This issue is intended to be a place to discuss what's the best approach on this matter.
As it is right now, if we run a program with runc, and that program exits, then we have a dangling VFS root context (or other resources that might not be cleaned up automatically) that nobody uses anymore, but nothing is responsible to clean it up in such case.
The solutions I have in my mind:
Let the exiting program to do this job. Only works if it's not jailed though, because when a process is jailed it can't do this kind of job.
Add a mechanism in runc to wait for the containerized program to exit and clean the resources afterwards.
This will require using runc as a daemon (or even adding something like containerd?). The running container should be invoked separately, maybe with #24764 being in, we could do the jailing part in the new process and not in runc.
Add a kernel mechanism to auto-clean resources if nothing uses them. Could be useful but should be a knob and not a requirement.
Maybe there are more options so feedback on this topic is appreciated :)
This issue is intended to be a place to discuss what's the best approach on this matter.
As it is right now, if we run a program with
runc
, and that program exits, then we have a dangling VFS root context (or other resources that might not be cleaned up automatically) that nobody uses anymore, but nothing is responsible to clean it up in such case.The solutions I have in my mind:
runc
to wait for the containerized program to exit and clean the resources afterwards. This will require usingrunc
as a daemon (or even adding something likecontainerd
?). The running container should be invoked separately, maybe with #24764 being in, we could do the jailing part in the new process and not inrunc
.Maybe there are more options so feedback on this topic is appreciated :)