cli/components/engine/pkg/libcontainer/nsinit/execin.go

package main

import (
	"fmt"
	"github.com/dotcloud/docker/pkg/libcontainer"
	"github.com/dotcloud/docker/pkg/libcontainer/capabilities"
	"github.com/dotcloud/docker/pkg/system"
	"os"
	"path/filepath"
	"strconv"
	"syscall"
)

func execinCommand(container *libcontainer.Container, nspid int, args []string) (int, error) {
	for _, ns := range container.Namespaces {
		if err := system.Unshare(namespaceMap[ns]); err != nil {
			return -1, err
		}
	}
	fds, err := getNsFds(nspid, container)
	closeFds := func() {
		for _, f := range fds {
			system.Closefd(f)
		}
	}
	if err != nil {
		closeFds()
		return -1, err
	}

	for _, fd := range fds {
		if fd > 0 {
			if err := system.Setns(fd, 0); err != nil {
				closeFds()
				return -1, fmt.Errorf("setns %s", err)
			}
		}
		system.Closefd(fd)
	}

	// if the container has a new pid and mount namespace we need to
	// remount proc and sys to pick up the changes
	if container.Namespaces.Contains(libcontainer.CLONE_NEWNS) &&
		container.Namespaces.Contains(libcontainer.CLONE_NEWPID) {

		pid, err := system.Fork()
		if err != nil {
			return -1, err
		}
		if pid == 0 {
			// TODO: make all raw syscalls to be fork safe
			if err := system.Unshare(syscall.CLONE_NEWNS); err != nil {
				return -1, err
			}
			if err := remountProc(); err != nil {
				return -1, fmt.Errorf("remount proc %s", err)
			}
			if err := remountSys(); err != nil {
				return -1, fmt.Errorf("remount sys %s", err)
			}
			if err := capabilities.DropCapabilities(container); err != nil {
				return -1, fmt.Errorf("drop capabilities %s", err)
			}
			if err := system.Exec(args[0], args[0:], container.Env); err != nil {
				return -1, err
			}
		}
		proc, err := os.FindProcess(pid)
		if err != nil {
			return -1, err
		}
		state, err := proc.Wait()
		if err != nil {
			return -1, err
		}
		os.Exit(state.Sys().(syscall.WaitStatus).ExitStatus())
	}
	if err := capabilities.DropCapabilities(container); err != nil {
		return -1, fmt.Errorf("drop capabilities %s", err)
	}
	if err := system.Exec(args[0], args[0:], container.Env); err != nil {
		return -1, err
	}
	panic("unreachable")
}

func getNsFds(pid int, container *libcontainer.Container) ([]uintptr, error) {
	fds := make([]uintptr, len(container.Namespaces))
	for i, ns := range container.Namespaces {
		f, err := os.OpenFile(filepath.Join("/proc/", strconv.Itoa(pid), "ns", namespaceFileMap[ns]), os.O_RDONLY, 0)
		if err != nil {
			return fds, err
		}
		fds[i] = f.Fd()
	}
	return fds, nil
}