"github.com/containers/podman/v5/libpod/define"
"golang.org/x/sys/unix"
// joinMountAndExec executes the specified function `f` inside the container's
// mount and PID namespace. That allows for having the exact view on the
// container's file system.
// Note: if the container is not running, `f()` is executed as is, without joining any namespace.
func (c *Container) joinMountAndExec(f func() error) error {
if c.state.State != define.ContainerStateRunning {
// Container's running, so we need to execute `f()` inside its mount NS.
errChan := make(chan error)
runtime.LockOSThread()
// Join the mount and PID NS of the container.
getFD := func(ns LinuxNS) (*os.File, error) {
nsPath, err := c.namespacePath(ns)
return os.Open(nsPath)
mountFD, err := getFD(MountNS)
inHostPidNS, err := c.inHostPidNS()
errChan <- fmt.Errorf("checking inHostPidNS: %w", err)
pidFD, err = getFD(PIDNS)
if err := unix.Unshare(unix.CLONE_NEWNS); err != nil {
if err := unix.Setns(int(pidFD.Fd()), unix.CLONE_NEWPID); err != nil {
if err := unix.Setns(int(mountFD.Fd()), unix.CLONE_NEWNS); err != nil {
// Last but not least, execute the workload.
func (c *Container) resolveCopyTarget(mountPoint string, containerPath string) (string, string, error) {
// If the container is running, we will execute the copy
// inside the container's mount namespace so we return a path
// relative to the container's root.
if c.state.State == define.ContainerStateRunning {
return "/", c.pathAbs(containerPath), nil
return c.resolvePath(mountPoint, containerPath)