Close extraneous file descriptors in containers

Without this patch, containers inherit the open file descriptors of the daemon, so my "exec 42>&2" allows us to "echo >&42 some nasty error with some bad advice" directly into the daemon log. :) Also, "hack/dind" was already doing this due to issues caused by the inheritance, so I'm removing that hack too since this patch obsoletes it by generalizing it for all containers. Docker-DCO-1.1-Signed-off-by: Andrew Page <admwiggin@gmail.com> (github: tianon)
2014-04-28 23:22:54 -06:00 · 2014-04-28 23:22:54 -06:00 · c1dad4d063
commit c1dad4d063
parent 5479a8e86f
3 changed files with 56 additions and 2 deletions
--- a/system/fds_linux.go
+++ b/system/fds_linux.go
@ -0,0 +1,38 @@
+package system
+
+import (
+	"io/ioutil"
+	"strconv"
+	"syscall"
+)
+
+// Works similarly to OpenBSD's "closefrom(2)":
+//   The closefrom() call deletes all descriptors numbered fd and higher from
+//   the per-process file descriptor table.  It is effectively the same as
+//   calling close(2) on each descriptor.
+// http://www.openbsd.org/cgi-bin/man.cgi?query=closefrom&sektion=2
+//
+// See also http://stackoverflow.com/a/918469/433558
+func CloseFdsFrom(minFd int) error {
+	fdList, err := ioutil.ReadDir("/proc/self/fd")
+	if err != nil {
+		return err
+	}
+	for _, fi := range fdList {
+		fd, err := strconv.Atoi(fi.Name())
+		if err != nil {
+			// ignore non-numeric file names
+			continue
+		}
+
+		if fd < minFd {
+			// ignore descriptors lower than our specified minimum
+			continue
+		}
+
+		// intentionally ignore errors from syscall.Close
+		syscall.Close(fd)
+		// the cases where this might fail are basically file descriptors that have already been closed (including and especially the one that was created when ioutil.ReadDir did the "opendir" syscall)
+	}
+	return nil
+}