start: simplify cgroup namespace preservation

Since we are now dumpable we can open /proc/<child-pid>/ns/cgroup so let's avoid the overhead of sending around fds. Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

start: simplify cgroup namespace preservation
a2ffd257 · Christian Brauner · 25753d59 · a2ffd257
Unverified Commit a2ffd257 authored Dec 22, 2017 by Christian Brauner
Hide whitespace changes
Inline Side-by-side

Showing with 13 additions and 31 deletions

start.c src/lxc/start.c +13 -31

No files found.
--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -898,7 +898,7 @@ static int must_drop_cap_sys_boot(struct lxc_conf *conf)

 static int do_start(void *data)
 {
-	int fd, ret;
+	int ret;
 	struct lxc_list *iterator;
 	char path[PATH_MAX];
 	bool have_cap_setgid;
@@ -1055,30 +1055,12 @@ static int do_start(void *data)
 	/* Setup the container, ip, names, utsname, ... */
 	ret = lxc_setup(handler);
 	close(handler->data_sock[1]);
+	close(handler->data_sock[0]);
 	if (ret < 0) {
 		ERROR("Failed to setup container \"%s\".", handler->name);
-		close(handler->data_sock[0]);
 		goto out_warn_father;
 	}

-	if (handler->clone_flags & CLONE_NEWCGROUP) {
-		fd = lxc_preserve_ns(lxc_raw_getpid(), "cgroup");
-		if (fd < 0) {
-			ERROR("%s - Failed to preserve cgroup namespace", strerror(errno));
-			close(handler->data_sock[0]);
-			goto out_warn_father;
-		}
-
-		ret = lxc_abstract_unix_send_fds(handler->data_sock[0], &fd, 1, NULL, 0);
-		close(fd);
-		if (ret < 0) {
-			ERROR("%s - Failed to preserve cgroup namespace", strerror(errno));
-			close(handler->data_sock[0]);
-			goto out_warn_father;
-		}
-	}
-	close(handler->data_sock[0]);
-
 	/* Set the label to change to when we exec(2) the container's init. */
 	if (lsm_process_label_set(NULL, handler->conf, 1, 1) < 0)
 		goto out_warn_father;
@@ -1492,6 +1474,17 @@ static int lxc_spawn(struct lxc_handler *handler)
 	cgroup_disconnect();
 	cgroups_connected = false;

+	if (handler->clone_flags & CLONE_NEWCGROUP) {
+		/* Now we're ready to preserve the cgroup namespace */
+		ret = lxc_preserve_ns(handler->pid, "cgroup");
+		if (ret < 0) {
+			ERROR("%s - Failed to preserve cgroup namespace", strerror(errno));
+			goto out_delete_net;
+		}
+		handler->nsfd[LXC_NS_CGROUP] = ret;
+		DEBUG("Preserved cgroup namespace via fd %d", ret);
+	}
+
 	/* Tell the child to complete its initialization and wait for it to exec
 	 * or return an error. (The child will never return
 	 * LXC_SYNC_POST_CGROUP+1. It will either close the sync pipe, causing
@@ -1520,17 +1513,6 @@ static int lxc_spawn(struct lxc_handler *handler)
 		goto out_delete_net;
 	}

-	if (handler->clone_flags & CLONE_NEWCGROUP) {
-		ret = lxc_abstract_unix_recv_fds(handler->data_sock[1],
-						 &handler->nsfd[LXC_NS_CGROUP],
-						 1, NULL, 0);
-		if (ret < 0) {
-			ERROR("%s - Failed to preserve cgroup namespace", strerror(errno));
-			goto out_delete_net;
-		}
-		DEBUG("Preserved cgroup namespace via fd %d", handler->nsfd[LXC_NS_CGROUP]);
-	}
-
 	if (handler->ops->post_start(handler, handler->data))
 		goto out_abort;