
Commit 7062c75

committed
Apply cgroups earlier
This applies cgroups earlier during container creation, before the init process starts running and forks off any additional processes. Signed-off-by: Michael Crosby <[email protected]>
1 parent 5274430 commit 7062c75

1 file changed

+17
-14
lines changed


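--- a/libcontainer/process_linux.go
+++ b/libcontainer/process_linux.go
@@ -273,20 +273,6 @@ func (p *initProcess) start() error {
 		p.process.ops = nil
 		return newSystemErrorWithCause(err, "starting init process command")
 	}
-	if _, err := io.Copy(p.parentPipe, p.bootstrapData); err != nil {
-		return newSystemErrorWithCause(err, "copying bootstrap data to pipe")
-	}
-	if err := p.execSetns(); err != nil {
-		return newSystemErrorWithCause(err, "running exec setns process for init")
-	}
-	// Save the standard descriptor names before the container process
-	// can potentially move them (e.g., via dup2()). If we don't do this now,
-	// we won't know at checkpoint time which file descriptor to look up.
-	fds, err := getPipeFds(p.pid())
-	if err != nil {
-		return newSystemErrorWithCausef(err, "getting pipe fds for pid %d", p.pid())
-	}
-	p.setExternalDescriptors(fds)
 	// Do this before syncing with child so that no children can escape the
 	// cgroup. We don't need to worry about not doing this and not being root
 	// because we'd be using the rootless cgroup manager in that case.
@@ -307,6 +293,23 @@ func (p *initProcess) start() error {
 			}
 		}
 	}()
+
+	if _, err := io.Copy(p.parentPipe, p.bootstrapData); err != nil {
+		return newSystemErrorWithCause(err, "copying bootstrap data to pipe")
+	}
+
+	if err := p.execSetns(); err != nil {
+		return newSystemErrorWithCause(err, "running exec setns process for init")
+	}
+
+	// Save the standard descriptor names before the container process
+	// can potentially move them (e.g., via dup2()). If we don't do this now,
+	// we won't know at checkpoint time which file descriptor to look up.
+	fds, err := getPipeFds(p.pid())
+	if err != nil {
+		return newSystemErrorWithCausef(err, "getting pipe fds for pid %d", p.pid())
+	}
+	p.setExternalDescriptors(fds)
 	if err := p.createNetworkInterfaces(); err != nil {
 		return newSystemErrorWithCause(err, "creating network interfaces")
 	}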
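Review bot: After the move, a failure in the relocated `io.Copy`, `execSetns()` or `getPipeFds` steps now occurs with the init process already placed in its cgroup, so the deferred cleanup that closes at `}()` at the top of the second hunk has to observe those errors; the `if _, err := io.Copy(...)` and `if err := p.execSetns()` guards declare block-scoped `err` variables that a closure capturing the function-scope `err` would never see. If that closure is indeed keyed on the outer `err` (its body lies outside the hunk), change the guards to plain assignment, `if _, err = io.Copy(p.parentPipe, p.bootstrapData); err != nil {` and `if err = p.execSetns(); err != nil {`, so an early return still triggers cgroup teardown rather than leaving an applied cgroup and a possibly still-running init behind. The `fds, err := getPipeFds(p.pid())` line is fine provided `err` already exists at that scope, since `:=` then reuses it. The body of start() begins and ends outside both hunks.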
