This repository has been archived by the owner on Dec 13, 2018. It is now read-only.
namespaces: allow to use pid namespace without mount namespace #358
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The gocapability package uses /proc/PID/status to get a bounding set. If a container uses pidns without mntns, it sees /proc from the host namespace, but the process doesn't know its own pid in this namespace. In this case it can use /proc/self/status, which is always the right one. Signed-off-by: Andrew Vagin <avagin@openvz.org>
| @@ -11,7 +9,7 @@ const allCapabilityTypes = capability.CAPS | capability.BOUNDS | |||
| // DropBoundingSet drops the capability bounding set to those specified in the | |||
| // container configuration. | |||
| func DropBoundingSet(capabilities []string) error { | |||
| c, err := capability.NewPid(os.Getpid()) | |||
| c, err := capability.NewPid(0) | |||
There was a problem hiding this comment.
what does 0 mean here?
There was a problem hiding this comment.
@crosbymichael Change capabilities of the calling process. os.Getpid() and 0 are the same except the case, when you try to access /proc from another pidns
There was a problem hiding this comment.
Seems like drone failing because of this
There was a problem hiding this comment.
@LK4D4 I have not commited changes in the vendor direcotry.
Signed-off-by: Andrey Vagin <avagin@openvz.org>
|
LGTM |
1 similar comment
|
LGTM |
vmarmol
added a commit
that referenced
this pull request
Feb 3, 2015
namespaces: allow to use pid namespace without mount namespace
wking
added a commit
to wking/runc
that referenced
this pull request
Feb 19, 2018
gocapability has supported 0 as "the current PID" since syndtr/gocapability@5e7cce49 (Allow to use the zero value for pid to operate with the current task, 2015-01-15, syndtr/gocapability#2). libcontainer was ported to that approach in 444cc29 (namespaces: allow to use pid namespace without mount namespace, 2015-01-27, docker-archive/libcontainer#358), but the change was clobbered by 22df555 (Merge branch 'master' into api, 2015-02-19, docker-archive/libcontainer#388) which landed via 5b73860 (Merge pull request opencontainers#388 from docker/api, 2015-02-19, docker-archive/libcontainer#388) . This commit restores the changes from 444cc29. Signed-off-by: W. Trevor King <wking@tremily.us>
wking
added a commit
to wking/runc
that referenced
this pull request
Feb 19, 2018
gocapability has supported 0 as "the current PID" since syndtr/gocapability@5e7cce49 (Allow to use the zero value for pid to operate with the current task, 2015-01-15, syndtr/gocapability#2). libcontainer was ported to that approach in 444cc29 (namespaces: allow to use pid namespace without mount namespace, 2015-01-27, docker-archive/libcontainer#358), but the change was clobbered by 22df555 (Merge branch 'master' into api, 2015-02-19, docker-archive/libcontainer#388) which landed via 5b73860 (Merge pull request opencontainers#388 from docker/api, 2015-02-19, docker-archive/libcontainer#388). This commit restores the changes from 444cc29. Signed-off-by: W. Trevor King <wking@tremily.us>
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The gocapability package uses /proc/PID/status to get a bounding set.
If a container uses pidns without mntns, it sees /proc from the host
namespace, but the process doesn't know its own pid in this namespace.
In this case it can use /proc/self/status, which is always the right one.
Signed-off-by: Andrew Vagin avagin@openvz.org