| 1307 | |
| 1308 | // +checklocks:l.mu |
| 1309 | func (l *Loader) createContainerProcess(info *containerInfo) (*kernel.ThreadGroup, *host.TTYFileDescription, error) { |
| 1310 | // Create the FD map, which will set stdin, stdout, and stderr. |
| 1311 | ctx := info.procArgs.NewContext(l.k) |
| 1312 | fdTable, ttyFile, err := createFDTable(ctx, info.spec.Process.Terminal, info.stdioFDs, info.passFDs, info.spec.Process.User, info.containerName) |
| 1313 | if err != nil { |
| 1314 | return nil, nil, fmt.Errorf("importing fds: %w", err) |
| 1315 | } |
| 1316 | // CreateProcess takes a reference on fdTable if successful. We won't need |
| 1317 | // ours either way. |
| 1318 | info.procArgs.FDTable = fdTable |
| 1319 | |
| 1320 | if ttyFile != nil { |
| 1321 | info.procArgs.TTY = ttyFile.TTY() |
| 1322 | } |
| 1323 | |
| 1324 | if info.execFD != nil { |
| 1325 | if info.procArgs.Filename != "" { |
| 1326 | return nil, nil, fmt.Errorf("process must either be started from a file or a filename, not both") |
| 1327 | } |
| 1328 | file, err := host.NewFD(ctx, l.k.HostMount(), info.execFD.FD(), &host.NewFDOptions{ |
| 1329 | Readonly: true, |
| 1330 | Savable: true, |
| 1331 | VirtualOwner: true, |
| 1332 | UID: auth.KUID(info.spec.Process.User.UID), |
| 1333 | GID: auth.KGID(info.spec.Process.User.GID), |
| 1334 | }) |
| 1335 | if err != nil { |
| 1336 | return nil, nil, err |
| 1337 | } |
| 1338 | defer file.DecRef(ctx) |
| 1339 | info.execFD.Release() |
| 1340 | |
| 1341 | info.procArgs.File = file |
| 1342 | } |
| 1343 | |
| 1344 | // Gofer FDs must be ordered and the first FD is always the rootfs. |
| 1345 | if len(info.goferFDs) < 1 { |
| 1346 | return nil, nil, fmt.Errorf("rootfs gofer FD not found") |
| 1347 | } |
| 1348 | l.startGoferMonitor(info) |
| 1349 | |
| 1350 | if l.root.cid == l.sandboxID { |
| 1351 | // Mounts cgroups for all the controllers. |
| 1352 | if err := l.mountCgroupMounts(info.conf, info.procArgs.Credentials); err != nil { |
| 1353 | return nil, nil, err |
| 1354 | } |
| 1355 | } |
| 1356 | // We can share l.sharedMounts with containerMounter since l.mu is locked. |
| 1357 | // Hence, mntr must only be used within this function (while l.mu is locked). |
| 1358 | mntr := l.newContainerMounter(info) |
| 1359 | if err := setupContainerVFS(ctx, info, mntr, &info.procArgs); err != nil { |
| 1360 | return nil, nil, err |
| 1361 | } |
| 1362 | defer func() { |
| 1363 | for cg := range info.procArgs.InitialCgroups { |
| 1364 | cg.Dentry.DecRef(ctx) |
| 1365 | } |
| 1366 | }() |