7 files changed, 293 insertions, 206 deletions

diff --git a/pkg/shim/proc/BUILD b/pkg/shim/proc/BUILD
index 544bdc170..c8527a6d9 100644
--- a/pkg/shim/proc/BUILD
+++ b/pkg/shim/proc/BUILD
@@ -20,7 +20,9 @@ go_library(
         "//shim:__subpackages__",
     ],
     deps = [
+        "//pkg/cleanup",
         "//pkg/shim/runsc",
+        "//pkg/shim/utils",
         "@com_github_containerd_console//:go_default_library",
         "@com_github_containerd_containerd//errdefs:go_default_library",
         "@com_github_containerd_containerd//log:go_default_library",
diff --git a/pkg/shim/proc/deleted_state.go b/pkg/shim/proc/deleted_state.go
index d9b970c4d..b0bbe4d7e 100644
--- a/pkg/shim/proc/deleted_state.go
+++ b/pkg/shim/proc/deleted_state.go
@@ -22,28 +22,38 @@ import (
 	"github.com/containerd/console"
 	"github.com/containerd/containerd/errdefs"
 	"github.com/containerd/containerd/pkg/process"
+	runc "github.com/containerd/go-runc"
 )
 
 type deletedState struct{}
 
-func (*deletedState) Resize(ws console.WinSize) error {
-	return fmt.Errorf("cannot resize a deleted process.ss")
+func (*deletedState) Resize(console.WinSize) error {
+	return fmt.Errorf("cannot resize a deleted container/process")
 }
 
-func (*deletedState) Start(ctx context.Context) error {
-	return fmt.Errorf("cannot start a deleted process.ss")
+func (*deletedState) Start(context.Context) error {
+	return fmt.Errorf("cannot start a deleted container/process")
 }
 
-func (*deletedState) Delete(ctx context.Context) error {
-	return fmt.Errorf("cannot delete a deleted process.ss: %w", errdefs.ErrNotFound)
+func (*deletedState) Delete(context.Context) error {
+	return fmt.Errorf("cannot delete a deleted container/process: %w", errdefs.ErrNotFound)
 }
 
-func (*deletedState) Kill(ctx context.Context, sig uint32, all bool) error {
-	return fmt.Errorf("cannot kill a deleted process.ss: %w", errdefs.ErrNotFound)
+func (*deletedState) Kill(_ context.Context, signal uint32, _ bool) error {
+	return handleStoppedKill(signal)
 }
 
-func (*deletedState) SetExited(status int) {}
+func (*deletedState) SetExited(int) {}
 
-func (*deletedState) Exec(ctx context.Context, path string, r *ExecConfig) (process.Process, error) {
+func (*deletedState) Exec(context.Context, string, *ExecConfig) (process.Process, error) {
 	return nil, fmt.Errorf("cannot exec in a deleted state")
 }
+
+func (s *deletedState) State(context.Context) (string, error) {
+	// There is no "deleted" state, closest one is stopped.
+	return "stopped", nil
+}
+
+func (s *deletedState) Stats(context.Context, string) (*runc.Stats, error) {
+	return nil, fmt.Errorf("cannot stat a stopped container/process")
+}
diff --git a/pkg/shim/proc/exec.go b/pkg/shim/proc/exec.go
index e7968d9d5..e0f2ae6fa 100644
--- a/pkg/shim/proc/exec.go
+++ b/pkg/shim/proc/exec.go
@@ -26,11 +26,13 @@ import (
 
 	"github.com/containerd/console"
 	"github.com/containerd/containerd/errdefs"
+	"github.com/containerd/containerd/log"
 	"github.com/containerd/containerd/pkg/stdio"
 	"github.com/containerd/fifo"
 	runc "github.com/containerd/go-runc"
 	specs "github.com/opencontainers/runtime-spec/specs-go"
 	"golang.org/x/sys/unix"
+	"gvisor.dev/gvisor/pkg/cleanup"
 
 	"gvisor.dev/gvisor/pkg/shim/runsc"
 )
@@ -92,6 +94,12 @@ func (e *execProcess) SetExited(status int) {
 }
 
 func (e *execProcess) setExited(status int) {
+	if !e.exited.IsZero() {
+		log.L.Debugf("Exec: status already set to %d, ignoring status: %d", e.status, status)
+		return
+	}
+
+	log.L.Debugf("Exec: setting status: %d", status)
 	e.status = status
 	e.exited = time.Now()
 	e.parent.Platform.ShutdownConsole(context.Background(), e.console)
@@ -105,7 +113,7 @@ func (e *execProcess) Delete(ctx context.Context) error {
 	return e.execState.Delete(ctx)
 }
 
-func (e *execProcess) delete(ctx context.Context) error {
+func (e *execProcess) delete() error {
 	e.wg.Wait()
 	if e.io != nil {
 		for _, c := range e.closers {
@@ -113,12 +121,6 @@ func (e *execProcess) delete(ctx context.Context) error {
 		}
 		e.io.Close()
 	}
-	pidfile := filepath.Join(e.path, fmt.Sprintf("%s.pid", e.id))
-	// silently ignore error
-	os.Remove(pidfile)
-	internalPidfile := filepath.Join(e.path, fmt.Sprintf("%s-internal.pid", e.id))
-	// silently ignore error
-	os.Remove(internalPidfile)
 	return nil
 }
 
@@ -145,16 +147,13 @@ func (e *execProcess) Kill(ctx context.Context, sig uint32, _ bool) error {
 
 func (e *execProcess) kill(ctx context.Context, sig uint32, _ bool) error {
 	internalPid := e.internalPid
-	if internalPid != 0 {
-		if err := e.parent.runtime.Kill(ctx, e.parent.id, int(sig), &runsc.KillOpts{
-			Pid: internalPid,
-		}); err != nil {
-			// If this returns error, consider the process has
-			// already stopped.
-			//
-			// TODO: Fix after signal handling is fixed.
-			return fmt.Errorf("%s: %w", err.Error(), errdefs.ErrNotFound)
-		}
+	if internalPid == 0 {
+		return nil
+	}
+
+	opts := runsc.KillOpts{Pid: internalPid}
+	if err := e.parent.runtime.Kill(ctx, e.parent.id, int(sig), &opts); err != nil {
+		return fmt.Errorf("%s: %w", err.Error(), errdefs.ErrNotFound)
 	}
 	return nil
 }
@@ -174,42 +173,53 @@ func (e *execProcess) Start(ctx context.Context) error {
 	return e.execState.Start(ctx)
 }
 
-func (e *execProcess) start(ctx context.Context) (err error) {
-	var (
-		socket          *runc.Socket
-		pidfile         = filepath.Join(e.path, fmt.Sprintf("%s.pid", e.id))
-		internalPidfile = filepath.Join(e.path, fmt.Sprintf("%s-internal.pid", e.id))
-	)
-	if e.stdio.Terminal {
-		if socket, err = runc.NewTempConsoleSocket(); err != nil {
+func (e *execProcess) start(ctx context.Context) error {
+	var socket *runc.Socket
+
+	switch {
+	case e.stdio.Terminal:
+		s, err := runc.NewTempConsoleSocket()
+		if err != nil {
 			return fmt.Errorf("failed to create runc console socket: %w", err)
 		}
-		defer socket.Close()
-	} else if e.stdio.IsNull() {
-		if e.io, err = runc.NewNullIO(); err != nil {
+		defer s.Close()
+		socket = s
+
+	case e.stdio.IsNull():
+		io, err := runc.NewNullIO()
+		if err != nil {
 			return fmt.Errorf("creating new NULL IO: %w", err)
 		}
-	} else {
-		if e.io, err = runc.NewPipeIO(e.parent.IoUID, e.parent.IoGID, withConditionalIO(e.stdio)); err != nil {
+		e.io = io
+
+	default:
+		io, err := runc.NewPipeIO(e.parent.IoUID, e.parent.IoGID, withConditionalIO(e.stdio))
+		if err != nil {
 			return fmt.Errorf("failed to create runc io pipes: %w", err)
 		}
+		e.io = io
 	}
+
 	opts := &runsc.ExecOpts{
-		PidFile:         pidfile,
-		InternalPidFile: internalPidfile,
+		PidFile:         filepath.Join(e.path, fmt.Sprintf("%s.pid", e.id)),
+		InternalPidFile: filepath.Join(e.path, fmt.Sprintf("%s-internal.pid", e.id)),
 		IO:              e.io,
 		Detach:          true,
 	}
+	defer func() {
+		_ = os.Remove(opts.PidFile)
+		_ = os.Remove(opts.InternalPidFile)
+	}()
 	if socket != nil {
 		opts.ConsoleSocket = socket
 	}
+
 	eventCh := e.parent.Monitor.Subscribe()
-	defer func() {
-		// Unsubscribe if an error is returned.
-		if err != nil {
-			e.parent.Monitor.Unsubscribe(eventCh)
-		}
-	}()
+	cu := cleanup.Make(func() {
+		e.parent.Monitor.Unsubscribe(eventCh)
+	})
+	defer cu.Clean()
+
 	if err := e.parent.runtime.Exec(ctx, e.parent.id, e.spec, opts); err != nil {
 		close(e.waitBlock)
 		return e.parent.runtimeError(err, "OCI runtime exec failed")
@@ -237,6 +247,7 @@ func (e *execProcess) start(ctx context.Context) (err error) {
 			return fmt.Errorf("failed to start io pipe copy: %w", err)
 		}
 	}
+
 	pid, err := runc.ReadPidFile(opts.PidFile)
 	if err != nil {
 		return fmt.Errorf("failed to retrieve OCI runtime exec pid: %w", err)
@@ -247,6 +258,7 @@ func (e *execProcess) start(ctx context.Context) (err error) {
 		return fmt.Errorf("failed to retrieve OCI runtime exec internal pid: %w", err)
 	}
 	e.internalPid = internalPid
+
 	go func() {
 		defer e.parent.Monitor.Unsubscribe(eventCh)
 		for event := range eventCh {
@@ -260,21 +272,25 @@ func (e *execProcess) start(ctx context.Context) (err error) {
 			}
 		}
 	}()
+
+	cu.Release() // cancel cleanup on success.
 	return nil
 }
 
-func (e *execProcess) Status(ctx context.Context) (string, error) {
+func (e *execProcess) Status(context.Context) (string, error) {
 	e.mu.Lock()
 	defer e.mu.Unlock()
 	// if we don't have a pid then the exec process has just been created
 	if e.pid == 0 {
 		return "created", nil
 	}
-	// if we have a pid and it can be signaled, the process is running
-	// TODO(random-liu): Use `runsc kill --pid`.
-	if err := unix.Kill(e.pid, 0); err == nil {
-		return "running", nil
+	// This checks that `runsc exec` process is still running. This process has
+	// the same lifetime as the process executing inside the container. So instead
+	// of calling `runsc kill --pid`, just do a quick check that `runsc exec` is
+	// still running.
+	if err := unix.Kill(e.pid, 0); err != nil {
+		// Can't signal the process, it must have exited.
+		return "stopped", nil
 	}
-	// else if we have a pid but it can nolonger be signaled, it has stopped
-	return "stopped", nil
+	return "running", nil
 }
diff --git a/pkg/shim/proc/exec_state.go b/pkg/shim/proc/exec_state.go
index 4dcda8b44..8d8ecf541 100644
--- a/pkg/shim/proc/exec_state.go
+++ b/pkg/shim/proc/exec_state.go
@@ -34,18 +34,21 @@ type execCreatedState struct {
 	p *execProcess
 }
 
-func (s *execCreatedState) transition(name string) error {
-	switch name {
-	case "running":
+func (s *execCreatedState) name() string {
+	return "created"
+}
+
+func (s *execCreatedState) transition(transition stateTransition) {
+	switch transition {
+	case running:
 		s.p.execState = &execRunningState{p: s.p}
-	case "stopped":
+	case stopped:
 		s.p.execState = &execStoppedState{p: s.p}
-	case "deleted":
+	case deleted:
 		s.p.execState = &deletedState{}
 	default:
-		return fmt.Errorf("invalid state transition %q to %q", stateName(s), name)
+		panic(fmt.Sprintf("invalid state transition %q to %q", s.name(), transition))
 	}
-	return nil
 }
 
 func (s *execCreatedState) Resize(ws console.WinSize) error {
@@ -56,14 +59,16 @@ func (s *execCreatedState) Start(ctx context.Context) error {
 	if err := s.p.start(ctx); err != nil {
 		return err
 	}
-	return s.transition("running")
+	s.transition(running)
+	return nil
 }
 
-func (s *execCreatedState) Delete(ctx context.Context) error {
-	if err := s.p.delete(ctx); err != nil {
+func (s *execCreatedState) Delete(context.Context) error {
+	if err := s.p.delete(); err != nil {
 		return err
 	}
-	return s.transition("deleted")
+	s.transition(deleted)
+	return nil
 }
 
 func (s *execCreatedState) Kill(ctx context.Context, sig uint32, all bool) error {
@@ -72,35 +77,35 @@ func (s *execCreatedState) Kill(ctx context.Context, sig uint32, all bool) error
 
 func (s *execCreatedState) SetExited(status int) {
 	s.p.setExited(status)
-
-	if err := s.transition("stopped"); err != nil {
-		panic(err)
-	}
+	s.transition(stopped)
 }
 
 type execRunningState struct {
 	p *execProcess
 }
 
-func (s *execRunningState) transition(name string) error {
-	switch name {
-	case "stopped":
+func (s *execRunningState) name() string {
+	return "running"
+}
+
+func (s *execRunningState) transition(transition stateTransition) {
+	switch transition {
+	case stopped:
 		s.p.execState = &execStoppedState{p: s.p}
 	default:
-		return fmt.Errorf("invalid state transition %q to %q", stateName(s), name)
+		panic(fmt.Sprintf("invalid state transition %q to %q", s.name(), transition))
 	}
-	return nil
 }
 
 func (s *execRunningState) Resize(ws console.WinSize) error {
 	return s.p.resize(ws)
 }
 
-func (s *execRunningState) Start(ctx context.Context) error {
+func (s *execRunningState) Start(context.Context) error {
 	return fmt.Errorf("cannot start a running process")
 }
 
-func (s *execRunningState) Delete(ctx context.Context) error {
+func (s *execRunningState) Delete(context.Context) error {
 	return fmt.Errorf("cannot delete a running process")
 }
 
@@ -110,45 +115,46 @@ func (s *execRunningState) Kill(ctx context.Context, sig uint32, all bool) error
 
 func (s *execRunningState) SetExited(status int) {
 	s.p.setExited(status)
-
-	if err := s.transition("stopped"); err != nil {
-		panic(err)
-	}
+	s.transition(stopped)
 }
 
 type execStoppedState struct {
 	p *execProcess
 }
 
-func (s *execStoppedState) transition(name string) error {
-	switch name {
-	case "deleted":
+func (s *execStoppedState) name() string {
+	return "stopped"
+}
+
+func (s *execStoppedState) transition(transition stateTransition) {
+	switch transition {
+	case deleted:
 		s.p.execState = &deletedState{}
 	default:
-		return fmt.Errorf("invalid state transition %q to %q", stateName(s), name)
+		panic(fmt.Sprintf("invalid state transition %q to %q", s.name(), transition))
 	}
-	return nil
 }
 
-func (s *execStoppedState) Resize(ws console.WinSize) error {
+func (s *execStoppedState) Resize(console.WinSize) error {
 	return fmt.Errorf("cannot resize a stopped container")
 }
 
-func (s *execStoppedState) Start(ctx context.Context) error {
+func (s *execStoppedState) Start(context.Context) error {
 	return fmt.Errorf("cannot start a stopped process")
 }
 
-func (s *execStoppedState) Delete(ctx context.Context) error {
-	if err := s.p.delete(ctx); err != nil {
+func (s *execStoppedState) Delete(context.Context) error {
+	if err := s.p.delete(); err != nil {
 		return err
 	}
-	return s.transition("deleted")
+	s.transition(deleted)
+	return nil
 }
 
-func (s *execStoppedState) Kill(ctx context.Context, sig uint32, all bool) error {
-	return s.p.kill(ctx, sig, all)
+func (s *execStoppedState) Kill(_ context.Context, sig uint32, _ bool) error {
+	return handleStoppedKill(sig)
 }
 
-func (s *execStoppedState) SetExited(status int) {
+func (s *execStoppedState) SetExited(int) {
 	// no op
 }
diff --git a/pkg/shim/proc/init.go b/pkg/shim/proc/init.go
index 664465e0d..6bf090813 100644
--- a/pkg/shim/proc/init.go
+++ b/pkg/shim/proc/init.go
@@ -39,6 +39,8 @@ import (
 	"gvisor.dev/gvisor/pkg/shim/runsc"
 )
 
+const statusStopped = "stopped"
+
 // Init represents an initial process for a container.
 type Init struct {
 	wg        sync.WaitGroup
@@ -201,10 +203,15 @@ func (p *Init) ExitedAt() time.Time {
 func (p *Init) Status(ctx context.Context) (string, error) {
 	p.mu.Lock()
 	defer p.mu.Unlock()
+
+	return p.initState.State(ctx)
+}
+
+func (p *Init) state(ctx context.Context) (string, error) {
 	c, err := p.runtime.State(ctx, p.id)
 	if err != nil {
 		if strings.Contains(err.Error(), "does not exist") {
-			return "stopped", nil
+			return statusStopped, nil
 		}
 		return "", p.runtimeError(err, "OCI runtime state failed")
 	}
@@ -231,10 +238,7 @@ func (p *Init) start(ctx context.Context) error {
 		status, err := p.runtime.Wait(context.Background(), p.id)
 		if err != nil {
 			log.G(ctx).WithError(err).Errorf("Failed to wait for container %q", p.id)
-			// TODO(random-liu): Handle runsc kill error.
-			if err := p.killAll(ctx); err != nil {
-				log.G(ctx).WithError(err).Errorf("Failed to kill container %q", p.id)
-			}
+			p.killAllLocked(ctx)
 			status = internalErrorCode
 		}
 		ExitCh <- Exit{
@@ -255,6 +259,12 @@ func (p *Init) SetExited(status int) {
 }
 
 func (p *Init) setExited(status int) {
+	if !p.exited.IsZero() {
+		log.L.Debugf("Status already set to %d, ignoring status: %d", p.status, status)
+		return
+	}
+
+	log.L.Debugf("Setting status: %d", status)
 	p.exited = time.Now()
 	p.status = status
 	p.Platform.ShutdownConsole(context.Background(), p.console)
@@ -270,15 +280,16 @@ func (p *Init) Delete(ctx context.Context) error {
 }
 
 func (p *Init) delete(ctx context.Context) error {
-	p.killAll(ctx)
+	p.killAllLocked(ctx)
 	p.wg.Wait()
+
 	err := p.runtime.Delete(ctx, p.id, nil)
-	// ignore errors if a runtime has already deleted the process
-	// but we still hold metadata and pipes
-	//
-	// this is common during a checkpoint, runc will delete the container state
-	// after a checkpoint and the container will no longer exist within runc
 	if err != nil {
+		// ignore errors if a runtime has already deleted the process
+		// but we still hold metadata and pipes
+		//
+		// this is common during a checkpoint, runc will delete the container state
+		// after a checkpoint and the container will no longer exist within runc
 		if strings.Contains(err.Error(), "does not exist") {
 			err = nil
 		} else {
@@ -326,29 +337,24 @@ func (p *Init) Kill(ctx context.Context, signal uint32, all bool) error {
 	return p.initState.Kill(ctx, signal, all)
 }
 
-func (p *Init) kill(context context.Context, signal uint32, all bool) error {
+func (p *Init) kill(ctx context.Context, signal uint32, all bool) error {
 	var (
 		killErr error
 		backoff = 100 * time.Millisecond
 	)
-	timeout := 1 * time.Second
-	for start := time.Now(); time.Now().Sub(start) < timeout; {
-		c, err := p.runtime.State(context, p.id)
+	const timeout = time.Second
+	for start := time.Now(); time.Since(start) < timeout; {
+		state, err := p.initState.State(ctx)
 		if err != nil {
-			if strings.Contains(err.Error(), "does not exist") {
-				return fmt.Errorf("no such process: %w", errdefs.ErrNotFound)
-			}
 			return p.runtimeError(err, "OCI runtime state failed")
 		}
 		// For runsc, signal only works when container is running state.
 		// If the container is not in running state, directly return
 		// "no such process"
-		if p.convertStatus(c.Status) == "stopped" {
+		if state == statusStopped {
 			return fmt.Errorf("no such process: %w", errdefs.ErrNotFound)
 		}
-		killErr = p.runtime.Kill(context, p.id, int(signal), &runsc.KillOpts{
-			All: all,
-		})
+		killErr = p.runtime.Kill(ctx, p.id, int(signal), &runsc.KillOpts{All: all})
 		if killErr == nil {
 			return nil
 		}
@@ -358,22 +364,18 @@ func (p *Init) kill(context context.Context, signal uint32, all bool) error {
 	return p.runtimeError(killErr, "kill timeout")
 }
 
-// KillAll kills all processes belonging to the init process.
-func (p *Init) KillAll(context context.Context) error {
+// KillAll kills all processes belonging to the init process. If
+// `runsc kill --all` returns error, assume the container has already stopped.
+func (p *Init) KillAll(context context.Context) {
 	p.mu.Lock()
 	defer p.mu.Unlock()
-	return p.killAll(context)
+	p.killAllLocked(context)
 }
 
-func (p *Init) killAll(context context.Context) error {
-	p.runtime.Kill(context, p.id, int(unix.SIGKILL), &runsc.KillOpts{
-		All: true,
-	})
-	// Ignore error handling for `runsc kill --all` for now.
-	// * If it doesn't return error, it is good;
-	// * If it returns error, consider the container has already stopped.
-	// TODO: Fix `runsc kill --all` error handling.
-	return nil
+func (p *Init) killAllLocked(context context.Context) {
+	if err := p.runtime.Kill(context, p.id, int(unix.SIGKILL), &runsc.KillOpts{All: true}); err != nil {
+		log.L.Warningf("Ignoring error killing container %q: %v", p.id, err)
+	}
 }
 
 // Stdin returns the stdin of the process.
@@ -396,7 +398,6 @@ func (p *Init) Exec(ctx context.Context, path string, r *ExecConfig) (process.Pr
 
 // exec returns a new exec'd process.
 func (p *Init) exec(path string, r *ExecConfig) (process.Process, error) {
-	// process exec request
 	var spec specs.Process
 	if err := json.Unmarshal(r.Spec.Value, &spec); err != nil {
 		return nil, err
@@ -420,6 +421,17 @@ func (p *Init) exec(path string, r *ExecConfig) (process.Process, error) {
 	return e, nil
 }
 
+func (p *Init) Stats(ctx context.Context, id string) (*runc.Stats, error) {
+	p.mu.Lock()
+	defer p.mu.Unlock()
+
+	return p.initState.Stats(ctx, id)
+}
+
+func (p *Init) stats(ctx context.Context, id string) (*runc.Stats, error) {
+	return p.Runtime().Stats(ctx, id)
+}
+
 // Stdio returns the stdio of the process.
 func (p *Init) Stdio() stdio.Stdio {
 	return p.stdio
@@ -444,7 +456,7 @@ func (p *Init) runtimeError(rErr error, msg string) error {
 func (p *Init) convertStatus(status string) string {
 	if status == "created" && !p.Sandbox && p.status == internalErrorCode {
 		// Treat start failure state for non-root container as stopped.
-		return "stopped"
+		return statusStopped
 	}
 	return status
 }
diff --git a/pkg/shim/proc/init_state.go b/pkg/shim/proc/init_state.go
index 0065fc385..5347ddefe 100644
--- a/pkg/shim/proc/init_state.go
+++ b/pkg/shim/proc/init_state.go
@@ -19,16 +19,40 @@ import (
 	"context"
 	"fmt"
 
-	"github.com/containerd/console"
 	"github.com/containerd/containerd/errdefs"
 	"github.com/containerd/containerd/pkg/process"
+	runc "github.com/containerd/go-runc"
+	"golang.org/x/sys/unix"
+	"gvisor.dev/gvisor/pkg/shim/utils"
 )
 
+type stateTransition int
+
+const (
+	running stateTransition = iota
+	stopped
+	deleted
+)
+
+func (s stateTransition) String() string {
+	switch s {
+	case running:
+		return "running"
+	case stopped:
+		return "stopped"
+	case deleted:
+		return "deleted"
+	default:
+		panic(fmt.Sprintf("unknown state: %d", s))
+	}
+}
+
 type initState interface {
-	Resize(console.WinSize) error
 	Start(context.Context) error
 	Delete(context.Context) error
 	Exec(context.Context, string, *ExecConfig) (process.Process, error)
+	State(ctx context.Context) (string, error)
+	Stats(context.Context, string) (*runc.Stats, error)
 	Kill(context.Context, uint32, bool) error
 	SetExited(int)
 }
@@ -37,22 +61,21 @@ type createdState struct {
 	p *Init
 }
 
-func (s *createdState) transition(name string) error {
-	switch name {
-	case "running":
+func (s *createdState) name() string {
+	return "created"
+}
+
+func (s *createdState) transition(transition stateTransition) {
+	switch transition {
+	case running:
 		s.p.initState = &runningState{p: s.p}
-	case "stopped":
-		s.p.initState = &stoppedState{p: s.p}
-	case "deleted":
+	case stopped:
+		s.p.initState = &stoppedState{process: s.p}
+	case deleted:
 		s.p.initState = &deletedState{}
 	default:
-		return fmt.Errorf("invalid state transition %q to %q", stateName(s), name)
+		panic(fmt.Sprintf("invalid state transition %q to %q", s.name(), transition))
 	}
-	return nil
-}
-
-func (s *createdState) Resize(ws console.WinSize) error {
-	return s.p.resize(ws)
 }
 
 func (s *createdState) Start(ctx context.Context) error {
@@ -66,20 +89,20 @@ func (s *createdState) Start(ctx context.Context) error {
 		if !s.p.Sandbox {
 			s.p.io.Close()
 			s.p.setExited(internalErrorCode)
-			if err := s.transition("stopped"); err != nil {
-				panic(err)
-			}
+			s.transition(stopped)
 		}
 		return err
 	}
-	return s.transition("running")
+	s.transition(running)
+	return nil
 }
 
 func (s *createdState) Delete(ctx context.Context) error {
 	if err := s.p.delete(ctx); err != nil {
 		return err
 	}
-	return s.transition("deleted")
+	s.transition(deleted)
+	return nil
 }
 
 func (s *createdState) Kill(ctx context.Context, sig uint32, all bool) error {
@@ -88,40 +111,48 @@ func (s *createdState) Kill(ctx context.Context, sig uint32, all bool) error {
 
 func (s *createdState) SetExited(status int) {
 	s.p.setExited(status)
-
-	if err := s.transition("stopped"); err != nil {
-		panic(err)
-	}
+	s.transition(stopped)
 }
 
 func (s *createdState) Exec(ctx context.Context, path string, r *ExecConfig) (process.Process, error) {
 	return s.p.exec(path, r)
 }
 
+func (s *createdState) State(ctx context.Context) (string, error) {
+	state, err := s.p.state(ctx)
+	if err == nil && state == statusStopped {
+		s.transition(stopped)
+	}
+	return state, err
+}
+
+func (s *createdState) Stats(ctx context.Context, id string) (*runc.Stats, error) {
+	return s.p.stats(ctx, id)
+}
+
 type runningState struct {
 	p *Init
 }
 
-func (s *runningState) transition(name string) error {
-	switch name {
-	case "stopped":
-		s.p.initState = &stoppedState{p: s.p}
-	default:
-		return fmt.Errorf("invalid state transition %q to %q", stateName(s), name)
-	}
-	return nil
+func (s *runningState) name() string {
+	return "running"
 }
 
-func (s *runningState) Resize(ws console.WinSize) error {
-	return s.p.resize(ws)
+func (s *runningState) transition(transition stateTransition) {
+	switch transition {
+	case stopped:
+		s.p.initState = &stoppedState{process: s.p}
+	default:
+		panic(fmt.Sprintf("invalid state transition %q to %q", s.name(), transition))
+	}
 }
 
 func (s *runningState) Start(ctx context.Context) error {
-	return fmt.Errorf("cannot start a running process.ss")
+	return fmt.Errorf("cannot start a running container")
 }
 
 func (s *runningState) Delete(ctx context.Context) error {
-	return fmt.Errorf("cannot delete a running process.ss")
+	return fmt.Errorf("cannot delete a running container")
 }
 
 func (s *runningState) Kill(ctx context.Context, sig uint32, all bool) error {
@@ -130,53 +161,81 @@ func (s *runningState) Kill(ctx context.Context, sig uint32, all bool) error {
 
 func (s *runningState) SetExited(status int) {
 	s.p.setExited(status)
+	s.transition(stopped)
+}
+
+func (s *runningState) Exec(_ context.Context, path string, r *ExecConfig) (process.Process, error) {
+	return s.p.exec(path, r)
+}
 
-	if err := s.transition("stopped"); err != nil {
-		panic(err)
+func (s *runningState) State(ctx context.Context) (string, error) {
+	state, err := s.p.state(ctx)
+	if err == nil && state == "stopped" {
+		s.transition(stopped)
 	}
+	return state, err
 }
 
-func (s *runningState) Exec(ctx context.Context, path string, r *ExecConfig) (process.Process, error) {
-	return s.p.exec(path, r)
+func (s *runningState) Stats(ctx context.Context, id string) (*runc.Stats, error) {
+	return s.p.stats(ctx, id)
 }
 
 type stoppedState struct {
-	p *Init
+	process *Init
 }
 
-func (s *stoppedState) transition(name string) error {
-	switch name {
-	case "deleted":
-		s.p.initState = &deletedState{}
-	default:
-		return fmt.Errorf("invalid state transition %q to %q", stateName(s), name)
-	}
-	return nil
+func (s *stoppedState) name() string {
+	return "stopped"
 }
 
-func (s *stoppedState) Resize(ws console.WinSize) error {
-	return fmt.Errorf("cannot resize a stopped container")
+func (s *stoppedState) transition(transition stateTransition) {
+	switch transition {
+	case deleted:
+		s.process.initState = &deletedState{}
+	default:
+		panic(fmt.Sprintf("invalid state transition %q to %q", s.name(), transition))
+	}
 }
 
-func (s *stoppedState) Start(ctx context.Context) error {
-	return fmt.Errorf("cannot start a stopped process.ss")
+func (s *stoppedState) Start(context.Context) error {
+	return fmt.Errorf("cannot start a stopped container")
 }
 
 func (s *stoppedState) Delete(ctx context.Context) error {
-	if err := s.p.delete(ctx); err != nil {
+	if err := s.process.delete(ctx); err != nil {
 		return err
 	}
-	return s.transition("deleted")
+	s.transition(deleted)
+	return nil
 }
 
-func (s *stoppedState) Kill(ctx context.Context, sig uint32, all bool) error {
-	return errdefs.ToGRPCf(errdefs.ErrNotFound, "process.ss %s not found", s.p.id)
+func (s *stoppedState) Kill(_ context.Context, signal uint32, _ bool) error {
+	return handleStoppedKill(signal)
 }
 
 func (s *stoppedState) SetExited(status int) {
-	// no op
+	s.process.setExited(status)
 }
 
-func (s *stoppedState) Exec(ctx context.Context, path string, r *ExecConfig) (process.Process, error) {
+func (s *stoppedState) Exec(context.Context, string, *ExecConfig) (process.Process, error) {
 	return nil, fmt.Errorf("cannot exec in a stopped state")
 }
+
+func (s *stoppedState) State(context.Context) (string, error) {
+	return "stopped", nil
+}
+
+func (s *stoppedState) Stats(context.Context, string) (*runc.Stats, error) {
+	return nil, fmt.Errorf("cannot stat a stopped container")
+}
+
+func handleStoppedKill(signal uint32) error {
+	switch unix.Signal(signal) {
+	case unix.SIGTERM, unix.SIGKILL:
+		// Container is already stopped, so everything inside the container has
+		// already been killed.
+		return nil
+	default:
+		return utils.ErrToGRPCf(errdefs.ErrNotFound, "process not found")
+	}
+}
diff --git a/pkg/shim/proc/proc.go b/pkg/shim/proc/proc.go
index edba3fca5..89ad3f505 100644
--- a/pkg/shim/proc/proc.go
+++ b/pkg/shim/proc/proc.go
@@ -17,23 +17,5 @@
 // the sandbox process running the container.
 package proc
 
-import (
-	"fmt"
-)
-
 // RunscRoot is the path to the root runsc state directory.
 const RunscRoot = "/run/containerd/runsc"
-
-func stateName(v interface{}) string {
-	switch v.(type) {
-	case *runningState, *execRunningState:
-		return "running"
-	case *createdState, *execCreatedState:
-		return "created"
-	case *deletedState:
-		return "deleted"
-	case *stoppedState:
-		return "stopped"
-	}
-	panic(fmt.Errorf("invalid state %v", v))
-}