runsc: Pass log and config files to sandbox process by FD.

This is a prereq for running the sandbox process as user "nobody", when it may not have permissions to open these files. Instead, we must open then before starting the sandbox process, and pass them by FD. The specutils.ReadSpecFromFile method was fixed to always seek to the beginning of the file before reading. This allows Files from the same FD to be read multiple times, as we do in the boot command when the apply-caps flag is set. Tested with --network=host. PiperOrigin-RevId: 211570647 Change-Id: I685be0a290aa7f70731ebdce82ebc0ebcc9d475c
author: Nicolas Lacasse <nlacasse@google.com> 2018-09-04 20:08:41 -0700
committer: Shentubot <shentubot@google.com> 2018-09-04 20:10:01 -0700
commit: ad8648c6343cf2cf3e51a0f58cb053ee303f6ffb (patch)
tree: 3b1c7c9e8d978258eee349592fd13fbebb36eb1e /runsc/cmd/create.go
parent: 2cff07381a911ad52cf9df70d702f39217e9539e (diff)
1 files changed, 3 insertions, 0 deletions
diff --git a/runsc/cmd/create.go b/runsc/cmd/create.go
index 94a889077..38ae03e7a 100644
--- a/runsc/cmd/create.go
+++ b/runsc/cmd/create.go
@@ -15,6 +15,8 @@
 package cmd
 
 import (
+	"path/filepath"
+
 	"context"
 	"flag"
 	"github.com/google/subcommands"
@@ -83,6 +85,7 @@ func (c *Create) Execute(_ context.Context, f *flag.FlagSet, args ...interface{}
 		Fatalf("error reading spec: %v", err)
 	}
 	specutils.LogSpec(spec)
+	conf.SpecFile = filepath.Join(bundleDir, "config.json")
 
 	// Create the container. A new sandbox will be created for the
 	// container unless the metadata specifies that it should be run in an
author	Nicolas Lacasse <nlacasse@google.com>	2018-09-04 20:08:41 -0700
committer	Shentubot <shentubot@google.com>	2018-09-04 20:10:01 -0700
commit	ad8648c6343cf2cf3e51a0f58cb053ee303f6ffb (patch)
tree	3b1c7c9e8d978258eee349592fd13fbebb36eb1e /runsc/cmd/create.go
parent	2cff07381a911ad52cf9df70d702f39217e9539e (diff)