merge opencontainers#4507 into opencontainers/runc:release-1.2
Akihiro Suda (1): docs: remove prompt symbols from shell snippets LGTMs: AkihiroSuda cyphar
Showing 4 changed files with 34 additions and 34 deletions.
@@ -24,8 +24,8 @@ but for most users the security benefit is identical. | |
The provided `[email protected]` file can be used to get systemd to manage | ||
this daemon. You can supply the path like so: | ||
|
||
``` | ||
% systemctl start memfd-bind@$(systemd-escape -p /usr/bin/runc) | ||
```bash | ||
systemctl start memfd-bind@$(systemd-escape -p /usr/bin/runc) | ||
``` | ||
|
||
Thus, there are three ways of protecting against CVE-2019-5736, in order of how | ||
|
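Review bot: with the `%` prompt removed, the snippet no longer carries any hint of the privilege level it runs at, and `systemctl start` of a system-scope unit like this `memfd-bind@` instance needs root. The third hunk of this commit rewrites `#`-prompted commands with `sudo`; for consistency either prefix this command with `sudo` as well, or add a sentence above the block saying it must be run as root.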
@@ -34,18 +34,18 @@ The recommended systemd version is 244 or later. Older systemd does not support | |
|
||
Make sure you also have the `dbus-user-session` (Debian/Ubuntu) or `dbus-daemon` (CentOS/Fedora) package installed, and that `dbus` is running. On Debian-flavored distros, this can be accomplished like so: | ||
|
||
```console | ||
$ sudo apt install -y dbus-user-session | ||
$ systemctl --user start dbus | ||
```bash | ||
sudo apt install -y dbus-user-session | ||
systemctl --user start dbus | ||
``` | ||
|
||
## Rootless | ||
On cgroup v2 hosts, rootless runc can talk to systemd to get cgroup permissions to be delegated. | ||
|
||
```console | ||
$ runc spec --rootless | ||
$ jq '.linux.cgroupsPath="user.slice:runc:foo"' config.json | sponge config.json | ||
$ runc --systemd-cgroup run foo | ||
```bash | ||
runc spec --rootless | ||
jq '.linux.cgroupsPath="user.slice:runc:foo"' config.json | sponge config.json | ||
runc --systemd-cgroup run foo | ||
``` | ||
|
||
The container processes are executed in a cgroup like `/user.slice/user-$(id -u).slice/user@$(id -u).service/user.slice/runc-foo.scope`. | ||
|
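Review bot: the `jq … | sponge config.json` step depends on `sponge` from moreutils, which the prerequisites paragraph above lists nowhere alongside `dbus-user-session`/`dbus-daemon`. Now that the block is tagged `bash` and prompt-free, readers will paste it verbatim and hit "command not found" on a stock system at that line; either mention the moreutils dependency in the text or rewrite the step without `sponge`, e.g. `jq '…' config.json > config.json.tmp && mv config.json.tmp config.json`.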
@@ -60,11 +60,11 @@ memory pids | |
|
||
To allow delegation of other controllers, you need to change the systemd configuration as follows: | ||
|
||
```console | ||
# mkdir -p /etc/systemd/system/[email protected] | ||
# cat > /etc/systemd/system/[email protected]/delegate.conf << EOF | ||
```bash | ||
sudo mkdir -p /etc/systemd/system/[email protected] | ||
cat <<EOF | sudo tee /etc/systemd/system/[email protected]/delegate.conf | ||
[Service] | ||
Delegate=cpu cpuset io memory pids | ||
EOF | ||
# systemctl daemon-reload | ||
sudo systemctl daemon-reload | ||
``` |
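Review bot: `cat <<EOF | sudo tee …` keeps the overwrite semantics of the original `cat > … << EOF` (`tee` without `-a` truncates), but it also echoes the drop-in contents back to the terminal; appending `>/dev/null` to the `tee` line keeps the output quiet without changing what is written. Separately, since this block is now the copy-pasteable form, a short sentence after it noting that `Delegate=cpu cpuset io memory pids` widens controller delegation to the unprivileged user session beyond the `memory pids` default shown in the hunk context would help readers weigh that trade-off before applying it.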