Split start/create #506
Split start/create #506
Conversation
|
I'm not really grokking the benefits of separating the two? I understand in the Docker case (you get a flashy new |
duglin
force-pushed
the
SplitDeux
branch
3 times, most recently
from
eca4907 to
65dd507
Compare
|
@duglin Have you tested this with userns? Also, are the bugs with joining a previously created userns fixed? |
|
@ashahab-altiscale no I haven't tried with userns - if someone can tell me how to do that I'll give it a try. |
|
rebased |
|
Add user to the namespaces in runtime.json. Add uidMappings. Chown the
|
duglin
force-pushed
the
SplitDeux
branch
3 times, most recently
from
6932329 to
2307102
Compare
|
rebased - detach was a little painful :-) |
|
@duglin I get a fork/exec perm denied with userns. I'm on centos. Do you see anything different? |
|
@ashahab-altiscale helped me test this and it does appear to work with userNS. ping @crosbymichael @LK4D4 @mrunalp is this headed in the right direction? |
duglin
force-pushed
the
SplitDeux
branch
9 times, most recently
from
c4eaa7c to
69474d1
Compare
|
Fixed an issue where the "Created" timestamp was set during 'start' instead of 'create'. @crosbymichael are there specific issues you'd like to discuss/focus on, or is it just a matter of giving people time to review and become comfortable with it? |
duglin
force-pushed
the
SplitDeux
branch
4 times, most recently
from
4a6f631 to
ce12b03
Compare
|
rebased (again) |
While in there, to show why someone may want it, I also added support for: runc run cmd args... runc batch batchFileOfCommands | - Signed-off-by: Doug Davis <[email protected]>
|
rebased |
| @@ -360,6 +434,28 @@ func newPipe() (parent *os.File, child *os.File, err error) { | |||
| func (c *linuxContainer) Destroy() error { | |||
| c.m.Lock() | |||
| defer c.m.Unlock() | |||
|
|
|||
| namespaces := []string{"NEWIPC", "NEWUTS", "NEWNET", "NEWPID", "NEWUSER", "NEWNS", "NEWMNT"} | |||
There was a problem hiding this comment.
only try to unmount the ones in the config.
|
@duglin: I rebased this PR locally and am I trying to test and review it along the way! |
| return nil, err | ||
| } | ||
| return &initProcess{ | ||
| cmd: cmd, |
There was a problem hiding this comment.
Is this cmd equivalent to that of the init process defined in the Spec?
There was a problem hiding this comment.
I see this line answering my question partly.
|
@duglin can you write-up a high level write up of the theory of operation? |
|
@philips see if the intro comment on opencontainers/runtime-spec#384 has what you're looking for. If not I can add more. |
Closes opencontainers#506 Signed-off-by: Michael Crosby <[email protected]>
First pass at splitting create and start.
runc createwill create all of the namespaces, except PID.runc startwill then run the main proc.There's
runc deletetoo for when you're done.Also added
runc batch <list of commands file>to show how you could do create+a series of cmds.And added
runc run <cmd>which is likerunc execbut uses a main proc - again just for demo purposes. Not sure if we want to add batch/run to runc proper but it was an interesting exercise.Any way, I'm not convinced all of this is correct - i think the new 'mount' property probably needs to go away but I wanted to let people play with it to see how it felt to use create and start separately.