mirror of
https://github.com/moby/moby.git
synced 2022-11-09 12:21:53 -05:00
d5d62ff955
Without this patch, containers inherit the open file descriptors of the daemon, so my "exec 42>&2" allows us to "echo >&42 some nasty error with some bad advice" directly into the daemon log. :) Also, "hack/dind" was already doing this due to issues caused by the inheritance, so I'm removing that hack too since this patch obsoletes it by generalizing it for all containers. Docker-DCO-1.1-Signed-off-by: Andrew Page <admwiggin@gmail.com> (github: tianon)
38 lines
1 KiB
Go
38 lines
1 KiB
Go
package system
|
|
|
|
import (
|
|
"io/ioutil"
|
|
"strconv"
|
|
"syscall"
|
|
)
|
|
|
|
// Works similarly to OpenBSD's "closefrom(2)":
|
|
// The closefrom() call deletes all descriptors numbered fd and higher from
|
|
// the per-process file descriptor table. It is effectively the same as
|
|
// calling close(2) on each descriptor.
|
|
// http://www.openbsd.org/cgi-bin/man.cgi?query=closefrom&sektion=2
|
|
//
|
|
// See also http://stackoverflow.com/a/918469/433558
|
|
func CloseFdsFrom(minFd int) error {
|
|
fdList, err := ioutil.ReadDir("/proc/self/fd")
|
|
if err != nil {
|
|
return err
|
|
}
|
|
for _, fi := range fdList {
|
|
fd, err := strconv.Atoi(fi.Name())
|
|
if err != nil {
|
|
// ignore non-numeric file names
|
|
continue
|
|
}
|
|
|
|
if fd < minFd {
|
|
// ignore descriptors lower than our specified minimum
|
|
continue
|
|
}
|
|
|
|
// intentionally ignore errors from syscall.Close
|
|
syscall.Close(fd)
|
|
// the cases where this might fail are basically file descriptors that have already been closed (including and especially the one that was created when ioutil.ReadDir did the "opendir" syscall)
|
|
}
|
|
return nil
|
|
}
|