Fix container exit detection when process is not a child of conmon in systemd scope environments

[jnovy]

When container processes are not direct children of conmon conmon fails to detect container exits because it never receives SIGCHLD signals.

This fixes issue where conmon processes remain running after container exit in certain systemd cgroup manager configurations.

Fixes: #545

[giuseppe]

how would this happen?

conmon is setting set_subreaper() so that any child process, even not direct, is reported to conmon

[jnovy]

It seems subreaper handles the normal case where process re-parenting works as expected. The problem is that in some systemd configurations, even with subreaper set container processes may not become direct children of conmon.

[giuseppe]

It seems subreaper handles the normal case where process re-parenting works as expected. The problem is that in some systemd configurations, even with subreaper set container processes may not become direct children of conmon.

how would that happen? conmon runs the OCI runtime that in turns runs the container. Every container process is a descendant of conmon

[giuseppe]

does it break when there are exec sessions?

[jnovy]

Good catch! Let me add some bits to handle this.

[jnovy]

@giuseppe Is it better now? Or is there anything else I missed?

[giuseppe]

I am not really a fan of the probe part, can we understand how that configuration happens? Because conmon should get the signal, even with exec sessions (the container exits, all the processes in the pid namespace are killed and their parent gets the sigchld)

[jnovy]

Normally this would be the expected state:

systemd
  - crio-conmon-xxx.scope
    - conmon (subreaper)
      - OCI runtime (create_pid)
        - container process

But what happens in the case described in the issue is:

systemd
  - crio-conmon-xxx.scope
    - conmon (subreaper - isolated from container)
      - OCI runtime (create_pid, exits normally)
  - crio-xxx.scope
    - container process (moved by systemd, no longer child of conmon) 

So systemd moves the container process to the new scope after OCI runtime creates it but before OCI runtime exits. This seems to be why conmon receives the runtime exit signal (from runtime) but misses the container exit signal.

Does it make it any more clear?

[giuseppe]

how does the cgroup affect the parent->child relationship? I don't think it should matter in what cgroup the process ends up, it should still be reported to the conmon (assuming set_reaper() was used correctly) used for the exec session.

You can verify it by running podman run ...., then do podman exec ... and find in the process list the exec'ed process:

$ podman exec -lti sleep 12345 &
$ grep -i ppid /proc/$(pgrep -f 12345 | tail -n1)/status
PPid:   380778

and PPid is the conmon process.

[jnovy]

Ok, let's keep the fix minimal - I removed the probe and left only the main part. @giuseppe PTAL

[giuseppe]

I am ok with this extra check but I still don't understand how we could end up in this situation, unless the OCI runtime is misbehaving. Could we adjust the comment that mentions the process not being a child of conmon?

LGTM

[jnovy]

Comment adjusted, thanks!