daemon/execdriver/native/exec.go - third_party/github.com/moby/moby - Git at Google

 // +build linux

 package native

 import (
 	"fmt"
 	"os"
 	"os/exec"
 	"strings"
 	"syscall"

 	"github.com/docker/docker/daemon/execdriver"
 	"github.com/opencontainers/runc/libcontainer"
 	// Blank import 'nsenter' so that init in that package will call c
 	// function 'nsexec()' to do 'setns' before Go runtime take over,
 	// it's used for join to exist ns like 'docker exec' command.
 	_ "github.com/opencontainers/runc/libcontainer/nsenter"
 	"github.com/opencontainers/runc/libcontainer/utils"
 )

 // Exec implements the exec driver Driver interface,
 // it calls libcontainer APIs to execute a container.
 func (d *Driver) Exec(c *execdriver.Command, processConfig *execdriver.ProcessConfig, pipes *execdriver.Pipes, hooks execdriver.Hooks) (int, error) {
 	active := d.activeContainers[c.ID]
 	if active == nil {
 		return -1, fmt.Errorf("No active container exists with ID %s", c.ID)
 	}

 	user := processConfig.User
 	if c.RemappedRoot.UID != 0 && user == "" {
 		//if user namespaces are enabled, set user explicitly so uid/gid is set to 0
 		//otherwise we end up with the overflow id and no permissions (65534)
 		user = "0"
 	}

 	p := &libcontainer.Process{
 		Args: append([]string{processConfig.Entrypoint}, processConfig.Arguments...),
 		Env:  c.ProcessConfig.Env,
 		Cwd:  c.WorkingDir,
 		User: user,
 	}

 	if processConfig.Privileged {
 		p.Capabilities = execdriver.GetAllCapabilities()
 	}
 	// add CAP_ prefix to all caps for new libcontainer update to match
 	// the spec format.
 	for i, s := range p.Capabilities {
 		if !strings.HasPrefix(s, "CAP_") {
 			p.Capabilities[i] = fmt.Sprintf("CAP_%s", s)
 		}
 	}

 	config := active.Config()
 	if err := setupPipes(&config, processConfig, p, pipes); err != nil {
 		return -1, err
 	}

 	if err := active.Start(p); err != nil {
 		return -1, err
 	}

 	if hooks.Start != nil {
 		pid, err := p.Pid()
 		if err != nil {
 			p.Signal(os.Kill)
 			p.Wait()
 			return -1, err
 		}

 		// A closed channel for OOM is returned here as it will be
 		// non-blocking and return the correct result when read.
 		chOOM := make(chan struct{})
 		close(chOOM)
 		hooks.Start(&c.ProcessConfig, pid, chOOM)
 	}

 	ps, err := p.Wait()
 	if err != nil {
 		exitErr, ok := err.(*exec.ExitError)
 		if !ok {
 			return -1, err
 		}
 		ps = exitErr.ProcessState
 	}
 	return utils.ExitStatus(ps.Sys().(syscall.WaitStatus)), nil
 }
	// +build linux

	package native

	import (
	"fmt"
	"os"
	"os/exec"
	"strings"
	"syscall"

	"github.com/docker/docker/daemon/execdriver"
	"github.com/opencontainers/runc/libcontainer"
	// Blank import 'nsenter' so that init in that package will call c
	// function 'nsexec()' to do 'setns' before Go runtime take over,
	// it's used for join to exist ns like 'docker exec' command.
	_ "github.com/opencontainers/runc/libcontainer/nsenter"
	"github.com/opencontainers/runc/libcontainer/utils"
	)

	// Exec implements the exec driver Driver interface,
	// it calls libcontainer APIs to execute a container.
	func (d Driver) Exec(c execdriver.Command, processConfig execdriver.ProcessConfig, pipes execdriver.Pipes, hooks execdriver.Hooks) (int, error) {
	active := d.activeContainers[c.ID]
	if active == nil {
	return -1, fmt.Errorf("No active container exists with ID %s", c.ID)
	}

	user := processConfig.User
	if c.RemappedRoot.UID != 0 && user == "" {
	//if user namespaces are enabled, set user explicitly so uid/gid is set to 0
	//otherwise we end up with the overflow id and no permissions (65534)
	user = "0"
	}

	p := &libcontainer.Process{
	Args: append([]string{processConfig.Entrypoint}, processConfig.Arguments...),
	Env: c.ProcessConfig.Env,
	Cwd: c.WorkingDir,
	User: user,
	}

	if processConfig.Privileged {
	p.Capabilities = execdriver.GetAllCapabilities()
	}
	// add CAP_ prefix to all caps for new libcontainer update to match
	// the spec format.
	for i, s := range p.Capabilities {
	if !strings.HasPrefix(s, "CAP_") {
	p.Capabilities[i] = fmt.Sprintf("CAP_%s", s)
	}
	}

	config := active.Config()
	if err := setupPipes(&config, processConfig, p, pipes); err != nil {
	return -1, err
	}

	if err := active.Start(p); err != nil {
	return -1, err
	}

	if hooks.Start != nil {
	pid, err := p.Pid()
	if err != nil {
	p.Signal(os.Kill)
	p.Wait()
	return -1, err
	}

	// A closed channel for OOM is returned here as it will be
	// non-blocking and return the correct result when read.
	chOOM := make(chan struct{})
	close(chOOM)
	hooks.Start(&c.ProcessConfig, pid, chOOM)
	}

	ps, err := p.Wait()
	if err != nil {
	exitErr, ok := err.(*exec.ExitError)
	if !ok {
	return -1, err
	}
	ps = exitErr.ProcessState
	}
	return utils.ExitStatus(ps.Sys().(syscall.WaitStatus)), nil
	}