Fix the fd leaking to aardvark-dns.

jankaluza · jankaluza · commit d9914ff27d56 · 2025-04-15T13:24:03.000+02:00
The openDirectory function is missing the unix.O_CLOEXEC flag.
As a result, this file descriptor can leak into the aardvark-dns
process which can then block the umount of rootfs - in this case,
the umount fails with "Device or Resource busy" error message.

This commits adds the unix.O_CLOEXEC to unix.Open call, resulting
in this fd to be closed on aardvark-dns exec.

Signed-off-by: Jan Kaluza &lt;jkaluza@redhat.com&gt;
diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go
@@ -440,7 +440,7 @@ func (c *Container) getOCICgroupPath() (string, error) {
 }
 
 func openDirectory(path string) (fd int, err error) {
-	return unix.Open(path, unix.O_RDONLY|unix.O_PATH, 0)
+	return unix.Open(path, unix.O_RDONLY|unix.O_PATH|unix.O_CLOEXEC, 0)
 }
 
 func (c *Container) addNetworkNamespace(g *generate.Generator) error {

Original file line number	Diff line number	Diff line change
`@@ -440,7 +440,7 @@ func (c *Container) getOCICgroupPath() (string, error) {`
`440`	`440`	`}`
`441`	`441`
`442`	`442`	`func openDirectory(path string) (fd int, err error) {`
`443`		`- return unix.Open(path, unix.O_RDONLY\|unix.O_PATH, 0)`
	`443`	`+ return unix.Open(path, unix.O_RDONLY\|unix.O_PATH\|unix.O_CLOEXEC, 0)`
`444`	`444`	`}`
`445`	`445`
`446`	`446`	`func (c Container) addNetworkNamespace(g generate.Generator) error {`