path: root/daemon/exec_linux.go
Commit message | Author | Age | Files | Lines

* c8d: Set the process user on exec | Djordje Lukic | 2023-04-07 | 1 | -3/+53
    This change makes it possible to run `docker exec -u <UID> ...` when the
    containerd integration is activated.

    Signed-off-by: Djordje Lukic <djordje.lukic@docker.com>

* Refactor libcontainerd to minimize c8d RPCs | Cory Snider | 2022-08-24 | 1 | -7/+6
    The containerd client is very chatty at the best of times. Because the
    libcontainerd API is stateless and references containers and processes by
    string ID for every method call, the implementation is essentially forced
    to use the containerd client in a way which amplifies the number of
    redundant RPCs invoked to perform any operation. The libcontainerd remote
    implementation has to reload the containerd container, task and/or
    process metadata for nearly every operation. This in turn amplifies the
    number of context switches between dockerd and containerd to perform any
    container operation or handle a containerd event, increasing the load on
    the system which could otherwise be allocated to workloads.

    Overhaul the libcontainerd interface to reduce the impedance mismatch
    with the containerd client so that the containerd client can be used
    more efficiently. Split the API out into container, task and process
    interfaces which the consumer is expected to retain so that libcontainerd
    can retain state---especially the analogous containerd client
    objects---without having to manage any state-store inside the
    libcontainerd client.

    Signed-off-by: Cory Snider <csnider@mirantis.com>

* oci: inheritable capability set should be empty | Samuel Karp | 2022-02-08 | 1 | -6/+4
    The Linux kernel never sets the Inheritable capability flag to anything
    other than empty. Moby should have the same behavior, and leave it to
    userspace code within the container to set a non-empty value if desired.

    Reported-by: Andrew G. Morgan <morgan@kernel.org>
    Signed-off-by: Samuel Karp <skarp@amazon.com>

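The commit above rests on the kernel's exec-time capability rules, which the message only alludes to. The following Go program is an added illustration, not moby's code and not the libcontainer implementation it calls into: it models the execve(2) transformation and the capset(2) inheritable-set check as documented in capabilities(7) for a non-root process, and walks a constructed container allow-list through two execs. The type and function names (`ProcCaps`, `FileCaps`, `Exec`, `SetInheritable`, `ContainerStart`) and the capability allow-list are chosen for the example. It shows why an empty Inheritable set costs a container nothing by default, and that userspace inside the container has to both raise the inheritable bit and exec a binary carrying a matching file inheritable bit before a capability survives an exec.

```go
package main

import "errors"

// CapSet is a bitmask of Linux capabilities: bit n set means CAP_<n> is held.
type CapSet uint64

// A subset of capability numbers from <linux/capability.h>.
const (
	CapChown          uint = 0
	CapSetpcap        uint = 8
	CapNetBindService uint = 10
	CapNetRaw         uint = 13
	CapSysAdmin       uint = 21
)

// Caps builds a CapSet from capability numbers.
func Caps(nums ...uint) CapSet {
	var s CapSet
	for _, n := range nums {
		s |= 1 << n
	}
	return s
}

// ProcCaps are the five per-thread capability sets of a process.
type ProcCaps struct {
	Permitted, Effective, Inheritable, Bounding, Ambient CapSet
}

// FileCaps are the capability bits on an executable (security.capability
// xattr). SetUID marks a set-user-ID-root binary, which is "privileged" too.
type FileCaps struct {
	Permitted, Inheritable CapSet
	Effective, SetUID      bool
}

func (f FileCaps) privileged() bool {
	return f.Permitted != 0 || f.Inheritable != 0 || f.Effective || f.SetUID
}

// Exec applies the execve(2) rules from capabilities(7) for a non-root caller
// (root's special cases are not modelled):
//   P'(ambient)   = file privileged ? 0 : P(ambient)
//   P'(permitted) = (P(inheritable) & F(inheritable)) | (F(permitted) & P(bounding)) | P'(ambient)
//   P'(effective) = F(effective) ? P'(permitted) : P'(ambient)
//   inheritable and bounding are carried over unchanged.
func Exec(p ProcCaps, f FileCaps) ProcCaps {
	n := ProcCaps{Inheritable: p.Inheritable, Bounding: p.Bounding}
	if !f.privileged() {
		n.Ambient = p.Ambient
	}
	n.Permitted = (p.Inheritable & f.Inheritable) | (f.Permitted & p.Bounding) | n.Ambient
	n.Effective = n.Ambient
	if f.Effective {
		n.Effective = n.Permitted
	}
	return n
}

// SetInheritable models the capset(2) check on the inheritable set: without
// CAP_SETPCAP the new set must lie within inheritable|permitted; with
// CAP_SETPCAP effective, anything in the bounding set may be added as well.
// A capability dropped from inheritable is also dropped from ambient.
func SetInheritable(p ProcCaps, want CapSet) (ProcCaps, error) {
	allowed := p.Inheritable | p.Permitted
	if p.Effective&Caps(CapSetpcap) != 0 {
		allowed = p.Inheritable | p.Bounding
	}
	if want&^allowed != 0 {
		return p, errors.New("capset: inheritable set would exceed what the caller may raise")
	}
	p.Inheritable = want
	p.Ambient &= p.Inheritable & p.Permitted
	return p, nil
}

// ContainerStart is a constructed stand-in for a container's initial process
// (not moby's real default list): a small allow-list in Permitted, Effective
// and Bounding, with Inheritable and Ambient empty as the commit above requires.
func ContainerStart() ProcCaps {
	base := Caps(CapChown, CapNetBindService, CapNetRaw)
	return ProcCaps{Permitted: base, Effective: base, Bounding: base}
}

// ExecPlainBinary: the container process execs a binary with no file caps.
// With Inheritable and Ambient empty, nothing survives the exec.
func ExecPlainBinary() ProcCaps { return Exec(ContainerStart(), FileCaps{}) }

// ExecAfterRaisingInheritable: userspace inside the container first raises
// CAP_NET_RAW into its inheritable set (allowed, since it is permitted), then
// execs a binary whose file inheritable bit and effective flag are set for
// CAP_NET_RAW. Only with both halves in place does the capability cross the exec.
func ExecAfterRaisingInheritable() (ProcCaps, error) {
	p, err := SetInheritable(ContainerStart(), Caps(CapNetRaw))
	if err != nil {
		return p, err
	}
	return Exec(p, FileCaps{Inheritable: Caps(CapNetRaw), Effective: true}), nil
}
```

Run `ExecPlainBinary()` and `ExecAfterRaisingInheritable()` side by side: the first returns empty Permitted and Effective sets (the allow-list is still in Bounding but nothing carries it across the exec), the second returns exactly CAP_NET_RAW in both. Trying `SetInheritable(ContainerStart(), Caps(CapSysAdmin))` fails, because CAP_SYS_ADMIN is neither permitted nor reachable through CAP_SETPCAP, which is the kernel-side reason a non-empty Inheritable set in the OCI spec would have been the only way for the container to gain it at exec time.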
* Use containerd's apparmor package to detect if apparmor can be used | Sebastiaan van Stijn | 2021-04-08 | 1 | -2/+2
    The runc/libcontainer apparmor package on master no longer checks if
    apparmor_parser is enabled, or if we are running docker-in-docker.

    While those checks are not relevant to runc (as it doesn't load the
    profile), these checks _are_ relevant to us (and containerd). So
    switching to use the containerd apparmor package, which does include the
    needed checks.

    Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

* Simplify getUser() to use libcontainer built-in functionality | Sebastiaan van Stijn | 2020-09-09 | 1 | -6/+2
    Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

* daemon: fix capitalization of some functions | Sebastiaan van Stijn | 2020-04-14 | 1 | -2/+2
    Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

* daemon: use constants for AppArmor profiles | Sebastiaan van Stijn | 2019-10-13 | 1 | -3/+3
    Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

* goimports: fix imports | Sebastiaan van Stijn | 2019-09-18 | 1 | -1/+1
    Format the source according to latest goimports.

    Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
    Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

* Export all spec generation opts | Michael Crosby | 2019-04-10 | 1 | -2/+4
    Signed-off-by: Michael Crosby <crosbymichael@gmail.com>

* Move caps and device spec utils to `oci` pkg | Michael Crosby | 2018-12-11 | 1 | -1/+1
    Signed-off-by: Michael Crosby <crosbymichael@gmail.com>

* Fix AppArmor not being applied to Exec processes | Sebastiaan van Stijn | 2018-03-02 | 1 | -0/+3
    Exec processes do not automatically inherit AppArmor profiles from the
    container. This patch sets the AppArmor profile for the exec process.

    Before this change:

        apparmor_parser -q -r <<EOF
        #include <tunables/global>

        profile deny-write flags=(attach_disconnected) {
          #include <abstractions/base>
          file,
          network,
          deny /tmp/** w,
          capability,
        }
        EOF

        docker run -dit --security-opt "apparmor=deny-write" --name aa busybox
        docker exec aa sh -c 'mkdir /tmp/test'
        (no error)

    With this change applied:

        docker exec aa sh -c 'mkdir /tmp/test'
        mkdir: can't create directory '/tmp/test': Permission denied

    Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

* Add canonical import comment | Daniel Nephin | 2018-02-05 | 1 | -1/+1
    Signed-off-by: Daniel Nephin <dnephin@docker.com>

* Update libcontainerd to use containerd 1.0 | Kenfe-Mickael Laventure | 2017-10-20 | 1 | -4/+10
    Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>

* daemon: also ensureDefaultApparmorProfile in exec path | Aleksa Sarai | 2017-03-13 | 1 | -0/+23
    When 567ef8e7858c ("daemon: switch to 'ensure' workflow for AppArmor
    profiles") was merged, it didn't correctly handle the exec path if
    AppArmor profiles were deleted. Fix this by duplicating the
    ensureDefaultApparmorProfile code in the exec code.

    Fixes: 567ef8e7858c ("daemon: switch to 'ensure' workflow for AppArmor profiles")
    Signed-off-by: Aleksa Sarai <asarai@suse.de>

* Remove hacked Windows OCI spec, compile fixups | John Howard | 2016-09-27 | 1 | -1/+2
    Signed-off-by: John Howard <jhoward@microsoft.com>

* Replace execdrivers with containerd implementation | Tonis Tiigi | 2016-03-18 | 1 | -0/+26
    Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
    Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
    Signed-off-by: Anusha Ragunathan <anusha@docker.com>

* Remove LXC support. | David Calavera | 2015-11-05 | 1 | -18/+0
    The LXC driver was deprecated in Docker 1.8. Following the deprecation
    rules, we can remove a deprecated feature after two major releases.

    LXC won't be supported anymore starting on Docker 1.10.

    Signed-off-by: David Calavera <david.calavera@gmail.com>

* Windows: Split ContainerExecCreate | jhowardmsft | 2015-05-06 | 1 | -0/+18
    Signed-off-by: John Howard <jhoward@microsoft.com>