In CRIU and LXC-restore we met the situation, when iptables in container can't be restored because of permission denied:
https://github.com/checkpoint-restore/criu/issues/469 Containers want to restore their own net ns, while they may have no their own mnt ns. This case they share host's /run/xtables.lock file, but they may not have permission to open it. Patch makes /run/xtables.lock to be per-namespace, i.e., to refer to the caller task's net ns. What you think? Thanks, Kirill Signed-off-by: Kirill Tkhai <ktk...@virtuozzo.com> --- iptables/xshared.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/iptables/xshared.c b/iptables/xshared.c index 06db72d4..b6dbe4e7 100644 --- a/iptables/xshared.c +++ b/iptables/xshared.c @@ -254,7 +254,12 @@ static int xtables_lock(int wait, struct timeval *wait_interval) time_left.tv_sec = wait; time_left.tv_usec = 0; - fd = open(XT_LOCK_NAME, O_CREAT, 0600); + if (symlink("/proc/self/ns/net", XT_LOCK_NAME) != 0 && + errno != EEXIST) { + fprintf(stderr, "Fatal: can't create lock file\n"); + return XT_LOCK_FAILED; + } + fd = open(XT_LOCK_NAME, O_RDONLY); if (fd < 0) { fprintf(stderr, "Fatal: can't open lock file %s: %s\n", XT_LOCK_NAME, strerror(errno));
