Merge release-20210208.0-79-g19fe3a2bf (automated)

3 files changed, 11 insertions, 11 deletions

diff --git a/runsc/boot/controller.go b/runsc/boot/controller.go
index cb5d8ea31..5e849cb37 100644
--- a/runsc/boot/controller.go
+++ b/runsc/boot/controller.go
@@ -547,7 +547,8 @@ type SignalArgs struct {
 	// Signo is the signal to send to the process.
 	Signo int32
 
-	// PID is the process ID in the given container that will be signaled.
+	// PID is the process ID in the given container that will be signaled,
+	// relative to the root PID namespace, not the container's.
 	// If 0, the root container will be signalled.
 	PID int32
 
diff --git a/runsc/boot/loader.go b/runsc/boot/loader.go
index a02eb2ec5..5afce232d 100644
--- a/runsc/boot/loader.go
+++ b/runsc/boot/loader.go
@@ -1171,7 +1171,8 @@ func (f *sandboxNetstackCreator) CreateStack() (inet.Stack, error) {
 // signal sends a signal to one or more processes in a container. If PID is 0,
 // then the container init process is used. Depending on the SignalDeliveryMode
 // option, the signal may be sent directly to the indicated process, to all
-// processes in the container, or to the foreground process group.
+// processes in the container, or to the foreground process group. pid is
+// relative to the root PID namespace, not the container's.
 func (l *Loader) signal(cid string, pid, signo int32, mode SignalDeliveryMode) error {
 	if pid < 0 {
 		return fmt.Errorf("PID (%d) must be positive", pid)
@@ -1208,6 +1209,8 @@ func (l *Loader) signal(cid string, pid, signo int32, mode SignalDeliveryMode) e
 	}
 }
 
+// signalProcess sends signal to process in the given container. tgid is
+// relative to the root PID namespace, not the container's.
 func (l *Loader) signalProcess(cid string, tgid kernel.ThreadID, signo int32) error {
 	execTG, err := l.threadGroupFromID(execID{cid: cid, pid: tgid})
 	if err == nil {
@@ -1216,18 +1219,14 @@ func (l *Loader) signalProcess(cid string, tgid kernel.ThreadID, signo int32) er
 	}
 
 	// The caller may be signaling a process not started directly via exec.
-	// In this case, find the process in the container's PID namespace and
-	// signal it.
-	initTG, err := l.threadGroupFromID(execID{cid: cid})
-	if err != nil {
-		return fmt.Errorf("no thread group found: %v", err)
-	}
-	tg := initTG.PIDNamespace().ThreadGroupWithID(tgid)
+	// In this case, find the process and check that the process belongs to the
+	// container in question.
+	tg := l.k.RootPIDNamespace().ThreadGroupWithID(tgid)
 	if tg == nil {
 		return fmt.Errorf("no such process with PID %d", tgid)
 	}
 	if tg.Leader().ContainerID() != cid {
-		return fmt.Errorf("process %d is part of a different container: %q", tgid, tg.Leader().ContainerID())
+		return fmt.Errorf("process %d belongs to a different container: %q", tgid, tg.Leader().ContainerID())
 	}
 	return l.k.SendExternalSignalThreadGroup(tg, &arch.SignalInfo{Signo: signo})
 }
diff --git a/runsc/cmd/kill.go b/runsc/cmd/kill.go
index aecf0b7ab..e0df39266 100644
--- a/runsc/cmd/kill.go
+++ b/runsc/cmd/kill.go
@@ -52,7 +52,7 @@ func (*Kill) Usage() string {
 // SetFlags implements subcommands.Command.SetFlags.
 func (k *Kill) SetFlags(f *flag.FlagSet) {
 	f.BoolVar(&k.all, "all", false, "send the specified signal to all processes inside the container")
-	f.IntVar(&k.pid, "pid", 0, "send the specified signal to a specific process")
+	f.IntVar(&k.pid, "pid", 0, "send the specified signal to a specific process. pid is relative to the root PID namespace")
 }
 
 // Execute implements subcommands.Command.Execute.