runc-shim: fix races/prevent init exits from being dropped

[laurazard]

Based off of #10647 and #10634 (and with inspiration from #10650), replaced s.pendingExecs with s.runningExecs. The logic is changed to keep track of running execs instead of pending execs, and handling a pending/prestarted exec the same as a running exec, which significantly simplifies the shim exit processing logic.

closes #10589

---

This PR rewrites and simplifies a lot of the shim exit processing logic to reduce it's complexity, and also handle the case where the container doesn't have it's own pid-namespace, which means that we're not guaranteed to receive the init exit last.

This is achieved by replacing s.pendingExecs with s.runningExecs, for which both (previously) pending and de facto running execs are considered.

The new exit handling logic can be summed up by:

• when we receive an init exit, stash it it in s.containerInitExit, and if a container's init process has exited, refuse new execs.
• (if the container does not have it's own pidns) kill all running processes (if the container has a private pid-namespace, then all processes will be dead already).
• wait for the container's running exec count (which includes execs which have been started but might still early exit) to get to 0.
• publish the stashed away init exit.

The issue with init exits being dropped if new execs keep coming in is resolved by refusing new execs after the container's init process has exited.

Big thanks to both @corhere for the guidance and discussion and @samuelkarp for the input, discussion and repro in #10649.

[corhere]

I like it!

[laurazard]

/cc @samuelkarp @dmcgowan

[dims]

LGTM, looks like @cpuguy83 has a few more comments

[ningmingxiao]

func (e *execProcess) start(ctx context.Context) (err error) {
	// The reaper may receive exit signal right after
	// the container is started, before the e.pid is updated.
	// In that case, we want to block the signal handler to
	// access e.pid until it is updated.
	e.pid.Lock()
	defer e.pid.Unlock()

	var (
		socket  *runc.Socket
		pio     *processIO
		pidFile = newExecPidFile(e.path, e.id)
	)
	if e.stdio.Terminal {
		if socket, err = runc.NewTempConsoleSocket(); err != nil {
			return fmt.Errorf("failed to create runc console socket: %w", err)
		}
		defer socket.Close()
	} else {
		if pio, err = createIO(ctx, e.id, e.parent.IoUID, e.parent.IoGID, e.stdio); err != nil {
			return fmt.Errorf("failed to create init process I/O: %w", err)
		}
		e.io = pio
	}
	opts := &runc.ExecOpts{
		PidFile: pidFile.Path(),
		Detach:  true,
	}
	if pio != nil {
		opts.IO = pio.IO()
	}
	if socket != nil {
		opts.ConsoleSocket = socket
	}
	if err := e.parent.runtime.Exec(ctx, e.parent.id, e.spec, opts); err != nil {
		close(e.waitBlock)
		return e.parent.runtimeError(err, "OCI runtime exec failed")
	}
	if e.stdio.Stdin != "" {
		if err := e.openStdin(e.stdio.Stdin); err != nil {
			return err
		}
	}
	ctx, cancel := context.WithTimeout(ctx, 30*time.Second)
	defer cancel()
	if socket != nil {
		console, err := socket.ReceiveMaster()
		if err != nil {
			return fmt.Errorf("failed to retrieve console master: %w", err)
		}
		if e.console, err = e.parent.Platform.CopyConsole(ctx, console, e.id, e.stdio.Stdin, e.stdio.Stdout, e.stdio.Stderr, &e.wg); err != nil {
			return fmt.Errorf("failed to start console copy: %w", err)
		}
	} else {
		if err := pio.Copy(ctx, &e.wg); err != nil {
			return fmt.Errorf("failed to start io pipe copy: %w", err)
		}
	}
	pid, err := pidFile.Read()
	if err != nil {
		return fmt.Errorf("failed to retrieve OCI runtime exec pi: %wd", err)
	}
	e.pid.pid = pid
	return nil
}

line 297 s.runningExecs[container]--
after e.parent.runtime.Exec is called (if e.parent.runtime.Exec is ok, runc exec ok) but after "e.parent.runtime.Exec" may generate other error, s.runningExecs[container] may reduce to wrong value. maybe we should record exec process pid.

[dims]

LGTM

[samuelkarp]

/cherrypick release/1.7

[k8s-infra-cherrypick-robot]

@samuelkarp: once the present PR merges, I will cherry-pick it on top of release/1.7 in a new PR and assign it to you.

Details

In response to this:

/cherrypick release/1.7

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[dims]

xref: #10603

[k8s-infra-cherrypick-robot]

@samuelkarp: #10651 failed to apply on top of branch "release/1.7":

Applying: runc-shim: remove misleading comment
Using index info to reconstruct a base tree...
A	cmd/containerd-shim-runc-v2/task/service.go
Falling back to patching base and 3-way merge...
Auto-merging runtime/v2/runc/task/service.go
Applying: runc-shim: refuse to start execs after init exits
Using index info to reconstruct a base tree...
A	cmd/containerd-shim-runc-v2/task/service.go
Falling back to patching base and 3-way merge...
Auto-merging runtime/v2/runc/task/service.go
Applying: runc-shim: handle pending execs as running
Using index info to reconstruct a base tree...
A	cmd/containerd-shim-runc-v2/task/service.go
Falling back to patching base and 3-way merge...
Auto-merging runtime/v2/runc/task/service.go
CONFLICT (content): Merge conflict in runtime/v2/runc/task/service.go
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
Patch failed at 0003 runc-shim: handle pending execs as running
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".

Details

In response to this:

/cherrypick release/1.7

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[laurazard]

Opened backports: #10676 and #10675.