* by a process different from the container init.
*/
if (siginfo.ssi_pid != *pid) {
- WARN("Invalid pid for SIGCHLD. Received pid %d, expected pid %d.", siginfo.ssi_pid, *pid);
+ NOTICE("Received SIGCHLD from pid %d instead of container init %d.", siginfo.ssi_pid, *pid);
return init_died ? 1 : 0;
}
* have necessary privilege.
*/
#if HAVE_LIBCAP
- have_cap_setgid = lxc_cap_is_set(CAP_SETGID, CAP_EFFECTIVE);
+ have_cap_setgid = lxc_proc_cap_is_set(CAP_SETGID, CAP_EFFECTIVE);
#else
have_cap_setgid = false;
#endif
INFO("Inheriting a UTS namespace.");
}
+/* lxc_spawn() performs crucial setup tasks and clone()s the new process which
+ * exec()s the requested container binary.
+ * Note that lxc_spawn() runs in the parent namespaces. Any operations performed
+ * right here should be double checked if they'd pose a security risk. (For
+ * example, any {u}mount() operations performed here will be reflected on the
+ * host!)
+ */
static int lxc_spawn(struct lxc_handler *handler)
{
int failed_before_rename = 0;
int saved_ns_fd[LXC_NS_MAX];
int preserve_mask = 0, i, flags;
int netpipepair[2], nveths;
+ bool wants_to_map_ids;
+ struct lxc_list *id_map;
netpipe = -1;
+ id_map = &handler->conf->id_map;
+ wants_to_map_ids = !lxc_list_empty(id_map);
for (i = 0; i < LXC_NS_MAX; i++)
if (handler->conf->inherit_ns_fd[i] != -1)
* it readonly.
* If the container is unprivileged then skip rootfs pinning.
*/
- if (lxc_list_empty(&handler->conf->id_map)) {
+ if (!wants_to_map_ids) {
handler->pinfd = pin_rootfs(handler->conf->rootfs.path);
if (handler->pinfd == -1)
INFO("Failed to pin the rootfs for container \"%s\".", handler->name);
* mapped to something else on the host.) later to become a valid uid
* again.
*/
- if (lxc_map_ids(&handler->conf->id_map, handler->pid)) {
+ if (wants_to_map_ids && lxc_map_ids(id_map, handler->pid)) {
ERROR("Failed to set up id mapping.");
goto out_delete_net;
}
if (lxc_sync_barrier_child(handler, LXC_SYNC_POST_CONFIGURE))
goto out_delete_net;
+ if (!lxc_list_empty(&handler->conf->limits) && setup_resource_limits(&handler->conf->limits, handler->pid)) {
+ ERROR("failed to setup resource limits for '%s'", name);
+ goto out_delete_net;
+ }
+
if (!cgroup_setup_limits(handler, true)) {
ERROR("Failed to setup the devices cgroup for container \"%s\".", name);
goto out_delete_net;
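Review bot: The new error message `ERROR("failed to setup resource limits for '%s'", name);` does not follow the style of the surrounding messages in lxc_spawn, which start with a capital letter, quote the container name as `\"%s\"` and end with a full stop (compare the cgroup message directly below it); suggest `ERROR("Failed to set up resource limits for container \"%s\".", name);`. The guard line is also far past 80 columns, so splitting the emptiness check from the call, `if (!lxc_list_empty(&handler->conf->limits) &&` followed by `    setup_resource_limits(&handler->conf->limits, handler->pid)) {`, would match how the rest of the function wraps conditions. Since, as the new header comment states, this runs in the parent, it might be worth a one-line comment at the call noting that the limits are applied to handler->pid from outside the container rather than by the child itself. lxc_spawn's body continues beyond this hunk.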
if (lxc_sync_barrier_child(handler, LXC_SYNC_POST_CGROUP))
return -1;
- if (detect_shared_rootfs())
- umount2(handler->conf->rootfs.mount, MNT_DETACH);
-
if (handler->ops->post_start(handler, handler->data))
goto out_abort;