[systemd-devel] [PATCH] nspawn: close extra fds before execing init

Lennart Poettering lennart at poettering.net
Mon May 18 13:26:21 PDT 2015 

On Mon, 18.05.15 16:45, Alban Crequy (alban.crequy at gmail.com) wrote:

> From: Alban Crequy <alban at endocode.com>
> 
> When systemd-nspawn gets exec*()ed, it inherits the followings file
> descriptors:
> - 0, 1, 2: stdin, stdout, stderr
> - SD_LISTEN_FDS_START, ... SD_LISTEN_FDS_START+LISTEN_FDS: file
>   descriptors passed by the system manager (useful for socket
>   activation). They are passed to the child process (process leader).
> - extra lock fd: rkt passes a locked directory as an extra fd, so the
>   directory remains locked as long as the container is alive.
> 
> systemd-nspawn used to close all open fds except 0, 1, 2 and the
> SD_LISTEN_FDS_START..SD_LISTEN_FDS_START+LISTEN_FDS. This patch delays
> the close just before the exec so the nspawn process (parent) keeps the
> extra fds open.

Applied, but made some changes to it before. 

The log_close() + log_open() calls around fdeset_close_others() were
in place only to ensure that the fd used for logging internally by the
logging subsystem is cleanly closed, so that the logging subsystem
knows about it, and doesn't get confused by an abruptly closed
fd. This code of course needed to be moved down, as well.

> ---
>  src/nspawn/nspawn.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
> index 8aa7b45..85a7bad 100644
> --- a/src/nspawn/nspawn.c
> +++ b/src/nspawn/nspawn.c
> @@ -3998,7 +3998,6 @@ int main(int argc, char *argv[]) {
>                          goto finish;
>                  }
>          }
> -        fdset_close_others(fds);
>          log_open();
>  
>          if (arg_directory) {
> @@ -4509,6 +4508,8 @@ int main(int argc, char *argv[]) {
>                           * setup, too... */
>                          (void) barrier_place_and_sync(&barrier); /* #5 */
>  
> +                        (void) fdset_close_others(fds);
> +
>                          if (arg_boot) {
>                                  char **a;
>                                  size_t l;
> -- 
> 2.1.4
> 
> _______________________________________________
> systemd-devel mailing list
> systemd-devel at lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/systemd-devel


Lennart

-- 
Lennart Poettering, Red Hat

More information about the systemd-devel mailing list