summaryrefslogtreecommitdiff
path: root/libpod/oci.go
diff options
context:
space:
mode:
Diffstat (limited to 'libpod/oci.go')
-rw-r--r--libpod/oci.go14
1 files changed, 11 insertions, 3 deletions
diff --git a/libpod/oci.go b/libpod/oci.go
index da054eceb..4f0fbe8e9 100644
--- a/libpod/oci.go
+++ b/libpod/oci.go
@@ -682,15 +682,23 @@ func (r *OCIRuntime) execContainer(c *Container, cmd, capAdd, env []string, tty
execCmd := exec.Command(r.path, args...)
if rootless.IsRootless() {
- args = append([]string{"--preserve-credentials", "-U", "-t", fmt.Sprintf("%d", c.state.PID), r.path}, args...)
- // using nsenter might not be correct if the target PID joined a different user namespace.
- // A better way would be to retrieve the parent ns (NS_GET_PARENT) until it is a child of the current namespace.
+ args = append([]string{"--preserve-credentials", "--user=/proc/self/fd/3", r.path}, args...)
+ f, err := rootless.GetUserNSForPid(uint(c.state.PID))
+ if err != nil {
+ return nil, err
+ }
execCmd = exec.Command("nsenter", args...)
+ execCmd.ExtraFiles = append(execCmd.ExtraFiles, f)
}
execCmd.Stdout = os.Stdout
execCmd.Stderr = os.Stderr
execCmd.Stdin = os.Stdin
execCmd.Env = append(execCmd.Env, fmt.Sprintf("XDG_RUNTIME_DIR=%s", runtimeDir))
+
+ if err := execCmd.Start(); err != nil {
+ return nil, errors.Wrapf(err, "cannot start container %s", c.ID())
+ }
+
return execCmd, nil
}
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2024-11-14 02:22:47 +0000