StartContainer will start a new container in the sandbox.
(args *StartContainerArgs, _ *uint32)
| 200 | |
| 201 | // StartContainer will start a new container in the sandbox. |
| 202 | func (l *Lifecycle) StartContainer(args *StartContainerArgs, _ *uint32) error { |
| 203 | timeRequested := time.Now() |
| 204 | timeRequestReceived := ×tamppb.Timestamp{ |
| 205 | Seconds: timeRequested.Unix(), |
| 206 | Nanos: int32(timeRequested.Nanosecond()), |
| 207 | } |
| 208 | log.Infof("StartContainer: %v", args) |
| 209 | if len(args.Files) != len(args.DonatedFDs) { |
| 210 | return fmt.Errorf("FilePayload.Files and DonatedFDs must have same number of elements (%d != %d)", len(args.Files), len(args.DonatedFDs)) |
| 211 | } |
| 212 | |
| 213 | l.mu.RLock() |
| 214 | contNS, ok := l.ContainerNamespacesMap[args.ContainerID] |
| 215 | if !ok { |
| 216 | l.mu.RUnlock() |
| 217 | return fmt.Errorf("mount namespace is nil for %s", args.ContainerID) |
| 218 | } |
| 219 | l.mu.RUnlock() |
| 220 | |
| 221 | uid := args.KUID |
| 222 | gid := args.KGID |
| 223 | if args.User != "" { |
| 224 | if uid != 0 || gid != 0 { |
| 225 | return fmt.Errorf("container spec specified both an explicit UID/GID and a user name, only one or the other may be provided") |
| 226 | } |
| 227 | uid, gid = user.GetExecUIDGIDFromUser(l.Kernel.SupervisorContext(), contNS.MountNamespace, args.User) |
| 228 | } |
| 229 | |
| 230 | creds := auth.NewUserCredentials( |
| 231 | uid, |
| 232 | gid, |
| 233 | nil, /* extraKGIDs */ |
| 234 | nil, /* capabilities */ |
| 235 | l.Kernel.RootUserNamespace()) |
| 236 | |
| 237 | ls, err := limits.NewLinuxDistroLimitSet() |
| 238 | if err != nil { |
| 239 | return fmt.Errorf("error creating default limit set: %w", err) |
| 240 | } |
| 241 | for name, limit := range args.Limits { |
| 242 | lt, ok := limits.FromLinuxResourceName[name] |
| 243 | if !ok { |
| 244 | return fmt.Errorf("unknown limit %q", name) |
| 245 | } |
| 246 | ls.SetUnchecked(lt, limit) |
| 247 | } |
| 248 | |
| 249 | initArgs := kernel.CreateProcessArgs{ |
| 250 | Filename: args.Filename, |
| 251 | Argv: args.Argv, |
| 252 | // Order Envv before SecretEnvv. |
| 253 | Envv: append(args.Envv, args.SecretEnvv...), |
| 254 | WorkingDirectory: args.WorkingDirectory, |
| 255 | Credentials: creds, |
| 256 | Umask: 0022, |
| 257 | Limits: ls, |
| 258 | MaxSymlinkTraversals: linux.MaxSymlinkTraversals, |
| 259 | UTSNamespace: l.Kernel.RootUTSNamespace(), |
nothing calls this directly
no test coverage detected