oci: terminate all container processes on cleanup

if the container has no pid namespace, they are not killed when the container process ends. In this case, attempt to kill them in the same way. The problem was noticed with toolbox where the exec'ed sessions are not terminated when the container is stopped, blocking the system shutdown. [NO NEW TESTS NEEDED] Signed-off-by: Giuseppe Scrivano <[email protected]>
vrothberg · Jan 7, 2023 · 9fe86ec · 9fe86ec
1 parent b89435a
commit 9fe86ec
Showing 1 changed file with 13 additions and 0 deletions.
diff --git a/libpod/container_api.go b/libpod/container_api.go
@@ -735,6 +735,19 @@ func (c *Container) Cleanup(ctx context.Context) error {
 
 	// If we didn't restart, we perform a normal cleanup
 
+	// make sure all the container processes are terminated if we are running without a pid namespace.
+	hasPidNs := false
+	for _, i := range c.config.Spec.Linux.Namespaces {
+		if i.Type == spec.PIDNamespace {
+			hasPidNs = true
+			break
+		}
+	}
+	if !hasPidNs {
+		// do not fail on errors
+		_ = c.ociRuntime.KillContainer(c, uint(unix.SIGKILL), true)
+	}
+
 	// Check for running exec sessions
 	sessions, err := c.getActiveExecSessions()
 	if err != nil {