If we don't re-open these after clone, the init process has a pointer to the parent's /dev/{zero,null}. CRIU seese these and wants to dump the parent's mount namespace, which is unnecessary. Instead, we should just re-open stdin/out/err after we do the clone and pivot root, to ensure that we have pointers to the devcies in init's rootfs instead of the host's.
v2: Only close fds if the container was daemonized. This didn't turn out as nicely as described on the list because lxc_start() doesn't actually have the struct lxc_container, so it cant see the flag. Instead, we just pass it down everywhere. Signed-off-by: Tycho Andersen <tycho.ander...@canonical.com> --- src/lxc/execute.c | 4 ++-- src/lxc/lxc.h | 22 +++++++++++++--------- src/lxc/lxc_execute.c | 2 +- src/lxc/lxccontainer.c | 10 ++-------- src/lxc/start.c | 17 ++++++++++++++--- src/lxc/start.h | 3 ++- 6 files changed, 34 insertions(+), 24 deletions(-) diff --git a/src/lxc/execute.c b/src/lxc/execute.c index a0f7ff1..d14092a 100644 --- a/src/lxc/execute.c +++ b/src/lxc/execute.c @@ -111,7 +111,7 @@ static struct lxc_operations execute_start_ops = { }; int lxc_execute(const char *name, char *const argv[], int quiet, - struct lxc_conf *conf, const char *lxcpath) + struct lxc_conf *conf, const char *lxcpath, bool backgrounded) { struct execute_args args = { .argv = argv, @@ -122,5 +122,5 @@ int lxc_execute(const char *name, char *const argv[], int quiet, return -1; conf->is_execute = 1; - return __lxc_start(name, conf, &execute_start_ops, &args, lxcpath); + return __lxc_start(name, conf, &execute_start_ops, &args, lxcpath, backgrounded); } diff --git a/src/lxc/lxc.h b/src/lxc/lxc.h index dd1048c..b1b858d 100644 --- a/src/lxc/lxc.h +++ b/src/lxc/lxc.h @@ -27,6 +27,7 @@ extern "C" { #endif +#include <stdbool.h> #include <stddef.h> #include <sys/select.h> #include <sys/types.h> @@ -44,24 +45,27 @@ struct lxc_arguments; /* * Start the specified command inside a system container - * @name : the name of the container - * @argv : an array of char * corresponding to the commande line - * @conf : configuration + * @name : the name of the container + * @argv : an array of char * corresponding to the commande line + * @conf : configuration + * @backgrounded : whether or not the container is daemonized * Returns 0 on success, < 0 otherwise */ extern int lxc_start(const char *name, char *const argv[], struct lxc_conf *conf, - const char *lxcpath); + const char *lxcpath, bool backgrounded); /* * Start the specified command inside an application container - * @name : the name of the container - * @argv : an array of char * corresponding to the commande line - * @quiet : if != 0 then lxc-init won't produce any output - * @conf : configuration + * @name : the name of the container + * @argv : an array of char * corresponding to the commande line + * @quiet : if != 0 then lxc-init won't produce any output + * @conf : configuration + * @backgrounded : whether or not the container is daemonized * Returns 0 on success, < 0 otherwise */ extern int lxc_execute(const char *name, char *const argv[], int quiet, - struct lxc_conf *conf, const char *lxcpath); + struct lxc_conf *conf, const char *lxcpath, + bool backgrounded); /* * Open the monitoring mechanism for a specific container diff --git a/src/lxc/lxc_execute.c b/src/lxc/lxc_execute.c index b602793..4f1e1f6 100644 --- a/src/lxc/lxc_execute.c +++ b/src/lxc/lxc_execute.c @@ -139,7 +139,7 @@ int main(int argc, char *argv[]) if (lxc_config_define_load(&defines, conf)) return 1; - ret = lxc_execute(my_args.name, my_args.argv, my_args.quiet, conf, my_args.lxcpath[0]); + ret = lxc_execute(my_args.name, my_args.argv, my_args.quiet, conf, my_args.lxcpath[0], false); lxc_conf_free(conf); diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c index 0ca5b9f..d49426f 100644 --- a/src/lxc/lxccontainer.c +++ b/src/lxc/lxccontainer.c @@ -584,7 +584,7 @@ static bool lxcapi_start(struct lxc_container *c, int useinit, char * const argv container_mem_unlock(c); if (useinit) { - ret = lxc_execute(c->name, argv, 1, conf, c->config_path); + ret = lxc_execute(c->name, argv, 1, conf, c->config_path, daemonize); return ret == 0 ? true : false; } @@ -642,12 +642,6 @@ static bool lxcapi_start(struct lxc_container *c, int useinit, char * const argv return false; } lxc_check_inherited(conf, true, -1); - close(0); - close(1); - close(2); - open("/dev/zero", O_RDONLY); - open("/dev/null", O_RDWR); - open("/dev/null", O_RDWR); setsid(); } else { if (!am_single_threaded()) { @@ -687,7 +681,7 @@ reboot: goto out; } - ret = lxc_start(c->name, argv, conf, c->config_path); + ret = lxc_start(c->name, argv, conf, c->config_path, daemonize); c->error_num = ret; if (conf->reboot) { diff --git a/src/lxc/start.c b/src/lxc/start.c index d615375..8aedc7d 100644 --- a/src/lxc/start.c +++ b/src/lxc/start.c @@ -759,6 +759,15 @@ static int do_start(void *data) close(handler->sigfd); + if (handler->backgrounded) { + close(0); + close(1); + close(2); + open("/dev/zero", O_RDONLY); + open("/dev/null", O_RDWR); + open("/dev/null", O_RDWR); + } + /* after this call, we are in error because this * ops should not return as it execs */ handler->ops->start(handler, handler->data); @@ -1112,7 +1121,8 @@ int get_netns_fd(int pid) } int __lxc_start(const char *name, struct lxc_conf *conf, - struct lxc_operations* ops, void *data, const char *lxcpath) + struct lxc_operations* ops, void *data, const char *lxcpath, + bool backgrounded) { struct lxc_handler *handler; int err = -1; @@ -1126,6 +1136,7 @@ int __lxc_start(const char *name, struct lxc_conf *conf, } handler->ops = ops; handler->data = data; + handler->backgrounded = backgrounded; if (must_drop_cap_sys_boot(handler->conf)) { #if HAVE_SYS_CAPABILITY_H @@ -1257,12 +1268,12 @@ static struct lxc_operations start_ops = { }; int lxc_start(const char *name, char *const argv[], struct lxc_conf *conf, - const char *lxcpath) + const char *lxcpath, bool backgrounded) { struct start_args start_arg = { .argv = argv, }; conf->need_utmp_watch = 1; - return __lxc_start(name, conf, &start_ops, &start_arg, lxcpath); + return __lxc_start(name, conf, &start_ops, &start_arg, lxcpath, backgrounded); } diff --git a/src/lxc/start.h b/src/lxc/start.h index aab063a..f1a41f5 100644 --- a/src/lxc/start.h +++ b/src/lxc/start.h @@ -74,6 +74,7 @@ struct lxc_handler { const char *lxcpath; void *cgroup_data; int ttysock[2]; // socketpair for child->parent tty fd passing + bool backgrounded; // indicates whether should we close std{in,out,err} on start }; @@ -85,7 +86,7 @@ extern void lxc_fini(const char *name, struct lxc_handler *handler); extern int lxc_check_inherited(struct lxc_conf *conf, bool closeall, int fd_to_ignore); int __lxc_start(const char *, struct lxc_conf *, struct lxc_operations *, - void *, const char *); + void *, const char *, bool); extern void resolve_clone_flags(struct lxc_handler *handler); #endif -- 2.1.4 _______________________________________________ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel