namespaces: allow to use pid namespace without mount namespace #358
The gocapability package uses /proc/PID/status to get a bounding set. If a container uses pidns without mntns, it sees /proc from the host namespace, but the process doesn't know its own pid in this namespace. In this case it can use /proc/self/status, which is always the right one. Signed-off-by: Andrew Vagin <[email protected]>
@@ -11,7 +9,7 @@ const allCapabilityTypes = capability.CAPS | capability.BOUNDS | |||
// DropBoundingSet drops the capability bounding set to those specified in the | |||
// container configuration. | |||
func DropBoundingSet(capabilities []string) error { | |||
c, err := capability.NewPid(os.Getpid()) | |||
c, err := capability.NewPid(0) |
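Review bot: the bare 0 passed to capability.NewPid in DropBoundingSet is a magic value that the hunk leaves unexplained; add a one-line comment on the new line, for example `// 0 = calling process: gocapability reads /proc/self/status instead of /proc/<pid>/status`, noting that this is what makes the call correct when the container has a pid namespace but no mount namespace and /proc still belongs to the host pidns. The change also only works with a gocapability that accepts 0, so the vendored copy has to be bumped in the same PR; the drone failure reported in this thread points at exactly that mismatch.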
what does 0 mean here?
@crosbymichael Change capabilities of the calling process. os.Getpid() and 0 are the same except in the case when you try to access /proc from another pidns
Seems like drone is failing because of this
@LK4D4 I have not committed changes in the vendor directory.
Signed-off-by: Andrey Vagin <[email protected]>
LGTM
LGTM
namespaces: allow to use pid namespace without mount namespace
gocapability has supported 0 as "the current PID" since syndtr/gocapability@5e7cce49 (Allow to use the zero value for pid to operate with the current task, 2015-01-15, syndtr/gocapability#2). libcontainer was ported to that approach in 444cc29 (namespaces: allow to use pid namespace without mount namespace, 2015-01-27, docker-archive/libcontainer#358), but the change was clobbered by 22df555 (Merge branch 'master' into api, 2015-02-19, docker-archive/libcontainer#388) which landed via 5b73860 (Merge pull request opencontainers#388 from docker/api, 2015-02-19, docker-archive/libcontainer#388). This commit restores the changes from 444cc29. Signed-off-by: W. Trevor King <[email protected]>
The gocapability package uses /proc/PID/status to get a bounding set.
If a container uses pidns without mntns, it sees /proc from the host
namespace, but the process doesn't know its own pid in this namespace.
In this case it can use /proc/self/status, which is always the right one.
Signed-off-by: Andrew Vagin <[email protected]>
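The mechanism behind the PR description and the commit message above, as an added example that is not code from libcontainer or gocapability: the bounding set is read from the CapBnd field of /proc/PID/status, and pid 0 is mapped to /proc/self/status so the lookup never depends on knowing the caller's pid in the namespace that owns /proc. The function names (statusPath, statusField, parseCapBnd, parsePid, boundingSet, foreignProc) and the sampleStatus text are this example's own inventions; gocapability's real parser is not reproduced here.

```go
// Added example, not libcontainer or gocapability code. Shows why reading the
// bounding set through /proc/self is correct even when /proc belongs to the
// host pid namespace, while /proc/<getpid()> is not.
package main

import (
	"bufio"
	"errors"
	"fmt"
	"io"
	"os"
	"strconv"
	"strings"
)

// sampleStatus is a constructed /proc/PID/status excerpt for offline use;
// it was not captured from a real system.
const sampleStatus = "Name:\tsh\nPid:\t4242\nNSpid:\t4242\t1\nCapBnd:\t0000003fffffffff\n"

// statusPath follows the convention the thread discusses: pid 0 means the
// calling process and is served through /proc/self, which the kernel resolves
// inside the pid namespace that owns the mounted procfs.
func statusPath(pid int) string {
	if pid == 0 {
		return "/proc/self/status"
	}
	return "/proc/" + strconv.Itoa(pid) + "/status"
}

// statusField returns the value of the "<key>:" line of a status file body.
func statusField(r io.Reader, key string) (string, error) {
	prefix := key + ":"
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		if line := sc.Text(); strings.HasPrefix(line, prefix) {
			return strings.TrimSpace(strings.TrimPrefix(line, prefix)), nil
		}
	}
	if err := sc.Err(); err != nil {
		return "", err
	}
	return "", errors.New("field " + key + " not found in status")
}

// parseCapBnd decodes the CapBnd hex mask, i.e. the capability bounding set.
func parseCapBnd(r io.Reader) (uint64, error) {
	v, err := statusField(r, "CapBnd")
	if err != nil {
		return 0, err
	}
	return strconv.ParseUint(v, 16, 64)
}

// parsePid decodes the Pid field. procfs reports it relative to the pid
// namespace the procfs instance was mounted in, not the reader's namespace.
func parsePid(r io.Reader) (int, error) {
	v, err := statusField(r, "Pid")
	if err != nil {
		return 0, err
	}
	return strconv.Atoi(v)
}

// boundingSet reads the bounding set of pid (0 = calling process) via procfs.
func boundingSet(pid int) (uint64, error) {
	f, err := os.Open(statusPath(pid))
	if err != nil {
		return 0, err
	}
	defer f.Close()
	return parseCapBnd(f)
}

// foreignProc reports whether /proc belongs to a pid namespace other than the
// caller's, by comparing getpid() with the Pid that /proc/self/status shows.
func foreignProc() (bool, error) {
	f, err := os.Open(statusPath(0))
	if err != nil {
		return false, err
	}
	defer f.Close()
	procPid, err := parsePid(f)
	if err != nil {
		return false, err
	}
	return procPid != os.Getpid(), nil
}

func main() {
	foreign, err := foreignProc()
	if err != nil {
		fmt.Println("cannot read /proc/self/status:", err)
		return
	}
	fmt.Println("/proc owned by another pid namespace:", foreign)
	self, err := boundingSet(0) // the NewPid(0) lookup
	if err != nil {
		fmt.Println("lookup via /proc/self failed:", err)
		return
	}
	// The os.Getpid() lookup this PR replaced: with a foreign /proc it names
	// the wrong process or none at all.
	byPid, err := boundingSet(os.Getpid())
	fmt.Printf("CapBnd via /proc/self: %#x\n", self)
	if err != nil {
		fmt.Printf("CapBnd via /proc/%d: %v\n", os.Getpid(), err)
	} else {
		fmt.Printf("CapBnd via /proc/%d: %#x (match=%v)\n", os.Getpid(), byPid, byPid == self)
	}
}
```

To reproduce the condition the PR fixes on Linux with util-linux, build the program and run it under `sudo unshare --pid --fork ./prog` (no `--mount-proc`): getpid() returns 1 in the new namespace while /proc is still the host's, so foreignProc reports true and the /proc/1 lookup describes the host's init rather than the program. Adding `--mount-proc` gives the container-like case where both lookups agree.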