mirror of
https://github.com/NVIDIA/nvidia-container-toolkit
synced 2025-05-30 01:58:49 +00:00
This change uses the reexec package to run the ldcache update for a container in a process with isolated namespaces. Since the hook is invoked as a createContainer hook, these namespaces are cloned from the container's namespaces. In the reexec handler, we further isolate the proc filesystem, mount the host ldconfig to a tmpfs, and pivot into the container's root. Signed-off-by: Evan Lezar <elezar@nvidia.com>
package reexec
import (
"os/exec"
"syscall"
)
// command builds the *exec.Cmd used to re-execute the current binary with the
// given argument vector. The command is only constructed here; it is not
// started.
//
// Path comes from Self() (defined elsewhere in this package), while args is
// used verbatim as the child's argv, so args[0] is whatever the caller
// supplies rather than the executable path.
//
// Env and Dir are left at their zero values, so by os/exec's defaults the
// child runs with the caller's environment and working directory.
func command(args ...string) *exec.Cmd {
	// Pdeathsig asks the kernel to deliver SIGTERM to the child when its parent
	// goes away, so a re-exec'd helper does not outlive its launcher.
	// NOTE(review): on Linux the parent-death signal is tied to the OS thread
	// that created the child, not to the whole process; callers relying on it
	// for cleanup may need runtime.LockOSThread around Start/Wait — confirm at
	// the call sites.
	procAttr := &syscall.SysProcAttr{Pdeathsig: syscall.SIGTERM}

	cmd := new(exec.Cmd)
	cmd.Path = Self()
	cmd.Args = args
	cmd.SysProcAttr = procAttr
	return cmd
}