Merge branch 'v1.0.0.rc1'

* v1.0.0.rc1:
  man/ocitools.1: Replace "**...(1)**" with "**...**(1)"
  add namespace check for uid/gid mappings
  validation: add linux resource check
  add label manpage and fix help
  support setting oom_score_adj
  generate: fix mount-cgroups bug
  completions: update based on generate help message
  update urfave/cli package to v1.18.0
  generate: optimize namespace setup log and fix manpage
  change param type of AddProcessAdditionalGid
  remove unnecessary return error value
  Modify generate API
  Add Travis CI badge to README
  generate: fix capability.List() for cap_last_cap not exist
  generate: remove unnecessary spec initialization
  generate: fix tmpfs adding based on manpage
  Check CAP_LAST_CAP while setting privileged
  generate: Remove superfluous err check from Save

Signed-off-by: W. Trevor King <wking@tremily.us>

Conflicts:
	cmd/ocitools/generate.go
	man/ocitools-generate.1.md

The conflicts are because:

* support setting oom_score_adj (#176, #185)
* add label manpage and fix help (#189, #190)

have landed in master and been backported to v1.0.0.rc1 since this
branch split from master.  They wouldn't have happend if I'd rebased
this branch on the current master before merging v1.0.0.rc1, but then
I'd have to repeat the initial dance done with eac0762 (Merge commit
'30e2ea2', 2016-08-02) and b45bebd (Merge commit '6acca9e',
2016-08-02).

Author: wking

cmd/ocitools/generate.go

@@ -36,7 +36,7 @@ var generateFlags = []cli.Flag{
 	cli.StringFlag{Name: "mount-label", Usage: "selinux mount context label"},
 	cli.StringSliceFlag{Name: "tmpfs", Usage: "mount tmpfs"},
 	cli.StringSliceFlag{Name: "args", Usage: "command to run in the container"},
-	cli.StringSliceFlag{Name: "env", Usage: "add environment variable"},
+	cli.StringSliceFlag{Name: "env", Usage: "add environment variable e.g. key=value"},
 	cli.StringFlag{Name: "cgroups-path", Usage: "specify the path to the cgroups"},
 	cli.StringFlag{Name: "mount-cgroups", Value: "no", Usage: "mount cgroups (rw,ro,no)"},
 	cli.StringSliceFlag{Name: "bind", Usage: "bind mount directories src:dest:(rw,ro)"},
@@ -58,6 +58,7 @@ var generateFlags = []cli.Flag{
 	cli.StringSliceFlag{Name: "seccomp-errno", Usage: "specifies syscalls to be added to list that returns an error"},
 	cli.StringFlag{Name: "template", Usage: "base template to use for creating the configuration"},
 	cli.StringSliceFlag{Name: "label", Usage: "add annotations to the configuration e.g. key=value"},
+	cli.IntFlag{Name: "oom-score-adj", Usage: "oom_score_adj for the container"},
 }
 
 var generateCommand = cli.Command{
@@ -319,6 +320,10 @@ func setupSpec(g *generate.Generator, context *cli.Context) error {
 		g.AddLinuxGIDMapping(hid, cid, size)
 	}
 
+	if context.IsSet("oom-score-adj") {
+		g.SetLinuxResourcesOOMScoreAdj(context.Int("oom-score-adj"))
+	}
+
 	var sd string
 	var sa, ss []string
 

cmd/ocitools/validate.go

@@ -316,13 +316,7 @@ func checkLinux(spec rspec.Spec, rootfs string, hostCheck bool) (msgs []string)
 	ipcExists := false
 	mountExists := false
 	netExists := false
-
-	if len(spec.Linux.UIDMappings) > 5 {
-		msgs = append(msgs, "Only 5 UID mappings are allowed (linux kernel restriction).")
-	}
-	if len(spec.Linux.GIDMappings) > 5 {
-		msgs = append(msgs, "Only 5 GID mappings are allowed (linux kernel restriction).")
-	}
+	userExists := false
 
 	for index := 0; index < len(spec.Linux.Namespaces); index++ {
 		if !namespaceValid(spec.Linux.Namespaces[index]) {
@@ -336,10 +330,20 @@ func checkLinux(spec rspec.Spec, rootfs string, hostCheck bool) (msgs []string)
 				netExists = true
 			} else if spec.Linux.Namespaces[index].Type == rspec.MountNamespace {
 				mountExists = true
+			} else if spec.Linux.Namespaces[index].Type == rspec.UserNamespace {
+				userExists = true
 			}
 		}
 	}
 
+	if (len(spec.Linux.UIDMappings) > 0 || len(spec.Linux.GIDMappings) > 0) && !userExists {
+		msgs = append(msgs, "UID/GID mappings requires a new User namespace to be specified as well")
+	} else if len(spec.Linux.UIDMappings) > 5 {
+		msgs = append(msgs, "Only 5 UID mappings are allowed (linux kernel restriction).")
+	} else if len(spec.Linux.GIDMappings) > 5 {
+		msgs = append(msgs, "Only 5 GID mappings are allowed (linux kernel restriction).")
+	}
+
 	for k := range spec.Linux.Sysctl {
 		if strings.HasPrefix(k, "net.") && !netExists {
 			msgs = append(msgs, fmt.Sprintf("Sysctl %v requires a new Network namespace to be specified as well", k))
@@ -361,6 +365,11 @@ func checkLinux(spec rspec.Spec, rootfs string, hostCheck bool) (msgs []string)
 		}
 	}
 
+	if spec.Linux.Resources != nil {
+		ms := checkLinuxResources(*spec.Linux.Resources, hostCheck)
+		msgs = append(msgs, ms...)
+	}
+
 	if spec.Linux.Seccomp != nil {
 		ms := checkSeccomp(*spec.Linux.Seccomp)
 		msgs = append(msgs, ms...)
@@ -381,6 +390,21 @@ func checkLinux(spec rspec.Spec, rootfs string, hostCheck bool) (msgs []string)
 	return
 }
 
+func checkLinuxResources(r rspec.Resources, hostCheck bool) (msgs []string) {
+	logrus.Debugf("check linux resources")
+
+	if r.Memory != nil {
+		if r.Memory.Limit != nil && r.Memory.Swap != nil && uint64(*r.Memory.Limit) > uint64(*r.Memory.Swap) {
+			msgs = append(msgs, fmt.Sprintf("Minimum memoryswap should be larger than memory limit"))
+		}
+		if r.Memory.Limit != nil && r.Memory.Reservation != nil && uint64(*r.Memory.Reservation) > uint64(*r.Memory.Limit) {
+			msgs = append(msgs, fmt.Sprintf("Minimum memory limit should be larger than memory reservation"))
+		}
+	}
+
+	return
+}
+
 func checkSeccomp(s rspec.Seccomp) (msgs []string) {
 	logrus.Debugf("check seccomp")
 

completions/bash/ocitools

@@ -275,6 +275,7 @@ _ocitools_generate() {
 	      --cap-add
 	      --cap-drop
 	      --cgroup
+	      --cgroup-path
 	      --cwd
 	      --env
 	      --gid
@@ -283,25 +284,31 @@ _ocitools_generate() {
 	      --hostname
 	      --help
 	      --ipc
+	      --label
 	      --mount
 	      --mount-cgroups
+	      --mount-label
 	      --network
 	      --os
+	      --output
 	      --pid
 	      --poststart
 	      --poststop
 	      --prestart
 	      --root-propagation
 	      --rootfs
-	      --seccomp-default
+	      --seccomp-allow
 	      --seccomp-arch
+	      --seccomp-default
+	      --seccomp-errno
 	      --seccomp-syscalls
 	      --selinux-label
-	      --mount-label
 	      --sysctl
+	      --tmplate
 	      --tmpfs
 	      --uid
 	      --uidmappings
+	      --user
 	      --uts
 	"
 
@@ -330,11 +337,6 @@ _ocitools_generate() {
 			return
 			;;
 
-		--seccomp-default)
-			__ocitools_complete_seccomp_actions
-			return
-			;;
-
 		--root-propagation)
 			__ocitools_complete_propagations
 			return

generate/generate.go

@@ -194,11 +194,7 @@ func (g *Generator) Save(w io.Writer) error {
 	}
 
 	_, err = w.Write(data)
-	if err != nil {
-		return err
-	}
-
-	return nil
+	return err
 }
 
 // SaveToFile writes the spec into a file.
@@ -362,6 +358,12 @@ func (g *Generator) SetLinuxMountLabel(label string) {
 	g.spec.Linux.MountLabel = label
 }
 
+// SetLinuxResourcesOOMScoreAdj sets g.spec.Linux.Resources.OOMScoreAdj.
+func (g *Generator) SetLinuxResourcesOOMScoreAdj(adj int) {
+	g.initSpecLinuxResources()
+	g.spec.Linux.Resources.OOMScoreAdj = &adj
+}
+
 // SetLinuxResourcesCPUShares sets g.spec.Linux.Resources.CPU.Shares.
 func (g *Generator) SetLinuxResourcesCPUShares(shares uint64) {
 	g.initSpecLinuxResourcesCPU()
@@ -855,6 +857,7 @@ func (g *Generator) AddCgroupsMount(mountCgroupOption string) error {
 	switch mountCgroupOption {
 	case "ro":
 	case "rw":
+		break
 	case "no":
 		return nil
 	default:

man/ocitools-generate.1.md

@@ -58,10 +58,10 @@ read the configuration from `config.json`.
   Current working directory for the process
 
 **--env**=[]
-  Set environment variables
-  This option allows you to specify arbitrary
-environment variables that are available for the process that will be launched
-inside of the container.
+  Set environment variables e.g. key=value.
+  This option allows you to specify arbitrary environment variables
+  that are available for the process that will be launched inside of
+  the container.
 
 **--gid**=GID
   Gid for the process inside of container
@@ -84,6 +84,9 @@ inside of the container.
   The special *PATH* `host` removes any existing IPC namespace from the
   configuration.
 
+**--label**=[]
+  Add annotations to the configuration e.g. key=value.
+
 **--mount**=*PATH*
   Use a mount namespace where *PATH* is an existing mount namespace file
   to join. The special *PATH*  empty-string  creates a new namespace.
@@ -117,6 +120,9 @@ inside of the container.
   using tools like setuid apps.  It is a good idea to run unprivileged
   containers with this flag.
 
+**--oom-score-adj**=adj
+  Specifies oom_score_adj for the container.
+
 **--output**=PATH
   Instead of writing the configuration JSON to stdout, write it to a
   file at *PATH* (overwriting the existing content if a file already

man/ocitools.1.md

@@ -38,11 +38,11 @@ ocitools is a collection of tools for working with the [OCI runtime specificatio
 # COMMANDS
 **validate**
   Validating OCI bundle
-  See **ocitools-validate(1)** for full documentation on the **validate** command.
+  See **ocitools-validate**(1) for full documentation on the **validate** command.
 
 **generate**
   Generating OCI runtime spec configuration files
-  See **ocitools-generate(1)** for full documentation on the **generate** command.
+  See **ocitools-generate**(1) for full documentation on the **generate** command.
 
 # SEE ALSO
 **ocitools-validate**(1), **ocitools-generate**(1)