c/r: re-open fds after clone()

If we don't re-open these after clone, the init process has a pointer to the
parent's /dev/{zero,null}. CRIU seese these and wants to dump the parent's
mount namespace, which is unnecessary. Instead, we should just re-open
stdin/out/err after we do the clone and pivot root, to ensure that we have
pointers to the devcies in init's rootfs instead of the host's.

v2: Only close fds if the container was daemonized. This didn't turn out as
    nicely as described on the list because lxc_start() doesn't actually have
    the struct lxc_container, so it cant see the flag. Instead, we just pass it
    down everywhere.

Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

diff --git a/src/lxc/execute.c b/src/lxc/execute.c
index a0f7ff11ceeab3aeb8e36762e45f9eb268d5e7b2..d14092af514cd03837e8e30148e16dc01cfe10c7 100644 (file)
--- a/src/lxc/execute.c
+++ b/src/lxc/execute.c
@@ -111,7 +111,7 @@ static struct lxc_operations execute_start_ops = {
 };
 
 int lxc_execute(const char *name, char *const argv[], int quiet,
-               struct lxc_conf *conf, const char *lxcpath)
+               struct lxc_conf *conf, const char *lxcpath, bool backgrounded)
 {
        struct execute_args args = {
                .argv = argv,
@@ -122,5 +122,5 @@ int lxc_execute(const char *name, char *const argv[], int quiet,
                return -1;
 
        conf->is_execute = 1;
-       return __lxc_start(name, conf, &execute_start_ops, &args, lxcpath);
+       return __lxc_start(name, conf, &execute_start_ops, &args, lxcpath, backgrounded);
 }

diff --git a/src/lxc/lxc.h b/src/lxc/lxc.h
index dd1048c0480ec137fc6d501362b942206c39aab2..b1b858dc3885cd1df1ef2aaa45992a46c8478d3f 100644 (file)
--- a/src/lxc/lxc.h
+++ b/src/lxc/lxc.h
@@ -27,6 +27,7 @@
 extern "C" {
 #endif
 
+#include <stdbool.h>
 #include <stddef.h>
 #include <sys/select.h>
 #include <sys/types.h>
@@ -44,24 +45,27 @@ struct lxc_arguments;
 
 /*
  * Start the specified command inside a system container
- * @name     : the name of the container
- * @argv     : an array of char * corresponding to the commande line
- * @conf     : configuration
+ * @name         : the name of the container
+ * @argv         : an array of char * corresponding to the commande line
+ * @conf         : configuration
+ * @backgrounded : whether or not the container is daemonized
  * Returns 0 on success, < 0 otherwise
  */
 extern int lxc_start(const char *name, char *const argv[], struct lxc_conf *conf,
-                    const char *lxcpath);
+                    const char *lxcpath, bool backgrounded);
 
 /*
  * Start the specified command inside an application container
- * @name     : the name of the container
- * @argv     : an array of char * corresponding to the commande line
- * @quiet    : if != 0 then lxc-init won't produce any output
- * @conf     : configuration
+ * @name         : the name of the container
+ * @argv         : an array of char * corresponding to the commande line
+ * @quiet        : if != 0 then lxc-init won't produce any output
+ * @conf         : configuration
+ * @backgrounded : whether or not the container is daemonized
  * Returns 0 on success, < 0 otherwise
  */
 extern int lxc_execute(const char *name, char *const argv[], int quiet,
-                      struct lxc_conf *conf, const char *lxcpath);
+                      struct lxc_conf *conf, const char *lxcpath,
+                      bool backgrounded);
 
 /*
  * Open the monitoring mechanism for a specific container

diff --git a/src/lxc/lxc_execute.c b/src/lxc/lxc_execute.c
index b602793165de47ff7f39d2519c1c36c4e01b3697..4f1e1f674f099c80280c350aa2e6fc86f8dea3ac 100644 (file)
--- a/src/lxc/lxc_execute.c
+++ b/src/lxc/lxc_execute.c
@@ -139,7 +139,7 @@ int main(int argc, char *argv[])
        if (lxc_config_define_load(&defines, conf))
                return 1;
 
-       ret = lxc_execute(my_args.name, my_args.argv, my_args.quiet, conf, my_args.lxcpath[0]);
+       ret = lxc_execute(my_args.name, my_args.argv, my_args.quiet, conf, my_args.lxcpath[0], false);
 
        lxc_conf_free(conf);
 

diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c
index 0ca5b9f5d535304e96aa0fb70887be592a411361..d49426f00ef2cee6d246d1f3791aab5a869889c1 100644 (file)
--- a/src/lxc/lxccontainer.c
+++ b/src/lxc/lxccontainer.c
@@ -584,7 +584,7 @@ static bool lxcapi_start(struct lxc_container *c, int useinit, char * const argv
        container_mem_unlock(c);
 
        if (useinit) {
-               ret = lxc_execute(c->name, argv, 1, conf, c->config_path);
+               ret = lxc_execute(c->name, argv, 1, conf, c->config_path, daemonize);
                return ret == 0 ? true : false;
        }
 
@@ -642,12 +642,6 @@ static bool lxcapi_start(struct lxc_container *c, int useinit, char * const argv
                        return false;
                }
                lxc_check_inherited(conf, true, -1);
-               close(0);
-               close(1);
-               close(2);
-               open("/dev/zero", O_RDONLY);
-               open("/dev/null", O_RDWR);
-               open("/dev/null", O_RDWR);
                setsid();
        } else {
                if (!am_single_threaded()) {
@@ -687,7 +681,7 @@ reboot:
                goto out;
        }
 
-       ret = lxc_start(c->name, argv, conf, c->config_path);
+       ret = lxc_start(c->name, argv, conf, c->config_path, daemonize);
        c->error_num = ret;
 
        if (conf->reboot) {

diff --git a/src/lxc/start.c b/src/lxc/start.c
index d6153759b9bcafb734c10233e79eeaad16419cb4..8aedc7daa1c2c98c480c2756fc2238e704d51812 100644 (file)
--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -759,6 +759,15 @@ static int do_start(void *data)
 
        close(handler->sigfd);
 
+       if (handler->backgrounded) {
+               close(0);
+               close(1);
+               close(2);
+               open("/dev/zero", O_RDONLY);
+               open("/dev/null", O_RDWR);
+               open("/dev/null", O_RDWR);
+       }
+
        /* after this call, we are in error because this
         * ops should not return as it execs */
        handler->ops->start(handler, handler->data);
@@ -1112,7 +1121,8 @@ int get_netns_fd(int pid)
 }
 
 int __lxc_start(const char *name, struct lxc_conf *conf,
-               struct lxc_operations* ops, void *data, const char *lxcpath)
+               struct lxc_operations* ops, void *data, const char *lxcpath,
+               bool backgrounded)
 {
        struct lxc_handler *handler;
        int err = -1;
@@ -1126,6 +1136,7 @@ int __lxc_start(const char *name, struct lxc_conf *conf,
        }
        handler->ops = ops;
        handler->data = data;
+       handler->backgrounded = backgrounded;
 
        if (must_drop_cap_sys_boot(handler->conf)) {
                #if HAVE_SYS_CAPABILITY_H
@@ -1257,12 +1268,12 @@ static struct lxc_operations start_ops = {
 };
 
 int lxc_start(const char *name, char *const argv[], struct lxc_conf *conf,
-             const char *lxcpath)
+             const char *lxcpath, bool backgrounded)
 {
        struct start_args start_arg = {
                .argv = argv,
        };
 
        conf->need_utmp_watch = 1;
-       return __lxc_start(name, conf, &start_ops, &start_arg, lxcpath);
+       return __lxc_start(name, conf, &start_ops, &start_arg, lxcpath, backgrounded);
 }

diff --git a/src/lxc/start.h b/src/lxc/start.h
index aab063a1e6661aeb914f50eccefbcf941cc3b2f2..f1a41f59a40948389d2fb262fa4475dd0b290f3c 100644 (file)
--- a/src/lxc/start.h
+++ b/src/lxc/start.h
@@ -74,6 +74,7 @@ struct lxc_handler {
        const char *lxcpath;
        void *cgroup_data;
        int ttysock[2]; // socketpair for child->parent tty fd passing
+       bool backgrounded; // indicates whether should we close std{in,out,err} on start
 };
 
 
@@ -85,7 +86,7 @@ extern void lxc_fini(const char *name, struct lxc_handler *handler);
 
 extern int lxc_check_inherited(struct lxc_conf *conf, bool closeall, int fd_to_ignore);
 int __lxc_start(const char *, struct lxc_conf *, struct lxc_operations *,
-               void *, const char *);
+               void *, const char *, bool);
 
 extern void resolve_clone_flags(struct lxc_handler *handler);
 #endif