diff options
author | gVisor bot <gvisor-bot@google.com> | 2019-07-26 15:00:49 -0700 |
---|---|---|
committer | gVisor bot <gvisor-bot@google.com> | 2019-07-26 15:00:51 -0700 |
commit | b50122379c696f1ae31d4fa914c1c14d28cae826 (patch) | |
tree | 74fd85cff244b3d905bb21f3e750dcdaa26a95fe /runsc/boot/loader.go | |
parent | 444a9d9e545f01dc204f1863e91acb8700823c6e (diff) | |
parent | 1c5b6d9bd26ba090610d05366df90d4fee91c677 (diff) |
Merge pull request #452 from zhangningdlut:chris_test_pidns
PiperOrigin-RevId: 260220279
Diffstat (limited to 'runsc/boot/loader.go')
-rw-r--r-- | runsc/boot/loader.go | 33 |
1 files changed, 30 insertions, 3 deletions
diff --git a/runsc/boot/loader.go b/runsc/boot/loader.go index a8adaf292..50cac0433 100644 --- a/runsc/boot/loader.go +++ b/runsc/boot/loader.go @@ -138,6 +138,9 @@ type execProcess struct { // tty will be nil if the process is not attached to a terminal. tty *host.TTYFileOperations + + // pidnsPath is the pid namespace path in spec + pidnsPath string } func init() { @@ -278,6 +281,7 @@ func New(args Args) (*Loader, error) { RootUTSNamespace: kernel.NewUTSNamespace(args.Spec.Hostname, args.Spec.Hostname, creds.UserNamespace), RootIPCNamespace: kernel.NewIPCNamespace(creds.UserNamespace), RootAbstractSocketNamespace: kernel.NewAbstractSocketNamespace(), + PIDNamespace: kernel.NewRootPIDNamespace(creds.UserNamespace), }); err != nil { return nil, fmt.Errorf("initializing kernel: %v", err) } @@ -298,7 +302,7 @@ func New(args Args) (*Loader, error) { // Create a watchdog. dog := watchdog.New(k, watchdog.DefaultTimeout, args.Conf.WatchdogAction) - procArgs, err := newProcess(args.ID, args.Spec, creds, k) + procArgs, err := newProcess(args.ID, args.Spec, creds, k, k.RootPIDNamespace()) if err != nil { return nil, fmt.Errorf("creating init process for root container: %v", err) } @@ -376,7 +380,7 @@ func New(args Args) (*Loader, error) { } // newProcess creates a process that can be run with kernel.CreateProcess. -func newProcess(id string, spec *specs.Spec, creds *auth.Credentials, k *kernel.Kernel) (kernel.CreateProcessArgs, error) { +func newProcess(id string, spec *specs.Spec, creds *auth.Credentials, k *kernel.Kernel, pidns *kernel.PIDNamespace) (kernel.CreateProcessArgs, error) { // Create initial limits. ls, err := createLimitSet(spec) if err != nil { @@ -396,7 +400,9 @@ func newProcess(id string, spec *specs.Spec, creds *auth.Credentials, k *kernel. IPCNamespace: k.RootIPCNamespace(), AbstractSocketNamespace: k.RootAbstractSocketNamespace(), ContainerID: id, + PIDNamespace: pidns, } + return procArgs, nil } @@ -559,6 +565,9 @@ func (l *Loader) run() error { } ep.tg = l.k.GlobalInit() + if ns, ok := specutils.GetNS(specs.PIDNamespace, l.spec); ok { + ep.pidnsPath = ns.Path + } if l.console { ttyFile, _ := l.rootProcArgs.FDTable.Get(0) defer ttyFile.DecRef() @@ -627,7 +636,24 @@ func (l *Loader) startContainer(spec *specs.Spec, conf *Config, cid string, file caps, l.k.RootUserNamespace()) - procArgs, err := newProcess(cid, spec, creds, l.k) + var pidns *kernel.PIDNamespace + if ns, ok := specutils.GetNS(specs.PIDNamespace, spec); ok { + if ns.Path != "" { + for _, p := range l.processes { + if ns.Path == p.pidnsPath { + pidns = p.tg.PIDNamespace() + break + } + } + } + if pidns == nil { + pidns = l.k.RootPIDNamespace().NewChild(l.k.RootUserNamespace()) + } + l.processes[eid].pidnsPath = ns.Path + } else { + pidns = l.k.RootPIDNamespace() + } + procArgs, err := newProcess(cid, spec, creds, l.k, pidns) if err != nil { return fmt.Errorf("creating new process: %v", err) } @@ -749,6 +775,7 @@ func (l *Loader) executeAsync(args *control.ExecArgs) (kernel.ThreadID, error) { // Start the process. proc := control.Proc{Kernel: l.k} + args.PIDNamespace = tg.PIDNamespace() newTG, tgid, ttyFile, err := control.ExecAsync(&proc, args) if err != nil { return 0, err |