[lxc-devel] [PATCH 2/2] c/r: re-open fds after clone()

Mon Apr 20 23:34:31 UTC 2015

If we don't re-open these after clone, the init process has a pointer to the
parent's /dev/{zero,null}. CRIU seese these and wants to dump the parent's
mount namespace, which is unnecessary. Instead, we should just re-open
stdin/out/err after we do the clone and pivot root, to ensure that we have
pointers to the devcies in init's rootfs instead of the host's.

v2: Only close fds if the container was daemonized. This didn't turn out as
    nicely as described on the list because lxc_start() doesn't actually have
    the struct lxc_container, so it cant see the flag. Instead, we just pass it
    down everywhere.

Signed-off-by: Tycho Andersen <tycho.andersen at canonical.com>
---
 src/lxc/execute.c      |  4 ++--
 src/lxc/lxc.h          | 22 +++++++++++++---------
 src/lxc/lxc_execute.c  |  2 +-
 src/lxc/lxccontainer.c | 10 ++--------
 src/lxc/start.c        | 17 ++++++++++++++---
 src/lxc/start.h        |  3 ++-
 6 files changed, 34 insertions(+), 24 deletions(-)

diff --git a/src/lxc/execute.c b/src/lxc/execute.c
index a0f7ff1..d14092a 100644
--- a/src/lxc/execute.c
+++ b/src/lxc/execute.c
@@ -111,7 +111,7 @@ static struct lxc_operations execute_start_ops = {
 };
 
 int lxc_execute(const char *name, char *const argv[], int quiet,
-		struct lxc_conf *conf, const char *lxcpath)
+		struct lxc_conf *conf, const char *lxcpath, bool backgrounded)
 {
 	struct execute_args args = {
 		.argv = argv,
@@ -122,5 +122,5 @@ int lxc_execute(const char *name, char *const argv[], int quiet,
 		return -1;
 
 	conf->is_execute = 1;
-	return __lxc_start(name, conf, &execute_start_ops, &args, lxcpath);
+	return __lxc_start(name, conf, &execute_start_ops, &args, lxcpath, backgrounded);
 }
diff --git a/src/lxc/lxc.h b/src/lxc/lxc.h
index dd1048c..b1b858d 100644
--- a/src/lxc/lxc.h
+++ b/src/lxc/lxc.h
@@ -27,6 +27,7 @@
 extern "C" {
 #endif
 
+#include <stdbool.h>
 #include <stddef.h>
 #include <sys/select.h>
 #include <sys/types.h>
@@ -44,24 +45,27 @@ struct lxc_arguments;
 
 /*
  * Start the specified command inside a system container
- * @name     : the name of the container
- * @argv     : an array of char * corresponding to the commande line
- * @conf     : configuration
+ * @name         : the name of the container
+ * @argv         : an array of char * corresponding to the commande line
+ * @conf         : configuration
+ * @backgrounded : whether or not the container is daemonized
  * Returns 0 on success, < 0 otherwise
  */
 extern int lxc_start(const char *name, char *const argv[], struct lxc_conf *conf,
-		     const char *lxcpath);
+		     const char *lxcpath, bool backgrounded);
 
 /*
  * Start the specified command inside an application container
- * @name     : the name of the container
- * @argv     : an array of char * corresponding to the commande line
- * @quiet    : if != 0 then lxc-init won't produce any output
- * @conf     : configuration
+ * @name         : the name of the container
+ * @argv         : an array of char * corresponding to the commande line
+ * @quiet        : if != 0 then lxc-init won't produce any output
+ * @conf         : configuration
+ * @backgrounded : whether or not the container is daemonized
  * Returns 0 on success, < 0 otherwise
  */
 extern int lxc_execute(const char *name, char *const argv[], int quiet,
-		       struct lxc_conf *conf, const char *lxcpath);
+		       struct lxc_conf *conf, const char *lxcpath,
+		       bool backgrounded);
 
 /*
  * Open the monitoring mechanism for a specific container
diff --git a/src/lxc/lxc_execute.c b/src/lxc/lxc_execute.c
index b602793..4f1e1f6 100644
--- a/src/lxc/lxc_execute.c
+++ b/src/lxc/lxc_execute.c
@@ -139,7 +139,7 @@ int main(int argc, char *argv[])
 	if (lxc_config_define_load(&defines, conf))
 		return 1;
 
-	ret = lxc_execute(my_args.name, my_args.argv, my_args.quiet, conf, my_args.lxcpath[0]);
+	ret = lxc_execute(my_args.name, my_args.argv, my_args.quiet, conf, my_args.lxcpath[0], false);
 
 	lxc_conf_free(conf);
 
diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c
index 0ca5b9f..d49426f 100644
--- a/src/lxc/lxccontainer.c
+++ b/src/lxc/lxccontainer.c
@@ -584,7 +584,7 @@ static bool lxcapi_start(struct lxc_container *c, int useinit, char * const argv
 	container_mem_unlock(c);
 
 	if (useinit) {
-		ret = lxc_execute(c->name, argv, 1, conf, c->config_path);
+		ret = lxc_execute(c->name, argv, 1, conf, c->config_path, daemonize);
 		return ret == 0 ? true : false;
 	}
 
@@ -642,12 +642,6 @@ static bool lxcapi_start(struct lxc_container *c, int useinit, char * const argv
 			return false;
 		}
 		lxc_check_inherited(conf, true, -1);
-		close(0);
-		close(1);
-		close(2);
-		open("/dev/zero", O_RDONLY);
-		open("/dev/null", O_RDWR);
-		open("/dev/null", O_RDWR);
 		setsid();
 	} else {
 		if (!am_single_threaded()) {
@@ -687,7 +681,7 @@ reboot:
 		goto out;
 	}
 
-	ret = lxc_start(c->name, argv, conf, c->config_path);
+	ret = lxc_start(c->name, argv, conf, c->config_path, daemonize);
 	c->error_num = ret;
 
 	if (conf->reboot) {
diff --git a/src/lxc/start.c b/src/lxc/start.c
index d615375..8aedc7d 100644
--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -759,6 +759,15 @@ static int do_start(void *data)
 
 	close(handler->sigfd);
 
+	if (handler->backgrounded) {
+		close(0);
+		close(1);
+		close(2);
+		open("/dev/zero", O_RDONLY);
+		open("/dev/null", O_RDWR);
+		open("/dev/null", O_RDWR);
+	}
+
 	/* after this call, we are in error because this
 	 * ops should not return as it execs */
 	handler->ops->start(handler, handler->data);
@@ -1112,7 +1121,8 @@ int get_netns_fd(int pid)
 }
 
 int __lxc_start(const char *name, struct lxc_conf *conf,
-		struct lxc_operations* ops, void *data, const char *lxcpath)
+		struct lxc_operations* ops, void *data, const char *lxcpath,
+		bool backgrounded)
 {
 	struct lxc_handler *handler;
 	int err = -1;
@@ -1126,6 +1136,7 @@ int __lxc_start(const char *name, struct lxc_conf *conf,
 	}
 	handler->ops = ops;
 	handler->data = data;
+	handler->backgrounded = backgrounded;
 
 	if (must_drop_cap_sys_boot(handler->conf)) {
 		#if HAVE_SYS_CAPABILITY_H
@@ -1257,12 +1268,12 @@ static struct lxc_operations start_ops = {
 };
 
 int lxc_start(const char *name, char *const argv[], struct lxc_conf *conf,
-	      const char *lxcpath)
+	      const char *lxcpath, bool backgrounded)
 {
 	struct start_args start_arg = {
 		.argv = argv,
 	};
 
 	conf->need_utmp_watch = 1;
-	return __lxc_start(name, conf, &start_ops, &start_arg, lxcpath);
+	return __lxc_start(name, conf, &start_ops, &start_arg, lxcpath, backgrounded);
 }
diff --git a/src/lxc/start.h b/src/lxc/start.h
index aab063a..f1a41f5 100644
--- a/src/lxc/start.h
+++ b/src/lxc/start.h
@@ -74,6 +74,7 @@ struct lxc_handler {
 	const char *lxcpath;
 	void *cgroup_data;
 	int ttysock[2]; // socketpair for child->parent tty fd passing
+	bool backgrounded; // indicates whether should we close std{in,out,err} on start
 };
 
 
@@ -85,7 +86,7 @@ extern void lxc_fini(const char *name, struct lxc_handler *handler);
 
 extern int lxc_check_inherited(struct lxc_conf *conf, bool closeall, int fd_to_ignore);
 int __lxc_start(const char *, struct lxc_conf *, struct lxc_operations *,
-		void *, const char *);
+		void *, const char *, bool);
 
 extern void resolve_clone_flags(struct lxc_handler *handler);
 #endif
-- 
2.1.4

