Merge pull request #4271 from kolyshkin/two-inits

libct.Start: fix locking, do not allow a second container init
opencontainers · Jun 11, 2024 · 9d60019 · 9d60019
2 parents 349e5ab + 42cea2e
commit 9d60019
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 21 deletions.
diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go
@@ -204,28 +204,16 @@ func (c *Container) Set(config configs.Config) error {
 func (c *Container) Start(process *Process) error {
 	c.m.Lock()
 	defer c.m.Unlock()
-	if c.config.Cgroups.Resources.SkipDevices {
-		return errors.New("can't start container with SkipDevices set")
-	}
-	if process.Init {
-		if err := c.createExecFifo(); err != nil {
-			return err
-		}
-	}
-	if err := c.start(process); err != nil {
-		if process.Init {
-			c.deleteExecFifo()
-		}
-		return err
-	}
-	return nil
+	return c.start(process)
 }
 
 // Run immediately starts the process inside the container. Returns an error if
 // the process fails to start. It does not block waiting for the exec fifo
 // after start returns but opens the fifo after start returns.
 func (c *Container) Run(process *Process) error {
-	if err := c.Start(process); err != nil {
+	c.m.Lock()
+	defer c.m.Unlock()
+	if err := c.start(process); err != nil {
 		return err
 	}
 	if process.Init {
@@ -314,6 +302,23 @@ type openResult struct {
 }
 
 func (c *Container) start(process *Process) (retErr error) {
+	if c.config.Cgroups.Resources.SkipDevices {
+		return errors.New("can't start container with SkipDevices set")
+	}
+	if process.Init {
+		if c.initProcessStartTime != 0 {
+			return errors.New("container already has init process")
+		}
+		if err := c.createExecFifo(); err != nil {
+			return err
+		}
+		defer func() {
+			if retErr != nil {
+				c.deleteExecFifo()
+			}
+		}()
+	}
+
 	parent, err := c.newParentProcess(process)
 	if err != nil {
 		return fmt.Errorf("unable to create new parent process: %w", err)
@@ -417,9 +422,6 @@ func (c *Container) createExecFifo() error {
 	}
 
 	fifoName := filepath.Join(c.stateDir, execFifoFilename)
-	if _, err := os.Stat(fifoName); err == nil {
-		return fmt.Errorf("exec fifo %s already exists", fifoName)
-	}
 	if err := unix.Mkfifo(fifoName, 0o622); err != nil {
 		return &os.PathError{Op: "mkfifo", Path: fifoName, Err: err}
 	}

diff --git a/libcontainer/integration/execin_test.go b/libcontainer/integration/execin_test.go
@@ -115,7 +115,6 @@ func testExecInRlimit(t *testing.T, userns bool) {
 			// increase process rlimit higher than container rlimit to test per-process limit
 			{Type: unix.RLIMIT_NOFILE, Hard: 1026, Soft: 1026},
 		},
-		Init: true,
 	}
 	err = container.Run(ps)
 	ok(t, err)
@@ -359,7 +358,6 @@ func TestExecInEnvironment(t *testing.T) {
 		Stdin:  buffers.Stdin,
 		Stdout: buffers.Stdout,
 		Stderr: buffers.Stderr,
-		Init:   true,
 	}
 	err = container.Run(process2)
 	ok(t, err)