates that the cap exists.
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@docker.com> (github: crosbymichael)
2014-07-16 12:14:26 -07:00
Albert Zhang b3b6e05f26 since moved the ./dockerinit mount into lxc driver, fix the lxc testcase accordingly
Docker-DCO-1.1-Signed-off-by: Albert Zhang <zhgwenming@gmail.com> (github: zhgwenming)
2014-07-15 07:56:19 -04:00
Victor Vieux c04230c42b add check for invalid caps
Docker-DCO-1.1-Signed-off-by: Victor Vieux <vieux@docker.com> (github: vieux)
2014-07-11 23:43:21 +00:00
Victor Vieux f3ff323fb3 small refactoring
Docker-DCO-1.1-Signed-off-by: Victor Vieux <vieux@docker.com> (github: vieux)
2014-07-11 23:43:21 +00:00
Victor Vieux 21059af3ac Basic --cap-add and --cap-drop support for lxc
Docker-DCO-1.1-Signed-off-by: Victor Vieux <vieux@docker.com> (github: vieux)
2014-07-11 23:43:21 +00:00
Kato Kazuyoshi dda0ce6459 Skip lxc_template_unit_test.go on non-Linux platforms
It doesn't work without lxc-start.

Docker-DCO-1.1-Signed-off-by: Kato Kazuyoshi <kato.kazuyoshi@gmail.com> (github: kzys)
2014-06-29 17:11:30 +09:00
Michael Crosby cee6f4506c Update libcontainer references
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@docker.com> (github: crosbymichael)
2014-06-24 11:31:03 -07:00
Michael Crosby 707ef9618b Update close fd issues for lxc
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@docker.com> (github: crosbymichael)
2014-06-19 16:02:21 -04:00
Michael Crosby d31ae5aed8 Use libcontainer cap drop method
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@docker.com> (github: crosbymichael)
2014-06-19 16:00:53 -04:00
Dinesh Subhraveti cf331cdd6a Maintain a whitelist of capabilities rather than droplist
This fixes 6/18 vulnerability

Docker-DCO-1.1-Signed-off-by: Dinesh Subhraveti <dineshs@altiscale.com> (github: dineshs-altiscale)
2014-06-19 03:34:04 -04:00
Michael Crosby c99ee556d4 Merge pull request #6060 from dineshs-altiscale/maintainers
Add Dinesh Subhraveti to MAINTAINERS
2014-06-11 14:37:01 -07:00
Michael Crosby 8194556337 Update libcontainer imports
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-06-10 19:58:15 -07:00
Michael Crosby bae6a5a616 Gofmt imports
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-06-09 16:01:57 -07:00
Michael Crosby 6158ccad97 Move libcontainer deps into libcontainer
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-06-09 15:52:12 -07:00
Ian Main b054569cde Add ability to pause/unpause containers via cgroups freeze
This patch adds pause/unpause to the command line, api, and drivers
for use on containers.  This is implemented using the cgroups/freeze
utility in libcontainer and lxc freeze/unfreeze.

Co-Authored-By: Eric Windisch <ewindisch@docker.com>
Co-Authored-By: Chris Alfonso <calfonso@redhat.com>
Docker-DCO-1.1-Signed-off-by: Ian Main <imain@redhat.com> (github: imain)
2014-06-04 13:33:44 -06:00
Albert Zhang b611198d28 mount of /.dockerinit is not needed for native driver, so move it into lxc driver
Docker-DCO-1.1-Signed-off-by: Albert Zhang <zhgwenming@gmail.com> (github: zhgwenming)
2014-06-03 18:13:54 +08:00
Shane Canon f9705477d0 Fix for setuid race condition in LXC driver
This is a fix for a race condition in the LXC driver.  This is described
more in issue #6092.

Closes #6092

Docker-DCO-1.1-Signed-off-by: Shane Canon <scanon@lbl.gov> (github: scanon)
2014-05-31 10:42:48 -07:00
Michael Crosby 69989b7c06 Ensure all dev nodes are copied for privileged
This also makes sure that devices are pointers to avoid copies
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-05-30 18:39:11 -07:00
unclejack 0ef637722f Merge pull request #6097 from timthelion/consistentdevices
Refactor device handling code
2014-05-31 03:34:52 +03:00
Timothy Hobbs 608702b980 Refactor device handling code
We now have one place that keeps track of (most) devices that are allowed and created within the container.  That place is pkg/libcontainer/devices/devices.go

This fixes several inconsistencies between which devices were created in the lxc backend and the native backend.  It also fixes inconsistencies between wich devices were created and which were allowed.  For example, /dev/full was being created but it was not allowed within the cgroup.  It also declares the file modes and permissions of the default devices, rather than copying them from the host.  This is in line with docker's philosphy of not being host dependent.

Docker-DCO-1.1-Signed-off-by: Timothy Hobbs <timothyhobbs@seznam.cz> (github: https://github.com/timthelion)
2014-05-30 19:21:29 +00:00
Victor Marmol 5e2af07137 Merge pull request #5868 from jhspaybar/5749-libcontainerroutes
libcontainer support for arbitrary route table entries
2014-05-28 10:50:56 -07:00
William Thurston bf7f360dca Fixes #5749
libcontainer support for arbitrary route table entries

Docker-DCO-1.1-Signed-off-by: William Thurston <me@williamthurston.com> (github: jhspaybar)
2014-05-28 17:42:02 +00:00
Michael Crosby 5310e8575f Update lxc to use cmd.Wait()
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-05-27 13:52:05 -07:00
Dinesh Subhraveti 249524ec49 Add Dinesh Subhraveti to MAINTAINERS
Docker-DCO-1.1-Signed-off-by: Dinesh Subhraveti <dineshs@altiscale.com> (github: dineshs-altiscale)
2014-05-27 16:45:17 -04:00
Erik Hollensbe 92e41a02ce Add Wait() calls in the appropriate spots
Docker-DCO-1.1-Signed-off-by: Erik Hollensbe <github@hollensbe.org> (github: erikh)
2014-05-27 12:26:56 -07:00
Tianon Gravi 8e967fe802 Revert "Always mount a /run tmpfs in the container"
This reverts commit 905795ece6.

Docker-DCO-1.1-Signed-off-by: Andrew Page <admwiggin@gmail.com> (github: tianon)
2014-05-21 14:28:19 -06:00
Michael Crosby 0f27894094 Fix network mode for lxc 1.0
Fixes #5692

This change requires lxc 1.0+ to work and breaks lxc versions less than
1.0 for host networking.  We think that this is a find tradeoff by
bumping docker to only support lxc 1.0
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-05-20 19:10:23 +00:00
Michael Crosby 3b7a19def6 Move cgroups package into libcontainer
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-05-14 15:21:44 -07:00
Michael Crosby adbe3096e8 Add cpuset cpus support for docker
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-05-13 18:17:12 -07:00
Alexander Larsson 905795ece6 Always mount a /run tmpfs in the container
All modern distros set up /run to be a tmpfs, see for instance:
https://wiki.debian.org/ReleaseGoals/RunDirectory

Its a very useful place to store pid-files, sockets and other things
that only live at runtime and that should not be stored in the image.

This is also useful when running systemd inside a container, as it
will try to mount /run if not already mounted, which will fail for
non-privileged container.

Docker-DCO-1.1-Signed-off-by: Alexander Larsson <alexl@redhat.com> (github: alexlarsson)
2014-05-12 21:41:04 +02:00
Fernando 752c57ae56 Fix bug on LXC container start. Fixes #5718
Docker-DCO-1.1-Signed-off-by: Fernando Mayo <fernando@tutum.co> (github: fermayo)
2014-05-10 18:05:02 -04:00
Michael Crosby 4994b0fe54 Move envconfig generation to lxc driver
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-05-05 14:45:14 -07:00
Michael Crosby a785882b29 Setup host networking for lxc and native
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-05-05 10:08:59 -07:00
Michael Crosby 59fe77bfa6 Don't restrict lxc because of apparmor
We don't have the flexibility to do extra things with lxc because it is
a black box and most fo the magic happens before we get a chance to
interact with it in dockerinit.
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-05-02 11:14:24 -07:00
Michael Crosby f5139233b9 Update restrictions for better handling of mounts
This also cleans up some of the left over restriction paths code from
before.
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-05-01 15:26:58 -07:00
Jérôme Petazzoni 1c4202a614 Mount /proc and /sys read-only, except in privileged containers.
It has been pointed out that some files in /proc and /sys can be used
to break out of containers. However, if those filesystems are mounted
read-only, most of the known exploits are mitigated, since they rely
on writing some file in those filesystems.

This does not replace security modules (like SELinux or AppArmor), it
is just another layer of security. Likewise, it doesn't mean that the
other mitigations (shadowing parts of /proc or /sys with bind mounts)
are useless. Those measures are still useful. As such, the shadowing
of /proc/kcore is still enabled with both LXC and native drivers.

Special care has to be taken with /proc/1/attr, which still needs to
be mounted read-write in order to enable the AppArmor profile. It is
bind-mounted from a private read-write mount of procfs.

All that enforcement is done in dockerinit. The code doing the real
work is in libcontainer. The init function for the LXC driver calls
the function from libcontainer to avoid code duplication.

Docker-DCO-1.1-Signed-off-by: Jérôme Petazzoni <jerome@docker.com> (github: jpetazzo)
2014-05-01 15:26:58 -07:00
Eiichi Tsukata cac0cea03f drop CAP_SYSLOG capability
Kernel capabilities for privileged syslog operations are currently splitted into
CAP_SYS_ADMIN and CAP_SYSLOG since the following commit:
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ce6ada35bdf710d16582cc4869c26722547e6f11

This patch drops CAP_SYSLOG to prevent containers from messing with
host's syslog (e.g. `dmesg -c` clears up host's printk ring buffer).

Closes #5491

Docker-DCO-1.1-Signed-off-by: Eiichi Tsukata <devel@etsukata.com> (github: Etsukata)
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-05-01 11:43:55 -07:00
Tianon Gravi d5d62ff955 Close extraneous file descriptors in containers
Without this patch, containers inherit the open file descriptors of the daemon, so my "exec 42>&2" allows us to "echo >&42 some nasty error with some bad advice" directly into the daemon log. :)

Also, "hack/dind" was already doing this due to issues caused by the inheritance, so I'm removing that hack too since this patch obsoletes it by generalizing it for all containers.

Docker-DCO-1.1-Signed-off-by: Andrew Page <admwiggin@gmail.com> (github: tianon)
2014-04-29 16:45:28 -06:00
Michael Crosby 81e5026a6a No not mount sysfs by default for non privilged containers
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-24 10:35:20 -07:00
Michael Crosby 0779a8c328 Add lxc support for restricting proc
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-24 10:35:20 -07:00
Alexander Larsson 359b7df5d2 Rename runtime/* to daemon/*
Docker-DCO-1.1-Signed-off-by: Alexander Larsson <alexl@redhat.com> (github: alexlarsson)
2014-04-17 14:43:01 -07:00