From d93e4b939d0ab4ab512eb05d0ea5389c909a34ab Mon Sep 17 00:00:00 2001
From: Fupan Li
Date: Thu, 14 Jul 2022 16:39:49 +0800
Subject: [PATCH] container: kill all of the processes in this container

When a container terminated, we should make sure there's no processes left after destroying the container.

Before this commit, kata-agent depended on the kernel's pidns to destroy all of the process in a container after the 1 process exit in a container. This is true for those container using a separated pidns, but for the case of shared pidns within the sandbox, the container exit wouldn't trigger the pidns terminated, and there would be some daemon process left in this container, this wasn't expected.

Fixes: #4663

Signed-off-by: Fupan Li
---
 src/agent/rustjail/src/container.rs | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/src/agent/rustjail/src/container.rs b/src/agent/rustjail/src/container.rs
index f95aaffd81..2c360cf164 100644
--- a/src/agent/rustjail/src/container.rs
+++ b/src/agent/rustjail/src/container.rs
@@ -1092,6 +1092,16 @@ impl BaseContainer for LinuxContainer {
 fs::remove_dir_all(&self.root)?;
 
 if let Some(cgm) = self.cgroup_manager.as_mut() {
+ // Kill all of the processes created in this container to prevent
+ // the leak of some daemon process when this container shared pidns
+ // with the sandbox.
+ let pids = cgm.get_pids().context("get cgroup pids")?;
+ for i in pids {
+ if let Err(e) = signal::kill(Pid::from_raw(i), Signal::SIGKILL) {
+ warn!(self.logger, "kill the process {} error: {:?}", i, e);
+ }
+ }
+
 cgm.destroy().context("destroy cgroups")?;
 }
 Ok(())
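Review bot: A single pass over `cgm.get_pids()` followed immediately by `cgm.destroy()` leaves a window in which the cgroup is still populated: SIGKILL is delivered asynchronously, so a signalled task can still be a member of the cgroup when `destroy()` runs, and a task that forked between the `get_pids()` call and the `kill` loop is never signalled at all. Whether `destroy()` then fails or silently leaves the hierarchy behind depends on the cgroup manager implementation, which is outside this hunk. The usual remedy is to repeat the enumerate-and-kill cycle until `get_pids()` returns an empty list, bounded by a retry limit (with a short pause between rounds) so a task stuck in uninterruptible sleep cannot hang `destroy()`, and to log if pids remain after the last round. A `kill` error of ESRCH is expected here for tasks that exited between enumeration and signalling, so it could be logged below `warn!` to keep the log signal clean; the enclosing `destroy` function starts outside the hunk.
```rust
        if let Some(cgm) = self.cgroup_manager.as_mut() {
            // SIGKILL is asynchronous and tasks may fork after enumeration,
            // so repeat until the cgroup reports no pids, bounded so a stuck
            // task cannot hang destroy().
            let mut pids = cgm.get_pids().context("get cgroup pids")?;
            let mut rounds = 0;
            while !pids.is_empty() && rounds < MAX_KILL_ROUNDS /* placeholder: define as a small constant */ {
                for i in &pids {
                    if let Err(e) = signal::kill(Pid::from_raw(*i), Signal::SIGKILL) {
                        warn!(self.logger, "kill the process {} error: {:?}", i, e);
                    }
                }
                rounds += 1;
                // … a short pause here would give the kernel time to reap …
                pids = cgm.get_pids().context("get cgroup pids")?;
            }
            if !pids.is_empty() {
                warn!(self.logger, "{} processes still in cgroup after {} kill rounds", pids.len(), rounds);
            }
            // … unchanged: cgm.destroy() …
```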