From 9fe86ec7f6a0a2398ae425befca17aca90d2de0f Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano
Date: Sat, 7 Jan 2023 15:00:46 +0100
Subject: [PATCH] oci: terminate all container processes on cleanup

if the container has no pid namespace, they are not killed when the container process ends. In this case, attempt to kill them in the same way.

The problem was noticed with toolbox where the exec'ed sessions are not terminated when the container is stopped, blocking the system shutdown.

[NO NEW TESTS NEEDED]

Signed-off-by: Giuseppe Scrivano
---
 libpod/container_api.go | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/libpod/container_api.go b/libpod/container_api.go
index 71f97a240b..0b57803997 100644
--- a/libpod/container_api.go
+++ b/libpod/container_api.go
@@ -735,6 +735,19 @@ func (c *Container) Cleanup(ctx context.Context) error {
 
 	// If we didn't restart, we perform a normal cleanup
 
+	// make sure all the container processes are terminated if we are running without a pid namespace.
+	hasPidNs := false
+	for _, i := range c.config.Spec.Linux.Namespaces {
+		if i.Type == spec.PIDNamespace {
+			hasPidNs = true
+			break
+		}
+	}
+	if !hasPidNs {
+		// do not fail on errors
+		_ = c.ociRuntime.KillContainer(c, uint(unix.SIGKILL), true)
+	}
+
 	// Check for running exec sessions
 	sessions, err := c.getActiveExecSessions()
 	if err != nil {
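Review bot: The new loop dereferences `c.config.Spec.Linux` without a nil check, so if a container's spec can ever reach Cleanup without a Linux section (presumably always present on Linux builds, but worth confirming given the non-Linux build tags elsewhere in libpod), the cleanup path panics instead of cleaning up; wrapping the loop in `if c.config.Spec.Linux != nil {` keeps the default `hasPidNs == false` behaviour and is cheap. The result of `c.ociRuntime.KillContainer(c, uint(unix.SIGKILL), true)` is discarded with `_ =`; since a failed kill here means processes sharing the host pid namespace can outlive the container (exactly the shutdown-blocking case the commit describes), logging the error at debug level with the file's existing logger, e.g. `// best effort: log so a leaked process is diagnosable` followed by a debug log of `err`, would keep the best-effort semantics while leaving a trace. A short comment stating why SIGKILL is sent rather than the container's configured stop signal would also help the next reader, since the cleanup path otherwise never escalates on its own. Cleanup's body begins and ends outside the hunk.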