start: simplify cgroup namespace preservation
authorChristian Brauner <christian.brauner@ubuntu.com>
Fri, 22 Dec 2017 16:18:50 +0000 (17:18 +0100)
committerChristian Brauner <christian.brauner@ubuntu.com>
Tue, 2 Jan 2018 00:04:24 +0000 (01:04 +0100)
Since the child is now dumpable, the parent can open /proc/<child-pid>/ns/cgroup
directly, so let's avoid the overhead of sending fds around over the socket.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
src/lxc/start.c

index a89e750c56cc6913b4565c7cced128a757f54c03..11fab46eed84cd7ce914342d94761e5b30bdea9e 100644 (file)
@@ -898,7 +898,7 @@ static int must_drop_cap_sys_boot(struct lxc_conf *conf)
 
 static int do_start(void *data)
 {
-       int fd, ret;
+       int ret;
        struct lxc_list *iterator;
        char path[PATH_MAX];
        bool have_cap_setgid;
@@ -1055,30 +1055,12 @@ static int do_start(void *data)
        /* Setup the container, ip, names, utsname, ... */
        ret = lxc_setup(handler);
        close(handler->data_sock[1]);
+       close(handler->data_sock[0]);
        if (ret < 0) {
                ERROR("Failed to setup container \"%s\".", handler->name);
-               close(handler->data_sock[0]);
                goto out_warn_father;
        }
 
-       if (handler->clone_flags & CLONE_NEWCGROUP) {
-               fd = lxc_preserve_ns(lxc_raw_getpid(), "cgroup");
-               if (fd < 0) {
-                       ERROR("%s - Failed to preserve cgroup namespace", strerror(errno));
-                       close(handler->data_sock[0]);
-                       goto out_warn_father;
-               }
-
-               ret = lxc_abstract_unix_send_fds(handler->data_sock[0], &fd, 1, NULL, 0);
-               close(fd);
-               if (ret < 0) {
-                       ERROR("%s - Failed to preserve cgroup namespace", strerror(errno));
-                       close(handler->data_sock[0]);
-                       goto out_warn_father;
-               }
-       }
-       close(handler->data_sock[0]);
-
        /* Set the label to change to when we exec(2) the container's init. */
        if (lsm_process_label_set(NULL, handler->conf, 1, 1) < 0)
                goto out_warn_father;
@@ -1492,6 +1474,17 @@ static int lxc_spawn(struct lxc_handler *handler)
        cgroup_disconnect();
        cgroups_connected = false;
 
+       if (handler->clone_flags & CLONE_NEWCGROUP) {
+               /* Now we're ready to preserve the cgroup namespace */
+               ret = lxc_preserve_ns(handler->pid, "cgroup");
+               if (ret < 0) {
+                       ERROR("%s - Failed to preserve cgroup namespace", strerror(errno));
+                       goto out_delete_net;
+               }
+               handler->nsfd[LXC_NS_CGROUP] = ret;
+               DEBUG("Preserved cgroup namespace via fd %d", ret);
+       }
+
        /* Tell the child to complete its initialization and wait for it to exec
         * or return an error. (The child will never return
         * LXC_SYNC_POST_CGROUP+1. It will either close the sync pipe, causing
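Review bot: The new `lxc_preserve_ns(handler->pid, "cgroup")` call runs before the parent tells the child to complete its initialization, so the fd stored in `handler->nsfd[LXC_NS_CGROUP]` is whatever cgroup namespace the child occupies at that instant; that is only the container's namespace if CLONE_NEWCGROUP is passed to clone() itself, and if the child instead unshares its cgroup namespace later in do_start (after this barrier, as the old code's placement after lxc_setup() suggests it might), the parent would capture its own namespace and every later setns() through this fd would land in the wrong place. If the namespace is created at clone() time, say so where the fd is taken: `/* The child was cloned with CLONE_NEWCGROUP, so /proc/<pid>/ns/cgroup already refers to the container's cgroup namespace. */`; otherwise the open needs a sync point after the child's unshare. The open also depends on the child being dumpable, since /proc/<pid>/ns/ is gated by ptrace read access, and that precondition is only stated in the commit message; a one-line comment naming it here would stop a future change to the child's dumpable flag from silently breaking this path. lxc_spawn's body starts and ends outside this hunk.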
@@ -1520,17 +1513,6 @@ static int lxc_spawn(struct lxc_handler *handler)
                goto out_delete_net;
        }
 
-       if (handler->clone_flags & CLONE_NEWCGROUP) {
-               ret = lxc_abstract_unix_recv_fds(handler->data_sock[1],
-                                                &handler->nsfd[LXC_NS_CGROUP],
-                                                1, NULL, 0);
-               if (ret < 0) {
-                       ERROR("%s - Failed to preserve cgroup namespace", strerror(errno));
-                       goto out_delete_net;
-               }
-               DEBUG("Preserved cgroup namespace via fd %d", handler->nsfd[LXC_NS_CGROUP]);
-       }
-
        if (handler->ops->post_start(handler, handler->data))
                goto out_abort;