Open lbernail opened 3 years ago
@AkihiroSuda Can we use a cgroup to make sure this doesn't happen?
No, we can't write cgroup
I guess supporting runsc
would be more realistic solution.
(Ideally we should be able to run buildkitd
inside runsc
, but in this context I'm just talking about using runsc
as the binary for the OCI worker of buildkitd
running inside a plain old runc
container)
@AkihiroSuda could cgroupv2 help here? It seems some controllers are available to unprivileged users and some can be delegated to unprivileged users
When running rootless with
--oci-worker-no-process-sandbox
we have noticed that builds can end leaking processes and create issues for following builds.Here is an example Dockerfile:
and script.sh
When running rootless with
--oci-worker-no-process-sandbox
here is what happens:echo "Script done"
and never gets to the following step in the DockerfileIn addition, killing the leaked process leaves a zombie
If we run rootless but privileged and without
--oci-worker-no-process-sandbox
everything works as expected: image builds and we don't leak processes (as expected because they run in a different pid namespace)Of course, this example is just a reproduction but we have seen the problem with some Dockerfiles where installing a package will start a daemon.
I'm wondering if we could track processes started in the background.
In addition, in our setup we use buildkitd to run concurrent builds and sharing the pid and network namespace is likely to create problems from time to time. Have you considered a buildx kubernetes driver that would start a buildkitd pod (directly or with a job) and delete it when the build is over?