RFC: treat host pidns container with no init process as running if some processes exist in cgroup

[kolyshkin]

Description

Currently, runc checks the existence of init process inside a container to figure out whether the container is running or not. This is a correct thing to do for a container having its own PID namespace.

Yet, for the container which does not have its own pid namespace (i.e. it shares pidns with the host or possibly another container), merely checking that init is there is not a good way to say whether the container is running or not. In fact, init might be already killed or exited, and other container processes remain.

Since #3132 is fixed, for a no-pidns container we can instead say that the container is running if its cgroup has some processes running. While at it, it might make sense to disallow creating containers with shared or no cgroup and no pidns.

References:

• Issue HostPID Pod Container Cgroup path was residual after container restarts #4040
• Issue regression: can't kill and delete the container with shared(host) pid ns when the init process has dead #4047
• Discussions in Fix a regression when killing and deleting a container with shared(host) pid namespace #4048

[lifubang]

👍 Maybe we also need to update the descriptions about ‘stopped’ in runtime-spec.
https://github.com/opencontainers/runtime-spec/blob/main/runtime.md?plain=1#L22

[kolyshkin]

OTOH all this is just for shared pidns containers, so maybe we can do something else. Frankly, I dunno

[fuweid]

for a no-pidns container we can instead say that the container is running if its cgroup has some processes running.

I think we can still consider the container as stopped. But the runc kill should always send the signal to all the processes in the cgroup if the cgroup is still here. Otherwise, the runc delete will fail.

[kolyshkin]

This is a very rare corner case, so yes, let's assume the container as stopped if it has no initial process running. Things were working this way and there's no need to change it.