Merge pull request #4727 from rhatdan/pidns

if container is not in a pid namespace, stop all processes
2019-12-20 12:13:22 +01:00 · 2019-12-20 12:13:22 +01:00 · e33d7e9fab
parent 1ba6d0f883 123b8c627d
commit e33d7e9fab
4 changed files with 23 additions and 6 deletions
--- a/libpod/container_api.go
+++ b/libpod/container_api.go
@ -183,7 +183,7 @@ func (c *Container) StopWithTimeout(timeout uint) error {
 		return errors.Wrapf(define.ErrCtrStateInvalid, "can only stop created or running containers. %s is in state %s", c.ID(), c.state.State.String())
 	}
-	return c.stop(timeout, false)
+	return c.stop(timeout)
 }
 // Kill sends a signal to a container
@ -715,7 +715,7 @@ func (c *Container) Refresh(ctx context.Context) error {
 	// Next, if the container is running, stop it
 	if c.state.State == define.ContainerStateRunning {
-		if err := c.stop(c.config.StopTimeout, false); err != nil {
+		if err := c.stop(c.config.StopTimeout); err != nil {
 			return err
 		}
 	}
--- a/libpod/container_internal.go
+++ b/libpod/container_internal.go
@ -1129,9 +1129,14 @@ func (c *Container) start() error {
 }
 // Internal, non-locking function to stop container
-func (c *Container) stop(timeout uint, all bool) error {
+func (c *Container) stop(timeout uint) error {
 	logrus.Debugf("Stopping ctr %s (timeout %d)", c.ID(), timeout)
 	// If the container is running in a PID Namespace, then killing the
 	// primary pid is enough to kill the container.  If it is not running in
 	// a pid namespace then the OCI Runtime needs to kill ALL processes in
 	// the containers cgroup in order to make sure the container is stopped.
 	all := !c.hasNamespace(spec.PIDNamespace)
 	// We can't use --all if CGroups aren't present.
 	// Rootless containers with CGroups v1 and NoCgroups are both cases
 	// where this can happen.
@ -1225,7 +1230,7 @@ func (c *Container) restartWithTimeout(ctx context.Context, timeout uint) (err e
 	if c.state.State == define.ContainerStateRunning {
 		conmonPID := c.state.ConmonPID
-		if err := c.stop(timeout, false); err != nil {
+		if err := c.stop(timeout); err != nil {
 			return err
 		}
 		// Old versions of conmon have a bug where they create the exit file before
@ -1895,3 +1900,15 @@ func (c *Container) reapExecSessions() error {
 	}
 	return lastErr
 }
 func (c *Container) hasNamespace(namespace spec.LinuxNamespaceType) bool {
 	if c.config.Spec == nil || c.config.Spec.Linux == nil {
 		return false
 	}
 	for _, n := range c.config.Spec.Linux.Namespaces {
 		if n.Type == namespace {
 			return true
 		}
 	}
 	return false
 }
--- a/libpod/pod_api.go
+++ b/libpod/pod_api.go
@ -123,7 +123,7 @@ func (p *Pod) StopWithTimeout(ctx context.Context, cleanup bool, timeout int) (m
 		if timeout > -1 {
 			stopTimeout = uint(timeout)
 		}
-		if err := ctr.stop(stopTimeout, false); err != nil {
+		if err := ctr.stop(stopTimeout); err != nil {
 			ctr.lock.Unlock()
 			ctrErrors[ctr.ID()] = err
 			continue
--- a/libpod/runtime_ctr.go
+++ b/libpod/runtime_ctr.go
@ -463,7 +463,7 @@ func (r *Runtime) removeContainer(ctx context.Context, c *Container, force bool,
 	// Check that the container's in a good state to be removed
 	if c.state.State == define.ContainerStateRunning {
-		if err := c.stop(c.StopTimeout(), true); err != nil {
+		if err := c.stop(c.StopTimeout()); err != nil {
 			return errors.Wrapf(err, "cannot remove container %s as it could not be stopped", c.ID())
 		}
 	}