Merge pull request #320 from rhatdan/pidns
killall processes in a cgroup if you are not using the pid namespace
This commit is contained in:
Michael Crosby
commit
09809b551c
|
|
@ -67,7 +67,7 @@ func TestIPCPrivate(t *testing.T) {
|
|||
}
|
||||
|
||||
if actual := strings.Trim(buffers.Stdout.String(), "\n"); actual == l {
|
||||
t.Fatalf("ipc link should be private to the conatiner but equals host %q %q", actual, l)
|
||||
t.Fatalf("ipc link should be private to the container but equals host %q %q", actual, l)
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -152,7 +152,7 @@ func TestIPCBadPath(t *testing.T) {
|
|||
|
||||
_, _, err = runContainer(config, "", "true")
|
||||
if err == nil {
|
||||
t.Fatal("container succeded with bad ipc path")
|
||||
t.Fatal("container succeeded with bad ipc path")
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -176,3 +176,34 @@ func TestRlimit(t *testing.T) {
|
|||
t.Fatalf("expected rlimit to be 1024, got %s", limit)
|
||||
}
|
||||
}
|
||||
|
||||
func TestPIDNSPrivate(t *testing.T) {
|
||||
if testing.Short() {
|
||||
return
|
||||
}
|
||||
|
||||
rootfs, err := newRootFs()
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
defer remove(rootfs)
|
||||
|
||||
l, err := os.Readlink("/proc/1/ns/pid")
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
config := newTemplateConfig(rootfs)
|
||||
buffers, exitCode, err := runContainer(config, "", "readlink", "/proc/self/ns/pid")
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
if exitCode != 0 {
|
||||
t.Fatalf("exit code not 0. code %d stderr %q", exitCode, buffers.Stderr)
|
||||
}
|
||||
|
||||
if actual := strings.Trim(buffers.Stdout.String(), "\n"); actual == l {
|
||||
t.Fatalf("pid link should be private to the container but equals host %q %q", actual, l)
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -110,9 +110,40 @@ func Exec(container *libcontainer.Config, stdin io.Reader, stdout, stderr io.Wri
|
|||
return -1, err
|
||||
}
|
||||
}
|
||||
if !container.Namespaces.Contains(libcontainer.NEWPID) {
|
||||
killAllPids(container)
|
||||
}
|
||||
return command.ProcessState.Sys().(syscall.WaitStatus).ExitStatus(), nil
|
||||
}
|
||||
|
||||
func killAllPids(container *libcontainer.Config) {
|
||||
var (
|
||||
pids []int
|
||||
err error
|
||||
)
|
||||
freeze := fs.Freeze
|
||||
getPids := fs.GetPids
|
||||
if systemd.UseSystemd() {
|
||||
freeze = systemd.Freeze
|
||||
getPids = systemd.GetPids
|
||||
}
|
||||
|
||||
freeze(container.Cgroups, cgroups.Frozen)
|
||||
if pids, err = getPids(container.Cgroups); err == nil {
|
||||
for _, pid := range pids {
|
||||
if p, err := os.FindProcess(pid); err == nil {
|
||||
p.Kill()
|
||||
}
|
||||
}
|
||||
}
|
||||
freeze(container.Cgroups, cgroups.Thawed)
|
||||
for _, pid := range pids {
|
||||
if p, err := os.FindProcess(pid); err == nil {
|
||||
p.Wait()
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// DefaultCreateCommand will return an exec.Cmd with the Cloneflags set to the proper namespaces
|
||||
// defined on the container's configuration and use the current binary as the init with the
|
||||
// args provided
|
||||
|
|
|
|||
Loading…
Reference in New Issue