[Devel] [PATCH] ct: fix exec to really enter into pidns (v2)

[Andrey Vagin]

setns() of the pid namespace unlike unsharing of other namespaces
does not take affect immediately. Instead it affects the children
created with fork and clone.

v2: don't forget about the end mark in close_fds

https://bugzilla.openvz.org/show_bug.cgi?id=2658

Reported-by: Igor Gnatenko <i.gnatenko.brain at gmail.com>
Signed-off-by: Andrey Vagin <avagin at openvz.org>
---
 src/lib/hooks_ct.c | 34 ++++++++++++++++++++++++++++++++--
 1 file changed, 32 insertions(+), 2 deletions(-)

diff --git a/src/lib/hooks_ct.c b/src/lib/hooks_ct.c
index 3cd1404..9854bc9 100644
--- a/src/lib/hooks_ct.c
+++ b/src/lib/hooks_ct.c
@@ -536,9 +536,8 @@ static int ct_enter(vps_handler *h, envid_t veid, const char *root, int flags)
 	char path[STR_SIZE]; /* long enough for any pid */
 	pid_t task_pid;
 	int ret = VZ_RESOURCE_ERROR;
-	int err;
 	bool joined_mnt_ns = false;
-	int fd;
+	int fd, err, status;
 
 	if (!h->can_join_pidns) {
 		logger(-1, 0, "Kernel lacks setns for pid namespace");
@@ -621,7 +620,38 @@ static int ct_enter(vps_handler *h, envid_t veid, const char *root, int flags)
 	if (!joined_mnt_ns && (ret = ct_chroot(root)))
 		goto out;
 
+	/*
+	 * setns() of the pid namespace unlike unsharing of other namespaces
+	 * does not take affect immediately.  Instead it affects the children
+	 * created with fork and clone.
+	 */
+	task_pid = fork();
+	if (task_pid < 0) {
+		logger(-1, errno, "Unable to fork");
+		goto out;
+	}
+
 	ret = 0;
+	if (task_pid == 0)
+		goto out;
+
+	close_fds(false, -1);
+	while (1) {
+		ret = waitpid(task_pid, &status, 0);
+		if (ret < 0) {
+			logger(-1, errno, "Unable to wait the child %d", task_pid);
+			exit(VZ_RESOURCE_ERROR);
+		}
+		if (WIFSTOPPED(status) || WIFCONTINUED(status))
+			continue;
+
+		break;
+	}
+
+	if (WIFEXITED(status))
+		exit(WEXITSTATUS(status));
+	else
+		exit(-WTERMSIG(status));
 
 out:
 	closedir(dp);
-- 
1.8.3.1