Update libcontainer to d00b8369852285d6a830a8d3b9

Fixes #12015

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
(cherry picked from commit d12fef1515cb3f0938ea6ed8cab8351e2df2753e)

Docker-DCO-1.1-Signed-off-by: Jessie Frazelle <jess@docker.com> (github: jfrazelle)

Docker-DCO-1.1-Signed-off-by: Jessie Frazelle <hugs@docker.com> (github: jfrazelle)
diff --git a/hack/vendor.sh b/hack/vendor.sh
index a822984..be2d856 100755
--- a/hack/vendor.sh
+++ b/hack/vendor.sh
@@ -75,7 +75,7 @@
 mkdir -p src/github.com/docker/distribution
 mv tmp-digest src/github.com/docker/distribution/digest
 
-clone git github.com/docker/libcontainer c8512754166539461fd860451ff1a0af7491c197
+clone git github.com/docker/libcontainer d00b8369852285d6a830a8d3b966608b2ed89705
 # see src/github.com/docker/libcontainer/update-vendor.sh which is the "source of truth" for libcontainer deps (just like this file)
 rm -rf src/github.com/docker/libcontainer/vendor
 eval "$(grep '^clone ' src/github.com/docker/libcontainer/update-vendor.sh | grep -v 'github.com/codegangsta/cli' | grep -v 'github.com/Sirupsen/logrus')"
diff --git a/vendor/src/github.com/docker/libcontainer/apparmor/gen.go b/vendor/src/github.com/docker/libcontainer/apparmor/gen.go
index 825e646..4565f6d 100644
--- a/vendor/src/github.com/docker/libcontainer/apparmor/gen.go
+++ b/vendor/src/github.com/docker/libcontainer/apparmor/gen.go
@@ -67,12 +67,12 @@
 	data := &data{
 		Name: "docker-default",
 	}
-	if tuntablesExists() {
+	if tunablesExists() {
 		data.Imports = append(data.Imports, "#include <tunables/global>")
 	} else {
 		data.Imports = append(data.Imports, "@{PROC}=/proc/")
 	}
-	if abstrctionsEsists() {
+	if abstractionsExists() {
 		data.InnerImports = append(data.InnerImports, "#include <abstractions/base>")
 	}
 	if err := compiled.Execute(out, data); err != nil {
@@ -82,13 +82,13 @@
 }
 
 // check if the tunables/global exist
-func tuntablesExists() bool {
+func tunablesExists() bool {
 	_, err := os.Stat("/etc/apparmor.d/tunables/global")
 	return err == nil
 }
 
 // check if abstractions/base exist
-func abstrctionsEsists() bool {
+func abstractionsExists() bool {
 	_, err := os.Stat("/etc/apparmor.d/abstractions/base")
 	return err == nil
 }
diff --git a/vendor/src/github.com/docker/libcontainer/cgroups/fs/freezer.go b/vendor/src/github.com/docker/libcontainer/cgroups/fs/freezer.go
index fc8241d..1110e5f 100644
--- a/vendor/src/github.com/docker/libcontainer/cgroups/fs/freezer.go
+++ b/vendor/src/github.com/docker/libcontainer/cgroups/fs/freezer.go
@@ -1,6 +1,7 @@
 package fs
 
 import (
+	"fmt"
 	"strings"
 	"time"
 
@@ -41,6 +42,10 @@
 			}
 			time.Sleep(1 * time.Millisecond)
 		}
+	case configs.Undefined:
+		return nil
+	default:
+		return fmt.Errorf("Invalid argument '%s' to freezer.state", string(cgroup.Freezer))
 	}
 
 	return nil
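Review bot: The new `default` branch prints the rejected state with `'%s'` and an explicit `string(...)` conversion, so a state string containing quotes or control characters goes into the error text unescaped. `%q` quotes and escapes the value, and Go error strings are conventionally lowercase: `return fmt.Errorf("invalid argument %q to freezer.state", cgroup.Freezer)`. The enclosing switch and function begin outside the hunk, so whether any caller matches on the current message text is not visible here.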
diff --git a/vendor/src/github.com/docker/libcontainer/cgroups/fs/freezer_test.go b/vendor/src/github.com/docker/libcontainer/cgroups/fs/freezer_test.go
new file mode 100644
index 0000000..9ff1886
--- /dev/null
+++ b/vendor/src/github.com/docker/libcontainer/cgroups/fs/freezer_test.go
@@ -0,0 +1,45 @@
+package fs
+
+import (
+	"testing"
+
+	"github.com/docker/libcontainer/configs"
+)
+
+func TestFreezerSetState(t *testing.T) {
+	helper := NewCgroupTestUtil("freezer", t)
+	defer helper.cleanup()
+
+	helper.writeFileContents(map[string]string{
+		"freezer.state": string(configs.Frozen),
+	})
+
+	helper.CgroupData.c.Freezer = configs.Thawed
+	freezer := &FreezerGroup{}
+	if err := freezer.Set(helper.CgroupPath, helper.CgroupData.c); err != nil {
+		t.Fatal(err)
+	}
+
+	value, err := getCgroupParamString(helper.CgroupPath, "freezer.state")
+	if err != nil {
+		t.Fatalf("Failed to parse freezer.state - %s", err)
+	}
+	if value != string(configs.Thawed) {
+		t.Fatal("Got the wrong value, set freezer.state failed.")
+	}
+}
+
+func TestFreezerSetInvalidState(t *testing.T) {
+	helper := NewCgroupTestUtil("freezer", t)
+	defer helper.cleanup()
+
+	const (
+		invalidArg configs.FreezerState = "Invalid"
+	)
+
+	helper.CgroupData.c.Freezer = invalidArg
+	freezer := &FreezerGroup{}
+	if err := freezer.Set(helper.CgroupPath, helper.CgroupData.c); err == nil {
+		t.Fatal("Failed to return invalid argument error")
+	}
+}
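Review bot: The `configs.Undefined` branch added to the freezer `Set` path in this commit is not exercised by either test; only the Thawed and invalid-state cases are covered. A third test that leaves the state undefined and expects a nil error would pin that branch. TestFreezerSetInvalidState also accepts any non-nil error, so a failure unrelated to validation would presumably pass it too (the helper's setup is not visible here). This file is vendored, so the addition belongs upstream in libcontainer.

```go
func TestFreezerSetUndefinedState(t *testing.T) {
	helper := NewCgroupTestUtil("freezer", t)
	defer helper.cleanup()

	helper.CgroupData.c.Freezer = configs.Undefined
	freezer := &FreezerGroup{}
	if err := freezer.Set(helper.CgroupPath, helper.CgroupData.c); err != nil {
		t.Fatal(err)
	}
}
```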
diff --git a/vendor/src/github.com/docker/libcontainer/cgroups/systemd/apply_systemd.go b/vendor/src/github.com/docker/libcontainer/cgroups/systemd/apply_systemd.go
index 85ee5db..dea196b 100644
--- a/vendor/src/github.com/docker/libcontainer/cgroups/systemd/apply_systemd.go
+++ b/vendor/src/github.com/docker/libcontainer/cgroups/systemd/apply_systemd.go
@@ -218,16 +218,7 @@
 	}
 
 	paths := make(map[string]string)
-	for _, sysname := range []string{
-		"devices",
-		"memory",
-		"cpu",
-		"cpuset",
-		"cpuacct",
-		"blkio",
-		"perf_event",
-		"freezer",
-	} {
+	for sysname := range subsystems {
 		subsystemPath, err := getSubsystemPath(m.Cgroups, sysname)
 		if err != nil {
 			// Don't fail if a cgroup hierarchy was not found, just skip this subsystem
diff --git a/vendor/src/github.com/docker/libcontainer/container_linux.go b/vendor/src/github.com/docker/libcontainer/container_linux.go
index 54d4061..3c077af 100644
--- a/vendor/src/github.com/docker/libcontainer/container_linux.go
+++ b/vendor/src/github.com/docker/libcontainer/container_linux.go
@@ -140,7 +140,9 @@
 		cmd.SysProcAttr = &syscall.SysProcAttr{}
 	}
 	cmd.ExtraFiles = []*os.File{childPipe}
-	cmd.SysProcAttr.Pdeathsig = syscall.SIGKILL
+	// NOTE: when running a container with no PID namespace and the parent process spawning the container is
+	// PID1 the pdeathsig is being delivered to the container's init process by the kernel for some reason
+	// even with the parent still running.
 	if c.config.ParentDeathSignal > 0 {
 		cmd.SysProcAttr.Pdeathsig = syscall.Signal(c.config.ParentDeathSignal)
 	}
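Review bot: With the unconditional `cmd.SysProcAttr.Pdeathsig = syscall.SIGKILL` removed, a config whose `ParentDeathSignal` is 0 starts the container init with no parent-death signal at all. The added NOTE describes the kernel behaviour but not this consequence. The comment should say what the default now is, e.g. `// No default pdeathsig: when ParentDeathSignal is 0 the init process is not signalled if its parent dies.` If the parent-pid comparison in standard_init_linux.go is meant to replace the old default, note that it runs once before exec, so it presumably does not cover a parent that dies later; worth confirming that is intended. The enclosing function starts and ends outside the hunk.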
diff --git a/vendor/src/github.com/docker/libcontainer/init_linux.go b/vendor/src/github.com/docker/libcontainer/init_linux.go
index 0468b2e..1786b1e 100644
--- a/vendor/src/github.com/docker/libcontainer/init_linux.go
+++ b/vendor/src/github.com/docker/libcontainer/init_linux.go
@@ -69,7 +69,8 @@
 		}, nil
 	case initStandard:
 		return &linuxStandardInit{
-			config: config,
+			parentPid: syscall.Getppid(),
+			config:    config,
 		}, nil
 	}
 	return nil, fmt.Errorf("unknown init type %q", t)
diff --git a/vendor/src/github.com/docker/libcontainer/nsinit/README.md b/vendor/src/github.com/docker/libcontainer/nsinit/README.md
index f321e22..f2e66a8 100644
--- a/vendor/src/github.com/docker/libcontainer/nsinit/README.md
+++ b/vendor/src/github.com/docker/libcontainer/nsinit/README.md
@@ -5,13 +5,15 @@
 
 ### How to build?
 
-First to add the `libcontainer/vendor` into your GOPATH. It's because something related with this [issue](https://github.com/docker/libcontainer/issues/210).
+First add the `libcontainer/vendor` into your GOPATH. It's because libcontainer
+vendors all its dependencies, so it can be built predictably.
 
 ```
 export GOPATH=$GOPATH:/your/path/to/libcontainer/vendor
 ```
 
-Then get into the nsinit folder and get the imported file. Use `make` command to make the nsinit binary.
+Then get into the nsinit folder and get the imported file. Use `make` command
+to make the nsinit binary.
 
 ```
 cd libcontainer/nsinit
@@ -19,7 +21,8 @@
 make
 ```
 
-We have finished compiling the nsinit package, but a root filesystem must be provided for use along with a container configuration file.
+We have finished compiling the nsinit package, but a root filesystem must be
+provided for use along with a container configuration file.
 
 Choose a proper place to run your container. For example we use `/busybox`.
 
@@ -28,30 +31,37 @@
 curl -sSL 'https://github.com/jpetazzo/docker-busybox/raw/buildroot-2014.11/rootfs.tar' | tar -xC /busybox
 ```
 
-Then you may need to write a configure file named `container.json` in the `/busybox` folder.
-Environment, networking, and different capabilities for the container are specified in this file.
-The configuration is used for each process executed inside the container
-See the `sample_configs` folder for examples of what the container configuration should look like.
+Then you may need to write a configuration file named `container.json` in the
+`/busybox` folder. Environment, networking, and different capabilities for
+the container are specified in this file. The configuration is used for each
+process executed inside the container.
+
+See the `sample_configs` folder for examples of what the container configuration
+should look like.
 
 ```
 cp libcontainer/sample_configs/minimal.json /busybox/container.json
 cd /busybox
 ```
 
-Now the nsinit is ready to work.
-To execute `/bin/bash` in the current directory as a container just run the following **as root**:
+You can customize `container.json` per your needs. After that, nsinit is
+ready to work.
+
+To execute `/bin/bash` in the current directory as a container just run the
+following **as root**:
+
 ```bash
-nsinit exec --tty /bin/bash
+nsinit exec --tty --config container.json /bin/bash
 ```
 
-If you wish to spawn another process inside the container while your 
-current bash session is running, run the same command again to 
-get another bash shell (or change the command).  If the original 
-process (PID 1) dies, all other processes spawned inside the container 
-will be killed and the namespace will be removed. 
+If you wish to spawn another process inside the container while your current
+bash session is running, run the same command again to get another bash shell
+(or change the command).  If the original process (PID 1) dies, all other
+processes spawned inside the container will be killed and the namespace will
+be removed. 
 
-You can identify if a process is running in a container by 
-looking to see if `state.json` is in the root of the directory.
+You can identify if a process is running in a container by looking to see if
+`state.json` is in the root of the directory.
    
-You may also specify an alternate root place where 
-the `container.json` file is read and where the `state.json` file will be saved.
+You may also specify an alternate root directory from where the `container.json`
+file is read and where the `state.json` file will be saved.
diff --git a/vendor/src/github.com/docker/libcontainer/standard_init_linux.go b/vendor/src/github.com/docker/libcontainer/standard_init_linux.go
index 29619d3..282832b 100644
--- a/vendor/src/github.com/docker/libcontainer/standard_init_linux.go
+++ b/vendor/src/github.com/docker/libcontainer/standard_init_linux.go
@@ -13,7 +13,8 @@
 )
 
 type linuxStandardInit struct {
-	config *initConfig
+	parentPid int
+	config    *initConfig
 }
 
 func (l *linuxStandardInit) Init() error {
@@ -85,9 +86,10 @@
 	if err := pdeath.Restore(); err != nil {
 		return err
 	}
-	// Signal self if parent is already dead. Does nothing if running in a new
-	// PID namespace, as Getppid will always return 0.
-	if syscall.Getppid() == 1 {
+	// compare the parent from the inital start of the init process and make sure that it did not change.
+	// if the parent changes that means it died and we were reparened to something else so we should
+	// just kill ourself and not cause problems for someone else.
+	if syscall.Getppid() != l.parentPid {
 		return syscall.Kill(syscall.Getpid(), syscall.SIGKILL)
 	}
 	return system.Execv(l.config.Args[0], l.config.Args[0:], os.Environ())
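Review bot: The check `syscall.Getppid() != l.parentPid` only catches a parent that dies after `parentPid` was recorded when the `linuxStandardInit` was constructed in init_linux.go. If the parent is already gone at that first `syscall.Getppid()` call, both reads return the new parent's pid and the check passes. In a new PID namespace both reads presumably return 0, as the removed comment stated, so the check does nothing there. I would document both limits next to the comparison, e.g. `// Only detects reparenting that happens after parentPid was recorded; no-op in a new PID namespace where Getppid returns 0.`, and fix the typos "inital" and "reparened" in the added comment. Init's body starts outside the hunk.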