/*
 * Okay, so this is quite annoying.
 *
 * In order for this unsharing code to be more extensible we need to split
 * up unshare(CLONE_NEWUSER) and clone() in various ways. The ideal case
 * would be if we did clone(CLONE_NEWUSER) and the other namespaces
 * separately, but because of SELinux issues we cannot really do that. But
 * we cannot just dump the namespace flags into clone(...) because several
 * usecases (such as rootless containers) require more granularity around
 * the namespace setup. In addition, some older kernels had issues where
 * CLONE_NEWUSER wasn't handled before other namespaces (but we cannot
 * handle this while also dealing with SELinux so we choose SELinux support
 * over broken kernel support).
 *
 * However, if we unshare(2) the user namespace *before* we clone(2), then
 * all hell breaks loose.
 *
 * The parent no longer has permissions to do many things (unshare(2) drops
 * all capabilities in your old namespace), and the container cannot be set
 * up to have more than one {uid,gid} mapping. This is obviously less than
 * ideal. In order to fix this, we have to first clone(2) and then unshare.
 *
 * Unfortunately, it's not as simple as that. We have to fork to enter the
 * PID namespace (the PID namespace only applies to children). Since we'll
 * have to double-fork, this clone_parent() call won't be able to get the
 * PID of the _actual_ init process (without doing more synchronisation than
 * I can deal with at the moment). So we'll just get the parent to send it
 * for us, the only job of this process is to update
 * /proc/pid/{setgroups,uid_map,gid_map}.
 *
 * And as a result of the above, we also need to setns(2) in the first child
 * because if we join a PID namespace in the topmost parent then our child
 * will be in that namespace (and it will not be able to give us a PID value
 * that makes sense without resorting to sending things with cmsg).
 *
 * This also deals with an older issue caused by dumping cloneflags into
 * clone(2): On old kernels, CLONE_PARENT didn't work with CLONE_NEWPID, so
 * we have to unshare(2) before clone(2) in order to do this. This was fixed
 * in upstream commit 1f7f4dde5c945f41a7abc2285be43d918029ecc5, and was
 * introduced by 40a0d32d1eaffe6aac7324ca92604b6b3977eb0e. As far as we're
 * aware, the last mainline kernel which had this bug was Linux 3.12.
 * However, we cannot comment on which kernels the broken patch was
 * backported to.
 *
 * -- Aleksa "what has my life come to?" Sarai
 */
Title: How to clone init process
Parent->Child: clone first child
Note right of Child: join namespaces and unshare newuser
Child->Parent: send SYNC_USERMAP_PLS
Note left of Parent: update setgroups, uid_map and gid_map
Parent->Child: send SYNC_USERMAP_ACK
Note right of Child: unshare other namespaces, except cgroup
Child->GrandChild: clone grand child
Child->Parent: send SYNC_RECVPID_PLS
Note left of Parent: get pids of children
Parent->Child: send SYNC_RECVPID_ACK
Note left of Parent: send pids of children to my own parent (the runc create process)
Child->Parent: send SYNC_CHILD_READY
Note right of Child: finish
Parent->GrandChild: send SYNC_GRANDCHILD
Note left of Parent: wait for SYNC_CHILD_READY from GrandChild
Note right of GrandChild: set sid, uid, gid
Note right of GrandChild: unshare cgroup namespace
GrandChild->Parent: send SYNC_CHILD_READY
Note left of Parent: finish
Note right of GrandChild: let the Go runtime take over the process
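To make the first exchange of the diagram concrete, here is an added example (not runc's own code) of the SYNC_USERMAP_PLS / SYNC_USERMAP_ACK step in C: the child unshares the user namespace and then asks the parent, which still holds its capabilities, to write /proc/<child>/{setgroups,uid_map,gid_map} before acknowledging. It uses fork(2) and a socketpair in place of runc's clone(2) and real sync protocol, the message values are this example's own, and it maps only the caller's own uid/gid to 0 so it also runs unprivileged.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>
/* Sync messages named after the diagram; the numeric values are this example's own. */
enum sync_t { SYNC_USERMAP_PLS = 0x40, SYNC_USERMAP_ACK = 0x41, SYNC_ERR = 0xff };

/* Write one string to /proc/<pid>/<file>; 0 on success, -1 on error. */
static int write_proc(pid_t pid, const char *file, const char *val)
{
	char path[64];
	snprintf(path, sizeof path, "/proc/%d/%s", (int)pid, file);
	int fd = open(path, O_WRONLY); if (fd < 0) return -1;
	int ok = write(fd, val, strlen(val)) == (ssize_t)strlen(val);
	close(fd); return ok ? 0 : -1;
}

/* Returns 0 if the child ends up as uid 0 inside its new user namespace, -1 if this
 * kernel or sandbox refuses CLONE_NEWUSER, and a positive value if the handshake failed. */
int usermap_handshake(void)
{
	int sk[2], status, err; enum sync_t msg; char map[64];
	if (socketpair(AF_UNIX, SOCK_STREAM, 0, sk) < 0) return 1;
	pid_t child = fork();
	if (child < 0) return 1;
	if (child == 0) {                                    /* ---- child ---- */
		msg = unshare(CLONE_NEWUSER) == 0 ? SYNC_USERMAP_PLS : SYNC_ERR;
		send(sk[1], &msg, sizeof msg, MSG_NOSIGNAL);     /* SYNC_USERMAP_PLS */
		if (msg == SYNC_ERR) _exit(2);
		if (read(sk[1], &msg, sizeof msg) != sizeof msg || msg != SYNC_USERMAP_ACK) _exit(1);
		_exit(geteuid() == 0 ? 0 : 1);   /* maps are written: our host uid now shows as 0 */
	}
	/* ---- parent: wait for the request, then fill in the maps ---- */
	if (read(sk[0], &msg, sizeof msg) != sizeof msg) msg = SYNC_ERR;
	if (msg == SYNC_USERMAP_PLS) {
		/* Without CAP_SETUID/CAP_SETGID in our own namespace, only a single line mapping
		 * our euid/egid is accepted, and setgroups must be denied before gid_map is written. */
		snprintf(map, sizeof map, "0 %d 1\n", (int)geteuid());
		err = write_proc(child, "setgroups", "deny") || write_proc(child, "uid_map", map);
		snprintf(map, sizeof map, "0 %d 1\n", (int)getegid());
		err = err || write_proc(child, "gid_map", map);
		msg = err ? SYNC_ERR : SYNC_USERMAP_ACK;
		send(sk[0], &msg, sizeof msg, MSG_NOSIGNAL);     /* SYNC_USERMAP_ACK */
	}
	waitpid(child, &status, 0);
	return !WIFEXITED(status) ? 1 : WEXITSTATUS(status) == 2 ? -1 : WEXITSTATUS(status);
}
```

The ordering is the point: had the parent called unshare(CLONE_NEWUSER) itself first, it would have lost the capabilities needed to write the maps, which is why the comment above insists on clone first, then unshare in the child.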