jasder
/
runc
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Merge pull request #1165 from cyphar/nsenter-fix-comments 

nsenter: fix up comments
This commit is contained in:
Mrunal Patel 2016-10-31 10:39:34 -07:00 committed by GitHub
parent 509b1db98c 9b15bf17a0
commit bc462c96bf
1 changed files with 15 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
libcontainer/nsenter/nsexec.c
View File

@ -447,10 +447,17 @@ void nsexec(void)
/* /*
* Okay, so this is quite annoying. * Okay, so this is quite annoying.
* *
* In order to make sure that deal with older kernels (when CLONE_NEWUSER * In order for this unsharing code to be more extensible we need to split
* wasn't guaranteed to be done first if you specify multiple namespaces in * up unshare(CLONE_NEWUSER) and clone() in various ways. The ideal case
* a clone(2) invocation) as well as with certain usecases like rootless * would be if we did clone(CLONE_NEWUSER) and the other namespaces
* containers, we cannot just dump all of the cloneflags into clone(2). * separately, but because of SELinux issues we cannot really do that. But
* we cannot just dump the namespace flags into clone(...) because several
* usecases (such as rootless containers) require more granularity around
* the namespace setup. In addition, some older kernels had issues where
* CLONE_NEWUSER wasn't handled before other namespaces (but we cannot
* handle this while also dealing with SELinux so we choose SELinux support
* over broken kernel support).
*
* However, if we unshare(2) the user namespace *before* we clone(2), then * However, if we unshare(2) the user namespace *before* we clone(2), then
* all hell breaks loose. * all hell breaks loose.
* *
@ -623,9 +630,9 @@ void nsexec(void)
* containers). But for now, it's not possible to split this into * containers). But for now, it's not possible to split this into
* CLONE_NEWUSER + [the rest] because of some RHEL SELinux issues. * CLONE_NEWUSER + [the rest] because of some RHEL SELinux issues.
* *
* We also can't be sure if the current kernel supports * Note that we don't merge this with clone() because there were
* clone(CLONE_PARENT | CLONE_NEWPID), so we'll just do it the long * some old kernel versions where clone(CLONE_PARENT | CLONE_NEWPID)
* way anyway. * was broken, so we'll just do it the long way anyway.
*/ */
if (unshare(config.cloneflags) < 0) if (unshare(config.cloneflags) < 0)
bail("failed to unshare namespaces"); bail("failed to unshare namespaces");
@ -701,7 +708,7 @@ void nsexec(void)
syncfd = syncpipe[0]; syncfd = syncpipe[0];
/* For debugging. */ /* For debugging. */
prctl(PR_SET_NAME, (unsigned long) "runc:[1:INIT]", 0, 0, 0); prctl(PR_SET_NAME, (unsigned long) "runc:[2:INIT]", 0, 0, 0);
if (setsid() < 0) if (setsid() < 0)
bail("setsid failed"); bail("setsid failed");