diff --git a/Gopkg.lock b/Gopkg.lock
index d2e08ef408f500b7bb0d458f11619c73a804173f..90c253ee95c461355b9d19fa91e448fa3248f881 100644
--- a/Gopkg.lock
+++ b/Gopkg.lock
@@ -523,13 +523,12 @@
version = "v1.0.1"
[[projects]]
- branch = "gitlab-runner"
- digest = "1:75b40fc42638e16795927c70e04245019e3ac57ae1253b8e4b2b9f6e7b9c1842"
+ branch = "master"
+ digest = "1:37fa7939ecc94700a86a4658e769e5b298d38685b29c43e8100e10b123971cc4"
name = "github.com/opencontainers/runc"
packages = ["libcontainer/user"]
pruneopts = "N"
- revision = "fd48010b807f3c267c19f8f14ca6dca2370d0b54"
- source = "github.com/nolith/runc"
+ revision = "c1e454b2a1bfb0f0ebd9e621a1433f98f9a8d4b0"
[[projects]]
digest = "1:5da5dc86bcd23e94befc0048ccd757fc1706ebd3aa6c0ca9575d8b9def1b8f26"
diff --git a/Gopkg.toml b/Gopkg.toml
index e8f82aeb165d47caefa23f2b5e587129107f58b3..a22189a3f39728fa3729b2dcdc70fbb340719da3 100644
--- a/Gopkg.toml
+++ b/Gopkg.toml
@@ -229,11 +229,9 @@ ignored = ["test", "appengine"]
name = "github.com/minio/go-homedir"
revision = "4d76aabb80b22bad8695d3904e943f1fb5e6199f"
-# temporary fork to hanled Sirupsen -> sirupsen
[[override]]
name = "github.com/opencontainers/runc"
- branch = "gitlab-runner"
- source = "github.com/nolith/runc"
+ branch = "master"
[[override]]
name = "github.com/opencontainers/runtime-spec"
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/Sirupsen/logrus/LICENSE b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/Sirupsen/logrus/LICENSE
deleted file mode 100644
index f090cb42f370bda9e7f4f58d9b8b8ee2750c115f..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/Sirupsen/logrus/LICENSE
+++ /dev/null
@@ -1,21 +0,0 @@
-The MIT License (MIT)
-
-Copyright (c) 2014 Simon Eskildsen
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-THE SOFTWARE.
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/Sirupsen/logrus/entry.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/Sirupsen/logrus/entry.go
deleted file mode 100644
index 17fe6f707bca7c5d58a81b8e2e15543960e7a6f5..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/Sirupsen/logrus/entry.go
+++ /dev/null
@@ -1,252 +0,0 @@
-package logrus
-
-import (
- "bytes"
- "fmt"
- "io"
- "os"
- "time"
-)
-
-// An entry is the final or intermediate Logrus logging entry. It contains all
-// the fields passed with WithField{,s}. It's finally logged when Debug, Info,
-// Warn, Error, Fatal or Panic is called on it. These objects can be reused and
-// passed around as much as you wish to avoid field duplication.
-type Entry struct {
- Logger *Logger
-
- // Contains all the fields set by the user.
- Data Fields
-
- // Time at which the log entry was created
- Time time.Time
-
- // Level the log entry was logged at: Debug, Info, Warn, Error, Fatal or Panic
- Level Level
-
- // Message passed to Debug, Info, Warn, Error, Fatal or Panic
- Message string
-}
-
-func NewEntry(logger *Logger) *Entry {
- return &Entry{
- Logger: logger,
- // Default is three fields, give a little extra room
- Data: make(Fields, 5),
- }
-}
-
-// Returns a reader for the entry, which is a proxy to the formatter.
-func (entry *Entry) Reader() (*bytes.Buffer, error) {
- serialized, err := entry.Logger.Formatter.Format(entry)
- return bytes.NewBuffer(serialized), err
-}
-
-// Returns the string representation from the reader and ultimately the
-// formatter.
-func (entry *Entry) String() (string, error) {
- reader, err := entry.Reader()
- if err != nil {
- return "", err
- }
-
- return reader.String(), err
-}
-
-// Add a single field to the Entry.
-func (entry *Entry) WithField(key string, value interface{}) *Entry {
- return entry.WithFields(Fields{key: value})
-}
-
-// Add a map of fields to the Entry.
-func (entry *Entry) WithFields(fields Fields) *Entry {
- data := Fields{}
- for k, v := range entry.Data {
- data[k] = v
- }
- for k, v := range fields {
- data[k] = v
- }
- return &Entry{Logger: entry.Logger, Data: data}
-}
-
-func (entry *Entry) log(level Level, msg string) {
- entry.Time = time.Now()
- entry.Level = level
- entry.Message = msg
-
- if err := entry.Logger.Hooks.Fire(level, entry); err != nil {
- entry.Logger.mu.Lock()
- fmt.Fprintf(os.Stderr, "Failed to fire hook: %v\n", err)
- entry.Logger.mu.Unlock()
- }
-
- reader, err := entry.Reader()
- if err != nil {
- entry.Logger.mu.Lock()
- fmt.Fprintf(os.Stderr, "Failed to obtain reader, %v\n", err)
- entry.Logger.mu.Unlock()
- }
-
- entry.Logger.mu.Lock()
- defer entry.Logger.mu.Unlock()
-
- _, err = io.Copy(entry.Logger.Out, reader)
- if err != nil {
- fmt.Fprintf(os.Stderr, "Failed to write to log, %v\n", err)
- }
-
- // To avoid Entry#log() returning a value that only would make sense for
- // panic() to use in Entry#Panic(), we avoid the allocation by checking
- // directly here.
- if level <= PanicLevel {
- panic(entry)
- }
-}
-
-func (entry *Entry) Debug(args ...interface{}) {
- if entry.Logger.Level >= DebugLevel {
- entry.log(DebugLevel, fmt.Sprint(args...))
- }
-}
-
-func (entry *Entry) Print(args ...interface{}) {
- entry.Info(args...)
-}
-
-func (entry *Entry) Info(args ...interface{}) {
- if entry.Logger.Level >= InfoLevel {
- entry.log(InfoLevel, fmt.Sprint(args...))
- }
-}
-
-func (entry *Entry) Warn(args ...interface{}) {
- if entry.Logger.Level >= WarnLevel {
- entry.log(WarnLevel, fmt.Sprint(args...))
- }
-}
-
-func (entry *Entry) Warning(args ...interface{}) {
- entry.Warn(args...)
-}
-
-func (entry *Entry) Error(args ...interface{}) {
- if entry.Logger.Level >= ErrorLevel {
- entry.log(ErrorLevel, fmt.Sprint(args...))
- }
-}
-
-func (entry *Entry) Fatal(args ...interface{}) {
- if entry.Logger.Level >= FatalLevel {
- entry.log(FatalLevel, fmt.Sprint(args...))
- }
- os.Exit(1)
-}
-
-func (entry *Entry) Panic(args ...interface{}) {
- if entry.Logger.Level >= PanicLevel {
- entry.log(PanicLevel, fmt.Sprint(args...))
- }
- panic(fmt.Sprint(args...))
-}
-
-// Entry Printf family functions
-
-func (entry *Entry) Debugf(format string, args ...interface{}) {
- if entry.Logger.Level >= DebugLevel {
- entry.Debug(fmt.Sprintf(format, args...))
- }
-}
-
-func (entry *Entry) Infof(format string, args ...interface{}) {
- if entry.Logger.Level >= InfoLevel {
- entry.Info(fmt.Sprintf(format, args...))
- }
-}
-
-func (entry *Entry) Printf(format string, args ...interface{}) {
- entry.Infof(format, args...)
-}
-
-func (entry *Entry) Warnf(format string, args ...interface{}) {
- if entry.Logger.Level >= WarnLevel {
- entry.Warn(fmt.Sprintf(format, args...))
- }
-}
-
-func (entry *Entry) Warningf(format string, args ...interface{}) {
- entry.Warnf(format, args...)
-}
-
-func (entry *Entry) Errorf(format string, args ...interface{}) {
- if entry.Logger.Level >= ErrorLevel {
- entry.Error(fmt.Sprintf(format, args...))
- }
-}
-
-func (entry *Entry) Fatalf(format string, args ...interface{}) {
- if entry.Logger.Level >= FatalLevel {
- entry.Fatal(fmt.Sprintf(format, args...))
- }
-}
-
-func (entry *Entry) Panicf(format string, args ...interface{}) {
- if entry.Logger.Level >= PanicLevel {
- entry.Panic(fmt.Sprintf(format, args...))
- }
-}
-
-// Entry Println family functions
-
-func (entry *Entry) Debugln(args ...interface{}) {
- if entry.Logger.Level >= DebugLevel {
- entry.Debug(entry.sprintlnn(args...))
- }
-}
-
-func (entry *Entry) Infoln(args ...interface{}) {
- if entry.Logger.Level >= InfoLevel {
- entry.Info(entry.sprintlnn(args...))
- }
-}
-
-func (entry *Entry) Println(args ...interface{}) {
- entry.Infoln(args...)
-}
-
-func (entry *Entry) Warnln(args ...interface{}) {
- if entry.Logger.Level >= WarnLevel {
- entry.Warn(entry.sprintlnn(args...))
- }
-}
-
-func (entry *Entry) Warningln(args ...interface{}) {
- entry.Warnln(args...)
-}
-
-func (entry *Entry) Errorln(args ...interface{}) {
- if entry.Logger.Level >= ErrorLevel {
- entry.Error(entry.sprintlnn(args...))
- }
-}
-
-func (entry *Entry) Fatalln(args ...interface{}) {
- if entry.Logger.Level >= FatalLevel {
- entry.Fatal(entry.sprintlnn(args...))
- }
-}
-
-func (entry *Entry) Panicln(args ...interface{}) {
- if entry.Logger.Level >= PanicLevel {
- entry.Panic(entry.sprintlnn(args...))
- }
-}
-
-// Sprintlnn => Sprint no newline. This is to get the behavior of how
-// fmt.Sprintln where spaces are always added between operands, regardless of
-// their type. Instead of vendoring the Sprintln implementation to spare a
-// string allocation, we do the simplest thing.
-func (entry *Entry) sprintlnn(args ...interface{}) string {
- msg := fmt.Sprintln(args...)
- return msg[:len(msg)-1]
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/Sirupsen/logrus/examples/basic/basic.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/Sirupsen/logrus/examples/basic/basic.go
deleted file mode 100644
index b22468d9c3ee43d96d8dadd9514b0ca4b9b582cd..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/Sirupsen/logrus/examples/basic/basic.go
+++ /dev/null
@@ -1,50 +0,0 @@
-package main
-
-import (
- "github.com/sirupsen/logrus"
-)
-
-var log = logrus.New()
-
-func init() {
- log.Formatter = new(logrus.JSONFormatter)
- log.Formatter = new(logrus.TextFormatter) // default
- log.Level = logrus.DebugLevel
-}
-
-func main() {
- defer func() {
- err := recover()
- if err != nil {
- log.WithFields(logrus.Fields{
- "omg": true,
- "err": err,
- "number": 100,
- }).Fatal("The ice breaks!")
- }
- }()
-
- log.WithFields(logrus.Fields{
- "animal": "walrus",
- "number": 8,
- }).Debug("Started observing beach")
-
- log.WithFields(logrus.Fields{
- "animal": "walrus",
- "size": 10,
- }).Info("A group of walrus emerges from the ocean")
-
- log.WithFields(logrus.Fields{
- "omg": true,
- "number": 122,
- }).Warn("The group's number increased tremendously!")
-
- log.WithFields(logrus.Fields{
- "temperature": -4,
- }).Debug("Temperature changes")
-
- log.WithFields(logrus.Fields{
- "animal": "orca",
- "size": 9009,
- }).Panic("It's over 9000!")
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/Sirupsen/logrus/examples/hook/hook.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/Sirupsen/logrus/examples/hook/hook.go
deleted file mode 100644
index 754acc0cf2bc7810bcb9cef4e95d28f7ec08d122..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/Sirupsen/logrus/examples/hook/hook.go
+++ /dev/null
@@ -1,30 +0,0 @@
-package main
-
-import (
- "github.com/sirupsen/logrus"
- "github.com/sirupsen/logrus/hooks/airbrake"
-)
-
-var log = logrus.New()
-
-func init() {
- log.Formatter = new(logrus.TextFormatter) // default
- log.Hooks.Add(airbrake.NewHook("https://example.com", "xyz", "development"))
-}
-
-func main() {
- log.WithFields(logrus.Fields{
- "animal": "walrus",
- "size": 10,
- }).Info("A group of walrus emerges from the ocean")
-
- log.WithFields(logrus.Fields{
- "omg": true,
- "number": 122,
- }).Warn("The group's number increased tremendously!")
-
- log.WithFields(logrus.Fields{
- "omg": true,
- "number": 100,
- }).Fatal("The ice breaks!")
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/Sirupsen/logrus/exported.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/Sirupsen/logrus/exported.go
deleted file mode 100644
index a67e1b802d9143be3b804a60776dc6f07163b180..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/Sirupsen/logrus/exported.go
+++ /dev/null
@@ -1,188 +0,0 @@
-package logrus
-
-import (
- "io"
-)
-
-var (
- // std is the name of the standard logger in stdlib `log`
- std = New()
-)
-
-func StandardLogger() *Logger {
- return std
-}
-
-// SetOutput sets the standard logger output.
-func SetOutput(out io.Writer) {
- std.mu.Lock()
- defer std.mu.Unlock()
- std.Out = out
-}
-
-// SetFormatter sets the standard logger formatter.
-func SetFormatter(formatter Formatter) {
- std.mu.Lock()
- defer std.mu.Unlock()
- std.Formatter = formatter
-}
-
-// SetLevel sets the standard logger level.
-func SetLevel(level Level) {
- std.mu.Lock()
- defer std.mu.Unlock()
- std.Level = level
-}
-
-// GetLevel returns the standard logger level.
-func GetLevel() Level {
- std.mu.Lock()
- defer std.mu.Unlock()
- return std.Level
-}
-
-// AddHook adds a hook to the standard logger hooks.
-func AddHook(hook Hook) {
- std.mu.Lock()
- defer std.mu.Unlock()
- std.Hooks.Add(hook)
-}
-
-// WithField creates an entry from the standard logger and adds a field to
-// it. If you want multiple fields, use `WithFields`.
-//
-// Note that it doesn't log until you call Debug, Print, Info, Warn, Fatal
-// or Panic on the Entry it returns.
-func WithField(key string, value interface{}) *Entry {
- return std.WithField(key, value)
-}
-
-// WithFields creates an entry from the standard logger and adds multiple
-// fields to it. This is simply a helper for `WithField`, invoking it
-// once for each field.
-//
-// Note that it doesn't log until you call Debug, Print, Info, Warn, Fatal
-// or Panic on the Entry it returns.
-func WithFields(fields Fields) *Entry {
- return std.WithFields(fields)
-}
-
-// Debug logs a message at level Debug on the standard logger.
-func Debug(args ...interface{}) {
- std.Debug(args...)
-}
-
-// Print logs a message at level Info on the standard logger.
-func Print(args ...interface{}) {
- std.Print(args...)
-}
-
-// Info logs a message at level Info on the standard logger.
-func Info(args ...interface{}) {
- std.Info(args...)
-}
-
-// Warn logs a message at level Warn on the standard logger.
-func Warn(args ...interface{}) {
- std.Warn(args...)
-}
-
-// Warning logs a message at level Warn on the standard logger.
-func Warning(args ...interface{}) {
- std.Warning(args...)
-}
-
-// Error logs a message at level Error on the standard logger.
-func Error(args ...interface{}) {
- std.Error(args...)
-}
-
-// Panic logs a message at level Panic on the standard logger.
-func Panic(args ...interface{}) {
- std.Panic(args...)
-}
-
-// Fatal logs a message at level Fatal on the standard logger.
-func Fatal(args ...interface{}) {
- std.Fatal(args...)
-}
-
-// Debugf logs a message at level Debug on the standard logger.
-func Debugf(format string, args ...interface{}) {
- std.Debugf(format, args...)
-}
-
-// Printf logs a message at level Info on the standard logger.
-func Printf(format string, args ...interface{}) {
- std.Printf(format, args...)
-}
-
-// Infof logs a message at level Info on the standard logger.
-func Infof(format string, args ...interface{}) {
- std.Infof(format, args...)
-}
-
-// Warnf logs a message at level Warn on the standard logger.
-func Warnf(format string, args ...interface{}) {
- std.Warnf(format, args...)
-}
-
-// Warningf logs a message at level Warn on the standard logger.
-func Warningf(format string, args ...interface{}) {
- std.Warningf(format, args...)
-}
-
-// Errorf logs a message at level Error on the standard logger.
-func Errorf(format string, args ...interface{}) {
- std.Errorf(format, args...)
-}
-
-// Panicf logs a message at level Panic on the standard logger.
-func Panicf(format string, args ...interface{}) {
- std.Panicf(format, args...)
-}
-
-// Fatalf logs a message at level Fatal on the standard logger.
-func Fatalf(format string, args ...interface{}) {
- std.Fatalf(format, args...)
-}
-
-// Debugln logs a message at level Debug on the standard logger.
-func Debugln(args ...interface{}) {
- std.Debugln(args...)
-}
-
-// Println logs a message at level Info on the standard logger.
-func Println(args ...interface{}) {
- std.Println(args...)
-}
-
-// Infoln logs a message at level Info on the standard logger.
-func Infoln(args ...interface{}) {
- std.Infoln(args...)
-}
-
-// Warnln logs a message at level Warn on the standard logger.
-func Warnln(args ...interface{}) {
- std.Warnln(args...)
-}
-
-// Warningln logs a message at level Warn on the standard logger.
-func Warningln(args ...interface{}) {
- std.Warningln(args...)
-}
-
-// Errorln logs a message at level Error on the standard logger.
-func Errorln(args ...interface{}) {
- std.Errorln(args...)
-}
-
-// Panicln logs a message at level Panic on the standard logger.
-func Panicln(args ...interface{}) {
- std.Panicln(args...)
-}
-
-// Fatalln logs a message at level Fatal on the standard logger.
-func Fatalln(args ...interface{}) {
- std.Fatalln(args...)
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/Sirupsen/logrus/formatter.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/Sirupsen/logrus/formatter.go
deleted file mode 100644
index 104d689f187eb50d9a4ab7d4142e94baf5cf6ed8..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/Sirupsen/logrus/formatter.go
+++ /dev/null
@@ -1,48 +0,0 @@
-package logrus
-
-import "time"
-
-const DefaultTimestampFormat = time.RFC3339
-
-// The Formatter interface is used to implement a custom Formatter. It takes an
-// `Entry`. It exposes all the fields, including the default ones:
-//
-// * `entry.Data["msg"]`. The message passed from Info, Warn, Error ..
-// * `entry.Data["time"]`. The timestamp.
-// * `entry.Data["level"]. The level the entry was logged at.
-//
-// Any additional fields added with `WithField` or `WithFields` are also in
-// `entry.Data`. Format is expected to return an array of bytes which are then
-// logged to `logger.Out`.
-type Formatter interface {
- Format(*Entry) ([]byte, error)
-}
-
-// This is to not silently overwrite `time`, `msg` and `level` fields when
-// dumping it. If this code wasn't there doing:
-//
-// logrus.WithField("level", 1).Info("hello")
-//
-// Would just silently drop the user provided level. Instead with this code
-// it'll logged as:
-//
-// {"level": "info", "fields.level": 1, "msg": "hello", "time": "..."}
-//
-// It's not exported because it's still using Data in an opinionated way. It's to
-// avoid code duplication between the two default formatters.
-func prefixFieldClashes(data Fields) {
- _, ok := data["time"]
- if ok {
- data["fields.time"] = data["time"]
- }
-
- _, ok = data["msg"]
- if ok {
- data["fields.msg"] = data["msg"]
- }
-
- _, ok = data["level"]
- if ok {
- data["fields.level"] = data["level"]
- }
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/Sirupsen/logrus/formatters/logstash/logstash.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/Sirupsen/logrus/formatters/logstash/logstash.go
deleted file mode 100644
index 6e5292785b1fb8769f979d6d66b993e6a4baef8f..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/Sirupsen/logrus/formatters/logstash/logstash.go
+++ /dev/null
@@ -1,56 +0,0 @@
-package logstash
-
-import (
- "encoding/json"
- "fmt"
-
- "github.com/sirupsen/logrus"
-)
-
-// Formatter generates json in logstash format.
-// Logstash site: http://logstash.net/
-type LogstashFormatter struct {
- Type string // if not empty use for logstash type field.
-
- // TimestampFormat sets the format used for timestamps.
- TimestampFormat string
-}
-
-func (f *LogstashFormatter) Format(entry *logrus.Entry) ([]byte, error) {
- entry.Data["@version"] = 1
-
- if f.TimestampFormat == "" {
- f.TimestampFormat = logrus.DefaultTimestampFormat
- }
-
- entry.Data["@timestamp"] = entry.Time.Format(f.TimestampFormat)
-
- // set message field
- v, ok := entry.Data["message"]
- if ok {
- entry.Data["fields.message"] = v
- }
- entry.Data["message"] = entry.Message
-
- // set level field
- v, ok = entry.Data["level"]
- if ok {
- entry.Data["fields.level"] = v
- }
- entry.Data["level"] = entry.Level.String()
-
- // set type field
- if f.Type != "" {
- v, ok = entry.Data["type"]
- if ok {
- entry.Data["fields.type"] = v
- }
- entry.Data["type"] = f.Type
- }
-
- serialized, err := json.Marshal(entry.Data)
- if err != nil {
- return nil, fmt.Errorf("Failed to marshal fields to JSON, %v", err)
- }
- return append(serialized, '\n'), nil
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/Sirupsen/logrus/hooks.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/Sirupsen/logrus/hooks.go
deleted file mode 100644
index 0da2b3653f5b8556ace1049e1a6b27258313511f..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/Sirupsen/logrus/hooks.go
+++ /dev/null
@@ -1,34 +0,0 @@
-package logrus
-
-// A hook to be fired when logging on the logging levels returned from
-// `Levels()` on your implementation of the interface. Note that this is not
-// fired in a goroutine or a channel with workers, you should handle such
-// functionality yourself if your call is non-blocking and you don't wish for
-// the logging calls for levels returned from `Levels()` to block.
-type Hook interface {
- Levels() []Level
- Fire(*Entry) error
-}
-
-// Internal type for storing the hooks on a logger instance.
-type levelHooks map[Level][]Hook
-
-// Add a hook to an instance of logger. This is called with
-// `log.Hooks.Add(new(MyHook))` where `MyHook` implements the `Hook` interface.
-func (hooks levelHooks) Add(hook Hook) {
- for _, level := range hook.Levels() {
- hooks[level] = append(hooks[level], hook)
- }
-}
-
-// Fire all the hooks for the passed level. Used by `entry.log` to fire
-// appropriate hooks for a log entry.
-func (hooks levelHooks) Fire(level Level, entry *Entry) error {
- for _, hook := range hooks[level] {
- if err := hook.Fire(entry); err != nil {
- return err
- }
- }
-
- return nil
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/Sirupsen/logrus/hooks/airbrake/airbrake.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/Sirupsen/logrus/hooks/airbrake/airbrake.go
deleted file mode 100644
index 1dc5a412475d80536fcfe252583042e06011f8cc..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/Sirupsen/logrus/hooks/airbrake/airbrake.go
+++ /dev/null
@@ -1,54 +0,0 @@
-package airbrake
-
-import (
- "errors"
- "fmt"
-
- "github.com/sirupsen/logrus"
- "github.com/tobi/airbrake-go"
-)
-
-// AirbrakeHook to send exceptions to an exception-tracking service compatible
-// with the Airbrake API.
-type airbrakeHook struct {
- APIKey string
- Endpoint string
- Environment string
-}
-
-func NewHook(endpoint, apiKey, env string) *airbrakeHook {
- return &airbrakeHook{
- APIKey: apiKey,
- Endpoint: endpoint,
- Environment: env,
- }
-}
-
-func (hook *airbrakeHook) Fire(entry *logrus.Entry) error {
- airbrake.ApiKey = hook.APIKey
- airbrake.Endpoint = hook.Endpoint
- airbrake.Environment = hook.Environment
-
- var notifyErr error
- err, ok := entry.Data["error"].(error)
- if ok {
- notifyErr = err
- } else {
- notifyErr = errors.New(entry.Message)
- }
-
- airErr := airbrake.Notify(notifyErr)
- if airErr != nil {
- return fmt.Errorf("Failed to send error to Airbrake: %s", airErr)
- }
-
- return nil
-}
-
-func (hook *airbrakeHook) Levels() []logrus.Level {
- return []logrus.Level{
- logrus.ErrorLevel,
- logrus.FatalLevel,
- logrus.PanicLevel,
- }
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/Sirupsen/logrus/hooks/bugsnag/bugsnag.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/Sirupsen/logrus/hooks/bugsnag/bugsnag.go
deleted file mode 100644
index fb9c9c9d172682eae3bde218a8dd4a68ea9496dc..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/Sirupsen/logrus/hooks/bugsnag/bugsnag.go
+++ /dev/null
@@ -1,68 +0,0 @@
-package logrus_bugsnag
-
-import (
- "errors"
-
- "github.com/sirupsen/logrus"
- "github.com/bugsnag/bugsnag-go"
-)
-
-type bugsnagHook struct{}
-
-// ErrBugsnagUnconfigured is returned if NewBugsnagHook is called before
-// bugsnag.Configure. Bugsnag must be configured before the hook.
-var ErrBugsnagUnconfigured = errors.New("bugsnag must be configured before installing this logrus hook")
-
-// ErrBugsnagSendFailed indicates that the hook failed to submit an error to
-// bugsnag. The error was successfully generated, but `bugsnag.Notify()`
-// failed.
-type ErrBugsnagSendFailed struct {
- err error
-}
-
-func (e ErrBugsnagSendFailed) Error() string {
- return "failed to send error to Bugsnag: " + e.err.Error()
-}
-
-// NewBugsnagHook initializes a logrus hook which sends exceptions to an
-// exception-tracking service compatible with the Bugsnag API. Before using
-// this hook, you must call bugsnag.Configure(). The returned object should be
-// registered with a log via `AddHook()`
-//
-// Entries that trigger an Error, Fatal or Panic should now include an "error"
-// field to send to Bugsnag.
-func NewBugsnagHook() (*bugsnagHook, error) {
- if bugsnag.Config.APIKey == "" {
- return nil, ErrBugsnagUnconfigured
- }
- return &bugsnagHook{}, nil
-}
-
-// Fire forwards an error to Bugsnag. Given a logrus.Entry, it extracts the
-// "error" field (or the Message if the error isn't present) and sends it off.
-func (hook *bugsnagHook) Fire(entry *logrus.Entry) error {
- var notifyErr error
- err, ok := entry.Data["error"].(error)
- if ok {
- notifyErr = err
- } else {
- notifyErr = errors.New(entry.Message)
- }
-
- bugsnagErr := bugsnag.Notify(notifyErr)
- if bugsnagErr != nil {
- return ErrBugsnagSendFailed{bugsnagErr}
- }
-
- return nil
-}
-
-// Levels enumerates the log levels on which the error should be forwarded to
-// bugsnag: everything at or above the "Error" level.
-func (hook *bugsnagHook) Levels() []logrus.Level {
- return []logrus.Level{
- logrus.ErrorLevel,
- logrus.FatalLevel,
- logrus.PanicLevel,
- }
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/Sirupsen/logrus/hooks/papertrail/papertrail.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/Sirupsen/logrus/hooks/papertrail/papertrail.go
deleted file mode 100644
index c1549b21413c30df9b823e29080925dae9dd5dfe..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/Sirupsen/logrus/hooks/papertrail/papertrail.go
+++ /dev/null
@@ -1,55 +0,0 @@
-package logrus_papertrail
-
-import (
- "fmt"
- "net"
- "os"
- "time"
-
- "github.com/sirupsen/logrus"
-)
-
-const (
- format = "Jan 2 15:04:05"
-)
-
-// PapertrailHook to send logs to a logging service compatible with the Papertrail API.
-type PapertrailHook struct {
- Host string
- Port int
- AppName string
- UDPConn net.Conn
-}
-
-// NewPapertrailHook creates a hook to be added to an instance of logger.
-func NewPapertrailHook(host string, port int, appName string) (*PapertrailHook, error) {
- conn, err := net.Dial("udp", fmt.Sprintf("%s:%d", host, port))
- return &PapertrailHook{host, port, appName, conn}, err
-}
-
-// Fire is called when a log event is fired.
-func (hook *PapertrailHook) Fire(entry *logrus.Entry) error {
- date := time.Now().Format(format)
- msg, _ := entry.String()
- payload := fmt.Sprintf("<22> %s %s: %s", date, hook.AppName, msg)
-
- bytesWritten, err := hook.UDPConn.Write([]byte(payload))
- if err != nil {
- fmt.Fprintf(os.Stderr, "Unable to send log line to Papertrail via UDP. Wrote %d bytes before error: %v", bytesWritten, err)
- return err
- }
-
- return nil
-}
-
-// Levels returns the available logging levels.
-func (hook *PapertrailHook) Levels() []logrus.Level {
- return []logrus.Level{
- logrus.PanicLevel,
- logrus.FatalLevel,
- logrus.ErrorLevel,
- logrus.WarnLevel,
- logrus.InfoLevel,
- logrus.DebugLevel,
- }
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/Sirupsen/logrus/hooks/sentry/sentry.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/Sirupsen/logrus/hooks/sentry/sentry.go
deleted file mode 100644
index 4e29565ba9754c1ca67852d1d84c1e416d9485b2..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/Sirupsen/logrus/hooks/sentry/sentry.go
+++ /dev/null
@@ -1,100 +0,0 @@
-package logrus_sentry
-
-import (
- "fmt"
- "time"
-
- "github.com/sirupsen/logrus"
- "github.com/getsentry/raven-go"
-)
-
-var (
- severityMap = map[logrus.Level]raven.Severity{
- logrus.DebugLevel: raven.DEBUG,
- logrus.InfoLevel: raven.INFO,
- logrus.WarnLevel: raven.WARNING,
- logrus.ErrorLevel: raven.ERROR,
- logrus.FatalLevel: raven.FATAL,
- logrus.PanicLevel: raven.FATAL,
- }
-)
-
-func getAndDel(d logrus.Fields, key string) (string, bool) {
- var (
- ok bool
- v interface{}
- val string
- )
- if v, ok = d[key]; !ok {
- return "", false
- }
-
- if val, ok = v.(string); !ok {
- return "", false
- }
- delete(d, key)
- return val, true
-}
-
-// SentryHook delivers logs to a sentry server.
-type SentryHook struct {
- // Timeout sets the time to wait for a delivery error from the sentry server.
- // If this is set to zero the server will not wait for any response and will
- // consider the message correctly sent
- Timeout time.Duration
-
- client *raven.Client
- levels []logrus.Level
-}
-
-// NewSentryHook creates a hook to be added to an instance of logger
-// and initializes the raven client.
-// This method sets the timeout to 100 milliseconds.
-func NewSentryHook(DSN string, levels []logrus.Level) (*SentryHook, error) {
- client, err := raven.NewClient(DSN, nil)
- if err != nil {
- return nil, err
- }
- return &SentryHook{100 * time.Millisecond, client, levels}, nil
-}
-
-// Called when an event should be sent to sentry
-// Special fields that sentry uses to give more information to the server
-// are extracted from entry.Data (if they are found)
-// These fields are: logger and server_name
-func (hook *SentryHook) Fire(entry *logrus.Entry) error {
- packet := &raven.Packet{
- Message: entry.Message,
- Timestamp: raven.Timestamp(entry.Time),
- Level: severityMap[entry.Level],
- Platform: "go",
- }
-
- d := entry.Data
-
- if logger, ok := getAndDel(d, "logger"); ok {
- packet.Logger = logger
- }
- if serverName, ok := getAndDel(d, "server_name"); ok {
- packet.ServerName = serverName
- }
- packet.Extra = map[string]interface{}(d)
-
- _, errCh := hook.client.Capture(packet, nil)
- timeout := hook.Timeout
- if timeout != 0 {
- timeoutCh := time.After(timeout)
- select {
- case err := <-errCh:
- return err
- case <-timeoutCh:
- return fmt.Errorf("no response from sentry server in %s", timeout)
- }
- }
- return nil
-}
-
-// Levels returns the available logging levels.
-func (hook *SentryHook) Levels() []logrus.Level {
- return hook.levels
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/Sirupsen/logrus/hooks/syslog/syslog.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/Sirupsen/logrus/hooks/syslog/syslog.go
deleted file mode 100644
index 430f646e888eb96653a45fbfc2125ead0f2752dc..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/Sirupsen/logrus/hooks/syslog/syslog.go
+++ /dev/null
@@ -1,59 +0,0 @@
-package logrus_syslog
-
-import (
- "fmt"
- "github.com/sirupsen/logrus"
- "log/syslog"
- "os"
-)
-
-// SyslogHook to send logs via syslog.
-type SyslogHook struct {
- Writer *syslog.Writer
- SyslogNetwork string
- SyslogRaddr string
-}
-
-// Creates a hook to be added to an instance of logger. This is called with
-// `hook, err := NewSyslogHook("udp", "localhost:514", syslog.LOG_DEBUG, "")`
-// `if err == nil { log.Hooks.Add(hook) }`
-func NewSyslogHook(network, raddr string, priority syslog.Priority, tag string) (*SyslogHook, error) {
- w, err := syslog.Dial(network, raddr, priority, tag)
- return &SyslogHook{w, network, raddr}, err
-}
-
-func (hook *SyslogHook) Fire(entry *logrus.Entry) error {
- line, err := entry.String()
- if err != nil {
- fmt.Fprintf(os.Stderr, "Unable to read entry, %v", err)
- return err
- }
-
- switch entry.Level {
- case logrus.PanicLevel:
- return hook.Writer.Crit(line)
- case logrus.FatalLevel:
- return hook.Writer.Crit(line)
- case logrus.ErrorLevel:
- return hook.Writer.Err(line)
- case logrus.WarnLevel:
- return hook.Writer.Warning(line)
- case logrus.InfoLevel:
- return hook.Writer.Info(line)
- case logrus.DebugLevel:
- return hook.Writer.Debug(line)
- default:
- return nil
- }
-}
-
-func (hook *SyslogHook) Levels() []logrus.Level {
- return []logrus.Level{
- logrus.PanicLevel,
- logrus.FatalLevel,
- logrus.ErrorLevel,
- logrus.WarnLevel,
- logrus.InfoLevel,
- logrus.DebugLevel,
- }
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/Sirupsen/logrus/json_formatter.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/Sirupsen/logrus/json_formatter.go
deleted file mode 100644
index e733b0a1a3ccbdc9f92e8a5a8f267d58cfae1630..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/Sirupsen/logrus/json_formatter.go
+++ /dev/null
@@ -1,40 +0,0 @@
-package logrus
-
-import (
- "encoding/json"
- "fmt"
-)
-
-type JSONFormatter struct {
- // TimestampFormat sets the format used for marshaling timestamps.
- TimestampFormat string
-}
-
-func (f *JSONFormatter) Format(entry *Entry) ([]byte, error) {
- data := make(Fields, len(entry.Data)+3)
- for k, v := range entry.Data {
- switch v := v.(type) {
- case error:
- // Otherwise errors are ignored by `encoding/json`
- // https://github.com/sirupsen/logrus/issues/137
- data[k] = v.Error()
- default:
- data[k] = v
- }
- }
- prefixFieldClashes(data)
-
- if f.TimestampFormat == "" {
- f.TimestampFormat = DefaultTimestampFormat
- }
-
- data["time"] = entry.Time.Format(f.TimestampFormat)
- data["msg"] = entry.Message
- data["level"] = entry.Level.String()
-
- serialized, err := json.Marshal(data)
- if err != nil {
- return nil, fmt.Errorf("Failed to marshal fields to JSON, %v", err)
- }
- return append(serialized, '\n'), nil
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/Sirupsen/logrus/logger.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/Sirupsen/logrus/logger.go
deleted file mode 100644
index da928a37509902f61d3214b2e1beb1b4753e514a..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/Sirupsen/logrus/logger.go
+++ /dev/null
@@ -1,203 +0,0 @@
-package logrus
-
-import (
- "io"
- "os"
- "sync"
-)
-
-type Logger struct {
- // The logs are `io.Copy`'d to this in a mutex. It's common to set this to a
- // file, or leave it default which is `os.Stdout`. You can also set this to
- // something more adventorous, such as logging to Kafka.
- Out io.Writer
- // Hooks for the logger instance. These allow firing events based on logging
- // levels and log entries. For example, to send errors to an error tracking
- // service, log to StatsD or dump the core on fatal errors.
- Hooks levelHooks
- // All log entries pass through the formatter before logged to Out. The
- // included formatters are `TextFormatter` and `JSONFormatter` for which
- // TextFormatter is the default. In development (when a TTY is attached) it
- // logs with colors, but to a file it wouldn't. You can easily implement your
- // own that implements the `Formatter` interface, see the `README` or included
- // formatters for examples.
- Formatter Formatter
- // The logging level the logger should log at. This is typically (and defaults
- // to) `logrus.Info`, which allows Info(), Warn(), Error() and Fatal() to be
- // logged. `logrus.Debug` is useful in
- Level Level
- // Used to sync writing to the log.
- mu sync.Mutex
-}
-
-// Creates a new logger. Configuration should be set by changing `Formatter`,
-// `Out` and `Hooks` directly on the default logger instance. You can also just
-// instantiate your own:
-//
-// var log = &Logger{
-// Out: os.Stderr,
-// Formatter: new(JSONFormatter),
-// Hooks: make(levelHooks),
-// Level: logrus.DebugLevel,
-// }
-//
-// It's recommended to make this a global instance called `log`.
-func New() *Logger {
- return &Logger{
- Out: os.Stdout,
- Formatter: new(TextFormatter),
- Hooks: make(levelHooks),
- Level: InfoLevel,
- }
-}
-
-// Adds a field to the log entry, note that you it doesn't log until you call
-// Debug, Print, Info, Warn, Fatal or Panic. It only creates a log entry.
-// Ff you want multiple fields, use `WithFields`.
-func (logger *Logger) WithField(key string, value interface{}) *Entry {
- return NewEntry(logger).WithField(key, value)
-}
-
-// Adds a struct of fields to the log entry. All it does is call `WithField` for
-// each `Field`.
-func (logger *Logger) WithFields(fields Fields) *Entry {
- return NewEntry(logger).WithFields(fields)
-}
-
-func (logger *Logger) Debugf(format string, args ...interface{}) {
- if logger.Level >= DebugLevel {
- NewEntry(logger).Debugf(format, args...)
- }
-}
-
-func (logger *Logger) Infof(format string, args ...interface{}) {
- if logger.Level >= InfoLevel {
- NewEntry(logger).Infof(format, args...)
- }
-}
-
-func (logger *Logger) Printf(format string, args ...interface{}) {
- NewEntry(logger).Printf(format, args...)
-}
-
-func (logger *Logger) Warnf(format string, args ...interface{}) {
- if logger.Level >= WarnLevel {
- NewEntry(logger).Warnf(format, args...)
- }
-}
-
-func (logger *Logger) Warningf(format string, args ...interface{}) {
- if logger.Level >= WarnLevel {
- NewEntry(logger).Warnf(format, args...)
- }
-}
-
-func (logger *Logger) Errorf(format string, args ...interface{}) {
- if logger.Level >= ErrorLevel {
- NewEntry(logger).Errorf(format, args...)
- }
-}
-
-func (logger *Logger) Fatalf(format string, args ...interface{}) {
- if logger.Level >= FatalLevel {
- NewEntry(logger).Fatalf(format, args...)
- }
-}
-
-func (logger *Logger) Panicf(format string, args ...interface{}) {
- if logger.Level >= PanicLevel {
- NewEntry(logger).Panicf(format, args...)
- }
-}
-
-func (logger *Logger) Debug(args ...interface{}) {
- if logger.Level >= DebugLevel {
- NewEntry(logger).Debug(args...)
- }
-}
-
-func (logger *Logger) Info(args ...interface{}) {
- if logger.Level >= InfoLevel {
- NewEntry(logger).Info(args...)
- }
-}
-
-func (logger *Logger) Print(args ...interface{}) {
- NewEntry(logger).Info(args...)
-}
-
-func (logger *Logger) Warn(args ...interface{}) {
- if logger.Level >= WarnLevel {
- NewEntry(logger).Warn(args...)
- }
-}
-
-func (logger *Logger) Warning(args ...interface{}) {
- if logger.Level >= WarnLevel {
- NewEntry(logger).Warn(args...)
- }
-}
-
-func (logger *Logger) Error(args ...interface{}) {
- if logger.Level >= ErrorLevel {
- NewEntry(logger).Error(args...)
- }
-}
-
-func (logger *Logger) Fatal(args ...interface{}) {
- if logger.Level >= FatalLevel {
- NewEntry(logger).Fatal(args...)
- }
-}
-
-func (logger *Logger) Panic(args ...interface{}) {
- if logger.Level >= PanicLevel {
- NewEntry(logger).Panic(args...)
- }
-}
-
-func (logger *Logger) Debugln(args ...interface{}) {
- if logger.Level >= DebugLevel {
- NewEntry(logger).Debugln(args...)
- }
-}
-
-func (logger *Logger) Infoln(args ...interface{}) {
- if logger.Level >= InfoLevel {
- NewEntry(logger).Infoln(args...)
- }
-}
-
-func (logger *Logger) Println(args ...interface{}) {
- NewEntry(logger).Println(args...)
-}
-
-func (logger *Logger) Warnln(args ...interface{}) {
- if logger.Level >= WarnLevel {
- NewEntry(logger).Warnln(args...)
- }
-}
-
-func (logger *Logger) Warningln(args ...interface{}) {
- if logger.Level >= WarnLevel {
- NewEntry(logger).Warnln(args...)
- }
-}
-
-func (logger *Logger) Errorln(args ...interface{}) {
- if logger.Level >= ErrorLevel {
- NewEntry(logger).Errorln(args...)
- }
-}
-
-func (logger *Logger) Fatalln(args ...interface{}) {
- if logger.Level >= FatalLevel {
- NewEntry(logger).Fatalln(args...)
- }
-}
-
-func (logger *Logger) Panicln(args ...interface{}) {
- if logger.Level >= PanicLevel {
- NewEntry(logger).Panicln(args...)
- }
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/Sirupsen/logrus/logrus.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/Sirupsen/logrus/logrus.go
deleted file mode 100644
index 43ee12e90e7b47401927cf787b3bd20fd45869e4..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/Sirupsen/logrus/logrus.go
+++ /dev/null
@@ -1,94 +0,0 @@
-package logrus
-
-import (
- "fmt"
- "log"
-)
-
-// Fields type, used to pass to `WithFields`.
-type Fields map[string]interface{}
-
-// Level type
-type Level uint8
-
-// Convert the Level to a string. E.g. PanicLevel becomes "panic".
-func (level Level) String() string {
- switch level {
- case DebugLevel:
- return "debug"
- case InfoLevel:
- return "info"
- case WarnLevel:
- return "warning"
- case ErrorLevel:
- return "error"
- case FatalLevel:
- return "fatal"
- case PanicLevel:
- return "panic"
- }
-
- return "unknown"
-}
-
-// ParseLevel takes a string level and returns the Logrus log level constant.
-func ParseLevel(lvl string) (Level, error) {
- switch lvl {
- case "panic":
- return PanicLevel, nil
- case "fatal":
- return FatalLevel, nil
- case "error":
- return ErrorLevel, nil
- case "warn", "warning":
- return WarnLevel, nil
- case "info":
- return InfoLevel, nil
- case "debug":
- return DebugLevel, nil
- }
-
- var l Level
- return l, fmt.Errorf("not a valid logrus Level: %q", lvl)
-}
-
-// These are the different logging levels. You can set the logging level to log
-// on your instance of logger, obtained with `logrus.New()`.
-const (
- // PanicLevel level, highest level of severity. Logs and then calls panic with the
- // message passed to Debug, Info, ...
- PanicLevel Level = iota
- // FatalLevel level. Logs and then calls `os.Exit(1)`. It will exit even if the
- // logging level is set to Panic.
- FatalLevel
- // ErrorLevel level. Logs. Used for errors that should definitely be noted.
- // Commonly used for hooks to send errors to an error tracking service.
- ErrorLevel
- // WarnLevel level. Non-critical entries that deserve eyes.
- WarnLevel
- // InfoLevel level. General operational entries about what's going on inside the
- // application.
- InfoLevel
- // DebugLevel level. Usually only enabled when debugging. Very verbose logging.
- DebugLevel
-)
-
-// Won't compile if StdLogger can't be realized by a log.Logger
-var _ StdLogger = &log.Logger{}
-
-// StdLogger is what your logrus-enabled library should take, that way
-// it'll accept a stdlib logger and a logrus logger. There's no standard
-// interface, this is the closest we get, unfortunately.
-type StdLogger interface {
- Print(...interface{})
- Printf(string, ...interface{})
- Println(...interface{})
-
- Fatal(...interface{})
- Fatalf(string, ...interface{})
- Fatalln(...interface{})
-
- Panic(...interface{})
- Panicf(string, ...interface{})
- Panicln(...interface{})
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/Sirupsen/logrus/terminal_darwin.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/Sirupsen/logrus/terminal_darwin.go
deleted file mode 100644
index 8fe02a4aec1ac4b7228a0af24fb8df6622f8f2da..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/Sirupsen/logrus/terminal_darwin.go
+++ /dev/null
@@ -1,12 +0,0 @@
-// Based on ssh/terminal:
-// Copyright 2013 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package logrus
-
-import "syscall"
-
-const ioctlReadTermios = syscall.TIOCGETA
-
-type Termios syscall.Termios
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/Sirupsen/logrus/terminal_freebsd.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/Sirupsen/logrus/terminal_freebsd.go
deleted file mode 100644
index 0428ee5d52a6d2429120bf5a0540f3ca23e7ebba..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/Sirupsen/logrus/terminal_freebsd.go
+++ /dev/null
@@ -1,20 +0,0 @@
-/*
- Go 1.2 doesn't include Termios for FreeBSD. This should be added in 1.3 and this could be merged with terminal_darwin.
-*/
-package logrus
-
-import (
- "syscall"
-)
-
-const ioctlReadTermios = syscall.TIOCGETA
-
-type Termios struct {
- Iflag uint32
- Oflag uint32
- Cflag uint32
- Lflag uint32
- Cc [20]uint8
- Ispeed uint32
- Ospeed uint32
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/Sirupsen/logrus/terminal_linux.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/Sirupsen/logrus/terminal_linux.go
deleted file mode 100644
index a2c0b40db612b7c1be1646a5480eb1f6f646060e..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/Sirupsen/logrus/terminal_linux.go
+++ /dev/null
@@ -1,12 +0,0 @@
-// Based on ssh/terminal:
-// Copyright 2013 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package logrus
-
-import "syscall"
-
-const ioctlReadTermios = syscall.TCGETS
-
-type Termios syscall.Termios
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/Sirupsen/logrus/terminal_notwindows.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/Sirupsen/logrus/terminal_notwindows.go
deleted file mode 100644
index b8bebc13eea6547985131671c556c3b5c44aa57c..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/Sirupsen/logrus/terminal_notwindows.go
+++ /dev/null
@@ -1,21 +0,0 @@
-// Based on ssh/terminal:
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build linux darwin freebsd openbsd
-
-package logrus
-
-import (
- "syscall"
- "unsafe"
-)
-
-// IsTerminal returns true if the given file descriptor is a terminal.
-func IsTerminal() bool {
- fd := syscall.Stdout
- var termios Termios
- _, _, err := syscall.Syscall6(syscall.SYS_IOCTL, uintptr(fd), ioctlReadTermios, uintptr(unsafe.Pointer(&termios)), 0, 0, 0)
- return err == 0
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/Sirupsen/logrus/terminal_openbsd.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/Sirupsen/logrus/terminal_openbsd.go
deleted file mode 100644
index af609a53d6492443e6a664a8b81a82db2d7e05d3..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/Sirupsen/logrus/terminal_openbsd.go
+++ /dev/null
@@ -1,7 +0,0 @@
-package logrus
-
-import "syscall"
-
-const ioctlReadTermios = syscall.TIOCGETA
-
-type Termios syscall.Termios
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/Sirupsen/logrus/terminal_windows.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/Sirupsen/logrus/terminal_windows.go
deleted file mode 100644
index 2e09f6f7e31d23314dc00f879b92619f76fe23f5..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/Sirupsen/logrus/terminal_windows.go
+++ /dev/null
@@ -1,27 +0,0 @@
-// Based on ssh/terminal:
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build windows
-
-package logrus
-
-import (
- "syscall"
- "unsafe"
-)
-
-var kernel32 = syscall.NewLazyDLL("kernel32.dll")
-
-var (
- procGetConsoleMode = kernel32.NewProc("GetConsoleMode")
-)
-
-// IsTerminal returns true if the given file descriptor is a terminal.
-func IsTerminal() bool {
- fd := syscall.Stdout
- var st uint32
- r, _, e := syscall.Syscall(procGetConsoleMode.Addr(), 2, uintptr(fd), uintptr(unsafe.Pointer(&st)), 0)
- return r != 0 && e == 0
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/Sirupsen/logrus/text_formatter.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/Sirupsen/logrus/text_formatter.go
deleted file mode 100644
index 612417ff9c846d2d208248ec39b044f0c940f094..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/Sirupsen/logrus/text_formatter.go
+++ /dev/null
@@ -1,149 +0,0 @@
-package logrus
-
-import (
- "bytes"
- "fmt"
- "sort"
- "strings"
- "time"
-)
-
-const (
- nocolor = 0
- red = 31
- green = 32
- yellow = 33
- blue = 34
- gray = 37
-)
-
-var (
- baseTimestamp time.Time
- isTerminal bool
-)
-
-func init() {
- baseTimestamp = time.Now()
- isTerminal = IsTerminal()
-}
-
-func miniTS() int {
- return int(time.Since(baseTimestamp) / time.Second)
-}
-
-type TextFormatter struct {
- // Set to true to bypass checking for a TTY before outputting colors.
- ForceColors bool
-
- // Force disabling colors.
- DisableColors bool
-
- // Disable timestamp logging. useful when output is redirected to logging
- // system that already adds timestamps.
- DisableTimestamp bool
-
- // Enable logging the full timestamp when a TTY is attached instead of just
- // the time passed since beginning of execution.
- FullTimestamp bool
-
- // TimestampFormat to use for display when a full timestamp is printed
- TimestampFormat string
-
- // The fields are sorted by default for a consistent output. For applications
- // that log extremely frequently and don't use the JSON formatter this may not
- // be desired.
- DisableSorting bool
-}
-
-func (f *TextFormatter) Format(entry *Entry) ([]byte, error) {
- var keys []string = make([]string, 0, len(entry.Data))
- for k := range entry.Data {
- keys = append(keys, k)
- }
-
- if !f.DisableSorting {
- sort.Strings(keys)
- }
-
- b := &bytes.Buffer{}
-
- prefixFieldClashes(entry.Data)
-
- isColored := (f.ForceColors || isTerminal) && !f.DisableColors
-
- if f.TimestampFormat == "" {
- f.TimestampFormat = DefaultTimestampFormat
- }
- if isColored {
- f.printColored(b, entry, keys)
- } else {
- if !f.DisableTimestamp {
- f.appendKeyValue(b, "time", entry.Time.Format(f.TimestampFormat))
- }
- f.appendKeyValue(b, "level", entry.Level.String())
- f.appendKeyValue(b, "msg", entry.Message)
- for _, key := range keys {
- f.appendKeyValue(b, key, entry.Data[key])
- }
- }
-
- b.WriteByte('\n')
- return b.Bytes(), nil
-}
-
-func (f *TextFormatter) printColored(b *bytes.Buffer, entry *Entry, keys []string) {
- var levelColor int
- switch entry.Level {
- case DebugLevel:
- levelColor = gray
- case WarnLevel:
- levelColor = yellow
- case ErrorLevel, FatalLevel, PanicLevel:
- levelColor = red
- default:
- levelColor = blue
- }
-
- levelText := strings.ToUpper(entry.Level.String())[0:4]
-
- if !f.FullTimestamp {
- fmt.Fprintf(b, "\x1b[%dm%s\x1b[0m[%04d] %-44s ", levelColor, levelText, miniTS(), entry.Message)
- } else {
- fmt.Fprintf(b, "\x1b[%dm%s\x1b[0m[%s] %-44s ", levelColor, levelText, entry.Time.Format(f.TimestampFormat), entry.Message)
- }
- for _, k := range keys {
- v := entry.Data[k]
- fmt.Fprintf(b, " \x1b[%dm%s\x1b[0m=%v", levelColor, k, v)
- }
-}
-
-func needsQuoting(text string) bool {
- for _, ch := range text {
- if !((ch >= 'a' && ch <= 'z') ||
- (ch >= 'A' && ch <= 'Z') ||
- (ch >= '0' && ch <= '9') ||
- ch == '-' || ch == '.') {
- return false
- }
- }
- return true
-}
-
-func (f *TextFormatter) appendKeyValue(b *bytes.Buffer, key, value interface{}) {
- switch value.(type) {
- case string:
- if needsQuoting(value.(string)) {
- fmt.Fprintf(b, "%v=%s ", key, value)
- } else {
- fmt.Fprintf(b, "%v=%q ", key, value)
- }
- case error:
- if needsQuoting(value.(error).Error()) {
- fmt.Fprintf(b, "%v=%s ", key, value)
- } else {
- fmt.Fprintf(b, "%v=%q ", key, value)
- }
- default:
- fmt.Fprintf(b, "%v=%v ", key, value)
- }
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/Sirupsen/logrus/writer.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/Sirupsen/logrus/writer.go
deleted file mode 100644
index 1e30b1c753a7425ea10c7c6cb9f3762a661b519b..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/Sirupsen/logrus/writer.go
+++ /dev/null
@@ -1,31 +0,0 @@
-package logrus
-
-import (
- "bufio"
- "io"
- "runtime"
-)
-
-func (logger *Logger) Writer() *io.PipeWriter {
- reader, writer := io.Pipe()
-
- go logger.writerScanner(reader)
- runtime.SetFinalizer(writer, writerFinalizer)
-
- return writer
-}
-
-func (logger *Logger) writerScanner(reader *io.PipeReader) {
- scanner := bufio.NewScanner(reader)
- for scanner.Scan() {
- logger.Print(scanner.Text())
- }
- if err := scanner.Err(); err != nil {
- logger.Errorf("Error while reading from Writer: %s", err)
- }
- reader.Close()
-}
-
-func writerFinalizer(writer *io.PipeWriter) {
- writer.Close()
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/codegangsta/cli/LICENSE b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/codegangsta/cli/LICENSE
deleted file mode 100644
index 5515ccfb716e0db1de7ab629502abe8a44a5faa5..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/codegangsta/cli/LICENSE
+++ /dev/null
@@ -1,21 +0,0 @@
-Copyright (C) 2013 Jeremy Saenz
-All Rights Reserved.
-
-MIT LICENSE
-
-Permission is hereby granted, free of charge, to any person obtaining a copy of
-this software and associated documentation files (the "Software"), to deal in
-the Software without restriction, including without limitation the rights to
-use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
-the Software, and to permit persons to whom the Software is furnished to do so,
-subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
-FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
-COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/codegangsta/cli/app.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/codegangsta/cli/app.go
deleted file mode 100644
index 2f992d0d7a79b1d4fb895c5feeced4b174ca559e..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/codegangsta/cli/app.go
+++ /dev/null
@@ -1,334 +0,0 @@
-package cli
-
-import (
- "fmt"
- "io"
- "io/ioutil"
- "os"
- "path"
- "time"
-)
-
-// App is the main structure of a cli application. It is recomended that
-// an app be created with the cli.NewApp() function
-type App struct {
- // The name of the program. Defaults to path.Base(os.Args[0])
- Name string
- // Full name of command for help, defaults to Name
- HelpName string
- // Description of the program.
- Usage string
- // Description of the program argument format.
- ArgsUsage string
- // Version of the program
- Version string
- // List of commands to execute
- Commands []Command
- // List of flags to parse
- Flags []Flag
- // Boolean to enable bash completion commands
- EnableBashCompletion bool
- // Boolean to hide built-in help command
- HideHelp bool
- // Boolean to hide built-in version flag
- HideVersion bool
- // An action to execute when the bash-completion flag is set
- BashComplete func(context *Context)
- // An action to execute before any subcommands are run, but after the context is ready
- // If a non-nil error is returned, no subcommands are run
- Before func(context *Context) error
- // An action to execute after any subcommands are run, but after the subcommand has finished
- // It is run even if Action() panics
- After func(context *Context) error
- // The action to execute when no subcommands are specified
- Action func(context *Context)
- // Execute this function if the proper command cannot be found
- CommandNotFound func(context *Context, command string)
- // Compilation date
- Compiled time.Time
- // List of all authors who contributed
- Authors []Author
- // Copyright of the binary if any
- Copyright string
- // Name of Author (Note: Use App.Authors, this is deprecated)
- Author string
- // Email of Author (Note: Use App.Authors, this is deprecated)
- Email string
- // Writer writer to write output to
- Writer io.Writer
-}
-
-// Tries to find out when this binary was compiled.
-// Returns the current time if it fails to find it.
-func compileTime() time.Time {
- info, err := os.Stat(os.Args[0])
- if err != nil {
- return time.Now()
- }
- return info.ModTime()
-}
-
-// Creates a new cli Application with some reasonable defaults for Name, Usage, Version and Action.
-func NewApp() *App {
- return &App{
- Name: path.Base(os.Args[0]),
- HelpName: path.Base(os.Args[0]),
- Usage: "A new cli application",
- Version: "0.0.0",
- BashComplete: DefaultAppComplete,
- Action: helpCommand.Action,
- Compiled: compileTime(),
- Writer: os.Stdout,
- }
-}
-
-// Entry point to the cli app. Parses the arguments slice and routes to the proper flag/args combination
-func (a *App) Run(arguments []string) (err error) {
- if a.Author != "" || a.Email != "" {
- a.Authors = append(a.Authors, Author{Name: a.Author, Email: a.Email})
- }
-
- newCmds := []Command{}
- for _, c := range a.Commands {
- if c.HelpName == "" {
- c.HelpName = fmt.Sprintf("%s %s", a.HelpName, c.Name)
- }
- newCmds = append(newCmds, c)
- }
- a.Commands = newCmds
-
- // append help to commands
- if a.Command(helpCommand.Name) == nil && !a.HideHelp {
- a.Commands = append(a.Commands, helpCommand)
- if (HelpFlag != BoolFlag{}) {
- a.appendFlag(HelpFlag)
- }
- }
-
- //append version/help flags
- if a.EnableBashCompletion {
- a.appendFlag(BashCompletionFlag)
- }
-
- if !a.HideVersion {
- a.appendFlag(VersionFlag)
- }
-
- // parse flags
- set := flagSet(a.Name, a.Flags)
- set.SetOutput(ioutil.Discard)
- err = set.Parse(arguments[1:])
- nerr := normalizeFlags(a.Flags, set)
- if nerr != nil {
- fmt.Fprintln(a.Writer, nerr)
- context := NewContext(a, set, nil)
- ShowAppHelp(context)
- return nerr
- }
- context := NewContext(a, set, nil)
-
- if checkCompletions(context) {
- return nil
- }
-
- if err != nil {
- fmt.Fprintln(a.Writer, "Incorrect Usage.")
- fmt.Fprintln(a.Writer)
- ShowAppHelp(context)
- return err
- }
-
- if !a.HideHelp && checkHelp(context) {
- ShowAppHelp(context)
- return nil
- }
-
- if !a.HideVersion && checkVersion(context) {
- ShowVersion(context)
- return nil
- }
-
- if a.After != nil {
- defer func() {
- afterErr := a.After(context)
- if afterErr != nil {
- if err != nil {
- err = NewMultiError(err, afterErr)
- } else {
- err = afterErr
- }
- }
- }()
- }
-
- if a.Before != nil {
- err := a.Before(context)
- if err != nil {
- return err
- }
- }
-
- args := context.Args()
- if args.Present() {
- name := args.First()
- c := a.Command(name)
- if c != nil {
- return c.Run(context)
- }
- }
-
- // Run default Action
- a.Action(context)
- return nil
-}
-
-// Another entry point to the cli app, takes care of passing arguments and error handling
-func (a *App) RunAndExitOnError() {
- if err := a.Run(os.Args); err != nil {
- fmt.Fprintln(os.Stderr, err)
- os.Exit(1)
- }
-}
-
-// Invokes the subcommand given the context, parses ctx.Args() to generate command-specific flags
-func (a *App) RunAsSubcommand(ctx *Context) (err error) {
- // append help to commands
- if len(a.Commands) > 0 {
- if a.Command(helpCommand.Name) == nil && !a.HideHelp {
- a.Commands = append(a.Commands, helpCommand)
- if (HelpFlag != BoolFlag{}) {
- a.appendFlag(HelpFlag)
- }
- }
- }
-
- newCmds := []Command{}
- for _, c := range a.Commands {
- if c.HelpName == "" {
- c.HelpName = fmt.Sprintf("%s %s", a.HelpName, c.Name)
- }
- newCmds = append(newCmds, c)
- }
- a.Commands = newCmds
-
- // append flags
- if a.EnableBashCompletion {
- a.appendFlag(BashCompletionFlag)
- }
-
- // parse flags
- set := flagSet(a.Name, a.Flags)
- set.SetOutput(ioutil.Discard)
- err = set.Parse(ctx.Args().Tail())
- nerr := normalizeFlags(a.Flags, set)
- context := NewContext(a, set, ctx)
-
- if nerr != nil {
- fmt.Fprintln(a.Writer, nerr)
- fmt.Fprintln(a.Writer)
- if len(a.Commands) > 0 {
- ShowSubcommandHelp(context)
- } else {
- ShowCommandHelp(ctx, context.Args().First())
- }
- return nerr
- }
-
- if checkCompletions(context) {
- return nil
- }
-
- if err != nil {
- fmt.Fprintln(a.Writer, "Incorrect Usage.")
- fmt.Fprintln(a.Writer)
- ShowSubcommandHelp(context)
- return err
- }
-
- if len(a.Commands) > 0 {
- if checkSubcommandHelp(context) {
- return nil
- }
- } else {
- if checkCommandHelp(ctx, context.Args().First()) {
- return nil
- }
- }
-
- if a.After != nil {
- defer func() {
- afterErr := a.After(context)
- if afterErr != nil {
- if err != nil {
- err = NewMultiError(err, afterErr)
- } else {
- err = afterErr
- }
- }
- }()
- }
-
- if a.Before != nil {
- err := a.Before(context)
- if err != nil {
- return err
- }
- }
-
- args := context.Args()
- if args.Present() {
- name := args.First()
- c := a.Command(name)
- if c != nil {
- return c.Run(context)
- }
- }
-
- // Run default Action
- a.Action(context)
-
- return nil
-}
-
-// Returns the named command on App. Returns nil if the command does not exist
-func (a *App) Command(name string) *Command {
- for _, c := range a.Commands {
- if c.HasName(name) {
- return &c
- }
- }
-
- return nil
-}
-
-func (a *App) hasFlag(flag Flag) bool {
- for _, f := range a.Flags {
- if flag == f {
- return true
- }
- }
-
- return false
-}
-
-func (a *App) appendFlag(flag Flag) {
- if !a.hasFlag(flag) {
- a.Flags = append(a.Flags, flag)
- }
-}
-
-// Author represents someone who has contributed to a cli project.
-type Author struct {
- Name string // The Authors name
- Email string // The Authors email
-}
-
-// String makes Author comply to the Stringer interface, to allow an easy print in the templating process
-func (a Author) String() string {
- e := ""
- if a.Email != "" {
- e = "<" + a.Email + "> "
- }
-
- return fmt.Sprintf("%v %v", a.Name, e)
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/codegangsta/cli/cli.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/codegangsta/cli/cli.go
deleted file mode 100644
index 31dc9124d1eb6d1291cf94a4be695eb8ca945170..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/codegangsta/cli/cli.go
+++ /dev/null
@@ -1,40 +0,0 @@
-// Package cli provides a minimal framework for creating and organizing command line
-// Go applications. cli is designed to be easy to understand and write, the most simple
-// cli application can be written as follows:
-// func main() {
-// cli.NewApp().Run(os.Args)
-// }
-//
-// Of course this application does not do much, so let's make this an actual application:
-// func main() {
-// app := cli.NewApp()
-// app.Name = "greet"
-// app.Usage = "say a greeting"
-// app.Action = func(c *cli.Context) {
-// println("Greetings")
-// }
-//
-// app.Run(os.Args)
-// }
-package cli
-
-import (
- "strings"
-)
-
-type MultiError struct {
- Errors []error
-}
-
-func NewMultiError(err ...error) MultiError {
- return MultiError{Errors: err}
-}
-
-func (m MultiError) Error() string {
- errs := make([]string, len(m.Errors))
- for i, err := range m.Errors {
- errs[i] = err.Error()
- }
-
- return strings.Join(errs, "\n")
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/codegangsta/cli/command.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/codegangsta/cli/command.go
deleted file mode 100644
index 824e77bae3f5d5175e3258fcc29faeeda6acd15a..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/codegangsta/cli/command.go
+++ /dev/null
@@ -1,216 +0,0 @@
-package cli
-
-import (
- "fmt"
- "io/ioutil"
- "strings"
-)
-
-// Command is a subcommand for a cli.App.
-type Command struct {
- // The name of the command
- Name string
- // short name of the command. Typically one character (deprecated, use `Aliases`)
- ShortName string
- // A list of aliases for the command
- Aliases []string
- // A short description of the usage of this command
- Usage string
- // A longer explanation of how the command works
- Description string
- // A short description of the arguments of this command
- ArgsUsage string
- // The function to call when checking for bash command completions
- BashComplete func(context *Context)
- // An action to execute before any sub-subcommands are run, but after the context is ready
- // If a non-nil error is returned, no sub-subcommands are run
- Before func(context *Context) error
- // An action to execute after any subcommands are run, but after the subcommand has finished
- // It is run even if Action() panics
- After func(context *Context) error
- // The function to call when this command is invoked
- Action func(context *Context)
- // List of child commands
- Subcommands []Command
- // List of flags to parse
- Flags []Flag
- // Treat all flags as normal arguments if true
- SkipFlagParsing bool
- // Boolean to hide built-in help command
- HideHelp bool
-
- // Full name of command for help, defaults to full command name, including parent commands.
- HelpName string
- commandNamePath []string
-}
-
-// Returns the full name of the command.
-// For subcommands this ensures that parent commands are part of the command path
-func (c Command) FullName() string {
- if c.commandNamePath == nil {
- return c.Name
- }
- return strings.Join(c.commandNamePath, " ")
-}
-
-// Invokes the command given the context, parses ctx.Args() to generate command-specific flags
-func (c Command) Run(ctx *Context) error {
- if len(c.Subcommands) > 0 || c.Before != nil || c.After != nil {
- return c.startApp(ctx)
- }
-
- if !c.HideHelp && (HelpFlag != BoolFlag{}) {
- // append help to flags
- c.Flags = append(
- c.Flags,
- HelpFlag,
- )
- }
-
- if ctx.App.EnableBashCompletion {
- c.Flags = append(c.Flags, BashCompletionFlag)
- }
-
- set := flagSet(c.Name, c.Flags)
- set.SetOutput(ioutil.Discard)
-
- var err error
- if !c.SkipFlagParsing {
- firstFlagIndex := -1
- terminatorIndex := -1
- for index, arg := range ctx.Args() {
- if arg == "--" {
- terminatorIndex = index
- break
- } else if strings.HasPrefix(arg, "-") && firstFlagIndex == -1 {
- firstFlagIndex = index
- }
- }
-
- if firstFlagIndex > -1 {
- args := ctx.Args()
- regularArgs := make([]string, len(args[1:firstFlagIndex]))
- copy(regularArgs, args[1:firstFlagIndex])
-
- var flagArgs []string
- if terminatorIndex > -1 {
- flagArgs = args[firstFlagIndex:terminatorIndex]
- regularArgs = append(regularArgs, args[terminatorIndex:]...)
- } else {
- flagArgs = args[firstFlagIndex:]
- }
-
- err = set.Parse(append(flagArgs, regularArgs...))
- } else {
- err = set.Parse(ctx.Args().Tail())
- }
- } else {
- if c.SkipFlagParsing {
- err = set.Parse(append([]string{"--"}, ctx.Args().Tail()...))
- }
- }
-
- if err != nil {
- fmt.Fprintln(ctx.App.Writer, "Incorrect Usage.")
- fmt.Fprintln(ctx.App.Writer)
- ShowCommandHelp(ctx, c.Name)
- return err
- }
-
- nerr := normalizeFlags(c.Flags, set)
- if nerr != nil {
- fmt.Fprintln(ctx.App.Writer, nerr)
- fmt.Fprintln(ctx.App.Writer)
- ShowCommandHelp(ctx, c.Name)
- return nerr
- }
- context := NewContext(ctx.App, set, ctx)
-
- if checkCommandCompletions(context, c.Name) {
- return nil
- }
-
- if checkCommandHelp(context, c.Name) {
- return nil
- }
- context.Command = c
- c.Action(context)
- return nil
-}
-
-func (c Command) Names() []string {
- names := []string{c.Name}
-
- if c.ShortName != "" {
- names = append(names, c.ShortName)
- }
-
- return append(names, c.Aliases...)
-}
-
-// Returns true if Command.Name or Command.ShortName matches given name
-func (c Command) HasName(name string) bool {
- for _, n := range c.Names() {
- if n == name {
- return true
- }
- }
- return false
-}
-
-func (c Command) startApp(ctx *Context) error {
- app := NewApp()
-
- // set the name and usage
- app.Name = fmt.Sprintf("%s %s", ctx.App.Name, c.Name)
- if c.HelpName == "" {
- app.HelpName = c.HelpName
- } else {
- app.HelpName = fmt.Sprintf("%s %s", ctx.App.Name, c.Name)
- }
-
- if c.Description != "" {
- app.Usage = c.Description
- } else {
- app.Usage = c.Usage
- }
-
- // set CommandNotFound
- app.CommandNotFound = ctx.App.CommandNotFound
-
- // set the flags and commands
- app.Commands = c.Subcommands
- app.Flags = c.Flags
- app.HideHelp = c.HideHelp
-
- app.Version = ctx.App.Version
- app.HideVersion = ctx.App.HideVersion
- app.Compiled = ctx.App.Compiled
- app.Author = ctx.App.Author
- app.Email = ctx.App.Email
- app.Writer = ctx.App.Writer
-
- // bash completion
- app.EnableBashCompletion = ctx.App.EnableBashCompletion
- if c.BashComplete != nil {
- app.BashComplete = c.BashComplete
- }
-
- // set the actions
- app.Before = c.Before
- app.After = c.After
- if c.Action != nil {
- app.Action = c.Action
- } else {
- app.Action = helpSubcommand.Action
- }
-
- var newCmds []Command
- for _, cc := range app.Commands {
- cc.commandNamePath = []string{c.Name, cc.Name}
- newCmds = append(newCmds, cc)
- }
- app.Commands = newCmds
-
- return app.RunAsSubcommand(ctx)
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/codegangsta/cli/context.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/codegangsta/cli/context.go
deleted file mode 100644
index 0513d34f61ec9ab41b400cf10731287609dd9fdf..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/codegangsta/cli/context.go
+++ /dev/null
@@ -1,388 +0,0 @@
-package cli
-
-import (
- "errors"
- "flag"
- "strconv"
- "strings"
- "time"
-)
-
-// Context is a type that is passed through to
-// each Handler action in a cli application. Context
-// can be used to retrieve context-specific Args and
-// parsed command-line options.
-type Context struct {
- App *App
- Command Command
- flagSet *flag.FlagSet
- setFlags map[string]bool
- globalSetFlags map[string]bool
- parentContext *Context
-}
-
-// Creates a new context. For use in when invoking an App or Command action.
-func NewContext(app *App, set *flag.FlagSet, parentCtx *Context) *Context {
- return &Context{App: app, flagSet: set, parentContext: parentCtx}
-}
-
-// Looks up the value of a local int flag, returns 0 if no int flag exists
-func (c *Context) Int(name string) int {
- return lookupInt(name, c.flagSet)
-}
-
-// Looks up the value of a local time.Duration flag, returns 0 if no time.Duration flag exists
-func (c *Context) Duration(name string) time.Duration {
- return lookupDuration(name, c.flagSet)
-}
-
-// Looks up the value of a local float64 flag, returns 0 if no float64 flag exists
-func (c *Context) Float64(name string) float64 {
- return lookupFloat64(name, c.flagSet)
-}
-
-// Looks up the value of a local bool flag, returns false if no bool flag exists
-func (c *Context) Bool(name string) bool {
- return lookupBool(name, c.flagSet)
-}
-
-// Looks up the value of a local boolT flag, returns false if no bool flag exists
-func (c *Context) BoolT(name string) bool {
- return lookupBoolT(name, c.flagSet)
-}
-
-// Looks up the value of a local string flag, returns "" if no string flag exists
-func (c *Context) String(name string) string {
- return lookupString(name, c.flagSet)
-}
-
-// Looks up the value of a local string slice flag, returns nil if no string slice flag exists
-func (c *Context) StringSlice(name string) []string {
- return lookupStringSlice(name, c.flagSet)
-}
-
-// Looks up the value of a local int slice flag, returns nil if no int slice flag exists
-func (c *Context) IntSlice(name string) []int {
- return lookupIntSlice(name, c.flagSet)
-}
-
-// Looks up the value of a local generic flag, returns nil if no generic flag exists
-func (c *Context) Generic(name string) interface{} {
- return lookupGeneric(name, c.flagSet)
-}
-
-// Looks up the value of a global int flag, returns 0 if no int flag exists
-func (c *Context) GlobalInt(name string) int {
- if fs := lookupGlobalFlagSet(name, c); fs != nil {
- return lookupInt(name, fs)
- }
- return 0
-}
-
-// Looks up the value of a global time.Duration flag, returns 0 if no time.Duration flag exists
-func (c *Context) GlobalDuration(name string) time.Duration {
- if fs := lookupGlobalFlagSet(name, c); fs != nil {
- return lookupDuration(name, fs)
- }
- return 0
-}
-
-// Looks up the value of a global bool flag, returns false if no bool flag exists
-func (c *Context) GlobalBool(name string) bool {
- if fs := lookupGlobalFlagSet(name, c); fs != nil {
- return lookupBool(name, fs)
- }
- return false
-}
-
-// Looks up the value of a global string flag, returns "" if no string flag exists
-func (c *Context) GlobalString(name string) string {
- if fs := lookupGlobalFlagSet(name, c); fs != nil {
- return lookupString(name, fs)
- }
- return ""
-}
-
-// Looks up the value of a global string slice flag, returns nil if no string slice flag exists
-func (c *Context) GlobalStringSlice(name string) []string {
- if fs := lookupGlobalFlagSet(name, c); fs != nil {
- return lookupStringSlice(name, fs)
- }
- return nil
-}
-
-// Looks up the value of a global int slice flag, returns nil if no int slice flag exists
-func (c *Context) GlobalIntSlice(name string) []int {
- if fs := lookupGlobalFlagSet(name, c); fs != nil {
- return lookupIntSlice(name, fs)
- }
- return nil
-}
-
-// Looks up the value of a global generic flag, returns nil if no generic flag exists
-func (c *Context) GlobalGeneric(name string) interface{} {
- if fs := lookupGlobalFlagSet(name, c); fs != nil {
- return lookupGeneric(name, fs)
- }
- return nil
-}
-
-// Returns the number of flags set
-func (c *Context) NumFlags() int {
- return c.flagSet.NFlag()
-}
-
-// Determines if the flag was actually set
-func (c *Context) IsSet(name string) bool {
- if c.setFlags == nil {
- c.setFlags = make(map[string]bool)
- c.flagSet.Visit(func(f *flag.Flag) {
- c.setFlags[f.Name] = true
- })
- }
- return c.setFlags[name] == true
-}
-
-// Determines if the global flag was actually set
-func (c *Context) GlobalIsSet(name string) bool {
- if c.globalSetFlags == nil {
- c.globalSetFlags = make(map[string]bool)
- ctx := c
- if ctx.parentContext != nil {
- ctx = ctx.parentContext
- }
- for ; ctx != nil && c.globalSetFlags[name] == false; ctx = ctx.parentContext {
- ctx.flagSet.Visit(func(f *flag.Flag) {
- c.globalSetFlags[f.Name] = true
- })
- }
- }
- return c.globalSetFlags[name]
-}
-
-// Returns a slice of flag names used in this context.
-func (c *Context) FlagNames() (names []string) {
- for _, flag := range c.Command.Flags {
- name := strings.Split(flag.GetName(), ",")[0]
- if name == "help" {
- continue
- }
- names = append(names, name)
- }
- return
-}
-
-// Returns a slice of global flag names used by the app.
-func (c *Context) GlobalFlagNames() (names []string) {
- for _, flag := range c.App.Flags {
- name := strings.Split(flag.GetName(), ",")[0]
- if name == "help" || name == "version" {
- continue
- }
- names = append(names, name)
- }
- return
-}
-
-// Returns the parent context, if any
-func (c *Context) Parent() *Context {
- return c.parentContext
-}
-
-type Args []string
-
-// Returns the command line arguments associated with the context.
-func (c *Context) Args() Args {
- args := Args(c.flagSet.Args())
- return args
-}
-
-// Returns the nth argument, or else a blank string
-func (a Args) Get(n int) string {
- if len(a) > n {
- return a[n]
- }
- return ""
-}
-
-// Returns the first argument, or else a blank string
-func (a Args) First() string {
- return a.Get(0)
-}
-
-// Return the rest of the arguments (not the first one)
-// or else an empty string slice
-func (a Args) Tail() []string {
- if len(a) >= 2 {
- return []string(a)[1:]
- }
- return []string{}
-}
-
-// Checks if there are any arguments present
-func (a Args) Present() bool {
- return len(a) != 0
-}
-
-// Swaps arguments at the given indexes
-func (a Args) Swap(from, to int) error {
- if from >= len(a) || to >= len(a) {
- return errors.New("index out of range")
- }
- a[from], a[to] = a[to], a[from]
- return nil
-}
-
-func lookupGlobalFlagSet(name string, ctx *Context) *flag.FlagSet {
- if ctx.parentContext != nil {
- ctx = ctx.parentContext
- }
- for ; ctx != nil; ctx = ctx.parentContext {
- if f := ctx.flagSet.Lookup(name); f != nil {
- return ctx.flagSet
- }
- }
- return nil
-}
-
-func lookupInt(name string, set *flag.FlagSet) int {
- f := set.Lookup(name)
- if f != nil {
- val, err := strconv.Atoi(f.Value.String())
- if err != nil {
- return 0
- }
- return val
- }
-
- return 0
-}
-
-func lookupDuration(name string, set *flag.FlagSet) time.Duration {
- f := set.Lookup(name)
- if f != nil {
- val, err := time.ParseDuration(f.Value.String())
- if err == nil {
- return val
- }
- }
-
- return 0
-}
-
-func lookupFloat64(name string, set *flag.FlagSet) float64 {
- f := set.Lookup(name)
- if f != nil {
- val, err := strconv.ParseFloat(f.Value.String(), 64)
- if err != nil {
- return 0
- }
- return val
- }
-
- return 0
-}
-
-func lookupString(name string, set *flag.FlagSet) string {
- f := set.Lookup(name)
- if f != nil {
- return f.Value.String()
- }
-
- return ""
-}
-
-func lookupStringSlice(name string, set *flag.FlagSet) []string {
- f := set.Lookup(name)
- if f != nil {
- return (f.Value.(*StringSlice)).Value()
-
- }
-
- return nil
-}
-
-func lookupIntSlice(name string, set *flag.FlagSet) []int {
- f := set.Lookup(name)
- if f != nil {
- return (f.Value.(*IntSlice)).Value()
-
- }
-
- return nil
-}
-
-func lookupGeneric(name string, set *flag.FlagSet) interface{} {
- f := set.Lookup(name)
- if f != nil {
- return f.Value
- }
- return nil
-}
-
-func lookupBool(name string, set *flag.FlagSet) bool {
- f := set.Lookup(name)
- if f != nil {
- val, err := strconv.ParseBool(f.Value.String())
- if err != nil {
- return false
- }
- return val
- }
-
- return false
-}
-
-func lookupBoolT(name string, set *flag.FlagSet) bool {
- f := set.Lookup(name)
- if f != nil {
- val, err := strconv.ParseBool(f.Value.String())
- if err != nil {
- return true
- }
- return val
- }
-
- return false
-}
-
-func copyFlag(name string, ff *flag.Flag, set *flag.FlagSet) {
- switch ff.Value.(type) {
- case *StringSlice:
- default:
- set.Set(name, ff.Value.String())
- }
-}
-
-func normalizeFlags(flags []Flag, set *flag.FlagSet) error {
- visited := make(map[string]bool)
- set.Visit(func(f *flag.Flag) {
- visited[f.Name] = true
- })
- for _, f := range flags {
- parts := strings.Split(f.GetName(), ",")
- if len(parts) == 1 {
- continue
- }
- var ff *flag.Flag
- for _, name := range parts {
- name = strings.Trim(name, " ")
- if visited[name] {
- if ff != nil {
- return errors.New("Cannot use two forms of the same flag: " + name + " " + ff.Name)
- }
- ff = set.Lookup(name)
- }
- }
- if ff == nil {
- continue
- }
- for _, name := range parts {
- name = strings.Trim(name, " ")
- if !visited[name] {
- copyFlag(name, ff, set)
- }
- }
- }
- return nil
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/codegangsta/cli/flag.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/codegangsta/cli/flag.go
deleted file mode 100644
index 49f30994ea6bbaa06fe36e487e0a1f91431f67d1..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/codegangsta/cli/flag.go
+++ /dev/null
@@ -1,527 +0,0 @@
-package cli
-
-import (
- "flag"
- "fmt"
- "os"
- "strconv"
- "strings"
- "time"
-)
-
-// This flag enables bash-completion for all commands and subcommands
-var BashCompletionFlag = BoolFlag{
- Name: "generate-bash-completion",
-}
-
-// This flag prints the version for the application
-var VersionFlag = BoolFlag{
- Name: "version, v",
- Usage: "print the version",
-}
-
-// This flag prints the help for all commands and subcommands
-// Set to the zero value (BoolFlag{}) to disable flag -- keeps subcommand
-// unless HideHelp is set to true)
-var HelpFlag = BoolFlag{
- Name: "help, h",
- Usage: "show help",
-}
-
-// Flag is a common interface related to parsing flags in cli.
-// For more advanced flag parsing techniques, it is recomended that
-// this interface be implemented.
-type Flag interface {
- fmt.Stringer
- // Apply Flag settings to the given flag set
- Apply(*flag.FlagSet)
- GetName() string
-}
-
-func flagSet(name string, flags []Flag) *flag.FlagSet {
- set := flag.NewFlagSet(name, flag.ContinueOnError)
-
- for _, f := range flags {
- f.Apply(set)
- }
- return set
-}
-
-func eachName(longName string, fn func(string)) {
- parts := strings.Split(longName, ",")
- for _, name := range parts {
- name = strings.Trim(name, " ")
- fn(name)
- }
-}
-
-// Generic is a generic parseable type identified by a specific flag
-type Generic interface {
- Set(value string) error
- String() string
-}
-
-// GenericFlag is the flag type for types implementing Generic
-type GenericFlag struct {
- Name string
- Value Generic
- Usage string
- EnvVar string
-}
-
-// String returns the string representation of the generic flag to display the
-// help text to the user (uses the String() method of the generic flag to show
-// the value)
-func (f GenericFlag) String() string {
- return withEnvHint(f.EnvVar, fmt.Sprintf("%s%s \"%v\"\t%v", prefixFor(f.Name), f.Name, f.Value, f.Usage))
-}
-
-// Apply takes the flagset and calls Set on the generic flag with the value
-// provided by the user for parsing by the flag
-func (f GenericFlag) Apply(set *flag.FlagSet) {
- val := f.Value
- if f.EnvVar != "" {
- for _, envVar := range strings.Split(f.EnvVar, ",") {
- envVar = strings.TrimSpace(envVar)
- if envVal := os.Getenv(envVar); envVal != "" {
- val.Set(envVal)
- break
- }
- }
- }
-
- eachName(f.Name, func(name string) {
- set.Var(f.Value, name, f.Usage)
- })
-}
-
-func (f GenericFlag) GetName() string {
- return f.Name
-}
-
-// StringSlice is an opaque type for []string to satisfy flag.Value
-type StringSlice []string
-
-// Set appends the string value to the list of values
-func (f *StringSlice) Set(value string) error {
- *f = append(*f, value)
- return nil
-}
-
-// String returns a readable representation of this value (for usage defaults)
-func (f *StringSlice) String() string {
- return fmt.Sprintf("%s", *f)
-}
-
-// Value returns the slice of strings set by this flag
-func (f *StringSlice) Value() []string {
- return *f
-}
-
-// StringSlice is a string flag that can be specified multiple times on the
-// command-line
-type StringSliceFlag struct {
- Name string
- Value *StringSlice
- Usage string
- EnvVar string
-}
-
-// String returns the usage
-func (f StringSliceFlag) String() string {
- firstName := strings.Trim(strings.Split(f.Name, ",")[0], " ")
- pref := prefixFor(firstName)
- return withEnvHint(f.EnvVar, fmt.Sprintf("%s [%v]\t%v", prefixedNames(f.Name), pref+firstName+" option "+pref+firstName+" option", f.Usage))
-}
-
-// Apply populates the flag given the flag set and environment
-func (f StringSliceFlag) Apply(set *flag.FlagSet) {
- if f.EnvVar != "" {
- for _, envVar := range strings.Split(f.EnvVar, ",") {
- envVar = strings.TrimSpace(envVar)
- if envVal := os.Getenv(envVar); envVal != "" {
- newVal := &StringSlice{}
- for _, s := range strings.Split(envVal, ",") {
- s = strings.TrimSpace(s)
- newVal.Set(s)
- }
- f.Value = newVal
- break
- }
- }
- }
-
- eachName(f.Name, func(name string) {
- if f.Value == nil {
- f.Value = &StringSlice{}
- }
- set.Var(f.Value, name, f.Usage)
- })
-}
-
-func (f StringSliceFlag) GetName() string {
- return f.Name
-}
-
-// StringSlice is an opaque type for []int to satisfy flag.Value
-type IntSlice []int
-
-// Set parses the value into an integer and appends it to the list of values
-func (f *IntSlice) Set(value string) error {
- tmp, err := strconv.Atoi(value)
- if err != nil {
- return err
- } else {
- *f = append(*f, tmp)
- }
- return nil
-}
-
-// String returns a readable representation of this value (for usage defaults)
-func (f *IntSlice) String() string {
- return fmt.Sprintf("%d", *f)
-}
-
-// Value returns the slice of ints set by this flag
-func (f *IntSlice) Value() []int {
- return *f
-}
-
-// IntSliceFlag is an int flag that can be specified multiple times on the
-// command-line
-type IntSliceFlag struct {
- Name string
- Value *IntSlice
- Usage string
- EnvVar string
-}
-
-// String returns the usage
-func (f IntSliceFlag) String() string {
- firstName := strings.Trim(strings.Split(f.Name, ",")[0], " ")
- pref := prefixFor(firstName)
- return withEnvHint(f.EnvVar, fmt.Sprintf("%s [%v]\t%v", prefixedNames(f.Name), pref+firstName+" option "+pref+firstName+" option", f.Usage))
-}
-
-// Apply populates the flag given the flag set and environment
-func (f IntSliceFlag) Apply(set *flag.FlagSet) {
- if f.EnvVar != "" {
- for _, envVar := range strings.Split(f.EnvVar, ",") {
- envVar = strings.TrimSpace(envVar)
- if envVal := os.Getenv(envVar); envVal != "" {
- newVal := &IntSlice{}
- for _, s := range strings.Split(envVal, ",") {
- s = strings.TrimSpace(s)
- err := newVal.Set(s)
- if err != nil {
- fmt.Fprintf(os.Stderr, err.Error())
- }
- }
- f.Value = newVal
- break
- }
- }
- }
-
- eachName(f.Name, func(name string) {
- if f.Value == nil {
- f.Value = &IntSlice{}
- }
- set.Var(f.Value, name, f.Usage)
- })
-}
-
-func (f IntSliceFlag) GetName() string {
- return f.Name
-}
-
-// BoolFlag is a switch that defaults to false
-type BoolFlag struct {
- Name string
- Usage string
- EnvVar string
- Destination *bool
-}
-
-// String returns a readable representation of this value (for usage defaults)
-func (f BoolFlag) String() string {
- return withEnvHint(f.EnvVar, fmt.Sprintf("%s\t%v", prefixedNames(f.Name), f.Usage))
-}
-
-// Apply populates the flag given the flag set and environment
-func (f BoolFlag) Apply(set *flag.FlagSet) {
- val := false
- if f.EnvVar != "" {
- for _, envVar := range strings.Split(f.EnvVar, ",") {
- envVar = strings.TrimSpace(envVar)
- if envVal := os.Getenv(envVar); envVal != "" {
- envValBool, err := strconv.ParseBool(envVal)
- if err == nil {
- val = envValBool
- }
- break
- }
- }
- }
-
- eachName(f.Name, func(name string) {
- if f.Destination != nil {
- set.BoolVar(f.Destination, name, val, f.Usage)
- return
- }
- set.Bool(name, val, f.Usage)
- })
-}
-
-func (f BoolFlag) GetName() string {
- return f.Name
-}
-
-// BoolTFlag this represents a boolean flag that is true by default, but can
-// still be set to false by --some-flag=false
-type BoolTFlag struct {
- Name string
- Usage string
- EnvVar string
- Destination *bool
-}
-
-// String returns a readable representation of this value (for usage defaults)
-func (f BoolTFlag) String() string {
- return withEnvHint(f.EnvVar, fmt.Sprintf("%s\t%v", prefixedNames(f.Name), f.Usage))
-}
-
-// Apply populates the flag given the flag set and environment
-func (f BoolTFlag) Apply(set *flag.FlagSet) {
- val := true
- if f.EnvVar != "" {
- for _, envVar := range strings.Split(f.EnvVar, ",") {
- envVar = strings.TrimSpace(envVar)
- if envVal := os.Getenv(envVar); envVal != "" {
- envValBool, err := strconv.ParseBool(envVal)
- if err == nil {
- val = envValBool
- break
- }
- }
- }
- }
-
- eachName(f.Name, func(name string) {
- if f.Destination != nil {
- set.BoolVar(f.Destination, name, val, f.Usage)
- return
- }
- set.Bool(name, val, f.Usage)
- })
-}
-
-func (f BoolTFlag) GetName() string {
- return f.Name
-}
-
-// StringFlag represents a flag that takes as string value
-type StringFlag struct {
- Name string
- Value string
- Usage string
- EnvVar string
- Destination *string
-}
-
-// String returns the usage
-func (f StringFlag) String() string {
- var fmtString string
- fmtString = "%s %v\t%v"
-
- if len(f.Value) > 0 {
- fmtString = "%s \"%v\"\t%v"
- } else {
- fmtString = "%s %v\t%v"
- }
-
- return withEnvHint(f.EnvVar, fmt.Sprintf(fmtString, prefixedNames(f.Name), f.Value, f.Usage))
-}
-
-// Apply populates the flag given the flag set and environment
-func (f StringFlag) Apply(set *flag.FlagSet) {
- if f.EnvVar != "" {
- for _, envVar := range strings.Split(f.EnvVar, ",") {
- envVar = strings.TrimSpace(envVar)
- if envVal := os.Getenv(envVar); envVal != "" {
- f.Value = envVal
- break
- }
- }
- }
-
- eachName(f.Name, func(name string) {
- if f.Destination != nil {
- set.StringVar(f.Destination, name, f.Value, f.Usage)
- return
- }
- set.String(name, f.Value, f.Usage)
- })
-}
-
-func (f StringFlag) GetName() string {
- return f.Name
-}
-
-// IntFlag is a flag that takes an integer
-// Errors if the value provided cannot be parsed
-type IntFlag struct {
- Name string
- Value int
- Usage string
- EnvVar string
- Destination *int
-}
-
-// String returns the usage
-func (f IntFlag) String() string {
- return withEnvHint(f.EnvVar, fmt.Sprintf("%s \"%v\"\t%v", prefixedNames(f.Name), f.Value, f.Usage))
-}
-
-// Apply populates the flag given the flag set and environment
-func (f IntFlag) Apply(set *flag.FlagSet) {
- if f.EnvVar != "" {
- for _, envVar := range strings.Split(f.EnvVar, ",") {
- envVar = strings.TrimSpace(envVar)
- if envVal := os.Getenv(envVar); envVal != "" {
- envValInt, err := strconv.ParseInt(envVal, 0, 64)
- if err == nil {
- f.Value = int(envValInt)
- break
- }
- }
- }
- }
-
- eachName(f.Name, func(name string) {
- if f.Destination != nil {
- set.IntVar(f.Destination, name, f.Value, f.Usage)
- return
- }
- set.Int(name, f.Value, f.Usage)
- })
-}
-
-func (f IntFlag) GetName() string {
- return f.Name
-}
-
-// DurationFlag is a flag that takes a duration specified in Go's duration
-// format: https://golang.org/pkg/time/#ParseDuration
-type DurationFlag struct {
- Name string
- Value time.Duration
- Usage string
- EnvVar string
- Destination *time.Duration
-}
-
-// String returns a readable representation of this value (for usage defaults)
-func (f DurationFlag) String() string {
- return withEnvHint(f.EnvVar, fmt.Sprintf("%s \"%v\"\t%v", prefixedNames(f.Name), f.Value, f.Usage))
-}
-
-// Apply populates the flag given the flag set and environment
-func (f DurationFlag) Apply(set *flag.FlagSet) {
- if f.EnvVar != "" {
- for _, envVar := range strings.Split(f.EnvVar, ",") {
- envVar = strings.TrimSpace(envVar)
- if envVal := os.Getenv(envVar); envVal != "" {
- envValDuration, err := time.ParseDuration(envVal)
- if err == nil {
- f.Value = envValDuration
- break
- }
- }
- }
- }
-
- eachName(f.Name, func(name string) {
- if f.Destination != nil {
- set.DurationVar(f.Destination, name, f.Value, f.Usage)
- return
- }
- set.Duration(name, f.Value, f.Usage)
- })
-}
-
-func (f DurationFlag) GetName() string {
- return f.Name
-}
-
-// Float64Flag is a flag that takes an float value
-// Errors if the value provided cannot be parsed
-type Float64Flag struct {
- Name string
- Value float64
- Usage string
- EnvVar string
- Destination *float64
-}
-
-// String returns the usage
-func (f Float64Flag) String() string {
- return withEnvHint(f.EnvVar, fmt.Sprintf("%s \"%v\"\t%v", prefixedNames(f.Name), f.Value, f.Usage))
-}
-
-// Apply populates the flag given the flag set and environment
-func (f Float64Flag) Apply(set *flag.FlagSet) {
- if f.EnvVar != "" {
- for _, envVar := range strings.Split(f.EnvVar, ",") {
- envVar = strings.TrimSpace(envVar)
- if envVal := os.Getenv(envVar); envVal != "" {
- envValFloat, err := strconv.ParseFloat(envVal, 10)
- if err == nil {
- f.Value = float64(envValFloat)
- }
- }
- }
- }
-
- eachName(f.Name, func(name string) {
- if f.Destination != nil {
- set.Float64Var(f.Destination, name, f.Value, f.Usage)
- return
- }
- set.Float64(name, f.Value, f.Usage)
- })
-}
-
-func (f Float64Flag) GetName() string {
- return f.Name
-}
-
-func prefixFor(name string) (prefix string) {
- if len(name) == 1 {
- prefix = "-"
- } else {
- prefix = "--"
- }
-
- return
-}
-
-func prefixedNames(fullName string) (prefixed string) {
- parts := strings.Split(fullName, ",")
- for i, name := range parts {
- name = strings.Trim(name, " ")
- prefixed += prefixFor(name) + name
- if i < len(parts)-1 {
- prefixed += ", "
- }
- }
- return
-}
-
-func withEnvHint(envVar, str string) string {
- envText := ""
- if envVar != "" {
- envText = fmt.Sprintf(" [$%s]", strings.Join(strings.Split(envVar, ","), ", $"))
- }
- return str + envText
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/codegangsta/cli/help.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/codegangsta/cli/help.go
deleted file mode 100644
index a246f63ac4d0da78d5f5d0bdf9357d6b55519603..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/codegangsta/cli/help.go
+++ /dev/null
@@ -1,246 +0,0 @@
-package cli
-
-import (
- "fmt"
- "io"
- "strings"
- "text/tabwriter"
- "text/template"
-)
-
-// The text template for the Default help topic.
-// cli.go uses text/template to render templates. You can
-// render custom help text by setting this variable.
-var AppHelpTemplate = `NAME:
- {{.Name}} - {{.Usage}}
-
-USAGE:
- {{.HelpName}} {{if .Flags}}[global options]{{end}}{{if .Commands}} command [command options]{{end}} {{if .ArgsUsage}}{{.ArgsUsage}}{{else}}[arguments...]{{end}}
- {{if .Version}}
-VERSION:
- {{.Version}}
- {{end}}{{if len .Authors}}
-AUTHOR(S):
- {{range .Authors}}{{ . }}{{end}}
- {{end}}{{if .Commands}}
-COMMANDS:
- {{range .Commands}}{{join .Names ", "}}{{ "\t" }}{{.Usage}}
- {{end}}{{end}}{{if .Flags}}
-GLOBAL OPTIONS:
- {{range .Flags}}{{.}}
- {{end}}{{end}}{{if .Copyright }}
-COPYRIGHT:
- {{.Copyright}}
- {{end}}
-`
-
-// The text template for the command help topic.
-// cli.go uses text/template to render templates. You can
-// render custom help text by setting this variable.
-var CommandHelpTemplate = `NAME:
- {{.HelpName}} - {{.Usage}}
-
-USAGE:
- {{.HelpName}}{{if .Flags}} [command options]{{end}} {{if .ArgsUsage}}{{.ArgsUsage}}{{else}}[arguments...]{{end}}{{if .Description}}
-
-DESCRIPTION:
- {{.Description}}{{end}}{{if .Flags}}
-
-OPTIONS:
- {{range .Flags}}{{.}}
- {{end}}{{ end }}
-`
-
-// The text template for the subcommand help topic.
-// cli.go uses text/template to render templates. You can
-// render custom help text by setting this variable.
-var SubcommandHelpTemplate = `NAME:
- {{.HelpName}} - {{.Usage}}
-
-USAGE:
- {{.HelpName}} command{{if .Flags}} [command options]{{end}} {{if .ArgsUsage}}{{.ArgsUsage}}{{else}}[arguments...]{{end}}
-
-COMMANDS:
- {{range .Commands}}{{join .Names ", "}}{{ "\t" }}{{.Usage}}
- {{end}}{{if .Flags}}
-OPTIONS:
- {{range .Flags}}{{.}}
- {{end}}{{end}}
-`
-
-var helpCommand = Command{
- Name: "help",
- Aliases: []string{"h"},
- Usage: "Shows a list of commands or help for one command",
- ArgsUsage: "[command]",
- Action: func(c *Context) {
- args := c.Args()
- if args.Present() {
- ShowCommandHelp(c, args.First())
- } else {
- ShowAppHelp(c)
- }
- },
-}
-
-var helpSubcommand = Command{
- Name: "help",
- Aliases: []string{"h"},
- Usage: "Shows a list of commands or help for one command",
- ArgsUsage: "[command]",
- Action: func(c *Context) {
- args := c.Args()
- if args.Present() {
- ShowCommandHelp(c, args.First())
- } else {
- ShowSubcommandHelp(c)
- }
- },
-}
-
-// Prints help for the App or Command
-type helpPrinter func(w io.Writer, templ string, data interface{})
-
-var HelpPrinter helpPrinter = printHelp
-
-// Prints version for the App
-var VersionPrinter = printVersion
-
-func ShowAppHelp(c *Context) {
- HelpPrinter(c.App.Writer, AppHelpTemplate, c.App)
-}
-
-// Prints the list of subcommands as the default app completion method
-func DefaultAppComplete(c *Context) {
- for _, command := range c.App.Commands {
- for _, name := range command.Names() {
- fmt.Fprintln(c.App.Writer, name)
- }
- }
-}
-
-// Prints help for the given command
-func ShowCommandHelp(ctx *Context, command string) {
- // show the subcommand help for a command with subcommands
- if command == "" {
- HelpPrinter(ctx.App.Writer, SubcommandHelpTemplate, ctx.App)
- return
- }
-
- for _, c := range ctx.App.Commands {
- if c.HasName(command) {
- HelpPrinter(ctx.App.Writer, CommandHelpTemplate, c)
- return
- }
- }
-
- if ctx.App.CommandNotFound != nil {
- ctx.App.CommandNotFound(ctx, command)
- } else {
- fmt.Fprintf(ctx.App.Writer, "No help topic for '%v'\n", command)
- }
-}
-
-// Prints help for the given subcommand
-func ShowSubcommandHelp(c *Context) {
- ShowCommandHelp(c, c.Command.Name)
-}
-
-// Prints the version number of the App
-func ShowVersion(c *Context) {
- VersionPrinter(c)
-}
-
-func printVersion(c *Context) {
- fmt.Fprintf(c.App.Writer, "%v version %v\n", c.App.Name, c.App.Version)
-}
-
-// Prints the lists of commands within a given context
-func ShowCompletions(c *Context) {
- a := c.App
- if a != nil && a.BashComplete != nil {
- a.BashComplete(c)
- }
-}
-
-// Prints the custom completions for a given command
-func ShowCommandCompletions(ctx *Context, command string) {
- c := ctx.App.Command(command)
- if c != nil && c.BashComplete != nil {
- c.BashComplete(ctx)
- }
-}
-
-func printHelp(out io.Writer, templ string, data interface{}) {
- funcMap := template.FuncMap{
- "join": strings.Join,
- }
-
- w := tabwriter.NewWriter(out, 0, 8, 1, '\t', 0)
- t := template.Must(template.New("help").Funcs(funcMap).Parse(templ))
- err := t.Execute(w, data)
- if err != nil {
- panic(err)
- }
- w.Flush()
-}
-
-func checkVersion(c *Context) bool {
- found := false
- if VersionFlag.Name != "" {
- eachName(VersionFlag.Name, func(name string) {
- if c.GlobalBool(name) || c.Bool(name) {
- found = true
- }
- })
- }
- return found
-}
-
-func checkHelp(c *Context) bool {
- found := false
- if HelpFlag.Name != "" {
- eachName(HelpFlag.Name, func(name string) {
- if c.GlobalBool(name) || c.Bool(name) {
- found = true
- }
- })
- }
- return found
-}
-
-func checkCommandHelp(c *Context, name string) bool {
- if c.Bool("h") || c.Bool("help") {
- ShowCommandHelp(c, name)
- return true
- }
-
- return false
-}
-
-func checkSubcommandHelp(c *Context) bool {
- if c.GlobalBool("h") || c.GlobalBool("help") {
- ShowSubcommandHelp(c)
- return true
- }
-
- return false
-}
-
-func checkCompletions(c *Context) bool {
- if (c.GlobalBool(BashCompletionFlag.Name) || c.Bool(BashCompletionFlag.Name)) && c.App.EnableBashCompletion {
- ShowCompletions(c)
- return true
- }
-
- return false
-}
-
-func checkCommandCompletions(c *Context, name string) bool {
- if c.Bool(BashCompletionFlag.Name) && c.App.EnableBashCompletion {
- ShowCommandCompletions(c, name)
- return true
- }
-
- return false
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/coreos/go-systemd/LICENSE b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/coreos/go-systemd/LICENSE
deleted file mode 100644
index 37ec93a14fdcd0d6e525d97c0cfa6b314eaa98d8..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/coreos/go-systemd/LICENSE
+++ /dev/null
@@ -1,191 +0,0 @@
-Apache License
-Version 2.0, January 2004
-http://www.apache.org/licenses/
-
-TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
-
-1. Definitions.
-
-"License" shall mean the terms and conditions for use, reproduction, and
-distribution as defined by Sections 1 through 9 of this document.
-
-"Licensor" shall mean the copyright owner or entity authorized by the copyright
-owner that is granting the License.
-
-"Legal Entity" shall mean the union of the acting entity and all other entities
-that control, are controlled by, or are under common control with that entity.
-For the purposes of this definition, "control" means (i) the power, direct or
-indirect, to cause the direction or management of such entity, whether by
-contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the
-outstanding shares, or (iii) beneficial ownership of such entity.
-
-"You" (or "Your") shall mean an individual or Legal Entity exercising
-permissions granted by this License.
-
-"Source" form shall mean the preferred form for making modifications, including
-but not limited to software source code, documentation source, and configuration
-files.
-
-"Object" form shall mean any form resulting from mechanical transformation or
-translation of a Source form, including but not limited to compiled object code,
-generated documentation, and conversions to other media types.
-
-"Work" shall mean the work of authorship, whether in Source or Object form, made
-available under the License, as indicated by a copyright notice that is included
-in or attached to the work (an example is provided in the Appendix below).
-
-"Derivative Works" shall mean any work, whether in Source or Object form, that
-is based on (or derived from) the Work and for which the editorial revisions,
-annotations, elaborations, or other modifications represent, as a whole, an
-original work of authorship. For the purposes of this License, Derivative Works
-shall not include works that remain separable from, or merely link (or bind by
-name) to the interfaces of, the Work and Derivative Works thereof.
-
-"Contribution" shall mean any work of authorship, including the original version
-of the Work and any modifications or additions to that Work or Derivative Works
-thereof, that is intentionally submitted to Licensor for inclusion in the Work
-by the copyright owner or by an individual or Legal Entity authorized to submit
-on behalf of the copyright owner. For the purposes of this definition,
-"submitted" means any form of electronic, verbal, or written communication sent
-to the Licensor or its representatives, including but not limited to
-communication on electronic mailing lists, source code control systems, and
-issue tracking systems that are managed by, or on behalf of, the Licensor for
-the purpose of discussing and improving the Work, but excluding communication
-that is conspicuously marked or otherwise designated in writing by the copyright
-owner as "Not a Contribution."
-
-"Contributor" shall mean Licensor and any individual or Legal Entity on behalf
-of whom a Contribution has been received by Licensor and subsequently
-incorporated within the Work.
-
-2. Grant of Copyright License.
-
-Subject to the terms and conditions of this License, each Contributor hereby
-grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free,
-irrevocable copyright license to reproduce, prepare Derivative Works of,
-publicly display, publicly perform, sublicense, and distribute the Work and such
-Derivative Works in Source or Object form.
-
-3. Grant of Patent License.
-
-Subject to the terms and conditions of this License, each Contributor hereby
-grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free,
-irrevocable (except as stated in this section) patent license to make, have
-made, use, offer to sell, sell, import, and otherwise transfer the Work, where
-such license applies only to those patent claims licensable by such Contributor
-that are necessarily infringed by their Contribution(s) alone or by combination
-of their Contribution(s) with the Work to which such Contribution(s) was
-submitted. If You institute patent litigation against any entity (including a
-cross-claim or counterclaim in a lawsuit) alleging that the Work or a
-Contribution incorporated within the Work constitutes direct or contributory
-patent infringement, then any patent licenses granted to You under this License
-for that Work shall terminate as of the date such litigation is filed.
-
-4. Redistribution.
-
-You may reproduce and distribute copies of the Work or Derivative Works thereof
-in any medium, with or without modifications, and in Source or Object form,
-provided that You meet the following conditions:
-
-You must give any other recipients of the Work or Derivative Works a copy of
-this License; and
-You must cause any modified files to carry prominent notices stating that You
-changed the files; and
-You must retain, in the Source form of any Derivative Works that You distribute,
-all copyright, patent, trademark, and attribution notices from the Source form
-of the Work, excluding those notices that do not pertain to any part of the
-Derivative Works; and
-If the Work includes a "NOTICE" text file as part of its distribution, then any
-Derivative Works that You distribute must include a readable copy of the
-attribution notices contained within such NOTICE file, excluding those notices
-that do not pertain to any part of the Derivative Works, in at least one of the
-following places: within a NOTICE text file distributed as part of the
-Derivative Works; within the Source form or documentation, if provided along
-with the Derivative Works; or, within a display generated by the Derivative
-Works, if and wherever such third-party notices normally appear. The contents of
-the NOTICE file are for informational purposes only and do not modify the
-License. You may add Your own attribution notices within Derivative Works that
-You distribute, alongside or as an addendum to the NOTICE text from the Work,
-provided that such additional attribution notices cannot be construed as
-modifying the License.
-You may add Your own copyright statement to Your modifications and may provide
-additional or different license terms and conditions for use, reproduction, or
-distribution of Your modifications, or for any such Derivative Works as a whole,
-provided Your use, reproduction, and distribution of the Work otherwise complies
-with the conditions stated in this License.
-
-5. Submission of Contributions.
-
-Unless You explicitly state otherwise, any Contribution intentionally submitted
-for inclusion in the Work by You to the Licensor shall be under the terms and
-conditions of this License, without any additional terms or conditions.
-Notwithstanding the above, nothing herein shall supersede or modify the terms of
-any separate license agreement you may have executed with Licensor regarding
-such Contributions.
-
-6. Trademarks.
-
-This License does not grant permission to use the trade names, trademarks,
-service marks, or product names of the Licensor, except as required for
-reasonable and customary use in describing the origin of the Work and
-reproducing the content of the NOTICE file.
-
-7. Disclaimer of Warranty.
-
-Unless required by applicable law or agreed to in writing, Licensor provides the
-Work (and each Contributor provides its Contributions) on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied,
-including, without limitation, any warranties or conditions of TITLE,
-NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are
-solely responsible for determining the appropriateness of using or
-redistributing the Work and assume any risks associated with Your exercise of
-permissions under this License.
-
-8. Limitation of Liability.
-
-In no event and under no legal theory, whether in tort (including negligence),
-contract, or otherwise, unless required by applicable law (such as deliberate
-and grossly negligent acts) or agreed to in writing, shall any Contributor be
-liable to You for damages, including any direct, indirect, special, incidental,
-or consequential damages of any character arising as a result of this License or
-out of the use or inability to use the Work (including but not limited to
-damages for loss of goodwill, work stoppage, computer failure or malfunction, or
-any and all other commercial damages or losses), even if such Contributor has
-been advised of the possibility of such damages.
-
-9. Accepting Warranty or Additional Liability.
-
-While redistributing the Work or Derivative Works thereof, You may choose to
-offer, and charge a fee for, acceptance of support, warranty, indemnity, or
-other liability obligations and/or rights consistent with this License. However,
-in accepting such obligations, You may act only on Your own behalf and on Your
-sole responsibility, not on behalf of any other Contributor, and only if You
-agree to indemnify, defend, and hold each Contributor harmless for any liability
-incurred by, or claims asserted against, such Contributor by reason of your
-accepting any such warranty or additional liability.
-
-END OF TERMS AND CONDITIONS
-
-APPENDIX: How to apply the Apache License to your work
-
-To apply the Apache License to your work, attach the following boilerplate
-notice, with the fields enclosed by brackets "[]" replaced with your own
-identifying information. (Don't include the brackets!) The text should be
-enclosed in the appropriate comment syntax for the file format. We also
-recommend that a file or class name and description of purpose be included on
-the same "printed page" as the copyright notice for easier identification within
-third-party archives.
-
- Copyright [yyyy] [name of copyright owner]
-
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/coreos/go-systemd/activation/files.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/coreos/go-systemd/activation/files.go
deleted file mode 100644
index c8e85fcd58894494b84693a9840e9c820558fce6..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/coreos/go-systemd/activation/files.go
+++ /dev/null
@@ -1,52 +0,0 @@
-// Copyright 2015 CoreOS, Inc.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-// Package activation implements primitives for systemd socket activation.
-package activation
-
-import (
- "os"
- "strconv"
- "syscall"
-)
-
-// based on: https://gist.github.com/alberts/4640792
-const (
- listenFdsStart = 3
-)
-
-func Files(unsetEnv bool) []*os.File {
- if unsetEnv {
- defer os.Unsetenv("LISTEN_PID")
- defer os.Unsetenv("LISTEN_FDS")
- }
-
- pid, err := strconv.Atoi(os.Getenv("LISTEN_PID"))
- if err != nil || pid != os.Getpid() {
- return nil
- }
-
- nfds, err := strconv.Atoi(os.Getenv("LISTEN_FDS"))
- if err != nil || nfds == 0 {
- return nil
- }
-
- files := make([]*os.File, 0, nfds)
- for fd := listenFdsStart; fd < listenFdsStart+nfds; fd++ {
- syscall.CloseOnExec(fd)
- files = append(files, os.NewFile(uintptr(fd), "LISTEN_FD_"+strconv.Itoa(fd)))
- }
-
- return files
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/coreos/go-systemd/activation/listeners.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/coreos/go-systemd/activation/listeners.go
deleted file mode 100644
index df27c29e9eaa8a19b090b713c7cdaab4300a589b..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/coreos/go-systemd/activation/listeners.go
+++ /dev/null
@@ -1,62 +0,0 @@
-// Copyright 2015 CoreOS, Inc.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package activation
-
-import (
- "crypto/tls"
- "net"
-)
-
-// Listeners returns a slice containing a net.Listener for each matching socket type
-// passed to this process.
-//
-// The order of the file descriptors is preserved in the returned slice.
-// Nil values are used to fill any gaps. For example if systemd were to return file descriptors
-// corresponding with "udp, tcp, tcp", then the slice would contain {nil, net.Listener, net.Listener}
-func Listeners(unsetEnv bool) ([]net.Listener, error) {
- files := Files(unsetEnv)
- listeners := make([]net.Listener, len(files))
-
- for i, f := range files {
- if pc, err := net.FileListener(f); err == nil {
- listeners[i] = pc
- }
- }
- return listeners, nil
-}
-
-// TLSListeners returns a slice containing a net.listener for each matching TCP socket type
-// passed to this process.
-// It uses default Listeners func and forces TCP sockets handlers to use TLS based on tlsConfig.
-func TLSListeners(unsetEnv bool, tlsConfig *tls.Config) ([]net.Listener, error) {
- listeners, err := Listeners(unsetEnv)
-
- if listeners == nil || err != nil {
- return nil, err
- }
-
- if tlsConfig != nil && err == nil {
- tlsConfig.NextProtos = []string{"http/1.1"}
-
- for i, l := range listeners {
- // Activate TLS only for TCP sockets
- if l.Addr().Network() == "tcp" {
- listeners[i] = tls.NewListener(l, tlsConfig)
- }
- }
- }
-
- return listeners, err
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/coreos/go-systemd/activation/packetconns.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/coreos/go-systemd/activation/packetconns.go
deleted file mode 100644
index 48b2ca029df208f20fd465f510a3c9a68e6eed75..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/coreos/go-systemd/activation/packetconns.go
+++ /dev/null
@@ -1,37 +0,0 @@
-// Copyright 2015 CoreOS, Inc.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package activation
-
-import (
- "net"
-)
-
-// PacketConns returns a slice containing a net.PacketConn for each matching socket type
-// passed to this process.
-//
-// The order of the file descriptors is preserved in the returned slice.
-// Nil values are used to fill any gaps. For example if systemd were to return file descriptors
-// corresponding with "udp, tcp, udp", then the slice would contain {net.PacketConn, nil, net.PacketConn}
-func PacketConns(unsetEnv bool) ([]net.PacketConn, error) {
- files := Files(unsetEnv)
- conns := make([]net.PacketConn, len(files))
-
- for i, f := range files {
- if pc, err := net.FilePacketConn(f); err == nil {
- conns[i] = pc
- }
- }
- return conns, nil
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/coreos/go-systemd/dbus/dbus.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/coreos/go-systemd/dbus/dbus.go
deleted file mode 100644
index 5dd748e60ff142f6537e9a83d8b2ed0772939ce9..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/coreos/go-systemd/dbus/dbus.go
+++ /dev/null
@@ -1,187 +0,0 @@
-// Copyright 2015 CoreOS, Inc.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-// Integration with the systemd D-Bus API. See http://www.freedesktop.org/wiki/Software/systemd/dbus/
-package dbus
-
-import (
- "fmt"
- "os"
- "strconv"
- "strings"
- "sync"
-
- "github.com/godbus/dbus"
-)
-
-const (
- alpha = `abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ`
- num = `0123456789`
- alphanum = alpha + num
- signalBuffer = 100
-)
-
-// needsEscape checks whether a byte in a potential dbus ObjectPath needs to be escaped
-func needsEscape(i int, b byte) bool {
- // Escape everything that is not a-z-A-Z-0-9
- // Also escape 0-9 if it's the first character
- return strings.IndexByte(alphanum, b) == -1 ||
- (i == 0 && strings.IndexByte(num, b) != -1)
-}
-
-// PathBusEscape sanitizes a constituent string of a dbus ObjectPath using the
-// rules that systemd uses for serializing special characters.
-func PathBusEscape(path string) string {
- // Special case the empty string
- if len(path) == 0 {
- return "_"
- }
- n := []byte{}
- for i := 0; i < len(path); i++ {
- c := path[i]
- if needsEscape(i, c) {
- e := fmt.Sprintf("_%x", c)
- n = append(n, []byte(e)...)
- } else {
- n = append(n, c)
- }
- }
- return string(n)
-}
-
-// Conn is a connection to systemd's dbus endpoint.
-type Conn struct {
- // sysconn/sysobj are only used to call dbus methods
- sysconn *dbus.Conn
- sysobj dbus.BusObject
-
- // sigconn/sigobj are only used to receive dbus signals
- sigconn *dbus.Conn
- sigobj dbus.BusObject
-
- jobListener struct {
- jobs map[dbus.ObjectPath]chan<- string
- sync.Mutex
- }
- subscriber struct {
- updateCh chan<- *SubStateUpdate
- errCh chan<- error
- sync.Mutex
- ignore map[dbus.ObjectPath]int64
- cleanIgnore int64
- }
-}
-
-// New establishes a connection to the system bus and authenticates.
-// Callers should call Close() when done with the connection.
-func New() (*Conn, error) {
- return newConnection(func() (*dbus.Conn, error) {
- return dbusAuthHelloConnection(dbus.SystemBusPrivate)
- })
-}
-
-// NewUserConnection establishes a connection to the session bus and
-// authenticates. This can be used to connect to systemd user instances.
-// Callers should call Close() when done with the connection.
-func NewUserConnection() (*Conn, error) {
- return newConnection(func() (*dbus.Conn, error) {
- return dbusAuthHelloConnection(dbus.SessionBusPrivate)
- })
-}
-
-// NewSystemdConnection establishes a private, direct connection to systemd.
-// This can be used for communicating with systemd without a dbus daemon.
-// Callers should call Close() when done with the connection.
-func NewSystemdConnection() (*Conn, error) {
- return newConnection(func() (*dbus.Conn, error) {
- // We skip Hello when talking directly to systemd.
- return dbusAuthConnection(func() (*dbus.Conn, error) {
- return dbus.Dial("unix:path=/run/systemd/private")
- })
- })
-}
-
-// Close closes an established connection
-func (c *Conn) Close() {
- c.sysconn.Close()
- c.sigconn.Close()
-}
-
-func newConnection(createBus func() (*dbus.Conn, error)) (*Conn, error) {
- sysconn, err := createBus()
- if err != nil {
- return nil, err
- }
-
- sigconn, err := createBus()
- if err != nil {
- sysconn.Close()
- return nil, err
- }
-
- c := &Conn{
- sysconn: sysconn,
- sysobj: systemdObject(sysconn),
- sigconn: sigconn,
- sigobj: systemdObject(sigconn),
- }
-
- c.subscriber.ignore = make(map[dbus.ObjectPath]int64)
- c.jobListener.jobs = make(map[dbus.ObjectPath]chan<- string)
-
- // Setup the listeners on jobs so that we can get completions
- c.sigconn.BusObject().Call("org.freedesktop.DBus.AddMatch", 0,
- "type='signal', interface='org.freedesktop.systemd1.Manager', member='JobRemoved'")
-
- c.dispatch()
- return c, nil
-}
-
-func dbusAuthConnection(createBus func() (*dbus.Conn, error)) (*dbus.Conn, error) {
- conn, err := createBus()
- if err != nil {
- return nil, err
- }
-
- // Only use EXTERNAL method, and hardcode the uid (not username)
- // to avoid a username lookup (which requires a dynamically linked
- // libc)
- methods := []dbus.Auth{dbus.AuthExternal(strconv.Itoa(os.Getuid()))}
-
- err = conn.Auth(methods)
- if err != nil {
- conn.Close()
- return nil, err
- }
-
- return conn, nil
-}
-
-func dbusAuthHelloConnection(createBus func() (*dbus.Conn, error)) (*dbus.Conn, error) {
- conn, err := dbusAuthConnection(createBus)
- if err != nil {
- return nil, err
- }
-
- if err = conn.Hello(); err != nil {
- conn.Close()
- return nil, err
- }
-
- return conn, nil
-}
-
-func systemdObject(conn *dbus.Conn) dbus.BusObject {
- return conn.Object("org.freedesktop.systemd1", dbus.ObjectPath("/org/freedesktop/systemd1"))
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/coreos/go-systemd/dbus/methods.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/coreos/go-systemd/dbus/methods.go
deleted file mode 100644
index ab614c7c63924086625f9f8b55a4c3f0053979a9..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/coreos/go-systemd/dbus/methods.go
+++ /dev/null
@@ -1,410 +0,0 @@
-// Copyright 2015 CoreOS, Inc.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package dbus
-
-import (
- "errors"
- "path"
- "strconv"
-
- "github.com/godbus/dbus"
-)
-
-func (c *Conn) jobComplete(signal *dbus.Signal) {
- var id uint32
- var job dbus.ObjectPath
- var unit string
- var result string
- dbus.Store(signal.Body, &id, &job, &unit, &result)
- c.jobListener.Lock()
- out, ok := c.jobListener.jobs[job]
- if ok {
- out <- result
- delete(c.jobListener.jobs, job)
- }
- c.jobListener.Unlock()
-}
-
-func (c *Conn) startJob(ch chan<- string, job string, args ...interface{}) (int, error) {
- if ch != nil {
- c.jobListener.Lock()
- defer c.jobListener.Unlock()
- }
-
- var p dbus.ObjectPath
- err := c.sysobj.Call(job, 0, args...).Store(&p)
- if err != nil {
- return 0, err
- }
-
- if ch != nil {
- c.jobListener.jobs[p] = ch
- }
-
- // ignore error since 0 is fine if conversion fails
- jobID, _ := strconv.Atoi(path.Base(string(p)))
-
- return jobID, nil
-}
-
-// StartUnit enqueues a start job and depending jobs, if any (unless otherwise
-// specified by the mode string).
-//
-// Takes the unit to activate, plus a mode string. The mode needs to be one of
-// replace, fail, isolate, ignore-dependencies, ignore-requirements. If
-// "replace" the call will start the unit and its dependencies, possibly
-// replacing already queued jobs that conflict with this. If "fail" the call
-// will start the unit and its dependencies, but will fail if this would change
-// an already queued job. If "isolate" the call will start the unit in question
-// and terminate all units that aren't dependencies of it. If
-// "ignore-dependencies" it will start a unit but ignore all its dependencies.
-// If "ignore-requirements" it will start a unit but only ignore the
-// requirement dependencies. It is not recommended to make use of the latter
-// two options.
-//
-// If the provided channel is non-nil, a result string will be sent to it upon
-// job completion: one of done, canceled, timeout, failed, dependency, skipped.
-// done indicates successful execution of a job. canceled indicates that a job
-// has been canceled before it finished execution. timeout indicates that the
-// job timeout was reached. failed indicates that the job failed. dependency
-// indicates that a job this job has been depending on failed and the job hence
-// has been removed too. skipped indicates that a job was skipped because it
-// didn't apply to the units current state.
-//
-// If no error occurs, the ID of the underlying systemd job will be returned. There
-// does exist the possibility for no error to be returned, but for the returned job
-// ID to be 0. In this case, the actual underlying ID is not 0 and this datapoint
-// should not be considered authoritative.
-//
-// If an error does occur, it will be returned to the user alongside a job ID of 0.
-func (c *Conn) StartUnit(name string, mode string, ch chan<- string) (int, error) {
- return c.startJob(ch, "org.freedesktop.systemd1.Manager.StartUnit", name, mode)
-}
-
-// StopUnit is similar to StartUnit but stops the specified unit rather
-// than starting it.
-func (c *Conn) StopUnit(name string, mode string, ch chan<- string) (int, error) {
- return c.startJob(ch, "org.freedesktop.systemd1.Manager.StopUnit", name, mode)
-}
-
-// ReloadUnit reloads a unit. Reloading is done only if the unit is already running and fails otherwise.
-func (c *Conn) ReloadUnit(name string, mode string, ch chan<- string) (int, error) {
- return c.startJob(ch, "org.freedesktop.systemd1.Manager.ReloadUnit", name, mode)
-}
-
-// RestartUnit restarts a service. If a service is restarted that isn't
-// running it will be started.
-func (c *Conn) RestartUnit(name string, mode string, ch chan<- string) (int, error) {
- return c.startJob(ch, "org.freedesktop.systemd1.Manager.RestartUnit", name, mode)
-}
-
-// TryRestartUnit is like RestartUnit, except that a service that isn't running
-// is not affected by the restart.
-func (c *Conn) TryRestartUnit(name string, mode string, ch chan<- string) (int, error) {
- return c.startJob(ch, "org.freedesktop.systemd1.Manager.TryRestartUnit", name, mode)
-}
-
-// ReloadOrRestart attempts a reload if the unit supports it and use a restart
-// otherwise.
-func (c *Conn) ReloadOrRestartUnit(name string, mode string, ch chan<- string) (int, error) {
- return c.startJob(ch, "org.freedesktop.systemd1.Manager.ReloadOrRestartUnit", name, mode)
-}
-
-// ReloadOrTryRestart attempts a reload if the unit supports it and use a "Try"
-// flavored restart otherwise.
-func (c *Conn) ReloadOrTryRestartUnit(name string, mode string, ch chan<- string) (int, error) {
- return c.startJob(ch, "org.freedesktop.systemd1.Manager.ReloadOrTryRestartUnit", name, mode)
-}
-
-// StartTransientUnit() may be used to create and start a transient unit, which
-// will be released as soon as it is not running or referenced anymore or the
-// system is rebooted. name is the unit name including suffix, and must be
-// unique. mode is the same as in StartUnit(), properties contains properties
-// of the unit.
-func (c *Conn) StartTransientUnit(name string, mode string, properties []Property, ch chan<- string) (int, error) {
- return c.startJob(ch, "org.freedesktop.systemd1.Manager.StartTransientUnit", name, mode, properties, make([]PropertyCollection, 0))
-}
-
-// KillUnit takes the unit name and a UNIX signal number to send. All of the unit's
-// processes are killed.
-func (c *Conn) KillUnit(name string, signal int32) {
- c.sysobj.Call("org.freedesktop.systemd1.Manager.KillUnit", 0, name, "all", signal).Store()
-}
-
-// ResetFailedUnit resets the "failed" state of a specific unit.
-func (c *Conn) ResetFailedUnit(name string) error {
- return c.sysobj.Call("org.freedesktop.systemd1.Manager.ResetFailedUnit", 0, name).Store()
-}
-
-// getProperties takes the unit name and returns all of its dbus object properties, for the given dbus interface
-func (c *Conn) getProperties(unit string, dbusInterface string) (map[string]interface{}, error) {
- var err error
- var props map[string]dbus.Variant
-
- path := unitPath(unit)
- if !path.IsValid() {
- return nil, errors.New("invalid unit name: " + unit)
- }
-
- obj := c.sysconn.Object("org.freedesktop.systemd1", path)
- err = obj.Call("org.freedesktop.DBus.Properties.GetAll", 0, dbusInterface).Store(&props)
- if err != nil {
- return nil, err
- }
-
- out := make(map[string]interface{}, len(props))
- for k, v := range props {
- out[k] = v.Value()
- }
-
- return out, nil
-}
-
-// GetUnitProperties takes the unit name and returns all of its dbus object properties.
-func (c *Conn) GetUnitProperties(unit string) (map[string]interface{}, error) {
- return c.getProperties(unit, "org.freedesktop.systemd1.Unit")
-}
-
-func (c *Conn) getProperty(unit string, dbusInterface string, propertyName string) (*Property, error) {
- var err error
- var prop dbus.Variant
-
- path := unitPath(unit)
- if !path.IsValid() {
- return nil, errors.New("invalid unit name: " + unit)
- }
-
- obj := c.sysconn.Object("org.freedesktop.systemd1", path)
- err = obj.Call("org.freedesktop.DBus.Properties.Get", 0, dbusInterface, propertyName).Store(&prop)
- if err != nil {
- return nil, err
- }
-
- return &Property{Name: propertyName, Value: prop}, nil
-}
-
-func (c *Conn) GetUnitProperty(unit string, propertyName string) (*Property, error) {
- return c.getProperty(unit, "org.freedesktop.systemd1.Unit", propertyName)
-}
-
-// GetUnitTypeProperties returns the extra properties for a unit, specific to the unit type.
-// Valid values for unitType: Service, Socket, Target, Device, Mount, Automount, Snapshot, Timer, Swap, Path, Slice, Scope
-// return "dbus.Error: Unknown interface" if the unitType is not the correct type of the unit
-func (c *Conn) GetUnitTypeProperties(unit string, unitType string) (map[string]interface{}, error) {
- return c.getProperties(unit, "org.freedesktop.systemd1."+unitType)
-}
-
-// SetUnitProperties() may be used to modify certain unit properties at runtime.
-// Not all properties may be changed at runtime, but many resource management
-// settings (primarily those in systemd.cgroup(5)) may. The changes are applied
-// instantly, and stored on disk for future boots, unless runtime is true, in which
-// case the settings only apply until the next reboot. name is the name of the unit
-// to modify. properties are the settings to set, encoded as an array of property
-// name and value pairs.
-func (c *Conn) SetUnitProperties(name string, runtime bool, properties ...Property) error {
- return c.sysobj.Call("org.freedesktop.systemd1.Manager.SetUnitProperties", 0, name, runtime, properties).Store()
-}
-
-func (c *Conn) GetUnitTypeProperty(unit string, unitType string, propertyName string) (*Property, error) {
- return c.getProperty(unit, "org.freedesktop.systemd1."+unitType, propertyName)
-}
-
-// ListUnits returns an array with all currently loaded units. Note that
-// units may be known by multiple names at the same time, and hence there might
-// be more unit names loaded than actual units behind them.
-func (c *Conn) ListUnits() ([]UnitStatus, error) {
- result := make([][]interface{}, 0)
- err := c.sysobj.Call("org.freedesktop.systemd1.Manager.ListUnits", 0).Store(&result)
- if err != nil {
- return nil, err
- }
-
- resultInterface := make([]interface{}, len(result))
- for i := range result {
- resultInterface[i] = result[i]
- }
-
- status := make([]UnitStatus, len(result))
- statusInterface := make([]interface{}, len(status))
- for i := range status {
- statusInterface[i] = &status[i]
- }
-
- err = dbus.Store(resultInterface, statusInterface...)
- if err != nil {
- return nil, err
- }
-
- return status, nil
-}
-
-type UnitStatus struct {
- Name string // The primary unit name as string
- Description string // The human readable description string
- LoadState string // The load state (i.e. whether the unit file has been loaded successfully)
- ActiveState string // The active state (i.e. whether the unit is currently started or not)
- SubState string // The sub state (a more fine-grained version of the active state that is specific to the unit type, which the active state is not)
- Followed string // A unit that is being followed in its state by this unit, if there is any, otherwise the empty string.
- Path dbus.ObjectPath // The unit object path
- JobId uint32 // If there is a job queued for the job unit the numeric job id, 0 otherwise
- JobType string // The job type as string
- JobPath dbus.ObjectPath // The job object path
-}
-
-type LinkUnitFileChange EnableUnitFileChange
-
-// LinkUnitFiles() links unit files (that are located outside of the
-// usual unit search paths) into the unit search path.
-//
-// It takes a list of absolute paths to unit files to link and two
-// booleans. The first boolean controls whether the unit shall be
-// enabled for runtime only (true, /run), or persistently (false,
-// /etc).
-// The second controls whether symlinks pointing to other units shall
-// be replaced if necessary.
-//
-// This call returns a list of the changes made. The list consists of
-// structures with three strings: the type of the change (one of symlink
-// or unlink), the file name of the symlink and the destination of the
-// symlink.
-func (c *Conn) LinkUnitFiles(files []string, runtime bool, force bool) ([]LinkUnitFileChange, error) {
- result := make([][]interface{}, 0)
- err := c.sysobj.Call("org.freedesktop.systemd1.Manager.LinkUnitFiles", 0, files, runtime, force).Store(&result)
- if err != nil {
- return nil, err
- }
-
- resultInterface := make([]interface{}, len(result))
- for i := range result {
- resultInterface[i] = result[i]
- }
-
- changes := make([]LinkUnitFileChange, len(result))
- changesInterface := make([]interface{}, len(changes))
- for i := range changes {
- changesInterface[i] = &changes[i]
- }
-
- err = dbus.Store(resultInterface, changesInterface...)
- if err != nil {
- return nil, err
- }
-
- return changes, nil
-}
-
-// EnableUnitFiles() may be used to enable one or more units in the system (by
-// creating symlinks to them in /etc or /run).
-//
-// It takes a list of unit files to enable (either just file names or full
-// absolute paths if the unit files are residing outside the usual unit
-// search paths), and two booleans: the first controls whether the unit shall
-// be enabled for runtime only (true, /run), or persistently (false, /etc).
-// The second one controls whether symlinks pointing to other units shall
-// be replaced if necessary.
-//
-// This call returns one boolean and an array with the changes made. The
-// boolean signals whether the unit files contained any enablement
-// information (i.e. an [Install]) section. The changes list consists of
-// structures with three strings: the type of the change (one of symlink
-// or unlink), the file name of the symlink and the destination of the
-// symlink.
-func (c *Conn) EnableUnitFiles(files []string, runtime bool, force bool) (bool, []EnableUnitFileChange, error) {
- var carries_install_info bool
-
- result := make([][]interface{}, 0)
- err := c.sysobj.Call("org.freedesktop.systemd1.Manager.EnableUnitFiles", 0, files, runtime, force).Store(&carries_install_info, &result)
- if err != nil {
- return false, nil, err
- }
-
- resultInterface := make([]interface{}, len(result))
- for i := range result {
- resultInterface[i] = result[i]
- }
-
- changes := make([]EnableUnitFileChange, len(result))
- changesInterface := make([]interface{}, len(changes))
- for i := range changes {
- changesInterface[i] = &changes[i]
- }
-
- err = dbus.Store(resultInterface, changesInterface...)
- if err != nil {
- return false, nil, err
- }
-
- return carries_install_info, changes, nil
-}
-
-type EnableUnitFileChange struct {
- Type string // Type of the change (one of symlink or unlink)
- Filename string // File name of the symlink
- Destination string // Destination of the symlink
-}
-
-// DisableUnitFiles() may be used to disable one or more units in the system (by
-// removing symlinks to them from /etc or /run).
-//
-// It takes a list of unit files to disable (either just file names or full
-// absolute paths if the unit files are residing outside the usual unit
-// search paths), and one boolean: whether the unit was enabled for runtime
-// only (true, /run), or persistently (false, /etc).
-//
-// This call returns an array with the changes made. The changes list
-// consists of structures with three strings: the type of the change (one of
-// symlink or unlink), the file name of the symlink and the destination of the
-// symlink.
-func (c *Conn) DisableUnitFiles(files []string, runtime bool) ([]DisableUnitFileChange, error) {
- result := make([][]interface{}, 0)
- err := c.sysobj.Call("org.freedesktop.systemd1.Manager.DisableUnitFiles", 0, files, runtime).Store(&result)
- if err != nil {
- return nil, err
- }
-
- resultInterface := make([]interface{}, len(result))
- for i := range result {
- resultInterface[i] = result[i]
- }
-
- changes := make([]DisableUnitFileChange, len(result))
- changesInterface := make([]interface{}, len(changes))
- for i := range changes {
- changesInterface[i] = &changes[i]
- }
-
- err = dbus.Store(resultInterface, changesInterface...)
- if err != nil {
- return nil, err
- }
-
- return changes, nil
-}
-
-type DisableUnitFileChange struct {
- Type string // Type of the change (one of symlink or unlink)
- Filename string // File name of the symlink
- Destination string // Destination of the symlink
-}
-
-// Reload instructs systemd to scan for and reload unit files. This is
-// equivalent to a 'systemctl daemon-reload'.
-func (c *Conn) Reload() error {
- return c.sysobj.Call("org.freedesktop.systemd1.Manager.Reload", 0).Store()
-}
-
-func unitPath(name string) dbus.ObjectPath {
- return dbus.ObjectPath("/org/freedesktop/systemd1/unit/" + PathBusEscape(name))
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/coreos/go-systemd/dbus/properties.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/coreos/go-systemd/dbus/properties.go
deleted file mode 100644
index 7520011564e1e469877000a20f29770d40491d31..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/coreos/go-systemd/dbus/properties.go
+++ /dev/null
@@ -1,218 +0,0 @@
-// Copyright 2015 CoreOS, Inc.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package dbus
-
-import (
- "github.com/godbus/dbus"
-)
-
-// From the systemd docs:
-//
-// The properties array of StartTransientUnit() may take many of the settings
-// that may also be configured in unit files. Not all parameters are currently
-// accepted though, but we plan to cover more properties with future release.
-// Currently you may set the Description, Slice and all dependency types of
-// units, as well as RemainAfterExit, ExecStart for service units,
-// TimeoutStopUSec and PIDs for scope units, and CPUAccounting, CPUShares,
-// BlockIOAccounting, BlockIOWeight, BlockIOReadBandwidth,
-// BlockIOWriteBandwidth, BlockIODeviceWeight, MemoryAccounting, MemoryLimit,
-// DevicePolicy, DeviceAllow for services/scopes/slices. These fields map
-// directly to their counterparts in unit files and as normal D-Bus object
-// properties. The exception here is the PIDs field of scope units which is
-// used for construction of the scope only and specifies the initial PIDs to
-// add to the scope object.
-
-type Property struct {
- Name string
- Value dbus.Variant
-}
-
-type PropertyCollection struct {
- Name string
- Properties []Property
-}
-
-type execStart struct {
- Path string // the binary path to execute
- Args []string // an array with all arguments to pass to the executed command, starting with argument 0
- UncleanIsFailure bool // a boolean whether it should be considered a failure if the process exits uncleanly
-}
-
-// PropExecStart sets the ExecStart service property. The first argument is a
-// slice with the binary path to execute followed by the arguments to pass to
-// the executed command. See
-// http://www.freedesktop.org/software/systemd/man/systemd.service.html#ExecStart=
-func PropExecStart(command []string, uncleanIsFailure bool) Property {
- execStarts := []execStart{
- execStart{
- Path: command[0],
- Args: command,
- UncleanIsFailure: uncleanIsFailure,
- },
- }
-
- return Property{
- Name: "ExecStart",
- Value: dbus.MakeVariant(execStarts),
- }
-}
-
-// PropRemainAfterExit sets the RemainAfterExit service property. See
-// http://www.freedesktop.org/software/systemd/man/systemd.service.html#RemainAfterExit=
-func PropRemainAfterExit(b bool) Property {
- return Property{
- Name: "RemainAfterExit",
- Value: dbus.MakeVariant(b),
- }
-}
-
-// PropDescription sets the Description unit property. See
-// http://www.freedesktop.org/software/systemd/man/systemd.unit#Description=
-func PropDescription(desc string) Property {
- return Property{
- Name: "Description",
- Value: dbus.MakeVariant(desc),
- }
-}
-
-func propDependency(name string, units []string) Property {
- return Property{
- Name: name,
- Value: dbus.MakeVariant(units),
- }
-}
-
-// PropRequires sets the Requires unit property. See
-// http://www.freedesktop.org/software/systemd/man/systemd.unit.html#Requires=
-func PropRequires(units ...string) Property {
- return propDependency("Requires", units)
-}
-
-// PropRequiresOverridable sets the RequiresOverridable unit property. See
-// http://www.freedesktop.org/software/systemd/man/systemd.unit.html#RequiresOverridable=
-func PropRequiresOverridable(units ...string) Property {
- return propDependency("RequiresOverridable", units)
-}
-
-// PropRequisite sets the Requisite unit property. See
-// http://www.freedesktop.org/software/systemd/man/systemd.unit.html#Requisite=
-func PropRequisite(units ...string) Property {
- return propDependency("Requisite", units)
-}
-
-// PropRequisiteOverridable sets the RequisiteOverridable unit property. See
-// http://www.freedesktop.org/software/systemd/man/systemd.unit.html#RequisiteOverridable=
-func PropRequisiteOverridable(units ...string) Property {
- return propDependency("RequisiteOverridable", units)
-}
-
-// PropWants sets the Wants unit property. See
-// http://www.freedesktop.org/software/systemd/man/systemd.unit.html#Wants=
-func PropWants(units ...string) Property {
- return propDependency("Wants", units)
-}
-
-// PropBindsTo sets the BindsTo unit property. See
-// http://www.freedesktop.org/software/systemd/man/systemd.unit.html#BindsTo=
-func PropBindsTo(units ...string) Property {
- return propDependency("BindsTo", units)
-}
-
-// PropRequiredBy sets the RequiredBy unit property. See
-// http://www.freedesktop.org/software/systemd/man/systemd.unit.html#RequiredBy=
-func PropRequiredBy(units ...string) Property {
- return propDependency("RequiredBy", units)
-}
-
-// PropRequiredByOverridable sets the RequiredByOverridable unit property. See
-// http://www.freedesktop.org/software/systemd/man/systemd.unit.html#RequiredByOverridable=
-func PropRequiredByOverridable(units ...string) Property {
- return propDependency("RequiredByOverridable", units)
-}
-
-// PropWantedBy sets the WantedBy unit property. See
-// http://www.freedesktop.org/software/systemd/man/systemd.unit.html#WantedBy=
-func PropWantedBy(units ...string) Property {
- return propDependency("WantedBy", units)
-}
-
-// PropBoundBy sets the BoundBy unit property. See
-// http://www.freedesktop.org/software/systemd/main/systemd.unit.html#BoundBy=
-func PropBoundBy(units ...string) Property {
- return propDependency("BoundBy", units)
-}
-
-// PropConflicts sets the Conflicts unit property. See
-// http://www.freedesktop.org/software/systemd/man/systemd.unit.html#Conflicts=
-func PropConflicts(units ...string) Property {
- return propDependency("Conflicts", units)
-}
-
-// PropConflictedBy sets the ConflictedBy unit property. See
-// http://www.freedesktop.org/software/systemd/man/systemd.unit.html#ConflictedBy=
-func PropConflictedBy(units ...string) Property {
- return propDependency("ConflictedBy", units)
-}
-
-// PropBefore sets the Before unit property. See
-// http://www.freedesktop.org/software/systemd/man/systemd.unit.html#Before=
-func PropBefore(units ...string) Property {
- return propDependency("Before", units)
-}
-
-// PropAfter sets the After unit property. See
-// http://www.freedesktop.org/software/systemd/man/systemd.unit.html#After=
-func PropAfter(units ...string) Property {
- return propDependency("After", units)
-}
-
-// PropOnFailure sets the OnFailure unit property. See
-// http://www.freedesktop.org/software/systemd/man/systemd.unit.html#OnFailure=
-func PropOnFailure(units ...string) Property {
- return propDependency("OnFailure", units)
-}
-
-// PropTriggers sets the Triggers unit property. See
-// http://www.freedesktop.org/software/systemd/man/systemd.unit.html#Triggers=
-func PropTriggers(units ...string) Property {
- return propDependency("Triggers", units)
-}
-
-// PropTriggeredBy sets the TriggeredBy unit property. See
-// http://www.freedesktop.org/software/systemd/man/systemd.unit.html#TriggeredBy=
-func PropTriggeredBy(units ...string) Property {
- return propDependency("TriggeredBy", units)
-}
-
-// PropPropagatesReloadTo sets the PropagatesReloadTo unit property. See
-// http://www.freedesktop.org/software/systemd/man/systemd.unit.html#PropagatesReloadTo=
-func PropPropagatesReloadTo(units ...string) Property {
- return propDependency("PropagatesReloadTo", units)
-}
-
-// PropRequiresMountsFor sets the RequiresMountsFor unit property. See
-// http://www.freedesktop.org/software/systemd/man/systemd.unit.html#RequiresMountsFor=
-func PropRequiresMountsFor(units ...string) Property {
- return propDependency("RequiresMountsFor", units)
-}
-
-// PropSlice sets the Slice unit property. See
-// http://www.freedesktop.org/software/systemd/man/systemd.resource-control.html#Slice=
-func PropSlice(slice string) Property {
- return Property{
- Name: "Slice",
- Value: dbus.MakeVariant(slice),
- }
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/coreos/go-systemd/dbus/set.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/coreos/go-systemd/dbus/set.go
deleted file mode 100644
index f92e6fbed1eaa86a1a0f92759ce3132881c29913..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/coreos/go-systemd/dbus/set.go
+++ /dev/null
@@ -1,47 +0,0 @@
-// Copyright 2015 CoreOS, Inc.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package dbus
-
-type set struct {
- data map[string]bool
-}
-
-func (s *set) Add(value string) {
- s.data[value] = true
-}
-
-func (s *set) Remove(value string) {
- delete(s.data, value)
-}
-
-func (s *set) Contains(value string) (exists bool) {
- _, exists = s.data[value]
- return
-}
-
-func (s *set) Length() int {
- return len(s.data)
-}
-
-func (s *set) Values() (values []string) {
- for val, _ := range s.data {
- values = append(values, val)
- }
- return
-}
-
-func newSet() *set {
- return &set{make(map[string]bool)}
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/coreos/go-systemd/dbus/subscription.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/coreos/go-systemd/dbus/subscription.go
deleted file mode 100644
index 996451445c06e66ecfe7f15af8771e6ad8e515b7..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/coreos/go-systemd/dbus/subscription.go
+++ /dev/null
@@ -1,250 +0,0 @@
-// Copyright 2015 CoreOS, Inc.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package dbus
-
-import (
- "errors"
- "time"
-
- "github.com/godbus/dbus"
-)
-
-const (
- cleanIgnoreInterval = int64(10 * time.Second)
- ignoreInterval = int64(30 * time.Millisecond)
-)
-
-// Subscribe sets up this connection to subscribe to all systemd dbus events.
-// This is required before calling SubscribeUnits. When the connection closes
-// systemd will automatically stop sending signals so there is no need to
-// explicitly call Unsubscribe().
-func (c *Conn) Subscribe() error {
- c.sigconn.BusObject().Call("org.freedesktop.DBus.AddMatch", 0,
- "type='signal',interface='org.freedesktop.systemd1.Manager',member='UnitNew'")
- c.sigconn.BusObject().Call("org.freedesktop.DBus.AddMatch", 0,
- "type='signal',interface='org.freedesktop.DBus.Properties',member='PropertiesChanged'")
-
- err := c.sigobj.Call("org.freedesktop.systemd1.Manager.Subscribe", 0).Store()
- if err != nil {
- return err
- }
-
- return nil
-}
-
-// Unsubscribe this connection from systemd dbus events.
-func (c *Conn) Unsubscribe() error {
- err := c.sigobj.Call("org.freedesktop.systemd1.Manager.Unsubscribe", 0).Store()
- if err != nil {
- return err
- }
-
- return nil
-}
-
-func (c *Conn) dispatch() {
- ch := make(chan *dbus.Signal, signalBuffer)
-
- c.sigconn.Signal(ch)
-
- go func() {
- for {
- signal, ok := <-ch
- if !ok {
- return
- }
-
- if signal.Name == "org.freedesktop.systemd1.Manager.JobRemoved" {
- c.jobComplete(signal)
- }
-
- if c.subscriber.updateCh == nil {
- continue
- }
-
- var unitPath dbus.ObjectPath
- switch signal.Name {
- case "org.freedesktop.systemd1.Manager.JobRemoved":
- unitName := signal.Body[2].(string)
- c.sysobj.Call("org.freedesktop.systemd1.Manager.GetUnit", 0, unitName).Store(&unitPath)
- case "org.freedesktop.systemd1.Manager.UnitNew":
- unitPath = signal.Body[1].(dbus.ObjectPath)
- case "org.freedesktop.DBus.Properties.PropertiesChanged":
- if signal.Body[0].(string) == "org.freedesktop.systemd1.Unit" {
- unitPath = signal.Path
- }
- }
-
- if unitPath == dbus.ObjectPath("") {
- continue
- }
-
- c.sendSubStateUpdate(unitPath)
- }
- }()
-}
-
-// Returns two unbuffered channels which will receive all changed units every
-// interval. Deleted units are sent as nil.
-func (c *Conn) SubscribeUnits(interval time.Duration) (<-chan map[string]*UnitStatus, <-chan error) {
- return c.SubscribeUnitsCustom(interval, 0, func(u1, u2 *UnitStatus) bool { return *u1 != *u2 }, nil)
-}
-
-// SubscribeUnitsCustom is like SubscribeUnits but lets you specify the buffer
-// size of the channels, the comparison function for detecting changes and a filter
-// function for cutting down on the noise that your channel receives.
-func (c *Conn) SubscribeUnitsCustom(interval time.Duration, buffer int, isChanged func(*UnitStatus, *UnitStatus) bool, filterUnit func(string) bool) (<-chan map[string]*UnitStatus, <-chan error) {
- old := make(map[string]*UnitStatus)
- statusChan := make(chan map[string]*UnitStatus, buffer)
- errChan := make(chan error, buffer)
-
- go func() {
- for {
- timerChan := time.After(interval)
-
- units, err := c.ListUnits()
- if err == nil {
- cur := make(map[string]*UnitStatus)
- for i := range units {
- if filterUnit != nil && filterUnit(units[i].Name) {
- continue
- }
- cur[units[i].Name] = &units[i]
- }
-
- // add all new or changed units
- changed := make(map[string]*UnitStatus)
- for n, u := range cur {
- if oldU, ok := old[n]; !ok || isChanged(oldU, u) {
- changed[n] = u
- }
- delete(old, n)
- }
-
- // add all deleted units
- for oldN := range old {
- changed[oldN] = nil
- }
-
- old = cur
-
- if len(changed) != 0 {
- statusChan <- changed
- }
- } else {
- errChan <- err
- }
-
- <-timerChan
- }
- }()
-
- return statusChan, errChan
-}
-
-type SubStateUpdate struct {
- UnitName string
- SubState string
-}
-
-// SetSubStateSubscriber writes to updateCh when any unit's substate changes.
-// Although this writes to updateCh on every state change, the reported state
-// may be more recent than the change that generated it (due to an unavoidable
-// race in the systemd dbus interface). That is, this method provides a good
-// way to keep a current view of all units' states, but is not guaranteed to
-// show every state transition they go through. Furthermore, state changes
-// will only be written to the channel with non-blocking writes. If updateCh
-// is full, it attempts to write an error to errCh; if errCh is full, the error
-// passes silently.
-func (c *Conn) SetSubStateSubscriber(updateCh chan<- *SubStateUpdate, errCh chan<- error) {
- c.subscriber.Lock()
- defer c.subscriber.Unlock()
- c.subscriber.updateCh = updateCh
- c.subscriber.errCh = errCh
-}
-
-func (c *Conn) sendSubStateUpdate(path dbus.ObjectPath) {
- c.subscriber.Lock()
- defer c.subscriber.Unlock()
-
- if c.shouldIgnore(path) {
- return
- }
-
- info, err := c.GetUnitProperties(string(path))
- if err != nil {
- select {
- case c.subscriber.errCh <- err:
- default:
- }
- }
-
- name := info["Id"].(string)
- substate := info["SubState"].(string)
-
- update := &SubStateUpdate{name, substate}
- select {
- case c.subscriber.updateCh <- update:
- default:
- select {
- case c.subscriber.errCh <- errors.New("update channel full!"):
- default:
- }
- }
-
- c.updateIgnore(path, info)
-}
-
-// The ignore functions work around a wart in the systemd dbus interface.
-// Requesting the properties of an unloaded unit will cause systemd to send a
-// pair of UnitNew/UnitRemoved signals. Because we need to get a unit's
-// properties on UnitNew (as that's the only indication of a new unit coming up
-// for the first time), we would enter an infinite loop if we did not attempt
-// to detect and ignore these spurious signals. The signal themselves are
-// indistinguishable from relevant ones, so we (somewhat hackishly) ignore an
-// unloaded unit's signals for a short time after requesting its properties.
-// This means that we will miss e.g. a transient unit being restarted
-// *immediately* upon failure and also a transient unit being started
-// immediately after requesting its status (with systemctl status, for example,
-// because this causes a UnitNew signal to be sent which then causes us to fetch
-// the properties).
-
-func (c *Conn) shouldIgnore(path dbus.ObjectPath) bool {
- t, ok := c.subscriber.ignore[path]
- return ok && t >= time.Now().UnixNano()
-}
-
-func (c *Conn) updateIgnore(path dbus.ObjectPath, info map[string]interface{}) {
- c.cleanIgnore()
-
- // unit is unloaded - it will trigger bad systemd dbus behavior
- if info["LoadState"].(string) == "not-found" {
- c.subscriber.ignore[path] = time.Now().UnixNano() + ignoreInterval
- }
-}
-
-// without this, ignore would grow unboundedly over time
-func (c *Conn) cleanIgnore() {
- now := time.Now().UnixNano()
- if c.subscriber.cleanIgnore < now {
- c.subscriber.cleanIgnore = now + cleanIgnoreInterval
-
- for p, t := range c.subscriber.ignore {
- if t < now {
- delete(c.subscriber.ignore, p)
- }
- }
- }
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/coreos/go-systemd/dbus/subscription_set.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/coreos/go-systemd/dbus/subscription_set.go
deleted file mode 100644
index 5b408d5847ad5309754ae69ed5fa69c9f8a391d7..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/coreos/go-systemd/dbus/subscription_set.go
+++ /dev/null
@@ -1,57 +0,0 @@
-// Copyright 2015 CoreOS, Inc.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package dbus
-
-import (
- "time"
-)
-
-// SubscriptionSet returns a subscription set which is like conn.Subscribe but
-// can filter to only return events for a set of units.
-type SubscriptionSet struct {
- *set
- conn *Conn
-}
-
-func (s *SubscriptionSet) filter(unit string) bool {
- return !s.Contains(unit)
-}
-
-// Subscribe starts listening for dbus events for all of the units in the set.
-// Returns channels identical to conn.SubscribeUnits.
-func (s *SubscriptionSet) Subscribe() (<-chan map[string]*UnitStatus, <-chan error) {
- // TODO: Make fully evented by using systemd 209 with properties changed values
- return s.conn.SubscribeUnitsCustom(time.Second, 0,
- mismatchUnitStatus,
- func(unit string) bool { return s.filter(unit) },
- )
-}
-
-// NewSubscriptionSet returns a new subscription set.
-func (conn *Conn) NewSubscriptionSet() *SubscriptionSet {
- return &SubscriptionSet{newSet(), conn}
-}
-
-// mismatchUnitStatus returns true if the provided UnitStatus objects
-// are not equivalent. false is returned if the objects are equivalent.
-// Only the Name, Description and state-related fields are used in
-// the comparison.
-func mismatchUnitStatus(u1, u2 *UnitStatus) bool {
- return u1.Name != u2.Name ||
- u1.Description != u2.Description ||
- u1.LoadState != u2.LoadState ||
- u1.ActiveState != u2.ActiveState ||
- u1.SubState != u2.SubState
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/coreos/go-systemd/util/util.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/coreos/go-systemd/util/util.go
deleted file mode 100644
index 33832a1ed436da85767953523efd11c79113f4b2..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/coreos/go-systemd/util/util.go
+++ /dev/null
@@ -1,33 +0,0 @@
-// Copyright 2015 CoreOS, Inc.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-// Package util contains utility functions related to systemd that applications
-// can use to check things like whether systemd is running.
-package util
-
-import (
- "os"
-)
-
-// IsRunningSystemd checks whether the host was booted with systemd as its init
-// system. This functions similar to systemd's `sd_booted(3)`: internally, it
-// checks whether /run/systemd/system/ exists and is a directory.
-// http://www.freedesktop.org/software/systemd/man/sd_booted.html
-func IsRunningSystemd() bool {
- fi, err := os.Lstat("/run/systemd/system")
- if err != nil {
- return false
- }
- return fi.IsDir()
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/docker/LICENSE b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/docker/LICENSE
deleted file mode 100644
index c7a3f0cfd4562c0a99091050ae17a33878af9d20..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/docker/LICENSE
+++ /dev/null
@@ -1,191 +0,0 @@
-
- Apache License
- Version 2.0, January 2004
- https://www.apache.org/licenses/
-
- TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
-
- 1. Definitions.
-
- "License" shall mean the terms and conditions for use, reproduction,
- and distribution as defined by Sections 1 through 9 of this document.
-
- "Licensor" shall mean the copyright owner or entity authorized by
- the copyright owner that is granting the License.
-
- "Legal Entity" shall mean the union of the acting entity and all
- other entities that control, are controlled by, or are under common
- control with that entity. For the purposes of this definition,
- "control" means (i) the power, direct or indirect, to cause the
- direction or management of such entity, whether by contract or
- otherwise, or (ii) ownership of fifty percent (50%) or more of the
- outstanding shares, or (iii) beneficial ownership of such entity.
-
- "You" (or "Your") shall mean an individual or Legal Entity
- exercising permissions granted by this License.
-
- "Source" form shall mean the preferred form for making modifications,
- including but not limited to software source code, documentation
- source, and configuration files.
-
- "Object" form shall mean any form resulting from mechanical
- transformation or translation of a Source form, including but
- not limited to compiled object code, generated documentation,
- and conversions to other media types.
-
- "Work" shall mean the work of authorship, whether in Source or
- Object form, made available under the License, as indicated by a
- copyright notice that is included in or attached to the work
- (an example is provided in the Appendix below).
-
- "Derivative Works" shall mean any work, whether in Source or Object
- form, that is based on (or derived from) the Work and for which the
- editorial revisions, annotations, elaborations, or other modifications
- represent, as a whole, an original work of authorship. For the purposes
- of this License, Derivative Works shall not include works that remain
- separable from, or merely link (or bind by name) to the interfaces of,
- the Work and Derivative Works thereof.
-
- "Contribution" shall mean any work of authorship, including
- the original version of the Work and any modifications or additions
- to that Work or Derivative Works thereof, that is intentionally
- submitted to Licensor for inclusion in the Work by the copyright owner
- or by an individual or Legal Entity authorized to submit on behalf of
- the copyright owner. For the purposes of this definition, "submitted"
- means any form of electronic, verbal, or written communication sent
- to the Licensor or its representatives, including but not limited to
- communication on electronic mailing lists, source code control systems,
- and issue tracking systems that are managed by, or on behalf of, the
- Licensor for the purpose of discussing and improving the Work, but
- excluding communication that is conspicuously marked or otherwise
- designated in writing by the copyright owner as "Not a Contribution."
-
- "Contributor" shall mean Licensor and any individual or Legal Entity
- on behalf of whom a Contribution has been received by Licensor and
- subsequently incorporated within the Work.
-
- 2. Grant of Copyright License. Subject to the terms and conditions of
- this License, each Contributor hereby grants to You a perpetual,
- worldwide, non-exclusive, no-charge, royalty-free, irrevocable
- copyright license to reproduce, prepare Derivative Works of,
- publicly display, publicly perform, sublicense, and distribute the
- Work and such Derivative Works in Source or Object form.
-
- 3. Grant of Patent License. Subject to the terms and conditions of
- this License, each Contributor hereby grants to You a perpetual,
- worldwide, non-exclusive, no-charge, royalty-free, irrevocable
- (except as stated in this section) patent license to make, have made,
- use, offer to sell, sell, import, and otherwise transfer the Work,
- where such license applies only to those patent claims licensable
- by such Contributor that are necessarily infringed by their
- Contribution(s) alone or by combination of their Contribution(s)
- with the Work to which such Contribution(s) was submitted. If You
- institute patent litigation against any entity (including a
- cross-claim or counterclaim in a lawsuit) alleging that the Work
- or a Contribution incorporated within the Work constitutes direct
- or contributory patent infringement, then any patent licenses
- granted to You under this License for that Work shall terminate
- as of the date such litigation is filed.
-
- 4. Redistribution. You may reproduce and distribute copies of the
- Work or Derivative Works thereof in any medium, with or without
- modifications, and in Source or Object form, provided that You
- meet the following conditions:
-
- (a) You must give any other recipients of the Work or
- Derivative Works a copy of this License; and
-
- (b) You must cause any modified files to carry prominent notices
- stating that You changed the files; and
-
- (c) You must retain, in the Source form of any Derivative Works
- that You distribute, all copyright, patent, trademark, and
- attribution notices from the Source form of the Work,
- excluding those notices that do not pertain to any part of
- the Derivative Works; and
-
- (d) If the Work includes a "NOTICE" text file as part of its
- distribution, then any Derivative Works that You distribute must
- include a readable copy of the attribution notices contained
- within such NOTICE file, excluding those notices that do not
- pertain to any part of the Derivative Works, in at least one
- of the following places: within a NOTICE text file distributed
- as part of the Derivative Works; within the Source form or
- documentation, if provided along with the Derivative Works; or,
- within a display generated by the Derivative Works, if and
- wherever such third-party notices normally appear. The contents
- of the NOTICE file are for informational purposes only and
- do not modify the License. You may add Your own attribution
- notices within Derivative Works that You distribute, alongside
- or as an addendum to the NOTICE text from the Work, provided
- that such additional attribution notices cannot be construed
- as modifying the License.
-
- You may add Your own copyright statement to Your modifications and
- may provide additional or different license terms and conditions
- for use, reproduction, or distribution of Your modifications, or
- for any such Derivative Works as a whole, provided Your use,
- reproduction, and distribution of the Work otherwise complies with
- the conditions stated in this License.
-
- 5. Submission of Contributions. Unless You explicitly state otherwise,
- any Contribution intentionally submitted for inclusion in the Work
- by You to the Licensor shall be under the terms and conditions of
- this License, without any additional terms or conditions.
- Notwithstanding the above, nothing herein shall supersede or modify
- the terms of any separate license agreement you may have executed
- with Licensor regarding such Contributions.
-
- 6. Trademarks. This License does not grant permission to use the trade
- names, trademarks, service marks, or product names of the Licensor,
- except as required for reasonable and customary use in describing the
- origin of the Work and reproducing the content of the NOTICE file.
-
- 7. Disclaimer of Warranty. Unless required by applicable law or
- agreed to in writing, Licensor provides the Work (and each
- Contributor provides its Contributions) on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- implied, including, without limitation, any warranties or conditions
- of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
- PARTICULAR PURPOSE. You are solely responsible for determining the
- appropriateness of using or redistributing the Work and assume any
- risks associated with Your exercise of permissions under this License.
-
- 8. Limitation of Liability. In no event and under no legal theory,
- whether in tort (including negligence), contract, or otherwise,
- unless required by applicable law (such as deliberate and grossly
- negligent acts) or agreed to in writing, shall any Contributor be
- liable to You for damages, including any direct, indirect, special,
- incidental, or consequential damages of any character arising as a
- result of this License or out of the use or inability to use the
- Work (including but not limited to damages for loss of goodwill,
- work stoppage, computer failure or malfunction, or any and all
- other commercial damages or losses), even if such Contributor
- has been advised of the possibility of such damages.
-
- 9. Accepting Warranty or Additional Liability. While redistributing
- the Work or Derivative Works thereof, You may choose to offer,
- and charge a fee for, acceptance of support, warranty, indemnity,
- or other liability obligations and/or rights consistent with this
- License. However, in accepting such obligations, You may act only
- on Your own behalf and on Your sole responsibility, not on behalf
- of any other Contributor, and only if You agree to indemnify,
- defend, and hold each Contributor harmless for any liability
- incurred by, or claims asserted against, such Contributor by reason
- of your accepting any such warranty or additional liability.
-
- END OF TERMS AND CONDITIONS
-
- Copyright 2013-2015 Docker, Inc.
-
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
-
- https://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/docker/NOTICE b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/docker/NOTICE
deleted file mode 100644
index 6e6f469ab9b280ff337ae8a074884a2eca44cc8b..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/docker/NOTICE
+++ /dev/null
@@ -1,19 +0,0 @@
-Docker
-Copyright 2012-2015 Docker, Inc.
-
-This product includes software developed at Docker, Inc. (https://www.docker.com).
-
-This product contains software (https://github.com/kr/pty) developed
-by Keith Rarick, licensed under the MIT License.
-
-The following is courtesy of our legal counsel:
-
-
-Use and transfer of Docker may be subject to certain restrictions by the
-United States and other governments.
-It is your responsibility to ensure that your use and/or transfer does not
-violate applicable laws.
-
-For more information, please see https://www.bis.doc.gov
-
-See also https://www.apache.org/dev/crypto.html and/or seek legal counsel.
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/docker/contrib/syntax/vim/LICENSE b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/docker/contrib/syntax/vim/LICENSE
deleted file mode 100644
index e67cdabd22e5fe01f016512e726b87d6243a419b..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/docker/contrib/syntax/vim/LICENSE
+++ /dev/null
@@ -1,22 +0,0 @@
-Copyright (c) 2013 Honza Pokorny
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-1. Redistributions of source code must retain the above copyright
- notice, this list of conditions and the following disclaimer.
-2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
-ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
-WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
-ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
-(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
-ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
-SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/docker/docs/project/images/red_notice.png b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/docker/docs/project/images/red_notice.png
deleted file mode 100644
index 8839723a376b4a58ef31b86eabf3d2c57d21ccc3..0000000000000000000000000000000000000000
Binary files a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/docker/docs/project/images/red_notice.png and /dev/null differ
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/docker/pkg/mflag/LICENSE b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/docker/pkg/mflag/LICENSE
deleted file mode 100644
index ac74d8f0496ca170fe1529bebfb983468ce989da..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/docker/pkg/mflag/LICENSE
+++ /dev/null
@@ -1,27 +0,0 @@
-Copyright (c) 2014-2015 The Docker & Go Authors. All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are
-met:
-
- * Redistributions of source code must retain the above copyright
-notice, this list of conditions and the following disclaimer.
- * Redistributions in binary form must reproduce the above
-copyright notice, this list of conditions and the following disclaimer
-in the documentation and/or other materials provided with the
-distribution.
- * Neither the name of Google Inc. nor the names of its
-contributors may be used to endorse or promote products derived from
-this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
-A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
-OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
-LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/docker/pkg/mount/flags.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/docker/pkg/mount/flags.go
deleted file mode 100644
index 17dbd7a64cf4f4ae15cbcc0038eab358849f3de4..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/docker/pkg/mount/flags.go
+++ /dev/null
@@ -1,69 +0,0 @@
-package mount
-
-import (
- "strings"
-)
-
-// Parse fstab type mount options into mount() flags
-// and device specific data
-func parseOptions(options string) (int, string) {
- var (
- flag int
- data []string
- )
-
- flags := map[string]struct {
- clear bool
- flag int
- }{
- "defaults": {false, 0},
- "ro": {false, RDONLY},
- "rw": {true, RDONLY},
- "suid": {true, NOSUID},
- "nosuid": {false, NOSUID},
- "dev": {true, NODEV},
- "nodev": {false, NODEV},
- "exec": {true, NOEXEC},
- "noexec": {false, NOEXEC},
- "sync": {false, SYNCHRONOUS},
- "async": {true, SYNCHRONOUS},
- "dirsync": {false, DIRSYNC},
- "remount": {false, REMOUNT},
- "mand": {false, MANDLOCK},
- "nomand": {true, MANDLOCK},
- "atime": {true, NOATIME},
- "noatime": {false, NOATIME},
- "diratime": {true, NODIRATIME},
- "nodiratime": {false, NODIRATIME},
- "bind": {false, BIND},
- "rbind": {false, RBIND},
- "unbindable": {false, UNBINDABLE},
- "runbindable": {false, RUNBINDABLE},
- "private": {false, PRIVATE},
- "rprivate": {false, RPRIVATE},
- "shared": {false, SHARED},
- "rshared": {false, RSHARED},
- "slave": {false, SLAVE},
- "rslave": {false, RSLAVE},
- "relatime": {false, RELATIME},
- "norelatime": {true, RELATIME},
- "strictatime": {false, STRICTATIME},
- "nostrictatime": {true, STRICTATIME},
- }
-
- for _, o := range strings.Split(options, ",") {
- // If the option does not exist in the flags table or the flag
- // is not supported on the platform,
- // then it is a data value for a specific fs type
- if f, exists := flags[o]; exists && f.flag != 0 {
- if f.clear {
- flag &= ^f.flag
- } else {
- flag |= f.flag
- }
- } else {
- data = append(data, o)
- }
- }
- return flag, strings.Join(data, ",")
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/docker/pkg/mount/flags_freebsd.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/docker/pkg/mount/flags_freebsd.go
deleted file mode 100644
index f166cb2f77864fec5a9be945a2264e783585fd59..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/docker/pkg/mount/flags_freebsd.go
+++ /dev/null
@@ -1,48 +0,0 @@
-// +build freebsd,cgo
-
-package mount
-
-/*
-#include <sys/mount.h>
-*/
-import "C"
-
-const (
- // RDONLY will mount the filesystem as read-only.
- RDONLY = C.MNT_RDONLY
-
- // NOSUID will not allow set-user-identifier or set-group-identifier bits to
- // take effect.
- NOSUID = C.MNT_NOSUID
-
- // NOEXEC will not allow execution of any binaries on the mounted file system.
- NOEXEC = C.MNT_NOEXEC
-
- // SYNCHRONOUS will allow any I/O to the file system to be done synchronously.
- SYNCHRONOUS = C.MNT_SYNCHRONOUS
-
- // NOATIME will not update the file access time when reading from a file.
- NOATIME = C.MNT_NOATIME
-)
-
-// These flags are unsupported.
-const (
- BIND = 0
- DIRSYNC = 0
- MANDLOCK = 0
- NODEV = 0
- NODIRATIME = 0
- UNBINDABLE = 0
- RUNBINDABLE = 0
- PRIVATE = 0
- RPRIVATE = 0
- SHARED = 0
- RSHARED = 0
- SLAVE = 0
- RSLAVE = 0
- RBIND = 0
- RELATIVE = 0
- RELATIME = 0
- REMOUNT = 0
- STRICTATIME = 0
-)
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/docker/pkg/mount/flags_linux.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/docker/pkg/mount/flags_linux.go
deleted file mode 100644
index 2f9f5c58ee5d849e1ecd74eb77e4c16079503bc2..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/docker/pkg/mount/flags_linux.go
+++ /dev/null
@@ -1,85 +0,0 @@
-package mount
-
-import (
- "syscall"
-)
-
-const (
- // RDONLY will mount the file system read-only.
- RDONLY = syscall.MS_RDONLY
-
- // NOSUID will not allow set-user-identifier or set-group-identifier bits to
- // take effect.
- NOSUID = syscall.MS_NOSUID
-
- // NODEV will not interpret character or block special devices on the file
- // system.
- NODEV = syscall.MS_NODEV
-
- // NOEXEC will not allow execution of any binaries on the mounted file system.
- NOEXEC = syscall.MS_NOEXEC
-
- // SYNCHRONOUS will allow I/O to the file system to be done synchronously.
- SYNCHRONOUS = syscall.MS_SYNCHRONOUS
-
- // DIRSYNC will force all directory updates within the file system to be done
- // synchronously. This affects the following system calls: creat, link,
- // unlink, symlink, mkdir, rmdir, mknod and rename.
- DIRSYNC = syscall.MS_DIRSYNC
-
- // REMOUNT will attempt to remount an already-mounted file system. This is
- // commonly used to change the mount flags for a file system, especially to
- // make a readonly file system writeable. It does not change device or mount
- // point.
- REMOUNT = syscall.MS_REMOUNT
-
- // MANDLOCK will force mandatory locks on a filesystem.
- MANDLOCK = syscall.MS_MANDLOCK
-
- // NOATIME will not update the file access time when reading from a file.
- NOATIME = syscall.MS_NOATIME
-
- // NODIRATIME will not update the directory access time.
- NODIRATIME = syscall.MS_NODIRATIME
-
- // BIND remounts a subtree somewhere else.
- BIND = syscall.MS_BIND
-
- // RBIND remounts a subtree and all possible submounts somewhere else.
- RBIND = syscall.MS_BIND | syscall.MS_REC
-
- // UNBINDABLE creates a mount which cannot be cloned through a bind operation.
- UNBINDABLE = syscall.MS_UNBINDABLE
-
- // RUNBINDABLE marks the entire mount tree as UNBINDABLE.
- RUNBINDABLE = syscall.MS_UNBINDABLE | syscall.MS_REC
-
- // PRIVATE creates a mount which carries no propagation abilities.
- PRIVATE = syscall.MS_PRIVATE
-
- // RPRIVATE marks the entire mount tree as PRIVATE.
- RPRIVATE = syscall.MS_PRIVATE | syscall.MS_REC
-
- // SLAVE creates a mount which receives propagation from its master, but not
- // vice versa.
- SLAVE = syscall.MS_SLAVE
-
- // RSLAVE marks the entire mount tree as SLAVE.
- RSLAVE = syscall.MS_SLAVE | syscall.MS_REC
-
- // SHARED creates a mount which provides the ability to create mirrors of
- // that mount such that mounts and unmounts within any of the mirrors
- // propagate to the other mirrors.
- SHARED = syscall.MS_SHARED
-
- // RSHARED marks the entire mount tree as SHARED.
- RSHARED = syscall.MS_SHARED | syscall.MS_REC
-
- // RELATIME updates inode access times relative to modify or change time.
- RELATIME = syscall.MS_RELATIME
-
- // STRICTATIME allows to explicitly request full atime updates. This makes
- // it possible for the kernel to default to relatime or noatime but still
- // allow userspace to override it.
- STRICTATIME = syscall.MS_STRICTATIME
-)
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/docker/pkg/mount/flags_unsupported.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/docker/pkg/mount/flags_unsupported.go
deleted file mode 100644
index a90d3d1151263bcb8f56e5ea235326cf81de90e3..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/docker/pkg/mount/flags_unsupported.go
+++ /dev/null
@@ -1,30 +0,0 @@
-// +build !linux,!freebsd freebsd,!cgo
-
-package mount
-
-// These flags are unsupported.
-const (
- BIND = 0
- DIRSYNC = 0
- MANDLOCK = 0
- NOATIME = 0
- NODEV = 0
- NODIRATIME = 0
- NOEXEC = 0
- NOSUID = 0
- UNBINDABLE = 0
- RUNBINDABLE = 0
- PRIVATE = 0
- RPRIVATE = 0
- SHARED = 0
- RSHARED = 0
- SLAVE = 0
- RSLAVE = 0
- RBIND = 0
- RELATIME = 0
- RELATIVE = 0
- REMOUNT = 0
- STRICTATIME = 0
- SYNCHRONOUS = 0
- RDONLY = 0
-)
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/docker/pkg/mount/mount.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/docker/pkg/mount/mount.go
deleted file mode 100644
index ed7216e5c04da8b39302a2c30afc1b6c5bef2d46..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/docker/pkg/mount/mount.go
+++ /dev/null
@@ -1,74 +0,0 @@
-package mount
-
-import (
- "time"
-)
-
-// GetMounts retrieves a list of mounts for the current running process.
-func GetMounts() ([]*Info, error) {
- return parseMountTable()
-}
-
-// Mounted looks at /proc/self/mountinfo to determine of the specified
-// mountpoint has been mounted
-func Mounted(mountpoint string) (bool, error) {
- entries, err := parseMountTable()
- if err != nil {
- return false, err
- }
-
- // Search the table for the mountpoint
- for _, e := range entries {
- if e.Mountpoint == mountpoint {
- return true, nil
- }
- }
- return false, nil
-}
-
-// Mount will mount filesystem according to the specified configuration, on the
-// condition that the target path is *not* already mounted. Options must be
-// specified like the mount or fstab unix commands: "opt1=val1,opt2=val2". See
-// flags.go for supported option flags.
-func Mount(device, target, mType, options string) error {
- flag, _ := parseOptions(options)
- if flag&REMOUNT != REMOUNT {
- if mounted, err := Mounted(target); err != nil || mounted {
- return err
- }
- }
- return ForceMount(device, target, mType, options)
-}
-
-// ForceMount will mount a filesystem according to the specified configuration,
-// *regardless* if the target path is not already mounted. Options must be
-// specified like the mount or fstab unix commands: "opt1=val1,opt2=val2". See
-// flags.go for supported option flags.
-func ForceMount(device, target, mType, options string) error {
- flag, data := parseOptions(options)
- if err := mount(device, target, mType, uintptr(flag), data); err != nil {
- return err
- }
- return nil
-}
-
-// Unmount will unmount the target filesystem, so long as it is mounted.
-func Unmount(target string) error {
- if mounted, err := Mounted(target); err != nil || !mounted {
- return err
- }
- return ForceUnmount(target)
-}
-
-// ForceUnmount will force an unmount of the target filesystem, regardless if
-// it is mounted or not.
-func ForceUnmount(target string) (err error) {
- // Simple retry logic for unmount
- for i := 0; i < 10; i++ {
- if err = unmount(target, 0); err == nil {
- return nil
- }
- time.Sleep(100 * time.Millisecond)
- }
- return
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/docker/pkg/mount/mounter_freebsd.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/docker/pkg/mount/mounter_freebsd.go
deleted file mode 100644
index bb870e6f59b9f2dcd50cf9469b6c7edb11dab281..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/docker/pkg/mount/mounter_freebsd.go
+++ /dev/null
@@ -1,59 +0,0 @@
-package mount
-
-/*
-#include <errno.h>
-#include <stdlib.h>
-#include <string.h>
-#include <sys/_iovec.h>
-#include <sys/mount.h>
-#include <sys/param.h>
-*/
-import "C"
-
-import (
- "fmt"
- "strings"
- "syscall"
- "unsafe"
-)
-
-func allocateIOVecs(options []string) []C.struct_iovec {
- out := make([]C.struct_iovec, len(options))
- for i, option := range options {
- out[i].iov_base = unsafe.Pointer(C.CString(option))
- out[i].iov_len = C.size_t(len(option) + 1)
- }
- return out
-}
-
-func mount(device, target, mType string, flag uintptr, data string) error {
- isNullFS := false
-
- xs := strings.Split(data, ",")
- for _, x := range xs {
- if x == "bind" {
- isNullFS = true
- }
- }
-
- options := []string{"fspath", target}
- if isNullFS {
- options = append(options, "fstype", "nullfs", "target", device)
- } else {
- options = append(options, "fstype", mType, "from", device)
- }
- rawOptions := allocateIOVecs(options)
- for _, rawOption := range rawOptions {
- defer C.free(rawOption.iov_base)
- }
-
- if errno := C.nmount(&rawOptions[0], C.uint(len(options)), C.int(flag)); errno != 0 {
- reason := C.GoString(C.strerror(*C.__error()))
- return fmt.Errorf("Failed to call nmount: %s", reason)
- }
- return nil
-}
-
-func unmount(target string, flag int) error {
- return syscall.Unmount(target, flag)
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/docker/pkg/mount/mounter_linux.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/docker/pkg/mount/mounter_linux.go
deleted file mode 100644
index dd4280c7778626251ca049f66d18e4d8409ebda2..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/docker/pkg/mount/mounter_linux.go
+++ /dev/null
@@ -1,21 +0,0 @@
-package mount
-
-import (
- "syscall"
-)
-
-func mount(device, target, mType string, flag uintptr, data string) error {
- if err := syscall.Mount(device, target, mType, flag, data); err != nil {
- return err
- }
-
- // If we have a bind mount or remount, remount...
- if flag&syscall.MS_BIND == syscall.MS_BIND && flag&syscall.MS_RDONLY == syscall.MS_RDONLY {
- return syscall.Mount(device, target, mType, flag|syscall.MS_REMOUNT, data)
- }
- return nil
-}
-
-func unmount(target string, flag int) error {
- return syscall.Unmount(target, flag)
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/docker/pkg/mount/mounter_unsupported.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/docker/pkg/mount/mounter_unsupported.go
deleted file mode 100644
index eb93365eb74311e59439b44c302594448dc19075..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/docker/pkg/mount/mounter_unsupported.go
+++ /dev/null
@@ -1,11 +0,0 @@
-// +build !linux,!freebsd freebsd,!cgo
-
-package mount
-
-func mount(device, target, mType string, flag uintptr, data string) error {
- panic("Not implemented")
-}
-
-func unmount(target string, flag int) error {
- panic("Not implemented")
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/docker/pkg/mount/mountinfo_freebsd.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/docker/pkg/mount/mountinfo_freebsd.go
deleted file mode 100644
index 4f32edcd906adda8167e746d4ed762ff61a487c6..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/docker/pkg/mount/mountinfo_freebsd.go
+++ /dev/null
@@ -1,41 +0,0 @@
-package mount
-
-/*
-#include <sys/param.h>
-#include <sys/ucred.h>
-#include <sys/mount.h>
-*/
-import "C"
-
-import (
- "fmt"
- "reflect"
- "unsafe"
-)
-
-// Parse /proc/self/mountinfo because comparing Dev and ino does not work from
-// bind mounts.
-func parseMountTable() ([]*Info, error) {
- var rawEntries *C.struct_statfs
-
- count := int(C.getmntinfo(&rawEntries, C.MNT_WAIT))
- if count == 0 {
- return nil, fmt.Errorf("Failed to call getmntinfo")
- }
-
- var entries []C.struct_statfs
- header := (*reflect.SliceHeader)(unsafe.Pointer(&entries))
- header.Cap = count
- header.Len = count
- header.Data = uintptr(unsafe.Pointer(rawEntries))
-
- var out []*Info
- for _, entry := range entries {
- var mountinfo Info
- mountinfo.Mountpoint = C.GoString(&entry.f_mntonname[0])
- mountinfo.Source = C.GoString(&entry.f_mntfromname[0])
- mountinfo.Fstype = C.GoString(&entry.f_fstypename[0])
- out = append(out, &mountinfo)
- }
- return out, nil
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/docker/pkg/mount/mountinfo_unsupported.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/docker/pkg/mount/mountinfo_unsupported.go
deleted file mode 100644
index 8245f01d42bc2b5c36c270d219c30b6aa338ea39..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/docker/pkg/mount/mountinfo_unsupported.go
+++ /dev/null
@@ -1,12 +0,0 @@
-// +build !linux,!freebsd freebsd,!cgo
-
-package mount
-
-import (
- "fmt"
- "runtime"
-)
-
-func parseMountTable() ([]*Info, error) {
- return nil, fmt.Errorf("mount.parseMountTable is not implemented on %s/%s", runtime.GOOS, runtime.GOARCH)
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/docker/pkg/mount/sharedsubtree_linux.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/docker/pkg/mount/sharedsubtree_linux.go
deleted file mode 100644
index 47303bbcb610da9a5a4be65196a9551459ab6176..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/docker/pkg/mount/sharedsubtree_linux.go
+++ /dev/null
@@ -1,70 +0,0 @@
-// +build linux
-
-package mount
-
-// MakeShared ensures a mounted filesystem has the SHARED mount option enabled.
-// See the supported options in flags.go for further reference.
-func MakeShared(mountPoint string) error {
- return ensureMountedAs(mountPoint, "shared")
-}
-
-// MakeRShared ensures a mounted filesystem has the RSHARED mount option enabled.
-// See the supported options in flags.go for further reference.
-func MakeRShared(mountPoint string) error {
- return ensureMountedAs(mountPoint, "rshared")
-}
-
-// MakePrivate ensures a mounted filesystem has the PRIVATE mount option enabled.
-// See the supported options in flags.go for further reference.
-func MakePrivate(mountPoint string) error {
- return ensureMountedAs(mountPoint, "private")
-}
-
-// MakeRPrivate ensures a mounted filesystem has the RPRIVATE mount option
-// enabled. See the supported options in flags.go for further reference.
-func MakeRPrivate(mountPoint string) error {
- return ensureMountedAs(mountPoint, "rprivate")
-}
-
-// MakeSlave ensures a mounted filesystem has the SLAVE mount option enabled.
-// See the supported options in flags.go for further reference.
-func MakeSlave(mountPoint string) error {
- return ensureMountedAs(mountPoint, "slave")
-}
-
-// MakeRSlave ensures a mounted filesystem has the RSLAVE mount option enabled.
-// See the supported options in flags.go for further reference.
-func MakeRSlave(mountPoint string) error {
- return ensureMountedAs(mountPoint, "rslave")
-}
-
-// MakeUnbindable ensures a mounted filesystem has the UNBINDABLE mount option
-// enabled. See the supported options in flags.go for further reference.
-func MakeUnbindable(mountPoint string) error {
- return ensureMountedAs(mountPoint, "unbindable")
-}
-
-// MakeRUnbindable ensures a mounted filesystem has the RUNBINDABLE mount
-// option enabled. See the supported options in flags.go for further reference.
-func MakeRUnbindable(mountPoint string) error {
- return ensureMountedAs(mountPoint, "runbindable")
-}
-
-func ensureMountedAs(mountPoint, options string) error {
- mounted, err := Mounted(mountPoint)
- if err != nil {
- return err
- }
-
- if !mounted {
- if err := Mount(mountPoint, mountPoint, "none", "bind,rw"); err != nil {
- return err
- }
- }
- mounted, err = Mounted(mountPoint)
- if err != nil {
- return err
- }
-
- return ForceMount("", mountPoint, "none", options)
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/docker/pkg/symlink/LICENSE.APACHE b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/docker/pkg/symlink/LICENSE.APACHE
deleted file mode 100644
index 9e4bd4dbee94d6801a7e07f12ad320e87386c212..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/docker/pkg/symlink/LICENSE.APACHE
+++ /dev/null
@@ -1,191 +0,0 @@
-
- Apache License
- Version 2.0, January 2004
- http://www.apache.org/licenses/
-
- TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
-
- 1. Definitions.
-
- "License" shall mean the terms and conditions for use, reproduction,
- and distribution as defined by Sections 1 through 9 of this document.
-
- "Licensor" shall mean the copyright owner or entity authorized by
- the copyright owner that is granting the License.
-
- "Legal Entity" shall mean the union of the acting entity and all
- other entities that control, are controlled by, or are under common
- control with that entity. For the purposes of this definition,
- "control" means (i) the power, direct or indirect, to cause the
- direction or management of such entity, whether by contract or
- otherwise, or (ii) ownership of fifty percent (50%) or more of the
- outstanding shares, or (iii) beneficial ownership of such entity.
-
- "You" (or "Your") shall mean an individual or Legal Entity
- exercising permissions granted by this License.
-
- "Source" form shall mean the preferred form for making modifications,
- including but not limited to software source code, documentation
- source, and configuration files.
-
- "Object" form shall mean any form resulting from mechanical
- transformation or translation of a Source form, including but
- not limited to compiled object code, generated documentation,
- and conversions to other media types.
-
- "Work" shall mean the work of authorship, whether in Source or
- Object form, made available under the License, as indicated by a
- copyright notice that is included in or attached to the work
- (an example is provided in the Appendix below).
-
- "Derivative Works" shall mean any work, whether in Source or Object
- form, that is based on (or derived from) the Work and for which the
- editorial revisions, annotations, elaborations, or other modifications
- represent, as a whole, an original work of authorship. For the purposes
- of this License, Derivative Works shall not include works that remain
- separable from, or merely link (or bind by name) to the interfaces of,
- the Work and Derivative Works thereof.
-
- "Contribution" shall mean any work of authorship, including
- the original version of the Work and any modifications or additions
- to that Work or Derivative Works thereof, that is intentionally
- submitted to Licensor for inclusion in the Work by the copyright owner
- or by an individual or Legal Entity authorized to submit on behalf of
- the copyright owner. For the purposes of this definition, "submitted"
- means any form of electronic, verbal, or written communication sent
- to the Licensor or its representatives, including but not limited to
- communication on electronic mailing lists, source code control systems,
- and issue tracking systems that are managed by, or on behalf of, the
- Licensor for the purpose of discussing and improving the Work, but
- excluding communication that is conspicuously marked or otherwise
- designated in writing by the copyright owner as "Not a Contribution."
-
- "Contributor" shall mean Licensor and any individual or Legal Entity
- on behalf of whom a Contribution has been received by Licensor and
- subsequently incorporated within the Work.
-
- 2. Grant of Copyright License. Subject to the terms and conditions of
- this License, each Contributor hereby grants to You a perpetual,
- worldwide, non-exclusive, no-charge, royalty-free, irrevocable
- copyright license to reproduce, prepare Derivative Works of,
- publicly display, publicly perform, sublicense, and distribute the
- Work and such Derivative Works in Source or Object form.
-
- 3. Grant of Patent License. Subject to the terms and conditions of
- this License, each Contributor hereby grants to You a perpetual,
- worldwide, non-exclusive, no-charge, royalty-free, irrevocable
- (except as stated in this section) patent license to make, have made,
- use, offer to sell, sell, import, and otherwise transfer the Work,
- where such license applies only to those patent claims licensable
- by such Contributor that are necessarily infringed by their
- Contribution(s) alone or by combination of their Contribution(s)
- with the Work to which such Contribution(s) was submitted. If You
- institute patent litigation against any entity (including a
- cross-claim or counterclaim in a lawsuit) alleging that the Work
- or a Contribution incorporated within the Work constitutes direct
- or contributory patent infringement, then any patent licenses
- granted to You under this License for that Work shall terminate
- as of the date such litigation is filed.
-
- 4. Redistribution. You may reproduce and distribute copies of the
- Work or Derivative Works thereof in any medium, with or without
- modifications, and in Source or Object form, provided that You
- meet the following conditions:
-
- (a) You must give any other recipients of the Work or
- Derivative Works a copy of this License; and
-
- (b) You must cause any modified files to carry prominent notices
- stating that You changed the files; and
-
- (c) You must retain, in the Source form of any Derivative Works
- that You distribute, all copyright, patent, trademark, and
- attribution notices from the Source form of the Work,
- excluding those notices that do not pertain to any part of
- the Derivative Works; and
-
- (d) If the Work includes a "NOTICE" text file as part of its
- distribution, then any Derivative Works that You distribute must
- include a readable copy of the attribution notices contained
- within such NOTICE file, excluding those notices that do not
- pertain to any part of the Derivative Works, in at least one
- of the following places: within a NOTICE text file distributed
- as part of the Derivative Works; within the Source form or
- documentation, if provided along with the Derivative Works; or,
- within a display generated by the Derivative Works, if and
- wherever such third-party notices normally appear. The contents
- of the NOTICE file are for informational purposes only and
- do not modify the License. You may add Your own attribution
- notices within Derivative Works that You distribute, alongside
- or as an addendum to the NOTICE text from the Work, provided
- that such additional attribution notices cannot be construed
- as modifying the License.
-
- You may add Your own copyright statement to Your modifications and
- may provide additional or different license terms and conditions
- for use, reproduction, or distribution of Your modifications, or
- for any such Derivative Works as a whole, provided Your use,
- reproduction, and distribution of the Work otherwise complies with
- the conditions stated in this License.
-
- 5. Submission of Contributions. Unless You explicitly state otherwise,
- any Contribution intentionally submitted for inclusion in the Work
- by You to the Licensor shall be under the terms and conditions of
- this License, without any additional terms or conditions.
- Notwithstanding the above, nothing herein shall supersede or modify
- the terms of any separate license agreement you may have executed
- with Licensor regarding such Contributions.
-
- 6. Trademarks. This License does not grant permission to use the trade
- names, trademarks, service marks, or product names of the Licensor,
- except as required for reasonable and customary use in describing the
- origin of the Work and reproducing the content of the NOTICE file.
-
- 7. Disclaimer of Warranty. Unless required by applicable law or
- agreed to in writing, Licensor provides the Work (and each
- Contributor provides its Contributions) on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- implied, including, without limitation, any warranties or conditions
- of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
- PARTICULAR PURPOSE. You are solely responsible for determining the
- appropriateness of using or redistributing the Work and assume any
- risks associated with Your exercise of permissions under this License.
-
- 8. Limitation of Liability. In no event and under no legal theory,
- whether in tort (including negligence), contract, or otherwise,
- unless required by applicable law (such as deliberate and grossly
- negligent acts) or agreed to in writing, shall any Contributor be
- liable to You for damages, including any direct, indirect, special,
- incidental, or consequential damages of any character arising as a
- result of this License or out of the use or inability to use the
- Work (including but not limited to damages for loss of goodwill,
- work stoppage, computer failure or malfunction, or any and all
- other commercial damages or losses), even if such Contributor
- has been advised of the possibility of such damages.
-
- 9. Accepting Warranty or Additional Liability. While redistributing
- the Work or Derivative Works thereof, You may choose to offer,
- and charge a fee for, acceptance of support, warranty, indemnity,
- or other liability obligations and/or rights consistent with this
- License. However, in accepting such obligations, You may act only
- on Your own behalf and on Your sole responsibility, not on behalf
- of any other Contributor, and only if You agree to indemnify,
- defend, and hold each Contributor harmless for any liability
- incurred by, or claims asserted against, such Contributor by reason
- of your accepting any such warranty or additional liability.
-
- END OF TERMS AND CONDITIONS
-
- Copyright 2014-2015 Docker, Inc.
-
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/docker/pkg/symlink/LICENSE.BSD b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/docker/pkg/symlink/LICENSE.BSD
deleted file mode 100644
index ac74d8f0496ca170fe1529bebfb983468ce989da..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/docker/pkg/symlink/LICENSE.BSD
+++ /dev/null
@@ -1,27 +0,0 @@
-Copyright (c) 2014-2015 The Docker & Go Authors. All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are
-met:
-
- * Redistributions of source code must retain the above copyright
-notice, this list of conditions and the following disclaimer.
- * Redistributions in binary form must reproduce the above
-copyright notice, this list of conditions and the following disclaimer
-in the documentation and/or other materials provided with the
-distribution.
- * Neither the name of Google Inc. nor the names of its
-contributors may be used to endorse or promote products derived from
-this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
-A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
-OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
-LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/docker/pkg/symlink/fs.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/docker/pkg/symlink/fs.go
deleted file mode 100644
index b4bdff24dd390ed16207df9225710dd62b4d313e..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/docker/pkg/symlink/fs.go
+++ /dev/null
@@ -1,131 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE.BSD file.
-
-// This code is a modified version of path/filepath/symlink.go from the Go standard library.
-
-package symlink
-
-import (
- "bytes"
- "errors"
- "os"
- "path/filepath"
- "strings"
-)
-
-// FollowSymlinkInScope is a wrapper around evalSymlinksInScope that returns an absolute path
-func FollowSymlinkInScope(path, root string) (string, error) {
- path, err := filepath.Abs(path)
- if err != nil {
- return "", err
- }
- root, err = filepath.Abs(root)
- if err != nil {
- return "", err
- }
- return evalSymlinksInScope(path, root)
-}
-
-// evalSymlinksInScope will evaluate symlinks in `path` within a scope `root` and return
-// a result guaranteed to be contained within the scope `root`, at the time of the call.
-// Symlinks in `root` are not evaluated and left as-is.
-// Errors encountered while attempting to evaluate symlinks in path will be returned.
-// Non-existing paths are valid and do not constitute an error.
-// `path` has to contain `root` as a prefix, or else an error will be returned.
-// Trying to break out from `root` does not constitute an error.
-//
-// Example:
-// If /foo/bar -> /outside,
-// FollowSymlinkInScope("/foo/bar", "/foo") == "/foo/outside" instead of "/oustide"
-//
-// IMPORTANT: it is the caller's responsibility to call evalSymlinksInScope *after* relevant symlinks
-// are created and not to create subsequently, additional symlinks that could potentially make a
-// previously-safe path, unsafe. Example: if /foo/bar does not exist, evalSymlinksInScope("/foo/bar", "/foo")
-// would return "/foo/bar". If one makes /foo/bar a symlink to /baz subsequently, then "/foo/bar" should
-// no longer be considered safely contained in "/foo".
-func evalSymlinksInScope(path, root string) (string, error) {
- root = filepath.Clean(root)
- if path == root {
- return path, nil
- }
- if !strings.HasPrefix(path, root) {
- return "", errors.New("evalSymlinksInScope: " + path + " is not in " + root)
- }
- const maxIter = 255
- originalPath := path
- // given root of "/a" and path of "/a/b/../../c" we want path to be "/b/../../c"
- path = path[len(root):]
- if root == string(filepath.Separator) {
- path = string(filepath.Separator) + path
- }
- if !strings.HasPrefix(path, string(filepath.Separator)) {
- return "", errors.New("evalSymlinksInScope: " + path + " is not in " + root)
- }
- path = filepath.Clean(path)
- // consume path by taking each frontmost path element,
- // expanding it if it's a symlink, and appending it to b
- var b bytes.Buffer
- // b here will always be considered to be the "current absolute path inside
- // root" when we append paths to it, we also append a slash and use
- // filepath.Clean after the loop to trim the trailing slash
- for n := 0; path != ""; n++ {
- if n > maxIter {
- return "", errors.New("evalSymlinksInScope: too many links in " + originalPath)
- }
-
- // find next path component, p
- i := strings.IndexRune(path, filepath.Separator)
- var p string
- if i == -1 {
- p, path = path, ""
- } else {
- p, path = path[:i], path[i+1:]
- }
-
- if p == "" {
- continue
- }
-
- // this takes a b.String() like "b/../" and a p like "c" and turns it
- // into "/b/../c" which then gets filepath.Cleaned into "/c" and then
- // root gets prepended and we Clean again (to remove any trailing slash
- // if the first Clean gave us just "/")
- cleanP := filepath.Clean(string(filepath.Separator) + b.String() + p)
- if cleanP == string(filepath.Separator) {
- // never Lstat "/" itself
- b.Reset()
- continue
- }
- fullP := filepath.Clean(root + cleanP)
-
- fi, err := os.Lstat(fullP)
- if os.IsNotExist(err) {
- // if p does not exist, accept it
- b.WriteString(p)
- b.WriteRune(filepath.Separator)
- continue
- }
- if err != nil {
- return "", err
- }
- if fi.Mode()&os.ModeSymlink == 0 {
- b.WriteString(p + string(filepath.Separator))
- continue
- }
-
- // it's a symlink, put it at the front of path
- dest, err := os.Readlink(fullP)
- if err != nil {
- return "", err
- }
- if filepath.IsAbs(dest) {
- b.Reset()
- }
- path = dest + string(filepath.Separator) + path
- }
-
- // see note above on "fullP := ..." for why this is double-cleaned and
- // what's happening here
- return filepath.Clean(root + filepath.Clean(string(filepath.Separator)+b.String())), nil
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/docker/pkg/term/tc_linux_cgo.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/docker/pkg/term/tc_linux_cgo.go
deleted file mode 100644
index d47cf59b8dff7bb6287e09a2a47b1e7281d1b90b..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/docker/pkg/term/tc_linux_cgo.go
+++ /dev/null
@@ -1,48 +0,0 @@
-// +build linux,cgo
-
-package term
-
-import (
- "syscall"
- "unsafe"
-)
-
-// #include <termios.h>
-import "C"
-
-type Termios syscall.Termios
-
-// MakeRaw put the terminal connected to the given file descriptor into raw
-// mode and returns the previous state of the terminal so that it can be
-// restored.
-func MakeRaw(fd uintptr) (*State, error) {
- var oldState State
- if err := tcget(fd, &oldState.termios); err != 0 {
- return nil, err
- }
-
- newState := oldState.termios
-
- C.cfmakeraw((*C.struct_termios)(unsafe.Pointer(&newState)))
- newState.Oflag = newState.Oflag | C.OPOST
- if err := tcset(fd, &newState); err != 0 {
- return nil, err
- }
- return &oldState, nil
-}
-
-func tcget(fd uintptr, p *Termios) syscall.Errno {
- ret, err := C.tcgetattr(C.int(fd), (*C.struct_termios)(unsafe.Pointer(p)))
- if ret != 0 {
- return err.(syscall.Errno)
- }
- return 0
-}
-
-func tcset(fd uintptr, p *Termios) syscall.Errno {
- ret, err := C.tcsetattr(C.int(fd), C.TCSANOW, (*C.struct_termios)(unsafe.Pointer(p)))
- if ret != 0 {
- return err.(syscall.Errno)
- }
- return 0
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/docker/pkg/term/tc_other.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/docker/pkg/term/tc_other.go
deleted file mode 100644
index 266039bac3e9dc0a6dbb9d283f7d57e02efa7a78..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/docker/pkg/term/tc_other.go
+++ /dev/null
@@ -1,19 +0,0 @@
-// +build !windows
-// +build !linux !cgo
-
-package term
-
-import (
- "syscall"
- "unsafe"
-)
-
-func tcget(fd uintptr, p *Termios) syscall.Errno {
- _, _, err := syscall.Syscall(syscall.SYS_IOCTL, fd, uintptr(getTermios), uintptr(unsafe.Pointer(p)))
- return err
-}
-
-func tcset(fd uintptr, p *Termios) syscall.Errno {
- _, _, err := syscall.Syscall(syscall.SYS_IOCTL, fd, setTermios, uintptr(unsafe.Pointer(p)))
- return err
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/docker/pkg/term/term.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/docker/pkg/term/term.go
deleted file mode 100644
index b945a3dcea9fb6550047c66dff0c851a8727c14c..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/docker/pkg/term/term.go
+++ /dev/null
@@ -1,118 +0,0 @@
-// +build !windows
-
-package term
-
-import (
- "errors"
- "io"
- "os"
- "os/signal"
- "syscall"
- "unsafe"
-)
-
-var (
- ErrInvalidState = errors.New("Invalid terminal state")
-)
-
-type State struct {
- termios Termios
-}
-
-type Winsize struct {
- Height uint16
- Width uint16
- x uint16
- y uint16
-}
-
-func StdStreams() (stdIn io.ReadCloser, stdOut, stdErr io.Writer) {
- return os.Stdin, os.Stdout, os.Stderr
-}
-
-func GetFdInfo(in interface{}) (uintptr, bool) {
- var inFd uintptr
- var isTerminalIn bool
- if file, ok := in.(*os.File); ok {
- inFd = file.Fd()
- isTerminalIn = IsTerminal(inFd)
- }
- return inFd, isTerminalIn
-}
-
-func GetWinsize(fd uintptr) (*Winsize, error) {
- ws := &Winsize{}
- _, _, err := syscall.Syscall(syscall.SYS_IOCTL, fd, uintptr(syscall.TIOCGWINSZ), uintptr(unsafe.Pointer(ws)))
- // Skipp errno = 0
- if err == 0 {
- return ws, nil
- }
- return ws, err
-}
-
-func SetWinsize(fd uintptr, ws *Winsize) error {
- _, _, err := syscall.Syscall(syscall.SYS_IOCTL, fd, uintptr(syscall.TIOCSWINSZ), uintptr(unsafe.Pointer(ws)))
- // Skipp errno = 0
- if err == 0 {
- return nil
- }
- return err
-}
-
-// IsTerminal returns true if the given file descriptor is a terminal.
-func IsTerminal(fd uintptr) bool {
- var termios Termios
- return tcget(fd, &termios) == 0
-}
-
-// Restore restores the terminal connected to the given file descriptor to a
-// previous state.
-func RestoreTerminal(fd uintptr, state *State) error {
- if state == nil {
- return ErrInvalidState
- }
- if err := tcset(fd, &state.termios); err != 0 {
- return err
- }
- return nil
-}
-
-func SaveState(fd uintptr) (*State, error) {
- var oldState State
- if err := tcget(fd, &oldState.termios); err != 0 {
- return nil, err
- }
-
- return &oldState, nil
-}
-
-func DisableEcho(fd uintptr, state *State) error {
- newState := state.termios
- newState.Lflag &^= syscall.ECHO
-
- if err := tcset(fd, &newState); err != 0 {
- return err
- }
- handleInterrupt(fd, state)
- return nil
-}
-
-func SetRawTerminal(fd uintptr) (*State, error) {
- oldState, err := MakeRaw(fd)
- if err != nil {
- return nil, err
- }
- handleInterrupt(fd, oldState)
- return oldState, err
-}
-
-func handleInterrupt(fd uintptr, state *State) {
- sigchan := make(chan os.Signal, 1)
- signal.Notify(sigchan, os.Interrupt)
-
- go func() {
- _ = <-sigchan
- RestoreTerminal(fd, state)
- os.Exit(0)
- }()
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/docker/pkg/term/term_windows.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/docker/pkg/term/term_windows.go
deleted file mode 100644
index 2c2c86b86ced6ca9446abe62267775cf43937781..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/docker/pkg/term/term_windows.go
+++ /dev/null
@@ -1,139 +0,0 @@
-// +build windows
-
-package term
-
-import (
- "io"
- "os"
-
- "github.com/sirupsen/logrus"
- "github.com/docker/docker/pkg/term/winconsole"
-)
-
-// State holds the console mode for the terminal.
-type State struct {
- mode uint32
-}
-
-// Winsize is used for window size.
-type Winsize struct {
- Height uint16
- Width uint16
- x uint16
- y uint16
-}
-
-func StdStreams() (stdIn io.ReadCloser, stdOut, stdErr io.Writer) {
- switch {
- case os.Getenv("ConEmuANSI") == "ON":
- // The ConEmu shell emulates ANSI well by default.
- return os.Stdin, os.Stdout, os.Stderr
- case os.Getenv("MSYSTEM") != "":
- // MSYS (mingw) does not emulate ANSI well.
- return winconsole.WinConsoleStreams()
- default:
- return winconsole.WinConsoleStreams()
- }
-}
-
-// GetFdInfo returns file descriptor and bool indicating whether the file is a terminal.
-func GetFdInfo(in interface{}) (uintptr, bool) {
- return winconsole.GetHandleInfo(in)
-}
-
-// GetWinsize retrieves the window size of the terminal connected to the passed file descriptor.
-func GetWinsize(fd uintptr) (*Winsize, error) {
- info, err := winconsole.GetConsoleScreenBufferInfo(fd)
- if err != nil {
- return nil, err
- }
-
- // TODO(azlinux): Set the pixel width / height of the console (currently unused by any caller)
- return &Winsize{
- Width: uint16(info.Window.Right - info.Window.Left + 1),
- Height: uint16(info.Window.Bottom - info.Window.Top + 1),
- x: 0,
- y: 0}, nil
-}
-
-// SetWinsize sets the size of the given terminal connected to the passed file descriptor.
-func SetWinsize(fd uintptr, ws *Winsize) error {
- // TODO(azlinux): Implement SetWinsize
- logrus.Debugf("[windows] SetWinsize: WARNING -- Unsupported method invoked")
- return nil
-}
-
-// IsTerminal returns true if the given file descriptor is a terminal.
-func IsTerminal(fd uintptr) bool {
- return winconsole.IsConsole(fd)
-}
-
-// RestoreTerminal restores the terminal connected to the given file descriptor to a
-// previous state.
-func RestoreTerminal(fd uintptr, state *State) error {
- return winconsole.SetConsoleMode(fd, state.mode)
-}
-
-// SaveState saves the state of the terminal connected to the given file descriptor.
-func SaveState(fd uintptr) (*State, error) {
- mode, e := winconsole.GetConsoleMode(fd)
- if e != nil {
- return nil, e
- }
- return &State{mode}, nil
-}
-
-// DisableEcho disables echo for the terminal connected to the given file descriptor.
-// -- See http://msdn.microsoft.com/en-us/library/windows/desktop/ms683462(v=vs.85).aspx
-func DisableEcho(fd uintptr, state *State) error {
- mode := state.mode
- mode &^= winconsole.ENABLE_ECHO_INPUT
- mode |= winconsole.ENABLE_PROCESSED_INPUT | winconsole.ENABLE_LINE_INPUT
- // TODO(azlinux): Core code registers a goroutine to catch os.Interrupt and reset the terminal state.
- return winconsole.SetConsoleMode(fd, mode)
-}
-
-// SetRawTerminal puts the terminal connected to the given file descriptor into raw
-// mode and returns the previous state of the terminal so that it can be
-// restored.
-func SetRawTerminal(fd uintptr) (*State, error) {
- state, err := MakeRaw(fd)
- if err != nil {
- return nil, err
- }
- // TODO(azlinux): Core code registers a goroutine to catch os.Interrupt and reset the terminal state.
- return state, err
-}
-
-// MakeRaw puts the terminal connected to the given file descriptor into raw
-// mode and returns the previous state of the terminal so that it can be
-// restored.
-func MakeRaw(fd uintptr) (*State, error) {
- state, err := SaveState(fd)
- if err != nil {
- return nil, err
- }
-
- // See
- // -- https://msdn.microsoft.com/en-us/library/windows/desktop/ms686033(v=vs.85).aspx
- // -- https://msdn.microsoft.com/en-us/library/windows/desktop/ms683462(v=vs.85).aspx
- mode := state.mode
-
- // Disable these modes
- mode &^= winconsole.ENABLE_ECHO_INPUT
- mode &^= winconsole.ENABLE_LINE_INPUT
- mode &^= winconsole.ENABLE_MOUSE_INPUT
- mode &^= winconsole.ENABLE_WINDOW_INPUT
- mode &^= winconsole.ENABLE_PROCESSED_INPUT
-
- // Enable these modes
- mode |= winconsole.ENABLE_EXTENDED_FLAGS
- mode |= winconsole.ENABLE_INSERT_MODE
- mode |= winconsole.ENABLE_QUICK_EDIT_MODE
-
- err = winconsole.SetConsoleMode(fd, mode)
- if err != nil {
- return nil, err
- }
- return state, nil
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/docker/pkg/term/termios_darwin.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/docker/pkg/term/termios_darwin.go
deleted file mode 100644
index 11cd70d10b846b9a667c787bc4e5111b61889d14..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/docker/pkg/term/termios_darwin.go
+++ /dev/null
@@ -1,65 +0,0 @@
-package term
-
-import (
- "syscall"
- "unsafe"
-)
-
-const (
- getTermios = syscall.TIOCGETA
- setTermios = syscall.TIOCSETA
-
- IGNBRK = syscall.IGNBRK
- PARMRK = syscall.PARMRK
- INLCR = syscall.INLCR
- IGNCR = syscall.IGNCR
- ECHONL = syscall.ECHONL
- CSIZE = syscall.CSIZE
- ICRNL = syscall.ICRNL
- ISTRIP = syscall.ISTRIP
- PARENB = syscall.PARENB
- ECHO = syscall.ECHO
- ICANON = syscall.ICANON
- ISIG = syscall.ISIG
- IXON = syscall.IXON
- BRKINT = syscall.BRKINT
- INPCK = syscall.INPCK
- OPOST = syscall.OPOST
- CS8 = syscall.CS8
- IEXTEN = syscall.IEXTEN
-)
-
-type Termios struct {
- Iflag uint64
- Oflag uint64
- Cflag uint64
- Lflag uint64
- Cc [20]byte
- Ispeed uint64
- Ospeed uint64
-}
-
-// MakeRaw put the terminal connected to the given file descriptor into raw
-// mode and returns the previous state of the terminal so that it can be
-// restored.
-func MakeRaw(fd uintptr) (*State, error) {
- var oldState State
- if _, _, err := syscall.Syscall(syscall.SYS_IOCTL, fd, uintptr(getTermios), uintptr(unsafe.Pointer(&oldState.termios))); err != 0 {
- return nil, err
- }
-
- newState := oldState.termios
- newState.Iflag &^= (IGNBRK | BRKINT | PARMRK | ISTRIP | INLCR | IGNCR | ICRNL | IXON)
- newState.Oflag &^= OPOST
- newState.Lflag &^= (ECHO | ECHONL | ICANON | ISIG | IEXTEN)
- newState.Cflag &^= (CSIZE | PARENB)
- newState.Cflag |= CS8
- newState.Cc[syscall.VMIN] = 1
- newState.Cc[syscall.VTIME] = 0
-
- if _, _, err := syscall.Syscall(syscall.SYS_IOCTL, fd, uintptr(setTermios), uintptr(unsafe.Pointer(&newState))); err != 0 {
- return nil, err
- }
-
- return &oldState, nil
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/docker/pkg/term/termios_freebsd.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/docker/pkg/term/termios_freebsd.go
deleted file mode 100644
index ed3659572cc1ad0a2aa8379373d9f3fbd63f1e53..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/docker/pkg/term/termios_freebsd.go
+++ /dev/null
@@ -1,65 +0,0 @@
-package term
-
-import (
- "syscall"
- "unsafe"
-)
-
-const (
- getTermios = syscall.TIOCGETA
- setTermios = syscall.TIOCSETA
-
- IGNBRK = syscall.IGNBRK
- PARMRK = syscall.PARMRK
- INLCR = syscall.INLCR
- IGNCR = syscall.IGNCR
- ECHONL = syscall.ECHONL
- CSIZE = syscall.CSIZE
- ICRNL = syscall.ICRNL
- ISTRIP = syscall.ISTRIP
- PARENB = syscall.PARENB
- ECHO = syscall.ECHO
- ICANON = syscall.ICANON
- ISIG = syscall.ISIG
- IXON = syscall.IXON
- BRKINT = syscall.BRKINT
- INPCK = syscall.INPCK
- OPOST = syscall.OPOST
- CS8 = syscall.CS8
- IEXTEN = syscall.IEXTEN
-)
-
-type Termios struct {
- Iflag uint32
- Oflag uint32
- Cflag uint32
- Lflag uint32
- Cc [20]byte
- Ispeed uint32
- Ospeed uint32
-}
-
-// MakeRaw put the terminal connected to the given file descriptor into raw
-// mode and returns the previous state of the terminal so that it can be
-// restored.
-func MakeRaw(fd uintptr) (*State, error) {
- var oldState State
- if _, _, err := syscall.Syscall(syscall.SYS_IOCTL, fd, uintptr(getTermios), uintptr(unsafe.Pointer(&oldState.termios))); err != 0 {
- return nil, err
- }
-
- newState := oldState.termios
- newState.Iflag &^= (IGNBRK | BRKINT | PARMRK | ISTRIP | INLCR | IGNCR | ICRNL | IXON)
- newState.Oflag &^= OPOST
- newState.Lflag &^= (ECHO | ECHONL | ICANON | ISIG | IEXTEN)
- newState.Cflag &^= (CSIZE | PARENB)
- newState.Cflag |= CS8
- newState.Cc[syscall.VMIN] = 1
- newState.Cc[syscall.VTIME] = 0
-
- if _, _, err := syscall.Syscall(syscall.SYS_IOCTL, fd, uintptr(setTermios), uintptr(unsafe.Pointer(&newState))); err != 0 {
- return nil, err
- }
-
- return &oldState, nil
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/docker/pkg/term/termios_linux.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/docker/pkg/term/termios_linux.go
deleted file mode 100644
index 024187ff0664e51e5290b21435836ad0dfb7ff68..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/docker/pkg/term/termios_linux.go
+++ /dev/null
@@ -1,46 +0,0 @@
-// +build !cgo
-
-package term
-
-import (
- "syscall"
- "unsafe"
-)
-
-const (
- getTermios = syscall.TCGETS
- setTermios = syscall.TCSETS
-)
-
-type Termios struct {
- Iflag uint32
- Oflag uint32
- Cflag uint32
- Lflag uint32
- Cc [20]byte
- Ispeed uint32
- Ospeed uint32
-}
-
-// MakeRaw put the terminal connected to the given file descriptor into raw
-// mode and returns the previous state of the terminal so that it can be
-// restored.
-func MakeRaw(fd uintptr) (*State, error) {
- var oldState State
- if _, _, err := syscall.Syscall(syscall.SYS_IOCTL, fd, getTermios, uintptr(unsafe.Pointer(&oldState.termios))); err != 0 {
- return nil, err
- }
-
- newState := oldState.termios
-
- newState.Iflag &^= (syscall.IGNBRK | syscall.BRKINT | syscall.PARMRK | syscall.ISTRIP | syscall.INLCR | syscall.IGNCR | syscall.ICRNL | syscall.IXON)
- newState.Oflag &^= syscall.OPOST
- newState.Lflag &^= (syscall.ECHO | syscall.ECHONL | syscall.ICANON | syscall.ISIG | syscall.IEXTEN)
- newState.Cflag &^= (syscall.CSIZE | syscall.PARENB)
- newState.Cflag |= syscall.CS8
-
- if _, _, err := syscall.Syscall(syscall.SYS_IOCTL, fd, setTermios, uintptr(unsafe.Pointer(&newState))); err != 0 {
- return nil, err
- }
- return &oldState, nil
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/docker/pkg/term/winconsole/console_windows.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/docker/pkg/term/winconsole/console_windows.go
deleted file mode 100644
index 12338f069b767590eb0675aa91ca6077a9668b5e..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/docker/pkg/term/winconsole/console_windows.go
+++ /dev/null
@@ -1,1053 +0,0 @@
-// +build windows
-
-package winconsole
-
-import (
- "bytes"
- "fmt"
- "io"
- "os"
- "strconv"
- "strings"
- "sync"
- "syscall"
- "unsafe"
-
- "github.com/sirupsen/logrus"
-)
-
-const (
- // Consts for Get/SetConsoleMode function
- // -- See https://msdn.microsoft.com/en-us/library/windows/desktop/ms686033(v=vs.85).aspx
- ENABLE_PROCESSED_INPUT = 0x0001
- ENABLE_LINE_INPUT = 0x0002
- ENABLE_ECHO_INPUT = 0x0004
- ENABLE_WINDOW_INPUT = 0x0008
- ENABLE_MOUSE_INPUT = 0x0010
- ENABLE_INSERT_MODE = 0x0020
- ENABLE_QUICK_EDIT_MODE = 0x0040
- ENABLE_EXTENDED_FLAGS = 0x0080
-
- // If parameter is a screen buffer handle, additional values
- ENABLE_PROCESSED_OUTPUT = 0x0001
- ENABLE_WRAP_AT_EOL_OUTPUT = 0x0002
-
- //http://msdn.microsoft.com/en-us/library/windows/desktop/ms682088(v=vs.85).aspx#_win32_character_attributes
- FOREGROUND_BLUE = 1
- FOREGROUND_GREEN = 2
- FOREGROUND_RED = 4
- FOREGROUND_INTENSITY = 8
- FOREGROUND_MASK_SET = 0x000F
- FOREGROUND_MASK_UNSET = 0xFFF0
-
- BACKGROUND_BLUE = 16
- BACKGROUND_GREEN = 32
- BACKGROUND_RED = 64
- BACKGROUND_INTENSITY = 128
- BACKGROUND_MASK_SET = 0x00F0
- BACKGROUND_MASK_UNSET = 0xFF0F
-
- COMMON_LVB_REVERSE_VIDEO = 0x4000
- COMMON_LVB_UNDERSCORE = 0x8000
-
- // http://man7.org/linux/man-pages/man4/console_codes.4.html
- // ECMA-48 Set Graphics Rendition
- ANSI_ATTR_RESET = 0
- ANSI_ATTR_BOLD = 1
- ANSI_ATTR_DIM = 2
- ANSI_ATTR_UNDERLINE = 4
- ANSI_ATTR_BLINK = 5
- ANSI_ATTR_REVERSE = 7
- ANSI_ATTR_INVISIBLE = 8
-
- ANSI_ATTR_UNDERLINE_OFF = 24
- ANSI_ATTR_BLINK_OFF = 25
- ANSI_ATTR_REVERSE_OFF = 27
- ANSI_ATTR_INVISIBLE_OFF = 8
-
- ANSI_FOREGROUND_BLACK = 30
- ANSI_FOREGROUND_RED = 31
- ANSI_FOREGROUND_GREEN = 32
- ANSI_FOREGROUND_YELLOW = 33
- ANSI_FOREGROUND_BLUE = 34
- ANSI_FOREGROUND_MAGENTA = 35
- ANSI_FOREGROUND_CYAN = 36
- ANSI_FOREGROUND_WHITE = 37
- ANSI_FOREGROUND_DEFAULT = 39
-
- ANSI_BACKGROUND_BLACK = 40
- ANSI_BACKGROUND_RED = 41
- ANSI_BACKGROUND_GREEN = 42
- ANSI_BACKGROUND_YELLOW = 43
- ANSI_BACKGROUND_BLUE = 44
- ANSI_BACKGROUND_MAGENTA = 45
- ANSI_BACKGROUND_CYAN = 46
- ANSI_BACKGROUND_WHITE = 47
- ANSI_BACKGROUND_DEFAULT = 49
-
- ANSI_MAX_CMD_LENGTH = 256
-
- MAX_INPUT_EVENTS = 128
- MAX_INPUT_BUFFER = 1024
- DEFAULT_WIDTH = 80
- DEFAULT_HEIGHT = 24
-)
-
-// http://msdn.microsoft.com/en-us/library/windows/desktop/dd375731(v=vs.85).aspx
-const (
- VK_PRIOR = 0x21 // PAGE UP key
- VK_NEXT = 0x22 // PAGE DOWN key
- VK_END = 0x23 // END key
- VK_HOME = 0x24 // HOME key
- VK_LEFT = 0x25 // LEFT ARROW key
- VK_UP = 0x26 // UP ARROW key
- VK_RIGHT = 0x27 // RIGHT ARROW key
- VK_DOWN = 0x28 // DOWN ARROW key
- VK_SELECT = 0x29 // SELECT key
- VK_PRINT = 0x2A // PRINT key
- VK_EXECUTE = 0x2B // EXECUTE key
- VK_SNAPSHOT = 0x2C // PRINT SCREEN key
- VK_INSERT = 0x2D // INS key
- VK_DELETE = 0x2E // DEL key
- VK_HELP = 0x2F // HELP key
- VK_F1 = 0x70 // F1 key
- VK_F2 = 0x71 // F2 key
- VK_F3 = 0x72 // F3 key
- VK_F4 = 0x73 // F4 key
- VK_F5 = 0x74 // F5 key
- VK_F6 = 0x75 // F6 key
- VK_F7 = 0x76 // F7 key
- VK_F8 = 0x77 // F8 key
- VK_F9 = 0x78 // F9 key
- VK_F10 = 0x79 // F10 key
- VK_F11 = 0x7A // F11 key
- VK_F12 = 0x7B // F12 key
-)
-
-var kernel32DLL = syscall.NewLazyDLL("kernel32.dll")
-
-var (
- setConsoleModeProc = kernel32DLL.NewProc("SetConsoleMode")
- getConsoleScreenBufferInfoProc = kernel32DLL.NewProc("GetConsoleScreenBufferInfo")
- setConsoleCursorPositionProc = kernel32DLL.NewProc("SetConsoleCursorPosition")
- setConsoleTextAttributeProc = kernel32DLL.NewProc("SetConsoleTextAttribute")
- fillConsoleOutputCharacterProc = kernel32DLL.NewProc("FillConsoleOutputCharacterW")
- writeConsoleOutputProc = kernel32DLL.NewProc("WriteConsoleOutputW")
- readConsoleInputProc = kernel32DLL.NewProc("ReadConsoleInputW")
- getNumberOfConsoleInputEventsProc = kernel32DLL.NewProc("GetNumberOfConsoleInputEvents")
- getConsoleCursorInfoProc = kernel32DLL.NewProc("GetConsoleCursorInfo")
- setConsoleCursorInfoProc = kernel32DLL.NewProc("SetConsoleCursorInfo")
- setConsoleWindowInfoProc = kernel32DLL.NewProc("SetConsoleWindowInfo")
- setConsoleScreenBufferSizeProc = kernel32DLL.NewProc("SetConsoleScreenBufferSize")
-)
-
-// types for calling various windows API
-// see http://msdn.microsoft.com/en-us/library/windows/desktop/ms682093(v=vs.85).aspx
-type (
- SHORT int16
- BOOL int32
- WORD uint16
- WCHAR uint16
- DWORD uint32
-
- SMALL_RECT struct {
- Left SHORT
- Top SHORT
- Right SHORT
- Bottom SHORT
- }
-
- COORD struct {
- X SHORT
- Y SHORT
- }
-
- CONSOLE_SCREEN_BUFFER_INFO struct {
- Size COORD
- CursorPosition COORD
- Attributes WORD
- Window SMALL_RECT
- MaximumWindowSize COORD
- }
-
- CONSOLE_CURSOR_INFO struct {
- Size DWORD
- Visible BOOL
- }
-
- // http://msdn.microsoft.com/en-us/library/windows/desktop/ms684166(v=vs.85).aspx
- KEY_EVENT_RECORD struct {
- KeyDown BOOL
- RepeatCount WORD
- VirtualKeyCode WORD
- VirtualScanCode WORD
- UnicodeChar WCHAR
- ControlKeyState DWORD
- }
-
- INPUT_RECORD struct {
- EventType WORD
- KeyEvent KEY_EVENT_RECORD
- }
-
- CHAR_INFO struct {
- UnicodeChar WCHAR
- Attributes WORD
- }
-)
-
-// TODO(azlinux): Basic type clean-up
-// -- Convert all uses of uintptr to syscall.Handle to be consistent with Windows syscall
-// -- Convert, as appropriate, types to use defined Windows types (e.g., DWORD instead of uint32)
-
-// Implements the TerminalEmulator interface
-type WindowsTerminal struct {
- outMutex sync.Mutex
- inMutex sync.Mutex
- inputBuffer []byte
- inputSize int
- inputEvents []INPUT_RECORD
- screenBufferInfo *CONSOLE_SCREEN_BUFFER_INFO
- inputEscapeSequence []byte
-}
-
-func getStdHandle(stdhandle int) uintptr {
- handle, err := syscall.GetStdHandle(stdhandle)
- if err != nil {
- panic(fmt.Errorf("could not get standard io handle %d", stdhandle))
- }
- return uintptr(handle)
-}
-
-func WinConsoleStreams() (stdIn io.ReadCloser, stdOut, stdErr io.Writer) {
- handler := &WindowsTerminal{
- inputBuffer: make([]byte, MAX_INPUT_BUFFER),
- inputEscapeSequence: []byte(KEY_ESC_CSI),
- inputEvents: make([]INPUT_RECORD, MAX_INPUT_EVENTS),
- }
-
- if IsConsole(os.Stdin.Fd()) {
- stdIn = &terminalReader{
- wrappedReader: os.Stdin,
- emulator: handler,
- command: make([]byte, 0, ANSI_MAX_CMD_LENGTH),
- fd: getStdHandle(syscall.STD_INPUT_HANDLE),
- }
- } else {
- stdIn = os.Stdin
- }
-
- if IsConsole(os.Stdout.Fd()) {
- stdoutHandle := getStdHandle(syscall.STD_OUTPUT_HANDLE)
-
- // Save current screen buffer info
- screenBufferInfo, err := GetConsoleScreenBufferInfo(stdoutHandle)
- if err != nil {
- // If GetConsoleScreenBufferInfo returns a nil error, it usually means that stdout is not a TTY.
- // However, this is in the branch where stdout is a TTY, hence the panic.
- panic("could not get console screen buffer info")
- }
- handler.screenBufferInfo = screenBufferInfo
-
- buffer = make([]CHAR_INFO, screenBufferInfo.MaximumWindowSize.X*screenBufferInfo.MaximumWindowSize.Y)
-
- stdOut = &terminalWriter{
- wrappedWriter: os.Stdout,
- emulator: handler,
- command: make([]byte, 0, ANSI_MAX_CMD_LENGTH),
- fd: stdoutHandle,
- }
- } else {
- stdOut = os.Stdout
- }
-
- if IsConsole(os.Stderr.Fd()) {
- stdErr = &terminalWriter{
- wrappedWriter: os.Stderr,
- emulator: handler,
- command: make([]byte, 0, ANSI_MAX_CMD_LENGTH),
- fd: getStdHandle(syscall.STD_ERROR_HANDLE),
- }
- } else {
- stdErr = os.Stderr
- }
-
- return stdIn, stdOut, stdErr
-}
-
-// GetHandleInfo returns file descriptor and bool indicating whether the file is a console.
-func GetHandleInfo(in interface{}) (uintptr, bool) {
- var inFd uintptr
- var isTerminalIn bool
-
- switch t := in.(type) {
- case *terminalReader:
- in = t.wrappedReader
- case *terminalWriter:
- in = t.wrappedWriter
- }
-
- if file, ok := in.(*os.File); ok {
- inFd = file.Fd()
- isTerminalIn = IsConsole(inFd)
- }
- return inFd, isTerminalIn
-}
-
-func getError(r1, r2 uintptr, lastErr error) error {
- // If the function fails, the return value is zero.
- if r1 == 0 {
- if lastErr != nil {
- return lastErr
- }
- return syscall.EINVAL
- }
- return nil
-}
-
-// GetConsoleMode gets the console mode for given file descriptor
-// http://msdn.microsoft.com/en-us/library/windows/desktop/ms683167(v=vs.85).aspx
-func GetConsoleMode(handle uintptr) (uint32, error) {
- var mode uint32
- err := syscall.GetConsoleMode(syscall.Handle(handle), &mode)
- return mode, err
-}
-
-// SetConsoleMode sets the console mode for given file descriptor
-// http://msdn.microsoft.com/en-us/library/windows/desktop/ms686033(v=vs.85).aspx
-func SetConsoleMode(handle uintptr, mode uint32) error {
- return getError(setConsoleModeProc.Call(handle, uintptr(mode), 0))
-}
-
-// SetCursorVisible sets the cursor visbility
-// http://msdn.microsoft.com/en-us/library/windows/desktop/ms686019(v=vs.85).aspx
-func SetCursorVisible(handle uintptr, isVisible BOOL) (bool, error) {
- var cursorInfo *CONSOLE_CURSOR_INFO = &CONSOLE_CURSOR_INFO{}
- if err := getError(getConsoleCursorInfoProc.Call(handle, uintptr(unsafe.Pointer(cursorInfo)), 0)); err != nil {
- return false, err
- }
- cursorInfo.Visible = isVisible
- if err := getError(setConsoleCursorInfoProc.Call(handle, uintptr(unsafe.Pointer(cursorInfo)), 0)); err != nil {
- return false, err
- }
- return true, nil
-}
-
-// SetWindowSize sets the size of the console window.
-func SetWindowSize(handle uintptr, width, height, max SHORT) (bool, error) {
- window := SMALL_RECT{Left: 0, Top: 0, Right: width - 1, Bottom: height - 1}
- coord := COORD{X: width - 1, Y: max}
- if err := getError(setConsoleWindowInfoProc.Call(handle, uintptr(1), uintptr(unsafe.Pointer(&window)))); err != nil {
- return false, err
- }
- if err := getError(setConsoleScreenBufferSizeProc.Call(handle, marshal(coord))); err != nil {
- return false, err
- }
- return true, nil
-}
-
-// GetConsoleScreenBufferInfo retrieves information about the specified console screen buffer.
-// http://msdn.microsoft.com/en-us/library/windows/desktop/ms683171(v=vs.85).aspx
-func GetConsoleScreenBufferInfo(handle uintptr) (*CONSOLE_SCREEN_BUFFER_INFO, error) {
- var info CONSOLE_SCREEN_BUFFER_INFO
- if err := getError(getConsoleScreenBufferInfoProc.Call(handle, uintptr(unsafe.Pointer(&info)), 0)); err != nil {
- return nil, err
- }
- return &info, nil
-}
-
-// setConsoleTextAttribute sets the attributes of characters written to the
-// console screen buffer by the WriteFile or WriteConsole function,
-// http://msdn.microsoft.com/en-us/library/windows/desktop/ms686047(v=vs.85).aspx
-func setConsoleTextAttribute(handle uintptr, attribute WORD) error {
- return getError(setConsoleTextAttributeProc.Call(handle, uintptr(attribute), 0))
-}
-
-func writeConsoleOutput(handle uintptr, buffer []CHAR_INFO, bufferSize COORD, bufferCoord COORD, writeRegion *SMALL_RECT) (bool, error) {
- if err := getError(writeConsoleOutputProc.Call(handle, uintptr(unsafe.Pointer(&buffer[0])), marshal(bufferSize), marshal(bufferCoord), uintptr(unsafe.Pointer(writeRegion)))); err != nil {
- return false, err
- }
- return true, nil
-}
-
-// http://msdn.microsoft.com/en-us/library/windows/desktop/ms682663(v=vs.85).aspx
-func fillConsoleOutputCharacter(handle uintptr, fillChar byte, length uint32, writeCord COORD) (bool, error) {
- out := int64(0)
- if err := getError(fillConsoleOutputCharacterProc.Call(handle, uintptr(fillChar), uintptr(length), marshal(writeCord), uintptr(unsafe.Pointer(&out)))); err != nil {
- return false, err
- }
- return true, nil
-}
-
-// Gets the number of space characters to write for "clearing" the section of terminal
-func getNumberOfChars(fromCoord COORD, toCoord COORD, screenSize COORD) uint32 {
- // must be valid cursor position
- if fromCoord.X < 0 || fromCoord.Y < 0 || toCoord.X < 0 || toCoord.Y < 0 {
- return 0
- }
- if fromCoord.X >= screenSize.X || fromCoord.Y >= screenSize.Y || toCoord.X >= screenSize.X || toCoord.Y >= screenSize.Y {
- return 0
- }
- // can't be backwards
- if fromCoord.Y > toCoord.Y {
- return 0
- }
- // same line
- if fromCoord.Y == toCoord.Y {
- return uint32(toCoord.X-fromCoord.X) + 1
- }
- // spans more than one line
- if fromCoord.Y < toCoord.Y {
- // from start till end of line for first line + from start of line till end
- retValue := uint32(screenSize.X-fromCoord.X) + uint32(toCoord.X) + 1
- // don't count first and last line
- linesBetween := toCoord.Y - fromCoord.Y - 1
- if linesBetween > 0 {
- retValue = retValue + uint32(linesBetween*screenSize.X)
- }
- return retValue
- }
- return 0
-}
-
-var buffer []CHAR_INFO
-
-func clearDisplayRect(handle uintptr, attributes WORD, fromCoord COORD, toCoord COORD) (uint32, error) {
- var writeRegion SMALL_RECT
- writeRegion.Left = fromCoord.X
- writeRegion.Top = fromCoord.Y
- writeRegion.Right = toCoord.X
- writeRegion.Bottom = toCoord.Y
-
- // allocate and initialize buffer
- width := toCoord.X - fromCoord.X + 1
- height := toCoord.Y - fromCoord.Y + 1
- size := uint32(width) * uint32(height)
- if size > 0 {
- buffer := make([]CHAR_INFO, size)
- for i := range buffer {
- buffer[i] = CHAR_INFO{WCHAR(' '), attributes}
- }
-
- // Write to buffer
- r, err := writeConsoleOutput(handle, buffer, COORD{X: width, Y: height}, COORD{X: 0, Y: 0}, &writeRegion)
- if !r {
- if err != nil {
- return 0, err
- }
- return 0, syscall.EINVAL
- }
- }
- return uint32(size), nil
-}
-
-func clearDisplayRange(handle uintptr, attributes WORD, fromCoord COORD, toCoord COORD) (uint32, error) {
- nw := uint32(0)
- // start and end on same line
- if fromCoord.Y == toCoord.Y {
- return clearDisplayRect(handle, attributes, fromCoord, toCoord)
- }
- // TODO(azlinux): if full screen, optimize
-
- // spans more than one line
- if fromCoord.Y < toCoord.Y {
- // from start position till end of line for first line
- n, err := clearDisplayRect(handle, attributes, fromCoord, COORD{X: toCoord.X, Y: fromCoord.Y})
- if err != nil {
- return nw, err
- }
- nw += n
- // lines between
- linesBetween := toCoord.Y - fromCoord.Y - 1
- if linesBetween > 0 {
- n, err = clearDisplayRect(handle, attributes, COORD{X: 0, Y: fromCoord.Y + 1}, COORD{X: toCoord.X, Y: toCoord.Y - 1})
- if err != nil {
- return nw, err
- }
- nw += n
- }
- // lines at end
- n, err = clearDisplayRect(handle, attributes, COORD{X: 0, Y: toCoord.Y}, toCoord)
- if err != nil {
- return nw, err
- }
- nw += n
- }
- return nw, nil
-}
-
-// setConsoleCursorPosition sets the console cursor position
-// Note The X and Y are zero based
-// If relative is true then the new position is relative to current one
-func setConsoleCursorPosition(handle uintptr, isRelative bool, column int16, line int16) error {
- screenBufferInfo, err := GetConsoleScreenBufferInfo(handle)
- if err != nil {
- return err
- }
- var position COORD
- if isRelative {
- position.X = screenBufferInfo.CursorPosition.X + SHORT(column)
- position.Y = screenBufferInfo.CursorPosition.Y + SHORT(line)
- } else {
- position.X = SHORT(column)
- position.Y = SHORT(line)
- }
- return getError(setConsoleCursorPositionProc.Call(handle, marshal(position), 0))
-}
-
-// http://msdn.microsoft.com/en-us/library/windows/desktop/ms683207(v=vs.85).aspx
-func getNumberOfConsoleInputEvents(handle uintptr) (uint16, error) {
- var n DWORD
- if err := getError(getNumberOfConsoleInputEventsProc.Call(handle, uintptr(unsafe.Pointer(&n)))); err != nil {
- return 0, err
- }
- return uint16(n), nil
-}
-
-//http://msdn.microsoft.com/en-us/library/windows/desktop/ms684961(v=vs.85).aspx
-func readConsoleInputKey(handle uintptr, inputBuffer []INPUT_RECORD) (int, error) {
- var nr DWORD
- if err := getError(readConsoleInputProc.Call(handle, uintptr(unsafe.Pointer(&inputBuffer[0])), uintptr(len(inputBuffer)), uintptr(unsafe.Pointer(&nr)))); err != nil {
- return 0, err
- }
- return int(nr), nil
-}
-
-func getWindowsTextAttributeForAnsiValue(originalFlag WORD, defaultValue WORD, ansiValue int16) (WORD, error) {
- flag := WORD(originalFlag)
- if flag == 0 {
- flag = defaultValue
- }
- switch ansiValue {
- case ANSI_ATTR_RESET:
- flag &^= COMMON_LVB_UNDERSCORE
- flag &^= BACKGROUND_INTENSITY
- flag = flag | FOREGROUND_INTENSITY
- case ANSI_ATTR_INVISIBLE:
- // TODO: how do you reset reverse?
- case ANSI_ATTR_UNDERLINE:
- flag = flag | COMMON_LVB_UNDERSCORE
- case ANSI_ATTR_BLINK:
- // seems like background intenisty is blink
- flag = flag | BACKGROUND_INTENSITY
- case ANSI_ATTR_UNDERLINE_OFF:
- flag &^= COMMON_LVB_UNDERSCORE
- case ANSI_ATTR_BLINK_OFF:
- // seems like background intenisty is blink
- flag &^= BACKGROUND_INTENSITY
- case ANSI_ATTR_BOLD:
- flag = flag | FOREGROUND_INTENSITY
- case ANSI_ATTR_DIM:
- flag &^= FOREGROUND_INTENSITY
- case ANSI_ATTR_REVERSE, ANSI_ATTR_REVERSE_OFF:
- // swap forground and background bits
- foreground := flag & FOREGROUND_MASK_SET
- background := flag & BACKGROUND_MASK_SET
- flag = (flag & BACKGROUND_MASK_UNSET & FOREGROUND_MASK_UNSET) | (foreground << 4) | (background >> 4)
-
- // FOREGROUND
- case ANSI_FOREGROUND_DEFAULT:
- flag = (flag & FOREGROUND_MASK_UNSET) | (defaultValue & FOREGROUND_MASK_SET)
- case ANSI_FOREGROUND_BLACK:
- flag = flag ^ (FOREGROUND_RED | FOREGROUND_GREEN | FOREGROUND_BLUE)
- case ANSI_FOREGROUND_RED:
- flag = (flag & FOREGROUND_MASK_UNSET) | FOREGROUND_RED
- case ANSI_FOREGROUND_GREEN:
- flag = (flag & FOREGROUND_MASK_UNSET) | FOREGROUND_GREEN
- case ANSI_FOREGROUND_YELLOW:
- flag = (flag & FOREGROUND_MASK_UNSET) | FOREGROUND_RED | FOREGROUND_GREEN
- case ANSI_FOREGROUND_BLUE:
- flag = (flag & FOREGROUND_MASK_UNSET) | FOREGROUND_BLUE
- case ANSI_FOREGROUND_MAGENTA:
- flag = (flag & FOREGROUND_MASK_UNSET) | FOREGROUND_RED | FOREGROUND_BLUE
- case ANSI_FOREGROUND_CYAN:
- flag = (flag & FOREGROUND_MASK_UNSET) | FOREGROUND_GREEN | FOREGROUND_BLUE
- case ANSI_FOREGROUND_WHITE:
- flag = (flag & FOREGROUND_MASK_UNSET) | FOREGROUND_RED | FOREGROUND_GREEN | FOREGROUND_BLUE
-
- // Background
- case ANSI_BACKGROUND_DEFAULT:
- // Black with no intensity
- flag = (flag & BACKGROUND_MASK_UNSET) | (defaultValue & BACKGROUND_MASK_SET)
- case ANSI_BACKGROUND_BLACK:
- flag = (flag & BACKGROUND_MASK_UNSET)
- case ANSI_BACKGROUND_RED:
- flag = (flag & BACKGROUND_MASK_UNSET) | BACKGROUND_RED
- case ANSI_BACKGROUND_GREEN:
- flag = (flag & BACKGROUND_MASK_UNSET) | BACKGROUND_GREEN
- case ANSI_BACKGROUND_YELLOW:
- flag = (flag & BACKGROUND_MASK_UNSET) | BACKGROUND_RED | BACKGROUND_GREEN
- case ANSI_BACKGROUND_BLUE:
- flag = (flag & BACKGROUND_MASK_UNSET) | BACKGROUND_BLUE
- case ANSI_BACKGROUND_MAGENTA:
- flag = (flag & BACKGROUND_MASK_UNSET) | BACKGROUND_RED | BACKGROUND_BLUE
- case ANSI_BACKGROUND_CYAN:
- flag = (flag & BACKGROUND_MASK_UNSET) | BACKGROUND_GREEN | BACKGROUND_BLUE
- case ANSI_BACKGROUND_WHITE:
- flag = (flag & BACKGROUND_MASK_UNSET) | BACKGROUND_RED | BACKGROUND_GREEN | BACKGROUND_BLUE
- }
- return flag, nil
-}
-
-// HandleOutputCommand interpretes the Ansi commands and then makes appropriate Win32 calls
-func (term *WindowsTerminal) HandleOutputCommand(handle uintptr, command []byte) (n int, err error) {
- // always consider all the bytes in command, processed
- n = len(command)
-
- parsedCommand := parseAnsiCommand(command)
- logrus.Debugf("[windows] HandleOutputCommand: %v", parsedCommand)
-
- // console settings changes need to happen in atomic way
- term.outMutex.Lock()
- defer term.outMutex.Unlock()
-
- switch parsedCommand.Command {
- case "m":
- // [Value;...;Valuem
- // Set Graphics Mode:
- // Calls the graphics functions specified by the following values.
- // These specified functions remain active until the next occurrence of this escape sequence.
- // Graphics mode changes the colors and attributes of text (such as bold and underline) displayed on the screen.
- screenBufferInfo, err := GetConsoleScreenBufferInfo(handle)
- if err != nil {
- return n, err
- }
- flag := screenBufferInfo.Attributes
- for _, e := range parsedCommand.Parameters {
- value, _ := strconv.ParseInt(e, 10, 16) // base 10, 16 bit
- if value == ANSI_ATTR_RESET {
- flag = term.screenBufferInfo.Attributes // reset
- } else {
- flag, err = getWindowsTextAttributeForAnsiValue(flag, term.screenBufferInfo.Attributes, int16(value))
- if err != nil {
- return n, err
- }
- }
- }
- if err := setConsoleTextAttribute(handle, flag); err != nil {
- return n, err
- }
- case "H", "f":
- // [line;columnH
- // [line;columnf
- // Moves the cursor to the specified position (coordinates).
- // If you do not specify a position, the cursor moves to the home position at the upper-left corner of the screen (line 0, column 0).
- screenBufferInfo, err := GetConsoleScreenBufferInfo(handle)
- if err != nil {
- return n, err
- }
- line, err := parseInt16OrDefault(parsedCommand.getParam(0), 1)
- if err != nil {
- return n, err
- }
- if line > int16(screenBufferInfo.Window.Bottom) {
- line = int16(screenBufferInfo.Window.Bottom) + 1
- }
- column, err := parseInt16OrDefault(parsedCommand.getParam(1), 1)
- if err != nil {
- return n, err
- }
- if column > int16(screenBufferInfo.Window.Right) {
- column = int16(screenBufferInfo.Window.Right) + 1
- }
- // The numbers are not 0 based, but 1 based
- logrus.Debugf("[windows] HandleOutputCommmand: Moving cursor to (%v,%v)", column-1, line-1)
- if err := setConsoleCursorPosition(handle, false, column-1, line-1); err != nil {
- return n, err
- }
-
- case "A":
- // [valueA
- // Moves the cursor up by the specified number of lines without changing columns.
- // If the cursor is already on the top line, ignores this sequence.
- value, err := parseInt16OrDefault(parsedCommand.getParam(0), 1)
- if err != nil {
- return len(command), err
- }
- if err := setConsoleCursorPosition(handle, true, 0, -value); err != nil {
- return n, err
- }
- case "B":
- // [valueB
- // Moves the cursor down by the specified number of lines without changing columns.
- // If the cursor is already on the bottom line, ignores this sequence.
- value, err := parseInt16OrDefault(parsedCommand.getParam(0), 1)
- if err != nil {
- return n, err
- }
- if err := setConsoleCursorPosition(handle, true, 0, value); err != nil {
- return n, err
- }
- case "C":
- // [valueC
- // Moves the cursor forward by the specified number of columns without changing lines.
- // If the cursor is already in the rightmost column, ignores this sequence.
- value, err := parseInt16OrDefault(parsedCommand.getParam(0), 1)
- if err != nil {
- return n, err
- }
- if err := setConsoleCursorPosition(handle, true, value, 0); err != nil {
- return n, err
- }
- case "D":
- // [valueD
- // Moves the cursor back by the specified number of columns without changing lines.
- // If the cursor is already in the leftmost column, ignores this sequence.
- value, err := parseInt16OrDefault(parsedCommand.getParam(0), 1)
- if err != nil {
- return n, err
- }
- if err := setConsoleCursorPosition(handle, true, -value, 0); err != nil {
- return n, err
- }
- case "J":
- // [J Erases from the cursor to the end of the screen, including the cursor position.
- // [1J Erases from the beginning of the screen to the cursor, including the cursor position.
- // [2J Erases the complete display. The cursor does not move.
- // Clears the screen and moves the cursor to the home position (line 0, column 0).
- value, err := parseInt16OrDefault(parsedCommand.getParam(0), 0)
- if err != nil {
- return n, err
- }
- var start COORD
- var cursor COORD
- var end COORD
- screenBufferInfo, err := GetConsoleScreenBufferInfo(handle)
- if err != nil {
- return n, err
- }
- switch value {
- case 0:
- start = screenBufferInfo.CursorPosition
- // end of the buffer
- end.X = screenBufferInfo.Size.X - 1
- end.Y = screenBufferInfo.Size.Y - 1
- // cursor
- cursor = screenBufferInfo.CursorPosition
- case 1:
-
- // start of the screen
- start.X = 0
- start.Y = 0
- // end of the screen
- end = screenBufferInfo.CursorPosition
- // cursor
- cursor = screenBufferInfo.CursorPosition
- case 2:
- // start of the screen
- start.X = 0
- start.Y = 0
- // end of the buffer
- end.X = screenBufferInfo.Size.X - 1
- end.Y = screenBufferInfo.Size.Y - 1
- // cursor
- cursor.X = 0
- cursor.Y = 0
- }
- if _, err := clearDisplayRange(uintptr(handle), term.screenBufferInfo.Attributes, start, end); err != nil {
- return n, err
- }
- // remember the the cursor position is 1 based
- if err := setConsoleCursorPosition(handle, false, int16(cursor.X), int16(cursor.Y)); err != nil {
- return n, err
- }
-
- case "K":
- // [K
- // Clears all characters from the cursor position to the end of the line (including the character at the cursor position).
- // [K Erases from the cursor to the end of the line, including the cursor position.
- // [1K Erases from the beginning of the line to the cursor, including the cursor position.
- // [2K Erases the complete line.
- value, err := parseInt16OrDefault(parsedCommand.getParam(0), 0)
- var start COORD
- var cursor COORD
- var end COORD
- screenBufferInfo, err := GetConsoleScreenBufferInfo(uintptr(handle))
- if err != nil {
- return n, err
- }
- switch value {
- case 0:
- // start is where cursor is
- start = screenBufferInfo.CursorPosition
- // end of line
- end.X = screenBufferInfo.Size.X - 1
- end.Y = screenBufferInfo.CursorPosition.Y
- // cursor remains the same
- cursor = screenBufferInfo.CursorPosition
-
- case 1:
- // beginning of line
- start.X = 0
- start.Y = screenBufferInfo.CursorPosition.Y
- // until cursor
- end = screenBufferInfo.CursorPosition
- // cursor remains the same
- cursor = screenBufferInfo.CursorPosition
- case 2:
- // start of the line
- start.X = 0
- start.Y = screenBufferInfo.CursorPosition.Y - 1
- // end of the line
- end.X = screenBufferInfo.Size.X - 1
- end.Y = screenBufferInfo.CursorPosition.Y - 1
- // cursor
- cursor.X = 0
- cursor.Y = screenBufferInfo.CursorPosition.Y - 1
- }
- if _, err := clearDisplayRange(uintptr(handle), term.screenBufferInfo.Attributes, start, end); err != nil {
- return n, err
- }
- // remember the the cursor position is 1 based
- if err := setConsoleCursorPosition(uintptr(handle), false, int16(cursor.X), int16(cursor.Y)); err != nil {
- return n, err
- }
-
- case "l":
- for _, value := range parsedCommand.Parameters {
- switch value {
- case "?25", "25":
- SetCursorVisible(uintptr(handle), BOOL(0))
- case "?1049", "1049":
- // TODO (azlinux): Restore terminal
- case "?1", "1":
- // If the DECCKM function is reset, then the arrow keys send ANSI cursor sequences to the host.
- term.inputEscapeSequence = []byte(KEY_ESC_CSI)
- }
- }
- case "h":
- for _, value := range parsedCommand.Parameters {
- switch value {
- case "?25", "25":
- SetCursorVisible(uintptr(handle), BOOL(1))
- case "?1049", "1049":
- // TODO (azlinux): Save terminal
- case "?1", "1":
- // If the DECCKM function is set, then the arrow keys send application sequences to the host.
- // DECCKM (default off): When set, the cursor keys send an ESC O prefix, rather than ESC [.
- term.inputEscapeSequence = []byte(KEY_ESC_O)
- }
- }
-
- case "]":
- /*
- TODO (azlinux):
- Linux Console Private CSI Sequences
-
- The following sequences are neither ECMA-48 nor native VT102. They are
- native to the Linux console driver. Colors are in SGR parameters: 0 =
- black, 1 = red, 2 = green, 3 = brown, 4 = blue, 5 = magenta, 6 = cyan,
- 7 = white.
-
- ESC [ 1 ; n ] Set color n as the underline color
- ESC [ 2 ; n ] Set color n as the dim color
- ESC [ 8 ] Make the current color pair the default attributes.
- ESC [ 9 ; n ] Set screen blank timeout to n minutes.
- ESC [ 10 ; n ] Set bell frequency in Hz.
- ESC [ 11 ; n ] Set bell duration in msec.
- ESC [ 12 ; n ] Bring specified console to the front.
- ESC [ 13 ] Unblank the screen.
- ESC [ 14 ; n ] Set the VESA powerdown interval in minutes.
-
- */
- }
- return n, nil
-}
-
-// WriteChars writes the bytes to given writer.
-func (term *WindowsTerminal) WriteChars(fd uintptr, w io.Writer, p []byte) (n int, err error) {
- if len(p) == 0 {
- return 0, nil
- }
- return w.Write(p)
-}
-
-const (
- CAPSLOCK_ON = 0x0080 //The CAPS LOCK light is on.
- ENHANCED_KEY = 0x0100 //The key is enhanced.
- LEFT_ALT_PRESSED = 0x0002 //The left ALT key is pressed.
- LEFT_CTRL_PRESSED = 0x0008 //The left CTRL key is pressed.
- NUMLOCK_ON = 0x0020 //The NUM LOCK light is on.
- RIGHT_ALT_PRESSED = 0x0001 //The right ALT key is pressed.
- RIGHT_CTRL_PRESSED = 0x0004 //The right CTRL key is pressed.
- SCROLLLOCK_ON = 0x0040 //The SCROLL LOCK light is on.
- SHIFT_PRESSED = 0x0010 // The SHIFT key is pressed.
-)
-
-const (
- KEY_CONTROL_PARAM_2 = ";2"
- KEY_CONTROL_PARAM_3 = ";3"
- KEY_CONTROL_PARAM_4 = ";4"
- KEY_CONTROL_PARAM_5 = ";5"
- KEY_CONTROL_PARAM_6 = ";6"
- KEY_CONTROL_PARAM_7 = ";7"
- KEY_CONTROL_PARAM_8 = ";8"
- KEY_ESC_CSI = "\x1B["
- KEY_ESC_N = "\x1BN"
- KEY_ESC_O = "\x1BO"
-)
-
-var keyMapPrefix = map[WORD]string{
- VK_UP: "\x1B[%sA",
- VK_DOWN: "\x1B[%sB",
- VK_RIGHT: "\x1B[%sC",
- VK_LEFT: "\x1B[%sD",
- VK_HOME: "\x1B[1%s~", // showkey shows ^[[1
- VK_END: "\x1B[4%s~", // showkey shows ^[[4
- VK_INSERT: "\x1B[2%s~",
- VK_DELETE: "\x1B[3%s~",
- VK_PRIOR: "\x1B[5%s~",
- VK_NEXT: "\x1B[6%s~",
- VK_F1: "",
- VK_F2: "",
- VK_F3: "\x1B[13%s~",
- VK_F4: "\x1B[14%s~",
- VK_F5: "\x1B[15%s~",
- VK_F6: "\x1B[17%s~",
- VK_F7: "\x1B[18%s~",
- VK_F8: "\x1B[19%s~",
- VK_F9: "\x1B[20%s~",
- VK_F10: "\x1B[21%s~",
- VK_F11: "\x1B[23%s~",
- VK_F12: "\x1B[24%s~",
-}
-
-var arrowKeyMapPrefix = map[WORD]string{
- VK_UP: "%s%sA",
- VK_DOWN: "%s%sB",
- VK_RIGHT: "%s%sC",
- VK_LEFT: "%s%sD",
-}
-
-func getControlStateParameter(shift, alt, control, meta bool) string {
- if shift && alt && control {
- return KEY_CONTROL_PARAM_8
- }
- if alt && control {
- return KEY_CONTROL_PARAM_7
- }
- if shift && control {
- return KEY_CONTROL_PARAM_6
- }
- if control {
- return KEY_CONTROL_PARAM_5
- }
- if shift && alt {
- return KEY_CONTROL_PARAM_4
- }
- if alt {
- return KEY_CONTROL_PARAM_3
- }
- if shift {
- return KEY_CONTROL_PARAM_2
- }
- return ""
-}
-
-func getControlKeys(controlState DWORD) (shift, alt, control bool) {
- shift = 0 != (controlState & SHIFT_PRESSED)
- alt = 0 != (controlState & (LEFT_ALT_PRESSED | RIGHT_ALT_PRESSED))
- control = 0 != (controlState & (LEFT_CTRL_PRESSED | RIGHT_CTRL_PRESSED))
- return shift, alt, control
-}
-
-func charSequenceForKeys(key WORD, controlState DWORD, escapeSequence []byte) string {
- i, ok := arrowKeyMapPrefix[key]
- if ok {
- shift, alt, control := getControlKeys(controlState)
- modifier := getControlStateParameter(shift, alt, control, false)
- return fmt.Sprintf(i, escapeSequence, modifier)
- }
-
- i, ok = keyMapPrefix[key]
- if ok {
- shift, alt, control := getControlKeys(controlState)
- modifier := getControlStateParameter(shift, alt, control, false)
- return fmt.Sprintf(i, modifier)
- }
-
- return ""
-}
-
-// mapKeystokeToTerminalString maps the given input event record to string
-func mapKeystokeToTerminalString(keyEvent *KEY_EVENT_RECORD, escapeSequence []byte) string {
- _, alt, control := getControlKeys(keyEvent.ControlKeyState)
- if keyEvent.UnicodeChar == 0 {
- return charSequenceForKeys(keyEvent.VirtualKeyCode, keyEvent.ControlKeyState, escapeSequence)
- }
- if control {
- // TODO(azlinux): Implement following control sequences
- // <Ctrl>-D Signals the end of input from the keyboard; also exits current shell.
- // <Ctrl>-H Deletes the first character to the left of the cursor. Also called the ERASE key.
- // <Ctrl>-Q Restarts printing after it has been stopped with <Ctrl>-s.
- // <Ctrl>-S Suspends printing on the screen (does not stop the program).
- // <Ctrl>-U Deletes all characters on the current line. Also called the KILL key.
- // <Ctrl>-E Quits current command and creates a core
-
- }
- // <Alt>+Key generates ESC N Key
- if !control && alt {
- return KEY_ESC_N + strings.ToLower(string(keyEvent.UnicodeChar))
- }
- return string(keyEvent.UnicodeChar)
-}
-
-// getAvailableInputEvents polls the console for availble events
-// The function does not return until at least one input record has been read.
-func getAvailableInputEvents(handle uintptr, inputEvents []INPUT_RECORD) (n int, err error) {
- // TODO(azlinux): Why is there a for loop? Seems to me, that `n` cannot be negative. - tibor
- for {
- // Read number of console events available
- n, err = readConsoleInputKey(handle, inputEvents)
- if err != nil || n >= 0 {
- return n, err
- }
- }
-}
-
-// getTranslatedKeyCodes converts the input events into the string of characters
-// The ansi escape sequence are used to map key strokes to the strings
-func getTranslatedKeyCodes(inputEvents []INPUT_RECORD, escapeSequence []byte) string {
- var buf bytes.Buffer
- for i := 0; i < len(inputEvents); i++ {
- input := inputEvents[i]
- if input.EventType == KEY_EVENT && input.KeyEvent.KeyDown != 0 {
- keyString := mapKeystokeToTerminalString(&input.KeyEvent, escapeSequence)
- buf.WriteString(keyString)
- }
- }
- return buf.String()
-}
-
-// ReadChars reads the characters from the given reader
-func (term *WindowsTerminal) ReadChars(fd uintptr, r io.Reader, p []byte) (n int, err error) {
- for term.inputSize == 0 {
- nr, err := getAvailableInputEvents(fd, term.inputEvents)
- if nr == 0 && nil != err {
- return n, err
- }
- if nr > 0 {
- keyCodes := getTranslatedKeyCodes(term.inputEvents[:nr], term.inputEscapeSequence)
- term.inputSize = copy(term.inputBuffer, keyCodes)
- }
- }
- n = copy(p, term.inputBuffer[:term.inputSize])
- term.inputSize -= n
- return n, nil
-}
-
-// HandleInputSequence interprets the input sequence command
-func (term *WindowsTerminal) HandleInputSequence(fd uintptr, command []byte) (n int, err error) {
- return 0, nil
-}
-
-func marshal(c COORD) uintptr {
- return uintptr(*((*DWORD)(unsafe.Pointer(&c))))
-}
-
-// IsConsole returns true if the given file descriptor is a terminal.
-// -- The code assumes that GetConsoleMode will return an error for file descriptors that are not a console.
-func IsConsole(fd uintptr) bool {
- _, e := GetConsoleMode(fd)
- return e == nil
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/docker/pkg/term/winconsole/term_emulator.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/docker/pkg/term/winconsole/term_emulator.go
deleted file mode 100644
index 2d5edc0390e5fc8d3b9ba7391310f7d37fad42bb..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/docker/pkg/term/winconsole/term_emulator.go
+++ /dev/null
@@ -1,234 +0,0 @@
-package winconsole
-
-import (
- "fmt"
- "io"
- "strconv"
- "strings"
-)
-
-// http://manpages.ubuntu.com/manpages/intrepid/man4/console_codes.4.html
-const (
- ANSI_ESCAPE_PRIMARY = 0x1B
- ANSI_ESCAPE_SECONDARY = 0x5B
- ANSI_COMMAND_FIRST = 0x40
- ANSI_COMMAND_LAST = 0x7E
- ANSI_PARAMETER_SEP = ";"
- ANSI_CMD_G0 = '('
- ANSI_CMD_G1 = ')'
- ANSI_CMD_G2 = '*'
- ANSI_CMD_G3 = '+'
- ANSI_CMD_DECPNM = '>'
- ANSI_CMD_DECPAM = '='
- ANSI_CMD_OSC = ']'
- ANSI_CMD_STR_TERM = '\\'
- ANSI_BEL = 0x07
- KEY_EVENT = 1
-)
-
-// Interface that implements terminal handling
-type terminalEmulator interface {
- HandleOutputCommand(fd uintptr, command []byte) (n int, err error)
- HandleInputSequence(fd uintptr, command []byte) (n int, err error)
- WriteChars(fd uintptr, w io.Writer, p []byte) (n int, err error)
- ReadChars(fd uintptr, w io.Reader, p []byte) (n int, err error)
-}
-
-type terminalWriter struct {
- wrappedWriter io.Writer
- emulator terminalEmulator
- command []byte
- inSequence bool
- fd uintptr
-}
-
-type terminalReader struct {
- wrappedReader io.ReadCloser
- emulator terminalEmulator
- command []byte
- inSequence bool
- fd uintptr
-}
-
-// http://manpages.ubuntu.com/manpages/intrepid/man4/console_codes.4.html
-func isAnsiCommandChar(b byte) bool {
- switch {
- case ANSI_COMMAND_FIRST <= b && b <= ANSI_COMMAND_LAST && b != ANSI_ESCAPE_SECONDARY:
- return true
- case b == ANSI_CMD_G1 || b == ANSI_CMD_OSC || b == ANSI_CMD_DECPAM || b == ANSI_CMD_DECPNM:
- // non-CSI escape sequence terminator
- return true
- case b == ANSI_CMD_STR_TERM || b == ANSI_BEL:
- // String escape sequence terminator
- return true
- }
- return false
-}
-
-func isCharacterSelectionCmdChar(b byte) bool {
- return (b == ANSI_CMD_G0 || b == ANSI_CMD_G1 || b == ANSI_CMD_G2 || b == ANSI_CMD_G3)
-}
-
-func isXtermOscSequence(command []byte, current byte) bool {
- return (len(command) >= 2 && command[0] == ANSI_ESCAPE_PRIMARY && command[1] == ANSI_CMD_OSC && current != ANSI_BEL)
-}
-
-// Write writes len(p) bytes from p to the underlying data stream.
-// http://golang.org/pkg/io/#Writer
-func (tw *terminalWriter) Write(p []byte) (n int, err error) {
- if len(p) == 0 {
- return 0, nil
- }
- if tw.emulator == nil {
- return tw.wrappedWriter.Write(p)
- }
- // Emulate terminal by extracting commands and executing them
- totalWritten := 0
- start := 0 // indicates start of the next chunk
- end := len(p)
- for current := 0; current < end; current++ {
- if tw.inSequence {
- // inside escape sequence
- tw.command = append(tw.command, p[current])
- if isAnsiCommandChar(p[current]) {
- if !isXtermOscSequence(tw.command, p[current]) {
- // found the last command character.
- // Now we have a complete command.
- nchar, err := tw.emulator.HandleOutputCommand(tw.fd, tw.command)
- totalWritten += nchar
- if err != nil {
- return totalWritten, err
- }
-
- // clear the command
- // don't include current character again
- tw.command = tw.command[:0]
- start = current + 1
- tw.inSequence = false
- }
- }
- } else {
- if p[current] == ANSI_ESCAPE_PRIMARY {
- // entering escape sequnce
- tw.inSequence = true
- // indicates end of "normal sequence", write whatever you have so far
- if len(p[start:current]) > 0 {
- nw, err := tw.emulator.WriteChars(tw.fd, tw.wrappedWriter, p[start:current])
- totalWritten += nw
- if err != nil {
- return totalWritten, err
- }
- }
- // include the current character as part of the next sequence
- tw.command = append(tw.command, p[current])
- }
- }
- }
- // note that so far, start of the escape sequence triggers writing out of bytes to console.
- // For the part _after_ the end of last escape sequence, it is not written out yet. So write it out
- if !tw.inSequence {
- // assumption is that we can't be inside sequence and therefore command should be empty
- if len(p[start:]) > 0 {
- nw, err := tw.emulator.WriteChars(tw.fd, tw.wrappedWriter, p[start:])
- totalWritten += nw
- if err != nil {
- return totalWritten, err
- }
- }
- }
- return totalWritten, nil
-
-}
-
-// Read reads up to len(p) bytes into p.
-// http://golang.org/pkg/io/#Reader
-func (tr *terminalReader) Read(p []byte) (n int, err error) {
- //Implementations of Read are discouraged from returning a zero byte count
- // with a nil error, except when len(p) == 0.
- if len(p) == 0 {
- return 0, nil
- }
- if nil == tr.emulator {
- return tr.readFromWrappedReader(p)
- }
- return tr.emulator.ReadChars(tr.fd, tr.wrappedReader, p)
-}
-
-// Close the underlying stream
-func (tr *terminalReader) Close() (err error) {
- return tr.wrappedReader.Close()
-}
-
-func (tr *terminalReader) readFromWrappedReader(p []byte) (n int, err error) {
- return tr.wrappedReader.Read(p)
-}
-
-type ansiCommand struct {
- CommandBytes []byte
- Command string
- Parameters []string
- IsSpecial bool
-}
-
-func parseAnsiCommand(command []byte) *ansiCommand {
- if isCharacterSelectionCmdChar(command[1]) {
- // Is Character Set Selection commands
- return &ansiCommand{
- CommandBytes: command,
- Command: string(command),
- IsSpecial: true,
- }
- }
- // last char is command character
- lastCharIndex := len(command) - 1
-
- retValue := &ansiCommand{
- CommandBytes: command,
- Command: string(command[lastCharIndex]),
- IsSpecial: false,
- }
- // more than a single escape
- if lastCharIndex != 0 {
- start := 1
- // skip if double char escape sequence
- if command[0] == ANSI_ESCAPE_PRIMARY && command[1] == ANSI_ESCAPE_SECONDARY {
- start++
- }
- // convert this to GetNextParam method
- retValue.Parameters = strings.Split(string(command[start:lastCharIndex]), ANSI_PARAMETER_SEP)
- }
- return retValue
-}
-
-func (c *ansiCommand) getParam(index int) string {
- if len(c.Parameters) > index {
- return c.Parameters[index]
- }
- return ""
-}
-
-func (ac *ansiCommand) String() string {
- return fmt.Sprintf("0x%v \"%v\" (\"%v\")",
- bytesToHex(ac.CommandBytes),
- ac.Command,
- strings.Join(ac.Parameters, "\",\""))
-}
-
-func bytesToHex(b []byte) string {
- hex := make([]string, len(b))
- for i, ch := range b {
- hex[i] = fmt.Sprintf("%X", ch)
- }
- return strings.Join(hex, "")
-}
-
-func parseInt16OrDefault(s string, defaultValue int16) (n int16, err error) {
- if s == "" {
- return defaultValue, nil
- }
- parsedValue, err := strconv.ParseInt(s, 10, 16)
- if err != nil {
- return defaultValue, err
- }
- return int16(parsedValue), nil
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/go-units/LICENSE b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/go-units/LICENSE
deleted file mode 100644
index b55b37bc3162090c6e7c3458fbe0771089ef633b..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/go-units/LICENSE
+++ /dev/null
@@ -1,191 +0,0 @@
-
- Apache License
- Version 2.0, January 2004
- https://www.apache.org/licenses/
-
- TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
-
- 1. Definitions.
-
- "License" shall mean the terms and conditions for use, reproduction,
- and distribution as defined by Sections 1 through 9 of this document.
-
- "Licensor" shall mean the copyright owner or entity authorized by
- the copyright owner that is granting the License.
-
- "Legal Entity" shall mean the union of the acting entity and all
- other entities that control, are controlled by, or are under common
- control with that entity. For the purposes of this definition,
- "control" means (i) the power, direct or indirect, to cause the
- direction or management of such entity, whether by contract or
- otherwise, or (ii) ownership of fifty percent (50%) or more of the
- outstanding shares, or (iii) beneficial ownership of such entity.
-
- "You" (or "Your") shall mean an individual or Legal Entity
- exercising permissions granted by this License.
-
- "Source" form shall mean the preferred form for making modifications,
- including but not limited to software source code, documentation
- source, and configuration files.
-
- "Object" form shall mean any form resulting from mechanical
- transformation or translation of a Source form, including but
- not limited to compiled object code, generated documentation,
- and conversions to other media types.
-
- "Work" shall mean the work of authorship, whether in Source or
- Object form, made available under the License, as indicated by a
- copyright notice that is included in or attached to the work
- (an example is provided in the Appendix below).
-
- "Derivative Works" shall mean any work, whether in Source or Object
- form, that is based on (or derived from) the Work and for which the
- editorial revisions, annotations, elaborations, or other modifications
- represent, as a whole, an original work of authorship. For the purposes
- of this License, Derivative Works shall not include works that remain
- separable from, or merely link (or bind by name) to the interfaces of,
- the Work and Derivative Works thereof.
-
- "Contribution" shall mean any work of authorship, including
- the original version of the Work and any modifications or additions
- to that Work or Derivative Works thereof, that is intentionally
- submitted to Licensor for inclusion in the Work by the copyright owner
- or by an individual or Legal Entity authorized to submit on behalf of
- the copyright owner. For the purposes of this definition, "submitted"
- means any form of electronic, verbal, or written communication sent
- to the Licensor or its representatives, including but not limited to
- communication on electronic mailing lists, source code control systems,
- and issue tracking systems that are managed by, or on behalf of, the
- Licensor for the purpose of discussing and improving the Work, but
- excluding communication that is conspicuously marked or otherwise
- designated in writing by the copyright owner as "Not a Contribution."
-
- "Contributor" shall mean Licensor and any individual or Legal Entity
- on behalf of whom a Contribution has been received by Licensor and
- subsequently incorporated within the Work.
-
- 2. Grant of Copyright License. Subject to the terms and conditions of
- this License, each Contributor hereby grants to You a perpetual,
- worldwide, non-exclusive, no-charge, royalty-free, irrevocable
- copyright license to reproduce, prepare Derivative Works of,
- publicly display, publicly perform, sublicense, and distribute the
- Work and such Derivative Works in Source or Object form.
-
- 3. Grant of Patent License. Subject to the terms and conditions of
- this License, each Contributor hereby grants to You a perpetual,
- worldwide, non-exclusive, no-charge, royalty-free, irrevocable
- (except as stated in this section) patent license to make, have made,
- use, offer to sell, sell, import, and otherwise transfer the Work,
- where such license applies only to those patent claims licensable
- by such Contributor that are necessarily infringed by their
- Contribution(s) alone or by combination of their Contribution(s)
- with the Work to which such Contribution(s) was submitted. If You
- institute patent litigation against any entity (including a
- cross-claim or counterclaim in a lawsuit) alleging that the Work
- or a Contribution incorporated within the Work constitutes direct
- or contributory patent infringement, then any patent licenses
- granted to You under this License for that Work shall terminate
- as of the date such litigation is filed.
-
- 4. Redistribution. You may reproduce and distribute copies of the
- Work or Derivative Works thereof in any medium, with or without
- modifications, and in Source or Object form, provided that You
- meet the following conditions:
-
- (a) You must give any other recipients of the Work or
- Derivative Works a copy of this License; and
-
- (b) You must cause any modified files to carry prominent notices
- stating that You changed the files; and
-
- (c) You must retain, in the Source form of any Derivative Works
- that You distribute, all copyright, patent, trademark, and
- attribution notices from the Source form of the Work,
- excluding those notices that do not pertain to any part of
- the Derivative Works; and
-
- (d) If the Work includes a "NOTICE" text file as part of its
- distribution, then any Derivative Works that You distribute must
- include a readable copy of the attribution notices contained
- within such NOTICE file, excluding those notices that do not
- pertain to any part of the Derivative Works, in at least one
- of the following places: within a NOTICE text file distributed
- as part of the Derivative Works; within the Source form or
- documentation, if provided along with the Derivative Works; or,
- within a display generated by the Derivative Works, if and
- wherever such third-party notices normally appear. The contents
- of the NOTICE file are for informational purposes only and
- do not modify the License. You may add Your own attribution
- notices within Derivative Works that You distribute, alongside
- or as an addendum to the NOTICE text from the Work, provided
- that such additional attribution notices cannot be construed
- as modifying the License.
-
- You may add Your own copyright statement to Your modifications and
- may provide additional or different license terms and conditions
- for use, reproduction, or distribution of Your modifications, or
- for any such Derivative Works as a whole, provided Your use,
- reproduction, and distribution of the Work otherwise complies with
- the conditions stated in this License.
-
- 5. Submission of Contributions. Unless You explicitly state otherwise,
- any Contribution intentionally submitted for inclusion in the Work
- by You to the Licensor shall be under the terms and conditions of
- this License, without any additional terms or conditions.
- Notwithstanding the above, nothing herein shall supersede or modify
- the terms of any separate license agreement you may have executed
- with Licensor regarding such Contributions.
-
- 6. Trademarks. This License does not grant permission to use the trade
- names, trademarks, service marks, or product names of the Licensor,
- except as required for reasonable and customary use in describing the
- origin of the Work and reproducing the content of the NOTICE file.
-
- 7. Disclaimer of Warranty. Unless required by applicable law or
- agreed to in writing, Licensor provides the Work (and each
- Contributor provides its Contributions) on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- implied, including, without limitation, any warranties or conditions
- of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
- PARTICULAR PURPOSE. You are solely responsible for determining the
- appropriateness of using or redistributing the Work and assume any
- risks associated with Your exercise of permissions under this License.
-
- 8. Limitation of Liability. In no event and under no legal theory,
- whether in tort (including negligence), contract, or otherwise,
- unless required by applicable law (such as deliberate and grossly
- negligent acts) or agreed to in writing, shall any Contributor be
- liable to You for damages, including any direct, indirect, special,
- incidental, or consequential damages of any character arising as a
- result of this License or out of the use or inability to use the
- Work (including but not limited to damages for loss of goodwill,
- work stoppage, computer failure or malfunction, or any and all
- other commercial damages or losses), even if such Contributor
- has been advised of the possibility of such damages.
-
- 9. Accepting Warranty or Additional Liability. While redistributing
- the Work or Derivative Works thereof, You may choose to offer,
- and charge a fee for, acceptance of support, warranty, indemnity,
- or other liability obligations and/or rights consistent with this
- License. However, in accepting such obligations, You may act only
- on Your own behalf and on Your sole responsibility, not on behalf
- of any other Contributor, and only if You agree to indemnify,
- defend, and hold each Contributor harmless for any liability
- incurred by, or claims asserted against, such Contributor by reason
- of your accepting any such warranty or additional liability.
-
- END OF TERMS AND CONDITIONS
-
- Copyright 2015 Docker, Inc.
-
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
-
- https://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/go-units/duration.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/go-units/duration.go
deleted file mode 100644
index c219a8a968c40035a4f3a44d448f94ac4bceece9..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/go-units/duration.go
+++ /dev/null
@@ -1,33 +0,0 @@
-// Package units provides helper function to parse and print size and time units
-// in human-readable format.
-package units
-
-import (
- "fmt"
- "time"
-)
-
-// HumanDuration returns a human-readable approximation of a duration
-// (eg. "About a minute", "4 hours ago", etc.).
-func HumanDuration(d time.Duration) string {
- if seconds := int(d.Seconds()); seconds < 1 {
- return "Less than a second"
- } else if seconds < 60 {
- return fmt.Sprintf("%d seconds", seconds)
- } else if minutes := int(d.Minutes()); minutes == 1 {
- return "About a minute"
- } else if minutes < 60 {
- return fmt.Sprintf("%d minutes", minutes)
- } else if hours := int(d.Hours()); hours == 1 {
- return "About an hour"
- } else if hours < 48 {
- return fmt.Sprintf("%d hours", hours)
- } else if hours < 24*7*2 {
- return fmt.Sprintf("%d days", hours/24)
- } else if hours < 24*30*3 {
- return fmt.Sprintf("%d weeks", hours/24/7)
- } else if hours < 24*365*2 {
- return fmt.Sprintf("%d months", hours/24/30)
- }
- return fmt.Sprintf("%d years", int(d.Hours())/24/365)
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/go-units/size.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/go-units/size.go
deleted file mode 100644
index 3b59daff31b73be02f2fc36b7f172cd7dc187657..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/go-units/size.go
+++ /dev/null
@@ -1,95 +0,0 @@
-package units
-
-import (
- "fmt"
- "regexp"
- "strconv"
- "strings"
-)
-
-// See: http://en.wikipedia.org/wiki/Binary_prefix
-const (
- // Decimal
-
- KB = 1000
- MB = 1000 * KB
- GB = 1000 * MB
- TB = 1000 * GB
- PB = 1000 * TB
-
- // Binary
-
- KiB = 1024
- MiB = 1024 * KiB
- GiB = 1024 * MiB
- TiB = 1024 * GiB
- PiB = 1024 * TiB
-)
-
-type unitMap map[string]int64
-
-var (
- decimalMap = unitMap{"k": KB, "m": MB, "g": GB, "t": TB, "p": PB}
- binaryMap = unitMap{"k": KiB, "m": MiB, "g": GiB, "t": TiB, "p": PiB}
- sizeRegex = regexp.MustCompile(`^(\d+)([kKmMgGtTpP])?[bB]?$`)
-)
-
-var decimapAbbrs = []string{"B", "kB", "MB", "GB", "TB", "PB", "EB", "ZB", "YB"}
-var binaryAbbrs = []string{"B", "KiB", "MiB", "GiB", "TiB", "PiB", "EiB", "ZiB", "YiB"}
-
-// CustomSize returns a human-readable approximation of a size
-// using custom format.
-func CustomSize(format string, size float64, base float64, _map []string) string {
- i := 0
- for size >= base {
- size = size / base
- i++
- }
- return fmt.Sprintf(format, size, _map[i])
-}
-
-// HumanSize returns a human-readable approximation of a size
-// capped at 4 valid numbers (eg. "2.746 MB", "796 KB").
-func HumanSize(size float64) string {
- return CustomSize("%.4g %s", size, 1000.0, decimapAbbrs)
-}
-
-// BytesSize returns a human-readable size in bytes, kibibytes,
-// mebibytes, gibibytes, or tebibytes (eg. "44kiB", "17MiB").
-func BytesSize(size float64) string {
- return CustomSize("%.4g %s", size, 1024.0, binaryAbbrs)
-}
-
-// FromHumanSize returns an integer from a human-readable specification of a
-// size using SI standard (eg. "44kB", "17MB").
-func FromHumanSize(size string) (int64, error) {
- return parseSize(size, decimalMap)
-}
-
-// RAMInBytes parses a human-readable string representing an amount of RAM
-// in bytes, kibibytes, mebibytes, gibibytes, or tebibytes and
-// returns the number of bytes, or -1 if the string is unparseable.
-// Units are case-insensitive, and the 'b' suffix is optional.
-func RAMInBytes(size string) (int64, error) {
- return parseSize(size, binaryMap)
-}
-
-// Parses the human-readable size string into the amount it represents.
-func parseSize(sizeStr string, uMap unitMap) (int64, error) {
- matches := sizeRegex.FindStringSubmatch(sizeStr)
- if len(matches) != 3 {
- return -1, fmt.Errorf("invalid size: '%s'", sizeStr)
- }
-
- size, err := strconv.ParseInt(matches[1], 10, 0)
- if err != nil {
- return -1, err
- }
-
- unitPrefix := strings.ToLower(matches[2])
- if mul, ok := uMap[unitPrefix]; ok {
- size *= mul
- }
-
- return size, nil
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/godbus/dbus/LICENSE b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/godbus/dbus/LICENSE
deleted file mode 100644
index 670d88fcaaf0bcbca03a7179bad8b83393607b7f..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/godbus/dbus/LICENSE
+++ /dev/null
@@ -1,25 +0,0 @@
-Copyright (c) 2013, Georg Reinke (<guelfey at gmail dot com>), Google
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions
-are met:
-
-1. Redistributions of source code must retain the above copyright notice,
-this list of conditions and the following disclaimer.
-
-2. Redistributions in binary form must reproduce the above copyright
-notice, this list of conditions and the following disclaimer in the
-documentation and/or other materials provided with the distribution.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
-A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
-HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
-TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
-PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
-LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
-NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
-SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/godbus/dbus/auth.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/godbus/dbus/auth.go
deleted file mode 100644
index 98017b693eec505bc9907d1a964081806a04e182..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/godbus/dbus/auth.go
+++ /dev/null
@@ -1,253 +0,0 @@
-package dbus
-
-import (
- "bufio"
- "bytes"
- "errors"
- "io"
- "os"
- "strconv"
-)
-
-// AuthStatus represents the Status of an authentication mechanism.
-type AuthStatus byte
-
-const (
- // AuthOk signals that authentication is finished; the next command
- // from the server should be an OK.
- AuthOk AuthStatus = iota
-
- // AuthContinue signals that additional data is needed; the next command
- // from the server should be a DATA.
- AuthContinue
-
- // AuthError signals an error; the server sent invalid data or some
- // other unexpected thing happened and the current authentication
- // process should be aborted.
- AuthError
-)
-
-type authState byte
-
-const (
- waitingForData authState = iota
- waitingForOk
- waitingForReject
-)
-
-// Auth defines the behaviour of an authentication mechanism.
-type Auth interface {
- // Return the name of the mechnism, the argument to the first AUTH command
- // and the next status.
- FirstData() (name, resp []byte, status AuthStatus)
-
- // Process the given DATA command, and return the argument to the DATA
- // command and the next status. If len(resp) == 0, no DATA command is sent.
- HandleData(data []byte) (resp []byte, status AuthStatus)
-}
-
-// Auth authenticates the connection, trying the given list of authentication
-// mechanisms (in that order). If nil is passed, the EXTERNAL and
-// DBUS_COOKIE_SHA1 mechanisms are tried for the current user. For private
-// connections, this method must be called before sending any messages to the
-// bus. Auth must not be called on shared connections.
-func (conn *Conn) Auth(methods []Auth) error {
- if methods == nil {
- uid := strconv.Itoa(os.Getuid())
- methods = []Auth{AuthExternal(uid), AuthCookieSha1(uid, getHomeDir())}
- }
- in := bufio.NewReader(conn.transport)
- err := conn.transport.SendNullByte()
- if err != nil {
- return err
- }
- err = authWriteLine(conn.transport, []byte("AUTH"))
- if err != nil {
- return err
- }
- s, err := authReadLine(in)
- if err != nil {
- return err
- }
- if len(s) < 2 || !bytes.Equal(s[0], []byte("REJECTED")) {
- return errors.New("dbus: authentication protocol error")
- }
- s = s[1:]
- for _, v := range s {
- for _, m := range methods {
- if name, data, status := m.FirstData(); bytes.Equal(v, name) {
- var ok bool
- err = authWriteLine(conn.transport, []byte("AUTH"), []byte(v), data)
- if err != nil {
- return err
- }
- switch status {
- case AuthOk:
- err, ok = conn.tryAuth(m, waitingForOk, in)
- case AuthContinue:
- err, ok = conn.tryAuth(m, waitingForData, in)
- default:
- panic("dbus: invalid authentication status")
- }
- if err != nil {
- return err
- }
- if ok {
- if conn.transport.SupportsUnixFDs() {
- err = authWriteLine(conn, []byte("NEGOTIATE_UNIX_FD"))
- if err != nil {
- return err
- }
- line, err := authReadLine(in)
- if err != nil {
- return err
- }
- switch {
- case bytes.Equal(line[0], []byte("AGREE_UNIX_FD")):
- conn.EnableUnixFDs()
- conn.unixFD = true
- case bytes.Equal(line[0], []byte("ERROR")):
- default:
- return errors.New("dbus: authentication protocol error")
- }
- }
- err = authWriteLine(conn.transport, []byte("BEGIN"))
- if err != nil {
- return err
- }
- go conn.inWorker()
- go conn.outWorker()
- return nil
- }
- }
- }
- }
- return errors.New("dbus: authentication failed")
-}
-
-// tryAuth tries to authenticate with m as the mechanism, using state as the
-// initial authState and in for reading input. It returns (nil, true) on
-// success, (nil, false) on a REJECTED and (someErr, false) if some other
-// error occured.
-func (conn *Conn) tryAuth(m Auth, state authState, in *bufio.Reader) (error, bool) {
- for {
- s, err := authReadLine(in)
- if err != nil {
- return err, false
- }
- switch {
- case state == waitingForData && string(s[0]) == "DATA":
- if len(s) != 2 {
- err = authWriteLine(conn.transport, []byte("ERROR"))
- if err != nil {
- return err, false
- }
- continue
- }
- data, status := m.HandleData(s[1])
- switch status {
- case AuthOk, AuthContinue:
- if len(data) != 0 {
- err = authWriteLine(conn.transport, []byte("DATA"), data)
- if err != nil {
- return err, false
- }
- }
- if status == AuthOk {
- state = waitingForOk
- }
- case AuthError:
- err = authWriteLine(conn.transport, []byte("ERROR"))
- if err != nil {
- return err, false
- }
- }
- case state == waitingForData && string(s[0]) == "REJECTED":
- return nil, false
- case state == waitingForData && string(s[0]) == "ERROR":
- err = authWriteLine(conn.transport, []byte("CANCEL"))
- if err != nil {
- return err, false
- }
- state = waitingForReject
- case state == waitingForData && string(s[0]) == "OK":
- if len(s) != 2 {
- err = authWriteLine(conn.transport, []byte("CANCEL"))
- if err != nil {
- return err, false
- }
- state = waitingForReject
- }
- conn.uuid = string(s[1])
- return nil, true
- case state == waitingForData:
- err = authWriteLine(conn.transport, []byte("ERROR"))
- if err != nil {
- return err, false
- }
- case state == waitingForOk && string(s[0]) == "OK":
- if len(s) != 2 {
- err = authWriteLine(conn.transport, []byte("CANCEL"))
- if err != nil {
- return err, false
- }
- state = waitingForReject
- }
- conn.uuid = string(s[1])
- return nil, true
- case state == waitingForOk && string(s[0]) == "REJECTED":
- return nil, false
- case state == waitingForOk && (string(s[0]) == "DATA" ||
- string(s[0]) == "ERROR"):
-
- err = authWriteLine(conn.transport, []byte("CANCEL"))
- if err != nil {
- return err, false
- }
- state = waitingForReject
- case state == waitingForOk:
- err = authWriteLine(conn.transport, []byte("ERROR"))
- if err != nil {
- return err, false
- }
- case state == waitingForReject && string(s[0]) == "REJECTED":
- return nil, false
- case state == waitingForReject:
- return errors.New("dbus: authentication protocol error"), false
- default:
- panic("dbus: invalid auth state")
- }
- }
-}
-
-// authReadLine reads a line and separates it into its fields.
-func authReadLine(in *bufio.Reader) ([][]byte, error) {
- data, err := in.ReadBytes('\n')
- if err != nil {
- return nil, err
- }
- data = bytes.TrimSuffix(data, []byte("\r\n"))
- return bytes.Split(data, []byte{' '}), nil
-}
-
-// authWriteLine writes the given line in the authentication protocol format
-// (elements of data separated by a " " and terminated by "\r\n").
-func authWriteLine(out io.Writer, data ...[]byte) error {
- buf := make([]byte, 0)
- for i, v := range data {
- buf = append(buf, v...)
- if i != len(data)-1 {
- buf = append(buf, ' ')
- }
- }
- buf = append(buf, '\r')
- buf = append(buf, '\n')
- n, err := out.Write(buf)
- if err != nil {
- return err
- }
- if n != len(buf) {
- return io.ErrUnexpectedEOF
- }
- return nil
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/godbus/dbus/auth_external.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/godbus/dbus/auth_external.go
deleted file mode 100644
index 7e376d3ef6adc98516df592840141abcd8e41e81..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/godbus/dbus/auth_external.go
+++ /dev/null
@@ -1,26 +0,0 @@
-package dbus
-
-import (
- "encoding/hex"
-)
-
-// AuthExternal returns an Auth that authenticates as the given user with the
-// EXTERNAL mechanism.
-func AuthExternal(user string) Auth {
- return authExternal{user}
-}
-
-// AuthExternal implements the EXTERNAL authentication mechanism.
-type authExternal struct {
- user string
-}
-
-func (a authExternal) FirstData() ([]byte, []byte, AuthStatus) {
- b := make([]byte, 2*len(a.user))
- hex.Encode(b, []byte(a.user))
- return []byte("EXTERNAL"), b, AuthOk
-}
-
-func (a authExternal) HandleData(b []byte) ([]byte, AuthStatus) {
- return nil, AuthError
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/godbus/dbus/auth_sha1.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/godbus/dbus/auth_sha1.go
deleted file mode 100644
index df15b46119895b5d08e4477b3bd76bd2f889892c..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/godbus/dbus/auth_sha1.go
+++ /dev/null
@@ -1,102 +0,0 @@
-package dbus
-
-import (
- "bufio"
- "bytes"
- "crypto/rand"
- "crypto/sha1"
- "encoding/hex"
- "os"
-)
-
-// AuthCookieSha1 returns an Auth that authenticates as the given user with the
-// DBUS_COOKIE_SHA1 mechanism. The home parameter should specify the home
-// directory of the user.
-func AuthCookieSha1(user, home string) Auth {
- return authCookieSha1{user, home}
-}
-
-type authCookieSha1 struct {
- user, home string
-}
-
-func (a authCookieSha1) FirstData() ([]byte, []byte, AuthStatus) {
- b := make([]byte, 2*len(a.user))
- hex.Encode(b, []byte(a.user))
- return []byte("DBUS_COOKIE_SHA1"), b, AuthContinue
-}
-
-func (a authCookieSha1) HandleData(data []byte) ([]byte, AuthStatus) {
- challenge := make([]byte, len(data)/2)
- _, err := hex.Decode(challenge, data)
- if err != nil {
- return nil, AuthError
- }
- b := bytes.Split(challenge, []byte{' '})
- if len(b) != 3 {
- return nil, AuthError
- }
- context := b[0]
- id := b[1]
- svchallenge := b[2]
- cookie := a.getCookie(context, id)
- if cookie == nil {
- return nil, AuthError
- }
- clchallenge := a.generateChallenge()
- if clchallenge == nil {
- return nil, AuthError
- }
- hash := sha1.New()
- hash.Write(bytes.Join([][]byte{svchallenge, clchallenge, cookie}, []byte{':'}))
- hexhash := make([]byte, 2*hash.Size())
- hex.Encode(hexhash, hash.Sum(nil))
- data = append(clchallenge, ' ')
- data = append(data, hexhash...)
- resp := make([]byte, 2*len(data))
- hex.Encode(resp, data)
- return resp, AuthOk
-}
-
-// getCookie searches for the cookie identified by id in context and returns
-// the cookie content or nil. (Since HandleData can't return a specific error,
-// but only whether an error occured, this function also doesn't bother to
-// return an error.)
-func (a authCookieSha1) getCookie(context, id []byte) []byte {
- file, err := os.Open(a.home + "/.dbus-keyrings/" + string(context))
- if err != nil {
- return nil
- }
- defer file.Close()
- rd := bufio.NewReader(file)
- for {
- line, err := rd.ReadBytes('\n')
- if err != nil {
- return nil
- }
- line = line[:len(line)-1]
- b := bytes.Split(line, []byte{' '})
- if len(b) != 3 {
- return nil
- }
- if bytes.Equal(b[0], id) {
- return b[2]
- }
- }
-}
-
-// generateChallenge returns a random, hex-encoded challenge, or nil on error
-// (see above).
-func (a authCookieSha1) generateChallenge() []byte {
- b := make([]byte, 16)
- n, err := rand.Read(b)
- if err != nil {
- return nil
- }
- if n != 16 {
- return nil
- }
- enc := make([]byte, 32)
- hex.Encode(enc, b)
- return enc
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/godbus/dbus/call.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/godbus/dbus/call.go
deleted file mode 100644
index ba6e73f607a9d7f9e53e972363979439706f8e68..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/godbus/dbus/call.go
+++ /dev/null
@@ -1,36 +0,0 @@
-package dbus
-
-import (
- "errors"
-)
-
-// Call represents a pending or completed method call.
-type Call struct {
- Destination string
- Path ObjectPath
- Method string
- Args []interface{}
-
- // Strobes when the call is complete.
- Done chan *Call
-
- // After completion, the error status. If this is non-nil, it may be an
- // error message from the peer (with Error as its type) or some other error.
- Err error
-
- // Holds the response once the call is done.
- Body []interface{}
-}
-
-var errSignature = errors.New("dbus: mismatched signature")
-
-// Store stores the body of the reply into the provided pointers. It returns
-// an error if the signatures of the body and retvalues don't match, or if
-// the error status is not nil.
-func (c *Call) Store(retvalues ...interface{}) error {
- if c.Err != nil {
- return c.Err
- }
-
- return Store(c.Body, retvalues...)
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/godbus/dbus/conn.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/godbus/dbus/conn.go
deleted file mode 100644
index a4f5394010a1f15eb5e1b37b8ff8baa68b519c1d..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/godbus/dbus/conn.go
+++ /dev/null
@@ -1,625 +0,0 @@
-package dbus
-
-import (
- "errors"
- "io"
- "os"
- "reflect"
- "strings"
- "sync"
-)
-
-const defaultSystemBusAddress = "unix:path=/var/run/dbus/system_bus_socket"
-
-var (
- systemBus *Conn
- systemBusLck sync.Mutex
- sessionBus *Conn
- sessionBusLck sync.Mutex
-)
-
-// ErrClosed is the error returned by calls on a closed connection.
-var ErrClosed = errors.New("dbus: connection closed by user")
-
-// Conn represents a connection to a message bus (usually, the system or
-// session bus).
-//
-// Connections are either shared or private. Shared connections
-// are shared between calls to the functions that return them. As a result,
-// the methods Close, Auth and Hello must not be called on them.
-//
-// Multiple goroutines may invoke methods on a connection simultaneously.
-type Conn struct {
- transport
-
- busObj BusObject
- unixFD bool
- uuid string
-
- names []string
- namesLck sync.RWMutex
-
- serialLck sync.Mutex
- nextSerial uint32
- serialUsed map[uint32]bool
-
- calls map[uint32]*Call
- callsLck sync.RWMutex
-
- handlers map[ObjectPath]map[string]exportWithMapping
- handlersLck sync.RWMutex
-
- out chan *Message
- closed bool
- outLck sync.RWMutex
-
- signals []chan<- *Signal
- signalsLck sync.Mutex
-
- eavesdropped chan<- *Message
- eavesdroppedLck sync.Mutex
-}
-
-// SessionBus returns a shared connection to the session bus, connecting to it
-// if not already done.
-func SessionBus() (conn *Conn, err error) {
- sessionBusLck.Lock()
- defer sessionBusLck.Unlock()
- if sessionBus != nil {
- return sessionBus, nil
- }
- defer func() {
- if conn != nil {
- sessionBus = conn
- }
- }()
- conn, err = SessionBusPrivate()
- if err != nil {
- return
- }
- if err = conn.Auth(nil); err != nil {
- conn.Close()
- conn = nil
- return
- }
- if err = conn.Hello(); err != nil {
- conn.Close()
- conn = nil
- }
- return
-}
-
-// SessionBusPrivate returns a new private connection to the session bus.
-func SessionBusPrivate() (*Conn, error) {
- address := os.Getenv("DBUS_SESSION_BUS_ADDRESS")
- if address != "" && address != "autolaunch:" {
- return Dial(address)
- }
-
- return sessionBusPlatform()
-}
-
-// SystemBus returns a shared connection to the system bus, connecting to it if
-// not already done.
-func SystemBus() (conn *Conn, err error) {
- systemBusLck.Lock()
- defer systemBusLck.Unlock()
- if systemBus != nil {
- return systemBus, nil
- }
- defer func() {
- if conn != nil {
- systemBus = conn
- }
- }()
- conn, err = SystemBusPrivate()
- if err != nil {
- return
- }
- if err = conn.Auth(nil); err != nil {
- conn.Close()
- conn = nil
- return
- }
- if err = conn.Hello(); err != nil {
- conn.Close()
- conn = nil
- }
- return
-}
-
-// SystemBusPrivate returns a new private connection to the system bus.
-func SystemBusPrivate() (*Conn, error) {
- address := os.Getenv("DBUS_SYSTEM_BUS_ADDRESS")
- if address != "" {
- return Dial(address)
- }
- return Dial(defaultSystemBusAddress)
-}
-
-// Dial establishes a new private connection to the message bus specified by address.
-func Dial(address string) (*Conn, error) {
- tr, err := getTransport(address)
- if err != nil {
- return nil, err
- }
- return newConn(tr)
-}
-
-// NewConn creates a new private *Conn from an already established connection.
-func NewConn(conn io.ReadWriteCloser) (*Conn, error) {
- return newConn(genericTransport{conn})
-}
-
-// newConn creates a new *Conn from a transport.
-func newConn(tr transport) (*Conn, error) {
- conn := new(Conn)
- conn.transport = tr
- conn.calls = make(map[uint32]*Call)
- conn.out = make(chan *Message, 10)
- conn.handlers = make(map[ObjectPath]map[string]exportWithMapping)
- conn.nextSerial = 1
- conn.serialUsed = map[uint32]bool{0: true}
- conn.busObj = conn.Object("org.freedesktop.DBus", "/org/freedesktop/DBus")
- return conn, nil
-}
-
-// BusObject returns the object owned by the bus daemon which handles
-// administrative requests.
-func (conn *Conn) BusObject() BusObject {
- return conn.busObj
-}
-
-// Close closes the connection. Any blocked operations will return with errors
-// and the channels passed to Eavesdrop and Signal are closed. This method must
-// not be called on shared connections.
-func (conn *Conn) Close() error {
- conn.outLck.Lock()
- if conn.closed {
- // inWorker calls Close on read error, the read error may
- // be caused by another caller calling Close to shutdown the
- // dbus connection, a double-close scenario we prevent here.
- conn.outLck.Unlock()
- return nil
- }
- close(conn.out)
- conn.closed = true
- conn.outLck.Unlock()
- conn.signalsLck.Lock()
- for _, ch := range conn.signals {
- close(ch)
- }
- conn.signalsLck.Unlock()
- conn.eavesdroppedLck.Lock()
- if conn.eavesdropped != nil {
- close(conn.eavesdropped)
- }
- conn.eavesdroppedLck.Unlock()
- return conn.transport.Close()
-}
-
-// Eavesdrop causes conn to send all incoming messages to the given channel
-// without further processing. Method replies, errors and signals will not be
-// sent to the appropiate channels and method calls will not be handled. If nil
-// is passed, the normal behaviour is restored.
-//
-// The caller has to make sure that ch is sufficiently buffered;
-// if a message arrives when a write to ch is not possible, the message is
-// discarded.
-func (conn *Conn) Eavesdrop(ch chan<- *Message) {
- conn.eavesdroppedLck.Lock()
- conn.eavesdropped = ch
- conn.eavesdroppedLck.Unlock()
-}
-
-// getSerial returns an unused serial.
-func (conn *Conn) getSerial() uint32 {
- conn.serialLck.Lock()
- defer conn.serialLck.Unlock()
- n := conn.nextSerial
- for conn.serialUsed[n] {
- n++
- }
- conn.serialUsed[n] = true
- conn.nextSerial = n + 1
- return n
-}
-
-// Hello sends the initial org.freedesktop.DBus.Hello call. This method must be
-// called after authentication, but before sending any other messages to the
-// bus. Hello must not be called for shared connections.
-func (conn *Conn) Hello() error {
- var s string
- err := conn.busObj.Call("org.freedesktop.DBus.Hello", 0).Store(&s)
- if err != nil {
- return err
- }
- conn.namesLck.Lock()
- conn.names = make([]string, 1)
- conn.names[0] = s
- conn.namesLck.Unlock()
- return nil
-}
-
-// inWorker runs in an own goroutine, reading incoming messages from the
-// transport and dispatching them appropiately.
-func (conn *Conn) inWorker() {
- for {
- msg, err := conn.ReadMessage()
- if err == nil {
- conn.eavesdroppedLck.Lock()
- if conn.eavesdropped != nil {
- select {
- case conn.eavesdropped <- msg:
- default:
- }
- conn.eavesdroppedLck.Unlock()
- continue
- }
- conn.eavesdroppedLck.Unlock()
- dest, _ := msg.Headers[FieldDestination].value.(string)
- found := false
- if dest == "" {
- found = true
- } else {
- conn.namesLck.RLock()
- if len(conn.names) == 0 {
- found = true
- }
- for _, v := range conn.names {
- if dest == v {
- found = true
- break
- }
- }
- conn.namesLck.RUnlock()
- }
- if !found {
- // Eavesdropped a message, but no channel for it is registered.
- // Ignore it.
- continue
- }
- switch msg.Type {
- case TypeMethodReply, TypeError:
- serial := msg.Headers[FieldReplySerial].value.(uint32)
- conn.callsLck.Lock()
- if c, ok := conn.calls[serial]; ok {
- if msg.Type == TypeError {
- name, _ := msg.Headers[FieldErrorName].value.(string)
- c.Err = Error{name, msg.Body}
- } else {
- c.Body = msg.Body
- }
- c.Done <- c
- conn.serialLck.Lock()
- delete(conn.serialUsed, serial)
- conn.serialLck.Unlock()
- delete(conn.calls, serial)
- }
- conn.callsLck.Unlock()
- case TypeSignal:
- iface := msg.Headers[FieldInterface].value.(string)
- member := msg.Headers[FieldMember].value.(string)
- // as per http://dbus.freedesktop.org/doc/dbus-specification.html ,
- // sender is optional for signals.
- sender, _ := msg.Headers[FieldSender].value.(string)
- if iface == "org.freedesktop.DBus" && sender == "org.freedesktop.DBus" {
- if member == "NameLost" {
- // If we lost the name on the bus, remove it from our
- // tracking list.
- name, ok := msg.Body[0].(string)
- if !ok {
- panic("Unable to read the lost name")
- }
- conn.namesLck.Lock()
- for i, v := range conn.names {
- if v == name {
- conn.names = append(conn.names[:i],
- conn.names[i+1:]...)
- }
- }
- conn.namesLck.Unlock()
- } else if member == "NameAcquired" {
- // If we acquired the name on the bus, add it to our
- // tracking list.
- name, ok := msg.Body[0].(string)
- if !ok {
- panic("Unable to read the acquired name")
- }
- conn.namesLck.Lock()
- conn.names = append(conn.names, name)
- conn.namesLck.Unlock()
- }
- }
- signal := &Signal{
- Sender: sender,
- Path: msg.Headers[FieldPath].value.(ObjectPath),
- Name: iface + "." + member,
- Body: msg.Body,
- }
- conn.signalsLck.Lock()
- for _, ch := range conn.signals {
- ch <- signal
- }
- conn.signalsLck.Unlock()
- case TypeMethodCall:
- go conn.handleCall(msg)
- }
- } else if _, ok := err.(InvalidMessageError); !ok {
- // Some read error occured (usually EOF); we can't really do
- // anything but to shut down all stuff and returns errors to all
- // pending replies.
- conn.Close()
- conn.callsLck.RLock()
- for _, v := range conn.calls {
- v.Err = err
- v.Done <- v
- }
- conn.callsLck.RUnlock()
- return
- }
- // invalid messages are ignored
- }
-}
-
-// Names returns the list of all names that are currently owned by this
-// connection. The slice is always at least one element long, the first element
-// being the unique name of the connection.
-func (conn *Conn) Names() []string {
- conn.namesLck.RLock()
- // copy the slice so it can't be modified
- s := make([]string, len(conn.names))
- copy(s, conn.names)
- conn.namesLck.RUnlock()
- return s
-}
-
-// Object returns the object identified by the given destination name and path.
-func (conn *Conn) Object(dest string, path ObjectPath) BusObject {
- return &Object{conn, dest, path}
-}
-
-// outWorker runs in an own goroutine, encoding and sending messages that are
-// sent to conn.out.
-func (conn *Conn) outWorker() {
- for msg := range conn.out {
- err := conn.SendMessage(msg)
- conn.callsLck.RLock()
- if err != nil {
- if c := conn.calls[msg.serial]; c != nil {
- c.Err = err
- c.Done <- c
- }
- conn.serialLck.Lock()
- delete(conn.serialUsed, msg.serial)
- conn.serialLck.Unlock()
- } else if msg.Type != TypeMethodCall {
- conn.serialLck.Lock()
- delete(conn.serialUsed, msg.serial)
- conn.serialLck.Unlock()
- }
- conn.callsLck.RUnlock()
- }
-}
-
-// Send sends the given message to the message bus. You usually don't need to
-// use this; use the higher-level equivalents (Call / Go, Emit and Export)
-// instead. If msg is a method call and NoReplyExpected is not set, a non-nil
-// call is returned and the same value is sent to ch (which must be buffered)
-// once the call is complete. Otherwise, ch is ignored and a Call structure is
-// returned of which only the Err member is valid.
-func (conn *Conn) Send(msg *Message, ch chan *Call) *Call {
- var call *Call
-
- msg.serial = conn.getSerial()
- if msg.Type == TypeMethodCall && msg.Flags&FlagNoReplyExpected == 0 {
- if ch == nil {
- ch = make(chan *Call, 5)
- } else if cap(ch) == 0 {
- panic("dbus: unbuffered channel passed to (*Conn).Send")
- }
- call = new(Call)
- call.Destination, _ = msg.Headers[FieldDestination].value.(string)
- call.Path, _ = msg.Headers[FieldPath].value.(ObjectPath)
- iface, _ := msg.Headers[FieldInterface].value.(string)
- member, _ := msg.Headers[FieldMember].value.(string)
- call.Method = iface + "." + member
- call.Args = msg.Body
- call.Done = ch
- conn.callsLck.Lock()
- conn.calls[msg.serial] = call
- conn.callsLck.Unlock()
- conn.outLck.RLock()
- if conn.closed {
- call.Err = ErrClosed
- call.Done <- call
- } else {
- conn.out <- msg
- }
- conn.outLck.RUnlock()
- } else {
- conn.outLck.RLock()
- if conn.closed {
- call = &Call{Err: ErrClosed}
- } else {
- conn.out <- msg
- call = &Call{Err: nil}
- }
- conn.outLck.RUnlock()
- }
- return call
-}
-
-// sendError creates an error message corresponding to the parameters and sends
-// it to conn.out.
-func (conn *Conn) sendError(e Error, dest string, serial uint32) {
- msg := new(Message)
- msg.Type = TypeError
- msg.serial = conn.getSerial()
- msg.Headers = make(map[HeaderField]Variant)
- if dest != "" {
- msg.Headers[FieldDestination] = MakeVariant(dest)
- }
- msg.Headers[FieldErrorName] = MakeVariant(e.Name)
- msg.Headers[FieldReplySerial] = MakeVariant(serial)
- msg.Body = e.Body
- if len(e.Body) > 0 {
- msg.Headers[FieldSignature] = MakeVariant(SignatureOf(e.Body...))
- }
- conn.outLck.RLock()
- if !conn.closed {
- conn.out <- msg
- }
- conn.outLck.RUnlock()
-}
-
-// sendReply creates a method reply message corresponding to the parameters and
-// sends it to conn.out.
-func (conn *Conn) sendReply(dest string, serial uint32, values ...interface{}) {
- msg := new(Message)
- msg.Type = TypeMethodReply
- msg.serial = conn.getSerial()
- msg.Headers = make(map[HeaderField]Variant)
- if dest != "" {
- msg.Headers[FieldDestination] = MakeVariant(dest)
- }
- msg.Headers[FieldReplySerial] = MakeVariant(serial)
- msg.Body = values
- if len(values) > 0 {
- msg.Headers[FieldSignature] = MakeVariant(SignatureOf(values...))
- }
- conn.outLck.RLock()
- if !conn.closed {
- conn.out <- msg
- }
- conn.outLck.RUnlock()
-}
-
-// Signal registers the given channel to be passed all received signal messages.
-// The caller has to make sure that ch is sufficiently buffered; if a message
-// arrives when a write to c is not possible, it is discarded.
-//
-// Multiple of these channels can be registered at the same time. Passing a
-// channel that already is registered will remove it from the list of the
-// registered channels.
-//
-// These channels are "overwritten" by Eavesdrop; i.e., if there currently is a
-// channel for eavesdropped messages, this channel receives all signals, and
-// none of the channels passed to Signal will receive any signals.
-func (conn *Conn) Signal(ch chan<- *Signal) {
- conn.signalsLck.Lock()
- conn.signals = append(conn.signals, ch)
- conn.signalsLck.Unlock()
-}
-
-// SupportsUnixFDs returns whether the underlying transport supports passing of
-// unix file descriptors. If this is false, method calls containing unix file
-// descriptors will return an error and emitted signals containing them will
-// not be sent.
-func (conn *Conn) SupportsUnixFDs() bool {
- return conn.unixFD
-}
-
-// Error represents a D-Bus message of type Error.
-type Error struct {
- Name string
- Body []interface{}
-}
-
-func NewError(name string, body []interface{}) *Error {
- return &Error{name, body}
-}
-
-func (e Error) Error() string {
- if len(e.Body) >= 1 {
- s, ok := e.Body[0].(string)
- if ok {
- return s
- }
- }
- return e.Name
-}
-
-// Signal represents a D-Bus message of type Signal. The name member is given in
-// "interface.member" notation, e.g. org.freedesktop.D-Bus.NameLost.
-type Signal struct {
- Sender string
- Path ObjectPath
- Name string
- Body []interface{}
-}
-
-// transport is a D-Bus transport.
-type transport interface {
- // Read and Write raw data (for example, for the authentication protocol).
- io.ReadWriteCloser
-
- // Send the initial null byte used for the EXTERNAL mechanism.
- SendNullByte() error
-
- // Returns whether this transport supports passing Unix FDs.
- SupportsUnixFDs() bool
-
- // Signal the transport that Unix FD passing is enabled for this connection.
- EnableUnixFDs()
-
- // Read / send a message, handling things like Unix FDs.
- ReadMessage() (*Message, error)
- SendMessage(*Message) error
-}
-
-var (
- transports = make(map[string]func(string) (transport, error))
-)
-
-func getTransport(address string) (transport, error) {
- var err error
- var t transport
-
- addresses := strings.Split(address, ";")
- for _, v := range addresses {
- i := strings.IndexRune(v, ':')
- if i == -1 {
- err = errors.New("dbus: invalid bus address (no transport)")
- continue
- }
- f := transports[v[:i]]
- if f == nil {
- err = errors.New("dbus: invalid bus address (invalid or unsupported transport)")
- continue
- }
- t, err = f(v[i+1:])
- if err == nil {
- return t, nil
- }
- }
- return nil, err
-}
-
-// dereferenceAll returns a slice that, assuming that vs is a slice of pointers
-// of arbitrary types, containes the values that are obtained from dereferencing
-// all elements in vs.
-func dereferenceAll(vs []interface{}) []interface{} {
- for i := range vs {
- v := reflect.ValueOf(vs[i])
- v = v.Elem()
- vs[i] = v.Interface()
- }
- return vs
-}
-
-// getKey gets a key from a the list of keys. Returns "" on error / not found...
-func getKey(s, key string) string {
- i := strings.Index(s, key)
- if i == -1 {
- return ""
- }
- if i+len(key)+1 >= len(s) || s[i+len(key)] != '=' {
- return ""
- }
- j := strings.Index(s, ",")
- if j == -1 {
- j = len(s)
- }
- return s[i+len(key)+1 : j]
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/godbus/dbus/conn_darwin.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/godbus/dbus/conn_darwin.go
deleted file mode 100644
index b67bb1b81da68a64fe0c5221f4dafe4f429d5228..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/godbus/dbus/conn_darwin.go
+++ /dev/null
@@ -1,21 +0,0 @@
-package dbus
-
-import (
- "errors"
- "os/exec"
-)
-
-func sessionBusPlatform() (*Conn, error) {
- cmd := exec.Command("launchctl", "getenv", "DBUS_LAUNCHD_SESSION_BUS_SOCKET")
- b, err := cmd.CombinedOutput()
-
- if err != nil {
- return nil, err
- }
-
- if len(b) == 0 {
- return nil, errors.New("dbus: couldn't determine address of session bus")
- }
-
- return Dial("unix:path=" + string(b[:len(b)-1]))
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/godbus/dbus/conn_other.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/godbus/dbus/conn_other.go
deleted file mode 100644
index f74b8758d44bb72d27f6b95ebfc835b10503b655..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/godbus/dbus/conn_other.go
+++ /dev/null
@@ -1,27 +0,0 @@
-// +build !darwin
-
-package dbus
-
-import (
- "bytes"
- "errors"
- "os/exec"
-)
-
-func sessionBusPlatform() (*Conn, error) {
- cmd := exec.Command("dbus-launch")
- b, err := cmd.CombinedOutput()
-
- if err != nil {
- return nil, err
- }
-
- i := bytes.IndexByte(b, '=')
- j := bytes.IndexByte(b, '\n')
-
- if i == -1 || j == -1 {
- return nil, errors.New("dbus: couldn't determine address of session bus")
- }
-
- return Dial(string(b[i+1 : j]))
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/godbus/dbus/dbus.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/godbus/dbus/dbus.go
deleted file mode 100644
index 2ce68735cdf9250e45b5a871cc9076c4d3d47de5..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/godbus/dbus/dbus.go
+++ /dev/null
@@ -1,258 +0,0 @@
-package dbus
-
-import (
- "errors"
- "reflect"
- "strings"
-)
-
-var (
- byteType = reflect.TypeOf(byte(0))
- boolType = reflect.TypeOf(false)
- uint8Type = reflect.TypeOf(uint8(0))
- int16Type = reflect.TypeOf(int16(0))
- uint16Type = reflect.TypeOf(uint16(0))
- int32Type = reflect.TypeOf(int32(0))
- uint32Type = reflect.TypeOf(uint32(0))
- int64Type = reflect.TypeOf(int64(0))
- uint64Type = reflect.TypeOf(uint64(0))
- float64Type = reflect.TypeOf(float64(0))
- stringType = reflect.TypeOf("")
- signatureType = reflect.TypeOf(Signature{""})
- objectPathType = reflect.TypeOf(ObjectPath(""))
- variantType = reflect.TypeOf(Variant{Signature{""}, nil})
- interfacesType = reflect.TypeOf([]interface{}{})
- unixFDType = reflect.TypeOf(UnixFD(0))
- unixFDIndexType = reflect.TypeOf(UnixFDIndex(0))
-)
-
-// An InvalidTypeError signals that a value which cannot be represented in the
-// D-Bus wire format was passed to a function.
-type InvalidTypeError struct {
- Type reflect.Type
-}
-
-func (e InvalidTypeError) Error() string {
- return "dbus: invalid type " + e.Type.String()
-}
-
-// Store copies the values contained in src to dest, which must be a slice of
-// pointers. It converts slices of interfaces from src to corresponding structs
-// in dest. An error is returned if the lengths of src and dest or the types of
-// their elements don't match.
-func Store(src []interface{}, dest ...interface{}) error {
- if len(src) != len(dest) {
- return errors.New("dbus.Store: length mismatch")
- }
-
- for i := range src {
- if err := store(src[i], dest[i]); err != nil {
- return err
- }
- }
- return nil
-}
-
-func store(src, dest interface{}) error {
- if reflect.TypeOf(dest).Elem() == reflect.TypeOf(src) {
- reflect.ValueOf(dest).Elem().Set(reflect.ValueOf(src))
- return nil
- } else if hasStruct(dest) {
- rv := reflect.ValueOf(dest).Elem()
- switch rv.Kind() {
- case reflect.Struct:
- vs, ok := src.([]interface{})
- if !ok {
- return errors.New("dbus.Store: type mismatch")
- }
- t := rv.Type()
- ndest := make([]interface{}, 0, rv.NumField())
- for i := 0; i < rv.NumField(); i++ {
- field := t.Field(i)
- if field.PkgPath == "" && field.Tag.Get("dbus") != "-" {
- ndest = append(ndest, rv.Field(i).Addr().Interface())
- }
- }
- if len(vs) != len(ndest) {
- return errors.New("dbus.Store: type mismatch")
- }
- err := Store(vs, ndest...)
- if err != nil {
- return errors.New("dbus.Store: type mismatch")
- }
- case reflect.Slice:
- sv := reflect.ValueOf(src)
- if sv.Kind() != reflect.Slice {
- return errors.New("dbus.Store: type mismatch")
- }
- rv.Set(reflect.MakeSlice(rv.Type(), sv.Len(), sv.Len()))
- for i := 0; i < sv.Len(); i++ {
- if err := store(sv.Index(i).Interface(), rv.Index(i).Addr().Interface()); err != nil {
- return err
- }
- }
- case reflect.Map:
- sv := reflect.ValueOf(src)
- if sv.Kind() != reflect.Map {
- return errors.New("dbus.Store: type mismatch")
- }
- keys := sv.MapKeys()
- rv.Set(reflect.MakeMap(sv.Type()))
- for _, key := range keys {
- v := reflect.New(sv.Type().Elem())
- if err := store(v, sv.MapIndex(key).Interface()); err != nil {
- return err
- }
- rv.SetMapIndex(key, v.Elem())
- }
- default:
- return errors.New("dbus.Store: type mismatch")
- }
- return nil
- } else {
- return errors.New("dbus.Store: type mismatch")
- }
-}
-
-func hasStruct(v interface{}) bool {
- t := reflect.TypeOf(v)
- for {
- switch t.Kind() {
- case reflect.Struct:
- return true
- case reflect.Slice, reflect.Ptr, reflect.Map:
- t = t.Elem()
- default:
- return false
- }
- }
-}
-
-// An ObjectPath is an object path as defined by the D-Bus spec.
-type ObjectPath string
-
-// IsValid returns whether the object path is valid.
-func (o ObjectPath) IsValid() bool {
- s := string(o)
- if len(s) == 0 {
- return false
- }
- if s[0] != '/' {
- return false
- }
- if s[len(s)-1] == '/' && len(s) != 1 {
- return false
- }
- // probably not used, but technically possible
- if s == "/" {
- return true
- }
- split := strings.Split(s[1:], "/")
- for _, v := range split {
- if len(v) == 0 {
- return false
- }
- for _, c := range v {
- if !isMemberChar(c) {
- return false
- }
- }
- }
- return true
-}
-
-// A UnixFD is a Unix file descriptor sent over the wire. See the package-level
-// documentation for more information about Unix file descriptor passsing.
-type UnixFD int32
-
-// A UnixFDIndex is the representation of a Unix file descriptor in a message.
-type UnixFDIndex uint32
-
-// alignment returns the alignment of values of type t.
-func alignment(t reflect.Type) int {
- switch t {
- case variantType:
- return 1
- case objectPathType:
- return 4
- case signatureType:
- return 1
- case interfacesType: // sometimes used for structs
- return 8
- }
- switch t.Kind() {
- case reflect.Uint8:
- return 1
- case reflect.Uint16, reflect.Int16:
- return 2
- case reflect.Uint32, reflect.Int32, reflect.String, reflect.Array, reflect.Slice, reflect.Map:
- return 4
- case reflect.Uint64, reflect.Int64, reflect.Float64, reflect.Struct:
- return 8
- case reflect.Ptr:
- return alignment(t.Elem())
- }
- return 1
-}
-
-// isKeyType returns whether t is a valid type for a D-Bus dict.
-func isKeyType(t reflect.Type) bool {
- switch t.Kind() {
- case reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64,
- reflect.Int16, reflect.Int32, reflect.Int64, reflect.Float64,
- reflect.String:
-
- return true
- }
- return false
-}
-
-// isValidInterface returns whether s is a valid name for an interface.
-func isValidInterface(s string) bool {
- if len(s) == 0 || len(s) > 255 || s[0] == '.' {
- return false
- }
- elem := strings.Split(s, ".")
- if len(elem) < 2 {
- return false
- }
- for _, v := range elem {
- if len(v) == 0 {
- return false
- }
- if v[0] >= '0' && v[0] <= '9' {
- return false
- }
- for _, c := range v {
- if !isMemberChar(c) {
- return false
- }
- }
- }
- return true
-}
-
-// isValidMember returns whether s is a valid name for a member.
-func isValidMember(s string) bool {
- if len(s) == 0 || len(s) > 255 {
- return false
- }
- i := strings.Index(s, ".")
- if i != -1 {
- return false
- }
- if s[0] >= '0' && s[0] <= '9' {
- return false
- }
- for _, c := range s {
- if !isMemberChar(c) {
- return false
- }
- }
- return true
-}
-
-func isMemberChar(c rune) bool {
- return (c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') ||
- (c >= 'a' && c <= 'z') || c == '_'
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/godbus/dbus/decoder.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/godbus/dbus/decoder.go
deleted file mode 100644
index ef50dcab98d0d8fb1f166b25bd616f50f30b71fc..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/godbus/dbus/decoder.go
+++ /dev/null
@@ -1,228 +0,0 @@
-package dbus
-
-import (
- "encoding/binary"
- "io"
- "reflect"
-)
-
-type decoder struct {
- in io.Reader
- order binary.ByteOrder
- pos int
-}
-
-// newDecoder returns a new decoder that reads values from in. The input is
-// expected to be in the given byte order.
-func newDecoder(in io.Reader, order binary.ByteOrder) *decoder {
- dec := new(decoder)
- dec.in = in
- dec.order = order
- return dec
-}
-
-// align aligns the input to the given boundary and panics on error.
-func (dec *decoder) align(n int) {
- if dec.pos%n != 0 {
- newpos := (dec.pos + n - 1) & ^(n - 1)
- empty := make([]byte, newpos-dec.pos)
- if _, err := io.ReadFull(dec.in, empty); err != nil {
- panic(err)
- }
- dec.pos = newpos
- }
-}
-
-// Calls binary.Read(dec.in, dec.order, v) and panics on read errors.
-func (dec *decoder) binread(v interface{}) {
- if err := binary.Read(dec.in, dec.order, v); err != nil {
- panic(err)
- }
-}
-
-func (dec *decoder) Decode(sig Signature) (vs []interface{}, err error) {
- defer func() {
- var ok bool
- v := recover()
- if err, ok = v.(error); ok {
- if err == io.EOF || err == io.ErrUnexpectedEOF {
- err = FormatError("unexpected EOF")
- }
- }
- }()
- vs = make([]interface{}, 0)
- s := sig.str
- for s != "" {
- err, rem := validSingle(s, 0)
- if err != nil {
- return nil, err
- }
- v := dec.decode(s[:len(s)-len(rem)], 0)
- vs = append(vs, v)
- s = rem
- }
- return vs, nil
-}
-
-func (dec *decoder) decode(s string, depth int) interface{} {
- dec.align(alignment(typeFor(s)))
- switch s[0] {
- case 'y':
- var b [1]byte
- if _, err := dec.in.Read(b[:]); err != nil {
- panic(err)
- }
- dec.pos++
- return b[0]
- case 'b':
- i := dec.decode("u", depth).(uint32)
- switch {
- case i == 0:
- return false
- case i == 1:
- return true
- default:
- panic(FormatError("invalid value for boolean"))
- }
- case 'n':
- var i int16
- dec.binread(&i)
- dec.pos += 2
- return i
- case 'i':
- var i int32
- dec.binread(&i)
- dec.pos += 4
- return i
- case 'x':
- var i int64
- dec.binread(&i)
- dec.pos += 8
- return i
- case 'q':
- var i uint16
- dec.binread(&i)
- dec.pos += 2
- return i
- case 'u':
- var i uint32
- dec.binread(&i)
- dec.pos += 4
- return i
- case 't':
- var i uint64
- dec.binread(&i)
- dec.pos += 8
- return i
- case 'd':
- var f float64
- dec.binread(&f)
- dec.pos += 8
- return f
- case 's':
- length := dec.decode("u", depth).(uint32)
- b := make([]byte, int(length)+1)
- if _, err := io.ReadFull(dec.in, b); err != nil {
- panic(err)
- }
- dec.pos += int(length) + 1
- return string(b[:len(b)-1])
- case 'o':
- return ObjectPath(dec.decode("s", depth).(string))
- case 'g':
- length := dec.decode("y", depth).(byte)
- b := make([]byte, int(length)+1)
- if _, err := io.ReadFull(dec.in, b); err != nil {
- panic(err)
- }
- dec.pos += int(length) + 1
- sig, err := ParseSignature(string(b[:len(b)-1]))
- if err != nil {
- panic(err)
- }
- return sig
- case 'v':
- if depth >= 64 {
- panic(FormatError("input exceeds container depth limit"))
- }
- var variant Variant
- sig := dec.decode("g", depth).(Signature)
- if len(sig.str) == 0 {
- panic(FormatError("variant signature is empty"))
- }
- err, rem := validSingle(sig.str, 0)
- if err != nil {
- panic(err)
- }
- if rem != "" {
- panic(FormatError("variant signature has multiple types"))
- }
- variant.sig = sig
- variant.value = dec.decode(sig.str, depth+1)
- return variant
- case 'h':
- return UnixFDIndex(dec.decode("u", depth).(uint32))
- case 'a':
- if len(s) > 1 && s[1] == '{' {
- ksig := s[2:3]
- vsig := s[3 : len(s)-1]
- v := reflect.MakeMap(reflect.MapOf(typeFor(ksig), typeFor(vsig)))
- if depth >= 63 {
- panic(FormatError("input exceeds container depth limit"))
- }
- length := dec.decode("u", depth).(uint32)
- // Even for empty maps, the correct padding must be included
- dec.align(8)
- spos := dec.pos
- for dec.pos < spos+int(length) {
- dec.align(8)
- if !isKeyType(v.Type().Key()) {
- panic(InvalidTypeError{v.Type()})
- }
- kv := dec.decode(ksig, depth+2)
- vv := dec.decode(vsig, depth+2)
- v.SetMapIndex(reflect.ValueOf(kv), reflect.ValueOf(vv))
- }
- return v.Interface()
- }
- if depth >= 64 {
- panic(FormatError("input exceeds container depth limit"))
- }
- length := dec.decode("u", depth).(uint32)
- v := reflect.MakeSlice(reflect.SliceOf(typeFor(s[1:])), 0, int(length))
- // Even for empty arrays, the correct padding must be included
- dec.align(alignment(typeFor(s[1:])))
- spos := dec.pos
- for dec.pos < spos+int(length) {
- ev := dec.decode(s[1:], depth+1)
- v = reflect.Append(v, reflect.ValueOf(ev))
- }
- return v.Interface()
- case '(':
- if depth >= 64 {
- panic(FormatError("input exceeds container depth limit"))
- }
- dec.align(8)
- v := make([]interface{}, 0)
- s = s[1 : len(s)-1]
- for s != "" {
- err, rem := validSingle(s, 0)
- if err != nil {
- panic(err)
- }
- ev := dec.decode(s[:len(s)-len(rem)], depth+1)
- v = append(v, ev)
- s = rem
- }
- return v
- default:
- panic(SignatureError{Sig: s})
- }
-}
-
-// A FormatError is an error in the wire format.
-type FormatError string
-
-func (e FormatError) Error() string {
- return "dbus: wire format error: " + string(e)
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/godbus/dbus/doc.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/godbus/dbus/doc.go
deleted file mode 100644
index deff554a381ad3baefb767a161bf77ca65f59934..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/godbus/dbus/doc.go
+++ /dev/null
@@ -1,63 +0,0 @@
-/*
-Package dbus implements bindings to the D-Bus message bus system.
-
-To use the message bus API, you first need to connect to a bus (usually the
-session or system bus). The acquired connection then can be used to call methods
-on remote objects and emit or receive signals. Using the Export method, you can
-arrange D-Bus methods calls to be directly translated to method calls on a Go
-value.
-
-Conversion Rules
-
-For outgoing messages, Go types are automatically converted to the
-corresponding D-Bus types. The following types are directly encoded as their
-respective D-Bus equivalents:
-
- Go type | D-Bus type
- ------------+-----------
- byte | BYTE
- bool | BOOLEAN
- int16 | INT16
- uint16 | UINT16
- int32 | INT32
- uint32 | UINT32
- int64 | INT64
- uint64 | UINT64
- float64 | DOUBLE
- string | STRING
- ObjectPath | OBJECT_PATH
- Signature | SIGNATURE
- Variant | VARIANT
- UnixFDIndex | UNIX_FD
-
-Slices and arrays encode as ARRAYs of their element type.
-
-Maps encode as DICTs, provided that their key type can be used as a key for
-a DICT.
-
-Structs other than Variant and Signature encode as a STRUCT containing their
-exported fields. Fields whose tags contain `dbus:"-"` and unexported fields will
-be skipped.
-
-Pointers encode as the value they're pointed to.
-
-Trying to encode any other type or a slice, map or struct containing an
-unsupported type will result in an InvalidTypeError.
-
-For incoming messages, the inverse of these rules are used, with the exception
-of STRUCTs. Incoming STRUCTS are represented as a slice of empty interfaces
-containing the struct fields in the correct order. The Store function can be
-used to convert such values to Go structs.
-
-Unix FD passing
-
-Handling Unix file descriptors deserves special mention. To use them, you should
-first check that they are supported on a connection by calling SupportsUnixFDs.
-If it returns true, all method of Connection will translate messages containing
-UnixFD's to messages that are accompanied by the given file descriptors with the
-UnixFD values being substituted by the correct indices. Similarily, the indices
-of incoming messages are automatically resolved. It shouldn't be necessary to use
-UnixFDIndex.
-
-*/
-package dbus
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/godbus/dbus/encoder.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/godbus/dbus/encoder.go
deleted file mode 100644
index 9f0a9e89eabfe73e961de2d616424056ed77750d..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/godbus/dbus/encoder.go
+++ /dev/null
@@ -1,208 +0,0 @@
-package dbus
-
-import (
- "bytes"
- "encoding/binary"
- "io"
- "reflect"
-)
-
-// An encoder encodes values to the D-Bus wire format.
-type encoder struct {
- out io.Writer
- order binary.ByteOrder
- pos int
-}
-
-// NewEncoder returns a new encoder that writes to out in the given byte order.
-func newEncoder(out io.Writer, order binary.ByteOrder) *encoder {
- return newEncoderAtOffset(out, 0, order)
-}
-
-// newEncoderAtOffset returns a new encoder that writes to out in the given
-// byte order. Specify the offset to initialize pos for proper alignment
-// computation.
-func newEncoderAtOffset(out io.Writer, offset int, order binary.ByteOrder) *encoder {
- enc := new(encoder)
- enc.out = out
- enc.order = order
- enc.pos = offset
- return enc
-}
-
-// Aligns the next output to be on a multiple of n. Panics on write errors.
-func (enc *encoder) align(n int) {
- pad := enc.padding(0, n)
- if pad > 0 {
- empty := make([]byte, pad)
- if _, err := enc.out.Write(empty); err != nil {
- panic(err)
- }
- enc.pos += pad
- }
-}
-
-// pad returns the number of bytes of padding, based on current position and additional offset.
-// and alignment.
-func (enc *encoder) padding(offset, algn int) int {
- abs := enc.pos + offset
- if abs%algn != 0 {
- newabs := (abs + algn - 1) & ^(algn - 1)
- return newabs - abs
- }
- return 0
-}
-
-// Calls binary.Write(enc.out, enc.order, v) and panics on write errors.
-func (enc *encoder) binwrite(v interface{}) {
- if err := binary.Write(enc.out, enc.order, v); err != nil {
- panic(err)
- }
-}
-
-// Encode encodes the given values to the underyling reader. All written values
-// are aligned properly as required by the D-Bus spec.
-func (enc *encoder) Encode(vs ...interface{}) (err error) {
- defer func() {
- err, _ = recover().(error)
- }()
- for _, v := range vs {
- enc.encode(reflect.ValueOf(v), 0)
- }
- return nil
-}
-
-// encode encodes the given value to the writer and panics on error. depth holds
-// the depth of the container nesting.
-func (enc *encoder) encode(v reflect.Value, depth int) {
- enc.align(alignment(v.Type()))
- switch v.Kind() {
- case reflect.Uint8:
- var b [1]byte
- b[0] = byte(v.Uint())
- if _, err := enc.out.Write(b[:]); err != nil {
- panic(err)
- }
- enc.pos++
- case reflect.Bool:
- if v.Bool() {
- enc.encode(reflect.ValueOf(uint32(1)), depth)
- } else {
- enc.encode(reflect.ValueOf(uint32(0)), depth)
- }
- case reflect.Int16:
- enc.binwrite(int16(v.Int()))
- enc.pos += 2
- case reflect.Uint16:
- enc.binwrite(uint16(v.Uint()))
- enc.pos += 2
- case reflect.Int32:
- enc.binwrite(int32(v.Int()))
- enc.pos += 4
- case reflect.Uint32:
- enc.binwrite(uint32(v.Uint()))
- enc.pos += 4
- case reflect.Int64:
- enc.binwrite(v.Int())
- enc.pos += 8
- case reflect.Uint64:
- enc.binwrite(v.Uint())
- enc.pos += 8
- case reflect.Float64:
- enc.binwrite(v.Float())
- enc.pos += 8
- case reflect.String:
- enc.encode(reflect.ValueOf(uint32(len(v.String()))), depth)
- b := make([]byte, v.Len()+1)
- copy(b, v.String())
- b[len(b)-1] = 0
- n, err := enc.out.Write(b)
- if err != nil {
- panic(err)
- }
- enc.pos += n
- case reflect.Ptr:
- enc.encode(v.Elem(), depth)
- case reflect.Slice, reflect.Array:
- if depth >= 64 {
- panic(FormatError("input exceeds container depth limit"))
- }
- // Lookahead offset: 4 bytes for uint32 length (with alignment),
- // plus alignment for elements.
- n := enc.padding(0, 4) + 4
- offset := enc.pos + n + enc.padding(n, alignment(v.Type().Elem()))
-
- var buf bytes.Buffer
- bufenc := newEncoderAtOffset(&buf, offset, enc.order)
-
- for i := 0; i < v.Len(); i++ {
- bufenc.encode(v.Index(i), depth+1)
- }
- enc.encode(reflect.ValueOf(uint32(buf.Len())), depth)
- length := buf.Len()
- enc.align(alignment(v.Type().Elem()))
- if _, err := buf.WriteTo(enc.out); err != nil {
- panic(err)
- }
- enc.pos += length
- case reflect.Struct:
- if depth >= 64 && v.Type() != signatureType {
- panic(FormatError("input exceeds container depth limit"))
- }
- switch t := v.Type(); t {
- case signatureType:
- str := v.Field(0)
- enc.encode(reflect.ValueOf(byte(str.Len())), depth+1)
- b := make([]byte, str.Len()+1)
- copy(b, str.String())
- b[len(b)-1] = 0
- n, err := enc.out.Write(b)
- if err != nil {
- panic(err)
- }
- enc.pos += n
- case variantType:
- variant := v.Interface().(Variant)
- enc.encode(reflect.ValueOf(variant.sig), depth+1)
- enc.encode(reflect.ValueOf(variant.value), depth+1)
- default:
- for i := 0; i < v.Type().NumField(); i++ {
- field := t.Field(i)
- if field.PkgPath == "" && field.Tag.Get("dbus") != "-" {
- enc.encode(v.Field(i), depth+1)
- }
- }
- }
- case reflect.Map:
- // Maps are arrays of structures, so they actually increase the depth by
- // 2.
- if depth >= 63 {
- panic(FormatError("input exceeds container depth limit"))
- }
- if !isKeyType(v.Type().Key()) {
- panic(InvalidTypeError{v.Type()})
- }
- keys := v.MapKeys()
- // Lookahead offset: 4 bytes for uint32 length (with alignment),
- // plus 8-byte alignment
- n := enc.padding(0, 4) + 4
- offset := enc.pos + n + enc.padding(n, 8)
-
- var buf bytes.Buffer
- bufenc := newEncoderAtOffset(&buf, offset, enc.order)
- for _, k := range keys {
- bufenc.align(8)
- bufenc.encode(k, depth+2)
- bufenc.encode(v.MapIndex(k), depth+2)
- }
- enc.encode(reflect.ValueOf(uint32(buf.Len())), depth)
- length := buf.Len()
- enc.align(8)
- if _, err := buf.WriteTo(enc.out); err != nil {
- panic(err)
- }
- enc.pos += length
- default:
- panic(InvalidTypeError{v.Type()})
- }
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/godbus/dbus/export.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/godbus/dbus/export.go
deleted file mode 100644
index c6440a7416a02248af76dc5b9c5e454d68bac26f..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/godbus/dbus/export.go
+++ /dev/null
@@ -1,411 +0,0 @@
-package dbus
-
-import (
- "errors"
- "fmt"
- "reflect"
- "strings"
-)
-
-var (
- errmsgInvalidArg = Error{
- "org.freedesktop.DBus.Error.InvalidArgs",
- []interface{}{"Invalid type / number of args"},
- }
- errmsgNoObject = Error{
- "org.freedesktop.DBus.Error.NoSuchObject",
- []interface{}{"No such object"},
- }
- errmsgUnknownMethod = Error{
- "org.freedesktop.DBus.Error.UnknownMethod",
- []interface{}{"Unknown / invalid method"},
- }
-)
-
-// exportWithMapping represents an exported struct along with a method name
-// mapping to allow for exporting lower-case methods, etc.
-type exportWithMapping struct {
- export interface{}
-
- // Method name mapping; key -> struct method, value -> dbus method.
- mapping map[string]string
-
- // Whether or not this export is for the entire subtree
- includeSubtree bool
-}
-
-// Sender is a type which can be used in exported methods to receive the message
-// sender.
-type Sender string
-
-func exportedMethod(export exportWithMapping, name string) reflect.Value {
- if export.export == nil {
- return reflect.Value{}
- }
-
- // If a mapping was included in the export, check the map to see if we
- // should be looking for a different method in the export.
- if export.mapping != nil {
- for key, value := range export.mapping {
- if value == name {
- name = key
- break
- }
-
- // Catch the case where a method is aliased but the client is calling
- // the original, e.g. the "Foo" method was exported mapped to
- // "foo," and dbus client called the original "Foo."
- if key == name {
- return reflect.Value{}
- }
- }
- }
-
- value := reflect.ValueOf(export.export)
- m := value.MethodByName(name)
-
- // Catch the case of attempting to call an unexported method
- method, ok := value.Type().MethodByName(name)
-
- if !m.IsValid() || !ok || method.PkgPath != "" {
- return reflect.Value{}
- }
- t := m.Type()
- if t.NumOut() == 0 ||
- t.Out(t.NumOut()-1) != reflect.TypeOf(&errmsgInvalidArg) {
-
- return reflect.Value{}
- }
- return m
-}
-
-// searchHandlers will look through all registered handlers looking for one
-// to handle the given path. If a verbatim one isn't found, it will check for
-// a subtree registration for the path as well.
-func (conn *Conn) searchHandlers(path ObjectPath) (map[string]exportWithMapping, bool) {
- conn.handlersLck.RLock()
- defer conn.handlersLck.RUnlock()
-
- handlers, ok := conn.handlers[path]
- if ok {
- return handlers, ok
- }
-
- // If handlers weren't found for this exact path, look for a matching subtree
- // registration
- handlers = make(map[string]exportWithMapping)
- path = path[:strings.LastIndex(string(path), "/")]
- for len(path) > 0 {
- var subtreeHandlers map[string]exportWithMapping
- subtreeHandlers, ok = conn.handlers[path]
- if ok {
- for iface, handler := range subtreeHandlers {
- // Only include this handler if it registered for the subtree
- if handler.includeSubtree {
- handlers[iface] = handler
- }
- }
-
- break
- }
-
- path = path[:strings.LastIndex(string(path), "/")]
- }
-
- return handlers, ok
-}
-
-// handleCall handles the given method call (i.e. looks if it's one of the
-// pre-implemented ones and searches for a corresponding handler if not).
-func (conn *Conn) handleCall(msg *Message) {
- name := msg.Headers[FieldMember].value.(string)
- path := msg.Headers[FieldPath].value.(ObjectPath)
- ifaceName, hasIface := msg.Headers[FieldInterface].value.(string)
- sender, hasSender := msg.Headers[FieldSender].value.(string)
- serial := msg.serial
- if ifaceName == "org.freedesktop.DBus.Peer" {
- switch name {
- case "Ping":
- conn.sendReply(sender, serial)
- case "GetMachineId":
- conn.sendReply(sender, serial, conn.uuid)
- default:
- conn.sendError(errmsgUnknownMethod, sender, serial)
- }
- return
- }
- if len(name) == 0 {
- conn.sendError(errmsgUnknownMethod, sender, serial)
- }
-
- // Find the exported handler (if any) for this path
- handlers, ok := conn.searchHandlers(path)
- if !ok {
- conn.sendError(errmsgNoObject, sender, serial)
- return
- }
-
- var m reflect.Value
- if hasIface {
- iface := handlers[ifaceName]
- m = exportedMethod(iface, name)
- } else {
- for _, v := range handlers {
- m = exportedMethod(v, name)
- if m.IsValid() {
- break
- }
- }
- }
-
- if !m.IsValid() {
- conn.sendError(errmsgUnknownMethod, sender, serial)
- return
- }
-
- t := m.Type()
- vs := msg.Body
- pointers := make([]interface{}, t.NumIn())
- decode := make([]interface{}, 0, len(vs))
- for i := 0; i < t.NumIn(); i++ {
- tp := t.In(i)
- val := reflect.New(tp)
- pointers[i] = val.Interface()
- if tp == reflect.TypeOf((*Sender)(nil)).Elem() {
- val.Elem().SetString(sender)
- } else if tp == reflect.TypeOf((*Message)(nil)).Elem() {
- val.Elem().Set(reflect.ValueOf(*msg))
- } else {
- decode = append(decode, pointers[i])
- }
- }
-
- if len(decode) != len(vs) {
- conn.sendError(errmsgInvalidArg, sender, serial)
- return
- }
-
- if err := Store(vs, decode...); err != nil {
- conn.sendError(errmsgInvalidArg, sender, serial)
- return
- }
-
- // Extract parameters
- params := make([]reflect.Value, len(pointers))
- for i := 0; i < len(pointers); i++ {
- params[i] = reflect.ValueOf(pointers[i]).Elem()
- }
-
- // Call method
- ret := m.Call(params)
- if em := ret[t.NumOut()-1].Interface().(*Error); em != nil {
- conn.sendError(*em, sender, serial)
- return
- }
-
- if msg.Flags&FlagNoReplyExpected == 0 {
- reply := new(Message)
- reply.Type = TypeMethodReply
- reply.serial = conn.getSerial()
- reply.Headers = make(map[HeaderField]Variant)
- if hasSender {
- reply.Headers[FieldDestination] = msg.Headers[FieldSender]
- }
- reply.Headers[FieldReplySerial] = MakeVariant(msg.serial)
- reply.Body = make([]interface{}, len(ret)-1)
- for i := 0; i < len(ret)-1; i++ {
- reply.Body[i] = ret[i].Interface()
- }
- if len(ret) != 1 {
- reply.Headers[FieldSignature] = MakeVariant(SignatureOf(reply.Body...))
- }
- conn.outLck.RLock()
- if !conn.closed {
- conn.out <- reply
- }
- conn.outLck.RUnlock()
- }
-}
-
-// Emit emits the given signal on the message bus. The name parameter must be
-// formatted as "interface.member", e.g., "org.freedesktop.DBus.NameLost".
-func (conn *Conn) Emit(path ObjectPath, name string, values ...interface{}) error {
- if !path.IsValid() {
- return errors.New("dbus: invalid object path")
- }
- i := strings.LastIndex(name, ".")
- if i == -1 {
- return errors.New("dbus: invalid method name")
- }
- iface := name[:i]
- member := name[i+1:]
- if !isValidMember(member) {
- return errors.New("dbus: invalid method name")
- }
- if !isValidInterface(iface) {
- return errors.New("dbus: invalid interface name")
- }
- msg := new(Message)
- msg.Type = TypeSignal
- msg.serial = conn.getSerial()
- msg.Headers = make(map[HeaderField]Variant)
- msg.Headers[FieldInterface] = MakeVariant(iface)
- msg.Headers[FieldMember] = MakeVariant(member)
- msg.Headers[FieldPath] = MakeVariant(path)
- msg.Body = values
- if len(values) > 0 {
- msg.Headers[FieldSignature] = MakeVariant(SignatureOf(values...))
- }
- conn.outLck.RLock()
- defer conn.outLck.RUnlock()
- if conn.closed {
- return ErrClosed
- }
- conn.out <- msg
- return nil
-}
-
-// Export registers the given value to be exported as an object on the
-// message bus.
-//
-// If a method call on the given path and interface is received, an exported
-// method with the same name is called with v as the receiver if the
-// parameters match and the last return value is of type *Error. If this
-// *Error is not nil, it is sent back to the caller as an error.
-// Otherwise, a method reply is sent with the other return values as its body.
-//
-// Any parameters with the special type Sender are set to the sender of the
-// dbus message when the method is called. Parameters of this type do not
-// contribute to the dbus signature of the method (i.e. the method is exposed
-// as if the parameters of type Sender were not there).
-//
-// Similarly, any parameters with the type Message are set to the raw message
-// received on the bus. Again, parameters of this type do not contribute to the
-// dbus signature of the method.
-//
-// Every method call is executed in a new goroutine, so the method may be called
-// in multiple goroutines at once.
-//
-// Method calls on the interface org.freedesktop.DBus.Peer will be automatically
-// handled for every object.
-//
-// Passing nil as the first parameter will cause conn to cease handling calls on
-// the given combination of path and interface.
-//
-// Export returns an error if path is not a valid path name.
-func (conn *Conn) Export(v interface{}, path ObjectPath, iface string) error {
- return conn.ExportWithMap(v, nil, path, iface)
-}
-
-// ExportWithMap works exactly like Export but provides the ability to remap
-// method names (e.g. export a lower-case method).
-//
-// The keys in the map are the real method names (exported on the struct), and
-// the values are the method names to be exported on DBus.
-func (conn *Conn) ExportWithMap(v interface{}, mapping map[string]string, path ObjectPath, iface string) error {
- return conn.exportWithMap(v, mapping, path, iface, false)
-}
-
-// ExportSubtree works exactly like Export but registers the given value for
-// an entire subtree rather under the root path provided.
-//
-// In order to make this useful, one parameter in each of the value's exported
-// methods should be a Message, in which case it will contain the raw message
-// (allowing one to get access to the path that caused the method to be called).
-//
-// Note that more specific export paths take precedence over less specific. For
-// example, a method call using the ObjectPath /foo/bar/baz will call a method
-// exported on /foo/bar before a method exported on /foo.
-func (conn *Conn) ExportSubtree(v interface{}, path ObjectPath, iface string) error {
- return conn.ExportSubtreeWithMap(v, nil, path, iface)
-}
-
-// ExportSubtreeWithMap works exactly like ExportSubtree but provides the
-// ability to remap method names (e.g. export a lower-case method).
-//
-// The keys in the map are the real method names (exported on the struct), and
-// the values are the method names to be exported on DBus.
-func (conn *Conn) ExportSubtreeWithMap(v interface{}, mapping map[string]string, path ObjectPath, iface string) error {
- return conn.exportWithMap(v, mapping, path, iface, true)
-}
-
-// exportWithMap is the worker function for all exports/registrations.
-func (conn *Conn) exportWithMap(v interface{}, mapping map[string]string, path ObjectPath, iface string, includeSubtree bool) error {
- if !path.IsValid() {
- return fmt.Errorf(`dbus: Invalid path name: "%s"`, path)
- }
-
- conn.handlersLck.Lock()
- defer conn.handlersLck.Unlock()
-
- // Remove a previous export if the interface is nil
- if v == nil {
- if _, ok := conn.handlers[path]; ok {
- delete(conn.handlers[path], iface)
- if len(conn.handlers[path]) == 0 {
- delete(conn.handlers, path)
- }
- }
-
- return nil
- }
-
- // If this is the first handler for this path, make a new map to hold all
- // handlers for this path.
- if _, ok := conn.handlers[path]; !ok {
- conn.handlers[path] = make(map[string]exportWithMapping)
- }
-
- // Finally, save this handler
- conn.handlers[path][iface] = exportWithMapping{export: v, mapping: mapping, includeSubtree: includeSubtree}
-
- return nil
-}
-
-// ReleaseName calls org.freedesktop.DBus.ReleaseName and awaits a response.
-func (conn *Conn) ReleaseName(name string) (ReleaseNameReply, error) {
- var r uint32
- err := conn.busObj.Call("org.freedesktop.DBus.ReleaseName", 0, name).Store(&r)
- if err != nil {
- return 0, err
- }
- return ReleaseNameReply(r), nil
-}
-
-// RequestName calls org.freedesktop.DBus.RequestName and awaits a response.
-func (conn *Conn) RequestName(name string, flags RequestNameFlags) (RequestNameReply, error) {
- var r uint32
- err := conn.busObj.Call("org.freedesktop.DBus.RequestName", 0, name, flags).Store(&r)
- if err != nil {
- return 0, err
- }
- return RequestNameReply(r), nil
-}
-
-// ReleaseNameReply is the reply to a ReleaseName call.
-type ReleaseNameReply uint32
-
-const (
- ReleaseNameReplyReleased ReleaseNameReply = 1 + iota
- ReleaseNameReplyNonExistent
- ReleaseNameReplyNotOwner
-)
-
-// RequestNameFlags represents the possible flags for a RequestName call.
-type RequestNameFlags uint32
-
-const (
- NameFlagAllowReplacement RequestNameFlags = 1 << iota
- NameFlagReplaceExisting
- NameFlagDoNotQueue
-)
-
-// RequestNameReply is the reply to a RequestName call.
-type RequestNameReply uint32
-
-const (
- RequestNameReplyPrimaryOwner RequestNameReply = 1 + iota
- RequestNameReplyInQueue
- RequestNameReplyExists
- RequestNameReplyAlreadyOwner
-)
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/godbus/dbus/homedir.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/godbus/dbus/homedir.go
deleted file mode 100644
index 0b745f9313a4aeb8f6bcb9746d45fdeeedf0524f..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/godbus/dbus/homedir.go
+++ /dev/null
@@ -1,28 +0,0 @@
-package dbus
-
-import (
- "os"
- "sync"
-)
-
-var (
- homeDir string
- homeDirLock sync.Mutex
-)
-
-func getHomeDir() string {
- homeDirLock.Lock()
- defer homeDirLock.Unlock()
-
- if homeDir != "" {
- return homeDir
- }
-
- homeDir = os.Getenv("HOME")
- if homeDir != "" {
- return homeDir
- }
-
- homeDir = lookupHomeDir()
- return homeDir
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/godbus/dbus/homedir_dynamic.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/godbus/dbus/homedir_dynamic.go
deleted file mode 100644
index 2732081e73b47367d4f084a62dfe3e56d33906bb..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/godbus/dbus/homedir_dynamic.go
+++ /dev/null
@@ -1,15 +0,0 @@
-// +build !static_build
-
-package dbus
-
-import (
- "os/user"
-)
-
-func lookupHomeDir() string {
- u, err := user.Current()
- if err != nil {
- return "/"
- }
- return u.HomeDir
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/godbus/dbus/homedir_static.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/godbus/dbus/homedir_static.go
deleted file mode 100644
index b9d9cb5525a397feb0214f077afbc24d790a3280..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/godbus/dbus/homedir_static.go
+++ /dev/null
@@ -1,45 +0,0 @@
-// +build static_build
-
-package dbus
-
-import (
- "bufio"
- "os"
- "strconv"
- "strings"
-)
-
-func lookupHomeDir() string {
- myUid := os.Getuid()
-
- f, err := os.Open("/etc/passwd")
- if err != nil {
- return "/"
- }
- defer f.Close()
-
- s := bufio.NewScanner(f)
-
- for s.Scan() {
- if err := s.Err(); err != nil {
- break
- }
-
- line := strings.TrimSpace(s.Text())
- if line == "" {
- continue
- }
-
- parts := strings.Split(line, ":")
-
- if len(parts) >= 6 {
- uid, err := strconv.Atoi(parts[2])
- if err == nil && uid == myUid {
- return parts[5]
- }
- }
- }
-
- // Default to / if we can't get a better value
- return "/"
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/godbus/dbus/introspect/call.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/godbus/dbus/introspect/call.go
deleted file mode 100644
index 790a23ec2404602569485915c7b3a2007fc6fd8a..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/godbus/dbus/introspect/call.go
+++ /dev/null
@@ -1,27 +0,0 @@
-package introspect
-
-import (
- "encoding/xml"
- "github.com/godbus/dbus"
- "strings"
-)
-
-// Call calls org.freedesktop.Introspectable.Introspect on a remote object
-// and returns the introspection data.
-func Call(o dbus.BusObject) (*Node, error) {
- var xmldata string
- var node Node
-
- err := o.Call("org.freedesktop.DBus.Introspectable.Introspect", 0).Store(&xmldata)
- if err != nil {
- return nil, err
- }
- err = xml.NewDecoder(strings.NewReader(xmldata)).Decode(&node)
- if err != nil {
- return nil, err
- }
- if node.Name == "" {
- node.Name = string(o.Path())
- }
- return &node, nil
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/godbus/dbus/introspect/introspect.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/godbus/dbus/introspect/introspect.go
deleted file mode 100644
index b06c3f1cf2d08f49f06ace8fc1f940d783ba33fe..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/godbus/dbus/introspect/introspect.go
+++ /dev/null
@@ -1,86 +0,0 @@
-// Package introspect provides some utilities for dealing with the DBus
-// introspection format.
-package introspect
-
-import "encoding/xml"
-
-// The introspection data for the org.freedesktop.DBus.Introspectable interface.
-var IntrospectData = Interface{
- Name: "org.freedesktop.DBus.Introspectable",
- Methods: []Method{
- {
- Name: "Introspect",
- Args: []Arg{
- {"out", "s", "out"},
- },
- },
- },
-}
-
-// XML document type declaration of the introspection format version 1.0
-const IntrospectDeclarationString = `
- <!DOCTYPE node PUBLIC "-//freedesktop//DTD D-BUS Object Introspection 1.0//EN"
- "http://www.freedesktop.org/standards/dbus/1.0/introspect.dtd">
-`
-
-// The introspection data for the org.freedesktop.DBus.Introspectable interface,
-// as a string.
-const IntrospectDataString = `
- <interface name="org.freedesktop.DBus.Introspectable">
- <method name="Introspect">
- <arg name="out" direction="out" type="s"/>
- </method>
- </interface>
-`
-
-// Node is the root element of an introspection.
-type Node struct {
- XMLName xml.Name `xml:"node"`
- Name string `xml:"name,attr,omitempty"`
- Interfaces []Interface `xml:"interface"`
- Children []Node `xml:"node,omitempty"`
-}
-
-// Interface describes a DBus interface that is available on the message bus.
-type Interface struct {
- Name string `xml:"name,attr"`
- Methods []Method `xml:"method"`
- Signals []Signal `xml:"signal"`
- Properties []Property `xml:"property"`
- Annotations []Annotation `xml:"annotation"`
-}
-
-// Method describes a Method on an Interface as retured by an introspection.
-type Method struct {
- Name string `xml:"name,attr"`
- Args []Arg `xml:"arg"`
- Annotations []Annotation `xml:"annotation"`
-}
-
-// Signal describes a Signal emitted on an Interface.
-type Signal struct {
- Name string `xml:"name,attr"`
- Args []Arg `xml:"arg"`
- Annotations []Annotation `xml:"annotation"`
-}
-
-// Property describes a property of an Interface.
-type Property struct {
- Name string `xml:"name,attr"`
- Type string `xml:"type,attr"`
- Access string `xml:"access,attr"`
- Annotations []Annotation `xml:"annotation"`
-}
-
-// Arg represents an argument of a method or a signal.
-type Arg struct {
- Name string `xml:"name,attr,omitempty"`
- Type string `xml:"type,attr"`
- Direction string `xml:"direction,attr,omitempty"`
-}
-
-// Annotation is an annotation in the introspection format.
-type Annotation struct {
- Name string `xml:"name,attr"`
- Value string `xml:"value,attr"`
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/godbus/dbus/introspect/introspectable.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/godbus/dbus/introspect/introspectable.go
deleted file mode 100644
index 2f16690b99cc4e143703753053d991df00eb4b78..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/godbus/dbus/introspect/introspectable.go
+++ /dev/null
@@ -1,76 +0,0 @@
-package introspect
-
-import (
- "encoding/xml"
- "github.com/godbus/dbus"
- "reflect"
- "strings"
-)
-
-// Introspectable implements org.freedesktop.Introspectable.
-//
-// You can create it by converting the XML-formatted introspection data from a
-// string to an Introspectable or call NewIntrospectable with a Node. Then,
-// export it as org.freedesktop.Introspectable on you object.
-type Introspectable string
-
-// NewIntrospectable returns an Introspectable that returns the introspection
-// data that corresponds to the given Node. If n.Interfaces doesn't contain the
-// data for org.freedesktop.DBus.Introspectable, it is added automatically.
-func NewIntrospectable(n *Node) Introspectable {
- found := false
- for _, v := range n.Interfaces {
- if v.Name == "org.freedesktop.DBus.Introspectable" {
- found = true
- break
- }
- }
- if !found {
- n.Interfaces = append(n.Interfaces, IntrospectData)
- }
- b, err := xml.Marshal(n)
- if err != nil {
- panic(err)
- }
- return Introspectable(strings.TrimSpace(IntrospectDeclarationString) + string(b))
-}
-
-// Introspect implements org.freedesktop.Introspectable.Introspect.
-func (i Introspectable) Introspect() (string, *dbus.Error) {
- return string(i), nil
-}
-
-// Methods returns the description of the methods of v. This can be used to
-// create a Node which can be passed to NewIntrospectable.
-func Methods(v interface{}) []Method {
- t := reflect.TypeOf(v)
- ms := make([]Method, 0, t.NumMethod())
- for i := 0; i < t.NumMethod(); i++ {
- if t.Method(i).PkgPath != "" {
- continue
- }
- mt := t.Method(i).Type
- if mt.NumOut() == 0 ||
- mt.Out(mt.NumOut()-1) != reflect.TypeOf(&dbus.Error{}) {
-
- continue
- }
- var m Method
- m.Name = t.Method(i).Name
- m.Args = make([]Arg, 0, mt.NumIn()+mt.NumOut()-2)
- for j := 1; j < mt.NumIn(); j++ {
- if mt.In(j) != reflect.TypeOf((*dbus.Sender)(nil)).Elem() &&
- mt.In(j) != reflect.TypeOf((*dbus.Message)(nil)).Elem() {
- arg := Arg{"", dbus.SignatureOfType(mt.In(j)).String(), "in"}
- m.Args = append(m.Args, arg)
- }
- }
- for j := 0; j < mt.NumOut()-1; j++ {
- arg := Arg{"", dbus.SignatureOfType(mt.Out(j)).String(), "out"}
- m.Args = append(m.Args, arg)
- }
- m.Annotations = make([]Annotation, 0)
- ms = append(ms, m)
- }
- return ms
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/godbus/dbus/message.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/godbus/dbus/message.go
deleted file mode 100644
index 075d6e38baee960c3a35122d9dff74681f7c2776..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/godbus/dbus/message.go
+++ /dev/null
@@ -1,346 +0,0 @@
-package dbus
-
-import (
- "bytes"
- "encoding/binary"
- "errors"
- "io"
- "reflect"
- "strconv"
-)
-
-const protoVersion byte = 1
-
-// Flags represents the possible flags of a D-Bus message.
-type Flags byte
-
-const (
- // FlagNoReplyExpected signals that the message is not expected to generate
- // a reply. If this flag is set on outgoing messages, any possible reply
- // will be discarded.
- FlagNoReplyExpected Flags = 1 << iota
- // FlagNoAutoStart signals that the message bus should not automatically
- // start an application when handling this message.
- FlagNoAutoStart
-)
-
-// Type represents the possible types of a D-Bus message.
-type Type byte
-
-const (
- TypeMethodCall Type = 1 + iota
- TypeMethodReply
- TypeError
- TypeSignal
- typeMax
-)
-
-func (t Type) String() string {
- switch t {
- case TypeMethodCall:
- return "method call"
- case TypeMethodReply:
- return "reply"
- case TypeError:
- return "error"
- case TypeSignal:
- return "signal"
- }
- return "invalid"
-}
-
-// HeaderField represents the possible byte codes for the headers
-// of a D-Bus message.
-type HeaderField byte
-
-const (
- FieldPath HeaderField = 1 + iota
- FieldInterface
- FieldMember
- FieldErrorName
- FieldReplySerial
- FieldDestination
- FieldSender
- FieldSignature
- FieldUnixFDs
- fieldMax
-)
-
-// An InvalidMessageError describes the reason why a D-Bus message is regarded as
-// invalid.
-type InvalidMessageError string
-
-func (e InvalidMessageError) Error() string {
- return "dbus: invalid message: " + string(e)
-}
-
-// fieldType are the types of the various header fields.
-var fieldTypes = [fieldMax]reflect.Type{
- FieldPath: objectPathType,
- FieldInterface: stringType,
- FieldMember: stringType,
- FieldErrorName: stringType,
- FieldReplySerial: uint32Type,
- FieldDestination: stringType,
- FieldSender: stringType,
- FieldSignature: signatureType,
- FieldUnixFDs: uint32Type,
-}
-
-// requiredFields lists the header fields that are required by the different
-// message types.
-var requiredFields = [typeMax][]HeaderField{
- TypeMethodCall: {FieldPath, FieldMember},
- TypeMethodReply: {FieldReplySerial},
- TypeError: {FieldErrorName, FieldReplySerial},
- TypeSignal: {FieldPath, FieldInterface, FieldMember},
-}
-
-// Message represents a single D-Bus message.
-type Message struct {
- Type
- Flags
- Headers map[HeaderField]Variant
- Body []interface{}
-
- serial uint32
-}
-
-type header struct {
- Field byte
- Variant
-}
-
-// DecodeMessage tries to decode a single message in the D-Bus wire format
-// from the given reader. The byte order is figured out from the first byte.
-// The possibly returned error can be an error of the underlying reader, an
-// InvalidMessageError or a FormatError.
-func DecodeMessage(rd io.Reader) (msg *Message, err error) {
- var order binary.ByteOrder
- var hlength, length uint32
- var typ, flags, proto byte
- var headers []header
-
- b := make([]byte, 1)
- _, err = rd.Read(b)
- if err != nil {
- return
- }
- switch b[0] {
- case 'l':
- order = binary.LittleEndian
- case 'B':
- order = binary.BigEndian
- default:
- return nil, InvalidMessageError("invalid byte order")
- }
-
- dec := newDecoder(rd, order)
- dec.pos = 1
-
- msg = new(Message)
- vs, err := dec.Decode(Signature{"yyyuu"})
- if err != nil {
- return nil, err
- }
- if err = Store(vs, &typ, &flags, &proto, &length, &msg.serial); err != nil {
- return nil, err
- }
- msg.Type = Type(typ)
- msg.Flags = Flags(flags)
-
- // get the header length separately because we need it later
- b = make([]byte, 4)
- _, err = io.ReadFull(rd, b)
- if err != nil {
- return nil, err
- }
- binary.Read(bytes.NewBuffer(b), order, &hlength)
- if hlength+length+16 > 1<<27 {
- return nil, InvalidMessageError("message is too long")
- }
- dec = newDecoder(io.MultiReader(bytes.NewBuffer(b), rd), order)
- dec.pos = 12
- vs, err = dec.Decode(Signature{"a(yv)"})
- if err != nil {
- return nil, err
- }
- if err = Store(vs, &headers); err != nil {
- return nil, err
- }
-
- msg.Headers = make(map[HeaderField]Variant)
- for _, v := range headers {
- msg.Headers[HeaderField(v.Field)] = v.Variant
- }
-
- dec.align(8)
- body := make([]byte, int(length))
- if length != 0 {
- _, err := io.ReadFull(rd, body)
- if err != nil {
- return nil, err
- }
- }
-
- if err = msg.IsValid(); err != nil {
- return nil, err
- }
- sig, _ := msg.Headers[FieldSignature].value.(Signature)
- if sig.str != "" {
- buf := bytes.NewBuffer(body)
- dec = newDecoder(buf, order)
- vs, err := dec.Decode(sig)
- if err != nil {
- return nil, err
- }
- msg.Body = vs
- }
-
- return
-}
-
-// EncodeTo encodes and sends a message to the given writer. The byte order must
-// be either binary.LittleEndian or binary.BigEndian. If the message is not
-// valid or an error occurs when writing, an error is returned.
-func (msg *Message) EncodeTo(out io.Writer, order binary.ByteOrder) error {
- if err := msg.IsValid(); err != nil {
- return err
- }
- var vs [7]interface{}
- switch order {
- case binary.LittleEndian:
- vs[0] = byte('l')
- case binary.BigEndian:
- vs[0] = byte('B')
- default:
- return errors.New("dbus: invalid byte order")
- }
- body := new(bytes.Buffer)
- enc := newEncoder(body, order)
- if len(msg.Body) != 0 {
- enc.Encode(msg.Body...)
- }
- vs[1] = msg.Type
- vs[2] = msg.Flags
- vs[3] = protoVersion
- vs[4] = uint32(len(body.Bytes()))
- vs[5] = msg.serial
- headers := make([]header, 0, len(msg.Headers))
- for k, v := range msg.Headers {
- headers = append(headers, header{byte(k), v})
- }
- vs[6] = headers
- var buf bytes.Buffer
- enc = newEncoder(&buf, order)
- enc.Encode(vs[:]...)
- enc.align(8)
- body.WriteTo(&buf)
- if buf.Len() > 1<<27 {
- return InvalidMessageError("message is too long")
- }
- if _, err := buf.WriteTo(out); err != nil {
- return err
- }
- return nil
-}
-
-// IsValid checks whether msg is a valid message and returns an
-// InvalidMessageError if it is not.
-func (msg *Message) IsValid() error {
- if msg.Flags & ^(FlagNoAutoStart|FlagNoReplyExpected) != 0 {
- return InvalidMessageError("invalid flags")
- }
- if msg.Type == 0 || msg.Type >= typeMax {
- return InvalidMessageError("invalid message type")
- }
- for k, v := range msg.Headers {
- if k == 0 || k >= fieldMax {
- return InvalidMessageError("invalid header")
- }
- if reflect.TypeOf(v.value) != fieldTypes[k] {
- return InvalidMessageError("invalid type of header field")
- }
- }
- for _, v := range requiredFields[msg.Type] {
- if _, ok := msg.Headers[v]; !ok {
- return InvalidMessageError("missing required header")
- }
- }
- if path, ok := msg.Headers[FieldPath]; ok {
- if !path.value.(ObjectPath).IsValid() {
- return InvalidMessageError("invalid path name")
- }
- }
- if iface, ok := msg.Headers[FieldInterface]; ok {
- if !isValidInterface(iface.value.(string)) {
- return InvalidMessageError("invalid interface name")
- }
- }
- if member, ok := msg.Headers[FieldMember]; ok {
- if !isValidMember(member.value.(string)) {
- return InvalidMessageError("invalid member name")
- }
- }
- if errname, ok := msg.Headers[FieldErrorName]; ok {
- if !isValidInterface(errname.value.(string)) {
- return InvalidMessageError("invalid error name")
- }
- }
- if len(msg.Body) != 0 {
- if _, ok := msg.Headers[FieldSignature]; !ok {
- return InvalidMessageError("missing signature")
- }
- }
- return nil
-}
-
-// Serial returns the message's serial number. The returned value is only valid
-// for messages received by eavesdropping.
-func (msg *Message) Serial() uint32 {
- return msg.serial
-}
-
-// String returns a string representation of a message similar to the format of
-// dbus-monitor.
-func (msg *Message) String() string {
- if err := msg.IsValid(); err != nil {
- return "<invalid>"
- }
- s := msg.Type.String()
- if v, ok := msg.Headers[FieldSender]; ok {
- s += " from " + v.value.(string)
- }
- if v, ok := msg.Headers[FieldDestination]; ok {
- s += " to " + v.value.(string)
- }
- s += " serial " + strconv.FormatUint(uint64(msg.serial), 10)
- if v, ok := msg.Headers[FieldReplySerial]; ok {
- s += " reply_serial " + strconv.FormatUint(uint64(v.value.(uint32)), 10)
- }
- if v, ok := msg.Headers[FieldUnixFDs]; ok {
- s += " unixfds " + strconv.FormatUint(uint64(v.value.(uint32)), 10)
- }
- if v, ok := msg.Headers[FieldPath]; ok {
- s += " path " + string(v.value.(ObjectPath))
- }
- if v, ok := msg.Headers[FieldInterface]; ok {
- s += " interface " + v.value.(string)
- }
- if v, ok := msg.Headers[FieldErrorName]; ok {
- s += " error " + v.value.(string)
- }
- if v, ok := msg.Headers[FieldMember]; ok {
- s += " member " + v.value.(string)
- }
- if len(msg.Body) != 0 {
- s += "\n"
- }
- for i, v := range msg.Body {
- s += " " + MakeVariant(v).String()
- if i != len(msg.Body)-1 {
- s += "\n"
- }
- }
- return s
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/godbus/dbus/object.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/godbus/dbus/object.go
deleted file mode 100644
index 7ef45da4c88c606a4917dd97b8bfce28e821207d..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/godbus/dbus/object.go
+++ /dev/null
@@ -1,126 +0,0 @@
-package dbus
-
-import (
- "errors"
- "strings"
-)
-
-// BusObject is the interface of a remote object on which methods can be
-// invoked.
-type BusObject interface {
- Call(method string, flags Flags, args ...interface{}) *Call
- Go(method string, flags Flags, ch chan *Call, args ...interface{}) *Call
- GetProperty(p string) (Variant, error)
- Destination() string
- Path() ObjectPath
-}
-
-// Object represents a remote object on which methods can be invoked.
-type Object struct {
- conn *Conn
- dest string
- path ObjectPath
-}
-
-// Call calls a method with (*Object).Go and waits for its reply.
-func (o *Object) Call(method string, flags Flags, args ...interface{}) *Call {
- return <-o.Go(method, flags, make(chan *Call, 1), args...).Done
-}
-
-// Go calls a method with the given arguments asynchronously. It returns a
-// Call structure representing this method call. The passed channel will
-// return the same value once the call is done. If ch is nil, a new channel
-// will be allocated. Otherwise, ch has to be buffered or Go will panic.
-//
-// If the flags include FlagNoReplyExpected, ch is ignored and a Call structure
-// is returned of which only the Err member is valid.
-//
-// If the method parameter contains a dot ('.'), the part before the last dot
-// specifies the interface on which the method is called.
-func (o *Object) Go(method string, flags Flags, ch chan *Call, args ...interface{}) *Call {
- iface := ""
- i := strings.LastIndex(method, ".")
- if i != -1 {
- iface = method[:i]
- }
- method = method[i+1:]
- msg := new(Message)
- msg.Type = TypeMethodCall
- msg.serial = o.conn.getSerial()
- msg.Flags = flags & (FlagNoAutoStart | FlagNoReplyExpected)
- msg.Headers = make(map[HeaderField]Variant)
- msg.Headers[FieldPath] = MakeVariant(o.path)
- msg.Headers[FieldDestination] = MakeVariant(o.dest)
- msg.Headers[FieldMember] = MakeVariant(method)
- if iface != "" {
- msg.Headers[FieldInterface] = MakeVariant(iface)
- }
- msg.Body = args
- if len(args) > 0 {
- msg.Headers[FieldSignature] = MakeVariant(SignatureOf(args...))
- }
- if msg.Flags&FlagNoReplyExpected == 0 {
- if ch == nil {
- ch = make(chan *Call, 10)
- } else if cap(ch) == 0 {
- panic("dbus: unbuffered channel passed to (*Object).Go")
- }
- call := &Call{
- Destination: o.dest,
- Path: o.path,
- Method: method,
- Args: args,
- Done: ch,
- }
- o.conn.callsLck.Lock()
- o.conn.calls[msg.serial] = call
- o.conn.callsLck.Unlock()
- o.conn.outLck.RLock()
- if o.conn.closed {
- call.Err = ErrClosed
- call.Done <- call
- } else {
- o.conn.out <- msg
- }
- o.conn.outLck.RUnlock()
- return call
- }
- o.conn.outLck.RLock()
- defer o.conn.outLck.RUnlock()
- if o.conn.closed {
- return &Call{Err: ErrClosed}
- }
- o.conn.out <- msg
- return &Call{Err: nil}
-}
-
-// GetProperty calls org.freedesktop.DBus.Properties.GetProperty on the given
-// object. The property name must be given in interface.member notation.
-func (o *Object) GetProperty(p string) (Variant, error) {
- idx := strings.LastIndex(p, ".")
- if idx == -1 || idx+1 == len(p) {
- return Variant{}, errors.New("dbus: invalid property " + p)
- }
-
- iface := p[:idx]
- prop := p[idx+1:]
-
- result := Variant{}
- err := o.Call("org.freedesktop.DBus.Properties.Get", 0, iface, prop).Store(&result)
-
- if err != nil {
- return Variant{}, err
- }
-
- return result, nil
-}
-
-// Destination returns the destination that calls on o are sent to.
-func (o *Object) Destination() string {
- return o.dest
-}
-
-// Path returns the path that calls on o are sent to.
-func (o *Object) Path() ObjectPath {
- return o.path
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/godbus/dbus/prop/prop.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/godbus/dbus/prop/prop.go
deleted file mode 100644
index 834a1fa89327220b9d4c57efc57bd8ccd682bc9e..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/godbus/dbus/prop/prop.go
+++ /dev/null
@@ -1,264 +0,0 @@
-// Package prop provides the Properties struct which can be used to implement
-// org.freedesktop.DBus.Properties.
-package prop
-
-import (
- "github.com/godbus/dbus"
- "github.com/godbus/dbus/introspect"
- "sync"
-)
-
-// EmitType controls how org.freedesktop.DBus.Properties.PropertiesChanged is
-// emitted for a property. If it is EmitTrue, the signal is emitted. If it is
-// EmitInvalidates, the signal is also emitted, but the new value of the property
-// is not disclosed.
-type EmitType byte
-
-const (
- EmitFalse EmitType = iota
- EmitTrue
- EmitInvalidates
-)
-
-// ErrIfaceNotFound is the error returned to peers who try to access properties
-// on interfaces that aren't found.
-var ErrIfaceNotFound = dbus.NewError("org.freedesktop.DBus.Properties.Error.InterfaceNotFound", nil)
-
-// ErrPropNotFound is the error returned to peers trying to access properties
-// that aren't found.
-var ErrPropNotFound = dbus.NewError("org.freedesktop.DBus.Properties.Error.PropertyNotFound", nil)
-
-// ErrReadOnly is the error returned to peers trying to set a read-only
-// property.
-var ErrReadOnly = dbus.NewError("org.freedesktop.DBus.Properties.Error.ReadOnly", nil)
-
-// ErrInvalidArg is returned to peers if the type of the property that is being
-// changed and the argument don't match.
-var ErrInvalidArg = dbus.NewError("org.freedesktop.DBus.Properties.Error.InvalidArg", nil)
-
-// The introspection data for the org.freedesktop.DBus.Properties interface.
-var IntrospectData = introspect.Interface{
- Name: "org.freedesktop.DBus.Properties",
- Methods: []introspect.Method{
- {
- Name: "Get",
- Args: []introspect.Arg{
- {"interface", "s", "in"},
- {"property", "s", "in"},
- {"value", "v", "out"},
- },
- },
- {
- Name: "GetAll",
- Args: []introspect.Arg{
- {"interface", "s", "in"},
- {"props", "a{sv}", "out"},
- },
- },
- {
- Name: "Set",
- Args: []introspect.Arg{
- {"interface", "s", "in"},
- {"property", "s", "in"},
- {"value", "v", "in"},
- },
- },
- },
- Signals: []introspect.Signal{
- {
- Name: "PropertiesChanged",
- Args: []introspect.Arg{
- {"interface", "s", "out"},
- {"changed_properties", "a{sv}", "out"},
- {"invalidates_properties", "as", "out"},
- },
- },
- },
-}
-
-// The introspection data for the org.freedesktop.DBus.Properties interface, as
-// a string.
-const IntrospectDataString = `
- <interface name="org.freedesktop.DBus.Introspectable">
- <method name="Get">
- <arg name="interface" direction="in" type="s"/>
- <arg name="property" direction="in" type="s"/>
- <arg name="value" direction="out" type="v"/>
- </method>
- <method name="GetAll">
- <arg name="interface" direction="in" type="s"/>
- <arg name="props" direction="out" type="a{sv}"/>
- </method>
- <method name="Set">
- <arg name="interface" direction="in" type="s"/>
- <arg name="property" direction="in" type="s"/>
- <arg name="value" direction="in" type="v"/>
- </method>
- <signal name="PropertiesChanged">
- <arg name="interface" type="s"/>
- <arg name="changed_properties" type="a{sv}"/>
- <arg name="invalidates_properties" type="as"/>
- </signal>
- </interface>
-`
-
-// Prop represents a single property. It is used for creating a Properties
-// value.
-type Prop struct {
- // Initial value. Must be a DBus-representable type.
- Value interface{}
-
- // If true, the value can be modified by calls to Set.
- Writable bool
-
- // Controls how org.freedesktop.DBus.Properties.PropertiesChanged is
- // emitted if this property changes.
- Emit EmitType
-
- // If not nil, anytime this property is changed by Set, this function is
- // called with an appropiate Change as its argument. If the returned error
- // is not nil, it is sent back to the caller of Set and the property is not
- // changed.
- Callback func(*Change) *dbus.Error
-}
-
-// Change represents a change of a property by a call to Set.
-type Change struct {
- Props *Properties
- Iface string
- Name string
- Value interface{}
-}
-
-// Properties is a set of values that can be made available to the message bus
-// using the org.freedesktop.DBus.Properties interface. It is safe for
-// concurrent use by multiple goroutines.
-type Properties struct {
- m map[string]map[string]*Prop
- mut sync.RWMutex
- conn *dbus.Conn
- path dbus.ObjectPath
-}
-
-// New returns a new Properties structure that manages the given properties.
-// The key for the first-level map of props is the name of the interface; the
-// second-level key is the name of the property. The returned structure will be
-// exported as org.freedesktop.DBus.Properties on path.
-func New(conn *dbus.Conn, path dbus.ObjectPath, props map[string]map[string]*Prop) *Properties {
- p := &Properties{m: props, conn: conn, path: path}
- conn.Export(p, path, "org.freedesktop.DBus.Properties")
- return p
-}
-
-// Get implements org.freedesktop.DBus.Properties.Get.
-func (p *Properties) Get(iface, property string) (dbus.Variant, *dbus.Error) {
- p.mut.RLock()
- defer p.mut.RUnlock()
- m, ok := p.m[iface]
- if !ok {
- return dbus.Variant{}, ErrIfaceNotFound
- }
- prop, ok := m[property]
- if !ok {
- return dbus.Variant{}, ErrPropNotFound
- }
- return dbus.MakeVariant(prop.Value), nil
-}
-
-// GetAll implements org.freedesktop.DBus.Properties.GetAll.
-func (p *Properties) GetAll(iface string) (map[string]dbus.Variant, *dbus.Error) {
- p.mut.RLock()
- defer p.mut.RUnlock()
- m, ok := p.m[iface]
- if !ok {
- return nil, ErrIfaceNotFound
- }
- rm := make(map[string]dbus.Variant, len(m))
- for k, v := range m {
- rm[k] = dbus.MakeVariant(v.Value)
- }
- return rm, nil
-}
-
-// GetMust returns the value of the given property and panics if either the
-// interface or the property name are invalid.
-func (p *Properties) GetMust(iface, property string) interface{} {
- p.mut.RLock()
- defer p.mut.RUnlock()
- return p.m[iface][property].Value
-}
-
-// Introspection returns the introspection data that represents the properties
-// of iface.
-func (p *Properties) Introspection(iface string) []introspect.Property {
- p.mut.RLock()
- defer p.mut.RUnlock()
- m := p.m[iface]
- s := make([]introspect.Property, 0, len(m))
- for k, v := range m {
- p := introspect.Property{Name: k, Type: dbus.SignatureOf(v.Value).String()}
- if v.Writable {
- p.Access = "readwrite"
- } else {
- p.Access = "read"
- }
- s = append(s, p)
- }
- return s
-}
-
-// set sets the given property and emits PropertyChanged if appropiate. p.mut
-// must already be locked.
-func (p *Properties) set(iface, property string, v interface{}) {
- prop := p.m[iface][property]
- prop.Value = v
- switch prop.Emit {
- case EmitFalse:
- // do nothing
- case EmitInvalidates:
- p.conn.Emit(p.path, "org.freedesktop.DBus.Properties.PropertiesChanged",
- iface, map[string]dbus.Variant{}, []string{property})
- case EmitTrue:
- p.conn.Emit(p.path, "org.freedesktop.DBus.Properties.PropertiesChanged",
- iface, map[string]dbus.Variant{property: dbus.MakeVariant(v)},
- []string{})
- default:
- panic("invalid value for EmitType")
- }
-}
-
-// Set implements org.freedesktop.Properties.Set.
-func (p *Properties) Set(iface, property string, newv dbus.Variant) *dbus.Error {
- p.mut.Lock()
- defer p.mut.Unlock()
- m, ok := p.m[iface]
- if !ok {
- return ErrIfaceNotFound
- }
- prop, ok := m[property]
- if !ok {
- return ErrPropNotFound
- }
- if !prop.Writable {
- return ErrReadOnly
- }
- if newv.Signature() != dbus.SignatureOf(prop.Value) {
- return ErrInvalidArg
- }
- if prop.Callback != nil {
- err := prop.Callback(&Change{p, iface, property, newv.Value()})
- if err != nil {
- return err
- }
- }
- p.set(iface, property, newv.Value())
- return nil
-}
-
-// SetMust sets the value of the given property and panics if the interface or
-// the property name are invalid.
-func (p *Properties) SetMust(iface, property string, v interface{}) {
- p.mut.Lock()
- p.set(iface, property, v)
- p.mut.Unlock()
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/godbus/dbus/sig.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/godbus/dbus/sig.go
deleted file mode 100644
index f45b53ce1b275fb9fe321bc230e6aa3b6273133f..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/godbus/dbus/sig.go
+++ /dev/null
@@ -1,257 +0,0 @@
-package dbus
-
-import (
- "fmt"
- "reflect"
- "strings"
-)
-
-var sigToType = map[byte]reflect.Type{
- 'y': byteType,
- 'b': boolType,
- 'n': int16Type,
- 'q': uint16Type,
- 'i': int32Type,
- 'u': uint32Type,
- 'x': int64Type,
- 't': uint64Type,
- 'd': float64Type,
- 's': stringType,
- 'g': signatureType,
- 'o': objectPathType,
- 'v': variantType,
- 'h': unixFDIndexType,
-}
-
-// Signature represents a correct type signature as specified by the D-Bus
-// specification. The zero value represents the empty signature, "".
-type Signature struct {
- str string
-}
-
-// SignatureOf returns the concatenation of all the signatures of the given
-// values. It panics if one of them is not representable in D-Bus.
-func SignatureOf(vs ...interface{}) Signature {
- var s string
- for _, v := range vs {
- s += getSignature(reflect.TypeOf(v))
- }
- return Signature{s}
-}
-
-// SignatureOfType returns the signature of the given type. It panics if the
-// type is not representable in D-Bus.
-func SignatureOfType(t reflect.Type) Signature {
- return Signature{getSignature(t)}
-}
-
-// getSignature returns the signature of the given type and panics on unknown types.
-func getSignature(t reflect.Type) string {
- // handle simple types first
- switch t.Kind() {
- case reflect.Uint8:
- return "y"
- case reflect.Bool:
- return "b"
- case reflect.Int16:
- return "n"
- case reflect.Uint16:
- return "q"
- case reflect.Int32:
- if t == unixFDType {
- return "h"
- }
- return "i"
- case reflect.Uint32:
- if t == unixFDIndexType {
- return "h"
- }
- return "u"
- case reflect.Int64:
- return "x"
- case reflect.Uint64:
- return "t"
- case reflect.Float64:
- return "d"
- case reflect.Ptr:
- return getSignature(t.Elem())
- case reflect.String:
- if t == objectPathType {
- return "o"
- }
- return "s"
- case reflect.Struct:
- if t == variantType {
- return "v"
- } else if t == signatureType {
- return "g"
- }
- var s string
- for i := 0; i < t.NumField(); i++ {
- field := t.Field(i)
- if field.PkgPath == "" && field.Tag.Get("dbus") != "-" {
- s += getSignature(t.Field(i).Type)
- }
- }
- return "(" + s + ")"
- case reflect.Array, reflect.Slice:
- return "a" + getSignature(t.Elem())
- case reflect.Map:
- if !isKeyType(t.Key()) {
- panic(InvalidTypeError{t})
- }
- return "a{" + getSignature(t.Key()) + getSignature(t.Elem()) + "}"
- }
- panic(InvalidTypeError{t})
-}
-
-// ParseSignature returns the signature represented by this string, or a
-// SignatureError if the string is not a valid signature.
-func ParseSignature(s string) (sig Signature, err error) {
- if len(s) == 0 {
- return
- }
- if len(s) > 255 {
- return Signature{""}, SignatureError{s, "too long"}
- }
- sig.str = s
- for err == nil && len(s) != 0 {
- err, s = validSingle(s, 0)
- }
- if err != nil {
- sig = Signature{""}
- }
-
- return
-}
-
-// ParseSignatureMust behaves like ParseSignature, except that it panics if s
-// is not valid.
-func ParseSignatureMust(s string) Signature {
- sig, err := ParseSignature(s)
- if err != nil {
- panic(err)
- }
- return sig
-}
-
-// Empty retruns whether the signature is the empty signature.
-func (s Signature) Empty() bool {
- return s.str == ""
-}
-
-// Single returns whether the signature represents a single, complete type.
-func (s Signature) Single() bool {
- err, r := validSingle(s.str, 0)
- return err != nil && r == ""
-}
-
-// String returns the signature's string representation.
-func (s Signature) String() string {
- return s.str
-}
-
-// A SignatureError indicates that a signature passed to a function or received
-// on a connection is not a valid signature.
-type SignatureError struct {
- Sig string
- Reason string
-}
-
-func (e SignatureError) Error() string {
- return fmt.Sprintf("dbus: invalid signature: %q (%s)", e.Sig, e.Reason)
-}
-
-// Try to read a single type from this string. If it was successfull, err is nil
-// and rem is the remaining unparsed part. Otherwise, err is a non-nil
-// SignatureError and rem is "". depth is the current recursion depth which may
-// not be greater than 64 and should be given as 0 on the first call.
-func validSingle(s string, depth int) (err error, rem string) {
- if s == "" {
- return SignatureError{Sig: s, Reason: "empty signature"}, ""
- }
- if depth > 64 {
- return SignatureError{Sig: s, Reason: "container nesting too deep"}, ""
- }
- switch s[0] {
- case 'y', 'b', 'n', 'q', 'i', 'u', 'x', 't', 'd', 's', 'g', 'o', 'v', 'h':
- return nil, s[1:]
- case 'a':
- if len(s) > 1 && s[1] == '{' {
- i := findMatching(s[1:], '{', '}')
- if i == -1 {
- return SignatureError{Sig: s, Reason: "unmatched '{'"}, ""
- }
- i++
- rem = s[i+1:]
- s = s[2:i]
- if err, _ = validSingle(s[:1], depth+1); err != nil {
- return err, ""
- }
- err, nr := validSingle(s[1:], depth+1)
- if err != nil {
- return err, ""
- }
- if nr != "" {
- return SignatureError{Sig: s, Reason: "too many types in dict"}, ""
- }
- return nil, rem
- }
- return validSingle(s[1:], depth+1)
- case '(':
- i := findMatching(s, '(', ')')
- if i == -1 {
- return SignatureError{Sig: s, Reason: "unmatched ')'"}, ""
- }
- rem = s[i+1:]
- s = s[1:i]
- for err == nil && s != "" {
- err, s = validSingle(s, depth+1)
- }
- if err != nil {
- rem = ""
- }
- return
- }
- return SignatureError{Sig: s, Reason: "invalid type character"}, ""
-}
-
-func findMatching(s string, left, right rune) int {
- n := 0
- for i, v := range s {
- if v == left {
- n++
- } else if v == right {
- n--
- }
- if n == 0 {
- return i
- }
- }
- return -1
-}
-
-// typeFor returns the type of the given signature. It ignores any left over
-// characters and panics if s doesn't start with a valid type signature.
-func typeFor(s string) (t reflect.Type) {
- err, _ := validSingle(s, 0)
- if err != nil {
- panic(err)
- }
-
- if t, ok := sigToType[s[0]]; ok {
- return t
- }
- switch s[0] {
- case 'a':
- if s[1] == '{' {
- i := strings.LastIndex(s, "}")
- t = reflect.MapOf(sigToType[s[2]], typeFor(s[3:i]))
- } else {
- t = reflect.SliceOf(typeFor(s[1:]))
- }
- case '(':
- t = interfacesType
- }
- return
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/godbus/dbus/transport_darwin.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/godbus/dbus/transport_darwin.go
deleted file mode 100644
index 1bba0d6bf781e7197d4de04a4812d19b74899186..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/godbus/dbus/transport_darwin.go
+++ /dev/null
@@ -1,6 +0,0 @@
-package dbus
-
-func (t *unixTransport) SendNullByte() error {
- _, err := t.Write([]byte{0})
- return err
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/godbus/dbus/transport_generic.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/godbus/dbus/transport_generic.go
deleted file mode 100644
index 46f8f49d699b7a6819bcd78a231e78df6bf15b83..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/godbus/dbus/transport_generic.go
+++ /dev/null
@@ -1,35 +0,0 @@
-package dbus
-
-import (
- "encoding/binary"
- "errors"
- "io"
-)
-
-type genericTransport struct {
- io.ReadWriteCloser
-}
-
-func (t genericTransport) SendNullByte() error {
- _, err := t.Write([]byte{0})
- return err
-}
-
-func (t genericTransport) SupportsUnixFDs() bool {
- return false
-}
-
-func (t genericTransport) EnableUnixFDs() {}
-
-func (t genericTransport) ReadMessage() (*Message, error) {
- return DecodeMessage(t)
-}
-
-func (t genericTransport) SendMessage(msg *Message) error {
- for _, v := range msg.Body {
- if _, ok := v.(UnixFD); ok {
- return errors.New("dbus: unix fd passing not enabled")
- }
- }
- return msg.EncodeTo(t, binary.LittleEndian)
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/godbus/dbus/transport_unix.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/godbus/dbus/transport_unix.go
deleted file mode 100644
index 3fafeabb15b75d12c874173fc62f7206b4a21a1d..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/godbus/dbus/transport_unix.go
+++ /dev/null
@@ -1,196 +0,0 @@
-//+build !windows
-
-package dbus
-
-import (
- "bytes"
- "encoding/binary"
- "errors"
- "io"
- "net"
- "syscall"
-)
-
-type oobReader struct {
- conn *net.UnixConn
- oob []byte
- buf [4096]byte
-}
-
-func (o *oobReader) Read(b []byte) (n int, err error) {
- n, oobn, flags, _, err := o.conn.ReadMsgUnix(b, o.buf[:])
- if err != nil {
- return n, err
- }
- if flags&syscall.MSG_CTRUNC != 0 {
- return n, errors.New("dbus: control data truncated (too many fds received)")
- }
- o.oob = append(o.oob, o.buf[:oobn]...)
- return n, nil
-}
-
-type unixTransport struct {
- *net.UnixConn
- hasUnixFDs bool
-}
-
-func newUnixTransport(keys string) (transport, error) {
- var err error
-
- t := new(unixTransport)
- abstract := getKey(keys, "abstract")
- path := getKey(keys, "path")
- switch {
- case abstract == "" && path == "":
- return nil, errors.New("dbus: invalid address (neither path nor abstract set)")
- case abstract != "" && path == "":
- t.UnixConn, err = net.DialUnix("unix", nil, &net.UnixAddr{Name: "@" + abstract, Net: "unix"})
- if err != nil {
- return nil, err
- }
- return t, nil
- case abstract == "" && path != "":
- t.UnixConn, err = net.DialUnix("unix", nil, &net.UnixAddr{Name: path, Net: "unix"})
- if err != nil {
- return nil, err
- }
- return t, nil
- default:
- return nil, errors.New("dbus: invalid address (both path and abstract set)")
- }
-}
-
-func init() {
- transports["unix"] = newUnixTransport
-}
-
-func (t *unixTransport) EnableUnixFDs() {
- t.hasUnixFDs = true
-}
-
-func (t *unixTransport) ReadMessage() (*Message, error) {
- var (
- blen, hlen uint32
- csheader [16]byte
- headers []header
- order binary.ByteOrder
- unixfds uint32
- )
- // To be sure that all bytes of out-of-band data are read, we use a special
- // reader that uses ReadUnix on the underlying connection instead of Read
- // and gathers the out-of-band data in a buffer.
- rd := &oobReader{conn: t.UnixConn}
- // read the first 16 bytes (the part of the header that has a constant size),
- // from which we can figure out the length of the rest of the message
- if _, err := io.ReadFull(rd, csheader[:]); err != nil {
- return nil, err
- }
- switch csheader[0] {
- case 'l':
- order = binary.LittleEndian
- case 'B':
- order = binary.BigEndian
- default:
- return nil, InvalidMessageError("invalid byte order")
- }
- // csheader[4:8] -> length of message body, csheader[12:16] -> length of
- // header fields (without alignment)
- binary.Read(bytes.NewBuffer(csheader[4:8]), order, &blen)
- binary.Read(bytes.NewBuffer(csheader[12:]), order, &hlen)
- if hlen%8 != 0 {
- hlen += 8 - (hlen % 8)
- }
-
- // decode headers and look for unix fds
- headerdata := make([]byte, hlen+4)
- copy(headerdata, csheader[12:])
- if _, err := io.ReadFull(t, headerdata[4:]); err != nil {
- return nil, err
- }
- dec := newDecoder(bytes.NewBuffer(headerdata), order)
- dec.pos = 12
- vs, err := dec.Decode(Signature{"a(yv)"})
- if err != nil {
- return nil, err
- }
- Store(vs, &headers)
- for _, v := range headers {
- if v.Field == byte(FieldUnixFDs) {
- unixfds, _ = v.Variant.value.(uint32)
- }
- }
- all := make([]byte, 16+hlen+blen)
- copy(all, csheader[:])
- copy(all[16:], headerdata[4:])
- if _, err := io.ReadFull(rd, all[16+hlen:]); err != nil {
- return nil, err
- }
- if unixfds != 0 {
- if !t.hasUnixFDs {
- return nil, errors.New("dbus: got unix fds on unsupported transport")
- }
- // read the fds from the OOB data
- scms, err := syscall.ParseSocketControlMessage(rd.oob)
- if err != nil {
- return nil, err
- }
- if len(scms) != 1 {
- return nil, errors.New("dbus: received more than one socket control message")
- }
- fds, err := syscall.ParseUnixRights(&scms[0])
- if err != nil {
- return nil, err
- }
- msg, err := DecodeMessage(bytes.NewBuffer(all))
- if err != nil {
- return nil, err
- }
- // substitute the values in the message body (which are indices for the
- // array receiver via OOB) with the actual values
- for i, v := range msg.Body {
- if j, ok := v.(UnixFDIndex); ok {
- if uint32(j) >= unixfds {
- return nil, InvalidMessageError("invalid index for unix fd")
- }
- msg.Body[i] = UnixFD(fds[j])
- }
- }
- return msg, nil
- }
- return DecodeMessage(bytes.NewBuffer(all))
-}
-
-func (t *unixTransport) SendMessage(msg *Message) error {
- fds := make([]int, 0)
- for i, v := range msg.Body {
- if fd, ok := v.(UnixFD); ok {
- msg.Body[i] = UnixFDIndex(len(fds))
- fds = append(fds, int(fd))
- }
- }
- if len(fds) != 0 {
- if !t.hasUnixFDs {
- return errors.New("dbus: unix fd passing not enabled")
- }
- msg.Headers[FieldUnixFDs] = MakeVariant(uint32(len(fds)))
- oob := syscall.UnixRights(fds...)
- buf := new(bytes.Buffer)
- msg.EncodeTo(buf, binary.LittleEndian)
- n, oobn, err := t.UnixConn.WriteMsgUnix(buf.Bytes(), oob, nil)
- if err != nil {
- return err
- }
- if n != buf.Len() || oobn != len(oob) {
- return io.ErrShortWrite
- }
- } else {
- if err := msg.EncodeTo(t, binary.LittleEndian); err != nil {
- return nil
- }
- }
- return nil
-}
-
-func (t *unixTransport) SupportsUnixFDs() bool {
- return true
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/godbus/dbus/transport_unixcred_dragonfly.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/godbus/dbus/transport_unixcred_dragonfly.go
deleted file mode 100644
index a8cd39395f02dd613feba13aaf1fa0cb441d9922..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/godbus/dbus/transport_unixcred_dragonfly.go
+++ /dev/null
@@ -1,95 +0,0 @@
-// The UnixCredentials system call is currently only implemented on Linux
-// http://golang.org/src/pkg/syscall/sockcmsg_linux.go
-// https://golang.org/s/go1.4-syscall
-// http://code.google.com/p/go/source/browse/unix/sockcmsg_linux.go?repo=sys
-
-// Local implementation of the UnixCredentials system call for DragonFly BSD
-
-package dbus
-
-/*
-#include <sys/ucred.h>
-*/
-import "C"
-
-import (
- "io"
- "os"
- "syscall"
- "unsafe"
-)
-
-// http://golang.org/src/pkg/syscall/ztypes_linux_amd64.go
-// http://golang.org/src/pkg/syscall/ztypes_dragonfly_amd64.go
-type Ucred struct {
- Pid int32
- Uid uint32
- Gid uint32
-}
-
-// http://golang.org/src/pkg/syscall/types_linux.go
-// http://golang.org/src/pkg/syscall/types_dragonfly.go
-// https://github.com/DragonFlyBSD/DragonFlyBSD/blob/master/sys/sys/ucred.h
-const (
- SizeofUcred = C.sizeof_struct_ucred
-)
-
-// http://golang.org/src/pkg/syscall/sockcmsg_unix.go
-func cmsgAlignOf(salen int) int {
- // From http://golang.org/src/pkg/syscall/sockcmsg_unix.go
- //salign := sizeofPtr
- // NOTE: It seems like 64-bit Darwin and DragonFly BSD kernels
- // still require 32-bit aligned access to network subsystem.
- //if darwin64Bit || dragonfly64Bit {
- // salign = 4
- //}
- salign := 4
- return (salen + salign - 1) & ^(salign - 1)
-}
-
-// http://golang.org/src/pkg/syscall/sockcmsg_unix.go
-func cmsgData(h *syscall.Cmsghdr) unsafe.Pointer {
- return unsafe.Pointer(uintptr(unsafe.Pointer(h)) + uintptr(cmsgAlignOf(syscall.SizeofCmsghdr)))
-}
-
-// http://golang.org/src/pkg/syscall/sockcmsg_linux.go
-// UnixCredentials encodes credentials into a socket control message
-// for sending to another process. This can be used for
-// authentication.
-func UnixCredentials(ucred *Ucred) []byte {
- b := make([]byte, syscall.CmsgSpace(SizeofUcred))
- h := (*syscall.Cmsghdr)(unsafe.Pointer(&b[0]))
- h.Level = syscall.SOL_SOCKET
- h.Type = syscall.SCM_CREDS
- h.SetLen(syscall.CmsgLen(SizeofUcred))
- *((*Ucred)(cmsgData(h))) = *ucred
- return b
-}
-
-// http://golang.org/src/pkg/syscall/sockcmsg_linux.go
-// ParseUnixCredentials decodes a socket control message that contains
-// credentials in a Ucred structure. To receive such a message, the
-// SO_PASSCRED option must be enabled on the socket.
-func ParseUnixCredentials(m *syscall.SocketControlMessage) (*Ucred, error) {
- if m.Header.Level != syscall.SOL_SOCKET {
- return nil, syscall.EINVAL
- }
- if m.Header.Type != syscall.SCM_CREDS {
- return nil, syscall.EINVAL
- }
- ucred := *(*Ucred)(unsafe.Pointer(&m.Data[0]))
- return &ucred, nil
-}
-
-func (t *unixTransport) SendNullByte() error {
- ucred := &Ucred{Pid: int32(os.Getpid()), Uid: uint32(os.Getuid()), Gid: uint32(os.Getgid())}
- b := UnixCredentials(ucred)
- _, oobn, err := t.UnixConn.WriteMsgUnix([]byte{0}, b, nil)
- if err != nil {
- return err
- }
- if oobn != len(b) {
- return io.ErrShortWrite
- }
- return nil
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/godbus/dbus/transport_unixcred_linux.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/godbus/dbus/transport_unixcred_linux.go
deleted file mode 100644
index d9dfdf698210da415cbea49a0bd97adecdb4ee3b..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/godbus/dbus/transport_unixcred_linux.go
+++ /dev/null
@@ -1,25 +0,0 @@
-// The UnixCredentials system call is currently only implemented on Linux
-// http://golang.org/src/pkg/syscall/sockcmsg_linux.go
-// https://golang.org/s/go1.4-syscall
-// http://code.google.com/p/go/source/browse/unix/sockcmsg_linux.go?repo=sys
-
-package dbus
-
-import (
- "io"
- "os"
- "syscall"
-)
-
-func (t *unixTransport) SendNullByte() error {
- ucred := &syscall.Ucred{Pid: int32(os.Getpid()), Uid: uint32(os.Getuid()), Gid: uint32(os.Getgid())}
- b := syscall.UnixCredentials(ucred)
- _, oobn, err := t.UnixConn.WriteMsgUnix([]byte{0}, b, nil)
- if err != nil {
- return err
- }
- if oobn != len(b) {
- return io.ErrShortWrite
- }
- return nil
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/godbus/dbus/variant.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/godbus/dbus/variant.go
deleted file mode 100644
index b7b13ae90ddf1afe0ecfff584b3d632ef273e7d7..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/godbus/dbus/variant.go
+++ /dev/null
@@ -1,139 +0,0 @@
-package dbus
-
-import (
- "bytes"
- "fmt"
- "reflect"
- "sort"
- "strconv"
-)
-
-// Variant represents the D-Bus variant type.
-type Variant struct {
- sig Signature
- value interface{}
-}
-
-// MakeVariant converts the given value to a Variant. It panics if v cannot be
-// represented as a D-Bus type.
-func MakeVariant(v interface{}) Variant {
- return Variant{SignatureOf(v), v}
-}
-
-// ParseVariant parses the given string as a variant as described at
-// https://developer.gnome.org/glib/unstable/gvariant-text.html. If sig is not
-// empty, it is taken to be the expected signature for the variant.
-func ParseVariant(s string, sig Signature) (Variant, error) {
- tokens := varLex(s)
- p := &varParser{tokens: tokens}
- n, err := varMakeNode(p)
- if err != nil {
- return Variant{}, err
- }
- if sig.str == "" {
- sig, err = varInfer(n)
- if err != nil {
- return Variant{}, err
- }
- }
- v, err := n.Value(sig)
- if err != nil {
- return Variant{}, err
- }
- return MakeVariant(v), nil
-}
-
-// format returns a formatted version of v and whether this string can be parsed
-// unambigously.
-func (v Variant) format() (string, bool) {
- switch v.sig.str[0] {
- case 'b', 'i':
- return fmt.Sprint(v.value), true
- case 'n', 'q', 'u', 'x', 't', 'd', 'h':
- return fmt.Sprint(v.value), false
- case 's':
- return strconv.Quote(v.value.(string)), true
- case 'o':
- return strconv.Quote(string(v.value.(ObjectPath))), false
- case 'g':
- return strconv.Quote(v.value.(Signature).str), false
- case 'v':
- s, unamb := v.value.(Variant).format()
- if !unamb {
- return "<@" + v.value.(Variant).sig.str + " " + s + ">", true
- }
- return "<" + s + ">", true
- case 'y':
- return fmt.Sprintf("%#x", v.value.(byte)), false
- }
- rv := reflect.ValueOf(v.value)
- switch rv.Kind() {
- case reflect.Slice:
- if rv.Len() == 0 {
- return "[]", false
- }
- unamb := true
- buf := bytes.NewBuffer([]byte("["))
- for i := 0; i < rv.Len(); i++ {
- // TODO: slooow
- s, b := MakeVariant(rv.Index(i).Interface()).format()
- unamb = unamb && b
- buf.WriteString(s)
- if i != rv.Len()-1 {
- buf.WriteString(", ")
- }
- }
- buf.WriteByte(']')
- return buf.String(), unamb
- case reflect.Map:
- if rv.Len() == 0 {
- return "{}", false
- }
- unamb := true
- var buf bytes.Buffer
- kvs := make([]string, rv.Len())
- for i, k := range rv.MapKeys() {
- s, b := MakeVariant(k.Interface()).format()
- unamb = unamb && b
- buf.Reset()
- buf.WriteString(s)
- buf.WriteString(": ")
- s, b = MakeVariant(rv.MapIndex(k).Interface()).format()
- unamb = unamb && b
- buf.WriteString(s)
- kvs[i] = buf.String()
- }
- buf.Reset()
- buf.WriteByte('{')
- sort.Strings(kvs)
- for i, kv := range kvs {
- if i > 0 {
- buf.WriteString(", ")
- }
- buf.WriteString(kv)
- }
- buf.WriteByte('}')
- return buf.String(), unamb
- }
- return `"INVALID"`, true
-}
-
-// Signature returns the D-Bus signature of the underlying value of v.
-func (v Variant) Signature() Signature {
- return v.sig
-}
-
-// String returns the string representation of the underlying value of v as
-// described at https://developer.gnome.org/glib/unstable/gvariant-text.html.
-func (v Variant) String() string {
- s, unamb := v.format()
- if !unamb {
- return "@" + v.sig.str + " " + s
- }
- return s
-}
-
-// Value returns the underlying value of v.
-func (v Variant) Value() interface{} {
- return v.value
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/godbus/dbus/variant_lexer.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/godbus/dbus/variant_lexer.go
deleted file mode 100644
index 332007d6f123204ae6e3c1a75cb6a2da4aed4928..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/godbus/dbus/variant_lexer.go
+++ /dev/null
@@ -1,284 +0,0 @@
-package dbus
-
-import (
- "fmt"
- "strings"
- "unicode"
- "unicode/utf8"
-)
-
-// Heavily inspired by the lexer from text/template.
-
-type varToken struct {
- typ varTokenType
- val string
-}
-
-type varTokenType byte
-
-const (
- tokEOF varTokenType = iota
- tokError
- tokNumber
- tokString
- tokBool
- tokArrayStart
- tokArrayEnd
- tokDictStart
- tokDictEnd
- tokVariantStart
- tokVariantEnd
- tokComma
- tokColon
- tokType
- tokByteString
-)
-
-type varLexer struct {
- input string
- start int
- pos int
- width int
- tokens []varToken
-}
-
-type lexState func(*varLexer) lexState
-
-func varLex(s string) []varToken {
- l := &varLexer{input: s}
- l.run()
- return l.tokens
-}
-
-func (l *varLexer) accept(valid string) bool {
- if strings.IndexRune(valid, l.next()) >= 0 {
- return true
- }
- l.backup()
- return false
-}
-
-func (l *varLexer) backup() {
- l.pos -= l.width
-}
-
-func (l *varLexer) emit(t varTokenType) {
- l.tokens = append(l.tokens, varToken{t, l.input[l.start:l.pos]})
- l.start = l.pos
-}
-
-func (l *varLexer) errorf(format string, v ...interface{}) lexState {
- l.tokens = append(l.tokens, varToken{
- tokError,
- fmt.Sprintf(format, v...),
- })
- return nil
-}
-
-func (l *varLexer) ignore() {
- l.start = l.pos
-}
-
-func (l *varLexer) next() rune {
- var r rune
-
- if l.pos >= len(l.input) {
- l.width = 0
- return -1
- }
- r, l.width = utf8.DecodeRuneInString(l.input[l.pos:])
- l.pos += l.width
- return r
-}
-
-func (l *varLexer) run() {
- for state := varLexNormal; state != nil; {
- state = state(l)
- }
-}
-
-func (l *varLexer) peek() rune {
- r := l.next()
- l.backup()
- return r
-}
-
-func varLexNormal(l *varLexer) lexState {
- for {
- r := l.next()
- switch {
- case r == -1:
- l.emit(tokEOF)
- return nil
- case r == '[':
- l.emit(tokArrayStart)
- case r == ']':
- l.emit(tokArrayEnd)
- case r == '{':
- l.emit(tokDictStart)
- case r == '}':
- l.emit(tokDictEnd)
- case r == '<':
- l.emit(tokVariantStart)
- case r == '>':
- l.emit(tokVariantEnd)
- case r == ':':
- l.emit(tokColon)
- case r == ',':
- l.emit(tokComma)
- case r == '\'' || r == '"':
- l.backup()
- return varLexString
- case r == '@':
- l.backup()
- return varLexType
- case unicode.IsSpace(r):
- l.ignore()
- case unicode.IsNumber(r) || r == '+' || r == '-':
- l.backup()
- return varLexNumber
- case r == 'b':
- pos := l.start
- if n := l.peek(); n == '"' || n == '\'' {
- return varLexByteString
- }
- // not a byte string; try to parse it as a type or bool below
- l.pos = pos + 1
- l.width = 1
- fallthrough
- default:
- // either a bool or a type. Try bools first.
- l.backup()
- if l.pos+4 <= len(l.input) {
- if l.input[l.pos:l.pos+4] == "true" {
- l.pos += 4
- l.emit(tokBool)
- continue
- }
- }
- if l.pos+5 <= len(l.input) {
- if l.input[l.pos:l.pos+5] == "false" {
- l.pos += 5
- l.emit(tokBool)
- continue
- }
- }
- // must be a type.
- return varLexType
- }
- }
-}
-
-var varTypeMap = map[string]string{
- "boolean": "b",
- "byte": "y",
- "int16": "n",
- "uint16": "q",
- "int32": "i",
- "uint32": "u",
- "int64": "x",
- "uint64": "t",
- "double": "f",
- "string": "s",
- "objectpath": "o",
- "signature": "g",
-}
-
-func varLexByteString(l *varLexer) lexState {
- q := l.next()
-Loop:
- for {
- switch l.next() {
- case '\\':
- if r := l.next(); r != -1 {
- break
- }
- fallthrough
- case -1:
- return l.errorf("unterminated bytestring")
- case q:
- break Loop
- }
- }
- l.emit(tokByteString)
- return varLexNormal
-}
-
-func varLexNumber(l *varLexer) lexState {
- l.accept("+-")
- digits := "0123456789"
- if l.accept("0") {
- if l.accept("x") {
- digits = "0123456789abcdefABCDEF"
- } else {
- digits = "01234567"
- }
- }
- for strings.IndexRune(digits, l.next()) >= 0 {
- }
- l.backup()
- if l.accept(".") {
- for strings.IndexRune(digits, l.next()) >= 0 {
- }
- l.backup()
- }
- if l.accept("eE") {
- l.accept("+-")
- for strings.IndexRune("0123456789", l.next()) >= 0 {
- }
- l.backup()
- }
- if r := l.peek(); unicode.IsLetter(r) {
- l.next()
- return l.errorf("bad number syntax: %q", l.input[l.start:l.pos])
- }
- l.emit(tokNumber)
- return varLexNormal
-}
-
-func varLexString(l *varLexer) lexState {
- q := l.next()
-Loop:
- for {
- switch l.next() {
- case '\\':
- if r := l.next(); r != -1 {
- break
- }
- fallthrough
- case -1:
- return l.errorf("unterminated string")
- case q:
- break Loop
- }
- }
- l.emit(tokString)
- return varLexNormal
-}
-
-func varLexType(l *varLexer) lexState {
- at := l.accept("@")
- for {
- r := l.next()
- if r == -1 {
- break
- }
- if unicode.IsSpace(r) {
- l.backup()
- break
- }
- }
- if at {
- if _, err := ParseSignature(l.input[l.start+1 : l.pos]); err != nil {
- return l.errorf("%s", err)
- }
- } else {
- if _, ok := varTypeMap[l.input[l.start:l.pos]]; ok {
- l.emit(tokType)
- return varLexNormal
- }
- return l.errorf("unrecognized type %q", l.input[l.start:l.pos])
- }
- l.emit(tokType)
- return varLexNormal
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/godbus/dbus/variant_parser.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/godbus/dbus/variant_parser.go
deleted file mode 100644
index d20f5da6dd22d7c2e31b7bfbafbb15bc6bf09901..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/godbus/dbus/variant_parser.go
+++ /dev/null
@@ -1,817 +0,0 @@
-package dbus
-
-import (
- "bytes"
- "errors"
- "fmt"
- "io"
- "reflect"
- "strconv"
- "strings"
- "unicode/utf8"
-)
-
-type varParser struct {
- tokens []varToken
- i int
-}
-
-func (p *varParser) backup() {
- p.i--
-}
-
-func (p *varParser) next() varToken {
- if p.i < len(p.tokens) {
- t := p.tokens[p.i]
- p.i++
- return t
- }
- return varToken{typ: tokEOF}
-}
-
-type varNode interface {
- Infer() (Signature, error)
- String() string
- Sigs() sigSet
- Value(Signature) (interface{}, error)
-}
-
-func varMakeNode(p *varParser) (varNode, error) {
- var sig Signature
-
- for {
- t := p.next()
- switch t.typ {
- case tokEOF:
- return nil, io.ErrUnexpectedEOF
- case tokError:
- return nil, errors.New(t.val)
- case tokNumber:
- return varMakeNumNode(t, sig)
- case tokString:
- return varMakeStringNode(t, sig)
- case tokBool:
- if sig.str != "" && sig.str != "b" {
- return nil, varTypeError{t.val, sig}
- }
- b, err := strconv.ParseBool(t.val)
- if err != nil {
- return nil, err
- }
- return boolNode(b), nil
- case tokArrayStart:
- return varMakeArrayNode(p, sig)
- case tokVariantStart:
- return varMakeVariantNode(p, sig)
- case tokDictStart:
- return varMakeDictNode(p, sig)
- case tokType:
- if sig.str != "" {
- return nil, errors.New("unexpected type annotation")
- }
- if t.val[0] == '@' {
- sig.str = t.val[1:]
- } else {
- sig.str = varTypeMap[t.val]
- }
- case tokByteString:
- if sig.str != "" && sig.str != "ay" {
- return nil, varTypeError{t.val, sig}
- }
- b, err := varParseByteString(t.val)
- if err != nil {
- return nil, err
- }
- return byteStringNode(b), nil
- default:
- return nil, fmt.Errorf("unexpected %q", t.val)
- }
- }
-}
-
-type varTypeError struct {
- val string
- sig Signature
-}
-
-func (e varTypeError) Error() string {
- return fmt.Sprintf("dbus: can't parse %q as type %q", e.val, e.sig.str)
-}
-
-type sigSet map[Signature]bool
-
-func (s sigSet) Empty() bool {
- return len(s) == 0
-}
-
-func (s sigSet) Intersect(s2 sigSet) sigSet {
- r := make(sigSet)
- for k := range s {
- if s2[k] {
- r[k] = true
- }
- }
- return r
-}
-
-func (s sigSet) Single() (Signature, bool) {
- if len(s) == 1 {
- for k := range s {
- return k, true
- }
- }
- return Signature{}, false
-}
-
-func (s sigSet) ToArray() sigSet {
- r := make(sigSet, len(s))
- for k := range s {
- r[Signature{"a" + k.str}] = true
- }
- return r
-}
-
-type numNode struct {
- sig Signature
- str string
- val interface{}
-}
-
-var numSigSet = sigSet{
- Signature{"y"}: true,
- Signature{"n"}: true,
- Signature{"q"}: true,
- Signature{"i"}: true,
- Signature{"u"}: true,
- Signature{"x"}: true,
- Signature{"t"}: true,
- Signature{"d"}: true,
-}
-
-func (n numNode) Infer() (Signature, error) {
- if strings.ContainsAny(n.str, ".e") {
- return Signature{"d"}, nil
- }
- return Signature{"i"}, nil
-}
-
-func (n numNode) String() string {
- return n.str
-}
-
-func (n numNode) Sigs() sigSet {
- if n.sig.str != "" {
- return sigSet{n.sig: true}
- }
- if strings.ContainsAny(n.str, ".e") {
- return sigSet{Signature{"d"}: true}
- }
- return numSigSet
-}
-
-func (n numNode) Value(sig Signature) (interface{}, error) {
- if n.sig.str != "" && n.sig != sig {
- return nil, varTypeError{n.str, sig}
- }
- if n.val != nil {
- return n.val, nil
- }
- return varNumAs(n.str, sig)
-}
-
-func varMakeNumNode(tok varToken, sig Signature) (varNode, error) {
- if sig.str == "" {
- return numNode{str: tok.val}, nil
- }
- num, err := varNumAs(tok.val, sig)
- if err != nil {
- return nil, err
- }
- return numNode{sig: sig, val: num}, nil
-}
-
-func varNumAs(s string, sig Signature) (interface{}, error) {
- isUnsigned := false
- size := 32
- switch sig.str {
- case "n":
- size = 16
- case "i":
- case "x":
- size = 64
- case "y":
- size = 8
- isUnsigned = true
- case "q":
- size = 16
- isUnsigned = true
- case "u":
- isUnsigned = true
- case "t":
- size = 64
- isUnsigned = true
- case "d":
- d, err := strconv.ParseFloat(s, 64)
- if err != nil {
- return nil, err
- }
- return d, nil
- default:
- return nil, varTypeError{s, sig}
- }
- base := 10
- if strings.HasPrefix(s, "0x") {
- base = 16
- s = s[2:]
- }
- if strings.HasPrefix(s, "0") && len(s) != 1 {
- base = 8
- s = s[1:]
- }
- if isUnsigned {
- i, err := strconv.ParseUint(s, base, size)
- if err != nil {
- return nil, err
- }
- var v interface{} = i
- switch sig.str {
- case "y":
- v = byte(i)
- case "q":
- v = uint16(i)
- case "u":
- v = uint32(i)
- }
- return v, nil
- }
- i, err := strconv.ParseInt(s, base, size)
- if err != nil {
- return nil, err
- }
- var v interface{} = i
- switch sig.str {
- case "n":
- v = int16(i)
- case "i":
- v = int32(i)
- }
- return v, nil
-}
-
-type stringNode struct {
- sig Signature
- str string // parsed
- val interface{} // has correct type
-}
-
-var stringSigSet = sigSet{
- Signature{"s"}: true,
- Signature{"g"}: true,
- Signature{"o"}: true,
-}
-
-func (n stringNode) Infer() (Signature, error) {
- return Signature{"s"}, nil
-}
-
-func (n stringNode) String() string {
- return n.str
-}
-
-func (n stringNode) Sigs() sigSet {
- if n.sig.str != "" {
- return sigSet{n.sig: true}
- }
- return stringSigSet
-}
-
-func (n stringNode) Value(sig Signature) (interface{}, error) {
- if n.sig.str != "" && n.sig != sig {
- return nil, varTypeError{n.str, sig}
- }
- if n.val != nil {
- return n.val, nil
- }
- switch {
- case sig.str == "g":
- return Signature{n.str}, nil
- case sig.str == "o":
- return ObjectPath(n.str), nil
- case sig.str == "s":
- return n.str, nil
- default:
- return nil, varTypeError{n.str, sig}
- }
-}
-
-func varMakeStringNode(tok varToken, sig Signature) (varNode, error) {
- if sig.str != "" && sig.str != "s" && sig.str != "g" && sig.str != "o" {
- return nil, fmt.Errorf("invalid type %q for string", sig.str)
- }
- s, err := varParseString(tok.val)
- if err != nil {
- return nil, err
- }
- n := stringNode{str: s}
- if sig.str == "" {
- return stringNode{str: s}, nil
- }
- n.sig = sig
- switch sig.str {
- case "o":
- n.val = ObjectPath(s)
- case "g":
- n.val = Signature{s}
- case "s":
- n.val = s
- }
- return n, nil
-}
-
-func varParseString(s string) (string, error) {
- // quotes are guaranteed to be there
- s = s[1 : len(s)-1]
- buf := new(bytes.Buffer)
- for len(s) != 0 {
- r, size := utf8.DecodeRuneInString(s)
- if r == utf8.RuneError && size == 1 {
- return "", errors.New("invalid UTF-8")
- }
- s = s[size:]
- if r != '\\' {
- buf.WriteRune(r)
- continue
- }
- r, size = utf8.DecodeRuneInString(s)
- if r == utf8.RuneError && size == 1 {
- return "", errors.New("invalid UTF-8")
- }
- s = s[size:]
- switch r {
- case 'a':
- buf.WriteRune(0x7)
- case 'b':
- buf.WriteRune(0x8)
- case 'f':
- buf.WriteRune(0xc)
- case 'n':
- buf.WriteRune('\n')
- case 'r':
- buf.WriteRune('\r')
- case 't':
- buf.WriteRune('\t')
- case '\n':
- case 'u':
- if len(s) < 4 {
- return "", errors.New("short unicode escape")
- }
- r, err := strconv.ParseUint(s[:4], 16, 32)
- if err != nil {
- return "", err
- }
- buf.WriteRune(rune(r))
- s = s[4:]
- case 'U':
- if len(s) < 8 {
- return "", errors.New("short unicode escape")
- }
- r, err := strconv.ParseUint(s[:8], 16, 32)
- if err != nil {
- return "", err
- }
- buf.WriteRune(rune(r))
- s = s[8:]
- default:
- buf.WriteRune(r)
- }
- }
- return buf.String(), nil
-}
-
-var boolSigSet = sigSet{Signature{"b"}: true}
-
-type boolNode bool
-
-func (boolNode) Infer() (Signature, error) {
- return Signature{"b"}, nil
-}
-
-func (b boolNode) String() string {
- if b {
- return "true"
- }
- return "false"
-}
-
-func (boolNode) Sigs() sigSet {
- return boolSigSet
-}
-
-func (b boolNode) Value(sig Signature) (interface{}, error) {
- if sig.str != "b" {
- return nil, varTypeError{b.String(), sig}
- }
- return bool(b), nil
-}
-
-type arrayNode struct {
- set sigSet
- children []varNode
- val interface{}
-}
-
-func (n arrayNode) Infer() (Signature, error) {
- for _, v := range n.children {
- csig, err := varInfer(v)
- if err != nil {
- continue
- }
- return Signature{"a" + csig.str}, nil
- }
- return Signature{}, fmt.Errorf("can't infer type for %q", n.String())
-}
-
-func (n arrayNode) String() string {
- s := "["
- for i, v := range n.children {
- s += v.String()
- if i != len(n.children)-1 {
- s += ", "
- }
- }
- return s + "]"
-}
-
-func (n arrayNode) Sigs() sigSet {
- return n.set
-}
-
-func (n arrayNode) Value(sig Signature) (interface{}, error) {
- if n.set.Empty() {
- // no type information whatsoever, so this must be an empty slice
- return reflect.MakeSlice(typeFor(sig.str), 0, 0).Interface(), nil
- }
- if !n.set[sig] {
- return nil, varTypeError{n.String(), sig}
- }
- s := reflect.MakeSlice(typeFor(sig.str), len(n.children), len(n.children))
- for i, v := range n.children {
- rv, err := v.Value(Signature{sig.str[1:]})
- if err != nil {
- return nil, err
- }
- s.Index(i).Set(reflect.ValueOf(rv))
- }
- return s.Interface(), nil
-}
-
-func varMakeArrayNode(p *varParser, sig Signature) (varNode, error) {
- var n arrayNode
- if sig.str != "" {
- n.set = sigSet{sig: true}
- }
- if t := p.next(); t.typ == tokArrayEnd {
- return n, nil
- } else {
- p.backup()
- }
-Loop:
- for {
- t := p.next()
- switch t.typ {
- case tokEOF:
- return nil, io.ErrUnexpectedEOF
- case tokError:
- return nil, errors.New(t.val)
- }
- p.backup()
- cn, err := varMakeNode(p)
- if err != nil {
- return nil, err
- }
- if cset := cn.Sigs(); !cset.Empty() {
- if n.set.Empty() {
- n.set = cset.ToArray()
- } else {
- nset := cset.ToArray().Intersect(n.set)
- if nset.Empty() {
- return nil, fmt.Errorf("can't parse %q with given type information", cn.String())
- }
- n.set = nset
- }
- }
- n.children = append(n.children, cn)
- switch t := p.next(); t.typ {
- case tokEOF:
- return nil, io.ErrUnexpectedEOF
- case tokError:
- return nil, errors.New(t.val)
- case tokArrayEnd:
- break Loop
- case tokComma:
- continue
- default:
- return nil, fmt.Errorf("unexpected %q", t.val)
- }
- }
- return n, nil
-}
-
-type variantNode struct {
- n varNode
-}
-
-var variantSet = sigSet{
- Signature{"v"}: true,
-}
-
-func (variantNode) Infer() (Signature, error) {
- return Signature{"v"}, nil
-}
-
-func (n variantNode) String() string {
- return "<" + n.n.String() + ">"
-}
-
-func (variantNode) Sigs() sigSet {
- return variantSet
-}
-
-func (n variantNode) Value(sig Signature) (interface{}, error) {
- if sig.str != "v" {
- return nil, varTypeError{n.String(), sig}
- }
- sig, err := varInfer(n.n)
- if err != nil {
- return nil, err
- }
- v, err := n.n.Value(sig)
- if err != nil {
- return nil, err
- }
- return MakeVariant(v), nil
-}
-
-func varMakeVariantNode(p *varParser, sig Signature) (varNode, error) {
- n, err := varMakeNode(p)
- if err != nil {
- return nil, err
- }
- if t := p.next(); t.typ != tokVariantEnd {
- return nil, fmt.Errorf("unexpected %q", t.val)
- }
- vn := variantNode{n}
- if sig.str != "" && sig.str != "v" {
- return nil, varTypeError{vn.String(), sig}
- }
- return variantNode{n}, nil
-}
-
-type dictEntry struct {
- key, val varNode
-}
-
-type dictNode struct {
- kset, vset sigSet
- children []dictEntry
- val interface{}
-}
-
-func (n dictNode) Infer() (Signature, error) {
- for _, v := range n.children {
- ksig, err := varInfer(v.key)
- if err != nil {
- continue
- }
- vsig, err := varInfer(v.val)
- if err != nil {
- continue
- }
- return Signature{"a{" + ksig.str + vsig.str + "}"}, nil
- }
- return Signature{}, fmt.Errorf("can't infer type for %q", n.String())
-}
-
-func (n dictNode) String() string {
- s := "{"
- for i, v := range n.children {
- s += v.key.String() + ": " + v.val.String()
- if i != len(n.children)-1 {
- s += ", "
- }
- }
- return s + "}"
-}
-
-func (n dictNode) Sigs() sigSet {
- r := sigSet{}
- for k := range n.kset {
- for v := range n.vset {
- sig := "a{" + k.str + v.str + "}"
- r[Signature{sig}] = true
- }
- }
- return r
-}
-
-func (n dictNode) Value(sig Signature) (interface{}, error) {
- set := n.Sigs()
- if set.Empty() {
- // no type information -> empty dict
- return reflect.MakeMap(typeFor(sig.str)).Interface(), nil
- }
- if !set[sig] {
- return nil, varTypeError{n.String(), sig}
- }
- m := reflect.MakeMap(typeFor(sig.str))
- ksig := Signature{sig.str[2:3]}
- vsig := Signature{sig.str[3 : len(sig.str)-1]}
- for _, v := range n.children {
- kv, err := v.key.Value(ksig)
- if err != nil {
- return nil, err
- }
- vv, err := v.val.Value(vsig)
- if err != nil {
- return nil, err
- }
- m.SetMapIndex(reflect.ValueOf(kv), reflect.ValueOf(vv))
- }
- return m.Interface(), nil
-}
-
-func varMakeDictNode(p *varParser, sig Signature) (varNode, error) {
- var n dictNode
-
- if sig.str != "" {
- if len(sig.str) < 5 {
- return nil, fmt.Errorf("invalid signature %q for dict type", sig)
- }
- ksig := Signature{string(sig.str[2])}
- vsig := Signature{sig.str[3 : len(sig.str)-1]}
- n.kset = sigSet{ksig: true}
- n.vset = sigSet{vsig: true}
- }
- if t := p.next(); t.typ == tokDictEnd {
- return n, nil
- } else {
- p.backup()
- }
-Loop:
- for {
- t := p.next()
- switch t.typ {
- case tokEOF:
- return nil, io.ErrUnexpectedEOF
- case tokError:
- return nil, errors.New(t.val)
- }
- p.backup()
- kn, err := varMakeNode(p)
- if err != nil {
- return nil, err
- }
- if kset := kn.Sigs(); !kset.Empty() {
- if n.kset.Empty() {
- n.kset = kset
- } else {
- n.kset = kset.Intersect(n.kset)
- if n.kset.Empty() {
- return nil, fmt.Errorf("can't parse %q with given type information", kn.String())
- }
- }
- }
- t = p.next()
- switch t.typ {
- case tokEOF:
- return nil, io.ErrUnexpectedEOF
- case tokError:
- return nil, errors.New(t.val)
- case tokColon:
- default:
- return nil, fmt.Errorf("unexpected %q", t.val)
- }
- t = p.next()
- switch t.typ {
- case tokEOF:
- return nil, io.ErrUnexpectedEOF
- case tokError:
- return nil, errors.New(t.val)
- }
- p.backup()
- vn, err := varMakeNode(p)
- if err != nil {
- return nil, err
- }
- if vset := vn.Sigs(); !vset.Empty() {
- if n.vset.Empty() {
- n.vset = vset
- } else {
- n.vset = n.vset.Intersect(vset)
- if n.vset.Empty() {
- return nil, fmt.Errorf("can't parse %q with given type information", vn.String())
- }
- }
- }
- n.children = append(n.children, dictEntry{kn, vn})
- t = p.next()
- switch t.typ {
- case tokEOF:
- return nil, io.ErrUnexpectedEOF
- case tokError:
- return nil, errors.New(t.val)
- case tokDictEnd:
- break Loop
- case tokComma:
- continue
- default:
- return nil, fmt.Errorf("unexpected %q", t.val)
- }
- }
- return n, nil
-}
-
-type byteStringNode []byte
-
-var byteStringSet = sigSet{
- Signature{"ay"}: true,
-}
-
-func (byteStringNode) Infer() (Signature, error) {
- return Signature{"ay"}, nil
-}
-
-func (b byteStringNode) String() string {
- return string(b)
-}
-
-func (b byteStringNode) Sigs() sigSet {
- return byteStringSet
-}
-
-func (b byteStringNode) Value(sig Signature) (interface{}, error) {
- if sig.str != "ay" {
- return nil, varTypeError{b.String(), sig}
- }
- return []byte(b), nil
-}
-
-func varParseByteString(s string) ([]byte, error) {
- // quotes and b at start are guaranteed to be there
- b := make([]byte, 0, 1)
- s = s[2 : len(s)-1]
- for len(s) != 0 {
- c := s[0]
- s = s[1:]
- if c != '\\' {
- b = append(b, c)
- continue
- }
- c = s[0]
- s = s[1:]
- switch c {
- case 'a':
- b = append(b, 0x7)
- case 'b':
- b = append(b, 0x8)
- case 'f':
- b = append(b, 0xc)
- case 'n':
- b = append(b, '\n')
- case 'r':
- b = append(b, '\r')
- case 't':
- b = append(b, '\t')
- case 'x':
- if len(s) < 2 {
- return nil, errors.New("short escape")
- }
- n, err := strconv.ParseUint(s[:2], 16, 8)
- if err != nil {
- return nil, err
- }
- b = append(b, byte(n))
- s = s[2:]
- case '0':
- if len(s) < 3 {
- return nil, errors.New("short escape")
- }
- n, err := strconv.ParseUint(s[:3], 8, 8)
- if err != nil {
- return nil, err
- }
- b = append(b, byte(n))
- s = s[3:]
- default:
- b = append(b, c)
- }
- }
- return append(b, 0), nil
-}
-
-func varInfer(n varNode) (Signature, error) {
- if sig, ok := n.Sigs().Single(); ok {
- return sig, nil
- }
- return n.Infer()
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/golang/protobuf/LICENSE b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/golang/protobuf/LICENSE
deleted file mode 100644
index 1b1b1921efa6dded19f74b196f76a96bf39c83dc..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/golang/protobuf/LICENSE
+++ /dev/null
@@ -1,31 +0,0 @@
-Go support for Protocol Buffers - Google's data interchange format
-
-Copyright 2010 The Go Authors. All rights reserved.
-https://github.com/golang/protobuf
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are
-met:
-
- * Redistributions of source code must retain the above copyright
-notice, this list of conditions and the following disclaimer.
- * Redistributions in binary form must reproduce the above
-copyright notice, this list of conditions and the following disclaimer
-in the documentation and/or other materials provided with the
-distribution.
- * Neither the name of Google Inc. nor the names of its
-contributors may be used to endorse or promote products derived from
-this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
-A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
-OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
-LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/golang/protobuf/proto/clone.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/golang/protobuf/proto/clone.go
deleted file mode 100644
index 6c6a7d95f2c02eb9663e9d37df28208cfd5343df..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/golang/protobuf/proto/clone.go
+++ /dev/null
@@ -1,197 +0,0 @@
-// Go support for Protocol Buffers - Google's data interchange format
-//
-// Copyright 2011 The Go Authors. All rights reserved.
-// https://github.com/golang/protobuf
-//
-// Redistribution and use in source and binary forms, with or without
-// modification, are permitted provided that the following conditions are
-// met:
-//
-// * Redistributions of source code must retain the above copyright
-// notice, this list of conditions and the following disclaimer.
-// * Redistributions in binary form must reproduce the above
-// copyright notice, this list of conditions and the following disclaimer
-// in the documentation and/or other materials provided with the
-// distribution.
-// * Neither the name of Google Inc. nor the names of its
-// contributors may be used to endorse or promote products derived from
-// this software without specific prior written permission.
-//
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
-// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
-// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
-// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-// Protocol buffer deep copy and merge.
-// TODO: MessageSet and RawMessage.
-
-package proto
-
-import (
- "log"
- "reflect"
- "strings"
-)
-
-// Clone returns a deep copy of a protocol buffer.
-func Clone(pb Message) Message {
- in := reflect.ValueOf(pb)
- if in.IsNil() {
- return pb
- }
-
- out := reflect.New(in.Type().Elem())
- // out is empty so a merge is a deep copy.
- mergeStruct(out.Elem(), in.Elem())
- return out.Interface().(Message)
-}
-
-// Merge merges src into dst.
-// Required and optional fields that are set in src will be set to that value in dst.
-// Elements of repeated fields will be appended.
-// Merge panics if src and dst are not the same type, or if dst is nil.
-func Merge(dst, src Message) {
- in := reflect.ValueOf(src)
- out := reflect.ValueOf(dst)
- if out.IsNil() {
- panic("proto: nil destination")
- }
- if in.Type() != out.Type() {
- // Explicit test prior to mergeStruct so that mistyped nils will fail
- panic("proto: type mismatch")
- }
- if in.IsNil() {
- // Merging nil into non-nil is a quiet no-op
- return
- }
- mergeStruct(out.Elem(), in.Elem())
-}
-
-func mergeStruct(out, in reflect.Value) {
- for i := 0; i < in.NumField(); i++ {
- f := in.Type().Field(i)
- if strings.HasPrefix(f.Name, "XXX_") {
- continue
- }
- mergeAny(out.Field(i), in.Field(i))
- }
-
- if emIn, ok := in.Addr().Interface().(extendableProto); ok {
- emOut := out.Addr().Interface().(extendableProto)
- mergeExtension(emOut.ExtensionMap(), emIn.ExtensionMap())
- }
-
- uf := in.FieldByName("XXX_unrecognized")
- if !uf.IsValid() {
- return
- }
- uin := uf.Bytes()
- if len(uin) > 0 {
- out.FieldByName("XXX_unrecognized").SetBytes(append([]byte(nil), uin...))
- }
-}
-
-func mergeAny(out, in reflect.Value) {
- if in.Type() == protoMessageType {
- if !in.IsNil() {
- if out.IsNil() {
- out.Set(reflect.ValueOf(Clone(in.Interface().(Message))))
- } else {
- Merge(out.Interface().(Message), in.Interface().(Message))
- }
- }
- return
- }
- switch in.Kind() {
- case reflect.Bool, reflect.Float32, reflect.Float64, reflect.Int32, reflect.Int64,
- reflect.String, reflect.Uint32, reflect.Uint64:
- out.Set(in)
- case reflect.Map:
- if in.Len() == 0 {
- return
- }
- if out.IsNil() {
- out.Set(reflect.MakeMap(in.Type()))
- }
- // For maps with value types of *T or []byte we need to deep copy each value.
- elemKind := in.Type().Elem().Kind()
- for _, key := range in.MapKeys() {
- var val reflect.Value
- switch elemKind {
- case reflect.Ptr:
- val = reflect.New(in.Type().Elem().Elem())
- mergeAny(val, in.MapIndex(key))
- case reflect.Slice:
- val = in.MapIndex(key)
- val = reflect.ValueOf(append([]byte{}, val.Bytes()...))
- default:
- val = in.MapIndex(key)
- }
- out.SetMapIndex(key, val)
- }
- case reflect.Ptr:
- if in.IsNil() {
- return
- }
- if out.IsNil() {
- out.Set(reflect.New(in.Elem().Type()))
- }
- mergeAny(out.Elem(), in.Elem())
- case reflect.Slice:
- if in.IsNil() {
- return
- }
- if in.Type().Elem().Kind() == reflect.Uint8 {
- // []byte is a scalar bytes field, not a repeated field.
- // Make a deep copy.
- // Append to []byte{} instead of []byte(nil) so that we never end up
- // with a nil result.
- out.SetBytes(append([]byte{}, in.Bytes()...))
- return
- }
- n := in.Len()
- if out.IsNil() {
- out.Set(reflect.MakeSlice(in.Type(), 0, n))
- }
- switch in.Type().Elem().Kind() {
- case reflect.Bool, reflect.Float32, reflect.Float64, reflect.Int32, reflect.Int64,
- reflect.String, reflect.Uint32, reflect.Uint64:
- out.Set(reflect.AppendSlice(out, in))
- default:
- for i := 0; i < n; i++ {
- x := reflect.Indirect(reflect.New(in.Type().Elem()))
- mergeAny(x, in.Index(i))
- out.Set(reflect.Append(out, x))
- }
- }
- case reflect.Struct:
- mergeStruct(out, in)
- default:
- // unknown type, so not a protocol buffer
- log.Printf("proto: don't know how to copy %v", in)
- }
-}
-
-func mergeExtension(out, in map[int32]Extension) {
- for extNum, eIn := range in {
- eOut := Extension{desc: eIn.desc}
- if eIn.value != nil {
- v := reflect.New(reflect.TypeOf(eIn.value)).Elem()
- mergeAny(v, reflect.ValueOf(eIn.value))
- eOut.value = v.Interface()
- }
- if eIn.enc != nil {
- eOut.enc = make([]byte, len(eIn.enc))
- copy(eOut.enc, eIn.enc)
- }
-
- out[extNum] = eOut
- }
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/golang/protobuf/proto/decode.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/golang/protobuf/proto/decode.go
deleted file mode 100644
index 129792ed124501006be9fcc621cb6163a4613783..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/golang/protobuf/proto/decode.go
+++ /dev/null
@@ -1,821 +0,0 @@
-// Go support for Protocol Buffers - Google's data interchange format
-//
-// Copyright 2010 The Go Authors. All rights reserved.
-// https://github.com/golang/protobuf
-//
-// Redistribution and use in source and binary forms, with or without
-// modification, are permitted provided that the following conditions are
-// met:
-//
-// * Redistributions of source code must retain the above copyright
-// notice, this list of conditions and the following disclaimer.
-// * Redistributions in binary form must reproduce the above
-// copyright notice, this list of conditions and the following disclaimer
-// in the documentation and/or other materials provided with the
-// distribution.
-// * Neither the name of Google Inc. nor the names of its
-// contributors may be used to endorse or promote products derived from
-// this software without specific prior written permission.
-//
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
-// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
-// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
-// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-package proto
-
-/*
- * Routines for decoding protocol buffer data to construct in-memory representations.
- */
-
-import (
- "errors"
- "fmt"
- "io"
- "os"
- "reflect"
-)
-
-// errOverflow is returned when an integer is too large to be represented.
-var errOverflow = errors.New("proto: integer overflow")
-
-// The fundamental decoders that interpret bytes on the wire.
-// Those that take integer types all return uint64 and are
-// therefore of type valueDecoder.
-
-// DecodeVarint reads a varint-encoded integer from the slice.
-// It returns the integer and the number of bytes consumed, or
-// zero if there is not enough.
-// This is the format for the
-// int32, int64, uint32, uint64, bool, and enum
-// protocol buffer types.
-func DecodeVarint(buf []byte) (x uint64, n int) {
- // x, n already 0
- for shift := uint(0); shift < 64; shift += 7 {
- if n >= len(buf) {
- return 0, 0
- }
- b := uint64(buf[n])
- n++
- x |= (b & 0x7F) << shift
- if (b & 0x80) == 0 {
- return x, n
- }
- }
-
- // The number is too large to represent in a 64-bit value.
- return 0, 0
-}
-
-// DecodeVarint reads a varint-encoded integer from the Buffer.
-// This is the format for the
-// int32, int64, uint32, uint64, bool, and enum
-// protocol buffer types.
-func (p *Buffer) DecodeVarint() (x uint64, err error) {
- // x, err already 0
-
- i := p.index
- l := len(p.buf)
-
- for shift := uint(0); shift < 64; shift += 7 {
- if i >= l {
- err = io.ErrUnexpectedEOF
- return
- }
- b := p.buf[i]
- i++
- x |= (uint64(b) & 0x7F) << shift
- if b < 0x80 {
- p.index = i
- return
- }
- }
-
- // The number is too large to represent in a 64-bit value.
- err = errOverflow
- return
-}
-
-// DecodeFixed64 reads a 64-bit integer from the Buffer.
-// This is the format for the
-// fixed64, sfixed64, and double protocol buffer types.
-func (p *Buffer) DecodeFixed64() (x uint64, err error) {
- // x, err already 0
- i := p.index + 8
- if i < 0 || i > len(p.buf) {
- err = io.ErrUnexpectedEOF
- return
- }
- p.index = i
-
- x = uint64(p.buf[i-8])
- x |= uint64(p.buf[i-7]) << 8
- x |= uint64(p.buf[i-6]) << 16
- x |= uint64(p.buf[i-5]) << 24
- x |= uint64(p.buf[i-4]) << 32
- x |= uint64(p.buf[i-3]) << 40
- x |= uint64(p.buf[i-2]) << 48
- x |= uint64(p.buf[i-1]) << 56
- return
-}
-
-// DecodeFixed32 reads a 32-bit integer from the Buffer.
-// This is the format for the
-// fixed32, sfixed32, and float protocol buffer types.
-func (p *Buffer) DecodeFixed32() (x uint64, err error) {
- // x, err already 0
- i := p.index + 4
- if i < 0 || i > len(p.buf) {
- err = io.ErrUnexpectedEOF
- return
- }
- p.index = i
-
- x = uint64(p.buf[i-4])
- x |= uint64(p.buf[i-3]) << 8
- x |= uint64(p.buf[i-2]) << 16
- x |= uint64(p.buf[i-1]) << 24
- return
-}
-
-// DecodeZigzag64 reads a zigzag-encoded 64-bit integer
-// from the Buffer.
-// This is the format used for the sint64 protocol buffer type.
-func (p *Buffer) DecodeZigzag64() (x uint64, err error) {
- x, err = p.DecodeVarint()
- if err != nil {
- return
- }
- x = (x >> 1) ^ uint64((int64(x&1)<<63)>>63)
- return
-}
-
-// DecodeZigzag32 reads a zigzag-encoded 32-bit integer
-// from the Buffer.
-// This is the format used for the sint32 protocol buffer type.
-func (p *Buffer) DecodeZigzag32() (x uint64, err error) {
- x, err = p.DecodeVarint()
- if err != nil {
- return
- }
- x = uint64((uint32(x) >> 1) ^ uint32((int32(x&1)<<31)>>31))
- return
-}
-
-// These are not ValueDecoders: they produce an array of bytes or a string.
-// bytes, embedded messages
-
-// DecodeRawBytes reads a count-delimited byte buffer from the Buffer.
-// This is the format used for the bytes protocol buffer
-// type and for embedded messages.
-func (p *Buffer) DecodeRawBytes(alloc bool) (buf []byte, err error) {
- n, err := p.DecodeVarint()
- if err != nil {
- return nil, err
- }
-
- nb := int(n)
- if nb < 0 {
- return nil, fmt.Errorf("proto: bad byte length %d", nb)
- }
- end := p.index + nb
- if end < p.index || end > len(p.buf) {
- return nil, io.ErrUnexpectedEOF
- }
-
- if !alloc {
- // todo: check if can get more uses of alloc=false
- buf = p.buf[p.index:end]
- p.index += nb
- return
- }
-
- buf = make([]byte, nb)
- copy(buf, p.buf[p.index:])
- p.index += nb
- return
-}
-
-// DecodeStringBytes reads an encoded string from the Buffer.
-// This is the format used for the proto2 string type.
-func (p *Buffer) DecodeStringBytes() (s string, err error) {
- buf, err := p.DecodeRawBytes(false)
- if err != nil {
- return
- }
- return string(buf), nil
-}
-
-// Skip the next item in the buffer. Its wire type is decoded and presented as an argument.
-// If the protocol buffer has extensions, and the field matches, add it as an extension.
-// Otherwise, if the XXX_unrecognized field exists, append the skipped data there.
-func (o *Buffer) skipAndSave(t reflect.Type, tag, wire int, base structPointer, unrecField field) error {
- oi := o.index
-
- err := o.skip(t, tag, wire)
- if err != nil {
- return err
- }
-
- if !unrecField.IsValid() {
- return nil
- }
-
- ptr := structPointer_Bytes(base, unrecField)
-
- // Add the skipped field to struct field
- obuf := o.buf
-
- o.buf = *ptr
- o.EncodeVarint(uint64(tag<<3 | wire))
- *ptr = append(o.buf, obuf[oi:o.index]...)
-
- o.buf = obuf
-
- return nil
-}
-
-// Skip the next item in the buffer. Its wire type is decoded and presented as an argument.
-func (o *Buffer) skip(t reflect.Type, tag, wire int) error {
-
- var u uint64
- var err error
-
- switch wire {
- case WireVarint:
- _, err = o.DecodeVarint()
- case WireFixed64:
- _, err = o.DecodeFixed64()
- case WireBytes:
- _, err = o.DecodeRawBytes(false)
- case WireFixed32:
- _, err = o.DecodeFixed32()
- case WireStartGroup:
- for {
- u, err = o.DecodeVarint()
- if err != nil {
- break
- }
- fwire := int(u & 0x7)
- if fwire == WireEndGroup {
- break
- }
- ftag := int(u >> 3)
- err = o.skip(t, ftag, fwire)
- if err != nil {
- break
- }
- }
- default:
- err = fmt.Errorf("proto: can't skip unknown wire type %d for %s", wire, t)
- }
- return err
-}
-
-// Unmarshaler is the interface representing objects that can
-// unmarshal themselves. The method should reset the receiver before
-// decoding starts. The argument points to data that may be
-// overwritten, so implementations should not keep references to the
-// buffer.
-type Unmarshaler interface {
- Unmarshal([]byte) error
-}
-
-// Unmarshal parses the protocol buffer representation in buf and places the
-// decoded result in pb. If the struct underlying pb does not match
-// the data in buf, the results can be unpredictable.
-//
-// Unmarshal resets pb before starting to unmarshal, so any
-// existing data in pb is always removed. Use UnmarshalMerge
-// to preserve and append to existing data.
-func Unmarshal(buf []byte, pb Message) error {
- pb.Reset()
- return UnmarshalMerge(buf, pb)
-}
-
-// UnmarshalMerge parses the protocol buffer representation in buf and
-// writes the decoded result to pb. If the struct underlying pb does not match
-// the data in buf, the results can be unpredictable.
-//
-// UnmarshalMerge merges into existing data in pb.
-// Most code should use Unmarshal instead.
-func UnmarshalMerge(buf []byte, pb Message) error {
- // If the object can unmarshal itself, let it.
- if u, ok := pb.(Unmarshaler); ok {
- return u.Unmarshal(buf)
- }
- return NewBuffer(buf).Unmarshal(pb)
-}
-
-// Unmarshal parses the protocol buffer representation in the
-// Buffer and places the decoded result in pb. If the struct
-// underlying pb does not match the data in the buffer, the results can be
-// unpredictable.
-func (p *Buffer) Unmarshal(pb Message) error {
- // If the object can unmarshal itself, let it.
- if u, ok := pb.(Unmarshaler); ok {
- err := u.Unmarshal(p.buf[p.index:])
- p.index = len(p.buf)
- return err
- }
-
- typ, base, err := getbase(pb)
- if err != nil {
- return err
- }
-
- err = p.unmarshalType(typ.Elem(), GetProperties(typ.Elem()), false, base)
-
- if collectStats {
- stats.Decode++
- }
-
- return err
-}
-
-// unmarshalType does the work of unmarshaling a structure.
-func (o *Buffer) unmarshalType(st reflect.Type, prop *StructProperties, is_group bool, base structPointer) error {
- var state errorState
- required, reqFields := prop.reqCount, uint64(0)
-
- var err error
- for err == nil && o.index < len(o.buf) {
- oi := o.index
- var u uint64
- u, err = o.DecodeVarint()
- if err != nil {
- break
- }
- wire := int(u & 0x7)
- if wire == WireEndGroup {
- if is_group {
- return nil // input is satisfied
- }
- return fmt.Errorf("proto: %s: wiretype end group for non-group", st)
- }
- tag := int(u >> 3)
- if tag <= 0 {
- return fmt.Errorf("proto: %s: illegal tag %d (wire type %d)", st, tag, wire)
- }
- fieldnum, ok := prop.decoderTags.get(tag)
- if !ok {
- // Maybe it's an extension?
- if prop.extendable {
- if e := structPointer_Interface(base, st).(extendableProto); isExtensionField(e, int32(tag)) {
- if err = o.skip(st, tag, wire); err == nil {
- ext := e.ExtensionMap()[int32(tag)] // may be missing
- ext.enc = append(ext.enc, o.buf[oi:o.index]...)
- e.ExtensionMap()[int32(tag)] = ext
- }
- continue
- }
- }
- err = o.skipAndSave(st, tag, wire, base, prop.unrecField)
- continue
- }
- p := prop.Prop[fieldnum]
-
- if p.dec == nil {
- fmt.Fprintf(os.Stderr, "proto: no protobuf decoder for %s.%s\n", st, st.Field(fieldnum).Name)
- continue
- }
- dec := p.dec
- if wire != WireStartGroup && wire != p.WireType {
- if wire == WireBytes && p.packedDec != nil {
- // a packable field
- dec = p.packedDec
- } else {
- err = fmt.Errorf("proto: bad wiretype for field %s.%s: got wiretype %d, want %d", st, st.Field(fieldnum).Name, wire, p.WireType)
- continue
- }
- }
- decErr := dec(o, p, base)
- if decErr != nil && !state.shouldContinue(decErr, p) {
- err = decErr
- }
- if err == nil && p.Required {
- // Successfully decoded a required field.
- if tag <= 64 {
- // use bitmap for fields 1-64 to catch field reuse.
- var mask uint64 = 1 << uint64(tag-1)
- if reqFields&mask == 0 {
- // new required field
- reqFields |= mask
- required--
- }
- } else {
- // This is imprecise. It can be fooled by a required field
- // with a tag > 64 that is encoded twice; that's very rare.
- // A fully correct implementation would require allocating
- // a data structure, which we would like to avoid.
- required--
- }
- }
- }
- if err == nil {
- if is_group {
- return io.ErrUnexpectedEOF
- }
- if state.err != nil {
- return state.err
- }
- if required > 0 {
- // Not enough information to determine the exact field. If we use extra
- // CPU, we could determine the field only if the missing required field
- // has a tag <= 64 and we check reqFields.
- return &RequiredNotSetError{"{Unknown}"}
- }
- }
- return err
-}
-
-// Individual type decoders
-// For each,
-// u is the decoded value,
-// v is a pointer to the field (pointer) in the struct
-
-// Sizes of the pools to allocate inside the Buffer.
-// The goal is modest amortization and allocation
-// on at least 16-byte boundaries.
-const (
- boolPoolSize = 16
- uint32PoolSize = 8
- uint64PoolSize = 4
-)
-
-// Decode a bool.
-func (o *Buffer) dec_bool(p *Properties, base structPointer) error {
- u, err := p.valDec(o)
- if err != nil {
- return err
- }
- if len(o.bools) == 0 {
- o.bools = make([]bool, boolPoolSize)
- }
- o.bools[0] = u != 0
- *structPointer_Bool(base, p.field) = &o.bools[0]
- o.bools = o.bools[1:]
- return nil
-}
-
-func (o *Buffer) dec_proto3_bool(p *Properties, base structPointer) error {
- u, err := p.valDec(o)
- if err != nil {
- return err
- }
- *structPointer_BoolVal(base, p.field) = u != 0
- return nil
-}
-
-// Decode an int32.
-func (o *Buffer) dec_int32(p *Properties, base structPointer) error {
- u, err := p.valDec(o)
- if err != nil {
- return err
- }
- word32_Set(structPointer_Word32(base, p.field), o, uint32(u))
- return nil
-}
-
-func (o *Buffer) dec_proto3_int32(p *Properties, base structPointer) error {
- u, err := p.valDec(o)
- if err != nil {
- return err
- }
- word32Val_Set(structPointer_Word32Val(base, p.field), uint32(u))
- return nil
-}
-
-// Decode an int64.
-func (o *Buffer) dec_int64(p *Properties, base structPointer) error {
- u, err := p.valDec(o)
- if err != nil {
- return err
- }
- word64_Set(structPointer_Word64(base, p.field), o, u)
- return nil
-}
-
-func (o *Buffer) dec_proto3_int64(p *Properties, base structPointer) error {
- u, err := p.valDec(o)
- if err != nil {
- return err
- }
- word64Val_Set(structPointer_Word64Val(base, p.field), o, u)
- return nil
-}
-
-// Decode a string.
-func (o *Buffer) dec_string(p *Properties, base structPointer) error {
- s, err := o.DecodeStringBytes()
- if err != nil {
- return err
- }
- *structPointer_String(base, p.field) = &s
- return nil
-}
-
-func (o *Buffer) dec_proto3_string(p *Properties, base structPointer) error {
- s, err := o.DecodeStringBytes()
- if err != nil {
- return err
- }
- *structPointer_StringVal(base, p.field) = s
- return nil
-}
-
-// Decode a slice of bytes ([]byte).
-func (o *Buffer) dec_slice_byte(p *Properties, base structPointer) error {
- b, err := o.DecodeRawBytes(true)
- if err != nil {
- return err
- }
- *structPointer_Bytes(base, p.field) = b
- return nil
-}
-
-// Decode a slice of bools ([]bool).
-func (o *Buffer) dec_slice_bool(p *Properties, base structPointer) error {
- u, err := p.valDec(o)
- if err != nil {
- return err
- }
- v := structPointer_BoolSlice(base, p.field)
- *v = append(*v, u != 0)
- return nil
-}
-
-// Decode a slice of bools ([]bool) in packed format.
-func (o *Buffer) dec_slice_packed_bool(p *Properties, base structPointer) error {
- v := structPointer_BoolSlice(base, p.field)
-
- nn, err := o.DecodeVarint()
- if err != nil {
- return err
- }
- nb := int(nn) // number of bytes of encoded bools
-
- y := *v
- for i := 0; i < nb; i++ {
- u, err := p.valDec(o)
- if err != nil {
- return err
- }
- y = append(y, u != 0)
- }
-
- *v = y
- return nil
-}
-
-// Decode a slice of int32s ([]int32).
-func (o *Buffer) dec_slice_int32(p *Properties, base structPointer) error {
- u, err := p.valDec(o)
- if err != nil {
- return err
- }
- structPointer_Word32Slice(base, p.field).Append(uint32(u))
- return nil
-}
-
-// Decode a slice of int32s ([]int32) in packed format.
-func (o *Buffer) dec_slice_packed_int32(p *Properties, base structPointer) error {
- v := structPointer_Word32Slice(base, p.field)
-
- nn, err := o.DecodeVarint()
- if err != nil {
- return err
- }
- nb := int(nn) // number of bytes of encoded int32s
-
- fin := o.index + nb
- if fin < o.index {
- return errOverflow
- }
- for o.index < fin {
- u, err := p.valDec(o)
- if err != nil {
- return err
- }
- v.Append(uint32(u))
- }
- return nil
-}
-
-// Decode a slice of int64s ([]int64).
-func (o *Buffer) dec_slice_int64(p *Properties, base structPointer) error {
- u, err := p.valDec(o)
- if err != nil {
- return err
- }
-
- structPointer_Word64Slice(base, p.field).Append(u)
- return nil
-}
-
-// Decode a slice of int64s ([]int64) in packed format.
-func (o *Buffer) dec_slice_packed_int64(p *Properties, base structPointer) error {
- v := structPointer_Word64Slice(base, p.field)
-
- nn, err := o.DecodeVarint()
- if err != nil {
- return err
- }
- nb := int(nn) // number of bytes of encoded int64s
-
- fin := o.index + nb
- if fin < o.index {
- return errOverflow
- }
- for o.index < fin {
- u, err := p.valDec(o)
- if err != nil {
- return err
- }
- v.Append(u)
- }
- return nil
-}
-
-// Decode a slice of strings ([]string).
-func (o *Buffer) dec_slice_string(p *Properties, base structPointer) error {
- s, err := o.DecodeStringBytes()
- if err != nil {
- return err
- }
- v := structPointer_StringSlice(base, p.field)
- *v = append(*v, s)
- return nil
-}
-
-// Decode a slice of slice of bytes ([][]byte).
-func (o *Buffer) dec_slice_slice_byte(p *Properties, base structPointer) error {
- b, err := o.DecodeRawBytes(true)
- if err != nil {
- return err
- }
- v := structPointer_BytesSlice(base, p.field)
- *v = append(*v, b)
- return nil
-}
-
-// Decode a map field.
-func (o *Buffer) dec_new_map(p *Properties, base structPointer) error {
- raw, err := o.DecodeRawBytes(false)
- if err != nil {
- return err
- }
- oi := o.index // index at the end of this map entry
- o.index -= len(raw) // move buffer back to start of map entry
-
- mptr := structPointer_Map(base, p.field, p.mtype) // *map[K]V
- if mptr.Elem().IsNil() {
- mptr.Elem().Set(reflect.MakeMap(mptr.Type().Elem()))
- }
- v := mptr.Elem() // map[K]V
-
- // Prepare addressable doubly-indirect placeholders for the key and value types.
- // See enc_new_map for why.
- keyptr := reflect.New(reflect.PtrTo(p.mtype.Key())).Elem() // addressable *K
- keybase := toStructPointer(keyptr.Addr()) // **K
-
- var valbase structPointer
- var valptr reflect.Value
- switch p.mtype.Elem().Kind() {
- case reflect.Slice:
- // []byte
- var dummy []byte
- valptr = reflect.ValueOf(&dummy) // *[]byte
- valbase = toStructPointer(valptr) // *[]byte
- case reflect.Ptr:
- // message; valptr is **Msg; need to allocate the intermediate pointer
- valptr = reflect.New(reflect.PtrTo(p.mtype.Elem())).Elem() // addressable *V
- valptr.Set(reflect.New(valptr.Type().Elem()))
- valbase = toStructPointer(valptr)
- default:
- // everything else
- valptr = reflect.New(reflect.PtrTo(p.mtype.Elem())).Elem() // addressable *V
- valbase = toStructPointer(valptr.Addr()) // **V
- }
-
- // Decode.
- // This parses a restricted wire format, namely the encoding of a message
- // with two fields. See enc_new_map for the format.
- for o.index < oi {
- // tagcode for key and value properties are always a single byte
- // because they have tags 1 and 2.
- tagcode := o.buf[o.index]
- o.index++
- switch tagcode {
- case p.mkeyprop.tagcode[0]:
- if err := p.mkeyprop.dec(o, p.mkeyprop, keybase); err != nil {
- return err
- }
- case p.mvalprop.tagcode[0]:
- if err := p.mvalprop.dec(o, p.mvalprop, valbase); err != nil {
- return err
- }
- default:
- // TODO: Should we silently skip this instead?
- return fmt.Errorf("proto: bad map data tag %d", raw[0])
- }
- }
-
- v.SetMapIndex(keyptr.Elem(), valptr.Elem())
- return nil
-}
-
-// Decode a group.
-func (o *Buffer) dec_struct_group(p *Properties, base structPointer) error {
- bas := structPointer_GetStructPointer(base, p.field)
- if structPointer_IsNil(bas) {
- // allocate new nested message
- bas = toStructPointer(reflect.New(p.stype))
- structPointer_SetStructPointer(base, p.field, bas)
- }
- return o.unmarshalType(p.stype, p.sprop, true, bas)
-}
-
-// Decode an embedded message.
-func (o *Buffer) dec_struct_message(p *Properties, base structPointer) (err error) {
- raw, e := o.DecodeRawBytes(false)
- if e != nil {
- return e
- }
-
- bas := structPointer_GetStructPointer(base, p.field)
- if structPointer_IsNil(bas) {
- // allocate new nested message
- bas = toStructPointer(reflect.New(p.stype))
- structPointer_SetStructPointer(base, p.field, bas)
- }
-
- // If the object can unmarshal itself, let it.
- if p.isUnmarshaler {
- iv := structPointer_Interface(bas, p.stype)
- return iv.(Unmarshaler).Unmarshal(raw)
- }
-
- obuf := o.buf
- oi := o.index
- o.buf = raw
- o.index = 0
-
- err = o.unmarshalType(p.stype, p.sprop, false, bas)
- o.buf = obuf
- o.index = oi
-
- return err
-}
-
-// Decode a slice of embedded messages.
-func (o *Buffer) dec_slice_struct_message(p *Properties, base structPointer) error {
- return o.dec_slice_struct(p, false, base)
-}
-
-// Decode a slice of embedded groups.
-func (o *Buffer) dec_slice_struct_group(p *Properties, base structPointer) error {
- return o.dec_slice_struct(p, true, base)
-}
-
-// Decode a slice of structs ([]*struct).
-func (o *Buffer) dec_slice_struct(p *Properties, is_group bool, base structPointer) error {
- v := reflect.New(p.stype)
- bas := toStructPointer(v)
- structPointer_StructPointerSlice(base, p.field).Append(bas)
-
- if is_group {
- err := o.unmarshalType(p.stype, p.sprop, is_group, bas)
- return err
- }
-
- raw, err := o.DecodeRawBytes(false)
- if err != nil {
- return err
- }
-
- // If the object can unmarshal itself, let it.
- if p.isUnmarshaler {
- iv := v.Interface()
- return iv.(Unmarshaler).Unmarshal(raw)
- }
-
- obuf := o.buf
- oi := o.index
- o.buf = raw
- o.index = 0
-
- err = o.unmarshalType(p.stype, p.sprop, is_group, bas)
-
- o.buf = obuf
- o.index = oi
-
- return err
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/golang/protobuf/proto/encode.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/golang/protobuf/proto/encode.go
deleted file mode 100644
index cd826e9b1ac42d7e58064f7929994d4431272cdf..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/golang/protobuf/proto/encode.go
+++ /dev/null
@@ -1,1286 +0,0 @@
-// Go support for Protocol Buffers - Google's data interchange format
-//
-// Copyright 2010 The Go Authors. All rights reserved.
-// https://github.com/golang/protobuf
-//
-// Redistribution and use in source and binary forms, with or without
-// modification, are permitted provided that the following conditions are
-// met:
-//
-// * Redistributions of source code must retain the above copyright
-// notice, this list of conditions and the following disclaimer.
-// * Redistributions in binary form must reproduce the above
-// copyright notice, this list of conditions and the following disclaimer
-// in the documentation and/or other materials provided with the
-// distribution.
-// * Neither the name of Google Inc. nor the names of its
-// contributors may be used to endorse or promote products derived from
-// this software without specific prior written permission.
-//
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
-// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
-// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
-// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-package proto
-
-/*
- * Routines for encoding data into the wire format for protocol buffers.
- */
-
-import (
- "errors"
- "fmt"
- "reflect"
- "sort"
-)
-
-// RequiredNotSetError is the error returned if Marshal is called with
-// a protocol buffer struct whose required fields have not
-// all been initialized. It is also the error returned if Unmarshal is
-// called with an encoded protocol buffer that does not include all the
-// required fields.
-//
-// When printed, RequiredNotSetError reports the first unset required field in a
-// message. If the field cannot be precisely determined, it is reported as
-// "{Unknown}".
-type RequiredNotSetError struct {
- field string
-}
-
-func (e *RequiredNotSetError) Error() string {
- return fmt.Sprintf("proto: required field %q not set", e.field)
-}
-
-var (
- // errRepeatedHasNil is the error returned if Marshal is called with
- // a struct with a repeated field containing a nil element.
- errRepeatedHasNil = errors.New("proto: repeated field has nil element")
-
- // ErrNil is the error returned if Marshal is called with nil.
- ErrNil = errors.New("proto: Marshal called with nil")
-)
-
-// The fundamental encoders that put bytes on the wire.
-// Those that take integer types all accept uint64 and are
-// therefore of type valueEncoder.
-
-const maxVarintBytes = 10 // maximum length of a varint
-
-// EncodeVarint returns the varint encoding of x.
-// This is the format for the
-// int32, int64, uint32, uint64, bool, and enum
-// protocol buffer types.
-// Not used by the package itself, but helpful to clients
-// wishing to use the same encoding.
-func EncodeVarint(x uint64) []byte {
- var buf [maxVarintBytes]byte
- var n int
- for n = 0; x > 127; n++ {
- buf[n] = 0x80 | uint8(x&0x7F)
- x >>= 7
- }
- buf[n] = uint8(x)
- n++
- return buf[0:n]
-}
-
-// EncodeVarint writes a varint-encoded integer to the Buffer.
-// This is the format for the
-// int32, int64, uint32, uint64, bool, and enum
-// protocol buffer types.
-func (p *Buffer) EncodeVarint(x uint64) error {
- for x >= 1<<7 {
- p.buf = append(p.buf, uint8(x&0x7f|0x80))
- x >>= 7
- }
- p.buf = append(p.buf, uint8(x))
- return nil
-}
-
-func sizeVarint(x uint64) (n int) {
- for {
- n++
- x >>= 7
- if x == 0 {
- break
- }
- }
- return n
-}
-
-// EncodeFixed64 writes a 64-bit integer to the Buffer.
-// This is the format for the
-// fixed64, sfixed64, and double protocol buffer types.
-func (p *Buffer) EncodeFixed64(x uint64) error {
- p.buf = append(p.buf,
- uint8(x),
- uint8(x>>8),
- uint8(x>>16),
- uint8(x>>24),
- uint8(x>>32),
- uint8(x>>40),
- uint8(x>>48),
- uint8(x>>56))
- return nil
-}
-
-func sizeFixed64(x uint64) int {
- return 8
-}
-
-// EncodeFixed32 writes a 32-bit integer to the Buffer.
-// This is the format for the
-// fixed32, sfixed32, and float protocol buffer types.
-func (p *Buffer) EncodeFixed32(x uint64) error {
- p.buf = append(p.buf,
- uint8(x),
- uint8(x>>8),
- uint8(x>>16),
- uint8(x>>24))
- return nil
-}
-
-func sizeFixed32(x uint64) int {
- return 4
-}
-
-// EncodeZigzag64 writes a zigzag-encoded 64-bit integer
-// to the Buffer.
-// This is the format used for the sint64 protocol buffer type.
-func (p *Buffer) EncodeZigzag64(x uint64) error {
- // use signed number to get arithmetic right shift.
- return p.EncodeVarint(uint64((x << 1) ^ uint64((int64(x) >> 63))))
-}
-
-func sizeZigzag64(x uint64) int {
- return sizeVarint(uint64((x << 1) ^ uint64((int64(x) >> 63))))
-}
-
-// EncodeZigzag32 writes a zigzag-encoded 32-bit integer
-// to the Buffer.
-// This is the format used for the sint32 protocol buffer type.
-func (p *Buffer) EncodeZigzag32(x uint64) error {
- // use signed number to get arithmetic right shift.
- return p.EncodeVarint(uint64((uint32(x) << 1) ^ uint32((int32(x) >> 31))))
-}
-
-func sizeZigzag32(x uint64) int {
- return sizeVarint(uint64((uint32(x) << 1) ^ uint32((int32(x) >> 31))))
-}
-
-// EncodeRawBytes writes a count-delimited byte buffer to the Buffer.
-// This is the format used for the bytes protocol buffer
-// type and for embedded messages.
-func (p *Buffer) EncodeRawBytes(b []byte) error {
- p.EncodeVarint(uint64(len(b)))
- p.buf = append(p.buf, b...)
- return nil
-}
-
-func sizeRawBytes(b []byte) int {
- return sizeVarint(uint64(len(b))) +
- len(b)
-}
-
-// EncodeStringBytes writes an encoded string to the Buffer.
-// This is the format used for the proto2 string type.
-func (p *Buffer) EncodeStringBytes(s string) error {
- p.EncodeVarint(uint64(len(s)))
- p.buf = append(p.buf, s...)
- return nil
-}
-
-func sizeStringBytes(s string) int {
- return sizeVarint(uint64(len(s))) +
- len(s)
-}
-
-// Marshaler is the interface representing objects that can marshal themselves.
-type Marshaler interface {
- Marshal() ([]byte, error)
-}
-
-// Marshal takes the protocol buffer
-// and encodes it into the wire format, returning the data.
-func Marshal(pb Message) ([]byte, error) {
- // Can the object marshal itself?
- if m, ok := pb.(Marshaler); ok {
- return m.Marshal()
- }
- p := NewBuffer(nil)
- err := p.Marshal(pb)
- var state errorState
- if err != nil && !state.shouldContinue(err, nil) {
- return nil, err
- }
- if p.buf == nil && err == nil {
- // Return a non-nil slice on success.
- return []byte{}, nil
- }
- return p.buf, err
-}
-
-// Marshal takes the protocol buffer
-// and encodes it into the wire format, writing the result to the
-// Buffer.
-func (p *Buffer) Marshal(pb Message) error {
- // Can the object marshal itself?
- if m, ok := pb.(Marshaler); ok {
- data, err := m.Marshal()
- if err != nil {
- return err
- }
- p.buf = append(p.buf, data...)
- return nil
- }
-
- t, base, err := getbase(pb)
- if structPointer_IsNil(base) {
- return ErrNil
- }
- if err == nil {
- err = p.enc_struct(GetProperties(t.Elem()), base)
- }
-
- if collectStats {
- stats.Encode++
- }
-
- return err
-}
-
-// Size returns the encoded size of a protocol buffer.
-func Size(pb Message) (n int) {
- // Can the object marshal itself? If so, Size is slow.
- // TODO: add Size to Marshaler, or add a Sizer interface.
- if m, ok := pb.(Marshaler); ok {
- b, _ := m.Marshal()
- return len(b)
- }
-
- t, base, err := getbase(pb)
- if structPointer_IsNil(base) {
- return 0
- }
- if err == nil {
- n = size_struct(GetProperties(t.Elem()), base)
- }
-
- if collectStats {
- stats.Size++
- }
-
- return
-}
-
-// Individual type encoders.
-
-// Encode a bool.
-func (o *Buffer) enc_bool(p *Properties, base structPointer) error {
- v := *structPointer_Bool(base, p.field)
- if v == nil {
- return ErrNil
- }
- x := 0
- if *v {
- x = 1
- }
- o.buf = append(o.buf, p.tagcode...)
- p.valEnc(o, uint64(x))
- return nil
-}
-
-func (o *Buffer) enc_proto3_bool(p *Properties, base structPointer) error {
- v := *structPointer_BoolVal(base, p.field)
- if !v {
- return ErrNil
- }
- o.buf = append(o.buf, p.tagcode...)
- p.valEnc(o, 1)
- return nil
-}
-
-func size_bool(p *Properties, base structPointer) int {
- v := *structPointer_Bool(base, p.field)
- if v == nil {
- return 0
- }
- return len(p.tagcode) + 1 // each bool takes exactly one byte
-}
-
-func size_proto3_bool(p *Properties, base structPointer) int {
- v := *structPointer_BoolVal(base, p.field)
- if !v {
- return 0
- }
- return len(p.tagcode) + 1 // each bool takes exactly one byte
-}
-
-// Encode an int32.
-func (o *Buffer) enc_int32(p *Properties, base structPointer) error {
- v := structPointer_Word32(base, p.field)
- if word32_IsNil(v) {
- return ErrNil
- }
- x := int32(word32_Get(v)) // permit sign extension to use full 64-bit range
- o.buf = append(o.buf, p.tagcode...)
- p.valEnc(o, uint64(x))
- return nil
-}
-
-func (o *Buffer) enc_proto3_int32(p *Properties, base structPointer) error {
- v := structPointer_Word32Val(base, p.field)
- x := int32(word32Val_Get(v)) // permit sign extension to use full 64-bit range
- if x == 0 {
- return ErrNil
- }
- o.buf = append(o.buf, p.tagcode...)
- p.valEnc(o, uint64(x))
- return nil
-}
-
-func size_int32(p *Properties, base structPointer) (n int) {
- v := structPointer_Word32(base, p.field)
- if word32_IsNil(v) {
- return 0
- }
- x := int32(word32_Get(v)) // permit sign extension to use full 64-bit range
- n += len(p.tagcode)
- n += p.valSize(uint64(x))
- return
-}
-
-func size_proto3_int32(p *Properties, base structPointer) (n int) {
- v := structPointer_Word32Val(base, p.field)
- x := int32(word32Val_Get(v)) // permit sign extension to use full 64-bit range
- if x == 0 {
- return 0
- }
- n += len(p.tagcode)
- n += p.valSize(uint64(x))
- return
-}
-
-// Encode a uint32.
-// Exactly the same as int32, except for no sign extension.
-func (o *Buffer) enc_uint32(p *Properties, base structPointer) error {
- v := structPointer_Word32(base, p.field)
- if word32_IsNil(v) {
- return ErrNil
- }
- x := word32_Get(v)
- o.buf = append(o.buf, p.tagcode...)
- p.valEnc(o, uint64(x))
- return nil
-}
-
-func (o *Buffer) enc_proto3_uint32(p *Properties, base structPointer) error {
- v := structPointer_Word32Val(base, p.field)
- x := word32Val_Get(v)
- if x == 0 {
- return ErrNil
- }
- o.buf = append(o.buf, p.tagcode...)
- p.valEnc(o, uint64(x))
- return nil
-}
-
-func size_uint32(p *Properties, base structPointer) (n int) {
- v := structPointer_Word32(base, p.field)
- if word32_IsNil(v) {
- return 0
- }
- x := word32_Get(v)
- n += len(p.tagcode)
- n += p.valSize(uint64(x))
- return
-}
-
-func size_proto3_uint32(p *Properties, base structPointer) (n int) {
- v := structPointer_Word32Val(base, p.field)
- x := word32Val_Get(v)
- if x == 0 {
- return 0
- }
- n += len(p.tagcode)
- n += p.valSize(uint64(x))
- return
-}
-
-// Encode an int64.
-func (o *Buffer) enc_int64(p *Properties, base structPointer) error {
- v := structPointer_Word64(base, p.field)
- if word64_IsNil(v) {
- return ErrNil
- }
- x := word64_Get(v)
- o.buf = append(o.buf, p.tagcode...)
- p.valEnc(o, x)
- return nil
-}
-
-func (o *Buffer) enc_proto3_int64(p *Properties, base structPointer) error {
- v := structPointer_Word64Val(base, p.field)
- x := word64Val_Get(v)
- if x == 0 {
- return ErrNil
- }
- o.buf = append(o.buf, p.tagcode...)
- p.valEnc(o, x)
- return nil
-}
-
-func size_int64(p *Properties, base structPointer) (n int) {
- v := structPointer_Word64(base, p.field)
- if word64_IsNil(v) {
- return 0
- }
- x := word64_Get(v)
- n += len(p.tagcode)
- n += p.valSize(x)
- return
-}
-
-func size_proto3_int64(p *Properties, base structPointer) (n int) {
- v := structPointer_Word64Val(base, p.field)
- x := word64Val_Get(v)
- if x == 0 {
- return 0
- }
- n += len(p.tagcode)
- n += p.valSize(x)
- return
-}
-
-// Encode a string.
-func (o *Buffer) enc_string(p *Properties, base structPointer) error {
- v := *structPointer_String(base, p.field)
- if v == nil {
- return ErrNil
- }
- x := *v
- o.buf = append(o.buf, p.tagcode...)
- o.EncodeStringBytes(x)
- return nil
-}
-
-func (o *Buffer) enc_proto3_string(p *Properties, base structPointer) error {
- v := *structPointer_StringVal(base, p.field)
- if v == "" {
- return ErrNil
- }
- o.buf = append(o.buf, p.tagcode...)
- o.EncodeStringBytes(v)
- return nil
-}
-
-func size_string(p *Properties, base structPointer) (n int) {
- v := *structPointer_String(base, p.field)
- if v == nil {
- return 0
- }
- x := *v
- n += len(p.tagcode)
- n += sizeStringBytes(x)
- return
-}
-
-func size_proto3_string(p *Properties, base structPointer) (n int) {
- v := *structPointer_StringVal(base, p.field)
- if v == "" {
- return 0
- }
- n += len(p.tagcode)
- n += sizeStringBytes(v)
- return
-}
-
-// All protocol buffer fields are nillable, but be careful.
-func isNil(v reflect.Value) bool {
- switch v.Kind() {
- case reflect.Interface, reflect.Map, reflect.Ptr, reflect.Slice:
- return v.IsNil()
- }
- return false
-}
-
-// Encode a message struct.
-func (o *Buffer) enc_struct_message(p *Properties, base structPointer) error {
- var state errorState
- structp := structPointer_GetStructPointer(base, p.field)
- if structPointer_IsNil(structp) {
- return ErrNil
- }
-
- // Can the object marshal itself?
- if p.isMarshaler {
- m := structPointer_Interface(structp, p.stype).(Marshaler)
- data, err := m.Marshal()
- if err != nil && !state.shouldContinue(err, nil) {
- return err
- }
- o.buf = append(o.buf, p.tagcode...)
- o.EncodeRawBytes(data)
- return nil
- }
-
- o.buf = append(o.buf, p.tagcode...)
- return o.enc_len_struct(p.sprop, structp, &state)
-}
-
-func size_struct_message(p *Properties, base structPointer) int {
- structp := structPointer_GetStructPointer(base, p.field)
- if structPointer_IsNil(structp) {
- return 0
- }
-
- // Can the object marshal itself?
- if p.isMarshaler {
- m := structPointer_Interface(structp, p.stype).(Marshaler)
- data, _ := m.Marshal()
- n0 := len(p.tagcode)
- n1 := sizeRawBytes(data)
- return n0 + n1
- }
-
- n0 := len(p.tagcode)
- n1 := size_struct(p.sprop, structp)
- n2 := sizeVarint(uint64(n1)) // size of encoded length
- return n0 + n1 + n2
-}
-
-// Encode a group struct.
-func (o *Buffer) enc_struct_group(p *Properties, base structPointer) error {
- var state errorState
- b := structPointer_GetStructPointer(base, p.field)
- if structPointer_IsNil(b) {
- return ErrNil
- }
-
- o.EncodeVarint(uint64((p.Tag << 3) | WireStartGroup))
- err := o.enc_struct(p.sprop, b)
- if err != nil && !state.shouldContinue(err, nil) {
- return err
- }
- o.EncodeVarint(uint64((p.Tag << 3) | WireEndGroup))
- return state.err
-}
-
-func size_struct_group(p *Properties, base structPointer) (n int) {
- b := structPointer_GetStructPointer(base, p.field)
- if structPointer_IsNil(b) {
- return 0
- }
-
- n += sizeVarint(uint64((p.Tag << 3) | WireStartGroup))
- n += size_struct(p.sprop, b)
- n += sizeVarint(uint64((p.Tag << 3) | WireEndGroup))
- return
-}
-
-// Encode a slice of bools ([]bool).
-func (o *Buffer) enc_slice_bool(p *Properties, base structPointer) error {
- s := *structPointer_BoolSlice(base, p.field)
- l := len(s)
- if l == 0 {
- return ErrNil
- }
- for _, x := range s {
- o.buf = append(o.buf, p.tagcode...)
- v := uint64(0)
- if x {
- v = 1
- }
- p.valEnc(o, v)
- }
- return nil
-}
-
-func size_slice_bool(p *Properties, base structPointer) int {
- s := *structPointer_BoolSlice(base, p.field)
- l := len(s)
- if l == 0 {
- return 0
- }
- return l * (len(p.tagcode) + 1) // each bool takes exactly one byte
-}
-
-// Encode a slice of bools ([]bool) in packed format.
-func (o *Buffer) enc_slice_packed_bool(p *Properties, base structPointer) error {
- s := *structPointer_BoolSlice(base, p.field)
- l := len(s)
- if l == 0 {
- return ErrNil
- }
- o.buf = append(o.buf, p.tagcode...)
- o.EncodeVarint(uint64(l)) // each bool takes exactly one byte
- for _, x := range s {
- v := uint64(0)
- if x {
- v = 1
- }
- p.valEnc(o, v)
- }
- return nil
-}
-
-func size_slice_packed_bool(p *Properties, base structPointer) (n int) {
- s := *structPointer_BoolSlice(base, p.field)
- l := len(s)
- if l == 0 {
- return 0
- }
- n += len(p.tagcode)
- n += sizeVarint(uint64(l))
- n += l // each bool takes exactly one byte
- return
-}
-
-// Encode a slice of bytes ([]byte).
-func (o *Buffer) enc_slice_byte(p *Properties, base structPointer) error {
- s := *structPointer_Bytes(base, p.field)
- if s == nil {
- return ErrNil
- }
- o.buf = append(o.buf, p.tagcode...)
- o.EncodeRawBytes(s)
- return nil
-}
-
-func (o *Buffer) enc_proto3_slice_byte(p *Properties, base structPointer) error {
- s := *structPointer_Bytes(base, p.field)
- if len(s) == 0 {
- return ErrNil
- }
- o.buf = append(o.buf, p.tagcode...)
- o.EncodeRawBytes(s)
- return nil
-}
-
-func size_slice_byte(p *Properties, base structPointer) (n int) {
- s := *structPointer_Bytes(base, p.field)
- if s == nil {
- return 0
- }
- n += len(p.tagcode)
- n += sizeRawBytes(s)
- return
-}
-
-func size_proto3_slice_byte(p *Properties, base structPointer) (n int) {
- s := *structPointer_Bytes(base, p.field)
- if len(s) == 0 {
- return 0
- }
- n += len(p.tagcode)
- n += sizeRawBytes(s)
- return
-}
-
-// Encode a slice of int32s ([]int32).
-func (o *Buffer) enc_slice_int32(p *Properties, base structPointer) error {
- s := structPointer_Word32Slice(base, p.field)
- l := s.Len()
- if l == 0 {
- return ErrNil
- }
- for i := 0; i < l; i++ {
- o.buf = append(o.buf, p.tagcode...)
- x := int32(s.Index(i)) // permit sign extension to use full 64-bit range
- p.valEnc(o, uint64(x))
- }
- return nil
-}
-
-func size_slice_int32(p *Properties, base structPointer) (n int) {
- s := structPointer_Word32Slice(base, p.field)
- l := s.Len()
- if l == 0 {
- return 0
- }
- for i := 0; i < l; i++ {
- n += len(p.tagcode)
- x := int32(s.Index(i)) // permit sign extension to use full 64-bit range
- n += p.valSize(uint64(x))
- }
- return
-}
-
-// Encode a slice of int32s ([]int32) in packed format.
-func (o *Buffer) enc_slice_packed_int32(p *Properties, base structPointer) error {
- s := structPointer_Word32Slice(base, p.field)
- l := s.Len()
- if l == 0 {
- return ErrNil
- }
- // TODO: Reuse a Buffer.
- buf := NewBuffer(nil)
- for i := 0; i < l; i++ {
- x := int32(s.Index(i)) // permit sign extension to use full 64-bit range
- p.valEnc(buf, uint64(x))
- }
-
- o.buf = append(o.buf, p.tagcode...)
- o.EncodeVarint(uint64(len(buf.buf)))
- o.buf = append(o.buf, buf.buf...)
- return nil
-}
-
-func size_slice_packed_int32(p *Properties, base structPointer) (n int) {
- s := structPointer_Word32Slice(base, p.field)
- l := s.Len()
- if l == 0 {
- return 0
- }
- var bufSize int
- for i := 0; i < l; i++ {
- x := int32(s.Index(i)) // permit sign extension to use full 64-bit range
- bufSize += p.valSize(uint64(x))
- }
-
- n += len(p.tagcode)
- n += sizeVarint(uint64(bufSize))
- n += bufSize
- return
-}
-
-// Encode a slice of uint32s ([]uint32).
-// Exactly the same as int32, except for no sign extension.
-func (o *Buffer) enc_slice_uint32(p *Properties, base structPointer) error {
- s := structPointer_Word32Slice(base, p.field)
- l := s.Len()
- if l == 0 {
- return ErrNil
- }
- for i := 0; i < l; i++ {
- o.buf = append(o.buf, p.tagcode...)
- x := s.Index(i)
- p.valEnc(o, uint64(x))
- }
- return nil
-}
-
-func size_slice_uint32(p *Properties, base structPointer) (n int) {
- s := structPointer_Word32Slice(base, p.field)
- l := s.Len()
- if l == 0 {
- return 0
- }
- for i := 0; i < l; i++ {
- n += len(p.tagcode)
- x := s.Index(i)
- n += p.valSize(uint64(x))
- }
- return
-}
-
-// Encode a slice of uint32s ([]uint32) in packed format.
-// Exactly the same as int32, except for no sign extension.
-func (o *Buffer) enc_slice_packed_uint32(p *Properties, base structPointer) error {
- s := structPointer_Word32Slice(base, p.field)
- l := s.Len()
- if l == 0 {
- return ErrNil
- }
- // TODO: Reuse a Buffer.
- buf := NewBuffer(nil)
- for i := 0; i < l; i++ {
- p.valEnc(buf, uint64(s.Index(i)))
- }
-
- o.buf = append(o.buf, p.tagcode...)
- o.EncodeVarint(uint64(len(buf.buf)))
- o.buf = append(o.buf, buf.buf...)
- return nil
-}
-
-func size_slice_packed_uint32(p *Properties, base structPointer) (n int) {
- s := structPointer_Word32Slice(base, p.field)
- l := s.Len()
- if l == 0 {
- return 0
- }
- var bufSize int
- for i := 0; i < l; i++ {
- bufSize += p.valSize(uint64(s.Index(i)))
- }
-
- n += len(p.tagcode)
- n += sizeVarint(uint64(bufSize))
- n += bufSize
- return
-}
-
-// Encode a slice of int64s ([]int64).
-func (o *Buffer) enc_slice_int64(p *Properties, base structPointer) error {
- s := structPointer_Word64Slice(base, p.field)
- l := s.Len()
- if l == 0 {
- return ErrNil
- }
- for i := 0; i < l; i++ {
- o.buf = append(o.buf, p.tagcode...)
- p.valEnc(o, s.Index(i))
- }
- return nil
-}
-
-func size_slice_int64(p *Properties, base structPointer) (n int) {
- s := structPointer_Word64Slice(base, p.field)
- l := s.Len()
- if l == 0 {
- return 0
- }
- for i := 0; i < l; i++ {
- n += len(p.tagcode)
- n += p.valSize(s.Index(i))
- }
- return
-}
-
-// Encode a slice of int64s ([]int64) in packed format.
-func (o *Buffer) enc_slice_packed_int64(p *Properties, base structPointer) error {
- s := structPointer_Word64Slice(base, p.field)
- l := s.Len()
- if l == 0 {
- return ErrNil
- }
- // TODO: Reuse a Buffer.
- buf := NewBuffer(nil)
- for i := 0; i < l; i++ {
- p.valEnc(buf, s.Index(i))
- }
-
- o.buf = append(o.buf, p.tagcode...)
- o.EncodeVarint(uint64(len(buf.buf)))
- o.buf = append(o.buf, buf.buf...)
- return nil
-}
-
-func size_slice_packed_int64(p *Properties, base structPointer) (n int) {
- s := structPointer_Word64Slice(base, p.field)
- l := s.Len()
- if l == 0 {
- return 0
- }
- var bufSize int
- for i := 0; i < l; i++ {
- bufSize += p.valSize(s.Index(i))
- }
-
- n += len(p.tagcode)
- n += sizeVarint(uint64(bufSize))
- n += bufSize
- return
-}
-
-// Encode a slice of slice of bytes ([][]byte).
-func (o *Buffer) enc_slice_slice_byte(p *Properties, base structPointer) error {
- ss := *structPointer_BytesSlice(base, p.field)
- l := len(ss)
- if l == 0 {
- return ErrNil
- }
- for i := 0; i < l; i++ {
- o.buf = append(o.buf, p.tagcode...)
- o.EncodeRawBytes(ss[i])
- }
- return nil
-}
-
-func size_slice_slice_byte(p *Properties, base structPointer) (n int) {
- ss := *structPointer_BytesSlice(base, p.field)
- l := len(ss)
- if l == 0 {
- return 0
- }
- n += l * len(p.tagcode)
- for i := 0; i < l; i++ {
- n += sizeRawBytes(ss[i])
- }
- return
-}
-
-// Encode a slice of strings ([]string).
-func (o *Buffer) enc_slice_string(p *Properties, base structPointer) error {
- ss := *structPointer_StringSlice(base, p.field)
- l := len(ss)
- for i := 0; i < l; i++ {
- o.buf = append(o.buf, p.tagcode...)
- o.EncodeStringBytes(ss[i])
- }
- return nil
-}
-
-func size_slice_string(p *Properties, base structPointer) (n int) {
- ss := *structPointer_StringSlice(base, p.field)
- l := len(ss)
- n += l * len(p.tagcode)
- for i := 0; i < l; i++ {
- n += sizeStringBytes(ss[i])
- }
- return
-}
-
-// Encode a slice of message structs ([]*struct).
-func (o *Buffer) enc_slice_struct_message(p *Properties, base structPointer) error {
- var state errorState
- s := structPointer_StructPointerSlice(base, p.field)
- l := s.Len()
-
- for i := 0; i < l; i++ {
- structp := s.Index(i)
- if structPointer_IsNil(structp) {
- return errRepeatedHasNil
- }
-
- // Can the object marshal itself?
- if p.isMarshaler {
- m := structPointer_Interface(structp, p.stype).(Marshaler)
- data, err := m.Marshal()
- if err != nil && !state.shouldContinue(err, nil) {
- return err
- }
- o.buf = append(o.buf, p.tagcode...)
- o.EncodeRawBytes(data)
- continue
- }
-
- o.buf = append(o.buf, p.tagcode...)
- err := o.enc_len_struct(p.sprop, structp, &state)
- if err != nil && !state.shouldContinue(err, nil) {
- if err == ErrNil {
- return errRepeatedHasNil
- }
- return err
- }
- }
- return state.err
-}
-
-func size_slice_struct_message(p *Properties, base structPointer) (n int) {
- s := structPointer_StructPointerSlice(base, p.field)
- l := s.Len()
- n += l * len(p.tagcode)
- for i := 0; i < l; i++ {
- structp := s.Index(i)
- if structPointer_IsNil(structp) {
- return // return the size up to this point
- }
-
- // Can the object marshal itself?
- if p.isMarshaler {
- m := structPointer_Interface(structp, p.stype).(Marshaler)
- data, _ := m.Marshal()
- n += len(p.tagcode)
- n += sizeRawBytes(data)
- continue
- }
-
- n0 := size_struct(p.sprop, structp)
- n1 := sizeVarint(uint64(n0)) // size of encoded length
- n += n0 + n1
- }
- return
-}
-
-// Encode a slice of group structs ([]*struct).
-func (o *Buffer) enc_slice_struct_group(p *Properties, base structPointer) error {
- var state errorState
- s := structPointer_StructPointerSlice(base, p.field)
- l := s.Len()
-
- for i := 0; i < l; i++ {
- b := s.Index(i)
- if structPointer_IsNil(b) {
- return errRepeatedHasNil
- }
-
- o.EncodeVarint(uint64((p.Tag << 3) | WireStartGroup))
-
- err := o.enc_struct(p.sprop, b)
-
- if err != nil && !state.shouldContinue(err, nil) {
- if err == ErrNil {
- return errRepeatedHasNil
- }
- return err
- }
-
- o.EncodeVarint(uint64((p.Tag << 3) | WireEndGroup))
- }
- return state.err
-}
-
-func size_slice_struct_group(p *Properties, base structPointer) (n int) {
- s := structPointer_StructPointerSlice(base, p.field)
- l := s.Len()
-
- n += l * sizeVarint(uint64((p.Tag<<3)|WireStartGroup))
- n += l * sizeVarint(uint64((p.Tag<<3)|WireEndGroup))
- for i := 0; i < l; i++ {
- b := s.Index(i)
- if structPointer_IsNil(b) {
- return // return size up to this point
- }
-
- n += size_struct(p.sprop, b)
- }
- return
-}
-
-// Encode an extension map.
-func (o *Buffer) enc_map(p *Properties, base structPointer) error {
- v := *structPointer_ExtMap(base, p.field)
- if err := encodeExtensionMap(v); err != nil {
- return err
- }
- // Fast-path for common cases: zero or one extensions.
- if len(v) <= 1 {
- for _, e := range v {
- o.buf = append(o.buf, e.enc...)
- }
- return nil
- }
-
- // Sort keys to provide a deterministic encoding.
- keys := make([]int, 0, len(v))
- for k := range v {
- keys = append(keys, int(k))
- }
- sort.Ints(keys)
-
- for _, k := range keys {
- o.buf = append(o.buf, v[int32(k)].enc...)
- }
- return nil
-}
-
-func size_map(p *Properties, base structPointer) int {
- v := *structPointer_ExtMap(base, p.field)
- return sizeExtensionMap(v)
-}
-
-// Encode a map field.
-func (o *Buffer) enc_new_map(p *Properties, base structPointer) error {
- var state errorState // XXX: or do we need to plumb this through?
-
- /*
- A map defined as
- map<key_type, value_type> map_field = N;
- is encoded in the same way as
- message MapFieldEntry {
- key_type key = 1;
- value_type value = 2;
- }
- repeated MapFieldEntry map_field = N;
- */
-
- v := structPointer_Map(base, p.field, p.mtype).Elem() // map[K]V
- if v.Len() == 0 {
- return nil
- }
-
- keycopy, valcopy, keybase, valbase := mapEncodeScratch(p.mtype)
-
- enc := func() error {
- if err := p.mkeyprop.enc(o, p.mkeyprop, keybase); err != nil {
- return err
- }
- if err := p.mvalprop.enc(o, p.mvalprop, valbase); err != nil {
- return err
- }
- return nil
- }
-
- keys := v.MapKeys()
- sort.Sort(mapKeys(keys))
- for _, key := range keys {
- val := v.MapIndex(key)
-
- keycopy.Set(key)
- valcopy.Set(val)
-
- o.buf = append(o.buf, p.tagcode...)
- if err := o.enc_len_thing(enc, &state); err != nil {
- return err
- }
- }
- return nil
-}
-
-func size_new_map(p *Properties, base structPointer) int {
- v := structPointer_Map(base, p.field, p.mtype).Elem() // map[K]V
-
- keycopy, valcopy, keybase, valbase := mapEncodeScratch(p.mtype)
-
- n := 0
- for _, key := range v.MapKeys() {
- val := v.MapIndex(key)
- keycopy.Set(key)
- valcopy.Set(val)
-
- // Tag codes are two bytes per map entry.
- n += 2
- n += p.mkeyprop.size(p.mkeyprop, keybase)
- n += p.mvalprop.size(p.mvalprop, valbase)
- }
- return n
-}
-
-// mapEncodeScratch returns a new reflect.Value matching the map's value type,
-// and a structPointer suitable for passing to an encoder or sizer.
-func mapEncodeScratch(mapType reflect.Type) (keycopy, valcopy reflect.Value, keybase, valbase structPointer) {
- // Prepare addressable doubly-indirect placeholders for the key and value types.
- // This is needed because the element-type encoders expect **T, but the map iteration produces T.
-
- keycopy = reflect.New(mapType.Key()).Elem() // addressable K
- keyptr := reflect.New(reflect.PtrTo(keycopy.Type())).Elem() // addressable *K
- keyptr.Set(keycopy.Addr()) //
- keybase = toStructPointer(keyptr.Addr()) // **K
-
- // Value types are more varied and require special handling.
- switch mapType.Elem().Kind() {
- case reflect.Slice:
- // []byte
- var dummy []byte
- valcopy = reflect.ValueOf(&dummy).Elem() // addressable []byte
- valbase = toStructPointer(valcopy.Addr())
- case reflect.Ptr:
- // message; the generated field type is map[K]*Msg (so V is *Msg),
- // so we only need one level of indirection.
- valcopy = reflect.New(mapType.Elem()).Elem() // addressable V
- valbase = toStructPointer(valcopy.Addr())
- default:
- // everything else
- valcopy = reflect.New(mapType.Elem()).Elem() // addressable V
- valptr := reflect.New(reflect.PtrTo(valcopy.Type())).Elem() // addressable *V
- valptr.Set(valcopy.Addr()) //
- valbase = toStructPointer(valptr.Addr()) // **V
- }
- return
-}
-
-// Encode a struct.
-func (o *Buffer) enc_struct(prop *StructProperties, base structPointer) error {
- var state errorState
- // Encode fields in tag order so that decoders may use optimizations
- // that depend on the ordering.
- // https://developers.google.com/protocol-buffers/docs/encoding#order
- for _, i := range prop.order {
- p := prop.Prop[i]
- if p.enc != nil {
- err := p.enc(o, p, base)
- if err != nil {
- if err == ErrNil {
- if p.Required && state.err == nil {
- state.err = &RequiredNotSetError{p.Name}
- }
- } else if err == errRepeatedHasNil {
- // Give more context to nil values in repeated fields.
- return errors.New("repeated field " + p.OrigName + " has nil element")
- } else if !state.shouldContinue(err, p) {
- return err
- }
- }
- }
- }
-
- // Add unrecognized fields at the end.
- if prop.unrecField.IsValid() {
- v := *structPointer_Bytes(base, prop.unrecField)
- if len(v) > 0 {
- o.buf = append(o.buf, v...)
- }
- }
-
- return state.err
-}
-
-func size_struct(prop *StructProperties, base structPointer) (n int) {
- for _, i := range prop.order {
- p := prop.Prop[i]
- if p.size != nil {
- n += p.size(p, base)
- }
- }
-
- // Add unrecognized fields at the end.
- if prop.unrecField.IsValid() {
- v := *structPointer_Bytes(base, prop.unrecField)
- n += len(v)
- }
-
- return
-}
-
-var zeroes [20]byte // longer than any conceivable sizeVarint
-
-// Encode a struct, preceded by its encoded length (as a varint).
-func (o *Buffer) enc_len_struct(prop *StructProperties, base structPointer, state *errorState) error {
- return o.enc_len_thing(func() error { return o.enc_struct(prop, base) }, state)
-}
-
-// Encode something, preceded by its encoded length (as a varint).
-func (o *Buffer) enc_len_thing(enc func() error, state *errorState) error {
- iLen := len(o.buf)
- o.buf = append(o.buf, 0, 0, 0, 0) // reserve four bytes for length
- iMsg := len(o.buf)
- err := enc()
- if err != nil && !state.shouldContinue(err, nil) {
- return err
- }
- lMsg := len(o.buf) - iMsg
- lLen := sizeVarint(uint64(lMsg))
- switch x := lLen - (iMsg - iLen); {
- case x > 0: // actual length is x bytes larger than the space we reserved
- // Move msg x bytes right.
- o.buf = append(o.buf, zeroes[:x]...)
- copy(o.buf[iMsg+x:], o.buf[iMsg:iMsg+lMsg])
- case x < 0: // actual length is x bytes smaller than the space we reserved
- // Move msg x bytes left.
- copy(o.buf[iMsg+x:], o.buf[iMsg:iMsg+lMsg])
- o.buf = o.buf[:len(o.buf)+x] // x is negative
- }
- // Encode the length in the reserved space.
- o.buf = o.buf[:iLen]
- o.EncodeVarint(uint64(lMsg))
- o.buf = o.buf[:len(o.buf)+lMsg]
- return state.err
-}
-
-// errorState maintains the first error that occurs and updates that error
-// with additional context.
-type errorState struct {
- err error
-}
-
-// shouldContinue reports whether encoding should continue upon encountering the
-// given error. If the error is RequiredNotSetError, shouldContinue returns true
-// and, if this is the first appearance of that error, remembers it for future
-// reporting.
-//
-// If prop is not nil, it may update any error with additional context about the
-// field with the error.
-func (s *errorState) shouldContinue(err error, prop *Properties) bool {
- // Ignore unset required fields.
- reqNotSet, ok := err.(*RequiredNotSetError)
- if !ok {
- return false
- }
- if s.err == nil {
- if prop != nil {
- err = &RequiredNotSetError{prop.Name + "." + reqNotSet.field}
- }
- s.err = err
- }
- return true
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/golang/protobuf/proto/equal.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/golang/protobuf/proto/equal.go
deleted file mode 100644
index d8673a3e97aef00f2becedba88ed12e6fcb6ee57..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/golang/protobuf/proto/equal.go
+++ /dev/null
@@ -1,256 +0,0 @@
-// Go support for Protocol Buffers - Google's data interchange format
-//
-// Copyright 2011 The Go Authors. All rights reserved.
-// https://github.com/golang/protobuf
-//
-// Redistribution and use in source and binary forms, with or without
-// modification, are permitted provided that the following conditions are
-// met:
-//
-// * Redistributions of source code must retain the above copyright
-// notice, this list of conditions and the following disclaimer.
-// * Redistributions in binary form must reproduce the above
-// copyright notice, this list of conditions and the following disclaimer
-// in the documentation and/or other materials provided with the
-// distribution.
-// * Neither the name of Google Inc. nor the names of its
-// contributors may be used to endorse or promote products derived from
-// this software without specific prior written permission.
-//
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
-// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
-// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
-// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-// Protocol buffer comparison.
-// TODO: MessageSet.
-
-package proto
-
-import (
- "bytes"
- "log"
- "reflect"
- "strings"
-)
-
-/*
-Equal returns true iff protocol buffers a and b are equal.
-The arguments must both be pointers to protocol buffer structs.
-
-Equality is defined in this way:
- - Two messages are equal iff they are the same type,
- corresponding fields are equal, unknown field sets
- are equal, and extensions sets are equal.
- - Two set scalar fields are equal iff their values are equal.
- If the fields are of a floating-point type, remember that
- NaN != x for all x, including NaN.
- - Two repeated fields are equal iff their lengths are the same,
- and their corresponding elements are equal (a "bytes" field,
- although represented by []byte, is not a repeated field)
- - Two unset fields are equal.
- - Two unknown field sets are equal if their current
- encoded state is equal.
- - Two extension sets are equal iff they have corresponding
- elements that are pairwise equal.
- - Every other combination of things are not equal.
-
-The return value is undefined if a and b are not protocol buffers.
-*/
-func Equal(a, b Message) bool {
- if a == nil || b == nil {
- return a == b
- }
- v1, v2 := reflect.ValueOf(a), reflect.ValueOf(b)
- if v1.Type() != v2.Type() {
- return false
- }
- if v1.Kind() == reflect.Ptr {
- if v1.IsNil() {
- return v2.IsNil()
- }
- if v2.IsNil() {
- return false
- }
- v1, v2 = v1.Elem(), v2.Elem()
- }
- if v1.Kind() != reflect.Struct {
- return false
- }
- return equalStruct(v1, v2)
-}
-
-// v1 and v2 are known to have the same type.
-func equalStruct(v1, v2 reflect.Value) bool {
- for i := 0; i < v1.NumField(); i++ {
- f := v1.Type().Field(i)
- if strings.HasPrefix(f.Name, "XXX_") {
- continue
- }
- f1, f2 := v1.Field(i), v2.Field(i)
- if f.Type.Kind() == reflect.Ptr {
- if n1, n2 := f1.IsNil(), f2.IsNil(); n1 && n2 {
- // both unset
- continue
- } else if n1 != n2 {
- // set/unset mismatch
- return false
- }
- b1, ok := f1.Interface().(raw)
- if ok {
- b2 := f2.Interface().(raw)
- // RawMessage
- if !bytes.Equal(b1.Bytes(), b2.Bytes()) {
- return false
- }
- continue
- }
- f1, f2 = f1.Elem(), f2.Elem()
- }
- if !equalAny(f1, f2) {
- return false
- }
- }
-
- if em1 := v1.FieldByName("XXX_extensions"); em1.IsValid() {
- em2 := v2.FieldByName("XXX_extensions")
- if !equalExtensions(v1.Type(), em1.Interface().(map[int32]Extension), em2.Interface().(map[int32]Extension)) {
- return false
- }
- }
-
- uf := v1.FieldByName("XXX_unrecognized")
- if !uf.IsValid() {
- return true
- }
-
- u1 := uf.Bytes()
- u2 := v2.FieldByName("XXX_unrecognized").Bytes()
- if !bytes.Equal(u1, u2) {
- return false
- }
-
- return true
-}
-
-// v1 and v2 are known to have the same type.
-func equalAny(v1, v2 reflect.Value) bool {
- if v1.Type() == protoMessageType {
- m1, _ := v1.Interface().(Message)
- m2, _ := v2.Interface().(Message)
- return Equal(m1, m2)
- }
- switch v1.Kind() {
- case reflect.Bool:
- return v1.Bool() == v2.Bool()
- case reflect.Float32, reflect.Float64:
- return v1.Float() == v2.Float()
- case reflect.Int32, reflect.Int64:
- return v1.Int() == v2.Int()
- case reflect.Map:
- if v1.Len() != v2.Len() {
- return false
- }
- for _, key := range v1.MapKeys() {
- val2 := v2.MapIndex(key)
- if !val2.IsValid() {
- // This key was not found in the second map.
- return false
- }
- if !equalAny(v1.MapIndex(key), val2) {
- return false
- }
- }
- return true
- case reflect.Ptr:
- return equalAny(v1.Elem(), v2.Elem())
- case reflect.Slice:
- if v1.Type().Elem().Kind() == reflect.Uint8 {
- // short circuit: []byte
- if v1.IsNil() != v2.IsNil() {
- return false
- }
- return bytes.Equal(v1.Interface().([]byte), v2.Interface().([]byte))
- }
-
- if v1.Len() != v2.Len() {
- return false
- }
- for i := 0; i < v1.Len(); i++ {
- if !equalAny(v1.Index(i), v2.Index(i)) {
- return false
- }
- }
- return true
- case reflect.String:
- return v1.Interface().(string) == v2.Interface().(string)
- case reflect.Struct:
- return equalStruct(v1, v2)
- case reflect.Uint32, reflect.Uint64:
- return v1.Uint() == v2.Uint()
- }
-
- // unknown type, so not a protocol buffer
- log.Printf("proto: don't know how to compare %v", v1)
- return false
-}
-
-// base is the struct type that the extensions are based on.
-// em1 and em2 are extension maps.
-func equalExtensions(base reflect.Type, em1, em2 map[int32]Extension) bool {
- if len(em1) != len(em2) {
- return false
- }
-
- for extNum, e1 := range em1 {
- e2, ok := em2[extNum]
- if !ok {
- return false
- }
-
- m1, m2 := e1.value, e2.value
-
- if m1 != nil && m2 != nil {
- // Both are unencoded.
- if !equalAny(reflect.ValueOf(m1), reflect.ValueOf(m2)) {
- return false
- }
- continue
- }
-
- // At least one is encoded. To do a semantically correct comparison
- // we need to unmarshal them first.
- var desc *ExtensionDesc
- if m := extensionMaps[base]; m != nil {
- desc = m[extNum]
- }
- if desc == nil {
- log.Printf("proto: don't know how to compare extension %d of %v", extNum, base)
- continue
- }
- var err error
- if m1 == nil {
- m1, err = decodeExtension(e1.enc, desc)
- }
- if m2 == nil && err == nil {
- m2, err = decodeExtension(e2.enc, desc)
- }
- if err != nil {
- // The encoded form is invalid.
- log.Printf("proto: badly encoded extension %d of %v: %v", extNum, base, err)
- return false
- }
- if !equalAny(reflect.ValueOf(m1), reflect.ValueOf(m2)) {
- return false
- }
- }
-
- return true
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/golang/protobuf/proto/extensions.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/golang/protobuf/proto/extensions.go
deleted file mode 100644
index 5f62dff2474863632742a26a8c225590b47413f2..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/golang/protobuf/proto/extensions.go
+++ /dev/null
@@ -1,362 +0,0 @@
-// Go support for Protocol Buffers - Google's data interchange format
-//
-// Copyright 2010 The Go Authors. All rights reserved.
-// https://github.com/golang/protobuf
-//
-// Redistribution and use in source and binary forms, with or without
-// modification, are permitted provided that the following conditions are
-// met:
-//
-// * Redistributions of source code must retain the above copyright
-// notice, this list of conditions and the following disclaimer.
-// * Redistributions in binary form must reproduce the above
-// copyright notice, this list of conditions and the following disclaimer
-// in the documentation and/or other materials provided with the
-// distribution.
-// * Neither the name of Google Inc. nor the names of its
-// contributors may be used to endorse or promote products derived from
-// this software without specific prior written permission.
-//
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
-// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
-// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
-// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-package proto
-
-/*
- * Types and routines for supporting protocol buffer extensions.
- */
-
-import (
- "errors"
- "fmt"
- "reflect"
- "strconv"
- "sync"
-)
-
-// ErrMissingExtension is the error returned by GetExtension if the named extension is not in the message.
-var ErrMissingExtension = errors.New("proto: missing extension")
-
-// ExtensionRange represents a range of message extensions for a protocol buffer.
-// Used in code generated by the protocol compiler.
-type ExtensionRange struct {
- Start, End int32 // both inclusive
-}
-
-// extendableProto is an interface implemented by any protocol buffer that may be extended.
-type extendableProto interface {
- Message
- ExtensionRangeArray() []ExtensionRange
- ExtensionMap() map[int32]Extension
-}
-
-var extendableProtoType = reflect.TypeOf((*extendableProto)(nil)).Elem()
-
-// ExtensionDesc represents an extension specification.
-// Used in generated code from the protocol compiler.
-type ExtensionDesc struct {
- ExtendedType Message // nil pointer to the type that is being extended
- ExtensionType interface{} // nil pointer to the extension type
- Field int32 // field number
- Name string // fully-qualified name of extension, for text formatting
- Tag string // protobuf tag style
-}
-
-func (ed *ExtensionDesc) repeated() bool {
- t := reflect.TypeOf(ed.ExtensionType)
- return t.Kind() == reflect.Slice && t.Elem().Kind() != reflect.Uint8
-}
-
-// Extension represents an extension in a message.
-type Extension struct {
- // When an extension is stored in a message using SetExtension
- // only desc and value are set. When the message is marshaled
- // enc will be set to the encoded form of the message.
- //
- // When a message is unmarshaled and contains extensions, each
- // extension will have only enc set. When such an extension is
- // accessed using GetExtension (or GetExtensions) desc and value
- // will be set.
- desc *ExtensionDesc
- value interface{}
- enc []byte
-}
-
-// SetRawExtension is for testing only.
-func SetRawExtension(base extendableProto, id int32, b []byte) {
- base.ExtensionMap()[id] = Extension{enc: b}
-}
-
-// isExtensionField returns true iff the given field number is in an extension range.
-func isExtensionField(pb extendableProto, field int32) bool {
- for _, er := range pb.ExtensionRangeArray() {
- if er.Start <= field && field <= er.End {
- return true
- }
- }
- return false
-}
-
-// checkExtensionTypes checks that the given extension is valid for pb.
-func checkExtensionTypes(pb extendableProto, extension *ExtensionDesc) error {
- // Check the extended type.
- if a, b := reflect.TypeOf(pb), reflect.TypeOf(extension.ExtendedType); a != b {
- return errors.New("proto: bad extended type; " + b.String() + " does not extend " + a.String())
- }
- // Check the range.
- if !isExtensionField(pb, extension.Field) {
- return errors.New("proto: bad extension number; not in declared ranges")
- }
- return nil
-}
-
-// extPropKey is sufficient to uniquely identify an extension.
-type extPropKey struct {
- base reflect.Type
- field int32
-}
-
-var extProp = struct {
- sync.RWMutex
- m map[extPropKey]*Properties
-}{
- m: make(map[extPropKey]*Properties),
-}
-
-func extensionProperties(ed *ExtensionDesc) *Properties {
- key := extPropKey{base: reflect.TypeOf(ed.ExtendedType), field: ed.Field}
-
- extProp.RLock()
- if prop, ok := extProp.m[key]; ok {
- extProp.RUnlock()
- return prop
- }
- extProp.RUnlock()
-
- extProp.Lock()
- defer extProp.Unlock()
- // Check again.
- if prop, ok := extProp.m[key]; ok {
- return prop
- }
-
- prop := new(Properties)
- prop.Init(reflect.TypeOf(ed.ExtensionType), "unknown_name", ed.Tag, nil)
- extProp.m[key] = prop
- return prop
-}
-
-// encodeExtensionMap encodes any unmarshaled (unencoded) extensions in m.
-func encodeExtensionMap(m map[int32]Extension) error {
- for k, e := range m {
- if e.value == nil || e.desc == nil {
- // Extension is only in its encoded form.
- continue
- }
-
- // We don't skip extensions that have an encoded form set,
- // because the extension value may have been mutated after
- // the last time this function was called.
-
- et := reflect.TypeOf(e.desc.ExtensionType)
- props := extensionProperties(e.desc)
-
- p := NewBuffer(nil)
- // If e.value has type T, the encoder expects a *struct{ X T }.
- // Pass a *T with a zero field and hope it all works out.
- x := reflect.New(et)
- x.Elem().Set(reflect.ValueOf(e.value))
- if err := props.enc(p, props, toStructPointer(x)); err != nil {
- return err
- }
- e.enc = p.buf
- m[k] = e
- }
- return nil
-}
-
-func sizeExtensionMap(m map[int32]Extension) (n int) {
- for _, e := range m {
- if e.value == nil || e.desc == nil {
- // Extension is only in its encoded form.
- n += len(e.enc)
- continue
- }
-
- // We don't skip extensions that have an encoded form set,
- // because the extension value may have been mutated after
- // the last time this function was called.
-
- et := reflect.TypeOf(e.desc.ExtensionType)
- props := extensionProperties(e.desc)
-
- // If e.value has type T, the encoder expects a *struct{ X T }.
- // Pass a *T with a zero field and hope it all works out.
- x := reflect.New(et)
- x.Elem().Set(reflect.ValueOf(e.value))
- n += props.size(props, toStructPointer(x))
- }
- return
-}
-
-// HasExtension returns whether the given extension is present in pb.
-func HasExtension(pb extendableProto, extension *ExtensionDesc) bool {
- // TODO: Check types, field numbers, etc.?
- _, ok := pb.ExtensionMap()[extension.Field]
- return ok
-}
-
-// ClearExtension removes the given extension from pb.
-func ClearExtension(pb extendableProto, extension *ExtensionDesc) {
- // TODO: Check types, field numbers, etc.?
- delete(pb.ExtensionMap(), extension.Field)
-}
-
-// GetExtension parses and returns the given extension of pb.
-// If the extension is not present it returns ErrMissingExtension.
-func GetExtension(pb extendableProto, extension *ExtensionDesc) (interface{}, error) {
- if err := checkExtensionTypes(pb, extension); err != nil {
- return nil, err
- }
-
- emap := pb.ExtensionMap()
- e, ok := emap[extension.Field]
- if !ok {
- return nil, ErrMissingExtension
- }
- if e.value != nil {
- // Already decoded. Check the descriptor, though.
- if e.desc != extension {
- // This shouldn't happen. If it does, it means that
- // GetExtension was called twice with two different
- // descriptors with the same field number.
- return nil, errors.New("proto: descriptor conflict")
- }
- return e.value, nil
- }
-
- v, err := decodeExtension(e.enc, extension)
- if err != nil {
- return nil, err
- }
-
- // Remember the decoded version and drop the encoded version.
- // That way it is safe to mutate what we return.
- e.value = v
- e.desc = extension
- e.enc = nil
- emap[extension.Field] = e
- return e.value, nil
-}
-
-// decodeExtension decodes an extension encoded in b.
-func decodeExtension(b []byte, extension *ExtensionDesc) (interface{}, error) {
- o := NewBuffer(b)
-
- t := reflect.TypeOf(extension.ExtensionType)
- rep := extension.repeated()
-
- props := extensionProperties(extension)
-
- // t is a pointer to a struct, pointer to basic type or a slice.
- // Allocate a "field" to store the pointer/slice itself; the
- // pointer/slice will be stored here. We pass
- // the address of this field to props.dec.
- // This passes a zero field and a *t and lets props.dec
- // interpret it as a *struct{ x t }.
- value := reflect.New(t).Elem()
-
- for {
- // Discard wire type and field number varint. It isn't needed.
- if _, err := o.DecodeVarint(); err != nil {
- return nil, err
- }
-
- if err := props.dec(o, props, toStructPointer(value.Addr())); err != nil {
- return nil, err
- }
-
- if !rep || o.index >= len(o.buf) {
- break
- }
- }
- return value.Interface(), nil
-}
-
-// GetExtensions returns a slice of the extensions present in pb that are also listed in es.
-// The returned slice has the same length as es; missing extensions will appear as nil elements.
-func GetExtensions(pb Message, es []*ExtensionDesc) (extensions []interface{}, err error) {
- epb, ok := pb.(extendableProto)
- if !ok {
- err = errors.New("proto: not an extendable proto")
- return
- }
- extensions = make([]interface{}, len(es))
- for i, e := range es {
- extensions[i], err = GetExtension(epb, e)
- if err == ErrMissingExtension {
- err = nil
- }
- if err != nil {
- return
- }
- }
- return
-}
-
-// SetExtension sets the specified extension of pb to the specified value.
-func SetExtension(pb extendableProto, extension *ExtensionDesc, value interface{}) error {
- if err := checkExtensionTypes(pb, extension); err != nil {
- return err
- }
- typ := reflect.TypeOf(extension.ExtensionType)
- if typ != reflect.TypeOf(value) {
- return errors.New("proto: bad extension value type")
- }
- // nil extension values need to be caught early, because the
- // encoder can't distinguish an ErrNil due to a nil extension
- // from an ErrNil due to a missing field. Extensions are
- // always optional, so the encoder would just swallow the error
- // and drop all the extensions from the encoded message.
- if reflect.ValueOf(value).IsNil() {
- return fmt.Errorf("proto: SetExtension called with nil value of type %T", value)
- }
-
- pb.ExtensionMap()[extension.Field] = Extension{desc: extension, value: value}
- return nil
-}
-
-// A global registry of extensions.
-// The generated code will register the generated descriptors by calling RegisterExtension.
-
-var extensionMaps = make(map[reflect.Type]map[int32]*ExtensionDesc)
-
-// RegisterExtension is called from the generated code.
-func RegisterExtension(desc *ExtensionDesc) {
- st := reflect.TypeOf(desc.ExtendedType).Elem()
- m := extensionMaps[st]
- if m == nil {
- m = make(map[int32]*ExtensionDesc)
- extensionMaps[st] = m
- }
- if _, ok := m[desc.Field]; ok {
- panic("proto: duplicate extension registered: " + st.String() + " " + strconv.Itoa(int(desc.Field)))
- }
- m[desc.Field] = desc
-}
-
-// RegisteredExtensions returns a map of the registered extensions of a
-// protocol buffer struct, indexed by the extension number.
-// The argument pb should be a nil pointer to the struct type.
-func RegisteredExtensions(pb Message) map[int32]*ExtensionDesc {
- return extensionMaps[reflect.TypeOf(pb).Elem()]
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/golang/protobuf/proto/lib.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/golang/protobuf/proto/lib.go
deleted file mode 100644
index f81052f2aeb11e2711eccfe6649dddfc732469e4..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/golang/protobuf/proto/lib.go
+++ /dev/null
@@ -1,759 +0,0 @@
-// Go support for Protocol Buffers - Google's data interchange format
-//
-// Copyright 2010 The Go Authors. All rights reserved.
-// https://github.com/golang/protobuf
-//
-// Redistribution and use in source and binary forms, with or without
-// modification, are permitted provided that the following conditions are
-// met:
-//
-// * Redistributions of source code must retain the above copyright
-// notice, this list of conditions and the following disclaimer.
-// * Redistributions in binary form must reproduce the above
-// copyright notice, this list of conditions and the following disclaimer
-// in the documentation and/or other materials provided with the
-// distribution.
-// * Neither the name of Google Inc. nor the names of its
-// contributors may be used to endorse or promote products derived from
-// this software without specific prior written permission.
-//
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
-// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
-// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
-// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-/*
- Package proto converts data structures to and from the wire format of
- protocol buffers. It works in concert with the Go source code generated
- for .proto files by the protocol compiler.
-
- A summary of the properties of the protocol buffer interface
- for a protocol buffer variable v:
-
- - Names are turned from camel_case to CamelCase for export.
- - There are no methods on v to set fields; just treat
- them as structure fields.
- - There are getters that return a field's value if set,
- and return the field's default value if unset.
- The getters work even if the receiver is a nil message.
- - The zero value for a struct is its correct initialization state.
- All desired fields must be set before marshaling.
- - A Reset() method will restore a protobuf struct to its zero state.
- - Non-repeated fields are pointers to the values; nil means unset.
- That is, optional or required field int32 f becomes F *int32.
- - Repeated fields are slices.
- - Helper functions are available to aid the setting of fields.
- msg.Foo = proto.String("hello") // set field
- - Constants are defined to hold the default values of all fields that
- have them. They have the form Default_StructName_FieldName.
- Because the getter methods handle defaulted values,
- direct use of these constants should be rare.
- - Enums are given type names and maps from names to values.
- Enum values are prefixed by the enclosing message's name, or by the
- enum's type name if it is a top-level enum. Enum types have a String
- method, and a Enum method to assist in message construction.
- - Nested messages, groups and enums have type names prefixed with the name of
- the surrounding message type.
- - Extensions are given descriptor names that start with E_,
- followed by an underscore-delimited list of the nested messages
- that contain it (if any) followed by the CamelCased name of the
- extension field itself. HasExtension, ClearExtension, GetExtension
- and SetExtension are functions for manipulating extensions.
- - Marshal and Unmarshal are functions to encode and decode the wire format.
-
- The simplest way to describe this is to see an example.
- Given file test.proto, containing
-
- package example;
-
- enum FOO { X = 17; }
-
- message Test {
- required string label = 1;
- optional int32 type = 2 [default=77];
- repeated int64 reps = 3;
- optional group OptionalGroup = 4 {
- required string RequiredField = 5;
- }
- }
-
- The resulting file, test.pb.go, is:
-
- package example
-
- import proto "github.com/golang/protobuf/proto"
- import math "math"
-
- type FOO int32
- const (
- FOO_X FOO = 17
- )
- var FOO_name = map[int32]string{
- 17: "X",
- }
- var FOO_value = map[string]int32{
- "X": 17,
- }
-
- func (x FOO) Enum() *FOO {
- p := new(FOO)
- *p = x
- return p
- }
- func (x FOO) String() string {
- return proto.EnumName(FOO_name, int32(x))
- }
- func (x *FOO) UnmarshalJSON(data []byte) error {
- value, err := proto.UnmarshalJSONEnum(FOO_value, data)
- if err != nil {
- return err
- }
- *x = FOO(value)
- return nil
- }
-
- type Test struct {
- Label *string `protobuf:"bytes,1,req,name=label" json:"label,omitempty"`
- Type *int32 `protobuf:"varint,2,opt,name=type,def=77" json:"type,omitempty"`
- Reps []int64 `protobuf:"varint,3,rep,name=reps" json:"reps,omitempty"`
- Optionalgroup *Test_OptionalGroup `protobuf:"group,4,opt,name=OptionalGroup" json:"optionalgroup,omitempty"`
- XXX_unrecognized []byte `json:"-"`
- }
- func (m *Test) Reset() { *m = Test{} }
- func (m *Test) String() string { return proto.CompactTextString(m) }
- func (*Test) ProtoMessage() {}
- const Default_Test_Type int32 = 77
-
- func (m *Test) GetLabel() string {
- if m != nil && m.Label != nil {
- return *m.Label
- }
- return ""
- }
-
- func (m *Test) GetType() int32 {
- if m != nil && m.Type != nil {
- return *m.Type
- }
- return Default_Test_Type
- }
-
- func (m *Test) GetOptionalgroup() *Test_OptionalGroup {
- if m != nil {
- return m.Optionalgroup
- }
- return nil
- }
-
- type Test_OptionalGroup struct {
- RequiredField *string `protobuf:"bytes,5,req" json:"RequiredField,omitempty"`
- }
- func (m *Test_OptionalGroup) Reset() { *m = Test_OptionalGroup{} }
- func (m *Test_OptionalGroup) String() string { return proto.CompactTextString(m) }
-
- func (m *Test_OptionalGroup) GetRequiredField() string {
- if m != nil && m.RequiredField != nil {
- return *m.RequiredField
- }
- return ""
- }
-
- func init() {
- proto.RegisterEnum("example.FOO", FOO_name, FOO_value)
- }
-
- To create and play with a Test object:
-
- package main
-
- import (
- "log"
-
- "github.com/golang/protobuf/proto"
- pb "./example.pb"
- )
-
- func main() {
- test := &pb.Test{
- Label: proto.String("hello"),
- Type: proto.Int32(17),
- Optionalgroup: &pb.Test_OptionalGroup{
- RequiredField: proto.String("good bye"),
- },
- }
- data, err := proto.Marshal(test)
- if err != nil {
- log.Fatal("marshaling error: ", err)
- }
- newTest := &pb.Test{}
- err = proto.Unmarshal(data, newTest)
- if err != nil {
- log.Fatal("unmarshaling error: ", err)
- }
- // Now test and newTest contain the same data.
- if test.GetLabel() != newTest.GetLabel() {
- log.Fatalf("data mismatch %q != %q", test.GetLabel(), newTest.GetLabel())
- }
- // etc.
- }
-*/
-package proto
-
-import (
- "encoding/json"
- "fmt"
- "log"
- "reflect"
- "strconv"
- "sync"
-)
-
-// Message is implemented by generated protocol buffer messages.
-type Message interface {
- Reset()
- String() string
- ProtoMessage()
-}
-
-// Stats records allocation details about the protocol buffer encoders
-// and decoders. Useful for tuning the library itself.
-type Stats struct {
- Emalloc uint64 // mallocs in encode
- Dmalloc uint64 // mallocs in decode
- Encode uint64 // number of encodes
- Decode uint64 // number of decodes
- Chit uint64 // number of cache hits
- Cmiss uint64 // number of cache misses
- Size uint64 // number of sizes
-}
-
-// Set to true to enable stats collection.
-const collectStats = false
-
-var stats Stats
-
-// GetStats returns a copy of the global Stats structure.
-func GetStats() Stats { return stats }
-
-// A Buffer is a buffer manager for marshaling and unmarshaling
-// protocol buffers. It may be reused between invocations to
-// reduce memory usage. It is not necessary to use a Buffer;
-// the global functions Marshal and Unmarshal create a
-// temporary Buffer and are fine for most applications.
-type Buffer struct {
- buf []byte // encode/decode byte stream
- index int // write point
-
- // pools of basic types to amortize allocation.
- bools []bool
- uint32s []uint32
- uint64s []uint64
-
- // extra pools, only used with pointer_reflect.go
- int32s []int32
- int64s []int64
- float32s []float32
- float64s []float64
-}
-
-// NewBuffer allocates a new Buffer and initializes its internal data to
-// the contents of the argument slice.
-func NewBuffer(e []byte) *Buffer {
- return &Buffer{buf: e}
-}
-
-// Reset resets the Buffer, ready for marshaling a new protocol buffer.
-func (p *Buffer) Reset() {
- p.buf = p.buf[0:0] // for reading/writing
- p.index = 0 // for reading
-}
-
-// SetBuf replaces the internal buffer with the slice,
-// ready for unmarshaling the contents of the slice.
-func (p *Buffer) SetBuf(s []byte) {
- p.buf = s
- p.index = 0
-}
-
-// Bytes returns the contents of the Buffer.
-func (p *Buffer) Bytes() []byte { return p.buf }
-
-/*
- * Helper routines for simplifying the creation of optional fields of basic type.
- */
-
-// Bool is a helper routine that allocates a new bool value
-// to store v and returns a pointer to it.
-func Bool(v bool) *bool {
- return &v
-}
-
-// Int32 is a helper routine that allocates a new int32 value
-// to store v and returns a pointer to it.
-func Int32(v int32) *int32 {
- return &v
-}
-
-// Int is a helper routine that allocates a new int32 value
-// to store v and returns a pointer to it, but unlike Int32
-// its argument value is an int.
-func Int(v int) *int32 {
- p := new(int32)
- *p = int32(v)
- return p
-}
-
-// Int64 is a helper routine that allocates a new int64 value
-// to store v and returns a pointer to it.
-func Int64(v int64) *int64 {
- return &v
-}
-
-// Float32 is a helper routine that allocates a new float32 value
-// to store v and returns a pointer to it.
-func Float32(v float32) *float32 {
- return &v
-}
-
-// Float64 is a helper routine that allocates a new float64 value
-// to store v and returns a pointer to it.
-func Float64(v float64) *float64 {
- return &v
-}
-
-// Uint32 is a helper routine that allocates a new uint32 value
-// to store v and returns a pointer to it.
-func Uint32(v uint32) *uint32 {
- return &v
-}
-
-// Uint64 is a helper routine that allocates a new uint64 value
-// to store v and returns a pointer to it.
-func Uint64(v uint64) *uint64 {
- return &v
-}
-
-// String is a helper routine that allocates a new string value
-// to store v and returns a pointer to it.
-func String(v string) *string {
- return &v
-}
-
-// EnumName is a helper function to simplify printing protocol buffer enums
-// by name. Given an enum map and a value, it returns a useful string.
-func EnumName(m map[int32]string, v int32) string {
- s, ok := m[v]
- if ok {
- return s
- }
- return strconv.Itoa(int(v))
-}
-
-// UnmarshalJSONEnum is a helper function to simplify recovering enum int values
-// from their JSON-encoded representation. Given a map from the enum's symbolic
-// names to its int values, and a byte buffer containing the JSON-encoded
-// value, it returns an int32 that can be cast to the enum type by the caller.
-//
-// The function can deal with both JSON representations, numeric and symbolic.
-func UnmarshalJSONEnum(m map[string]int32, data []byte, enumName string) (int32, error) {
- if data[0] == '"' {
- // New style: enums are strings.
- var repr string
- if err := json.Unmarshal(data, &repr); err != nil {
- return -1, err
- }
- val, ok := m[repr]
- if !ok {
- return 0, fmt.Errorf("unrecognized enum %s value %q", enumName, repr)
- }
- return val, nil
- }
- // Old style: enums are ints.
- var val int32
- if err := json.Unmarshal(data, &val); err != nil {
- return 0, fmt.Errorf("cannot unmarshal %#q into enum %s", data, enumName)
- }
- return val, nil
-}
-
-// DebugPrint dumps the encoded data in b in a debugging format with a header
-// including the string s. Used in testing but made available for general debugging.
-func (o *Buffer) DebugPrint(s string, b []byte) {
- var u uint64
-
- obuf := o.buf
- index := o.index
- o.buf = b
- o.index = 0
- depth := 0
-
- fmt.Printf("\n--- %s ---\n", s)
-
-out:
- for {
- for i := 0; i < depth; i++ {
- fmt.Print(" ")
- }
-
- index := o.index
- if index == len(o.buf) {
- break
- }
-
- op, err := o.DecodeVarint()
- if err != nil {
- fmt.Printf("%3d: fetching op err %v\n", index, err)
- break out
- }
- tag := op >> 3
- wire := op & 7
-
- switch wire {
- default:
- fmt.Printf("%3d: t=%3d unknown wire=%d\n",
- index, tag, wire)
- break out
-
- case WireBytes:
- var r []byte
-
- r, err = o.DecodeRawBytes(false)
- if err != nil {
- break out
- }
- fmt.Printf("%3d: t=%3d bytes [%d]", index, tag, len(r))
- if len(r) <= 6 {
- for i := 0; i < len(r); i++ {
- fmt.Printf(" %.2x", r[i])
- }
- } else {
- for i := 0; i < 3; i++ {
- fmt.Printf(" %.2x", r[i])
- }
- fmt.Printf(" ..")
- for i := len(r) - 3; i < len(r); i++ {
- fmt.Printf(" %.2x", r[i])
- }
- }
- fmt.Printf("\n")
-
- case WireFixed32:
- u, err = o.DecodeFixed32()
- if err != nil {
- fmt.Printf("%3d: t=%3d fix32 err %v\n", index, tag, err)
- break out
- }
- fmt.Printf("%3d: t=%3d fix32 %d\n", index, tag, u)
-
- case WireFixed64:
- u, err = o.DecodeFixed64()
- if err != nil {
- fmt.Printf("%3d: t=%3d fix64 err %v\n", index, tag, err)
- break out
- }
- fmt.Printf("%3d: t=%3d fix64 %d\n", index, tag, u)
- break
-
- case WireVarint:
- u, err = o.DecodeVarint()
- if err != nil {
- fmt.Printf("%3d: t=%3d varint err %v\n", index, tag, err)
- break out
- }
- fmt.Printf("%3d: t=%3d varint %d\n", index, tag, u)
-
- case WireStartGroup:
- if err != nil {
- fmt.Printf("%3d: t=%3d start err %v\n", index, tag, err)
- break out
- }
- fmt.Printf("%3d: t=%3d start\n", index, tag)
- depth++
-
- case WireEndGroup:
- depth--
- if err != nil {
- fmt.Printf("%3d: t=%3d end err %v\n", index, tag, err)
- break out
- }
- fmt.Printf("%3d: t=%3d end\n", index, tag)
- }
- }
-
- if depth != 0 {
- fmt.Printf("%3d: start-end not balanced %d\n", o.index, depth)
- }
- fmt.Printf("\n")
-
- o.buf = obuf
- o.index = index
-}
-
-// SetDefaults sets unset protocol buffer fields to their default values.
-// It only modifies fields that are both unset and have defined defaults.
-// It recursively sets default values in any non-nil sub-messages.
-func SetDefaults(pb Message) {
- setDefaults(reflect.ValueOf(pb), true, false)
-}
-
-// v is a pointer to a struct.
-func setDefaults(v reflect.Value, recur, zeros bool) {
- v = v.Elem()
-
- defaultMu.RLock()
- dm, ok := defaults[v.Type()]
- defaultMu.RUnlock()
- if !ok {
- dm = buildDefaultMessage(v.Type())
- defaultMu.Lock()
- defaults[v.Type()] = dm
- defaultMu.Unlock()
- }
-
- for _, sf := range dm.scalars {
- f := v.Field(sf.index)
- if !f.IsNil() {
- // field already set
- continue
- }
- dv := sf.value
- if dv == nil && !zeros {
- // no explicit default, and don't want to set zeros
- continue
- }
- fptr := f.Addr().Interface() // **T
- // TODO: Consider batching the allocations we do here.
- switch sf.kind {
- case reflect.Bool:
- b := new(bool)
- if dv != nil {
- *b = dv.(bool)
- }
- *(fptr.(**bool)) = b
- case reflect.Float32:
- f := new(float32)
- if dv != nil {
- *f = dv.(float32)
- }
- *(fptr.(**float32)) = f
- case reflect.Float64:
- f := new(float64)
- if dv != nil {
- *f = dv.(float64)
- }
- *(fptr.(**float64)) = f
- case reflect.Int32:
- // might be an enum
- if ft := f.Type(); ft != int32PtrType {
- // enum
- f.Set(reflect.New(ft.Elem()))
- if dv != nil {
- f.Elem().SetInt(int64(dv.(int32)))
- }
- } else {
- // int32 field
- i := new(int32)
- if dv != nil {
- *i = dv.(int32)
- }
- *(fptr.(**int32)) = i
- }
- case reflect.Int64:
- i := new(int64)
- if dv != nil {
- *i = dv.(int64)
- }
- *(fptr.(**int64)) = i
- case reflect.String:
- s := new(string)
- if dv != nil {
- *s = dv.(string)
- }
- *(fptr.(**string)) = s
- case reflect.Uint8:
- // exceptional case: []byte
- var b []byte
- if dv != nil {
- db := dv.([]byte)
- b = make([]byte, len(db))
- copy(b, db)
- } else {
- b = []byte{}
- }
- *(fptr.(*[]byte)) = b
- case reflect.Uint32:
- u := new(uint32)
- if dv != nil {
- *u = dv.(uint32)
- }
- *(fptr.(**uint32)) = u
- case reflect.Uint64:
- u := new(uint64)
- if dv != nil {
- *u = dv.(uint64)
- }
- *(fptr.(**uint64)) = u
- default:
- log.Printf("proto: can't set default for field %v (sf.kind=%v)", f, sf.kind)
- }
- }
-
- for _, ni := range dm.nested {
- f := v.Field(ni)
- if f.IsNil() {
- continue
- }
- // f is *T or []*T
- if f.Kind() == reflect.Ptr {
- setDefaults(f, recur, zeros)
- } else {
- for i := 0; i < f.Len(); i++ {
- e := f.Index(i)
- if e.IsNil() {
- continue
- }
- setDefaults(e, recur, zeros)
- }
- }
- }
-}
-
-var (
- // defaults maps a protocol buffer struct type to a slice of the fields,
- // with its scalar fields set to their proto-declared non-zero default values.
- defaultMu sync.RWMutex
- defaults = make(map[reflect.Type]defaultMessage)
-
- int32PtrType = reflect.TypeOf((*int32)(nil))
-)
-
-// defaultMessage represents information about the default values of a message.
-type defaultMessage struct {
- scalars []scalarField
- nested []int // struct field index of nested messages
-}
-
-type scalarField struct {
- index int // struct field index
- kind reflect.Kind // element type (the T in *T or []T)
- value interface{} // the proto-declared default value, or nil
-}
-
-func ptrToStruct(t reflect.Type) bool {
- return t.Kind() == reflect.Ptr && t.Elem().Kind() == reflect.Struct
-}
-
-// t is a struct type.
-func buildDefaultMessage(t reflect.Type) (dm defaultMessage) {
- sprop := GetProperties(t)
- for _, prop := range sprop.Prop {
- fi, ok := sprop.decoderTags.get(prop.Tag)
- if !ok {
- // XXX_unrecognized
- continue
- }
- ft := t.Field(fi).Type
-
- // nested messages
- if ptrToStruct(ft) || (ft.Kind() == reflect.Slice && ptrToStruct(ft.Elem())) {
- dm.nested = append(dm.nested, fi)
- continue
- }
-
- sf := scalarField{
- index: fi,
- kind: ft.Elem().Kind(),
- }
-
- // scalar fields without defaults
- if !prop.HasDefault {
- dm.scalars = append(dm.scalars, sf)
- continue
- }
-
- // a scalar field: either *T or []byte
- switch ft.Elem().Kind() {
- case reflect.Bool:
- x, err := strconv.ParseBool(prop.Default)
- if err != nil {
- log.Printf("proto: bad default bool %q: %v", prop.Default, err)
- continue
- }
- sf.value = x
- case reflect.Float32:
- x, err := strconv.ParseFloat(prop.Default, 32)
- if err != nil {
- log.Printf("proto: bad default float32 %q: %v", prop.Default, err)
- continue
- }
- sf.value = float32(x)
- case reflect.Float64:
- x, err := strconv.ParseFloat(prop.Default, 64)
- if err != nil {
- log.Printf("proto: bad default float64 %q: %v", prop.Default, err)
- continue
- }
- sf.value = x
- case reflect.Int32:
- x, err := strconv.ParseInt(prop.Default, 10, 32)
- if err != nil {
- log.Printf("proto: bad default int32 %q: %v", prop.Default, err)
- continue
- }
- sf.value = int32(x)
- case reflect.Int64:
- x, err := strconv.ParseInt(prop.Default, 10, 64)
- if err != nil {
- log.Printf("proto: bad default int64 %q: %v", prop.Default, err)
- continue
- }
- sf.value = x
- case reflect.String:
- sf.value = prop.Default
- case reflect.Uint8:
- // []byte (not *uint8)
- sf.value = []byte(prop.Default)
- case reflect.Uint32:
- x, err := strconv.ParseUint(prop.Default, 10, 32)
- if err != nil {
- log.Printf("proto: bad default uint32 %q: %v", prop.Default, err)
- continue
- }
- sf.value = uint32(x)
- case reflect.Uint64:
- x, err := strconv.ParseUint(prop.Default, 10, 64)
- if err != nil {
- log.Printf("proto: bad default uint64 %q: %v", prop.Default, err)
- continue
- }
- sf.value = x
- default:
- log.Printf("proto: unhandled def kind %v", ft.Elem().Kind())
- continue
- }
-
- dm.scalars = append(dm.scalars, sf)
- }
-
- return dm
-}
-
-// Map fields may have key types of non-float scalars, strings and enums.
-// The easiest way to sort them in some deterministic order is to use fmt.
-// If this turns out to be inefficient we can always consider other options,
-// such as doing a Schwartzian transform.
-
-type mapKeys []reflect.Value
-
-func (s mapKeys) Len() int { return len(s) }
-func (s mapKeys) Swap(i, j int) { s[i], s[j] = s[j], s[i] }
-func (s mapKeys) Less(i, j int) bool {
- return fmt.Sprint(s[i].Interface()) < fmt.Sprint(s[j].Interface())
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/golang/protobuf/proto/message_set.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/golang/protobuf/proto/message_set.go
deleted file mode 100644
index 9d912bce19bb61f69634b9eb8ea64f69f9ddde63..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/golang/protobuf/proto/message_set.go
+++ /dev/null
@@ -1,287 +0,0 @@
-// Go support for Protocol Buffers - Google's data interchange format
-//
-// Copyright 2010 The Go Authors. All rights reserved.
-// https://github.com/golang/protobuf
-//
-// Redistribution and use in source and binary forms, with or without
-// modification, are permitted provided that the following conditions are
-// met:
-//
-// * Redistributions of source code must retain the above copyright
-// notice, this list of conditions and the following disclaimer.
-// * Redistributions in binary form must reproduce the above
-// copyright notice, this list of conditions and the following disclaimer
-// in the documentation and/or other materials provided with the
-// distribution.
-// * Neither the name of Google Inc. nor the names of its
-// contributors may be used to endorse or promote products derived from
-// this software without specific prior written permission.
-//
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
-// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
-// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
-// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-package proto
-
-/*
- * Support for message sets.
- */
-
-import (
- "bytes"
- "encoding/json"
- "errors"
- "fmt"
- "reflect"
- "sort"
-)
-
-// ErrNoMessageTypeId occurs when a protocol buffer does not have a message type ID.
-// A message type ID is required for storing a protocol buffer in a message set.
-var ErrNoMessageTypeId = errors.New("proto does not have a message type ID")
-
-// The first two types (_MessageSet_Item and MessageSet)
-// model what the protocol compiler produces for the following protocol message:
-// message MessageSet {
-// repeated group Item = 1 {
-// required int32 type_id = 2;
-// required string message = 3;
-// };
-// }
-// That is the MessageSet wire format. We can't use a proto to generate these
-// because that would introduce a circular dependency between it and this package.
-//
-// When a proto1 proto has a field that looks like:
-// optional message<MessageSet> info = 3;
-// the protocol compiler produces a field in the generated struct that looks like:
-// Info *_proto_.MessageSet `protobuf:"bytes,3,opt,name=info"`
-// The package is automatically inserted so there is no need for that proto file to
-// import this package.
-
-type _MessageSet_Item struct {
- TypeId *int32 `protobuf:"varint,2,req,name=type_id"`
- Message []byte `protobuf:"bytes,3,req,name=message"`
-}
-
-type MessageSet struct {
- Item []*_MessageSet_Item `protobuf:"group,1,rep"`
- XXX_unrecognized []byte
- // TODO: caching?
-}
-
-// Make sure MessageSet is a Message.
-var _ Message = (*MessageSet)(nil)
-
-// messageTypeIder is an interface satisfied by a protocol buffer type
-// that may be stored in a MessageSet.
-type messageTypeIder interface {
- MessageTypeId() int32
-}
-
-func (ms *MessageSet) find(pb Message) *_MessageSet_Item {
- mti, ok := pb.(messageTypeIder)
- if !ok {
- return nil
- }
- id := mti.MessageTypeId()
- for _, item := range ms.Item {
- if *item.TypeId == id {
- return item
- }
- }
- return nil
-}
-
-func (ms *MessageSet) Has(pb Message) bool {
- if ms.find(pb) != nil {
- return true
- }
- return false
-}
-
-func (ms *MessageSet) Unmarshal(pb Message) error {
- if item := ms.find(pb); item != nil {
- return Unmarshal(item.Message, pb)
- }
- if _, ok := pb.(messageTypeIder); !ok {
- return ErrNoMessageTypeId
- }
- return nil // TODO: return error instead?
-}
-
-func (ms *MessageSet) Marshal(pb Message) error {
- msg, err := Marshal(pb)
- if err != nil {
- return err
- }
- if item := ms.find(pb); item != nil {
- // reuse existing item
- item.Message = msg
- return nil
- }
-
- mti, ok := pb.(messageTypeIder)
- if !ok {
- return ErrNoMessageTypeId
- }
-
- mtid := mti.MessageTypeId()
- ms.Item = append(ms.Item, &_MessageSet_Item{
- TypeId: &mtid,
- Message: msg,
- })
- return nil
-}
-
-func (ms *MessageSet) Reset() { *ms = MessageSet{} }
-func (ms *MessageSet) String() string { return CompactTextString(ms) }
-func (*MessageSet) ProtoMessage() {}
-
-// Support for the message_set_wire_format message option.
-
-func skipVarint(buf []byte) []byte {
- i := 0
- for ; buf[i]&0x80 != 0; i++ {
- }
- return buf[i+1:]
-}
-
-// MarshalMessageSet encodes the extension map represented by m in the message set wire format.
-// It is called by generated Marshal methods on protocol buffer messages with the message_set_wire_format option.
-func MarshalMessageSet(m map[int32]Extension) ([]byte, error) {
- if err := encodeExtensionMap(m); err != nil {
- return nil, err
- }
-
- // Sort extension IDs to provide a deterministic encoding.
- // See also enc_map in encode.go.
- ids := make([]int, 0, len(m))
- for id := range m {
- ids = append(ids, int(id))
- }
- sort.Ints(ids)
-
- ms := &MessageSet{Item: make([]*_MessageSet_Item, 0, len(m))}
- for _, id := range ids {
- e := m[int32(id)]
- // Remove the wire type and field number varint, as well as the length varint.
- msg := skipVarint(skipVarint(e.enc))
-
- ms.Item = append(ms.Item, &_MessageSet_Item{
- TypeId: Int32(int32(id)),
- Message: msg,
- })
- }
- return Marshal(ms)
-}
-
-// UnmarshalMessageSet decodes the extension map encoded in buf in the message set wire format.
-// It is called by generated Unmarshal methods on protocol buffer messages with the message_set_wire_format option.
-func UnmarshalMessageSet(buf []byte, m map[int32]Extension) error {
- ms := new(MessageSet)
- if err := Unmarshal(buf, ms); err != nil {
- return err
- }
- for _, item := range ms.Item {
- id := *item.TypeId
- msg := item.Message
-
- // Restore wire type and field number varint, plus length varint.
- // Be careful to preserve duplicate items.
- b := EncodeVarint(uint64(id)<<3 | WireBytes)
- if ext, ok := m[id]; ok {
- // Existing data; rip off the tag and length varint
- // so we join the new data correctly.
- // We can assume that ext.enc is set because we are unmarshaling.
- o := ext.enc[len(b):] // skip wire type and field number
- _, n := DecodeVarint(o) // calculate length of length varint
- o = o[n:] // skip length varint
- msg = append(o, msg...) // join old data and new data
- }
- b = append(b, EncodeVarint(uint64(len(msg)))...)
- b = append(b, msg...)
-
- m[id] = Extension{enc: b}
- }
- return nil
-}
-
-// MarshalMessageSetJSON encodes the extension map represented by m in JSON format.
-// It is called by generated MarshalJSON methods on protocol buffer messages with the message_set_wire_format option.
-func MarshalMessageSetJSON(m map[int32]Extension) ([]byte, error) {
- var b bytes.Buffer
- b.WriteByte('{')
-
- // Process the map in key order for deterministic output.
- ids := make([]int32, 0, len(m))
- for id := range m {
- ids = append(ids, id)
- }
- sort.Sort(int32Slice(ids)) // int32Slice defined in text.go
-
- for i, id := range ids {
- ext := m[id]
- if i > 0 {
- b.WriteByte(',')
- }
-
- msd, ok := messageSetMap[id]
- if !ok {
- // Unknown type; we can't render it, so skip it.
- continue
- }
- fmt.Fprintf(&b, `"[%s]":`, msd.name)
-
- x := ext.value
- if x == nil {
- x = reflect.New(msd.t.Elem()).Interface()
- if err := Unmarshal(ext.enc, x.(Message)); err != nil {
- return nil, err
- }
- }
- d, err := json.Marshal(x)
- if err != nil {
- return nil, err
- }
- b.Write(d)
- }
- b.WriteByte('}')
- return b.Bytes(), nil
-}
-
-// UnmarshalMessageSetJSON decodes the extension map encoded in buf in JSON format.
-// It is called by generated UnmarshalJSON methods on protocol buffer messages with the message_set_wire_format option.
-func UnmarshalMessageSetJSON(buf []byte, m map[int32]Extension) error {
- // Common-case fast path.
- if len(buf) == 0 || bytes.Equal(buf, []byte("{}")) {
- return nil
- }
-
- // This is fairly tricky, and it's not clear that it is needed.
- return errors.New("TODO: UnmarshalMessageSetJSON not yet implemented")
-}
-
-// A global registry of types that can be used in a MessageSet.
-
-var messageSetMap = make(map[int32]messageSetDesc)
-
-type messageSetDesc struct {
- t reflect.Type // pointer to struct
- name string
-}
-
-// RegisterMessageSetType is called from the generated code.
-func RegisterMessageSetType(m Message, fieldNum int32, name string) {
- messageSetMap[fieldNum] = messageSetDesc{
- t: reflect.TypeOf(m),
- name: name,
- }
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/golang/protobuf/proto/pointer_reflect.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/golang/protobuf/proto/pointer_reflect.go
deleted file mode 100644
index c68b12525ca0bc6ab4e0000d42e06c4eaa6bb9bd..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/golang/protobuf/proto/pointer_reflect.go
+++ /dev/null
@@ -1,479 +0,0 @@
-// Go support for Protocol Buffers - Google's data interchange format
-//
-// Copyright 2012 The Go Authors. All rights reserved.
-// https://github.com/golang/protobuf
-//
-// Redistribution and use in source and binary forms, with or without
-// modification, are permitted provided that the following conditions are
-// met:
-//
-// * Redistributions of source code must retain the above copyright
-// notice, this list of conditions and the following disclaimer.
-// * Redistributions in binary form must reproduce the above
-// copyright notice, this list of conditions and the following disclaimer
-// in the documentation and/or other materials provided with the
-// distribution.
-// * Neither the name of Google Inc. nor the names of its
-// contributors may be used to endorse or promote products derived from
-// this software without specific prior written permission.
-//
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
-// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
-// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
-// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-// +build appengine
-
-// This file contains an implementation of proto field accesses using package reflect.
-// It is slower than the code in pointer_unsafe.go but it avoids package unsafe and can
-// be used on App Engine.
-
-package proto
-
-import (
- "math"
- "reflect"
-)
-
-// A structPointer is a pointer to a struct.
-type structPointer struct {
- v reflect.Value
-}
-
-// toStructPointer returns a structPointer equivalent to the given reflect value.
-// The reflect value must itself be a pointer to a struct.
-func toStructPointer(v reflect.Value) structPointer {
- return structPointer{v}
-}
-
-// IsNil reports whether p is nil.
-func structPointer_IsNil(p structPointer) bool {
- return p.v.IsNil()
-}
-
-// Interface returns the struct pointer as an interface value.
-func structPointer_Interface(p structPointer, _ reflect.Type) interface{} {
- return p.v.Interface()
-}
-
-// A field identifies a field in a struct, accessible from a structPointer.
-// In this implementation, a field is identified by the sequence of field indices
-// passed to reflect's FieldByIndex.
-type field []int
-
-// toField returns a field equivalent to the given reflect field.
-func toField(f *reflect.StructField) field {
- return f.Index
-}
-
-// invalidField is an invalid field identifier.
-var invalidField = field(nil)
-
-// IsValid reports whether the field identifier is valid.
-func (f field) IsValid() bool { return f != nil }
-
-// field returns the given field in the struct as a reflect value.
-func structPointer_field(p structPointer, f field) reflect.Value {
- // Special case: an extension map entry with a value of type T
- // passes a *T to the struct-handling code with a zero field,
- // expecting that it will be treated as equivalent to *struct{ X T },
- // which has the same memory layout. We have to handle that case
- // specially, because reflect will panic if we call FieldByIndex on a
- // non-struct.
- if f == nil {
- return p.v.Elem()
- }
-
- return p.v.Elem().FieldByIndex(f)
-}
-
-// ifield returns the given field in the struct as an interface value.
-func structPointer_ifield(p structPointer, f field) interface{} {
- return structPointer_field(p, f).Addr().Interface()
-}
-
-// Bytes returns the address of a []byte field in the struct.
-func structPointer_Bytes(p structPointer, f field) *[]byte {
- return structPointer_ifield(p, f).(*[]byte)
-}
-
-// BytesSlice returns the address of a [][]byte field in the struct.
-func structPointer_BytesSlice(p structPointer, f field) *[][]byte {
- return structPointer_ifield(p, f).(*[][]byte)
-}
-
-// Bool returns the address of a *bool field in the struct.
-func structPointer_Bool(p structPointer, f field) **bool {
- return structPointer_ifield(p, f).(**bool)
-}
-
-// BoolVal returns the address of a bool field in the struct.
-func structPointer_BoolVal(p structPointer, f field) *bool {
- return structPointer_ifield(p, f).(*bool)
-}
-
-// BoolSlice returns the address of a []bool field in the struct.
-func structPointer_BoolSlice(p structPointer, f field) *[]bool {
- return structPointer_ifield(p, f).(*[]bool)
-}
-
-// String returns the address of a *string field in the struct.
-func structPointer_String(p structPointer, f field) **string {
- return structPointer_ifield(p, f).(**string)
-}
-
-// StringVal returns the address of a string field in the struct.
-func structPointer_StringVal(p structPointer, f field) *string {
- return structPointer_ifield(p, f).(*string)
-}
-
-// StringSlice returns the address of a []string field in the struct.
-func structPointer_StringSlice(p structPointer, f field) *[]string {
- return structPointer_ifield(p, f).(*[]string)
-}
-
-// ExtMap returns the address of an extension map field in the struct.
-func structPointer_ExtMap(p structPointer, f field) *map[int32]Extension {
- return structPointer_ifield(p, f).(*map[int32]Extension)
-}
-
-// Map returns the reflect.Value for the address of a map field in the struct.
-func structPointer_Map(p structPointer, f field, typ reflect.Type) reflect.Value {
- return structPointer_field(p, f).Addr()
-}
-
-// SetStructPointer writes a *struct field in the struct.
-func structPointer_SetStructPointer(p structPointer, f field, q structPointer) {
- structPointer_field(p, f).Set(q.v)
-}
-
-// GetStructPointer reads a *struct field in the struct.
-func structPointer_GetStructPointer(p structPointer, f field) structPointer {
- return structPointer{structPointer_field(p, f)}
-}
-
-// StructPointerSlice the address of a []*struct field in the struct.
-func structPointer_StructPointerSlice(p structPointer, f field) structPointerSlice {
- return structPointerSlice{structPointer_field(p, f)}
-}
-
-// A structPointerSlice represents the address of a slice of pointers to structs
-// (themselves messages or groups). That is, v.Type() is *[]*struct{...}.
-type structPointerSlice struct {
- v reflect.Value
-}
-
-func (p structPointerSlice) Len() int { return p.v.Len() }
-func (p structPointerSlice) Index(i int) structPointer { return structPointer{p.v.Index(i)} }
-func (p structPointerSlice) Append(q structPointer) {
- p.v.Set(reflect.Append(p.v, q.v))
-}
-
-var (
- int32Type = reflect.TypeOf(int32(0))
- uint32Type = reflect.TypeOf(uint32(0))
- float32Type = reflect.TypeOf(float32(0))
- int64Type = reflect.TypeOf(int64(0))
- uint64Type = reflect.TypeOf(uint64(0))
- float64Type = reflect.TypeOf(float64(0))
-)
-
-// A word32 represents a field of type *int32, *uint32, *float32, or *enum.
-// That is, v.Type() is *int32, *uint32, *float32, or *enum and v is assignable.
-type word32 struct {
- v reflect.Value
-}
-
-// IsNil reports whether p is nil.
-func word32_IsNil(p word32) bool {
- return p.v.IsNil()
-}
-
-// Set sets p to point at a newly allocated word with bits set to x.
-func word32_Set(p word32, o *Buffer, x uint32) {
- t := p.v.Type().Elem()
- switch t {
- case int32Type:
- if len(o.int32s) == 0 {
- o.int32s = make([]int32, uint32PoolSize)
- }
- o.int32s[0] = int32(x)
- p.v.Set(reflect.ValueOf(&o.int32s[0]))
- o.int32s = o.int32s[1:]
- return
- case uint32Type:
- if len(o.uint32s) == 0 {
- o.uint32s = make([]uint32, uint32PoolSize)
- }
- o.uint32s[0] = x
- p.v.Set(reflect.ValueOf(&o.uint32s[0]))
- o.uint32s = o.uint32s[1:]
- return
- case float32Type:
- if len(o.float32s) == 0 {
- o.float32s = make([]float32, uint32PoolSize)
- }
- o.float32s[0] = math.Float32frombits(x)
- p.v.Set(reflect.ValueOf(&o.float32s[0]))
- o.float32s = o.float32s[1:]
- return
- }
-
- // must be enum
- p.v.Set(reflect.New(t))
- p.v.Elem().SetInt(int64(int32(x)))
-}
-
-// Get gets the bits pointed at by p, as a uint32.
-func word32_Get(p word32) uint32 {
- elem := p.v.Elem()
- switch elem.Kind() {
- case reflect.Int32:
- return uint32(elem.Int())
- case reflect.Uint32:
- return uint32(elem.Uint())
- case reflect.Float32:
- return math.Float32bits(float32(elem.Float()))
- }
- panic("unreachable")
-}
-
-// Word32 returns a reference to a *int32, *uint32, *float32, or *enum field in the struct.
-func structPointer_Word32(p structPointer, f field) word32 {
- return word32{structPointer_field(p, f)}
-}
-
-// A word32Val represents a field of type int32, uint32, float32, or enum.
-// That is, v.Type() is int32, uint32, float32, or enum and v is assignable.
-type word32Val struct {
- v reflect.Value
-}
-
-// Set sets *p to x.
-func word32Val_Set(p word32Val, x uint32) {
- switch p.v.Type() {
- case int32Type:
- p.v.SetInt(int64(x))
- return
- case uint32Type:
- p.v.SetUint(uint64(x))
- return
- case float32Type:
- p.v.SetFloat(float64(math.Float32frombits(x)))
- return
- }
-
- // must be enum
- p.v.SetInt(int64(int32(x)))
-}
-
-// Get gets the bits pointed at by p, as a uint32.
-func word32Val_Get(p word32Val) uint32 {
- elem := p.v
- switch elem.Kind() {
- case reflect.Int32:
- return uint32(elem.Int())
- case reflect.Uint32:
- return uint32(elem.Uint())
- case reflect.Float32:
- return math.Float32bits(float32(elem.Float()))
- }
- panic("unreachable")
-}
-
-// Word32Val returns a reference to a int32, uint32, float32, or enum field in the struct.
-func structPointer_Word32Val(p structPointer, f field) word32Val {
- return word32Val{structPointer_field(p, f)}
-}
-
-// A word32Slice is a slice of 32-bit values.
-// That is, v.Type() is []int32, []uint32, []float32, or []enum.
-type word32Slice struct {
- v reflect.Value
-}
-
-func (p word32Slice) Append(x uint32) {
- n, m := p.v.Len(), p.v.Cap()
- if n < m {
- p.v.SetLen(n + 1)
- } else {
- t := p.v.Type().Elem()
- p.v.Set(reflect.Append(p.v, reflect.Zero(t)))
- }
- elem := p.v.Index(n)
- switch elem.Kind() {
- case reflect.Int32:
- elem.SetInt(int64(int32(x)))
- case reflect.Uint32:
- elem.SetUint(uint64(x))
- case reflect.Float32:
- elem.SetFloat(float64(math.Float32frombits(x)))
- }
-}
-
-func (p word32Slice) Len() int {
- return p.v.Len()
-}
-
-func (p word32Slice) Index(i int) uint32 {
- elem := p.v.Index(i)
- switch elem.Kind() {
- case reflect.Int32:
- return uint32(elem.Int())
- case reflect.Uint32:
- return uint32(elem.Uint())
- case reflect.Float32:
- return math.Float32bits(float32(elem.Float()))
- }
- panic("unreachable")
-}
-
-// Word32Slice returns a reference to a []int32, []uint32, []float32, or []enum field in the struct.
-func structPointer_Word32Slice(p structPointer, f field) word32Slice {
- return word32Slice{structPointer_field(p, f)}
-}
-
-// word64 is like word32 but for 64-bit values.
-type word64 struct {
- v reflect.Value
-}
-
-func word64_Set(p word64, o *Buffer, x uint64) {
- t := p.v.Type().Elem()
- switch t {
- case int64Type:
- if len(o.int64s) == 0 {
- o.int64s = make([]int64, uint64PoolSize)
- }
- o.int64s[0] = int64(x)
- p.v.Set(reflect.ValueOf(&o.int64s[0]))
- o.int64s = o.int64s[1:]
- return
- case uint64Type:
- if len(o.uint64s) == 0 {
- o.uint64s = make([]uint64, uint64PoolSize)
- }
- o.uint64s[0] = x
- p.v.Set(reflect.ValueOf(&o.uint64s[0]))
- o.uint64s = o.uint64s[1:]
- return
- case float64Type:
- if len(o.float64s) == 0 {
- o.float64s = make([]float64, uint64PoolSize)
- }
- o.float64s[0] = math.Float64frombits(x)
- p.v.Set(reflect.ValueOf(&o.float64s[0]))
- o.float64s = o.float64s[1:]
- return
- }
- panic("unreachable")
-}
-
-func word64_IsNil(p word64) bool {
- return p.v.IsNil()
-}
-
-func word64_Get(p word64) uint64 {
- elem := p.v.Elem()
- switch elem.Kind() {
- case reflect.Int64:
- return uint64(elem.Int())
- case reflect.Uint64:
- return elem.Uint()
- case reflect.Float64:
- return math.Float64bits(elem.Float())
- }
- panic("unreachable")
-}
-
-func structPointer_Word64(p structPointer, f field) word64 {
- return word64{structPointer_field(p, f)}
-}
-
-// word64Val is like word32Val but for 64-bit values.
-type word64Val struct {
- v reflect.Value
-}
-
-func word64Val_Set(p word64Val, o *Buffer, x uint64) {
- switch p.v.Type() {
- case int64Type:
- p.v.SetInt(int64(x))
- return
- case uint64Type:
- p.v.SetUint(x)
- return
- case float64Type:
- p.v.SetFloat(math.Float64frombits(x))
- return
- }
- panic("unreachable")
-}
-
-func word64Val_Get(p word64Val) uint64 {
- elem := p.v
- switch elem.Kind() {
- case reflect.Int64:
- return uint64(elem.Int())
- case reflect.Uint64:
- return elem.Uint()
- case reflect.Float64:
- return math.Float64bits(elem.Float())
- }
- panic("unreachable")
-}
-
-func structPointer_Word64Val(p structPointer, f field) word64Val {
- return word64Val{structPointer_field(p, f)}
-}
-
-type word64Slice struct {
- v reflect.Value
-}
-
-func (p word64Slice) Append(x uint64) {
- n, m := p.v.Len(), p.v.Cap()
- if n < m {
- p.v.SetLen(n + 1)
- } else {
- t := p.v.Type().Elem()
- p.v.Set(reflect.Append(p.v, reflect.Zero(t)))
- }
- elem := p.v.Index(n)
- switch elem.Kind() {
- case reflect.Int64:
- elem.SetInt(int64(int64(x)))
- case reflect.Uint64:
- elem.SetUint(uint64(x))
- case reflect.Float64:
- elem.SetFloat(float64(math.Float64frombits(x)))
- }
-}
-
-func (p word64Slice) Len() int {
- return p.v.Len()
-}
-
-func (p word64Slice) Index(i int) uint64 {
- elem := p.v.Index(i)
- switch elem.Kind() {
- case reflect.Int64:
- return uint64(elem.Int())
- case reflect.Uint64:
- return uint64(elem.Uint())
- case reflect.Float64:
- return math.Float64bits(float64(elem.Float()))
- }
- panic("unreachable")
-}
-
-func structPointer_Word64Slice(p structPointer, f field) word64Slice {
- return word64Slice{structPointer_field(p, f)}
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/golang/protobuf/proto/pointer_unsafe.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/golang/protobuf/proto/pointer_unsafe.go
deleted file mode 100644
index 48bc0fa48278473461b9cef804dd159d9483308e..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/golang/protobuf/proto/pointer_unsafe.go
+++ /dev/null
@@ -1,266 +0,0 @@
-// Go support for Protocol Buffers - Google's data interchange format
-//
-// Copyright 2012 The Go Authors. All rights reserved.
-// https://github.com/golang/protobuf
-//
-// Redistribution and use in source and binary forms, with or without
-// modification, are permitted provided that the following conditions are
-// met:
-//
-// * Redistributions of source code must retain the above copyright
-// notice, this list of conditions and the following disclaimer.
-// * Redistributions in binary form must reproduce the above
-// copyright notice, this list of conditions and the following disclaimer
-// in the documentation and/or other materials provided with the
-// distribution.
-// * Neither the name of Google Inc. nor the names of its
-// contributors may be used to endorse or promote products derived from
-// this software without specific prior written permission.
-//
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
-// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
-// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
-// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-// +build !appengine
-
-// This file contains the implementation of the proto field accesses using package unsafe.
-
-package proto
-
-import (
- "reflect"
- "unsafe"
-)
-
-// NOTE: These type_Foo functions would more idiomatically be methods,
-// but Go does not allow methods on pointer types, and we must preserve
-// some pointer type for the garbage collector. We use these
-// funcs with clunky names as our poor approximation to methods.
-//
-// An alternative would be
-// type structPointer struct { p unsafe.Pointer }
-// but that does not registerize as well.
-
-// A structPointer is a pointer to a struct.
-type structPointer unsafe.Pointer
-
-// toStructPointer returns a structPointer equivalent to the given reflect value.
-func toStructPointer(v reflect.Value) structPointer {
- return structPointer(unsafe.Pointer(v.Pointer()))
-}
-
-// IsNil reports whether p is nil.
-func structPointer_IsNil(p structPointer) bool {
- return p == nil
-}
-
-// Interface returns the struct pointer, assumed to have element type t,
-// as an interface value.
-func structPointer_Interface(p structPointer, t reflect.Type) interface{} {
- return reflect.NewAt(t, unsafe.Pointer(p)).Interface()
-}
-
-// A field identifies a field in a struct, accessible from a structPointer.
-// In this implementation, a field is identified by its byte offset from the start of the struct.
-type field uintptr
-
-// toField returns a field equivalent to the given reflect field.
-func toField(f *reflect.StructField) field {
- return field(f.Offset)
-}
-
-// invalidField is an invalid field identifier.
-const invalidField = ^field(0)
-
-// IsValid reports whether the field identifier is valid.
-func (f field) IsValid() bool {
- return f != ^field(0)
-}
-
-// Bytes returns the address of a []byte field in the struct.
-func structPointer_Bytes(p structPointer, f field) *[]byte {
- return (*[]byte)(unsafe.Pointer(uintptr(p) + uintptr(f)))
-}
-
-// BytesSlice returns the address of a [][]byte field in the struct.
-func structPointer_BytesSlice(p structPointer, f field) *[][]byte {
- return (*[][]byte)(unsafe.Pointer(uintptr(p) + uintptr(f)))
-}
-
-// Bool returns the address of a *bool field in the struct.
-func structPointer_Bool(p structPointer, f field) **bool {
- return (**bool)(unsafe.Pointer(uintptr(p) + uintptr(f)))
-}
-
-// BoolVal returns the address of a bool field in the struct.
-func structPointer_BoolVal(p structPointer, f field) *bool {
- return (*bool)(unsafe.Pointer(uintptr(p) + uintptr(f)))
-}
-
-// BoolSlice returns the address of a []bool field in the struct.
-func structPointer_BoolSlice(p structPointer, f field) *[]bool {
- return (*[]bool)(unsafe.Pointer(uintptr(p) + uintptr(f)))
-}
-
-// String returns the address of a *string field in the struct.
-func structPointer_String(p structPointer, f field) **string {
- return (**string)(unsafe.Pointer(uintptr(p) + uintptr(f)))
-}
-
-// StringVal returns the address of a string field in the struct.
-func structPointer_StringVal(p structPointer, f field) *string {
- return (*string)(unsafe.Pointer(uintptr(p) + uintptr(f)))
-}
-
-// StringSlice returns the address of a []string field in the struct.
-func structPointer_StringSlice(p structPointer, f field) *[]string {
- return (*[]string)(unsafe.Pointer(uintptr(p) + uintptr(f)))
-}
-
-// ExtMap returns the address of an extension map field in the struct.
-func structPointer_ExtMap(p structPointer, f field) *map[int32]Extension {
- return (*map[int32]Extension)(unsafe.Pointer(uintptr(p) + uintptr(f)))
-}
-
-// Map returns the reflect.Value for the address of a map field in the struct.
-func structPointer_Map(p structPointer, f field, typ reflect.Type) reflect.Value {
- return reflect.NewAt(typ, unsafe.Pointer(uintptr(p)+uintptr(f)))
-}
-
-// SetStructPointer writes a *struct field in the struct.
-func structPointer_SetStructPointer(p structPointer, f field, q structPointer) {
- *(*structPointer)(unsafe.Pointer(uintptr(p) + uintptr(f))) = q
-}
-
-// GetStructPointer reads a *struct field in the struct.
-func structPointer_GetStructPointer(p structPointer, f field) structPointer {
- return *(*structPointer)(unsafe.Pointer(uintptr(p) + uintptr(f)))
-}
-
-// StructPointerSlice the address of a []*struct field in the struct.
-func structPointer_StructPointerSlice(p structPointer, f field) *structPointerSlice {
- return (*structPointerSlice)(unsafe.Pointer(uintptr(p) + uintptr(f)))
-}
-
-// A structPointerSlice represents a slice of pointers to structs (themselves submessages or groups).
-type structPointerSlice []structPointer
-
-func (v *structPointerSlice) Len() int { return len(*v) }
-func (v *structPointerSlice) Index(i int) structPointer { return (*v)[i] }
-func (v *structPointerSlice) Append(p structPointer) { *v = append(*v, p) }
-
-// A word32 is the address of a "pointer to 32-bit value" field.
-type word32 **uint32
-
-// IsNil reports whether *v is nil.
-func word32_IsNil(p word32) bool {
- return *p == nil
-}
-
-// Set sets *v to point at a newly allocated word set to x.
-func word32_Set(p word32, o *Buffer, x uint32) {
- if len(o.uint32s) == 0 {
- o.uint32s = make([]uint32, uint32PoolSize)
- }
- o.uint32s[0] = x
- *p = &o.uint32s[0]
- o.uint32s = o.uint32s[1:]
-}
-
-// Get gets the value pointed at by *v.
-func word32_Get(p word32) uint32 {
- return **p
-}
-
-// Word32 returns the address of a *int32, *uint32, *float32, or *enum field in the struct.
-func structPointer_Word32(p structPointer, f field) word32 {
- return word32((**uint32)(unsafe.Pointer(uintptr(p) + uintptr(f))))
-}
-
-// A word32Val is the address of a 32-bit value field.
-type word32Val *uint32
-
-// Set sets *p to x.
-func word32Val_Set(p word32Val, x uint32) {
- *p = x
-}
-
-// Get gets the value pointed at by p.
-func word32Val_Get(p word32Val) uint32 {
- return *p
-}
-
-// Word32Val returns the address of a *int32, *uint32, *float32, or *enum field in the struct.
-func structPointer_Word32Val(p structPointer, f field) word32Val {
- return word32Val((*uint32)(unsafe.Pointer(uintptr(p) + uintptr(f))))
-}
-
-// A word32Slice is a slice of 32-bit values.
-type word32Slice []uint32
-
-func (v *word32Slice) Append(x uint32) { *v = append(*v, x) }
-func (v *word32Slice) Len() int { return len(*v) }
-func (v *word32Slice) Index(i int) uint32 { return (*v)[i] }
-
-// Word32Slice returns the address of a []int32, []uint32, []float32, or []enum field in the struct.
-func structPointer_Word32Slice(p structPointer, f field) *word32Slice {
- return (*word32Slice)(unsafe.Pointer(uintptr(p) + uintptr(f)))
-}
-
-// word64 is like word32 but for 64-bit values.
-type word64 **uint64
-
-func word64_Set(p word64, o *Buffer, x uint64) {
- if len(o.uint64s) == 0 {
- o.uint64s = make([]uint64, uint64PoolSize)
- }
- o.uint64s[0] = x
- *p = &o.uint64s[0]
- o.uint64s = o.uint64s[1:]
-}
-
-func word64_IsNil(p word64) bool {
- return *p == nil
-}
-
-func word64_Get(p word64) uint64 {
- return **p
-}
-
-func structPointer_Word64(p structPointer, f field) word64 {
- return word64((**uint64)(unsafe.Pointer(uintptr(p) + uintptr(f))))
-}
-
-// word64Val is like word32Val but for 64-bit values.
-type word64Val *uint64
-
-func word64Val_Set(p word64Val, o *Buffer, x uint64) {
- *p = x
-}
-
-func word64Val_Get(p word64Val) uint64 {
- return *p
-}
-
-func structPointer_Word64Val(p structPointer, f field) word64Val {
- return word64Val((*uint64)(unsafe.Pointer(uintptr(p) + uintptr(f))))
-}
-
-// word64Slice is like word32Slice but for 64-bit values.
-type word64Slice []uint64
-
-func (v *word64Slice) Append(x uint64) { *v = append(*v, x) }
-func (v *word64Slice) Len() int { return len(*v) }
-func (v *word64Slice) Index(i int) uint64 { return (*v)[i] }
-
-func structPointer_Word64Slice(p structPointer, f field) *word64Slice {
- return (*word64Slice)(unsafe.Pointer(uintptr(p) + uintptr(f)))
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/golang/protobuf/proto/properties.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/golang/protobuf/proto/properties.go
deleted file mode 100644
index 7216544815559344b2efe7cf60bf4484d9fbae42..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/golang/protobuf/proto/properties.go
+++ /dev/null
@@ -1,737 +0,0 @@
-// Go support for Protocol Buffers - Google's data interchange format
-//
-// Copyright 2010 The Go Authors. All rights reserved.
-// https://github.com/golang/protobuf
-//
-// Redistribution and use in source and binary forms, with or without
-// modification, are permitted provided that the following conditions are
-// met:
-//
-// * Redistributions of source code must retain the above copyright
-// notice, this list of conditions and the following disclaimer.
-// * Redistributions in binary form must reproduce the above
-// copyright notice, this list of conditions and the following disclaimer
-// in the documentation and/or other materials provided with the
-// distribution.
-// * Neither the name of Google Inc. nor the names of its
-// contributors may be used to endorse or promote products derived from
-// this software without specific prior written permission.
-//
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
-// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
-// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
-// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-package proto
-
-/*
- * Routines for encoding data into the wire format for protocol buffers.
- */
-
-import (
- "fmt"
- "os"
- "reflect"
- "sort"
- "strconv"
- "strings"
- "sync"
-)
-
-const debug bool = false
-
-// Constants that identify the encoding of a value on the wire.
-const (
- WireVarint = 0
- WireFixed64 = 1
- WireBytes = 2
- WireStartGroup = 3
- WireEndGroup = 4
- WireFixed32 = 5
-)
-
-const startSize = 10 // initial slice/string sizes
-
-// Encoders are defined in encode.go
-// An encoder outputs the full representation of a field, including its
-// tag and encoder type.
-type encoder func(p *Buffer, prop *Properties, base structPointer) error
-
-// A valueEncoder encodes a single integer in a particular encoding.
-type valueEncoder func(o *Buffer, x uint64) error
-
-// Sizers are defined in encode.go
-// A sizer returns the encoded size of a field, including its tag and encoder
-// type.
-type sizer func(prop *Properties, base structPointer) int
-
-// A valueSizer returns the encoded size of a single integer in a particular
-// encoding.
-type valueSizer func(x uint64) int
-
-// Decoders are defined in decode.go
-// A decoder creates a value from its wire representation.
-// Unrecognized subelements are saved in unrec.
-type decoder func(p *Buffer, prop *Properties, base structPointer) error
-
-// A valueDecoder decodes a single integer in a particular encoding.
-type valueDecoder func(o *Buffer) (x uint64, err error)
-
-// tagMap is an optimization over map[int]int for typical protocol buffer
-// use-cases. Encoded protocol buffers are often in tag order with small tag
-// numbers.
-type tagMap struct {
- fastTags []int
- slowTags map[int]int
-}
-
-// tagMapFastLimit is the upper bound on the tag number that will be stored in
-// the tagMap slice rather than its map.
-const tagMapFastLimit = 1024
-
-func (p *tagMap) get(t int) (int, bool) {
- if t > 0 && t < tagMapFastLimit {
- if t >= len(p.fastTags) {
- return 0, false
- }
- fi := p.fastTags[t]
- return fi, fi >= 0
- }
- fi, ok := p.slowTags[t]
- return fi, ok
-}
-
-func (p *tagMap) put(t int, fi int) {
- if t > 0 && t < tagMapFastLimit {
- for len(p.fastTags) < t+1 {
- p.fastTags = append(p.fastTags, -1)
- }
- p.fastTags[t] = fi
- return
- }
- if p.slowTags == nil {
- p.slowTags = make(map[int]int)
- }
- p.slowTags[t] = fi
-}
-
-// StructProperties represents properties for all the fields of a struct.
-// decoderTags and decoderOrigNames should only be used by the decoder.
-type StructProperties struct {
- Prop []*Properties // properties for each field
- reqCount int // required count
- decoderTags tagMap // map from proto tag to struct field number
- decoderOrigNames map[string]int // map from original name to struct field number
- order []int // list of struct field numbers in tag order
- unrecField field // field id of the XXX_unrecognized []byte field
- extendable bool // is this an extendable proto
-}
-
-// Implement the sorting interface so we can sort the fields in tag order, as recommended by the spec.
-// See encode.go, (*Buffer).enc_struct.
-
-func (sp *StructProperties) Len() int { return len(sp.order) }
-func (sp *StructProperties) Less(i, j int) bool {
- return sp.Prop[sp.order[i]].Tag < sp.Prop[sp.order[j]].Tag
-}
-func (sp *StructProperties) Swap(i, j int) { sp.order[i], sp.order[j] = sp.order[j], sp.order[i] }
-
-// Properties represents the protocol-specific behavior of a single struct field.
-type Properties struct {
- Name string // name of the field, for error messages
- OrigName string // original name before protocol compiler (always set)
- Wire string
- WireType int
- Tag int
- Required bool
- Optional bool
- Repeated bool
- Packed bool // relevant for repeated primitives only
- Enum string // set for enum types only
- proto3 bool // whether this is known to be a proto3 field; set for []byte only
-
- Default string // default value
- HasDefault bool // whether an explicit default was provided
- def_uint64 uint64
-
- enc encoder
- valEnc valueEncoder // set for bool and numeric types only
- field field
- tagcode []byte // encoding of EncodeVarint((Tag<<3)|WireType)
- tagbuf [8]byte
- stype reflect.Type // set for struct types only
- sprop *StructProperties // set for struct types only
- isMarshaler bool
- isUnmarshaler bool
-
- mtype reflect.Type // set for map types only
- mkeyprop *Properties // set for map types only
- mvalprop *Properties // set for map types only
-
- size sizer
- valSize valueSizer // set for bool and numeric types only
-
- dec decoder
- valDec valueDecoder // set for bool and numeric types only
-
- // If this is a packable field, this will be the decoder for the packed version of the field.
- packedDec decoder
-}
-
-// String formats the properties in the protobuf struct field tag style.
-func (p *Properties) String() string {
- s := p.Wire
- s = ","
- s += strconv.Itoa(p.Tag)
- if p.Required {
- s += ",req"
- }
- if p.Optional {
- s += ",opt"
- }
- if p.Repeated {
- s += ",rep"
- }
- if p.Packed {
- s += ",packed"
- }
- if p.OrigName != p.Name {
- s += ",name=" + p.OrigName
- }
- if p.proto3 {
- s += ",proto3"
- }
- if len(p.Enum) > 0 {
- s += ",enum=" + p.Enum
- }
- if p.HasDefault {
- s += ",def=" + p.Default
- }
- return s
-}
-
-// Parse populates p by parsing a string in the protobuf struct field tag style.
-func (p *Properties) Parse(s string) {
- // "bytes,49,opt,name=foo,def=hello!"
- fields := strings.Split(s, ",") // breaks def=, but handled below.
- if len(fields) < 2 {
- fmt.Fprintf(os.Stderr, "proto: tag has too few fields: %q\n", s)
- return
- }
-
- p.Wire = fields[0]
- switch p.Wire {
- case "varint":
- p.WireType = WireVarint
- p.valEnc = (*Buffer).EncodeVarint
- p.valDec = (*Buffer).DecodeVarint
- p.valSize = sizeVarint
- case "fixed32":
- p.WireType = WireFixed32
- p.valEnc = (*Buffer).EncodeFixed32
- p.valDec = (*Buffer).DecodeFixed32
- p.valSize = sizeFixed32
- case "fixed64":
- p.WireType = WireFixed64
- p.valEnc = (*Buffer).EncodeFixed64
- p.valDec = (*Buffer).DecodeFixed64
- p.valSize = sizeFixed64
- case "zigzag32":
- p.WireType = WireVarint
- p.valEnc = (*Buffer).EncodeZigzag32
- p.valDec = (*Buffer).DecodeZigzag32
- p.valSize = sizeZigzag32
- case "zigzag64":
- p.WireType = WireVarint
- p.valEnc = (*Buffer).EncodeZigzag64
- p.valDec = (*Buffer).DecodeZigzag64
- p.valSize = sizeZigzag64
- case "bytes", "group":
- p.WireType = WireBytes
- // no numeric converter for non-numeric types
- default:
- fmt.Fprintf(os.Stderr, "proto: tag has unknown wire type: %q\n", s)
- return
- }
-
- var err error
- p.Tag, err = strconv.Atoi(fields[1])
- if err != nil {
- return
- }
-
- for i := 2; i < len(fields); i++ {
- f := fields[i]
- switch {
- case f == "req":
- p.Required = true
- case f == "opt":
- p.Optional = true
- case f == "rep":
- p.Repeated = true
- case f == "packed":
- p.Packed = true
- case strings.HasPrefix(f, "name="):
- p.OrigName = f[5:]
- case strings.HasPrefix(f, "enum="):
- p.Enum = f[5:]
- case f == "proto3":
- p.proto3 = true
- case strings.HasPrefix(f, "def="):
- p.HasDefault = true
- p.Default = f[4:] // rest of string
- if i+1 < len(fields) {
- // Commas aren't escaped, and def is always last.
- p.Default += "," + strings.Join(fields[i+1:], ",")
- break
- }
- }
- }
-}
-
-func logNoSliceEnc(t1, t2 reflect.Type) {
- fmt.Fprintf(os.Stderr, "proto: no slice oenc for %T = []%T\n", t1, t2)
-}
-
-var protoMessageType = reflect.TypeOf((*Message)(nil)).Elem()
-
-// Initialize the fields for encoding and decoding.
-func (p *Properties) setEncAndDec(typ reflect.Type, f *reflect.StructField, lockGetProp bool) {
- p.enc = nil
- p.dec = nil
- p.size = nil
-
- switch t1 := typ; t1.Kind() {
- default:
- fmt.Fprintf(os.Stderr, "proto: no coders for %v\n", t1)
-
- // proto3 scalar types
-
- case reflect.Bool:
- p.enc = (*Buffer).enc_proto3_bool
- p.dec = (*Buffer).dec_proto3_bool
- p.size = size_proto3_bool
- case reflect.Int32:
- p.enc = (*Buffer).enc_proto3_int32
- p.dec = (*Buffer).dec_proto3_int32
- p.size = size_proto3_int32
- case reflect.Uint32:
- p.enc = (*Buffer).enc_proto3_uint32
- p.dec = (*Buffer).dec_proto3_int32 // can reuse
- p.size = size_proto3_uint32
- case reflect.Int64, reflect.Uint64:
- p.enc = (*Buffer).enc_proto3_int64
- p.dec = (*Buffer).dec_proto3_int64
- p.size = size_proto3_int64
- case reflect.Float32:
- p.enc = (*Buffer).enc_proto3_uint32 // can just treat them as bits
- p.dec = (*Buffer).dec_proto3_int32
- p.size = size_proto3_uint32
- case reflect.Float64:
- p.enc = (*Buffer).enc_proto3_int64 // can just treat them as bits
- p.dec = (*Buffer).dec_proto3_int64
- p.size = size_proto3_int64
- case reflect.String:
- p.enc = (*Buffer).enc_proto3_string
- p.dec = (*Buffer).dec_proto3_string
- p.size = size_proto3_string
-
- case reflect.Ptr:
- switch t2 := t1.Elem(); t2.Kind() {
- default:
- fmt.Fprintf(os.Stderr, "proto: no encoder function for %v -> %v\n", t1, t2)
- break
- case reflect.Bool:
- p.enc = (*Buffer).enc_bool
- p.dec = (*Buffer).dec_bool
- p.size = size_bool
- case reflect.Int32:
- p.enc = (*Buffer).enc_int32
- p.dec = (*Buffer).dec_int32
- p.size = size_int32
- case reflect.Uint32:
- p.enc = (*Buffer).enc_uint32
- p.dec = (*Buffer).dec_int32 // can reuse
- p.size = size_uint32
- case reflect.Int64, reflect.Uint64:
- p.enc = (*Buffer).enc_int64
- p.dec = (*Buffer).dec_int64
- p.size = size_int64
- case reflect.Float32:
- p.enc = (*Buffer).enc_uint32 // can just treat them as bits
- p.dec = (*Buffer).dec_int32
- p.size = size_uint32
- case reflect.Float64:
- p.enc = (*Buffer).enc_int64 // can just treat them as bits
- p.dec = (*Buffer).dec_int64
- p.size = size_int64
- case reflect.String:
- p.enc = (*Buffer).enc_string
- p.dec = (*Buffer).dec_string
- p.size = size_string
- case reflect.Struct:
- p.stype = t1.Elem()
- p.isMarshaler = isMarshaler(t1)
- p.isUnmarshaler = isUnmarshaler(t1)
- if p.Wire == "bytes" {
- p.enc = (*Buffer).enc_struct_message
- p.dec = (*Buffer).dec_struct_message
- p.size = size_struct_message
- } else {
- p.enc = (*Buffer).enc_struct_group
- p.dec = (*Buffer).dec_struct_group
- p.size = size_struct_group
- }
- }
-
- case reflect.Slice:
- switch t2 := t1.Elem(); t2.Kind() {
- default:
- logNoSliceEnc(t1, t2)
- break
- case reflect.Bool:
- if p.Packed {
- p.enc = (*Buffer).enc_slice_packed_bool
- p.size = size_slice_packed_bool
- } else {
- p.enc = (*Buffer).enc_slice_bool
- p.size = size_slice_bool
- }
- p.dec = (*Buffer).dec_slice_bool
- p.packedDec = (*Buffer).dec_slice_packed_bool
- case reflect.Int32:
- if p.Packed {
- p.enc = (*Buffer).enc_slice_packed_int32
- p.size = size_slice_packed_int32
- } else {
- p.enc = (*Buffer).enc_slice_int32
- p.size = size_slice_int32
- }
- p.dec = (*Buffer).dec_slice_int32
- p.packedDec = (*Buffer).dec_slice_packed_int32
- case reflect.Uint32:
- if p.Packed {
- p.enc = (*Buffer).enc_slice_packed_uint32
- p.size = size_slice_packed_uint32
- } else {
- p.enc = (*Buffer).enc_slice_uint32
- p.size = size_slice_uint32
- }
- p.dec = (*Buffer).dec_slice_int32
- p.packedDec = (*Buffer).dec_slice_packed_int32
- case reflect.Int64, reflect.Uint64:
- if p.Packed {
- p.enc = (*Buffer).enc_slice_packed_int64
- p.size = size_slice_packed_int64
- } else {
- p.enc = (*Buffer).enc_slice_int64
- p.size = size_slice_int64
- }
- p.dec = (*Buffer).dec_slice_int64
- p.packedDec = (*Buffer).dec_slice_packed_int64
- case reflect.Uint8:
- p.enc = (*Buffer).enc_slice_byte
- p.dec = (*Buffer).dec_slice_byte
- p.size = size_slice_byte
- if p.proto3 {
- p.enc = (*Buffer).enc_proto3_slice_byte
- p.size = size_proto3_slice_byte
- }
- case reflect.Float32, reflect.Float64:
- switch t2.Bits() {
- case 32:
- // can just treat them as bits
- if p.Packed {
- p.enc = (*Buffer).enc_slice_packed_uint32
- p.size = size_slice_packed_uint32
- } else {
- p.enc = (*Buffer).enc_slice_uint32
- p.size = size_slice_uint32
- }
- p.dec = (*Buffer).dec_slice_int32
- p.packedDec = (*Buffer).dec_slice_packed_int32
- case 64:
- // can just treat them as bits
- if p.Packed {
- p.enc = (*Buffer).enc_slice_packed_int64
- p.size = size_slice_packed_int64
- } else {
- p.enc = (*Buffer).enc_slice_int64
- p.size = size_slice_int64
- }
- p.dec = (*Buffer).dec_slice_int64
- p.packedDec = (*Buffer).dec_slice_packed_int64
- default:
- logNoSliceEnc(t1, t2)
- break
- }
- case reflect.String:
- p.enc = (*Buffer).enc_slice_string
- p.dec = (*Buffer).dec_slice_string
- p.size = size_slice_string
- case reflect.Ptr:
- switch t3 := t2.Elem(); t3.Kind() {
- default:
- fmt.Fprintf(os.Stderr, "proto: no ptr oenc for %T -> %T -> %T\n", t1, t2, t3)
- break
- case reflect.Struct:
- p.stype = t2.Elem()
- p.isMarshaler = isMarshaler(t2)
- p.isUnmarshaler = isUnmarshaler(t2)
- if p.Wire == "bytes" {
- p.enc = (*Buffer).enc_slice_struct_message
- p.dec = (*Buffer).dec_slice_struct_message
- p.size = size_slice_struct_message
- } else {
- p.enc = (*Buffer).enc_slice_struct_group
- p.dec = (*Buffer).dec_slice_struct_group
- p.size = size_slice_struct_group
- }
- }
- case reflect.Slice:
- switch t2.Elem().Kind() {
- default:
- fmt.Fprintf(os.Stderr, "proto: no slice elem oenc for %T -> %T -> %T\n", t1, t2, t2.Elem())
- break
- case reflect.Uint8:
- p.enc = (*Buffer).enc_slice_slice_byte
- p.dec = (*Buffer).dec_slice_slice_byte
- p.size = size_slice_slice_byte
- }
- }
-
- case reflect.Map:
- p.enc = (*Buffer).enc_new_map
- p.dec = (*Buffer).dec_new_map
- p.size = size_new_map
-
- p.mtype = t1
- p.mkeyprop = &Properties{}
- p.mkeyprop.init(reflect.PtrTo(p.mtype.Key()), "Key", f.Tag.Get("protobuf_key"), nil, lockGetProp)
- p.mvalprop = &Properties{}
- vtype := p.mtype.Elem()
- if vtype.Kind() != reflect.Ptr && vtype.Kind() != reflect.Slice {
- // The value type is not a message (*T) or bytes ([]byte),
- // so we need encoders for the pointer to this type.
- vtype = reflect.PtrTo(vtype)
- }
- p.mvalprop.init(vtype, "Value", f.Tag.Get("protobuf_val"), nil, lockGetProp)
- }
-
- // precalculate tag code
- wire := p.WireType
- if p.Packed {
- wire = WireBytes
- }
- x := uint32(p.Tag)<<3 | uint32(wire)
- i := 0
- for i = 0; x > 127; i++ {
- p.tagbuf[i] = 0x80 | uint8(x&0x7F)
- x >>= 7
- }
- p.tagbuf[i] = uint8(x)
- p.tagcode = p.tagbuf[0 : i+1]
-
- if p.stype != nil {
- if lockGetProp {
- p.sprop = GetProperties(p.stype)
- } else {
- p.sprop = getPropertiesLocked(p.stype)
- }
- }
-}
-
-var (
- marshalerType = reflect.TypeOf((*Marshaler)(nil)).Elem()
- unmarshalerType = reflect.TypeOf((*Unmarshaler)(nil)).Elem()
-)
-
-// isMarshaler reports whether type t implements Marshaler.
-func isMarshaler(t reflect.Type) bool {
- // We're checking for (likely) pointer-receiver methods
- // so if t is not a pointer, something is very wrong.
- // The calls above only invoke isMarshaler on pointer types.
- if t.Kind() != reflect.Ptr {
- panic("proto: misuse of isMarshaler")
- }
- return t.Implements(marshalerType)
-}
-
-// isUnmarshaler reports whether type t implements Unmarshaler.
-func isUnmarshaler(t reflect.Type) bool {
- // We're checking for (likely) pointer-receiver methods
- // so if t is not a pointer, something is very wrong.
- // The calls above only invoke isUnmarshaler on pointer types.
- if t.Kind() != reflect.Ptr {
- panic("proto: misuse of isUnmarshaler")
- }
- return t.Implements(unmarshalerType)
-}
-
-// Init populates the properties from a protocol buffer struct tag.
-func (p *Properties) Init(typ reflect.Type, name, tag string, f *reflect.StructField) {
- p.init(typ, name, tag, f, true)
-}
-
-func (p *Properties) init(typ reflect.Type, name, tag string, f *reflect.StructField, lockGetProp bool) {
- // "bytes,49,opt,def=hello!"
- p.Name = name
- p.OrigName = name
- if f != nil {
- p.field = toField(f)
- }
- if tag == "" {
- return
- }
- p.Parse(tag)
- p.setEncAndDec(typ, f, lockGetProp)
-}
-
-var (
- propertiesMu sync.RWMutex
- propertiesMap = make(map[reflect.Type]*StructProperties)
-)
-
-// GetProperties returns the list of properties for the type represented by t.
-// t must represent a generated struct type of a protocol message.
-func GetProperties(t reflect.Type) *StructProperties {
- if t.Kind() != reflect.Struct {
- panic("proto: type must have kind struct")
- }
-
- // Most calls to GetProperties in a long-running program will be
- // retrieving details for types we have seen before.
- propertiesMu.RLock()
- sprop, ok := propertiesMap[t]
- propertiesMu.RUnlock()
- if ok {
- if collectStats {
- stats.Chit++
- }
- return sprop
- }
-
- propertiesMu.Lock()
- sprop = getPropertiesLocked(t)
- propertiesMu.Unlock()
- return sprop
-}
-
-// getPropertiesLocked requires that propertiesMu is held.
-func getPropertiesLocked(t reflect.Type) *StructProperties {
- if prop, ok := propertiesMap[t]; ok {
- if collectStats {
- stats.Chit++
- }
- return prop
- }
- if collectStats {
- stats.Cmiss++
- }
-
- prop := new(StructProperties)
- // in case of recursive protos, fill this in now.
- propertiesMap[t] = prop
-
- // build properties
- prop.extendable = reflect.PtrTo(t).Implements(extendableProtoType)
- prop.unrecField = invalidField
- prop.Prop = make([]*Properties, t.NumField())
- prop.order = make([]int, t.NumField())
-
- for i := 0; i < t.NumField(); i++ {
- f := t.Field(i)
- p := new(Properties)
- name := f.Name
- p.init(f.Type, name, f.Tag.Get("protobuf"), &f, false)
-
- if f.Name == "XXX_extensions" { // special case
- p.enc = (*Buffer).enc_map
- p.dec = nil // not needed
- p.size = size_map
- }
- if f.Name == "XXX_unrecognized" { // special case
- prop.unrecField = toField(&f)
- }
- prop.Prop[i] = p
- prop.order[i] = i
- if debug {
- print(i, " ", f.Name, " ", t.String(), " ")
- if p.Tag > 0 {
- print(p.String())
- }
- print("\n")
- }
- if p.enc == nil && !strings.HasPrefix(f.Name, "XXX_") {
- fmt.Fprintln(os.Stderr, "proto: no encoder for", f.Name, f.Type.String(), "[GetProperties]")
- }
- }
-
- // Re-order prop.order.
- sort.Sort(prop)
-
- // build required counts
- // build tags
- reqCount := 0
- prop.decoderOrigNames = make(map[string]int)
- for i, p := range prop.Prop {
- if strings.HasPrefix(p.Name, "XXX_") {
- // Internal fields should not appear in tags/origNames maps.
- // They are handled specially when encoding and decoding.
- continue
- }
- if p.Required {
- reqCount++
- }
- prop.decoderTags.put(p.Tag, i)
- prop.decoderOrigNames[p.OrigName] = i
- }
- prop.reqCount = reqCount
-
- return prop
-}
-
-// Return the Properties object for the x[0]'th field of the structure.
-func propByIndex(t reflect.Type, x []int) *Properties {
- if len(x) != 1 {
- fmt.Fprintf(os.Stderr, "proto: field index dimension %d (not 1) for type %s\n", len(x), t)
- return nil
- }
- prop := GetProperties(t)
- return prop.Prop[x[0]]
-}
-
-// Get the address and type of a pointer to a struct from an interface.
-func getbase(pb Message) (t reflect.Type, b structPointer, err error) {
- if pb == nil {
- err = ErrNil
- return
- }
- // get the reflect type of the pointer to the struct.
- t = reflect.TypeOf(pb)
- // get the address of the struct.
- value := reflect.ValueOf(pb)
- b = toStructPointer(value)
- return
-}
-
-// A global registry of enum types.
-// The generated code will register the generated maps by calling RegisterEnum.
-
-var enumValueMaps = make(map[string]map[string]int32)
-
-// RegisterEnum is called from the generated code to install the enum descriptor
-// maps into the global table to aid parsing text format protocol buffers.
-func RegisterEnum(typeName string, unusedNameMap map[int32]string, valueMap map[string]int32) {
- if _, ok := enumValueMaps[typeName]; ok {
- panic("proto: duplicate enum registered: " + typeName)
- }
- enumValueMaps[typeName] = valueMap
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/golang/protobuf/proto/text.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/golang/protobuf/proto/text.go
deleted file mode 100644
index 720eac470505075186dfdc2701834171012486c6..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/golang/protobuf/proto/text.go
+++ /dev/null
@@ -1,789 +0,0 @@
-// Go support for Protocol Buffers - Google's data interchange format
-//
-// Copyright 2010 The Go Authors. All rights reserved.
-// https://github.com/golang/protobuf
-//
-// Redistribution and use in source and binary forms, with or without
-// modification, are permitted provided that the following conditions are
-// met:
-//
-// * Redistributions of source code must retain the above copyright
-// notice, this list of conditions and the following disclaimer.
-// * Redistributions in binary form must reproduce the above
-// copyright notice, this list of conditions and the following disclaimer
-// in the documentation and/or other materials provided with the
-// distribution.
-// * Neither the name of Google Inc. nor the names of its
-// contributors may be used to endorse or promote products derived from
-// this software without specific prior written permission.
-//
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
-// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
-// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
-// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-package proto
-
-// Functions for writing the text protocol buffer format.
-
-import (
- "bufio"
- "bytes"
- "encoding"
- "fmt"
- "io"
- "log"
- "math"
- "os"
- "reflect"
- "sort"
- "strings"
-)
-
-var (
- newline = []byte("\n")
- spaces = []byte(" ")
- gtNewline = []byte(">\n")
- endBraceNewline = []byte("}\n")
- backslashN = []byte{'\\', 'n'}
- backslashR = []byte{'\\', 'r'}
- backslashT = []byte{'\\', 't'}
- backslashDQ = []byte{'\\', '"'}
- backslashBS = []byte{'\\', '\\'}
- posInf = []byte("inf")
- negInf = []byte("-inf")
- nan = []byte("nan")
-)
-
-type writer interface {
- io.Writer
- WriteByte(byte) error
-}
-
-// textWriter is an io.Writer that tracks its indentation level.
-type textWriter struct {
- ind int
- complete bool // if the current position is a complete line
- compact bool // whether to write out as a one-liner
- w writer
-}
-
-func (w *textWriter) WriteString(s string) (n int, err error) {
- if !strings.Contains(s, "\n") {
- if !w.compact && w.complete {
- w.writeIndent()
- }
- w.complete = false
- return io.WriteString(w.w, s)
- }
- // WriteString is typically called without newlines, so this
- // codepath and its copy are rare. We copy to avoid
- // duplicating all of Write's logic here.
- return w.Write([]byte(s))
-}
-
-func (w *textWriter) Write(p []byte) (n int, err error) {
- newlines := bytes.Count(p, newline)
- if newlines == 0 {
- if !w.compact && w.complete {
- w.writeIndent()
- }
- n, err = w.w.Write(p)
- w.complete = false
- return n, err
- }
-
- frags := bytes.SplitN(p, newline, newlines+1)
- if w.compact {
- for i, frag := range frags {
- if i > 0 {
- if err := w.w.WriteByte(' '); err != nil {
- return n, err
- }
- n++
- }
- nn, err := w.w.Write(frag)
- n += nn
- if err != nil {
- return n, err
- }
- }
- return n, nil
- }
-
- for i, frag := range frags {
- if w.complete {
- w.writeIndent()
- }
- nn, err := w.w.Write(frag)
- n += nn
- if err != nil {
- return n, err
- }
- if i+1 < len(frags) {
- if err := w.w.WriteByte('\n'); err != nil {
- return n, err
- }
- n++
- }
- }
- w.complete = len(frags[len(frags)-1]) == 0
- return n, nil
-}
-
-func (w *textWriter) WriteByte(c byte) error {
- if w.compact && c == '\n' {
- c = ' '
- }
- if !w.compact && w.complete {
- w.writeIndent()
- }
- err := w.w.WriteByte(c)
- w.complete = c == '\n'
- return err
-}
-
-func (w *textWriter) indent() { w.ind++ }
-
-func (w *textWriter) unindent() {
- if w.ind == 0 {
- log.Printf("proto: textWriter unindented too far")
- return
- }
- w.ind--
-}
-
-func writeName(w *textWriter, props *Properties) error {
- if _, err := w.WriteString(props.OrigName); err != nil {
- return err
- }
- if props.Wire != "group" {
- return w.WriteByte(':')
- }
- return nil
-}
-
-var (
- messageSetType = reflect.TypeOf((*MessageSet)(nil)).Elem()
-)
-
-// raw is the interface satisfied by RawMessage.
-type raw interface {
- Bytes() []byte
-}
-
-func writeStruct(w *textWriter, sv reflect.Value) error {
- if sv.Type() == messageSetType {
- return writeMessageSet(w, sv.Addr().Interface().(*MessageSet))
- }
-
- st := sv.Type()
- sprops := GetProperties(st)
- for i := 0; i < sv.NumField(); i++ {
- fv := sv.Field(i)
- props := sprops.Prop[i]
- name := st.Field(i).Name
-
- if strings.HasPrefix(name, "XXX_") {
- // There are two XXX_ fields:
- // XXX_unrecognized []byte
- // XXX_extensions map[int32]proto.Extension
- // The first is handled here;
- // the second is handled at the bottom of this function.
- if name == "XXX_unrecognized" && !fv.IsNil() {
- if err := writeUnknownStruct(w, fv.Interface().([]byte)); err != nil {
- return err
- }
- }
- continue
- }
- if fv.Kind() == reflect.Ptr && fv.IsNil() {
- // Field not filled in. This could be an optional field or
- // a required field that wasn't filled in. Either way, there
- // isn't anything we can show for it.
- continue
- }
- if fv.Kind() == reflect.Slice && fv.IsNil() {
- // Repeated field that is empty, or a bytes field that is unused.
- continue
- }
-
- if props.Repeated && fv.Kind() == reflect.Slice {
- // Repeated field.
- for j := 0; j < fv.Len(); j++ {
- if err := writeName(w, props); err != nil {
- return err
- }
- if !w.compact {
- if err := w.WriteByte(' '); err != nil {
- return err
- }
- }
- v := fv.Index(j)
- if v.Kind() == reflect.Ptr && v.IsNil() {
- // A nil message in a repeated field is not valid,
- // but we can handle that more gracefully than panicking.
- if _, err := w.Write([]byte("<nil>\n")); err != nil {
- return err
- }
- continue
- }
- if err := writeAny(w, v, props); err != nil {
- return err
- }
- if err := w.WriteByte('\n'); err != nil {
- return err
- }
- }
- continue
- }
- if fv.Kind() == reflect.Map {
- // Map fields are rendered as a repeated struct with key/value fields.
- keys := fv.MapKeys() // TODO: should we sort these for deterministic output?
- sort.Sort(mapKeys(keys))
- for _, key := range keys {
- val := fv.MapIndex(key)
- if err := writeName(w, props); err != nil {
- return err
- }
- if !w.compact {
- if err := w.WriteByte(' '); err != nil {
- return err
- }
- }
- // open struct
- if err := w.WriteByte('<'); err != nil {
- return err
- }
- if !w.compact {
- if err := w.WriteByte('\n'); err != nil {
- return err
- }
- }
- w.indent()
- // key
- if _, err := w.WriteString("key:"); err != nil {
- return err
- }
- if !w.compact {
- if err := w.WriteByte(' '); err != nil {
- return err
- }
- }
- if err := writeAny(w, key, props.mkeyprop); err != nil {
- return err
- }
- if err := w.WriteByte('\n'); err != nil {
- return err
- }
- // value
- if _, err := w.WriteString("value:"); err != nil {
- return err
- }
- if !w.compact {
- if err := w.WriteByte(' '); err != nil {
- return err
- }
- }
- if err := writeAny(w, val, props.mvalprop); err != nil {
- return err
- }
- if err := w.WriteByte('\n'); err != nil {
- return err
- }
- // close struct
- w.unindent()
- if err := w.WriteByte('>'); err != nil {
- return err
- }
- if err := w.WriteByte('\n'); err != nil {
- return err
- }
- }
- continue
- }
- if props.proto3 && fv.Kind() == reflect.Slice && fv.Len() == 0 {
- // empty bytes field
- continue
- }
- if fv.Kind() != reflect.Ptr && fv.Kind() != reflect.Slice {
- // proto3 non-repeated scalar field; skip if zero value
- switch fv.Kind() {
- case reflect.Bool:
- if !fv.Bool() {
- continue
- }
- case reflect.Int32, reflect.Int64:
- if fv.Int() == 0 {
- continue
- }
- case reflect.Uint32, reflect.Uint64:
- if fv.Uint() == 0 {
- continue
- }
- case reflect.Float32, reflect.Float64:
- if fv.Float() == 0 {
- continue
- }
- case reflect.String:
- if fv.String() == "" {
- continue
- }
- }
- }
-
- if err := writeName(w, props); err != nil {
- return err
- }
- if !w.compact {
- if err := w.WriteByte(' '); err != nil {
- return err
- }
- }
- if b, ok := fv.Interface().(raw); ok {
- if err := writeRaw(w, b.Bytes()); err != nil {
- return err
- }
- continue
- }
-
- // Enums have a String method, so writeAny will work fine.
- if err := writeAny(w, fv, props); err != nil {
- return err
- }
-
- if err := w.WriteByte('\n'); err != nil {
- return err
- }
- }
-
- // Extensions (the XXX_extensions field).
- pv := sv.Addr()
- if pv.Type().Implements(extendableProtoType) {
- if err := writeExtensions(w, pv); err != nil {
- return err
- }
- }
-
- return nil
-}
-
-// writeRaw writes an uninterpreted raw message.
-func writeRaw(w *textWriter, b []byte) error {
- if err := w.WriteByte('<'); err != nil {
- return err
- }
- if !w.compact {
- if err := w.WriteByte('\n'); err != nil {
- return err
- }
- }
- w.indent()
- if err := writeUnknownStruct(w, b); err != nil {
- return err
- }
- w.unindent()
- if err := w.WriteByte('>'); err != nil {
- return err
- }
- return nil
-}
-
-// writeAny writes an arbitrary field.
-func writeAny(w *textWriter, v reflect.Value, props *Properties) error {
- v = reflect.Indirect(v)
-
- // Floats have special cases.
- if v.Kind() == reflect.Float32 || v.Kind() == reflect.Float64 {
- x := v.Float()
- var b []byte
- switch {
- case math.IsInf(x, 1):
- b = posInf
- case math.IsInf(x, -1):
- b = negInf
- case math.IsNaN(x):
- b = nan
- }
- if b != nil {
- _, err := w.Write(b)
- return err
- }
- // Other values are handled below.
- }
-
- // We don't attempt to serialise every possible value type; only those
- // that can occur in protocol buffers.
- switch v.Kind() {
- case reflect.Slice:
- // Should only be a []byte; repeated fields are handled in writeStruct.
- if err := writeString(w, string(v.Interface().([]byte))); err != nil {
- return err
- }
- case reflect.String:
- if err := writeString(w, v.String()); err != nil {
- return err
- }
- case reflect.Struct:
- // Required/optional group/message.
- var bra, ket byte = '<', '>'
- if props != nil && props.Wire == "group" {
- bra, ket = '{', '}'
- }
- if err := w.WriteByte(bra); err != nil {
- return err
- }
- if !w.compact {
- if err := w.WriteByte('\n'); err != nil {
- return err
- }
- }
- w.indent()
- if tm, ok := v.Interface().(encoding.TextMarshaler); ok {
- text, err := tm.MarshalText()
- if err != nil {
- return err
- }
- if _, err = w.Write(text); err != nil {
- return err
- }
- } else if err := writeStruct(w, v); err != nil {
- return err
- }
- w.unindent()
- if err := w.WriteByte(ket); err != nil {
- return err
- }
- default:
- _, err := fmt.Fprint(w, v.Interface())
- return err
- }
- return nil
-}
-
-// equivalent to C's isprint.
-func isprint(c byte) bool {
- return c >= 0x20 && c < 0x7f
-}
-
-// writeString writes a string in the protocol buffer text format.
-// It is similar to strconv.Quote except we don't use Go escape sequences,
-// we treat the string as a byte sequence, and we use octal escapes.
-// These differences are to maintain interoperability with the other
-// languages' implementations of the text format.
-func writeString(w *textWriter, s string) error {
- // use WriteByte here to get any needed indent
- if err := w.WriteByte('"'); err != nil {
- return err
- }
- // Loop over the bytes, not the runes.
- for i := 0; i < len(s); i++ {
- var err error
- // Divergence from C++: we don't escape apostrophes.
- // There's no need to escape them, and the C++ parser
- // copes with a naked apostrophe.
- switch c := s[i]; c {
- case '\n':
- _, err = w.w.Write(backslashN)
- case '\r':
- _, err = w.w.Write(backslashR)
- case '\t':
- _, err = w.w.Write(backslashT)
- case '"':
- _, err = w.w.Write(backslashDQ)
- case '\\':
- _, err = w.w.Write(backslashBS)
- default:
- if isprint(c) {
- err = w.w.WriteByte(c)
- } else {
- _, err = fmt.Fprintf(w.w, "\\%03o", c)
- }
- }
- if err != nil {
- return err
- }
- }
- return w.WriteByte('"')
-}
-
-func writeMessageSet(w *textWriter, ms *MessageSet) error {
- for _, item := range ms.Item {
- id := *item.TypeId
- if msd, ok := messageSetMap[id]; ok {
- // Known message set type.
- if _, err := fmt.Fprintf(w, "[%s]: <\n", msd.name); err != nil {
- return err
- }
- w.indent()
-
- pb := reflect.New(msd.t.Elem())
- if err := Unmarshal(item.Message, pb.Interface().(Message)); err != nil {
- if _, err := fmt.Fprintf(w, "/* bad message: %v */\n", err); err != nil {
- return err
- }
- } else {
- if err := writeStruct(w, pb.Elem()); err != nil {
- return err
- }
- }
- } else {
- // Unknown type.
- if _, err := fmt.Fprintf(w, "[%d]: <\n", id); err != nil {
- return err
- }
- w.indent()
- if err := writeUnknownStruct(w, item.Message); err != nil {
- return err
- }
- }
- w.unindent()
- if _, err := w.Write(gtNewline); err != nil {
- return err
- }
- }
- return nil
-}
-
-func writeUnknownStruct(w *textWriter, data []byte) (err error) {
- if !w.compact {
- if _, err := fmt.Fprintf(w, "/* %d unknown bytes */\n", len(data)); err != nil {
- return err
- }
- }
- b := NewBuffer(data)
- for b.index < len(b.buf) {
- x, err := b.DecodeVarint()
- if err != nil {
- _, err := fmt.Fprintf(w, "/* %v */\n", err)
- return err
- }
- wire, tag := x&7, x>>3
- if wire == WireEndGroup {
- w.unindent()
- if _, err := w.Write(endBraceNewline); err != nil {
- return err
- }
- continue
- }
- if _, err := fmt.Fprint(w, tag); err != nil {
- return err
- }
- if wire != WireStartGroup {
- if err := w.WriteByte(':'); err != nil {
- return err
- }
- }
- if !w.compact || wire == WireStartGroup {
- if err := w.WriteByte(' '); err != nil {
- return err
- }
- }
- switch wire {
- case WireBytes:
- buf, e := b.DecodeRawBytes(false)
- if e == nil {
- _, err = fmt.Fprintf(w, "%q", buf)
- } else {
- _, err = fmt.Fprintf(w, "/* %v */", e)
- }
- case WireFixed32:
- x, err = b.DecodeFixed32()
- err = writeUnknownInt(w, x, err)
- case WireFixed64:
- x, err = b.DecodeFixed64()
- err = writeUnknownInt(w, x, err)
- case WireStartGroup:
- err = w.WriteByte('{')
- w.indent()
- case WireVarint:
- x, err = b.DecodeVarint()
- err = writeUnknownInt(w, x, err)
- default:
- _, err = fmt.Fprintf(w, "/* unknown wire type %d */", wire)
- }
- if err != nil {
- return err
- }
- if err = w.WriteByte('\n'); err != nil {
- return err
- }
- }
- return nil
-}
-
-func writeUnknownInt(w *textWriter, x uint64, err error) error {
- if err == nil {
- _, err = fmt.Fprint(w, x)
- } else {
- _, err = fmt.Fprintf(w, "/* %v */", err)
- }
- return err
-}
-
-type int32Slice []int32
-
-func (s int32Slice) Len() int { return len(s) }
-func (s int32Slice) Less(i, j int) bool { return s[i] < s[j] }
-func (s int32Slice) Swap(i, j int) { s[i], s[j] = s[j], s[i] }
-
-// writeExtensions writes all the extensions in pv.
-// pv is assumed to be a pointer to a protocol message struct that is extendable.
-func writeExtensions(w *textWriter, pv reflect.Value) error {
- emap := extensionMaps[pv.Type().Elem()]
- ep := pv.Interface().(extendableProto)
-
- // Order the extensions by ID.
- // This isn't strictly necessary, but it will give us
- // canonical output, which will also make testing easier.
- m := ep.ExtensionMap()
- ids := make([]int32, 0, len(m))
- for id := range m {
- ids = append(ids, id)
- }
- sort.Sort(int32Slice(ids))
-
- for _, extNum := range ids {
- ext := m[extNum]
- var desc *ExtensionDesc
- if emap != nil {
- desc = emap[extNum]
- }
- if desc == nil {
- // Unknown extension.
- if err := writeUnknownStruct(w, ext.enc); err != nil {
- return err
- }
- continue
- }
-
- pb, err := GetExtension(ep, desc)
- if err != nil {
- if _, err := fmt.Fprintln(os.Stderr, "proto: failed getting extension: ", err); err != nil {
- return err
- }
- continue
- }
-
- // Repeated extensions will appear as a slice.
- if !desc.repeated() {
- if err := writeExtension(w, desc.Name, pb); err != nil {
- return err
- }
- } else {
- v := reflect.ValueOf(pb)
- for i := 0; i < v.Len(); i++ {
- if err := writeExtension(w, desc.Name, v.Index(i).Interface()); err != nil {
- return err
- }
- }
- }
- }
- return nil
-}
-
-func writeExtension(w *textWriter, name string, pb interface{}) error {
- if _, err := fmt.Fprintf(w, "[%s]:", name); err != nil {
- return err
- }
- if !w.compact {
- if err := w.WriteByte(' '); err != nil {
- return err
- }
- }
- if err := writeAny(w, reflect.ValueOf(pb), nil); err != nil {
- return err
- }
- if err := w.WriteByte('\n'); err != nil {
- return err
- }
- return nil
-}
-
-func (w *textWriter) writeIndent() {
- if !w.complete {
- return
- }
- remain := w.ind * 2
- for remain > 0 {
- n := remain
- if n > len(spaces) {
- n = len(spaces)
- }
- w.w.Write(spaces[:n])
- remain -= n
- }
- w.complete = false
-}
-
-func marshalText(w io.Writer, pb Message, compact bool) error {
- val := reflect.ValueOf(pb)
- if pb == nil || val.IsNil() {
- w.Write([]byte("<nil>"))
- return nil
- }
- var bw *bufio.Writer
- ww, ok := w.(writer)
- if !ok {
- bw = bufio.NewWriter(w)
- ww = bw
- }
- aw := &textWriter{
- w: ww,
- complete: true,
- compact: compact,
- }
-
- if tm, ok := pb.(encoding.TextMarshaler); ok {
- text, err := tm.MarshalText()
- if err != nil {
- return err
- }
- if _, err = aw.Write(text); err != nil {
- return err
- }
- if bw != nil {
- return bw.Flush()
- }
- return nil
- }
- // Dereference the received pointer so we don't have outer < and >.
- v := reflect.Indirect(val)
- if err := writeStruct(aw, v); err != nil {
- return err
- }
- if bw != nil {
- return bw.Flush()
- }
- return nil
-}
-
-// MarshalText writes a given protocol buffer in text format.
-// The only errors returned are from w.
-func MarshalText(w io.Writer, pb Message) error {
- return marshalText(w, pb, false)
-}
-
-// MarshalTextString is the same as MarshalText, but returns the string directly.
-func MarshalTextString(pb Message) string {
- var buf bytes.Buffer
- marshalText(&buf, pb, false)
- return buf.String()
-}
-
-// CompactText writes a given protocol buffer in compact text format (one line).
-func CompactText(w io.Writer, pb Message) error { return marshalText(w, pb, true) }
-
-// CompactTextString is the same as CompactText, but returns the string directly.
-func CompactTextString(pb Message) string {
- var buf bytes.Buffer
- marshalText(&buf, pb, true)
- return buf.String()
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/golang/protobuf/proto/text_parser.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/golang/protobuf/proto/text_parser.go
deleted file mode 100644
index d1caeff5d9e04323d108f5b990f94326842e4bd0..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/golang/protobuf/proto/text_parser.go
+++ /dev/null
@@ -1,757 +0,0 @@
-// Go support for Protocol Buffers - Google's data interchange format
-//
-// Copyright 2010 The Go Authors. All rights reserved.
-// https://github.com/golang/protobuf
-//
-// Redistribution and use in source and binary forms, with or without
-// modification, are permitted provided that the following conditions are
-// met:
-//
-// * Redistributions of source code must retain the above copyright
-// notice, this list of conditions and the following disclaimer.
-// * Redistributions in binary form must reproduce the above
-// copyright notice, this list of conditions and the following disclaimer
-// in the documentation and/or other materials provided with the
-// distribution.
-// * Neither the name of Google Inc. nor the names of its
-// contributors may be used to endorse or promote products derived from
-// this software without specific prior written permission.
-//
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
-// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
-// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
-// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-package proto
-
-// Functions for parsing the Text protocol buffer format.
-// TODO: message sets.
-
-import (
- "encoding"
- "errors"
- "fmt"
- "reflect"
- "strconv"
- "strings"
- "unicode/utf8"
-)
-
-type ParseError struct {
- Message string
- Line int // 1-based line number
- Offset int // 0-based byte offset from start of input
-}
-
-func (p *ParseError) Error() string {
- if p.Line == 1 {
- // show offset only for first line
- return fmt.Sprintf("line 1.%d: %v", p.Offset, p.Message)
- }
- return fmt.Sprintf("line %d: %v", p.Line, p.Message)
-}
-
-type token struct {
- value string
- err *ParseError
- line int // line number
- offset int // byte number from start of input, not start of line
- unquoted string // the unquoted version of value, if it was a quoted string
-}
-
-func (t *token) String() string {
- if t.err == nil {
- return fmt.Sprintf("%q (line=%d, offset=%d)", t.value, t.line, t.offset)
- }
- return fmt.Sprintf("parse error: %v", t.err)
-}
-
-type textParser struct {
- s string // remaining input
- done bool // whether the parsing is finished (success or error)
- backed bool // whether back() was called
- offset, line int
- cur token
-}
-
-func newTextParser(s string) *textParser {
- p := new(textParser)
- p.s = s
- p.line = 1
- p.cur.line = 1
- return p
-}
-
-func (p *textParser) errorf(format string, a ...interface{}) *ParseError {
- pe := &ParseError{fmt.Sprintf(format, a...), p.cur.line, p.cur.offset}
- p.cur.err = pe
- p.done = true
- return pe
-}
-
-// Numbers and identifiers are matched by [-+._A-Za-z0-9]
-func isIdentOrNumberChar(c byte) bool {
- switch {
- case 'A' <= c && c <= 'Z', 'a' <= c && c <= 'z':
- return true
- case '0' <= c && c <= '9':
- return true
- }
- switch c {
- case '-', '+', '.', '_':
- return true
- }
- return false
-}
-
-func isWhitespace(c byte) bool {
- switch c {
- case ' ', '\t', '\n', '\r':
- return true
- }
- return false
-}
-
-func (p *textParser) skipWhitespace() {
- i := 0
- for i < len(p.s) && (isWhitespace(p.s[i]) || p.s[i] == '#') {
- if p.s[i] == '#' {
- // comment; skip to end of line or input
- for i < len(p.s) && p.s[i] != '\n' {
- i++
- }
- if i == len(p.s) {
- break
- }
- }
- if p.s[i] == '\n' {
- p.line++
- }
- i++
- }
- p.offset += i
- p.s = p.s[i:len(p.s)]
- if len(p.s) == 0 {
- p.done = true
- }
-}
-
-func (p *textParser) advance() {
- // Skip whitespace
- p.skipWhitespace()
- if p.done {
- return
- }
-
- // Start of non-whitespace
- p.cur.err = nil
- p.cur.offset, p.cur.line = p.offset, p.line
- p.cur.unquoted = ""
- switch p.s[0] {
- case '<', '>', '{', '}', ':', '[', ']', ';', ',':
- // Single symbol
- p.cur.value, p.s = p.s[0:1], p.s[1:len(p.s)]
- case '"', '\'':
- // Quoted string
- i := 1
- for i < len(p.s) && p.s[i] != p.s[0] && p.s[i] != '\n' {
- if p.s[i] == '\\' && i+1 < len(p.s) {
- // skip escaped char
- i++
- }
- i++
- }
- if i >= len(p.s) || p.s[i] != p.s[0] {
- p.errorf("unmatched quote")
- return
- }
- unq, err := unquoteC(p.s[1:i], rune(p.s[0]))
- if err != nil {
- p.errorf("invalid quoted string %v", p.s[0:i+1])
- return
- }
- p.cur.value, p.s = p.s[0:i+1], p.s[i+1:len(p.s)]
- p.cur.unquoted = unq
- default:
- i := 0
- for i < len(p.s) && isIdentOrNumberChar(p.s[i]) {
- i++
- }
- if i == 0 {
- p.errorf("unexpected byte %#x", p.s[0])
- return
- }
- p.cur.value, p.s = p.s[0:i], p.s[i:len(p.s)]
- }
- p.offset += len(p.cur.value)
-}
-
-var (
- errBadUTF8 = errors.New("proto: bad UTF-8")
- errBadHex = errors.New("proto: bad hexadecimal")
-)
-
-func unquoteC(s string, quote rune) (string, error) {
- // This is based on C++'s tokenizer.cc.
- // Despite its name, this is *not* parsing C syntax.
- // For instance, "\0" is an invalid quoted string.
-
- // Avoid allocation in trivial cases.
- simple := true
- for _, r := range s {
- if r == '\\' || r == quote {
- simple = false
- break
- }
- }
- if simple {
- return s, nil
- }
-
- buf := make([]byte, 0, 3*len(s)/2)
- for len(s) > 0 {
- r, n := utf8.DecodeRuneInString(s)
- if r == utf8.RuneError && n == 1 {
- return "", errBadUTF8
- }
- s = s[n:]
- if r != '\\' {
- if r < utf8.RuneSelf {
- buf = append(buf, byte(r))
- } else {
- buf = append(buf, string(r)...)
- }
- continue
- }
-
- ch, tail, err := unescape(s)
- if err != nil {
- return "", err
- }
- buf = append(buf, ch...)
- s = tail
- }
- return string(buf), nil
-}
-
-func unescape(s string) (ch string, tail string, err error) {
- r, n := utf8.DecodeRuneInString(s)
- if r == utf8.RuneError && n == 1 {
- return "", "", errBadUTF8
- }
- s = s[n:]
- switch r {
- case 'a':
- return "\a", s, nil
- case 'b':
- return "\b", s, nil
- case 'f':
- return "\f", s, nil
- case 'n':
- return "\n", s, nil
- case 'r':
- return "\r", s, nil
- case 't':
- return "\t", s, nil
- case 'v':
- return "\v", s, nil
- case '?':
- return "?", s, nil // trigraph workaround
- case '\'', '"', '\\':
- return string(r), s, nil
- case '0', '1', '2', '3', '4', '5', '6', '7', 'x', 'X':
- if len(s) < 2 {
- return "", "", fmt.Errorf(`\%c requires 2 following digits`, r)
- }
- base := 8
- ss := s[:2]
- s = s[2:]
- if r == 'x' || r == 'X' {
- base = 16
- } else {
- ss = string(r) + ss
- }
- i, err := strconv.ParseUint(ss, base, 8)
- if err != nil {
- return "", "", err
- }
- return string([]byte{byte(i)}), s, nil
- case 'u', 'U':
- n := 4
- if r == 'U' {
- n = 8
- }
- if len(s) < n {
- return "", "", fmt.Errorf(`\%c requires %d digits`, r, n)
- }
-
- bs := make([]byte, n/2)
- for i := 0; i < n; i += 2 {
- a, ok1 := unhex(s[i])
- b, ok2 := unhex(s[i+1])
- if !ok1 || !ok2 {
- return "", "", errBadHex
- }
- bs[i/2] = a<<4 | b
- }
- s = s[n:]
- return string(bs), s, nil
- }
- return "", "", fmt.Errorf(`unknown escape \%c`, r)
-}
-
-// Adapted from src/pkg/strconv/quote.go.
-func unhex(b byte) (v byte, ok bool) {
- switch {
- case '0' <= b && b <= '9':
- return b - '0', true
- case 'a' <= b && b <= 'f':
- return b - 'a' + 10, true
- case 'A' <= b && b <= 'F':
- return b - 'A' + 10, true
- }
- return 0, false
-}
-
-// Back off the parser by one token. Can only be done between calls to next().
-// It makes the next advance() a no-op.
-func (p *textParser) back() { p.backed = true }
-
-// Advances the parser and returns the new current token.
-func (p *textParser) next() *token {
- if p.backed || p.done {
- p.backed = false
- return &p.cur
- }
- p.advance()
- if p.done {
- p.cur.value = ""
- } else if len(p.cur.value) > 0 && p.cur.value[0] == '"' {
- // Look for multiple quoted strings separated by whitespace,
- // and concatenate them.
- cat := p.cur
- for {
- p.skipWhitespace()
- if p.done || p.s[0] != '"' {
- break
- }
- p.advance()
- if p.cur.err != nil {
- return &p.cur
- }
- cat.value += " " + p.cur.value
- cat.unquoted += p.cur.unquoted
- }
- p.done = false // parser may have seen EOF, but we want to return cat
- p.cur = cat
- }
- return &p.cur
-}
-
-func (p *textParser) consumeToken(s string) error {
- tok := p.next()
- if tok.err != nil {
- return tok.err
- }
- if tok.value != s {
- p.back()
- return p.errorf("expected %q, found %q", s, tok.value)
- }
- return nil
-}
-
-// Return a RequiredNotSetError indicating which required field was not set.
-func (p *textParser) missingRequiredFieldError(sv reflect.Value) *RequiredNotSetError {
- st := sv.Type()
- sprops := GetProperties(st)
- for i := 0; i < st.NumField(); i++ {
- if !isNil(sv.Field(i)) {
- continue
- }
-
- props := sprops.Prop[i]
- if props.Required {
- return &RequiredNotSetError{fmt.Sprintf("%v.%v", st, props.OrigName)}
- }
- }
- return &RequiredNotSetError{fmt.Sprintf("%v.<unknown field name>", st)} // should not happen
-}
-
-// Returns the index in the struct for the named field, as well as the parsed tag properties.
-func structFieldByName(st reflect.Type, name string) (int, *Properties, bool) {
- sprops := GetProperties(st)
- i, ok := sprops.decoderOrigNames[name]
- if ok {
- return i, sprops.Prop[i], true
- }
- return -1, nil, false
-}
-
-// Consume a ':' from the input stream (if the next token is a colon),
-// returning an error if a colon is needed but not present.
-func (p *textParser) checkForColon(props *Properties, typ reflect.Type) *ParseError {
- tok := p.next()
- if tok.err != nil {
- return tok.err
- }
- if tok.value != ":" {
- // Colon is optional when the field is a group or message.
- needColon := true
- switch props.Wire {
- case "group":
- needColon = false
- case "bytes":
- // A "bytes" field is either a message, a string, or a repeated field;
- // those three become *T, *string and []T respectively, so we can check for
- // this field being a pointer to a non-string.
- if typ.Kind() == reflect.Ptr {
- // *T or *string
- if typ.Elem().Kind() == reflect.String {
- break
- }
- } else if typ.Kind() == reflect.Slice {
- // []T or []*T
- if typ.Elem().Kind() != reflect.Ptr {
- break
- }
- } else if typ.Kind() == reflect.String {
- // The proto3 exception is for a string field,
- // which requires a colon.
- break
- }
- needColon = false
- }
- if needColon {
- return p.errorf("expected ':', found %q", tok.value)
- }
- p.back()
- }
- return nil
-}
-
-func (p *textParser) readStruct(sv reflect.Value, terminator string) error {
- st := sv.Type()
- reqCount := GetProperties(st).reqCount
- var reqFieldErr error
- fieldSet := make(map[string]bool)
- // A struct is a sequence of "name: value", terminated by one of
- // '>' or '}', or the end of the input. A name may also be
- // "[extension]".
- for {
- tok := p.next()
- if tok.err != nil {
- return tok.err
- }
- if tok.value == terminator {
- break
- }
- if tok.value == "[" {
- // Looks like an extension.
- //
- // TODO: Check whether we need to handle
- // namespace rooted names (e.g. ".something.Foo").
- tok = p.next()
- if tok.err != nil {
- return tok.err
- }
- var desc *ExtensionDesc
- // This could be faster, but it's functional.
- // TODO: Do something smarter than a linear scan.
- for _, d := range RegisteredExtensions(reflect.New(st).Interface().(Message)) {
- if d.Name == tok.value {
- desc = d
- break
- }
- }
- if desc == nil {
- return p.errorf("unrecognized extension %q", tok.value)
- }
- // Check the extension terminator.
- tok = p.next()
- if tok.err != nil {
- return tok.err
- }
- if tok.value != "]" {
- return p.errorf("unrecognized extension terminator %q", tok.value)
- }
-
- props := &Properties{}
- props.Parse(desc.Tag)
-
- typ := reflect.TypeOf(desc.ExtensionType)
- if err := p.checkForColon(props, typ); err != nil {
- return err
- }
-
- rep := desc.repeated()
-
- // Read the extension structure, and set it in
- // the value we're constructing.
- var ext reflect.Value
- if !rep {
- ext = reflect.New(typ).Elem()
- } else {
- ext = reflect.New(typ.Elem()).Elem()
- }
- if err := p.readAny(ext, props); err != nil {
- if _, ok := err.(*RequiredNotSetError); !ok {
- return err
- }
- reqFieldErr = err
- }
- ep := sv.Addr().Interface().(extendableProto)
- if !rep {
- SetExtension(ep, desc, ext.Interface())
- } else {
- old, err := GetExtension(ep, desc)
- var sl reflect.Value
- if err == nil {
- sl = reflect.ValueOf(old) // existing slice
- } else {
- sl = reflect.MakeSlice(typ, 0, 1)
- }
- sl = reflect.Append(sl, ext)
- SetExtension(ep, desc, sl.Interface())
- }
- } else {
- // This is a normal, non-extension field.
- name := tok.value
- fi, props, ok := structFieldByName(st, name)
- if !ok {
- return p.errorf("unknown field name %q in %v", name, st)
- }
-
- dst := sv.Field(fi)
-
- if dst.Kind() == reflect.Map {
- // Consume any colon.
- if err := p.checkForColon(props, dst.Type()); err != nil {
- return err
- }
-
- // Construct the map if it doesn't already exist.
- if dst.IsNil() {
- dst.Set(reflect.MakeMap(dst.Type()))
- }
- key := reflect.New(dst.Type().Key()).Elem()
- val := reflect.New(dst.Type().Elem()).Elem()
-
- // The map entry should be this sequence of tokens:
- // < key : KEY value : VALUE >
- // Technically the "key" and "value" could come in any order,
- // but in practice they won't.
-
- tok := p.next()
- var terminator string
- switch tok.value {
- case "<":
- terminator = ">"
- case "{":
- terminator = "}"
- default:
- return p.errorf("expected '{' or '<', found %q", tok.value)
- }
- if err := p.consumeToken("key"); err != nil {
- return err
- }
- if err := p.consumeToken(":"); err != nil {
- return err
- }
- if err := p.readAny(key, props.mkeyprop); err != nil {
- return err
- }
- if err := p.consumeToken("value"); err != nil {
- return err
- }
- if err := p.checkForColon(props.mvalprop, dst.Type().Elem()); err != nil {
- return err
- }
- if err := p.readAny(val, props.mvalprop); err != nil {
- return err
- }
- if err := p.consumeToken(terminator); err != nil {
- return err
- }
-
- dst.SetMapIndex(key, val)
- continue
- }
-
- // Check that it's not already set if it's not a repeated field.
- if !props.Repeated && fieldSet[name] {
- return p.errorf("non-repeated field %q was repeated", name)
- }
-
- if err := p.checkForColon(props, st.Field(fi).Type); err != nil {
- return err
- }
-
- // Parse into the field.
- fieldSet[name] = true
- if err := p.readAny(dst, props); err != nil {
- if _, ok := err.(*RequiredNotSetError); !ok {
- return err
- }
- reqFieldErr = err
- } else if props.Required {
- reqCount--
- }
- }
-
- // For backward compatibility, permit a semicolon or comma after a field.
- tok = p.next()
- if tok.err != nil {
- return tok.err
- }
- if tok.value != ";" && tok.value != "," {
- p.back()
- }
- }
-
- if reqCount > 0 {
- return p.missingRequiredFieldError(sv)
- }
- return reqFieldErr
-}
-
-func (p *textParser) readAny(v reflect.Value, props *Properties) error {
- tok := p.next()
- if tok.err != nil {
- return tok.err
- }
- if tok.value == "" {
- return p.errorf("unexpected EOF")
- }
-
- switch fv := v; fv.Kind() {
- case reflect.Slice:
- at := v.Type()
- if at.Elem().Kind() == reflect.Uint8 {
- // Special case for []byte
- if tok.value[0] != '"' && tok.value[0] != '\'' {
- // Deliberately written out here, as the error after
- // this switch statement would write "invalid []byte: ...",
- // which is not as user-friendly.
- return p.errorf("invalid string: %v", tok.value)
- }
- bytes := []byte(tok.unquoted)
- fv.Set(reflect.ValueOf(bytes))
- return nil
- }
- // Repeated field. May already exist.
- flen := fv.Len()
- if flen == fv.Cap() {
- nav := reflect.MakeSlice(at, flen, 2*flen+1)
- reflect.Copy(nav, fv)
- fv.Set(nav)
- }
- fv.SetLen(flen + 1)
-
- // Read one.
- p.back()
- return p.readAny(fv.Index(flen), props)
- case reflect.Bool:
- // Either "true", "false", 1 or 0.
- switch tok.value {
- case "true", "1":
- fv.SetBool(true)
- return nil
- case "false", "0":
- fv.SetBool(false)
- return nil
- }
- case reflect.Float32, reflect.Float64:
- v := tok.value
- // Ignore 'f' for compatibility with output generated by C++, but don't
- // remove 'f' when the value is "-inf" or "inf".
- if strings.HasSuffix(v, "f") && tok.value != "-inf" && tok.value != "inf" {
- v = v[:len(v)-1]
- }
- if f, err := strconv.ParseFloat(v, fv.Type().Bits()); err == nil {
- fv.SetFloat(f)
- return nil
- }
- case reflect.Int32:
- if x, err := strconv.ParseInt(tok.value, 0, 32); err == nil {
- fv.SetInt(x)
- return nil
- }
-
- if len(props.Enum) == 0 {
- break
- }
- m, ok := enumValueMaps[props.Enum]
- if !ok {
- break
- }
- x, ok := m[tok.value]
- if !ok {
- break
- }
- fv.SetInt(int64(x))
- return nil
- case reflect.Int64:
- if x, err := strconv.ParseInt(tok.value, 0, 64); err == nil {
- fv.SetInt(x)
- return nil
- }
-
- case reflect.Ptr:
- // A basic field (indirected through pointer), or a repeated message/group
- p.back()
- fv.Set(reflect.New(fv.Type().Elem()))
- return p.readAny(fv.Elem(), props)
- case reflect.String:
- if tok.value[0] == '"' || tok.value[0] == '\'' {
- fv.SetString(tok.unquoted)
- return nil
- }
- case reflect.Struct:
- var terminator string
- switch tok.value {
- case "{":
- terminator = "}"
- case "<":
- terminator = ">"
- default:
- return p.errorf("expected '{' or '<', found %q", tok.value)
- }
- // TODO: Handle nested messages which implement encoding.TextUnmarshaler.
- return p.readStruct(fv, terminator)
- case reflect.Uint32:
- if x, err := strconv.ParseUint(tok.value, 0, 32); err == nil {
- fv.SetUint(uint64(x))
- return nil
- }
- case reflect.Uint64:
- if x, err := strconv.ParseUint(tok.value, 0, 64); err == nil {
- fv.SetUint(x)
- return nil
- }
- }
- return p.errorf("invalid %v: %v", v.Type(), tok.value)
-}
-
-// UnmarshalText reads a protocol buffer in Text format. UnmarshalText resets pb
-// before starting to unmarshal, so any existing data in pb is always removed.
-// If a required field is not set and no other error occurs,
-// UnmarshalText returns *RequiredNotSetError.
-func UnmarshalText(s string, pb Message) error {
- if um, ok := pb.(encoding.TextUnmarshaler); ok {
- err := um.UnmarshalText([]byte(s))
- return err
- }
- pb.Reset()
- v := reflect.ValueOf(pb)
- if pe := newTextParser(s).readStruct(v.Elem(), ""); pe != nil {
- return pe
- }
- return nil
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/opencontainers/specs/LICENSE b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/opencontainers/specs/LICENSE
deleted file mode 100644
index bdc403653e0a053959f28d1d83f72aab72ff20ac..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/opencontainers/specs/LICENSE
+++ /dev/null
@@ -1,191 +0,0 @@
-
- Apache License
- Version 2.0, January 2004
- http://www.apache.org/licenses/
-
- TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
-
- 1. Definitions.
-
- "License" shall mean the terms and conditions for use, reproduction,
- and distribution as defined by Sections 1 through 9 of this document.
-
- "Licensor" shall mean the copyright owner or entity authorized by
- the copyright owner that is granting the License.
-
- "Legal Entity" shall mean the union of the acting entity and all
- other entities that control, are controlled by, or are under common
- control with that entity. For the purposes of this definition,
- "control" means (i) the power, direct or indirect, to cause the
- direction or management of such entity, whether by contract or
- otherwise, or (ii) ownership of fifty percent (50%) or more of the
- outstanding shares, or (iii) beneficial ownership of such entity.
-
- "You" (or "Your") shall mean an individual or Legal Entity
- exercising permissions granted by this License.
-
- "Source" form shall mean the preferred form for making modifications,
- including but not limited to software source code, documentation
- source, and configuration files.
-
- "Object" form shall mean any form resulting from mechanical
- transformation or translation of a Source form, including but
- not limited to compiled object code, generated documentation,
- and conversions to other media types.
-
- "Work" shall mean the work of authorship, whether in Source or
- Object form, made available under the License, as indicated by a
- copyright notice that is included in or attached to the work
- (an example is provided in the Appendix below).
-
- "Derivative Works" shall mean any work, whether in Source or Object
- form, that is based on (or derived from) the Work and for which the
- editorial revisions, annotations, elaborations, or other modifications
- represent, as a whole, an original work of authorship. For the purposes
- of this License, Derivative Works shall not include works that remain
- separable from, or merely link (or bind by name) to the interfaces of,
- the Work and Derivative Works thereof.
-
- "Contribution" shall mean any work of authorship, including
- the original version of the Work and any modifications or additions
- to that Work or Derivative Works thereof, that is intentionally
- submitted to Licensor for inclusion in the Work by the copyright owner
- or by an individual or Legal Entity authorized to submit on behalf of
- the copyright owner. For the purposes of this definition, "submitted"
- means any form of electronic, verbal, or written communication sent
- to the Licensor or its representatives, including but not limited to
- communication on electronic mailing lists, source code control systems,
- and issue tracking systems that are managed by, or on behalf of, the
- Licensor for the purpose of discussing and improving the Work, but
- excluding communication that is conspicuously marked or otherwise
- designated in writing by the copyright owner as "Not a Contribution."
-
- "Contributor" shall mean Licensor and any individual or Legal Entity
- on behalf of whom a Contribution has been received by Licensor and
- subsequently incorporated within the Work.
-
- 2. Grant of Copyright License. Subject to the terms and conditions of
- this License, each Contributor hereby grants to You a perpetual,
- worldwide, non-exclusive, no-charge, royalty-free, irrevocable
- copyright license to reproduce, prepare Derivative Works of,
- publicly display, publicly perform, sublicense, and distribute the
- Work and such Derivative Works in Source or Object form.
-
- 3. Grant of Patent License. Subject to the terms and conditions of
- this License, each Contributor hereby grants to You a perpetual,
- worldwide, non-exclusive, no-charge, royalty-free, irrevocable
- (except as stated in this section) patent license to make, have made,
- use, offer to sell, sell, import, and otherwise transfer the Work,
- where such license applies only to those patent claims licensable
- by such Contributor that are necessarily infringed by their
- Contribution(s) alone or by combination of their Contribution(s)
- with the Work to which such Contribution(s) was submitted. If You
- institute patent litigation against any entity (including a
- cross-claim or counterclaim in a lawsuit) alleging that the Work
- or a Contribution incorporated within the Work constitutes direct
- or contributory patent infringement, then any patent licenses
- granted to You under this License for that Work shall terminate
- as of the date such litigation is filed.
-
- 4. Redistribution. You may reproduce and distribute copies of the
- Work or Derivative Works thereof in any medium, with or without
- modifications, and in Source or Object form, provided that You
- meet the following conditions:
-
- (a) You must give any other recipients of the Work or
- Derivative Works a copy of this License; and
-
- (b) You must cause any modified files to carry prominent notices
- stating that You changed the files; and
-
- (c) You must retain, in the Source form of any Derivative Works
- that You distribute, all copyright, patent, trademark, and
- attribution notices from the Source form of the Work,
- excluding those notices that do not pertain to any part of
- the Derivative Works; and
-
- (d) If the Work includes a "NOTICE" text file as part of its
- distribution, then any Derivative Works that You distribute must
- include a readable copy of the attribution notices contained
- within such NOTICE file, excluding those notices that do not
- pertain to any part of the Derivative Works, in at least one
- of the following places: within a NOTICE text file distributed
- as part of the Derivative Works; within the Source form or
- documentation, if provided along with the Derivative Works; or,
- within a display generated by the Derivative Works, if and
- wherever such third-party notices normally appear. The contents
- of the NOTICE file are for informational purposes only and
- do not modify the License. You may add Your own attribution
- notices within Derivative Works that You distribute, alongside
- or as an addendum to the NOTICE text from the Work, provided
- that such additional attribution notices cannot be construed
- as modifying the License.
-
- You may add Your own copyright statement to Your modifications and
- may provide additional or different license terms and conditions
- for use, reproduction, or distribution of Your modifications, or
- for any such Derivative Works as a whole, provided Your use,
- reproduction, and distribution of the Work otherwise complies with
- the conditions stated in this License.
-
- 5. Submission of Contributions. Unless You explicitly state otherwise,
- any Contribution intentionally submitted for inclusion in the Work
- by You to the Licensor shall be under the terms and conditions of
- this License, without any additional terms or conditions.
- Notwithstanding the above, nothing herein shall supersede or modify
- the terms of any separate license agreement you may have executed
- with Licensor regarding such Contributions.
-
- 6. Trademarks. This License does not grant permission to use the trade
- names, trademarks, service marks, or product names of the Licensor,
- except as required for reasonable and customary use in describing the
- origin of the Work and reproducing the content of the NOTICE file.
-
- 7. Disclaimer of Warranty. Unless required by applicable law or
- agreed to in writing, Licensor provides the Work (and each
- Contributor provides its Contributions) on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- implied, including, without limitation, any warranties or conditions
- of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
- PARTICULAR PURPOSE. You are solely responsible for determining the
- appropriateness of using or redistributing the Work and assume any
- risks associated with Your exercise of permissions under this License.
-
- 8. Limitation of Liability. In no event and under no legal theory,
- whether in tort (including negligence), contract, or otherwise,
- unless required by applicable law (such as deliberate and grossly
- negligent acts) or agreed to in writing, shall any Contributor be
- liable to You for damages, including any direct, indirect, special,
- incidental, or consequential damages of any character arising as a
- result of this License or out of the use or inability to use the
- Work (including but not limited to damages for loss of goodwill,
- work stoppage, computer failure or malfunction, or any and all
- other commercial damages or losses), even if such Contributor
- has been advised of the possibility of such damages.
-
- 9. Accepting Warranty or Additional Liability. While redistributing
- the Work or Derivative Works thereof, You may choose to offer,
- and charge a fee for, acceptance of support, warranty, indemnity,
- or other liability obligations and/or rights consistent with this
- License. However, in accepting such obligations, You may act only
- on Your own behalf and on Your sole responsibility, not on behalf
- of any other Contributor, and only if You agree to indemnify,
- defend, and hold each Contributor harmless for any liability
- incurred by, or claims asserted against, such Contributor by reason
- of your accepting any such warranty or additional liability.
-
- END OF TERMS AND CONDITIONS
-
- Copyright 2015 The Linux Foundation.
-
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/opencontainers/specs/specs-go/config.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/opencontainers/specs/specs-go/config.go
deleted file mode 100644
index ba66ff1c63f9ddf3f53e567b9c19c8d36631ab4e..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/opencontainers/specs/specs-go/config.go
+++ /dev/null
@@ -1,412 +0,0 @@
-package specs
-
-import "os"
-
-// Spec is the base configuration for the container. It specifies platform
-// independent configuration. This information must be included when the
-// bundle is packaged for distribution.
-type Spec struct {
- // Version is the version of the specification that is supported.
- Version string `json:"ociVersion"`
- // Platform is the host information for OS and Arch.
- Platform Platform `json:"platform"`
- // Process is the container's main process.
- Process Process `json:"process"`
- // Root is the root information for the container's filesystem.
- Root Root `json:"root"`
- // Hostname is the container's host name.
- Hostname string `json:"hostname,omitempty"`
- // Mounts profile configuration for adding mounts to the container's filesystem.
- Mounts []Mount `json:"mounts"`
- // Hooks are the commands run at various lifecycle events of the container.
- Hooks Hooks `json:"hooks"`
- // Annotations is an unstructured key value map that may be set by external tools to store and retrieve arbitrary metadata.
- Annotations map[string]string `json:"annotations,omitempty"`
-
- // Linux is platform specific configuration for Linux based containers.
- Linux Linux `json:"linux" platform:"linux"`
-}
-
-// Process contains information to start a specific application inside the container.
-type Process struct {
- // Terminal creates an interactive terminal for the container.
- Terminal bool `json:"terminal"`
- // User specifies user information for the process.
- User User `json:"user"`
- // Args specifies the binary and arguments for the application to execute.
- Args []string `json:"args"`
- // Env populates the process environment for the process.
- Env []string `json:"env,omitempty"`
- // Cwd is the current working directory for the process and must be
- // relative to the container's root.
- Cwd string `json:"cwd"`
- // Capabilities are Linux capabilities that are kept for the container.
- Capabilities []string `json:"capabilities,omitempty" platform:"linux"`
- // Rlimits specifies rlimit options to apply to the process.
- Rlimits []Rlimit `json:"rlimits,omitempty"`
- // NoNewPrivileges controls whether additional privileges could be gained by processes in the container.
- NoNewPrivileges bool `json:"noNewPrivileges,omitempty"`
-
- // ApparmorProfile specified the apparmor profile for the container. (this field is platform dependent)
- ApparmorProfile string `json:"apparmorProfile,omitempty" platform:"linux"`
- // SelinuxProcessLabel specifies the selinux context that the container process is run as. (this field is platform dependent)
- SelinuxLabel string `json:"selinuxLabel,omitempty" platform:"linux"`
-}
-
-// User specifies Linux specific user and group information for the container's
-// main process.
-type User struct {
- // UID is the user id. (this field is platform dependent)
- UID uint32 `json:"uid,omitempty" platform:"linux"`
- // GID is the group id. (this field is platform dependent)
- GID uint32 `json:"gid,omitempty" platform:"linux"`
- // AdditionalGids are additional group ids set for the container's process. (this field is platform dependent)
- AdditionalGids []uint32 `json:"additionalGids,omitempty" platform:"linux"`
-}
-
-// Root contains information about the container's root filesystem on the host.
-type Root struct {
- // Path is the absolute path to the container's root filesystem.
- Path string `json:"path"`
- // Readonly makes the root filesystem for the container readonly before the process is executed.
- Readonly bool `json:"readonly"`
-}
-
-// Platform specifies OS and arch information for the host system that the container
-// is created for.
-type Platform struct {
- // OS is the operating system.
- OS string `json:"os"`
- // Arch is the architecture
- Arch string `json:"arch"`
-}
-
-// Mount specifies a mount for a container.
-type Mount struct {
- // Destination is the path where the mount will be placed relative to the container's root. The path and child directories MUST exist, a runtime MUST NOT create directories automatically to a mount point.
- Destination string `json:"destination"`
- // Type specifies the mount kind.
- Type string `json:"type"`
- // Source specifies the source path of the mount. In the case of bind mounts on
- // Linux based systems this would be the file on the host.
- Source string `json:"source"`
- // Options are fstab style mount options.
- Options []string `json:"options,omitempty"`
-}
-
-// Hook specifies a command that is run at a particular event in the lifecycle of a container
-type Hook struct {
- Path string `json:"path"`
- Args []string `json:"args,omitempty"`
- Env []string `json:"env,omitempty"`
-}
-
-// Hooks for container setup and teardown
-type Hooks struct {
- // Prestart is a list of hooks to be run before the container process is executed.
- // On Linux, they are run after the container namespaces are created.
- Prestart []Hook `json:"prestart,omitempty"`
- // Poststart is a list of hooks to be run after the container process is started.
- Poststart []Hook `json:"poststart,omitempty"`
- // Poststop is a list of hooks to be run after the container process exits.
- Poststop []Hook `json:"poststop,omitempty"`
-}
-
-// Linux contains platform specific configuration for Linux based containers.
-type Linux struct {
- // UIDMapping specifies user mappings for supporting user namespaces on Linux.
- UIDMappings []IDMapping `json:"uidMappings,omitempty"`
- // GIDMapping specifies group mappings for supporting user namespaces on Linux.
- GIDMappings []IDMapping `json:"gidMappings,omitempty"`
- // Sysctl are a set of key value pairs that are set for the container on start
- Sysctl map[string]string `json:"sysctl,omitempty"`
- // Resources contain cgroup information for handling resource constraints
- // for the container
- Resources *Resources `json:"resources,omitempty"`
- // CgroupsPath specifies the path to cgroups that are created and/or joined by the container.
- // The path is expected to be relative to the cgroups mountpoint.
- // If resources are specified, the cgroups at CgroupsPath will be updated based on resources.
- CgroupsPath *string `json:"cgroupsPath,omitempty"`
- // Namespaces contains the namespaces that are created and/or joined by the container
- Namespaces []Namespace `json:"namespaces"`
- // Devices are a list of device nodes that are created for the container
- Devices []Device `json:"devices"`
- // Seccomp specifies the seccomp security settings for the container.
- Seccomp *Seccomp `json:"seccomp,omitempty"`
- // RootfsPropagation is the rootfs mount propagation mode for the container.
- RootfsPropagation string `json:"rootfsPropagation,omitempty"`
-}
-
-// Namespace is the configuration for a Linux namespace
-type Namespace struct {
- // Type is the type of Linux namespace
- Type NamespaceType `json:"type"`
- // Path is a path to an existing namespace persisted on disk that can be joined
- // and is of the same type
- Path string `json:"path,omitempty"`
-}
-
-// NamespaceType is one of the Linux namespaces
-type NamespaceType string
-
-const (
- // PIDNamespace for isolating process IDs
- PIDNamespace NamespaceType = "pid"
- // NetworkNamespace for isolating network devices, stacks, ports, etc
- NetworkNamespace = "network"
- // MountNamespace for isolating mount points
- MountNamespace = "mount"
- // IPCNamespace for isolating System V IPC, POSIX message queues
- IPCNamespace = "ipc"
- // UTSNamespace for isolating hostname and NIS domain name
- UTSNamespace = "uts"
- // UserNamespace for isolating user and group IDs
- UserNamespace = "user"
-)
-
-// IDMapping specifies UID/GID mappings
-type IDMapping struct {
- // HostID is the UID/GID of the host user or group
- HostID uint32 `json:"hostID"`
- // ContainerID is the UID/GID of the container's user or group
- ContainerID uint32 `json:"containerID"`
- // Size is the length of the range of IDs mapped between the two namespaces
- Size uint32 `json:"size"`
-}
-
-// Rlimit type and restrictions
-type Rlimit struct {
- // Type of the rlimit to set
- Type string `json:"type"`
- // Hard is the hard limit for the specified type
- Hard uint64 `json:"hard"`
- // Soft is the soft limit for the specified type
- Soft uint64 `json:"soft"`
-}
-
-// HugepageLimit structure corresponds to limiting kernel hugepages
-type HugepageLimit struct {
- // Pagesize is the hugepage size
- Pagesize *string `json:"pageSize,omitempty"`
- // Limit is the limit of "hugepagesize" hugetlb usage
- Limit *uint64 `json:"limit,omitempty"`
-}
-
-// InterfacePriority for network interfaces
-type InterfacePriority struct {
- // Name is the name of the network interface
- Name string `json:"name"`
- // Priority for the interface
- Priority uint32 `json:"priority"`
-}
-
-// blockIODevice holds major:minor format supported in blkio cgroup
-type blockIODevice struct {
- // Major is the device's major number.
- Major int64 `json:"major"`
- // Minor is the device's minor number.
- Minor int64 `json:"minor"`
-}
-
-// WeightDevice struct holds a `major:minor weight` pair for blkioWeightDevice
-type WeightDevice struct {
- blockIODevice
- // Weight is the bandwidth rate for the device, range is from 10 to 1000
- Weight *uint16 `json:"weight,omitempty"`
- // LeafWeight is the bandwidth rate for the device while competing with the cgroup's child cgroups, range is from 10 to 1000, CFQ scheduler only
- LeafWeight *uint16 `json:"leafWeight,omitempty"`
-}
-
-// ThrottleDevice struct holds a `major:minor rate_per_second` pair
-type ThrottleDevice struct {
- blockIODevice
- // Rate is the IO rate limit per cgroup per device
- Rate *uint64 `json:"rate,omitempty"`
-}
-
-// BlockIO for Linux cgroup 'blkio' resource management
-type BlockIO struct {
- // Specifies per cgroup weight, range is from 10 to 1000
- Weight *uint16 `json:"blkioWeight,omitempty"`
- // Specifies tasks' weight in the given cgroup while competing with the cgroup's child cgroups, range is from 10 to 1000, CFQ scheduler only
- LeafWeight *uint16 `json:"blkioLeafWeight,omitempty"`
- // Weight per cgroup per device, can override BlkioWeight
- WeightDevice []WeightDevice `json:"blkioWeightDevice,omitempty"`
- // IO read rate limit per cgroup per device, bytes per second
- ThrottleReadBpsDevice []ThrottleDevice `json:"blkioThrottleReadBpsDevice,omitempty"`
- // IO write rate limit per cgroup per device, bytes per second
- ThrottleWriteBpsDevice []ThrottleDevice `json:"blkioThrottleWriteBpsDevice,omitempty"`
- // IO read rate limit per cgroup per device, IO per second
- ThrottleReadIOPSDevice []ThrottleDevice `json:"blkioThrottleReadIOPSDevice,omitempty"`
- // IO write rate limit per cgroup per device, IO per second
- ThrottleWriteIOPSDevice []ThrottleDevice `json:"blkioThrottleWriteIOPSDevice,omitempty"`
-}
-
-// Memory for Linux cgroup 'memory' resource management
-type Memory struct {
- // Memory limit (in bytes).
- Limit *uint64 `json:"limit,omitempty"`
- // Memory reservation or soft_limit (in bytes).
- Reservation *uint64 `json:"reservation,omitempty"`
- // Total memory limit (memory + swap).
- Swap *uint64 `json:"swap,omitempty"`
- // Kernel memory limit (in bytes).
- Kernel *uint64 `json:"kernel,omitempty"`
- // Kernel memory limit for tcp (in bytes)
- KernelTCP *uint64 `json:"kernelTCP"`
- // How aggressive the kernel will swap memory pages. Range from 0 to 100.
- Swappiness *uint64 `json:"swappiness,omitempty"`
-}
-
-// CPU for Linux cgroup 'cpu' resource management
-type CPU struct {
- // CPU shares (relative weight (ratio) vs. other cgroups with cpu shares).
- Shares *uint64 `json:"shares,omitempty"`
- // CPU hardcap limit (in usecs). Allowed cpu time in a given period.
- Quota *uint64 `json:"quota,omitempty"`
- // CPU period to be used for hardcapping (in usecs).
- Period *uint64 `json:"period,omitempty"`
- // How much time realtime scheduling may use (in usecs).
- RealtimeRuntime *uint64 `json:"realtimeRuntime,omitempty"`
- // CPU period to be used for realtime scheduling (in usecs).
- RealtimePeriod *uint64 `json:"realtimePeriod,omitempty"`
- // CPUs to use within the cpuset. Default is to use any CPU available.
- Cpus *string `json:"cpus,omitempty"`
- // List of memory nodes in the cpuset. Default is to use any available memory node.
- Mems *string `json:"mems,omitempty"`
-}
-
-// Pids for Linux cgroup 'pids' resource management (Linux 4.3)
-type Pids struct {
- // Maximum number of PIDs. Default is "no limit".
- Limit *int64 `json:"limit,omitempty"`
-}
-
-// Network identification and priority configuration
-type Network struct {
- // Set class identifier for container's network packets
- ClassID *uint32 `json:"classID"`
- // Set priority of network traffic for container
- Priorities []InterfacePriority `json:"priorities,omitempty"`
-}
-
-// Resources has container runtime resource constraints
-type Resources struct {
- // Devices are a list of device rules for the whitelist controller
- Devices []DeviceCgroup `json:"devices"`
- // DisableOOMKiller disables the OOM killer for out of memory conditions
- DisableOOMKiller *bool `json:"disableOOMKiller,omitempty"`
- // Specify an oom_score_adj for the container.
- OOMScoreAdj *int `json:"oomScoreAdj,omitempty"`
- // Memory restriction configuration
- Memory *Memory `json:"memory,omitempty"`
- // CPU resource restriction configuration
- CPU *CPU `json:"cpu,omitempty"`
- // Task resource restriction configuration.
- Pids *Pids `json:"pids,omitempty"`
- // BlockIO restriction configuration
- BlockIO *BlockIO `json:"blockIO,omitempty"`
- // Hugetlb limit (in bytes)
- HugepageLimits []HugepageLimit `json:"hugepageLimits,omitempty"`
- // Network restriction configuration
- Network *Network `json:"network,omitempty"`
-}
-
-// Device represents the mknod information for a Linux special device file
-type Device struct {
- // Path to the device.
- Path string `json:"path"`
- // Device type, block, char, etc.
- Type string `json:"type"`
- // Major is the device's major number.
- Major int64 `json:"major"`
- // Minor is the device's minor number.
- Minor int64 `json:"minor"`
- // FileMode permission bits for the device.
- FileMode *os.FileMode `json:"fileMode,omitempty"`
- // UID of the device.
- UID *uint32 `json:"uid,omitempty"`
- // Gid of the device.
- GID *uint32 `json:"gid,omitempty"`
-}
-
-// DeviceCgroup represents a device rule for the whitelist controller
-type DeviceCgroup struct {
- // Allow or deny
- Allow bool `json:"allow"`
- // Device type, block, char, etc.
- Type *string `json:"type,omitempty"`
- // Major is the device's major number.
- Major *int64 `json:"major,omitempty"`
- // Minor is the device's minor number.
- Minor *int64 `json:"minor,omitempty"`
- // Cgroup access permissions format, rwm.
- Access *string `json:"access,omitempty"`
-}
-
-// Seccomp represents syscall restrictions
-type Seccomp struct {
- DefaultAction Action `json:"defaultAction"`
- Architectures []Arch `json:"architectures"`
- Syscalls []Syscall `json:"syscalls,omitempty"`
-}
-
-// Arch used for additional architectures
-type Arch string
-
-// Additional architectures permitted to be used for system calls
-// By default only the native architecture of the kernel is permitted
-const (
- ArchX86 Arch = "SCMP_ARCH_X86"
- ArchX86_64 Arch = "SCMP_ARCH_X86_64"
- ArchX32 Arch = "SCMP_ARCH_X32"
- ArchARM Arch = "SCMP_ARCH_ARM"
- ArchAARCH64 Arch = "SCMP_ARCH_AARCH64"
- ArchMIPS Arch = "SCMP_ARCH_MIPS"
- ArchMIPS64 Arch = "SCMP_ARCH_MIPS64"
- ArchMIPS64N32 Arch = "SCMP_ARCH_MIPS64N32"
- ArchMIPSEL Arch = "SCMP_ARCH_MIPSEL"
- ArchMIPSEL64 Arch = "SCMP_ARCH_MIPSEL64"
- ArchMIPSEL64N32 Arch = "SCMP_ARCH_MIPSEL64N32"
-)
-
-// Action taken upon Seccomp rule match
-type Action string
-
-// Define actions for Seccomp rules
-const (
- ActKill Action = "SCMP_ACT_KILL"
- ActTrap Action = "SCMP_ACT_TRAP"
- ActErrno Action = "SCMP_ACT_ERRNO"
- ActTrace Action = "SCMP_ACT_TRACE"
- ActAllow Action = "SCMP_ACT_ALLOW"
-)
-
-// Operator used to match syscall arguments in Seccomp
-type Operator string
-
-// Define operators for syscall arguments in Seccomp
-const (
- OpNotEqual Operator = "SCMP_CMP_NE"
- OpLessThan Operator = "SCMP_CMP_LT"
- OpLessEqual Operator = "SCMP_CMP_LE"
- OpEqualTo Operator = "SCMP_CMP_EQ"
- OpGreaterEqual Operator = "SCMP_CMP_GE"
- OpGreaterThan Operator = "SCMP_CMP_GT"
- OpMaskedEqual Operator = "SCMP_CMP_MASKED_EQ"
-)
-
-// Arg used for matching specific syscall arguments in Seccomp
-type Arg struct {
- Index uint `json:"index"`
- Value uint64 `json:"value"`
- ValueTwo uint64 `json:"valueTwo"`
- Op Operator `json:"op"`
-}
-
-// Syscall is used to match a syscall in Seccomp
-type Syscall struct {
- Name string `json:"name"`
- Action Action `json:"action"`
- Args []Arg `json:"args,omitempty"`
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/opencontainers/specs/specs-go/state.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/opencontainers/specs/specs-go/state.go
deleted file mode 100644
index d3ad79d9c23f640fd7a26c79497a18ff515ad7bd..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/opencontainers/specs/specs-go/state.go
+++ /dev/null
@@ -1,13 +0,0 @@
-package specs
-
-// State holds information about the runtime state of the container.
-type State struct {
- // Version is the version of the specification that is supported.
- Version string `json:"version"`
- // ID is the container ID
- ID string `json:"id"`
- // Pid is the process id for the container's main process.
- Pid int `json:"pid"`
- // BundlePath is the path to the container's bundle directory.
- BundlePath string `json:"bundlePath"`
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/opencontainers/specs/specs-go/version.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/opencontainers/specs/specs-go/version.go
deleted file mode 100644
index f11c8978960fada59cc8fd93f7315ab199b518f3..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/opencontainers/specs/specs-go/version.go
+++ /dev/null
@@ -1,18 +0,0 @@
-package specs
-
-import "fmt"
-
-const (
- // VersionMajor is for an API incompatible changes
- VersionMajor = 0
- // VersionMinor is for functionality in a backwards-compatible manner
- VersionMinor = 4
- // VersionPatch is for backwards-compatible bug fixes
- VersionPatch = 0
-
- // VersionDev indicates development branch. Releases will be empty string.
- VersionDev = ""
-)
-
-// Version is the specification version that the package types support.
-var Version = fmt.Sprintf("%d.%d.%d%s", VersionMajor, VersionMinor, VersionPatch, VersionDev)
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/seccomp/libseccomp-golang/LICENSE b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/seccomp/libseccomp-golang/LICENSE
deleted file mode 100644
index 81cf60de29ef6ded599bedc36ac4dcf2ef511375..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/seccomp/libseccomp-golang/LICENSE
+++ /dev/null
@@ -1,22 +0,0 @@
-Copyright (c) 2015 Matthew Heon <mheon@redhat.com>
-Copyright (c) 2015 Paul Moore <pmoore@redhat.com>
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-- Redistributions of source code must retain the above copyright notice,
- this list of conditions and the following disclaimer.
-- Redistributions in binary form must reproduce the above copyright notice,
- this list of conditions and the following disclaimer in the documentation
- and/or other materials provided with the distribution.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
-ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
-WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/seccomp/libseccomp-golang/seccomp.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/seccomp/libseccomp-golang/seccomp.go
deleted file mode 100644
index cebafdfae8414da20c284412d6fffe8f2963aa96..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/seccomp/libseccomp-golang/seccomp.go
+++ /dev/null
@@ -1,827 +0,0 @@
-// +build linux
-
-// Public API specification for libseccomp Go bindings
-// Contains public API for the bindings
-
-// Package seccomp rovides bindings for libseccomp, a library wrapping the Linux
-// seccomp syscall. Seccomp enables an application to restrict system call use
-// for itself and its children.
-package seccomp
-
-import (
- "fmt"
- "os"
- "runtime"
- "strings"
- "sync"
- "syscall"
- "unsafe"
-)
-
-// C wrapping code
-
-// #cgo LDFLAGS: -lseccomp
-// #include <stdlib.h>
-// #include <seccomp.h>
-import "C"
-
-// Exported types
-
-// ScmpArch represents a CPU architecture. Seccomp can restrict syscalls on a
-// per-architecture basis.
-type ScmpArch uint
-
-// ScmpAction represents an action to be taken on a filter rule match in
-// libseccomp
-type ScmpAction uint
-
-// ScmpCompareOp represents a comparison operator which can be used in a filter
-// rule
-type ScmpCompareOp uint
-
-// ScmpCondition represents a rule in a libseccomp filter context
-type ScmpCondition struct {
- Argument uint `json:"argument,omitempty"`
- Op ScmpCompareOp `json:"operator,omitempty"`
- Operand1 uint64 `json:"operand_one,omitempty"`
- Operand2 uint64 `json:"operand_two,omitempty"`
-}
-
-// ScmpSyscall represents a Linux System Call
-type ScmpSyscall int32
-
-// Exported Constants
-
-const (
- // Valid architectures recognized by libseccomp
- // ARM64 and all MIPS architectures are unsupported by versions of the
- // library before v2.2 and will return errors if used
-
- // ArchInvalid is a placeholder to ensure uninitialized ScmpArch
- // variables are invalid
- ArchInvalid ScmpArch = iota
- // ArchNative is the native architecture of the kernel
- ArchNative ScmpArch = iota
- // ArchX86 represents 32-bit x86 syscalls
- ArchX86 ScmpArch = iota
- // ArchAMD64 represents 64-bit x86-64 syscalls
- ArchAMD64 ScmpArch = iota
- // ArchX32 represents 64-bit x86-64 syscalls (32-bit pointers)
- ArchX32 ScmpArch = iota
- // ArchARM represents 32-bit ARM syscalls
- ArchARM ScmpArch = iota
- // ArchARM64 represents 64-bit ARM syscalls
- ArchARM64 ScmpArch = iota
- // ArchMIPS represents 32-bit MIPS syscalls
- ArchMIPS ScmpArch = iota
- // ArchMIPS64 represents 64-bit MIPS syscalls
- ArchMIPS64 ScmpArch = iota
- // ArchMIPS64N32 represents 64-bit MIPS syscalls (32-bit pointers)
- ArchMIPS64N32 ScmpArch = iota
- // ArchMIPSEL represents 32-bit MIPS syscalls (little endian)
- ArchMIPSEL ScmpArch = iota
- // ArchMIPSEL64 represents 64-bit MIPS syscalls (little endian)
- ArchMIPSEL64 ScmpArch = iota
- // ArchMIPSEL64N32 represents 64-bit MIPS syscalls (little endian,
- // 32-bit pointers)
- ArchMIPSEL64N32 ScmpArch = iota
-)
-
-const (
- // Supported actions on filter match
-
- // ActInvalid is a placeholder to ensure uninitialized ScmpAction
- // variables are invalid
- ActInvalid ScmpAction = iota
- // ActKill kills the process
- ActKill ScmpAction = iota
- // ActTrap throws SIGSYS
- ActTrap ScmpAction = iota
- // ActErrno causes the syscall to return a negative error code. This
- // code can be set with the SetReturnCode method
- ActErrno ScmpAction = iota
- // ActTrace causes the syscall to notify tracing processes with the
- // given error code. This code can be set with the SetReturnCode method
- ActTrace ScmpAction = iota
- // ActAllow permits the syscall to continue execution
- ActAllow ScmpAction = iota
-)
-
-const (
- // These are comparison operators used in conditional seccomp rules
- // They are used to compare the value of a single argument of a syscall
- // against a user-defined constant
-
- // CompareInvalid is a placeholder to ensure uninitialized ScmpCompareOp
- // variables are invalid
- CompareInvalid ScmpCompareOp = iota
- // CompareNotEqual returns true if the argument is not equal to the
- // given value
- CompareNotEqual ScmpCompareOp = iota
- // CompareLess returns true if the argument is less than the given value
- CompareLess ScmpCompareOp = iota
- // CompareLessOrEqual returns true if the argument is less than or equal
- // to the given value
- CompareLessOrEqual ScmpCompareOp = iota
- // CompareEqual returns true if the argument is equal to the given value
- CompareEqual ScmpCompareOp = iota
- // CompareGreaterEqual returns true if the argument is greater than or
- // equal to the given value
- CompareGreaterEqual ScmpCompareOp = iota
- // CompareGreater returns true if the argument is greater than the given
- // value
- CompareGreater ScmpCompareOp = iota
- // CompareMaskedEqual returns true if the argument is equal to the given
- // value, when masked (bitwise &) against the second given value
- CompareMaskedEqual ScmpCompareOp = iota
-)
-
-// Helpers for types
-
-// GetArchFromString returns an ScmpArch constant from a string representing an
-// architecture
-func GetArchFromString(arch string) (ScmpArch, error) {
- switch strings.ToLower(arch) {
- case "x86":
- return ArchX86, nil
- case "amd64", "x86-64", "x86_64", "x64":
- return ArchAMD64, nil
- case "x32":
- return ArchX32, nil
- case "arm":
- return ArchARM, nil
- case "arm64", "aarch64":
- return ArchARM64, nil
- case "mips":
- return ArchMIPS, nil
- case "mips64":
- return ArchMIPS64, nil
- case "mips64n32":
- return ArchMIPS64N32, nil
- case "mipsel":
- return ArchMIPSEL, nil
- case "mipsel64":
- return ArchMIPSEL64, nil
- case "mipsel64n32":
- return ArchMIPSEL64N32, nil
- default:
- return ArchInvalid, fmt.Errorf("cannot convert unrecognized string %s", arch)
- }
-}
-
-// String returns a string representation of an architecture constant
-func (a ScmpArch) String() string {
- switch a {
- case ArchX86:
- return "x86"
- case ArchAMD64:
- return "amd64"
- case ArchX32:
- return "x32"
- case ArchARM:
- return "arm"
- case ArchARM64:
- return "arm64"
- case ArchMIPS:
- return "mips"
- case ArchMIPS64:
- return "mips64"
- case ArchMIPS64N32:
- return "mips64n32"
- case ArchMIPSEL:
- return "mipsel"
- case ArchMIPSEL64:
- return "mipsel64"
- case ArchMIPSEL64N32:
- return "mipsel64n32"
- case ArchNative:
- return "native"
- case ArchInvalid:
- return "Invalid architecture"
- default:
- return "Unknown architecture"
- }
-}
-
-// String returns a string representation of a comparison operator constant
-func (a ScmpCompareOp) String() string {
- switch a {
- case CompareNotEqual:
- return "Not equal"
- case CompareLess:
- return "Less than"
- case CompareLessOrEqual:
- return "Less than or equal to"
- case CompareEqual:
- return "Equal"
- case CompareGreaterEqual:
- return "Greater than or equal to"
- case CompareGreater:
- return "Greater than"
- case CompareMaskedEqual:
- return "Masked equality"
- case CompareInvalid:
- return "Invalid comparison operator"
- default:
- return "Unrecognized comparison operator"
- }
-}
-
-// String returns a string representation of a seccomp match action
-func (a ScmpAction) String() string {
- switch a & 0xFFFF {
- case ActKill:
- return "Action: Kill Process"
- case ActTrap:
- return "Action: Send SIGSYS"
- case ActErrno:
- return fmt.Sprintf("Action: Return error code %d", (a >> 16))
- case ActTrace:
- return fmt.Sprintf("Action: Notify tracing processes with code %d",
- (a >> 16))
- case ActAllow:
- return "Action: Allow system call"
- default:
- return "Unrecognized Action"
- }
-}
-
-// SetReturnCode adds a return code to a supporting ScmpAction, clearing any
-// existing code Only valid on ActErrno and ActTrace. Takes no action otherwise.
-// Accepts 16-bit return code as argument.
-// Returns a valid ScmpAction of the original type with the new error code set.
-func (a ScmpAction) SetReturnCode(code int16) ScmpAction {
- aTmp := a & 0x0000FFFF
- if aTmp == ActErrno || aTmp == ActTrace {
- return (aTmp | (ScmpAction(code)&0xFFFF)<<16)
- }
- return a
-}
-
-// GetReturnCode returns the return code of an ScmpAction
-func (a ScmpAction) GetReturnCode() int16 {
- return int16(a >> 16)
-}
-
-// General utility functions
-
-// GetLibraryVersion returns the version of the library the bindings are built
-// against.
-// The version is formatted as follows: Major.Minor.Micro
-func GetLibraryVersion() (major, minor, micro int) {
- return verMajor, verMinor, verMicro
-}
-
-// Syscall functions
-
-// GetName retrieves the name of a syscall from its number.
-// Acts on any syscall number.
-// Returns either a string containing the name of the syscall, or an error.
-func (s ScmpSyscall) GetName() (string, error) {
- return s.GetNameByArch(ArchNative)
-}
-
-// GetNameByArch retrieves the name of a syscall from its number for a given
-// architecture.
-// Acts on any syscall number.
-// Accepts a valid architecture constant.
-// Returns either a string containing the name of the syscall, or an error.
-// if the syscall is unrecognized or an issue occurred.
-func (s ScmpSyscall) GetNameByArch(arch ScmpArch) (string, error) {
- if err := sanitizeArch(arch); err != nil {
- return "", err
- }
-
- cString := C.seccomp_syscall_resolve_num_arch(arch.toNative(), C.int(s))
- if cString == nil {
- return "", fmt.Errorf("could not resolve syscall name")
- }
- defer C.free(unsafe.Pointer(cString))
-
- finalStr := C.GoString(cString)
- return finalStr, nil
-}
-
-// GetSyscallFromName returns the number of a syscall by name on the kernel's
-// native architecture.
-// Accepts a string containing the name of a syscall.
-// Returns the number of the syscall, or an error if no syscall with that name
-// was found.
-func GetSyscallFromName(name string) (ScmpSyscall, error) {
- cString := C.CString(name)
- defer C.free(unsafe.Pointer(cString))
-
- result := C.seccomp_syscall_resolve_name(cString)
- if result == scmpError {
- return 0, fmt.Errorf("could not resolve name to syscall")
- }
-
- return ScmpSyscall(result), nil
-}
-
-// GetSyscallFromNameByArch returns the number of a syscall by name for a given
-// architecture's ABI.
-// Accepts the name of a syscall and an architecture constant.
-// Returns the number of the syscall, or an error if an invalid architecture is
-// passed or a syscall with that name was not found.
-func GetSyscallFromNameByArch(name string, arch ScmpArch) (ScmpSyscall, error) {
- if err := sanitizeArch(arch); err != nil {
- return 0, err
- }
-
- cString := C.CString(name)
- defer C.free(unsafe.Pointer(cString))
-
- result := C.seccomp_syscall_resolve_name_arch(arch.toNative(), cString)
- if result == scmpError {
- return 0, fmt.Errorf("could not resolve name to syscall")
- }
-
- return ScmpSyscall(result), nil
-}
-
-// MakeCondition creates and returns a new condition to attach to a filter rule.
-// Associated rules will only match if this condition is true.
-// Accepts the number the argument we are checking, and a comparison operator
-// and value to compare to.
-// The rule will match if argument $arg (zero-indexed) of the syscall is
-// $COMPARE_OP the provided comparison value.
-// Some comparison operators accept two values. Masked equals, for example,
-// will mask $arg of the syscall with the second value provided (via bitwise
-// AND) and then compare against the first value provided.
-// For example, in the less than or equal case, if the syscall argument was
-// 0 and the value provided was 1, the condition would match, as 0 is less
-// than or equal to 1.
-// Return either an error on bad argument or a valid ScmpCondition struct.
-func MakeCondition(arg uint, comparison ScmpCompareOp, values ...uint64) (ScmpCondition, error) {
- var condStruct ScmpCondition
-
- if comparison == CompareInvalid {
- return condStruct, fmt.Errorf("invalid comparison operator")
- } else if arg > 5 {
- return condStruct, fmt.Errorf("syscalls only have up to 6 arguments")
- } else if len(values) > 2 {
- return condStruct, fmt.Errorf("conditions can have at most 2 arguments")
- } else if len(values) == 0 {
- return condStruct, fmt.Errorf("must provide at least one value to compare against")
- }
-
- condStruct.Argument = arg
- condStruct.Op = comparison
- condStruct.Operand1 = values[0]
- if len(values) == 2 {
- condStruct.Operand2 = values[1]
- } else {
- condStruct.Operand2 = 0 // Unused
- }
-
- return condStruct, nil
-}
-
-// Utility Functions
-
-// GetNativeArch returns architecture token representing the native kernel
-// architecture
-func GetNativeArch() (ScmpArch, error) {
- arch := C.seccomp_arch_native()
-
- return archFromNative(arch)
-}
-
-// Public Filter API
-
-// ScmpFilter represents a filter context in libseccomp.
-// A filter context is initially empty. Rules can be added to it, and it can
-// then be loaded into the kernel.
-type ScmpFilter struct {
- filterCtx C.scmp_filter_ctx
- valid bool
- lock sync.Mutex
-}
-
-// NewFilter creates and returns a new filter context.
-// Accepts a default action to be taken for syscalls which match no rules in
-// the filter.
-// Returns a reference to a valid filter context, or nil and an error if the
-// filter context could not be created or an invalid default action was given.
-func NewFilter(defaultAction ScmpAction) (*ScmpFilter, error) {
- if err := sanitizeAction(defaultAction); err != nil {
- return nil, err
- }
-
- fPtr := C.seccomp_init(defaultAction.toNative())
- if fPtr == nil {
- return nil, fmt.Errorf("could not create filter")
- }
-
- filter := new(ScmpFilter)
- filter.filterCtx = fPtr
- filter.valid = true
- runtime.SetFinalizer(filter, filterFinalizer)
-
- return filter, nil
-}
-
-// IsValid determines whether a filter context is valid to use.
-// Some operations (Release and Merge) render filter contexts invalid and
-// consequently prevent further use.
-func (f *ScmpFilter) IsValid() bool {
- f.lock.Lock()
- defer f.lock.Unlock()
-
- return f.valid
-}
-
-// Reset resets a filter context, removing all its existing state.
-// Accepts a new default action to be taken for syscalls which do not match.
-// Returns an error if the filter or action provided are invalid.
-func (f *ScmpFilter) Reset(defaultAction ScmpAction) error {
- f.lock.Lock()
- defer f.lock.Unlock()
-
- if err := sanitizeAction(defaultAction); err != nil {
- return err
- } else if !f.valid {
- return errBadFilter
- }
-
- retCode := C.seccomp_reset(f.filterCtx, defaultAction.toNative())
- if retCode != 0 {
- return syscall.Errno(-1 * retCode)
- }
-
- return nil
-}
-
-// Release releases a filter context, freeing its memory. Should be called after
-// loading into the kernel, when the filter is no longer needed.
-// After calling this function, the given filter is no longer valid and cannot
-// be used.
-// Release() will be invoked automatically when a filter context is garbage
-// collected, but can also be called manually to free memory.
-func (f *ScmpFilter) Release() {
- f.lock.Lock()
- defer f.lock.Unlock()
-
- if !f.valid {
- return
- }
-
- f.valid = false
- C.seccomp_release(f.filterCtx)
-}
-
-// Merge merges two filter contexts.
-// The source filter src will be released as part of the process, and will no
-// longer be usable or valid after this call.
-// To be merged, filters must NOT share any architectures, and all their
-// attributes (Default Action, Bad Arch Action, No New Privs and TSync bools)
-// must match.
-// The filter src will be merged into the filter this is called on.
-// The architectures of the src filter not present in the destination, and all
-// associated rules, will be added to the destination.
-// Returns an error if merging the filters failed.
-func (f *ScmpFilter) Merge(src *ScmpFilter) error {
- f.lock.Lock()
- defer f.lock.Unlock()
-
- src.lock.Lock()
- defer src.lock.Unlock()
-
- if !src.valid || !f.valid {
- return fmt.Errorf("one or more of the filter contexts is invalid or uninitialized")
- }
-
- // Merge the filters
- retCode := C.seccomp_merge(f.filterCtx, src.filterCtx)
- if syscall.Errno(-1*retCode) == syscall.EINVAL {
- return fmt.Errorf("filters could not be merged due to a mismatch in attributes or invalid filter")
- } else if retCode != 0 {
- return syscall.Errno(-1 * retCode)
- }
-
- src.valid = false
-
- return nil
-}
-
-// IsArchPresent checks if an architecture is present in a filter.
-// If a filter contains an architecture, it uses its default action for
-// syscalls which do not match rules in it, and its rules can match syscalls
-// for that ABI.
-// If a filter does not contain an architecture, all syscalls made to that
-// kernel ABI will fail with the filter's default Bad Architecture Action
-// (by default, killing the process).
-// Accepts an architecture constant.
-// Returns true if the architecture is present in the filter, false otherwise,
-// and an error on an invalid filter context, architecture constant, or an
-// issue with the call to libseccomp.
-func (f *ScmpFilter) IsArchPresent(arch ScmpArch) (bool, error) {
- f.lock.Lock()
- defer f.lock.Unlock()
-
- if err := sanitizeArch(arch); err != nil {
- return false, err
- } else if !f.valid {
- return false, errBadFilter
- }
-
- retCode := C.seccomp_arch_exist(f.filterCtx, arch.toNative())
- if syscall.Errno(-1*retCode) == syscall.EEXIST {
- // -EEXIST is "arch not present"
- return false, nil
- } else if retCode != 0 {
- return false, syscall.Errno(-1 * retCode)
- }
-
- return true, nil
-}
-
-// AddArch adds an architecture to the filter.
-// Accepts an architecture constant.
-// Returns an error on invalid filter context or architecture token, or an
-// issue with the call to libseccomp.
-func (f *ScmpFilter) AddArch(arch ScmpArch) error {
- f.lock.Lock()
- defer f.lock.Unlock()
-
- if err := sanitizeArch(arch); err != nil {
- return err
- } else if !f.valid {
- return errBadFilter
- }
-
- // Libseccomp returns -EEXIST if the specified architecture is already
- // present. Succeed silently in this case, as it's not fatal, and the
- // architecture is present already.
- retCode := C.seccomp_arch_add(f.filterCtx, arch.toNative())
- if retCode != 0 && syscall.Errno(-1*retCode) != syscall.EEXIST {
- return syscall.Errno(-1 * retCode)
- }
-
- return nil
-}
-
-// RemoveArch removes an architecture from the filter.
-// Accepts an architecture constant.
-// Returns an error on invalid filter context or architecture token, or an
-// issue with the call to libseccomp.
-func (f *ScmpFilter) RemoveArch(arch ScmpArch) error {
- f.lock.Lock()
- defer f.lock.Unlock()
-
- if err := sanitizeArch(arch); err != nil {
- return err
- } else if !f.valid {
- return errBadFilter
- }
-
- // Similar to AddArch, -EEXIST is returned if the arch is not present
- // Succeed silently in that case, this is not fatal and the architecture
- // is not present in the filter after RemoveArch
- retCode := C.seccomp_arch_remove(f.filterCtx, arch.toNative())
- if retCode != 0 && syscall.Errno(-1*retCode) != syscall.EEXIST {
- return syscall.Errno(-1 * retCode)
- }
-
- return nil
-}
-
-// Load loads a filter context into the kernel.
-// Returns an error if the filter context is invalid or the syscall failed.
-func (f *ScmpFilter) Load() error {
- f.lock.Lock()
- defer f.lock.Unlock()
-
- if !f.valid {
- return errBadFilter
- }
-
- if retCode := C.seccomp_load(f.filterCtx); retCode != 0 {
- return syscall.Errno(-1 * retCode)
- }
-
- return nil
-}
-
-// GetDefaultAction returns the default action taken on a syscall which does not
-// match a rule in the filter, or an error if an issue was encountered
-// retrieving the value.
-func (f *ScmpFilter) GetDefaultAction() (ScmpAction, error) {
- action, err := f.getFilterAttr(filterAttrActDefault)
- if err != nil {
- return 0x0, err
- }
-
- return actionFromNative(action)
-}
-
-// GetBadArchAction returns the default action taken on a syscall for an
-// architecture not in the filter, or an error if an issue was encountered
-// retrieving the value.
-func (f *ScmpFilter) GetBadArchAction() (ScmpAction, error) {
- action, err := f.getFilterAttr(filterAttrActBadArch)
- if err != nil {
- return 0x0, err
- }
-
- return actionFromNative(action)
-}
-
-// GetNoNewPrivsBit returns the current state the No New Privileges bit will be set
-// to on the filter being loaded, or an error if an issue was encountered
-// retrieving the value.
-// The No New Privileges bit tells the kernel that new processes run with exec()
-// cannot gain more privileges than the process that ran exec().
-// For example, a process with No New Privileges set would be unable to exec
-// setuid/setgid executables.
-func (f *ScmpFilter) GetNoNewPrivsBit() (bool, error) {
- noNewPrivs, err := f.getFilterAttr(filterAttrNNP)
- if err != nil {
- return false, err
- }
-
- if noNewPrivs == 0 {
- return false, nil
- }
-
- return true, nil
-}
-
-// GetTsyncBit returns whether Thread Synchronization will be enabled on the
-// filter being loaded, or an error if an issue was encountered retrieving the
-// value.
-// Thread Sync ensures that all members of the thread group of the calling
-// process will share the same Seccomp filter set.
-// Tsync is a fairly recent addition to the Linux kernel and older kernels
-// lack support. If the running kernel does not support Tsync and it is
-// requested in a filter, Libseccomp will not enable TSync support and will
-// proceed as normal.
-// This function is unavailable before v2.2 of libseccomp and will return an
-// error.
-func (f *ScmpFilter) GetTsyncBit() (bool, error) {
- tSync, err := f.getFilterAttr(filterAttrTsync)
- if err != nil {
- return false, err
- }
-
- if tSync == 0 {
- return false, nil
- }
-
- return true, nil
-}
-
-// SetBadArchAction sets the default action taken on a syscall for an
-// architecture not in the filter, or an error if an issue was encountered
-// setting the value.
-func (f *ScmpFilter) SetBadArchAction(action ScmpAction) error {
- if err := sanitizeAction(action); err != nil {
- return err
- }
-
- return f.setFilterAttr(filterAttrActBadArch, action.toNative())
-}
-
-// SetNoNewPrivsBit sets the state of the No New Privileges bit, which will be
-// applied on filter load, or an error if an issue was encountered setting the
-// value.
-// Filters with No New Privileges set to 0 can only be loaded if the process
-// has the CAP_SYS_ADMIN capability.
-func (f *ScmpFilter) SetNoNewPrivsBit(state bool) error {
- var toSet C.uint32_t = 0x0
-
- if state {
- toSet = 0x1
- }
-
- return f.setFilterAttr(filterAttrNNP, toSet)
-}
-
-// SetTsync sets whether Thread Synchronization will be enabled on the filter
-// being loaded. Returns an error if setting Tsync failed, or the filter is
-// invalid.
-// Thread Sync ensures that all members of the thread group of the calling
-// process will share the same Seccomp filter set.
-// Tsync is a fairly recent addition to the Linux kernel and older kernels
-// lack support. If the running kernel does not support Tsync and it is
-// requested in a filter, Libseccomp will not enable TSync support and will
-// proceed as normal.
-// This function is unavailable before v2.2 of libseccomp and will return an
-// error.
-func (f *ScmpFilter) SetTsync(enable bool) error {
- var toSet C.uint32_t = 0x0
-
- if enable {
- toSet = 0x1
- }
-
- return f.setFilterAttr(filterAttrTsync, toSet)
-}
-
-// SetSyscallPriority sets a syscall's priority.
-// This provides a hint to the filter generator in libseccomp about the
-// importance of this syscall. High-priority syscalls are placed
-// first in the filter code, and incur less overhead (at the expense of
-// lower-priority syscalls).
-func (f *ScmpFilter) SetSyscallPriority(call ScmpSyscall, priority uint8) error {
- f.lock.Lock()
- defer f.lock.Unlock()
-
- if !f.valid {
- return errBadFilter
- }
-
- if retCode := C.seccomp_syscall_priority(f.filterCtx, C.int(call),
- C.uint8_t(priority)); retCode != 0 {
- return syscall.Errno(-1 * retCode)
- }
-
- return nil
-}
-
-// AddRule adds a single rule for an unconditional action on a syscall.
-// Accepts the number of the syscall and the action to be taken on the call
-// being made.
-// Returns an error if an issue was encountered adding the rule.
-func (f *ScmpFilter) AddRule(call ScmpSyscall, action ScmpAction) error {
- return f.addRuleGeneric(call, action, false, nil)
-}
-
-// AddRuleExact adds a single rule for an unconditional action on a syscall.
-// Accepts the number of the syscall and the action to be taken on the call
-// being made.
-// No modifications will be made to the rule, and it will fail to add if it
-// cannot be applied to the current architecture without modification.
-// The rule will function exactly as described, but it may not function identically
-// (or be able to be applied to) all architectures.
-// Returns an error if an issue was encountered adding the rule.
-func (f *ScmpFilter) AddRuleExact(call ScmpSyscall, action ScmpAction) error {
- return f.addRuleGeneric(call, action, true, nil)
-}
-
-// AddRuleConditional adds a single rule for a conditional action on a syscall.
-// Returns an error if an issue was encountered adding the rule.
-// All conditions must match for the rule to match.
-// There is a bug in library versions below v2.2.1 which can, in some cases,
-// cause conditions to be lost when more than one are used. Consequently,
-// AddRuleConditional is disabled on library versions lower than v2.2.1
-func (f *ScmpFilter) AddRuleConditional(call ScmpSyscall, action ScmpAction, conds []ScmpCondition) error {
- return f.addRuleGeneric(call, action, false, conds)
-}
-
-// AddRuleConditionalExact adds a single rule for a conditional action on a
-// syscall.
-// No modifications will be made to the rule, and it will fail to add if it
-// cannot be applied to the current architecture without modification.
-// The rule will function exactly as described, but it may not function identically
-// (or be able to be applied to) all architectures.
-// Returns an error if an issue was encountered adding the rule.
-// There is a bug in library versions below v2.2.1 which can, in some cases,
-// cause conditions to be lost when more than one are used. Consequently,
-// AddRuleConditionalExact is disabled on library versions lower than v2.2.1
-func (f *ScmpFilter) AddRuleConditionalExact(call ScmpSyscall, action ScmpAction, conds []ScmpCondition) error {
- return f.addRuleGeneric(call, action, true, conds)
-}
-
-// ExportPFC output PFC-formatted, human-readable dump of a filter context's
-// rules to a file.
-// Accepts file to write to (must be open for writing).
-// Returns an error if writing to the file fails.
-func (f *ScmpFilter) ExportPFC(file *os.File) error {
- f.lock.Lock()
- defer f.lock.Unlock()
-
- fd := file.Fd()
-
- if !f.valid {
- return errBadFilter
- }
-
- if retCode := C.seccomp_export_pfc(f.filterCtx, C.int(fd)); retCode != 0 {
- return syscall.Errno(-1 * retCode)
- }
-
- return nil
-}
-
-// ExportBPF outputs Berkeley Packet Filter-formatted, kernel-readable dump of a
-// filter context's rules to a file.
-// Accepts file to write to (must be open for writing).
-// Returns an error if writing to the file fails.
-func (f *ScmpFilter) ExportBPF(file *os.File) error {
- f.lock.Lock()
- defer f.lock.Unlock()
-
- fd := file.Fd()
-
- if !f.valid {
- return errBadFilter
- }
-
- if retCode := C.seccomp_export_bpf(f.filterCtx, C.int(fd)); retCode != 0 {
- return syscall.Errno(-1 * retCode)
- }
-
- return nil
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/seccomp/libseccomp-golang/seccomp_internal.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/seccomp/libseccomp-golang/seccomp_internal.go
deleted file mode 100644
index 306ed17570bef9ab6d031ba319e5639a75979b79..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/seccomp/libseccomp-golang/seccomp_internal.go
+++ /dev/null
@@ -1,461 +0,0 @@
-// +build linux
-
-// Internal functions for libseccomp Go bindings
-// No exported functions
-
-package seccomp
-
-import (
- "fmt"
- "os"
- "syscall"
-)
-
-// Unexported C wrapping code - provides the C-Golang interface
-// Get the seccomp header in scope
-// Need stdlib.h for free() on cstrings
-
-// #cgo LDFLAGS: -lseccomp
-/*
-#include <stdlib.h>
-#include <seccomp.h>
-
-#if SCMP_VER_MAJOR < 2
-#error Minimum supported version of Libseccomp is v2.1.0
-#elif SCMP_VER_MAJOR == 2 && SCMP_VER_MINOR < 1
-#error Minimum supported version of Libseccomp is v2.1.0
-#endif
-
-#define ARCH_BAD ~0
-
-const uint32_t C_ARCH_BAD = ARCH_BAD;
-
-#ifndef SCMP_ARCH_AARCH64
-#define SCMP_ARCH_AARCH64 ARCH_BAD
-#endif
-
-#ifndef SCMP_ARCH_MIPS
-#define SCMP_ARCH_MIPS ARCH_BAD
-#endif
-
-#ifndef SCMP_ARCH_MIPS64
-#define SCMP_ARCH_MIPS64 ARCH_BAD
-#endif
-
-#ifndef SCMP_ARCH_MIPS64N32
-#define SCMP_ARCH_MIPS64N32 ARCH_BAD
-#endif
-
-#ifndef SCMP_ARCH_MIPSEL
-#define SCMP_ARCH_MIPSEL ARCH_BAD
-#endif
-
-#ifndef SCMP_ARCH_MIPSEL64
-#define SCMP_ARCH_MIPSEL64 ARCH_BAD
-#endif
-
-#ifndef SCMP_ARCH_MIPSEL64N32
-#define SCMP_ARCH_MIPSEL64N32 ARCH_BAD
-#endif
-
-const uint32_t C_ARCH_NATIVE = SCMP_ARCH_NATIVE;
-const uint32_t C_ARCH_X86 = SCMP_ARCH_X86;
-const uint32_t C_ARCH_X86_64 = SCMP_ARCH_X86_64;
-const uint32_t C_ARCH_X32 = SCMP_ARCH_X32;
-const uint32_t C_ARCH_ARM = SCMP_ARCH_ARM;
-const uint32_t C_ARCH_AARCH64 = SCMP_ARCH_AARCH64;
-const uint32_t C_ARCH_MIPS = SCMP_ARCH_MIPS;
-const uint32_t C_ARCH_MIPS64 = SCMP_ARCH_MIPS64;
-const uint32_t C_ARCH_MIPS64N32 = SCMP_ARCH_MIPS64N32;
-const uint32_t C_ARCH_MIPSEL = SCMP_ARCH_MIPSEL;
-const uint32_t C_ARCH_MIPSEL64 = SCMP_ARCH_MIPSEL64;
-const uint32_t C_ARCH_MIPSEL64N32 = SCMP_ARCH_MIPSEL64N32;
-
-const uint32_t C_ACT_KILL = SCMP_ACT_KILL;
-const uint32_t C_ACT_TRAP = SCMP_ACT_TRAP;
-const uint32_t C_ACT_ERRNO = SCMP_ACT_ERRNO(0);
-const uint32_t C_ACT_TRACE = SCMP_ACT_TRACE(0);
-const uint32_t C_ACT_ALLOW = SCMP_ACT_ALLOW;
-
-// If TSync is not supported, make sure it doesn't map to a supported filter attribute
-// Don't worry about major version < 2, the minimum version checks should catch that case
-#if SCMP_VER_MAJOR == 2 && SCMP_VER_MINOR < 2
-#define SCMP_FLTATR_CTL_TSYNC _SCMP_CMP_MIN
-#endif
-
-const uint32_t C_ATTRIBUTE_DEFAULT = (uint32_t)SCMP_FLTATR_ACT_DEFAULT;
-const uint32_t C_ATTRIBUTE_BADARCH = (uint32_t)SCMP_FLTATR_ACT_BADARCH;
-const uint32_t C_ATTRIBUTE_NNP = (uint32_t)SCMP_FLTATR_CTL_NNP;
-const uint32_t C_ATTRIBUTE_TSYNC = (uint32_t)SCMP_FLTATR_CTL_TSYNC;
-
-const int C_CMP_NE = (int)SCMP_CMP_NE;
-const int C_CMP_LT = (int)SCMP_CMP_LT;
-const int C_CMP_LE = (int)SCMP_CMP_LE;
-const int C_CMP_EQ = (int)SCMP_CMP_EQ;
-const int C_CMP_GE = (int)SCMP_CMP_GE;
-const int C_CMP_GT = (int)SCMP_CMP_GT;
-const int C_CMP_MASKED_EQ = (int)SCMP_CMP_MASKED_EQ;
-
-const int C_VERSION_MAJOR = SCMP_VER_MAJOR;
-const int C_VERSION_MINOR = SCMP_VER_MINOR;
-const int C_VERSION_MICRO = SCMP_VER_MICRO;
-
-typedef struct scmp_arg_cmp* scmp_cast_t;
-
-// Wrapper to create an scmp_arg_cmp struct
-void*
-make_struct_arg_cmp(
- unsigned int arg,
- int compare,
- uint64_t a,
- uint64_t b
- )
-{
- struct scmp_arg_cmp *s = malloc(sizeof(struct scmp_arg_cmp));
-
- s->arg = arg;
- s->op = compare;
- s->datum_a = a;
- s->datum_b = b;
-
- return s;
-}
-*/
-import "C"
-
-// Nonexported types
-type scmpFilterAttr uint32
-
-// Nonexported constants
-
-const (
- filterAttrActDefault scmpFilterAttr = iota
- filterAttrActBadArch scmpFilterAttr = iota
- filterAttrNNP scmpFilterAttr = iota
- filterAttrTsync scmpFilterAttr = iota
-)
-
-const (
- // An error return from certain libseccomp functions
- scmpError C.int = -1
- // Comparison boundaries to check for architecture validity
- archStart ScmpArch = ArchNative
- archEnd ScmpArch = ArchMIPSEL64N32
- // Comparison boundaries to check for action validity
- actionStart ScmpAction = ActKill
- actionEnd ScmpAction = ActAllow
- // Comparison boundaries to check for comparison operator validity
- compareOpStart ScmpCompareOp = CompareNotEqual
- compareOpEnd ScmpCompareOp = CompareMaskedEqual
-)
-
-var (
- // Error thrown on bad filter context
- errBadFilter = fmt.Errorf("filter is invalid or uninitialized")
- // Constants representing library major, minor, and micro versions
- verMajor = int(C.C_VERSION_MAJOR)
- verMinor = int(C.C_VERSION_MINOR)
- verMicro = int(C.C_VERSION_MICRO)
-)
-
-// Nonexported functions
-
-// Check if library version is greater than or equal to the given one
-func checkVersionAbove(major, minor, micro int) bool {
- return (verMajor > major) ||
- (verMajor == major && verMinor > minor) ||
- (verMajor == major && verMinor == minor && verMicro >= micro)
-}
-
-// Init function: Verify library version is appropriate
-func init() {
- if !checkVersionAbove(2, 1, 0) {
- fmt.Fprintf(os.Stderr, "Libseccomp version too low: minimum supported is 2.1.0, detected %d.%d.%d", C.C_VERSION_MAJOR, C.C_VERSION_MINOR, C.C_VERSION_MICRO)
- os.Exit(-1)
- }
-}
-
-// Filter helpers
-
-// Filter finalizer - ensure that kernel context for filters is freed
-func filterFinalizer(f *ScmpFilter) {
- f.Release()
-}
-
-// Get a raw filter attribute
-func (f *ScmpFilter) getFilterAttr(attr scmpFilterAttr) (C.uint32_t, error) {
- f.lock.Lock()
- defer f.lock.Unlock()
-
- if !f.valid {
- return 0x0, errBadFilter
- }
-
- if !checkVersionAbove(2, 2, 0) && attr == filterAttrTsync {
- return 0x0, fmt.Errorf("the thread synchronization attribute is not supported in this version of the library")
- }
-
- var attribute C.uint32_t
-
- retCode := C.seccomp_attr_get(f.filterCtx, attr.toNative(), &attribute)
- if retCode != 0 {
- return 0x0, syscall.Errno(-1 * retCode)
- }
-
- return attribute, nil
-}
-
-// Set a raw filter attribute
-func (f *ScmpFilter) setFilterAttr(attr scmpFilterAttr, value C.uint32_t) error {
- f.lock.Lock()
- defer f.lock.Unlock()
-
- if !f.valid {
- return errBadFilter
- }
-
- if !checkVersionAbove(2, 2, 0) && attr == filterAttrTsync {
- return fmt.Errorf("the thread synchronization attribute is not supported in this version of the library")
- }
-
- retCode := C.seccomp_attr_set(f.filterCtx, attr.toNative(), value)
- if retCode != 0 {
- return syscall.Errno(-1 * retCode)
- }
-
- return nil
-}
-
-// DOES NOT LOCK OR CHECK VALIDITY
-// Assumes caller has already done this
-// Wrapper for seccomp_rule_add_... functions
-func (f *ScmpFilter) addRuleWrapper(call ScmpSyscall, action ScmpAction, exact bool, cond C.scmp_cast_t) error {
- var length C.uint
- if cond != nil {
- length = 1
- } else {
- length = 0
- }
-
- var retCode C.int
- if exact {
- retCode = C.seccomp_rule_add_exact_array(f.filterCtx, action.toNative(), C.int(call), length, cond)
- } else {
- retCode = C.seccomp_rule_add_array(f.filterCtx, action.toNative(), C.int(call), length, cond)
- }
-
- if syscall.Errno(-1*retCode) == syscall.EFAULT {
- return fmt.Errorf("unrecognized syscall")
- } else if syscall.Errno(-1*retCode) == syscall.EPERM {
- return fmt.Errorf("requested action matches default action of filter")
- } else if retCode != 0 {
- return syscall.Errno(-1 * retCode)
- }
-
- return nil
-}
-
-// Generic add function for filter rules
-func (f *ScmpFilter) addRuleGeneric(call ScmpSyscall, action ScmpAction, exact bool, conds []ScmpCondition) error {
- f.lock.Lock()
- defer f.lock.Unlock()
-
- if !f.valid {
- return errBadFilter
- }
-
- if len(conds) == 0 {
- if err := f.addRuleWrapper(call, action, exact, nil); err != nil {
- return err
- }
- } else {
- // We don't support conditional filtering in library version v2.1
- if !checkVersionAbove(2, 2, 1) {
- return fmt.Errorf("conditional filtering requires libseccomp version >= 2.2.1")
- }
-
- for _, cond := range conds {
- cmpStruct := C.make_struct_arg_cmp(C.uint(cond.Argument), cond.Op.toNative(), C.uint64_t(cond.Operand1), C.uint64_t(cond.Operand2))
- defer C.free(cmpStruct)
-
- if err := f.addRuleWrapper(call, action, exact, C.scmp_cast_t(cmpStruct)); err != nil {
- return err
- }
- }
- }
-
- return nil
-}
-
-// Generic Helpers
-
-// Helper - Sanitize Arch token input
-func sanitizeArch(in ScmpArch) error {
- if in < archStart || in > archEnd {
- return fmt.Errorf("unrecognized architecture")
- }
-
- if in.toNative() == C.C_ARCH_BAD {
- return fmt.Errorf("architecture is not supported on this version of the library")
- }
-
- return nil
-}
-
-func sanitizeAction(in ScmpAction) error {
- inTmp := in & 0x0000FFFF
- if inTmp < actionStart || inTmp > actionEnd {
- return fmt.Errorf("unrecognized action")
- }
-
- if inTmp != ActTrace && inTmp != ActErrno && (in&0xFFFF0000) != 0 {
- return fmt.Errorf("highest 16 bits must be zeroed except for Trace and Errno")
- }
-
- return nil
-}
-
-func sanitizeCompareOp(in ScmpCompareOp) error {
- if in < compareOpStart || in > compareOpEnd {
- return fmt.Errorf("unrecognized comparison operator")
- }
-
- return nil
-}
-
-func archFromNative(a C.uint32_t) (ScmpArch, error) {
- switch a {
- case C.C_ARCH_X86:
- return ArchX86, nil
- case C.C_ARCH_X86_64:
- return ArchAMD64, nil
- case C.C_ARCH_X32:
- return ArchX32, nil
- case C.C_ARCH_ARM:
- return ArchARM, nil
- case C.C_ARCH_NATIVE:
- return ArchNative, nil
- case C.C_ARCH_AARCH64:
- return ArchARM64, nil
- case C.C_ARCH_MIPS:
- return ArchMIPS, nil
- case C.C_ARCH_MIPS64:
- return ArchMIPS64, nil
- case C.C_ARCH_MIPS64N32:
- return ArchMIPS64N32, nil
- case C.C_ARCH_MIPSEL:
- return ArchMIPSEL, nil
- case C.C_ARCH_MIPSEL64:
- return ArchMIPSEL64, nil
- case C.C_ARCH_MIPSEL64N32:
- return ArchMIPSEL64N32, nil
- default:
- return 0x0, fmt.Errorf("unrecognized architecture")
- }
-}
-
-// Only use with sanitized arches, no error handling
-func (a ScmpArch) toNative() C.uint32_t {
- switch a {
- case ArchX86:
- return C.C_ARCH_X86
- case ArchAMD64:
- return C.C_ARCH_X86_64
- case ArchX32:
- return C.C_ARCH_X32
- case ArchARM:
- return C.C_ARCH_ARM
- case ArchARM64:
- return C.C_ARCH_AARCH64
- case ArchMIPS:
- return C.C_ARCH_MIPS
- case ArchMIPS64:
- return C.C_ARCH_MIPS64
- case ArchMIPS64N32:
- return C.C_ARCH_MIPS64N32
- case ArchMIPSEL:
- return C.C_ARCH_MIPSEL
- case ArchMIPSEL64:
- return C.C_ARCH_MIPSEL64
- case ArchMIPSEL64N32:
- return C.C_ARCH_MIPSEL64N32
- case ArchNative:
- return C.C_ARCH_NATIVE
- default:
- return 0x0
- }
-}
-
-// Only use with sanitized ops, no error handling
-func (a ScmpCompareOp) toNative() C.int {
- switch a {
- case CompareNotEqual:
- return C.C_CMP_NE
- case CompareLess:
- return C.C_CMP_LT
- case CompareLessOrEqual:
- return C.C_CMP_LE
- case CompareEqual:
- return C.C_CMP_EQ
- case CompareGreaterEqual:
- return C.C_CMP_GE
- case CompareGreater:
- return C.C_CMP_GT
- case CompareMaskedEqual:
- return C.C_CMP_MASKED_EQ
- default:
- return 0x0
- }
-}
-
-func actionFromNative(a C.uint32_t) (ScmpAction, error) {
- aTmp := a & 0xFFFF
- switch a & 0xFFFF0000 {
- case C.C_ACT_KILL:
- return ActKill, nil
- case C.C_ACT_TRAP:
- return ActTrap, nil
- case C.C_ACT_ERRNO:
- return ActErrno.SetReturnCode(int16(aTmp)), nil
- case C.C_ACT_TRACE:
- return ActTrace.SetReturnCode(int16(aTmp)), nil
- case C.C_ACT_ALLOW:
- return ActAllow, nil
- default:
- return 0x0, fmt.Errorf("unrecognized action")
- }
-}
-
-// Only use with sanitized actions, no error handling
-func (a ScmpAction) toNative() C.uint32_t {
- switch a & 0xFFFF {
- case ActKill:
- return C.C_ACT_KILL
- case ActTrap:
- return C.C_ACT_TRAP
- case ActErrno:
- return C.C_ACT_ERRNO | (C.uint32_t(a) >> 16)
- case ActTrace:
- return C.C_ACT_TRACE | (C.uint32_t(a) >> 16)
- case ActAllow:
- return C.C_ACT_ALLOW
- default:
- return 0x0
- }
-}
-
-// Internal only, assumes safe attribute
-func (a scmpFilterAttr) toNative() uint32 {
- switch a {
- case filterAttrActDefault:
- return uint32(C.C_ATTRIBUTE_DEFAULT)
- case filterAttrActBadArch:
- return uint32(C.C_ATTRIBUTE_BADARCH)
- case filterAttrNNP:
- return uint32(C.C_ATTRIBUTE_NNP)
- case filterAttrTsync:
- return uint32(C.C_ATTRIBUTE_TSYNC)
- default:
- return 0x0
- }
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/syndtr/gocapability/LICENSE b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/syndtr/gocapability/LICENSE
deleted file mode 100644
index 80dd96de77fab9a0e619fbfb6f675921fa96c51e..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/syndtr/gocapability/LICENSE
+++ /dev/null
@@ -1,24 +0,0 @@
-Copyright 2013 Suryandaru Triandana <syndtr@gmail.com>
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are
-met:
-
- * Redistributions of source code must retain the above copyright
-notice, this list of conditions and the following disclaimer.
- * Redistributions in binary form must reproduce the above copyright
-notice, this list of conditions and the following disclaimer in the
-documentation and/or other materials provided with the distribution.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
-A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
-HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
-LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/syndtr/gocapability/capability/capability.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/syndtr/gocapability/capability/capability.go
deleted file mode 100644
index c13f4e52a9cfece36ef625b2d8f19180403c0a2d..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/syndtr/gocapability/capability/capability.go
+++ /dev/null
@@ -1,72 +0,0 @@
-// Copyright (c) 2013, Suryandaru Triandana <syndtr@gmail.com>
-// All rights reserved.
-//
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-// Package capability provides utilities for manipulating POSIX capabilities.
-package capability
-
-type Capabilities interface {
- // Get check whether a capability present in the given
- // capabilities set. The 'which' value should be one of EFFECTIVE,
- // PERMITTED, INHERITABLE or BOUNDING.
- Get(which CapType, what Cap) bool
-
- // Empty check whether all capability bits of the given capabilities
- // set are zero. The 'which' value should be one of EFFECTIVE,
- // PERMITTED, INHERITABLE or BOUNDING.
- Empty(which CapType) bool
-
- // Full check whether all capability bits of the given capabilities
- // set are one. The 'which' value should be one of EFFECTIVE,
- // PERMITTED, INHERITABLE or BOUNDING.
- Full(which CapType) bool
-
- // Set sets capabilities of the given capabilities sets. The
- // 'which' value should be one or combination (OR'ed) of EFFECTIVE,
- // PERMITTED, INHERITABLE or BOUNDING.
- Set(which CapType, caps ...Cap)
-
- // Unset unsets capabilities of the given capabilities sets. The
- // 'which' value should be one or combination (OR'ed) of EFFECTIVE,
- // PERMITTED, INHERITABLE or BOUNDING.
- Unset(which CapType, caps ...Cap)
-
- // Fill sets all bits of the given capabilities kind to one. The
- // 'kind' value should be one or combination (OR'ed) of CAPS or
- // BOUNDS.
- Fill(kind CapType)
-
- // Clear sets all bits of the given capabilities kind to zero. The
- // 'kind' value should be one or combination (OR'ed) of CAPS or
- // BOUNDS.
- Clear(kind CapType)
-
- // String return current capabilities state of the given capabilities
- // set as string. The 'which' value should be one of EFFECTIVE,
- // PERMITTED, INHERITABLE or BOUNDING.
- StringCap(which CapType) string
-
- // String return current capabilities state as string.
- String() string
-
- // Load load actual capabilities value. This will overwrite all
- // outstanding changes.
- Load() error
-
- // Apply apply the capabilities settings, so all changes will take
- // effect.
- Apply(kind CapType) error
-}
-
-// NewPid create new initialized Capabilities object for given pid when it
-// is nonzero, or for the current pid if pid is 0
-func NewPid(pid int) (Capabilities, error) {
- return newPid(pid)
-}
-
-// NewFile create new initialized Capabilities object for given named file.
-func NewFile(name string) (Capabilities, error) {
- return newFile(name)
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/syndtr/gocapability/capability/capability_linux.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/syndtr/gocapability/capability/capability_linux.go
deleted file mode 100644
index 3dfcd398dcd7441bcbe533f2981499e62367cb85..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/syndtr/gocapability/capability/capability_linux.go
+++ /dev/null
@@ -1,608 +0,0 @@
-// Copyright (c) 2013, Suryandaru Triandana <syndtr@gmail.com>
-// All rights reserved.
-//
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-package capability
-
-import (
- "bufio"
- "errors"
- "fmt"
- "io"
- "os"
- "strings"
- "syscall"
-)
-
-var errUnknownVers = errors.New("unknown capability version")
-
-const (
- linuxCapVer1 = 0x19980330
- linuxCapVer2 = 0x20071026
- linuxCapVer3 = 0x20080522
-)
-
-var (
- capVers uint32
- capLastCap Cap
-)
-
-func init() {
- var hdr capHeader
- capget(&hdr, nil)
- capVers = hdr.version
-
- if initLastCap() == nil {
- CAP_LAST_CAP = capLastCap
- if capLastCap > 31 {
- capUpperMask = (uint32(1) << (uint(capLastCap) - 31)) - 1
- } else {
- capUpperMask = 0
- }
- }
-}
-
-func initLastCap() error {
- if capLastCap != 0 {
- return nil
- }
-
- f, err := os.Open("/proc/sys/kernel/cap_last_cap")
- if err != nil {
- return err
- }
- defer f.Close()
-
- var b []byte = make([]byte, 11)
- _, err = f.Read(b)
- if err != nil {
- return err
- }
-
- fmt.Sscanf(string(b), "%d", &capLastCap)
-
- return nil
-}
-
-func mkStringCap(c Capabilities, which CapType) (ret string) {
- for i, first := Cap(0), true; i <= CAP_LAST_CAP; i++ {
- if !c.Get(which, i) {
- continue
- }
- if first {
- first = false
- } else {
- ret += ", "
- }
- ret += i.String()
- }
- return
-}
-
-func mkString(c Capabilities, max CapType) (ret string) {
- ret = "{"
- for i := CapType(1); i <= max; i <<= 1 {
- ret += " " + i.String() + "=\""
- if c.Empty(i) {
- ret += "empty"
- } else if c.Full(i) {
- ret += "full"
- } else {
- ret += c.StringCap(i)
- }
- ret += "\""
- }
- ret += " }"
- return
-}
-
-func newPid(pid int) (c Capabilities, err error) {
- switch capVers {
- case linuxCapVer1:
- p := new(capsV1)
- p.hdr.version = capVers
- p.hdr.pid = pid
- c = p
- case linuxCapVer2, linuxCapVer3:
- p := new(capsV3)
- p.hdr.version = capVers
- p.hdr.pid = pid
- c = p
- default:
- err = errUnknownVers
- return
- }
- err = c.Load()
- if err != nil {
- c = nil
- }
- return
-}
-
-type capsV1 struct {
- hdr capHeader
- data capData
-}
-
-func (c *capsV1) Get(which CapType, what Cap) bool {
- if what > 32 {
- return false
- }
-
- switch which {
- case EFFECTIVE:
- return (1<<uint(what))&c.data.effective != 0
- case PERMITTED:
- return (1<<uint(what))&c.data.permitted != 0
- case INHERITABLE:
- return (1<<uint(what))&c.data.inheritable != 0
- }
-
- return false
-}
-
-func (c *capsV1) getData(which CapType) (ret uint32) {
- switch which {
- case EFFECTIVE:
- ret = c.data.effective
- case PERMITTED:
- ret = c.data.permitted
- case INHERITABLE:
- ret = c.data.inheritable
- }
- return
-}
-
-func (c *capsV1) Empty(which CapType) bool {
- return c.getData(which) == 0
-}
-
-func (c *capsV1) Full(which CapType) bool {
- return (c.getData(which) & 0x7fffffff) == 0x7fffffff
-}
-
-func (c *capsV1) Set(which CapType, caps ...Cap) {
- for _, what := range caps {
- if what > 32 {
- continue
- }
-
- if which&EFFECTIVE != 0 {
- c.data.effective |= 1 << uint(what)
- }
- if which&PERMITTED != 0 {
- c.data.permitted |= 1 << uint(what)
- }
- if which&INHERITABLE != 0 {
- c.data.inheritable |= 1 << uint(what)
- }
- }
-}
-
-func (c *capsV1) Unset(which CapType, caps ...Cap) {
- for _, what := range caps {
- if what > 32 {
- continue
- }
-
- if which&EFFECTIVE != 0 {
- c.data.effective &= ^(1 << uint(what))
- }
- if which&PERMITTED != 0 {
- c.data.permitted &= ^(1 << uint(what))
- }
- if which&INHERITABLE != 0 {
- c.data.inheritable &= ^(1 << uint(what))
- }
- }
-}
-
-func (c *capsV1) Fill(kind CapType) {
- if kind&CAPS == CAPS {
- c.data.effective = 0x7fffffff
- c.data.permitted = 0x7fffffff
- c.data.inheritable = 0
- }
-}
-
-func (c *capsV1) Clear(kind CapType) {
- if kind&CAPS == CAPS {
- c.data.effective = 0
- c.data.permitted = 0
- c.data.inheritable = 0
- }
-}
-
-func (c *capsV1) StringCap(which CapType) (ret string) {
- return mkStringCap(c, which)
-}
-
-func (c *capsV1) String() (ret string) {
- return mkString(c, BOUNDING)
-}
-
-func (c *capsV1) Load() (err error) {
- return capget(&c.hdr, &c.data)
-}
-
-func (c *capsV1) Apply(kind CapType) error {
- if kind&CAPS == CAPS {
- return capset(&c.hdr, &c.data)
- }
- return nil
-}
-
-type capsV3 struct {
- hdr capHeader
- data [2]capData
- bounds [2]uint32
-}
-
-func (c *capsV3) Get(which CapType, what Cap) bool {
- var i uint
- if what > 31 {
- i = uint(what) >> 5
- what %= 32
- }
-
- switch which {
- case EFFECTIVE:
- return (1<<uint(what))&c.data[i].effective != 0
- case PERMITTED:
- return (1<<uint(what))&c.data[i].permitted != 0
- case INHERITABLE:
- return (1<<uint(what))&c.data[i].inheritable != 0
- case BOUNDING:
- return (1<<uint(what))&c.bounds[i] != 0
- }
-
- return false
-}
-
-func (c *capsV3) getData(which CapType, dest []uint32) {
- switch which {
- case EFFECTIVE:
- dest[0] = c.data[0].effective
- dest[1] = c.data[1].effective
- case PERMITTED:
- dest[0] = c.data[0].permitted
- dest[1] = c.data[1].permitted
- case INHERITABLE:
- dest[0] = c.data[0].inheritable
- dest[1] = c.data[1].inheritable
- case BOUNDING:
- dest[0] = c.bounds[0]
- dest[1] = c.bounds[1]
- }
-}
-
-func (c *capsV3) Empty(which CapType) bool {
- var data [2]uint32
- c.getData(which, data[:])
- return data[0] == 0 && data[1] == 0
-}
-
-func (c *capsV3) Full(which CapType) bool {
- var data [2]uint32
- c.getData(which, data[:])
- if (data[0] & 0xffffffff) != 0xffffffff {
- return false
- }
- return (data[1] & capUpperMask) == capUpperMask
-}
-
-func (c *capsV3) Set(which CapType, caps ...Cap) {
- for _, what := range caps {
- var i uint
- if what > 31 {
- i = uint(what) >> 5
- what %= 32
- }
-
- if which&EFFECTIVE != 0 {
- c.data[i].effective |= 1 << uint(what)
- }
- if which&PERMITTED != 0 {
- c.data[i].permitted |= 1 << uint(what)
- }
- if which&INHERITABLE != 0 {
- c.data[i].inheritable |= 1 << uint(what)
- }
- if which&BOUNDING != 0 {
- c.bounds[i] |= 1 << uint(what)
- }
- }
-}
-
-func (c *capsV3) Unset(which CapType, caps ...Cap) {
- for _, what := range caps {
- var i uint
- if what > 31 {
- i = uint(what) >> 5
- what %= 32
- }
-
- if which&EFFECTIVE != 0 {
- c.data[i].effective &= ^(1 << uint(what))
- }
- if which&PERMITTED != 0 {
- c.data[i].permitted &= ^(1 << uint(what))
- }
- if which&INHERITABLE != 0 {
- c.data[i].inheritable &= ^(1 << uint(what))
- }
- if which&BOUNDING != 0 {
- c.bounds[i] &= ^(1 << uint(what))
- }
- }
-}
-
-func (c *capsV3) Fill(kind CapType) {
- if kind&CAPS == CAPS {
- c.data[0].effective = 0xffffffff
- c.data[0].permitted = 0xffffffff
- c.data[0].inheritable = 0
- c.data[1].effective = 0xffffffff
- c.data[1].permitted = 0xffffffff
- c.data[1].inheritable = 0
- }
-
- if kind&BOUNDS == BOUNDS {
- c.bounds[0] = 0xffffffff
- c.bounds[1] = 0xffffffff
- }
-}
-
-func (c *capsV3) Clear(kind CapType) {
- if kind&CAPS == CAPS {
- c.data[0].effective = 0
- c.data[0].permitted = 0
- c.data[0].inheritable = 0
- c.data[1].effective = 0
- c.data[1].permitted = 0
- c.data[1].inheritable = 0
- }
-
- if kind&BOUNDS == BOUNDS {
- c.bounds[0] = 0
- c.bounds[1] = 0
- }
-}
-
-func (c *capsV3) StringCap(which CapType) (ret string) {
- return mkStringCap(c, which)
-}
-
-func (c *capsV3) String() (ret string) {
- return mkString(c, BOUNDING)
-}
-
-func (c *capsV3) Load() (err error) {
- err = capget(&c.hdr, &c.data[0])
- if err != nil {
- return
- }
-
- var status_path string
-
- if c.hdr.pid == 0 {
- status_path = fmt.Sprintf("/proc/self/status")
- } else {
- status_path = fmt.Sprintf("/proc/%d/status", c.hdr.pid)
- }
-
- f, err := os.Open(status_path)
- if err != nil {
- return
- }
- b := bufio.NewReader(f)
- for {
- line, e := b.ReadString('\n')
- if e != nil {
- if e != io.EOF {
- err = e
- }
- break
- }
- if strings.HasPrefix(line, "CapB") {
- fmt.Sscanf(line[4:], "nd: %08x%08x", &c.bounds[1], &c.bounds[0])
- break
- }
- }
- f.Close()
-
- return
-}
-
-func (c *capsV3) Apply(kind CapType) (err error) {
- if kind&BOUNDS == BOUNDS {
- var data [2]capData
- err = capget(&c.hdr, &data[0])
- if err != nil {
- return
- }
- if (1<<uint(CAP_SETPCAP))&data[0].effective != 0 {
- for i := Cap(0); i <= CAP_LAST_CAP; i++ {
- if c.Get(BOUNDING, i) {
- continue
- }
- err = prctl(syscall.PR_CAPBSET_DROP, uintptr(i), 0, 0, 0)
- if err != nil {
- // Ignore EINVAL since the capability may not be supported in this system.
- if errno, ok := err.(syscall.Errno); ok && errno == syscall.EINVAL {
- err = nil
- continue
- }
- return
- }
- }
- }
- }
-
- if kind&CAPS == CAPS {
- return capset(&c.hdr, &c.data[0])
- }
-
- return
-}
-
-func newFile(path string) (c Capabilities, err error) {
- c = &capsFile{path: path}
- err = c.Load()
- if err != nil {
- c = nil
- }
- return
-}
-
-type capsFile struct {
- path string
- data vfscapData
-}
-
-func (c *capsFile) Get(which CapType, what Cap) bool {
- var i uint
- if what > 31 {
- if c.data.version == 1 {
- return false
- }
- i = uint(what) >> 5
- what %= 32
- }
-
- switch which {
- case EFFECTIVE:
- return (1<<uint(what))&c.data.effective[i] != 0
- case PERMITTED:
- return (1<<uint(what))&c.data.data[i].permitted != 0
- case INHERITABLE:
- return (1<<uint(what))&c.data.data[i].inheritable != 0
- }
-
- return false
-}
-
-func (c *capsFile) getData(which CapType, dest []uint32) {
- switch which {
- case EFFECTIVE:
- dest[0] = c.data.effective[0]
- dest[1] = c.data.effective[1]
- case PERMITTED:
- dest[0] = c.data.data[0].permitted
- dest[1] = c.data.data[1].permitted
- case INHERITABLE:
- dest[0] = c.data.data[0].inheritable
- dest[1] = c.data.data[1].inheritable
- }
-}
-
-func (c *capsFile) Empty(which CapType) bool {
- var data [2]uint32
- c.getData(which, data[:])
- return data[0] == 0 && data[1] == 0
-}
-
-func (c *capsFile) Full(which CapType) bool {
- var data [2]uint32
- c.getData(which, data[:])
- if c.data.version == 0 {
- return (data[0] & 0x7fffffff) == 0x7fffffff
- }
- if (data[0] & 0xffffffff) != 0xffffffff {
- return false
- }
- return (data[1] & capUpperMask) == capUpperMask
-}
-
-func (c *capsFile) Set(which CapType, caps ...Cap) {
- for _, what := range caps {
- var i uint
- if what > 31 {
- if c.data.version == 1 {
- continue
- }
- i = uint(what) >> 5
- what %= 32
- }
-
- if which&EFFECTIVE != 0 {
- c.data.effective[i] |= 1 << uint(what)
- }
- if which&PERMITTED != 0 {
- c.data.data[i].permitted |= 1 << uint(what)
- }
- if which&INHERITABLE != 0 {
- c.data.data[i].inheritable |= 1 << uint(what)
- }
- }
-}
-
-func (c *capsFile) Unset(which CapType, caps ...Cap) {
- for _, what := range caps {
- var i uint
- if what > 31 {
- if c.data.version == 1 {
- continue
- }
- i = uint(what) >> 5
- what %= 32
- }
-
- if which&EFFECTIVE != 0 {
- c.data.effective[i] &= ^(1 << uint(what))
- }
- if which&PERMITTED != 0 {
- c.data.data[i].permitted &= ^(1 << uint(what))
- }
- if which&INHERITABLE != 0 {
- c.data.data[i].inheritable &= ^(1 << uint(what))
- }
- }
-}
-
-func (c *capsFile) Fill(kind CapType) {
- if kind&CAPS == CAPS {
- c.data.effective[0] = 0xffffffff
- c.data.data[0].permitted = 0xffffffff
- c.data.data[0].inheritable = 0
- if c.data.version == 2 {
- c.data.effective[1] = 0xffffffff
- c.data.data[1].permitted = 0xffffffff
- c.data.data[1].inheritable = 0
- }
- }
-}
-
-func (c *capsFile) Clear(kind CapType) {
- if kind&CAPS == CAPS {
- c.data.effective[0] = 0
- c.data.data[0].permitted = 0
- c.data.data[0].inheritable = 0
- if c.data.version == 2 {
- c.data.effective[1] = 0
- c.data.data[1].permitted = 0
- c.data.data[1].inheritable = 0
- }
- }
-}
-
-func (c *capsFile) StringCap(which CapType) (ret string) {
- return mkStringCap(c, which)
-}
-
-func (c *capsFile) String() (ret string) {
- return mkString(c, INHERITABLE)
-}
-
-func (c *capsFile) Load() (err error) {
- return getVfsCap(c.path, &c.data)
-}
-
-func (c *capsFile) Apply(kind CapType) (err error) {
- if kind&CAPS == CAPS {
- return setVfsCap(c.path, &c.data)
- }
- return
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/syndtr/gocapability/capability/capability_noop.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/syndtr/gocapability/capability/capability_noop.go
deleted file mode 100644
index 9bb3070c5ec5a468d94a5a44b1b146688c8c12ed..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/syndtr/gocapability/capability/capability_noop.go
+++ /dev/null
@@ -1,19 +0,0 @@
-// Copyright (c) 2013, Suryandaru Triandana <syndtr@gmail.com>
-// All rights reserved.
-//
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-// +build !linux
-
-package capability
-
-import "errors"
-
-func newPid(pid int) (Capabilities, error) {
- return nil, errors.New("not supported")
-}
-
-func newFile(path string) (Capabilities, error) {
- return nil, errors.New("not supported")
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/syndtr/gocapability/capability/enum.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/syndtr/gocapability/capability/enum.go
deleted file mode 100644
index fd0ce7fe8ee89cf8230f90534ee773042b80e037..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/syndtr/gocapability/capability/enum.go
+++ /dev/null
@@ -1,264 +0,0 @@
-// Copyright (c) 2013, Suryandaru Triandana <syndtr@gmail.com>
-// All rights reserved.
-//
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-package capability
-
-type CapType uint
-
-func (c CapType) String() string {
- switch c {
- case EFFECTIVE:
- return "effective"
- case PERMITTED:
- return "permitted"
- case INHERITABLE:
- return "inheritable"
- case BOUNDING:
- return "bounding"
- case CAPS:
- return "caps"
- }
- return "unknown"
-}
-
-const (
- EFFECTIVE CapType = 1 << iota
- PERMITTED
- INHERITABLE
- BOUNDING
-
- CAPS = EFFECTIVE | PERMITTED | INHERITABLE
- BOUNDS = BOUNDING
-)
-
-//go:generate go run enumgen/gen.go
-type Cap int
-
-// POSIX-draft defined capabilities.
-const (
- // In a system with the [_POSIX_CHOWN_RESTRICTED] option defined, this
- // overrides the restriction of changing file ownership and group
- // ownership.
- CAP_CHOWN = Cap(0)
-
- // Override all DAC access, including ACL execute access if
- // [_POSIX_ACL] is defined. Excluding DAC access covered by
- // CAP_LINUX_IMMUTABLE.
- CAP_DAC_OVERRIDE = Cap(1)
-
- // Overrides all DAC restrictions regarding read and search on files
- // and directories, including ACL restrictions if [_POSIX_ACL] is
- // defined. Excluding DAC access covered by CAP_LINUX_IMMUTABLE.
- CAP_DAC_READ_SEARCH = Cap(2)
-
- // Overrides all restrictions about allowed operations on files, where
- // file owner ID must be equal to the user ID, except where CAP_FSETID
- // is applicable. It doesn't override MAC and DAC restrictions.
- CAP_FOWNER = Cap(3)
-
- // Overrides the following restrictions that the effective user ID
- // shall match the file owner ID when setting the S_ISUID and S_ISGID
- // bits on that file; that the effective group ID (or one of the
- // supplementary group IDs) shall match the file owner ID when setting
- // the S_ISGID bit on that file; that the S_ISUID and S_ISGID bits are
- // cleared on successful return from chown(2) (not implemented).
- CAP_FSETID = Cap(4)
-
- // Overrides the restriction that the real or effective user ID of a
- // process sending a signal must match the real or effective user ID
- // of the process receiving the signal.
- CAP_KILL = Cap(5)
-
- // Allows setgid(2) manipulation
- // Allows setgroups(2)
- // Allows forged gids on socket credentials passing.
- CAP_SETGID = Cap(6)
-
- // Allows set*uid(2) manipulation (including fsuid).
- // Allows forged pids on socket credentials passing.
- CAP_SETUID = Cap(7)
-
- // Linux-specific capabilities
-
- // Without VFS support for capabilities:
- // Transfer any capability in your permitted set to any pid,
- // remove any capability in your permitted set from any pid
- // With VFS support for capabilities (neither of above, but)
- // Add any capability from current's capability bounding set
- // to the current process' inheritable set
- // Allow taking bits out of capability bounding set
- // Allow modification of the securebits for a process
- CAP_SETPCAP = Cap(8)
-
- // Allow modification of S_IMMUTABLE and S_APPEND file attributes
- CAP_LINUX_IMMUTABLE = Cap(9)
-
- // Allows binding to TCP/UDP sockets below 1024
- // Allows binding to ATM VCIs below 32
- CAP_NET_BIND_SERVICE = Cap(10)
-
- // Allow broadcasting, listen to multicast
- CAP_NET_BROADCAST = Cap(11)
-
- // Allow interface configuration
- // Allow administration of IP firewall, masquerading and accounting
- // Allow setting debug option on sockets
- // Allow modification of routing tables
- // Allow setting arbitrary process / process group ownership on
- // sockets
- // Allow binding to any address for transparent proxying (also via NET_RAW)
- // Allow setting TOS (type of service)
- // Allow setting promiscuous mode
- // Allow clearing driver statistics
- // Allow multicasting
- // Allow read/write of device-specific registers
- // Allow activation of ATM control sockets
- CAP_NET_ADMIN = Cap(12)
-
- // Allow use of RAW sockets
- // Allow use of PACKET sockets
- // Allow binding to any address for transparent proxying (also via NET_ADMIN)
- CAP_NET_RAW = Cap(13)
-
- // Allow locking of shared memory segments
- // Allow mlock and mlockall (which doesn't really have anything to do
- // with IPC)
- CAP_IPC_LOCK = Cap(14)
-
- // Override IPC ownership checks
- CAP_IPC_OWNER = Cap(15)
-
- // Insert and remove kernel modules - modify kernel without limit
- CAP_SYS_MODULE = Cap(16)
-
- // Allow ioperm/iopl access
- // Allow sending USB messages to any device via /proc/bus/usb
- CAP_SYS_RAWIO = Cap(17)
-
- // Allow use of chroot()
- CAP_SYS_CHROOT = Cap(18)
-
- // Allow ptrace() of any process
- CAP_SYS_PTRACE = Cap(19)
-
- // Allow configuration of process accounting
- CAP_SYS_PACCT = Cap(20)
-
- // Allow configuration of the secure attention key
- // Allow administration of the random device
- // Allow examination and configuration of disk quotas
- // Allow setting the domainname
- // Allow setting the hostname
- // Allow calling bdflush()
- // Allow mount() and umount(), setting up new smb connection
- // Allow some autofs root ioctls
- // Allow nfsservctl
- // Allow VM86_REQUEST_IRQ
- // Allow to read/write pci config on alpha
- // Allow irix_prctl on mips (setstacksize)
- // Allow flushing all cache on m68k (sys_cacheflush)
- // Allow removing semaphores
- // Used instead of CAP_CHOWN to "chown" IPC message queues, semaphores
- // and shared memory
- // Allow locking/unlocking of shared memory segment
- // Allow turning swap on/off
- // Allow forged pids on socket credentials passing
- // Allow setting readahead and flushing buffers on block devices
- // Allow setting geometry in floppy driver
- // Allow turning DMA on/off in xd driver
- // Allow administration of md devices (mostly the above, but some
- // extra ioctls)
- // Allow tuning the ide driver
- // Allow access to the nvram device
- // Allow administration of apm_bios, serial and bttv (TV) device
- // Allow manufacturer commands in isdn CAPI support driver
- // Allow reading non-standardized portions of pci configuration space
- // Allow DDI debug ioctl on sbpcd driver
- // Allow setting up serial ports
- // Allow sending raw qic-117 commands
- // Allow enabling/disabling tagged queuing on SCSI controllers and sending
- // arbitrary SCSI commands
- // Allow setting encryption key on loopback filesystem
- // Allow setting zone reclaim policy
- CAP_SYS_ADMIN = Cap(21)
-
- // Allow use of reboot()
- CAP_SYS_BOOT = Cap(22)
-
- // Allow raising priority and setting priority on other (different
- // UID) processes
- // Allow use of FIFO and round-robin (realtime) scheduling on own
- // processes and setting the scheduling algorithm used by another
- // process.
- // Allow setting cpu affinity on other processes
- CAP_SYS_NICE = Cap(23)
-
- // Override resource limits. Set resource limits.
- // Override quota limits.
- // Override reserved space on ext2 filesystem
- // Modify data journaling mode on ext3 filesystem (uses journaling
- // resources)
- // NOTE: ext2 honors fsuid when checking for resource overrides, so
- // you can override using fsuid too
- // Override size restrictions on IPC message queues
- // Allow more than 64hz interrupts from the real-time clock
- // Override max number of consoles on console allocation
- // Override max number of keymaps
- CAP_SYS_RESOURCE = Cap(24)
-
- // Allow manipulation of system clock
- // Allow irix_stime on mips
- // Allow setting the real-time clock
- CAP_SYS_TIME = Cap(25)
-
- // Allow configuration of tty devices
- // Allow vhangup() of tty
- CAP_SYS_TTY_CONFIG = Cap(26)
-
- // Allow the privileged aspects of mknod()
- CAP_MKNOD = Cap(27)
-
- // Allow taking of leases on files
- CAP_LEASE = Cap(28)
-
- CAP_AUDIT_WRITE = Cap(29)
- CAP_AUDIT_CONTROL = Cap(30)
- CAP_SETFCAP = Cap(31)
-
- // Override MAC access.
- // The base kernel enforces no MAC policy.
- // An LSM may enforce a MAC policy, and if it does and it chooses
- // to implement capability based overrides of that policy, this is
- // the capability it should use to do so.
- CAP_MAC_OVERRIDE = Cap(32)
-
- // Allow MAC configuration or state changes.
- // The base kernel requires no MAC configuration.
- // An LSM may enforce a MAC policy, and if it does and it chooses
- // to implement capability based checks on modifications to that
- // policy or the data required to maintain it, this is the
- // capability it should use to do so.
- CAP_MAC_ADMIN = Cap(33)
-
- // Allow configuring the kernel's syslog (printk behaviour)
- CAP_SYSLOG = Cap(34)
-
- // Allow triggering something that will wake the system
- CAP_WAKE_ALARM = Cap(35)
-
- // Allow preventing system suspends
- CAP_BLOCK_SUSPEND = Cap(36)
-
- // Allow reading audit messages from the kernel
- CAP_AUDIT_READ = Cap(37)
-)
-
-var (
- // Highest valid capability of the running kernel.
- CAP_LAST_CAP = Cap(63)
-
- capUpperMask = ^uint32(0)
-)
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/syndtr/gocapability/capability/enum_gen.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/syndtr/gocapability/capability/enum_gen.go
deleted file mode 100644
index b9e6d2d5e1ee5cf97cf5b51a543a11875749441d..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/syndtr/gocapability/capability/enum_gen.go
+++ /dev/null
@@ -1,129 +0,0 @@
-// generated file; DO NOT EDIT - use go generate in directory with source
-
-package capability
-
-func (c Cap) String() string {
- switch c {
- case CAP_CHOWN:
- return "chown"
- case CAP_DAC_OVERRIDE:
- return "dac_override"
- case CAP_DAC_READ_SEARCH:
- return "dac_read_search"
- case CAP_FOWNER:
- return "fowner"
- case CAP_FSETID:
- return "fsetid"
- case CAP_KILL:
- return "kill"
- case CAP_SETGID:
- return "setgid"
- case CAP_SETUID:
- return "setuid"
- case CAP_SETPCAP:
- return "setpcap"
- case CAP_LINUX_IMMUTABLE:
- return "linux_immutable"
- case CAP_NET_BIND_SERVICE:
- return "net_bind_service"
- case CAP_NET_BROADCAST:
- return "net_broadcast"
- case CAP_NET_ADMIN:
- return "net_admin"
- case CAP_NET_RAW:
- return "net_raw"
- case CAP_IPC_LOCK:
- return "ipc_lock"
- case CAP_IPC_OWNER:
- return "ipc_owner"
- case CAP_SYS_MODULE:
- return "sys_module"
- case CAP_SYS_RAWIO:
- return "sys_rawio"
- case CAP_SYS_CHROOT:
- return "sys_chroot"
- case CAP_SYS_PTRACE:
- return "sys_ptrace"
- case CAP_SYS_PACCT:
- return "sys_pacct"
- case CAP_SYS_ADMIN:
- return "sys_admin"
- case CAP_SYS_BOOT:
- return "sys_boot"
- case CAP_SYS_NICE:
- return "sys_nice"
- case CAP_SYS_RESOURCE:
- return "sys_resource"
- case CAP_SYS_TIME:
- return "sys_time"
- case CAP_SYS_TTY_CONFIG:
- return "sys_tty_config"
- case CAP_MKNOD:
- return "mknod"
- case CAP_LEASE:
- return "lease"
- case CAP_AUDIT_WRITE:
- return "audit_write"
- case CAP_AUDIT_CONTROL:
- return "audit_control"
- case CAP_SETFCAP:
- return "setfcap"
- case CAP_MAC_OVERRIDE:
- return "mac_override"
- case CAP_MAC_ADMIN:
- return "mac_admin"
- case CAP_SYSLOG:
- return "syslog"
- case CAP_WAKE_ALARM:
- return "wake_alarm"
- case CAP_BLOCK_SUSPEND:
- return "block_suspend"
- case CAP_AUDIT_READ:
- return "audit_read"
- }
- return "unknown"
-}
-
-// List returns list of all supported capabilities
-func List() []Cap {
- return []Cap{
- CAP_CHOWN,
- CAP_DAC_OVERRIDE,
- CAP_DAC_READ_SEARCH,
- CAP_FOWNER,
- CAP_FSETID,
- CAP_KILL,
- CAP_SETGID,
- CAP_SETUID,
- CAP_SETPCAP,
- CAP_LINUX_IMMUTABLE,
- CAP_NET_BIND_SERVICE,
- CAP_NET_BROADCAST,
- CAP_NET_ADMIN,
- CAP_NET_RAW,
- CAP_IPC_LOCK,
- CAP_IPC_OWNER,
- CAP_SYS_MODULE,
- CAP_SYS_RAWIO,
- CAP_SYS_CHROOT,
- CAP_SYS_PTRACE,
- CAP_SYS_PACCT,
- CAP_SYS_ADMIN,
- CAP_SYS_BOOT,
- CAP_SYS_NICE,
- CAP_SYS_RESOURCE,
- CAP_SYS_TIME,
- CAP_SYS_TTY_CONFIG,
- CAP_MKNOD,
- CAP_LEASE,
- CAP_AUDIT_WRITE,
- CAP_AUDIT_CONTROL,
- CAP_SETFCAP,
- CAP_MAC_OVERRIDE,
- CAP_MAC_ADMIN,
- CAP_SYSLOG,
- CAP_WAKE_ALARM,
- CAP_BLOCK_SUSPEND,
- CAP_AUDIT_READ,
- }
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/syndtr/gocapability/capability/enumgen/gen.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/syndtr/gocapability/capability/enumgen/gen.go
deleted file mode 100644
index 4c733809b1b68896f7c3d9dec19cd5da141f66ee..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/syndtr/gocapability/capability/enumgen/gen.go
+++ /dev/null
@@ -1,92 +0,0 @@
-package main
-
-import (
- "bytes"
- "fmt"
- "go/ast"
- "go/format"
- "go/parser"
- "go/token"
- "io/ioutil"
- "log"
- "os"
- "strings"
-)
-
-const fileName = "enum.go"
-const genName = "enum_gen.go"
-
-type generator struct {
- buf bytes.Buffer
- caps []string
-}
-
-func (g *generator) writeHeader() {
- g.buf.WriteString("// generated file; DO NOT EDIT - use go generate in directory with source\n")
- g.buf.WriteString("\n")
- g.buf.WriteString("package capability")
-}
-
-func (g *generator) writeStringFunc() {
- g.buf.WriteString("\n")
- g.buf.WriteString("func (c Cap) String() string {\n")
- g.buf.WriteString("switch c {\n")
- for _, cap := range g.caps {
- fmt.Fprintf(&g.buf, "case %s:\n", cap)
- fmt.Fprintf(&g.buf, "return \"%s\"\n", strings.ToLower(cap[4:]))
- }
- g.buf.WriteString("}\n")
- g.buf.WriteString("return \"unknown\"\n")
- g.buf.WriteString("}\n")
-}
-
-func (g *generator) writeListFunc() {
- g.buf.WriteString("\n")
- g.buf.WriteString("// List returns list of all supported capabilities\n")
- g.buf.WriteString("func List() []Cap {\n")
- g.buf.WriteString("return []Cap{\n")
- for _, cap := range g.caps {
- fmt.Fprintf(&g.buf, "%s,\n", cap)
- }
- g.buf.WriteString("}\n")
- g.buf.WriteString("}\n")
-}
-
-func main() {
- fs := token.NewFileSet()
- parsedFile, err := parser.ParseFile(fs, fileName, nil, 0)
- if err != nil {
- log.Fatal(err)
- }
- var caps []string
- for _, decl := range parsedFile.Decls {
- decl, ok := decl.(*ast.GenDecl)
- if !ok || decl.Tok != token.CONST {
- continue
- }
- for _, spec := range decl.Specs {
- vspec := spec.(*ast.ValueSpec)
- name := vspec.Names[0].Name
- if strings.HasPrefix(name, "CAP_") {
- caps = append(caps, name)
- }
- }
- }
- g := &generator{caps: caps}
- g.writeHeader()
- g.writeStringFunc()
- g.writeListFunc()
- src, err := format.Source(g.buf.Bytes())
- if err != nil {
- fmt.Println("generated invalid Go code")
- fmt.Println(g.buf.String())
- log.Fatal(err)
- }
- fi, err := os.Stat(fileName)
- if err != nil {
- log.Fatal(err)
- }
- if err := ioutil.WriteFile(genName, src, fi.Mode().Perm()); err != nil {
- log.Fatal(err)
- }
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/syndtr/gocapability/capability/syscall_linux.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/syndtr/gocapability/capability/syscall_linux.go
deleted file mode 100644
index dd6f4540650b34352612f9dadd27f13b908499d9..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/syndtr/gocapability/capability/syscall_linux.go
+++ /dev/null
@@ -1,145 +0,0 @@
-// Copyright (c) 2013, Suryandaru Triandana <syndtr@gmail.com>
-// All rights reserved.
-//
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-package capability
-
-import (
- "syscall"
- "unsafe"
-)
-
-type capHeader struct {
- version uint32
- pid int
-}
-
-type capData struct {
- effective uint32
- permitted uint32
- inheritable uint32
-}
-
-func capget(hdr *capHeader, data *capData) (err error) {
- _, _, e1 := syscall.Syscall(syscall.SYS_CAPGET, uintptr(unsafe.Pointer(hdr)), uintptr(unsafe.Pointer(data)), 0)
- if e1 != 0 {
- err = e1
- }
- return
-}
-
-func capset(hdr *capHeader, data *capData) (err error) {
- _, _, e1 := syscall.Syscall(syscall.SYS_CAPSET, uintptr(unsafe.Pointer(hdr)), uintptr(unsafe.Pointer(data)), 0)
- if e1 != 0 {
- err = e1
- }
- return
-}
-
-func prctl(option int, arg2, arg3, arg4, arg5 uintptr) (err error) {
- _, _, e1 := syscall.Syscall6(syscall.SYS_PRCTL, uintptr(option), arg2, arg3, arg4, arg5, 0)
- if e1 != 0 {
- err = e1
- }
- return
-}
-
-const (
- vfsXattrName = "security.capability"
-
- vfsCapVerMask = 0xff000000
- vfsCapVer1 = 0x01000000
- vfsCapVer2 = 0x02000000
-
- vfsCapFlagMask = ^vfsCapVerMask
- vfsCapFlageffective = 0x000001
-
- vfscapDataSizeV1 = 4 * (1 + 2*1)
- vfscapDataSizeV2 = 4 * (1 + 2*2)
-)
-
-type vfscapData struct {
- magic uint32
- data [2]struct {
- permitted uint32
- inheritable uint32
- }
- effective [2]uint32
- version int8
-}
-
-var (
- _vfsXattrName *byte
-)
-
-func init() {
- _vfsXattrName, _ = syscall.BytePtrFromString(vfsXattrName)
-}
-
-func getVfsCap(path string, dest *vfscapData) (err error) {
- var _p0 *byte
- _p0, err = syscall.BytePtrFromString(path)
- if err != nil {
- return
- }
- r0, _, e1 := syscall.Syscall6(syscall.SYS_GETXATTR, uintptr(unsafe.Pointer(_p0)), uintptr(unsafe.Pointer(_vfsXattrName)), uintptr(unsafe.Pointer(dest)), vfscapDataSizeV2, 0, 0)
- if e1 != 0 {
- if e1 == syscall.ENODATA {
- dest.version = 2
- return
- }
- err = e1
- }
- switch dest.magic & vfsCapVerMask {
- case vfsCapVer1:
- dest.version = 1
- if r0 != vfscapDataSizeV1 {
- return syscall.EINVAL
- }
- dest.data[1].permitted = 0
- dest.data[1].inheritable = 0
- case vfsCapVer2:
- dest.version = 2
- if r0 != vfscapDataSizeV2 {
- return syscall.EINVAL
- }
- default:
- return syscall.EINVAL
- }
- if dest.magic&vfsCapFlageffective != 0 {
- dest.effective[0] = dest.data[0].permitted | dest.data[0].inheritable
- dest.effective[1] = dest.data[1].permitted | dest.data[1].inheritable
- } else {
- dest.effective[0] = 0
- dest.effective[1] = 0
- }
- return
-}
-
-func setVfsCap(path string, data *vfscapData) (err error) {
- var _p0 *byte
- _p0, err = syscall.BytePtrFromString(path)
- if err != nil {
- return
- }
- var size uintptr
- if data.version == 1 {
- data.magic = vfsCapVer1
- size = vfscapDataSizeV1
- } else if data.version == 2 {
- data.magic = vfsCapVer2
- if data.effective[0] != 0 || data.effective[1] != 0 {
- data.magic |= vfsCapFlageffective
- }
- size = vfscapDataSizeV2
- } else {
- return syscall.EINVAL
- }
- _, _, e1 := syscall.Syscall6(syscall.SYS_SETXATTR, uintptr(unsafe.Pointer(_p0)), uintptr(unsafe.Pointer(_vfsXattrName)), uintptr(unsafe.Pointer(data)), size, 0, 0)
- if e1 != 0 {
- err = e1
- }
- return
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/vishvananda/netlink/LICENSE b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/vishvananda/netlink/LICENSE
deleted file mode 100644
index 9f64db8582cf97fa23685c44b5f8d8d9630da11b..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/vishvananda/netlink/LICENSE
+++ /dev/null
@@ -1,192 +0,0 @@
-
- Apache License
- Version 2.0, January 2004
- http://www.apache.org/licenses/
-
- TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
-
- 1. Definitions.
-
- "License" shall mean the terms and conditions for use, reproduction,
- and distribution as defined by Sections 1 through 9 of this document.
-
- "Licensor" shall mean the copyright owner or entity authorized by
- the copyright owner that is granting the License.
-
- "Legal Entity" shall mean the union of the acting entity and all
- other entities that control, are controlled by, or are under common
- control with that entity. For the purposes of this definition,
- "control" means (i) the power, direct or indirect, to cause the
- direction or management of such entity, whether by contract or
- otherwise, or (ii) ownership of fifty percent (50%) or more of the
- outstanding shares, or (iii) beneficial ownership of such entity.
-
- "You" (or "Your") shall mean an individual or Legal Entity
- exercising permissions granted by this License.
-
- "Source" form shall mean the preferred form for making modifications,
- including but not limited to software source code, documentation
- source, and configuration files.
-
- "Object" form shall mean any form resulting from mechanical
- transformation or translation of a Source form, including but
- not limited to compiled object code, generated documentation,
- and conversions to other media types.
-
- "Work" shall mean the work of authorship, whether in Source or
- Object form, made available under the License, as indicated by a
- copyright notice that is included in or attached to the work
- (an example is provided in the Appendix below).
-
- "Derivative Works" shall mean any work, whether in Source or Object
- form, that is based on (or derived from) the Work and for which the
- editorial revisions, annotations, elaborations, or other modifications
- represent, as a whole, an original work of authorship. For the purposes
- of this License, Derivative Works shall not include works that remain
- separable from, or merely link (or bind by name) to the interfaces of,
- the Work and Derivative Works thereof.
-
- "Contribution" shall mean any work of authorship, including
- the original version of the Work and any modifications or additions
- to that Work or Derivative Works thereof, that is intentionally
- submitted to Licensor for inclusion in the Work by the copyright owner
- or by an individual or Legal Entity authorized to submit on behalf of
- the copyright owner. For the purposes of this definition, "submitted"
- means any form of electronic, verbal, or written communication sent
- to the Licensor or its representatives, including but not limited to
- communication on electronic mailing lists, source code control systems,
- and issue tracking systems that are managed by, or on behalf of, the
- Licensor for the purpose of discussing and improving the Work, but
- excluding communication that is conspicuously marked or otherwise
- designated in writing by the copyright owner as "Not a Contribution."
-
- "Contributor" shall mean Licensor and any individual or Legal Entity
- on behalf of whom a Contribution has been received by Licensor and
- subsequently incorporated within the Work.
-
- 2. Grant of Copyright License. Subject to the terms and conditions of
- this License, each Contributor hereby grants to You a perpetual,
- worldwide, non-exclusive, no-charge, royalty-free, irrevocable
- copyright license to reproduce, prepare Derivative Works of,
- publicly display, publicly perform, sublicense, and distribute the
- Work and such Derivative Works in Source or Object form.
-
- 3. Grant of Patent License. Subject to the terms and conditions of
- this License, each Contributor hereby grants to You a perpetual,
- worldwide, non-exclusive, no-charge, royalty-free, irrevocable
- (except as stated in this section) patent license to make, have made,
- use, offer to sell, sell, import, and otherwise transfer the Work,
- where such license applies only to those patent claims licensable
- by such Contributor that are necessarily infringed by their
- Contribution(s) alone or by combination of their Contribution(s)
- with the Work to which such Contribution(s) was submitted. If You
- institute patent litigation against any entity (including a
- cross-claim or counterclaim in a lawsuit) alleging that the Work
- or a Contribution incorporated within the Work constitutes direct
- or contributory patent infringement, then any patent licenses
- granted to You under this License for that Work shall terminate
- as of the date such litigation is filed.
-
- 4. Redistribution. You may reproduce and distribute copies of the
- Work or Derivative Works thereof in any medium, with or without
- modifications, and in Source or Object form, provided that You
- meet the following conditions:
-
- (a) You must give any other recipients of the Work or
- Derivative Works a copy of this License; and
-
- (b) You must cause any modified files to carry prominent notices
- stating that You changed the files; and
-
- (c) You must retain, in the Source form of any Derivative Works
- that You distribute, all copyright, patent, trademark, and
- attribution notices from the Source form of the Work,
- excluding those notices that do not pertain to any part of
- the Derivative Works; and
-
- (d) If the Work includes a "NOTICE" text file as part of its
- distribution, then any Derivative Works that You distribute must
- include a readable copy of the attribution notices contained
- within such NOTICE file, excluding those notices that do not
- pertain to any part of the Derivative Works, in at least one
- of the following places: within a NOTICE text file distributed
- as part of the Derivative Works; within the Source form or
- documentation, if provided along with the Derivative Works; or,
- within a display generated by the Derivative Works, if and
- wherever such third-party notices normally appear. The contents
- of the NOTICE file are for informational purposes only and
- do not modify the License. You may add Your own attribution
- notices within Derivative Works that You distribute, alongside
- or as an addendum to the NOTICE text from the Work, provided
- that such additional attribution notices cannot be construed
- as modifying the License.
-
- You may add Your own copyright statement to Your modifications and
- may provide additional or different license terms and conditions
- for use, reproduction, or distribution of Your modifications, or
- for any such Derivative Works as a whole, provided Your use,
- reproduction, and distribution of the Work otherwise complies with
- the conditions stated in this License.
-
- 5. Submission of Contributions. Unless You explicitly state otherwise,
- any Contribution intentionally submitted for inclusion in the Work
- by You to the Licensor shall be under the terms and conditions of
- this License, without any additional terms or conditions.
- Notwithstanding the above, nothing herein shall supersede or modify
- the terms of any separate license agreement you may have executed
- with Licensor regarding such Contributions.
-
- 6. Trademarks. This License does not grant permission to use the trade
- names, trademarks, service marks, or product names of the Licensor,
- except as required for reasonable and customary use in describing the
- origin of the Work and reproducing the content of the NOTICE file.
-
- 7. Disclaimer of Warranty. Unless required by applicable law or
- agreed to in writing, Licensor provides the Work (and each
- Contributor provides its Contributions) on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- implied, including, without limitation, any warranties or conditions
- of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
- PARTICULAR PURPOSE. You are solely responsible for determining the
- appropriateness of using or redistributing the Work and assume any
- risks associated with Your exercise of permissions under this License.
-
- 8. Limitation of Liability. In no event and under no legal theory,
- whether in tort (including negligence), contract, or otherwise,
- unless required by applicable law (such as deliberate and grossly
- negligent acts) or agreed to in writing, shall any Contributor be
- liable to You for damages, including any direct, indirect, special,
- incidental, or consequential damages of any character arising as a
- result of this License or out of the use or inability to use the
- Work (including but not limited to damages for loss of goodwill,
- work stoppage, computer failure or malfunction, or any and all
- other commercial damages or losses), even if such Contributor
- has been advised of the possibility of such damages.
-
- 9. Accepting Warranty or Additional Liability. While redistributing
- the Work or Derivative Works thereof, You may choose to offer,
- and charge a fee for, acceptance of support, warranty, indemnity,
- or other liability obligations and/or rights consistent with this
- License. However, in accepting such obligations, You may act only
- on Your own behalf and on Your sole responsibility, not on behalf
- of any other Contributor, and only if You agree to indemnify,
- defend, and hold each Contributor harmless for any liability
- incurred by, or claims asserted against, such Contributor by reason
- of your accepting any such warranty or additional liability.
-
- END OF TERMS AND CONDITIONS
-
- Copyright 2014 Vishvananda Ishaya.
- Copyright 2014 Docker, Inc.
-
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/vishvananda/netlink/addr.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/vishvananda/netlink/addr.go
deleted file mode 100644
index 9bbaf508e0c9cbcfa8d90bb75ce2a4475e5d12f6..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/vishvananda/netlink/addr.go
+++ /dev/null
@@ -1,43 +0,0 @@
-package netlink
-
-import (
- "fmt"
- "net"
- "strings"
-)
-
-// Addr represents an IP address from netlink. Netlink ip addresses
-// include a mask, so it stores the address as a net.IPNet.
-type Addr struct {
- *net.IPNet
- Label string
-}
-
-// String returns $ip/$netmask $label
-func (a Addr) String() string {
- return fmt.Sprintf("%s %s", a.IPNet, a.Label)
-}
-
-// ParseAddr parses the string representation of an address in the
-// form $ip/$netmask $label. The label portion is optional
-func ParseAddr(s string) (*Addr, error) {
- label := ""
- parts := strings.Split(s, " ")
- if len(parts) > 1 {
- s = parts[0]
- label = parts[1]
- }
- m, err := ParseIPNet(s)
- if err != nil {
- return nil, err
- }
- return &Addr{IPNet: m, Label: label}, nil
-}
-
-// Equal returns true if both Addrs have the same net.IPNet value.
-func (a Addr) Equal(x Addr) bool {
- sizea, _ := a.Mask.Size()
- sizeb, _ := x.Mask.Size()
- // ignore label for comparison
- return a.IP.Equal(x.IP) && sizea == sizeb
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/vishvananda/netlink/addr_linux.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/vishvananda/netlink/addr_linux.go
deleted file mode 100644
index 19aac0fb9799a749e8df60871f064f41ce3a1b73..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/vishvananda/netlink/addr_linux.go
+++ /dev/null
@@ -1,128 +0,0 @@
-package netlink
-
-import (
- "fmt"
- "net"
- "strings"
- "syscall"
-
- "github.com/vishvananda/netlink/nl"
-)
-
-// AddrAdd will add an IP address to a link device.
-// Equivalent to: `ip addr add $addr dev $link`
-func AddrAdd(link Link, addr *Addr) error {
-
- req := nl.NewNetlinkRequest(syscall.RTM_NEWADDR, syscall.NLM_F_CREATE|syscall.NLM_F_EXCL|syscall.NLM_F_ACK)
- return addrHandle(link, addr, req)
-}
-
-// AddrDel will delete an IP address from a link device.
-// Equivalent to: `ip addr del $addr dev $link`
-func AddrDel(link Link, addr *Addr) error {
- req := nl.NewNetlinkRequest(syscall.RTM_DELADDR, syscall.NLM_F_ACK)
- return addrHandle(link, addr, req)
-}
-
-func addrHandle(link Link, addr *Addr, req *nl.NetlinkRequest) error {
- base := link.Attrs()
- if addr.Label != "" && !strings.HasPrefix(addr.Label, base.Name) {
- return fmt.Errorf("label must begin with interface name")
- }
- ensureIndex(base)
-
- family := nl.GetIPFamily(addr.IP)
-
- msg := nl.NewIfAddrmsg(family)
- msg.Index = uint32(base.Index)
- prefixlen, _ := addr.Mask.Size()
- msg.Prefixlen = uint8(prefixlen)
- req.AddData(msg)
-
- var addrData []byte
- if family == FAMILY_V4 {
- addrData = addr.IP.To4()
- } else {
- addrData = addr.IP.To16()
- }
-
- localData := nl.NewRtAttr(syscall.IFA_LOCAL, addrData)
- req.AddData(localData)
-
- addressData := nl.NewRtAttr(syscall.IFA_ADDRESS, addrData)
- req.AddData(addressData)
-
- if addr.Label != "" {
- labelData := nl.NewRtAttr(syscall.IFA_LABEL, nl.ZeroTerminated(addr.Label))
- req.AddData(labelData)
- }
-
- _, err := req.Execute(syscall.NETLINK_ROUTE, 0)
- return err
-}
-
-// AddrList gets a list of IP addresses in the system.
-// Equivalent to: `ip addr show`.
-// The list can be filtered by link and ip family.
-func AddrList(link Link, family int) ([]Addr, error) {
- req := nl.NewNetlinkRequest(syscall.RTM_GETADDR, syscall.NLM_F_DUMP)
- msg := nl.NewIfInfomsg(family)
- req.AddData(msg)
-
- msgs, err := req.Execute(syscall.NETLINK_ROUTE, syscall.RTM_NEWADDR)
- if err != nil {
- return nil, err
- }
-
- index := 0
- if link != nil {
- base := link.Attrs()
- ensureIndex(base)
- index = base.Index
- }
-
- var res []Addr
- for _, m := range msgs {
- msg := nl.DeserializeIfAddrmsg(m)
-
- if link != nil && msg.Index != uint32(index) {
- // Ignore messages from other interfaces
- continue
- }
-
- attrs, err := nl.ParseRouteAttr(m[msg.Len():])
- if err != nil {
- return nil, err
- }
-
- var local, dst *net.IPNet
- var addr Addr
- for _, attr := range attrs {
- switch attr.Attr.Type {
- case syscall.IFA_ADDRESS:
- dst = &net.IPNet{
- IP: attr.Value,
- Mask: net.CIDRMask(int(msg.Prefixlen), 8*len(attr.Value)),
- }
- case syscall.IFA_LOCAL:
- local = &net.IPNet{
- IP: attr.Value,
- Mask: net.CIDRMask(int(msg.Prefixlen), 8*len(attr.Value)),
- }
- case syscall.IFA_LABEL:
- addr.Label = string(attr.Value[:len(attr.Value)-1])
- }
- }
-
- // IFA_LOCAL should be there but if not, fall back to IFA_ADDRESS
- if local != nil {
- addr.IPNet = local
- } else {
- addr.IPNet = dst
- }
-
- res = append(res, addr)
- }
-
- return res, nil
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/vishvananda/netlink/filter.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/vishvananda/netlink/filter.go
deleted file mode 100644
index 83ad7007b99d20815d41e4efc4a17889624c12d3..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/vishvananda/netlink/filter.go
+++ /dev/null
@@ -1,55 +0,0 @@
-package netlink
-
-import (
- "fmt"
-)
-
-type Filter interface {
- Attrs() *FilterAttrs
- Type() string
-}
-
-// Filter represents a netlink filter. A filter is associated with a link,
-// has a handle and a parent. The root filter of a device should have a
-// parent == HANDLE_ROOT.
-type FilterAttrs struct {
- LinkIndex int
- Handle uint32
- Parent uint32
- Priority uint16 // lower is higher priority
- Protocol uint16 // syscall.ETH_P_*
-}
-
-func (q FilterAttrs) String() string {
- return fmt.Sprintf("{LinkIndex: %d, Handle: %s, Parent: %s, Priority: %d, Protocol: %d}", q.LinkIndex, HandleStr(q.Handle), HandleStr(q.Parent), q.Priority, q.Protocol)
-}
-
-// U32 filters on many packet related properties
-type U32 struct {
- FilterAttrs
- // Currently only supports redirecting to another interface
- RedirIndex int
-}
-
-func (filter *U32) Attrs() *FilterAttrs {
- return &filter.FilterAttrs
-}
-
-func (filter *U32) Type() string {
- return "u32"
-}
-
-// GenericFilter filters represent types that are not currently understood
-// by this netlink library.
-type GenericFilter struct {
- FilterAttrs
- FilterType string
-}
-
-func (filter *GenericFilter) Attrs() *FilterAttrs {
- return &filter.FilterAttrs
-}
-
-func (filter *GenericFilter) Type() string {
- return filter.FilterType
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/vishvananda/netlink/filter_linux.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/vishvananda/netlink/filter_linux.go
deleted file mode 100644
index 1ec69870280554c87df6181eb358f171ac698925..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/vishvananda/netlink/filter_linux.go
+++ /dev/null
@@ -1,191 +0,0 @@
-package netlink
-
-import (
- "fmt"
- "syscall"
-
- "github.com/vishvananda/netlink/nl"
-)
-
-// FilterDel will delete a filter from the system.
-// Equivalent to: `tc filter del $filter`
-func FilterDel(filter Filter) error {
- req := nl.NewNetlinkRequest(syscall.RTM_DELTFILTER, syscall.NLM_F_ACK)
- base := filter.Attrs()
- msg := &nl.TcMsg{
- Family: nl.FAMILY_ALL,
- Ifindex: int32(base.LinkIndex),
- Handle: base.Handle,
- Parent: base.Parent,
- Info: MakeHandle(base.Priority, nl.Swap16(base.Protocol)),
- }
- req.AddData(msg)
-
- _, err := req.Execute(syscall.NETLINK_ROUTE, 0)
- return err
-}
-
-// FilterAdd will add a filter to the system.
-// Equivalent to: `tc filter add $filter`
-func FilterAdd(filter Filter) error {
- req := nl.NewNetlinkRequest(syscall.RTM_NEWTFILTER, syscall.NLM_F_CREATE|syscall.NLM_F_EXCL|syscall.NLM_F_ACK)
- base := filter.Attrs()
- msg := &nl.TcMsg{
- Family: nl.FAMILY_ALL,
- Ifindex: int32(base.LinkIndex),
- Handle: base.Handle,
- Parent: base.Parent,
- Info: MakeHandle(base.Priority, nl.Swap16(base.Protocol)),
- }
- req.AddData(msg)
- req.AddData(nl.NewRtAttr(nl.TCA_KIND, nl.ZeroTerminated(filter.Type())))
-
- options := nl.NewRtAttr(nl.TCA_OPTIONS, nil)
- if u32, ok := filter.(*U32); ok {
- // match all
- sel := nl.TcU32Sel{
- Nkeys: 1,
- Flags: nl.TC_U32_TERMINAL,
- }
- sel.Keys = append(sel.Keys, nl.TcU32Key{})
- nl.NewRtAttrChild(options, nl.TCA_U32_SEL, sel.Serialize())
- actions := nl.NewRtAttrChild(options, nl.TCA_U32_ACT, nil)
- table := nl.NewRtAttrChild(actions, nl.TCA_ACT_TAB, nil)
- nl.NewRtAttrChild(table, nl.TCA_KIND, nl.ZeroTerminated("mirred"))
- // redirect to other interface
- mir := nl.TcMirred{
- Action: nl.TC_ACT_STOLEN,
- Eaction: nl.TCA_EGRESS_REDIR,
- Ifindex: uint32(u32.RedirIndex),
- }
- aopts := nl.NewRtAttrChild(table, nl.TCA_OPTIONS, nil)
- nl.NewRtAttrChild(aopts, nl.TCA_MIRRED_PARMS, mir.Serialize())
- }
- req.AddData(options)
- _, err := req.Execute(syscall.NETLINK_ROUTE, 0)
- return err
-}
-
-// FilterList gets a list of filters in the system.
-// Equivalent to: `tc filter show`.
-// Generally retunrs nothing if link and parent are not specified.
-func FilterList(link Link, parent uint32) ([]Filter, error) {
- req := nl.NewNetlinkRequest(syscall.RTM_GETTFILTER, syscall.NLM_F_DUMP)
- msg := &nl.TcMsg{
- Family: nl.FAMILY_ALL,
- Parent: parent,
- }
- if link != nil {
- base := link.Attrs()
- ensureIndex(base)
- msg.Ifindex = int32(base.Index)
- }
- req.AddData(msg)
-
- msgs, err := req.Execute(syscall.NETLINK_ROUTE, syscall.RTM_NEWTFILTER)
- if err != nil {
- return nil, err
- }
-
- var res []Filter
- for _, m := range msgs {
- msg := nl.DeserializeTcMsg(m)
-
- attrs, err := nl.ParseRouteAttr(m[msg.Len():])
- if err != nil {
- return nil, err
- }
-
- base := FilterAttrs{
- LinkIndex: int(msg.Ifindex),
- Handle: msg.Handle,
- Parent: msg.Parent,
- }
- base.Priority, base.Protocol = MajorMinor(msg.Info)
- base.Protocol = nl.Swap16(base.Protocol)
-
- var filter Filter
- filterType := ""
- detailed := false
- for _, attr := range attrs {
- switch attr.Attr.Type {
- case nl.TCA_KIND:
- filterType = string(attr.Value[:len(attr.Value)-1])
- switch filterType {
- case "u32":
- filter = &U32{}
- default:
- filter = &GenericFilter{FilterType: filterType}
- }
- case nl.TCA_OPTIONS:
- switch filterType {
- case "u32":
- data, err := nl.ParseRouteAttr(attr.Value)
- if err != nil {
- return nil, err
- }
- detailed, err = parseU32Data(filter, data)
- if err != nil {
- return nil, err
- }
- }
- }
- }
- // only return the detailed version of the filter
- if detailed {
- *filter.Attrs() = base
- res = append(res, filter)
- }
- }
-
- return res, nil
-}
-
-func parseU32Data(filter Filter, data []syscall.NetlinkRouteAttr) (bool, error) {
- native = nl.NativeEndian()
- u32 := filter.(*U32)
- detailed := false
- for _, datum := range data {
- switch datum.Attr.Type {
- case nl.TCA_U32_SEL:
- detailed = true
- sel := nl.DeserializeTcU32Sel(datum.Value)
- // only parse if we have a very basic redirect
- if sel.Flags&nl.TC_U32_TERMINAL == 0 || sel.Nkeys != 1 {
- return detailed, nil
- }
- case nl.TCA_U32_ACT:
- table, err := nl.ParseRouteAttr(datum.Value)
- if err != nil {
- return detailed, err
- }
- if len(table) != 1 || table[0].Attr.Type != nl.TCA_ACT_TAB {
- return detailed, fmt.Errorf("Action table not formed properly")
- }
- aattrs, err := nl.ParseRouteAttr(table[0].Value)
- for _, aattr := range aattrs {
- switch aattr.Attr.Type {
- case nl.TCA_KIND:
- actionType := string(aattr.Value[:len(aattr.Value)-1])
- // only parse if the action is mirred
- if actionType != "mirred" {
- return detailed, nil
- }
- case nl.TCA_OPTIONS:
- adata, err := nl.ParseRouteAttr(aattr.Value)
- if err != nil {
- return detailed, err
- }
- for _, adatum := range adata {
- switch adatum.Attr.Type {
- case nl.TCA_MIRRED_PARMS:
- mir := nl.DeserializeTcMirred(adatum.Value)
- u32.RedirIndex = int(mir.Ifindex)
- }
- }
- }
- }
- }
- }
- return detailed, nil
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/vishvananda/netlink/link.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/vishvananda/netlink/link.go
deleted file mode 100644
index 18fd1759adb5e6e87edee57b307f64a720af4802..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/vishvananda/netlink/link.go
+++ /dev/null
@@ -1,223 +0,0 @@
-package netlink
-
-import "net"
-
-// Link represents a link device from netlink. Shared link attributes
-// like name may be retrieved using the Attrs() method. Unique data
-// can be retrieved by casting the object to the proper type.
-type Link interface {
- Attrs() *LinkAttrs
- Type() string
-}
-
-type (
- NsPid int
- NsFd int
-)
-
-// LinkAttrs represents data shared by most link types
-type LinkAttrs struct {
- Index int
- MTU int
- TxQLen int // Transmit Queue Length
- Name string
- HardwareAddr net.HardwareAddr
- Flags net.Flags
- ParentIndex int // index of the parent link device
- MasterIndex int // must be the index of a bridge
- Namespace interface{} // nil | NsPid | NsFd
-}
-
-// NewLinkAttrs returns LinkAttrs structure filled with default values
-func NewLinkAttrs() LinkAttrs {
- return LinkAttrs{
- TxQLen: -1,
- }
-}
-
-// Device links cannot be created via netlink. These links
-// are links created by udev like 'lo' and 'etho0'
-type Device struct {
- LinkAttrs
-}
-
-func (device *Device) Attrs() *LinkAttrs {
- return &device.LinkAttrs
-}
-
-func (device *Device) Type() string {
- return "device"
-}
-
-// Dummy links are dummy ethernet devices
-type Dummy struct {
- LinkAttrs
-}
-
-func (dummy *Dummy) Attrs() *LinkAttrs {
- return &dummy.LinkAttrs
-}
-
-func (dummy *Dummy) Type() string {
- return "dummy"
-}
-
-// Ifb links are advanced dummy devices for packet filtering
-type Ifb struct {
- LinkAttrs
-}
-
-func (ifb *Ifb) Attrs() *LinkAttrs {
- return &ifb.LinkAttrs
-}
-
-func (ifb *Ifb) Type() string {
- return "ifb"
-}
-
-// Bridge links are simple linux bridges
-type Bridge struct {
- LinkAttrs
-}
-
-func (bridge *Bridge) Attrs() *LinkAttrs {
- return &bridge.LinkAttrs
-}
-
-func (bridge *Bridge) Type() string {
- return "bridge"
-}
-
-// Vlan links have ParentIndex set in their Attrs()
-type Vlan struct {
- LinkAttrs
- VlanId int
-}
-
-func (vlan *Vlan) Attrs() *LinkAttrs {
- return &vlan.LinkAttrs
-}
-
-func (vlan *Vlan) Type() string {
- return "vlan"
-}
-
-type MacvlanMode uint16
-
-const (
- MACVLAN_MODE_DEFAULT MacvlanMode = iota
- MACVLAN_MODE_PRIVATE
- MACVLAN_MODE_VEPA
- MACVLAN_MODE_BRIDGE
- MACVLAN_MODE_PASSTHRU
- MACVLAN_MODE_SOURCE
-)
-
-// Macvlan links have ParentIndex set in their Attrs()
-type Macvlan struct {
- LinkAttrs
- Mode MacvlanMode
-}
-
-func (macvlan *Macvlan) Attrs() *LinkAttrs {
- return &macvlan.LinkAttrs
-}
-
-func (macvlan *Macvlan) Type() string {
- return "macvlan"
-}
-
-// Macvtap - macvtap is a virtual interfaces based on macvlan
-type Macvtap struct {
- Macvlan
-}
-
-func (macvtap Macvtap) Type() string {
- return "macvtap"
-}
-
-// Veth devices must specify PeerName on create
-type Veth struct {
- LinkAttrs
- PeerName string // veth on create only
-}
-
-func (veth *Veth) Attrs() *LinkAttrs {
- return &veth.LinkAttrs
-}
-
-func (veth *Veth) Type() string {
- return "veth"
-}
-
-// GenericLink links represent types that are not currently understood
-// by this netlink library.
-type GenericLink struct {
- LinkAttrs
- LinkType string
-}
-
-func (generic *GenericLink) Attrs() *LinkAttrs {
- return &generic.LinkAttrs
-}
-
-func (generic *GenericLink) Type() string {
- return generic.LinkType
-}
-
-type Vxlan struct {
- LinkAttrs
- VxlanId int
- VtepDevIndex int
- SrcAddr net.IP
- Group net.IP
- TTL int
- TOS int
- Learning bool
- Proxy bool
- RSC bool
- L2miss bool
- L3miss bool
- NoAge bool
- GBP bool
- Age int
- Limit int
- Port int
- PortLow int
- PortHigh int
-}
-
-func (vxlan *Vxlan) Attrs() *LinkAttrs {
- return &vxlan.LinkAttrs
-}
-
-func (vxlan *Vxlan) Type() string {
- return "vxlan"
-}
-
-type IPVlanMode uint16
-
-const (
- IPVLAN_MODE_L2 IPVlanMode = iota
- IPVLAN_MODE_L3
- IPVLAN_MODE_MAX
-)
-
-type IPVlan struct {
- LinkAttrs
- Mode IPVlanMode
-}
-
-func (ipvlan *IPVlan) Attrs() *LinkAttrs {
- return &ipvlan.LinkAttrs
-}
-
-func (ipvlan *IPVlan) Type() string {
- return "ipvlan"
-}
-
-// iproute2 supported devices;
-// vlan | veth | vcan | dummy | ifb | macvlan | macvtap |
-// bridge | bond | ipoib | ip6tnl | ipip | sit | vxlan |
-// gre | gretap | ip6gre | ip6gretap | vti | nlmon |
-// bond_slave | ipvlan
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/vishvananda/netlink/link_linux.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/vishvananda/netlink/link_linux.go
deleted file mode 100644
index 6851150443b48310c6015edacb368f1e01c09392..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/vishvananda/netlink/link_linux.go
+++ /dev/null
@@ -1,750 +0,0 @@
-package netlink
-
-import (
- "bytes"
- "encoding/binary"
- "fmt"
- "net"
- "syscall"
-
- "github.com/vishvananda/netlink/nl"
-)
-
-var native = nl.NativeEndian()
-var lookupByDump = false
-
-var macvlanModes = [...]uint32{
- 0,
- nl.MACVLAN_MODE_PRIVATE,
- nl.MACVLAN_MODE_VEPA,
- nl.MACVLAN_MODE_BRIDGE,
- nl.MACVLAN_MODE_PASSTHRU,
- nl.MACVLAN_MODE_SOURCE,
-}
-
-func ensureIndex(link *LinkAttrs) {
- if link != nil && link.Index == 0 {
- newlink, _ := LinkByName(link.Name)
- if newlink != nil {
- link.Index = newlink.Attrs().Index
- }
- }
-}
-
-// LinkSetUp enables the link device.
-// Equivalent to: `ip link set $link up`
-func LinkSetUp(link Link) error {
- base := link.Attrs()
- ensureIndex(base)
- req := nl.NewNetlinkRequest(syscall.RTM_NEWLINK, syscall.NLM_F_ACK)
-
- msg := nl.NewIfInfomsg(syscall.AF_UNSPEC)
- msg.Change = syscall.IFF_UP
- msg.Flags = syscall.IFF_UP
- msg.Index = int32(base.Index)
- req.AddData(msg)
-
- _, err := req.Execute(syscall.NETLINK_ROUTE, 0)
- return err
-}
-
-// LinkSetDown disables link device.
-// Equivalent to: `ip link set $link down`
-func LinkSetDown(link Link) error {
- base := link.Attrs()
- ensureIndex(base)
- req := nl.NewNetlinkRequest(syscall.RTM_NEWLINK, syscall.NLM_F_ACK)
-
- msg := nl.NewIfInfomsg(syscall.AF_UNSPEC)
- msg.Change = syscall.IFF_UP
- msg.Flags = 0 & ^syscall.IFF_UP
- msg.Index = int32(base.Index)
- req.AddData(msg)
-
- _, err := req.Execute(syscall.NETLINK_ROUTE, 0)
- return err
-}
-
-// LinkSetMTU sets the mtu of the link device.
-// Equivalent to: `ip link set $link mtu $mtu`
-func LinkSetMTU(link Link, mtu int) error {
- base := link.Attrs()
- ensureIndex(base)
- req := nl.NewNetlinkRequest(syscall.RTM_SETLINK, syscall.NLM_F_ACK)
-
- msg := nl.NewIfInfomsg(syscall.AF_UNSPEC)
- msg.Index = int32(base.Index)
- req.AddData(msg)
-
- b := make([]byte, 4)
- native.PutUint32(b, uint32(mtu))
-
- data := nl.NewRtAttr(syscall.IFLA_MTU, b)
- req.AddData(data)
-
- _, err := req.Execute(syscall.NETLINK_ROUTE, 0)
- return err
-}
-
-// LinkSetName sets the name of the link device.
-// Equivalent to: `ip link set $link name $name`
-func LinkSetName(link Link, name string) error {
- base := link.Attrs()
- ensureIndex(base)
- req := nl.NewNetlinkRequest(syscall.RTM_SETLINK, syscall.NLM_F_ACK)
-
- msg := nl.NewIfInfomsg(syscall.AF_UNSPEC)
- msg.Index = int32(base.Index)
- req.AddData(msg)
-
- data := nl.NewRtAttr(syscall.IFLA_IFNAME, []byte(name))
- req.AddData(data)
-
- _, err := req.Execute(syscall.NETLINK_ROUTE, 0)
- return err
-}
-
-// LinkSetHardwareAddr sets the hardware address of the link device.
-// Equivalent to: `ip link set $link address $hwaddr`
-func LinkSetHardwareAddr(link Link, hwaddr net.HardwareAddr) error {
- base := link.Attrs()
- ensureIndex(base)
- req := nl.NewNetlinkRequest(syscall.RTM_SETLINK, syscall.NLM_F_ACK)
-
- msg := nl.NewIfInfomsg(syscall.AF_UNSPEC)
- msg.Index = int32(base.Index)
- req.AddData(msg)
-
- data := nl.NewRtAttr(syscall.IFLA_ADDRESS, []byte(hwaddr))
- req.AddData(data)
-
- _, err := req.Execute(syscall.NETLINK_ROUTE, 0)
- return err
-}
-
-// LinkSetMaster sets the master of the link device.
-// Equivalent to: `ip link set $link master $master`
-func LinkSetMaster(link Link, master *Bridge) error {
- index := 0
- if master != nil {
- masterBase := master.Attrs()
- ensureIndex(masterBase)
- index = masterBase.Index
- }
- return LinkSetMasterByIndex(link, index)
-}
-
-// LinkSetMasterByIndex sets the master of the link device.
-// Equivalent to: `ip link set $link master $master`
-func LinkSetMasterByIndex(link Link, masterIndex int) error {
- base := link.Attrs()
- ensureIndex(base)
- req := nl.NewNetlinkRequest(syscall.RTM_SETLINK, syscall.NLM_F_ACK)
-
- msg := nl.NewIfInfomsg(syscall.AF_UNSPEC)
- msg.Index = int32(base.Index)
- req.AddData(msg)
-
- b := make([]byte, 4)
- native.PutUint32(b, uint32(masterIndex))
-
- data := nl.NewRtAttr(syscall.IFLA_MASTER, b)
- req.AddData(data)
-
- _, err := req.Execute(syscall.NETLINK_ROUTE, 0)
- return err
-}
-
-// LinkSetNsPid puts the device into a new network namespace. The
-// pid must be a pid of a running process.
-// Equivalent to: `ip link set $link netns $pid`
-func LinkSetNsPid(link Link, nspid int) error {
- base := link.Attrs()
- ensureIndex(base)
- req := nl.NewNetlinkRequest(syscall.RTM_SETLINK, syscall.NLM_F_ACK)
-
- msg := nl.NewIfInfomsg(syscall.AF_UNSPEC)
- msg.Index = int32(base.Index)
- req.AddData(msg)
-
- b := make([]byte, 4)
- native.PutUint32(b, uint32(nspid))
-
- data := nl.NewRtAttr(syscall.IFLA_NET_NS_PID, b)
- req.AddData(data)
-
- _, err := req.Execute(syscall.NETLINK_ROUTE, 0)
- return err
-}
-
-// LinkSetNsFd puts the device into a new network namespace. The
-// fd must be an open file descriptor to a network namespace.
-// Similar to: `ip link set $link netns $ns`
-func LinkSetNsFd(link Link, fd int) error {
- base := link.Attrs()
- ensureIndex(base)
- req := nl.NewNetlinkRequest(syscall.RTM_SETLINK, syscall.NLM_F_ACK)
-
- msg := nl.NewIfInfomsg(syscall.AF_UNSPEC)
- msg.Index = int32(base.Index)
- req.AddData(msg)
-
- b := make([]byte, 4)
- native.PutUint32(b, uint32(fd))
-
- data := nl.NewRtAttr(nl.IFLA_NET_NS_FD, b)
- req.AddData(data)
-
- _, err := req.Execute(syscall.NETLINK_ROUTE, 0)
- return err
-}
-
-func boolAttr(val bool) []byte {
- var v uint8
- if val {
- v = 1
- }
- return nl.Uint8Attr(v)
-}
-
-type vxlanPortRange struct {
- Lo, Hi uint16
-}
-
-func addVxlanAttrs(vxlan *Vxlan, linkInfo *nl.RtAttr) {
- data := nl.NewRtAttrChild(linkInfo, nl.IFLA_INFO_DATA, nil)
- nl.NewRtAttrChild(data, nl.IFLA_VXLAN_ID, nl.Uint32Attr(uint32(vxlan.VxlanId)))
- if vxlan.VtepDevIndex != 0 {
- nl.NewRtAttrChild(data, nl.IFLA_VXLAN_LINK, nl.Uint32Attr(uint32(vxlan.VtepDevIndex)))
- }
- if vxlan.SrcAddr != nil {
- ip := vxlan.SrcAddr.To4()
- if ip != nil {
- nl.NewRtAttrChild(data, nl.IFLA_VXLAN_LOCAL, []byte(ip))
- } else {
- ip = vxlan.SrcAddr.To16()
- if ip != nil {
- nl.NewRtAttrChild(data, nl.IFLA_VXLAN_LOCAL6, []byte(ip))
- }
- }
- }
- if vxlan.Group != nil {
- group := vxlan.Group.To4()
- if group != nil {
- nl.NewRtAttrChild(data, nl.IFLA_VXLAN_GROUP, []byte(group))
- } else {
- group = vxlan.Group.To16()
- if group != nil {
- nl.NewRtAttrChild(data, nl.IFLA_VXLAN_GROUP6, []byte(group))
- }
- }
- }
-
- nl.NewRtAttrChild(data, nl.IFLA_VXLAN_TTL, nl.Uint8Attr(uint8(vxlan.TTL)))
- nl.NewRtAttrChild(data, nl.IFLA_VXLAN_TOS, nl.Uint8Attr(uint8(vxlan.TOS)))
- nl.NewRtAttrChild(data, nl.IFLA_VXLAN_LEARNING, boolAttr(vxlan.Learning))
- nl.NewRtAttrChild(data, nl.IFLA_VXLAN_PROXY, boolAttr(vxlan.Proxy))
- nl.NewRtAttrChild(data, nl.IFLA_VXLAN_RSC, boolAttr(vxlan.RSC))
- nl.NewRtAttrChild(data, nl.IFLA_VXLAN_L2MISS, boolAttr(vxlan.L2miss))
- nl.NewRtAttrChild(data, nl.IFLA_VXLAN_L3MISS, boolAttr(vxlan.L3miss))
-
- if vxlan.GBP {
- nl.NewRtAttrChild(data, nl.IFLA_VXLAN_GBP, boolAttr(vxlan.GBP))
- }
-
- if vxlan.NoAge {
- nl.NewRtAttrChild(data, nl.IFLA_VXLAN_AGEING, nl.Uint32Attr(0))
- } else if vxlan.Age > 0 {
- nl.NewRtAttrChild(data, nl.IFLA_VXLAN_AGEING, nl.Uint32Attr(uint32(vxlan.Age)))
- }
- if vxlan.Limit > 0 {
- nl.NewRtAttrChild(data, nl.IFLA_VXLAN_LIMIT, nl.Uint32Attr(uint32(vxlan.Limit)))
- }
- if vxlan.Port > 0 {
- nl.NewRtAttrChild(data, nl.IFLA_VXLAN_PORT, nl.Uint16Attr(uint16(vxlan.Port)))
- }
- if vxlan.PortLow > 0 || vxlan.PortHigh > 0 {
- pr := vxlanPortRange{uint16(vxlan.PortLow), uint16(vxlan.PortHigh)}
-
- buf := new(bytes.Buffer)
- binary.Write(buf, binary.BigEndian, &pr)
-
- nl.NewRtAttrChild(data, nl.IFLA_VXLAN_PORT_RANGE, buf.Bytes())
- }
-}
-
-// LinkAdd adds a new link device. The type and features of the device
-// are taken fromt the parameters in the link object.
-// Equivalent to: `ip link add $link`
-func LinkAdd(link Link) error {
- // TODO: set mtu and hardware address
- // TODO: support extra data for macvlan
- base := link.Attrs()
-
- if base.Name == "" {
- return fmt.Errorf("LinkAttrs.Name cannot be empty!")
- }
-
- req := nl.NewNetlinkRequest(syscall.RTM_NEWLINK, syscall.NLM_F_CREATE|syscall.NLM_F_EXCL|syscall.NLM_F_ACK)
-
- msg := nl.NewIfInfomsg(syscall.AF_UNSPEC)
- req.AddData(msg)
-
- if base.ParentIndex != 0 {
- b := make([]byte, 4)
- native.PutUint32(b, uint32(base.ParentIndex))
- data := nl.NewRtAttr(syscall.IFLA_LINK, b)
- req.AddData(data)
- } else if link.Type() == "ipvlan" {
- return fmt.Errorf("Can't create ipvlan link without ParentIndex")
- }
-
- nameData := nl.NewRtAttr(syscall.IFLA_IFNAME, nl.ZeroTerminated(base.Name))
- req.AddData(nameData)
-
- if base.MTU > 0 {
- mtu := nl.NewRtAttr(syscall.IFLA_MTU, nl.Uint32Attr(uint32(base.MTU)))
- req.AddData(mtu)
- }
-
- if base.TxQLen >= 0 {
- qlen := nl.NewRtAttr(syscall.IFLA_TXQLEN, nl.Uint32Attr(uint32(base.TxQLen)))
- req.AddData(qlen)
- }
-
- if base.Namespace != nil {
- var attr *nl.RtAttr
- switch base.Namespace.(type) {
- case NsPid:
- val := nl.Uint32Attr(uint32(base.Namespace.(NsPid)))
- attr = nl.NewRtAttr(syscall.IFLA_NET_NS_PID, val)
- case NsFd:
- val := nl.Uint32Attr(uint32(base.Namespace.(NsFd)))
- attr = nl.NewRtAttr(nl.IFLA_NET_NS_FD, val)
- }
-
- req.AddData(attr)
- }
-
- linkInfo := nl.NewRtAttr(syscall.IFLA_LINKINFO, nil)
- nl.NewRtAttrChild(linkInfo, nl.IFLA_INFO_KIND, nl.NonZeroTerminated(link.Type()))
-
- if vlan, ok := link.(*Vlan); ok {
- b := make([]byte, 2)
- native.PutUint16(b, uint16(vlan.VlanId))
- data := nl.NewRtAttrChild(linkInfo, nl.IFLA_INFO_DATA, nil)
- nl.NewRtAttrChild(data, nl.IFLA_VLAN_ID, b)
- } else if veth, ok := link.(*Veth); ok {
- data := nl.NewRtAttrChild(linkInfo, nl.IFLA_INFO_DATA, nil)
- peer := nl.NewRtAttrChild(data, nl.VETH_INFO_PEER, nil)
- nl.NewIfInfomsgChild(peer, syscall.AF_UNSPEC)
- nl.NewRtAttrChild(peer, syscall.IFLA_IFNAME, nl.ZeroTerminated(veth.PeerName))
- if base.TxQLen >= 0 {
- nl.NewRtAttrChild(peer, syscall.IFLA_TXQLEN, nl.Uint32Attr(uint32(base.TxQLen)))
- }
- if base.MTU > 0 {
- nl.NewRtAttrChild(peer, syscall.IFLA_MTU, nl.Uint32Attr(uint32(base.MTU)))
- }
-
- } else if vxlan, ok := link.(*Vxlan); ok {
- addVxlanAttrs(vxlan, linkInfo)
- } else if ipv, ok := link.(*IPVlan); ok {
- data := nl.NewRtAttrChild(linkInfo, nl.IFLA_INFO_DATA, nil)
- nl.NewRtAttrChild(data, nl.IFLA_IPVLAN_MODE, nl.Uint16Attr(uint16(ipv.Mode)))
- } else if macv, ok := link.(*Macvlan); ok {
- if macv.Mode != MACVLAN_MODE_DEFAULT {
- data := nl.NewRtAttrChild(linkInfo, nl.IFLA_INFO_DATA, nil)
- nl.NewRtAttrChild(data, nl.IFLA_MACVLAN_MODE, nl.Uint32Attr(macvlanModes[macv.Mode]))
- }
- }
-
- req.AddData(linkInfo)
-
- _, err := req.Execute(syscall.NETLINK_ROUTE, 0)
- if err != nil {
- return err
- }
-
- ensureIndex(base)
-
- // can't set master during create, so set it afterwards
- if base.MasterIndex != 0 {
- // TODO: verify MasterIndex is actually a bridge?
- return LinkSetMasterByIndex(link, base.MasterIndex)
- }
- return nil
-}
-
-// LinkDel deletes link device. Either Index or Name must be set in
-// the link object for it to be deleted. The other values are ignored.
-// Equivalent to: `ip link del $link`
-func LinkDel(link Link) error {
- base := link.Attrs()
-
- ensureIndex(base)
-
- req := nl.NewNetlinkRequest(syscall.RTM_DELLINK, syscall.NLM_F_ACK)
-
- msg := nl.NewIfInfomsg(syscall.AF_UNSPEC)
- msg.Index = int32(base.Index)
- req.AddData(msg)
-
- _, err := req.Execute(syscall.NETLINK_ROUTE, 0)
- return err
-}
-
-func linkByNameDump(name string) (Link, error) {
- links, err := LinkList()
- if err != nil {
- return nil, err
- }
-
- for _, link := range links {
- if link.Attrs().Name == name {
- return link, nil
- }
- }
- return nil, fmt.Errorf("Link %s not found", name)
-}
-
-// LinkByName finds a link by name and returns a pointer to the object.
-func LinkByName(name string) (Link, error) {
- if lookupByDump {
- return linkByNameDump(name)
- }
-
- req := nl.NewNetlinkRequest(syscall.RTM_GETLINK, syscall.NLM_F_ACK)
-
- msg := nl.NewIfInfomsg(syscall.AF_UNSPEC)
- req.AddData(msg)
-
- nameData := nl.NewRtAttr(syscall.IFLA_IFNAME, nl.ZeroTerminated(name))
- req.AddData(nameData)
-
- link, err := execGetLink(req)
- if err == syscall.EINVAL {
- // older kernels don't support looking up via IFLA_IFNAME
- // so fall back to dumping all links
- lookupByDump = true
- return linkByNameDump(name)
- }
-
- return link, err
-}
-
-// LinkByIndex finds a link by index and returns a pointer to the object.
-func LinkByIndex(index int) (Link, error) {
- req := nl.NewNetlinkRequest(syscall.RTM_GETLINK, syscall.NLM_F_ACK)
-
- msg := nl.NewIfInfomsg(syscall.AF_UNSPEC)
- msg.Index = int32(index)
- req.AddData(msg)
-
- return execGetLink(req)
-}
-
-func execGetLink(req *nl.NetlinkRequest) (Link, error) {
- msgs, err := req.Execute(syscall.NETLINK_ROUTE, 0)
- if err != nil {
- if errno, ok := err.(syscall.Errno); ok {
- if errno == syscall.ENODEV {
- return nil, fmt.Errorf("Link not found")
- }
- }
- return nil, err
- }
-
- switch {
- case len(msgs) == 0:
- return nil, fmt.Errorf("Link not found")
-
- case len(msgs) == 1:
- return linkDeserialize(msgs[0])
-
- default:
- return nil, fmt.Errorf("More than one link found")
- }
-}
-
-// linkDeserialize deserializes a raw message received from netlink into
-// a link object.
-func linkDeserialize(m []byte) (Link, error) {
- msg := nl.DeserializeIfInfomsg(m)
-
- attrs, err := nl.ParseRouteAttr(m[msg.Len():])
- if err != nil {
- return nil, err
- }
-
- base := LinkAttrs{Index: int(msg.Index), Flags: linkFlags(msg.Flags)}
- var link Link
- linkType := ""
- for _, attr := range attrs {
- switch attr.Attr.Type {
- case syscall.IFLA_LINKINFO:
- infos, err := nl.ParseRouteAttr(attr.Value)
- if err != nil {
- return nil, err
- }
- for _, info := range infos {
- switch info.Attr.Type {
- case nl.IFLA_INFO_KIND:
- linkType = string(info.Value[:len(info.Value)-1])
- switch linkType {
- case "dummy":
- link = &Dummy{}
- case "ifb":
- link = &Ifb{}
- case "bridge":
- link = &Bridge{}
- case "vlan":
- link = &Vlan{}
- case "veth":
- link = &Veth{}
- case "vxlan":
- link = &Vxlan{}
- case "ipvlan":
- link = &IPVlan{}
- case "macvlan":
- link = &Macvlan{}
- case "macvtap":
- link = &Macvtap{}
- default:
- link = &GenericLink{LinkType: linkType}
- }
- case nl.IFLA_INFO_DATA:
- data, err := nl.ParseRouteAttr(info.Value)
- if err != nil {
- return nil, err
- }
- switch linkType {
- case "vlan":
- parseVlanData(link, data)
- case "vxlan":
- parseVxlanData(link, data)
- case "ipvlan":
- parseIPVlanData(link, data)
- case "macvlan":
- parseMacvlanData(link, data)
- case "macvtap":
- parseMacvtapData(link, data)
- }
- }
- }
- case syscall.IFLA_ADDRESS:
- var nonzero bool
- for _, b := range attr.Value {
- if b != 0 {
- nonzero = true
- }
- }
- if nonzero {
- base.HardwareAddr = attr.Value[:]
- }
- case syscall.IFLA_IFNAME:
- base.Name = string(attr.Value[:len(attr.Value)-1])
- case syscall.IFLA_MTU:
- base.MTU = int(native.Uint32(attr.Value[0:4]))
- case syscall.IFLA_LINK:
- base.ParentIndex = int(native.Uint32(attr.Value[0:4]))
- case syscall.IFLA_MASTER:
- base.MasterIndex = int(native.Uint32(attr.Value[0:4]))
- case syscall.IFLA_TXQLEN:
- base.TxQLen = int(native.Uint32(attr.Value[0:4]))
- }
- }
- // Links that don't have IFLA_INFO_KIND are hardware devices
- if link == nil {
- link = &Device{}
- }
- *link.Attrs() = base
-
- return link, nil
-}
-
-// LinkList gets a list of link devices.
-// Equivalent to: `ip link show`
-func LinkList() ([]Link, error) {
- // NOTE(vish): This duplicates functionality in net/iface_linux.go, but we need
- // to get the message ourselves to parse link type.
- req := nl.NewNetlinkRequest(syscall.RTM_GETLINK, syscall.NLM_F_DUMP)
-
- msg := nl.NewIfInfomsg(syscall.AF_UNSPEC)
- req.AddData(msg)
-
- msgs, err := req.Execute(syscall.NETLINK_ROUTE, syscall.RTM_NEWLINK)
- if err != nil {
- return nil, err
- }
-
- var res []Link
- for _, m := range msgs {
- link, err := linkDeserialize(m)
- if err != nil {
- return nil, err
- }
- res = append(res, link)
- }
-
- return res, nil
-}
-
-func LinkSetHairpin(link Link, mode bool) error {
- return setProtinfoAttr(link, mode, nl.IFLA_BRPORT_MODE)
-}
-
-func LinkSetGuard(link Link, mode bool) error {
- return setProtinfoAttr(link, mode, nl.IFLA_BRPORT_GUARD)
-}
-
-func LinkSetFastLeave(link Link, mode bool) error {
- return setProtinfoAttr(link, mode, nl.IFLA_BRPORT_FAST_LEAVE)
-}
-
-func LinkSetLearning(link Link, mode bool) error {
- return setProtinfoAttr(link, mode, nl.IFLA_BRPORT_LEARNING)
-}
-
-func LinkSetRootBlock(link Link, mode bool) error {
- return setProtinfoAttr(link, mode, nl.IFLA_BRPORT_PROTECT)
-}
-
-func LinkSetFlood(link Link, mode bool) error {
- return setProtinfoAttr(link, mode, nl.IFLA_BRPORT_UNICAST_FLOOD)
-}
-
-func setProtinfoAttr(link Link, mode bool, attr int) error {
- base := link.Attrs()
- ensureIndex(base)
- req := nl.NewNetlinkRequest(syscall.RTM_SETLINK, syscall.NLM_F_ACK)
-
- msg := nl.NewIfInfomsg(syscall.AF_BRIDGE)
- msg.Index = int32(base.Index)
- req.AddData(msg)
-
- br := nl.NewRtAttr(syscall.IFLA_PROTINFO|syscall.NLA_F_NESTED, nil)
- nl.NewRtAttrChild(br, attr, boolToByte(mode))
- req.AddData(br)
- _, err := req.Execute(syscall.NETLINK_ROUTE, 0)
- if err != nil {
- return err
- }
- return nil
-}
-
-func parseVlanData(link Link, data []syscall.NetlinkRouteAttr) {
- vlan := link.(*Vlan)
- for _, datum := range data {
- switch datum.Attr.Type {
- case nl.IFLA_VLAN_ID:
- vlan.VlanId = int(native.Uint16(datum.Value[0:2]))
- }
- }
-}
-
-func parseVxlanData(link Link, data []syscall.NetlinkRouteAttr) {
- vxlan := link.(*Vxlan)
- for _, datum := range data {
- switch datum.Attr.Type {
- case nl.IFLA_VXLAN_ID:
- vxlan.VxlanId = int(native.Uint32(datum.Value[0:4]))
- case nl.IFLA_VXLAN_LINK:
- vxlan.VtepDevIndex = int(native.Uint32(datum.Value[0:4]))
- case nl.IFLA_VXLAN_LOCAL:
- vxlan.SrcAddr = net.IP(datum.Value[0:4])
- case nl.IFLA_VXLAN_LOCAL6:
- vxlan.SrcAddr = net.IP(datum.Value[0:16])
- case nl.IFLA_VXLAN_GROUP:
- vxlan.Group = net.IP(datum.Value[0:4])
- case nl.IFLA_VXLAN_GROUP6:
- vxlan.Group = net.IP(datum.Value[0:16])
- case nl.IFLA_VXLAN_TTL:
- vxlan.TTL = int(datum.Value[0])
- case nl.IFLA_VXLAN_TOS:
- vxlan.TOS = int(datum.Value[0])
- case nl.IFLA_VXLAN_LEARNING:
- vxlan.Learning = int8(datum.Value[0]) != 0
- case nl.IFLA_VXLAN_PROXY:
- vxlan.Proxy = int8(datum.Value[0]) != 0
- case nl.IFLA_VXLAN_RSC:
- vxlan.RSC = int8(datum.Value[0]) != 0
- case nl.IFLA_VXLAN_L2MISS:
- vxlan.L2miss = int8(datum.Value[0]) != 0
- case nl.IFLA_VXLAN_L3MISS:
- vxlan.L3miss = int8(datum.Value[0]) != 0
- case nl.IFLA_VXLAN_GBP:
- vxlan.GBP = int8(datum.Value[0]) != 0
- case nl.IFLA_VXLAN_AGEING:
- vxlan.Age = int(native.Uint32(datum.Value[0:4]))
- vxlan.NoAge = vxlan.Age == 0
- case nl.IFLA_VXLAN_LIMIT:
- vxlan.Limit = int(native.Uint32(datum.Value[0:4]))
- case nl.IFLA_VXLAN_PORT:
- vxlan.Port = int(native.Uint16(datum.Value[0:2]))
- case nl.IFLA_VXLAN_PORT_RANGE:
- buf := bytes.NewBuffer(datum.Value[0:4])
- var pr vxlanPortRange
- if binary.Read(buf, binary.BigEndian, &pr) != nil {
- vxlan.PortLow = int(pr.Lo)
- vxlan.PortHigh = int(pr.Hi)
- }
- }
- }
-}
-
-func parseIPVlanData(link Link, data []syscall.NetlinkRouteAttr) {
- ipv := link.(*IPVlan)
- for _, datum := range data {
- if datum.Attr.Type == nl.IFLA_IPVLAN_MODE {
- ipv.Mode = IPVlanMode(native.Uint32(datum.Value[0:4]))
- return
- }
- }
-}
-
-func parseMacvtapData(link Link, data []syscall.NetlinkRouteAttr) {
- macv := link.(*Macvtap)
- parseMacvlanData(&macv.Macvlan, data)
-}
-
-func parseMacvlanData(link Link, data []syscall.NetlinkRouteAttr) {
- macv := link.(*Macvlan)
- for _, datum := range data {
- if datum.Attr.Type == nl.IFLA_MACVLAN_MODE {
- switch native.Uint32(datum.Value[0:4]) {
- case nl.MACVLAN_MODE_PRIVATE:
- macv.Mode = MACVLAN_MODE_PRIVATE
- case nl.MACVLAN_MODE_VEPA:
- macv.Mode = MACVLAN_MODE_VEPA
- case nl.MACVLAN_MODE_BRIDGE:
- macv.Mode = MACVLAN_MODE_BRIDGE
- case nl.MACVLAN_MODE_PASSTHRU:
- macv.Mode = MACVLAN_MODE_PASSTHRU
- case nl.MACVLAN_MODE_SOURCE:
- macv.Mode = MACVLAN_MODE_SOURCE
- }
- return
- }
- }
-}
-
-// copied from pkg/net_linux.go
-func linkFlags(rawFlags uint32) net.Flags {
- var f net.Flags
- if rawFlags&syscall.IFF_UP != 0 {
- f |= net.FlagUp
- }
- if rawFlags&syscall.IFF_BROADCAST != 0 {
- f |= net.FlagBroadcast
- }
- if rawFlags&syscall.IFF_LOOPBACK != 0 {
- f |= net.FlagLoopback
- }
- if rawFlags&syscall.IFF_POINTOPOINT != 0 {
- f |= net.FlagPointToPoint
- }
- if rawFlags&syscall.IFF_MULTICAST != 0 {
- f |= net.FlagMulticast
- }
- return f
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/vishvananda/netlink/neigh.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/vishvananda/netlink/neigh.go
deleted file mode 100644
index 0e5eb90c9ebe0743f0082250d7efa2889b0593e7..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/vishvananda/netlink/neigh.go
+++ /dev/null
@@ -1,22 +0,0 @@
-package netlink
-
-import (
- "fmt"
- "net"
-)
-
-// Neigh represents a link layer neighbor from netlink.
-type Neigh struct {
- LinkIndex int
- Family int
- State int
- Type int
- Flags int
- IP net.IP
- HardwareAddr net.HardwareAddr
-}
-
-// String returns $ip/$hwaddr $label
-func (neigh *Neigh) String() string {
- return fmt.Sprintf("%s %s", neigh.IP, neigh.HardwareAddr)
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/vishvananda/netlink/neigh_linux.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/vishvananda/netlink/neigh_linux.go
deleted file mode 100644
index 620a0ee708845e2fb05e9c7375c529d803472075..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/vishvananda/netlink/neigh_linux.go
+++ /dev/null
@@ -1,189 +0,0 @@
-package netlink
-
-import (
- "net"
- "syscall"
- "unsafe"
-
- "github.com/vishvananda/netlink/nl"
-)
-
-const (
- NDA_UNSPEC = iota
- NDA_DST
- NDA_LLADDR
- NDA_CACHEINFO
- NDA_PROBES
- NDA_VLAN
- NDA_PORT
- NDA_VNI
- NDA_IFINDEX
- NDA_MAX = NDA_IFINDEX
-)
-
-// Neighbor Cache Entry States.
-const (
- NUD_NONE = 0x00
- NUD_INCOMPLETE = 0x01
- NUD_REACHABLE = 0x02
- NUD_STALE = 0x04
- NUD_DELAY = 0x08
- NUD_PROBE = 0x10
- NUD_FAILED = 0x20
- NUD_NOARP = 0x40
- NUD_PERMANENT = 0x80
-)
-
-// Neighbor Flags
-const (
- NTF_USE = 0x01
- NTF_SELF = 0x02
- NTF_MASTER = 0x04
- NTF_PROXY = 0x08
- NTF_ROUTER = 0x80
-)
-
-type Ndmsg struct {
- Family uint8
- Index uint32
- State uint16
- Flags uint8
- Type uint8
-}
-
-func deserializeNdmsg(b []byte) *Ndmsg {
- var dummy Ndmsg
- return (*Ndmsg)(unsafe.Pointer(&b[0:unsafe.Sizeof(dummy)][0]))
-}
-
-func (msg *Ndmsg) Serialize() []byte {
- return (*(*[unsafe.Sizeof(*msg)]byte)(unsafe.Pointer(msg)))[:]
-}
-
-func (msg *Ndmsg) Len() int {
- return int(unsafe.Sizeof(*msg))
-}
-
-// NeighAdd will add an IP to MAC mapping to the ARP table
-// Equivalent to: `ip neigh add ....`
-func NeighAdd(neigh *Neigh) error {
- return neighAdd(neigh, syscall.NLM_F_CREATE|syscall.NLM_F_EXCL)
-}
-
-// NeighAdd will add or replace an IP to MAC mapping to the ARP table
-// Equivalent to: `ip neigh replace....`
-func NeighSet(neigh *Neigh) error {
- return neighAdd(neigh, syscall.NLM_F_CREATE)
-}
-
-// NeighAppend will append an entry to FDB
-// Equivalent to: `bridge fdb append...`
-func NeighAppend(neigh *Neigh) error {
- return neighAdd(neigh, syscall.NLM_F_CREATE|syscall.NLM_F_APPEND)
-}
-
-func neighAdd(neigh *Neigh, mode int) error {
- req := nl.NewNetlinkRequest(syscall.RTM_NEWNEIGH, mode|syscall.NLM_F_ACK)
- return neighHandle(neigh, req)
-}
-
-// NeighDel will delete an IP address from a link device.
-// Equivalent to: `ip addr del $addr dev $link`
-func NeighDel(neigh *Neigh) error {
- req := nl.NewNetlinkRequest(syscall.RTM_DELNEIGH, syscall.NLM_F_ACK)
- return neighHandle(neigh, req)
-}
-
-func neighHandle(neigh *Neigh, req *nl.NetlinkRequest) error {
- var family int
- if neigh.Family > 0 {
- family = neigh.Family
- } else {
- family = nl.GetIPFamily(neigh.IP)
- }
-
- msg := Ndmsg{
- Family: uint8(family),
- Index: uint32(neigh.LinkIndex),
- State: uint16(neigh.State),
- Type: uint8(neigh.Type),
- Flags: uint8(neigh.Flags),
- }
- req.AddData(&msg)
-
- ipData := neigh.IP.To4()
- if ipData == nil {
- ipData = neigh.IP.To16()
- }
-
- dstData := nl.NewRtAttr(NDA_DST, ipData)
- req.AddData(dstData)
-
- hwData := nl.NewRtAttr(NDA_LLADDR, []byte(neigh.HardwareAddr))
- req.AddData(hwData)
-
- _, err := req.Execute(syscall.NETLINK_ROUTE, 0)
- return err
-}
-
-// NeighList gets a list of IP-MAC mappings in the system (ARP table).
-// Equivalent to: `ip neighbor show`.
-// The list can be filtered by link and ip family.
-func NeighList(linkIndex, family int) ([]Neigh, error) {
- req := nl.NewNetlinkRequest(syscall.RTM_GETNEIGH, syscall.NLM_F_DUMP)
- msg := Ndmsg{
- Family: uint8(family),
- }
- req.AddData(&msg)
-
- msgs, err := req.Execute(syscall.NETLINK_ROUTE, syscall.RTM_NEWNEIGH)
- if err != nil {
- return nil, err
- }
-
- var res []Neigh
- for _, m := range msgs {
- ndm := deserializeNdmsg(m)
- if linkIndex != 0 && int(ndm.Index) != linkIndex {
- // Ignore messages from other interfaces
- continue
- }
-
- neigh, err := NeighDeserialize(m)
- if err != nil {
- continue
- }
-
- res = append(res, *neigh)
- }
-
- return res, nil
-}
-
-func NeighDeserialize(m []byte) (*Neigh, error) {
- msg := deserializeNdmsg(m)
-
- neigh := Neigh{
- LinkIndex: int(msg.Index),
- Family: int(msg.Family),
- State: int(msg.State),
- Type: int(msg.Type),
- Flags: int(msg.Flags),
- }
-
- attrs, err := nl.ParseRouteAttr(m[msg.Len():])
- if err != nil {
- return nil, err
- }
-
- for _, attr := range attrs {
- switch attr.Attr.Type {
- case NDA_DST:
- neigh.IP = net.IP(attr.Value)
- case NDA_LLADDR:
- neigh.HardwareAddr = net.HardwareAddr(attr.Value)
- }
- }
-
- return &neigh, nil
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/vishvananda/netlink/netlink.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/vishvananda/netlink/netlink.go
deleted file mode 100644
index 41ebdb11f1c17626f0ac85b4816ddd7d33407933..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/vishvananda/netlink/netlink.go
+++ /dev/null
@@ -1,39 +0,0 @@
-// Package netlink provides a simple library for netlink. Netlink is
-// the interface a user-space program in linux uses to communicate with
-// the kernel. It can be used to add and remove interfaces, set up ip
-// addresses and routes, and confiugre ipsec. Netlink communication
-// requires elevated privileges, so in most cases this code needs to
-// be run as root. The low level primitives for netlink are contained
-// in the nl subpackage. This package attempts to provide a high-level
-// interface that is loosly modeled on the iproute2 cli.
-package netlink
-
-import (
- "net"
-
- "github.com/vishvananda/netlink/nl"
-)
-
-const (
- // Family type definitions
- FAMILY_ALL = nl.FAMILY_ALL
- FAMILY_V4 = nl.FAMILY_V4
- FAMILY_V6 = nl.FAMILY_V6
-)
-
-// ParseIPNet parses a string in ip/net format and returns a net.IPNet.
-// This is valuable because addresses in netlink are often IPNets and
-// ParseCIDR returns an IPNet with the IP part set to the base IP of the
-// range.
-func ParseIPNet(s string) (*net.IPNet, error) {
- ip, ipNet, err := net.ParseCIDR(s)
- if err != nil {
- return nil, err
- }
- return &net.IPNet{IP: ip, Mask: ipNet.Mask}, nil
-}
-
-// NewIPNet generates an IPNet from an ip address using a netmask of 32.
-func NewIPNet(ip net.IP) *net.IPNet {
- return &net.IPNet{IP: ip, Mask: net.CIDRMask(32, 32)}
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/vishvananda/netlink/netlink_unspecified.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/vishvananda/netlink/netlink_unspecified.go
deleted file mode 100644
index 10c49c1bfce8fa9cc88c1ce1bfcde65e17cdae52..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/vishvananda/netlink/netlink_unspecified.go
+++ /dev/null
@@ -1,143 +0,0 @@
-// +build !linux
-
-package netlink
-
-import (
- "errors"
-)
-
-var (
- ErrNotImplemented = errors.New("not implemented")
-)
-
-func LinkSetUp(link *Link) error {
- return ErrNotImplemented
-}
-
-func LinkSetDown(link *Link) error {
- return ErrNotImplemented
-}
-
-func LinkSetMTU(link *Link, mtu int) error {
- return ErrNotImplemented
-}
-
-func LinkSetMaster(link *Link, master *Link) error {
- return ErrNotImplemented
-}
-
-func LinkSetNsPid(link *Link, nspid int) error {
- return ErrNotImplemented
-}
-
-func LinkSetNsFd(link *Link, fd int) error {
- return ErrNotImplemented
-}
-
-func LinkAdd(link *Link) error {
- return ErrNotImplemented
-}
-
-func LinkDel(link *Link) error {
- return ErrNotImplemented
-}
-
-func SetHairpin(link Link, mode bool) error {
- return ErrNotImplemented
-}
-
-func SetGuard(link Link, mode bool) error {
- return ErrNotImplemented
-}
-
-func SetFastLeave(link Link, mode bool) error {
- return ErrNotImplemented
-}
-
-func SetLearning(link Link, mode bool) error {
- return ErrNotImplemented
-}
-
-func SetRootBlock(link Link, mode bool) error {
- return ErrNotImplemented
-}
-
-func SetFlood(link Link, mode bool) error {
- return ErrNotImplemented
-}
-
-func LinkList() ([]Link, error) {
- return nil, ErrNotImplemented
-}
-
-func AddrAdd(link *Link, addr *Addr) error {
- return ErrNotImplemented
-}
-
-func AddrDel(link *Link, addr *Addr) error {
- return ErrNotImplemented
-}
-
-func AddrList(link *Link, family int) ([]Addr, error) {
- return nil, ErrNotImplemented
-}
-
-func RouteAdd(route *Route) error {
- return ErrNotImplemented
-}
-
-func RouteDel(route *Route) error {
- return ErrNotImplemented
-}
-
-func RouteList(link *Link, family int) ([]Route, error) {
- return nil, ErrNotImplemented
-}
-
-func XfrmPolicyAdd(policy *XfrmPolicy) error {
- return ErrNotImplemented
-}
-
-func XfrmPolicyDel(policy *XfrmPolicy) error {
- return ErrNotImplemented
-}
-
-func XfrmPolicyList(family int) ([]XfrmPolicy, error) {
- return nil, ErrNotImplemented
-}
-
-func XfrmStateAdd(policy *XfrmState) error {
- return ErrNotImplemented
-}
-
-func XfrmStateDel(policy *XfrmState) error {
- return ErrNotImplemented
-}
-
-func XfrmStateList(family int) ([]XfrmState, error) {
- return nil, ErrNotImplemented
-}
-
-func NeighAdd(neigh *Neigh) error {
- return ErrNotImplemented
-}
-
-func NeighSet(neigh *Neigh) error {
- return ErrNotImplemented
-}
-
-func NeighAppend(neigh *Neigh) error {
- return ErrNotImplemented
-}
-
-func NeighDel(neigh *Neigh) error {
- return ErrNotImplemented
-}
-
-func NeighList(linkIndex, family int) ([]Neigh, error) {
- return nil, ErrNotImplemented
-}
-
-func NeighDeserialize(m []byte) (*Ndmsg, *Neigh, error) {
- return nil, nil, ErrNotImplemented
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/vishvananda/netlink/nl/addr_linux.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/vishvananda/netlink/nl/addr_linux.go
deleted file mode 100644
index 17088fa0c0a1b699f4ccb076f215bfaaa97d0cd8..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/vishvananda/netlink/nl/addr_linux.go
+++ /dev/null
@@ -1,47 +0,0 @@
-package nl
-
-import (
- "syscall"
- "unsafe"
-)
-
-type IfAddrmsg struct {
- syscall.IfAddrmsg
-}
-
-func NewIfAddrmsg(family int) *IfAddrmsg {
- return &IfAddrmsg{
- IfAddrmsg: syscall.IfAddrmsg{
- Family: uint8(family),
- },
- }
-}
-
-// struct ifaddrmsg {
-// __u8 ifa_family;
-// __u8 ifa_prefixlen; /* The prefix length */
-// __u8 ifa_flags; /* Flags */
-// __u8 ifa_scope; /* Address scope */
-// __u32 ifa_index; /* Link index */
-// };
-
-// type IfAddrmsg struct {
-// Family uint8
-// Prefixlen uint8
-// Flags uint8
-// Scope uint8
-// Index uint32
-// }
-// SizeofIfAddrmsg = 0x8
-
-func DeserializeIfAddrmsg(b []byte) *IfAddrmsg {
- return (*IfAddrmsg)(unsafe.Pointer(&b[0:syscall.SizeofIfAddrmsg][0]))
-}
-
-func (msg *IfAddrmsg) Serialize() []byte {
- return (*(*[syscall.SizeofIfAddrmsg]byte)(unsafe.Pointer(msg)))[:]
-}
-
-func (msg *IfAddrmsg) Len() int {
- return syscall.SizeofIfAddrmsg
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/vishvananda/netlink/nl/link_linux.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/vishvananda/netlink/nl/link_linux.go
deleted file mode 100644
index 1f9ab088f0f3dad9cfd6d60d21404c1d813a9070..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/vishvananda/netlink/nl/link_linux.go
+++ /dev/null
@@ -1,104 +0,0 @@
-package nl
-
-const (
- DEFAULT_CHANGE = 0xFFFFFFFF
-)
-
-const (
- IFLA_INFO_UNSPEC = iota
- IFLA_INFO_KIND
- IFLA_INFO_DATA
- IFLA_INFO_XSTATS
- IFLA_INFO_MAX = IFLA_INFO_XSTATS
-)
-
-const (
- IFLA_VLAN_UNSPEC = iota
- IFLA_VLAN_ID
- IFLA_VLAN_FLAGS
- IFLA_VLAN_EGRESS_QOS
- IFLA_VLAN_INGRESS_QOS
- IFLA_VLAN_PROTOCOL
- IFLA_VLAN_MAX = IFLA_VLAN_PROTOCOL
-)
-
-const (
- VETH_INFO_UNSPEC = iota
- VETH_INFO_PEER
- VETH_INFO_MAX = VETH_INFO_PEER
-)
-
-const (
- IFLA_VXLAN_UNSPEC = iota
- IFLA_VXLAN_ID
- IFLA_VXLAN_GROUP
- IFLA_VXLAN_LINK
- IFLA_VXLAN_LOCAL
- IFLA_VXLAN_TTL
- IFLA_VXLAN_TOS
- IFLA_VXLAN_LEARNING
- IFLA_VXLAN_AGEING
- IFLA_VXLAN_LIMIT
- IFLA_VXLAN_PORT_RANGE
- IFLA_VXLAN_PROXY
- IFLA_VXLAN_RSC
- IFLA_VXLAN_L2MISS
- IFLA_VXLAN_L3MISS
- IFLA_VXLAN_PORT
- IFLA_VXLAN_GROUP6
- IFLA_VXLAN_LOCAL6
- IFLA_VXLAN_UDP_CSUM
- IFLA_VXLAN_UDP_ZERO_CSUM6_TX
- IFLA_VXLAN_UDP_ZERO_CSUM6_RX
- IFLA_VXLAN_REMCSUM_TX
- IFLA_VXLAN_REMCSUM_RX
- IFLA_VXLAN_GBP
- IFLA_VXLAN_REMCSUM_NOPARTIAL
- IFLA_VXLAN_FLOWBASED
- IFLA_VXLAN_MAX = IFLA_VXLAN_FLOWBASED
-)
-
-const (
- BRIDGE_MODE_UNSPEC = iota
- BRIDGE_MODE_HAIRPIN
-)
-
-const (
- IFLA_BRPORT_UNSPEC = iota
- IFLA_BRPORT_STATE
- IFLA_BRPORT_PRIORITY
- IFLA_BRPORT_COST
- IFLA_BRPORT_MODE
- IFLA_BRPORT_GUARD
- IFLA_BRPORT_PROTECT
- IFLA_BRPORT_FAST_LEAVE
- IFLA_BRPORT_LEARNING
- IFLA_BRPORT_UNICAST_FLOOD
- IFLA_BRPORT_MAX = IFLA_BRPORT_UNICAST_FLOOD
-)
-
-const (
- IFLA_IPVLAN_UNSPEC = iota
- IFLA_IPVLAN_MODE
- IFLA_IPVLAN_MAX = IFLA_IPVLAN_MODE
-)
-
-const (
- // not defined in syscall
- IFLA_NET_NS_FD = 28
-)
-
-const (
- IFLA_MACVLAN_UNSPEC = iota
- IFLA_MACVLAN_MODE
- IFLA_MACVLAN_FLAGS
- IFLA_MACVLAN_MAX = IFLA_MACVLAN_FLAGS
-)
-
-const (
- MACVLAN_MODE_PRIVATE = 1
- MACVLAN_MODE_VEPA = 2
- MACVLAN_MODE_BRIDGE = 4
- MACVLAN_MODE_PASSTHRU = 8
- MACVLAN_MODE_SOURCE = 16
-)
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/vishvananda/netlink/nl/nl_linux.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/vishvananda/netlink/nl/nl_linux.go
deleted file mode 100644
index 8dbd92b819e12a1ab5f5e539f3a8be145e7c0870..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/vishvananda/netlink/nl/nl_linux.go
+++ /dev/null
@@ -1,418 +0,0 @@
-// Package nl has low level primitives for making Netlink calls.
-package nl
-
-import (
- "bytes"
- "encoding/binary"
- "fmt"
- "net"
- "sync/atomic"
- "syscall"
- "unsafe"
-)
-
-const (
- // Family type definitions
- FAMILY_ALL = syscall.AF_UNSPEC
- FAMILY_V4 = syscall.AF_INET
- FAMILY_V6 = syscall.AF_INET6
-)
-
-var nextSeqNr uint32
-
-// GetIPFamily returns the family type of a net.IP.
-func GetIPFamily(ip net.IP) int {
- if len(ip) <= net.IPv4len {
- return FAMILY_V4
- }
- if ip.To4() != nil {
- return FAMILY_V4
- }
- return FAMILY_V6
-}
-
-var nativeEndian binary.ByteOrder
-
-// Get native endianness for the system
-func NativeEndian() binary.ByteOrder {
- if nativeEndian == nil {
- var x uint32 = 0x01020304
- if *(*byte)(unsafe.Pointer(&x)) == 0x01 {
- nativeEndian = binary.BigEndian
- } else {
- nativeEndian = binary.LittleEndian
- }
- }
- return nativeEndian
-}
-
-// Byte swap a 16 bit value if we aren't big endian
-func Swap16(i uint16) uint16 {
- if NativeEndian() == binary.BigEndian {
- return i
- }
- return (i&0xff00)>>8 | (i&0xff)<<8
-}
-
-// Byte swap a 32 bit value if aren't big endian
-func Swap32(i uint32) uint32 {
- if NativeEndian() == binary.BigEndian {
- return i
- }
- return (i&0xff000000)>>24 | (i&0xff0000)>>8 | (i&0xff00)<<8 | (i&0xff)<<24
-}
-
-type NetlinkRequestData interface {
- Len() int
- Serialize() []byte
-}
-
-// IfInfomsg is related to links, but it is used for list requests as well
-type IfInfomsg struct {
- syscall.IfInfomsg
-}
-
-// Create an IfInfomsg with family specified
-func NewIfInfomsg(family int) *IfInfomsg {
- return &IfInfomsg{
- IfInfomsg: syscall.IfInfomsg{
- Family: uint8(family),
- },
- }
-}
-
-func DeserializeIfInfomsg(b []byte) *IfInfomsg {
- return (*IfInfomsg)(unsafe.Pointer(&b[0:syscall.SizeofIfInfomsg][0]))
-}
-
-func (msg *IfInfomsg) Serialize() []byte {
- return (*(*[syscall.SizeofIfInfomsg]byte)(unsafe.Pointer(msg)))[:]
-}
-
-func (msg *IfInfomsg) Len() int {
- return syscall.SizeofIfInfomsg
-}
-
-func rtaAlignOf(attrlen int) int {
- return (attrlen + syscall.RTA_ALIGNTO - 1) & ^(syscall.RTA_ALIGNTO - 1)
-}
-
-func NewIfInfomsgChild(parent *RtAttr, family int) *IfInfomsg {
- msg := NewIfInfomsg(family)
- parent.children = append(parent.children, msg)
- return msg
-}
-
-// Extend RtAttr to handle data and children
-type RtAttr struct {
- syscall.RtAttr
- Data []byte
- children []NetlinkRequestData
-}
-
-// Create a new Extended RtAttr object
-func NewRtAttr(attrType int, data []byte) *RtAttr {
- return &RtAttr{
- RtAttr: syscall.RtAttr{
- Type: uint16(attrType),
- },
- children: []NetlinkRequestData{},
- Data: data,
- }
-}
-
-// Create a new RtAttr obj anc add it as a child of an existing object
-func NewRtAttrChild(parent *RtAttr, attrType int, data []byte) *RtAttr {
- attr := NewRtAttr(attrType, data)
- parent.children = append(parent.children, attr)
- return attr
-}
-
-func (a *RtAttr) Len() int {
- if len(a.children) == 0 {
- return (syscall.SizeofRtAttr + len(a.Data))
- }
-
- l := 0
- for _, child := range a.children {
- l += rtaAlignOf(child.Len())
- }
- l += syscall.SizeofRtAttr
- return rtaAlignOf(l + len(a.Data))
-}
-
-// Serialize the RtAttr into a byte array
-// This can't just unsafe.cast because it must iterate through children.
-func (a *RtAttr) Serialize() []byte {
- native := NativeEndian()
-
- length := a.Len()
- buf := make([]byte, rtaAlignOf(length))
-
- if a.Data != nil {
- copy(buf[4:], a.Data)
- } else {
- next := 4
- for _, child := range a.children {
- childBuf := child.Serialize()
- copy(buf[next:], childBuf)
- next += rtaAlignOf(len(childBuf))
- }
- }
-
- if l := uint16(length); l != 0 {
- native.PutUint16(buf[0:2], l)
- }
- native.PutUint16(buf[2:4], a.Type)
- return buf
-}
-
-type NetlinkRequest struct {
- syscall.NlMsghdr
- Data []NetlinkRequestData
-}
-
-// Serialize the Netlink Request into a byte array
-func (req *NetlinkRequest) Serialize() []byte {
- length := syscall.SizeofNlMsghdr
- dataBytes := make([][]byte, len(req.Data))
- for i, data := range req.Data {
- dataBytes[i] = data.Serialize()
- length = length + len(dataBytes[i])
- }
- req.Len = uint32(length)
- b := make([]byte, length)
- hdr := (*(*[syscall.SizeofNlMsghdr]byte)(unsafe.Pointer(req)))[:]
- next := syscall.SizeofNlMsghdr
- copy(b[0:next], hdr)
- for _, data := range dataBytes {
- for _, dataByte := range data {
- b[next] = dataByte
- next = next + 1
- }
- }
- return b
-}
-
-func (req *NetlinkRequest) AddData(data NetlinkRequestData) {
- if data != nil {
- req.Data = append(req.Data, data)
- }
-}
-
-// Execute the request against a the given sockType.
-// Returns a list of netlink messages in seriaized format, optionally filtered
-// by resType.
-func (req *NetlinkRequest) Execute(sockType int, resType uint16) ([][]byte, error) {
- s, err := getNetlinkSocket(sockType)
- if err != nil {
- return nil, err
- }
- defer s.Close()
-
- if err := s.Send(req); err != nil {
- return nil, err
- }
-
- pid, err := s.GetPid()
- if err != nil {
- return nil, err
- }
-
- var res [][]byte
-
-done:
- for {
- msgs, err := s.Receive()
- if err != nil {
- return nil, err
- }
- for _, m := range msgs {
- if m.Header.Seq != req.Seq {
- return nil, fmt.Errorf("Wrong Seq nr %d, expected 1", m.Header.Seq)
- }
- if m.Header.Pid != pid {
- return nil, fmt.Errorf("Wrong pid %d, expected %d", m.Header.Pid, pid)
- }
- if m.Header.Type == syscall.NLMSG_DONE {
- break done
- }
- if m.Header.Type == syscall.NLMSG_ERROR {
- native := NativeEndian()
- error := int32(native.Uint32(m.Data[0:4]))
- if error == 0 {
- break done
- }
- return nil, syscall.Errno(-error)
- }
- if resType != 0 && m.Header.Type != resType {
- continue
- }
- res = append(res, m.Data)
- if m.Header.Flags&syscall.NLM_F_MULTI == 0 {
- break done
- }
- }
- }
- return res, nil
-}
-
-// Create a new netlink request from proto and flags
-// Note the Len value will be inaccurate once data is added until
-// the message is serialized
-func NewNetlinkRequest(proto, flags int) *NetlinkRequest {
- return &NetlinkRequest{
- NlMsghdr: syscall.NlMsghdr{
- Len: uint32(syscall.SizeofNlMsghdr),
- Type: uint16(proto),
- Flags: syscall.NLM_F_REQUEST | uint16(flags),
- Seq: atomic.AddUint32(&nextSeqNr, 1),
- },
- }
-}
-
-type NetlinkSocket struct {
- fd int
- lsa syscall.SockaddrNetlink
-}
-
-func getNetlinkSocket(protocol int) (*NetlinkSocket, error) {
- fd, err := syscall.Socket(syscall.AF_NETLINK, syscall.SOCK_RAW, protocol)
- if err != nil {
- return nil, err
- }
- s := &NetlinkSocket{
- fd: fd,
- }
- s.lsa.Family = syscall.AF_NETLINK
- if err := syscall.Bind(fd, &s.lsa); err != nil {
- syscall.Close(fd)
- return nil, err
- }
-
- return s, nil
-}
-
-// Create a netlink socket with a given protocol (e.g. NETLINK_ROUTE)
-// and subscribe it to multicast groups passed in variable argument list.
-// Returns the netlink socket on which Receive() method can be called
-// to retrieve the messages from the kernel.
-func Subscribe(protocol int, groups ...uint) (*NetlinkSocket, error) {
- fd, err := syscall.Socket(syscall.AF_NETLINK, syscall.SOCK_RAW, protocol)
- if err != nil {
- return nil, err
- }
- s := &NetlinkSocket{
- fd: fd,
- }
- s.lsa.Family = syscall.AF_NETLINK
-
- for _, g := range groups {
- s.lsa.Groups |= (1 << (g - 1))
- }
-
- if err := syscall.Bind(fd, &s.lsa); err != nil {
- syscall.Close(fd)
- return nil, err
- }
-
- return s, nil
-}
-
-func (s *NetlinkSocket) Close() {
- syscall.Close(s.fd)
-}
-
-func (s *NetlinkSocket) Send(request *NetlinkRequest) error {
- if err := syscall.Sendto(s.fd, request.Serialize(), 0, &s.lsa); err != nil {
- return err
- }
- return nil
-}
-
-func (s *NetlinkSocket) Receive() ([]syscall.NetlinkMessage, error) {
- rb := make([]byte, syscall.Getpagesize())
- nr, _, err := syscall.Recvfrom(s.fd, rb, 0)
- if err != nil {
- return nil, err
- }
- if nr < syscall.NLMSG_HDRLEN {
- return nil, fmt.Errorf("Got short response from netlink")
- }
- rb = rb[:nr]
- return syscall.ParseNetlinkMessage(rb)
-}
-
-func (s *NetlinkSocket) GetPid() (uint32, error) {
- lsa, err := syscall.Getsockname(s.fd)
- if err != nil {
- return 0, err
- }
- switch v := lsa.(type) {
- case *syscall.SockaddrNetlink:
- return v.Pid, nil
- }
- return 0, fmt.Errorf("Wrong socket type")
-}
-
-func ZeroTerminated(s string) []byte {
- bytes := make([]byte, len(s)+1)
- for i := 0; i < len(s); i++ {
- bytes[i] = s[i]
- }
- bytes[len(s)] = 0
- return bytes
-}
-
-func NonZeroTerminated(s string) []byte {
- bytes := make([]byte, len(s))
- for i := 0; i < len(s); i++ {
- bytes[i] = s[i]
- }
- return bytes
-}
-
-func BytesToString(b []byte) string {
- n := bytes.Index(b, []byte{0})
- return string(b[:n])
-}
-
-func Uint8Attr(v uint8) []byte {
- return []byte{byte(v)}
-}
-
-func Uint16Attr(v uint16) []byte {
- native := NativeEndian()
- bytes := make([]byte, 2)
- native.PutUint16(bytes, v)
- return bytes
-}
-
-func Uint32Attr(v uint32) []byte {
- native := NativeEndian()
- bytes := make([]byte, 4)
- native.PutUint32(bytes, v)
- return bytes
-}
-
-func ParseRouteAttr(b []byte) ([]syscall.NetlinkRouteAttr, error) {
- var attrs []syscall.NetlinkRouteAttr
- for len(b) >= syscall.SizeofRtAttr {
- a, vbuf, alen, err := netlinkRouteAttrAndValue(b)
- if err != nil {
- return nil, err
- }
- ra := syscall.NetlinkRouteAttr{Attr: *a, Value: vbuf[:int(a.Len)-syscall.SizeofRtAttr]}
- attrs = append(attrs, ra)
- b = b[alen:]
- }
- return attrs, nil
-}
-
-func netlinkRouteAttrAndValue(b []byte) (*syscall.RtAttr, []byte, int, error) {
- a := (*syscall.RtAttr)(unsafe.Pointer(&b[0]))
- if int(a.Len) < syscall.SizeofRtAttr || int(a.Len) > len(b) {
- return nil, nil, 0, syscall.EINVAL
- }
- return a, b[syscall.SizeofRtAttr:], rtaAlignOf(int(a.Len)), nil
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/vishvananda/netlink/nl/route_linux.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/vishvananda/netlink/nl/route_linux.go
deleted file mode 100644
index 447e83e5ae5e46649d175642b54a979df8c15cd6..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/vishvananda/netlink/nl/route_linux.go
+++ /dev/null
@@ -1,42 +0,0 @@
-package nl
-
-import (
- "syscall"
- "unsafe"
-)
-
-type RtMsg struct {
- syscall.RtMsg
-}
-
-func NewRtMsg() *RtMsg {
- return &RtMsg{
- RtMsg: syscall.RtMsg{
- Table: syscall.RT_TABLE_MAIN,
- Scope: syscall.RT_SCOPE_UNIVERSE,
- Protocol: syscall.RTPROT_BOOT,
- Type: syscall.RTN_UNICAST,
- },
- }
-}
-
-func NewRtDelMsg() *RtMsg {
- return &RtMsg{
- RtMsg: syscall.RtMsg{
- Table: syscall.RT_TABLE_MAIN,
- Scope: syscall.RT_SCOPE_NOWHERE,
- },
- }
-}
-
-func (msg *RtMsg) Len() int {
- return syscall.SizeofRtMsg
-}
-
-func DeserializeRtMsg(b []byte) *RtMsg {
- return (*RtMsg)(unsafe.Pointer(&b[0:syscall.SizeofRtMsg][0]))
-}
-
-func (msg *RtMsg) Serialize() []byte {
- return (*(*[syscall.SizeofRtMsg]byte)(unsafe.Pointer(msg)))[:]
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/vishvananda/netlink/nl/tc_linux.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/vishvananda/netlink/nl/tc_linux.go
deleted file mode 100644
index c9bfe8dfd8a0d0084459ac927ebb3c2642da8e55..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/vishvananda/netlink/nl/tc_linux.go
+++ /dev/null
@@ -1,359 +0,0 @@
-package nl
-
-import (
- "unsafe"
-)
-
-// Message types
-const (
- TCA_UNSPEC = iota
- TCA_KIND
- TCA_OPTIONS
- TCA_STATS
- TCA_XSTATS
- TCA_RATE
- TCA_FCNT
- TCA_STATS2
- TCA_STAB
- TCA_MAX = TCA_STAB
-)
-
-const (
- TCA_ACT_TAB = 1
- TCAA_MAX = 1
-)
-
-const (
- TCA_PRIO_UNSPEC = iota
- TCA_PRIO_MQ
- TCA_PRIO_MAX = TCA_PRIO_MQ
-)
-
-const (
- SizeofTcMsg = 0x14
- SizeofTcActionMsg = 0x04
- SizeofTcPrioMap = 0x14
- SizeofTcRateSpec = 0x0c
- SizeofTcTbfQopt = 2*SizeofTcRateSpec + 0x0c
- SizeofTcU32Key = 0x10
- SizeofTcU32Sel = 0x10 // without keys
- SizeofTcMirred = 0x1c
-)
-
-// struct tcmsg {
-// unsigned char tcm_family;
-// unsigned char tcm__pad1;
-// unsigned short tcm__pad2;
-// int tcm_ifindex;
-// __u32 tcm_handle;
-// __u32 tcm_parent;
-// __u32 tcm_info;
-// };
-
-type TcMsg struct {
- Family uint8
- Pad [3]byte
- Ifindex int32
- Handle uint32
- Parent uint32
- Info uint32
-}
-
-func (msg *TcMsg) Len() int {
- return SizeofTcMsg
-}
-
-func DeserializeTcMsg(b []byte) *TcMsg {
- return (*TcMsg)(unsafe.Pointer(&b[0:SizeofTcMsg][0]))
-}
-
-func (x *TcMsg) Serialize() []byte {
- return (*(*[SizeofTcMsg]byte)(unsafe.Pointer(x)))[:]
-}
-
-// struct tcamsg {
-// unsigned char tca_family;
-// unsigned char tca__pad1;
-// unsigned short tca__pad2;
-// };
-
-type TcActionMsg struct {
- Family uint8
- Pad [3]byte
-}
-
-func (msg *TcActionMsg) Len() int {
- return SizeofTcActionMsg
-}
-
-func DeserializeTcActionMsg(b []byte) *TcActionMsg {
- return (*TcActionMsg)(unsafe.Pointer(&b[0:SizeofTcActionMsg][0]))
-}
-
-func (x *TcActionMsg) Serialize() []byte {
- return (*(*[SizeofTcActionMsg]byte)(unsafe.Pointer(x)))[:]
-}
-
-const (
- TC_PRIO_MAX = 15
-)
-
-// struct tc_prio_qopt {
-// int bands; /* Number of bands */
-// __u8 priomap[TC_PRIO_MAX+1]; /* Map: logical priority -> PRIO band */
-// };
-
-type TcPrioMap struct {
- Bands int32
- Priomap [TC_PRIO_MAX + 1]uint8
-}
-
-func (msg *TcPrioMap) Len() int {
- return SizeofTcPrioMap
-}
-
-func DeserializeTcPrioMap(b []byte) *TcPrioMap {
- return (*TcPrioMap)(unsafe.Pointer(&b[0:SizeofTcPrioMap][0]))
-}
-
-func (x *TcPrioMap) Serialize() []byte {
- return (*(*[SizeofTcPrioMap]byte)(unsafe.Pointer(x)))[:]
-}
-
-const (
- TCA_TBF_UNSPEC = iota
- TCA_TBF_PARMS
- TCA_TBF_RTAB
- TCA_TBF_PTAB
- TCA_TBF_RATE64
- TCA_TBF_PRATE64
- TCA_TBF_BURST
- TCA_TBF_PBURST
- TCA_TBF_MAX = TCA_TBF_PBURST
-)
-
-// struct tc_ratespec {
-// unsigned char cell_log;
-// __u8 linklayer; /* lower 4 bits */
-// unsigned short overhead;
-// short cell_align;
-// unsigned short mpu;
-// __u32 rate;
-// };
-
-type TcRateSpec struct {
- CellLog uint8
- Linklayer uint8
- Overhead uint16
- CellAlign int16
- Mpu uint16
- Rate uint32
-}
-
-func (msg *TcRateSpec) Len() int {
- return SizeofTcRateSpec
-}
-
-func DeserializeTcRateSpec(b []byte) *TcRateSpec {
- return (*TcRateSpec)(unsafe.Pointer(&b[0:SizeofTcRateSpec][0]))
-}
-
-func (x *TcRateSpec) Serialize() []byte {
- return (*(*[SizeofTcRateSpec]byte)(unsafe.Pointer(x)))[:]
-}
-
-// struct tc_tbf_qopt {
-// struct tc_ratespec rate;
-// struct tc_ratespec peakrate;
-// __u32 limit;
-// __u32 buffer;
-// __u32 mtu;
-// };
-
-type TcTbfQopt struct {
- Rate TcRateSpec
- Peakrate TcRateSpec
- Limit uint32
- Buffer uint32
- Mtu uint32
-}
-
-func (msg *TcTbfQopt) Len() int {
- return SizeofTcTbfQopt
-}
-
-func DeserializeTcTbfQopt(b []byte) *TcTbfQopt {
- return (*TcTbfQopt)(unsafe.Pointer(&b[0:SizeofTcTbfQopt][0]))
-}
-
-func (x *TcTbfQopt) Serialize() []byte {
- return (*(*[SizeofTcTbfQopt]byte)(unsafe.Pointer(x)))[:]
-}
-
-const (
- TCA_U32_UNSPEC = iota
- TCA_U32_CLASSID
- TCA_U32_HASH
- TCA_U32_LINK
- TCA_U32_DIVISOR
- TCA_U32_SEL
- TCA_U32_POLICE
- TCA_U32_ACT
- TCA_U32_INDEV
- TCA_U32_PCNT
- TCA_U32_MARK
- TCA_U32_MAX = TCA_U32_MARK
-)
-
-// struct tc_u32_key {
-// __be32 mask;
-// __be32 val;
-// int off;
-// int offmask;
-// };
-
-type TcU32Key struct {
- Mask uint32 // big endian
- Val uint32 // big endian
- Off int32
- OffMask int32
-}
-
-func (msg *TcU32Key) Len() int {
- return SizeofTcU32Key
-}
-
-func DeserializeTcU32Key(b []byte) *TcU32Key {
- return (*TcU32Key)(unsafe.Pointer(&b[0:SizeofTcU32Key][0]))
-}
-
-func (x *TcU32Key) Serialize() []byte {
- return (*(*[SizeofTcU32Key]byte)(unsafe.Pointer(x)))[:]
-}
-
-// struct tc_u32_sel {
-// unsigned char flags;
-// unsigned char offshift;
-// unsigned char nkeys;
-//
-// __be16 offmask;
-// __u16 off;
-// short offoff;
-//
-// short hoff;
-// __be32 hmask;
-// struct tc_u32_key keys[0];
-// };
-
-const (
- TC_U32_TERMINAL = 1 << iota
- TC_U32_OFFSET = 1 << iota
- TC_U32_VAROFFSET = 1 << iota
- TC_U32_EAT = 1 << iota
-)
-
-type TcU32Sel struct {
- Flags uint8
- Offshift uint8
- Nkeys uint8
- Pad uint8
- Offmask uint16 // big endian
- Off uint16
- Offoff int16
- Hoff int16
- Hmask uint32 // big endian
- Keys []TcU32Key
-}
-
-func (msg *TcU32Sel) Len() int {
- return SizeofTcU32Sel + int(msg.Nkeys)*SizeofTcU32Key
-}
-
-func DeserializeTcU32Sel(b []byte) *TcU32Sel {
- x := &TcU32Sel{}
- copy((*(*[SizeofTcU32Sel]byte)(unsafe.Pointer(x)))[:], b)
- next := SizeofTcU32Sel
- var i uint8
- for i = 0; i < x.Nkeys; i++ {
- x.Keys = append(x.Keys, *DeserializeTcU32Key(b[next:]))
- next += SizeofTcU32Key
- }
- return x
-}
-
-func (x *TcU32Sel) Serialize() []byte {
- // This can't just unsafe.cast because it must iterate through keys.
- buf := make([]byte, x.Len())
- copy(buf, (*(*[SizeofTcU32Sel]byte)(unsafe.Pointer(x)))[:])
- next := SizeofTcU32Sel
- for _, key := range x.Keys {
- keyBuf := key.Serialize()
- copy(buf[next:], keyBuf)
- next += SizeofTcU32Key
- }
- return buf
-}
-
-const (
- TCA_ACT_MIRRED = 8
-)
-
-const (
- TCA_MIRRED_UNSPEC = iota
- TCA_MIRRED_TM
- TCA_MIRRED_PARMS
- TCA_MIRRED_MAX = TCA_MIRRED_PARMS
-)
-
-const (
- TCA_EGRESS_REDIR = 1 /* packet redirect to EGRESS*/
- TCA_EGRESS_MIRROR = 2 /* mirror packet to EGRESS */
- TCA_INGRESS_REDIR = 3 /* packet redirect to INGRESS*/
- TCA_INGRESS_MIRROR = 4 /* mirror packet to INGRESS */
-)
-
-const (
- TC_ACT_UNSPEC = int32(-1)
- TC_ACT_OK = 0
- TC_ACT_RECLASSIFY = 1
- TC_ACT_SHOT = 2
- TC_ACT_PIPE = 3
- TC_ACT_STOLEN = 4
- TC_ACT_QUEUED = 5
- TC_ACT_REPEAT = 6
- TC_ACT_JUMP = 0x10000000
-)
-
-// #define tc_gen \
-// __u32 index; \
-// __u32 capab; \
-// int action; \
-// int refcnt; \
-// int bindcnt
-// struct tc_mirred {
-// tc_gen;
-// int eaction; /* one of IN/EGRESS_MIRROR/REDIR */
-// __u32 ifindex; /* ifindex of egress port */
-// };
-
-type TcMirred struct {
- Index uint32
- Capab uint32
- Action int32
- Refcnt int32
- Bindcnt int32
- Eaction int32
- Ifindex uint32
-}
-
-func (msg *TcMirred) Len() int {
- return SizeofTcMirred
-}
-
-func DeserializeTcMirred(b []byte) *TcMirred {
- return (*TcMirred)(unsafe.Pointer(&b[0:SizeofTcMirred][0]))
-}
-
-func (x *TcMirred) Serialize() []byte {
- return (*(*[SizeofTcMirred]byte)(unsafe.Pointer(x)))[:]
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/vishvananda/netlink/nl/xfrm_linux.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/vishvananda/netlink/nl/xfrm_linux.go
deleted file mode 100644
index d24637d27880f74792d875d91a11b35f13c2ffd9..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/vishvananda/netlink/nl/xfrm_linux.go
+++ /dev/null
@@ -1,258 +0,0 @@
-package nl
-
-import (
- "bytes"
- "net"
- "unsafe"
-)
-
-// Infinity for packet and byte counts
-const (
- XFRM_INF = ^uint64(0)
-)
-
-// Message Types
-const (
- XFRM_MSG_BASE = 0x10
- XFRM_MSG_NEWSA = 0x10
- XFRM_MSG_DELSA = 0x11
- XFRM_MSG_GETSA = 0x12
- XFRM_MSG_NEWPOLICY = 0x13
- XFRM_MSG_DELPOLICY = 0x14
- XFRM_MSG_GETPOLICY = 0x15
- XFRM_MSG_ALLOCSPI = 0x16
- XFRM_MSG_ACQUIRE = 0x17
- XFRM_MSG_EXPIRE = 0x18
- XFRM_MSG_UPDPOLICY = 0x19
- XFRM_MSG_UPDSA = 0x1a
- XFRM_MSG_POLEXPIRE = 0x1b
- XFRM_MSG_FLUSHSA = 0x1c
- XFRM_MSG_FLUSHPOLICY = 0x1d
- XFRM_MSG_NEWAE = 0x1e
- XFRM_MSG_GETAE = 0x1f
- XFRM_MSG_REPORT = 0x20
- XFRM_MSG_MIGRATE = 0x21
- XFRM_MSG_NEWSADINFO = 0x22
- XFRM_MSG_GETSADINFO = 0x23
- XFRM_MSG_NEWSPDINFO = 0x24
- XFRM_MSG_GETSPDINFO = 0x25
- XFRM_MSG_MAPPING = 0x26
- XFRM_MSG_MAX = 0x26
- XFRM_NR_MSGTYPES = 0x17
-)
-
-// Attribute types
-const (
- /* Netlink message attributes. */
- XFRMA_UNSPEC = 0x00
- XFRMA_ALG_AUTH = 0x01 /* struct xfrm_algo */
- XFRMA_ALG_CRYPT = 0x02 /* struct xfrm_algo */
- XFRMA_ALG_COMP = 0x03 /* struct xfrm_algo */
- XFRMA_ENCAP = 0x04 /* struct xfrm_algo + struct xfrm_encap_tmpl */
- XFRMA_TMPL = 0x05 /* 1 or more struct xfrm_user_tmpl */
- XFRMA_SA = 0x06 /* struct xfrm_usersa_info */
- XFRMA_POLICY = 0x07 /* struct xfrm_userpolicy_info */
- XFRMA_SEC_CTX = 0x08 /* struct xfrm_sec_ctx */
- XFRMA_LTIME_VAL = 0x09
- XFRMA_REPLAY_VAL = 0x0a
- XFRMA_REPLAY_THRESH = 0x0b
- XFRMA_ETIMER_THRESH = 0x0c
- XFRMA_SRCADDR = 0x0d /* xfrm_address_t */
- XFRMA_COADDR = 0x0e /* xfrm_address_t */
- XFRMA_LASTUSED = 0x0f /* unsigned long */
- XFRMA_POLICY_TYPE = 0x10 /* struct xfrm_userpolicy_type */
- XFRMA_MIGRATE = 0x11
- XFRMA_ALG_AEAD = 0x12 /* struct xfrm_algo_aead */
- XFRMA_KMADDRESS = 0x13 /* struct xfrm_user_kmaddress */
- XFRMA_ALG_AUTH_TRUNC = 0x14 /* struct xfrm_algo_auth */
- XFRMA_MARK = 0x15 /* struct xfrm_mark */
- XFRMA_TFCPAD = 0x16 /* __u32 */
- XFRMA_REPLAY_ESN_VAL = 0x17 /* struct xfrm_replay_esn */
- XFRMA_SA_EXTRA_FLAGS = 0x18 /* __u32 */
- XFRMA_MAX = 0x18
-)
-
-const (
- SizeofXfrmAddress = 0x10
- SizeofXfrmSelector = 0x38
- SizeofXfrmLifetimeCfg = 0x40
- SizeofXfrmLifetimeCur = 0x20
- SizeofXfrmId = 0x18
-)
-
-// typedef union {
-// __be32 a4;
-// __be32 a6[4];
-// } xfrm_address_t;
-
-type XfrmAddress [SizeofXfrmAddress]byte
-
-func (x *XfrmAddress) ToIP() net.IP {
- var empty = [12]byte{}
- ip := make(net.IP, net.IPv6len)
- if bytes.Equal(x[4:16], empty[:]) {
- ip[10] = 0xff
- ip[11] = 0xff
- copy(ip[12:16], x[0:4])
- } else {
- copy(ip[:], x[:])
- }
- return ip
-}
-
-func (x *XfrmAddress) ToIPNet(prefixlen uint8) *net.IPNet {
- ip := x.ToIP()
- if GetIPFamily(ip) == FAMILY_V4 {
- return &net.IPNet{IP: ip, Mask: net.CIDRMask(int(prefixlen), 32)}
- }
- return &net.IPNet{IP: ip, Mask: net.CIDRMask(int(prefixlen), 128)}
-}
-
-func (x *XfrmAddress) FromIP(ip net.IP) {
- var empty = [16]byte{}
- if len(ip) < net.IPv4len {
- copy(x[4:16], empty[:])
- } else if GetIPFamily(ip) == FAMILY_V4 {
- copy(x[0:4], ip.To4()[0:4])
- copy(x[4:16], empty[:12])
- } else {
- copy(x[0:16], ip.To16()[0:16])
- }
-}
-
-func DeserializeXfrmAddress(b []byte) *XfrmAddress {
- return (*XfrmAddress)(unsafe.Pointer(&b[0:SizeofXfrmAddress][0]))
-}
-
-func (x *XfrmAddress) Serialize() []byte {
- return (*(*[SizeofXfrmAddress]byte)(unsafe.Pointer(x)))[:]
-}
-
-// struct xfrm_selector {
-// xfrm_address_t daddr;
-// xfrm_address_t saddr;
-// __be16 dport;
-// __be16 dport_mask;
-// __be16 sport;
-// __be16 sport_mask;
-// __u16 family;
-// __u8 prefixlen_d;
-// __u8 prefixlen_s;
-// __u8 proto;
-// int ifindex;
-// __kernel_uid32_t user;
-// };
-
-type XfrmSelector struct {
- Daddr XfrmAddress
- Saddr XfrmAddress
- Dport uint16 // big endian
- DportMask uint16 // big endian
- Sport uint16 // big endian
- SportMask uint16 // big endian
- Family uint16
- PrefixlenD uint8
- PrefixlenS uint8
- Proto uint8
- Pad [3]byte
- Ifindex int32
- User uint32
-}
-
-func (msg *XfrmSelector) Len() int {
- return SizeofXfrmSelector
-}
-
-func DeserializeXfrmSelector(b []byte) *XfrmSelector {
- return (*XfrmSelector)(unsafe.Pointer(&b[0:SizeofXfrmSelector][0]))
-}
-
-func (msg *XfrmSelector) Serialize() []byte {
- return (*(*[SizeofXfrmSelector]byte)(unsafe.Pointer(msg)))[:]
-}
-
-// struct xfrm_lifetime_cfg {
-// __u64 soft_byte_limit;
-// __u64 hard_byte_limit;
-// __u64 soft_packet_limit;
-// __u64 hard_packet_limit;
-// __u64 soft_add_expires_seconds;
-// __u64 hard_add_expires_seconds;
-// __u64 soft_use_expires_seconds;
-// __u64 hard_use_expires_seconds;
-// };
-//
-
-type XfrmLifetimeCfg struct {
- SoftByteLimit uint64
- HardByteLimit uint64
- SoftPacketLimit uint64
- HardPacketLimit uint64
- SoftAddExpiresSeconds uint64
- HardAddExpiresSeconds uint64
- SoftUseExpiresSeconds uint64
- HardUseExpiresSeconds uint64
-}
-
-func (msg *XfrmLifetimeCfg) Len() int {
- return SizeofXfrmLifetimeCfg
-}
-
-func DeserializeXfrmLifetimeCfg(b []byte) *XfrmLifetimeCfg {
- return (*XfrmLifetimeCfg)(unsafe.Pointer(&b[0:SizeofXfrmLifetimeCfg][0]))
-}
-
-func (msg *XfrmLifetimeCfg) Serialize() []byte {
- return (*(*[SizeofXfrmLifetimeCfg]byte)(unsafe.Pointer(msg)))[:]
-}
-
-// struct xfrm_lifetime_cur {
-// __u64 bytes;
-// __u64 packets;
-// __u64 add_time;
-// __u64 use_time;
-// };
-
-type XfrmLifetimeCur struct {
- Bytes uint64
- Packets uint64
- AddTime uint64
- UseTime uint64
-}
-
-func (msg *XfrmLifetimeCur) Len() int {
- return SizeofXfrmLifetimeCur
-}
-
-func DeserializeXfrmLifetimeCur(b []byte) *XfrmLifetimeCur {
- return (*XfrmLifetimeCur)(unsafe.Pointer(&b[0:SizeofXfrmLifetimeCur][0]))
-}
-
-func (msg *XfrmLifetimeCur) Serialize() []byte {
- return (*(*[SizeofXfrmLifetimeCur]byte)(unsafe.Pointer(msg)))[:]
-}
-
-// struct xfrm_id {
-// xfrm_address_t daddr;
-// __be32 spi;
-// __u8 proto;
-// };
-
-type XfrmId struct {
- Daddr XfrmAddress
- Spi uint32 // big endian
- Proto uint8
- Pad [3]byte
-}
-
-func (msg *XfrmId) Len() int {
- return SizeofXfrmId
-}
-
-func DeserializeXfrmId(b []byte) *XfrmId {
- return (*XfrmId)(unsafe.Pointer(&b[0:SizeofXfrmId][0]))
-}
-
-func (msg *XfrmId) Serialize() []byte {
- return (*(*[SizeofXfrmId]byte)(unsafe.Pointer(msg)))[:]
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/vishvananda/netlink/nl/xfrm_policy_linux.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/vishvananda/netlink/nl/xfrm_policy_linux.go
deleted file mode 100644
index 66f7e03d2d7f2a73a796eb8013adc018e6aa039f..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/vishvananda/netlink/nl/xfrm_policy_linux.go
+++ /dev/null
@@ -1,119 +0,0 @@
-package nl
-
-import (
- "unsafe"
-)
-
-const (
- SizeofXfrmUserpolicyId = 0x40
- SizeofXfrmUserpolicyInfo = 0xa8
- SizeofXfrmUserTmpl = 0x40
-)
-
-// struct xfrm_userpolicy_id {
-// struct xfrm_selector sel;
-// __u32 index;
-// __u8 dir;
-// };
-//
-
-type XfrmUserpolicyId struct {
- Sel XfrmSelector
- Index uint32
- Dir uint8
- Pad [3]byte
-}
-
-func (msg *XfrmUserpolicyId) Len() int {
- return SizeofXfrmUserpolicyId
-}
-
-func DeserializeXfrmUserpolicyId(b []byte) *XfrmUserpolicyId {
- return (*XfrmUserpolicyId)(unsafe.Pointer(&b[0:SizeofXfrmUserpolicyId][0]))
-}
-
-func (msg *XfrmUserpolicyId) Serialize() []byte {
- return (*(*[SizeofXfrmUserpolicyId]byte)(unsafe.Pointer(msg)))[:]
-}
-
-// struct xfrm_userpolicy_info {
-// struct xfrm_selector sel;
-// struct xfrm_lifetime_cfg lft;
-// struct xfrm_lifetime_cur curlft;
-// __u32 priority;
-// __u32 index;
-// __u8 dir;
-// __u8 action;
-// #define XFRM_POLICY_ALLOW 0
-// #define XFRM_POLICY_BLOCK 1
-// __u8 flags;
-// #define XFRM_POLICY_LOCALOK 1 /* Allow user to override global policy */
-// /* Automatically expand selector to include matching ICMP payloads. */
-// #define XFRM_POLICY_ICMP 2
-// __u8 share;
-// };
-
-type XfrmUserpolicyInfo struct {
- Sel XfrmSelector
- Lft XfrmLifetimeCfg
- Curlft XfrmLifetimeCur
- Priority uint32
- Index uint32
- Dir uint8
- Action uint8
- Flags uint8
- Share uint8
- Pad [4]byte
-}
-
-func (msg *XfrmUserpolicyInfo) Len() int {
- return SizeofXfrmUserpolicyInfo
-}
-
-func DeserializeXfrmUserpolicyInfo(b []byte) *XfrmUserpolicyInfo {
- return (*XfrmUserpolicyInfo)(unsafe.Pointer(&b[0:SizeofXfrmUserpolicyInfo][0]))
-}
-
-func (msg *XfrmUserpolicyInfo) Serialize() []byte {
- return (*(*[SizeofXfrmUserpolicyInfo]byte)(unsafe.Pointer(msg)))[:]
-}
-
-// struct xfrm_user_tmpl {
-// struct xfrm_id id;
-// __u16 family;
-// xfrm_address_t saddr;
-// __u32 reqid;
-// __u8 mode;
-// __u8 share;
-// __u8 optional;
-// __u32 aalgos;
-// __u32 ealgos;
-// __u32 calgos;
-// }
-
-type XfrmUserTmpl struct {
- XfrmId XfrmId
- Family uint16
- Pad1 [2]byte
- Saddr XfrmAddress
- Reqid uint32
- Mode uint8
- Share uint8
- Optional uint8
- Pad2 byte
- Aalgos uint32
- Ealgos uint32
- Calgos uint32
-}
-
-func (msg *XfrmUserTmpl) Len() int {
- return SizeofXfrmUserTmpl
-}
-
-func DeserializeXfrmUserTmpl(b []byte) *XfrmUserTmpl {
- return (*XfrmUserTmpl)(unsafe.Pointer(&b[0:SizeofXfrmUserTmpl][0]))
-}
-
-func (msg *XfrmUserTmpl) Serialize() []byte {
- return (*(*[SizeofXfrmUserTmpl]byte)(unsafe.Pointer(msg)))[:]
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/vishvananda/netlink/nl/xfrm_state_linux.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/vishvananda/netlink/nl/xfrm_state_linux.go
deleted file mode 100644
index 4876ce458371f5828807198dc92476e77ec47b55..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/vishvananda/netlink/nl/xfrm_state_linux.go
+++ /dev/null
@@ -1,221 +0,0 @@
-package nl
-
-import (
- "unsafe"
-)
-
-const (
- SizeofXfrmUsersaId = 0x18
- SizeofXfrmStats = 0x0c
- SizeofXfrmUsersaInfo = 0xe0
- SizeofXfrmAlgo = 0x44
- SizeofXfrmAlgoAuth = 0x48
- SizeofXfrmEncapTmpl = 0x18
-)
-
-// struct xfrm_usersa_id {
-// xfrm_address_t daddr;
-// __be32 spi;
-// __u16 family;
-// __u8 proto;
-// };
-
-type XfrmUsersaId struct {
- Daddr XfrmAddress
- Spi uint32 // big endian
- Family uint16
- Proto uint8
- Pad byte
-}
-
-func (msg *XfrmUsersaId) Len() int {
- return SizeofXfrmUsersaId
-}
-
-func DeserializeXfrmUsersaId(b []byte) *XfrmUsersaId {
- return (*XfrmUsersaId)(unsafe.Pointer(&b[0:SizeofXfrmUsersaId][0]))
-}
-
-func (msg *XfrmUsersaId) Serialize() []byte {
- return (*(*[SizeofXfrmUsersaId]byte)(unsafe.Pointer(msg)))[:]
-}
-
-// struct xfrm_stats {
-// __u32 replay_window;
-// __u32 replay;
-// __u32 integrity_failed;
-// };
-
-type XfrmStats struct {
- ReplayWindow uint32
- Replay uint32
- IntegrityFailed uint32
-}
-
-func (msg *XfrmStats) Len() int {
- return SizeofXfrmStats
-}
-
-func DeserializeXfrmStats(b []byte) *XfrmStats {
- return (*XfrmStats)(unsafe.Pointer(&b[0:SizeofXfrmStats][0]))
-}
-
-func (msg *XfrmStats) Serialize() []byte {
- return (*(*[SizeofXfrmStats]byte)(unsafe.Pointer(msg)))[:]
-}
-
-// struct xfrm_usersa_info {
-// struct xfrm_selector sel;
-// struct xfrm_id id;
-// xfrm_address_t saddr;
-// struct xfrm_lifetime_cfg lft;
-// struct xfrm_lifetime_cur curlft;
-// struct xfrm_stats stats;
-// __u32 seq;
-// __u32 reqid;
-// __u16 family;
-// __u8 mode; /* XFRM_MODE_xxx */
-// __u8 replay_window;
-// __u8 flags;
-// #define XFRM_STATE_NOECN 1
-// #define XFRM_STATE_DECAP_DSCP 2
-// #define XFRM_STATE_NOPMTUDISC 4
-// #define XFRM_STATE_WILDRECV 8
-// #define XFRM_STATE_ICMP 16
-// #define XFRM_STATE_AF_UNSPEC 32
-// #define XFRM_STATE_ALIGN4 64
-// #define XFRM_STATE_ESN 128
-// };
-//
-// #define XFRM_SA_XFLAG_DONT_ENCAP_DSCP 1
-//
-
-type XfrmUsersaInfo struct {
- Sel XfrmSelector
- Id XfrmId
- Saddr XfrmAddress
- Lft XfrmLifetimeCfg
- Curlft XfrmLifetimeCur
- Stats XfrmStats
- Seq uint32
- Reqid uint32
- Family uint16
- Mode uint8
- ReplayWindow uint8
- Flags uint8
- Pad [7]byte
-}
-
-func (msg *XfrmUsersaInfo) Len() int {
- return SizeofXfrmUsersaInfo
-}
-
-func DeserializeXfrmUsersaInfo(b []byte) *XfrmUsersaInfo {
- return (*XfrmUsersaInfo)(unsafe.Pointer(&b[0:SizeofXfrmUsersaInfo][0]))
-}
-
-func (msg *XfrmUsersaInfo) Serialize() []byte {
- return (*(*[SizeofXfrmUsersaInfo]byte)(unsafe.Pointer(msg)))[:]
-}
-
-// struct xfrm_algo {
-// char alg_name[64];
-// unsigned int alg_key_len; /* in bits */
-// char alg_key[0];
-// };
-
-type XfrmAlgo struct {
- AlgName [64]byte
- AlgKeyLen uint32
- AlgKey []byte
-}
-
-func (msg *XfrmAlgo) Len() int {
- return SizeofXfrmAlgo + int(msg.AlgKeyLen/8)
-}
-
-func DeserializeXfrmAlgo(b []byte) *XfrmAlgo {
- ret := XfrmAlgo{}
- copy(ret.AlgName[:], b[0:64])
- ret.AlgKeyLen = *(*uint32)(unsafe.Pointer(&b[64]))
- ret.AlgKey = b[68:ret.Len()]
- return &ret
-}
-
-func (msg *XfrmAlgo) Serialize() []byte {
- b := make([]byte, msg.Len())
- copy(b[0:64], msg.AlgName[:])
- copy(b[64:68], (*(*[4]byte)(unsafe.Pointer(&msg.AlgKeyLen)))[:])
- copy(b[68:msg.Len()], msg.AlgKey[:])
- return b
-}
-
-// struct xfrm_algo_auth {
-// char alg_name[64];
-// unsigned int alg_key_len; /* in bits */
-// unsigned int alg_trunc_len; /* in bits */
-// char alg_key[0];
-// };
-
-type XfrmAlgoAuth struct {
- AlgName [64]byte
- AlgKeyLen uint32
- AlgTruncLen uint32
- AlgKey []byte
-}
-
-func (msg *XfrmAlgoAuth) Len() int {
- return SizeofXfrmAlgoAuth + int(msg.AlgKeyLen/8)
-}
-
-func DeserializeXfrmAlgoAuth(b []byte) *XfrmAlgoAuth {
- ret := XfrmAlgoAuth{}
- copy(ret.AlgName[:], b[0:64])
- ret.AlgKeyLen = *(*uint32)(unsafe.Pointer(&b[64]))
- ret.AlgTruncLen = *(*uint32)(unsafe.Pointer(&b[68]))
- ret.AlgKey = b[72:ret.Len()]
- return &ret
-}
-
-func (msg *XfrmAlgoAuth) Serialize() []byte {
- b := make([]byte, msg.Len())
- copy(b[0:64], msg.AlgName[:])
- copy(b[64:68], (*(*[4]byte)(unsafe.Pointer(&msg.AlgKeyLen)))[:])
- copy(b[68:72], (*(*[4]byte)(unsafe.Pointer(&msg.AlgTruncLen)))[:])
- copy(b[72:msg.Len()], msg.AlgKey[:])
- return b
-}
-
-// struct xfrm_algo_aead {
-// char alg_name[64];
-// unsigned int alg_key_len; /* in bits */
-// unsigned int alg_icv_len; /* in bits */
-// char alg_key[0];
-// }
-
-// struct xfrm_encap_tmpl {
-// __u16 encap_type;
-// __be16 encap_sport;
-// __be16 encap_dport;
-// xfrm_address_t encap_oa;
-// };
-
-type XfrmEncapTmpl struct {
- EncapType uint16
- EncapSport uint16 // big endian
- EncapDport uint16 // big endian
- Pad [2]byte
- EncapOa XfrmAddress
-}
-
-func (msg *XfrmEncapTmpl) Len() int {
- return SizeofXfrmEncapTmpl
-}
-
-func DeserializeXfrmEncapTmpl(b []byte) *XfrmEncapTmpl {
- return (*XfrmEncapTmpl)(unsafe.Pointer(&b[0:SizeofXfrmEncapTmpl][0]))
-}
-
-func (msg *XfrmEncapTmpl) Serialize() []byte {
- return (*(*[SizeofXfrmEncapTmpl]byte)(unsafe.Pointer(msg)))[:]
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/vishvananda/netlink/protinfo.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/vishvananda/netlink/protinfo.go
deleted file mode 100644
index f39ab8f4e8886d0ee99dff287d184437a7f3546a..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/vishvananda/netlink/protinfo.go
+++ /dev/null
@@ -1,53 +0,0 @@
-package netlink
-
-import (
- "strings"
-)
-
-// Protinfo represents bridge flags from netlink.
-type Protinfo struct {
- Hairpin bool
- Guard bool
- FastLeave bool
- RootBlock bool
- Learning bool
- Flood bool
-}
-
-// String returns a list of enabled flags
-func (prot *Protinfo) String() string {
- var boolStrings []string
- if prot.Hairpin {
- boolStrings = append(boolStrings, "Hairpin")
- }
- if prot.Guard {
- boolStrings = append(boolStrings, "Guard")
- }
- if prot.FastLeave {
- boolStrings = append(boolStrings, "FastLeave")
- }
- if prot.RootBlock {
- boolStrings = append(boolStrings, "RootBlock")
- }
- if prot.Learning {
- boolStrings = append(boolStrings, "Learning")
- }
- if prot.Flood {
- boolStrings = append(boolStrings, "Flood")
- }
- return strings.Join(boolStrings, " ")
-}
-
-func boolToByte(x bool) []byte {
- if x {
- return []byte{1}
- }
- return []byte{0}
-}
-
-func byteToBool(x byte) bool {
- if uint8(x) != 0 {
- return true
- }
- return false
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/vishvananda/netlink/protinfo_linux.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/vishvananda/netlink/protinfo_linux.go
deleted file mode 100644
index 7181eba100dd6e04b67afa70c0c0cd06108caf91..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/vishvananda/netlink/protinfo_linux.go
+++ /dev/null
@@ -1,60 +0,0 @@
-package netlink
-
-import (
- "fmt"
- "syscall"
-
- "github.com/vishvananda/netlink/nl"
-)
-
-func LinkGetProtinfo(link Link) (Protinfo, error) {
- base := link.Attrs()
- ensureIndex(base)
- var pi Protinfo
- req := nl.NewNetlinkRequest(syscall.RTM_GETLINK, syscall.NLM_F_DUMP)
- msg := nl.NewIfInfomsg(syscall.AF_BRIDGE)
- req.AddData(msg)
- msgs, err := req.Execute(syscall.NETLINK_ROUTE, 0)
- if err != nil {
- return pi, err
- }
-
- for _, m := range msgs {
- ans := nl.DeserializeIfInfomsg(m)
- if int(ans.Index) != base.Index {
- continue
- }
- attrs, err := nl.ParseRouteAttr(m[ans.Len():])
- if err != nil {
- return pi, err
- }
- for _, attr := range attrs {
- if attr.Attr.Type != syscall.IFLA_PROTINFO|syscall.NLA_F_NESTED {
- continue
- }
- infos, err := nl.ParseRouteAttr(attr.Value)
- if err != nil {
- return pi, err
- }
- var pi Protinfo
- for _, info := range infos {
- switch info.Attr.Type {
- case nl.IFLA_BRPORT_MODE:
- pi.Hairpin = byteToBool(info.Value[0])
- case nl.IFLA_BRPORT_GUARD:
- pi.Guard = byteToBool(info.Value[0])
- case nl.IFLA_BRPORT_FAST_LEAVE:
- pi.FastLeave = byteToBool(info.Value[0])
- case nl.IFLA_BRPORT_PROTECT:
- pi.RootBlock = byteToBool(info.Value[0])
- case nl.IFLA_BRPORT_LEARNING:
- pi.Learning = byteToBool(info.Value[0])
- case nl.IFLA_BRPORT_UNICAST_FLOOD:
- pi.Flood = byteToBool(info.Value[0])
- }
- }
- return pi, nil
- }
- }
- return pi, fmt.Errorf("Device with index %d not found", base.Index)
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/vishvananda/netlink/qdisc.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/vishvananda/netlink/qdisc.go
deleted file mode 100644
index 8e3d020fd4c0de8847700fd989dfebc4068db4b7..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/vishvananda/netlink/qdisc.go
+++ /dev/null
@@ -1,138 +0,0 @@
-package netlink
-
-import (
- "fmt"
-)
-
-const (
- HANDLE_NONE = 0
- HANDLE_INGRESS = 0xFFFFFFF1
- HANDLE_ROOT = 0xFFFFFFFF
- PRIORITY_MAP_LEN = 16
-)
-
-type Qdisc interface {
- Attrs() *QdiscAttrs
- Type() string
-}
-
-// Qdisc represents a netlink qdisc. A qdisc is associated with a link,
-// has a handle, a parent and a refcnt. The root qdisc of a device should
-// have parent == HANDLE_ROOT.
-type QdiscAttrs struct {
- LinkIndex int
- Handle uint32
- Parent uint32
- Refcnt uint32 // read only
-}
-
-func (q QdiscAttrs) String() string {
- return fmt.Sprintf("{LinkIndex: %d, Handle: %s, Parent: %s, Refcnt: %s}", q.LinkIndex, HandleStr(q.Handle), HandleStr(q.Parent), q.Refcnt)
-}
-
-func MakeHandle(major, minor uint16) uint32 {
- return (uint32(major) << 16) | uint32(minor)
-}
-
-func MajorMinor(handle uint32) (uint16, uint16) {
- return uint16((handle & 0xFFFF0000) >> 16), uint16(handle & 0x0000FFFFF)
-}
-
-func HandleStr(handle uint32) string {
- switch handle {
- case HANDLE_NONE:
- return "none"
- case HANDLE_INGRESS:
- return "ingress"
- case HANDLE_ROOT:
- return "root"
- default:
- major, minor := MajorMinor(handle)
- return fmt.Sprintf("%x:%x", major, minor)
- }
-}
-
-// PfifoFast is the default qdisc created by the kernel if one has not
-// been defined for the interface
-type PfifoFast struct {
- QdiscAttrs
- Bands uint8
- PriorityMap [PRIORITY_MAP_LEN]uint8
-}
-
-func (qdisc *PfifoFast) Attrs() *QdiscAttrs {
- return &qdisc.QdiscAttrs
-}
-
-func (qdisc *PfifoFast) Type() string {
- return "pfifo_fast"
-}
-
-// Prio is a basic qdisc that works just like PfifoFast
-type Prio struct {
- QdiscAttrs
- Bands uint8
- PriorityMap [PRIORITY_MAP_LEN]uint8
-}
-
-func NewPrio(attrs QdiscAttrs) *Prio {
- return &Prio{
- QdiscAttrs: attrs,
- Bands: 3,
- PriorityMap: [PRIORITY_MAP_LEN]uint8{1, 2, 2, 2, 1, 2, 0, 0, 1, 1, 1, 1, 1, 1, 1, 1},
- }
-}
-
-func (qdisc *Prio) Attrs() *QdiscAttrs {
- return &qdisc.QdiscAttrs
-}
-
-func (qdisc *Prio) Type() string {
- return "prio"
-}
-
-// Tbf is a classful qdisc that rate limits based on tokens
-type Tbf struct {
- QdiscAttrs
- // TODO: handle 64bit rate properly
- Rate uint64
- Limit uint32
- Buffer uint32
- // TODO: handle other settings
-}
-
-func (qdisc *Tbf) Attrs() *QdiscAttrs {
- return &qdisc.QdiscAttrs
-}
-
-func (qdisc *Tbf) Type() string {
- return "tbf"
-}
-
-// Ingress is a qdisc for adding ingress filters
-type Ingress struct {
- QdiscAttrs
-}
-
-func (qdisc *Ingress) Attrs() *QdiscAttrs {
- return &qdisc.QdiscAttrs
-}
-
-func (qdisc *Ingress) Type() string {
- return "ingress"
-}
-
-// GenericQdisc qdiscs represent types that are not currently understood
-// by this netlink library.
-type GenericQdisc struct {
- QdiscAttrs
- QdiscType string
-}
-
-func (qdisc *GenericQdisc) Attrs() *QdiscAttrs {
- return &qdisc.QdiscAttrs
-}
-
-func (qdisc *GenericQdisc) Type() string {
- return qdisc.QdiscType
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/vishvananda/netlink/qdisc_linux.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/vishvananda/netlink/qdisc_linux.go
deleted file mode 100644
index 2531c9dd13c4b4f223a044cba07150ef2a815a36..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/vishvananda/netlink/qdisc_linux.go
+++ /dev/null
@@ -1,263 +0,0 @@
-package netlink
-
-import (
- "fmt"
- "io/ioutil"
- "strconv"
- "strings"
- "syscall"
-
- "github.com/vishvananda/netlink/nl"
-)
-
-// QdiscDel will delete a qdisc from the system.
-// Equivalent to: `tc qdisc del $qdisc`
-func QdiscDel(qdisc Qdisc) error {
- req := nl.NewNetlinkRequest(syscall.RTM_DELQDISC, syscall.NLM_F_ACK)
- base := qdisc.Attrs()
- msg := &nl.TcMsg{
- Family: nl.FAMILY_ALL,
- Ifindex: int32(base.LinkIndex),
- Handle: base.Handle,
- Parent: base.Parent,
- }
- req.AddData(msg)
-
- _, err := req.Execute(syscall.NETLINK_ROUTE, 0)
- return err
-}
-
-// QdiscAdd will add a qdisc to the system.
-// Equivalent to: `tc qdisc add $qdisc`
-func QdiscAdd(qdisc Qdisc) error {
- req := nl.NewNetlinkRequest(syscall.RTM_NEWQDISC, syscall.NLM_F_CREATE|syscall.NLM_F_EXCL|syscall.NLM_F_ACK)
- base := qdisc.Attrs()
- msg := &nl.TcMsg{
- Family: nl.FAMILY_ALL,
- Ifindex: int32(base.LinkIndex),
- Handle: base.Handle,
- Parent: base.Parent,
- }
- req.AddData(msg)
- req.AddData(nl.NewRtAttr(nl.TCA_KIND, nl.ZeroTerminated(qdisc.Type())))
-
- options := nl.NewRtAttr(nl.TCA_OPTIONS, nil)
- if prio, ok := qdisc.(*Prio); ok {
- tcmap := nl.TcPrioMap{
- Bands: int32(prio.Bands),
- Priomap: prio.PriorityMap,
- }
- options = nl.NewRtAttr(nl.TCA_OPTIONS, tcmap.Serialize())
- } else if tbf, ok := qdisc.(*Tbf); ok {
- opt := nl.TcTbfQopt{}
- // TODO: handle rate > uint32
- opt.Rate.Rate = uint32(tbf.Rate)
- opt.Limit = tbf.Limit
- opt.Buffer = tbf.Buffer
- nl.NewRtAttrChild(options, nl.TCA_TBF_PARMS, opt.Serialize())
- } else if _, ok := qdisc.(*Ingress); ok {
- // ingress filters must use the proper handle
- if msg.Parent != HANDLE_INGRESS {
- return fmt.Errorf("Ingress filters must set Parent to HANDLE_INGRESS")
- }
- }
- req.AddData(options)
- _, err := req.Execute(syscall.NETLINK_ROUTE, 0)
- return err
-}
-
-// QdiscList gets a list of qdiscs in the system.
-// Equivalent to: `tc qdisc show`.
-// The list can be filtered by link.
-func QdiscList(link Link) ([]Qdisc, error) {
- req := nl.NewNetlinkRequest(syscall.RTM_GETQDISC, syscall.NLM_F_DUMP)
- index := int32(0)
- if link != nil {
- base := link.Attrs()
- ensureIndex(base)
- index = int32(base.Index)
- }
- msg := &nl.TcMsg{
- Family: nl.FAMILY_ALL,
- Ifindex: index,
- }
- req.AddData(msg)
-
- msgs, err := req.Execute(syscall.NETLINK_ROUTE, syscall.RTM_NEWQDISC)
- if err != nil {
- return nil, err
- }
-
- var res []Qdisc
- for _, m := range msgs {
- msg := nl.DeserializeTcMsg(m)
-
- attrs, err := nl.ParseRouteAttr(m[msg.Len():])
- if err != nil {
- return nil, err
- }
-
- // skip qdiscs from other interfaces
- if link != nil && msg.Ifindex != index {
- continue
- }
-
- base := QdiscAttrs{
- LinkIndex: int(msg.Ifindex),
- Handle: msg.Handle,
- Parent: msg.Parent,
- Refcnt: msg.Info,
- }
- var qdisc Qdisc
- qdiscType := ""
- for _, attr := range attrs {
- switch attr.Attr.Type {
- case nl.TCA_KIND:
- qdiscType = string(attr.Value[:len(attr.Value)-1])
- switch qdiscType {
- case "pfifo_fast":
- qdisc = &PfifoFast{}
- case "prio":
- qdisc = &Prio{}
- case "tbf":
- qdisc = &Tbf{}
- case "ingress":
- qdisc = &Ingress{}
- default:
- qdisc = &GenericQdisc{QdiscType: qdiscType}
- }
- case nl.TCA_OPTIONS:
- switch qdiscType {
- case "pfifo_fast":
- // pfifo returns TcPrioMap directly without wrapping it in rtattr
- if err := parsePfifoFastData(qdisc, attr.Value); err != nil {
- return nil, err
- }
- case "prio":
- // prio returns TcPrioMap directly without wrapping it in rtattr
- if err := parsePrioData(qdisc, attr.Value); err != nil {
- return nil, err
- }
- case "tbf":
- data, err := nl.ParseRouteAttr(attr.Value)
- if err != nil {
- return nil, err
- }
- if err := parseTbfData(qdisc, data); err != nil {
- return nil, err
- }
- // no options for ingress
- }
- }
- }
- *qdisc.Attrs() = base
- res = append(res, qdisc)
- }
-
- return res, nil
-}
-
-func parsePfifoFastData(qdisc Qdisc, value []byte) error {
- pfifo := qdisc.(*PfifoFast)
- tcmap := nl.DeserializeTcPrioMap(value)
- pfifo.PriorityMap = tcmap.Priomap
- pfifo.Bands = uint8(tcmap.Bands)
- return nil
-}
-
-func parsePrioData(qdisc Qdisc, value []byte) error {
- prio := qdisc.(*Prio)
- tcmap := nl.DeserializeTcPrioMap(value)
- prio.PriorityMap = tcmap.Priomap
- prio.Bands = uint8(tcmap.Bands)
- return nil
-}
-
-func parseTbfData(qdisc Qdisc, data []syscall.NetlinkRouteAttr) error {
- native = nl.NativeEndian()
- tbf := qdisc.(*Tbf)
- for _, datum := range data {
- switch datum.Attr.Type {
- case nl.TCA_TBF_PARMS:
- opt := nl.DeserializeTcTbfQopt(datum.Value)
- tbf.Rate = uint64(opt.Rate.Rate)
- tbf.Limit = opt.Limit
- tbf.Buffer = opt.Buffer
- case nl.TCA_TBF_RATE64:
- tbf.Rate = native.Uint64(datum.Value[0:4])
- }
- }
- return nil
-}
-
-const (
- TIME_UNITS_PER_SEC = 1000000
-)
-
-var (
- tickInUsec float64 = 0.0
- clockFactor float64 = 0.0
-)
-
-func initClock() {
- data, err := ioutil.ReadFile("/proc/net/psched")
- if err != nil {
- return
- }
- parts := strings.Split(strings.TrimSpace(string(data)), " ")
- if len(parts) < 3 {
- return
- }
- var vals [3]uint64
- for i := range vals {
- val, err := strconv.ParseUint(parts[i], 16, 32)
- if err != nil {
- return
- }
- vals[i] = val
- }
- // compatibility
- if vals[2] == 1000000000 {
- vals[0] = vals[1]
- }
- clockFactor = float64(vals[2]) / TIME_UNITS_PER_SEC
- tickInUsec = float64(vals[0]) / float64(vals[1]) * clockFactor
-}
-
-func TickInUsec() float64 {
- if tickInUsec == 0.0 {
- initClock()
- }
- return tickInUsec
-}
-
-func ClockFactor() float64 {
- if clockFactor == 0.0 {
- initClock()
- }
- return clockFactor
-}
-
-func time2Tick(time uint32) uint32 {
- return uint32(float64(time) * TickInUsec())
-}
-
-func tick2Time(tick uint32) uint32 {
- return uint32(float64(tick) / TickInUsec())
-}
-
-func time2Ktime(time uint32) uint32 {
- return uint32(float64(time) * ClockFactor())
-}
-
-func ktime2Time(ktime uint32) uint32 {
- return uint32(float64(ktime) / ClockFactor())
-}
-
-func burst(rate uint64, buffer uint32) uint32 {
- return uint32(float64(rate) * float64(tick2Time(buffer)) / TIME_UNITS_PER_SEC)
-}
-
-func latency(rate uint64, limit, buffer uint32) float64 {
- return TIME_UNITS_PER_SEC*(float64(limit)/float64(rate)) - float64(tick2Time(buffer))
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/vishvananda/netlink/route.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/vishvananda/netlink/route.go
deleted file mode 100644
index 6218546f8028b63fb73a49de48af0d87ae353983..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/vishvananda/netlink/route.go
+++ /dev/null
@@ -1,35 +0,0 @@
-package netlink
-
-import (
- "fmt"
- "net"
- "syscall"
-)
-
-// Scope is an enum representing a route scope.
-type Scope uint8
-
-const (
- SCOPE_UNIVERSE Scope = syscall.RT_SCOPE_UNIVERSE
- SCOPE_SITE Scope = syscall.RT_SCOPE_SITE
- SCOPE_LINK Scope = syscall.RT_SCOPE_LINK
- SCOPE_HOST Scope = syscall.RT_SCOPE_HOST
- SCOPE_NOWHERE Scope = syscall.RT_SCOPE_NOWHERE
-)
-
-// Route represents a netlink route. A route is associated with a link,
-// has a destination network, an optional source ip, and optional
-// gateway. Advanced route parameters and non-main routing tables are
-// currently not supported.
-type Route struct {
- LinkIndex int
- Scope Scope
- Dst *net.IPNet
- Src net.IP
- Gw net.IP
-}
-
-func (r Route) String() string {
- return fmt.Sprintf("{Ifindex: %d Dst: %s Src: %s Gw: %s}", r.LinkIndex, r.Dst,
- r.Src, r.Gw)
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/vishvananda/netlink/route_linux.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/vishvananda/netlink/route_linux.go
deleted file mode 100644
index 9e76d4414488e689ee75f74d1a804a0dbf7f6955..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/vishvananda/netlink/route_linux.go
+++ /dev/null
@@ -1,225 +0,0 @@
-package netlink
-
-import (
- "fmt"
- "net"
- "syscall"
-
- "github.com/vishvananda/netlink/nl"
-)
-
-// RtAttr is shared so it is in netlink_linux.go
-
-// RouteAdd will add a route to the system.
-// Equivalent to: `ip route add $route`
-func RouteAdd(route *Route) error {
- req := nl.NewNetlinkRequest(syscall.RTM_NEWROUTE, syscall.NLM_F_CREATE|syscall.NLM_F_EXCL|syscall.NLM_F_ACK)
- return routeHandle(route, req, nl.NewRtMsg())
-}
-
-// RouteAdd will delete a route from the system.
-// Equivalent to: `ip route del $route`
-func RouteDel(route *Route) error {
- req := nl.NewNetlinkRequest(syscall.RTM_DELROUTE, syscall.NLM_F_ACK)
- return routeHandle(route, req, nl.NewRtDelMsg())
-}
-
-func routeHandle(route *Route, req *nl.NetlinkRequest, msg *nl.RtMsg) error {
- if (route.Dst == nil || route.Dst.IP == nil) && route.Src == nil && route.Gw == nil {
- return fmt.Errorf("one of Dst.IP, Src, or Gw must not be nil")
- }
-
- msg.Scope = uint8(route.Scope)
- family := -1
- var rtAttrs []*nl.RtAttr
-
- if route.Dst != nil && route.Dst.IP != nil {
- dstLen, _ := route.Dst.Mask.Size()
- msg.Dst_len = uint8(dstLen)
- dstFamily := nl.GetIPFamily(route.Dst.IP)
- family = dstFamily
- var dstData []byte
- if dstFamily == FAMILY_V4 {
- dstData = route.Dst.IP.To4()
- } else {
- dstData = route.Dst.IP.To16()
- }
- rtAttrs = append(rtAttrs, nl.NewRtAttr(syscall.RTA_DST, dstData))
- }
-
- if route.Src != nil {
- srcFamily := nl.GetIPFamily(route.Src)
- if family != -1 && family != srcFamily {
- return fmt.Errorf("source and destination ip are not the same IP family")
- }
- family = srcFamily
- var srcData []byte
- if srcFamily == FAMILY_V4 {
- srcData = route.Src.To4()
- } else {
- srcData = route.Src.To16()
- }
- // The commonly used src ip for routes is actually PREFSRC
- rtAttrs = append(rtAttrs, nl.NewRtAttr(syscall.RTA_PREFSRC, srcData))
- }
-
- if route.Gw != nil {
- gwFamily := nl.GetIPFamily(route.Gw)
- if family != -1 && family != gwFamily {
- return fmt.Errorf("gateway, source, and destination ip are not the same IP family")
- }
- family = gwFamily
- var gwData []byte
- if gwFamily == FAMILY_V4 {
- gwData = route.Gw.To4()
- } else {
- gwData = route.Gw.To16()
- }
- rtAttrs = append(rtAttrs, nl.NewRtAttr(syscall.RTA_GATEWAY, gwData))
- }
-
- msg.Family = uint8(family)
-
- req.AddData(msg)
- for _, attr := range rtAttrs {
- req.AddData(attr)
- }
-
- var (
- b = make([]byte, 4)
- native = nl.NativeEndian()
- )
- native.PutUint32(b, uint32(route.LinkIndex))
-
- req.AddData(nl.NewRtAttr(syscall.RTA_OIF, b))
-
- _, err := req.Execute(syscall.NETLINK_ROUTE, 0)
- return err
-}
-
-// RouteList gets a list of routes in the system.
-// Equivalent to: `ip route show`.
-// The list can be filtered by link and ip family.
-func RouteList(link Link, family int) ([]Route, error) {
- req := nl.NewNetlinkRequest(syscall.RTM_GETROUTE, syscall.NLM_F_DUMP)
- msg := nl.NewIfInfomsg(family)
- req.AddData(msg)
-
- msgs, err := req.Execute(syscall.NETLINK_ROUTE, syscall.RTM_NEWROUTE)
- if err != nil {
- return nil, err
- }
-
- index := 0
- if link != nil {
- base := link.Attrs()
- ensureIndex(base)
- index = base.Index
- }
-
- native := nl.NativeEndian()
- var res []Route
-MsgLoop:
- for _, m := range msgs {
- msg := nl.DeserializeRtMsg(m)
-
- if msg.Flags&syscall.RTM_F_CLONED != 0 {
- // Ignore cloned routes
- continue
- }
-
- if msg.Table != syscall.RT_TABLE_MAIN {
- // Ignore non-main tables
- continue
- }
-
- attrs, err := nl.ParseRouteAttr(m[msg.Len():])
- if err != nil {
- return nil, err
- }
-
- route := Route{Scope: Scope(msg.Scope)}
- for _, attr := range attrs {
- switch attr.Attr.Type {
- case syscall.RTA_GATEWAY:
- route.Gw = net.IP(attr.Value)
- case syscall.RTA_PREFSRC:
- route.Src = net.IP(attr.Value)
- case syscall.RTA_DST:
- route.Dst = &net.IPNet{
- IP: attr.Value,
- Mask: net.CIDRMask(int(msg.Dst_len), 8*len(attr.Value)),
- }
- case syscall.RTA_OIF:
- routeIndex := int(native.Uint32(attr.Value[0:4]))
- if link != nil && routeIndex != index {
- // Ignore routes from other interfaces
- continue MsgLoop
- }
- route.LinkIndex = routeIndex
- }
- }
- res = append(res, route)
- }
-
- return res, nil
-}
-
-// RouteGet gets a route to a specific destination from the host system.
-// Equivalent to: 'ip route get'.
-func RouteGet(destination net.IP) ([]Route, error) {
- req := nl.NewNetlinkRequest(syscall.RTM_GETROUTE, syscall.NLM_F_REQUEST)
- family := nl.GetIPFamily(destination)
- var destinationData []byte
- var bitlen uint8
- if family == FAMILY_V4 {
- destinationData = destination.To4()
- bitlen = 32
- } else {
- destinationData = destination.To16()
- bitlen = 128
- }
- msg := &nl.RtMsg{}
- msg.Family = uint8(family)
- msg.Dst_len = bitlen
- req.AddData(msg)
-
- rtaDst := nl.NewRtAttr(syscall.RTA_DST, destinationData)
- req.AddData(rtaDst)
-
- msgs, err := req.Execute(syscall.NETLINK_ROUTE, syscall.RTM_NEWROUTE)
- if err != nil {
- return nil, err
- }
-
- native := nl.NativeEndian()
- var res []Route
- for _, m := range msgs {
- msg := nl.DeserializeRtMsg(m)
- attrs, err := nl.ParseRouteAttr(m[msg.Len():])
- if err != nil {
- return nil, err
- }
-
- route := Route{}
- for _, attr := range attrs {
- switch attr.Attr.Type {
- case syscall.RTA_GATEWAY:
- route.Gw = net.IP(attr.Value)
- case syscall.RTA_PREFSRC:
- route.Src = net.IP(attr.Value)
- case syscall.RTA_DST:
- route.Dst = &net.IPNet{
- IP: attr.Value,
- Mask: net.CIDRMask(int(msg.Dst_len), 8*len(attr.Value)),
- }
- case syscall.RTA_OIF:
- routeIndex := int(native.Uint32(attr.Value[0:4]))
- route.LinkIndex = routeIndex
- }
- }
- res = append(res, route)
- }
- return res, nil
-
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/vishvananda/netlink/xfrm.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/vishvananda/netlink/xfrm.go
deleted file mode 100644
index 621ffb6c6847ec42384cc59a0c0244037bc03af0..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/vishvananda/netlink/xfrm.go
+++ /dev/null
@@ -1,64 +0,0 @@
-package netlink
-
-import (
- "fmt"
- "syscall"
-)
-
-// Proto is an enum representing an ipsec protocol.
-type Proto uint8
-
-const (
- XFRM_PROTO_ROUTE2 Proto = syscall.IPPROTO_ROUTING
- XFRM_PROTO_ESP Proto = syscall.IPPROTO_ESP
- XFRM_PROTO_AH Proto = syscall.IPPROTO_AH
- XFRM_PROTO_HAO Proto = syscall.IPPROTO_DSTOPTS
- XFRM_PROTO_COMP Proto = syscall.IPPROTO_COMP
- XFRM_PROTO_IPSEC_ANY Proto = syscall.IPPROTO_RAW
-)
-
-func (p Proto) String() string {
- switch p {
- case XFRM_PROTO_ROUTE2:
- return "route2"
- case XFRM_PROTO_ESP:
- return "esp"
- case XFRM_PROTO_AH:
- return "ah"
- case XFRM_PROTO_HAO:
- return "hao"
- case XFRM_PROTO_COMP:
- return "comp"
- case XFRM_PROTO_IPSEC_ANY:
- return "ipsec-any"
- }
- return fmt.Sprintf("%d", p)
-}
-
-// Mode is an enum representing an ipsec transport.
-type Mode uint8
-
-const (
- XFRM_MODE_TRANSPORT Mode = iota
- XFRM_MODE_TUNNEL
- XFRM_MODE_ROUTEOPTIMIZATION
- XFRM_MODE_IN_TRIGGER
- XFRM_MODE_BEET
- XFRM_MODE_MAX
-)
-
-func (m Mode) String() string {
- switch m {
- case XFRM_MODE_TRANSPORT:
- return "transport"
- case XFRM_MODE_TUNNEL:
- return "tunnel"
- case XFRM_MODE_ROUTEOPTIMIZATION:
- return "ro"
- case XFRM_MODE_IN_TRIGGER:
- return "in_trigger"
- case XFRM_MODE_BEET:
- return "beet"
- }
- return fmt.Sprintf("%d", m)
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/vishvananda/netlink/xfrm_policy.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/vishvananda/netlink/xfrm_policy.go
deleted file mode 100644
index d85c65d2d2a75ab97aeb937c295ef66db66c0fac..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/vishvananda/netlink/xfrm_policy.go
+++ /dev/null
@@ -1,59 +0,0 @@
-package netlink
-
-import (
- "fmt"
- "net"
-)
-
-// Dir is an enum representing an ipsec template direction.
-type Dir uint8
-
-const (
- XFRM_DIR_IN Dir = iota
- XFRM_DIR_OUT
- XFRM_DIR_FWD
- XFRM_SOCKET_IN
- XFRM_SOCKET_OUT
- XFRM_SOCKET_FWD
-)
-
-func (d Dir) String() string {
- switch d {
- case XFRM_DIR_IN:
- return "dir in"
- case XFRM_DIR_OUT:
- return "dir out"
- case XFRM_DIR_FWD:
- return "dir fwd"
- case XFRM_SOCKET_IN:
- return "socket in"
- case XFRM_SOCKET_OUT:
- return "socket out"
- case XFRM_SOCKET_FWD:
- return "socket fwd"
- }
- return fmt.Sprintf("socket %d", d-XFRM_SOCKET_IN)
-}
-
-// XfrmPolicyTmpl encapsulates a rule for the base addresses of an ipsec
-// policy. These rules are matched with XfrmState to determine encryption
-// and authentication algorithms.
-type XfrmPolicyTmpl struct {
- Dst net.IP
- Src net.IP
- Proto Proto
- Mode Mode
- Reqid int
-}
-
-// XfrmPolicy represents an ipsec policy. It represents the overlay network
-// and has a list of XfrmPolicyTmpls representing the base addresses of
-// the policy.
-type XfrmPolicy struct {
- Dst *net.IPNet
- Src *net.IPNet
- Dir Dir
- Priority int
- Index int
- Tmpls []XfrmPolicyTmpl
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/vishvananda/netlink/xfrm_policy_linux.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/vishvananda/netlink/xfrm_policy_linux.go
deleted file mode 100644
index 2daf6dc8b3374ba22c795071209e3cf5b0750c55..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/vishvananda/netlink/xfrm_policy_linux.go
+++ /dev/null
@@ -1,127 +0,0 @@
-package netlink
-
-import (
- "syscall"
-
- "github.com/vishvananda/netlink/nl"
-)
-
-func selFromPolicy(sel *nl.XfrmSelector, policy *XfrmPolicy) {
- sel.Family = uint16(nl.GetIPFamily(policy.Dst.IP))
- sel.Daddr.FromIP(policy.Dst.IP)
- sel.Saddr.FromIP(policy.Src.IP)
- prefixlenD, _ := policy.Dst.Mask.Size()
- sel.PrefixlenD = uint8(prefixlenD)
- prefixlenS, _ := policy.Src.Mask.Size()
- sel.PrefixlenS = uint8(prefixlenS)
-}
-
-// XfrmPolicyAdd will add an xfrm policy to the system.
-// Equivalent to: `ip xfrm policy add $policy`
-func XfrmPolicyAdd(policy *XfrmPolicy) error {
- req := nl.NewNetlinkRequest(nl.XFRM_MSG_NEWPOLICY, syscall.NLM_F_CREATE|syscall.NLM_F_EXCL|syscall.NLM_F_ACK)
-
- msg := &nl.XfrmUserpolicyInfo{}
- selFromPolicy(&msg.Sel, policy)
- msg.Priority = uint32(policy.Priority)
- msg.Index = uint32(policy.Index)
- msg.Dir = uint8(policy.Dir)
- msg.Lft.SoftByteLimit = nl.XFRM_INF
- msg.Lft.HardByteLimit = nl.XFRM_INF
- msg.Lft.SoftPacketLimit = nl.XFRM_INF
- msg.Lft.HardPacketLimit = nl.XFRM_INF
- req.AddData(msg)
-
- tmplData := make([]byte, nl.SizeofXfrmUserTmpl*len(policy.Tmpls))
- for i, tmpl := range policy.Tmpls {
- start := i * nl.SizeofXfrmUserTmpl
- userTmpl := nl.DeserializeXfrmUserTmpl(tmplData[start : start+nl.SizeofXfrmUserTmpl])
- userTmpl.XfrmId.Daddr.FromIP(tmpl.Dst)
- userTmpl.Saddr.FromIP(tmpl.Src)
- userTmpl.XfrmId.Proto = uint8(tmpl.Proto)
- userTmpl.Mode = uint8(tmpl.Mode)
- userTmpl.Reqid = uint32(tmpl.Reqid)
- userTmpl.Aalgos = ^uint32(0)
- userTmpl.Ealgos = ^uint32(0)
- userTmpl.Calgos = ^uint32(0)
- }
- if len(tmplData) > 0 {
- tmpls := nl.NewRtAttr(nl.XFRMA_TMPL, tmplData)
- req.AddData(tmpls)
- }
-
- _, err := req.Execute(syscall.NETLINK_XFRM, 0)
- return err
-}
-
-// XfrmPolicyDel will delete an xfrm policy from the system. Note that
-// the Tmpls are ignored when matching the policy to delete.
-// Equivalent to: `ip xfrm policy del $policy`
-func XfrmPolicyDel(policy *XfrmPolicy) error {
- req := nl.NewNetlinkRequest(nl.XFRM_MSG_DELPOLICY, syscall.NLM_F_ACK)
-
- msg := &nl.XfrmUserpolicyId{}
- selFromPolicy(&msg.Sel, policy)
- msg.Index = uint32(policy.Index)
- msg.Dir = uint8(policy.Dir)
- req.AddData(msg)
-
- _, err := req.Execute(syscall.NETLINK_XFRM, 0)
- return err
-}
-
-// XfrmPolicyList gets a list of xfrm policies in the system.
-// Equivalent to: `ip xfrm policy show`.
-// The list can be filtered by ip family.
-func XfrmPolicyList(family int) ([]XfrmPolicy, error) {
- req := nl.NewNetlinkRequest(nl.XFRM_MSG_GETPOLICY, syscall.NLM_F_DUMP)
-
- msg := nl.NewIfInfomsg(family)
- req.AddData(msg)
-
- msgs, err := req.Execute(syscall.NETLINK_XFRM, nl.XFRM_MSG_NEWPOLICY)
- if err != nil {
- return nil, err
- }
-
- var res []XfrmPolicy
- for _, m := range msgs {
- msg := nl.DeserializeXfrmUserpolicyInfo(m)
-
- if family != FAMILY_ALL && family != int(msg.Sel.Family) {
- continue
- }
-
- var policy XfrmPolicy
-
- policy.Dst = msg.Sel.Daddr.ToIPNet(msg.Sel.PrefixlenD)
- policy.Src = msg.Sel.Saddr.ToIPNet(msg.Sel.PrefixlenS)
- policy.Priority = int(msg.Priority)
- policy.Index = int(msg.Index)
- policy.Dir = Dir(msg.Dir)
-
- attrs, err := nl.ParseRouteAttr(m[msg.Len():])
- if err != nil {
- return nil, err
- }
-
- for _, attr := range attrs {
- switch attr.Attr.Type {
- case nl.XFRMA_TMPL:
- max := len(attr.Value)
- for i := 0; i < max; i += nl.SizeofXfrmUserTmpl {
- var resTmpl XfrmPolicyTmpl
- tmpl := nl.DeserializeXfrmUserTmpl(attr.Value[i : i+nl.SizeofXfrmUserTmpl])
- resTmpl.Dst = tmpl.XfrmId.Daddr.ToIP()
- resTmpl.Src = tmpl.Saddr.ToIP()
- resTmpl.Proto = Proto(tmpl.XfrmId.Proto)
- resTmpl.Mode = Mode(tmpl.Mode)
- resTmpl.Reqid = int(tmpl.Reqid)
- policy.Tmpls = append(policy.Tmpls, resTmpl)
- }
- }
- }
- res = append(res, policy)
- }
- return res, nil
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/vishvananda/netlink/xfrm_state.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/vishvananda/netlink/xfrm_state.go
deleted file mode 100644
index 5b8f2df708e6ccb2c321f241acc6c33782d38a57..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/vishvananda/netlink/xfrm_state.go
+++ /dev/null
@@ -1,53 +0,0 @@
-package netlink
-
-import (
- "net"
-)
-
-// XfrmStateAlgo represents the algorithm to use for the ipsec encryption.
-type XfrmStateAlgo struct {
- Name string
- Key []byte
- TruncateLen int // Auth only
-}
-
-// EncapType is an enum representing an ipsec template direction.
-type EncapType uint8
-
-const (
- XFRM_ENCAP_ESPINUDP_NONIKE EncapType = iota + 1
- XFRM_ENCAP_ESPINUDP
-)
-
-func (e EncapType) String() string {
- switch e {
- case XFRM_ENCAP_ESPINUDP_NONIKE:
- return "espinudp-nonike"
- case XFRM_ENCAP_ESPINUDP:
- return "espinudp"
- }
- return "unknown"
-}
-
-// XfrmEncap represents the encapsulation to use for the ipsec encryption.
-type XfrmStateEncap struct {
- Type EncapType
- SrcPort int
- DstPort int
- OriginalAddress net.IP
-}
-
-// XfrmState represents the state of an ipsec policy. It optionally
-// contains an XfrmStateAlgo for encryption and one for authentication.
-type XfrmState struct {
- Dst net.IP
- Src net.IP
- Proto Proto
- Mode Mode
- Spi int
- Reqid int
- ReplayWindow int
- Auth *XfrmStateAlgo
- Crypt *XfrmStateAlgo
- Encap *XfrmStateEncap
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/vishvananda/netlink/xfrm_state_linux.go b/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/vishvananda/netlink/xfrm_state_linux.go
deleted file mode 100644
index 5f44ec8525e075c65a17ee3df842c5a3c6c965ef..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/vishvananda/netlink/xfrm_state_linux.go
+++ /dev/null
@@ -1,181 +0,0 @@
-package netlink
-
-import (
- "fmt"
- "syscall"
-
- "github.com/vishvananda/netlink/nl"
-)
-
-func writeStateAlgo(a *XfrmStateAlgo) []byte {
- algo := nl.XfrmAlgo{
- AlgKeyLen: uint32(len(a.Key) * 8),
- AlgKey: a.Key,
- }
- end := len(a.Name)
- if end > 64 {
- end = 64
- }
- copy(algo.AlgName[:end], a.Name)
- return algo.Serialize()
-}
-
-func writeStateAlgoAuth(a *XfrmStateAlgo) []byte {
- algo := nl.XfrmAlgoAuth{
- AlgKeyLen: uint32(len(a.Key) * 8),
- AlgTruncLen: uint32(a.TruncateLen),
- AlgKey: a.Key,
- }
- end := len(a.Name)
- if end > 64 {
- end = 64
- }
- copy(algo.AlgName[:end], a.Name)
- return algo.Serialize()
-}
-
-// XfrmStateAdd will add an xfrm state to the system.
-// Equivalent to: `ip xfrm state add $state`
-func XfrmStateAdd(state *XfrmState) error {
- // A state with spi 0 can't be deleted so don't allow it to be set
- if state.Spi == 0 {
- return fmt.Errorf("Spi must be set when adding xfrm state.")
- }
- req := nl.NewNetlinkRequest(nl.XFRM_MSG_NEWSA, syscall.NLM_F_CREATE|syscall.NLM_F_EXCL|syscall.NLM_F_ACK)
-
- msg := &nl.XfrmUsersaInfo{}
- msg.Family = uint16(nl.GetIPFamily(state.Dst))
- msg.Id.Daddr.FromIP(state.Dst)
- msg.Saddr.FromIP(state.Src)
- msg.Id.Proto = uint8(state.Proto)
- msg.Mode = uint8(state.Mode)
- msg.Id.Spi = nl.Swap32(uint32(state.Spi))
- msg.Reqid = uint32(state.Reqid)
- msg.ReplayWindow = uint8(state.ReplayWindow)
- msg.Lft.SoftByteLimit = nl.XFRM_INF
- msg.Lft.HardByteLimit = nl.XFRM_INF
- msg.Lft.SoftPacketLimit = nl.XFRM_INF
- msg.Lft.HardPacketLimit = nl.XFRM_INF
- req.AddData(msg)
-
- if state.Auth != nil {
- out := nl.NewRtAttr(nl.XFRMA_ALG_AUTH_TRUNC, writeStateAlgoAuth(state.Auth))
- req.AddData(out)
- }
- if state.Crypt != nil {
- out := nl.NewRtAttr(nl.XFRMA_ALG_CRYPT, writeStateAlgo(state.Crypt))
- req.AddData(out)
- }
- if state.Encap != nil {
- encapData := make([]byte, nl.SizeofXfrmEncapTmpl)
- encap := nl.DeserializeXfrmEncapTmpl(encapData)
- encap.EncapType = uint16(state.Encap.Type)
- encap.EncapSport = nl.Swap16(uint16(state.Encap.SrcPort))
- encap.EncapDport = nl.Swap16(uint16(state.Encap.DstPort))
- encap.EncapOa.FromIP(state.Encap.OriginalAddress)
- out := nl.NewRtAttr(nl.XFRMA_ENCAP, encapData)
- req.AddData(out)
- }
-
- _, err := req.Execute(syscall.NETLINK_XFRM, 0)
- return err
-}
-
-// XfrmStateDel will delete an xfrm state from the system. Note that
-// the Algos are ignored when matching the state to delete.
-// Equivalent to: `ip xfrm state del $state`
-func XfrmStateDel(state *XfrmState) error {
- req := nl.NewNetlinkRequest(nl.XFRM_MSG_DELSA, syscall.NLM_F_ACK)
-
- msg := &nl.XfrmUsersaId{}
- msg.Daddr.FromIP(state.Dst)
- msg.Family = uint16(nl.GetIPFamily(state.Dst))
- msg.Proto = uint8(state.Proto)
- msg.Spi = nl.Swap32(uint32(state.Spi))
- req.AddData(msg)
-
- saddr := nl.XfrmAddress{}
- saddr.FromIP(state.Src)
- srcdata := nl.NewRtAttr(nl.XFRMA_SRCADDR, saddr.Serialize())
-
- req.AddData(srcdata)
-
- _, err := req.Execute(syscall.NETLINK_XFRM, 0)
- return err
-}
-
-// XfrmStateList gets a list of xfrm states in the system.
-// Equivalent to: `ip xfrm state show`.
-// The list can be filtered by ip family.
-func XfrmStateList(family int) ([]XfrmState, error) {
- req := nl.NewNetlinkRequest(nl.XFRM_MSG_GETSA, syscall.NLM_F_DUMP)
-
- msg := nl.NewIfInfomsg(family)
- req.AddData(msg)
-
- msgs, err := req.Execute(syscall.NETLINK_XFRM, nl.XFRM_MSG_NEWSA)
- if err != nil {
- return nil, err
- }
-
- var res []XfrmState
- for _, m := range msgs {
- msg := nl.DeserializeXfrmUsersaInfo(m)
-
- if family != FAMILY_ALL && family != int(msg.Family) {
- continue
- }
-
- var state XfrmState
-
- state.Dst = msg.Id.Daddr.ToIP()
- state.Src = msg.Saddr.ToIP()
- state.Proto = Proto(msg.Id.Proto)
- state.Mode = Mode(msg.Mode)
- state.Spi = int(nl.Swap32(msg.Id.Spi))
- state.Reqid = int(msg.Reqid)
- state.ReplayWindow = int(msg.ReplayWindow)
-
- attrs, err := nl.ParseRouteAttr(m[msg.Len():])
- if err != nil {
- return nil, err
- }
-
- for _, attr := range attrs {
- switch attr.Attr.Type {
- case nl.XFRMA_ALG_AUTH, nl.XFRMA_ALG_CRYPT:
- var resAlgo *XfrmStateAlgo
- if attr.Attr.Type == nl.XFRMA_ALG_AUTH {
- if state.Auth == nil {
- state.Auth = new(XfrmStateAlgo)
- }
- resAlgo = state.Auth
- } else {
- state.Crypt = new(XfrmStateAlgo)
- resAlgo = state.Crypt
- }
- algo := nl.DeserializeXfrmAlgo(attr.Value[:])
- (*resAlgo).Name = nl.BytesToString(algo.AlgName[:])
- (*resAlgo).Key = algo.AlgKey
- case nl.XFRMA_ALG_AUTH_TRUNC:
- if state.Auth == nil {
- state.Auth = new(XfrmStateAlgo)
- }
- algo := nl.DeserializeXfrmAlgoAuth(attr.Value[:])
- state.Auth.Name = nl.BytesToString(algo.AlgName[:])
- state.Auth.Key = algo.AlgKey
- state.Auth.TruncateLen = int(algo.AlgTruncLen)
- case nl.XFRMA_ENCAP:
- encap := nl.DeserializeXfrmEncapTmpl(attr.Value[:])
- state.Encap = new(XfrmStateEncap)
- state.Encap.Type = EncapType(encap.EncapType)
- state.Encap.SrcPort = int(nl.Swap16(encap.EncapSport))
- state.Encap.DstPort = int(nl.Swap16(encap.EncapDport))
- state.Encap.OriginalAddress = encap.EncapOa.ToIP()
- }
-
- }
- res = append(res, state)
- }
- return res, nil
-}
diff --git a/vendor/github.com/opencontainers/runc/checkpoint.go b/vendor/github.com/opencontainers/runc/checkpoint.go
index 81de35a8c1c526f2b255cd32e112c413544f5e77..ae01ea3c0764dacb643873d0451b5bb6f21330c4 100644
--- a/vendor/github.com/opencontainers/runc/checkpoint.go
+++ b/vendor/github.com/opencontainers/runc/checkpoint.go
@@ -4,11 +4,17 @@ package main
import (
"fmt"
+ "os"
"strconv"
"strings"
- "github.com/codegangsta/cli"
"github.com/opencontainers/runc/libcontainer"
+ "github.com/opencontainers/runc/libcontainer/system"
+ "github.com/opencontainers/runtime-spec/specs-go"
+ "github.com/sirupsen/logrus"
+ "github.com/urfave/cli"
+
+ "golang.org/x/sys/unix"
)
var checkpointCommand = cli.Command{
@@ -22,27 +28,49 @@ checkpointed.`,
Flags: []cli.Flag{
cli.StringFlag{Name: "image-path", Value: "", Usage: "path for saving criu image files"},
cli.StringFlag{Name: "work-path", Value: "", Usage: "path for saving work files and logs"},
+ cli.StringFlag{Name: "parent-path", Value: "", Usage: "path for previous criu image files in pre-dump"},
cli.BoolFlag{Name: "leave-running", Usage: "leave the process running after checkpointing"},
cli.BoolFlag{Name: "tcp-established", Usage: "allow open tcp connections"},
cli.BoolFlag{Name: "ext-unix-sk", Usage: "allow external unix sockets"},
cli.BoolFlag{Name: "shell-job", Usage: "allow shell jobs"},
+ cli.BoolFlag{Name: "lazy-pages", Usage: "use userfaultfd to lazily restore memory pages"},
+ cli.StringFlag{Name: "status-fd", Value: "", Usage: "criu writes \\0 to this FD once lazy-pages is ready"},
cli.StringFlag{Name: "page-server", Value: "", Usage: "ADDRESS:PORT of the page server"},
cli.BoolFlag{Name: "file-locks", Usage: "handle file locks, for safety"},
- cli.StringFlag{Name: "manage-cgroups-mode", Value: "", Usage: "cgroups mode: 'soft' (default), 'full' and 'strict'."},
+ cli.BoolFlag{Name: "pre-dump", Usage: "dump container's memory information only, leave the container running after this"},
+ cli.StringFlag{Name: "manage-cgroups-mode", Value: "", Usage: "cgroups mode: 'soft' (default), 'full' and 'strict'"},
+ cli.StringSliceFlag{Name: "empty-ns", Usage: "create a namespace, but don't restore its properties"},
+ cli.BoolFlag{Name: "auto-dedup", Usage: "enable auto deduplication of memory images"},
},
- Action: func(context *cli.Context) {
+ Action: func(context *cli.Context) error {
+ if err := checkArgs(context, 1, exactArgs); err != nil {
+ return err
+ }
+ // XXX: Currently this is untested with rootless containers.
+ if os.Geteuid() != 0 || system.RunningInUserNS() {
+ logrus.Warn("runc checkpoint is untested with rootless containers")
+ }
+
container, err := getContainer(context)
if err != nil {
- fatal(err)
+ return err
+ }
+ status, err := container.Status()
+ if err != nil {
+ return err
+ }
+ if status == libcontainer.Created || status == libcontainer.Stopped {
+ fatalf("Container cannot be checkpointed in %s state", status.String())
}
defer destroy(container)
options := criuOptions(context)
// these are the mandatory criu options for a container
setPageServer(context, options)
setManageCgroupsMode(context, options)
- if err := container.Checkpoint(options); err != nil {
- fatal(err)
+ if err := setEmptyNsMask(context, options); err != nil {
+ return err
}
+ return container.Checkpoint(options)
},
}
@@ -87,3 +115,23 @@ func setManageCgroupsMode(context *cli.Context, options *libcontainer.CriuOpts)
}
}
}
+
+var namespaceMapping = map[specs.LinuxNamespaceType]int{
+ specs.NetworkNamespace: unix.CLONE_NEWNET,
+}
+
+func setEmptyNsMask(context *cli.Context, options *libcontainer.CriuOpts) error {
+ /* Runc doesn't manage network devices and their configuration */
+ nsmask := unix.CLONE_NEWNET
+
+ for _, ns := range context.StringSlice("empty-ns") {
+ f, exists := namespaceMapping[specs.LinuxNamespaceType(ns)]
+ if !exists {
+ return fmt.Errorf("namespace %q is not supported", ns)
+ }
+ nsmask |= f
+ }
+
+ options.EmptyNs = uint32(nsmask)
+ return nil
+}
diff --git a/vendor/github.com/opencontainers/runc/contrib/cmd/recvtty/recvtty.go b/vendor/github.com/opencontainers/runc/contrib/cmd/recvtty/recvtty.go
new file mode 100644
index 0000000000000000000000000000000000000000..a658b8d20202af5c8ad83150ee9ce3703cc6a514
--- /dev/null
+++ b/vendor/github.com/opencontainers/runc/contrib/cmd/recvtty/recvtty.go
@@ -0,0 +1,238 @@
+/*
+ * Copyright 2016 SUSE LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package main
+
+import (
+ "fmt"
+ "io"
+ "io/ioutil"
+ "net"
+ "os"
+ "strings"
+
+ "github.com/containerd/console"
+ "github.com/opencontainers/runc/libcontainer/utils"
+ "github.com/urfave/cli"
+)
+
+// version will be populated by the Makefile, read from
+// VERSION file of the source code.
+var version = ""
+
+// gitCommit will be the hash that the binary was built from
+// and will be populated by the Makefile
+var gitCommit = ""
+
+const (
+ usage = `Open Container Initiative contrib/cmd/recvtty
+
+recvtty is a reference implementation of a consumer of runC's --console-socket
+API. It has two main modes of operation:
+
+ * single: Only permit one terminal to be sent to the socket, which is
+ then hooked up to the stdio of the recvtty process. This is useful
+ for rudimentary shell management of a container.
+
+ * null: Permit as many terminals to be sent to the socket, but they
+ are read to /dev/null. This is used for testing, and imitates the
+ old runC API's --console=/dev/pts/ptmx hack which would allow for a
+ similar trick. This is probably not what you want to use, unless
+ you're doing something like our bats integration tests.
+
+To use recvtty, just specify a socket path at which you want to receive
+terminals:
+
+ $ recvtty [--mode <single|null>] socket.sock
+`
+)
+
+func bail(err error) {
+ fmt.Fprintf(os.Stderr, "[recvtty] fatal error: %v\n", err)
+ os.Exit(1)
+}
+
+func handleSingle(path string) error {
+ // Open a socket.
+ ln, err := net.Listen("unix", path)
+ if err != nil {
+ return err
+ }
+ defer ln.Close()
+
+ // We only accept a single connection, since we can only really have
+ // one reader for os.Stdin. Plus this is all a PoC.
+ conn, err := ln.Accept()
+ if err != nil {
+ return err
+ }
+ defer conn.Close()
+
+ // Close ln, to allow for other instances to take over.
+ ln.Close()
+
+ // Get the fd of the connection.
+ unixconn, ok := conn.(*net.UnixConn)
+ if !ok {
+ return fmt.Errorf("failed to cast to unixconn")
+ }
+
+ socket, err := unixconn.File()
+ if err != nil {
+ return err
+ }
+ defer socket.Close()
+
+ // Get the master file descriptor from runC.
+ master, err := utils.RecvFd(socket)
+ if err != nil {
+ return err
+ }
+ c, err := console.ConsoleFromFile(master)
+ if err != nil {
+ return err
+ }
+ console.ClearONLCR(c.Fd())
+
+ // Copy from our stdio to the master fd.
+ quitChan := make(chan struct{})
+ go func() {
+ io.Copy(os.Stdout, c)
+ quitChan <- struct{}{}
+ }()
+ go func() {
+ io.Copy(c, os.Stdin)
+ quitChan <- struct{}{}
+ }()
+
+ // Only close the master fd once we've stopped copying.
+ <-quitChan
+ c.Close()
+ return nil
+}
+
+func handleNull(path string) error {
+ // Open a socket.
+ ln, err := net.Listen("unix", path)
+ if err != nil {
+ return err
+ }
+ defer ln.Close()
+
+ // As opposed to handleSingle we accept as many connections as we get, but
+ // we don't interact with Stdin at all (and we copy stdout to /dev/null).
+ for {
+ conn, err := ln.Accept()
+ if err != nil {
+ return err
+ }
+ go func(conn net.Conn) {
+ // Don't leave references lying around.
+ defer conn.Close()
+
+ // Get the fd of the connection.
+ unixconn, ok := conn.(*net.UnixConn)
+ if !ok {
+ return
+ }
+
+ socket, err := unixconn.File()
+ if err != nil {
+ return
+ }
+ defer socket.Close()
+
+ // Get the master file descriptor from runC.
+ master, err := utils.RecvFd(socket)
+ if err != nil {
+ return
+ }
+
+ // Just do a dumb copy to /dev/null.
+ devnull, err := os.OpenFile("/dev/null", os.O_RDWR, 0)
+ if err != nil {
+ // TODO: Handle this nicely.
+ return
+ }
+
+ io.Copy(devnull, master)
+ devnull.Close()
+ }(conn)
+ }
+}
+
+func main() {
+ app := cli.NewApp()
+ app.Name = "recvtty"
+ app.Usage = usage
+
+ // Set version to be the same as runC.
+ var v []string
+ if version != "" {
+ v = append(v, version)
+ }
+ if gitCommit != "" {
+ v = append(v, fmt.Sprintf("commit: %s", gitCommit))
+ }
+ app.Version = strings.Join(v, "\n")
+
+ // Set the flags.
+ app.Flags = []cli.Flag{
+ cli.StringFlag{
+ Name: "mode, m",
+ Value: "single",
+ Usage: "Mode of operation (single or null)",
+ },
+ cli.StringFlag{
+ Name: "pid-file",
+ Value: "",
+ Usage: "Path to write daemon process ID to",
+ },
+ }
+
+ app.Action = func(ctx *cli.Context) error {
+ args := ctx.Args()
+ if len(args) != 1 {
+ return fmt.Errorf("need to specify a single socket path")
+ }
+ path := ctx.Args()[0]
+
+ pidPath := ctx.String("pid-file")
+ if pidPath != "" {
+ pid := fmt.Sprintf("%d\n", os.Getpid())
+ if err := ioutil.WriteFile(pidPath, []byte(pid), 0644); err != nil {
+ return err
+ }
+ }
+
+ switch ctx.String("mode") {
+ case "single":
+ if err := handleSingle(path); err != nil {
+ return err
+ }
+ case "null":
+ if err := handleNull(path); err != nil {
+ return err
+ }
+ default:
+ return fmt.Errorf("need to select a valid mode: %s", ctx.String("mode"))
+ }
+ return nil
+ }
+ if err := app.Run(os.Args); err != nil {
+ bail(err)
+ }
+}
diff --git a/vendor/github.com/opencontainers/runc/create.go b/vendor/github.com/opencontainers/runc/create.go
new file mode 100644
index 0000000000000000000000000000000000000000..5f3ac60958e66b90471330df95d9ef7b2ad21ed1
--- /dev/null
+++ b/vendor/github.com/opencontainers/runc/create.go
@@ -0,0 +1,74 @@
+package main
+
+import (
+ "os"
+
+ "github.com/urfave/cli"
+)
+
+var createCommand = cli.Command{
+ Name: "create",
+ Usage: "create a container",
+ ArgsUsage: `<container-id>
+
+Where "<container-id>" is your name for the instance of the container that you
+are starting. The name you provide for the container instance must be unique on
+your host.`,
+ Description: `The create command creates an instance of a container for a bundle. The bundle
+is a directory with a specification file named "` + specConfig + `" and a root
+filesystem.
+
+The specification file includes an args parameter. The args parameter is used
+to specify command(s) that get run when the container is started. To change the
+command(s) that get executed on start, edit the args parameter of the spec. See
+"runc spec --help" for more explanation.`,
+ Flags: []cli.Flag{
+ cli.StringFlag{
+ Name: "bundle, b",
+ Value: "",
+ Usage: `path to the root of the bundle directory, defaults to the current directory`,
+ },
+ cli.StringFlag{
+ Name: "console-socket",
+ Value: "",
+ Usage: "path to an AF_UNIX socket which will receive a file descriptor referencing the master end of the console's pseudoterminal",
+ },
+ cli.StringFlag{
+ Name: "pid-file",
+ Value: "",
+ Usage: "specify the file to write the process id to",
+ },
+ cli.BoolFlag{
+ Name: "no-pivot",
+ Usage: "do not use pivot root to jail process inside rootfs. This should be used whenever the rootfs is on top of a ramdisk",
+ },
+ cli.BoolFlag{
+ Name: "no-new-keyring",
+ Usage: "do not create a new session keyring for the container. This will cause the container to inherit the calling processes session key",
+ },
+ cli.IntFlag{
+ Name: "preserve-fds",
+ Usage: "Pass N additional file descriptors to the container (stdio + $LISTEN_FDS + N in total)",
+ },
+ },
+ Action: func(context *cli.Context) error {
+ if err := checkArgs(context, 1, exactArgs); err != nil {
+ return err
+ }
+ if err := revisePidFile(context); err != nil {
+ return err
+ }
+ spec, err := setupSpec(context)
+ if err != nil {
+ return err
+ }
+ status, err := startContainer(context, spec, CT_ACT_CREATE, nil)
+ if err != nil {
+ return err
+ }
+ // exit with the container's exit status so any external supervisor is
+ // notified of the exit with the correct exit status.
+ os.Exit(status)
+ return nil
+ },
+}
diff --git a/vendor/github.com/opencontainers/runc/delete.go b/vendor/github.com/opencontainers/runc/delete.go
index 4f46564e14040f503634e957073f3d8c047bee05..fb6f38eddf71239ddeac72d7d80d6d81411610fb 100644
--- a/vendor/github.com/opencontainers/runc/delete.go
+++ b/vendor/github.com/opencontainers/runc/delete.go
@@ -1,24 +1,89 @@
+// +build !solaris
+
package main
-import "github.com/codegangsta/cli"
+import (
+ "fmt"
+ "os"
+ "path/filepath"
+ "syscall"
+ "time"
+
+ "github.com/opencontainers/runc/libcontainer"
+ "github.com/urfave/cli"
+
+ "golang.org/x/sys/unix"
+)
+
+func killContainer(container libcontainer.Container) error {
+ _ = container.Signal(unix.SIGKILL, false)
+ for i := 0; i < 100; i++ {
+ time.Sleep(100 * time.Millisecond)
+ if err := container.Signal(syscall.Signal(0), false); err != nil {
+ destroy(container)
+ return nil
+ }
+ }
+ return fmt.Errorf("container init still running")
+}
var deleteCommand = cli.Command{
Name: "delete",
- Usage: "delete any resources held by the container often used with detached containers",
+ Usage: "delete any resources held by the container often used with detached container",
ArgsUsage: `<container-id>
Where "<container-id>" is the name for the instance of the container.
-
+
+EXAMPLE:
For example, if the container id is "ubuntu01" and runc list currently shows the
-status of "ubuntu01" as "destroyed" the following will delete resources held for
-"ubuntu01" removing "ubuntu01" from the runc list of containers:
-
+status of "ubuntu01" as "stopped" the following will delete resources held for
+"ubuntu01" removing "ubuntu01" from the runc list of containers:
+
# runc delete ubuntu01`,
- Action: func(context *cli.Context) {
+ Flags: []cli.Flag{
+ cli.BoolFlag{
+ Name: "force, f",
+ Usage: "Forcibly deletes the container if it is still running (uses SIGKILL)",
+ },
+ },
+ Action: func(context *cli.Context) error {
+ if err := checkArgs(context, 1, exactArgs); err != nil {
+ return err
+ }
+
+ id := context.Args().First()
+ force := context.Bool("force")
container, err := getContainer(context)
if err != nil {
- fatal(err)
+ if lerr, ok := err.(libcontainer.Error); ok && lerr.Code() == libcontainer.ContainerNotExists {
+ // if there was an aborted start or something of the sort then the container's directory could exist but
+ // libcontainer does not see it because the state.json file inside that directory was never created.
+ path := filepath.Join(context.GlobalString("root"), id)
+ if e := os.RemoveAll(path); e != nil {
+ fmt.Fprintf(os.Stderr, "remove %s: %v\n", path, e)
+ }
+ if force {
+ return nil
+ }
+ }
+ return err
}
- destroy(container)
+ s, err := container.Status()
+ if err != nil {
+ return err
+ }
+ switch s {
+ case libcontainer.Stopped:
+ destroy(container)
+ case libcontainer.Created:
+ return killContainer(container)
+ default:
+ if force {
+ return killContainer(container)
+ }
+ return fmt.Errorf("cannot delete container %s that is not stopped: %s\n", id, s)
+ }
+
+ return nil
},
}
diff --git a/vendor/github.com/opencontainers/runc/events.go b/vendor/github.com/opencontainers/runc/events.go
index e741480af4bf73ce4e451fcee518911be10d6df0..cfe369e1ecdf98cafc4a2cfbc283b35160f5bd3e 100644
--- a/vendor/github.com/opencontainers/runc/events.go
+++ b/vendor/github.com/opencontainers/runc/events.go
@@ -4,13 +4,17 @@ package main
import (
"encoding/json"
+ "fmt"
"os"
"sync"
"time"
- "github.com/sirupsen/logrus"
- "github.com/codegangsta/cli"
"github.com/opencontainers/runc/libcontainer"
+ "github.com/opencontainers/runc/libcontainer/cgroups"
+ "github.com/opencontainers/runc/libcontainer/intelrdt"
+
+ "github.com/sirupsen/logrus"
+ "github.com/urfave/cli"
)
// event struct for encoding the event data to json.
@@ -20,9 +24,116 @@ type event struct {
Data interface{} `json:"data,omitempty"`
}
+// stats is the runc specific stats structure for stability when encoding and decoding stats.
+type stats struct {
+ CPU cpu `json:"cpu"`
+ Memory memory `json:"memory"`
+ Pids pids `json:"pids"`
+ Blkio blkio `json:"blkio"`
+ Hugetlb map[string]hugetlb `json:"hugetlb"`
+ IntelRdt intelRdt `json:"intel_rdt"`
+}
+
+type hugetlb struct {
+ Usage uint64 `json:"usage,omitempty"`
+ Max uint64 `json:"max,omitempty"`
+ Failcnt uint64 `json:"failcnt"`
+}
+
+type blkioEntry struct {
+ Major uint64 `json:"major,omitempty"`
+ Minor uint64 `json:"minor,omitempty"`
+ Op string `json:"op,omitempty"`
+ Value uint64 `json:"value,omitempty"`
+}
+
+type blkio struct {
+ IoServiceBytesRecursive []blkioEntry `json:"ioServiceBytesRecursive,omitempty"`
+ IoServicedRecursive []blkioEntry `json:"ioServicedRecursive,omitempty"`
+ IoQueuedRecursive []blkioEntry `json:"ioQueueRecursive,omitempty"`
+ IoServiceTimeRecursive []blkioEntry `json:"ioServiceTimeRecursive,omitempty"`
+ IoWaitTimeRecursive []blkioEntry `json:"ioWaitTimeRecursive,omitempty"`
+ IoMergedRecursive []blkioEntry `json:"ioMergedRecursive,omitempty"`
+ IoTimeRecursive []blkioEntry `json:"ioTimeRecursive,omitempty"`
+ SectorsRecursive []blkioEntry `json:"sectorsRecursive,omitempty"`
+}
+
+type pids struct {
+ Current uint64 `json:"current,omitempty"`
+ Limit uint64 `json:"limit,omitempty"`
+}
+
+type throttling struct {
+ Periods uint64 `json:"periods,omitempty"`
+ ThrottledPeriods uint64 `json:"throttledPeriods,omitempty"`
+ ThrottledTime uint64 `json:"throttledTime,omitempty"`
+}
+
+type cpuUsage struct {
+ // Units: nanoseconds.
+ Total uint64 `json:"total,omitempty"`
+ Percpu []uint64 `json:"percpu,omitempty"`
+ Kernel uint64 `json:"kernel"`
+ User uint64 `json:"user"`
+}
+
+type cpu struct {
+ Usage cpuUsage `json:"usage,omitempty"`
+ Throttling throttling `json:"throttling,omitempty"`
+}
+
+type memoryEntry struct {
+ Limit uint64 `json:"limit"`
+ Usage uint64 `json:"usage,omitempty"`
+ Max uint64 `json:"max,omitempty"`
+ Failcnt uint64 `json:"failcnt"`
+}
+
+type memory struct {
+ Cache uint64 `json:"cache,omitempty"`
+ Usage memoryEntry `json:"usage,omitempty"`
+ Swap memoryEntry `json:"swap,omitempty"`
+ Kernel memoryEntry `json:"kernel,omitempty"`
+ KernelTCP memoryEntry `json:"kernelTCP,omitempty"`
+ Raw map[string]uint64 `json:"raw,omitempty"`
+}
+
+type l3CacheInfo struct {
+ CbmMask string `json:"cbm_mask,omitempty"`
+ MinCbmBits uint64 `json:"min_cbm_bits,omitempty"`
+ NumClosids uint64 `json:"num_closids,omitempty"`
+}
+
+type memBwInfo struct {
+ BandwidthGran uint64 `json:"bandwidth_gran,omitempty"`
+ DelayLinear uint64 `json:"delay_linear,omitempty"`
+ MinBandwidth uint64 `json:"min_bandwidth,omitempty"`
+ NumClosids uint64 `json:"num_closids,omitempty"`
+}
+
+type intelRdt struct {
+ // The read-only L3 cache information
+ L3CacheInfo *l3CacheInfo `json:"l3_cache_info,omitempty"`
+
+ // The read-only L3 cache schema in root
+ L3CacheSchemaRoot string `json:"l3_cache_schema_root,omitempty"`
+
+ // The L3 cache schema in 'container_id' group
+ L3CacheSchema string `json:"l3_cache_schema,omitempty"`
+
+ // The read-only memory bandwidth information
+ MemBwInfo *memBwInfo `json:"mem_bw_info,omitempty"`
+
+ // The read-only memory bandwidth schema in root
+ MemBwSchemaRoot string `json:"mem_bw_schema_root,omitempty"`
+
+ // The memory bandwidth schema in 'container_id' group
+ MemBwSchema string `json:"mem_bw_schema,omitempty"`
+}
+
var eventsCommand = cli.Command{
Name: "events",
- Usage: "display container events such as OOM notifications, cpu, memory, IO and network stats",
+ Usage: "display container events such as OOM notifications, cpu, memory, and IO usage statistics",
ArgsUsage: `<container-id>
Where "<container-id>" is the name for the instance of the container.`,
@@ -32,10 +143,24 @@ information is displayed once every 5 seconds.`,
cli.DurationFlag{Name: "interval", Value: 5 * time.Second, Usage: "set the stats collection interval"},
cli.BoolFlag{Name: "stats", Usage: "display the container's stats then exit"},
},
- Action: func(context *cli.Context) {
+ Action: func(context *cli.Context) error {
+ if err := checkArgs(context, 1, exactArgs); err != nil {
+ return err
+ }
container, err := getContainer(context)
if err != nil {
- fatal(err)
+ return err
+ }
+ duration := context.Duration("interval")
+ if duration <= 0 {
+ return fmt.Errorf("duration interval must be greater than 0")
+ }
+ status, err := container.Status()
+ if err != nil {
+ return err
+ }
+ if status == libcontainer.Stopped {
+ return fmt.Errorf("container with id %s is not running", container.ID())
}
var (
stats = make(chan *libcontainer.Stats, 1)
@@ -55,12 +180,12 @@ information is displayed once every 5 seconds.`,
if context.Bool("stats") {
s, err := container.Stats()
if err != nil {
- fatal(err)
+ return err
}
- events <- &event{Type: "stats", ID: container.ID(), Data: s}
+ events <- &event{Type: "stats", ID: container.ID(), Data: convertLibcontainerStats(s)}
close(events)
group.Wait()
- return
+ return nil
}
go func() {
for range time.Tick(context.Duration("interval")) {
@@ -74,7 +199,7 @@ information is displayed once every 5 seconds.`,
}()
n, err := container.NotifyOOM()
if err != nil {
- fatal(err)
+ return err
}
for {
select {
@@ -88,7 +213,7 @@ information is displayed once every 5 seconds.`,
n = nil
}
case s := <-stats:
- events <- &event{Type: "stats", ID: container.ID(), Data: s}
+ events <- &event{Type: "stats", ID: container.ID(), Data: convertLibcontainerStats(s)}
}
if n == nil {
close(events)
@@ -96,5 +221,107 @@ information is displayed once every 5 seconds.`,
}
}
group.Wait()
+ return nil
},
}
+
+func convertLibcontainerStats(ls *libcontainer.Stats) *stats {
+ cg := ls.CgroupStats
+ if cg == nil {
+ return nil
+ }
+ var s stats
+ s.Pids.Current = cg.PidsStats.Current
+ s.Pids.Limit = cg.PidsStats.Limit
+
+ s.CPU.Usage.Kernel = cg.CpuStats.CpuUsage.UsageInKernelmode
+ s.CPU.Usage.User = cg.CpuStats.CpuUsage.UsageInUsermode
+ s.CPU.Usage.Total = cg.CpuStats.CpuUsage.TotalUsage
+ s.CPU.Usage.Percpu = cg.CpuStats.CpuUsage.PercpuUsage
+ s.CPU.Throttling.Periods = cg.CpuStats.ThrottlingData.Periods
+ s.CPU.Throttling.ThrottledPeriods = cg.CpuStats.ThrottlingData.ThrottledPeriods
+ s.CPU.Throttling.ThrottledTime = cg.CpuStats.ThrottlingData.ThrottledTime
+
+ s.Memory.Cache = cg.MemoryStats.Cache
+ s.Memory.Kernel = convertMemoryEntry(cg.MemoryStats.KernelUsage)
+ s.Memory.KernelTCP = convertMemoryEntry(cg.MemoryStats.KernelTCPUsage)
+ s.Memory.Swap = convertMemoryEntry(cg.MemoryStats.SwapUsage)
+ s.Memory.Usage = convertMemoryEntry(cg.MemoryStats.Usage)
+ s.Memory.Raw = cg.MemoryStats.Stats
+
+ s.Blkio.IoServiceBytesRecursive = convertBlkioEntry(cg.BlkioStats.IoServiceBytesRecursive)
+ s.Blkio.IoServicedRecursive = convertBlkioEntry(cg.BlkioStats.IoServicedRecursive)
+ s.Blkio.IoQueuedRecursive = convertBlkioEntry(cg.BlkioStats.IoQueuedRecursive)
+ s.Blkio.IoServiceTimeRecursive = convertBlkioEntry(cg.BlkioStats.IoServiceTimeRecursive)
+ s.Blkio.IoWaitTimeRecursive = convertBlkioEntry(cg.BlkioStats.IoWaitTimeRecursive)
+ s.Blkio.IoMergedRecursive = convertBlkioEntry(cg.BlkioStats.IoMergedRecursive)
+ s.Blkio.IoTimeRecursive = convertBlkioEntry(cg.BlkioStats.IoTimeRecursive)
+ s.Blkio.SectorsRecursive = convertBlkioEntry(cg.BlkioStats.SectorsRecursive)
+
+ s.Hugetlb = make(map[string]hugetlb)
+ for k, v := range cg.HugetlbStats {
+ s.Hugetlb[k] = convertHugtlb(v)
+ }
+
+ if is := ls.IntelRdtStats; is != nil {
+ if intelrdt.IsCatEnabled() {
+ s.IntelRdt.L3CacheInfo = convertL3CacheInfo(is.L3CacheInfo)
+ s.IntelRdt.L3CacheSchemaRoot = is.L3CacheSchemaRoot
+ s.IntelRdt.L3CacheSchema = is.L3CacheSchema
+ }
+ if intelrdt.IsMbaEnabled() {
+ s.IntelRdt.MemBwInfo = convertMemBwInfo(is.MemBwInfo)
+ s.IntelRdt.MemBwSchemaRoot = is.MemBwSchemaRoot
+ s.IntelRdt.MemBwSchema = is.MemBwSchema
+ }
+ }
+
+ return &s
+}
+
+func convertHugtlb(c cgroups.HugetlbStats) hugetlb {
+ return hugetlb{
+ Usage: c.Usage,
+ Max: c.MaxUsage,
+ Failcnt: c.Failcnt,
+ }
+}
+
+func convertMemoryEntry(c cgroups.MemoryData) memoryEntry {
+ return memoryEntry{
+ Limit: c.Limit,
+ Usage: c.Usage,
+ Max: c.MaxUsage,
+ Failcnt: c.Failcnt,
+ }
+}
+
+func convertBlkioEntry(c []cgroups.BlkioStatEntry) []blkioEntry {
+ var out []blkioEntry
+ for _, e := range c {
+ out = append(out, blkioEntry{
+ Major: e.Major,
+ Minor: e.Minor,
+ Op: e.Op,
+ Value: e.Value,
+ })
+ }
+ return out
+}
+
+func convertL3CacheInfo(i *intelrdt.L3CacheInfo) *l3CacheInfo {
+ return &l3CacheInfo{
+ CbmMask: i.CbmMask,
+ MinCbmBits: i.MinCbmBits,
+ NumClosids: i.NumClosids,
+ }
+}
+
+func convertMemBwInfo(i *intelrdt.MemBwInfo) *memBwInfo {
+ return &memBwInfo{
+ BandwidthGran: i.BandwidthGran,
+ DelayLinear: i.DelayLinear,
+ MinBandwidth: i.MinBandwidth,
+ NumClosids: i.NumClosids,
+ }
+}
diff --git a/vendor/github.com/opencontainers/runc/exec.go b/vendor/github.com/opencontainers/runc/exec.go
index 0f7fe8819c321fe53a2cf5aca90280476c74dfe7..ae8e60e4263a7db844204d4412fedb4fa06fb686 100644
--- a/vendor/github.com/opencontainers/runc/exec.go
+++ b/vendor/github.com/opencontainers/runc/exec.go
@@ -9,26 +9,30 @@ import (
"strconv"
"strings"
- "github.com/codegangsta/cli"
- "github.com/opencontainers/specs/specs-go"
+ "github.com/opencontainers/runc/libcontainer"
+ "github.com/opencontainers/runc/libcontainer/utils"
+ "github.com/opencontainers/runtime-spec/specs-go"
+ "github.com/urfave/cli"
)
var execCommand = cli.Command{
Name: "exec",
Usage: "execute new process inside the container",
- ArgsUsage: `<container-id> <container command>
+ ArgsUsage: `<container-id> <command> [command options] || -p process.json <container-id>
Where "<container-id>" is the name for the instance of the container and
-"<container command>" is the command to be executed in the container.
+"<command>" is the command to be executed in the container.
+"<command>" can't be empty unless a "-p" flag provided.
+EXAMPLE:
For example, if the container is configured to run the linux ps command the
following will output a list of processes running in the container:
-
+
# runc exec <container-id> ps`,
Flags: []cli.Flag{
cli.StringFlag{
- Name: "console",
- Usage: "specify the pty slave path for use with the container",
+ Name: "console-socket",
+ Usage: "path to an AF_UNIX socket which will receive a file descriptor referencing the master end of the console's pseudoterminal",
},
cli.StringFlag{
Name: "cwd",
@@ -46,6 +50,10 @@ following will output a list of processes running in the container:
Name: "user, u",
Usage: "UID (format: <uid>[:<gid>])",
},
+ cli.Int64SliceFlag{
+ Name: "additional-gids, g",
+ Usage: "additional gids",
+ },
cli.StringFlag{
Name: "process, p",
Usage: "path to the process.json",
@@ -76,17 +84,26 @@ following will output a list of processes running in the container:
Value: &cli.StringSlice{},
Usage: "add a capability to the bounding set for the process",
},
+ cli.BoolFlag{
+ Name: "no-subreaper",
+ Usage: "disable the use of the subreaper used to reap reparented processes",
+ Hidden: true,
+ },
},
- Action: func(context *cli.Context) {
- if os.Geteuid() != 0 {
- fatalf("runc should be run as root")
+ Action: func(context *cli.Context) error {
+ if err := checkArgs(context, 1, minArgs); err != nil {
+ return err
+ }
+ if err := revisePidFile(context); err != nil {
+ return err
}
status, err := execProcess(context)
- if err != nil {
- fatalf("exec failed: %v", err)
+ if err == nil {
+ os.Exit(status)
}
- os.Exit(status)
+ return fmt.Errorf("exec failed: %v", err)
},
+ SkipArgReorder: true,
}
func execProcess(context *cli.Context) (int, error) {
@@ -94,17 +111,38 @@ func execProcess(context *cli.Context) (int, error) {
if err != nil {
return -1, err
}
+ status, err := container.Status()
+ if err != nil {
+ return -1, err
+ }
+ if status == libcontainer.Stopped {
+ return -1, fmt.Errorf("cannot exec a container that has stopped")
+ }
+ path := context.String("process")
+ if path == "" && len(context.Args()) == 1 {
+ return -1, fmt.Errorf("process args cannot be empty")
+ }
detach := context.Bool("detach")
state, err := container.State()
if err != nil {
return -1, err
}
- bundle := searchLabels(state.Config.Labels, "bundle")
+ bundle := utils.SearchLabels(state.Config.Labels, "bundle")
p, err := getProcess(context, bundle)
if err != nil {
return -1, err
}
- return runProcess(container, p, nil, context.String("console"), context.String("pid-file"), detach)
+ r := &runner{
+ enableSubreaper: false,
+ shouldDestroy: false,
+ container: container,
+ consoleSocket: context.String("console-socket"),
+ detach: detach,
+ pidFile: context.String("pid-file"),
+ action: CT_ACT_RUN,
+ init: false,
+ }
+ return r.run(p)
}
func getProcess(context *cli.Context, bundle string) (*specs.Process, error) {
@@ -118,7 +156,7 @@ func getProcess(context *cli.Context, bundle string) (*specs.Process, error) {
if err := json.NewDecoder(f).Decode(&p); err != nil {
return nil, err
}
- return &p, nil
+ return &p, validateProcessSpec(&p)
}
// process via cli flags
if err := os.Chdir(bundle); err != nil {
@@ -141,12 +179,17 @@ func getProcess(context *cli.Context, bundle string) (*specs.Process, error) {
p.SelinuxLabel = l
}
if caps := context.StringSlice("cap"); len(caps) > 0 {
- p.Capabilities = caps
+ for _, c := range caps {
+ p.Capabilities.Bounding = append(p.Capabilities.Bounding, c)
+ p.Capabilities.Inheritable = append(p.Capabilities.Inheritable, c)
+ p.Capabilities.Effective = append(p.Capabilities.Effective, c)
+ p.Capabilities.Permitted = append(p.Capabilities.Permitted, c)
+ p.Capabilities.Ambient = append(p.Capabilities.Ambient, c)
+ }
}
// append the passed env variables
- for _, e := range context.StringSlice("env") {
- p.Env = append(p.Env, e)
- }
+ p.Env = append(p.Env, context.StringSlice("env")...)
+
// set the tty
if context.IsSet("tty") {
p.Terminal = context.Bool("tty")
@@ -170,5 +213,11 @@ func getProcess(context *cli.Context, bundle string) (*specs.Process, error) {
}
p.User.UID = uint32(uid)
}
- return &p, nil
+ for _, gid := range context.Int64Slice("additional-gids") {
+ if gid < 0 {
+ return nil, fmt.Errorf("additional-gids must be a positive number %d", gid)
+ }
+ p.User.AdditionalGids = append(p.User.AdditionalGids, uint32(gid))
+ }
+ return p, nil
}
diff --git a/vendor/github.com/opencontainers/runc/init.go b/vendor/github.com/opencontainers/runc/init.go
new file mode 100644
index 0000000000000000000000000000000000000000..c8f4531923df822e5c7c96eef3c214a5e8f4dc68
--- /dev/null
+++ b/vendor/github.com/opencontainers/runc/init.go
@@ -0,0 +1,31 @@
+package main
+
+import (
+ "os"
+ "runtime"
+
+ "github.com/opencontainers/runc/libcontainer"
+ _ "github.com/opencontainers/runc/libcontainer/nsenter"
+ "github.com/urfave/cli"
+)
+
+func init() {
+ if len(os.Args) > 1 && os.Args[1] == "init" {
+ runtime.GOMAXPROCS(1)
+ runtime.LockOSThread()
+ }
+}
+
+var initCommand = cli.Command{
+ Name: "init",
+ Usage: `initialize the namespaces and launch the process (do not call it outside of runc)`,
+ Action: func(context *cli.Context) error {
+ factory, _ := libcontainer.New("")
+ if err := factory.StartInitialization(); err != nil {
+ // as the error is sent back to the parent there is no need to log
+ // or write it to stderr because the parent process will handle this
+ os.Exit(1)
+ }
+ panic("libcontainer: container init failed to exec")
+ },
+}
diff --git a/vendor/github.com/opencontainers/runc/kill.go b/vendor/github.com/opencontainers/runc/kill.go
index 3da8aaf6dbb69a1b47222ec821dfe872536c71c3..c2d7929694122063d79f5963d04abb56ed665c21 100644
--- a/vendor/github.com/opencontainers/runc/kill.go
+++ b/vendor/github.com/opencontainers/runc/kill.go
@@ -8,63 +8,38 @@ import (
"strings"
"syscall"
- "github.com/codegangsta/cli"
+ "github.com/urfave/cli"
)
-var signalMap = map[string]syscall.Signal{
- "ABRT": syscall.SIGABRT,
- "ALRM": syscall.SIGALRM,
- "BUS": syscall.SIGBUS,
- "CHLD": syscall.SIGCHLD,
- "CLD": syscall.SIGCLD,
- "CONT": syscall.SIGCONT,
- "FPE": syscall.SIGFPE,
- "HUP": syscall.SIGHUP,
- "ILL": syscall.SIGILL,
- "INT": syscall.SIGINT,
- "IO": syscall.SIGIO,
- "IOT": syscall.SIGIOT,
- "KILL": syscall.SIGKILL,
- "PIPE": syscall.SIGPIPE,
- "POLL": syscall.SIGPOLL,
- "PROF": syscall.SIGPROF,
- "PWR": syscall.SIGPWR,
- "QUIT": syscall.SIGQUIT,
- "SEGV": syscall.SIGSEGV,
- "STKFLT": syscall.SIGSTKFLT,
- "STOP": syscall.SIGSTOP,
- "SYS": syscall.SIGSYS,
- "TERM": syscall.SIGTERM,
- "TRAP": syscall.SIGTRAP,
- "TSTP": syscall.SIGTSTP,
- "TTIN": syscall.SIGTTIN,
- "TTOU": syscall.SIGTTOU,
- "UNUSED": syscall.SIGUNUSED,
- "URG": syscall.SIGURG,
- "USR1": syscall.SIGUSR1,
- "USR2": syscall.SIGUSR2,
- "VTALRM": syscall.SIGVTALRM,
- "WINCH": syscall.SIGWINCH,
- "XCPU": syscall.SIGXCPU,
- "XFSZ": syscall.SIGXFSZ,
-}
-
var killCommand = cli.Command{
Name: "kill",
Usage: "kill sends the specified signal (default: SIGTERM) to the container's init process",
- ArgsUsage: `<container-id> <signal>
+ ArgsUsage: `<container-id> [signal]
Where "<container-id>" is the name for the instance of the container and
-"<signal>" is the signal to be sent to the init process.
-
+"[signal]" is the signal to be sent to the init process.
+
+EXAMPLE:
For example, if the container id is "ubuntu01" the following will send a "KILL"
signal to the init process of the "ubuntu01" container:
# runc kill ubuntu01 KILL`,
- Action: func(context *cli.Context) {
+ Flags: []cli.Flag{
+ cli.BoolFlag{
+ Name: "all, a",
+ Usage: "send the specified signal to all processes inside the container",
+ },
+ },
+ Action: func(context *cli.Context) error {
+ if err := checkArgs(context, 1, minArgs); err != nil {
+ return err
+ }
+ if err := checkArgs(context, 2, maxArgs); err != nil {
+ return err
+ }
container, err := getContainer(context)
if err != nil {
- fatal(err)
+ return err
}
sigstr := context.Args().Get(1)
@@ -74,12 +49,9 @@ signal to the init process of the "ubuntu01" container:
signal, err := parseSignal(sigstr)
if err != nil {
- fatal(err)
- }
-
- if err := container.Signal(signal); err != nil {
- fatal(err)
+ return err
}
+ return container.Signal(signal, context.Bool("all"))
},
}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/apparmor/apparmor.go b/vendor/github.com/opencontainers/runc/libcontainer/apparmor/apparmor.go
index 22c17f5272c7c5fdc80679e821fc749578f327ed..7fff0627fa1b3d9d4a0f018e7ece22953c1f0129 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/apparmor/apparmor.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/apparmor/apparmor.go
@@ -2,14 +2,10 @@
package apparmor
-// #cgo LDFLAGS: -lapparmor
-// #include <sys/apparmor.h>
-// #include <stdlib.h>
-import "C"
import (
+ "fmt"
"io/ioutil"
"os"
- "unsafe"
)
// IsEnabled returns true if apparmor is enabled for the host.
@@ -23,16 +19,36 @@ func IsEnabled() bool {
return false
}
+func setprocattr(attr, value string) error {
+ // Under AppArmor you can only change your own attr, so use /proc/self/
+ // instead of /proc/<tid>/ like libapparmor does
+ path := fmt.Sprintf("/proc/self/attr/%s", attr)
+
+ f, err := os.OpenFile(path, os.O_WRONLY, 0)
+ if err != nil {
+ return err
+ }
+ defer f.Close()
+
+ _, err = fmt.Fprintf(f, "%s", value)
+ return err
+}
+
+// changeOnExec reimplements aa_change_onexec from libapparmor in Go
+func changeOnExec(name string) error {
+ value := "exec " + name
+ if err := setprocattr("exec", value); err != nil {
+ return fmt.Errorf("apparmor failed to apply profile: %s", err)
+ }
+ return nil
+}
+
// ApplyProfile will apply the profile with the specified name to the process after
// the next exec.
func ApplyProfile(name string) error {
if name == "" {
return nil
}
- cName := C.CString(name)
- defer C.free(unsafe.Pointer(cName))
- if _, err := C.aa_change_onexec(cName); err != nil {
- return err
- }
- return nil
+
+ return changeOnExec(name)
}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/capabilities_linux.go b/vendor/github.com/opencontainers/runc/libcontainer/capabilities_linux.go
index 4eda56d1abb830c73f91586639b6a7910c303f56..7c66f5725803fd04564294470cb5b9c9509e199b 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/capabilities_linux.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/capabilities_linux.go
@@ -4,13 +4,13 @@ package libcontainer
import (
"fmt"
- "os"
"strings"
+ "github.com/opencontainers/runc/libcontainer/configs"
"github.com/syndtr/gocapability/capability"
)
-const allCapabilityTypes = capability.CAPS | capability.BOUNDS
+const allCapabilityTypes = capability.CAPS | capability.BOUNDS | capability.AMBS
var capabilityMap map[string]capability.Cap
@@ -30,40 +30,84 @@ func init() {
}
}
-func newCapWhitelist(caps []string) (*whitelist, error) {
- l := []capability.Cap{}
- for _, c := range caps {
+func newContainerCapList(capConfig *configs.Capabilities) (*containerCapabilities, error) {
+ bounding := []capability.Cap{}
+ for _, c := range capConfig.Bounding {
v, ok := capabilityMap[c]
if !ok {
return nil, fmt.Errorf("unknown capability %q", c)
}
- l = append(l, v)
+ bounding = append(bounding, v)
}
- pid, err := capability.NewPid(os.Getpid())
+ effective := []capability.Cap{}
+ for _, c := range capConfig.Effective {
+ v, ok := capabilityMap[c]
+ if !ok {
+ return nil, fmt.Errorf("unknown capability %q", c)
+ }
+ effective = append(effective, v)
+ }
+ inheritable := []capability.Cap{}
+ for _, c := range capConfig.Inheritable {
+ v, ok := capabilityMap[c]
+ if !ok {
+ return nil, fmt.Errorf("unknown capability %q", c)
+ }
+ inheritable = append(inheritable, v)
+ }
+ permitted := []capability.Cap{}
+ for _, c := range capConfig.Permitted {
+ v, ok := capabilityMap[c]
+ if !ok {
+ return nil, fmt.Errorf("unknown capability %q", c)
+ }
+ permitted = append(permitted, v)
+ }
+ ambient := []capability.Cap{}
+ for _, c := range capConfig.Ambient {
+ v, ok := capabilityMap[c]
+ if !ok {
+ return nil, fmt.Errorf("unknown capability %q", c)
+ }
+ ambient = append(ambient, v)
+ }
+ pid, err := capability.NewPid(0)
if err != nil {
return nil, err
}
- return &whitelist{
- keep: l,
- pid: pid,
+ return &containerCapabilities{
+ bounding: bounding,
+ effective: effective,
+ inheritable: inheritable,
+ permitted: permitted,
+ ambient: ambient,
+ pid: pid,
}, nil
}
-type whitelist struct {
- pid capability.Capabilities
- keep []capability.Cap
+type containerCapabilities struct {
+ pid capability.Capabilities
+ bounding []capability.Cap
+ effective []capability.Cap
+ inheritable []capability.Cap
+ permitted []capability.Cap
+ ambient []capability.Cap
}
-// dropBoundingSet drops the capability bounding set to those specified in the whitelist.
-func (w *whitelist) dropBoundingSet() error {
- w.pid.Clear(capability.BOUNDS)
- w.pid.Set(capability.BOUNDS, w.keep...)
- return w.pid.Apply(capability.BOUNDS)
+// ApplyBoundingSet sets the capability bounding set to those specified in the whitelist.
+func (c *containerCapabilities) ApplyBoundingSet() error {
+ c.pid.Clear(capability.BOUNDS)
+ c.pid.Set(capability.BOUNDS, c.bounding...)
+ return c.pid.Apply(capability.BOUNDS)
}
-// drop drops all capabilities for the current process except those specified in the whitelist.
-func (w *whitelist) drop() error {
- w.pid.Clear(allCapabilityTypes)
- w.pid.Set(allCapabilityTypes, w.keep...)
- return w.pid.Apply(allCapabilityTypes)
+// Apply sets all the capabilities for the current process in the config.
+func (c *containerCapabilities) ApplyCaps() error {
+ c.pid.Clear(allCapabilityTypes)
+ c.pid.Set(capability.BOUNDS, c.bounding...)
+ c.pid.Set(capability.PERMITTED, c.permitted...)
+ c.pid.Set(capability.INHERITABLE, c.inheritable...)
+ c.pid.Set(capability.EFFECTIVE, c.effective...)
+ c.pid.Set(capability.AMBIENT, c.ambient...)
+ return c.pid.Apply(allCapabilityTypes)
}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/cgroups.go b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/cgroups.go
index c8f7796567b9400b4f4ec22c46aca7fcb6a84aff..25ff5158933ac86865f62cd92e9974221f98a1d3 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/cgroups.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/cgroups.go
@@ -9,7 +9,7 @@ import (
)
type Manager interface {
- // Apply cgroup configuration to the process with the specified pid
+ // Applies cgroup configuration to the process with the specified pid
Apply(pid int) error
// Returns the PIDs inside the cgroup set
@@ -27,9 +27,9 @@ type Manager interface {
// Destroys the cgroup set
Destroy() error
- // NewCgroupManager() and LoadCgroupManager() require following attributes:
+ // The option func SystemdCgroups() and Cgroupfs() require following attributes:
// Paths map[string]string
- // Cgroups *cgroups.Cgroup
+ // Cgroups *configs.Cgroup
// Paths maps cgroup subsystem to path at which it is mounted.
// Cgroups specifies specific cgroup settings for the various subsystems
@@ -37,7 +37,7 @@ type Manager interface {
// restore the object later.
GetPaths() map[string]string
- // Set the cgroup as configured.
+ // Sets the cgroup as configured.
Set(container *configs.Config) error
}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/apply_raw.go b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/apply_raw.go
index 6def4ea54230dd2b2f3057ffa5b7406951c95eb8..f672ba27377b20aea4fda7e9b5cfd6e16c65ac02 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/apply_raw.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/apply_raw.go
@@ -3,18 +3,18 @@
package fs
import (
- "errors"
"fmt"
"io"
"io/ioutil"
"os"
"path/filepath"
- "strconv"
"sync"
"github.com/opencontainers/runc/libcontainer/cgroups"
"github.com/opencontainers/runc/libcontainer/configs"
libcontainerUtils "github.com/opencontainers/runc/libcontainer/utils"
+ "github.com/pkg/errors"
+ "golang.org/x/sys/unix"
)
var (
@@ -33,11 +33,10 @@ var (
&FreezerGroup{},
&NameGroup{GroupName: "name=systemd", Join: true},
}
- CgroupProcesses = "cgroup.procs"
HugePageSizes, _ = cgroups.GetHugePageSize()
)
-var errSubsystemDoesNotExist = errors.New("cgroup: subsystem does not exist")
+var errSubsystemDoesNotExist = fmt.Errorf("cgroup: subsystem does not exist")
type subsystemSet []subsystem
@@ -64,9 +63,10 @@ type subsystem interface {
}
type Manager struct {
- mu sync.Mutex
- Cgroups *configs.Cgroup
- Paths map[string]string
+ mu sync.Mutex
+ Cgroups *configs.Cgroup
+ Rootless bool // ignore permission-related errors
+ Paths map[string]string
}
// The absolute path to the root of the cgroup hierarchies.
@@ -102,10 +102,39 @@ type cgroupData struct {
pid int
}
+// isIgnorableError returns whether err is a permission error (in the loose
+// sense of the word). This includes EROFS (which for an unprivileged user is
+// basically a permission error) and EACCES (for similar reasons) as well as
+// the normal EPERM.
+func isIgnorableError(rootless bool, err error) bool {
+ // We do not ignore errors if we are root.
+ if !rootless {
+ return false
+ }
+ // Is it an ordinary EPERM?
+ if os.IsPermission(errors.Cause(err)) {
+ return true
+ }
+
+ // Try to handle other errnos.
+ var errno error
+ switch err := errors.Cause(err).(type) {
+ case *os.PathError:
+ errno = err.Err
+ case *os.LinkError:
+ errno = err.Err
+ case *os.SyscallError:
+ errno = err.Err
+ }
+ return errno == unix.EROFS || errno == unix.EPERM || errno == unix.EACCES
+}
+
func (m *Manager) Apply(pid int) (err error) {
if m.Cgroups == nil {
return nil
}
+ m.mu.Lock()
+ defer m.mu.Unlock()
var c = m.Cgroups
@@ -114,8 +143,8 @@ func (m *Manager) Apply(pid int) (err error) {
return err
}
+ m.Paths = make(map[string]string)
if c.Paths != nil {
- paths := make(map[string]string)
for name, path := range c.Paths {
_, err := d.path(name)
if err != nil {
@@ -124,37 +153,44 @@ func (m *Manager) Apply(pid int) (err error) {
}
return err
}
- paths[name] = path
+ m.Paths[name] = path
}
- m.Paths = paths
return cgroups.EnterPid(m.Paths, pid)
}
- m.mu.Lock()
- defer m.mu.Unlock()
- paths := make(map[string]string)
for _, sys := range subsystems {
- if err := sys.Apply(d); err != nil {
- return err
- }
// TODO: Apply should, ideally, be reentrant or be broken up into a separate
// create and join phase so that the cgroup hierarchy for a container can be
// created then join consists of writing the process pids to cgroup.procs
p, err := d.path(sys.Name())
if err != nil {
- if cgroups.IsNotFound(err) {
+ // The non-presence of the devices subsystem is
+ // considered fatal for security reasons.
+ if cgroups.IsNotFound(err) && sys.Name() != "devices" {
+ continue
+ }
+ return err
+ }
+ m.Paths[sys.Name()] = p
+
+ if err := sys.Apply(d); err != nil {
+ // In the case of rootless (including euid=0 in userns), where an explicit cgroup path hasn't
+ // been set, we don't bail on error in case of permission problems.
+ // Cases where limits have been set (and we couldn't create our own
+ // cgroup) are handled by Set.
+ if isIgnorableError(m.Rootless, err) && m.Cgroups.Path == "" {
+ delete(m.Paths, sys.Name())
continue
}
return err
}
- paths[sys.Name()] = p
+
}
- m.Paths = paths
return nil
}
func (m *Manager) Destroy() error {
- if m.Cgroups.Paths != nil {
+ if m.Cgroups == nil || m.Cgroups.Paths != nil {
return nil
}
m.mu.Lock()
@@ -190,19 +226,27 @@ func (m *Manager) GetStats() (*cgroups.Stats, error) {
}
func (m *Manager) Set(container *configs.Config) error {
- for _, sys := range subsystems {
- // Generate fake cgroup data.
- d, err := getCgroupData(container.Cgroups, -1)
- if err != nil {
- return err
- }
- // Get the path, but don't error out if the cgroup wasn't found.
- path, err := d.path(sys.Name())
- if err != nil && !cgroups.IsNotFound(err) {
- return err
- }
+ // If Paths are set, then we are just joining cgroups paths
+ // and there is no need to set any values.
+ if m.Cgroups.Paths != nil {
+ return nil
+ }
+ paths := m.GetPaths()
+ for _, sys := range subsystems {
+ path := paths[sys.Name()]
if err := sys.Set(path, container.Cgroups); err != nil {
+ if m.Rootless && sys.Name() == "devices" {
+ continue
+ }
+ // When m.Rootless is true, errors from the device subsystem are ignored because it is really not expected to work.
+ // However, errors from other subsystems are not ignored.
+ // see @test "runc create (rootless + limits + no cgrouppath + no permission) fails with informative error"
+ if path == "" {
+ // We never created a path for this cgroup, so we cannot set
+ // limits for it (though we have already tried at this point).
+ return fmt.Errorf("cannot set %s limit: container could not join or create cgroup", sys.Name())
+ }
return err
}
}
@@ -218,14 +262,8 @@ func (m *Manager) Set(container *configs.Config) error {
// Freeze toggles the container's freezer cgroup depending on the state
// provided
func (m *Manager) Freeze(state configs.FreezerState) error {
- d, err := getCgroupData(m.Cgroups, 0)
- if err != nil {
- return err
- }
- dir, err := d.path("freezer")
- if err != nil {
- return err
- }
+ paths := m.GetPaths()
+ dir := paths["freezer"]
prevState := m.Cgroups.Resources.Freezer
m.Cgroups.Resources.Freezer = state
freezer, err := subsystems.Get("freezer")
@@ -241,28 +279,13 @@ func (m *Manager) Freeze(state configs.FreezerState) error {
}
func (m *Manager) GetPids() ([]int, error) {
- dir, err := getCgroupPath(m.Cgroups)
- if err != nil {
- return nil, err
- }
- return cgroups.GetPids(dir)
+ paths := m.GetPaths()
+ return cgroups.GetPids(paths["devices"])
}
func (m *Manager) GetAllPids() ([]int, error) {
- dir, err := getCgroupPath(m.Cgroups)
- if err != nil {
- return nil, err
- }
- return cgroups.GetAllPids(dir)
-}
-
-func getCgroupPath(c *configs.Cgroup) (string, error) {
- d, err := getCgroupData(c, 0)
- if err != nil {
- return "", err
- }
-
- return d.path("devices")
+ paths := m.GetPaths()
+ return cgroups.GetAllPids(paths["devices"])
}
func getCgroupData(c *configs.Cgroup, pid int) (*cgroupData, error) {
@@ -293,25 +316,8 @@ func getCgroupData(c *configs.Cgroup, pid int) (*cgroupData, error) {
}, nil
}
-func (raw *cgroupData) parentPath(subsystem, mountpoint, root string) (string, error) {
- // Use GetThisCgroupDir instead of GetInitCgroupDir, because the creating
- // process could in container and shared pid namespace with host, and
- // /proc/1/cgroup could point to whole other world of cgroups.
- initPath, err := cgroups.GetThisCgroupDir(subsystem)
- if err != nil {
- return "", err
- }
- // This is needed for nested containers, because in /proc/self/cgroup we
- // see pathes from host, which don't exist in container.
- relDir, err := filepath.Rel(root, initPath)
- if err != nil {
- return "", err
- }
- return filepath.Join(mountpoint, relDir), nil
-}
-
func (raw *cgroupData) path(subsystem string) (string, error) {
- mnt, root, err := cgroups.FindCgroupMountpointAndRoot(subsystem)
+ mnt, err := cgroups.FindCgroupMountpoint(raw.root, subsystem)
// If we didn't mount the subsystem, there is no point we make the path.
if err != nil {
return "", err
@@ -319,11 +325,14 @@ func (raw *cgroupData) path(subsystem string) (string, error) {
// If the cgroup name/path is absolute do not look relative to the cgroup of the init process.
if filepath.IsAbs(raw.innerPath) {
- // Sometimes subsystems can be mounted togethger as 'cpu,cpuacct'.
+ // Sometimes subsystems can be mounted together as 'cpu,cpuacct'.
return filepath.Join(raw.root, filepath.Base(mnt), raw.innerPath), nil
}
- parentPath, err := raw.parentPath(subsystem, mnt, root)
+ // Use GetOwnCgroupPath instead of GetInitCgroupPath, because the creating
+ // process could in container and shared pid namespace with host, and
+ // /proc/1/cgroup could point to whole other world of cgroups.
+ parentPath, err := cgroups.GetOwnCgroupPath(subsystem)
if err != nil {
return "", err
}
@@ -339,7 +348,7 @@ func (raw *cgroupData) join(subsystem string) (string, error) {
if err := os.MkdirAll(path, 0755); err != nil {
return "", err
}
- if err := writeFile(path, CgroupProcesses, strconv.Itoa(raw.pid)); err != nil {
+ if err := cgroups.WriteCgroupProc(path, raw.pid); err != nil {
return "", err
}
return path, nil
@@ -349,9 +358,12 @@ func writeFile(dir, file, data string) error {
// Normally dir should not be empty, one case is that cgroup subsystem
// is not mounted, we will get empty dir, and we want it fail here.
if dir == "" {
- return fmt.Errorf("no such directory for %s.", file)
+ return fmt.Errorf("no such directory for %s", file)
+ }
+ if err := ioutil.WriteFile(filepath.Join(dir, file), []byte(data), 0700); err != nil {
+ return fmt.Errorf("failed to write %v to %v: %v", data, file, err)
}
- return ioutil.WriteFile(filepath.Join(dir, file), []byte(data), 0700)
+ return nil
}
func readFile(dir, file string) (string, error) {
@@ -369,8 +381,8 @@ func removePath(p string, err error) error {
return nil
}
-func CheckCpushares(path string, c int64) error {
- var cpuShares int64
+func CheckCpushares(path string, c uint64) error {
+ var cpuShares uint64
if c == 0 {
return nil
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/cpu.go b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/cpu.go
index a4ef28a60f87e459d212108234674676e113d474..e240a8313a2091a1e40983514c21a5016809ecbf 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/cpu.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/cpu.go
@@ -22,41 +22,64 @@ func (s *CpuGroup) Name() string {
func (s *CpuGroup) Apply(d *cgroupData) error {
// We always want to join the cpu group, to allow fair cpu scheduling
// on a container basis
- _, err := d.join("cpu")
+ path, err := d.path("cpu")
if err != nil && !cgroups.IsNotFound(err) {
return err
}
- return nil
+ return s.ApplyDir(path, d.config, d.pid)
}
-func (s *CpuGroup) Set(path string, cgroup *configs.Cgroup) error {
- if cgroup.Resources.CpuShares != 0 {
- if err := writeFile(path, "cpu.shares", strconv.FormatInt(cgroup.Resources.CpuShares, 10)); err != nil {
+func (s *CpuGroup) ApplyDir(path string, cgroup *configs.Cgroup, pid int) error {
+ // This might happen if we have no cpu cgroup mounted.
+ // Just do nothing and don't fail.
+ if path == "" {
+ return nil
+ }
+ if err := os.MkdirAll(path, 0755); err != nil {
+ return err
+ }
+ // We should set the real-Time group scheduling settings before moving
+ // in the process because if the process is already in SCHED_RR mode
+ // and no RT bandwidth is set, adding it will fail.
+ if err := s.SetRtSched(path, cgroup); err != nil {
+ return err
+ }
+ // because we are not using d.join we need to place the pid into the procs file
+ // unlike the other subsystems
+ return cgroups.WriteCgroupProc(path, pid)
+}
+
+func (s *CpuGroup) SetRtSched(path string, cgroup *configs.Cgroup) error {
+ if cgroup.Resources.CpuRtPeriod != 0 {
+ if err := writeFile(path, "cpu.rt_period_us", strconv.FormatUint(cgroup.Resources.CpuRtPeriod, 10)); err != nil {
return err
}
}
- if cgroup.Resources.CpuPeriod != 0 {
- if err := writeFile(path, "cpu.cfs_period_us", strconv.FormatInt(cgroup.Resources.CpuPeriod, 10)); err != nil {
+ if cgroup.Resources.CpuRtRuntime != 0 {
+ if err := writeFile(path, "cpu.rt_runtime_us", strconv.FormatInt(cgroup.Resources.CpuRtRuntime, 10)); err != nil {
return err
}
}
- if cgroup.Resources.CpuQuota != 0 {
- if err := writeFile(path, "cpu.cfs_quota_us", strconv.FormatInt(cgroup.Resources.CpuQuota, 10)); err != nil {
+ return nil
+}
+
+func (s *CpuGroup) Set(path string, cgroup *configs.Cgroup) error {
+ if cgroup.Resources.CpuShares != 0 {
+ if err := writeFile(path, "cpu.shares", strconv.FormatUint(cgroup.Resources.CpuShares, 10)); err != nil {
return err
}
}
- if cgroup.Resources.CpuRtPeriod != 0 {
- if err := writeFile(path, "cpu.rt_period_us", strconv.FormatInt(cgroup.Resources.CpuRtPeriod, 10)); err != nil {
+ if cgroup.Resources.CpuPeriod != 0 {
+ if err := writeFile(path, "cpu.cfs_period_us", strconv.FormatUint(cgroup.Resources.CpuPeriod, 10)); err != nil {
return err
}
}
- if cgroup.Resources.CpuRtRuntime != 0 {
- if err := writeFile(path, "cpu.rt_runtime_us", strconv.FormatInt(cgroup.Resources.CpuRtRuntime, 10)); err != nil {
+ if cgroup.Resources.CpuQuota != 0 {
+ if err := writeFile(path, "cpu.cfs_quota_us", strconv.FormatInt(cgroup.Resources.CpuQuota, 10)); err != nil {
return err
}
}
-
- return nil
+ return s.SetRtSched(path, cgroup)
}
func (s *CpuGroup) Remove(d *cgroupData) error {
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/cpu_test.go b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/cpu_test.go
index 554fd5e85df53bd6623c6399bcd0558057f2eb5c..6369c91ad65433c0da245b5af106b27a0a350e57 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/cpu_test.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/cpu_test.go
@@ -106,13 +106,13 @@ func TestCpuStats(t *testing.T) {
defer helper.cleanup()
const (
- kNrPeriods = 2000
- kNrThrottled = 200
- kThrottledTime = uint64(18446744073709551615)
+ nrPeriods = 2000
+ nrThrottled = 200
+ throttledTime = uint64(18446744073709551615)
)
cpuStatContent := fmt.Sprintf("nr_periods %d\n nr_throttled %d\n throttled_time %d\n",
- kNrPeriods, kNrThrottled, kThrottledTime)
+ nrPeriods, nrThrottled, throttledTime)
helper.writeFileContents(map[string]string{
"cpu.stat": cpuStatContent,
})
@@ -125,9 +125,9 @@ func TestCpuStats(t *testing.T) {
}
expectedStats := cgroups.ThrottlingData{
- Periods: kNrPeriods,
- ThrottledPeriods: kNrThrottled,
- ThrottledTime: kThrottledTime}
+ Periods: nrPeriods,
+ ThrottledPeriods: nrThrottled,
+ ThrottledTime: throttledTime}
expectThrottlingDataEquals(t, expectedStats, actualStats.CpuStats.ThrottlingData)
}
@@ -161,3 +161,49 @@ func TestInvalidCpuStat(t *testing.T) {
t.Fatal("Expected failed stat parsing.")
}
}
+
+func TestCpuSetRtSchedAtApply(t *testing.T) {
+ helper := NewCgroupTestUtil("cpu", t)
+ defer helper.cleanup()
+
+ const (
+ rtRuntimeBefore = 0
+ rtRuntimeAfter = 5000
+ rtPeriodBefore = 0
+ rtPeriodAfter = 7000
+ )
+
+ helper.writeFileContents(map[string]string{
+ "cpu.rt_runtime_us": strconv.Itoa(rtRuntimeBefore),
+ "cpu.rt_period_us": strconv.Itoa(rtPeriodBefore),
+ })
+
+ helper.CgroupData.config.Resources.CpuRtRuntime = rtRuntimeAfter
+ helper.CgroupData.config.Resources.CpuRtPeriod = rtPeriodAfter
+ cpu := &CpuGroup{}
+ if err := cpu.ApplyDir(helper.CgroupPath, helper.CgroupData.config, 1234); err != nil {
+ t.Fatal(err)
+ }
+
+ rtRuntime, err := getCgroupParamUint(helper.CgroupPath, "cpu.rt_runtime_us")
+ if err != nil {
+ t.Fatalf("Failed to parse cpu.rt_runtime_us - %s", err)
+ }
+ if rtRuntime != rtRuntimeAfter {
+ t.Fatal("Got the wrong value, set cpu.rt_runtime_us failed.")
+ }
+ rtPeriod, err := getCgroupParamUint(helper.CgroupPath, "cpu.rt_period_us")
+ if err != nil {
+ t.Fatalf("Failed to parse cpu.rt_period_us - %s", err)
+ }
+ if rtPeriod != rtPeriodAfter {
+ t.Fatal("Got the wrong value, set cpu.rt_period_us failed.")
+ }
+ pid, err := getCgroupParamUint(helper.CgroupPath, "cgroup.procs")
+ if err != nil {
+ t.Fatalf("Failed to parse cgroup.procs - %s", err)
+ }
+ if pid != 1234 {
+ t.Fatal("Got the wrong value, set cgroup.procs failed.")
+ }
+}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/cpuset.go b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/cpuset.go
index cbe62bd983aad33ae6478cc1469a313c30428dc0..5a1d152ea1dbd70eb2010020efac4f0bb689fac0 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/cpuset.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/cpuset.go
@@ -8,7 +8,6 @@ import (
"io/ioutil"
"os"
"path/filepath"
- "strconv"
"github.com/opencontainers/runc/libcontainer/cgroups"
"github.com/opencontainers/runc/libcontainer/configs"
@@ -58,20 +57,34 @@ func (s *CpusetGroup) ApplyDir(dir string, cgroup *configs.Cgroup, pid int) erro
if dir == "" {
return nil
}
- root, err := getCgroupRoot()
+ mountInfo, err := ioutil.ReadFile("/proc/self/mountinfo")
if err != nil {
return err
}
- if err := s.ensureParent(dir, root); err != nil {
+ root := filepath.Dir(cgroups.GetClosestMountpointAncestor(dir, string(mountInfo)))
+ // 'ensureParent' start with parent because we don't want to
+ // explicitly inherit from parent, it could conflict with
+ // 'cpuset.cpu_exclusive'.
+ if err := s.ensureParent(filepath.Dir(dir), root); err != nil {
return err
}
- // because we are not using d.join we need to place the pid into the procs file
- // unlike the other subsystems
- if err := writeFile(dir, "cgroup.procs", strconv.Itoa(pid)); err != nil {
+ if err := os.MkdirAll(dir, 0755); err != nil {
+ return err
+ }
+ // We didn't inherit cpuset configs from parent, but we have
+ // to ensure cpuset configs are set before moving task into the
+ // cgroup.
+ // The logic is, if user specified cpuset configs, use these
+ // specified configs, otherwise, inherit from parent. This makes
+ // cpuset configs work correctly with 'cpuset.cpu_exclusive', and
+ // keep backward compatibility.
+ if err := s.ensureCpusAndMems(dir, cgroup); err != nil {
return err
}
- return nil
+ // because we are not using d.join we need to place the pid into the procs file
+ // unlike the other subsystems
+ return cgroups.WriteCgroupProc(dir, pid)
}
func (s *CpusetGroup) getSubsystemSettings(parent string) (cpus []byte, mems []byte, err error) {
@@ -137,3 +150,10 @@ func (s *CpusetGroup) copyIfNeeded(current, parent string) error {
func (s *CpusetGroup) isEmpty(b []byte) bool {
return len(bytes.Trim(b, "\n")) == 0
}
+
+func (s *CpusetGroup) ensureCpusAndMems(path string, cgroup *configs.Cgroup) error {
+ if err := s.Set(path, cgroup); err != nil {
+ return err
+ }
+ return s.copyIfNeeded(path, filepath.Dir(path))
+}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/devices.go b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/devices.go
index 5f783310947df5f0ec61bf1b07cd98b65e4326a6..0ac5b4ed70037dc52f6a87f91fb90abd4838ab7c 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/devices.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/devices.go
@@ -43,21 +43,23 @@ func (s *DevicesGroup) Set(path string, cgroup *configs.Cgroup) error {
}
return nil
}
- if !cgroup.Resources.AllowAllDevices {
- if err := writeFile(path, "devices.deny", "a"); err != nil {
- return err
- }
-
- for _, dev := range cgroup.Resources.AllowedDevices {
- if err := writeFile(path, "devices.allow", dev.CgroupString()); err != nil {
+ if cgroup.Resources.AllowAllDevices != nil {
+ if *cgroup.Resources.AllowAllDevices == false {
+ if err := writeFile(path, "devices.deny", "a"); err != nil {
return err
}
+
+ for _, dev := range cgroup.Resources.AllowedDevices {
+ if err := writeFile(path, "devices.allow", dev.CgroupString()); err != nil {
+ return err
+ }
+ }
+ return nil
}
- return nil
- }
- if err := writeFile(path, "devices.allow", "a"); err != nil {
- return err
+ if err := writeFile(path, "devices.allow", "a"); err != nil {
+ return err
+ }
}
for _, dev := range cgroup.Resources.DeniedDevices {
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/devices_test.go b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/devices_test.go
index ee44084eec40079fa7e085e10a99b9c32dd0e5b1..fc635b990f56a828654fb3c9b66d414c1578b76a 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/devices_test.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/devices_test.go
@@ -40,8 +40,8 @@ func TestDevicesSetAllow(t *testing.T) {
helper.writeFileContents(map[string]string{
"devices.deny": "a",
})
-
- helper.CgroupData.config.Resources.AllowAllDevices = false
+ allowAllDevices := false
+ helper.CgroupData.config.Resources.AllowAllDevices = &allowAllDevices
helper.CgroupData.config.Resources.AllowedDevices = allowedDevices
devices := &DevicesGroup{}
if err := devices.Set(helper.CgroupPath, helper.CgroupData.config); err != nil {
@@ -56,6 +56,19 @@ func TestDevicesSetAllow(t *testing.T) {
if value != allowedList {
t.Fatal("Got the wrong value, set devices.allow failed.")
}
+
+ // When AllowAllDevices is nil, devices.allow file should not be modified.
+ helper.CgroupData.config.Resources.AllowAllDevices = nil
+ if err := devices.Set(helper.CgroupPath, helper.CgroupData.config); err != nil {
+ t.Fatal(err)
+ }
+ value, err = getCgroupParamString(helper.CgroupPath, "devices.allow")
+ if err != nil {
+ t.Fatalf("Failed to parse devices.allow - %s", err)
+ }
+ if value != allowedList {
+ t.Fatal("devices policy shouldn't have changed on AllowedAllDevices=nil.")
+ }
}
func TestDevicesSetDeny(t *testing.T) {
@@ -66,7 +79,8 @@ func TestDevicesSetDeny(t *testing.T) {
"devices.allow": "a",
})
- helper.CgroupData.config.Resources.AllowAllDevices = true
+ allowAllDevices := true
+ helper.CgroupData.config.Resources.AllowAllDevices = &allowAllDevices
helper.CgroupData.config.Resources.DeniedDevices = deniedDevices
devices := &DevicesGroup{}
if err := devices.Set(helper.CgroupPath, helper.CgroupData.config); err != nil {
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/freezer.go b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/freezer.go
index e70dfe3b950f7780f9b3f7057ff0995b664057d3..4b19f8a970d731a409603b4a98adef8f100b3b3d 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/freezer.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/freezer.go
@@ -29,11 +29,15 @@ func (s *FreezerGroup) Apply(d *cgroupData) error {
func (s *FreezerGroup) Set(path string, cgroup *configs.Cgroup) error {
switch cgroup.Resources.Freezer {
case configs.Frozen, configs.Thawed:
- if err := writeFile(path, "freezer.state", string(cgroup.Resources.Freezer)); err != nil {
- return err
- }
-
for {
+ // In case this loop does not exit because it doesn't get the expected
+ // state, let's write again this state, hoping it's going to be properly
+ // set this time. Otherwise, this loop could run infinitely, waiting for
+ // a state change that would never happen.
+ if err := writeFile(path, "freezer.state", string(cgroup.Resources.Freezer)); err != nil {
+ return err
+ }
+
state, err := readFile(path, "freezer.state")
if err != nil {
return err
@@ -41,6 +45,7 @@ func (s *FreezerGroup) Set(path string, cgroup *configs.Cgroup) error {
if strings.TrimSpace(state) == string(cgroup.Resources.Freezer) {
break
}
+
time.Sleep(1 * time.Millisecond)
}
case configs.Undefined:
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/kmem.go b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/kmem.go
new file mode 100644
index 0000000000000000000000000000000000000000..69b5a1946c72e96c49bf09eda68af0590cead0ed
--- /dev/null
+++ b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/kmem.go
@@ -0,0 +1,62 @@
+// +build linux,!nokmem
+
+package fs
+
+import (
+ "errors"
+ "fmt"
+ "io/ioutil"
+ "os"
+ "path/filepath"
+ "strconv"
+ "syscall" // for Errno type only
+
+ "github.com/opencontainers/runc/libcontainer/cgroups"
+ "golang.org/x/sys/unix"
+)
+
+const cgroupKernelMemoryLimit = "memory.kmem.limit_in_bytes"
+
+func EnableKernelMemoryAccounting(path string) error {
+ // Ensure that kernel memory is available in this kernel build. If it
+ // isn't, we just ignore it because EnableKernelMemoryAccounting is
+ // automatically called for all memory limits.
+ if !cgroups.PathExists(filepath.Join(path, cgroupKernelMemoryLimit)) {
+ return nil
+ }
+ // We have to limit the kernel memory here as it won't be accounted at all
+ // until a limit is set on the cgroup and limit cannot be set once the
+ // cgroup has children, or if there are already tasks in the cgroup.
+ for _, i := range []int64{1, -1} {
+ if err := setKernelMemory(path, i); err != nil {
+ return err
+ }
+ }
+ return nil
+}
+
+func setKernelMemory(path string, kernelMemoryLimit int64) error {
+ if path == "" {
+ return fmt.Errorf("no such directory for %s", cgroupKernelMemoryLimit)
+ }
+ if !cgroups.PathExists(filepath.Join(path, cgroupKernelMemoryLimit)) {
+ // We have specifically been asked to set a kmem limit. If the kernel
+ // doesn't support it we *must* error out.
+ return errors.New("kernel memory accounting not supported by this kernel")
+ }
+ if err := ioutil.WriteFile(filepath.Join(path, cgroupKernelMemoryLimit), []byte(strconv.FormatInt(kernelMemoryLimit, 10)), 0700); err != nil {
+ // Check if the error number returned by the syscall is "EBUSY"
+ // The EBUSY signal is returned on attempts to write to the
+ // memory.kmem.limit_in_bytes file if the cgroup has children or
+ // once tasks have been attached to the cgroup
+ if pathErr, ok := err.(*os.PathError); ok {
+ if errNo, ok := pathErr.Err.(syscall.Errno); ok {
+ if errNo == unix.EBUSY {
+ return fmt.Errorf("failed to set %s, because either tasks have already joined this cgroup or it has children", cgroupKernelMemoryLimit)
+ }
+ }
+ }
+ return fmt.Errorf("failed to write %v to %v: %v", kernelMemoryLimit, cgroupKernelMemoryLimit, err)
+ }
+ return nil
+}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/kmem_disabled.go b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/kmem_disabled.go
new file mode 100644
index 0000000000000000000000000000000000000000..ac290fd7a02a7298b6c15aa07378e33d0343c8d4
--- /dev/null
+++ b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/kmem_disabled.go
@@ -0,0 +1,15 @@
+// +build linux,nokmem
+
+package fs
+
+import (
+ "errors"
+)
+
+func EnableKernelMemoryAccounting(path string) error {
+ return nil
+}
+
+func setKernelMemory(path string, kernelMemoryLimit int64) error {
+ return errors.New("kernel memory accounting disabled in this runc build")
+}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/memory.go b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/memory.go
index e3fd327e91fc60e847980bb1abfd634c79284918..d5310d569f2689d442131a6d6c6b3fa1d0df21c5 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/memory.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/memory.go
@@ -14,6 +14,11 @@ import (
"github.com/opencontainers/runc/libcontainer/configs"
)
+const (
+ cgroupMemorySwapLimit = "memory.memsw.limit_in_bytes"
+ cgroupMemoryLimit = "memory.limit_in_bytes"
+)
+
type MemoryGroup struct {
}
@@ -25,20 +30,23 @@ func (s *MemoryGroup) Apply(d *cgroupData) (err error) {
path, err := d.path("memory")
if err != nil && !cgroups.IsNotFound(err) {
return err
+ } else if path == "" {
+ return nil
}
if memoryAssigned(d.config) {
- if path != "" {
+ if _, err := os.Stat(path); os.IsNotExist(err) {
if err := os.MkdirAll(path, 0755); err != nil {
return err
}
- }
- // We have to set kernel memory here, as we can't change it once
- // processes have been attached.
- if err := s.SetKernelMemory(path, d.config); err != nil {
- return err
+ // Only enable kernel memory accouting when this cgroup
+ // is created by libcontainer, otherwise we might get
+ // error when people use `cgroupsPath` to join an existed
+ // cgroup whose kernel memory is not initialized.
+ if err := EnableKernelMemoryAccounting(path); err != nil {
+ return err
+ }
}
}
-
defer func() {
if err != nil {
os.RemoveAll(path)
@@ -54,30 +62,77 @@ func (s *MemoryGroup) Apply(d *cgroupData) (err error) {
return nil
}
-func (s *MemoryGroup) SetKernelMemory(path string, cgroup *configs.Cgroup) error {
- // This has to be done separately because it has special constraints (it
- // can't be done after there are processes attached to the cgroup).
- if cgroup.Resources.KernelMemory > 0 {
- if err := writeFile(path, "memory.kmem.limit_in_bytes", strconv.FormatInt(cgroup.Resources.KernelMemory, 10)); err != nil {
+func setMemoryAndSwap(path string, cgroup *configs.Cgroup) error {
+ // If the memory update is set to -1 we should also
+ // set swap to -1, it means unlimited memory.
+ if cgroup.Resources.Memory == -1 {
+ // Only set swap if it's enabled in kernel
+ if cgroups.PathExists(filepath.Join(path, cgroupMemorySwapLimit)) {
+ cgroup.Resources.MemorySwap = -1
+ }
+ }
+
+ // When memory and swap memory are both set, we need to handle the cases
+ // for updating container.
+ if cgroup.Resources.Memory != 0 && cgroup.Resources.MemorySwap != 0 {
+ memoryUsage, err := getMemoryData(path, "")
+ if err != nil {
return err
}
+
+ // When update memory limit, we should adapt the write sequence
+ // for memory and swap memory, so it won't fail because the new
+ // value and the old value don't fit kernel's validation.
+ if cgroup.Resources.MemorySwap == -1 || memoryUsage.Limit < uint64(cgroup.Resources.MemorySwap) {
+ if err := writeFile(path, cgroupMemorySwapLimit, strconv.FormatInt(cgroup.Resources.MemorySwap, 10)); err != nil {
+ return err
+ }
+ if err := writeFile(path, cgroupMemoryLimit, strconv.FormatInt(cgroup.Resources.Memory, 10)); err != nil {
+ return err
+ }
+ } else {
+ if err := writeFile(path, cgroupMemoryLimit, strconv.FormatInt(cgroup.Resources.Memory, 10)); err != nil {
+ return err
+ }
+ if err := writeFile(path, cgroupMemorySwapLimit, strconv.FormatInt(cgroup.Resources.MemorySwap, 10)); err != nil {
+ return err
+ }
+ }
+ } else {
+ if cgroup.Resources.Memory != 0 {
+ if err := writeFile(path, cgroupMemoryLimit, strconv.FormatInt(cgroup.Resources.Memory, 10)); err != nil {
+ return err
+ }
+ }
+ if cgroup.Resources.MemorySwap != 0 {
+ if err := writeFile(path, cgroupMemorySwapLimit, strconv.FormatInt(cgroup.Resources.MemorySwap, 10)); err != nil {
+ return err
+ }
+ }
}
+
return nil
}
func (s *MemoryGroup) Set(path string, cgroup *configs.Cgroup) error {
- if cgroup.Resources.Memory != 0 {
- if err := writeFile(path, "memory.limit_in_bytes", strconv.FormatInt(cgroup.Resources.Memory, 10)); err != nil {
+ if err := setMemoryAndSwap(path, cgroup); err != nil {
+ return err
+ }
+
+ if cgroup.Resources.KernelMemory != 0 {
+ if err := setKernelMemory(path, cgroup.Resources.KernelMemory); err != nil {
return err
}
}
+
if cgroup.Resources.MemoryReservation != 0 {
if err := writeFile(path, "memory.soft_limit_in_bytes", strconv.FormatInt(cgroup.Resources.MemoryReservation, 10)); err != nil {
return err
}
}
- if cgroup.Resources.MemorySwap > 0 {
- if err := writeFile(path, "memory.memsw.limit_in_bytes", strconv.FormatInt(cgroup.Resources.MemorySwap, 10)); err != nil {
+
+ if cgroup.Resources.KernelMemoryTCP != 0 {
+ if err := writeFile(path, "memory.kmem.tcp.limit_in_bytes", strconv.FormatInt(cgroup.Resources.KernelMemoryTCP, 10)); err != nil {
return err
}
}
@@ -88,12 +143,12 @@ func (s *MemoryGroup) Set(path string, cgroup *configs.Cgroup) error {
}
if cgroup.Resources.MemorySwappiness == nil || int64(*cgroup.Resources.MemorySwappiness) == -1 {
return nil
- } else if int64(*cgroup.Resources.MemorySwappiness) >= 0 && int64(*cgroup.Resources.MemorySwappiness) <= 100 {
- if err := writeFile(path, "memory.swappiness", strconv.FormatInt(*cgroup.Resources.MemorySwappiness, 10)); err != nil {
+ } else if *cgroup.Resources.MemorySwappiness <= 100 {
+ if err := writeFile(path, "memory.swappiness", strconv.FormatUint(*cgroup.Resources.MemorySwappiness, 10)); err != nil {
return err
}
} else {
- return fmt.Errorf("invalid value:%d. valid memory swappiness range is 0-100", int64(*cgroup.Resources.MemorySwappiness))
+ return fmt.Errorf("invalid value:%d. valid memory swappiness range is 0-100", *cgroup.Resources.MemorySwappiness)
}
return nil
@@ -139,7 +194,20 @@ func (s *MemoryGroup) GetStats(path string, stats *cgroups.Stats) error {
return err
}
stats.MemoryStats.KernelUsage = kernelUsage
+ kernelTCPUsage, err := getMemoryData(path, "kmem.tcp")
+ if err != nil {
+ return err
+ }
+ stats.MemoryStats.KernelTCPUsage = kernelTCPUsage
+ useHierarchy := strings.Join([]string{"memory", "use_hierarchy"}, ".")
+ value, err := getCgroupParamUint(path, useHierarchy)
+ if err != nil {
+ return err
+ }
+ if value == 1 {
+ stats.MemoryStats.UseHierarchy = true
+ }
return nil
}
@@ -148,8 +216,9 @@ func memoryAssigned(cgroup *configs.Cgroup) bool {
cgroup.Resources.MemoryReservation != 0 ||
cgroup.Resources.MemorySwap > 0 ||
cgroup.Resources.KernelMemory > 0 ||
+ cgroup.Resources.KernelMemoryTCP > 0 ||
cgroup.Resources.OomKillDisable ||
- (cgroup.Resources.MemorySwappiness != nil && *cgroup.Resources.MemorySwappiness != -1)
+ (cgroup.Resources.MemorySwappiness != nil && int64(*cgroup.Resources.MemorySwappiness) != -1)
}
func getMemoryData(path, name string) (cgroups.MemoryData, error) {
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/memory_test.go b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/memory_test.go
index 8321ce97c74f2c3e732f7558957f84e1c495517b..4e0ae7b26e53d74ebcadd88902deceb738997e24 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/memory_test.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/memory_test.go
@@ -12,10 +12,11 @@ import (
const (
memoryStatContents = `cache 512
rss 1024`
- memoryUsageContents = "2048\n"
- memoryMaxUsageContents = "4096\n"
- memoryFailcnt = "100\n"
- memoryLimitContents = "8192\n"
+ memoryUsageContents = "2048\n"
+ memoryMaxUsageContents = "4096\n"
+ memoryFailcnt = "100\n"
+ memoryLimitContents = "8192\n"
+ memoryUseHierarchyContents = "1\n"
)
func TestMemorySetMemory(t *testing.T) {
@@ -86,6 +87,94 @@ func TestMemorySetMemoryswap(t *testing.T) {
}
}
+func TestMemorySetMemoryLargerThanSwap(t *testing.T) {
+ helper := NewCgroupTestUtil("memory", t)
+ defer helper.cleanup()
+
+ const (
+ memoryBefore = 314572800 // 300M
+ memoryswapBefore = 524288000 // 500M
+ memoryAfter = 629145600 // 600M
+ memoryswapAfter = 838860800 // 800M
+ )
+
+ helper.writeFileContents(map[string]string{
+ "memory.limit_in_bytes": strconv.Itoa(memoryBefore),
+ "memory.memsw.limit_in_bytes": strconv.Itoa(memoryswapBefore),
+ // Set will call getMemoryData when memory and swap memory are
+ // both set, fake these fields so we don't get error.
+ "memory.usage_in_bytes": "0",
+ "memory.max_usage_in_bytes": "0",
+ "memory.failcnt": "0",
+ })
+
+ helper.CgroupData.config.Resources.Memory = memoryAfter
+ helper.CgroupData.config.Resources.MemorySwap = memoryswapAfter
+ memory := &MemoryGroup{}
+ if err := memory.Set(helper.CgroupPath, helper.CgroupData.config); err != nil {
+ t.Fatal(err)
+ }
+
+ value, err := getCgroupParamUint(helper.CgroupPath, "memory.limit_in_bytes")
+ if err != nil {
+ t.Fatalf("Failed to parse memory.limit_in_bytes - %s", err)
+ }
+ if value != memoryAfter {
+ t.Fatal("Got the wrong value, set memory.limit_in_bytes failed.")
+ }
+ value, err = getCgroupParamUint(helper.CgroupPath, "memory.memsw.limit_in_bytes")
+ if err != nil {
+ t.Fatalf("Failed to parse memory.memsw.limit_in_bytes - %s", err)
+ }
+ if value != memoryswapAfter {
+ t.Fatal("Got the wrong value, set memory.memsw.limit_in_bytes failed.")
+ }
+}
+
+func TestMemorySetSwapSmallerThanMemory(t *testing.T) {
+ helper := NewCgroupTestUtil("memory", t)
+ defer helper.cleanup()
+
+ const (
+ memoryBefore = 629145600 // 600M
+ memoryswapBefore = 838860800 // 800M
+ memoryAfter = 314572800 // 300M
+ memoryswapAfter = 524288000 // 500M
+ )
+
+ helper.writeFileContents(map[string]string{
+ "memory.limit_in_bytes": strconv.Itoa(memoryBefore),
+ "memory.memsw.limit_in_bytes": strconv.Itoa(memoryswapBefore),
+ // Set will call getMemoryData when memory and swap memory are
+ // both set, fake these fields so we don't get error.
+ "memory.usage_in_bytes": "0",
+ "memory.max_usage_in_bytes": "0",
+ "memory.failcnt": "0",
+ })
+
+ helper.CgroupData.config.Resources.Memory = memoryAfter
+ helper.CgroupData.config.Resources.MemorySwap = memoryswapAfter
+ memory := &MemoryGroup{}
+ if err := memory.Set(helper.CgroupPath, helper.CgroupData.config); err != nil {
+ t.Fatal(err)
+ }
+
+ value, err := getCgroupParamUint(helper.CgroupPath, "memory.limit_in_bytes")
+ if err != nil {
+ t.Fatalf("Failed to parse memory.limit_in_bytes - %s", err)
+ }
+ if value != memoryAfter {
+ t.Fatal("Got the wrong value, set memory.limit_in_bytes failed.")
+ }
+ value, err = getCgroupParamUint(helper.CgroupPath, "memory.memsw.limit_in_bytes")
+ if err != nil {
+ t.Fatalf("Failed to parse memory.memsw.limit_in_bytes - %s", err)
+ }
+ if value != memoryswapAfter {
+ t.Fatal("Got the wrong value, set memory.memsw.limit_in_bytes failed.")
+ }
+}
+
func TestMemorySetKernelMemory(t *testing.T) {
helper := NewCgroupTestUtil("memory", t)
defer helper.cleanup()
@@ -101,7 +190,7 @@ func TestMemorySetKernelMemory(t *testing.T) {
helper.CgroupData.config.Resources.KernelMemory = kernelMemoryAfter
memory := &MemoryGroup{}
- if err := memory.SetKernelMemory(helper.CgroupPath, helper.CgroupData.config); err != nil {
+ if err := memory.Set(helper.CgroupPath, helper.CgroupData.config); err != nil {
t.Fatal(err)
}
@@ -114,12 +203,40 @@ func TestMemorySetKernelMemory(t *testing.T) {
}
}
+func TestMemorySetKernelMemoryTCP(t *testing.T) {
+ helper := NewCgroupTestUtil("memory", t)
+ defer helper.cleanup()
+
+ const (
+ kernelMemoryTCPBefore = 314572800 // 300M
+ kernelMemoryTCPAfter = 524288000 // 500M
+ )
+
+ helper.writeFileContents(map[string]string{
+ "memory.kmem.tcp.limit_in_bytes": strconv.Itoa(kernelMemoryTCPBefore),
+ })
+
+ helper.CgroupData.config.Resources.KernelMemoryTCP = kernelMemoryTCPAfter
+ memory := &MemoryGroup{}
+ if err := memory.Set(helper.CgroupPath, helper.CgroupData.config); err != nil {
+ t.Fatal(err)
+ }
+
+ value, err := getCgroupParamUint(helper.CgroupPath, "memory.kmem.tcp.limit_in_bytes")
+ if err != nil {
+ t.Fatalf("Failed to parse memory.kmem.tcp.limit_in_bytes - %s", err)
+ }
+ if value != kernelMemoryTCPAfter {
+ t.Fatal("Got the wrong value, set memory.kmem.tcp.limit_in_bytes failed.")
+ }
+}
+
func TestMemorySetMemorySwappinessDefault(t *testing.T) {
helper := NewCgroupTestUtil("memory", t)
defer helper.cleanup()
swappinessBefore := 60 //default is 60
- swappinessAfter := int64(0)
+ swappinessAfter := uint64(0)
helper.writeFileContents(map[string]string{
"memory.swappiness": strconv.Itoa(swappinessBefore),
@@ -135,7 +252,7 @@ func TestMemorySetMemorySwappinessDefault(t *testing.T) {
if err != nil {
t.Fatalf("Failed to parse memory.swappiness - %s", err)
}
- if int64(value) != swappinessAfter {
+ if value != swappinessAfter {
t.Fatalf("Got the wrong value (%d), set memory.swappiness = %d failed.", value, swappinessAfter)
}
}
@@ -157,6 +274,7 @@ func TestMemoryStats(t *testing.T) {
"memory.kmem.max_usage_in_bytes": memoryMaxUsageContents,
"memory.kmem.failcnt": memoryFailcnt,
"memory.kmem.limit_in_bytes": memoryLimitContents,
+ "memory.use_hierarchy": memoryUseHierarchyContents,
})
memory := &MemoryGroup{}
@@ -165,7 +283,7 @@ func TestMemoryStats(t *testing.T) {
if err != nil {
t.Fatal(err)
}
- expectedStats := cgroups.MemoryStats{Cache: 512, Usage: cgroups.MemoryData{Usage: 2048, MaxUsage: 4096, Failcnt: 100, Limit: 8192}, SwapUsage: cgroups.MemoryData{Usage: 2048, MaxUsage: 4096, Failcnt: 100, Limit: 8192}, KernelUsage: cgroups.MemoryData{Usage: 2048, MaxUsage: 4096, Failcnt: 100, Limit: 8192}, Stats: map[string]uint64{"cache": 512, "rss": 1024}}
+ expectedStats := cgroups.MemoryStats{Cache: 512, Usage: cgroups.MemoryData{Usage: 2048, MaxUsage: 4096, Failcnt: 100, Limit: 8192}, SwapUsage: cgroups.MemoryData{Usage: 2048, MaxUsage: 4096, Failcnt: 100, Limit: 8192}, KernelUsage: cgroups.MemoryData{Usage: 2048, MaxUsage: 4096, Failcnt: 100, Limit: 8192}, Stats: map[string]uint64{"cache": 512, "rss": 1024}, UseHierarchy: true}
expectMemoryStatEquals(t, expectedStats, actualStats.MemoryStats)
}
@@ -314,11 +432,11 @@ func TestMemorySetOomControl(t *testing.T) {
defer helper.cleanup()
const (
- oom_kill_disable = 1 // disable oom killer, default is 0
+ oomKillDisable = 1 // disable oom killer, default is 0
)
helper.writeFileContents(map[string]string{
- "memory.oom_control": strconv.Itoa(oom_kill_disable),
+ "memory.oom_control": strconv.Itoa(oomKillDisable),
})
memory := &MemoryGroup{}
@@ -331,7 +449,7 @@ func TestMemorySetOomControl(t *testing.T) {
t.Fatalf("Failed to parse memory.oom_control - %s", err)
}
- if value != oom_kill_disable {
+ if value != oomKillDisable {
t.Fatalf("Got the wrong value, set memory.oom_control failed.")
}
}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/net_cls.go b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/net_cls.go
index 8a4054ba8776c00b013b02371d691e86b764a9ba..8e74b645eac78129bfa39a4d32b889bd12abfca6 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/net_cls.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/net_cls.go
@@ -3,6 +3,8 @@
package fs
import (
+ "strconv"
+
"github.com/opencontainers/runc/libcontainer/cgroups"
"github.com/opencontainers/runc/libcontainer/configs"
)
@@ -23,8 +25,8 @@ func (s *NetClsGroup) Apply(d *cgroupData) error {
}
func (s *NetClsGroup) Set(path string, cgroup *configs.Cgroup) error {
- if cgroup.Resources.NetClsClassid != "" {
- if err := writeFile(path, "net_cls.classid", cgroup.Resources.NetClsClassid); err != nil {
+ if cgroup.Resources.NetClsClassid != 0 {
+ if err := writeFile(path, "net_cls.classid", strconv.FormatUint(uint64(cgroup.Resources.NetClsClassid), 10)); err != nil {
return err
}
}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/net_cls_test.go b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/net_cls_test.go
index 974bd9d887754c35c5203e094f1491f8f64f58db..c00e8a8d6f4d0872b95f2856838ae8748207cf7f 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/net_cls_test.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/net_cls_test.go
@@ -3,12 +3,13 @@
package fs
import (
+ "strconv"
"testing"
)
const (
- classidBefore = "0x100002"
- classidAfter = "0x100001"
+ classidBefore = 0x100002
+ classidAfter = 0x100001
)
func TestNetClsSetClassid(t *testing.T) {
@@ -16,7 +17,7 @@ func TestNetClsSetClassid(t *testing.T) {
defer helper.cleanup()
helper.writeFileContents(map[string]string{
- "net_cls.classid": classidBefore,
+ "net_cls.classid": strconv.FormatUint(classidBefore, 10),
})
helper.CgroupData.config.Resources.NetClsClassid = classidAfter
@@ -28,7 +29,7 @@ func TestNetClsSetClassid(t *testing.T) {
// As we are in mock environment, we can't get correct value of classid from
// net_cls.classid.
// So. we just judge if we successfully write classid into file
- value, err := getCgroupParamString(helper.CgroupPath, "net_cls.classid")
+ value, err := getCgroupParamUint(helper.CgroupPath, "net_cls.classid")
if err != nil {
t.Fatalf("Failed to parse net_cls.classid - %s", err)
}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/pids.go b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/pids.go
index 96cbb896cb19827fd65398e7ee4b958658508685..f1e37205518b0759535d10103ecb4caee8512c2f 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/pids.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/pids.go
@@ -4,6 +4,7 @@ package fs
import (
"fmt"
+ "path/filepath"
"strconv"
"github.com/opencontainers/runc/libcontainer/cgroups"
@@ -47,11 +48,26 @@ func (s *PidsGroup) Remove(d *cgroupData) error {
}
func (s *PidsGroup) GetStats(path string, stats *cgroups.Stats) error {
- value, err := getCgroupParamUint(path, "pids.current")
+ current, err := getCgroupParamUint(path, "pids.current")
if err != nil {
return fmt.Errorf("failed to parse pids.current - %s", err)
}
- stats.PidsStats.Current = value
+ maxString, err := getCgroupParamString(path, "pids.max")
+ if err != nil {
+ return fmt.Errorf("failed to parse pids.max - %s", err)
+ }
+
+ // Default if pids.max == "max" is 0 -- which represents "no limit".
+ var max uint64
+ if maxString != "max" {
+ max, err = parseUint(maxString, 10, 64)
+ if err != nil {
+ return fmt.Errorf("failed to parse pids.max - unable to parse %q as a uint from Cgroup file %q", maxString, filepath.Join(path, "pids.max"))
+ }
+ }
+
+ stats.PidsStats.Current = current
+ stats.PidsStats.Limit = max
return nil
}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/pids_test.go b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/pids_test.go
index 06b11927aa833e8ad41f9ddd4b44621809c5f8c9..10671247ba38e4c5d8ec05fb9e713f55d5ea7679 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/pids_test.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/pids_test.go
@@ -80,4 +80,32 @@ func TestPidsStats(t *testing.T) {
if stats.PidsStats.Current != 1337 {
t.Fatalf("Expected %d, got %d for pids.current", 1337, stats.PidsStats.Current)
}
+
+ if stats.PidsStats.Limit != maxLimited {
+ t.Fatalf("Expected %d, got %d for pids.max", maxLimited, stats.PidsStats.Limit)
+ }
+}
+
+func TestPidsStatsUnlimited(t *testing.T) {
+ helper := NewCgroupTestUtil("pids", t)
+ defer helper.cleanup()
+
+ helper.writeFileContents(map[string]string{
+ "pids.current": strconv.Itoa(4096),
+ "pids.max": "max",
+ })
+
+ pids := &PidsGroup{}
+ stats := *cgroups.NewStats()
+ if err := pids.GetStats(helper.CgroupPath, &stats); err != nil {
+ t.Fatal(err)
+ }
+
+ if stats.PidsStats.Current != 4096 {
+ t.Fatalf("Expected %d, got %d for pids.current", 4096, stats.PidsStats.Current)
+ }
+
+ if stats.PidsStats.Limit != 0 {
+ t.Fatalf("Expected %d, got %d for pids.max", 0, stats.PidsStats.Limit)
+ }
}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/stats_util_test.go b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/stats_util_test.go
index d0ab047418f4a630a0936edb2c00a01bcdd2cba5..c5a8d185824b8240ae8e988a0eaf7f6a94268d6d 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/stats_util_test.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/stats_util_test.go
@@ -6,8 +6,9 @@ import (
"fmt"
"testing"
- "github.com/sirupsen/logrus"
"github.com/opencontainers/runc/libcontainer/cgroups"
+
+ "github.com/sirupsen/logrus"
)
func blkioStatEntryEquals(expected, actual []cgroups.BlkioStatEntry) error {
@@ -84,6 +85,11 @@ func expectMemoryStatEquals(t *testing.T, expected, actual cgroups.MemoryStats)
expectMemoryDataEquals(t, expected.SwapUsage, actual.SwapUsage)
expectMemoryDataEquals(t, expected.KernelUsage, actual.KernelUsage)
+ if expected.UseHierarchy != actual.UseHierarchy {
+ logrus.Printf("Expected memory use hierarchy %v, but found %v\n", expected.UseHierarchy, actual.UseHierarchy)
+ t.Fail()
+ }
+
for key, expValue := range expected.Stats {
actValue, ok := actual.Stats[key]
if !ok {
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/utils.go b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/utils.go
index 852b18391d0bcd53c31e8b3866c087160cca3c53..5ff0a1615048cba54b107c2dcabd3458eabdc6f3 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/utils.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/utils.go
@@ -12,7 +12,6 @@ import (
)
var (
- ErrNotSupportStat = errors.New("stats are not supported for subsystem")
ErrNotValidFormat = errors.New("line is not a valid key value format")
)
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/stats.go b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/stats.go
index a9a074347336f004d928ffe783289199aa5224ee..8eeedc55b078f203681b3fb99af6a38bfb4c6e92 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/stats.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/stats.go
@@ -11,6 +11,7 @@ type ThrottlingData struct {
ThrottledTime uint64 `json:"throttled_time,omitempty"`
}
+// CpuUsage denotes the usage of a CPU.
// All CPU stats are aggregate since container inception.
type CpuUsage struct {
// Total CPU time consumed.
@@ -47,13 +48,20 @@ type MemoryStats struct {
// usage of memory + swap
SwapUsage MemoryData `json:"swap_usage,omitempty"`
// usage of kernel memory
- KernelUsage MemoryData `json:"kernel_usage,omitempty"`
- Stats map[string]uint64 `json:"stats,omitempty"`
+ KernelUsage MemoryData `json:"kernel_usage,omitempty"`
+ // usage of kernel TCP memory
+ KernelTCPUsage MemoryData `json:"kernel_tcp_usage,omitempty"`
+ // if true, memory usage is accounted for throughout a hierarchy of cgroups.
+ UseHierarchy bool `json:"use_hierarchy"`
+
+ Stats map[string]uint64 `json:"stats,omitempty"`
}
type PidsStats struct {
// number of pids in the cgroup
Current uint64 `json:"current,omitempty"`
+ // active pids hard limit
+ Limit uint64 `json:"limit,omitempty"`
}
type BlkioStatEntry struct {
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/systemd/apply_nosystemd.go b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/systemd/apply_nosystemd.go
index 7de9ae6050bd91e80a85f299829a6c11d6b1355e..a65d8e4432dad7f666aa963bc88b6a1f0df81d68 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/systemd/apply_nosystemd.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/systemd/apply_nosystemd.go
@@ -1,4 +1,4 @@
-// +build !linux
+// +build !linux static_build
package systemd
@@ -43,7 +43,7 @@ func (m *Manager) GetStats() (*cgroups.Stats, error) {
}
func (m *Manager) Set(container *configs.Config) error {
- return nil, fmt.Errorf("Systemd not supported")
+ return fmt.Errorf("Systemd not supported")
}
func (m *Manager) Freeze(state configs.FreezerState) error {
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/systemd/apply_systemd.go b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/systemd/apply_systemd.go
index 63a14b4caf38da6060aaf62d595c6dbde20cbc90..e8defe3a1ee26a4ca3dcb3400a151debd7867eee 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/systemd/apply_systemd.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/systemd/apply_systemd.go
@@ -1,4 +1,4 @@
-// +build linux
+// +build linux,!static_build
package systemd
@@ -6,9 +6,9 @@ import (
"errors"
"fmt"
"io/ioutil"
+ "math"
"os"
"path/filepath"
- "strconv"
"strings"
"sync"
"time"
@@ -19,6 +19,7 @@ import (
"github.com/opencontainers/runc/libcontainer/cgroups"
"github.com/opencontainers/runc/libcontainer/cgroups/fs"
"github.com/opencontainers/runc/libcontainer/configs"
+ "github.com/sirupsen/logrus"
)
type Manager struct {
@@ -67,13 +68,17 @@ var subsystems = subsystemSet{
const (
testScopeWait = 4
+ testSliceWait = 4
)
var (
connLock sync.Mutex
theConn *systemdDbus.Conn
hasStartTransientUnit bool
+ hasStartTransientSliceUnit bool
hasTransientDefaultDependencies bool
+ hasDelegateScope bool
+ hasDelegateSlice bool
)
func newProp(name string, units interface{}) systemdDbus.Property {
@@ -146,18 +151,66 @@ func UseSystemd() bool {
// Not critical because of the stop unit logic above.
theConn.StopUnit(scope, "replace", nil)
- }
- return hasStartTransientUnit
-}
-func getIfaceForUnit(unitName string) string {
- if strings.HasSuffix(unitName, ".scope") {
- return "Scope"
- }
- if strings.HasSuffix(unitName, ".service") {
- return "Service"
+ // Assume StartTransientUnit on a scope allows Delegate
+ hasDelegateScope = true
+ dlScope := newProp("Delegate", true)
+ if _, err := theConn.StartTransientUnit(scope, "replace", []systemdDbus.Property{dlScope}, nil); err != nil {
+ if dbusError, ok := err.(dbus.Error); ok {
+ if strings.Contains(dbusError.Name, "org.freedesktop.DBus.Error.PropertyReadOnly") {
+ hasDelegateScope = false
+ }
+ }
+ }
+
+ // Assume we have the ability to start a transient unit as a slice
+ // This was broken until systemd v229, but has been back-ported on RHEL environments >= 219
+ // For details, see: https://bugzilla.redhat.com/show_bug.cgi?id=1370299
+ hasStartTransientSliceUnit = true
+
+ // To ensure simple clean-up, we create a slice off the root with no hierarchy
+ slice := fmt.Sprintf("libcontainer_%d_systemd_test_default.slice", os.Getpid())
+ if _, err := theConn.StartTransientUnit(slice, "replace", nil, nil); err != nil {
+ if _, ok := err.(dbus.Error); ok {
+ hasStartTransientSliceUnit = false
+ }
+ }
+
+ for i := 0; i <= testSliceWait; i++ {
+ if _, err := theConn.StopUnit(slice, "replace", nil); err != nil {
+ if dbusError, ok := err.(dbus.Error); ok {
+ if strings.Contains(dbusError.Name, "org.freedesktop.systemd1.NoSuchUnit") {
+ hasStartTransientSliceUnit = false
+ break
+ }
+ }
+ } else {
+ break
+ }
+ time.Sleep(time.Millisecond)
+ }
+
+ // Not critical because of the stop unit logic above.
+ theConn.StopUnit(slice, "replace", nil)
+
+ // Assume StartTransientUnit on a slice allows Delegate
+ hasDelegateSlice = true
+ dlSlice := newProp("Delegate", true)
+ if _, err := theConn.StartTransientUnit(slice, "replace", []systemdDbus.Property{dlSlice}, nil); err != nil {
+ if dbusError, ok := err.(dbus.Error); ok {
+ // Starting with systemd v237, Delegate is not even a property of slices anymore,
+ // so the D-Bus call fails with "InvalidArgs" error.
+ if strings.Contains(dbusError.Name, "org.freedesktop.DBus.Error.PropertyReadOnly") || strings.Contains(dbusError.Name, "org.freedesktop.DBus.Error.InvalidArgs") {
+ hasDelegateSlice = false
+ }
+ }
+ }
+
+ // Not critical because of the stop unit logic above.
+ theConn.StopUnit(scope, "replace", nil)
+ theConn.StopUnit(slice, "replace", nil)
}
- return "Unit"
+ return hasStartTransientUnit
}
func (m *Manager) Apply(pid int) error {
@@ -189,11 +242,36 @@ func (m *Manager) Apply(pid int) error {
slice = c.Parent
}
- properties = append(properties,
- systemdDbus.PropSlice(slice),
- systemdDbus.PropDescription("docker container "+c.Name),
- newProp("PIDs", []uint32{uint32(pid)}),
- )
+ properties = append(properties, systemdDbus.PropDescription("libcontainer container "+c.Name))
+
+ // if we create a slice, the parent is defined via a Wants=
+ if strings.HasSuffix(unitName, ".slice") {
+ // This was broken until systemd v229, but has been back-ported on RHEL environments >= 219
+ if !hasStartTransientSliceUnit {
+ return fmt.Errorf("systemd version does not support ability to start a slice as transient unit")
+ }
+ properties = append(properties, systemdDbus.PropWants(slice))
+ } else {
+ // otherwise, we use Slice=
+ properties = append(properties, systemdDbus.PropSlice(slice))
+ }
+
+ // only add pid if its valid, -1 is used w/ general slice creation.
+ if pid != -1 {
+ properties = append(properties, newProp("PIDs", []uint32{uint32(pid)}))
+ }
+
+ // Check if we can delegate. This is only supported on systemd versions 218 and above.
+ if strings.HasSuffix(unitName, ".slice") {
+ if hasDelegateSlice {
+ // systemd 237 and above no longer allows delegation on a slice
+ properties = append(properties, newProp("Delegate", true))
+ }
+ } else {
+ if hasDelegateScope {
+ properties = append(properties, newProp("Delegate", true))
+ }
+ }
// Always enable accounting, this gets us the same behaviour as the fs implementation,
// plus the kernel has some problems with joining the memory cgroup at a later time.
@@ -214,7 +292,27 @@ func (m *Manager) Apply(pid int) error {
if c.Resources.CpuShares != 0 {
properties = append(properties,
- newProp("CPUShares", uint64(c.Resources.CpuShares)))
+ newProp("CPUShares", c.Resources.CpuShares))
+ }
+
+ // cpu.cfs_quota_us and cpu.cfs_period_us are controlled by systemd.
+ if c.Resources.CpuQuota != 0 && c.Resources.CpuPeriod != 0 {
+ // corresponds to USEC_INFINITY in systemd
+ // if USEC_INFINITY is provided, CPUQuota is left unbound by systemd
+ // always setting a property value ensures we can apply a quota and remove it later
+ cpuQuotaPerSecUSec := uint64(math.MaxUint64)
+ if c.Resources.CpuQuota > 0 {
+ // systemd converts CPUQuotaPerSecUSec (microseconds per CPU second) to CPUQuota
+ // (integer percentage of CPU) internally. This means that if a fractional percent of
+ // CPU is indicated by Resources.CpuQuota, we need to round up to the nearest
+ // 10ms (1% of a second) such that child cgroups can set the cpu.cfs_quota_us they expect.
+ cpuQuotaPerSecUSec = uint64(c.Resources.CpuQuota*1000000) / c.Resources.CpuPeriod
+ if cpuQuotaPerSecUSec%10000 != 0 {
+ cpuQuotaPerSecUSec = ((cpuQuotaPerSecUSec / 10000) + 1) * 10000
+ }
+ }
+ properties = append(properties,
+ newProp("CPUQuotaPerSecUSec", cpuQuotaPerSecUSec))
}
if c.Resources.BlkioWeight != 0 {
@@ -222,17 +320,28 @@ func (m *Manager) Apply(pid int) error {
newProp("BlockIOWeight", uint64(c.Resources.BlkioWeight)))
}
- // We need to set kernel memory before processes join cgroup because
- // kmem.limit_in_bytes can only be set when the cgroup is empty.
- // And swap memory limit needs to be set after memory limit, only
- // memory limit is handled by systemd, so it's kind of ugly here.
- if c.Resources.KernelMemory > 0 {
+ if c.Resources.PidsLimit > 0 {
+ properties = append(properties,
+ newProp("TasksAccounting", true),
+ newProp("TasksMax", uint64(c.Resources.PidsLimit)))
+ }
+
+ // We have to set kernel memory here, as we can't change it once
+ // processes have been attached to the cgroup.
+ if c.Resources.KernelMemory != 0 {
if err := setKernelMemory(c); err != nil {
return err
}
}
- if _, err := theConn.StartTransientUnit(unitName, "replace", properties, nil); err != nil {
+ statusChan := make(chan string, 1)
+ if _, err := theConn.StartTransientUnit(unitName, "replace", properties, statusChan); err == nil {
+ select {
+ case <-statusChan:
+ case <-time.After(time.Second):
+ logrus.Warnf("Timed out while waiting for StartTransientUnit(%s) completion signal from dbus. Continuing...", unitName)
+ }
+ } else if !isUnitExists(err) {
return err
}
@@ -277,15 +386,6 @@ func (m *Manager) GetPaths() map[string]string {
return paths
}
-func writeFile(dir, file, data string) error {
- // Normally dir should not be empty, one case is that cgroup subsystem
- // is not mounted, we will get empty dir, and we want it fail here.
- if dir == "" {
- return fmt.Errorf("no such directory for %s.", file)
- }
- return ioutil.WriteFile(filepath.Join(dir, file), []byte(data), 0700)
-}
-
func join(c *configs.Cgroup, subsystem string, pid int) (string, error) {
path, err := getSubsystemPath(c, subsystem)
if err != nil {
@@ -294,10 +394,9 @@ func join(c *configs.Cgroup, subsystem string, pid int) (string, error) {
if err := os.MkdirAll(path, 0755); err != nil {
return "", err
}
- if err := writeFile(path, "cgroup.procs", strconv.Itoa(pid)); err != nil {
+ if err := cgroups.WriteCgroupProc(path, pid); err != nil {
return "", err
}
-
return path, nil
}
@@ -307,7 +406,6 @@ func joinCgroups(c *configs.Cgroup, pid int) error {
switch name {
case "name=systemd":
// let systemd handle this
- break
case "cpuset":
path, err := getSubsystemPath(c, name)
if err != nil && !cgroups.IsNotFound(err) {
@@ -317,7 +415,6 @@ func joinCgroups(c *configs.Cgroup, pid int) error {
if err := s.ApplyDir(path, c, pid); err != nil {
return err
}
- break
default:
_, err := join(c, name, pid)
if err != nil {
@@ -339,10 +436,10 @@ func joinCgroups(c *configs.Cgroup, pid int) error {
return nil
}
-// systemd represents slice heirarchy using `-`, so we need to follow suit when
+// systemd represents slice hierarchy using `-`, so we need to follow suit when
// generating the path of slice. Essentially, test-a-b.slice becomes
-// test.slice/test-a.slice/test-a-b.slice.
-func expandSlice(slice string) (string, error) {
+// /test.slice/test-a.slice/test-a-b.slice.
+func ExpandSlice(slice string) (string, error) {
suffix := ".slice"
// Name has to end with ".slice", but can't be just ".slice".
if len(slice) < len(suffix) || !strings.HasSuffix(slice, suffix) {
@@ -356,6 +453,10 @@ func expandSlice(slice string) (string, error) {
var path, prefix string
sliceName := strings.TrimSuffix(slice, suffix)
+ // if input was -.slice, we should just return root now
+ if sliceName == "-" {
+ return "/", nil
+ }
for _, component := range strings.Split(sliceName, "-") {
// test--a.slice isn't permitted, nor is -test.slice.
if component == "" {
@@ -363,30 +464,31 @@ func expandSlice(slice string) (string, error) {
}
// Append the component to the path and to the prefix.
- path += prefix + component + suffix + "/"
+ path += "/" + prefix + component + suffix
prefix += component + "-"
}
-
return path, nil
}
func getSubsystemPath(c *configs.Cgroup, subsystem string) (string, error) {
- mountpoint, err := cgroups.FindCgroupMountpoint(subsystem)
+ mountpoint, err := cgroups.FindCgroupMountpoint(c.Path, subsystem)
if err != nil {
return "", err
}
- initPath, err := cgroups.GetInitCgroupDir(subsystem)
+ initPath, err := cgroups.GetInitCgroup(subsystem)
if err != nil {
return "", err
}
+ // if pid 1 is systemd 226 or later, it will be in init.scope, not the root
+ initPath = strings.TrimSuffix(filepath.Clean(initPath), "init.scope")
slice := "system.slice"
if c.Parent != "" {
slice = c.Parent
}
- slice, err = expandSlice(slice)
+ slice, err = ExpandSlice(slice)
if err != nil {
return "", err
}
@@ -447,6 +549,11 @@ func (m *Manager) GetStats() (*cgroups.Stats, error) {
}
func (m *Manager) Set(container *configs.Config) error {
+ // If Paths are set, then we are just joining cgroups paths
+ // and there is no need to set any values.
+ if m.Cgroups.Paths != nil {
+ return nil
+ }
for _, sys := range subsystems {
// Get the subsystem path, but don't error out for not found cgroups.
path, err := getSubsystemPath(container.Cgroups, sys.Name())
@@ -468,7 +575,11 @@ func (m *Manager) Set(container *configs.Config) error {
}
func getUnitName(c *configs.Cgroup) string {
- return fmt.Sprintf("%s-%s.scope", c.ScopePrefix, c.Name)
+ // by default, we create a scope unless the user explicitly asks for a slice.
+ if !strings.HasSuffix(c.Name, ".slice") {
+ return fmt.Sprintf("%s-%s.scope", c.ScopePrefix, c.Name)
+ }
+ return c.Name
}
func setKernelMemory(c *configs.Cgroup) error {
@@ -480,8 +591,24 @@ func setKernelMemory(c *configs.Cgroup) error {
if err := os.MkdirAll(path, 0755); err != nil {
return err
}
+ // do not try to enable the kernel memory if we already have
+ // tasks in the cgroup.
+ content, err := ioutil.ReadFile(filepath.Join(path, "tasks"))
+ if err != nil {
+ return err
+ }
+ if len(content) > 0 {
+ return nil
+ }
+ return fs.EnableKernelMemoryAccounting(path)
+}
- // This doesn't get called by manager.Set, so we need to do it here.
- s := &fs.MemoryGroup{}
- return s.SetKernelMemory(path, c)
+// isUnitExists returns true if the error is that a systemd unit already exists.
+func isUnitExists(err error) bool {
+ if err != nil {
+ if dbusError, ok := err.(dbus.Error); ok {
+ return strings.Contains(dbusError.Name, "org.freedesktop.systemd1.UnitExists")
+ }
+ }
+ return false
}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/utils.go b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/utils.go
index 006800dcfae52ceee1b47588d8c6a4c4e44ce1a1..ea571ad937ff26c4fd5a9506ffdfce904f86f4ba 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/utils.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/utils.go
@@ -13,61 +13,82 @@ import (
"strings"
"time"
- "github.com/docker/go-units"
+ units "github.com/docker/go-units"
)
-const cgroupNamePrefix = "name="
+const (
+ CgroupNamePrefix = "name="
+ CgroupProcesses = "cgroup.procs"
+)
+
+// https://www.kernel.org/doc/Documentation/cgroup-v1/cgroups.txt
+func FindCgroupMountpoint(cgroupPath, subsystem string) (string, error) {
+ mnt, _, err := FindCgroupMountpointAndRoot(cgroupPath, subsystem)
+ return mnt, err
+}
-// https://www.kernel.org/doc/Documentation/cgroups/cgroups.txt
-func FindCgroupMountpoint(subsystem string) (string, error) {
+func FindCgroupMountpointAndRoot(cgroupPath, subsystem string) (string, string, error) {
// We are not using mount.GetMounts() because it's super-inefficient,
// parsing it directly sped up x10 times because of not using Sscanf.
// It was one of two major performance drawbacks in container start.
+ if !isSubsystemAvailable(subsystem) {
+ return "", "", NewNotFoundError(subsystem)
+ }
+
f, err := os.Open("/proc/self/mountinfo")
if err != nil {
- return "", err
+ return "", "", err
}
defer f.Close()
- scanner := bufio.NewScanner(f)
+ return findCgroupMountpointAndRootFromReader(f, cgroupPath, subsystem)
+}
+
+func findCgroupMountpointAndRootFromReader(reader io.Reader, cgroupPath, subsystem string) (string, string, error) {
+ scanner := bufio.NewScanner(reader)
for scanner.Scan() {
txt := scanner.Text()
- fields := strings.Split(txt, " ")
- for _, opt := range strings.Split(fields[len(fields)-1], ",") {
- if opt == subsystem {
- return fields[4], nil
+ fields := strings.Fields(txt)
+ if len(fields) < 5 {
+ continue
+ }
+ if strings.HasPrefix(fields[4], cgroupPath) {
+ for _, opt := range strings.Split(fields[len(fields)-1], ",") {
+ if opt == subsystem {
+ return fields[4], fields[3], nil
+ }
}
}
}
if err := scanner.Err(); err != nil {
- return "", err
+ return "", "", err
}
- return "", NewNotFoundError(subsystem)
+ return "", "", NewNotFoundError(subsystem)
}
-func FindCgroupMountpointAndRoot(subsystem string) (string, string, error) {
- f, err := os.Open("/proc/self/mountinfo")
+func isSubsystemAvailable(subsystem string) bool {
+ cgroups, err := ParseCgroupFile("/proc/self/cgroup")
if err != nil {
- return "", "", err
+ return false
}
- defer f.Close()
+ _, avail := cgroups[subsystem]
+ return avail
+}
- scanner := bufio.NewScanner(f)
- for scanner.Scan() {
- txt := scanner.Text()
- fields := strings.Split(txt, " ")
- for _, opt := range strings.Split(fields[len(fields)-1], ",") {
- if opt == subsystem {
- return fields[4], fields[3], nil
- }
+func GetClosestMountpointAncestor(dir, mountinfo string) string {
+ deepestMountPoint := ""
+ for _, mountInfoEntry := range strings.Split(mountinfo, "\n") {
+ mountInfoParts := strings.Fields(mountInfoEntry)
+ if len(mountInfoParts) < 5 {
+ continue
+ }
+ mountPoint := mountInfoParts[4]
+ if strings.HasPrefix(mountPoint, deepestMountPoint) && strings.HasPrefix(dir, mountPoint) {
+ deepestMountPoint = mountPoint
}
}
- if err := scanner.Err(); err != nil {
- return "", "", err
- }
-
- return "", "", NewNotFoundError(subsystem)
+ return deepestMountPoint
}
func FindCgroupMountpointDir() (string, error) {
@@ -92,7 +113,7 @@ func FindCgroupMountpointDir() (string, error) {
}
if postSeparatorFields[0] == "cgroup" {
- // Check that the mount is properly formated.
+ // Check that the mount is properly formatted.
if numPostFields < 3 {
return "", fmt.Errorf("Error found less than 3 fields post '-' in %q", text)
}
@@ -113,7 +134,7 @@ type Mount struct {
Subsystems []string
}
-func (m Mount) GetThisCgroupDir(cgroups map[string]string) (string, error) {
+func (m Mount) GetOwnCgroup(cgroups map[string]string) (string, error) {
if len(m.Subsystems) == 0 {
return "", fmt.Errorf("no subsystem for mount")
}
@@ -121,16 +142,17 @@ func (m Mount) GetThisCgroupDir(cgroups map[string]string) (string, error) {
return getControllerPath(m.Subsystems[0], cgroups)
}
-func getCgroupMountsHelper(ss map[string]bool, mi io.Reader) ([]Mount, error) {
+func getCgroupMountsHelper(ss map[string]bool, mi io.Reader, all bool) ([]Mount, error) {
res := make([]Mount, 0, len(ss))
scanner := bufio.NewScanner(mi)
- for scanner.Scan() {
+ numFound := 0
+ for scanner.Scan() && numFound < len(ss) {
txt := scanner.Text()
sepIdx := strings.Index(txt, " - ")
if sepIdx == -1 {
return nil, fmt.Errorf("invalid mountinfo format")
}
- if txt[sepIdx+3:sepIdx+9] != "cgroup" {
+ if txt[sepIdx+3:sepIdx+10] == "cgroup2" || txt[sepIdx+3:sepIdx+9] != "cgroup" {
continue
}
fields := strings.Split(txt, " ")
@@ -139,14 +161,20 @@ func getCgroupMountsHelper(ss map[string]bool, mi io.Reader) ([]Mount, error) {
Root: fields[3],
}
for _, opt := range strings.Split(fields[len(fields)-1], ",") {
- if strings.HasPrefix(opt, cgroupNamePrefix) {
- m.Subsystems = append(m.Subsystems, opt[len(cgroupNamePrefix):])
+ seen, known := ss[opt]
+ if !known || (!all && seen) {
+ continue
}
- if ss[opt] {
- m.Subsystems = append(m.Subsystems, opt)
+ ss[opt] = true
+ if strings.HasPrefix(opt, CgroupNamePrefix) {
+ opt = opt[len(CgroupNamePrefix):]
}
+ m.Subsystems = append(m.Subsystems, opt)
+ numFound++
+ }
+ if len(m.Subsystems) > 0 || all {
+ res = append(res, m)
}
- res = append(res, m)
}
if err := scanner.Err(); err != nil {
return nil, err
@@ -154,26 +182,28 @@ func getCgroupMountsHelper(ss map[string]bool, mi io.Reader) ([]Mount, error) {
return res, nil
}
-func GetCgroupMounts() ([]Mount, error) {
+// GetCgroupMounts returns the mounts for the cgroup subsystems.
+// all indicates whether to return just the first instance or all the mounts.
+func GetCgroupMounts(all bool) ([]Mount, error) {
f, err := os.Open("/proc/self/mountinfo")
if err != nil {
return nil, err
}
defer f.Close()
- all, err := GetAllSubsystems()
+ allSubsystems, err := ParseCgroupFile("/proc/self/cgroup")
if err != nil {
return nil, err
}
allMap := make(map[string]bool)
- for _, s := range all {
- allMap[s] = true
+ for s := range allSubsystems {
+ allMap[s] = false
}
- return getCgroupMountsHelper(allMap, f)
+ return getCgroupMountsHelper(allMap, f, all)
}
-// Returns all the cgroup subsystems supported by the kernel
+// GetAllSubsystems returns all the cgroup subsystems supported by the kernel
func GetAllSubsystems() ([]string, error) {
f, err := os.Open("/proc/cgroups")
if err != nil {
@@ -185,9 +215,6 @@ func GetAllSubsystems() ([]string, error) {
s := bufio.NewScanner(f)
for s.Scan() {
- if err := s.Err(); err != nil {
- return nil, err
- }
text := s.Text()
if text[0] != '#' {
parts := strings.Fields(text)
@@ -196,11 +223,14 @@ func GetAllSubsystems() ([]string, error) {
}
}
}
+ if err := s.Err(); err != nil {
+ return nil, err
+ }
return subsystems, nil
}
-// Returns the relative path to the cgroup docker is running in.
-func GetThisCgroupDir(subsystem string) (string, error) {
+// GetOwnCgroup returns the relative path to the cgroup docker is running in.
+func GetOwnCgroup(subsystem string) (string, error) {
cgroups, err := ParseCgroupFile("/proc/self/cgroup")
if err != nil {
return "", err
@@ -209,8 +239,16 @@ func GetThisCgroupDir(subsystem string) (string, error) {
return getControllerPath(subsystem, cgroups)
}
-func GetInitCgroupDir(subsystem string) (string, error) {
+func GetOwnCgroupPath(subsystem string) (string, error) {
+ cgroup, err := GetOwnCgroup(subsystem)
+ if err != nil {
+ return "", err
+ }
+
+ return getCgroupPathHelper(subsystem, cgroup)
+}
+func GetInitCgroup(subsystem string) (string, error) {
cgroups, err := ParseCgroupFile("/proc/1/cgroup")
if err != nil {
return "", err
@@ -219,8 +257,33 @@ func GetInitCgroupDir(subsystem string) (string, error) {
return getControllerPath(subsystem, cgroups)
}
+func GetInitCgroupPath(subsystem string) (string, error) {
+ cgroup, err := GetInitCgroup(subsystem)
+ if err != nil {
+ return "", err
+ }
+
+ return getCgroupPathHelper(subsystem, cgroup)
+}
+
+func getCgroupPathHelper(subsystem, cgroup string) (string, error) {
+ mnt, root, err := FindCgroupMountpointAndRoot("", subsystem)
+ if err != nil {
+ return "", err
+ }
+
+ // This is needed for nested containers, because in /proc/self/cgroup we
+ // see paths from host, which don't exist in container.
+ relCgroup, err := filepath.Rel(root, cgroup)
+ if err != nil {
+ return "", err
+ }
+
+ return filepath.Join(mnt, relCgroup), nil
+}
+
func readProcsFile(dir string) ([]int, error) {
- f, err := os.Open(filepath.Join(dir, "cgroup.procs"))
+ f, err := os.Open(filepath.Join(dir, CgroupProcesses))
if err != nil {
return nil, err
}
@@ -243,6 +306,8 @@ func readProcsFile(dir string) ([]int, error) {
return out, nil
}
+// ParseCgroupFile parses the given cgroup file, typically from
+// /proc/<pid>/cgroup, into a map of subgroups to cgroup names.
func ParseCgroupFile(path string) (map[string]string, error) {
f, err := os.Open(path)
if err != nil {
@@ -250,21 +315,35 @@ func ParseCgroupFile(path string) (map[string]string, error) {
}
defer f.Close()
- s := bufio.NewScanner(f)
+ return parseCgroupFromReader(f)
+}
+
+// helper function for ParseCgroupFile to make testing easier
+func parseCgroupFromReader(r io.Reader) (map[string]string, error) {
+ s := bufio.NewScanner(r)
cgroups := make(map[string]string)
for s.Scan() {
- if err := s.Err(); err != nil {
- return nil, err
- }
-
text := s.Text()
- parts := strings.Split(text, ":")
+ // from cgroups(7):
+ // /proc/[pid]/cgroup
+ // ...
+ // For each cgroup hierarchy ... there is one entry
+ // containing three colon-separated fields of the form:
+ // hierarchy-ID:subsystem-list:cgroup-path
+ parts := strings.SplitN(text, ":", 3)
+ if len(parts) < 3 {
+ return nil, fmt.Errorf("invalid cgroup entry: must contain at least two colons: %v", text)
+ }
for _, subs := range strings.Split(parts[1], ",") {
cgroups[subs] = parts[2]
}
}
+ if err := s.Err(); err != nil {
+ return nil, err
+ }
+
return cgroups, nil
}
@@ -274,7 +353,7 @@ func getControllerPath(subsystem string, cgroups map[string]string) (string, err
return p, nil
}
- if p, ok := cgroups[cgroupNamePrefix+subsystem]; ok {
+ if p, ok := cgroups[CgroupNamePrefix+subsystem]; ok {
return p, nil
}
@@ -291,8 +370,7 @@ func PathExists(path string) bool {
func EnterPid(cgroupPaths map[string]string, pid int) error {
for _, path := range cgroupPaths {
if PathExists(path) {
- if err := ioutil.WriteFile(filepath.Join(path, "cgroup.procs"),
- []byte(strconv.Itoa(pid)), 0700); err != nil {
+ if err := WriteCgroupProc(path, pid); err != nil {
return err
}
}
@@ -326,7 +404,7 @@ func RemovePaths(paths map[string]string) (err error) {
return nil
}
}
- return fmt.Errorf("Failed to remove paths: %s", paths)
+ return fmt.Errorf("Failed to remove paths: %v", paths)
}
func GetHugePageSize() ([]string, error) {
@@ -361,7 +439,7 @@ func GetAllPids(path string) ([]int, error) {
// collect pids from all sub-cgroups
err := filepath.Walk(path, func(p string, info os.FileInfo, iErr error) error {
dir, file := filepath.Split(p)
- if file != "cgroup.procs" {
+ if file != CgroupProcesses {
return nil
}
if iErr != nil {
@@ -376,3 +454,20 @@ func GetAllPids(path string) ([]int, error) {
})
return pids, err
}
+
+// WriteCgroupProc writes the specified pid into the cgroup's cgroup.procs file
+func WriteCgroupProc(dir string, pid int) error {
+ // Normally dir should not be empty, one case is that cgroup subsystem
+ // is not mounted, we will get empty dir, and we want it fail here.
+ if dir == "" {
+ return fmt.Errorf("no such directory for %s", CgroupProcesses)
+ }
+
+ // Don't attach any pid to the cgroup if -1 is specified as a pid
+ if pid != -1 {
+ if err := ioutil.WriteFile(filepath.Join(dir, CgroupProcesses), []byte(strconv.Itoa(pid)), 0700); err != nil {
+ return fmt.Errorf("failed to write %v to %v: %v", pid, CgroupProcesses, err)
+ }
+ }
+ return nil
+}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/utils_test.go b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/utils_test.go
index 47bbd5e2345890704776ec0f9c5059307726998b..fcca9d73a59487003f624c30acd77f0a69f4fa27 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/utils_test.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/utils_test.go
@@ -4,6 +4,8 @@ package cgroups
import (
"bytes"
+ "fmt"
+ "reflect"
"strings"
"testing"
)
@@ -91,6 +93,90 @@ const systemdMountinfo = `115 83 0:32 / / rw,relatime - aufs none rw,si=c0bd3d3,
136 117 0:12 /1 /dev/console rw,nosuid,noexec,relatime - devpts none rw,gid=5,mode=620,ptmxmode=000
84 115 0:40 / /tmp rw,relatime - tmpfs none rw`
+const bedrockMountinfo = `120 17 0:28 / /sys/fs/cgroup ro,nosuid,nodev,noexec shared:16 - tmpfs tmpfs ro,mode=755
+124 28 0:28 / /bedrock/strata/arch/sys/fs/cgroup rw,nosuid,nodev,noexec shared:16 - tmpfs tmpfs ro,mode=755
+123 53 0:28 / /bedrock/strata/fallback/sys/fs/cgroup rw,nosuid,nodev,noexec shared:16 - tmpfs tmpfs ro,mode=755
+122 71 0:28 / /bedrock/strata/gentoo/sys/fs/cgroup rw,nosuid,nodev,noexec shared:16 - tmpfs tmpfs ro,mode=755
+121 89 0:28 / /bedrock/strata/kde/sys/fs/cgroup rw,nosuid,nodev,noexec shared:16 - tmpfs tmpfs ro,mode=755
+125 120 0:29 / /sys/fs/cgroup/systemd rw,nosuid,nodev,noexec,relatime shared:17 - cgroup cgroup rw,xattr,release_agent=/lib/systemd/systemd-cgroups-agent,name=systemd
+129 124 0:29 / /bedrock/strata/arch/sys/fs/cgroup/systemd rw,nosuid,nodev,noexec,relatime shared:17 - cgroup cgroup rw,xattr,release_agent=/lib/systemd/systemd-cgroups-agent,name=systemd
+128 123 0:29 / /bedrock/strata/fallback/sys/fs/cgroup/systemd rw,nosuid,nodev,noexec,relatime shared:17 - cgroup cgroup rw,xattr,release_agent=/lib/systemd/systemd-cgroups-agent,name=systemd
+127 122 0:29 / /bedrock/strata/gentoo/sys/fs/cgroup/systemd rw,nosuid,nodev,noexec,relatime shared:17 - cgroup cgroup rw,xattr,release_agent=/lib/systemd/systemd-cgroups-agent,name=systemd
+126 121 0:29 / /bedrock/strata/kde/sys/fs/cgroup/systemd rw,nosuid,nodev,noexec,relatime shared:17 - cgroup cgroup rw,xattr,release_agent=/lib/systemd/systemd-cgroups-agent,name=systemd
+140 120 0:32 / /sys/fs/cgroup/net_cls,net_prio rw,nosuid,nodev,noexec,relatime shared:48 - cgroup cgroup rw,net_cls,net_prio
+144 124 0:32 / /bedrock/strata/arch/sys/fs/cgroup/net_cls,net_prio rw,nosuid,nodev,noexec,relatime shared:48 - cgroup cgroup rw,net_cls,net_prio
+143 123 0:32 / /bedrock/strata/fallback/sys/fs/cgroup/net_cls,net_prio rw,nosuid,nodev,noexec,relatime shared:48 - cgroup cgroup rw,net_cls,net_prio
+142 122 0:32 / /bedrock/strata/gentoo/sys/fs/cgroup/net_cls,net_prio rw,nosuid,nodev,noexec,relatime shared:48 - cgroup cgroup rw,net_cls,net_prio
+141 121 0:32 / /bedrock/strata/kde/sys/fs/cgroup/net_cls,net_prio rw,nosuid,nodev,noexec,relatime shared:48 - cgroup cgroup rw,net_cls,net_prio
+145 120 0:33 / /sys/fs/cgroup/blkio rw,nosuid,nodev,noexec,relatime shared:49 - cgroup cgroup rw,blkio
+149 124 0:33 / /bedrock/strata/arch/sys/fs/cgroup/blkio rw,nosuid,nodev,noexec,relatime shared:49 - cgroup cgroup rw,blkio
+148 123 0:33 / /bedrock/strata/fallback/sys/fs/cgroup/blkio rw,nosuid,nodev,noexec,relatime shared:49 - cgroup cgroup rw,blkio
+147 122 0:33 / /bedrock/strata/gentoo/sys/fs/cgroup/blkio rw,nosuid,nodev,noexec,relatime shared:49 - cgroup cgroup rw,blkio
+146 121 0:33 / /bedrock/strata/kde/sys/fs/cgroup/blkio rw,nosuid,nodev,noexec,relatime shared:49 - cgroup cgroup rw,blkio
+150 120 0:34 / /sys/fs/cgroup/cpu,cpuacct rw,nosuid,nodev,noexec,relatime shared:50 - cgroup cgroup rw,cpu,cpuacct
+154 124 0:34 / /bedrock/strata/arch/sys/fs/cgroup/cpu,cpuacct rw,nosuid,nodev,noexec,relatime shared:50 - cgroup cgroup rw,cpu,cpuacct
+153 123 0:34 / /bedrock/strata/fallback/sys/fs/cgroup/cpu,cpuacct rw,nosuid,nodev,noexec,relatime shared:50 - cgroup cgroup rw,cpu,cpuacct
+152 122 0:34 / /bedrock/strata/gentoo/sys/fs/cgroup/cpu,cpuacct rw,nosuid,nodev,noexec,relatime shared:50 - cgroup cgroup rw,cpu,cpuacct
+151 121 0:34 / /bedrock/strata/kde/sys/fs/cgroup/cpu,cpuacct rw,nosuid,nodev,noexec,relatime shared:50 - cgroup cgroup rw,cpu,cpuacct
+155 120 0:35 / /sys/fs/cgroup/cpuset rw,nosuid,nodev,noexec,relatime shared:51 - cgroup cgroup rw,cpuset
+159 124 0:35 / /bedrock/strata/arch/sys/fs/cgroup/cpuset rw,nosuid,nodev,noexec,relatime shared:51 - cgroup cgroup rw,cpuset
+158 123 0:35 / /bedrock/strata/fallback/sys/fs/cgroup/cpuset rw,nosuid,nodev,noexec,relatime shared:51 - cgroup cgroup rw,cpuset
+157 122 0:35 / /bedrock/strata/gentoo/sys/fs/cgroup/cpuset rw,nosuid,nodev,noexec,relatime shared:51 - cgroup cgroup rw,cpuset
+156 121 0:35 / /bedrock/strata/kde/sys/fs/cgroup/cpuset rw,nosuid,nodev,noexec,relatime shared:51 - cgroup cgroup rw,cpuset
+160 120 0:36 / /sys/fs/cgroup/devices rw,nosuid,nodev,noexec,relatime shared:52 - cgroup cgroup rw,devices
+164 124 0:36 / /bedrock/strata/arch/sys/fs/cgroup/devices rw,nosuid,nodev,noexec,relatime shared:52 - cgroup cgroup rw,devices
+163 123 0:36 / /bedrock/strata/fallback/sys/fs/cgroup/devices rw,nosuid,nodev,noexec,relatime shared:52 - cgroup cgroup rw,devices
+162 122 0:36 / /bedrock/strata/gentoo/sys/fs/cgroup/devices rw,nosuid,nodev,noexec,relatime shared:52 - cgroup cgroup rw,devices
+161 121 0:36 / /bedrock/strata/kde/sys/fs/cgroup/devices rw,nosuid,nodev,noexec,relatime shared:52 - cgroup cgroup rw,devices
+165 120 0:37 / /sys/fs/cgroup/memory rw,nosuid,nodev,noexec,relatime shared:53 - cgroup cgroup rw,memory
+169 124 0:37 / /bedrock/strata/arch/sys/fs/cgroup/memory rw,nosuid,nodev,noexec,relatime shared:53 - cgroup cgroup rw,memory
+168 123 0:37 / /bedrock/strata/fallback/sys/fs/cgroup/memory rw,nosuid,nodev,noexec,relatime shared:53 - cgroup cgroup rw,memory
+167 122 0:37 / /bedrock/strata/gentoo/sys/fs/cgroup/memory rw,nosuid,nodev,noexec,relatime shared:53 - cgroup cgroup rw,memory
+166 121 0:37 / /bedrock/strata/kde/sys/fs/cgroup/memory rw,nosuid,nodev,noexec,relatime shared:53 - cgroup cgroup rw,memory
+170 120 0:38 / /sys/fs/cgroup/freezer rw,nosuid,nodev,noexec,relatime shared:54 - cgroup cgroup rw,freezer
+174 124 0:38 / /bedrock/strata/arch/sys/fs/cgroup/freezer rw,nosuid,nodev,noexec,relatime shared:54 - cgroup cgroup rw,freezer
+173 123 0:38 / /bedrock/strata/fallback/sys/fs/cgroup/freezer rw,nosuid,nodev,noexec,relatime shared:54 - cgroup cgroup rw,freezer
+172 122 0:38 / /bedrock/strata/gentoo/sys/fs/cgroup/freezer rw,nosuid,nodev,noexec,relatime shared:54 - cgroup cgroup rw,freezer
+171 121 0:38 / /bedrock/strata/kde/sys/fs/cgroup/freezer rw,nosuid,nodev,noexec,relatime shared:54 - cgroup cgroup rw,freezer
+175 120 0:39 / /sys/fs/cgroup/pids rw,nosuid,nodev,noexec,relatime shared:55 - cgroup cgroup rw,pids
+179 124 0:39 / /bedrock/strata/arch/sys/fs/cgroup/pids rw,nosuid,nodev,noexec,relatime shared:55 - cgroup cgroup rw,pids
+178 123 0:39 / /bedrock/strata/fallback/sys/fs/cgroup/pids rw,nosuid,nodev,noexec,relatime shared:55 - cgroup cgroup rw,pids
+177 122 0:39 / /bedrock/strata/gentoo/sys/fs/cgroup/pids rw,nosuid,nodev,noexec,relatime shared:55 - cgroup cgroup rw,pids
+176 121 0:39 / /bedrock/strata/kde/sys/fs/cgroup/pids rw,nosuid,nodev,noexec,relatime shared:55 - cgroup cgroup rw,pids
+180 120 0:40 / /sys/fs/cgroup/perf_event rw,nosuid,nodev,noexec,relatime shared:56 - cgroup cgroup rw,perf_event
+184 124 0:40 / /bedrock/strata/arch/sys/fs/cgroup/perf_event rw,nosuid,nodev,noexec,relatime shared:56 - cgroup cgroup rw,perf_event
+183 123 0:40 / /bedrock/strata/fallback/sys/fs/cgroup/perf_event rw,nosuid,nodev,noexec,relatime shared:56 - cgroup cgroup rw,perf_event
+182 122 0:40 / /bedrock/strata/gentoo/sys/fs/cgroup/perf_event rw,nosuid,nodev,noexec,relatime shared:56 - cgroup cgroup rw,perf_event
+181 121 0:40 / /bedrock/strata/kde/sys/fs/cgroup/perf_event rw,nosuid,nodev,noexec,relatime shared:56 - cgroup cgroup rw,perf_event`
+
+const cgroup2Mountinfo = `18 64 0:18 / /sys rw,nosuid,nodev,noexec,relatime shared:6 - sysfs sysfs rw,seclabel
+19 64 0:4 / /proc rw,nosuid,nodev,noexec,relatime shared:5 - proc proc rw
+20 64 0:6 / /dev rw,nosuid shared:2 - devtmpfs devtmpfs rw,seclabel,size=8171204k,nr_inodes=2042801,mode=755
+21 18 0:19 / /sys/kernel/security rw,nosuid,nodev,noexec,relatime shared:7 - securityfs securityfs rw
+22 20 0:20 / /dev/shm rw,nosuid,nodev shared:3 - tmpfs tmpfs rw,seclabel
+23 20 0:21 / /dev/pts rw,nosuid,noexec,relatime shared:4 - devpts devpts rw,seclabel,gid=5,mode=620,ptmxmode=000
+24 64 0:22 / /run rw,nosuid,nodev shared:24 - tmpfs tmpfs rw,seclabel,mode=755
+25 18 0:23 / /sys/fs/cgroup ro,nosuid,nodev,noexec shared:8 - tmpfs tmpfs ro,seclabel,mode=755
+26 25 0:24 / /sys/fs/cgroup/systemd rw,nosuid,nodev,noexec,relatime shared:9 - cgroup2 cgroup rw
+27 18 0:25 / /sys/fs/pstore rw,nosuid,nodev,noexec,relatime shared:20 - pstore pstore rw,seclabel
+28 18 0:26 / /sys/firmware/efi/efivars rw,nosuid,nodev,noexec,relatime shared:21 - efivarfs efivarfs rw
+29 25 0:27 / /sys/fs/cgroup/cpu,cpuacct rw,nosuid,nodev,noexec,relatime shared:10 - cgroup cgroup rw,cpu,cpuacct
+30 25 0:28 / /sys/fs/cgroup/memory rw,nosuid,nodev,noexec,relatime shared:11 - cgroup cgroup rw,memory
+31 25 0:29 / /sys/fs/cgroup/net_cls,net_prio rw,nosuid,nodev,noexec,relatime shared:12 - cgroup cgroup rw,net_cls,net_prio
+32 25 0:30 / /sys/fs/cgroup/blkio rw,nosuid,nodev,noexec,relatime shared:13 - cgroup cgroup rw,blkio
+33 25 0:31 / /sys/fs/cgroup/perf_event rw,nosuid,nodev,noexec,relatime shared:14 - cgroup cgroup rw,perf_event
+34 25 0:32 / /sys/fs/cgroup/hugetlb rw,nosuid,nodev,noexec,relatime shared:15 - cgroup cgroup rw,hugetlb
+35 25 0:33 / /sys/fs/cgroup/freezer rw,nosuid,nodev,noexec,relatime shared:16 - cgroup cgroup rw,freezer
+36 25 0:34 / /sys/fs/cgroup/cpuset rw,nosuid,nodev,noexec,relatime shared:17 - cgroup cgroup rw,cpuset
+37 25 0:35 / /sys/fs/cgroup/devices rw,nosuid,nodev,noexec,relatime shared:18 - cgroup cgroup rw,devices
+38 25 0:36 / /sys/fs/cgroup/pids rw,nosuid,nodev,noexec,relatime shared:19 - cgroup cgroup rw,pids
+61 18 0:37 / /sys/kernel/config rw,relatime shared:22 - configfs configfs rw
+64 0 253:0 / / rw,relatime shared:1 - ext4 /dev/mapper/fedora_dhcp--16--129-root rw,seclabel,data=ordered
+39 18 0:17 / /sys/fs/selinux rw,relatime shared:23 - selinuxfs selinuxfs rw
+40 20 0:16 / /dev/mqueue rw,relatime shared:25 - mqueue mqueue rw,seclabel
+41 20 0:39 / /dev/hugepages rw,relatime shared:26 - hugetlbfs hugetlbfs rw,seclabel
+`
+
func TestGetCgroupMounts(t *testing.T) {
type testData struct {
mountInfo string
@@ -102,37 +188,52 @@ func TestGetCgroupMounts(t *testing.T) {
mountInfo: fedoraMountinfo,
root: "/",
subsystems: map[string]bool{
- "cpuset": true,
- "cpu": true,
- "cpuacct": true,
- "memory": true,
- "devices": true,
- "freezer": true,
- "net_cls": true,
- "blkio": true,
- "perf_event": true,
- "hugetlb": true,
+ "cpuset": false,
+ "cpu": false,
+ "cpuacct": false,
+ "memory": false,
+ "devices": false,
+ "freezer": false,
+ "net_cls": false,
+ "blkio": false,
+ "perf_event": false,
+ "hugetlb": false,
},
},
{
mountInfo: systemdMountinfo,
root: "/system.slice/docker-dc4eaa1a34ec4d593bc0125d31eea823a1d76ae483aeb1409cca80304e34da2e.scope",
subsystems: map[string]bool{
- "cpuset": true,
- "cpu": true,
- "cpuacct": true,
- "memory": true,
- "devices": true,
- "freezer": true,
- "net_cls": true,
- "blkio": true,
- "perf_event": true,
+ "cpuset": false,
+ "cpu": false,
+ "cpuacct": false,
+ "memory": false,
+ "devices": false,
+ "freezer": false,
+ "net_cls": false,
+ "blkio": false,
+ "perf_event": false,
+ },
+ },
+ {
+ mountInfo: bedrockMountinfo,
+ root: "/",
+ subsystems: map[string]bool{
+ "cpuset": false,
+ "cpu": false,
+ "cpuacct": false,
+ "memory": false,
+ "devices": false,
+ "freezer": false,
+ "net_cls": false,
+ "blkio": false,
+ "perf_event": false,
},
},
}
for _, td := range testTable {
mi := bytes.NewBufferString(td.mountInfo)
- cgMounts, err := getCgroupMountsHelper(td.subsystems, mi)
+ cgMounts, err := getCgroupMountsHelper(td.subsystems, mi, false)
if err != nil {
t.Fatal(err)
}
@@ -169,24 +270,154 @@ func TestGetCgroupMounts(t *testing.T) {
func BenchmarkGetCgroupMounts(b *testing.B) {
subsystems := map[string]bool{
- "cpuset": true,
- "cpu": true,
- "cpuacct": true,
- "memory": true,
- "devices": true,
- "freezer": true,
- "net_cls": true,
- "blkio": true,
- "perf_event": true,
- "hugetlb": true,
+ "cpuset": false,
+ "cpu": false,
+ "cpuacct": false,
+ "memory": false,
+ "devices": false,
+ "freezer": false,
+ "net_cls": false,
+ "blkio": false,
+ "perf_event": false,
+ "hugetlb": false,
}
b.ResetTimer()
for i := 0; i < b.N; i++ {
b.StopTimer()
mi := bytes.NewBufferString(fedoraMountinfo)
b.StartTimer()
- if _, err := getCgroupMountsHelper(subsystems, mi); err != nil {
+ if _, err := getCgroupMountsHelper(subsystems, mi, false); err != nil {
b.Fatal(err)
}
}
}
+
+func TestParseCgroupString(t *testing.T) {
+ testCases := []struct {
+ input string
+ expectedError error
+ expectedOutput map[string]string
+ }{
+ {
+ // Taken from a CoreOS instance running systemd 225 with CPU/Mem
+ // accounting enabled in systemd
+ input: `9:blkio:/
+8:freezer:/
+7:perf_event:/
+6:devices:/system.slice/system-sshd.slice
+5:cpuset:/
+4:cpu,cpuacct:/system.slice/system-sshd.slice/sshd@126-10.240.0.15:22-xxx.yyy.zzz.aaa:33678.service
+3:net_cls,net_prio:/
+2:memory:/system.slice/system-sshd.slice/sshd@126-10.240.0.15:22-xxx.yyy.zzz.aaa:33678.service
+1:name=systemd:/system.slice/system-sshd.slice/sshd@126-10.240.0.15:22-xxx.yyy.zzz.aaa:33678.service`,
+ expectedOutput: map[string]string{
+ "name=systemd": "/system.slice/system-sshd.slice/sshd@126-10.240.0.15:22-xxx.yyy.zzz.aaa:33678.service",
+ "blkio": "/",
+ "freezer": "/",
+ "perf_event": "/",
+ "devices": "/system.slice/system-sshd.slice",
+ "cpuset": "/",
+ "cpu": "/system.slice/system-sshd.slice/sshd@126-10.240.0.15:22-xxx.yyy.zzz.aaa:33678.service",
+ "cpuacct": "/system.slice/system-sshd.slice/sshd@126-10.240.0.15:22-xxx.yyy.zzz.aaa:33678.service",
+ "net_cls": "/",
+ "net_prio": "/",
+ "memory": "/system.slice/system-sshd.slice/sshd@126-10.240.0.15:22-xxx.yyy.zzz.aaa:33678.service",
+ },
+ },
+ {
+ input: `malformed input`,
+ expectedError: fmt.Errorf(`invalid cgroup entry: must contain at least two colons: malformed input`),
+ },
+ }
+
+ for ndx, testCase := range testCases {
+ out, err := parseCgroupFromReader(strings.NewReader(testCase.input))
+ if err != nil {
+ if testCase.expectedError == nil || testCase.expectedError.Error() != err.Error() {
+ t.Errorf("%v: expected error %v, got error %v", ndx, testCase.expectedError, err)
+ }
+ } else {
+ if !reflect.DeepEqual(testCase.expectedOutput, out) {
+ t.Errorf("%v: expected output %v, got error %v", ndx, testCase.expectedOutput, out)
+ }
+ }
+ }
+
+}
+
+func TestIgnoreCgroup2Mount(t *testing.T) {
+ subsystems := map[string]bool{
+ "cpuset": false,
+ "cpu": false,
+ "cpuacct": false,
+ "memory": false,
+ "devices": false,
+ "freezer": false,
+ "net_cls": false,
+ "blkio": false,
+ "perf_event": false,
+ "pids": false,
+ "name=systemd": false,
+ }
+
+ mi := bytes.NewBufferString(cgroup2Mountinfo)
+ cgMounts, err := getCgroupMountsHelper(subsystems, mi, false)
+ if err != nil {
+ t.Fatal(err)
+ }
+ for _, m := range cgMounts {
+ if m.Mountpoint == "/sys/fs/cgroup/systemd" {
+ t.Errorf("parsed a cgroup2 mount at /sys/fs/cgroup/systemd instead of ignoring it")
+ }
+ }
+}
+
+func TestGetClosestMountpointAncestor(t *testing.T) {
+ fakeMountInfo := ` 18 24 0:17 / /sys rw,nosuid,nodev,noexec,relatime - sysfs sysfs rw
+100 99 1:31 / /foo/bar rw,relatime - fake fake rw,fake
+100 99 1:31 / /foo/bar/baz2 rw,relatime - fake fake rw,fake
+100 99 1:31 / /foo/bar/baz rw,relatime - fake fake rw,fake
+100 99 1:31 / /foo/bar/bazza rw,relatime - fake fake rw,fake
+100 99 1:31 / /foo/bar/baz3 rw,relatime - fake fake rw,fake
+100 99 1:31 / /foo rw,relatime - fake fake rw,fake
+100 99 1:31 / /unrelated rw,relatime - fake fake rw,fake
+100 99 1:31 / / rw,relatime - fake fake rw,fake
+`
+ testCases := []struct {
+ input string
+ output string
+ }{
+ {input: "/foo/bar/baz/a/b/c", output: "/foo/bar/baz"},
+ {input: "/foo/bar/baz", output: "/foo/bar/baz"},
+ {input: "/foo/bar/bazza", output: "/foo/bar/bazza"},
+ {input: "/a/b/c/d", output: "/"},
+ }
+
+ for _, c := range testCases {
+ mountpoint := GetClosestMountpointAncestor(c.input, fakeMountInfo)
+ if mountpoint != c.output {
+ t.Errorf("expected %s, got %s", c.output, mountpoint)
+ }
+ }
+}
+
+func TestFindCgroupMountpointAndRoot(t *testing.T) {
+ fakeMountInfo := `
+35 27 0:29 / /foo rw,nosuid,nodev,noexec,relatime shared:18 - cgroup cgroup rw,devices
+35 27 0:29 / /sys/fs/cgroup/devices rw,nosuid,nodev,noexec,relatime shared:18 - cgroup cgroup rw,devices
+`
+ testCases := []struct {
+ cgroupPath string
+ output string
+ }{
+ {cgroupPath: "/sys/fs", output: "/sys/fs/cgroup/devices"},
+ {cgroupPath: "", output: "/foo"},
+ }
+
+ for _, c := range testCases {
+ mountpoint, _, _ := findCgroupMountpointAndRootFromReader(strings.NewReader(fakeMountInfo), c.cgroupPath, "devices")
+ if mountpoint != c.output {
+ t.Errorf("expected %s, got %s", c.output, mountpoint)
+ }
+ }
+}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/compat_1.5_linux.go b/vendor/github.com/opencontainers/runc/libcontainer/compat_1.5_linux.go
deleted file mode 100644
index c7bdf1f60a01f3f72dd20c7403253128638d8af3..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/libcontainer/compat_1.5_linux.go
+++ /dev/null
@@ -1,10 +0,0 @@
-// +build linux,!go1.5
-
-package libcontainer
-
-import "syscall"
-
-// GidMappingsEnableSetgroups was added in Go 1.5, so do nothing when building
-// with earlier versions
-func enableSetgroups(sys *syscall.SysProcAttr) {
-}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/configs/cgroup_unix.go b/vendor/github.com/opencontainers/runc/libcontainer/configs/cgroup_linux.go
similarity index 86%
rename from vendor/github.com/opencontainers/runc/libcontainer/configs/cgroup_unix.go
rename to vendor/github.com/opencontainers/runc/libcontainer/configs/cgroup_linux.go
index 2ea00658f51a2a6606355231f2cbf94661c0703a..e15a662f52288966e6a88fbb85c60f5e7705f240 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/configs/cgroup_unix.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/configs/cgroup_linux.go
@@ -1,5 +1,3 @@
-// +build linux freebsd
-
package configs
type FreezerState string
@@ -22,7 +20,7 @@ type Cgroup struct {
// The path is assumed to be relative to the host system cgroup mountpoint.
Path string `json:"path"`
- // ScopePrefix decribes prefix for the scope name
+ // ScopePrefix describes prefix for the scope name
ScopePrefix string `json:"scope_prefix"`
// Paths represent the absolute cgroups paths to join.
@@ -36,7 +34,7 @@ type Cgroup struct {
type Resources struct {
// If this is true allow access to any kind of device within the container. If false, allow access only to devices explicitly listed in the allowed_devices list.
// Deprecated
- AllowAllDevices bool `json:"allow_all_devices,omitempty"`
+ AllowAllDevices *bool `json:"allow_all_devices,omitempty"`
// Deprecated
AllowedDevices []*Device `json:"allowed_devices,omitempty"`
// Deprecated
@@ -56,20 +54,23 @@ type Resources struct {
// Kernel memory limit (in bytes)
KernelMemory int64 `json:"kernel_memory"`
+ // Kernel memory limit for TCP use (in bytes)
+ KernelMemoryTCP int64 `json:"kernel_memory_tcp"`
+
// CPU shares (relative weight vs. other containers)
- CpuShares int64 `json:"cpu_shares"`
+ CpuShares uint64 `json:"cpu_shares"`
// CPU hardcap limit (in usecs). Allowed cpu time in a given period.
CpuQuota int64 `json:"cpu_quota"`
// CPU period to be used for hardcapping (in usecs). 0 to use system default.
- CpuPeriod int64 `json:"cpu_period"`
+ CpuPeriod uint64 `json:"cpu_period"`
// How many time CPU will use in realtime scheduling (in usecs).
- CpuRtRuntime int64 `json:"cpu_quota"`
+ CpuRtRuntime int64 `json:"cpu_rt_quota"`
// CPU period to be used for realtime scheduling (in usecs).
- CpuRtPeriod int64 `json:"cpu_period"`
+ CpuRtPeriod uint64 `json:"cpu_rt_period"`
// CPU to use
CpusetCpus string `json:"cpuset_cpus"`
@@ -92,7 +93,7 @@ type Resources struct {
// IO read rate limit per cgroup per device, bytes per second.
BlkioThrottleReadBpsDevice []*ThrottleDevice `json:"blkio_throttle_read_bps_device"`
- // IO write rate limit per cgroup per divice, bytes per second.
+ // IO write rate limit per cgroup per device, bytes per second.
BlkioThrottleWriteBpsDevice []*ThrottleDevice `json:"blkio_throttle_write_bps_device"`
// IO read rate limit per cgroup per device, IO per second.
@@ -111,11 +112,11 @@ type Resources struct {
OomKillDisable bool `json:"oom_kill_disable"`
// Tuning swappiness behaviour per cgroup
- MemorySwappiness *int64 `json:"memory_swappiness"`
+ MemorySwappiness *uint64 `json:"memory_swappiness"`
// Set priority of network traffic for container
NetPrioIfpriomap []*IfPrioMap `json:"net_prio_ifpriomap"`
// Set class identifier for container's network packets
- NetClsClassid string `json:"net_cls_classid"`
+ NetClsClassid uint32 `json:"net_cls_classid_u"`
}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/configs/cgroup_unsupported.go b/vendor/github.com/opencontainers/runc/libcontainer/configs/cgroup_unsupported.go
deleted file mode 100644
index 95e2830a43602596f7e03d06575dba710d0d4b12..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/libcontainer/configs/cgroup_unsupported.go
+++ /dev/null
@@ -1,6 +0,0 @@
-// +build !windows,!linux,!freebsd
-
-package configs
-
-type Cgroup struct {
-}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/configs/config.go b/vendor/github.com/opencontainers/runc/libcontainer/configs/config.go
index 3b6d5c07720b7a0b68e6d2e5c9aed97f505965c0..7728522fef60d5d1142a5f6b5fc33245b6a50e49 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/configs/config.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/configs/config.go
@@ -3,7 +3,11 @@ package configs
import (
"bytes"
"encoding/json"
+ "fmt"
"os/exec"
+ "time"
+
+ "github.com/opencontainers/runtime-spec/specs-go"
"github.com/sirupsen/logrus"
)
@@ -31,7 +35,7 @@ type Seccomp struct {
Syscalls []*Syscall `json:"syscalls"`
}
-// An action to be taken upon rule match in Seccomp
+// Action is taken upon rule match in Seccomp
type Action int
const (
@@ -42,7 +46,7 @@ const (
Trace
)
-// A comparison operator to be used when matching syscall arguments in Seccomp
+// Operator is a comparison operator to be used when matching syscall arguments in Seccomp
type Operator int
const (
@@ -55,7 +59,7 @@ const (
MaskEqualTo
)
-// A rule to match a specific syscall argument in Seccomp
+// Arg is a rule to match a specific syscall argument in Seccomp
type Arg struct {
Index uint `json:"index"`
Value uint64 `json:"value"`
@@ -63,7 +67,7 @@ type Arg struct {
Op Operator `json:"op"`
}
-// An rule to match a syscall in Seccomp
+// Syscall is a rule to match a syscall in Seccomp
type Syscall struct {
Name string `json:"name"`
Action Action `json:"action"`
@@ -83,11 +87,6 @@ type Config struct {
// that the parent process dies.
ParentDeathSignal int `json:"parent_death_signal"`
- // PivotDir allows a custom directory inside the container's root filesystem to be used as pivot, when NoPivotRoot is not set.
- // When a custom PivotDir not set, a temporary dir inside the root filesystem will be used. The pivot dir needs to be writeable.
- // This is required when using read only root filesystems. In these cases, a read/writeable path can be (bind) mounted somewhere inside the root filesystem to act as pivot.
- PivotDir string `json:"pivot_dir"`
-
// Path to a directory containing the container's root filesystem.
Rootfs string `json:"rootfs"`
@@ -115,8 +114,8 @@ type Config struct {
Namespaces Namespaces `json:"namespaces"`
// Capabilities specify the capabilities to keep when executing the process inside the container
- // All capbilities not specified will be dropped from the processes capability mask
- Capabilities []string `json:"capabilities"`
+ // All capabilities not specified will be dropped from the processes capability mask
+ Capabilities *Capabilities `json:"capabilities"`
// Networks specifies the container's network setup to be created
Networks []*Network `json:"networks"`
@@ -142,13 +141,10 @@ type Config struct {
// OomScoreAdj specifies the adjustment to be made by the kernel when calculating oom scores
// for a process. Valid values are between the range [-1000, '1000'], where processes with
- // higher scores are preferred for being killed.
+ // higher scores are preferred for being killed. If it is unset then we don't touch the current
+ // value.
// More information about kernel oom score calculation here: https://lwn.net/Articles/317814/
- OomScoreAdj int `json:"oom_score_adj"`
-
- // AdditionalGroups specifies the gids that should be added to supplementary groups
- // in addition to those that the user belongs to.
- AdditionalGroups []string `json:"additional_groups"`
+ OomScoreAdj *int `json:"oom_score_adj,omitempty"`
// UidMappings is an array of User ID mappings for User Namespaces
UidMappings []IDMap `json:"uid_mappings"`
@@ -185,6 +181,24 @@ type Config struct {
// Labels are user defined metadata that is stored in the config and populated on the state
Labels []string `json:"labels"`
+
+ // NoNewKeyring will not allocated a new session keyring for the container. It will use the
+ // callers keyring in this case.
+ NoNewKeyring bool `json:"no_new_keyring"`
+
+ // IntelRdt specifies settings for Intel RDT group that the container is placed into
+ // to limit the resources (e.g., L3 cache, memory bandwidth) the container has available
+ IntelRdt *IntelRdt `json:"intel_rdt,omitempty"`
+
+ // RootlessEUID is set when the runc was launched with non-zero EUID.
+ // Note that RootlessEUID is set to false when launched with EUID=0 in userns.
+ // When RootlessEUID is set, runc creates a new userns for the container.
+ // (config.json needs to contain userns settings)
+ RootlessEUID bool `json:"rootless_euid,omitempty"`
+
+ // RootlessCgroups is set when unlikely to have the full access to cgroups.
+ // When RootlessCgroups is set, cgroups errors are ignored.
+ RootlessCgroups bool `json:"rootless_cgroups,omitempty"`
}
type Hooks struct {
@@ -199,6 +213,19 @@ type Hooks struct {
Poststop []Hook
}
+type Capabilities struct {
+ // Bounding is the set of capabilities checked by the kernel.
+ Bounding []string
+ // Effective is the set of capabilities checked by the kernel.
+ Effective []string
+ // Inheritable is the capabilities preserved across execve.
+ Inheritable []string
+ // Permitted is the limiting superset for effective capabilities.
+ Permitted []string
+ // Ambient is the ambient set of capabilities that are kept.
+ Ambient []string
+}
+
func (hooks *Hooks) UnmarshalJSON(b []byte) error {
var state struct {
Prestart []CommandHook
@@ -245,42 +272,35 @@ func (hooks Hooks) MarshalJSON() ([]byte, error) {
})
}
-// HookState is the payload provided to a hook on execution.
-type HookState struct {
- Version string `json:"version"`
- ID string `json:"id"`
- Pid int `json:"pid"`
- Root string `json:"root"`
-}
-
type Hook interface {
// Run executes the hook with the provided state.
- Run(HookState) error
+ Run(*specs.State) error
}
-// NewFunctionHooks will call the provided function when the hook is run.
-func NewFunctionHook(f func(HookState) error) FuncHook {
+// NewFunctionHook will call the provided function when the hook is run.
+func NewFunctionHook(f func(*specs.State) error) FuncHook {
return FuncHook{
run: f,
}
}
type FuncHook struct {
- run func(HookState) error
+ run func(*specs.State) error
}
-func (f FuncHook) Run(s HookState) error {
+func (f FuncHook) Run(s *specs.State) error {
return f.run(s)
}
type Command struct {
- Path string `json:"path"`
- Args []string `json:"args"`
- Env []string `json:"env"`
- Dir string `json:"dir"`
+ Path string `json:"path"`
+ Args []string `json:"args"`
+ Env []string `json:"env"`
+ Dir string `json:"dir"`
+ Timeout *time.Duration `json:"timeout"`
}
-// NewCommandHooks will execute the provided command when the hook is run.
+// NewCommandHook will execute the provided command when the hook is run.
func NewCommandHook(cmd Command) CommandHook {
return CommandHook{
Command: cmd,
@@ -291,16 +311,43 @@ type CommandHook struct {
Command
}
-func (c Command) Run(s HookState) error {
+func (c Command) Run(s *specs.State) error {
b, err := json.Marshal(s)
if err != nil {
return err
}
+ var stdout, stderr bytes.Buffer
cmd := exec.Cmd{
- Path: c.Path,
- Args: c.Args,
- Env: c.Env,
- Stdin: bytes.NewReader(b),
+ Path: c.Path,
+ Args: c.Args,
+ Env: c.Env,
+ Stdin: bytes.NewReader(b),
+ Stdout: &stdout,
+ Stderr: &stderr,
+ }
+ if err := cmd.Start(); err != nil {
+ return err
+ }
+ errC := make(chan error, 1)
+ go func() {
+ err := cmd.Wait()
+ if err != nil {
+ err = fmt.Errorf("error running hook: %v, stdout: %s, stderr: %s", err, stdout.String(), stderr.String())
+ }
+ errC <- err
+ }()
+ var timerCh <-chan time.Time
+ if c.Timeout != nil {
+ timer := time.NewTimer(*c.Timeout)
+ defer timer.Stop()
+ timerCh = timer.C
+ }
+ select {
+ case err := <-errC:
+ return err
+ case <-timerCh:
+ cmd.Process.Kill()
+ cmd.Wait()
+ return fmt.Errorf("hook ran past specified timeout of %.1fs", c.Timeout.Seconds())
}
- return cmd.Run()
}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/configs/config_linux.go b/vendor/github.com/opencontainers/runc/libcontainer/configs/config_linux.go
new file mode 100644
index 0000000000000000000000000000000000000000..07da10804540de7292d918347f755367d985b23b
--- /dev/null
+++ b/vendor/github.com/opencontainers/runc/libcontainer/configs/config_linux.go
@@ -0,0 +1,61 @@
+package configs
+
+import "fmt"
+
+// HostUID gets the translated uid for the process on host which could be
+// different when user namespaces are enabled.
+func (c Config) HostUID(containerId int) (int, error) {
+ if c.Namespaces.Contains(NEWUSER) {
+ if c.UidMappings == nil {
+ return -1, fmt.Errorf("User namespaces enabled, but no uid mappings found.")
+ }
+ id, found := c.hostIDFromMapping(containerId, c.UidMappings)
+ if !found {
+ return -1, fmt.Errorf("User namespaces enabled, but no user mapping found.")
+ }
+ return id, nil
+ }
+ // Return unchanged id.
+ return containerId, nil
+}
+
+// HostRootUID gets the root uid for the process on host which could be non-zero
+// when user namespaces are enabled.
+func (c Config) HostRootUID() (int, error) {
+ return c.HostUID(0)
+}
+
+// HostGID gets the translated gid for the process on host which could be
+// different when user namespaces are enabled.
+func (c Config) HostGID(containerId int) (int, error) {
+ if c.Namespaces.Contains(NEWUSER) {
+ if c.GidMappings == nil {
+ return -1, fmt.Errorf("User namespaces enabled, but no gid mappings found.")
+ }
+ id, found := c.hostIDFromMapping(containerId, c.GidMappings)
+ if !found {
+ return -1, fmt.Errorf("User namespaces enabled, but no group mapping found.")
+ }
+ return id, nil
+ }
+ // Return unchanged id.
+ return containerId, nil
+}
+
+// HostRootGID gets the root gid for the process on host which could be non-zero
+// when user namespaces are enabled.
+func (c Config) HostRootGID() (int, error) {
+ return c.HostGID(0)
+}
+
+// Utility function that gets a host ID for a container ID from user namespace map
+// if that ID is present in the map.
+func (c Config) hostIDFromMapping(containerID int, uMap []IDMap) (int, bool) {
+ for _, m := range uMap {
+ if (containerID >= m.ContainerID) && (containerID <= (m.ContainerID + m.Size - 1)) {
+ hostID := m.HostID + (containerID - m.ContainerID)
+ return hostID, true
+ }
+ }
+ return -1, false
+}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/configs/config_unix_test.go b/vendor/github.com/opencontainers/runc/libcontainer/configs/config_linux_test.go
similarity index 71%
rename from vendor/github.com/opencontainers/runc/libcontainer/configs/config_unix_test.go
rename to vendor/github.com/opencontainers/runc/libcontainer/configs/config_linux_test.go
index 27d07d4e816b02633397d54bbd3d281752b353df..9c5f0febed6b5282be73052f0a95f09db4707dbc 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/configs/config_unix_test.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/configs/config_linux_test.go
@@ -1,5 +1,3 @@
-// +build linux freebsd
-
package configs
import (
@@ -10,30 +8,6 @@ import (
"testing"
)
-// Checks whether the expected capability is specified in the capabilities.
-func contains(expected string, values []string) bool {
- for _, v := range values {
- if v == expected {
- return true
- }
- }
- return false
-}
-
-func containsDevice(expected *Device, values []*Device) bool {
- for _, d := range values {
- if d.Path == expected.Path &&
- d.Permissions == expected.Permissions &&
- d.FileMode == expected.FileMode &&
- d.Major == expected.Major &&
- d.Minor == expected.Minor &&
- d.Type == expected.Type {
- return true
- }
- }
- return false
-}
-
func loadConfig(name string) (*Config, error) {
f, err := os.Open(filepath.Join("../sample_configs", name))
if err != nil {
@@ -89,11 +63,11 @@ func TestRemoveNamespace(t *testing.T) {
}
}
-func TestHostUIDNoUSERNS(t *testing.T) {
+func TestHostRootUIDNoUSERNS(t *testing.T) {
config := &Config{
Namespaces: Namespaces{},
}
- uid, err := config.HostUID()
+ uid, err := config.HostRootUID()
if err != nil {
t.Fatal(err)
}
@@ -102,7 +76,7 @@ func TestHostUIDNoUSERNS(t *testing.T) {
}
}
-func TestHostUIDWithUSERNS(t *testing.T) {
+func TestHostRootUIDWithUSERNS(t *testing.T) {
config := &Config{
Namespaces: Namespaces{{Type: NEWUSER}},
UidMappings: []IDMap{
@@ -113,7 +87,7 @@ func TestHostUIDWithUSERNS(t *testing.T) {
},
},
}
- uid, err := config.HostUID()
+ uid, err := config.HostRootUID()
if err != nil {
t.Fatal(err)
}
@@ -122,11 +96,11 @@ func TestHostUIDWithUSERNS(t *testing.T) {
}
}
-func TestHostGIDNoUSERNS(t *testing.T) {
+func TestHostRootGIDNoUSERNS(t *testing.T) {
config := &Config{
Namespaces: Namespaces{},
}
- uid, err := config.HostGID()
+ uid, err := config.HostRootGID()
if err != nil {
t.Fatal(err)
}
@@ -135,7 +109,7 @@ func TestHostGIDNoUSERNS(t *testing.T) {
}
}
-func TestHostGIDWithUSERNS(t *testing.T) {
+func TestHostRootGIDWithUSERNS(t *testing.T) {
config := &Config{
Namespaces: Namespaces{{Type: NEWUSER}},
GidMappings: []IDMap{
@@ -146,7 +120,7 @@ func TestHostGIDWithUSERNS(t *testing.T) {
},
},
}
- uid, err := config.HostGID()
+ uid, err := config.HostRootGID()
if err != nil {
t.Fatal(err)
}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/configs/config_test.go b/vendor/github.com/opencontainers/runc/libcontainer/configs/config_test.go
new file mode 100644
index 0000000000000000000000000000000000000000..c89a764de1adae7ccf8c941bb109391ee5ef9257
--- /dev/null
+++ b/vendor/github.com/opencontainers/runc/libcontainer/configs/config_test.go
@@ -0,0 +1,195 @@
+package configs_test
+
+import (
+ "encoding/json"
+ "fmt"
+ "os"
+ "reflect"
+ "testing"
+ "time"
+
+ "github.com/opencontainers/runc/libcontainer/configs"
+ "github.com/opencontainers/runtime-spec/specs-go"
+)
+
+func TestUnmarshalHooks(t *testing.T) {
+ timeout := time.Second
+
+ prestartCmd := configs.NewCommandHook(configs.Command{
+ Path: "/var/vcap/hooks/prestart",
+ Args: []string{"--pid=123"},
+ Env: []string{"FOO=BAR"},
+ Dir: "/var/vcap",
+ Timeout: &timeout,
+ })
+ prestart, err := json.Marshal(prestartCmd.Command)
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ hook := configs.Hooks{}
+ err = hook.UnmarshalJSON([]byte(fmt.Sprintf(`{"Prestart" :[%s]}`, prestart)))
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ if !reflect.DeepEqual(hook.Prestart[0], prestartCmd) {
+ t.Errorf("Expected prestart to equal %+v but it was %+v",
+ prestartCmd, hook.Prestart[0])
+ }
+}
+
+func TestUnmarshalHooksWithInvalidData(t *testing.T) {
+ hook := configs.Hooks{}
+ err := hook.UnmarshalJSON([]byte(`{invalid-json}`))
+ if err == nil {
+ t.Error("Expected error to occur but it was nil")
+ }
+}
+
+func TestMarshalHooks(t *testing.T) {
+ timeout := time.Second
+
+ prestartCmd := configs.NewCommandHook(configs.Command{
+ Path: "/var/vcap/hooks/prestart",
+ Args: []string{"--pid=123"},
+ Env: []string{"FOO=BAR"},
+ Dir: "/var/vcap",
+ Timeout: &timeout,
+ })
+
+ hook := configs.Hooks{
+ Prestart: []configs.Hook{prestartCmd},
+ }
+ hooks, err := hook.MarshalJSON()
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ h := `{"poststart":null,"poststop":null,"prestart":[{"path":"/var/vcap/hooks/prestart","args":["--pid=123"],"env":["FOO=BAR"],"dir":"/var/vcap","timeout":1000000000}]}`
+ if string(hooks) != h {
+ t.Errorf("Expected hooks %s to equal %s", string(hooks), h)
+ }
+}
+
+func TestMarshalUnmarshalHooks(t *testing.T) {
+ timeout := time.Second
+
+ prestart := configs.NewCommandHook(configs.Command{
+ Path: "/var/vcap/hooks/prestart",
+ Args: []string{"--pid=123"},
+ Env: []string{"FOO=BAR"},
+ Dir: "/var/vcap",
+ Timeout: &timeout,
+ })
+
+ hook := configs.Hooks{
+ Prestart: []configs.Hook{prestart},
+ }
+ hooks, err := hook.MarshalJSON()
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ umMhook := configs.Hooks{}
+ err = umMhook.UnmarshalJSON(hooks)
+ if err != nil {
+ t.Fatal(err)
+ }
+ if !reflect.DeepEqual(umMhook.Prestart[0], prestart) {
+ t.Errorf("Expected hooks to be equal after mashaling -> unmarshaling them: %+v, %+v", umMhook.Prestart[0], prestart)
+ }
+}
+
+func TestMarshalHooksWithUnexpectedType(t *testing.T) {
+ fHook := configs.NewFunctionHook(func(*specs.State) error {
+ return nil
+ })
+ hook := configs.Hooks{
+ Prestart: []configs.Hook{fHook},
+ }
+ hooks, err := hook.MarshalJSON()
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ h := `{"poststart":null,"poststop":null,"prestart":null}`
+ if string(hooks) != h {
+ t.Errorf("Expected hooks %s to equal %s", string(hooks), h)
+ }
+}
+
+func TestFuncHookRun(t *testing.T) {
+ state := &specs.State{
+ Version: "1",
+ ID: "1",
+ Status: "created",
+ Pid: 1,
+ Bundle: "/bundle",
+ }
+
+ fHook := configs.NewFunctionHook(func(s *specs.State) error {
+ if !reflect.DeepEqual(state, s) {
+ t.Errorf("Expected state %+v to equal %+v", state, s)
+ }
+ return nil
+ })
+
+ fHook.Run(state)
+}
+
+func TestCommandHookRun(t *testing.T) {
+ state := &specs.State{
+ Version: "1",
+ ID: "1",
+ Status: "created",
+ Pid: 1,
+ Bundle: "/bundle",
+ }
+ timeout := time.Second
+
+ cmdHook := configs.NewCommandHook(configs.Command{
+ Path: os.Args[0],
+ Args: []string{os.Args[0], "-test.run=TestHelperProcess"},
+ Env: []string{"FOO=BAR"},
+ Dir: "/",
+ Timeout: &timeout,
+ })
+
+ err := cmdHook.Run(state)
+ if err != nil {
+ t.Errorf(fmt.Sprintf("Expected error to not occur but it was %+v", err))
+ }
+}
+
+func TestCommandHookRunTimeout(t *testing.T) {
+ state := &specs.State{
+ Version: "1",
+ ID: "1",
+ Status: "created",
+ Pid: 1,
+ Bundle: "/bundle",
+ }
+ timeout := (10 * time.Millisecond)
+
+ cmdHook := configs.NewCommandHook(configs.Command{
+ Path: os.Args[0],
+ Args: []string{os.Args[0], "-test.run=TestHelperProcessWithTimeout"},
+ Env: []string{"FOO=BAR"},
+ Dir: "/",
+ Timeout: &timeout,
+ })
+
+ err := cmdHook.Run(state)
+ if err == nil {
+ t.Error("Expected error to occur but it was nil")
+ }
+}
+
+func TestHelperProcess(*testing.T) {
+ fmt.Println("Helper Process")
+ os.Exit(0)
+}
+func TestHelperProcessWithTimeout(*testing.T) {
+ time.Sleep(time.Second)
+}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/configs/config_unix.go b/vendor/github.com/opencontainers/runc/libcontainer/configs/config_unix.go
deleted file mode 100644
index c447f3ef29f4d3669d0f435258d7e9fc3763a75e..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/libcontainer/configs/config_unix.go
+++ /dev/null
@@ -1,51 +0,0 @@
-// +build freebsd linux
-
-package configs
-
-import "fmt"
-
-// Gets the root uid for the process on host which could be non-zero
-// when user namespaces are enabled.
-func (c Config) HostUID() (int, error) {
- if c.Namespaces.Contains(NEWUSER) {
- if c.UidMappings == nil {
- return -1, fmt.Errorf("User namespaces enabled, but no user mappings found.")
- }
- id, found := c.hostIDFromMapping(0, c.UidMappings)
- if !found {
- return -1, fmt.Errorf("User namespaces enabled, but no root user mapping found.")
- }
- return id, nil
- }
- // Return default root uid 0
- return 0, nil
-}
-
-// Gets the root gid for the process on host which could be non-zero
-// when user namespaces are enabled.
-func (c Config) HostGID() (int, error) {
- if c.Namespaces.Contains(NEWUSER) {
- if c.GidMappings == nil {
- return -1, fmt.Errorf("User namespaces enabled, but no gid mappings found.")
- }
- id, found := c.hostIDFromMapping(0, c.GidMappings)
- if !found {
- return -1, fmt.Errorf("User namespaces enabled, but no root group mapping found.")
- }
- return id, nil
- }
- // Return default root gid 0
- return 0, nil
-}
-
-// Utility function that gets a host ID for a container ID from user namespace map
-// if that ID is present in the map.
-func (c Config) hostIDFromMapping(containerID int, uMap []IDMap) (int, bool) {
- for _, m := range uMap {
- if (containerID >= m.ContainerID) && (containerID <= (m.ContainerID + m.Size - 1)) {
- hostID := m.HostID + (containerID - m.ContainerID)
- return hostID, true
- }
- }
- return -1, false
-}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/configs/device_defaults.go b/vendor/github.com/opencontainers/runc/libcontainer/configs/device_defaults.go
index e45299264c8fb9943219f5d62599295471237886..e4f423c523ff4d042a4b8f6d4d1d47993b429a65 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/configs/device_defaults.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/configs/device_defaults.go
@@ -1,9 +1,9 @@
-// +build linux freebsd
+// +build linux
package configs
var (
- // These are devices that are to be both allowed and created.
+ // DefaultSimpleDevices are devices that are to be both allowed and created.
DefaultSimpleDevices = []*Device{
// /dev/null and zero
{
@@ -107,19 +107,5 @@ var (
Permissions: "rwm",
},
}, DefaultSimpleDevices...)
- DefaultAutoCreatedDevices = append([]*Device{
- {
- // /dev/fuse is created but not allowed.
- // This is to allow java to work. Because java
- // Insists on there being a /dev/fuse
- // https://github.com/docker/docker/issues/514
- // https://github.com/docker/docker/issues/2393
- //
- Path: "/dev/fuse",
- Type: 'c',
- Major: 10,
- Minor: 229,
- Permissions: "rwm",
- },
- }, DefaultSimpleDevices...)
+ DefaultAutoCreatedDevices = append([]*Device{}, DefaultSimpleDevices...)
)
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/configs/intelrdt.go b/vendor/github.com/opencontainers/runc/libcontainer/configs/intelrdt.go
new file mode 100644
index 0000000000000000000000000000000000000000..57e9f037d97978724319a3b5e65ad88daa31d9bb
--- /dev/null
+++ b/vendor/github.com/opencontainers/runc/libcontainer/configs/intelrdt.go
@@ -0,0 +1,13 @@
+package configs
+
+type IntelRdt struct {
+ // The schema for L3 cache id and capacity bitmask (CBM)
+ // Format: "L3:<cache_id0>=<cbm0>;<cache_id1>=<cbm1>;..."
+ L3CacheSchema string `json:"l3_cache_schema,omitempty"`
+
+ // The schema of memory bandwidth per L3 cache id
+ // Format: "MB:<cache_id0>=bandwidth0;<cache_id1>=bandwidth1;..."
+ // The unit of memory bandwidth is specified in "percentages" by
+ // default, and in "MBps" if MBA Software Controller is enabled.
+ MemBwSchema string `json:"memBwSchema,omitempty"`
+}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/configs/mount.go b/vendor/github.com/opencontainers/runc/libcontainer/configs/mount.go
index cc770c916f945728b895baead139f94a4a701f48..670757ddb5f448bbaf126d294d70173f50c1b2f4 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/configs/mount.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/configs/mount.go
@@ -1,5 +1,11 @@
package configs
+const (
+ // EXT_COPYUP is a directive to copy up the contents of a directory when
+ // a tmpfs is mounted over it.
+ EXT_COPYUP = 1 << iota
+)
+
type Mount struct {
// Source path for the mount.
Source string `json:"source"`
@@ -22,6 +28,9 @@ type Mount struct {
// Relabel source if set, "z" indicates shared, "Z" indicates unshared.
Relabel string `json:"relabel"`
+ // Extensions are additional flags that are specific to runc.
+ Extensions int `json:"extensions"`
+
// Optional Command to be run before Source is mounted.
PremountCmds []Command `json:"premount_cmds"`
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/configs/namespaces_unix.go b/vendor/github.com/opencontainers/runc/libcontainer/configs/namespaces_linux.go
similarity index 78%
rename from vendor/github.com/opencontainers/runc/libcontainer/configs/namespaces_unix.go
rename to vendor/github.com/opencontainers/runc/libcontainer/configs/namespaces_linux.go
index b9c820d0627d053a724115ccbd74404729c188d8..1bbaef9bd94136276b14d68d0d1136c38964dc6a 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/configs/namespaces_unix.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/configs/namespaces_linux.go
@@ -1,5 +1,3 @@
-// +build linux freebsd
-
package configs
import (
@@ -9,12 +7,13 @@ import (
)
const (
- NEWNET NamespaceType = "NEWNET"
- NEWPID NamespaceType = "NEWPID"
- NEWNS NamespaceType = "NEWNS"
- NEWUTS NamespaceType = "NEWUTS"
- NEWIPC NamespaceType = "NEWIPC"
- NEWUSER NamespaceType = "NEWUSER"
+ NEWNET NamespaceType = "NEWNET"
+ NEWPID NamespaceType = "NEWPID"
+ NEWNS NamespaceType = "NEWNS"
+ NEWUTS NamespaceType = "NEWUTS"
+ NEWIPC NamespaceType = "NEWIPC"
+ NEWUSER NamespaceType = "NEWUSER"
+ NEWCGROUP NamespaceType = "NEWCGROUP"
)
var (
@@ -22,8 +21,8 @@ var (
supportedNamespaces = make(map[NamespaceType]bool)
)
-// nsToFile converts the namespace type to its filename
-func nsToFile(ns NamespaceType) string {
+// NsName converts the namespace type to its filename
+func NsName(ns NamespaceType) string {
switch ns {
case NEWNET:
return "net"
@@ -37,6 +36,8 @@ func nsToFile(ns NamespaceType) string {
return "user"
case NEWUTS:
return "uts"
+ case NEWCGROUP:
+ return "cgroup"
}
return ""
}
@@ -50,7 +51,7 @@ func IsNamespaceSupported(ns NamespaceType) bool {
if ok {
return supported
}
- nsFile := nsToFile(ns)
+ nsFile := NsName(ns)
// if the namespace type is unknown, just return false
if nsFile == "" {
return false
@@ -64,12 +65,13 @@ func IsNamespaceSupported(ns NamespaceType) bool {
func NamespaceTypes() []NamespaceType {
return []NamespaceType{
+ NEWUSER, // Keep user NS always first, don't move it.
+ NEWIPC,
+ NEWUTS,
NEWNET,
NEWPID,
NEWNS,
- NEWUTS,
- NEWIPC,
- NEWUSER,
+ NEWCGROUP,
}
}
@@ -81,10 +83,7 @@ type Namespace struct {
}
func (n *Namespace) GetPath(pid int) string {
- if n.Path != "" {
- return n.Path
- }
- return fmt.Sprintf("/proc/%d/ns/%s", pid, nsToFile(n.Type))
+ return fmt.Sprintf("/proc/%d/ns/%s", pid, NsName(n.Type))
}
func (n *Namespaces) Remove(t NamespaceType) bool {
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/configs/namespaces_syscall.go b/vendor/github.com/opencontainers/runc/libcontainer/configs/namespaces_syscall.go
index c962999efd4bc849ff9b5e5f6b3dc33dbe417608..2dc7adfc9660a5279465d7c7482c1fec8b7fe22c 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/configs/namespaces_syscall.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/configs/namespaces_syscall.go
@@ -2,23 +2,24 @@
package configs
-import "syscall"
+import "golang.org/x/sys/unix"
func (n *Namespace) Syscall() int {
return namespaceInfo[n.Type]
}
var namespaceInfo = map[NamespaceType]int{
- NEWNET: syscall.CLONE_NEWNET,
- NEWNS: syscall.CLONE_NEWNS,
- NEWUSER: syscall.CLONE_NEWUSER,
- NEWIPC: syscall.CLONE_NEWIPC,
- NEWUTS: syscall.CLONE_NEWUTS,
- NEWPID: syscall.CLONE_NEWPID,
+ NEWNET: unix.CLONE_NEWNET,
+ NEWNS: unix.CLONE_NEWNS,
+ NEWUSER: unix.CLONE_NEWUSER,
+ NEWIPC: unix.CLONE_NEWIPC,
+ NEWUTS: unix.CLONE_NEWUTS,
+ NEWPID: unix.CLONE_NEWPID,
+ NEWCGROUP: unix.CLONE_NEWCGROUP,
}
// CloneFlags parses the container's Namespaces options to set the correct
-// flags on clone, unshare. This functions returns flags only for new namespaces.
+// flags on clone, unshare. This function returns flags only for new namespaces.
func (n *Namespaces) CloneFlags() uintptr {
var flag int
for _, v := range *n {
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/configs/namespaces_syscall_unsupported.go b/vendor/github.com/opencontainers/runc/libcontainer/configs/namespaces_syscall_unsupported.go
index 1644588dc79d273b69af58fc6419b7c99997333f..5d9a5c81f3fd5c77c97d1a8036838ee717f66cf1 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/configs/namespaces_syscall_unsupported.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/configs/namespaces_syscall_unsupported.go
@@ -4,12 +4,10 @@ package configs
func (n *Namespace) Syscall() int {
panic("No namespace syscall support")
- return 0
}
// CloneFlags parses the container's Namespaces options to set the correct
-// flags on clone, unshare. This functions returns flags only for new namespaces.
+// flags on clone, unshare. This function returns flags only for new namespaces.
func (n *Namespaces) CloneFlags() uintptr {
panic("No namespace syscall support")
- return uintptr(0)
}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/configs/namespaces_unsupported.go b/vendor/github.com/opencontainers/runc/libcontainer/configs/namespaces_unsupported.go
index 9a74033ceabe2bed7f5c2ef47c044ac705575a2e..19bf713de3a3a9b9cd04d3107258256dc9d1b48f 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/configs/namespaces_unsupported.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/configs/namespaces_unsupported.go
@@ -1,4 +1,4 @@
-// +build !linux,!freebsd
+// +build !linux
package configs
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/configs/validate/config.go b/vendor/github.com/opencontainers/runc/libcontainer/configs/validate/config.go
deleted file mode 100644
index e155ca1204e5eadc7bd651f6668d530ee4a65d13..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/libcontainer/configs/validate/config.go
+++ /dev/null
@@ -1,138 +0,0 @@
-package validate
-
-import (
- "fmt"
- "os"
- "path/filepath"
- "strings"
-
- "github.com/opencontainers/runc/libcontainer/configs"
-)
-
-type Validator interface {
- Validate(*configs.Config) error
-}
-
-func New() Validator {
- return &ConfigValidator{}
-}
-
-type ConfigValidator struct {
-}
-
-func (v *ConfigValidator) Validate(config *configs.Config) error {
- if err := v.rootfs(config); err != nil {
- return err
- }
- if err := v.network(config); err != nil {
- return err
- }
- if err := v.hostname(config); err != nil {
- return err
- }
- if err := v.security(config); err != nil {
- return err
- }
- if err := v.usernamespace(config); err != nil {
- return err
- }
- if err := v.sysctl(config); err != nil {
- return err
- }
- return nil
-}
-
-// rootfs validates the the rootfs is an absolute path and is not a symlink
-// to the container's root filesystem.
-func (v *ConfigValidator) rootfs(config *configs.Config) error {
- cleaned, err := filepath.Abs(config.Rootfs)
- if err != nil {
- return err
- }
- if cleaned, err = filepath.EvalSymlinks(cleaned); err != nil {
- return err
- }
- if config.Rootfs != cleaned {
- return fmt.Errorf("%s is not an absolute path or is a symlink", config.Rootfs)
- }
- return nil
-}
-
-func (v *ConfigValidator) network(config *configs.Config) error {
- if !config.Namespaces.Contains(configs.NEWNET) {
- if len(config.Networks) > 0 || len(config.Routes) > 0 {
- return fmt.Errorf("unable to apply network settings without a private NET namespace")
- }
- }
- return nil
-}
-
-func (v *ConfigValidator) hostname(config *configs.Config) error {
- if config.Hostname != "" && !config.Namespaces.Contains(configs.NEWUTS) {
- return fmt.Errorf("unable to set hostname without a private UTS namespace")
- }
- return nil
-}
-
-func (v *ConfigValidator) security(config *configs.Config) error {
- // restrict sys without mount namespace
- if (len(config.MaskPaths) > 0 || len(config.ReadonlyPaths) > 0) &&
- !config.Namespaces.Contains(configs.NEWNS) {
- return fmt.Errorf("unable to restrict sys entries without a private MNT namespace")
- }
- return nil
-}
-
-func (v *ConfigValidator) usernamespace(config *configs.Config) error {
- if config.Namespaces.Contains(configs.NEWUSER) {
- if _, err := os.Stat("/proc/self/ns/user"); os.IsNotExist(err) {
- return fmt.Errorf("USER namespaces aren't enabled in the kernel")
- }
- } else {
- if config.UidMappings != nil || config.GidMappings != nil {
- return fmt.Errorf("User namespace mappings specified, but USER namespace isn't enabled in the config")
- }
- }
- return nil
-}
-
-// sysctl validates that the specified sysctl keys are valid or not.
-// /proc/sys isn't completely namespaced and depending on which namespaces
-// are specified, a subset of sysctls are permitted.
-func (v *ConfigValidator) sysctl(config *configs.Config) error {
- validSysctlPrefixes := []string{}
- validSysctlMap := make(map[string]bool)
- if config.Namespaces.Contains(configs.NEWNET) {
- validSysctlPrefixes = append(validSysctlPrefixes, "net.")
- }
- if config.Namespaces.Contains(configs.NEWIPC) {
- validSysctlPrefixes = append(validSysctlPrefixes, "fs.mqueue.")
- validSysctlMap = map[string]bool{
- "kernel.msgmax": true,
- "kernel.msgmnb": true,
- "kernel.msgmni": true,
- "kernel.sem": true,
- "kernel.shmall": true,
- "kernel.shmmax": true,
- "kernel.shmmni": true,
- "kernel.shm_rmid_forced": true,
- }
- }
- for s := range config.Sysctl {
- if validSysctlMap[s] {
- continue
- }
- valid := false
- for _, vp := range validSysctlPrefixes {
- if strings.HasPrefix(s, vp) {
- valid = true
- break
- }
- }
- if !valid {
- return fmt.Errorf("sysctl %q is not permitted in the config", s)
- }
- }
-
- return nil
-}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/configs/validate/rootless.go b/vendor/github.com/opencontainers/runc/libcontainer/configs/validate/rootless.go
new file mode 100644
index 0000000000000000000000000000000000000000..393d9e81ee92b1b629f3fd7ba7a6dce63cf21dd8
--- /dev/null
+++ b/vendor/github.com/opencontainers/runc/libcontainer/configs/validate/rootless.go
@@ -0,0 +1,89 @@
+package validate
+
+import (
+ "fmt"
+ "strings"
+
+ "github.com/opencontainers/runc/libcontainer/configs"
+)
+
+// rootlessEUID makes sure that the config can be applied when runc
+// is being executed as a non-root user (euid != 0) in the current user namespace.
+func (v *ConfigValidator) rootlessEUID(config *configs.Config) error {
+ if err := rootlessEUIDMappings(config); err != nil {
+ return err
+ }
+ if err := rootlessEUIDMount(config); err != nil {
+ return err
+ }
+
+ // XXX: We currently can't verify the user config at all, because
+ // configs.Config doesn't store the user-related configs. So this
+ // has to be verified by setupUser() in init_linux.go.
+
+ return nil
+}
+
+func hasIDMapping(id int, mappings []configs.IDMap) bool {
+ for _, m := range mappings {
+ if id >= m.ContainerID && id < m.ContainerID+m.Size {
+ return true
+ }
+ }
+ return false
+}
+
+func rootlessEUIDMappings(config *configs.Config) error {
+ if !config.Namespaces.Contains(configs.NEWUSER) {
+ return fmt.Errorf("rootless container requires user namespaces")
+ }
+
+ if len(config.UidMappings) == 0 {
+ return fmt.Errorf("rootless containers requires at least one UID mapping")
+ }
+ if len(config.GidMappings) == 0 {
+ return fmt.Errorf("rootless containers requires at least one GID mapping")
+ }
+ return nil
+}
+
+// mount verifies that the user isn't trying to set up any mounts they don't have
+// the rights to do. In addition, it makes sure that no mount has a `uid=` or
+// `gid=` option that doesn't resolve to root.
+func rootlessEUIDMount(config *configs.Config) error {
+ // XXX: We could whitelist allowed devices at this point, but I'm not
+ // convinced that's a good idea. The kernel is the best arbiter of
+ // access control.
+
+ for _, mount := range config.Mounts {
+ // Check that the options list doesn't contain any uid= or gid= entries
+ // that don't resolve to root.
+ for _, opt := range strings.Split(mount.Data, ",") {
+ if strings.HasPrefix(opt, "uid=") {
+ var uid int
+ n, err := fmt.Sscanf(opt, "uid=%d", &uid)
+ if n != 1 || err != nil {
+ // Ignore unknown mount options.
+ continue
+ }
+ if !hasIDMapping(uid, config.UidMappings) {
+ return fmt.Errorf("cannot specify uid= mount options for unmapped uid in rootless containers")
+ }
+ }
+
+ if strings.HasPrefix(opt, "gid=") {
+ var gid int
+ n, err := fmt.Sscanf(opt, "gid=%d", &gid)
+ if n != 1 || err != nil {
+ // Ignore unknown mount options.
+ continue
+ }
+ if !hasIDMapping(gid, config.GidMappings) {
+ return fmt.Errorf("cannot specify gid= mount options for unmapped gid in rootless containers")
+ }
+ }
+ }
+ }
+
+ return nil
+}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/configs/validate/rootless_test.go b/vendor/github.com/opencontainers/runc/libcontainer/configs/validate/rootless_test.go
new file mode 100644
index 0000000000000000000000000000000000000000..59d15575dd7c48e4695e3354836107a72d29819a
--- /dev/null
+++ b/vendor/github.com/opencontainers/runc/libcontainer/configs/validate/rootless_test.go
@@ -0,0 +1,155 @@
+package validate
+
+import (
+ "testing"
+
+ "github.com/opencontainers/runc/libcontainer/configs"
+)
+
+func rootlessEUIDConfig() *configs.Config {
+ return &configs.Config{
+ Rootfs: "/var",
+ RootlessEUID: true,
+ RootlessCgroups: true,
+ Namespaces: configs.Namespaces(
+ []configs.Namespace{
+ {Type: configs.NEWUSER},
+ },
+ ),
+ UidMappings: []configs.IDMap{
+ {
+ HostID: 1337,
+ ContainerID: 0,
+ Size: 1,
+ },
+ },
+ GidMappings: []configs.IDMap{
+ {
+ HostID: 7331,
+ ContainerID: 0,
+ Size: 1,
+ },
+ },
+ }
+}
+
+func TestValidateRootlessEUID(t *testing.T) {
+ validator := New()
+
+ config := rootlessEUIDConfig()
+ if err := validator.Validate(config); err != nil {
+ t.Errorf("Expected error to not occur: %+v", err)
+ }
+}
+
+/* rootlessEUIDMappings */
+
+func TestValidateRootlessEUIDUserns(t *testing.T) {
+ validator := New()
+
+ config := rootlessEUIDConfig()
+ config.Namespaces = nil
+ if err := validator.Validate(config); err == nil {
+ t.Errorf("Expected error to occur if user namespaces not set")
+ }
+}
+
+func TestValidateRootlessEUIDMappingUid(t *testing.T) {
+ validator := New()
+
+ config := rootlessEUIDConfig()
+ config.UidMappings = nil
+ if err := validator.Validate(config); err == nil {
+ t.Errorf("Expected error to occur if no uid mappings provided")
+ }
+}
+
+func TestValidateNonZeroEUIDMappingGid(t *testing.T) {
+ validator := New()
+
+ config := rootlessEUIDConfig()
+ config.GidMappings = nil
+ if err := validator.Validate(config); err == nil {
+ t.Errorf("Expected error to occur if no gid mappings provided")
+ }
+}
+
+/* rootlessEUIDMount() */
+
+func TestValidateRootlessEUIDMountUid(t *testing.T) {
+ config := rootlessEUIDConfig()
+ validator := New()
+
+ config.Mounts = []*configs.Mount{
+ {
+ Source: "devpts",
+ Destination: "/dev/pts",
+ Device: "devpts",
+ },
+ }
+
+ if err := validator.Validate(config); err != nil {
+ t.Errorf("Expected error to not occur when uid= not set in mount options: %+v", err)
+ }
+
+ config.Mounts[0].Data = "uid=5"
+ if err := validator.Validate(config); err == nil {
+ t.Errorf("Expected error to occur when setting uid=5 in mount options")
+ }
+
+ config.Mounts[0].Data = "uid=0"
+ if err := validator.Validate(config); err != nil {
+ t.Errorf("Expected error to not occur when setting uid=0 in mount options: %+v", err)
+ }
+
+ config.Mounts[0].Data = "uid=2"
+ config.UidMappings[0].Size = 10
+ if err := validator.Validate(config); err != nil {
+ t.Errorf("Expected error to not occur when setting uid=2 in mount options and UidMapping[0].size is 10")
+ }
+
+ config.Mounts[0].Data = "uid=20"
+ config.UidMappings[0].Size = 10
+ if err := validator.Validate(config); err == nil {
+ t.Errorf("Expected error to occur when setting uid=20 in mount options and UidMapping[0].size is 10")
+ }
+}
+
+func TestValidateRootlessEUIDMountGid(t *testing.T) {
+ config := rootlessEUIDConfig()
+ validator := New()
+
+ config.Mounts = []*configs.Mount{
+ {
+ Source: "devpts",
+ Destination: "/dev/pts",
+ Device: "devpts",
+ },
+ }
+
+ if err := validator.Validate(config); err != nil {
+ t.Errorf("Expected error to not occur when gid= not set in mount options: %+v", err)
+ }
+
+ config.Mounts[0].Data = "gid=5"
+ if err := validator.Validate(config); err == nil {
+ t.Errorf("Expected error to occur when setting gid=5 in mount options")
+ }
+
+ config.Mounts[0].Data = "gid=0"
+ if err := validator.Validate(config); err != nil {
+ t.Errorf("Expected error to not occur when setting gid=0 in mount options: %+v", err)
+ }
+
+ config.Mounts[0].Data = "gid=5"
+ config.GidMappings[0].Size = 10
+ if err := validator.Validate(config); err != nil {
+ t.Errorf("Expected error to not occur when setting gid=5 in mount options and GidMapping[0].size is 10")
+ }
+
+ config.Mounts[0].Data = "gid=11"
+ config.GidMappings[0].Size = 10
+ if err := validator.Validate(config); err == nil {
+ t.Errorf("Expected error to occur when setting gid=11 in mount options and GidMapping[0].size is 10")
+ }
+}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/configs/validate/validator.go b/vendor/github.com/opencontainers/runc/libcontainer/configs/validate/validator.go
new file mode 100644
index 0000000000000000000000000000000000000000..3b42f30107a0da14f1cc35a9cd22a0c255bca9b7
--- /dev/null
+++ b/vendor/github.com/opencontainers/runc/libcontainer/configs/validate/validator.go
@@ -0,0 +1,245 @@
+package validate
+
+import (
+ "fmt"
+ "os"
+ "path/filepath"
+ "strings"
+
+ "github.com/opencontainers/runc/libcontainer/configs"
+ "github.com/opencontainers/runc/libcontainer/intelrdt"
+ selinux "github.com/opencontainers/selinux/go-selinux"
+)
+
+type Validator interface {
+ Validate(*configs.Config) error
+}
+
+func New() Validator {
+ return &ConfigValidator{}
+}
+
+type ConfigValidator struct {
+}
+
+func (v *ConfigValidator) Validate(config *configs.Config) error {
+ if err := v.rootfs(config); err != nil {
+ return err
+ }
+ if err := v.network(config); err != nil {
+ return err
+ }
+ if err := v.hostname(config); err != nil {
+ return err
+ }
+ if err := v.security(config); err != nil {
+ return err
+ }
+ if err := v.usernamespace(config); err != nil {
+ return err
+ }
+ if err := v.cgroupnamespace(config); err != nil {
+ return err
+ }
+ if err := v.sysctl(config); err != nil {
+ return err
+ }
+ if err := v.intelrdt(config); err != nil {
+ return err
+ }
+ if config.RootlessEUID {
+ if err := v.rootlessEUID(config); err != nil {
+ return err
+ }
+ }
+ return nil
+}
+
+// rootfs validates if the rootfs is an absolute path and is not a symlink
+// to the container's root filesystem.
+func (v *ConfigValidator) rootfs(config *configs.Config) error {
+ if _, err := os.Stat(config.Rootfs); err != nil {
+ if os.IsNotExist(err) {
+ return fmt.Errorf("rootfs (%s) does not exist", config.Rootfs)
+ }
+ return err
+ }
+ cleaned, err := filepath.Abs(config.Rootfs)
+ if err != nil {
+ return err
+ }
+ if cleaned, err = filepath.EvalSymlinks(cleaned); err != nil {
+ return err
+ }
+ if filepath.Clean(config.Rootfs) != cleaned {
+ return fmt.Errorf("%s is not an absolute path or is a symlink", config.Rootfs)
+ }
+ return nil
+}
+
+func (v *ConfigValidator) network(config *configs.Config) error {
+ if !config.Namespaces.Contains(configs.NEWNET) {
+ if len(config.Networks) > 0 || len(config.Routes) > 0 {
+ return fmt.Errorf("unable to apply network settings without a private NET namespace")
+ }
+ }
+ return nil
+}
+
+func (v *ConfigValidator) hostname(config *configs.Config) error {
+ if config.Hostname != "" && !config.Namespaces.Contains(configs.NEWUTS) {
+ return fmt.Errorf("unable to set hostname without a private UTS namespace")
+ }
+ return nil
+}
+
+func (v *ConfigValidator) security(config *configs.Config) error {
+ // restrict sys without mount namespace
+ if (len(config.MaskPaths) > 0 || len(config.ReadonlyPaths) > 0) &&
+ !config.Namespaces.Contains(configs.NEWNS) {
+ return fmt.Errorf("unable to restrict sys entries without a private MNT namespace")
+ }
+ if config.ProcessLabel != "" && !selinux.GetEnabled() {
+ return fmt.Errorf("selinux label is specified in config, but selinux is disabled or not supported")
+ }
+
+ return nil
+}
+
+func (v *ConfigValidator) usernamespace(config *configs.Config) error {
+ if config.Namespaces.Contains(configs.NEWUSER) {
+ if _, err := os.Stat("/proc/self/ns/user"); os.IsNotExist(err) {
+ return fmt.Errorf("USER namespaces aren't enabled in the kernel")
+ }
+ } else {
+ if config.UidMappings != nil || config.GidMappings != nil {
+ return fmt.Errorf("User namespace mappings specified, but USER namespace isn't enabled in the config")
+ }
+ }
+ return nil
+}
+
+func (v *ConfigValidator) cgroupnamespace(config *configs.Config) error {
+ if config.Namespaces.Contains(configs.NEWCGROUP) {
+ if _, err := os.Stat("/proc/self/ns/cgroup"); os.IsNotExist(err) {
+ return fmt.Errorf("cgroup namespaces aren't enabled in the kernel")
+ }
+ }
+ return nil
+}
+
+// sysctl validates that the specified sysctl keys are valid or not.
+// /proc/sys isn't completely namespaced and depending on which namespaces
+// are specified, a subset of sysctls are permitted.
+func (v *ConfigValidator) sysctl(config *configs.Config) error {
+ validSysctlMap := map[string]bool{
+ "kernel.msgmax": true,
+ "kernel.msgmnb": true,
+ "kernel.msgmni": true,
+ "kernel.sem": true,
+ "kernel.shmall": true,
+ "kernel.shmmax": true,
+ "kernel.shmmni": true,
+ "kernel.shm_rmid_forced": true,
+ }
+
+ for s := range config.Sysctl {
+ if validSysctlMap[s] || strings.HasPrefix(s, "fs.mqueue.") {
+ if config.Namespaces.Contains(configs.NEWIPC) {
+ continue
+ } else {
+ return fmt.Errorf("sysctl %q is not allowed in the hosts ipc namespace", s)
+ }
+ }
+ if strings.HasPrefix(s, "net.") {
+ if config.Namespaces.Contains(configs.NEWNET) {
+ if path := config.Namespaces.PathOf(configs.NEWNET); path != "" {
+ if err := checkHostNs(s, path); err != nil {
+ return err
+ }
+ }
+ continue
+ } else {
+ return fmt.Errorf("sysctl %q is not allowed in the hosts network namespace", s)
+ }
+ }
+ if config.Namespaces.Contains(configs.NEWUTS) {
+ switch s {
+ case "kernel.domainname":
+ // This is namespaced and there's no explicit OCI field for it.
+ continue
+ case "kernel.hostname":
+ // This is namespaced but there's a conflicting (dedicated) OCI field for it.
+ return fmt.Errorf("sysctl %q is not allowed as it conflicts with the OCI %q field", s, "hostname")
+ }
+ }
+ return fmt.Errorf("sysctl %q is not in a separate kernel namespace", s)
+ }
+
+ return nil
+}
+
+func (v *ConfigValidator) intelrdt(config *configs.Config) error {
+ if config.IntelRdt != nil {
+ if !intelrdt.IsCatEnabled() && !intelrdt.IsMbaEnabled() {
+ return fmt.Errorf("intelRdt is specified in config, but Intel RDT is not supported or enabled")
+ }
+
+ if !intelrdt.IsCatEnabled() && config.IntelRdt.L3CacheSchema != "" {
+ return fmt.Errorf("intelRdt.l3CacheSchema is specified in config, but Intel RDT/CAT is not enabled")
+ }
+ if !intelrdt.IsMbaEnabled() && config.IntelRdt.MemBwSchema != "" {
+ return fmt.Errorf("intelRdt.memBwSchema is specified in config, but Intel RDT/MBA is not enabled")
+ }
+
+ if intelrdt.IsCatEnabled() && config.IntelRdt.L3CacheSchema == "" {
+ return fmt.Errorf("Intel RDT/CAT is enabled and intelRdt is specified in config, but intelRdt.l3CacheSchema is empty")
+ }
+ if intelrdt.IsMbaEnabled() && config.IntelRdt.MemBwSchema == "" {
+ return fmt.Errorf("Intel RDT/MBA is enabled and intelRdt is specified in config, but intelRdt.memBwSchema is empty")
+ }
+ }
+
+ return nil
+}
+
+func isSymbolicLink(path string) (bool, error) {
+ fi, err := os.Lstat(path)
+ if err != nil {
+ return false, err
+ }
+
+ return fi.Mode()&os.ModeSymlink == os.ModeSymlink, nil
+}
+
+// checkHostNs checks whether network sysctl is used in host namespace.
+func checkHostNs(sysctlConfig string, path string) error {
+ var currentProcessNetns = "/proc/self/ns/net"
+ // readlink on the current processes network namespace
+ destOfCurrentProcess, err := os.Readlink(currentProcessNetns)
+ if err != nil {
+ return fmt.Errorf("read soft link %q error", currentProcessNetns)
+ }
+
+ // First check if the provided path is a symbolic link
+ symLink, err := isSymbolicLink(path)
+ if err != nil {
+ return fmt.Errorf("could not check that %q is a symlink: %v", path, err)
+ }
+
+ if symLink == false {
+ // The provided namespace is not a symbolic link,
+ // it is not the host namespace.
+ return nil
+ }
+
+ // readlink on the path provided in the struct
+ destOfContainer, err := os.Readlink(path)
+ if err != nil {
+ return fmt.Errorf("read soft link %q error", path)
+ }
+ if destOfContainer == destOfCurrentProcess {
+ return fmt.Errorf("sysctl %q is not allowed in the hosts network namespace", sysctlConfig)
+ }
+ return nil
+}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/configs/validate/validator_test.go b/vendor/github.com/opencontainers/runc/libcontainer/configs/validate/validator_test.go
new file mode 100644
index 0000000000000000000000000000000000000000..f6826fb3efc11316e83cfaf0983ed2b376cc18c4
--- /dev/null
+++ b/vendor/github.com/opencontainers/runc/libcontainer/configs/validate/validator_test.go
@@ -0,0 +1,267 @@
+package validate_test
+
+import (
+ "os"
+ "testing"
+
+ "github.com/opencontainers/runc/libcontainer/configs"
+ "github.com/opencontainers/runc/libcontainer/configs/validate"
+)
+
+func TestValidate(t *testing.T) {
+ config := &configs.Config{
+ Rootfs: "/var",
+ }
+
+ validator := validate.New()
+ err := validator.Validate(config)
+ if err != nil {
+ t.Errorf("Expected error to not occur: %+v", err)
+ }
+}
+
+func TestValidateWithInvalidRootfs(t *testing.T) {
+ dir := "rootfs"
+ os.Symlink("/var", dir)
+ defer os.Remove(dir)
+
+ config := &configs.Config{
+ Rootfs: dir,
+ }
+
+ validator := validate.New()
+ err := validator.Validate(config)
+ if err == nil {
+ t.Error("Expected error to occur but it was nil")
+ }
+}
+
+func TestValidateNetworkWithoutNETNamespace(t *testing.T) {
+ network := &configs.Network{Type: "loopback"}
+ config := &configs.Config{
+ Rootfs: "/var",
+ Namespaces: []configs.Namespace{},
+ Networks: []*configs.Network{network},
+ }
+
+ validator := validate.New()
+ err := validator.Validate(config)
+ if err == nil {
+ t.Error("Expected error to occur but it was nil")
+ }
+}
+
+func TestValidateNetworkRoutesWithoutNETNamespace(t *testing.T) {
+ route := &configs.Route{Gateway: "255.255.255.0"}
+ config := &configs.Config{
+ Rootfs: "/var",
+ Namespaces: []configs.Namespace{},
+ Routes: []*configs.Route{route},
+ }
+
+ validator := validate.New()
+ err := validator.Validate(config)
+ if err == nil {
+ t.Error("Expected error to occur but it was nil")
+ }
+}
+
+func TestValidateHostname(t *testing.T) {
+ config := &configs.Config{
+ Rootfs: "/var",
+ Hostname: "runc",
+ Namespaces: configs.Namespaces(
+ []configs.Namespace{
+ {Type: configs.NEWUTS},
+ },
+ ),
+ }
+
+ validator := validate.New()
+ err := validator.Validate(config)
+ if err != nil {
+ t.Errorf("Expected error to not occur: %+v", err)
+ }
+}
+
+func TestValidateHostnameWithoutUTSNamespace(t *testing.T) {
+ config := &configs.Config{
+ Rootfs: "/var",
+ Hostname: "runc",
+ }
+
+ validator := validate.New()
+ err := validator.Validate(config)
+ if err == nil {
+ t.Error("Expected error to occur but it was nil")
+ }
+}
+
+func TestValidateSecurityWithMaskPaths(t *testing.T) {
+ config := &configs.Config{
+ Rootfs: "/var",
+ MaskPaths: []string{"/proc/kcore"},
+ Namespaces: configs.Namespaces(
+ []configs.Namespace{
+ {Type: configs.NEWNS},
+ },
+ ),
+ }
+
+ validator := validate.New()
+ err := validator.Validate(config)
+ if err != nil {
+ t.Errorf("Expected error to not occur: %+v", err)
+ }
+}
+
+func TestValidateSecurityWithROPaths(t *testing.T) {
+ config := &configs.Config{
+ Rootfs: "/var",
+ ReadonlyPaths: []string{"/proc/sys"},
+ Namespaces: configs.Namespaces(
+ []configs.Namespace{
+ {Type: configs.NEWNS},
+ },
+ ),
+ }
+
+ validator := validate.New()
+ err := validator.Validate(config)
+ if err != nil {
+ t.Errorf("Expected error to not occur: %+v", err)
+ }
+}
+
+func TestValidateSecurityWithoutNEWNS(t *testing.T) {
+ config := &configs.Config{
+ Rootfs: "/var",
+ MaskPaths: []string{"/proc/kcore"},
+ ReadonlyPaths: []string{"/proc/sys"},
+ }
+
+ validator := validate.New()
+ err := validator.Validate(config)
+ if err == nil {
+ t.Error("Expected error to occur but it was nil")
+ }
+}
+
+func TestValidateUsernamespace(t *testing.T) {
+ if _, err := os.Stat("/proc/self/ns/user"); os.IsNotExist(err) {
+ t.Skip("userns is unsupported")
+ }
+ config := &configs.Config{
+ Rootfs: "/var",
+ Namespaces: configs.Namespaces(
+ []configs.Namespace{
+ {Type: configs.NEWUSER},
+ },
+ ),
+ }
+
+ validator := validate.New()
+ err := validator.Validate(config)
+ if err != nil {
+ t.Errorf("expected error to not occur %+v", err)
+ }
+}
+
+func TestValidateUsernamespaceWithoutUserNS(t *testing.T) {
+ uidMap := configs.IDMap{ContainerID: 123}
+ config := &configs.Config{
+ Rootfs: "/var",
+ UidMappings: []configs.IDMap{uidMap},
+ }
+
+ validator := validate.New()
+ err := validator.Validate(config)
+ if err == nil {
+ t.Error("Expected error to occur but it was nil")
+ }
+}
+
+func TestValidateSysctl(t *testing.T) {
+ sysctl := map[string]string{
+ "fs.mqueue.ctl": "ctl",
+ "net.ctl": "ctl",
+ "kernel.ctl": "ctl",
+ }
+
+ for k, v := range sysctl {
+ config := &configs.Config{
+ Rootfs: "/var",
+ Sysctl: map[string]string{k: v},
+ }
+
+ validator := validate.New()
+ err := validator.Validate(config)
+ if err == nil {
+ t.Error("Expected error to occur but it was nil")
+ }
+ }
+}
+
+func TestValidateValidSysctl(t *testing.T) {
+ sysctl := map[string]string{
+ "fs.mqueue.ctl": "ctl",
+ "net.ctl": "ctl",
+ "kernel.msgmax": "ctl",
+ }
+
+ for k, v := range sysctl {
+ config := &configs.Config{
+ Rootfs: "/var",
+ Sysctl: map[string]string{k: v},
+ Namespaces: []configs.Namespace{
+ {
+ Type: configs.NEWNET,
+ },
+ {
+ Type: configs.NEWIPC,
+ },
+ },
+ }
+
+ validator := validate.New()
+ err := validator.Validate(config)
+ if err != nil {
+ t.Errorf("Expected error to not occur with {%s=%s} but got: %q", k, v, err)
+ }
+ }
+}
+
+func TestValidateSysctlWithSameNs(t *testing.T) {
+ config := &configs.Config{
+ Rootfs: "/var",
+ Sysctl: map[string]string{"net.ctl": "ctl"},
+ Namespaces: configs.Namespaces(
+ []configs.Namespace{
+ {
+ Type: configs.NEWNET,
+ Path: "/proc/self/ns/net",
+ },
+ },
+ ),
+ }
+
+ validator := validate.New()
+ err := validator.Validate(config)
+ if err == nil {
+ t.Error("Expected error to occur but it was nil")
+ }
+}
+
+func TestValidateSysctlWithoutNETNamespace(t *testing.T) {
+ config := &configs.Config{
+ Rootfs: "/var",
+ Sysctl: map[string]string{"net.ctl": "ctl"},
+ Namespaces: []configs.Namespace{},
+ }
+
+ validator := validate.New()
+ err := validator.Validate(config)
+ if err == nil {
+ t.Error("Expected error to occur but it was nil")
+ }
+}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/console.go b/vendor/github.com/opencontainers/runc/libcontainer/console.go
deleted file mode 100644
index 042a2a2e481b45d603432ba21682ea4a42f8bd32..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/libcontainer/console.go
+++ /dev/null
@@ -1,15 +0,0 @@
-package libcontainer
-
-import "io"
-
-// Console represents a pseudo TTY.
-type Console interface {
- io.ReadWriter
- io.Closer
-
- // Path returns the filesystem path to the slave side of the pty.
- Path() string
-
- // Fd returns the fd for the master of the pty.
- Fd() uintptr
-}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/console_freebsd.go b/vendor/github.com/opencontainers/runc/libcontainer/console_freebsd.go
deleted file mode 100644
index 3c89eda0799297996e6455413849540a966b8087..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/libcontainer/console_freebsd.go
+++ /dev/null
@@ -1,13 +0,0 @@
-// +build freebsd
-
-package libcontainer
-
-import (
- "errors"
-)
-
-// NewConsole returns an initalized console that can be used within a container by copying bytes
-// from the master side to the slave that is attached as the tty for the container's init process.
-func NewConsole(uid, gid int) (Console, error) {
- return nil, errors.New("libcontainer console is not supported on FreeBSD")
-}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/console_linux.go b/vendor/github.com/opencontainers/runc/libcontainer/console_linux.go
index 7af771b65e3d6ef95d029c30aec3bd3ff5a84f2b..9997e93ed4f3fbc1c5a90c3df0a7d7233377e94b 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/console_linux.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/console_linux.go
@@ -1,145 +1,41 @@
package libcontainer
import (
- "fmt"
"os"
- "path/filepath"
- "syscall"
- "unsafe"
- "github.com/opencontainers/runc/libcontainer/label"
+ "golang.org/x/sys/unix"
)
-// NewConsole returns an initalized console that can be used within a container by copying bytes
-// from the master side to the slave that is attached as the tty for the container's init process.
-func NewConsole(uid, gid int) (Console, error) {
- master, err := os.OpenFile("/dev/ptmx", syscall.O_RDWR|syscall.O_NOCTTY|syscall.O_CLOEXEC, 0)
- if err != nil {
- return nil, err
- }
- console, err := ptsname(master)
- if err != nil {
- return nil, err
- }
- if err := unlockpt(master); err != nil {
- return nil, err
- }
- if err := os.Chmod(console, 0600); err != nil {
- return nil, err
- }
- if err := os.Chown(console, uid, gid); err != nil {
- return nil, err
- }
- return &linuxConsole{
- slavePath: console,
- master: master,
- }, nil
-}
-
-// newConsoleFromPath is an internal function returning an initialized console for use inside
-// a container's MNT namespace.
-func newConsoleFromPath(slavePath string) *linuxConsole {
- return &linuxConsole{
- slavePath: slavePath,
- }
-}
-
-// linuxConsole is a linux psuedo TTY for use within a container.
-type linuxConsole struct {
- master *os.File
- slavePath string
-}
-
-func (c *linuxConsole) Fd() uintptr {
- return c.master.Fd()
-}
-
-func (c *linuxConsole) Path() string {
- return c.slavePath
-}
-
-func (c *linuxConsole) Read(b []byte) (int, error) {
- return c.master.Read(b)
-}
-
-func (c *linuxConsole) Write(b []byte) (int, error) {
- return c.master.Write(b)
-}
-
-func (c *linuxConsole) Close() error {
- if m := c.master; m != nil {
- return m.Close()
- }
- return nil
-}
-
// mount initializes the console inside the rootfs mounting with the specified mount label
// and applying the correct ownership of the console.
-func (c *linuxConsole) mount(rootfs, mountLabel string) error {
- oldMask := syscall.Umask(0000)
- defer syscall.Umask(oldMask)
- if err := label.SetFileLabel(c.slavePath, mountLabel); err != nil {
- return err
- }
- dest := filepath.Join(rootfs, "/dev/console")
- f, err := os.Create(dest)
+func mountConsole(slavePath string) error {
+ oldMask := unix.Umask(0000)
+ defer unix.Umask(oldMask)
+ f, err := os.Create("/dev/console")
if err != nil && !os.IsExist(err) {
return err
}
if f != nil {
f.Close()
}
- return syscall.Mount(c.slavePath, dest, "bind", syscall.MS_BIND, "")
+ return unix.Mount(slavePath, "/dev/console", "bind", unix.MS_BIND, "")
}
// dupStdio opens the slavePath for the console and dups the fds to the current
// processes stdio, fd 0,1,2.
-func (c *linuxConsole) dupStdio() error {
- slave, err := c.open(syscall.O_RDWR)
+func dupStdio(slavePath string) error {
+ fd, err := unix.Open(slavePath, unix.O_RDWR, 0)
if err != nil {
- return err
+ return &os.PathError{
+ Op: "open",
+ Path: slavePath,
+ Err: err,
+ }
}
- fd := int(slave.Fd())
for _, i := range []int{0, 1, 2} {
- if err := syscall.Dup3(fd, i, 0); err != nil {
+ if err := unix.Dup3(fd, i, 0); err != nil {
return err
}
}
return nil
}
-
-// open is a clone of os.OpenFile without the O_CLOEXEC used to open the pty slave.
-func (c *linuxConsole) open(flag int) (*os.File, error) {
- r, e := syscall.Open(c.slavePath, flag, 0)
- if e != nil {
- return nil, &os.PathError{
- Op: "open",
- Path: c.slavePath,
- Err: e,
- }
- }
- return os.NewFile(uintptr(r), c.slavePath), nil
-}
-
-func ioctl(fd uintptr, flag, data uintptr) error {
- if _, _, err := syscall.Syscall(syscall.SYS_IOCTL, fd, flag, data); err != 0 {
- return err
- }
- return nil
-}
-
-// unlockpt unlocks the slave pseudoterminal device corresponding to the master pseudoterminal referred to by f.
-// unlockpt should be called before opening the slave side of a pty.
-func unlockpt(f *os.File) error {
- var u int32
- return ioctl(f.Fd(), syscall.TIOCSPTLCK, uintptr(unsafe.Pointer(&u)))
-}
-
-// ptsname retrieves the name of the first available pts for the given master.
-func ptsname(f *os.File) (string, error) {
- var n int32
- if err := ioctl(f.Fd(), syscall.TIOCGPTN, uintptr(unsafe.Pointer(&n))); err != nil {
- return "", err
- }
- return fmt.Sprintf("/dev/pts/%d", n), nil
-}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/console_windows.go b/vendor/github.com/opencontainers/runc/libcontainer/console_windows.go
deleted file mode 100644
index a68c02f66b45f1d8a26b1a588855259e7dd5f441..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/libcontainer/console_windows.go
+++ /dev/null
@@ -1,30 +0,0 @@
-package libcontainer
-
-// NewConsole returns an initalized console that can be used within a container
-func NewConsole(uid, gid int) (Console, error) {
- return &windowsConsole{}, nil
-}
-
-// windowsConsole is a Windows psuedo TTY for use within a container.
-type windowsConsole struct {
-}
-
-func (c *windowsConsole) Fd() uintptr {
- return 0
-}
-
-func (c *windowsConsole) Path() string {
- return ""
-}
-
-func (c *windowsConsole) Read(b []byte) (int, error) {
- return 0, nil
-}
-
-func (c *windowsConsole) Write(b []byte) (int, error) {
- return 0, nil
-}
-
-func (c *windowsConsole) Close() error {
- return nil
-}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/container.go b/vendor/github.com/opencontainers/runc/libcontainer/container.go
index 32daa97675a9935b768b9f19c055d5dc3848d651..ba7541c5fd68f3c860c03cffa8f1d9d997aaf6d3 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/container.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/container.go
@@ -1,4 +1,4 @@
-// Libcontainer provides a native Go implementation for creating containers
+// Package libcontainer provides a native Go implementation for creating containers
// with namespaces, cgroups, capabilities, and filesystem access controls.
// It allows you to manage the lifecycle of the container performing additional operations
// after the container is created.
@@ -9,26 +9,23 @@ import (
"time"
"github.com/opencontainers/runc/libcontainer/configs"
+ "github.com/opencontainers/runtime-spec/specs-go"
)
-// The status of a container.
+// Status is the status of a container.
type Status int
const (
- // The container exists but has not been run yet
+ // Created is the status that denotes the container exists but has not been run yet.
Created Status = iota
-
- // The container exists and is running.
+ // Running is the status that denotes the container exists and is running.
Running
-
- // The container exists, it is in the process of being paused.
+ // Pausing is the status that denotes the container exists, it is in the process of being paused.
Pausing
-
- // The container exists, but all its processes are paused.
+ // Paused is the status that denotes the container exists, but all its processes are paused.
Paused
-
- // The container does not exist.
- Destroyed
+ // Stopped is the status that denotes the container does not have a created or running process.
+ Stopped
)
func (s Status) String() string {
@@ -41,8 +38,8 @@ func (s Status) String() string {
return "pausing"
case Paused:
return "paused"
- case Destroyed:
- return "destroyed"
+ case Stopped:
+ return "stopped"
default:
return "unknown"
}
@@ -58,7 +55,7 @@ type BaseState struct {
InitProcessPid int `json:"init_process_pid"`
// InitProcessStartTime is the init process start time in clock cycles since boot time.
- InitProcessStartTime string `json:"init_process_start"`
+ InitProcessStartTime uint64 `json:"init_process_start"`
// Created is the unix timestamp for the creation time of the container in UTC
Created time.Time `json:"created"`
@@ -67,7 +64,7 @@ type BaseState struct {
Config configs.Config `json:"config"`
}
-// A libcontainer container object.
+// BaseContainer is a libcontainer container object.
//
// Each container is thread-safe within the same process. Since a container can
// be destroyed by a separate process, any function may return that the container
@@ -79,23 +76,29 @@ type BaseContainer interface {
// Returns the current status of the container.
//
// errors:
- // ContainerDestroyed - Container no longer exists,
+ // ContainerNotExists - Container no longer exists,
// Systemerror - System error.
Status() (Status, error)
// State returns the current container's state information.
//
// errors:
- // Systemerror - System error.
+ // SystemError - System error.
State() (*State, error)
+ // OCIState returns the current container's state information.
+ //
+ // errors:
+ // SystemError - System error.
+ OCIState() (*specs.State, error)
+
// Returns the current config of the container.
Config() configs.Config
// Returns the PIDs inside this container. The PIDs are in the namespace of the calling process.
//
// errors:
- // ContainerDestroyed - Container no longer exists,
+ // ContainerNotExists - Container no longer exists,
// Systemerror - System error.
//
// Some of the returned PIDs may no longer refer to processes in the Container, unless
@@ -105,7 +108,7 @@ type BaseContainer interface {
// Returns statistics for the container.
//
// errors:
- // ContainerDestroyed - Container no longer exists,
+ // ContainerNotExists - Container no longer exists,
// Systemerror - System error.
Stats() (*Stats, error)
@@ -114,31 +117,57 @@ type BaseContainer interface {
// We can use this to change resources when containers are running.
//
// errors:
- // Systemerror - System error.
+ // SystemError - System error.
Set(config configs.Config) error
// Start a process inside the container. Returns error if process fails to
// start. You can track process lifecycle with passed Process structure.
//
// errors:
- // ContainerDestroyed - Container no longer exists,
+ // ContainerNotExists - Container no longer exists,
// ConfigInvalid - config is invalid,
// ContainerPaused - Container is paused,
- // Systemerror - System error.
+ // SystemError - System error.
Start(process *Process) (err error)
- // Destroys the container after killing all running processes.
+ // Run immediately starts the process inside the container. Returns error if process
+ // fails to start. It does not block waiting for the exec fifo after start returns but
+ // opens the fifo after start returns.
+ //
+ // errors:
+ // ContainerNotExists - Container no longer exists,
+ // ConfigInvalid - config is invalid,
+ // ContainerPaused - Container is paused,
+ // SystemError - System error.
+ Run(process *Process) (err error)
+
+ // Destroys the container, if its in a valid state, after killing any
+ // remaining running processes.
//
// Any event registrations are removed before the container is destroyed.
// No error is returned if the container is already destroyed.
//
+ // Running containers must first be stopped using Signal(..).
+ // Paused containers must first be resumed using Resume(..).
+ //
// errors:
- // Systemerror - System error.
+ // ContainerNotStopped - Container is still running,
+ // ContainerPaused - Container is paused,
+ // SystemError - System error.
Destroy() error
// Signal sends the provided signal code to the container's initial process.
//
+ // If all is specified the signal is sent to all processes in the container
+ // including the initial process.
+ //
// errors:
- // Systemerror - System error.
- Signal(s os.Signal) error
+ // SystemError - System error.
+ Signal(s os.Signal, all bool) error
+
+ // Exec signals the container to exec the users process at the end of the init.
+ //
+ // errors:
+ // SystemError - System error.
+ Exec() error
}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/container_linux.go b/vendor/github.com/opencontainers/runc/libcontainer/container_linux.go
index a03debbb2da3ebf342576436e983c64a19188ea1..ef443f6fc16f6c38529a2afc8a66881366c8b166 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/container_linux.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/container_linux.go
@@ -5,43 +5,53 @@ package libcontainer
import (
"bytes"
"encoding/json"
+ "errors"
"fmt"
"io"
"io/ioutil"
+ "net"
"os"
"os/exec"
"path/filepath"
"reflect"
"strings"
"sync"
- "syscall"
+ "syscall" // only for SysProcAttr and Signal
"time"
- "github.com/sirupsen/logrus"
- "github.com/golang/protobuf/proto"
"github.com/opencontainers/runc/libcontainer/cgroups"
"github.com/opencontainers/runc/libcontainer/configs"
"github.com/opencontainers/runc/libcontainer/criurpc"
+ "github.com/opencontainers/runc/libcontainer/intelrdt"
+ "github.com/opencontainers/runc/libcontainer/system"
"github.com/opencontainers/runc/libcontainer/utils"
- "github.com/syndtr/gocapability/capability"
+ "github.com/opencontainers/runtime-spec/specs-go"
+
+ "github.com/golang/protobuf/proto"
+ "github.com/sirupsen/logrus"
"github.com/vishvananda/netlink/nl"
+ "golang.org/x/sys/unix"
)
const stdioFdCount = 3
type linuxContainer struct {
- id string
- root string
- config *configs.Config
- cgroupManager cgroups.Manager
- initPath string
- initArgs []string
- initProcess parentProcess
- criuPath string
- m sync.Mutex
- criuVersion int
- state containerState
- created time.Time
+ id string
+ root string
+ config *configs.Config
+ cgroupManager cgroups.Manager
+ intelRdtManager intelrdt.Manager
+ initPath string
+ initArgs []string
+ initProcess parentProcess
+ initProcessStartTime uint64
+ criuPath string
+ newuidmapPath string
+ newgidmapPath string
+ m sync.Mutex
+ criuVersion int
+ state containerState
+ created time.Time
}
// State represents a running container's state
@@ -50,6 +60,10 @@ type State struct {
// Platform specific fields below here
+ // Specified if the container was started under the rootless mode.
+ // Set to true if BaseState.Config.RootlessEUID && BaseState.Config.RootlessCgroups
+ Rootless bool `json:"rootless"`
+
// Path to all the cgroups setup for a container. Key is cgroup subsystem name
// with the value as the path.
CgroupPaths map[string]string `json:"cgroup_paths"`
@@ -60,9 +74,12 @@ type State struct {
// Container's standard descriptors (std{in,out,err}), needed for checkpoint and restore
ExternalDescriptors []string `json:"external_descriptors,omitempty"`
+
+ // Intel RDT "resource control" filesystem path
+ IntelRdtPath string `json:"intel_rdt_path"`
}
-// A libcontainer container object.
+// Container is a libcontainer container object.
//
// Each container is thread-safe within the same process. Since a container can
// be destroyed by a separate process, any function may return that the container
@@ -78,19 +95,20 @@ type Container interface {
// Systemerror - System error.
Checkpoint(criuOpts *CriuOpts) error
- // Restore restores the checkpointed container to a running state using the criu(8) utiity.
+ // Restore restores the checkpointed container to a running state using the criu(8) utility.
//
// errors:
// Systemerror - System error.
Restore(process *Process, criuOpts *CriuOpts) error
- // If the Container state is RUNNING or PAUSING, sets the Container state to PAUSING and pauses
+ // If the Container state is RUNNING or CREATED, sets the Container state to PAUSING and pauses
// the execution of any user processes. Asynchronously, when the container finished being paused the
// state is changed to PAUSED.
// If the Container state is PAUSED, do nothing.
//
// errors:
- // ContainerDestroyed - Container no longer exists,
+ // ContainerNotExists - Container no longer exists,
+ // ContainerNotRunning - Container not running or created,
// Systemerror - System error.
Pause() error
@@ -99,7 +117,8 @@ type Container interface {
// If the Container state is RUNNING, do nothing.
//
// errors:
- // ContainerDestroyed - Container no longer exists,
+ // ContainerNotExists - Container no longer exists,
+ // ContainerNotPaused - Container is not paused,
// Systemerror - System error.
Resume() error
@@ -138,10 +157,16 @@ func (c *linuxContainer) State() (*State, error) {
return c.currentState()
}
+func (c *linuxContainer) OCIState() (*specs.State, error) {
+ c.m.Lock()
+ defer c.m.Unlock()
+ return c.currentOCIState()
+}
+
func (c *linuxContainer) Processes() ([]int, error) {
pids, err := c.cgroupManager.GetAllPids()
if err != nil {
- return nil, newSystemError(err)
+ return nil, newSystemErrorWithCause(err, "getting all container pids from cgroups")
}
return pids, nil
}
@@ -152,14 +177,19 @@ func (c *linuxContainer) Stats() (*Stats, error) {
stats = &Stats{}
)
if stats.CgroupStats, err = c.cgroupManager.GetStats(); err != nil {
- return stats, newSystemError(err)
+ return stats, newSystemErrorWithCause(err, "getting container stats from cgroups")
+ }
+ if c.intelRdtManager != nil {
+ if stats.IntelRdtStats, err = c.intelRdtManager.GetStats(); err != nil {
+ return stats, newSystemErrorWithCause(err, "getting container's Intel RDT stats")
+ }
}
for _, iface := range c.config.Networks {
switch iface.Type {
case "veth":
istats, err := getNetworkInterfaceStats(iface.HostInterfaceName)
if err != nil {
- return stats, newSystemError(err)
+ return stats, newSystemErrorWithCausef(err, "getting network stats for interface %q", iface.HostInterfaceName)
}
stats.Interfaces = append(stats.Interfaces, istats)
}
@@ -170,52 +200,172 @@ func (c *linuxContainer) Stats() (*Stats, error) {
func (c *linuxContainer) Set(config configs.Config) error {
c.m.Lock()
defer c.m.Unlock()
+ status, err := c.currentStatus()
+ if err != nil {
+ return err
+ }
+ if status == Stopped {
+ return newGenericError(fmt.Errorf("container not running"), ContainerNotRunning)
+ }
+ if err := c.cgroupManager.Set(&config); err != nil {
+ // Set configs back
+ if err2 := c.cgroupManager.Set(c.config); err2 != nil {
+ logrus.Warnf("Setting back cgroup configs failed due to error: %v, your state.json and actual configs might be inconsistent.", err2)
+ }
+ return err
+ }
+ if c.intelRdtManager != nil {
+ if err := c.intelRdtManager.Set(&config); err != nil {
+ // Set configs back
+ if err2 := c.intelRdtManager.Set(c.config); err2 != nil {
+ logrus.Warnf("Setting back intelrdt configs failed due to error: %v, your state.json and actual configs might be inconsistent.", err2)
+ }
+ return err
+ }
+ }
+ // After config setting succeed, update config and states
c.config = &config
- return c.cgroupManager.Set(c.config)
+ _, err = c.updateState(nil)
+ return err
}
func (c *linuxContainer) Start(process *Process) error {
c.m.Lock()
defer c.m.Unlock()
- status, err := c.currentStatus()
+ if process.Init {
+ if err := c.createExecFifo(); err != nil {
+ return err
+ }
+ }
+ if err := c.start(process); err != nil {
+ if process.Init {
+ c.deleteExecFifo()
+ }
+ return err
+ }
+ return nil
+}
+
+func (c *linuxContainer) Run(process *Process) error {
+ if err := c.Start(process); err != nil {
+ return err
+ }
+ if process.Init {
+ return c.exec()
+ }
+ return nil
+}
+
+func (c *linuxContainer) Exec() error {
+ c.m.Lock()
+ defer c.m.Unlock()
+ return c.exec()
+}
+
+func (c *linuxContainer) exec() error {
+ path := filepath.Join(c.root, execFifoFilename)
+
+ fifoOpen := make(chan struct{})
+ select {
+ case <-awaitProcessExit(c.initProcess.pid(), fifoOpen):
+ return errors.New("container process is already dead")
+ case result := <-awaitFifoOpen(path):
+ close(fifoOpen)
+ if result.err != nil {
+ return result.err
+ }
+ f := result.file
+ defer f.Close()
+ if err := readFromExecFifo(f); err != nil {
+ return err
+ }
+ return os.Remove(path)
+ }
+}
+
+func readFromExecFifo(execFifo io.Reader) error {
+ data, err := ioutil.ReadAll(execFifo)
if err != nil {
return err
}
- doInit := status == Destroyed
- parent, err := c.newParentProcess(process, doInit)
+ if len(data) <= 0 {
+ return fmt.Errorf("cannot start an already running container")
+ }
+ return nil
+}
+
+func awaitProcessExit(pid int, exit <-chan struct{}) <-chan struct{} {
+ isDead := make(chan struct{})
+ go func() {
+ for {
+ select {
+ case <-exit:
+ return
+ case <-time.After(time.Millisecond * 100):
+ stat, err := system.Stat(pid)
+ if err != nil || stat.State == system.Zombie {
+ close(isDead)
+ return
+ }
+ }
+ }
+ }()
+ return isDead
+}
+
+func awaitFifoOpen(path string) <-chan openResult {
+ fifoOpened := make(chan openResult)
+ go func() {
+ f, err := os.OpenFile(path, os.O_RDONLY, 0)
+ if err != nil {
+ fifoOpened <- openResult{err: newSystemErrorWithCause(err, "open exec fifo for reading")}
+ return
+ }
+ fifoOpened <- openResult{file: f}
+ }()
+ return fifoOpened
+}
+
+type openResult struct {
+ file *os.File
+ err error
+}
+
+func (c *linuxContainer) start(process *Process) error {
+ parent, err := c.newParentProcess(process)
if err != nil {
- return newSystemError(err)
+ return newSystemErrorWithCause(err, "creating new parent process")
}
if err := parent.start(); err != nil {
// terminate the process to ensure that it properly is reaped.
- if err := parent.terminate(); err != nil {
+ if err := ignoreTerminateErrors(parent.terminate()); err != nil {
logrus.Warn(err)
}
- return newSystemError(err)
+ return newSystemErrorWithCause(err, "starting container process")
}
// generate a timestamp indicating when the container was started
c.created = time.Now().UTC()
-
- c.state = &runningState{
- c: c,
- }
- if doInit {
- if err := c.updateState(parent); err != nil {
+ if process.Init {
+ c.state = &createdState{
+ c: c,
+ }
+ state, err := c.updateState(parent)
+ if err != nil {
return err
}
+ c.initProcessStartTime = state.InitProcessStartTime
+
if c.config.Hooks != nil {
- s := configs.HookState{
- Version: c.config.Version,
- ID: c.id,
- Pid: parent.pid(),
- Root: c.config.Rootfs,
+ s, err := c.currentOCIState()
+ if err != nil {
+ return err
}
- for _, hook := range c.config.Hooks.Poststart {
+ for i, hook := range c.config.Hooks.Poststart {
if err := hook.Run(s); err != nil {
- if err := parent.terminate(); err != nil {
+ if err := ignoreTerminateErrors(parent.terminate()); err != nil {
logrus.Warn(err)
}
- return newSystemError(err)
+ return newSystemErrorWithCausef(err, "running poststart hook %d", i)
}
}
}
@@ -223,33 +373,96 @@ func (c *linuxContainer) Start(process *Process) error {
return nil
}
-func (c *linuxContainer) Signal(s os.Signal) error {
- if err := c.initProcess.signal(s); err != nil {
- return newSystemError(err)
+func (c *linuxContainer) Signal(s os.Signal, all bool) error {
+ if all {
+ return signalAllProcesses(c.cgroupManager, s)
}
+ status, err := c.currentStatus()
+ if err != nil {
+ return err
+ }
+ // to avoid a PID reuse attack
+ if status == Running || status == Created || status == Paused {
+ if err := c.initProcess.signal(s); err != nil {
+ return newSystemErrorWithCause(err, "signaling init process")
+ }
+ return nil
+ }
+ return newGenericError(fmt.Errorf("container not running"), ContainerNotRunning)
+}
+
+func (c *linuxContainer) createExecFifo() error {
+ rootuid, err := c.Config().HostRootUID()
+ if err != nil {
+ return err
+ }
+ rootgid, err := c.Config().HostRootGID()
+ if err != nil {
+ return err
+ }
+
+ fifoName := filepath.Join(c.root, execFifoFilename)
+ if _, err := os.Stat(fifoName); err == nil {
+ return fmt.Errorf("exec fifo %s already exists", fifoName)
+ }
+ oldMask := unix.Umask(0000)
+ if err := unix.Mkfifo(fifoName, 0622); err != nil {
+ unix.Umask(oldMask)
+ return err
+ }
+ unix.Umask(oldMask)
+ return os.Chown(fifoName, rootuid, rootgid)
+}
+
+func (c *linuxContainer) deleteExecFifo() {
+ fifoName := filepath.Join(c.root, execFifoFilename)
+ os.Remove(fifoName)
+}
+
+// includeExecFifo opens the container's execfifo as a pathfd, so that the
+// container cannot access the statedir (and the FIFO itself remains
+// un-opened). It then adds the FifoFd to the given exec.Cmd as an inherited
+// fd, with _LIBCONTAINER_FIFOFD set to its fd number.
+func (c *linuxContainer) includeExecFifo(cmd *exec.Cmd) error {
+ fifoName := filepath.Join(c.root, execFifoFilename)
+ fifoFd, err := unix.Open(fifoName, unix.O_PATH|unix.O_CLOEXEC, 0)
+ if err != nil {
+ return err
+ }
+
+ cmd.ExtraFiles = append(cmd.ExtraFiles, os.NewFile(uintptr(fifoFd), fifoName))
+ cmd.Env = append(cmd.Env,
+ fmt.Sprintf("_LIBCONTAINER_FIFOFD=%d", stdioFdCount+len(cmd.ExtraFiles)-1))
return nil
}
-func (c *linuxContainer) newParentProcess(p *Process, doInit bool) (parentProcess, error) {
- parentPipe, childPipe, err := newPipe()
+func (c *linuxContainer) newParentProcess(p *Process) (parentProcess, error) {
+ parentPipe, childPipe, err := utils.NewSockPair("init")
if err != nil {
- return nil, newSystemError(err)
+ return nil, newSystemErrorWithCause(err, "creating new init pipe")
}
cmd, err := c.commandTemplate(p, childPipe)
if err != nil {
- return nil, newSystemError(err)
+ return nil, newSystemErrorWithCause(err, "creating new command template")
}
- if !doInit {
+ if !p.Init {
return c.newSetnsProcess(p, cmd, parentPipe, childPipe)
}
+
+ // We only set up fifoFd if we're not doing a `runc exec`. The historic
+ // reason for this is that previously we would pass a dirfd that allowed
+ // for container rootfs escape (and not doing it in `runc exec` avoided
+ // that problem), but we no longer do that. However, there's no need to do
+ // this for `runc exec` so we just keep it this way to be safe.
+ if err := c.includeExecFifo(cmd); err != nil {
+ return nil, newSystemErrorWithCause(err, "including execfifo in cmd.Exec setup")
+ }
return c.newInitProcess(p, cmd, parentPipe, childPipe)
}
func (c *linuxContainer) commandTemplate(p *Process, childPipe *os.File) (*exec.Cmd, error) {
- cmd := &exec.Cmd{
- Path: c.initPath,
- Args: c.initArgs,
- }
+ cmd := exec.Command(c.initPath, c.initArgs[1:]...)
+ cmd.Args[0] = c.initArgs[0]
cmd.Stdin = p.Stdin
cmd.Stdout = p.Stdout
cmd.Stderr = p.Stderr
@@ -257,8 +470,18 @@ func (c *linuxContainer) commandTemplate(p *Process, childPipe *os.File) (*exec.
if cmd.SysProcAttr == nil {
cmd.SysProcAttr = &syscall.SysProcAttr{}
}
- cmd.ExtraFiles = append(p.ExtraFiles, childPipe)
- cmd.Env = append(cmd.Env, fmt.Sprintf("_LIBCONTAINER_INITPIPE=%d", stdioFdCount+len(cmd.ExtraFiles)-1))
+ cmd.Env = append(cmd.Env, fmt.Sprintf("GOMAXPROCS=%s", os.Getenv("GOMAXPROCS")))
+ cmd.ExtraFiles = append(cmd.ExtraFiles, p.ExtraFiles...)
+ if p.ConsoleSocket != nil {
+ cmd.ExtraFiles = append(cmd.ExtraFiles, p.ConsoleSocket)
+ cmd.Env = append(cmd.Env,
+ fmt.Sprintf("_LIBCONTAINER_CONSOLE=%d", stdioFdCount+len(cmd.ExtraFiles)-1),
+ )
+ }
+ cmd.ExtraFiles = append(cmd.ExtraFiles, childPipe)
+ cmd.Env = append(cmd.Env,
+ fmt.Sprintf("_LIBCONTAINER_INITPIPE=%d", stdioFdCount+len(cmd.ExtraFiles)-1),
+ )
// NOTE: when running a container with no PID namespace and the parent process spawning the container is
// PID1 the pdeathsig is being delivered to the container's init process by the kernel for some reason
// even with the parent still running.
@@ -277,44 +500,48 @@ func (c *linuxContainer) newInitProcess(p *Process, cmd *exec.Cmd, parentPipe, c
}
}
_, sharePidns := nsMaps[configs.NEWPID]
- data, err := c.bootstrapData(c.config.Namespaces.CloneFlags(), nsMaps, "")
+ data, err := c.bootstrapData(c.config.Namespaces.CloneFlags(), nsMaps)
if err != nil {
return nil, err
}
- return &initProcess{
- cmd: cmd,
- childPipe: childPipe,
- parentPipe: parentPipe,
- manager: c.cgroupManager,
- config: c.newInitConfig(p),
- container: c,
- process: p,
- bootstrapData: data,
- sharePidns: sharePidns,
- }, nil
+ init := &initProcess{
+ cmd: cmd,
+ childPipe: childPipe,
+ parentPipe: parentPipe,
+ manager: c.cgroupManager,
+ intelRdtManager: c.intelRdtManager,
+ config: c.newInitConfig(p),
+ container: c,
+ process: p,
+ bootstrapData: data,
+ sharePidns: sharePidns,
+ }
+ c.initProcess = init
+ return init, nil
}
func (c *linuxContainer) newSetnsProcess(p *Process, cmd *exec.Cmd, parentPipe, childPipe *os.File) (*setnsProcess, error) {
cmd.Env = append(cmd.Env, "_LIBCONTAINER_INITTYPE="+string(initSetns))
state, err := c.currentState()
if err != nil {
- return nil, newSystemError(err)
+ return nil, newSystemErrorWithCause(err, "getting container's current state")
}
- // for setns process, we dont have to set cloneflags as the process namespaces
+ // for setns process, we don't have to set cloneflags as the process namespaces
// will only be set via setns syscall
- data, err := c.bootstrapData(0, state.NamespacePaths, p.consolePath)
+ data, err := c.bootstrapData(0, state.NamespacePaths)
if err != nil {
return nil, err
}
- // TODO: set on container for process management
return &setnsProcess{
- cmd: cmd,
- cgroupPaths: c.cgroupManager.GetPaths(),
- childPipe: childPipe,
- parentPipe: parentPipe,
- config: c.newInitConfig(p),
- process: p,
- bootstrapData: data,
+ cmd: cmd,
+ cgroupPaths: c.cgroupManager.GetPaths(),
+ rootlessCgroups: c.config.RootlessCgroups,
+ intelRdtPath: state.IntelRdtPath,
+ childPipe: childPipe,
+ parentPipe: parentPipe,
+ config: c.newInitConfig(p),
+ process: p,
+ bootstrapData: data,
}, nil
}
@@ -324,12 +551,14 @@ func (c *linuxContainer) newInitConfig(process *Process) *initConfig {
Args: process.Args,
Env: process.Env,
User: process.User,
+ AdditionalGroups: process.AdditionalGroups,
Cwd: process.Cwd,
- Console: process.consolePath,
Capabilities: process.Capabilities,
PassedFilesCount: len(process.ExtraFiles),
ContainerId: c.ID(),
NoNewPrivileges: c.config.NoNewPrivileges,
+ RootlessEUID: c.config.RootlessEUID,
+ RootlessCgroups: c.config.RootlessCgroups,
AppArmorProfile: c.config.AppArmorProfile,
ProcessLabel: c.config.ProcessLabel,
Rlimits: c.config.Rlimits,
@@ -346,17 +575,12 @@ func (c *linuxContainer) newInitConfig(process *Process) *initConfig {
if len(process.Rlimits) > 0 {
cfg.Rlimits = process.Rlimits
}
+ cfg.CreateConsole = process.ConsoleSocket != nil
+ cfg.ConsoleWidth = process.ConsoleWidth
+ cfg.ConsoleHeight = process.ConsoleHeight
return cfg
}
-func newPipe() (parent *os.File, child *os.File, err error) {
- fds, err := syscall.Socketpair(syscall.AF_LOCAL, syscall.SOCK_STREAM|syscall.SOCK_CLOEXEC, 0)
- if err != nil {
- return nil, nil, err
- }
- return os.NewFile(uintptr(fds[1]), "parent"), os.NewFile(uintptr(fds[0]), "child"), nil
-}
-
func (c *linuxContainer) Destroy() error {
c.m.Lock()
defer c.m.Unlock()
@@ -370,15 +594,16 @@ func (c *linuxContainer) Pause() error {
if err != nil {
return err
}
- if status != Running {
- return newGenericError(fmt.Errorf("container not running"), ContainerNotRunning)
- }
- if err := c.cgroupManager.Freeze(configs.Frozen); err != nil {
- return err
+ switch status {
+ case Running, Created:
+ if err := c.cgroupManager.Freeze(configs.Frozen); err != nil {
+ return err
+ }
+ return c.state.transition(&pausedState{
+ c: c,
+ })
}
- return c.state.transition(&pausedState{
- c: c,
- })
+ return newGenericError(fmt.Errorf("container not running or created: %s", status), ContainerNotRunning)
}
func (c *linuxContainer) Resume() error {
@@ -400,36 +625,93 @@ func (c *linuxContainer) Resume() error {
}
func (c *linuxContainer) NotifyOOM() (<-chan struct{}, error) {
+ // XXX(cyphar): This requires cgroups.
+ if c.config.RootlessCgroups {
+ logrus.Warn("getting OOM notifications may fail if you don't have the full access to cgroups")
+ }
return notifyOnOOM(c.cgroupManager.GetPaths())
}
func (c *linuxContainer) NotifyMemoryPressure(level PressureLevel) (<-chan struct{}, error) {
+ // XXX(cyphar): This requires cgroups.
+ if c.config.RootlessCgroups {
+ logrus.Warn("getting memory pressure notifications may fail if you don't have the full access to cgroups")
+ }
return notifyMemoryPressure(c.cgroupManager.GetPaths(), level)
}
-// XXX debug support, remove when debugging done.
-func addArgsFromEnv(evar string, args *[]string) {
- if e := os.Getenv(evar); e != "" {
- for _, f := range strings.Fields(e) {
- *args = append(*args, f)
- }
+var criuFeatures *criurpc.CriuFeatures
+
+func (c *linuxContainer) checkCriuFeatures(criuOpts *CriuOpts, rpcOpts *criurpc.CriuOpts, criuFeat *criurpc.CriuFeatures) error {
+
+ var t criurpc.CriuReqType
+ t = criurpc.CriuReqType_FEATURE_CHECK
+
+ // criu 1.8 => 10800
+ if err := c.checkCriuVersion(10800); err != nil {
+ // Feature checking was introduced with CRIU 1.8.
+ // Ignore the feature check if an older CRIU version is used
+ // and just act as before.
+ // As all automated PR testing is done using CRIU 1.7 this
+ // code will not be tested by automated PR testing.
+ return nil
}
- fmt.Printf(">>> criu %v\n", *args)
-}
-// check Criu version greater than or equal to min_version
-func (c *linuxContainer) checkCriuVersion(min_version string) error {
- var x, y, z, versionReq int
+ // make sure the features we are looking for are really not from
+ // some previous check
+ criuFeatures = nil
+
+ req := &criurpc.CriuReq{
+ Type: &t,
+ // Theoretically this should not be necessary but CRIU
+ // segfaults if Opts is empty.
+ // Fixed in CRIU 2.12
+ Opts: rpcOpts,
+ Features: criuFeat,
+ }
- _, err := fmt.Sscanf(min_version, "%d.%d.%d\n", &x, &y, &z) // 1.5.2
+ err := c.criuSwrk(nil, req, criuOpts, false, nil)
if err != nil {
- _, err = fmt.Sscanf(min_version, "Version: %d.%d\n", &x, &y) // 1.6
+ logrus.Debugf("%s", err)
+ return fmt.Errorf("CRIU feature check failed")
}
- versionReq = x*10000 + y*100 + z
- out, err := exec.Command(c.criuPath, "-V").Output()
+ logrus.Debugf("Feature check says: %s", criuFeatures)
+ missingFeatures := false
+
+ // The outer if checks if the fields actually exist
+ if (criuFeat.MemTrack != nil) &&
+ (criuFeatures.MemTrack != nil) {
+ // The inner if checks if they are set to true
+ if *criuFeat.MemTrack && !*criuFeatures.MemTrack {
+ missingFeatures = true
+ logrus.Debugf("CRIU does not support MemTrack")
+ }
+ }
+
+ // This needs to be repeated for every new feature check.
+ // Is there a way to put this in a function. Reflection?
+ if (criuFeat.LazyPages != nil) &&
+ (criuFeatures.LazyPages != nil) {
+ if *criuFeat.LazyPages && !*criuFeatures.LazyPages {
+ missingFeatures = true
+ logrus.Debugf("CRIU does not support LazyPages")
+ }
+ }
+
+ if missingFeatures {
+ return fmt.Errorf("CRIU is missing features")
+ }
+
+ return nil
+}
+
+func parseCriuVersion(path string) (int, error) {
+ var x, y, z int
+
+ out, err := exec.Command(path, "-V").Output()
if err != nil {
- return fmt.Errorf("Unable to execute CRIU command: %s", c.criuPath)
+ return 0, fmt.Errorf("Unable to execute CRIU command: %s", path)
}
x = 0
@@ -441,18 +723,18 @@ func (c *linuxContainer) checkCriuVersion(min_version string) error {
if sp := strings.Index(string(out), "GitID"); sp > 0 {
version = string(out)[sp:ep]
} else {
- return fmt.Errorf("Unable to parse the CRIU version: %s", c.criuPath)
+ return 0, fmt.Errorf("Unable to parse the CRIU version: %s", path)
}
- n, err := fmt.Sscanf(string(version), "GitID: v%d.%d.%d", &x, &y, &z) // 1.5.2
+ n, err := fmt.Sscanf(version, "GitID: v%d.%d.%d", &x, &y, &z) // 1.5.2
if err != nil {
- n, err = fmt.Sscanf(string(version), "GitID: v%d.%d", &x, &y) // 1.6
+ n, err = fmt.Sscanf(version, "GitID: v%d.%d", &x, &y) // 1.6
y++
} else {
z++
}
if n < 2 || err != nil {
- return fmt.Errorf("Unable to parse the CRIU version: %s %d %s", version, n, err)
+ return 0, fmt.Errorf("Unable to parse the CRIU version: %s %d %s", version, n, err)
}
} else {
// criu release version format
@@ -461,19 +743,81 @@ func (c *linuxContainer) checkCriuVersion(min_version string) error {
n, err = fmt.Sscanf(string(out), "Version: %d.%d\n", &x, &y) // 1.6
}
if n < 2 || err != nil {
- return fmt.Errorf("Unable to parse the CRIU version: %s %d %s", out, n, err)
+ return 0, fmt.Errorf("Unable to parse the CRIU version: %s %d %s", out, n, err)
}
}
- c.criuVersion = x*10000 + y*100 + z
+ return x*10000 + y*100 + z, nil
+}
- if c.criuVersion < versionReq {
- return fmt.Errorf("CRIU version must be %s or higher", min_version)
+func compareCriuVersion(criuVersion int, minVersion int) error {
+ // simple function to perform the actual version compare
+ if criuVersion < minVersion {
+ return fmt.Errorf("CRIU version %d must be %d or higher", criuVersion, minVersion)
}
return nil
}
+// This is used to store the result of criu version RPC
+var criuVersionRPC *criurpc.CriuVersion
+
+// checkCriuVersion checks Criu version greater than or equal to minVersion
+func (c *linuxContainer) checkCriuVersion(minVersion int) error {
+
+ // If the version of criu has already been determined there is no need
+ // to ask criu for the version again. Use the value from c.criuVersion.
+ if c.criuVersion != 0 {
+ return compareCriuVersion(c.criuVersion, minVersion)
+ }
+
+ // First try if this version of CRIU support the version RPC.
+ // The CRIU version RPC was introduced with CRIU 3.0.
+
+ // First, reset the variable for the RPC answer to nil
+ criuVersionRPC = nil
+
+ var t criurpc.CriuReqType
+ t = criurpc.CriuReqType_VERSION
+ req := &criurpc.CriuReq{
+ Type: &t,
+ }
+
+ err := c.criuSwrk(nil, req, nil, false, nil)
+ if err != nil {
+ return fmt.Errorf("CRIU version check failed: %s", err)
+ }
+
+ if criuVersionRPC != nil {
+ logrus.Debugf("CRIU version: %s", criuVersionRPC)
+ // major and minor are always set
+ c.criuVersion = int(*criuVersionRPC.Major) * 10000
+ c.criuVersion += int(*criuVersionRPC.Minor) * 100
+ if criuVersionRPC.Sublevel != nil {
+ c.criuVersion += int(*criuVersionRPC.Sublevel)
+ }
+ if criuVersionRPC.Gitid != nil {
+ // runc's convention is that a CRIU git release is
+ // always the same as increasing the minor by 1
+ c.criuVersion -= (c.criuVersion % 100)
+ c.criuVersion += 100
+ }
+ return compareCriuVersion(c.criuVersion, minVersion)
+ }
+
+ // This is CRIU without the version RPC and therefore
+ // older than 3.0. Parsing the output is required.
+
+ // This can be remove once runc does not work with criu older than 3.0
+
+ c.criuVersion, err = parseCriuVersion(c.criuPath)
+ if err != nil {
+ return err
+ }
+
+ return compareCriuVersion(c.criuVersion, minVersion)
+}
+
const descriptorsFilename = "descriptors.json"
func (c *linuxContainer) addCriuDumpMount(req *criurpc.CriuReq, m *configs.Mount) {
@@ -489,11 +833,86 @@ func (c *linuxContainer) addCriuDumpMount(req *criurpc.CriuReq, m *configs.Mount
req.Opts.ExtMnt = append(req.Opts.ExtMnt, extMnt)
}
+func (c *linuxContainer) addMaskPaths(req *criurpc.CriuReq) error {
+ for _, path := range c.config.MaskPaths {
+ fi, err := os.Stat(fmt.Sprintf("/proc/%d/root/%s", c.initProcess.pid(), path))
+ if err != nil {
+ if os.IsNotExist(err) {
+ continue
+ }
+ return err
+ }
+ if fi.IsDir() {
+ continue
+ }
+
+ extMnt := &criurpc.ExtMountMap{
+ Key: proto.String(path),
+ Val: proto.String("/dev/null"),
+ }
+ req.Opts.ExtMnt = append(req.Opts.ExtMnt, extMnt)
+ }
+ return nil
+}
+
+func waitForCriuLazyServer(r *os.File, status string) error {
+
+ data := make([]byte, 1)
+ _, err := r.Read(data)
+ if err != nil {
+ return err
+ }
+ fd, err := os.OpenFile(status, os.O_TRUNC|os.O_WRONLY, os.ModeAppend)
+ if err != nil {
+ return err
+ }
+ _, err = fd.Write(data)
+ if err != nil {
+ return err
+ }
+ fd.Close()
+
+ return nil
+}
+
+func (c *linuxContainer) handleCriuConfigurationFile(rpcOpts *criurpc.CriuOpts) {
+ // CRIU will evaluate a configuration starting with release 3.11.
+ // Settings in the configuration file will overwrite RPC settings.
+ // Look for annotations. The annotation 'org.criu.config'
+ // specifies if CRIU should use a different, container specific
+ // configuration file.
+ _, annotations := utils.Annotations(c.config.Labels)
+ configFile, exists := annotations["org.criu.config"]
+ if exists {
+ // If the annotation 'org.criu.config' exists and is set
+ // to a non-empty string, tell CRIU to use that as a
+ // configuration file. If the file does not exist, CRIU
+ // will just ignore it.
+ if configFile != "" {
+ rpcOpts.ConfigFile = proto.String(configFile)
+ }
+ // If 'org.criu.config' exists and is set to an empty
+ // string, a runc specific CRIU configuration file will
+ // be not set at all.
+ } else {
+ // If the mentioned annotation has not been found, specify
+ // a default CRIU configuration file.
+ rpcOpts.ConfigFile = proto.String("/etc/criu/runc.conf")
+ }
+}
+
func (c *linuxContainer) Checkpoint(criuOpts *CriuOpts) error {
c.m.Lock()
defer c.m.Unlock()
- if err := c.checkCriuVersion("1.5.2"); err != nil {
+ // Checkpoint is unlikely to work if os.Geteuid() != 0 || system.RunningInUserNS().
+ // (CLI prints a warning)
+ // TODO(avagin): Figure out how to make this work nicely. CRIU 2.0 has
+ // support for doing unprivileged dumps, but the setup of
+ // rootless containers might make this complicated.
+
+ // criu 1.5.2 => 10502
+ if err := c.checkCriuVersion(10502); err != nil {
return err
}
@@ -528,19 +947,57 @@ func (c *linuxContainer) Checkpoint(criuOpts *CriuOpts) error {
defer imageDir.Close()
rpcOpts := criurpc.CriuOpts{
- ImagesDirFd: proto.Int32(int32(imageDir.Fd())),
- WorkDirFd: proto.Int32(int32(workDir.Fd())),
- LogLevel: proto.Int32(4),
- LogFile: proto.String("dump.log"),
- Root: proto.String(c.config.Rootfs),
- ManageCgroups: proto.Bool(true),
- NotifyScripts: proto.Bool(true),
- Pid: proto.Int32(int32(c.initProcess.pid())),
- ShellJob: proto.Bool(criuOpts.ShellJob),
- LeaveRunning: proto.Bool(criuOpts.LeaveRunning),
- TcpEstablished: proto.Bool(criuOpts.TcpEstablished),
- ExtUnixSk: proto.Bool(criuOpts.ExternalUnixConnections),
- FileLocks: proto.Bool(criuOpts.FileLocks),
+ ImagesDirFd: proto.Int32(int32(imageDir.Fd())),
+ WorkDirFd: proto.Int32(int32(workDir.Fd())),
+ LogLevel: proto.Int32(4),
+ LogFile: proto.String("dump.log"),
+ Root: proto.String(c.config.Rootfs),
+ ManageCgroups: proto.Bool(true),
+ NotifyScripts: proto.Bool(true),
+ Pid: proto.Int32(int32(c.initProcess.pid())),
+ ShellJob: proto.Bool(criuOpts.ShellJob),
+ LeaveRunning: proto.Bool(criuOpts.LeaveRunning),
+ TcpEstablished: proto.Bool(criuOpts.TcpEstablished),
+ ExtUnixSk: proto.Bool(criuOpts.ExternalUnixConnections),
+ FileLocks: proto.Bool(criuOpts.FileLocks),
+ EmptyNs: proto.Uint32(criuOpts.EmptyNs),
+ OrphanPtsMaster: proto.Bool(true),
+ AutoDedup: proto.Bool(criuOpts.AutoDedup),
+ LazyPages: proto.Bool(criuOpts.LazyPages),
+ }
+
+ c.handleCriuConfigurationFile(&rpcOpts)
+
+ // If the container is running in a network namespace and has
+ // a path to the network namespace configured, we will dump
+ // that network namespace as an external namespace and we
+ // will expect that the namespace exists during restore.
+ // This basically means that CRIU will ignore the namespace
+ // and expect to be setup correctly.
+ nsPath := c.config.Namespaces.PathOf(configs.NEWNET)
+ if nsPath != "" {
+ // For this to work we need at least criu 3.11.0 => 31100.
+ // As there was already a successful version check we will
+ // not error out if it fails. runc will just behave as it used
+ // to do and ignore external network namespaces.
+ err := c.checkCriuVersion(31100)
+ if err == nil {
+ // CRIU expects the information about an external namespace
+ // like this: --external net[<inode>]:<key>
+ // This <key> is always 'extRootNetNS'.
+ var netns syscall.Stat_t
+ err = syscall.Stat(nsPath, &netns)
+ if err != nil {
+ return err
+ }
+ criuExternal := fmt.Sprintf("net[%d]:extRootNetNS", netns.Ino)
+ rpcOpts.External = append(rpcOpts.External, criuExternal)
+ }
+ }
+
+ fcg := c.cgroupManager.GetPaths()["freezer"]
+ if fcg != "" {
+ rpcOpts.FreezeCgroup = proto.String(fcg)
}
// append optional criu opts, e.g., page-server and port
@@ -551,50 +1008,98 @@ func (c *linuxContainer) Checkpoint(criuOpts *CriuOpts) error {
}
}
+ //pre-dump may need parentImage param to complete iterative migration
+ if criuOpts.ParentImage != "" {
+ rpcOpts.ParentImg = proto.String(criuOpts.ParentImage)
+ rpcOpts.TrackMem = proto.Bool(true)
+ }
+
// append optional manage cgroups mode
if criuOpts.ManageCgroupsMode != 0 {
- if err := c.checkCriuVersion("1.7"); err != nil {
+ // criu 1.7 => 10700
+ if err := c.checkCriuVersion(10700); err != nil {
return err
}
- rpcOpts.ManageCgroupsMode = proto.Uint32(uint32(criuOpts.ManageCgroupsMode))
+ mode := criurpc.CriuCgMode(criuOpts.ManageCgroupsMode)
+ rpcOpts.ManageCgroupsMode = &mode
}
- t := criurpc.CriuReqType_DUMP
+ var t criurpc.CriuReqType
+ if criuOpts.PreDump {
+ feat := criurpc.CriuFeatures{
+ MemTrack: proto.Bool(true),
+ }
+
+ if err := c.checkCriuFeatures(criuOpts, &rpcOpts, &feat); err != nil {
+ return err
+ }
+
+ t = criurpc.CriuReqType_PRE_DUMP
+ } else {
+ t = criurpc.CriuReqType_DUMP
+ }
req := &criurpc.CriuReq{
Type: &t,
Opts: &rpcOpts,
}
- for _, m := range c.config.Mounts {
- switch m.Device {
- case "bind":
- c.addCriuDumpMount(req, m)
- break
- case "cgroup":
- binds, err := getCgroupMounts(m)
- if err != nil {
- return err
- }
- for _, b := range binds {
- c.addCriuDumpMount(req, b)
+ if criuOpts.LazyPages {
+ // lazy migration requested; check if criu supports it
+ feat := criurpc.CriuFeatures{
+ LazyPages: proto.Bool(true),
+ }
+
+ if err := c.checkCriuFeatures(criuOpts, &rpcOpts, &feat); err != nil {
+ return err
+ }
+
+ statusRead, statusWrite, err := os.Pipe()
+ if err != nil {
+ return err
+ }
+ rpcOpts.StatusFd = proto.Int32(int32(statusWrite.Fd()))
+ go waitForCriuLazyServer(statusRead, criuOpts.StatusFd)
+ }
+
+ //no need to dump these information in pre-dump
+ if !criuOpts.PreDump {
+ for _, m := range c.config.Mounts {
+ switch m.Device {
+ case "bind":
+ c.addCriuDumpMount(req, m)
+ case "cgroup":
+ binds, err := getCgroupMounts(m)
+ if err != nil {
+ return err
+ }
+ for _, b := range binds {
+ c.addCriuDumpMount(req, b)
+ }
}
- break
}
- }
- // Write the FD info to a file in the image directory
+ if err := c.addMaskPaths(req); err != nil {
+ return err
+ }
- fdsJSON, err := json.Marshal(c.initProcess.externalDescriptors())
- if err != nil {
- return err
- }
+ for _, node := range c.config.Devices {
+ m := &configs.Mount{Destination: node.Path, Source: node.Path}
+ c.addCriuDumpMount(req, m)
+ }
- err = ioutil.WriteFile(filepath.Join(criuOpts.ImagesDirectory, descriptorsFilename), fdsJSON, 0655)
- if err != nil {
- return err
+ // Write the FD info to a file in the image directory
+ fdsJSON, err := json.Marshal(c.initProcess.externalDescriptors())
+ if err != nil {
+ return err
+ }
+
+ err = ioutil.WriteFile(filepath.Join(criuOpts.ImagesDirectory, descriptorsFilename), fdsJSON, 0655)
+ if err != nil {
+ return err
+ }
}
- err = c.criuSwrk(nil, req, criuOpts, false)
+ err = c.criuSwrk(nil, req, criuOpts, false, nil)
if err != nil {
return err
}
@@ -614,10 +1119,39 @@ func (c *linuxContainer) addCriuRestoreMount(req *criurpc.CriuReq, m *configs.Mo
req.Opts.ExtMnt = append(req.Opts.ExtMnt, extMnt)
}
+func (c *linuxContainer) restoreNetwork(req *criurpc.CriuReq, criuOpts *CriuOpts) {
+ for _, iface := range c.config.Networks {
+ switch iface.Type {
+ case "veth":
+ veth := new(criurpc.CriuVethPair)
+ veth.IfOut = proto.String(iface.HostInterfaceName)
+ veth.IfIn = proto.String(iface.Name)
+ req.Opts.Veths = append(req.Opts.Veths, veth)
+ case "loopback":
+ // Do nothing
+ }
+ }
+ for _, i := range criuOpts.VethPairs {
+ veth := new(criurpc.CriuVethPair)
+ veth.IfOut = proto.String(i.HostInterfaceName)
+ veth.IfIn = proto.String(i.ContainerInterfaceName)
+ req.Opts.Veths = append(req.Opts.Veths, veth)
+ }
+}
+
func (c *linuxContainer) Restore(process *Process, criuOpts *CriuOpts) error {
c.m.Lock()
defer c.m.Unlock()
- if err := c.checkCriuVersion("1.5.2"); err != nil {
+
+ var extraFiles []*os.File
+
+ // Restore is unlikely to work if os.Geteuid() != 0 || system.RunningInUserNS().
+ // (CLI prints a warning)
+ // TODO(avagin): Figure out how to make this work nicely. CRIU doesn't have
+ // support for unprivileged restore at the moment.
+
+ // criu 1.5.2 => 10502
+ if err := c.checkCriuVersion(10502); err != nil {
return err
}
if criuOpts.WorkDirectory == "" {
@@ -655,36 +1189,73 @@ func (c *linuxContainer) Restore(process *Process, criuOpts *CriuOpts) error {
if err != nil {
return err
}
- err = syscall.Mount(c.config.Rootfs, root, "", syscall.MS_BIND|syscall.MS_REC, "")
+ err = unix.Mount(c.config.Rootfs, root, "", unix.MS_BIND|unix.MS_REC, "")
if err != nil {
return err
}
- defer syscall.Unmount(root, syscall.MNT_DETACH)
+ defer unix.Unmount(root, unix.MNT_DETACH)
t := criurpc.CriuReqType_RESTORE
req := &criurpc.CriuReq{
Type: &t,
Opts: &criurpc.CriuOpts{
- ImagesDirFd: proto.Int32(int32(imageDir.Fd())),
- WorkDirFd: proto.Int32(int32(workDir.Fd())),
- EvasiveDevices: proto.Bool(true),
- LogLevel: proto.Int32(4),
- LogFile: proto.String("restore.log"),
- RstSibling: proto.Bool(true),
- Root: proto.String(root),
- ManageCgroups: proto.Bool(true),
- NotifyScripts: proto.Bool(true),
- ShellJob: proto.Bool(criuOpts.ShellJob),
- ExtUnixSk: proto.Bool(criuOpts.ExternalUnixConnections),
- TcpEstablished: proto.Bool(criuOpts.TcpEstablished),
- FileLocks: proto.Bool(criuOpts.FileLocks),
+ ImagesDirFd: proto.Int32(int32(imageDir.Fd())),
+ WorkDirFd: proto.Int32(int32(workDir.Fd())),
+ EvasiveDevices: proto.Bool(true),
+ LogLevel: proto.Int32(4),
+ LogFile: proto.String("restore.log"),
+ RstSibling: proto.Bool(true),
+ Root: proto.String(root),
+ ManageCgroups: proto.Bool(true),
+ NotifyScripts: proto.Bool(true),
+ ShellJob: proto.Bool(criuOpts.ShellJob),
+ ExtUnixSk: proto.Bool(criuOpts.ExternalUnixConnections),
+ TcpEstablished: proto.Bool(criuOpts.TcpEstablished),
+ FileLocks: proto.Bool(criuOpts.FileLocks),
+ EmptyNs: proto.Uint32(criuOpts.EmptyNs),
+ OrphanPtsMaster: proto.Bool(true),
+ AutoDedup: proto.Bool(criuOpts.AutoDedup),
+ LazyPages: proto.Bool(criuOpts.LazyPages),
},
}
+ c.handleCriuConfigurationFile(req.Opts)
+
+ // Same as during checkpointing. If the container has a specific network namespace
+ // assigned to it, this now expects that the checkpoint will be restored in a
+ // already created network namespace.
+ nsPath := c.config.Namespaces.PathOf(configs.NEWNET)
+ if nsPath != "" {
+ // For this to work we need at least criu 3.11.0 => 31100.
+ // As there was already a successful version check we will
+ // not error out if it fails. runc will just behave as it used
+ // to do and ignore external network namespaces.
+ err := c.checkCriuVersion(31100)
+ if err == nil {
+ // CRIU wants the information about an existing network namespace
+ // like this: --inherit-fd fd[<fd>]:<key>
+ // The <key> needs to be the same as during checkpointing.
+ // We are always using 'extRootNetNS' as the key in this.
+ netns, err := os.Open(nsPath)
+ defer netns.Close()
+ if err != nil {
+ logrus.Errorf("If a specific network namespace is defined it must exist: %s", err)
+ return fmt.Errorf("Requested network namespace %v does not exist", nsPath)
+ }
+ inheritFd := new(criurpc.InheritFd)
+ inheritFd.Key = proto.String("extRootNetNS")
+ // The offset of four is necessary because 0, 1, 2 and 3 is already
+ // used by stdin, stdout, stderr, 'criu swrk' socket.
+ inheritFd.Fd = proto.Int32(int32(4 + len(extraFiles)))
+ req.Opts.InheritFd = append(req.Opts.InheritFd, inheritFd)
+ // All open FDs need to be transferred to CRIU via extraFiles
+ extraFiles = append(extraFiles, netns)
+ }
+ }
+
for _, m := range c.config.Mounts {
switch m.Device {
case "bind":
c.addCriuRestoreMount(req, m)
- break
case "cgroup":
binds, err := getCgroupMounts(m)
if err != nil {
@@ -693,34 +1264,31 @@ func (c *linuxContainer) Restore(process *Process, criuOpts *CriuOpts) error {
for _, b := range binds {
c.addCriuRestoreMount(req, b)
}
- break
}
}
- for _, iface := range c.config.Networks {
- switch iface.Type {
- case "veth":
- veth := new(criurpc.CriuVethPair)
- veth.IfOut = proto.String(iface.HostInterfaceName)
- veth.IfIn = proto.String(iface.Name)
- req.Opts.Veths = append(req.Opts.Veths, veth)
- break
- case "loopback":
- break
- }
+
+ if len(c.config.MaskPaths) > 0 {
+ m := &configs.Mount{Destination: "/dev/null", Source: "/dev/null"}
+ c.addCriuRestoreMount(req, m)
}
- for _, i := range criuOpts.VethPairs {
- veth := new(criurpc.CriuVethPair)
- veth.IfOut = proto.String(i.HostInterfaceName)
- veth.IfIn = proto.String(i.ContainerInterfaceName)
- req.Opts.Veths = append(req.Opts.Veths, veth)
+
+ for _, node := range c.config.Devices {
+ m := &configs.Mount{Destination: node.Path, Source: node.Path}
+ c.addCriuRestoreMount(req, m)
+ }
+
+ if criuOpts.EmptyNs&unix.CLONE_NEWNET == 0 {
+ c.restoreNetwork(req, criuOpts)
}
// append optional manage cgroups mode
if criuOpts.ManageCgroupsMode != 0 {
- if err := c.checkCriuVersion("1.7"); err != nil {
+ // criu 1.7 => 10700
+ if err := c.checkCriuVersion(10700); err != nil {
return err
}
- req.Opts.ManageCgroupsMode = proto.Uint32(uint32(criuOpts.ManageCgroupsMode))
+ mode := criurpc.CriuCgMode(criuOpts.ManageCgroupsMode)
+ req.Opts.ManageCgroupsMode = &mode
}
var (
@@ -742,14 +1310,19 @@ func (c *linuxContainer) Restore(process *Process, criuOpts *CriuOpts) error {
req.Opts.InheritFd = append(req.Opts.InheritFd, inheritFd)
}
}
- return c.criuSwrk(process, req, criuOpts, true)
+ return c.criuSwrk(process, req, criuOpts, true, extraFiles)
}
func (c *linuxContainer) criuApplyCgroups(pid int, req *criurpc.CriuReq) error {
+ // XXX: Do we need to deal with this case? AFAIK criu still requires root.
if err := c.cgroupManager.Apply(pid); err != nil {
return err
}
+ if err := c.cgroupManager.Set(c.config); err != nil {
+ return newSystemError(err)
+ }
+
path := fmt.Sprintf("/proc/%d/cgroup", pid)
cgroupsPaths, err := cgroups.ParseCgroupFile(path)
if err != nil {
@@ -767,20 +1340,39 @@ func (c *linuxContainer) criuApplyCgroups(pid int, req *criurpc.CriuReq) error {
return nil
}
-func (c *linuxContainer) criuSwrk(process *Process, req *criurpc.CriuReq, opts *CriuOpts, applyCgroups bool) error {
- fds, err := syscall.Socketpair(syscall.AF_LOCAL, syscall.SOCK_SEQPACKET|syscall.SOCK_CLOEXEC, 0)
+func (c *linuxContainer) criuSwrk(process *Process, req *criurpc.CriuReq, opts *CriuOpts, applyCgroups bool, extraFiles []*os.File) error {
+ fds, err := unix.Socketpair(unix.AF_LOCAL, unix.SOCK_SEQPACKET|unix.SOCK_CLOEXEC, 0)
if err != nil {
return err
}
- logPath := filepath.Join(opts.WorkDirectory, req.GetOpts().GetLogFile())
+ var logPath string
+ if opts != nil {
+ logPath = filepath.Join(opts.WorkDirectory, req.GetOpts().GetLogFile())
+ } else {
+ // For the VERSION RPC 'opts' is set to 'nil' and therefore
+ // opts.WorkDirectory does not exist. Set logPath to "".
+ logPath = ""
+ }
criuClient := os.NewFile(uintptr(fds[0]), "criu-transport-client")
+ criuClientFileCon, err := net.FileConn(criuClient)
+ criuClient.Close()
+ if err != nil {
+ return err
+ }
+
+ criuClientCon := criuClientFileCon.(*net.UnixConn)
+ defer criuClientCon.Close()
+
criuServer := os.NewFile(uintptr(fds[1]), "criu-transport-server")
- defer criuClient.Close()
defer criuServer.Close()
args := []string{"swrk", "3"}
- logrus.Debugf("Using CRIU %d at: %s", c.criuVersion, c.criuPath)
+ if c.criuVersion != 0 {
+ // If the CRIU Version is still '0' then this is probably
+ // the initial CRIU run to detect the version. Skip it.
+ logrus.Debugf("Using CRIU %d at: %s", c.criuVersion, c.criuPath)
+ }
logrus.Debugf("Using CRIU with following args: %s", args)
cmd := exec.Command(c.criuPath, args...)
if process != nil {
@@ -789,6 +1381,9 @@ func (c *linuxContainer) criuSwrk(process *Process, req *criurpc.CriuReq, opts *
cmd.Stderr = process.Stderr
}
cmd.ExtraFiles = append(cmd.ExtraFiles, criuServer)
+ if extraFiles != nil {
+ cmd.ExtraFiles = append(cmd.ExtraFiles, extraFiles...)
+ }
if err := cmd.Start(); err != nil {
return err
@@ -796,7 +1391,7 @@ func (c *linuxContainer) criuSwrk(process *Process, req *criurpc.CriuReq, opts *
criuServer.Close()
defer func() {
- criuClient.Close()
+ criuClientCon.Close()
_, err := cmd.Process.Wait()
if err != nil {
return
@@ -819,29 +1414,38 @@ func (c *linuxContainer) criuSwrk(process *Process, req *criurpc.CriuReq, opts *
}
logrus.Debugf("Using CRIU in %s mode", req.GetType().String())
- val := reflect.ValueOf(req.GetOpts())
- v := reflect.Indirect(val)
- for i := 0; i < v.NumField(); i++ {
- st := v.Type()
- name := st.Field(i).Name
- if strings.HasPrefix(name, "XXX_") {
- continue
+ // In the case of criurpc.CriuReqType_FEATURE_CHECK req.GetOpts()
+ // should be empty. For older CRIU versions it still will be
+ // available but empty. criurpc.CriuReqType_VERSION actually
+ // has no req.GetOpts().
+ if !(req.GetType() == criurpc.CriuReqType_FEATURE_CHECK ||
+ req.GetType() == criurpc.CriuReqType_VERSION) {
+
+ val := reflect.ValueOf(req.GetOpts())
+ v := reflect.Indirect(val)
+ for i := 0; i < v.NumField(); i++ {
+ st := v.Type()
+ name := st.Field(i).Name
+ if strings.HasPrefix(name, "XXX_") {
+ continue
+ }
+ value := val.MethodByName("Get" + name).Call([]reflect.Value{})
+ logrus.Debugf("CRIU option %s with value %v", name, value[0])
}
- value := val.MethodByName("Get" + name).Call([]reflect.Value{})
- logrus.Debugf("CRIU option %s with value %v", name, value[0])
}
data, err := proto.Marshal(req)
if err != nil {
return err
}
- _, err = criuClient.Write(data)
+ _, err = criuClientCon.Write(data)
if err != nil {
return err
}
buf := make([]byte, 10*4096)
+ oob := make([]byte, 4096)
for true {
- n, err := criuClient.Read(buf)
+ n, oobn, _, _, err := criuClientCon.ReadMsgUnix(buf, oob)
if err != nil {
return err
}
@@ -859,13 +1463,25 @@ func (c *linuxContainer) criuSwrk(process *Process, req *criurpc.CriuReq, opts *
}
if !resp.GetSuccess() {
typeString := req.GetType().String()
+ if typeString == "VERSION" {
+ // If the VERSION RPC fails this probably means that the CRIU
+ // version is too old for this RPC. Just return 'nil'.
+ return nil
+ }
return fmt.Errorf("criu failed: type %s errno %d\nlog file: %s", typeString, resp.GetCrErrno(), logPath)
}
t := resp.GetType()
switch {
+ case t == criurpc.CriuReqType_VERSION:
+ logrus.Debugf("CRIU version: %s", resp)
+ criuVersionRPC = resp.GetVersion()
+ break
+ case t == criurpc.CriuReqType_FEATURE_CHECK:
+ logrus.Debugf("Feature check says: %s", resp)
+ criuFeatures = resp.GetFeatures()
case t == criurpc.CriuReqType_NOTIFY:
- if err := c.criuNotifications(resp, process, opts, extFds); err != nil {
+ if err := c.criuNotifications(resp, process, opts, extFds, oob[:oobn]); err != nil {
return err
}
t = criurpc.CriuReqType_NOTIFY
@@ -877,14 +1493,14 @@ func (c *linuxContainer) criuSwrk(process *Process, req *criurpc.CriuReq, opts *
if err != nil {
return err
}
- n, err = criuClient.Write(data)
+ _, err = criuClientCon.Write(data)
if err != nil {
return err
}
continue
case t == criurpc.CriuReqType_RESTORE:
case t == criurpc.CriuReqType_DUMP:
- break
+ case t == criurpc.CriuReqType_PRE_DUMP:
default:
return fmt.Errorf("unable to parse the response %s", resp.String())
}
@@ -892,13 +1508,22 @@ func (c *linuxContainer) criuSwrk(process *Process, req *criurpc.CriuReq, opts *
break
}
+ criuClientCon.CloseWrite()
// cmd.Wait() waits cmd.goroutines which are used for proxying file descriptors.
// Here we want to wait only the CRIU process.
st, err := cmd.Process.Wait()
if err != nil {
return err
}
- if !st.Success() {
+
+ // In pre-dump mode CRIU is in a loop and waits for
+ // the final DUMP command.
+ // The current runc pre-dump approach, however, is
+ // start criu in PRE_DUMP once for a single pre-dump
+ // and not the whole series of pre-dump, pre-dump, ...m, dump
+ // If we got the message CriuReqType_PRE_DUMP it means
+ // CRIU was successful and we need to forcefully stop CRIU
+ if !st.Success() && *req.Type != criurpc.CriuReqType_PRE_DUMP {
return fmt.Errorf("criu failed: %s\nlog file: %s", st.String(), logPath)
}
return nil
@@ -932,11 +1557,12 @@ func unlockNetwork(config *configs.Config) error {
return nil
}
-func (c *linuxContainer) criuNotifications(resp *criurpc.CriuResp, process *Process, opts *CriuOpts, fds []string) error {
+func (c *linuxContainer) criuNotifications(resp *criurpc.CriuResp, process *Process, opts *CriuOpts, fds []string, oob []byte) error {
notify := resp.GetNotify()
if notify == nil {
return fmt.Errorf("invalid response: %s", resp.String())
}
+ logrus.Debugf("notify: %s\n", notify.GetScript())
switch {
case notify.GetScript() == "post-dump":
f, err := os.Create(filepath.Join(c.root, "checkpoint"))
@@ -952,6 +1578,19 @@ func (c *linuxContainer) criuNotifications(resp *criurpc.CriuResp, process *Proc
if err := lockNetwork(c.config); err != nil {
return err
}
+ case notify.GetScript() == "setup-namespaces":
+ if c.config.Hooks != nil {
+ s, err := c.currentOCIState()
+ if err != nil {
+ return nil
+ }
+ s.Pid = int(notify.GetPid())
+ for i, hook := range c.config.Hooks.Prestart {
+ if err := hook.Run(s); err != nil {
+ return newSystemErrorWithCausef(err, "running prestart hook %d", i)
+ }
+ }
+ }
case notify.GetScript() == "post-restore":
pid := notify.GetPid()
r, err := newRestoredProcess(int(pid), fds)
@@ -965,7 +1604,9 @@ func (c *linuxContainer) criuNotifications(resp *criurpc.CriuResp, process *Proc
}); err != nil {
return err
}
- if err := c.updateState(r); err != nil {
+ // create a timestamp indicating when the restored checkpoint was started
+ c.created = time.Now().UTC()
+ if _, err := c.updateState(r); err != nil {
return err
}
if err := os.Remove(filepath.Join(c.root, "checkpoint")); err != nil {
@@ -973,17 +1614,40 @@ func (c *linuxContainer) criuNotifications(resp *criurpc.CriuResp, process *Proc
logrus.Error(err)
}
}
+ case notify.GetScript() == "orphan-pts-master":
+ scm, err := unix.ParseSocketControlMessage(oob)
+ if err != nil {
+ return err
+ }
+ fds, err := unix.ParseUnixRights(&scm[0])
+ if err != nil {
+ return err
+ }
+
+ master := os.NewFile(uintptr(fds[0]), "orphan-pts-master")
+ defer master.Close()
+
+ // While we can access console.master, using the API is a good idea.
+ if err := utils.SendFd(process.ConsoleSocket, master.Name(), master.Fd()); err != nil {
+ return err
+ }
}
return nil
}
-func (c *linuxContainer) updateState(process parentProcess) error {
- c.initProcess = process
+func (c *linuxContainer) updateState(process parentProcess) (*State, error) {
+ if process != nil {
+ c.initProcess = process
+ }
state, err := c.currentState()
if err != nil {
- return err
+ return nil, err
+ }
+ err = c.saveState(state)
+ if err != nil {
+ return nil, err
}
- return c.saveState(state)
+ return state, nil
}
func (c *linuxContainer) saveState(s *State) error {
@@ -1018,44 +1682,59 @@ func (c *linuxContainer) refreshState() error {
if paused {
return c.state.transition(&pausedState{c: c})
}
- running, err := c.isRunning()
+ t, err := c.runType()
if err != nil {
return err
}
- if running {
+ switch t {
+ case Created:
+ return c.state.transition(&createdState{c: c})
+ case Running:
return c.state.transition(&runningState{c: c})
}
return c.state.transition(&stoppedState{c: c})
}
-func (c *linuxContainer) isRunning() (bool, error) {
+func (c *linuxContainer) runType() (Status, error) {
if c.initProcess == nil {
- return false, nil
+ return Stopped, nil
}
- // return Running if the init process is alive
- if err := syscall.Kill(c.initProcess.pid(), 0); err != nil {
- if err == syscall.ESRCH {
- return false, nil
- }
- return false, newSystemError(err)
+ pid := c.initProcess.pid()
+ stat, err := system.Stat(pid)
+ if err != nil {
+ return Stopped, nil
+ }
+ if stat.StartTime != c.initProcessStartTime || stat.State == system.Zombie || stat.State == system.Dead {
+ return Stopped, nil
}
- return true, nil
+ // We'll create exec fifo and blocking on it after container is created,
+ // and delete it after start container.
+ if _, err := os.Stat(filepath.Join(c.root, execFifoFilename)); err == nil {
+ return Created, nil
+ }
+ return Running, nil
}
func (c *linuxContainer) isPaused() (bool, error) {
- data, err := ioutil.ReadFile(filepath.Join(c.cgroupManager.GetPaths()["freezer"], "freezer.state"))
+ fcg := c.cgroupManager.GetPaths()["freezer"]
+ if fcg == "" {
+ // A container doesn't have a freezer cgroup
+ return false, nil
+ }
+ data, err := ioutil.ReadFile(filepath.Join(fcg, "freezer.state"))
if err != nil {
+ // If freezer cgroup is not mounted, the container would just be not paused.
if os.IsNotExist(err) {
return false, nil
}
- return false, newSystemError(err)
+ return false, newSystemErrorWithCause(err, "checking if container is paused")
}
return bytes.Equal(bytes.TrimSpace(data), []byte("FROZEN")), nil
}
func (c *linuxContainer) currentState() (*State, error) {
var (
- startTime string
+ startTime uint64
externalDescriptors []string
pid = -1
)
@@ -1064,6 +1743,10 @@ func (c *linuxContainer) currentState() (*State, error) {
startTime, _ = c.initProcess.startTime()
externalDescriptors = c.initProcess.externalDescriptors()
}
+ intelRdtPath, err := intelrdt.GetIntelRdtPath(c.ID())
+ if err != nil {
+ intelRdtPath = ""
+ }
state := &State{
BaseState: BaseState{
ID: c.ID(),
@@ -1072,7 +1755,9 @@ func (c *linuxContainer) currentState() (*State, error) {
InitProcessStartTime: startTime,
Created: c.created,
},
+ Rootless: c.config.RootlessEUID && c.config.RootlessCgroups,
CgroupPaths: c.cgroupManager.GetPaths(),
+ IntelRdtPath: intelRdtPath,
NamespacePaths: make(map[configs.NamespaceType]string),
ExternalDescriptors: externalDescriptors,
}
@@ -1093,39 +1778,57 @@ func (c *linuxContainer) currentState() (*State, error) {
return state, nil
}
+func (c *linuxContainer) currentOCIState() (*specs.State, error) {
+ bundle, annotations := utils.Annotations(c.config.Labels)
+ state := &specs.State{
+ Version: specs.Version,
+ ID: c.ID(),
+ Bundle: bundle,
+ Annotations: annotations,
+ }
+ status, err := c.currentStatus()
+ if err != nil {
+ return nil, err
+ }
+ state.Status = status.String()
+ if status != Stopped {
+ if c.initProcess != nil {
+ state.Pid = c.initProcess.pid()
+ }
+ }
+ return state, nil
+}
+
// orderNamespacePaths sorts namespace paths into a list of paths that we
// can setns in order.
func (c *linuxContainer) orderNamespacePaths(namespaces map[configs.NamespaceType]string) ([]string, error) {
paths := []string{}
- nsTypes := []configs.NamespaceType{
- configs.NEWIPC,
- configs.NEWUTS,
- configs.NEWNET,
- configs.NEWPID,
- configs.NEWNS,
- }
- // join userns if the init process explicitly requires NEWUSER
- if c.config.Namespaces.Contains(configs.NEWUSER) {
- nsTypes = append(nsTypes, configs.NEWUSER)
- }
- for _, nsType := range nsTypes {
- if p, ok := namespaces[nsType]; ok && p != "" {
+ for _, ns := range configs.NamespaceTypes() {
+
+ // Remove namespaces that we don't need to join.
+ if !c.config.Namespaces.Contains(ns) {
+ continue
+ }
+
+ if p, ok := namespaces[ns]; ok && p != "" {
// check if the requested namespace is supported
- if !configs.IsNamespaceSupported(nsType) {
- return nil, newSystemError(fmt.Errorf("namespace %s is not supported", nsType))
+ if !configs.IsNamespaceSupported(ns) {
+ return nil, newSystemError(fmt.Errorf("namespace %s is not supported", ns))
}
// only set to join this namespace if it exists
if _, err := os.Lstat(p); err != nil {
- return nil, newSystemError(err)
+ return nil, newSystemErrorWithCausef(err, "running lstat on namespace path %q", p)
}
// do not allow namespace path with comma as we use it to separate
// the namespace paths
if strings.ContainsRune(p, ',') {
return nil, newSystemError(fmt.Errorf("invalid path %s", p))
}
- paths = append(paths, p)
+ paths = append(paths, fmt.Sprintf("%s:%s", configs.NsName(ns), p))
}
+
}
+
return paths, nil
}
@@ -1146,7 +1849,7 @@ func encodeIDMapping(idMap []configs.IDMap) ([]byte, error) {
// such as one that uses nsenter package to bootstrap the container's
// init process correctly, i.e. with correct namespaces, uid/gid
// mapping etc.
-func (c *linuxContainer) bootstrapData(cloneFlags uintptr, nsMaps map[configs.NamespaceType]string, consolePath string) (io.Reader, error) {
+func (c *linuxContainer) bootstrapData(cloneFlags uintptr, nsMaps map[configs.NamespaceType]string) (io.Reader, error) {
// create the netlink message
r := nl.NewNetlinkRequest(int(InitMsg), 0)
@@ -1156,14 +1859,6 @@ func (c *linuxContainer) bootstrapData(cloneFlags uintptr, nsMaps map[configs.Na
Value: uint32(cloneFlags),
})
- // write console path
- if consolePath != "" {
- r.AddData(&Bytemsg{
- Type: ConsolePathAttr,
- Value: []byte(consolePath),
- })
- }
-
// write custom namespace paths
if len(nsMaps) > 0 {
nsPaths, err := c.orderNamespacePaths(nsMaps)
@@ -1181,6 +1876,12 @@ func (c *linuxContainer) bootstrapData(cloneFlags uintptr, nsMaps map[configs.Na
if !joinExistingUser {
// write uid mappings
if len(c.config.UidMappings) > 0 {
+ if c.config.RootlessEUID && c.newuidmapPath != "" {
+ r.AddData(&Bytemsg{
+ Type: UidmapPathAttr,
+ Value: []byte(c.newuidmapPath),
+ })
+ }
b, err := encodeIDMapping(c.config.UidMappings)
if err != nil {
return nil, err
@@ -1193,7 +1894,7 @@ func (c *linuxContainer) bootstrapData(cloneFlags uintptr, nsMaps map[configs.Na
// write gid mappings
if len(c.config.GidMappings) > 0 {
- b, err := encodeIDMapping(c.config.UidMappings)
+ b, err := encodeIDMapping(c.config.GidMappings)
if err != nil {
return nil, err
}
@@ -1201,12 +1902,13 @@ func (c *linuxContainer) bootstrapData(cloneFlags uintptr, nsMaps map[configs.Na
Type: GidmapAttr,
Value: b,
})
- // check if we have CAP_SETGID to setgroup properly
- pid, err := capability.NewPid(os.Getpid())
- if err != nil {
- return nil, err
+ if c.config.RootlessEUID && c.newgidmapPath != "" {
+ r.AddData(&Bytemsg{
+ Type: GidmapPathAttr,
+ Value: []byte(c.newgidmapPath),
+ })
}
- if !pid.Get(capability.EFFECTIVE, capability.CAP_SETGID) {
+ if requiresRootOrMappingTool(c.config) {
r.AddData(&Boolmsg{
Type: SetgroupAttr,
Value: true,
@@ -1215,5 +1917,41 @@ func (c *linuxContainer) bootstrapData(cloneFlags uintptr, nsMaps map[configs.Na
}
}
+ if c.config.OomScoreAdj != nil {
+ // write oom_score_adj
+ r.AddData(&Bytemsg{
+ Type: OomScoreAdjAttr,
+ Value: []byte(fmt.Sprintf("%d", *c.config.OomScoreAdj)),
+ })
+ }
+
+ // write rootless
+ r.AddData(&Boolmsg{
+ Type: RootlessEUIDAttr,
+ Value: c.config.RootlessEUID,
+ })
+
return bytes.NewReader(r.Serialize()), nil
}
+
+// ignoreTerminateErrors returns nil if the given err matches an error known
+// to indicate that the terminate occurred successfully or err was nil, otherwise
+// err is returned unaltered.
+func ignoreTerminateErrors(err error) error {
+ if err == nil {
+ return nil
+ }
+ s := err.Error()
+ switch {
+ case strings.Contains(s, "process already finished"), strings.Contains(s, "Wait was already called"):
+ return nil
+ }
+ return err
+}
+
+func requiresRootOrMappingTool(c *configs.Config) bool {
+ gidMap := []configs.IDMap{
+ {ContainerID: 0, HostID: os.Getegid(), Size: 1},
+ }
+ return !reflect.DeepEqual(c.GidMappings, gidMap)
+}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/container_linux_test.go b/vendor/github.com/opencontainers/runc/libcontainer/container_linux_test.go
index 3af30bce9707ee50dbdb7793245a2f20f3ca69b0..29ddbfad30d4c28150b27b4ccd485f5df97aa133 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/container_linux_test.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/container_linux_test.go
@@ -4,11 +4,14 @@ package libcontainer
import (
"fmt"
+ "io/ioutil"
"os"
"testing"
"github.com/opencontainers/runc/libcontainer/cgroups"
"github.com/opencontainers/runc/libcontainer/configs"
+ "github.com/opencontainers/runc/libcontainer/intelrdt"
+ "github.com/opencontainers/runc/libcontainer/system"
)
type mockCgroupManager struct {
@@ -18,6 +21,11 @@ type mockCgroupManager struct {
paths map[string]string
}
+type mockIntelRdtManager struct {
+ stats *intelrdt.Stats
+ path string
+}
+
func (m *mockCgroupManager) GetPids() ([]int, error) {
return m.pids, nil
}
@@ -50,9 +58,29 @@ func (m *mockCgroupManager) Freeze(state configs.FreezerState) error {
return nil
}
+func (m *mockIntelRdtManager) Apply(pid int) error {
+ return nil
+}
+
+func (m *mockIntelRdtManager) GetStats() (*intelrdt.Stats, error) {
+ return m.stats, nil
+}
+
+func (m *mockIntelRdtManager) Destroy() error {
+ return nil
+}
+
+func (m *mockIntelRdtManager) GetPath() string {
+ return m.path
+}
+
+func (m *mockIntelRdtManager) Set(container *configs.Config) error {
+ return nil
+}
+
type mockProcess struct {
_pid int
- started string
+ started uint64
}
func (m *mockProcess) terminate() error {
@@ -63,7 +91,7 @@ func (m *mockProcess) pid() int {
return m._pid
}
-func (m *mockProcess) startTime() (string, error) {
+func (m *mockProcess) startTime() (uint64, error) {
return m.started, nil
}
@@ -79,11 +107,11 @@ func (m *mockProcess) signal(_ os.Signal) error {
return nil
}
-func (p *mockProcess) externalDescriptors() []string {
+func (m *mockProcess) externalDescriptors() []string {
return []string{}
}
-func (p *mockProcess) setExternalDescriptors(newFds []string) {
+func (m *mockProcess) setExternalDescriptors(newFds []string) {
}
func TestGetContainerPids(t *testing.T) {
@@ -117,6 +145,12 @@ func TestGetContainerStats(t *testing.T) {
},
},
},
+ intelRdtManager: &mockIntelRdtManager{
+ stats: &intelrdt.Stats{
+ L3CacheSchema: "L3:0=f;1=f0",
+ MemBwSchema: "MB:0=20;1=70",
+ },
+ },
}
stats, err := container.Stats()
if err != nil {
@@ -126,15 +160,32 @@ func TestGetContainerStats(t *testing.T) {
t.Fatal("cgroup stats are nil")
}
if stats.CgroupStats.MemoryStats.Usage.Usage != 1024 {
- t.Fatalf("expected memory usage 1024 but recevied %d", stats.CgroupStats.MemoryStats.Usage.Usage)
+ t.Fatalf("expected memory usage 1024 but received %d", stats.CgroupStats.MemoryStats.Usage.Usage)
+ }
+ if intelrdt.IsCatEnabled() {
+ if stats.IntelRdtStats == nil {
+ t.Fatal("intel rdt stats are nil")
+ }
+ if stats.IntelRdtStats.L3CacheSchema != "L3:0=f;1=f0" {
+ t.Fatalf("expected L3CacheSchema L3:0=f;1=f0 but received %s", stats.IntelRdtStats.L3CacheSchema)
+ }
+ }
+ if intelrdt.IsMbaEnabled() {
+ if stats.IntelRdtStats == nil {
+ t.Fatal("intel rdt stats are nil")
+ }
+ if stats.IntelRdtStats.MemBwSchema != "MB:0=20;1=70" {
+ t.Fatalf("expected MemBwSchema MB:0=20;1=70 but received %s", stats.IntelRdtStats.MemBwSchema)
+ }
}
}
func TestGetContainerState(t *testing.T) {
var (
- pid = os.Getpid()
- expectedMemoryPath = "/sys/fs/cgroup/memory/myid"
- expectedNetworkPath = "/networks/fd"
+ pid = os.Getpid()
+ expectedMemoryPath = "/sys/fs/cgroup/memory/myid"
+ expectedNetworkPath = fmt.Sprintf("/proc/%d/ns/net", pid)
+ expectedIntelRdtPath = "/sys/fs/resctrl/myid"
)
container := &linuxContainer{
id: "myid",
@@ -150,7 +201,7 @@ func TestGetContainerState(t *testing.T) {
},
initProcess: &mockProcess{
_pid: pid,
- started: "010",
+ started: 10,
},
cgroupManager: &mockCgroupManager{
pids: []int{1, 2, 3},
@@ -165,6 +216,13 @@ func TestGetContainerState(t *testing.T) {
"memory": expectedMemoryPath,
},
},
+ intelRdtManager: &mockIntelRdtManager{
+ stats: &intelrdt.Stats{
+ L3CacheSchema: "L3:0=f0;1=f",
+ MemBwSchema: "MB:0=70;1=20",
+ },
+ path: expectedIntelRdtPath,
+ },
}
container.state = &createdState{c: container}
state, err := container.State()
@@ -174,8 +232,8 @@ func TestGetContainerState(t *testing.T) {
if state.InitProcessPid != pid {
t.Fatalf("expected pid %d but received %d", pid, state.InitProcessPid)
}
- if state.InitProcessStartTime != "010" {
- t.Fatalf("expected process start time 010 but received %s", state.InitProcessStartTime)
+ if state.InitProcessStartTime != 10 {
+ t.Fatalf("expected process start time 10 but received %d", state.InitProcessStartTime)
}
paths := state.CgroupPaths
if paths == nil {
@@ -184,6 +242,15 @@ func TestGetContainerState(t *testing.T) {
if memPath := paths["memory"]; memPath != expectedMemoryPath {
t.Fatalf("expected memory path %q but received %q", expectedMemoryPath, memPath)
}
+ if intelrdt.IsCatEnabled() || intelrdt.IsMbaEnabled() {
+ intelRdtPath := state.IntelRdtPath
+ if intelRdtPath == "" {
+ t.Fatal("intel rdt path should not be empty")
+ }
+ if intelRdtPath != expectedIntelRdtPath {
+ t.Fatalf("expected intel rdt path %q but received %q", expectedIntelRdtPath, intelRdtPath)
+ }
+ }
for _, ns := range container.config.Namespaces {
path := state.NamespacePaths[ns.Type]
if path == "" {
@@ -216,3 +283,73 @@ func TestGetContainerState(t *testing.T) {
}
}
}
+
+func TestGetContainerStateAfterUpdate(t *testing.T) {
+ var (
+ pid = os.Getpid()
+ )
+ stat, err := system.Stat(pid)
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ rootDir, err := ioutil.TempDir("", "TestGetContainerStateAfterUpdate")
+ if err != nil {
+ t.Fatal(err)
+ }
+ defer os.RemoveAll(rootDir)
+
+ container := &linuxContainer{
+ root: rootDir,
+ id: "myid",
+ config: &configs.Config{
+ Namespaces: []configs.Namespace{
+ {Type: configs.NEWPID},
+ {Type: configs.NEWNS},
+ {Type: configs.NEWNET},
+ {Type: configs.NEWUTS},
+ {Type: configs.NEWIPC},
+ },
+ Cgroups: &configs.Cgroup{
+ Resources: &configs.Resources{
+ Memory: 1024,
+ },
+ },
+ },
+ initProcess: &mockProcess{
+ _pid: pid,
+ started: stat.StartTime,
+ },
+ cgroupManager: &mockCgroupManager{},
+ }
+ container.state = &createdState{c: container}
+ state, err := container.State()
+ if err != nil {
+ t.Fatal(err)
+ }
+ if state.InitProcessPid != pid {
+ t.Fatalf("expected pid %d but received %d", pid, state.InitProcessPid)
+ }
+ if state.InitProcessStartTime != stat.StartTime {
+ t.Fatalf("expected process start time %d but received %d", stat.StartTime, state.InitProcessStartTime)
+ }
+ if state.Config.Cgroups.Resources.Memory != 1024 {
+ t.Fatalf("expected Memory to be 1024 but received %q", state.Config.Cgroups.Memory)
+ }
+
+ // Set initProcessStartTime so we fake to be running
+ container.initProcessStartTime = state.InitProcessStartTime
+ container.state = &runningState{c: container}
+ newConfig := container.Config()
+ newConfig.Cgroups.Resources.Memory = 2048
+ if err := container.Set(newConfig); err != nil {
+ t.Fatal(err)
+ }
+ state, err = container.State()
+ if err != nil {
+ t.Fatal(err)
+ }
+ if state.Config.Cgroups.Resources.Memory != 2048 {
+ t.Fatalf("expected Memory to be 2048 but received %q", state.Config.Cgroups.Memory)
+ }
+}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/container_windows.go b/vendor/github.com/opencontainers/runc/libcontainer/container_windows.go
deleted file mode 100644
index bb84ff7402b9176f445fc524918afbad49867da8..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/libcontainer/container_windows.go
+++ /dev/null
@@ -1,20 +0,0 @@
-package libcontainer
-
-// State represents a running container's state
-type State struct {
- BaseState
-
- // Platform specific fields below here
-}
-
-// A libcontainer container object.
-//
-// Each container is thread-safe within the same process. Since a container can
-// be destroyed by a separate process, any function may return that the container
-// was not found.
-type Container interface {
- BaseContainer
-
- // Methods below here are platform specific
-
-}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/criu_opts_unix.go b/vendor/github.com/opencontainers/runc/libcontainer/criu_opts_linux.go
similarity index 52%
rename from vendor/github.com/opencontainers/runc/libcontainer/criu_opts_unix.go
rename to vendor/github.com/opencontainers/runc/libcontainer/criu_opts_linux.go
index a2a816bd952ea14b081f8ea43e2be7bd2e07d9e9..a2e344fc4b67248d1e6f728b7478856b24d4eb65 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/criu_opts_unix.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/criu_opts_linux.go
@@ -1,15 +1,13 @@
-// +build linux freebsd
-
package libcontainer
// cgroup restoring strategy provided by criu
-type cg_mode uint32
+type cgMode uint32
const (
- CRIU_CG_MODE_SOFT cg_mode = 3 + iota // restore cgroup properties if only dir created by criu
- CRIU_CG_MODE_FULL // always restore all cgroups and their properties
- CRIU_CG_MODE_STRICT // restore all, requiring them to not present in the system
- CRIU_CG_MODE_DEFAULT // the same as CRIU_CG_MODE_SOFT
+ CRIU_CG_MODE_SOFT cgMode = 3 + iota // restore cgroup properties if only dir created by criu
+ CRIU_CG_MODE_FULL // always restore all cgroups and their properties
+ CRIU_CG_MODE_STRICT // restore all, requiring them to not present in the system
+ CRIU_CG_MODE_DEFAULT // the same as CRIU_CG_MODE_SOFT
)
type CriuPageServerInfo struct {
@@ -25,12 +23,18 @@ type VethPairName struct {
type CriuOpts struct {
ImagesDirectory string // directory for storing image files
WorkDirectory string // directory to cd and write logs/pidfiles/stats to
+ ParentImage string // directory for storing parent image files in pre-dump and dump
LeaveRunning bool // leave container in running state after checkpoint
TcpEstablished bool // checkpoint/restore established TCP connections
ExternalUnixConnections bool // allow external unix connections
ShellJob bool // allow to dump and restore shell jobs
FileLocks bool // handle file locks, for safety
+ PreDump bool // call criu predump to perform iterative checkpoint
PageServer CriuPageServerInfo // allow to dump to criu page server
VethPairs []VethPairName // pass the veth to criu when restore
- ManageCgroupsMode cg_mode // dump or restore cgroup mode
+ ManageCgroupsMode cgMode // dump or restore cgroup mode
+ EmptyNs uint32 // don't c/r properties for namespace from this mask
+ AutoDedup bool // auto deduplication for incremental dumps
+ LazyPages bool // restore memory pages lazily using userfaultfd
+ StatusFd string // fd for feedback when lazy server is ready
}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/criu_opts_windows.go b/vendor/github.com/opencontainers/runc/libcontainer/criu_opts_windows.go
deleted file mode 100644
index bc9207703a1dee26b46818a1815843557855db04..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/libcontainer/criu_opts_windows.go
+++ /dev/null
@@ -1,6 +0,0 @@
-package libcontainer
-
-// TODO Windows: This can ultimately be entirely factored out as criu is
-// a Unix concept not relevant on Windows.
-type CriuOpts struct {
-}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/criurpc/criurpc.pb.go b/vendor/github.com/opencontainers/runc/libcontainer/criurpc/criurpc.pb.go
index 193b6df1db27209d00b55418adca34f6b5bad874..1332d3fe3fc9cac65b7a6c14d788cf4297668ed9 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/criurpc/criurpc.pb.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/criurpc/criurpc.pb.go
@@ -1,6 +1,5 @@
-// Code generated by protoc-gen-go.
+// Code generated by protoc-gen-go. DO NOT EDIT.
// source: criurpc.proto
-// DO NOT EDIT!
/*
Package criurpc is a generated protocol buffer package.
@@ -12,6 +11,7 @@ It has these top-level messages:
CriuPageServerInfo
CriuVethPair
ExtMountMap
+ JoinNamespace
InheritFd
CgroupRoot
UnixSk
@@ -19,18 +19,77 @@ It has these top-level messages:
CriuDumpResp
CriuRestoreResp
CriuNotify
+ CriuFeatures
CriuReq
CriuResp
+ CriuVersion
*/
package criurpc
import proto "github.com/golang/protobuf/proto"
+import fmt "fmt"
import math "math"
// Reference imports to suppress errors if they are not otherwise used.
var _ = proto.Marshal
+var _ = fmt.Errorf
var _ = math.Inf
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the proto package it is being compiled against.
+// A compilation error at this line likely means your copy of the
+// proto package needs to be updated.
+const _ = proto.ProtoPackageIsVersion2 // please upgrade the proto package
+
+type CriuCgMode int32
+
+const (
+ CriuCgMode_IGNORE CriuCgMode = 0
+ CriuCgMode_CG_NONE CriuCgMode = 1
+ CriuCgMode_PROPS CriuCgMode = 2
+ CriuCgMode_SOFT CriuCgMode = 3
+ CriuCgMode_FULL CriuCgMode = 4
+ CriuCgMode_STRICT CriuCgMode = 5
+ CriuCgMode_DEFAULT CriuCgMode = 6
+)
+
+var CriuCgMode_name = map[int32]string{
+ 0: "IGNORE",
+ 1: "CG_NONE",
+ 2: "PROPS",
+ 3: "SOFT",
+ 4: "FULL",
+ 5: "STRICT",
+ 6: "DEFAULT",
+}
+var CriuCgMode_value = map[string]int32{
+ "IGNORE": 0,
+ "CG_NONE": 1,
+ "PROPS": 2,
+ "SOFT": 3,
+ "FULL": 4,
+ "STRICT": 5,
+ "DEFAULT": 6,
+}
+
+func (x CriuCgMode) Enum() *CriuCgMode {
+ p := new(CriuCgMode)
+ *p = x
+ return p
+}
+func (x CriuCgMode) String() string {
+ return proto.EnumName(CriuCgMode_name, int32(x))
+}
+func (x *CriuCgMode) UnmarshalJSON(data []byte) error {
+ value, err := proto.UnmarshalJSONEnum(CriuCgMode_value, data, "CriuCgMode")
+ if err != nil {
+ return err
+ }
+ *x = CriuCgMode(value)
+ return nil
+}
+func (CriuCgMode) EnumDescriptor() ([]byte, []int) { return fileDescriptor0, []int{0} }
+
type CriuReqType int32
const (
@@ -43,18 +102,22 @@ const (
CriuReqType_NOTIFY CriuReqType = 6
CriuReqType_CPUINFO_DUMP CriuReqType = 7
CriuReqType_CPUINFO_CHECK CriuReqType = 8
+ CriuReqType_FEATURE_CHECK CriuReqType = 9
+ CriuReqType_VERSION CriuReqType = 10
)
var CriuReqType_name = map[int32]string{
- 0: "EMPTY",
- 1: "DUMP",
- 2: "RESTORE",
- 3: "CHECK",
- 4: "PRE_DUMP",
- 5: "PAGE_SERVER",
- 6: "NOTIFY",
- 7: "CPUINFO_DUMP",
- 8: "CPUINFO_CHECK",
+ 0: "EMPTY",
+ 1: "DUMP",
+ 2: "RESTORE",
+ 3: "CHECK",
+ 4: "PRE_DUMP",
+ 5: "PAGE_SERVER",
+ 6: "NOTIFY",
+ 7: "CPUINFO_DUMP",
+ 8: "CPUINFO_CHECK",
+ 9: "FEATURE_CHECK",
+ 10: "VERSION",
}
var CriuReqType_value = map[string]int32{
"EMPTY": 0,
@@ -66,6 +129,8 @@ var CriuReqType_value = map[string]int32{
"NOTIFY": 6,
"CPUINFO_DUMP": 7,
"CPUINFO_CHECK": 8,
+ "FEATURE_CHECK": 9,
+ "VERSION": 10,
}
func (x CriuReqType) Enum() *CriuReqType {
@@ -84,6 +149,7 @@ func (x *CriuReqType) UnmarshalJSON(data []byte) error {
*x = CriuReqType(value)
return nil
}
+func (CriuReqType) EnumDescriptor() ([]byte, []int) { return fileDescriptor0, []int{1} }
type CriuPageServerInfo struct {
Address *string `protobuf:"bytes,1,opt,name=address" json:"address,omitempty"`
@@ -93,9 +159,10 @@ type CriuPageServerInfo struct {
XXX_unrecognized []byte `json:"-"`
}
-func (m *CriuPageServerInfo) Reset() { *m = CriuPageServerInfo{} }
-func (m *CriuPageServerInfo) String() string { return proto.CompactTextString(m) }
-func (*CriuPageServerInfo) ProtoMessage() {}
+func (m *CriuPageServerInfo) Reset() { *m = CriuPageServerInfo{} }
+func (m *CriuPageServerInfo) String() string { return proto.CompactTextString(m) }
+func (*CriuPageServerInfo) ProtoMessage() {}
+func (*CriuPageServerInfo) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{0} }
func (m *CriuPageServerInfo) GetAddress() string {
if m != nil && m.Address != nil {
@@ -126,14 +193,15 @@ func (m *CriuPageServerInfo) GetFd() int32 {
}
type CriuVethPair struct {
- IfIn *string `protobuf:"bytes,1,req,name=if_in" json:"if_in,omitempty"`
- IfOut *string `protobuf:"bytes,2,req,name=if_out" json:"if_out,omitempty"`
+ IfIn *string `protobuf:"bytes,1,req,name=if_in,json=ifIn" json:"if_in,omitempty"`
+ IfOut *string `protobuf:"bytes,2,req,name=if_out,json=ifOut" json:"if_out,omitempty"`
XXX_unrecognized []byte `json:"-"`
}
-func (m *CriuVethPair) Reset() { *m = CriuVethPair{} }
-func (m *CriuVethPair) String() string { return proto.CompactTextString(m) }
-func (*CriuVethPair) ProtoMessage() {}
+func (m *CriuVethPair) Reset() { *m = CriuVethPair{} }
+func (m *CriuVethPair) String() string { return proto.CompactTextString(m) }
+func (*CriuVethPair) ProtoMessage() {}
+func (*CriuVethPair) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{1} }
func (m *CriuVethPair) GetIfIn() string {
if m != nil && m.IfIn != nil {
@@ -155,9 +223,10 @@ type ExtMountMap struct {
XXX_unrecognized []byte `json:"-"`
}
-func (m *ExtMountMap) Reset() { *m = ExtMountMap{} }
-func (m *ExtMountMap) String() string { return proto.CompactTextString(m) }
-func (*ExtMountMap) ProtoMessage() {}
+func (m *ExtMountMap) Reset() { *m = ExtMountMap{} }
+func (m *ExtMountMap) String() string { return proto.CompactTextString(m) }
+func (*ExtMountMap) ProtoMessage() {}
+func (*ExtMountMap) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{2} }
func (m *ExtMountMap) GetKey() string {
if m != nil && m.Key != nil {
@@ -173,15 +242,49 @@ func (m *ExtMountMap) GetVal() string {
return ""
}
+type JoinNamespace struct {
+ Ns *string `protobuf:"bytes,1,req,name=ns" json:"ns,omitempty"`
+ NsFile *string `protobuf:"bytes,2,req,name=ns_file,json=nsFile" json:"ns_file,omitempty"`
+ ExtraOpt *string `protobuf:"bytes,3,opt,name=extra_opt,json=extraOpt" json:"extra_opt,omitempty"`
+ XXX_unrecognized []byte `json:"-"`
+}
+
+func (m *JoinNamespace) Reset() { *m = JoinNamespace{} }
+func (m *JoinNamespace) String() string { return proto.CompactTextString(m) }
+func (*JoinNamespace) ProtoMessage() {}
+func (*JoinNamespace) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{3} }
+
+func (m *JoinNamespace) GetNs() string {
+ if m != nil && m.Ns != nil {
+ return *m.Ns
+ }
+ return ""
+}
+
+func (m *JoinNamespace) GetNsFile() string {
+ if m != nil && m.NsFile != nil {
+ return *m.NsFile
+ }
+ return ""
+}
+
+func (m *JoinNamespace) GetExtraOpt() string {
+ if m != nil && m.ExtraOpt != nil {
+ return *m.ExtraOpt
+ }
+ return ""
+}
+
type InheritFd struct {
Key *string `protobuf:"bytes,1,req,name=key" json:"key,omitempty"`
Fd *int32 `protobuf:"varint,2,req,name=fd" json:"fd,omitempty"`
XXX_unrecognized []byte `json:"-"`
}
-func (m *InheritFd) Reset() { *m = InheritFd{} }
-func (m *InheritFd) String() string { return proto.CompactTextString(m) }
-func (*InheritFd) ProtoMessage() {}
+func (m *InheritFd) Reset() { *m = InheritFd{} }
+func (m *InheritFd) String() string { return proto.CompactTextString(m) }
+func (*InheritFd) ProtoMessage() {}
+func (*InheritFd) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{4} }
func (m *InheritFd) GetKey() string {
if m != nil && m.Key != nil {
@@ -203,9 +306,10 @@ type CgroupRoot struct {
XXX_unrecognized []byte `json:"-"`
}
-func (m *CgroupRoot) Reset() { *m = CgroupRoot{} }
-func (m *CgroupRoot) String() string { return proto.CompactTextString(m) }
-func (*CgroupRoot) ProtoMessage() {}
+func (m *CgroupRoot) Reset() { *m = CgroupRoot{} }
+func (m *CgroupRoot) String() string { return proto.CompactTextString(m) }
+func (*CgroupRoot) ProtoMessage() {}
+func (*CgroupRoot) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{5} }
func (m *CgroupRoot) GetCtrl() string {
if m != nil && m.Ctrl != nil {
@@ -226,9 +330,10 @@ type UnixSk struct {
XXX_unrecognized []byte `json:"-"`
}
-func (m *UnixSk) Reset() { *m = UnixSk{} }
-func (m *UnixSk) String() string { return proto.CompactTextString(m) }
-func (*UnixSk) ProtoMessage() {}
+func (m *UnixSk) Reset() { *m = UnixSk{} }
+func (m *UnixSk) String() string { return proto.CompactTextString(m) }
+func (*UnixSk) ProtoMessage() {}
+func (*UnixSk) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{6} }
func (m *UnixSk) GetInode() uint32 {
if m != nil && m.Inode != nil {
@@ -238,49 +343,67 @@ func (m *UnixSk) GetInode() uint32 {
}
type CriuOpts struct {
- ImagesDirFd *int32 `protobuf:"varint,1,req,name=images_dir_fd" json:"images_dir_fd,omitempty"`
- Pid *int32 `protobuf:"varint,2,opt,name=pid" json:"pid,omitempty"`
- LeaveRunning *bool `protobuf:"varint,3,opt,name=leave_running" json:"leave_running,omitempty"`
- ExtUnixSk *bool `protobuf:"varint,4,opt,name=ext_unix_sk" json:"ext_unix_sk,omitempty"`
- TcpEstablished *bool `protobuf:"varint,5,opt,name=tcp_established" json:"tcp_established,omitempty"`
- EvasiveDevices *bool `protobuf:"varint,6,opt,name=evasive_devices" json:"evasive_devices,omitempty"`
- ShellJob *bool `protobuf:"varint,7,opt,name=shell_job" json:"shell_job,omitempty"`
- FileLocks *bool `protobuf:"varint,8,opt,name=file_locks" json:"file_locks,omitempty"`
- LogLevel *int32 `protobuf:"varint,9,opt,name=log_level,def=2" json:"log_level,omitempty"`
- LogFile *string `protobuf:"bytes,10,opt,name=log_file" json:"log_file,omitempty"`
- Ps *CriuPageServerInfo `protobuf:"bytes,11,opt,name=ps" json:"ps,omitempty"`
- NotifyScripts *bool `protobuf:"varint,12,opt,name=notify_scripts" json:"notify_scripts,omitempty"`
- Root *string `protobuf:"bytes,13,opt,name=root" json:"root,omitempty"`
- ParentImg *string `protobuf:"bytes,14,opt,name=parent_img" json:"parent_img,omitempty"`
- TrackMem *bool `protobuf:"varint,15,opt,name=track_mem" json:"track_mem,omitempty"`
- AutoDedup *bool `protobuf:"varint,16,opt,name=auto_dedup" json:"auto_dedup,omitempty"`
- WorkDirFd *int32 `protobuf:"varint,17,opt,name=work_dir_fd" json:"work_dir_fd,omitempty"`
- LinkRemap *bool `protobuf:"varint,18,opt,name=link_remap" json:"link_remap,omitempty"`
- Veths []*CriuVethPair `protobuf:"bytes,19,rep,name=veths" json:"veths,omitempty"`
- CpuCap *uint32 `protobuf:"varint,20,opt,name=cpu_cap,def=4294967295" json:"cpu_cap,omitempty"`
- ForceIrmap *bool `protobuf:"varint,21,opt,name=force_irmap" json:"force_irmap,omitempty"`
- ExecCmd []string `protobuf:"bytes,22,rep,name=exec_cmd" json:"exec_cmd,omitempty"`
- ExtMnt []*ExtMountMap `protobuf:"bytes,23,rep,name=ext_mnt" json:"ext_mnt,omitempty"`
- ManageCgroups *bool `protobuf:"varint,24,opt,name=manage_cgroups" json:"manage_cgroups,omitempty"`
- CgRoot []*CgroupRoot `protobuf:"bytes,25,rep,name=cg_root" json:"cg_root,omitempty"`
- RstSibling *bool `protobuf:"varint,26,opt,name=rst_sibling" json:"rst_sibling,omitempty"`
- InheritFd []*InheritFd `protobuf:"bytes,27,rep,name=inherit_fd" json:"inherit_fd,omitempty"`
- AutoExtMnt *bool `protobuf:"varint,28,opt,name=auto_ext_mnt" json:"auto_ext_mnt,omitempty"`
- ExtSharing *bool `protobuf:"varint,29,opt,name=ext_sharing" json:"ext_sharing,omitempty"`
- ExtMasters *bool `protobuf:"varint,30,opt,name=ext_masters" json:"ext_masters,omitempty"`
- SkipMnt []string `protobuf:"bytes,31,rep,name=skip_mnt" json:"skip_mnt,omitempty"`
- EnableFs []string `protobuf:"bytes,32,rep,name=enable_fs" json:"enable_fs,omitempty"`
- UnixSkIno []*UnixSk `protobuf:"bytes,33,rep,name=unix_sk_ino" json:"unix_sk_ino,omitempty"`
- ManageCgroupsMode *uint32 `protobuf:"varint,34,opt,name=manage_cgroups_mode" json:"manage_cgroups_mode,omitempty"`
- XXX_unrecognized []byte `json:"-"`
-}
-
-func (m *CriuOpts) Reset() { *m = CriuOpts{} }
-func (m *CriuOpts) String() string { return proto.CompactTextString(m) }
-func (*CriuOpts) ProtoMessage() {}
+ ImagesDirFd *int32 `protobuf:"varint,1,req,name=images_dir_fd,json=imagesDirFd" json:"images_dir_fd,omitempty"`
+ Pid *int32 `protobuf:"varint,2,opt,name=pid" json:"pid,omitempty"`
+ LeaveRunning *bool `protobuf:"varint,3,opt,name=leave_running,json=leaveRunning" json:"leave_running,omitempty"`
+ ExtUnixSk *bool `protobuf:"varint,4,opt,name=ext_unix_sk,json=extUnixSk" json:"ext_unix_sk,omitempty"`
+ TcpEstablished *bool `protobuf:"varint,5,opt,name=tcp_established,json=tcpEstablished" json:"tcp_established,omitempty"`
+ EvasiveDevices *bool `protobuf:"varint,6,opt,name=evasive_devices,json=evasiveDevices" json:"evasive_devices,omitempty"`
+ ShellJob *bool `protobuf:"varint,7,opt,name=shell_job,json=shellJob" json:"shell_job,omitempty"`
+ FileLocks *bool `protobuf:"varint,8,opt,name=file_locks,json=fileLocks" json:"file_locks,omitempty"`
+ LogLevel *int32 `protobuf:"varint,9,opt,name=log_level,json=logLevel,def=2" json:"log_level,omitempty"`
+ LogFile *string `protobuf:"bytes,10,opt,name=log_file,json=logFile" json:"log_file,omitempty"`
+ Ps *CriuPageServerInfo `protobuf:"bytes,11,opt,name=ps" json:"ps,omitempty"`
+ NotifyScripts *bool `protobuf:"varint,12,opt,name=notify_scripts,json=notifyScripts" json:"notify_scripts,omitempty"`
+ Root *string `protobuf:"bytes,13,opt,name=root" json:"root,omitempty"`
+ ParentImg *string `protobuf:"bytes,14,opt,name=parent_img,json=parentImg" json:"parent_img,omitempty"`
+ TrackMem *bool `protobuf:"varint,15,opt,name=track_mem,json=trackMem" json:"track_mem,omitempty"`
+ AutoDedup *bool `protobuf:"varint,16,opt,name=auto_dedup,json=autoDedup" json:"auto_dedup,omitempty"`
+ WorkDirFd *int32 `protobuf:"varint,17,opt,name=work_dir_fd,json=workDirFd" json:"work_dir_fd,omitempty"`
+ LinkRemap *bool `protobuf:"varint,18,opt,name=link_remap,json=linkRemap" json:"link_remap,omitempty"`
+ Veths []*CriuVethPair `protobuf:"bytes,19,rep,name=veths" json:"veths,omitempty"`
+ CpuCap *uint32 `protobuf:"varint,20,opt,name=cpu_cap,json=cpuCap,def=4294967295" json:"cpu_cap,omitempty"`
+ ForceIrmap *bool `protobuf:"varint,21,opt,name=force_irmap,json=forceIrmap" json:"force_irmap,omitempty"`
+ ExecCmd []string `protobuf:"bytes,22,rep,name=exec_cmd,json=execCmd" json:"exec_cmd,omitempty"`
+ ExtMnt []*ExtMountMap `protobuf:"bytes,23,rep,name=ext_mnt,json=extMnt" json:"ext_mnt,omitempty"`
+ ManageCgroups *bool `protobuf:"varint,24,opt,name=manage_cgroups,json=manageCgroups" json:"manage_cgroups,omitempty"`
+ CgRoot []*CgroupRoot `protobuf:"bytes,25,rep,name=cg_root,json=cgRoot" json:"cg_root,omitempty"`
+ RstSibling *bool `protobuf:"varint,26,opt,name=rst_sibling,json=rstSibling" json:"rst_sibling,omitempty"`
+ InheritFd []*InheritFd `protobuf:"bytes,27,rep,name=inherit_fd,json=inheritFd" json:"inherit_fd,omitempty"`
+ AutoExtMnt *bool `protobuf:"varint,28,opt,name=auto_ext_mnt,json=autoExtMnt" json:"auto_ext_mnt,omitempty"`
+ ExtSharing *bool `protobuf:"varint,29,opt,name=ext_sharing,json=extSharing" json:"ext_sharing,omitempty"`
+ ExtMasters *bool `protobuf:"varint,30,opt,name=ext_masters,json=extMasters" json:"ext_masters,omitempty"`
+ SkipMnt []string `protobuf:"bytes,31,rep,name=skip_mnt,json=skipMnt" json:"skip_mnt,omitempty"`
+ EnableFs []string `protobuf:"bytes,32,rep,name=enable_fs,json=enableFs" json:"enable_fs,omitempty"`
+ UnixSkIno []*UnixSk `protobuf:"bytes,33,rep,name=unix_sk_ino,json=unixSkIno" json:"unix_sk_ino,omitempty"`
+ ManageCgroupsMode *CriuCgMode `protobuf:"varint,34,opt,name=manage_cgroups_mode,json=manageCgroupsMode,enum=CriuCgMode" json:"manage_cgroups_mode,omitempty"`
+ GhostLimit *uint32 `protobuf:"varint,35,opt,name=ghost_limit,json=ghostLimit,def=1048576" json:"ghost_limit,omitempty"`
+ IrmapScanPaths []string `protobuf:"bytes,36,rep,name=irmap_scan_paths,json=irmapScanPaths" json:"irmap_scan_paths,omitempty"`
+ External []string `protobuf:"bytes,37,rep,name=external" json:"external,omitempty"`
+ EmptyNs *uint32 `protobuf:"varint,38,opt,name=empty_ns,json=emptyNs" json:"empty_ns,omitempty"`
+ JoinNs []*JoinNamespace `protobuf:"bytes,39,rep,name=join_ns,json=joinNs" json:"join_ns,omitempty"`
+ CgroupProps *string `protobuf:"bytes,41,opt,name=cgroup_props,json=cgroupProps" json:"cgroup_props,omitempty"`
+ CgroupPropsFile *string `protobuf:"bytes,42,opt,name=cgroup_props_file,json=cgroupPropsFile" json:"cgroup_props_file,omitempty"`
+ CgroupDumpController []string `protobuf:"bytes,43,rep,name=cgroup_dump_controller,json=cgroupDumpController" json:"cgroup_dump_controller,omitempty"`
+ FreezeCgroup *string `protobuf:"bytes,44,opt,name=freeze_cgroup,json=freezeCgroup" json:"freeze_cgroup,omitempty"`
+ Timeout *uint32 `protobuf:"varint,45,opt,name=timeout" json:"timeout,omitempty"`
+ TcpSkipInFlight *bool `protobuf:"varint,46,opt,name=tcp_skip_in_flight,json=tcpSkipInFlight" json:"tcp_skip_in_flight,omitempty"`
+ WeakSysctls *bool `protobuf:"varint,47,opt,name=weak_sysctls,json=weakSysctls" json:"weak_sysctls,omitempty"`
+ LazyPages *bool `protobuf:"varint,48,opt,name=lazy_pages,json=lazyPages" json:"lazy_pages,omitempty"`
+ StatusFd *int32 `protobuf:"varint,49,opt,name=status_fd,json=statusFd" json:"status_fd,omitempty"`
+ OrphanPtsMaster *bool `protobuf:"varint,50,opt,name=orphan_pts_master,json=orphanPtsMaster" json:"orphan_pts_master,omitempty"`
+ ConfigFile *string `protobuf:"bytes,51,opt,name=config_file,json=configFile" json:"config_file,omitempty"`
+ XXX_unrecognized []byte `json:"-"`
+}
+
+func (m *CriuOpts) Reset() { *m = CriuOpts{} }
+func (m *CriuOpts) String() string { return proto.CompactTextString(m) }
+func (*CriuOpts) ProtoMessage() {}
+func (*CriuOpts) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{7} }
const Default_CriuOpts_LogLevel int32 = 2
const Default_CriuOpts_CpuCap uint32 = 4294967295
+const Default_CriuOpts_GhostLimit uint32 = 1048576
func (m *CriuOpts) GetImagesDirFd() int32 {
if m != nil && m.ImagesDirFd != nil {
@@ -513,21 +636,134 @@ func (m *CriuOpts) GetUnixSkIno() []*UnixSk {
return nil
}
-func (m *CriuOpts) GetManageCgroupsMode() uint32 {
+func (m *CriuOpts) GetManageCgroupsMode() CriuCgMode {
if m != nil && m.ManageCgroupsMode != nil {
return *m.ManageCgroupsMode
}
+ return CriuCgMode_IGNORE
+}
+
+func (m *CriuOpts) GetGhostLimit() uint32 {
+ if m != nil && m.GhostLimit != nil {
+ return *m.GhostLimit
+ }
+ return Default_CriuOpts_GhostLimit
+}
+
+func (m *CriuOpts) GetIrmapScanPaths() []string {
+ if m != nil {
+ return m.IrmapScanPaths
+ }
+ return nil
+}
+
+func (m *CriuOpts) GetExternal() []string {
+ if m != nil {
+ return m.External
+ }
+ return nil
+}
+
+func (m *CriuOpts) GetEmptyNs() uint32 {
+ if m != nil && m.EmptyNs != nil {
+ return *m.EmptyNs
+ }
+ return 0
+}
+
+func (m *CriuOpts) GetJoinNs() []*JoinNamespace {
+ if m != nil {
+ return m.JoinNs
+ }
+ return nil
+}
+
+func (m *CriuOpts) GetCgroupProps() string {
+ if m != nil && m.CgroupProps != nil {
+ return *m.CgroupProps
+ }
+ return ""
+}
+
+func (m *CriuOpts) GetCgroupPropsFile() string {
+ if m != nil && m.CgroupPropsFile != nil {
+ return *m.CgroupPropsFile
+ }
+ return ""
+}
+
+func (m *CriuOpts) GetCgroupDumpController() []string {
+ if m != nil {
+ return m.CgroupDumpController
+ }
+ return nil
+}
+
+func (m *CriuOpts) GetFreezeCgroup() string {
+ if m != nil && m.FreezeCgroup != nil {
+ return *m.FreezeCgroup
+ }
+ return ""
+}
+
+func (m *CriuOpts) GetTimeout() uint32 {
+ if m != nil && m.Timeout != nil {
+ return *m.Timeout
+ }
+ return 0
+}
+
+func (m *CriuOpts) GetTcpSkipInFlight() bool {
+ if m != nil && m.TcpSkipInFlight != nil {
+ return *m.TcpSkipInFlight
+ }
+ return false
+}
+
+func (m *CriuOpts) GetWeakSysctls() bool {
+ if m != nil && m.WeakSysctls != nil {
+ return *m.WeakSysctls
+ }
+ return false
+}
+
+func (m *CriuOpts) GetLazyPages() bool {
+ if m != nil && m.LazyPages != nil {
+ return *m.LazyPages
+ }
+ return false
+}
+
+func (m *CriuOpts) GetStatusFd() int32 {
+ if m != nil && m.StatusFd != nil {
+ return *m.StatusFd
+ }
return 0
}
+func (m *CriuOpts) GetOrphanPtsMaster() bool {
+ if m != nil && m.OrphanPtsMaster != nil {
+ return *m.OrphanPtsMaster
+ }
+ return false
+}
+
+func (m *CriuOpts) GetConfigFile() string {
+ if m != nil && m.ConfigFile != nil {
+ return *m.ConfigFile
+ }
+ return ""
+}
+
type CriuDumpResp struct {
Restored *bool `protobuf:"varint,1,opt,name=restored" json:"restored,omitempty"`
XXX_unrecognized []byte `json:"-"`
}
-func (m *CriuDumpResp) Reset() { *m = CriuDumpResp{} }
-func (m *CriuDumpResp) String() string { return proto.CompactTextString(m) }
-func (*CriuDumpResp) ProtoMessage() {}
+func (m *CriuDumpResp) Reset() { *m = CriuDumpResp{} }
+func (m *CriuDumpResp) String() string { return proto.CompactTextString(m) }
+func (*CriuDumpResp) ProtoMessage() {}
+func (*CriuDumpResp) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{8} }
func (m *CriuDumpResp) GetRestored() bool {
if m != nil && m.Restored != nil {
@@ -541,9 +777,10 @@ type CriuRestoreResp struct {
XXX_unrecognized []byte `json:"-"`
}
-func (m *CriuRestoreResp) Reset() { *m = CriuRestoreResp{} }
-func (m *CriuRestoreResp) String() string { return proto.CompactTextString(m) }
-func (*CriuRestoreResp) ProtoMessage() {}
+func (m *CriuRestoreResp) Reset() { *m = CriuRestoreResp{} }
+func (m *CriuRestoreResp) String() string { return proto.CompactTextString(m) }
+func (*CriuRestoreResp) ProtoMessage() {}
+func (*CriuRestoreResp) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{9} }
func (m *CriuRestoreResp) GetPid() int32 {
if m != nil && m.Pid != nil {
@@ -558,9 +795,10 @@ type CriuNotify struct {
XXX_unrecognized []byte `json:"-"`
}
-func (m *CriuNotify) Reset() { *m = CriuNotify{} }
-func (m *CriuNotify) String() string { return proto.CompactTextString(m) }
-func (*CriuNotify) ProtoMessage() {}
+func (m *CriuNotify) Reset() { *m = CriuNotify{} }
+func (m *CriuNotify) String() string { return proto.CompactTextString(m) }
+func (*CriuNotify) ProtoMessage() {}
+func (*CriuNotify) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{10} }
func (m *CriuNotify) GetScript() string {
if m != nil && m.Script != nil {
@@ -576,21 +814,55 @@ func (m *CriuNotify) GetPid() int32 {
return 0
}
+//
+// List of features which can queried via
+// CRIU_REQ_TYPE__FEATURE_CHECK
+type CriuFeatures struct {
+ MemTrack *bool `protobuf:"varint,1,opt,name=mem_track,json=memTrack" json:"mem_track,omitempty"`
+ LazyPages *bool `protobuf:"varint,2,opt,name=lazy_pages,json=lazyPages" json:"lazy_pages,omitempty"`
+ XXX_unrecognized []byte `json:"-"`
+}
+
+func (m *CriuFeatures) Reset() { *m = CriuFeatures{} }
+func (m *CriuFeatures) String() string { return proto.CompactTextString(m) }
+func (*CriuFeatures) ProtoMessage() {}
+func (*CriuFeatures) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{11} }
+
+func (m *CriuFeatures) GetMemTrack() bool {
+ if m != nil && m.MemTrack != nil {
+ return *m.MemTrack
+ }
+ return false
+}
+
+func (m *CriuFeatures) GetLazyPages() bool {
+ if m != nil && m.LazyPages != nil {
+ return *m.LazyPages
+ }
+ return false
+}
+
type CriuReq struct {
Type *CriuReqType `protobuf:"varint,1,req,name=type,enum=CriuReqType" json:"type,omitempty"`
Opts *CriuOpts `protobuf:"bytes,2,opt,name=opts" json:"opts,omitempty"`
- NotifySuccess *bool `protobuf:"varint,3,opt,name=notify_success" json:"notify_success,omitempty"`
+ NotifySuccess *bool `protobuf:"varint,3,opt,name=notify_success,json=notifySuccess" json:"notify_success,omitempty"`
//
// When set service won't close the connection but
// will wait for more req-s to appear. Works not
// for all request types.
- KeepOpen *bool `protobuf:"varint,4,opt,name=keep_open" json:"keep_open,omitempty"`
- XXX_unrecognized []byte `json:"-"`
+ KeepOpen *bool `protobuf:"varint,4,opt,name=keep_open,json=keepOpen" json:"keep_open,omitempty"`
+ //
+ // 'features' can be used to query which features
+ // are supported by the installed criu/kernel
+ // via RPC.
+ Features *CriuFeatures `protobuf:"bytes,5,opt,name=features" json:"features,omitempty"`
+ XXX_unrecognized []byte `json:"-"`
}
-func (m *CriuReq) Reset() { *m = CriuReq{} }
-func (m *CriuReq) String() string { return proto.CompactTextString(m) }
-func (*CriuReq) ProtoMessage() {}
+func (m *CriuReq) Reset() { *m = CriuReq{} }
+func (m *CriuReq) String() string { return proto.CompactTextString(m) }
+func (*CriuReq) ProtoMessage() {}
+func (*CriuReq) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{12} }
func (m *CriuReq) GetType() CriuReqType {
if m != nil && m.Type != nil {
@@ -620,6 +892,13 @@ func (m *CriuReq) GetKeepOpen() bool {
return false
}
+func (m *CriuReq) GetFeatures() *CriuFeatures {
+ if m != nil {
+ return m.Features
+ }
+ return nil
+}
+
type CriuResp struct {
Type *CriuReqType `protobuf:"varint,1,req,name=type,enum=CriuReqType" json:"type,omitempty"`
Success *bool `protobuf:"varint,2,req,name=success" json:"success,omitempty"`
@@ -627,13 +906,17 @@ type CriuResp struct {
Restore *CriuRestoreResp `protobuf:"bytes,4,opt,name=restore" json:"restore,omitempty"`
Notify *CriuNotify `protobuf:"bytes,5,opt,name=notify" json:"notify,omitempty"`
Ps *CriuPageServerInfo `protobuf:"bytes,6,opt,name=ps" json:"ps,omitempty"`
- CrErrno *int32 `protobuf:"varint,7,opt,name=cr_errno" json:"cr_errno,omitempty"`
+ CrErrno *int32 `protobuf:"varint,7,opt,name=cr_errno,json=crErrno" json:"cr_errno,omitempty"`
+ Features *CriuFeatures `protobuf:"bytes,8,opt,name=features" json:"features,omitempty"`
+ CrErrmsg *string `protobuf:"bytes,9,opt,name=cr_errmsg,json=crErrmsg" json:"cr_errmsg,omitempty"`
+ Version *CriuVersion `protobuf:"bytes,10,opt,name=version" json:"version,omitempty"`
XXX_unrecognized []byte `json:"-"`
}
-func (m *CriuResp) Reset() { *m = CriuResp{} }
-func (m *CriuResp) String() string { return proto.CompactTextString(m) }
-func (*CriuResp) ProtoMessage() {}
+func (m *CriuResp) Reset() { *m = CriuResp{} }
+func (m *CriuResp) String() string { return proto.CompactTextString(m) }
+func (*CriuResp) ProtoMessage() {}
+func (*CriuResp) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{13} }
func (m *CriuResp) GetType() CriuReqType {
if m != nil && m.Type != nil {
@@ -684,6 +967,220 @@ func (m *CriuResp) GetCrErrno() int32 {
return 0
}
+func (m *CriuResp) GetFeatures() *CriuFeatures {
+ if m != nil {
+ return m.Features
+ }
+ return nil
+}
+
+func (m *CriuResp) GetCrErrmsg() string {
+ if m != nil && m.CrErrmsg != nil {
+ return *m.CrErrmsg
+ }
+ return ""
+}
+
+func (m *CriuResp) GetVersion() *CriuVersion {
+ if m != nil {
+ return m.Version
+ }
+ return nil
+}
+
+// Answer for criu_req_type.VERSION requests
+type CriuVersion struct {
+ Major *int32 `protobuf:"varint,1,req,name=major" json:"major,omitempty"`
+ Minor *int32 `protobuf:"varint,2,req,name=minor" json:"minor,omitempty"`
+ Gitid *string `protobuf:"bytes,3,opt,name=gitid" json:"gitid,omitempty"`
+ Sublevel *int32 `protobuf:"varint,4,opt,name=sublevel" json:"sublevel,omitempty"`
+ Extra *int32 `protobuf:"varint,5,opt,name=extra" json:"extra,omitempty"`
+ Name *string `protobuf:"bytes,6,opt,name=name" json:"name,omitempty"`
+ XXX_unrecognized []byte `json:"-"`
+}
+
+func (m *CriuVersion) Reset() { *m = CriuVersion{} }
+func (m *CriuVersion) String() string { return proto.CompactTextString(m) }
+func (*CriuVersion) ProtoMessage() {}
+func (*CriuVersion) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{14} }
+
+func (m *CriuVersion) GetMajor() int32 {
+ if m != nil && m.Major != nil {
+ return *m.Major
+ }
+ return 0
+}
+
+func (m *CriuVersion) GetMinor() int32 {
+ if m != nil && m.Minor != nil {
+ return *m.Minor
+ }
+ return 0
+}
+
+func (m *CriuVersion) GetGitid() string {
+ if m != nil && m.Gitid != nil {
+ return *m.Gitid
+ }
+ return ""
+}
+
+func (m *CriuVersion) GetSublevel() int32 {
+ if m != nil && m.Sublevel != nil {
+ return *m.Sublevel
+ }
+ return 0
+}
+
+func (m *CriuVersion) GetExtra() int32 {
+ if m != nil && m.Extra != nil {
+ return *m.Extra
+ }
+ return 0
+}
+
+func (m *CriuVersion) GetName() string {
+ if m != nil && m.Name != nil {
+ return *m.Name
+ }
+ return ""
+}
+
func init() {
+ proto.RegisterType((*CriuPageServerInfo)(nil), "criu_page_server_info")
+ proto.RegisterType((*CriuVethPair)(nil), "criu_veth_pair")
+ proto.RegisterType((*ExtMountMap)(nil), "ext_mount_map")
+ proto.RegisterType((*JoinNamespace)(nil), "join_namespace")
+ proto.RegisterType((*InheritFd)(nil), "inherit_fd")
+ proto.RegisterType((*CgroupRoot)(nil), "cgroup_root")
+ proto.RegisterType((*UnixSk)(nil), "unix_sk")
+ proto.RegisterType((*CriuOpts)(nil), "criu_opts")
+ proto.RegisterType((*CriuDumpResp)(nil), "criu_dump_resp")
+ proto.RegisterType((*CriuRestoreResp)(nil), "criu_restore_resp")
+ proto.RegisterType((*CriuNotify)(nil), "criu_notify")
+ proto.RegisterType((*CriuFeatures)(nil), "criu_features")
+ proto.RegisterType((*CriuReq)(nil), "criu_req")
+ proto.RegisterType((*CriuResp)(nil), "criu_resp")
+ proto.RegisterType((*CriuVersion)(nil), "criu_version")
+ proto.RegisterEnum("CriuCgMode", CriuCgMode_name, CriuCgMode_value)
proto.RegisterEnum("CriuReqType", CriuReqType_name, CriuReqType_value)
}
+
+func init() { proto.RegisterFile("criurpc.proto", fileDescriptor0) }
+
+var fileDescriptor0 = []byte{
+ // 1795 bytes of a gzipped FileDescriptorProto
+ 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x8c, 0x56, 0xdd, 0x72, 0x5b, 0xb7,
+ 0x11, 0x0e, 0x29, 0xf1, 0x0f, 0xfc, 0x31, 0x0d, 0xff, 0x04, 0x4e, 0x6a, 0x9b, 0xa1, 0xe3, 0x44,
+ 0x55, 0x5c, 0x36, 0x61, 0xec, 0xb8, 0xce, 0xb4, 0x17, 0x1e, 0x89, 0x74, 0xd9, 0x48, 0x22, 0x07,
+ 0x94, 0x3c, 0x93, 0x2b, 0xcc, 0xd1, 0x39, 0x20, 0x05, 0xf3, 0x1c, 0x9c, 0x53, 0x00, 0x54, 0x24,
+ 0x3f, 0x48, 0x9f, 0xa2, 0xcf, 0xd0, 0x57, 0xea, 0x65, 0x6f, 0x3b, 0xbb, 0x00, 0x65, 0x29, 0xc9,
+ 0xb4, 0xb9, 0xc3, 0x7e, 0xbb, 0x00, 0xf6, 0x7f, 0x97, 0xb4, 0x63, 0xa3, 0xd6, 0xa6, 0x88, 0x07,
+ 0x85, 0xc9, 0x5d, 0xde, 0x5f, 0x92, 0x7b, 0x00, 0x88, 0x22, 0x5a, 0x4a, 0x61, 0xa5, 0x39, 0x97,
+ 0x46, 0x28, 0xbd, 0xc8, 0x29, 0x23, 0xb5, 0x28, 0x49, 0x8c, 0xb4, 0x96, 0x95, 0x7a, 0xa5, 0x9d,
+ 0x06, 0xdf, 0x90, 0x94, 0x92, 0xed, 0x22, 0x37, 0x8e, 0x95, 0x7b, 0xa5, 0x9d, 0x0a, 0xc7, 0x33,
+ 0xed, 0x92, 0xad, 0x42, 0x25, 0x6c, 0x0b, 0x21, 0x38, 0xd2, 0x0e, 0x29, 0x2f, 0x12, 0xb6, 0x8d,
+ 0x40, 0x79, 0x91, 0xf4, 0xff, 0x4c, 0x3a, 0xf8, 0xd1, 0xb9, 0x74, 0x67, 0xa2, 0x88, 0x94, 0xa1,
+ 0x77, 0x48, 0x45, 0x2d, 0x84, 0xd2, 0xac, 0xd4, 0x2b, 0xef, 0x34, 0xf8, 0xb6, 0x5a, 0x4c, 0x34,
+ 0xbd, 0x47, 0xaa, 0x6a, 0x21, 0xf2, 0x35, 0x3c, 0x0f, 0x68, 0x45, 0x2d, 0xa6, 0x6b, 0xd7, 0xff,
+ 0x96, 0xb4, 0xe5, 0x85, 0x13, 0x59, 0xbe, 0xd6, 0x4e, 0x64, 0x51, 0x01, 0x1f, 0xae, 0xe4, 0x65,
+ 0xb8, 0x0a, 0x47, 0x40, 0xce, 0xa3, 0x34, 0x5c, 0x83, 0x63, 0xff, 0x2d, 0xe9, 0xbc, 0xcb, 0x95,
+ 0x16, 0x3a, 0xca, 0xa4, 0x2d, 0xa2, 0x58, 0x82, 0x52, 0xda, 0x86, 0x4b, 0x65, 0x6d, 0xe9, 0xc7,
+ 0xa4, 0xa6, 0xad, 0x58, 0xa8, 0x54, 0x86, 0x7b, 0x55, 0x6d, 0xc7, 0x2a, 0x95, 0xf4, 0x53, 0xd2,
+ 0x90, 0x17, 0xce, 0x44, 0x22, 0x2f, 0x1c, 0x5a, 0xd5, 0xe0, 0x75, 0x04, 0xa6, 0x85, 0xeb, 0x0f,
+ 0x08, 0x51, 0xfa, 0x4c, 0x1a, 0xe5, 0xc4, 0x22, 0xf9, 0x15, 0x4d, 0xbc, 0xe9, 0xf0, 0xa0, 0x37,
+ 0xfd, 0x05, 0x69, 0xc6, 0x4b, 0x93, 0xaf, 0x0b, 0x61, 0xf2, 0xdc, 0x81, 0xff, 0x62, 0x67, 0xd2,
+ 0xe0, 0x56, 0x3c, 0xa3, 0x4f, 0x23, 0x77, 0x16, 0xb4, 0xc0, 0x73, 0xff, 0x31, 0xa9, 0xad, 0xb5,
+ 0xba, 0x10, 0x76, 0x45, 0xef, 0x92, 0x8a, 0xd2, 0x79, 0x22, 0xf1, 0x97, 0x36, 0xf7, 0x44, 0xff,
+ 0xdf, 0x6d, 0xd2, 0x40, 0x9f, 0xe6, 0x85, 0xb3, 0xb4, 0x4f, 0xda, 0x2a, 0x8b, 0x96, 0xd2, 0x8a,
+ 0x44, 0x19, 0xb1, 0x48, 0x50, 0xb6, 0xc2, 0x9b, 0x1e, 0xdc, 0x57, 0x66, 0x9c, 0x6c, 0xc2, 0x54,
+ 0xfe, 0x10, 0xa6, 0x27, 0xa4, 0x9d, 0xca, 0xe8, 0x5c, 0x0a, 0xb3, 0xd6, 0x5a, 0xe9, 0x25, 0x1a,
+ 0x5b, 0xe7, 0x2d, 0x04, 0xb9, 0xc7, 0xe8, 0x23, 0xd2, 0x04, 0xef, 0x07, 0x6d, 0x30, 0xa8, 0x75,
+ 0x0e, 0x0e, 0x3a, 0xd1, 0xea, 0x62, 0xbe, 0xa2, 0x5f, 0x92, 0x5b, 0x2e, 0x2e, 0x84, 0xb4, 0x2e,
+ 0x3a, 0x4d, 0x95, 0x3d, 0x93, 0x09, 0xab, 0xa0, 0x4c, 0xc7, 0xc5, 0xc5, 0xe8, 0x03, 0x0a, 0x82,
+ 0xf2, 0x3c, 0xb2, 0xea, 0x5c, 0x8a, 0x44, 0x9e, 0xab, 0x58, 0x5a, 0x56, 0xf5, 0x82, 0x01, 0xde,
+ 0xf7, 0x28, 0xf8, 0xdf, 0x9e, 0xc9, 0x34, 0x15, 0xef, 0xf2, 0x53, 0x56, 0x43, 0x91, 0x3a, 0x02,
+ 0x7f, 0xcb, 0x4f, 0xe9, 0x43, 0x42, 0x20, 0x64, 0x22, 0xcd, 0xe3, 0x95, 0x65, 0x75, 0xaf, 0x0d,
+ 0x20, 0x07, 0x00, 0xd0, 0x47, 0xa4, 0x91, 0xe6, 0x4b, 0x91, 0xca, 0x73, 0x99, 0xb2, 0x06, 0x98,
+ 0xfa, 0x7d, 0x69, 0xc8, 0xeb, 0x69, 0xbe, 0x3c, 0x00, 0x88, 0x3e, 0x20, 0x70, 0xf6, 0x51, 0x27,
+ 0x3e, 0xb5, 0xd3, 0x7c, 0x89, 0x61, 0xff, 0x82, 0x94, 0x0b, 0xcb, 0x9a, 0xbd, 0xd2, 0x4e, 0x73,
+ 0x78, 0x7f, 0xf0, 0xab, 0x85, 0xc1, 0xcb, 0x85, 0xa5, 0x4f, 0x49, 0x47, 0xe7, 0x4e, 0x2d, 0x2e,
+ 0x85, 0x8d, 0x8d, 0x2a, 0x9c, 0x65, 0x2d, 0xd4, 0xa2, 0xed, 0xd1, 0xb9, 0x07, 0x21, 0xaa, 0x10,
+ 0x71, 0xd6, 0xf6, 0x91, 0xc6, 0xe8, 0x3f, 0x24, 0xa4, 0x88, 0x8c, 0xd4, 0x4e, 0xa8, 0x6c, 0xc9,
+ 0x3a, 0xc8, 0x69, 0x78, 0x64, 0x92, 0x2d, 0xc1, 0x70, 0x67, 0xa2, 0x78, 0x25, 0x32, 0x99, 0xb1,
+ 0x5b, 0xde, 0x70, 0x04, 0x0e, 0x65, 0x06, 0x77, 0xa3, 0xb5, 0xcb, 0x45, 0x22, 0x93, 0x75, 0xc1,
+ 0xba, 0xde, 0x70, 0x40, 0xf6, 0x01, 0x80, 0x30, 0xfd, 0x94, 0x9b, 0xd5, 0x26, 0xfe, 0xb7, 0x31,
+ 0xca, 0x0d, 0x80, 0x7c, 0xf4, 0x1f, 0x12, 0x92, 0x2a, 0xbd, 0x12, 0x46, 0x66, 0x51, 0xc1, 0xa8,
+ 0xbf, 0x0e, 0x08, 0x07, 0x80, 0x3e, 0x25, 0x15, 0x28, 0x4e, 0xcb, 0xee, 0xf4, 0xb6, 0x76, 0x9a,
+ 0xc3, 0x5b, 0x83, 0x9b, 0xf5, 0xca, 0x3d, 0x97, 0x3e, 0x21, 0xb5, 0xb8, 0x58, 0x8b, 0x38, 0x2a,
+ 0xd8, 0xdd, 0x5e, 0x69, 0xa7, 0xfd, 0x3d, 0x79, 0x3e, 0x7c, 0xf5, 0xfc, 0xd5, 0x77, 0x2f, 0x87,
+ 0xaf, 0x5e, 0xf0, 0x6a, 0x5c, 0xac, 0xf7, 0xa2, 0x82, 0x3e, 0x26, 0xcd, 0x45, 0x6e, 0x62, 0x29,
+ 0x94, 0x81, 0xbf, 0xee, 0xe1, 0x5f, 0x04, 0xa1, 0x09, 0x20, 0x10, 0x04, 0x79, 0x21, 0x63, 0x11,
+ 0x67, 0x09, 0xbb, 0xdf, 0xdb, 0x82, 0x20, 0x00, 0xbd, 0x97, 0x41, 0x92, 0xd4, 0xb0, 0xd6, 0xb5,
+ 0x63, 0x1f, 0xa3, 0x26, 0x9d, 0xc1, 0x8d, 0xda, 0xe7, 0x55, 0x79, 0xe1, 0x0e, 0xb5, 0x83, 0x28,
+ 0x64, 0x91, 0x86, 0xf8, 0xf8, 0xf2, 0xb2, 0x8c, 0xf9, 0x28, 0x78, 0x74, 0xcf, 0x83, 0xf4, 0x29,
+ 0xa9, 0xc5, 0x4b, 0x2c, 0x3d, 0xf6, 0x00, 0xdf, 0x6b, 0x0d, 0xae, 0x95, 0x23, 0xaf, 0xc6, 0x4b,
+ 0x0e, 0x81, 0x79, 0x4c, 0x9a, 0xc6, 0x3a, 0x61, 0xd5, 0x69, 0x0a, 0x75, 0xf0, 0x89, 0x57, 0xd9,
+ 0x58, 0x37, 0xf7, 0x08, 0xdd, 0xbd, 0x5e, 0xf6, 0xec, 0x53, 0x7c, 0xaa, 0x39, 0xf8, 0x00, 0xf1,
+ 0x46, 0x38, 0x8f, 0x13, 0xda, 0x23, 0x2d, 0x8c, 0xd4, 0xc6, 0x90, 0xdf, 0xf9, 0xd7, 0x00, 0x1b,
+ 0x79, 0xe5, 0x1f, 0xfb, 0x9a, 0xb2, 0x67, 0x91, 0x81, 0xef, 0x1e, 0x7a, 0x01, 0x79, 0xe1, 0xe6,
+ 0x1e, 0xd9, 0x08, 0x64, 0x91, 0x75, 0xd2, 0x58, 0xf6, 0xe8, 0x4a, 0xe0, 0xd0, 0x23, 0xe0, 0x42,
+ 0xbb, 0x52, 0x05, 0xbe, 0xff, 0xd8, 0xbb, 0x10, 0x68, 0x78, 0x1c, 0xda, 0x97, 0x8e, 0x4e, 0x53,
+ 0x29, 0x16, 0x96, 0xf5, 0x90, 0x57, 0xf7, 0xc0, 0xd8, 0xd2, 0x1d, 0xd2, 0x0c, 0x95, 0x2c, 0x94,
+ 0xce, 0xd9, 0x67, 0x68, 0x48, 0x7d, 0x10, 0x30, 0xde, 0x58, 0x63, 0x51, 0x4f, 0x74, 0x4e, 0xff,
+ 0x42, 0xee, 0xdc, 0x74, 0xb0, 0xc8, 0xa0, 0x09, 0xf5, 0x7b, 0xa5, 0x9d, 0xce, 0xb0, 0xed, 0xf3,
+ 0x23, 0x5e, 0x22, 0xc8, 0x6f, 0xdf, 0x70, 0xfa, 0x61, 0x9e, 0x48, 0xf8, 0x68, 0x79, 0x96, 0x5b,
+ 0x27, 0x52, 0x95, 0x29, 0xc7, 0x9e, 0x60, 0xb6, 0xd4, 0xbe, 0xf9, 0xfa, 0xf9, 0x9f, 0x5e, 0xbc,
+ 0xfc, 0x8e, 0x13, 0xe4, 0x1d, 0x00, 0x8b, 0xee, 0x90, 0x2e, 0x26, 0x8a, 0xb0, 0x71, 0xa4, 0x05,
+ 0x74, 0x3f, 0xcb, 0x3e, 0x47, 0xb5, 0x3b, 0x88, 0xcf, 0xe3, 0x48, 0xcf, 0x00, 0xa5, 0x9f, 0x40,
+ 0xde, 0x38, 0x69, 0x74, 0x94, 0xb2, 0xa7, 0xc1, 0xb0, 0x40, 0x63, 0x4e, 0x65, 0x85, 0xbb, 0x14,
+ 0xda, 0xb2, 0x2f, 0xe0, 0x33, 0x5e, 0x43, 0xfa, 0x08, 0x6c, 0xae, 0xf9, 0x51, 0x60, 0xd9, 0x97,
+ 0x21, 0xbb, 0x6f, 0x8e, 0x06, 0x5e, 0x05, 0xfa, 0xc8, 0xd2, 0xcf, 0x48, 0x2b, 0x64, 0x47, 0x61,
+ 0xf2, 0xc2, 0xb2, 0xdf, 0x63, 0x85, 0x86, 0x06, 0x3e, 0x03, 0x88, 0xee, 0x92, 0xdb, 0xd7, 0x45,
+ 0x7c, 0x27, 0xd9, 0x45, 0xb9, 0x5b, 0xd7, 0xe4, 0xb0, 0xa3, 0x3c, 0x27, 0xf7, 0x83, 0x6c, 0xb2,
+ 0xce, 0x0a, 0x11, 0xe7, 0xda, 0x99, 0x3c, 0x4d, 0xa5, 0x61, 0x5f, 0xa1, 0xf6, 0x77, 0x3d, 0x77,
+ 0x7f, 0x9d, 0x15, 0x7b, 0x57, 0x3c, 0xe8, 0xca, 0x0b, 0x23, 0xe5, 0xfb, 0x8d, 0xe3, 0xd9, 0x33,
+ 0x7c, 0xbd, 0xe5, 0x41, 0xef, 0x63, 0x98, 0xd0, 0x4e, 0x65, 0x12, 0x66, 0xe5, 0x1f, 0xbc, 0xb5,
+ 0x81, 0xa4, 0x5f, 0x11, 0x0a, 0xfd, 0x18, 0xb3, 0x43, 0x69, 0xb1, 0x48, 0xd5, 0xf2, 0xcc, 0xb1,
+ 0x01, 0x66, 0x10, 0x74, 0xea, 0xf9, 0x4a, 0x15, 0x13, 0x3d, 0x46, 0x18, 0x0c, 0xfe, 0x49, 0x46,
+ 0x2b, 0x61, 0x2f, 0x6d, 0xec, 0x52, 0xcb, 0xfe, 0x88, 0x62, 0x4d, 0xc0, 0xe6, 0x1e, 0xc2, 0xc6,
+ 0x11, 0xbd, 0xbf, 0xc4, 0x5e, 0x68, 0xd9, 0xd7, 0xa1, 0x71, 0x44, 0xef, 0x2f, 0x67, 0x00, 0x60,
+ 0xb3, 0x76, 0x91, 0x5b, 0x5b, 0xa8, 0x8b, 0x6f, 0xb0, 0xeb, 0xd4, 0x3d, 0x30, 0x4e, 0xc0, 0x59,
+ 0xb9, 0x29, 0xce, 0x20, 0xac, 0xce, 0x86, 0x6c, 0x66, 0x43, 0xaf, 0x8a, 0x67, 0xcc, 0x9c, 0xf5,
+ 0x29, 0x0d, 0x29, 0x1f, 0xe7, 0x7a, 0xa1, 0x42, 0x73, 0xfe, 0x16, 0x8d, 0x26, 0x1e, 0x02, 0x6f,
+ 0xf6, 0x9f, 0x85, 0x25, 0x02, 0x7d, 0x69, 0xa4, 0x2d, 0x20, 0x1f, 0x8c, 0xb4, 0x2e, 0x37, 0x32,
+ 0xc1, 0x81, 0x5a, 0xe7, 0x57, 0x74, 0xff, 0x29, 0xb9, 0x8d, 0xd2, 0x01, 0xf0, 0x17, 0xc2, 0x08,
+ 0xf4, 0xc3, 0x11, 0x8e, 0xfd, 0x97, 0xa4, 0x89, 0x62, 0xbe, 0x77, 0xd3, 0xfb, 0xa4, 0xea, 0x9b,
+ 0x7a, 0x18, 0xd0, 0x81, 0xfa, 0xe5, 0xec, 0xec, 0xff, 0xe0, 0x97, 0x29, 0xb1, 0x90, 0x91, 0x5b,
+ 0x1b, 0xef, 0x88, 0x4c, 0x66, 0x02, 0xfb, 0xf5, 0x46, 0x9b, 0x4c, 0x66, 0xc7, 0x40, 0xff, 0xcc,
+ 0x89, 0xe5, 0x9f, 0x39, 0xb1, 0xff, 0xaf, 0x12, 0xa9, 0x07, 0x6d, 0xff, 0x4e, 0xfb, 0x64, 0xdb,
+ 0x5d, 0x16, 0x7e, 0xdc, 0x77, 0x86, 0x9d, 0xc1, 0x86, 0x21, 0x00, 0xe5, 0xc8, 0xa3, 0x8f, 0xc8,
+ 0x36, 0xcc, 0x7d, 0x7c, 0xa9, 0x39, 0x24, 0x83, 0xab, 0x4d, 0x80, 0x23, 0x7e, 0x7d, 0x46, 0xad,
+ 0xe3, 0x18, 0xf6, 0xb8, 0xad, 0x1b, 0x33, 0xca, 0x83, 0xa0, 0xf3, 0x4a, 0xca, 0x42, 0xe4, 0x85,
+ 0xd4, 0x61, 0xb2, 0xd7, 0x01, 0x98, 0x16, 0x52, 0xd3, 0x5d, 0x52, 0xdf, 0x18, 0x87, 0x13, 0xbd,
+ 0xb9, 0xd1, 0x65, 0x83, 0xf2, 0x2b, 0x7e, 0xff, 0x3f, 0xe5, 0xb0, 0x8d, 0xa0, 0x9b, 0x7f, 0x8b,
+ 0x05, 0x8c, 0xd4, 0x36, 0xaa, 0xc1, 0xde, 0x53, 0xe7, 0x1b, 0x92, 0x3e, 0x21, 0xdb, 0x10, 0x62,
+ 0xd4, 0xf8, 0x6a, 0x12, 0x5d, 0x05, 0x9d, 0x23, 0x93, 0x3e, 0x23, 0xb5, 0x10, 0x59, 0xd4, 0xbb,
+ 0x39, 0xa4, 0x83, 0x5f, 0x84, 0x9b, 0x6f, 0x44, 0xe8, 0xe7, 0xa4, 0xea, 0x0d, 0x0f, 0x86, 0xb4,
+ 0x06, 0xd7, 0x82, 0xce, 0x03, 0x2f, 0x2c, 0x00, 0xd5, 0xff, 0xbb, 0x00, 0x3c, 0x80, 0x60, 0x09,
+ 0x69, 0x8c, 0xce, 0x71, 0x3d, 0xa9, 0xf0, 0x5a, 0x6c, 0x46, 0x40, 0xde, 0xf0, 0x59, 0xfd, 0x7f,
+ 0xfb, 0x0c, 0x9c, 0xef, 0x9f, 0xc9, 0xec, 0x12, 0x57, 0x95, 0x06, 0xaf, 0xe3, 0x3b, 0x99, 0x5d,
+ 0xc2, 0x1c, 0x3c, 0x97, 0xc6, 0xaa, 0x5c, 0xe3, 0x9a, 0xd2, 0xdc, 0x74, 0xdc, 0x00, 0xf2, 0x0d,
+ 0xb7, 0xff, 0x8f, 0x12, 0x69, 0x5d, 0xe7, 0xc0, 0xba, 0x98, 0x45, 0xef, 0x72, 0x13, 0xb2, 0xdc,
+ 0x13, 0x88, 0x2a, 0x9d, 0x9b, 0xb0, 0x99, 0x7a, 0x02, 0xd0, 0xa5, 0x72, 0x61, 0x77, 0x6f, 0x70,
+ 0x4f, 0x40, 0x59, 0xd9, 0xf5, 0xa9, 0x5f, 0xa1, 0xb6, 0x43, 0x45, 0x07, 0x1a, 0x6e, 0xe0, 0x2a,
+ 0x8c, 0x8e, 0xac, 0x70, 0x4f, 0xc0, 0xae, 0x03, 0xcd, 0x14, 0x7d, 0xd7, 0xe0, 0x78, 0xde, 0x15,
+ 0x41, 0xaf, 0x30, 0x23, 0x28, 0x21, 0xd5, 0xc9, 0x9b, 0xa3, 0x29, 0x1f, 0x75, 0x3f, 0xa2, 0x4d,
+ 0x52, 0xdb, 0x7b, 0x23, 0x8e, 0xa6, 0x47, 0xa3, 0x6e, 0x89, 0x36, 0x48, 0x65, 0xc6, 0xa7, 0xb3,
+ 0x79, 0xb7, 0x4c, 0xeb, 0x64, 0x7b, 0x3e, 0x1d, 0x1f, 0x77, 0xb7, 0xe0, 0x34, 0x3e, 0x39, 0x38,
+ 0xe8, 0x6e, 0xc3, 0xbd, 0xf9, 0x31, 0x9f, 0xec, 0x1d, 0x77, 0x2b, 0x70, 0x6f, 0x7f, 0x34, 0x7e,
+ 0x7d, 0x72, 0x70, 0xdc, 0xad, 0xee, 0xfe, 0xb3, 0x14, 0x4a, 0x70, 0x93, 0x59, 0xf0, 0xd2, 0xe8,
+ 0x70, 0x76, 0xfc, 0x63, 0xf7, 0x23, 0xb8, 0xbf, 0x7f, 0x72, 0x38, 0xeb, 0x96, 0xe0, 0x0e, 0x1f,
+ 0xcd, 0x8f, 0xe1, 0xe3, 0x32, 0x48, 0xec, 0xfd, 0x75, 0xb4, 0xf7, 0x43, 0x77, 0x8b, 0xb6, 0x48,
+ 0x7d, 0xc6, 0x47, 0x02, 0xa5, 0xb6, 0xe9, 0x2d, 0xd2, 0x9c, 0xbd, 0x7e, 0x33, 0x12, 0xf3, 0x11,
+ 0x7f, 0x3b, 0xe2, 0xdd, 0x0a, 0x7c, 0x7b, 0x34, 0x3d, 0x9e, 0x8c, 0x7f, 0xec, 0x56, 0x69, 0x97,
+ 0xb4, 0xf6, 0x66, 0x27, 0x93, 0xa3, 0xf1, 0xd4, 0x8b, 0xd7, 0xe8, 0x6d, 0xd2, 0xde, 0x20, 0xfe,
+ 0xbd, 0x3a, 0x40, 0xe3, 0xd1, 0xeb, 0xe3, 0x13, 0x3e, 0x0a, 0x50, 0x03, 0xbe, 0x7e, 0x3b, 0xe2,
+ 0xf3, 0xc9, 0xf4, 0xa8, 0x4b, 0xfe, 0x1b, 0x00, 0x00, 0xff, 0xff, 0xc2, 0x38, 0x55, 0x41, 0x7c,
+ 0x0d, 0x00, 0x00,
+}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/devices/devices_unix.go b/vendor/github.com/opencontainers/runc/libcontainer/devices/devices.go
similarity index 58%
rename from vendor/github.com/opencontainers/runc/libcontainer/devices/devices_unix.go
rename to vendor/github.com/opencontainers/runc/libcontainer/devices/devices.go
index c02b73e3e6a39939a4bb6f82869bef270795e925..5e2ab0581e2fb0dbd4dd0a4a14b6cb4a09da3395 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/devices/devices_unix.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/devices/devices.go
@@ -1,16 +1,14 @@
-// +build linux freebsd
-
package devices
import (
"errors"
- "fmt"
"io/ioutil"
"os"
"path/filepath"
- "syscall"
"github.com/opencontainers/runc/libcontainer/configs"
+
+ "golang.org/x/sys/unix"
)
var (
@@ -19,45 +17,46 @@ var (
// Testing dependencies
var (
- osLstat = os.Lstat
+ unixLstat = unix.Lstat
ioutilReadDir = ioutil.ReadDir
)
-// Given the path to a device and it's cgroup_permissions(which cannot be easily queried) look up the information about a linux device and return that information as a Device struct.
+// Given the path to a device and its cgroup_permissions(which cannot be easily queried) look up the information about a linux device and return that information as a Device struct.
func DeviceFromPath(path, permissions string) (*configs.Device, error) {
- fileInfo, err := osLstat(path)
+ var stat unix.Stat_t
+ err := unixLstat(path, &stat)
if err != nil {
return nil, err
}
+
var (
- devType rune
- mode = fileInfo.Mode()
- fileModePermissionBits = os.FileMode.Perm(mode)
+ devNumber = uint64(stat.Rdev)
+ major = unix.Major(devNumber)
+ minor = unix.Minor(devNumber)
)
- switch {
- case mode&os.ModeDevice == 0:
+ if major == 0 {
return nil, ErrNotADevice
- case mode&os.ModeCharDevice != 0:
- fileModePermissionBits |= syscall.S_IFCHR
- devType = 'c'
- default:
- fileModePermissionBits |= syscall.S_IFBLK
- devType = 'b'
}
- stat_t, ok := fileInfo.Sys().(*syscall.Stat_t)
- if !ok {
- return nil, fmt.Errorf("cannot determine the device number for device %s", path)
+
+ var (
+ devType rune
+ mode = stat.Mode
+ )
+ switch {
+ case mode&unix.S_IFBLK == unix.S_IFBLK:
+ devType = 'b'
+ case mode&unix.S_IFCHR == unix.S_IFCHR:
+ devType = 'c'
}
- devNumber := int(stat_t.Rdev)
return &configs.Device{
Type: devType,
Path: path,
- Major: Major(devNumber),
- Minor: Minor(devNumber),
+ Major: int64(major),
+ Minor: int64(minor),
Permissions: permissions,
- FileMode: fileModePermissionBits,
- Uid: stat_t.Uid,
- Gid: stat_t.Gid,
+ FileMode: os.FileMode(mode),
+ Uid: stat.Uid,
+ Gid: stat.Gid,
}, nil
}
@@ -75,7 +74,8 @@ func getDevices(path string) ([]*configs.Device, error) {
switch {
case f.IsDir():
switch f.Name() {
- case "pts", "shm", "fd", "mqueue":
+ // ".lxc" & ".lxd-mounts" added to address https://github.com/lxc/lxd/issues/2825
+ case "pts", "shm", "fd", "mqueue", ".lxc", ".lxd-mounts":
continue
default:
sub, err := getDevices(filepath.Join(path, f.Name()))
@@ -94,6 +94,9 @@ func getDevices(path string) ([]*configs.Device, error) {
if err == ErrNotADevice {
continue
}
+ if os.IsNotExist(err) {
+ continue
+ }
return nil, err
}
out = append(out, device)
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/devices/devices_test.go b/vendor/github.com/opencontainers/runc/libcontainer/devices/devices_test.go
index 50ea78bc3f58115fa25f5e3bdee40ea9591e7e7d..0afa9d9212dc3bdf3a6a9692c22e71404c3427c2 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/devices/devices_test.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/devices/devices_test.go
@@ -1,19 +1,19 @@
-// +build linux freebsd
-
package devices
import (
"errors"
"os"
"testing"
+
+ "golang.org/x/sys/unix"
)
func TestDeviceFromPathLstatFailure(t *testing.T) {
testError := errors.New("test error")
- // Override os.Lstat to inject error.
- osLstat = func(path string) (os.FileInfo, error) {
- return nil, testError
+ // Override unix.Lstat to inject error.
+ unixLstat = func(path string, stat *unix.Stat_t) error {
+ return testError
}
_, err := DeviceFromPath("", "")
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/devices/devices_unsupported.go b/vendor/github.com/opencontainers/runc/libcontainer/devices/devices_unsupported.go
deleted file mode 100644
index 1e84033daff8297f2e183a1dad5dace4094f3c2c..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/libcontainer/devices/devices_unsupported.go
+++ /dev/null
@@ -1,3 +0,0 @@
-// +build windows
-
-package devices
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/devices/number.go b/vendor/github.com/opencontainers/runc/libcontainer/devices/number.go
deleted file mode 100644
index 885b6e5dd9363d5a746b6753bee90e394d81bfbd..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/libcontainer/devices/number.go
+++ /dev/null
@@ -1,24 +0,0 @@
-// +build linux freebsd
-
-package devices
-
-/*
-
-This code provides support for manipulating linux device numbers. It should be replaced by normal syscall functions once http://code.google.com/p/go/issues/detail?id=8106 is solved.
-
-You can read what they are here:
-
- - http://www.makelinux.net/ldd3/chp-3-sect-2
- - http://www.linux-tutorial.info/modules.php?name=MContent&pageid=94
-
-Note! These are NOT the same as the MAJOR(dev_t device);, MINOR(dev_t device); and MKDEV(int major, int minor); functions as defined in <linux/kdev_t.h> as the representation of device numbers used by go is different than the one used internally to the kernel! - https://github.com/torvalds/linux/blob/master/include/linux/kdev_t.h#L9
-
-*/
-
-func Major(devNumber int) int64 {
- return int64((devNumber >> 8) & 0xfff)
-}
-
-func Minor(devNumber int) int64 {
- return int64((devNumber & 0xff) | ((devNumber >> 12) & 0xfff00))
-}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/error.go b/vendor/github.com/opencontainers/runc/libcontainer/error.go
index b50aaae84ed51828044402cb6bf67a1e293f1b48..21a3789ba18de06dfb69cfe04c19d8e37890f697 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/error.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/error.go
@@ -2,7 +2,7 @@ package libcontainer
import "io"
-// API error code type.
+// ErrorCode is the API error code type.
type ErrorCode int
// API error codes.
@@ -56,13 +56,13 @@ func (c ErrorCode) String() string {
}
}
-// API Error type.
+// Error is the API error type.
type Error interface {
error
- // Returns a verbose string including the error message
- // and a representation of the stack trace suitable for
- // printing.
+ // Returns an error if it failed to write the detail of the Error to w.
+ // The detail of the Error may include the error message and a
+ // representation of the stack trace.
Detail(w io.Writer) error
// Returns the error code for this error.
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/error_test.go b/vendor/github.com/opencontainers/runc/libcontainer/error_test.go
index 4bf4c9f5d492af9177cd614aae3c896e2d6dcb80..36841ad83c89220b0f3b33c4d95aa7b93bdcdac5 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/error_test.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/error_test.go
@@ -4,12 +4,17 @@ import "testing"
func TestErrorCode(t *testing.T) {
codes := map[ErrorCode]string{
- IdInUse: "Id already in use",
- InvalidIdFormat: "Invalid format",
- ContainerPaused: "Container paused",
- ConfigInvalid: "Invalid configuration",
- SystemError: "System error",
- ContainerNotExists: "Container does not exist",
+ IdInUse: "Id already in use",
+ InvalidIdFormat: "Invalid format",
+ ContainerPaused: "Container paused",
+ ConfigInvalid: "Invalid configuration",
+ SystemError: "System error",
+ ContainerNotExists: "Container does not exist",
+ ContainerNotStopped: "Container is not stopped",
+ ContainerNotRunning: "Container is not running",
+ ConsoleExists: "Console exists for process",
+ ContainerNotPaused: "Container is not paused",
+ NoProcessOps: "No process operations",
}
for code, expected := range codes {
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/factory.go b/vendor/github.com/opencontainers/runc/libcontainer/factory.go
index f0ccb52e39d308de22ef47f3a67c56f6e9de68fa..0986cd77e3fe05fa6ec2534d12bbb57a688ae78d 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/factory.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/factory.go
@@ -10,7 +10,7 @@ type Factory interface {
// between 1 and 1024 characters, inclusive.
//
// The id must not already be in use by an existing container. Containers created using
- // a factory with the same path (and file system) must have distinct ids.
+ // a factory with the same path (and filesystem) must have distinct ids.
//
// Returns the new container with a running process.
//
@@ -28,7 +28,6 @@ type Factory interface {
//
// errors:
// Path does not exist
- // Container is stopped
// System error
Load(id string) (Container, error)
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/factory_linux.go b/vendor/github.com/opencontainers/runc/libcontainer/factory_linux.go
index eb327be78933d205256f9bbf18600da07943fec8..e35957c31482c8a84c9c0d485cdcb9c661edac21 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/factory_linux.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/factory_linux.go
@@ -6,57 +6,43 @@ import (
"encoding/json"
"fmt"
"os"
- "os/exec"
"path/filepath"
"regexp"
+ "runtime/debug"
"strconv"
- "syscall"
- "github.com/docker/docker/pkg/mount"
+ "github.com/cyphar/filepath-securejoin"
"github.com/opencontainers/runc/libcontainer/cgroups"
"github.com/opencontainers/runc/libcontainer/cgroups/fs"
"github.com/opencontainers/runc/libcontainer/cgroups/systemd"
"github.com/opencontainers/runc/libcontainer/configs"
"github.com/opencontainers/runc/libcontainer/configs/validate"
+ "github.com/opencontainers/runc/libcontainer/intelrdt"
+ "github.com/opencontainers/runc/libcontainer/mount"
"github.com/opencontainers/runc/libcontainer/utils"
+
+ "golang.org/x/sys/unix"
)
const (
- stateFilename = "state.json"
+ stateFilename = "state.json"
+ execFifoFilename = "exec.fifo"
)
-var (
- idRegex = regexp.MustCompile(`^[\w_-]+$`)
- maxIdLen = 1024
-)
+var idRegex = regexp.MustCompile(`^[\w+-\.]+$`)
// InitArgs returns an options func to configure a LinuxFactory with the
-// provided init arguments.
+// provided init binary path and arguments.
func InitArgs(args ...string) func(*LinuxFactory) error {
- return func(l *LinuxFactory) error {
- name := args[0]
- if filepath.Base(name) == name {
- if lp, err := exec.LookPath(name); err == nil {
- name = lp
+ return func(l *LinuxFactory) (err error) {
+ if len(args) > 0 {
+ // Resolve relative paths to ensure that its available
+ // after directory changes.
+ if args[0], err = filepath.Abs(args[0]); err != nil {
+ return newGenericError(err, ConfigInvalid)
}
- } else {
- abs, err := filepath.Abs(name)
- if err != nil {
- return err
- }
- name = abs
}
- l.InitPath = "/proc/self/exe"
- l.InitArgs = append([]string{name}, args[1:]...)
- return nil
- }
-}
-// InitPath returns an options func to configure a LinuxFactory with the
-// provided absolute path to the init binary and arguements.
-func InitPath(path string, args ...string) func(*LinuxFactory) error {
- return func(l *LinuxFactory) error {
- l.InitPath = path
l.InitArgs = args
return nil
}
@@ -74,9 +60,9 @@ func SystemdCgroups(l *LinuxFactory) error {
return nil
}
-// Cgroupfs is an options func to configure a LinuxFactory to return
-// containers that use the native cgroups filesystem implementation to
-// create and manage cgroups.
+// Cgroupfs is an options func to configure a LinuxFactory to return containers
+// that use the native cgroups filesystem implementation to create and manage
+// cgroups.
func Cgroupfs(l *LinuxFactory) error {
l.NewCgroupsManager = func(config *configs.Cgroup, paths map[string]string) cgroups.Manager {
return &fs.Manager{
@@ -87,6 +73,37 @@ func Cgroupfs(l *LinuxFactory) error {
return nil
}
+// RootlessCgroupfs is an options func to configure a LinuxFactory to return
+// containers that use the native cgroups filesystem implementation to create
+// and manage cgroups. The difference between RootlessCgroupfs and Cgroupfs is
+// that RootlessCgroupfs can transparently handle permission errors that occur
+// during rootless container (including euid=0 in userns) setup (while still allowing cgroup usage if
+// they've been set up properly).
+func RootlessCgroupfs(l *LinuxFactory) error {
+ l.NewCgroupsManager = func(config *configs.Cgroup, paths map[string]string) cgroups.Manager {
+ return &fs.Manager{
+ Cgroups: config,
+ Rootless: true,
+ Paths: paths,
+ }
+ }
+ return nil
+}
+
+// IntelRdtfs is an options func to configure a LinuxFactory to return
+// containers that use the Intel RDT "resource control" filesystem to
+// create and manage Intel RDT resources (e.g., L3 cache, memory bandwidth).
+func IntelRdtFs(l *LinuxFactory) error {
+ l.NewIntelRdtManager = func(config *configs.Config, id string, path string) intelrdt.Manager {
+ return &intelrdt.IntelRdtManager{
+ Config: config,
+ Id: id,
+ Path: path,
+ }
+ }
+ return nil
+}
+
// TmpfsRoot is an option func to mount LinuxFactory.Root to tmpfs.
func TmpfsRoot(l *LinuxFactory) error {
mounted, err := mount.Mounted(l.Root)
@@ -94,13 +111,22 @@ func TmpfsRoot(l *LinuxFactory) error {
return err
}
if !mounted {
- if err := syscall.Mount("tmpfs", l.Root, "tmpfs", 0, ""); err != nil {
+ if err := unix.Mount("tmpfs", l.Root, "tmpfs", 0, ""); err != nil {
return err
}
}
return nil
}
+// CriuPath returns an option func to configure a LinuxFactory with the
+// provided criupath
+func CriuPath(criupath string) func(*LinuxFactory) error {
+ return func(l *LinuxFactory) error {
+ l.CriuPath = criupath
+ return nil
+ }
+}
+
// New returns a linux based container factory based in the root directory and
// configures the factory with the provided option funcs.
func New(root string, options ...func(*LinuxFactory) error) (Factory, error) {
@@ -111,12 +137,16 @@ func New(root string, options ...func(*LinuxFactory) error) (Factory, error) {
}
l := &LinuxFactory{
Root: root,
+ InitPath: "/proc/self/exe",
+ InitArgs: []string{os.Args[0], "init"},
Validator: validate.New(),
CriuPath: "criu",
}
- InitArgs(os.Args[0], "init")(l)
Cgroupfs(l)
for _, opt := range options {
+ if opt == nil {
+ continue
+ }
if err := opt(l); err != nil {
return nil, err
}
@@ -129,7 +159,8 @@ type LinuxFactory struct {
// Root directory for the factory to store state.
Root string
- // InitPath is the absolute path to the init binary.
+ // InitPath is the path for calling the init responsibilities for spawning
+ // a container.
InitPath string
// InitArgs are arguments for calling the init responsibilities for spawning
@@ -140,11 +171,19 @@ type LinuxFactory struct {
// containers.
CriuPath string
+ // New{u,g}uidmapPath is the path to the binaries used for mapping with
+ // rootless containers.
+ NewuidmapPath string
+ NewgidmapPath string
+
// Validator provides validation to container configurations.
Validator validate.Validator
// NewCgroupsManager returns an initialized cgroups manager for a single container.
NewCgroupsManager func(config *configs.Cgroup, paths map[string]string) cgroups.Manager
+
+ // NewIntelRdtManager returns an initialized Intel RDT manager for a single container.
+ NewIntelRdtManager func(config *configs.Config, id string, path string) intelrdt.Manager
}
func (l *LinuxFactory) Create(id string, config *configs.Config) (Container, error) {
@@ -157,13 +196,19 @@ func (l *LinuxFactory) Create(id string, config *configs.Config) (Container, err
if err := l.Validator.Validate(config); err != nil {
return nil, newGenericError(err, ConfigInvalid)
}
- containerRoot := filepath.Join(l.Root, id)
+ containerRoot, err := securejoin.SecureJoin(l.Root, id)
+ if err != nil {
+ return nil, err
+ }
if _, err := os.Stat(containerRoot); err == nil {
return nil, newGenericError(fmt.Errorf("container with id exists: %v", id), IdInUse)
} else if !os.IsNotExist(err) {
return nil, newGenericError(err, SystemError)
}
- if err := os.MkdirAll(containerRoot, 0700); err != nil {
+ if err := os.MkdirAll(containerRoot, 0711); err != nil {
+ return nil, newGenericError(err, SystemError)
+ }
+ if err := os.Chown(containerRoot, unix.Geteuid(), unix.Getegid()); err != nil {
return nil, newGenericError(err, SystemError)
}
c := &linuxContainer{
@@ -173,8 +218,13 @@ func (l *LinuxFactory) Create(id string, config *configs.Config) (Container, err
initPath: l.InitPath,
initArgs: l.InitArgs,
criuPath: l.CriuPath,
+ newuidmapPath: l.NewuidmapPath,
+ newgidmapPath: l.NewgidmapPath,
cgroupManager: l.NewCgroupsManager(config.Cgroups, nil),
}
+ if intelrdt.IsCatEnabled() || intelrdt.IsMbaEnabled() {
+ c.intelRdtManager = l.NewIntelRdtManager(config, id, "")
+ }
c.state = &stoppedState{c: c}
return c, nil
}
@@ -183,8 +233,15 @@ func (l *LinuxFactory) Load(id string) (Container, error) {
if l.Root == "" {
return nil, newGenericError(fmt.Errorf("invalid root"), ConfigInvalid)
}
- containerRoot := filepath.Join(l.Root, id)
- state, err := l.loadState(containerRoot)
+ //when load, we need to check id is valid or not.
+ if err := l.validateID(id); err != nil {
+ return nil, err
+ }
+ containerRoot, err := securejoin.SecureJoin(l.Root, id)
+ if err != nil {
+ return nil, err
+ }
+ state, err := l.loadState(containerRoot, id)
if err != nil {
return nil, err
}
@@ -194,20 +251,26 @@ func (l *LinuxFactory) Load(id string) (Container, error) {
fds: state.ExternalDescriptors,
}
c := &linuxContainer{
- initProcess: r,
- id: id,
- config: &state.Config,
- initPath: l.InitPath,
- initArgs: l.InitArgs,
- criuPath: l.CriuPath,
- cgroupManager: l.NewCgroupsManager(state.Config.Cgroups, state.CgroupPaths),
- root: containerRoot,
- created: state.Created,
+ initProcess: r,
+ initProcessStartTime: state.InitProcessStartTime,
+ id: id,
+ config: &state.Config,
+ initPath: l.InitPath,
+ initArgs: l.InitArgs,
+ criuPath: l.CriuPath,
+ newuidmapPath: l.NewuidmapPath,
+ newgidmapPath: l.NewgidmapPath,
+ cgroupManager: l.NewCgroupsManager(state.Config.Cgroups, state.CgroupPaths),
+ root: containerRoot,
+ created: state.Created,
}
- c.state = &createdState{c: c, s: Created}
+ c.state = &loadedState{c: c}
if err := c.refreshState(); err != nil {
return nil, err
}
+ if intelrdt.IsCatEnabled() || intelrdt.IsMbaEnabled() {
+ c.intelRdtManager = l.NewIntelRdtManager(&state.Config, id, state.IntelRdtPath)
+ }
return c, nil
}
@@ -218,56 +281,83 @@ func (l *LinuxFactory) Type() string {
// StartInitialization loads a container by opening the pipe fd from the parent to read the configuration and state
// This is a low level implementation detail of the reexec and should not be consumed externally
func (l *LinuxFactory) StartInitialization() (err error) {
- fdStr := os.Getenv("_LIBCONTAINER_INITPIPE")
- pipefd, err := strconv.Atoi(fdStr)
+ var (
+ pipefd, fifofd int
+ consoleSocket *os.File
+ envInitPipe = os.Getenv("_LIBCONTAINER_INITPIPE")
+ envFifoFd = os.Getenv("_LIBCONTAINER_FIFOFD")
+ envConsole = os.Getenv("_LIBCONTAINER_CONSOLE")
+ )
+
+ // Get the INITPIPE.
+ pipefd, err = strconv.Atoi(envInitPipe)
if err != nil {
- return fmt.Errorf("error converting env var _LIBCONTAINER_INITPIPE(%q) to an int: %s", fdStr, err)
+ return fmt.Errorf("unable to convert _LIBCONTAINER_INITPIPE=%s to int: %s", envInitPipe, err)
}
+
var (
pipe = os.NewFile(uintptr(pipefd), "pipe")
it = initType(os.Getenv("_LIBCONTAINER_INITTYPE"))
)
defer pipe.Close()
+
+ // Only init processes have FIFOFD.
+ fifofd = -1
+ if it == initStandard {
+ if fifofd, err = strconv.Atoi(envFifoFd); err != nil {
+ return fmt.Errorf("unable to convert _LIBCONTAINER_FIFOFD=%s to int: %s", envFifoFd, err)
+ }
+ }
+
+ if envConsole != "" {
+ console, err := strconv.Atoi(envConsole)
+ if err != nil {
+ return fmt.Errorf("unable to convert _LIBCONTAINER_CONSOLE=%s to int: %s", envConsole, err)
+ }
+ consoleSocket = os.NewFile(uintptr(console), "console-socket")
+ defer consoleSocket.Close()
+ }
+
// clear the current process's environment to clean any libcontainer
// specific env vars.
os.Clearenv()
- i, err := newContainerInit(it, pipe)
- if err != nil {
- l.sendError(nil, pipe, err)
- return err
- }
- if err := i.Init(); err != nil {
- if !isExecError(err) {
- l.sendError(i, pipe, err)
+
+ defer func() {
+ // We have an error during the initialization of the container's init,
+ // send it back to the parent process in the form of an initError.
+ if werr := utils.WriteJSON(pipe, syncT{procError}); werr != nil {
+ fmt.Fprintln(os.Stderr, err)
+ return
+ }
+ if werr := utils.WriteJSON(pipe, newSystemError(err)); werr != nil {
+ fmt.Fprintln(os.Stderr, err)
+ return
}
+ }()
+ defer func() {
+ if e := recover(); e != nil {
+ err = fmt.Errorf("panic from initialization: %v, %v", e, string(debug.Stack()))
+ }
+ }()
+
+ i, err := newContainerInit(it, pipe, consoleSocket, fifofd)
+ if err != nil {
return err
}
- return nil
-}
-func (l *LinuxFactory) sendError(i initer, pipe *os.File, err error) {
- // We have an error during the initialization of the container's init,
- // send it back to the parent process in the form of an initError.
- // If container's init successed, syscall.Exec will not return, hence
- // this defer function will never be called.
- if i != nil {
- if _, ok := i.(*linuxStandardInit); ok {
- // Synchronisation only necessary for standard init.
- if err := utils.WriteJSON(pipe, syncT{procError}); err != nil {
- panic(err)
- }
- }
- }
- if err := utils.WriteJSON(pipe, newSystemError(err)); err != nil {
- panic(err)
- }
+ // If Init succeeds, syscall.Exec will not return, hence none of the defers will be called.
+ return i.Init()
}
-func (l *LinuxFactory) loadState(root string) (*State, error) {
- f, err := os.Open(filepath.Join(root, stateFilename))
+func (l *LinuxFactory) loadState(root, id string) (*State, error) {
+ stateFilePath, err := securejoin.SecureJoin(root, stateFilename)
+ if err != nil {
+ return nil, err
+ }
+ f, err := os.Open(stateFilePath)
if err != nil {
if os.IsNotExist(err) {
- return nil, newGenericError(err, ContainerNotExists)
+ return nil, newGenericError(fmt.Errorf("container %q does not exist", id), ContainerNotExists)
}
return nil, newGenericError(err, SystemError)
}
@@ -280,16 +370,27 @@ func (l *LinuxFactory) loadState(root string) (*State, error) {
}
func (l *LinuxFactory) validateID(id string) error {
- if !idRegex.MatchString(id) {
- return newGenericError(fmt.Errorf("invalid id format: %v", id), InvalidIdFormat)
- }
- if len(id) > maxIdLen {
+ if !idRegex.MatchString(id) || string(os.PathSeparator)+id != utils.CleanPath(string(os.PathSeparator)+id) {
return newGenericError(fmt.Errorf("invalid id format: %v", id), InvalidIdFormat)
}
+
return nil
}
-func isExecError(err error) bool {
- _, ok := err.(*exec.Error)
- return ok
+// NewuidmapPath returns an option func to configure a LinuxFactory with the
+// provided ..
+func NewuidmapPath(newuidmapPath string) func(*LinuxFactory) error {
+ return func(l *LinuxFactory) error {
+ l.NewuidmapPath = newuidmapPath
+ return nil
+ }
+}
+
+// NewgidmapPath returns an option func to configure a LinuxFactory with the
+// provided ..
+func NewgidmapPath(newgidmapPath string) func(*LinuxFactory) error {
+ return func(l *LinuxFactory) error {
+ l.NewgidmapPath = newgidmapPath
+ return nil
+ }
}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/factory_linux_test.go b/vendor/github.com/opencontainers/runc/libcontainer/factory_linux_test.go
index ea3b5132d77bbd37e39970d0a27547e3ecd5bff4..8d0ca8a4743893c7a52b900811767b9490a637bf 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/factory_linux_test.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/factory_linux_test.go
@@ -7,12 +7,14 @@ import (
"os"
"path/filepath"
"reflect"
- "syscall"
"testing"
- "github.com/docker/docker/pkg/mount"
"github.com/opencontainers/runc/libcontainer/configs"
+ "github.com/opencontainers/runc/libcontainer/mount"
"github.com/opencontainers/runc/libcontainer/utils"
+ "github.com/opencontainers/runtime-spec/specs-go"
+
+ "golang.org/x/sys/unix"
)
func newTestRoot() (string, error) {
@@ -49,6 +51,32 @@ func TestFactoryNew(t *testing.T) {
}
}
+func TestFactoryNewIntelRdt(t *testing.T) {
+ root, rerr := newTestRoot()
+ if rerr != nil {
+ t.Fatal(rerr)
+ }
+ defer os.RemoveAll(root)
+ factory, err := New(root, Cgroupfs, IntelRdtFs)
+ if err != nil {
+ t.Fatal(err)
+ }
+ if factory == nil {
+ t.Fatal("factory should not be nil")
+ }
+ lfactory, ok := factory.(*LinuxFactory)
+ if !ok {
+ t.Fatal("expected linux factory returned on linux based systems")
+ }
+ if lfactory.Root != root {
+ t.Fatalf("expected factory root to be %q but received %q", root, lfactory.Root)
+ }
+
+ if factory.Type() != "libcontainer" {
+ t.Fatalf("unexpected factory type: %q, expected %q", factory.Type(), "libcontainer")
+ }
+}
+
func TestFactoryNewTmpfs(t *testing.T) {
root, rerr := newTestRoot()
if rerr != nil {
@@ -99,7 +127,7 @@ func TestFactoryNewTmpfs(t *testing.T) {
if !found {
t.Fatalf("Factory Root is not listed in mounts list")
}
- defer syscall.Unmount(root, syscall.MNT_DETACH)
+ defer unix.Unmount(root, unix.MNT_DETACH)
}
func TestFactoryLoadNotExists(t *testing.T) {
@@ -163,7 +191,7 @@ func TestFactoryLoadContainer(t *testing.T) {
if err := marshal(filepath.Join(root, id, stateFilename), expectedState); err != nil {
t.Fatal(err)
}
- factory, err := New(root, Cgroupfs)
+ factory, err := New(root, Cgroupfs, IntelRdtFs)
if err != nil {
t.Fatal(err)
}
@@ -202,6 +230,6 @@ func marshal(path string, v interface{}) error {
type unserializableHook struct{}
-func (unserializableHook) Run(configs.HookState) error {
+func (unserializableHook) Run(*specs.State) error {
return nil
}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/generic_error.go b/vendor/github.com/opencontainers/runc/libcontainer/generic_error.go
index 93bb7570db20c4b359ec26a0213dabf32cf2f2ca..6e7de2fe7e0715a8309e4c9a8be0687e40cb9912 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/generic_error.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/generic_error.go
@@ -9,20 +9,6 @@ import (
"github.com/opencontainers/runc/libcontainer/stacktrace"
)
-type syncType uint8
-
-const (
- procReady syncType = iota
- procError
- procRun
- procHooks
- procResume
-)
-
-type syncT struct {
- Type syncType `json:"type"`
-}
-
var errorTemplate = template.Must(template.New("error").Parse(`Timestamp: {{.Timestamp}}
Code: {{.ECode}}
{{if .Message }}
@@ -52,14 +38,27 @@ func newGenericError(err error, c ErrorCode) Error {
}
func newSystemError(err error) Error {
- if le, ok := err.(Error); ok {
- return le
- }
+ return createSystemError(err, "")
+}
+
+func newSystemErrorWithCausef(err error, cause string, v ...interface{}) Error {
+ return createSystemError(err, fmt.Sprintf(cause, v...))
+}
+
+func newSystemErrorWithCause(err error, cause string) Error {
+ return createSystemError(err, cause)
+}
+
+// createSystemError creates the specified error with the correct number of
+// stack frames skipped. This is only to be called by the other functions for
+// formatting the error.
+func createSystemError(err error, cause string) Error {
gerr := &genericError{
Timestamp: time.Now(),
Err: err,
ECode: SystemError,
- Stack: stacktrace.Capture(1),
+ Cause: cause,
+ Stack: stacktrace.Capture(2),
}
if err != nil {
gerr.Message = err.Error()
@@ -71,12 +70,17 @@ type genericError struct {
Timestamp time.Time
ECode ErrorCode
Err error `json:"-"`
+ Cause string
Message string
Stack stacktrace.Stacktrace
}
func (e *genericError) Error() string {
- return fmt.Sprintf("[%d] %s: %s", e.ECode, e.ECode, e.Message)
+ if e.Cause == "" {
+ return e.Message
+ }
+ frame := e.Stack.Frames[0]
+ return fmt.Sprintf("%s:%d: %s caused %q", frame.File, frame.Line, e.Cause, e.Message)
}
func (e *genericError) Code() ErrorCode {
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/generic_error_test.go b/vendor/github.com/opencontainers/runc/libcontainer/generic_error_test.go
index 292d2a36bdcebdbfd433aa41ab9a4b89acee4d80..8fbdd4d381f95943606ee0a2555f10573a91316d 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/generic_error_test.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/generic_error_test.go
@@ -12,3 +12,38 @@ func TestErrorDetail(t *testing.T) {
t.Fatal(derr)
}
}
+
+func TestErrorWithCode(t *testing.T) {
+ err := newGenericError(fmt.Errorf("test error"), SystemError)
+ if code := err.Code(); code != SystemError {
+ t.Fatalf("expected err code %q but %q", SystemError, code)
+ }
+}
+
+func TestErrorWithError(t *testing.T) {
+ cc := []struct {
+ errmsg string
+ cause string
+ }{
+ {
+ errmsg: "test error",
+ },
+ {
+ errmsg: "test error",
+ cause: "test",
+ },
+ }
+
+ for _, v := range cc {
+ err := newSystemErrorWithCause(fmt.Errorf(v.errmsg), v.cause)
+
+ msg := err.Error()
+ if v.cause == "" && msg != v.errmsg {
+ t.Fatalf("expected err(%q) equal errmsg(%q)", msg, v.errmsg)
+ }
+ if v.cause != "" && msg == v.errmsg {
+ t.Fatalf("unexpected err(%q) equal errmsg(%q)", msg, v.errmsg)
+ }
+
+ }
+}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/init_linux.go b/vendor/github.com/opencontainers/runc/libcontainer/init_linux.go
index d54a2d1e4c0678ae8bfe633eaccfd157c8b1c4a0..cd7ff67a7023b423469236e3d812cf3ea511e502 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/init_linux.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/init_linux.go
@@ -9,16 +9,20 @@ import (
"io/ioutil"
"net"
"os"
- "strconv"
"strings"
- "syscall"
+ "syscall" // only for Errno
+ "unsafe"
- "github.com/sirupsen/logrus"
+ "golang.org/x/sys/unix"
+
+ "github.com/containerd/console"
"github.com/opencontainers/runc/libcontainer/cgroups"
"github.com/opencontainers/runc/libcontainer/configs"
"github.com/opencontainers/runc/libcontainer/system"
"github.com/opencontainers/runc/libcontainer/user"
"github.com/opencontainers/runc/libcontainer/utils"
+ "github.com/pkg/errors"
+ "github.com/sirupsen/logrus"
"github.com/vishvananda/netlink"
)
@@ -30,7 +34,8 @@ const (
)
type pid struct {
- Pid int `json:"pid"`
+ Pid int `json:"pid"`
+ PidFirstChild int `json:"pid_first"`
}
// network is an internal struct used to setup container networks.
@@ -44,27 +49,32 @@ type network struct {
// initConfig is used for transferring parameters from Exec() to Init()
type initConfig struct {
- Args []string `json:"args"`
- Env []string `json:"env"`
- Cwd string `json:"cwd"`
- Capabilities []string `json:"capabilities"`
- ProcessLabel string `json:"process_label"`
- AppArmorProfile string `json:"apparmor_profile"`
- NoNewPrivileges bool `json:"no_new_privileges"`
- User string `json:"user"`
- Config *configs.Config `json:"config"`
- Console string `json:"console"`
- Networks []*network `json:"network"`
- PassedFilesCount int `json:"passed_files_count"`
- ContainerId string `json:"containerid"`
- Rlimits []configs.Rlimit `json:"rlimits"`
+ Args []string `json:"args"`
+ Env []string `json:"env"`
+ Cwd string `json:"cwd"`
+ Capabilities *configs.Capabilities `json:"capabilities"`
+ ProcessLabel string `json:"process_label"`
+ AppArmorProfile string `json:"apparmor_profile"`
+ NoNewPrivileges bool `json:"no_new_privileges"`
+ User string `json:"user"`
+ AdditionalGroups []string `json:"additional_groups"`
+ Config *configs.Config `json:"config"`
+ Networks []*network `json:"network"`
+ PassedFilesCount int `json:"passed_files_count"`
+ ContainerId string `json:"containerid"`
+ Rlimits []configs.Rlimit `json:"rlimits"`
+ CreateConsole bool `json:"create_console"`
+ ConsoleWidth uint16 `json:"console_width"`
+ ConsoleHeight uint16 `json:"console_height"`
+ RootlessEUID bool `json:"rootless_euid,omitempty"`
+ RootlessCgroups bool `json:"rootless_cgroups,omitempty"`
}
type initer interface {
Init() error
}
-func newContainerInit(t initType, pipe *os.File) (initer, error) {
+func newContainerInit(t initType, pipe *os.File, consoleSocket *os.File, fifoFd int) (initer, error) {
var config *initConfig
if err := json.NewDecoder(pipe).Decode(&config); err != nil {
return nil, err
@@ -75,13 +85,17 @@ func newContainerInit(t initType, pipe *os.File) (initer, error) {
switch t {
case initSetns:
return &linuxSetnsInit{
- config: config,
+ pipe: pipe,
+ consoleSocket: consoleSocket,
+ config: config,
}, nil
case initStandard:
return &linuxStandardInit{
- pipe: pipe,
- parentPid: syscall.Getppid(),
- config: config,
+ pipe: pipe,
+ consoleSocket: consoleSocket,
+ parentPid: unix.Getppid(),
+ config: config,
+ fifoFd: fifoFd,
}, nil
}
return nil, fmt.Errorf("unknown init type %q", t)
@@ -110,62 +124,103 @@ func finalizeNamespace(config *initConfig) error {
// inherited are marked close-on-exec so they stay out of the
// container
if err := utils.CloseExecFrom(config.PassedFilesCount + 3); err != nil {
- return err
+ return errors.Wrap(err, "close exec fds")
}
- capabilities := config.Config.Capabilities
+ capabilities := &configs.Capabilities{}
if config.Capabilities != nil {
capabilities = config.Capabilities
+ } else if config.Config.Capabilities != nil {
+ capabilities = config.Config.Capabilities
}
- w, err := newCapWhitelist(capabilities)
+ w, err := newContainerCapList(capabilities)
if err != nil {
return err
}
// drop capabilities in bounding set before changing user
- if err := w.dropBoundingSet(); err != nil {
- return err
+ if err := w.ApplyBoundingSet(); err != nil {
+ return errors.Wrap(err, "apply bounding set")
}
// preserve existing capabilities while we change users
if err := system.SetKeepCaps(); err != nil {
- return err
+ return errors.Wrap(err, "set keep caps")
}
if err := setupUser(config); err != nil {
- return err
+ return errors.Wrap(err, "setup user")
}
if err := system.ClearKeepCaps(); err != nil {
- return err
+ return errors.Wrap(err, "clear keep caps")
}
- // drop all other capabilities
- if err := w.drop(); err != nil {
- return err
+ if err := w.ApplyCaps(); err != nil {
+ return errors.Wrap(err, "apply caps")
}
if config.Cwd != "" {
- if err := syscall.Chdir(config.Cwd); err != nil {
- return err
+ if err := unix.Chdir(config.Cwd); err != nil {
+ return fmt.Errorf("chdir to cwd (%q) set in config.json failed: %v", config.Cwd, err)
}
}
return nil
}
+// setupConsole sets up the console from inside the container, and sends the
+// master pty fd to the config.Pipe (using cmsg). This is done to ensure that
+// consoles are scoped to a container properly (see runc#814 and the many
+// issues related to that). This has to be run *after* we've pivoted to the new
+// rootfs (and the users' configuration is entirely set up).
+func setupConsole(socket *os.File, config *initConfig, mount bool) error {
+ defer socket.Close()
+ // At this point, /dev/ptmx points to something that we would expect. We
+ // used to change the owner of the slave path, but since the /dev/pts mount
+ // can have gid=X set (at the users' option). So touching the owner of the
+ // slave PTY is not necessary, as the kernel will handle that for us. Note
+ // however, that setupUser (specifically fixStdioPermissions) *will* change
+ // the UID owner of the console to be the user the process will run as (so
+ // they can actually control their console).
+
+ pty, slavePath, err := console.NewPty()
+ if err != nil {
+ return err
+ }
+
+ if config.ConsoleHeight != 0 && config.ConsoleWidth != 0 {
+ err = pty.Resize(console.WinSize{
+ Height: config.ConsoleHeight,
+ Width: config.ConsoleWidth,
+ })
+
+ if err != nil {
+ return err
+ }
+ }
+
+ // After we return from here, we don't need the console anymore.
+ defer pty.Close()
+
+ // Mount the console inside our rootfs.
+ if mount {
+ if err := mountConsole(slavePath); err != nil {
+ return err
+ }
+ }
+ // While we can access console.master, using the API is a good idea.
+ if err := utils.SendFd(socket, pty.Name(), pty.Fd()); err != nil {
+ return err
+ }
+ // Now, dup over all the things.
+ return dupStdio(slavePath)
+}
+
// syncParentReady sends to the given pipe a JSON payload which indicates that
// the init is ready to Exec the child process. It then waits for the parent to
// indicate that it is cleared to Exec.
func syncParentReady(pipe io.ReadWriter) error {
// Tell parent.
- if err := utils.WriteJSON(pipe, syncT{procReady}); err != nil {
+ if err := writeSync(pipe, procReady); err != nil {
return err
}
+
// Wait for parent to give the all-clear.
- var procSync syncT
- if err := json.NewDecoder(pipe).Decode(&procSync); err != nil {
- if err == io.EOF {
- return fmt.Errorf("parent closed synchronisation channel")
- }
- if procSync.Type != procRun {
- return fmt.Errorf("invalid synchronisation flag from parent")
- }
- }
- return nil
+ return readSync(pipe, procRun)
}
// syncParentHooks sends to the given pipe a JSON payload which indicates that
@@ -173,66 +228,96 @@ func syncParentReady(pipe io.ReadWriter) error {
// indicate that it is cleared to resume.
func syncParentHooks(pipe io.ReadWriter) error {
// Tell parent.
- if err := utils.WriteJSON(pipe, syncT{procHooks}); err != nil {
+ if err := writeSync(pipe, procHooks); err != nil {
return err
}
+
// Wait for parent to give the all-clear.
- var procSync syncT
- if err := json.NewDecoder(pipe).Decode(&procSync); err != nil {
- if err == io.EOF {
- return fmt.Errorf("parent closed synchronisation channel")
- }
- if procSync.Type != procResume {
- return fmt.Errorf("invalid synchronisation flag from parent")
- }
- }
- return nil
+ return readSync(pipe, procResume)
}
// setupUser changes the groups, gid, and uid for the user inside the container
func setupUser(config *initConfig) error {
// Set up defaults.
defaultExecUser := user.ExecUser{
- Uid: syscall.Getuid(),
- Gid: syscall.Getgid(),
+ Uid: 0,
+ Gid: 0,
Home: "/",
}
+
passwdPath, err := user.GetPasswdPath()
if err != nil {
return err
}
+
groupPath, err := user.GetGroupPath()
if err != nil {
return err
}
+
execUser, err := user.GetExecUserPath(config.User, &defaultExecUser, passwdPath, groupPath)
if err != nil {
return err
}
var addGroups []int
- if len(config.Config.AdditionalGroups) > 0 {
- addGroups, err = user.GetAdditionalGroupsPath(config.Config.AdditionalGroups, groupPath)
+ if len(config.AdditionalGroups) > 0 {
+ addGroups, err = user.GetAdditionalGroupsPath(config.AdditionalGroups, groupPath)
if err != nil {
return err
}
}
- // before we change to the container's user make sure that the processes STDIO
- // is correctly owned by the user that we are switching to.
- if err := fixStdioPermissions(execUser); err != nil {
+
+ // Rather than just erroring out later in setuid(2) and setgid(2), check
+ // that the user is mapped here.
+ if _, err := config.Config.HostUID(execUser.Uid); err != nil {
+ return fmt.Errorf("cannot set uid to unmapped user in user namespace")
+ }
+ if _, err := config.Config.HostGID(execUser.Gid); err != nil {
+ return fmt.Errorf("cannot set gid to unmapped user in user namespace")
+ }
+
+ if config.RootlessEUID {
+ // We cannot set any additional groups in a rootless container and thus
+ // we bail if the user asked us to do so. TODO: We currently can't do
+ // this check earlier, but if libcontainer.Process.User was typesafe
+ // this might work.
+ if len(addGroups) > 0 {
+ return fmt.Errorf("cannot set any additional groups in a rootless container")
+ }
+ }
+
+ // Before we change to the container's user make sure that the processes
+ // STDIO is correctly owned by the user that we are switching to.
+ if err := fixStdioPermissions(config, execUser); err != nil {
return err
}
- suppGroups := append(execUser.Sgids, addGroups...)
- if err := syscall.Setgroups(suppGroups); err != nil {
+
+ setgroups, err := ioutil.ReadFile("/proc/self/setgroups")
+ if err != nil && !os.IsNotExist(err) {
return err
}
+ // This isn't allowed in an unprivileged user namespace since Linux 3.19.
+ // There's nothing we can do about /etc/group entries, so we silently
+ // ignore setting groups here (since the user didn't explicitly ask us to
+ // set the group).
+ allowSupGroups := !config.RootlessEUID && strings.TrimSpace(string(setgroups)) != "deny"
+
+ if allowSupGroups {
+ suppGroups := append(execUser.Sgids, addGroups...)
+ if err := unix.Setgroups(suppGroups); err != nil {
+ return err
+ }
+ }
+
if err := system.Setgid(execUser.Gid); err != nil {
return err
}
if err := system.Setuid(execUser.Uid); err != nil {
return err
}
+
// if we didn't get HOME already, set it based on the user's HOME
if envHome := os.Getenv("HOME"); envHome == "" {
if err := os.Setenv("HOME", execUser.Home); err != nil {
@@ -245,9 +330,9 @@ func setupUser(config *initConfig) error {
// fixStdioPermissions fixes the permissions of PID 1's STDIO within the container to the specified user.
// The ownership needs to match because it is created outside of the container and needs to be
// localized.
-func fixStdioPermissions(u *user.ExecUser) error {
- var null syscall.Stat_t
- if err := syscall.Stat("/dev/null", &null); err != nil {
+func fixStdioPermissions(config *initConfig, u *user.ExecUser) error {
+ var null unix.Stat_t
+ if err := unix.Stat("/dev/null", &null); err != nil {
return err
}
for _, fd := range []uintptr{
@@ -255,15 +340,32 @@ func fixStdioPermissions(u *user.ExecUser) error {
os.Stderr.Fd(),
os.Stdout.Fd(),
} {
- var s syscall.Stat_t
- if err := syscall.Fstat(int(fd), &s); err != nil {
+ var s unix.Stat_t
+ if err := unix.Fstat(int(fd), &s); err != nil {
return err
}
- // skip chown of /dev/null if it was used as one of the STDIO fds.
+
+ // Skip chown of /dev/null if it was used as one of the STDIO fds.
if s.Rdev == null.Rdev {
continue
}
- if err := syscall.Fchown(int(fd), u.Uid, u.Gid); err != nil {
+
+ // We only change the uid owner (as it is possible for the mount to
+ // prefer a different gid, and there's no reason for us to change it).
+ // The reason why we don't just leave the default uid=X mount setup is
+ // that users expect to be able to actually use their console. Without
+ // this code, you couldn't effectively run as a non-root user inside a
+ // container and also have a console set up.
+ if err := unix.Fchown(int(fd), u.Uid, int(s.Gid)); err != nil {
+ // If we've hit an EINVAL then s.Gid isn't mapped in the user
+ // namespace. If we've hit an EPERM then the inode's current owner
+ // is not mapped in our user namespace (in particular,
+ // privileged_wrt_inode_uidgid() has failed). In either case, we
+ // are in a configuration where it's better for us to just not
+ // touch the stdio rather than bail at this point.
+ if err == unix.EINVAL || err == unix.EPERM {
+ continue
+ }
return err
}
}
@@ -316,26 +418,60 @@ func setupRoute(config *configs.Config) error {
return nil
}
-func setupRlimits(limits []configs.Rlimit) error {
+func setupRlimits(limits []configs.Rlimit, pid int) error {
for _, rlimit := range limits {
- l := &syscall.Rlimit{Max: rlimit.Hard, Cur: rlimit.Soft}
- if err := syscall.Setrlimit(rlimit.Type, l); err != nil {
+ if err := system.Prlimit(pid, rlimit.Type, unix.Rlimit{Max: rlimit.Hard, Cur: rlimit.Soft}); err != nil {
return fmt.Errorf("error setting rlimit type %v: %v", rlimit.Type, err)
}
}
return nil
}
-func setOomScoreAdj(oomScoreAdj int, pid int) error {
- path := fmt.Sprintf("/proc/%d/oom_score_adj", pid)
+const _P_PID = 1
+
+type siginfo struct {
+ si_signo int32
+ si_errno int32
+ si_code int32
+ // below here is a union; si_pid is the only field we use
+ si_pid int32
+ // Pad to 128 bytes as detailed in blockUntilWaitable
+ pad [96]byte
+}
+
+// isWaitable returns true if the process has exited false otherwise.
+// Its based off blockUntilWaitable in src/os/wait_waitid.go
+func isWaitable(pid int) (bool, error) {
+ si := &siginfo{}
+ _, _, e := unix.Syscall6(unix.SYS_WAITID, _P_PID, uintptr(pid), uintptr(unsafe.Pointer(si)), unix.WEXITED|unix.WNOWAIT|unix.WNOHANG, 0, 0)
+ if e != 0 {
+ return false, os.NewSyscallError("waitid", e)
+ }
- return ioutil.WriteFile(path, []byte(strconv.Itoa(oomScoreAdj)), 0600)
+ return si.si_pid != 0, nil
}
-// killCgroupProcesses freezes then iterates over all the processes inside the
-// manager's cgroups sending a SIGKILL to each process then waiting for them to
-// exit.
-func killCgroupProcesses(m cgroups.Manager) error {
+// isNoChildren returns true if err represents a unix.ECHILD (formerly syscall.ECHILD) false otherwise
+func isNoChildren(err error) bool {
+ switch err := err.(type) {
+ case syscall.Errno:
+ if err == unix.ECHILD {
+ return true
+ }
+ case *os.SyscallError:
+ if err.Err == unix.ECHILD {
+ return true
+ }
+ }
+ return false
+}
+
+// signalAllProcesses freezes then iterates over all the processes inside the
+// manager's cgroups sending the signal s to them.
+// If s is SIGKILL then it will wait for each process to exit.
+// For all other signals it will check if the process is ready to report its
+// exit status and only if it is will a wait be performed.
+func signalAllProcesses(m cgroups.Manager, s os.Signal) error {
var procs []*os.Process
if err := m.Freeze(configs.Frozen); err != nil {
logrus.Warn(err)
@@ -346,19 +482,54 @@ func killCgroupProcesses(m cgroups.Manager) error {
return err
}
for _, pid := range pids {
- if p, err := os.FindProcess(pid); err == nil {
- procs = append(procs, p)
- if err := p.Kill(); err != nil {
- logrus.Warn(err)
- }
+ p, err := os.FindProcess(pid)
+ if err != nil {
+ logrus.Warn(err)
+ continue
+ }
+ procs = append(procs, p)
+ if err := p.Signal(s); err != nil {
+ logrus.Warn(err)
}
}
if err := m.Freeze(configs.Thawed); err != nil {
logrus.Warn(err)
}
+
+ subreaper, err := system.GetSubreaper()
+ if err != nil {
+ // The error here means that PR_GET_CHILD_SUBREAPER is not
+ // supported because this code might run on a kernel older
+ // than 3.4. We don't want to throw an error in that case,
+ // and we simplify things, considering there is no subreaper
+ // set.
+ subreaper = 0
+ }
+
for _, p := range procs {
- if _, err := p.Wait(); err != nil {
- logrus.Warn(err)
+ if s != unix.SIGKILL {
+ if ok, err := isWaitable(p.Pid); err != nil {
+ if !isNoChildren(err) {
+ logrus.Warn("signalAllProcesses: ", p.Pid, err)
+ }
+ continue
+ } else if !ok {
+ // Not ready to report so don't wait
+ continue
+ }
+ }
+
+ // In case a subreaper has been setup, this code must not
+ // wait for the process. Otherwise, we cannot be sure the
+ // current process will be reaped by the subreaper, while
+ // the subreaper might be waiting for this process in order
+ // to retrieve its exit code.
+ if subreaper == 0 {
+ if _, err := p.Wait(); err != nil {
+ if !isNoChildren(err) {
+ logrus.Warn("wait: ", err)
+ }
+ }
}
}
return nil
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/integration/checkpoint_test.go b/vendor/github.com/opencontainers/runc/libcontainer/integration/checkpoint_test.go
index a71c172a3c2ca388e82b94969704ad2490244d0e..63fa14f0f74ac15e19fa80a6d8d67c9e8f979cd6 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/integration/checkpoint_test.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/integration/checkpoint_test.go
@@ -5,13 +5,15 @@ import (
"bytes"
"io/ioutil"
"os"
+ "os/exec"
"path/filepath"
"strings"
- "syscall"
"testing"
"github.com/opencontainers/runc/libcontainer"
"github.com/opencontainers/runc/libcontainer/configs"
+
+ "golang.org/x/sys/unix"
)
func showFile(t *testing.T, fname string) error {
@@ -38,7 +40,22 @@ func showFile(t *testing.T, fname string) error {
return nil
}
+func TestUsernsCheckpoint(t *testing.T) {
+ if _, err := os.Stat("/proc/self/ns/user"); os.IsNotExist(err) {
+ t.Skip("userns is unsupported")
+ }
+ cmd := exec.Command("criu", "check", "--feature", "userns")
+ if err := cmd.Run(); err != nil {
+ t.Skip("Unable to c/r a container with userns")
+ }
+ testCheckpoint(t, true)
+}
+
func TestCheckpoint(t *testing.T) {
+ testCheckpoint(t, false)
+}
+
+func testCheckpoint(t *testing.T, userns bool) {
if testing.Short() {
return
}
@@ -59,9 +76,15 @@ func TestCheckpoint(t *testing.T) {
config.Mounts = append(config.Mounts, &configs.Mount{
Destination: "/sys/fs/cgroup",
Device: "cgroup",
- Flags: defaultMountFlags | syscall.MS_RDONLY,
+ Flags: defaultMountFlags | unix.MS_RDONLY,
})
+ if userns {
+ config.UidMappings = []configs.IDMap{{HostID: 0, ContainerID: 0, Size: 1000}}
+ config.GidMappings = []configs.IDMap{{HostID: 0, ContainerID: 0, Size: 1000}}
+ config.Namespaces = append(config.Namespaces, configs.Namespace{Type: configs.NEWUSER})
+ }
+
factory, err := libcontainer.New(root, libcontainer.Cgroupfs)
if err != nil {
@@ -87,9 +110,10 @@ func TestCheckpoint(t *testing.T) {
Env: standardEnvironment,
Stdin: stdinR,
Stdout: &stdout,
+ Init: true,
}
- err = container.Start(&pconfig)
+ err = container.Run(&pconfig)
stdinR.Close()
defer stdinW.Close()
if err != nil {
@@ -106,6 +130,33 @@ func TestCheckpoint(t *testing.T) {
t.Fatal(err)
}
+ parentDir, err := ioutil.TempDir("", "criu-parent")
+ if err != nil {
+ t.Fatal(err)
+ }
+ defer os.RemoveAll(parentDir)
+
+ preDumpOpts := &libcontainer.CriuOpts{
+ ImagesDirectory: parentDir,
+ WorkDirectory: parentDir,
+ PreDump: true,
+ }
+ preDumpLog := filepath.Join(preDumpOpts.WorkDirectory, "dump.log")
+
+ if err := container.Checkpoint(preDumpOpts); err != nil {
+ showFile(t, preDumpLog)
+ t.Fatal(err)
+ }
+
+ state, err := container.Status()
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ if state != libcontainer.Running {
+ t.Fatal("Unexpected preDump state: ", state)
+ }
+
imagesDir, err := ioutil.TempDir("", "criu")
if err != nil {
t.Fatal(err)
@@ -115,6 +166,7 @@ func TestCheckpoint(t *testing.T) {
checkpointOpts := &libcontainer.CriuOpts{
ImagesDirectory: imagesDir,
WorkDirectory: imagesDir,
+ ParentImage: "../criu-parent",
}
dumpLog := filepath.Join(checkpointOpts.WorkDirectory, "dump.log")
restoreLog := filepath.Join(checkpointOpts.WorkDirectory, "restore.log")
@@ -124,12 +176,12 @@ func TestCheckpoint(t *testing.T) {
t.Fatal(err)
}
- state, err := container.Status()
+ state, err = container.Status()
if err != nil {
t.Fatal(err)
}
- if state != libcontainer.Running {
+ if state != libcontainer.Stopped {
t.Fatal("Unexpected state checkpoint: ", state)
}
@@ -154,6 +206,7 @@ func TestCheckpoint(t *testing.T) {
Cwd: "/",
Stdin: restoreStdinR,
Stdout: &stdout,
+ Init: true,
}
err = container.Restore(restoreProcessConfig, checkpointOpts)
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/integration/exec_test.go b/vendor/github.com/opencontainers/runc/libcontainer/integration/exec_test.go
index 22a9afbfc251d61d58241db255f8b545cf618cd7..eb0f987fc8e8c139f67e06212430870eb139e195 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/integration/exec_test.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/integration/exec_test.go
@@ -2,6 +2,7 @@ package integration
import (
"bytes"
+ "encoding/json"
"fmt"
"io/ioutil"
"os"
@@ -10,12 +11,14 @@ import (
"reflect"
"strconv"
"strings"
- "syscall"
"testing"
"github.com/opencontainers/runc/libcontainer"
"github.com/opencontainers/runc/libcontainer/cgroups/systemd"
"github.com/opencontainers/runc/libcontainer/configs"
+ "github.com/opencontainers/runtime-spec/specs-go"
+
+ "golang.org/x/sys/unix"
)
func TestExecPS(t *testing.T) {
@@ -38,12 +41,12 @@ func testExecPS(t *testing.T, userns bool) {
defer remove(rootfs)
config := newTemplateConfig(rootfs)
if userns {
- config.UidMappings = []configs.IDMap{{0, 0, 1000}}
- config.GidMappings = []configs.IDMap{{0, 0, 1000}}
+ config.UidMappings = []configs.IDMap{{HostID: 0, ContainerID: 0, Size: 1000}}
+ config.GidMappings = []configs.IDMap{{HostID: 0, ContainerID: 0, Size: 1000}}
config.Namespaces = append(config.Namespaces, configs.Namespace{Type: configs.NEWUSER})
}
- buffers, exitCode, err := runContainer(config, "", "ps")
+ buffers, exitCode, err := runContainer(config, "", "ps", "-o", "pid,user,comm")
if err != nil {
t.Fatalf("%s: %s", buffers, err)
}
@@ -158,6 +161,18 @@ func TestIPCBadPath(t *testing.T) {
}
func TestRlimit(t *testing.T) {
+ testRlimit(t, false)
+}
+
+func TestUsernsRlimit(t *testing.T) {
+ if _, err := os.Stat("/proc/self/ns/user"); os.IsNotExist(err) {
+ t.Skip("userns is unsupported")
+ }
+
+ testRlimit(t, true)
+}
+
+func testRlimit(t *testing.T, userns bool) {
if testing.Short() {
return
}
@@ -167,6 +182,19 @@ func TestRlimit(t *testing.T) {
defer remove(rootfs)
config := newTemplateConfig(rootfs)
+ if userns {
+ config.UidMappings = []configs.IDMap{{HostID: 0, ContainerID: 0, Size: 1000}}
+ config.GidMappings = []configs.IDMap{{HostID: 0, ContainerID: 0, Size: 1000}}
+ config.Namespaces = append(config.Namespaces, configs.Namespace{Type: configs.NEWUSER})
+ }
+
+ // ensure limit is lower than what the config requests to test that in a user namespace
+ // the Setrlimit call happens early enough that we still have permissions to raise the limit.
+ ok(t, unix.Setrlimit(unix.RLIMIT_NOFILE, &unix.Rlimit{
+ Max: 1024,
+ Cur: 1024,
+ }))
+
out, _, err := runContainer(config, "", "/bin/sh", "-c", "ulimit -n")
ok(t, err)
if limit := strings.TrimSpace(out.Stdout.String()); limit != "1025" {
@@ -174,17 +202,6 @@ func TestRlimit(t *testing.T) {
}
}
-func newTestRoot() (string, error) {
- dir, err := ioutil.TempDir("", "libcontainer")
- if err != nil {
- return "", err
- }
- if err := os.MkdirAll(dir, 0700); err != nil {
- return "", err
- }
- return dir, nil
-}
-
func TestEnter(t *testing.T) {
if testing.Short() {
return
@@ -215,8 +232,9 @@ func TestEnter(t *testing.T) {
Env: standardEnvironment,
Stdin: stdinR,
Stdout: &stdout,
+ Init: true,
}
- err = container.Start(&pconfig)
+ err = container.Run(&pconfig)
stdinR.Close()
defer stdinW.Close()
ok(t, err)
@@ -234,7 +252,7 @@ func TestEnter(t *testing.T) {
pconfig2.Stdin = stdinR2
pconfig2.Stdout = &stdout2
- err = container.Start(&pconfig2)
+ err = container.Run(&pconfig2)
stdinR2.Close()
defer stdinW2.Close()
ok(t, err)
@@ -304,8 +322,9 @@ func TestProcessEnv(t *testing.T) {
},
Stdin: nil,
Stdout: &stdout,
+ Init: true,
}
- err = container.Start(&pconfig)
+ err = container.Run(&pconfig)
ok(t, err)
// Wait for process
@@ -324,7 +343,7 @@ func TestProcessEnv(t *testing.T) {
}
}
-func TestProcessCaps(t *testing.T) {
+func TestProcessEmptyCaps(t *testing.T) {
if testing.Short() {
return
}
@@ -337,23 +356,78 @@ func TestProcessCaps(t *testing.T) {
defer remove(rootfs)
config := newTemplateConfig(rootfs)
+ config.Capabilities = nil
container, err := factory.Create("test", config)
ok(t, err)
defer container.Destroy()
- processCaps := append(config.Capabilities, "CAP_NET_ADMIN")
+ var stdout bytes.Buffer
+ pconfig := libcontainer.Process{
+ Cwd: "/",
+ Args: []string{"sh", "-c", "cat /proc/self/status"},
+ Env: standardEnvironment,
+ Stdin: nil,
+ Stdout: &stdout,
+ Init: true,
+ }
+ err = container.Run(&pconfig)
+ ok(t, err)
+
+ // Wait for process
+ waitProcess(&pconfig, t)
+
+ outputStatus := string(stdout.Bytes())
+
+ lines := strings.Split(outputStatus, "\n")
+
+ effectiveCapsLine := ""
+ for _, l := range lines {
+ line := strings.TrimSpace(l)
+ if strings.Contains(line, "CapEff:") {
+ effectiveCapsLine = line
+ break
+ }
+ }
+
+ if effectiveCapsLine == "" {
+ t.Fatal("Couldn't find effective caps: ", outputStatus)
+ }
+}
+
+func TestProcessCaps(t *testing.T) {
+ if testing.Short() {
+ return
+ }
+ root, err := newTestRoot()
+ ok(t, err)
+ defer os.RemoveAll(root)
+
+ rootfs, err := newRootfs()
+ ok(t, err)
+ defer remove(rootfs)
+
+ config := newTemplateConfig(rootfs)
+
+ container, err := factory.Create("test", config)
+ ok(t, err)
+ defer container.Destroy()
var stdout bytes.Buffer
pconfig := libcontainer.Process{
Cwd: "/",
Args: []string{"sh", "-c", "cat /proc/self/status"},
Env: standardEnvironment,
- Capabilities: processCaps,
Stdin: nil,
Stdout: &stdout,
+ Capabilities: &configs.Capabilities{},
+ Init: true,
}
- err = container.Start(&pconfig)
+ pconfig.Capabilities.Bounding = append(config.Capabilities.Bounding, "CAP_NET_ADMIN")
+ pconfig.Capabilities.Permitted = append(config.Capabilities.Permitted, "CAP_NET_ADMIN")
+ pconfig.Capabilities.Effective = append(config.Capabilities.Effective, "CAP_NET_ADMIN")
+ pconfig.Capabilities.Inheritable = append(config.Capabilities.Inheritable, "CAP_NET_ADMIN")
+ err = container.Run(&pconfig)
ok(t, err)
// Wait for process
@@ -406,7 +480,6 @@ func TestAdditionalGroups(t *testing.T) {
defer remove(rootfs)
config := newTemplateConfig(rootfs)
- config.AdditionalGroups = []string{"plugdev", "audio"}
factory, err := libcontainer.New(root, libcontainer.Cgroupfs)
ok(t, err)
@@ -417,13 +490,15 @@ func TestAdditionalGroups(t *testing.T) {
var stdout bytes.Buffer
pconfig := libcontainer.Process{
- Cwd: "/",
- Args: []string{"sh", "-c", "id", "-Gn"},
- Env: standardEnvironment,
- Stdin: nil,
- Stdout: &stdout,
+ Cwd: "/",
+ Args: []string{"sh", "-c", "id", "-Gn"},
+ Env: standardEnvironment,
+ Stdin: nil,
+ Stdout: &stdout,
+ AdditionalGroups: []string{"plugdev", "audio"},
+ Init: true,
}
- err = container.Start(&pconfig)
+ err = container.Run(&pconfig)
ok(t, err)
// Wait for process
@@ -482,8 +557,9 @@ func testFreeze(t *testing.T, systemd bool) {
Args: []string{"cat"},
Env: standardEnvironment,
Stdin: stdinR,
+ Init: true,
}
- err = container.Start(pconfig)
+ err = container.Run(pconfig)
stdinR.Close()
defer stdinW.Close()
ok(t, err)
@@ -588,9 +664,9 @@ func testPids(t *testing.T, systemd bool) {
}
// Enforce a restrictive limit. 64 * /bin/true + 1 * shell should cause this
- // to fail reliabily.
+ // to fail reliability.
config.Cgroups.Resources.PidsLimit = 64
- out, ret, err := runContainer(config, "", "/bin/sh", "-c", `
+ out, _, err := runContainer(config, "", "/bin/sh", "-c", `
/bin/true | /bin/true | /bin/true | /bin/true | /bin/true | /bin/true | bin/true | /bin/true |
/bin/true | /bin/true | /bin/true | /bin/true | /bin/true | /bin/true | bin/true | /bin/true |
/bin/true | /bin/true | /bin/true | /bin/true | /bin/true | /bin/true | bin/true | /bin/true |
@@ -693,8 +769,9 @@ func TestContainerState(t *testing.T) {
Args: []string{"cat"},
Env: standardEnvironment,
Stdin: stdinR,
+ Init: true,
}
- err = container.Start(p)
+ err = container.Run(p)
if err != nil {
t.Fatal(err)
}
@@ -738,7 +815,13 @@ func TestPassExtraFiles(t *testing.T) {
var stdout bytes.Buffer
pipeout1, pipein1, err := os.Pipe()
+ if err != nil {
+ t.Fatal(err)
+ }
pipeout2, pipein2, err := os.Pipe()
+ if err != nil {
+ t.Fatal(err)
+ }
process := libcontainer.Process{
Cwd: "/",
Args: []string{"sh", "-c", "cd /proc/$$/fd; echo -n *; echo -n 1 >3; echo -n 2 >4"},
@@ -746,8 +829,9 @@ func TestPassExtraFiles(t *testing.T) {
ExtraFiles: []*os.File{pipein1, pipein2},
Stdin: nil,
Stdout: &stdout,
+ Init: true,
}
- err = container.Start(&process)
+ err = container.Run(&process)
if err != nil {
t.Fatal(err)
}
@@ -806,7 +890,7 @@ func TestMountCmds(t *testing.T) {
Source: tmpDir,
Destination: "/tmp",
Device: "bind",
- Flags: syscall.MS_BIND | syscall.MS_REC,
+ Flags: unix.MS_BIND | unix.MS_REC,
PremountCmds: []configs.Command{
{Path: "touch", Args: []string{filepath.Join(tmpDir, "hello")}},
{Path: "touch", Args: []string{filepath.Join(tmpDir, "world")}},
@@ -827,8 +911,9 @@ func TestMountCmds(t *testing.T) {
Cwd: "/",
Args: []string{"sh", "-c", "env"},
Env: standardEnvironment,
+ Init: true,
}
- err = container.Start(&pconfig)
+ err = container.Run(&pconfig)
if err != nil {
t.Fatal(err)
}
@@ -876,8 +961,9 @@ func TestSysctl(t *testing.T) {
Env: standardEnvironment,
Stdin: nil,
Stdout: &stdout,
+ Init: true,
}
- err = container.Start(&pconfig)
+ err = container.Run(&pconfig)
ok(t, err)
// Wait for process
@@ -901,7 +987,7 @@ func TestMountCgroupRO(t *testing.T) {
config.Mounts = append(config.Mounts, &configs.Mount{
Destination: "/sys/fs/cgroup",
Device: "cgroup",
- Flags: defaultMountFlags | syscall.MS_RDONLY,
+ Flags: defaultMountFlags | unix.MS_RDONLY,
})
buffers, exitCode, err := runContainer(config, "", "mount")
@@ -1000,7 +1086,7 @@ func TestOomScoreAdj(t *testing.T) {
defer remove(rootfs)
config := newTemplateConfig(rootfs)
- config.OomScoreAdj = 200
+ config.OomScoreAdj = ptrInt(200)
factory, err := libcontainer.New(root, libcontainer.Cgroupfs)
ok(t, err)
@@ -1016,8 +1102,9 @@ func TestOomScoreAdj(t *testing.T) {
Env: standardEnvironment,
Stdin: nil,
Stdout: &stdout,
+ Init: true,
}
- err = container.Start(&pconfig)
+ err = container.Run(&pconfig)
ok(t, err)
// Wait for process
@@ -1025,8 +1112,8 @@ func TestOomScoreAdj(t *testing.T) {
outputOomScoreAdj := strings.TrimSpace(string(stdout.Bytes()))
// Check that the oom_score_adj matches the value that was set as part of config.
- if outputOomScoreAdj != strconv.Itoa(config.OomScoreAdj) {
- t.Fatalf("Expected oom_score_adj %d; got %q", config.OomScoreAdj, outputOomScoreAdj)
+ if outputOomScoreAdj != strconv.Itoa(*config.OomScoreAdj) {
+ t.Fatalf("Expected oom_score_adj %d; got %q", *config.OomScoreAdj, outputOomScoreAdj)
}
}
@@ -1034,31 +1121,83 @@ func TestHook(t *testing.T) {
if testing.Short() {
return
}
- root, err := newTestRoot()
+
+ bundle, err := newTestBundle()
ok(t, err)
- defer os.RemoveAll(root)
+ defer remove(bundle)
rootfs, err := newRootfs()
ok(t, err)
defer remove(rootfs)
config := newTemplateConfig(rootfs)
+ expectedBundle := bundle
+ config.Labels = append(config.Labels, fmt.Sprintf("bundle=%s", expectedBundle))
+
+ getRootfsFromBundle := func(bundle string) (string, error) {
+ f, err := os.Open(filepath.Join(bundle, "config.json"))
+ if err != nil {
+ return "", err
+ }
+
+ var config configs.Config
+ if err = json.NewDecoder(f).Decode(&config); err != nil {
+ return "", err
+ }
+ return config.Rootfs, nil
+ }
+
config.Hooks = &configs.Hooks{
Prestart: []configs.Hook{
- configs.NewFunctionHook(func(s configs.HookState) error {
- f, err := os.Create(filepath.Join(s.Root, "test"))
+ configs.NewFunctionHook(func(s *specs.State) error {
+ if s.Bundle != expectedBundle {
+ t.Fatalf("Expected prestart hook bundlePath '%s'; got '%s'", expectedBundle, s.Bundle)
+ }
+
+ root, err := getRootfsFromBundle(s.Bundle)
+ if err != nil {
+ return err
+ }
+ f, err := os.Create(filepath.Join(root, "test"))
if err != nil {
return err
}
return f.Close()
}),
},
+ Poststart: []configs.Hook{
+ configs.NewFunctionHook(func(s *specs.State) error {
+ if s.Bundle != expectedBundle {
+ t.Fatalf("Expected poststart hook bundlePath '%s'; got '%s'", expectedBundle, s.Bundle)
+ }
+
+ root, err := getRootfsFromBundle(s.Bundle)
+ if err != nil {
+ return err
+ }
+ return ioutil.WriteFile(filepath.Join(root, "test"), []byte("hello world"), 0755)
+ }),
+ },
Poststop: []configs.Hook{
- configs.NewFunctionHook(func(s configs.HookState) error {
- return os.RemoveAll(filepath.Join(s.Root, "test"))
+ configs.NewFunctionHook(func(s *specs.State) error {
+ if s.Bundle != expectedBundle {
+ t.Fatalf("Expected poststop hook bundlePath '%s'; got '%s'", expectedBundle, s.Bundle)
+ }
+
+ root, err := getRootfsFromBundle(s.Bundle)
+ if err != nil {
+ return err
+ }
+ return os.RemoveAll(filepath.Join(root, "test"))
}),
},
}
+
+ // write config of json format into config.json under bundle
+ f, err := os.OpenFile(filepath.Join(bundle, "config.json"), os.O_CREATE|os.O_RDWR, 0644)
+ ok(t, err)
+ ok(t, json.NewEncoder(f).Encode(config))
+
container, err := factory.Create("test", config)
ok(t, err)
@@ -1069,8 +1208,9 @@ func TestHook(t *testing.T) {
Env: standardEnvironment,
Stdin: nil,
Stdout: &stdout,
+ Init: true,
}
- err = container.Start(&pconfig)
+ err = container.Run(&pconfig)
ok(t, err)
// Wait for process
@@ -1084,8 +1224,18 @@ func TestHook(t *testing.T) {
t.Fatalf("ls output doesn't have the expected file: %s", outputLs)
}
+ // Check that the file is written by the poststart hook
+ testFilePath := filepath.Join(rootfs, "test")
+ contents, err := ioutil.ReadFile(testFilePath)
+ if err != nil {
+ t.Fatalf("cannot read file '%s': %s", testFilePath, err)
+ }
+ if string(contents) != "hello world" {
+ t.Fatalf("Expected test file to contain 'hello world'; got '%s'", string(contents))
+ }
+
if err := container.Destroy(); err != nil {
- t.Fatalf("container destory %s", err)
+ t.Fatalf("container destroy %s", err)
}
fi, err := os.Stat(filepath.Join(rootfs, "test"))
if err == nil || !os.IsNotExist(err) {
@@ -1114,10 +1264,7 @@ func TestSTDIOPermissions(t *testing.T) {
}
func unmountOp(path string) error {
- if err := syscall.Unmount(path, syscall.MNT_DETACH); err != nil {
- return err
- }
- return nil
+ return unix.Unmount(path, unix.MNT_DETACH)
}
// Launch container with rootfsPropagation in rslave mode. Also
@@ -1139,7 +1286,7 @@ func TestRootfsPropagationSlaveMount(t *testing.T) {
defer remove(rootfs)
config := newTemplateConfig(rootfs)
- config.RootPropagation = syscall.MS_SLAVE | syscall.MS_REC
+ config.RootPropagation = unix.MS_SLAVE | unix.MS_REC
// Bind mount a volume
dir1host, err := ioutil.TempDir("", "mnt1host")
@@ -1148,9 +1295,9 @@ func TestRootfsPropagationSlaveMount(t *testing.T) {
// Make this dir a "shared" mount point. This will make sure a
// slave relationship can be established in container.
- err = syscall.Mount(dir1host, dir1host, "bind", syscall.MS_BIND|syscall.MS_REC, "")
+ err = unix.Mount(dir1host, dir1host, "bind", unix.MS_BIND|unix.MS_REC, "")
ok(t, err)
- err = syscall.Mount("", dir1host, "", syscall.MS_SHARED|syscall.MS_REC, "")
+ err = unix.Mount("", dir1host, "", unix.MS_SHARED|unix.MS_REC, "")
ok(t, err)
defer unmountOp(dir1host)
@@ -1158,7 +1305,7 @@ func TestRootfsPropagationSlaveMount(t *testing.T) {
Source: dir1host,
Destination: dir1cont,
Device: "bind",
- Flags: syscall.MS_BIND | syscall.MS_REC})
+ Flags: unix.MS_BIND | unix.MS_REC})
// TODO: systemd specific processing
f := factory
@@ -1175,9 +1322,10 @@ func TestRootfsPropagationSlaveMount(t *testing.T) {
Args: []string{"cat"},
Env: standardEnvironment,
Stdin: stdinR,
+ Init: true,
}
- err = container.Start(pconfig)
+ err = container.Run(pconfig)
stdinR.Close()
defer stdinW.Close()
ok(t, err)
@@ -1188,7 +1336,7 @@ func TestRootfsPropagationSlaveMount(t *testing.T) {
ok(t, err)
defer os.RemoveAll(dir2host)
- err = syscall.Mount(dir2host, dir2host, "bind", syscall.MS_BIND, "")
+ err = unix.Mount(dir2host, dir2host, "bind", unix.MS_BIND, "")
defer unmountOp(dir2host)
ok(t, err)
@@ -1206,7 +1354,7 @@ func TestRootfsPropagationSlaveMount(t *testing.T) {
Stdout: &stdout2,
}
- err = container.Start(pconfig2)
+ err = container.Run(pconfig2)
stdinR2.Close()
defer stdinW2.Close()
ok(t, err)
@@ -1256,7 +1404,7 @@ func TestRootfsPropagationSharedMount(t *testing.T) {
ok(t, err)
defer remove(rootfs)
config := newTemplateConfig(rootfs)
- config.RootPropagation = syscall.MS_PRIVATE
+ config.RootPropagation = unix.MS_PRIVATE
// Bind mount a volume
dir1host, err := ioutil.TempDir("", "mnt1host")
@@ -1265,9 +1413,9 @@ func TestRootfsPropagationSharedMount(t *testing.T) {
// Make this dir a "shared" mount point. This will make sure a
// shared relationship can be established in container.
- err = syscall.Mount(dir1host, dir1host, "bind", syscall.MS_BIND|syscall.MS_REC, "")
+ err = unix.Mount(dir1host, dir1host, "bind", unix.MS_BIND|unix.MS_REC, "")
ok(t, err)
- err = syscall.Mount("", dir1host, "", syscall.MS_SHARED|syscall.MS_REC, "")
+ err = unix.Mount("", dir1host, "", unix.MS_SHARED|unix.MS_REC, "")
ok(t, err)
defer unmountOp(dir1host)
@@ -1275,7 +1423,7 @@ func TestRootfsPropagationSharedMount(t *testing.T) {
Source: dir1host,
Destination: dir1cont,
Device: "bind",
- Flags: syscall.MS_BIND | syscall.MS_REC})
+ Flags: unix.MS_BIND | unix.MS_REC})
// TODO: systemd specific processing
f := factory
@@ -1292,9 +1440,10 @@ func TestRootfsPropagationSharedMount(t *testing.T) {
Args: []string{"cat"},
Env: standardEnvironment,
Stdin: stdinR,
+ Init: true,
}
- err = container.Start(pconfig)
+ err = container.Run(pconfig)
stdinR.Close()
defer stdinW.Close()
ok(t, err)
@@ -1314,19 +1463,22 @@ func TestRootfsPropagationSharedMount(t *testing.T) {
stdinR2, stdinW2, err := os.Pipe()
ok(t, err)
- // Provide CAP_SYS_ADMIN
- processCaps := append(config.Capabilities, "CAP_SYS_ADMIN")
-
pconfig2 := &libcontainer.Process{
Cwd: "/",
Args: []string{"mount", "--bind", dir2cont, dir2cont},
Env: standardEnvironment,
Stdin: stdinR2,
Stdout: &stdout2,
- Capabilities: processCaps,
+ Capabilities: &configs.Capabilities{},
}
- err = container.Start(pconfig2)
+ // Provide CAP_SYS_ADMIN
+ pconfig2.Capabilities.Bounding = append(config.Capabilities.Bounding, "CAP_SYS_ADMIN")
+ pconfig2.Capabilities.Permitted = append(config.Capabilities.Permitted, "CAP_SYS_ADMIN")
+ pconfig2.Capabilities.Effective = append(config.Capabilities.Effective, "CAP_SYS_ADMIN")
+ pconfig2.Capabilities.Inheritable = append(config.Capabilities.Inheritable, "CAP_SYS_ADMIN")
+
+ err = container.Run(pconfig2)
stdinR2.Close()
defer stdinW2.Close()
ok(t, err)
@@ -1397,8 +1549,9 @@ func TestInitJoinPID(t *testing.T) {
Args: []string{"cat"},
Env: standardEnvironment,
Stdin: stdinR1,
+ Init: true,
}
- err = container1.Start(init1)
+ err = container1.Run(init1)
stdinR1.Close()
defer stdinW1.Close()
ok(t, err)
@@ -1408,7 +1561,7 @@ func TestInitJoinPID(t *testing.T) {
ok(t, err)
pidns1 := state1.NamespacePaths[configs.NEWPID]
- // Start a container inside the existing pidns but with different cgroups
+ // Run a container inside the existing pidns but with different cgroups
config2 := newTemplateConfig(rootfs)
config2.Namespaces.Add(configs.NEWPID, pidns1)
config2.Cgroups.Path = "integration/test2"
@@ -1423,8 +1576,9 @@ func TestInitJoinPID(t *testing.T) {
Args: []string{"cat"},
Env: standardEnvironment,
Stdin: stdinR2,
+ Init: true,
}
- err = container2.Start(init2)
+ err = container2.Run(init2)
stdinR2.Close()
defer stdinW2.Close()
ok(t, err)
@@ -1454,7 +1608,7 @@ func TestInitJoinPID(t *testing.T) {
Env: standardEnvironment,
Stdout: buffers.Stdout,
}
- err = container1.Start(ps)
+ err = container1.Run(ps)
ok(t, err)
waitProcess(ps, t)
@@ -1488,8 +1642,8 @@ func TestInitJoinNetworkAndUser(t *testing.T) {
// Execute a long-running container
config1 := newTemplateConfig(rootfs)
- config1.UidMappings = []configs.IDMap{{0, 0, 1000}}
- config1.GidMappings = []configs.IDMap{{0, 0, 1000}}
+ config1.UidMappings = []configs.IDMap{{HostID: 0, ContainerID: 0, Size: 1000}}
+ config1.GidMappings = []configs.IDMap{{HostID: 0, ContainerID: 0, Size: 1000}}
config1.Namespaces = append(config1.Namespaces, configs.Namespace{Type: configs.NEWUSER})
container1, err := newContainer(config1)
ok(t, err)
@@ -1502,8 +1656,9 @@ func TestInitJoinNetworkAndUser(t *testing.T) {
Args: []string{"cat"},
Env: standardEnvironment,
Stdin: stdinR1,
+ Init: true,
}
- err = container1.Start(init1)
+ err = container1.Run(init1)
stdinR1.Close()
defer stdinW1.Close()
ok(t, err)
@@ -1514,14 +1669,14 @@ func TestInitJoinNetworkAndUser(t *testing.T) {
netns1 := state1.NamespacePaths[configs.NEWNET]
userns1 := state1.NamespacePaths[configs.NEWUSER]
- // Start a container inside the existing pidns but with different cgroups
+ // Run a container inside the existing pidns but with different cgroups
rootfs2, err := newRootfs()
ok(t, err)
defer remove(rootfs2)
config2 := newTemplateConfig(rootfs2)
- config2.UidMappings = []configs.IDMap{{0, 0, 1000}}
- config2.GidMappings = []configs.IDMap{{0, 0, 1000}}
+ config2.UidMappings = []configs.IDMap{{HostID: 0, ContainerID: 0, Size: 1000}}
+ config2.GidMappings = []configs.IDMap{{HostID: 0, ContainerID: 0, Size: 1000}}
config2.Namespaces.Add(configs.NEWNET, netns1)
config2.Namespaces.Add(configs.NEWUSER, userns1)
config2.Cgroups.Path = "integration/test2"
@@ -1536,8 +1691,9 @@ func TestInitJoinNetworkAndUser(t *testing.T) {
Args: []string{"cat"},
Env: standardEnvironment,
Stdin: stdinR2,
+ Init: true,
}
- err = container2.Start(init2)
+ err = container2.Run(init2)
stdinR2.Close()
defer stdinW2.Close()
ok(t, err)
@@ -1568,3 +1724,110 @@ func TestInitJoinNetworkAndUser(t *testing.T) {
stdinW1.Close()
waitProcess(init1, t)
}
+
+func TestTmpfsCopyUp(t *testing.T) {
+ if testing.Short() {
+ return
+ }
+ root, err := newTestRoot()
+ ok(t, err)
+ defer os.RemoveAll(root)
+
+ rootfs, err := newRootfs()
+ ok(t, err)
+ defer remove(rootfs)
+
+ config := newTemplateConfig(rootfs)
+
+ config.Mounts = append(config.Mounts, &configs.Mount{
+ Source: "tmpfs",
+ Destination: "/etc",
+ Device: "tmpfs",
+ Extensions: configs.EXT_COPYUP,
+ })
+
+ factory, err := libcontainer.New(root, libcontainer.Cgroupfs)
+ ok(t, err)
+
+ container, err := factory.Create("test", config)
+ ok(t, err)
+ defer container.Destroy()
+
+ var stdout bytes.Buffer
+ pconfig := libcontainer.Process{
+ Args: []string{"ls", "/etc/passwd"},
+ Env: standardEnvironment,
+ Stdin: nil,
+ Stdout: &stdout,
+ Init: true,
+ }
+ err = container.Run(&pconfig)
+ ok(t, err)
+
+ // Wait for process
+ waitProcess(&pconfig, t)
+
+ outputLs := string(stdout.Bytes())
+
+ // Check that the ls output has /etc/passwd
+ if !strings.Contains(outputLs, "/etc/passwd") {
+ t.Fatalf("/etc/passwd not copied up as expected: %v", outputLs)
+ }
+}
+
+func TestCGROUPPrivate(t *testing.T) {
+ if _, err := os.Stat("/proc/self/ns/cgroup"); os.IsNotExist(err) {
+ t.Skip("cgroupns is unsupported")
+ }
+ if testing.Short() {
+ return
+ }
+
+ rootfs, err := newRootfs()
+ ok(t, err)
+ defer remove(rootfs)
+
+ l, err := os.Readlink("/proc/1/ns/cgroup")
+ ok(t, err)
+
+ config := newTemplateConfig(rootfs)
+ config.Namespaces.Add(configs.NEWCGROUP, "")
+ buffers, exitCode, err := runContainer(config, "", "readlink", "/proc/self/ns/cgroup")
+ ok(t, err)
+
+ if exitCode != 0 {
+ t.Fatalf("exit code not 0. code %d stderr %q", exitCode, buffers.Stderr)
+ }
+
+ if actual := strings.Trim(buffers.Stdout.String(), "\n"); actual == l {
+ t.Fatalf("cgroup link should be private to the container but equals host %q %q", actual, l)
+ }
+}
+
+func TestCGROUPHost(t *testing.T) {
+ if _, err := os.Stat("/proc/self/ns/cgroup"); os.IsNotExist(err) {
+ t.Skip("cgroupns is unsupported")
+ }
+ if testing.Short() {
+ return
+ }
+
+ rootfs, err := newRootfs()
+ ok(t, err)
+ defer remove(rootfs)
+
+ l, err := os.Readlink("/proc/1/ns/cgroup")
+ ok(t, err)
+
+ config := newTemplateConfig(rootfs)
+ buffers, exitCode, err := runContainer(config, "", "readlink", "/proc/self/ns/cgroup")
+ ok(t, err)
+
+ if exitCode != 0 {
+ t.Fatalf("exit code not 0. code %d stderr %q", exitCode, buffers.Stderr)
+ }
+
+ if actual := strings.Trim(buffers.Stdout.String(), "\n"); actual != l {
+ t.Fatalf("cgroup link not equal to host link %q %q", actual, l)
+ }
+}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/integration/execin_test.go b/vendor/github.com/opencontainers/runc/libcontainer/integration/execin_test.go
index 98dd2ac088fe77b076866b00b659d6bc5d72735c..14f8a596406f1779ef5633d296cf5b7a0555ff1c 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/integration/execin_test.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/integration/execin_test.go
@@ -5,15 +5,17 @@ import (
"fmt"
"io"
"os"
- "os/exec"
"strconv"
"strings"
- "syscall"
"testing"
"time"
+ "github.com/containerd/console"
"github.com/opencontainers/runc/libcontainer"
"github.com/opencontainers/runc/libcontainer/configs"
+ "github.com/opencontainers/runc/libcontainer/utils"
+
+ "golang.org/x/sys/unix"
)
func TestExecIn(t *testing.T) {
@@ -36,8 +38,9 @@ func TestExecIn(t *testing.T) {
Args: []string{"cat"},
Env: standardEnvironment,
Stdin: stdinR,
+ Init: true,
}
- err = container.Start(process)
+ err = container.Run(process)
stdinR.Close()
defer stdinW.Close()
ok(t, err)
@@ -52,7 +55,7 @@ func TestExecIn(t *testing.T) {
Stderr: buffers.Stderr,
}
- err = container.Start(ps)
+ err = container.Run(ps)
ok(t, err)
waitProcess(ps, t)
stdinW.Close()
@@ -62,16 +65,39 @@ func TestExecIn(t *testing.T) {
if !strings.Contains(out, "cat") || !strings.Contains(out, "ps") {
t.Fatalf("unexpected running process, output %q", out)
}
+ if strings.Contains(out, "\r") {
+ t.Fatalf("unexpected carriage-return in output")
+ }
+}
+
+func TestExecInUsernsRlimit(t *testing.T) {
+ if _, err := os.Stat("/proc/self/ns/user"); os.IsNotExist(err) {
+ t.Skip("userns is unsupported")
+ }
+
+ testExecInRlimit(t, true)
}
func TestExecInRlimit(t *testing.T) {
+ testExecInRlimit(t, false)
+}
+
+func testExecInRlimit(t *testing.T, userns bool) {
if testing.Short() {
return
}
+
rootfs, err := newRootfs()
ok(t, err)
defer remove(rootfs)
+
config := newTemplateConfig(rootfs)
+ if userns {
+ config.UidMappings = []configs.IDMap{{HostID: 0, ContainerID: 0, Size: 1000}}
+ config.GidMappings = []configs.IDMap{{HostID: 0, ContainerID: 0, Size: 1000}}
+ config.Namespaces = append(config.Namespaces, configs.Namespace{Type: configs.NEWUSER})
+ }
+
container, err := newContainer(config)
ok(t, err)
defer container.Destroy()
@@ -83,8 +109,9 @@ func TestExecInRlimit(t *testing.T) {
Args: []string{"cat"},
Env: standardEnvironment,
Stdin: stdinR,
+ Init: true,
}
- err = container.Start(process)
+ err = container.Run(process)
stdinR.Close()
defer stdinW.Close()
ok(t, err)
@@ -97,8 +124,13 @@ func TestExecInRlimit(t *testing.T) {
Stdin: buffers.Stdin,
Stdout: buffers.Stdout,
Stderr: buffers.Stderr,
+ Rlimits: []configs.Rlimit{
+ // increase process rlimit higher than container rlimit to test per-process limit
+ {Type: unix.RLIMIT_NOFILE, Hard: 1026, Soft: 1026},
+ },
+ Init: true,
}
- err = container.Start(ps)
+ err = container.Run(ps)
ok(t, err)
waitProcess(ps, t)
@@ -106,8 +138,67 @@ func TestExecInRlimit(t *testing.T) {
waitProcess(process, t)
out := buffers.Stdout.String()
- if limit := strings.TrimSpace(out); limit != "1025" {
- t.Fatalf("expected rlimit to be 1025, got %s", limit)
+ if limit := strings.TrimSpace(out); limit != "1026" {
+ t.Fatalf("expected rlimit to be 1026, got %s", limit)
+ }
+}
+
+func TestExecInAdditionalGroups(t *testing.T) {
+ if testing.Short() {
+ return
+ }
+
+ rootfs, err := newRootfs()
+ ok(t, err)
+ defer remove(rootfs)
+
+ config := newTemplateConfig(rootfs)
+ container, err := newContainer(config)
+ ok(t, err)
+ defer container.Destroy()
+
+ // Execute a first process in the container
+ stdinR, stdinW, err := os.Pipe()
+ ok(t, err)
+ process := &libcontainer.Process{
+ Cwd: "/",
+ Args: []string{"cat"},
+ Env: standardEnvironment,
+ Stdin: stdinR,
+ Init: true,
+ }
+ err = container.Run(process)
+ stdinR.Close()
+ defer stdinW.Close()
+ ok(t, err)
+
+ var stdout bytes.Buffer
+ pconfig := libcontainer.Process{
+ Cwd: "/",
+ Args: []string{"sh", "-c", "id", "-Gn"},
+ Env: standardEnvironment,
+ Stdin: nil,
+ Stdout: &stdout,
+ AdditionalGroups: []string{"plugdev", "audio"},
+ }
+ err = container.Run(&pconfig)
+ ok(t, err)
+
+ // Wait for process
+ waitProcess(&pconfig, t)
+
+ stdinW.Close()
+ waitProcess(process, t)
+
+ outputGroups := string(stdout.Bytes())
+
+ // Check that the groups output has the groups that we specified
+ if !strings.Contains(outputGroups, "audio") {
+ t.Fatalf("Listed groups do not contain the audio group as expected: %v", outputGroups)
+ }
+
+ if !strings.Contains(outputGroups, "plugdev") {
+ t.Fatalf("Listed groups do not contain the plugdev group as expected: %v", outputGroups)
}
}
@@ -131,8 +222,9 @@ func TestExecInError(t *testing.T) {
Args: []string{"cat"},
Env: standardEnvironment,
Stdin: stdinR,
+ Init: true,
}
- err = container.Start(process)
+ err = container.Run(process)
stdinR.Close()
defer func() {
stdinW.Close()
@@ -142,26 +234,24 @@ func TestExecInError(t *testing.T) {
}()
ok(t, err)
- var out bytes.Buffer
- unexistent := &libcontainer.Process{
- Cwd: "/",
- Args: []string{"unexistent"},
- Env: standardEnvironment,
- Stdout: &out,
- Stderr: &out,
- }
- err = container.Start(unexistent)
- if err != nil {
- t.Fatal(err)
- }
- ws, err := unexistent.Wait()
- if err != nil {
- if _, ok := err.(*exec.ExitError); !ok {
- t.Fatal(err)
+ for i := 0; i < 42; i++ {
+ var out bytes.Buffer
+ unexistent := &libcontainer.Process{
+ Cwd: "/",
+ Args: []string{"unexistent"},
+ Env: standardEnvironment,
+ Stderr: &out,
+ }
+ err = container.Run(unexistent)
+ if err == nil {
+ t.Fatal("Should be an error")
+ }
+ if !strings.Contains(err.Error(), "executable file not found") {
+ t.Fatalf("Should be error about not found executable, got %s", err)
+ }
+ if !bytes.Contains(out.Bytes(), []byte("executable file not found")) {
+ t.Fatalf("executable file not found error not delivered to stdio:\n%s", out.String())
}
- }
- if s := ws.Sys().(syscall.WaitStatus).ExitStatus(); s != 127 {
- t.Fatalf("expected wait status of 127 but received %d", s)
}
}
@@ -185,8 +275,9 @@ func TestExecInTTY(t *testing.T) {
Args: []string{"cat"},
Env: standardEnvironment,
Stdin: stdinR,
+ Init: true,
}
- err = container.Start(process)
+ err = container.Run(process)
stdinR.Close()
defer stdinW.Close()
ok(t, err)
@@ -197,15 +288,51 @@ func TestExecInTTY(t *testing.T) {
Args: []string{"ps"},
Env: standardEnvironment,
}
- console, err := ps.NewConsole(0)
+ parent, child, err := utils.NewSockPair("console")
+ if err != nil {
+ ok(t, err)
+ }
+ defer parent.Close()
+ defer child.Close()
+ ps.ConsoleSocket = child
+ type cdata struct {
+ c console.Console
+ err error
+ }
+ dc := make(chan *cdata, 1)
+ go func() {
+ f, err := utils.RecvFd(parent)
+ if err != nil {
+ dc <- &cdata{
+ err: err,
+ }
+ return
+ }
+ c, err := console.ConsoleFromFile(f)
+ if err != nil {
+ dc <- &cdata{
+ err: err,
+ }
+ return
+ }
+ console.ClearONLCR(c.Fd())
+ dc <- &cdata{
+ c: c,
+ }
+ }()
+ err = container.Run(ps)
+ ok(t, err)
+ data := <-dc
+ if data.err != nil {
+ ok(t, data.err)
+ }
+ console := data.c
copy := make(chan struct{})
go func() {
io.Copy(&stdout, console)
close(copy)
}()
ok(t, err)
- err = container.Start(ps)
- ok(t, err)
select {
case <-time.After(5 * time.Second):
t.Fatal("Waiting for copy timed out")
@@ -217,9 +344,12 @@ func TestExecInTTY(t *testing.T) {
waitProcess(process, t)
out := stdout.String()
- if !strings.Contains(out, "cat") || !strings.Contains(string(out), "ps") {
+ if !strings.Contains(out, "cat") || !strings.Contains(out, "ps") {
t.Fatalf("unexpected running process, output %q", out)
}
+ if strings.Contains(out, "\r") {
+ t.Fatalf("unexpected carriage-return in output")
+ }
}
func TestExecInEnvironment(t *testing.T) {
@@ -242,8 +372,9 @@ func TestExecInEnvironment(t *testing.T) {
Args: []string{"cat"},
Env: standardEnvironment,
Stdin: stdinR,
+ Init: true,
}
- err = container.Start(process)
+ err = container.Run(process)
stdinR.Close()
defer stdinW.Close()
ok(t, err)
@@ -261,8 +392,9 @@ func TestExecInEnvironment(t *testing.T) {
Stdin: buffers.Stdin,
Stdout: buffers.Stdout,
Stderr: buffers.Stderr,
+ Init: true,
}
- err = container.Start(process2)
+ err = container.Run(process2)
ok(t, err)
waitProcess(process2, t)
@@ -306,8 +438,9 @@ func TestExecinPassExtraFiles(t *testing.T) {
Args: []string{"cat"},
Env: standardEnvironment,
Stdin: stdinR,
+ Init: true,
}
- err = container.Start(process)
+ err = container.Run(process)
stdinR.Close()
defer stdinW.Close()
if err != nil {
@@ -316,7 +449,13 @@ func TestExecinPassExtraFiles(t *testing.T) {
var stdout bytes.Buffer
pipeout1, pipein1, err := os.Pipe()
+ if err != nil {
+ t.Fatal(err)
+ }
pipeout2, pipein2, err := os.Pipe()
+ if err != nil {
+ t.Fatal(err)
+ }
inprocess := &libcontainer.Process{
Cwd: "/",
Args: []string{"sh", "-c", "cd /proc/$$/fd; echo -n *; echo -n 1 >3; echo -n 2 >4"},
@@ -325,7 +464,7 @@ func TestExecinPassExtraFiles(t *testing.T) {
Stdin: nil,
Stdout: &stdout,
}
- err = container.Start(inprocess)
+ err = container.Run(inprocess)
if err != nil {
t.Fatal(err)
}
@@ -367,7 +506,7 @@ func TestExecInOomScoreAdj(t *testing.T) {
ok(t, err)
defer remove(rootfs)
config := newTemplateConfig(rootfs)
- config.OomScoreAdj = 200
+ config.OomScoreAdj = ptrInt(200)
container, err := newContainer(config)
ok(t, err)
defer container.Destroy()
@@ -379,8 +518,9 @@ func TestExecInOomScoreAdj(t *testing.T) {
Args: []string{"cat"},
Env: standardEnvironment,
Stdin: stdinR,
+ Init: true,
}
- err = container.Start(process)
+ err = container.Run(process)
stdinR.Close()
defer stdinW.Close()
ok(t, err)
@@ -394,7 +534,7 @@ func TestExecInOomScoreAdj(t *testing.T) {
Stdout: buffers.Stdout,
Stderr: buffers.Stderr,
}
- err = container.Start(ps)
+ err = container.Run(ps)
ok(t, err)
waitProcess(ps, t)
@@ -402,8 +542,8 @@ func TestExecInOomScoreAdj(t *testing.T) {
waitProcess(process, t)
out := buffers.Stdout.String()
- if oomScoreAdj := strings.TrimSpace(out); oomScoreAdj != strconv.Itoa(config.OomScoreAdj) {
- t.Fatalf("expected oomScoreAdj to be %d, got %s", config.OomScoreAdj, oomScoreAdj)
+ if oomScoreAdj := strings.TrimSpace(out); oomScoreAdj != strconv.Itoa(*config.OomScoreAdj) {
+ t.Fatalf("expected oomScoreAdj to be %d, got %s", *config.OomScoreAdj, oomScoreAdj)
}
}
@@ -418,8 +558,8 @@ func TestExecInUserns(t *testing.T) {
ok(t, err)
defer remove(rootfs)
config := newTemplateConfig(rootfs)
- config.UidMappings = []configs.IDMap{{0, 0, 1000}}
- config.GidMappings = []configs.IDMap{{0, 0, 1000}}
+ config.UidMappings = []configs.IDMap{{HostID: 0, ContainerID: 0, Size: 1000}}
+ config.GidMappings = []configs.IDMap{{HostID: 0, ContainerID: 0, Size: 1000}}
config.Namespaces = append(config.Namespaces, configs.Namespace{Type: configs.NEWUSER})
container, err := newContainer(config)
ok(t, err)
@@ -434,8 +574,9 @@ func TestExecInUserns(t *testing.T) {
Args: []string{"cat"},
Env: standardEnvironment,
Stdin: stdinR,
+ Init: true,
}
- err = container.Start(process)
+ err = container.Run(process)
stdinR.Close()
defer stdinW.Close()
ok(t, err)
@@ -455,7 +596,7 @@ func TestExecInUserns(t *testing.T) {
Stdout: buffers.Stdout,
Stderr: os.Stderr,
}
- err = container.Start(process2)
+ err = container.Run(process2)
ok(t, err)
waitProcess(process2, t)
stdinW.Close()
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/integration/init_test.go b/vendor/github.com/opencontainers/runc/libcontainer/integration/init_test.go
index a892d988d09f31c367c793cd8c9237916b83f04e..8b1e53d99b9ca58f1dbeaaf38a2193a45b6701a8 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/integration/init_test.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/integration/init_test.go
@@ -1,17 +1,15 @@
package integration
import (
- "fmt"
"os"
- "os/exec"
"runtime"
- "strconv"
"testing"
- "github.com/sirupsen/logrus"
"github.com/opencontainers/runc/libcontainer"
"github.com/opencontainers/runc/libcontainer/cgroups/systemd"
_ "github.com/opencontainers/runc/libcontainer/nsenter"
+
+ "github.com/sirupsen/logrus"
)
// init runs the libcontainer initialization code because of the busybox style needs
@@ -27,25 +25,8 @@ func init() {
logrus.Fatalf("unable to initialize for container: %s", err)
}
if err := factory.StartInitialization(); err != nil {
- // return proper unix error codes
- if exerr, ok := err.(*exec.Error); ok {
- switch exerr.Err {
- case os.ErrPermission:
- fmt.Fprintln(os.Stderr, err)
- os.Exit(126)
- case exec.ErrNotFound:
- fmt.Fprintln(os.Stderr, err)
- os.Exit(127)
- default:
- if os.IsNotExist(exerr.Err) {
- fmt.Fprintf(os.Stderr, "exec: %s: %v\n", strconv.Quote(exerr.Name), os.ErrNotExist)
- os.Exit(127)
- }
- }
- }
logrus.Fatal(err)
}
- panic("init: init failed to start contianer")
}
var (
@@ -56,19 +37,19 @@ var (
func TestMain(m *testing.M) {
var (
err error
- ret int = 0
+ ret int
)
logrus.SetOutput(os.Stderr)
logrus.SetLevel(logrus.InfoLevel)
- factory, err = libcontainer.New(".", libcontainer.Cgroupfs)
+ factory, err = libcontainer.New("/run/libctTests", libcontainer.Cgroupfs)
if err != nil {
logrus.Error(err)
os.Exit(1)
}
if systemd.UseSystemd() {
- systemdFactory, err = libcontainer.New(".", libcontainer.SystemdCgroups)
+ systemdFactory, err = libcontainer.New("/run/libctTests", libcontainer.SystemdCgroups)
if err != nil {
logrus.Error(err)
os.Exit(1)
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/integration/seccomp_test.go b/vendor/github.com/opencontainers/runc/libcontainer/integration/seccomp_test.go
index 820773e64fbaa5d6f8962ff3a5af8765a9b81406..77f1a8d465506c4c68471966c3bea6e3d0ff1ca3 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/integration/seccomp_test.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/integration/seccomp_test.go
@@ -48,9 +48,10 @@ func TestSeccompDenyGetcwd(t *testing.T) {
Stdin: buffers.Stdin,
Stdout: buffers.Stdout,
Stderr: buffers.Stderr,
+ Init: true,
}
- err = container.Start(pwd)
+ err = container.Run(pwd)
if err != nil {
t.Fatal(err)
}
@@ -101,8 +102,8 @@ func TestSeccompPermitWriteConditional(t *testing.T) {
Args: []*configs.Arg{
{
Index: 0,
- Value: 1,
- Op: configs.GreaterThan,
+ Value: 2,
+ Op: configs.EqualTo,
},
},
},
@@ -123,9 +124,10 @@ func TestSeccompPermitWriteConditional(t *testing.T) {
Stdin: buffers.Stdin,
Stdout: buffers.Stdout,
Stderr: buffers.Stderr,
+ Init: true,
}
- err = container.Start(dmesg)
+ err = container.Run(dmesg)
if err != nil {
t.Fatal(err)
}
@@ -162,8 +164,8 @@ func TestSeccompDenyWriteConditional(t *testing.T) {
Args: []*configs.Arg{
{
Index: 0,
- Value: 1,
- Op: configs.GreaterThan,
+ Value: 2,
+ Op: configs.EqualTo,
},
},
},
@@ -184,9 +186,10 @@ func TestSeccompDenyWriteConditional(t *testing.T) {
Stdin: buffers.Stdin,
Stdout: buffers.Stdout,
Stderr: buffers.Stderr,
+ Init: true,
}
- err = container.Start(dmesg)
+ err = container.Run(dmesg)
if err != nil {
t.Fatal(err)
}
@@ -217,3 +220,203 @@ func TestSeccompDenyWriteConditional(t *testing.T) {
t.Fatalf("Expected output %s but got %s\n", expected, actual)
}
}
+
+func TestSeccompPermitWriteMultipleConditions(t *testing.T) {
+ if testing.Short() {
+ return
+ }
+
+ rootfs, err := newRootfs()
+ if err != nil {
+ t.Fatal(err)
+ }
+ defer remove(rootfs)
+
+ config := newTemplateConfig(rootfs)
+ config.Seccomp = &configs.Seccomp{
+ DefaultAction: configs.Allow,
+ Syscalls: []*configs.Syscall{
+ {
+ Name: "write",
+ Action: configs.Errno,
+ Args: []*configs.Arg{
+ {
+ Index: 0,
+ Value: 2,
+ Op: configs.EqualTo,
+ },
+ {
+ Index: 2,
+ Value: 0,
+ Op: configs.NotEqualTo,
+ },
+ },
+ },
+ },
+ }
+
+ buffers, exitCode, err := runContainer(config, "", "ls", "/")
+ if err != nil {
+ t.Fatalf("%s: %s", buffers, err)
+ }
+ if exitCode != 0 {
+ t.Fatalf("exit code not 0. code %d buffers %s", exitCode, buffers)
+ }
+ // We don't need to verify the actual thing printed
+ // Just that something was written to stdout
+ if len(buffers.Stdout.String()) == 0 {
+ t.Fatalf("Nothing was written to stdout, write call failed!\n")
+ }
+}
+
+func TestSeccompDenyWriteMultipleConditions(t *testing.T) {
+ if testing.Short() {
+ return
+ }
+
+ // Only test if library version is v2.2.1 or higher
+ // Conditional filtering will always error in v2.2.0 and lower
+ major, minor, micro := libseccomp.GetLibraryVersion()
+ if (major == 2 && minor < 2) || (major == 2 && minor == 2 && micro < 1) {
+ return
+ }
+
+ rootfs, err := newRootfs()
+ if err != nil {
+ t.Fatal(err)
+ }
+ defer remove(rootfs)
+
+ config := newTemplateConfig(rootfs)
+ config.Seccomp = &configs.Seccomp{
+ DefaultAction: configs.Allow,
+ Syscalls: []*configs.Syscall{
+ {
+ Name: "write",
+ Action: configs.Errno,
+ Args: []*configs.Arg{
+ {
+ Index: 0,
+ Value: 2,
+ Op: configs.EqualTo,
+ },
+ {
+ Index: 2,
+ Value: 0,
+ Op: configs.NotEqualTo,
+ },
+ },
+ },
+ },
+ }
+
+ buffers, exitCode, err := runContainer(config, "", "ls", "/does_not_exist")
+ if err == nil {
+ t.Fatalf("Expecting error return, instead got 0")
+ }
+ if exitCode == 0 {
+ t.Fatalf("Busybox should fail with negative exit code, instead got %d!", exitCode)
+ }
+
+ expected := ""
+ actual := strings.Trim(buffers.Stderr.String(), "\n")
+ if actual != expected {
+ t.Fatalf("Expected output %s but got %s\n", expected, actual)
+ }
+}
+
+func TestSeccompMultipleConditionSameArgDeniesStdout(t *testing.T) {
+ if testing.Short() {
+ return
+ }
+
+ rootfs, err := newRootfs()
+ if err != nil {
+ t.Fatal(err)
+ }
+ defer remove(rootfs)
+
+ // Prevent writing to both stdout and stderr
+ config := newTemplateConfig(rootfs)
+ config.Seccomp = &configs.Seccomp{
+ DefaultAction: configs.Allow,
+ Syscalls: []*configs.Syscall{
+ {
+ Name: "write",
+ Action: configs.Errno,
+ Args: []*configs.Arg{
+ {
+ Index: 0,
+ Value: 1,
+ Op: configs.EqualTo,
+ },
+ {
+ Index: 0,
+ Value: 2,
+ Op: configs.EqualTo,
+ },
+ },
+ },
+ },
+ }
+
+ buffers, exitCode, err := runContainer(config, "", "ls", "/")
+ if err != nil {
+ t.Fatalf("%s: %s", buffers, err)
+ }
+ if exitCode != 0 {
+ t.Fatalf("exit code not 0. code %d buffers %s", exitCode, buffers)
+ }
+ // Verify that nothing was printed
+ if len(buffers.Stdout.String()) != 0 {
+ t.Fatalf("Something was written to stdout, write call succeeded!\n")
+ }
+}
+
+func TestSeccompMultipleConditionSameArgDeniesStderr(t *testing.T) {
+ if testing.Short() {
+ return
+ }
+
+ rootfs, err := newRootfs()
+ if err != nil {
+ t.Fatal(err)
+ }
+ defer remove(rootfs)
+
+ // Prevent writing to both stdout and stderr
+ config := newTemplateConfig(rootfs)
+ config.Seccomp = &configs.Seccomp{
+ DefaultAction: configs.Allow,
+ Syscalls: []*configs.Syscall{
+ {
+ Name: "write",
+ Action: configs.Errno,
+ Args: []*configs.Arg{
+ {
+ Index: 0,
+ Value: 1,
+ Op: configs.EqualTo,
+ },
+ {
+ Index: 0,
+ Value: 2,
+ Op: configs.EqualTo,
+ },
+ },
+ },
+ },
+ }
+
+ buffers, exitCode, err := runContainer(config, "", "ls", "/does_not_exist")
+ if err == nil {
+ t.Fatalf("Expecting error return, instead got 0")
+ }
+ if exitCode == 0 {
+ t.Fatalf("Busybox should fail with negative exit code, instead got %d!", exitCode)
+ }
+ // Verify nothing was printed
+ if len(buffers.Stderr.String()) != 0 {
+ t.Fatalf("Something was written to stderr, write call succeeded!\n")
+ }
+}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/integration/template_test.go b/vendor/github.com/opencontainers/runc/libcontainer/integration/template_test.go
index f54a849acf6d2fd93107b759128cce37a30b0fb6..5f7cab53b67cf740f21ba4eff72ff6f2cdf8d1e8 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/integration/template_test.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/integration/template_test.go
@@ -1,9 +1,9 @@
package integration
import (
- "syscall"
-
"github.com/opencontainers/runc/libcontainer/configs"
+
+ "golang.org/x/sys/unix"
)
var standardEnvironment = []string{
@@ -13,30 +13,97 @@ var standardEnvironment = []string{
"TERM=xterm",
}
-const defaultMountFlags = syscall.MS_NOEXEC | syscall.MS_NOSUID | syscall.MS_NODEV
+const defaultMountFlags = unix.MS_NOEXEC | unix.MS_NOSUID | unix.MS_NODEV
// newTemplateConfig returns a base template for running a container
//
// it uses a network strategy of just setting a loopback interface
// and the default setup for devices
func newTemplateConfig(rootfs string) *configs.Config {
+ allowAllDevices := false
return &configs.Config{
Rootfs: rootfs,
- Capabilities: []string{
- "CAP_CHOWN",
- "CAP_DAC_OVERRIDE",
- "CAP_FSETID",
- "CAP_FOWNER",
- "CAP_MKNOD",
- "CAP_NET_RAW",
- "CAP_SETGID",
- "CAP_SETUID",
- "CAP_SETFCAP",
- "CAP_SETPCAP",
- "CAP_NET_BIND_SERVICE",
- "CAP_SYS_CHROOT",
- "CAP_KILL",
- "CAP_AUDIT_WRITE",
+ Capabilities: &configs.Capabilities{
+ Bounding: []string{
+ "CAP_CHOWN",
+ "CAP_DAC_OVERRIDE",
+ "CAP_FSETID",
+ "CAP_FOWNER",
+ "CAP_MKNOD",
+ "CAP_NET_RAW",
+ "CAP_SETGID",
+ "CAP_SETUID",
+ "CAP_SETFCAP",
+ "CAP_SETPCAP",
+ "CAP_NET_BIND_SERVICE",
+ "CAP_SYS_CHROOT",
+ "CAP_KILL",
+ "CAP_AUDIT_WRITE",
+ },
+ Permitted: []string{
+ "CAP_CHOWN",
+ "CAP_DAC_OVERRIDE",
+ "CAP_FSETID",
+ "CAP_FOWNER",
+ "CAP_MKNOD",
+ "CAP_NET_RAW",
+ "CAP_SETGID",
+ "CAP_SETUID",
+ "CAP_SETFCAP",
+ "CAP_SETPCAP",
+ "CAP_NET_BIND_SERVICE",
+ "CAP_SYS_CHROOT",
+ "CAP_KILL",
+ "CAP_AUDIT_WRITE",
+ },
+ Inheritable: []string{
+ "CAP_CHOWN",
+ "CAP_DAC_OVERRIDE",
+ "CAP_FSETID",
+ "CAP_FOWNER",
+ "CAP_MKNOD",
+ "CAP_NET_RAW",
+ "CAP_SETGID",
+ "CAP_SETUID",
+ "CAP_SETFCAP",
+ "CAP_SETPCAP",
+ "CAP_NET_BIND_SERVICE",
+ "CAP_SYS_CHROOT",
+ "CAP_KILL",
+ "CAP_AUDIT_WRITE",
+ },
+ Ambient: []string{
+ "CAP_CHOWN",
+ "CAP_DAC_OVERRIDE",
+ "CAP_FSETID",
+ "CAP_FOWNER",
+ "CAP_MKNOD",
+ "CAP_NET_RAW",
+ "CAP_SETGID",
+ "CAP_SETUID",
+ "CAP_SETFCAP",
+ "CAP_SETPCAP",
+ "CAP_NET_BIND_SERVICE",
+ "CAP_SYS_CHROOT",
+ "CAP_KILL",
+ "CAP_AUDIT_WRITE",
+ },
+ Effective: []string{
+ "CAP_CHOWN",
+ "CAP_DAC_OVERRIDE",
+ "CAP_FSETID",
+ "CAP_FOWNER",
+ "CAP_MKNOD",
+ "CAP_NET_RAW",
+ "CAP_SETGID",
+ "CAP_SETUID",
+ "CAP_SETFCAP",
+ "CAP_SETPCAP",
+ "CAP_NET_BIND_SERVICE",
+ "CAP_SYS_CHROOT",
+ "CAP_KILL",
+ "CAP_AUDIT_WRITE",
+ },
},
Namespaces: configs.Namespaces([]configs.Namespace{
{Type: configs.NEWNS},
@@ -49,12 +116,13 @@ func newTemplateConfig(rootfs string) *configs.Config {
Path: "integration/test",
Resources: &configs.Resources{
MemorySwappiness: nil,
- AllowAllDevices: false,
+ AllowAllDevices: &allowAllDevices,
AllowedDevices: configs.DefaultAllowedDevices,
},
},
MaskPaths: []string{
"/proc/kcore",
+ "/sys/firmware",
},
ReadonlyPaths: []string{
"/proc/sys", "/proc/sysrq-trigger", "/proc/irq", "/proc/bus",
@@ -72,14 +140,14 @@ func newTemplateConfig(rootfs string) *configs.Config {
Source: "tmpfs",
Destination: "/dev",
Device: "tmpfs",
- Flags: syscall.MS_NOSUID | syscall.MS_STRICTATIME,
+ Flags: unix.MS_NOSUID | unix.MS_STRICTATIME,
Data: "mode=755",
},
{
Source: "devpts",
Destination: "/dev/pts",
Device: "devpts",
- Flags: syscall.MS_NOSUID | syscall.MS_NOEXEC,
+ Flags: unix.MS_NOSUID | unix.MS_NOEXEC,
Data: "newinstance,ptmxmode=0666,mode=0620,gid=5",
},
{
@@ -89,17 +157,20 @@ func newTemplateConfig(rootfs string) *configs.Config {
Data: "mode=1777,size=65536k",
Flags: defaultMountFlags,
},
- {
- Source: "mqueue",
- Destination: "/dev/mqueue",
- Device: "mqueue",
- Flags: defaultMountFlags,
- },
+ /*
+ CI is broken on the debian based kernels with this
+ {
+ Source: "mqueue",
+ Destination: "/dev/mqueue",
+ Device: "mqueue",
+ Flags: defaultMountFlags,
+ },
+ */
{
Source: "sysfs",
Destination: "/sys",
Device: "sysfs",
- Flags: defaultMountFlags | syscall.MS_RDONLY,
+ Flags: defaultMountFlags | unix.MS_RDONLY,
},
},
Networks: []*configs.Network{
@@ -111,7 +182,7 @@ func newTemplateConfig(rootfs string) *configs.Config {
},
Rlimits: []configs.Rlimit{
{
- Type: syscall.RLIMIT_NOFILE,
+ Type: unix.RLIMIT_NOFILE,
Hard: uint64(1025),
Soft: uint64(1025),
},
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/integration/utils_test.go b/vendor/github.com/opencontainers/runc/libcontainer/integration/utils_test.go
index e2ca10e00827699e9e5204bc62c4382a78dd1e67..541d42eb86be79825c323baa282d938ab6d706ad 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/integration/utils_test.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/integration/utils_test.go
@@ -2,6 +2,8 @@ package integration
import (
"bytes"
+ "crypto/md5"
+ "encoding/hex"
"fmt"
"io/ioutil"
"os"
@@ -11,11 +13,16 @@ import (
"strings"
"syscall"
"testing"
+ "time"
"github.com/opencontainers/runc/libcontainer"
"github.com/opencontainers/runc/libcontainer/configs"
)
+func ptrInt(v int) *int {
+ return &v
+}
+
func newStdBuffers() *stdBuffers {
return &stdBuffers{
Stdin: bytes.NewBuffer(nil),
@@ -62,6 +69,28 @@ func waitProcess(p *libcontainer.Process, t *testing.T) {
}
}
+func newTestRoot() (string, error) {
+ dir, err := ioutil.TempDir("", "libcontainer")
+ if err != nil {
+ return "", err
+ }
+ if err := os.MkdirAll(dir, 0700); err != nil {
+ return "", err
+ }
+ return dir, nil
+}
+
+func newTestBundle() (string, error) {
+ dir, err := ioutil.TempDir("", "bundle")
+ if err != nil {
+ return "", err
+ }
+ if err := os.MkdirAll(dir, 0700); err != nil {
+ return "", err
+ }
+ return dir, nil
+}
+
// newRootfs creates a new tmp directory and copies the busybox root filesystem
func newRootfs() (string, error) {
dir, err := ioutil.TempDir("", "")
@@ -84,7 +113,7 @@ func remove(dir string) {
// copyBusybox copies the rootfs for a busybox container created for the test image
// into the new directory for the specific test
func copyBusybox(dest string) error {
- out, err := exec.Command("sh", "-c", fmt.Sprintf("cp -R /busybox/* %s/", dest)).CombinedOutput()
+ out, err := exec.Command("sh", "-c", fmt.Sprintf("cp -a /busybox/* %s/", dest)).CombinedOutput()
if err != nil {
return fmt.Errorf("copy error %q: %q", err, out)
}
@@ -92,7 +121,9 @@ func copyBusybox(dest string) error {
}
func newContainer(config *configs.Config) (libcontainer.Container, error) {
- return newContainerWithName("testCT", config)
+ h := md5.New()
+ h.Write([]byte(time.Now().String()))
+ return newContainerWithName(hex.EncodeToString(h.Sum(nil)), config)
}
func newContainerWithName(name string, config *configs.Config) (libcontainer.Container, error) {
@@ -121,9 +152,10 @@ func runContainer(config *configs.Config, console string, args ...string) (buffe
Stdin: buffers.Stdin,
Stdout: buffers.Stdout,
Stderr: buffers.Stderr,
+ Init: true,
}
- err = container.Start(process)
+ err = container.Run(process)
if err != nil {
return buffers, -1, err
}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/intelrdt/intelrdt.go b/vendor/github.com/opencontainers/runc/libcontainer/intelrdt/intelrdt.go
new file mode 100644
index 0000000000000000000000000000000000000000..9be62646628d4e80dcef7fcf5f470b92de185446
--- /dev/null
+++ b/vendor/github.com/opencontainers/runc/libcontainer/intelrdt/intelrdt.go
@@ -0,0 +1,773 @@
+// +build linux
+
+package intelrdt
+
+import (
+ "bufio"
+ "fmt"
+ "io/ioutil"
+ "os"
+ "path/filepath"
+ "strconv"
+ "strings"
+ "sync"
+
+ "github.com/opencontainers/runc/libcontainer/configs"
+)
+
+/*
+ * About Intel RDT features:
+ * Intel platforms with new Xeon CPU support Resource Director Technology (RDT).
+ * Cache Allocation Technology (CAT) and Memory Bandwidth Allocation (MBA) are
+ * two sub-features of RDT.
+ *
+ * Cache Allocation Technology (CAT) provides a way for the software to restrict
+ * cache allocation to a defined 'subset' of L3 cache which may be overlapping
+ * with other 'subsets'. The different subsets are identified by class of
+ * service (CLOS) and each CLOS has a capacity bitmask (CBM).
+ *
+ * Memory Bandwidth Allocation (MBA) provides indirect and approximate throttle
+ * over memory bandwidth for the software. A user controls the resource by
+ * indicating the percentage of maximum memory bandwidth or memory bandwidth
+ * limit in MBps unit if MBA Software Controller is enabled.
+ *
+ * More details about Intel RDT CAT and MBA can be found in the section 17.18
+ * of Intel Software Developer Manual:
+ * https://software.intel.com/en-us/articles/intel-sdm
+ *
+ * About Intel RDT kernel interface:
+ * In Linux 4.10 kernel or newer, the interface is defined and exposed via
+ * "resource control" filesystem, which is a "cgroup-like" interface.
+ *
+ * Comparing with cgroups, it has similar process management lifecycle and
+ * interfaces in a container. But unlike cgroups' hierarchy, it has single level
+ * filesystem layout.
+ *
+ * CAT and MBA features are introduced in Linux 4.10 and 4.12 kernel via
+ * "resource control" filesystem.
+ *
+ * Intel RDT "resource control" filesystem hierarchy:
+ * mount -t resctrl resctrl /sys/fs/resctrl
+ * tree /sys/fs/resctrl
+ * /sys/fs/resctrl/
+ * |-- info
+ * | |-- L3
+ * | | |-- cbm_mask
+ * | | |-- min_cbm_bits
+ * | | |-- num_closids
+ * | |-- MB
+ * | |-- bandwidth_gran
+ * | |-- delay_linear
+ * | |-- min_bandwidth
+ * | |-- num_closids
+ * |-- ...
+ * |-- schemata
+ * |-- tasks
+ * |-- <container_id>
+ * |-- ...
+ * |-- schemata
+ * |-- tasks
+ *
+ * For runc, we can make use of `tasks` and `schemata` configuration for L3
+ * cache and memory bandwidth resources constraints.
+ *
+ * The file `tasks` has a list of tasks that belongs to this group (e.g.,
+ * <container_id>" group). Tasks can be added to a group by writing the task ID
+ * to the "tasks" file (which will automatically remove them from the previous
+ * group to which they belonged). New tasks created by fork(2) and clone(2) are
+ * added to the same group as their parent.
+ *
+ * The file `schemata` has a list of all the resources available to this group.
+ * Each resource (L3 cache, memory bandwidth) has its own line and format.
+ *
+ * L3 cache schema:
+ * It has allocation bitmasks/values for L3 cache on each socket, which
+ * contains L3 cache id and capacity bitmask (CBM).
+ * Format: "L3:<cache_id0>=<cbm0>;<cache_id1>=<cbm1>;..."
+ * For example, on a two-socket machine, the schema line could be "L3:0=ff;1=c0"
+ * which means L3 cache id 0's CBM is 0xff, and L3 cache id 1's CBM is 0xc0.
+ *
+ * The valid L3 cache CBM is a *contiguous bits set* and number of bits that can
+ * be set is less than the max bit. The max bits in the CBM is varied among
+ * supported Intel CPU models. Kernel will check if it is valid when writing.
+ * e.g., default value 0xfffff in root indicates the max bits of CBM is 20
+ * bits, which mapping to entire L3 cache capacity. Some valid CBM values to
+ * set in a group: 0xf, 0xf0, 0x3ff, 0x1f00 and etc.
+ *
+ * Memory bandwidth schema:
+ * It has allocation values for memory bandwidth on each socket, which contains
+ * L3 cache id and memory bandwidth.
+ * Format: "MB:<cache_id0>=bandwidth0;<cache_id1>=bandwidth1;..."
+ * For example, on a two-socket machine, the schema line could be "MB:0=20;1=70"
+ *
+ * The minimum bandwidth percentage value for each CPU model is predefined and
+ * can be looked up through "info/MB/min_bandwidth". The bandwidth granularity
+ * that is allocated is also dependent on the CPU model and can be looked up at
+ * "info/MB/bandwidth_gran". The available bandwidth control steps are:
+ * min_bw + N * bw_gran. Intermediate values are rounded to the next control
+ * step available on the hardware.
+ *
+ * If MBA Software Controller is enabled through mount option "-o mba_MBps":
+ * mount -t resctrl resctrl -o mba_MBps /sys/fs/resctrl
+ * We could specify memory bandwidth in "MBps" (Mega Bytes per second) unit
+ * instead of "percentages". The kernel underneath would use a software feedback
+ * mechanism or a "Software Controller" which reads the actual bandwidth using
+ * MBM counters and adjust the memory bandwidth percentages to ensure:
+ * "actual memory bandwidth < user specified memory bandwidth".
+ *
+ * For example, on a two-socket machine, the schema line could be
+ * "MB:0=5000;1=7000" which means 5000 MBps memory bandwidth limit on socket 0
+ * and 7000 MBps memory bandwidth limit on socket 1.
+ *
+ * For more information about Intel RDT kernel interface:
+ * https://www.kernel.org/doc/Documentation/x86/intel_rdt_ui.txt
+ *
+ * An example for runc:
+ * Consider a two-socket machine with two L3 caches where the default CBM is
+ * 0x7ff and the max CBM length is 11 bits, and minimum memory bandwidth of 10%
+ * with a memory bandwidth granularity of 10%.
+ *
+ * Tasks inside the container only have access to the "upper" 7/11 of L3 cache
+ * on socket 0 and the "lower" 5/11 L3 cache on socket 1, and may use a
+ * maximum memory bandwidth of 20% on socket 0 and 70% on socket 1.
+ *
+ * "linux": {
+ * "intelRdt": {
+ * "l3CacheSchema": "L3:0=7f0;1=1f",
+ * "memBwSchema": "MB:0=20;1=70"
+ * }
+ * }
+ */
+
+type Manager interface {
+ // Applies Intel RDT configuration to the process with the specified pid
+ Apply(pid int) error
+
+ // Returns statistics for Intel RDT
+ GetStats() (*Stats, error)
+
+ // Destroys the Intel RDT 'container_id' group
+ Destroy() error
+
+ // Returns Intel RDT path to save in a state file and to be able to
+ // restore the object later
+ GetPath() string
+
+ // Set Intel RDT "resource control" filesystem as configured.
+ Set(container *configs.Config) error
+}
+
+// This implements interface Manager
+type IntelRdtManager struct {
+ mu sync.Mutex
+ Config *configs.Config
+ Id string
+ Path string
+}
+
+const (
+ IntelRdtTasks = "tasks"
+)
+
+var (
+ // The absolute root path of the Intel RDT "resource control" filesystem
+ intelRdtRoot string
+ intelRdtRootLock sync.Mutex
+
+ // The flag to indicate if Intel RDT/CAT is enabled
+ isCatEnabled bool
+ // The flag to indicate if Intel RDT/MBA is enabled
+ isMbaEnabled bool
+ // The flag to indicate if Intel RDT/MBA Software Controller is enabled
+ isMbaScEnabled bool
+)
+
+type intelRdtData struct {
+ root string
+ config *configs.Config
+ pid int
+}
+
+// Check if Intel RDT sub-features are enabled in init()
+func init() {
+ // 1. Check if hardware and kernel support Intel RDT sub-features
+ // "cat_l3" flag for CAT and "mba" flag for MBA
+ isCatFlagSet, isMbaFlagSet, err := parseCpuInfoFile("/proc/cpuinfo")
+ if err != nil {
+ return
+ }
+
+ // 2. Check if Intel RDT "resource control" filesystem is mounted
+ // The user guarantees to mount the filesystem
+ if !isIntelRdtMounted() {
+ return
+ }
+
+ // 3. Double check if Intel RDT sub-features are available in
+ // "resource control" filesystem. Intel RDT sub-features can be
+ // selectively disabled or enabled by kernel command line
+ // (e.g., rdt=!l3cat,mba) in 4.14 and newer kernel
+ if isCatFlagSet {
+ if _, err := os.Stat(filepath.Join(intelRdtRoot, "info", "L3")); err == nil {
+ isCatEnabled = true
+ }
+ }
+ if isMbaScEnabled {
+ // We confirm MBA Software Controller is enabled in step 2,
+ // MBA should be enabled because MBA Software Controller
+ // depends on MBA
+ isMbaEnabled = true
+ } else if isMbaFlagSet {
+ if _, err := os.Stat(filepath.Join(intelRdtRoot, "info", "MB")); err == nil {
+ isMbaEnabled = true
+ }
+ }
+}
+
+// Return the mount point path of Intel RDT "resource control" filesysem
+func findIntelRdtMountpointDir() (string, error) {
+ f, err := os.Open("/proc/self/mountinfo")
+ if err != nil {
+ return "", err
+ }
+ defer f.Close()
+
+ s := bufio.NewScanner(f)
+ for s.Scan() {
+ text := s.Text()
+ fields := strings.Split(text, " ")
+ // Safe as mountinfo encodes mountpoints with spaces as \040.
+ index := strings.Index(text, " - ")
+ postSeparatorFields := strings.Fields(text[index+3:])
+ numPostFields := len(postSeparatorFields)
+
+ // This is an error as we can't detect if the mount is for "Intel RDT"
+ if numPostFields == 0 {
+ return "", fmt.Errorf("Found no fields post '-' in %q", text)
+ }
+
+ if postSeparatorFields[0] == "resctrl" {
+ // Check that the mount is properly formatted.
+ if numPostFields < 3 {
+ return "", fmt.Errorf("Error found less than 3 fields post '-' in %q", text)
+ }
+
+ // Check if MBA Software Controller is enabled through mount option "-o mba_MBps"
+ if strings.Contains(postSeparatorFields[2], "mba_MBps") {
+ isMbaScEnabled = true
+ }
+
+ return fields[4], nil
+ }
+ }
+ if err := s.Err(); err != nil {
+ return "", err
+ }
+
+ return "", NewNotFoundError("Intel RDT")
+}
+
+// Gets the root path of Intel RDT "resource control" filesystem
+func getIntelRdtRoot() (string, error) {
+ intelRdtRootLock.Lock()
+ defer intelRdtRootLock.Unlock()
+
+ if intelRdtRoot != "" {
+ return intelRdtRoot, nil
+ }
+
+ root, err := findIntelRdtMountpointDir()
+ if err != nil {
+ return "", err
+ }
+
+ if _, err := os.Stat(root); err != nil {
+ return "", err
+ }
+
+ intelRdtRoot = root
+ return intelRdtRoot, nil
+}
+
+func isIntelRdtMounted() bool {
+ _, err := getIntelRdtRoot()
+ if err != nil {
+ return false
+ }
+
+ return true
+}
+
+func parseCpuInfoFile(path string) (bool, bool, error) {
+ isCatFlagSet := false
+ isMbaFlagSet := false
+
+ f, err := os.Open(path)
+ if err != nil {
+ return false, false, err
+ }
+ defer f.Close()
+
+ s := bufio.NewScanner(f)
+ for s.Scan() {
+ if err := s.Err(); err != nil {
+ return false, false, err
+ }
+
+ line := s.Text()
+
+ // Search "cat_l3" and "mba" flags in first "flags" line
+ if strings.Contains(line, "flags") {
+ flags := strings.Split(line, " ")
+ // "cat_l3" flag for CAT and "mba" flag for MBA
+ for _, flag := range flags {
+ switch flag {
+ case "cat_l3":
+ isCatFlagSet = true
+ case "mba":
+ isMbaFlagSet = true
+ }
+ }
+ return isCatFlagSet, isMbaFlagSet, nil
+ }
+ }
+ return isCatFlagSet, isMbaFlagSet, nil
+}
+
+func parseUint(s string, base, bitSize int) (uint64, error) {
+ value, err := strconv.ParseUint(s, base, bitSize)
+ if err != nil {
+ intValue, intErr := strconv.ParseInt(s, base, bitSize)
+ // 1. Handle negative values greater than MinInt64 (and)
+ // 2. Handle negative values lesser than MinInt64
+ if intErr == nil && intValue < 0 {
+ return 0, nil
+ } else if intErr != nil && intErr.(*strconv.NumError).Err == strconv.ErrRange && intValue < 0 {
+ return 0, nil
+ }
+
+ return value, err
+ }
+
+ return value, nil
+}
+
+// Gets a single uint64 value from the specified file.
+func getIntelRdtParamUint(path, file string) (uint64, error) {
+ fileName := filepath.Join(path, file)
+ contents, err := ioutil.ReadFile(fileName)
+ if err != nil {
+ return 0, err
+ }
+
+ res, err := parseUint(strings.TrimSpace(string(contents)), 10, 64)
+ if err != nil {
+ return res, fmt.Errorf("unable to parse %q as a uint from file %q", string(contents), fileName)
+ }
+ return res, nil
+}
+
+// Gets a string value from the specified file
+func getIntelRdtParamString(path, file string) (string, error) {
+ contents, err := ioutil.ReadFile(filepath.Join(path, file))
+ if err != nil {
+ return "", err
+ }
+
+ return strings.TrimSpace(string(contents)), nil
+}
+
+func writeFile(dir, file, data string) error {
+ if dir == "" {
+ return fmt.Errorf("no such directory for %s", file)
+ }
+ if err := ioutil.WriteFile(filepath.Join(dir, file), []byte(data+"\n"), 0700); err != nil {
+ return fmt.Errorf("failed to write %v to %v: %v", data, file, err)
+ }
+ return nil
+}
+
+func getIntelRdtData(c *configs.Config, pid int) (*intelRdtData, error) {
+ rootPath, err := getIntelRdtRoot()
+ if err != nil {
+ return nil, err
+ }
+ return &intelRdtData{
+ root: rootPath,
+ config: c,
+ pid: pid,
+ }, nil
+}
+
+// Get the read-only L3 cache information
+func getL3CacheInfo() (*L3CacheInfo, error) {
+ l3CacheInfo := &L3CacheInfo{}
+
+ rootPath, err := getIntelRdtRoot()
+ if err != nil {
+ return l3CacheInfo, err
+ }
+
+ path := filepath.Join(rootPath, "info", "L3")
+ cbmMask, err := getIntelRdtParamString(path, "cbm_mask")
+ if err != nil {
+ return l3CacheInfo, err
+ }
+ minCbmBits, err := getIntelRdtParamUint(path, "min_cbm_bits")
+ if err != nil {
+ return l3CacheInfo, err
+ }
+ numClosids, err := getIntelRdtParamUint(path, "num_closids")
+ if err != nil {
+ return l3CacheInfo, err
+ }
+
+ l3CacheInfo.CbmMask = cbmMask
+ l3CacheInfo.MinCbmBits = minCbmBits
+ l3CacheInfo.NumClosids = numClosids
+
+ return l3CacheInfo, nil
+}
+
+// Get the read-only memory bandwidth information
+func getMemBwInfo() (*MemBwInfo, error) {
+ memBwInfo := &MemBwInfo{}
+
+ rootPath, err := getIntelRdtRoot()
+ if err != nil {
+ return memBwInfo, err
+ }
+
+ path := filepath.Join(rootPath, "info", "MB")
+ bandwidthGran, err := getIntelRdtParamUint(path, "bandwidth_gran")
+ if err != nil {
+ return memBwInfo, err
+ }
+ delayLinear, err := getIntelRdtParamUint(path, "delay_linear")
+ if err != nil {
+ return memBwInfo, err
+ }
+ minBandwidth, err := getIntelRdtParamUint(path, "min_bandwidth")
+ if err != nil {
+ return memBwInfo, err
+ }
+ numClosids, err := getIntelRdtParamUint(path, "num_closids")
+ if err != nil {
+ return memBwInfo, err
+ }
+
+ memBwInfo.BandwidthGran = bandwidthGran
+ memBwInfo.DelayLinear = delayLinear
+ memBwInfo.MinBandwidth = minBandwidth
+ memBwInfo.NumClosids = numClosids
+
+ return memBwInfo, nil
+}
+
+// Get diagnostics for last filesystem operation error from file info/last_cmd_status
+func getLastCmdStatus() (string, error) {
+ rootPath, err := getIntelRdtRoot()
+ if err != nil {
+ return "", err
+ }
+
+ path := filepath.Join(rootPath, "info")
+ lastCmdStatus, err := getIntelRdtParamString(path, "last_cmd_status")
+ if err != nil {
+ return "", err
+ }
+
+ return lastCmdStatus, nil
+}
+
+// WriteIntelRdtTasks writes the specified pid into the "tasks" file
+func WriteIntelRdtTasks(dir string, pid int) error {
+ if dir == "" {
+ return fmt.Errorf("no such directory for %s", IntelRdtTasks)
+ }
+
+ // Don't attach any pid if -1 is specified as a pid
+ if pid != -1 {
+ if err := ioutil.WriteFile(filepath.Join(dir, IntelRdtTasks), []byte(strconv.Itoa(pid)), 0700); err != nil {
+ return fmt.Errorf("failed to write %v to %v: %v", pid, IntelRdtTasks, err)
+ }
+ }
+ return nil
+}
+
+// Check if Intel RDT/CAT is enabled
+func IsCatEnabled() bool {
+ return isCatEnabled
+}
+
+// Check if Intel RDT/MBA is enabled
+func IsMbaEnabled() bool {
+ return isMbaEnabled
+}
+
+// Check if Intel RDT/MBA Software Controller is enabled
+func IsMbaScEnabled() bool {
+ return isMbaScEnabled
+}
+
+// Get the 'container_id' path in Intel RDT "resource control" filesystem
+func GetIntelRdtPath(id string) (string, error) {
+ rootPath, err := getIntelRdtRoot()
+ if err != nil {
+ return "", err
+ }
+
+ path := filepath.Join(rootPath, id)
+ return path, nil
+}
+
+// Applies Intel RDT configuration to the process with the specified pid
+func (m *IntelRdtManager) Apply(pid int) (err error) {
+ // If intelRdt is not specified in config, we do nothing
+ if m.Config.IntelRdt == nil {
+ return nil
+ }
+ d, err := getIntelRdtData(m.Config, pid)
+ if err != nil && !IsNotFound(err) {
+ return err
+ }
+
+ m.mu.Lock()
+ defer m.mu.Unlock()
+ path, err := d.join(m.Id)
+ if err != nil {
+ return err
+ }
+
+ m.Path = path
+ return nil
+}
+
+// Destroys the Intel RDT 'container_id' group
+func (m *IntelRdtManager) Destroy() error {
+ m.mu.Lock()
+ defer m.mu.Unlock()
+ if err := os.RemoveAll(m.Path); err != nil {
+ return err
+ }
+ m.Path = ""
+ return nil
+}
+
+// Returns Intel RDT path to save in a state file and to be able to
+// restore the object later
+func (m *IntelRdtManager) GetPath() string {
+ if m.Path == "" {
+ m.Path, _ = GetIntelRdtPath(m.Id)
+ }
+ return m.Path
+}
+
+// Returns statistics for Intel RDT
+func (m *IntelRdtManager) GetStats() (*Stats, error) {
+ // If intelRdt is not specified in config
+ if m.Config.IntelRdt == nil {
+ return nil, nil
+ }
+
+ m.mu.Lock()
+ defer m.mu.Unlock()
+ stats := NewStats()
+
+ rootPath, err := getIntelRdtRoot()
+ if err != nil {
+ return nil, err
+ }
+ // The read-only L3 cache and memory bandwidth schemata in root
+ tmpRootStrings, err := getIntelRdtParamString(rootPath, "schemata")
+ if err != nil {
+ return nil, err
+ }
+ schemaRootStrings := strings.Split(tmpRootStrings, "\n")
+
+ // The L3 cache and memory bandwidth schemata in 'container_id' group
+ tmpStrings, err := getIntelRdtParamString(m.GetPath(), "schemata")
+ if err != nil {
+ return nil, err
+ }
+ schemaStrings := strings.Split(tmpStrings, "\n")
+
+ if IsCatEnabled() {
+ // The read-only L3 cache information
+ l3CacheInfo, err := getL3CacheInfo()
+ if err != nil {
+ return nil, err
+ }
+ stats.L3CacheInfo = l3CacheInfo
+
+ // The read-only L3 cache schema in root
+ for _, schemaRoot := range schemaRootStrings {
+ if strings.Contains(schemaRoot, "L3") {
+ stats.L3CacheSchemaRoot = strings.TrimSpace(schemaRoot)
+ }
+ }
+
+ // The L3 cache schema in 'container_id' group
+ for _, schema := range schemaStrings {
+ if strings.Contains(schema, "L3") {
+ stats.L3CacheSchema = strings.TrimSpace(schema)
+ }
+ }
+ }
+
+ if IsMbaEnabled() {
+ // The read-only memory bandwidth information
+ memBwInfo, err := getMemBwInfo()
+ if err != nil {
+ return nil, err
+ }
+ stats.MemBwInfo = memBwInfo
+
+ // The read-only memory bandwidth information
+ for _, schemaRoot := range schemaRootStrings {
+ if strings.Contains(schemaRoot, "MB") {
+ stats.MemBwSchemaRoot = strings.TrimSpace(schemaRoot)
+ }
+ }
+
+ // The memory bandwidth schema in 'container_id' group
+ for _, schema := range schemaStrings {
+ if strings.Contains(schema, "MB") {
+ stats.MemBwSchema = strings.TrimSpace(schema)
+ }
+ }
+ }
+
+ return stats, nil
+}
+
+// Set Intel RDT "resource control" filesystem as configured.
+func (m *IntelRdtManager) Set(container *configs.Config) error {
+ // About L3 cache schema:
+ // It has allocation bitmasks/values for L3 cache on each socket,
+ // which contains L3 cache id and capacity bitmask (CBM).
+ // Format: "L3:<cache_id0>=<cbm0>;<cache_id1>=<cbm1>;..."
+ // For example, on a two-socket machine, the schema line could be:
+ // L3:0=ff;1=c0
+ // which means L3 cache id 0's CBM is 0xff, and L3 cache id 1's CBM
+ // is 0xc0.
+ //
+ // The valid L3 cache CBM is a *contiguous bits set* and number of
+ // bits that can be set is less than the max bit. The max bits in the
+ // CBM is varied among supported Intel CPU models. Kernel will check
+ // if it is valid when writing. e.g., default value 0xfffff in root
+ // indicates the max bits of CBM is 20 bits, which mapping to entire
+ // L3 cache capacity. Some valid CBM values to set in a group:
+ // 0xf, 0xf0, 0x3ff, 0x1f00 and etc.
+ //
+ //
+ // About memory bandwidth schema:
+ // It has allocation values for memory bandwidth on each socket, which
+ // contains L3 cache id and memory bandwidth.
+ // Format: "MB:<cache_id0>=bandwidth0;<cache_id1>=bandwidth1;..."
+ // For example, on a two-socket machine, the schema line could be:
+ // "MB:0=20;1=70"
+ //
+ // The minimum bandwidth percentage value for each CPU model is
+ // predefined and can be looked up through "info/MB/min_bandwidth".
+ // The bandwidth granularity that is allocated is also dependent on
+ // the CPU model and can be looked up at "info/MB/bandwidth_gran".
+ // The available bandwidth control steps are: min_bw + N * bw_gran.
+ // Intermediate values are rounded to the next control step available
+ // on the hardware.
+ //
+ // If MBA Software Controller is enabled through mount option
+ // "-o mba_MBps": mount -t resctrl resctrl -o mba_MBps /sys/fs/resctrl
+ // We could specify memory bandwidth in "MBps" (Mega Bytes per second)
+ // unit instead of "percentages". The kernel underneath would use a
+ // software feedback mechanism or a "Software Controller" which reads
+ // the actual bandwidth using MBM counters and adjust the memory
+ // bandwidth percentages to ensure:
+ // "actual memory bandwidth < user specified memory bandwidth".
+ //
+ // For example, on a two-socket machine, the schema line could be
+ // "MB:0=5000;1=7000" which means 5000 MBps memory bandwidth limit on
+ // socket 0 and 7000 MBps memory bandwidth limit on socket 1.
+ if container.IntelRdt != nil {
+ path := m.GetPath()
+ l3CacheSchema := container.IntelRdt.L3CacheSchema
+ memBwSchema := container.IntelRdt.MemBwSchema
+
+ // Write a single joint schema string to schemata file
+ if l3CacheSchema != "" && memBwSchema != "" {
+ if err := writeFile(path, "schemata", l3CacheSchema+"\n"+memBwSchema); err != nil {
+ return NewLastCmdError(err)
+ }
+ }
+
+ // Write only L3 cache schema string to schemata file
+ if l3CacheSchema != "" && memBwSchema == "" {
+ if err := writeFile(path, "schemata", l3CacheSchema); err != nil {
+ return NewLastCmdError(err)
+ }
+ }
+
+ // Write only memory bandwidth schema string to schemata file
+ if l3CacheSchema == "" && memBwSchema != "" {
+ if err := writeFile(path, "schemata", memBwSchema); err != nil {
+ return NewLastCmdError(err)
+ }
+ }
+ }
+
+ return nil
+}
+
+func (raw *intelRdtData) join(id string) (string, error) {
+ path := filepath.Join(raw.root, id)
+ if err := os.MkdirAll(path, 0755); err != nil {
+ return "", NewLastCmdError(err)
+ }
+
+ if err := WriteIntelRdtTasks(path, raw.pid); err != nil {
+ return "", NewLastCmdError(err)
+ }
+ return path, nil
+}
+
+type NotFoundError struct {
+ ResourceControl string
+}
+
+func (e *NotFoundError) Error() string {
+ return fmt.Sprintf("mountpoint for %s not found", e.ResourceControl)
+}
+
+func NewNotFoundError(res string) error {
+ return &NotFoundError{
+ ResourceControl: res,
+ }
+}
+
+func IsNotFound(err error) bool {
+ if err == nil {
+ return false
+ }
+ _, ok := err.(*NotFoundError)
+ return ok
+}
+
+type LastCmdError struct {
+ LastCmdStatus string
+ Err error
+}
+
+func (e *LastCmdError) Error() string {
+ return fmt.Sprintf(e.Err.Error() + ", last_cmd_status: " + e.LastCmdStatus)
+}
+
+func NewLastCmdError(err error) error {
+ lastCmdStatus, err1 := getLastCmdStatus()
+ if err1 == nil {
+ return &LastCmdError{
+ LastCmdStatus: lastCmdStatus,
+ Err: err,
+ }
+ }
+ return err
+}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/intelrdt/intelrdt_test.go b/vendor/github.com/opencontainers/runc/libcontainer/intelrdt/intelrdt_test.go
new file mode 100644
index 0000000000000000000000000000000000000000..a19b961b019e811c47a33e2a6b4716a740870f07
--- /dev/null
+++ b/vendor/github.com/opencontainers/runc/libcontainer/intelrdt/intelrdt_test.go
@@ -0,0 +1,122 @@
+// +build linux
+
+package intelrdt
+
+import (
+ "strings"
+ "testing"
+)
+
+func TestIntelRdtSetL3CacheSchema(t *testing.T) {
+ if !IsCatEnabled() {
+ return
+ }
+
+ helper := NewIntelRdtTestUtil(t)
+ defer helper.cleanup()
+
+ const (
+ l3CacheSchemaBefore = "L3:0=f;1=f0"
+ l3CacheSchemeAfter = "L3:0=f0;1=f"
+ )
+
+ helper.writeFileContents(map[string]string{
+ "schemata": l3CacheSchemaBefore + "\n",
+ })
+
+ helper.IntelRdtData.config.IntelRdt.L3CacheSchema = l3CacheSchemeAfter
+ intelrdt := &IntelRdtManager{
+ Config: helper.IntelRdtData.config,
+ Path: helper.IntelRdtPath,
+ }
+ if err := intelrdt.Set(helper.IntelRdtData.config); err != nil {
+ t.Fatal(err)
+ }
+
+ tmpStrings, err := getIntelRdtParamString(helper.IntelRdtPath, "schemata")
+ if err != nil {
+ t.Fatalf("Failed to parse file 'schemata' - %s", err)
+ }
+ values := strings.Split(tmpStrings, "\n")
+ value := values[0]
+
+ if value != l3CacheSchemeAfter {
+ t.Fatal("Got the wrong value, set 'schemata' failed.")
+ }
+}
+
+func TestIntelRdtSetMemBwSchema(t *testing.T) {
+ if !IsMbaEnabled() {
+ return
+ }
+
+ helper := NewIntelRdtTestUtil(t)
+ defer helper.cleanup()
+
+ const (
+ memBwSchemaBefore = "MB:0=20;1=70"
+ memBwSchemeAfter = "MB:0=70;1=20"
+ )
+
+ helper.writeFileContents(map[string]string{
+ "schemata": memBwSchemaBefore + "\n",
+ })
+
+ helper.IntelRdtData.config.IntelRdt.MemBwSchema = memBwSchemeAfter
+ intelrdt := &IntelRdtManager{
+ Config: helper.IntelRdtData.config,
+ Path: helper.IntelRdtPath,
+ }
+ if err := intelrdt.Set(helper.IntelRdtData.config); err != nil {
+ t.Fatal(err)
+ }
+
+ tmpStrings, err := getIntelRdtParamString(helper.IntelRdtPath, "schemata")
+ if err != nil {
+ t.Fatalf("Failed to parse file 'schemata' - %s", err)
+ }
+ values := strings.Split(tmpStrings, "\n")
+ value := values[0]
+
+ if value != memBwSchemeAfter {
+ t.Fatal("Got the wrong value, set 'schemata' failed.")
+ }
+}
+
+func TestIntelRdtSetMemBwScSchema(t *testing.T) {
+ if !IsMbaScEnabled() {
+ return
+ }
+
+ helper := NewIntelRdtTestUtil(t)
+ defer helper.cleanup()
+
+ const (
+ memBwScSchemaBefore = "MB:0=5000;1=7000"
+ memBwScSchemeAfter = "MB:0=9000;1=4000"
+ )
+
+ helper.writeFileContents(map[string]string{
+ "schemata": memBwScSchemaBefore + "\n",
+ })
+
+ helper.IntelRdtData.config.IntelRdt.MemBwSchema = memBwScSchemeAfter
+ intelrdt := &IntelRdtManager{
+ Config: helper.IntelRdtData.config,
+ Path: helper.IntelRdtPath,
+ }
+ if err := intelrdt.Set(helper.IntelRdtData.config); err != nil {
+ t.Fatal(err)
+ }
+
+ tmpStrings, err := getIntelRdtParamString(helper.IntelRdtPath, "schemata")
+ if err != nil {
+ t.Fatalf("Failed to parse file 'schemata' - %s", err)
+ }
+ values := strings.Split(tmpStrings, "\n")
+ value := values[0]
+
+ if value != memBwScSchemeAfter {
+ t.Fatal("Got the wrong value, set 'schemata' failed.")
+ }
+}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/intelrdt/stats.go b/vendor/github.com/opencontainers/runc/libcontainer/intelrdt/stats.go
new file mode 100644
index 0000000000000000000000000000000000000000..df5686f3b808c2a74b6faf9b7596c0bec2a5bf94
--- /dev/null
+++ b/vendor/github.com/opencontainers/runc/libcontainer/intelrdt/stats.go
@@ -0,0 +1,40 @@
+// +build linux
+
+package intelrdt
+
+type L3CacheInfo struct {
+ CbmMask string `json:"cbm_mask,omitempty"`
+ MinCbmBits uint64 `json:"min_cbm_bits,omitempty"`
+ NumClosids uint64 `json:"num_closids,omitempty"`
+}
+
+type MemBwInfo struct {
+ BandwidthGran uint64 `json:"bandwidth_gran,omitempty"`
+ DelayLinear uint64 `json:"delay_linear,omitempty"`
+ MinBandwidth uint64 `json:"min_bandwidth,omitempty"`
+ NumClosids uint64 `json:"num_closids,omitempty"`
+}
+
+type Stats struct {
+ // The read-only L3 cache information
+ L3CacheInfo *L3CacheInfo `json:"l3_cache_info,omitempty"`
+
+ // The read-only L3 cache schema in root
+ L3CacheSchemaRoot string `json:"l3_cache_schema_root,omitempty"`
+
+ // The L3 cache schema in 'container_id' group
+ L3CacheSchema string `json:"l3_cache_schema,omitempty"`
+
+ // The read-only memory bandwidth information
+ MemBwInfo *MemBwInfo `json:"mem_bw_info,omitempty"`
+
+ // The read-only memory bandwidth schema in root
+ MemBwSchemaRoot string `json:"mem_bw_schema_root,omitempty"`
+
+ // The memory bandwidth schema in 'container_id' group
+ MemBwSchema string `json:"mem_bw_schema,omitempty"`
+}
+
+func NewStats() *Stats {
+ return &Stats{}
+}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/intelrdt/util_test.go b/vendor/github.com/opencontainers/runc/libcontainer/intelrdt/util_test.go
new file mode 100644
index 0000000000000000000000000000000000000000..970b6ce360e52896b80142ac0bb9aa36745ec6e2
--- /dev/null
+++ b/vendor/github.com/opencontainers/runc/libcontainer/intelrdt/util_test.go
@@ -0,0 +1,67 @@
+// +build linux
+
+/*
+ * Utility for testing Intel RDT operations.
+ * Creates a mock of the Intel RDT "resource control" filesystem for the duration of the test.
+ */
+package intelrdt
+
+import (
+ "io/ioutil"
+ "os"
+ "path/filepath"
+ "testing"
+
+ "github.com/opencontainers/runc/libcontainer/configs"
+)
+
+type intelRdtTestUtil struct {
+ // intelRdt data to use in tests
+ IntelRdtData *intelRdtData
+
+ // Path to the mock Intel RDT "resource control" filesystem directory
+ IntelRdtPath string
+
+ // Temporary directory to store mock Intel RDT "resource control" filesystem
+ tempDir string
+ t *testing.T
+}
+
+// Creates a new test util
+func NewIntelRdtTestUtil(t *testing.T) *intelRdtTestUtil {
+ d := &intelRdtData{
+ config: &configs.Config{
+ IntelRdt: &configs.IntelRdt{},
+ },
+ }
+ tempDir, err := ioutil.TempDir("", "intelrdt_test")
+ if err != nil {
+ t.Fatal(err)
+ }
+ d.root = tempDir
+ testIntelRdtPath := filepath.Join(d.root, "resctrl")
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ // Ensure the full mock Intel RDT "resource control" filesystem path exists
+ err = os.MkdirAll(testIntelRdtPath, 0755)
+ if err != nil {
+ t.Fatal(err)
+ }
+ return &intelRdtTestUtil{IntelRdtData: d, IntelRdtPath: testIntelRdtPath, tempDir: tempDir, t: t}
+}
+
+func (c *intelRdtTestUtil) cleanup() {
+ os.RemoveAll(c.tempDir)
+}
+
+// Write the specified contents on the mock of the specified Intel RDT "resource control" files
+func (c *intelRdtTestUtil) writeFileContents(fileContents map[string]string) {
+ for file, contents := range fileContents {
+ err := writeFile(c.IntelRdtPath, file, contents)
+ if err != nil {
+ c.t.Fatal(err)
+ }
+ }
+}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/keys/keyctl.go b/vendor/github.com/opencontainers/runc/libcontainer/keys/keyctl.go
index c37ca2133037c24d76ca2c16886cc4d62c19eef5..74dedd56ca8928d3ea777ae071b7bac013381303 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/keys/keyctl.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/keys/keyctl.go
@@ -1,51 +1,37 @@
// +build linux
-package keyctl
+package keys
import (
"fmt"
- "syscall"
- "strings"
"strconv"
- "unsafe"
-)
+ "strings"
+
+ "github.com/pkg/errors"
-const KEYCTL_JOIN_SESSION_KEYRING = 1
-const KEYCTL_SETPERM = 5
-const KEYCTL_DESCRIBE = 6
+ "golang.org/x/sys/unix"
+)
type KeySerial uint32
func JoinSessionKeyring(name string) (KeySerial, error) {
- var _name *byte = nil
- var err error
-
- if len(name) > 0 {
- _name, err = syscall.BytePtrFromString(name)
- if err != nil {
- return KeySerial(0), err
- }
- }
-
- sessKeyId, _, errn := syscall.Syscall(syscall.SYS_KEYCTL, KEYCTL_JOIN_SESSION_KEYRING, uintptr(unsafe.Pointer(_name)), 0)
- if errn != 0 {
- return 0, fmt.Errorf("could not create session key: %v", errn)
+ sessKeyId, err := unix.KeyctlJoinSessionKeyring(name)
+ if err != nil {
+ return 0, errors.Wrap(err, "create session key")
}
return KeySerial(sessKeyId), nil
}
-// modify permissions on a keyring by reading the current permissions,
+// ModKeyringPerm modifies permissions on a keyring by reading the current permissions,
// anding the bits with the given mask (clearing permissions) and setting
// additional permission bits
func ModKeyringPerm(ringId KeySerial, mask, setbits uint32) error {
- dest := make([]byte, 1024)
- destBytes := unsafe.Pointer(&dest[0])
-
- if _, _, err := syscall.Syscall6(syscall.SYS_KEYCTL, uintptr(KEYCTL_DESCRIBE), uintptr(ringId), uintptr(destBytes), uintptr(len(dest)), 0, 0); err != 0 {
+ dest, err := unix.KeyctlString(unix.KEYCTL_DESCRIBE, int(ringId))
+ if err != nil {
return err
}
- res := strings.Split(string(dest), ";")
+ res := strings.Split(dest, ";")
if len(res) < 5 {
return fmt.Errorf("Destination buffer for key description is too small")
}
@@ -58,10 +44,5 @@ func ModKeyringPerm(ringId KeySerial, mask, setbits uint32) error {
perm := (uint32(perm64) & mask) | setbits
- if _, _, err := syscall.Syscall(syscall.SYS_KEYCTL, uintptr(KEYCTL_SETPERM), uintptr(ringId), uintptr(perm)); err != 0 {
- return err
- }
-
- return nil
+ return unix.KeyctlSetperm(int(ringId), perm)
}
-
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/label/label.go b/vendor/github.com/opencontainers/runc/libcontainer/label/label.go
deleted file mode 100644
index 97dc6baef4cac761856161568481b07f48768e97..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/libcontainer/label/label.go
+++ /dev/null
@@ -1,76 +0,0 @@
-// +build !selinux !linux
-
-package label
-
-// InitLabels returns the process label and file labels to be used within
-// the container. A list of options can be passed into this function to alter
-// the labels.
-func InitLabels(options []string) (string, string, error) {
- return "", "", nil
-}
-
-func GenLabels(options string) (string, string, error) {
- return "", "", nil
-}
-
-func FormatMountLabel(src string, mountLabel string) string {
- return src
-}
-
-func SetProcessLabel(processLabel string) error {
- return nil
-}
-
-func SetFileLabel(path string, fileLabel string) error {
- return nil
-}
-
-func SetFileCreateLabel(fileLabel string) error {
- return nil
-}
-
-func Relabel(path string, fileLabel string, shared bool) error {
- return nil
-}
-
-func GetPidLabel(pid int) (string, error) {
- return "", nil
-}
-
-func Init() {
-}
-
-func ReserveLabel(label string) error {
- return nil
-}
-
-func UnreserveLabel(label string) error {
- return nil
-}
-
-// DupSecOpt takes an process label and returns security options that
-// can be used to set duplicate labels on future container processes
-func DupSecOpt(src string) []string {
- return nil
-}
-
-// DisableSecOpt returns a security opt that can disable labeling
-// support for future container processes
-func DisableSecOpt() []string {
- return nil
-}
-
-// Validate checks that the label does not include unexpected options
-func Validate(label string) error {
- return nil
-}
-
-// RelabelNeeded checks whether the user requested a relabel
-func RelabelNeeded(label string) bool {
- return false
-}
-
-// IsShared checks that the label includes a "shared" mark
-func IsShared(label string) bool {
- return false
-}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/label/label_selinux.go b/vendor/github.com/opencontainers/runc/libcontainer/label/label_selinux.go
deleted file mode 100644
index e561cbfed7b9d12bec2e8d6dbc6474ea50de3faa..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/libcontainer/label/label_selinux.go
+++ /dev/null
@@ -1,192 +0,0 @@
-// +build selinux,linux
-
-package label
-
-import (
- "fmt"
- "strings"
-
- "github.com/opencontainers/runc/libcontainer/selinux"
-)
-
-// Valid Label Options
-var validOptions = map[string]bool{
- "disable": true,
- "type": true,
- "user": true,
- "role": true,
- "level": true,
-}
-
-var ErrIncompatibleLabel = fmt.Errorf("Bad SELinux option z and Z can not be used together")
-
-// InitLabels returns the process label and file labels to be used within
-// the container. A list of options can be passed into this function to alter
-// the labels. The labels returned will include a random MCS String, that is
-// guaranteed to be unique.
-func InitLabels(options []string) (string, string, error) {
- if !selinux.SelinuxEnabled() {
- return "", "", nil
- }
- processLabel, mountLabel := selinux.GetLxcContexts()
- if processLabel != "" {
- pcon := selinux.NewContext(processLabel)
- mcon := selinux.NewContext(mountLabel)
- for _, opt := range options {
- if opt == "disable" {
- return "", "", nil
- }
- if i := strings.Index(opt, ":"); i == -1 {
- return "", "", fmt.Errorf("Bad label option %q, valid options 'disable' or \n'user, role, level, type' followed by ':' and a value", opt)
- }
- con := strings.SplitN(opt, ":", 2)
- if !validOptions[con[0]] {
- return "", "", fmt.Errorf("Bad label option %q, valid options 'disable, user, role, level, type'", con[0])
-
- }
- pcon[con[0]] = con[1]
- if con[0] == "level" || con[0] == "user" {
- mcon[con[0]] = con[1]
- }
- }
- processLabel = pcon.Get()
- mountLabel = mcon.Get()
- }
- return processLabel, mountLabel, nil
-}
-
-// DEPRECATED: The GenLabels function is only to be used during the transition to the official API.
-func GenLabels(options string) (string, string, error) {
- return InitLabels(strings.Fields(options))
-}
-
-// FormatMountLabel returns a string to be used by the mount command.
-// The format of this string will be used to alter the labeling of the mountpoint.
-// The string returned is suitable to be used as the options field of the mount command.
-// If you need to have additional mount point options, you can pass them in as
-// the first parameter. Second parameter is the label that you wish to apply
-// to all content in the mount point.
-func FormatMountLabel(src, mountLabel string) string {
- if mountLabel != "" {
- switch src {
- case "":
- src = fmt.Sprintf("context=%q", mountLabel)
- default:
- src = fmt.Sprintf("%s,context=%q", src, mountLabel)
- }
- }
- return src
-}
-
-// SetProcessLabel takes a process label and tells the kernel to assign the
-// label to the next program executed by the current process.
-func SetProcessLabel(processLabel string) error {
- if processLabel == "" {
- return nil
- }
- return selinux.Setexeccon(processLabel)
-}
-
-// GetProcessLabel returns the process label that the kernel will assign
-// to the next program executed by the current process. If "" is returned
-// this indicates that the default labeling will happen for the process.
-func GetProcessLabel() (string, error) {
- return selinux.Getexeccon()
-}
-
-// SetFileLabel modifies the "path" label to the specified file label
-func SetFileLabel(path string, fileLabel string) error {
- if selinux.SelinuxEnabled() && fileLabel != "" {
- return selinux.Setfilecon(path, fileLabel)
- }
- return nil
-}
-
-// Tell the kernel the label for all files to be created
-func SetFileCreateLabel(fileLabel string) error {
- if selinux.SelinuxEnabled() {
- return selinux.Setfscreatecon(fileLabel)
- }
- return nil
-}
-
-// Change the label of path to the filelabel string.
-// It changes the MCS label to s0 if shared is true.
-// This will allow all containers to share the content.
-func Relabel(path string, fileLabel string, shared bool) error {
- if !selinux.SelinuxEnabled() {
- return nil
- }
-
- if fileLabel == "" {
- return nil
- }
-
- exclude_paths := map[string]bool{"/": true, "/usr": true, "/etc": true}
- if exclude_paths[path] {
- return fmt.Errorf("Relabeling of %s is not allowed", path)
- }
-
- if shared {
- c := selinux.NewContext(fileLabel)
- c["level"] = "s0"
- fileLabel = c.Get()
- }
- return selinux.Chcon(path, fileLabel, true)
-}
-
-// GetPidLabel will return the label of the process running with the specified pid
-func GetPidLabel(pid int) (string, error) {
- return selinux.Getpidcon(pid)
-}
-
-// Init initialises the labeling system
-func Init() {
- selinux.SelinuxEnabled()
-}
-
-// ReserveLabel will record the fact that the MCS label has already been used.
-// This will prevent InitLabels from using the MCS label in a newly created
-// container
-func ReserveLabel(label string) error {
- selinux.ReserveLabel(label)
- return nil
-}
-
-// UnreserveLabel will remove the reservation of the MCS label.
-// This will allow InitLabels to use the MCS label in a newly created
-// containers
-func UnreserveLabel(label string) error {
- selinux.FreeLxcContexts(label)
- return nil
-}
-
-// DupSecOpt takes an process label and returns security options that
-// can be used to set duplicate labels on future container processes
-func DupSecOpt(src string) []string {
- return selinux.DupSecOpt(src)
-}
-
-// DisableSecOpt returns a security opt that can disable labeling
-// support for future container processes
-func DisableSecOpt() []string {
- return selinux.DisableSecOpt()
-}
-
-// Validate checks that the label does not include unexpected options
-func Validate(label string) error {
- if strings.Contains(label, "z") && strings.Contains(label, "Z") {
- return ErrIncompatibleLabel
- }
- return nil
-}
-
-// RelabelNeeded checks whether the user requested a relabel
-func RelabelNeeded(label string) bool {
- return strings.Contains(label, "z") || strings.Contains(label, "Z")
-}
-
-// IsShared checks that the label includes a "shared" mark
-func IsShared(label string) bool {
- return strings.Contains(label, "z")
-}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/label/label_selinux_test.go b/vendor/github.com/opencontainers/runc/libcontainer/label/label_selinux_test.go
deleted file mode 100644
index c2a19f5b1c503141286e298afef5691ae935a06b..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/libcontainer/label/label_selinux_test.go
+++ /dev/null
@@ -1,144 +0,0 @@
-// +build selinux,linux
-
-package label
-
-import (
- "os"
- "strings"
- "testing"
-
- "github.com/opencontainers/runc/libcontainer/selinux"
-)
-
-func TestInit(t *testing.T) {
- if selinux.SelinuxEnabled() {
- var testNull []string
- plabel, mlabel, err := InitLabels(testNull)
- if err != nil {
- t.Log("InitLabels Failed")
- t.Fatal(err)
- }
- testDisabled := []string{"disable"}
- plabel, mlabel, err = InitLabels(testDisabled)
- if err != nil {
- t.Log("InitLabels Disabled Failed")
- t.Fatal(err)
- }
- if plabel != "" {
- t.Log("InitLabels Disabled Failed")
- t.Fatal()
- }
- testUser := []string{"user:user_u", "role:user_r", "type:user_t", "level:s0:c1,c15"}
- plabel, mlabel, err = InitLabels(testUser)
- if err != nil {
- t.Log("InitLabels User Failed")
- t.Fatal(err)
- }
- if plabel != "user_u:user_r:user_t:s0:c1,c15" || mlabel != "user_u:object_r:svirt_sandbox_file_t:s0:c1,c15" {
- t.Log("InitLabels User Match Failed")
- t.Log(plabel, mlabel)
- t.Fatal(err)
- }
-
- testBadData := []string{"user", "role:user_r", "type:user_t", "level:s0:c1,c15"}
- plabel, mlabel, err = InitLabels(testBadData)
- if err == nil {
- t.Log("InitLabels Bad Failed")
- t.Fatal(err)
- }
- }
-}
-func TestDuplicateLabel(t *testing.T) {
- secopt := DupSecOpt("system_u:system_r:svirt_lxc_net_t:s0:c1,c2")
- t.Log(secopt)
- for _, opt := range secopt {
- con := strings.SplitN(opt, ":", 3)
- if len(con) != 3 || con[0] != "label" {
- t.Errorf("Invalid DupSecOpt return value")
- continue
- }
- if con[1] == "user" {
- if con[2] != "system_u" {
- t.Errorf("DupSecOpt Failed user incorrect")
- }
- continue
- }
- if con[1] == "role" {
- if con[2] != "system_r" {
- t.Errorf("DupSecOpt Failed role incorrect")
- }
- continue
- }
- if con[1] == "type" {
- if con[2] != "svirt_lxc_net_t" {
- t.Errorf("DupSecOpt Failed type incorrect")
- }
- continue
- }
- if con[1] == "level" {
- if con[2] != "s0:c1,c2" {
- t.Errorf("DupSecOpt Failed level incorrect")
- }
- continue
- }
- t.Errorf("DupSecOpt Failed invalid field %q", con[1])
- }
- secopt = DisableSecOpt()
- if secopt[0] != "label:disable" {
- t.Errorf("DisableSecOpt Failed level incorrect")
- }
-}
-func TestRelabel(t *testing.T) {
- testdir := "/tmp/test"
- if err := os.Mkdir(testdir, 0755); err != nil {
- t.Fatal(err)
- }
- defer os.RemoveAll(testdir)
- label := "system_u:system_r:svirt_sandbox_file_t:s0:c1,c2"
- if err := Relabel(testdir, "", true); err != nil {
- t.Fatal("Relabel with no label failed: %v", err)
- }
- if err := Relabel(testdir, label, true); err != nil {
- t.Fatal("Relabel shared failed: %v", err)
- }
- if err := Relabel(testdir, label, false); err != nil {
- t.Fatal("Relabel unshared failed: %v", err)
- }
- if err := Relabel("/etc", label, false); err == nil {
- t.Fatal("Relabel /etc succeeded")
- }
- if err := Relabel("/", label, false); err == nil {
- t.Fatal("Relabel / succeeded")
- }
- if err := Relabel("/usr", label, false); err == nil {
- t.Fatal("Relabel /usr succeeded")
- }
-}
-
-func TestValidate(t *testing.T) {
- if err := Validate("zZ"); err != ErrIncompatibleLabel {
- t.Fatalf("Expected incompatible error, got %v", err)
- }
- if err := Validate("Z"); err != nil {
- t.Fatal(err)
- }
- if err := Validate("z"); err != nil {
- t.Fatal(err)
- }
- if err := Validate(""); err != nil {
- t.Fatal(err)
- }
-}
-
-func TestIsShared(t *testing.T) {
- if shared := IsShared("Z"); shared {
- t.Fatal("Expected label `Z` to not be shared, got %v", shared)
- }
- if shared := IsShared("z"); !shared {
- t.Fatal("Expected label `z` to be shared, got %v", shared)
- }
- if shared := IsShared("Zz"); !shared {
- t.Fatal("Expected label `Zz` to be shared, got %v", shared)
- }
-
-}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/message_linux.go b/vendor/github.com/opencontainers/runc/libcontainer/message_linux.go
index 166301338c1dba9399b30243e6ccb2f1d361f826..1d4f5033aa2f8d447dfcedd72e411791d6580734 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/message_linux.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/message_linux.go
@@ -3,23 +3,23 @@
package libcontainer
import (
- "syscall"
-
"github.com/vishvananda/netlink/nl"
+ "golang.org/x/sys/unix"
)
// list of known message types we want to send to bootstrap program
// The number is randomly chosen to not conflict with known netlink types
const (
- InitMsg uint16 = 62000
- CloneFlagsAttr uint16 = 27281
- ConsolePathAttr uint16 = 27282
- NsPathsAttr uint16 = 27283
- UidmapAttr uint16 = 27284
- GidmapAttr uint16 = 27285
- SetgroupAttr uint16 = 27286
- // When syscall.NLA_HDRLEN is in gccgo, take this out.
- syscall_NLA_HDRLEN = (syscall.SizeofNlAttr + syscall.NLA_ALIGNTO - 1) & ^(syscall.NLA_ALIGNTO - 1)
+ InitMsg uint16 = 62000
+ CloneFlagsAttr uint16 = 27281
+ NsPathsAttr uint16 = 27282
+ UidmapAttr uint16 = 27283
+ GidmapAttr uint16 = 27284
+ SetgroupAttr uint16 = 27285
+ OomScoreAdjAttr uint16 = 27286
+ RootlessEUIDAttr uint16 = 27287
+ UidmapPathAttr uint16 = 27288
+ GidmapPathAttr uint16 = 27289
)
type Int32msg struct {
@@ -27,7 +27,8 @@ type Int32msg struct {
Value uint32
}
-// int32msg has the following representation
+// Serialize serializes the message.
+// Int32msg has the following representation
// | nlattr len | nlattr type |
// | uint32 value |
func (msg *Int32msg) Serialize() []byte {
@@ -40,10 +41,10 @@ func (msg *Int32msg) Serialize() []byte {
}
func (msg *Int32msg) Len() int {
- return syscall_NLA_HDRLEN + 4
+ return unix.NLA_HDRLEN + 4
}
-// bytemsg has the following representation
+// Bytemsg has the following representation
// | nlattr len | nlattr type |
// | value | pad |
type Bytemsg struct {
@@ -53,7 +54,7 @@ type Bytemsg struct {
func (msg *Bytemsg) Serialize() []byte {
l := msg.Len()
- buf := make([]byte, (l+syscall.NLA_ALIGNTO-1) & ^(syscall.NLA_ALIGNTO-1))
+ buf := make([]byte, (l+unix.NLA_ALIGNTO-1) & ^(unix.NLA_ALIGNTO-1))
native := nl.NativeEndian()
native.PutUint16(buf[0:2], uint16(l))
native.PutUint16(buf[2:4], msg.Type)
@@ -62,7 +63,7 @@ func (msg *Bytemsg) Serialize() []byte {
}
func (msg *Bytemsg) Len() int {
- return syscall_NLA_HDRLEN + len(msg.Value) + 1 // null-terminated
+ return unix.NLA_HDRLEN + len(msg.Value) + 1 // null-terminated
}
type Boolmsg struct {
@@ -76,13 +77,13 @@ func (msg *Boolmsg) Serialize() []byte {
native.PutUint16(buf[0:2], uint16(msg.Len()))
native.PutUint16(buf[2:4], msg.Type)
if msg.Value {
- buf[4] = 1
+ native.PutUint32(buf[4:8], uint32(1))
} else {
- buf[4] = 0
+ native.PutUint32(buf[4:8], uint32(0))
}
return buf
}
func (msg *Boolmsg) Len() int {
- return syscall_NLA_HDRLEN + 1
+ return unix.NLA_HDRLEN + 4 // alignment
}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/mount/mount.go b/vendor/github.com/opencontainers/runc/libcontainer/mount/mount.go
new file mode 100644
index 0000000000000000000000000000000000000000..e8965e081bb1a95ae688eee9097d6d3250bca1b0
--- /dev/null
+++ b/vendor/github.com/opencontainers/runc/libcontainer/mount/mount.go
@@ -0,0 +1,23 @@
+package mount
+
+// GetMounts retrieves a list of mounts for the current running process.
+func GetMounts() ([]*Info, error) {
+ return parseMountTable()
+}
+
+// Mounted looks at /proc/self/mountinfo to determine of the specified
+// mountpoint has been mounted
+func Mounted(mountpoint string) (bool, error) {
+ entries, err := parseMountTable()
+ if err != nil {
+ return false, err
+ }
+
+ // Search the table for the mountpoint
+ for _, e := range entries {
+ if e.Mountpoint == mountpoint {
+ return true, nil
+ }
+ }
+ return false, nil
+}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/docker/pkg/mount/mountinfo_linux.go b/vendor/github.com/opencontainers/runc/libcontainer/mount/mount_linux.go
similarity index 86%
rename from vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/docker/pkg/mount/mountinfo_linux.go
rename to vendor/github.com/opencontainers/runc/libcontainer/mount/mount_linux.go
index be69fee1d7bbf0383ae1c1dd6564652e1cfaa818..1e5191928decfc5e95aa1d9fe0b080274046494c 100644
--- a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/docker/pkg/mount/mountinfo_linux.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/mount/mount_linux.go
@@ -80,16 +80,3 @@ func parseInfoFile(r io.Reader) ([]*Info, error) {
}
return out, nil
}
-
-// PidMountInfo collects the mounts for a specific process ID. If the process
-// ID is unknown, it is better to use `GetMounts` which will inspect
-// "/proc/self/mountinfo" instead.
-func PidMountInfo(pid int) ([]*Info, error) {
- f, err := os.Open(fmt.Sprintf("/proc/%d/mountinfo", pid))
- if err != nil {
- return nil, err
- }
- defer f.Close()
-
- return parseInfoFile(f)
-}
diff --git a/vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/docker/pkg/mount/mountinfo.go b/vendor/github.com/opencontainers/runc/libcontainer/mount/mountinfo.go
similarity index 100%
rename from vendor/github.com/opencontainers/runc/Godeps/_workspace/src/github.com/docker/docker/pkg/mount/mountinfo.go
rename to vendor/github.com/opencontainers/runc/libcontainer/mount/mountinfo.go
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/network_linux.go b/vendor/github.com/opencontainers/runc/libcontainer/network_linux.go
index 5075bee4db5c4d2bdcf5320954c26ae9ce7ca396..569c53f6e8a178090085144cfebf09a6da44fbad 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/network_linux.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/network_linux.go
@@ -5,18 +5,15 @@ package libcontainer
import (
"fmt"
"io/ioutil"
- "net"
"path/filepath"
"strconv"
"strings"
"github.com/opencontainers/runc/libcontainer/configs"
- "github.com/opencontainers/runc/libcontainer/utils"
"github.com/vishvananda/netlink"
)
var strategies = map[string]networkStrategy{
- "veth": &veth{},
"loopback": &loopback{},
}
@@ -103,157 +100,3 @@ func (l *loopback) attach(n *configs.Network) (err error) {
func (l *loopback) detach(n *configs.Network) (err error) {
return nil
}
-
-// veth is a network strategy that uses a bridge and creates
-// a veth pair, one that is attached to the bridge on the host and the other
-// is placed inside the container's namespace
-type veth struct {
-}
-
-func (v *veth) detach(n *configs.Network) (err error) {
- return netlink.LinkSetMaster(&netlink.Device{LinkAttrs: netlink.LinkAttrs{Name: n.HostInterfaceName}}, nil)
-}
-
-// attach a container network interface to an external network
-func (v *veth) attach(n *configs.Network) (err error) {
- brl, err := netlink.LinkByName(n.Bridge)
- if err != nil {
- return err
- }
- br, ok := brl.(*netlink.Bridge)
- if !ok {
- return fmt.Errorf("Wrong device type %T", brl)
- }
- host, err := netlink.LinkByName(n.HostInterfaceName)
- if err != nil {
- return err
- }
-
- if err := netlink.LinkSetMaster(host, br); err != nil {
- return err
- }
- if err := netlink.LinkSetMTU(host, n.Mtu); err != nil {
- return err
- }
- if n.HairpinMode {
- if err := netlink.LinkSetHairpin(host, true); err != nil {
- return err
- }
- }
- if err := netlink.LinkSetUp(host); err != nil {
- return err
- }
-
- return nil
-}
-
-func (v *veth) create(n *network, nspid int) (err error) {
- tmpName, err := v.generateTempPeerName()
- if err != nil {
- return err
- }
- n.TempVethPeerName = tmpName
- if n.Bridge == "" {
- return fmt.Errorf("bridge is not specified")
- }
- veth := &netlink.Veth{
- LinkAttrs: netlink.LinkAttrs{
- Name: n.HostInterfaceName,
- TxQLen: n.TxQueueLen,
- },
- PeerName: n.TempVethPeerName,
- }
- if err := netlink.LinkAdd(veth); err != nil {
- return err
- }
- defer func() {
- if err != nil {
- netlink.LinkDel(veth)
- }
- }()
- if err := v.attach(&n.Network); err != nil {
- return err
- }
- child, err := netlink.LinkByName(n.TempVethPeerName)
- if err != nil {
- return err
- }
- return netlink.LinkSetNsPid(child, nspid)
-}
-
-func (v *veth) generateTempPeerName() (string, error) {
- return utils.GenerateRandomName("veth", 7)
-}
-
-func (v *veth) initialize(config *network) error {
- peer := config.TempVethPeerName
- if peer == "" {
- return fmt.Errorf("peer is not specified")
- }
- child, err := netlink.LinkByName(peer)
- if err != nil {
- return err
- }
- if err := netlink.LinkSetDown(child); err != nil {
- return err
- }
- if err := netlink.LinkSetName(child, config.Name); err != nil {
- return err
- }
- // get the interface again after we changed the name as the index also changes.
- if child, err = netlink.LinkByName(config.Name); err != nil {
- return err
- }
- if config.MacAddress != "" {
- mac, err := net.ParseMAC(config.MacAddress)
- if err != nil {
- return err
- }
- if err := netlink.LinkSetHardwareAddr(child, mac); err != nil {
- return err
- }
- }
- ip, err := netlink.ParseAddr(config.Address)
- if err != nil {
- return err
- }
- if err := netlink.AddrAdd(child, ip); err != nil {
- return err
- }
- if config.IPv6Address != "" {
- ip6, err := netlink.ParseAddr(config.IPv6Address)
- if err != nil {
- return err
- }
- if err := netlink.AddrAdd(child, ip6); err != nil {
- return err
- }
- }
- if err := netlink.LinkSetMTU(child, config.Mtu); err != nil {
- return err
- }
- if err := netlink.LinkSetUp(child); err != nil {
- return err
- }
- if config.Gateway != "" {
- gw := net.ParseIP(config.Gateway)
- if err := netlink.RouteAdd(&netlink.Route{
- Scope: netlink.SCOPE_UNIVERSE,
- LinkIndex: child.Attrs().Index,
- Gw: gw,
- }); err != nil {
- return err
- }
- }
- if config.IPv6Gateway != "" {
- gw := net.ParseIP(config.IPv6Gateway)
- if err := netlink.RouteAdd(&netlink.Route{
- Scope: netlink.SCOPE_UNIVERSE,
- LinkIndex: child.Attrs().Index,
- Gw: gw,
- }); err != nil {
- return err
- }
- }
- return nil
-}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/notify_linux.go b/vendor/github.com/opencontainers/runc/libcontainer/notify_linux.go
index 839a50c55a35a9365f226c35b9a1ec9f44952908..47a06783d6fe546c28dab888867570e547dc14d8 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/notify_linux.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/notify_linux.go
@@ -7,7 +7,8 @@ import (
"io/ioutil"
"os"
"path/filepath"
- "syscall"
+
+ "golang.org/x/sys/unix"
)
const oomCgroupName = "memory"
@@ -25,13 +26,13 @@ func registerMemoryEvent(cgDir string, evName string, arg string) (<-chan struct
if err != nil {
return nil, err
}
- fd, _, syserr := syscall.RawSyscall(syscall.SYS_EVENTFD2, 0, syscall.FD_CLOEXEC, 0)
- if syserr != 0 {
+ fd, err := unix.Eventfd(0, unix.EFD_CLOEXEC)
+ if err != nil {
evFile.Close()
- return nil, syserr
+ return nil, err
}
- eventfd := os.NewFile(fd, "eventfd")
+ eventfd := os.NewFile(uintptr(fd), "eventfd")
eventControlPath := filepath.Join(cgDir, "cgroup.event_control")
data := fmt.Sprintf("%d %d %s", eventfd.Fd(), evFile.Fd(), arg)
@@ -43,9 +44,9 @@ func registerMemoryEvent(cgDir string, evName string, arg string) (<-chan struct
ch := make(chan struct{})
go func() {
defer func() {
- close(ch)
eventfd.Close()
evFile.Close()
+ close(ch)
}()
buf := make([]byte, 8)
for {
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/notify_linux_test.go b/vendor/github.com/opencontainers/runc/libcontainer/notify_linux_test.go
index 9aa4f3b3f46fc88c220e5a186b1386ba3ee4e303..1e15ae2c3b55028865132b2c77f66ec7d519e52e 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/notify_linux_test.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/notify_linux_test.go
@@ -8,9 +8,10 @@ import (
"io/ioutil"
"os"
"path/filepath"
- "syscall"
"testing"
"time"
+
+ "golang.org/x/sys/unix"
)
type notifyFunc func(paths map[string]string) (<-chan struct{}, error)
@@ -52,21 +53,17 @@ func testMemoryNotification(t *testing.T, evName string, notify notifyFunc, targ
t.Fatalf("invalid control data %q: %s", data, err)
}
- // re-open the eventfd
- efd, err := syscall.Dup(eventFd)
- if err != nil {
- t.Fatal("unable to reopen eventfd:", err)
- }
- defer syscall.Close(efd)
-
+ // dup the eventfd
+ efd, err := unix.Dup(eventFd)
if err != nil {
- t.Fatal("unable to dup event fd:", err)
+ t.Fatal("unable to dup eventfd:", err)
}
+ defer unix.Close(efd)
buf := make([]byte, 8)
binary.LittleEndian.PutUint64(buf, 1)
- if _, err := syscall.Write(efd, buf); err != nil {
+ if _, err := unix.Write(efd, buf); err != nil {
t.Fatal("unable to write to eventfd:", err)
}
@@ -81,7 +78,7 @@ func testMemoryNotification(t *testing.T, evName string, notify notifyFunc, targ
if err := os.RemoveAll(memoryPath); err != nil {
t.Fatal(err)
}
- if _, err := syscall.Write(efd, buf); err != nil {
+ if _, err := unix.Write(efd, buf); err != nil {
t.Fatal("unable to write to eventfd:", err)
}
@@ -92,14 +89,15 @@ func testMemoryNotification(t *testing.T, evName string, notify notifyFunc, targ
t.Fatal("expected no notification to be triggered")
}
case <-time.After(100 * time.Millisecond):
+ t.Fatal("channel not closed after 100ms")
}
- if _, _, err := syscall.Syscall(syscall.SYS_FCNTL, uintptr(evFd), syscall.F_GETFD, 0); err != syscall.EBADF {
- t.Error("expected event control to be closed")
+ if _, _, err := unix.Syscall(unix.SYS_FCNTL, uintptr(evFd), unix.F_GETFD, 0); err != unix.EBADF {
+ t.Errorf("expected event control to be closed, but received error %s", err.Error())
}
- if _, _, err := syscall.Syscall(syscall.SYS_FCNTL, uintptr(eventFd), syscall.F_GETFD, 0); err != syscall.EBADF {
- t.Error("expected event fd to be closed")
+ if _, _, err := unix.Syscall(unix.SYS_FCNTL, uintptr(eventFd), unix.F_GETFD, 0); err != unix.EBADF {
+ t.Errorf("expected event fd to be closed, but received error %s", err.Error())
}
}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/nsenter/namespace.h b/vendor/github.com/opencontainers/runc/libcontainer/nsenter/namespace.h
new file mode 100644
index 0000000000000000000000000000000000000000..9e9bdca05e171cd27a1ba314372ad5af3e621d4d
--- /dev/null
+++ b/vendor/github.com/opencontainers/runc/libcontainer/nsenter/namespace.h
@@ -0,0 +1,32 @@
+#ifndef NSENTER_NAMESPACE_H
+#define NSENTER_NAMESPACE_H
+
+#ifndef _GNU_SOURCE
+# define _GNU_SOURCE
+#endif
+#include <sched.h>
+
+/* All of these are taken from include/uapi/linux/sched.h */
+#ifndef CLONE_NEWNS
+# define CLONE_NEWNS 0x00020000 /* New mount namespace group */
+#endif
+#ifndef CLONE_NEWCGROUP
+# define CLONE_NEWCGROUP 0x02000000 /* New cgroup namespace */
+#endif
+#ifndef CLONE_NEWUTS
+# define CLONE_NEWUTS 0x04000000 /* New utsname namespace */
+#endif
+#ifndef CLONE_NEWIPC
+# define CLONE_NEWIPC 0x08000000 /* New ipc namespace */
+#endif
+#ifndef CLONE_NEWUSER
+# define CLONE_NEWUSER 0x10000000 /* New user namespace */
+#endif
+#ifndef CLONE_NEWPID
+# define CLONE_NEWPID 0x20000000 /* New pid namespace */
+#endif
+#ifndef CLONE_NEWNET
+# define CLONE_NEWNET 0x40000000 /* New network namespace */
+#endif
+
+#endif /* NSENTER_NAMESPACE_H */
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/nsenter/nsenter_test.go b/vendor/github.com/opencontainers/runc/libcontainer/nsenter/nsenter_test.go
index f7b12be9f840838857af2da32c13ed34a8785133..532155535de3fb17b7dc5d44666ed731006eb517 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/nsenter/nsenter_test.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/nsenter/nsenter_test.go
@@ -9,11 +9,12 @@ import (
"os"
"os/exec"
"strings"
- "syscall"
"testing"
"github.com/opencontainers/runc/libcontainer"
"github.com/vishvananda/netlink/nl"
+
+ "golang.org/x/sys/unix"
)
type pid struct {
@@ -29,7 +30,7 @@ func TestNsenterValidPaths(t *testing.T) {
namespaces := []string{
// join pid ns of the current process
- fmt.Sprintf("/proc/%d/ns/pid", os.Getpid()),
+ fmt.Sprintf("pid:/proc/%d/ns/pid", os.Getpid()),
}
cmd := &exec.Cmd{
Path: os.Args[0],
@@ -47,7 +48,7 @@ func TestNsenterValidPaths(t *testing.T) {
r := nl.NewNetlinkRequest(int(libcontainer.InitMsg), 0)
r.AddData(&libcontainer.Int32msg{
Type: libcontainer.CloneFlagsAttr,
- Value: uint32(syscall.CLONE_NEWNET),
+ Value: uint32(unix.CLONE_NEWNET),
})
r.AddData(&libcontainer.Bytemsg{
Type: libcontainer.NsPathsAttr,
@@ -60,6 +61,9 @@ func TestNsenterValidPaths(t *testing.T) {
decoder := json.NewDecoder(parent)
var pid *pid
+ if err := cmd.Wait(); err != nil {
+ t.Fatalf("nsenter exits with a non-zero exit status")
+ }
if err := decoder.Decode(&pid); err != nil {
dir, _ := ioutil.ReadDir(fmt.Sprintf("/proc/%d/ns", os.Getpid()))
for _, d := range dir {
@@ -68,9 +72,6 @@ func TestNsenterValidPaths(t *testing.T) {
t.Fatalf("%v", err)
}
- if err := cmd.Wait(); err != nil {
- t.Fatalf("nsenter exits with a non-zero exit status")
- }
p, err := os.FindProcess(pid.Pid)
if err != nil {
t.Fatalf("%v", err)
@@ -87,7 +88,47 @@ func TestNsenterInvalidPaths(t *testing.T) {
namespaces := []string{
// join pid ns of the current process
- fmt.Sprintf("/proc/%d/ns/pid", -1),
+ fmt.Sprintf("pid:/proc/%d/ns/pid", -1),
+ }
+ cmd := &exec.Cmd{
+ Path: os.Args[0],
+ Args: args,
+ ExtraFiles: []*os.File{child},
+ Env: []string{"_LIBCONTAINER_INITPIPE=3"},
+ }
+
+ if err := cmd.Start(); err != nil {
+ t.Fatal(err)
+ }
+ // write cloneFlags
+ r := nl.NewNetlinkRequest(int(libcontainer.InitMsg), 0)
+ r.AddData(&libcontainer.Int32msg{
+ Type: libcontainer.CloneFlagsAttr,
+ Value: uint32(unix.CLONE_NEWNET),
+ })
+ r.AddData(&libcontainer.Bytemsg{
+ Type: libcontainer.NsPathsAttr,
+ Value: []byte(strings.Join(namespaces, ",")),
+ })
+ if _, err := io.Copy(parent, bytes.NewReader(r.Serialize())); err != nil {
+ t.Fatal(err)
+ }
+
+ if err := cmd.Wait(); err == nil {
+ t.Fatalf("nsenter exits with a zero exit status")
+ }
+}
+
+func TestNsenterIncorrectPathType(t *testing.T) {
+ args := []string{"nsenter-exec"}
+ parent, child, err := newPipe()
+ if err != nil {
+ t.Fatalf("failed to create pipe %v", err)
+ }
+
+ namespaces := []string{
+ // join pid ns of the current process
+ fmt.Sprintf("net:/proc/%d/ns/pid", os.Getpid()),
}
cmd := &exec.Cmd{
Path: os.Args[0],
@@ -103,7 +144,7 @@ func TestNsenterInvalidPaths(t *testing.T) {
r := nl.NewNetlinkRequest(int(libcontainer.InitMsg), 0)
r.AddData(&libcontainer.Int32msg{
Type: libcontainer.CloneFlagsAttr,
- Value: uint32(syscall.CLONE_NEWNET),
+ Value: uint32(unix.CLONE_NEWNET),
})
r.AddData(&libcontainer.Bytemsg{
Type: libcontainer.NsPathsAttr,
@@ -126,7 +167,7 @@ func init() {
}
func newPipe() (parent *os.File, child *os.File, err error) {
- fds, err := syscall.Socketpair(syscall.AF_LOCAL, syscall.SOCK_STREAM|syscall.SOCK_CLOEXEC, 0)
+ fds, err := unix.Socketpair(unix.AF_LOCAL, unix.SOCK_STREAM|unix.SOCK_CLOEXEC, 0)
if err != nil {
return nil, nil, err
}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/nsenter/nsexec.c b/vendor/github.com/opencontainers/runc/libcontainer/nsenter/nsexec.c
index a52b7dc37878bc19e2b030f49f3b4e8d5405a6fc..28269dfc027fd4e4315147a5e77da74af969e6a3 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/nsenter/nsexec.c
+++ b/vendor/github.com/opencontainers/runc/libcontainer/nsenter/nsexec.c
@@ -1,454 +1,995 @@
+
#define _GNU_SOURCE
#include <endian.h>
#include <errno.h>
#include <fcntl.h>
-#include <linux/limits.h>
-#include <sys/socket.h>
-#include <linux/netlink.h>
+#include <grp.h>
#include <sched.h>
#include <setjmp.h>
#include <signal.h>
+#include <stdarg.h>
+#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
+#include <stdbool.h>
#include <string.h>
+#include <unistd.h>
+
#include <sys/ioctl.h>
-#include <sys/types.h>
#include <sys/prctl.h>
-#include <unistd.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <sys/wait.h>
-#include <bits/sockaddr.h>
+#include <linux/limits.h>
+#include <linux/netlink.h>
#include <linux/types.h>
-// All arguments should be above the stack because it grows down
-struct clone_arg {
+/* Get all of the CLONE_NEW* flags. */
+#include "namespace.h"
+
+/* Synchronisation values. */
+enum sync_t {
+ SYNC_USERMAP_PLS = 0x40, /* Request parent to map our users. */
+ SYNC_USERMAP_ACK = 0x41, /* Mapping finished by the parent. */
+ SYNC_RECVPID_PLS = 0x42, /* Tell parent we're sending the PID. */
+ SYNC_RECVPID_ACK = 0x43, /* PID was correctly received by parent. */
+ SYNC_GRANDCHILD = 0x44, /* The grandchild is ready to run. */
+ SYNC_CHILD_READY = 0x45, /* The child or grandchild is ready to return. */
+
+ /* XXX: This doesn't help with segfaults and other such issues. */
+ SYNC_ERR = 0xFF, /* Fatal error, no turning back. The error code follows. */
+};
+
+/*
+ * Synchronisation value for cgroup namespace setup.
+ * The same constant is defined in process_linux.go as "createCgroupns".
+ */
+#define CREATECGROUPNS 0x80
+
+/* longjmp() arguments. */
+#define JUMP_PARENT 0x00
+#define JUMP_CHILD 0xA0
+#define JUMP_INIT 0xA1
+
+/* JSON buffer. */
+#define JSON_MAX 4096
+
+/* Assume the stack grows down, so arguments should be above it. */
+struct clone_t {
/*
* Reserve some space for clone() to locate arguments
* and retcode in this place
*/
- char stack[4096] __attribute__((aligned(16)));
- char stack_ptr[0];
+ char stack[4096] __attribute__ ((aligned(16)));
+ char stack_ptr[0];
+
+ /* There's two children. This is used to execute the different code. */
jmp_buf *env;
+ int jmpval;
};
-struct nsenter_config {
+struct nlconfig_t {
+ char *data;
+
+ /* Process settings. */
uint32_t cloneflags;
- char *uidmap;
- int uidmap_len;
- char *gidmap;
- int gidmap_len;
- uint8_t is_setgroup;
+ char *oom_score_adj;
+ size_t oom_score_adj_len;
+
+ /* User namespace settings. */
+ char *uidmap;
+ size_t uidmap_len;
+ char *gidmap;
+ size_t gidmap_len;
+ char *namespaces;
+ size_t namespaces_len;
+ uint8_t is_setgroup;
+
+ /* Rootless container settings. */
+ uint8_t is_rootless_euid; /* boolean */
+ char *uidmappath;
+ size_t uidmappath_len;
+ char *gidmappath;
+ size_t gidmappath_len;
};
-// list of known message types we want to send to bootstrap program
-// These are defined in libcontainer/message_linux.go
-#define INIT_MSG 62000
-#define CLONE_FLAGS_ATTR 27281
-#define CONSOLE_PATH_ATTR 27282
-#define NS_PATHS_ATTR 27283
-#define UIDMAP_ATTR 27284
-#define GIDMAP_ATTR 27285
-#define SETGROUP_ATTR 27286
-
-// Use raw setns syscall for versions of glibc that don't include it
-// (namely glibc-2.12)
+/*
+ * List of netlink message types sent to us as part of bootstrapping the init.
+ * These constants are defined in libcontainer/message_linux.go.
+ */
+#define INIT_MSG 62000
+#define CLONE_FLAGS_ATTR 27281
+#define NS_PATHS_ATTR 27282
+#define UIDMAP_ATTR 27283
+#define GIDMAP_ATTR 27284
+#define SETGROUP_ATTR 27285
+#define OOM_SCORE_ADJ_ATTR 27286
+#define ROOTLESS_EUID_ATTR 27287
+#define UIDMAPPATH_ATTR 27288
+#define GIDMAPPATH_ATTR 27289
+
+/*
+ * Use the raw syscall for versions of glibc which don't include a function for
+ * it, namely (glibc 2.12).
+ */
#if __GLIBC__ == 2 && __GLIBC_MINOR__ < 14
- #define _GNU_SOURCE
- #include "syscall.h"
- #if defined(__NR_setns) && !defined(SYS_setns)
- #define SYS_setns __NR_setns
- #endif
-
- #ifdef SYS_setns
- int setns(int fd, int nstype)
- {
- return syscall(SYS_setns, fd, nstype);
- }
- #endif
+# define _GNU_SOURCE
+# include "syscall.h"
+# if !defined(SYS_setns) && defined(__NR_setns)
+# define SYS_setns __NR_setns
+# endif
+
+#ifndef SYS_setns
+# error "setns(2) syscall not supported by glibc version"
#endif
-#define pr_perror(fmt, ...) \
- fprintf(stderr, "nsenter: " fmt ": %m\n", ##__VA_ARGS__)
-
-static int child_func(void *_arg)
+int setns(int fd, int nstype)
{
- struct clone_arg *arg = (struct clone_arg *)_arg;
- longjmp(*arg->env, 1);
+ return syscall(SYS_setns, fd, nstype);
}
+#endif
-static int clone_parent(jmp_buf *env, int flags) __attribute__((noinline));
-static int clone_parent(jmp_buf *env, int flags)
+/* XXX: This is ugly. */
+static int syncfd = -1;
+
+/* TODO(cyphar): Fix this so it correctly deals with syncT. */
+#define bail(fmt, ...) \
+ do { \
+ int ret = __COUNTER__ + 1; \
+ fprintf(stderr, "nsenter: " fmt ": %m\n", ##__VA_ARGS__); \
+ if (syncfd >= 0) { \
+ enum sync_t s = SYNC_ERR; \
+ if (write(syncfd, &s, sizeof(s)) != sizeof(s)) \
+ fprintf(stderr, "nsenter: failed: write(s)"); \
+ if (write(syncfd, &ret, sizeof(ret)) != sizeof(ret)) \
+ fprintf(stderr, "nsenter: failed: write(ret)"); \
+ } \
+ exit(ret); \
+ } while(0)
+
+static int write_file(char *data, size_t data_len, char *pathfmt, ...)
{
- struct clone_arg ca;
- int child;
-
- ca.env = env;
- child = clone(child_func, ca.stack_ptr, CLONE_PARENT | SIGCHLD | flags,
- &ca);
- if (child == -1 && errno == EINVAL) {
- if (unshare(flags)) {
- pr_perror("Unable to unshare namespaces");
- return -1;
- }
- child = clone(child_func, ca.stack_ptr, SIGCHLD | CLONE_PARENT,
- &ca);
+ int fd, len, ret = 0;
+ char path[PATH_MAX];
+
+ va_list ap;
+ va_start(ap, pathfmt);
+ len = vsnprintf(path, PATH_MAX, pathfmt, ap);
+ va_end(ap);
+ if (len < 0)
+ return -1;
+
+ fd = open(path, O_RDWR);
+ if (fd < 0) {
+ return -1;
+ }
+
+ len = write(fd, data, data_len);
+ if (len != data_len) {
+ ret = -1;
+ goto out;
}
- return child;
+
+ out:
+ close(fd);
+ return ret;
}
-// get init pipe from the parent. It's used to read bootstrap data, and to
-// write pid to after nsexec finishes setting up the environment.
-static int get_init_pipe()
-{
- char buf[PATH_MAX];
- char *initpipe;
- int pipenum = -1;
+enum policy_t {
+ SETGROUPS_DEFAULT = 0,
+ SETGROUPS_ALLOW,
+ SETGROUPS_DENY,
+};
- initpipe = getenv("_LIBCONTAINER_INITPIPE");
- if (initpipe == NULL) {
- return -1;
+/* This *must* be called before we touch gid_map. */
+static void update_setgroups(int pid, enum policy_t setgroup)
+{
+ char *policy;
+
+ switch (setgroup) {
+ case SETGROUPS_ALLOW:
+ policy = "allow";
+ break;
+ case SETGROUPS_DENY:
+ policy = "deny";
+ break;
+ case SETGROUPS_DEFAULT:
+ default:
+ /* Nothing to do. */
+ return;
}
- pipenum = atoi(initpipe);
- snprintf(buf, sizeof(buf), "%d", pipenum);
- if (strcmp(initpipe, buf)) {
- pr_perror("Unable to parse _LIBCONTAINER_INITPIPE");
- exit(1);
+ if (write_file(policy, strlen(policy), "/proc/%d/setgroups", pid) < 0) {
+ /*
+ * If the kernel is too old to support /proc/pid/setgroups,
+ * open(2) or write(2) will return ENOENT. This is fine.
+ */
+ if (errno != ENOENT)
+ bail("failed to write '%s' to /proc/%d/setgroups", policy, pid);
}
-
- return pipenum;
}
-// num_namespaces returns the number of additional namespaces to setns. The
-// argument is a comma-separated string of namespace paths.
-static int num_namespaces(char *nspaths)
+static int try_mapping_tool(const char *app, int pid, char *map, size_t map_len)
{
- int i;
- int size = 0;
+ int child;
- for (i = 0; nspaths[i]; i++) {
- if (nspaths[i] == ',') {
- size += 1;
+ /*
+ * If @app is NULL, execve will segfault. Just check it here and bail (if
+ * we're in this path, the caller is already getting desperate and there
+ * isn't a backup to this failing). This usually would be a configuration
+ * or programming issue.
+ */
+ if (!app)
+ bail("mapping tool not present");
+
+ child = fork();
+ if (child < 0)
+ bail("failed to fork");
+
+ if (!child) {
+#define MAX_ARGV 20
+ char *argv[MAX_ARGV];
+ char *envp[] = { NULL };
+ char pid_fmt[16];
+ int argc = 0;
+ char *next;
+
+ snprintf(pid_fmt, 16, "%d", pid);
+
+ argv[argc++] = (char *)app;
+ argv[argc++] = pid_fmt;
+ /*
+ * Convert the map string into a list of argument that
+ * newuidmap/newgidmap can understand.
+ */
+
+ while (argc < MAX_ARGV) {
+ if (*map == '\0') {
+ argv[argc++] = NULL;
+ break;
+ }
+ argv[argc++] = map;
+ next = strpbrk(map, "\n ");
+ if (next == NULL)
+ break;
+ *next++ = '\0';
+ map = next + strspn(next, "\n ");
+ }
+
+ execve(app, argv, envp);
+ bail("failed to execv");
+ } else {
+ int status;
+
+ while (true) {
+ if (waitpid(child, &status, 0) < 0) {
+ if (errno == EINTR)
+ continue;
+ bail("failed to waitpid");
+ }
+ if (WIFEXITED(status) || WIFSIGNALED(status))
+ return WEXITSTATUS(status);
}
}
- return size + 1;
+ return -1;
}
-static uint32_t readint32(char *buf)
+static void update_uidmap(const char *path, int pid, char *map, size_t map_len)
{
- return *(uint32_t *)buf;
+ if (map == NULL || map_len <= 0)
+ return;
+
+ if (write_file(map, map_len, "/proc/%d/uid_map", pid) < 0) {
+ if (errno != EPERM)
+ bail("failed to update /proc/%d/uid_map", pid);
+ if (try_mapping_tool(path, pid, map, map_len))
+ bail("failed to use newuid map on %d", pid);
+ }
}
-static uint8_t readint8(char *buf)
+static void update_gidmap(const char *path, int pid, char *map, size_t map_len)
{
- return *(uint8_t *)buf;
+ if (map == NULL || map_len <= 0)
+ return;
+
+ if (write_file(map, map_len, "/proc/%d/gid_map", pid) < 0) {
+ if (errno != EPERM)
+ bail("failed to update /proc/%d/gid_map", pid);
+ if (try_mapping_tool(path, pid, map, map_len))
+ bail("failed to use newgid map on %d", pid);
+ }
}
-static void update_process_idmap(char *pathfmt, int pid, char *map, int map_len)
+static void update_oom_score_adj(char *data, size_t len)
{
- char buf[PATH_MAX];
- int len;
- int fd;
-
- len = snprintf(buf, sizeof(buf), pathfmt, pid);
- if (len < 0) {
- pr_perror("failed to construct '%s' for %d", pathfmt, pid);
- exit(1);
- }
+ if (data == NULL || len <= 0)
+ return;
- fd = open(buf, O_RDWR);
- if (fd == -1) {
- pr_perror("failed to open %s", buf);
- exit(1);
- }
+ if (write_file(data, len, "/proc/self/oom_score_adj") < 0)
+ bail("failed to update /proc/self/oom_score_adj");
+}
- len = write(fd, map, map_len);
- if (len == -1) {
- pr_perror("failed to write to %s", buf);
- exit(1);
- } else if (len != map_len) {
- fprintf(stderr, "Failed to write data to %s (%d/%d)",
- buf, len, map_len);
- exit(1);
- }
+/* A dummy function that just jumps to the given jumpval. */
+static int child_func(void *arg) __attribute__ ((noinline));
+static int child_func(void *arg)
+{
+ struct clone_t *ca = (struct clone_t *)arg;
+ longjmp(*ca->env, ca->jmpval);
+}
- close(fd);
+static int clone_parent(jmp_buf *env, int jmpval) __attribute__ ((noinline));
+static int clone_parent(jmp_buf *env, int jmpval)
+{
+ struct clone_t ca = {
+ .env = env,
+ .jmpval = jmpval,
+ };
+
+ return clone(child_func, ca.stack_ptr, CLONE_PARENT | SIGCHLD, &ca);
}
-static void update_process_uidmap(int pid, char *map, int map_len)
+/*
+ * Gets the init pipe fd from the environment, which is used to read the
+ * bootstrap data and tell the parent what the new pid is after we finish
+ * setting up the environment.
+ */
+static int initpipe(void)
{
- if ((map == NULL) || (map_len <= 0)) {
- return;
- }
+ int pipenum;
+ char *initpipe, *endptr;
+
+ initpipe = getenv("_LIBCONTAINER_INITPIPE");
+ if (initpipe == NULL || *initpipe == '\0')
+ return -1;
+
+ pipenum = strtol(initpipe, &endptr, 10);
+ if (*endptr != '\0')
+ bail("unable to parse _LIBCONTAINER_INITPIPE");
- update_process_idmap("/proc/%d/uid_map", pid, map, map_len);
+ return pipenum;
}
-static void update_process_gidmap(int pid, uint8_t is_setgroup, char *map, int map_len)
+/* Returns the clone(2) flag for a namespace, given the name of a namespace. */
+static int nsflag(char *name)
{
- if ((map == NULL) || (map_len <= 0)) {
- return;
- }
+ if (!strcmp(name, "cgroup"))
+ return CLONE_NEWCGROUP;
+ else if (!strcmp(name, "ipc"))
+ return CLONE_NEWIPC;
+ else if (!strcmp(name, "mnt"))
+ return CLONE_NEWNS;
+ else if (!strcmp(name, "net"))
+ return CLONE_NEWNET;
+ else if (!strcmp(name, "pid"))
+ return CLONE_NEWPID;
+ else if (!strcmp(name, "user"))
+ return CLONE_NEWUSER;
+ else if (!strcmp(name, "uts"))
+ return CLONE_NEWUTS;
+
+ /* If we don't recognise a name, fallback to 0. */
+ return 0;
+}
- if (is_setgroup == 1) {
- int fd;
- int len;
- char buf[PATH_MAX];
+static uint32_t readint32(char *buf)
+{
+ return *(uint32_t *) buf;
+}
- len = snprintf(buf, sizeof(buf), "/proc/%d/setgroups", pid);
- if (len < 0) {
- pr_perror("failed to get setgroups path for %d", pid);
- exit(1);
- }
+static uint8_t readint8(char *buf)
+{
+ return *(uint8_t *) buf;
+}
- fd = open(buf, O_RDWR);
- if (fd == -1) {
- pr_perror("failed to open %s", buf);
- exit(1);
- }
- if (write(fd, "allow", 5) != 5) {
- // If the kernel is too old to support
- // /proc/PID/setgroups, write will return
- // ENOENT; this is OK.
- if (errno != ENOENT) {
- pr_perror("failed to write allow to %s", buf);
- exit(1);
- }
+static void nl_parse(int fd, struct nlconfig_t *config)
+{
+ size_t len, size;
+ struct nlmsghdr hdr;
+ char *data, *current;
+
+ /* Retrieve the netlink header. */
+ len = read(fd, &hdr, NLMSG_HDRLEN);
+ if (len != NLMSG_HDRLEN)
+ bail("invalid netlink header length %zu", len);
+
+ if (hdr.nlmsg_type == NLMSG_ERROR)
+ bail("failed to read netlink message");
+
+ if (hdr.nlmsg_type != INIT_MSG)
+ bail("unexpected msg type %d", hdr.nlmsg_type);
+
+ /* Retrieve data. */
+ size = NLMSG_PAYLOAD(&hdr, 0);
+ current = data = malloc(size);
+ if (!data)
+ bail("failed to allocate %zu bytes of memory for nl_payload", size);
+
+ len = read(fd, data, size);
+ if (len != size)
+ bail("failed to read netlink payload, %zu != %zu", len, size);
+
+ /* Parse the netlink payload. */
+ config->data = data;
+ while (current < data + size) {
+ struct nlattr *nlattr = (struct nlattr *)current;
+ size_t payload_len = nlattr->nla_len - NLA_HDRLEN;
+
+ /* Advance to payload. */
+ current += NLA_HDRLEN;
+
+ /* Handle payload. */
+ switch (nlattr->nla_type) {
+ case CLONE_FLAGS_ATTR:
+ config->cloneflags = readint32(current);
+ break;
+ case ROOTLESS_EUID_ATTR:
+ config->is_rootless_euid = readint8(current); /* boolean */
+ break;
+ case OOM_SCORE_ADJ_ATTR:
+ config->oom_score_adj = current;
+ config->oom_score_adj_len = payload_len;
+ break;
+ case NS_PATHS_ATTR:
+ config->namespaces = current;
+ config->namespaces_len = payload_len;
+ break;
+ case UIDMAP_ATTR:
+ config->uidmap = current;
+ config->uidmap_len = payload_len;
+ break;
+ case GIDMAP_ATTR:
+ config->gidmap = current;
+ config->gidmap_len = payload_len;
+ break;
+ case UIDMAPPATH_ATTR:
+ config->uidmappath = current;
+ config->uidmappath_len = payload_len;
+ break;
+ case GIDMAPPATH_ATTR:
+ config->gidmappath = current;
+ config->gidmappath_len = payload_len;
+ break;
+ case SETGROUP_ATTR:
+ config->is_setgroup = readint8(current);
+ break;
+ default:
+ bail("unknown netlink message type %d", nlattr->nla_type);
}
- close(fd);
- }
- update_process_idmap("/proc/%d/gid_map", pid, map, map_len);
+ current += NLA_ALIGN(payload_len);
+ }
}
+void nl_free(struct nlconfig_t *config)
+{
+ free(config->data);
+}
-static void start_child(int pipenum, jmp_buf *env, int syncpipe[2],
- struct nsenter_config *config)
+void join_namespaces(char *nslist)
{
- int len;
- int childpid;
- char buf[PATH_MAX];
- uint8_t syncbyte = 1;
-
- // We must fork to actually enter the PID namespace, use CLONE_PARENT
- // so the child can have the right parent, and we don't need to forward
- // the child's exit code or resend its death signal.
- childpid = clone_parent(env, config->cloneflags);
- if (childpid < 0) {
- pr_perror("Unable to fork");
- exit(1);
- }
+ int num = 0, i;
+ char *saveptr = NULL;
+ char *namespace = strtok_r(nslist, ",", &saveptr);
+ struct namespace_t {
+ int fd;
+ int ns;
+ char type[PATH_MAX];
+ char path[PATH_MAX];
+ } *namespaces = NULL;
+
+ if (!namespace || !strlen(namespace) || !strlen(nslist))
+ bail("ns paths are empty");
- // update uid_map and gid_map for the child process if they
- // were provided
- update_process_uidmap(childpid, config->uidmap, config->uidmap_len);
+ /*
+ * We have to open the file descriptors first, since after
+ * we join the mnt namespace we might no longer be able to
+ * access the paths.
+ */
+ do {
+ int fd;
+ char *path;
+ struct namespace_t *ns;
+
+ /* Resize the namespace array. */
+ namespaces = realloc(namespaces, ++num * sizeof(struct namespace_t));
+ if (!namespaces)
+ bail("failed to reallocate namespace array");
+ ns = &namespaces[num - 1];
+
+ /* Split 'ns:path'. */
+ path = strstr(namespace, ":");
+ if (!path)
+ bail("failed to parse %s", namespace);
+ *path++ = '\0';
+
+ fd = open(path, O_RDONLY);
+ if (fd < 0)
+ bail("failed to open %s", path);
+
+ ns->fd = fd;
+ ns->ns = nsflag(namespace);
+ strncpy(ns->path, path, PATH_MAX - 1);
+ ns->path[PATH_MAX - 1] = '\0';
+ } while ((namespace = strtok_r(NULL, ",", &saveptr)) != NULL);
+
+ /*
+ * The ordering in which we join namespaces is important. We should
+ * always join the user namespace *first*. This is all guaranteed
+ * from the container_linux.go side of this, so we're just going to
+ * follow the order given to us.
+ */
- update_process_gidmap(childpid, config->is_setgroup, config->gidmap, config->gidmap_len);
+ for (i = 0; i < num; i++) {
+ struct namespace_t ns = namespaces[i];
- // Send the sync signal to the child
- close(syncpipe[0]);
- syncbyte = 1;
- if (write(syncpipe[1], &syncbyte, 1) != 1) {
- pr_perror("failed to write sync byte to child");
- exit(1);
- }
+ if (setns(ns.fd, ns.ns) < 0)
+ bail("failed to setns to %s", ns.path);
- // Send the child pid back to our parent
- len = snprintf(buf, sizeof(buf), "{ \"pid\" : %d }\n", childpid);
- if ((len < 0) || (write(pipenum, buf, len) != len)) {
- pr_perror("Unable to send a child pid");
- kill(childpid, SIGKILL);
- exit(1);
+ close(ns.fd);
}
- exit(0);
+ free(namespaces);
}
-static void process_nl_attributes(int pipenum, char *data, int data_size)
+void nsexec(void)
{
- jmp_buf env;
- struct nsenter_config config = {0};
- struct nlattr *nlattr;
- int payload_len;
- int start = 0;
- int consolefd = -1;
- int syncpipe[2] = {-1, -1};
-
- while (start < data_size) {
- nlattr = (struct nlattr *)(data + start);
- start += NLA_HDRLEN;
- payload_len = nlattr->nla_len - NLA_HDRLEN;
-
- if (nlattr->nla_type == CLONE_FLAGS_ATTR) {
- config.cloneflags = readint32(data + start);
- } else if (nlattr->nla_type == CONSOLE_PATH_ATTR) {
- // get the console path before setns because it may
- // change mnt namespace
- consolefd = open(data + start, O_RDWR);
- if (consolefd < 0) {
- pr_perror("Failed to open console %s",
- data + start);
- exit(1);
- }
- } else if (nlattr->nla_type == NS_PATHS_ATTR) {
- // if custom namespaces are required, open all
- // descriptors and perform setns on them
- int i;
- int nslen = num_namespaces(data + start);
- int fds[nslen];
- char *nslist[nslen];
- char *ns;
- char *saveptr;
-
- for (i = 0; i < nslen; i++) {
- char *str = NULL;
-
- if (i == 0) {
- str = data + start;
- }
- ns = strtok_r(str, ",", &saveptr);
- if (ns == NULL) {
- break;
- }
- fds[i] = open(ns, O_RDONLY);
- if (fds[i] == -1) {
- pr_perror("Failed to open %s", ns);
- exit(1);
- }
- nslist[i] = ns;
- }
+ int pipenum;
+ jmp_buf env;
+ int sync_child_pipe[2], sync_grandchild_pipe[2];
+ struct nlconfig_t config = { 0 };
+
+ /*
+ * If we don't have an init pipe, just return to the go routine.
+ * We'll only get an init pipe for start or exec.
+ */
+ pipenum = initpipe();
+ if (pipenum == -1)
+ return;
+
+ /* Parse all of the netlink configuration. */
+ nl_parse(pipenum, &config);
+
+ /* Set oom_score_adj. This has to be done before !dumpable because
+ * /proc/self/oom_score_adj is not writeable unless you're an privileged
+ * user (if !dumpable is set). All children inherit their parent's
+ * oom_score_adj value on fork(2) so this will always be propagated
+ * properly.
+ */
+ update_oom_score_adj(config.oom_score_adj, config.oom_score_adj_len);
+
+ /*
+ * Make the process non-dumpable, to avoid various race conditions that
+ * could cause processes in namespaces we're joining to access host
+ * resources (or potentially execute code).
+ *
+ * However, if the number of namespaces we are joining is 0, we are not
+ * going to be switching to a different security context. Thus setting
+ * ourselves to be non-dumpable only breaks things (like rootless
+ * containers), which is the recommendation from the kernel folks.
+ */
+ if (config.namespaces) {
+ if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) < 0)
+ bail("failed to set process as non-dumpable");
+ }
+
+ /* Pipe so we can tell the child when we've finished setting up. */
+ if (socketpair(AF_LOCAL, SOCK_STREAM, 0, sync_child_pipe) < 0)
+ bail("failed to setup sync pipe between parent and child");
+
+ /*
+ * We need a new socketpair to sync with grandchild so we don't have
+ * race condition with child.
+ */
+ if (socketpair(AF_LOCAL, SOCK_STREAM, 0, sync_grandchild_pipe) < 0)
+ bail("failed to setup sync pipe between parent and grandchild");
- for (i = 0; i < nslen; i++) {
- if (setns(fds[i], 0) != 0) {
- pr_perror("Failed to setns to %s", nslist[i]);
- exit(1);
+ /* TODO: Currently we aren't dealing with child deaths properly. */
+
+ /*
+ * Okay, so this is quite annoying.
+ *
+ * In order for this unsharing code to be more extensible we need to split
+ * up unshare(CLONE_NEWUSER) and clone() in various ways. The ideal case
+ * would be if we did clone(CLONE_NEWUSER) and the other namespaces
+ * separately, but because of SELinux issues we cannot really do that. But
+ * we cannot just dump the namespace flags into clone(...) because several
+ * usecases (such as rootless containers) require more granularity around
+ * the namespace setup. In addition, some older kernels had issues where
+ * CLONE_NEWUSER wasn't handled before other namespaces (but we cannot
+ * handle this while also dealing with SELinux so we choose SELinux support
+ * over broken kernel support).
+ *
+ * However, if we unshare(2) the user namespace *before* we clone(2), then
+ * all hell breaks loose.
+ *
+ * The parent no longer has permissions to do many things (unshare(2) drops
+ * all capabilities in your old namespace), and the container cannot be set
+ * up to have more than one {uid,gid} mapping. This is obviously less than
+ * ideal. In order to fix this, we have to first clone(2) and then unshare.
+ *
+ * Unfortunately, it's not as simple as that. We have to fork to enter the
+ * PID namespace (the PID namespace only applies to children). Since we'll
+ * have to double-fork, this clone_parent() call won't be able to get the
+ * PID of the _actual_ init process (without doing more synchronisation than
+ * I can deal with at the moment). So we'll just get the parent to send it
+ * for us, the only job of this process is to update
+ * /proc/pid/{setgroups,uid_map,gid_map}.
+ *
+ * And as a result of the above, we also need to setns(2) in the first child
+ * because if we join a PID namespace in the topmost parent then our child
+ * will be in that namespace (and it will not be able to give us a PID value
+ * that makes sense without resorting to sending things with cmsg).
+ *
+ * This also deals with an older issue caused by dumping cloneflags into
+ * clone(2): On old kernels, CLONE_PARENT didn't work with CLONE_NEWPID, so
+ * we have to unshare(2) before clone(2) in order to do this. This was fixed
+ * in upstream commit 1f7f4dde5c945f41a7abc2285be43d918029ecc5, and was
+ * introduced by 40a0d32d1eaffe6aac7324ca92604b6b3977eb0e. As far as we're
+ * aware, the last mainline kernel which had this bug was Linux 3.12.
+ * However, we cannot comment on which kernels the broken patch was
+ * backported to.
+ *
+ * -- Aleksa "what has my life come to?" Sarai
+ */
+
+ switch (setjmp(env)) {
+ /*
+ * Stage 0: We're in the parent. Our job is just to create a new child
+ * (stage 1: JUMP_CHILD) process and write its uid_map and
+ * gid_map. That process will go on to create a new process, then
+ * it will send us its PID which we will send to the bootstrap
+ * process.
+ */
+ case JUMP_PARENT:{
+ int len;
+ pid_t child, first_child = -1;
+ bool ready = false;
+
+ /* For debugging. */
+ prctl(PR_SET_NAME, (unsigned long)"runc:[0:PARENT]", 0, 0, 0);
+
+ /* Start the process of getting a container. */
+ child = clone_parent(&env, JUMP_CHILD);
+ if (child < 0)
+ bail("unable to fork: child_func");
+
+ /*
+ * State machine for synchronisation with the children.
+ *
+ * Father only return when both child and grandchild are
+ * ready, so we can receive all possible error codes
+ * generated by children.
+ */
+ while (!ready) {
+ enum sync_t s;
+ int ret;
+
+ syncfd = sync_child_pipe[1];
+ close(sync_child_pipe[0]);
+
+ if (read(syncfd, &s, sizeof(s)) != sizeof(s))
+ bail("failed to sync with child: next state");
+
+ switch (s) {
+ case SYNC_ERR:
+ /* We have to mirror the error code of the child. */
+ if (read(syncfd, &ret, sizeof(ret)) != sizeof(ret))
+ bail("failed to sync with child: read(error code)");
+
+ exit(ret);
+ case SYNC_USERMAP_PLS:
+ /*
+ * Enable setgroups(2) if we've been asked to. But we also
+ * have to explicitly disable setgroups(2) if we're
+ * creating a rootless container for single-entry mapping.
+ * i.e. config.is_setgroup == false.
+ * (this is required since Linux 3.19).
+ *
+ * For rootless multi-entry mapping, config.is_setgroup shall be true and
+ * newuidmap/newgidmap shall be used.
+ */
+
+ if (config.is_rootless_euid && !config.is_setgroup)
+ update_setgroups(child, SETGROUPS_DENY);
+
+ /* Set up mappings. */
+ update_uidmap(config.uidmappath, child, config.uidmap, config.uidmap_len);
+ update_gidmap(config.gidmappath, child, config.gidmap, config.gidmap_len);
+
+ s = SYNC_USERMAP_ACK;
+ if (write(syncfd, &s, sizeof(s)) != sizeof(s)) {
+ kill(child, SIGKILL);
+ bail("failed to sync with child: write(SYNC_USERMAP_ACK)");
+ }
+ break;
+ case SYNC_RECVPID_PLS:{
+ first_child = child;
+
+ /* Get the init_func pid. */
+ if (read(syncfd, &child, sizeof(child)) != sizeof(child)) {
+ kill(first_child, SIGKILL);
+ bail("failed to sync with child: read(childpid)");
+ }
+
+ /* Send ACK. */
+ s = SYNC_RECVPID_ACK;
+ if (write(syncfd, &s, sizeof(s)) != sizeof(s)) {
+ kill(first_child, SIGKILL);
+ kill(child, SIGKILL);
+ bail("failed to sync with child: write(SYNC_RECVPID_ACK)");
+ }
+
+ /* Send the init_func pid back to our parent.
+ *
+ * Send the init_func pid and the pid of the first child back to our parent.
+ * We need to send both back because we can't reap the first child we created (CLONE_PARENT).
+ * It becomes the responsibility of our parent to reap the first child.
+ */
+ len = dprintf(pipenum, "{\"pid\": %d, \"pid_first\": %d}\n", child, first_child);
+ if (len < 0) {
+ kill(child, SIGKILL);
+ bail("unable to generate JSON for child pid");
+ }
+ }
+ break;
+ case SYNC_CHILD_READY:
+ ready = true;
+ break;
+ default:
+ bail("unexpected sync value: %u", s);
}
- close(fds[i]);
}
- } else if (nlattr->nla_type == UIDMAP_ATTR) {
- config.uidmap = data + start;
- config.uidmap_len = payload_len;
- } else if (nlattr->nla_type == GIDMAP_ATTR) {
- config.gidmap = data + start;
- config.gidmap_len = payload_len;
- } else if (nlattr->nla_type == SETGROUP_ATTR) {
- config.is_setgroup = readint8(data + start);
- } else {
- pr_perror("Unknown netlink message type %d",
- nlattr->nla_type);
- exit(1);
- }
- start += NLA_ALIGN(payload_len);
- }
+ /* Now sync with grandchild. */
- // required clone_flags to be passed
- if (config.cloneflags == -1) {
- pr_perror("Missing clone_flags");
- exit(1);
- }
- // prepare sync pipe between parent and child. We need this to let the
- // child
- // know that the parent has finished setting up
- if (pipe(syncpipe) != 0) {
- pr_perror("Failed to setup sync pipe between parent and child");
- exit(1);
- }
+ ready = false;
+ while (!ready) {
+ enum sync_t s;
+ int ret;
- if (setjmp(env) == 1) {
- // Child
- uint8_t s = 0;
+ syncfd = sync_grandchild_pipe[1];
+ close(sync_grandchild_pipe[0]);
- // close the writing side of pipe
- close(syncpipe[1]);
+ s = SYNC_GRANDCHILD;
+ if (write(syncfd, &s, sizeof(s)) != sizeof(s)) {
+ kill(child, SIGKILL);
+ bail("failed to sync with child: write(SYNC_GRANDCHILD)");
+ }
- // sync with parent
- if ((read(syncpipe[0], &s, 1) != 1) || (s != 1)) {
- pr_perror("Failed to read sync byte from parent");
- exit(1);
- }
+ if (read(syncfd, &s, sizeof(s)) != sizeof(s))
+ bail("failed to sync with child: next state");
- if (setsid() == -1) {
- pr_perror("setsid failed");
- exit(1);
- }
+ switch (s) {
+ case SYNC_ERR:
+ /* We have to mirror the error code of the child. */
+ if (read(syncfd, &ret, sizeof(ret)) != sizeof(ret))
+ bail("failed to sync with child: read(error code)");
- if (setuid(0) == -1) {
- pr_perror("setuid failed");
- exit(1);
+ exit(ret);
+ case SYNC_CHILD_READY:
+ ready = true;
+ break;
+ default:
+ bail("unexpected sync value: %u", s);
+ }
+ }
+ exit(0);
}
- if (setgid(0) == -1) {
- pr_perror("setgid failed");
- exit(1);
- }
+ /*
+ * Stage 1: We're in the first child process. Our job is to join any
+ * provided namespaces in the netlink payload and unshare all
+ * of the requested namespaces. If we've been asked to
+ * CLONE_NEWUSER, we will ask our parent (stage 0) to set up
+ * our user mappings for us. Then, we create a new child
+ * (stage 2: JUMP_INIT) for PID namespace. We then send the
+ * child's PID to our parent (stage 0).
+ */
+ case JUMP_CHILD:{
+ pid_t child;
+ enum sync_t s;
+
+ /* We're in a child and thus need to tell the parent if we die. */
+ syncfd = sync_child_pipe[0];
+ close(sync_child_pipe[1]);
+
+ /* For debugging. */
+ prctl(PR_SET_NAME, (unsigned long)"runc:[1:CHILD]", 0, 0, 0);
+
+ /*
+ * We need to setns first. We cannot do this earlier (in stage 0)
+ * because of the fact that we forked to get here (the PID of
+ * [stage 2: JUMP_INIT]) would be meaningless). We could send it
+ * using cmsg(3) but that's just annoying.
+ */
+ if (config.namespaces)
+ join_namespaces(config.namespaces);
+
+ /*
+ * Deal with user namespaces first. They are quite special, as they
+ * affect our ability to unshare other namespaces and are used as
+ * context for privilege checks.
+ *
+ * We don't unshare all namespaces in one go. The reason for this
+ * is that, while the kernel documentation may claim otherwise,
+ * there are certain cases where unsharing all namespaces at once
+ * will result in namespace objects being owned incorrectly.
+ * Ideally we should just fix these kernel bugs, but it's better to
+ * be safe than sorry, and fix them separately.
+ *
+ * A specific case of this is that the SELinux label of the
+ * internal kern-mount that mqueue uses will be incorrect if the
+ * UTS namespace is cloned before the USER namespace is mapped.
+ * I've also heard of similar problems with the network namespace
+ * in some scenarios. This also mirrors how LXC deals with this
+ * problem.
+ */
+ if (config.cloneflags & CLONE_NEWUSER) {
+ if (unshare(CLONE_NEWUSER) < 0)
+ bail("failed to unshare user namespace");
+ config.cloneflags &= ~CLONE_NEWUSER;
+
+ /*
+ * We don't have the privileges to do any mapping here (see the
+ * clone_parent rant). So signal our parent to hook us up.
+ */
+
+ /* Switching is only necessary if we joined namespaces. */
+ if (config.namespaces) {
+ if (prctl(PR_SET_DUMPABLE, 1, 0, 0, 0) < 0)
+ bail("failed to set process as dumpable");
+ }
+ s = SYNC_USERMAP_PLS;
+ if (write(syncfd, &s, sizeof(s)) != sizeof(s))
+ bail("failed to sync with parent: write(SYNC_USERMAP_PLS)");
+
+ /* ... wait for mapping ... */
+
+ if (read(syncfd, &s, sizeof(s)) != sizeof(s))
+ bail("failed to sync with parent: read(SYNC_USERMAP_ACK)");
+ if (s != SYNC_USERMAP_ACK)
+ bail("failed to sync with parent: SYNC_USERMAP_ACK: got %u", s);
+ /* Switching is only necessary if we joined namespaces. */
+ if (config.namespaces) {
+ if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) < 0)
+ bail("failed to set process as dumpable");
+ }
- if (consolefd != -1) {
- if (ioctl(consolefd, TIOCSCTTY, 0) == -1) {
- pr_perror("ioctl TIOCSCTTY failed");
- exit(1);
+ /* Become root in the namespace proper. */
+ if (setresuid(0, 0, 0) < 0)
+ bail("failed to become root in user namespace");
}
- if (dup3(consolefd, STDIN_FILENO, 0) != STDIN_FILENO) {
- pr_perror("Failed to dup stdin");
- exit(1);
+ /*
+ * Unshare all of the namespaces. Now, it should be noted that this
+ * ordering might break in the future (especially with rootless
+ * containers). But for now, it's not possible to split this into
+ * CLONE_NEWUSER + [the rest] because of some RHEL SELinux issues.
+ *
+ * Note that we don't merge this with clone() because there were
+ * some old kernel versions where clone(CLONE_PARENT | CLONE_NEWPID)
+ * was broken, so we'll just do it the long way anyway.
+ */
+ if (unshare(config.cloneflags & ~CLONE_NEWCGROUP) < 0)
+ bail("failed to unshare namespaces");
+
+ /*
+ * TODO: What about non-namespace clone flags that we're dropping here?
+ *
+ * We fork again because of PID namespace, setns(2) or unshare(2) don't
+ * change the PID namespace of the calling process, because doing so
+ * would change the caller's idea of its own PID (as reported by getpid()),
+ * which would break many applications and libraries, so we must fork
+ * to actually enter the new PID namespace.
+ */
+ child = clone_parent(&env, JUMP_INIT);
+ if (child < 0)
+ bail("unable to fork: init_func");
+
+ /* Send the child to our parent, which knows what it's doing. */
+ s = SYNC_RECVPID_PLS;
+ if (write(syncfd, &s, sizeof(s)) != sizeof(s)) {
+ kill(child, SIGKILL);
+ bail("failed to sync with parent: write(SYNC_RECVPID_PLS)");
}
- if (dup3(consolefd, STDOUT_FILENO, 0) != STDOUT_FILENO) {
- pr_perror("Failed to dup stdout");
- exit(1);
+ if (write(syncfd, &child, sizeof(child)) != sizeof(child)) {
+ kill(child, SIGKILL);
+ bail("failed to sync with parent: write(childpid)");
}
- if (dup3(consolefd, STDERR_FILENO, 0) != STDERR_FILENO) {
- pr_perror("Failed to dup stderr");
- exit(1);
- }
- }
- // Finish executing, let the Go runtime take over.
- return;
- }
+ /* ... wait for parent to get the pid ... */
- // Parent
- start_child(pipenum, &env, syncpipe, &config);
-}
+ if (read(syncfd, &s, sizeof(s)) != sizeof(s)) {
+ kill(child, SIGKILL);
+ bail("failed to sync with parent: read(SYNC_RECVPID_ACK)");
+ }
+ if (s != SYNC_RECVPID_ACK) {
+ kill(child, SIGKILL);
+ bail("failed to sync with parent: SYNC_RECVPID_ACK: got %u", s);
+ }
-void nsexec(void)
-{
- int pipenum;
+ s = SYNC_CHILD_READY;
+ if (write(syncfd, &s, sizeof(s)) != sizeof(s)) {
+ kill(child, SIGKILL);
+ bail("failed to sync with parent: write(SYNC_CHILD_READY)");
+ }
- // if we dont have init pipe, then just return to the parent
- pipenum = get_init_pipe();
- if (pipenum == -1) {
- return;
- }
+ /* Our work is done. [Stage 2: JUMP_INIT] is doing the rest of the work. */
+ exit(0);
+ }
- // Retrieve the netlink header
- struct nlmsghdr nl_msg_hdr;
- int len;
+ /*
+ * Stage 2: We're the final child process, and the only process that will
+ * actually return to the Go runtime. Our job is to just do the
+ * final cleanup steps and then return to the Go runtime to allow
+ * init_linux.go to run.
+ */
+ case JUMP_INIT:{
+ /*
+ * We're inside the child now, having jumped from the
+ * start_child() code after forking in the parent.
+ */
+ enum sync_t s;
+
+ /* We're in a child and thus need to tell the parent if we die. */
+ syncfd = sync_grandchild_pipe[0];
+ close(sync_grandchild_pipe[1]);
+ close(sync_child_pipe[0]);
+ close(sync_child_pipe[1]);
+
+ /* For debugging. */
+ prctl(PR_SET_NAME, (unsigned long)"runc:[2:INIT]", 0, 0, 0);
+
+ if (read(syncfd, &s, sizeof(s)) != sizeof(s))
+ bail("failed to sync with parent: read(SYNC_GRANDCHILD)");
+ if (s != SYNC_GRANDCHILD)
+ bail("failed to sync with parent: SYNC_GRANDCHILD: got %u", s);
+
+ if (setsid() < 0)
+ bail("setsid failed");
+
+ if (setuid(0) < 0)
+ bail("setuid failed");
+
+ if (setgid(0) < 0)
+ bail("setgid failed");
+
+ if (!config.is_rootless_euid && config.is_setgroup) {
+ if (setgroups(0, NULL) < 0)
+ bail("setgroups failed");
+ }
- if ((len = read(pipenum, &nl_msg_hdr, NLMSG_HDRLEN)) != NLMSG_HDRLEN) {
- pr_perror("Invalid netlink header length %d", len);
- exit(1);
- }
+ /* ... wait until our topmost parent has finished cgroup setup in p.manager.Apply() ... */
+ if (config.cloneflags & CLONE_NEWCGROUP) {
+ uint8_t value;
+ if (read(pipenum, &value, sizeof(value)) != sizeof(value))
+ bail("read synchronisation value failed");
+ if (value == CREATECGROUPNS) {
+ if (unshare(CLONE_NEWCGROUP) < 0)
+ bail("failed to unshare cgroup namespace");
+ } else
+ bail("received unknown synchronisation value");
+ }
- if (nl_msg_hdr.nlmsg_type == NLMSG_ERROR) {
- pr_perror("Failed to read netlink message");
- exit(1);
- }
+ s = SYNC_CHILD_READY;
+ if (write(syncfd, &s, sizeof(s)) != sizeof(s))
+ bail("failed to sync with patent: write(SYNC_CHILD_READY)");
- if (nl_msg_hdr.nlmsg_type != INIT_MSG) {
- pr_perror("Unexpected msg type %d", nl_msg_hdr.nlmsg_type);
- exit(1);
- }
+ /* Close sync pipes. */
+ close(sync_grandchild_pipe[0]);
- // Retrieve data
- int nl_total_size = NLMSG_PAYLOAD(&nl_msg_hdr, 0);
- char data[nl_total_size];
+ /* Free netlink data. */
+ nl_free(&config);
- if ((len = read(pipenum, data, nl_total_size)) != nl_total_size) {
- pr_perror("Failed to read netlink payload, %d != %d", len,
- nl_total_size);
- exit(1);
+ /* Finish executing, let the Go runtime take over. */
+ return;
+ }
+ default:
+ bail("unexpected jump value");
}
- process_nl_attributes(pipenum, data, nl_total_size);
+ /* Should never be reached. */
+ bail("should never be reached");
}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/process.go b/vendor/github.com/opencontainers/runc/libcontainer/process.go
index 91e8ef56f7e614b16e9bfcfbb85f0699b7b5743c..9a7c60141216fba9b024da83f42424610c84cd46 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/process.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/process.go
@@ -28,6 +28,10 @@ type Process struct {
// local to the container's user and group configuration.
User string
+ // AdditionalGroups specifies the gids that should be added to supplementary groups
+ // in addition to those that the user belongs to.
+ AdditionalGroups []string
+
// Cwd will change the processes current working directory inside the container's rootfs.
Cwd string
@@ -43,12 +47,13 @@ type Process struct {
// ExtraFiles specifies additional open files to be inherited by the container
ExtraFiles []*os.File
- // consolePath is the path to the console allocated to the container.
- consolePath string
+ // Initial sizings for the console
+ ConsoleWidth uint16
+ ConsoleHeight uint16
// Capabilities specify the capabilities to keep when executing the process inside the container
// All capabilities not specified will be dropped from the processes capability mask
- Capabilities []string
+ Capabilities *configs.Capabilities
// AppArmorProfile specifies the profile to apply to the process and is
// changed at the time the process is execed
@@ -64,6 +69,12 @@ type Process struct {
// If Rlimits are not set, the container will inherit rlimits from the parent process
Rlimits []configs.Rlimit
+ // ConsoleSocket provides the masterfd console.
+ ConsoleSocket *os.File
+
+ // Init specifies whether the process is the first process in the container.
+ Init bool
+
ops processOperations
}
@@ -100,22 +111,3 @@ type IO struct {
Stdout io.ReadCloser
Stderr io.ReadCloser
}
-
-// NewConsole creates new console for process and returns it
-func (p *Process) NewConsole(rootuid int) (Console, error) {
- console, err := NewConsole(rootuid, rootuid)
- if err != nil {
- return nil, err
- }
- p.consolePath = console.Path()
- return console, nil
-}
-
-// ConsoleFromPath sets the process's console with the path provided
-func (p *Process) ConsoleFromPath(path string) error {
- if p.consolePath != "" {
- return newGenericError(fmt.Errorf("console path already exists for process"), ConsoleExists)
- }
- p.consolePath = path
- return nil
-}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/process_linux.go b/vendor/github.com/opencontainers/runc/libcontainer/process_linux.go
index 9ff43861512a44efdc44ad75d642b61ceb1dea4d..e8ffac9fa58cacf7ddf0e4beb2886ae97da72bd3 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/process_linux.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/process_linux.go
@@ -11,14 +11,21 @@ import (
"os/exec"
"path/filepath"
"strconv"
- "syscall"
+ "syscall" // only for Signal
"github.com/opencontainers/runc/libcontainer/cgroups"
"github.com/opencontainers/runc/libcontainer/configs"
+ "github.com/opencontainers/runc/libcontainer/intelrdt"
"github.com/opencontainers/runc/libcontainer/system"
"github.com/opencontainers/runc/libcontainer/utils"
+
+ "golang.org/x/sys/unix"
)
+// Synchronisation value for cgroup namespace setup.
+// The same constant is defined in nsexec.c as "CREATECGROUPNS".
+const createCgroupns = 0x80
+
type parentProcess interface {
// pid returns the pid for the running process.
pid() int
@@ -32,8 +39,8 @@ type parentProcess interface {
// wait waits on the process returning the process state.
wait() (*os.ProcessState, error)
- // startTime return's the process start time.
- startTime() (string, error)
+ // startTime returns the process start time.
+ startTime() (uint64, error)
signal(os.Signal) error
@@ -43,18 +50,21 @@ type parentProcess interface {
}
type setnsProcess struct {
- cmd *exec.Cmd
- parentPipe *os.File
- childPipe *os.File
- cgroupPaths map[string]string
- config *initConfig
- fds []string
- process *Process
- bootstrapData io.Reader
+ cmd *exec.Cmd
+ parentPipe *os.File
+ childPipe *os.File
+ cgroupPaths map[string]string
+ rootlessCgroups bool
+ intelRdtPath string
+ config *initConfig
+ fds []string
+ process *Process
+ bootstrapData io.Reader
}
-func (p *setnsProcess) startTime() (string, error) {
- return system.GetProcessStartTime(p.pid())
+func (p *setnsProcess) startTime() (uint64, error) {
+ stat, err := system.Stat(p.pid())
+ return stat.StartTime, err
}
func (p *setnsProcess) signal(sig os.Signal) error {
@@ -62,7 +72,7 @@ func (p *setnsProcess) signal(sig os.Signal) error {
if !ok {
return errors.New("os: unsupported signal type")
}
- return syscall.Kill(p.pid(), s)
+ return unix.Kill(p.pid(), s)
}
func (p *setnsProcess) start() (err error) {
@@ -70,42 +80,59 @@ func (p *setnsProcess) start() (err error) {
err = p.cmd.Start()
p.childPipe.Close()
if err != nil {
- return newSystemError(err)
+ return newSystemErrorWithCause(err, "starting setns process")
}
if p.bootstrapData != nil {
if _, err := io.Copy(p.parentPipe, p.bootstrapData); err != nil {
- return newSystemError(err)
+ return newSystemErrorWithCause(err, "copying bootstrap data to pipe")
}
}
if err = p.execSetns(); err != nil {
- return newSystemError(err)
+ return newSystemErrorWithCause(err, "executing setns process")
}
if len(p.cgroupPaths) > 0 {
- if err := cgroups.EnterPid(p.cgroupPaths, p.pid()); err != nil {
- return newSystemError(err)
+ if err := cgroups.EnterPid(p.cgroupPaths, p.pid()); err != nil && !p.rootlessCgroups {
+ return newSystemErrorWithCausef(err, "adding pid %d to cgroups", p.pid())
}
}
- if err := utils.WriteJSON(p.parentPipe, p.config); err != nil {
- return newSystemError(err)
+ if p.intelRdtPath != "" {
+ // if Intel RDT "resource control" filesystem path exists
+ _, err := os.Stat(p.intelRdtPath)
+ if err == nil {
+ if err := intelrdt.WriteIntelRdtTasks(p.intelRdtPath, p.pid()); err != nil {
+ return newSystemErrorWithCausef(err, "adding pid %d to Intel RDT resource control filesystem", p.pid())
+ }
+ }
}
- // set oom_score_adj
- if err := setOomScoreAdj(p.config.Config.OomScoreAdj, p.pid()); err != nil {
- return newSystemError(err)
+ // set rlimits, this has to be done here because we lose permissions
+ // to raise the limits once we enter a user-namespace
+ if err := setupRlimits(p.config.Rlimits, p.pid()); err != nil {
+ return newSystemErrorWithCause(err, "setting rlimits for process")
}
-
- if err := syscall.Shutdown(int(p.parentPipe.Fd()), syscall.SHUT_WR); err != nil {
- return newSystemError(err)
+ if err := utils.WriteJSON(p.parentPipe, p.config); err != nil {
+ return newSystemErrorWithCause(err, "writing config to pipe")
}
- // wait for the child process to fully complete and receive an error message
- // if one was encoutered
- var ierr *genericError
- if err := json.NewDecoder(p.parentPipe).Decode(&ierr); err != nil && err != io.EOF {
- return newSystemError(err)
+
+ ierr := parseSync(p.parentPipe, func(sync *syncT) error {
+ switch sync.Type {
+ case procReady:
+ // This shouldn't happen.
+ panic("unexpected procReady in setns")
+ case procHooks:
+ // This shouldn't happen.
+ panic("unexpected procHooks in setns")
+ default:
+ return newSystemError(fmt.Errorf("invalid JSON payload from child"))
+ }
+ })
+
+ if err := unix.Shutdown(int(p.parentPipe.Fd()), unix.SHUT_WR); err != nil {
+ return newSystemErrorWithCause(err, "calling shutdown on init pipe")
}
// Must be done after Shutdown so the child will exit and we can wait for it.
if ierr != nil {
p.wait()
- return newSystemError(ierr)
+ return ierr
}
return nil
}
@@ -118,7 +145,7 @@ func (p *setnsProcess) execSetns() error {
status, err := p.cmd.Process.Wait()
if err != nil {
p.cmd.Wait()
- return newSystemError(err)
+ return newSystemErrorWithCause(err, "waiting on setns process to finish")
}
if !status.Success() {
p.cmd.Wait()
@@ -127,8 +154,18 @@ func (p *setnsProcess) execSetns() error {
var pid *pid
if err := json.NewDecoder(p.parentPipe).Decode(&pid); err != nil {
p.cmd.Wait()
- return newSystemError(err)
+ return newSystemErrorWithCause(err, "reading pid from init pipe")
+ }
+
+ // Clean up the zombie parent process
+ firstChildProcess, err := os.FindProcess(pid.PidFirstChild)
+ if err != nil {
+ return err
}
+
+ // Ignore the error in case the child has already been reaped for any reason
+ _, _ = firstChildProcess.Wait()
+
process, err := os.FindProcess(pid.Pid)
if err != nil {
return err
@@ -139,7 +176,7 @@ func (p *setnsProcess) execSetns() error {
}
// terminate sends a SIGKILL to the forked process for the setns routine then waits to
-// avoid the process becomming a zombie.
+// avoid the process becoming a zombie.
func (p *setnsProcess) terminate() error {
if p.cmd.Process == nil {
return nil
@@ -171,16 +208,17 @@ func (p *setnsProcess) setExternalDescriptors(newFds []string) {
}
type initProcess struct {
- cmd *exec.Cmd
- parentPipe *os.File
- childPipe *os.File
- config *initConfig
- manager cgroups.Manager
- container *linuxContainer
- fds []string
- process *Process
- bootstrapData io.Reader
- sharePidns bool
+ cmd *exec.Cmd
+ parentPipe *os.File
+ childPipe *os.File
+ config *initConfig
+ manager cgroups.Manager
+ intelRdtManager intelrdt.Manager
+ container *linuxContainer
+ fds []string
+ process *Process
+ bootstrapData io.Reader
+ sharePidns bool
}
func (p *initProcess) pid() int {
@@ -191,12 +229,17 @@ func (p *initProcess) externalDescriptors() []string {
return p.fds
}
-// execSetns runs the process that executes C code to perform the setns calls
-// because setns support requires the C process to fork off a child and perform the setns
-// before the go runtime boots, we wait on the process to die and receive the child's pid
-// over the provided pipe.
-// This is called by initProcess.start function
-func (p *initProcess) execSetns() error {
+// getChildPid receives the final child's pid over the provided pipe.
+func (p *initProcess) getChildPid() (int, error) {
+ var pid pid
+ if err := json.NewDecoder(p.parentPipe).Decode(&pid); err != nil {
+ p.cmd.Wait()
+ return -1, err
+ }
+ return pid.Pid, nil
+}
+
+func (p *initProcess) waitForChildExit(childPid int) error {
status, err := p.cmd.Process.Wait()
if err != nil {
p.cmd.Wait()
@@ -206,16 +249,13 @@ func (p *initProcess) execSetns() error {
p.cmd.Wait()
return &exec.ExitError{ProcessState: status}
}
- var pid *pid
- if err := json.NewDecoder(p.parentPipe).Decode(&pid); err != nil {
- p.cmd.Wait()
- return err
- }
- process, err := os.FindProcess(pid.Pid)
+
+ process, err := os.FindProcess(childPid)
if err != nil {
return err
}
p.cmd.Process = process
+ p.process.ops = p
return nil
}
@@ -226,27 +266,67 @@ func (p *initProcess) start() error {
p.childPipe.Close()
if err != nil {
p.process.ops = nil
- return newSystemError(err)
+ return newSystemErrorWithCause(err, "starting init process command")
+ }
+ // Do this before syncing with child so that no children can escape the
+ // cgroup. We don't need to worry about not doing this and not being root
+ // because we'd be using the rootless cgroup manager in that case.
+ if err := p.manager.Apply(p.pid()); err != nil {
+ return newSystemErrorWithCause(err, "applying cgroup configuration for process")
+ }
+ if p.intelRdtManager != nil {
+ if err := p.intelRdtManager.Apply(p.pid()); err != nil {
+ return newSystemErrorWithCause(err, "applying Intel RDT configuration for process")
+ }
}
+ defer func() {
+ if err != nil {
+ // TODO: should not be the responsibility to call here
+ p.manager.Destroy()
+ if p.intelRdtManager != nil {
+ p.intelRdtManager.Destroy()
+ }
+ }
+ }()
+
if _, err := io.Copy(p.parentPipe, p.bootstrapData); err != nil {
- return err
+ return newSystemErrorWithCause(err, "copying bootstrap data to pipe")
}
- if err := p.execSetns(); err != nil {
- return newSystemError(err)
+ childPid, err := p.getChildPid()
+ if err != nil {
+ return newSystemErrorWithCause(err, "getting the final child's pid from pipe")
}
+
// Save the standard descriptor names before the container process
// can potentially move them (e.g., via dup2()). If we don't do this now,
// we won't know at checkpoint time which file descriptor to look up.
- fds, err := getPipeFds(p.pid())
+ fds, err := getPipeFds(childPid)
if err != nil {
- return newSystemError(err)
+ return newSystemErrorWithCausef(err, "getting pipe fds for pid %d", childPid)
}
p.setExternalDescriptors(fds)
// Do this before syncing with child so that no children
// can escape the cgroup
- if err := p.manager.Apply(p.pid()); err != nil {
- return newSystemError(err)
+ if err := p.manager.Apply(childPid); err != nil {
+ return newSystemErrorWithCause(err, "applying cgroup configuration for process")
+ }
+ if p.intelRdtManager != nil {
+ if err := p.intelRdtManager.Apply(childPid); err != nil {
+ return newSystemErrorWithCause(err, "applying Intel RDT configuration for process")
+ }
+ }
+ // Now it's time to setup cgroup namesapce
+ if p.config.Config.Namespaces.Contains(configs.NEWCGROUP) && p.config.Config.Namespaces.PathOf(configs.NEWCGROUP) == "" {
+ if _, err := p.parentPipe.Write([]byte{createCgroupns}); err != nil {
+ return newSystemErrorWithCause(err, "sending synchronization value to init process")
+ }
+ }
+
+ // Wait for our first child to exit
+ if err := p.waitForChildExit(childPid); err != nil {
+ return newSystemErrorWithCause(err, "waiting for our first child to exit")
}
+
defer func() {
if err != nil {
// TODO: should not be the responsibility to call here
@@ -254,104 +334,106 @@ func (p *initProcess) start() error {
}
}()
if err := p.createNetworkInterfaces(); err != nil {
- return newSystemError(err)
+ return newSystemErrorWithCause(err, "creating network interfaces")
}
if err := p.sendConfig(); err != nil {
- return newSystemError(err)
+ return newSystemErrorWithCause(err, "sending config to init process")
}
var (
- procSync syncT
sentRun bool
sentResume bool
- ierr *genericError
)
- dec := json.NewDecoder(p.parentPipe)
-loop:
- for {
- if err := dec.Decode(&procSync); err != nil {
- if err == io.EOF {
- break loop
- }
- return newSystemError(err)
- }
- switch procSync.Type {
+ ierr := parseSync(p.parentPipe, func(sync *syncT) error {
+ switch sync.Type {
case procReady:
- if err := p.manager.Set(p.config.Config); err != nil {
- return newSystemError(err)
- }
- // set oom_score_adj
- if err := setOomScoreAdj(p.config.Config.OomScoreAdj, p.pid()); err != nil {
- return newSystemError(err)
+ // set rlimits, this has to be done here because we lose permissions
+ // to raise the limits once we enter a user-namespace
+ if err := setupRlimits(p.config.Rlimits, p.pid()); err != nil {
+ return newSystemErrorWithCause(err, "setting rlimits for ready process")
}
// call prestart hooks
if !p.config.Config.Namespaces.Contains(configs.NEWNS) {
+ // Setup cgroup before prestart hook, so that the prestart hook could apply cgroup permissions.
+ if err := p.manager.Set(p.config.Config); err != nil {
+ return newSystemErrorWithCause(err, "setting cgroup config for ready process")
+ }
+ if p.intelRdtManager != nil {
+ if err := p.intelRdtManager.Set(p.config.Config); err != nil {
+ return newSystemErrorWithCause(err, "setting Intel RDT config for ready process")
+ }
+ }
+
if p.config.Config.Hooks != nil {
- s := configs.HookState{
- Version: p.container.config.Version,
- ID: p.container.id,
- Pid: p.pid(),
- Root: p.config.Config.Rootfs,
+ s, err := p.container.currentOCIState()
+ if err != nil {
+ return err
}
- for _, hook := range p.config.Config.Hooks.Prestart {
+ // initProcessStartTime hasn't been set yet.
+ s.Pid = p.cmd.Process.Pid
+ s.Status = "creating"
+ for i, hook := range p.config.Config.Hooks.Prestart {
if err := hook.Run(s); err != nil {
- return newSystemError(err)
+ return newSystemErrorWithCausef(err, "running prestart hook %d", i)
}
}
}
}
// Sync with child.
- if err := utils.WriteJSON(p.parentPipe, syncT{procRun}); err != nil {
- return newSystemError(err)
+ if err := writeSync(p.parentPipe, procRun); err != nil {
+ return newSystemErrorWithCause(err, "writing syncT 'run'")
}
sentRun = true
case procHooks:
+ // Setup cgroup before prestart hook, so that the prestart hook could apply cgroup permissions.
+ if err := p.manager.Set(p.config.Config); err != nil {
+ return newSystemErrorWithCause(err, "setting cgroup config for procHooks process")
+ }
+ if p.intelRdtManager != nil {
+ if err := p.intelRdtManager.Set(p.config.Config); err != nil {
+ return newSystemErrorWithCause(err, "setting Intel RDT config for procHooks process")
+ }
+ }
if p.config.Config.Hooks != nil {
- s := configs.HookState{
- Version: p.container.config.Version,
- ID: p.container.id,
- Pid: p.pid(),
- Root: p.config.Config.Rootfs,
+ s, err := p.container.currentOCIState()
+ if err != nil {
+ return err
}
- for _, hook := range p.config.Config.Hooks.Prestart {
+ // initProcessStartTime hasn't been set yet.
+ s.Pid = p.cmd.Process.Pid
+ s.Status = "creating"
+ for i, hook := range p.config.Config.Hooks.Prestart {
if err := hook.Run(s); err != nil {
- return newSystemError(err)
+ return newSystemErrorWithCausef(err, "running prestart hook %d", i)
}
}
}
// Sync with child.
- if err := utils.WriteJSON(p.parentPipe, syncT{procResume}); err != nil {
- return newSystemError(err)
+ if err := writeSync(p.parentPipe, procResume); err != nil {
+ return newSystemErrorWithCause(err, "writing syncT 'resume'")
}
sentResume = true
- case procError:
- // wait for the child process to fully complete and receive an error message
- // if one was encoutered
- if err := dec.Decode(&ierr); err != nil && err != io.EOF {
- return newSystemError(err)
- }
- if ierr != nil {
- break loop
- }
- // Programmer error.
- panic("No error following JSON procError payload.")
default:
- return newSystemError(fmt.Errorf("invalid JSON synchronisation payload from child"))
+ return newSystemError(fmt.Errorf("invalid JSON payload from child"))
}
- }
+
+ return nil
+ })
+
if !sentRun {
- return newSystemError(fmt.Errorf("could not synchronise with container process"))
+ return newSystemErrorWithCause(ierr, "container init")
}
if p.config.Config.Namespaces.Contains(configs.NEWNS) && !sentResume {
return newSystemError(fmt.Errorf("could not synchronise after executing prestart hooks with container process"))
}
- if err := syscall.Shutdown(int(p.parentPipe.Fd()), syscall.SHUT_WR); err != nil {
- return newSystemError(err)
+ if err := unix.Shutdown(int(p.parentPipe.Fd()), unix.SHUT_WR); err != nil {
+ return newSystemErrorWithCause(err, "shutting down init pipe")
}
+
// Must be done after Shutdown so the child will exit and we can wait for it.
if ierr != nil {
p.wait()
- return newSystemError(ierr)
+ return ierr
}
return nil
}
@@ -363,7 +445,7 @@ func (p *initProcess) wait() (*os.ProcessState, error) {
}
// we should kill all processes in cgroup when init is died if we use host PID namespace
if p.sharePidns {
- killCgroupProcesses(p.manager)
+ signalAllProcesses(p.manager, unix.SIGKILL)
}
return p.cmd.ProcessState, nil
}
@@ -379,8 +461,9 @@ func (p *initProcess) terminate() error {
return err
}
-func (p *initProcess) startTime() (string, error) {
- return system.GetProcessStartTime(p.pid())
+func (p *initProcess) startTime() (uint64, error) {
+ stat, err := system.Stat(p.pid())
+ return stat.StartTime, err
}
func (p *initProcess) sendConfig() error {
@@ -412,7 +495,7 @@ func (p *initProcess) signal(sig os.Signal) error {
if !ok {
return errors.New("os: unsupported signal type")
}
- return syscall.Kill(p.pid(), s)
+ return unix.Kill(p.pid(), s)
}
func (p *initProcess) setExternalDescriptors(newFds []string) {
@@ -424,9 +507,17 @@ func getPipeFds(pid int) ([]string, error) {
dirPath := filepath.Join("/proc", strconv.Itoa(pid), "/fd")
for i := 0; i < 3; i++ {
+ // XXX: This breaks if the path is not a valid symlink (which can
+ // happen in certain particularly unlucky mount namespace setups).
f := filepath.Join(dirPath, strconv.Itoa(i))
target, err := os.Readlink(f)
if err != nil {
+ // Ignore permission errors, for rootless containers and other
+ // non-dumpable processes. if we can't get the fd for a particular
+ // file, there's not much we can do.
+ if os.IsPermission(err) {
+ continue
+ }
return fds, err
}
fds[i] = target
@@ -434,16 +525,18 @@ func getPipeFds(pid int) ([]string, error) {
return fds, nil
}
-// InitializeIO creates pipes for use with the process's STDIO
-// and returns the opposite side for each
-func (p *Process) InitializeIO(rootuid int) (i *IO, err error) {
+// InitializeIO creates pipes for use with the process's stdio and returns the
+// opposite side for each. Do not use this if you want to have a pseudoterminal
+// set up for you by libcontainer (TODO: fix that too).
+// TODO: This is mostly unnecessary, and should be handled by clients.
+func (p *Process) InitializeIO(rootuid, rootgid int) (i *IO, err error) {
var fds []uintptr
i = &IO{}
// cleanup in case of an error
defer func() {
if err != nil {
for _, fd := range fds {
- syscall.Close(int(fd))
+ unix.Close(int(fd))
}
}
}()
@@ -466,9 +559,9 @@ func (p *Process) InitializeIO(rootuid int) (i *IO, err error) {
}
fds = append(fds, r.Fd(), w.Fd())
p.Stderr, i.Stderr = w, r
- // change ownership of the pipes incase we are in a user namespace
+ // change ownership of the pipes in case we are in a user namespace
for _, fd := range fds {
- if err := syscall.Fchown(int(fd), rootuid, rootuid); err != nil {
+ if err := unix.Fchown(int(fd), rootuid, rootgid); err != nil {
return nil, err
}
}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/restored_process.go b/vendor/github.com/opencontainers/runc/libcontainer/restored_process.go
index a96f4ca5f5a428416e64ee9985b06d7326eb3277..408916ad936ce2ea6571b1f55bea421438035137 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/restored_process.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/restored_process.go
@@ -17,20 +17,20 @@ func newRestoredProcess(pid int, fds []string) (*restoredProcess, error) {
if err != nil {
return nil, err
}
- started, err := system.GetProcessStartTime(pid)
+ stat, err := system.Stat(pid)
if err != nil {
return nil, err
}
return &restoredProcess{
proc: proc,
- processStartTime: started,
+ processStartTime: stat.StartTime,
fds: fds,
}, nil
}
type restoredProcess struct {
proc *os.Process
- processStartTime string
+ processStartTime uint64
fds []string
}
@@ -60,7 +60,7 @@ func (p *restoredProcess) wait() (*os.ProcessState, error) {
return st, nil
}
-func (p *restoredProcess) startTime() (string, error) {
+func (p *restoredProcess) startTime() (uint64, error) {
return p.processStartTime, nil
}
@@ -81,7 +81,7 @@ func (p *restoredProcess) setExternalDescriptors(newFds []string) {
// a persisted state.
type nonChildProcess struct {
processPid int
- processStartTime string
+ processStartTime uint64
fds []string
}
@@ -101,7 +101,7 @@ func (p *nonChildProcess) wait() (*os.ProcessState, error) {
return nil, newGenericError(fmt.Errorf("restored process cannot be waited on"), SystemError)
}
-func (p *nonChildProcess) startTime() (string, error) {
+func (p *nonChildProcess) startTime() (uint64, error) {
return p.processStartTime, nil
}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/rootfs_linux.go b/vendor/github.com/opencontainers/runc/libcontainer/rootfs_linux.go
index 1a880fe9ee4b23f88570408f6c02d28cad89a126..6bd6da74acef667eb41c68c529304e80522e6196 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/rootfs_linux.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/rootfs_linux.go
@@ -11,112 +11,178 @@ import (
"path"
"path/filepath"
"strings"
- "syscall"
"time"
- "github.com/docker/docker/pkg/mount"
- "github.com/docker/docker/pkg/symlink"
+ "github.com/cyphar/filepath-securejoin"
+ "github.com/mrunalp/fileutils"
"github.com/opencontainers/runc/libcontainer/cgroups"
"github.com/opencontainers/runc/libcontainer/configs"
- "github.com/opencontainers/runc/libcontainer/label"
+ "github.com/opencontainers/runc/libcontainer/mount"
"github.com/opencontainers/runc/libcontainer/system"
libcontainerUtils "github.com/opencontainers/runc/libcontainer/utils"
+ "github.com/opencontainers/selinux/go-selinux/label"
+
+ "golang.org/x/sys/unix"
)
-const defaultMountFlags = syscall.MS_NOEXEC | syscall.MS_NOSUID | syscall.MS_NODEV
+const defaultMountFlags = unix.MS_NOEXEC | unix.MS_NOSUID | unix.MS_NODEV
-// setupRootfs sets up the devices, mount points, and filesystems for use inside a
-// new mount namespace.
-func setupRootfs(config *configs.Config, console *linuxConsole, pipe io.ReadWriter) (err error) {
+// needsSetupDev returns true if /dev needs to be set up.
+func needsSetupDev(config *configs.Config) bool {
+ for _, m := range config.Mounts {
+ if m.Device == "bind" && libcontainerUtils.CleanPath(m.Destination) == "/dev" {
+ return false
+ }
+ }
+ return true
+}
+
+// prepareRootfs sets up the devices, mount points, and filesystems for use
+// inside a new mount namespace. It doesn't set anything as ro. You must call
+// finalizeRootfs after this function to finish setting up the rootfs.
+func prepareRootfs(pipe io.ReadWriter, iConfig *initConfig) (err error) {
+ config := iConfig.Config
if err := prepareRoot(config); err != nil {
- return newSystemError(err)
+ return newSystemErrorWithCause(err, "preparing rootfs")
}
- setupDev := len(config.Devices) != 0
+ hasCgroupns := config.Namespaces.Contains(configs.NEWCGROUP)
+ setupDev := needsSetupDev(config)
for _, m := range config.Mounts {
for _, precmd := range m.PremountCmds {
if err := mountCmd(precmd); err != nil {
- return newSystemError(err)
+ return newSystemErrorWithCause(err, "running premount command")
}
}
- if err := mountToRootfs(m, config.Rootfs, config.MountLabel); err != nil {
- return newSystemError(err)
+ if err := mountToRootfs(m, config.Rootfs, config.MountLabel, hasCgroupns); err != nil {
+ return newSystemErrorWithCausef(err, "mounting %q to rootfs %q at %q", m.Source, config.Rootfs, m.Destination)
}
for _, postcmd := range m.PostmountCmds {
if err := mountCmd(postcmd); err != nil {
- return newSystemError(err)
+ return newSystemErrorWithCause(err, "running postmount command")
}
}
}
+
if setupDev {
if err := createDevices(config); err != nil {
- return newSystemError(err)
+ return newSystemErrorWithCause(err, "creating device nodes")
}
- if err := setupPtmx(config, console); err != nil {
- return newSystemError(err)
+ if err := setupPtmx(config); err != nil {
+ return newSystemErrorWithCause(err, "setting up ptmx")
}
if err := setupDevSymlinks(config.Rootfs); err != nil {
- return newSystemError(err)
+ return newSystemErrorWithCause(err, "setting up /dev symlinks")
}
}
+
// Signal the parent to run the pre-start hooks.
// The hooks are run after the mounts are setup, but before we switch to the new
// root, so that the old root is still available in the hooks for any mount
// manipulations.
+ // Note that iConfig.Cwd is not guaranteed to exist here.
if err := syncParentHooks(pipe); err != nil {
return err
}
- if err := syscall.Chdir(config.Rootfs); err != nil {
- return newSystemError(err)
+
+ // The reason these operations are done here rather than in finalizeRootfs
+ // is because the console-handling code gets quite sticky if we have to set
+ // up the console before doing the pivot_root(2). This is because the
+ // Console API has to also work with the ExecIn case, which means that the
+ // API must be able to deal with being inside as well as outside the
+ // container. It's just cleaner to do this here (at the expense of the
+ // operation not being perfectly split).
+
+ if err := unix.Chdir(config.Rootfs); err != nil {
+ return newSystemErrorWithCausef(err, "changing dir to %q", config.Rootfs)
}
+
if config.NoPivotRoot {
err = msMoveRoot(config.Rootfs)
+ } else if config.Namespaces.Contains(configs.NEWNS) {
+ err = pivotRoot(config.Rootfs)
} else {
- err = pivotRoot(config.Rootfs, config.PivotDir)
+ err = chroot(config.Rootfs)
}
if err != nil {
- return newSystemError(err)
+ return newSystemErrorWithCause(err, "jailing process inside rootfs")
}
+
if setupDev {
if err := reOpenDevNull(); err != nil {
- return newSystemError(err)
+ return newSystemErrorWithCause(err, "reopening /dev/null inside container")
}
}
- // remount dev as ro if specifed
+
+ if cwd := iConfig.Cwd; cwd != "" {
+ // Note that spec.Process.Cwd can contain unclean value like "../../../../foo/bar...".
+ // However, we are safe to call MkDirAll directly because we are in the jail here.
+ if err := os.MkdirAll(cwd, 0755); err != nil {
+ return err
+ }
+ }
+
+ return nil
+}
+
+// finalizeRootfs sets anything to ro if necessary. You must call
+// prepareRootfs first.
+func finalizeRootfs(config *configs.Config) (err error) {
+ // remount dev as ro if specified
for _, m := range config.Mounts {
- if m.Destination == "/dev" {
- if m.Flags&syscall.MS_RDONLY != 0 {
- if err := remountReadonly(m.Destination); err != nil {
- return newSystemError(err)
+ if libcontainerUtils.CleanPath(m.Destination) == "/dev" {
+ if m.Flags&unix.MS_RDONLY == unix.MS_RDONLY {
+ if err := remountReadonly(m); err != nil {
+ return newSystemErrorWithCausef(err, "remounting %q as readonly", m.Destination)
}
}
break
}
}
+
// set rootfs ( / ) as readonly
if config.Readonlyfs {
if err := setReadonly(); err != nil {
- return newSystemError(err)
+ return newSystemErrorWithCause(err, "setting rootfs as readonly")
}
}
- syscall.Umask(0022)
+
+ unix.Umask(0022)
return nil
}
-func mountCmd(cmd configs.Command) error {
+// /tmp has to be mounted as private to allow MS_MOVE to work in all situations
+func prepareTmp(topTmpDir string) (string, error) {
+ tmpdir, err := ioutil.TempDir(topTmpDir, "runctop")
+ if err != nil {
+ return "", err
+ }
+ if err := unix.Mount(tmpdir, tmpdir, "bind", unix.MS_BIND, ""); err != nil {
+ return "", err
+ }
+ if err := unix.Mount("", tmpdir, "", uintptr(unix.MS_PRIVATE), ""); err != nil {
+ return "", err
+ }
+ return tmpdir, nil
+}
+
+func cleanupTmp(tmpdir string) error {
+ unix.Unmount(tmpdir, 0)
+ return os.RemoveAll(tmpdir)
+}
+func mountCmd(cmd configs.Command) error {
command := exec.Command(cmd.Path, cmd.Args[:]...)
command.Env = cmd.Env
command.Dir = cmd.Dir
if out, err := command.CombinedOutput(); err != nil {
return fmt.Errorf("%#v failed: %s: %v", cmd, string(out), err)
}
-
return nil
}
-func mountToRootfs(m *configs.Mount, rootfs, mountLabel string) error {
+func mountToRootfs(m *configs.Mount, rootfs, mountLabel string, enableCgroupns bool) error {
var (
dest = m.Destination
)
@@ -140,18 +206,50 @@ func mountToRootfs(m *configs.Mount, rootfs, mountLabel string) error {
if err := mountPropagate(m, rootfs, ""); err != nil {
return err
}
+ return label.SetFileLabel(dest, mountLabel)
}
- return label.SetFileLabel(dest, mountLabel)
+ return nil
case "tmpfs":
+ copyUp := m.Extensions&configs.EXT_COPYUP == configs.EXT_COPYUP
+ tmpDir := ""
stat, err := os.Stat(dest)
if err != nil {
if err := os.MkdirAll(dest, 0755); err != nil {
return err
}
}
+ if copyUp {
+ tmpdir, err := prepareTmp("/tmp")
+ if err != nil {
+ return newSystemErrorWithCause(err, "tmpcopyup: failed to setup tmpdir")
+ }
+ defer cleanupTmp(tmpdir)
+ tmpDir, err = ioutil.TempDir(tmpdir, "runctmpdir")
+ if err != nil {
+ return newSystemErrorWithCause(err, "tmpcopyup: failed to create tmpdir")
+ }
+ defer os.RemoveAll(tmpDir)
+ m.Destination = tmpDir
+ }
if err := mountPropagate(m, rootfs, mountLabel); err != nil {
return err
}
+ if copyUp {
+ if err := fileutils.CopyDirectory(dest, tmpDir); err != nil {
+ errMsg := fmt.Errorf("tmpcopyup: failed to copy %s to %s: %v", dest, tmpDir, err)
+ if err1 := unix.Unmount(tmpDir, unix.MNT_DETACH); err1 != nil {
+ return newSystemErrorWithCausef(err1, "tmpcopyup: %v: failed to unmount", errMsg)
+ }
+ return errMsg
+ }
+ if err := unix.Mount(tmpDir, dest, "", unix.MS_MOVE, ""); err != nil {
+ errMsg := fmt.Errorf("tmpcopyup: failed to move mount %s to %s: %v", tmpDir, dest, err)
+ if err1 := unix.Unmount(tmpDir, unix.MNT_DETACH); err1 != nil {
+ return newSystemErrorWithCausef(err1, "tmpcopyup: %v: failed to unmount", errMsg)
+ }
+ return errMsg
+ }
+ }
if stat != nil {
if err = os.Chmod(dest, stat.Mode()); err != nil {
return err
@@ -169,7 +267,7 @@ func mountToRootfs(m *configs.Mount, rootfs, mountLabel string) error {
// any previous mounts can invalidate the next mount's destination.
// this can happen when a user specifies mounts within other mounts to cause breakouts or other
// evil stuff to try to escape the container's rootfs.
- if dest, err = symlink.FollowSymlinkInScope(filepath.Join(rootfs, m.Destination), rootfs); err != nil {
+ if dest, err = securejoin.SecureJoin(rootfs, m.Destination); err != nil {
return err
}
if err := checkMountDestination(rootfs, dest); err != nil {
@@ -185,7 +283,7 @@ func mountToRootfs(m *configs.Mount, rootfs, mountLabel string) error {
}
// bind mount won't change mount options, we need remount to make mount options effective.
// first check that we have non-default options required before attempting a remount
- if m.Flags&^(syscall.MS_REC|syscall.MS_REMOUNT|syscall.MS_BIND) != 0 {
+ if m.Flags&^(unix.MS_REC|unix.MS_REMOUNT|unix.MS_BIND) != 0 {
// only remount if unique mount options are set
if err := remount(m, rootfs); err != nil {
return err
@@ -221,48 +319,71 @@ func mountToRootfs(m *configs.Mount, rootfs, mountLabel string) error {
Data: "mode=755",
PropagationFlags: m.PropagationFlags,
}
- if err := mountToRootfs(tmpfs, rootfs, mountLabel); err != nil {
+ if err := mountToRootfs(tmpfs, rootfs, mountLabel, enableCgroupns); err != nil {
return err
}
for _, b := range binds {
- if err := mountToRootfs(b, rootfs, mountLabel); err != nil {
- return err
+ if enableCgroupns {
+ subsystemPath := filepath.Join(rootfs, b.Destination)
+ if err := os.MkdirAll(subsystemPath, 0755); err != nil {
+ return err
+ }
+ flags := defaultMountFlags
+ if m.Flags&unix.MS_RDONLY != 0 {
+ flags = flags | unix.MS_RDONLY
+ }
+ cgroupmount := &configs.Mount{
+ Source: "cgroup",
+ Device: "cgroup",
+ Destination: subsystemPath,
+ Flags: flags,
+ Data: filepath.Base(subsystemPath),
+ }
+ if err := mountNewCgroup(cgroupmount); err != nil {
+ return err
+ }
+ } else {
+ if err := mountToRootfs(b, rootfs, mountLabel, enableCgroupns); err != nil {
+ return err
+ }
}
}
- // create symlinks for merged cgroups
- cwd, err := os.Getwd()
- if err != nil {
- return err
- }
- if err := os.Chdir(filepath.Join(rootfs, m.Destination)); err != nil {
- return err
- }
for _, mc := range merged {
for _, ss := range strings.Split(mc, ",") {
- if err := os.Symlink(mc, ss); err != nil {
- // if cgroup already exists, then okay(it could have been created before)
- if os.IsExist(err) {
- continue
- }
- os.Chdir(cwd)
+ // symlink(2) is very dumb, it will just shove the path into
+ // the link and doesn't do any checks or relative path
+ // conversion. Also, don't error out if the cgroup already exists.
+ if err := os.Symlink(mc, filepath.Join(rootfs, m.Destination, ss)); err != nil && !os.IsExist(err) {
return err
}
}
}
- if err := os.Chdir(cwd); err != nil {
- return err
- }
- if m.Flags&syscall.MS_RDONLY != 0 {
+ if m.Flags&unix.MS_RDONLY != 0 {
// remount cgroup root as readonly
mcgrouproot := &configs.Mount{
+ Source: m.Destination,
+ Device: "bind",
Destination: m.Destination,
- Flags: defaultMountFlags | syscall.MS_RDONLY,
+ Flags: defaultMountFlags | unix.MS_RDONLY | unix.MS_BIND,
}
if err := remount(mcgrouproot, rootfs); err != nil {
return err
}
}
default:
+ // ensure that the destination of the mount is resolved of symlinks at mount time because
+ // any previous mounts can invalidate the next mount's destination.
+ // this can happen when a user specifies mounts within other mounts to cause breakouts or other
+ // evil stuff to try to escape the container's rootfs.
+ var err error
+ if dest, err = securejoin.SecureJoin(rootfs, m.Destination); err != nil {
+ return err
+ }
+ if err := checkMountDestination(rootfs, dest); err != nil {
+ return err
+ }
+ // update the mount with the correct dest after symlinks are resolved.
+ m.Destination = dest
if err := os.MkdirAll(dest, 0755); err != nil {
return err
}
@@ -272,7 +393,7 @@ func mountToRootfs(m *configs.Mount, rootfs, mountLabel string) error {
}
func getCgroupMounts(m *configs.Mount) ([]*configs.Mount, error) {
- mounts, err := cgroups.GetCgroupMounts()
+ mounts, err := cgroups.GetCgroupMounts(false)
if err != nil {
return nil, err
}
@@ -285,7 +406,7 @@ func getCgroupMounts(m *configs.Mount) ([]*configs.Mount, error) {
var binds []*configs.Mount
for _, mm := range mounts {
- dir, err := mm.GetThisCgroupDir(cgroupPaths)
+ dir, err := mm.GetOwnCgroup(cgroupPaths)
if err != nil {
return nil, err
}
@@ -296,8 +417,8 @@ func getCgroupMounts(m *configs.Mount) ([]*configs.Mount, error) {
binds = append(binds, &configs.Mount{
Device: "bind",
Source: filepath.Join(mm.Mountpoint, relDir),
- Destination: filepath.Join(m.Destination, strings.Join(mm.Subsystems, ",")),
- Flags: syscall.MS_BIND | syscall.MS_REC | m.Flags,
+ Destination: filepath.Join(m.Destination, filepath.Base(mm.Mountpoint)),
+ Flags: unix.MS_BIND | unix.MS_REC | m.Flags,
PropagationFlags: m.PropagationFlags,
})
}
@@ -308,9 +429,6 @@ func getCgroupMounts(m *configs.Mount) ([]*configs.Mount, error) {
// checkMountDestination checks to ensure that the mount destination is not over the top of /proc.
// dest is required to be an abs path and have any symlinks resolved before calling this function.
func checkMountDestination(rootfs, dest string) error {
- if libcontainerUtils.CleanPath(rootfs) == libcontainerUtils.CleanPath(dest) {
- return fmt.Errorf("mounting into / is prohibited")
- }
invalidDestinations := []string{
"/proc",
}
@@ -322,6 +440,9 @@ func checkMountDestination(rootfs, dest string) error {
"/proc/diskstats",
"/proc/meminfo",
"/proc/stat",
+ "/proc/swaps",
+ "/proc/uptime",
+ "/proc/loadavg",
"/proc/net/dev",
}
for _, valid := range validDestinations {
@@ -338,7 +459,7 @@ func checkMountDestination(rootfs, dest string) error {
if err != nil {
return err
}
- if path == "." || !strings.HasPrefix(path, "..") {
+ if path != "." && !strings.HasPrefix(path, "..") {
return fmt.Errorf("%q cannot be mounted because it is located inside %q", dest, invalid)
}
}
@@ -374,22 +495,22 @@ func setupDevSymlinks(rootfs string) error {
// needs to be called after we chroot/pivot into the container's rootfs so that any
// symlinks are resolved locally.
func reOpenDevNull() error {
- var stat, devNullStat syscall.Stat_t
+ var stat, devNullStat unix.Stat_t
file, err := os.OpenFile("/dev/null", os.O_RDWR, 0)
if err != nil {
return fmt.Errorf("Failed to open /dev/null - %s", err)
}
defer file.Close()
- if err := syscall.Fstat(int(file.Fd()), &devNullStat); err != nil {
+ if err := unix.Fstat(int(file.Fd()), &devNullStat); err != nil {
return err
}
for fd := 0; fd < 3; fd++ {
- if err := syscall.Fstat(fd, &stat); err != nil {
+ if err := unix.Fstat(fd, &stat); err != nil {
return err
}
if stat.Rdev == devNullStat.Rdev {
// Close and re-open the fd.
- if err := syscall.Dup3(int(file.Fd()), fd, 0); err != nil {
+ if err := unix.Dup3(int(file.Fd()), fd, 0); err != nil {
return err
}
}
@@ -400,16 +521,16 @@ func reOpenDevNull() error {
// Create the device nodes in the container.
func createDevices(config *configs.Config) error {
useBindMount := system.RunningInUserNS() || config.Namespaces.Contains(configs.NEWUSER)
- oldMask := syscall.Umask(0000)
+ oldMask := unix.Umask(0000)
for _, node := range config.Devices {
// containers running in a user namespace are not allowed to mknod
// devices so we can just bind mount it from the host.
if err := createDeviceNode(config.Rootfs, node, useBindMount); err != nil {
- syscall.Umask(oldMask)
+ unix.Umask(oldMask)
return err
}
}
- syscall.Umask(oldMask)
+ unix.Umask(oldMask)
return nil
}
@@ -421,7 +542,7 @@ func bindMountDeviceNode(dest string, node *configs.Device) error {
if f != nil {
f.Close()
}
- return syscall.Mount(node.Path, dest, "bind", syscall.MS_BIND, "")
+ return unix.Mount(node.Path, dest, "bind", unix.MS_BIND, "")
}
// Creates the device node in the rootfs of the container.
@@ -448,17 +569,19 @@ func createDeviceNode(rootfs string, node *configs.Device, bind bool) error {
func mknodDevice(dest string, node *configs.Device) error {
fileMode := node.FileMode
switch node.Type {
- case 'c':
- fileMode |= syscall.S_IFCHR
+ case 'c', 'u':
+ fileMode |= unix.S_IFCHR
case 'b':
- fileMode |= syscall.S_IFBLK
+ fileMode |= unix.S_IFBLK
+ case 'p':
+ fileMode |= unix.S_IFIFO
default:
return fmt.Errorf("%c is not a valid device type for device %s", node.Type, node.Path)
}
- if err := syscall.Mknod(dest, uint32(fileMode), node.Mkdev()); err != nil {
+ if err := unix.Mknod(dest, uint32(fileMode), node.Mkdev()); err != nil {
return err
}
- return syscall.Chown(dest, int(node.Uid), int(node.Gid))
+ return unix.Chown(dest, int(node.Uid), int(node.Gid))
}
func getMountInfo(mountinfo []*mount.Info, dir string) *mount.Info {
@@ -504,10 +627,10 @@ func getParentMount(rootfs string) (string, string, error) {
}
// Make parent mount private if it was shared
-func rootfsParentMountPrivate(config *configs.Config) error {
+func rootfsParentMountPrivate(rootfs string) error {
sharedMount := false
- parentMount, optionalOpts, err := getParentMount(config.Rootfs)
+ parentMount, optionalOpts, err := getParentMount(rootfs)
if err != nil {
return err
}
@@ -525,33 +648,36 @@ func rootfsParentMountPrivate(config *configs.Config) error {
// shared. Secondly when we bind mount rootfs it will propagate to
// parent namespace and we don't want that to happen.
if sharedMount {
- return syscall.Mount("", parentMount, "", syscall.MS_PRIVATE, "")
+ return unix.Mount("", parentMount, "", unix.MS_PRIVATE, "")
}
return nil
}
func prepareRoot(config *configs.Config) error {
- flag := syscall.MS_SLAVE | syscall.MS_REC
+ flag := unix.MS_SLAVE | unix.MS_REC
if config.RootPropagation != 0 {
flag = config.RootPropagation
}
- if err := syscall.Mount("", "/", "", uintptr(flag), ""); err != nil {
+ if err := unix.Mount("", "/", "", uintptr(flag), ""); err != nil {
return err
}
- if err := rootfsParentMountPrivate(config); err != nil {
+ // Make parent mount private to make sure following bind mount does
+ // not propagate in other namespaces. Also it will help with kernel
+ // check pass in pivot_root. (IS_SHARED(new_mnt->mnt_parent))
+ if err := rootfsParentMountPrivate(config.Rootfs); err != nil {
return err
}
- return syscall.Mount(config.Rootfs, config.Rootfs, "bind", syscall.MS_BIND|syscall.MS_REC, "")
+ return unix.Mount(config.Rootfs, config.Rootfs, "bind", unix.MS_BIND|unix.MS_REC, "")
}
func setReadonly() error {
- return syscall.Mount("/", "/", "bind", syscall.MS_BIND|syscall.MS_REMOUNT|syscall.MS_RDONLY|syscall.MS_REC, "")
+ return unix.Mount("/", "/", "bind", unix.MS_BIND|unix.MS_REMOUNT|unix.MS_RDONLY|unix.MS_REC, "")
}
-func setupPtmx(config *configs.Config, console *linuxConsole) error {
+func setupPtmx(config *configs.Config) error {
ptmx := filepath.Join(config.Rootfs, "dev/ptmx")
if err := os.Remove(ptmx); err != nil && !os.IsNotExist(err) {
return err
@@ -559,59 +685,115 @@ func setupPtmx(config *configs.Config, console *linuxConsole) error {
if err := os.Symlink("pts/ptmx", ptmx); err != nil {
return fmt.Errorf("symlink dev ptmx %s", err)
}
- if console != nil {
- return console.mount(config.Rootfs, config.MountLabel)
- }
return nil
}
-func pivotRoot(rootfs, pivotBaseDir string) (err error) {
- if pivotBaseDir == "" {
- pivotBaseDir = "/"
- }
- tmpDir := filepath.Join(rootfs, pivotBaseDir)
- if err := os.MkdirAll(tmpDir, 0755); err != nil {
- return fmt.Errorf("can't create tmp dir %s, error %v", tmpDir, err)
+// pivotRoot will call pivot_root such that rootfs becomes the new root
+// filesystem, and everything else is cleaned up.
+func pivotRoot(rootfs string) error {
+ // While the documentation may claim otherwise, pivot_root(".", ".") is
+ // actually valid. What this results in is / being the new root but
+ // /proc/self/cwd being the old root. Since we can play around with the cwd
+ // with pivot_root this allows us to pivot without creating directories in
+ // the rootfs. Shout-outs to the LXC developers for giving us this idea.
+
+ oldroot, err := unix.Open("/", unix.O_DIRECTORY|unix.O_RDONLY, 0)
+ if err != nil {
+ return err
}
- pivotDir, err := ioutil.TempDir(tmpDir, ".pivot_root")
+ defer unix.Close(oldroot)
+
+ newroot, err := unix.Open(rootfs, unix.O_DIRECTORY|unix.O_RDONLY, 0)
if err != nil {
- return fmt.Errorf("can't create pivot_root dir %s, error %v", pivotDir, err)
+ return err
}
- defer func() {
- errVal := os.Remove(pivotDir)
- if err == nil {
- err = errVal
- }
- }()
- if err := syscall.PivotRoot(rootfs, pivotDir); err != nil {
+ defer unix.Close(newroot)
+
+ // Change to the new root so that the pivot_root actually acts on it.
+ if err := unix.Fchdir(newroot); err != nil {
+ return err
+ }
+
+ if err := unix.PivotRoot(".", "."); err != nil {
return fmt.Errorf("pivot_root %s", err)
}
- if err := syscall.Chdir("/"); err != nil {
- return fmt.Errorf("chdir / %s", err)
+
+ // Currently our "." is oldroot (according to the current kernel code).
+ // However, purely for safety, we will fchdir(oldroot) since there isn't
+ // really any guarantee from the kernel what /proc/self/cwd will be after a
+ // pivot_root(2).
+
+ if err := unix.Fchdir(oldroot); err != nil {
+ return err
}
- // path to pivot dir now changed, update
- pivotDir = filepath.Join(pivotBaseDir, filepath.Base(pivotDir))
- // Make pivotDir rprivate to make sure any of the unmounts don't
- // propagate to parent.
- if err := syscall.Mount("", pivotDir, "", syscall.MS_PRIVATE|syscall.MS_REC, ""); err != nil {
+ // Make oldroot rslave to make sure our unmounts don't propagate to the
+ // host (and thus bork the machine). We don't use rprivate because this is
+ // known to cause issues due to races where we still have a reference to a
+ // mount while a process in the host namespace are trying to operate on
+ // something they think has no mounts (devicemapper in particular).
+ if err := unix.Mount("", ".", "", unix.MS_SLAVE|unix.MS_REC, ""); err != nil {
+ return err
+ }
+ // Preform the unmount. MNT_DETACH allows us to unmount /proc/self/cwd.
+ if err := unix.Unmount(".", unix.MNT_DETACH); err != nil {
return err
}
- if err := syscall.Unmount(pivotDir, syscall.MNT_DETACH); err != nil {
- return fmt.Errorf("unmount pivot_root dir %s", err)
+ // Switch back to our shiny new root.
+ if err := unix.Chdir("/"); err != nil {
+ return fmt.Errorf("chdir / %s", err)
}
return nil
}
func msMoveRoot(rootfs string) error {
- if err := syscall.Mount(rootfs, "/", "", syscall.MS_MOVE, ""); err != nil {
+ mountinfos, err := mount.GetMounts()
+ if err != nil {
return err
}
- if err := syscall.Chroot("."); err != nil {
+
+ absRootfs, err := filepath.Abs(rootfs)
+ if err != nil {
return err
}
- return syscall.Chdir("/")
+
+ for _, info := range mountinfos {
+ p, err := filepath.Abs(info.Mountpoint)
+ if err != nil {
+ return err
+ }
+ // Umount every syfs and proc file systems, except those under the container rootfs
+ if (info.Fstype != "proc" && info.Fstype != "sysfs") || filepath.HasPrefix(p, absRootfs) {
+ continue
+ }
+ // Be sure umount events are not propagated to the host.
+ if err := unix.Mount("", p, "", unix.MS_SLAVE|unix.MS_REC, ""); err != nil {
+ return err
+ }
+ if err := unix.Unmount(p, unix.MNT_DETACH); err != nil {
+ if err != unix.EINVAL && err != unix.EPERM {
+ return err
+ } else {
+ // If we have not privileges for umounting (e.g. rootless), then
+ // cover the path.
+ if err := unix.Mount("tmpfs", p, "tmpfs", 0, ""); err != nil {
+ return err
+ }
+ }
+ }
+ }
+ if err := unix.Mount(rootfs, "/", "", unix.MS_MOVE, ""); err != nil {
+ return err
+ }
+ return chroot(rootfs)
+}
+
+func chroot(rootfs string) error {
+ if err := unix.Chroot("."); err != nil {
+ return err
+ }
+ return unix.Chdir("/")
}
// createIfNotExists creates a file or a directory only if it does not already exist.
@@ -634,18 +816,34 @@ func createIfNotExists(path string, isDir bool) error {
return nil
}
-// remountReadonly will bind over the top of an existing path and ensure that it is read-only.
-func remountReadonly(path string) error {
+// readonlyPath will make a path read only.
+func readonlyPath(path string) error {
+ if err := unix.Mount(path, path, "", unix.MS_BIND|unix.MS_REC, ""); err != nil {
+ if os.IsNotExist(err) {
+ return nil
+ }
+ return err
+ }
+ return unix.Mount(path, path, "", unix.MS_BIND|unix.MS_REMOUNT|unix.MS_RDONLY|unix.MS_REC, "")
+}
+
+// remountReadonly will remount an existing mount point and ensure that it is read-only.
+func remountReadonly(m *configs.Mount) error {
+ var (
+ dest = m.Destination
+ flags = m.Flags
+ )
for i := 0; i < 5; i++ {
- if err := syscall.Mount("", path, "", syscall.MS_REMOUNT|syscall.MS_RDONLY, ""); err != nil && !os.IsNotExist(err) {
+ // There is a special case in the kernel for
+ // MS_REMOUNT | MS_BIND, which allows us to change only the
+ // flags even as an unprivileged user (i.e. user namespace)
+ // assuming we don't drop any security related flags (nodev,
+ // nosuid, etc.). So, let's use that case so that we can do
+ // this re-mount without failing in a userns.
+ flags |= unix.MS_REMOUNT | unix.MS_BIND | unix.MS_RDONLY
+ if err := unix.Mount("", dest, "", uintptr(flags), ""); err != nil {
switch err {
- case syscall.EINVAL:
- // Probably not a mountpoint, use bind-mount
- if err := syscall.Mount(path, path, "", syscall.MS_BIND, ""); err != nil {
- return err
- }
- return syscall.Mount(path, path, "", syscall.MS_BIND|syscall.MS_REMOUNT|syscall.MS_RDONLY|syscall.MS_REC|defaultMountFlags, "")
- case syscall.EBUSY:
+ case unix.EBUSY:
time.Sleep(100 * time.Millisecond)
continue
default:
@@ -654,13 +852,19 @@ func remountReadonly(path string) error {
}
return nil
}
- return fmt.Errorf("unable to mount %s as readonly max retries reached", path)
+ return fmt.Errorf("unable to mount %s as readonly max retries reached", dest)
}
-// maskFile bind mounts /dev/null over the top of the specified path inside a container
-// to avoid security issues from processes reading information from non-namespace aware mounts ( proc/kcore ).
-func maskFile(path string) error {
- if err := syscall.Mount("/dev/null", path, "", syscall.MS_BIND, ""); err != nil && !os.IsNotExist(err) {
+// maskPath masks the top of the specified path inside a container to avoid
+// security issues from processes reading information from non-namespace aware
+// mounts ( proc/kcore ).
+// For files, maskPath bind mounts /dev/null over the top of the specified path.
+// For directories, maskPath mounts read-only tmpfs over the top of the specified path.
+func maskPath(path string, mountLabel string) error {
+ if err := unix.Mount("/dev/null", path, "", unix.MS_BIND, ""); err != nil && !os.IsNotExist(err) {
+ if err == unix.ENOTDIR {
+ return unix.Mount("tmpfs", path, "tmpfs", unix.MS_RDONLY, label.FormatMountLabel("", mountLabel))
+ }
return err
}
return nil
@@ -680,10 +884,7 @@ func remount(m *configs.Mount, rootfs string) error {
if !strings.HasPrefix(dest, rootfs) {
dest = filepath.Join(rootfs, dest)
}
- if err := syscall.Mount(m.Source, dest, m.Device, uintptr(m.Flags|syscall.MS_REMOUNT), ""); err != nil {
- return err
- }
- return nil
+ return unix.Mount(m.Source, dest, m.Device, uintptr(m.Flags|unix.MS_REMOUNT), "")
}
// Do the mount operation followed by additional mounts required to take care
@@ -694,21 +895,38 @@ func mountPropagate(m *configs.Mount, rootfs string, mountLabel string) error {
data = label.FormatMountLabel(m.Data, mountLabel)
flags = m.Flags
)
- if dest == "/dev" {
- flags &= ^syscall.MS_RDONLY
+ if libcontainerUtils.CleanPath(dest) == "/dev" {
+ flags &= ^unix.MS_RDONLY
}
- if !strings.HasPrefix(dest, rootfs) {
+
+ copyUp := m.Extensions&configs.EXT_COPYUP == configs.EXT_COPYUP
+ if !(copyUp || strings.HasPrefix(dest, rootfs)) {
dest = filepath.Join(rootfs, dest)
}
- if err := syscall.Mount(m.Source, dest, m.Device, uintptr(flags), data); err != nil {
+ if err := unix.Mount(m.Source, dest, m.Device, uintptr(flags), data); err != nil {
return err
}
for _, pflag := range m.PropagationFlags {
- if err := syscall.Mount("", dest, "", uintptr(pflag), ""); err != nil {
+ if err := unix.Mount("", dest, "", uintptr(pflag), ""); err != nil {
return err
}
}
return nil
}
+
+func mountNewCgroup(m *configs.Mount) error {
+ var (
+ data = m.Data
+ source = m.Source
+ )
+ if data == "systemd" {
+ data = cgroups.CgroupNamePrefix + data
+ source = "systemd"
+ }
+ if err := unix.Mount(source, m.Destination, m.Device, uintptr(m.Flags), data); err != nil {
+ return err
+ }
+ return nil
+}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/rootfs_linux_test.go b/vendor/github.com/opencontainers/runc/libcontainer/rootfs_linux_test.go
index a3bb07708b93a6a7666cf008a0e4e3f62eb59038..d755984bc0f9eb0995f251a007eef32f42ecd59e 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/rootfs_linux_test.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/rootfs_linux_test.go
@@ -2,16 +2,28 @@
package libcontainer
-import "testing"
+import (
+ "testing"
+
+ "github.com/opencontainers/runc/libcontainer/configs"
+)
func TestCheckMountDestOnProc(t *testing.T) {
- dest := "/rootfs/proc/"
+ dest := "/rootfs/proc/sys"
err := checkMountDestination("/rootfs", dest)
if err == nil {
t.Fatal("destination inside proc should return an error")
}
}
+func TestCheckMountDestOnProcChroot(t *testing.T) {
+ dest := "/rootfs/proc/"
+ err := checkMountDestination("/rootfs", dest)
+ if err != nil {
+ t.Fatal("destination inside proc when using chroot should not return an error")
+ }
+}
+
func TestCheckMountDestInSys(t *testing.T) {
dest := "/rootfs//sys/fs/cgroup"
err := checkMountDestination("/rootfs", dest)
@@ -28,10 +40,62 @@ func TestCheckMountDestFalsePositive(t *testing.T) {
}
}
-func TestCheckMountRoot(t *testing.T) {
- dest := "/rootfs"
- err := checkMountDestination("/rootfs", dest)
- if err == nil {
- t.Fatal(err)
+func TestNeedsSetupDev(t *testing.T) {
+ config := &configs.Config{
+ Mounts: []*configs.Mount{
+ {
+ Device: "bind",
+ Source: "/dev",
+ Destination: "/dev",
+ },
+ },
+ }
+ if needsSetupDev(config) {
+ t.Fatal("expected needsSetupDev to be false, got true")
+ }
+}
+
+func TestNeedsSetupDevStrangeSource(t *testing.T) {
+ config := &configs.Config{
+ Mounts: []*configs.Mount{
+ {
+ Device: "bind",
+ Source: "/devx",
+ Destination: "/dev",
+ },
+ },
+ }
+ if needsSetupDev(config) {
+ t.Fatal("expected needsSetupDev to be false, got true")
+ }
+}
+
+func TestNeedsSetupDevStrangeDest(t *testing.T) {
+ config := &configs.Config{
+ Mounts: []*configs.Mount{
+ {
+ Device: "bind",
+ Source: "/dev",
+ Destination: "/devx",
+ },
+ },
+ }
+ if !needsSetupDev(config) {
+ t.Fatal("expected needsSetupDev to be true, got false")
+ }
+}
+
+func TestNeedsSetupDevStrangeSourceDest(t *testing.T) {
+ config := &configs.Config{
+ Mounts: []*configs.Mount{
+ {
+ Device: "bind",
+ Source: "/devx",
+ Destination: "/devx",
+ },
+ },
+ }
+ if !needsSetupDev(config) {
+ t.Fatal("expected needsSetupDev to be true, got false")
}
}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/seccomp/config.go b/vendor/github.com/opencontainers/runc/libcontainer/seccomp/config.go
index 3b9a7595f2bf07fb303ef20adb795277845f1fa1..ded5a6bbc8bba9e0291b26d4402839a2daea1680 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/seccomp/config.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/seccomp/config.go
@@ -36,6 +36,11 @@ var archs = map[string]string{
"SCMP_ARCH_MIPSEL": "mipsel",
"SCMP_ARCH_MIPSEL64": "mipsel64",
"SCMP_ARCH_MIPSEL64N32": "mipsel64n32",
+ "SCMP_ARCH_PPC": "ppc",
+ "SCMP_ARCH_PPC64": "ppc64",
+ "SCMP_ARCH_PPC64LE": "ppc64le",
+ "SCMP_ARCH_S390": "s390",
+ "SCMP_ARCH_S390X": "s390x",
}
// ConvertStringToOperator converts a string into a Seccomp comparison operator.
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/seccomp/seccomp_linux.go b/vendor/github.com/opencontainers/runc/libcontainer/seccomp/seccomp_linux.go
index 623e227748d849bc6d015ffeecfc574425105f76..d99f3fe640c6ddd28aa4e835c8cc0586b9189a56 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/seccomp/seccomp_linux.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/seccomp/seccomp_linux.go
@@ -5,24 +5,26 @@ package seccomp
import (
"bufio"
"fmt"
- "log"
"os"
"strings"
- "syscall"
"github.com/opencontainers/runc/libcontainer/configs"
libseccomp "github.com/seccomp/libseccomp-golang"
+
+ "golang.org/x/sys/unix"
)
var (
actAllow = libseccomp.ActAllow
actTrap = libseccomp.ActTrap
actKill = libseccomp.ActKill
- actTrace = libseccomp.ActTrace.SetReturnCode(int16(syscall.EPERM))
- actErrno = libseccomp.ActErrno.SetReturnCode(int16(syscall.EPERM))
+ actTrace = libseccomp.ActTrace.SetReturnCode(int16(unix.EPERM))
+ actErrno = libseccomp.ActErrno.SetReturnCode(int16(unix.EPERM))
+)
- // SeccompModeFilter refers to the syscall argument SECCOMP_MODE_FILTER.
- SeccompModeFilter = uintptr(2)
+const (
+ // Linux system calls can have at most 6 arguments
+ syscallMaxArguments int = 6
)
// Filters given syscalls in a container, preventing them from being used
@@ -48,11 +50,11 @@ func InitSeccomp(config *configs.Seccomp) error {
for _, arch := range config.Architectures {
scmpArch, err := libseccomp.GetArchFromString(arch)
if err != nil {
- return err
+ return fmt.Errorf("error validating Seccomp architecture: %s", err)
}
if err := filter.AddArch(scmpArch); err != nil {
- return err
+ return fmt.Errorf("error adding architecture to seccomp filter: %s", err)
}
}
@@ -85,9 +87,9 @@ func IsEnabled() bool {
s, err := parseStatusFile("/proc/self/status")
if err != nil {
// Check if Seccomp is supported, via CONFIG_SECCOMP.
- if _, _, err := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_GET_SECCOMP, 0, 0); err != syscall.EINVAL {
+ if err := unix.Prctl(unix.PR_GET_SECCOMP, 0, 0, 0, 0); err != unix.EINVAL {
// Make sure the kernel has CONFIG_SECCOMP_FILTER.
- if _, _, err := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_SET_SECCOMP, SeccompModeFilter, 0); err != syscall.EINVAL {
+ if err := unix.Prctl(unix.PR_SET_SECCOMP, unix.SECCOMP_MODE_FILTER, 0, 0, 0); err != unix.EINVAL {
return true
}
}
@@ -167,36 +169,61 @@ func matchCall(filter *libseccomp.ScmpFilter, call *configs.Syscall) error {
// Ignore it, don't error out
callNum, err := libseccomp.GetSyscallFromName(call.Name)
if err != nil {
- log.Printf("Error resolving syscall name %s: %s - ignoring syscall.", call.Name, err)
return nil
}
// Convert the call's action to the libseccomp equivalent
callAct, err := getAction(call.Action)
if err != nil {
- return err
+ return fmt.Errorf("action in seccomp profile is invalid: %s", err)
}
// Unconditional match - just add the rule
if len(call.Args) == 0 {
if err = filter.AddRule(callNum, callAct); err != nil {
- return err
+ return fmt.Errorf("error adding seccomp filter rule for syscall %s: %s", call.Name, err)
}
} else {
- // Conditional match - convert the per-arg rules into library format
+ // If two or more arguments have the same condition,
+ // Revert to old behavior, adding each condition as a separate rule
+ argCounts := make([]uint, syscallMaxArguments)
conditions := []libseccomp.ScmpCondition{}
for _, cond := range call.Args {
newCond, err := getCondition(cond)
if err != nil {
- return err
+ return fmt.Errorf("error creating seccomp syscall condition for syscall %s: %s", call.Name, err)
}
+ argCounts[cond.Index] += 1
+
conditions = append(conditions, newCond)
}
- if err = filter.AddRuleConditional(callNum, callAct, conditions); err != nil {
- return err
+ hasMultipleArgs := false
+ for _, count := range argCounts {
+ if count > 1 {
+ hasMultipleArgs = true
+ break
+ }
+ }
+
+ if hasMultipleArgs {
+ // Revert to old behavior
+ // Add each condition attached to a separate rule
+ for _, cond := range conditions {
+ condArr := []libseccomp.ScmpCondition{cond}
+
+ if err = filter.AddRuleConditional(callNum, callAct, condArr); err != nil {
+ return fmt.Errorf("error adding seccomp rule for syscall %s: %s", call.Name, err)
+ }
+ }
+ } else {
+ // No conditions share same argument
+ // Use new, proper behavior
+ if err = filter.AddRuleConditional(callNum, callAct, conditions); err != nil {
+ return fmt.Errorf("error adding seccomp rule for syscall %s: %s", call.Name, err)
+ }
}
}
@@ -214,10 +241,6 @@ func parseStatusFile(path string) (map[string]string, error) {
status := make(map[string]string)
for s.Scan() {
- if err := s.Err(); err != nil {
- return nil, err
- }
-
text := s.Text()
parts := strings.Split(text, ":")
@@ -227,5 +250,9 @@ func parseStatusFile(path string) (map[string]string, error) {
status[parts[0]] = parts[1]
}
+ if err := s.Err(); err != nil {
+ return nil, err
+ }
+
return status, nil
}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/seccomp/seccomp_unsupported.go b/vendor/github.com/opencontainers/runc/libcontainer/seccomp/seccomp_unsupported.go
index 888483e7687f7f18ba18c30f7da1aead621e5e97..44df1ad4c269a80447e2ffee69fed29803b55d84 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/seccomp/seccomp_unsupported.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/seccomp/seccomp_unsupported.go
@@ -10,7 +10,7 @@ import (
var ErrSeccompNotEnabled = errors.New("seccomp: config provided but seccomp not supported")
-// Seccomp not supported, do nothing
+// InitSeccomp does nothing because seccomp is not supported.
func InitSeccomp(config *configs.Seccomp) error {
if config != nil {
return ErrSeccompNotEnabled
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/selinux/selinux.go b/vendor/github.com/opencontainers/runc/libcontainer/selinux/selinux.go
deleted file mode 100644
index 3bdce10ca3c787d321d697f2b26821fe65b07c8e..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/libcontainer/selinux/selinux.go
+++ /dev/null
@@ -1,479 +0,0 @@
-// +build linux
-
-package selinux
-
-import (
- "bufio"
- "crypto/rand"
- "encoding/binary"
- "fmt"
- "io"
- "os"
- "path/filepath"
- "regexp"
- "strconv"
- "strings"
- "syscall"
-
- "github.com/docker/docker/pkg/mount"
- "github.com/opencontainers/runc/libcontainer/system"
-)
-
-const (
- Enforcing = 1
- Permissive = 0
- Disabled = -1
- selinuxDir = "/etc/selinux/"
- selinuxConfig = selinuxDir + "config"
- selinuxTypeTag = "SELINUXTYPE"
- selinuxTag = "SELINUX"
- selinuxPath = "/sys/fs/selinux"
- xattrNameSelinux = "security.selinux"
- stRdOnly = 0x01
-)
-
-var (
- assignRegex = regexp.MustCompile(`^([^=]+)=(.*)$`)
- mcsList = make(map[string]bool)
- selinuxfs = "unknown"
- selinuxEnabled = false // Stores whether selinux is currently enabled
- selinuxEnabledChecked = false // Stores whether selinux enablement has been checked or established yet
-)
-
-type SELinuxContext map[string]string
-
-// SetDisabled disables selinux support for the package
-func SetDisabled() {
- selinuxEnabled, selinuxEnabledChecked = false, true
-}
-
-// getSelinuxMountPoint returns the path to the mountpoint of an selinuxfs
-// filesystem or an empty string if no mountpoint is found. Selinuxfs is
-// a proc-like pseudo-filesystem that exposes the selinux policy API to
-// processes. The existence of an selinuxfs mount is used to determine
-// whether selinux is currently enabled or not.
-func getSelinuxMountPoint() string {
- if selinuxfs != "unknown" {
- return selinuxfs
- }
- selinuxfs = ""
-
- mounts, err := mount.GetMounts()
- if err != nil {
- return selinuxfs
- }
- for _, mount := range mounts {
- if mount.Fstype == "selinuxfs" {
- selinuxfs = mount.Mountpoint
- break
- }
- }
- if selinuxfs != "" {
- var buf syscall.Statfs_t
- syscall.Statfs(selinuxfs, &buf)
- if (buf.Flags & stRdOnly) == 1 {
- selinuxfs = ""
- }
- }
- return selinuxfs
-}
-
-// SelinuxEnabled returns whether selinux is currently enabled.
-func SelinuxEnabled() bool {
- if selinuxEnabledChecked {
- return selinuxEnabled
- }
- selinuxEnabledChecked = true
- if fs := getSelinuxMountPoint(); fs != "" {
- if con, _ := Getcon(); con != "kernel" {
- selinuxEnabled = true
- }
- }
- return selinuxEnabled
-}
-
-func readConfig(target string) (value string) {
- var (
- val, key string
- bufin *bufio.Reader
- )
-
- in, err := os.Open(selinuxConfig)
- if err != nil {
- return ""
- }
- defer in.Close()
-
- bufin = bufio.NewReader(in)
-
- for done := false; !done; {
- var line string
- if line, err = bufin.ReadString('\n'); err != nil {
- if err != io.EOF {
- return ""
- }
- done = true
- }
- line = strings.TrimSpace(line)
- if len(line) == 0 {
- // Skip blank lines
- continue
- }
- if line[0] == ';' || line[0] == '#' {
- // Skip comments
- continue
- }
- if groups := assignRegex.FindStringSubmatch(line); groups != nil {
- key, val = strings.TrimSpace(groups[1]), strings.TrimSpace(groups[2])
- if key == target {
- return strings.Trim(val, "\"")
- }
- }
- }
- return ""
-}
-
-func getSELinuxPolicyRoot() string {
- return selinuxDir + readConfig(selinuxTypeTag)
-}
-
-func readCon(name string) (string, error) {
- var val string
-
- in, err := os.Open(name)
- if err != nil {
- return "", err
- }
- defer in.Close()
-
- _, err = fmt.Fscanf(in, "%s", &val)
- return val, err
-}
-
-// Setfilecon sets the SELinux label for this path or returns an error.
-func Setfilecon(path string, scon string) error {
- return system.Lsetxattr(path, xattrNameSelinux, []byte(scon), 0)
-}
-
-// Getfilecon returns the SELinux label for this path or returns an error.
-func Getfilecon(path string) (string, error) {
- con, err := system.Lgetxattr(path, xattrNameSelinux)
- if err != nil {
- return "", err
- }
- // Trim the NUL byte at the end of the byte buffer, if present.
- if len(con) > 0 && con[len(con)-1] == '\x00' {
- con = con[:len(con)-1]
- }
- return string(con), nil
-}
-
-func Setfscreatecon(scon string) error {
- return writeCon(fmt.Sprintf("/proc/self/task/%d/attr/fscreate", syscall.Gettid()), scon)
-}
-
-func Getfscreatecon() (string, error) {
- return readCon(fmt.Sprintf("/proc/self/task/%d/attr/fscreate", syscall.Gettid()))
-}
-
-// Getcon returns the SELinux label of the current process thread, or an error.
-func Getcon() (string, error) {
- return readCon(fmt.Sprintf("/proc/self/task/%d/attr/current", syscall.Gettid()))
-}
-
-// Getpidcon returns the SELinux label of the given pid, or an error.
-func Getpidcon(pid int) (string, error) {
- return readCon(fmt.Sprintf("/proc/%d/attr/current", pid))
-}
-
-func Getexeccon() (string, error) {
- return readCon(fmt.Sprintf("/proc/self/task/%d/attr/exec", syscall.Gettid()))
-}
-
-func writeCon(name string, val string) error {
- out, err := os.OpenFile(name, os.O_WRONLY, 0)
- if err != nil {
- return err
- }
- defer out.Close()
-
- if val != "" {
- _, err = out.Write([]byte(val))
- } else {
- _, err = out.Write(nil)
- }
- return err
-}
-
-func Setexeccon(scon string) error {
- return writeCon(fmt.Sprintf("/proc/self/task/%d/attr/exec", syscall.Gettid()), scon)
-}
-
-func (c SELinuxContext) Get() string {
- return fmt.Sprintf("%s:%s:%s:%s", c["user"], c["role"], c["type"], c["level"])
-}
-
-func NewContext(scon string) SELinuxContext {
- c := make(SELinuxContext)
-
- if len(scon) != 0 {
- con := strings.SplitN(scon, ":", 4)
- c["user"] = con[0]
- c["role"] = con[1]
- c["type"] = con[2]
- c["level"] = con[3]
- }
- return c
-}
-
-func ReserveLabel(scon string) {
- if len(scon) != 0 {
- con := strings.SplitN(scon, ":", 4)
- mcsAdd(con[3])
- }
-}
-
-func selinuxEnforcePath() string {
- return fmt.Sprintf("%s/enforce", selinuxPath)
-}
-
-func SelinuxGetEnforce() int {
- var enforce int
-
- enforceS, err := readCon(selinuxEnforcePath())
- if err != nil {
- return -1
- }
-
- enforce, err = strconv.Atoi(string(enforceS))
- if err != nil {
- return -1
- }
- return enforce
-}
-
-func SelinuxSetEnforce(mode int) error {
- return writeCon(selinuxEnforcePath(), fmt.Sprintf("%d", mode))
-}
-
-func SelinuxGetEnforceMode() int {
- switch readConfig(selinuxTag) {
- case "enforcing":
- return Enforcing
- case "permissive":
- return Permissive
- }
- return Disabled
-}
-
-func mcsAdd(mcs string) error {
- if mcsList[mcs] {
- return fmt.Errorf("MCS Label already exists")
- }
- mcsList[mcs] = true
- return nil
-}
-
-func mcsDelete(mcs string) {
- mcsList[mcs] = false
-}
-
-func IntToMcs(id int, catRange uint32) string {
- var (
- SETSIZE = int(catRange)
- TIER = SETSIZE
- ORD = id
- )
-
- if id < 1 || id > 523776 {
- return ""
- }
-
- for ORD > TIER {
- ORD = ORD - TIER
- TIER -= 1
- }
- TIER = SETSIZE - TIER
- ORD = ORD + TIER
- return fmt.Sprintf("s0:c%d,c%d", TIER, ORD)
-}
-
-func uniqMcs(catRange uint32) string {
- var (
- n uint32
- c1, c2 uint32
- mcs string
- )
-
- for {
- binary.Read(rand.Reader, binary.LittleEndian, &n)
- c1 = n % catRange
- binary.Read(rand.Reader, binary.LittleEndian, &n)
- c2 = n % catRange
- if c1 == c2 {
- continue
- } else {
- if c1 > c2 {
- t := c1
- c1 = c2
- c2 = t
- }
- }
- mcs = fmt.Sprintf("s0:c%d,c%d", c1, c2)
- if err := mcsAdd(mcs); err != nil {
- continue
- }
- break
- }
- return mcs
-}
-
-func FreeLxcContexts(scon string) {
- if len(scon) != 0 {
- con := strings.SplitN(scon, ":", 4)
- mcsDelete(con[3])
- }
-}
-
-func GetLxcContexts() (processLabel string, fileLabel string) {
- var (
- val, key string
- bufin *bufio.Reader
- )
-
- if !SelinuxEnabled() {
- return "", ""
- }
- lxcPath := fmt.Sprintf("%s/contexts/lxc_contexts", getSELinuxPolicyRoot())
- in, err := os.Open(lxcPath)
- if err != nil {
- return "", ""
- }
- defer in.Close()
-
- bufin = bufio.NewReader(in)
-
- for done := false; !done; {
- var line string
- if line, err = bufin.ReadString('\n'); err != nil {
- if err == io.EOF {
- done = true
- } else {
- goto exit
- }
- }
- line = strings.TrimSpace(line)
- if len(line) == 0 {
- // Skip blank lines
- continue
- }
- if line[0] == ';' || line[0] == '#' {
- // Skip comments
- continue
- }
- if groups := assignRegex.FindStringSubmatch(line); groups != nil {
- key, val = strings.TrimSpace(groups[1]), strings.TrimSpace(groups[2])
- if key == "process" {
- processLabel = strings.Trim(val, "\"")
- }
- if key == "file" {
- fileLabel = strings.Trim(val, "\"")
- }
- }
- }
-
- if processLabel == "" || fileLabel == "" {
- return "", ""
- }
-
-exit:
- // mcs := IntToMcs(os.Getpid(), 1024)
- mcs := uniqMcs(1024)
- scon := NewContext(processLabel)
- scon["level"] = mcs
- processLabel = scon.Get()
- scon = NewContext(fileLabel)
- scon["level"] = mcs
- fileLabel = scon.Get()
- return processLabel, fileLabel
-}
-
-func SecurityCheckContext(val string) error {
- return writeCon(fmt.Sprintf("%s.context", selinuxPath), val)
-}
-
-func CopyLevel(src, dest string) (string, error) {
- if src == "" {
- return "", nil
- }
- if err := SecurityCheckContext(src); err != nil {
- return "", err
- }
- if err := SecurityCheckContext(dest); err != nil {
- return "", err
- }
- scon := NewContext(src)
- tcon := NewContext(dest)
- mcsDelete(tcon["level"])
- mcsAdd(scon["level"])
- tcon["level"] = scon["level"]
- return tcon.Get(), nil
-}
-
-// Prevent users from relabing system files
-func badPrefix(fpath string) error {
- var badprefixes = []string{"/usr"}
-
- for _, prefix := range badprefixes {
- if fpath == prefix || strings.HasPrefix(fpath, fmt.Sprintf("%s/", prefix)) {
- return fmt.Errorf("Relabeling content in %s is not allowed.", prefix)
- }
- }
- return nil
-}
-
-// Change the fpath file object to the SELinux label scon.
-// If the fpath is a directory and recurse is true Chcon will walk the
-// directory tree setting the label
-func Chcon(fpath string, scon string, recurse bool) error {
- if scon == "" {
- return nil
- }
- if err := badPrefix(fpath); err != nil {
- return err
- }
- callback := func(p string, info os.FileInfo, err error) error {
- return Setfilecon(p, scon)
- }
-
- if recurse {
- return filepath.Walk(fpath, callback)
- }
-
- return Setfilecon(fpath, scon)
-}
-
-// DupSecOpt takes an SELinux process label and returns security options that
-// can will set the SELinux Type and Level for future container processes
-func DupSecOpt(src string) []string {
- if src == "" {
- return nil
- }
- con := NewContext(src)
- if con["user"] == "" ||
- con["role"] == "" ||
- con["type"] == "" ||
- con["level"] == "" {
- return nil
- }
- return []string{"label:user:" + con["user"],
- "label:role:" + con["role"],
- "label:type:" + con["type"],
- "label:level:" + con["level"]}
-}
-
-// DisableSecOpt returns a security opt that can be used to disabling SELinux
-// labeling support for future container processes
-func DisableSecOpt() []string {
- return []string{"label:disable"}
-}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/selinux/selinux_test.go b/vendor/github.com/opencontainers/runc/libcontainer/selinux/selinux_test.go
deleted file mode 100644
index c2d561bf5ff6c472a7470ccb152f5942b6f6fcae..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/libcontainer/selinux/selinux_test.go
+++ /dev/null
@@ -1,75 +0,0 @@
-// +build linux,selinux
-
-package selinux_test
-
-import (
- "os"
- "testing"
-
- "github.com/opencontainers/runc/libcontainer/selinux"
-)
-
-func TestSetfilecon(t *testing.T) {
- if selinux.SelinuxEnabled() {
- tmp := "selinux_test"
- out, _ := os.OpenFile(tmp, os.O_WRONLY|os.O_CREATE, 0)
- out.Close()
- err := selinux.Setfilecon(tmp, "system_u:object_r:bin_t:s0")
- if err != nil {
- t.Log("Setfilecon failed")
- t.Fatal(err)
- }
- os.Remove(tmp)
- }
-}
-
-func TestSELinux(t *testing.T) {
- var (
- err error
- plabel, flabel string
- )
-
- if selinux.SelinuxEnabled() {
- t.Log("Enabled")
- plabel, flabel = selinux.GetLxcContexts()
- t.Log(plabel)
- t.Log(flabel)
- selinux.FreeLxcContexts(plabel)
- plabel, flabel = selinux.GetLxcContexts()
- t.Log(plabel)
- t.Log(flabel)
- selinux.FreeLxcContexts(plabel)
- t.Log("getenforce ", selinux.SelinuxGetEnforce())
- mode := selinux.SelinuxGetEnforceMode()
- t.Log("getenforcemode ", mode)
-
- defer selinux.SelinuxSetEnforce(mode)
- if err := selinux.SelinuxSetEnforce(selinux.Enforcing); err != nil {
- t.Fatalf("enforcing selinux failed: %v", err)
- }
- if err := selinux.SelinuxSetEnforce(selinux.Permissive); err != nil {
- t.Fatalf("setting selinux mode to permissive failed: %v", err)
- }
- selinux.SelinuxSetEnforce(mode)
-
- pid := os.Getpid()
- t.Logf("PID:%d MCS:%s\n", pid, selinux.IntToMcs(pid, 1023))
- err = selinux.Setfscreatecon("unconfined_u:unconfined_r:unconfined_t:s0")
- if err == nil {
- t.Log(selinux.Getfscreatecon())
- } else {
- t.Log("setfscreatecon failed", err)
- t.Fatal(err)
- }
- err = selinux.Setfscreatecon("")
- if err == nil {
- t.Log(selinux.Getfscreatecon())
- } else {
- t.Log("setfscreatecon failed", err)
- t.Fatal(err)
- }
- t.Log(selinux.Getpidcon(1))
- } else {
- t.Log("Disabled")
- }
-}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/setgroups_linux.go b/vendor/github.com/opencontainers/runc/libcontainer/setgroups_linux.go
deleted file mode 100644
index c7bdb605aa88a24cad730d04b01a6b5ab5095f80..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/libcontainer/setgroups_linux.go
+++ /dev/null
@@ -1,11 +0,0 @@
-// +build linux,go1.5
-
-package libcontainer
-
-import "syscall"
-
-// Set the GidMappingsEnableSetgroups member to true, so the process's
-// setgroups proc entry wont be set to 'deny' if GidMappings are set
-func enableSetgroups(sys *syscall.SysProcAttr) {
- sys.GidMappingsEnableSetgroups = true
-}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/setns_init_linux.go b/vendor/github.com/opencontainers/runc/libcontainer/setns_init_linux.go
index 33ef68e5aae3cb51b8801b808878e3f3533c0ccf..6613bb65cb582a5a54c895d2d6691a5b2e7872e0 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/setns_init_linux.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/setns_init_linux.go
@@ -5,18 +5,24 @@ package libcontainer
import (
"fmt"
"os"
+ "runtime"
"github.com/opencontainers/runc/libcontainer/apparmor"
"github.com/opencontainers/runc/libcontainer/keys"
- "github.com/opencontainers/runc/libcontainer/label"
"github.com/opencontainers/runc/libcontainer/seccomp"
"github.com/opencontainers/runc/libcontainer/system"
+ "github.com/opencontainers/selinux/go-selinux/label"
+ "github.com/pkg/errors"
+
+ "golang.org/x/sys/unix"
)
// linuxSetnsInit performs the container's initialization for running a new process
// inside an existing container.
type linuxSetnsInit struct {
- config *initConfig
+ pipe *os.File
+ consoleSocket *os.File
+ config *initConfig
}
func (l *linuxSetnsInit) getSessionRingName() string {
@@ -24,19 +30,42 @@ func (l *linuxSetnsInit) getSessionRingName() string {
}
func (l *linuxSetnsInit) Init() error {
- // do not inherit the parent's session keyring
- if _, err := keyctl.JoinSessionKeyring(l.getSessionRingName()); err != nil {
- return err
+ runtime.LockOSThread()
+ defer runtime.UnlockOSThread()
+
+ if !l.config.Config.NoNewKeyring {
+ // Do not inherit the parent's session keyring.
+ if _, err := keys.JoinSessionKeyring(l.getSessionRingName()); err != nil {
+ // Same justification as in standart_init_linux.go as to why we
+ // don't bail on ENOSYS.
+ //
+ // TODO(cyphar): And we should have logging here too.
+ if errors.Cause(err) != unix.ENOSYS {
+ return errors.Wrap(err, "join session keyring")
+ }
+ }
}
- if err := setupRlimits(l.config.Rlimits); err != nil {
- return err
+ if l.config.CreateConsole {
+ if err := setupConsole(l.consoleSocket, l.config, false); err != nil {
+ return err
+ }
+ if err := system.Setctty(); err != nil {
+ return err
+ }
}
if l.config.NoNewPrivileges {
- if err := system.Prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); err != nil {
+ if err := unix.Prctl(unix.PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); err != nil {
return err
}
}
- if l.config.Config.Seccomp != nil {
+ if err := label.SetProcessLabel(l.config.ProcessLabel); err != nil {
+ return err
+ }
+ defer label.SetProcessLabel("")
+ // Without NoNewPrivileges seccomp is a privileged operation, so we need to
+ // do this before dropping capabilities; otherwise do it as late as possible
+ // just before execve so as few syscalls take place after it as possible.
+ if l.config.Config.Seccomp != nil && !l.config.NoNewPrivileges {
if err := seccomp.InitSeccomp(l.config.Config.Seccomp); err != nil {
return err
}
@@ -47,9 +76,12 @@ func (l *linuxSetnsInit) Init() error {
if err := apparmor.ApplyProfile(l.config.AppArmorProfile); err != nil {
return err
}
- if l.config.ProcessLabel != "" {
- if err := label.SetProcessLabel(l.config.ProcessLabel); err != nil {
- return err
+ // Set seccomp as close to execve as possible, so as few syscalls take
+ // place afterward (reducing the amount of syscalls that users need to
+ // enable in their seccomp profiles).
+ if l.config.Config.Seccomp != nil && l.config.NoNewPrivileges {
+ if err := seccomp.InitSeccomp(l.config.Config.Seccomp); err != nil {
+ return newSystemErrorWithCause(err, "init seccomp")
}
}
return system.Execv(l.config.Args[0], l.config.Args[0:], os.Environ())
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/specconv/example.go b/vendor/github.com/opencontainers/runc/libcontainer/specconv/example.go
new file mode 100644
index 0000000000000000000000000000000000000000..827ca9e781d9b9bac199df9c1cac72253a7cf4d9
--- /dev/null
+++ b/vendor/github.com/opencontainers/runc/libcontainer/specconv/example.go
@@ -0,0 +1,221 @@
+package specconv
+
+import (
+ "os"
+ "strings"
+
+ "github.com/opencontainers/runtime-spec/specs-go"
+)
+
+// Example returns an example spec file, with many options set so a user can
+// see what a standard spec file looks like.
+func Example() *specs.Spec {
+ return &specs.Spec{
+ Version: specs.Version,
+ Root: &specs.Root{
+ Path: "rootfs",
+ Readonly: true,
+ },
+ Process: &specs.Process{
+ Terminal: true,
+ User: specs.User{},
+ Args: []string{
+ "sh",
+ },
+ Env: []string{
+ "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+ "TERM=xterm",
+ },
+ Cwd: "/",
+ NoNewPrivileges: true,
+ Capabilities: &specs.LinuxCapabilities{
+ Bounding: []string{
+ "CAP_AUDIT_WRITE",
+ "CAP_KILL",
+ "CAP_NET_BIND_SERVICE",
+ },
+ Permitted: []string{
+ "CAP_AUDIT_WRITE",
+ "CAP_KILL",
+ "CAP_NET_BIND_SERVICE",
+ },
+ Inheritable: []string{
+ "CAP_AUDIT_WRITE",
+ "CAP_KILL",
+ "CAP_NET_BIND_SERVICE",
+ },
+ Ambient: []string{
+ "CAP_AUDIT_WRITE",
+ "CAP_KILL",
+ "CAP_NET_BIND_SERVICE",
+ },
+ Effective: []string{
+ "CAP_AUDIT_WRITE",
+ "CAP_KILL",
+ "CAP_NET_BIND_SERVICE",
+ },
+ },
+ Rlimits: []specs.POSIXRlimit{
+ {
+ Type: "RLIMIT_NOFILE",
+ Hard: uint64(1024),
+ Soft: uint64(1024),
+ },
+ },
+ },
+ Hostname: "runc",
+ Mounts: []specs.Mount{
+ {
+ Destination: "/proc",
+ Type: "proc",
+ Source: "proc",
+ Options: nil,
+ },
+ {
+ Destination: "/dev",
+ Type: "tmpfs",
+ Source: "tmpfs",
+ Options: []string{"nosuid", "strictatime", "mode=755", "size=65536k"},
+ },
+ {
+ Destination: "/dev/pts",
+ Type: "devpts",
+ Source: "devpts",
+ Options: []string{"nosuid", "noexec", "newinstance", "ptmxmode=0666", "mode=0620", "gid=5"},
+ },
+ {
+ Destination: "/dev/shm",
+ Type: "tmpfs",
+ Source: "shm",
+ Options: []string{"nosuid", "noexec", "nodev", "mode=1777", "size=65536k"},
+ },
+ {
+ Destination: "/dev/mqueue",
+ Type: "mqueue",
+ Source: "mqueue",
+ Options: []string{"nosuid", "noexec", "nodev"},
+ },
+ {
+ Destination: "/sys",
+ Type: "sysfs",
+ Source: "sysfs",
+ Options: []string{"nosuid", "noexec", "nodev", "ro"},
+ },
+ {
+ Destination: "/sys/fs/cgroup",
+ Type: "cgroup",
+ Source: "cgroup",
+ Options: []string{"nosuid", "noexec", "nodev", "relatime", "ro"},
+ },
+ },
+ Linux: &specs.Linux{
+ MaskedPaths: []string{
+ "/proc/kcore",
+ "/proc/latency_stats",
+ "/proc/timer_list",
+ "/proc/timer_stats",
+ "/proc/sched_debug",
+ "/sys/firmware",
+ "/proc/scsi",
+ },
+ ReadonlyPaths: []string{
+ "/proc/asound",
+ "/proc/bus",
+ "/proc/fs",
+ "/proc/irq",
+ "/proc/sys",
+ "/proc/sysrq-trigger",
+ },
+ Resources: &specs.LinuxResources{
+ Devices: []specs.LinuxDeviceCgroup{
+ {
+ Allow: false,
+ Access: "rwm",
+ },
+ },
+ },
+ Namespaces: []specs.LinuxNamespace{
+ {
+ Type: "pid",
+ },
+ {
+ Type: "network",
+ },
+ {
+ Type: "ipc",
+ },
+ {
+ Type: "uts",
+ },
+ {
+ Type: "mount",
+ },
+ },
+ },
+ }
+}
+
+// ToRootless converts the given spec file into one that should work with
+// rootless containers (euid != 0), by removing incompatible options and adding others that
+// are needed.
+func ToRootless(spec *specs.Spec) {
+ var namespaces []specs.LinuxNamespace
+
+ // Remove networkns from the spec.
+ for _, ns := range spec.Linux.Namespaces {
+ switch ns.Type {
+ case specs.NetworkNamespace, specs.UserNamespace:
+ // Do nothing.
+ default:
+ namespaces = append(namespaces, ns)
+ }
+ }
+ // Add userns to the spec.
+ namespaces = append(namespaces, specs.LinuxNamespace{
+ Type: specs.UserNamespace,
+ })
+ spec.Linux.Namespaces = namespaces
+
+ // Add mappings for the current user.
+ spec.Linux.UIDMappings = []specs.LinuxIDMapping{{
+ HostID: uint32(os.Geteuid()),
+ ContainerID: 0,
+ Size: 1,
+ }}
+ spec.Linux.GIDMappings = []specs.LinuxIDMapping{{
+ HostID: uint32(os.Getegid()),
+ ContainerID: 0,
+ Size: 1,
+ }}
+
+ // Fix up mounts.
+ var mounts []specs.Mount
+ for _, mount := range spec.Mounts {
+ // Ignore all mounts that are under /sys.
+ if strings.HasPrefix(mount.Destination, "/sys") {
+ continue
+ }
+
+ // Remove all gid= and uid= mappings.
+ var options []string
+ for _, option := range mount.Options {
+ if !strings.HasPrefix(option, "gid=") && !strings.HasPrefix(option, "uid=") {
+ options = append(options, option)
+ }
+ }
+
+ mount.Options = options
+ mounts = append(mounts, mount)
+ }
+ // Add the sysfs mount as an rbind.
+ mounts = append(mounts, specs.Mount{
+ Source: "/sys",
+ Destination: "/sys",
+ Type: "none",
+ Options: []string{"rbind", "nosuid", "noexec", "nodev", "ro"},
+ })
+ spec.Mounts = mounts
+
+ // Remove cgroup settings.
+ spec.Linux.Resources = nil
+}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/specconv/spec_linux.go b/vendor/github.com/opencontainers/runc/libcontainer/specconv/spec_linux.go
new file mode 100644
index 0000000000000000000000000000000000000000..a15798923630acd6743f308ea15320056df95931
--- /dev/null
+++ b/vendor/github.com/opencontainers/runc/libcontainer/specconv/spec_linux.go
@@ -0,0 +1,837 @@
+// +build linux
+
+// Package specconv implements conversion of specifications to libcontainer
+// configurations
+package specconv
+
+import (
+ "fmt"
+ "os"
+ "path/filepath"
+ "strings"
+ "time"
+
+ "github.com/opencontainers/runc/libcontainer/configs"
+ "github.com/opencontainers/runc/libcontainer/seccomp"
+ libcontainerUtils "github.com/opencontainers/runc/libcontainer/utils"
+ "github.com/opencontainers/runtime-spec/specs-go"
+
+ "golang.org/x/sys/unix"
+)
+
+const wildcard = -1
+
+var namespaceMapping = map[specs.LinuxNamespaceType]configs.NamespaceType{
+ specs.PIDNamespace: configs.NEWPID,
+ specs.NetworkNamespace: configs.NEWNET,
+ specs.MountNamespace: configs.NEWNS,
+ specs.UserNamespace: configs.NEWUSER,
+ specs.IPCNamespace: configs.NEWIPC,
+ specs.UTSNamespace: configs.NEWUTS,
+ specs.CgroupNamespace: configs.NEWCGROUP,
+}
+
+var mountPropagationMapping = map[string]int{
+ "rprivate": unix.MS_PRIVATE | unix.MS_REC,
+ "private": unix.MS_PRIVATE,
+ "rslave": unix.MS_SLAVE | unix.MS_REC,
+ "slave": unix.MS_SLAVE,
+ "rshared": unix.MS_SHARED | unix.MS_REC,
+ "shared": unix.MS_SHARED,
+ "runbindable": unix.MS_UNBINDABLE | unix.MS_REC,
+ "unbindable": unix.MS_UNBINDABLE,
+ "": 0,
+}
+
+var allowedDevices = []*configs.Device{
+ // allow mknod for any device
+ {
+ Type: 'c',
+ Major: wildcard,
+ Minor: wildcard,
+ Permissions: "m",
+ Allow: true,
+ },
+ {
+ Type: 'b',
+ Major: wildcard,
+ Minor: wildcard,
+ Permissions: "m",
+ Allow: true,
+ },
+ {
+ Type: 'c',
+ Path: "/dev/null",
+ Major: 1,
+ Minor: 3,
+ Permissions: "rwm",
+ Allow: true,
+ },
+ {
+ Type: 'c',
+ Path: "/dev/random",
+ Major: 1,
+ Minor: 8,
+ Permissions: "rwm",
+ Allow: true,
+ },
+ {
+ Type: 'c',
+ Path: "/dev/full",
+ Major: 1,
+ Minor: 7,
+ Permissions: "rwm",
+ Allow: true,
+ },
+ {
+ Type: 'c',
+ Path: "/dev/tty",
+ Major: 5,
+ Minor: 0,
+ Permissions: "rwm",
+ Allow: true,
+ },
+ {
+ Type: 'c',
+ Path: "/dev/zero",
+ Major: 1,
+ Minor: 5,
+ Permissions: "rwm",
+ Allow: true,
+ },
+ {
+ Type: 'c',
+ Path: "/dev/urandom",
+ Major: 1,
+ Minor: 9,
+ Permissions: "rwm",
+ Allow: true,
+ },
+ {
+ Path: "/dev/console",
+ Type: 'c',
+ Major: 5,
+ Minor: 1,
+ Permissions: "rwm",
+ Allow: true,
+ },
+ // /dev/pts/ - pts namespaces are "coming soon"
+ {
+ Path: "",
+ Type: 'c',
+ Major: 136,
+ Minor: wildcard,
+ Permissions: "rwm",
+ Allow: true,
+ },
+ {
+ Path: "",
+ Type: 'c',
+ Major: 5,
+ Minor: 2,
+ Permissions: "rwm",
+ Allow: true,
+ },
+ // tuntap
+ {
+ Path: "",
+ Type: 'c',
+ Major: 10,
+ Minor: 200,
+ Permissions: "rwm",
+ Allow: true,
+ },
+}
+
+type CreateOpts struct {
+ CgroupName string
+ UseSystemdCgroup bool
+ NoPivotRoot bool
+ NoNewKeyring bool
+ Spec *specs.Spec
+ RootlessEUID bool
+ RootlessCgroups bool
+}
+
+// CreateLibcontainerConfig creates a new libcontainer configuration from a
+// given specification and a cgroup name
+func CreateLibcontainerConfig(opts *CreateOpts) (*configs.Config, error) {
+ // runc's cwd will always be the bundle path
+ rcwd, err := os.Getwd()
+ if err != nil {
+ return nil, err
+ }
+ cwd, err := filepath.Abs(rcwd)
+ if err != nil {
+ return nil, err
+ }
+ spec := opts.Spec
+ if spec.Root == nil {
+ return nil, fmt.Errorf("Root must be specified")
+ }
+ rootfsPath := spec.Root.Path
+ if !filepath.IsAbs(rootfsPath) {
+ rootfsPath = filepath.Join(cwd, rootfsPath)
+ }
+ labels := []string{}
+ for k, v := range spec.Annotations {
+ labels = append(labels, fmt.Sprintf("%s=%s", k, v))
+ }
+ config := &configs.Config{
+ Rootfs: rootfsPath,
+ NoPivotRoot: opts.NoPivotRoot,
+ Readonlyfs: spec.Root.Readonly,
+ Hostname: spec.Hostname,
+ Labels: append(labels, fmt.Sprintf("bundle=%s", cwd)),
+ NoNewKeyring: opts.NoNewKeyring,
+ RootlessEUID: opts.RootlessEUID,
+ RootlessCgroups: opts.RootlessCgroups,
+ }
+
+ exists := false
+ for _, m := range spec.Mounts {
+ config.Mounts = append(config.Mounts, createLibcontainerMount(cwd, m))
+ }
+ if err := createDevices(spec, config); err != nil {
+ return nil, err
+ }
+ c, err := createCgroupConfig(opts)
+ if err != nil {
+ return nil, err
+ }
+ config.Cgroups = c
+ // set linux-specific config
+ if spec.Linux != nil {
+ if config.RootPropagation, exists = mountPropagationMapping[spec.Linux.RootfsPropagation]; !exists {
+ return nil, fmt.Errorf("rootfsPropagation=%v is not supported", spec.Linux.RootfsPropagation)
+ }
+ if config.NoPivotRoot && (config.RootPropagation&unix.MS_PRIVATE != 0) {
+ return nil, fmt.Errorf("rootfsPropagation of [r]private is not safe without pivot_root")
+ }
+
+ for _, ns := range spec.Linux.Namespaces {
+ t, exists := namespaceMapping[ns.Type]
+ if !exists {
+ return nil, fmt.Errorf("namespace %q does not exist", ns)
+ }
+ if config.Namespaces.Contains(t) {
+ return nil, fmt.Errorf("malformed spec file: duplicated ns %q", ns)
+ }
+ config.Namespaces.Add(t, ns.Path)
+ }
+ if config.Namespaces.Contains(configs.NEWNET) && config.Namespaces.PathOf(configs.NEWNET) == "" {
+ config.Networks = []*configs.Network{
+ {
+ Type: "loopback",
+ },
+ }
+ }
+ if config.Namespaces.Contains(configs.NEWUSER) {
+ if err := setupUserNamespace(spec, config); err != nil {
+ return nil, err
+ }
+ }
+ config.MaskPaths = spec.Linux.MaskedPaths
+ config.ReadonlyPaths = spec.Linux.ReadonlyPaths
+ config.MountLabel = spec.Linux.MountLabel
+ config.Sysctl = spec.Linux.Sysctl
+ if spec.Linux.Seccomp != nil {
+ seccomp, err := SetupSeccomp(spec.Linux.Seccomp)
+ if err != nil {
+ return nil, err
+ }
+ config.Seccomp = seccomp
+ }
+ if spec.Linux.IntelRdt != nil {
+ config.IntelRdt = &configs.IntelRdt{}
+ if spec.Linux.IntelRdt.L3CacheSchema != "" {
+ config.IntelRdt.L3CacheSchema = spec.Linux.IntelRdt.L3CacheSchema
+ }
+ if spec.Linux.IntelRdt.MemBwSchema != "" {
+ config.IntelRdt.MemBwSchema = spec.Linux.IntelRdt.MemBwSchema
+ }
+ }
+ }
+ if spec.Process != nil {
+ config.OomScoreAdj = spec.Process.OOMScoreAdj
+ if spec.Process.SelinuxLabel != "" {
+ config.ProcessLabel = spec.Process.SelinuxLabel
+ }
+ if spec.Process.Capabilities != nil {
+ config.Capabilities = &configs.Capabilities{
+ Bounding: spec.Process.Capabilities.Bounding,
+ Effective: spec.Process.Capabilities.Effective,
+ Permitted: spec.Process.Capabilities.Permitted,
+ Inheritable: spec.Process.Capabilities.Inheritable,
+ Ambient: spec.Process.Capabilities.Ambient,
+ }
+ }
+ }
+ createHooks(spec, config)
+ config.Version = specs.Version
+ return config, nil
+}
+
+func createLibcontainerMount(cwd string, m specs.Mount) *configs.Mount {
+ flags, pgflags, data, ext := parseMountOptions(m.Options)
+ source := m.Source
+ device := m.Type
+ if flags&unix.MS_BIND != 0 {
+ if device == "" {
+ device = "bind"
+ }
+ if !filepath.IsAbs(source) {
+ source = filepath.Join(cwd, m.Source)
+ }
+ }
+ return &configs.Mount{
+ Device: device,
+ Source: source,
+ Destination: m.Destination,
+ Data: data,
+ Flags: flags,
+ PropagationFlags: pgflags,
+ Extensions: ext,
+ }
+}
+
+func createCgroupConfig(opts *CreateOpts) (*configs.Cgroup, error) {
+ var (
+ myCgroupPath string
+
+ spec = opts.Spec
+ useSystemdCgroup = opts.UseSystemdCgroup
+ name = opts.CgroupName
+ )
+
+ c := &configs.Cgroup{
+ Resources: &configs.Resources{},
+ }
+
+ if spec.Linux != nil && spec.Linux.CgroupsPath != "" {
+ myCgroupPath = libcontainerUtils.CleanPath(spec.Linux.CgroupsPath)
+ if useSystemdCgroup {
+ myCgroupPath = spec.Linux.CgroupsPath
+ }
+ }
+
+ if useSystemdCgroup {
+ if myCgroupPath == "" {
+ c.Parent = "system.slice"
+ c.ScopePrefix = "runc"
+ c.Name = name
+ } else {
+ // Parse the path from expected "slice:prefix:name"
+ // for e.g. "system.slice:docker:1234"
+ parts := strings.Split(myCgroupPath, ":")
+ if len(parts) != 3 {
+ return nil, fmt.Errorf("expected cgroupsPath to be of format \"slice:prefix:name\" for systemd cgroups")
+ }
+ c.Parent = parts[0]
+ c.ScopePrefix = parts[1]
+ c.Name = parts[2]
+ }
+ } else {
+ if myCgroupPath == "" {
+ c.Name = name
+ }
+ c.Path = myCgroupPath
+ }
+
+ // In rootless containers, any attempt to make cgroup changes is likely to fail.
+ // libcontainer will validate this but ignores the error.
+ c.Resources.AllowedDevices = allowedDevices
+ if spec.Linux != nil {
+ r := spec.Linux.Resources
+ if r == nil {
+ return c, nil
+ }
+ for i, d := range spec.Linux.Resources.Devices {
+ var (
+ t = "a"
+ major = int64(-1)
+ minor = int64(-1)
+ )
+ if d.Type != "" {
+ t = d.Type
+ }
+ if d.Major != nil {
+ major = *d.Major
+ }
+ if d.Minor != nil {
+ minor = *d.Minor
+ }
+ if d.Access == "" {
+ return nil, fmt.Errorf("device access at %d field cannot be empty", i)
+ }
+ dt, err := stringToCgroupDeviceRune(t)
+ if err != nil {
+ return nil, err
+ }
+ dd := &configs.Device{
+ Type: dt,
+ Major: major,
+ Minor: minor,
+ Permissions: d.Access,
+ Allow: d.Allow,
+ }
+ c.Resources.Devices = append(c.Resources.Devices, dd)
+ }
+ if r.Memory != nil {
+ if r.Memory.Limit != nil {
+ c.Resources.Memory = *r.Memory.Limit
+ }
+ if r.Memory.Reservation != nil {
+ c.Resources.MemoryReservation = *r.Memory.Reservation
+ }
+ if r.Memory.Swap != nil {
+ c.Resources.MemorySwap = *r.Memory.Swap
+ }
+ if r.Memory.Kernel != nil {
+ c.Resources.KernelMemory = *r.Memory.Kernel
+ }
+ if r.Memory.KernelTCP != nil {
+ c.Resources.KernelMemoryTCP = *r.Memory.KernelTCP
+ }
+ if r.Memory.Swappiness != nil {
+ c.Resources.MemorySwappiness = r.Memory.Swappiness
+ }
+ if r.Memory.DisableOOMKiller != nil {
+ c.Resources.OomKillDisable = *r.Memory.DisableOOMKiller
+ }
+ }
+ if r.CPU != nil {
+ if r.CPU.Shares != nil {
+ c.Resources.CpuShares = *r.CPU.Shares
+ }
+ if r.CPU.Quota != nil {
+ c.Resources.CpuQuota = *r.CPU.Quota
+ }
+ if r.CPU.Period != nil {
+ c.Resources.CpuPeriod = *r.CPU.Period
+ }
+ if r.CPU.RealtimeRuntime != nil {
+ c.Resources.CpuRtRuntime = *r.CPU.RealtimeRuntime
+ }
+ if r.CPU.RealtimePeriod != nil {
+ c.Resources.CpuRtPeriod = *r.CPU.RealtimePeriod
+ }
+ if r.CPU.Cpus != "" {
+ c.Resources.CpusetCpus = r.CPU.Cpus
+ }
+ if r.CPU.Mems != "" {
+ c.Resources.CpusetMems = r.CPU.Mems
+ }
+ }
+ if r.Pids != nil {
+ c.Resources.PidsLimit = r.Pids.Limit
+ }
+ if r.BlockIO != nil {
+ if r.BlockIO.Weight != nil {
+ c.Resources.BlkioWeight = *r.BlockIO.Weight
+ }
+ if r.BlockIO.LeafWeight != nil {
+ c.Resources.BlkioLeafWeight = *r.BlockIO.LeafWeight
+ }
+ if r.BlockIO.WeightDevice != nil {
+ for _, wd := range r.BlockIO.WeightDevice {
+ var weight, leafWeight uint16
+ if wd.Weight != nil {
+ weight = *wd.Weight
+ }
+ if wd.LeafWeight != nil {
+ leafWeight = *wd.LeafWeight
+ }
+ weightDevice := configs.NewWeightDevice(wd.Major, wd.Minor, weight, leafWeight)
+ c.Resources.BlkioWeightDevice = append(c.Resources.BlkioWeightDevice, weightDevice)
+ }
+ }
+ if r.BlockIO.ThrottleReadBpsDevice != nil {
+ for _, td := range r.BlockIO.ThrottleReadBpsDevice {
+ rate := td.Rate
+ throttleDevice := configs.NewThrottleDevice(td.Major, td.Minor, rate)
+ c.Resources.BlkioThrottleReadBpsDevice = append(c.Resources.BlkioThrottleReadBpsDevice, throttleDevice)
+ }
+ }
+ if r.BlockIO.ThrottleWriteBpsDevice != nil {
+ for _, td := range r.BlockIO.ThrottleWriteBpsDevice {
+ rate := td.Rate
+ throttleDevice := configs.NewThrottleDevice(td.Major, td.Minor, rate)
+ c.Resources.BlkioThrottleWriteBpsDevice = append(c.Resources.BlkioThrottleWriteBpsDevice, throttleDevice)
+ }
+ }
+ if r.BlockIO.ThrottleReadIOPSDevice != nil {
+ for _, td := range r.BlockIO.ThrottleReadIOPSDevice {
+ rate := td.Rate
+ throttleDevice := configs.NewThrottleDevice(td.Major, td.Minor, rate)
+ c.Resources.BlkioThrottleReadIOPSDevice = append(c.Resources.BlkioThrottleReadIOPSDevice, throttleDevice)
+ }
+ }
+ if r.BlockIO.ThrottleWriteIOPSDevice != nil {
+ for _, td := range r.BlockIO.ThrottleWriteIOPSDevice {
+ rate := td.Rate
+ throttleDevice := configs.NewThrottleDevice(td.Major, td.Minor, rate)
+ c.Resources.BlkioThrottleWriteIOPSDevice = append(c.Resources.BlkioThrottleWriteIOPSDevice, throttleDevice)
+ }
+ }
+ }
+ for _, l := range r.HugepageLimits {
+ c.Resources.HugetlbLimit = append(c.Resources.HugetlbLimit, &configs.HugepageLimit{
+ Pagesize: l.Pagesize,
+ Limit: l.Limit,
+ })
+ }
+ if r.Network != nil {
+ if r.Network.ClassID != nil {
+ c.Resources.NetClsClassid = *r.Network.ClassID
+ }
+ for _, m := range r.Network.Priorities {
+ c.Resources.NetPrioIfpriomap = append(c.Resources.NetPrioIfpriomap, &configs.IfPrioMap{
+ Interface: m.Name,
+ Priority: int64(m.Priority),
+ })
+ }
+ }
+ }
+ // append the default allowed devices to the end of the list
+ c.Resources.Devices = append(c.Resources.Devices, allowedDevices...)
+ return c, nil
+}
+
+func stringToCgroupDeviceRune(s string) (rune, error) {
+ switch s {
+ case "a":
+ return 'a', nil
+ case "b":
+ return 'b', nil
+ case "c":
+ return 'c', nil
+ default:
+ return 0, fmt.Errorf("invalid cgroup device type %q", s)
+ }
+}
+
+func stringToDeviceRune(s string) (rune, error) {
+ switch s {
+ case "p":
+ return 'p', nil
+ case "u":
+ return 'u', nil
+ case "b":
+ return 'b', nil
+ case "c":
+ return 'c', nil
+ default:
+ return 0, fmt.Errorf("invalid device type %q", s)
+ }
+}
+
+func createDevices(spec *specs.Spec, config *configs.Config) error {
+ // add whitelisted devices
+ config.Devices = []*configs.Device{
+ {
+ Type: 'c',
+ Path: "/dev/null",
+ Major: 1,
+ Minor: 3,
+ FileMode: 0666,
+ Uid: 0,
+ Gid: 0,
+ },
+ {
+ Type: 'c',
+ Path: "/dev/random",
+ Major: 1,
+ Minor: 8,
+ FileMode: 0666,
+ Uid: 0,
+ Gid: 0,
+ },
+ {
+ Type: 'c',
+ Path: "/dev/full",
+ Major: 1,
+ Minor: 7,
+ FileMode: 0666,
+ Uid: 0,
+ Gid: 0,
+ },
+ {
+ Type: 'c',
+ Path: "/dev/tty",
+ Major: 5,
+ Minor: 0,
+ FileMode: 0666,
+ Uid: 0,
+ Gid: 0,
+ },
+ {
+ Type: 'c',
+ Path: "/dev/zero",
+ Major: 1,
+ Minor: 5,
+ FileMode: 0666,
+ Uid: 0,
+ Gid: 0,
+ },
+ {
+ Type: 'c',
+ Path: "/dev/urandom",
+ Major: 1,
+ Minor: 9,
+ FileMode: 0666,
+ Uid: 0,
+ Gid: 0,
+ },
+ }
+ // merge in additional devices from the spec
+ if spec.Linux != nil {
+ for _, d := range spec.Linux.Devices {
+ var uid, gid uint32
+ var filemode os.FileMode = 0666
+
+ if d.UID != nil {
+ uid = *d.UID
+ }
+ if d.GID != nil {
+ gid = *d.GID
+ }
+ dt, err := stringToDeviceRune(d.Type)
+ if err != nil {
+ return err
+ }
+ if d.FileMode != nil {
+ filemode = *d.FileMode
+ }
+ device := &configs.Device{
+ Type: dt,
+ Path: d.Path,
+ Major: d.Major,
+ Minor: d.Minor,
+ FileMode: filemode,
+ Uid: uid,
+ Gid: gid,
+ }
+ config.Devices = append(config.Devices, device)
+ }
+ }
+ return nil
+}
+
+func setupUserNamespace(spec *specs.Spec, config *configs.Config) error {
+ create := func(m specs.LinuxIDMapping) configs.IDMap {
+ return configs.IDMap{
+ HostID: int(m.HostID),
+ ContainerID: int(m.ContainerID),
+ Size: int(m.Size),
+ }
+ }
+ if spec.Linux != nil {
+ for _, m := range spec.Linux.UIDMappings {
+ config.UidMappings = append(config.UidMappings, create(m))
+ }
+ for _, m := range spec.Linux.GIDMappings {
+ config.GidMappings = append(config.GidMappings, create(m))
+ }
+ }
+ rootUID, err := config.HostRootUID()
+ if err != nil {
+ return err
+ }
+ rootGID, err := config.HostRootGID()
+ if err != nil {
+ return err
+ }
+ for _, node := range config.Devices {
+ node.Uid = uint32(rootUID)
+ node.Gid = uint32(rootGID)
+ }
+ return nil
+}
+
+// parseMountOptions parses the string and returns the flags, propagation
+// flags and any mount data that it contains.
+func parseMountOptions(options []string) (int, []int, string, int) {
+ var (
+ flag int
+ pgflag []int
+ data []string
+ extFlags int
+ )
+ flags := map[string]struct {
+ clear bool
+ flag int
+ }{
+ "acl": {false, unix.MS_POSIXACL},
+ "async": {true, unix.MS_SYNCHRONOUS},
+ "atime": {true, unix.MS_NOATIME},
+ "bind": {false, unix.MS_BIND},
+ "defaults": {false, 0},
+ "dev": {true, unix.MS_NODEV},
+ "diratime": {true, unix.MS_NODIRATIME},
+ "dirsync": {false, unix.MS_DIRSYNC},
+ "exec": {true, unix.MS_NOEXEC},
+ "iversion": {false, unix.MS_I_VERSION},
+ "lazytime": {false, unix.MS_LAZYTIME},
+ "loud": {true, unix.MS_SILENT},
+ "mand": {false, unix.MS_MANDLOCK},
+ "noacl": {true, unix.MS_POSIXACL},
+ "noatime": {false, unix.MS_NOATIME},
+ "nodev": {false, unix.MS_NODEV},
+ "nodiratime": {false, unix.MS_NODIRATIME},
+ "noexec": {false, unix.MS_NOEXEC},
+ "noiversion": {true, unix.MS_I_VERSION},
+ "nolazytime": {true, unix.MS_LAZYTIME},
+ "nomand": {true, unix.MS_MANDLOCK},
+ "norelatime": {true, unix.MS_RELATIME},
+ "nostrictatime": {true, unix.MS_STRICTATIME},
+ "nosuid": {false, unix.MS_NOSUID},
+ "rbind": {false, unix.MS_BIND | unix.MS_REC},
+ "relatime": {false, unix.MS_RELATIME},
+ "remount": {false, unix.MS_REMOUNT},
+ "ro": {false, unix.MS_RDONLY},
+ "rw": {true, unix.MS_RDONLY},
+ "silent": {false, unix.MS_SILENT},
+ "strictatime": {false, unix.MS_STRICTATIME},
+ "suid": {true, unix.MS_NOSUID},
+ "sync": {false, unix.MS_SYNCHRONOUS},
+ }
+ propagationFlags := map[string]int{
+ "private": unix.MS_PRIVATE,
+ "shared": unix.MS_SHARED,
+ "slave": unix.MS_SLAVE,
+ "unbindable": unix.MS_UNBINDABLE,
+ "rprivate": unix.MS_PRIVATE | unix.MS_REC,
+ "rshared": unix.MS_SHARED | unix.MS_REC,
+ "rslave": unix.MS_SLAVE | unix.MS_REC,
+ "runbindable": unix.MS_UNBINDABLE | unix.MS_REC,
+ }
+ extensionFlags := map[string]struct {
+ clear bool
+ flag int
+ }{
+ "tmpcopyup": {false, configs.EXT_COPYUP},
+ }
+ for _, o := range options {
+ // If the option does not exist in the flags table or the flag
+ // is not supported on the platform,
+ // then it is a data value for a specific fs type
+ if f, exists := flags[o]; exists && f.flag != 0 {
+ if f.clear {
+ flag &= ^f.flag
+ } else {
+ flag |= f.flag
+ }
+ } else if f, exists := propagationFlags[o]; exists && f != 0 {
+ pgflag = append(pgflag, f)
+ } else if f, exists := extensionFlags[o]; exists && f.flag != 0 {
+ if f.clear {
+ extFlags &= ^f.flag
+ } else {
+ extFlags |= f.flag
+ }
+ } else {
+ data = append(data, o)
+ }
+ }
+ return flag, pgflag, strings.Join(data, ","), extFlags
+}
+
+func SetupSeccomp(config *specs.LinuxSeccomp) (*configs.Seccomp, error) {
+ if config == nil {
+ return nil, nil
+ }
+
+ // No default action specified, no syscalls listed, assume seccomp disabled
+ if config.DefaultAction == "" && len(config.Syscalls) == 0 {
+ return nil, nil
+ }
+
+ newConfig := new(configs.Seccomp)
+ newConfig.Syscalls = []*configs.Syscall{}
+
+ if len(config.Architectures) > 0 {
+ newConfig.Architectures = []string{}
+ for _, arch := range config.Architectures {
+ newArch, err := seccomp.ConvertStringToArch(string(arch))
+ if err != nil {
+ return nil, err
+ }
+ newConfig.Architectures = append(newConfig.Architectures, newArch)
+ }
+ }
+
+ // Convert default action from string representation
+ newDefaultAction, err := seccomp.ConvertStringToAction(string(config.DefaultAction))
+ if err != nil {
+ return nil, err
+ }
+ newConfig.DefaultAction = newDefaultAction
+
+ // Loop through all syscall blocks and convert them to libcontainer format
+ for _, call := range config.Syscalls {
+ newAction, err := seccomp.ConvertStringToAction(string(call.Action))
+ if err != nil {
+ return nil, err
+ }
+
+ for _, name := range call.Names {
+ newCall := configs.Syscall{
+ Name: name,
+ Action: newAction,
+ Args: []*configs.Arg{},
+ }
+ // Loop through all the arguments of the syscall and convert them
+ for _, arg := range call.Args {
+ newOp, err := seccomp.ConvertStringToOperator(string(arg.Op))
+ if err != nil {
+ return nil, err
+ }
+
+ newArg := configs.Arg{
+ Index: arg.Index,
+ Value: arg.Value,
+ ValueTwo: arg.ValueTwo,
+ Op: newOp,
+ }
+
+ newCall.Args = append(newCall.Args, &newArg)
+ }
+ newConfig.Syscalls = append(newConfig.Syscalls, &newCall)
+ }
+ }
+
+ return newConfig, nil
+}
+
+func createHooks(rspec *specs.Spec, config *configs.Config) {
+ config.Hooks = &configs.Hooks{}
+ if rspec.Hooks != nil {
+
+ for _, h := range rspec.Hooks.Prestart {
+ cmd := createCommandHook(h)
+ config.Hooks.Prestart = append(config.Hooks.Prestart, configs.NewCommandHook(cmd))
+ }
+ for _, h := range rspec.Hooks.Poststart {
+ cmd := createCommandHook(h)
+ config.Hooks.Poststart = append(config.Hooks.Poststart, configs.NewCommandHook(cmd))
+ }
+ for _, h := range rspec.Hooks.Poststop {
+ cmd := createCommandHook(h)
+ config.Hooks.Poststop = append(config.Hooks.Poststop, configs.NewCommandHook(cmd))
+ }
+ }
+}
+
+func createCommandHook(h specs.Hook) configs.Command {
+ cmd := configs.Command{
+ Path: h.Path,
+ Args: h.Args,
+ Env: h.Env,
+ }
+ if h.Timeout != nil {
+ d := time.Duration(*h.Timeout) * time.Second
+ cmd.Timeout = &d
+ }
+ return cmd
+}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/specconv/spec_linux_test.go b/vendor/github.com/opencontainers/runc/libcontainer/specconv/spec_linux_test.go
new file mode 100644
index 0000000000000000000000000000000000000000..50c620cbad6212c1ce8bbe46a07eef648ccb2a09
--- /dev/null
+++ b/vendor/github.com/opencontainers/runc/libcontainer/specconv/spec_linux_test.go
@@ -0,0 +1,450 @@
+// +build linux
+
+package specconv
+
+import (
+ "os"
+ "strings"
+ "testing"
+
+ "github.com/opencontainers/runc/libcontainer/configs"
+ "github.com/opencontainers/runc/libcontainer/configs/validate"
+ "github.com/opencontainers/runtime-spec/specs-go"
+)
+
+func TestCreateCommandHookTimeout(t *testing.T) {
+ timeout := 3600
+ hook := specs.Hook{
+ Path: "/some/hook/path",
+ Args: []string{"--some", "thing"},
+ Env: []string{"SOME=value"},
+ Timeout: &timeout,
+ }
+ command := createCommandHook(hook)
+ timeoutStr := command.Timeout.String()
+ if timeoutStr != "1h0m0s" {
+ t.Errorf("Expected the Timeout to be 1h0m0s, got: %s", timeoutStr)
+ }
+}
+
+func TestCreateHooks(t *testing.T) {
+ rspec := &specs.Spec{
+ Hooks: &specs.Hooks{
+ Prestart: []specs.Hook{
+ {
+ Path: "/some/hook/path",
+ },
+ {
+ Path: "/some/hook2/path",
+ Args: []string{"--some", "thing"},
+ },
+ },
+ Poststart: []specs.Hook{
+ {
+ Path: "/some/hook/path",
+ Args: []string{"--some", "thing"},
+ Env: []string{"SOME=value"},
+ },
+ {
+ Path: "/some/hook2/path",
+ },
+ {
+ Path: "/some/hook3/path",
+ },
+ },
+ Poststop: []specs.Hook{
+ {
+ Path: "/some/hook/path",
+ Args: []string{"--some", "thing"},
+ Env: []string{"SOME=value"},
+ },
+ {
+ Path: "/some/hook2/path",
+ },
+ {
+ Path: "/some/hook3/path",
+ },
+ {
+ Path: "/some/hook4/path",
+ Args: []string{"--some", "thing"},
+ },
+ },
+ },
+ }
+ conf := &configs.Config{}
+ createHooks(rspec, conf)
+
+ prestart := conf.Hooks.Prestart
+
+ if len(prestart) != 2 {
+ t.Error("Expected 2 Prestart hooks")
+ }
+
+ poststart := conf.Hooks.Poststart
+
+ if len(poststart) != 3 {
+ t.Error("Expected 3 Poststart hooks")
+ }
+
+ poststop := conf.Hooks.Poststop
+
+ if len(poststop) != 4 {
+ t.Error("Expected 4 Poststop hooks")
+ }
+
+}
+func TestSetupSeccomp(t *testing.T) {
+ conf := &specs.LinuxSeccomp{
+ DefaultAction: "SCMP_ACT_ERRNO",
+ Architectures: []specs.Arch{specs.ArchX86_64, specs.ArchARM},
+ Syscalls: []specs.LinuxSyscall{
+ {
+ Names: []string{"clone"},
+ Action: "SCMP_ACT_ALLOW",
+ Args: []specs.LinuxSeccompArg{
+ {
+ Index: 0,
+ Value: 2080505856,
+ ValueTwo: 0,
+ Op: "SCMP_CMP_MASKED_EQ",
+ },
+ },
+ },
+ {
+ Names: []string{
+ "select",
+ "semctl",
+ "semget",
+ "semop",
+ "semtimedop",
+ "send",
+ "sendfile",
+ },
+ Action: "SCMP_ACT_ALLOW",
+ },
+ },
+ }
+ seccomp, err := SetupSeccomp(conf)
+
+ if err != nil {
+ t.Errorf("Couldn't create Seccomp config: %v", err)
+ }
+
+ if seccomp.DefaultAction != 2 { // SCMP_ACT_ERRNO
+ t.Error("Wrong conversion for DefaultAction")
+ }
+
+ if len(seccomp.Architectures) != 2 {
+ t.Error("Wrong number of architectures")
+ }
+
+ if seccomp.Architectures[0] != "amd64" || seccomp.Architectures[1] != "arm" {
+ t.Error("Expected architectures are not found")
+ }
+
+ calls := seccomp.Syscalls
+
+ callsLength := len(calls)
+ if callsLength != 8 {
+ t.Errorf("Expected 8 syscalls, got :%d", callsLength)
+ }
+
+ for i, call := range calls {
+ if i == 0 {
+ expectedCloneSyscallArgs := configs.Arg{
+ Index: 0,
+ Op: 7, // SCMP_CMP_MASKED_EQ
+ Value: 2080505856,
+ ValueTwo: 0,
+ }
+ if expectedCloneSyscallArgs != *call.Args[0] {
+ t.Errorf("Wrong arguments conversion for the clone syscall under test")
+ }
+ }
+ if call.Action != 4 {
+ t.Error("Wrong conversion for the clone syscall action")
+ }
+
+ }
+
+}
+
+func TestLinuxCgroupWithMemoryResource(t *testing.T) {
+ cgroupsPath := "/user/cgroups/path/id"
+
+ spec := &specs.Spec{}
+ devices := []specs.LinuxDeviceCgroup{
+ {
+ Allow: false,
+ Access: "rwm",
+ },
+ }
+
+ limit := int64(100)
+ reservation := int64(50)
+ swap := int64(20)
+ kernel := int64(40)
+ kernelTCP := int64(45)
+ swappiness := uint64(1)
+ swappinessPtr := &swappiness
+ disableOOMKiller := true
+ resources := &specs.LinuxResources{
+ Devices: devices,
+ Memory: &specs.LinuxMemory{
+ Limit: &limit,
+ Reservation: &reservation,
+ Swap: &swap,
+ Kernel: &kernel,
+ KernelTCP: &kernelTCP,
+ Swappiness: swappinessPtr,
+ DisableOOMKiller: &disableOOMKiller,
+ },
+ }
+ spec.Linux = &specs.Linux{
+ CgroupsPath: cgroupsPath,
+ Resources: resources,
+ }
+
+ opts := &CreateOpts{
+ CgroupName: "ContainerID",
+ UseSystemdCgroup: false,
+ Spec: spec,
+ }
+
+ cgroup, err := createCgroupConfig(opts)
+ if err != nil {
+ t.Errorf("Couldn't create Cgroup config: %v", err)
+ }
+
+ if cgroup.Path != cgroupsPath {
+ t.Errorf("Wrong cgroupsPath, expected '%s' got '%s'", cgroupsPath, cgroup.Path)
+ }
+ if cgroup.Resources.Memory != limit {
+ t.Errorf("Expected to have %d as memory limit, got %d", limit, cgroup.Resources.Memory)
+ }
+ if cgroup.Resources.MemoryReservation != reservation {
+ t.Errorf("Expected to have %d as memory reservation, got %d", reservation, cgroup.Resources.MemoryReservation)
+ }
+ if cgroup.Resources.MemorySwap != swap {
+ t.Errorf("Expected to have %d as swap, got %d", swap, cgroup.Resources.MemorySwap)
+ }
+ if cgroup.Resources.KernelMemory != kernel {
+ t.Errorf("Expected to have %d as Kernel Memory, got %d", kernel, cgroup.Resources.KernelMemory)
+ }
+ if cgroup.Resources.KernelMemoryTCP != kernelTCP {
+ t.Errorf("Expected to have %d as TCP Kernel Memory, got %d", kernelTCP, cgroup.Resources.KernelMemoryTCP)
+ }
+ if cgroup.Resources.MemorySwappiness != swappinessPtr {
+ t.Errorf("Expected to have %d as memory swappiness, got %d", swappinessPtr, cgroup.Resources.MemorySwappiness)
+ }
+ if cgroup.Resources.OomKillDisable != disableOOMKiller {
+ t.Errorf("The OOMKiller should be enabled")
+ }
+}
+
+func TestLinuxCgroupSystemd(t *testing.T) {
+ cgroupsPath := "parent:scopeprefix:name"
+
+ spec := &specs.Spec{}
+ spec.Linux = &specs.Linux{
+ CgroupsPath: cgroupsPath,
+ }
+
+ opts := &CreateOpts{
+ UseSystemdCgroup: true,
+ Spec: spec,
+ }
+
+ cgroup, err := createCgroupConfig(opts)
+
+ if err != nil {
+ t.Errorf("Couldn't create Cgroup config: %v", err)
+ }
+
+ expectedParent := "parent"
+ if cgroup.Parent != expectedParent {
+ t.Errorf("Expected to have %s as Parent instead of %s", expectedParent, cgroup.Parent)
+ }
+
+ expectedScopePrefix := "scopeprefix"
+ if cgroup.ScopePrefix != expectedScopePrefix {
+ t.Errorf("Expected to have %s as ScopePrefix instead of %s", expectedScopePrefix, cgroup.ScopePrefix)
+ }
+
+ expectedName := "name"
+ if cgroup.Name != expectedName {
+ t.Errorf("Expected to have %s as Name instead of %s", expectedName, cgroup.Name)
+ }
+}
+
+func TestLinuxCgroupSystemdWithEmptyPath(t *testing.T) {
+ cgroupsPath := ""
+
+ spec := &specs.Spec{}
+ spec.Linux = &specs.Linux{
+ CgroupsPath: cgroupsPath,
+ }
+
+ opts := &CreateOpts{
+ CgroupName: "ContainerID",
+ UseSystemdCgroup: true,
+ Spec: spec,
+ }
+
+ cgroup, err := createCgroupConfig(opts)
+
+ if err != nil {
+ t.Errorf("Couldn't create Cgroup config: %v", err)
+ }
+
+ expectedParent := "system.slice"
+ if cgroup.Parent != expectedParent {
+ t.Errorf("Expected to have %s as Parent instead of %s", expectedParent, cgroup.Parent)
+ }
+
+ expectedScopePrefix := "runc"
+ if cgroup.ScopePrefix != expectedScopePrefix {
+ t.Errorf("Expected to have %s as ScopePrefix instead of %s", expectedScopePrefix, cgroup.ScopePrefix)
+ }
+
+ if cgroup.Name != opts.CgroupName {
+ t.Errorf("Expected to have %s as Name instead of %s", opts.CgroupName, cgroup.Name)
+ }
+}
+
+func TestLinuxCgroupSystemdWithInvalidPath(t *testing.T) {
+ cgroupsPath := "/user/cgroups/path/id"
+
+ spec := &specs.Spec{}
+ spec.Linux = &specs.Linux{
+ CgroupsPath: cgroupsPath,
+ }
+
+ opts := &CreateOpts{
+ CgroupName: "ContainerID",
+ UseSystemdCgroup: true,
+ Spec: spec,
+ }
+
+ _, err := createCgroupConfig(opts)
+ if err == nil {
+ t.Error("Expected to produce an error if not using the correct format for cgroup paths belonging to systemd")
+ }
+}
+func TestLinuxCgroupsPathSpecified(t *testing.T) {
+ cgroupsPath := "/user/cgroups/path/id"
+
+ spec := &specs.Spec{}
+ spec.Linux = &specs.Linux{
+ CgroupsPath: cgroupsPath,
+ }
+
+ opts := &CreateOpts{
+ CgroupName: "ContainerID",
+ UseSystemdCgroup: false,
+ Spec: spec,
+ }
+
+ cgroup, err := createCgroupConfig(opts)
+ if err != nil {
+ t.Errorf("Couldn't create Cgroup config: %v", err)
+ }
+
+ if cgroup.Path != cgroupsPath {
+ t.Errorf("Wrong cgroupsPath, expected '%s' got '%s'", cgroupsPath, cgroup.Path)
+ }
+}
+
+func TestLinuxCgroupsPathNotSpecified(t *testing.T) {
+ spec := &specs.Spec{}
+ opts := &CreateOpts{
+ CgroupName: "ContainerID",
+ UseSystemdCgroup: false,
+ Spec: spec,
+ }
+
+ cgroup, err := createCgroupConfig(opts)
+ if err != nil {
+ t.Errorf("Couldn't create Cgroup config: %v", err)
+ }
+
+ if cgroup.Path != "" {
+ t.Errorf("Wrong cgroupsPath, expected it to be empty string, got '%s'", cgroup.Path)
+ }
+}
+
+func TestSpecconvExampleValidate(t *testing.T) {
+ spec := Example()
+ spec.Root.Path = "/"
+
+ opts := &CreateOpts{
+ CgroupName: "ContainerID",
+ UseSystemdCgroup: false,
+ Spec: spec,
+ }
+
+ config, err := CreateLibcontainerConfig(opts)
+ if err != nil {
+ t.Errorf("Couldn't create libcontainer config: %v", err)
+ }
+
+ validator := validate.New()
+ if err := validator.Validate(config); err != nil {
+ t.Errorf("Expected specconv to produce valid container config: %v", err)
+ }
+}
+
+func TestDupNamespaces(t *testing.T) {
+ spec := &specs.Spec{
+ Root: &specs.Root{
+ Path: "rootfs",
+ },
+ Linux: &specs.Linux{
+ Namespaces: []specs.LinuxNamespace{
+ {
+ Type: "pid",
+ },
+ {
+ Type: "pid",
+ Path: "/proc/1/ns/pid",
+ },
+ },
+ },
+ }
+
+ _, err := CreateLibcontainerConfig(&CreateOpts{
+ Spec: spec,
+ })
+
+ if !strings.Contains(err.Error(), "malformed spec file: duplicated ns") {
+ t.Errorf("Duplicated namespaces should be forbidden")
+ }
+}
+
+func TestNonZeroEUIDCompatibleSpecconvValidate(t *testing.T) {
+ if _, err := os.Stat("/proc/self/ns/user"); os.IsNotExist(err) {
+ t.Skip("userns is unsupported")
+ }
+
+ spec := Example()
+ spec.Root.Path = "/"
+ ToRootless(spec)
+
+ opts := &CreateOpts{
+ CgroupName: "ContainerID",
+ UseSystemdCgroup: false,
+ Spec: spec,
+ RootlessEUID: true,
+ RootlessCgroups: true,
+ }
+
+ config, err := CreateLibcontainerConfig(opts)
+ if err != nil {
+ t.Errorf("Couldn't create libcontainer config: %v", err)
+ }
+
+ validator := validate.New()
+ if err := validator.Validate(config); err != nil {
+ t.Errorf("Expected specconv to produce valid rootless container config: %v", err)
+ }
+}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/stacktrace/capture.go b/vendor/github.com/opencontainers/runc/libcontainer/stacktrace/capture.go
index 5ee6e37a3a4d2baa5ca735b046f5deb1c8574ee3..0bbe1495040923cc6f4566b7b3416260ca4464bf 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/stacktrace/capture.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/stacktrace/capture.go
@@ -2,14 +2,14 @@ package stacktrace
import "runtime"
-// Caputure captures a stacktrace for the current calling go program
+// Capture captures a stacktrace for the current calling go program
//
// skip is the number of frames to skip
func Capture(userSkip int) Stacktrace {
var (
skip = userSkip + 1 // add one for our own function
frames []Frame
- prevPc uintptr = 0
+ prevPc uintptr
)
for i := skip; ; i++ {
pc, file, line, ok := runtime.Caller(i)
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/stacktrace/capture_test.go b/vendor/github.com/opencontainers/runc/libcontainer/stacktrace/capture_test.go
index 7e99a2661a9aca4ba4d01381b57769a56a737c50..978f6c408adba075ecf7303e5ff95666006e8b83 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/stacktrace/capture_test.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/stacktrace/capture_test.go
@@ -19,9 +19,9 @@ func TestCaptureTestFunc(t *testing.T) {
// the first frame is the caller
frame := stack.Frames[0]
if expected := "captureFunc"; frame.Function != expected {
- t.Fatalf("expteced function %q but recevied %q", expected, frame.Function)
+ t.Fatalf("expected function %q but received %q", expected, frame.Function)
}
- expected := "github.com/opencontainers/runc/libcontainer/stacktrace"
+ expected := "/runc/libcontainer/stacktrace"
if !strings.HasSuffix(frame.Package, expected) {
t.Fatalf("expected package %q but received %q", expected, frame.Package)
}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/standard_init_linux.go b/vendor/github.com/opencontainers/runc/libcontainer/standard_init_linux.go
index 2e10150539b4b43aa8fae8ceecd3cbcca4933bc4..ad7ee8d8c8a6eba1885208aec691853de5030b47 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/standard_init_linux.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/standard_init_linux.go
@@ -4,129 +4,152 @@ package libcontainer
import (
"fmt"
- "io"
"os"
- "syscall"
+ "os/exec"
+ "runtime"
+ "syscall" //only for Exec
"github.com/opencontainers/runc/libcontainer/apparmor"
"github.com/opencontainers/runc/libcontainer/configs"
"github.com/opencontainers/runc/libcontainer/keys"
- "github.com/opencontainers/runc/libcontainer/label"
"github.com/opencontainers/runc/libcontainer/seccomp"
"github.com/opencontainers/runc/libcontainer/system"
+ "github.com/opencontainers/selinux/go-selinux/label"
+ "github.com/pkg/errors"
+
+ "golang.org/x/sys/unix"
)
type linuxStandardInit struct {
- pipe io.ReadWriter
- parentPid int
- config *initConfig
+ pipe *os.File
+ consoleSocket *os.File
+ parentPid int
+ fifoFd int
+ config *initConfig
}
func (l *linuxStandardInit) getSessionRingParams() (string, uint32, uint32) {
var newperms uint32
if l.config.Config.Namespaces.Contains(configs.NEWUSER) {
- // with user ns we need 'other' search permissions
+ // With user ns we need 'other' search permissions.
newperms = 0x8
} else {
- // without user ns we need 'UID' search permissions
+ // Without user ns we need 'UID' search permissions.
newperms = 0x80000
}
- // create a unique per session container name that we can
- // join in setns; however, other containers can also join it
+ // Create a unique per session container name that we can join in setns;
+ // However, other containers can also join it.
return fmt.Sprintf("_ses.%s", l.config.ContainerId), 0xffffffff, newperms
}
-// PR_SET_NO_NEW_PRIVS isn't exposed in Golang so we define it ourselves copying the value
-// the kernel
-const PR_SET_NO_NEW_PRIVS = 0x26
-
func (l *linuxStandardInit) Init() error {
- ringname, keepperms, newperms := l.getSessionRingParams()
+ runtime.LockOSThread()
+ defer runtime.UnlockOSThread()
+ if !l.config.Config.NoNewKeyring {
+ ringname, keepperms, newperms := l.getSessionRingParams()
- // do not inherit the parent's session keyring
- sessKeyId, err := keyctl.JoinSessionKeyring(ringname)
- if err != nil {
- return err
- }
- // make session keyring searcheable
- if err := keyctl.ModKeyringPerm(sessKeyId, keepperms, newperms); err != nil {
- return err
- }
-
- var console *linuxConsole
- if l.config.Console != "" {
- console = newConsoleFromPath(l.config.Console)
- if err := console.dupStdio(); err != nil {
- return err
- }
- }
- if console != nil {
- if err := system.Setctty(); err != nil {
- return err
+ // Do not inherit the parent's session keyring.
+ if sessKeyId, err := keys.JoinSessionKeyring(ringname); err != nil {
+ // If keyrings aren't supported then it is likely we are on an
+ // older kernel (or inside an LXC container). While we could bail,
+ // the security feature we are using here is best-effort (it only
+ // really provides marginal protection since VFS credentials are
+ // the only significant protection of keyrings).
+ //
+ // TODO(cyphar): Log this so people know what's going on, once we
+ // have proper logging in 'runc init'.
+ if errors.Cause(err) != unix.ENOSYS {
+ return errors.Wrap(err, "join session keyring")
+ }
+ } else {
+ // Make session keyring searcheable. If we've gotten this far we
+ // bail on any error -- we don't want to have a keyring with bad
+ // permissions.
+ if err := keys.ModKeyringPerm(sessKeyId, keepperms, newperms); err != nil {
+ return errors.Wrap(err, "mod keyring permissions")
+ }
}
}
+
if err := setupNetwork(l.config); err != nil {
return err
}
if err := setupRoute(l.config.Config); err != nil {
return err
}
- if err := setupRlimits(l.config.Rlimits); err != nil {
+
+ label.Init()
+ if err := prepareRootfs(l.pipe, l.config); err != nil {
return err
}
+ // Set up the console. This has to be done *before* we finalize the rootfs,
+ // but *after* we've given the user the chance to set up all of the mounts
+ // they wanted.
+ if l.config.CreateConsole {
+ if err := setupConsole(l.consoleSocket, l.config, true); err != nil {
+ return err
+ }
+ if err := system.Setctty(); err != nil {
+ return errors.Wrap(err, "setctty")
+ }
+ }
- label.Init()
- // InitializeMountNamespace() can be executed only for a new mount namespace
+ // Finish the rootfs setup.
if l.config.Config.Namespaces.Contains(configs.NEWNS) {
- if err := setupRootfs(l.config.Config, console, l.pipe); err != nil {
+ if err := finalizeRootfs(l.config.Config); err != nil {
return err
}
}
+
if hostname := l.config.Config.Hostname; hostname != "" {
- if err := syscall.Sethostname([]byte(hostname)); err != nil {
- return err
+ if err := unix.Sethostname([]byte(hostname)); err != nil {
+ return errors.Wrap(err, "sethostname")
}
}
if err := apparmor.ApplyProfile(l.config.AppArmorProfile); err != nil {
- return err
- }
- if err := label.SetProcessLabel(l.config.ProcessLabel); err != nil {
- return err
+ return errors.Wrap(err, "apply apparmor profile")
}
for key, value := range l.config.Config.Sysctl {
if err := writeSystemProperty(key, value); err != nil {
- return err
+ return errors.Wrapf(err, "write sysctl key %s", key)
}
}
for _, path := range l.config.Config.ReadonlyPaths {
- if err := remountReadonly(path); err != nil {
- return err
+ if err := readonlyPath(path); err != nil {
+ return errors.Wrapf(err, "readonly path %s", path)
}
}
for _, path := range l.config.Config.MaskPaths {
- if err := maskFile(path); err != nil {
- return err
+ if err := maskPath(path, l.config.Config.MountLabel); err != nil {
+ return errors.Wrapf(err, "mask path %s", path)
}
}
pdeath, err := system.GetParentDeathSignal()
if err != nil {
- return err
+ return errors.Wrap(err, "get pdeath signal")
}
if l.config.NoNewPrivileges {
- if err := system.Prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); err != nil {
- return err
+ if err := unix.Prctl(unix.PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); err != nil {
+ return errors.Wrap(err, "set nonewprivileges")
}
}
// Tell our parent that we're ready to Execv. This must be done before the
// Seccomp rules have been applied, because we need to be able to read and
// write to a socket.
if err := syncParentReady(l.pipe); err != nil {
- return err
+ return errors.Wrap(err, "sync ready")
}
- if l.config.Config.Seccomp != nil {
+ if err := label.SetProcessLabel(l.config.ProcessLabel); err != nil {
+ return errors.Wrap(err, "set process label")
+ }
+ defer label.SetProcessLabel("")
+ // Without NoNewPrivileges seccomp is a privileged operation, so we need to
+ // do this before dropping capabilities; otherwise do it as late as possible
+ // just before execve so as few syscalls take place after it as possible.
+ if l.config.Config.Seccomp != nil && !l.config.NoNewPrivileges {
if err := seccomp.InitSeccomp(l.config.Config.Seccomp); err != nil {
return err
}
@@ -137,14 +160,51 @@ func (l *linuxStandardInit) Init() error {
// finalizeNamespace can change user/group which clears the parent death
// signal, so we restore it here.
if err := pdeath.Restore(); err != nil {
+ return errors.Wrap(err, "restore pdeath signal")
+ }
+ // Compare the parent from the initial start of the init process and make
+ // sure that it did not change. if the parent changes that means it died
+ // and we were reparented to something else so we should just kill ourself
+ // and not cause problems for someone else.
+ if unix.Getppid() != l.parentPid {
+ return unix.Kill(unix.Getpid(), unix.SIGKILL)
+ }
+ // Check for the arg before waiting to make sure it exists and it is
+ // returned as a create time error.
+ name, err := exec.LookPath(l.config.Args[0])
+ if err != nil {
return err
}
- // compare the parent from the inital start of the init process and make sure that it did not change.
- // if the parent changes that means it died and we were reparened to something else so we should
- // just kill ourself and not cause problems for someone else.
- if syscall.Getppid() != l.parentPid {
- return syscall.Kill(syscall.Getpid(), syscall.SIGKILL)
+ // Close the pipe to signal that we have completed our init.
+ l.pipe.Close()
+ // Wait for the FIFO to be opened on the other side before exec-ing the
+ // user process. We open it through /proc/self/fd/$fd, because the fd that
+ // was given to us was an O_PATH fd to the fifo itself. Linux allows us to
+ // re-open an O_PATH fd through /proc.
+ fd, err := unix.Open(fmt.Sprintf("/proc/self/fd/%d", l.fifoFd), unix.O_WRONLY|unix.O_CLOEXEC, 0)
+ if err != nil {
+ return newSystemErrorWithCause(err, "open exec fifo")
+ }
+ if _, err := unix.Write(fd, []byte("0")); err != nil {
+ return newSystemErrorWithCause(err, "write 0 exec fifo")
+ }
+ // Close the O_PATH fifofd fd before exec because the kernel resets
+ // dumpable in the wrong order. This has been fixed in newer kernels, but
+ // we keep this to ensure CVE-2016-9962 doesn't re-emerge on older kernels.
+ // N.B. the core issue itself (passing dirfds to the host filesystem) has
+ // since been resolved.
+ // https://github.com/torvalds/linux/blob/v4.9/fs/exec.c#L1290-L1318
+ unix.Close(l.fifoFd)
+ // Set seccomp as close to execve as possible, so as few syscalls take
+ // place afterward (reducing the amount of syscalls that users need to
+ // enable in their seccomp profiles).
+ if l.config.Config.Seccomp != nil && l.config.NoNewPrivileges {
+ if err := seccomp.InitSeccomp(l.config.Config.Seccomp); err != nil {
+ return newSystemErrorWithCause(err, "init seccomp")
+ }
}
-
- return system.Execv(l.config.Args[0], l.config.Args[0:], os.Environ())
+ if err := syscall.Exec(name, l.config.Args[0:], os.Environ()); err != nil {
+ return newSystemErrorWithCause(err, "exec user process")
+ }
+ return nil
}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/state_linux.go b/vendor/github.com/opencontainers/runc/libcontainer/state_linux.go
index 1813172bf603a6cbbdb8ab1d325fa41df108f6f4..5c16a423f741ffb7167758988b50503e86999368 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/state_linux.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/state_linux.go
@@ -7,8 +7,10 @@ import (
"os"
"path/filepath"
- "github.com/sirupsen/logrus"
"github.com/opencontainers/runc/libcontainer/configs"
+
+ "github.com/sirupsen/logrus"
+ "golang.org/x/sys/unix"
)
func newStateTransitionError(from, to containerState) error {
@@ -37,11 +39,16 @@ type containerState interface {
func destroy(c *linuxContainer) error {
if !c.config.Namespaces.Contains(configs.NEWPID) {
- if err := killCgroupProcesses(c.cgroupManager); err != nil {
+ if err := signalAllProcesses(c.cgroupManager, unix.SIGKILL); err != nil {
logrus.Warn(err)
}
}
err := c.cgroupManager.Destroy()
+ if c.intelRdtManager != nil {
+ if ierr := c.intelRdtManager.Destroy(); err == nil {
+ err = ierr
+ }
+ }
if rerr := os.RemoveAll(c.root); err == nil {
err = rerr
}
@@ -55,10 +62,9 @@ func destroy(c *linuxContainer) error {
func runPoststopHooks(c *linuxContainer) error {
if c.config.Hooks != nil {
- s := configs.HookState{
- Version: c.config.Version,
- ID: c.id,
- Root: c.config.Rootfs,
+ s, err := c.currentOCIState()
+ if err != nil {
+ return err
}
for _, hook := range c.config.Hooks.Poststop {
if err := hook.Run(s); err != nil {
@@ -75,15 +81,12 @@ type stoppedState struct {
}
func (b *stoppedState) status() Status {
- return Destroyed
+ return Stopped
}
func (b *stoppedState) transition(s containerState) error {
switch s.(type) {
- case *runningState:
- b.c.state = s
- return nil
- case *restoredState:
+ case *runningState, *restoredState:
b.c.state = s
return nil
case *stoppedState:
@@ -108,11 +111,11 @@ func (r *runningState) status() Status {
func (r *runningState) transition(s containerState) error {
switch s.(type) {
case *stoppedState:
- running, err := r.c.isRunning()
+ t, err := r.c.runType()
if err != nil {
return err
}
- if running {
+ if t == Running {
return newGenericError(fmt.Errorf("container still running"), ContainerNotStopped)
}
r.c.state = s
@@ -127,16 +130,40 @@ func (r *runningState) transition(s containerState) error {
}
func (r *runningState) destroy() error {
- running, err := r.c.isRunning()
+ t, err := r.c.runType()
if err != nil {
return err
}
- if running {
+ if t == Running {
return newGenericError(fmt.Errorf("container is not destroyed"), ContainerNotStopped)
}
return destroy(r.c)
}
+type createdState struct {
+ c *linuxContainer
+}
+
+func (i *createdState) status() Status {
+ return Created
+}
+
+func (i *createdState) transition(s containerState) error {
+ switch s.(type) {
+ case *runningState, *pausedState, *stoppedState:
+ i.c.state = s
+ return nil
+ case *createdState:
+ return nil
+ }
+ return newStateTransitionError(i, s)
+}
+
+func (i *createdState) destroy() error {
+ i.c.initProcess.signal(unix.SIGKILL)
+ return destroy(i.c)
+}
+
// pausedState represents a container that is currently pause. It cannot be destroyed in a
// paused state and must transition back to running first.
type pausedState struct {
@@ -159,11 +186,11 @@ func (p *pausedState) transition(s containerState) error {
}
func (p *pausedState) destroy() error {
- isRunning, err := p.c.isRunning()
+ t, err := p.c.runType()
if err != nil {
return err
}
- if !isRunning {
+ if t != Running && t != Created {
if err := p.c.cgroupManager.Freeze(configs.Thawed); err != nil {
return err
}
@@ -172,8 +199,8 @@ func (p *pausedState) destroy() error {
return newGenericError(fmt.Errorf("container is paused"), ContainerPaused)
}
-// restoredState is the same as the running state but also has accociated checkpoint
-// information that maybe need destroyed when the container is stopped and destory is called.
+// restoredState is the same as the running state but also has associated checkpoint
+// information that maybe need destroyed when the container is stopped and destroy is called.
type restoredState struct {
imageDir string
c *linuxContainer
@@ -185,9 +212,7 @@ func (r *restoredState) status() Status {
func (r *restoredState) transition(s containerState) error {
switch s.(type) {
- case *stoppedState:
- return nil
- case *runningState:
+ case *stoppedState, *runningState:
return nil
}
return newStateTransitionError(r, s)
@@ -202,23 +227,23 @@ func (r *restoredState) destroy() error {
return destroy(r.c)
}
-// createdState is used whenever a container is restored, loaded, or setting additional
+// loadedState is used whenever a container is restored, loaded, or setting additional
// processes inside and it should not be destroyed when it is exiting.
-type createdState struct {
+type loadedState struct {
c *linuxContainer
s Status
}
-func (n *createdState) status() Status {
+func (n *loadedState) status() Status {
return n.s
}
-func (n *createdState) transition(s containerState) error {
+func (n *loadedState) transition(s containerState) error {
n.c.state = s
return nil
}
-func (n *createdState) destroy() error {
+func (n *loadedState) destroy() error {
if err := n.c.refreshState(); err != nil {
return err
}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/state_linux_test.go b/vendor/github.com/opencontainers/runc/libcontainer/state_linux_test.go
index 417d9c22eda68b45a888bdd9af5b213ab6483cbd..6ef516b757acb314cd4f1245ef50d6b23f994fce 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/state_linux_test.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/state_linux_test.go
@@ -2,15 +2,21 @@
package libcontainer
-import "testing"
+import (
+ "reflect"
+ "testing"
+)
+
+var states = map[containerState]Status{
+ &createdState{}: Created,
+ &runningState{}: Running,
+ &restoredState{}: Running,
+ &pausedState{}: Paused,
+ &stoppedState{}: Stopped,
+ &loadedState{s: Running}: Running,
+}
func TestStateStatus(t *testing.T) {
- states := map[containerState]Status{
- &stoppedState{}: Destroyed,
- &runningState{}: Running,
- &restoredState{}: Running,
- &pausedState{}: Paused,
- }
for s, status := range states {
if s.status() != status {
t.Fatalf("state returned %s but expected %s", s.status(), status)
@@ -23,57 +29,88 @@ func isStateTransitionError(err error) bool {
return ok
}
-func TestStoppedStateTransition(t *testing.T) {
- s := &stoppedState{c: &linuxContainer{}}
- valid := []containerState{
- &stoppedState{},
- &runningState{},
- &restoredState{},
+func testTransitions(t *testing.T, initialState containerState, valid []containerState) {
+ validMap := map[reflect.Type]interface{}{}
+ for _, validState := range valid {
+ validMap[reflect.TypeOf(validState)] = nil
+ t.Run(validState.status().String(), func(t *testing.T) {
+ if err := initialState.transition(validState); err != nil {
+ t.Fatal(err)
+ }
+ })
}
- for _, v := range valid {
- if err := s.transition(v); err != nil {
- t.Fatal(err)
+ for state := range states {
+ if _, ok := validMap[reflect.TypeOf(state)]; ok {
+ continue
}
- }
- err := s.transition(&pausedState{})
- if err == nil {
- t.Fatal("transition to paused state should fail")
- }
- if !isStateTransitionError(err) {
- t.Fatal("expected stateTransitionError")
+ t.Run(state.status().String(), func(t *testing.T) {
+ err := initialState.transition(state)
+ if err == nil {
+ t.Fatal("transition should fail")
+ }
+ if !isStateTransitionError(err) {
+ t.Fatal("expected stateTransitionError")
+ }
+ })
}
}
+func TestStoppedStateTransition(t *testing.T) {
+ testTransitions(
+ t,
+ &stoppedState{c: &linuxContainer{}},
+ []containerState{
+ &stoppedState{},
+ &runningState{},
+ &restoredState{},
+ },
+ )
+}
+
func TestPausedStateTransition(t *testing.T) {
- s := &pausedState{c: &linuxContainer{}}
- valid := []containerState{
- &pausedState{},
- &runningState{},
- &stoppedState{},
- }
- for _, v := range valid {
- if err := s.transition(v); err != nil {
- t.Fatal(err)
- }
- }
+ testTransitions(
+ t,
+ &pausedState{c: &linuxContainer{}},
+ []containerState{
+ &pausedState{},
+ &runningState{},
+ &stoppedState{},
+ },
+ )
}
func TestRestoredStateTransition(t *testing.T) {
- s := &restoredState{c: &linuxContainer{}}
- valid := []containerState{
- &stoppedState{},
- &runningState{},
- }
- for _, v := range valid {
- if err := s.transition(v); err != nil {
- t.Fatal(err)
- }
- }
- err := s.transition(&createdState{})
- if err == nil {
- t.Fatal("transition to created state should fail")
- }
- if !isStateTransitionError(err) {
- t.Fatal("expected stateTransitionError")
- }
+ testTransitions(
+ t,
+ &restoredState{c: &linuxContainer{}},
+ []containerState{
+ &stoppedState{},
+ &runningState{},
+ },
+ )
+}
+
+func TestRunningStateTransition(t *testing.T) {
+ testTransitions(
+ t,
+ &runningState{c: &linuxContainer{}},
+ []containerState{
+ &stoppedState{},
+ &pausedState{},
+ &runningState{},
+ },
+ )
+}
+
+func TestCreatedStateTransition(t *testing.T) {
+ testTransitions(
+ t,
+ &createdState{c: &linuxContainer{}},
+ []containerState{
+ &stoppedState{},
+ &pausedState{},
+ &runningState{},
+ &createdState{},
+ },
+ )
}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/stats_freebsd.go b/vendor/github.com/opencontainers/runc/libcontainer/stats_freebsd.go
deleted file mode 100644
index f8d1d689ceea6049411b02e4d0e924e8580a5c15..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/libcontainer/stats_freebsd.go
+++ /dev/null
@@ -1,5 +0,0 @@
-package libcontainer
-
-type Stats struct {
- Interfaces []*NetworkInterface
-}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/stats_linux.go b/vendor/github.com/opencontainers/runc/libcontainer/stats_linux.go
index c629dc67de96df8426456ce87bca3c889f5decf4..29fd641e9dd1079b62177f0d197861d7873cd887 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/stats_linux.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/stats_linux.go
@@ -1,8 +1,10 @@
package libcontainer
import "github.com/opencontainers/runc/libcontainer/cgroups"
+import "github.com/opencontainers/runc/libcontainer/intelrdt"
type Stats struct {
- Interfaces []*NetworkInterface
- CgroupStats *cgroups.Stats
+ Interfaces []*NetworkInterface
+ CgroupStats *cgroups.Stats
+ IntelRdtStats *intelrdt.Stats
}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/stats_windows.go b/vendor/github.com/opencontainers/runc/libcontainer/stats_windows.go
deleted file mode 100644
index f8d1d689ceea6049411b02e4d0e924e8580a5c15..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/libcontainer/stats_windows.go
+++ /dev/null
@@ -1,5 +0,0 @@
-package libcontainer
-
-type Stats struct {
- Interfaces []*NetworkInterface
-}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/sync.go b/vendor/github.com/opencontainers/runc/libcontainer/sync.go
new file mode 100644
index 0000000000000000000000000000000000000000..a8704a2679df9678cbfcc43232c97cf271f77797
--- /dev/null
+++ b/vendor/github.com/opencontainers/runc/libcontainer/sync.go
@@ -0,0 +1,104 @@
+package libcontainer
+
+import (
+ "encoding/json"
+ "fmt"
+ "io"
+
+ "github.com/opencontainers/runc/libcontainer/utils"
+)
+
+type syncType string
+
+// Constants that are used for synchronisation between the parent and child
+// during container setup. They come in pairs (with procError being a generic
+// response which is followed by a &genericError).
+//
+// [ child ] <-> [ parent ]
+//
+// procHooks --> [run hooks]
+// <-- procResume
+//
+// procConsole -->
+// <-- procConsoleReq
+// [send(fd)] --> [recv(fd)]
+// <-- procConsoleAck
+//
+// procReady --> [final setup]
+// <-- procRun
+const (
+ procError syncType = "procError"
+ procReady syncType = "procReady"
+ procRun syncType = "procRun"
+ procHooks syncType = "procHooks"
+ procResume syncType = "procResume"
+)
+
+type syncT struct {
+ Type syncType `json:"type"`
+}
+
+// writeSync is used to write to a synchronisation pipe. An error is returned
+// if there was a problem writing the payload.
+func writeSync(pipe io.Writer, sync syncType) error {
+ return utils.WriteJSON(pipe, syncT{sync})
+}
+
+// readSync is used to read from a synchronisation pipe. An error is returned
+// if we got a genericError, the pipe was closed, or we got an unexpected flag.
+func readSync(pipe io.Reader, expected syncType) error {
+ var procSync syncT
+ if err := json.NewDecoder(pipe).Decode(&procSync); err != nil {
+ if err == io.EOF {
+ return fmt.Errorf("parent closed synchronisation channel")
+ }
+
+ if procSync.Type == procError {
+ var ierr genericError
+
+ if err := json.NewDecoder(pipe).Decode(&ierr); err != nil {
+ return fmt.Errorf("failed reading error from parent: %v", err)
+ }
+
+ return &ierr
+ }
+
+ if procSync.Type != expected {
+ return fmt.Errorf("invalid synchronisation flag from parent")
+ }
+ }
+ return nil
+}
+
+// parseSync runs the given callback function on each syncT received from the
+// child. It will return once io.EOF is returned from the given pipe.
+func parseSync(pipe io.Reader, fn func(*syncT) error) error {
+ dec := json.NewDecoder(pipe)
+ for {
+ var sync syncT
+ if err := dec.Decode(&sync); err != nil {
+ if err == io.EOF {
+ break
+ }
+ return err
+ }
+
+ // We handle this case outside fn for cleanliness reasons.
+ var ierr *genericError
+ if sync.Type == procError {
+ if err := dec.Decode(&ierr); err != nil && err != io.EOF {
+ return newSystemErrorWithCause(err, "decoding proc error from init")
+ }
+ if ierr != nil {
+ return ierr
+ }
+ // Programmer error.
+ panic("No error following JSON procError payload.")
+ }
+
+ if err := fn(&sync); err != nil {
+ return err
+ }
+ }
+ return nil
+}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/system/linux.go b/vendor/github.com/opencontainers/runc/libcontainer/system/linux.go
index babf55048b805bf9e174a0ccf410a2e07e714590..a4ae8901acc06c79331c32615c24c3b913e26f92 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/system/linux.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/system/linux.go
@@ -3,14 +3,28 @@
package system
import (
- "bufio"
- "fmt"
"os"
"os/exec"
- "syscall"
+ "syscall" // only for exec
"unsafe"
+
+ "github.com/opencontainers/runc/libcontainer/user"
+ "golang.org/x/sys/unix"
)
+// If arg2 is nonzero, set the "child subreaper" attribute of the
+// calling process; if arg2 is zero, unset the attribute. When a
+// process is marked as a child subreaper, all of the children
+// that it creates, and their descendants, will be marked as
+// having a subreaper. In effect, a subreaper fulfills the role
+// of init(1) for its descendant processes. Upon termination of
+// a process that is orphaned (i.e., its immediate parent has
+// already terminated) and marked as having a subreaper, the
+// nearest still living ancestor subreaper will receive a SIGCHLD
+// signal and be able to wait(2) on the process to discover its
+// termination status.
+const PR_SET_CHILD_SUBREAPER = 36
+
type ParentDeathSignal int
func (p ParentDeathSignal) Restore() error {
@@ -40,8 +54,16 @@ func Execv(cmd string, args []string, env []string) error {
return syscall.Exec(name, args, env)
}
+func Prlimit(pid, resource int, limit unix.Rlimit) error {
+ _, _, err := unix.RawSyscall6(unix.SYS_PRLIMIT64, uintptr(pid), uintptr(resource), uintptr(unsafe.Pointer(&limit)), uintptr(unsafe.Pointer(&limit)), 0, 0)
+ if err != 0 {
+ return err
+ }
+ return nil
+}
+
func SetParentDeathSignal(sig uintptr) error {
- if _, _, err := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_SET_PDEATHSIG, sig, 0); err != 0 {
+ if err := unix.Prctl(unix.PR_SET_PDEATHSIG, sig, 0, 0, 0); err != nil {
return err
}
return nil
@@ -49,15 +71,14 @@ func SetParentDeathSignal(sig uintptr) error {
func GetParentDeathSignal() (ParentDeathSignal, error) {
var sig int
- _, _, err := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_GET_PDEATHSIG, uintptr(unsafe.Pointer(&sig)), 0)
- if err != 0 {
+ if err := unix.Prctl(unix.PR_GET_PDEATHSIG, uintptr(unsafe.Pointer(&sig)), 0, 0, 0); err != nil {
return -1, err
}
return ParentDeathSignal(sig), nil
}
func SetKeepCaps() error {
- if _, _, err := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_SET_KEEPCAPS, 1, 0); err != 0 {
+ if err := unix.Prctl(unix.PR_SET_KEEPCAPS, 1, 0, 0, 0); err != nil {
return err
}
@@ -65,7 +86,7 @@ func SetKeepCaps() error {
}
func ClearKeepCaps() error {
- if _, _, err := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_SET_KEEPCAPS, 0, 0); err != 0 {
+ if err := unix.Prctl(unix.PR_SET_KEEPCAPS, 0, 0, 0, 0); err != nil {
return err
}
@@ -73,50 +94,62 @@ func ClearKeepCaps() error {
}
func Setctty() error {
- if _, _, err := syscall.RawSyscall(syscall.SYS_IOCTL, 0, uintptr(syscall.TIOCSCTTY), 0); err != 0 {
+ if err := unix.IoctlSetInt(0, unix.TIOCSCTTY, 0); err != nil {
return err
}
return nil
}
-/*
- * Detect whether we are currently running in a user namespace.
- * Copied from github.com/lxc/lxd/shared/util.go
- */
+// RunningInUserNS detects whether we are currently running in a user namespace.
+// Originally copied from github.com/lxc/lxd/shared/util.go
func RunningInUserNS() bool {
- file, err := os.Open("/proc/self/uid_map")
- if err != nil {
- /*
- * This kernel-provided file only exists if user namespaces are
- * supported
- */
- return false
- }
- defer file.Close()
-
- buf := bufio.NewReader(file)
- l, _, err := buf.ReadLine()
+ uidmap, err := user.CurrentProcessUIDMap()
if err != nil {
+ // This kernel-provided file only exists if user namespaces are supported
return false
}
+ return UIDMapInUserNS(uidmap)
+}
- line := string(l)
- var a, b, c int64
- fmt.Sscanf(line, "%d %d %d", &a, &b, &c)
+func UIDMapInUserNS(uidmap []user.IDMap) bool {
/*
* We assume we are in the initial user namespace if we have a full
* range - 4294967295 uids starting at uid 0.
*/
- if a == 0 && b == 0 && c == 4294967295 {
+ if len(uidmap) == 1 && uidmap[0].ID == 0 && uidmap[0].ParentID == 0 && uidmap[0].Count == 4294967295 {
return false
}
return true
}
-func Prctl(option int, arg2, arg3, arg4, arg5 uintptr) (err error) {
- _, _, e1 := syscall.Syscall6(syscall.SYS_PRCTL, uintptr(option), arg2, arg3, arg4, arg5, 0)
- if e1 != 0 {
- err = e1
+// GetParentNSeuid returns the euid within the parent user namespace
+func GetParentNSeuid() int64 {
+ euid := int64(os.Geteuid())
+ uidmap, err := user.CurrentProcessUIDMap()
+ if err != nil {
+ // This kernel-provided file only exists if user namespaces are supported
+ return euid
+ }
+ for _, um := range uidmap {
+ if um.ID <= euid && euid <= um.ID+um.Count-1 {
+ return um.ParentID + euid - um.ID
+ }
+ }
+ return euid
+}
+
+// SetSubreaper sets the value i as the subreaper setting for the calling process
+func SetSubreaper(i int) error {
+ return unix.Prctl(PR_SET_CHILD_SUBREAPER, uintptr(i), 0, 0, 0)
+}
+
+// GetSubreaper returns the subreaper setting for the calling process
+func GetSubreaper() (int, error) {
+ var i uintptr
+
+ if err := unix.Prctl(unix.PR_GET_CHILD_SUBREAPER, uintptr(unsafe.Pointer(&i)), 0, 0, 0); err != nil {
+ return -1, err
}
- return
+
+ return int(i), nil
}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/system/linux_test.go b/vendor/github.com/opencontainers/runc/libcontainer/system/linux_test.go
new file mode 100644
index 0000000000000000000000000000000000000000..4d613d8473da8ea4e6330691d7f2472f5b220279
--- /dev/null
+++ b/vendor/github.com/opencontainers/runc/libcontainer/system/linux_test.go
@@ -0,0 +1,45 @@
+// +build linux
+
+package system
+
+import (
+ "strings"
+ "testing"
+
+ "github.com/opencontainers/runc/libcontainer/user"
+)
+
+func TestUIDMapInUserNS(t *testing.T) {
+ cases := []struct {
+ s string
+ expected bool
+ }{
+ {
+ s: " 0 0 4294967295\n",
+ expected: false,
+ },
+ {
+ s: " 0 0 1\n",
+ expected: true,
+ },
+ {
+ s: " 0 1001 1\n 1 231072 65536\n",
+ expected: true,
+ },
+ {
+ // file exist but empty (the initial state when userns is created. see man 7 user_namespaces)
+ s: "",
+ expected: true,
+ },
+ }
+ for _, c := range cases {
+ uidmap, err := user.ParseIDMap(strings.NewReader(c.s))
+ if err != nil {
+ t.Fatal(err)
+ }
+ actual := UIDMapInUserNS(uidmap)
+ if c.expected != actual {
+ t.Fatalf("expected %v, got %v for %q", c.expected, actual, c.s)
+ }
+ }
+}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/system/proc.go b/vendor/github.com/opencontainers/runc/libcontainer/system/proc.go
index 37808a29f6adbe8d5b84e79c06f2eef0066b86ac..79232a43715b2d42c895ee421707c798d14c430e 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/system/proc.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/system/proc.go
@@ -1,27 +1,113 @@
package system
import (
+ "fmt"
"io/ioutil"
"path/filepath"
"strconv"
"strings"
)
-// look in /proc to find the process start time so that we can verify
-// that this pid has started after ourself
+// State is the status of a process.
+type State rune
+
+const ( // Only values for Linux 3.14 and later are listed here
+ Dead State = 'X'
+ DiskSleep State = 'D'
+ Running State = 'R'
+ Sleeping State = 'S'
+ Stopped State = 'T'
+ TracingStop State = 't'
+ Zombie State = 'Z'
+)
+
+// String forms of the state from proc(5)'s documentation for
+// /proc/[pid]/status' "State" field.
+func (s State) String() string {
+ switch s {
+ case Dead:
+ return "dead"
+ case DiskSleep:
+ return "disk sleep"
+ case Running:
+ return "running"
+ case Sleeping:
+ return "sleeping"
+ case Stopped:
+ return "stopped"
+ case TracingStop:
+ return "tracing stop"
+ case Zombie:
+ return "zombie"
+ default:
+ return fmt.Sprintf("unknown (%c)", s)
+ }
+}
+
+// Stat_t represents the information from /proc/[pid]/stat, as
+// described in proc(5) with names based on the /proc/[pid]/status
+// fields.
+type Stat_t struct {
+ // PID is the process ID.
+ PID uint
+
+ // Name is the command run by the process.
+ Name string
+
+ // State is the state of the process.
+ State State
+
+ // StartTime is the number of clock ticks after system boot (since
+ // Linux 2.6).
+ StartTime uint64
+}
+
+// Stat returns a Stat_t instance for the specified process.
+func Stat(pid int) (stat Stat_t, err error) {
+ bytes, err := ioutil.ReadFile(filepath.Join("/proc", strconv.Itoa(pid), "stat"))
+ if err != nil {
+ return stat, err
+ }
+ return parseStat(string(bytes))
+}
+
+// GetProcessStartTime is deprecated. Use Stat(pid) and
+// Stat_t.StartTime instead.
func GetProcessStartTime(pid int) (string, error) {
- data, err := ioutil.ReadFile(filepath.Join("/proc", strconv.Itoa(pid), "stat"))
+ stat, err := Stat(pid)
if err != nil {
return "", err
}
+ return fmt.Sprintf("%d", stat.StartTime), nil
+}
+
+func parseStat(data string) (stat Stat_t, err error) {
+ // From proc(5), field 2 could contain space and is inside `(` and `)`.
+ // The following is an example:
+ // 89653 (gunicorn: maste) S 89630 89653 89653 0 -1 4194560 29689 28896 0 3 146 32 76 19 20 0 1 0 2971844 52965376 3920 18446744073709551615 1 1 0 0 0 0 0 16781312 137447943 0 0 0 17 1 0 0 0 0 0 0 0 0 0 0 0 0 0
+ i := strings.LastIndex(data, ")")
+ if i <= 2 || i >= len(data)-1 {
+ return stat, fmt.Errorf("invalid stat data: %q", data)
+ }
+
+ parts := strings.SplitN(data[:i], "(", 2)
+ if len(parts) != 2 {
+ return stat, fmt.Errorf("invalid stat data: %q", data)
+ }
+
+ stat.Name = parts[1]
+ _, err = fmt.Sscanf(parts[0], "%d", &stat.PID)
+ if err != nil {
+ return stat, err
+ }
- parts := strings.Split(string(data), " ")
- // the starttime is located at pos 22
- // from the man page
- //
- // starttime %llu (was %lu before Linux 2.6)
- // (22) The time the process started after system boot. In kernels before Linux 2.6, this
- // value was expressed in jiffies. Since Linux 2.6, the value is expressed in clock ticks
- // (divide by sysconf(_SC_CLK_TCK)).
- return parts[22-1], nil // starts at 1
+ // parts indexes should be offset by 3 from the field number given
+ // proc(5), because parts is zero-indexed and we've removed fields
+ // one (PID) and two (Name) in the paren-split.
+ parts = strings.Split(data[i+2:], " ")
+ var state int
+ fmt.Sscanf(parts[3-3], "%c", &state)
+ stat.State = State(state)
+ fmt.Sscanf(parts[22-3], "%d", &stat.StartTime)
+ return stat, nil
}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/system/proc_test.go b/vendor/github.com/opencontainers/runc/libcontainer/system/proc_test.go
new file mode 100644
index 0000000000000000000000000000000000000000..7e1acc5bcb45b4f42ead7a7c4732e5f1281c9e7d
--- /dev/null
+++ b/vendor/github.com/opencontainers/runc/libcontainer/system/proc_test.go
@@ -0,0 +1,45 @@
+package system
+
+import "testing"
+
+func TestParseStartTime(t *testing.T) {
+ data := map[string]Stat_t{
+ "4902 (gunicorn: maste) S 4885 4902 4902 0 -1 4194560 29683 29929 61 83 78 16 96 17 20 0 1 0 9126532 52965376 1903 18446744073709551615 4194304 7461796 140733928751520 140733928698072 139816984959091 0 0 16781312 137447943 1 0 0 17 3 0 0 9 0 0 9559488 10071156 33050624 140733928758775 140733928758945 140733928758945 140733928759264 0": {
+ PID: 4902,
+ Name: "gunicorn: maste",
+ State: 'S',
+ StartTime: 9126532,
+ },
+ "9534 (cat) R 9323 9534 9323 34828 9534 4194304 95 0 0 0 0 0 0 0 20 0 1 0 9214966 7626752 168 18446744073709551615 4194304 4240332 140732237651568 140732237650920 140570710391216 0 0 0 0 0 0 0 17 1 0 0 0 0 0 6340112 6341364 21553152 140732237653865 140732237653885 140732237653885 140732237656047 0": {
+ PID: 9534,
+ Name: "cat",
+ State: 'R',
+ StartTime: 9214966,
+ },
+
+ "24767 (irq/44-mei_me) S 2 0 0 0 -1 2129984 0 0 0 0 0 0 0 0 -51 0 1 0 8722075 0 0 18446744073709551615 0 0 0 0 0 0 0 2147483647 0 0 0 0 17 1 50 1 0 0 0 0 0 0 0 0 0 0 0": {
+ PID: 24767,
+ Name: "irq/44-mei_me",
+ State: 'S',
+ StartTime: 8722075,
+ },
+ }
+ for line, expected := range data {
+ st, err := parseStat(line)
+ if err != nil {
+ t.Fatal(err)
+ }
+ if st.PID != expected.PID {
+ t.Fatalf("expected PID %q but received %q", expected.PID, st.PID)
+ }
+ if st.State != expected.State {
+ t.Fatalf("expected state %q but received %q", expected.State, st.State)
+ }
+ if st.Name != expected.Name {
+ t.Fatalf("expected name %q but received %q", expected.Name, st.Name)
+ }
+ if st.StartTime != expected.StartTime {
+ t.Fatalf("expected start time %q but received %q", expected.StartTime, st.StartTime)
+ }
+ }
+}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/system/setns_linux.go b/vendor/github.com/opencontainers/runc/libcontainer/system/setns_linux.go
deleted file mode 100644
index 615ff4c82742d01be896af2e8dfde6d1d8d59fce..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/libcontainer/system/setns_linux.go
+++ /dev/null
@@ -1,40 +0,0 @@
-package system
-
-import (
- "fmt"
- "runtime"
- "syscall"
-)
-
-// Via http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=7b21fddd087678a70ad64afc0f632e0f1071b092
-//
-// We need different setns values for the different platforms and arch
-// We are declaring the macro here because the SETNS syscall does not exist in th stdlib
-var setNsMap = map[string]uintptr{
- "linux/386": 346,
- "linux/arm64": 268,
- "linux/amd64": 308,
- "linux/arm": 375,
- "linux/ppc": 350,
- "linux/ppc64": 350,
- "linux/ppc64le": 350,
- "linux/s390x": 339,
-}
-
-var sysSetns = setNsMap[fmt.Sprintf("%s/%s", runtime.GOOS, runtime.GOARCH)]
-
-func SysSetns() uint32 {
- return uint32(sysSetns)
-}
-
-func Setns(fd uintptr, flags uintptr) error {
- ns, exists := setNsMap[fmt.Sprintf("%s/%s", runtime.GOOS, runtime.GOARCH)]
- if !exists {
- return fmt.Errorf("unsupported platform %s/%s", runtime.GOOS, runtime.GOARCH)
- }
- _, _, err := syscall.RawSyscall(ns, fd, flags, 0)
- if err != 0 {
- return err
- }
- return nil
-}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/system/syscall_linux_386.go b/vendor/github.com/opencontainers/runc/libcontainer/system/syscall_linux_32.go
similarity index 61%
rename from vendor/github.com/opencontainers/runc/libcontainer/system/syscall_linux_386.go
rename to vendor/github.com/opencontainers/runc/libcontainer/system/syscall_linux_32.go
index c99006518907cf732991111230ff54a12bec797a..c5ca5d86235b94180fb4f55dcbe8285e07505142 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/system/syscall_linux_386.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/system/syscall_linux_32.go
@@ -1,14 +1,15 @@
-// +build linux,386
+// +build linux
+// +build 386 arm
package system
import (
- "syscall"
+ "golang.org/x/sys/unix"
)
// Setuid sets the uid of the calling thread to the specified uid.
func Setuid(uid int) (err error) {
- _, _, e1 := syscall.RawSyscall(syscall.SYS_SETUID, uintptr(uid), 0, 0)
+ _, _, e1 := unix.RawSyscall(unix.SYS_SETUID32, uintptr(uid), 0, 0)
if e1 != 0 {
err = e1
}
@@ -17,7 +18,7 @@ func Setuid(uid int) (err error) {
// Setgid sets the gid of the calling thread to the specified gid.
func Setgid(gid int) (err error) {
- _, _, e1 := syscall.RawSyscall(syscall.SYS_SETGID32, uintptr(gid), 0, 0)
+ _, _, e1 := unix.RawSyscall(unix.SYS_SETGID32, uintptr(gid), 0, 0)
if e1 != 0 {
err = e1
}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/system/syscall_linux_64.go b/vendor/github.com/opencontainers/runc/libcontainer/system/syscall_linux_64.go
index 0816bf8281698f4202c28cfeea7293d3252569b0..11c3faafbf0bd29f65afa1cfe7b66e7558c9e7a2 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/system/syscall_linux_64.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/system/syscall_linux_64.go
@@ -1,14 +1,15 @@
-// +build linux,arm64 linux,amd64 linux,ppc linux,ppc64 linux,ppc64le linux,s390x
+// +build linux
+// +build arm64 amd64 mips mipsle mips64 mips64le ppc ppc64 ppc64le s390x
package system
import (
- "syscall"
+ "golang.org/x/sys/unix"
)
// Setuid sets the uid of the calling thread to the specified uid.
func Setuid(uid int) (err error) {
- _, _, e1 := syscall.RawSyscall(syscall.SYS_SETUID, uintptr(uid), 0, 0)
+ _, _, e1 := unix.RawSyscall(unix.SYS_SETUID, uintptr(uid), 0, 0)
if e1 != 0 {
err = e1
}
@@ -17,7 +18,7 @@ func Setuid(uid int) (err error) {
// Setgid sets the gid of the calling thread to the specified gid.
func Setgid(gid int) (err error) {
- _, _, e1 := syscall.RawSyscall(syscall.SYS_SETGID, uintptr(gid), 0, 0)
+ _, _, e1 := unix.RawSyscall(unix.SYS_SETGID, uintptr(gid), 0, 0)
if e1 != 0 {
err = e1
}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/system/syscall_linux_arm.go b/vendor/github.com/opencontainers/runc/libcontainer/system/syscall_linux_arm.go
deleted file mode 100644
index 3f780f312bd575f98329fd5447872c100bc55333..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/libcontainer/system/syscall_linux_arm.go
+++ /dev/null
@@ -1,25 +0,0 @@
-// +build linux,arm
-
-package system
-
-import (
- "syscall"
-)
-
-// Setuid sets the uid of the calling thread to the specified uid.
-func Setuid(uid int) (err error) {
- _, _, e1 := syscall.RawSyscall(syscall.SYS_SETUID32, uintptr(uid), 0, 0)
- if e1 != 0 {
- err = e1
- }
- return
-}
-
-// Setgid sets the gid of the calling thread to the specified gid.
-func Setgid(gid int) (err error) {
- _, _, e1 := syscall.RawSyscall(syscall.SYS_SETGID32, uintptr(gid), 0, 0)
- if e1 != 0 {
- err = e1
- }
- return
-}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/system/sysconfig.go b/vendor/github.com/opencontainers/runc/libcontainer/system/sysconfig.go
index b3a07cba3efa1dc0aa1f8ec95237874f2516a68f..b8434f10500b3c6301d6da9be0353d2ad8921dda 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/system/sysconfig.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/system/sysconfig.go
@@ -1,4 +1,4 @@
-// +build cgo,linux cgo,freebsd
+// +build cgo,linux
package system
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/system/unsupported.go b/vendor/github.com/opencontainers/runc/libcontainer/system/unsupported.go
index e7cfd62b293c4dff41f626e4a1cf82bcb4dc1a27..b94be74a6648bbec4819744a7fd3366b48acec87 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/system/unsupported.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/system/unsupported.go
@@ -2,8 +2,26 @@
package system
+import (
+ "os"
+
+ "github.com/opencontainers/runc/libcontainer/user"
+)
+
// RunningInUserNS is a stub for non-Linux systems
// Always returns false
func RunningInUserNS() bool {
return false
}
+
+// UIDMapInUserNS is a stub for non-Linux systems
+// Always returns false
+func UIDMapInUserNS(uidmap []user.IDMap) bool {
+ return false
+}
+
+// GetParentNSeuid returns the euid within the parent user namespace
+// Always returns os.Geteuid on non-linux
+func GetParentNSeuid() int {
+ return os.Geteuid()
+}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/system/xattrs_linux.go b/vendor/github.com/opencontainers/runc/libcontainer/system/xattrs_linux.go
index 30f74dfb1b4aebc396adc2c39eb7160ebd85e77f..a6823fc99b2c83d08d3b8ba51bab6c66f79c41f7 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/system/xattrs_linux.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/system/xattrs_linux.go
@@ -1,99 +1,35 @@
package system
-import (
- "syscall"
- "unsafe"
-)
-
-var _zero uintptr
-
-// Returns the size of xattrs and nil error
-// Requires path, takes allocated []byte or nil as last argument
-func Llistxattr(path string, dest []byte) (size int, err error) {
- pathBytes, err := syscall.BytePtrFromString(path)
- if err != nil {
- return -1, err
- }
- var newpathBytes unsafe.Pointer
- if len(dest) > 0 {
- newpathBytes = unsafe.Pointer(&dest[0])
- } else {
- newpathBytes = unsafe.Pointer(&_zero)
- }
-
- _size, _, errno := syscall.Syscall6(syscall.SYS_LLISTXATTR, uintptr(unsafe.Pointer(pathBytes)), uintptr(newpathBytes), uintptr(len(dest)), 0, 0, 0)
- size = int(_size)
- if errno != 0 {
- return -1, errno
- }
-
- return size, nil
-}
+import "golang.org/x/sys/unix"
// Returns a []byte slice if the xattr is set and nil otherwise
// Requires path and its attribute as arguments
func Lgetxattr(path string, attr string) ([]byte, error) {
var sz int
- pathBytes, err := syscall.BytePtrFromString(path)
- if err != nil {
- return nil, err
- }
- attrBytes, err := syscall.BytePtrFromString(attr)
- if err != nil {
- return nil, err
- }
-
// Start with a 128 length byte array
- sz = 128
- dest := make([]byte, sz)
- destBytes := unsafe.Pointer(&dest[0])
- _sz, _, errno := syscall.Syscall6(syscall.SYS_LGETXATTR, uintptr(unsafe.Pointer(pathBytes)), uintptr(unsafe.Pointer(attrBytes)), uintptr(destBytes), uintptr(len(dest)), 0, 0)
+ dest := make([]byte, 128)
+ sz, errno := unix.Lgetxattr(path, attr, dest)
switch {
- case errno == syscall.ENODATA:
+ case errno == unix.ENODATA:
return nil, errno
- case errno == syscall.ENOTSUP:
+ case errno == unix.ENOTSUP:
return nil, errno
- case errno == syscall.ERANGE:
+ case errno == unix.ERANGE:
// 128 byte array might just not be good enough,
- // A dummy buffer is used ``uintptr(0)`` to get real size
+ // A dummy buffer is used to get the real size
// of the xattrs on disk
- _sz, _, errno = syscall.Syscall6(syscall.SYS_LGETXATTR, uintptr(unsafe.Pointer(pathBytes)), uintptr(unsafe.Pointer(attrBytes)), uintptr(unsafe.Pointer(nil)), uintptr(0), 0, 0)
- sz = int(_sz)
- if sz < 0 {
+ sz, errno = unix.Lgetxattr(path, attr, []byte{})
+ if errno != nil {
return nil, errno
}
dest = make([]byte, sz)
- destBytes := unsafe.Pointer(&dest[0])
- _sz, _, errno = syscall.Syscall6(syscall.SYS_LGETXATTR, uintptr(unsafe.Pointer(pathBytes)), uintptr(unsafe.Pointer(attrBytes)), uintptr(destBytes), uintptr(len(dest)), 0, 0)
- if errno != 0 {
+ sz, errno = unix.Lgetxattr(path, attr, dest)
+ if errno != nil {
return nil, errno
}
- case errno != 0:
+ case errno != nil:
return nil, errno
}
- sz = int(_sz)
return dest[:sz], nil
}
-
-func Lsetxattr(path string, attr string, data []byte, flags int) error {
- pathBytes, err := syscall.BytePtrFromString(path)
- if err != nil {
- return err
- }
- attrBytes, err := syscall.BytePtrFromString(attr)
- if err != nil {
- return err
- }
- var dataBytes unsafe.Pointer
- if len(data) > 0 {
- dataBytes = unsafe.Pointer(&data[0])
- } else {
- dataBytes = unsafe.Pointer(&_zero)
- }
- _, _, errno := syscall.Syscall6(syscall.SYS_LSETXATTR, uintptr(unsafe.Pointer(pathBytes)), uintptr(unsafe.Pointer(attrBytes)), uintptr(dataBytes), uintptr(len(data)), uintptr(flags), 0)
- if errno != 0 {
- return errno
- }
- return nil
-}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/user/lookup.go b/vendor/github.com/opencontainers/runc/libcontainer/user/lookup.go
index 6f8a982ff72a697e61f800ce2e36f281e65ff8c4..6fd8dd0d44aa55aeeef76948d45b599e5aaa45ff 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/user/lookup.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/user/lookup.go
@@ -2,107 +2,40 @@ package user
import (
"errors"
- "fmt"
- "syscall"
)
var (
// The current operating system does not provide the required data for user lookups.
ErrUnsupported = errors.New("user lookup: operating system does not provide passwd-formatted data")
+ // No matching entries found in file.
+ ErrNoPasswdEntries = errors.New("no matching entries in passwd file")
+ ErrNoGroupEntries = errors.New("no matching entries in group file")
)
-func lookupUser(filter func(u User) bool) (User, error) {
- // Get operating system-specific passwd reader-closer.
- passwd, err := GetPasswd()
- if err != nil {
- return User{}, err
- }
- defer passwd.Close()
-
- // Get the users.
- users, err := ParsePasswdFilter(passwd, filter)
- if err != nil {
- return User{}, err
- }
-
- // No user entries found.
- if len(users) == 0 {
- return User{}, fmt.Errorf("no matching entries in passwd file")
- }
-
- // Assume the first entry is the "correct" one.
- return users[0], nil
-}
-
-// CurrentUser looks up the current user by their user id in /etc/passwd. If the
-// user cannot be found (or there is no /etc/passwd file on the filesystem),
-// then CurrentUser returns an error.
-func CurrentUser() (User, error) {
- return LookupUid(syscall.Getuid())
-}
-
// LookupUser looks up a user by their username in /etc/passwd. If the user
// cannot be found (or there is no /etc/passwd file on the filesystem), then
// LookupUser returns an error.
func LookupUser(username string) (User, error) {
- return lookupUser(func(u User) bool {
- return u.Name == username
- })
+ return lookupUser(username)
}
// LookupUid looks up a user by their user id in /etc/passwd. If the user cannot
// be found (or there is no /etc/passwd file on the filesystem), then LookupId
// returns an error.
func LookupUid(uid int) (User, error) {
- return lookupUser(func(u User) bool {
- return u.Uid == uid
- })
-}
-
-func lookupGroup(filter func(g Group) bool) (Group, error) {
- // Get operating system-specific group reader-closer.
- group, err := GetGroup()
- if err != nil {
- return Group{}, err
- }
- defer group.Close()
-
- // Get the users.
- groups, err := ParseGroupFilter(group, filter)
- if err != nil {
- return Group{}, err
- }
-
- // No user entries found.
- if len(groups) == 0 {
- return Group{}, fmt.Errorf("no matching entries in group file")
- }
-
- // Assume the first entry is the "correct" one.
- return groups[0], nil
-}
-
-// CurrentGroup looks up the current user's group by their primary group id's
-// entry in /etc/passwd. If the group cannot be found (or there is no
-// /etc/group file on the filesystem), then CurrentGroup returns an error.
-func CurrentGroup() (Group, error) {
- return LookupGid(syscall.Getgid())
+ return lookupUid(uid)
}
// LookupGroup looks up a group by its name in /etc/group. If the group cannot
// be found (or there is no /etc/group file on the filesystem), then LookupGroup
// returns an error.
func LookupGroup(groupname string) (Group, error) {
- return lookupGroup(func(g Group) bool {
- return g.Name == groupname
- })
+ return lookupGroup(groupname)
}
// LookupGid looks up a group by its group id in /etc/group. If the group cannot
// be found (or there is no /etc/group file on the filesystem), then LookupGid
// returns an error.
func LookupGid(gid int) (Group, error) {
- return lookupGroup(func(g Group) bool {
- return g.Gid == gid
- })
+ return lookupGid(gid)
}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/user/lookup_unix.go b/vendor/github.com/opencontainers/runc/libcontainer/user/lookup_unix.go
index 758b734c225abc5b068fe94356cc2129be88fe16..92b5ae8de0177f6001fff3a8e840be3837a3d6ef 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/user/lookup_unix.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/user/lookup_unix.go
@@ -5,6 +5,9 @@ package user
import (
"io"
"os"
+ "strconv"
+
+ "golang.org/x/sys/unix"
)
// Unix-specific path to the passwd and group formatted files.
@@ -13,6 +16,76 @@ const (
unixGroupPath = "/etc/group"
)
+func lookupUser(username string) (User, error) {
+ return lookupUserFunc(func(u User) bool {
+ return u.Name == username
+ })
+}
+
+func lookupUid(uid int) (User, error) {
+ return lookupUserFunc(func(u User) bool {
+ return u.Uid == uid
+ })
+}
+
+func lookupUserFunc(filter func(u User) bool) (User, error) {
+ // Get operating system-specific passwd reader-closer.
+ passwd, err := GetPasswd()
+ if err != nil {
+ return User{}, err
+ }
+ defer passwd.Close()
+
+ // Get the users.
+ users, err := ParsePasswdFilter(passwd, filter)
+ if err != nil {
+ return User{}, err
+ }
+
+ // No user entries found.
+ if len(users) == 0 {
+ return User{}, ErrNoPasswdEntries
+ }
+
+ // Assume the first entry is the "correct" one.
+ return users[0], nil
+}
+
+func lookupGroup(groupname string) (Group, error) {
+ return lookupGroupFunc(func(g Group) bool {
+ return g.Name == groupname
+ })
+}
+
+func lookupGid(gid int) (Group, error) {
+ return lookupGroupFunc(func(g Group) bool {
+ return g.Gid == gid
+ })
+}
+
+func lookupGroupFunc(filter func(g Group) bool) (Group, error) {
+ // Get operating system-specific group reader-closer.
+ group, err := GetGroup()
+ if err != nil {
+ return Group{}, err
+ }
+ defer group.Close()
+
+ // Get the users.
+ groups, err := ParseGroupFilter(group, filter)
+ if err != nil {
+ return Group{}, err
+ }
+
+ // No user entries found.
+ if len(groups) == 0 {
+ return Group{}, ErrNoGroupEntries
+ }
+
+ // Assume the first entry is the "correct" one.
+ return groups[0], nil
+}
+
func GetPasswdPath() (string, error) {
return unixPasswdPath, nil
}
@@ -28,3 +101,44 @@ func GetGroupPath() (string, error) {
func GetGroup() (io.ReadCloser, error) {
return os.Open(unixGroupPath)
}
+
+// CurrentUser looks up the current user by their user id in /etc/passwd. If the
+// user cannot be found (or there is no /etc/passwd file on the filesystem),
+// then CurrentUser returns an error.
+func CurrentUser() (User, error) {
+ return LookupUid(unix.Getuid())
+}
+
+// CurrentGroup looks up the current user's group by their primary group id's
+// entry in /etc/passwd. If the group cannot be found (or there is no
+// /etc/group file on the filesystem), then CurrentGroup returns an error.
+func CurrentGroup() (Group, error) {
+ return LookupGid(unix.Getgid())
+}
+
+func currentUserSubIDs(fileName string) ([]SubID, error) {
+ u, err := CurrentUser()
+ if err != nil {
+ return nil, err
+ }
+ filter := func(entry SubID) bool {
+ return entry.Name == u.Name || entry.Name == strconv.Itoa(u.Uid)
+ }
+ return ParseSubIDFileFilter(fileName, filter)
+}
+
+func CurrentUserSubUIDs() ([]SubID, error) {
+ return currentUserSubIDs("/etc/subuid")
+}
+
+func CurrentUserSubGIDs() ([]SubID, error) {
+ return currentUserSubIDs("/etc/subgid")
+}
+
+func CurrentProcessUIDMap() ([]IDMap, error) {
+ return ParseIDMapFile("/proc/self/uid_map")
+}
+
+func CurrentProcessGIDMap() ([]IDMap, error) {
+ return ParseIDMapFile("/proc/self/gid_map")
+}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/user/lookup_unsupported.go b/vendor/github.com/opencontainers/runc/libcontainer/user/lookup_unsupported.go
deleted file mode 100644
index 7217948870c51d215eb7f1bc0bf4c01eeba76993..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/libcontainer/user/lookup_unsupported.go
+++ /dev/null
@@ -1,21 +0,0 @@
-// +build !darwin,!dragonfly,!freebsd,!linux,!netbsd,!openbsd,!solaris
-
-package user
-
-import "io"
-
-func GetPasswdPath() (string, error) {
- return "", ErrUnsupported
-}
-
-func GetPasswd() (io.ReadCloser, error) {
- return nil, ErrUnsupported
-}
-
-func GetGroupPath() (string, error) {
- return "", ErrUnsupported
-}
-
-func GetGroup() (io.ReadCloser, error) {
- return nil, ErrUnsupported
-}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/user/lookup_windows.go b/vendor/github.com/opencontainers/runc/libcontainer/user/lookup_windows.go
new file mode 100644
index 0000000000000000000000000000000000000000..65cd40e9287b99d56df3a246128b72c1b8bc9e4c
--- /dev/null
+++ b/vendor/github.com/opencontainers/runc/libcontainer/user/lookup_windows.go
@@ -0,0 +1,40 @@
+// +build windows
+
+package user
+
+import (
+ "fmt"
+ "os/user"
+)
+
+func lookupUser(username string) (User, error) {
+ u, err := user.Lookup(username)
+ if err != nil {
+ return User{}, err
+ }
+ return userFromOS(u)
+}
+
+func lookupUid(uid int) (User, error) {
+ u, err := user.LookupId(fmt.Sprintf("%d", uid))
+ if err != nil {
+ return User{}, err
+ }
+ return userFromOS(u)
+}
+
+func lookupGroup(groupname string) (Group, error) {
+ g, err := user.LookupGroup(groupname)
+ if err != nil {
+ return Group{}, err
+ }
+ return groupFromOS(g)
+}
+
+func lookupGid(gid int) (Group, error) {
+ g, err := user.LookupGroupId(fmt.Sprintf("%d", gid))
+ if err != nil {
+ return Group{}, err
+ }
+ return groupFromOS(g)
+}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/user/user.go b/vendor/github.com/opencontainers/runc/libcontainer/user/user.go
index e6375ea4dd53ffd7423f8fa7693801024ae8b063..7b912bbf8b44fef879ac7b47c0d6a03e00ee1224 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/user/user.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/user/user.go
@@ -5,6 +5,7 @@ import (
"fmt"
"io"
"os"
+ "os/user"
"strconv"
"strings"
)
@@ -15,7 +16,7 @@ const (
)
var (
- ErrRange = fmt.Errorf("Uids and gids must be in range %d-%d", minId, maxId)
+ ErrRange = fmt.Errorf("uids and gids must be in range %d-%d", minId, maxId)
)
type User struct {
@@ -28,6 +29,28 @@ type User struct {
Shell string
}
+// userFromOS converts an os/user.(*User) to local User
+//
+// (This does not include Pass, Shell or Gecos)
+func userFromOS(u *user.User) (User, error) {
+ newUser := User{
+ Name: u.Username,
+ Home: u.HomeDir,
+ }
+ id, err := strconv.Atoi(u.Uid)
+ if err != nil {
+ return newUser, err
+ }
+ newUser.Uid = id
+
+ id, err = strconv.Atoi(u.Gid)
+ if err != nil {
+ return newUser, err
+ }
+ newUser.Gid = id
+ return newUser, nil
+}
+
type Group struct {
Name string
Pass string
@@ -35,36 +58,73 @@ type Group struct {
List []string
}
+// groupFromOS converts an os/user.(*Group) to local Group
+//
+// (This does not include Pass, Shell or Gecos)
+func groupFromOS(g *user.Group) (Group, error) {
+ newGroup := Group{
+ Name: g.Name,
+ }
+
+ id, err := strconv.Atoi(g.Gid)
+ if err != nil {
+ return newGroup, err
+ }
+ newGroup.Gid = id
+
+ return newGroup, nil
+}
+
+// SubID represents an entry in /etc/sub{u,g}id
+type SubID struct {
+ Name string
+ SubID int64
+ Count int64
+}
+
+// IDMap represents an entry in /proc/PID/{u,g}id_map
+type IDMap struct {
+ ID int64
+ ParentID int64
+ Count int64
+}
+
func parseLine(line string, v ...interface{}) {
- if line == "" {
+ parseParts(strings.Split(line, ":"), v...)
+}
+
+func parseParts(parts []string, v ...interface{}) {
+ if len(parts) == 0 {
return
}
- parts := strings.Split(line, ":")
for i, p := range parts {
+ // Ignore cases where we don't have enough fields to populate the arguments.
+ // Some configuration files like to misbehave.
if len(v) <= i {
- // if we have more "parts" than we have places to put them, bail for great "tolerance" of naughty configuration files
break
}
+ // Use the type of the argument to figure out how to parse it, scanf() style.
+ // This is legit.
switch e := v[i].(type) {
case *string:
- // "root", "adm", "/bin/bash"
*e = p
case *int:
- // "0", "4", "1000"
- // ignore string to int conversion errors, for great "tolerance" of naughty configuration files
+ // "numbers", with conversion errors ignored because of some misbehaving configuration files.
*e, _ = strconv.Atoi(p)
+ case *int64:
+ *e, _ = strconv.ParseInt(p, 10, 64)
case *[]string:
- // "", "root", "root,adm,daemon"
+ // Comma-separated lists.
if p != "" {
*e = strings.Split(p, ",")
} else {
*e = []string{}
}
default:
- // panic, because this is a programming/logic error, not a runtime one
- panic("parseLine expects only pointers! argument " + strconv.Itoa(i) + " is not a pointer!")
+ // Someone goof'd when writing code using this function. Scream so they can hear us.
+ panic(fmt.Sprintf("parseLine only accepts {*string, *int, *int64, *[]string} as arguments! %#v is not a pointer!", e))
}
}
}
@@ -106,8 +166,8 @@ func ParsePasswdFilter(r io.Reader, filter func(User) bool) ([]User, error) {
return nil, err
}
- text := strings.TrimSpace(s.Text())
- if text == "" {
+ line := strings.TrimSpace(s.Text())
+ if line == "" {
continue
}
@@ -117,10 +177,7 @@ func ParsePasswdFilter(r io.Reader, filter func(User) bool) ([]User, error) {
// root:x:0:0:root:/root:/bin/bash
// adm:x:3:4:adm:/var/adm:/bin/false
p := User{}
- parseLine(
- text,
- &p.Name, &p.Pass, &p.Uid, &p.Gid, &p.Gecos, &p.Home, &p.Shell,
- )
+ parseLine(line, &p.Name, &p.Pass, &p.Uid, &p.Gid, &p.Gecos, &p.Home, &p.Shell)
if filter == nil || filter(p) {
out = append(out, p)
@@ -135,6 +192,7 @@ func ParseGroupFile(path string) ([]Group, error) {
if err != nil {
return nil, err
}
+
defer group.Close()
return ParseGroup(group)
}
@@ -178,10 +236,7 @@ func ParseGroupFilter(r io.Reader, filter func(Group) bool) ([]Group, error) {
// root:x:0:root
// adm:x:4:root,adm,daemon
p := Group{}
- parseLine(
- text,
- &p.Name, &p.Pass, &p.Gid, &p.List,
- )
+ parseLine(text, &p.Name, &p.Pass, &p.Gid, &p.List)
if filter == nil || filter(p) {
out = append(out, p)
@@ -192,9 +247,10 @@ func ParseGroupFilter(r io.Reader, filter func(Group) bool) ([]Group, error) {
}
type ExecUser struct {
- Uid, Gid int
- Sgids []int
- Home string
+ Uid int
+ Gid int
+ Sgids []int
+ Home string
}
// GetExecUserPath is a wrapper for GetExecUser. It reads data from each of the
@@ -202,18 +258,16 @@ type ExecUser struct {
// files cannot be opened for any reason, the error is ignored and a nil
// io.Reader is passed instead.
func GetExecUserPath(userSpec string, defaults *ExecUser, passwdPath, groupPath string) (*ExecUser, error) {
- passwd, err := os.Open(passwdPath)
- if err != nil {
- passwd = nil
- } else {
- defer passwd.Close()
+ var passwd, group io.Reader
+
+ if passwdFile, err := os.Open(passwdPath); err == nil {
+ passwd = passwdFile
+ defer passwdFile.Close()
}
- group, err := os.Open(groupPath)
- if err != nil {
- group = nil
- } else {
- defer group.Close()
+ if groupFile, err := os.Open(groupPath); err == nil {
+ group = groupFile
+ defer groupFile.Close()
}
return GetExecUser(userSpec, defaults, passwd, group)
@@ -235,12 +289,12 @@ func GetExecUserPath(userSpec string, defaults *ExecUser, passwdPath, groupPath
// * "uid:gid
// * "user:gid"
// * "uid:group"
+//
+// It should be noted that if you specify a numeric user or group id, they will
+// not be evaluated as usernames (only the metadata will be filled). So attempting
+// to parse a user with user.Name = "1337" will produce the user with a UID of
+// 1337.
func GetExecUser(userSpec string, defaults *ExecUser, passwd, group io.Reader) (*ExecUser, error) {
- var (
- userArg, groupArg string
- name string
- )
-
if defaults == nil {
defaults = new(ExecUser)
}
@@ -258,87 +312,113 @@ func GetExecUser(userSpec string, defaults *ExecUser, passwd, group io.Reader) (
user.Sgids = []int{}
}
- // allow for userArg to have either "user" syntax, or optionally "user:group" syntax
+ // Allow for userArg to have either "user" syntax, or optionally "user:group" syntax
+ var userArg, groupArg string
parseLine(userSpec, &userArg, &groupArg)
+ // Convert userArg and groupArg to be numeric, so we don't have to execute
+ // Atoi *twice* for each iteration over lines.
+ uidArg, uidErr := strconv.Atoi(userArg)
+ gidArg, gidErr := strconv.Atoi(groupArg)
+
+ // Find the matching user.
users, err := ParsePasswdFilter(passwd, func(u User) bool {
if userArg == "" {
+ // Default to current state of the user.
return u.Uid == user.Uid
}
- return u.Name == userArg || strconv.Itoa(u.Uid) == userArg
+
+ if uidErr == nil {
+ // If the userArg is numeric, always treat it as a UID.
+ return uidArg == u.Uid
+ }
+
+ return u.Name == userArg
})
+
+ // If we can't find the user, we have to bail.
if err != nil && passwd != nil {
if userArg == "" {
userArg = strconv.Itoa(user.Uid)
}
- return nil, fmt.Errorf("Unable to find user %v: %v", userArg, err)
+ return nil, fmt.Errorf("unable to find user %s: %v", userArg, err)
}
- haveUser := users != nil && len(users) > 0
- if haveUser {
- // if we found any user entries that matched our filter, let's take the first one as "correct"
- name = users[0].Name
+ var matchedUserName string
+ if len(users) > 0 {
+ // First match wins, even if there's more than one matching entry.
+ matchedUserName = users[0].Name
user.Uid = users[0].Uid
user.Gid = users[0].Gid
user.Home = users[0].Home
} else if userArg != "" {
- // we asked for a user but didn't find them... let's check to see if we wanted a numeric user
- user.Uid, err = strconv.Atoi(userArg)
- if err != nil {
- // not numeric - we have to bail
- return nil, fmt.Errorf("Unable to find user %v", userArg)
+ // If we can't find a user with the given username, the only other valid
+ // option is if it's a numeric username with no associated entry in passwd.
+
+ if uidErr != nil {
+ // Not numeric.
+ return nil, fmt.Errorf("unable to find user %s: %v", userArg, ErrNoPasswdEntries)
}
+ user.Uid = uidArg
// Must be inside valid uid range.
if user.Uid < minId || user.Uid > maxId {
return nil, ErrRange
}
- // if userArg couldn't be found in /etc/passwd but is numeric, just roll with it - this is legit
+ // Okay, so it's numeric. We can just roll with this.
}
- if groupArg != "" || name != "" {
+ // On to the groups. If we matched a username, we need to do this because of
+ // the supplementary group IDs.
+ if groupArg != "" || matchedUserName != "" {
groups, err := ParseGroupFilter(group, func(g Group) bool {
- // Explicit group format takes precedence.
- if groupArg != "" {
- return g.Name == groupArg || strconv.Itoa(g.Gid) == groupArg
+ // If the group argument isn't explicit, we'll just search for it.
+ if groupArg == "" {
+ // Check if user is a member of this group.
+ for _, u := range g.List {
+ if u == matchedUserName {
+ return true
+ }
+ }
+ return false
}
- // Check if user is a member.
- for _, u := range g.List {
- if u == name {
- return true
- }
+ if gidErr == nil {
+ // If the groupArg is numeric, always treat it as a GID.
+ return gidArg == g.Gid
}
- return false
+ return g.Name == groupArg
})
if err != nil && group != nil {
- return nil, fmt.Errorf("Unable to find groups for user %v: %v", users[0].Name, err)
+ return nil, fmt.Errorf("unable to find groups for spec %v: %v", matchedUserName, err)
}
- haveGroup := groups != nil && len(groups) > 0
+ // Only start modifying user.Gid if it is in explicit form.
if groupArg != "" {
- if haveGroup {
- // if we found any group entries that matched our filter, let's take the first one as "correct"
+ if len(groups) > 0 {
+ // First match wins, even if there's more than one matching entry.
user.Gid = groups[0].Gid
} else {
- // we asked for a group but didn't find id... let's check to see if we wanted a numeric group
- user.Gid, err = strconv.Atoi(groupArg)
- if err != nil {
- // not numeric - we have to bail
- return nil, fmt.Errorf("Unable to find group %v", groupArg)
+ // If we can't find a group with the given name, the only other valid
+ // option is if it's a numeric group name with no associated entry in group.
+
+ if gidErr != nil {
+ // Not numeric.
+ return nil, fmt.Errorf("unable to find group %s: %v", groupArg, ErrNoGroupEntries)
}
+ user.Gid = gidArg
- // Ensure gid is inside gid range.
+ // Must be inside valid gid range.
if user.Gid < minId || user.Gid > maxId {
return nil, ErrRange
}
- // if groupArg couldn't be found in /etc/group but is numeric, just roll with it - this is legit
+ // Okay, so it's numeric. We can just roll with this.
}
- } else if haveGroup {
- // If implicit group format, fill supplementary gids.
+ } else if len(groups) > 0 {
+ // Supplementary group ids only make sense if in the implicit form.
user.Sgids = make([]int, len(groups))
for i, group := range groups {
user.Sgids[i] = group.Gid
@@ -410,9 +490,119 @@ func GetAdditionalGroups(additionalGroups []string, group io.Reader) ([]int, err
// that opens the groupPath given and gives it as an argument to
// GetAdditionalGroups.
func GetAdditionalGroupsPath(additionalGroups []string, groupPath string) ([]int, error) {
- group, err := os.Open(groupPath)
- if err == nil {
- defer group.Close()
+ var group io.Reader
+
+ if groupFile, err := os.Open(groupPath); err == nil {
+ group = groupFile
+ defer groupFile.Close()
}
return GetAdditionalGroups(additionalGroups, group)
}
+
+func ParseSubIDFile(path string) ([]SubID, error) {
+ subid, err := os.Open(path)
+ if err != nil {
+ return nil, err
+ }
+ defer subid.Close()
+ return ParseSubID(subid)
+}
+
+func ParseSubID(subid io.Reader) ([]SubID, error) {
+ return ParseSubIDFilter(subid, nil)
+}
+
+func ParseSubIDFileFilter(path string, filter func(SubID) bool) ([]SubID, error) {
+ subid, err := os.Open(path)
+ if err != nil {
+ return nil, err
+ }
+ defer subid.Close()
+ return ParseSubIDFilter(subid, filter)
+}
+
+func ParseSubIDFilter(r io.Reader, filter func(SubID) bool) ([]SubID, error) {
+ if r == nil {
+ return nil, fmt.Errorf("nil source for subid-formatted data")
+ }
+
+ var (
+ s = bufio.NewScanner(r)
+ out = []SubID{}
+ )
+
+ for s.Scan() {
+ if err := s.Err(); err != nil {
+ return nil, err
+ }
+
+ line := strings.TrimSpace(s.Text())
+ if line == "" {
+ continue
+ }
+
+ // see: man 5 subuid
+ p := SubID{}
+ parseLine(line, &p.Name, &p.SubID, &p.Count)
+
+ if filter == nil || filter(p) {
+ out = append(out, p)
+ }
+ }
+
+ return out, nil
+}
+
+func ParseIDMapFile(path string) ([]IDMap, error) {
+ r, err := os.Open(path)
+ if err != nil {
+ return nil, err
+ }
+ defer r.Close()
+ return ParseIDMap(r)
+}
+
+func ParseIDMap(r io.Reader) ([]IDMap, error) {
+ return ParseIDMapFilter(r, nil)
+}
+
+func ParseIDMapFileFilter(path string, filter func(IDMap) bool) ([]IDMap, error) {
+ r, err := os.Open(path)
+ if err != nil {
+ return nil, err
+ }
+ defer r.Close()
+ return ParseIDMapFilter(r, filter)
+}
+
+func ParseIDMapFilter(r io.Reader, filter func(IDMap) bool) ([]IDMap, error) {
+ if r == nil {
+ return nil, fmt.Errorf("nil source for idmap-formatted data")
+ }
+
+ var (
+ s = bufio.NewScanner(r)
+ out = []IDMap{}
+ )
+
+ for s.Scan() {
+ if err := s.Err(); err != nil {
+ return nil, err
+ }
+
+ line := strings.TrimSpace(s.Text())
+ if line == "" {
+ continue
+ }
+
+ // see: man 7 user_namespaces
+ p := IDMap{}
+ parseParts(strings.Fields(line), &p.ID, &p.ParentID, &p.Count)
+
+ if filter == nil || filter(p) {
+ out = append(out, p)
+ }
+ }
+
+ return out, nil
+}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/user/user_test.go b/vendor/github.com/opencontainers/runc/libcontainer/user/user_test.go
index 53b2289bf039c735a3d991806aebe97dd3435ff6..24ee559e13a48a5dc21490e308eab593d07593b0 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/user/user_test.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/user/user_test.go
@@ -7,6 +7,8 @@ import (
"strconv"
"strings"
"testing"
+
+ "github.com/opencontainers/runc/libcontainer/utils"
)
func TestUserParseLine(t *testing.T) {
@@ -101,12 +103,16 @@ func TestValidGetExecUser(t *testing.T) {
const passwdContent = `
root:x:0:0:root user:/root:/bin/bash
adm:x:42:43:adm:/var/adm:/bin/false
+111:x:222:333::/var/garbage
+odd:x:111:112::/home/odd:::::
this is just some garbage data
`
const groupContent = `
root:x:0:root
adm:x:43:
grp:x:1234:root,adm
+444:x:555:111
+odd:x:444:
this is just some garbage data
`
defaultExecUser := ExecUser{
@@ -192,6 +198,26 @@ this is just some garbage data
Home: defaultExecUser.Home,
},
},
+
+ // Regression tests for #695.
+ {
+ ref: "111",
+ expected: ExecUser{
+ Uid: 111,
+ Gid: 112,
+ Sgids: defaultExecUser.Sgids,
+ Home: "/home/odd",
+ },
+ },
+ {
+ ref: "111:444",
+ expected: ExecUser{
+ Uid: 111,
+ Gid: 444,
+ Sgids: defaultExecUser.Sgids,
+ Home: "/home/odd",
+ },
+ },
}
for _, test := range tests {
@@ -206,6 +232,7 @@ this is just some garbage data
}
if !reflect.DeepEqual(test.expected, *execUser) {
+ t.Logf("ref: %v", test.ref)
t.Logf("got: %#v", execUser)
t.Logf("expected: %#v", test.expected)
t.Fail()
@@ -218,6 +245,7 @@ func TestInvalidGetExecUser(t *testing.T) {
const passwdContent = `
root:x:0:0:root user:/root:/bin/bash
adm:x:42:43:adm:/var/adm:/bin/false
+-42:x:12:13:broken:/very/broken
this is just some garbage data
`
const groupContent = `
@@ -240,6 +268,8 @@ this is just some garbage data
"-1:0",
"0:-3",
"-5:-2",
+ "-42",
+ "-43",
}
for _, test := range tests {
@@ -354,6 +384,12 @@ this is just some garbage data
}
func TestGetAdditionalGroups(t *testing.T) {
+ type foo struct {
+ groups []string
+ expected []int
+ hasError bool
+ }
+
const groupContent = `
root:x:0:root
adm:x:43:
@@ -361,11 +397,7 @@ grp:x:1234:root,adm
adm:x:4343:root,adm-duplicate
this is just some garbage data
`
- tests := []struct {
- groups []string
- expected []int
- hasError bool
- }{
+ tests := []foo{
{
// empty group
groups: []string{},
@@ -408,12 +440,15 @@ this is just some garbage data
expected: nil,
hasError: true,
},
- {
+ }
+
+ if utils.GetIntSize() > 4 {
+ tests = append(tests, foo{
// groups with too large id
groups: []string{strconv.Itoa(1 << 31)},
expected: nil,
hasError: true,
- },
+ })
}
for _, test := range tests {
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/utils/cmsg.go b/vendor/github.com/opencontainers/runc/libcontainer/utils/cmsg.go
new file mode 100644
index 0000000000000000000000000000000000000000..c8a9364d54d776c37e226c17bb111a04aa85c048
--- /dev/null
+++ b/vendor/github.com/opencontainers/runc/libcontainer/utils/cmsg.go
@@ -0,0 +1,93 @@
+// +build linux
+
+package utils
+
+/*
+ * Copyright 2016, 2017 SUSE LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import (
+ "fmt"
+ "os"
+
+ "golang.org/x/sys/unix"
+)
+
+// MaxSendfdLen is the maximum length of the name of a file descriptor being
+// sent using SendFd. The name of the file handle returned by RecvFd will never
+// be larger than this value.
+const MaxNameLen = 4096
+
+// oobSpace is the size of the oob slice required to store a single FD. Note
+// that unix.UnixRights appears to make the assumption that fd is always int32,
+// so sizeof(fd) = 4.
+var oobSpace = unix.CmsgSpace(4)
+
+// RecvFd waits for a file descriptor to be sent over the given AF_UNIX
+// socket. The file name of the remote file descriptor will be recreated
+// locally (it is sent as non-auxiliary data in the same payload).
+func RecvFd(socket *os.File) (*os.File, error) {
+ // For some reason, unix.Recvmsg uses the length rather than the capacity
+ // when passing the msg_controllen and other attributes to recvmsg. So we
+ // have to actually set the length.
+ name := make([]byte, MaxNameLen)
+ oob := make([]byte, oobSpace)
+
+ sockfd := socket.Fd()
+ n, oobn, _, _, err := unix.Recvmsg(int(sockfd), name, oob, 0)
+ if err != nil {
+ return nil, err
+ }
+
+ if n >= MaxNameLen || oobn != oobSpace {
+ return nil, fmt.Errorf("recvfd: incorrect number of bytes read (n=%d oobn=%d)", n, oobn)
+ }
+
+ // Truncate.
+ name = name[:n]
+ oob = oob[:oobn]
+
+ scms, err := unix.ParseSocketControlMessage(oob)
+ if err != nil {
+ return nil, err
+ }
+ if len(scms) != 1 {
+ return nil, fmt.Errorf("recvfd: number of SCMs is not 1: %d", len(scms))
+ }
+ scm := scms[0]
+
+ fds, err := unix.ParseUnixRights(&scm)
+ if err != nil {
+ return nil, err
+ }
+ if len(fds) != 1 {
+ return nil, fmt.Errorf("recvfd: number of fds is not 1: %d", len(fds))
+ }
+ fd := uintptr(fds[0])
+
+ return os.NewFile(fd, string(name)), nil
+}
+
+// SendFd sends a file descriptor over the given AF_UNIX socket. In
+// addition, the file.Name() of the given file will also be sent as
+// non-auxiliary data in the same payload (allowing to send contextual
+// information for a file descriptor).
+func SendFd(socket *os.File, name string, fd uintptr) error {
+ if len(name) >= MaxNameLen {
+ return fmt.Errorf("sendfd: filename too long: %s", name)
+ }
+ oob := unix.UnixRights(int(fd))
+ return unix.Sendmsg(int(socket.Fd()), []byte(name), oob, nil, 0)
+}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/utils/utils.go b/vendor/github.com/opencontainers/runc/libcontainer/utils/utils.go
index 68ae3c477b4e7ecb5c025a85cd935be3c1d5f5a3..40ccfaa1a01aa660893382fe5474dec2275fabcc 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/utils/utils.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/utils/utils.go
@@ -1,32 +1,20 @@
package utils
import (
- "crypto/rand"
- "encoding/hex"
"encoding/json"
"io"
"os"
"path/filepath"
- "syscall"
+ "strings"
+ "unsafe"
+
+ "golang.org/x/sys/unix"
)
const (
exitSignalOffset = 128
)
-// GenerateRandomName returns a new name joined with a prefix. This size
-// specified is used to truncate the randomly generated value
-func GenerateRandomName(prefix string, size int) (string, error) {
- id := make([]byte, 32)
- if _, err := io.ReadFull(rand.Reader, id); err != nil {
- return "", err
- }
- if size > 64 {
- size = 64
- }
- return prefix + hex.EncodeToString(id)[:size], nil
-}
-
// ResolveRootfs ensures that the current working directory is
// not a symlink and returns the absolute path to the rootfs
func ResolveRootfs(uncleanRootfs string) (string, error) {
@@ -39,7 +27,7 @@ func ResolveRootfs(uncleanRootfs string) (string, error) {
// ExitStatus returns the correct exit status for a process based on if it
// was signaled or exited cleanly
-func ExitStatus(status syscall.WaitStatus) int {
+func ExitStatus(status unix.WaitStatus) int {
if status.Signaled() {
return exitSignalOffset + int(status.Signal())
}
@@ -84,3 +72,41 @@ func CleanPath(path string) string {
// Clean the path again for good measure.
return filepath.Clean(path)
}
+
+// SearchLabels searches a list of key-value pairs for the provided key and
+// returns the corresponding value. The pairs must be separated with '='.
+func SearchLabels(labels []string, query string) string {
+ for _, l := range labels {
+ parts := strings.SplitN(l, "=", 2)
+ if len(parts) < 2 {
+ continue
+ }
+ if parts[0] == query {
+ return parts[1]
+ }
+ }
+ return ""
+}
+
+// Annotations returns the bundle path and user defined annotations from the
+// libcontainer state. We need to remove the bundle because that is a label
+// added by libcontainer.
+func Annotations(labels []string) (bundle string, userAnnotations map[string]string) {
+ userAnnotations = make(map[string]string)
+ for _, l := range labels {
+ parts := strings.SplitN(l, "=", 2)
+ if len(parts) < 2 {
+ continue
+ }
+ if parts[0] == "bundle" {
+ bundle = parts[1]
+ } else {
+ userAnnotations[parts[0]] = parts[1]
+ }
+ }
+ return
+}
+
+func GetIntSize() int {
+ return int(unsafe.Sizeof(1))
+}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/utils/utils_test.go b/vendor/github.com/opencontainers/runc/libcontainer/utils/utils_test.go
index 813180a8a44bd5884bdbbd8860b6d1539ba47e8a..395eedcf66a322e0e23c9367e4fce055fe340f39 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/utils/utils_test.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/utils/utils_test.go
@@ -1,25 +1,142 @@
package utils
-import "testing"
+import (
+ "bytes"
+ "fmt"
+ "os"
+ "path/filepath"
+ "testing"
-func TestGenerateName(t *testing.T) {
- name, err := GenerateRandomName("veth", 5)
+ "golang.org/x/sys/unix"
+)
+
+var labelTest = []struct {
+ labels []string
+ query string
+ expectedValue string
+}{
+ {[]string{"bundle=/path/to/bundle"}, "bundle", "/path/to/bundle"},
+ {[]string{"test=a", "test=b"}, "bundle", ""},
+ {[]string{"bundle=a", "test=b", "bundle=c"}, "bundle", "a"},
+ {[]string{"", "test=a", "bundle=b"}, "bundle", "b"},
+ {[]string{"test", "bundle=a"}, "bundle", "a"},
+ {[]string{"test=a", "bundle="}, "bundle", ""},
+}
+
+func TestSearchLabels(t *testing.T) {
+ for _, tt := range labelTest {
+ if v := SearchLabels(tt.labels, tt.query); v != tt.expectedValue {
+ t.Errorf("expected value '%s' for query '%s'; got '%s'", tt.expectedValue, tt.query, v)
+ }
+ }
+}
+
+func TestResolveRootfs(t *testing.T) {
+ dir := "rootfs"
+ os.Mkdir(dir, 0600)
+ defer os.Remove(dir)
+
+ path, err := ResolveRootfs(dir)
if err != nil {
t.Fatal(err)
}
+ pwd, err := os.Getwd()
+ if err != nil {
+ t.Fatal(err)
+ }
+ if path != fmt.Sprintf("%s/%s", pwd, "rootfs") {
+ t.Errorf("expected rootfs to be abs and was %s", path)
+ }
+}
+
+func TestResolveRootfsWithSymlink(t *testing.T) {
+ dir := "rootfs"
+ tmpDir, _ := filepath.EvalSymlinks(os.TempDir())
+ os.Symlink(tmpDir, dir)
+ defer os.Remove(dir)
+
+ path, err := ResolveRootfs(dir)
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ if path != tmpDir {
+ t.Errorf("expected rootfs to be the real path %s and was %s", path, os.TempDir())
+ }
+}
+
+func TestResolveRootfsWithNonExistingDir(t *testing.T) {
+ _, err := ResolveRootfs("foo")
+ if err == nil {
+ t.Error("expected error to happen but received nil")
+ }
+}
+
+func TestExitStatus(t *testing.T) {
+ status := unix.WaitStatus(0)
+ ex := ExitStatus(status)
+ if ex != 0 {
+ t.Errorf("expected exit status to equal 0 and received %d", ex)
+ }
+}
- expected := 5 + len("veth")
- if len(name) != expected {
- t.Fatalf("expected name to be %d chars but received %d", expected, len(name))
+func TestExitStatusSignaled(t *testing.T) {
+ status := unix.WaitStatus(2)
+ ex := ExitStatus(status)
+ if ex != 130 {
+ t.Errorf("expected exit status to equal 130 and received %d", ex)
}
+}
- name, err = GenerateRandomName("veth", 65)
+func TestWriteJSON(t *testing.T) {
+ person := struct {
+ Name string
+ Age int
+ }{
+ Name: "Alice",
+ Age: 30,
+ }
+
+ var b bytes.Buffer
+ err := WriteJSON(&b, person)
if err != nil {
t.Fatal(err)
}
- expected = 64 + len("veth")
- if len(name) != expected {
- t.Fatalf("expected name to be %d chars but received %d", expected, len(name))
+ expected := `{"Name":"Alice","Age":30}`
+ if b.String() != expected {
+ t.Errorf("expected to write %s but was %s", expected, b.String())
+ }
+}
+
+func TestCleanPath(t *testing.T) {
+ path := CleanPath("")
+ if path != "" {
+ t.Errorf("expected to receive empty string and received %s", path)
+ }
+
+ path = CleanPath("rootfs")
+ if path != "rootfs" {
+ t.Errorf("expected to receive 'rootfs' and received %s", path)
+ }
+
+ path = CleanPath("../../../var")
+ if path != "var" {
+ t.Errorf("expected to receive 'var' and received %s", path)
+ }
+
+ path = CleanPath("/../../../var")
+ if path != "/var" {
+ t.Errorf("expected to receive '/var' and received %s", path)
+ }
+
+ path = CleanPath("/foo/bar/")
+ if path != "/foo/bar" {
+ t.Errorf("expected to receive '/foo/bar' and received %s", path)
+ }
+
+ path = CleanPath("/foo/bar/../")
+ if path != "/foo" {
+ t.Errorf("expected to receive '/foo' and received %s", path)
}
}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/utils/utils_unix.go b/vendor/github.com/opencontainers/runc/libcontainer/utils/utils_unix.go
index 408918f27dadd4cdee6738a190d43003fe9d34f5..c96088988a6de8323b7516a6d84423e6dabf6772 100644
--- a/vendor/github.com/opencontainers/runc/libcontainer/utils/utils_unix.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/utils/utils_unix.go
@@ -4,8 +4,10 @@ package utils
import (
"io/ioutil"
+ "os"
"strconv"
- "syscall"
+
+ "golang.org/x/sys/unix"
)
func CloseExecFrom(minFd int) error {
@@ -25,9 +27,18 @@ func CloseExecFrom(minFd int) error {
continue
}
- // intentionally ignore errors from syscall.CloseOnExec
- syscall.CloseOnExec(fd)
+ // intentionally ignore errors from unix.CloseOnExec
+ unix.CloseOnExec(fd)
// the cases where this might fail are basically file descriptors that have already been closed (including and especially the one that was created when ioutil.ReadDir did the "opendir" syscall)
}
return nil
}
+
+// NewSockPair returns a new unix socket pair
+func NewSockPair(name string) (parent *os.File, child *os.File, err error) {
+ fds, err := unix.Socketpair(unix.AF_LOCAL, unix.SOCK_STREAM|unix.SOCK_CLOEXEC, 0)
+ if err != nil {
+ return nil, nil, err
+ }
+ return os.NewFile(uintptr(fds[1]), name+"-p"), os.NewFile(uintptr(fds[0]), name+"-c"), nil
+}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/xattr/errors.go b/vendor/github.com/opencontainers/runc/libcontainer/xattr/errors.go
deleted file mode 100644
index 8cd77418ccfbaf7898ad09f83720cde9db7601b7..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/libcontainer/xattr/errors.go
+++ /dev/null
@@ -1,8 +0,0 @@
-package xattr
-
-import (
- "fmt"
- "runtime"
-)
-
-var ErrNotSupportedPlatform = fmt.Errorf("platform and architecture is not supported %s %s", runtime.GOOS, runtime.GOARCH)
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/xattr/xattr_linux.go b/vendor/github.com/opencontainers/runc/libcontainer/xattr/xattr_linux.go
deleted file mode 100644
index 933a75272e28752b9cf249979ac5d6fdc6f7b63b..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/libcontainer/xattr/xattr_linux.go
+++ /dev/null
@@ -1,53 +0,0 @@
-// +build linux
-
-package xattr
-
-import (
- "syscall"
-
- "github.com/opencontainers/runc/libcontainer/system"
-)
-
-func XattrEnabled(path string) bool {
- if Setxattr(path, "user.test", "") == syscall.ENOTSUP {
- return false
- }
- return true
-}
-
-func stringsfromByte(buf []byte) (result []string) {
- offset := 0
- for index, b := range buf {
- if b == 0 {
- result = append(result, string(buf[offset:index]))
- offset = index + 1
- }
- }
- return
-}
-
-func Listxattr(path string) ([]string, error) {
- size, err := system.Llistxattr(path, nil)
- if err != nil {
- return nil, err
- }
- buf := make([]byte, size)
- read, err := system.Llistxattr(path, buf)
- if err != nil {
- return nil, err
- }
- names := stringsfromByte(buf[:read])
- return names, nil
-}
-
-func Getxattr(path, attr string) (string, error) {
- value, err := system.Lgetxattr(path, attr)
- if err != nil {
- return "", err
- }
- return string(value), nil
-}
-
-func Setxattr(path, xattr, value string) error {
- return system.Lsetxattr(path, xattr, []byte(value), 0)
-}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/xattr/xattr_test.go b/vendor/github.com/opencontainers/runc/libcontainer/xattr/xattr_test.go
deleted file mode 100644
index 1805568a34ba08b18be8f9ebb5900ea5129aa43e..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/libcontainer/xattr/xattr_test.go
+++ /dev/null
@@ -1,78 +0,0 @@
-// +build linux
-
-package xattr_test
-
-import (
- "os"
- "testing"
-
- "github.com/opencontainers/runc/libcontainer/xattr"
-)
-
-func TestXattr(t *testing.T) {
- tmp := "xattr_test"
- out, err := os.OpenFile(tmp, os.O_WRONLY|os.O_CREATE, 0)
- if err != nil {
- t.Fatal("failed")
- }
- defer os.Remove(tmp)
- attr := "user.test"
- out.Close()
-
- if !xattr.XattrEnabled(tmp) {
- t.Log("Disabled")
- t.Fatal("failed")
- }
- t.Log("Success")
-
- err = xattr.Setxattr(tmp, attr, "test")
- if err != nil {
- t.Fatal("failed")
- }
-
- var value string
- value, err = xattr.Getxattr(tmp, attr)
- if err != nil {
- t.Fatal("failed")
- }
- if value != "test" {
- t.Fatal("failed")
- }
- t.Log("Success")
-
- var names []string
- names, err = xattr.Listxattr(tmp)
- if err != nil {
- t.Fatal("failed")
- }
-
- var found int
- for _, name := range names {
- if name == attr {
- found = 1
- }
- }
- // Listxattr doesn't return trusted.* and system.* namespace
- // attrs when run in unprevileged mode.
- if found != 1 {
- t.Fatal("failed")
- }
- t.Log("Success")
-
- big := "0000000000000000000000000000000000000000000000000000000000000000000008c6419ad822dfe29283fb3ac98dcc5908810cb31f4cfe690040c42c144b7492eicompslf20dxmlpgz"
- // Test for long xattrs larger than 128 bytes
- err = xattr.Setxattr(tmp, attr, big)
- if err != nil {
- t.Fatal("failed to add long value")
- }
- value, err = xattr.Getxattr(tmp, attr)
- if err != nil {
- t.Fatal("failed to get long value")
- }
- t.Log("Success")
-
- if value != big {
- t.Fatal("failed, value doesn't match")
- }
- t.Log("Success")
-}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/xattr/xattr_unsupported.go b/vendor/github.com/opencontainers/runc/libcontainer/xattr/xattr_unsupported.go
deleted file mode 100644
index 821dea3be1156e5994c3e13ef15465d0fa98a073..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/libcontainer/xattr/xattr_unsupported.go
+++ /dev/null
@@ -1,15 +0,0 @@
-// +build !linux
-
-package xattr
-
-func Listxattr(path string) ([]string, error) {
- return nil, ErrNotSupportedPlatform
-}
-
-func Getxattr(path, attr string) (string, error) {
- return "", ErrNotSupportedPlatform
-}
-
-func Setxattr(path, xattr, value string) error {
- return ErrNotSupportedPlatform
-}
diff --git a/vendor/github.com/opencontainers/runc/list.go b/vendor/github.com/opencontainers/runc/list.go
index 894717a9bc754d44705557cbde4c2c99e66c049f..0313d8cc25028381293587a9565c76f222df2e5a 100644
--- a/vendor/github.com/opencontainers/runc/list.go
+++ b/vendor/github.com/opencontainers/runc/list.go
@@ -7,14 +7,16 @@ import (
"io/ioutil"
"os"
"path/filepath"
- "strings"
+ "syscall"
"text/tabwriter"
"time"
"encoding/json"
- "github.com/sirupsen/logrus"
- "github.com/codegangsta/cli"
+ "github.com/opencontainers/runc/libcontainer"
+ "github.com/opencontainers/runc/libcontainer/user"
+ "github.com/opencontainers/runc/libcontainer/utils"
+ "github.com/urfave/cli"
)
const formatOptions = `table or json`
@@ -22,6 +24,8 @@ const formatOptions = `table or json`
// containerState represents the platform agnostic pieces relating to a
// running container's status and state
type containerState struct {
+ // Version is the OCI version for the container
+ Version string `json:"ociVersion"`
// ID is the container ID
ID string `json:"id"`
// InitProcessPid is the init process id in the parent namespace
@@ -30,56 +34,82 @@ type containerState struct {
Status string `json:"status"`
// Bundle is the path on the filesystem to the bundle
Bundle string `json:"bundle"`
+ // Rootfs is a path to a directory containing the container's root filesystem.
+ Rootfs string `json:"rootfs"`
// Created is the unix timestamp for the creation time of the container in UTC
Created time.Time `json:"created"`
+ // Annotations is the user defined annotations added to the config.
+ Annotations map[string]string `json:"annotations,omitempty"`
+ // The owner of the state directory (the owner of the container).
+ Owner string `json:"owner"`
}
var listCommand = cli.Command{
Name: "list",
Usage: "lists containers started by runc with the given root",
+ ArgsUsage: `
+
+Where the given root is specified via the global option "--root"
+(default: "/run/runc").
+
+EXAMPLE 1:
+To list containers created via the default "--root":
+ # runc list
+
+EXAMPLE 2:
+To list containers created using a non-default value for "--root":
+ # runc --root value list`,
Flags: []cli.Flag{
cli.StringFlag{
Name: "format, f",
- Value: "",
- Usage: `select one of: ` + formatOptions + `.
-
-The default format is table. The following will output the list of containers
-in json format:
-
- # runc list -f json`,
+ Value: "table",
+ Usage: `select one of: ` + formatOptions,
+ },
+ cli.BoolFlag{
+ Name: "quiet, q",
+ Usage: "display only container IDs",
},
},
- Action: func(context *cli.Context) {
+ Action: func(context *cli.Context) error {
+ if err := checkArgs(context, 0, exactArgs); err != nil {
+ return err
+ }
s, err := getContainers(context)
if err != nil {
- logrus.Fatal(err)
+ return err
+ }
+
+ if context.Bool("quiet") {
+ for _, item := range s {
+ fmt.Println(item.ID)
+ }
+ return nil
}
switch context.String("format") {
- case "", "table":
+ case "table":
w := tabwriter.NewWriter(os.Stdout, 12, 1, 3, ' ', 0)
- fmt.Fprint(w, "ID\tPID\tSTATUS\tBUNDLE\tCREATED\n")
+ fmt.Fprint(w, "ID\tPID\tSTATUS\tBUNDLE\tCREATED\tOWNER\n")
for _, item := range s {
- fmt.Fprintf(w, "%s\t%d\t%s\t%s\t%s\n",
+ fmt.Fprintf(w, "%s\t%d\t%s\t%s\t%s\t%s\n",
item.ID,
item.InitProcessPid,
item.Status,
item.Bundle,
- item.Created.Format(time.RFC3339Nano))
+ item.Created.Format(time.RFC3339Nano),
+ item.Owner)
}
if err := w.Flush(); err != nil {
- logrus.Fatal(err)
+ return err
}
case "json":
- data, err := json.Marshal(s)
- if err != nil {
- logrus.Fatal(err)
+ if err := json.NewEncoder(os.Stdout).Encode(s); err != nil {
+ return err
}
- os.Stdout.Write(data)
-
default:
- logrus.Fatal("invalid format option")
+ return fmt.Errorf("invalid format option")
}
+ return nil
},
}
@@ -95,44 +125,51 @@ func getContainers(context *cli.Context) ([]containerState, error) {
}
list, err := ioutil.ReadDir(absRoot)
if err != nil {
- logrus.Fatal(err)
+ fatal(err)
}
var s []containerState
for _, item := range list {
if item.IsDir() {
+ // This cast is safe on Linux.
+ stat := item.Sys().(*syscall.Stat_t)
+ owner, err := user.LookupUid(int(stat.Uid))
+ if err != nil {
+ owner.Name = fmt.Sprintf("#%d", stat.Uid)
+ }
+
container, err := factory.Load(item.Name())
if err != nil {
- return nil, err
+ fmt.Fprintf(os.Stderr, "load container %s: %v\n", item.Name(), err)
+ continue
}
containerStatus, err := container.Status()
if err != nil {
- return nil, err
+ fmt.Fprintf(os.Stderr, "status for %s: %v\n", item.Name(), err)
+ continue
}
state, err := container.State()
if err != nil {
- return nil, err
+ fmt.Fprintf(os.Stderr, "state for %s: %v\n", item.Name(), err)
+ continue
+ }
+ pid := state.BaseState.InitProcessPid
+ if containerStatus == libcontainer.Stopped {
+ pid = 0
}
+ bundle, annotations := utils.Annotations(state.Config.Labels)
s = append(s, containerState{
+ Version: state.BaseState.Config.Version,
ID: state.BaseState.ID,
- InitProcessPid: state.BaseState.InitProcessPid,
+ InitProcessPid: pid,
Status: containerStatus.String(),
- Bundle: searchLabels(state.Config.Labels, "bundle"),
- Created: state.BaseState.Created})
+ Bundle: bundle,
+ Rootfs: state.BaseState.Config.Rootfs,
+ Created: state.BaseState.Created,
+ Annotations: annotations,
+ Owner: owner.Name,
+ })
}
}
return s, nil
}
-
-func searchLabels(labels []string, query string) string {
- for _, l := range labels {
- parts := strings.SplitN(l, "=", 2)
- if len(parts) < 2 {
- continue
- }
- if parts[0] == query {
- return parts[1]
- }
- }
- return ""
-}
diff --git a/vendor/github.com/opencontainers/runc/main.go b/vendor/github.com/opencontainers/runc/main.go
index 259b9d6ef0603a4e2898a9db215434d6175dc56b..072447d17da14be72376343d7d1fc1c8731f3b26 100644
--- a/vendor/github.com/opencontainers/runc/main.go
+++ b/vendor/github.com/opencontainers/runc/main.go
@@ -2,20 +2,30 @@ package main
import (
"fmt"
+ "io"
"os"
+ "strings"
+
+ "github.com/opencontainers/runtime-spec/specs-go"
"github.com/sirupsen/logrus"
- "github.com/codegangsta/cli"
- "github.com/opencontainers/specs/specs-go"
+ "github.com/urfave/cli"
)
+// version will be populated by the Makefile, read from
+// VERSION file of the source code.
+var version = ""
+
+// gitCommit will be the hash that the binary was built from
+// and will be populated by the Makefile
+var gitCommit = ""
+
const (
- version = "0.0.9"
specConfig = "config.json"
usage = `Open Container Initiative runtime
-
+
runc is a command line client for running applications packaged according to
-the Open Container Format (OCF) and is a compliant implementation of the
+the Open Container Initiative (OCI) format and is a compliant implementation of the
Open Container Initiative specification.
runc integrates well with existing process supervisors to provide a production
@@ -25,11 +35,11 @@ direct child of the process supervisor.
Containers are configured using bundles. A bundle for a container is a directory
that includes a specification file named "` + specConfig + `" and a root filesystem.
-The root filesystem contains the contents of the container.
+The root filesystem contains the contents of the container.
To start a new instance of a container:
- # runc start [ -b bundle ] <container-id>
+ # runc run [ -b bundle ] <container-id>
Where "<container-id>" is your name for the instance of the container that you
are starting. The name you provide for the container instance must be unique on
@@ -41,7 +51,33 @@ func main() {
app := cli.NewApp()
app.Name = "runc"
app.Usage = usage
- app.Version = fmt.Sprintf("%s\nspec version %s", version, specs.Version)
+
+ var v []string
+ if version != "" {
+ v = append(v, version)
+ }
+ if gitCommit != "" {
+ v = append(v, fmt.Sprintf("commit: %s", gitCommit))
+ }
+ v = append(v, fmt.Sprintf("spec: %s", specs.Version))
+ app.Version = strings.Join(v, "\n")
+
+ root := "/run/runc"
+ if shouldHonorXDGRuntimeDir() {
+ if runtimeDir := os.Getenv("XDG_RUNTIME_DIR"); runtimeDir != "" {
+ root = runtimeDir + "/runc"
+ // According to the XDG specification, we need to set anything in
+ // XDG_RUNTIME_DIR to have a sticky bit if we don't want it to get
+ // auto-pruned.
+ if err := os.MkdirAll(root, 0700); err != nil {
+ fatal(err)
+ }
+ if err := os.Chmod(root, 0700|os.ModeSticky); err != nil {
+ fatal(err)
+ }
+ }
+ }
+
app.Flags = []cli.Flag{
cli.BoolFlag{
Name: "debug",
@@ -59,7 +95,7 @@ func main() {
},
cli.StringFlag{
Name: "root",
- Value: "/run/runc",
+ Value: root,
Usage: "root directory for storage of container state (this should be located in tmpfs)",
},
cli.StringFlag{
@@ -67,9 +103,19 @@ func main() {
Value: "criu",
Usage: "path to the criu binary used for checkpoint and restore",
},
+ cli.BoolFlag{
+ Name: "systemd-cgroup",
+ Usage: "enable systemd cgroup support, expects cgroupsPath to be of form \"slice:prefix:name\" for e.g. \"system.slice:runc:434234\"",
+ },
+ cli.StringFlag{
+ Name: "rootless",
+ Value: "auto",
+ Usage: "ignore cgroup permission errors ('true', 'false', or 'auto')",
+ },
}
app.Commands = []cli.Command{
checkpointCommand,
+ createCommand,
deleteCommand,
eventsCommand,
execCommand,
@@ -77,18 +123,21 @@ func main() {
killCommand,
listCommand,
pauseCommand,
+ psCommand,
restoreCommand,
resumeCommand,
+ runCommand,
specCommand,
startCommand,
stateCommand,
+ updateCommand,
}
app.Before = func(context *cli.Context) error {
if context.GlobalBool("debug") {
logrus.SetLevel(logrus.DebugLevel)
}
if path := context.GlobalString("log"); path != "" {
- f, err := os.OpenFile(path, os.O_CREATE|os.O_WRONLY|os.O_APPEND, 0666)
+ f, err := os.OpenFile(path, os.O_CREATE|os.O_WRONLY|os.O_APPEND|os.O_SYNC, 0666)
if err != nil {
return err
}
@@ -100,11 +149,24 @@ func main() {
case "json":
logrus.SetFormatter(new(logrus.JSONFormatter))
default:
- logrus.Fatalf("unknown log-format %q", context.GlobalString("log-format"))
+ return fmt.Errorf("unknown log-format %q", context.GlobalString("log-format"))
}
return nil
}
+ // If the command returns an error, cli takes upon itself to print
+ // the error on cli.ErrWriter and exit.
+ // Use our own writer here to ensure the log gets sent to the right location.
+ cli.ErrWriter = &FatalWriter{cli.ErrWriter}
if err := app.Run(os.Args); err != nil {
fatal(err)
}
}
+
+type FatalWriter struct {
+ cliErrWriter io.Writer
+}
+
+func (f *FatalWriter) Write(p []byte) (n int, err error) {
+ logrus.Error(string(p))
+ return f.cliErrWriter.Write(p)
+}
diff --git a/vendor/github.com/opencontainers/runc/main_unix.go b/vendor/github.com/opencontainers/runc/main_unix.go
deleted file mode 100644
index 7bbec9fa834e791f97220c094baf1c61054139e5..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/main_unix.go
+++ /dev/null
@@ -1,5 +0,0 @@
-// +build linux
-
-package main
-
-import _ "github.com/opencontainers/runc/libcontainer/nsenter"
diff --git a/vendor/github.com/opencontainers/runc/main_unsupported.go b/vendor/github.com/opencontainers/runc/main_unsupported.go
deleted file mode 100644
index 3a83f4c10ac17116302beb4ff1bb67212753a2b3..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/main_unsupported.go
+++ /dev/null
@@ -1,17 +0,0 @@
-// +build !linux
-
-package main
-
-import "github.com/codegangsta/cli"
-
-var (
- checkpointCommand cli.Command
- eventsCommand cli.Command
- restoreCommand cli.Command
- specCommand cli.Command
- killCommand cli.Command
-)
-
-func runAction(*cli.Context) {
- fatalf("Current OS is not supported yet")
-}
diff --git a/vendor/github.com/opencontainers/runc/notify_socket.go b/vendor/github.com/opencontainers/runc/notify_socket.go
new file mode 100644
index 0000000000000000000000000000000000000000..b890b5b1c1af2d1feb26bfd1ec4850e0815546cb
--- /dev/null
+++ b/vendor/github.com/opencontainers/runc/notify_socket.go
@@ -0,0 +1,109 @@
+// +build linux
+
+package main
+
+import (
+ "bytes"
+ "fmt"
+ "net"
+ "path/filepath"
+
+ "github.com/opencontainers/runtime-spec/specs-go"
+
+ "github.com/sirupsen/logrus"
+ "github.com/urfave/cli"
+)
+
+type notifySocket struct {
+ socket *net.UnixConn
+ host string
+ socketPath string
+}
+
+func newNotifySocket(context *cli.Context, notifySocketHost string, id string) *notifySocket {
+ if notifySocketHost == "" {
+ return nil
+ }
+
+ root := filepath.Join(context.GlobalString("root"), id)
+ path := filepath.Join(root, "notify.sock")
+
+ notifySocket := ¬ifySocket{
+ socket: nil,
+ host: notifySocketHost,
+ socketPath: path,
+ }
+
+ return notifySocket
+}
+
+func (s *notifySocket) Close() error {
+ return s.socket.Close()
+}
+
+// If systemd is supporting sd_notify protocol, this function will add support
+// for sd_notify protocol from within the container.
+func (s *notifySocket) setupSpec(context *cli.Context, spec *specs.Spec) {
+ mount := specs.Mount{Destination: s.host, Source: s.socketPath, Options: []string{"bind"}}
+ spec.Mounts = append(spec.Mounts, mount)
+ spec.Process.Env = append(spec.Process.Env, fmt.Sprintf("NOTIFY_SOCKET=%s", s.host))
+}
+
+func (s *notifySocket) setupSocket() error {
+ addr := net.UnixAddr{
+ Name: s.socketPath,
+ Net: "unixgram",
+ }
+
+ socket, err := net.ListenUnixgram("unixgram", &addr)
+ if err != nil {
+ return err
+ }
+
+ s.socket = socket
+ return nil
+}
+
+// pid1 must be set only with -d, as it is used to set the new process as the main process
+// for the service in systemd
+func (s *notifySocket) run(pid1 int) {
+ buf := make([]byte, 512)
+ notifySocketHostAddr := net.UnixAddr{Name: s.host, Net: "unixgram"}
+ client, err := net.DialUnix("unixgram", nil, ¬ifySocketHostAddr)
+ if err != nil {
+ logrus.Error(err)
+ return
+ }
+ for {
+ r, err := s.socket.Read(buf)
+ if err != nil {
+ break
+ }
+ var out bytes.Buffer
+ for _, line := range bytes.Split(buf[0:r], []byte{'\n'}) {
+ if bytes.HasPrefix(line, []byte("READY=")) {
+ _, err = out.Write(line)
+ if err != nil {
+ return
+ }
+
+ _, err = out.Write([]byte{'\n'})
+ if err != nil {
+ return
+ }
+
+ _, err = client.Write(out.Bytes())
+ if err != nil {
+ return
+ }
+
+ // now we can inform systemd to use pid1 as the pid to monitor
+ if pid1 > 0 {
+ newPid := fmt.Sprintf("MAINPID=%d\n", pid1)
+ client.Write([]byte(newPid))
+ }
+ return
+ }
+ }
+ }
+}
diff --git a/vendor/github.com/opencontainers/runc/pause.go b/vendor/github.com/opencontainers/runc/pause.go
index ccec7bbef9d205b2303c1eb7ce25ff172644c58d..224c79f3368d933aaa802fa0b54090d2d9d79d66 100644
--- a/vendor/github.com/opencontainers/runc/pause.go
+++ b/vendor/github.com/opencontainers/runc/pause.go
@@ -2,7 +2,10 @@
package main
-import "github.com/codegangsta/cli"
+import (
+ "github.com/sirupsen/logrus"
+ "github.com/urfave/cli"
+)
var pauseCommand = cli.Command{
Name: "pause",
@@ -13,15 +16,23 @@ Where "<container-id>" is the name for the instance of the container to be
paused. `,
Description: `The pause command suspends all processes in the instance of the container.
-Use runc list to identiy instances of containers and their current status.`,
- Action: func(context *cli.Context) {
- container, err := getContainer(context)
+Use runc list to identify instances of containers and their current status.`,
+ Action: func(context *cli.Context) error {
+ if err := checkArgs(context, 1, exactArgs); err != nil {
+ return err
+ }
+ rootlessCg, err := shouldUseRootlessCgroupManager(context)
if err != nil {
- fatal(err)
+ return err
+ }
+ if rootlessCg {
+ logrus.Warnf("runc pause may fail if you don't have the full access to cgroups")
}
- if err := container.Pause(); err != nil {
- fatal(err)
+ container, err := getContainer(context)
+ if err != nil {
+ return err
}
+ return container.Pause()
},
}
@@ -34,14 +45,22 @@ Where "<container-id>" is the name for the instance of the container to be
resumed.`,
Description: `The resume command resumes all processes in the instance of the container.
-Use runc list to identiy instances of containers and their current status.`,
- Action: func(context *cli.Context) {
- container, err := getContainer(context)
+Use runc list to identify instances of containers and their current status.`,
+ Action: func(context *cli.Context) error {
+ if err := checkArgs(context, 1, exactArgs); err != nil {
+ return err
+ }
+ rootlessCg, err := shouldUseRootlessCgroupManager(context)
if err != nil {
- fatal(err)
+ return err
+ }
+ if rootlessCg {
+ logrus.Warn("runc resume may fail if you don't have the full access to cgroups")
}
- if err := container.Resume(); err != nil {
- fatal(err)
+ container, err := getContainer(context)
+ if err != nil {
+ return err
}
+ return container.Resume()
},
}
diff --git a/vendor/github.com/opencontainers/runc/ps.go b/vendor/github.com/opencontainers/runc/ps.go
new file mode 100644
index 0000000000000000000000000000000000000000..e7f635f4f497db97f815a319ae3bcf8f8b9f5337
--- /dev/null
+++ b/vendor/github.com/opencontainers/runc/ps.go
@@ -0,0 +1,113 @@
+// +build linux
+
+package main
+
+import (
+ "encoding/json"
+ "fmt"
+ "os"
+ "os/exec"
+ "strconv"
+ "strings"
+
+ "github.com/sirupsen/logrus"
+ "github.com/urfave/cli"
+)
+
+var psCommand = cli.Command{
+ Name: "ps",
+ Usage: "ps displays the processes running inside a container",
+ ArgsUsage: `<container-id> [ps options]`,
+ Flags: []cli.Flag{
+ cli.StringFlag{
+ Name: "format, f",
+ Value: "table",
+ Usage: `select one of: ` + formatOptions,
+ },
+ },
+ Action: func(context *cli.Context) error {
+ if err := checkArgs(context, 1, minArgs); err != nil {
+ return err
+ }
+ rootlessCg, err := shouldUseRootlessCgroupManager(context)
+ if err != nil {
+ return err
+ }
+ if rootlessCg {
+ logrus.Warn("runc ps may fail if you don't have the full access to cgroups")
+ }
+
+ container, err := getContainer(context)
+ if err != nil {
+ return err
+ }
+
+ pids, err := container.Processes()
+ if err != nil {
+ return err
+ }
+
+ switch context.String("format") {
+ case "table":
+ case "json":
+ return json.NewEncoder(os.Stdout).Encode(pids)
+ default:
+ return fmt.Errorf("invalid format option")
+ }
+
+ // [1:] is to remove command name, ex:
+ // context.Args(): [containet_id ps_arg1 ps_arg2 ...]
+ // psArgs: [ps_arg1 ps_arg2 ...]
+ //
+ psArgs := context.Args()[1:]
+ if len(psArgs) == 0 {
+ psArgs = []string{"-ef"}
+ }
+
+ cmd := exec.Command("ps", psArgs...)
+ output, err := cmd.CombinedOutput()
+ if err != nil {
+ return fmt.Errorf("%s: %s", err, output)
+ }
+
+ lines := strings.Split(string(output), "\n")
+ pidIndex, err := getPidIndex(lines[0])
+ if err != nil {
+ return err
+ }
+
+ fmt.Println(lines[0])
+ for _, line := range lines[1:] {
+ if len(line) == 0 {
+ continue
+ }
+ fields := strings.Fields(line)
+ p, err := strconv.Atoi(fields[pidIndex])
+ if err != nil {
+ return fmt.Errorf("unexpected pid '%s': %s", fields[pidIndex], err)
+ }
+
+ for _, pid := range pids {
+ if pid == p {
+ fmt.Println(line)
+ break
+ }
+ }
+ }
+ return nil
+ },
+ SkipArgReorder: true,
+}
+
+func getPidIndex(title string) (int, error) {
+ titles := strings.Fields(title)
+
+ pidIndex := -1
+ for i, name := range titles {
+ if name == "PID" {
+ return i, nil
+ }
+ }
+
+ return pidIndex, fmt.Errorf("couldn't find PID field in ps output")
+}
diff --git a/vendor/github.com/opencontainers/runc/restore.go b/vendor/github.com/opencontainers/runc/restore.go
index e964df4f121177479718d7a3f19da53b5b1730be..0a08cd12267805da303958836df43b6a3f550374 100644
--- a/vendor/github.com/opencontainers/runc/restore.go
+++ b/vendor/github.com/opencontainers/runc/restore.go
@@ -4,13 +4,11 @@ package main
import (
"os"
- "syscall"
- "github.com/sirupsen/logrus"
- "github.com/codegangsta/cli"
"github.com/opencontainers/runc/libcontainer"
- "github.com/opencontainers/runc/libcontainer/configs"
- "github.com/opencontainers/specs/specs-go"
+ "github.com/opencontainers/runc/libcontainer/system"
+ "github.com/sirupsen/logrus"
+ "github.com/urfave/cli"
)
var restoreCommand = cli.Command{
@@ -23,6 +21,11 @@ restored.`,
Description: `Restores the saved state of the container instance that was previously saved
using the runc checkpoint command.`,
Flags: []cli.Flag{
+ cli.StringFlag{
+ Name: "console-socket",
+ Value: "",
+ Usage: "path to an AF_UNIX socket which will receive a file descriptor referencing the master end of the console's pseudoterminal",
+ },
cli.StringFlag{
Name: "image-path",
Value: "",
@@ -52,7 +55,7 @@ using the runc checkpoint command.`,
cli.StringFlag{
Name: "manage-cgroups-mode",
Value: "",
- Usage: "cgroups mode: 'soft' (default), 'full' and 'strict'.",
+ Usage: "cgroups mode: 'soft' (default), 'full' and 'strict'",
},
cli.StringFlag{
Name: "bundle, b",
@@ -68,99 +71,55 @@ using the runc checkpoint command.`,
Value: "",
Usage: "specify the file to write the process id to",
},
+ cli.BoolFlag{
+ Name: "no-subreaper",
+ Usage: "disable the use of the subreaper used to reap reparented processes",
+ },
+ cli.BoolFlag{
+ Name: "no-pivot",
+ Usage: "do not use pivot root to jail process inside rootfs. This should be used whenever the rootfs is on top of a ramdisk",
+ },
+ cli.StringSliceFlag{
+ Name: "empty-ns",
+ Usage: "create a namespace, but don't restore its properties",
+ },
+ cli.BoolFlag{
+ Name: "auto-dedup",
+ Usage: "enable auto deduplication of memory images",
+ },
+ cli.BoolFlag{
+ Name: "lazy-pages",
+ Usage: "use userfaultfd to lazily restore memory pages",
+ },
},
- Action: func(context *cli.Context) {
- imagePath := context.String("image-path")
- id := context.Args().First()
- if id == "" {
- fatal(errEmptyID)
+ Action: func(context *cli.Context) error {
+ if err := checkArgs(context, 1, exactArgs); err != nil {
+ return err
}
- if imagePath == "" {
- imagePath = getDefaultImagePath(context)
+ // XXX: Currently this is untested with rootless containers.
+ if os.Geteuid() != 0 || system.RunningInUserNS() {
+ logrus.Warn("runc checkpoint is untested with rootless containers")
}
- bundle := context.String("bundle")
- if bundle != "" {
- if err := os.Chdir(bundle); err != nil {
- fatal(err)
- }
- }
- spec, err := loadSpec(specConfig)
+
+ spec, err := setupSpec(context)
if err != nil {
- fatal(err)
+ return err
}
- config, err := createLibcontainerConfig(id, spec)
- if err != nil {
- fatal(err)
+ options := criuOptions(context)
+ if err := setEmptyNsMask(context, options); err != nil {
+ return err
}
- status, err := restoreContainer(context, spec, config, imagePath)
+ status, err := startContainer(context, spec, CT_ACT_RESTORE, options)
if err != nil {
- fatal(err)
+ return err
}
+ // exit with the container's exit status so any external supervisor is
+ // notified of the exit with the correct exit status.
os.Exit(status)
+ return nil
},
}
-func restoreContainer(context *cli.Context, spec *specs.Spec, config *configs.Config, imagePath string) (code int, err error) {
- var (
- rootuid = 0
- id = context.Args().First()
- )
- factory, err := loadFactory(context)
- if err != nil {
- return -1, err
- }
- container, err := factory.Load(id)
- if err != nil {
- container, err = factory.Create(id, config)
- if err != nil {
- return -1, err
- }
- }
- options := criuOptions(context)
-
- status, err := container.Status()
- if err != nil {
- logrus.Error(err)
- }
- if status == libcontainer.Running {
- fatalf("Container with id %s already running", id)
- }
-
- setManageCgroupsMode(context, options)
-
- // ensure that the container is always removed if we were the process
- // that created it.
- detach := context.Bool("detach")
- if !detach {
- defer destroy(container)
- }
- process := &libcontainer.Process{}
- tty, err := setupIO(process, rootuid, "", false, detach)
- if err != nil {
- return -1, err
- }
- defer tty.Close()
- handler := newSignalHandler(tty)
- defer handler.Close()
- if err := container.Restore(process, options); err != nil {
- return -1, err
- }
- if err := tty.ClosePostStart(); err != nil {
- return -1, err
- }
- if pidFile := context.String("pid-file"); pidFile != "" {
- if err := createPidFile(pidFile, process); err != nil {
- process.Signal(syscall.SIGKILL)
- process.Wait()
- return -1, err
- }
- }
- if detach {
- return 0, nil
- }
- return handler.forward(process)
-}
-
func criuOptions(context *cli.Context) *libcontainer.CriuOpts {
imagePath := getCheckpointImagePath(context)
if err := os.MkdirAll(imagePath, 0655); err != nil {
@@ -169,10 +128,15 @@ func criuOptions(context *cli.Context) *libcontainer.CriuOpts {
return &libcontainer.CriuOpts{
ImagesDirectory: imagePath,
WorkDirectory: context.String("work-path"),
+ ParentImage: context.String("parent-path"),
LeaveRunning: context.Bool("leave-running"),
TcpEstablished: context.Bool("tcp-established"),
ExternalUnixConnections: context.Bool("ext-unix-sk"),
ShellJob: context.Bool("shell-job"),
FileLocks: context.Bool("file-locks"),
+ PreDump: context.Bool("pre-dump"),
+ AutoDedup: context.Bool("auto-dedup"),
+ LazyPages: context.Bool("lazy-pages"),
+ StatusFd: context.String("status-fd"),
}
}
diff --git a/vendor/github.com/opencontainers/runc/rlimit_linux.go b/vendor/github.com/opencontainers/runc/rlimit_linux.go
index a29682808c196bba715c976dfa9c1de3d022d34b..c97a0fb4e8200c7e4bf3ba17824a913cc8380c08 100644
--- a/vendor/github.com/opencontainers/runc/rlimit_linux.go
+++ b/vendor/github.com/opencontainers/runc/rlimit_linux.go
@@ -22,28 +22,28 @@ const (
)
var rlimitMap = map[string]int{
- "RLIMIT_CPU": RLIMIT_CPU,
- "RLIMIT_FSIZE": RLIMIT_FSIZE,
- "RLIMIT_DATA": RLIMIT_DATA,
- "RLIMIT_STACK": RLIMIT_STACK,
- "RLIMIT_CORE": RLIMIT_CORE,
- "RLIMIT_RSS": RLIMIT_RSS,
- "RLIMIT_NPROC": RLIMIT_NPROC,
- "RLIMIT_NOFILE": RLIMIT_NOFILE,
- "RLIMIT_MEMLOCK": RLIMIT_MEMLOCK,
- "RLIMIT_AS": RLIMIT_AS,
- "RLIMIT_LOCKS": RLIMIT_LOCKS,
- "RLIMIT_SGPENDING": RLIMIT_SIGPENDING,
- "RLIMIT_MSGQUEUE": RLIMIT_MSGQUEUE,
- "RLIMIT_NICE": RLIMIT_NICE,
- "RLIMIT_RTPRIO": RLIMIT_RTPRIO,
- "RLIMIT_RTTIME": RLIMIT_RTTIME,
+ "RLIMIT_CPU": RLIMIT_CPU,
+ "RLIMIT_FSIZE": RLIMIT_FSIZE,
+ "RLIMIT_DATA": RLIMIT_DATA,
+ "RLIMIT_STACK": RLIMIT_STACK,
+ "RLIMIT_CORE": RLIMIT_CORE,
+ "RLIMIT_RSS": RLIMIT_RSS,
+ "RLIMIT_NPROC": RLIMIT_NPROC,
+ "RLIMIT_NOFILE": RLIMIT_NOFILE,
+ "RLIMIT_MEMLOCK": RLIMIT_MEMLOCK,
+ "RLIMIT_AS": RLIMIT_AS,
+ "RLIMIT_LOCKS": RLIMIT_LOCKS,
+ "RLIMIT_SIGPENDING": RLIMIT_SIGPENDING,
+ "RLIMIT_MSGQUEUE": RLIMIT_MSGQUEUE,
+ "RLIMIT_NICE": RLIMIT_NICE,
+ "RLIMIT_RTPRIO": RLIMIT_RTPRIO,
+ "RLIMIT_RTTIME": RLIMIT_RTTIME,
}
func strToRlimit(key string) (int, error) {
rl, ok := rlimitMap[key]
if !ok {
- return 0, fmt.Errorf("Wrong rlimit value: %s", key)
+ return 0, fmt.Errorf("wrong rlimit value: %s", key)
}
return rl, nil
}
diff --git a/vendor/github.com/opencontainers/runc/rootless_linux.go b/vendor/github.com/opencontainers/runc/rootless_linux.go
new file mode 100644
index 0000000000000000000000000000000000000000..3c425dc655302bd61de3833bc70cecb49761f6ce
--- /dev/null
+++ b/vendor/github.com/opencontainers/runc/rootless_linux.go
@@ -0,0 +1,58 @@
+// +build linux
+
+package main
+
+import (
+ "os"
+
+ "github.com/opencontainers/runc/libcontainer/system"
+ "github.com/urfave/cli"
+)
+
+func shouldUseRootlessCgroupManager(context *cli.Context) (bool, error) {
+ if context != nil {
+ b, err := parseBoolOrAuto(context.GlobalString("rootless"))
+ if err != nil {
+ return false, err
+ }
+ // nil b stands for "auto detect"
+ if b != nil {
+ return *b, nil
+ }
+
+ if context.GlobalBool("systemd-cgroup") {
+ return false, nil
+ }
+ }
+ if os.Geteuid() != 0 {
+ return true, nil
+ }
+ if !system.RunningInUserNS() {
+ // euid == 0 , in the initial ns (i.e. the real root)
+ return false, nil
+ }
+ // euid = 0, in a userns.
+ // As we are unaware of cgroups path, we can't determine whether we have the full
+ // access to the cgroups path.
+ // Either way, we can safely decide to use the rootless cgroups manager.
+ return true, nil
+}
+
+func shouldHonorXDGRuntimeDir() bool {
+ if os.Getenv("XDG_RUNTIME_DIR") == "" {
+ return false
+ }
+ if os.Geteuid() != 0 {
+ return true
+ }
+ if !system.RunningInUserNS() {
+ // euid == 0 , in the initial ns (i.e. the real root)
+ // in this case, we should use /run/runc and ignore
+ // $XDG_RUNTIME_DIR (e.g. /run/user/0) for backward
+ // compatibility.
+ return false
+ }
+ // euid = 0, in a userns.
+ u, ok := os.LookupEnv("USER")
+ return !ok || u != "root"
+}
diff --git a/vendor/github.com/opencontainers/runc/run.go b/vendor/github.com/opencontainers/runc/run.go
new file mode 100644
index 0000000000000000000000000000000000000000..f8d6317844d44ea940d14f3e4a30a06191ae2df8
--- /dev/null
+++ b/vendor/github.com/opencontainers/runc/run.go
@@ -0,0 +1,84 @@
+// +build linux
+
+package main
+
+import (
+ "os"
+
+ "github.com/urfave/cli"
+)
+
+// default action is to start a container
+var runCommand = cli.Command{
+ Name: "run",
+ Usage: "create and run a container",
+ ArgsUsage: `<container-id>
+
+Where "<container-id>" is your name for the instance of the container that you
+are starting. The name you provide for the container instance must be unique on
+your host.`,
+ Description: `The run command creates an instance of a container for a bundle. The bundle
+is a directory with a specification file named "` + specConfig + `" and a root
+filesystem.
+
+The specification file includes an args parameter. The args parameter is used
+to specify command(s) that get run when the container is started. To change the
+command(s) that get executed on start, edit the args parameter of the spec. See
+"runc spec --help" for more explanation.`,
+ Flags: []cli.Flag{
+ cli.StringFlag{
+ Name: "bundle, b",
+ Value: "",
+ Usage: `path to the root of the bundle directory, defaults to the current directory`,
+ },
+ cli.StringFlag{
+ Name: "console-socket",
+ Value: "",
+ Usage: "path to an AF_UNIX socket which will receive a file descriptor referencing the master end of the console's pseudoterminal",
+ },
+ cli.BoolFlag{
+ Name: "detach, d",
+ Usage: "detach from the container's process",
+ },
+ cli.StringFlag{
+ Name: "pid-file",
+ Value: "",
+ Usage: "specify the file to write the process id to",
+ },
+ cli.BoolFlag{
+ Name: "no-subreaper",
+ Usage: "disable the use of the subreaper used to reap reparented processes",
+ },
+ cli.BoolFlag{
+ Name: "no-pivot",
+ Usage: "do not use pivot root to jail process inside rootfs. This should be used whenever the rootfs is on top of a ramdisk",
+ },
+ cli.BoolFlag{
+ Name: "no-new-keyring",
+ Usage: "do not create a new session keyring for the container. This will cause the container to inherit the calling processes session key",
+ },
+ cli.IntFlag{
+ Name: "preserve-fds",
+ Usage: "Pass N additional file descriptors to the container (stdio + $LISTEN_FDS + N in total)",
+ },
+ },
+ Action: func(context *cli.Context) error {
+ if err := checkArgs(context, 1, exactArgs); err != nil {
+ return err
+ }
+ if err := revisePidFile(context); err != nil {
+ return err
+ }
+ spec, err := setupSpec(context)
+ if err != nil {
+ return err
+ }
+ status, err := startContainer(context, spec, CT_ACT_RUN, nil)
+ if err == nil {
+ // exit with the container's exit status so any external supervisor is
+ // notified of the exit with the correct exit status.
+ os.Exit(status)
+ }
+ return err
+ },
+}
diff --git a/vendor/github.com/opencontainers/runc/signalmap.go b/vendor/github.com/opencontainers/runc/signalmap.go
new file mode 100644
index 0000000000000000000000000000000000000000..f9a6347730b2b136fe9dd5e70e100166c9295803
--- /dev/null
+++ b/vendor/github.com/opencontainers/runc/signalmap.go
@@ -0,0 +1,47 @@
+// +build linux
+// +build !mips,!mipsle,!mips64,!mips64le
+
+package main
+
+import (
+ "syscall"
+
+ "golang.org/x/sys/unix"
+)
+
+var signalMap = map[string]syscall.Signal{
+ "ABRT": unix.SIGABRT,
+ "ALRM": unix.SIGALRM,
+ "BUS": unix.SIGBUS,
+ "CHLD": unix.SIGCHLD,
+ "CLD": unix.SIGCLD,
+ "CONT": unix.SIGCONT,
+ "FPE": unix.SIGFPE,
+ "HUP": unix.SIGHUP,
+ "ILL": unix.SIGILL,
+ "INT": unix.SIGINT,
+ "IO": unix.SIGIO,
+ "IOT": unix.SIGIOT,
+ "KILL": unix.SIGKILL,
+ "PIPE": unix.SIGPIPE,
+ "POLL": unix.SIGPOLL,
+ "PROF": unix.SIGPROF,
+ "PWR": unix.SIGPWR,
+ "QUIT": unix.SIGQUIT,
+ "SEGV": unix.SIGSEGV,
+ "STKFLT": unix.SIGSTKFLT,
+ "STOP": unix.SIGSTOP,
+ "SYS": unix.SIGSYS,
+ "TERM": unix.SIGTERM,
+ "TRAP": unix.SIGTRAP,
+ "TSTP": unix.SIGTSTP,
+ "TTIN": unix.SIGTTIN,
+ "TTOU": unix.SIGTTOU,
+ "URG": unix.SIGURG,
+ "USR1": unix.SIGUSR1,
+ "USR2": unix.SIGUSR2,
+ "VTALRM": unix.SIGVTALRM,
+ "WINCH": unix.SIGWINCH,
+ "XCPU": unix.SIGXCPU,
+ "XFSZ": unix.SIGXFSZ,
+}
diff --git a/vendor/github.com/opencontainers/runc/signalmap_mipsx.go b/vendor/github.com/opencontainers/runc/signalmap_mipsx.go
new file mode 100644
index 0000000000000000000000000000000000000000..046bf1529942b2663e5cf6bfd7413ac3849c1f66
--- /dev/null
+++ b/vendor/github.com/opencontainers/runc/signalmap_mipsx.go
@@ -0,0 +1,45 @@
+// +build linux,mips linux,mipsle linux,mips64 linux,mips64le
+
+package main
+
+import (
+ "syscall"
+
+ "golang.org/x/sys/unix"
+)
+
+var signalMap = map[string]syscall.Signal{
+ "ABRT": unix.SIGABRT,
+ "ALRM": unix.SIGALRM,
+ "BUS": unix.SIGBUS,
+ "CHLD": unix.SIGCHLD,
+ "CLD": unix.SIGCLD,
+ "CONT": unix.SIGCONT,
+ "FPE": unix.SIGFPE,
+ "HUP": unix.SIGHUP,
+ "ILL": unix.SIGILL,
+ "INT": unix.SIGINT,
+ "IO": unix.SIGIO,
+ "IOT": unix.SIGIOT,
+ "KILL": unix.SIGKILL,
+ "PIPE": unix.SIGPIPE,
+ "POLL": unix.SIGPOLL,
+ "PROF": unix.SIGPROF,
+ "PWR": unix.SIGPWR,
+ "QUIT": unix.SIGQUIT,
+ "SEGV": unix.SIGSEGV,
+ "STOP": unix.SIGSTOP,
+ "SYS": unix.SIGSYS,
+ "TERM": unix.SIGTERM,
+ "TRAP": unix.SIGTRAP,
+ "TSTP": unix.SIGTSTP,
+ "TTIN": unix.SIGTTIN,
+ "TTOU": unix.SIGTTOU,
+ "URG": unix.SIGURG,
+ "USR1": unix.SIGUSR1,
+ "USR2": unix.SIGUSR2,
+ "VTALRM": unix.SIGVTALRM,
+ "WINCH": unix.SIGWINCH,
+ "XCPU": unix.SIGXCPU,
+ "XFSZ": unix.SIGXFSZ,
+}
diff --git a/vendor/github.com/opencontainers/runc/signals.go b/vendor/github.com/opencontainers/runc/signals.go
index 3e40e5e2c1d7c8494f51ad5842d6a1d263255b7f..b67f65a03e14199a01473ffa316b81ef445a8187 100644
--- a/vendor/github.com/opencontainers/runc/signals.go
+++ b/vendor/github.com/opencontainers/runc/signals.go
@@ -5,26 +5,37 @@ package main
import (
"os"
"os/signal"
- "syscall"
+ "syscall" // only for Signal
- "github.com/sirupsen/logrus"
"github.com/opencontainers/runc/libcontainer"
+ "github.com/opencontainers/runc/libcontainer/system"
"github.com/opencontainers/runc/libcontainer/utils"
+
+ "github.com/sirupsen/logrus"
+ "golang.org/x/sys/unix"
)
const signalBufferSize = 2048
// newSignalHandler returns a signal handler for processing SIGCHLD and SIGWINCH signals
// while still forwarding all other signals to the process.
-func newSignalHandler(tty *tty) *signalHandler {
+// If notifySocket is present, use it to read systemd notifications from the container and
+// forward them to notifySocketHost.
+func newSignalHandler(enableSubreaper bool, notifySocket *notifySocket) *signalHandler {
+ if enableSubreaper {
+ // set us as the subreaper before registering the signal handler for the container
+ if err := system.SetSubreaper(1); err != nil {
+ logrus.Warn(err)
+ }
+ }
// ensure that we have a large buffer size so that we do not miss any signals
- // incase we are not processing them fast enough.
+ // in case we are not processing them fast enough.
s := make(chan os.Signal, signalBufferSize)
// handle all signals for the process.
signal.Notify(s)
return &signalHandler{
- tty: tty,
- signals: s,
+ signals: s,
+ notifySocket: notifySocket,
}
}
@@ -36,26 +47,42 @@ type exit struct {
}
type signalHandler struct {
- signals chan os.Signal
- tty *tty
+ signals chan os.Signal
+ notifySocket *notifySocket
}
// forward handles the main signal event loop forwarding, resizing, or reaping depending
// on the signal received.
-func (h *signalHandler) forward(process *libcontainer.Process) (int, error) {
+func (h *signalHandler) forward(process *libcontainer.Process, tty *tty, detach bool) (int, error) {
// make sure we know the pid of our main process so that we can return
// after it dies.
+ if detach && h.notifySocket == nil {
+ return 0, nil
+ }
+
pid1, err := process.Pid()
if err != nil {
return -1, err
}
- // perform the initial tty resize.
- h.tty.resize()
+
+ if h.notifySocket != nil {
+ if detach {
+ h.notifySocket.run(pid1)
+ return 0, nil
+ }
+ go h.notifySocket.run(0)
+ }
+
+ // Perform the initial tty resize. Always ignore errors resizing because
+ // stdout might have disappeared (due to races with when SIGHUP is sent).
+ _ = tty.resize()
+ // Handle and forward signals.
for s := range h.signals {
switch s {
- case syscall.SIGWINCH:
- h.tty.resize()
- case syscall.SIGCHLD:
+ case unix.SIGWINCH:
+ // Ignore errors resizing, as above.
+ _ = tty.resize()
+ case unix.SIGCHLD:
exits, err := h.reap()
if err != nil {
logrus.Error(err)
@@ -70,12 +97,15 @@ func (h *signalHandler) forward(process *libcontainer.Process) (int, error) {
// status because we must ensure that any of the go specific process
// fun such as flushing pipes are complete before we return.
process.Wait()
+ if h.notifySocket != nil {
+ h.notifySocket.Close()
+ }
return e.status, nil
}
}
default:
logrus.Debugf("sending signal to process %s", s)
- if err := syscall.Kill(pid1, s.(syscall.Signal)); err != nil {
+ if err := unix.Kill(pid1, s.(syscall.Signal)); err != nil {
logrus.Error(err)
}
}
@@ -87,13 +117,13 @@ func (h *signalHandler) forward(process *libcontainer.Process) (int, error) {
// then returns all exits to the main event loop for further processing.
func (h *signalHandler) reap() (exits []exit, err error) {
var (
- ws syscall.WaitStatus
- rus syscall.Rusage
+ ws unix.WaitStatus
+ rus unix.Rusage
)
for {
- pid, err := syscall.Wait4(-1, &ws, syscall.WNOHANG, &rus)
+ pid, err := unix.Wait4(-1, &ws, unix.WNOHANG, &rus)
if err != nil {
- if err == syscall.ECHILD {
+ if err == unix.ECHILD {
return exits, nil
}
return nil, err
@@ -107,10 +137,3 @@ func (h *signalHandler) reap() (exits []exit, err error) {
})
}
}
-
-func (h *signalHandler) Close() error {
- if h.tty != nil {
- return h.tty.Close()
- }
- return nil
-}
diff --git a/vendor/github.com/opencontainers/runc/spec.go b/vendor/github.com/opencontainers/runc/spec.go
index d5d66fcc9efd1f00ff26ebf6fc3e2506b93bbe5c..322a83d7ad97f024708465f182877a21d3bdec93 100644
--- a/vendor/github.com/opencontainers/runc/spec.go
+++ b/vendor/github.com/opencontainers/runc/spec.go
@@ -7,140 +7,85 @@ import (
"fmt"
"io/ioutil"
"os"
- "path/filepath"
- "runtime"
- "strconv"
- "strings"
- "syscall"
- "github.com/codegangsta/cli"
- "github.com/opencontainers/runc/libcontainer/cgroups"
"github.com/opencontainers/runc/libcontainer/configs"
- "github.com/opencontainers/runc/libcontainer/seccomp"
- libcontainerUtils "github.com/opencontainers/runc/libcontainer/utils"
- "github.com/opencontainers/specs/specs-go"
+ "github.com/opencontainers/runc/libcontainer/specconv"
+ "github.com/opencontainers/runtime-spec/specs-go"
+ "github.com/urfave/cli"
)
var specCommand = cli.Command{
- Name: "spec",
- Usage: "create a new specification file",
- ArgsUsage: "",
- Description: `The spec command creates the new specification file named "` + specConfig + `" for the bundle." `,
+ Name: "spec",
+ Usage: "create a new specification file",
+ ArgsUsage: "",
+ Description: `The spec command creates the new specification file named "` + specConfig + `" for
+the bundle.
+
+The spec generated is just a starter file. Editing of the spec is required to
+achieve desired results. For example, the newly generated spec includes an args
+parameter that is initially set to call the "sh" command when the container is
+started. Calling "sh" may work for an ubuntu container or busybox, but will not
+work for containers that do not include the "sh" program.
+
+EXAMPLE:
+ To run docker's hello-world container one needs to set the args parameter
+in the spec to call hello. This can be done using the sed command or a text
+editor. The following commands create a bundle for hello-world, change the
+default args parameter in the spec from "sh" to "/hello", then run the hello
+command in a new hello-world container named container1:
+
+ mkdir hello
+ cd hello
+ docker pull hello-world
+ docker export $(docker create hello-world) > hello-world.tar
+ mkdir rootfs
+ tar -C rootfs -xf hello-world.tar
+ runc spec
+ sed -i 's;"sh";"/hello";' ` + specConfig + `
+ runc run container1
+
+In the run command above, "container1" is the name for the instance of the
+container that you are starting. The name you provide for the container instance
+must be unique on your host.
+
+An alternative for generating a customized spec config is to use "oci-runtime-tool", the
+sub-command "oci-runtime-tool generate" has lots of options that can be used to do any
+customizations as you want, see runtime-tools (https://github.com/opencontainers/runtime-tools)
+to get more information.
+
+When starting a container through runc, runc needs root privilege. If not
+already running as root, you can use sudo to give runc root privilege. For
+example: "sudo runc start container1" will give runc root privilege to start the
+container on your host.
+
+Alternatively, you can start a rootless container, which has the ability to run
+without root privileges. For this to work, the specification file needs to be
+adjusted accordingly. You can pass the parameter --rootless to this command to
+generate a proper rootless spec file.
+
+Note that --rootless is not needed when you execute runc as the root in a user namespace
+created by an unprivileged user.
+`,
Flags: []cli.Flag{
cli.StringFlag{
Name: "bundle, b",
Value: "",
Usage: "path to the root of the bundle directory",
},
+ cli.BoolFlag{
+ Name: "rootless",
+ Usage: "generate a configuration for a rootless container",
+ },
},
- Action: func(context *cli.Context) {
- spec := specs.Spec{
- Version: specs.Version,
- Platform: specs.Platform{
- OS: runtime.GOOS,
- Arch: runtime.GOARCH,
- },
- Root: specs.Root{
- Path: "rootfs",
- Readonly: true,
- },
- Process: specs.Process{
- Terminal: true,
- User: specs.User{},
- Args: []string{
- "sh",
- },
- Env: []string{
- "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
- "TERM=xterm",
- },
- Cwd: "/",
- NoNewPrivileges: true,
- Capabilities: []string{
- "CAP_AUDIT_WRITE",
- "CAP_KILL",
- "CAP_NET_BIND_SERVICE",
- },
- Rlimits: []specs.Rlimit{
- {
- Type: "RLIMIT_NOFILE",
- Hard: uint64(1024),
- Soft: uint64(1024),
- },
- },
- },
- Hostname: "runc",
- Mounts: []specs.Mount{
- {
- Destination: "/proc",
- Type: "proc",
- Source: "proc",
- Options: nil,
- },
- {
- Destination: "/dev",
- Type: "tmpfs",
- Source: "tmpfs",
- Options: []string{"nosuid", "strictatime", "mode=755", "size=65536k"},
- },
- {
- Destination: "/dev/pts",
- Type: "devpts",
- Source: "devpts",
- Options: []string{"nosuid", "noexec", "newinstance", "ptmxmode=0666", "mode=0620", "gid=5"},
- },
- {
- Destination: "/dev/shm",
- Type: "tmpfs",
- Source: "shm",
- Options: []string{"nosuid", "noexec", "nodev", "mode=1777", "size=65536k"},
- },
- {
- Destination: "/dev/mqueue",
- Type: "mqueue",
- Source: "mqueue",
- Options: []string{"nosuid", "noexec", "nodev"},
- },
- {
- Destination: "/sys",
- Type: "sysfs",
- Source: "sysfs",
- Options: []string{"nosuid", "noexec", "nodev", "ro"},
- },
- {
- Destination: "/sys/fs/cgroup",
- Type: "cgroup",
- Source: "cgroup",
- Options: []string{"nosuid", "noexec", "nodev", "relatime", "ro"},
- },
- },
- Linux: specs.Linux{
- Resources: &specs.Resources{
- Devices: []specs.DeviceCgroup{
- {
- Allow: false,
- Access: sPtr("rwm"),
- },
- },
- },
- Namespaces: []specs.Namespace{
- {
- Type: "pid",
- },
- {
- Type: "network",
- },
- {
- Type: "ipc",
- },
- {
- Type: "uts",
- },
- {
- Type: "mount",
- },
- },
- },
+ Action: func(context *cli.Context) error {
+ if err := checkArgs(context, 0, exactArgs); err != nil {
+ return err
+ }
+ spec := specconv.Example()
+
+ rootless := context.Bool("rootless")
+ if rootless {
+ specconv.ToRootless(spec)
}
checkNoFile := func(name string) error {
@@ -156,61 +101,21 @@ var specCommand = cli.Command{
bundle := context.String("bundle")
if bundle != "" {
if err := os.Chdir(bundle); err != nil {
- fatal(err)
+ return err
}
}
if err := checkNoFile(specConfig); err != nil {
- fatal(err)
+ return err
}
- data, err := json.MarshalIndent(&spec, "", "\t")
+ data, err := json.MarshalIndent(spec, "", "\t")
if err != nil {
- fatal(err)
- }
- if err := ioutil.WriteFile(specConfig, data, 0666); err != nil {
- fatal(err)
+ return err
}
+ return ioutil.WriteFile(specConfig, data, 0666)
},
}
-func sPtr(s string) *string { return &s }
-func rPtr(r rune) *rune { return &r }
-func iPtr(i int64) *int64 { return &i }
-func u32Ptr(i int64) *uint32 { u := uint32(i); return &u }
-func fmPtr(i int64) *os.FileMode { fm := os.FileMode(i); return &fm }
-
-var namespaceMapping = map[specs.NamespaceType]configs.NamespaceType{
- specs.PIDNamespace: configs.NEWPID,
- specs.NetworkNamespace: configs.NEWNET,
- specs.MountNamespace: configs.NEWNS,
- specs.UserNamespace: configs.NEWUSER,
- specs.IPCNamespace: configs.NEWIPC,
- specs.UTSNamespace: configs.NEWUTS,
-}
-
-var mountPropagationMapping = map[string]int{
- "rprivate": syscall.MS_PRIVATE | syscall.MS_REC,
- "private": syscall.MS_PRIVATE,
- "rslave": syscall.MS_SLAVE | syscall.MS_REC,
- "slave": syscall.MS_SLAVE,
- "rshared": syscall.MS_SHARED | syscall.MS_REC,
- "shared": syscall.MS_SHARED,
- "": syscall.MS_PRIVATE | syscall.MS_REC,
-}
-
-// validateSpec validates the fields in the spec
-// TODO: Add validation for other fields where applicable
-func validateSpec(spec *specs.Spec) error {
- if spec.Process.Cwd == "" {
- return fmt.Errorf("Cwd property must not be empty")
- }
- if !filepath.IsAbs(spec.Process.Cwd) {
- return fmt.Errorf("Cwd must be an absolute path")
- }
- return nil
-}
-
// loadSpec loads the specification from the provided path.
-// If the path is empty then the default path will be "config.json"
func loadSpec(cPath string) (spec *specs.Spec, err error) {
cf, err := os.Open(cPath)
if err != nil {
@@ -224,575 +129,17 @@ func loadSpec(cPath string) (spec *specs.Spec, err error) {
if err = json.NewDecoder(cf).Decode(&spec); err != nil {
return nil, err
}
- return spec, validateSpec(spec)
-}
-
-func createLibcontainerConfig(cgroupName string, spec *specs.Spec) (*configs.Config, error) {
- // runc's cwd will always be the bundle path
- rcwd, err := os.Getwd()
- if err != nil {
- return nil, err
- }
- cwd, err := filepath.Abs(rcwd)
- if err != nil {
- return nil, err
- }
- rootfsPath := spec.Root.Path
- if !filepath.IsAbs(rootfsPath) {
- rootfsPath = filepath.Join(cwd, rootfsPath)
- }
- config := &configs.Config{
- Rootfs: rootfsPath,
- Readonlyfs: spec.Root.Readonly,
- Hostname: spec.Hostname,
- Labels: []string{
- "bundle=" + cwd,
- },
- }
-
- exists := false
- if config.RootPropagation, exists = mountPropagationMapping[spec.Linux.RootfsPropagation]; !exists {
- return nil, fmt.Errorf("rootfsPropagation=%v is not supported", spec.Linux.RootfsPropagation)
- }
-
- for _, ns := range spec.Linux.Namespaces {
- t, exists := namespaceMapping[ns.Type]
- if !exists {
- return nil, fmt.Errorf("namespace %q does not exist", ns)
- }
- config.Namespaces.Add(t, ns.Path)
- }
- if config.Namespaces.Contains(configs.NEWNET) {
- config.Networks = []*configs.Network{
- {
- Type: "loopback",
- },
- }
- }
- for _, m := range spec.Mounts {
- config.Mounts = append(config.Mounts, createLibcontainerMount(cwd, m))
- }
- if err := createDevices(spec, config); err != nil {
- return nil, err
- }
- if err := setupUserNamespace(spec, config); err != nil {
- return nil, err
- }
- c, err := createCgroupConfig(cgroupName, spec)
- if err != nil {
- return nil, err
- }
- config.Cgroups = c
- // set extra path masking for libcontainer for the various unsafe places in proc
- config.MaskPaths = maskedPaths
- config.ReadonlyPaths = readonlyPaths
- if spec.Linux.Seccomp != nil {
- seccomp, err := setupSeccomp(spec.Linux.Seccomp)
- if err != nil {
- return nil, err
- }
- config.Seccomp = seccomp
- }
- config.Sysctl = spec.Linux.Sysctl
- if oomScoreAdj := spec.Linux.Resources.OOMScoreAdj; oomScoreAdj != nil {
- config.OomScoreAdj = *oomScoreAdj
- }
- for _, g := range spec.Process.User.AdditionalGids {
- config.AdditionalGroups = append(config.AdditionalGroups, strconv.FormatUint(uint64(g), 10))
- }
- createHooks(spec, config)
- config.Version = specs.Version
- return config, nil
-}
-
-func createLibcontainerMount(cwd string, m specs.Mount) *configs.Mount {
- flags, pgflags, data := parseMountOptions(m.Options)
- source := m.Source
- if m.Type == "bind" {
- if !filepath.IsAbs(source) {
- source = filepath.Join(cwd, m.Source)
- }
- }
- return &configs.Mount{
- Device: m.Type,
- Source: source,
- Destination: m.Destination,
- Data: data,
- Flags: flags,
- PropagationFlags: pgflags,
- }
-}
-
-func createCgroupConfig(name string, spec *specs.Spec) (*configs.Cgroup, error) {
- var (
- err error
- myCgroupPath string
- )
-
- if spec.Linux.CgroupsPath != nil {
- myCgroupPath = libcontainerUtils.CleanPath(*spec.Linux.CgroupsPath)
- } else {
- myCgroupPath, err = cgroups.GetThisCgroupDir("devices")
- if err != nil {
- return nil, err
- }
- myCgroupPath = filepath.Join(myCgroupPath, name)
- }
-
- c := &configs.Cgroup{
- Path: myCgroupPath,
- Resources: &configs.Resources{},
- }
- c.Resources.AllowedDevices = allowedDevices
- r := spec.Linux.Resources
- if r == nil {
- return c, nil
- }
- for i, d := range spec.Linux.Resources.Devices {
- var (
- t = "a"
- major = int64(-1)
- minor = int64(-1)
- )
- if d.Type != nil {
- t = *d.Type
- }
- if d.Major != nil {
- major = *d.Major
- }
- if d.Minor != nil {
- minor = *d.Minor
- }
- if d.Access == nil || *d.Access == "" {
- return nil, fmt.Errorf("device access at %d field canot be empty", i)
- }
- dt, err := stringToDeviceRune(t)
- if err != nil {
- return nil, err
- }
- dd := &configs.Device{
- Type: dt,
- Major: major,
- Minor: minor,
- Permissions: *d.Access,
- Allow: d.Allow,
- }
- c.Resources.Devices = append(c.Resources.Devices, dd)
- }
- // append the default allowed devices to the end of the list
- c.Resources.Devices = append(c.Resources.Devices, allowedDevices...)
- if r.Memory != nil {
- if r.Memory.Limit != nil {
- c.Resources.Memory = int64(*r.Memory.Limit)
- }
- if r.Memory.Reservation != nil {
- c.Resources.MemoryReservation = int64(*r.Memory.Reservation)
- }
- if r.Memory.Swap != nil {
- c.Resources.MemorySwap = int64(*r.Memory.Swap)
- }
- if r.Memory.Kernel != nil {
- c.Resources.KernelMemory = int64(*r.Memory.Kernel)
- }
- if r.Memory.Swappiness != nil {
- swappiness := int64(*r.Memory.Swappiness)
- c.Resources.MemorySwappiness = &swappiness
- }
- }
- if r.CPU != nil {
- if r.CPU.Shares != nil {
- c.Resources.CpuShares = int64(*r.CPU.Shares)
- }
- if r.CPU.Quota != nil {
- c.Resources.CpuQuota = int64(*r.CPU.Quota)
- }
- if r.CPU.Period != nil {
- c.Resources.CpuPeriod = int64(*r.CPU.Period)
- }
- if r.CPU.RealtimeRuntime != nil {
- c.Resources.CpuRtRuntime = int64(*r.CPU.RealtimeRuntime)
- }
- if r.CPU.RealtimePeriod != nil {
- c.Resources.CpuRtPeriod = int64(*r.CPU.RealtimePeriod)
- }
- if r.CPU.Cpus != nil {
- c.Resources.CpusetCpus = *r.CPU.Cpus
- }
- if r.CPU.Mems != nil {
- c.Resources.CpusetMems = *r.CPU.Mems
- }
- }
- if r.Pids != nil {
- c.Resources.PidsLimit = *r.Pids.Limit
- }
- if r.BlockIO != nil {
- if r.BlockIO.Weight != nil {
- c.Resources.BlkioWeight = *r.BlockIO.Weight
- }
- if r.BlockIO.LeafWeight != nil {
- c.Resources.BlkioLeafWeight = *r.BlockIO.LeafWeight
- }
- if r.BlockIO.WeightDevice != nil {
- for _, wd := range r.BlockIO.WeightDevice {
- weightDevice := configs.NewWeightDevice(wd.Major, wd.Minor, *wd.Weight, *wd.LeafWeight)
- c.Resources.BlkioWeightDevice = append(c.Resources.BlkioWeightDevice, weightDevice)
- }
- }
- if r.BlockIO.ThrottleReadBpsDevice != nil {
- for _, td := range r.BlockIO.ThrottleReadBpsDevice {
- throttleDevice := configs.NewThrottleDevice(td.Major, td.Minor, *td.Rate)
- c.Resources.BlkioThrottleReadBpsDevice = append(c.Resources.BlkioThrottleReadBpsDevice, throttleDevice)
- }
- }
- if r.BlockIO.ThrottleWriteBpsDevice != nil {
- for _, td := range r.BlockIO.ThrottleWriteBpsDevice {
- throttleDevice := configs.NewThrottleDevice(td.Major, td.Minor, *td.Rate)
- c.Resources.BlkioThrottleWriteBpsDevice = append(c.Resources.BlkioThrottleWriteBpsDevice, throttleDevice)
- }
- }
- if r.BlockIO.ThrottleReadIOPSDevice != nil {
- for _, td := range r.BlockIO.ThrottleReadIOPSDevice {
- throttleDevice := configs.NewThrottleDevice(td.Major, td.Minor, *td.Rate)
- c.Resources.BlkioThrottleReadIOPSDevice = append(c.Resources.BlkioThrottleReadIOPSDevice, throttleDevice)
- }
- }
- if r.BlockIO.ThrottleWriteIOPSDevice != nil {
- for _, td := range r.BlockIO.ThrottleWriteIOPSDevice {
- throttleDevice := configs.NewThrottleDevice(td.Major, td.Minor, *td.Rate)
- c.Resources.BlkioThrottleWriteIOPSDevice = append(c.Resources.BlkioThrottleWriteIOPSDevice, throttleDevice)
- }
- }
- }
- for _, l := range r.HugepageLimits {
- c.Resources.HugetlbLimit = append(c.Resources.HugetlbLimit, &configs.HugepageLimit{
- Pagesize: *l.Pagesize,
- Limit: *l.Limit,
- })
- }
- if r.DisableOOMKiller != nil {
- c.Resources.OomKillDisable = *r.DisableOOMKiller
- }
- if r.Network != nil {
- if r.Network.ClassID != nil {
- c.Resources.NetClsClassid = string(*r.Network.ClassID)
- }
- for _, m := range r.Network.Priorities {
- c.Resources.NetPrioIfpriomap = append(c.Resources.NetPrioIfpriomap, &configs.IfPrioMap{
- Interface: m.Name,
- Priority: int64(m.Priority),
- })
- }
- }
- return c, nil
-}
-
-func stringToDeviceRune(s string) (rune, error) {
- switch s {
- case "a":
- return 'a', nil
- case "b":
- return 'b', nil
- case "c":
- return 'c', nil
- default:
- return 0, fmt.Errorf("invalid device type %q", s)
- }
+ return spec, validateProcessSpec(spec.Process)
}
-func createDevices(spec *specs.Spec, config *configs.Config) error {
- // add whitelisted devices
- config.Devices = []*configs.Device{
- {
- Type: 'c',
- Path: "/dev/null",
- Major: 1,
- Minor: 3,
- FileMode: 0666,
- Uid: 0,
- Gid: 0,
- },
- {
- Type: 'c',
- Path: "/dev/random",
- Major: 1,
- Minor: 8,
- FileMode: 0666,
- Uid: 0,
- Gid: 0,
- },
- {
- Type: 'c',
- Path: "/dev/full",
- Major: 1,
- Minor: 7,
- FileMode: 0666,
- Uid: 0,
- Gid: 0,
- },
- {
- Type: 'c',
- Path: "/dev/tty",
- Major: 5,
- Minor: 0,
- FileMode: 0666,
- Uid: 0,
- Gid: 0,
- },
- {
- Type: 'c',
- Path: "/dev/zero",
- Major: 1,
- Minor: 5,
- FileMode: 0666,
- Uid: 0,
- Gid: 0,
- },
- {
- Type: 'c',
- Path: "/dev/urandom",
- Major: 1,
- Minor: 9,
- FileMode: 0666,
- Uid: 0,
- Gid: 0,
- },
- }
- // merge in additional devices from the spec
- for _, d := range spec.Linux.Devices {
- var uid, gid uint32
- if d.UID != nil {
- uid = *d.UID
- }
- if d.GID != nil {
- gid = *d.GID
- }
- dt, err := stringToDeviceRune(d.Type)
- if err != nil {
- return err
- }
- device := &configs.Device{
- Type: dt,
- Path: d.Path,
- Major: d.Major,
- Minor: d.Minor,
- FileMode: *d.FileMode,
- Uid: uid,
- Gid: gid,
- }
- config.Devices = append(config.Devices, device)
- }
- return nil
-}
-
-func setupUserNamespace(spec *specs.Spec, config *configs.Config) error {
- if len(spec.Linux.UIDMappings) == 0 {
- return nil
- }
- // do not override the specified user namespace path
- if config.Namespaces.PathOf(configs.NEWUSER) == "" {
- config.Namespaces.Add(configs.NEWUSER, "")
- }
- create := func(m specs.IDMapping) configs.IDMap {
- return configs.IDMap{
- HostID: int(m.HostID),
- ContainerID: int(m.ContainerID),
- Size: int(m.Size),
- }
- }
- for _, m := range spec.Linux.UIDMappings {
- config.UidMappings = append(config.UidMappings, create(m))
- }
- for _, m := range spec.Linux.GIDMappings {
- config.GidMappings = append(config.GidMappings, create(m))
- }
- rootUID, err := config.HostUID()
- if err != nil {
- return err
- }
- rootGID, err := config.HostGID()
- if err != nil {
- return err
- }
- for _, node := range config.Devices {
- node.Uid = uint32(rootUID)
- node.Gid = uint32(rootGID)
- }
- return nil
-}
-
-func createLibContainerRlimit(rlimit specs.Rlimit) (configs.Rlimit, error) {
+func createLibContainerRlimit(rlimit specs.POSIXRlimit) (configs.Rlimit, error) {
rl, err := strToRlimit(rlimit.Type)
if err != nil {
return configs.Rlimit{}, err
}
return configs.Rlimit{
Type: rl,
- Hard: uint64(rlimit.Hard),
- Soft: uint64(rlimit.Soft),
+ Hard: rlimit.Hard,
+ Soft: rlimit.Soft,
}, nil
}
-
-// parseMountOptions parses the string and returns the flags, propagation
-// flags and any mount data that it contains.
-func parseMountOptions(options []string) (int, []int, string) {
- var (
- flag int
- pgflag []int
- data []string
- )
- flags := map[string]struct {
- clear bool
- flag int
- }{
- "async": {true, syscall.MS_SYNCHRONOUS},
- "atime": {true, syscall.MS_NOATIME},
- "bind": {false, syscall.MS_BIND},
- "defaults": {false, 0},
- "dev": {true, syscall.MS_NODEV},
- "diratime": {true, syscall.MS_NODIRATIME},
- "dirsync": {false, syscall.MS_DIRSYNC},
- "exec": {true, syscall.MS_NOEXEC},
- "mand": {false, syscall.MS_MANDLOCK},
- "noatime": {false, syscall.MS_NOATIME},
- "nodev": {false, syscall.MS_NODEV},
- "nodiratime": {false, syscall.MS_NODIRATIME},
- "noexec": {false, syscall.MS_NOEXEC},
- "nomand": {true, syscall.MS_MANDLOCK},
- "norelatime": {true, syscall.MS_RELATIME},
- "nostrictatime": {true, syscall.MS_STRICTATIME},
- "nosuid": {false, syscall.MS_NOSUID},
- "rbind": {false, syscall.MS_BIND | syscall.MS_REC},
- "relatime": {false, syscall.MS_RELATIME},
- "remount": {false, syscall.MS_REMOUNT},
- "ro": {false, syscall.MS_RDONLY},
- "rw": {true, syscall.MS_RDONLY},
- "strictatime": {false, syscall.MS_STRICTATIME},
- "suid": {true, syscall.MS_NOSUID},
- "sync": {false, syscall.MS_SYNCHRONOUS},
- }
- propagationFlags := map[string]struct {
- clear bool
- flag int
- }{
- "private": {false, syscall.MS_PRIVATE},
- "shared": {false, syscall.MS_SHARED},
- "slave": {false, syscall.MS_SLAVE},
- "unbindable": {false, syscall.MS_UNBINDABLE},
- "rprivate": {false, syscall.MS_PRIVATE | syscall.MS_REC},
- "rshared": {false, syscall.MS_SHARED | syscall.MS_REC},
- "rslave": {false, syscall.MS_SLAVE | syscall.MS_REC},
- "runbindable": {false, syscall.MS_UNBINDABLE | syscall.MS_REC},
- }
- for _, o := range options {
- // If the option does not exist in the flags table or the flag
- // is not supported on the platform,
- // then it is a data value for a specific fs type
- if f, exists := flags[o]; exists && f.flag != 0 {
- if f.clear {
- flag &= ^f.flag
- } else {
- flag |= f.flag
- }
- } else if f, exists := propagationFlags[o]; exists && f.flag != 0 {
- pgflag = append(pgflag, f.flag)
- } else {
- data = append(data, o)
- }
- }
- return flag, pgflag, strings.Join(data, ",")
-}
-
-func setupSeccomp(config *specs.Seccomp) (*configs.Seccomp, error) {
- if config == nil {
- return nil, nil
- }
-
- // No default action specified, no syscalls listed, assume seccomp disabled
- if config.DefaultAction == "" && len(config.Syscalls) == 0 {
- return nil, nil
- }
-
- newConfig := new(configs.Seccomp)
- newConfig.Syscalls = []*configs.Syscall{}
-
- if len(config.Architectures) > 0 {
- newConfig.Architectures = []string{}
- for _, arch := range config.Architectures {
- newArch, err := seccomp.ConvertStringToArch(string(arch))
- if err != nil {
- return nil, err
- }
- newConfig.Architectures = append(newConfig.Architectures, newArch)
- }
- }
-
- // Convert default action from string representation
- newDefaultAction, err := seccomp.ConvertStringToAction(string(config.DefaultAction))
- if err != nil {
- return nil, err
- }
- newConfig.DefaultAction = newDefaultAction
-
- // Loop through all syscall blocks and convert them to libcontainer format
- for _, call := range config.Syscalls {
- newAction, err := seccomp.ConvertStringToAction(string(call.Action))
- if err != nil {
- return nil, err
- }
-
- newCall := configs.Syscall{
- Name: call.Name,
- Action: newAction,
- Args: []*configs.Arg{},
- }
-
- // Loop through all the arguments of the syscall and convert them
- for _, arg := range call.Args {
- newOp, err := seccomp.ConvertStringToOperator(string(arg.Op))
- if err != nil {
- return nil, err
- }
-
- newArg := configs.Arg{
- Index: arg.Index,
- Value: arg.Value,
- ValueTwo: arg.ValueTwo,
- Op: newOp,
- }
-
- newCall.Args = append(newCall.Args, &newArg)
- }
-
- newConfig.Syscalls = append(newConfig.Syscalls, &newCall)
- }
-
- return newConfig, nil
-}
-
-func createHooks(rspec *specs.Spec, config *configs.Config) {
- config.Hooks = &configs.Hooks{}
- for _, h := range rspec.Hooks.Prestart {
- cmd := configs.Command{
- Path: h.Path,
- Args: h.Args,
- Env: h.Env,
- }
- config.Hooks.Prestart = append(config.Hooks.Prestart, configs.NewCommandHook(cmd))
- }
- for _, h := range rspec.Hooks.Poststart {
- cmd := configs.Command{
- Path: h.Path,
- Args: h.Args,
- Env: h.Env,
- }
- config.Hooks.Poststart = append(config.Hooks.Poststart, configs.NewCommandHook(cmd))
- }
- for _, h := range rspec.Hooks.Poststop {
- cmd := configs.Command{
- Path: h.Path,
- Args: h.Args,
- Env: h.Env,
- }
- config.Hooks.Poststop = append(config.Hooks.Poststop, configs.NewCommandHook(cmd))
- }
-}
diff --git a/vendor/github.com/opencontainers/runc/spec_test.go b/vendor/github.com/opencontainers/runc/spec_test.go
deleted file mode 100644
index 156ee62cdd98e05704f1d8a96e4307d866a16d9d..0000000000000000000000000000000000000000
--- a/vendor/github.com/opencontainers/runc/spec_test.go
+++ /dev/null
@@ -1,39 +0,0 @@
-// build +linux
-
-package main
-
-import (
- "strings"
- "testing"
-
- "github.com/opencontainers/specs/specs-go"
-)
-
-func TestLinuxCgroupsPathSpecified(t *testing.T) {
- cgroupsPath := "/user/cgroups/path/id"
-
- spec := &specs.Spec{}
- spec.Linux.CgroupsPath = &cgroupsPath
-
- cgroup, err := createCgroupConfig("ContainerID", spec)
- if err != nil {
- t.Errorf("Couldn't create Cgroup config: %v", err)
- }
-
- if cgroup.Path != cgroupsPath {
- t.Errorf("Wrong cgroupsPath, expected '%s' got '%s'", cgroupsPath, cgroup.Path)
- }
-}
-
-func TestLinuxCgroupsPathNotSpecified(t *testing.T) {
- spec := &specs.Spec{}
-
- cgroup, err := createCgroupConfig("ContainerID", spec)
- if err != nil {
- t.Errorf("Couldn't create Cgroup config: %v", err)
- }
-
- if !strings.HasSuffix(cgroup.Path, "/ContainerID") {
- t.Errorf("Wrong cgroupsPath, expected it to have suffix '%s' got '%s'", "/ContainerID", cgroup.Path)
- }
-}
diff --git a/vendor/github.com/opencontainers/runc/start.go b/vendor/github.com/opencontainers/runc/start.go
index f846bd1e9ffa172efaffd0332dba19dbc318db9d..2bb698b20952985f3a7aaee4f79b691e3f241f63 100644
--- a/vendor/github.com/opencontainers/runc/start.go
+++ b/vendor/github.com/opencontainers/runc/start.go
@@ -1,123 +1,43 @@
-// +build linux
-
package main
import (
- "os"
- "runtime"
+ "errors"
+ "fmt"
- "github.com/codegangsta/cli"
- "github.com/coreos/go-systemd/activation"
"github.com/opencontainers/runc/libcontainer"
- "github.com/opencontainers/specs/specs-go"
+ "github.com/urfave/cli"
)
-// default action is to start a container
var startCommand = cli.Command{
Name: "start",
- Usage: "create and run a container",
+ Usage: "executes the user defined process in a created container",
ArgsUsage: `<container-id>
Where "<container-id>" is your name for the instance of the container that you
are starting. The name you provide for the container instance must be unique on
your host.`,
- Description: `The start command creates an instance of a container for a bundle. The bundle
-is a directory with a specification file and a root filesystem.`,
- Flags: []cli.Flag{
- cli.StringFlag{
- Name: "bundle, b",
- Value: "",
- Usage: `path to the root of the bundle directory, defaults to the current directory`,
- },
- cli.StringFlag{
- Name: "console",
- Value: "",
- Usage: "specify the pty slave path for use with the container",
- },
- cli.BoolFlag{
- Name: "detach,d",
- Usage: "detach from the container's process",
- },
- cli.StringFlag{
- Name: "pid-file",
- Value: "",
- Usage: "specify the file to write the process id to",
- },
- },
- Action: func(context *cli.Context) {
- bundle := context.String("bundle")
- if bundle != "" {
- if err := os.Chdir(bundle); err != nil {
- fatal(err)
- }
+ Description: `The start command executes the user defined process in a created container.`,
+ Action: func(context *cli.Context) error {
+ if err := checkArgs(context, 1, exactArgs); err != nil {
+ return err
}
- spec, err := loadSpec(specConfig)
+ container, err := getContainer(context)
if err != nil {
- fatal(err)
- }
-
- notifySocket := os.Getenv("NOTIFY_SOCKET")
- if notifySocket != "" {
- setupSdNotify(spec, notifySocket)
+ return err
}
-
- if os.Geteuid() != 0 {
- fatalf("runc should be run as root")
- }
-
- status, err := startContainer(context, spec)
+ status, err := container.Status()
if err != nil {
- fatalf("Container start failed: %v", err)
+ return err
}
- // exit with the container's exit status so any external supervisor is
- // notified of the exit with the correct exit status.
- os.Exit(status)
- },
-}
-
-var initCommand = cli.Command{
- Name: "init",
- Usage: `init is used to initialize the containers namespaces and launch the users process.
- This command should not be called outside of runc.
- `,
- Action: func(context *cli.Context) {
- runtime.GOMAXPROCS(1)
- runtime.LockOSThread()
- factory, _ := libcontainer.New("")
- if err := factory.StartInitialization(); err != nil {
- fatal(err)
+ switch status {
+ case libcontainer.Created:
+ return container.Exec()
+ case libcontainer.Stopped:
+ return errors.New("cannot start a container that has stopped")
+ case libcontainer.Running:
+ return errors.New("cannot start an already running container")
+ default:
+ return fmt.Errorf("cannot start a container in the %s state\n", status)
}
- panic("libcontainer: container init failed to exec")
},
}
-
-func startContainer(context *cli.Context, spec *specs.Spec) (int, error) {
- id := context.Args().First()
- if id == "" {
- return -1, errEmptyID
- }
- container, err := createContainer(context, id, spec)
- if err != nil {
- return -1, err
- }
-
- // ensure that the container is always removed if we were the process
- // that created it.
- detach := context.Bool("detach")
- if !detach {
- defer destroy(container)
- }
-
- // Support on-demand socket activation by passing file descriptors into the container init process.
- listenFDs := []*os.File{}
- if os.Getenv("LISTEN_FDS") != "" {
- listenFDs = activation.Files(false)
- }
-
- status, err := runProcess(container, &spec.Process, listenFDs, context.String("console"), context.String("pid-file"), detach)
- if err != nil {
- destroy(container)
- return -1, err
- }
- return status, nil
-}
diff --git a/vendor/github.com/opencontainers/runc/state.go b/vendor/github.com/opencontainers/runc/state.go
index 0b1fbc9b9c22bbceb9415c683f9acde8d96744a0..718813c36bef6ed944709bf4a162ed85d959d929 100644
--- a/vendor/github.com/opencontainers/runc/state.go
+++ b/vendor/github.com/opencontainers/runc/state.go
@@ -5,32 +5,12 @@ package main
import (
"encoding/json"
"os"
- "time"
- "github.com/codegangsta/cli"
+ "github.com/opencontainers/runc/libcontainer"
+ "github.com/opencontainers/runc/libcontainer/utils"
+ "github.com/urfave/cli"
)
-// cState represents the platform agnostic pieces relating to a running
-// container's status and state. Note: The fields in this structure adhere to
-// the opencontainers/specs/specs-go requirement for json fields that must be returned
-// in a state command.
-type cState struct {
- // Version is the OCI version for the container
- Version string `json:"ociVersion"`
- // ID is the container ID
- ID string `json:"id"`
- // InitProcessPid is the init process id in the parent namespace
- InitProcessPid int `json:"pid"`
- // Bundle is the path on the filesystem to the bundle
- Bundle string `json:"bundlePath"`
- // Rootfs is a path to a directory containing the container's root filesystem.
- Rootfs string `json:"rootfsPath"`
- // Status is the current status of the container, running, paused, ...
- Status string `json:"status"`
- // Created is the unix timestamp for the creation time of the container in UTC
- Created time.Time `json:"created"`
-}
-
var stateCommand = cli.Command{
Name: "state",
Usage: "output the state of a container",
@@ -39,31 +19,42 @@ var stateCommand = cli.Command{
Where "<container-id>" is your name for the instance of the container.`,
Description: `The state command outputs current state information for the
instance of a container.`,
- Action: func(context *cli.Context) {
+ Action: func(context *cli.Context) error {
+ if err := checkArgs(context, 1, exactArgs); err != nil {
+ return err
+ }
container, err := getContainer(context)
if err != nil {
- fatal(err)
+ return err
}
containerStatus, err := container.Status()
if err != nil {
- fatal(err)
+ return err
}
state, err := container.State()
if err != nil {
- fatal(err)
+ return err
}
- cs := cState{
+ pid := state.BaseState.InitProcessPid
+ if containerStatus == libcontainer.Stopped {
+ pid = 0
+ }
+ bundle, annotations := utils.Annotations(state.Config.Labels)
+ cs := containerState{
Version: state.BaseState.Config.Version,
ID: state.BaseState.ID,
- InitProcessPid: state.BaseState.InitProcessPid,
+ InitProcessPid: pid,
Status: containerStatus.String(),
- Bundle: searchLabels(state.Config.Labels, "bundle"),
+ Bundle: bundle,
Rootfs: state.BaseState.Config.Rootfs,
- Created: state.BaseState.Created}
+ Created: state.BaseState.Created,
+ Annotations: annotations,
+ }
data, err := json.MarshalIndent(cs, "", " ")
if err != nil {
- fatal(err)
+ return err
}
os.Stdout.Write(data)
+ return nil
},
}
diff --git a/vendor/github.com/opencontainers/runc/tty.go b/vendor/github.com/opencontainers/runc/tty.go
index fd531068fe7abc151a7ec9c55ee53d95befb9b31..6106c2db36879a4fcf8d153ebb05a3cace9d86c2 100644
--- a/vendor/github.com/opencontainers/runc/tty.go
+++ b/vendor/github.com/opencontainers/runc/tty.go
@@ -6,26 +6,34 @@ import (
"fmt"
"io"
"os"
+ "os/signal"
"sync"
- "github.com/docker/docker/pkg/term"
+ "github.com/containerd/console"
"github.com/opencontainers/runc/libcontainer"
+ "github.com/opencontainers/runc/libcontainer/utils"
)
-// newTty creates a new tty for use with the container. If a tty is not to be
-// created for the process, pipes are created so that the TTY of the parent
-// process are not inherited by the container.
-func newTty(create bool, p *libcontainer.Process, rootuid int, console string) (*tty, error) {
- if create {
- return createTty(p, rootuid, console)
- }
- return createStdioPipes(p, rootuid)
+type tty struct {
+ epoller *console.Epoller
+ console *console.EpollConsole
+ stdin console.Console
+ closers []io.Closer
+ postStart []io.Closer
+ wg sync.WaitGroup
+ consoleC chan error
+}
+
+func (t *tty) copyIO(w io.Writer, r io.ReadCloser) {
+ defer t.wg.Done()
+ io.Copy(w, r)
+ r.Close()
}
-// setup standard pipes so that the TTY of the calling runc process
-// is not inherited by the container.
-func createStdioPipes(p *libcontainer.Process, rootuid int) (*tty, error) {
- i, err := p.InitializeIO(rootuid)
+// setup pipes for the process so that advanced features like c/r are able to easily checkpoint
+// and restore the process's IO without depending on a host specific path or device
+func setupProcessPipes(p *libcontainer.Process, rootuid, rootgid int) (*tty, error) {
+ i, err := p.InitializeIO(rootuid, rootgid)
if err != nil {
return nil, err
}
@@ -56,45 +64,71 @@ func createStdioPipes(p *libcontainer.Process, rootuid int) (*tty, error) {
return t, nil
}
-func (t *tty) copyIO(w io.Writer, r io.ReadCloser) {
- defer t.wg.Done()
- io.Copy(w, r)
- r.Close()
+func inheritStdio(process *libcontainer.Process) error {
+ process.Stdin = os.Stdin
+ process.Stdout = os.Stdout
+ process.Stderr = os.Stderr
+ return nil
}
-func createTty(p *libcontainer.Process, rootuid int, consolePath string) (*tty, error) {
- if consolePath != "" {
- if err := p.ConsoleFromPath(consolePath); err != nil {
- return nil, err
- }
- return &tty{}, nil
+func (t *tty) recvtty(process *libcontainer.Process, socket *os.File) (Err error) {
+ f, err := utils.RecvFd(socket)
+ if err != nil {
+ return err
}
- console, err := p.NewConsole(rootuid)
+ cons, err := console.ConsoleFromFile(f)
if err != nil {
- return nil, err
+ return err
+ }
+ console.ClearONLCR(cons.Fd())
+ epoller, err := console.NewEpoller()
+ if err != nil {
+ return err
}
- go io.Copy(console, os.Stdin)
- go io.Copy(os.Stdout, console)
+ epollConsole, err := epoller.Add(cons)
+ if err != nil {
+ return err
+ }
+ defer func() {
+ if Err != nil {
+ epollConsole.Close()
+ }
+ }()
+ go epoller.Wait()
+ go io.Copy(epollConsole, os.Stdin)
+ t.wg.Add(1)
+ go t.copyIO(os.Stdout, epollConsole)
- state, err := term.SetRawTerminal(os.Stdin.Fd())
+ // set raw mode to stdin and also handle interrupt
+ stdin, err := console.ConsoleFromFile(os.Stdin)
if err != nil {
- return nil, fmt.Errorf("failed to set the terminal from the stdin: %v", err)
+ return err
}
- return &tty{
- console: console,
- state: state,
- closers: []io.Closer{
- console,
- },
- }, nil
+ if err := stdin.SetRaw(); err != nil {
+ return fmt.Errorf("failed to set the terminal from the stdin: %v", err)
+ }
+ go handleInterrupt(stdin)
+
+ t.epoller = epoller
+ t.stdin = stdin
+ t.console = epollConsole
+ t.closers = []io.Closer{epollConsole}
+ return nil
}
-type tty struct {
- console libcontainer.Console
- state *term.State
- closers []io.Closer
- postStart []io.Closer
- wg sync.WaitGroup
+func handleInterrupt(c console.Console) {
+ sigchan := make(chan os.Signal, 1)
+ signal.Notify(sigchan, os.Interrupt)
+ <-sigchan
+ c.Reset()
+ os.Exit(0)
+}
+
+func (t *tty) waitConsole() error {
+ if t.consoleC != nil {
+ return <-t.consoleC
+ }
+ return nil
}
// ClosePostStart closes any fds that are provided to the container and dup2'd
@@ -106,20 +140,24 @@ func (t *tty) ClosePostStart() error {
return nil
}
-// Close closes all open fds for the tty and/or restores the orignal
+// Close closes all open fds for the tty and/or restores the original
// stdin state to what it was prior to the container execution
func (t *tty) Close() error {
// ensure that our side of the fds are always closed
for _, c := range t.postStart {
c.Close()
}
- // wait for the copy routines to finish before closing the fds
+ // the process is gone at this point, shutting down the console if we have
+ // one and wait for all IO to be finished
+ if t.console != nil && t.epoller != nil {
+ t.console.Shutdown(t.epoller.CloseConsole)
+ }
t.wg.Wait()
for _, c := range t.closers {
c.Close()
}
- if t.state != nil {
- term.RestoreTerminal(os.Stdin.Fd(), t.state)
+ if t.stdin != nil {
+ t.stdin.Reset()
}
return nil
}
@@ -128,9 +166,5 @@ func (t *tty) resize() error {
if t.console == nil {
return nil
}
- ws, err := term.GetWinsize(os.Stdin.Fd())
- if err != nil {
- return err
- }
- return term.SetWinsize(t.console.Fd(), ws)
+ return t.console.ResizeFrom(console.Current())
}
diff --git a/vendor/github.com/opencontainers/runc/update.go b/vendor/github.com/opencontainers/runc/update.go
new file mode 100644
index 0000000000000000000000000000000000000000..05dc4b516ba2e991e37e6a9430787beda538ae54
--- /dev/null
+++ b/vendor/github.com/opencontainers/runc/update.go
@@ -0,0 +1,304 @@
+// +build linux
+
+package main
+
+import (
+ "encoding/json"
+ "fmt"
+ "os"
+ "strconv"
+
+ "github.com/docker/go-units"
+ "github.com/opencontainers/runc/libcontainer/configs"
+ "github.com/opencontainers/runc/libcontainer/intelrdt"
+ "github.com/opencontainers/runtime-spec/specs-go"
+ "github.com/urfave/cli"
+)
+
+func i64Ptr(i int64) *int64 { return &i }
+func u64Ptr(i uint64) *uint64 { return &i }
+func u16Ptr(i uint16) *uint16 { return &i }
+
+var updateCommand = cli.Command{
+ Name: "update",
+ Usage: "update container resource constraints",
+ ArgsUsage: `<container-id>`,
+ Flags: []cli.Flag{
+ cli.StringFlag{
+ Name: "resources, r",
+ Value: "",
+ Usage: `path to the file containing the resources to update or '-' to read from the standard input
+
+The accepted format is as follow (unchanged values can be omitted):
+
+{
+ "memory": {
+ "limit": 0,
+ "reservation": 0,
+ "swap": 0,
+ "kernel": 0,
+ "kernelTCP": 0
+ },
+ "cpu": {
+ "shares": 0,
+ "quota": 0,
+ "period": 0,
+ "realtimeRuntime": 0,
+ "realtimePeriod": 0,
+ "cpus": "",
+ "mems": ""
+ },
+ "blockIO": {
+ "weight": 0
+ }
+}
+
+Note: if data is to be read from a file or the standard input, all
+other options are ignored.
+`,
+ },
+
+ cli.IntFlag{
+ Name: "blkio-weight",
+ Usage: "Specifies per cgroup weight, range is from 10 to 1000",
+ },
+ cli.StringFlag{
+ Name: "cpu-period",
+ Usage: "CPU CFS period to be used for hardcapping (in usecs). 0 to use system default",
+ },
+ cli.StringFlag{
+ Name: "cpu-quota",
+ Usage: "CPU CFS hardcap limit (in usecs). Allowed cpu time in a given period",
+ },
+ cli.StringFlag{
+ Name: "cpu-share",
+ Usage: "CPU shares (relative weight vs. other containers)",
+ },
+ cli.StringFlag{
+ Name: "cpu-rt-period",
+ Usage: "CPU realtime period to be used for hardcapping (in usecs). 0 to use system default",
+ },
+ cli.StringFlag{
+ Name: "cpu-rt-runtime",
+ Usage: "CPU realtime hardcap limit (in usecs). Allowed cpu time in a given period",
+ },
+ cli.StringFlag{
+ Name: "cpuset-cpus",
+ Usage: "CPU(s) to use",
+ },
+ cli.StringFlag{
+ Name: "cpuset-mems",
+ Usage: "Memory node(s) to use",
+ },
+ cli.StringFlag{
+ Name: "kernel-memory",
+ Usage: "Kernel memory limit (in bytes)",
+ },
+ cli.StringFlag{
+ Name: "kernel-memory-tcp",
+ Usage: "Kernel memory limit (in bytes) for tcp buffer",
+ },
+ cli.StringFlag{
+ Name: "memory",
+ Usage: "Memory limit (in bytes)",
+ },
+ cli.StringFlag{
+ Name: "memory-reservation",
+ Usage: "Memory reservation or soft_limit (in bytes)",
+ },
+ cli.StringFlag{
+ Name: "memory-swap",
+ Usage: "Total memory usage (memory + swap); set '-1' to enable unlimited swap",
+ },
+ cli.IntFlag{
+ Name: "pids-limit",
+ Usage: "Maximum number of pids allowed in the container",
+ },
+ cli.StringFlag{
+ Name: "l3-cache-schema",
+ Usage: "The string of Intel RDT/CAT L3 cache schema",
+ },
+ cli.StringFlag{
+ Name: "mem-bw-schema",
+ Usage: "The string of Intel RDT/MBA memory bandwidth schema",
+ },
+ },
+ Action: func(context *cli.Context) error {
+ if err := checkArgs(context, 1, exactArgs); err != nil {
+ return err
+ }
+ container, err := getContainer(context)
+ if err != nil {
+ return err
+ }
+
+ r := specs.LinuxResources{
+ Memory: &specs.LinuxMemory{
+ Limit: i64Ptr(0),
+ Reservation: i64Ptr(0),
+ Swap: i64Ptr(0),
+ Kernel: i64Ptr(0),
+ KernelTCP: i64Ptr(0),
+ },
+ CPU: &specs.LinuxCPU{
+ Shares: u64Ptr(0),
+ Quota: i64Ptr(0),
+ Period: u64Ptr(0),
+ RealtimeRuntime: i64Ptr(0),
+ RealtimePeriod: u64Ptr(0),
+ Cpus: "",
+ Mems: "",
+ },
+ BlockIO: &specs.LinuxBlockIO{
+ Weight: u16Ptr(0),
+ },
+ Pids: &specs.LinuxPids{
+ Limit: 0,
+ },
+ }
+
+ config := container.Config()
+
+ if in := context.String("resources"); in != "" {
+ var (
+ f *os.File
+ err error
+ )
+ switch in {
+ case "-":
+ f = os.Stdin
+ default:
+ f, err = os.Open(in)
+ if err != nil {
+ return err
+ }
+ }
+ err = json.NewDecoder(f).Decode(&r)
+ if err != nil {
+ return err
+ }
+ } else {
+ if val := context.Int("blkio-weight"); val != 0 {
+ r.BlockIO.Weight = u16Ptr(uint16(val))
+ }
+ if val := context.String("cpuset-cpus"); val != "" {
+ r.CPU.Cpus = val
+ }
+ if val := context.String("cpuset-mems"); val != "" {
+ r.CPU.Mems = val
+ }
+
+ for _, pair := range []struct {
+ opt string
+ dest *uint64
+ }{
+
+ {"cpu-period", r.CPU.Period},
+ {"cpu-rt-period", r.CPU.RealtimePeriod},
+ {"cpu-share", r.CPU.Shares},
+ } {
+ if val := context.String(pair.opt); val != "" {
+ var err error
+ *pair.dest, err = strconv.ParseUint(val, 10, 64)
+ if err != nil {
+ return fmt.Errorf("invalid value for %s: %s", pair.opt, err)
+ }
+ }
+ }
+ for _, pair := range []struct {
+ opt string
+ dest *int64
+ }{
+
+ {"cpu-quota", r.CPU.Quota},
+ {"cpu-rt-runtime", r.CPU.RealtimeRuntime},
+ } {
+ if val := context.String(pair.opt); val != "" {
+ var err error
+ *pair.dest, err = strconv.ParseInt(val, 10, 64)
+ if err != nil {
+ return fmt.Errorf("invalid value for %s: %s", pair.opt, err)
+ }
+ }
+ }
+ for _, pair := range []struct {
+ opt string
+ dest *int64
+ }{
+ {"memory", r.Memory.Limit},
+ {"memory-swap", r.Memory.Swap},
+ {"kernel-memory", r.Memory.Kernel},
+ {"kernel-memory-tcp", r.Memory.KernelTCP},
+ {"memory-reservation", r.Memory.Reservation},
+ } {
+ if val := context.String(pair.opt); val != "" {
+ var v int64
+
+ if val != "-1" {
+ v, err = units.RAMInBytes(val)
+ if err != nil {
+ return fmt.Errorf("invalid value for %s: %s", pair.opt, err)
+ }
+ } else {
+ v = -1
+ }
+ *pair.dest = v
+ }
+ }
+ r.Pids.Limit = int64(context.Int("pids-limit"))
+ }
+
+ // Update the value
+ config.Cgroups.Resources.BlkioWeight = *r.BlockIO.Weight
+ config.Cgroups.Resources.CpuPeriod = *r.CPU.Period
+ config.Cgroups.Resources.CpuQuota = *r.CPU.Quota
+ config.Cgroups.Resources.CpuShares = *r.CPU.Shares
+ config.Cgroups.Resources.CpuRtPeriod = *r.CPU.RealtimePeriod
+ config.Cgroups.Resources.CpuRtRuntime = *r.CPU.RealtimeRuntime
+ config.Cgroups.Resources.CpusetCpus = r.CPU.Cpus
+ config.Cgroups.Resources.CpusetMems = r.CPU.Mems
+ config.Cgroups.Resources.KernelMemory = *r.Memory.Kernel
+ config.Cgroups.Resources.KernelMemoryTCP = *r.Memory.KernelTCP
+ config.Cgroups.Resources.Memory = *r.Memory.Limit
+ config.Cgroups.Resources.MemoryReservation = *r.Memory.Reservation
+ config.Cgroups.Resources.MemorySwap = *r.Memory.Swap
+ config.Cgroups.Resources.PidsLimit = r.Pids.Limit
+
+ // Update Intel RDT
+ l3CacheSchema := context.String("l3-cache-schema")
+ memBwSchema := context.String("mem-bw-schema")
+ if l3CacheSchema != "" && !intelrdt.IsCatEnabled() {
+ return fmt.Errorf("Intel RDT/CAT: l3 cache schema is not enabled")
+ }
+
+ if memBwSchema != "" && !intelrdt.IsMbaEnabled() {
+ return fmt.Errorf("Intel RDT/MBA: memory bandwidth schema is not enabled")
+ }
+
+ if l3CacheSchema != "" || memBwSchema != "" {
+ // If intelRdt is not specified in original configuration, we just don't
+ // Apply() to create intelRdt group or attach tasks for this container.
+ // In update command, we could re-enable through IntelRdtManager.Apply()
+ // and then update intelrdt constraint.
+ if config.IntelRdt == nil {
+ state, err := container.State()
+ if err != nil {
+ return err
+ }
+ config.IntelRdt = &configs.IntelRdt{}
+ intelRdtManager := intelrdt.IntelRdtManager{
+ Config: &config,
+ Id: container.ID(),
+ Path: state.IntelRdtPath,
+ }
+ if err := intelRdtManager.Apply(state.InitProcessPid); err != nil {
+ return err
+ }
+ }
+ config.IntelRdt.L3CacheSchema = l3CacheSchema
+ config.IntelRdt.MemBwSchema = memBwSchema
+ }
+
+ return container.Set(config)
+ },
+}
diff --git a/vendor/github.com/opencontainers/runc/utils.go b/vendor/github.com/opencontainers/runc/utils.go
index 269fd9d7d9630c46056e555f624dc0fd6053cc51..5165336fba7e9b8aa6246c3e8d113fa1645ec13b 100644
--- a/vendor/github.com/opencontainers/runc/utils.go
+++ b/vendor/github.com/opencontainers/runc/utils.go
@@ -1,383 +1,94 @@
-// +build linux
-
package main
import (
- "errors"
"fmt"
"os"
- "os/exec"
"path/filepath"
"strconv"
- "syscall"
+ "strings"
+
+ "github.com/opencontainers/runtime-spec/specs-go"
"github.com/sirupsen/logrus"
- "github.com/codegangsta/cli"
- "github.com/opencontainers/runc/libcontainer"
- "github.com/opencontainers/runc/libcontainer/configs"
- "github.com/opencontainers/specs/specs-go"
+ "github.com/urfave/cli"
)
-const wildcard = -1
-
-var errEmptyID = errors.New("container id cannot be empty")
-
-var allowedDevices = []*configs.Device{
- // allow mknod for any device
- {
- Type: 'c',
- Major: wildcard,
- Minor: wildcard,
- Permissions: "m",
- Allow: true,
- },
- {
- Type: 'b',
- Major: wildcard,
- Minor: wildcard,
- Permissions: "m",
- Allow: true,
- },
- {
- Type: 'c',
- Path: "/dev/null",
- Major: 1,
- Minor: 3,
- Permissions: "rwm",
- Allow: true,
- },
- {
- Type: 'c',
- Path: "/dev/random",
- Major: 1,
- Minor: 8,
- Permissions: "rwm",
- Allow: true,
- },
- {
- Type: 'c',
- Path: "/dev/full",
- Major: 1,
- Minor: 7,
- Permissions: "rwm",
- Allow: true,
- },
- {
- Type: 'c',
- Path: "/dev/tty",
- Major: 5,
- Minor: 0,
- Permissions: "rwm",
- Allow: true,
- },
- {
- Type: 'c',
- Path: "/dev/zero",
- Major: 1,
- Minor: 5,
- Permissions: "rwm",
- Allow: true,
- },
- {
- Type: 'c',
- Path: "/dev/urandom",
- Major: 1,
- Minor: 9,
- Permissions: "rwm",
- Allow: true,
- },
- {
- Path: "/dev/console",
- Type: 'c',
- Major: 5,
- Minor: 1,
- Permissions: "rwm",
- Allow: true,
- },
- // /dev/pts/ - pts namespaces are "coming soon"
- {
- Path: "",
- Type: 'c',
- Major: 136,
- Minor: wildcard,
- Permissions: "rwm",
- Allow: true,
- },
- {
- Path: "",
- Type: 'c',
- Major: 5,
- Minor: 2,
- Permissions: "rwm",
- Allow: true,
- },
- // tuntap
- {
- Path: "",
- Type: 'c',
- Major: 10,
- Minor: 200,
- Permissions: "rwm",
- Allow: true,
- },
-}
-
-var (
- maskedPaths = []string{
- "/proc/kcore",
- "/proc/latency_stats",
- "/proc/timer_stats",
- "/proc/sched_debug",
- }
- readonlyPaths = []string{
- "/proc/asound",
- "/proc/bus",
- "/proc/fs",
- "/proc/irq",
- "/proc/sys",
- "/proc/sysrq-trigger",
- }
+const (
+ exactArgs = iota
+ minArgs
+ maxArgs
)
-var container libcontainer.Container
+func checkArgs(context *cli.Context, expected, checkType int) error {
+ var err error
+ cmdName := context.Command.Name
+ switch checkType {
+ case exactArgs:
+ if context.NArg() != expected {
+ err = fmt.Errorf("%s: %q requires exactly %d argument(s)", os.Args[0], cmdName, expected)
+ }
+ case minArgs:
+ if context.NArg() < expected {
+ err = fmt.Errorf("%s: %q requires a minimum of %d argument(s)", os.Args[0], cmdName, expected)
+ }
+ case maxArgs:
+ if context.NArg() > expected {
+ err = fmt.Errorf("%s: %q requires a maximum of %d argument(s)", os.Args[0], cmdName, expected)
+ }
+ }
-func containerPreload(context *cli.Context) error {
- c, err := getContainer(context)
if err != nil {
+ fmt.Printf("Incorrect Usage.\n\n")
+ cli.ShowCommandHelp(context, cmdName)
return err
}
- container = c
return nil
}
-// loadFactory returns the configured factory instance for execing containers.
-func loadFactory(context *cli.Context) (libcontainer.Factory, error) {
- var (
- debug = "false"
- root = context.GlobalString("root")
- )
- if context.GlobalBool("debug") {
- debug = "true"
- }
- abs, err := filepath.Abs(root)
- if err != nil {
- return nil, err
- }
- logAbs, err := filepath.Abs(context.GlobalString("log"))
- if err != nil {
- return nil, err
- }
- return libcontainer.New(abs, libcontainer.Cgroupfs, func(l *libcontainer.LinuxFactory) error {
- l.CriuPath = context.GlobalString("criu")
- return nil
- },
- libcontainer.InitArgs(os.Args[0],
- "--log", logAbs,
- "--log-format", context.GlobalString("log-format"),
- fmt.Sprintf("--debug=%s", debug),
- "init"),
- )
-}
-
-// getContainer returns the specified container instance by loading it from state
-// with the default factory.
-func getContainer(context *cli.Context) (libcontainer.Container, error) {
- id := context.Args().First()
- if id == "" {
- return nil, errEmptyID
- }
- factory, err := loadFactory(context)
- if err != nil {
- return nil, err
- }
- return factory.Load(id)
-}
-
// fatal prints the error's details if it is a libcontainer specific error type
// then exits the program with an exit status of 1.
func fatal(err error) {
// make sure the error is written to the logger
logrus.Error(err)
- // return proper unix error codes
- if exerr, ok := err.(*exec.Error); ok {
- switch exerr.Err {
- case os.ErrPermission:
- fmt.Fprintln(os.Stderr, err)
- os.Exit(126)
- case exec.ErrNotFound:
- fmt.Fprintln(os.Stderr, err)
- os.Exit(127)
- default:
- if os.IsNotExist(exerr.Err) {
- fmt.Fprintf(os.Stderr, "exec: %s: %v\n", strconv.Quote(exerr.Name), os.ErrNotExist)
- os.Exit(127)
- }
- }
- }
fmt.Fprintln(os.Stderr, err)
os.Exit(1)
}
-func fatalf(t string, v ...interface{}) {
- fatal(fmt.Errorf(t, v...))
-}
-
-func getDefaultImagePath(context *cli.Context) string {
- cwd, err := os.Getwd()
- if err != nil {
- panic(err)
- }
- return filepath.Join(cwd, "checkpoint")
-}
-
-// newProcess returns a new libcontainer Process with the arguments from the
-// spec and stdio from the current process.
-func newProcess(p specs.Process) (*libcontainer.Process, error) {
- lp := &libcontainer.Process{
- Args: p.Args,
- Env: p.Env,
- // TODO: fix libcontainer's API to better support uid/gid in a typesafe way.
- User: fmt.Sprintf("%d:%d", p.User.UID, p.User.GID),
- Cwd: p.Cwd,
- Capabilities: p.Capabilities,
- Label: p.SelinuxLabel,
- NoNewPrivileges: &p.NoNewPrivileges,
- AppArmorProfile: p.ApparmorProfile,
- }
- for _, rlimit := range p.Rlimits {
- rl, err := createLibContainerRlimit(rlimit)
- if err != nil {
- return nil, err
- }
- lp.Rlimits = append(lp.Rlimits, rl)
- }
- return lp, nil
-}
-
-func dupStdio(process *libcontainer.Process, rootuid int) error {
- process.Stdin = os.Stdin
- process.Stdout = os.Stdout
- process.Stderr = os.Stderr
- for _, fd := range []uintptr{
- os.Stdin.Fd(),
- os.Stdout.Fd(),
- os.Stderr.Fd(),
- } {
- if err := syscall.Fchown(int(fd), rootuid, rootuid); err != nil {
- return err
- }
- }
- return nil
-}
-
-// If systemd is supporting sd_notify protocol, this function will add support
-// for sd_notify protocol from within the container.
-func setupSdNotify(spec *specs.Spec, notifySocket string) {
- spec.Mounts = append(spec.Mounts, specs.Mount{Destination: notifySocket, Type: "bind", Source: notifySocket, Options: []string{"bind"}})
- spec.Process.Env = append(spec.Process.Env, fmt.Sprintf("NOTIFY_SOCKET=%s", notifySocket))
-}
-
-func destroy(container libcontainer.Container) {
- if err := container.Destroy(); err != nil {
- logrus.Error(err)
- }
-}
-
-// setupIO sets the proper IO on the process depending on the configuration
-// If there is a nil error then there must be a non nil tty returned
-func setupIO(process *libcontainer.Process, rootuid int, console string, createTTY, detach bool) (*tty, error) {
- // detach and createTty will not work unless a console path is passed
- // so error out here before changing any terminal settings
- if createTTY && detach && console == "" {
- return nil, fmt.Errorf("cannot allocate tty if runc will detach")
- }
- if createTTY {
- return createTty(process, rootuid, console)
- }
- if detach {
- if err := dupStdio(process, rootuid); err != nil {
+// setupSpec performs initial setup based on the cli.Context for the container
+func setupSpec(context *cli.Context) (*specs.Spec, error) {
+ bundle := context.String("bundle")
+ if bundle != "" {
+ if err := os.Chdir(bundle); err != nil {
return nil, err
}
- return &tty{}, nil
- }
- return createStdioPipes(process, rootuid)
-}
-
-func createPidFile(path string, process *libcontainer.Process) error {
- pid, err := process.Pid()
- if err != nil {
- return err
- }
- f, err := os.OpenFile(path, os.O_RDWR|os.O_CREATE|os.O_EXCL, 0666)
- if err != nil {
- return err
- }
- defer f.Close()
- _, err = fmt.Fprintf(f, "%d", pid)
- return err
-}
-
-func createContainer(context *cli.Context, id string, spec *specs.Spec) (libcontainer.Container, error) {
- config, err := createLibcontainerConfig(id, spec)
- if err != nil {
- return nil, err
- }
-
- if _, err := os.Stat(config.Rootfs); err != nil {
- if os.IsNotExist(err) {
- return nil, fmt.Errorf("rootfs (%q) does not exist", config.Rootfs)
- }
- return nil, err
}
-
- factory, err := loadFactory(context)
+ spec, err := loadSpec(specConfig)
if err != nil {
return nil, err
}
- return factory.Create(id, config)
+ return spec, nil
}
-// runProcess will create a new process in the specified container
-// by executing the process specified in the 'config'.
-func runProcess(container libcontainer.Container, config *specs.Process, listenFDs []*os.File, console string, pidFile string, detach bool) (int, error) {
- process, err := newProcess(*config)
- if err != nil {
- return -1, err
- }
-
- // Add extra file descriptors if needed
- if len(listenFDs) > 0 {
- process.Env = append(process.Env, fmt.Sprintf("LISTEN_FDS=%d", len(listenFDs)), "LISTEN_PID=1")
- process.ExtraFiles = append(process.ExtraFiles, listenFDs...)
+func revisePidFile(context *cli.Context) error {
+ pidFile := context.String("pid-file")
+ if pidFile == "" {
+ return nil
}
- rootuid, err := container.Config().HostUID()
+ // convert pid-file to an absolute path so we can write to the right
+ // file after chdir to bundle
+ pidFile, err := filepath.Abs(pidFile)
if err != nil {
- return -1, err
+ return err
}
+ return context.Set("pid-file", pidFile)
+}
- tty, err := setupIO(process, rootuid, console, config.Terminal, detach)
- if err != nil {
- return -1, err
- }
- defer tty.Close()
- handler := newSignalHandler(tty)
- defer handler.Close()
- if err := container.Start(process); err != nil {
- return -1, err
- }
- if err := tty.ClosePostStart(); err != nil {
- return -1, err
- }
- if pidFile != "" {
- if err := createPidFile(pidFile, process); err != nil {
- process.Signal(syscall.SIGKILL)
- process.Wait()
- return -1, err
- }
- }
- if detach {
- return 0, nil
+// parseBoolOrAuto returns (nil, nil) if s is empty or "auto"
+func parseBoolOrAuto(s string) (*bool, error) {
+ if s == "" || strings.ToLower(s) == "auto" {
+ return nil, nil
}
- return handler.forward(process)
+ b, err := strconv.ParseBool(s)
+ return &b, err
}
diff --git a/vendor/github.com/opencontainers/runc/utils_linux.go b/vendor/github.com/opencontainers/runc/utils_linux.go
new file mode 100644
index 0000000000000000000000000000000000000000..a37b1c3dfa4269baf1b27f6b27837a817dd8caca
--- /dev/null
+++ b/vendor/github.com/opencontainers/runc/utils_linux.go
@@ -0,0 +1,439 @@
+// +build linux
+
+package main
+
+import (
+ "errors"
+ "fmt"
+ "net"
+ "os"
+ "os/exec"
+ "path/filepath"
+ "strconv"
+
+ "github.com/opencontainers/runc/libcontainer"
+ "github.com/opencontainers/runc/libcontainer/cgroups/systemd"
+ "github.com/opencontainers/runc/libcontainer/configs"
+ "github.com/opencontainers/runc/libcontainer/intelrdt"
+ "github.com/opencontainers/runc/libcontainer/specconv"
+ "github.com/opencontainers/runc/libcontainer/utils"
+ "github.com/opencontainers/runtime-spec/specs-go"
+
+ "github.com/coreos/go-systemd/activation"
+ "github.com/sirupsen/logrus"
+ "github.com/urfave/cli"
+ "golang.org/x/sys/unix"
+)
+
+var errEmptyID = errors.New("container id cannot be empty")
+
+// loadFactory returns the configured factory instance for execing containers.
+func loadFactory(context *cli.Context) (libcontainer.Factory, error) {
+ root := context.GlobalString("root")
+ abs, err := filepath.Abs(root)
+ if err != nil {
+ return nil, err
+ }
+
+ // We default to cgroupfs, and can only use systemd if the system is a
+ // systemd box.
+ cgroupManager := libcontainer.Cgroupfs
+ rootlessCg, err := shouldUseRootlessCgroupManager(context)
+ if err != nil {
+ return nil, err
+ }
+ if rootlessCg {
+ cgroupManager = libcontainer.RootlessCgroupfs
+ }
+ if context.GlobalBool("systemd-cgroup") {
+ if systemd.UseSystemd() {
+ cgroupManager = libcontainer.SystemdCgroups
+ } else {
+ return nil, fmt.Errorf("systemd cgroup flag passed, but systemd support for managing cgroups is not available")
+ }
+ }
+
+ intelRdtManager := libcontainer.IntelRdtFs
+ if !intelrdt.IsCatEnabled() && !intelrdt.IsMbaEnabled() {
+ intelRdtManager = nil
+ }
+
+ // We resolve the paths for {newuidmap,newgidmap} from the context of runc,
+ // to avoid doing a path lookup in the nsexec context. TODO: The binary
+ // names are not currently configurable.
+ newuidmap, err := exec.LookPath("newuidmap")
+ if err != nil {
+ newuidmap = ""
+ }
+ newgidmap, err := exec.LookPath("newgidmap")
+ if err != nil {
+ newgidmap = ""
+ }
+
+ return libcontainer.New(abs, cgroupManager, intelRdtManager,
+ libcontainer.CriuPath(context.GlobalString("criu")),
+ libcontainer.NewuidmapPath(newuidmap),
+ libcontainer.NewgidmapPath(newgidmap))
+}
+
+// getContainer returns the specified container instance by loading it from state
+// with the default factory.
+func getContainer(context *cli.Context) (libcontainer.Container, error) {
+ id := context.Args().First()
+ if id == "" {
+ return nil, errEmptyID
+ }
+ factory, err := loadFactory(context)
+ if err != nil {
+ return nil, err
+ }
+ return factory.Load(id)
+}
+
+func fatalf(t string, v ...interface{}) {
+ fatal(fmt.Errorf(t, v...))
+}
+
+func getDefaultImagePath(context *cli.Context) string {
+ cwd, err := os.Getwd()
+ if err != nil {
+ panic(err)
+ }
+ return filepath.Join(cwd, "checkpoint")
+}
+
+// newProcess returns a new libcontainer Process with the arguments from the
+// spec and stdio from the current process.
+func newProcess(p specs.Process, init bool) (*libcontainer.Process, error) {
+ lp := &libcontainer.Process{
+ Args: p.Args,
+ Env: p.Env,
+ // TODO: fix libcontainer's API to better support uid/gid in a typesafe way.
+ User: fmt.Sprintf("%d:%d", p.User.UID, p.User.GID),
+ Cwd: p.Cwd,
+ Label: p.SelinuxLabel,
+ NoNewPrivileges: &p.NoNewPrivileges,
+ AppArmorProfile: p.ApparmorProfile,
+ Init: init,
+ }
+
+ if p.ConsoleSize != nil {
+ lp.ConsoleWidth = uint16(p.ConsoleSize.Width)
+ lp.ConsoleHeight = uint16(p.ConsoleSize.Height)
+ }
+
+ if p.Capabilities != nil {
+ lp.Capabilities = &configs.Capabilities{}
+ lp.Capabilities.Bounding = p.Capabilities.Bounding
+ lp.Capabilities.Effective = p.Capabilities.Effective
+ lp.Capabilities.Inheritable = p.Capabilities.Inheritable
+ lp.Capabilities.Permitted = p.Capabilities.Permitted
+ lp.Capabilities.Ambient = p.Capabilities.Ambient
+ }
+ for _, gid := range p.User.AdditionalGids {
+ lp.AdditionalGroups = append(lp.AdditionalGroups, strconv.FormatUint(uint64(gid), 10))
+ }
+ for _, rlimit := range p.Rlimits {
+ rl, err := createLibContainerRlimit(rlimit)
+ if err != nil {
+ return nil, err
+ }
+ lp.Rlimits = append(lp.Rlimits, rl)
+ }
+ return lp, nil
+}
+
+func destroy(container libcontainer.Container) {
+ if err := container.Destroy(); err != nil {
+ logrus.Error(err)
+ }
+}
+
+// setupIO modifies the given process config according to the options.
+func setupIO(process *libcontainer.Process, rootuid, rootgid int, createTTY, detach bool, sockpath string) (*tty, error) {
+ if createTTY {
+ process.Stdin = nil
+ process.Stdout = nil
+ process.Stderr = nil
+ t := &tty{}
+ if !detach {
+ parent, child, err := utils.NewSockPair("console")
+ if err != nil {
+ return nil, err
+ }
+ process.ConsoleSocket = child
+ t.postStart = append(t.postStart, parent, child)
+ t.consoleC = make(chan error, 1)
+ go func() {
+ if err := t.recvtty(process, parent); err != nil {
+ t.consoleC <- err
+ }
+ t.consoleC <- nil
+ }()
+ } else {
+ // the caller of runc will handle receiving the console master
+ conn, err := net.Dial("unix", sockpath)
+ if err != nil {
+ return nil, err
+ }
+ uc, ok := conn.(*net.UnixConn)
+ if !ok {
+ return nil, fmt.Errorf("casting to UnixConn failed")
+ }
+ t.postStart = append(t.postStart, uc)
+ socket, err := uc.File()
+ if err != nil {
+ return nil, err
+ }
+ t.postStart = append(t.postStart, socket)
+ process.ConsoleSocket = socket
+ }
+ return t, nil
+ }
+ // when runc will detach the caller provides the stdio to runc via runc's 0,1,2
+ // and the container's process inherits runc's stdio.
+ if detach {
+ if err := inheritStdio(process); err != nil {
+ return nil, err
+ }
+ return &tty{}, nil
+ }
+ return setupProcessPipes(process, rootuid, rootgid)
+}
+
+// createPidFile creates a file with the processes pid inside it atomically
+// it creates a temp file with the paths filename + '.' infront of it
+// then renames the file
+func createPidFile(path string, process *libcontainer.Process) error {
+ pid, err := process.Pid()
+ if err != nil {
+ return err
+ }
+ var (
+ tmpDir = filepath.Dir(path)
+ tmpName = filepath.Join(tmpDir, fmt.Sprintf(".%s", filepath.Base(path)))
+ )
+ f, err := os.OpenFile(tmpName, os.O_RDWR|os.O_CREATE|os.O_EXCL|os.O_SYNC, 0666)
+ if err != nil {
+ return err
+ }
+ _, err = fmt.Fprintf(f, "%d", pid)
+ f.Close()
+ if err != nil {
+ return err
+ }
+ return os.Rename(tmpName, path)
+}
+
+func createContainer(context *cli.Context, id string, spec *specs.Spec) (libcontainer.Container, error) {
+ rootlessCg, err := shouldUseRootlessCgroupManager(context)
+ if err != nil {
+ return nil, err
+ }
+ config, err := specconv.CreateLibcontainerConfig(&specconv.CreateOpts{
+ CgroupName: id,
+ UseSystemdCgroup: context.GlobalBool("systemd-cgroup"),
+ NoPivotRoot: context.Bool("no-pivot"),
+ NoNewKeyring: context.Bool("no-new-keyring"),
+ Spec: spec,
+ RootlessEUID: os.Geteuid() != 0,
+ RootlessCgroups: rootlessCg,
+ })
+ if err != nil {
+ return nil, err
+ }
+
+ factory, err := loadFactory(context)
+ if err != nil {
+ return nil, err
+ }
+ return factory.Create(id, config)
+}
+
+type runner struct {
+ init bool
+ enableSubreaper bool
+ shouldDestroy bool
+ detach bool
+ listenFDs []*os.File
+ preserveFDs int
+ pidFile string
+ consoleSocket string
+ container libcontainer.Container
+ action CtAct
+ notifySocket *notifySocket
+ criuOpts *libcontainer.CriuOpts
+}
+
+func (r *runner) run(config *specs.Process) (int, error) {
+ if err := r.checkTerminal(config); err != nil {
+ r.destroy()
+ return -1, err
+ }
+ process, err := newProcess(*config, r.init)
+ if err != nil {
+ r.destroy()
+ return -1, err
+ }
+ if len(r.listenFDs) > 0 {
+ process.Env = append(process.Env, fmt.Sprintf("LISTEN_FDS=%d", len(r.listenFDs)), "LISTEN_PID=1")
+ process.ExtraFiles = append(process.ExtraFiles, r.listenFDs...)
+ }
+ baseFd := 3 + len(process.ExtraFiles)
+ for i := baseFd; i < baseFd+r.preserveFDs; i++ {
+ process.ExtraFiles = append(process.ExtraFiles, os.NewFile(uintptr(i), "PreserveFD:"+strconv.Itoa(i)))
+ }
+ rootuid, err := r.container.Config().HostRootUID()
+ if err != nil {
+ r.destroy()
+ return -1, err
+ }
+ rootgid, err := r.container.Config().HostRootGID()
+ if err != nil {
+ r.destroy()
+ return -1, err
+ }
+ var (
+ detach = r.detach || (r.action == CT_ACT_CREATE)
+ )
+ // Setting up IO is a two stage process. We need to modify process to deal
+ // with detaching containers, and then we get a tty after the container has
+ // started.
+ handler := newSignalHandler(r.enableSubreaper, r.notifySocket)
+ tty, err := setupIO(process, rootuid, rootgid, config.Terminal, detach, r.consoleSocket)
+ if err != nil {
+ r.destroy()
+ return -1, err
+ }
+ defer tty.Close()
+
+ switch r.action {
+ case CT_ACT_CREATE:
+ err = r.container.Start(process)
+ case CT_ACT_RESTORE:
+ err = r.container.Restore(process, r.criuOpts)
+ case CT_ACT_RUN:
+ err = r.container.Run(process)
+ default:
+ panic("Unknown action")
+ }
+ if err != nil {
+ r.destroy()
+ return -1, err
+ }
+ if err := tty.waitConsole(); err != nil {
+ r.terminate(process)
+ r.destroy()
+ return -1, err
+ }
+ if err = tty.ClosePostStart(); err != nil {
+ r.terminate(process)
+ r.destroy()
+ return -1, err
+ }
+ if r.pidFile != "" {
+ if err = createPidFile(r.pidFile, process); err != nil {
+ r.terminate(process)
+ r.destroy()
+ return -1, err
+ }
+ }
+ status, err := handler.forward(process, tty, detach)
+ if err != nil {
+ r.terminate(process)
+ }
+ if detach {
+ return 0, nil
+ }
+ r.destroy()
+ return status, err
+}
+
+func (r *runner) destroy() {
+ if r.shouldDestroy {
+ destroy(r.container)
+ }
+}
+
+func (r *runner) terminate(p *libcontainer.Process) {
+ _ = p.Signal(unix.SIGKILL)
+ _, _ = p.Wait()
+}
+
+func (r *runner) checkTerminal(config *specs.Process) error {
+ detach := r.detach || (r.action == CT_ACT_CREATE)
+ // Check command-line for sanity.
+ if detach && config.Terminal && r.consoleSocket == "" {
+ return fmt.Errorf("cannot allocate tty if runc will detach without setting console socket")
+ }
+ if (!detach || !config.Terminal) && r.consoleSocket != "" {
+ return fmt.Errorf("cannot use console socket if runc will not detach or allocate tty")
+ }
+ return nil
+}
+
+func validateProcessSpec(spec *specs.Process) error {
+ if spec.Cwd == "" {
+ return fmt.Errorf("Cwd property must not be empty")
+ }
+ if !filepath.IsAbs(spec.Cwd) {
+ return fmt.Errorf("Cwd must be an absolute path")
+ }
+ if len(spec.Args) == 0 {
+ return fmt.Errorf("args must not be empty")
+ }
+ return nil
+}
+
+type CtAct uint8
+
+const (
+ CT_ACT_CREATE CtAct = iota + 1
+ CT_ACT_RUN
+ CT_ACT_RESTORE
+)
+
+func startContainer(context *cli.Context, spec *specs.Spec, action CtAct, criuOpts *libcontainer.CriuOpts) (int, error) {
+ id := context.Args().First()
+ if id == "" {
+ return -1, errEmptyID
+ }
+
+ notifySocket := newNotifySocket(context, os.Getenv("NOTIFY_SOCKET"), id)
+ if notifySocket != nil {
+ notifySocket.setupSpec(context, spec)
+ }
+
+ container, err := createContainer(context, id, spec)
+ if err != nil {
+ return -1, err
+ }
+
+ if notifySocket != nil {
+ err := notifySocket.setupSocket()
+ if err != nil {
+ return -1, err
+ }
+ }
+
+ // Support on-demand socket activation by passing file descriptors into the container init process.
+ listenFDs := []*os.File{}
+ if os.Getenv("LISTEN_FDS") != "" {
+ listenFDs = activation.Files(false)
+ }
+ r := &runner{
+ enableSubreaper: !context.Bool("no-subreaper"),
+ shouldDestroy: true,
+ container: container,
+ listenFDs: listenFDs,
+ notifySocket: notifySocket,
+ consoleSocket: context.String("console-socket"),
+ detach: context.Bool("detach"),
+ pidFile: context.String("pid-file"),
+ preserveFDs: context.Int("preserve-fds"),
+ action: action,
+ criuOpts: criuOpts,
+ init: true,
+ }
+ return r.run(spec.Process)
+}