fix: move cgroups to after process start

nixpig · Dec 15, 2024 · effac04 · effac04
1 parent 3c801b7
commit effac04
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 29 deletions.
diff --git a/cgroups/cgroupsv1.go b/cgroups/cgroupsv1.go
@@ -12,7 +12,6 @@ func AddV1(
 	devices []specs.LinuxDeviceCgroup,
 	pid int,
 ) error {
-
 	staticPath := cgroup1.StaticPath(path)
 
 	cg, err := cgroup1.New(

diff --git a/container/container_init.go b/container/container_init.go
@@ -25,6 +25,8 @@ func (c *Container) Init(reexec string, arg string) error {
 		return fmt.Errorf("execute createContainer hooks: %w", err)
 	}
 
+	cmd := exec.Command(reexec, []string{arg, c.ID()}...)
+
 	useTerminal := c.Spec.Process != nil &&
 		c.Spec.Process.Terminal &&
 		c.Opts.ConsoleSocket != ""
@@ -39,18 +41,6 @@ func (c *Container) Init(reexec string, arg string) error {
 		}
 	}
 
-	if c.Spec.Linux.CgroupsPath != "" && c.Spec.Linux.Resources != nil {
-		if err := cgroups.AddV1(
-			c.Spec.Linux.CgroupsPath,
-			c.Spec.Linux.Resources.Devices,
-			c.PID(),
-		); err != nil {
-			return err
-		}
-	}
-
-	// ---------------------------
-
 	if c.Spec.Process != nil && c.Spec.Process.OOMScoreAdj != nil {
 		if err := os.WriteFile(
 			"/proc/self/oom_score_adj",
@@ -83,13 +73,6 @@ func (c *Container) Init(reexec string, arg string) error {
 		fmt.Println("TODO: implement fallback stdio??")
 	}
 
-	// ---------------------------
-
-	reexecCmd := exec.Command(
-		reexec,
-		[]string{arg, c.ID()}...,
-	)
-
 	cloneFlags := uintptr(0)
 
 	var uidMappings []syscall.SysProcIDMap
@@ -122,7 +105,7 @@ func (c *Container) Init(reexec string, arg string) error {
 
 			// TODO: align so the same mechanism is used for all namespaces?
 			if ns.Type == specs.MountNamespace {
-				reexecCmd.Env = append(reexecCmd.Env, fmt.Sprintf("gons_%s=%s", ns.ToEnv(), ns.Path))
+				cmd.Env = append(cmd.Env, fmt.Sprintf("gons_%s=%s", ns.ToEnv(), ns.Path))
 			} else {
 				if err := ns.Enter(); err != nil {
 					return fmt.Errorf("enter namespace: %w", err)
@@ -131,32 +114,42 @@ func (c *Container) Init(reexec string, arg string) error {
 		}
 	}
 
-	reexecCmd.SysProcAttr = &syscall.SysProcAttr{
+	cmd.SysProcAttr = &syscall.SysProcAttr{
 		Cloneflags:   cloneFlags,
 		Unshareflags: uintptr(0),
 		UidMappings:  uidMappings,
 		GidMappings:  gidMappings,
 	}
 
 	if c.Spec.Process != nil && c.Spec.Process.Env != nil {
-		reexecCmd.Env = append(reexecCmd.Env, c.Spec.Process.Env...)
+		cmd.Env = append(cmd.Env, c.Spec.Process.Env...)
 	}
 
-	reexecCmd.Stdin = c.Opts.Stdin
-	reexecCmd.Stdout = c.Opts.Stdout
-	reexecCmd.Stderr = c.Opts.Stderr
+	cmd.Stdin = c.Opts.Stdin
+	cmd.Stdout = c.Opts.Stdout
+	cmd.Stderr = c.Opts.Stderr
 
-	if err := reexecCmd.Start(); err != nil {
+	if err := cmd.Start(); err != nil {
 		return fmt.Errorf("start reexec container: %w", err)
 	}
 
-	pid := reexecCmd.Process.Pid
+	pid := cmd.Process.Pid
 	c.SetPID(pid)
 	if err := c.Save(); err != nil {
 		return fmt.Errorf("save pid for reexec: %w", err)
 	}
 
-	if err := reexecCmd.Process.Release(); err != nil {
+	if c.Spec.Linux.CgroupsPath != "" && c.Spec.Linux.Resources != nil {
+		if err := cgroups.AddV1(
+			c.Spec.Linux.CgroupsPath,
+			c.Spec.Linux.Resources.Devices,
+			c.PID(),
+		); err != nil {
+			return err
+		}
+	}
+
+	if err := cmd.Process.Release(); err != nil {
 		return fmt.Errorf("detach reexec container: %w", err)
 	}