When working with Go channels you must not set it to nil or else the
channel will block forever. It will not panic reading from a nil chan
but it blocks. The correct way to do this is to create the channel then
close it as the correct results to the caller will be returned.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Upstream-commit: 7061a993c5b620d6e68450f1b90f3458bfa1add0
Component: engine
container.
docker run -v /dev:/dev should stop mounting other default mounts in i
libcontainer otherwise directories and devices like /dev/ptx get mishandled.
We want to be able to run libvirtd for launching vms and it needs
access to the hosts /dev. This is a key componant of OpenStack.
Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)
Upstream-commit: fe9fe1473cc54c4d2962391d6fa05ecc1c2c96f1
Component: engine
This ensures that the libcontainer state is fully removed for a
container after it is terminated.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Upstream-commit: 06c939e5279eb62b9088202a27d02d67c1cba6a5
Component: engine
The default for rlimit handling should be to inherit the rlimit of the
daemon unless explicitly set.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Upstream-commit: f5a154f2d2b2bea5054ae35314d15021a8bf8ae4
Component: engine
Add a --readonly flag to allow the container's root filesystem to be
mounted as readonly. This can be used in combination with volumes to
force a container's process to only write to locations that will be
persisted. This is useful in many cases where the admin controls where
they would like developers to write files and error on any other
locations.
Closes#7923Closes#8752
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Upstream-commit: 409407091a7282d0c4086b71e86397e2d089ba13
Component: engine
We want to be able to use container without the PID namespace. We basically
want containers that can manage the host os, which I call Super Privileged
Containers. We eventually would like to get to the point where the only
namespace we use is the MNT namespace to bring the Apps userspace with it.
By eliminating the PID namespace we can get better communication between the
host and the clients and potentially tools like strace and gdb become easier
to use. We also see tools like libvirtd running within a container telling
systemd to place a VM in a particular cgroup, we need to have communications of the PID.
I don't see us needing to share PID namespaces between containers, since this
is really what docker exec does.
So currently I see us just needing docker run --pid=host
Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)
Upstream-commit: 23feaaa240853c0e7f9817f8c2d272dd1c93ac3f
Component: engine
This commit contains changes for docker:
* user.GetGroupFile to user.GetGroupPath docker/libcontainer#301
* Add systemd support for OOM docker/libcontainer#307
* Support for custom namespaces docker/libcontainer#279, docker/libcontainer#312
* Fixes#9699docker/libcontainer#308
Signed-off-by: Alexander Morozov <lk4d4@docker.com>
Upstream-commit: 50905a6d6ce2fdd1ab0c33ec0b7a26895e0cbeea
Component: engine
Some workloads rely on IPC for communications with other processes. We
would like to split workloads between two container but still allow them
to communicate though shared IPC.
This patch mimics the --net code to allow --ipc=host to not split off
the IPC Namespace. ipc=container:CONTAINERID to share ipc between containers
If you share IPC between containers, then you need to make sure SELinux labels
match.
Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)
Upstream-commit: 497fc8876ede9924f61c0eee4dfadd71e5d9f537
Component: engine
Since the containers can handle the out of memory kernel kills gracefully, docker
will only provide out of memory information as an additional metadata as part of
container status.
Docker-DCO-1.1-Signed-off-by: Vishnu Kannan <vishnuk@google.com> (github: vishh)
Upstream-commit: f96e04ffc7973e290653044cc86dbc1efb18276d
Component: engine
We removed the syncpipe package and replaced it with specific calls to
create a new *os.File from a specified fd passed to the process. This
reduced code and an extra object to manage the container's init
lifecycle.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Upstream-commit: ed556fb38f4d1cba1460650f703cc8147a7b8f32
Component: engine
Right now, MAC addresses are randomly generated by the kernel when
creating the veth interfaces.
This causes different issues related to ARP, such as #4581, #5737 and #8269.
This change adds support for consistent MAC addresses, guaranteeing that
an IP address will always end up with the same MAC address, no matter
what.
Since IP addresses are already guaranteed to be unique by the
IPAllocator, MAC addresses will inherit this property as well for free.
Consistent mac addresses is also a requirement for stable networking (#8297)
since re-using the same IP address on a different MAC address triggers the ARP
issue.
Finally, this change makes the MAC address accessible through docker
inspect, which fixes#4033.
Signed-off-by: Andrea Luzzardi <aluzzardi@gmail.com>
Upstream-commit: 88e21c6a75310da158bbee3a5fdc135697c93ba1
Component: engine
Add --security-opts options to allow user to customize container labels and apparmor profile
Upstream-commit: d40ab6f1238c78ea84645e516f1f24d7991798b0
Component: engine
This also removes dead code in the native driver for a past feature that
was never fully implemented.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Upstream-commit: 32dca1a7b0e800d796e54fc8f253818ba64fa075
Component: engine
This is needed for persistent namespaces
Signed-off-by: Alexandr Morozov <lk4d4math@gmail.com>
Upstream-commit: 623ebf203bc4f4e6ddefdd494f201a1401ab72a6
Component: engine
