diff options
| author | Michael Pratt <mpratt@google.com> | 2020-06-18 14:29:39 -0400 |
|---|---|---|
| committer | Michael Pratt <mpratt@google.com> | 2020-07-15 15:15:11 -0400 |
| commit | 1481673178494def3dd335ff240c8cd9219374ce (patch) | |
| tree | 185ee6349dbb3d7327913229aed4ca9fa74cc80d /runsc/container | |
| parent | 3970c127434817304f67a2ad192cbe8094ad3353 (diff) | |
Apply pdeathsig to gofer for runsc run/do
Much like the boot process, apply pdeathsig to the gofer for cases where
the sandbox lifecycle is attached to the parent (runsc run/do).
This isn't strictly necessary, as the gofer normally exits once the
sentry disappears, but this makes that extra reliable.
Diffstat (limited to 'runsc/container')
| -rw-r--r-- | runsc/container/container.go | 14 |
1 files changed, 11 insertions, 3 deletions
diff --git a/runsc/container/container.go b/runsc/container/container.go index 6d297d0df..7ad09bf23 100644 --- a/runsc/container/container.go +++ b/runsc/container/container.go @@ -324,7 +324,7 @@ func New(conf *boot.Config, args Args) (*Container, error) { } } if err := runInCgroup(cg, func() error { - ioFiles, specFile, err := c.createGoferProcess(args.Spec, conf, args.BundleDir) + ioFiles, specFile, err := c.createGoferProcess(args.Spec, conf, args.BundleDir, args.Attached) if err != nil { return err } @@ -427,7 +427,7 @@ func (c *Container) Start(conf *boot.Config) error { // the start (and all their children processes). if err := runInCgroup(c.Sandbox.Cgroup, func() error { // Create the gofer process. - ioFiles, mountsFile, err := c.createGoferProcess(c.Spec, conf, c.BundleDir) + ioFiles, mountsFile, err := c.createGoferProcess(c.Spec, conf, c.BundleDir, false) if err != nil { return err } @@ -861,7 +861,7 @@ func (c *Container) waitForStopped() error { return backoff.Retry(op, b) } -func (c *Container) createGoferProcess(spec *specs.Spec, conf *boot.Config, bundleDir string) ([]*os.File, *os.File, error) { +func (c *Container) createGoferProcess(spec *specs.Spec, conf *boot.Config, bundleDir string, attached bool) ([]*os.File, *os.File, error) { // Start with the general config flags. args := conf.ToFlags() @@ -955,6 +955,14 @@ func (c *Container) createGoferProcess(spec *specs.Spec, conf *boot.Config, bund cmd.ExtraFiles = goferEnds cmd.Args[0] = "runsc-gofer" + if attached { + // The gofer is attached to the lifetime of this process, so it + // should synchronously die when this process dies. + cmd.SysProcAttr = &syscall.SysProcAttr{ + Pdeathsig: syscall.SIGKILL, + } + } + // Enter new namespaces to isolate from the rest of the system. Don't unshare // cgroup because gofer is added to a cgroup in the caller's namespace. nss := []specs.LinuxNamespace{ |