Tags: vito/houdini
scope executable lookup to container rootfses

before this change, exec.Command(...) would end up finding the executable using the host's $PATH, which could resolve to a path that doesn't actually exist in the container.

with this change, it will be resolved using the container's configured $PATH, with a sensible default if it's not set.

Signed-off-by: Alex Suraci <[email protected]>
support raw:// rootfses on linux

if specified, container processes will be run in a chroot() to the specified directory. a few critical paths are set up as bind-mounts to the host:

* /dev
* /proc
* /sys
* /etc/resolv.conf
* /etc/hosts

with this added, I'm able to run Concourse pipelines on a Pixelbook without requiring the `worker` container to be privileged.

there is still no process isolation or user namespacing, but it's at least good enough for testing.

it does however still require CAP_SYS_ADMIN in order to run the bind-mounts. this can be enabled via `cap_add: [SYS_ADMIN]` in Docker Compose without making the container privileged.

i spent some time trying to support user namespaces as well, because BaggageClaim does it by default, but I couldn't get it to successfully write to `/proc/X/uid_map` - it would just return `EPERM`. i gave up on this after investigating for a while in favor of just adding a flag to disable user namespacing in BaggageClaim.

Signed-off-by: Alex Suraci <[email protected]>