Verify the ExecSession pid before killing it. #25906
Conversation
openshift-ci
bot
added
do-not-merge/work-in-progress
jankaluza
force-pushed
the
25104-pidfs
branch
2 times, most recently
from
cd78208 to
2ad99b0
Compare
libpod/container_exec.go
Outdated
| @@ -295,6 +299,10 @@ func (c *Container) ExecStart(sessionID string) error { | |||
|
|
|||
| // Update and save session to reflect PID/running | |||
| session.PID = pid | |||
| session.PIDData, err = c.generatePIDData(pid) | |||
There was a problem hiding this comment.
I'm a bit paranoid that if the process is already finished at this point, and someone else gets this PID number, the PIDData will contain data from someone else's process. I'd say the chances would be small, and maybe there's no need to address this.
There was a problem hiding this comment.
This can happen in case the process exits right after we start it and the pid is also recycled within the same time. It is quite unlikely, but in theory it can for sure happen.
We could probably fix that by generating the pidhandle in readConmonPipeData while the pipe is still open (if that's event possible, not sure if it's not closed right after we receive the data). But not sure if that's worth it.
jankaluza
force-pushed
the
25104-pidfs
branch
3 times, most recently
from
a32af9c to
1127797
Compare
|
I'm learning how to do some code for different systems. I will tell you here once the PR is ready to review again :-). |
jankaluza
force-pushed
the
25104-pidfs
branch
2 times, most recently
from
12f2835 to
067f849
Compare
|
[NON-BLOCKING] Packit jobs failed. @containers/packit-build please check. Everyone else, feel free to ignore. |
jankaluza
force-pushed
the
25104-pidfs
branch
2 times, most recently
from
4caf6df to
b768015
Compare
|
So what's left here is to deduplicate the pidhandle_linux.go and pidhandle.go, fix the unit-tests and check why the sys tests failed. |
jankaluza
force-pushed
the
25104-pidfs
branch
5 times, most recently
from
51b3f52 to
d24fda0
Compare
|
I still have to rewrite the unit-tests to match the new code and I have a feeling it sometimes fails with "Invalid argument" for podman exec, so I will also try to debug this more. I hope I will find out the reason while rewriting the tests, let's see :-). |
jankaluza
force-pushed
the
25104-pidfs
branch
3 times, most recently
from
95b3d5b to
fb0d2c2
Compare
openshift-ci
bot
removed
the
do-not-merge/work-in-progress
|
As a follow-up, it would be nice to also move waitPidStop to PIDHandle and used pidfs there. |
| @@ -48,7 +48,8 @@ function Local-Unit { | |||
| Build-Ginkgo | |||
| $skippackages="hack,internal\domain\infra\abi,internal\domain\infra\tunnel,libpod\lock\shm,pkg\api\handlers\libpod,pkg\api\handlers\utils,pkg\bindings," | |||
| $skippackages+="pkg\domain\infra\abi,pkg\emulation,pkg\machine\apple,pkg\machine\applehv,pkg\machine\e2e,pkg\machine\libkrun," | |||
| $skippackages+="pkg\machine\provider,pkg\machine\proxyenv,pkg\machine\qemu,pkg\specgen\generate,pkg\systemd,test\e2e,test\utils,cmd\rootlessport" | |||
| $skippackages+="pkg\machine\provider,pkg\machine\proxyenv,pkg\machine\qemu,pkg\specgen\generate,pkg\systemd,test\e2e,test\utils,cmd\rootlessport," | |||
| $skippackages+="pkg\pidhandle" | |||
There was a problem hiding this comment.
if the unit tests don't run on windows then they should have !windows build tags instead of skipping them here like this
There was a problem hiding this comment.
Although your test file is already called linux_test.go so it should already be only called on linux so I don't quite follow why this would be needed
There was a problem hiding this comment.
This is needed, because otherwise the tests complain on windows that there is no built .go file in the pidhandle package. It seems there is some check for empty packages.
There was a problem hiding this comment.
@l0rd Do you know how we can avoid this? IMO it is quite annoying to have all packages listed here. IF someone adds windows test to any of the dirs they likely don't remember to remove it from the list.
There was a problem hiding this comment.
No, I don't know how to do that. For some reason, it fails to compile the package because "build constraints exclude all Go files". The only way I found to avoid adding the package in the skip list is to add a pidhandle_windows.go that only has the package def:
//go:build windows
package pidhandleThere was a problem hiding this comment.
Well, I think including empty .go files is also not ideal. If someone adds new Windows test, that person also most likely tries to run this test on Windows and finds out that the package is not compiled there at all. This should hopefully lead to line removal from skippackages.
There was a problem hiding this comment.
What about using //go:build !remote? The remote is a remote client. Am I right?
There was a problem hiding this comment.
//go:build !remote or //go:build !windows have the same effect (on windows) and don't fix the problem.
jankaluza
force-pushed
the
25104-pidfs
branch
6 times, most recently
from
60b35dd to
16d020a
Compare
|
@Luap99 , btw, this one is ready for another review, but no rush :-). |
jankaluza
force-pushed
the
25104-pidfs
branch
3 times, most recently
from
d4581c2 to
50e2c41
Compare
When container is being removed, podman iterates through its exec sessions and checks whether exec session pid is still alive. The problem is that the pid can be reused for other processes, so that it may not belong to exec session. In this scenario podman may kill another process This commit prevents it by doing following changes: - Adds the PIDData string to ExecSession struct. This string is used to store additional context for a PID to later verify that the PID killed by the podman is really the one started by it. - Adds new package called pidhandle which implements the methods generating the PIDData, and killing the PID with the PIDData ensuring the right PID is killed by verifying the metadata. The new code uses pidfd_open and name_to_handle_at when available. It fallbacks to process start-time get using the gopsutil package. Fixes: containers#25104 Signed-off-by: Jan Kaluza <[email protected]>
| return newFileHandle(255, []byte("test")), 1, nil | ||
| } | ||
|
|
||
| h, err := NewPIDHandleFromString(os.Getpid(), nameToHandlePrefix+"254 74657374") |
There was a problem hiding this comment.
if you are going to push a new version, could you add a test for the empty string?
openshift-ci
bot
added
the
approved
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: giuseppe, jankaluza, Luap99 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
When container is being removed, podman iterates
through its exec sessions and checks whether exec
session pid is still alive.
The problem is that the pid can be reused for other processes, so that it may not belong to exec session.
In this scenario podman may kill another process
This commit prevents it by doing following changes:
Fixes: #25104
Does this PR introduce a user-facing change?