[lxc-devel] [PATCH 1/2] c/r: populate clone flags on restore
Serge Hallyn
serge.hallyn at ubuntu.com
Fri Apr 10 14:15:44 UTC 2015
Quoting Tycho Andersen (tycho.andersen at canonical.com):
> Since attach asks the restore process what the clone flags were, if we forgot
> to set them then the attach command ran in the host's namespaces instead of the
> container's, which is a Very Bad Thing :). Instead, we remember to set the clone
> flags in the restore process' handler, so that we report them correctly to any
> attach processes that ask.
>
> Signed-off-by: Tycho Andersen <tycho.andersen at canonical.com>
Acked-by: Serge E. Hallyn <serge.hallyn at ubuntu.com>
> ---
> src/lxc/lxccontainer.c | 2 ++
> src/lxc/start.c | 55 ++++++++++++++++++++++++++++----------------------
> src/lxc/start.h | 1 +
> 3 files changed, 34 insertions(+), 24 deletions(-)
>
> diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c
> index 0d81552..3c3ff33 100644
> --- a/src/lxc/lxccontainer.c
> +++ b/src/lxc/lxccontainer.c
> @@ -4149,6 +4149,8 @@ static void do_restore(struct lxc_container *c, int pipe, char *directory, bool
> goto out_fini_handler;
> }
>
> + resolve_clone_flags(handler);
> +
> pid = fork();
> if (pid < 0)
> goto out_fini_handler;
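Review bot: The added resolve_clone_flags(handler) call computes handler->clone_flags from conf fields that are not visible in this hunk (id_map and the inherit_ns_fd entries), and as far as the hunk shows nothing on this path clones with the result; it exists so that attach, which queries the handler, reports the container's namespaces rather than the host's. A comment on the call would stop the next reader from assuming it drives the restore itself: `/* Not used to clone here; recorded so an attach that queries this handler enters the container's namespaces, not the host's. */`. Because attach relies on the reported bits to pick which namespaces to enter, it is worth confirming that handler->conf is fully populated by this point in do_restore — if an inherit_ns_fd entry were still 0 rather than -1 here, the corresponding CLONE_NEW* bit would be left out and attach would silently stay in the host's namespace for it. do_restore begins and ends outside the hunk.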
> diff --git a/src/lxc/start.c b/src/lxc/start.c
> index 70e4693..d615375 100644
> --- a/src/lxc/start.c
> +++ b/src/lxc/start.c
> @@ -840,6 +840,35 @@ static int recv_ttys_from_child(struct lxc_handler *handler)
> return 0;
> }
>
> +void resolve_clone_flags(struct lxc_handler *handler)
> +{
> + handler->clone_flags = CLONE_NEWPID | CLONE_NEWNS;
> +
> + if (!lxc_list_empty(&handler->conf->id_map)) {
> + INFO("Cloning a new user namespace");
> + handler->clone_flags |= CLONE_NEWUSER;
> + }
> +
> + if (handler->conf->inherit_ns_fd[LXC_NS_NET] == -1) {
> + if (!lxc_requests_empty_network(handler))
> + handler->clone_flags |= CLONE_NEWNET;
> + } else {
> + INFO("Inheriting a net namespace");
> + }
> +
> + if (handler->conf->inherit_ns_fd[LXC_NS_IPC] == -1) {
> + handler->clone_flags |= CLONE_NEWIPC;
> + } else {
> + INFO("Inheriting an IPC namespace");
> + }
> +
> + if (handler->conf->inherit_ns_fd[LXC_NS_UTS] == -1) {
> + handler->clone_flags |= CLONE_NEWUTS;
> + } else {
> + INFO("Inheriting a UTS namespace");
> + }
> +}
> +
> static int lxc_spawn(struct lxc_handler *handler)
> {
> int failed_before_rename = 0;
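Review bot: resolve_clone_flags becomes part of the module interface (declared extern in the start.h hunk) but carries no comment describing its contract, and the first assignment discards whatever clone_flags held before, so a caller that set bits earlier would lose them. A header comment above the definition, repeated on the declaration in start.h, would cover both: `/* Derive handler->clone_flags from handler->conf: PID and mount namespaces are always new;` `* user is new only with a non-empty id_map; net, IPC and UTS are new unless inherited` `* (inherit_ns_fd[...] != -1). Overwrites any previous value of the field. */`. The net branch also differs from the others in that a non-inherited namespace can still end up without CLONE_NEWNET when lxc_requests_empty_network() is true, which the comment should mention so that callers testing the bit (as lxc_spawn now does) are not surprised.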
> @@ -858,21 +887,14 @@ static int lxc_spawn(struct lxc_handler *handler)
> if (lxc_sync_init(handler))
> return -1;
>
> - handler->clone_flags = CLONE_NEWPID|CLONE_NEWNS;
> - if (!lxc_list_empty(&handler->conf->id_map)) {
> - INFO("Cloning a new user namespace");
> - handler->clone_flags |= CLONE_NEWUSER;
> - }
> -
> if (socketpair(AF_UNIX, SOCK_DGRAM, 0, handler->ttysock) < 0) {
> lxc_sync_fini(handler);
> return -1;
> }
>
> - if (handler->conf->inherit_ns_fd[LXC_NS_NET] == -1) {
> - if (!lxc_requests_empty_network(handler))
> - handler->clone_flags |= CLONE_NEWNET;
> + resolve_clone_flags(handler);
>
> + if (handler->clone_flags & CLONE_NEWNET) {
> if (!lxc_list_empty(&handler->conf->network)) {
>
> /* Find gateway addresses from the link device, which is
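Review bot: Gating the network setup on `handler->clone_flags & CLONE_NEWNET` is not equivalent to the removed `inherit_ns_fd[LXC_NS_NET] == -1` test: when the namespace is not inherited but lxc_requests_empty_network() returns true, the old code still walked handler->conf->network for the gateway and physical-nic bookkeeping, while the new code skips that block entirely. That is presumably harmless for a network list that requests no devices, but it is a behavior change the commit message does not mention, so either say so in the message or keep the original condition, `if (handler->conf->inherit_ns_fd[LXC_NS_NET] == -1) {`, and leave the flag purely to resolve_clone_flags. The same restructuring continues in the next hunk of this file (the removed `else` and IPC/UTS blocks). lxc_spawn begins and ends outside the hunk.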
> @@ -899,23 +921,8 @@ static int lxc_spawn(struct lxc_handler *handler)
> ERROR("failed to save physical nic info");
> goto out_abort;
> }
> - } else {
> - INFO("Inheriting a net namespace");
> }
>
> - if (handler->conf->inherit_ns_fd[LXC_NS_IPC] == -1) {
> - handler->clone_flags |= CLONE_NEWIPC;
> - } else {
> - INFO("Inheriting an IPC namespace");
> - }
> -
> - if (handler->conf->inherit_ns_fd[LXC_NS_UTS] == -1) {
> - handler->clone_flags |= CLONE_NEWUTS;
> - } else {
> - INFO("Inheriting a UTS namespace");
> - }
> -
> -
> if (!cgroup_init(handler)) {
> ERROR("failed initializing cgroup support");
> goto out_delete_net;
> diff --git a/src/lxc/start.h b/src/lxc/start.h
> index 2c6fc0d..aab063a 100644
> --- a/src/lxc/start.h
> +++ b/src/lxc/start.h
> @@ -87,5 +87,6 @@ extern int lxc_check_inherited(struct lxc_conf *conf, bool closeall, int fd_to_i
> int __lxc_start(const char *, struct lxc_conf *, struct lxc_operations *,
> void *, const char *);
>
> +extern void resolve_clone_flags(struct lxc_handler *handler);
> #endif
>
> --
> 2.1.4
>