proxmox-mirrors/mirror_lxc
1
0
Fork 0
mirror of https://git.proxmox.com/git/mirror_lxc synced 2025-07-28 20:52:47 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

start: fix namespace sharing

Browse Source 
Fixes: #4134
Signed-off-by: Christian Brauner (Microsoft) <christian.brauner@ubuntu.com>
This commit is contained in:
Christian Brauner 2022-07-01 10:12:45 +02:00 committed by Christian Brauner (Microsoft)
parent 59d483ef49
commit 07a00b78f0
No known key found for this signature in database
GPG Key ID: 91C61BC06578DCA2
1 changed files with 10 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
src/lxc/start.c
View File

@ -1597,6 +1597,13 @@ static bool inherits_namespaces(const struct lxc_handler *handler)
return false; return false;
} }
static inline void resolve_cgroup_clone_flags(struct lxc_handler *handler)
{
handler->clone_flags &= ~(CLONE_INTO_CGROUP | CLONE_NEWCGROUP);
handler->ns_on_clone_flags &= ~(CLONE_INTO_CGROUP | CLONE_NEWCGROUP);
handler->ns_unshare_flags |= CLONE_NEWCGROUP;
}
/* lxc_spawn() performs crucial setup tasks and clone()s the new process which /* lxc_spawn() performs crucial setup tasks and clone()s the new process which
* exec()s the requested container binary. * exec()s the requested container binary.
* Note that lxc_spawn() runs in the parent namespaces. Any operations performed * Note that lxc_spawn() runs in the parent namespaces. Any operations performed
@ -1645,6 +1652,7 @@ static int lxc_spawn(struct lxc_handler *handler)
if (inherits_namespaces(handler)) { if (inherits_namespaces(handler)) {
pid_t attacher_pid; pid_t attacher_pid;
resolve_cgroup_clone_flags(handler);
attacher_pid = lxc_clone(do_share_ns, handler, attacher_pid = lxc_clone(do_share_ns, handler,
CLONE_VFORK | CLONE_VM | CLONE_FILES, NULL); CLONE_VFORK | CLONE_VM | CLONE_FILES, NULL);
if (attacher_pid < 0) { if (attacher_pid < 0) {
@ -1686,10 +1694,7 @@ static int lxc_spawn(struct lxc_handler *handler)
SYSTRACE("Failed to spawn container directly into target cgroup"); SYSTRACE("Failed to spawn container directly into target cgroup");
/* Kernel might simply be too old for CLONE_INTO_CGROUP. */ /* Kernel might simply be too old for CLONE_INTO_CGROUP. */
handler->clone_flags &= ~(CLONE_INTO_CGROUP | CLONE_NEWCGROUP); resolve_cgroup_clone_flags(handler);
handler->ns_on_clone_flags &= ~CLONE_NEWCGROUP;
handler->ns_unshare_flags |= CLONE_NEWCGROUP;
clone_args.flags = handler->clone_flags; clone_args.flags = handler->clone_flags;
handler->pid = lxc_clone3(&clone_args, CLONE_ARGS_SIZE_VER0); handler->pid = lxc_clone3(&clone_args, CLONE_ARGS_SIZE_VER0);