Don't fchown when inheriting io

crosbymichael · crosbymichael · commit eebdb644f924 · 2017-03-02T10:06:10.000-08:00
This is a fix for rootless containers and general io handling.  The
higher level systems must preparte the IO for the container in the
detach case and make sure it is setup correctly for the container's
process.

Signed-off-by: Michael Crosby &lt;crosbymichael@gmail.com&gt;
diff --git a/tty.go b/tty.go
@@ -7,7 +7,6 @@ import (
 	"io"
 	"os"
 	"sync"
-	"syscall"
 
 	"github.com/docker/docker/pkg/term"
 	"github.com/opencontainers/runc/libcontainer"
@@ -28,9 +27,9 @@ func (t *tty) copyIO(w io.Writer, r io.ReadCloser) {
 	r.Close()
 }
 
-// setup standard pipes so that the TTY of the calling runc process
-// is not inherited by the container.
-func createStdioPipes(p *libcontainer.Process, rootuid, rootgid int) (*tty, error) {
+// setup pipes for the process so that advanced features like c/r are able to easily checkpoint
+// and restore the process's IO without depending on a host specific path or device
+func setupProcessPipes(p *libcontainer.Process, rootuid, rootgid int) (*tty, error) {
 	i, err := p.InitializeIO(rootuid, rootgid)
 	if err != nil {
 		return nil, err
@@ -62,19 +61,10 @@ func createStdioPipes(p *libcontainer.Process, rootuid, rootgid int) (*tty, erro
 	return t, nil
 }
 
-func dupStdio(process *libcontainer.Process, rootuid, rootgid int) error {
+func inheritStdio(process *libcontainer.Process) error {
 	process.Stdin = os.Stdin
 	process.Stdout = os.Stdout
 	process.Stderr = os.Stderr
-	for _, fd := range []uintptr{
-		os.Stdin.Fd(),
-		os.Stdout.Fd(),
-		os.Stderr.Fd(),
-	} {
-		if err := syscall.Fchown(int(fd), rootuid, rootgid); err != nil {
-			return err
-		}
-	}
 	return nil
 }
 
diff --git a/utils_linux.go b/utils_linux.go
@@ -110,19 +110,15 @@ func setupIO(process *libcontainer.Process, rootuid, rootgid int, createTTY, det
 		process.Stderr = nil
 		return &tty{}, nil
 	}
-
-	// When we detach, we just dup over stdio and call it a day. There's no
-	// requirement that we set up anything nice for our caller or the
-	// container.
+	// when runc will detach the caller provides the stdio to runc via runc's 0,1,2
+	// and the container's process inherits runc's stdio.
 	if detach {
-		if err := dupStdio(process, rootuid, rootgid); err != nil {
+		if err := inheritStdio(process); err != nil {
 			return nil, err
 		}
 		return &tty{}, nil
 	}
-
-	// XXX: This doesn't sit right with me. It's ugly.
-	return createStdioPipes(process, rootuid, rootgid)
+	return setupProcessPipes(process, rootuid, rootgid)
 }
 
 // createPidFile creates a file with the processes pid inside it atomically

Original file line number	Diff line number	Diff line change
`@@ -110,19 +110,15 @@ func setupIO(process *libcontainer.Process, rootuid, rootgid int, createTTY, det`
`110`	`110`	`process.Stderr = nil`
`111`	`111`	`return &tty{}, nil`
`112`	`112`	`}`
`113`		`-`
`114`		`- // When we detach, we just dup over stdio and call it a day. There's no`
`115`		`- // requirement that we set up anything nice for our caller or the`
`116`		`- // container.`
	`113`	`+ // when runc will detach the caller provides the stdio to runc via runc's 0,1,2`
	`114`	`+ // and the container's process inherits runc's stdio.`
`117`	`115`	`if detach {`
`118`		`- if err := dupStdio(process, rootuid, rootgid); err != nil {`
	`116`	`+ if err := inheritStdio(process); err != nil {`
`119`	`117`	`return nil, err`
`120`	`118`	`}`
`121`	`119`	`return &tty{}, nil`
`122`	`120`	`}`
`123`		`-`
`124`		`- // XXX: This doesn't sit right with me. It's ugly.`
`125`		`- return createStdioPipes(process, rootuid, rootgid)`
	`121`	`+ return setupProcessPipes(process, rootuid, rootgid)`
`126`	`122`	`}`
`127`	`123`
`128`	`124`	`// createPidFile creates a file with the processes pid inside it atomically`