On 07/15/2013 03:59 AM, Daniel P. Berrange wrote:
On Mon, Jul 15, 2013 at 03:40:53PM +0800, Gao feng wrote:
> On 07/13/2013 01:35 AM, Eric Blake wrote:
>> Commit 75c1256 states that virGetGroupList must not be called
>> between fork and exec, then commit ee777e99 promptly violated
>> that for lxc. Hoist the group detection to occur before clone.
>>
>> * src/lxc/lxc_container.c (__lxc_child_argv): Add members.
>> (lxcContainerSetID): Adjust signature.
>> (lxcContainerChild, lxcContainerStart): Adjust callers.
>>
>> Signed-off-by: Eric Blake <eblake(a)redhat.com>
>> ---
>> -
>> /* Only call virSetUIDGID when user namespace is enabled
>> * for this container. And user namespace is only enabled
>> * when nuidmap&ngidmap is not zero */
>>
>> VIR_DEBUG("Set UID/GID to 0/0");
>> - if (def->idmap.nuidmap &&
>> - ((ngroups = virGetGroupList(0, 0, &groups) < 0) ||
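Review bot: the removed line `((ngroups = virGetGroupList(0, 0, &groups) < 0) ||` has an operator-precedence defect worth naming in the commit message: `<` binds tighter than `=`, so `ngroups` received 0 or 1 rather than the group count; the intended form is `(ngroups = virGetGroupList(0, 0, &groups)) < 0`, or, as the follow-up discussion suggests, dropping the lookup and passing `NULL, 0` for the groups. Separately, the comment kept above the hunk says user namespaces are enabled only when both `nuidmap` and `ngidmap` are non-zero, yet the condition tests `def->idmap.nuidmap` alone; either the comment or the test should be aligned.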
>
'initgroups' will continually call setgroups() removing the last GID
from the list each time until it succeeds. This is somewhat dubious
behaviour IMHO, which again makes me think we should just not set any
supplementary groups in LXC
Then it sounds like I need a v2 that calls virSetUIDGID(0, 0, NULL, 0),
which forces the implementation to not set any supplementary groups.
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library
http://libvirt.org
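The split the thread settles on, shown as an added example that is not libvirt code: the group lookup (getpwnam, getgrouplist, which may allocate and take locks) runs in the parent before fork/clone, and the child, between fork and exec, only issues the plain setgroups/setgid/setuid syscalls on a list it was handed. Passing NULL and 0 skips setgroups entirely, which is the "no supplementary groups" variant Eric plans for v2; note that this leaves the child with whatever supplementary groups the parent had. The names prepare_ids, apply_ids_in_child and spawn_with_ids are assumptions for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Credentials resolved in the parent, before fork/clone (hypothetical type). */
struct child_ids {
    uid_t uid;
    gid_t gid;
    gid_t *groups;  /* NULL with ngroups == 0 means "do not touch supplementary groups" */
    int ngroups;
};

/* Parent side: allowed to call getpwnam/getgrouplist, malloc, etc.
 * Returns 0 on success, -1 with errno set otherwise. */
int prepare_ids(const char *user, struct child_ids *ids)
{
    errno = 0;
    struct passwd *pw = getpwnam(user);
    if (!pw) {
        if (errno == 0)
            errno = ENOENT;
        return -1;
    }
    int n = 8;
    gid_t *groups = malloc((size_t)n * sizeof *groups);
    if (!groups)
        return -1;
    /* getgrouplist returns -1 and stores the required size in n when the buffer is too small. */
    while (getgrouplist(user, pw->pw_gid, groups, &n) == -1) {
        int wanted = n;
        if (wanted <= 0 || wanted > 65536) {  /* guard against an implementation that never grows */
            free(groups);
            errno = ERANGE;
            return -1;
        }
        gid_t *bigger = realloc(groups, (size_t)wanted * sizeof *groups);
        if (!bigger) {
            free(groups);
            return -1;
        }
        groups = bigger;
    }
    ids->uid = pw->pw_uid;
    ids->gid = pw->pw_gid;
    ids->groups = groups;
    ids->ngroups = n;
    return 0;
}

/* Child side, between fork and exec: nothing here allocates, locks or looks up NSS;
 * setgroups/setgid/setuid are direct syscalls. Returns 0 on success, -1 on failure. */
int apply_ids_in_child(const struct child_ids *ids)
{
    if (ids->ngroups > 0 && setgroups((size_t)ids->ngroups, ids->groups) < 0)
        return -1;
    if (setgid(ids->gid) < 0)
        return -1;
    if (setuid(ids->uid) < 0)
        return -1;
    return 0;
}

/* Fork, switch identity in the child, and report the child's exit status
 * (a real launcher would exec right after apply_ids_in_child). -1 on fork/wait failure. */
int spawn_with_ids(const struct child_ids *ids)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(apply_ids_in_child(ids) == 0 ? 0 : 1);
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Does the resolved supplementary list contain gid? (getgrouplist includes the base gid.) */
int ids_contain_gid(const struct child_ids *ids, gid_t gid)
{
    for (int i = 0; i < ids->ngroups; i++)
        if (ids->groups[i] == gid)
            return 1;
    return 0;
}

int main(void)
{
    struct child_ids ids;
    if (prepare_ids("root", &ids) < 0) {
        perror("prepare_ids");
        return 1;
    }
    printf("root: uid=%u gid=%u ngroups=%d\n",
           (unsigned)ids.uid, (unsigned)ids.gid, ids.ngroups);
    free(ids.groups);
    /* The NULL/0 variant applied to our own identity: no setgroups call at all. */
    struct child_ids self = { getuid(), getgid(), NULL, 0 };
    int rc = spawn_with_ids(&self);
    printf("child exit status: %d\n", rc);
    return rc;
}
```

Running it unprivileged works because setgid/setuid to one's own real ids are always permitted; the root lookup only exercises the parent-side path and never switches to root.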