commit | 86a85582d2aa137dd5d9c4e021e65f9585161f30 | [log] [tgz] |
---|---|---|
author | Ido Yariv <ido@wizery.com> | Fri Jul 31 20:33:31 2015 |
committer | Ido Yariv <ido@wizery.com> | Mon Aug 03 18:59:15 2015 |
tree | 69fa8be4dca932c7518e926dc7ed542a7fa0e9fa | |
parent | 2fbe13aac3195a48ae6145e8cc08dd3c366d9fb6 [diff] |
Don't set /proc/<PID>/setgroups to deny in Go1.5 A boolean field named GidMappingsEnableSetgroups was added to SysProcAttr in Go1.5. This field determines the value of the process's setgroups proc entry. Since the default is to set the entry to 'deny', calling setgroups will fail on systems running kernels 3.19+. Set GidMappingsEnableSetgroups to true so setgroups wont be set to 'deny'. Signed-off-by: Ido Yariv <ido@wizery.com>
runc
is a CLI tool for spawning and running containers according to the OCF specification.
Currently runc
is an implementation of the OCF specification. We are currently sprinting to have a v1 of the spec out within a quick timeframe of a few weeks, ~July 2015, so the runc
config format will be constantly changing until the spec is finalized. However, we encourage you to try out the tool and give feedback.
How does runc
integrate with the Open Container Format? runc
depends on the types specified in the specs repository. Whenever the specification is updated and ready to be versioned runc
will update it's dependency on the specs repository and support the update spec.
# create a 'github.com/opencontainers' in your GOPATH/src cd github.com/opencontainers git clone https://github.com/opencontainers/runc cd runc make sudo make install
To run a container that you received just execute runc
with the JSON format as the argument or have a config.json
file in the current working directory.
runc / $ ps PID USER COMMAND 1 daemon sh 5 daemon sh / $
Below is a sample config.json
configuration file. It assumes that the file-system is found in a directory called rootfs
and there is a user named daemon
defined within that file-system.
{ "version": "pre-draft", "platform": { "os": "linux", "arch": "amd64" }, "process": { "terminal": true, "user": { "uid": 0, "gid": 0, "additionalGids": null }, "args": [ "sh" ], "env": [ "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", "TERM=xterm" ], "cwd": "" }, "root": { "path": "rootfs", "readonly": true }, "hostname": "shell", "mounts": [ { "type": "proc", "source": "proc", "destination": "/proc", "options": "" }, { "type": "tmpfs", "source": "tmpfs", "destination": "/dev", "options": "nosuid,strictatime,mode=755,size=65536k" }, { "type": "devpts", "source": "devpts", "destination": "/dev/pts", "options": "nosuid,noexec,newinstance,ptmxmode=0666,mode=0620,gid=5" }, { "type": "tmpfs", "source": "shm", "destination": "/dev/shm", "options": "nosuid,noexec,nodev,mode=1777,size=65536k" }, { "type": "mqueue", "source": "mqueue", "destination": "/dev/mqueue", "options": "nosuid,noexec,nodev" }, { "type": "sysfs", "source": "sysfs", "destination": "/sys", "options": "nosuid,noexec,nodev" }, { "type": "cgroup", "source": "cgroup", "destination": "/sys/fs/cgroup", "options": "nosuid,noexec,nodev,relatime,ro" } ], "linux": { "uidMapping": null, "gidMapping": null, "rlimits": null, "systemProperties": null, "resources": { "disableOOMKiller": false, "memory": { "limit": 0, "reservation": 0, "swap": 0, "kernel": 0, "swappiness": -1 }, "cpu": { "shares": 0, "quota": 0, "period": 0, "realtimeRuntime": 0, "realtimePeriod": 0, "cpus": "", "mems": "" }, "blockIO": { "blkioWeight": 0, "blkioWeightDevice": "", "blkioThrottleReadBpsDevice": "", "blkioThrottleWriteBpsDevice": "", "blkioThrottleReadIopsDevice": "", "blkioThrottleWriteIopsDevice": "" }, "hugepageLimits": null, "network": { "classId": "", "priorities": null } }, "namespaces": [ { "type": "process", "path": "" }, { "type": "network", "path": "" }, { "type": "ipc", "path": "" }, { "type": "uts", "path": "" }, { "type": "mount", "path": "" } ], "capabilities": [ "AUDIT_WRITE", "KILL", "NET_BIND_SERVICE" ], "devices": [ "null", "random", "full", "tty", "zero", "urandom" ] } }
To test using Docker's busybox
image follow these steps:
docker
and download the busybox
image: docker pull busybox
docker export $(docker create busybox) > busybox.tar
mkdir rootfs tar -C rootfs -xf busybox.tar
config.json
using the example from above. You can also generate a spec using runc spec
, redirecting the output into config.json
runc
and you should be placed into a shell where you can run ps
:$ runc / # ps PID USER COMMAND 1 root sh 9 root ps
[Unit] Description=Minecraft Build Server Documentation=http://minecraft.net After=network.target [Service] CPUQuota=200% MemoryLimit=1536M ExecStart=/usr/local/bin/runc Restart=on-failure WorkingDirectory=/containers/minecraftbuild [Install] WantedBy=multi-user.target