On 17/02/2017 22:36, Ian Lance Taylor wrote:
> On Fri, Feb 17, 2017 at 1:55 PM, Steven Hartland <[email protected]> wrote:
> > Recently we started adding support to our systems for opencontainers via
> > libcontainer; however, due to its use of C code for the early hooking, this
> > means we now can't cross-compile our code any more, which is a PITA.
> >
> > The main reason for this is the early hooking required to perform setns, as
> > detailed here:
> > https://github.com/opencontainers/runc/tree/master/libcontainer/nsenter
> >
> > Clearly this is done to avoid the issues with multiple threads in the
> > runtime, but I was wondering if it would be possible to solve this in a way
> > which didn't require CGO, hence allowing easy cross compilation.
> >
> > What are people's thoughts?
>
> As far as I can tell, a lot of what that code does in C can be done in
> Go by setting various fields of syscall.SysProcAttr.
>
> What precisely cannot be done in Go today?  Is it just the setns
> call?  How would we implement that in syscall.SysProcAttr?  Is this
> related to https://golang.org/issue/12125?

That seems to be slightly related, but reading the details of nsexec, there are quite a few other low-level Linux syscalls at play too, so the process actually requires two children to achieve the desired result; hence I'm not sure that allowing a simple set of specific calls during an exec would provide enough functionality.

Interesting comments can be found here:

Overall Process Gotchas:
https://github.com/opencontainers/runc/blob/master/libcontainer/nsenter/nsexec.c#L442

Parent Process Flow:
https://github.com/opencontainers/runc/blob/master/libcontainer/nsenter/nsexec.c#L490

First Child Flow:
https://github.com/opencontainers/runc/blob/master/libcontainer/nsenter/nsexec.c#L605

Second Child Flow:
https://github.com/opencontainers/runc/blob/master/libcontainer/nsenter/nsexec.c#L708

I believe that one of the main issues is down to certain Linux syscalls only affecting the current thread; hence, if they are performed once the runtime has initialised, we're going to get into trouble, as the state of the other threads will not be consistent. This sounds reminiscent of the reason setuid was removed from syscall on Linux.

That said, after fork we only have a single thread, so it should be possible to perform these actions safely if it were possible to run arbitrary actions via SysProcAttr and care was taken.

    Regards
    Steve
