68 lines
2.4 KiB
Diff
68 lines
2.4 KiB
Diff
From fa6c4b2cbb985a765b4fae14470453b7a573c665 Mon Sep 17 00:00:00 2001
|
|
From: Kir Kolyshkin <kolyshkin@gmail.com>
|
|
Date: Fri, 12 May 2023 16:04:11 -0700
|
|
Subject: [PATCH] libct: fix shared pidns detection
|
|
|
|
When someone is using libcontainer to start and kill containers from a
|
|
long lived process (i.e. the same process creates and removes the
|
|
container), initProcess.wait method is used, which has a kludge to work
|
|
around killing containers that do not have their own PID namespace.
|
|
|
|
The code that checks for own PID namespace is not entirely correct.
|
|
To be exact, it does not set sharePidns flag when the host/caller PID
|
|
namespace is implicitly used. As a result, the above mentioned kludge
|
|
does not work.
|
|
|
|
Fix the issue, add a test case (which fails without the fix).
|
|
|
|
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
|
|
---
|
|
libcontainer/configs/namespaces_syscall.go | 12 ++++++++++++
|
|
libcontainer/container_linux.go | 3 +--
|
|
2 files changed, 13 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/libcontainer/configs/namespaces_syscall.go b/libcontainer/configs/namespaces_syscall.go
|
|
index fb4b8522..6171a3b6 100644
|
|
--- a/libcontainer/configs/namespaces_syscall.go
|
|
+++ b/libcontainer/configs/namespaces_syscall.go
|
|
@@ -29,3 +29,15 @@ func (n *Namespaces) CloneFlags() uintptr {
|
|
}
|
|
return uintptr(flag)
|
|
}
|
|
+
|
|
+// IsPrivate tells whether the namespace of type t is configured as private
|
|
+// (i.e. it exists and is not shared).
|
|
+func (n Namespaces) IsPrivate(t NamespaceType) bool {
|
|
+ for _, v := range n {
|
|
+ if v.Type == t {
|
|
+ return v.Path == ""
|
|
+ }
|
|
+ }
|
|
+ // Not found, so implicitly sharing a parent namespace.
|
|
+ return false
|
|
+}
|
|
diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go
|
|
index 7be84a63..113dbf42 100644
|
|
--- a/libcontainer/container_linux.go
|
|
+++ b/libcontainer/container_linux.go
|
|
@@ -488,7 +488,6 @@ func (c *linuxContainer) newInitProcess(p *Process, cmd *exec.Cmd, parentPipe, c
|
|
nsMaps[ns.Type] = ns.Path
|
|
}
|
|
}
|
|
- _, sharePidns := nsMaps[configs.NEWPID]
|
|
data, err := c.bootstrapData(c.config.Namespaces.CloneFlags(), nsMaps)
|
|
if err != nil {
|
|
return nil, err
|
|
@@ -502,7 +501,7 @@ func (c *linuxContainer) newInitProcess(p *Process, cmd *exec.Cmd, parentPipe, c
|
|
container: c,
|
|
process: p,
|
|
bootstrapData: data,
|
|
- sharePidns: sharePidns,
|
|
+ sharePidns: !c.config.Namespaces.IsPrivate(configs.NEWPID),
|
|
rootDir: rootDir,
|
|
}, nil
|
|
}
|
|
--
|
|
2.33.0
|
|
|