add option to close inherited fds

The option is implied by '-d', because the admin won't see the warning
message.

Signed-off-by: Serge Hallyn <serge@hallyn.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>

diff --git a/src/lxc/arguments.h b/src/lxc/arguments.h
index 6a2ffc6836dc3a0d17f5b8ac0abbe9225e54e226..40f0d6c1b9f2a40e3f0e8c39bf22c0b3b2dd179c 100644 (file)
--- a/src/lxc/arguments.h
+++ b/src/lxc/arguments.h
@@ -58,6 +58,9 @@ struct lxc_arguments {
        /* for lxc-wait */
        char *states;
 
+       /* close fds from parent? */
+       int close_all_fds;
+
        /* remaining arguments */
        char *const *argv;
        int argc;

diff --git a/src/lxc/conf.h b/src/lxc/conf.h
index 24e7c43dcb907552ef7054c85cdcc00f71c20c79..09f55cb3fba794d36fd28be9bd9e4c53b206fdd6 100644 (file)
--- a/src/lxc/conf.h
+++ b/src/lxc/conf.h
@@ -215,6 +215,7 @@ struct lxc_conf {
        struct lxc_console console;
        struct lxc_rootfs rootfs;
        char *ttydir;
+       int close_all_fds;
 };
 
 /*

diff --git a/src/lxc/execute.c b/src/lxc/execute.c
index 43210e2724098d975eb75962621c18e2d16df873..8f428f179ecdbba532225c8f1465b0c80e46dcb7 100644 (file)
--- a/src/lxc/execute.c
+++ b/src/lxc/execute.c
@@ -83,7 +83,7 @@ int lxc_execute(const char *name, char *const argv[], int quiet,
                .quiet = quiet
        };
 
-       if (lxc_check_inherited(-1))
+       if (lxc_check_inherited(conf, -1))
                return -1;
 
        return __lxc_start(name, conf, &execute_start_ops, &args);

diff --git a/src/lxc/lxc_start.c b/src/lxc/lxc_start.c
index fdd4c72c4fefcc438f948be4147268ea9be175d2..755944435fa6794ae0133730b38668a379b99089 100644 (file)
--- a/src/lxc/lxc_start.c
+++ b/src/lxc/lxc_start.c
@@ -58,8 +58,9 @@ static int my_parser(struct lxc_arguments* args, int c, char* arg)
 {
        switch (c) {
        case 'c': args->console = arg; break;
-       case 'd': args->daemonize = 1; break;
+       case 'd': args->daemonize = 1; args->close_all_fds = 1; break;
        case 'f': args->rcfile = arg; break;
+       case 'C': args->close_all_fds = 1; break;
        case 's': return lxc_config_define_add(&defines, arg);
        }
        return 0;
@@ -70,6 +71,7 @@ static const struct option my_longopts[] = {
        {"rcfile", required_argument, 0, 'f'},
        {"define", required_argument, 0, 's'},
        {"console", required_argument, 0, 'c'},
+       {"close-all-fds", no_argument, 0, 'C'},
        LXC_COMMON_OPTIONS
 };
 
@@ -85,6 +87,9 @@ Options :\n\
   -d, --daemon         daemonize the container\n\
   -f, --rcfile=FILE    Load configuration file FILE\n\
   -c, --console=FILE   Set the file output for the container console\n\
+  -C, --close-all-fds  If any fds are inherited, close them\n\
+                       If not specified, exit with failure instead\n\
+                      Note: --daemon implies --close-all-fds\n\
   -s, --define KEY=VAL Assign VAL to configuration variable KEY\n",
        .options   = my_longopts,
        .parser    = my_parser,
@@ -199,6 +204,9 @@ int main(int argc, char *argv[])
                return err;
        }
 
+       if (my_args.close_all_fds)
+               conf->close_all_fds = 1;
+
        err = lxc_start(my_args.name, args, conf);
 
        /*

diff --git a/src/lxc/restart.c b/src/lxc/restart.c
index a19b94820ba86e3e1b61c479694602a11ad68953..a054838641f49d3b68103d794acefe411178e281 100644 (file)
--- a/src/lxc/restart.c
+++ b/src/lxc/restart.c
@@ -71,7 +71,7 @@ int lxc_restart(const char *name, int sfd, struct lxc_conf *conf, int flags)
                .flags = flags
        };
 
-       if (lxc_check_inherited(sfd))
+       if (lxc_check_inherited(conf, sfd))
                return -1;
 
        return __lxc_start(name, conf, &restart_ops, &restart_arg);

diff --git a/src/lxc/start.c b/src/lxc/start.c
index f3a47a3af625bb0e6796d53ba8e565bab6bc72a8..fc2a1b148b9256cfc6355b9a4863690e0d2ffbd8 100644 (file)
--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -134,12 +134,13 @@ static int match_fd(int fd)
        return (fd == 0 || fd == 1 || fd == 2);
 }
 
-int lxc_check_inherited(int fd_to_ignore)
+int lxc_check_inherited(struct lxc_conf *conf, int fd_to_ignore)
 {
        struct dirent dirent, *direntp;
        int fd, fddir;
        DIR *dir;
 
+restart:
        dir = opendir("/proc/self/fd");
        if (!dir) {
                WARN("failed to open directory: %m");
@@ -166,6 +167,12 @@ int lxc_check_inherited(int fd_to_ignore)
                if (match_fd(fd))
                        continue;
 
+               if (conf->close_all_fds) {
+                       close(fd);
+                       closedir(dir);
+                       INFO("closed inherited fd %d", fd);
+                       goto restart;
+               }
                WARN("inherited fd %d", fd);
        }
 
@@ -709,7 +716,7 @@ int lxc_start(const char *name, char *const argv[], struct lxc_conf *conf)
                .argv = argv,
        };
 
-       if (lxc_check_inherited(-1))
+       if (lxc_check_inherited(conf, -1))
                return -1;
 
        conf->need_utmp_watch = 1;

diff --git a/src/lxc/start.h b/src/lxc/start.h
index 4009e1dbf472715bf0d8380699a39eafa825a907..016d3ee55a2a970eab45576ebe78a5b7e1f16011 100644 (file)
--- a/src/lxc/start.h
+++ b/src/lxc/start.h
@@ -54,7 +54,7 @@ extern int lxc_poll(const char *name, struct lxc_handler *handler);
 extern void lxc_abort(const char *name, struct lxc_handler *handler);
 extern void lxc_fini(const char *name, struct lxc_handler *handler);
 extern int lxc_set_state(const char *, struct lxc_handler *, lxc_state_t);
-extern int lxc_check_inherited(int fd_to_ignore);
+extern int lxc_check_inherited(struct lxc_conf *conf, int fd_to_ignore);
 int __lxc_start(const char *, struct lxc_conf *, struct lxc_operations *,
                void *);