From b440fdb692995b833ce99d08dad4917cd4a084cc Mon Sep 17 00:00:00 2001 From: Peter Hunt Date: Wed, 8 Sep 2021 11:26:17 -0400 Subject: [PATCH 1/2] oci: call wait on conmon if cgroup move fails if we fail to move conmon to a cgroup, we still need to call Wait() on the process, or else we will leak a child Signed-off-by: Peter Hunt --- internal/oci/runtime_oci.go | 3 +++ 1 file changed, 3 insertions(+) diff --git a/internal/oci/runtime_oci.go b/internal/oci/runtime_oci.go index fcf649062d7..d4cd6cedee6 100644 --- a/internal/oci/runtime_oci.go +++ b/internal/oci/runtime_oci.go @@ -159,6 +159,9 @@ func (r *runtimeOCI) CreateContainer(c *Container, cgroupParent string) (retErr // Platform specific container setup if err := r.createContainerPlatform(c, cgroupParent, cmd.Process.Pid); err != nil { + if waitErr := cmd.Wait(); waitErr != nil { + return errors.Wrap(err, waitErr.Error()) + } return err } From 826801ef545f0bfd123df93b7ff33c21bfaa5fc1 Mon Sep 17 00:00:00 2001 From: Peter Hunt Date: Wed, 8 Sep 2021 11:33:32 -0400 Subject: [PATCH 2/2] call cmd.Wait() in all cases we call Start() or else we will leak a pid Signed-off-by: Peter Hunt --- internal/oci/runtime_oci.go | 3 +++ internal/storage/image.go | 3 +++ 2 files changed, 6 insertions(+) diff --git a/internal/oci/runtime_oci.go b/internal/oci/runtime_oci.go index d4cd6cedee6..a65b0acf082 100644 --- a/internal/oci/runtime_oci.go +++ b/internal/oci/runtime_oci.go @@ -302,6 +302,9 @@ func (r *runtimeOCI) ExecContainer(ctx context.Context, c *Container, cmd []stri // The read side of the pipe should be closed after the container process has been started. if r != nil { if err := r.Close(); err != nil { + if waitErr := execCmd.Wait(); waitErr != nil { + return errors.Wrap(err, waitErr.Error()) + } return err } } diff --git a/internal/storage/image.go b/internal/storage/image.go index d48e47c4daa..99ebe548e35 100644 --- a/internal/storage/image.go +++ b/internal/storage/image.go @@ -571,6 +571,9 @@ func (svc *imageService) copyImage(systemContext *types.SystemContext, imageName } if err := json.NewEncoder(stdin).Encode(&stdinArguments); err != nil { stdin.Close() + if waitErr := cmd.Wait(); waitErr != nil { + return errors.Wrap(err, waitErr.Error()) + } return errors.Wrap(err, "json encode to pipe failed") } stdin.Close()