From 19fe3a2bfb72622c307311dc61019238896a756b Mon Sep 17 00:00:00 2001 From: Fabricio Voznika Date: Mon, 22 Feb 2021 09:31:32 -0800 Subject: Fix `runsc kill --pid` Previously, loader.signalProcess was inconsitently using both root and container's PID namespace to find the process. It used root namespace for the exec'd process and container's PID namespace for other processes. This fixes the code to use the root PID namespace across the board, which is the same PID reported in `runsc ps` (or soon will after https://github.com/google/gvisor/pull/5519). PiperOrigin-RevId: 358836297
---
 runsc/boot/loader.go | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) (limited to 'runsc/boot/loader.go')
diff --git a/runsc/boot/loader.go b/runsc/boot/loader.go
index a02eb2ec5..5afce232d 100644
--- a/runsc/boot/loader.go
+++ b/runsc/boot/loader.go
@@ -1171,7 +1171,8 @@ func (f *sandboxNetstackCreator) CreateStack() (inet.Stack, error) {
 // signal sends a signal to one or more processes in a container. If PID is 0,
 // then the container init process is used. Depending on the SignalDeliveryMode
 // option, the signal may be sent directly to the indicated process, to all
-// processes in the container, or to the foreground process group.
+// processes in the container, or to the foreground process group. pid is
+// relative to the root PID namespace, not the container's.
 func (l *Loader) signal(cid string, pid, signo int32, mode SignalDeliveryMode) error {
 if pid < 0 {
 return fmt.Errorf("PID (%d) must be positive", pid)
@@ -1208,6 +1209,8 @@ func (l *Loader) signal(cid string, pid, signo int32, mode SignalDeliveryMode) e
 }
 }
 
+// signalProcess sends signal to process in the given container. tgid is
+// relative to the root PID namespace, not the container's.
 func (l *Loader) signalProcess(cid string, tgid kernel.ThreadID, signo int32) error {
 execTG, err := l.threadGroupFromID(execID{cid: cid, pid: tgid})
 if err == nil {
@@ -1216,18 +1219,14 @@ func (l *Loader) signalProcess(cid string, tgid kernel.ThreadID, signo int32) er
 }
 
 // The caller may be signaling a process not started directly via exec.
- // In this case, find the process in the container's PID namespace and
- // signal it.
- initTG, err := l.threadGroupFromID(execID{cid: cid})
- if err != nil {
- return fmt.Errorf("no thread group found: %v", err)
- }
- tg := initTG.PIDNamespace().ThreadGroupWithID(tgid)
+ // In this case, find the process and check that the process belongs to the
+ // container in question.
+ tg := l.k.RootPIDNamespace().ThreadGroupWithID(tgid)
 if tg == nil {
 return fmt.Errorf("no such process with PID %d", tgid)
 }
 if tg.Leader().ContainerID() != cid {
- return fmt.Errorf("process %d is part of a different container: %q", tgid, tg.Leader().ContainerID())
+ return fmt.Errorf("process %d belongs to a different container: %q", tgid, tg.Leader().ContainerID())
 }
 return l.k.SendExternalSignalThreadGroup(tg, &arch.SignalInfo{Signo: signo})
 }
-- cgit v1.2.3
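Review bot: With the lookup switched to `l.k.RootPIDNamespace().ThreadGroupWithID(tgid)`, the `tg.Leader().ContainerID() != cid` comparison a few lines below becomes the only check that keeps a `--pid` signal inside the requested container, and nothing in the code marks it as such. I would add a comment above it such as `// Isolation boundary: the root PID namespace can resolve PIDs owned by other containers, so reject any tgid whose leader is not in cid.` and a regression test that signals a PID belonging to a second container and expects this error. The error string also echoes the owning container's ID back to the caller; if the control path can be reached by anything less trusted than the runsc CLI (not visible here), consider reporting only that the PID is not in `cid`. signalProcess begins in the previous hunk, so the exec'd-process branch is not fully visible from this one.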