try to avoid orphans on windows

ethan-lowman-dd · ethan-lowman-dd · commit 0eaa502938f7 · 2023-09-06T20:41:55.000-04:00
Signed-off-by: Ethan Lowman &lt;ethan.lowman@datadoghq.com&gt;
diff --git a/pkg/imageverifier/bindir/bindir.go b/pkg/imageverifier/bindir/bindir.go
@@ -122,10 +122,9 @@ func (v *ImageVerifier) runVerifier(ctx context.Context, bin string, imageName s
 	}
 
 	cmd := exec.CommandContext(ctx, binPath, args...)
-	configureVerifierCommand(cmd)
 
-	// We construct our own pipes instead of using cmd.StdinPipe, cmd.StoutPipe,
-	// and cmd.StderrPipe in order to set timeouts on reads and writes.
+	// We construct our own pipes instead of using the default StdinPipe,
+	// StoutPipe, and StderrPipe in order to set timeouts on reads and writes.
 	stdinRead, stdinWrite, err := os.Pipe()
 	if err != nil {
 		return -1, "", err
@@ -136,15 +135,15 @@ func (v *ImageVerifier) runVerifier(ctx context.Context, bin string, imageName s
 
 	stdoutRead, stdoutWrite, err := os.Pipe()
 	if err != nil {
-		return -1, "", fmt.Errorf("creating stdout pipe: %w", err)
+		return -1, "", err
 	}
 	cmd.Stdout = stdoutWrite
 	defer stdoutRead.Close()
 	defer stdoutWrite.Close()
 
 	stderrRead, stderrWrite, err := os.Pipe()
 	if err != nil {
-		return -1, "", fmt.Errorf("creating stderr pipe: %w", err)
+		return -1, "", err
 	}
 	cmd.Stderr = stderrWrite
 	defer stderrRead.Close()
@@ -158,10 +157,12 @@ func (v *ImageVerifier) runVerifier(ctx context.Context, bin string, imageName s
 		stderrRead.SetDeadline(d)
 	}
 
-	// Fork & exec the child process.
-	if err := cmd.Start(); err != nil {
-		return -1, "", fmt.Errorf("starting process: %w", err)
+	// Finish configuring, and then fork & exec the child process.
+	p, err := startProcess(ctx, cmd)
+	if err != nil {
+		return -1, "", err
 	}
+	defer p.cleanup(ctx)
 
 	// Close the child ends of the pipes in the parent process.
 	stdinRead.Close()
diff --git a/pkg/imageverifier/bindir/bindir_test.go b/pkg/imageverifier/bindir/bindir_test.go
@@ -369,7 +369,7 @@ func TestBinDirVerifyImage(t *testing.T) {
 			t.Fatal(err)
 		}
 
-		if strings.Contains(string(b), "-sleep-forever") {
+		if strings.Contains(string(b), "verifier-") {
 			t.Fatalf("killing the verifier binary didn't kill all its children:\n%v", string(b))
 		}
 	})
diff --git a/pkg/imageverifier/bindir/processes_unix.go b/pkg/imageverifier/bindir/processes_unix.go
@@ -19,15 +19,20 @@
 package bindir
 
 import (
+	"context"
+	"fmt"
 	"os/exec"
 
 	"golang.org/x/sys/unix"
 )
 
-func configureVerifierCommand(cmd *exec.Cmd) {
-	// Configure the verifier command so that killing it kills all child
-	// processes of the verifier process.
+type process struct {
+	cmd *exec.Cmd
+}
 
+// Configure the verifier command so that killing it kills all child
+// processes of the verifier process.
+func startProcess(ctx context.Context, cmd *exec.Cmd) (*process, error) {
 	// Assign the verifier a new process group so that killing its process group
 	// in Cancel() doesn't kill the parent process (containerd).
 	cmd.SysProcAttr = &unix.SysProcAttr{Setpgid: true}
@@ -37,4 +42,14 @@ func configureVerifierCommand(cmd *exec.Cmd) {
 		// process group whose ID is cmd.Process.Pid.
 		return unix.Kill(-cmd.Process.Pid, unix.SIGKILL)
 	}
+
+	if err := cmd.Start(); err != nil {
+		return nil, fmt.Errorf("starting process: %w", err)
+	}
+
+	return &process{
+		cmd: cmd,
+	}, nil
 }
+
+func (p *process) cleanup(ctx context.Context) {}
diff --git a/pkg/imageverifier/bindir/processes_windows.go b/pkg/imageverifier/bindir/processes_windows.go
@@ -19,11 +19,83 @@
 package bindir
 
 import (
+	"context"
+	"fmt"
 	"os/exec"
+	"unsafe"
+
+	"github.com/containerd/containerd/log"
+	"golang.org/x/sys/windows"
 )
 
-func configureVerifierCommand(cmd *exec.Cmd) {
-	// No customizations needed for Windows since the orphaned process leak
-	// mitigated in the Unix implementation of configureVerifierCommand is not
-	// applicable on Windows.
+type process struct {
+	cmd *exec.Cmd
+
+	jobHandle     *windows.Handle
+	processHandle *windows.Handle
+}
+
+// Configure the verifier command so that killing it kills all child
+// processes of the verifier process.
+//
+// Job/process management based on:
+// https://devblogs.microsoft.com/oldnewthing/20131209-00/?p=2433
+func startProcess(ctx context.Context, cmd *exec.Cmd) (*process, error) {
+	p := &process{
+		cmd: cmd,
+	}
+
+	jobHandle, err := windows.CreateJobObject(nil, nil)
+	if err != nil {
+		return nil, fmt.Errorf("creating job object: %w", err)
+	}
+	p.jobHandle = &jobHandle
+
+	info := windows.JOBOBJECT_EXTENDED_LIMIT_INFORMATION{
+		BasicLimitInformation: windows.JOBOBJECT_BASIC_LIMIT_INFORMATION{
+			LimitFlags: windows.JOB_OBJECT_LIMIT_KILL_ON_JOB_CLOSE,
+		},
+	}
+	_, err = windows.SetInformationJobObject(
+		jobHandle,
+		windows.JobObjectExtendedLimitInformation,
+		uintptr(unsafe.Pointer(&info)),
+		uint32(unsafe.Sizeof(info)),
+	)
+	if err != nil {
+		p.cleanup(ctx)
+		return nil, fmt.Errorf("setting limits for job object: %w", err)
+	}
+
+	if err := cmd.Start(); err != nil {
+		p.cleanup(ctx)
+		return nil, fmt.Errorf("starting process: %w", err)
+	}
+
+	processHandle, err := windows.OpenProcess(windows.PROCESS_QUERY_INFORMATION, false, uint32(cmd.Process.Pid))
+	if err != nil {
+		return nil, fmt.Errorf("getting handle for verifier process: %w", err)
+	}
+	p.processHandle = &processHandle
+
+	err = windows.AssignProcessToJobObject(jobHandle, processHandle)
+	if err != nil {
+		p.cleanup(ctx)
+		return nil, fmt.Errorf("associating new process to job object: %w", err)
+	}
+
+	return p, nil
+}
+
+func (p *process) cleanup(ctx context.Context) {
+	if p.jobHandle != nil {
+		if err := windows.CloseHandle(*p.jobHandle); err != nil {
+			log.G(ctx).WithError(err).Error("failed to close job handle")
+		}
+	}
+	if p.processHandle != nil {
+		if err := windows.CloseHandle(*p.processHandle); err != nil {
+			log.G(ctx).WithError(err).Error("failed to close process handle")
+		}
+	}
 }

Original file line number	Diff line number	Diff line change
`@@ -369,7 +369,7 @@ func TestBinDirVerifyImage(t *testing.T) {`
`369`	`369`	`t.Fatal(err)`
`370`	`370`	`}`
`371`	`371`
`372`		`- if strings.Contains(string(b), "-sleep-forever") {`
	`372`	`+ if strings.Contains(string(b), "verifier-") {`
`373`	`373`	`t.Fatalf("killing the verifier binary didn't kill all its children:\n%v", string(b))`
`374`	`374`	`}`
`375`	`375`	`})`