Merge pull request #1609 from brauner/2017-06-01/unit_test_idmap_parser
index ab5f5ade404ad5b416eb9ebfa3849296091b59fd..f1b3f8e11d6269115b74998e78c2a0242814a955 100644 (file)
@@ -333,7 +333,7 @@ static int signal_handler(int fd, uint32_t events, void *data,
         * by a process different from the container init.
         */
        if (siginfo.ssi_pid != *pid) {
-               WARN("Invalid pid for SIGCHLD. Received pid %d, expected pid %d.", siginfo.ssi_pid, *pid);
+               NOTICE("Received SIGCHLD from pid %d instead of container init %d.", siginfo.ssi_pid, *pid);
                return init_died ? 1 : 0;
        }
 
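Review bot: The rewritten NOTICE line prints `siginfo.ssi_pid` with `%d`, but `struct signalfd_siginfo` declares `ssi_pid` as `uint32_t`, so the conversion does not match the argument type (the replaced WARN had the same mismatch, and `-Wformat` will flag it). Since the line is being rewritten anyway, `NOTICE("Received SIGCHLD from pid %u instead of container init %d.", siginfo.ssi_pid, *pid);` fixes it at no cost, assuming `*pid` is a `pid_t`. signal_handler's body continues on both sides of the hunk.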
@@ -899,7 +899,7 @@ static int do_start(void *data)
                 * have necessary privilege.
                 */
                #if HAVE_LIBCAP
-               have_cap_setgid = lxc_cap_is_set(CAP_SETGID, CAP_EFFECTIVE);
+               have_cap_setgid = lxc_proc_cap_is_set(CAP_SETGID, CAP_EFFECTIVE);
                #else
                have_cap_setgid = false;
                #endif
@@ -1071,6 +1071,13 @@ void resolve_clone_flags(struct lxc_handler *handler)
                INFO("Inheriting a UTS namespace.");
 }
 
+/* lxc_spawn() performs crucial setup tasks and clone()s the new process which
+ * exec()s the requested container binary.
+ * Note that lxc_spawn() runs in the parent namespaces. Any operations performed
+ * right here should be double checked if they'd pose a security risk. (For
+ * example, any {u}mount() operations performed here will be reflected on the
+ * host!)
+ */
 static int lxc_spawn(struct lxc_handler *handler)
 {
        int failed_before_rename = 0;
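Review bot: The new header comment warns that lxc_spawn() runs in the parent namespaces but does not tell the reader where namespace-local setup belongs instead, which is the question a maintainer adding code here will ask. Since do_start() (header visible in the hunk above) appears to be the child-side counterpart, a closing sentence such as `Setup that must only affect the container belongs in do_start(), which runs in the child after clone().` would make the warning actionable; hedge it if do_start's role is different from what its name suggests. The comment might also name the concrete host-visible resources besides mounts (network interfaces, cgroups) if that matches the function's body, which continues outside the hunk.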
@@ -1079,8 +1086,12 @@ static int lxc_spawn(struct lxc_handler *handler)
        int saved_ns_fd[LXC_NS_MAX];
        int preserve_mask = 0, i, flags;
        int netpipepair[2], nveths;
+       bool wants_to_map_ids;
+       struct lxc_list *id_map;
 
        netpipe = -1;
+       id_map = &handler->conf->id_map;
+       wants_to_map_ids = !lxc_list_empty(id_map);
 
        for (i = 0; i < LXC_NS_MAX; i++)
                if (handler->conf->inherit_ns_fd[i] != -1)
@@ -1142,7 +1153,7 @@ static int lxc_spawn(struct lxc_handler *handler)
         * it readonly.
         * If the container is unprivileged then skip rootfs pinning.
         */
-       if (lxc_list_empty(&handler->conf->id_map)) {
+       if (!wants_to_map_ids) {
                handler->pinfd = pin_rootfs(handler->conf->rootfs.path);
                if (handler->pinfd == -1)
                        INFO("Failed to pin the rootfs for container \"%s\".", handler->name);
@@ -1196,7 +1207,7 @@ static int lxc_spawn(struct lxc_handler *handler)
         * mapped to something else on the host.) later to become a valid uid
         * again.
         */
-       if (lxc_map_ids(&handler->conf->id_map, handler->pid)) {
+       if (wants_to_map_ids && lxc_map_ids(id_map, handler->pid)) {
                ERROR("Failed to set up id mapping.");
                goto out_delete_net;
        }
@@ -1261,6 +1272,11 @@ static int lxc_spawn(struct lxc_handler *handler)
        if (lxc_sync_barrier_child(handler, LXC_SYNC_POST_CONFIGURE))
                goto out_delete_net;
 
+       if (!lxc_list_empty(&handler->conf->limits) && setup_resource_limits(&handler->conf->limits, handler->pid)) {
+               ERROR("failed to setup resource limits for '%s'", name);
+               goto out_delete_net;
+       }
+
        if (!cgroup_setup_limits(handler, true)) {
                ERROR("Failed to setup the devices cgroup for container \"%s\".", name);
                goto out_delete_net;
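Review bot: The ERROR message on the added setup_resource_limits() check does not follow the format its neighbours in this function use — compare `"Failed to setup the devices cgroup for container \"%s\"."` two lines below; prefer `ERROR("Failed to setup resource limits for container \"%s\".", name);`. The added `if` line also runs well past 80 columns; splitting the `lxc_list_empty` test and the `setup_resource_limits` call onto two lines keeps the kernel-style layout of the surrounding code. The limits are applied to handler->pid only after the POST_CONFIGURE barrier, so whatever the child does before that point runs without them; whether that window matters cannot be told from this hunk. lxc_spawn's body continues on both sides of the hunk.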
@@ -1284,9 +1300,6 @@ static int lxc_spawn(struct lxc_handler *handler)
        if (lxc_sync_barrier_child(handler, LXC_SYNC_POST_CGROUP))
                return -1;
 
-       if (detect_shared_rootfs())
-               umount2(handler->conf->rootfs.mount, MNT_DETACH);
-
        if (handler->ops->post_start(handler, handler->data))
                goto out_abort;