From 8f0b6e7fc02919df034dea9e9c9dbab1b80de2be Mon Sep 17 00:00:00 2001 From: Kevin Krakauer Date: Wed, 5 Sep 2018 21:13:46 -0700 Subject: runsc: Support runsc kill multi-container. Now, we can kill individual containers rather than the entire sandbox. PiperOrigin-RevId: 211748106 Change-Id: Ic97e91db33d53782f838338c4a6d0aab7a313ead --- runsc/container/container.go | 1 + runsc/container/container_test.go | 142 ++++++++++++++++++++++++++++++++++++-- 2 files changed, 136 insertions(+), 7 deletions(-) (limited to 'runsc/container') diff --git a/runsc/container/container.go b/runsc/container/container.go index a4a3ed56d..5977fbd21 100644 --- a/runsc/container/container.go +++ b/runsc/container/container.go @@ -427,6 +427,7 @@ func (c *Container) Signal(sig syscall.Signal) error { log.Warningf("container %q not running, not sending signal %v", c.ID, sig) return nil } + // TODO: Query the container for its state, then save it. return c.Sandbox.Signal(c.ID, sig) } diff --git a/runsc/container/container_test.go b/runsc/container/container_test.go index c00db3e91..00e38e12c 100644 --- a/runsc/container/container_test.go +++ b/runsc/container/container_test.go @@ -38,6 +38,7 @@ import ( "gvisor.googlesource.com/gvisor/pkg/sentry/kernel/auth" "gvisor.googlesource.com/gvisor/pkg/unet" "gvisor.googlesource.com/gvisor/runsc/boot" + "gvisor.googlesource.com/gvisor/runsc/specutils" "gvisor.googlesource.com/gvisor/runsc/test/testutil" ) @@ -336,8 +337,8 @@ func TestLifecycle(t *testing.T) { wg.Done() }() - // Wait a bit to ensure that we've started waiting on the container - // before we signal. + // Wait a bit to ensure that we've started waiting on the + // container before we signal. <-ch time.Sleep(100 * time.Millisecond) // Send the container a SIGTERM which will cause it to stop. @@ -347,11 +348,11 @@ func TestLifecycle(t *testing.T) { // Wait for it to die. wg.Wait() - // The sandbox process should have exited by now, but it is a zombie. - // In normal runsc usage, it will be parented to init, and init will - // reap the sandbox. However, in this case the test runner is the - // parent and will not reap the sandbox process, so we must do it - // ourselves. + // The sandbox process should have exited by now, but it is a + // zombie. In normal runsc usage, it will be parented to init, + // and init will reap the sandbox. However, in this case the + // test runner is the parent and will not reap the sandbox + // process, so we must do it ourselves. p, _ := os.FindProcess(s.Sandbox.Pid) p.Wait() g, _ := os.FindProcess(s.GoferPid) @@ -1547,6 +1548,133 @@ func TestGoferExits(t *testing.T) { } } +// TestMultiContainerSignal checks that it is possible to signal individual +// containers without killing the entire sandbox. +func TestMultiContainerSignal(t *testing.T) { + for _, conf := range configs(all...) { + t.Logf("Running test with conf: %+v", conf) + + containerIDs := []string{ + testutil.UniqueContainerID(), + testutil.UniqueContainerID(), + } + containerAnnotations := []map[string]string{ + // The first container creates a sandbox. + map[string]string{ + specutils.ContainerdContainerTypeAnnotation: specutils.ContainerdContainerTypeSandbox, + }, + // The second container creates a container within the first + // container's sandbox. + map[string]string{ + specutils.ContainerdContainerTypeAnnotation: specutils.ContainerdContainerTypeContainer, + specutils.ContainerdSandboxIDAnnotation: containerIDs[0], + }, + } + + rootDir, err := testutil.SetupRootDir() + if err != nil { + t.Fatalf("error creating root dir: %v", err) + } + defer os.RemoveAll(rootDir) + + // Setup the containers. + containers := make([]*Container, 0, len(containerIDs)) + for i, annotations := range containerAnnotations { + spec := testutil.NewSpecWithArgs("sleep", "100") + spec.Annotations = annotations + bundleDir, err := testutil.SetupContainerInRoot(rootDir, spec, conf) + if err != nil { + t.Fatalf("error setting up container: %v", err) + } + defer os.RemoveAll(bundleDir) + cont, err := Create(containerIDs[i], spec, conf, bundleDir, "", "") + if err != nil { + t.Fatalf("error creating container: %v", err) + } + defer cont.Destroy() + if err := cont.Start(conf); err != nil { + t.Fatalf("error starting container: %v", err) + } + containers = append(containers, cont) + } + + expectedPL := []*control.Process{ + { + UID: 0, + PID: 1, + PPID: 0, + C: 0, + Cmd: "sleep", + }, + { + UID: 0, + PID: 2, + PPID: 0, + C: 0, + Cmd: "sleep", + }, + } + + // Check via ps that multiple processes are running. + if err := waitForProcessList(containers[0], expectedPL); err != nil { + t.Errorf("failed to wait for sleep to start: %v", err) + } + + // Kill process 2. + if err := containers[1].Signal(syscall.SIGKILL); err != nil { + t.Errorf("failed to kill process 2: %v", err) + } + + // Make sure process 1 is still running. + if err := waitForProcessList(containers[0], expectedPL[:1]); err != nil { + t.Errorf("failed to wait for sleep to start: %v", err) + } + + // Now that process 2 is gone, ensure we get an error trying to + // signal it again. + if err := containers[1].Signal(syscall.SIGKILL); err == nil { + t.Errorf("container %q shouldn't exist, but we were able to signal it", containers[1].ID) + } + + // Kill process 1. + if err := containers[0].Signal(syscall.SIGKILL); err != nil { + t.Errorf("failed to kill process 1: %v", err) + } + + if err := waitForSandboxExit(containers[0]); err != nil { + t.Errorf("failed to exit sandbox: %v", err) + } + + // The sentry should be gone, so signaling should yield an + // error. + if err := containers[0].Signal(syscall.SIGKILL); err == nil { + t.Errorf("sandbox %q shouldn't exist, but we were able to signal it", containers[0].Sandbox.ID) + } + } +} + +// waitForSandboxExit waits until both the sandbox and gofer processes of the +// container have exited. +func waitForSandboxExit(container *Container) error { + goferProc, _ := os.FindProcess(container.GoferPid) + state, err := goferProc.Wait() + if err != nil { + return err + } + if !state.Exited() { + return fmt.Errorf("gofer with PID %d failed to exit", container.GoferPid) + } + sandboxProc, _ := os.FindProcess(container.Sandbox.Pid) + state, err = sandboxProc.Wait() + if err != nil { + return err + } + if !state.Exited() { + return fmt.Errorf("sandbox with PID %d failed to exit", container.Sandbox.Pid) + } + return nil +} + func TestMain(m *testing.M) { testutil.RunAsRoot(m) } -- cgit v1.2.3