Skip to content
Permalink

Comparing changes

Choose two branches to see what’s changed or to start a new pull request. If you need to, you can also or learn more about diff comparisons.

Open a pull request

Create a new pull request by comparing changes across two branches. If you need to, you can also . Learn more about diff comparisons here.
base repository: moby/moby
Failed to load repositories. Confirm that selected base ref is valid, then try again.
Loading
base: v1.10.2
Choose a base ref
...
head repository: hallyn/docker
Failed to load repositories. Confirm that selected head ref is valid, then try again.
Loading
compare: v1.10.0.serge.2
Choose a head ref
  • 6 commits
  • 12 files changed
  • 1 contributor

Commits on Feb 16, 2016

  1. Do not create devices when in user namespace 

    When we launch a container in a new user namespace, we cannot create
devices, so we bind mount the host's devices into place instead.

If we are running in a user namespace (i.e. nested in a container),
then we need to do the same thing.  Add a function to detect that
and check for it before doing mknod.

Signed-off-by: Serge Hallyn <[email protected]>
    @hallyn
    hallyn committed Feb 16, 2016
    Configuration menu
    Copy the full SHA
    d81b659 View commit details
    Browse the repository at this point in the history

  2. Do not allow access to /dev/tty{0,1} 

    These are the real host devices, container should not generally
have or need them.

Signed-off-by: Serge Hallyn <[email protected]>
    @hallyn
    hallyn committed Feb 16, 2016
    Configuration menu
    Copy the full SHA
    f9998ce View commit details
    Browse the repository at this point in the history

  3. Don't create devices if in a user namespace 

    If we are running in a user namespace, don't try to mknod as
it won't be allowed.  libcontainer will bind-mount the host's
devices over files in the container anyway, so it's not needed.

Signed-off-by: Serge Hallyn <[email protected]>
    @hallyn
    hallyn committed Feb 16, 2016
    Configuration menu
    Copy the full SHA
    78f5e69 View commit details
    Browse the repository at this point in the history

  4. archive: Don't create devices if in a user namespace 

    The chrootarchive package does a chroot (without mounting /proc) before
its work, so we cannot check /proc/self/uid_map when we need to.  So
compute it in advance and pass it along with the tar options.

Signed-off-by: Serge Hallyn <[email protected]>
    @hallyn
    hallyn committed Feb 16, 2016
    Configuration menu
    Copy the full SHA
    b019404 View commit details
    Browse the repository at this point in the history

  5. Do not set devices cgroup entries if in a user namespace 

    kernel won't allow it.

Signed-off-by: Serge Hallyn <[email protected]>
    @hallyn
    hallyn committed Feb 16, 2016
    Configuration menu
    Copy the full SHA
    832031a View commit details
    Browse the repository at this point in the history

Commits on Feb 25, 2016

  1. cgroup namespaces: ignore the mount.Root if we have cgroup namespaces 

    We should do this in a better way, in particular by verifying through
/proc/self/cgroup whether the mount.Root is our cgroup prefix, but
this suffices at the moment:  if we have cgroup namespaces and are
running inside an lxc or lxd container, the mount prefix will always
be wrong.

Signed-off-by: Serge Hallyn <[email protected]>
    @hallyn
    hallyn committed Feb 25, 2016
    Configuration menu
    Copy the full SHA
    ab8e54b View commit details
    Browse the repository at this point in the history
Loading