@@ -2,18 +2,14 @@ package libcontainer

 type Container struct {

 	ID           string       `json:"id,omitempty"`

-	NsPid        int          `json:"namespace_pid,omitempty"`

 	Command      *Command     `json:"command,omitempty"`

-	RootFs       string       `json:"rootfs,omitempty"`

 	ReadonlyFs   bool         `json:"readonly_fs,omitempty"`

-	NetNsFd      uintptr      `json:"network_namespace_fd,omitempty"`

 	User         string       `json:"user,omitempty"`

 	WorkingDir   string       `json:"working_dir,omitempty"`

 	Namespaces   Namespaces   `json:"namespaces,omitempty"`

 	Capabilities Capabilities `json:"capabilities,omitempty"`

-	Master       uintptr      `json:"master"`

-	Console      string       `json:"console"`

-	LogFile      string       `json:"log_file"`

+	LogFile      string       `json:"log_file,omitempty"`

+	Network      *Network     `json:"network,omitempty"`

 }

 type Command struct {

@@ -22,9 +18,9 @@ type Command struct {

 }

 type Network struct {

-	TempVethName string `json:"temp_veth,omitempty"`

 	IP           string `json:"ip,omitempty"`

 	Gateway      string `json:"gateway,omitempty"`

 	Bridge       string `json:"bridge,omitempty"`

 	Mtu          int    `json:"mtu,omitempty"`

+	TempVethName string `json:"temp_veth,omitempty"`

 }

@@ -1,27 +1,17 @@

-/*

-   Higher level convience functions for setting up a container

-*/

-

 package namespaces

 import (

-	"errors"

 	"github.com/dotcloud/docker/pkg/libcontainer"

 	"github.com/dotcloud/docker/pkg/system"

+	"github.com/dotcloud/docker/pkg/term"

 	"io"

 	"log"

 	"os"

 	"os/exec"

-	"path/filepath"

-	"strconv"

 	"syscall"

 )

-var (

-	ErrExistingNetworkNamespace = errors.New("specified both CLONE_NEWNET and an existing network namespace")

-)

-

-// Exec will spawn new namespaces with the specified Container configuration

+// ExecContainer will spawn new namespaces with the specified Container configuration

 // in the RootFs path and return the pid of the new containerized process.

 //

 // If an existing network namespace is specified the container

@@ -30,30 +20,19 @@ var (

 // existing network namespace and the CLONE_NEWNET option in the container configuration will allow

 // the container to the the host's networking options and configuration.

 func ExecContainer(container *libcontainer.Container) (pid int, err error) {

-	// a user cannot pass CLONE_NEWNET and an existing net namespace fd to join

-	if container.NetNsFd > 0 && container.Namespaces.Contains(libcontainer.CLONE_NEWNET) {

-		return -1, ErrExistingNetworkNamespace

-	}

-

 	master, console, err := createMasterAndConsole()

 	if err != nil {

 		return -1, err

 	}

-	nsinit := filepath.Join(container.RootFs, ".nsinit")

 	// we need CLONE_VFORK so we can wait on the child

 	flag := uintptr(getNamespaceFlags(container.Namespaces) | CLONE_VFORK)

-	command := exec.Command(nsinit, "-master", strconv.Itoa(int(master.Fd())), "-console", console, "init", "container.json")

-	// command.Stdin = os.Stdin

-	// command.Stdout = os.Stdout

-	// command.Stderr = os.Stderr

-	command.SysProcAttr = &syscall.SysProcAttr{}

-	command.SysProcAttr.Cloneflags = flag

-

-	command.ExtraFiles = []*os.File{master}

+	command := exec.Command("nsinit", console)

+	command.SysProcAttr = &syscall.SysProcAttr{

+		Cloneflags: flag,

+	}

-	println("vvvvvvvvv")

 	if err := command.Start(); err != nil {

 		return -1, err

 	}

@@ -64,11 +43,18 @@ func ExecContainer(container *libcontainer.Container) (pid int, err error) {

 			log.Println(err)

 		}

 	}()

+

 	go func() {

 		if _, err := io.Copy(master, os.Stdin); err != nil {

 			log.Println(err)

 		}

 	}()

+

+	term.SetRawTerminal(os.Stdin.Fd())

+

+	if err := command.Wait(); err != nil {

+		return pid, err

+	}

 	return pid, nil

 }

deleted file mode 100644

@@ -1,7 +0,0 @@

-// +build linux,x86_64

-package namespaces

-

-// Via http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=7b21fddd087678a70ad64afc0f632e0f1071b092

-const (

-	SYS_SETNS = 308

-)

deleted file mode 100644

@@ -1,209 +0,0 @@

-package namespaces

-

-import (

-	"fmt"

-	"github.com/dotcloud/docker/pkg/system"

-	"log"

-	"os"

-	"path/filepath"

-	"syscall"

-)

-

-var (

-	// default mount point options

-	defaults = syscall.MS_NOEXEC | syscall.MS_NOSUID | syscall.MS_NODEV

-)

-

-func SetupNewMountNamespace(rootfs, console string, readonly bool) error {

-	if err := system.Mount("", "/", "", syscall.MS_SLAVE|syscall.MS_REC, ""); err != nil {

-		return fmt.Errorf("mounting / as slave %s", err)

-	}

-

-	if err := system.Mount(rootfs, rootfs, "bind", syscall.MS_BIND|syscall.MS_REC, ""); err != nil {

-		return fmt.Errorf("mouting %s as bind %s", rootfs, err)

-	}

-

-	if readonly {

-		if err := system.Mount(rootfs, rootfs, "bind", syscall.MS_BIND|syscall.MS_REMOUNT|syscall.MS_RDONLY|syscall.MS_REC, ""); err != nil {

-			return fmt.Errorf("mounting %s as readonly %s", rootfs, err)

-		}

-	}

-

-	if err := mountSystem(rootfs); err != nil {

-		return fmt.Errorf("mount system %s", err)

-	}

-

-	if err := copyDevNodes(rootfs); err != nil {

-		return fmt.Errorf("copy dev nodes %s", err)

-	}

-

-	ptmx := filepath.Join(rootfs, "dev/ptmx")

-	if err := os.Remove(ptmx); err != nil && !os.IsNotExist(err) {

-		return err

-	}

-	if err := os.Symlink("pts/ptmx", ptmx); err != nil {

-		return fmt.Errorf("symlink dev ptmx %s", err)

-	}

-

-	if err := setupDev(rootfs); err != nil {

-		return err

-	}

-

-	if err := setupConsole(rootfs, console); err != nil {

-		return err

-	}

-

-	if err := system.Chdir(rootfs); err != nil {

-		return fmt.Errorf("chdir into %s %s", rootfs, err)

-	}

-

-	if err := system.Mount(rootfs, "/", "", syscall.MS_MOVE, ""); err != nil {

-		return fmt.Errorf("mount move %s into / %s", rootfs, err)

-	}

-

-	if err := system.Chroot("."); err != nil {

-		return fmt.Errorf("chroot . %s", err)

-	}

-

-	if err := system.Chdir("/"); err != nil {

-		return fmt.Errorf("chdir / %s", err)

-	}

-

-	system.Umask(0022)

-

-	return nil

-}

-

-func copyDevNodes(rootfs string) error {

-	oldMask := system.Umask(0000)

-	defer system.Umask(oldMask)

-

-	for _, node := range []string{

-		"null",

-		"zero",

-		"full",

-		"random",

-		"urandom",

-		"tty",

-	} {

-		stat, err := os.Stat(filepath.Join("/dev", node))

-		if err != nil {

-			return err

-		}

-

-		var (

-			dest = filepath.Join(rootfs, "dev", node)

-			st   = stat.Sys().(*syscall.Stat_t)

-		)

-

-		log.Printf("copy %s to %s %d\n", node, dest, st.Rdev)

-		if err := system.Mknod(dest, st.Mode, int(st.Rdev)); err != nil && !os.IsExist(err) {

-			return fmt.Errorf("copy %s %s", node, err)

-		}

-	}

-	return nil

-}

-

-func setupDev(rootfs string) error {

-	for _, link := range []struct {

-		from string

-		to   string

-	}{

-		{"/proc/kcore", "/dev/core"},

-		{"/proc/self/fd", "/dev/fd"},

-		{"/proc/self/fd/0", "/dev/stdin"},

-		{"/proc/self/fd/1", "/dev/stdout"},

-		{"/proc/self/fd/2", "/dev/stderr"},

-	} {

-		dest := filepath.Join(rootfs, link.to)

-		if err := os.Remove(dest); err != nil && !os.IsNotExist(err) {

-			return fmt.Errorf("remove %s %s", dest, err)

-		}

-		if err := os.Symlink(link.from, dest); err != nil {

-			return fmt.Errorf("symlink %s %s", dest, err)

-		}

-	}

-	return nil

-}

-

-func setupConsole(rootfs, console string) error {

-	oldMask := system.Umask(0000)

-	defer system.Umask(oldMask)

-

-	stat, err := os.Stat(console)

-	if err != nil {

-		return fmt.Errorf("stat console %s %s", console, err)

-	}

-	st := stat.Sys().(*syscall.Stat_t)

-

-	dest := filepath.Join(rootfs, "dev/console")

-	if err := os.Remove(dest); err != nil && !os.IsNotExist(err) {

-		return fmt.Errorf("remove %s %s", dest, err)

-	}

-

-	if err := os.Chmod(console, 0600); err != nil {

-		return err

-	}

-	if err := os.Chown(console, 0, 0); err != nil {

-		return err

-	}

-

-	if err := system.Mknod(dest, (st.Mode&^07777)|0600, int(st.Rdev)); err != nil {

-		return fmt.Errorf("mknod %s %s", dest, err)

-	}

-

-	if err := system.Mount(console, dest, "bind", syscall.MS_BIND, ""); err != nil {

-		return fmt.Errorf("bind %s to %s %s", console, dest, err)

-	}

-	return nil

-}

-

-// mountSystem sets up linux specific system mounts like sys, proc, shm, and devpts

-// inside the mount namespace

-func mountSystem(rootfs string) error {

-	for _, m := range []struct {

-		source string

-		path   string

-		device string

-		flags  int

-		data   string

-	}{

-		{source: "proc", path: filepath.Join(rootfs, "proc"), device: "proc", flags: defaults},

-		{source: "sysfs", path: filepath.Join(rootfs, "sys"), device: "sysfs", flags: defaults},

-		{source: "tmpfs", path: filepath.Join(rootfs, "dev"), device: "tmpfs", flags: syscall.MS_NOSUID | syscall.MS_STRICTATIME, data: "mode=755"},

-		{source: "shm", path: filepath.Join(rootfs, "dev", "shm"), device: "tmpfs", flags: defaults, data: "mode=1777"},

-		{source: "devpts", path: filepath.Join(rootfs, "dev", "pts"), device: "devpts", flags: syscall.MS_NOSUID | syscall.MS_NOEXEC, data: "newinstance,ptmxmode=0666,mode=620,gid=5"},

-		{source: "tmpfs", path: filepath.Join(rootfs, "run"), device: "tmpfs", flags: syscall.MS_NOSUID | syscall.MS_NODEV | syscall.MS_STRICTATIME, data: "mode=755"},

-	} {

-		if err := os.MkdirAll(m.path, 0755); err != nil && !os.IsExist(err) {

-			return fmt.Errorf("mkdirall %s %s", m.path, err)

-		}

-		if err := system.Mount(m.source, m.path, m.device, uintptr(m.flags), m.data); err != nil {

-			return fmt.Errorf("mounting %s into %s %s", m.source, m.path, err)

-		}

-	}

-	return nil

-}

-

-func remountProc() error {

-	if err := system.Unmount("/proc", syscall.MNT_DETACH); err != nil {

-		return err

-	}

-	if err := system.Mount("proc", "/proc", "proc", uintptr(defaults), ""); err != nil {

-		return err

-	}

-	return nil

-}

-

-func remountSys() error {

-	if err := system.Unmount("/sys", syscall.MNT_DETACH); err != nil {

-		if err != syscall.EINVAL {

-			return err

-		}

-	} else {

-		if err := system.Mount("sysfs", "/sys", "sysfs", uintptr(defaults), ""); err != nil {

-			return err

-		}

-	}

-	return nil

-}

@@ -40,5 +40,5 @@ func getNamespaceFlags(namespaces libcontainer.Namespaces) (flag int) {

 	for _, ns := range namespaces {

 		flag |= namespaceMap[ns]

 	}

-	return

+	return flag

 }

@@ -1,6 +1,7 @@

-package nsinit

+package main

 import (

+	"encoding/json"

 	"fmt"

 	"github.com/dotcloud/docker/pkg/libcontainer"

 	"github.com/dotcloud/docker/pkg/libcontainer/capabilities"

@@ -12,103 +13,112 @@ import (

 	"syscall"

 )

-// InitNamespace should be run inside an existing namespace to setup

-// common mounts, drop capabilities, and setup network interfaces

-func InitNamespace(container *libcontainer.Container) error {

-	println("|||||||||||||")

-	if err := setLogFile(container); err != nil {

-		return err

+func loadContainer() (*libcontainer.Container, error) {

+	f, err := os.Open("container.json")

+	if err != nil {

+		return nil, err

 	}

-	println(container.LogFile)

-	log.Printf("--------->")

-	rootfs, err := resolveRootfs(container)

+	defer f.Close()

+

+	var container *libcontainer.Container

+	if err := json.NewDecoder(f).Decode(&container); err != nil {

+		return nil, err

+	}

+	return container, nil

+}

+

+func main() {

+	container, err := loadContainer()

 	if err != nil {

-		return err

+		log.Fatal(err)

 	}

-	// any errors encoutered inside the namespace we should write

-	// out to a log or a pipe to our parent and exit(1)

-	// because writing to stderr will not work after we close

-	if err := closeMasterAndStd(os.NewFile(container.Master, "/dev/ptmx")); err != nil {

-		log.Fatalf("close master and std %s", err)

-		return err

+	if os.Args[1] == "exec" {

+		_, err := namespaces.ExecContainer(container)

+		if err != nil {

+			log.Fatal(err)

+		}

+		os.Exit(0)

+	}

+	console := os.Args[1]

+

+	if err := setLogFile(container); err != nil {

+		log.Fatal(err)

 	}

-	slave, err := openTerminal(container.Console, syscall.O_RDWR)

+	rootfs, err := resolveRootfs()

+	if err != nil {

+		log.Fatal(err)

+	}

+

+	// close pipes so that we can replace it with the pty

+	os.Stdin.Close()

+	os.Stdout.Close()

+	os.Stderr.Close()

+

+	slave, err := openTerminal(console, syscall.O_RDWR)

 	if err != nil {

 		log.Fatalf("open terminal %s", err)

-		return err

+	}

+	if slave.Fd() != 0 {

+		log.Fatalf("slave fd should be 0")

 	}

 	if err := dupSlave(slave); err != nil {

 		log.Fatalf("dup2 slave %s", err)

-		return err

 	}

-	/*

-		if container.NetNsFd > 0 {

-			if err := joinExistingNamespace(container.NetNsFd, libcontainer.CLONE_NEWNET); err != nil {

-				log.Fatalf("join existing net namespace %s", err)

-			}

-		}

-	*/

-

 	if _, err := system.Setsid(); err != nil {

 		log.Fatalf("setsid %s", err)

-		return err

 	}

 	if err := system.Setctty(); err != nil {

 		log.Fatalf("setctty %s", err)

-		return err

 	}

 	if err := system.ParentDeathSignal(); err != nil {

 		log.Fatalf("parent deth signal %s", err)

-		return err

 	}

-	if err := namespaces.SetupNewMountNamespace(rootfs, container.Console, container.ReadonlyFs); err != nil {

+

+	if err := setupNewMountNamespace(rootfs, console, container.ReadonlyFs); err != nil {

 		log.Fatalf("setup mount namespace %s", err)

-		return err

 	}

+

+	if container.Network != nil {

+		if err := setupNetworking(container); err != nil {

+			log.Fatalf("setup networking %s", err)

+		}

+	}

+

 	if err := system.Sethostname(container.ID); err != nil {

 		log.Fatalf("sethostname %s", err)

-		return err

 	}

 	if err := capabilities.DropCapabilities(container); err != nil {

 		log.Fatalf("drop capabilities %s", err)

-		return err

 	}

 	if err := setupUser(container); err != nil {

 		log.Fatalf("setup user %s", err)

-		return err

 	}

 	if container.WorkingDir != "" {

 		if err := system.Chdir(container.WorkingDir); err != nil {

 			log.Fatalf("chdir to %s %s", container.WorkingDir, err)

-			return err

 		}

 	}

 	if err := system.Exec(container.Command.Args[0], container.Command.Args[0:], container.Command.Env); err != nil {

 		log.Fatalf("exec %s", err)

-		return err

 	}

 	panic("unreachable")

 }

-func resolveRootfs(container *libcontainer.Container) (string, error) {

-	rootfs, err := filepath.Abs(container.RootFs)

+func resolveRootfs() (string, error) {

+	cwd, err := os.Getwd()

+	if err != nil {

+		return "", err

+	}

+	rootfs, err := filepath.Abs(cwd)

 	if err != nil {

 		return "", err

 	}

 	return filepath.EvalSymlinks(rootfs)

 }

-func closeMasterAndStd(master *os.File) error {

-	master.Close()

-	os.Stdin.Close()

-	os.Stdout.Close()

-	os.Stderr.Close()

-	return nil

-}

-

 func setupUser(container *libcontainer.Container) error {

 	// TODO: honor user passed on container

 	if err := system.Setgroups(nil); err != nil {

@@ -154,3 +164,7 @@ func setLogFile(container *libcontainer.Container) error {

 	log.SetOutput(f)

 	return nil

 }

+

+func setupNetworking(conatiner *libcontainer.Container) error {

+	return nil

+}

new file mode 100644

@@ -0,0 +1,209 @@

+package main

+

+import (

+	"fmt"

+	"github.com/dotcloud/docker/pkg/system"

+	"log"

+	"os"

+	"path/filepath"

+	"syscall"

+)

+

+var (

+	// default mount point options

+	defaults = syscall.MS_NOEXEC | syscall.MS_NOSUID | syscall.MS_NODEV

+)

+

+func setupNewMountNamespace(rootfs, console string, readonly bool) error {

+	if err := system.Mount("", "/", "", syscall.MS_SLAVE|syscall.MS_REC, ""); err != nil {

+		return fmt.Errorf("mounting / as slave %s", err)

+	}

+

+	if err := system.Mount(rootfs, rootfs, "bind", syscall.MS_BIND|syscall.MS_REC, ""); err != nil {

+		return fmt.Errorf("mouting %s as bind %s", rootfs, err)

+	}

+

+	if readonly {

+		if err := system.Mount(rootfs, rootfs, "bind", syscall.MS_BIND|syscall.MS_REMOUNT|syscall.MS_RDONLY|syscall.MS_REC, ""); err != nil {

+			return fmt.Errorf("mounting %s as readonly %s", rootfs, err)

+		}

+	}

+

+	if err := mountSystem(rootfs); err != nil {

+		return fmt.Errorf("mount system %s", err)

+	}

+

+	if err := copyDevNodes(rootfs); err != nil {

+		return fmt.Errorf("copy dev nodes %s", err)

+	}

+

+	ptmx := filepath.Join(rootfs, "dev/ptmx")

+	if err := os.Remove(ptmx); err != nil && !os.IsNotExist(err) {

+		return err

+	}

+	if err := os.Symlink("pts/ptmx", ptmx); err != nil {

+		return fmt.Errorf("symlink dev ptmx %s", err)

+	}

+

+	if err := setupDev(rootfs); err != nil {

+		return err

+	}

+

+	if err := setupConsole(rootfs, console); err != nil {

+		return err

+	}

+

+	if err := system.Chdir(rootfs); err != nil {

+		return fmt.Errorf("chdir into %s %s", rootfs, err)

+	}

+

+	if err := system.Mount(rootfs, "/", "", syscall.MS_MOVE, ""); err != nil {

+		return fmt.Errorf("mount move %s into / %s", rootfs, err)

+	}

+

+	if err := system.Chroot("."); err != nil {

+		return fmt.Errorf("chroot . %s", err)

+	}

+

+	if err := system.Chdir("/"); err != nil {

+		return fmt.Errorf("chdir / %s", err)

+	}

+

+	system.Umask(0022)

+

+	return nil

+}

+

+func copyDevNodes(rootfs string) error {

+	oldMask := system.Umask(0000)

+	defer system.Umask(oldMask)

+

+	for _, node := range []string{

+		"null",

+		"zero",

+		"full",

+		"random",

+		"urandom",

+		"tty",

+	} {

+		stat, err := os.Stat(filepath.Join("/dev", node))

+		if err != nil {

+			return err

+		}

+

+		var (

+			dest = filepath.Join(rootfs, "dev", node)

+			st   = stat.Sys().(*syscall.Stat_t)

+		)

+

+		log.Printf("copy %s to %s %d\n", node, dest, st.Rdev)

+		if err := system.Mknod(dest, st.Mode, int(st.Rdev)); err != nil && !os.IsExist(err) {

+			return fmt.Errorf("copy %s %s", node, err)

+		}

+	}

+	return nil

+}

+

+func setupDev(rootfs string) error {

+	for _, link := range []struct {

+		from string

+		to   string

+	}{

+		{"/proc/kcore", "/dev/core"},

+		{"/proc/self/fd", "/dev/fd"},

+		{"/proc/self/fd/0", "/dev/stdin"},

+		{"/proc/self/fd/1", "/dev/stdout"},

+		{"/proc/self/fd/2", "/dev/stderr"},

+	} {

+		dest := filepath.Join(rootfs, link.to)

+		if err := os.Remove(dest); err != nil && !os.IsNotExist(err) {

+			return fmt.Errorf("remove %s %s", dest, err)

+		}

+		if err := os.Symlink(link.from, dest); err != nil {

+			return fmt.Errorf("symlink %s %s", dest, err)

+		}

+	}

+	return nil

+}

+

+func setupConsole(rootfs, console string) error {

+	oldMask := system.Umask(0000)

+	defer system.Umask(oldMask)

+

+	stat, err := os.Stat(console)

+	if err != nil {

+		return fmt.Errorf("stat console %s %s", console, err)

+	}

+	st := stat.Sys().(*syscall.Stat_t)

+

+	dest := filepath.Join(rootfs, "dev/console")

+	if err := os.Remove(dest); err != nil && !os.IsNotExist(err) {

+		return fmt.Errorf("remove %s %s", dest, err)

+	}

+

+	if err := os.Chmod(console, 0600); err != nil {

+		return err

+	}

+	if err := os.Chown(console, 0, 0); err != nil {

+		return err

+	}

+

+	if err := system.Mknod(dest, (st.Mode&^07777)|0600, int(st.Rdev)); err != nil {

+		return fmt.Errorf("mknod %s %s", dest, err)

+	}

+

+	if err := system.Mount(console, dest, "bind", syscall.MS_BIND, ""); err != nil {

+		return fmt.Errorf("bind %s to %s %s", console, dest, err)

+	}

+	return nil

+}

+

+// mountSystem sets up linux specific system mounts like sys, proc, shm, and devpts

+// inside the mount namespace

+func mountSystem(rootfs string) error {

+	for _, m := range []struct {

+		source string

+		path   string

+		device string

+		flags  int

+		data   string

+	}{

+		{source: "proc", path: filepath.Join(rootfs, "proc"), device: "proc", flags: defaults},

+		{source: "sysfs", path: filepath.Join(rootfs, "sys"), device: "sysfs", flags: defaults},

+		{source: "tmpfs", path: filepath.Join(rootfs, "dev"), device: "tmpfs", flags: syscall.MS_NOSUID | syscall.MS_STRICTATIME, data: "mode=755"},

+		{source: "shm", path: filepath.Join(rootfs, "dev", "shm"), device: "tmpfs", flags: defaults, data: "mode=1777"},

+		{source: "devpts", path: filepath.Join(rootfs, "dev", "pts"), device: "devpts", flags: syscall.MS_NOSUID | syscall.MS_NOEXEC, data: "newinstance,ptmxmode=0666,mode=620,gid=5"},

+		{source: "tmpfs", path: filepath.Join(rootfs, "run"), device: "tmpfs", flags: syscall.MS_NOSUID | syscall.MS_NODEV | syscall.MS_STRICTATIME, data: "mode=755"},

+	} {

+		if err := os.MkdirAll(m.path, 0755); err != nil && !os.IsExist(err) {

+			return fmt.Errorf("mkdirall %s %s", m.path, err)

+		}

+		if err := system.Mount(m.source, m.path, m.device, uintptr(m.flags), m.data); err != nil {

+			return fmt.Errorf("mounting %s into %s %s", m.source, m.path, err)

+		}

+	}

+	return nil

+}

+

+func remountProc() error {

+	if err := system.Unmount("/proc", syscall.MNT_DETACH); err != nil {

+		return err

+	}

+	if err := system.Mount("proc", "/proc", "proc", uintptr(defaults), ""); err != nil {

+		return err

+	}

+	return nil

+}

+

+func remountSys() error {

+	if err := system.Unmount("/sys", syscall.MNT_DETACH); err != nil {

+		if err != syscall.EINVAL {

+			return err

+		}

+	} else {

+		if err := system.Mount("sysfs", "/sys", "sysfs", uintptr(defaults), ""); err != nil {

+			return err

+		}

+	}

+	return nil

+}

@@ -7,7 +7,6 @@ import (

 	"path/filepath"

 	"strconv"

 	"strings"

-	"syscall"

 )

 func addEnvIfNotSet(container *libcontainer.Container, key, value string) {

@@ -26,31 +25,6 @@ func addEnvIfNotSet(container *libcontainer.Container, key, value string) {

 	container.Command.Env = append(container.Command.Env, jv)

 }

-// getNsFds inspects the container's namespace configuration and opens the fds to

-// each of the namespaces.

-func getNsFds(container *libcontainer.Container) ([]uintptr, error) {

-	var (

-		namespaces = []string{}

-		fds        = []uintptr{}

-	)

-

-	for _, ns := range container.Namespaces {

-		namespaces = append(namespaces, namespaceFileMap[ns])

-	}

-

-	for _, ns := range namespaces {

-		fd, err := getNsFd(container.NsPid, ns)

-		if err != nil {

-			for _, fd = range fds {

-				syscall.Close(int(fd))

-			}

-			return nil, err

-		}

-		fds = append(fds, fd)

-	}

-	return fds, nil

-}

-

 // getNsFd returns the fd for a specific pid and namespace option

 func getNsFd(pid int, ns string) (uintptr, error) {

 	nspath := filepath.Join("/proc", strconv.Itoa(pid), "ns", ns)