chore: wip

nixpig · Dec 16, 2024 · f34698c · f34698c
1 parent 5979d63
commit f34698c
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 17 deletions.
diff --git a/README.md b/README.md
@@ -11,6 +11,8 @@ This is a personal project for me to explore and better understand the OCI Runti
 **🗒️ To do** (items remaining for _me_ to consider this 'complete')
 
 - [ ] ~Unit tests~ Integration tests seem to be sufficing
+- [ ] Fix networking
+- [ ] Container cleanup
 - [ ] Implement [Cgroups v2](https://github.com/opencontainers/runtime-spec/blob/main/config-linux.md#control-groups)
 - [ ] Implement optional [Seccomp](https://github.com/opencontainers/runtime-spec/blob/main/config-linux.md#seccomp)
 - [ ] Implement optional [AppArmor](https://github.com/opencontainers/runtime-spec/blob/main/config.md#linux-process)

diff --git a/container/container_init.go b/container/container_init.go
@@ -92,15 +92,18 @@ func (c *Container) Init(reexec string, arg string) error {
 		ns := namespace.LinuxNamespace(ns)
 
 		if ns.Path == "" {
+			fmt.Printf("join '%s' namespace by clone\n", ns.Type)
 			cloneFlags |= ns.ToFlag()
 		} else {
+			fmt.Printf("join '%s' namespace by path\n", ns.Type)
 			if !strings.HasSuffix(ns.Path, fmt.Sprintf("/%s", ns.ToEnv())) &&
 				ns.Type != specs.PIDNamespace {
 				return fmt.Errorf("namespace type (%s) and path (%s) do not match", ns.Type, ns.Path)
 			}
 
-			// TODO: align so the same mechanism is used for all namespaces?
 			if ns.Type == specs.MountNamespace {
+				// mount namespaces do not work across threads, so this needs to be done
+				// in single-threaded context in C before the reexec
 				cmd.Env = append(cmd.Env, fmt.Sprintf("gons_%s=%s", ns.ToEnv(), ns.Path))
 			} else {
 				if err := ns.Enter(); err != nil {
@@ -111,10 +114,9 @@ func (c *Container) Init(reexec string, arg string) error {
 	}
 
 	cmd.SysProcAttr = &syscall.SysProcAttr{
-		Cloneflags:   cloneFlags,
-		Unshareflags: uintptr(0),
-		UidMappings:  uidMappings,
-		GidMappings:  gidMappings,
+		Cloneflags:  cloneFlags,
+		UidMappings: uidMappings,
+		GidMappings: gidMappings,
 	}
 
 	if c.Spec.Process != nil && c.Spec.Process.Env != nil {
@@ -160,7 +162,7 @@ func (c *Container) Init(reexec string, arg string) error {
 
 	conn, err := listener.Accept()
 	if err != nil {
-		return fmt.Errorf("accept on listener: %w", err)
+		return fmt.Errorf("accept on init listener: %w", err)
 	}
 	defer conn.Close()
 

diff --git a/container/container_reexec.go b/container/container_reexec.go
@@ -148,17 +148,6 @@ func (c *Container) Reexec() error {
 		return fmt.Errorf("set additional GIDs: %w", err)
 	}
 
-	// TODO: reimplement uid and gid mappings for execve
-	// if c.Spec.Linux.UIDMappings != nil {
-	// 	cmd.SysProcAttr.UidMappings =
-	// 		user.BuildUIDMappings(c.Spec.Linux.UIDMappings)
-	// }
-	//
-	// if c.Spec.Linux.GIDMappings != nil {
-	// 	cmd.SysProcAttr.GidMappings =
-	// 		user.BuildGIDMappings(c.Spec.Linux.GIDMappings)
-	// }
-
 	if err := c.ExecHooks("startContainer"); err != nil {
 		return fmt.Errorf("execute startContainer hooks: %w", err)
 	}