[lxc-devel] [PATCH] don't leak the rootfs.pin fd into the container

Ward, David - 0663 - MITLL david.ward at ll.mit.edu
Mon Mar 11 01:51:34 UTC 2013


Hi Serge,

This patch seems to have introduced a regression.  When I use 
lxc-execute with a very simple container (which only sets the utsname), 
the terminal input is not forwarded to the application anymore.  In 
particular, running "lxc-execute -n $CONTAINER -- bash" returns 
immediately without opening a shell.  (This is with Fedora 18 and kernel 
3.8.2.)

David

On 01/17/2013 10:53 AM, Serge Hallyn wrote:
> Only the container parent needs to keep that fd open.  Close it
> as soon as the container's first task is spawned.  Else it can
> show up in /proc/$$/fd in the container.
>
> Signed-off-by: Serge Hallyn <serge.hallyn-GeWIH/nMZzLQT0dZR+AlfA at public.gmane.org>
> ---
>   src/lxc/start.c | 12 +++++++-----
>   src/lxc/start.h |  1 +
>   2 files changed, 8 insertions(+), 5 deletions(-)
>
> diff --git a/src/lxc/start.c b/src/lxc/start.c
> index 90696f6..5083b24 100644
> --- a/src/lxc/start.c
> +++ b/src/lxc/start.c
> @@ -575,6 +575,9 @@ static int do_start(void *data)
>   
>   	lxc_sync_fini_parent(handler);
>   
> +	/* don't leak the pinfd to the container */
> +	close(handler->pinfd);
> +
>   	/* Tell the parent task it can begin to configure the
>   	 * container and wait for it to finish
>   	 */
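Review bot: The `close(handler->pinfd)` added to do_start is unconditional, whereas the cleanup in lxc_spawn (last hunk of start.c) keeps its `if (handler->pinfd >= 0)` guard; the child should use the same test, `if (handler->pinfd >= 0) close(handler->pinfd);`. Nothing in this patch initializes the new field, so a handler that is zero-filled at allocation would carry pinfd == 0 into do_start on any path where pin_rootfs is not reached, and the child would then close descriptor 0, its own stdin — which would match the lxc-execute symptom reported above (input not forwarded, bash exiting at once), though that path cannot be confirmed from the hunks alone. Setting `handler->pinfd = -1` where the handler is allocated (outside this diff) would make both `>= 0` guards reliable. do_start's body begins and ends outside the hunk.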
> @@ -691,7 +694,6 @@ int lxc_spawn(struct lxc_handler *handler)
>   {
>   	int failed_before_rename = 0;
>   	const char *name = handler->name;
> -	int pinfd;
>   
>   	if (lxc_sync_init(handler))
>   		return -1;
> @@ -735,8 +737,8 @@ int lxc_spawn(struct lxc_handler *handler)
>   	 * marking it readonly.
>   	 */
>   
> -	pinfd = pin_rootfs(handler->conf->rootfs.path);
> -	if (pinfd == -1) {
> +	handler->pinfd = pin_rootfs(handler->conf->rootfs.path);
> +	if (handler->pinfd == -1) {
>   		ERROR("failed to pin the container's rootfs");
>   		goto out_abort;
>   	}
> @@ -818,8 +820,8 @@ int lxc_spawn(struct lxc_handler *handler)
>   
>   	lxc_sync_fini(handler);
>   
> -	if (pinfd >= 0)
> -		close(pinfd);
> +	if (handler->pinfd >= 0)
> +		close(handler->pinfd);
>   
>   	return 0;
>   
> diff --git a/src/lxc/start.h b/src/lxc/start.h
> index 4b2e2b5..27688f3 100644
> --- a/src/lxc/start.h
> +++ b/src/lxc/start.h
> @@ -49,6 +49,7 @@ struct lxc_handler {
>   #if HAVE_APPARMOR
>   	int aa_enabled;
>   #endif
> +	int pinfd;
>   };
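Review bot: The new `pinfd` member is undocumented, and since start.c now tests it with `>= 0` in one place and `== -1` in another, the header should state which negative value means "not pinned" and who closes it; for example `int pinfd; /* fd pinning the rootfs; -1 when not pinned; closed by do_start in the child and by lxc_spawn in the parent */`. The struct lxc_handler definition starts outside the hunk.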
>   
>   extern struct lxc_handler *lxc_init(const char *name, struct lxc_conf *);
