fix stdio permission error for runc run without detach

Signed-off-by: lifubang <lifubang@acmcoder.com>

Author: lifubang

libcontainer/process_linux.go

@@ -917,7 +917,7 @@ func getPipeFds(pid int) ([]string, error) {
 // opposite side for each. Do not use this if you want to have a pseudoterminal
 // set up for you by libcontainer (TODO: fix that too).
 // TODO: This is mostly unnecessary, and should be handled by clients.
-func (p *Process) InitializeIO(rootuid, rootgid int) (i *IO, err error) {
+func (p *Process) InitializeIO(containerUID, containerGID int) (i *IO, err error) {
 	var fds []uintptr
 	i = &IO{}
 	// cleanup in case of an error
@@ -949,7 +949,11 @@ func (p *Process) InitializeIO(rootuid, rootgid int) (i *IO, err error) {
 	p.Stderr, i.Stderr = w, r
 	// change ownership of the pipes in case we are in a user namespace
 	for _, fd := range fds {
-		if err := unix.Fchown(int(fd), rootuid, rootgid); err != nil {
+		if err := unix.Fchown(int(fd), containerUID, containerGID); err != nil {
+			if errors.Is(err, unix.EINVAL) || errors.Is(err, unix.EPERM) || errors.Is(err, unix.EROFS) {
+				// Let's wait to do chown in the container init
+				continue
+			}
 			return nil, &os.PathError{Op: "fchown", Path: "fd " + strconv.Itoa(int(fd)), Err: err}
 		}
 	}

tty.go

@@ -31,8 +31,8 @@ func (t *tty) copyIO(w io.Writer, r io.ReadCloser) {
 
 // setup pipes for the process so that advanced features like c/r are able to easily checkpoint
 // and restore the process's IO without depending on a host specific path or device
-func setupProcessPipes(p *libcontainer.Process, rootuid, rootgid int) (*tty, error) {
-	i, err := p.InitializeIO(rootuid, rootgid)
+func setupProcessPipes(p *libcontainer.Process, containerUID, containerGID int) (*tty, error) {
+	i, err := p.InitializeIO(containerUID, containerGID)
 	if err != nil {
 		return nil, err
 	}

utils_linux.go

@@ -94,7 +94,7 @@ func newProcess(p specs.Process) (*libcontainer.Process, error) {
 }
 
 // setupIO modifies the given process config according to the options.
-func setupIO(process *libcontainer.Process, rootuid, rootgid int, createTTY, detach bool, sockpath string) (*tty, error) {
+func setupIO(process *libcontainer.Process, containerUID, containerGID int, createTTY, detach bool, sockpath string) (*tty, error) {
 	if createTTY {
 		process.Stdin = nil
 		process.Stdout = nil
@@ -140,7 +140,7 @@ func setupIO(process *libcontainer.Process, rootuid, rootgid int, createTTY, det
 		inheritStdio(process)
 		return &tty{}, nil
 	}
-	return setupProcessPipes(process, rootuid, rootgid)
+	return setupProcessPipes(process, containerUID, containerGID)
 }
 
 // createPidFile creates a file containing the PID,
@@ -237,11 +237,11 @@ func (r *runner) run(config *specs.Process) (int, error) {
 		}
 		process.ExtraFiles = append(process.ExtraFiles, os.NewFile(uintptr(i), "PreserveFD:"+strconv.Itoa(i)))
 	}
-	rootuid, err := r.container.Config().HostRootUID()
+	containerUID, err := r.container.Config().HostUID(int(config.User.UID))
 	if err != nil {
 		return -1, err
 	}
-	rootgid, err := r.container.Config().HostRootGID()
+	containerGID, err := r.container.Config().HostGID(int(config.User.GID))
 	if err != nil {
 		return -1, err
 	}
@@ -250,7 +250,7 @@ func (r *runner) run(config *specs.Process) (int, error) {
 	// with detaching containers, and then we get a tty after the container has
 	// started.
 	handler := newSignalHandler(r.enableSubreaper, r.notifySocket)
-	tty, err := setupIO(process, rootuid, rootgid, config.Terminal, detach, r.consoleSocket)
+	tty, err := setupIO(process, containerUID, containerGID, config.Terminal, detach, r.consoleSocket)
 	if err != nil {
 		return -1, err
 	}