blockdev: Fix loopback device resource leak on signal interruption #1402
Conversation
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request introduces a signal-safe cleanup mechanism for loopback devices to prevent resource leaks on signal interruption. It uses an out-of-process helper to clean up leaked loopback devices. I've added comments to enhance error logging for better debugging.
gursewak1997
force-pushed
the
bootc-799
branch
6 times, most recently
from
70c2b77 to
a4ab303
Compare
|
Thanks for working on this! While it will be a bit more awkward can you try doing it this way #799 (comment) - that should 100% avoid all the unsafe code. Basically instead of a raw |
blockdev/src/blockdev.rs
Outdated
| anyhow::bail!("This function should only be called as a cleanup helper"); | ||
| } | ||
|
|
||
| // Close stdin, stdout, stderr and redirect to /dev/null |
There was a problem hiding this comment.
This is better done in the parent process setup above
blockdev/src/blockdev.rs
Outdated
| .context("Failed to read /proc/self/exe")?; | ||
|
|
||
| // Create the helper process using exec | ||
| let mut cmd = Command::new(self_exe); |
There was a problem hiding this comment.
Set up std{in,out,err} here via https://doc.rust-lang.org/std/process/struct.Stdio.html#method.null
blockdev/src/blockdev.rs
Outdated
| } | ||
|
|
||
| // Set up death signal notification - we want to be notified when parent dies | ||
| unsafe { |
There was a problem hiding this comment.
There's a safe version of this in https://docs.rs/rustix/latest/rustix/process/fn.set_parent_process_death_signal.html
blockdev/src/blockdev.rs
Outdated
|
|
||
| // Set up death signal notification - we want to be notified when parent dies | ||
| unsafe { | ||
| if libc::prctl(libc::PR_SET_PDEATHSIG, libc::SIGUSR1) != 0 { |
There was a problem hiding this comment.
It seems cleaner to me to use SIGTERM and react to that
blockdev/src/blockdev.rs
Outdated
| } | ||
| } | ||
|
|
||
| // Mask most signals to avoid being killed accidentally |
There was a problem hiding this comment.
So https://docs.rs/tokio/latest/tokio/signal/index.html is one way to handle this in a safe way (will require making the function async)
I think the tokio API will replace about 50 lines of unsafe code with 5 lines of safe code.
blockdev/src/blockdev.rs
Outdated
|
|
||
| match status { | ||
| Ok(exit_status) if exit_status.success() => { | ||
| // Write to stderr since we closed stdout |
There was a problem hiding this comment.
Mmm my vote here is probably to not inherit stderr at all; if we write to stderr then we have the possibility to intermix the child process writes with the parent's.
One option is to explicitly log to the systemd journal.
I guess speaking of systemd...a whole possibility I hadn't considered until just now is that we fork off via systemd-run. That would have some nice advantages but will be trickier to get right the lifecycle binding, so let's leave that for the future.
(There's this whole giant topic in bootc overall defaulting to running via systemd in some cases, which would similarly have a lot of advantages but be a big nontrivial change)
blockdev/src/blockdev.rs
Outdated
| 20961247 | ||
| ); | ||
| Ok(()) | ||
| let data = fs::read_to_string("tests/fixtures/lsblk.json").unwrap(); |
There was a problem hiding this comment.
This change looks unrelated? I mean it's probably fine to do but let's break it into a separate commit
There was a problem hiding this comment.
This still needs fixing, can you move this section of the change to a different PR?
lib/src/cli.rs
Outdated
| device: String, | ||
| /// Parent process ID to monitor | ||
| #[clap(long)] | ||
| parent_pid: u32, |
There was a problem hiding this comment.
This isn't necessary, with PDEATHSIG we automatically monitor the parent. It can be dropped.
blockdev/src/blockdev.rs
Outdated
| "loopback-cleanup-helper", | ||
| "--device", | ||
| device_path, | ||
| "--parent-pid", |
blockdev/src/blockdev.rs
Outdated
| /// Handle to manage the cleanup helper process for loopback devices | ||
| struct LoopbackCleanupHandle { | ||
| /// Process ID of the cleanup helper | ||
| helper_pid: u32, |
There was a problem hiding this comment.
This should actually hold the Child instance. And on Drop we should send it SIGTERM - note not kill but rustix kill with SIGTERM.
blockdev/src/blockdev.rs
Outdated
|
|
||
| // Try to spawn cleanup helper process - if it fails, continue without it | ||
| let cleanup_handle = Self::spawn_cleanup_helper(dev.as_str()) | ||
| .map_err(|e| { |
There was a problem hiding this comment.
I'm uncertain about ignoring errors here by default. It seems better to make it fatal.
blockdev/src/blockdev.rs
Outdated
| // Kill the cleanup helper since we're cleaning up normally | ||
| if let Some(cleanup_handle) = self.cleanup_handle.take() { | ||
| // Kill the helper process since we're doing normal cleanup | ||
| let _ = std::process::Command::new("kill") |
There was a problem hiding this comment.
See above, we can directly send a signal instead of invoking an external command.
Also, crucially by holding a reference to the Child we avoid pid reuse problems if the child exits early.
blockdev/src/blockdev.rs
Outdated
| 20961247 | ||
| ); | ||
| Ok(()) | ||
| let data = fs::read_to_string("tests/fixtures/lsblk.json").unwrap(); |
There was a problem hiding this comment.
This still needs fixing, can you move this section of the change to a different PR?
Add fork+exec based cleanup helper to prevent loopback device leaks when bootc install --via-loopback is interrupted by signals like SIGINT. - Add loopback-cleanup-helper CLI subcommand - Implement run_loopback_cleanup_helper() with PR_SET_PDEATHSIG - Update LoopbackDevice to spawn cleanup helper process - Add tests for spawn mechanism
This commit implements issue #799 by creating a signal-safe cleanup helper for loopback devices to prevent resource leaks when bootc install --via-loopback is interrupted by signals like SIGINT (Ctrl-C).
The solution uses an 'out-of-process drop' helper that:
This prevents the common issue where interrupting bootc install --via-loopback with Ctrl-C would leave /dev/loopN devices allocated on the system.
Fixes: #799