author | Fabricio Voznika <fvoznika@google.com> | 2019-01-09 09:17:04 -0800 |
---|---|---|
committer | Shentubot <shentubot@google.com> | 2019-01-09 09:18:15 -0800 |
commit | 0d7023d581612e1670ef36490a827e46968d6d08 (patch) | |
tree | 553a72196b31b749cb4bdf115d7ad64c1e17ec59 /runsc/sandbox | |
parent | dd761c170cc2d44eee20757a6088f80a9322342c (diff) |
Restore to original cgroup after sandbox and gofer processes are created
The original code assumed that it was safe to join and not restore cgroup,
but Container.Run will not exit after calling start, making cgroup cleanup
fail because there were still processes inside the cgroup.
PiperOrigin-RevId: 228529199
Change-Id: I12a48d9adab4bbb02f20d71ec99598c336cbfe51
Diffstat (limited to 'runsc/sandbox')
-rw-r--r-- | runsc/sandbox/sandbox.go | 37 |
1 files changed, 6 insertions, 31 deletions
diff --git a/runsc/sandbox/sandbox.go b/runsc/sandbox/sandbox.go
index d84995d04..9e95a11b4 100644
--- a/runsc/sandbox/sandbox.go
+++ b/runsc/sandbox/sandbox.go
@@ -64,32 +64,15 @@ type Sandbox struct {
 Cgroup *cgroup.Cgroup `json:"cgroup"`
 }
 
-// Create creates the sandbox process. The caller must call Destroy() on the
-// sandbox. If spec specified a cgroup, the current process will have joined
-// the cgroup upon return.
-func Create(id string, spec *specs.Spec, conf *boot.Config, bundleDir, consoleSocket, userLog string, ioFiles []*os.File) (*Sandbox, error) {
- s := &Sandbox{ID: id}
- // The Cleanup object cleans up partially created sandboxes when an error occurs.
- // Any errors occurring during cleanup itself are ignored.
+// New creates the sandbox process. The caller must call Destroy() on the
+// sandbox.
+func New(id string, spec *specs.Spec, conf *boot.Config, bundleDir, consoleSocket, userLog string, ioFiles []*os.File, cg *cgroup.Cgroup) (*Sandbox, error) {
+ s := &Sandbox{ID: id, Cgroup: cg}
+ // The Cleanup object cleans up partially created sandboxes when an error
+ // occurs. Any errors occurring during cleanup itself are ignored.
 c := specutils.MakeCleanup(func() { _ = s.destroy() })
 defer c.Clean()
 
- if cg, ok := cgroup.New(spec); ok {
- s.Cgroup = cg
-
- // If there is cgroup config, install it before creating sandbox process.
- if err := s.Cgroup.Install(spec.Linux.Resources); err != nil {
- return nil, fmt.Errorf("configuring cgroup: %v", err)
- }
-
- // Make this process join the cgroup to ensure the sandbox (and all its
- // children processes) are part of the cgroup from the start. Don't bother
- // moving out because the caller is about to exit anyways.
- if err := cg.Join(); err != nil {
- return nil, fmt.Errorf("joining cgroup: %v", err)
- }
- }
-
 // Create pipe to synchronize when sandbox process has been booted.
 fds := make([]int, 2)
 if err := syscall.Pipe(fds); err != nil {
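Review bot: The doc comment on `New` does not describe the new `cg` parameter, even though the install and join steps that used to live in this function were removed and are now the caller's responsibility. As visible in the hunk, `s.Cgroup` is set from `cg` before the cleanup is registered, so on an error path `s.destroy()` runs against a cgroup the caller created; whether destroy() uninstalls it is not visible here, and the caller may still be joined to it at that point. I would state the contract in the comment, for example `// cg may be nil. If set, the caller must have installed and joined it before calling New so the sandbox process starts inside the cgroup.`, assuming nil is still the no-cgroup case, as the `s.Cgroup != nil` check in the removed AddGoferToCgroup suggests. The body of `New` continues past the end of the hunk.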
@@ -871,14 +854,6 @@ func (s *Sandbox) waitForStopped() error {
 return backoff.Retry(op, b)
 }
 
-// AddGoferToCgroup adds the gofer process to the sandbox's cgroup.
-func (s *Sandbox) AddGoferToCgroup(pid int) error {
- if s.Cgroup != nil {
- return s.Cgroup.Add(pid)
- }
- return nil
-}
-
 // deviceFileForPlatform opens the device file for the given platform. If the
 // platform does not need a device file, then nil is returned.
 func deviceFileForPlatform(p boot.PlatformType) (*os.File, error) {
|