5 files changed, 76 insertions, 41 deletions
diff --git a/runsc/boot/filter/config.go b/runsc/boot/filter/config.go
index 33e738efc..703f34827 100644
--- a/runsc/boot/filter/config.go
+++ b/runsc/boot/filter/config.go
@@ -463,6 +463,10 @@ func hostInetFilters() seccomp.SyscallRules {
 				seccomp.MatchAny{},
 				seccomp.EqualTo(unix.SIOCGIFFLAGS),
 			},
+			{
+				seccomp.MatchAny{},
+				seccomp.EqualTo(unix.SIOCGIFCONF),
+			},
 		},
 		unix.SYS_LISTEN:   {},
 		unix.SYS_READV:    {},
diff --git a/runsc/cmd/chroot.go b/runsc/cmd/chroot.go
index 7b11b3367..1fe9c6435 100644
--- a/runsc/cmd/chroot.go
+++ b/runsc/cmd/chroot.go
@@ -59,6 +59,23 @@ func pivotRoot(root string) error {
 	return nil
 }
 
+func copyFile(dst, src string) error {
+	in, err := os.Open(src)
+	if err != nil {
+		return err
+	}
+	defer in.Close()
+
+	out, err := os.Create(dst)
+	if err != nil {
+		return err
+	}
+	defer out.Close()
+
+	_, err = out.ReadFrom(in)
+	return err
+}
+
 // setUpChroot creates an empty directory with runsc mounted at /runsc and proc
 // mounted at /proc.
 func setUpChroot(pidns bool) error {
@@ -78,6 +95,14 @@ func setUpChroot(pidns bool) error {
 		return fmt.Errorf("error mounting tmpfs in choot: %v", err)
 	}
 
+	if err := os.Mkdir(filepath.Join(chroot, "etc"), 0755); err != nil {
+		return fmt.Errorf("error creating /etc in chroot: %v", err)
+	}
+
+	if err := copyFile(filepath.Join(chroot, "etc/localtime"), "/etc/localtime"); err != nil {
+		log.Warningf("Failed to copy /etc/localtime: %v. UTC timezone will be used.", err)
+	}
+
 	if pidns {
 		flags := uint32(unix.MS_NOSUID | unix.MS_NODEV | unix.MS_NOEXEC | unix.MS_RDONLY)
 		if err := mountInChroot(chroot, "proc", "/proc", "proc", flags); err != nil {
diff --git a/runsc/cmd/gofer.go b/runsc/cmd/gofer.go
index 20e05f141..2193e9040 100644
--- a/runsc/cmd/gofer.go
+++ b/runsc/cmd/gofer.go
@@ -285,16 +285,22 @@ func setupRootFS(spec *specs.Spec, conf *config.Config) error {
 
 		// Prepare tree structure for pivot_root(2).
 		if err := os.Mkdir("/proc/proc", 0755); err != nil {
-			Fatalf("%v", err)
+			Fatalf("error creating /proc/proc: %v", err)
 		}
 		if err := os.Mkdir("/proc/root", 0755); err != nil {
-			Fatalf("%v", err)
+			Fatalf("error creating /proc/root: %v", err)
+		}
+		if err := os.Mkdir("/proc/etc", 0755); err != nil {
+			Fatalf("error creating /proc/etc: %v", err)
 		}
 		// This cannot use SafeMount because there's no available procfs. But we
 		// know that /proc is an empty tmpfs mount, so this is safe.
 		if err := unix.Mount("runsc-proc", "/proc/proc", "proc", flags|unix.MS_RDONLY, ""); err != nil {
 			Fatalf("error mounting proc: %v", err)
 		}
+		if err := copyFile("/proc/etc/localtime", "/etc/localtime"); err != nil {
+			log.Warningf("Failed to copy /etc/localtime: %v. UTC timezone will be used.", err)
+		}
 		root = "/proc/root"
 		procPath = "/proc/proc"
 	}
@@ -409,7 +415,7 @@ func resolveMounts(conf *config.Config, mounts []specs.Mount, root string) ([]sp
 			panic(fmt.Sprintf("%q could not be made relative to %q: %v", dst, root, err))
 		}
 
-		opts, err := adjustMountOptions(filepath.Join(root, relDst), m.Options)
+		opts, err := adjustMountOptions(conf, filepath.Join(root, relDst), m.Options)
 		if err != nil {
 			return nil, err
 		}
@@ -475,7 +481,7 @@ func resolveSymlinksImpl(root, base, rel string, followCount uint) (string, erro
 }
 
 // adjustMountOptions adds 'overlayfs_stale_read' if mounting over overlayfs.
-func adjustMountOptions(path string, opts []string) ([]string, error) {
+func adjustMountOptions(conf *config.Config, path string, opts []string) ([]string, error) {
 	rv := make([]string, len(opts))
 	copy(rv, opts)
 
diff --git a/runsc/container/container.go b/runsc/container/container.go
index 7f066905a..6a9a07afe 100644
--- a/runsc/container/container.go
+++ b/runsc/container/container.go
@@ -789,30 +789,31 @@ func (c *Container) stop() error {
 }
 
 func (c *Container) waitForStopped() error {
+	if c.GoferPid == 0 {
+		return nil
+	}
+
+	if c.IsSandboxRunning() {
+		if err := c.SignalContainer(unix.Signal(0), false); err == nil {
+			return fmt.Errorf("container is still running")
+		}
+	}
+
+	if c.goferIsChild {
+		// The gofer process is a child of the current process,
+		// so we can wait it and collect its zombie.
+		if _, err := unix.Wait4(int(c.GoferPid), nil, 0, nil); err != nil {
+			return fmt.Errorf("error waiting the gofer process: %v", err)
+		}
+		c.GoferPid = 0
+		return nil
+	}
+
 	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
 	defer cancel()
 	b := backoff.WithContext(backoff.NewConstantBackOff(100*time.Millisecond), ctx)
 	op := func() error {
-		if c.IsSandboxRunning() {
-			if err := c.SignalContainer(unix.Signal(0), false); err == nil {
-				return fmt.Errorf("container is still running")
-			}
-		}
-		if c.GoferPid == 0 {
-			return nil
-		}
-		if c.goferIsChild {
-			// The gofer process is a child of the current process,
-			// so we can wait it and collect its zombie.
-			wpid, err := unix.Wait4(int(c.GoferPid), nil, unix.WNOHANG, nil)
-			if err != nil {
-				return fmt.Errorf("error waiting the gofer process: %v", err)
-			}
-			if wpid == 0 {
-				return fmt.Errorf("gofer is still running")
-			}
-
-		} else if err := unix.Kill(c.GoferPid, 0); err == nil {
+		if err := unix.Kill(c.GoferPid, 0); err == nil {
 			return fmt.Errorf("gofer is still running")
 		}
 		c.GoferPid = 0
diff --git a/runsc/sandbox/sandbox.go b/runsc/sandbox/sandbox.go
index 48efbb0b8..5fb7dc834 100644
--- a/runsc/sandbox/sandbox.go
+++ b/runsc/sandbox/sandbox.go
@@ -1157,27 +1157,26 @@ func (s *Sandbox) destroyContainer(cid string) error {
 }
 
 func (s *Sandbox) waitForStopped() error {
+	if s.child {
+		s.statusMu.Lock()
+		defer s.statusMu.Unlock()
+		if s.Pid == 0 {
+			return nil
+		}
+		// The sandbox process is a child of the current process,
+		// so we can wait it and collect its zombie.
+		if _, err := unix.Wait4(int(s.Pid), &s.status, 0, nil); err != nil {
+			return fmt.Errorf("error waiting the sandbox process: %v", err)
+		}
+		s.Pid = 0
+		return nil
+	}
+
 	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
 	defer cancel()
 	b := backoff.WithContext(backoff.NewConstantBackOff(100*time.Millisecond), ctx)
 	op := func() error {
-		if s.child {
-			s.statusMu.Lock()
-			defer s.statusMu.Unlock()
-			if s.Pid == 0 {
-				return nil
-			}
-			// The sandbox process is a child of the current process,
-			// so we can wait it and collect its zombie.
-			wpid, err := unix.Wait4(int(s.Pid), &s.status, unix.WNOHANG, nil)
-			if err != nil {
-				return fmt.Errorf("error waiting the sandbox process: %v", err)
-			}
-			if wpid == 0 {
-				return fmt.Errorf("sandbox is still running")
-			}
-			s.Pid = 0
-		} else if s.IsRunning() {
+		if s.IsRunning() {
 			return fmt.Errorf("sandbox is still running")
 		}
 		return nil