@@ -124,6 +124,7 @@ type Server struct {
124124 listeners map [net.Listener ]struct {}
125125 conns map [net.Conn ]struct {}
126126 sessions map [ssh.Session ]struct {}
127+ processes map [* os.Process ]struct {}
127128 closing chan struct {}
128129 // Wait for goroutines to exit, waited without
129130 // a lock on mu but protected by closing.
@@ -182,6 +183,7 @@ func NewServer(ctx context.Context, logger slog.Logger, prometheusRegistry *prom
182183 fs : fs ,
183184 conns : make (map [net.Conn ]struct {}),
184185 sessions : make (map [ssh.Session ]struct {}),
186+ processes : make (map [* os.Process ]struct {}),
185187 logger : logger ,
186188
187189 config : config ,
@@ -586,7 +588,10 @@ func (s *Server) startNonPTYSession(logger slog.Logger, session ssh.Session, mag
586588 // otherwise context cancellation will not propagate properly
587589 // and SSH server close may be delayed.
588590 cmd .SysProcAttr = cmdSysProcAttr ()
589- cmd .Cancel = cmdCancel (session .Context (), logger , cmd )
591+
592+ // to match OpenSSH, we don't actually tear a non-TTY command down, even if the session ends.
593+ // c.f. https://github.com/coder/coder/issues/18519#issuecomment-3019118271
594+ cmd .Cancel = nil
590595
591596 cmd .Stdout = session
592597 cmd .Stderr = session .Stderr ()
@@ -609,6 +614,16 @@ func (s *Server) startNonPTYSession(logger slog.Logger, session ssh.Session, mag
609614 s .metrics .sessionErrors .WithLabelValues (magicTypeLabel , "no" , "start_command" ).Add (1 )
610615 return xerrors .Errorf ("start: %w" , err )
611616 }
617+
618+ // Since we don't cancel the process when the session stops, we still need to tear it down if we are closing. So
619+ // track it here.
620+ if ! s .trackProcess (cmd .Process , true ) {
621+ // must be closing
622+ err = cmdCancel (logger , cmd .Process )
623+ return xerrors .Errorf ("failed to track process: %w" , err )
624+ }
625+ defer s .trackProcess (cmd .Process , false )
626+
612627 sigs := make (chan ssh.Signal , 1 )
613628 session .Signals (sigs )
614629 defer func () {
@@ -1052,6 +1067,27 @@ func (s *Server) trackSession(ss ssh.Session, add bool) (ok bool) {
10521067 return true
10531068}
10541069
1070+ // trackCommand registers the process with the server. If the server is
1071+ // closing, the process is not registered and should be closed.
1072+ //
1073+ //nolint:revive
1074+ func (s * Server ) trackProcess (p * os.Process , add bool ) (ok bool ) {
1075+ s .mu .Lock ()
1076+ defer s .mu .Unlock ()
1077+ if add {
1078+ if s .closing != nil {
1079+ // Server closed.
1080+ return false
1081+ }
1082+ s .wg .Add (1 )
1083+ s .processes [p ] = struct {}{}
1084+ return true
1085+ }
1086+ s .wg .Done ()
1087+ delete (s .processes , p )
1088+ return true
1089+ }
1090+
10551091// Close the server and all active connections. Server can be re-used
10561092// after Close is done.
10571093func (s * Server ) Close () error {
@@ -1091,6 +1127,10 @@ func (s *Server) Close() error {
10911127 _ = c .Close ()
10921128 }
10931129
1130+ for p := range s .processes {
1131+ _ = cmdCancel (s .logger , p )
1132+ }
1133+
10941134 s .logger .Debug (ctx , "closing SSH server" )
10951135 err := s .srv .Close ()
10961136
0 commit comments