runsc ps: Add process group ID (PGID) to output #12739
copybara-service[bot] merged 1 commit into google:master from
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request.
@ayushr2 sorry for the ping - it's my first contribution here. Did I miss something to make this visible for reviewers?
I'll also tag @EtiennePerot here. The context is: we kill individual processes instead of killing the whole gVisor on memory pressure. Currently we kill by invoking a custom command mounted into gVisor, but it is not reliable when memory pressure is high. Killing using gVisor machinery should be more reliable. But to do that, we need to find the process structure, using process group IDs.
@stepancheg thanks for the context, seems reasonable. @danielpfeifer02 sorry we didn't get to this for so long. |
Add the process group ID (PGID) field to the Process struct and populate it using the existing kernel ProcessGroup API. The PGID is now displayed in a new JSON-full output of `runsc ps`. The JSON-full output format is making fields like PGID, PPID, UID, and command name available to callers in a JSON format but keeping the original JSON format the same for backwards compatibility. This enables container runtimes to discover process group IDs from outside the sandbox without needing to exec into the container, which is useful for sending signals to entire process groups via `runsc kill` when the container may be under memory pressure. I am planning to add a follow-up PR enabling the functionality of running `runsc kill --pgid xxx`. FUTURE_COPYBARA_INTEGRATE_REVIEW=#12739 from danielpfeifer02:dpfeifer/runsc-ps-pgid 27f59b4 PiperOrigin-RevId: 896146844
| // SetFlags implements subcommands.Command.SetFlags. | ||
| func (ps *PS) SetFlags(f *flag.FlagSet) { | ||
| f.StringVar(&ps.format, "format", "table", "output format. Select one of: table or json (default: table)") | ||
| f.StringVar(&ps.format, "format", "table", "output format. Select one of: table, json (PIDs only), or json-full (full process data) (default: table)") |
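Review bot: the help string on the added `f.StringVar` line describes `json-full` only as "full process data", so a caller that parses it to read PGID has nothing stating which fields it can rely on. List the fields in the help text or in the command documentation so the format is a documented contract rather than whatever the struct happens to serialize. The same string also spells out "(default: table)" by hand next to the `"table"` default argument, and the two can drift apart if the default ever changes.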
IMO we should not add a new format for this. This is inconsistent with what runc does: https://github.com/opencontainers/runc/blob/main/ps.go
Instead, we can just add this to the table output when format==table. This was the same approach taken in 663fe84
77f6faf to 182306a
Please squash your commits: https://github.com/google/gvisor/blob/master/CONTRIBUTING.md#code-reviews
Add the process group ID (PGID) field to the Process struct and populate it using the existing kernel ProcessGroup API. The PGID is now displayed in both table and JSON output of `runsc ps`. The JSON output format is changed from a bare PID array to the full Process struct serialization, making fields like PGID, PPID, UID, and command name available to callers. This enables container runtimes to discover process group IDs from outside the sandbox without needing to exec into the container, which is useful for sending signals to entire process groups via `runsc kill` when the container may be under memory pressure.
182306a to 9eead07
Hi @ayushr2, thanks for your feedback. I moved the change into the existing table format and squashed all into one commit.
Add the process group ID (PGID) field to the Process struct and populate it using the existing kernel ProcessGroup API. The PGID is now displayed in a new JSON-full output of `runsc ps`. The JSON-full output format is making fields like PGID, PPID, UID, and command name available to callers in a JSON format but keeping the original JSON format the same for backwards compatibility. This enables container runtimes to discover process group IDs from outside the sandbox without needing to exec into the container, which is useful for sending signals to entire process groups via `runsc kill` when the container may be under memory pressure. I am planning to add a follow-up PR enabling the functionality of running `runsc kill --pgid xxx`. FUTURE_COPYBARA_INTEGRATE_REVIEW=#12739 from danielpfeifer02:dpfeifer/runsc-ps-pgid 9eead07 PiperOrigin-RevId: 896146844
Follow up PR of #12739 for adding `runsc kill --pgid xxx` support.

## Changes ##

Adds a `--pgid` flag to `runsc kill` that sends a signal to all processes in a given process group (identified by PGID in the root PID namespace). This complements the existing `--pid` and `--all` flags. The signal is delivered through the existing `ContMgrSignal` `RPC` via a new `DeliverToProcessGroup` delivery mode, following the same `container -> sandbox -> loader` chain as the other signal modes.

## Testing ##

`TestSignalProcessGroup` creates a 3-process container (`init -> child -> grandchild`) where the child calls `setpgid` to form a new process group shared with the grandchild. The test sends `SIGKILL` to that PGID and verifies:

- Both child and grandchild are killed
- Init (PGID 1) survives

A new `task-tree-pgid` test app subcommand supports this by spawning a deterministic process tree with a distinct process group.

FUTURE_COPYBARA_INTEGRATE_REVIEW=#12905 from danielpfeifer02:dpfeifer/runsc-kill-pgid 7afe641
PiperOrigin-RevId: 897368159
Add the process group ID (PGID) field to the Process struct and populate it using the existing kernel ProcessGroup API. The PGID is now displayed in a new JSON-full output of `runsc ps`.
The JSON-full output format is making fields like PGID, PPID, UID, and command name available to callers in a JSON format but keeping the original JSON format the same for backwards compatibility.
This enables container runtimes to discover process group IDs from outside the sandbox without needing to exec into the container, which is useful for sending signals to entire process groups via `runsc kill` when the container may be under memory pressure.
I am planning to add a follow-up PR enabling the functionality of running `runsc kill --pgid xxx`.
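
Added example, not code from the gVisor project: one way a caller could use a per-process listing that carries PGID to work out which processes a group-wide signal would reach, refusing the group that contains init. The JSON key names, the `Proc` type, both function names and the sample listing are assumptions constructed for illustration; the real `runsc ps` output may differ.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Proc holds two fields the PR names; the JSON keys are assumed, not runsc's.
type Proc struct {
	PID  int `json:"pid"`
	PGID int `json:"pgid"`
}

// sampleJSON is constructed: init (group 1), child and grandchild (group 2).
const sampleJSON = `[{"pid":1,"pgid":1},{"pid":2,"pgid":2},{"pid":3,"pgid":2}]`

// GroupByPGID parses a listing and returns PGID -> sorted member PIDs.
func GroupByPGID(data []byte) (map[int][]int, error) {
	var procs []Proc
	if err := json.Unmarshal(data, &procs); err != nil {
		return nil, fmt.Errorf("parsing process list: %w", err)
	}
	groups := make(map[int][]int)
	for _, p := range procs {
		if p.PID <= 0 || p.PGID <= 0 { // missing or zero IDs: do not guess
			return nil, fmt.Errorf("invalid entry pid=%d pgid=%d", p.PID, p.PGID)
		}
		groups[p.PGID] = append(groups[p.PGID], p.PID)
	}
	for _, pids := range groups {
		sort.Ints(pids)
	}
	return groups, nil
}

// KillTargets lists the PIDs a signal to pgid would reach, so init survives.
func KillTargets(groups map[int][]int, pgid int) ([]int, error) {
	pids := groups[pgid]
	if len(pids) == 0 || pids[0] == 1 { // unknown group, or init (sorted first)
		return nil, fmt.Errorf("refusing to signal process group %d", pgid)
	}
	return pids, nil
}

func main() {
	groups, _ := GroupByPGID([]byte(sampleJSON))
	fmt.Println(KillTargets(groups, 2))
}
```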