What happens after the invocation of /proc/self/exe init

[therandombyte]

When the container is about to be started and in the init phase, can anybody help me understand where does the code logic go after /proc/self/exe init gets executed?

Is there a function called init() somewhere that gets invoked (which maybe invokes the "sh" command in a container)?

The command declaration happens In container_linux.go:
exec.Command("/proc/self/exe", "init")

and execution happens in process_linux.go:
func (p *initProcess) start() (retErr error) {
defer p.messageSockPair.parent.Close() //nolint: errcheck
err := p.cmd.Start() // <---- where does the logic go after this invocation? --->

I have been cracking my head behind this and unable to trace the steps. Any ideas/help appreciated!!

[tianon]

I think https://github.com/opencontainers/runc/blob/5a9266b068b86f37c66330c37067250a32c4076a/init.go is probably what you're looking for 👀

[therandombyte]

Thanks for your response. I tried putting debug messages in init.go, but execution does not reach inside the if block. This init.go package seems to load the libcontainer's nsenter module, and i am wondering if the control is passed there?

[cyphar]

Once you call runc init you end up in libcontainer/nsenter/nsexec.c, which runs before the Go runtime does. If you look in that package you'll be able to see how we make sure this happens (with compiler attributes to have our C code run as a "constructor"). After that, the C code returns and the Go runtime starts up -- at which point the code in StartInitialzation runs.

[kolyshkin]

Some documentation is available in libcontainer/README.md. The process is somewhat complicated.

First of all, all the stuff from libcontainer/nsenter gets executed (which is mostly in C), then the golang init (from init.go) is run, which calls StartInitialization. This is where you want to look.

[therandombyte]

Thanks for taking out time for answering me. However when i put debug/log messages in the StartInitialization function, i don't see them getting printed on the console. The container gets launched successfully but i don't see the log messages and its confusing me more :)

Also, i realized the nsenter (nsexec) code is getting executed twice after the /proc/self/exe init gets invoked. Can i ask why is that?

[cyphar]

Due to the way consoles are set up for containers, just printing to stdout won't work. We have since rewritten the logging for nsexec, so if you use write_log() you will get the messages.

As for why we re-exec runc init, this is done to defend against CVE-2019-5736. There is a pull request to improve this a fair bit by moving that code out of the C portion, which will mean we only exec runc init once.