-
Notifications
You must be signed in to change notification settings - Fork 355
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix clone(2) with double fork #217
Conversation
ad939ee
to
6a483bd
Compare
5e4497e
to
d243eef
Compare
@yihuaf |
Maybe, but if we don't use rootless, do we need to do double-fork? |
Try
and then
In the shell using |
There are 2 cases where we don't need to double fork.
|
Use blocking mio pipe directly.
I was able to confirm the change. Thank you very much. main
this pr
|
Does this mean that if uid_mapping and gid_mapping are not needed, double-fork is not needed? |
I was hoping these PRs would pass with this PR fix, but it looks like not. |
I will not point out any details in this PR. We will not point out details in this PR, because this PR is very important and will be very hard to merge because of the large number of changes. Those corrections will be made in the PR little by little. I am looking forward to your reviews. |
I will take a look at these tests right after this. #221 filed. |
Actually no. Without uid/gid mapping, we would still require double fork unless we are in one of two cases mentioned above. I think we can potentially improve this by differentiating which case to use, but it would take some effort to get all the corner cases right. The double fork implementation would cover all the cases and should be good enough for the moment. |
That's probably a good idea, and I am happy to continue to fix all the details. I will summarize the issue here again, and #185 contains a history of how we got here. Before this PR, the implementation was to use |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Superb!
Fix #185
This PR replaces clone(2) with double fork to create the container process. Double fork was the original implementation, and we wisely thought that we could improve it by using a single clone call. Turns out jokes on us that we can't use a single clone call. With clone, if we enter into a new pid namespace, we are OK. However, if we need to set_ns into an existing pid namespace, we are out of luck. So the right path forward needs to be double fork. For a more detailed discussion, see #185 why it doesn't work.
Also, turns out, this is a bigger change than I intended. So I apologize up front for the big change.