Merge pull request #36853 from verb/init

Automatic merge from submit-queue (batch tested with PRs 39446, 40023, 36853) Add SIGCHLD handler to pause container **What this PR does / why we need it**: This allows pause to reap orphaned zombies in a shared PID namespace. (#1615) **Special notes for your reviewer**: I plan to discuss this with SIG Node to ensure compatibility with future runtimes. **Release note**: This will have no effect until shared PID namespace is enabled, so recommend release-note-none. This allows pause to reap zombies in the upcoming Shared PID namespace (#1615). Uses the better defined sigaction() instead of signal() for all signals both for consistency (SIGCHLD handler avoids SA_RESTART) and to avoid the implicit signal()->sigaction() translation of various libc versions. Also makes warnings errors and includes a tool to make orphaned zombies for manual testing.
2025-10-31 02:08:13 +00:00 · 2017-01-19 18:53:49 -08:00
parent 71802d2dc1 68262ad5f4
commit 4f8f6006cf
3 changed files with 75 additions and 12 deletions
--- a/build/pause/Makefile
+++ b/build/pause/Makefile
@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

-.PHONY: all push push-legacy container clean
+.PHONY: all push push-legacy container clean orphan

 REGISTRY ?= gcr.io/google_containers
 IMAGE = $(REGISTRY)/pause-$(ARCH)
@@ -25,7 +25,7 @@ ARCH ?= amd64

 ALL_ARCH = amd64 arm arm64 ppc64le s390x

-CFLAGS = -Os -Wall -static
+CFLAGS = -Os -Wall -Werror -static
 KUBE_CROSS_IMAGE ?= gcr.io/google_containers/kube-cross
 KUBE_CROSS_VERSION ?= $(shell cat ../build-image/cross/VERSION)

@@ -97,5 +97,16 @@ ifeq ($(ARCH),amd64)
 endif
 	touch $@

+# Useful for testing, not automatically included in container image
+orphan: bin/orphan-$(ARCH)
+bin/orphan-$(ARCH): orphan.c
+	mkdir -p bin
+	docker run -u $$(id -u):$$(id -g) -v $$(pwd):/build \
+		$(KUBE_CROSS_IMAGE):$(KUBE_CROSS_VERSION) \
+		/bin/bash -c "\
+			cd /build && \
+			$(TRIPLE)-gcc $(CFLAGS) -o $@ $^ && \
+			$(TRIPLE)-strip $@"
+
 clean:
 	rm -rf .container-* .push-* bin/
--- a/build/pause/orphan.c
+++ b/build/pause/orphan.c
@@ -0,0 +1,36 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+/* Creates a zombie to be reaped by init. Useful for testing. */
+
+#include <stdio.h>
+#include <unistd.h>
+
+int main() {
+  pid_t pid;
+  pid = fork();
+  if (pid == 0) {
+    while (getppid() > 1)
+      ;
+    printf("Child exiting: pid=%d ppid=%d\n", getpid(), getppid());
+    return 0;
+  } else if (pid > 0) {
+    printf("Parent exiting: pid=%d ppid=%d\n", getpid(), getppid());
+    return 0;
+  }
+  perror("Could not create child");
+  return 1;
+}
--- a/build/pause/pause.c
+++ b/build/pause/pause.c
@@ -17,20 +17,36 @@ limitations under the License.
 #include <signal.h>
 #include <stdio.h>
 #include <stdlib.h>
+#include <sys/types.h>
+#include <sys/wait.h>
 #include <unistd.h>

 static void sigdown(int signo) {
-	psignal(signo, "shutting down, got signal");
-	exit(0);
+  psignal(signo, "Shutting down, got signal");
+  exit(0);
+}
+
+static void sigreap(int signo) {
+  while (waitpid(-1, NULL, WNOHANG) > 0)
+    ;
 }

 int main() {
-	if (signal(SIGINT, sigdown) == SIG_ERR)
-		return 1;
-	if (signal(SIGTERM, sigdown) == SIG_ERR)
-		return 2;
-	signal(SIGKILL, sigdown);
-	for (;;) pause();
-	fprintf(stderr, "error: infinite loop terminated\n");
-	return 42;
+  if (getpid() != 1)
+    /* Not an error because pause sees use outside of infra containers. */
+    fprintf(stderr, "Warning: pause should be the first process in a pod\n");
+
+  if (sigaction(SIGINT, &(struct sigaction){.sa_handler = sigdown}, NULL) < 0)
+    return 1;
+  if (sigaction(SIGTERM, &(struct sigaction){.sa_handler = sigdown}, NULL) < 0)
+    return 2;
+  if (sigaction(SIGCHLD, &(struct sigaction){.sa_handler = sigreap,
+                                             .sa_flags = SA_NOCLDSTOP},
+                NULL) < 0)
+    return 3;
+
+  for (;;)
+    pause();
+  fprintf(stderr, "Error: infinite loop terminated\n");
+  return 42;
 }