diff options
| author | Fabricio Voznika <fvoznika@google.com> | 2021-02-22 09:31:32 -0800 |
|---|---|---|
| committer | gVisor bot <gvisor-bot@google.com> | 2021-02-22 09:33:46 -0800 |
| commit | 19fe3a2bfb72622c307311dc61019238896a756b (patch) | |
| tree | f2c46a08217feb8cc4d9274ef912342c665d6a29 /runsc/boot | |
| parent | 93fc09248a2fa8b840d8ce47800414980d74bdb0 (diff) | |
Fix `runsc kill --pid`
Previously, loader.signalProcess was inconsitently using both root and
container's PID namespace to find the process. It used root namespace
for the exec'd process and container's PID namespace for other processes.
This fixes the code to use the root PID namespace across the board, which
is the same PID reported in `runsc ps` (or soon will after
https://github.com/google/gvisor/pull/5519).
PiperOrigin-RevId: 358836297
Diffstat (limited to 'runsc/boot')
| -rw-r--r-- | runsc/boot/controller.go | 3 | ||||
| -rw-r--r-- | runsc/boot/loader.go | 17 |
2 files changed, 10 insertions, 10 deletions
diff --git a/runsc/boot/controller.go b/runsc/boot/controller.go index cb5d8ea31..5e849cb37 100644 --- a/runsc/boot/controller.go +++ b/runsc/boot/controller.go @@ -547,7 +547,8 @@ type SignalArgs struct { // Signo is the signal to send to the process. Signo int32 - // PID is the process ID in the given container that will be signaled. + // PID is the process ID in the given container that will be signaled, + // relative to the root PID namespace, not the container's. // If 0, the root container will be signalled. PID int32 diff --git a/runsc/boot/loader.go b/runsc/boot/loader.go index a02eb2ec5..5afce232d 100644 --- a/runsc/boot/loader.go +++ b/runsc/boot/loader.go @@ -1171,7 +1171,8 @@ func (f *sandboxNetstackCreator) CreateStack() (inet.Stack, error) { // signal sends a signal to one or more processes in a container. If PID is 0, // then the container init process is used. Depending on the SignalDeliveryMode // option, the signal may be sent directly to the indicated process, to all -// processes in the container, or to the foreground process group. +// processes in the container, or to the foreground process group. pid is +// relative to the root PID namespace, not the container's. func (l *Loader) signal(cid string, pid, signo int32, mode SignalDeliveryMode) error { if pid < 0 { return fmt.Errorf("PID (%d) must be positive", pid) @@ -1208,6 +1209,8 @@ func (l *Loader) signal(cid string, pid, signo int32, mode SignalDeliveryMode) e } } +// signalProcess sends signal to process in the given container. tgid is +// relative to the root PID namespace, not the container's. func (l *Loader) signalProcess(cid string, tgid kernel.ThreadID, signo int32) error { execTG, err := l.threadGroupFromID(execID{cid: cid, pid: tgid}) if err == nil { @@ -1216,18 +1219,14 @@ func (l *Loader) signalProcess(cid string, tgid kernel.ThreadID, signo int32) er } // The caller may be signaling a process not started directly via exec. - // In this case, find the process in the container's PID namespace and - // signal it. - initTG, err := l.threadGroupFromID(execID{cid: cid}) - if err != nil { - return fmt.Errorf("no thread group found: %v", err) - } - tg := initTG.PIDNamespace().ThreadGroupWithID(tgid) + // In this case, find the process and check that the process belongs to the + // container in question. + tg := l.k.RootPIDNamespace().ThreadGroupWithID(tgid) if tg == nil { return fmt.Errorf("no such process with PID %d", tgid) } if tg.Leader().ContainerID() != cid { - return fmt.Errorf("process %d is part of a different container: %q", tgid, tg.Leader().ContainerID()) + return fmt.Errorf("process %d belongs to a different container: %q", tgid, tg.Leader().ContainerID()) } return l.k.SendExternalSignalThreadGroup(tg, &arch.SignalInfo{Signo: signo}) } |