This repository has been archived by the owner on May 12, 2021. It is now read-only.

exec: failed to write to cgroup.procs #476

Closed
chavafg opened this issue Mar 12, 2019 · 15 comments

@chavafg
Contributor

chavafg commented Mar 12, 2019

Description of problem

There have been some random failures with the hot plug CPUs and cri-o tests. Digging a little bit more into the failures, both are failing when running an exec command as follows:

cri-o failure:

05:34:59 # time="2019-03-11 11:34:57.715914943Z" level=debug msg="Received container exit code: -1, message: rpc error: code = Internal desc = Could not run process: container_linux.go:348: starting container process caused "process_linux.go:90: adding pid 169 to cgroups caused \"failed to write 169 to cgroup.procs: write /sys/fs/cgroup/cpu,cpuacct/Burstable/pod_123-456/crio-1e4648d38f30013bbdba2249f0eb8b7c043ef40d904fb5276c9ac71b4ba054f9/cgroup.procs: invalid argument\""
05:34:59 # " 
05:34:59 # time="2019-03-11T11:34:57Z" level=fatal msg="execing command in container synchronously failed: rpc error: code = Unknown desc = command error: rpc error: code = Internal desc = Could not run process: container_linux.go:348: starting container process caused "process_linux.go:90: adding pid 169 to cgroups caused \"failed to write 169 to cgroup.procs: write /sys/fs/cgroup/cpu,cpuacct/Burstable/pod_123-456/crio-1e4648d38f30013bbdba2249f0eb8b7c043ef40d904fb5276c9ac71b4ba054f9/cgroup.procs: invalid argument\""
05:34:59 # , stdout: , stderr: , exit code -1" 

docker failure:

Running command '/usr/bin/docker [docker exec TRpJ2dq55fITz0QLTuH49SPporH9nE cat /sys/fs/cgroup/cpuset/cpuset.cpus]'
command failed error 'exit status 126'
[docker exec TRpJ2dq55fITz0QLTuH49SPporH9nE cat /sys/fs/cgroup/cpuset/cpuset.cpus]
Timeout: 60 seconds
Exit Code: 126
Stdout: OCI runtime exec failed: rpc error: code = Internal desc = Could not run process: container_linux.go:348: starting container process caused "process_linux.go:90: adding pid 128 to cgroups caused \"failed to write 128 to cgroup.procs: write /sys/fs/cgroup/cpu,cpuacct/docker/c81e621e3f3c96e7c1c05af8b814f9c507fbbe4fb017d50c8a3fa3edf2499b73/cgroup.procs: invalid argument\"": unknown

Some jobs affected by this issue:
http://jenkins.katacontainers.io/job/kata-containers-tests-fedora-PR/1236/consoleText
http://jenkins.katacontainers.io/job/kata-containers-tests-ubuntu-18-04-PR/126/consoleText
http://jenkins.katacontainers.io/job/kata-containers-tests-ubuntu-nemu/79/consoleText

@devimc

devimc commented Mar 12, 2019

Seems like this is a known issue that was already fixed: opencontainers/runc#1916

@jodh-intel
Contributor

Does someone want to pick up re-vendoring runc with this issue?

@chavafg
Contributor Author

chavafg commented Mar 13, 2019

I can do it, but to what revision should I revendor?
ccb5efd37fb7c86364786e9137e22948751de7ed is v1.0.0-rc6, which is the latest release and has the fix in it.
Or do we want a newer revision?

@devimc

devimc commented Mar 13, 2019

@chavafg use f414f497b50a61750ea3af9fccf998a3db687cea, that is the one before the CVE

chavafg added a commit to chavafg/agent that referenced this issue Mar 13, 2019
This runc revision contains fixes for:
`failed to write to cgroup.procs` when running `exec`
command.

Fixes: kata-containers#476.

Signed-off-by: Salvador Fuentes <[email protected]>
chavafg self-assigned this Mar 13, 2019
@sboeuf

sboeuf commented Mar 18, 2019

@devimc could you investigate this issue, as it seems to cause a bunch of instabilities in our CI? Also, from what I gathered from @chavafg's feedback, #477 might not be enough.
@chavafg @devimc please let us know what the status is on this issue, as we want to fix it ASAP to get a more reliable CI; we're delaying PRs right now because the CI never gets green on the first pass.

sboeuf pushed a commit to sboeuf/agent that referenced this issue Mar 18, 2019
The agent vendoring needs to be updated regarding the libcontainer
dependency so that it does not run into the following issue:

  "failed to write to cgroups.proc"

when running "kata-runtime exec" commands.

Commit bd3c4f844abed063a0d0a8575eb596159f33732c is included through
this vendoring:

    Fix race in runc exec

    There is a race in runc exec when the init process stops just before
    the check for the container status. It is then wrongly assumed that
    we are trying to start an init process instead of an exec process.

    This commit add an Init field to libcontainer Process to distinguish
    between init and exec processes to prevent this race.

In order to prevent from breaking Kata Containers with this commit,
we have to provide explicit information if the process is the init
process or not, depending if we're creating a new container or exec'ing
a process on an existing container.

The patch is part of this vendoring update.

Fixes kata-containers#476

Signed-off-by: Sebastien Boeuf <[email protected]>
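
The race described in the quoted commit message, reduced to a small model. This is an added example, not code from runc, libcontainer or the Kata agent; `Status`, `Process`, `pathInferred` and `pathExplicit` are hypothetical names, and returning an error for an exec on a stopped container is this model's choice.

```go
package main

import (
	"errors"
	"fmt"
)

// Status is a simplified container state for this model.
type Status int

const (
	Stopped Status = iota // no init process alive (never started, or init has exited)
	Running
)

// Process models only the field the quoted commit adds: Init.
type Process struct {
	Args []string
	Init bool // set by the caller: true when creating a container, false on exec
}

var (
	ErrStopped        = errors.New("cannot exec: container init is not running")
	ErrAlreadyRunning = errors.New("cannot start init: container is already running")
)

// pathInferred models the decision before the fix: the role of the new
// process is guessed from the container status sampled at call time.
func pathInferred(status Status, p Process) (string, error) {
	if status == Stopped {
		return "init", nil // an exec that arrives just after init exits lands here
	}
	return "exec", nil
}

// pathExplicit models the decision after the fix: the caller states the role,
// and the status is only used to reject requests that no longer make sense.
func pathExplicit(status Status, p Process) (string, error) {
	switch {
	case p.Init && status == Running:
		return "", ErrAlreadyRunning
	case p.Init:
		return "init", nil
	case status == Stopped:
		return "", ErrStopped
	default:
		return "exec", nil
	}
}

func main() {
	// Constructed exec request, borrowed from the docker failure above.
	req := Process{Args: []string{"cat", "/sys/fs/cgroup/cpuset/cpuset.cpus"}}

	// Running: normal case. Stopped: init exited just before the status check.
	for _, s := range []Status{Running, Stopped} {
		before, _ := pathInferred(s, req)
		after, err := pathExplicit(s, req)
		fmt.Printf("status=%d inferred=%q explicit=%q err=%v\n", s, before, after, err)
	}
}
```
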
@sboeuf

sboeuf commented Mar 18, 2019

@devimc @chavafg I've opened #490 to fix the revendoring of libcontainer. PTAL

sboeuf pushed a commit to sboeuf/agent that referenced this issue Mar 18, 2019
The agent vendoring needs to be updated regarding the libcontainer
dependency so that it does not run into the following issue:

  "failed to write to cgroups.proc"

when running "kata-runtime exec" commands.

Fixes kata-containers#476

Signed-off-by: Sebastien Boeuf <[email protected]>
sboeuf pushed a commit to sboeuf/agent that referenced this issue Mar 19, 2019
The agent vendoring needs to be updated regarding the libcontainer
dependency so that it does not run into the following issue:

  "failed to write to cgroups.proc"

when running "kata-runtime exec" commands.

Shortlog since last vendoring of github.com/opencontainers/runc:

    9fe7c939 Add a Travis-CI job for systemd cgroup driver
    5369f9ad Skip CRIU tests when $RUNC_USE_SYSTEMD for now
    d4586090 Update tests that depend on cgroupfs paths to consider systemd cgroups
    a9056a34 Add $RUNC_USE_SYSTEMD to use systemd cgroup driver in tests
    4b2b9782 Add cgroup name to error message
    6f714aa9 Use getenv not secure_getenv
    dbf6e48d README: link to /org/security/
    2d4a37b4 nsenter: cloned_binary: userspace copy fallback if sendfile fails
    16612d74 nsenter: cloned_binary: try to ro-bind /proc/self/exe before copying
    af9da0a4 nsenter: cloned_binary: use the runc statedir for O_TMPFILE
    2429d593 nsenter: cloned_binary: expand and add pre-3.11 fallbacks
    7cb3cde1 fix preserve-fds flag may cause runc hang
    5b775bf2 nsenter: cloned_binary: detect and handle short copies
    52f4e0fa exec: expose --preserve-fds
    f1da0d30 switched travis to xenial
    9edb5494 Use vendored in CRIU Go bindings
    bfca1e62 Vendor in go-criu
    bb7d8b1f nsexec (CVE-2019-5736): avoid parsing environ
    cd41feb4 Remove detection for scope properties, which have always been broken
    7354546c Create mountpoints also on restore
    f661e023 factor out bind mount mountpoint creation
    0a8e4117 nsenter: clone /proc/self/exe to avoid exposing host binary to container
    ec069fe3 Vendor opencontainers/runtime-spec 29686dbc
    4a600c04 Update vendored golang.org/x/sys to latest
    565325fc integration: fix mis-use of libcontainer.Factory
    dd50c7e3 Add 'org.criu.config' annotation documentation
    5f32bb94 Update runc-checkpoint man-page
    28a697cc rootfs: umount all procfs and sysfs with --no-pivot
    f0192337 systemd: fix setting kernel memory limit
    acb75d0e libcontainer: intelrdt: fix null intelrdt path issue in Destroy()
    403986c5 Add CRIU patch to fix checkpoint test
    6f3e13cc Added test for container specific CRIU configuration files
    e1579630 Enable CRIU configuration files
    360ba8a2 Update criurpc definition for latest features
    0855bce4 Fix .Fatalf() error message
    bdf3524b Retry adding pids to cgroups when EINVAL occurs
    769d6c4a Fix some typos
    dce70cdf cr: get pid from criu notify when restore
    8a4629f7 cgroups: nokmem: error out on explicitly-set kmemcg limits
    07d1ad44 kill: allow to signal paused containers
    30817421 Modify check-config.sh in accordance with Moby Project updates
    a0200001 MAINTAINERS: remove @vmarmol
    2efedb02 MAINTAINERS: remove @rjnagal
    87a18899 may kill other process when container has been stopped
    061dfe95 VERSION: back to development
    ccb5efd3 VERSION: release v1.0.0~rc6
    bc0b0471 Small fixes for CRIU based test cases
    37634277 Bump CRIU to 3.11
    48189715 add missing intelRdt parameters in 'runc update' manpage
    e2386860 libcontainer: Set 'status' in hook stdin
    95af9eff libcontainer: intelrdt: add support for Intel RDT/MBA Software Controller in runc
    714a4d46 rootless: fix potential panic in shouldUseRootlessCgroupManager
    16d55f17 libcontainer: fix potential panic if spec.Process is nil
    95d1aa18 test: fix TestDupNamespaces
    f1b1407e readme: add nokmem build tag
    1e0d04c6 Makefile: rm cgo tag
    6a2c1559 libcontainer: ability to compile without kmem
    df3fa115 Add support for cgroup namespace
    869add33 rootless: fix running with /proc/self/setgroups set to deny
    5c6b9c3c libcontainer: map PidsLimit to systemd's TasksMax property
    9a3a8a5e libcontainer: implement CLONE_NEWCGROUP
    630fb5b8 Bump Travis versions
    6c307f8f libcontainer: intelrdt: add user-friendly diagnostics for Intel RDT operation errors
    d59b17d6 libcontainer: intelrdt: Add more check if sub-features are enabled
    f0973392 libcontainer: intelrdt: add test cases for Intel RDT/MBA
    1ed597bf libcontainer: intelrdt: add update command support for Intel RDT/MBA
    27560ace libcontainer: intelrdt: add support for Intel RDT/MBA in runc
    c1cece7e libcontainer: intelrdt: add Intel RDT/MBA docs in SPEC.md
    bd905416 vendor: bump runtime-spec to 5684b8af48c1
    0b412e94 various cleanups to address linter issues
    0d011647 Fix travis Go: tip
    36f84720 fix build break
    1499c746 Move spec.Linux.IntelRdt check to spec.Linux != nil block
    26bdc0dc clarify license information
    a1d5398a Respect container's cgroup path
    5de99cd3 tty: clean up epollConsole closing
    ec0d23a9 tty: close epollConsole on errors
    40f14684 keyring: handle ENOSYS with keyctl(KEYCTL_JOIN_SESSION_KEYRING)
    5963cf2a test: add more test case for CleanPath
    06f789cf Disable rootless mode except RootlessCgMgr when executed as the root in userns
    feb90346 doc: fix typo
    4eb30fcd code optimization: use securejoin.SecureJoin and CleanPath
    4fae8fcc code optimization after review
    d2d226e8 fix unexpected delete bug when container id is ..
    3ce8fac7 libcontainer: add /proc/loadavg to the white list of bind mount
    636b6640 linux: drop check for /proc as invalid dest
    b34d6d8a libcontainer: CurrentGroupSubGIDs -> CurrentUserSubGIDs
    fe3d5c4c Remove unused veth setup code
    832ac8a5 tests: add external network namespace tests
    fa43a72a criu: restore into existing namespace when specified
    b399167f Add docker proxy settings for make test in a proxy environment
    62a4763a When doing a copyup, /tmp can not be a shared mount point
    4803faf0 cr: don't restore net namespace by default
    cb3e35b5 Add missing data to man page
    26ec8a97 Revert "libcontainer/rootfs_linux: minor cleanup"
    e389f575 Dockerfile: update criu to v3.10 + checkpoint-restore/criu@27034e7c
    34ed6269 Update outdated nsenter README content
    a2faaa13 Fix duplicate entries and missing entries in getCgroupMountsHelper
    0880503b Add an explanation for TESTPATH
    3321aa1a Fix regression with mounts with non-absolute source path
    b681b58e Fix the problem TESTFLAGS is not to be used in Makefile correctly
    8187fb74 cr: don't dump network devices and their configuration
    46221e39 criu tests: rename criu feature check
    7fb79f31 Add osusergo flag to static build
    53fddb54 Pass GOMAXPROCS to init processes
    472fcb30 docs: add information about terminals
    e5a7c61f Add test for testing cgroup mounts on bedrock linux
    5ee0648b Stop relying on number of subsystems for cgroups
    823c06ea libcontainer: improve "kernel.{domainname,hostname}" sysctl handling
    d18a45f6 Stop using unix.SIGUNUSED which has been removed from golang.org/x/sys
    a0e99e7a libcontainer: devices: fix mips builds
    39f679c4 travis: test cross compilation
    c205e9fb libcontainer: fix compilation on GOARCH=arm GOARM=6 (32 bits)
    cbcc85d3 runc: not require uid/gid mappings if euid()==0
    aa3fee6c SELinux labels are tied to the thread
    bd3c4f84 Fix race in runc exec
    63bb0fe9 Fix merge conflict
    939d5a37 cgroup: clean up isIgnorableError for skippable EROFS
    c9381573 libcontainer: remove extra CAP_SETGID check for SetgroupAttr
    b515963c systemd cpu quota ignores -1
    fd0febd3 Wrap error messages during init
    cdb7f23d main: add condition to isRootless()
    f103de57 main: support rootless mode in userns
    9c7d8bc1 libcontainer: add parser for /etc/sub{u,g}id and /proc/PID/{u,g}id_map
    40680b2d Make the setupSeccomp function public.
    1b27db67 libcontainer/rootfs_linux: minor cleanup
    165ee453 Make channel for StartTransientUnit buffered
    1a506462 nsexec.c: fix GCC 8 warning
    4521d4b1 Only configure networking when creating a net ns
    0e16bd9b Detect whether Delegate is available on both slices and scopes
    8ab251f2 Fix systemd.Apply() to check for DBus error before waiting on a channel.
    73f3dc63 libcontainer: allow setgroup in rootless mode
    ed58366c libcontainer: fix Boolmsg alignment
    fd3a6e6c libcontainer: handle unset oomScoreAdj corectly
    03e58598 rootless: cgroup: treat EROFS as a skippable error
    0aa6e4e5 libcontainer/specconv/spec_linux: Support empty 'type' for bind mounts
    5a46c2ba nsenter: move namespace creation after userns creation

Fixes kata-containers#476

Signed-off-by: Sebastien Boeuf <[email protected]>
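
A sketch of the approach named by shortlog entry bdf3524b ("Retry adding pids to cgroups when EINVAL occurs"), applied to the `cgroup.procs` write that fails in the logs at the top of this issue. This is an added example, not runc's code: `AddPid`, `writeFunc` and `flakyWriter` are hypothetical names, the attempt count and delay are constructed values, and the cgroup path is a placeholder that is never opened.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strconv"
	"syscall"
	"time"
)

// writeFunc performs one write to a cgroup.procs file. It is injected so the
// retry logic can be exercised without a real cgroup filesystem.
type writeFunc func(path string, data []byte) error

// writeProcFile is the writer to pass in against a real cgroup mount.
func writeProcFile(path string, data []byte) error {
	f, err := os.OpenFile(path, os.O_WRONLY, 0)
	if err != nil {
		return err
	}
	defer f.Close()
	_, err = f.Write(data)
	return err
}

var _ writeFunc = writeProcFile

// AddPid writes pid to <dir>/cgroup.procs. Only EINVAL is retried; any other
// errno (EACCES, ENOENT, ESRCH, ...) is returned at once so that permission
// or path problems are never hidden. It returns the number of writes issued.
func AddPid(write writeFunc, dir string, pid, attempts int, delay time.Duration) (int, error) {
	if attempts < 1 {
		attempts = 1
	}
	path := filepath.Join(dir, "cgroup.procs")
	data := []byte(strconv.Itoa(pid))
	var err error
	for try := 1; try <= attempts; try++ {
		if err = write(path, data); err == nil {
			return try, nil
		}
		if !errors.Is(err, syscall.EINVAL) {
			return try, fmt.Errorf("failed to write %d to cgroup.procs: %w", pid, err)
		}
		if try < attempts {
			time.Sleep(delay)
		}
	}
	return attempts, fmt.Errorf("failed to write %d to cgroup.procs after %d attempts: %w", pid, attempts, err)
}

// flakyWriter is a constructed stand-in for the kernel: the first `failures`
// writes fail with errno e, later writes succeed.
func flakyWriter(failures int, e syscall.Errno) writeFunc {
	calls := 0
	return func(path string, data []byte) error {
		calls++
		if calls <= failures {
			return &os.PathError{Op: "write", Path: path, Err: e}
		}
		return nil
	}
}

func main() {
	dir := "/sys/fs/cgroup/cpu,cpuacct/example" // constructed path, never opened here
	for _, c := range []struct {
		failures int
		errno    syscall.Errno
	}{{2, syscall.EINVAL}, {9, syscall.EINVAL}, {1, syscall.EACCES}} {
		n, err := AddPid(flakyWriter(c.failures, c.errno), dir, 169, 5, 10*time.Millisecond)
		fmt.Printf("failures=%d errno=%v -> writes=%d err=%v\n", c.failures, c.errno, n, err)
	}
}
```
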
@devimc

devimc commented Mar 19, 2019

thanks @sboeuf

@chavafg
Contributor Author

chavafg commented Apr 2, 2019

Reopening this issue as #490 was reverted and we are still getting exec failures.

chavafg reopened this Apr 2, 2019
@sboeuf

sboeuf commented Apr 2, 2019

@lifupan did you get a chance to investigate the failures related to the new libcontainer vendoring?

@lifupan
Member

lifupan commented Apr 2, 2019

> @lifupan did you get a chance to investigate the failures related to the new libcontainer vendoring?

Hi @sboeuf, yes, actually I've dug into this issue and have found some clues about it.

@sboeuf

sboeuf commented Apr 2, 2019

Oh nice, please share and submit any fix you got :)

@lifupan
Member

lifupan commented Apr 3, 2019

Hi @sboeuf, some info to update here:
I have found the root cause of shimv2 failing on the latest libcontainer, but the fix will bring
another issue for shimv2. I'm debugging how to solve it definitely; once I have figured out the patch,
I'll send it later.

@sboeuf

sboeuf commented Apr 3, 2019

Great! Thanks @lifupan 👍

@lifupan
Member

lifupan commented Apr 11, 2019

Hi @sboeuf
Since the PRs kata-containers/runtime#1494 and #526 have been merged, I think it's time to bring your patches back.

@sboeuf

sboeuf commented Apr 11, 2019

@lifupan thanks for the heads up! Let's resubmit the vendoring update.

sboeuf pushed a commit to sboeuf/agent that referenced this issue Apr 11, 2019
The agent vendoring needs to be updated regarding the libcontainer
dependency so that it does not run into the following issue:

  "failed to write to cgroups.proc"

when running "kata-runtime exec" commands.

Fixes kata-containers#476

Signed-off-by: Sebastien Boeuf <[email protected]>