Commit ff074c81 by Serge Hallyn Committed by Stéphane Graber

container start: clone newcgroup immediately

rather than waiting and later unsharing. This "makes the creation of a new cgroup early enough that the existing cgroup mounts are visible. Which means any fancy permission checks I dream will work on a future version of liblxc."

This also includes what should be a tiny improvement regarding netns, though it's conceivable it'll break something. Remember that with new kernels we need to unshare netns after we've become the root user in the new userns, so that netns files are owned by that root. But we were passing the unfiltered handler->clone_flags to the original clone(). This just resulted in a temporary extra netns generation, but still worked since our target netns, which we passed our devices into, was created late enough.

Signed-off-by: Serge Hallyn <serge@hallyn.com>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
parent 8511da27
...@@ -909,11 +909,6 @@ static int do_start(void *data) ...@@ -909,11 +909,6 @@ static int do_start(void *data)
devnull_fd = -1; devnull_fd = -1;
} }
if (cgns_supported() && unshare(CLONE_NEWCGROUP) != 0) {
SYSERROR("Failed to unshare cgroup namespace");
goto out_warn_father;
}
setsid(); setsid();
/* after this call, we are in error because this /* after this call, we are in error because this
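Review bot: dropping this unshare(CLONE_NEWCGROUP) block from do_start also drops the dedicated "Failed to unshare cgroup namespace" error path (out_warn_father); after the move, a kernel that reports cgns_supported() but rejects CLONE_NEWCGROUP in clone() will only surface as the generic "failed to fork into a new namespace" message in lxc_spawn. Consider logging the flag set passed to lxc_clone on failure so that a cgroup-namespace refusal remains distinguishable from a user or net namespace failure, and confirm that lxc_spawn is the only caller reaching do_start, since the child no longer creates the cgroup namespace itself.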
...@@ -1136,7 +1131,11 @@ static int lxc_spawn(struct lxc_handler *handler) ...@@ -1136,7 +1131,11 @@ static int lxc_spawn(struct lxc_handler *handler)
flags = handler->clone_flags; flags = handler->clone_flags;
if (handler->clone_flags & CLONE_NEWUSER) if (handler->clone_flags & CLONE_NEWUSER)
flags &= ~CLONE_NEWNET; flags &= ~CLONE_NEWNET;
handler->pid = lxc_clone(do_start, handler, handler->clone_flags); if (cgns_supported()) {
handler->clone_flags |= CLONE_NEWCGROUP;
flags |= CLONE_NEWCGROUP;
}
handler->pid = lxc_clone(do_start, handler, flags);
if (handler->pid < 0) { if (handler->pid < 0) {
SYSERROR("failed to fork into a new namespace"); SYSERROR("failed to fork into a new namespace");
goto out_delete_net; goto out_delete_net;
......
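Review bot: the actual correctness fix in this hunk is the last changed line, which passes the filtered `flags` to lxc_clone instead of the unfiltered `handler->clone_flags`, so CLONE_NEWNET is no longer handed to the initial clone() when CLONE_NEWUSER is set; the `handler->clone_flags |= CLONE_NEWCGROUP;` line additionally mutates the handler's recorded flag set as a side effect of spawn, which is safe here only because it runs after the `handler->clone_flags & CLONE_NEWUSER` check above it. A short comment explaining why handler->clone_flags is updated (so later code that inspects the handler's flags knows a cgroup namespace exists) would make that ordering dependency explicit, and the two assignments could be collapsed to setting the bit once before `flags = handler->clone_flags;` to avoid keeping the two flag sets in sync by hand.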