Merge branch 'main' of github.com:containers/youki into readonly_paths

.codecov.yml

@@ -13,6 +13,3 @@ comment:
   layout: "header, diff"
   behavior: default
   require_changes: false
-
-ignore:
-  - "crates/integration_test"

.github/workflows/benchmark_execution_time.yml

@@ -134,7 +134,7 @@ jobs:
     # since the GITHUB_TOKEN is needed to let the bot commit messages in the PR
     # but right now it is controlled by the organization.
     # TODO: change back to use this when the permission granted
-    # - name: Writting report to PR comment
+    # - name: Writing report to PR comment
     #   uses: marocchino/sticky-pull-request-comment@v2 
     #   with:
     #     append: true

.github/workflows/main.yml

@@ -93,7 +93,7 @@ jobs:
         run: |
           cargo llvm-cov clean --workspace
           cargo llvm-cov --no-report
-          cargo llvm-cov --no-run --lcov --output-path ./coverage.lcov
+          cargo llvm-cov --no-run --lcov --ignore-filename-regex "libseccomp/src|integration_test/src|test_framework/src|systemd_api.rs" --output-path ./coverage.lcov
       - name: Upload Youki Code Coverage Results
         uses: codecov/codecov-action@v2
         with:

Cargo.lock

@@ -407,9 +407,9 @@ dependencies = [
 
 [[package]]
 name = "fixedbitset"
-version = "0.4.0"
+version = "0.4.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "398ea4fabe40b9b0d885340a2a991a44c8a645624075ad966d21f88688e2b69e"
+checksum = "279fb028e20b3c4c320317955b77c5e0c9701f05a1d309905d6fc702cdc5053e"
 
 [[package]]
 name = "flate2"
@@ -657,7 +657,7 @@ dependencies = [
  "log",
  "nix",
  "num_cpus",
- "oci-spec 0.5.2 (git+https://github.com/containers/oci-spec-rs?rev=54c5e386f01ab37c9305cc4a83404eb157e42440)",
+ "oci-spec 0.5.2",
  "once_cell",
  "pnet",
  "procfs",
@@ -702,9 +702,9 @@ checksum = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646"
 
 [[package]]
 name = "libbpf-sys"
-version = "0.6.0-1"
+version = "0.6.1-1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e2cd400737426f2a92b5b41071a0a63c9b493b7c67ff3e428967fded73af0668"
+checksum = "1b1cbfb63e05a1ddea29411862a04f70824e8f37a6514ebcd338fb3a8c4d44a2"
 dependencies = [
  "cc",
  "pkg-config",
@@ -730,7 +730,7 @@ dependencies = [
  "libc",
  "log",
  "nix",
- "oci-spec 0.5.2 (git+https://github.com/containers/oci-spec-rs?rev=12dcd858543db0e7bfb1ef053d1b748f2fda74ee)",
+ "oci-spec 0.5.3",
  "procfs",
  "quickcheck",
  "rbpf",
@@ -755,7 +755,7 @@ dependencies = [
  "log",
  "mio",
  "nix",
- "oci-spec 0.5.2 (git+https://github.com/containers/oci-spec-rs?rev=12dcd858543db0e7bfb1ef053d1b748f2fda74ee)",
+ "oci-spec 0.5.3",
  "path-clean",
  "prctl",
  "procfs",
@@ -938,11 +938,10 @@ dependencies = [
 [[package]]
 name = "oci-spec"
 version = "0.5.2"
-source = "git+https://github.com/containers/oci-spec-rs?rev=12dcd858543db0e7bfb1ef053d1b748f2fda74ee#12dcd858543db0e7bfb1ef053d1b748f2fda74ee"
+source = "git+https://github.com/containers/oci-spec-rs?rev=54c5e386f01ab37c9305cc4a83404eb157e42440#54c5e386f01ab37c9305cc4a83404eb157e42440"
 dependencies = [
  "derive_builder",
  "getset",
- "quickcheck",
  "serde",
  "serde_json",
  "thiserror",
@@ -950,11 +949,13 @@ dependencies = [
 
 [[package]]
 name = "oci-spec"
-version = "0.5.2"
-source = "git+https://github.com/containers/oci-spec-rs?rev=54c5e386f01ab37c9305cc4a83404eb157e42440#54c5e386f01ab37c9305cc4a83404eb157e42440"
+version = "0.5.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8057bb0f33d7ecdf1f0f7cc74ea5cced7c6c694245e2a8d14700507c3bde32e3"
 dependencies = [
  "derive_builder",
  "getset",
+ "quickcheck",
  "serde",
  "serde_json",
  "thiserror",
@@ -1024,9 +1025,9 @@ checksum = "d4fd5641d01c8f18a23da7b6fe29298ff4b55afcccdf78973b24cf3175fee32e"
 
 [[package]]
 name = "pin-project-lite"
-version = "0.2.7"
+version = "0.2.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8d31d11c69a6b52a174b42bdc0c30e5e11670f90788b2c471c31c1d17d449443"
+checksum = "e280fbe77cc62c91527259e9442153f4688736748d24660126286329742b4c6c"
 
 [[package]]
 name = "pin-utils"
@@ -1325,18 +1326,18 @@ checksum = "568a8e6258aa33c13358f81fd834adb854c6f7c9468520910a9b1e8fac068012"
 
 [[package]]
 name = "serde"
-version = "1.0.132"
+version = "1.0.133"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8b9875c23cf305cd1fd7eb77234cbb705f21ea6a72c637a5c6db5fe4b8e7f008"
+checksum = "97565067517b60e2d1ea8b268e59ce036de907ac523ad83a0475da04e818989a"
 dependencies = [
  "serde_derive",
 ]
 
 [[package]]
 name = "serde_derive"
-version = "1.0.132"
+version = "1.0.133"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ecc0db5cb2556c0e558887d9bbdcf6ac4471e83ff66cf696e5419024d1606276"
+checksum = "ed201699328568d8d08208fdd080e3ff594e6c422e438b6705905da01005d537"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -1345,9 +1346,9 @@ dependencies = [
 
 [[package]]
 name = "serde_json"
-version = "1.0.73"
+version = "1.0.74"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bcbd0344bc6533bc7ec56df11d42fb70f1b912351c0825ccb7211b59d8af7cf5"
+checksum = "ee2bb9cd061c5865d345bb02ca49fcef1391741b672b54a0bf7b679badec3142"
 dependencies = [
  "itoa",
  "ryu",
@@ -1396,9 +1397,9 @@ checksum = "73473c0e59e6d5812c5dfe2a064a6444949f089e20eec9a2e5506596494e4623"
 
 [[package]]
 name = "syn"
-version = "1.0.84"
+version = "1.0.85"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ecb2e6da8ee5eb9a61068762a32fa9619cc591ceb055b3687f4cd4051ec2e06b"
+checksum = "a684ac3dcd8913827e18cd09a68384ee66c1de24157e3c556c9ab16d85695fb7"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -1671,7 +1672,7 @@ dependencies = [
  "liboci-cli",
  "log",
  "nix",
- "oci-spec 0.5.2 (git+https://github.com/containers/oci-spec-rs?rev=12dcd858543db0e7bfb1ef053d1b748f2fda74ee)",
+ "oci-spec 0.5.3",
  "once_cell",
  "pentacle",
  "procfs",

README.md

@@ -35,7 +35,7 @@ Here is why we are writing a new container runtime in Rust.
         ```console
         $ hyperfine --prepare 'sudo sync; echo 3 | sudo tee /proc/sys/vm/drop_caches' --warmup 10 --min-runs 100 'sudo ./youki create -b tutorial a && sudo ./youki start a && sudo ./youki delete -f a'
         ```
-    - Enviroment  
+    - Environment
         ```console
         $ ./youki info
         Version           0.0.1

crates/libcgroups/Cargo.toml

@@ -16,17 +16,17 @@ nix = "0.23.1"
 procfs = "0.12.0"
 log = "0.4"
 anyhow = "1.0"
-oci-spec = { git = "https://github.com/containers/oci-spec-rs",  rev = "12dcd858543db0e7bfb1ef053d1b748f2fda74ee" }
+oci-spec = "0.5.3"
 dbus = { version = "0.9.5", optional = true }
-fixedbitset = "0.4.0"
+fixedbitset = "0.4.1"
 serde = { version = "1.0", features = ["derive"] }
 rbpf = {version = "0.1.0", optional = true }
-libbpf-sys = { version = "0.6.0-1", optional = true }
+libbpf-sys = { version = "0.6.1-1", optional = true }
 errno = { version = "0.2.8", optional = true }
 libc = { version = "0.2.112", optional = true }
 
 [dev-dependencies]
-oci-spec = { git = "https://github.com/containers/oci-spec-rs",  rev = "12dcd858543db0e7bfb1ef053d1b748f2fda74ee", features = ["proptests"] }
+oci-spec = { version = "0.5.3", features = ["proptests"] }
 quickcheck = "1"
 clap = "3.0.0-beta.5"
 serde = { version = "1.0", features = ["derive"] }

crates/libcgroups/src/stats.rs

@@ -106,7 +106,7 @@ pub struct PidStats {
 /// Reports block io stats for a cgroup
 #[derive(Debug, Default, PartialEq, Eq, Serialize)]
 pub struct BlkioStats {
-    // Number of bytes transfered to/from a device by the cgroup
+    // Number of bytes transferred to/from a device by the cgroup
     pub service_bytes: Vec<BlkioDeviceStat>,
     // Number of I/O operations performed on a device by the cgroup
     pub serviced: Vec<BlkioDeviceStat>,

crates/libcgroups/src/systemd/memory.rs

@@ -82,7 +82,7 @@ impl Memory {
             // as memory limit would be either bigger (invariant violation) or zero which would
             // leave the container with no memory and no swap.
             // if swap is greater than zero and memory limit is unspecified swap cannot be
-            // calulated. If memory limit is zero the container would have only swap. If
+            // calculated. If memory limit is zero the container would have only swap. If
             // memory is unlimited it would be bigger than swap.
             (_, Some(0)) | (None | Some(0) | Some(-1), Some(1..=i64::MAX)) => bail!(
                 "cgroup v2 swap value cannot be calculated from swap of {} and limit of {}",

crates/libcgroups/src/v1/blkio.rs

@@ -26,7 +26,7 @@ const BLKIO_THROTTLE_WRITE_IOPS: &str = "blkio.throttle.write_iops_device";
 // Number of I/O operations performed on a device by the cgroup
 // Format: Major:Minor Type Ops
 const BLKIO_THROTTLE_IO_SERVICED: &str = "blkio.throttle.io_serviced";
-// Number of bytes transfered to/from a device by the cgroup
+// Number of bytes transferred to/from a device by the cgroup
 // Format: Major:Minor Type Bytes
 const BLKIO_THROTTLE_IO_SERVICE_BYTES: &str = "blkio.throttle.io_service_bytes";
 
@@ -54,7 +54,7 @@ const BLKIO_TIME: &str = "blkio.time_recursive";
 // Number of sectors transferred to/from a device by the cgroup
 // Format: Major:Minor Sectors
 const BLKIO_SECTORS: &str = "blkio.sectors_recursive";
-// Number of bytes transfered to/from a device by the cgroup
+// Number of bytes transferred to/from a device by the cgroup
 /// Format: Major:Minor Type Bytes
 const BLKIO_IO_SERVICE_BYTES: &str = "blkio.io_service_bytes_recursive";
 // Number of I/O operations performed on a device by the cgroup

crates/libcgroups/src/v1/manager.rs

@@ -88,7 +88,7 @@ impl Manager {
                 if let Some(subsystem_path) = self.subsystems.get(controller) {
                     required_controllers.insert(controller, subsystem_path);
                 } else {
-                    bail!("cgroup {} is required to fullfill the request, but is not supported by this system", controller);
+                    bail!("cgroup {} is required to fulfill the request, but is not supported by this system", controller);
                 }
             }
         }

crates/libcgroups/src/v2/devices/emulator.rs

@@ -1,7 +1,7 @@
 use anyhow::Result;
 use oci_spec::runtime::{LinuxDeviceCgroup, LinuxDeviceType};
 
-// For cgroup v1 compatiblity, runc implements a device emulator to caculate the final rules given
+// For cgroup v1 compatibility, runc implements a device emulator to caculate the final rules given
 // a list of user-defined rules.
 // https://github.com/opencontainers/runc/commit/2353ffec2bb670a200009dc7a54a56b93145f141
 //

crates/libcgroups/src/v2/hugetlb.rs

@@ -55,7 +55,7 @@ impl HugeTlb {
         }
 
         common::write_cgroup_file(
-            root_path.join(format!("hugetlb.{}.limit_in_bytes", hugetlb.page_size())),
+            root_path.join(format!("hugetlb.{}.max", hugetlb.page_size())),
             hugetlb.limit(),
         )?;
         Ok(())
@@ -93,7 +93,7 @@ mod tests {
 
     #[test]
     fn test_set_hugetlb() {
-        let page_file_name = "hugetlb.2MB.limit_in_bytes";
+        let page_file_name = "hugetlb.2MB.max";
         let tmp = create_temp_dir("test_set_hugetlbv2").expect("create temp directory for test");
         set_fixture(&tmp, page_file_name, "0").expect("Set fixture for 2 MB page size");
 
@@ -127,7 +127,7 @@ mod tests {
 
     quickcheck! {
         fn property_test_set_hugetlb(hugetlb: LinuxHugepageLimit) -> bool {
-            let page_file_name = format!("hugetlb.{:?}.limit_in_bytes", hugetlb.page_size());
+            let page_file_name = format!("hugetlb.{:?}.max", hugetlb.page_size());
             let tmp = create_temp_dir("property_test_set_hugetlbv2").expect("create temp directory for test");
             set_fixture(&tmp, &page_file_name, "0").expect("Set fixture for page size");
             let result = HugeTlb::apply(&tmp, &hugetlb);

crates/libcontainer/Cargo.toml

@@ -18,7 +18,7 @@ libc = "0.2.112"
 log = "0.4"
 mio = { version = "0.8.0", features = ["os-ext", "os-poll"] }
 nix = "0.23.1"
-oci-spec = { git = "https://github.com/containers/oci-spec-rs",  rev = "12dcd858543db0e7bfb1ef053d1b748f2fda74ee" }
+oci-spec = "0.5.3"
 path-clean = "0.1.0"
 procfs = "0.12.0"
 prctl = "1.0.0"
@@ -28,6 +28,6 @@ serde = { version = "1.0", features = ["derive"] }
 serde_json = "1.0"
 
 [dev-dependencies]
-oci-spec = { git = "https://github.com/containers/oci-spec-rs",  rev = "12dcd858543db0e7bfb1ef053d1b748f2fda74ee", features = ["proptests"] }
+oci-spec = { version = "0.5.3", features = ["proptests"] }
 quickcheck = "1"
 serial_test = "0.5.1"

crates/libcontainer/src/capabilities.rs

@@ -544,7 +544,7 @@ mod tests {
         struct Testcase {
             name: String,
             input: LinuxCapabilities,
-            // be awared of that calling sequence in the drop_privileges function
+            // be aware that the calling sequence in the drop_privileges function
             // will affect the output sequence from test_command.get_set_capability_args()
             want: Vec<(CapSet, Vec<SpecCapability>)>,
         }
@@ -639,7 +639,7 @@ mod tests {
 
             for (i, want) in test.want.iter().enumerate().take(test.want.len()) {
                 // because CapSet has no Eq, PartialEq attributes,
-                // so using String to do the comparsion.
+                // so using String to do the comparison.
                 let want_cap_set = format!("{:?}", want.0);
                 let got_cap_set = format!("{:?}", got[i].0);
                 let want_caps = &want.1;

crates/libcontainer/src/hooks.rs

@@ -7,7 +7,7 @@ use std::{
 };
 
 use crate::{container::Container, utils};
-// A special error used to signal a timeout. We want to differenciate between a
+// A special error used to signal a timeout. We want to differentiate between a
 // timeout vs. other error.
 #[derive(Debug)]
 pub struct HookTimeoutError;
@@ -28,7 +28,7 @@ pub fn run_hooks(hooks: Option<&Vec<Hook>>, container: Option<&Container>) -> Re
     if let Some(hooks) = hooks {
         for hook in hooks {
             let mut hook_command = process::Command::new(&hook.path());
-            // Based on OCI spec, the first arguement of the args vector is the
+            // Based on OCI spec, the first argument of the args vector is the
             // arg0, which can be different from the path.  For example, path
             // may be "/usr/bin/true" and arg0 is set to "true". However, rust
             // command differenciates arg0 from args, where rust command arg

crates/libcontainer/src/process/container_init_process.rs

@@ -51,7 +51,7 @@ fn get_open_fds() -> Result<Vec<i32>> {
 // stay open: stdio, stdout, and stderr. We would further preserve the next
 // "preserve_fds" number of fds. Set the rest of fd with CLOEXEC flag, so they
 // will be closed after execve into the container payload. We can't close the
-// fds immediatly since we at least still need it for the pipe used to wait on
+// fds immediately since we at least still need it for the pipe used to wait on
 // starting the container.
 fn cleanup_file_descriptors(preserve_fds: i32) -> Result<()> {
     let open_fds = get_open_fds().with_context(|| "Failed to obtain opened fds")?;
@@ -366,7 +366,7 @@ pub fn container_init_process(
         }
     };
 
-    // Clean up and handle perserved fds. We only mark the fd as CLOSEXEC, so we
+    // Clean up and handle preserved fds. We only mark the fd as CLOSEXEC, so we
     // don't have to worry about when the fd will be closed.
     cleanup_file_descriptors(preserve_fds).with_context(|| "Failed to clean up extra fds")?;
 

crates/libcontainer/src/process/container_intermediate_process.rs

@@ -61,7 +61,7 @@ pub fn container_intermediate_process(
         // process, We want to make sure continue as the root user inside the
         // new user namespace. This is required because the process of
         // configuring the container process will require root, even though the
-        // root in the user namespace likely is mapped to an non-priviliged user
+        // root in the user namespace likely is mapped to an non-privileged user
         // on the parent user namespace.
         command.set_id(Uid::from_raw(0), Gid::from_raw(0)).context(
             "failed to configure uid and gid root in the beginning of a new user namespace",

crates/libcontainer/src/rootless.rs

@@ -30,7 +30,7 @@ impl<'a> Rootless<'a> {
         let user_namespace = namespaces.get(LinuxNamespaceType::User);
 
         // If conditions requires us to use rootless, we must either create a new
-        // user namespace or enter an exsiting.
+        // user namespace or enter an existing.
         if rootless_required() && user_namespace.is_none() {
             bail!("rootless container requires valid user namespace definition");
         }

crates/libcontainer/src/seccomp/mod.rs

@@ -13,7 +13,7 @@ use std::os::unix::io;
 
 #[derive(Debug)]
 struct Compare {
-    // The zero-indexed index of the syscall arguement.
+    // The zero-indexed index of the syscall argument.
     arg: libc::c_uint,
     op: Option<scmp_compare>,
     datum_a: Option<scmp_datum_t>,
@@ -299,7 +299,7 @@ pub fn initialize_seccomp(seccomp: &LinuxSeccomp) -> Result<Option<io::RawFd>> {
         for syscall in syscalls {
             let action = translate_action(syscall.action(), syscall.errno_ret());
             if action == default_action {
-                // When the action is the same as the default action, the rule is redundent. We can
+                // When the action is the same as the default action, the rule is redundant. We can
                 // skip this here to avoid failing when we add the rules.
                 log::warn!(
                     "Detect a seccomp action that is the same as the default action: {:?}",

crates/liboci-cli/README.md

@@ -2,7 +2,7 @@
 
 This is a crate to parse command line arguments for OCI container
 runtimes as specified in the [OCI Runtime Command Line
-Interface][https://github.com/opencontainers/runtime-tools/blob/master/docs/command-line-interface.md).
+Interface](https://github.com/opencontainers/runtime-tools/blob/master/docs/command-line-interface.md).
 
 ## Implemented subcommands
 

crates/youki/Cargo.toml

@@ -20,7 +20,7 @@ libcontainer = { version = "0.0.1", path = "../libcontainer" }
 liboci-cli = { version = "0.0.1", path = "../liboci-cli" }
 log = { version = "0.4", features = ["std"]}
 nix = "0.23.1"
-oci-spec = { git = "https://github.com/containers/oci-spec-rs",  rev = "12dcd858543db0e7bfb1ef053d1b748f2fda74ee" }
+oci-spec = "0.5.3"
 once_cell = "1.9.0"
 pentacle = "1.0.0"
 procfs = "0.12.0"

crates/youki/src/commands/info.rs

@@ -7,7 +7,6 @@ use libcontainer::rootless;
 use procfs::{CpuInfo, Meminfo};
 
 use libcgroups::{common::CgroupSetup, v2::controller_type::ControllerType};
-
 /// Show information about the system
 #[derive(Parser, Debug)]
 pub struct Info {}
@@ -26,6 +25,7 @@ pub fn info(_: Info) -> Result<()> {
 /// print Version of Youki
 pub fn print_youki() {
     println!("{:<18}{}", "Version", env!("CARGO_PKG_VERSION"));
+    println!("{:<18}{}", "Commit", env!("VERGEN_GIT_SHA_SHORT"));
 }
 
 /// Print Kernel Release, Version and Architecture
@@ -100,11 +100,19 @@ pub fn print_hardware() {
 
 /// Print cgroups info of system
 pub fn print_cgroups() {
+    print_cgroups_setup();
+    print_cgroup_mounts();
+    print_cgroup_v2_controllers();
+}
+
+pub fn print_cgroups_setup() {
     let cgroup_setup = libcgroups::common::get_cgroup_setup();
     if let Ok(cgroup_setup) = &cgroup_setup {
         println!("{:<18}{}", "Cgroup setup", cgroup_setup);
     }
+}
 
+pub fn print_cgroup_mounts() {
     println!("Cgroup mounts");
     if let Ok(v1_mounts) = libcgroups::v1::util::list_supported_mount_points() {
         let mut v1_mounts: Vec<String> = v1_mounts
@@ -122,6 +130,11 @@ pub fn print_cgroups() {
     if let Ok(mount_point) = &unified {
         println!("  {:<16}{}", "unified", mount_point.display());
     }
+}
+
+pub fn print_cgroup_v2_controllers() {
+    let cgroup_setup = libcgroups::common::get_cgroup_setup();
+    let unified = libcgroups::v2::util::get_unified_mount_point();
 
     if let Ok(cgroup_setup) = cgroup_setup {
         if let Ok(unified) = &unified {

docs/src/developer/libcgroups.md

@@ -9,7 +9,7 @@ This crates exposes several functions and modules that can be used to work with
 - common traits and functions which are used by both v1 and v2 such as
 
   - Trait CgroupManager, this abstracts over the underlying implementation of interacting with specific version of cgroups, and gives functions to add certain process to a certain cgroup, apply resource restrictions, get statistics of a cgroups, freeze a cgroup, remove a cgroup or get list of all processes belonging to a cgroup. v1 and v2 modules both contain a version specific cgroup manager which implements this trait, and thus either can be given to functions or structs which expects a cgroup manager, depending on which cgroups the host system uses.
-  - Apart from the trait, this also contians functions which help with reading cgroups files, and write data to a cgroup file, which are used throughout this crate.
+  - Apart from the trait, this also contains functions which help with reading cgroups files, and write data to a cgroup file, which are used throughout this crate.
   - A function to detect which cgroup setup (v1, v2 or hybrid) is on the host system, as well as a function to get the corresponding cgroups manager.
 
 - Functions and structs to get and store the statistics of a cgroups such as

docs/src/developer/libcontainer.md

@@ -16,7 +16,7 @@ This crate also provides an interface for Apparmor which is another Linux Kernel
 
 - rootfs, which is a ramfs like simple filesystem used by kernel during initialization
 - hooks, which allow running of specified program at certain points in the container lifecycle, such as before and after creation, start etc.
-- singals, which provide a wrapper to convert to and from signal numbers and text representation of signal names
+- signals, which provide a wrapper to convert to and from signal numbers and text representation of signal names
 - capabilities, which has functions related to set and reset specific capabilities, as well as to drop extra privileges
   - [Simple explanation of capabilities](https://blog.container-solutions.com/linux-capabilities-in-practice)
   - [man page for capabilities](https://man7.org/linux/man-pages/man7/capabilities.7.html)

docs/src/developer/youki.md

@@ -1,6 +1,6 @@
 # youki
 
-This is the core crate that contains the youki binary itself. This provides the user interface, as well as binds the ther crates together to actually perform the work of creation and management of containers. THus this provides implementation of all the commands supported by youki.
+This is the core crate that contains the youki binary itself. This provides the user interface, as well as binds the other crates together to actually perform the work of creation and management of containers. THus this provides implementation of all the commands supported by youki.
 
 The simple control flow of youki can be explained as :
 

docs/src/user/basic_setup.md

@@ -2,7 +2,7 @@
 
 This explains the requirements for compiling Youki as a binary, to use it as a low-level container runtime, or to depend once of its crates as dependency for your own project.
 
-Youki currently only supports Linux Platfrom, and to use it on other platform you will need to use some kind of virtualization. The repo itself provides Vagrantfile that provides basic setup to use Youki on non-Linux system using Vagrant. The last sub-section explains using this vagrantfile.
+Youki currently only supports Linux Platform, and to use it on other platform you will need to use some kind of virtualization. The repo itself provides Vagrantfile that provides basic setup to use Youki on non-Linux system using Vagrant. The last sub-section explains using this vagrantfile.
 
 Also note that Youki currently only supports and expects systemd as init system, and would not work on other systems. There is currently work on-going to put systemd dependent features behind a feature flag, but till then you will need a systemd enabled system to work with Youki.
 

integration_test.sh

@@ -45,7 +45,7 @@ test_cases=(
   "linux_ns_nopath/linux_ns_nopath.t"
   "linux_ns_path/linux_ns_path.t"
   "linux_ns_path_type/linux_ns_path_type.t"
-  # This test case requires that an apparmor profile named 'acme_secure_profile' has been installed on the system. It needs to allow the capabilites
+  # This test case requires that an apparmor profile named 'acme_secure_profile' has been installed on the system. It needs to allow the capabilities
   # validated by runtime-tools otherwise the test case will fail despite the profile being available.
   # "linux_process_apparmor_profile/linux_process_apparmor_profile.t"
   "linux_readonly_paths/linux_readonly_paths.t"
@@ -76,7 +76,7 @@ test_cases=(
   "state/state.t"
 )
 
-check_enviroment() {
+check_environment() {
   test_case=$1
   if [[ $test_case =~ .*(memory|hugetlb).t ]]; then
     if [[ ! -e "/sys/fs/cgroup/memory/memory.memsw.limit_in_bytes" ]]; then
@@ -94,8 +94,8 @@ done
 
 
 for case in "${test_cases[@]}"; do
-  if ! check_enviroment $case; then
-    echo "Skip $case bacause your enviroment doesn't support this test case"
+  if ! check_environment $case; then
+    echo "Skip $case bacause your environment doesn't support this test case"
     continue
   fi