From 494db3e166d80ee5fad2a49195339fa0b6a4842b Mon Sep 17 00:00:00 2001 From: Giuseppe Scrivano Date: Mon, 9 Jan 2023 20:59:30 +0100 Subject: [PATCH 1/2] oci: check for valid PID before kill(pid, 0) check that the container has a valid pid before attempting to use kill($PID, 0) on it. If the PID==0, it means the container is already stopped. Signed-off-by: Giuseppe Scrivano --- libpod/oci_conmon_common.go | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libpod/oci_conmon_common.go b/libpod/oci_conmon_common.go index b60e680cb0..b2414dd6ea 100644 --- a/libpod/oci_conmon_common.go +++ b/libpod/oci_conmon_common.go @@ -429,6 +429,10 @@ func (r *ConmonOCIRuntime) StopContainer(ctr *Container, timeout uint, all bool) } if err := r.KillContainer(ctr, uint(unix.SIGKILL), all); err != nil { + // If the PID is 0, then the container is already stopped. + if ctr.state.PID == 0 { + return nil + } // Again, check if the container is gone. If it is, exit cleanly. if aliveErr := unix.Kill(ctr.state.PID, 0); errors.Is(aliveErr, unix.ESRCH) { return nil From 4cf06fe7e074cb9a09670f8308ade12f30bb958d Mon Sep 17 00:00:00 2001 From: Giuseppe Scrivano Date: Mon, 9 Jan 2023 15:35:25 +0100 Subject: [PATCH 2/2] podman: podman rm -f doesn't leave processes follow-up to 6886e80b45caae27dda81a9b44d8dd179c414580 when "podman -rm -f" is used on a container in "stopping" state, also make sure it is terminated before removing it from the local storage. Signed-off-by: Giuseppe Scrivano --- libpod/runtime_ctr.go | 2 +- test/system/055-rm.bats | 35 ++++++++++++++++++++++++++++++++--- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/libpod/runtime_ctr.go b/libpod/runtime_ctr.go index 4757471c98..4d13d7ffb1 100644 --- a/libpod/runtime_ctr.go +++ b/libpod/runtime_ctr.go @@ -741,7 +741,7 @@ func (r *Runtime) removeContainer(ctx context.Context, c *Container, force, remo } // Check that the container's in a good state to be removed. - if c.state.State == define.ContainerStateRunning { + if c.ensureState(define.ContainerStateRunning, define.ContainerStateStopping) { time := c.StopTimeout() if timeout != nil { time = *timeout diff --git a/test/system/055-rm.bats b/test/system/055-rm.bats index 6b682c0e28..a8028ee440 100644 --- a/test/system/055-rm.bats +++ b/test/system/055-rm.bats @@ -113,9 +113,8 @@ load helpers is "$output" "" "Should print no output" } -@test "podman container rm doesn't affect stopping containers" { - local cname=c$(random_string 30) - run_podman run -d --name $cname \ +function __run_healthcheck_container() { + run_podman run -d --name $1 \ --health-cmd /bin/false \ --health-interval 1s \ --health-retries 2 \ @@ -125,6 +124,11 @@ load helpers --health-start-period 0 \ --stop-signal SIGTERM \ $IMAGE sleep infinity +} + +@test "podman container rm doesn't affect stopping containers" { + local cname=c$(random_string 30) + __run_healthcheck_container $cname local cid=$output # We'll use the PID later to confirm that container is not running @@ -159,4 +163,29 @@ load helpers fi } +@test "podman container rm --force doesn't leave running processes" { + local cname=c$(random_string 30) + __run_healthcheck_container $cname + local cid=$output + + # We'll use the PID later to confirm that container is not running + run_podman inspect --format '{{.State.Pid}}' $cname + local pid=$output + + for i in {1..10}; do + run_podman inspect $cname --format '{{.State.Status}}' + if [ "$output" = "stopping" ]; then + break + fi + + sleep 0.5 + done + + run_podman rm -f $cname + + if kill -0 $pid; then + die "Container $cname process is still running (pid $pid)" + fi +} + # vim: filetype=sh