go
/
gvisor
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
534 Commits 2 Branches 96 Tags 81 MiB
Commit Graph

6 Commits

Author SHA1 Message Date
Nicolas Lacasse 0a9a40abcd runsc: Run sandbox as user nobody. 
When starting a sandbox without direct file or network access, we create an
empty user namespace and run the sandbox in there.  However, the root user in
that namespace is still mapped to the root user in the parent namespace.

This CL maps the "nobody" user from the parent namespace into the child
namespace, and runs the sandbox process as user "nobody" inside the new
namespace.

PiperOrigin-RevId: 211572223
Change-Id: I1b1f9b1a86c0b4e7e5ca7bc93be7d4887678bab6
 2018-09-04 20:33:05 -07:00
Fabricio Voznika db81c0b02f Put fsgofer inside chroot 
Now each container gets its own dedicated gofer that is chroot'd to the
rootfs path. This is done to add an extra layer of security in case the
gofer gets compromised.

PiperOrigin-RevId: 210396476
Change-Id: Iba21360a59dfe90875d61000db103f8609157ca0
 2018-08-27 11:10:14 -07:00
Fabricio Voznika 413bfb39a9 Use backoff package for retry logic 
PiperOrigin-RevId: 206834838
Change-Id: I9a44c6fa5f4766a01f86e90810f025cefecdf2d4
 2018-07-31 15:07:53 -07:00
Fabricio Voznika 8459390cdd Error out if spec is invalid 
Closes #66

PiperOrigin-RevId: 202496258
Change-Id: Ib9287c5bf1279ffba1db21ebd9e6b59305cddf34
 2018-06-28 09:57:27 -07:00
Fabricio Voznika c186ebb62a Return error when child exits early 
PiperOrigin-RevId: 195365050
Change-Id: I8754dc7a3fc2975d422cae453762a455478a8e6a
 2018-05-03 21:09:31 -07:00
Googler d02b74a5dc Check in gVisor. 
PiperOrigin-RevId: 194583126
Change-Id: Ica1d8821a90f74e7e745962d71801c598c652463
 2018-04-28 01:44:26 -04:00