Remove userns sidecar process

Move the network setup back into the standard init even for user
namespaces now that mounts are fully supported and working.

Signed-off-by: Michael Crosby <[email protected]>

Author: crosbymichael

error.go

@@ -57,11 +57,3 @@ type Error interface {
 	// Returns the error code for this error.
 	Code() ErrorCode
 }
-
-type initError struct {
-	Message string `json:"message,omitempty"`
-}
-
-func (i initError) Error() string {
-	return i.Message
-}

generic_error.go

@@ -28,6 +28,7 @@ func newGenericError(err error, c ErrorCode) Error {
 	return &genericError{
 		Timestamp: time.Now(),
 		Err:       err,
+		Message:   err.Error(),
 		ECode:     c,
 		Stack:     stacktrace.Capture(1),
 	}
@@ -41,19 +42,21 @@ func newSystemError(err error) Error {
 		Timestamp: time.Now(),
 		Err:       err,
 		ECode:     SystemError,
+		Message:   err.Error(),
 		Stack:     stacktrace.Capture(1),
 	}
 }
 
 type genericError struct {
 	Timestamp time.Time
 	ECode     ErrorCode
-	Err       error
+	Err       error `json:"-"`
+	Message   string
 	Stack     stacktrace.Stacktrace
 }
 
 func (e *genericError) Error() string {
-	return fmt.Sprintf("[%d] %s: %s", e.ECode, e.ECode, e.Err)
+	return fmt.Sprintf("[%d] %s: %s", e.ECode, e.ECode, e.Message)
 }
 
 func (e *genericError) Code() ErrorCode {

linux_container.go

@@ -147,7 +147,6 @@ func (c *linuxContainer) newInitProcess(p *Process, cmd *exec.Cmd, parentPipe, c
 		if cmd.SysProcAttr.Credential == nil {
 			cmd.SysProcAttr.Credential = &syscall.Credential{}
 		}
-		t = "_LIBCONTAINER_INITTYPE=userns"
 	}
 	cmd.Env = append(cmd.Env, t)
 	cmd.SysProcAttr.Cloneflags = cloneFlags

linux_factory.go

@@ -166,9 +166,7 @@ func (l *LinuxFactory) StartInitialization(pipefd uintptr) (err error) {
 			// ensure that any data sent from the parent is consumed so it doesn't
 			// receive ECONNRESET when the child writes to the pipe.
 			ioutil.ReadAll(pipe)
-			if err := json.NewEncoder(pipe).Encode(initError{
-				Message: err.Error(),
-			}); err != nil {
+			if err := json.NewEncoder(pipe).Encode(newSystemError(err)); err != nil {
 				panic(err)
 			}
 		}

linux_init.go

@@ -21,10 +21,8 @@ import (
 type initType string
 
 const (
-	initSetns       initType = "setns"
-	initStandard    initType = "standard"
-	initUserns      initType = "userns"
-	initUsernsSetup initType = "userns_setup"
+	initSetns    initType = "setns"
+	initStandard initType = "standard"
 )
 
 type pid struct {
@@ -67,14 +65,6 @@ func newContainerInit(t initType, pipe *os.File) (initer, error) {
 		return &linuxSetnsInit{
 			config: config,
 		}, nil
-	case initUserns:
-		return &linuxUsernsInit{
-			config: config,
-		}, nil
-	case initUsernsSetup:
-		return &linuxUsernsSideCar{
-			config: config,
-		}, nil
 	case initStandard:
 		return &linuxStandardInit{
 			config: config,

linux_process.go

@@ -4,13 +4,11 @@ package libcontainer
 
 import (
 	"encoding/json"
-	"fmt"
 	"io"
 	"os"
 	"os/exec"
 	"syscall"
 
-	log "github.com/Sirupsen/logrus"
 	"github.com/docker/libcontainer/cgroups"
 	"github.com/docker/libcontainer/system"
 )
@@ -145,28 +143,12 @@ func (p *initProcess) start() error {
 	if err := p.createNetworkInterfaces(); err != nil {
 		return newSystemError(err)
 	}
-	// Start the setup process to setup the init process
-	if p.cmd.SysProcAttr.Cloneflags&syscall.CLONE_NEWUSER != 0 {
-		parent, err := p.newUsernsSetupProcess()
-		if err != nil {
-			return newSystemError(err)
-		}
-		if err := parent.start(); err != nil {
-			if err := parent.terminate(); err != nil {
-				log.Warn(err)
-			}
-			return err
-		}
-		if _, err := parent.wait(); err != nil {
-			return newSystemError(err)
-		}
-	}
 	if err := p.sendConfig(); err != nil {
 		return newSystemError(err)
 	}
 	// wait for the child process to fully complete and receive an error message
 	// if one was encoutered
-	var ierr *initError
+	var ierr *genericError
 	if err := json.NewDecoder(p.parentPipe).Decode(&ierr); err != nil && err != io.EOF {
 		return newSystemError(err)
 	}
@@ -229,26 +211,6 @@ func (p *initProcess) createNetworkInterfaces() error {
 	return nil
 }
 
-func (p *initProcess) newUsernsSetupProcess() (parentProcess, error) {
-	parentPipe, childPipe, err := newPipe()
-	if err != nil {
-		return nil, newSystemError(err)
-	}
-	cmd := exec.Command(p.cmd.Args[0], p.cmd.Args[1:]...)
-	cmd.ExtraFiles = []*os.File{childPipe}
-	cmd.Dir = p.cmd.Dir
-	cmd.Env = append(cmd.Env,
-		fmt.Sprintf("_LIBCONTAINER_INITPID=%d", p.pid()),
-		fmt.Sprintf("_LIBCONTAINER_INITTYPE=userns_setup"),
-	)
-	return &setnsProcess{
-		cmd:        cmd,
-		childPipe:  childPipe,
-		parentPipe: parentPipe,
-		config:     p.config,
-	}, nil
-}
-
 func (p *initProcess) signal(s os.Signal) error {
 	return p.cmd.Process.Signal(s)
 }

linux_rootfs.go

@@ -199,30 +199,27 @@ func createDevices(config *configs.Config) error {
 
 // Creates the device node in the rootfs of the container.
 func createDeviceNode(rootfs string, node *configs.Device) error {
-	var (
-		dest   = filepath.Join(rootfs, node.Path)
-		parent = filepath.Dir(dest)
-	)
-	if err := os.MkdirAll(parent, 0755); err != nil {
+	dest := filepath.Join(rootfs, node.Path)
+	if err := os.MkdirAll(filepath.Dir(dest), 0755); err != nil {
 		return err
 	}
 	if err := mknodDevice(dest, node); err != nil {
 		if os.IsExist(err) {
 			return nil
 		}
+		if err != syscall.EPERM {
+			return err
+		}
 		// containers running in a user namespace are not allowed to mknod
 		// devices so we can just bind mount it from the host.
-		if err == syscall.EPERM {
-			f, err := os.Create(dest)
-			if err != nil {
-				if os.IsExist(err) {
-					return nil
-				}
-				return err
-			}
+		f, err := os.Create(dest)
+		if err != nil && !os.IsExist(err) {
+			return err
+		}
+		if f != nil {
 			f.Close()
-			return syscall.Mount(node.Path, dest, "bind", syscall.MS_BIND, "")
 		}
+		return syscall.Mount(node.Path, dest, "bind", syscall.MS_BIND, "")
 	}
 	return nil
 }

linux_userns_init.go

@@ -33,6 +33,7 @@ var createFlags = []cli.Flag{
 	cli.StringFlag{Name: "mount-label", Usage: "set the mount label"},
 	cli.StringFlag{Name: "rootfs", Usage: "set the rootfs"},
 	cli.IntFlag{Name: "userns-root-uid", Usage: "set the user namespace root uid"},
+	cli.StringFlag{Name: "hostname", Value: "nsinit", Usage: "hostname value for the container"},
 	cli.StringFlag{Name: "net", Value: "", Usage: "network namespace"},
 	cli.StringFlag{Name: "ipc", Value: "", Usage: "ipc namespace"},
 	cli.StringFlag{Name: "pid", Value: "", Usage: "pid namespace"},
@@ -158,6 +159,9 @@ func modify(config *configs.Config, context *cli.Context) {
 					},
 				}
 			}
+			if v == "uts" {
+				config.Hostname = context.String("hostname")
+			}
 		default:
 			config.Namespaces.Remove(value)
 			config.Namespaces.Add(value, v)
@@ -218,8 +222,7 @@ func getTemplate() *configs.Config {
 			AllowAllDevices: false,
 			AllowedDevices:  configs.DefaultAllowedDevices,
 		},
-		Devices:  configs.DefaultAutoCreatedDevices,
-		Hostname: "nsinit",
+		Devices: configs.DefaultAutoCreatedDevices,
 		MaskPaths: []string{
 			"/proc/kcore",
 		},