Cory Snider

Results 223 comments of Cory Snider

There are no goroutines blocked waiting on a condition variable inside `ioutils.(*BytesPipe).Write` so this isn't a case of that known deadlock bug. There are four goroutines inside `fifo.(*fifo).Read` which I...

I realized that builder-next can utilize user namespaces via the `IdentityMapping` option passed into `runcexecutor`, therefore my change to builder-next breaks buildkit builds when the daemon is started with the...

> Can you explain more about why the `getNetworkSandbox` needs to be between create and start and how does it cause the userns error otherwise? For reasons I do not...

Multithreaded processes cannot change their user namespace. The kernel will refuse to setns or unshare the user namespace of any task which shares its virtual memory space with any other...

I made progress towards #44690, only to discover that `containerdexecutor` does not have user-namespace support plumbed in. More work is needed on the buildkit side.

Unfortunately, runc invokes the prestart OCI hooks before it applies the sysctls in the container spec, contrary to what the OCI runtime spec says MUST be done. Moving setting the...

I think there's a defensible default for `RLIMIT_NOFILE` in containers: 1024 (2**10) as the soft limit, and the value of `/proc/sys/fs/nr_open` ([with a fallback of 1048576 (2**20)](https://www.kernel.org/doc/Documentation/sysctl/fs.txt#:~:text=nr_open%3A%0A%0AThis%20denotes%20the%20maximum%20number%20of%20file%2Dhandles%20a%20process%20can%0Aallocate.%20Default%20value%20is%201024*1024%20(1048576)%20which%20should%20be%0Aenough%20for%20most%20machines.%20Actual%20limit%20depends%20on%20RLIMIT_NOFILE%0Aresource%20limit.)) as the hard...

Sigh, [the CLI half-closes the connection to signal EOF on stdin.](https://github.com/docker/cli/blob/de0d30ff24fad55df89adcb3c01d10bb1821c8db/cli/command/container/hijack.go#L171) So much for that idea. It's looking like the sorts of OS-specific close notifications you had implemented initially are...

Just discussed in today's maintainers call: host mode will need to go through a deprecation cycle. We can document it as deprecated now, deprecate in code for v-next, and remove...

Since host mode is an implementation detail rather than a user-facing feature, and is only needed to support overlay networks on long-deprecated kernels, that code can be dropped without first...