A question on runc exec.fifo

[Shahed Moolji]

Apologies in advance if this is not the correct place to ask such question (this is my first post to this group)

I am trying to understand the runc / libcontainer code and am currently trying to understand the role of the exec.fifo pipe.

1. I created  a container (with the create and --console-socket command.. so its running runc init in state "created" ) 

 

2. Next, I run "runc exec <container> <command>".

    What I am trying to see is how the cmd line exec interacts with the running init process (if at all) and if exec.fifo is involved in any way.

So far, it looks to me like when you run exec, its similar to using nsenter to run a process within another namespace... so I am not sure if there is any connection 

between the runc exec and the already running runc init processes.

Any help in clarifying the flow for an exec and the role of exec.fifo would be greatly appriciated.

    Also any clarification on how "start" and "exec" differ would also be appreciated (looks like start simply run the command in config.json ?)

Thanks

Shahed

[Aleksa Sarai]

> I am trying to understand the runc / libcontainer code and am currently
> trying to understand the role of the exec.fifo pipe.

The "execFifo" doesn't have anything to do with "runc exec" (the
similar names are unfortunate and I never realised that it would be
confusing in this way).

The purpose of the FIFO is for the `runc create` and `runc start`
split. `runc create` creates the containers and init process,
preparing everything needed in order for the user's init process to
start. Before it does the final execve(...) into the user's code, it
blocks on the "execFifo" (by attempting to write to it). This will
block until someone opens the FIFO for reading (which is what `runc
start` does).

`runc exec` works the same way no matter what the state of the
container's init is, it is /basically/ nsenter with a couple of extra
features (like being able to allocate a PTY for you and also running
programs through exec in a detached mode so there's no runc process
staying around).

> Also any clarification on how "start" and "exec" differ would also be
> appreciated (looks like start simply run the command in config.json ?)

`runc create` and `runc start` are what you want to use (in general,
there are special usecases for using `runc exec`) to create the
container and then start the init process you specified in
config.json. This is all defined by the runtime-spec's lifecycle
description. `runc exec` is an additional feature which allows you to
run additional processes in the container (without forking those
processes from the init process). It's basically the same as nsenter.

"start" and "exec" are completely different commands that do
completely different things.

--
Aleksa Sarai (cyphar)
www.cyphar.com