From: Alban Crequy <al...@endocode.com>

When systemd-nspawn gets exec*()ed, it inherits the following file descriptors:

- 0, 1, 2: stdin, stdout, stderr
- SD_LISTEN_FDS_START, ... SD_LISTEN_FDS_START+LISTEN_FDS: file descriptors passed by the system manager (useful for socket activation). They are passed to the child process (process leader).
- extra lock fd: rkt passes a locked directory as an extra fd, so the directory remains locked as long as the container is alive.
systemd-nspawn used to close all open fds except 0, 1, 2 and the SD_LISTEN_FDS_START..SD_LISTEN_FDS_START+LISTEN_FDS. This patch delays the close just before the exec so the nspawn process (parent) keeps the extra fds open. This patch supersedes the previous attempt ("cloexec extraneous fds"): http://lists.freedesktop.org/archives/systemd-devel/2015-May/031608.html --- src/nspawn/nspawn.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c index 8aa7b45..85a7bad 100644 --- a/src/nspawn/nspawn.c +++ b/src/nspawn/nspawn.c @@ -3998,7 +3998,6 @@ int main(int argc, char *argv[]) { goto finish; } } - fdset_close_others(fds); log_open(); if (arg_directory) { @@ -4509,6 +4508,8 @@ int main(int argc, char *argv[]) { * setup, too... */ (void) barrier_place_and_sync(&barrier); /* #5 */ + (void) fdset_close_others(fds); + if (arg_boot) { char **a; size_t l; -- 2.1.4 _______________________________________________ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
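Review bot: in the first hunk, removing the early `fdset_close_others(fds);` before `log_open()` leaves nothing in the code saying why the parent now deliberately keeps every inherited fd outside `fds` open for the container's whole lifetime; the rkt lock-fd rationale lives only in the commit message. Add a one-line comment at the removal site along the lines of `/* fds not in 'fds' (e.g. a lock fd held by our caller) stay open in the parent on purpose; the child closes them right before exec */`, so a later cleanup does not reintroduce the early close and silently break the lock-fd use case.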
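Review bot: in the second hunk, the added `(void) fdset_close_others(fds);` after barrier #5 discards the return value, but this is now the child's only chance to drop inherited descriptors before the container payload runs, and a failure that goes unnoticed here would leak host fds (including the caller's lock fd described in the commit message) into the container. Check the result and bail out of the child rather than continuing to exec, for example `r = fdset_close_others(fds); if (r < 0) { log_error_errno(r, "Failed to close other fds: %m"); _exit(EXIT_FAILURE); }` (using whichever error-reporting and exit helpers the surrounding child code already uses; the exact helper names are assumed here).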