
Method createContainerProcess


+checklocks:l.mu

(info *containerInfo)


1308// +checklocks:l.mu
1309func (l *Loader) createContainerProcess(info *containerInfo) (*kernel.ThreadGroup, *host.TTYFileDescription, error) {
1310 // Create the FD map, which will set stdin, stdout, and stderr.
1311 ctx := info.procArgs.NewContext(l.k)
1312 fdTable, ttyFile, err := createFDTable(ctx, info.spec.Process.Terminal, info.stdioFDs, info.passFDs, info.spec.Process.User, info.containerName)
1313 if err != nil {
1314 return nil, nil, fmt.Errorf("importing fds: %w", err)
1315 }
1316 // CreateProcess takes a reference on fdTable if successful. We won't need
1317 // ours either way.
1318 info.procArgs.FDTable = fdTable
1319
1320 if ttyFile != nil {
1321 info.procArgs.TTY = ttyFile.TTY()
1322 }
1323
1324 if info.execFD != nil {
1325 if info.procArgs.Filename != "" {
1326 return nil, nil, fmt.Errorf("process must either be started from a file or a filename, not both")
1327 }
1328 file, err := host.NewFD(ctx, l.k.HostMount(), info.execFD.FD(), &host.NewFDOptions{
1329 Readonly: true,
1330 Savable: true,
1331 VirtualOwner: true,
1332 UID: auth.KUID(info.spec.Process.User.UID),
1333 GID: auth.KGID(info.spec.Process.User.GID),
1334 })
1335 if err != nil {
1336 return nil, nil, err
1337 }
1338 defer file.DecRef(ctx)
1339 info.execFD.Release()
1340
1341 info.procArgs.File = file
1342 }
1343
1344 // Gofer FDs must be ordered and the first FD is always the rootfs.
1345 if len(info.goferFDs) < 1 {
1346 return nil, nil, fmt.Errorf("rootfs gofer FD not found")
1347 }
1348 l.startGoferMonitor(info)
1349
1350 if l.root.cid == l.sandboxID {
1351 // Mounts cgroups for all the controllers.
1352 if err := l.mountCgroupMounts(info.conf, info.procArgs.Credentials); err != nil {
1353 return nil, nil, err
1354 }
1355 }
1356 // We can share l.sharedMounts with containerMounter since l.mu is locked.
1357 // Hence, mntr must only be used within this function (while l.mu is locked).
1358 mntr := l.newContainerMounter(info)
1359 if err := setupContainerVFS(ctx, info, mntr, &info.procArgs); err != nil {
1360 return nil, nil, err
1361 }
1362 defer func() {
1363 for cg := range info.procArgs.InitialCgroups {
1364 cg.Dentry.DecRef(ctx)
1365 }
1366 }()
