From ecfbc6f3247448df8c297dca8c32ce7aea18656a Mon Sep 17 00:00:00 2001
From: Matthew Heon <matthew.heon@pm.me>
Date: Wed, 31 Aug 2022 10:58:06 -0400
Subject: Inhibit SIGTERM during Conmon startup
If we get a SIGTERM immediately after Conmon starts but before we
record its PID in the database, we end up leaking a Conmon and
associated OCI runtime process. Inhibit shutdown using the logic
we originally wrote to prevent similar issues during container
creation to prevent this problem.
[NO NEW TESTS NEEDED] No real way to test this I can think of.
Fixes #15557
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
---
libpod/container_internal.go | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/libpod/container_internal.go b/libpod/container_internal.go
index bad68991b..438f24ff0 100644
--- a/libpod/container_internal.go
+++ b/libpod/container_internal.go
@@ -27,6 +27,7 @@ import (
cutil "github.com/containers/common/pkg/util"
"github.com/containers/podman/v4/libpod/define"
"github.com/containers/podman/v4/libpod/events"
+ "github.com/containers/podman/v4/libpod/shutdown"
"github.com/containers/podman/v4/pkg/ctime"
"github.com/containers/podman/v4/pkg/lookup"
"github.com/containers/podman/v4/pkg/rootless"
@@ -1049,6 +1050,13 @@ func (c *Container) init(ctx context.Context, retainRetries bool) error {
}
}
+ // To ensure that we don't lose track of Conmon if hit by a SIGTERM
+ // in the middle of setting up the container, inhibit shutdown signals
+ // until after we save Conmon's PID to the state.
+ // TODO: This can likely be removed once conmon-rs support merges.
+ shutdown.Inhibit()
+ defer shutdown.Uninhibit()
+
// With the spec complete, do an OCI create
if _, err = c.ociRuntime.CreateContainer(c, nil); err != nil {
return err
@@ -1084,6 +1092,7 @@ func (c *Container) init(ctx context.Context, retainRetries bool) error {
if err := c.save(); err != nil {
return err
}
+
if c.config.HealthCheckConfig != nil {
if err := c.createTimer(); err != nil {
logrus.Error(err)
--
cgit v1.2.3-54-g00ecf