github/kata-containers
1
0
Fork 2
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-09-03 18:04:16 +00:00
Code Issues Projects Releases Wiki Activity

agent: avoid fd leakage of passfd-io

Browse Source 
In do_create_container and do_exec_process, we should create the proc_io first,
in case there's some error occur below, thus we can make sure
the io stream closed when error occur.

Signed-off-by: Tim Zhang <tim@hyper.sh>
Signed-off-by: Fupan Li <fupan.lfp@antgroup.com>
This commit is contained in:
Tim Zhang
2024-04-17 15:59:55 +08:00
parent 8441187d5e
commit aeba483ec8
1 changed files with 16 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

31
src/agent/src/rpc.rs
View File

@@ -179,6 +179,14 @@ impl AgentService {
&self, &self,
req: protocols::agent::CreateContainerRequest, req: protocols::agent::CreateContainerRequest,
) -> Result<()> { ) -> Result<()> {
// create the proc_io first, in case there's some error occur below, thus we can make sure
// the io stream closed when error occur.
let proc_io = if AGENT_CONFIG.passfd_listener_port != 0 {
Some(passfd_io::take_io_streams(req.stdin_port, req.stdout_port, req.stderr_port).await)
} else {
None
};
let cid = req.container_id.clone(); let cid = req.container_id.clone();
kata_sys_util::validate::verify_id(&cid)?; kata_sys_util::validate::verify_id(&cid)?;
@@ -270,14 +278,6 @@ impl AgentService {
let pipe_size = AGENT_CONFIG.container_pipe_size; let pipe_size = AGENT_CONFIG.container_pipe_size;
let p = if let Some(p) = oci.process { let p = if let Some(p) = oci.process {
let proc_io = if AGENT_CONFIG.passfd_listener_port != 0 {
Some(
passfd_io::take_io_streams(req.stdin_port, req.stdout_port, req.stderr_port)
.await,
)
} else {
None
};
Process::new(&sl(), &p, cid.as_str(), true, pipe_size, proc_io)? Process::new(&sl(), &p, cid.as_str(), true, pipe_size, proc_io)?
} else { } else {
info!(sl(), "no process configurations!"); info!(sl(), "no process configurations!");
@@ -376,6 +376,14 @@ impl AgentService {
info!(sl(), "do_exec_process cid: {} eid: {}", cid, exec_id); info!(sl(), "do_exec_process cid: {} eid: {}", cid, exec_id);
// create the proc_io first, in case there's some error occur below, thus we can make sure
// the io stream closed when error occur.
let proc_io = if AGENT_CONFIG.passfd_listener_port != 0 {
Some(passfd_io::take_io_streams(req.stdin_port, req.stdout_port, req.stderr_port).await)
} else {
None
};
let mut sandbox = self.sandbox.lock().await; let mut sandbox = self.sandbox.lock().await;
let mut process = req let mut process = req
.process .process
@@ -388,13 +396,6 @@ impl AgentService {
let pipe_size = AGENT_CONFIG.container_pipe_size; let pipe_size = AGENT_CONFIG.container_pipe_size;
let ocip = rustjail::process_grpc_to_oci(&process); let ocip = rustjail::process_grpc_to_oci(&process);
// passfd_listener_port != 0 indicates passfd io mode
let proc_io = if AGENT_CONFIG.passfd_listener_port != 0 {
Some(passfd_io::take_io_streams(req.stdin_port, req.stdout_port, req.stderr_port).await)
} else {
None
};
let p = Process::new(&sl(), &ocip, exec_id.as_str(), false, pipe_size, proc_io)?; let p = Process::new(&sl(), &ocip, exec_id.as_str(), false, pipe_size, proc_io)?;
let ctr = sandbox let ctr = sandbox