From 42cea2ecb43d7cf0637ac683d8edbc2b12013ae5 Mon Sep 17 00:00:00 2001 From: Kir Kolyshkin Date: Mon, 6 May 2024 18:18:36 -0700 Subject: [PATCH] libct: don't allow to start second init process By definition, every container has only 1 init (i.e. PID 1) process. Apparently, libcontainer API supported running more than 1 init, and at least one tests mistakenly used it. Let's not allow that, erroring out if we already have init. Doing otherwise _probably_ results in some confusion inside the library. Fix two cases in libct/int which ran two inits inside a container. Signed-off-by: Kir Kolyshkin --- libcontainer/container_linux.go | 3 +++ libcontainer/integration/execin_test.go | 2 -- 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go
index 7566afd25b3..3af5da7dcd7 100644
--- a/libcontainer/container_linux.go
+++ b/libcontainer/container_linux.go
@@ -306,6 +306,9 @@ func (c *Container) start(process *Process) (retErr error) {
 return errors.New("can't start container with SkipDevices set")
 }
 if process.Init {
+ if c.initProcessStartTime != 0 {
+ return errors.New("container already has init process")
+ }
 if err := c.createExecFifo(); err != nil {
 return err
 }
diff --git a/libcontainer/integration/execin_test.go b/libcontainer/integration/execin_test.go
index c5c324130c6..b9683b76442 100644
--- a/libcontainer/integration/execin_test.go
+++ b/libcontainer/integration/execin_test.go
@@ -115,7 +115,6 @@ func testExecInRlimit(t *testing.T, userns bool) {
 // increase process rlimit higher than container rlimit to test per-process limit
 {Type: unix.RLIMIT_NOFILE, Hard: 1026, Soft: 1026},
 },
- Init: true,
 }
 err = container.Run(ps)
 ok(t, err)
@@ -359,7 +358,6 @@ func TestExecInEnvironment(t *testing.T) {
 Stdin: buffers.Stdin,
 Stdout: buffers.Stdout,
 Stderr: buffers.Stderr,
- Init: true,
 }
 err = container.Run(process2)
 ok(t, err)
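Review bot: The new guard in the `if process.Init` branch of container_linux.go has no test that exercises it: the only test changes in this patch are the two `Init: true` removals in execin_test.go, so nothing asserts that a second `Run` with `Init: true` on the same container returns an error. Since the guard enforces the single-PID-1 invariant the description relies on, a small integration test pinning the rejection would keep it from regressing silently. The guard also treats `c.initProcessStartTime != 0` as the proxy for "init already exists"; where that field is set and cleared is outside the hunk, so a comment above the check such as `// A non-zero start time means an init process was already started or loaded from state.` would record the assumption, once confirmed against the code that assigns it. The body of start continues outside the hunk.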