
hqhq/moby 1

Docker - the open-source application container engine

hqhq/oct 1

Testing cases and framework for OpenContainers project

hqhq/bolt 0

A low-level key/value database for Go.

hqhq/busybox 0

Docker Official Image packaging for Busybox

hqhq/cgroups 0

cgroups package for Go

hqhq/check 0

Rich testing for the Go language

hqhq/cli 0

A small package for building command line apps in Go

hqhq/cli-1 0

The Docker CLI

hqhq/console 0

console package for Go

hqhq/containerd 0

Standalone Container Daemon

pull request comment opencontainers/runc

MAINTAINERS: add Akihiro Suda to maintainers

LGTM

thaJeztah

comment created time in 2 days

push event opencontainers/runc

Kir Kolyshkin

commit sha 4c5c3fb960b0aded4091507492bc2cb9f6784f94

Support for setting systemd properties via annotations

In case systemd is used to set cgroups for the container, it creates a scope unit dedicated to it (usually named `runc-$ID.scope`). This patch adds an ability to set arbitrary systemd properties for the systemd unit via runtime spec annotations.

Initially this was developed as an ability to specify the `TimeoutStopUSec` property, but later generalized to work with arbitrary ones.

Example usage: add the following to runtime spec (config.json):

```
"annotations": {
    "org.systemd.property.TimeoutStopUSec": "uint64 123456789",
    "org.systemd.property.CollectMode":"'inactive-or-failed'"
},
```

and start the container (e.g. `runc --systemd-cgroup run $ID`). The above will set the following systemd parameters:

* `TimeoutStopSec` to 2 minutes and 3 seconds,
* `CollectMode` to "inactive-or-failed".

The values are in the gvariant format (see [1]). To figure out which type systemd expects for a particular parameter, see systemd sources. In particular, parameters with `USec` suffix require an `uint64` typed argument, while gvariant assumes int32 for a numeric values, therefore the explicit type is required.

NOTE that systemd receives the time-typed parameters as *USec but shows them (in `systemctl show`) as *Sec. For example, the stop timeout should be set as `TimeoutStopUSec` but is shown as `TimeoutStopSec`.

[1] https://developer.gnome.org/glib/stable/gvariant-text.html

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>


Kir Kolyshkin

commit sha 2a81236e899ac967300b84df738710b6d47621c0

Document using annotations to set systemd props Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>


Kir Kolyshkin

commit sha 1cd71dfd7101c1d4b0f224fdcba207793dbd4a91

systemd properties: support for *Sec values

Some systemd properties are documented as having "Sec" suffix (e.g. "TimeoutStopSec") but are expected to have "USec" suffix when passed over dbus, so let's provide appropriate conversion to improve compatibility.

This means, one can specify TimeoutStopSec with a numeric argument, in seconds, and it will be properly converted to TimeoutStopUsec with the argument in microseconds. As a side bonus, even float values are converted, so e.g. TimeoutStopSec=1.5 is possible.

This turned out a bit more tricky to implement than I originally expected, since there are a handful of numeric types in dbus and each one requires explicit conversion.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>


Qiang Huang

commit sha 13b1603fd0e37db1764433a140d494b2e9f05805

Merge pull request #2224 from kolyshkin/systemd-props Allow to set systemd scope properties via annotations


push time in 2 days

PR merged opencontainers/runc

Allow to set systemd scope properties via annotations

In case systemd is used as a cgroups driver for container, it creates a scope (aka transient unit) dedicated to a container (usually named runc-$ID.scope).

This PR adds an ability to set arbitrary properties for the systemd unit via runtime spec annotations.

Usage

Add the following to runtime spec (config.json):

        "annotations": {
                "org.systemd.property.TimeoutStopSec": "300",
                "org.systemd.property.CollectMode":"'inactive-or-failed'"
        },

and start the container (e.g. runc --systemd-cgroup run $ID).

The above will set the following systemd parameters:

  • TimeoutStopSec to 2 minutes and 3 seconds;
  • CollectMode to "inactive-or-failed".

The values in spec should be in the gvariant format (see docs here).

To figure out which type systemd expects for a particular parameter, please consult systemd sources.

TODO

  • [x] unit tests
  • [x] documentation
  • [x] allow *Sec parameters, simplify doc

Notes

  • This is needed to fix kubernetes/kubernetes#77873
  • This is a carry of #2062, please see the initial discussion in there

History

  • v1: original version from #2062
  • v2: use map[string]interface{} for SystemdProperties as suggested in https://github.com/opencontainers/runc/pull/2062#discussion_r295835117, generalize cli options parsing
  • v3: move SystemdProperties into configs.Cgroup to simplify code
  • v4: cli option removed, setting redone via annotations in a generic fashion
  • v5: allow time units with Sec suffix (in addition to USec)
+251 -1

16 comments

6 changed files

kolyshkin

pr closed time in 2 days
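The annotation scheme from the PR above, worked through as an added Go example that is not runc's code: it pulls the `org.systemd.property.*` keys out of a config.json annotations map, parses the gvariant text values (only the typed-number, single-quoted-string and bare-number forms the PR uses are supported) and converts a `*Sec` value given in seconds into the `*USec` microseconds the D-Bus property expects, rejecting negative or overflowing durations instead of wrapping them. The `Property` type and every function name are this example's own, and the sample annotations in the test are constructed.

```go
package main

import (
	"fmt"
	"math"
	"sort"
	"strconv"
	"strings"
)

// Property is one systemd unit property: its D-Bus name plus a typed value.
type Property struct {
	Name  string
	Value interface{}
}

const annotationPrefix = "org.systemd.property."

// parseGVariantText handles the subset of gvariant text syntax the scheme needs:
// a type prefix ("uint64 123"), single-quoted strings and bare numbers (int32
// for integers, double for decimals, which is how gvariant reads a bare literal).
func parseGVariantText(text string) (interface{}, error) {
	text = strings.TrimSpace(text)
	if len(text) >= 2 && text[0] == '\'' && text[len(text)-1] == '\'' {
		return text[1 : len(text)-1], nil
	}
	typ, num := "", text
	if i := strings.IndexByte(text, ' '); i > 0 {
		typ, num = text[:i], strings.TrimSpace(text[i+1:])
	}
	if typ == "" {
		typ = "int32"
		if strings.ContainsAny(num, ".eE") {
			typ = "double"
		}
	}
	switch typ {
	case "int32":
		v, err := strconv.ParseInt(num, 10, 32)
		return int32(v), err
	case "uint64":
		return strconv.ParseUint(num, 10, 64)
	case "double":
		return strconv.ParseFloat(num, 64)
	}
	return nil, fmt.Errorf("unsupported gvariant type %q", typ)
}

// secondsToUSec turns a "*Sec" value (seconds, integer or float) into the uint64
// microseconds a "*USec" property expects; negative, NaN and overflowing inputs fail.
func secondsToUSec(v interface{}) (uint64, error) {
	const perSec = 1000000
	var secs float64
	switch n := v.(type) {
	case int32:
		secs = float64(n)
	case uint64:
		secs = float64(n)
	case float64:
		secs = n
	default:
		return 0, fmt.Errorf("%T is not a numeric value", v)
	}
	if secs < 0 || math.IsNaN(secs) || secs > math.MaxUint64/perSec {
		return 0, fmt.Errorf("duration %v s is out of range", secs)
	}
	return uint64(math.Round(secs * perSec)), nil
}

// PropertiesFromAnnotations picks the "org.systemd.property.<Name>" entries out
// of a config.json annotations map, parses each value and rewrites a "<Name>Sec"
// property (but not "<Name>USec") into "<Name>USec" with the value in microseconds.
func PropertiesFromAnnotations(annotations map[string]string) ([]Property, error) {
	var props []Property
	for key, raw := range annotations {
		if !strings.HasPrefix(key, annotationPrefix) {
			continue
		}
		name := strings.TrimPrefix(key, annotationPrefix)
		val, err := parseGVariantText(raw)
		if err != nil {
			return nil, fmt.Errorf("annotation %q: %w", key, err)
		}
		if strings.HasSuffix(name, "Sec") && !strings.HasSuffix(name, "USec") {
			usec, err := secondsToUSec(val)
			if err != nil {
				return nil, fmt.Errorf("annotation %q: %w", key, err)
			}
			name, val = strings.TrimSuffix(name, "Sec")+"USec", usec
		}
		props = append(props, Property{Name: name, Value: val})
	}
	sort.Slice(props, func(i, j int) bool { return props[i].Name < props[j].Name }) // map order is random
	return props, nil
}
```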

pull request comment opencontainers/runc

Allow to set systemd scope properties via annotations

LGTM

kolyshkin

comment created time in 2 days

pull request comment opencontainers/runc

Fix MAJ:MIN io.stat parsing order

LGTM

Zyqsempai

comment created time in 2 days

pull request comment opencontainers/runc

Added conversion for cpu.weight v2

Needs re-approve. @mrunalp

Zyqsempai

comment created time in 6 days

pull request comment opencontainers/runc

Fix the value corresponding to rlimitmap [key]

LGTM

wanghuaiqing2010

comment created time in 10 days

pull request comment opencontainers/runc

Convert blkioWeight to io.weight properly

LGTM

Zyqsempai

comment created time in 11 days

pull request comment opencontainers/runc

Added conversion for cpu.weight v2

LGTM

Zyqsempai

comment created time in 11 days

Pull request review comment opencontainers/runc

Added conversion for cpu.weight v2

 func Annotations(labels []string) (bundle string, userAnnotations map[string]str func GetIntSize() int { 	return int(unsafe.Sizeof(1)) }++// Since the OCI spec is designed for cgroup v1, in some cases+// there is need to convert from the cgroup v1 configuration to cgroup v2+// the formula for cpuShares is y = (1 + ((x - 2) * 9999) / 262142)+// convert from [2-262144] to [1-10000]+// 262144 comes from Linux kernel definition "#define MAX_SHARES (1UL << 18)"+func ConvertCPUSharesToCgroupV2Value(cpuShares uint64) uint64 {+	return (1 + ((cpuShares-2)*9999)/262142)+}
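Review bot: `ConvertCPUSharesToCgroupV2Value` does the subtraction `cpuShares-2` in uint64 with no range check, so any input below 2 (and 0 is what an absent value looks like) wraps to a huge number and the result lands far outside the [1-10000] target range the comment documents. Guard the input before applying the formula, for example return 0 for 0 and clamp everything else to [2, 262144]; a doc comment that starts with the function name (`// ConvertCPUSharesToCgroupV2Value converts ...`) would also make the helper show up in godoc.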

Sorry I should be more specific, but maybe libcontainer/cgroups/utils.go is a better place?

Zyqsempai

comment created time in 11 days

Pull request review comment opencontainers/runc

Added conversion for cpu.weight v2

 other options are ignored. 		return container.Set(config) 	}, }++// Since the OCI spec is designed for cgroup v1, in some cases+// there is need to convert from the cgroup v1 configuration to cgroup v2+// the formula for cpuShares is y = (1 + ((x - 2) * 9999) / 262142)+// convert from [2-262144] to [1-10000]+// 262144 comes from Linux kernel definition "#define MAX_SHARES (1UL << 18)"+func convertCPUSharesToCgroupV2Value(cpuShares uint64) uint64 {+	return (1 + ((cpuShares-2)*9999)/262142)+}
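Review bot: this is a second, unexported copy of the same formula as `ConvertCPUSharesToCgroupV2Value` in the other hunk; two definitions will drift, so keep one exported helper and call it from here. The same unguarded `cpuShares-2` applies: a value below 2 wraps in uint64 instead of being clamped to the [2-262144] input range the comment states.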

All these conversion functions should be put in a utils file so it'll be easier to remove them when we have these items in runtime-spec someday.

I've reclaimed my LGTM in the other PR.

Zyqsempai

comment created time in 12 days

pull request comment opencontainers/runc

Convert blkioWeight to io.weight properly

LGTM

Zyqsempai

comment created time in 12 days

push event opencontainers/runtime-spec

Vincent Batts

commit sha 12fd09a068fa55947cad88a73e96909eba251809

RELEASE: document how to do the release

It's been a couple of years and I have no idea what I am doing. Some of this could be automated, but for now I've included some of the shell that gets close to the process.

Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>


Qiang Huang

commit sha 1ca19ac3226fbbba0ca30fe2d082bc0d08144152

Merge pull request #1027 from vbatts/release-checklist RELEASE: document how to do the release


push time in 19 days

PR merged opencontainers/runtime-spec

RELEASE: document how to do the release

It's been a couple of years and I have no idea what I am doing. Some of this could be automated, but for now I've included some of the shell that gets close to the process.

Signed-off-by: Vincent Batts vbatts@hashbangbash.com


+45 -0

4 comments

1 changed file

vbatts

pr closed time in 19 days

pull request comment opencontainers/runtime-spec

RELEASE: document how to do the release

LGTM

vbatts

comment created time in 19 days

pull request comment opencontainers/runc

README.md: modify the explanation of make flags

LGTM

KentaTada

comment created time in 20 days

Pull request review comment opencontainers/runc

README.md: modify the explanation of make flags

 You can run a specific integration test by setting the `TESTPATH` variable. # make test TESTPATH="/checkpoint.bats" ``` -You can run a test in your proxy environment by setting `DOCKER_BUILD_PROXY` and `DOCKER_RUN_PROXY` variables.+You can run a test using your container engine's flags by setting `CONTAINER_ENGINE_BUILD_FLAGS` and `CONTAINER_ENGINE_RUN_FLAGS` variables.  ```bash-# make test DOCKER_BUILD_PROXY="--build-arg HTTP_PROXY=http://yourproxy/" DOCKER_RUN_PROXY="-e HTTP_PROXY=http://yourproxy/"+# make test CONTAINER_ENGINE_BUILD_FLAGS="--build-arg http_proxy=http://yourproxy/" CONTAINER_ENGINE_RUN_FLAGS="-e http_proxy=http://yourproxy/"
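Review bot: the replacement example changes the case of the proxy variable from `HTTP_PROXY` to `http_proxy` while only the prose about the renamed make variables is updated. Because `CONTAINER_ENGINE_BUILD_FLAGS` and `CONTAINER_ENGINE_RUN_FLAGS` are passed through verbatim, the case has to match whatever the tools inside the test image actually read; either keep the previous spelling or add a sentence saying that the variable name is the user's choice and which spelling the test image expects.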

Maybe my memory is out-dated then : )

KentaTada

comment created time in 20 days

Pull request review comment opencontainers/runc

README.md: modify the explanation of make flags

 You can run a specific integration test by setting the `TESTPATH` variable. # make test TESTPATH="/checkpoint.bats" ``` -You can run a test in your proxy environment by setting `DOCKER_BUILD_PROXY` and `DOCKER_RUN_PROXY` variables.+You can run a test using your container engine's flags by setting `CONTAINER_ENGINE_BUILD_FLAGS` and `CONTAINER_ENGINE_RUN_FLAGS` variables.  ```bash-# make test DOCKER_BUILD_PROXY="--build-arg HTTP_PROXY=http://yourproxy/" DOCKER_RUN_PROXY="-e HTTP_PROXY=http://yourproxy/"+# make test CONTAINER_ENGINE_BUILD_FLAGS="--build-arg http_proxy=http://yourproxy/" CONTAINER_ENGINE_RUN_FLAGS="-e http_proxy=http://yourproxy/"
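Review bot: `DOCKER_BUILD_PROXY` and `DOCKER_RUN_PROXY` disappear from the documentation without saying whether the Makefile still honours them; if they no longer work, existing CI scripts that set them will silently run without a proxy and fail in a way that is hard to trace back to this rename. Add a one-line note that the old variables are replaced by `CONTAINER_ENGINE_BUILD_FLAGS` and `CONTAINER_ENGINE_RUN_FLAGS`, or keep them as deprecated aliases in the Makefile.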

The default container engine is still docker, so I guess we should still keep HTTP_PROXY as upper case?

KentaTada

comment created time in 20 days

push event opencontainers/runtime-spec

Brandon Philips

commit sha bacc285965f160c378bf24ca46436afb6911a6db

MAINTAINERS: remove philips Signed-off-by: Brandon Philips <brandon@ifup.org> Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>


Qiang Huang

commit sha 7cddf4f49ffc4012ca5f4ec5608c4c5514965bab

Merge pull request #1028 from opencontainers/philips-patch-1 MAINTAINERS: remove philips


push time in 21 days

pull request comment opencontainers/runtime-spec

MAINTAINERS: remove philips

LGTM

philips

comment created time in 21 days

pull request comment opencontainers/runtime-spec

MAINTAINERS: remove Vishnu

LGTM

Thanks for your efforts, Vish.

vbatts

comment created time in 21 days

Pull request review comment opencontainers/runc

Added conversion for cpu.weight v2

 func CreateCgroupConfig(opts *CreateOpts) (*configs.Cgroup, error) { 		if r.CPU != nil { 			if r.CPU.Shares != nil { 				c.Resources.CpuShares = *r.CPU.Shares++				//CpuWeight is used for cgroupv2 and should be converted+				c.Resources.CpuWeight = (1 + ((*r.CPU.Shares-2)*9999)/262142)
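Review bot: the conversion runs for every non-nil `r.CPU.Shares`, including a value of 0, and `*r.CPU.Shares-2` is unsigned arithmetic, so 0 or 1 wraps to a number far above the cgroup v2 maximum of 10000 and `CpuWeight` is set to an invalid value instead of being left unset. Move the formula into a named helper, as the review asks, and have it return 0 for 0 and clamp to [2, 262144] before applying `1 + (x-2)*9999/262142`.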

We should do this with a function so people know it's converting runtime-spec items to cgroupv2 value.

And comments like "convert from [2-262144] to [1-10000]" would be helpful; more explanation such as value 262144 comes from Linux kernel definition "#define MAX_SHARES (1UL << 18)" will also help.

Zyqsempai

comment created time in 22 days

Pull request review comment opencontainers/runc

Convert blkioWeight to io.weight properly

 import ( func setIo(dirPath string, cgroup *configs.Cgroup) error { 	if cgroup.Resources.BlkioWeight != 0 { 		filename := "io.bfq.weight"-		if err := fscommon.WriteFile(dirPath, filename, strconv.FormatUint(uint64(cgroup.Resources.BlkioWeight), 10)); err != nil {+		weight := 1 + (cgroup.Resources.BlkioWeight-10)*9999/990
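Review bot: `1 + (cgroup.Resources.BlkioWeight-10)*9999/990` is evaluated in the type of `BlkioWeight`; if that type is narrower than 32 bits, the intermediate `(1000-10)*9999 = 9899010` overflows before the division and the top of the range silently maps to a tiny weight, and any value below 10 wraps in the subtraction. Convert to `uint64` first, clamp to the cgroup v1 range [10, 1000], and add the comment the reviewer asks for: the formula maps blkio.weight [10-1000] onto the io.bfq.weight range [1-10000].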

I don't quite get it, can you add some comments to explain why it's doing so?

Zyqsempai

comment created time in 22 days
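The two cgroup v1 to v2 conversions debated in the review threads above (cpu.shares to cpu.weight, blkio.weight to io.weight), as an added Go example that is not runc's code: each formula is applied only after the input has been range-checked, and the two `naive*` functions reproduce the wraparound that an unchecked unsigned subtraction or a 16-bit multiplication produces. It assumes the v1 blkio weight arrives as uint16, the type the OCI runtime spec uses for that field.

```go
package main

import "fmt"

// Ranges involved: cpu.shares [2..262144] (262144 is the kernel's MAX_SHARES,
// 1<<18) maps onto cpu.weight [1..10000]; blkio.weight [10..1000] maps onto
// io.weight [1..10000]. Both maps are linear with integer division, so the end
// points map exactly and everything in between truncates.
const (
	minShares, maxShares           = uint64(2), uint64(262144)
	minBlkioWeight, maxBlkioWeight = uint64(10), uint64(1000)
	maxV2Weight                    = uint64(10000)
)

// CPUSharesToCgroupV2Weight converts a cgroup v1 cpu.shares value to a cgroup v2
// cpu.weight with y = 1 + (x-2)*9999/262142. Zero means "not set" and stays
// zero; other inputs are clamped to [2, 262144] first, so the unsigned
// subtraction can never wrap.
func CPUSharesToCgroupV2Weight(shares uint64) uint64 {
	if shares == 0 {
		return 0
	}
	shares = clamp(shares, minShares, maxShares)
	return 1 + (shares-minShares)*(maxV2Weight-1)/(maxShares-minShares)
}

// BlkioWeightToIOWeight converts a cgroup v1 blkio.weight to a cgroup v2
// io.weight with y = 1 + (x-10)*9999/990. The input is widened to uint64 before
// any arithmetic: the intermediate (1000-10)*9999 = 9899010 does not fit in the
// 16-bit type the spec uses for this field.
func BlkioWeightToIOWeight(weight uint16) uint64 {
	if weight == 0 {
		return 0
	}
	w := clamp(uint64(weight), minBlkioWeight, maxBlkioWeight)
	return 1 + (w-minBlkioWeight)*(maxV2Weight-1)/(maxBlkioWeight-minBlkioWeight)
}

// naiveBlkioWeight is the same formula evaluated in the 16-bit input type, kept
// only to show the failure: the multiplication overflows, so the maximum v1
// weight comes out as a tiny v2 weight.
func naiveBlkioWeight(weight uint16) uint16 {
	return 1 + (weight-10)*9999/990
}

// naiveCPUWeight is the formula without a range check; an input below 2 makes
// the unsigned subtraction wrap and yields a value far above 10000.
func naiveCPUWeight(shares uint64) uint64 {
	return 1 + (shares-2)*9999/262142
}

func clamp(v, lo, hi uint64) uint64 {
	if v < lo {
		return lo
	}
	if v > hi {
		return hi
	}
	return v
}

func main() {
	for _, s := range []uint64{0, 1, 2, 1024, 262144, 1 << 20} {
		fmt.Printf("cpu.shares %7d -> cpu.weight %5d (unchecked: %d)\n",
			s, CPUSharesToCgroupV2Weight(s), naiveCPUWeight(s))
	}
	for _, w := range []uint16{0, 10, 500, 1000} {
		fmt.Printf("blkio.weight %4d -> io.weight %5d (16-bit: %d)\n",
			w, BlkioWeightToIOWeight(w), naiveBlkioWeight(w))
	}
}
```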

pull request comment opencontainers/runc

VERSION: release 1.0.0~rc10

LGTM

cyphar

comment created time in a month

pull request comment opencontainers/runc

rootfs: do not permit /proc mounts to non-directories

LGTM

cyphar

comment created time in a month

push event opencontainers/runc

Akihiro Suda

commit sha 5c20ea1472dbeeebdb1bcef31a09888890a25b3a

fix merging #2177 and #2169

A new method was added to the cgroup interface when #2177 was merged. After #2177 got merged, #2169 was merged without rebase (sorry!) and compilation was failing:

libcontainer/cgroups/fs2/fs2.go:208:22: container.Cgroup undefined (type *configs.Config has no field or method Cgroup)

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>


Akihiro Suda

commit sha 55f8c254beb00f916c115a7034f7eee0cfd657a1

temporarily disable CRIU tests

Ubuntu kernel is temporarily broken: https://github.com/opencontainers/runc/pull/2198#issuecomment-571124087

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>


Qiang Huang

commit sha 709377ca558df88ea538852c9310b700f140fc9b

Merge pull request #2198 from AkihiroSuda/criu-master temporarily disable CRIU tests


push time in a month

PR merged opencontainers/runc

temporarily disable CRIU tests

update criu to the latest revision on criu-dev branch (v3.13 is not enough to fix the issue)

Fix #2196

EDIT: Changed PR to skip the tests until Ubuntu kernel gets fixed (https://github.com/opencontainers/runc/pull/2198#issuecomment-571124087)

contains https://github.com/opencontainers/runc/pull/2206

+7 -0

13 comments

2 changed files

AkihiroSuda

pr closed time in a month

pull request comment opencontainers/runc

temporarily disable CRIU tests

LGTM

AkihiroSuda

comment created time in a month

push event opencontainers/runc

Akihiro Suda

commit sha faf1e44ea9d001535f228ce570e56e18d3dece06

cgroup2: ebpf: increase RLIM_MEMLOCK to avoid BPF_PROG_LOAD error

Fix #2167

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>


Qiang Huang

commit sha 2186cfa3cd52b8e00b1de76db7859cacdf7b1f94

Merge pull request #2168 from AkihiroSuda/ebpf-fix-rlimit cgroup2: ebpf: increase RLIM_MEMLOCK to avoid BPF_PROG_LOAD error


push time in 3 months

issue closed opencontainers/runc

cgroup2: procHooks: failed to load program: operation not permitted

Moby is getting support for cgroup v2: https://github.com/moby/moby/pull/40174 (https://github.com/moby/moby/tree/ee30a1f5ad7c373bd9db3f0b5412b03082f76786)

But it doesn't work with runc b133feaeeb2e69ba94aa95eac3a455a143435ea9 (works with crun v0.10.4)

$ docker run -it --rm hello-world
docker: Error response from daemon: OCI runtime create failed: container_linux.go:346: starting container process caused "process_linux.go:449: container init caused \"process_linux.go:415: setting cgroup config for procHooks process caused \\\"failed to load program: operation not permitted\\\"\"": unknown.

Podman+runc doesn't hit this issue.

closed time in 3 months

AkihiroSuda

push event opencontainers/runc

Akihiro Suda

commit sha dbd771e4753a6630141ea9d7cde402d9a487f2c3

cgroup2: implement `runc ps`

Implemented `runc ps` for cgroup v2, using a newly added method `m.GetUnifiedPath()`. Unlike the v1 implementation that checks `m.GetPaths()["devices"]`, the v2 implementation does not require the device controller to be available.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>


Qiang Huang

commit sha e57a774066af2f0adc76ffb6201588091cd872d5

Merge pull request #2149 from AkihiroSuda/cgroup2-ps cgroup2: implement `runc ps`


push time in 4 months

PR merged opencontainers/runc

cgroup2: implement `runc ps`

Implemented runc ps for cgroup v2 , using a newly added method m.GetUnifiedPath(). Unlike the v1 implementation that checks m.GetPaths()["devices"], the v2 implementation does not require the device controller to be available.

+76 -3

3 comments

6 changed files

AkihiroSuda

pr closed time in 4 months

pull request comment opencontainers/runc

cgroup2: implement `runc ps`

LGTM

AkihiroSuda

comment created time in 4 months

push event opencontainers/runc

Akihiro Suda

commit sha d918e7f40817e4c2e22beade538bab1bd5edcc96

cpuset_v2: skip Apply when no limit is specified Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>


Qiang Huang

commit sha d239ca84254c579a964101b4f8049b860fbfc135

Merge pull request #2148 from AkihiroSuda/cg2-ignore-cpuset-when-no-config cgroup2: cpuset_v2: skip Apply when no limit is specified


push time in 4 months

issue closed opencontainers/runc

cgroup2: v1.0.0-rc.9 doesn't start up without adding +cpuset to /sys/fs/cgroup/cgroup.subtree_control

# /tmp/runc run foo
WARN[0000] signal: killed                               
ERRO[0000] container_linux.go:346: starting container process caused "process_linux.go:297: applying cgroup configuration for process caused \"open /sys/fs/cgroup/foo/cpuset.cpus.effective: no such file or directory\"" 
container_linux.go:346: starting container process caused "process_linux.go:297: applying cgroup configuration for process caused \"open /sys/fs/cgroup/foo/cpuset.cpus.effective: no such file or directory\""

runc: 1.0.0-rc.9
OS: Fedora 31 beta (cgroup2 unified)

echo +cpuset > /sys/fs/cgroup/cgroup.subtree_control solves the issue

closed time in 4 months

AkihiroSuda

pull request comment opencontainers/runc

cgroup2: cpuset_v2: skip Apply when no limit is specified

LGTM

AkihiroSuda

comment created time in 4 months

pull request comment opencontainers/runc

VERSION: update to 1.0.0-rc9

LGTM

cyphar

comment created time in 5 months

pull request comment opencontainers/runc

Recursively thaw freezer subcgroups during SIGKILL

LGTM

percontation

comment created time in 5 months

Pull request review comment opencontainers/runc

Recursively thaw freezer subcgroups during SIGKILL

 func (m *Manager) Freeze(state configs.FreezerState) error { 	return nil } +// ThawAll unfreezes the container's freezer cgroup, and all subcgroups+// recursively.+func (m *Manager) ThawAll() error {+	err := m.Freeze(configs.Thawed)+	if err != nil {+		return err+	}+	paths := m.GetPaths()+	freezer, err := subsystemsLegacy.Get("freezer")+	if err != nil {+		return err+	}+	return freezer.(*FreezerGroup).RecursiveThaw(paths["freezer"])
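Review bot: `freezer.(*FreezerGroup)` is a single-value type assertion, so if `subsystemsLegacy.Get("freezer")` ever returns a different implementation the call panics instead of returning an error; use the two-value form, or call `RecursiveThaw` through the subsystem interface as suggested further down in this thread. `paths["freezer"]` is also used without checking that the key exists, so a container without a freezer cgroup hands `RecursiveThaw` an empty path; returning early when the path is empty keeps `ThawAll` a harmless no-op in that case.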

Right, my mistake, we could have a RecursiveSet method for subsystem, but we can do that when we see more needs.

percontation

comment created time in 5 months

Pull request review comment opencontainers/runc

Recursively thaw freezer subcgroups during SIGKILL

 var unifiedSubsystems = subsystemSet{ 	&fs.PidsGroupV2{}, } +func (m *UnifiedManager) ThawAll() error {+	err := m.Freeze(configs.Thawed)+	if err != nil {+		return err+	}+	path, err := getSubsystemPath(m.Cgroups, "freezer")+	if err != nil {+		return err+	}+	freezer, err := unifiedSubsystems.Get("freezer")+	if err != nil {+		return err+	}+	return freezer.(*fs.FreezerGroupV2).RecursiveThaw(path)
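Review bot: `ThawAll` here repeats the body of the legacy and fs versions (`Freeze(Thawed)`, look up the path, look up the subsystem, `RecursiveThaw`) with only the subsystem set and the asserted type differing; a small shared helper taking the path and the subsystem would remove three copies of the same error-handling chain. The type assertion is the part most likely to diverge between the copies (another version of this hunk in the thread asserts `*fs.FreezerGroup` instead of `*fs.FreezerGroupV2`), so prefer the two-value form or the interface method, which turn a mismatch into an error rather than a runtime panic.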

Same here.

percontation

comment created time in 5 months

Pull request review comment opencontainers/runc

Recursively thaw freezer subcgroups during SIGKILL

 func (m *LegacyManager) Freeze(state configs.FreezerState) error { 	return nil } +func (m *LegacyManager) ThawAll() error {+	err := m.Freeze(configs.Thawed)+	if err != nil {+		return err+	}+	path, err := getSubsystemPath(m.Cgroups, "freezer")+	if err != nil {+		return err+	}+	freezer, err := legacySubsystems.Get("freezer")+	if err != nil {+		return err+	}+	return freezer.(*fs.FreezerGroup).RecursiveThaw(path)
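Review bot: the cast `freezer.(*fs.FreezerGroup)` is unnecessary if `RecursiveThaw` is part of the subsystem interface returned by `legacySubsystems.Get`, and as a single-value assertion it panics on a mismatch; call `freezer.RecursiveThaw(path)` directly and let the compiler check that the method exists. `ThawAll` also has no doc comment, unlike the fs `Manager` version in this PR; a one-liner saying it thaws the container's freezer cgroup and all subcgroups keeps the three implementations documented consistently.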

You can call freezer.RecursiveThaw directly.

percontation

comment created time in 5 months

Pull request review comment opencontainers/runc

Recursively thaw freezer subcgroups during SIGKILL

 func (m *Manager) Freeze(state configs.FreezerState) error { 	return nil } +// ThawAll unfreezes the container's freezer cgroup, and all subcgroups+// recursively.+func (m *Manager) ThawAll() error {+	err := m.Freeze(configs.Thawed)+	if err != nil {+		return err+	}+	paths := m.GetPaths()+	freezer, err := subsystemsLegacy.Get("freezer")+	if err != nil {+		return err+	}+	return freezer.(*FreezerGroup).RecursiveThaw(paths["freezer"])

As now you have RecursiveThaw for cgroupv2, you can use

freezer, err := m.getSubsystems().Get("freezer")
if err != nil {
    return err
}
return freezer.RecursiveThaw(paths["freezer"])

percontation

comment created time in 5 months

Pull request review comment opencontainers/runc

Recursively thaw freezer subcgroups during SIGKILL

 func (m *LegacyManager) Freeze(state configs.FreezerState) error { 	return nil } +func (m *LegacyManager) ThawAll() error {+	err := m.Freeze(configs.Thawed)+	if err != nil {+		return err+	}+	path, err := getSubsystemPath(m.Cgroups, "freezer")+	if err != nil {+		return err+	}+	freezer, err := legacySubsystems.Get("freezer")+	if err != nil {+		return err+	}+	return freezer.(*fs.FreezerGroup).RecursiveThaw(path)

And you don't need cast here.

percontation

comment created time in 5 months

Pull request review comment opencontainers/runc

Recursively thaw freezer subcgroups during SIGKILL

 var unifiedSubsystems = subsystemSet{ 	&fs.PidsGroupV2{}, } +func (m *UnifiedManager) ThawAll() error {+	err := m.Freeze(configs.Thawed)+	if err != nil {+		return err+	}+	path, err := getSubsystemPath(m.Cgroups, "freezer")+	if err != nil {+		return err+	}+	freezer, err := unifiedSubsystems.Get("freezer")+	if err != nil {+		return err+	}+	return freezer.(*fs.FreezerGroup).RecursiveThaw(path)
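Review bot: this version of the hunk asserts `*fs.FreezerGroup` (the cgroup v1 type) on a subsystem taken from `unifiedSubsystems`, whose visible entries are the v2 types (`&fs.PidsGroupV2{}` is in the context lines); if the freezer entry there is `*fs.FreezerGroupV2`, the assertion panics at the first SIGKILL on a cgroup v2 host instead of failing gracefully. Assert the matching type with the two-value form, or call `RecursiveThaw` through the interface, so a mismatch surfaces as an error.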

That's correct.

percontation

comment created time in 5 months

Pull request review comment opencontainers/runc

Recursively thaw freezer subcgroups during SIGKILL

 var unifiedSubsystems = subsystemSet{ 	&fs.PidsGroupV2{}, } +func (m *UnifiedManager) ThawAll() error {+	err := m.Freeze(configs.Thawed)+	if err != nil {+		return err+	}+	path, err := getSubsystemPath(m.Cgroups, "freezer")+	if err != nil {+		return err+	}+	freezer, err := unifiedSubsystems.Get("freezer")+	if err != nil {+		return err+	}+	return freezer.(*fs.FreezerGroup).RecursiveThaw(path)

Yes, you can use fs cgroup method in cgroupv2, even in systemd cgroup, it'll work, but that'll be a dependency, and it'll be broken if one day we remove legacy cgroup support (though that most likely won't happen).

percontation

comment created time in 5 months

push event opencontainers/runtime-spec

Giuseppe Scrivano

commit sha d1ef109cd0b39239ff82c267df314f7ed2da576b

config-linux: support seccomp flags

allow to specify what flags must be passed to seccomp(2) when installing the filter.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>


Qiang Huang

commit sha 52e2591aa9f7211d64c49c4fed8691a183189284

Merge pull request #1018 from giuseppe/seccomp-flags config-linux: support seccomp flags


push time in 5 months

PR merged opencontainers/runtime-spec

config-linux: support seccomp flags

allow to specify what flags must be passed to seccomp(2) when installing the filter.

Signed-off-by: Giuseppe Scrivano gscrivan@redhat.com

+26 -0

4 comments

4 changed files

giuseppe

pr closed time in 5 months

pull request comment opencontainers/runtime-spec

config-linux: support seccomp flags

LGTM

giuseppe

comment created time in 5 months

pull request comment opencontainers/runc

Recursively thaw freezer subcgroups during SIGKILL

LGTM

@mrunalp @crosbymichael Is it OK that we only add functionalities on legacy cgroup now?

percontation

comment created time in 5 months

pull request comment opencontainers/runc

Make sure signalAllProcesses is invoked in the function of destroy when container shares pid namespace

I agree we should kill all processes when a container exits while it's sharing pidns with another container. But why isn't it handled in https://github.com/opencontainers/runc/blob/v1.0.0-rc8/signals.go#L99 ? We did call signalAllProcesses in the wait method of initProcess https://github.com/opencontainers/runc/blob/v1.0.0-rc8/libcontainer/process_linux.go#L454

keloyang

comment created time in 5 months

pull request comment opencontainers/runc

Recursively thaw freezer subcgroups during SIGKILL

@percontation @mruck Current change looks good to me, just needs rebase, thanks.

percontation

comment created time in 5 months

pull request comment opencontainers/runc

Recursively thaw freezer subcgroups during SIGKILL

I don't think runc is quite robust for nested containers, but for this fix, the idea looks good to me: a child container should not block the exit of the parent container.

percontation

comment created time in 6 months

push event opencontainers/runc

Sebastiaan van Stijn

commit sha 4be3c48e054d3eb299245b3e5c94651e7b83dfd1

Reformat vendor.conf and pin all deps by git-sha

to make it more readable, and to encourage pinning by sha, but align to a tagged release.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>


Sebastiaan van Stijn

commit sha de24d733509bbb39105a9241397da62ff0f19fac

bump github.com/pkg/errors 0.8.1 Signed-off-by: Sebastiaan van Stijn <github@gone.nl>


Sebastiaan van Stijn

commit sha 414a39dedbdadd401037197a1a561539957554c7

bump containerd/console 0650fd9eeb50bab4fc99dceb9f2e14cf58f36e7f

relevant changes:

- containerd/console#27 console_linux: Fix race: lock Cond before Signal

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>


Sebastiaan van Stijn

commit sha 0fc0662338e0734de88a4829c55ab1331ddc1d9a

bump cyphar/filepath-securejoin v0.2.2 Signed-off-by: Sebastiaan van Stijn <github@gone.nl>


Sebastiaan van Stijn

commit sha 8e4f645fcaf5ef2f1d67525066a6082edb979f56

bump docker/go-units v0.3.3

relevant changes:

- docker/go-units#8 Enhance FromHumanSize to parse float64 string
- docker/go-units#20 Add `HumanSizeWithPrecision` function

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>


Sebastiaan van Stijn

commit sha 1150ce9c6efc7271dad2de6c3942858dba400bbd

bump urfave/cli v1.20.0 previous version was somewhere between v1.18 and v1.19 Signed-off-by: Sebastiaan van Stijn <github@gone.nl>


Sebastiaan van Stijn

commit sha eb86f6037ec7b90497a447b3f91e5a69e66442c7

bump syndtr/gocapability d98352740cb2c55f81556b63d4a1ec64c5a319c2

relevant changes:

- syndtr/gocapability#14 capability: Deprecate NewPid and NewFile for NewPid2 and NewFile2
- syndtr/gocapability#16 Fix capHeader.pid type

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>


Sebastiaan van Stijn

commit sha 21498b8e5458e15c08a945b567a4e67a94e1f914

bump mrunalp/fileutils 7d4729fb36185a7c1719923406c9d40e54fb93c7 no significant changes, other than some linting fixes Signed-off-by: Sebastiaan van Stijn <github@gone.nl>


Sebastiaan van Stijn

commit sha 85c02f3f308074c240b1da7c14299a34a2bb27f8

bump coreos/go-systemd v19, godbus/dbus v5.0.1

- https://github.com/coreos/go-systemd/compare/v14..v19
- coreos/go-systemd#248 dbus: add SetPropertiesSubscriber method
- coreos/go-systemd#251 activation: add support for listeners with names
- coreos/go-systemd#296 dbus: Fix API break from godbus
- https://github.com/godbus/dbus/compare/v3..v5.0.1
- godbus/dbus#89 introduce MakeVariantWithSignature

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>


Sebastiaan van Stijn

commit sha 115d4b9e57af68946f110b76e9af968576e15f49

bump golang/protobuf v1.0.0 Signed-off-by: Sebastiaan van Stijn <github@gone.nl>


Qiang Huang

commit sha a6606a7ae9d9e00bf0a8721ee1d4eb095fcc4ad6

Merge pull request #2029 from thaJeztah/bump_dependencies Update dependencies


push time in 6 months

PR merged opencontainers/runc

Update dependencies

Thought I'd do a round of updating dependencies, and where possible use tagged versions

Also formatting the vendor.conf file, and pinning all deps by git-sha, to make it more readable and to encourage pinning by sha, but aligned to a tagged release.

  • https://github.com/pkg/errors/compare/v0.8.0...v0.8.1
  • https://github.com/containerd/console/compare/2748ece16665b45a47f884001d5831ec79703880...0650fd9eeb50bab4fc99dceb9f2e14cf58f36e7f
    • containerd/console#27 console_linux: Fix race: lock Cond before Signal
  • https://github.com/docker/go-units/compare/v0.2.0...v0.3.3
    • docker/go-units#8 Enhance FromHumanSize to parse float64 string
    • docker/go-units#20 Add HumanSizeWithPrecision function
  • https://github.com/urfave/cli/compare/d53eb991652b1d438abdd34ce4bfa3ef1539108e...v1.20.0
    • previous version was somewhere between v1.18 and v1.19
  • https://github.com/syndtr/gocapability/compare/db04d3cc01c8b54962a58ec7e491717d06cfcc16...d98352740cb2c55f81556b63d4a1ec64c5a319c2
    • syndtr/gocapability#14 capability: Deprecate NewPid and NewFile for NewPid2 and NewFile2
    • syndtr/gocapability#16 Fix capHeader.pid type
  • https://github.com/mrunalp/fileutils/compare/ed869b029674c0e9ce4c0dfa781405c2d9946d08...7d4729fb36185a7c1719923406c9d40e54fb93c7
    • no significant changes, other than some linting fixes
  • https://github.com/coreos/go-systemd/compare/v14..v19
    • coreos/go-systemd#248 dbus: add SetPropertiesSubscriber method
    • coreos/go-systemd#251 activation: add support for listeners with names
    • coreos/go-systemd#296 dbus: Fix API break from godbus
  • https://github.com/godbus/dbus/compare/v3..v5.0.1
    • godbus/dbus#89 introduce MakeVariantWithSignature
  • https://github.com/golang/protobuf/compare/18c9bb3261723cd5401db4d0c9fbc5c3b6c70fe8...v1.0.0
    • picking the first tagged release (newer versions exist, but I have bad experiences with bumping, lol)
+3422 -937

16 comments

79 changed files

thaJeztah

pr closed time in 6 months

pull request comment opencontainers/runc

Update dependencies

LGTM

thaJeztah

comment created time in 6 months
