From 8bf3abfbd04670101dad7c2adc197a77054a3d70 Mon Sep 17 00:00:00 2001
From: Christian Brauner
Date: Fri, 22 Dec 2017 17:18:50 +0100
Subject: [PATCH] start: simplify cgroup namespace preservation
Since we are now dumpable we can open /proc//ns/cgroup so let's avoid the overhead of sending around fds.
Signed-off-by: Christian Brauner
---
 src/lxc/start.c | 46 ++++++++++++++--------------------------------
 1 file changed, 14 insertions(+), 32 deletions(-)
diff --git a/src/lxc/start.c b/src/lxc/start.c
index 6ac7784e6..c7d87fb3c 100644
--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -868,7 +868,7 @@ void lxc_abort(const char *name, struct lxc_handler *handler)
 static int do_start(void *data)
 {
- int fd, ret;
+ int ret;
 struct lxc_list *iterator;
 char path[PATH_MAX];
 struct lxc_handler *handler = data;
@@ -1014,30 +1014,12 @@ static int do_start(void *data)
 /* Setup the container, ip, names, utsname, ... */
 ret = lxc_setup(handler);
 close(handler->data_sock[1]);
+ close(handler->data_sock[0]);
 if (ret < 0) {
 ERROR("Failed to setup container \"%s\".", handler->name);
- close(handler->data_sock[0]);
 goto out_warn_father;
 }
- if (handler->clone_flags & CLONE_NEWCGROUP) {
- fd = lxc_preserve_ns(lxc_raw_getpid(), "cgroup");
- if (fd < 0) {
- ERROR("%s - Failed to preserve cgroup namespace", strerror(errno));
- close(handler->data_sock[0]);
- goto out_warn_father;
- }
-
- ret = lxc_abstract_unix_send_fds(handler->data_sock[0], &fd, 1, NULL, 0);
- close(fd);
- if (ret < 0) {
- ERROR("%s - Failed to preserve cgroup namespace", strerror(errno));
- close(handler->data_sock[0]);
- goto out_warn_father;
- }
- }
- close(handler->data_sock[0]);
-
 /* Set the label to change to when we exec(2) the container's init. */
 if (lsm_process_label_set(NULL, handler->conf, 1, 1) < 0)
 goto out_warn_father;
@@ -1442,7 +1424,7 @@ static int lxc_spawn(struct lxc_handler *handler)
 if (handler->on_clone_flags & ns_info[i].clone_flag)
 INFO("Cloned %s", ns_info[i].flag_name);
- if (!preserve_ns(handler->nsfd, handler->clone_flags & ~CLONE_NEWNET, handler->pid)) {
+ if (!preserve_ns(handler->nsfd, handler->on_clone_flags, handler->pid)) {
 ERROR("Failed to preserve cloned namespaces for lxc.hook.stop");
 goto out_delete_net;
 }
@@ -1547,6 +1529,17 @@ static int lxc_spawn(struct lxc_handler *handler)
 cgroup_disconnect();
 cgroups_connected = false;
+ if (handler->clone_flags & CLONE_NEWCGROUP) {
+ /* Now we're ready to preserve the cgroup namespace */
+ ret = lxc_preserve_ns(handler->pid, "cgroup");
+ if (ret < 0) {
+ ERROR("%s - Failed to preserve cgroup namespace", strerror(errno));
+ goto out_delete_net;
+ }
+ handler->nsfd[LXC_NS_CGROUP] = ret;
+ DEBUG("Preserved cgroup namespace via fd %d", ret);
+ }
+
 snprintf(pidstr, 20, "%d", handler->pid);
 if (setenv("LXC_PID", pidstr, 1))
 SYSERROR("Failed to set environment variable: LXC_PID=%s.", pidstr);
@@ -1585,17 +1578,6 @@ static int lxc_spawn(struct lxc_handler *handler)
 goto out_delete_net;
 }
- if (handler->clone_flags & CLONE_NEWCGROUP) {
- ret = lxc_abstract_unix_recv_fds(handler->data_sock[1],
- &handler->nsfd[LXC_NS_CGROUP],
- 1, NULL, 0);
- if (ret < 0) {
- ERROR("%s - Failed to preserve cgroup namespace", strerror(errno));
- goto out_delete_net;
- }
- DEBUG("Preserved cgroup namespace via fd %d", handler->nsfd[LXC_NS_CGROUP]);
- }
-
 if (handler->ops->post_start(handler, handler->data))
 goto out_abort;
-- 
2.47.2
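Review bot: The rewritten preserve_ns() call on the `+` line of the `@@ -1442` hunk changes which namespace descriptors get opened for lxc.hook.stop — the old mask was `clone_flags & ~CLONE_NEWNET`, the new one is `on_clone_flags` — and neither the hunk nor the commit message says how the two sets differ or whether CLONE_NEWNET is still excluded. Presumably on_clone_flags holds only the namespaces actually created by clone(2), with the cgroup namespace handled by the separate block added further down in lxc_spawn; if so, a short comment would keep the next reader from "restoring" the old mask, e.g. `/* on_clone_flags: namespaces created by clone(2); the cgroup ns is preserved separately below. */`. lxc_spawn's body starts and ends outside this hunk.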
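Review bot: In the `@@ -1547` hunk the assignment `handler->nsfd[LXC_NS_CGROUP] = ret;` overwrites whatever preserve_ns() stored in that slot earlier in lxc_spawn without closing it; whether that leaks a descriptor depends on whether on_clone_flags can still carry CLONE_NEWCGROUP, which the diff does not show. If it can, release the previous descriptor first with `if (handler->nsfd[LXC_NS_CGROUP] >= 0) close(handler->nsfd[LXC_NS_CGROUP]);` (assuming unused slots are initialised to -1, which is not visible here). Reusing `ret` to carry the new fd also leaves the function's return-code variable holding a positive fd number on the success path of this block; a dedicated local such as `int cgroup_nsfd = lxc_preserve_ns(handler->pid, "cgroup");` would keep ret's meaning unambiguous, though how ret is consumed afterwards is outside the hunk since lxc_spawn continues past it.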