It fail to build runc master branch(00f6b56) on debian wheezy with go 1.3 for the reason of range syntax compatibility

go build -o runc .
# github.com/opencontainers/runc
./events.go:61: syntax error: unexpected range, expecting {
./events.go:68: syntax error: argument to go/defer must be function call
./events.go:69: syntax error: need trailing comma before newline in composite literal
./events.go:70: non-declaration statement outside function body
./events.go:73: non-declaration statement outside function body
./events.go:92: non-declaration statement outside function body
./events.go:93: non-declaration statement outside function body
./events.go:94: syntax error: unexpected }
make: *** [all] Error 2

hi all,

I am using a centos base image to running runc instance .

After enter into the runc instance , I could found the default generated network interface file:
/etc/sysconfig/network-scripts/ifcfg-ens3

After config the above file , what confused me is that : there is no support such as :

1. service network restart or
2. /etc/init.d/network
   none above files exists in the runc instance .

Why I need the network interface is because that I want run a network service in runc , such as :

python -m SimpleHTTPServer 8000

And above service can visited from outside of runc environment .

Can I archive this with runc ?

In some older kernels setting memory swappiness fails. This happens even when
nobody tries to configure swappiness from docker UI because we would still get
some default value from host config.
With this we treat -1 value as default value and skip the enforcement
of swappiness.

In your OPEN CONTAINER PROJECT homepage, you say:

The specification will be available at https://github.com/opencontainers/specs.

but that is still missing.

I was occasionally getting this error when running docker:

> docker run --rm -ti busybox
Error response from daemon: Cannot start container ca65deb2d7972d5a1772023ad82d843bb639fcfea9d75e78e0f99fcad9e683ba: [8] System error: write /sys/fs/cgroup/cpuset/system.slice/docker-ca65deb2d7972d5a1772023ad82d843bb639fcfea9d75e78e0f99fcad9e683ba.scope/cgroup.procs: no space left on device

After investigating a bit I found the cause of the problem.

I get this error because cpuset.mems in the container's cpuset cgroup directory is empty. In that case, libcontainer sets that file to the value of the parent and does this recursively until it finds an existing parent.

An example might be easier to understand, if the container's cpuset cgroup directory is

/sys/fs/cgroup/cpuset/system.slice/docker-ca65deb2d7972d5a1772023ad82d843bb639fcfea9d75e78e0f99fcad9e683ba.scope

and the current existing directories are

/sys/fs/cgroup/cpuset/

libcontainer will start at docker-ca65deb2d7972d5a1772023ad82d843bb639fcfea9d75e78e0f99fcad9e683ba.scope, go to the parent and then go one more level up to cpuset because system.slice doesn't exist. Then it will set /sys/fs/cgroup/cpuset/system.slice/cpuset.mems to the value in /sys/fs/cgroup/cpuset/cpuset.mems and /sys/fs/cgroup/cpuset/system.slice/docker-ca65deb2d7972d5a1772023ad82d843bb639fcfea9d75e78e0f99fcad9e683ba.scope/cpuset.mems to that same value.

This works fine when /sys/fs/cgroup/system.slice doesn't exist. But if it exists and has an empty value, /sys/fs/cgroup/cpuset/system.slice/docker-ca65deb2d7972d5a1772023ad82d843bb639fcfea9d75e78e0f99fcad9e683ba.scope/cpuset.mems will also end up with an empty value, causing the error.

The solution could be keeping the recursion until you find the first non-empty value or you're out of the cpuset controller.

/cc @crosbymichael @kayrus @alban

make

go get github.com/tools/godep
unexpected fault address 0x2b2a00000011
fatal error: fault
[signal 0xb code=0x1 addr=0x2b2a00000011]

goroutine 5 [running]:

:0                                                                         

:0                                                                         

:0                                                                         

:0                                                                         

:0                                                                         

:0                                                                         

:0                                                                         

goroutine 1 [select]:
main.$nested27
/build/buildd/gccgo-go-1.2.1/src/cmd/go/http.go:57
main.httpsOrHTTP
/build/buildd/gccgo-go-1.2.1/src/cmd/go/http.go:65
main.repoRootForImportDynamic
/build/buildd/gccgo-go-1.2.1/src/cmd/go/vcs.go:468
main.repoRootForImportPath
/build/buildd/gccgo-go-1.2.1/src/cmd/go/vcs.go:362
main.downloadPackage
/build/buildd/gccgo-go-1.2.1/src/cmd/go/get.go:269
main.download
/build/buildd/gccgo-go-1.2.1/src/cmd/go/get.go:166
main.download
/build/buildd/gccgo-go-1.2.1/src/cmd/go/get.go:232
main.runGet
/build/buildd/gccgo-go-1.2.1/src/cmd/go/get.go:72
main.main
/build/buildd/gccgo-go-1.2.1/src/cmd/go/main.go:161

goroutine 3 [syscall]:
goroutine in C code; stack unavailable
make: *** [all] Error 2

Hello,

runc is working fine. thanks for that.

However, I would like to get networking connectivity inside the container first and then next stage to get container talking to the host and eventually to the internet.

I've defined network key in container.json as such:

$ cat container.json                                                                                                                                          [...]
    "network": [
    {
        "type": "loopback",
        "address": "127.0.0.1/0",
        "gateway": "localhost"
    },
    {
        "type": "veth",
            "name": "net",
        "bridge": "br0",
        "address": "172.17.42.2",
        "gateway": "172.17.42.1",
        "host_interface_name": "veth0"
    }
    ],
[...]

However, i can't connect to a listening socket inside the container:

root@shell:~# cat test.py 
import socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0)
s.bind(('127.0.0.1', 1234))
s.listen(0)
while True:
    m = s.accept()
    print 'ack'
(virtualenv)root@shell:~# python test.py &
[1] 21
(virtualenv)root@shell:~# netstat -tupan
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:1234          0.0.0.0:*               LISTEN      21/python    
(virtualenv)root@shell:~# echo a >/dev/tcp/127.0.0.1/1234
bash: connect: Network is unreachable
bash: /dev/tcp/127.0.0.1/1234: Network is unreachable
(virtualenv)root@shell:~# ip addr
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
(virtualenv)root@shell:~# ifconfig lo 127.0.0.1 up
SIOCSIFADDR: Operation not permitted
SIOCSIFFLAGS: Operation not permitted
SIOCSIFFLAGS: Operation not permitted

Some sys details below:

$ runc -v
runc version 0.1
$ uname -a
Linux octopus 3.19.0-22-generic #22-Ubuntu SMP Tue Jun 16 17:15:15 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 15.04
Release:    15.04
Codename:   vivid

How to get interface lo up and get the socket talking?
Thanks.

When I pulled the latest runc from repo, I could not start the container due to the following error

FATA[0000] Container start failed: [7] Invalid configuration: unable to restrict sys entries without a private MNT namespace

Upon investigating. Looks like the namespaces had been moved from PortableSpec to struct Linux in spec_linux.go

File spec_linux.go
for _, ns := range spec.Linux.Namespaces {

Above for loop is not executed because spec.Linux.Namespaces is empty.

Same thing is applicable for spec.Linux.Devices which has been moved from Portable Spec to Linux struct.

Note:
if I make the following changes ( added back Namespaces and Devices in PortableSpec struct)

spec.Linux.Namespaces --> spec.Namespaces,
spec.Linux.Devices --> spec.Devices

Then I'm able to start the container

Thanks
Rajasec

Hello,
I am unable to launch the container. It keeps trying to find daemon user.

$ cd /container
$ runc
Unable to find user daemon
WARN[0000] exit status 1                                
Timestamp: 2015-06-23 14:20:51.598848353 +0000 UTC
Code: System error

Message: Unable to find user daemon

Frames:

---
0: func·006
Package: github.com/opencontainers/runc/libcontainer
File: factory_linux.go@225

---
1: StartInitialization
Package: github.com/opencontainers/runc/libcontainer.(*LinuxFactory)
File: factory_linux.go@236

---
2: init·1
Package: main
File: main.go@33

---
3: init
Package: main
File: utils.go@173

---
4: main
Package: runtime
File: proc.go@58

---
5: goexit
Package: runtime
File: asm_amd64.s@2232

Some sys details below:

$ runc -v
runc version 0.1
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 15.04
Release:    15.04
Codename:   vivid
$ uname -a
Linux octopus 3.19.0-22-generic #22-Ubuntu SMP Tue Jun 16 17:15:15 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
$ go version
go version go1.4 linux/amd64
$ cat /container/container.json
{
    "version": "0.1",
    "os": "linux",
    "arch": "amd64",
    "processes": [
        {
            "tty": true,
        "user": "daemon",
            "args": [
                "sh"
            ],
            "env": [
                "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
                "TERM=xterm"
            ],
            "cwd": ""
        }
    ],
    "root": {
        "path": "rootfs",
        "readonly": true
    },
    "cpus": 1.1,
    "memory": 1024,
    "hostname": "shell",
    "namespaces": [
        {
            "type": "mount"
        },
        {
            "type": "ipc"
        },
        {
            "type": "uts"
        }
    ],
    "capabilities": [
        "AUDIT_WRITE",
        "KILL",
        "NET_BIND_SERVICE"
    ],
    "devices": [
        "null",
        "random",
        "full",
        "tty",
        "zero",
        "urandom"
    ],
    "mounts": [
        {
            "type": "proc",
            "source": "proc",
            "destination": "/proc",
            "options": ""
        },
        {
            "type": "tmpfs",
            "source": "tmpfs",
            "destination": "/dev",
            "options": "nosuid,strictatime,mode=755,size=65536k"
        },
        {
            "type": "devpts",
            "source": "devpts",
            "destination": "/dev/pts",
            "options": "nosuid,noexec,newinstance,ptmxmode=0666,mode=0620,gid=5"
        },
        {
            "type": "tmpfs",
            "source": "shm",
            "destination": "/dev/shm",
            "options": "nosuid,noexec,nodev,mode=1777,size=65536k"
        },
        {
            "type": "mqueue",
            "source": "mqueue",
            "destination": "/dev/mqueue",
            "options": "nosuid,noexec,nodev"
        },
        {
            "type": "sysfs",
            "source": "sysfs",
            "destination": "/sys",
            "options": "nosuid,noexec,nodev"
        }
    ]
}
$ id daemon
uid=1(daemon) gid=1(daemon) groups=1(daemon)

When a container is launched with a bind mount between /dev (on the host) and /dev (in the container), all subsequent attempts to open /dev/ptmx fail.

setupPtmx() in libcontainer/rootfs_linux.go will unconditionally remove /dev/ptmx and then symlink it to /dev/pts/ptmx , which is a character file that is untouchable by unprivileged users. This prevents unprivileged programs which rely on getpt from running on the host (such as X terminals, screen, and tmux).

I discovered this via docker, but it happens in any libcontainer app if /dev/ is shared with the container before setupPtmx. Is there a reason for libcontainer to touch /dev (at all) if it's mounted directly from the host? I have tested this on Fedora 22 and 21, SELinux is set to permissive, as well as Arch Linux without SELinux.

I can reproduce this consistently.

uname -a: Linux wtemple.localdomain 4.0.6-300.fc22.x86_64 #1 SMP Tue Jun 23 13:58:53 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

config.json:

{
    "version": "0.1.1",
    "platform": {
        "os": "linux",
        "arch": "amd64"
    },
    "process": {
        "terminal": true,
        "user": "root",
        "args": [
            "/bin/sh"
        ],
        "env": [
            "PATH=/bin,/sbin"
        ],
        "cwd": ""
    },
    "root": {
        "path": "rootfs",
        "readonly": true
    },
    "hostname": "shell",
    "mounts": [
        {
            "type": "proc",
            "source": "proc",
            "destination": "/proc",
            "options": ""
        },
        {
            "type": "sysfs",
            "source": "sysfs",
            "destination": "/sys",
            "options": "nosuid,noexec,nodev"
        },
        {
            "type": "bind",
            "source": "/dev",
            "destination": "/dev",
            "options": "bind"
        }
    ],
    "linux": {
        "namespaces": [
            {
                "type": "process"
            },
            {
                "type": "network"
            },
            {
                "type": "mount"
            },
            {
                "type": "ipc"
            },
            {
                "type": "uts"
            }
        ],
        "capabilities": [
            "AUDIT_WRITE",
            "KILL",
            "NET_BIND_SERVICE"
        ],
        "devices": [
            "null"
        ]
    }
}

I can execute runc with the absolute path, however, execute runc as a command (type only "runc"), an error occur.

1. When execute with full path

   $ sudo /usr/local/bin/runc
   / $ 

2. When execute as a command
   /home/hitsu/work/runC is my working directory.

sudo runc
Timestamp: 2015-06-26 09:09:39.184956634 +0900 JST
Code: System error

Message: fork/exec /home/hitsu/work/runC/runc: no such file or directory

Frames:
---
0: start
Package: github.com/opencontainers/runc/libcontainer.(*initProcess)
File: process_linux.go@183
---
1: Start
Package: github.com/opencontainers/runc/libcontainer.(*linuxContainer)
File: container_linux.go@107
---
2: execContainer
Package: main
File: run.go@41
---
3: func·006
Package: main
File: main.go@89
---
4: Run
Package: github.com/codegangsta/cli.(*App)
File: app.go@159
---
5: main
Package: main
File: main.go@104
---
6: main
Package: runtime
File: proc.go@63
---
7: goexit
Package: runtime
File: asm_amd64.s@2232

Currently, in projects that consume the SELinux api from libcontainer, you need to differentiate files for builds for linux and other platforms. It might be really convenient to have an implementation of SelinuxEnabled for non-supported platforms. Thoughts? @mrunalp @crosbymichael @rhatdan @vbatts

Currently the version is 1. From experience with the Docker remote API, we regretted bitterly not starting with a 0.x version number, it would have made it easier to break things later.

We should change this before opening the repo if possible.

I modified the config.json file under resources
"blkioWeightDevice": "500"

After starting the container
it fails to start the container, Error thrown out
Container start failed: [8] System error: write /sys/fs/cgroup/blkio/user/1000.user/c2.session/runc/blkio.weight_device: invalid argument

cgroups/fs/blkio_test.go
Even the blkio_test.go is setting the weight device value in /tmp folder as destination which is the reason for passing the tests. If the destination is /sys tests would have been failed.

Kernel : 3.18.8
Machine : Ubuntu

When I'm running "make test", I run into failing tests during integration/checkpoint_test.go TestCheckpoint (among others, all with the same error).

See below for an example of one of the errors.

When I look at the config that is being used for container.start(&pconfig) it does not have cgroups designated under mounts. Should that exist in the test config being passed in or is there something I am missing for my environment? I cloned the repo at commit 9be9157

Test output below
=== RUN TestCheckpoint
time="2015-08-06T20:44:48Z" level=warning msg="signal: killed"
:make: *** [localtest] Error 1
make: *** [test] Error 2
--- FAIL: TestCheckpoint (0.14s)
checkpoint_test.go:99: [8] System error: mountpoint for cgroup not found

Is there a possibility that i can see runc using in these ways

1)Taking a Ubuntu image and check for installed services

           runc -c services.json

services.json

{
"services":[{
"sname":"Nginx",
"parentfolder":"/var/lib/nginx",
"conffolder":"/etc/nginx",
"sservicestatus":"stopped"
}]
}

The service checks can be implemented any.

2)Can we execute commands like how we use to execute commands on Docker

   docker exec <container-id> command

   runc -e echo "Hello World"

3)Can we have more information about the Spec file we create for any container to run.

I'm hoping we can get a new tag added, so I can make a pull request upstream in docker. I'm getting emails every day or two about the current docker C/R branch not working, and the only blocker to fixing it is merging in the latest runc changes.

When using a config with user namespaces with go1.5, run gets a permission issue trying to call setgroups(0, []). The reason is in go1.5 setting the uid_map causes the segroups to be set to deny.

An obvious fix is to not setgroups if there are no additional groups specified:

diff --git a/libcontainer/init_linux.go b/libcontainer/init_linux.go
index 3e78d4b..30cd42a 100644
--- a/libcontainer/init_linux.go
+++ b/libcontainer/init_linux.go
@@ -168,8 +168,10 @@ func setupUser(config *initConfig) error {
        }

        suppGroups := append(execUser.Sgids, addGroups...)
-       if err := syscall.Setgroups(suppGroups); err != nil {
-               return err
+       if len(suppGroups) != 0 {
+               if err := syscall.Setgroups(suppGroups); err != nil {
+                       return err
+               }
        }

But this doesn't help the case where we actually want to set groups. We could also set the SysProcAttr.GidMappingsEnableSetgroups = true when we create the process, but this flag only exists in 1.5 so we need some build flags to only set it in go1.5. Also we may only want it to be true if AdditionalGids are set in the json.

see moby/moby#15053

Seems that seccomp currently supports linux/amd64 only right now. There is only a file jump_amd64.go, and no jump_386.go, jump_arm.go nor jump_arm64.go.

Any plans to support linux/386, linux/arm and linux/arm64 soon?

It is unclear if this project requires DCO signoff

http://developercertificate.org

At the very least there should be a CONTRIBUTING.md

This is how it might look like:

FROM alpine:3.2

COPY . /go/src/github.com/opencontainers/runc

RUN apk --update add go alpine-sdk linux-headers && \
    cd /go/src/github.com/opencontainers/runc && \
    GOPATH=/go PATH=$PATH:/go/bin make && \
    cp /go/src/github.com/opencontainers/runc/runc /bin/runc && \
    apk del go alpine-sdk linux-headers && \
    rm -rf /go

CMD ["/bin/sh"]

docker run --rm -it --privileged \
  -v /usr/local/bin/docker:/usr/bin/docker \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v /sys/fs/cgroup:/sys/fs/cgroup runc

I managed to run debian:jessie image with this (f1006a365a06 is a running debian image):

/ # cd
~ # docker export f1006a365a06 > debian.tar
~ # mkdir /container
~ # mkdir /container/rootfs
~ # cd /container/rootfs/
/container/rootfs # tar xf ~/debian.tar
/container/rootfs # nano ../container.json
/bin/sh: nano: not found
/container/rootfs # nano ../container.json
/container/rootfs # apk add nano
(1/3) Installing ncurses-terminfo-base (5.9-r3)
(2/3) Installing ncurses-widec-libs (5.9-r3)
(3/3) Installing nano (2.4.1-r0)
Executing busybox-1.23.2-r0.trigger
OK: 6 MiB in 18 packages
/container/rootfs # nano ../container.json
/container/rootfs # cd ..
/container # runc
$ uname -a
Linux shell 4.0.5-boot2docker #1 SMP Tue Jun 16 01:39:56 UTC 2015 x86_64 GNU/Linux
$ /bin/bash
debconf.conf    debian_version  default/        deluser.conf
daemon@shell:/$ cat /etc/debian_version
8.1

Exporting compiled runc binary is also possible:

docker run --rm runc cat /bin/runc > runc

Does it even make sense to have it in this repo?

hi team,

According to the README.md introduction:
To run a container that you received just execute runc with the JSON format as the argument or have a container.json file in the current working directory.

But the runc command line told me that , the file needed is : config.json not container.json .

So first , I move the content from container.json to config.json , the runc command show me another error :

FATA[0000] Container start failed: Rootfs ("/opt/usr/runc/rootfs") does not exist

I read the document from rootfs , It told that : rootfs "which is
always present in 2.6 systems."

https://www.kernel.org/doc/Documentation/filesystems/ramfs-rootfs-initramfs.txt

Then , I create a directory on /opt/usr/runc/rootfs/ , and run runc, but failed again:

FATA[0000] Container start failed: [7] Invalid configuration: unable to set hostname without a private UTS namespace

In my config.json file , the hostname is equal as hostname command output .

What should I change in config.json file for runc ?

thanks

Right now runc requires to be run as root where technically it should be possible to run containers as unprivileged user (at least if user namespaces are used)

host:~/runcdir# ls -l ../runc
-rwxr-xr-x 1 root root 7467584  6月 23 06:30 ../runc

host:~/runcdir# ls -l
total 8
-rw-r--r--  1 root root 1457  6月 23 06:31 container.json
drwxr-xr-x 21 root root 4096  6月 23 05:06 rootfs

host:~/runcdir# ../runc
Timestamp: 2015-06-23 06:31:13.157456619 +0900 JST
Code: System error

Message: fork/exec ../runc: no such file or directory

Frames:

---
0: start
Package: github.com/opencontainers/runc/libcontainer.(*initProcess)
File: process_linux.go@183

---
1: Start
Package: github.com/opencontainers/runc/libcontainer.(*linuxContainer)
File: container_linux.go@107

---
2: execContainer
Package: main
File: run.go@41

---
3: func·006
Package: main
File: main.go@88

4: Run
Package: github.com/codegangsta/cli.(*App)
File: app.go@159

---
5: main
Package: main
File: main.go@96

---
6: main
Package: runtime
File: proc.go@63

---
7: goexit
Package: runtime
File: asm_amd64.s@2232

absolute path OK

host:~/runcdir# /root/runc
$ 
host:~/runcdir# ~/runc
$ 

Because ../runc is not exist ../runc when chdir to rootfs.
I think this is irregular.
But I want you to fix it.

I see there are several build issues, myself met build issues too, I wonder why we don't use Dockerfile to setup an unified environment for building?

I thought runc was considered as an independent project which won't depend on Docker or other projects, but then I see we still use Docker for test, so I think we can use Docker for build as well.

Is there any specific reasons why we don't use Dockerfile? Thanks.

In general we want to map system features as closely as possible. If the system can do it, oc should be able to express it.

Since Linux allows arbitrary nesting of namespaces and cgroups, it would be great if oc could support that. That would allow anyone to experiment with new combinations of these features, and come up with new, competing abstractions, without us having to imagine all possible abstractions in advance.

Hi,

I've done the clone of runc repository from github

git clone https://github.com/opencontainers/runc

The Dockerfile contents of libcontainer
ENV GOPATH $GOPATH:/go/src/github.com/opencontainers/runc/libcontainer/vendor

Looks like there is no specific vendor inside libcontainer.

When I tried to build the makefile inside libcontainer, build fails.

Thanks

I have included multiple process inside my container.json file and started runc.

runc gave following warning!!!
runc only supports one(1) process for the container

I was looking for "supervisord" kind of daemon to start my multiple services inside my container..
So I tried to modify the container.json to start multiple process and it gave the above mentioned message.

is it anything intentional as per runc design to have one process per container ?

Thanks
Rajasec

I can't get this to run on my debian jessie machine(s) because of (seemingly) multiple issues.

I created rootfs with docker export $(docker create busybox) > busybox.tar; mkdir rootfs; tar -C rootfs -xf busybox.tar

After creating container.json with runc spec | sed 's/daemon/root/' > container.json i get the following error running runc:

WARN[0000] signal: killed                               
FATA[0000] Container start failed: [8] System error: open /sys/fs/cgroup/cpu/user.slice/test/cpu.cfs_quota_us: permission denied 

If i run it again the error changes:

WARN[0000] signal: killed                               
FATA[0000] Container start failed: [8] System error: mkdir : no such file or directory 

runc --debug output looks exactly the same. No more details.

Running strace i can see that the code actually does try to use mkdir("") after reading an empty string from /proc/self/mountinfo:

427 open("/proc/self/mountinfo", O_RDONLY|O_CLOEXEC) = 25
428 read(25, "14 19 0:14 / /sys rw,nosuid,node"..., 4096) = 2919
429 read(25, "", 4096)                      = 0
430 stat("", 0xc2080b06c0)                  = -1 ENOENT (No such file or directory)
431 mkdir("", 0755)                         = -1 ENOENT (No such file or directory)
432 lstat("", 0xc2080b0750)                 = -1 ENOENT (No such file or directory)

If i remove the cpu (and memory) definitions from container.json i get that mkdir error directly.

Hi all,

I am trying to run a service, i.e mysql, inside a container. I gathered the ubuntu rootfs from docker pull ubuntu:latest.

Although whoami returns root, sudo command fails with sudo: PERM_SUDOERS: setresuid(-1, 1, -1): Operation not permitted

As a result, I can't apt-get install or do any other sudo tasks.
How can I get around this issue?

Thanks in advance,

After starting my container using runc ( latest OCF format 0.1.1), I tried to do the checkpoint for my running container using

runc checkpoint

Error thrown:
criu failed: Type NOTIFY errno 0

We'd like the Docker daemon to be able to die and discover its containers upon restarting.

What are good implementations for achieving this? Having the daemon set some ID (caller ID?) in the containers' state?

It would also need to have a way of reattaching to standard streams of those running containers.

We also need to keep in mind the scenario when multiple docker daemons (or equivalent) spawn their own sets of containers; there shouldn't be interference between those instances.

Hi

I've created the OCP spec from the command
runc spec > container.json

runc encounters following error

Here is the error
WARN[0000] signal: killed
Timestamp: 2015-06-24 07:18:33.31193264 +0530 IST
Code: System error

Message: write /sys/fs/cgroup/memory/user/1000.user/4.session/sdc/memory.swappiness: invalid argument

My image is Ubuntu container from docker repository.

Here is the entire error log
runc
WARN[0000] signal: killed
Timestamp: 2015-06-24 07:18:33.31193264 +0530 IST
Code: System error

Message: write /sys/fs/cgroup/memory/user/1000.user/4.session/raj/memory.swappiness: invalid argument

Frames:

0: start
Package: github.com/opencontainers/runc/libcontainer.(*initProcess)

File: process_linux.go@197

1: Start
Package: github.com/opencontainers/runc/libcontainer.(*linuxContainer)

File: container_linux.go@107

2: execContainer
Package: main

File: run.go@41

3: func·006
Package: main

File: main.go@88

4: Run
Package: github.com/codegangsta/cli.(*App)

File: app.go@159

5: main
Package: main

File: main.go@96

6: main
Package: runtime

File: proc.go@63

7: goexit
Package: runtime
File: asm_amd64.s@2232

I can't run setuidgid inside a runc container. Here are the steps to reproduce:

• Pull an image with setuidgid and bash installed
• Use this config:

{
    "version": "pre-draft",
    "platform": {
        "os": "linux",
        "arch": "amd64"
    },
    "process": {
        "terminal": true,
        "user": {
            "uid": 0,
            "gid": 0,
            "additionalGids": null
        },
        "args": [
            "bash"
        ],
        "env": [
            "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
            "TERM=xterm"
        ],
        "cwd": ""
    },
    "root": {
        "path": ".",
        "readonly": false
    },
    "hostname": "shell",
    "mounts": [
        {
            "type": "proc",
            "source": "proc",
            "destination": "/proc",
            "options": ""
        },
        {
            "type": "tmpfs",
            "source": "tmpfs",
            "destination": "/dev",
            "options": "nosuid,strictatime,mode=755,size=65536k"
        },
        {
            "type": "devpts",
            "source": "devpts",
            "destination": "/dev/pts",
            "options": "nosuid,noexec,newinstance,ptmxmode=0666,mode=0620,gid=5"
        },
        {
            "type": "tmpfs",
            "source": "shm",
            "destination": "/dev/shm",
            "options": "nosuid,noexec,nodev,mode=1777,size=65536k"
        },
        {
            "type": "mqueue",
            "source": "mqueue",
            "destination": "/dev/mqueue",
            "options": "nosuid,noexec,nodev"
        },
        {
            "type": "sysfs",
            "source": "sysfs",
            "destination": "/sys",
            "options": "nosuid,noexec,nodev"
        },
        {
            "type": "cgroup",
            "source": "cgroup",
            "destination": "/sys/fs/cgroup",
            "options": "nosuid,noexec,nodev,relatime,ro"
        }
    ],
    "linux": {
        "uidMappings": null,
        "gidMappings": null,
        "rlimits": null,
        "sysctl": null,
        "resources": {
            "disableOOMKiller": false,
            "memory": {
                "limit": 0,
                "reservation": 0,
                "swap": 0,
                "kernel": 0,
                "swappiness": -1
            },
            "cpu": {
                "shares": 0,
                "quota": 0,
                "period": 0,
                "realtimeRuntime": 0,
                "realtimePeriod": 0,
                "cpus": "",
                "mems": ""
            },
            "blockIO": {
                "blkioWeight": 0,
                "blkioWeightDevice": "",
                "blkioThrottleReadBpsDevice": "",
                "blkioThrottleWriteBpsDevice": "",
                "blkioThrottleReadIopsDevice": "",
                "blkioThrottleWriteIopsDevice": ""
            },
            "hugepageLimits": null,
            "network": {
                "classId": "",
                "priorities": null
            }
        },
        "namespaces": [
            {
                "type": "process",
                "path": ""
            },
            {
                "type": "network",
                "path": ""
            },
            {
                "type": "ipc",
                "path": ""
            },
            {
                "type": "uts",
                "path": ""
            },
            {
                "type": "mount",
                "path": ""
            }
        ],
        "capabilities": [
            "CHOWN",
            "DAC_OVERRIDE",
            "FSETID",
            "FOWNER",
            "MKNOD",
            "NET_RAW",
            "SETGID",
            "SETUID",
            "SETFCAP",
            "SETPCAP",
            "NET_BIND_SERVICE",
            "SYS_CHROOT",
            "KILL",
            "AUDIT_WRITE"
        ],
        "devices": [
            "null",
            "random",
            "full",
            "tty",
            "zero",
            "urandom"
        ]
    }
}

• start runc this will start bash as root
• create a group: addgroup --quiet --gid 7999 u7999
• add the user:

adduser --shell /bin/bash --disabled-password --force-badname --no-create-home --uid 7999 --gid 7999 --gecos '' --quiet  u7999

• start bash as the new user: setuidgid u7999 /bin/bash

This will output the error: setuidgid: fatal: unable to run /bin/bash: access denied

This is working with docker but not with runc. I have had a look a the default libcontainer config of docker, and it looks similar to the config I'm using here.

I notice that almost all functions within the main package are private. Is there any advice you can give for using Runc as a library inside another Go application?
If this isn't possible yet, should I repackage the core functions and make a pull request (in other words, is it in the project's interest to account for such use cases?)

We live in an international world.

In the part of the world called Sweden, your project is named masturbation. C on its own in Swedish is pronounced k, and:

The sells in the enterprises might not come. And then it would be over prematurely.

Just thought you wanted to know. ;)

As discussed, we like the idea of having 2 different kinds of configuration in the manifest: 1) os-specific config (for example: create a new pid namespace, or set cgroup foo to bar, or drop CAP_SYSADMIN), and 2) os-independent config (for example: execute /bin/bash, or set environment DEBUG to 1).

Currently these 2 different kinds of configs are mixed in the manifest. We should segment them more clearly, to make more visible the tradeoff between control and portability, and to allow for new sections to be created for other OSes - Windows, Solaris, FreeBSD etc.

There are different build flags for different features in runc. Things like selinux and apparmor all have build flags to enable them in the build because of the various platforms that it supports. I think the default make file should add all the build flags and it should be safe.

With the following process configuration:

"process": {
        "terminal": true,
        "user": {
            "uid": 0,
            "gid": 0,
            "additionalGids": null
        },
        "args": [
            "bash"
        ],
        "env": [
            "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
            "TERM=xterm"
        ],
        "cwd": ""
    },

I can run sudo runc to start a container which gives me a bash process I can use to interact with the newly created container. To stop the container, I'd run exit.

My question is: How do you stop the container if "terminal": false,?
I read through the code, and it seems like hitting Ctrl+C (^C) should stop it, but it doesn't stop the main process. It just wont quit.

Is there an other place I can look to see running containers and stop them from there?

I'm running runc version 0.2 on Ubuntu 14.04 64bit. And go version go1.4.1 linux/amd64.

I was able to run runc successfully..

Later after exit of the container, I could not launch any of my container image ( eventhough I had rootfs and container.json properly placed)

Code: Id already in use
Message: Container with id exists: runc

I've ensure that no runc process was running earlier.
ps -eaf |grep -i runc
root 10077 9934 0 21:53 pts/31 00:00:00 grep --color=auto -i runc

Thanks
Rajasec

Failed to build on Fedora 21, below is the make output

# make
go build -o runc .
# _/home/git/dev/runc
./events.go:61: syntax error: unexpected range, expecting {
./events.go:68: syntax error: argument to go/defer must be function call
./events.go:69: syntax error: need trailing comma before newline in composite literal
./events.go:70: non-declaration statement outside function body
./events.go:73: non-declaration statement outside function body
./events.go:92: non-declaration statement outside function body
./events.go:93: non-declaration statement outside function body
./events.go:94: syntax error: unexpected }
Makefile:7: recipe for target 'all' failed
make: *** [all] Error 2

After reverting 5aa82c9, make succeeded.

# git revert 5aa82c95
# make
go build -o runc .

My golang version is

# rpm -qa |grep golang
golang-pkg-linux-amd64-1.3.3-1.fc21.noarch
golang-src-1.3.3-1.fc21.noarch
golang-1.3.3-1.fc21.x86_64
golang-pkg-bin-linux-amd64-1.3.3-1.fc21.x86_64

Well, maybe a stupid question, but how can I find the log of libcontainer during my debug?

like the output of logrus.Warn(err)

Attempting to run a container in an existing user namespace simply ignores the path value and creates a new user namespace:

{
    "version": "pre-draft",
    "platform": {
        "os": "linux",
        "arch": "amd64"
    },
    "process": {
        "terminal": true,
        "args": [
            "/bin/bash"
        ]
    },
    "linux": {
        "uidMappings": [
            {
                "from": 0,
                "to": 1000,
                "count": 1
            }
        ],
        "gidMappings": [
            {
                "from": 0,
                "to": 1000,
                "count": 1
            }
        ],
        "namespaces": [
            {
                "type": "user",
                "path": "/proc/8660/ns/user"
            }
        ]
    }
}

$ sudo ls -lah /proc/$$/ns/user
lrwxrwxrwx 1 vishvananda vishvananda 0 Jul  7 06:06 /proc/38377/ns/user -> user:[4026531837]
$ sudo ls -lah /proc/8660/ns/user
lrwxrwxrwx 1 root root 0 Jul  8 00:05 /proc/8660/ns/user -> user:[4026532754]
$ sudo ls -lah /proc/14833/ns/user
lrwxrwxrwx 1 vishvananda vishvananda 0 Jul  8 01:14 /proc/14833/ns/user -> user:[4026532751]

It looks like the code will need some modification because you can't join an existing user namespace once you are in multithreaded code.

In my ubuntu system based on 15.04 Kernel : 3.19.0-15. I've enabled the Apparmor compilation so that it is not compiling libcontainer/apparmor/apparmor_disabled.go. After adding the apparmor_profile path in config.json and spec.go. I've tried to start the container, it fails to start the container saying "No such file or directory"
FATA[0000] Container start failed: [8] System error: no such file or directory

ApplyProfile function received the right string ( profile name) from config.json for loading the profile
Upon executing C.aa_change_onexec(cName), it says " No such file or directory". Infact the apparmor profile existed in rootfs under /etc/apparmor.d/

Now, as I see abs and rel paths for --cgroup-parent creates identical cgroup hierarchy.

ls /sys/fs/cgroup/memory/system.slice/docker-65c642b685216ddeb40b3ea34892ac97faa1dc3487e9c8dfcf0fdf7ed05d0941.scope/test/7f299d5c524193189cabcc01df143c88abe95ac1e274b36926340e000a5e786c/

it looks like this for both cases. Seems like for --cgroup-parent it should be like

ls /sys/fs/cgroup/memory/system.slice/docker-65c642b685216ddeb40b3ea34892ac97faa1dc3487e9c8dfcf0fdf7ed05d0941.scope/7f299d5c524193189cabcc01df143c88abe95ac1e274b36926340e000a5e786c/test

right?
ping @vishh @mrunalp

In opencontainers/runtime-spec#102, @vbatts pointed me towards the 2015-08-05 meeting for notes about discussing things on the mailing list. Looking through the minutes and video (after 26:02), it sounds like the new policy is to push discusion-worthy topics to the mailing list first, so they get broader exposure in a medium that's easier to archive than GitHub's inline comments. I'm not sure if that discussion is just about the spec, or if it also extends to runC. But as far as I can tell (see opencontainers/web#5), runC's maintainer list and guide currently apply to all OCI projects, including the spec. In any case, if the list-first approach was intendend to cover runC, I'd suggest adapting the language in the maintainer guide, which is currently pushing pull-requests for all discussion.

In the minutes, @vbatts was taking point for documenting the list-first approach, but I thought I'd file an issue about the guide's wording to help remember that it may also need updating.

running a coontainer from a systemd service fails with the following error

Jul 01 23:43:43 rhanna runc[18807]: time="2015-07-01T23:43:43+02:00" level=fatal msg="Container start failed: inappropriate ioctl for device"

I can run it without systemd successfully.
my unit file

[Unit]
Description=Skype in a sandbox
Documentation=http://skype.com
After=network.target

[Service]
ExecStart=/usr/local/bin/runc
WorkingDirectory=/var/lib/machines/skype

[Install]
WantedBy=multi-user.target

trying to start a container with a bind mount
it failes with error

Timestamp: 2015-06-29 14:24:38.112196007 +0200 CEST
Code: System error

Message: no such device

Frames:

---
0: setupRootfs
Package: github.com/opencontainers/runc/libcontainer
File: rootfs_linux.go@37

---
1: Init
Package: github.com/opencontainers/runc/libcontainer.(*linuxStandardInit)
File: standard_init_linux.go@52

---
2: StartInitialization
Package: github.com/opencontainers/runc/libcontainer.(*LinuxFactory)
File: factory_linux.go@242

---
3: init·1
Package: main
File: main.go@36

---
4: init
Package: main
File: utils.go@173

---
5: main
Package: runtime
File: proc.go@58

---
6: goexit
Package: runtime
File: asm_amd64.s@2232
WARN[0000] exit status 1                                
FATA[0000] Container start failed: [8] System error: no such device 

this is the added part apart from the default spec + user modification
{
"type": "bind",
"source": "/home/user",
"destination": "/home/user",
"options": ""
}