[Devel] [PATCH 2/2] hooks_ct: fix pivot_root failure with mount namespaces.

Glauber Costa glommer at parallels.com
Mon Feb 25 19:40:37 PST 2013


Not only we don't need to call pivot_root when joining a mount namespace, we
can't do it. This is because the filesystem we currently are will become
invisible after we join the mount namespace. As a side effect, we are fully
protected because we will only have the filesystem view of the newly joined
namespace.

Because setns support for mount namespaces is not always present, we need
a flag to determine whether or not we've joined it. And because this is not
needed outside this scope at all, we can resort to a local-only flag instead
of storing this information in the vps_handler.

Signed-off-by: Glauber Costa <glommer at parallels.com>
---
 src/lib/hooks_ct.c | 32 +++++++++++++++++---------------
 1 file changed, 17 insertions(+), 15 deletions(-)

diff --git a/src/lib/hooks_ct.c b/src/lib/hooks_ct.c
index ac6d97e..6f78263 100644
--- a/src/lib/hooks_ct.c
+++ b/src/lib/hooks_ct.c
@@ -213,13 +213,14 @@ static int ct_env_create(struct arg_start *arg)
 	return 0;
 }
 
-static int __ct_enter(vps_handler *h, envid_t veid, int flags)
+static int ct_enter(vps_handler *h, envid_t veid, const char *root, int flags)
 {
 	DIR *dp;
 	struct dirent *ep;
 	char path[STR_SIZE]; /* long enough for any pid */
 	pid_t task_pid;
 	int ret = VZ_RESOURCE_ERROR;
+	bool joined_mnt_ns = false;
 
 	if (!h->can_join_pidns) {
 		logger(-1, 0, "Kernel lacks setns for pid namespace");
@@ -258,7 +259,22 @@ static int __ct_enter(vps_handler *h, envid_t veid, int flags)
 			goto out;
 		if (setns(fd, 0))
 			logger(-1, errno, "Failed to set context for %s", ep->d_name);
+
+		if (!strcmp(ep->d_name, "mnt"))
+			joined_mnt_ns = true;
 	}
+
+	/*
+	 * If we can join the mount namespace, we don't need to call
+	 * pivot_root, or any other follow up step, since we will already
+	 * inherit any fs tree structure the process already has.
+	 *
+	 * As a matter of fact, we won't even be able to see the container
+	 * directories to jump to
+	 */
+	if (!joined_mnt_ns && (ret = ct_chroot(root)))
+		return ret;
+
 	ret = 0;
 
 out:
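Review bot: `joined_mnt_ns` is set purely by matching the directory name "mnt", not by whether the `setns(fd, 0)` just above it succeeded; since a setns failure is only logged, a failed join of the mount namespace now also skips `ct_chroot(root)`, so the entered process keeps the host's mount view and `ret` is still cleared to 0 as if everything worked. That is a worse outcome than before the patch, where the chroot always ran; the flag should only be set on success, e.g. `if (setns(fd, 0))` / `logger(-1, errno, "Failed to set context for %s", ep->d_name);` / `else if (!strcmp(ep->d_name, "mnt")) joined_mnt_ns = true;`. Separately, the new `return ret;` after `ct_chroot` bypasses the `out:` label; the line between `out:` and `return ret;` lies outside the hunk, but given the `DIR *dp` opened in this function it presumably releases it, so the early exit should be `goto out;` instead. Whether `<stdbool.h>` is already included for the new `bool` local cannot be seen from the hunk.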
@@ -266,20 +282,6 @@ out:
 	return ret;
 }
 
-/*
- * We need to do chroot only after the context is set. Otherwise, we can't find the proc files
- * we need to operate on the ns files
- */
-static int ct_enter(vps_handler *h, envid_t veid, const char *root, int flags)
-{
-	int ret;
-	if ((ret = __ct_enter(h, veid, flags)))
-		return ret;
-	if ((ret = ct_chroot(root)))
-		return ret;
-	return 0;
-}
-
 #define add_value(val, var, mult) do { if (val) { var = *val * mult; } } while (0)
 
 static int ct_setlimits(vps_handler *h, envid_t veid, struct ub_struct *ub)
-- 
1.7.11.7