author | Luke T. Shumaker <lukeshu@parabola.nu> | 2024-08-22 06:50:16 +0200 |
---|---|---|
committer | Luke T. Shumaker <lukeshu@parabola.nu> | 2024-09-07 02:33:50 +0200 |
commit | cde9210efd26854c849dfb60a784d9c1aa098b7c (patch) | |
tree | 5586f597eb759b1dd1192867b3eb6720909b4270 /src/nspawn | |
parent | Merge pull request #34295 from poettering/uki-with-many-ukify (diff) | |
nspawn: fix the comment about which namespaces outer_child is in

The comment says that it is still in the host's CLONE_NEWUSER namespace,
which is not true if !arg_privileged. Also, it says that the CLONE_NEWNS
namespace was created by clone(), but if !arg_privileged then it was
actually created by nsresource_allocate_userns() and switched into by
setns(). Fix those inaccuracies.

When trying to word it clearly, there are enough commas and nested clauses
that I think it's clearer to break it into a list/table.

Diffstat (limited to 'src/nspawn')
-rw-r--r-- | src/nspawn/nspawn.c | 18 |
1 files changed, 13 insertions, 5 deletions
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c index 0653196e1a..8fd307b1d8 100644 --- a/src/nspawn/nspawn.c +++ b/src/nspawn/nspawn.c @@ -3811,11 +3811,19 @@ static int outer_child( ssize_t l; int r; - /* This is the "outer" child process, i.e the one forked off by the container manager itself. It - * already has its own CLONE_NEWNS namespace (which was created by the clone()). It still lives in - * the host's CLONE_NEWPID, CLONE_NEWUTS, CLONE_NEWIPC, CLONE_NEWUSER and CLONE_NEWNET - * namespaces. After it completed a number of initializations a second child (the "inner" one) is - * forked off it, and it exits. */ + /* This is the "outer" child process, i.e the one forked off by the container manager itself. Its + * namespace situation is: + * + * - CLONE_NEWNS : already has its own (created by clone() if arg_privileged, or unshare() if !arg_unprivileged) + * - CLONE_NEWUSER : if arg_privileged: still in the host's + * if !arg_privileged: already has its own (created by nsresource_allocate_userns()->setns(userns_fd)) + * - CLONE_NEWPID : still in the host's + * - CLONE_NEWUTS : still in the host's + * - CLONE_NEWIPC : still in the host's + * - CLONE_NEWNET : still in the host's + * + * After it completed a number of initializations a second child (the "inner" one) is forked off it, + * and it exits. */ assert(barrier); assert(directory); |
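Review bot: The CLONE_NEWNS entry in the new comment reads "created by clone() if arg_privileged, or unshare() if !arg_unprivileged", which is inconsistent in two ways. Every other condition in the comment is written in terms of arg_privileged, so "!arg_unprivileged" looks like a typo for "!arg_privileged" (as written it is a double negative that would mean the privileged case again). The commit message also says that in the unprivileged case the mount namespace was created by nsresource_allocate_userns() and switched into by setns(), while the comment names unshare(); one of the two should be corrected so that the comment and the message describe the same mechanism. Since this comment is what a reader will rely on to reason about which namespaces outer_child still shares with the host, it is worth getting the condition and the mechanism exactly right. Minor: "i.e the one", carried over from the old text, is missing the period after "i.e".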