summaryrefslogtreecommitdiffhomepage
path: root/vendor/github.com/opencontainers
diff options
context:
space:
mode:
Diffstat (limited to 'vendor/github.com/opencontainers')
-rw-r--r--vendor/github.com/opencontainers/go-digest/LICENSE191
-rw-r--r--vendor/github.com/opencontainers/go-digest/LICENSE.docs425
-rw-r--r--vendor/github.com/opencontainers/go-digest/README.md104
-rw-r--r--vendor/github.com/opencontainers/go-digest/algorithm.go192
-rw-r--r--vendor/github.com/opencontainers/go-digest/digest.go156
-rw-r--r--vendor/github.com/opencontainers/go-digest/digester.go39
-rw-r--r--vendor/github.com/opencontainers/go-digest/doc.go56
-rw-r--r--vendor/github.com/opencontainers/go-digest/verifiers.go45
-rw-r--r--vendor/github.com/opencontainers/runc/LICENSE191
-rw-r--r--vendor/github.com/opencontainers/runc/NOTICE17
-rw-r--r--vendor/github.com/opencontainers/runc/README.md269
-rw-r--r--vendor/github.com/opencontainers/runc/libcontainer/README.md330
-rw-r--r--vendor/github.com/opencontainers/runc/libcontainer/nsenter/README.md44
-rw-r--r--vendor/github.com/opencontainers/runc/libcontainer/nsenter/cloned_binary.c516
-rw-r--r--vendor/github.com/opencontainers/runc/libcontainer/nsenter/namespace.h32
-rw-r--r--vendor/github.com/opencontainers/runc/libcontainer/nsenter/nsenter.go12
-rw-r--r--vendor/github.com/opencontainers/runc/libcontainer/nsenter/nsenter_gccgo.go25
-rw-r--r--vendor/github.com/opencontainers/runc/libcontainer/nsenter/nsenter_unsupported.go5
-rw-r--r--vendor/github.com/opencontainers/runc/libcontainer/nsenter/nsexec.c1006
-rw-r--r--vendor/github.com/opencontainers/runc/libcontainer/system/linux.go155
-rw-r--r--vendor/github.com/opencontainers/runc/libcontainer/system/proc.go113
-rw-r--r--vendor/github.com/opencontainers/runc/libcontainer/system/syscall_linux_32.go26
-rw-r--r--vendor/github.com/opencontainers/runc/libcontainer/system/syscall_linux_64.go26
-rw-r--r--vendor/github.com/opencontainers/runc/libcontainer/system/sysconfig.go12
-rw-r--r--vendor/github.com/opencontainers/runc/libcontainer/system/sysconfig_notcgo.go15
-rw-r--r--vendor/github.com/opencontainers/runc/libcontainer/system/unsupported.go27
-rw-r--r--vendor/github.com/opencontainers/runc/libcontainer/system/xattrs_linux.go35
-rw-r--r--vendor/github.com/opencontainers/runc/libcontainer/user/lookup.go41
-rw-r--r--vendor/github.com/opencontainers/runc/libcontainer/user/lookup_unix.go144
-rw-r--r--vendor/github.com/opencontainers/runc/libcontainer/user/lookup_windows.go40
-rw-r--r--vendor/github.com/opencontainers/runc/libcontainer/user/user.go608
-rw-r--r--vendor/github.com/opencontainers/runc/vendor.conf26
-rw-r--r--vendor/github.com/opencontainers/runtime-spec/LICENSE191
-rw-r--r--vendor/github.com/opencontainers/runtime-spec/README.md153
-rw-r--r--vendor/github.com/opencontainers/runtime-spec/specs-go/config.go632
-rw-r--r--vendor/github.com/opencontainers/runtime-spec/specs-go/state.go17
-rw-r--r--vendor/github.com/opencontainers/runtime-spec/specs-go/version.go18
37 files changed, 0 insertions, 5934 deletions
diff --git a/vendor/github.com/opencontainers/go-digest/LICENSE b/vendor/github.com/opencontainers/go-digest/LICENSE
deleted file mode 100644
index 0ea3ff81e..000000000
--- a/vendor/github.com/opencontainers/go-digest/LICENSE
+++ /dev/null
@@ -1,191 +0,0 @@
-
- Apache License
- Version 2.0, January 2004
- https://www.apache.org/licenses/
-
- TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
-
- 1. Definitions.
-
- "License" shall mean the terms and conditions for use, reproduction,
- and distribution as defined by Sections 1 through 9 of this document.
-
- "Licensor" shall mean the copyright owner or entity authorized by
- the copyright owner that is granting the License.
-
- "Legal Entity" shall mean the union of the acting entity and all
- other entities that control, are controlled by, or are under common
- control with that entity. For the purposes of this definition,
- "control" means (i) the power, direct or indirect, to cause the
- direction or management of such entity, whether by contract or
- otherwise, or (ii) ownership of fifty percent (50%) or more of the
- outstanding shares, or (iii) beneficial ownership of such entity.
-
- "You" (or "Your") shall mean an individual or Legal Entity
- exercising permissions granted by this License.
-
- "Source" form shall mean the preferred form for making modifications,
- including but not limited to software source code, documentation
- source, and configuration files.
-
- "Object" form shall mean any form resulting from mechanical
- transformation or translation of a Source form, including but
- not limited to compiled object code, generated documentation,
- and conversions to other media types.
-
- "Work" shall mean the work of authorship, whether in Source or
- Object form, made available under the License, as indicated by a
- copyright notice that is included in or attached to the work
- (an example is provided in the Appendix below).
-
- "Derivative Works" shall mean any work, whether in Source or Object
- form, that is based on (or derived from) the Work and for which the
- editorial revisions, annotations, elaborations, or other modifications
- represent, as a whole, an original work of authorship. For the purposes
- of this License, Derivative Works shall not include works that remain
- separable from, or merely link (or bind by name) to the interfaces of,
- the Work and Derivative Works thereof.
-
- "Contribution" shall mean any work of authorship, including
- the original version of the Work and any modifications or additions
- to that Work or Derivative Works thereof, that is intentionally
- submitted to Licensor for inclusion in the Work by the copyright owner
- or by an individual or Legal Entity authorized to submit on behalf of
- the copyright owner. For the purposes of this definition, "submitted"
- means any form of electronic, verbal, or written communication sent
- to the Licensor or its representatives, including but not limited to
- communication on electronic mailing lists, source code control systems,
- and issue tracking systems that are managed by, or on behalf of, the
- Licensor for the purpose of discussing and improving the Work, but
- excluding communication that is conspicuously marked or otherwise
- designated in writing by the copyright owner as "Not a Contribution."
-
- "Contributor" shall mean Licensor and any individual or Legal Entity
- on behalf of whom a Contribution has been received by Licensor and
- subsequently incorporated within the Work.
-
- 2. Grant of Copyright License. Subject to the terms and conditions of
- this License, each Contributor hereby grants to You a perpetual,
- worldwide, non-exclusive, no-charge, royalty-free, irrevocable
- copyright license to reproduce, prepare Derivative Works of,
- publicly display, publicly perform, sublicense, and distribute the
- Work and such Derivative Works in Source or Object form.
-
- 3. Grant of Patent License. Subject to the terms and conditions of
- this License, each Contributor hereby grants to You a perpetual,
- worldwide, non-exclusive, no-charge, royalty-free, irrevocable
- (except as stated in this section) patent license to make, have made,
- use, offer to sell, sell, import, and otherwise transfer the Work,
- where such license applies only to those patent claims licensable
- by such Contributor that are necessarily infringed by their
- Contribution(s) alone or by combination of their Contribution(s)
- with the Work to which such Contribution(s) was submitted. If You
- institute patent litigation against any entity (including a
- cross-claim or counterclaim in a lawsuit) alleging that the Work
- or a Contribution incorporated within the Work constitutes direct
- or contributory patent infringement, then any patent licenses
- granted to You under this License for that Work shall terminate
- as of the date such litigation is filed.
-
- 4. Redistribution. You may reproduce and distribute copies of the
- Work or Derivative Works thereof in any medium, with or without
- modifications, and in Source or Object form, provided that You
- meet the following conditions:
-
- (a) You must give any other recipients of the Work or
- Derivative Works a copy of this License; and
-
- (b) You must cause any modified files to carry prominent notices
- stating that You changed the files; and
-
- (c) You must retain, in the Source form of any Derivative Works
- that You distribute, all copyright, patent, trademark, and
- attribution notices from the Source form of the Work,
- excluding those notices that do not pertain to any part of
- the Derivative Works; and
-
- (d) If the Work includes a "NOTICE" text file as part of its
- distribution, then any Derivative Works that You distribute must
- include a readable copy of the attribution notices contained
- within such NOTICE file, excluding those notices that do not
- pertain to any part of the Derivative Works, in at least one
- of the following places: within a NOTICE text file distributed
- as part of the Derivative Works; within the Source form or
- documentation, if provided along with the Derivative Works; or,
- within a display generated by the Derivative Works, if and
- wherever such third-party notices normally appear. The contents
- of the NOTICE file are for informational purposes only and
- do not modify the License. You may add Your own attribution
- notices within Derivative Works that You distribute, alongside
- or as an addendum to the NOTICE text from the Work, provided
- that such additional attribution notices cannot be construed
- as modifying the License.
-
- You may add Your own copyright statement to Your modifications and
- may provide additional or different license terms and conditions
- for use, reproduction, or distribution of Your modifications, or
- for any such Derivative Works as a whole, provided Your use,
- reproduction, and distribution of the Work otherwise complies with
- the conditions stated in this License.
-
- 5. Submission of Contributions. Unless You explicitly state otherwise,
- any Contribution intentionally submitted for inclusion in the Work
- by You to the Licensor shall be under the terms and conditions of
- this License, without any additional terms or conditions.
- Notwithstanding the above, nothing herein shall supersede or modify
- the terms of any separate license agreement you may have executed
- with Licensor regarding such Contributions.
-
- 6. Trademarks. This License does not grant permission to use the trade
- names, trademarks, service marks, or product names of the Licensor,
- except as required for reasonable and customary use in describing the
- origin of the Work and reproducing the content of the NOTICE file.
-
- 7. Disclaimer of Warranty. Unless required by applicable law or
- agreed to in writing, Licensor provides the Work (and each
- Contributor provides its Contributions) on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- implied, including, without limitation, any warranties or conditions
- of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
- PARTICULAR PURPOSE. You are solely responsible for determining the
- appropriateness of using or redistributing the Work and assume any
- risks associated with Your exercise of permissions under this License.
-
- 8. Limitation of Liability. In no event and under no legal theory,
- whether in tort (including negligence), contract, or otherwise,
- unless required by applicable law (such as deliberate and grossly
- negligent acts) or agreed to in writing, shall any Contributor be
- liable to You for damages, including any direct, indirect, special,
- incidental, or consequential damages of any character arising as a
- result of this License or out of the use or inability to use the
- Work (including but not limited to damages for loss of goodwill,
- work stoppage, computer failure or malfunction, or any and all
- other commercial damages or losses), even if such Contributor
- has been advised of the possibility of such damages.
-
- 9. Accepting Warranty or Additional Liability. While redistributing
- the Work or Derivative Works thereof, You may choose to offer,
- and charge a fee for, acceptance of support, warranty, indemnity,
- or other liability obligations and/or rights consistent with this
- License. However, in accepting such obligations, You may act only
- on Your own behalf and on Your sole responsibility, not on behalf
- of any other Contributor, and only if You agree to indemnify,
- defend, and hold each Contributor harmless for any liability
- incurred by, or claims asserted against, such Contributor by reason
- of your accepting any such warranty or additional liability.
-
- END OF TERMS AND CONDITIONS
-
- Copyright 2016 Docker, Inc.
-
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
-
- https://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
diff --git a/vendor/github.com/opencontainers/go-digest/LICENSE.docs b/vendor/github.com/opencontainers/go-digest/LICENSE.docs
deleted file mode 100644
index e26cd4fc8..000000000
--- a/vendor/github.com/opencontainers/go-digest/LICENSE.docs
+++ /dev/null
@@ -1,425 +0,0 @@
-Attribution-ShareAlike 4.0 International
-
-=======================================================================
-
-Creative Commons Corporation ("Creative Commons") is not a law firm and
-does not provide legal services or legal advice. Distribution of
-Creative Commons public licenses does not create a lawyer-client or
-other relationship. Creative Commons makes its licenses and related
-information available on an "as-is" basis. Creative Commons gives no
-warranties regarding its licenses, any material licensed under their
-terms and conditions, or any related information. Creative Commons
-disclaims all liability for damages resulting from their use to the
-fullest extent possible.
-
-Using Creative Commons Public Licenses
-
-Creative Commons public licenses provide a standard set of terms and
-conditions that creators and other rights holders may use to share
-original works of authorship and other material subject to copyright
-and certain other rights specified in the public license below. The
-following considerations are for informational purposes only, are not
-exhaustive, and do not form part of our licenses.
-
- Considerations for licensors: Our public licenses are
- intended for use by those authorized to give the public
- permission to use material in ways otherwise restricted by
- copyright and certain other rights. Our licenses are
- irrevocable. Licensors should read and understand the terms
- and conditions of the license they choose before applying it.
- Licensors should also secure all rights necessary before
- applying our licenses so that the public can reuse the
- material as expected. Licensors should clearly mark any
- material not subject to the license. This includes other CC-
- licensed material, or material used under an exception or
- limitation to copyright. More considerations for licensors:
- wiki.creativecommons.org/Considerations_for_licensors
-
- Considerations for the public: By using one of our public
- licenses, a licensor grants the public permission to use the
- licensed material under specified terms and conditions. If
- the licensor's permission is not necessary for any reason--for
- example, because of any applicable exception or limitation to
- copyright--then that use is not regulated by the license. Our
- licenses grant only permissions under copyright and certain
- other rights that a licensor has authority to grant. Use of
- the licensed material may still be restricted for other
- reasons, including because others have copyright or other
- rights in the material. A licensor may make special requests,
- such as asking that all changes be marked or described.
- Although not required by our licenses, you are encouraged to
- respect those requests where reasonable. More_considerations
- for the public:
- wiki.creativecommons.org/Considerations_for_licensees
-
-=======================================================================
-
-Creative Commons Attribution-ShareAlike 4.0 International Public
-License
-
-By exercising the Licensed Rights (defined below), You accept and agree
-to be bound by the terms and conditions of this Creative Commons
-Attribution-ShareAlike 4.0 International Public License ("Public
-License"). To the extent this Public License may be interpreted as a
-contract, You are granted the Licensed Rights in consideration of Your
-acceptance of these terms and conditions, and the Licensor grants You
-such rights in consideration of benefits the Licensor receives from
-making the Licensed Material available under these terms and
-conditions.
-
-
-Section 1 -- Definitions.
-
- a. Adapted Material means material subject to Copyright and Similar
- Rights that is derived from or based upon the Licensed Material
- and in which the Licensed Material is translated, altered,
- arranged, transformed, or otherwise modified in a manner requiring
- permission under the Copyright and Similar Rights held by the
- Licensor. For purposes of this Public License, where the Licensed
- Material is a musical work, performance, or sound recording,
- Adapted Material is always produced where the Licensed Material is
- synched in timed relation with a moving image.
-
- b. Adapter's License means the license You apply to Your Copyright
- and Similar Rights in Your contributions to Adapted Material in
- accordance with the terms and conditions of this Public License.
-
- c. BY-SA Compatible License means a license listed at
- creativecommons.org/compatiblelicenses, approved by Creative
- Commons as essentially the equivalent of this Public License.
-
- d. Copyright and Similar Rights means copyright and/or similar rights
- closely related to copyright including, without limitation,
- performance, broadcast, sound recording, and Sui Generis Database
- Rights, without regard to how the rights are labeled or
- categorized. For purposes of this Public License, the rights
- specified in Section 2(b)(1)-(2) are not Copyright and Similar
- Rights.
-
- e. Effective Technological Measures means those measures that, in the
- absence of proper authority, may not be circumvented under laws
- fulfilling obligations under Article 11 of the WIPO Copyright
- Treaty adopted on December 20, 1996, and/or similar international
- agreements.
-
- f. Exceptions and Limitations means fair use, fair dealing, and/or
- any other exception or limitation to Copyright and Similar Rights
- that applies to Your use of the Licensed Material.
-
- g. License Elements means the license attributes listed in the name
- of a Creative Commons Public License. The License Elements of this
- Public License are Attribution and ShareAlike.
-
- h. Licensed Material means the artistic or literary work, database,
- or other material to which the Licensor applied this Public
- License.
-
- i. Licensed Rights means the rights granted to You subject to the
- terms and conditions of this Public License, which are limited to
- all Copyright and Similar Rights that apply to Your use of the
- Licensed Material and that the Licensor has authority to license.
-
- j. Licensor means the individual(s) or entity(ies) granting rights
- under this Public License.
-
- k. Share means to provide material to the public by any means or
- process that requires permission under the Licensed Rights, such
- as reproduction, public display, public performance, distribution,
- dissemination, communication, or importation, and to make material
- available to the public including in ways that members of the
- public may access the material from a place and at a time
- individually chosen by them.
-
- l. Sui Generis Database Rights means rights other than copyright
- resulting from Directive 96/9/EC of the European Parliament and of
- the Council of 11 March 1996 on the legal protection of databases,
- as amended and/or succeeded, as well as other essentially
- equivalent rights anywhere in the world.
-
- m. You means the individual or entity exercising the Licensed Rights
- under this Public License. Your has a corresponding meaning.
-
-
-Section 2 -- Scope.
-
- a. License grant.
-
- 1. Subject to the terms and conditions of this Public License,
- the Licensor hereby grants You a worldwide, royalty-free,
- non-sublicensable, non-exclusive, irrevocable license to
- exercise the Licensed Rights in the Licensed Material to:
-
- a. reproduce and Share the Licensed Material, in whole or
- in part; and
-
- b. produce, reproduce, and Share Adapted Material.
-
- 2. Exceptions and Limitations. For the avoidance of doubt, where
- Exceptions and Limitations apply to Your use, this Public
- License does not apply, and You do not need to comply with
- its terms and conditions.
-
- 3. Term. The term of this Public License is specified in Section
- 6(a).
-
- 4. Media and formats; technical modifications allowed. The
- Licensor authorizes You to exercise the Licensed Rights in
- all media and formats whether now known or hereafter created,
- and to make technical modifications necessary to do so. The
- Licensor waives and/or agrees not to assert any right or
- authority to forbid You from making technical modifications
- necessary to exercise the Licensed Rights, including
- technical modifications necessary to circumvent Effective
- Technological Measures. For purposes of this Public License,
- simply making modifications authorized by this Section 2(a)
- (4) never produces Adapted Material.
-
- 5. Downstream recipients.
-
- a. Offer from the Licensor -- Licensed Material. Every
- recipient of the Licensed Material automatically
- receives an offer from the Licensor to exercise the
- Licensed Rights under the terms and conditions of this
- Public License.
-
- b. Additional offer from the Licensor -- Adapted Material.
- Every recipient of Adapted Material from You
- automatically receives an offer from the Licensor to
- exercise the Licensed Rights in the Adapted Material
- under the conditions of the Adapter's License You apply.
-
- c. No downstream restrictions. You may not offer or impose
- any additional or different terms or conditions on, or
- apply any Effective Technological Measures to, the
- Licensed Material if doing so restricts exercise of the
- Licensed Rights by any recipient of the Licensed
- Material.
-
- 6. No endorsement. Nothing in this Public License constitutes or
- may be construed as permission to assert or imply that You
- are, or that Your use of the Licensed Material is, connected
- with, or sponsored, endorsed, or granted official status by,
- the Licensor or others designated to receive attribution as
- provided in Section 3(a)(1)(A)(i).
-
- b. Other rights.
-
- 1. Moral rights, such as the right of integrity, are not
- licensed under this Public License, nor are publicity,
- privacy, and/or other similar personality rights; however, to
- the extent possible, the Licensor waives and/or agrees not to
- assert any such rights held by the Licensor to the limited
- extent necessary to allow You to exercise the Licensed
- Rights, but not otherwise.
-
- 2. Patent and trademark rights are not licensed under this
- Public License.
-
- 3. To the extent possible, the Licensor waives any right to
- collect royalties from You for the exercise of the Licensed
- Rights, whether directly or through a collecting society
- under any voluntary or waivable statutory or compulsory
- licensing scheme. In all other cases the Licensor expressly
- reserves any right to collect such royalties.
-
-
-Section 3 -- License Conditions.
-
-Your exercise of the Licensed Rights is expressly made subject to the
-following conditions.
-
- a. Attribution.
-
- 1. If You Share the Licensed Material (including in modified
- form), You must:
-
- a. retain the following if it is supplied by the Licensor
- with the Licensed Material:
-
- i. identification of the creator(s) of the Licensed
- Material and any others designated to receive
- attribution, in any reasonable manner requested by
- the Licensor (including by pseudonym if
- designated);
-
- ii. a copyright notice;
-
- iii. a notice that refers to this Public License;
-
- iv. a notice that refers to the disclaimer of
- warranties;
-
- v. a URI or hyperlink to the Licensed Material to the
- extent reasonably practicable;
-
- b. indicate if You modified the Licensed Material and
- retain an indication of any previous modifications; and
-
- c. indicate the Licensed Material is licensed under this
- Public License, and include the text of, or the URI or
- hyperlink to, this Public License.
-
- 2. You may satisfy the conditions in Section 3(a)(1) in any
- reasonable manner based on the medium, means, and context in
- which You Share the Licensed Material. For example, it may be
- reasonable to satisfy the conditions by providing a URI or
- hyperlink to a resource that includes the required
- information.
-
- 3. If requested by the Licensor, You must remove any of the
- information required by Section 3(a)(1)(A) to the extent
- reasonably practicable.
-
- b. ShareAlike.
-
- In addition to the conditions in Section 3(a), if You Share
- Adapted Material You produce, the following conditions also apply.
-
- 1. The Adapter's License You apply must be a Creative Commons
- license with the same License Elements, this version or
- later, or a BY-SA Compatible License.
-
- 2. You must include the text of, or the URI or hyperlink to, the
- Adapter's License You apply. You may satisfy this condition
- in any reasonable manner based on the medium, means, and
- context in which You Share Adapted Material.
-
- 3. You may not offer or impose any additional or different terms
- or conditions on, or apply any Effective Technological
- Measures to, Adapted Material that restrict exercise of the
- rights granted under the Adapter's License You apply.
-
-
-Section 4 -- Sui Generis Database Rights.
-
-Where the Licensed Rights include Sui Generis Database Rights that
-apply to Your use of the Licensed Material:
-
- a. for the avoidance of doubt, Section 2(a)(1) grants You the right
- to extract, reuse, reproduce, and Share all or a substantial
- portion of the contents of the database;
-
- b. if You include all or a substantial portion of the database
- contents in a database in which You have Sui Generis Database
- Rights, then the database in which You have Sui Generis Database
- Rights (but not its individual contents) is Adapted Material,
-
- including for purposes of Section 3(b); and
- c. You must comply with the conditions in Section 3(a) if You Share
- all or a substantial portion of the contents of the database.
-
-For the avoidance of doubt, this Section 4 supplements and does not
-replace Your obligations under this Public License where the Licensed
-Rights include other Copyright and Similar Rights.
-
-
-Section 5 -- Disclaimer of Warranties and Limitation of Liability.
-
- a. UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE
- EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS
- AND AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF
- ANY KIND CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS,
- IMPLIED, STATUTORY, OR OTHER. THIS INCLUDES, WITHOUT LIMITATION,
- WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR
- PURPOSE, NON-INFRINGEMENT, ABSENCE OF LATENT OR OTHER DEFECTS,
- ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT
- KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF WARRANTIES ARE NOT
- ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT APPLY TO YOU.
-
- b. TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE
- TO YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION,
- NEGLIGENCE) OR OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT,
- INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES,
- COSTS, EXPENSES, OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR
- USE OF THE LICENSED MATERIAL, EVEN IF THE LICENSOR HAS BEEN
- ADVISED OF THE POSSIBILITY OF SUCH LOSSES, COSTS, EXPENSES, OR
- DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT ALLOWED IN FULL OR
- IN PART, THIS LIMITATION MAY NOT APPLY TO YOU.
-
- c. The disclaimer of warranties and limitation of liability provided
- above shall be interpreted in a manner that, to the extent
- possible, most closely approximates an absolute disclaimer and
- waiver of all liability.
-
-
-Section 6 -- Term and Termination.
-
- a. This Public License applies for the term of the Copyright and
- Similar Rights licensed here. However, if You fail to comply with
- this Public License, then Your rights under this Public License
- terminate automatically.
-
- b. Where Your right to use the Licensed Material has terminated under
- Section 6(a), it reinstates:
-
- 1. automatically as of the date the violation is cured, provided
- it is cured within 30 days of Your discovery of the
- violation; or
-
- 2. upon express reinstatement by the Licensor.
-
- For the avoidance of doubt, this Section 6(b) does not affect any
- right the Licensor may have to seek remedies for Your violations
- of this Public License.
-
- c. For the avoidance of doubt, the Licensor may also offer the
- Licensed Material under separate terms or conditions or stop
- distributing the Licensed Material at any time; however, doing so
- will not terminate this Public License.
-
- d. Sections 1, 5, 6, 7, and 8 survive termination of this Public
- License.
-
-
-Section 7 -- Other Terms and Conditions.
-
- a. The Licensor shall not be bound by any additional or different
- terms or conditions communicated by You unless expressly agreed.
-
- b. Any arrangements, understandings, or agreements regarding the
- Licensed Material not stated herein are separate from and
- independent of the terms and conditions of this Public License.
-
-
-Section 8 -- Interpretation.
-
- a. For the avoidance of doubt, this Public License does not, and
- shall not be interpreted to, reduce, limit, restrict, or impose
- conditions on any use of the Licensed Material that could lawfully
- be made without permission under this Public License.
-
- b. To the extent possible, if any provision of this Public License is
- deemed unenforceable, it shall be automatically reformed to the
- minimum extent necessary to make it enforceable. If the provision
- cannot be reformed, it shall be severed from this Public License
- without affecting the enforceability of the remaining terms and
- conditions.
-
- c. No term or condition of this Public License will be waived and no
- failure to comply consented to unless expressly agreed to by the
- Licensor.
-
- d. Nothing in this Public License constitutes or may be interpreted
- as a limitation upon, or waiver of, any privileges and immunities
- that apply to the Licensor or You, including from the legal
- processes of any jurisdiction or authority.
-
-
-=======================================================================
-
-Creative Commons is not a party to its public licenses.
-Notwithstanding, Creative Commons may elect to apply one of its public
-licenses to material it publishes and in those instances will be
-considered the "Licensor." Except for the limited purpose of indicating
-that material is shared under a Creative Commons public license or as
-otherwise permitted by the Creative Commons policies published at
-creativecommons.org/policies, Creative Commons does not authorize the
-use of the trademark "Creative Commons" or any other trademark or logo
-of Creative Commons without its prior written consent including,
-without limitation, in connection with any unauthorized modifications
-to any of its public licenses or any other arrangements,
-understandings, or agreements concerning use of licensed material. For
-the avoidance of doubt, this paragraph does not form part of the public
-licenses.
-
-Creative Commons may be contacted at creativecommons.org.
diff --git a/vendor/github.com/opencontainers/go-digest/README.md b/vendor/github.com/opencontainers/go-digest/README.md
deleted file mode 100644
index 25aac3470..000000000
--- a/vendor/github.com/opencontainers/go-digest/README.md
+++ /dev/null
@@ -1,104 +0,0 @@
-# go-digest
-
-[![GoDoc](https://godoc.org/github.com/opencontainers/go-digest?status.svg)](https://godoc.org/github.com/opencontainers/go-digest) [![Go Report Card](https://goreportcard.com/badge/github.com/opencontainers/go-digest)](https://goreportcard.com/report/github.com/opencontainers/go-digest) [![Build Status](https://travis-ci.org/opencontainers/go-digest.svg?branch=master)](https://travis-ci.org/opencontainers/go-digest)
-
-Common digest package used across the container ecosystem.
-
-Please see the [godoc](https://godoc.org/github.com/opencontainers/go-digest) for more information.
-
-# What is a digest?
-
-A digest is just a hash.
-
-The most common use case for a digest is to create a content
-identifier for use in [Content Addressable Storage](https://en.wikipedia.org/wiki/Content-addressable_storage)
-systems:
-
-```go
-id := digest.FromBytes([]byte("my content"))
-```
-
-In the example above, the id can be used to uniquely identify
-the byte slice "my content". This allows two disparate applications
-to agree on a verifiable identifier without having to trust one
-another.
-
-An identifying digest can be verified, as follows:
-
-```go
-if id != digest.FromBytes([]byte("my content")) {
- return errors.New("the content has changed!")
-}
-```
-
-A `Verifier` type can be used to handle cases where an `io.Reader`
-makes more sense:
-
-```go
-rd := getContent()
-verifier := id.Verifier()
-io.Copy(verifier, rd)
-
-if !verifier.Verified() {
- return errors.New("the content has changed!")
-}
-```
-
-Using [Merkle DAGs](https://en.wikipedia.org/wiki/Merkle_tree), this
-can power a rich, safe, content distribution system.
-
-# Usage
-
-While the [godoc](https://godoc.org/github.com/opencontainers/go-digest) is
-considered the best resource, a few important items need to be called
-out when using this package.
-
-1. Make sure to import the hash implementations into your application
- or the package will panic. You should have something like the
- following in the main (or other entrypoint) of your application:
-
- ```go
- import (
- _ "crypto/sha256"
- _ "crypto/sha512"
- )
- ```
- This may seem inconvenient but it allows you replace the hash
- implementations with others, such as https://github.com/stevvooe/resumable.
-
-2. Even though `digest.Digest` may be assemable as a string, _always_
- verify your input with `digest.Parse` or use `Digest.Validate`
- when accepting untrusted input. While there are measures to
- avoid common problems, this will ensure you have valid digests
- in the rest of your application.
-
-# Stability
-
-The Go API, at this stage, is considered stable, unless otherwise noted.
-
-As always, before using a package export, read the [godoc](https://godoc.org/github.com/opencontainers/go-digest).
-
-# Contributing
-
-This package is considered fairly complete. It has been in production
-in thousands (millions?) of deployments and is fairly battle-hardened.
-New additions will be met with skepticism. If you think there is a
-missing feature, please file a bug clearly describing the problem and
-the alternatives you tried before submitting a PR.
-
-# Reporting security issues
-
-Please DO NOT file a public issue, instead send your report privately to
-security@opencontainers.org.
-
-The maintainers take security seriously. If you discover a security issue,
-please bring it to their attention right away!
-
-If you are reporting a security issue, do not create an issue or file a pull
-request on GitHub. Instead, disclose the issue responsibly by sending an email
-to security@opencontainers.org (which is inhabited only by the maintainers of
-the various OCI projects).
-
-# Copyright and license
-
-Copyright © 2016 Docker, Inc. All rights reserved, except as follows. Code is released under the [Apache 2.0 license](LICENSE). This `README.md` file and the [`CONTRIBUTING.md`](CONTRIBUTING.md) file are licensed under the Creative Commons Attribution 4.0 International License under the terms and conditions set forth in the file [`LICENSE.docs`](LICENSE.docs). You may obtain a duplicate copy of the same license, titled CC BY-SA 4.0, at http://creativecommons.org/licenses/by-sa/4.0/.
diff --git a/vendor/github.com/opencontainers/go-digest/algorithm.go b/vendor/github.com/opencontainers/go-digest/algorithm.go
deleted file mode 100644
index 8813bd26f..000000000
--- a/vendor/github.com/opencontainers/go-digest/algorithm.go
+++ /dev/null
@@ -1,192 +0,0 @@
-// Copyright 2017 Docker, Inc.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// https://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package digest
-
-import (
- "crypto"
- "fmt"
- "hash"
- "io"
- "regexp"
-)
-
-// Algorithm identifies and implementation of a digester by an identifier.
-// Note the that this defines both the hash algorithm used and the string
-// encoding.
-type Algorithm string
-
-// supported digest types
-const (
- SHA256 Algorithm = "sha256" // sha256 with hex encoding (lower case only)
- SHA384 Algorithm = "sha384" // sha384 with hex encoding (lower case only)
- SHA512 Algorithm = "sha512" // sha512 with hex encoding (lower case only)
-
- // Canonical is the primary digest algorithm used with the distribution
- // project. Other digests may be used but this one is the primary storage
- // digest.
- Canonical = SHA256
-)
-
-var (
- // TODO(stevvooe): Follow the pattern of the standard crypto package for
- // registration of digests. Effectively, we are a registerable set and
- // common symbol access.
-
- // algorithms maps values to hash.Hash implementations. Other algorithms
- // may be available but they cannot be calculated by the digest package.
- algorithms = map[Algorithm]crypto.Hash{
- SHA256: crypto.SHA256,
- SHA384: crypto.SHA384,
- SHA512: crypto.SHA512,
- }
-
- // anchoredEncodedRegexps contains anchored regular expressions for hex-encoded digests.
- // Note that /A-F/ disallowed.
- anchoredEncodedRegexps = map[Algorithm]*regexp.Regexp{
- SHA256: regexp.MustCompile(`^[a-f0-9]{64}$`),
- SHA384: regexp.MustCompile(`^[a-f0-9]{96}$`),
- SHA512: regexp.MustCompile(`^[a-f0-9]{128}$`),
- }
-)
-
-// Available returns true if the digest type is available for use. If this
-// returns false, Digester and Hash will return nil.
-func (a Algorithm) Available() bool {
- h, ok := algorithms[a]
- if !ok {
- return false
- }
-
- // check availability of the hash, as well
- return h.Available()
-}
-
-func (a Algorithm) String() string {
- return string(a)
-}
-
-// Size returns number of bytes returned by the hash.
-func (a Algorithm) Size() int {
- h, ok := algorithms[a]
- if !ok {
- return 0
- }
- return h.Size()
-}
-
-// Set implemented to allow use of Algorithm as a command line flag.
-func (a *Algorithm) Set(value string) error {
- if value == "" {
- *a = Canonical
- } else {
- // just do a type conversion, support is queried with Available.
- *a = Algorithm(value)
- }
-
- if !a.Available() {
- return ErrDigestUnsupported
- }
-
- return nil
-}
-
-// Digester returns a new digester for the specified algorithm. If the algorithm
-// does not have a digester implementation, nil will be returned. This can be
-// checked by calling Available before calling Digester.
-func (a Algorithm) Digester() Digester {
- return &digester{
- alg: a,
- hash: a.Hash(),
- }
-}
-
-// Hash returns a new hash as used by the algorithm. If not available, the
-// method will panic. Check Algorithm.Available() before calling.
-func (a Algorithm) Hash() hash.Hash {
- if !a.Available() {
- // Empty algorithm string is invalid
- if a == "" {
- panic(fmt.Sprintf("empty digest algorithm, validate before calling Algorithm.Hash()"))
- }
-
- // NOTE(stevvooe): A missing hash is usually a programming error that
- // must be resolved at compile time. We don't import in the digest
- // package to allow users to choose their hash implementation (such as
- // when using stevvooe/resumable or a hardware accelerated package).
- //
- // Applications that may want to resolve the hash at runtime should
- // call Algorithm.Available before call Algorithm.Hash().
- panic(fmt.Sprintf("%v not available (make sure it is imported)", a))
- }
-
- return algorithms[a].New()
-}
-
-// Encode encodes the raw bytes of a digest, typically from a hash.Hash, into
-// the encoded portion of the digest.
-func (a Algorithm) Encode(d []byte) string {
- // TODO(stevvooe): Currently, all algorithms use a hex encoding. When we
- // add support for back registration, we can modify this accordingly.
- return fmt.Sprintf("%x", d)
-}
-
-// FromReader returns the digest of the reader using the algorithm.
-func (a Algorithm) FromReader(rd io.Reader) (Digest, error) {
- digester := a.Digester()
-
- if _, err := io.Copy(digester.Hash(), rd); err != nil {
- return "", err
- }
-
- return digester.Digest(), nil
-}
-
-// FromBytes digests the input and returns a Digest.
-func (a Algorithm) FromBytes(p []byte) Digest {
- digester := a.Digester()
-
- if _, err := digester.Hash().Write(p); err != nil {
- // Writes to a Hash should never fail. None of the existing
- // hash implementations in the stdlib or hashes vendored
- // here can return errors from Write. Having a panic in this
- // condition instead of having FromBytes return an error value
- // avoids unnecessary error handling paths in all callers.
- panic("write to hash function returned error: " + err.Error())
- }
-
- return digester.Digest()
-}
-
-// FromString digests the string input and returns a Digest.
-func (a Algorithm) FromString(s string) Digest {
- return a.FromBytes([]byte(s))
-}
-
-// Validate validates the encoded portion string
-func (a Algorithm) Validate(encoded string) error {
- r, ok := anchoredEncodedRegexps[a]
- if !ok {
- return ErrDigestUnsupported
- }
- // Digests much always be hex-encoded, ensuring that their hex portion will
- // always be size*2
- if a.Size()*2 != len(encoded) {
- return ErrDigestInvalidLength
- }
- if r.MatchString(encoded) {
- return nil
- }
- return ErrDigestInvalidFormat
-}
diff --git a/vendor/github.com/opencontainers/go-digest/digest.go b/vendor/github.com/opencontainers/go-digest/digest.go
deleted file mode 100644
index ad398cba2..000000000
--- a/vendor/github.com/opencontainers/go-digest/digest.go
+++ /dev/null
@@ -1,156 +0,0 @@
-// Copyright 2017 Docker, Inc.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// https://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package digest
-
-import (
- "fmt"
- "hash"
- "io"
- "regexp"
- "strings"
-)
-
-// Digest allows simple protection of hex formatted digest strings, prefixed
-// by their algorithm. Strings of type Digest have some guarantee of being in
-// the correct format and it provides quick access to the components of a
-// digest string.
-//
-// The following is an example of the contents of Digest types:
-//
-// sha256:7173b809ca12ec5dee4506cd86be934c4596dd234ee82c0662eac04a8c2c71dc
-//
-// This allows to abstract the digest behind this type and work only in those
-// terms.
-type Digest string
-
-// NewDigest returns a Digest from alg and a hash.Hash object.
-func NewDigest(alg Algorithm, h hash.Hash) Digest {
- return NewDigestFromBytes(alg, h.Sum(nil))
-}
-
-// NewDigestFromBytes returns a new digest from the byte contents of p.
-// Typically, this can come from hash.Hash.Sum(...) or xxx.SumXXX(...)
-// functions. This is also useful for rebuilding digests from binary
-// serializations.
-func NewDigestFromBytes(alg Algorithm, p []byte) Digest {
- return NewDigestFromEncoded(alg, alg.Encode(p))
-}
-
-// NewDigestFromHex is deprecated. Please use NewDigestFromEncoded.
-func NewDigestFromHex(alg, hex string) Digest {
- return NewDigestFromEncoded(Algorithm(alg), hex)
-}
-
-// NewDigestFromEncoded returns a Digest from alg and the encoded digest.
-func NewDigestFromEncoded(alg Algorithm, encoded string) Digest {
- return Digest(fmt.Sprintf("%s:%s", alg, encoded))
-}
-
-// DigestRegexp matches valid digest types.
-var DigestRegexp = regexp.MustCompile(`[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+`)
-
-// DigestRegexpAnchored matches valid digest types, anchored to the start and end of the match.
-var DigestRegexpAnchored = regexp.MustCompile(`^` + DigestRegexp.String() + `$`)
-
-var (
- // ErrDigestInvalidFormat returned when digest format invalid.
- ErrDigestInvalidFormat = fmt.Errorf("invalid checksum digest format")
-
- // ErrDigestInvalidLength returned when digest has invalid length.
- ErrDigestInvalidLength = fmt.Errorf("invalid checksum digest length")
-
- // ErrDigestUnsupported returned when the digest algorithm is unsupported.
- ErrDigestUnsupported = fmt.Errorf("unsupported digest algorithm")
-)
-
-// Parse parses s and returns the validated digest object. An error will
-// be returned if the format is invalid.
-func Parse(s string) (Digest, error) {
- d := Digest(s)
- return d, d.Validate()
-}
-
-// FromReader consumes the content of rd until io.EOF, returning canonical digest.
-func FromReader(rd io.Reader) (Digest, error) {
- return Canonical.FromReader(rd)
-}
-
-// FromBytes digests the input and returns a Digest.
-func FromBytes(p []byte) Digest {
- return Canonical.FromBytes(p)
-}
-
-// FromString digests the input and returns a Digest.
-func FromString(s string) Digest {
- return Canonical.FromString(s)
-}
-
-// Validate checks that the contents of d is a valid digest, returning an
-// error if not.
-func (d Digest) Validate() error {
- s := string(d)
- i := strings.Index(s, ":")
- if i <= 0 || i+1 == len(s) {
- return ErrDigestInvalidFormat
- }
- algorithm, encoded := Algorithm(s[:i]), s[i+1:]
- if !algorithm.Available() {
- if !DigestRegexpAnchored.MatchString(s) {
- return ErrDigestInvalidFormat
- }
- return ErrDigestUnsupported
- }
- return algorithm.Validate(encoded)
-}
-
-// Algorithm returns the algorithm portion of the digest. This will panic if
-// the underlying digest is not in a valid format.
-func (d Digest) Algorithm() Algorithm {
- return Algorithm(d[:d.sepIndex()])
-}
-
-// Verifier returns a writer object that can be used to verify a stream of
-// content against the digest. If the digest is invalid, the method will panic.
-func (d Digest) Verifier() Verifier {
- return hashVerifier{
- hash: d.Algorithm().Hash(),
- digest: d,
- }
-}
-
-// Encoded returns the encoded portion of the digest. This will panic if the
-// underlying digest is not in a valid format.
-func (d Digest) Encoded() string {
- return string(d[d.sepIndex()+1:])
-}
-
-// Hex is deprecated. Please use Digest.Encoded.
-func (d Digest) Hex() string {
- return d.Encoded()
-}
-
-func (d Digest) String() string {
- return string(d)
-}
-
-func (d Digest) sepIndex() int {
- i := strings.Index(string(d), ":")
-
- if i < 0 {
- panic(fmt.Sprintf("no ':' separator in digest %q", d))
- }
-
- return i
-}
diff --git a/vendor/github.com/opencontainers/go-digest/digester.go b/vendor/github.com/opencontainers/go-digest/digester.go
deleted file mode 100644
index 36fa2728e..000000000
--- a/vendor/github.com/opencontainers/go-digest/digester.go
+++ /dev/null
@@ -1,39 +0,0 @@
-// Copyright 2017 Docker, Inc.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// https://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package digest
-
-import "hash"
-
-// Digester calculates the digest of written data. Writes should go directly
-// to the return value of Hash, while calling Digest will return the current
-// value of the digest.
-type Digester interface {
- Hash() hash.Hash // provides direct access to underlying hash instance.
- Digest() Digest
-}
-
-// digester provides a simple digester definition that embeds a hasher.
-type digester struct {
- alg Algorithm
- hash hash.Hash
-}
-
-func (d *digester) Hash() hash.Hash {
- return d.hash
-}
-
-func (d *digester) Digest() Digest {
- return NewDigest(d.alg, d.hash)
-}
diff --git a/vendor/github.com/opencontainers/go-digest/doc.go b/vendor/github.com/opencontainers/go-digest/doc.go
deleted file mode 100644
index 491ea1ef1..000000000
--- a/vendor/github.com/opencontainers/go-digest/doc.go
+++ /dev/null
@@ -1,56 +0,0 @@
-// Copyright 2017 Docker, Inc.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// https://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-// Package digest provides a generalized type to opaquely represent message
-// digests and their operations within the registry. The Digest type is
-// designed to serve as a flexible identifier in a content-addressable system.
-// More importantly, it provides tools and wrappers to work with
-// hash.Hash-based digests with little effort.
-//
-// Basics
-//
-// The format of a digest is simply a string with two parts, dubbed the
-// "algorithm" and the "digest", separated by a colon:
-//
-// <algorithm>:<digest>
-//
-// An example of a sha256 digest representation follows:
-//
-// sha256:7173b809ca12ec5dee4506cd86be934c4596dd234ee82c0662eac04a8c2c71dc
-//
-// In this case, the string "sha256" is the algorithm and the hex bytes are
-// the "digest".
-//
-// Because the Digest type is simply a string, once a valid Digest is
-// obtained, comparisons are cheap, quick and simple to express with the
-// standard equality operator.
-//
-// Verification
-//
-// The main benefit of using the Digest type is simple verification against a
-// given digest. The Verifier interface, modeled after the stdlib hash.Hash
-// interface, provides a common write sink for digest verification. After
-// writing is complete, calling the Verifier.Verified method will indicate
-// whether or not the stream of bytes matches the target digest.
-//
-// Missing Features
-//
-// In addition to the above, we intend to add the following features to this
-// package:
-//
-// 1. A Digester type that supports write sink digest calculation.
-//
-// 2. Suspend and resume of ongoing digest calculations to support efficient digest verification in the registry.
-//
-package digest
diff --git a/vendor/github.com/opencontainers/go-digest/verifiers.go b/vendor/github.com/opencontainers/go-digest/verifiers.go
deleted file mode 100644
index 32125e918..000000000
--- a/vendor/github.com/opencontainers/go-digest/verifiers.go
+++ /dev/null
@@ -1,45 +0,0 @@
-// Copyright 2017 Docker, Inc.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// https://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package digest
-
-import (
- "hash"
- "io"
-)
-
-// Verifier presents a general verification interface to be used with message
-// digests and other byte stream verifications. Users instantiate a Verifier
-// from one of the various methods, write the data under test to it then check
-// the result with the Verified method.
-type Verifier interface {
- io.Writer
-
- // Verified will return true if the content written to Verifier matches
- // the digest.
- Verified() bool
-}
-
-type hashVerifier struct {
- digest Digest
- hash hash.Hash
-}
-
-func (hv hashVerifier) Write(p []byte) (n int, err error) {
- return hv.hash.Write(p)
-}
-
-func (hv hashVerifier) Verified() bool {
- return hv.digest == NewDigest(hv.digest.Algorithm(), hv.hash)
-}
diff --git a/vendor/github.com/opencontainers/runc/LICENSE b/vendor/github.com/opencontainers/runc/LICENSE
deleted file mode 100644
index 27448585a..000000000
--- a/vendor/github.com/opencontainers/runc/LICENSE
+++ /dev/null
@@ -1,191 +0,0 @@
-
- Apache License
- Version 2.0, January 2004
- http://www.apache.org/licenses/
-
- TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
-
- 1. Definitions.
-
- "License" shall mean the terms and conditions for use, reproduction,
- and distribution as defined by Sections 1 through 9 of this document.
-
- "Licensor" shall mean the copyright owner or entity authorized by
- the copyright owner that is granting the License.
-
- "Legal Entity" shall mean the union of the acting entity and all
- other entities that control, are controlled by, or are under common
- control with that entity. For the purposes of this definition,
- "control" means (i) the power, direct or indirect, to cause the
- direction or management of such entity, whether by contract or
- otherwise, or (ii) ownership of fifty percent (50%) or more of the
- outstanding shares, or (iii) beneficial ownership of such entity.
-
- "You" (or "Your") shall mean an individual or Legal Entity
- exercising permissions granted by this License.
-
- "Source" form shall mean the preferred form for making modifications,
- including but not limited to software source code, documentation
- source, and configuration files.
-
- "Object" form shall mean any form resulting from mechanical
- transformation or translation of a Source form, including but
- not limited to compiled object code, generated documentation,
- and conversions to other media types.
-
- "Work" shall mean the work of authorship, whether in Source or
- Object form, made available under the License, as indicated by a
- copyright notice that is included in or attached to the work
- (an example is provided in the Appendix below).
-
- "Derivative Works" shall mean any work, whether in Source or Object
- form, that is based on (or derived from) the Work and for which the
- editorial revisions, annotations, elaborations, or other modifications
- represent, as a whole, an original work of authorship. For the purposes
- of this License, Derivative Works shall not include works that remain
- separable from, or merely link (or bind by name) to the interfaces of,
- the Work and Derivative Works thereof.
-
- "Contribution" shall mean any work of authorship, including
- the original version of the Work and any modifications or additions
- to that Work or Derivative Works thereof, that is intentionally
- submitted to Licensor for inclusion in the Work by the copyright owner
- or by an individual or Legal Entity authorized to submit on behalf of
- the copyright owner. For the purposes of this definition, "submitted"
- means any form of electronic, verbal, or written communication sent
- to the Licensor or its representatives, including but not limited to
- communication on electronic mailing lists, source code control systems,
- and issue tracking systems that are managed by, or on behalf of, the
- Licensor for the purpose of discussing and improving the Work, but
- excluding communication that is conspicuously marked or otherwise
- designated in writing by the copyright owner as "Not a Contribution."
-
- "Contributor" shall mean Licensor and any individual or Legal Entity
- on behalf of whom a Contribution has been received by Licensor and
- subsequently incorporated within the Work.
-
- 2. Grant of Copyright License. Subject to the terms and conditions of
- this License, each Contributor hereby grants to You a perpetual,
- worldwide, non-exclusive, no-charge, royalty-free, irrevocable
- copyright license to reproduce, prepare Derivative Works of,
- publicly display, publicly perform, sublicense, and distribute the
- Work and such Derivative Works in Source or Object form.
-
- 3. Grant of Patent License. Subject to the terms and conditions of
- this License, each Contributor hereby grants to You a perpetual,
- worldwide, non-exclusive, no-charge, royalty-free, irrevocable
- (except as stated in this section) patent license to make, have made,
- use, offer to sell, sell, import, and otherwise transfer the Work,
- where such license applies only to those patent claims licensable
- by such Contributor that are necessarily infringed by their
- Contribution(s) alone or by combination of their Contribution(s)
- with the Work to which such Contribution(s) was submitted. If You
- institute patent litigation against any entity (including a
- cross-claim or counterclaim in a lawsuit) alleging that the Work
- or a Contribution incorporated within the Work constitutes direct
- or contributory patent infringement, then any patent licenses
- granted to You under this License for that Work shall terminate
- as of the date such litigation is filed.
-
- 4. Redistribution. You may reproduce and distribute copies of the
- Work or Derivative Works thereof in any medium, with or without
- modifications, and in Source or Object form, provided that You
- meet the following conditions:
-
- (a) You must give any other recipients of the Work or
- Derivative Works a copy of this License; and
-
- (b) You must cause any modified files to carry prominent notices
- stating that You changed the files; and
-
- (c) You must retain, in the Source form of any Derivative Works
- that You distribute, all copyright, patent, trademark, and
- attribution notices from the Source form of the Work,
- excluding those notices that do not pertain to any part of
- the Derivative Works; and
-
- (d) If the Work includes a "NOTICE" text file as part of its
- distribution, then any Derivative Works that You distribute must
- include a readable copy of the attribution notices contained
- within such NOTICE file, excluding those notices that do not
- pertain to any part of the Derivative Works, in at least one
- of the following places: within a NOTICE text file distributed
- as part of the Derivative Works; within the Source form or
- documentation, if provided along with the Derivative Works; or,
- within a display generated by the Derivative Works, if and
- wherever such third-party notices normally appear. The contents
- of the NOTICE file are for informational purposes only and
- do not modify the License. You may add Your own attribution
- notices within Derivative Works that You distribute, alongside
- or as an addendum to the NOTICE text from the Work, provided
- that such additional attribution notices cannot be construed
- as modifying the License.
-
- You may add Your own copyright statement to Your modifications and
- may provide additional or different license terms and conditions
- for use, reproduction, or distribution of Your modifications, or
- for any such Derivative Works as a whole, provided Your use,
- reproduction, and distribution of the Work otherwise complies with
- the conditions stated in this License.
-
- 5. Submission of Contributions. Unless You explicitly state otherwise,
- any Contribution intentionally submitted for inclusion in the Work
- by You to the Licensor shall be under the terms and conditions of
- this License, without any additional terms or conditions.
- Notwithstanding the above, nothing herein shall supersede or modify
- the terms of any separate license agreement you may have executed
- with Licensor regarding such Contributions.
-
- 6. Trademarks. This License does not grant permission to use the trade
- names, trademarks, service marks, or product names of the Licensor,
- except as required for reasonable and customary use in describing the
- origin of the Work and reproducing the content of the NOTICE file.
-
- 7. Disclaimer of Warranty. Unless required by applicable law or
- agreed to in writing, Licensor provides the Work (and each
- Contributor provides its Contributions) on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- implied, including, without limitation, any warranties or conditions
- of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
- PARTICULAR PURPOSE. You are solely responsible for determining the
- appropriateness of using or redistributing the Work and assume any
- risks associated with Your exercise of permissions under this License.
-
- 8. Limitation of Liability. In no event and under no legal theory,
- whether in tort (including negligence), contract, or otherwise,
- unless required by applicable law (such as deliberate and grossly
- negligent acts) or agreed to in writing, shall any Contributor be
- liable to You for damages, including any direct, indirect, special,
- incidental, or consequential damages of any character arising as a
- result of this License or out of the use or inability to use the
- Work (including but not limited to damages for loss of goodwill,
- work stoppage, computer failure or malfunction, or any and all
- other commercial damages or losses), even if such Contributor
- has been advised of the possibility of such damages.
-
- 9. Accepting Warranty or Additional Liability. While redistributing
- the Work or Derivative Works thereof, You may choose to offer,
- and charge a fee for, acceptance of support, warranty, indemnity,
- or other liability obligations and/or rights consistent with this
- License. However, in accepting such obligations, You may act only
- on Your own behalf and on Your sole responsibility, not on behalf
- of any other Contributor, and only if You agree to indemnify,
- defend, and hold each Contributor harmless for any liability
- incurred by, or claims asserted against, such Contributor by reason
- of your accepting any such warranty or additional liability.
-
- END OF TERMS AND CONDITIONS
-
- Copyright 2014 Docker, Inc.
-
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
diff --git a/vendor/github.com/opencontainers/runc/NOTICE b/vendor/github.com/opencontainers/runc/NOTICE
deleted file mode 100644
index 5c97abce4..000000000
--- a/vendor/github.com/opencontainers/runc/NOTICE
+++ /dev/null
@@ -1,17 +0,0 @@
-runc
-
-Copyright 2012-2015 Docker, Inc.
-
-This product includes software developed at Docker, Inc. (http://www.docker.com).
-
-The following is courtesy of our legal counsel:
-
-
-Use and transfer of Docker may be subject to certain restrictions by the
-United States and other governments.
-It is your responsibility to ensure that your use and/or transfer does not
-violate applicable laws.
-
-For more information, please see http://www.bis.doc.gov
-
-See also http://www.apache.org/dev/crypto.html and/or seek legal counsel.
diff --git a/vendor/github.com/opencontainers/runc/README.md b/vendor/github.com/opencontainers/runc/README.md
deleted file mode 100644
index 11fa4138b..000000000
--- a/vendor/github.com/opencontainers/runc/README.md
+++ /dev/null
@@ -1,269 +0,0 @@
-# runc
-
-[![Build Status](https://travis-ci.org/opencontainers/runc.svg?branch=master)](https://travis-ci.org/opencontainers/runc)
-[![Go Report Card](https://goreportcard.com/badge/github.com/opencontainers/runc)](https://goreportcard.com/report/github.com/opencontainers/runc)
-[![GoDoc](https://godoc.org/github.com/opencontainers/runc?status.svg)](https://godoc.org/github.com/opencontainers/runc)
-
-## Introduction
-
-`runc` is a CLI tool for spawning and running containers according to the OCI specification.
-
-## Releases
-
-`runc` depends on and tracks the [runtime-spec](https://github.com/opencontainers/runtime-spec) repository.
-We will try to make sure that `runc` and the OCI specification major versions stay in lockstep.
-This means that `runc` 1.0.0 should implement the 1.0 version of the specification.
-
-You can find official releases of `runc` on the [release](https://github.com/opencontainers/runc/releases) page.
-
-## Security
-
-Reporting process and disclosure communications are outlined in [/org/security](https://github.com/opencontainers/org/blob/master/security/)
-
-## Building
-
-`runc` currently supports the Linux platform with various architecture support.
-It must be built with Go version 1.6 or higher in order for some features to function properly.
-
-In order to enable seccomp support you will need to install `libseccomp` on your platform.
-> e.g. `libseccomp-devel` for CentOS, or `libseccomp-dev` for Ubuntu
-
-Otherwise, if you do not want to build `runc` with seccomp support you can add `BUILDTAGS=""` when running make.
-
-```bash
-# create a 'github.com/opencontainers' in your GOPATH/src
-cd github.com/opencontainers
-git clone https://github.com/opencontainers/runc
-cd runc
-
-make
-sudo make install
-```
-
-You can also use `go get` to install to your `GOPATH`, assuming that you have a `github.com` parent folder already created under `src`:
-
-```bash
-go get github.com/opencontainers/runc
-cd $GOPATH/src/github.com/opencontainers/runc
-make
-sudo make install
-```
-
-`runc` will be installed to `/usr/local/sbin/runc` on your system.
-
-
-#### Build Tags
-
-`runc` supports optional build tags for compiling support of various features.
-To add build tags to the make option the `BUILDTAGS` variable must be set.
-
-```bash
-make BUILDTAGS='seccomp apparmor'
-```
-
-| Build Tag | Feature | Dependency |
-|-----------|------------------------------------|-------------|
-| seccomp | Syscall filtering | libseccomp |
-| selinux | selinux process and mount labeling | <none> |
-| apparmor | apparmor profile support | <none> |
-| ambient | ambient capability support | kernel 4.3 |
-| nokmem | disable kernel memory account | <none> |
-
-
-### Running the test suite
-
-`runc` currently supports running its test suite via Docker.
-To run the suite just type `make test`.
-
-```bash
-make test
-```
-
-There are additional make targets for running the tests outside of a container but this is not recommended as the tests are written with the expectation that they can write and remove anywhere.
-
-You can run a specific test case by setting the `TESTFLAGS` variable.
-
-```bash
-# make test TESTFLAGS="-run=SomeTestFunction"
-```
-
-You can run a specific integration test by setting the `TESTPATH` variable.
-
-```bash
-# make test TESTPATH="/checkpoint.bats"
-```
-
-You can run a test in your proxy environment by setting `DOCKER_BUILD_PROXY` and `DOCKER_RUN_PROXY` variables.
-
-```bash
-# make test DOCKER_BUILD_PROXY="--build-arg HTTP_PROXY=http://yourproxy/" DOCKER_RUN_PROXY="-e HTTP_PROXY=http://yourproxy/"
-```
-
-### Dependencies Management
-
-`runc` uses [vndr](https://github.com/LK4D4/vndr) for dependencies management.
-Please refer to [vndr](https://github.com/LK4D4/vndr) for how to add or update
-new dependencies.
-
-## Using runc
-
-### Creating an OCI Bundle
-
-In order to use runc you must have your container in the format of an OCI bundle.
-If you have Docker installed you can use its `export` method to acquire a root filesystem from an existing Docker container.
-
-```bash
-# create the top most bundle directory
-mkdir /mycontainer
-cd /mycontainer
-
-# create the rootfs directory
-mkdir rootfs
-
-# export busybox via Docker into the rootfs directory
-docker export $(docker create busybox) | tar -C rootfs -xvf -
-```
-
-After a root filesystem is populated you just generate a spec in the format of a `config.json` file inside your bundle.
-`runc` provides a `spec` command to generate a base template spec that you are then able to edit.
-To find features and documentation for fields in the spec please refer to the [specs](https://github.com/opencontainers/runtime-spec) repository.
-
-```bash
-runc spec
-```
-
-### Running Containers
-
-Assuming you have an OCI bundle from the previous step you can execute the container in two different ways.
-
-The first way is to use the convenience command `run` that will handle creating, starting, and deleting the container after it exits.
-
-```bash
-# run as root
-cd /mycontainer
-runc run mycontainerid
-```
-
-If you used the unmodified `runc spec` template this should give you a `sh` session inside the container.
-
-The second way to start a container is using the specs lifecycle operations.
-This gives you more power over how the container is created and managed while it is running.
-This will also launch the container in the background so you will have to edit the `config.json` to remove the `terminal` setting for the simple examples here.
-Your process field in the `config.json` should look like this below with `"terminal": false` and `"args": ["sleep", "5"]`.
-
-
-```json
- "process": {
- "terminal": false,
- "user": {
- "uid": 0,
- "gid": 0
- },
- "args": [
- "sleep", "5"
- ],
- "env": [
- "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
- "TERM=xterm"
- ],
- "cwd": "/",
- "capabilities": {
- "bounding": [
- "CAP_AUDIT_WRITE",
- "CAP_KILL",
- "CAP_NET_BIND_SERVICE"
- ],
- "effective": [
- "CAP_AUDIT_WRITE",
- "CAP_KILL",
- "CAP_NET_BIND_SERVICE"
- ],
- "inheritable": [
- "CAP_AUDIT_WRITE",
- "CAP_KILL",
- "CAP_NET_BIND_SERVICE"
- ],
- "permitted": [
- "CAP_AUDIT_WRITE",
- "CAP_KILL",
- "CAP_NET_BIND_SERVICE"
- ],
- "ambient": [
- "CAP_AUDIT_WRITE",
- "CAP_KILL",
- "CAP_NET_BIND_SERVICE"
- ]
- },
- "rlimits": [
- {
- "type": "RLIMIT_NOFILE",
- "hard": 1024,
- "soft": 1024
- }
- ],
- "noNewPrivileges": true
- },
-```
-
-Now we can go through the lifecycle operations in your shell.
-
-
-```bash
-# run as root
-cd /mycontainer
-runc create mycontainerid
-
-# view the container is created and in the "created" state
-runc list
-
-# start the process inside the container
-runc start mycontainerid
-
-# after 5 seconds view that the container has exited and is now in the stopped state
-runc list
-
-# now delete the container
-runc delete mycontainerid
-```
-
-This allows higher level systems to augment the containers creation logic with setup of various settings after the container is created and/or before it is deleted. For example, the container's network stack is commonly set up after `create` but before `start`.
-
-#### Rootless containers
-`runc` has the ability to run containers without root privileges. This is called `rootless`. You need to pass some parameters to `runc` in order to run rootless containers. See below and compare with the previous version. Run the following commands as an ordinary user:
-```bash
-# Same as the first example
-mkdir ~/mycontainer
-cd ~/mycontainer
-mkdir rootfs
-docker export $(docker create busybox) | tar -C rootfs -xvf -
-
-# The --rootless parameter instructs runc spec to generate a configuration for a rootless container, which will allow you to run the container as a non-root user.
-runc spec --rootless
-
-# The --root parameter tells runc where to store the container state. It must be writable by the user.
-runc --root /tmp/runc run mycontainerid
-```
-
-#### Supervisors
-
-`runc` can be used with process supervisors and init systems to ensure that containers are restarted when they exit.
-An example systemd unit file looks something like this.
-
-```systemd
-[Unit]
-Description=Start My Container
-
-[Service]
-Type=forking
-ExecStart=/usr/local/sbin/runc run -d --pid-file /run/mycontainerid.pid mycontainerid
-ExecStopPost=/usr/local/sbin/runc delete mycontainerid
-WorkingDirectory=/mycontainer
-PIDFile=/run/mycontainerid.pid
-
-[Install]
-WantedBy=multi-user.target
-```
-
-## License
-
-The code and docs are released under the [Apache 2.0 license](LICENSE).
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/README.md b/vendor/github.com/opencontainers/runc/libcontainer/README.md
deleted file mode 100644
index 1d7fa04c0..000000000
--- a/vendor/github.com/opencontainers/runc/libcontainer/README.md
+++ /dev/null
@@ -1,330 +0,0 @@
-# libcontainer
-
-[![GoDoc](https://godoc.org/github.com/opencontainers/runc/libcontainer?status.svg)](https://godoc.org/github.com/opencontainers/runc/libcontainer)
-
-Libcontainer provides a native Go implementation for creating containers
-with namespaces, cgroups, capabilities, and filesystem access controls.
-It allows you to manage the lifecycle of the container performing additional operations
-after the container is created.
-
-
-#### Container
-A container is a self contained execution environment that shares the kernel of the
-host system and which is (optionally) isolated from other containers in the system.
-
-#### Using libcontainer
-
-Because containers are spawned in a two step process you will need a binary that
-will be executed as the init process for the container. In libcontainer, we use
-the current binary (/proc/self/exe) to be executed as the init process, and use
-arg "init", we call the first step process "bootstrap", so you always need a "init"
-function as the entry of "bootstrap".
-
-In addition to the go init function the early stage bootstrap is handled by importing
-[nsenter](https://github.com/opencontainers/runc/blob/master/libcontainer/nsenter/README.md).
-
-```go
-import (
- _ "github.com/opencontainers/runc/libcontainer/nsenter"
-)
-
-func init() {
- if len(os.Args) > 1 && os.Args[1] == "init" {
- runtime.GOMAXPROCS(1)
- runtime.LockOSThread()
- factory, _ := libcontainer.New("")
- if err := factory.StartInitialization(); err != nil {
- logrus.Fatal(err)
- }
- panic("--this line should have never been executed, congratulations--")
- }
-}
-```
-
-Then to create a container you first have to initialize an instance of a factory
-that will handle the creation and initialization for a container.
-
-```go
-factory, err := libcontainer.New("/var/lib/container", libcontainer.Cgroupfs, libcontainer.InitArgs(os.Args[0], "init"))
-if err != nil {
- logrus.Fatal(err)
- return
-}
-```
-
-Once you have an instance of the factory created we can create a configuration
-struct describing how the container is to be created. A sample would look similar to this:
-
-```go
-defaultMountFlags := unix.MS_NOEXEC | unix.MS_NOSUID | unix.MS_NODEV
-config := &configs.Config{
- Rootfs: "/your/path/to/rootfs",
- Capabilities: &configs.Capabilities{
- Bounding: []string{
- "CAP_CHOWN",
- "CAP_DAC_OVERRIDE",
- "CAP_FSETID",
- "CAP_FOWNER",
- "CAP_MKNOD",
- "CAP_NET_RAW",
- "CAP_SETGID",
- "CAP_SETUID",
- "CAP_SETFCAP",
- "CAP_SETPCAP",
- "CAP_NET_BIND_SERVICE",
- "CAP_SYS_CHROOT",
- "CAP_KILL",
- "CAP_AUDIT_WRITE",
- },
- Effective: []string{
- "CAP_CHOWN",
- "CAP_DAC_OVERRIDE",
- "CAP_FSETID",
- "CAP_FOWNER",
- "CAP_MKNOD",
- "CAP_NET_RAW",
- "CAP_SETGID",
- "CAP_SETUID",
- "CAP_SETFCAP",
- "CAP_SETPCAP",
- "CAP_NET_BIND_SERVICE",
- "CAP_SYS_CHROOT",
- "CAP_KILL",
- "CAP_AUDIT_WRITE",
- },
- Inheritable: []string{
- "CAP_CHOWN",
- "CAP_DAC_OVERRIDE",
- "CAP_FSETID",
- "CAP_FOWNER",
- "CAP_MKNOD",
- "CAP_NET_RAW",
- "CAP_SETGID",
- "CAP_SETUID",
- "CAP_SETFCAP",
- "CAP_SETPCAP",
- "CAP_NET_BIND_SERVICE",
- "CAP_SYS_CHROOT",
- "CAP_KILL",
- "CAP_AUDIT_WRITE",
- },
- Permitted: []string{
- "CAP_CHOWN",
- "CAP_DAC_OVERRIDE",
- "CAP_FSETID",
- "CAP_FOWNER",
- "CAP_MKNOD",
- "CAP_NET_RAW",
- "CAP_SETGID",
- "CAP_SETUID",
- "CAP_SETFCAP",
- "CAP_SETPCAP",
- "CAP_NET_BIND_SERVICE",
- "CAP_SYS_CHROOT",
- "CAP_KILL",
- "CAP_AUDIT_WRITE",
- },
- Ambient: []string{
- "CAP_CHOWN",
- "CAP_DAC_OVERRIDE",
- "CAP_FSETID",
- "CAP_FOWNER",
- "CAP_MKNOD",
- "CAP_NET_RAW",
- "CAP_SETGID",
- "CAP_SETUID",
- "CAP_SETFCAP",
- "CAP_SETPCAP",
- "CAP_NET_BIND_SERVICE",
- "CAP_SYS_CHROOT",
- "CAP_KILL",
- "CAP_AUDIT_WRITE",
- },
- },
- Namespaces: configs.Namespaces([]configs.Namespace{
- {Type: configs.NEWNS},
- {Type: configs.NEWUTS},
- {Type: configs.NEWIPC},
- {Type: configs.NEWPID},
- {Type: configs.NEWUSER},
- {Type: configs.NEWNET},
- {Type: configs.NEWCGROUP},
- }),
- Cgroups: &configs.Cgroup{
- Name: "test-container",
- Parent: "system",
- Resources: &configs.Resources{
- MemorySwappiness: nil,
- AllowAllDevices: nil,
- AllowedDevices: configs.DefaultAllowedDevices,
- },
- },
- MaskPaths: []string{
- "/proc/kcore",
- "/sys/firmware",
- },
- ReadonlyPaths: []string{
- "/proc/sys", "/proc/sysrq-trigger", "/proc/irq", "/proc/bus",
- },
- Devices: configs.DefaultAutoCreatedDevices,
- Hostname: "testing",
- Mounts: []*configs.Mount{
- {
- Source: "proc",
- Destination: "/proc",
- Device: "proc",
- Flags: defaultMountFlags,
- },
- {
- Source: "tmpfs",
- Destination: "/dev",
- Device: "tmpfs",
- Flags: unix.MS_NOSUID | unix.MS_STRICTATIME,
- Data: "mode=755",
- },
- {
- Source: "devpts",
- Destination: "/dev/pts",
- Device: "devpts",
- Flags: unix.MS_NOSUID | unix.MS_NOEXEC,
- Data: "newinstance,ptmxmode=0666,mode=0620,gid=5",
- },
- {
- Device: "tmpfs",
- Source: "shm",
- Destination: "/dev/shm",
- Data: "mode=1777,size=65536k",
- Flags: defaultMountFlags,
- },
- {
- Source: "mqueue",
- Destination: "/dev/mqueue",
- Device: "mqueue",
- Flags: defaultMountFlags,
- },
- {
- Source: "sysfs",
- Destination: "/sys",
- Device: "sysfs",
- Flags: defaultMountFlags | unix.MS_RDONLY,
- },
- },
- UidMappings: []configs.IDMap{
- {
- ContainerID: 0,
- HostID: 1000,
- Size: 65536,
- },
- },
- GidMappings: []configs.IDMap{
- {
- ContainerID: 0,
- HostID: 1000,
- Size: 65536,
- },
- },
- Networks: []*configs.Network{
- {
- Type: "loopback",
- Address: "127.0.0.1/0",
- Gateway: "localhost",
- },
- },
- Rlimits: []configs.Rlimit{
- {
- Type: unix.RLIMIT_NOFILE,
- Hard: uint64(1025),
- Soft: uint64(1025),
- },
- },
-}
-```
-
-Once you have the configuration populated you can create a container:
-
-```go
-container, err := factory.Create("container-id", config)
-if err != nil {
- logrus.Fatal(err)
- return
-}
-```
-
-To spawn bash as the initial process inside the container and have the
-processes pid returned in order to wait, signal, or kill the process:
-
-```go
-process := &libcontainer.Process{
- Args: []string{"/bin/bash"},
- Env: []string{"PATH=/bin"},
- User: "daemon",
- Stdin: os.Stdin,
- Stdout: os.Stdout,
- Stderr: os.Stderr,
-}
-
-err := container.Run(process)
-if err != nil {
- container.Destroy()
- logrus.Fatal(err)
- return
-}
-
-// wait for the process to finish.
-_, err := process.Wait()
-if err != nil {
- logrus.Fatal(err)
-}
-
-// destroy the container.
-container.Destroy()
-```
-
-Additional ways to interact with a running container are:
-
-```go
-// return all the pids for all processes running inside the container.
-processes, err := container.Processes()
-
-// get detailed cpu, memory, io, and network statistics for the container and
-// it's processes.
-stats, err := container.Stats()
-
-// pause all processes inside the container.
-container.Pause()
-
-// resume all paused processes.
-container.Resume()
-
-// send signal to container's init process.
-container.Signal(signal)
-
-// update container resource constraints.
-container.Set(config)
-
-// get current status of the container.
-status, err := container.Status()
-
-// get current container's state information.
-state, err := container.State()
-```
-
-
-#### Checkpoint & Restore
-
-libcontainer now integrates [CRIU](http://criu.org/) for checkpointing and restoring containers.
-This let's you save the state of a process running inside a container to disk, and then restore
-that state into a new process, on the same machine or on another machine.
-
-`criu` version 1.5.2 or higher is required to use checkpoint and restore.
-If you don't already have `criu` installed, you can build it from source, following the
-[online instructions](http://criu.org/Installation). `criu` is also installed in the docker image
-generated when building libcontainer with docker.
-
-
-## Copyright and license
-
-Code and documentation copyright 2014 Docker, inc.
-The code and documentation are released under the [Apache 2.0 license](../LICENSE).
-The documentation is also released under Creative Commons Attribution 4.0 International License.
-You may obtain a copy of the license, titled CC-BY-4.0, at http://creativecommons.org/licenses/by/4.0/.
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/nsenter/README.md b/vendor/github.com/opencontainers/runc/libcontainer/nsenter/README.md
deleted file mode 100644
index 9ec6c3931..000000000
--- a/vendor/github.com/opencontainers/runc/libcontainer/nsenter/README.md
+++ /dev/null
@@ -1,44 +0,0 @@
-## nsenter
-
-The `nsenter` package registers a special init constructor that is called before
-the Go runtime has a chance to boot. This provides us the ability to `setns` on
-existing namespaces and avoid the issues that the Go runtime has with multiple
-threads. This constructor will be called if this package is registered,
-imported, in your go application.
-
-The `nsenter` package will `import "C"` and it uses [cgo](https://golang.org/cmd/cgo/)
-package. In cgo, if the import of "C" is immediately preceded by a comment, that comment,
-called the preamble, is used as a header when compiling the C parts of the package.
-So every time we import package `nsenter`, the C code function `nsexec()` would be
-called. And package `nsenter` is only imported in `init.go`, so every time the runc
-`init` command is invoked, that C code is run.
-
-Because `nsexec()` must be run before the Go runtime in order to use the
-Linux kernel namespace, you must `import` this library into a package if
-you plan to use `libcontainer` directly. Otherwise Go will not execute
-the `nsexec()` constructor, which means that the re-exec will not cause
-the namespaces to be joined. You can import it like this:
-
-```go
-import _ "github.com/opencontainers/runc/libcontainer/nsenter"
-```
-
-`nsexec()` will first get the file descriptor number for the init pipe
-from the environment variable `_LIBCONTAINER_INITPIPE` (which was opened
-by the parent and kept open across the fork-exec of the `nsexec()` init
-process). The init pipe is used to read bootstrap data (namespace paths,
-clone flags, uid and gid mappings, and the console path) from the parent
-process. `nsexec()` will then call `setns(2)` to join the namespaces
-provided in the bootstrap data (if available), `clone(2)` a child process
-with the provided clone flags, update the user and group ID mappings, do
-some further miscellaneous setup steps, and then send the PID of the
-child process to the parent of the `nsexec()` "caller". Finally,
-the parent `nsexec()` will exit and the child `nsexec()` process will
-return to allow the Go runtime take over.
-
-NOTE: We do both `setns(2)` and `clone(2)` even if we don't have any
-`CLONE_NEW*` clone flags because we must fork a new process in order to
-enter the PID namespace.
-
-
-
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/nsenter/cloned_binary.c b/vendor/github.com/opencontainers/runc/libcontainer/nsenter/cloned_binary.c
deleted file mode 100644
index ad10f1406..000000000
--- a/vendor/github.com/opencontainers/runc/libcontainer/nsenter/cloned_binary.c
+++ /dev/null
@@ -1,516 +0,0 @@
-/*
- * Copyright (C) 2019 Aleksa Sarai <cyphar@cyphar.com>
- * Copyright (C) 2019 SUSE LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#define _GNU_SOURCE
-#include <unistd.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <stdbool.h>
-#include <string.h>
-#include <limits.h>
-#include <fcntl.h>
-#include <errno.h>
-
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <sys/statfs.h>
-#include <sys/vfs.h>
-#include <sys/mman.h>
-#include <sys/mount.h>
-#include <sys/sendfile.h>
-#include <sys/syscall.h>
-
-/* Use our own wrapper for memfd_create. */
-#if !defined(SYS_memfd_create) && defined(__NR_memfd_create)
-# define SYS_memfd_create __NR_memfd_create
-#endif
-/* memfd_create(2) flags -- copied from <linux/memfd.h>. */
-#ifndef MFD_CLOEXEC
-# define MFD_CLOEXEC 0x0001U
-# define MFD_ALLOW_SEALING 0x0002U
-#endif
-int memfd_create(const char *name, unsigned int flags)
-{
-#ifdef SYS_memfd_create
- return syscall(SYS_memfd_create, name, flags);
-#else
- errno = ENOSYS;
- return -1;
-#endif
-}
-
-
-/* This comes directly from <linux/fcntl.h>. */
-#ifndef F_LINUX_SPECIFIC_BASE
-# define F_LINUX_SPECIFIC_BASE 1024
-#endif
-#ifndef F_ADD_SEALS
-# define F_ADD_SEALS (F_LINUX_SPECIFIC_BASE + 9)
-# define F_GET_SEALS (F_LINUX_SPECIFIC_BASE + 10)
-#endif
-#ifndef F_SEAL_SEAL
-# define F_SEAL_SEAL 0x0001 /* prevent further seals from being set */
-# define F_SEAL_SHRINK 0x0002 /* prevent file from shrinking */
-# define F_SEAL_GROW 0x0004 /* prevent file from growing */
-# define F_SEAL_WRITE 0x0008 /* prevent writes */
-#endif
-
-#define CLONED_BINARY_ENV "_LIBCONTAINER_CLONED_BINARY"
-#define RUNC_MEMFD_COMMENT "runc_cloned:/proc/self/exe"
-#define RUNC_MEMFD_SEALS \
- (F_SEAL_SEAL | F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE)
-
-static void *must_realloc(void *ptr, size_t size)
-{
- void *old = ptr;
- do {
- ptr = realloc(old, size);
- } while(!ptr);
- return ptr;
-}
-
-/*
- * Verify whether we are currently in a self-cloned program (namely, is
- * /proc/self/exe a memfd). F_GET_SEALS will only succeed for memfds (or rather
- * for shmem files), and we want to be sure it's actually sealed.
- */
-static int is_self_cloned(void)
-{
- int fd, ret, is_cloned = 0;
- struct stat statbuf = {};
- struct statfs fsbuf = {};
-
- fd = open("/proc/self/exe", O_RDONLY|O_CLOEXEC);
- if (fd < 0)
- return -ENOTRECOVERABLE;
-
- /*
- * Is the binary a fully-sealed memfd? We don't need CLONED_BINARY_ENV for
- * this, because you cannot write to a sealed memfd no matter what (so
- * sharing it isn't a bad thing -- and an admin could bind-mount a sealed
- * memfd to /usr/bin/runc to allow re-use).
- */
- ret = fcntl(fd, F_GET_SEALS);
- if (ret >= 0) {
- is_cloned = (ret == RUNC_MEMFD_SEALS);
- goto out;
- }
-
- /*
- * All other forms require CLONED_BINARY_ENV, since they are potentially
- * writeable (or we can't tell if they're fully safe) and thus we must
- * check the environment as an extra layer of defence.
- */
- if (!getenv(CLONED_BINARY_ENV)) {
- is_cloned = false;
- goto out;
- }
-
- /*
- * Is the binary on a read-only filesystem? We can't detect bind-mounts in
- * particular (in-kernel they are identical to regular mounts) but we can
- * at least be sure that it's read-only. In addition, to make sure that
- * it's *our* bind-mount we check CLONED_BINARY_ENV.
- */
- if (fstatfs(fd, &fsbuf) >= 0)
- is_cloned |= (fsbuf.f_flags & MS_RDONLY);
-
- /*
- * Okay, we're a tmpfile -- or we're currently running on RHEL <=7.6
- * which appears to have a borked backport of F_GET_SEALS. Either way,
- * having a file which has no hardlinks indicates that we aren't using
- * a host-side "runc" binary and this is something that a container
- * cannot fake (because unlinking requires being able to resolve the
- * path that you want to unlink).
- */
- if (fstat(fd, &statbuf) >= 0)
- is_cloned |= (statbuf.st_nlink == 0);
-
-out:
- close(fd);
- return is_cloned;
-}
-
-/* Read a given file into a new buffer, and providing the length. */
-static char *read_file(char *path, size_t *length)
-{
- int fd;
- char buf[4096], *copy = NULL;
-
- if (!length)
- return NULL;
-
- fd = open(path, O_RDONLY | O_CLOEXEC);
- if (fd < 0)
- return NULL;
-
- *length = 0;
- for (;;) {
- ssize_t n;
-
- n = read(fd, buf, sizeof(buf));
- if (n < 0)
- goto error;
- if (!n)
- break;
-
- copy = must_realloc(copy, (*length + n) * sizeof(*copy));
- memcpy(copy + *length, buf, n);
- *length += n;
- }
- close(fd);
- return copy;
-
-error:
- close(fd);
- free(copy);
- return NULL;
-}
-
-/*
- * A poor-man's version of "xargs -0". Basically parses a given block of
- * NUL-delimited data, within the given length and adds a pointer to each entry
- * to the array of pointers.
- */
-static int parse_xargs(char *data, int data_length, char ***output)
-{
- int num = 0;
- char *cur = data;
-
- if (!data || *output != NULL)
- return -1;
-
- while (cur < data + data_length) {
- num++;
- *output = must_realloc(*output, (num + 1) * sizeof(**output));
- (*output)[num - 1] = cur;
- cur += strlen(cur) + 1;
- }
- (*output)[num] = NULL;
- return num;
-}
-
-/*
- * "Parse" out argv from /proc/self/cmdline.
- * This is necessary because we are running in a context where we don't have a
- * main() that we can just get the arguments from.
- */
-static int fetchve(char ***argv)
-{
- char *cmdline = NULL;
- size_t cmdline_size;
-
- cmdline = read_file("/proc/self/cmdline", &cmdline_size);
- if (!cmdline)
- goto error;
-
- if (parse_xargs(cmdline, cmdline_size, argv) <= 0)
- goto error;
-
- return 0;
-
-error:
- free(cmdline);
- return -EINVAL;
-}
-
-enum {
- EFD_NONE = 0,
- EFD_MEMFD,
- EFD_FILE,
-};
-
-/*
- * This comes from <linux/fcntl.h>. We can't hard-code __O_TMPFILE because it
- * changes depending on the architecture. If we don't have O_TMPFILE we always
- * have the mkostemp(3) fallback.
- */
-#ifndef O_TMPFILE
-# if defined(__O_TMPFILE) && defined(O_DIRECTORY)
-# define O_TMPFILE (__O_TMPFILE | O_DIRECTORY)
-# endif
-#endif
-
-static int make_execfd(int *fdtype)
-{
- int fd = -1;
- char template[PATH_MAX] = {0};
- char *prefix = getenv("_LIBCONTAINER_STATEDIR");
-
- if (!prefix || *prefix != '/')
- prefix = "/tmp";
- if (snprintf(template, sizeof(template), "%s/runc.XXXXXX", prefix) < 0)
- return -1;
-
- /*
- * Now try memfd, it's much nicer than actually creating a file in STATEDIR
- * since it's easily detected thanks to sealing and also doesn't require
- * assumptions about STATEDIR.
- */
- *fdtype = EFD_MEMFD;
- fd = memfd_create(RUNC_MEMFD_COMMENT, MFD_CLOEXEC | MFD_ALLOW_SEALING);
- if (fd >= 0)
- return fd;
- if (errno != ENOSYS && errno != EINVAL)
- goto error;
-
-#ifdef O_TMPFILE
- /*
- * Try O_TMPFILE to avoid races where someone might snatch our file. Note
- * that O_EXCL isn't actually a security measure here (since you can just
- * fd re-open it and clear O_EXCL).
- */
- *fdtype = EFD_FILE;
- fd = open(prefix, O_TMPFILE | O_EXCL | O_RDWR | O_CLOEXEC, 0700);
- if (fd >= 0) {
- struct stat statbuf = {};
- bool working_otmpfile = false;
-
- /*
- * open(2) ignores unknown O_* flags -- yeah, I was surprised when I
- * found this out too. As a result we can't check for EINVAL. However,
- * if we get nlink != 0 (or EISDIR) then we know that this kernel
- * doesn't support O_TMPFILE.
- */
- if (fstat(fd, &statbuf) >= 0)
- working_otmpfile = (statbuf.st_nlink == 0);
-
- if (working_otmpfile)
- return fd;
-
- /* Pretend that we got EISDIR since O_TMPFILE failed. */
- close(fd);
- errno = EISDIR;
- }
- if (errno != EISDIR)
- goto error;
-#endif /* defined(O_TMPFILE) */
-
- /*
- * Our final option is to create a temporary file the old-school way, and
- * then unlink it so that nothing else sees it by accident.
- */
- *fdtype = EFD_FILE;
- fd = mkostemp(template, O_CLOEXEC);
- if (fd >= 0) {
- if (unlink(template) >= 0)
- return fd;
- close(fd);
- }
-
-error:
- *fdtype = EFD_NONE;
- return -1;
-}
-
-static int seal_execfd(int *fd, int fdtype)
-{
- switch (fdtype) {
- case EFD_MEMFD:
- return fcntl(*fd, F_ADD_SEALS, RUNC_MEMFD_SEALS);
- case EFD_FILE: {
- /* Need to re-open our pseudo-memfd as an O_PATH to avoid execve(2) giving -ETXTBSY. */
- int newfd;
- char fdpath[PATH_MAX] = {0};
-
- if (fchmod(*fd, 0100) < 0)
- return -1;
-
- if (snprintf(fdpath, sizeof(fdpath), "/proc/self/fd/%d", *fd) < 0)
- return -1;
-
- newfd = open(fdpath, O_PATH | O_CLOEXEC);
- if (newfd < 0)
- return -1;
-
- close(*fd);
- *fd = newfd;
- return 0;
- }
- default:
- break;
- }
- return -1;
-}
-
-static int try_bindfd(void)
-{
- int fd, ret = -1;
- char template[PATH_MAX] = {0};
- char *prefix = getenv("_LIBCONTAINER_STATEDIR");
-
- if (!prefix || *prefix != '/')
- prefix = "/tmp";
- if (snprintf(template, sizeof(template), "%s/runc.XXXXXX", prefix) < 0)
- return ret;
-
- /*
- * We need somewhere to mount it, mounting anything over /proc/self is a
- * BAD idea on the host -- even if we do it temporarily.
- */
- fd = mkstemp(template);
- if (fd < 0)
- return ret;
- close(fd);
-
- /*
- * For obvious reasons this won't work in rootless mode because we haven't
- * created a userns+mntns -- but getting that to work will be a bit
- * complicated and it's only worth doing if someone actually needs it.
- */
- ret = -EPERM;
- if (mount("/proc/self/exe", template, "", MS_BIND, "") < 0)
- goto out;
- if (mount("", template, "", MS_REMOUNT | MS_BIND | MS_RDONLY, "") < 0)
- goto out_umount;
-
-
- /* Get read-only handle that we're sure can't be made read-write. */
- ret = open(template, O_PATH | O_CLOEXEC);
-
-out_umount:
- /*
- * Make sure the MNT_DETACH works, otherwise we could get remounted
- * read-write and that would be quite bad (the fd would be made read-write
- * too, invalidating the protection).
- */
- if (umount2(template, MNT_DETACH) < 0) {
- if (ret >= 0)
- close(ret);
- ret = -ENOTRECOVERABLE;
- }
-
-out:
- /*
- * We don't care about unlink errors, the worst that happens is that
- * there's an empty file left around in STATEDIR.
- */
- unlink(template);
- return ret;
-}
-
-static ssize_t fd_to_fd(int outfd, int infd)
-{
- ssize_t total = 0;
- char buffer[4096];
-
- for (;;) {
- ssize_t nread, nwritten = 0;
-
- nread = read(infd, buffer, sizeof(buffer));
- if (nread < 0)
- return -1;
- if (!nread)
- break;
-
- do {
- ssize_t n = write(outfd, buffer + nwritten, nread - nwritten);
- if (n < 0)
- return -1;
- nwritten += n;
- } while(nwritten < nread);
-
- total += nwritten;
- }
-
- return total;
-}
-
-static int clone_binary(void)
-{
- int binfd, execfd;
- struct stat statbuf = {};
- size_t sent = 0;
- int fdtype = EFD_NONE;
-
- /*
- * Before we resort to copying, let's try creating an ro-binfd in one shot
- * by getting a handle for a read-only bind-mount of the execfd.
- */
- execfd = try_bindfd();
- if (execfd >= 0)
- return execfd;
-
- /*
- * Dammit, that didn't work -- time to copy the binary to a safe place we
- * can seal the contents.
- */
- execfd = make_execfd(&fdtype);
- if (execfd < 0 || fdtype == EFD_NONE)
- return -ENOTRECOVERABLE;
-
- binfd = open("/proc/self/exe", O_RDONLY | O_CLOEXEC);
- if (binfd < 0)
- goto error;
-
- if (fstat(binfd, &statbuf) < 0)
- goto error_binfd;
-
- while (sent < statbuf.st_size) {
- int n = sendfile(execfd, binfd, NULL, statbuf.st_size - sent);
- if (n < 0) {
- /* sendfile can fail so we fallback to a dumb user-space copy. */
- n = fd_to_fd(execfd, binfd);
- if (n < 0)
- goto error_binfd;
- }
- sent += n;
- }
- close(binfd);
- if (sent != statbuf.st_size)
- goto error;
-
- if (seal_execfd(&execfd, fdtype) < 0)
- goto error;
-
- return execfd;
-
-error_binfd:
- close(binfd);
-error:
- close(execfd);
- return -EIO;
-}
-
-/* Get cheap access to the environment. */
-extern char **environ;
-
-int ensure_cloned_binary(void)
-{
- int execfd;
- char **argv = NULL;
-
- /* Check that we're not self-cloned, and if we are then bail. */
- int cloned = is_self_cloned();
- if (cloned > 0 || cloned == -ENOTRECOVERABLE)
- return cloned;
-
- if (fetchve(&argv) < 0)
- return -EINVAL;
-
- execfd = clone_binary();
- if (execfd < 0)
- return -EIO;
-
- if (putenv(CLONED_BINARY_ENV "=1"))
- goto error;
-
- fexecve(execfd, argv, environ);
-error:
- close(execfd);
- return -ENOEXEC;
-}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/nsenter/namespace.h b/vendor/github.com/opencontainers/runc/libcontainer/nsenter/namespace.h
deleted file mode 100644
index 9e9bdca05..000000000
--- a/vendor/github.com/opencontainers/runc/libcontainer/nsenter/namespace.h
+++ /dev/null
@@ -1,32 +0,0 @@
-#ifndef NSENTER_NAMESPACE_H
-#define NSENTER_NAMESPACE_H
-
-#ifndef _GNU_SOURCE
-# define _GNU_SOURCE
-#endif
-#include <sched.h>
-
-/* All of these are taken from include/uapi/linux/sched.h */
-#ifndef CLONE_NEWNS
-# define CLONE_NEWNS 0x00020000 /* New mount namespace group */
-#endif
-#ifndef CLONE_NEWCGROUP
-# define CLONE_NEWCGROUP 0x02000000 /* New cgroup namespace */
-#endif
-#ifndef CLONE_NEWUTS
-# define CLONE_NEWUTS 0x04000000 /* New utsname namespace */
-#endif
-#ifndef CLONE_NEWIPC
-# define CLONE_NEWIPC 0x08000000 /* New ipc namespace */
-#endif
-#ifndef CLONE_NEWUSER
-# define CLONE_NEWUSER 0x10000000 /* New user namespace */
-#endif
-#ifndef CLONE_NEWPID
-# define CLONE_NEWPID 0x20000000 /* New pid namespace */
-#endif
-#ifndef CLONE_NEWNET
-# define CLONE_NEWNET 0x40000000 /* New network namespace */
-#endif
-
-#endif /* NSENTER_NAMESPACE_H */
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/nsenter/nsenter.go b/vendor/github.com/opencontainers/runc/libcontainer/nsenter/nsenter.go
deleted file mode 100644
index 07f4d63e4..000000000
--- a/vendor/github.com/opencontainers/runc/libcontainer/nsenter/nsenter.go
+++ /dev/null
@@ -1,12 +0,0 @@
-// +build linux,!gccgo
-
-package nsenter
-
-/*
-#cgo CFLAGS: -Wall
-extern void nsexec();
-void __attribute__((constructor)) init(void) {
- nsexec();
-}
-*/
-import "C"
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/nsenter/nsenter_gccgo.go b/vendor/github.com/opencontainers/runc/libcontainer/nsenter/nsenter_gccgo.go
deleted file mode 100644
index 63c7a3ec2..000000000
--- a/vendor/github.com/opencontainers/runc/libcontainer/nsenter/nsenter_gccgo.go
+++ /dev/null
@@ -1,25 +0,0 @@
-// +build linux,gccgo
-
-package nsenter
-
-/*
-#cgo CFLAGS: -Wall
-extern void nsexec();
-void __attribute__((constructor)) init(void) {
- nsexec();
-}
-*/
-import "C"
-
-// AlwaysFalse is here to stay false
-// (and be exported so the compiler doesn't optimize out its reference)
-var AlwaysFalse bool
-
-func init() {
- if AlwaysFalse {
- // by referencing this C init() in a noop test, it will ensure the compiler
- // links in the C function.
- // https://gcc.gnu.org/bugzilla/show_bug.cgi?id=65134
- C.init()
- }
-}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/nsenter/nsenter_unsupported.go b/vendor/github.com/opencontainers/runc/libcontainer/nsenter/nsenter_unsupported.go
deleted file mode 100644
index ac701ca39..000000000
--- a/vendor/github.com/opencontainers/runc/libcontainer/nsenter/nsenter_unsupported.go
+++ /dev/null
@@ -1,5 +0,0 @@
-// +build !linux !cgo
-
-package nsenter
-
-import "C"
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/nsenter/nsexec.c b/vendor/github.com/opencontainers/runc/libcontainer/nsenter/nsexec.c
deleted file mode 100644
index 7750af35e..000000000
--- a/vendor/github.com/opencontainers/runc/libcontainer/nsenter/nsexec.c
+++ /dev/null
@@ -1,1006 +0,0 @@
-
-#define _GNU_SOURCE
-#include <endian.h>
-#include <errno.h>
-#include <fcntl.h>
-#include <grp.h>
-#include <sched.h>
-#include <setjmp.h>
-#include <signal.h>
-#include <stdarg.h>
-#include <stdbool.h>
-#include <stdint.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <stdbool.h>
-#include <string.h>
-#include <unistd.h>
-
-#include <sys/ioctl.h>
-#include <sys/prctl.h>
-#include <sys/socket.h>
-#include <sys/types.h>
-#include <sys/wait.h>
-
-#include <linux/limits.h>
-#include <linux/netlink.h>
-#include <linux/types.h>
-
-/* Get all of the CLONE_NEW* flags. */
-#include "namespace.h"
-
-/* Synchronisation values. */
-enum sync_t {
- SYNC_USERMAP_PLS = 0x40, /* Request parent to map our users. */
- SYNC_USERMAP_ACK = 0x41, /* Mapping finished by the parent. */
- SYNC_RECVPID_PLS = 0x42, /* Tell parent we're sending the PID. */
- SYNC_RECVPID_ACK = 0x43, /* PID was correctly received by parent. */
- SYNC_GRANDCHILD = 0x44, /* The grandchild is ready to run. */
- SYNC_CHILD_READY = 0x45, /* The child or grandchild is ready to return. */
-
- /* XXX: This doesn't help with segfaults and other such issues. */
- SYNC_ERR = 0xFF, /* Fatal error, no turning back. The error code follows. */
-};
-
-/*
- * Synchronisation value for cgroup namespace setup.
- * The same constant is defined in process_linux.go as "createCgroupns".
- */
-#define CREATECGROUPNS 0x80
-
-/* longjmp() arguments. */
-#define JUMP_PARENT 0x00
-#define JUMP_CHILD 0xA0
-#define JUMP_INIT 0xA1
-
-/* JSON buffer. */
-#define JSON_MAX 4096
-
-/* Assume the stack grows down, so arguments should be above it. */
-struct clone_t {
- /*
- * Reserve some space for clone() to locate arguments
- * and retcode in this place
- */
- char stack[4096] __attribute__ ((aligned(16)));
- char stack_ptr[0];
-
- /* There's two children. This is used to execute the different code. */
- jmp_buf *env;
- int jmpval;
-};
-
-struct nlconfig_t {
- char *data;
-
- /* Process settings. */
- uint32_t cloneflags;
- char *oom_score_adj;
- size_t oom_score_adj_len;
-
- /* User namespace settings. */
- char *uidmap;
- size_t uidmap_len;
- char *gidmap;
- size_t gidmap_len;
- char *namespaces;
- size_t namespaces_len;
- uint8_t is_setgroup;
-
- /* Rootless container settings. */
- uint8_t is_rootless_euid; /* boolean */
- char *uidmappath;
- size_t uidmappath_len;
- char *gidmappath;
- size_t gidmappath_len;
-};
-
-/*
- * List of netlink message types sent to us as part of bootstrapping the init.
- * These constants are defined in libcontainer/message_linux.go.
- */
-#define INIT_MSG 62000
-#define CLONE_FLAGS_ATTR 27281
-#define NS_PATHS_ATTR 27282
-#define UIDMAP_ATTR 27283
-#define GIDMAP_ATTR 27284
-#define SETGROUP_ATTR 27285
-#define OOM_SCORE_ADJ_ATTR 27286
-#define ROOTLESS_EUID_ATTR 27287
-#define UIDMAPPATH_ATTR 27288
-#define GIDMAPPATH_ATTR 27289
-
-/*
- * Use the raw syscall for versions of glibc which don't include a function for
- * it, namely (glibc 2.12).
- */
-#if __GLIBC__ == 2 && __GLIBC_MINOR__ < 14
-# define _GNU_SOURCE
-# include "syscall.h"
-# if !defined(SYS_setns) && defined(__NR_setns)
-# define SYS_setns __NR_setns
-# endif
-
-#ifndef SYS_setns
-# error "setns(2) syscall not supported by glibc version"
-#endif
-
-int setns(int fd, int nstype)
-{
- return syscall(SYS_setns, fd, nstype);
-}
-#endif
-
-/* XXX: This is ugly. */
-static int syncfd = -1;
-
-/* TODO(cyphar): Fix this so it correctly deals with syncT. */
-#define bail(fmt, ...) \
- do { \
- int ret = __COUNTER__ + 1; \
- fprintf(stderr, "nsenter: " fmt ": %m\n", ##__VA_ARGS__); \
- if (syncfd >= 0) { \
- enum sync_t s = SYNC_ERR; \
- if (write(syncfd, &s, sizeof(s)) != sizeof(s)) \
- fprintf(stderr, "nsenter: failed: write(s)"); \
- if (write(syncfd, &ret, sizeof(ret)) != sizeof(ret)) \
- fprintf(stderr, "nsenter: failed: write(ret)"); \
- } \
- exit(ret); \
- } while(0)
-
-static int write_file(char *data, size_t data_len, char *pathfmt, ...)
-{
- int fd, len, ret = 0;
- char path[PATH_MAX];
-
- va_list ap;
- va_start(ap, pathfmt);
- len = vsnprintf(path, PATH_MAX, pathfmt, ap);
- va_end(ap);
- if (len < 0)
- return -1;
-
- fd = open(path, O_RDWR);
- if (fd < 0) {
- return -1;
- }
-
- len = write(fd, data, data_len);
- if (len != data_len) {
- ret = -1;
- goto out;
- }
-
- out:
- close(fd);
- return ret;
-}
-
-enum policy_t {
- SETGROUPS_DEFAULT = 0,
- SETGROUPS_ALLOW,
- SETGROUPS_DENY,
-};
-
-/* This *must* be called before we touch gid_map. */
-static void update_setgroups(int pid, enum policy_t setgroup)
-{
- char *policy;
-
- switch (setgroup) {
- case SETGROUPS_ALLOW:
- policy = "allow";
- break;
- case SETGROUPS_DENY:
- policy = "deny";
- break;
- case SETGROUPS_DEFAULT:
- default:
- /* Nothing to do. */
- return;
- }
-
- if (write_file(policy, strlen(policy), "/proc/%d/setgroups", pid) < 0) {
- /*
- * If the kernel is too old to support /proc/pid/setgroups,
- * open(2) or write(2) will return ENOENT. This is fine.
- */
- if (errno != ENOENT)
- bail("failed to write '%s' to /proc/%d/setgroups", policy, pid);
- }
-}
-
-static int try_mapping_tool(const char *app, int pid, char *map, size_t map_len)
-{
- int child;
-
- /*
- * If @app is NULL, execve will segfault. Just check it here and bail (if
- * we're in this path, the caller is already getting desperate and there
- * isn't a backup to this failing). This usually would be a configuration
- * or programming issue.
- */
- if (!app)
- bail("mapping tool not present");
-
- child = fork();
- if (child < 0)
- bail("failed to fork");
-
- if (!child) {
-#define MAX_ARGV 20
- char *argv[MAX_ARGV];
- char *envp[] = { NULL };
- char pid_fmt[16];
- int argc = 0;
- char *next;
-
- snprintf(pid_fmt, 16, "%d", pid);
-
- argv[argc++] = (char *)app;
- argv[argc++] = pid_fmt;
- /*
- * Convert the map string into a list of argument that
- * newuidmap/newgidmap can understand.
- */
-
- while (argc < MAX_ARGV) {
- if (*map == '\0') {
- argv[argc++] = NULL;
- break;
- }
- argv[argc++] = map;
- next = strpbrk(map, "\n ");
- if (next == NULL)
- break;
- *next++ = '\0';
- map = next + strspn(next, "\n ");
- }
-
- execve(app, argv, envp);
- bail("failed to execv");
- } else {
- int status;
-
- while (true) {
- if (waitpid(child, &status, 0) < 0) {
- if (errno == EINTR)
- continue;
- bail("failed to waitpid");
- }
- if (WIFEXITED(status) || WIFSIGNALED(status))
- return WEXITSTATUS(status);
- }
- }
-
- return -1;
-}
-
-static void update_uidmap(const char *path, int pid, char *map, size_t map_len)
-{
- if (map == NULL || map_len <= 0)
- return;
-
- if (write_file(map, map_len, "/proc/%d/uid_map", pid) < 0) {
- if (errno != EPERM)
- bail("failed to update /proc/%d/uid_map", pid);
- if (try_mapping_tool(path, pid, map, map_len))
- bail("failed to use newuid map on %d", pid);
- }
-}
-
-static void update_gidmap(const char *path, int pid, char *map, size_t map_len)
-{
- if (map == NULL || map_len <= 0)
- return;
-
- if (write_file(map, map_len, "/proc/%d/gid_map", pid) < 0) {
- if (errno != EPERM)
- bail("failed to update /proc/%d/gid_map", pid);
- if (try_mapping_tool(path, pid, map, map_len))
- bail("failed to use newgid map on %d", pid);
- }
-}
-
-static void update_oom_score_adj(char *data, size_t len)
-{
- if (data == NULL || len <= 0)
- return;
-
- if (write_file(data, len, "/proc/self/oom_score_adj") < 0)
- bail("failed to update /proc/self/oom_score_adj");
-}
-
-/* A dummy function that just jumps to the given jumpval. */
-static int child_func(void *arg) __attribute__ ((noinline));
-static int child_func(void *arg)
-{
- struct clone_t *ca = (struct clone_t *)arg;
- longjmp(*ca->env, ca->jmpval);
-}
-
-static int clone_parent(jmp_buf *env, int jmpval) __attribute__ ((noinline));
-static int clone_parent(jmp_buf *env, int jmpval)
-{
- struct clone_t ca = {
- .env = env,
- .jmpval = jmpval,
- };
-
- return clone(child_func, ca.stack_ptr, CLONE_PARENT | SIGCHLD, &ca);
-}
-
-/*
- * Gets the init pipe fd from the environment, which is used to read the
- * bootstrap data and tell the parent what the new pid is after we finish
- * setting up the environment.
- */
-static int initpipe(void)
-{
- int pipenum;
- char *initpipe, *endptr;
-
- initpipe = getenv("_LIBCONTAINER_INITPIPE");
- if (initpipe == NULL || *initpipe == '\0')
- return -1;
-
- pipenum = strtol(initpipe, &endptr, 10);
- if (*endptr != '\0')
- bail("unable to parse _LIBCONTAINER_INITPIPE");
-
- return pipenum;
-}
-
-/* Returns the clone(2) flag for a namespace, given the name of a namespace. */
-static int nsflag(char *name)
-{
- if (!strcmp(name, "cgroup"))
- return CLONE_NEWCGROUP;
- else if (!strcmp(name, "ipc"))
- return CLONE_NEWIPC;
- else if (!strcmp(name, "mnt"))
- return CLONE_NEWNS;
- else if (!strcmp(name, "net"))
- return CLONE_NEWNET;
- else if (!strcmp(name, "pid"))
- return CLONE_NEWPID;
- else if (!strcmp(name, "user"))
- return CLONE_NEWUSER;
- else if (!strcmp(name, "uts"))
- return CLONE_NEWUTS;
-
- /* If we don't recognise a name, fallback to 0. */
- return 0;
-}
-
-static uint32_t readint32(char *buf)
-{
- return *(uint32_t *) buf;
-}
-
-static uint8_t readint8(char *buf)
-{
- return *(uint8_t *) buf;
-}
-
-static void nl_parse(int fd, struct nlconfig_t *config)
-{
- size_t len, size;
- struct nlmsghdr hdr;
- char *data, *current;
-
- /* Retrieve the netlink header. */
- len = read(fd, &hdr, NLMSG_HDRLEN);
- if (len != NLMSG_HDRLEN)
- bail("invalid netlink header length %zu", len);
-
- if (hdr.nlmsg_type == NLMSG_ERROR)
- bail("failed to read netlink message");
-
- if (hdr.nlmsg_type != INIT_MSG)
- bail("unexpected msg type %d", hdr.nlmsg_type);
-
- /* Retrieve data. */
- size = NLMSG_PAYLOAD(&hdr, 0);
- current = data = malloc(size);
- if (!data)
- bail("failed to allocate %zu bytes of memory for nl_payload", size);
-
- len = read(fd, data, size);
- if (len != size)
- bail("failed to read netlink payload, %zu != %zu", len, size);
-
- /* Parse the netlink payload. */
- config->data = data;
- while (current < data + size) {
- struct nlattr *nlattr = (struct nlattr *)current;
- size_t payload_len = nlattr->nla_len - NLA_HDRLEN;
-
- /* Advance to payload. */
- current += NLA_HDRLEN;
-
- /* Handle payload. */
- switch (nlattr->nla_type) {
- case CLONE_FLAGS_ATTR:
- config->cloneflags = readint32(current);
- break;
- case ROOTLESS_EUID_ATTR:
- config->is_rootless_euid = readint8(current); /* boolean */
- break;
- case OOM_SCORE_ADJ_ATTR:
- config->oom_score_adj = current;
- config->oom_score_adj_len = payload_len;
- break;
- case NS_PATHS_ATTR:
- config->namespaces = current;
- config->namespaces_len = payload_len;
- break;
- case UIDMAP_ATTR:
- config->uidmap = current;
- config->uidmap_len = payload_len;
- break;
- case GIDMAP_ATTR:
- config->gidmap = current;
- config->gidmap_len = payload_len;
- break;
- case UIDMAPPATH_ATTR:
- config->uidmappath = current;
- config->uidmappath_len = payload_len;
- break;
- case GIDMAPPATH_ATTR:
- config->gidmappath = current;
- config->gidmappath_len = payload_len;
- break;
- case SETGROUP_ATTR:
- config->is_setgroup = readint8(current);
- break;
- default:
- bail("unknown netlink message type %d", nlattr->nla_type);
- }
-
- current += NLA_ALIGN(payload_len);
- }
-}
-
-void nl_free(struct nlconfig_t *config)
-{
- free(config->data);
-}
-
-void join_namespaces(char *nslist)
-{
- int num = 0, i;
- char *saveptr = NULL;
- char *namespace = strtok_r(nslist, ",", &saveptr);
- struct namespace_t {
- int fd;
- int ns;
- char type[PATH_MAX];
- char path[PATH_MAX];
- } *namespaces = NULL;
-
- if (!namespace || !strlen(namespace) || !strlen(nslist))
- bail("ns paths are empty");
-
- /*
- * We have to open the file descriptors first, since after
- * we join the mnt namespace we might no longer be able to
- * access the paths.
- */
- do {
- int fd;
- char *path;
- struct namespace_t *ns;
-
- /* Resize the namespace array. */
- namespaces = realloc(namespaces, ++num * sizeof(struct namespace_t));
- if (!namespaces)
- bail("failed to reallocate namespace array");
- ns = &namespaces[num - 1];
-
- /* Split 'ns:path'. */
- path = strstr(namespace, ":");
- if (!path)
- bail("failed to parse %s", namespace);
- *path++ = '\0';
-
- fd = open(path, O_RDONLY);
- if (fd < 0)
- bail("failed to open %s", path);
-
- ns->fd = fd;
- ns->ns = nsflag(namespace);
- strncpy(ns->path, path, PATH_MAX - 1);
- ns->path[PATH_MAX - 1] = '\0';
- } while ((namespace = strtok_r(NULL, ",", &saveptr)) != NULL);
-
- /*
- * The ordering in which we join namespaces is important. We should
- * always join the user namespace *first*. This is all guaranteed
- * from the container_linux.go side of this, so we're just going to
- * follow the order given to us.
- */
-
- for (i = 0; i < num; i++) {
- struct namespace_t ns = namespaces[i];
-
- if (setns(ns.fd, ns.ns) < 0)
- bail("failed to setns to %s", ns.path);
-
- close(ns.fd);
- }
-
- free(namespaces);
-}
-
-/* Defined in cloned_binary.c. */
-extern int ensure_cloned_binary(void);
-
-void nsexec(void)
-{
- int pipenum;
- jmp_buf env;
- int sync_child_pipe[2], sync_grandchild_pipe[2];
- struct nlconfig_t config = { 0 };
-
- /*
- * If we don't have an init pipe, just return to the go routine.
- * We'll only get an init pipe for start or exec.
- */
- pipenum = initpipe();
- if (pipenum == -1)
- return;
-
- /*
- * We need to re-exec if we are not in a cloned binary. This is necessary
- * to ensure that containers won't be able to access the host binary
- * through /proc/self/exe. See CVE-2019-5736.
- */
- if (ensure_cloned_binary() < 0)
- bail("could not ensure we are a cloned binary");
-
- /* Parse all of the netlink configuration. */
- nl_parse(pipenum, &config);
-
- /* Set oom_score_adj. This has to be done before !dumpable because
- * /proc/self/oom_score_adj is not writeable unless you're an privileged
- * user (if !dumpable is set). All children inherit their parent's
- * oom_score_adj value on fork(2) so this will always be propagated
- * properly.
- */
- update_oom_score_adj(config.oom_score_adj, config.oom_score_adj_len);
-
- /*
- * Make the process non-dumpable, to avoid various race conditions that
- * could cause processes in namespaces we're joining to access host
- * resources (or potentially execute code).
- *
- * However, if the number of namespaces we are joining is 0, we are not
- * going to be switching to a different security context. Thus setting
- * ourselves to be non-dumpable only breaks things (like rootless
- * containers), which is the recommendation from the kernel folks.
- */
- if (config.namespaces) {
- if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) < 0)
- bail("failed to set process as non-dumpable");
- }
-
- /* Pipe so we can tell the child when we've finished setting up. */
- if (socketpair(AF_LOCAL, SOCK_STREAM, 0, sync_child_pipe) < 0)
- bail("failed to setup sync pipe between parent and child");
-
- /*
- * We need a new socketpair to sync with grandchild so we don't have
- * race condition with child.
- */
- if (socketpair(AF_LOCAL, SOCK_STREAM, 0, sync_grandchild_pipe) < 0)
- bail("failed to setup sync pipe between parent and grandchild");
-
- /* TODO: Currently we aren't dealing with child deaths properly. */
-
- /*
- * Okay, so this is quite annoying.
- *
- * In order for this unsharing code to be more extensible we need to split
- * up unshare(CLONE_NEWUSER) and clone() in various ways. The ideal case
- * would be if we did clone(CLONE_NEWUSER) and the other namespaces
- * separately, but because of SELinux issues we cannot really do that. But
- * we cannot just dump the namespace flags into clone(...) because several
- * usecases (such as rootless containers) require more granularity around
- * the namespace setup. In addition, some older kernels had issues where
- * CLONE_NEWUSER wasn't handled before other namespaces (but we cannot
- * handle this while also dealing with SELinux so we choose SELinux support
- * over broken kernel support).
- *
- * However, if we unshare(2) the user namespace *before* we clone(2), then
- * all hell breaks loose.
- *
- * The parent no longer has permissions to do many things (unshare(2) drops
- * all capabilities in your old namespace), and the container cannot be set
- * up to have more than one {uid,gid} mapping. This is obviously less than
- * ideal. In order to fix this, we have to first clone(2) and then unshare.
- *
- * Unfortunately, it's not as simple as that. We have to fork to enter the
- * PID namespace (the PID namespace only applies to children). Since we'll
- * have to double-fork, this clone_parent() call won't be able to get the
- * PID of the _actual_ init process (without doing more synchronisation than
- * I can deal with at the moment). So we'll just get the parent to send it
- * for us, the only job of this process is to update
- * /proc/pid/{setgroups,uid_map,gid_map}.
- *
- * And as a result of the above, we also need to setns(2) in the first child
- * because if we join a PID namespace in the topmost parent then our child
- * will be in that namespace (and it will not be able to give us a PID value
- * that makes sense without resorting to sending things with cmsg).
- *
- * This also deals with an older issue caused by dumping cloneflags into
- * clone(2): On old kernels, CLONE_PARENT didn't work with CLONE_NEWPID, so
- * we have to unshare(2) before clone(2) in order to do this. This was fixed
- * in upstream commit 1f7f4dde5c945f41a7abc2285be43d918029ecc5, and was
- * introduced by 40a0d32d1eaffe6aac7324ca92604b6b3977eb0e. As far as we're
- * aware, the last mainline kernel which had this bug was Linux 3.12.
- * However, we cannot comment on which kernels the broken patch was
- * backported to.
- *
- * -- Aleksa "what has my life come to?" Sarai
- */
-
- switch (setjmp(env)) {
- /*
- * Stage 0: We're in the parent. Our job is just to create a new child
- * (stage 1: JUMP_CHILD) process and write its uid_map and
- * gid_map. That process will go on to create a new process, then
- * it will send us its PID which we will send to the bootstrap
- * process.
- */
- case JUMP_PARENT:{
- int len;
- pid_t child, first_child = -1;
- bool ready = false;
-
- /* For debugging. */
- prctl(PR_SET_NAME, (unsigned long)"runc:[0:PARENT]", 0, 0, 0);
-
- /* Start the process of getting a container. */
- child = clone_parent(&env, JUMP_CHILD);
- if (child < 0)
- bail("unable to fork: child_func");
-
- /*
- * State machine for synchronisation with the children.
- *
- * Father only return when both child and grandchild are
- * ready, so we can receive all possible error codes
- * generated by children.
- */
- while (!ready) {
- enum sync_t s;
- int ret;
-
- syncfd = sync_child_pipe[1];
- close(sync_child_pipe[0]);
-
- if (read(syncfd, &s, sizeof(s)) != sizeof(s))
- bail("failed to sync with child: next state");
-
- switch (s) {
- case SYNC_ERR:
- /* We have to mirror the error code of the child. */
- if (read(syncfd, &ret, sizeof(ret)) != sizeof(ret))
- bail("failed to sync with child: read(error code)");
-
- exit(ret);
- case SYNC_USERMAP_PLS:
- /*
- * Enable setgroups(2) if we've been asked to. But we also
- * have to explicitly disable setgroups(2) if we're
- * creating a rootless container for single-entry mapping.
- * i.e. config.is_setgroup == false.
- * (this is required since Linux 3.19).
- *
- * For rootless multi-entry mapping, config.is_setgroup shall be true and
- * newuidmap/newgidmap shall be used.
- */
-
- if (config.is_rootless_euid && !config.is_setgroup)
- update_setgroups(child, SETGROUPS_DENY);
-
- /* Set up mappings. */
- update_uidmap(config.uidmappath, child, config.uidmap, config.uidmap_len);
- update_gidmap(config.gidmappath, child, config.gidmap, config.gidmap_len);
-
- s = SYNC_USERMAP_ACK;
- if (write(syncfd, &s, sizeof(s)) != sizeof(s)) {
- kill(child, SIGKILL);
- bail("failed to sync with child: write(SYNC_USERMAP_ACK)");
- }
- break;
- case SYNC_RECVPID_PLS:{
- first_child = child;
-
- /* Get the init_func pid. */
- if (read(syncfd, &child, sizeof(child)) != sizeof(child)) {
- kill(first_child, SIGKILL);
- bail("failed to sync with child: read(childpid)");
- }
-
- /* Send ACK. */
- s = SYNC_RECVPID_ACK;
- if (write(syncfd, &s, sizeof(s)) != sizeof(s)) {
- kill(first_child, SIGKILL);
- kill(child, SIGKILL);
- bail("failed to sync with child: write(SYNC_RECVPID_ACK)");
- }
-
- /* Send the init_func pid back to our parent.
- *
- * Send the init_func pid and the pid of the first child back to our parent.
- * We need to send both back because we can't reap the first child we created (CLONE_PARENT).
- * It becomes the responsibility of our parent to reap the first child.
- */
- len = dprintf(pipenum, "{\"pid\": %d, \"pid_first\": %d}\n", child, first_child);
- if (len < 0) {
- kill(child, SIGKILL);
- bail("unable to generate JSON for child pid");
- }
- }
- break;
- case SYNC_CHILD_READY:
- ready = true;
- break;
- default:
- bail("unexpected sync value: %u", s);
- }
- }
-
- /* Now sync with grandchild. */
-
- ready = false;
- while (!ready) {
- enum sync_t s;
- int ret;
-
- syncfd = sync_grandchild_pipe[1];
- close(sync_grandchild_pipe[0]);
-
- s = SYNC_GRANDCHILD;
- if (write(syncfd, &s, sizeof(s)) != sizeof(s)) {
- kill(child, SIGKILL);
- bail("failed to sync with child: write(SYNC_GRANDCHILD)");
- }
-
- if (read(syncfd, &s, sizeof(s)) != sizeof(s))
- bail("failed to sync with child: next state");
-
- switch (s) {
- case SYNC_ERR:
- /* We have to mirror the error code of the child. */
- if (read(syncfd, &ret, sizeof(ret)) != sizeof(ret))
- bail("failed to sync with child: read(error code)");
-
- exit(ret);
- case SYNC_CHILD_READY:
- ready = true;
- break;
- default:
- bail("unexpected sync value: %u", s);
- }
- }
- exit(0);
- }
-
- /*
- * Stage 1: We're in the first child process. Our job is to join any
- * provided namespaces in the netlink payload and unshare all
- * of the requested namespaces. If we've been asked to
- * CLONE_NEWUSER, we will ask our parent (stage 0) to set up
- * our user mappings for us. Then, we create a new child
- * (stage 2: JUMP_INIT) for PID namespace. We then send the
- * child's PID to our parent (stage 0).
- */
- case JUMP_CHILD:{
- pid_t child;
- enum sync_t s;
-
- /* We're in a child and thus need to tell the parent if we die. */
- syncfd = sync_child_pipe[0];
- close(sync_child_pipe[1]);
-
- /* For debugging. */
- prctl(PR_SET_NAME, (unsigned long)"runc:[1:CHILD]", 0, 0, 0);
-
- /*
- * We need to setns first. We cannot do this earlier (in stage 0)
- * because of the fact that we forked to get here (the PID of
- * [stage 2: JUMP_INIT]) would be meaningless). We could send it
- * using cmsg(3) but that's just annoying.
- */
- if (config.namespaces)
- join_namespaces(config.namespaces);
-
- /*
- * Deal with user namespaces first. They are quite special, as they
- * affect our ability to unshare other namespaces and are used as
- * context for privilege checks.
- *
- * We don't unshare all namespaces in one go. The reason for this
- * is that, while the kernel documentation may claim otherwise,
- * there are certain cases where unsharing all namespaces at once
- * will result in namespace objects being owned incorrectly.
- * Ideally we should just fix these kernel bugs, but it's better to
- * be safe than sorry, and fix them separately.
- *
- * A specific case of this is that the SELinux label of the
- * internal kern-mount that mqueue uses will be incorrect if the
- * UTS namespace is cloned before the USER namespace is mapped.
- * I've also heard of similar problems with the network namespace
- * in some scenarios. This also mirrors how LXC deals with this
- * problem.
- */
- if (config.cloneflags & CLONE_NEWUSER) {
- if (unshare(CLONE_NEWUSER) < 0)
- bail("failed to unshare user namespace");
- config.cloneflags &= ~CLONE_NEWUSER;
-
- /*
- * We don't have the privileges to do any mapping here (see the
- * clone_parent rant). So signal our parent to hook us up.
- */
-
- /* Switching is only necessary if we joined namespaces. */
- if (config.namespaces) {
- if (prctl(PR_SET_DUMPABLE, 1, 0, 0, 0) < 0)
- bail("failed to set process as dumpable");
- }
- s = SYNC_USERMAP_PLS;
- if (write(syncfd, &s, sizeof(s)) != sizeof(s))
- bail("failed to sync with parent: write(SYNC_USERMAP_PLS)");
-
- /* ... wait for mapping ... */
-
- if (read(syncfd, &s, sizeof(s)) != sizeof(s))
- bail("failed to sync with parent: read(SYNC_USERMAP_ACK)");
- if (s != SYNC_USERMAP_ACK)
- bail("failed to sync with parent: SYNC_USERMAP_ACK: got %u", s);
- /* Switching is only necessary if we joined namespaces. */
- if (config.namespaces) {
- if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) < 0)
- bail("failed to set process as dumpable");
- }
-
- /* Become root in the namespace proper. */
- if (setresuid(0, 0, 0) < 0)
- bail("failed to become root in user namespace");
- }
- /*
- * Unshare all of the namespaces. Now, it should be noted that this
- * ordering might break in the future (especially with rootless
- * containers). But for now, it's not possible to split this into
- * CLONE_NEWUSER + [the rest] because of some RHEL SELinux issues.
- *
- * Note that we don't merge this with clone() because there were
- * some old kernel versions where clone(CLONE_PARENT | CLONE_NEWPID)
- * was broken, so we'll just do it the long way anyway.
- */
- if (unshare(config.cloneflags & ~CLONE_NEWCGROUP) < 0)
- bail("failed to unshare namespaces");
-
- /*
- * TODO: What about non-namespace clone flags that we're dropping here?
- *
- * We fork again because of PID namespace, setns(2) or unshare(2) don't
- * change the PID namespace of the calling process, because doing so
- * would change the caller's idea of its own PID (as reported by getpid()),
- * which would break many applications and libraries, so we must fork
- * to actually enter the new PID namespace.
- */
- child = clone_parent(&env, JUMP_INIT);
- if (child < 0)
- bail("unable to fork: init_func");
-
- /* Send the child to our parent, which knows what it's doing. */
- s = SYNC_RECVPID_PLS;
- if (write(syncfd, &s, sizeof(s)) != sizeof(s)) {
- kill(child, SIGKILL);
- bail("failed to sync with parent: write(SYNC_RECVPID_PLS)");
- }
- if (write(syncfd, &child, sizeof(child)) != sizeof(child)) {
- kill(child, SIGKILL);
- bail("failed to sync with parent: write(childpid)");
- }
-
- /* ... wait for parent to get the pid ... */
-
- if (read(syncfd, &s, sizeof(s)) != sizeof(s)) {
- kill(child, SIGKILL);
- bail("failed to sync with parent: read(SYNC_RECVPID_ACK)");
- }
- if (s != SYNC_RECVPID_ACK) {
- kill(child, SIGKILL);
- bail("failed to sync with parent: SYNC_RECVPID_ACK: got %u", s);
- }
-
- s = SYNC_CHILD_READY;
- if (write(syncfd, &s, sizeof(s)) != sizeof(s)) {
- kill(child, SIGKILL);
- bail("failed to sync with parent: write(SYNC_CHILD_READY)");
- }
-
- /* Our work is done. [Stage 2: JUMP_INIT] is doing the rest of the work. */
- exit(0);
- }
-
- /*
- * Stage 2: We're the final child process, and the only process that will
- * actually return to the Go runtime. Our job is to just do the
- * final cleanup steps and then return to the Go runtime to allow
- * init_linux.go to run.
- */
- case JUMP_INIT:{
- /*
- * We're inside the child now, having jumped from the
- * start_child() code after forking in the parent.
- */
- enum sync_t s;
-
- /* We're in a child and thus need to tell the parent if we die. */
- syncfd = sync_grandchild_pipe[0];
- close(sync_grandchild_pipe[1]);
- close(sync_child_pipe[0]);
- close(sync_child_pipe[1]);
-
- /* For debugging. */
- prctl(PR_SET_NAME, (unsigned long)"runc:[2:INIT]", 0, 0, 0);
-
- if (read(syncfd, &s, sizeof(s)) != sizeof(s))
- bail("failed to sync with parent: read(SYNC_GRANDCHILD)");
- if (s != SYNC_GRANDCHILD)
- bail("failed to sync with parent: SYNC_GRANDCHILD: got %u", s);
-
- if (setsid() < 0)
- bail("setsid failed");
-
- if (setuid(0) < 0)
- bail("setuid failed");
-
- if (setgid(0) < 0)
- bail("setgid failed");
-
- if (!config.is_rootless_euid && config.is_setgroup) {
- if (setgroups(0, NULL) < 0)
- bail("setgroups failed");
- }
-
- /* ... wait until our topmost parent has finished cgroup setup in p.manager.Apply() ... */
- if (config.cloneflags & CLONE_NEWCGROUP) {
- uint8_t value;
- if (read(pipenum, &value, sizeof(value)) != sizeof(value))
- bail("read synchronisation value failed");
- if (value == CREATECGROUPNS) {
- if (unshare(CLONE_NEWCGROUP) < 0)
- bail("failed to unshare cgroup namespace");
- } else
- bail("received unknown synchronisation value");
- }
-
- s = SYNC_CHILD_READY;
- if (write(syncfd, &s, sizeof(s)) != sizeof(s))
- bail("failed to sync with patent: write(SYNC_CHILD_READY)");
-
- /* Close sync pipes. */
- close(sync_grandchild_pipe[0]);
-
- /* Free netlink data. */
- nl_free(&config);
-
- /* Finish executing, let the Go runtime take over. */
- return;
- }
- default:
- bail("unexpected jump value");
- }
-
- /* Should never be reached. */
- bail("should never be reached");
-}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/system/linux.go b/vendor/github.com/opencontainers/runc/libcontainer/system/linux.go
deleted file mode 100644
index a4ae8901a..000000000
--- a/vendor/github.com/opencontainers/runc/libcontainer/system/linux.go
+++ /dev/null
@@ -1,155 +0,0 @@
-// +build linux
-
-package system
-
-import (
- "os"
- "os/exec"
- "syscall" // only for exec
- "unsafe"
-
- "github.com/opencontainers/runc/libcontainer/user"
- "golang.org/x/sys/unix"
-)
-
-// If arg2 is nonzero, set the "child subreaper" attribute of the
-// calling process; if arg2 is zero, unset the attribute. When a
-// process is marked as a child subreaper, all of the children
-// that it creates, and their descendants, will be marked as
-// having a subreaper. In effect, a subreaper fulfills the role
-// of init(1) for its descendant processes. Upon termination of
-// a process that is orphaned (i.e., its immediate parent has
-// already terminated) and marked as having a subreaper, the
-// nearest still living ancestor subreaper will receive a SIGCHLD
-// signal and be able to wait(2) on the process to discover its
-// termination status.
-const PR_SET_CHILD_SUBREAPER = 36
-
-type ParentDeathSignal int
-
-func (p ParentDeathSignal) Restore() error {
- if p == 0 {
- return nil
- }
- current, err := GetParentDeathSignal()
- if err != nil {
- return err
- }
- if p == current {
- return nil
- }
- return p.Set()
-}
-
-func (p ParentDeathSignal) Set() error {
- return SetParentDeathSignal(uintptr(p))
-}
-
-func Execv(cmd string, args []string, env []string) error {
- name, err := exec.LookPath(cmd)
- if err != nil {
- return err
- }
-
- return syscall.Exec(name, args, env)
-}
-
-func Prlimit(pid, resource int, limit unix.Rlimit) error {
- _, _, err := unix.RawSyscall6(unix.SYS_PRLIMIT64, uintptr(pid), uintptr(resource), uintptr(unsafe.Pointer(&limit)), uintptr(unsafe.Pointer(&limit)), 0, 0)
- if err != 0 {
- return err
- }
- return nil
-}
-
-func SetParentDeathSignal(sig uintptr) error {
- if err := unix.Prctl(unix.PR_SET_PDEATHSIG, sig, 0, 0, 0); err != nil {
- return err
- }
- return nil
-}
-
-func GetParentDeathSignal() (ParentDeathSignal, error) {
- var sig int
- if err := unix.Prctl(unix.PR_GET_PDEATHSIG, uintptr(unsafe.Pointer(&sig)), 0, 0, 0); err != nil {
- return -1, err
- }
- return ParentDeathSignal(sig), nil
-}
-
-func SetKeepCaps() error {
- if err := unix.Prctl(unix.PR_SET_KEEPCAPS, 1, 0, 0, 0); err != nil {
- return err
- }
-
- return nil
-}
-
-func ClearKeepCaps() error {
- if err := unix.Prctl(unix.PR_SET_KEEPCAPS, 0, 0, 0, 0); err != nil {
- return err
- }
-
- return nil
-}
-
-func Setctty() error {
- if err := unix.IoctlSetInt(0, unix.TIOCSCTTY, 0); err != nil {
- return err
- }
- return nil
-}
-
-// RunningInUserNS detects whether we are currently running in a user namespace.
-// Originally copied from github.com/lxc/lxd/shared/util.go
-func RunningInUserNS() bool {
- uidmap, err := user.CurrentProcessUIDMap()
- if err != nil {
- // This kernel-provided file only exists if user namespaces are supported
- return false
- }
- return UIDMapInUserNS(uidmap)
-}
-
-func UIDMapInUserNS(uidmap []user.IDMap) bool {
- /*
- * We assume we are in the initial user namespace if we have a full
- * range - 4294967295 uids starting at uid 0.
- */
- if len(uidmap) == 1 && uidmap[0].ID == 0 && uidmap[0].ParentID == 0 && uidmap[0].Count == 4294967295 {
- return false
- }
- return true
-}
-
-// GetParentNSeuid returns the euid within the parent user namespace
-func GetParentNSeuid() int64 {
- euid := int64(os.Geteuid())
- uidmap, err := user.CurrentProcessUIDMap()
- if err != nil {
- // This kernel-provided file only exists if user namespaces are supported
- return euid
- }
- for _, um := range uidmap {
- if um.ID <= euid && euid <= um.ID+um.Count-1 {
- return um.ParentID + euid - um.ID
- }
- }
- return euid
-}
-
-// SetSubreaper sets the value i as the subreaper setting for the calling process
-func SetSubreaper(i int) error {
- return unix.Prctl(PR_SET_CHILD_SUBREAPER, uintptr(i), 0, 0, 0)
-}
-
-// GetSubreaper returns the subreaper setting for the calling process
-func GetSubreaper() (int, error) {
- var i uintptr
-
- if err := unix.Prctl(unix.PR_GET_CHILD_SUBREAPER, uintptr(unsafe.Pointer(&i)), 0, 0, 0); err != nil {
- return -1, err
- }
-
- return int(i), nil
-}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/system/proc.go b/vendor/github.com/opencontainers/runc/libcontainer/system/proc.go
deleted file mode 100644
index 79232a437..000000000
--- a/vendor/github.com/opencontainers/runc/libcontainer/system/proc.go
+++ /dev/null
@@ -1,113 +0,0 @@
-package system
-
-import (
- "fmt"
- "io/ioutil"
- "path/filepath"
- "strconv"
- "strings"
-)
-
-// State is the status of a process.
-type State rune
-
-const ( // Only values for Linux 3.14 and later are listed here
- Dead State = 'X'
- DiskSleep State = 'D'
- Running State = 'R'
- Sleeping State = 'S'
- Stopped State = 'T'
- TracingStop State = 't'
- Zombie State = 'Z'
-)
-
-// String forms of the state from proc(5)'s documentation for
-// /proc/[pid]/status' "State" field.
-func (s State) String() string {
- switch s {
- case Dead:
- return "dead"
- case DiskSleep:
- return "disk sleep"
- case Running:
- return "running"
- case Sleeping:
- return "sleeping"
- case Stopped:
- return "stopped"
- case TracingStop:
- return "tracing stop"
- case Zombie:
- return "zombie"
- default:
- return fmt.Sprintf("unknown (%c)", s)
- }
-}
-
-// Stat_t represents the information from /proc/[pid]/stat, as
-// described in proc(5) with names based on the /proc/[pid]/status
-// fields.
-type Stat_t struct {
- // PID is the process ID.
- PID uint
-
- // Name is the command run by the process.
- Name string
-
- // State is the state of the process.
- State State
-
- // StartTime is the number of clock ticks after system boot (since
- // Linux 2.6).
- StartTime uint64
-}
-
-// Stat returns a Stat_t instance for the specified process.
-func Stat(pid int) (stat Stat_t, err error) {
- bytes, err := ioutil.ReadFile(filepath.Join("/proc", strconv.Itoa(pid), "stat"))
- if err != nil {
- return stat, err
- }
- return parseStat(string(bytes))
-}
-
-// GetProcessStartTime is deprecated. Use Stat(pid) and
-// Stat_t.StartTime instead.
-func GetProcessStartTime(pid int) (string, error) {
- stat, err := Stat(pid)
- if err != nil {
- return "", err
- }
- return fmt.Sprintf("%d", stat.StartTime), nil
-}
-
-func parseStat(data string) (stat Stat_t, err error) {
- // From proc(5), field 2 could contain space and is inside `(` and `)`.
- // The following is an example:
- // 89653 (gunicorn: maste) S 89630 89653 89653 0 -1 4194560 29689 28896 0 3 146 32 76 19 20 0 1 0 2971844 52965376 3920 18446744073709551615 1 1 0 0 0 0 0 16781312 137447943 0 0 0 17 1 0 0 0 0 0 0 0 0 0 0 0 0 0
- i := strings.LastIndex(data, ")")
- if i <= 2 || i >= len(data)-1 {
- return stat, fmt.Errorf("invalid stat data: %q", data)
- }
-
- parts := strings.SplitN(data[:i], "(", 2)
- if len(parts) != 2 {
- return stat, fmt.Errorf("invalid stat data: %q", data)
- }
-
- stat.Name = parts[1]
- _, err = fmt.Sscanf(parts[0], "%d", &stat.PID)
- if err != nil {
- return stat, err
- }
-
- // parts indexes should be offset by 3 from the field number given
- // proc(5), because parts is zero-indexed and we've removed fields
- // one (PID) and two (Name) in the paren-split.
- parts = strings.Split(data[i+2:], " ")
- var state int
- fmt.Sscanf(parts[3-3], "%c", &state)
- stat.State = State(state)
- fmt.Sscanf(parts[22-3], "%d", &stat.StartTime)
- return stat, nil
-}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/system/syscall_linux_32.go b/vendor/github.com/opencontainers/runc/libcontainer/system/syscall_linux_32.go
deleted file mode 100644
index c5ca5d862..000000000
--- a/vendor/github.com/opencontainers/runc/libcontainer/system/syscall_linux_32.go
+++ /dev/null
@@ -1,26 +0,0 @@
-// +build linux
-// +build 386 arm
-
-package system
-
-import (
- "golang.org/x/sys/unix"
-)
-
-// Setuid sets the uid of the calling thread to the specified uid.
-func Setuid(uid int) (err error) {
- _, _, e1 := unix.RawSyscall(unix.SYS_SETUID32, uintptr(uid), 0, 0)
- if e1 != 0 {
- err = e1
- }
- return
-}
-
-// Setgid sets the gid of the calling thread to the specified gid.
-func Setgid(gid int) (err error) {
- _, _, e1 := unix.RawSyscall(unix.SYS_SETGID32, uintptr(gid), 0, 0)
- if e1 != 0 {
- err = e1
- }
- return
-}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/system/syscall_linux_64.go b/vendor/github.com/opencontainers/runc/libcontainer/system/syscall_linux_64.go
deleted file mode 100644
index 11c3faafb..000000000
--- a/vendor/github.com/opencontainers/runc/libcontainer/system/syscall_linux_64.go
+++ /dev/null
@@ -1,26 +0,0 @@
-// +build linux
-// +build arm64 amd64 mips mipsle mips64 mips64le ppc ppc64 ppc64le s390x
-
-package system
-
-import (
- "golang.org/x/sys/unix"
-)
-
-// Setuid sets the uid of the calling thread to the specified uid.
-func Setuid(uid int) (err error) {
- _, _, e1 := unix.RawSyscall(unix.SYS_SETUID, uintptr(uid), 0, 0)
- if e1 != 0 {
- err = e1
- }
- return
-}
-
-// Setgid sets the gid of the calling thread to the specified gid.
-func Setgid(gid int) (err error) {
- _, _, e1 := unix.RawSyscall(unix.SYS_SETGID, uintptr(gid), 0, 0)
- if e1 != 0 {
- err = e1
- }
- return
-}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/system/sysconfig.go b/vendor/github.com/opencontainers/runc/libcontainer/system/sysconfig.go
deleted file mode 100644
index b8434f105..000000000
--- a/vendor/github.com/opencontainers/runc/libcontainer/system/sysconfig.go
+++ /dev/null
@@ -1,12 +0,0 @@
-// +build cgo,linux
-
-package system
-
-/*
-#include <unistd.h>
-*/
-import "C"
-
-func GetClockTicks() int {
- return int(C.sysconf(C._SC_CLK_TCK))
-}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/system/sysconfig_notcgo.go b/vendor/github.com/opencontainers/runc/libcontainer/system/sysconfig_notcgo.go
deleted file mode 100644
index d93b5d5fd..000000000
--- a/vendor/github.com/opencontainers/runc/libcontainer/system/sysconfig_notcgo.go
+++ /dev/null
@@ -1,15 +0,0 @@
-// +build !cgo windows
-
-package system
-
-func GetClockTicks() int {
- // TODO figure out a better alternative for platforms where we're missing cgo
- //
- // TODO Windows. This could be implemented using Win32 QueryPerformanceFrequency().
- // https://msdn.microsoft.com/en-us/library/windows/desktop/ms644905(v=vs.85).aspx
- //
- // An example of its usage can be found here.
- // https://msdn.microsoft.com/en-us/library/windows/desktop/dn553408(v=vs.85).aspx
-
- return 100
-}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/system/unsupported.go b/vendor/github.com/opencontainers/runc/libcontainer/system/unsupported.go
deleted file mode 100644
index b94be74a6..000000000
--- a/vendor/github.com/opencontainers/runc/libcontainer/system/unsupported.go
+++ /dev/null
@@ -1,27 +0,0 @@
-// +build !linux
-
-package system
-
-import (
- "os"
-
- "github.com/opencontainers/runc/libcontainer/user"
-)
-
-// RunningInUserNS is a stub for non-Linux systems
-// Always returns false
-func RunningInUserNS() bool {
- return false
-}
-
-// UIDMapInUserNS is a stub for non-Linux systems
-// Always returns false
-func UIDMapInUserNS(uidmap []user.IDMap) bool {
- return false
-}
-
-// GetParentNSeuid returns the euid within the parent user namespace
-// Always returns os.Geteuid on non-linux
-func GetParentNSeuid() int {
- return os.Geteuid()
-}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/system/xattrs_linux.go b/vendor/github.com/opencontainers/runc/libcontainer/system/xattrs_linux.go
deleted file mode 100644
index a6823fc99..000000000
--- a/vendor/github.com/opencontainers/runc/libcontainer/system/xattrs_linux.go
+++ /dev/null
@@ -1,35 +0,0 @@
-package system
-
-import "golang.org/x/sys/unix"
-
-// Returns a []byte slice if the xattr is set and nil otherwise
-// Requires path and its attribute as arguments
-func Lgetxattr(path string, attr string) ([]byte, error) {
- var sz int
- // Start with a 128 length byte array
- dest := make([]byte, 128)
- sz, errno := unix.Lgetxattr(path, attr, dest)
-
- switch {
- case errno == unix.ENODATA:
- return nil, errno
- case errno == unix.ENOTSUP:
- return nil, errno
- case errno == unix.ERANGE:
- // 128 byte array might just not be good enough,
- // A dummy buffer is used to get the real size
- // of the xattrs on disk
- sz, errno = unix.Lgetxattr(path, attr, []byte{})
- if errno != nil {
- return nil, errno
- }
- dest = make([]byte, sz)
- sz, errno = unix.Lgetxattr(path, attr, dest)
- if errno != nil {
- return nil, errno
- }
- case errno != nil:
- return nil, errno
- }
- return dest[:sz], nil
-}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/user/lookup.go b/vendor/github.com/opencontainers/runc/libcontainer/user/lookup.go
deleted file mode 100644
index 6fd8dd0d4..000000000
--- a/vendor/github.com/opencontainers/runc/libcontainer/user/lookup.go
+++ /dev/null
@@ -1,41 +0,0 @@
-package user
-
-import (
- "errors"
-)
-
-var (
- // The current operating system does not provide the required data for user lookups.
- ErrUnsupported = errors.New("user lookup: operating system does not provide passwd-formatted data")
- // No matching entries found in file.
- ErrNoPasswdEntries = errors.New("no matching entries in passwd file")
- ErrNoGroupEntries = errors.New("no matching entries in group file")
-)
-
-// LookupUser looks up a user by their username in /etc/passwd. If the user
-// cannot be found (or there is no /etc/passwd file on the filesystem), then
-// LookupUser returns an error.
-func LookupUser(username string) (User, error) {
- return lookupUser(username)
-}
-
-// LookupUid looks up a user by their user id in /etc/passwd. If the user cannot
-// be found (or there is no /etc/passwd file on the filesystem), then LookupId
-// returns an error.
-func LookupUid(uid int) (User, error) {
- return lookupUid(uid)
-}
-
-// LookupGroup looks up a group by its name in /etc/group. If the group cannot
-// be found (or there is no /etc/group file on the filesystem), then LookupGroup
-// returns an error.
-func LookupGroup(groupname string) (Group, error) {
- return lookupGroup(groupname)
-}
-
-// LookupGid looks up a group by its group id in /etc/group. If the group cannot
-// be found (or there is no /etc/group file on the filesystem), then LookupGid
-// returns an error.
-func LookupGid(gid int) (Group, error) {
- return lookupGid(gid)
-}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/user/lookup_unix.go b/vendor/github.com/opencontainers/runc/libcontainer/user/lookup_unix.go
deleted file mode 100644
index 92b5ae8de..000000000
--- a/vendor/github.com/opencontainers/runc/libcontainer/user/lookup_unix.go
+++ /dev/null
@@ -1,144 +0,0 @@
-// +build darwin dragonfly freebsd linux netbsd openbsd solaris
-
-package user
-
-import (
- "io"
- "os"
- "strconv"
-
- "golang.org/x/sys/unix"
-)
-
-// Unix-specific path to the passwd and group formatted files.
-const (
- unixPasswdPath = "/etc/passwd"
- unixGroupPath = "/etc/group"
-)
-
-func lookupUser(username string) (User, error) {
- return lookupUserFunc(func(u User) bool {
- return u.Name == username
- })
-}
-
-func lookupUid(uid int) (User, error) {
- return lookupUserFunc(func(u User) bool {
- return u.Uid == uid
- })
-}
-
-func lookupUserFunc(filter func(u User) bool) (User, error) {
- // Get operating system-specific passwd reader-closer.
- passwd, err := GetPasswd()
- if err != nil {
- return User{}, err
- }
- defer passwd.Close()
-
- // Get the users.
- users, err := ParsePasswdFilter(passwd, filter)
- if err != nil {
- return User{}, err
- }
-
- // No user entries found.
- if len(users) == 0 {
- return User{}, ErrNoPasswdEntries
- }
-
- // Assume the first entry is the "correct" one.
- return users[0], nil
-}
-
-func lookupGroup(groupname string) (Group, error) {
- return lookupGroupFunc(func(g Group) bool {
- return g.Name == groupname
- })
-}
-
-func lookupGid(gid int) (Group, error) {
- return lookupGroupFunc(func(g Group) bool {
- return g.Gid == gid
- })
-}
-
-func lookupGroupFunc(filter func(g Group) bool) (Group, error) {
- // Get operating system-specific group reader-closer.
- group, err := GetGroup()
- if err != nil {
- return Group{}, err
- }
- defer group.Close()
-
- // Get the users.
- groups, err := ParseGroupFilter(group, filter)
- if err != nil {
- return Group{}, err
- }
-
- // No user entries found.
- if len(groups) == 0 {
- return Group{}, ErrNoGroupEntries
- }
-
- // Assume the first entry is the "correct" one.
- return groups[0], nil
-}
-
-func GetPasswdPath() (string, error) {
- return unixPasswdPath, nil
-}
-
-func GetPasswd() (io.ReadCloser, error) {
- return os.Open(unixPasswdPath)
-}
-
-func GetGroupPath() (string, error) {
- return unixGroupPath, nil
-}
-
-func GetGroup() (io.ReadCloser, error) {
- return os.Open(unixGroupPath)
-}
-
-// CurrentUser looks up the current user by their user id in /etc/passwd. If the
-// user cannot be found (or there is no /etc/passwd file on the filesystem),
-// then CurrentUser returns an error.
-func CurrentUser() (User, error) {
- return LookupUid(unix.Getuid())
-}
-
-// CurrentGroup looks up the current user's group by their primary group id's
-// entry in /etc/passwd. If the group cannot be found (or there is no
-// /etc/group file on the filesystem), then CurrentGroup returns an error.
-func CurrentGroup() (Group, error) {
- return LookupGid(unix.Getgid())
-}
-
-func currentUserSubIDs(fileName string) ([]SubID, error) {
- u, err := CurrentUser()
- if err != nil {
- return nil, err
- }
- filter := func(entry SubID) bool {
- return entry.Name == u.Name || entry.Name == strconv.Itoa(u.Uid)
- }
- return ParseSubIDFileFilter(fileName, filter)
-}
-
-func CurrentUserSubUIDs() ([]SubID, error) {
- return currentUserSubIDs("/etc/subuid")
-}
-
-func CurrentUserSubGIDs() ([]SubID, error) {
- return currentUserSubIDs("/etc/subgid")
-}
-
-func CurrentProcessUIDMap() ([]IDMap, error) {
- return ParseIDMapFile("/proc/self/uid_map")
-}
-
-func CurrentProcessGIDMap() ([]IDMap, error) {
- return ParseIDMapFile("/proc/self/gid_map")
-}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/user/lookup_windows.go b/vendor/github.com/opencontainers/runc/libcontainer/user/lookup_windows.go
deleted file mode 100644
index 65cd40e92..000000000
--- a/vendor/github.com/opencontainers/runc/libcontainer/user/lookup_windows.go
+++ /dev/null
@@ -1,40 +0,0 @@
-// +build windows
-
-package user
-
-import (
- "fmt"
- "os/user"
-)
-
-func lookupUser(username string) (User, error) {
- u, err := user.Lookup(username)
- if err != nil {
- return User{}, err
- }
- return userFromOS(u)
-}
-
-func lookupUid(uid int) (User, error) {
- u, err := user.LookupId(fmt.Sprintf("%d", uid))
- if err != nil {
- return User{}, err
- }
- return userFromOS(u)
-}
-
-func lookupGroup(groupname string) (Group, error) {
- g, err := user.LookupGroup(groupname)
- if err != nil {
- return Group{}, err
- }
- return groupFromOS(g)
-}
-
-func lookupGid(gid int) (Group, error) {
- g, err := user.LookupGroupId(fmt.Sprintf("%d", gid))
- if err != nil {
- return Group{}, err
- }
- return groupFromOS(g)
-}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/user/user.go b/vendor/github.com/opencontainers/runc/libcontainer/user/user.go
deleted file mode 100644
index 7b912bbf8..000000000
--- a/vendor/github.com/opencontainers/runc/libcontainer/user/user.go
+++ /dev/null
@@ -1,608 +0,0 @@
-package user
-
-import (
- "bufio"
- "fmt"
- "io"
- "os"
- "os/user"
- "strconv"
- "strings"
-)
-
-const (
- minId = 0
- maxId = 1<<31 - 1 //for 32-bit systems compatibility
-)
-
-var (
- ErrRange = fmt.Errorf("uids and gids must be in range %d-%d", minId, maxId)
-)
-
-type User struct {
- Name string
- Pass string
- Uid int
- Gid int
- Gecos string
- Home string
- Shell string
-}
-
-// userFromOS converts an os/user.(*User) to local User
-//
-// (This does not include Pass, Shell or Gecos)
-func userFromOS(u *user.User) (User, error) {
- newUser := User{
- Name: u.Username,
- Home: u.HomeDir,
- }
- id, err := strconv.Atoi(u.Uid)
- if err != nil {
- return newUser, err
- }
- newUser.Uid = id
-
- id, err = strconv.Atoi(u.Gid)
- if err != nil {
- return newUser, err
- }
- newUser.Gid = id
- return newUser, nil
-}
-
-type Group struct {
- Name string
- Pass string
- Gid int
- List []string
-}
-
-// groupFromOS converts an os/user.(*Group) to local Group
-//
-// (This does not include Pass, Shell or Gecos)
-func groupFromOS(g *user.Group) (Group, error) {
- newGroup := Group{
- Name: g.Name,
- }
-
- id, err := strconv.Atoi(g.Gid)
- if err != nil {
- return newGroup, err
- }
- newGroup.Gid = id
-
- return newGroup, nil
-}
-
-// SubID represents an entry in /etc/sub{u,g}id
-type SubID struct {
- Name string
- SubID int64
- Count int64
-}
-
-// IDMap represents an entry in /proc/PID/{u,g}id_map
-type IDMap struct {
- ID int64
- ParentID int64
- Count int64
-}
-
-func parseLine(line string, v ...interface{}) {
- parseParts(strings.Split(line, ":"), v...)
-}
-
-func parseParts(parts []string, v ...interface{}) {
- if len(parts) == 0 {
- return
- }
-
- for i, p := range parts {
- // Ignore cases where we don't have enough fields to populate the arguments.
- // Some configuration files like to misbehave.
- if len(v) <= i {
- break
- }
-
- // Use the type of the argument to figure out how to parse it, scanf() style.
- // This is legit.
- switch e := v[i].(type) {
- case *string:
- *e = p
- case *int:
- // "numbers", with conversion errors ignored because of some misbehaving configuration files.
- *e, _ = strconv.Atoi(p)
- case *int64:
- *e, _ = strconv.ParseInt(p, 10, 64)
- case *[]string:
- // Comma-separated lists.
- if p != "" {
- *e = strings.Split(p, ",")
- } else {
- *e = []string{}
- }
- default:
- // Someone goof'd when writing code using this function. Scream so they can hear us.
- panic(fmt.Sprintf("parseLine only accepts {*string, *int, *int64, *[]string} as arguments! %#v is not a pointer!", e))
- }
- }
-}
-
-func ParsePasswdFile(path string) ([]User, error) {
- passwd, err := os.Open(path)
- if err != nil {
- return nil, err
- }
- defer passwd.Close()
- return ParsePasswd(passwd)
-}
-
-func ParsePasswd(passwd io.Reader) ([]User, error) {
- return ParsePasswdFilter(passwd, nil)
-}
-
-func ParsePasswdFileFilter(path string, filter func(User) bool) ([]User, error) {
- passwd, err := os.Open(path)
- if err != nil {
- return nil, err
- }
- defer passwd.Close()
- return ParsePasswdFilter(passwd, filter)
-}
-
-func ParsePasswdFilter(r io.Reader, filter func(User) bool) ([]User, error) {
- if r == nil {
- return nil, fmt.Errorf("nil source for passwd-formatted data")
- }
-
- var (
- s = bufio.NewScanner(r)
- out = []User{}
- )
-
- for s.Scan() {
- if err := s.Err(); err != nil {
- return nil, err
- }
-
- line := strings.TrimSpace(s.Text())
- if line == "" {
- continue
- }
-
- // see: man 5 passwd
- // name:password:UID:GID:GECOS:directory:shell
- // Name:Pass:Uid:Gid:Gecos:Home:Shell
- // root:x:0:0:root:/root:/bin/bash
- // adm:x:3:4:adm:/var/adm:/bin/false
- p := User{}
- parseLine(line, &p.Name, &p.Pass, &p.Uid, &p.Gid, &p.Gecos, &p.Home, &p.Shell)
-
- if filter == nil || filter(p) {
- out = append(out, p)
- }
- }
-
- return out, nil
-}
-
-func ParseGroupFile(path string) ([]Group, error) {
- group, err := os.Open(path)
- if err != nil {
- return nil, err
- }
-
- defer group.Close()
- return ParseGroup(group)
-}
-
-func ParseGroup(group io.Reader) ([]Group, error) {
- return ParseGroupFilter(group, nil)
-}
-
-func ParseGroupFileFilter(path string, filter func(Group) bool) ([]Group, error) {
- group, err := os.Open(path)
- if err != nil {
- return nil, err
- }
- defer group.Close()
- return ParseGroupFilter(group, filter)
-}
-
-func ParseGroupFilter(r io.Reader, filter func(Group) bool) ([]Group, error) {
- if r == nil {
- return nil, fmt.Errorf("nil source for group-formatted data")
- }
-
- var (
- s = bufio.NewScanner(r)
- out = []Group{}
- )
-
- for s.Scan() {
- if err := s.Err(); err != nil {
- return nil, err
- }
-
- text := s.Text()
- if text == "" {
- continue
- }
-
- // see: man 5 group
- // group_name:password:GID:user_list
- // Name:Pass:Gid:List
- // root:x:0:root
- // adm:x:4:root,adm,daemon
- p := Group{}
- parseLine(text, &p.Name, &p.Pass, &p.Gid, &p.List)
-
- if filter == nil || filter(p) {
- out = append(out, p)
- }
- }
-
- return out, nil
-}
-
-type ExecUser struct {
- Uid int
- Gid int
- Sgids []int
- Home string
-}
-
-// GetExecUserPath is a wrapper for GetExecUser. It reads data from each of the
-// given file paths and uses that data as the arguments to GetExecUser. If the
-// files cannot be opened for any reason, the error is ignored and a nil
-// io.Reader is passed instead.
-func GetExecUserPath(userSpec string, defaults *ExecUser, passwdPath, groupPath string) (*ExecUser, error) {
- var passwd, group io.Reader
-
- if passwdFile, err := os.Open(passwdPath); err == nil {
- passwd = passwdFile
- defer passwdFile.Close()
- }
-
- if groupFile, err := os.Open(groupPath); err == nil {
- group = groupFile
- defer groupFile.Close()
- }
-
- return GetExecUser(userSpec, defaults, passwd, group)
-}
-
-// GetExecUser parses a user specification string (using the passwd and group
-// readers as sources for /etc/passwd and /etc/group data, respectively). In
-// the case of blank fields or missing data from the sources, the values in
-// defaults is used.
-//
-// GetExecUser will return an error if a user or group literal could not be
-// found in any entry in passwd and group respectively.
-//
-// Examples of valid user specifications are:
-// * ""
-// * "user"
-// * "uid"
-// * "user:group"
-// * "uid:gid
-// * "user:gid"
-// * "uid:group"
-//
-// It should be noted that if you specify a numeric user or group id, they will
-// not be evaluated as usernames (only the metadata will be filled). So attempting
-// to parse a user with user.Name = "1337" will produce the user with a UID of
-// 1337.
-func GetExecUser(userSpec string, defaults *ExecUser, passwd, group io.Reader) (*ExecUser, error) {
- if defaults == nil {
- defaults = new(ExecUser)
- }
-
- // Copy over defaults.
- user := &ExecUser{
- Uid: defaults.Uid,
- Gid: defaults.Gid,
- Sgids: defaults.Sgids,
- Home: defaults.Home,
- }
-
- // Sgids slice *cannot* be nil.
- if user.Sgids == nil {
- user.Sgids = []int{}
- }
-
- // Allow for userArg to have either "user" syntax, or optionally "user:group" syntax
- var userArg, groupArg string
- parseLine(userSpec, &userArg, &groupArg)
-
- // Convert userArg and groupArg to be numeric, so we don't have to execute
- // Atoi *twice* for each iteration over lines.
- uidArg, uidErr := strconv.Atoi(userArg)
- gidArg, gidErr := strconv.Atoi(groupArg)
-
- // Find the matching user.
- users, err := ParsePasswdFilter(passwd, func(u User) bool {
- if userArg == "" {
- // Default to current state of the user.
- return u.Uid == user.Uid
- }
-
- if uidErr == nil {
- // If the userArg is numeric, always treat it as a UID.
- return uidArg == u.Uid
- }
-
- return u.Name == userArg
- })
-
- // If we can't find the user, we have to bail.
- if err != nil && passwd != nil {
- if userArg == "" {
- userArg = strconv.Itoa(user.Uid)
- }
- return nil, fmt.Errorf("unable to find user %s: %v", userArg, err)
- }
-
- var matchedUserName string
- if len(users) > 0 {
- // First match wins, even if there's more than one matching entry.
- matchedUserName = users[0].Name
- user.Uid = users[0].Uid
- user.Gid = users[0].Gid
- user.Home = users[0].Home
- } else if userArg != "" {
- // If we can't find a user with the given username, the only other valid
- // option is if it's a numeric username with no associated entry in passwd.
-
- if uidErr != nil {
- // Not numeric.
- return nil, fmt.Errorf("unable to find user %s: %v", userArg, ErrNoPasswdEntries)
- }
- user.Uid = uidArg
-
- // Must be inside valid uid range.
- if user.Uid < minId || user.Uid > maxId {
- return nil, ErrRange
- }
-
- // Okay, so it's numeric. We can just roll with this.
- }
-
- // On to the groups. If we matched a username, we need to do this because of
- // the supplementary group IDs.
- if groupArg != "" || matchedUserName != "" {
- groups, err := ParseGroupFilter(group, func(g Group) bool {
- // If the group argument isn't explicit, we'll just search for it.
- if groupArg == "" {
- // Check if user is a member of this group.
- for _, u := range g.List {
- if u == matchedUserName {
- return true
- }
- }
- return false
- }
-
- if gidErr == nil {
- // If the groupArg is numeric, always treat it as a GID.
- return gidArg == g.Gid
- }
-
- return g.Name == groupArg
- })
- if err != nil && group != nil {
- return nil, fmt.Errorf("unable to find groups for spec %v: %v", matchedUserName, err)
- }
-
- // Only start modifying user.Gid if it is in explicit form.
- if groupArg != "" {
- if len(groups) > 0 {
- // First match wins, even if there's more than one matching entry.
- user.Gid = groups[0].Gid
- } else {
- // If we can't find a group with the given name, the only other valid
- // option is if it's a numeric group name with no associated entry in group.
-
- if gidErr != nil {
- // Not numeric.
- return nil, fmt.Errorf("unable to find group %s: %v", groupArg, ErrNoGroupEntries)
- }
- user.Gid = gidArg
-
- // Must be inside valid gid range.
- if user.Gid < minId || user.Gid > maxId {
- return nil, ErrRange
- }
-
- // Okay, so it's numeric. We can just roll with this.
- }
- } else if len(groups) > 0 {
- // Supplementary group ids only make sense if in the implicit form.
- user.Sgids = make([]int, len(groups))
- for i, group := range groups {
- user.Sgids[i] = group.Gid
- }
- }
- }
-
- return user, nil
-}
-
-// GetAdditionalGroups looks up a list of groups by name or group id
-// against the given /etc/group formatted data. If a group name cannot
-// be found, an error will be returned. If a group id cannot be found,
-// or the given group data is nil, the id will be returned as-is
-// provided it is in the legal range.
-func GetAdditionalGroups(additionalGroups []string, group io.Reader) ([]int, error) {
- var groups = []Group{}
- if group != nil {
- var err error
- groups, err = ParseGroupFilter(group, func(g Group) bool {
- for _, ag := range additionalGroups {
- if g.Name == ag || strconv.Itoa(g.Gid) == ag {
- return true
- }
- }
- return false
- })
- if err != nil {
- return nil, fmt.Errorf("Unable to find additional groups %v: %v", additionalGroups, err)
- }
- }
-
- gidMap := make(map[int]struct{})
- for _, ag := range additionalGroups {
- var found bool
- for _, g := range groups {
- // if we found a matched group either by name or gid, take the
- // first matched as correct
- if g.Name == ag || strconv.Itoa(g.Gid) == ag {
- if _, ok := gidMap[g.Gid]; !ok {
- gidMap[g.Gid] = struct{}{}
- found = true
- break
- }
- }
- }
- // we asked for a group but didn't find it. let's check to see
- // if we wanted a numeric group
- if !found {
- gid, err := strconv.Atoi(ag)
- if err != nil {
- return nil, fmt.Errorf("Unable to find group %s", ag)
- }
- // Ensure gid is inside gid range.
- if gid < minId || gid > maxId {
- return nil, ErrRange
- }
- gidMap[gid] = struct{}{}
- }
- }
- gids := []int{}
- for gid := range gidMap {
- gids = append(gids, gid)
- }
- return gids, nil
-}
-
-// GetAdditionalGroupsPath is a wrapper around GetAdditionalGroups
-// that opens the groupPath given and gives it as an argument to
-// GetAdditionalGroups.
-func GetAdditionalGroupsPath(additionalGroups []string, groupPath string) ([]int, error) {
- var group io.Reader
-
- if groupFile, err := os.Open(groupPath); err == nil {
- group = groupFile
- defer groupFile.Close()
- }
- return GetAdditionalGroups(additionalGroups, group)
-}
-
-func ParseSubIDFile(path string) ([]SubID, error) {
- subid, err := os.Open(path)
- if err != nil {
- return nil, err
- }
- defer subid.Close()
- return ParseSubID(subid)
-}
-
-func ParseSubID(subid io.Reader) ([]SubID, error) {
- return ParseSubIDFilter(subid, nil)
-}
-
-func ParseSubIDFileFilter(path string, filter func(SubID) bool) ([]SubID, error) {
- subid, err := os.Open(path)
- if err != nil {
- return nil, err
- }
- defer subid.Close()
- return ParseSubIDFilter(subid, filter)
-}
-
-func ParseSubIDFilter(r io.Reader, filter func(SubID) bool) ([]SubID, error) {
- if r == nil {
- return nil, fmt.Errorf("nil source for subid-formatted data")
- }
-
- var (
- s = bufio.NewScanner(r)
- out = []SubID{}
- )
-
- for s.Scan() {
- if err := s.Err(); err != nil {
- return nil, err
- }
-
- line := strings.TrimSpace(s.Text())
- if line == "" {
- continue
- }
-
- // see: man 5 subuid
- p := SubID{}
- parseLine(line, &p.Name, &p.SubID, &p.Count)
-
- if filter == nil || filter(p) {
- out = append(out, p)
- }
- }
-
- return out, nil
-}
-
-func ParseIDMapFile(path string) ([]IDMap, error) {
- r, err := os.Open(path)
- if err != nil {
- return nil, err
- }
- defer r.Close()
- return ParseIDMap(r)
-}
-
-func ParseIDMap(r io.Reader) ([]IDMap, error) {
- return ParseIDMapFilter(r, nil)
-}
-
-func ParseIDMapFileFilter(path string, filter func(IDMap) bool) ([]IDMap, error) {
- r, err := os.Open(path)
- if err != nil {
- return nil, err
- }
- defer r.Close()
- return ParseIDMapFilter(r, filter)
-}
-
-func ParseIDMapFilter(r io.Reader, filter func(IDMap) bool) ([]IDMap, error) {
- if r == nil {
- return nil, fmt.Errorf("nil source for idmap-formatted data")
- }
-
- var (
- s = bufio.NewScanner(r)
- out = []IDMap{}
- )
-
- for s.Scan() {
- if err := s.Err(); err != nil {
- return nil, err
- }
-
- line := strings.TrimSpace(s.Text())
- if line == "" {
- continue
- }
-
- // see: man 7 user_namespaces
- p := IDMap{}
- parseParts(strings.Fields(line), &p.ID, &p.ParentID, &p.Count)
-
- if filter == nil || filter(p) {
- out = append(out, p)
- }
- }
-
- return out, nil
-}
diff --git a/vendor/github.com/opencontainers/runc/vendor.conf b/vendor/github.com/opencontainers/runc/vendor.conf
deleted file mode 100644
index 22cba0f1b..000000000
--- a/vendor/github.com/opencontainers/runc/vendor.conf
+++ /dev/null
@@ -1,26 +0,0 @@
-# OCI runtime-spec. When updating this, make sure you use a version tag rather
-# than a commit ID so it's much more obvious what version of the spec we are
-# using.
-github.com/opencontainers/runtime-spec 29686dbc5559d93fb1ef402eeda3e35c38d75af4
-# Core libcontainer functionality.
-github.com/checkpoint-restore/go-criu v3.11
-github.com/mrunalp/fileutils ed869b029674c0e9ce4c0dfa781405c2d9946d08
-github.com/opencontainers/selinux v1.2.2
-github.com/seccomp/libseccomp-golang 84e90a91acea0f4e51e62bc1a75de18b1fc0790f
-github.com/sirupsen/logrus a3f95b5c423586578a4e099b11a46c2479628cac
-github.com/syndtr/gocapability db04d3cc01c8b54962a58ec7e491717d06cfcc16
-github.com/vishvananda/netlink 1e2e08e8a2dcdacaae3f14ac44c5cfa31361f270
-# systemd integration.
-github.com/coreos/go-systemd v14
-github.com/coreos/pkg v3
-github.com/godbus/dbus v3
-github.com/golang/protobuf 18c9bb3261723cd5401db4d0c9fbc5c3b6c70fe8
-# Command-line interface.
-github.com/cyphar/filepath-securejoin v0.2.1
-github.com/docker/go-units v0.2.0
-github.com/urfave/cli d53eb991652b1d438abdd34ce4bfa3ef1539108e
-golang.org/x/sys 41f3e6584952bb034a481797859f6ab34b6803bd https://github.com/golang/sys
-
-# console dependencies
-github.com/containerd/console 2748ece16665b45a47f884001d5831ec79703880
-github.com/pkg/errors v0.8.0
diff --git a/vendor/github.com/opencontainers/runtime-spec/LICENSE b/vendor/github.com/opencontainers/runtime-spec/LICENSE
deleted file mode 100644
index bdc403653..000000000
--- a/vendor/github.com/opencontainers/runtime-spec/LICENSE
+++ /dev/null
@@ -1,191 +0,0 @@
-
- Apache License
- Version 2.0, January 2004
- http://www.apache.org/licenses/
-
- TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
-
- 1. Definitions.
-
- "License" shall mean the terms and conditions for use, reproduction,
- and distribution as defined by Sections 1 through 9 of this document.
-
- "Licensor" shall mean the copyright owner or entity authorized by
- the copyright owner that is granting the License.
-
- "Legal Entity" shall mean the union of the acting entity and all
- other entities that control, are controlled by, or are under common
- control with that entity. For the purposes of this definition,
- "control" means (i) the power, direct or indirect, to cause the
- direction or management of such entity, whether by contract or
- otherwise, or (ii) ownership of fifty percent (50%) or more of the
- outstanding shares, or (iii) beneficial ownership of such entity.
-
- "You" (or "Your") shall mean an individual or Legal Entity
- exercising permissions granted by this License.
-
- "Source" form shall mean the preferred form for making modifications,
- including but not limited to software source code, documentation
- source, and configuration files.
-
- "Object" form shall mean any form resulting from mechanical
- transformation or translation of a Source form, including but
- not limited to compiled object code, generated documentation,
- and conversions to other media types.
-
- "Work" shall mean the work of authorship, whether in Source or
- Object form, made available under the License, as indicated by a
- copyright notice that is included in or attached to the work
- (an example is provided in the Appendix below).
-
- "Derivative Works" shall mean any work, whether in Source or Object
- form, that is based on (or derived from) the Work and for which the
- editorial revisions, annotations, elaborations, or other modifications
- represent, as a whole, an original work of authorship. For the purposes
- of this License, Derivative Works shall not include works that remain
- separable from, or merely link (or bind by name) to the interfaces of,
- the Work and Derivative Works thereof.
-
- "Contribution" shall mean any work of authorship, including
- the original version of the Work and any modifications or additions
- to that Work or Derivative Works thereof, that is intentionally
- submitted to Licensor for inclusion in the Work by the copyright owner
- or by an individual or Legal Entity authorized to submit on behalf of
- the copyright owner. For the purposes of this definition, "submitted"
- means any form of electronic, verbal, or written communication sent
- to the Licensor or its representatives, including but not limited to
- communication on electronic mailing lists, source code control systems,
- and issue tracking systems that are managed by, or on behalf of, the
- Licensor for the purpose of discussing and improving the Work, but
- excluding communication that is conspicuously marked or otherwise
- designated in writing by the copyright owner as "Not a Contribution."
-
- "Contributor" shall mean Licensor and any individual or Legal Entity
- on behalf of whom a Contribution has been received by Licensor and
- subsequently incorporated within the Work.
-
- 2. Grant of Copyright License. Subject to the terms and conditions of
- this License, each Contributor hereby grants to You a perpetual,
- worldwide, non-exclusive, no-charge, royalty-free, irrevocable
- copyright license to reproduce, prepare Derivative Works of,
- publicly display, publicly perform, sublicense, and distribute the
- Work and such Derivative Works in Source or Object form.
-
- 3. Grant of Patent License. Subject to the terms and conditions of
- this License, each Contributor hereby grants to You a perpetual,
- worldwide, non-exclusive, no-charge, royalty-free, irrevocable
- (except as stated in this section) patent license to make, have made,
- use, offer to sell, sell, import, and otherwise transfer the Work,
- where such license applies only to those patent claims licensable
- by such Contributor that are necessarily infringed by their
- Contribution(s) alone or by combination of their Contribution(s)
- with the Work to which such Contribution(s) was submitted. If You
- institute patent litigation against any entity (including a
- cross-claim or counterclaim in a lawsuit) alleging that the Work
- or a Contribution incorporated within the Work constitutes direct
- or contributory patent infringement, then any patent licenses
- granted to You under this License for that Work shall terminate
- as of the date such litigation is filed.
-
- 4. Redistribution. You may reproduce and distribute copies of the
- Work or Derivative Works thereof in any medium, with or without
- modifications, and in Source or Object form, provided that You
- meet the following conditions:
-
- (a) You must give any other recipients of the Work or
- Derivative Works a copy of this License; and
-
- (b) You must cause any modified files to carry prominent notices
- stating that You changed the files; and
-
- (c) You must retain, in the Source form of any Derivative Works
- that You distribute, all copyright, patent, trademark, and
- attribution notices from the Source form of the Work,
- excluding those notices that do not pertain to any part of
- the Derivative Works; and
-
- (d) If the Work includes a "NOTICE" text file as part of its
- distribution, then any Derivative Works that You distribute must
- include a readable copy of the attribution notices contained
- within such NOTICE file, excluding those notices that do not
- pertain to any part of the Derivative Works, in at least one
- of the following places: within a NOTICE text file distributed
- as part of the Derivative Works; within the Source form or
- documentation, if provided along with the Derivative Works; or,
- within a display generated by the Derivative Works, if and
- wherever such third-party notices normally appear. The contents
- of the NOTICE file are for informational purposes only and
- do not modify the License. You may add Your own attribution
- notices within Derivative Works that You distribute, alongside
- or as an addendum to the NOTICE text from the Work, provided
- that such additional attribution notices cannot be construed
- as modifying the License.
-
- You may add Your own copyright statement to Your modifications and
- may provide additional or different license terms and conditions
- for use, reproduction, or distribution of Your modifications, or
- for any such Derivative Works as a whole, provided Your use,
- reproduction, and distribution of the Work otherwise complies with
- the conditions stated in this License.
-
- 5. Submission of Contributions. Unless You explicitly state otherwise,
- any Contribution intentionally submitted for inclusion in the Work
- by You to the Licensor shall be under the terms and conditions of
- this License, without any additional terms or conditions.
- Notwithstanding the above, nothing herein shall supersede or modify
- the terms of any separate license agreement you may have executed
- with Licensor regarding such Contributions.
-
- 6. Trademarks. This License does not grant permission to use the trade
- names, trademarks, service marks, or product names of the Licensor,
- except as required for reasonable and customary use in describing the
- origin of the Work and reproducing the content of the NOTICE file.
-
- 7. Disclaimer of Warranty. Unless required by applicable law or
- agreed to in writing, Licensor provides the Work (and each
- Contributor provides its Contributions) on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- implied, including, without limitation, any warranties or conditions
- of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
- PARTICULAR PURPOSE. You are solely responsible for determining the
- appropriateness of using or redistributing the Work and assume any
- risks associated with Your exercise of permissions under this License.
-
- 8. Limitation of Liability. In no event and under no legal theory,
- whether in tort (including negligence), contract, or otherwise,
- unless required by applicable law (such as deliberate and grossly
- negligent acts) or agreed to in writing, shall any Contributor be
- liable to You for damages, including any direct, indirect, special,
- incidental, or consequential damages of any character arising as a
- result of this License or out of the use or inability to use the
- Work (including but not limited to damages for loss of goodwill,
- work stoppage, computer failure or malfunction, or any and all
- other commercial damages or losses), even if such Contributor
- has been advised of the possibility of such damages.
-
- 9. Accepting Warranty or Additional Liability. While redistributing
- the Work or Derivative Works thereof, You may choose to offer,
- and charge a fee for, acceptance of support, warranty, indemnity,
- or other liability obligations and/or rights consistent with this
- License. However, in accepting such obligations, You may act only
- on Your own behalf and on Your sole responsibility, not on behalf
- of any other Contributor, and only if You agree to indemnify,
- defend, and hold each Contributor harmless for any liability
- incurred by, or claims asserted against, such Contributor by reason
- of your accepting any such warranty or additional liability.
-
- END OF TERMS AND CONDITIONS
-
- Copyright 2015 The Linux Foundation.
-
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
diff --git a/vendor/github.com/opencontainers/runtime-spec/README.md b/vendor/github.com/opencontainers/runtime-spec/README.md
deleted file mode 100644
index b40dba17d..000000000
--- a/vendor/github.com/opencontainers/runtime-spec/README.md
+++ /dev/null
@@ -1,153 +0,0 @@
-# Open Container Initiative Runtime Specification
-
-The [Open Container Initiative][oci] develops specifications for standards on Operating System process and application containers.
-
-The specification can be found [here](spec.md).
-
-## Table of Contents
-
-Additional documentation about how this group operates:
-
-- [Code of Conduct][code-of-conduct]
-- [Style and Conventions](style.md)
-- [Implementations](implementations.md)
-- [Releases](RELEASES.md)
-- [project](project.md)
-- [charter][charter]
-
-## Use Cases
-
-To provide context for users the following section gives example use cases for each part of the spec.
-
-### Application Bundle Builders
-
-Application bundle builders can create a [bundle](bundle.md) directory that includes all of the files required for launching an application as a container.
-The bundle contains an OCI [configuration file](config.md) where the builder can specify host-independent details such as [which executable to launch](config.md#process) and host-specific settings such as [mount](config.md#mounts) locations, [hook](config.md#posix-platform-hooks) paths, Linux [namespaces](config-linux.md#namespaces) and [cgroups](config-linux.md#control-groups).
-Because the configuration includes host-specific settings, application bundle directories copied between two hosts may require configuration adjustments.
-
-### Hook Developers
-
-[Hook](config.md#posix-platform-hooks) developers can extend the functionality of an OCI-compliant runtime by hooking into a container's lifecycle with an external application.
-Example use cases include sophisticated network configuration, volume garbage collection, etc.
-
-### Runtime Developers
-
-Runtime developers can build runtime implementations that run OCI-compliant bundles and container configuration, containing low-level OS and host-specific details, on a particular platform.
-
-## Contributing
-
-Development happens on GitHub for the spec.
-Issues are used for bugs and actionable items and longer discussions can happen on the [mailing list](#mailing-list).
-
-The specification and code is licensed under the Apache 2.0 license found in the [LICENSE](./LICENSE) file.
-
-### Discuss your design
-
-The project welcomes submissions, but please let everyone know what you are working on.
-
-Before undertaking a nontrivial change to this specification, send mail to the [mailing list](#mailing-list) to discuss what you plan to do.
-This gives everyone a chance to validate the design, helps prevent duplication of effort, and ensures that the idea fits.
-It also guarantees that the design is sound before code is written; a GitHub pull-request is not the place for high-level discussions.
-
-Typos and grammatical errors can go straight to a pull-request.
-When in doubt, start on the [mailing-list](#mailing-list).
-
-### Meetings
-
-The contributors and maintainers of all OCI projects have monthly meetings, which are usually at 2:00 PM (USA Pacific) on the first Wednesday of every month.
-There is an [iCalendar][rfc5545] format for the meetings [here](meeting.ics).
-Everyone is welcome to participate via [UberConference web][uberconference] or audio-only: +1 415 968 0849 (no PIN needed).
-An initial agenda will be posted to the [mailing list](#mailing-list) in the week before each meeting, and everyone is welcome to propose additional topics or suggest other agenda alterations there.
-Minutes are posted to the [mailing list](#mailing-list) and minutes from past calls are archived [here][minutes], with minutes from especially old meetings (September 2015 and earlier) archived [here][runtime-wiki].
-
-### Mailing List
-
-You can subscribe and join the mailing list on [Google Groups][dev-list].
-
-### IRC
-
-OCI discussion happens on #opencontainers on Freenode ([logs][irc-logs]).
-
-### Git commit
-
-#### Sign your work
-
-The sign-off is a simple line at the end of the explanation for the patch, which certifies that you wrote it or otherwise have the right to pass it on as an open-source patch.
-The rules are pretty simple: if you can certify the below (from http://developercertificate.org):
-
-```
-Developer Certificate of Origin
-Version 1.1
-
-Copyright (C) 2004, 2006 The Linux Foundation and its contributors.
-660 York Street, Suite 102,
-San Francisco, CA 94110 USA
-
-Everyone is permitted to copy and distribute verbatim copies of this
-license document, but changing it is not allowed.
-
-
-Developer's Certificate of Origin 1.1
-
-By making a contribution to this project, I certify that:
-
-(a) The contribution was created in whole or in part by me and I
- have the right to submit it under the open source license
- indicated in the file; or
-
-(b) The contribution is based upon previous work that, to the best
- of my knowledge, is covered under an appropriate open source
- license and I have the right under that license to submit that
- work with modifications, whether created in whole or in part
- by me, under the same open source license (unless I am
- permitted to submit under a different license), as indicated
- in the file; or
-
-(c) The contribution was provided directly to me by some other
- person who certified (a), (b) or (c) and I have not modified
- it.
-
-(d) I understand and agree that this project and the contribution
- are public and that a record of the contribution (including all
- personal information I submit with it, including my sign-off) is
- maintained indefinitely and may be redistributed consistent with
- this project or the open source license(s) involved.
-```
-
-then you just add a line to every git commit message:
-
- Signed-off-by: Joe Smith <joe@gmail.com>
-
-using your real name (sorry, no pseudonyms or anonymous contributions.)
-
-You can add the sign off when creating the git commit via `git commit -s`.
-
-#### Commit Style
-
-Simple house-keeping for clean git history.
-Read more on [How to Write a Git Commit Message][how-to-git-commit] or the Discussion section of [git-commit(1)][git-commit.1].
-
-1. Separate the subject from body with a blank line
-2. Limit the subject line to 50 characters
-3. Capitalize the subject line
-4. Do not end the subject line with a period
-5. Use the imperative mood in the subject line
-6. Wrap the body at 72 characters
-7. Use the body to explain what and why vs. how
- * If there was important/useful/essential conversation or information, copy or include a reference
-8. When possible, one keyword to scope the change in the subject (i.e. "README: ...", "runtime: ...")
-
-
-[charter]: https://www.opencontainers.org/about/governance
-[code-of-conduct]: https://github.com/opencontainers/tob/blob/master/code-of-conduct.md
-[dev-list]: https://groups.google.com/a/opencontainers.org/forum/#!forum/dev
-[how-to-git-commit]: http://chris.beams.io/posts/git-commit
-[irc-logs]: http://ircbot.wl.linuxfoundation.org/eavesdrop/%23opencontainers/
-[iso-week]: https://en.wikipedia.org/wiki/ISO_week_date#Calculating_the_week_number_of_a_given_date
-[minutes]: http://ircbot.wl.linuxfoundation.org/meetings/opencontainers/
-[oci]: https://www.opencontainers.org
-[rfc5545]: https://tools.ietf.org/html/rfc5545
-[runtime-wiki]: https://github.com/opencontainers/runtime-spec/wiki
-[uberconference]: https://www.uberconference.com/opencontainers
-
-[git-commit.1]: http://git-scm.com/docs/git-commit
diff --git a/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go b/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go
deleted file mode 100644
index f32698cab..000000000
--- a/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go
+++ /dev/null
@@ -1,632 +0,0 @@
-package specs
-
-import "os"
-
-// Spec is the base configuration for the container.
-type Spec struct {
- // Version of the Open Container Initiative Runtime Specification with which the bundle complies.
- Version string `json:"ociVersion"`
- // Process configures the container process.
- Process *Process `json:"process,omitempty"`
- // Root configures the container's root filesystem.
- Root *Root `json:"root,omitempty"`
- // Hostname configures the container's hostname.
- Hostname string `json:"hostname,omitempty"`
- // Mounts configures additional mounts (on top of Root).
- Mounts []Mount `json:"mounts,omitempty"`
- // Hooks configures callbacks for container lifecycle events.
- Hooks *Hooks `json:"hooks,omitempty" platform:"linux,solaris"`
- // Annotations contains arbitrary metadata for the container.
- Annotations map[string]string `json:"annotations,omitempty"`
-
- // Linux is platform-specific configuration for Linux based containers.
- Linux *Linux `json:"linux,omitempty" platform:"linux"`
- // Solaris is platform-specific configuration for Solaris based containers.
- Solaris *Solaris `json:"solaris,omitempty" platform:"solaris"`
- // Windows is platform-specific configuration for Windows based containers.
- Windows *Windows `json:"windows,omitempty" platform:"windows"`
- // VM specifies configuration for virtual-machine-based containers.
- VM *VM `json:"vm,omitempty" platform:"vm"`
-}
-
-// Process contains information to start a specific application inside the container.
-type Process struct {
- // Terminal creates an interactive terminal for the container.
- Terminal bool `json:"terminal,omitempty"`
- // ConsoleSize specifies the size of the console.
- ConsoleSize *Box `json:"consoleSize,omitempty"`
- // User specifies user information for the process.
- User User `json:"user"`
- // Args specifies the binary and arguments for the application to execute.
- Args []string `json:"args"`
- // Env populates the process environment for the process.
- Env []string `json:"env,omitempty"`
- // Cwd is the current working directory for the process and must be
- // relative to the container's root.
- Cwd string `json:"cwd"`
- // Capabilities are Linux capabilities that are kept for the process.
- Capabilities *LinuxCapabilities `json:"capabilities,omitempty" platform:"linux"`
- // Rlimits specifies rlimit options to apply to the process.
- Rlimits []POSIXRlimit `json:"rlimits,omitempty" platform:"linux,solaris"`
- // NoNewPrivileges controls whether additional privileges could be gained by processes in the container.
- NoNewPrivileges bool `json:"noNewPrivileges,omitempty" platform:"linux"`
- // ApparmorProfile specifies the apparmor profile for the container.
- ApparmorProfile string `json:"apparmorProfile,omitempty" platform:"linux"`
- // Specify an oom_score_adj for the container.
- OOMScoreAdj *int `json:"oomScoreAdj,omitempty" platform:"linux"`
- // SelinuxLabel specifies the selinux context that the container process is run as.
- SelinuxLabel string `json:"selinuxLabel,omitempty" platform:"linux"`
-}
-
-// LinuxCapabilities specifies the whitelist of capabilities that are kept for a process.
-// http://man7.org/linux/man-pages/man7/capabilities.7.html
-type LinuxCapabilities struct {
- // Bounding is the set of capabilities checked by the kernel.
- Bounding []string `json:"bounding,omitempty" platform:"linux"`
- // Effective is the set of capabilities checked by the kernel.
- Effective []string `json:"effective,omitempty" platform:"linux"`
- // Inheritable is the capabilities preserved across execve.
- Inheritable []string `json:"inheritable,omitempty" platform:"linux"`
- // Permitted is the limiting superset for effective capabilities.
- Permitted []string `json:"permitted,omitempty" platform:"linux"`
- // Ambient is the ambient set of capabilities that are kept.
- Ambient []string `json:"ambient,omitempty" platform:"linux"`
-}
-
-// Box specifies dimensions of a rectangle. Used for specifying the size of a console.
-type Box struct {
- // Height is the vertical dimension of a box.
- Height uint `json:"height"`
- // Width is the horizontal dimension of a box.
- Width uint `json:"width"`
-}
-
-// User specifies specific user (and group) information for the container process.
-type User struct {
- // UID is the user id.
- UID uint32 `json:"uid" platform:"linux,solaris"`
- // GID is the group id.
- GID uint32 `json:"gid" platform:"linux,solaris"`
- // AdditionalGids are additional group ids set for the container's process.
- AdditionalGids []uint32 `json:"additionalGids,omitempty" platform:"linux,solaris"`
- // Username is the user name.
- Username string `json:"username,omitempty" platform:"windows"`
-}
-
-// Root contains information about the container's root filesystem on the host.
-type Root struct {
- // Path is the absolute path to the container's root filesystem.
- Path string `json:"path"`
- // Readonly makes the root filesystem for the container readonly before the process is executed.
- Readonly bool `json:"readonly,omitempty"`
-}
-
-// Mount specifies a mount for a container.
-type Mount struct {
- // Destination is the absolute path where the mount will be placed in the container.
- Destination string `json:"destination"`
- // Type specifies the mount kind.
- Type string `json:"type,omitempty" platform:"linux,solaris"`
- // Source specifies the source path of the mount.
- Source string `json:"source,omitempty"`
- // Options are fstab style mount options.
- Options []string `json:"options,omitempty"`
-}
-
-// Hook specifies a command that is run at a particular event in the lifecycle of a container
-type Hook struct {
- Path string `json:"path"`
- Args []string `json:"args,omitempty"`
- Env []string `json:"env,omitempty"`
- Timeout *int `json:"timeout,omitempty"`
-}
-
-// Hooks for container setup and teardown
-type Hooks struct {
- // Prestart is a list of hooks to be run before the container process is executed.
- Prestart []Hook `json:"prestart,omitempty"`
- // Poststart is a list of hooks to be run after the container process is started.
- Poststart []Hook `json:"poststart,omitempty"`
- // Poststop is a list of hooks to be run after the container process exits.
- Poststop []Hook `json:"poststop,omitempty"`
-}
-
-// Linux contains platform-specific configuration for Linux based containers.
-type Linux struct {
- // UIDMapping specifies user mappings for supporting user namespaces.
- UIDMappings []LinuxIDMapping `json:"uidMappings,omitempty"`
- // GIDMapping specifies group mappings for supporting user namespaces.
- GIDMappings []LinuxIDMapping `json:"gidMappings,omitempty"`
- // Sysctl are a set of key value pairs that are set for the container on start
- Sysctl map[string]string `json:"sysctl,omitempty"`
- // Resources contain cgroup information for handling resource constraints
- // for the container
- Resources *LinuxResources `json:"resources,omitempty"`
- // CgroupsPath specifies the path to cgroups that are created and/or joined by the container.
- // The path is expected to be relative to the cgroups mountpoint.
- // If resources are specified, the cgroups at CgroupsPath will be updated based on resources.
- CgroupsPath string `json:"cgroupsPath,omitempty"`
- // Namespaces contains the namespaces that are created and/or joined by the container
- Namespaces []LinuxNamespace `json:"namespaces,omitempty"`
- // Devices are a list of device nodes that are created for the container
- Devices []LinuxDevice `json:"devices,omitempty"`
- // Seccomp specifies the seccomp security settings for the container.
- Seccomp *LinuxSeccomp `json:"seccomp,omitempty"`
- // RootfsPropagation is the rootfs mount propagation mode for the container.
- RootfsPropagation string `json:"rootfsPropagation,omitempty"`
- // MaskedPaths masks over the provided paths inside the container.
- MaskedPaths []string `json:"maskedPaths,omitempty"`
- // ReadonlyPaths sets the provided paths as RO inside the container.
- ReadonlyPaths []string `json:"readonlyPaths,omitempty"`
- // MountLabel specifies the selinux context for the mounts in the container.
- MountLabel string `json:"mountLabel,omitempty"`
- // IntelRdt contains Intel Resource Director Technology (RDT) information
- // for handling resource constraints (e.g., L3 cache) for the container
- IntelRdt *LinuxIntelRdt `json:"intelRdt,omitempty"`
-}
-
-// LinuxNamespace is the configuration for a Linux namespace
-type LinuxNamespace struct {
- // Type is the type of namespace
- Type LinuxNamespaceType `json:"type"`
- // Path is a path to an existing namespace persisted on disk that can be joined
- // and is of the same type
- Path string `json:"path,omitempty"`
-}
-
-// LinuxNamespaceType is one of the Linux namespaces
-type LinuxNamespaceType string
-
-const (
- // PIDNamespace for isolating process IDs
- PIDNamespace LinuxNamespaceType = "pid"
- // NetworkNamespace for isolating network devices, stacks, ports, etc
- NetworkNamespace = "network"
- // MountNamespace for isolating mount points
- MountNamespace = "mount"
- // IPCNamespace for isolating System V IPC, POSIX message queues
- IPCNamespace = "ipc"
- // UTSNamespace for isolating hostname and NIS domain name
- UTSNamespace = "uts"
- // UserNamespace for isolating user and group IDs
- UserNamespace = "user"
- // CgroupNamespace for isolating cgroup hierarchies
- CgroupNamespace = "cgroup"
-)
-
-// LinuxIDMapping specifies UID/GID mappings
-type LinuxIDMapping struct {
- // ContainerID is the starting UID/GID in the container
- ContainerID uint32 `json:"containerID"`
- // HostID is the starting UID/GID on the host to be mapped to 'ContainerID'
- HostID uint32 `json:"hostID"`
- // Size is the number of IDs to be mapped
- Size uint32 `json:"size"`
-}
-
-// POSIXRlimit type and restrictions
-type POSIXRlimit struct {
- // Type of the rlimit to set
- Type string `json:"type"`
- // Hard is the hard limit for the specified type
- Hard uint64 `json:"hard"`
- // Soft is the soft limit for the specified type
- Soft uint64 `json:"soft"`
-}
-
-// LinuxHugepageLimit structure corresponds to limiting kernel hugepages
-type LinuxHugepageLimit struct {
- // Pagesize is the hugepage size
- Pagesize string `json:"pageSize"`
- // Limit is the limit of "hugepagesize" hugetlb usage
- Limit uint64 `json:"limit"`
-}
-
-// LinuxInterfacePriority for network interfaces
-type LinuxInterfacePriority struct {
- // Name is the name of the network interface
- Name string `json:"name"`
- // Priority for the interface
- Priority uint32 `json:"priority"`
-}
-
-// linuxBlockIODevice holds major:minor format supported in blkio cgroup
-type linuxBlockIODevice struct {
- // Major is the device's major number.
- Major int64 `json:"major"`
- // Minor is the device's minor number.
- Minor int64 `json:"minor"`
-}
-
-// LinuxWeightDevice struct holds a `major:minor weight` pair for weightDevice
-type LinuxWeightDevice struct {
- linuxBlockIODevice
- // Weight is the bandwidth rate for the device.
- Weight *uint16 `json:"weight,omitempty"`
- // LeafWeight is the bandwidth rate for the device while competing with the cgroup's child cgroups, CFQ scheduler only
- LeafWeight *uint16 `json:"leafWeight,omitempty"`
-}
-
-// LinuxThrottleDevice struct holds a `major:minor rate_per_second` pair
-type LinuxThrottleDevice struct {
- linuxBlockIODevice
- // Rate is the IO rate limit per cgroup per device
- Rate uint64 `json:"rate"`
-}
-
-// LinuxBlockIO for Linux cgroup 'blkio' resource management
-type LinuxBlockIO struct {
- // Specifies per cgroup weight
- Weight *uint16 `json:"weight,omitempty"`
- // Specifies tasks' weight in the given cgroup while competing with the cgroup's child cgroups, CFQ scheduler only
- LeafWeight *uint16 `json:"leafWeight,omitempty"`
- // Weight per cgroup per device, can override BlkioWeight
- WeightDevice []LinuxWeightDevice `json:"weightDevice,omitempty"`
- // IO read rate limit per cgroup per device, bytes per second
- ThrottleReadBpsDevice []LinuxThrottleDevice `json:"throttleReadBpsDevice,omitempty"`
- // IO write rate limit per cgroup per device, bytes per second
- ThrottleWriteBpsDevice []LinuxThrottleDevice `json:"throttleWriteBpsDevice,omitempty"`
- // IO read rate limit per cgroup per device, IO per second
- ThrottleReadIOPSDevice []LinuxThrottleDevice `json:"throttleReadIOPSDevice,omitempty"`
- // IO write rate limit per cgroup per device, IO per second
- ThrottleWriteIOPSDevice []LinuxThrottleDevice `json:"throttleWriteIOPSDevice,omitempty"`
-}
-
-// LinuxMemory for Linux cgroup 'memory' resource management
-type LinuxMemory struct {
- // Memory limit (in bytes).
- Limit *int64 `json:"limit,omitempty"`
- // Memory reservation or soft_limit (in bytes).
- Reservation *int64 `json:"reservation,omitempty"`
- // Total memory limit (memory + swap).
- Swap *int64 `json:"swap,omitempty"`
- // Kernel memory limit (in bytes).
- Kernel *int64 `json:"kernel,omitempty"`
- // Kernel memory limit for tcp (in bytes)
- KernelTCP *int64 `json:"kernelTCP,omitempty"`
- // How aggressive the kernel will swap memory pages.
- Swappiness *uint64 `json:"swappiness,omitempty"`
- // DisableOOMKiller disables the OOM killer for out of memory conditions
- DisableOOMKiller *bool `json:"disableOOMKiller,omitempty"`
-}
-
-// LinuxCPU for Linux cgroup 'cpu' resource management
-type LinuxCPU struct {
- // CPU shares (relative weight (ratio) vs. other cgroups with cpu shares).
- Shares *uint64 `json:"shares,omitempty"`
- // CPU hardcap limit (in usecs). Allowed cpu time in a given period.
- Quota *int64 `json:"quota,omitempty"`
- // CPU period to be used for hardcapping (in usecs).
- Period *uint64 `json:"period,omitempty"`
- // How much time realtime scheduling may use (in usecs).
- RealtimeRuntime *int64 `json:"realtimeRuntime,omitempty"`
- // CPU period to be used for realtime scheduling (in usecs).
- RealtimePeriod *uint64 `json:"realtimePeriod,omitempty"`
- // CPUs to use within the cpuset. Default is to use any CPU available.
- Cpus string `json:"cpus,omitempty"`
- // List of memory nodes in the cpuset. Default is to use any available memory node.
- Mems string `json:"mems,omitempty"`
-}
-
-// LinuxPids for Linux cgroup 'pids' resource management (Linux 4.3)
-type LinuxPids struct {
- // Maximum number of PIDs. Default is "no limit".
- Limit int64 `json:"limit"`
-}
-
-// LinuxNetwork identification and priority configuration
-type LinuxNetwork struct {
- // Set class identifier for container's network packets
- ClassID *uint32 `json:"classID,omitempty"`
- // Set priority of network traffic for container
- Priorities []LinuxInterfacePriority `json:"priorities,omitempty"`
-}
-
-// LinuxRdma for Linux cgroup 'rdma' resource management (Linux 4.11)
-type LinuxRdma struct {
- // Maximum number of HCA handles that can be opened. Default is "no limit".
- HcaHandles *uint32 `json:"hcaHandles,omitempty"`
- // Maximum number of HCA objects that can be created. Default is "no limit".
- HcaObjects *uint32 `json:"hcaObjects,omitempty"`
-}
-
-// LinuxResources has container runtime resource constraints
-type LinuxResources struct {
- // Devices configures the device whitelist.
- Devices []LinuxDeviceCgroup `json:"devices,omitempty"`
- // Memory restriction configuration
- Memory *LinuxMemory `json:"memory,omitempty"`
- // CPU resource restriction configuration
- CPU *LinuxCPU `json:"cpu,omitempty"`
- // Task resource restriction configuration.
- Pids *LinuxPids `json:"pids,omitempty"`
- // BlockIO restriction configuration
- BlockIO *LinuxBlockIO `json:"blockIO,omitempty"`
- // Hugetlb limit (in bytes)
- HugepageLimits []LinuxHugepageLimit `json:"hugepageLimits,omitempty"`
- // Network restriction configuration
- Network *LinuxNetwork `json:"network,omitempty"`
- // Rdma resource restriction configuration.
- // Limits are a set of key value pairs that define RDMA resource limits,
- // where the key is device name and value is resource limits.
- Rdma map[string]LinuxRdma `json:"rdma,omitempty"`
-}
-
-// LinuxDevice represents the mknod information for a Linux special device file
-type LinuxDevice struct {
- // Path to the device.
- Path string `json:"path"`
- // Device type, block, char, etc.
- Type string `json:"type"`
- // Major is the device's major number.
- Major int64 `json:"major"`
- // Minor is the device's minor number.
- Minor int64 `json:"minor"`
- // FileMode permission bits for the device.
- FileMode *os.FileMode `json:"fileMode,omitempty"`
- // UID of the device.
- UID *uint32 `json:"uid,omitempty"`
- // Gid of the device.
- GID *uint32 `json:"gid,omitempty"`
-}
-
-// LinuxDeviceCgroup represents a device rule for the whitelist controller
-type LinuxDeviceCgroup struct {
- // Allow or deny
- Allow bool `json:"allow"`
- // Device type, block, char, etc.
- Type string `json:"type,omitempty"`
- // Major is the device's major number.
- Major *int64 `json:"major,omitempty"`
- // Minor is the device's minor number.
- Minor *int64 `json:"minor,omitempty"`
- // Cgroup access permissions format, rwm.
- Access string `json:"access,omitempty"`
-}
-
-// Solaris contains platform-specific configuration for Solaris application containers.
-type Solaris struct {
- // SMF FMRI which should go "online" before we start the container process.
- Milestone string `json:"milestone,omitempty"`
- // Maximum set of privileges any process in this container can obtain.
- LimitPriv string `json:"limitpriv,omitempty"`
- // The maximum amount of shared memory allowed for this container.
- MaxShmMemory string `json:"maxShmMemory,omitempty"`
- // Specification for automatic creation of network resources for this container.
- Anet []SolarisAnet `json:"anet,omitempty"`
- // Set limit on the amount of CPU time that can be used by container.
- CappedCPU *SolarisCappedCPU `json:"cappedCPU,omitempty"`
- // The physical and swap caps on the memory that can be used by this container.
- CappedMemory *SolarisCappedMemory `json:"cappedMemory,omitempty"`
-}
-
-// SolarisCappedCPU allows users to set limit on the amount of CPU time that can be used by container.
-type SolarisCappedCPU struct {
- Ncpus string `json:"ncpus,omitempty"`
-}
-
-// SolarisCappedMemory allows users to set the physical and swap caps on the memory that can be used by this container.
-type SolarisCappedMemory struct {
- Physical string `json:"physical,omitempty"`
- Swap string `json:"swap,omitempty"`
-}
-
-// SolarisAnet provides the specification for automatic creation of network resources for this container.
-type SolarisAnet struct {
- // Specify a name for the automatically created VNIC datalink.
- Linkname string `json:"linkname,omitempty"`
- // Specify the link over which the VNIC will be created.
- Lowerlink string `json:"lowerLink,omitempty"`
- // The set of IP addresses that the container can use.
- Allowedaddr string `json:"allowedAddress,omitempty"`
- // Specifies whether allowedAddress limitation is to be applied to the VNIC.
- Configallowedaddr string `json:"configureAllowedAddress,omitempty"`
- // The value of the optional default router.
- Defrouter string `json:"defrouter,omitempty"`
- // Enable one or more types of link protection.
- Linkprotection string `json:"linkProtection,omitempty"`
- // Set the VNIC's macAddress
- Macaddress string `json:"macAddress,omitempty"`
-}
-
-// Windows defines the runtime configuration for Windows based containers, including Hyper-V containers.
-type Windows struct {
- // LayerFolders contains a list of absolute paths to directories containing image layers.
- LayerFolders []string `json:"layerFolders"`
- // Devices are the list of devices to be mapped into the container.
- Devices []WindowsDevice `json:"devices,omitempty"`
- // Resources contains information for handling resource constraints for the container.
- Resources *WindowsResources `json:"resources,omitempty"`
- // CredentialSpec contains a JSON object describing a group Managed Service Account (gMSA) specification.
- CredentialSpec interface{} `json:"credentialSpec,omitempty"`
- // Servicing indicates if the container is being started in a mode to apply a Windows Update servicing operation.
- Servicing bool `json:"servicing,omitempty"`
- // IgnoreFlushesDuringBoot indicates if the container is being started in a mode where disk writes are not flushed during its boot process.
- IgnoreFlushesDuringBoot bool `json:"ignoreFlushesDuringBoot,omitempty"`
- // HyperV contains information for running a container with Hyper-V isolation.
- HyperV *WindowsHyperV `json:"hyperv,omitempty"`
- // Network restriction configuration.
- Network *WindowsNetwork `json:"network,omitempty"`
-}
-
-// WindowsDevice represents information about a host device to be mapped into the container.
-type WindowsDevice struct {
- // Device identifier: interface class GUID, etc.
- ID string `json:"id"`
- // Device identifier type: "class", etc.
- IDType string `json:"idType"`
-}
-
-// WindowsResources has container runtime resource constraints for containers running on Windows.
-type WindowsResources struct {
- // Memory restriction configuration.
- Memory *WindowsMemoryResources `json:"memory,omitempty"`
- // CPU resource restriction configuration.
- CPU *WindowsCPUResources `json:"cpu,omitempty"`
- // Storage restriction configuration.
- Storage *WindowsStorageResources `json:"storage,omitempty"`
-}
-
-// WindowsMemoryResources contains memory resource management settings.
-type WindowsMemoryResources struct {
- // Memory limit in bytes.
- Limit *uint64 `json:"limit,omitempty"`
-}
-
-// WindowsCPUResources contains CPU resource management settings.
-type WindowsCPUResources struct {
- // Number of CPUs available to the container.
- Count *uint64 `json:"count,omitempty"`
- // CPU shares (relative weight to other containers with cpu shares).
- Shares *uint16 `json:"shares,omitempty"`
- // Specifies the portion of processor cycles that this container can use as a percentage times 100.
- Maximum *uint16 `json:"maximum,omitempty"`
-}
-
-// WindowsStorageResources contains storage resource management settings.
-type WindowsStorageResources struct {
- // Specifies maximum Iops for the system drive.
- Iops *uint64 `json:"iops,omitempty"`
- // Specifies maximum bytes per second for the system drive.
- Bps *uint64 `json:"bps,omitempty"`
- // Sandbox size specifies the minimum size of the system drive in bytes.
- SandboxSize *uint64 `json:"sandboxSize,omitempty"`
-}
-
-// WindowsNetwork contains network settings for Windows containers.
-type WindowsNetwork struct {
- // List of HNS endpoints that the container should connect to.
- EndpointList []string `json:"endpointList,omitempty"`
- // Specifies if unqualified DNS name resolution is allowed.
- AllowUnqualifiedDNSQuery bool `json:"allowUnqualifiedDNSQuery,omitempty"`
- // Comma separated list of DNS suffixes to use for name resolution.
- DNSSearchList []string `json:"DNSSearchList,omitempty"`
- // Name (ID) of the container that we will share with the network stack.
- NetworkSharedContainerName string `json:"networkSharedContainerName,omitempty"`
- // name (ID) of the network namespace that will be used for the container.
- NetworkNamespace string `json:"networkNamespace,omitempty"`
-}
-
-// WindowsHyperV contains information for configuring a container to run with Hyper-V isolation.
-type WindowsHyperV struct {
- // UtilityVMPath is an optional path to the image used for the Utility VM.
- UtilityVMPath string `json:"utilityVMPath,omitempty"`
-}
-
-// VM contains information for virtual-machine-based containers.
-type VM struct {
- // Hypervisor specifies hypervisor-related configuration for virtual-machine-based containers.
- Hypervisor VMHypervisor `json:"hypervisor,omitempty"`
- // Kernel specifies kernel-related configuration for virtual-machine-based containers.
- Kernel VMKernel `json:"kernel"`
- // Image specifies guest image related configuration for virtual-machine-based containers.
- Image VMImage `json:"image,omitempty"`
-}
-
-// VMHypervisor contains information about the hypervisor to use for a virtual machine.
-type VMHypervisor struct {
- // Path is the host path to the hypervisor used to manage the virtual machine.
- Path string `json:"path"`
- // Parameters specifies parameters to pass to the hypervisor.
- Parameters string `json:"parameters,omitempty"`
-}
-
-// VMKernel contains information about the kernel to use for a virtual machine.
-type VMKernel struct {
- // Path is the host path to the kernel used to boot the virtual machine.
- Path string `json:"path"`
- // Parameters specifies parameters to pass to the kernel.
- Parameters string `json:"parameters,omitempty"`
- // InitRD is the host path to an initial ramdisk to be used by the kernel.
- InitRD string `json:"initrd,omitempty"`
-}
-
-// VMImage contains information about the virtual machine root image.
-type VMImage struct {
- // Path is the host path to the root image that the VM kernel would boot into.
- Path string `json:"path"`
- // Format is the root image format type (e.g. "qcow2", "raw", "vhd", etc).
- Format string `json:"format"`
-}
-
-// LinuxSeccomp represents syscall restrictions
-type LinuxSeccomp struct {
- DefaultAction LinuxSeccompAction `json:"defaultAction"`
- Architectures []Arch `json:"architectures,omitempty"`
- Syscalls []LinuxSyscall `json:"syscalls,omitempty"`
-}
-
-// Arch used for additional architectures
-type Arch string
-
-// Additional architectures permitted to be used for system calls
-// By default only the native architecture of the kernel is permitted
-const (
- ArchX86 Arch = "SCMP_ARCH_X86"
- ArchX86_64 Arch = "SCMP_ARCH_X86_64"
- ArchX32 Arch = "SCMP_ARCH_X32"
- ArchARM Arch = "SCMP_ARCH_ARM"
- ArchAARCH64 Arch = "SCMP_ARCH_AARCH64"
- ArchMIPS Arch = "SCMP_ARCH_MIPS"
- ArchMIPS64 Arch = "SCMP_ARCH_MIPS64"
- ArchMIPS64N32 Arch = "SCMP_ARCH_MIPS64N32"
- ArchMIPSEL Arch = "SCMP_ARCH_MIPSEL"
- ArchMIPSEL64 Arch = "SCMP_ARCH_MIPSEL64"
- ArchMIPSEL64N32 Arch = "SCMP_ARCH_MIPSEL64N32"
- ArchPPC Arch = "SCMP_ARCH_PPC"
- ArchPPC64 Arch = "SCMP_ARCH_PPC64"
- ArchPPC64LE Arch = "SCMP_ARCH_PPC64LE"
- ArchS390 Arch = "SCMP_ARCH_S390"
- ArchS390X Arch = "SCMP_ARCH_S390X"
- ArchPARISC Arch = "SCMP_ARCH_PARISC"
- ArchPARISC64 Arch = "SCMP_ARCH_PARISC64"
-)
-
-// LinuxSeccompAction taken upon Seccomp rule match
-type LinuxSeccompAction string
-
-// Define actions for Seccomp rules
-const (
- ActKill LinuxSeccompAction = "SCMP_ACT_KILL"
- ActTrap LinuxSeccompAction = "SCMP_ACT_TRAP"
- ActErrno LinuxSeccompAction = "SCMP_ACT_ERRNO"
- ActTrace LinuxSeccompAction = "SCMP_ACT_TRACE"
- ActAllow LinuxSeccompAction = "SCMP_ACT_ALLOW"
-)
-
-// LinuxSeccompOperator used to match syscall arguments in Seccomp
-type LinuxSeccompOperator string
-
-// Define operators for syscall arguments in Seccomp
-const (
- OpNotEqual LinuxSeccompOperator = "SCMP_CMP_NE"
- OpLessThan LinuxSeccompOperator = "SCMP_CMP_LT"
- OpLessEqual LinuxSeccompOperator = "SCMP_CMP_LE"
- OpEqualTo LinuxSeccompOperator = "SCMP_CMP_EQ"
- OpGreaterEqual LinuxSeccompOperator = "SCMP_CMP_GE"
- OpGreaterThan LinuxSeccompOperator = "SCMP_CMP_GT"
- OpMaskedEqual LinuxSeccompOperator = "SCMP_CMP_MASKED_EQ"
-)
-
-// LinuxSeccompArg used for matching specific syscall arguments in Seccomp
-type LinuxSeccompArg struct {
- Index uint `json:"index"`
- Value uint64 `json:"value"`
- ValueTwo uint64 `json:"valueTwo,omitempty"`
- Op LinuxSeccompOperator `json:"op"`
-}
-
-// LinuxSyscall is used to match a syscall in Seccomp
-type LinuxSyscall struct {
- Names []string `json:"names"`
- Action LinuxSeccompAction `json:"action"`
- Args []LinuxSeccompArg `json:"args,omitempty"`
-}
-
-// LinuxIntelRdt has container runtime resource constraints
-// for Intel RDT/CAT which introduced in Linux 4.10 kernel
-type LinuxIntelRdt struct {
- // The schema for L3 cache id and capacity bitmask (CBM)
- // Format: "L3:<cache_id0>=<cbm0>;<cache_id1>=<cbm1>;..."
- L3CacheSchema string `json:"l3CacheSchema,omitempty"`
-}
diff --git a/vendor/github.com/opencontainers/runtime-spec/specs-go/state.go b/vendor/github.com/opencontainers/runtime-spec/specs-go/state.go
deleted file mode 100644
index 89dce34be..000000000
--- a/vendor/github.com/opencontainers/runtime-spec/specs-go/state.go
+++ /dev/null
@@ -1,17 +0,0 @@
-package specs
-
-// State holds information about the runtime state of the container.
-type State struct {
- // Version is the version of the specification that is supported.
- Version string `json:"ociVersion"`
- // ID is the container ID
- ID string `json:"id"`
- // Status is the runtime status of the container.
- Status string `json:"status"`
- // Pid is the process ID for the container process.
- Pid int `json:"pid,omitempty"`
- // Bundle is the path to the container's bundle directory.
- Bundle string `json:"bundle"`
- // Annotations are key values associated with the container.
- Annotations map[string]string `json:"annotations,omitempty"`
-}
diff --git a/vendor/github.com/opencontainers/runtime-spec/specs-go/version.go b/vendor/github.com/opencontainers/runtime-spec/specs-go/version.go
deleted file mode 100644
index b920fc1b3..000000000
--- a/vendor/github.com/opencontainers/runtime-spec/specs-go/version.go
+++ /dev/null
@@ -1,18 +0,0 @@
-package specs
-
-import "fmt"
-
-const (
- // VersionMajor is for an API incompatible changes
- VersionMajor = 1
- // VersionMinor is for functionality in a backwards-compatible manner
- VersionMinor = 0
- // VersionPatch is for backwards-compatible bug fixes
- VersionPatch = 1
-
- // VersionDev indicates development branch. Releases will be empty string.
- VersionDev = "-dev"
-)
-
-// Version is the specification version that the package types support.
-var Version = fmt.Sprintf("%d.%d.%d%s", VersionMajor, VersionMinor, VersionPatch, VersionDev)