Merge pull request containerd#1460 from mlaventure/pid-host-kill-init

mlaventure · web-flow · commit b4cc42d02820 · 2017-09-01T15:17:40.000-07:00
Ensure all init children are dead when it exits
diff --git a/container_linux_test.go b/container_linux_test.go
@@ -896,3 +896,79 @@ func TestContainerRuntimeOptions(t *testing.T) {
 		t.Errorf("task creation should have failed because of lack of executable. Instead failed with: %v", err.Error())
 	}
 }
+
+func TestContainerKillInitPidHost(t *testing.T) {
+	client, err := newClient(t, address)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer client.Close()
+
+	var (
+		image       Image
+		ctx, cancel = testContext()
+		id          = t.Name()
+	)
+	defer cancel()
+
+	image, err = client.GetImage(ctx, testImage)
+	if err != nil {
+		t.Error(err)
+		return
+	}
+
+	container, err := client.NewContainer(ctx, id,
+		withNewSnapshot(id, image),
+		WithNewSpec(withImageConfig(image),
+			withProcessArgs("sh", "-c", "sleep 42; echo hi"),
+			WithHostNamespace(specs.PIDNamespace),
+		),
+	)
+	if err != nil {
+		t.Error(err)
+		return
+	}
+	defer container.Delete(ctx, WithSnapshotCleanup)
+
+	stdout := bytes.NewBuffer(nil)
+	task, err := container.NewTask(ctx, NewIO(bytes.NewBuffer(nil), stdout, bytes.NewBuffer(nil)))
+	if err != nil {
+		t.Error(err)
+		return
+	}
+	defer task.Delete(ctx)
+
+	statusC, err := task.Wait(ctx)
+	if err != nil {
+		t.Error(err)
+		return
+	}
+
+	if err := task.Start(ctx); err != nil {
+		t.Error(err)
+		return
+	}
+
+	if err := task.Kill(ctx, syscall.SIGKILL); err != nil {
+		t.Error(err)
+	}
+
+	// Give the shim time to reap the init process and kill the orphans
+	select {
+	case <-statusC:
+	case <-time.After(100 * time.Millisecond):
+	}
+
+	b, err := exec.Command("ps", "ax").CombinedOutput()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if strings.Contains(string(b), "sleep 42") {
+		t.Fatalf("killing init didn't kill all its children:\n%v", string(b))
+	}
+
+	if _, err := task.Delete(ctx, WithProcessKill); err != nil {
+		t.Error(err)
+	}
+}
diff --git a/linux/runtime.go b/linux/runtime.go
@@ -367,7 +367,10 @@ func (r *Runtime) loadTasks(ctx context.Context, ns string) ([]*Task, error) {
 func (r *Runtime) cleanupAfterDeadShim(ctx context.Context, bundle *bundle, ns, id string, pid int, ec chan runc.Exit) error {
 	ctx = namespaces.WithNamespace(ctx, ns)
 	if err := r.terminate(ctx, bundle, ns, id); err != nil {
-		return errors.New("failed to terminate task, leaving bundle for debugging")
+		if r.config.ShimDebug {
+			return errors.Wrap(err, "failed to terminate task, leaving bundle for debugging")
+		}
+		log.G(ctx).WithError(err).Warn("failed to terminate task")
 	}
 
 	if ec != nil {
diff --git a/linux/shim/service.go b/linux/shim/service.go
@@ -393,6 +393,14 @@ func (s *Service) checkProcesses(e runc.Exit) {
 	defer s.mu.Unlock()
 	for _, p := range s.processes {
 		if p.Pid() == e.Pid {
+			if ip, ok := p.(*initProcess); ok {
+				// Ensure all children are killed
+				if err := ip.killAll(s.context); err != nil {
+					log.G(s.context).WithError(err).WithField("id", ip.ID()).
+						Error("failed to kill init's children")
+				}
+			}
+
 			p.SetExited(e.Status)
 			s.events <- &eventsapi.TaskExit{
 				ContainerID: s.id,
diff --git a/reaper/reaper.go b/reaper/reaper.go
@@ -3,7 +3,6 @@
 package reaper
 
 import (
-	"bytes"
 	"os/exec"
 	"sync"
 	"time"
@@ -47,23 +46,6 @@ type Monitor struct {
 	subscribers map[chan runc.Exit]struct{}
 }
 
-func (m *Monitor) Output(c *exec.Cmd) ([]byte, error) {
-	var b bytes.Buffer
-	c.Stdout = &b
-	if err := m.Run(c); err != nil {
-		return nil, err
-	}
-	return b.Bytes(), nil
-}
-
-func (m *Monitor) CombinedOutput(c *exec.Cmd) ([]byte, error) {
-	var b bytes.Buffer
-	c.Stdout = &b
-	c.Stderr = &b
-	err := m.Run(c)
-	return b.Bytes(), err
-}
-
 // Start starts the command a registers the process with the reaper
 func (m *Monitor) Start(c *exec.Cmd) (chan runc.Exit, error) {
 	ec := m.Subscribe()
@@ -74,16 +56,9 @@ func (m *Monitor) Start(c *exec.Cmd) (chan runc.Exit, error) {
 	return ec, nil
 }
 
-// Run runs and waits for the command to finish
-func (m *Monitor) Run(c *exec.Cmd) error {
-	ec, err := m.Start(c)
-	if err != nil {
-		return err
-	}
-	_, err = m.Wait(c, ec)
-	return err
-}
-
+// Wait blocks until a process is signal as dead.
+// User should rely on the value of the exit status to determine if the
+// command was successful or not.
 func (m *Monitor) Wait(c *exec.Cmd, ec chan runc.Exit) (int, error) {
 	for e := range ec {
 		if e.Pid == c.Process.Pid {
diff --git a/vendor.conf b/vendor.conf
@@ -1,5 +1,5 @@
 github.com/coreos/go-systemd 48702e0da86bd25e76cfef347e2adeb434a0d0a6
-github.com/containerd/go-runc e103f453ff3db23ec69d31371cadc1ea0ce87ec0
+github.com/containerd/go-runc ba22f6a82e52be3be4eb4a00000fe816f4b41c2e
 github.com/containerd/console 76d18fd1d66972718ab2284449591db0b3cdb4de
 github.com/containerd/cgroups e6d1aa8c71c6103624b2c6e6f4be0863b67027f1
 github.com/docker/go-metrics 8fd5772bf1584597834c6f7961a530f06cbfbb87
diff --git a/vendor/github.com/containerd/go-runc/monitor.go b/vendor/github.com/containerd/go-runc/monitor.go
diff --git a/vendor/github.com/containerd/go-runc/runc.go b/vendor/github.com/containerd/go-runc/runc.go
