Wait for reexec to finish when fileOutput is nil #7292

Merged (1 commit), Aug 18, 2020
10 changes: 10 additions & 0 deletions pkg/rootless/rootless_linux.go
Expand Up @@ -233,6 +233,11 @@ func becomeRootInUserNS(pausePid, fileToRead string, fileOutput *os.File) (_ boo
if pid < 0 {
return false, -1, errors.Errorf("cannot re-exec process")
}
defer func() {
if retErr != nil {
C.reexec_in_user_namespace_wait(pidC, 0)
}
}()

uids, gids, err := GetConfiguredMappings()
if err != nil {
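Review bot: The deferred function at the top of this hunk discards the result of `C.reexec_in_user_namespace_wait(pidC, 0)` and only runs when `retErr != nil`, so it depends on `retErr` being the named error result in a signature that the hunk header truncates. Add a short comment above the `defer` stating that it reaps the re-exec'd child on error paths and that the wait status is ignored on purpose because the original error is the one returned, and confirm the error result is actually named `retErr`.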
Expand Down Expand Up @@ -294,6 +299,11 @@ func becomeRootInUserNS(pausePid, fileToRead string, fileOutput *os.File) (_ boo
}

if fileOutput != nil {
ret := C.reexec_in_user_namespace_wait(pidC, 0)
if ret < 0 {
return false, -1, errors.New("error waiting for the re-exec process")
}

Member

IDK, but will ask. We have a couple of other returns before the end of this function at lines 311 and 315. Do we need to call there too?

Contributor Author

I think we probably should. Can we defer a function that runs reexec_in_user_namespace_wait? Would there be a problem if we ran it against the same PID in rapid succession?

Member

@jdieter if we did the defer, we'd need to capture the status of the call and return appropriately based on that. I'm not sure that's doable with defer, @mheon or @vrothberg might have some smarter thoughts on that or my question in general.

Member

We could probably record the exit error and run it only when retErr != nil. What do you think?

Member

Makes sense to me.

Contributor Author

Ok, I'm not very proficient in Go, but tell me if my latest push has what you're looking for. I've set up a deferred function that waits for the child if retErr != nil. I don't bother with the return value from reexec_in_user_namespace_wait because we presumably are more interested in passing whatever error is causing us to bail.

return true, 0, nil
}
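Review bot: The `return false, -1, errors.New("error waiting for the re-exec process")` inside `if fileOutput != nil` leaves a non-nil error, so the `defer` from the first hunk will call `C.reexec_in_user_namespace_wait(pidC, 0)` on the same `pidC` a second time, right after the first wait failed. Either record that the child has already been waited on and skip the deferred call, or document why a repeated wait on the same PID is harmless. The error message also drops `ret`; including it would help when diagnosing failures. Separately, the PR title says the wait happens when fileOutput is nil, while this hunk waits in the `fileOutput != nil` branch, so one of the two should be corrected.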
