Commit Graph

10 Commits (b0c2236fc553f75dd1f822f83291bc9599958ddb)

Author SHA1 Message Date
Anda Xu 7f64188f17 add missing supplementary group IDs
Signed-off-by: Anda Xu <anda.xu@docker.com>
2018-06-29 18:50:03 -07:00
Tonis Tiigi 3b874e95f1 executor: runtime check if seccomp is supported
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2018-05-24 16:34:35 -07:00
Tonis Tiigi 566e28c174 snapshot: update mounts to mountable interface
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2018-04-27 17:58:24 -07:00
Ian Campbell ddae5a6ea4 Make llb.ReadonlyRootFS usable with common container images
e.g. with busybox image:

    OCI runtime create failed: container_linux.go:348:
    starting container process caused "process_linux.go:402:
    container init caused \"rootfs_linux.go:58:
    mounting \\\"proc\\\" to rootfs \\\"/.../rootfs\\\" at \\\"/proc\\\"
    caused \\\"mkdir /.../rootfs/proc: read-only file system\\\"\"": unknown

This is because we were setting the underlying snapshot readonly so the various
mountpoints (here /proc) cannot be created. This would not be necessary if
those mountpoints were present in images but they typically are not.

The right way to get around this (used e.g. by `ctr`) is to use a writeable
snapshot but to set root readonly in the OCI spec. In this configuration the
rootfs is writeable when mounts are processed but is then made readonly by the
runtime (runc) just before entering the user specified binary within the
container.

This involved a surprising amount of plumbing.

Use this new found ability in the dockerfile converter's `dispatchCopy`
function.

Signed-off-by: Ian Campbell <ijc@docker.com>
2018-04-03 11:04:07 +01:00
Tonis Tiigi 6e40e83d35 Remove net/context dependencies
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2018-01-17 09:11:22 -08:00
Tonis Tiigi b8dc00de71 vendor: update containerd to 1.0.1-rc0
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2018-01-11 17:49:09 -08:00
Akihiro Suda 571e14e003
Merge pull request #203 from tonistiigi/user
Add support for setting user
2017-12-13 13:06:07 +09:00
Tonis Tiigi 4c1ffbcc45 containerd: fix cancellation issue
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2017-12-12 19:15:29 -08:00
Tonis Tiigi 7a5390f355 worker: add support for custom user
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2017-12-12 10:26:30 -08:00
Akihiro Suda c3aa849014 multi-worker daemon
- [X] put multiples workers in a single binary ("-tags containerd standalone")
- [X] add worker selector to LLB vertex metadata
- [X] s/worker/executor/g
- [X] introduce the new "worker" concept https://github.com/moby/buildkit/pull/176#discussion_r153693928
- [X] fix up CLI
- [X] fix up tests
- allow using multiples workers (requires inter-vertex cache copier, HUGE!) --> will be separate PR

Implementation notes:
- "Workers" are renamed to "executors" now
- The new "worker" instance holds an "executor" instance and its
related stuffs such as the snapshotter
- The default worker is "runc-overlay"

Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2017-12-12 15:17:58 +09:00