
RFC: treat host pidns container with no init process as running if some processes exist in cgroup #4049

Closed
kolyshkin opened this issue Oct 3, 2023 · 4 comments

Comments

@kolyshkin (Contributor)

kolyshkin commented Oct 3, 2023

Description

Currently, runc checks for the existence of the init process inside a container to figure out whether the container is running or not. This is the correct thing to do for a container that has its own PID namespace.

Yet, for a container that does not have its own pid namespace (i.e. it shares the pidns with the host or possibly another container), merely checking that init is there is not a good way to say whether the container is running or not. In fact, init might already have been killed or exited while other container processes remain.

Since #3132 is fixed, for a no-pidns container we can instead say that the container is running if its cgroup has some processes running. While at it, it might make sense to disallow creating containers with shared or no cgroup and no pidns.

References:

@lifubang (Member)

lifubang commented Oct 3, 2023

👍 Maybe we also need to update the descriptions about ‘stopped’ in runtime-spec.
https://github.com/opencontainers/runtime-spec/blob/main/runtime.md?plain=1#L22

@kolyshkin (Contributor, Author)

OTOH, all this is just for shared pidns containers, so maybe we can do something else. Frankly, I dunno.

@fuweid (Member)

fuweid commented Oct 4, 2023

> for a no-pidns container we can instead say that the container is running if its cgroup has some processes running.

I think we can still consider the container as stopped. But the runc kill should always send the signal to all the processes in the cgroup if the cgroup is still here. Otherwise, the runc delete will fail.
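The two state rules under discussion (kolyshkin's current init-based check versus the proposed "cgroup still has processes" check for shared-pidns containers) and the "signal every process in the cgroup" cleanup fuweid asks for, as an added Go example. This is not runc's own code; it assumes the one-PID-per-line format of `cgroup.procs`, probes liveness with signal 0, and takes the init-alive flag, the parsed PID list and the signal sender as parameters so the logic can be exercised without real container processes. The sample `cgroup.procs` content is constructed.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
	"strings"
	"syscall"
)

// Status is the container state a runtime reports; only the two states
// the issue is concerned with are modelled here.
type Status int

const (
	Stopped Status = iota
	Running
)

func (s Status) String() string {
	if s == Running {
		return "running"
	}
	return "stopped"
}

// parseCgroupProcs parses the text of a cgroup.procs file (one PID per
// line) into a list of PIDs. Blank lines are ignored; any other entry
// that is not a number is an error rather than silently skipped.
func parseCgroupProcs(content string) ([]int, error) {
	var pids []int
	for _, line := range strings.Split(content, "\n") {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		pid, err := strconv.Atoi(line)
		if err != nil {
			return nil, fmt.Errorf("cgroup.procs: bad entry %q: %w", line, err)
		}
		pids = append(pids, pid)
	}
	return pids, nil
}

// pidAlive probes a PID with signal 0 (nothing is delivered). EPERM means
// the process exists but belongs to another user, so it counts as alive.
func pidAlive(pid int) bool {
	p, err := os.FindProcess(pid)
	if err != nil {
		return false
	}
	err = p.Signal(syscall.Signal(0))
	return err == nil || err == syscall.EPERM
}

// containerStatus applies the two rules from the issue:
//   - ownPidns: the container has its own PID namespace, so it is running
//     exactly when its init process is alive (the existing check);
//   - shared pidns: the RFC's proposal, running while the cgroup still
//     holds any process, even after init is gone.
// initAlive and cgroupPids are inputs so no real processes are needed.
func containerStatus(ownPidns, initAlive bool, cgroupPids []int) Status {
	if ownPidns {
		if initAlive {
			return Running
		}
		return Stopped
	}
	if len(cgroupPids) > 0 {
		return Running
	}
	return Stopped
}

// signalCgroup sends sig to every PID listed in cgroup.procs, the cleanup
// fuweid describes so that a later delete does not meet a non-empty cgroup.
// send is injected (syscall.Kill in real use) so it can be tested safely;
// PIDs that have already exited (send fails) are simply skipped.
func signalCgroup(pids []int, sig syscall.Signal, send func(int, syscall.Signal) error) []int {
	var signalled []int
	for _, pid := range pids {
		if err := send(pid, sig); err == nil {
			signalled = append(signalled, pid)
		}
	}
	return signalled
}

func main() {
	// Constructed sample: init (hypothetical PID 4242) is gone, two workers remain.
	const sample = "4311\n4312\n"
	pids, err := parseCgroupProcs(sample)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	initAlive := pidAlive(4242)
	fmt.Println("own pidns:   ", containerStatus(true, initAlive, pids))
	fmt.Println("shared pidns:", containerStatus(false, initAlive, pids))
}
```

The split between the two rules is the whole point of the thread: with a private PID namespace, init's death takes every other process in the namespace with it, so the init check is sufficient; with a shared namespace it is not, and either the state check or the kill path has to look at `cgroup.procs` instead.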

@kolyshkin (Contributor, Author)

This is a very rare corner case, so yes, let's consider the container stopped if it has no init process running. Things were working this way and there's no need to change it.
