feat: support process cgroup isolation without systemd (#11)

Author: fastcat

addons/containerd/go.sum

@@ -214,6 +214,7 @@ google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoA
 google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
 google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20251029180050-ab9386a59fda h1:i/Q+bfisr7gq6feoJnS/DlpdwEL4ihp41fvRiM3Ork0=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20251029180050-ab9386a59fda/go.mod h1:7i2o+ce6H/6BluujYR+kqX3GKH+dChPTQU19wjRPiGk=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
 google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY=

addons/docker/go.sum

@@ -109,6 +109,7 @@ golang.org/x/time v0.14.0/go.mod h1:eL/Oa2bBBK0TkX57Fyni+NgnyQQN4LitPmob2Hjnqw4=
 google.golang.org/genproto/googleapis/api v0.0.0-20250826171959-ef028d996bc1 h1:APHvLLYBhtZvsbnpkfknDZ7NyH4z5+ub/I0u8L3Oz6g=
 google.golang.org/genproto/googleapis/api v0.0.0-20250826171959-ef028d996bc1/go.mod h1:xUjFWUnWDpZ/C0Gu0qloASKFb6f8/QXiiXhSPFsD668=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20251029180050-ab9386a59fda h1:i/Q+bfisr7gq6feoJnS/DlpdwEL4ihp41fvRiM3Ork0=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20251029180050-ab9386a59fda/go.mod h1:7i2o+ce6H/6BluujYR+kqX3GKH+dChPTQU19wjRPiGk=
 google.golang.org/grpc v1.76.0 h1:UnVkv1+uMLYXoIz6o7chp59WfQUYA2ex/BXQ9rHZu7A=
 google.golang.org/grpc v1.76.0/go.mod h1:Ju12QI8M6iQJtbcsV+awF5a4hfJMLi4X0JLo94ULZ6c=
 google.golang.org/protobuf v1.36.10 h1:AYd7cD/uASjIL6Q9LiTjz8JLcrh/88q5UObnmY3aOOE=

addons/gcloud/addon.go

@@ -271,8 +271,8 @@ func copyADC(ctx context.Context) error {
 	if err != nil {
 		return err
 	}
-	defer os.Remove(tf.Name())
-	defer tf.Close()
+	defer os.Remove(tf.Name()) //nolint:errcheck
+	defer tf.Close()           //nolint:errcheck
 	if _, err := tf.Write(adcContents); err != nil {
 		return err
 	}

addons/gcs/go.sum

@@ -64,6 +64,7 @@ github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8Yc
 github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=
 github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
 github.com/docker/docker v28.5.2+incompatible h1:DBX0Y0zAjZbSrm1uzOkdr1onVghKaftjlSWt4AFexzM=
+github.com/docker/docker v28.5.2+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/go-connections v0.6.0 h1:LlMG9azAe1TqfR7sO+NJttz1gy6KO7VJBh+pMmjSD94=
 github.com/docker/go-connections v0.6.0/go.mod h1:AahvXYshr6JgfUJGdDCs2b5EZG/vmaMAntpSFH5BFKE=
 github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=

addons/gocache/gcs/go.sum

@@ -125,11 +125,13 @@ golang.org/x/time v0.14.0/go.mod h1:eL/Oa2bBBK0TkX57Fyni+NgnyQQN4LitPmob2Hjnqw4=
 gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk=
 gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E=
 google.golang.org/api v0.255.0 h1:OaF+IbRwOottVCYV2wZan7KUq7UeNUQn1BcPc4K7lE4=
+google.golang.org/api v0.255.0/go.mod h1:d1/EtvCLdtiWEV4rAEHDHGh2bCnqsWhw+M8y2ECN4a8=
 google.golang.org/genproto v0.0.0-20250826171959-ef028d996bc1 h1:Nm5SEGIguOIBDXs5rhfz2aKwEVWlgwC58UcmEnLDc8Y=
 google.golang.org/genproto v0.0.0-20250826171959-ef028d996bc1/go.mod h1:Jz9LrroM7Mcm+a0QrLh4UpZ1B/WhjIbqwEcUf4y08nQ=
 google.golang.org/genproto/googleapis/api v0.0.0-20250826171959-ef028d996bc1 h1:APHvLLYBhtZvsbnpkfknDZ7NyH4z5+ub/I0u8L3Oz6g=
 google.golang.org/genproto/googleapis/api v0.0.0-20250826171959-ef028d996bc1/go.mod h1:xUjFWUnWDpZ/C0Gu0qloASKFb6f8/QXiiXhSPFsD668=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20251029180050-ab9386a59fda h1:i/Q+bfisr7gq6feoJnS/DlpdwEL4ihp41fvRiM3Ork0=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20251029180050-ab9386a59fda/go.mod h1:7i2o+ce6H/6BluujYR+kqX3GKH+dChPTQU19wjRPiGk=
 google.golang.org/grpc v1.76.0 h1:UnVkv1+uMLYXoIz6o7chp59WfQUYA2ex/BXQ9rHZu7A=
 google.golang.org/grpc v1.76.0/go.mod h1:Ju12QI8M6iQJtbcsV+awF5a4hfJMLi4X0JLo94ULZ6c=
 google.golang.org/protobuf v1.36.10 h1:AYd7cD/uASjIL6Q9LiTjz8JLcrh/88q5UObnmY3aOOE=

addons/gocache/layered-backend.go

@@ -167,22 +167,19 @@ func (l *layeredStorageBackend) WriteOutput(a ActionEntry, body io.Reader) (stri
 	var localPath string
 	var err1, err2 error
 	var wg sync.WaitGroup
-	wg.Add(2)
-	go func() {
-		defer wg.Done()
+	wg.Go(func() {
 		defer bodyCopyW.Close()         // nolint:errcheck // else pipe won't know we're done
 		defer io.Copy(io.Discard, body) // nolint:errcheck // drain the body to avoid deadlock
 		if localPath, err1 = l.localW.WriteOutput(a, body); err1 != nil {
 			err1 = fmt.Errorf("failed to write output to local storage: %w", err1)
 		}
-	}()
-	go func() {
-		defer wg.Done()
+	})
+	wg.Go(func() {
 		defer io.Copy(io.Discard, bodyCopyR) // nolint:errcheck // drain the body to avoid deadlock
 		if _, err2 = l.remoteW.WriteOutput(a, bodyCopyR); err2 != nil {
 			err2 = fmt.Errorf("failed to write output to remote storage: %w", err2)
 		}
-	}()
+	})
 	wg.Wait()
 	return localPath, errors.Join(err1, err2)
 }

addons/pm/api/child.go

@@ -37,6 +37,7 @@ type ExecStatus struct {
 	State    ExecState `json:"state"`
 	StartErr string    `json:"startErr"`
 	Pid      int       `json:"pid,omitzero"`
+	Group    string    `json:"group,omitzero"`
 	ExitCode int       `json:"exitCode"`
 }
 

addons/pm/server/child.go

@@ -22,21 +22,23 @@ import (
 )
 
 type child struct {
-	def    api.Child
-	status atomic.Pointer[api.ChildStatus]
-	cmds   chan childCmd
-	wg     sync.WaitGroup
+	def      api.Child
+	status   atomic.Pointer[api.ChildStatus]
+	cmds     chan childCmd
+	wg       sync.WaitGroup
+	isolator isolator
 
 	restartDelay               time.Duration
 	killDelay                  time.Duration
 	healthCheckInitialInterval time.Duration
 	healthCheckInterval        time.Duration
 }
 
-func newChild(def api.Child) *child {
+func newChild(def api.Child, isolator isolator) *child {
 	c := &child{
-		def:  def,
-		cmds: make(chan childCmd), // important that this be un-buffered
+		def:      def,
+		cmds:     make(chan childCmd), // important that this be un-buffered
+		isolator: isolator,
 
 		// tests may override these
 		restartDelay: time.Second, // TODO: scale
@@ -142,6 +144,9 @@ MANAGER:
 			}
 			curProc = nil
 			s := curStatus()
+			// make sure any children that tried to fork off get caught and killed via
+			// the cgroup, unless they managed to escape into a new cgroup
+			c.cleanup(s)
 			s.State = api.ExecEnded
 			var ee *exec.ExitError
 			if errors.As(err, &ee) {
@@ -153,6 +158,9 @@ MANAGER:
 			s.Pid = 0
 			switch status.State {
 			case api.ChildStopping:
+				// re-check all the isolation groups to make sure all processes are
+				// killed and cgroups removed
+				c.cleanupAll(&status)
 				// stop completed
 				status.State = api.ChildStopped
 				// reset the starting process to the beginning
@@ -315,21 +323,20 @@ func (c *child) start(
 		return nil, api.ExecStatus{State: api.ExecNotStarted, StartErr: err.Error()}, errorState
 	}
 	log.Printf("started %s as pid %d", name, cmd.Process.Pid)
-	c.wg.Add(1)
-	go func() {
-		defer c.wg.Done()
+	c.wg.Go(func() {
 		err := cmd.Wait()
 		exited <- err
-	}()
-	if err := isolateProcess(context.TODO(), name, cmd.Process); err != nil {
+	})
+	eStat := api.ExecStatus{
+		State: api.ExecRunning,
+		Pid:   cmd.Process.Pid,
+	}
+	if isolationGroup, err := c.isolator.isolateProcess(context.TODO(), name, cmd.Process); err != nil {
 		log.Printf("ERROR: failed to isolate process %d as %q: %v", cmd.Process.Pid, name, err)
+	} else {
+		eStat.Group = isolationGroup
 	}
-	return cmd.Process,
-		api.ExecStatus{
-			State: api.ExecRunning,
-			Pid:   cmd.Process.Pid,
-		},
-		runningState
+	return cmd.Process, eStat, runningState
 }
 
 func (c *child) terminate(p *os.Process, s *api.ExecStatus) {
@@ -345,9 +352,32 @@ func (c *child) kill(p *os.Process, s *api.ExecStatus) {
 	if err := syscall.Kill(-p.Pid, syscall.SIGKILL); err != nil {
 		log.Printf("failed to kill %d: %v", p.Pid, err)
 	}
+	if s.Group != "" {
+		if err := c.isolator.cleanup(context.TODO(), s.Group); err != nil {
+			log.Printf("failed to cleanup isolation group %q: %v", s.Group, err)
+		}
+	}
 	s.State = api.ExecStopping
 }
 
+func (c *child) cleanup(s *api.ExecStatus) {
+	if s.Group == "" {
+		return
+	}
+	if err := c.isolator.cleanup(context.TODO(), s.Group); err != nil {
+		log.Printf("failed to cleanup isolation group %q: %v", s.Group, err)
+	} else {
+		s.Group = ""
+	}
+}
+
+func (c *child) cleanupAll(s *api.ChildStatus) {
+	for i := range s.Init {
+		c.cleanup(&s.Init[i])
+	}
+	c.cleanup(&s.Main)
+}
+
 func cloneStatus(s api.ChildStatus) *api.ChildStatus {
 	r := s
 	r.Init = slices.Clone(s.Init)

addons/pm/server/child_test.go

@@ -17,6 +17,9 @@ func TestChildSleeps(t *testing.T) {
 		t.SkipNow() // does not return
 	}
 
+	isolator, err := getIsolator()
+	require.NoError(t, err)
+
 	// run a simple sequence of init containers followed by a process container
 	def := api.Child{
 		Name: "sleeps",
@@ -35,7 +38,7 @@ func TestChildSleeps(t *testing.T) {
 			Args: []string{"1h"}, // we will kill this one
 		},
 	}
-	c := newChild(def)
+	c := newChild(def, isolator)
 	// TODO: this will hang if something goes wrong
 	t.Cleanup(c.Wait)
 
@@ -78,6 +81,9 @@ func TestChildFails(t *testing.T) {
 		t.SkipNow() // does not return
 	}
 
+	isolator, err := getIsolator()
+	require.NoError(t, err)
+
 	td := t.TempDir()
 
 	// run a simple sequence of init containers followed by a process container
@@ -98,7 +104,7 @@ func TestChildFails(t *testing.T) {
 			Cwd:  td,
 		},
 	}
-	c := newChild(def)
+	c := newChild(def, isolator)
 	// speed up the restart timers to make this test not so slow
 	c.restartDelay = 20 * time.Millisecond
 

addons/pm/server/daemon.go

@@ -20,13 +20,19 @@ type daemon struct {
 	children    map[string]*child
 	onTerminate context.CancelFunc
 	tasks       []Task
+	isolator    isolator
 }
 
-func NewDaemon(tasks ...Task) *daemon {
+func NewDaemon(tasks ...Task) (*daemon, error) {
+	isolator, err := getIsolator()
+	if err != nil {
+		return nil, err
+	}
 	return &daemon{
 		children: make(map[string]*child),
 		tasks:    slices.Clone(tasks),
-	}
+		isolator: isolator,
+	}, nil
 }
 
 var _ api.API = (*daemon)(nil)
@@ -86,7 +92,7 @@ func (d *daemon) PutChild(ctx context.Context, child api.Child) (*api.ChildWithS
 	if _, ok := d.children[child.Name]; ok {
 		return nil, internal.WithStatus(http.StatusConflict, fmt.Errorf("child %s already exists", child.Name))
 	}
-	c := newChild(child)
+	c := newChild(child, d.isolator)
 	d.children[child.Name] = c
 	go func() {
 		c.run()
@@ -227,9 +233,7 @@ func (d *daemon) Terminate(context.Context) error {
 	d.mu.Unlock()
 	var wg sync.WaitGroup
 	for _, child := range children {
-		wg.Add(1)
-		go func() {
-			defer wg.Done()
+		wg.Go(func() {
 			child.cmds <- childStop
 			// wait for it to stop
 			// TODO: avoid polling
@@ -242,7 +246,7 @@ func (d *daemon) Terminate(context.Context) error {
 			}
 			child.cmds <- childDelete
 			child.Wait()
-		}()
+		})
 	}
 	wg.Wait()
 	log.Print("daemon done")