2 * lxc: linux Container library
4 * (C) Copyright IBM Corp. 2007, 2008
7 * Daniel Lezcano <daniel.lezcano at free.fr>
9 * This library is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU Lesser General Public
11 * License as published by the Free Software Foundation; either
12 * version 2.1 of the License, or (at your option) any later version.
14 * This library is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 * Lesser General Public License for more details.
19 * You should have received a copy of the GNU Lesser General Public
20 * License along with this library; if not, write to the Free Software
21 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
31 #include <sys/param.h>
32 #include <sys/prctl.h>
33 #include <sys/mount.h>
34 #include <sys/socket.h>
35 #include <sys/syscall.h>
37 #include <linux/unistd.h>
40 #if !HAVE_DECL_PR_CAPBSET_DROP
41 #define PR_CAPBSET_DROP 24
44 #include "namespace.h"
54 #if HAVE_SYS_PERSONALITY_H
55 #include <sys/personality.h>
59 # define SOCK_CLOEXEC 02000000
62 lxc_log_define(lxc_attach
, lxc
);
64 struct lxc_proc_context_info
*lxc_proc_get_context_info(pid_t pid
)
66 struct lxc_proc_context_info
*info
= calloc(1, sizeof(*info
));
68 char proc_fn
[MAXPATHLEN
];
70 size_t line_bufsz
= 0;
74 SYSERROR("Could not allocate memory.");
78 /* read capabilities */
79 snprintf(proc_fn
, MAXPATHLEN
, "/proc/%d/status", pid
);
81 proc_file
= fopen(proc_fn
, "r");
83 SYSERROR("Could not open %s", proc_fn
);
88 while (getline(&line
, &line_bufsz
, proc_file
) != -1) {
89 ret
= sscanf(line
, "CapBnd: %llx", &info
->capability_mask
);
90 if (ret
!= EOF
&& ret
> 0) {
101 SYSERROR("Could not read capability bounding set from %s", proc_fn
);
106 /* read personality */
107 snprintf(proc_fn
, MAXPATHLEN
, "/proc/%d/personality", pid
);
109 proc_file
= fopen(proc_fn
, "r");
111 SYSERROR("Could not open %s", proc_fn
);
115 ret
= fscanf(proc_file
, "%lx", &info
->personality
);
118 if (ret
== EOF
|| ret
== 0) {
119 SYSERROR("Could not read personality from %s", proc_fn
);
123 info
->aa_profile
= aa_get_profile(pid
);
132 int lxc_attach_to_ns(pid_t pid
, int which
)
134 char path
[MAXPATHLEN
];
135 /* according to <http://article.gmane.org/gmane.linux.kernel.containers.lxc.devel/1429>,
136 * the file for user namepsaces in /proc/$pid/ns will be called
137 * 'user' once the kernel supports it
139 static char *ns
[] = { "mnt", "pid", "uts", "ipc", "user", "net" };
140 static int flags
[] = {
141 CLONE_NEWNS
, CLONE_NEWPID
, CLONE_NEWUTS
, CLONE_NEWIPC
,
142 CLONE_NEWUSER
, CLONE_NEWNET
144 static const int size
= sizeof(ns
) / sizeof(char *);
146 int i
, j
, saved_errno
;
149 snprintf(path
, MAXPATHLEN
, "/proc/%d/ns", pid
);
150 if (access(path
, X_OK
)) {
151 ERROR("Does this kernel version support 'attach' ?");
155 for (i
= 0; i
< size
; i
++) {
156 /* ignore if we are not supposed to attach to that
159 if (which
!= -1 && !(which
& flags
[i
])) {
164 snprintf(path
, MAXPATHLEN
, "/proc/%d/ns/%s", pid
, ns
[i
]);
165 fd
[i
] = open(path
, O_RDONLY
| O_CLOEXEC
);
169 /* close all already opened file descriptors before
170 * we return an error, so we don't leak them
172 for (j
= 0; j
< i
; j
++)
176 SYSERROR("failed to open '%s'", path
);
181 for (i
= 0; i
< size
; i
++) {
182 if (fd
[i
] >= 0 && setns(fd
[i
], 0) != 0) {
185 for (j
= i
; j
< size
; j
++)
189 SYSERROR("failed to set namespace '%s'", ns
[i
]);
199 int lxc_attach_remount_sys_proc()
203 ret
= unshare(CLONE_NEWNS
);
205 SYSERROR("failed to unshare mount namespace");
209 /* assume /proc is always mounted, so remount it */
210 ret
= umount2("/proc", MNT_DETACH
);
212 SYSERROR("failed to unmount /proc");
216 ret
= mount("none", "/proc", "proc", 0, NULL
);
218 SYSERROR("failed to remount /proc");
222 /* try to umount /sys - if it's not a mount point,
223 * we'll get EINVAL, then we ignore it because it
224 * may not have been mounted in the first place
226 ret
= umount2("/sys", MNT_DETACH
);
227 if (ret
< 0 && errno
!= EINVAL
) {
228 SYSERROR("failed to unmount /sys");
230 } else if (ret
== 0) {
232 ret
= mount("none", "/sys", "sysfs", 0, NULL
);
234 SYSERROR("failed to remount /sys");
242 int lxc_attach_drop_privs(struct lxc_proc_context_info
*ctx
)
244 int last_cap
= lxc_caps_last_cap();
247 for (cap
= 0; cap
<= last_cap
; cap
++) {
248 if (ctx
->capability_mask
& (1LL << cap
))
251 if (prctl(PR_CAPBSET_DROP
, cap
, 0, 0, 0)) {
252 SYSERROR("failed to remove capability id %d", cap
);
260 int lxc_attach_set_environment(enum lxc_attach_env_policy_t policy
, char** extra_env
, char** extra_keep
)
262 if (policy
== LXC_ATTACH_CLEAR_ENV
) {
263 char **extra_keep_store
= NULL
;
269 for (count
= 0; extra_keep
[count
]; count
++);
271 extra_keep_store
= calloc(count
, sizeof(char *));
272 if (!extra_keep_store
) {
273 SYSERROR("failed to allocate memory for storing current "
274 "environment variable values that will be kept");
277 for (i
= 0; i
< count
; i
++) {
278 char *v
= getenv(extra_keep
[i
]);
280 extra_keep_store
[i
] = strdup(v
);
281 if (!extra_keep_store
[i
]) {
282 SYSERROR("failed to allocate memory for storing current "
283 "environment variable values that will be kept");
285 free(extra_keep_store
[--i
]);
286 free(extra_keep_store
);
289 if (strcmp(extra_keep
[i
], "PATH") == 0)
292 /* calloc sets entire array to zero, so we don't
299 SYSERROR("failed to clear environment");
300 if (extra_keep_store
) {
301 for (p
= extra_keep_store
; *p
; p
++)
303 free(extra_keep_store
);
308 if (extra_keep_store
) {
310 for (i
= 0; extra_keep
[i
]; i
++) {
311 if (extra_keep_store
[i
])
312 setenv(extra_keep
[i
], extra_keep_store
[i
], 1);
313 free(extra_keep_store
[i
]);
315 free(extra_keep_store
);
318 /* always set a default path; shells and execlp tend
319 * to be fine without it, but there is a disturbing
320 * number of C programs out there that just assume
321 * that getenv("PATH") is never NULL and then die a
322 * painful segfault death. */
328 n
= confstr(_CS_PATH
, NULL
, 0);
329 path_env
= malloc(n
);
331 confstr(_CS_PATH
, path_env
, n
);
332 setenv("PATH", path_env
, 1);
335 /* don't error out, this is just an extra service */
337 setenv("PATH", "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", 1);
342 if (putenv("container=lxc")) {
343 SYSERROR("failed to set environment variable");
347 /* set extra environment variables */
349 for (; *extra_env
; extra_env
++) {
350 /* duplicate the string, just to be on
351 * the safe side, because putenv does not
353 char *p
= strdup(*extra_env
);
354 /* we just assume the user knows what they
355 * are doing, so we don't do any checks */
357 SYSERROR("failed to allocate memory for additional environment "
368 char *lxc_attach_getpwshell(uid_t uid
)
370 /* local variables */
377 /* we need to fork off a process that runs the
378 * getent program, and we need to capture its
379 * output, so we use a pipe for that purpose
396 size_t line_bufsz
= 0;
402 pipe_f
= fdopen(pipes
[0], "r");
403 while (getline(&line
, &line_bufsz
, pipe_f
) != -1) {
405 char *saveptr
= NULL
;
410 /* if we already found something, just continue
411 * to read until the pipe doesn't deliver any more
412 * data, but don't modify the existing data
418 /* trim line on the right hand side */
419 for (i
= strlen(line
); i
> 0 && (line
[i
- 1] == '\n' || line
[i
- 1] == '\r'); --i
)
422 /* split into tokens: first user name */
423 token
= strtok_r(line
, ":", &saveptr
);
426 /* next: dummy password field */
427 token
= strtok_r(NULL
, ":", &saveptr
);
431 token
= strtok_r(NULL
, ":", &saveptr
);
432 value
= token
? strtol(token
, &endptr
, 10) : 0;
433 if (!token
|| !endptr
|| *endptr
|| value
== LONG_MIN
|| value
== LONG_MAX
)
435 /* dummy sanity check: user id matches */
436 if ((uid_t
) value
!= uid
)
438 /* skip fields: gid, gecos, dir, go to next field 'shell' */
439 for (i
= 0; i
< 4; i
++) {
440 token
= strtok_r(NULL
, ":", &saveptr
);
448 result
= strdup(token
);
450 /* sanity check that there are no fields after that */
451 token
= strtok_r(NULL
, ":", &saveptr
);
461 if (waitpid(pid
, &status
, 0) < 0) {
467 /* some sanity checks: if anything even hinted at going
468 * wrong: we can't be sure we have a valid result, so
472 if (!WIFEXITED(status
))
475 if (WEXITSTATUS(status
) != 0)
485 char *arguments
[] = {
494 /* we want to capture stdout */
498 /* get rid of stdin/stderr, so we try to associate it
501 fd
= open("/dev/null", O_RDWR
);
511 /* finish argument list */
512 ret
= snprintf(uid_buf
, sizeof(uid_buf
), "%ld", (long) uid
);
516 /* try to run getent program */
517 (void) execvp("getent", arguments
);
522 void lxc_attach_get_init_uidgid(uid_t
* init_uid
, gid_t
* init_gid
)
525 char proc_fn
[MAXPATHLEN
];
527 size_t line_bufsz
= 0;
530 uid_t uid
= (uid_t
)-1;
531 gid_t gid
= (gid_t
)-1;
533 /* read capabilities */
534 snprintf(proc_fn
, MAXPATHLEN
, "/proc/%d/status", 1);
536 proc_file
= fopen(proc_fn
, "r");
540 while (getline(&line
, &line_bufsz
, proc_file
) != -1) {
541 /* format is: real, effective, saved set user, fs
542 * we only care about real uid
544 ret
= sscanf(line
, "Uid: %ld", &value
);
545 if (ret
!= EOF
&& ret
> 0) {
548 ret
= sscanf(line
, "Gid: %ld", &value
);
549 if (ret
!= EOF
&& ret
> 0)
552 if (uid
!= (uid_t
)-1 && gid
!= (gid_t
)-1)
559 /* only override arguments if we found something */
560 if (uid
!= (uid_t
)-1)
562 if (gid
!= (gid_t
)-1)
565 /* TODO: we should also parse supplementary groups and use
566 * setgroups() to set them */
569 struct attach_clone_payload
{
571 lxc_attach_options_t
* options
;
572 struct lxc_proc_context_info
* init_ctx
;
573 lxc_attach_exec_t exec_function
;
577 static int attach_child_main(void* data
);
579 /* help the optimizer along if it doesn't know that exit always exits */
580 #define rexit(c) do { int __c = (c); exit(__c); return __c; } while(0)
582 /* define default options if no options are supplied by the user */
583 static lxc_attach_options_t attach_static_default_options
= LXC_ATTACH_OPTIONS_DEFAULT
;
585 int lxc_attach(const char* name
, const char* lxcpath
, lxc_attach_exec_t exec_function
, void* exec_payload
, lxc_attach_options_t
* options
, pid_t
* attached_process
)
588 pid_t init_pid
, pid
, attached_pid
;
589 struct lxc_proc_context_info
*init_ctx
;
595 options
= &attach_static_default_options
;
597 init_pid
= lxc_cmd_get_init_pid(name
, lxcpath
);
599 ERROR("failed to get the init pid");
603 init_ctx
= lxc_proc_get_context_info(init_pid
);
605 ERROR("failed to get context of the init process, pid = %ld", (long)init_pid
);
609 cwd
= getcwd(NULL
, 0);
611 /* determine which namespaces the container was created with
612 * by asking lxc-start, if necessary
614 if (options
->namespaces
== -1) {
615 options
->namespaces
= lxc_cmd_get_clone_flags(name
, lxcpath
);
617 if (options
->namespaces
== -1) {
618 ERROR("failed to automatically determine the "
619 "namespaces which the container unshared");
621 free(init_ctx
->aa_profile
);
627 /* create a socket pair for IPC communication; set SOCK_CLOEXEC in order
628 * to make sure we don't irritate other threads that want to fork+exec away
630 * IMPORTANT: if the initial process is multithreaded and another call
631 * just fork()s away without exec'ing directly after, the socket fd will
632 * exist in the forked process from the other thread and any close() in
633 * our own child process will not really cause the socket to close properly,
634 * potentiall causing the parent to hang.
636 * For this reason, while IPC is still active, we have to use shutdown()
637 * if the child exits prematurely in order to signal that the socket
638 * is closed and cannot assume that the child exiting will automatically
641 * IPC mechanism: (X is receiver)
642 * initial process intermediate attached
646 * send 0 ------------------------------------> X
647 * [do initialization]
648 * X <------------------------------------ send 1
649 * [add to cgroup, ...]
650 * send 2 ------------------------------------> X
651 * close socket close socket
654 ret
= socketpair(PF_LOCAL
, SOCK_STREAM
| SOCK_CLOEXEC
, 0, ipc_sockets
);
656 SYSERROR("could not set up required IPC mechanism for attaching");
658 free(init_ctx
->aa_profile
);
663 /* create intermediate subprocess, three reasons:
664 * 1. runs all pthread_atfork handlers and the
665 * child will no longer be threaded
666 * (we can't properly setns() in a threaded process)
667 * 2. we can't setns() in the child itself, since
668 * we want to make sure we are properly attached to
670 * 3. also, the initial thread has to put the attached
671 * process into the cgroup, which we can only do if
672 * we didn't already setns() (otherwise, user
673 * namespaces will hate us)
678 SYSERROR("failed to create first subprocess");
680 free(init_ctx
->aa_profile
);
686 pid_t to_cleanup_pid
= pid
;
689 /* inital thread, we close the socket that is for the
692 close(ipc_sockets
[1]);
695 /* get pid from intermediate process */
696 ret
= lxc_read_nointr_expect(ipc_sockets
[0], &attached_pid
, sizeof(attached_pid
), NULL
);
699 ERROR("error using IPC to receive pid of attached process");
703 /* reap intermediate process */
704 ret
= wait_for_pid(pid
);
708 /* we will always have to reap the grandchild now */
709 to_cleanup_pid
= attached_pid
;
711 /* tell attached process it may start initializing */
713 ret
= lxc_write_nointr(ipc_sockets
[0], &status
, sizeof(status
));
715 ERROR("error using IPC to notify attached process for initialization (0)");
719 /* wait for the attached process to finish initializing */
721 ret
= lxc_read_nointr_expect(ipc_sockets
[0], &status
, sizeof(status
), &expected
);
724 ERROR("error using IPC to receive notification from attached process (1)");
728 /* attach to cgroup, if requested */
729 if (options
->attach_flags
& LXC_ATTACH_MOVE_TO_CGROUP
) {
730 ret
= lxc_cgroup_attach(attached_pid
, name
, lxcpath
);
732 ERROR("could not move attached process %ld to cgroup of container", (long)attached_pid
);
737 /* tell attached process we're done */
739 ret
= lxc_write_nointr(ipc_sockets
[0], &status
, sizeof(status
));
741 ERROR("error using IPC to notify attached process for initialization (2)");
745 /* now shut down communication with child, we're done */
746 shutdown(ipc_sockets
[0], SHUT_RDWR
);
747 close(ipc_sockets
[0]);
748 free(init_ctx
->aa_profile
);
751 /* we're done, the child process should now execute whatever
752 * it is that the user requested. The parent can now track it
753 * with waitpid() or similar.
756 *attached_process
= attached_pid
;
760 /* first shut down the socket, then wait for the pid,
761 * otherwise the pid we're waiting for may never exit
763 shutdown(ipc_sockets
[0], SHUT_RDWR
);
764 close(ipc_sockets
[0]);
766 (void) wait_for_pid(to_cleanup_pid
);
767 free(init_ctx
->aa_profile
);
772 /* first subprocess begins here, we close the socket that is for the
775 close(ipc_sockets
[0]);
777 /* attach now, create another subprocess later, since pid namespaces
778 * only really affect the children of the current process
780 ret
= lxc_attach_to_ns(init_pid
, options
->namespaces
);
782 ERROR("failed to enter the namespace");
783 shutdown(ipc_sockets
[1], SHUT_RDWR
);
787 /* attach succeeded, try to cwd */
788 if (options
->initial_cwd
)
789 new_cwd
= options
->initial_cwd
;
792 ret
= chdir(new_cwd
);
794 WARN("could not change directory to '%s'", new_cwd
);
797 /* now create the real child process */
799 struct attach_clone_payload payload
= {
800 .ipc_socket
= ipc_sockets
[1],
802 .init_ctx
= init_ctx
,
803 .exec_function
= exec_function
,
804 .exec_payload
= exec_payload
806 /* We use clone_parent here to make this subprocess a direct child of
807 * the initial process. Then this intermediate process can exit and
808 * the parent can directly track the attached process.
810 pid
= lxc_clone(attach_child_main
, &payload
, CLONE_PARENT
);
813 /* shouldn't happen, clone() should always return positive pid */
815 SYSERROR("failed to create subprocess");
816 shutdown(ipc_sockets
[1], SHUT_RDWR
);
820 /* tell grandparent the pid of the pid of the newly created child */
821 ret
= lxc_write_nointr(ipc_sockets
[1], &pid
, sizeof(pid
));
822 if (ret
!= sizeof(pid
)) {
823 /* if this really happens here, this is very unfortunate, since the
824 * parent will not know the pid of the attached process and will
825 * not be able to wait for it (and we won't either due to CLONE_PARENT)
826 * so the parent won't be able to reap it and the attached process
827 * will remain a zombie
829 ERROR("error using IPC to notify main process of pid of the attached process");
830 shutdown(ipc_sockets
[1], SHUT_RDWR
);
834 /* the rest is in the hands of the initial and the attached process */
838 int attach_child_main(void* data
)
840 struct attach_clone_payload
* payload
= (struct attach_clone_payload
*)data
;
841 int ipc_socket
= payload
->ipc_socket
;
842 lxc_attach_options_t
* options
= payload
->options
;
843 struct lxc_proc_context_info
* init_ctx
= payload
->init_ctx
;
844 #if HAVE_SYS_PERSONALITY_H
845 long new_personality
;
855 /* wait for the initial thread to signal us that it's ready
856 * for us to start initializing
860 ret
= lxc_read_nointr_expect(ipc_socket
, &status
, sizeof(status
), &expected
);
862 ERROR("error using IPC to receive notification from initial process (0)");
863 shutdown(ipc_socket
, SHUT_RDWR
);
867 /* load apparmor profile */
868 if ((options
->namespaces
& CLONE_NEWNS
) && (options
->attach_flags
& LXC_ATTACH_APPARMOR
)) {
869 ret
= attach_apparmor(init_ctx
->aa_profile
);
871 shutdown(ipc_socket
, SHUT_RDWR
);
876 /* A description of the purpose of this functionality is
877 * provided in the lxc-attach(1) manual page. We have to
878 * remount here and not in the parent process, otherwise
879 * /proc may not properly reflect the new pid namespace.
881 if (!(options
->namespaces
& CLONE_NEWNS
) && (options
->attach_flags
& LXC_ATTACH_REMOUNT_PROC_SYS
)) {
882 ret
= lxc_attach_remount_sys_proc();
884 shutdown(ipc_socket
, SHUT_RDWR
);
889 /* now perform additional attachments*/
890 #if HAVE_SYS_PERSONALITY_H
891 if (options
->personality
< 0)
892 new_personality
= init_ctx
->personality
;
894 new_personality
= options
->personality
;
896 if (options
->attach_flags
& LXC_ATTACH_SET_PERSONALITY
) {
897 ret
= personality(new_personality
);
899 SYSERROR("could not ensure correct architecture");
900 shutdown(ipc_socket
, SHUT_RDWR
);
906 if (options
->attach_flags
& LXC_ATTACH_DROP_CAPABILITIES
) {
907 ret
= lxc_attach_drop_privs(init_ctx
);
909 ERROR("could not drop privileges");
910 shutdown(ipc_socket
, SHUT_RDWR
);
915 /* always set the environment (specify (LXC_ATTACH_KEEP_ENV, NULL, NULL) if you want this to be a no-op) */
916 ret
= lxc_attach_set_environment(options
->env_policy
, options
->extra_env_vars
, options
->extra_keep_env
);
918 ERROR("could not set initial environment for attached process");
919 shutdown(ipc_socket
, SHUT_RDWR
);
923 /* set user / group id */
926 /* ignore errors, we will fall back to root in that case
927 * (/proc was not mounted etc.)
929 if (options
->namespaces
& CLONE_NEWUSER
)
930 lxc_attach_get_init_uidgid(&new_uid
, &new_gid
);
932 if (options
->uid
!= (uid_t
)-1)
933 new_uid
= options
->uid
;
934 if (options
->gid
!= (gid_t
)-1)
935 new_gid
= options
->gid
;
937 /* try to set the uid/gid combination */
938 if ((new_gid
!= 0 || options
->namespaces
& CLONE_NEWUSER
) && setgid(new_gid
)) {
939 SYSERROR("switching to container gid");
940 shutdown(ipc_socket
, SHUT_RDWR
);
943 if ((new_uid
!= 0 || options
->namespaces
& CLONE_NEWUSER
) && setuid(new_uid
)) {
944 SYSERROR("switching to container uid");
945 shutdown(ipc_socket
, SHUT_RDWR
);
949 /* tell initial process it may now put us into the cgroups */
951 ret
= lxc_write_nointr(ipc_socket
, &status
, sizeof(status
));
952 if (ret
!= sizeof(status
)) {
953 ERROR("error using IPC to notify initial process for initialization (1)");
954 shutdown(ipc_socket
, SHUT_RDWR
);
958 /* wait for the initial thread to signal us that it has done
959 * everything for us when it comes to cgroups etc.
963 ret
= lxc_read_nointr_expect(ipc_socket
, &status
, sizeof(status
), &expected
);
965 ERROR("error using IPC to receive final notification from initial process (2)");
966 shutdown(ipc_socket
, SHUT_RDWR
);
970 shutdown(ipc_socket
, SHUT_RDWR
);
972 free(init_ctx
->aa_profile
);
975 /* The following is done after the communication socket is
976 * shut down. That way, all errors that might (though
977 * unlikely) occur up until this point will have their messages
978 * printed to the original stderr (if logging is so configured)
979 * and not the fd the user supplied, if any.
982 /* fd handling for stdin, stdout and stderr;
983 * ignore errors here, user may want to make sure
984 * the fds are closed, for example */
985 if (options
->stdin_fd
>= 0 && options
->stdin_fd
!= 0)
986 dup2(options
->stdin_fd
, 0);
987 if (options
->stdout_fd
>= 0 && options
->stdout_fd
!= 1)
988 dup2(options
->stdout_fd
, 1);
989 if (options
->stderr_fd
>= 0 && options
->stderr_fd
!= 2)
990 dup2(options
->stderr_fd
, 2);
992 /* close the old fds */
993 if (options
->stdin_fd
> 2)
994 close(options
->stdin_fd
);
995 if (options
->stdout_fd
> 2)
996 close(options
->stdout_fd
);
997 if (options
->stderr_fd
> 2)
998 close(options
->stderr_fd
);
1000 /* try to remove CLOEXEC flag from stdin/stdout/stderr,
1001 * but also here, ignore errors */
1002 for (fd
= 0; fd
<= 2; fd
++) {
1003 flags
= fcntl(fd
, F_GETFL
);
1006 if (flags
& FD_CLOEXEC
)
1007 fcntl(fd
, F_SETFL
, flags
& ~FD_CLOEXEC
);
1010 /* we're done, so we can now do whatever the user intended us to do */
1011 rexit(payload
->exec_function(payload
->exec_payload
));
1014 int lxc_attach_run_command(void* payload
)
1016 lxc_attach_command_t
* cmd
= (lxc_attach_command_t
*)payload
;
1018 execvp(cmd
->program
, cmd
->argv
);
1019 SYSERROR("failed to exec '%s'", cmd
->program
);
1023 int lxc_attach_run_shell(void* payload
)
1026 struct passwd
*passwd
;
1029 /* ignore payload parameter */
1033 passwd
= getpwuid(uid
);
1035 /* this probably happens because of incompatible nss
1036 * implementations in host and container (remember, this
1037 * code is still using the host's glibc but our mount
1038 * namespace is in the container)
1039 * we may try to get the information by spawning a
1040 * [getent passwd uid] process and parsing the result
1043 user_shell
= lxc_attach_getpwshell(uid
);
1045 user_shell
= passwd
->pw_shell
;
1048 execlp(user_shell
, user_shell
, NULL
);
1050 /* executed if either no passwd entry or execvp fails,
1051 * we will fall back on /bin/sh as a default shell
1053 execlp("/bin/sh", "/bin/sh", NULL
);
1054 SYSERROR("failed to exec shell");