Only unshare the mount namespace for execin
Fixes #4728 Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
This commit is contained in:
parent
e4ef28500c
commit
0424993f6d
1 changed files with 6 additions and 4 deletions
|
@ -14,12 +14,14 @@ import (
|
||||||
|
|
||||||
// ExecIn uses an existing pid and joins the pid's namespaces with the new command.
|
// ExecIn uses an existing pid and joins the pid's namespaces with the new command.
|
||||||
func (ns *linuxNs) ExecIn(container *libcontainer.Container, nspid int, args []string) (int, error) {
|
func (ns *linuxNs) ExecIn(container *libcontainer.Container, nspid int, args []string) (int, error) {
|
||||||
ns.logger.Println("unshare namespaces")
|
for _, nsv := range container.Namespaces {
|
||||||
for _, ns := range container.Namespaces {
|
// skip the PID namespace on unshare because it it not supported
|
||||||
if err := system.Unshare(ns.Value); err != nil {
|
if nsv.Key != "NEWPID" {
|
||||||
|
if err := system.Unshare(nsv.Value); err != nil {
|
||||||
return -1, err
|
return -1, err
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
}
|
||||||
fds, err := ns.getNsFds(nspid, container)
|
fds, err := ns.getNsFds(nspid, container)
|
||||||
closeFds := func() {
|
closeFds := func() {
|
||||||
for _, f := range fds {
|
for _, f := range fds {
|
||||||
|
|
Loading…
Reference in a new issue