| 1062 | } |
| 1063 | |
| 1064 | func (l *Loader) run() error { |
| 1065 | if l.root.conf.Network == config.NetworkHost { |
| 1066 | // Delay host network configuration to this point because network namespace |
| 1067 | // is configured after the loader is created and before Run() is called. |
| 1068 | log.Debugf("Configuring host network") |
| 1069 | s := l.k.RootNetworkNamespace().Stack().(*hostinet.Stack) |
| 1070 | if err := s.Configure(l.root.conf.EnableRaw); err != nil { |
| 1071 | return err |
| 1072 | } |
| 1073 | } |
| 1074 | |
| 1075 | l.mu.Lock() |
| 1076 | defer l.mu.Unlock() |
| 1077 | |
| 1078 | eid := execID{cid: l.sandboxID} |
| 1079 | ep, ok := l.processes[eid] |
| 1080 | if !ok { |
| 1081 | return fmt.Errorf("trying to start deleted container %q", l.sandboxID) |
| 1082 | } |
| 1083 | |
| 1084 | switch l.state { |
| 1085 | case created: |
| 1086 | if l.root.conf.ProfileEnable { |
| 1087 | pprof.Initialize() |
| 1088 | } |
| 1089 | |
| 1090 | // Finally done with all configuration. Setup filters before user code |
| 1091 | // is loaded. |
| 1092 | if err := l.installSeccompFilters(); err != nil { |
| 1093 | return err |
| 1094 | } |
| 1095 | |
| 1096 | // Create the root container init task. It will begin running |
| 1097 | // when the kernel is started. |
| 1098 | var ( |
| 1099 | tg *kernel.ThreadGroup |
| 1100 | err error |
| 1101 | ) |
| 1102 | tg, ep.tty, err = l.createContainerProcess(&l.root) |
| 1103 | if err != nil { |
| 1104 | return err |
| 1105 | } |
| 1106 | |
| 1107 | if seccheck.Global.Enabled(seccheck.PointContainerStart) { |
| 1108 | evt := pb.Start{ |
| 1109 | Id: l.sandboxID, |
| 1110 | Cwd: l.root.spec.Process.Cwd, |
| 1111 | Args: l.root.spec.Process.Args, |
| 1112 | Terminal: l.root.spec.Process.Terminal, |
| 1113 | } |
| 1114 | fields := seccheck.Global.GetFieldSet(seccheck.PointContainerStart) |
| 1115 | if fields.Local.Contains(seccheck.FieldContainerStartEnv) { |
| 1116 | evt.Env = l.root.spec.Process.Env |
| 1117 | } |
| 1118 | if !fields.Context.Empty() { |
| 1119 | evt.ContextData = &pb.ContextData{} |
| 1120 | kernel.LoadSeccheckData(tg.Leader(), fields.Context, evt.ContextData) |
| 1121 | } |