Use a custom pipe instead of stdin for sync net namespace

Docker-DCO-1.1-Signed-off-by: Guillaume J. Charmes <guillaume.charmes@docker.com> (github: creack)

libcontainer/nsinit/exec.go

@@ -22,16 +22,20 @@ func execCommand(container *libcontainer.Container, args []string) (int, error)
 		return -1, err
 	}
 
-	command := createCommand(container, console, args)
 	// create a pipe so that we can syncronize with the namespaced process and
 	// pass the veth name to the child
-	inPipe, err := command.StdinPipe()
+	r, w, err := os.Pipe()
 	if err != nil {
 		return -1, err
 	}
+	system.UsetCloseOnExec(r.Fd())
+
+	command := createCommand(container, console, r.Fd(), args)
+
 	if err := command.Start(); err != nil {
 		return -1, err
 	}
+
 	if err := writePidFile(command); err != nil {
 		command.Process.Kill()
 		return -1, err
@@ -52,11 +56,11 @@ func execCommand(container *libcontainer.Container, args []string) (int, error)
 		if err != nil {
 			return -1, err
 		}
-		sendVethName(vethPair, inPipe)
+		sendVethName(vethPair, w)
 	}
 
 	// Sync with child
-	inPipe.Close()
+	w.Close()
 
 	go io.Copy(os.Stdout, master)
 	go io.Copy(master, os.Stdin)
@@ -163,8 +167,8 @@ func deletePidFile() error {
 // createCommand will return an exec.Cmd with the Cloneflags set to the proper namespaces
 // defined on the container's configuration and use the current binary as the init with the
 // args provided
-func createCommand(container *libcontainer.Container, console string, args []string) *exec.Cmd {
+func createCommand(container *libcontainer.Container, console string, pipe uintptr, args []string) *exec.Cmd {
-	command := exec.Command("nsinit", append([]string{"-console", console, "init"}, args...)...)
+	command := exec.Command("nsinit", append([]string{"-console", console, "-pipe", fmt.Sprint(pipe), "init"}, args...)...)
 	command.SysProcAttr = &syscall.SysProcAttr{
 		Cloneflags: uintptr(getNamespaceFlags(container.Namespaces)),
 	}

libcontainer/nsinit/init.go

@@ -8,20 +8,21 @@ import (
 	"github.com/dotcloud/docker/pkg/libcontainer/capabilities"
 	"github.com/dotcloud/docker/pkg/libcontainer/network"
 	"github.com/dotcloud/docker/pkg/system"
+	"io"
 	"io/ioutil"
 	"os"
 	"path/filepath"
 	"syscall"
 )
 
-func initCommand(container *libcontainer.Container, console string, args []string) error {
+func initCommand(container *libcontainer.Container, console string, pipe io.ReadCloser, args []string) error {
 	rootfs, err := resolveRootfs()
 	if err != nil {
 		return err
 	}
 
 	// We always read this as it is a way to sync with the parent as well
-	tempVethName, err := getVethName()
+	tempVethName, err := getVethName(pipe)
 	if err != nil {
 		return err
 	}
@@ -164,8 +165,10 @@ func setupVethNetwork(config *libcontainer.Network, tempVethName string) error {
 // getVethName reads from Stdin the temp veth name
 // sent by the parent processes after the veth pair
 // has been created and setup
-func getVethName() (string, error) {
+func getVethName(pipe io.ReadCloser) (string, error) {
-	data, err := ioutil.ReadAll(os.Stdin)
+	defer pipe.Close()
+
+	data, err := ioutil.ReadAll(pipe)
 	if err != nil {
 		return "", fmt.Errorf("error reading from stdin %s", err)
 	}

libcontainer/nsinit/main.go

@@ -18,6 +18,7 @@ var (
 
 func main() {
 	console := flag.String("console", "", "Console (pty slave) name")
+	pipeFd := flag.Int("pipe", 0, "sync pipe fd")
 	flag.Parse()
 
 	container, err := loadContainer()
@@ -50,7 +51,7 @@ func main() {
 		if flag.NArg() < 2 {
 			log.Fatal(ErrWrongArguments)
 		}
-		if err := initCommand(container, *console, flag.Args()[1:]); err != nil {
+		if err := initCommand(container, *console, os.NewFile(uintptr(*pipeFd), "pipe"), flag.Args()[1:]); err != nil {
 			log.Fatal(err)
 		}
 	default: