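def grandchild():
    """Set up everything inside the process that finally exec()s the tool.

    Reports this process's outer-namespace PID to the parent, then blocks
    until the parent acknowledges with MARKER_PARENT_COMPLETED.

    The names container, self, child_setup_fn, to_parent, from_parent and
    MARKER_PARENT_COMPLETED are not defined in this block.
    NOTE(review): presumably they come from the enclosing scope - confirm.

    Raises:
        AssertionError: if the byte read from the parent is not
            MARKER_PARENT_COMPLETED (including an empty read at EOF).
    """
    try:
        # We know that this process has PID 2 in the inner namespace,
        # but we actually need to know its PID in the outer namespace
        # such that parent can put us into the correct cgroups. According to
        # http://man7.org/linux/man-pages/man7/pid_namespaces.7.html,
        # there are two ways to achieve this: sending a message with the PID
        # via a socket (but Python 2 lacks a convenient API for sendmsg),
        # and reading /proc/self in the outer procfs instance
        # (that's what we do).
        # NOTE(review): this read precedes mount_proc(); presumably the
        # outer procfs is no longer visible after that call - confirm
        # before reordering.
        my_outer_pid = container.get_my_pid_from_procfs()

        container.mount_proc(self._container_system_config)
        # Capabilities are dropped before the caller-supplied hook runs.
        container.drop_capabilities()
        container.reset_signal_handling()
        child_setup_fn()  # Do some other setup the caller wants.

        # Signal readiness to parent by sending our PID
        # and wait until parent is also ready
        os.write(to_parent, str(my_outer_pid).encode())
        received = os.read(from_parent, 1)
        # Explicit raise instead of `assert`: an assert statement is removed
        # under `python -O`, which would let this process continue without
        # the parent's acknowledgement. The exception type is unchanged.
        # os.read() returns b"" at EOF, which fails this check as well.
        if received != MARKER_PARENT_COMPLETED:
            raise AssertionError(received)
    finally:
        # close remaining ends of pipe
        os.close(from_parent)
        os.close(to_parent)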
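def grandchild():
    """Set up everything inside the process that finally exec()s the tool.

    Reports this process's outer-namespace PID to the parent, then blocks
    until the parent acknowledges with a single NUL byte.

    The names container, child_setup_fn, to_parent and from_parent are not
    defined in this block.
    NOTE(review): presumably they come from the enclosing scope - confirm.

    Raises:
        AssertionError: if the byte read from the parent is not b"\\0"
            (including an empty read at EOF).
    """
    try:
        # We know that this process has PID 2 in the inner namespace,
        # but we actually need to know its PID in the outer namespace
        # such that parent can put us into the correct cgroups.
        # According to http://man7.org/linux/man-pages/man7/pid_namespaces.7.html,
        # there are two ways to achieve this: sending a message with the PID
        # via a socket (but Python < 3.3 lacks a convenient API for sendmsg),
        # and reading /proc/self in the outer procfs instance (that's what we do).
        # NOTE(review): this read precedes mount_proc(); presumably the
        # outer procfs is no longer visible after that call - confirm
        # before reordering.
        my_outer_pid = container.get_my_pid_from_procfs()

        container.mount_proc()
        # Capabilities are dropped before the caller-supplied hook runs.
        container.drop_capabilities()
        container.reset_signal_handling()
        child_setup_fn()  # Do some other setup the caller wants.

        # Signal readiness to parent by sending our PID and wait until parent is also ready
        os.write(to_parent, str(my_outer_pid).encode())
        received = os.read(from_parent, 1)
        # Explicit raise instead of `assert`: an assert statement is removed
        # under `python -O`, which would let this process continue without
        # the parent's acknowledgement. The exception type is unchanged.
        # os.read() returns b"" at EOF, which fails this check as well.
        if received != b"\0":
            raise AssertionError(received)
    finally:
        # close remaining ends of pipe
        os.close(from_parent)
        os.close(to_parent)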