MCPcopy
hub / github.com/google/gvisor / StartContainer

Method StartContainer

pkg/sentry/control/lifecycle.go:202–394  ·  view source on GitHub ↗

StartContainer will start a new container in the sandbox.

(args *StartContainerArgs, _ *uint32)

Source from the content-addressed store, hash-verified

200
201// StartContainer will start a new container in the sandbox.
202func (l *Lifecycle) StartContainer(args *StartContainerArgs, _ *uint32) error {
203 timeRequested := time.Now()
204 timeRequestReceived := &timestamppb.Timestamp{
205 Seconds: timeRequested.Unix(),
206 Nanos: int32(timeRequested.Nanosecond()),
207 }
208 log.Infof("StartContainer: %v", args)
209 if len(args.Files) != len(args.DonatedFDs) {
210 return fmt.Errorf("FilePayload.Files and DonatedFDs must have same number of elements (%d != %d)", len(args.Files), len(args.DonatedFDs))
211 }
212
213 l.mu.RLock()
214 contNS, ok := l.ContainerNamespacesMap[args.ContainerID]
215 if !ok {
216 l.mu.RUnlock()
217 return fmt.Errorf("mount namespace is nil for %s", args.ContainerID)
218 }
219 l.mu.RUnlock()
220
221 uid := args.KUID
222 gid := args.KGID
223 if args.User != "" {
224 if uid != 0 || gid != 0 {
225 return fmt.Errorf("container spec specified both an explicit UID/GID and a user name, only one or the other may be provided")
226 }
227 uid, gid = user.GetExecUIDGIDFromUser(l.Kernel.SupervisorContext(), contNS.MountNamespace, args.User)
228 }
229
230 creds := auth.NewUserCredentials(
231 uid,
232 gid,
233 nil, /* extraKGIDs */
234 nil, /* capabilities */
235 l.Kernel.RootUserNamespace())
236
237 ls, err := limits.NewLinuxDistroLimitSet()
238 if err != nil {
239 return fmt.Errorf("error creating default limit set: %w", err)
240 }
241 for name, limit := range args.Limits {
242 lt, ok := limits.FromLinuxResourceName[name]
243 if !ok {
244 return fmt.Errorf("unknown limit %q", name)
245 }
246 ls.SetUnchecked(lt, limit)
247 }
248
249 initArgs := kernel.CreateProcessArgs{
250 Filename: args.Filename,
251 Argv: args.Argv,
252 // Order Envv before SecretEnvv.
253 Envv: append(args.Envv, args.SecretEnvv...),
254 WorkingDirectory: args.WorkingDirectory,
255 Credentials: creds,
256 Umask: 0022,
257 Limits: ls,
258 MaxSymlinkTraversals: linux.MaxSymlinkTraversals,
259 UTSNamespace: l.Kernel.RootUTSNamespace(),

Callers

nothing calls this directly

Calls 15

NewContextMethod · 0.95
DecRefMethod · 0.95
updateContainerStateMethod · 0.95
reapMethod · 0.95
InfofFunction · 0.92
GetExecUIDGIDFromUserFunction · 0.92
NewUserCredentialsFunction · 0.92
NewLinuxDistroLimitSetFunction · 0.92
NewFromFilesFunction · 0.92
ImportFunction · 0.92
MakeFunction · 0.92
ResolveExecutablePathFunction · 0.92

Tested by

no test coverage detected