diff options
author | gVisor bot <gvisor-bot@google.com> | 2019-07-26 22:09:36 +0000 |
---|---|---|
committer | gVisor bot <gvisor-bot@google.com> | 2019-07-26 22:09:36 +0000 |
commit | 4283f75bf2136e5a24858ebc23f68e38c145ef07 (patch) | |
tree | 5e00c8ce90f1773897de48332522a2dac1dc86ac /runsc | |
parent | d1ac010e93da039b4a046981845adf6f11273b3d (diff) | |
parent | b50122379c696f1ae31d4fa914c1c14d28cae826 (diff) |
Merge b5012237 (automated)
Diffstat (limited to 'runsc')
-rw-r--r-- | runsc/boot/fs.go | 1 | ||||
-rw-r--r-- | runsc/boot/loader.go | 33 |
2 files changed, 31 insertions, 3 deletions
diff --git a/runsc/boot/fs.go b/runsc/boot/fs.go index aaad0121b..7e95e1f41 100644 --- a/runsc/boot/fs.go +++ b/runsc/boot/fs.go @@ -518,6 +518,7 @@ func (c *containerMounter) setupFS(ctx context.Context, conf *Config, procArgs * Credentials: auth.NewRootCredentials(creds.UserNamespace), Umask: 0022, MaxSymlinkTraversals: linux.MaxSymlinkTraversals, + PIDNamespace: procArgs.PIDNamespace, } rootCtx := rootProcArgs.NewContext(c.k) diff --git a/runsc/boot/loader.go b/runsc/boot/loader.go index a8adaf292..50cac0433 100644 --- a/runsc/boot/loader.go +++ b/runsc/boot/loader.go @@ -138,6 +138,9 @@ type execProcess struct { // tty will be nil if the process is not attached to a terminal. tty *host.TTYFileOperations + + // pidnsPath is the pid namespace path in spec + pidnsPath string } func init() { @@ -278,6 +281,7 @@ func New(args Args) (*Loader, error) { RootUTSNamespace: kernel.NewUTSNamespace(args.Spec.Hostname, args.Spec.Hostname, creds.UserNamespace), RootIPCNamespace: kernel.NewIPCNamespace(creds.UserNamespace), RootAbstractSocketNamespace: kernel.NewAbstractSocketNamespace(), + PIDNamespace: kernel.NewRootPIDNamespace(creds.UserNamespace), }); err != nil { return nil, fmt.Errorf("initializing kernel: %v", err) } @@ -298,7 +302,7 @@ func New(args Args) (*Loader, error) { // Create a watchdog. dog := watchdog.New(k, watchdog.DefaultTimeout, args.Conf.WatchdogAction) - procArgs, err := newProcess(args.ID, args.Spec, creds, k) + procArgs, err := newProcess(args.ID, args.Spec, creds, k, k.RootPIDNamespace()) if err != nil { return nil, fmt.Errorf("creating init process for root container: %v", err) } @@ -376,7 +380,7 @@ func New(args Args) (*Loader, error) { } // newProcess creates a process that can be run with kernel.CreateProcess. -func newProcess(id string, spec *specs.Spec, creds *auth.Credentials, k *kernel.Kernel) (kernel.CreateProcessArgs, error) { +func newProcess(id string, spec *specs.Spec, creds *auth.Credentials, k *kernel.Kernel, pidns *kernel.PIDNamespace) (kernel.CreateProcessArgs, error) { // Create initial limits. ls, err := createLimitSet(spec) if err != nil { @@ -396,7 +400,9 @@ func newProcess(id string, spec *specs.Spec, creds *auth.Credentials, k *kernel. IPCNamespace: k.RootIPCNamespace(), AbstractSocketNamespace: k.RootAbstractSocketNamespace(), ContainerID: id, + PIDNamespace: pidns, } + return procArgs, nil } @@ -559,6 +565,9 @@ func (l *Loader) run() error { } ep.tg = l.k.GlobalInit() + if ns, ok := specutils.GetNS(specs.PIDNamespace, l.spec); ok { + ep.pidnsPath = ns.Path + } if l.console { ttyFile, _ := l.rootProcArgs.FDTable.Get(0) defer ttyFile.DecRef() @@ -627,7 +636,24 @@ func (l *Loader) startContainer(spec *specs.Spec, conf *Config, cid string, file caps, l.k.RootUserNamespace()) - procArgs, err := newProcess(cid, spec, creds, l.k) + var pidns *kernel.PIDNamespace + if ns, ok := specutils.GetNS(specs.PIDNamespace, spec); ok { + if ns.Path != "" { + for _, p := range l.processes { + if ns.Path == p.pidnsPath { + pidns = p.tg.PIDNamespace() + break + } + } + } + if pidns == nil { + pidns = l.k.RootPIDNamespace().NewChild(l.k.RootUserNamespace()) + } + l.processes[eid].pidnsPath = ns.Path + } else { + pidns = l.k.RootPIDNamespace() + } + procArgs, err := newProcess(cid, spec, creds, l.k, pidns) if err != nil { return fmt.Errorf("creating new process: %v", err) } @@ -749,6 +775,7 @@ func (l *Loader) executeAsync(args *control.ExecArgs) (kernel.ThreadID, error) { // Start the process. proc := control.Proc{Kernel: l.k} + args.PIDNamespace = tg.PIDNamespace() newTG, tgid, ttyFile, err := control.ExecAsync(&proc, args) if err != nil { return 0, err |