Merge pull request containers#17025 from giuseppe/terminate-processes…

…-no-pid-namespace oci: terminate all container processes on cleanup
vrothberg · Jan 8, 2023 · 74a961a · 74a961a
2 parents c83a2f8 + 9fe86ec
commit 74a961a
Showing 1 changed file with 13 additions and 0 deletions.
diff --git a/libpod/container_api.go b/libpod/container_api.go
@@ -786,6 +786,19 @@ func (c *Container) Cleanup(ctx context.Context) error {
 
 	// If we didn't restart, we perform a normal cleanup
 
+	// make sure all the container processes are terminated if we are running without a pid namespace.
+	hasPidNs := false
+	for _, i := range c.config.Spec.Linux.Namespaces {
+		if i.Type == spec.PIDNamespace {
+			hasPidNs = true
+			break
+		}
+	}
+	if !hasPidNs {
+		// do not fail on errors
+		_ = c.ociRuntime.KillContainer(c, uint(unix.SIGKILL), true)
+	}
+
 	// Check for running exec sessions
 	sessions, err := c.getActiveExecSessions()
 	if err != nil {