opencontainers / runc
CLI tool for spawning and running containers according to the OCI specification
Home Page: https://www.opencontainers.org/
License: Apache License 2.0
It fails to build runc master branch (00f6b56) on Debian wheezy with Go 1.3 because of range syntax compatibility.
go build -o runc .
# github.com/opencontainers/runc
./events.go:61: syntax error: unexpected range, expecting {
./events.go:68: syntax error: argument to go/defer must be function call
./events.go:69: syntax error: need trailing comma before newline in composite literal
./events.go:70: non-declaration statement outside function body
./events.go:73: non-declaration statement outside function body
./events.go:92: non-declaration statement outside function body
./events.go:93: non-declaration statement outside function body
./events.go:94: syntax error: unexpected }
make: *** [all] Error 2
hi all,
I am using a CentOS base image to run a runc instance.
After entering the runc instance, I could find the default generated network interface file:
/etc/sysconfig/network-scripts/ifcfg-ens3
After configuring the above file, what confused me is that there is no support such as:
The reason I need the network interface is that I want to run a network service in runc, such as:
python -m SimpleHTTPServer 8000
And the above service can be visited from outside of the runc environment.
Can I achieve this with runc?
In some older kernels setting memory swappiness fails. This happens even when
nobody tries to configure swappiness from docker UI because we would still get
some default value from host config.
With this we treat -1 value as default value and skip the enforcement
of swappiness.
In your OPEN CONTAINER PROJECT homepage, you say:
The specification will be available at https://github.com/opencontainers/specs.
but that is still missing.
I was occasionally getting this error when running docker:
> docker run --rm -ti busybox
Error response from daemon: Cannot start container ca65deb2d7972d5a1772023ad82d843bb639fcfea9d75e78e0f99fcad9e683ba: [8] System error: write /sys/fs/cgroup/cpuset/system.slice/docker-ca65deb2d7972d5a1772023ad82d843bb639fcfea9d75e78e0f99fcad9e683ba.scope/cgroup.procs: no space left on device
After investigating a bit I found the cause of the problem.
I get this error because cpuset.mems in the container's cpuset cgroup directory is empty. In that case, libcontainer sets that file to the value of the parent and does this recursively until it finds an existing parent.
An example might be easier to understand. If the container's cpuset cgroup directory is
/sys/fs/cgroup/cpuset/system.slice/docker-ca65deb2d7972d5a1772023ad82d843bb639fcfea9d75e78e0f99fcad9e683ba.scope
and the current existing directories are
/sys/fs/cgroup/cpuset/
libcontainer will start at docker-ca65deb2d7972d5a1772023ad82d843bb639fcfea9d75e78e0f99fcad9e683ba.scope, go to the parent and then go one more level up to cpuset because system.slice doesn't exist. Then it will set /sys/fs/cgroup/cpuset/system.slice/cpuset.mems to the value in /sys/fs/cgroup/cpuset/cpuset.mems and /sys/fs/cgroup/cpuset/system.slice/docker-ca65deb2d7972d5a1772023ad82d843bb639fcfea9d75e78e0f99fcad9e683ba.scope/cpuset.mems to that same value.
This works fine when /sys/fs/cgroup/system.slice doesn't exist. But if it exists and has an empty value, /sys/fs/cgroup/cpuset/system.slice/docker-ca65deb2d7972d5a1772023ad82d843bb639fcfea9d75e78e0f99fcad9e683ba.scope/cpuset.mems will also end up with an empty value, causing the error.
The solution could be keeping the recursion until you find the first non-empty value or you're out of the cpuset controller.
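As an added illustration of the recursion fix proposed in this report (example code written for this page, not libcontainer's own implementation): the walk up the cpuset tree stops at the controller root, and when every ancestor up to that root is empty it returns an error instead of writing an empty cpuset.mems into the container's directory. The temp-dir fixture and the docker-EXAMPLE.scope name are constructed for the example; the function names are assumptions.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// buildFixture creates a constructed cpuset tree under a temp dir that mirrors
// the report: the controller root holds rootValue, system.slice exists with an
// EMPTY cpuset.mems, and the container scope below it is empty too.
// The scope name is a placeholder, not a real container id.
func buildFixture(rootValue string) (root, scope string, err error) {
	root, err = os.MkdirTemp("", "cpuset-example")
	if err != nil {
		return "", "", err
	}
	slice := filepath.Join(root, "system.slice")
	scope = filepath.Join(slice, "docker-EXAMPLE.scope")
	if err = os.MkdirAll(scope, 0o755); err != nil {
		return "", "", err
	}
	files := map[string]string{
		filepath.Join(root, "cpuset.mems"):  rootValue,
		filepath.Join(slice, "cpuset.mems"): "",
		filepath.Join(scope, "cpuset.mems"): "",
	}
	for p, v := range files {
		if err = os.WriteFile(p, []byte(v), 0o644); err != nil {
			return "", "", err
		}
	}
	return root, scope, nil
}

// readValue returns the trimmed content of file in dir; a missing file reads as "".
func readValue(dir, file string) (string, error) {
	data, err := os.ReadFile(filepath.Join(dir, file))
	if err != nil {
		if os.IsNotExist(err) {
			return "", nil
		}
		return "", err
	}
	return strings.TrimSpace(string(data)), nil
}

// propagateCpusetFile is the fix suggested in the report: starting at dir, walk
// up until the first non-empty value of file, never leaving controllerRoot, then
// write that value into every empty ancestor and into dir itself. If nothing
// non-empty exists up to the controller root, it refuses to write "".
func propagateCpusetFile(controllerRoot, dir, file string) (string, error) {
	rel, err := filepath.Rel(controllerRoot, dir)
	if err != nil || rel == ".." || strings.HasPrefix(rel, "../") {
		return "", fmt.Errorf("%s is not inside the cpuset controller %s", dir, controllerRoot)
	}
	// Pass 1: find the nearest non-empty value, stopping at the controller root.
	value := ""
	for d := dir; ; d = filepath.Dir(d) {
		v, err := readValue(d, file)
		if err != nil {
			return "", err
		}
		if v != "" {
			value = v
			break
		}
		if d == controllerRoot {
			return "", fmt.Errorf("no non-empty %s found between %s and %s", file, dir, controllerRoot)
		}
	}
	// Pass 2: fill every empty directory on the path so the container inherits it.
	for d := dir; ; d = filepath.Dir(d) {
		v, err := readValue(d, file)
		if err != nil {
			return "", err
		}
		if v != "" {
			break // the first non-empty ancestor is where the value came from
		}
		if err := os.WriteFile(filepath.Join(d, file), []byte(value), 0o644); err != nil {
			return "", err
		}
		if d == controllerRoot {
			break
		}
	}
	return value, nil
}

func main() {
	root, scope, err := buildFixture("0")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	v, err := propagateCpusetFile(root, scope, "cpuset.mems")
	fmt.Printf("value=%q err=%v\n", v, err) // value="0" err=<nil>
}
```

The two-pass shape matters for the failure mode described above: the value is only written once a non-empty source is known, so a fully empty branch of the hierarchy yields a diagnosable error rather than the "no space left on device" write failure.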
go get github.com/tools/godep
unexpected fault address 0x2b2a00000011
fatal error: fault
[signal 0xb code=0x1 addr=0x2b2a00000011]
goroutine 5 [running]:
:0
:0
:0
:0
:0
:0
:0
goroutine 1 [select]:
main.$nested27
/build/buildd/gccgo-go-1.2.1/src/cmd/go/http.go:57
main.httpsOrHTTP
/build/buildd/gccgo-go-1.2.1/src/cmd/go/http.go:65
main.repoRootForImportDynamic
/build/buildd/gccgo-go-1.2.1/src/cmd/go/vcs.go:468
main.repoRootForImportPath
/build/buildd/gccgo-go-1.2.1/src/cmd/go/vcs.go:362
main.downloadPackage
/build/buildd/gccgo-go-1.2.1/src/cmd/go/get.go:269
main.download
/build/buildd/gccgo-go-1.2.1/src/cmd/go/get.go:166
main.download
/build/buildd/gccgo-go-1.2.1/src/cmd/go/get.go:232
main.runGet
/build/buildd/gccgo-go-1.2.1/src/cmd/go/get.go:72
main.main
/build/buildd/gccgo-go-1.2.1/src/cmd/go/main.go:161
goroutine 3 [syscall]:
goroutine in C code; stack unavailable
make: *** [all] Error 2
Hello,
runc is working fine. thanks for that.
However, I would like to get networking connectivity inside the container first, and then, as a next stage, get the container talking to the host and eventually to the internet.
I've defined the network key in container.json as such:
$ cat container.json
[...]
    "network": [
        {
            "type": "loopback",
            "address": "127.0.0.1/0",
            "gateway": "localhost"
        },
        {
            "type": "veth",
            "name": "net",
            "bridge": "br0",
            "address": "172.17.42.2",
            "gateway": "172.17.42.1",
            "host_interface_name": "veth0"
        }
    ],
[...]
However, I can't connect to a listening socket inside the container:
root@shell:~# cat test.py
import socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0)
s.bind(('127.0.0.1', 1234))
s.listen(0)
while True:
    m = s.accept()
    print 'ack'
(virtualenv)root@shell:~# python test.py &
[1] 21
(virtualenv)root@shell:~# netstat -tupan
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:1234 0.0.0.0:* LISTEN 21/python
(virtualenv)root@shell:~# echo a >/dev/tcp/127.0.0.1/1234
bash: connect: Network is unreachable
bash: /dev/tcp/127.0.0.1/1234: Network is unreachable
(virtualenv)root@shell:~# ip addr
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
(virtualenv)root@shell:~# ifconfig lo 127.0.0.1 up
SIOCSIFADDR: Operation not permitted
SIOCSIFFLAGS: Operation not permitted
SIOCSIFFLAGS: Operation not permitted
Some sys details below:
$ runc -v
runc version 0.1
$ uname -a
Linux octopus 3.19.0-22-generic #22-Ubuntu SMP Tue Jun 16 17:15:15 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 15.04
Release: 15.04
Codename: vivid
How to get interface lo up and get the socket talking?
Thanks.
When I pulled the latest runc from repo, I could not start the container due to the following error
FATA[0000] Container start failed: [7] Invalid configuration: unable to restrict sys entries without a private MNT namespace
Upon investigating, it looks like the namespaces had been moved from PortableSpec to struct Linux in spec_linux.go.
File spec_linux.go
for _, ns := range spec.Linux.Namespaces {
Above for loop is not executed because spec.Linux.Namespaces is empty.
Same thing is applicable for spec.Linux.Devices which has been moved from Portable Spec to Linux struct.
Note:
if I make the following changes ( added back Namespaces and Devices in PortableSpec struct)
spec.Linux.Namespaces --> spec.Namespaces,
spec.Linux.Devices --> spec.Devices
Then I'm able to start the container
Thanks
Rajasec
Hello,
I am unable to launch the container. It keeps trying to find daemon user.
$ cd /container
$ runc
Unable to find user daemon
WARN[0000] exit status 1
Timestamp: 2015-06-23 14:20:51.598848353 +0000 UTC
Code: System error
Message: Unable to find user daemon
Frames:
---
0: func·006
Package: github.com/opencontainers/runc/libcontainer
File: factory_linux.go@225
---
1: StartInitialization
Package: github.com/opencontainers/runc/libcontainer.(*LinuxFactory)
File: factory_linux.go@236
---
2: init·1
Package: main
File: main.go@33
---
3: init
Package: main
File: utils.go@173
---
4: main
Package: runtime
File: proc.go@58
---
5: goexit
Package: runtime
File: asm_amd64.s@2232
Some sys details below:
$ runc -v
runc version 0.1
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 15.04
Release: 15.04
Codename: vivid
$ uname -a
Linux octopus 3.19.0-22-generic #22-Ubuntu SMP Tue Jun 16 17:15:15 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
$ go version
go version go1.4 linux/amd64
$ cat /container/container.json
{
    "version": "0.1",
    "os": "linux",
    "arch": "amd64",
    "processes": [
        {
            "tty": true,
            "user": "daemon",
            "args": [
                "sh"
            ],
            "env": [
                "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
                "TERM=xterm"
            ],
            "cwd": ""
        }
    ],
    "root": {
        "path": "rootfs",
        "readonly": true
    },
    "cpus": 1.1,
    "memory": 1024,
    "hostname": "shell",
    "namespaces": [
        {
            "type": "mount"
        },
        {
            "type": "ipc"
        },
        {
            "type": "uts"
        }
    ],
    "capabilities": [
        "AUDIT_WRITE",
        "KILL",
        "NET_BIND_SERVICE"
    ],
    "devices": [
        "null",
        "random",
        "full",
        "tty",
        "zero",
        "urandom"
    ],
    "mounts": [
        {
            "type": "proc",
            "source": "proc",
            "destination": "/proc",
            "options": ""
        },
        {
            "type": "tmpfs",
            "source": "tmpfs",
            "destination": "/dev",
            "options": "nosuid,strictatime,mode=755,size=65536k"
        },
        {
            "type": "devpts",
            "source": "devpts",
            "destination": "/dev/pts",
            "options": "nosuid,noexec,newinstance,ptmxmode=0666,mode=0620,gid=5"
        },
        {
            "type": "tmpfs",
            "source": "shm",
            "destination": "/dev/shm",
            "options": "nosuid,noexec,nodev,mode=1777,size=65536k"
        },
        {
            "type": "mqueue",
            "source": "mqueue",
            "destination": "/dev/mqueue",
            "options": "nosuid,noexec,nodev"
        },
        {
            "type": "sysfs",
            "source": "sysfs",
            "destination": "/sys",
            "options": "nosuid,noexec,nodev"
        }
    ]
}
$ id daemon
uid=1(daemon) gid=1(daemon) groups=1(daemon)
When a container is launched with a bind mount between /dev (on the host) and /dev (in the container), all subsequent attempts to open /dev/ptmx fail.
setupPtmx() in libcontainer/rootfs_linux.go will unconditionally remove /dev/ptmx and then symlink it to /dev/pts/ptmx, which is a character file that is untouchable by unprivileged users. This prevents unprivileged programs which rely on getpt from running on the host (such as X terminals, screen, and tmux).
I discovered this via docker, but it happens in any libcontainer app if /dev/ is shared with the container before setupPtmx. Is there a reason for libcontainer to touch /dev (at all) if it's mounted directly from the host? I have tested this on Fedora 22 and 21, SELinux is set to permissive, as well as Arch Linux without SELinux.
I can reproduce this consistently.
uname -a: Linux wtemple.localdomain 4.0.6-300.fc22.x86_64 #1 SMP Tue Jun 23 13:58:53 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
config.json:
{
    "version": "0.1.1",
    "platform": {
        "os": "linux",
        "arch": "amd64"
    },
    "process": {
        "terminal": true,
        "user": "root",
        "args": [
            "/bin/sh"
        ],
        "env": [
            "PATH=/bin,/sbin"
        ],
        "cwd": ""
    },
    "root": {
        "path": "rootfs",
        "readonly": true
    },
    "hostname": "shell",
    "mounts": [
        {
            "type": "proc",
            "source": "proc",
            "destination": "/proc",
            "options": ""
        },
        {
            "type": "sysfs",
            "source": "sysfs",
            "destination": "/sys",
            "options": "nosuid,noexec,nodev"
        },
        {
            "type": "bind",
            "source": "/dev",
            "destination": "/dev",
            "options": "bind"
        }
    ],
    "linux": {
        "namespaces": [
            {
                "type": "process"
            },
            {
                "type": "network"
            },
            {
                "type": "mount"
            },
            {
                "type": "ipc"
            },
            {
                "type": "uts"
            }
        ],
        "capabilities": [
            "AUDIT_WRITE",
            "KILL",
            "NET_BIND_SERVICE"
        ],
        "devices": [
            "null"
        ]
    }
}
I can execute runc with the absolute path; however, when I execute runc as a command (typing only "runc"), an error occurs.
When executed with the full path:
$ sudo /usr/local/bin/runc
/ $
When executed as a command (/home/hitsu/work/runC is my working directory):
sudo runc
Timestamp: 2015-06-26 09:09:39.184956634 +0900 JST
Code: System error
Message: fork/exec /home/hitsu/work/runC/runc: no such file or directory
Frames:
---
0: start
Package: github.com/opencontainers/runc/libcontainer.(*initProcess)
File: process_linux.go@183
---
1: Start
Package: github.com/opencontainers/runc/libcontainer.(*linuxContainer)
File: container_linux.go@107
---
2: execContainer
Package: main
File: run.go@41
---
3: func·006
Package: main
File: main.go@89
---
4: Run
Package: github.com/codegangsta/cli.(*App)
File: app.go@159
---
5: main
Package: main
File: main.go@104
---
6: main
Package: runtime
File: proc.go@63
---
7: goexit
Package: runtime
File: asm_amd64.s@2232
Currently, in projects that consume the SELinux api from libcontainer, you need to differentiate files for builds for linux and other platforms. It might be really convenient to have an implementation of SelinuxEnabled
for non-supported platforms. Thoughts? @mrunalp @crosbymichael @rhatdan @vbatts
Currently the version is 1. From experience with the Docker remote API, we regretted bitterly not starting with a 0.x version number, it would have made it easier to break things later.
We should change this before opening the repo if possible.
I modified the config.json file under resources
"blkioWeightDevice": "500"
After starting the container, it fails to start; error thrown out:
Container start failed: [8] System error: write /sys/fs/cgroup/blkio/user/1000.user/c2.session/runc/blkio.weight_device: invalid argument
cgroups/fs/blkio_test.go
Even blkio_test.go sets the weight device value with the /tmp folder as destination, which is the reason the tests pass. If the destination were /sys, the tests would have failed.
Kernel : 3.18.8
Machine : Ubuntu
When I'm running "make test", I run into failing tests during integration/checkpoint_test.go TestCheckpoint (among others, all with the same error).
See below for an example of one of the errors.
When I look at the config that is being used for container.start(&pconfig) it does not have cgroups designated under mounts. Should that exist in the test config being passed in or is there something I am missing for my environment? I cloned the repo at commit 9be9157
Test output below
=== RUN TestCheckpoint
time="2015-08-06T20:44:48Z" level=warning msg="signal: killed"
:make: *** [localtest] Error 1
make: *** [test] Error 2
--- FAIL: TestCheckpoint (0.14s)
checkpoint_test.go:99: [8] System error: mountpoint for cgroup not found
Is there a possibility that I can use runc in these ways?
1) Taking an Ubuntu image and checking for installed services
runc -c services.json
services.json
{
    "services": [{
        "sname": "Nginx",
        "parentfolder": "/var/lib/nginx",
        "conffolder": "/etc/nginx",
        "sservicestatus": "stopped"
    }]
}
The service checks can be implemented any.
2) Can we execute commands the way we execute commands on Docker
docker exec <container-id> command
runc -e echo "Hello World"
3) Can we have more information about the Spec file we create for any container to run?
I'm hoping we can get a new tag added, so I can make a pull request upstream in docker. I'm getting emails every day or two about the current docker C/R branch not working, and the only blocker to fixing it is merging in the latest runc changes.
When using a config with user namespaces with go1.5, run gets a permission issue trying to call setgroups(0, []). The reason is that in go1.5 setting the uid_map causes setgroups to be set to deny.
An obvious fix is to not setgroups if there are no additional groups specified:
diff --git a/libcontainer/init_linux.go b/libcontainer/init_linux.go
index 3e78d4b..30cd42a 100644
--- a/libcontainer/init_linux.go
+++ b/libcontainer/init_linux.go
@@ -168,8 +168,10 @@ func setupUser(config *initConfig) error {
}
suppGroups := append(execUser.Sgids, addGroups...)
- if err := syscall.Setgroups(suppGroups); err != nil {
- return err
+ if len(suppGroups) != 0 {
+ if err := syscall.Setgroups(suppGroups); err != nil {
+ return err
+ }
}
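Review bot: the `if len(suppGroups) != 0` guard in this hunk is not behaviour-preserving outside the user-namespace case: the removed unconditional `syscall.Setgroups(suppGroups)` call with an empty list also dropped any supplementary groups the init process inherited, and with the guard those groups are now silently kept for every container whose config lists no additional groups. Narrow the skip to the condition that actually fails (setgroups denied after uid_map is written, as the description above explains), or at least add a comment on the new branch stating why an empty list is skipped, so the least-privilege intent of the original call is not lost by accident.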
But this doesn't help the case where we actually want to set groups. We could also set the SysProcAttr.GidMappingsEnableSetgroups = true when we create the process, but this flag only exists in 1.5 so we need some build flags to only set it in go1.5. Also we may only want it to be true if AdditionalGids are set in the json.
see moby/moby#15053
Seems that seccomp currently supports linux/amd64 only right now. There is only a file jump_amd64.go, and no jump_386.go, jump_arm.go nor jump_arm64.go.
Any plans to support linux/386, linux/arm and linux/arm64 soon?
It is unclear if this project requires DCO signoff
http://developercertificate.org
At the very least there should be a CONTRIBUTING.md
This is how it might look:
FROM alpine:3.2
COPY . /go/src/github.com/opencontainers/runc
RUN apk --update add go alpine-sdk linux-headers && \
cd /go/src/github.com/opencontainers/runc && \
GOPATH=/go PATH=$PATH:/go/bin make && \
cp /go/src/github.com/opencontainers/runc/runc /bin/runc && \
apk del go alpine-sdk linux-headers && \
rm -rf /go
CMD ["/bin/sh"]
docker run --rm -it --privileged \
-v /usr/local/bin/docker:/usr/bin/docker \
-v /var/run/docker.sock:/var/run/docker.sock \
-v /sys/fs/cgroup:/sys/fs/cgroup runc
I managed to run the debian:jessie image with this (f1006a365a06 is a running debian image):
/ # cd
~ # docker export f1006a365a06 > debian.tar
~ # mkdir /container
~ # mkdir /container/rootfs
~ # cd /container/rootfs/
/container/rootfs # tar xf ~/debian.tar
/container/rootfs # nano ../container.json
/bin/sh: nano: not found
/container/rootfs # nano ../container.json
/container/rootfs # apk add nano
(1/3) Installing ncurses-terminfo-base (5.9-r3)
(2/3) Installing ncurses-widec-libs (5.9-r3)
(3/3) Installing nano (2.4.1-r0)
Executing busybox-1.23.2-r0.trigger
OK: 6 MiB in 18 packages
/container/rootfs # nano ../container.json
/container/rootfs # cd ..
/container # runc
$ uname -a
Linux shell 4.0.5-boot2docker #1 SMP Tue Jun 16 01:39:56 UTC 2015 x86_64 GNU/Linux
$ /bin/bash
debconf.conf debian_version default/ deluser.conf
daemon@shell:/$ cat /etc/debian_version
8.1
Exporting the compiled runc binary is also possible:
docker run --rm runc cat /bin/runc > runc
Does it even make sense to have it in this repo?
hi team,
According to the README.md introduction:
To run a container that you received just execute runc with the JSON format as the argument or have a container.json file in the current working directory.
But the runc command line told me that the file needed is config.json, not container.json.
So first I moved the content from container.json to config.json; the runc command showed me another error:
FATA[0000] Container start failed: Rootfs ("/opt/usr/runc/rootfs") does not exist
I read the rootfs documentation; it says rootfs is "always present in 2.6 systems."
https://www.kernel.org/doc/Documentation/filesystems/ramfs-rootfs-initramfs.txt
Then I created a directory at /opt/usr/runc/rootfs/ and ran runc, but it failed again:
FATA[0000] Container start failed: [7] Invalid configuration: unable to set hostname without a private UTS namespace
In my config.json file, the hostname is equal to the hostname command output.
What should I change in the config.json file for runc?
thanks
Right now runc requires being run as root, whereas technically it should be possible to run containers as an unprivileged user (at least if user namespaces are used).
host:~/runcdir# ls -l ../runc
-rwxr-xr-x 1 root root 7467584 6月 23 06:30 ../runc
host:~/runcdir# ls -l
total 8
-rw-r--r-- 1 root root 1457 6月 23 06:31 container.json
drwxr-xr-x 21 root root 4096 6月 23 05:06 rootfs
host:~/runcdir# ../runc
Timestamp: 2015-06-23 06:31:13.157456619 +0900 JST
Code: System error
Message: fork/exec ../runc: no such file or directory
Frames:
---
0: start
Package: github.com/opencontainers/runc/libcontainer.(*initProcess)
File: process_linux.go@183
---
1: Start
Package: github.com/opencontainers/runc/libcontainer.(*linuxContainer)
File: container_linux.go@107
---
2: execContainer
Package: main
File: run.go@41
---
3: func·006
Package: main
File: main.go@88
4: Run
Package: github.com/codegangsta/cli.(*App)
File: app.go@159
---
5: main
Package: main
File: main.go@96
---
6: main
Package: runtime
File: proc.go@63
---
7: goexit
Package: runtime
File: asm_amd64.s@2232
absolute path OK
host:~/runcdir# /root/runc
$
host:~/runcdir# ~/runc
$
Because ../runc does not exist after the chdir to rootfs.
I think this is irregular.
But I want you to fix it.
Edwards-MacBook-Air:src emv$ git clone https://github.com/opencontainers/runc.git
Cloning into 'runc'...
remote: Counting objects: 7237, done.
remote: Total 7237 (delta 0), reused 0 (delta 0), pack-reused 7237
Receiving objects: 100% (7237/7237), 1.59 MiB | 1.67 MiB/s, done.
Resolving deltas: 100% (4531/4531), done.
Checking connectivity... done.
Edwards-MacBook-Air:src emv$ cd runc
Edwards-MacBook-Air:runc emv$ ls
Godeps Makefile checkpoint.go libcontainer restore.go signals.go spec_linux.go utils.go
LICENSE README.md events.go main.go run.go spec.go tty.go
Edwards-MacBook-Air:runc emv$ make
go get github.com/tools/godep
godep go build -o runc .
checkpoint.go:9:2: cannot find package "github.com/opencontainers/runc/libcontainer" in any of:
/usr/local/go/src/pkg/github.com/opencontainers/runc/libcontainer (from $GOROOT)
/Users/emv/src/runc/Godeps/_workspace/src/github.com/opencontainers/runc/libcontainer (from $GOPATH)
/Users/emv/src/github.com/opencontainers/runc/libcontainer
restore.go:11:2: cannot find package "github.com/opencontainers/runc/libcontainer/configs" in any of:
/usr/local/go/src/pkg/github.com/opencontainers/runc/libcontainer/configs (from $GOROOT)
/Users/emv/src/runc/Godeps/_workspace/src/github.com/opencontainers/runc/libcontainer/configs (from $GOPATH)
/Users/emv/src/github.com/opencontainers/runc/libcontainer/configs
main.go:10:2: cannot find package "github.com/opencontainers/runc/libcontainer/nsenter" in any of:
/usr/local/go/src/pkg/github.com/opencontainers/runc/libcontainer/nsenter (from $GOROOT)
/Users/emv/src/runc/Godeps/_workspace/src/github.com/opencontainers/runc/libcontainer/nsenter (from $GOPATH)
/Users/emv/src/github.com/opencontainers/runc/libcontainer/nsenter
restore.go:12:2: cannot find package "github.com/opencontainers/runc/libcontainer/utils" in any of:
/usr/local/go/src/pkg/github.com/opencontainers/runc/libcontainer/utils (from $GOROOT)
/Users/emv/src/runc/Godeps/_workspace/src/github.com/opencontainers/runc/libcontainer/utils (from $GOPATH)
/Users/emv/src/github.com/opencontainers/runc/libcontainer/utils
godep: go exit status 1
make: *** [all] Error 1
Edwards-MacBook-Air:runc emv$ uname
Darwin
Edwards-MacBook-Air:runc emv$
I see there are several build issues; I met build issues too. I wonder why we don't use a Dockerfile to set up a unified environment for building?
I thought runc was considered an independent project which won't depend on Docker or other projects, but then I see we still use Docker for tests, so I think we can use Docker for builds as well.
Are there any specific reasons why we don't use a Dockerfile? Thanks.
In general we want to map system features as closely as possible. If the system can do it, oc should be able to express it.
Since Linux allows arbitrary nesting of namespaces and cgroups, it would be great if oc could support that. That would allow anyone to experiment with new combinations of these features, and come up with new, competing abstractions, without us having to imagine all possible abstractions in advance.
Hi,
I've done the clone of runc repository from github
git clone https://github.com/opencontainers/runc
The Dockerfile contents of libcontainer:
ENV GOPATH $GOPATH:/go/src/github.com/opencontainers/runc/libcontainer/vendor
Looks like there is no specific vendor inside libcontainer.
When I tried to build the makefile inside libcontainer, the build fails.
Thanks
I have included multiple processes inside my container.json file and started runc.
runc gave the following warning!!!
runc only supports one(1) process for the container
I was looking for a "supervisord" kind of daemon to start my multiple services inside my container.
So I tried to modify the container.json to start multiple processes and it gave the above mentioned message.
Is it intentional as per runc design to have one process per container?
Thanks
Rajasec
I can't get this to run on my debian jessie machine(s) because of (seemingly) multiple issues.
I created rootfs with docker export $(docker create busybox) > busybox.tar; mkdir rootfs; tar -C rootfs -xf busybox.tar
After creating container.json with runc spec | sed 's/daemon/root/' > container.json
I get the following error running runc:
WARN[0000] signal: killed
FATA[0000] Container start failed: [8] System error: open /sys/fs/cgroup/cpu/user.slice/test/cpu.cfs_quota_us: permission denied
If I run it again the error changes:
WARN[0000] signal: killed
FATA[0000] Container start failed: [8] System error: mkdir : no such file or directory
runc --debug output looks exactly the same. No more details.
Running strace I can see that the code actually does try to use mkdir("") after reading an empty string from /proc/self/mountinfo:
427 open("/proc/self/mountinfo", O_RDONLY|O_CLOEXEC) = 25
428 read(25, "14 19 0:14 / /sys rw,nosuid,node"..., 4096) = 2919
429 read(25, "", 4096) = 0
430 stat("", 0xc2080b06c0) = -1 ENOENT (No such file or directory)
431 mkdir("", 0755) = -1 ENOENT (No such file or directory)
432 lstat("", 0xc2080b0750) = -1 ENOENT (No such file or directory)
If I remove the cpu (and memory) definitions from container.json I get that mkdir error directly.
Hi all,
I am trying to run a service, i.e. mysql, inside a container. I gathered the ubuntu rootfs from docker pull ubuntu:latest.
Although whoami returns root, the sudo command fails with sudo: PERM_SUDOERS: setresuid(-1, 1, -1): Operation not permitted
As a result, I can't apt-get install or do any other sudo tasks.
How can I get around this issue?
Thanks in advance,
After starting my container using runc (latest OCF format 0.1.1), I tried to do the checkpoint for my running container using runc checkpoint
Error thrown:
criu failed: Type NOTIFY errno 0
We'd like the Docker daemon to be able to die and discover its containers upon restarting.
What are good implementations for achieving this? Having the daemon set some ID (caller ID?) in the containers' state?
It would also need to have a way of reattaching to standard streams of those running containers.
We also need to keep in mind the scenario when multiple docker daemons (or equivalent) spawn their own sets of containers; there shouldn't be interference between those instances.
Hi
I've created the OCP spec from the command
runc spec > container.json
runc encounters the following error.
Here is the error
WARN[0000] signal: killed
Timestamp: 2015-06-24 07:18:33.31193264 +0530 IST
Code: System error
Message: write /sys/fs/cgroup/memory/user/1000.user/4.session/sdc/memory.swappiness: invalid argument
My image is Ubuntu container from docker repository.
Here is the entire error log
runc
WARN[0000] signal: killed
Timestamp: 2015-06-24 07:18:33.31193264 +0530 IST
Code: System error
Message: write /sys/fs/cgroup/memory/user/1000.user/4.session/raj/memory.swappiness: invalid argument
0: start
Package: github.com/opencontainers/runc/libcontainer.(*initProcess)
1: Start
Package: github.com/opencontainers/runc/libcontainer.(*linuxContainer)
2: execContainer
Package: main
3: func·006
Package: main
4: Run
Package: github.com/codegangsta/cli.(*App)
5: main
Package: main
6: main
Package: runtime
7: goexit
Package: runtime
File: asm_amd64.s@2232
I can't run setuidgid inside a runc container. Here are the steps to reproduce:
{
    "version": "pre-draft",
    "platform": {
        "os": "linux",
        "arch": "amd64"
    },
    "process": {
        "terminal": true,
        "user": {
            "uid": 0,
            "gid": 0,
            "additionalGids": null
        },
        "args": [
            "bash"
        ],
        "env": [
            "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
            "TERM=xterm"
        ],
        "cwd": ""
    },
    "root": {
        "path": ".",
        "readonly": false
    },
    "hostname": "shell",
    "mounts": [
        {
            "type": "proc",
            "source": "proc",
            "destination": "/proc",
            "options": ""
        },
        {
            "type": "tmpfs",
            "source": "tmpfs",
            "destination": "/dev",
            "options": "nosuid,strictatime,mode=755,size=65536k"
        },
        {
            "type": "devpts",
            "source": "devpts",
            "destination": "/dev/pts",
            "options": "nosuid,noexec,newinstance,ptmxmode=0666,mode=0620,gid=5"
        },
        {
            "type": "tmpfs",
            "source": "shm",
            "destination": "/dev/shm",
            "options": "nosuid,noexec,nodev,mode=1777,size=65536k"
        },
        {
            "type": "mqueue",
            "source": "mqueue",
            "destination": "/dev/mqueue",
            "options": "nosuid,noexec,nodev"
        },
        {
            "type": "sysfs",
            "source": "sysfs",
            "destination": "/sys",
            "options": "nosuid,noexec,nodev"
        },
        {
            "type": "cgroup",
            "source": "cgroup",
            "destination": "/sys/fs/cgroup",
            "options": "nosuid,noexec,nodev,relatime,ro"
        }
    ],
    "linux": {
        "uidMappings": null,
        "gidMappings": null,
        "rlimits": null,
        "sysctl": null,
        "resources": {
            "disableOOMKiller": false,
            "memory": {
                "limit": 0,
                "reservation": 0,
                "swap": 0,
                "kernel": 0,
                "swappiness": -1
            },
            "cpu": {
                "shares": 0,
                "quota": 0,
                "period": 0,
                "realtimeRuntime": 0,
                "realtimePeriod": 0,
                "cpus": "",
                "mems": ""
            },
            "blockIO": {
                "blkioWeight": 0,
                "blkioWeightDevice": "",
                "blkioThrottleReadBpsDevice": "",
                "blkioThrottleWriteBpsDevice": "",
                "blkioThrottleReadIopsDevice": "",
                "blkioThrottleWriteIopsDevice": ""
            },
            "hugepageLimits": null,
            "network": {
                "classId": "",
                "priorities": null
            }
        },
        "namespaces": [
            {
                "type": "process",
                "path": ""
            },
            {
                "type": "network",
                "path": ""
            },
            {
                "type": "ipc",
                "path": ""
            },
            {
                "type": "uts",
                "path": ""
            },
            {
                "type": "mount",
                "path": ""
            }
        ],
        "capabilities": [
            "CHOWN",
            "DAC_OVERRIDE",
            "FSETID",
            "FOWNER",
            "MKNOD",
            "NET_RAW",
            "SETGID",
            "SETUID",
            "SETFCAP",
            "SETPCAP",
            "NET_BIND_SERVICE",
            "SYS_CHROOT",
            "KILL",
            "AUDIT_WRITE"
        ],
        "devices": [
            "null",
            "random",
            "full",
            "tty",
            "zero",
            "urandom"
        ]
    }
}
runc
This will start bash as root.
addgroup --quiet --gid 7999 u7999
adduser --shell /bin/bash --disabled-password --force-badname --no-create-home --uid 7999 --gid 7999 --gecos '' --quiet u7999
setuidgid u7999 /bin/bash
This will output the error: setuidgid: fatal: unable to run /bin/bash: access denied
This is working with docker but not with runc. I have had a look at the default libcontainer config of docker, and it looks similar to the config I'm using here.
I notice that almost all functions within the main package are private. Is there any advice you can give for using Runc as a library inside another Go application?
If this isn't possible yet, should I repackage the core functions and make a pull request (in other words, is it in the project's interest to account for such use cases?)
As discussed, we like the idea of having 2 different kinds of configuration in the manifest: 1) os-specific config (for example: create a new pid namespace, or set cgroup foo to bar, or drop CAP_SYSADMIN), and 2) os-independent config (for example: execute /bin/bash, or set environment DEBUG to 1).
Currently these 2 different kinds of configs are mixed in the manifest. We should segment them more clearly, to make more visible the tradeoff between control and portability, and to allow for new sections to be created for other OSes - Windows, Solaris, FreeBSD etc.
There are different build flags for different features in runc. Things like selinux and apparmor all have build flags to enable them in the build because of the various platforms that it supports. I think the default make file should add all the build flags and it should be safe.
With the following process configuration:
    "process": {
        "terminal": true,
        "user": {
            "uid": 0,
            "gid": 0,
            "additionalGids": null
        },
        "args": [
            "bash"
        ],
        "env": [
            "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
            "TERM=xterm"
        ],
        "cwd": ""
    },
I can run sudo runc to start a container which gives me a bash process I can use to interact with the newly created container. To stop the container, I'd run exit.
My question is: How do you stop the container if "terminal": false,?
I read through the code, and it seems like hitting Ctrl+C (^C) should stop it, but it doesn't stop the main process. It just won't quit.
Is there another place I can look to see running containers and stop them from there?
I'm running runc version 0.2 on Ubuntu 14.04 64bit. And go version go1.4.1 linux/amd64.
I was able to run runc successfully.
Later, after exiting the container, I could not launch any of my container images (even though I had rootfs and container.json properly placed):
Code: Id already in use
Message: Container with id exists: runc
I've ensured that no runc process was running earlier:
ps -eaf |grep -i runc
root 10077 9934 0 21:53 pts/31 00:00:00 grep --color=auto -i runc
Thanks
Rajasec
Failed to build on Fedora 21; below is the make output:
# make
go build -o runc .
# _/home/git/dev/runc
./events.go:61: syntax error: unexpected range, expecting {
./events.go:68: syntax error: argument to go/defer must be function call
./events.go:69: syntax error: need trailing comma before newline in composite literal
./events.go:70: non-declaration statement outside function body
./events.go:73: non-declaration statement outside function body
./events.go:92: non-declaration statement outside function body
./events.go:93: non-declaration statement outside function body
./events.go:94: syntax error: unexpected }
Makefile:7: recipe for target 'all' failed
make: *** [all] Error 2
After reverting 5aa82c9, make succeeded.
# git revert 5aa82c95
# make
go build -o runc .
My golang version is:
# rpm -qa |grep golang
golang-pkg-linux-amd64-1.3.3-1.fc21.noarch
golang-src-1.3.3-1.fc21.noarch
golang-1.3.3-1.fc21.x86_64
golang-pkg-bin-linux-amd64-1.3.3-1.fc21.x86_64
Well, maybe a stupid question, but how can I find the log of libcontainer during my debugging, like the output of logrus.Warn(err)?
Attempting to run a container in an existing user namespace simply ignores the path value and creates a new user namespace:
{
"version": "pre-draft",
"platform": {
"os": "linux",
"arch": "amd64"
},
"process": {
"terminal": true,
"args": [
"/bin/bash"
]
},
"linux": {
"uidMappings": [
{
"from": 0,
"to": 1000,
"count": 1
}
],
"gidMappings": [
{
"from": 0,
"to": 1000,
"count": 1
}
],
"namespaces": [
{
"type": "user",
"path": "/proc/8660/ns/user"
}
]
}
}
$ sudo ls -lah /proc/$$/ns/user
lrwxrwxrwx 1 vishvananda vishvananda 0 Jul 7 06:06 /proc/38377/ns/user -> user:[4026531837]
$ sudo ls -lah /proc/8660/ns/user
lrwxrwxrwx 1 root root 0 Jul 8 00:05 /proc/8660/ns/user -> user:[4026532754]
$ sudo ls -lah /proc/14833/ns/user
lrwxrwxrwx 1 vishvananda vishvananda 0 Jul 8 01:14 /proc/14833/ns/user -> user:[4026532751]
It looks like the code will need some modification because you can't join an existing user namespace once you are in multithreaded code.
On my Ubuntu 15.04 system (kernel 3.19.0-15), I've enabled the AppArmor compilation so that libcontainer/apparmor/apparmor_disabled.go is not compiled. After adding the apparmor_profile path in config.json and spec.go, I've tried to start the container; it fails to start the container, saying "No such file or directory":
FATA[0000] Container start failed: [8] System error: no such file or directory
The ApplyProfile function received the right string (profile name) from config.json for loading the profile.
Upon executing C.aa_change_onexec(cName), it says "No such file or directory". In fact, the apparmor profile exists in rootfs under /etc/apparmor.d/.
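aa_change_onexec(3) writes "exec <profile>" to /proc/self/attr/exec, and the kernel resolves that name against the profiles it has loaded, not against files under any /etc/apparmor.d; a profile that only exists as a file in the container's rootfs is not loaded, and the kernel reports ENOENT. The following is an added example, not runc's ApplyProfile: it parses the kernel's loaded-profile list from /sys/kernel/security/apparmor/profiles (one "name (mode)" entry per line) and checks it before writing the attr, so the failure names the real cause. The function names are mine, and the sample input in the test is constructed.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"os"
	"strings"
)

const profilesFile = "/sys/kernel/security/apparmor/profiles"

// LoadedProfiles parses the kernel's list of loaded AppArmor profiles,
// one "name (mode)" entry per line, into a map from profile name to mode
// ("enforce" or "complain"). Hat names such as "prog//hat" are kept whole.
func LoadedProfiles(r io.Reader) (map[string]string, error) {
	profiles := make(map[string]string)
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		name, mode := line, ""
		if i := strings.LastIndex(line, " ("); i >= 0 && strings.HasSuffix(line, ")") {
			name, mode = line[:i], line[i+2:len(line)-1]
		}
		profiles[name] = mode
	}
	return profiles, sc.Err()
}

// ProfileLoaded reports whether the running kernel has a profile of that name.
func ProfileLoaded(name string) (bool, error) {
	f, err := os.Open(profilesFile)
	if err != nil {
		return false, fmt.Errorf("apparmor not available: %w", err)
	}
	defer f.Close()
	p, err := LoadedProfiles(f)
	if err != nil {
		return false, err
	}
	_, ok := p[name]
	return ok, nil
}

// ApplyProfile does what aa_change_onexec(3) does: it writes "exec <name>"
// to /proc/self/attr/exec so the next execve(2) runs under that profile.
// Checking the loaded-profile list first turns the kernel's bare ENOENT
// into a message that says what is actually missing.
func ApplyProfile(name string) error {
	ok, err := ProfileLoaded(name)
	if err != nil {
		return err
	}
	if !ok {
		return fmt.Errorf("apparmor profile %q is not loaded in the host kernel; load it on the host (apparmor_parser -r <profile file>) before starting the container", name)
	}
	f, err := os.OpenFile("/proc/self/attr/exec", os.O_WRONLY, 0)
	if err != nil {
		return err
	}
	defer f.Close()
	_, err = f.WriteString("exec " + name)
	return err
}

func main() {
	if len(os.Args) < 2 {
		fmt.Println("usage: go run . <profile-name>")
		return
	}
	if err := ApplyProfile(os.Args[1]); err != nil {
		fmt.Println("error:", err)
		os.Exit(1)
	}
	fmt.Println("profile set for the next exec:", os.Args[1])
}
```

Because the profile list lives in the host kernel, the profile file has to be loaded on the host (or from the host's view of the rootfs); placing it inside the container image does nothing until something runs apparmor_parser on it.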
Now, as I see it, absolute and relative paths for --cgroup-parent create an identical cgroup hierarchy:
ls /sys/fs/cgroup/memory/system.slice/docker-65c642b685216ddeb40b3ea34892ac97faa1dc3487e9c8dfcf0fdf7ed05d0941.scope/test/7f299d5c524193189cabcc01df143c88abe95ac1e274b36926340e000a5e786c/
It looks like this for both cases. It seems like for --cgroup-parent it should be like:
ls /sys/fs/cgroup/memory/system.slice/docker-65c642b685216ddeb40b3ea34892ac97faa1dc3487e9c8dfcf0fdf7ed05d0941.scope/7f299d5c524193189cabcc01df143c88abe95ac1e274b36926340e000a5e786c/test
In opencontainers/runtime-spec#102, @vbatts pointed me towards the 2015-08-05 meeting for notes about discussing things on the mailing list. Looking through the minutes and video (after 26:02), it sounds like the new policy is to push discussion-worthy topics to the mailing list first, so they get broader exposure in a medium that's easier to archive than GitHub's inline comments. I'm not sure if that discussion is just about the spec, or if it also extends to runC. But as far as I can tell (see opencontainers/web#5), runC's maintainer list and guide currently apply to all OCI projects, including the spec. In any case, if the list-first approach was intended to cover runC, I'd suggest adapting the language in the maintainer guide, which is currently pushing pull-requests for all discussion.
In the minutes, @vbatts was taking point for documenting the list-first approach, but I thought I'd file an issue about the guide's wording to help remember that it may also need updating.
Running a container from a systemd service fails with the following error:
Jul 01 23:43:43 rhanna runc[18807]: time="2015-07-01T23:43:43+02:00" level=fatal msg="Container start failed: inappropriate ioctl for device"
I can run it without systemd successfully.
My unit file:
[Unit]
Description=Skype in a sandbox
Documentation=http://skype.com
After=network.target
[Service]
ExecStart=/usr/local/bin/runc
WorkingDirectory=/var/lib/machines/skype
[Install]
WantedBy=multi-user.target
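"inappropriate ioctl for device" is the text of ENOTTY, the errno a terminal ioctl returns on a descriptor that is not a tty; systemd gives a service /dev/null as stdin by default (StandardInput=null), whereas an interactive shell gives runc its tty. The following is an added example, not runc's console code, and it assumes (the config is not shown above) that the container's config has "terminal": true. It performs the TCGETS probe that a console setup implicitly relies on, before any of it is attempted; the function names are mine.

```go
package main

import (
	"fmt"
	"os"
	"syscall"
	"unsafe"
)

// IsTerminal probes fd with TCGETS, which succeeds on a tty and fails with
// ENOTTY ("inappropriate ioctl for device") on a pipe, a socket, /dev/null
// or anything else that is not a terminal.
func IsTerminal(fd uintptr) (bool, error) {
	var t syscall.Termios
	_, _, errno := syscall.Syscall(syscall.SYS_IOCTL, fd, uintptr(syscall.TCGETS), uintptr(unsafe.Pointer(&t)))
	switch errno {
	case 0:
		return true, nil
	case syscall.ENOTTY:
		return false, nil
	default:
		return false, errno
	}
}

// CheckTerminalConfig validates the spec's "terminal" setting against the
// stdin the process actually received. A service started by systemd with
// the default StandardInput=null fails this check; an interactive shell passes.
func CheckTerminalConfig(wantTerminal bool, stdin *os.File) error {
	if !wantTerminal {
		return nil
	}
	tty, err := IsTerminal(stdin.Fd())
	if err != nil {
		return err
	}
	if !tty {
		return fmt.Errorf("\"terminal\": true but stdin (%s) is not a tty: console setup would fail with %v; set \"terminal\": false or give the service a tty (StandardInput=tty with TTYPath=)",
			stdin.Name(), syscall.ENOTTY)
	}
	return nil
}

func main() {
	if err := CheckTerminalConfig(true, os.Stdin); err != nil {
		fmt.Println(err)
		os.Exit(1)
	}
	fmt.Println("stdin is a tty; a terminal-backed container can be started here")
}
```

For a service that only needs to run a daemon inside the container, "terminal": false is the right setting; a tty is only needed when something will actually interact with the process.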
Trying to start a container with a bind mount, it fails with this error:
Timestamp: 2015-06-29 14:24:38.112196007 +0200 CEST
Code: System error
Message: no such device
Frames:
---
0: setupRootfs
Package: github.com/opencontainers/runc/libcontainer
File: rootfs_linux.go@37
---
1: Init
Package: github.com/opencontainers/runc/libcontainer.(*linuxStandardInit)
File: standard_init_linux.go@52
---
2: StartInitialization
Package: github.com/opencontainers/runc/libcontainer.(*LinuxFactory)
File: factory_linux.go@242
---
3: init·1
Package: main
File: main.go@36
---
4: init
Package: main
File: utils.go@173
---
5: main
Package: runtime
File: proc.go@58
---
6: goexit
Package: runtime
File: asm_amd64.s@2232
WARN[0000] exit status 1
FATA[0000] Container start failed: [8] System error: no such device
This is the added part, apart from the default spec plus user modifications:
{
"type": "bind",
"source": "/home/user",
"destination": "/home/user",
"options": ""
}
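mount(2) returns ENODEV ("no such device") when the filesystem type it is asked for is not registered in the kernel, and there is no filesystem named "bind": a bind mount is selected by MS_BIND in the flags, at which point the fstype argument is ignored. The fragment above has "options": "", so, assuming (as I do here) that the options string is the only source of mount flags, the call reaches the kernel with fstype "bind" and no MS_BIND. The following is an added example, not libcontainer's mount code: it parses spec options into mount(2) flags and rejects that combination before the syscall. Type and function names are mine.

```go
package main

import (
	"fmt"
	"strings"
	"syscall"
)

// Mount mirrors the fields of the spec fragment above.
type Mount struct {
	Type, Source, Destination string
	Options                   string // comma-separated, e.g. "rbind,ro"
}

// MountCall is the argument list that would be handed to mount(2).
type MountCall struct {
	Source, Target, FSType string
	Flags                  uintptr
	Data                   string
}

// knownFlags maps option words to mount(2) flags; anything else is passed
// through as filesystem-specific data ("uid=1000", "size=64m", ...).
var knownFlags = map[string]uintptr{
	"bind":     syscall.MS_BIND,
	"rbind":    syscall.MS_BIND | syscall.MS_REC,
	"ro":       syscall.MS_RDONLY,
	"nosuid":   syscall.MS_NOSUID,
	"nodev":    syscall.MS_NODEV,
	"noexec":   syscall.MS_NOEXEC,
	"private":  syscall.MS_PRIVATE,
	"rprivate": syscall.MS_PRIVATE | syscall.MS_REC,
	"slave":    syscall.MS_SLAVE,
	"rslave":   syscall.MS_SLAVE | syscall.MS_REC,
}

// ParseMountOptions splits "rbind,ro,uid=1000" into flags and leftover data.
func ParseMountOptions(opts string) (flags uintptr, data string) {
	var extra []string
	for _, o := range strings.Split(opts, ",") {
		o = strings.TrimSpace(o)
		if o == "" {
			continue
		}
		if f, ok := knownFlags[o]; ok {
			flags |= f
			continue
		}
		extra = append(extra, o)
	}
	return flags, strings.Join(extra, ",")
}

// BuildMountCall turns a spec mount into mount(2) arguments. With MS_BIND
// set the kernel ignores FSType; without it, "bind" is looked up as a real
// filesystem, none is registered under that name, and mount(2) fails with
// ENODEV, the "no such device" in the trace above. Report that up front.
func BuildMountCall(m Mount) (MountCall, error) {
	flags, data := ParseMountOptions(m.Options)
	if m.Type == "bind" && m.Source == "" {
		return MountCall{}, fmt.Errorf("mount %s: a bind mount needs a source", m.Destination)
	}
	if m.Type == "bind" && flags&syscall.MS_BIND == 0 {
		return MountCall{}, fmt.Errorf("mount %s: type %q needs a bind or rbind option, otherwise mount(2) fails with %v",
			m.Destination, m.Type, syscall.ENODEV)
	}
	return MountCall{Source: m.Source, Target: m.Destination, FSType: m.Type, Flags: flags, Data: data}, nil
}

func main() {
	// The fragment from the issue, without and with the missing option.
	for _, opts := range []string{"", "rbind"} {
		call, err := BuildMountCall(Mount{Type: "bind", Source: "/home/user", Destination: "/home/user", Options: opts})
		fmt.Printf("options=%q -> %+v err=%v\n", opts, call, err)
	}
}
```

One caveat when adding "ro": on the kernels of this era MS_RDONLY is not honoured on the initial bind; a read-only bind needs a second mount(2) on the target with MS_REMOUNT|MS_BIND|MS_RDONLY, so a tool that parses "rbind,ro" this way still has to issue that remount.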
[root@localhost runc]# make
go build -o runc .
# github.com/opencontainers/runc
./events.go:25: undefined: cli.DurationFlag
./events.go:59: context.Duration undefined (type *cli.Context has no field or method Duration)
Makefile:2: recipe for target 'all' failed
make: *** [all] Error 2