hub / github.com/opencontainers/runc / Init

Method Init

libcontainer/standard_init_linux.go:51–306  ·  view source on GitHub ↗
()


49}
50
51func (l *linuxStandardInit) Init() error {
52 if !l.config.Config.NoNewKeyring {
53 if l.config.ProcessLabel != "" {
54 if err := selinux.SetKeyLabel(l.config.ProcessLabel); err != nil {
55 return err
56 }
57 defer selinux.SetKeyLabel("") //nolint: errcheck
58 }
59 ringname, keepperms, newperms := l.getSessionRingParams()
60
61 // Do not inherit the parent's session keyring.
62 if sessKeyId, err := keys.JoinSessionKeyring(ringname); err != nil {
63 logrus.Warnf("KeyctlJoinSessionKeyring: %v", err)
64 // If keyrings aren't supported then it is likely we are on an
65 // older kernel (or inside an LXC container). While we could bail,
66 // the security feature we are using here is best-effort (it only
67 // really provides marginal protection since VFS credentials are
68 // the only significant protection of keyrings).
69 if !errors.Is(err, unix.ENOSYS) {
70 return fmt.Errorf("unable to join session keyring: %w", err)
71 }
72 } else {
73 // Make session keyring searchable. If we've gotten this far we
74 // bail on any error -- we don't want to have a keyring with bad
75 // permissions.
76 if err := keys.ModKeyringPerm(sessKeyId, keepperms, newperms); err != nil {
77 return fmt.Errorf("unable to mod keyring permissions: %w", err)
78 }
79 }
80 }
81
82 if err := setupNetwork(l.config); err != nil {
83 return err
84 }
85 if err := setupRoute(l.config.Config); err != nil {
86 return err
87 }
88
89 // initialises the labeling system
90 selinux.GetEnabled()
91
92 err := prepareRootfs(l.pipe, l.config)
93 if err != nil {
94 return err
95 }
96
97 // Set up the console. This has to be done *before* we finalize the rootfs,
98 // but *after* we've given the user the chance to set up all of the mounts
99 // they wanted.
100 if l.config.CreateConsole {
101 if err := setupConsole(l.consoleSocket, l.config, true); err != nil {
102 return err
103 }
104 if err := system.Setctty(); err != nil {
105 return &os.SyscallError{Syscall: "ioctl(setctty)", Err: err}
106 }
107 }
108

Callers 1

containerInitFunction · 0.95

Calls 15

getSessionRingParamsMethod · 0.95
JoinSessionKeyringFunction · 0.92
ModKeyringPermFunction · 0.92
SetcttyFunction · 0.92
ApplyProfileFunction · 0.92
WriteSysctlsFunction · 0.92
GetParentDeathSignalFunction · 0.92
InitSeccompFunction · 0.92
ReopenFunction · 0.92
UnsafeCloseFromFunction · 0.92
ExecFunction · 0.92
setupNetworkFunction · 0.85

Tested by

no test coverage detected