Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix runc kill and runc delete for containers with no init and no private PID namespace #4102

Merged
merged 8 commits into from
Nov 28, 2023
Merged

Fix runc kill and runc delete for containers with no init and no private PID namespace #4102

Changes from 1 commit
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
d9f2a24
libct: replace runType with hasInit
kolyshkin Oct 2, 2023
542cce0
libct: Signal: slight refactor
kolyshkin Oct 31, 2023
dcf1b73
runc kill: fix sending KILL to non-pidns container
kolyshkin Oct 31, 2023
29283bb
runc delete -f: fix for no pidns + no init case
kolyshkin Nov 4, 2023
d3d7f7d
libct/cg: improve cgroup removal logic
kolyshkin Nov 9, 2023
7396ca9
runc delete: do not ignore error from destroy
kolyshkin Nov 6, 2023
ab3cd8d
runc delete, container.Destroy: kill all processes
kolyshkin Nov 6, 2023
a6f4081
libct: Destroy: don't proceed in case of errors
kolyshkin Nov 13, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
15 changes: 6 additions & 9 deletions libcontainer/container_linux.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -364,14 +364,8 @@ func (c *Container) start(process *Process) (retErr error) {
func (c *Container) Signal(s os.Signal) error {
c.m.Lock()
defer c.m.Unlock()
status, err := c.currentStatus()
if err != nil {
return err
}
// To avoid a PID reuse attack, don't kill non-running container.
switch status {
case Running, Created, Paused:
default:
if !c.hasInit() {
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This seems also changed the logic about the container status?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you have some problems when you using runc, feel free to open an issue.

return ErrNotRunning
}

Expand All @@ -382,6 +376,7 @@ func (c *Container) Signal(s os.Signal) error {
//
// OTOH, if PID namespace is shared, we should kill all pids to avoid
// leftover processes.
var err error
if s == unix.SIGKILL && !c.config.Namespaces.IsPrivate(configs.NEWPID) {
err = signalAllProcesses(c.cgroupManager, unix.SIGKILL)
} else {
Expand All @@ -390,11 +385,13 @@ func (c *Container) Signal(s os.Signal) error {
if err != nil {
return fmt.Errorf("unable to signal init: %w", err)
}
if status == Paused && s == unix.SIGKILL {
if s == unix.SIGKILL {
// For cgroup v1, killing a process in a frozen cgroup
// does nothing until it's thawed. Only thaw the cgroup
// for SIGKILL.
_ = c.cgroupManager.Freeze(configs.Thawed)
if paused, _ := c.isPaused(); paused {
_ = c.cgroupManager.Freeze(configs.Thawed)
}
}
return nil
}
Expand Down