merge #4647 into opencontainers/runc:release-1.2

Evan Phoenix (1): libcontainer: Prevent startup hang when CloseExecFrom errors LGTMs: lifubang cyphar
2025-09-26 19:41:35 +08:00 · 2025-02-27 16:06:02 +11:00
parent 35d1d6e7a0 e64390545e
commit 4dbf9ac5ae
1 changed files with 11 additions and 10 deletions
--- a/libcontainer/container_linux.go
+++ b/libcontainer/container_linux.go
@@ -324,16 +324,6 @@ func (c *Container) start(process *Process) (retErr error) {
 	defer process.closeClonedExes()

 	logsDone := parent.forwardChildLogs()
-	if logsDone != nil {
-		defer func() {
-			// Wait for log forwarder to finish. This depends on
-			// runc init closing the _LIBCONTAINER_LOGPIPE log fd.
-			err := <-logsDone
-			if err != nil && retErr == nil {
-				retErr = fmt.Errorf("unable to forward init logs: %w", err)
-			}
-		}()
-	}

 	// Before starting "runc init", mark all non-stdio open files as O_CLOEXEC
 	// to make sure we don't leak any files into "runc init". Any files to be
@@ -348,6 +338,17 @@ func (c *Container) start(process *Process) (retErr error) {
 		return fmt.Errorf("unable to start container process: %w", err)
 	}

+	if logsDone != nil {
+		defer func() {
+			// Wait for log forwarder to finish. This depends on
+			// runc init closing the _LIBCONTAINER_LOGPIPE log fd.
+			err := <-logsDone
+			if err != nil && retErr == nil {
+				retErr = fmt.Errorf("unable to forward init logs: %w", err)
+			}
+		}()
+	}
+
 	if process.Init {
 		c.fifo.Close()
 		if c.config.Hooks != nil {