[lxc-devel] [PATCH 0/2] lxc_attach and user namespaces

Christian Seiler christian at iwakd.de
Sun Mar 3 12:55:08 UTC 2013


As discussed earlier on this list with Serge, here is my first set of
patches that fixes lxc_attach to user namespaces.

The first patch is basically Serge's patch v2 with the following changes:

 - use socketpair() instead of pipes because we need two-way
   communication; before we exec() we need to make sure that
   the process was added to cgroups, otherwise this can be
   racy (for example, we execute something that fork()s
   immediately, then that may happen before we return from
   attaching the child to groups - this is now fixed)

 - some minor cleanups

 - a large explanatory comment in the source code about the
   general logic

 - use lxc_cgroup_attach directly, don't use prepare/finish/dispose
   (We don't need them any more if we double-fork()!)

The second patch just gets rid of the unnecessary
prepare/finish/dispose functions for cgroup attaching that were
introduced to avoid a triple-fork in the first place.

A few more patches will follow shortly, especially w.r.t. UID
and shell handling.

-- Christian

PS: As a side note: I currently get some weird error messages when the
attached process ends:
  /bin/sh: 0: Cannot set tty process group (No such process)
Apparently, upon exit, the shell of the container tries to reset the
controlling terminal to have the process group of its parent process be
the foreground process group. That fails (because the parent pid appears to
be 0 from the inside), so it prints this message. Strangely enough, I
got this message only recently; is this a new feature of the shell that
current Ubuntu versions use?

I don't see an easy way to suppress the message btw., so I'm open
to suggestions.
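The race described in the first patch (the attached command may fork() before the parent has finished adding it to the container's cgroups) is avoided with a two-way handshake over a socketpair(): the child reports readiness, the parent attaches the child's pid to the cgroup, and only then does the child exec(). The program below is an added illustration of that handshake, written for this page; it is not lxc's code. lxc_cgroup_attach() is replaced by the hypothetical stand-ins cgroup_attach_ok() and cgroup_attach_fail(), and the child does not enter any namespaces; the point shown is only the ordering guarantee and the abort path when the cgroup attach fails.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical stand-ins for lxc_cgroup_attach(); not lxc's code.
 * The "ok" variant records which pid it was asked to attach. */
static pid_t last_attached_pid = -1;
static int cgroup_attach_ok(pid_t pid)   { last_attached_pid = pid; return 0; }
static int cgroup_attach_fail(pid_t pid) { (void)pid; return -1; }

/* Transfer exactly one byte, retrying on EINTR. do_write selects direction. */
static int xfer_byte(int fd, char *buf, int do_write) {
    for (;;) {
        ssize_t n = do_write ? write(fd, buf, 1) : read(fd, buf, 1);
        if (n == 1) return 0;
        if (n < 0 && errno == EINTR) continue;
        return -1;
    }
}

/*
 * Fork a child that execs argv, but only after the parent has attached the
 * child's pid to the cgroup. Protocol over the socketpair:
 *   child  -> parent : 'R'  ready (in lxc this would be after setns())
 *   parent -> child  : 'G'  go ahead and exec, or 'X' abort without exec
 * Returns the child's exit status, or -1 on an internal error.
 */
int attach_and_exec(int (*cgroup_attach)(pid_t), char *const argv[]) {
    int sv[2];
    char c;
    int status;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;

    pid_t pid = fork();
    if (pid < 0) { close(sv[0]); close(sv[1]); return -1; }

    if (pid == 0) {
        close(sv[0]);
        c = 'R';
        if (xfer_byte(sv[1], &c, 1) < 0) _exit(127);
        /* Block here until the parent confirms the cgroup attach is done.
         * Nothing the exec'd program does (including fork()) can happen
         * before this point, which is what closes the race. */
        if (xfer_byte(sv[1], &c, 0) < 0 || c != 'G') _exit(126);
        close(sv[1]);
        execvp(argv[0], argv);
        _exit(127);
    }

    close(sv[1]);
    if (xfer_byte(sv[0], &c, 0) < 0 || c != 'R') {
        close(sv[0]);
        kill(pid, SIGKILL);
        waitpid(pid, NULL, 0);
        return -1;
    }
    /* Attach while the child is parked; tell it to proceed or abort. */
    c = (cgroup_attach(pid) == 0) ? 'G' : 'X';
    if (xfer_byte(sv[0], &c, 1) < 0) {
        close(sv[0]);
        kill(pid, SIGKILL);
        waitpid(pid, NULL, 0);
        return -1;
    }
    close(sv[0]);

    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* The command exits 3 so we can tell a real exec from the abort path. */
int demo_ok(void) {
    char *const argv[] = { "/bin/sh", "-c", "exit 3", NULL };
    return attach_and_exec(cgroup_attach_ok, argv);
}

/* Cgroup attach fails: the child must exit 126 without ever exec'ing. */
int demo_fail(void) {
    char *const argv[] = { "/bin/sh", "-c", "exit 3", NULL };
    return attach_and_exec(cgroup_attach_fail, argv);
}

int main(void) {
    int ok = demo_ok();
    printf("attach ok: child exited %d, attached pid %ld\n", ok, (long)last_attached_pid);
    printf("attach failed: child exited %d (no exec)\n", demo_fail());
    return 0;
}
```

A pipe would suffice for the 'R' message alone, but the parent's reply is what matters: without it the child could exec and the new program could fork before lxc_cgroup_attach() returns, leaving the grandchild outside the cgroup, which is the race the patch closes.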
