From: Christian Brauner Date: Fri, 22 Dec 2017 16:18:50 +0000 (+0100) Subject: start: simplify cgroup namespace preservation X-Git-Tag: lxc-2.0.10~447 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a2ffd2574a0311717e3fb8d911eaf2c5e6efd436;p=thirdparty%2Flxc.git start: simplify cgroup namespace preservation Since we are now dumpable we can open /proc//ns/cgroup so let's avoid the overhead of sending around fds. Signed-off-by: Christian Brauner --- diff --git a/src/lxc/start.c b/src/lxc/start.c index a89e750c5..11fab46ee 100644 --- a/src/lxc/start.c +++ b/src/lxc/start.c @@ -898,7 +898,7 @@ static int must_drop_cap_sys_boot(struct lxc_conf *conf) static int do_start(void *data) { - int fd, ret; + int ret; struct lxc_list *iterator; char path[PATH_MAX]; bool have_cap_setgid; @@ -1055,30 +1055,12 @@ static int do_start(void *data) /* Setup the container, ip, names, utsname, ... */ ret = lxc_setup(handler); close(handler->data_sock[1]); + close(handler->data_sock[0]); if (ret < 0) { ERROR("Failed to setup container \"%s\".", handler->name); - close(handler->data_sock[0]); goto out_warn_father; } - if (handler->clone_flags & CLONE_NEWCGROUP) { - fd = lxc_preserve_ns(lxc_raw_getpid(), "cgroup"); - if (fd < 0) { - ERROR("%s - Failed to preserve cgroup namespace", strerror(errno)); - close(handler->data_sock[0]); - goto out_warn_father; - } - - ret = lxc_abstract_unix_send_fds(handler->data_sock[0], &fd, 1, NULL, 0); - close(fd); - if (ret < 0) { - ERROR("%s - Failed to preserve cgroup namespace", strerror(errno)); - close(handler->data_sock[0]); - goto out_warn_father; - } - } - close(handler->data_sock[0]); - /* Set the label to change to when we exec(2) the container's init. */ if (lsm_process_label_set(NULL, handler->conf, 1, 1) < 0) goto out_warn_father; @@ -1492,6 +1474,17 @@ static int lxc_spawn(struct lxc_handler *handler) cgroup_disconnect(); cgroups_connected = false; + if (handler->clone_flags & CLONE_NEWCGROUP) { + /* Now we're ready to preserve the cgroup namespace */ + ret = lxc_preserve_ns(handler->pid, "cgroup"); + if (ret < 0) { + ERROR("%s - Failed to preserve cgroup namespace", strerror(errno)); + goto out_delete_net; + } + handler->nsfd[LXC_NS_CGROUP] = ret; + DEBUG("Preserved cgroup namespace via fd %d", ret); + } + /* Tell the child to complete its initialization and wait for it to exec * or return an error. (The child will never return * LXC_SYNC_POST_CGROUP+1. It will either close the sync pipe, causing @@ -1520,17 +1513,6 @@ static int lxc_spawn(struct lxc_handler *handler) goto out_delete_net; } - if (handler->clone_flags & CLONE_NEWCGROUP) { - ret = lxc_abstract_unix_recv_fds(handler->data_sock[1], - &handler->nsfd[LXC_NS_CGROUP], - 1, NULL, 0); - if (ret < 0) { - ERROR("%s - Failed to preserve cgroup namespace", strerror(errno)); - goto out_delete_net; - } - DEBUG("Preserved cgroup namespace via fd %d", handler->nsfd[LXC_NS_CGROUP]); - } - if (handler->ops->post_start(handler, handler->data)) goto out_abort;