Merge pull request #3672 from brauner/2021-02-14/fixes

src/lxc/start.c

@@ -119,24 +119,21 @@ static int lxc_try_preserve_namespace(struct lxc_handler *handler,
 	int ret;
 
 	fd = lxc_preserve_ns(handler->pid, ns);
-	if (fd < 0) {
-		if (errno != ENOENT)
-			return log_error_errno(-EINVAL, errno,
-					       "Failed to preserve %s namespace", ns);
-
-		return log_warn_errno(-EOPNOTSUPP, errno,
-				      "Kernel does not support preserving %s namespaces", ns);
-	}
+	if (fd < 0)
+		return -errno;
 
 	ret = strnprintf(handler->nsfd_paths[idx],
 			 sizeof(handler->nsfd_paths[idx]), "%s:/proc/%d/fd/%d",
 			 ns_info[idx].proc_name, handler->monitor_pid, fd);
+	if (ret < 0)
+		return ret_errno(EIO);
 
-	/* Legacy style argument passing as arguments to hooks. */
+	/*
+	 * In case LXC is configured for exposing information to hooks as
+	 * argv-style arguments prepare an argv array we can use.
+	 */
 	handler->hook_argv[handler->hook_argc] = handler->nsfd_paths[idx];
 	handler->hook_argc++;
-	if (ret < 0)
-		return ret_errno(EIO);
 
 	DEBUG("Preserved %s namespace via fd %d and stashed path as %s",
 	      ns_info[idx].proc_name, fd, handler->nsfd_paths[idx]);
@@ -157,6 +154,7 @@ static bool lxc_try_preserve_namespaces(struct lxc_handler *handler,
 
 	for (lxc_namespace_t ns_idx = 0; ns_idx < LXC_NS_MAX; ns_idx++) {
 		int ret;
+		const char *ns = ns_info[ns_idx].proc_name;
 
 		if ((ns_clone_flags & ns_info[ns_idx].clone_flag) == 0)
 			continue;
@@ -164,15 +162,17 @@ static bool lxc_try_preserve_namespaces(struct lxc_handler *handler,
 		ret = lxc_try_preserve_namespace(handler, ns_idx,
 						 ns_info[ns_idx].proc_name);
 		if (ret < 0) {
-			/* Do not fail to start container on kernels that do
-			 * not support interacting with namespaces through
-			 * /proc.
-			 */
-			if (ret == -EOPNOTSUPP)
+			if (ret == -ENOENT) {
+				SYSERROR("Kernel does not support preserving %s namespaces", ns);
 				continue;
+			}
 
+			/*
+			 * Handle kernels that do not support interacting with
+			 * namespaces through procfs.
+			 */
 			lxc_put_nsfds(handler);
-			return false;
+			return log_error_errno(false, errno, "Failed to preserve %s namespace", ns);
 		}
 	}
 
@@ -1827,7 +1827,7 @@ static int lxc_spawn(struct lxc_handler *handler)
 	if (handler->nsfd[LXC_NS_NET] < 0) {
 		ret = lxc_try_preserve_namespace(handler, LXC_NS_NET, "net");
 		if (ret < 0) {
-			if (ret != -EOPNOTSUPP) {
+			if (ret != -ENOENT) {
 				SYSERROR("Failed to preserve net namespace");
 				goto out_delete_net;
 			}
@@ -1878,8 +1878,8 @@ static int lxc_spawn(struct lxc_handler *handler)
 		goto out_delete_net;
 
 	/*
-	 * with isolation the limiting devices cgroup was already setup, so
-	 * only setup devices here if we have no namespace directory
+	 * With isolation the limiting devices cgroup was already setup, so
+	 * only setup devices here if we have no namespace directory.
 	 */
 	if (!handler->conf->cgroup_meta.namespace_dir &&
 	    !cgroup_ops->setup_limits_legacy(cgroup_ops, handler->conf, true)) {
@@ -1898,7 +1898,7 @@ static int lxc_spawn(struct lxc_handler *handler)
 		/* Now we're ready to preserve the cgroup namespace */
 		ret = lxc_try_preserve_namespace(handler, LXC_NS_CGROUP, "cgroup");
 		if (ret < 0) {
-			if (ret != -EOPNOTSUPP) {
+			if (ret != -ENOENT) {
 				SYSERROR("Failed to preserve cgroup namespace");
 				goto out_delete_net;
 			}
@@ -1909,10 +1909,10 @@ static int lxc_spawn(struct lxc_handler *handler)
 	TRACE("Finished setting up cgroups");
 
 	if (handler->ns_unshare_flags & CLONE_NEWTIME) {
-		/* Now we're ready to preserve the cgroup namespace */
+		/* Now we're ready to preserve the time namespace */
 		ret = lxc_try_preserve_namespace(handler, LXC_NS_TIME, "time");
 		if (ret < 0) {
-			if (ret != -EOPNOTSUPP) {
+			if (ret != -ENOENT) {
 				SYSERROR("Failed to preserve time namespace");
 				goto out_delete_net;
 			}