[systemd-devel] [PATCH] nspawn: close extra fds before execing init
Alban Crequy
alban.crequy at gmail.com
Mon May 18 07:45:30 PDT 2015
From: Alban Crequy <alban at endocode.com>
When systemd-nspawn gets exec*()ed, it inherits the followings file
descriptors:
- 0, 1, 2: stdin, stdout, stderr
- SD_LISTEN_FDS_START, ... SD_LISTEN_FDS_START+LISTEN_FDS: file
descriptors passed by the system manager (useful for socket
activation). They are passed to the child process (process leader).
- extra lock fd: rkt passes a locked directory as an extra fd, so the
directory remains locked as long as the container is alive.
systemd-nspawn used to close all open fds except 0, 1, 2 and the
SD_LISTEN_FDS_START..SD_LISTEN_FDS_START+LISTEN_FDS. This patch delays
the close just before the exec so the nspawn process (parent) keeps the
extra fds open.
This patch supersedes the previous attempt ("cloexec extraneous fds"):
http://lists.freedesktop.org/archives/systemd-devel/2015-May/031608.html
---
src/nspawn/nspawn.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index 8aa7b45..85a7bad 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -3998,7 +3998,6 @@ int main(int argc, char *argv[]) {
goto finish;
}
}
- fdset_close_others(fds);
log_open();
if (arg_directory) {
@@ -4509,6 +4508,8 @@ int main(int argc, char *argv[]) {
* setup, too... */
(void) barrier_place_and_sync(&barrier); /* #5 */
+ (void) fdset_close_others(fds);
+
if (arg_boot) {
char **a;
size_t l;
--
2.1.4
More information about the systemd-devel
mailing list