Close extraneous file descriptors in containers
Without this patch, containers inherit the open file descriptors of the daemon, so my "exec 42>&2" allows us to "echo >&42 some nasty error with some bad advice" directly into the daemon log. :)

Also, "hack/dind" was already doing this due to issues caused by the inheritance, so I'm removing that hack too since this patch obsoletes it by generalizing it for all containers.

Docker-DCO-1.1-Signed-off-by: Andrew Page <admwiggin@gmail.com> (github: tianon)
tianon committed Apr 29, 2014
1 parent 5d4927c commit 187b637
Showing 1 changed file with 6 additions and 2 deletions.
8 changes: 6 additions & 2 deletions nsinit/init.go
Expand Up @@ -130,12 +130,16 @@ func setupNetwork(container *libcontainer.Container, context libcontainer.Contex
return nil
}

// finalizeNamespace drops the caps and sets the correct user
// and working dir before execing the command inside the namespace
// finalizeNamespace drops the caps, sets the correct user
// and working dir, and closes any leaky file descriptors
// before execing the command inside the namespace
func finalizeNamespace(container *libcontainer.Container) error {
if err := capabilities.DropCapabilities(container); err != nil {
return fmt.Errorf("drop capabilities %s", err)
}
if err := system.CloseFdsFrom(3); err != nil {
return fmt.Errorf("close open file descriptors %s", err)
}
if err := setupUser(container); err != nil {
return fmt.Errorf("setup user %s", err)
}
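Review bot: the new `system.CloseFdsFrom(3)` call runs before `setupUser(container)`, so any descriptor that `setupUser` (or the working-dir setup that the updated comment says follows it) opens without close-on-exec would still be inherited by the exec'd command; consider moving the close to the last step before exec, or stating in the `finalizeNamespace` comment that it only covers descriptors open at that point. The call is also unconditional from fd 3 upward, so the comment should say explicitly that only stdin, stdout and stderr survive into the container, since anything a caller deliberately passed on a higher fd is now closed too.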

0 comments on commit 187b637