Shim leak on recovery: `is_same_process` rejects live shim, leaves orphan holding host ports

[G4614]

Summary

Every boxlite invocation after boxlite run -d triggers recovery, which misdetects the live shim as dead, deletes its PID file, and marks the box Stopped — without killing the actual shim process. Subsequent boxlite exec then spawns a fresh shim, leaving the original as an orphan that still holds host TCP ports (from image EXPOSE), vsock channels, file handles, and the box's full --memory allocation.

For most workloads this is a silent leak (RAM accumulates, top eventually shows N zombie boxlite-shim processes). For images with EXPOSE directives (docker:dind, anything with TCP ports), the leaked shim blocks the next box's gvproxy from binding the same host port → EADDRINUSE → gvproxy fails to create the virtual network → entire box has no outbound network (ARP probes go nowhere). This is what blocks test:integration:dind from passing on a host that has previously run any dind box.

Reproduction

boxlite run -d --name a docker:dind sleep infinity  # spawns shim, binds host :2375 :2376
boxlite ls                                          # recovery fires; pid file removed, box marked Stopped
                                                    # shim still alive, still binding :2375 :2376
boxlite rm -f a                                     # state record removed; shim STILL alive
ss -tlnp | grep 2375                                # → libkrun VM pid=XXXXX, orphan

# Now any dind box fails:
make test:integration:dind  # → DNS timeout, ARP INCOMPLETE, build fails

Workaround until fixed: pkill -9 boxlite-shim between runs.

Root cause

Two pieces of code with an implicit contract that doesn't hold:

vmm/controller/spawn.rs:91 — shim is deliberately spawned without CLI args so secret config (sent via stdin pipe) never lands in world-readable /proc/<pid>/cmdline:

// 4. Build isolated command — no CLI args, config sent via stdin pipe
let no_args: &[String] = &[];
let mut cmd = jail.command(self.binary_path, no_args);

util/process.rs:283 — is_same_process_linux validates ownership by checking cmdline contains box_id:

args.iter().any(|arg| arg.contains("boxlite-shim")) && cmdline.contains(box_id)
//                                                    ^^^^^^^^^^^^^^^^^^^^^^^^^
//                                                    always false (cmdline has no args)

cmdline.contains(box_id) is always false because spawn never put box_id there → is_same_process always returns false for live shims → recovery at rt_impl.rs:1196 hits the else branch that deletes the pid file and marks the box Stopped. The shim itself is not signalled, so it keeps running, keeps holding its resources, and is no longer tracked by the runtime.

Box process dead, cleaned up stale PID file is the visible signature in the logs.

Impact

• --memory-sized RAM leak per run -d + ls/exec: 4 dind boxes with --memory 2048 leak 8 GB even if user thinks they were all removed
• Per-box exec after run -d silently spawns a fresh shim: in-memory state of original box is lost; user thinks they're talking to same box but they're not (acutely bad for dockerd-style stateful PID 1)
• Visible failure for EXPOSE-having images: next box of same image (or with same port mapping) gets EADDRINUSE; gvproxy fails silently; entire VM has no outbound network; symptom looks like "boxlite doesn't support docker:dind" but is actually leak-driven port collision

Suggested fix

Pass box_id as the sole argv to shim (box_id is a short random identifier, not sensitive — unlike the config which keeps stdin transport):

// vmm/controller/spawn.rs
let args = [self.box_id.to_string()];
let mut cmd = jail.command(self.binary_path, &args);

shim's main doesn't need to read the arg; it's purely there so /proc/<pid>/cmdline carries it for is_same_process to validate. ~3 lines of code.

After this fix:

• Recovery correctly identifies live shims → no false Stopped → no orphan creation on exec
• boxlite stop/rm paths already work (they read pid file → SIGTERM → graceful)
• test:integration:dind passes deterministically (no manual pkill needed between runs)

Verified locally: shim cmdline becomes /path/to/boxlite-shim <box_id>, recovery passes, repeated run -d/exec/rm cycles leave no orphans, make test:integration:dind passes on fresh host state without pkill between runs.

[G4614]

Additional evidence from make test:integration:cli on m8i.4xlarge / kernel 7.0.0-1004-aws today — this leak isn't only a "RAM accumulates + dind port collision" problem. In sufficiently parallel integration runs it accumulates fast enough to take the host down.

Per-test accumulation (measured)

Bisected src/cli/tests/exec.rs by running each of its 18 cases individually with resource snapshots between runs. All 18 PASSED individually with host stable, but state grew monotonically:

Δ per microVM test
live boxlite-shim procs (PPid=1, holding anon_inode:kvm-vm + 4× anon_inode:kvm-vcpu)	+2
Dirty: pagecache	+4 to +9 GB (fresh mke2fs ext4 image + 386 MB shim/guest blob, no flush between cases)
FileHugePages:	accumulates with libkrun guest RAM mapping per leaked shim
losetup loop devices (box rootfs attachments)	persists across cases
MemAvailable:	−0.5 to −1 GB

This is exactly the cmdline-mismatch path described in the issue body — the shim survives, kvm-vm + vCPU fds stay held, so does the guest RAM mapping and the box's loop-device-backed rootfs. None of it is reclaimed until a process exit that never comes.

Cumulative consequence: AWS Nitro silently resets the VM

Under cargo nextest --profile vm (test-threads=4) the leak rate × 4 workers + nested KVM saturation + Dirty: writeback queue saturating EBS hits whatever quota Nitro uses to declare the EC2 VM misbehaving. We observed 3 silent host hard-resets today during full integration runs, ~12-97 cases into the suite:

• CloudTrail Event history: zero StopInstances / RebootInstances / RebootInstances API calls on the instance for the day
• CloudWatch StatusCheckFailed_{System,Instance}: all 0 across the reset windows (Nitro's view: never failed)
• last -x reboot: empty. journalctl --list-boots shows the boot transitions but no shutdown trail in any of the prior boots — journald didn't get to flush before the reset
• All kernel panic sysctls are 0; boot cmdline has no panic= — even kernel panic alone couldn't have rebooted the host
• Truncation pattern: log files cut off mid-test with ext4 null-byte page-cache padding ⇒ writeback in flight when the VM dropped

The only remaining explanation is a hypervisor-layer reset (Nitro), which matches the leak-amplified resource saturation profile.

Practical workflow impact

• ~3 hours lost today chasing "AWS host hardware issue" before instrumentation between bisect iterations made the +2 procs / +N GB Dirty per test obvious.
• Tests that individually pass become uncovenanted in a full suite run — including tests/rm.rs::test_rm_force_running, which deterministically fails because the same is_same_process rejection that creates this leak also makes boxlite rm <running-box> succeed without --force (the recovery branch marks the box Stopped and lets rm through; contract violation for "can't remove a running box without --force").
• Workaround that unblocked --privileged (feat: opt-in --privileged for in-box privileged execution (dind support) #568) integration work today: pkill -9 boxlite-shim && losetup -D between runs, plus avoiding the full 242-case run.

Fix

The 3-line spawn.rs change in the issue body matches what's already in our worktree as "Verified locally" — extracting it now to a focused PR with a deterministic reproducer (assert no libkrun VM proc residual + no orphan loop device after BoxTestBase::new().await + drop). Will link here when up.

Related, possibly downstream of this one: #523 (daemon-wide SIGCHLD reaper), #434 (listInfo reports detached boxes as stopped while live), #469 (flaky parallel exec tests).

[G4614]

@DorianZheng The machine-hang problems is confirmed as OOM problems, the root reason is shim not released after the boxlite lifecycle, but I think the detach rules are designed to keep the box alive when any planned exit occurs, so I need to ask how to treat this situation

[G4614]

Surfaced a related-but-distinct EADDRINUSE failure mode while debugging make test:integration:dind on feat/privileged-with-gvproxy-fix: two concurrent live boxes of the same EXPOSE'd image hit the same symptom — no orphan shim involved. The cmdline-validation fix here addresses the recovery-orphan path; this case sits on top of it and the suite still won't be deterministic without a second fix.

Repro

Nextest's default scheduling starts dind_supports_docker_build and dind_compose_multi_service_network ~7 ms apart on the same host. Both boxes are alive; neither is leaked.

Instrumented gvproxy-bridge/main.go with fmt.Fprintf(os.Stderr, "BOXLITE-PROBE …\n") at every step. Second box's shim.stderr:

BOXLITE-PROBE create-entry  id=1 socket=…/net.sock pid=391623
BOXLITE-PROBE listen-ok     id=1 path=…/net.sock
BOXLITE-PROBE create-return id=1
[shim] entering VM (krun_start_enter)
[krun] krun_start_enter called
# (no accept-wait, no accept-ok, no qemu-start)

boxlite-shim.log.<date> shows the missing goroutine:

ERROR gvproxy: Failed to create virtual network
  error=cannot add network services: listen tcp 0.0.0.0:2376: bind: address already in use
  id=1

virtualnetwork.New(tapConfig) runs in a goroutine launched after the FFI returned, so Rust gets id=1 and proceeds. libkrun connects to net.sock, ships virtio-net frames into a userspace black hole, guest sees i/o timeout on 192.168.127.1:53 for the entire run.

Root cause for this variant

src/boxlite/src/litebox/init/tasks/vmm_spawn.rs:320-323 auto-maps every image EXPOSE port to the identical host port with no conflict check:

for port in container_image_config.tcp_ports() {
    if !user_guest_ports.contains(&port) {
        port_map.insert(port, port);   // host_port == guest_port, no dedup across live boxes
    }
}

Any two concurrent boxes whose EXPOSE sets overlap collide on bind(). Verified: --test-threads=1 -E 'test(~dind_)' passes both tests deterministically; default scheduling always fails one.

Suggested follow-ups (orthogonal to the cmdline fix)

1. Fail loud at the FFI boundary. gvproxy_create should synchronize the virtualnetwork.New step (at minimum the host port bind) so Rust sees EADDRINUSE immediately, instead of getting a usable-looking instance ID for a network-less box.
2. Don't hardcode host_port == guest_port for auto-EXPOSE. Either let the kernel allocate (host_port = 0, surface the assigned port back to the user) or skip individual conflicting mappings with a warning. Auto-EXPOSE is a convenience — the box shouldn't be unusable because of it.

Happy to split these into a separate issue if cleaner — flagging here since #565's fix is necessary but not sufficient for test:integration:dind under nextest defaults.

[G4614]

Fixed by #590 — thanks @DorianZheng for the fix, and @zxyasfas for the design direction in #492.

The ProcessIdentity (PID + start_time fingerprint) approach is strictly stronger than the argv-roundtrip I proposed here: no PID-reuse window.