restore: Wait for userns being prepared before moving into cgroups

Submitted by Andrei Vagin on April 20, 2016, 8:46 p.m.

Details

Message ID 1461185214-5562-1-git-send-email-avagin@openvz.org
State Rejected
Series "restore: Wait for userns being prepared before moving into cgroups"
Headers show

Patch hide | download patch | download mbox

diff --git a/criu/cr-restore.c b/criu/cr-restore.c
index 34db7f7..d9ca9f4 100644
--- a/criu/cr-restore.c
+++ b/criu/cr-restore.c
@@ -1608,6 +1608,11 @@  static int restore_task_with_children(void *_arg)
 
 	current = ca->item;
 
+	if (ca->clone_flags & CLONE_NEWUSER) {
+		if (restore_finish_stage(CR_STATE_RESTORE_USERNS) < 0)
+			goto err;
+	}
+
 	if (current != root_item) {
 		char buf[12];
 		int fd;
@@ -1752,6 +1757,7 @@  static inline int stage_participants(int next_stage)
 	switch (next_stage) {
 	case CR_STATE_FAIL:
 		return 0;
+	case CR_STATE_RESTORE_USERNS:
 	case CR_STATE_RESTORE_NS:
 	case CR_STATE_RESTORE_SHARED:
 		return 1;
@@ -2047,6 +2053,9 @@  static int restore_root_task(struct pstree_item *init)
 	futex_set(&task_entries->nr_in_progress,
 			stage_participants(CR_STATE_RESTORE_NS));
 
+	if (root_ns_mask & CLONE_NEWUSER)
+		__restore_switch_stage(CR_STATE_RESTORE_USERNS);
+
 	ret = fork_with_pid(init);
 	if (ret < 0)
 		goto out;
@@ -2078,8 +2087,13 @@  static int restore_root_task(struct pstree_item *init)
 	 * uid_map and gid_map must be filled from a parent user namespace.
 	 * prepare_userns_creds() must be called after filling mappings.
 	 */
-	if ((root_ns_mask & CLONE_NEWUSER) && prepare_userns(init))
-		goto out_kill;
+	if (root_ns_mask & CLONE_NEWUSER) {
+		if  (prepare_userns(init))
+			goto out_kill;
+		ret = restore_switch_stage(CR_STATE_RESTORE_NS);
+		if (ret < 0)
+			goto out_kill;
+	}
 
 	pr_info("Wait until namespaces are created\n");
 	ret = restore_wait_inprogress_tasks();
diff --git a/criu/include/restorer.h b/criu/include/restorer.h
index b00c212..098c5f0 100644
--- a/criu/include/restorer.h
+++ b/criu/include/restorer.h
@@ -213,7 +213,8 @@  static inline unsigned long restorer_stack(struct thread_restore_args *a)
 
 enum {
 	CR_STATE_FAIL		= -1,
-	CR_STATE_RESTORE_NS	= 0, /* is used for executing "setup-namespace" scripts */
+	CR_STATE_RESTORE_USERNS = 0,	/* restore uid_map and gid_map */
+	CR_STATE_RESTORE_NS,		/* is used for executing "setup-namespace" scripts */
 	CR_STATE_RESTORE_SHARED,
 	CR_STATE_FORKING,
 	CR_STATE_RESTORE,

Comments

Cyrill Gorcunov April 20, 2016, 8:53 p.m.
On Wed, Apr 20, 2016 at 11:46:54PM +0300, Andrey Vagin wrote:
> From: Andrew Vagin <avagin@virtuozzo.com>
> 
> When user namespace are stepping in we should wait for their preparation
> to complete before start using userns daemon (internally the kernel
> checks for uids and if uids are not set -EINVAL will be returned
> when usersn calls for sendmsg()).
> 
> Thus use completion and wait for uid maps being written first.
> 
> https://jira.sw.ru/browse/PSBM-46360
> 
> Cc: Cyrill Gorcunov <gorcunov@gmail.com>
> Signed-off-by: Andrew Vagin <avagin@virtuozzo.com>
Acked-by: Cyrill Gorcunov <gorcunov@openvz.org>

Great! This version is shorter. Gonna pick it up into stable. Thanks!