opencontainers · cyphar · Jul 18, 2016 · Jul 21, 2016 · Aug 3, 2016 · Oct 11, 2016
diff --git a/libcontainer/configs/namespaces_unix.go b/libcontainer/configs/namespaces_unix.go
@@ -22,8 +22,8 @@ var (
 	supportedNamespaces = make(map[NamespaceType]bool)
 )
 
-// nsToFile converts the namespace type to its filename
-func nsToFile(ns NamespaceType) string {
+// NsName converts the namespace type to its filename
+func NsName(ns NamespaceType) string {
 	switch ns {
 	case NEWNET:
 		return "net"
@@ -50,7 +50,7 @@ func IsNamespaceSupported(ns NamespaceType) bool {
 	if ok {
 		return supported
 	}
-	nsFile := nsToFile(ns)
+	nsFile := NsName(ns)
 	// if the namespace type is unknown, just return false
 	if nsFile == "" {
 		return false
@@ -84,7 +84,7 @@ func (n *Namespace) GetPath(pid int) string {
 	if n.Path != "" {
 		return n.Path
 	}
-	return fmt.Sprintf("/proc/%d/ns/%s", pid, nsToFile(n.Type))
+	return fmt.Sprintf("/proc/%d/ns/%s", pid, NsName(n.Type))
 }
 
 func (n *Namespaces) Remove(t NamespaceType) bool {

diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go
@@ -1223,16 +1223,22 @@ func (c *linuxContainer) currentState() (*State, error) {
 // can setns in order.
 func (c *linuxContainer) orderNamespacePaths(namespaces map[configs.NamespaceType]string) ([]string, error) {
 	paths := []string{}
-	nsTypes := []configs.NamespaceType{
+	order := []configs.NamespaceType{
+		// The user namespace *must* be done first.
+		configs.NEWUSER,
 		configs.NEWIPC,
 		configs.NEWUTS,
 		configs.NEWNET,
 		configs.NEWPID,
 		configs.NEWNS,
 	}
-	// join userns if the init process explicitly requires NEWUSER
-	if c.config.Namespaces.Contains(configs.NEWUSER) {
-		nsTypes = append(nsTypes, configs.NEWUSER)
+
+	// Remove namespaces that we don't need to join.
+	var nsTypes []configs.NamespaceType
+	for _, ns := range order {
+		if c.config.Namespaces.Contains(ns) {
+			nsTypes = append(nsTypes, ns)
+		}
 	}
 	for _, nsType := range nsTypes {
 		if p, ok := namespaces[nsType]; ok && p != "" {
@@ -1249,7 +1255,7 @@ func (c *linuxContainer) orderNamespacePaths(namespaces map[configs.NamespaceTyp
 			if strings.ContainsRune(p, ',') {
 				return nil, newSystemError(fmt.Errorf("invalid path %s", p))
 			}
-			paths = append(paths, p)
+			paths = append(paths, fmt.Sprintf("%s:%s", configs.NsName(nsType), p))
 		}
 	}
 	return paths, nil

diff --git a/libcontainer/integration/exec_test.go b/libcontainer/integration/exec_test.go
@@ -232,7 +232,7 @@ func TestEnter(t *testing.T) {
 	}
 	err = container.Run(&pconfig)
 	stdinR.Close()
-	defer stdinW.Close()
+	defer closeStdin(stdinW)
 	ok(t, err)
 	pid, err := pconfig.Pid()
 	ok(t, err)
@@ -273,7 +273,7 @@ func TestEnter(t *testing.T) {
 	stdinW2.Close()
 	waitProcess(&pconfig2, t)
 
-	stdinW.Close()
+	closeStdin(stdinW)
 	waitProcess(&pconfig, t)
 
 	// Check that both processes live in the same pidns
@@ -499,7 +499,7 @@ func testFreeze(t *testing.T, systemd bool) {
 	}
 	err = container.Run(pconfig)
 	stdinR.Close()
-	defer stdinW.Close()
+	defer closeStdin(stdinW)
 	ok(t, err)
 
 	err = container.Pause()
@@ -512,7 +512,7 @@ func testFreeze(t *testing.T, systemd bool) {
 		t.Fatal("Unexpected state: ", state)
 	}
 
-	stdinW.Close()
+	closeStdin(stdinW)
 	waitProcess(pconfig, t)
 }
 
@@ -713,7 +713,7 @@ func TestContainerState(t *testing.T) {
 		t.Fatal(err)
 	}
 	stdinR.Close()
-	defer stdinW.Close()
+	defer closeStdin(stdinW)
 
 	st, err := container.State()
 	if err != nil {
@@ -727,7 +727,7 @@ func TestContainerState(t *testing.T) {
 	if l1 != l {
 		t.Fatal("Container using non-host ipc namespace")
 	}
-	stdinW.Close()
+	closeStdin(stdinW)
 	waitProcess(p, t)
 }
 
@@ -1222,7 +1222,7 @@ func TestRootfsPropagationSlaveMount(t *testing.T) {
 
 	err = container.Run(pconfig)
 	stdinR.Close()
-	defer stdinW.Close()
+	defer closeStdin(stdinW)
 	ok(t, err)
 
 	// Create mnt1host/mnt2host and bind mount itself on top of it. This
@@ -1256,7 +1256,7 @@ func TestRootfsPropagationSlaveMount(t *testing.T) {
 
 	stdinW2.Close()
 	waitProcess(pconfig2, t)
-	stdinW.Close()
+	closeStdin(stdinW)
 	waitProcess(pconfig, t)
 
 	mountPropagated = false
@@ -1339,7 +1339,7 @@ func TestRootfsPropagationSharedMount(t *testing.T) {
 
 	err = container.Run(pconfig)
 	stdinR.Close()
-	defer stdinW.Close()
+	defer closeStdin(stdinW)
 	ok(t, err)
 
 	// Create mnt1host/mnt2cont.  This will become visible inside container
@@ -1377,7 +1377,7 @@ func TestRootfsPropagationSharedMount(t *testing.T) {
 	// Wait for process
 	stdinW2.Close()
 	waitProcess(pconfig2, t)
-	stdinW.Close()
+	closeStdin(stdinW)
 	waitProcess(pconfig, t)
 
 	defer unmountOp(dir2host)

diff --git a/libcontainer/integration/execin_test.go b/libcontainer/integration/execin_test.go
@@ -38,7 +38,7 @@ func TestExecIn(t *testing.T) {
 	}
 	err = container.Run(process)
 	stdinR.Close()
-	defer stdinW.Close()
+	defer closeStdin(stdinW)
 	ok(t, err)
 
 	buffers := newStdBuffers()
@@ -54,7 +54,7 @@ func TestExecIn(t *testing.T) {
 	err = container.Run(ps)
 	ok(t, err)
 	waitProcess(ps, t)
-	stdinW.Close()
+	closeStdin(stdinW)
 	waitProcess(process, t)
 
 	out := buffers.Stdout.String()
@@ -105,7 +105,7 @@ func testExecInRlimit(t *testing.T, userns bool) {
 	}
 	err = container.Run(process)
 	stdinR.Close()
-	defer stdinW.Close()
+	defer closeStdin(stdinW)
 	ok(t, err)
 
 	buffers := newStdBuffers()
@@ -125,7 +125,7 @@ func testExecInRlimit(t *testing.T, userns bool) {
 	ok(t, err)
 	waitProcess(ps, t)
 
-	stdinW.Close()
+	closeStdin(stdinW)
 	waitProcess(process, t)
 
 	out := buffers.Stdout.String()
@@ -159,7 +159,7 @@ func TestExecInAdditionalGroups(t *testing.T) {
 	}
 	err = container.Run(process)
 	stdinR.Close()
-	defer stdinW.Close()
+	defer closeStdin(stdinW)
 	ok(t, err)
 
 	var stdout bytes.Buffer
@@ -177,7 +177,7 @@ func TestExecInAdditionalGroups(t *testing.T) {
 	// Wait for process
 	waitProcess(&pconfig, t)
 
-	stdinW.Close()
+	closeStdin(stdinW)
 	waitProcess(process, t)
 
 	outputGroups := string(stdout.Bytes())
@@ -216,7 +216,7 @@ func TestExecInError(t *testing.T) {
 	err = container.Run(process)
 	stdinR.Close()
 	defer func() {
-		stdinW.Close()
+		closeStdin(stdinW)
 		if _, err := process.Wait(); err != nil {
 			t.Log(err)
 		}
@@ -267,7 +267,7 @@ func TestExecInTTY(t *testing.T) {
 	}
 	err = container.Run(process)
 	stdinR.Close()
-	defer stdinW.Close()
+	defer closeStdin(stdinW)
 	ok(t, err)
 
 	var stdout bytes.Buffer
@@ -292,7 +292,7 @@ func TestExecInTTY(t *testing.T) {
 	}
 	waitProcess(ps, t)
 
-	stdinW.Close()
+	closeStdin(stdinW)
 	waitProcess(process, t)
 
 	out := stdout.String()
@@ -324,7 +324,7 @@ func TestExecInEnvironment(t *testing.T) {
 	}
 	err = container.Run(process)
 	stdinR.Close()
-	defer stdinW.Close()
+	defer closeStdin(stdinW)
 	ok(t, err)
 
 	buffers := newStdBuffers()
@@ -345,7 +345,7 @@ func TestExecInEnvironment(t *testing.T) {
 	ok(t, err)
 	waitProcess(process2, t)
 
-	stdinW.Close()
+	closeStdin(stdinW)
 	waitProcess(process, t)
 
 	out := buffers.Stdout.String()
@@ -388,7 +388,7 @@ func TestExecinPassExtraFiles(t *testing.T) {
 	}
 	err = container.Run(process)
 	stdinR.Close()
-	defer stdinW.Close()
+	defer closeStdin(stdinW)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -410,7 +410,7 @@ func TestExecinPassExtraFiles(t *testing.T) {
 	}
 
 	waitProcess(inprocess, t)
-	stdinW.Close()
+	closeStdin(stdinW)
 	waitProcess(process, t)
 
 	out := string(stdout.Bytes())
@@ -461,7 +461,7 @@ func TestExecInOomScoreAdj(t *testing.T) {
 	}
 	err = container.Run(process)
 	stdinR.Close()
-	defer stdinW.Close()
+	defer closeStdin(stdinW)
 	ok(t, err)
 
 	buffers := newStdBuffers()
@@ -477,7 +477,7 @@ func TestExecInOomScoreAdj(t *testing.T) {
 	ok(t, err)
 	waitProcess(ps, t)
 
-	stdinW.Close()
+	closeStdin(stdinW)
 	waitProcess(process, t)
 
 	out := buffers.Stdout.String()
@@ -516,7 +516,7 @@ func TestExecInUserns(t *testing.T) {
 	}
 	err = container.Run(process)
 	stdinR.Close()
-	defer stdinW.Close()
+	defer closeStdin(stdinW)
 	ok(t, err)
 
 	initPID, err := process.Pid()
@@ -537,7 +537,7 @@ func TestExecInUserns(t *testing.T) {
 	err = container.Run(process2)
 	ok(t, err)
 	waitProcess(process2, t)
-	stdinW.Close()
+	closeStdin(stdinW)
 	waitProcess(process, t)
 
 	if out := strings.TrimSpace(buffers.Stdout.String()); out != initUserns {

diff --git a/libcontainer/integration/utils_test.go b/libcontainer/integration/utils_test.go
@@ -5,6 +5,7 @@ import (
 	"crypto/md5"
 	"encoding/hex"
 	"fmt"
+	"io"
 	"io/ioutil"
 	"os"
 	"os/exec"
@@ -52,6 +53,14 @@ func ok(t testing.TB, err error) {
 	}
 }
 
+func closeStdin(w io.WriteCloser) {
+	// Now, a sane shell wouldn't require this, but busybox is not sane. For
+	// some reason, busybox will not wait(-1) until you enter a newline. It
+	// doesn't make any sense.
+	w.Write([]byte("\n"))
+	w.Close()
+}
+
 func waitProcess(p *libcontainer.Process, t *testing.T) {
 	_, file, line, _ := runtime.Caller(1)
 	status, err := p.Wait()