The stime syscall is a legacy syscall on some architectures
to set the clock, should be blocked as time is not namespaced.
Signed-off-by: Justin Cormack <justin.cormack@unikernel.com>
Upstream-commit: 6300a08be905969b16197f6a82a3d0d99a3f99cd
Component: engine
clock_adjtime is the new posix style version of adjtime allowing
a specific clock to be specified. Time is not namespaced, so do
not allow.
Signed-off-by: Justin Cormack <justin.cormack@unikernel.com>
Upstream-commit: 0e5c43cddad304301ca8a82f652e15f75ee68cfe
Component: engine
This is a new version of init_module that takes a file descriptor
rather than a file name.
Signed-off-by: Justin Cormack <justin.cormack@unikernel.com>
Upstream-commit: 0d5306a0b69c912a981f3a4bd41b80beb1207851
Component: engine
The original umount syscall without flags argument needs to
be blocked too.
Signed-off-by: Justin Cormack <justin.cormack@unikernel.com>
Upstream-commit: 9be0d93cf74d1bb31c401f1154abc773af31cbd6
Component: engine
It's used for updating properties of one or more containers, we only
support resource configs for now. It can be extended in the future.
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
Upstream-commit: 8799c4fc0feadede6ae60e77bd7d9dfd7cc72a79
Component: engine
- Make the API client library completely standalone.
- Move windows partition isolation detection to the client, so the
driver doesn't use external types.
Signed-off-by: David Calavera <david.calavera@gmail.com>
Upstream-commit: 7ac4232e70fe7cf7318333cd0890db7f95663079
Component: engine
Whether a shared/slave volume propagation will work or not also depends on
where source directory is mounted on and what are the propagation properties
of that mount point. For example, for shared volume mount to work, source
mount point should be shared. For slave volume mount to work, source mount
point should be either shared/slave.
This patch determines the mount point on which directory is mounted and
checks for desired minimum propagation properties of that mount point. It
errors out of configuration does not seem right.
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Upstream-commit: d4b4ce2588d02acd3602d42b788c6b36ab9b01e5
Component: engine
Ubuntu 14.04 LTS is on apparmor 2.8.95.
This enables `ps` inside a container without causing
audit log entries on the host.
Signed-off-by: Joel Hansson <joel.hansson@ecraft.com>
Upstream-commit: 6480feb7668851d3878bf36eedc5fd8ffa789e25
Component: engine
It means that containers will be created under root cgroup and not under
daemon cgroup.
Signed-off-by: Alexander Morozov <lk4d4@docker.com>
Upstream-commit: 4b55765c11b3ae3bc02385ad17fe2a3c419e71bc
Component: engine
It will Tar up contents of child directory onto tmpfs if mounted over
This patch will use the new PreMount and PostMount hooks to "tar"
up the contents of the base image on top of tmpfs mount points.
Signed-off-by: Dan Walsh <dwalsh@redhat.com>
Upstream-commit: b3e527dfd242ad30c0297c8b257862116cf2c50e
Component: engine
libcontainer v0.0.4 introduces setting `/proc/self/oom_score_adj` to
better tune oom killing preferences for container process. This patch
simply integrates OomScoreAdj libcontainer's config option and adjust
the cli with this new option.
Signed-off-by: Antonio Murdaca <amurdaca@redhat.com>
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
Upstream-commit: d3af7f283d8dc0be67be48e14cd740fbeb690f7a
Component: engine
Adjust the docker-default profile for when the docker daemon is running in
AppArmor confinement. To enable 'docker kill' we need to allow the container
to receive kill signals from the daemon.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Upstream-commit: 5cd6b3eca236df06e66777b15932b1a7fbb2e954
Component: engine
Our implementation of systemd cgroups is mixture of systemd api and
plain filesystem api. It's hard to keep it up to date with systemd and
it already contains some nasty bugs with new versions. Ideally it should
be replaced with some daemon flag which will allow to set parent systemd
slice.
Signed-off-by: Alexander Morozov <lk4d4@docker.com>
Upstream-commit: 419fd7449fe1a984f582731fcd4d9455000846b0
Component: engine
