runsc: Fix stdin/stdout/stderr in multi-container mode.

The issue with the previous change was that the stdin/stdout/stderr passed to
the sentry were dup'd by host.ImportFile. This left a dangling FD that by never
closing caused containerd to timeout waiting on container stop.

PiperOrigin-RevId: 213753032
Change-Id: Ia5e4c0565c42c8610d3b59f65599a5643b0901e4

1 files changed, 9 insertions, 5 deletions

diff --git a/runsc/boot/fds.go b/runsc/boot/fds.go
index 9de5a78b1..92d641b68 100644
--- a/runsc/boot/fds.go
+++ b/runsc/boot/fds.go
@@ -16,7 +16,6 @@ package boot
 
 import (
 	"fmt"
-	"syscall"
 
 	"gvisor.googlesource.com/gvisor/pkg/sentry/context"
 	"gvisor.googlesource.com/gvisor/pkg/sentry/fs"
@@ -28,15 +27,20 @@ import (
 
 // createFDMap creates an fd map that contains stdin, stdout, and stderr. If
 // console is true, then ioctl calls will be passed through to the host fd.
-func createFDMap(ctx context.Context, k *kernel.Kernel, l *limits.LimitSet, console bool) (*kernel.FDMap, error) {
+// Upon success, createFDMap dups then closes stdioFDs.
+func createFDMap(ctx context.Context, k *kernel.Kernel, l *limits.LimitSet, console bool, stdioFDs []int) (*kernel.FDMap, error) {
+	if len(stdioFDs) != 3 {
+		return nil, fmt.Errorf("stdioFDs should contain exactly 3 FDs (stdin, stdout, and stderr), but %d FDs received", len(stdioFDs))
+	}
+
 	fdm := k.NewFDMap()
 	defer fdm.DecRef()
 
 	// Maps sandbox fd to host fd.
 	fdMap := map[int]int{
-		0: syscall.Stdin,
-		1: syscall.Stdout,
-		2: syscall.Stderr,
+		0: stdioFDs[0],
+		1: stdioFDs[1],
+		2: stdioFDs[2],
 	}
 	mounter := fs.FileOwnerFromContext(ctx)