-
-
Notifications
You must be signed in to change notification settings - Fork 636
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Ensure that sandboxed processes exit before their sandboxes are cleaned up #18632
Ensure that sandboxed processes exit before their sandboxes are cleaned up #18632
Conversation
…r`, and document `CapturedWorkdir`'s `Drop` constraint.
Commits are useful to review independently.
I'll likely open a ticket about this when I have more time, because it's a fairly awkward interface. And one implementation re-uses a single sandbox, two use dedicated sandboxes, etc. |
…ed up (Cherry-pick of pantsbuild#18632) As @jsirois discovered and described in pantsbuild#16778 (comment), because the `local::CommandRunner` does not `wait` for its child process to have exited, it might be possible for a SIGKILL to not have taken effect on the child process before its sandbox has been torn down. And that could result in the process seeing a partial sandbox (and in the case of pantsbuild#16778, potentially cause named cache corruption). This change ensures that we block to call `wait` when spawning local processes by wrapping them in the `ManagedChild` helper that we were already using for interactive processes. It then attempts to clarify the contract of the `CapturedWorkdir` trait (but in order to improve cherry-pickability does not attempt to adjust it), to make it clear that child processes should fully exit before the `run_and_capture_workdir` method has returned. Fixes pantsbuild#16778 🤞. --------- Co-authored-by: John Sirois <john.sirois@gmail.com> (cherry picked from commit 1462bef)
…ed up (Cherry-pick of pantsbuild#18632) As @jsirois discovered and described in pantsbuild#16778 (comment), because the `local::CommandRunner` does not `wait` for its child process to have exited, it might be possible for a SIGKILL to not have taken effect on the child process before its sandbox has been torn down. And that could result in the process seeing a partial sandbox (and in the case of pantsbuild#16778, potentially cause named cache corruption). This change ensures that we block to call `wait` when spawning local processes by wrapping them in the `ManagedChild` helper that we were already using for interactive processes. It then attempts to clarify the contract of the `CapturedWorkdir` trait (but in order to improve cherry-pickability does not attempt to adjust it), to make it clear that child processes should fully exit before the `run_and_capture_workdir` method has returned. Fixes pantsbuild#16778 🤞. --------- Co-authored-by: John Sirois <john.sirois@gmail.com> (cherry picked from commit 1462bef)
…ed up (Cherry-pick of pantsbuild#18632) As @jsirois discovered and described in pantsbuild#16778 (comment), because the `local::CommandRunner` does not `wait` for its child process to have exited, it might be possible for a SIGKILL to not have taken effect on the child process before its sandbox has been torn down. And that could result in the process seeing a partial sandbox (and in the case of pantsbuild#16778, potentially cause named cache corruption). This change ensures that we block to call `wait` when spawning local processes by wrapping them in the `ManagedChild` helper that we were already using for interactive processes. It then attempts to clarify the contract of the `CapturedWorkdir` trait (but in order to improve cherry-pickability does not attempt to adjust it), to make it clear that child processes should fully exit before the `run_and_capture_workdir` method has returned. Fixes pantsbuild#16778 🤞. --------- Co-authored-by: John Sirois <john.sirois@gmail.com> (cherry picked from commit 1462bef)
#18641) …ed up (Cherry-pick of #18632) As @jsirois discovered and described in #16778 (comment), because the `local::CommandRunner` does not `wait` for its child process to have exited, it might be possible for a SIGKILL to not have taken effect on the child process before its sandbox has been torn down. And that could result in the process seeing a partial sandbox (and in the case of #16778, potentially cause named cache corruption). This change ensures that we block to call `wait` when spawning local processes by wrapping them in the `ManagedChild` helper that we were already using for interactive processes. It then attempts to clarify the contract of the `CapturedWorkdir` trait (but in order to improve cherry-pickability does not attempt to adjust it), to make it clear that child processes should fully exit before the `run_and_capture_workdir` method has returned. Fixes #16778 🤞. --------- Co-authored-by: John Sirois <john.sirois@gmail.com> (cherry picked from commit 1462bef) Co-authored-by: Stu Hood <stuhood@gmail.com>
#18640) …ed up (Cherry-pick of #18632) As @jsirois discovered and described in #16778 (comment), because the `local::CommandRunner` does not `wait` for its child process to have exited, it might be possible for a SIGKILL to not have taken effect on the child process before its sandbox has been torn down. And that could result in the process seeing a partial sandbox (and in the case of #16778, potentially cause named cache corruption). This change ensures that we block to call `wait` when spawning local processes by wrapping them in the `ManagedChild` helper that we were already using for interactive processes. It then attempts to clarify the contract of the `CapturedWorkdir` trait (but in order to improve cherry-pickability does not attempt to adjust it), to make it clear that child processes should fully exit before the `run_and_capture_workdir` method has returned. Fixes #16778 🤞. --------- Co-authored-by: John Sirois <john.sirois@gmail.com> (cherry picked from commit 1462bef) Co-authored-by: Stu Hood <stuhood@gmail.com>
#18642) …ed up (Cherry-pick of #18632) As @jsirois discovered and described in #16778 (comment), because the `local::CommandRunner` does not `wait` for its child process to have exited, it might be possible for a SIGKILL to not have taken effect on the child process before its sandbox has been torn down. And that could result in the process seeing a partial sandbox (and in the case of #16778, potentially cause named cache corruption). This change ensures that we block to call `wait` when spawning local processes by wrapping them in the `ManagedChild` helper that we were already using for interactive processes. It then attempts to clarify the contract of the `CapturedWorkdir` trait (but in order to improve cherry-pickability does not attempt to adjust it), to make it clear that child processes should fully exit before the `run_and_capture_workdir` method has returned. Fixes #16778 🤞. --------- Co-authored-by: John Sirois <john.sirois@gmail.com> (cherry picked from commit 1462bef) Co-authored-by: Stu Hood <stuhood@gmail.com>
As @jsirois discovered and described in #16778 (comment), because the
local::CommandRunner
does notwait
for its child process to have exited, it might be possible for a SIGKILL to not have taken effect on the child process before its sandbox has been torn down. And that could result in the process seeing a partial sandbox (and in the case of #16778, potentially cause named cache corruption).This change ensures that we block to call
wait
when spawning local processes by wrapping them in theManagedChild
helper that we were already using for interactive processes. It then attempts to clarify the contract of theCapturedWorkdir
trait (but in order to improve cherry-pickability does not attempt to adjust it), to make it clear that child processes should fully exit before therun_and_capture_workdir
method has returned.Fixes #16778 🤞.