[lxc-devel] [PATCH 1/2] c/r: populate clone flags on restore

Serge Hallyn serge.hallyn at ubuntu.com
Fri Apr 10 14:15:44 UTC 2015


Quoting Tycho Andersen (tycho.andersen at canonical.com):
> Since attach asks the restore process what the clone flags were, if we forgot
> to set them then the attach command ran in the host's namespaces instead of the
> container's, which is a Very Bad Thing :). Instead, we remember to set the clone
> flags in the restore process' handler, so that we report them correctly to any
> attach processes who ask.
> 
> Signed-off-by: Tycho Andersen <tycho.andersen at canonical.com>

Acked-by: Serge E. Hallyn <serge.hallyn at ubuntu.com>

> ---
>  src/lxc/lxccontainer.c |  2 ++
>  src/lxc/start.c        | 55 ++++++++++++++++++++++++++++----------------------
>  src/lxc/start.h        |  1 +
>  3 files changed, 34 insertions(+), 24 deletions(-)
> 
> diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c
> index 0d81552..3c3ff33 100644
> --- a/src/lxc/lxccontainer.c
> +++ b/src/lxc/lxccontainer.c
> @@ -4149,6 +4149,8 @@ static void do_restore(struct lxc_container *c, int pipe, char *directory, bool
>  		goto out_fini_handler;
>  	}
>  
> +	resolve_clone_flags(handler);
> +
>  	pid = fork();
>  	if (pid < 0)
>  		goto out_fini_handler;
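Review bot: The new `resolve_clone_flags(handler);` call is the only thing on the restore path that touches clone_flags, and nothing next to it says why it is needed, so a reader of do_restore cannot tell that attach later reads these flags to choose which namespaces to enter. A comment above the call such as `/* attach asks the restore process for clone_flags to pick the namespaces to enter; left unset, attach would land in the host's namespaces */` would carry the commit-message rationale into the code. The flags are computed from what the configuration requests rather than from what was actually restored, so it is worth confirming that every namespace flagged here is one the restore path really reconstructs; otherwise attach would be told about a namespace the restored process is not in. The enclosing do_restore starts and ends outside the hunk.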
> diff --git a/src/lxc/start.c b/src/lxc/start.c
> index 70e4693..d615375 100644
> --- a/src/lxc/start.c
> +++ b/src/lxc/start.c
> @@ -840,6 +840,35 @@ static int recv_ttys_from_child(struct lxc_handler *handler)
>  	return 0;
>  }
>  
> +void resolve_clone_flags(struct lxc_handler *handler)
> +{
> +	handler->clone_flags = CLONE_NEWPID | CLONE_NEWNS;
> +
> +	if (!lxc_list_empty(&handler->conf->id_map)) {
> +		INFO("Cloning a new user namespace");
> +		handler->clone_flags |= CLONE_NEWUSER;
> +	}
> +
> +	if (handler->conf->inherit_ns_fd[LXC_NS_NET] == -1) {
> +		if (!lxc_requests_empty_network(handler))
> +			handler->clone_flags |= CLONE_NEWNET;
> +	} else {
> +		INFO("Inheriting a net namespace");
> +	}
> +
> +	if (handler->conf->inherit_ns_fd[LXC_NS_IPC] == -1) {
> +		handler->clone_flags |= CLONE_NEWIPC;
> +	} else {
> +		INFO("Inheriting an IPC namespace");
> +	}
> +
> +	if (handler->conf->inherit_ns_fd[LXC_NS_UTS] == -1) {
> +		handler->clone_flags |= CLONE_NEWUTS;
> +	} else {
> +		INFO("Inheriting a UTS namespace");
> +	}
> +}
> +
>  static int lxc_spawn(struct lxc_handler *handler)
>  {
>  	int failed_before_rename = 0;
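Review bot: `resolve_clone_flags` becomes an exported function with no comment stating its contract, and the contract matters because the first line `handler->clone_flags = CLONE_NEWPID | CLONE_NEWNS;` assigns rather than ORs, discarding anything a caller had already set. A header comment above the definition along the lines of `/* Recompute handler->clone_flags from handler->conf, replacing any previous value. Called from lxc_spawn and from the restore path, where attach relies on the flags to join the container's namespaces. */` would make that explicit for future callers. The INFO messages ("Cloning a new user namespace") are now also emitted on the restore path, where no clone is performed by this code, so they may be worth rewording neutrally or moving to lxc_spawn. lxc_spawn begins at the hunk's last line and continues outside it.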
> @@ -858,21 +887,14 @@ static int lxc_spawn(struct lxc_handler *handler)
>  	if (lxc_sync_init(handler))
>  		return -1;
>  
> -	handler->clone_flags = CLONE_NEWPID|CLONE_NEWNS;
> -	if (!lxc_list_empty(&handler->conf->id_map)) {
> -		INFO("Cloning a new user namespace");
> -		handler->clone_flags |= CLONE_NEWUSER;
> -	}
> -
>  	if (socketpair(AF_UNIX, SOCK_DGRAM, 0, handler->ttysock) < 0) {
>  		lxc_sync_fini(handler);
>  		return -1;
>  	}
>  
> -	if (handler->conf->inherit_ns_fd[LXC_NS_NET] == -1) {
> -		if (!lxc_requests_empty_network(handler))
> -			handler->clone_flags |= CLONE_NEWNET;
> +	resolve_clone_flags(handler);
>  
> +	if (handler->clone_flags & CLONE_NEWNET) {
>  		if (!lxc_list_empty(&handler->conf->network)) {
>  
>  			/* Find gateway addresses from the link device, which is
> @@ -899,23 +921,8 @@ static int lxc_spawn(struct lxc_handler *handler)
>  			ERROR("failed to save physical nic info");
>  			goto out_abort;
>  		}
> -	} else {
> -		INFO("Inheriting a net namespace");
>  	}
>  
> -	if (handler->conf->inherit_ns_fd[LXC_NS_IPC] == -1) {
> -		handler->clone_flags |= CLONE_NEWIPC;
> -	} else {
> -		INFO("Inheriting an IPC namespace");
> -	}
> -
> -	if (handler->conf->inherit_ns_fd[LXC_NS_UTS] == -1) {
> -		handler->clone_flags |= CLONE_NEWUTS;
> -	} else {
> -		INFO("Inheriting a UTS namespace");
> -	}
> -
> -
>  	if (!cgroup_init(handler)) {
>  		ERROR("failed initializing cgroup support");
>  		goto out_delete_net;
> diff --git a/src/lxc/start.h b/src/lxc/start.h
> index 2c6fc0d..aab063a 100644
> --- a/src/lxc/start.h
> +++ b/src/lxc/start.h
> @@ -87,5 +87,6 @@ extern int lxc_check_inherited(struct lxc_conf *conf, bool closeall, int fd_to_i
>  int __lxc_start(const char *, struct lxc_conf *, struct lxc_operations *,
>  		void *, const char *);
>  
> +extern void resolve_clone_flags(struct lxc_handler *handler);
>  #endif
>  
> -- 
> 2.1.4
> 
> _______________________________________________
> lxc-devel mailing list
> lxc-devel at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-devel

