This repository has been archived by the owner on May 12, 2021. It is now read-only.
bring support for cgroups v2

shortlog:
8541d9cf Fix race checking for process exit and waiting for exec fifo
52951a7c Fix race in tty integration test with slow startup
8ddd8920 libcontainer: add method to get cgroup config from cgroup Manager
cd7c59d0 libcontainer: export createCgroupConfig
41a20b58 Expose network interfaces via runc events
48b055c4 Makefile: allow overriding `docker` command
42690e68 Make event types public
faf1e44e cgroup2: ebpf: increase RLIM_MEMLOCK to avoid BPF_PROG_LOAD error
ccd4436f .travis.yml: add Fedora 31 vagrant box (for cgroup2)
faf673ee cgroup2: port over eBPF device controller from crun
74a3fe5d cgroup2: do not parse /proc/cgroups
9c81440f cgroup2: allow mounting /sys/fs/cgroup in UserNS without unsharing CgroupNS
13919f5d Remove the static_build build tag.
dbd771e4 cgroup2: implement `runc ps`
9996cf7d README.md: clarify cgroup2 support is not ready for production
d918e7f4 cpuset_v2: skip Apply when no limit is specified
033936ef io_v2.go: remove blkio v1 code
a610a848 criu: Ensure other users cannot read c/r files
b28f58f3 Set unified mountpoint in find mnt func
f017e0f9 checkpoint: Set descriptors.json file mode to 0600
4be50fe3 SECURITY: Add Security Policy
2111613c VERSION: back to development
d736ef14 VERSION: update to 1.0.0-rc9
d463f648 *: verify that operations on /proc/... are on procfs
9aef5044 vendor: update github.com/opencontainers/selinux
28e58a0f Support different field counts of cpuaact.stats
84373aaa Add SCMP_ACT_LOG as a valid Seccomp action (#1951)
331692ba Only allow proc mount if it is procfs
af7b6547 libcontainer/nsenter: Don't import C in non-cgo file
718a566e cgroup: support mount of cgroup2
115d4b9e bump golang/protobuf v1.0.0
85c02f3f bump coreos/go-systemd v19, godbus/dbus v5.0.1
21498b8e bump mrunalp/fileutils 7d4729fb36185a7c1719923406c9d40e54fb93c7
eb86f603 bump syndtr/gocapability d98352740cb2c55f81556b63d4a1ec64c5a319c2
1150ce9c bump urfave/cli v1.20.0
8e4f645f bump docker/go-units v0.3.3
0fc06623 bump cyphar/filepath-securejoin v0.2.2
414a39de bump containerd/console 0650fd9eeb50bab4fc99dceb9f2e14cf58f36e7f
de24d733 bump github.com/pkg/errors 0.8.1
4be3c48e Reformat vendor.conf and pin all deps by git-sha
524cb7c3 libcontainer: add systemd.UnifiedManager
ec111368 libcontainer, cgroups: rename systemd.Manager to LegacyManager
1932917b libcontainer: add initial support for cgroups v2
4316e4d0 Bump x/sys and update syscall to start Risc-V support
0bc069d7 nsenter: fix clang-tidy warning
b225ef58 nsenter: minor clean up
e4aa7342 Rename cgroups_windows.go to cgroups_unsupported.go
c740965a libcontainer: update masked paths of /proc
518c8558 Remove libcontainer detection for systemd features
4ca00773 Update vendored dependencies to remove go-systemd/util
588f040a Avoid the dependency on cgo through go-systemd/util package
afc24792 Make get devices function public
9c822e48 cgroups/fs: check nil pointers in cgroup manager
1712af0e man: fix man-pages
f08cdaee Skip searching /dev/.udev for device nodes.
808e809f doc: First process in container needs `Init: true`
5e0e67d7 fix permission denied
351bfb4b integration: remove blkio.weight (unavailable in kernel 5.0)
7e678625 Bump CRIU to 3.12
68cc1a77 Update busybox source and fix runc exec bug
371d13c9 Update bash completion for v1.0.0 release
652297c7 Update dependency libseccomp-golang
6770c869 Allow to define `COMMIT` by env
b54fd85b libcontainer: change seccomp test for clone syscall
6f77e35d Export list of HugePageSizeUnits
c6445b1c Add tests for GetHugePageSize
273e7b74 Fix cgroup hugetlb size prefix for kB
65032b55 libcontainer: fix TestGetContainerState to check configs.NEWCGROUP
8383c724 main: not reopen /dev/stderr
7a9ffa89 Change the permissions of the notify listener socket to rwx for everyone
46351eb3 Move systemd.Manager initialization into a function in that module
62bd2593 VERSION: back to development
425e105d VERSION: release 1.0.0-rc8
8362cd02 Vendor in latest selinux code for keycreate errors
a1460818 Write logs to stderr by default
68b4ff5b Simplify bail logic & minor nsexec improvements
17b37ea3 libcontainer: intelrdt: add missing destroy handler in defer func
475aef10 Remove redundant log function
ba3cabf9 Improve nsexec logging
e7831f2a Update to Go 1.12 and drop obsolete versions
da5a2dd4 `r.destroy` can defer exec in `runner.run` method.
8296826d specconv: always set "type: bind" in case of MS_BIND
c486e3c4 Address comments in PR 1861
feebfac3 Remove pipe close before exec.
9a599f62 Support for logging from children processes
3e6688f5 add selinux label for runc exec
dcf994b4 Fix SELinux failures on disabled SELinux Machines
6b5ee713 VERSION: back to development
69ae5da6 VERSION: release v1.0.0-rc7
eab53309 Fixes regression causing zombie runc:[1:CHILD] processes
9fe7c939 Add a Travis-CI job for systemd cgroup driver
5369f9ad Skip CRIU tests when $RUNC_USE_SYSTEMD for now
d4586090 Update tests that depend on cgroupfs paths to consider systemd cgroups
a9056a34 Add $RUNC_USE_SYSTEMD to use systemd cgroup driver in tests
4b2b9782 Add cgroup name to error message
6f714aa9 Use getenv not secure_getenv
cd96170c Need to setup labeling of kernel keyrings.
472fe623 criu image path permission error in rootless checkpoint
dbf6e48d README: link to /org/security/
2d4a37b4 nsenter: cloned_binary: userspace copy fallback if sendfile fails
16612d74 nsenter: cloned_binary: try to ro-bind /proc/self/exe before copying
af9da0a4 nsenter: cloned_binary: use the runc statedir for O_TMPFILE
2429d593 nsenter: cloned_binary: expand and add pre-3.11 fallbacks
7cb3cde1 fix preserve-fds flag may cause runc hang
5b775bf2 nsenter: cloned_binary: detect and handle short copies
52f4e0fa exec: expose --preserve-fds
f1da0d30 switched travis to xenial
9edb5494 Use vendored in CRIU Go bindings
bfca1e62 Vendor in go-criu
bb7d8b1f nsexec (CVE-2019-5736): avoid parsing environ
cd41feb4 Remove detection for scope properties, which have always been broken
7354546c Create mountpoints also on restore
f661e023 factor out bind mount mountpoint creation
0a8e4117 nsenter: clone /proc/self/exe to avoid exposing host binary to container
ec069fe3 Vendor opencontainers/runtime-spec 29686dbc
4a600c04 Update vendored golang.org/x/sys to latest
565325fc integration: fix mis-use of libcontainer.Factory
dd50c7e3 Add 'org.criu.config' annotation documentation
5f32bb94 Update runc-checkpoint man-page
28a697cc rootfs: umount all procfs and sysfs with --no-pivot
f0192337 systemd: fix setting kernel memory limit
acb75d0e libcontainer: intelrdt: fix null intelrdt path issue in Destroy()
403986c5 Add CRIU patch to fix checkpoint test
6f3e13cc Added test for container specific CRIU configuration files
e1579630 Enable CRIU configuration files
360ba8a2 Update criurpc definition for latest features
0855bce4 Fix .Fatalf() error message
bdf3524b Retry adding pids to cgroups when EINVAL occurs
769d6c4a Fix some typos
dce70cdf cr: get pid from criu notify when restore
8a4629f7 cgroups: nokmem: error out on explicitly-set kmemcg limits
07d1ad44 kill: allow to signal paused containers
30817421 Modify check-config.sh in accordance with Moby Project updates
a0200001 MAINTAINERS: remove @vmarmol
2efedb02 MAINTAINERS: remove @rjnagal
87a18899 may kill other process when container has been stopped
061dfe95 VERSION: back to development
ccb5efd3 VERSION: release v1.0.0~rc6
bc0b0471 Small fixes for CRIU based test cases
37634277 Bump CRIU to 3.11
056909bd Adds note about user ns for rootless containers
48189715 add missing intelRdt parameters in 'runc update' manpage
e2386860 libcontainer: Set 'status' in hook stdin
95af9eff libcontainer: intelrdt: add support for Intel RDT/MBA Software Controller in runc
714a4d46 rootless: fix potential panic in shouldUseRootlessCgroupManager
16d55f17 libcontainer: fix potential panic if spec.Process is nil
95d1aa18 test: fix TestDupNamespaces
f1b1407e readme: add nokmem build tag
1e0d04c6 Makefile: rm cgo tag
6a2c1559 libcontainer: ability to compile without kmem
df3fa115 Add support for cgroup namespace
869add33 rootless: fix running with /proc/self/setgroups set to deny
5c6b9c3c libcontainer: map PidsLimit to systemd's TasksMax property
9a3a8a5e libcontainer: implement CLONE_NEWCGROUP
630fb5b8 Bump Travis versions
6c307f8f libcontainer: intelrdt: add user-friendly diagnostics for Intel RDT operation errors
d59b17d6 libcontainer: intelrdt: Add more check if sub-features are enabled
f0973392 libcontainer: intelrdt: add test cases for Intel RDT/MBA
1ed597bf libcontainer: intelrdt: add update command support for Intel RDT/MBA
27560ace libcontainer: intelrdt: add support for Intel RDT/MBA in runc
c1cece7e libcontainer: intelrdt: add Intel RDT/MBA docs in SPEC.md
bd905416 vendor: bump runtime-spec to 5684b8af48c1
0b412e94 various cleanups to address linter issues
0d011647 Fix travis Go: tip
36f84720 fix build break
1499c746 Move spec.Linux.IntelRdt check to spec.Linux != nil block
26bdc0dc clarify license information
a1d5398a Respect container's cgroup path
5de99cd3 tty: clean up epollConsole closing
ec0d23a9 tty: close epollConsole on errors
40f14684 keyring: handle ENOSYS with keyctl(KEYCTL_JOIN_SESSION_KEYRING)
5963cf2a test: add more test case for CleanPath
06f789cf Disable rootless mode except RootlessCgMgr when executed as the root in userns
feb90346 doc: fix typo
4eb30fcd code optimization: use securejoin.SecureJoin and CleanPath
4fae8fcc code optimization after review
d2d226e8 fix unexpected delete bug when container id is ..
3ce8fac7 libcontainer: add /proc/loadavg to the white list of bind mount
636b6640 linux: drop check for /proc as invalid dest
b34d6d8a libcontainer: CurrentGroupSubGIDs -> CurrentUserSubGIDs
fe3d5c4c Remove unused veth setup code
832ac8a5 tests: add external network namespace tests
fa43a72a criu: restore into existing namespace when specified
b399167f Add docker proxy settings for make test in a proxy environment
62a4763a When doing a copyup, /tmp can not be a shared mount point
4803faf0 cr: don't restore net namespace by default
cb3e35b5 Add missing data to man page
26ec8a97 Revert "libcontainer/rootfs_linux: minor cleanup"
e389f575 Dockerfile: update criu to v3.10 + checkpoint-restore/criu@27034e7c
34ed6269 Update outdated nsenter README content
a2faaa13 Fix duplicate entries and missing entries in getCgroupMountsHelper
0880503b Add an explanation for TESTPATH
3321aa1a Fix regression with mounts with non-absolute source path
b681b58e Fix the problem TESTFLAGS is not to be used in Makefile correctly
8187fb74 cr: don't dump network devices and their configuration
46221e39 criu tests: rename criu feature check
7fb79f31 Add osusergo flag to static build
53fddb54 Pass GOMAXPROCS to init processes
472fcb30 docs: add information about terminals
e5a7c61f Add test for testing cgroup mounts on bedrock linux
5ee0648b Stop relying on number of subsystems for cgroups
823c06ea libcontainer: improve "kernel.{domainname,hostname}" sysctl handling
d18a45f6 Stop using unix.SIGUNUSED which has been removed from golang.org/x/sys
a0e99e7a libcontainer: devices: fix mips builds
39f679c4 travis: test cross compilation
c205e9fb libcontainer: fix compilation on GOARCH=arm GOARM=6 (32 bits)
cbcc85d3 runc: not require uid/gid mappings if euid()==0
aa3fee6c SELinux labels are tied to the thread
bd3c4f84 Fix race in runc exec
63bb0fe9 Fix merge conflict
939d5a37 cgroup: clean up isIgnorableError for skippable EROFS
c9381573 libcontainer: remove extra CAP_SETGID check for SetgroupAttr
b515963c systemd cpu quota ignores -1
fd0febd3 Wrap error messages during init
cdb7f23d main: add condition to isRootless()
f103de57 main: support rootless mode in userns
9c7d8bc1 libcontainer: add parser for /etc/sub{u,g}id and /proc/PID/{u,g}id_map
40680b2d Make the setupSeccomp function public.
1b27db67 libcontainer/rootfs_linux: minor cleanup
165ee453 Make channel for StartTransientUnit buffered
1a506462 nsexec.c: fix GCC 8 warning
4521d4b1 Only configure networking when creating a net ns
0e16bd9b Detect whether Delegate is available on both slices and scopes
8ab251f2 Fix systemd.Apply() to check for DBus error before waiting on a channel.
985628dd libcontainer: Don't set container state to running when exec'ing
73f3dc63 libcontainer: allow setgroup in rootless mode
ed58366c libcontainer: fix Boolmsg alignment
58415b4b Fix error message
4f4af7bf rootless: set sticky bit if using XDG_RUNTIME_DIR
fd3a6e6c libcontainer: handle unset oomScoreAdj corectly
03e58598 rootless: cgroup: treat EROFS as a skippable error
74e961e2 tests: allow to load kernel modules from a test container
43aea059 Label the masked tmpfs with the mount label
0aa6e4e5 libcontainer/specconv/spec_linux: Support empty 'type' for bind mounts
04e95b52 Add timeout while waiting for StartTransinetUnit completion signal from dbus
3d26fc3f cgroups/fs: fix NPE on Destroy than no cgroups are set
e7e303ab Minor wording enhancement in readme
bf749516 libcontainer/user: platform dependent calls
8d7b5731 makefile: make "release" PHONY
10a4cde4 Fix make shell
442a6cff VERSION: back to development
4fc53a81 VERSION: bump to v1.0.0-rc5
2420eb1f The setupUserNamespace function is always called.
8be31629 upgrade criu to v3.7
121c7b45 upgrade to go 1.10 with debian stretch
3f32e729 fix lint error in specconv
0f3d8245 adding go get instruction to readme
59e5b61c Update console dependency to fix runc exec on BE
50dc7ee9 libcontainer/capabilities_linux: Drop os.Getpid() call
7019e1de fix systemd slice expansion so that it could be consumed by cAdvisor
72f92cf9 Warning message if 'go-md2man' is not yet installed
7ac503d1 kill.go: Remove unnecessary checks
be16b136 libcontainer/state_linux_test: Add a testTransitions helper
91ca3314 chroot when no mount namespaces is provided
5a46c2ba nsenter: move namespace creation after userns creation
dd5eb3b9 make: validate C format
5c0af14b Return from goroutine when it should terminate
8d3e6c98 Avoid race when opening exec fifo
862e4911 man: Fix manpages related to console
cd1e7abe libcontainer: expose annotations in hooks
d5b4a3ed Fix race against systemd
a1edc03c Pin version of gojsonschema in tests
db093f62 libcontainer: remove dependency on libapparmor
bb912eb0 libcontainer: Do not wait for signalled processes if subreaper is set
5061fd3e stopped container can't be checkpoint
fec6b0fe Update criu_opts_linux.go
57edfbba specconv: avoid skipping gidmappings applied when uidmappings is empty
0495fece Ensure container tests do not write on the host
93c5f706 vendor: removed more build=ignore vendor
8898b6b4 remove placeholder for non-linux platforms
4d27f20d libcontainer: drop FreeBSD support
38d1e6ec Delete xattr related code
17db6560 support unbindable,runbindable for rootfs propagation
bca53e7b systemd: adjust CPUQuotaPerSecUSec to compensate for systemd internal handling
604dbfbe enable integration test on arm64 platform
03ca562b Remove github.com/docker/docker from vendor
3ca4c78b Import docker/docker/pkg/mount into runc
ab0a6dd2 Add build 1.9 to travis
0aac2368 specconv.Example(): add /proc/scsi to masked paths
dc609cc5 enable unit test on arm64 platform
fdbb9e3e Avoid disk usage explosion when copying busybox
59450147 Use cyphar/filepath-securejoin instead of docker pkg/symlink
780f8ef5 Specconv: Test create command hooks and seccomp setup
1cda65c3 tests: add missing cgroups_kmem requirement
c0e6e12f Test Cgroup creation and memory allocations
ffe5cdc4 tests: add various !terminal tests
ff5075c3 init: correctly handle unmapped stdio with multiple mappings
e9193ba6 Fix breaking change in Seccomp profile behavior
d8921751 libcontainer: intelrdt: fix a GetStats() issue
0eed453b libcontainer: use Major/Minor from x/sys/unix
80988286 propagate argv0 when re-execing from /proc/self/exe
23f4d316 tests: improve rootless_cg testing
d2bc0814 libcontainer: merge common syscall implementations
acb93c9c libcontainer: cgroups: Write freezer state after every state check
5f9284cb Check for negative gid
f55f79d6 Use Int64SliceFlag instead of StringFlag to get additional gids.
7a386c2b Add --additional-gids to runc exec.
472fa3d0 Update Travis config to use trusty-backports libseccomp
bbc847a4 Add integration tests for multi-argument Seccomp filters
03a5a747 Vendor updated libseccomp-golang for bugfix
bfe3058f Make process check more forgiving
eb68b900 Prevent invalid errors from terminate
d4f0f9a5 specconv: emit an error when using MS_PRIVATE with --no-pivot
ca4f427a Support cgroups with limits as rootless
2edd36fd libcontainer: create Cwd when it does not exist
605dc5c8 Set initial console size based on process spec
65918b02 intelrdt: add update command support
2549545d intelrdt: always init IntelRdtManager if Intel RDT is enabled
9c36ffbc make localintegration fails on Ubuntu 17.04
117c9274 rootfs: switch ms_private remount of oldroot to ms_slave
d01050e6 Add support for mips/mips64
9916b791 Put signalMap in a separate file, so it may be arch-specific
602c85fd trailing punctuation in header

Signed-off-by: Julio Montes <[email protected]>