libct: Signal: honor RootlessCgroups

`signalAllProcesses()` depends on the cgroup and is expected to fail when runc is running in rootless without an access to the cgroup. When `RootlessCgroups` is set to `true`, runc just ignores the error from `signalAllProcesses` and may leak some processes running. (See the comments in PR 4395) In the future, runc should walk the process tree to avoid such a leak. Note that `RootlessCgroups` is a misnomer; it is set to `false` despite the name when cgroup v2 delegation is configured. This is expected to be renamed in a separate commit. Fix issue 4394 Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2025-09-26 19:41:35 +08:00 · 2024-09-05 05:05:24 +09:00
parent 961b8031f6
commit 429e06a518
4 changed files with 37 additions and 0 deletions
--- a/libcontainer/container_linux.go
+++ b/libcontainer/container_linux.go
@@ -388,11 +388,21 @@ func (c *Container) Signal(s os.Signal) error {
 	// leftover processes. Handle this special case here.
 	if s == unix.SIGKILL && !c.config.Namespaces.IsPrivate(configs.NEWPID) {
 		if err := signalAllProcesses(c.cgroupManager, unix.SIGKILL); err != nil {
+			if c.config.RootlessCgroups { // may not have an access to cgroup
+				logrus.WithError(err).Warn("failed to kill all processes, possibly due to lack of cgroup (Hint: enable cgroup v2 delegation)")
+				// Some processes may leak when cgroup is not delegated
+				// https://github.com/opencontainers/runc/pull/4395#pullrequestreview-2291179652
+				return c.signal(s)
+			}
 			return fmt.Errorf("unable to kill all processes: %w", err)
 		}
 		return nil
 	}

+	return c.signal(s)
+}
+
+func (c *Container) signal(s os.Signal) error {
 	// To avoid a PID reuse attack, don't kill non-running container.
 	if !c.hasInit() {
 		return ErrNotRunning
--- a/libcontainer/init_linux.go
+++ b/libcontainer/init_linux.go
@@ -695,6 +695,8 @@ func setupPersonality(config *configs.Config) error {

 // signalAllProcesses freezes then iterates over all the processes inside the
 // manager's cgroups sending the signal s to them.
+//
+// signalAllProcesses returns ErrNotRunning when the cgroup does not exist.
 func signalAllProcesses(m cgroups.Manager, s unix.Signal) error {
 	if !m.Exists() {
 		return ErrNotRunning
--- a/libcontainer/state_linux.go
+++ b/libcontainer/state_linux.go
@@ -44,6 +44,7 @@ func destroy(c *Container) error {
 	// and destroy is supposed to remove all the container resources, we need
 	// to kill those processes here.
 	if !c.config.Namespaces.IsPrivate(configs.NEWPID) {
+		// Likely to fail when c.config.RootlessCgroups is true
 		_ = signalAllProcesses(c.cgroupManager, unix.SIGKILL)
 	}
 	if err := c.cgroupManager.Destroy(); err != nil {
--- a/tests/integration/kill.bats
+++ b/tests/integration/kill.bats
@@ -133,3 +133,27 @@ test_host_pidns_kill() {
 	test_host_pidns_kill
 	unset KILL_INIT
 }
+
+# https://github.com/opencontainers/runc/issues/4394 (cgroup v1, rootless)
+@test "kill KILL [shared pidns]" {
+	update_config '.process.args = ["sleep", "infinity"]'
+
+	runc run -d --console-socket "$CONSOLE_SOCKET" target_ctr
+	[ "$status" -eq 0 ]
+	testcontainer target_ctr running
+	target_pid="$(__runc state target_ctr | jq .pid)"
+	update_config '.linux.namespaces |= map(if .type == "user" or .type == "pid" then (.path = "/proc/'"$target_pid"'/ns/" + .type) else . end) | del(.linux.uidMappings) | del(.linux.gidMappings)'
+
+	runc run -d --console-socket "$CONSOLE_SOCKET" attached_ctr
+	[ "$status" -eq 0 ]
+	testcontainer attached_ctr running
+
+	runc kill attached_ctr 9
+	[ "$status" -eq 0 ]
+
+	runc delete --force attached_ctr
+	[ "$status" -eq 0 ]
+
+	runc delete --force target_ctr
+	[ "$status" -eq 0 ]
+}