Make sandbox.Pid public and use it for Container.GoferPid.

The `pid` type in `sandbox.go` has been renamed to `Pid` and its methods have
been exported. This `sandbox.Pid` type is now used for the `Container.GoferPid`
field, ensurinr atomic access. All call sites accessing `GoferPid` have been
updated to use atomics.

Updates #12051

PiperOrigin-RevId: 803498368

Author: ayushr2

runsc/cmd/capability_test.go

@@ -136,7 +136,7 @@ func testCapabilities(t *testing.T, directfs bool) {
 	if err := checkProcessCaps(c.Sandbox.Getpid(), wantSandboxCaps); err != nil {
 		t.Error(err)
 	}
-	if err := checkProcessCaps(c.GoferPid, goferCaps); err != nil {
+	if err := checkProcessCaps(c.GoferPid.Load(), goferCaps); err != nil {
 		t.Error(err)
 	}
 }

runsc/container/container.go

@@ -118,7 +118,7 @@ type Container struct {
 
 	// GoferPid is the PID of the gofer running along side the sandbox. May
 	// be 0 if the gofer has been killed.
-	GoferPid int `json:"goferPid"`
+	GoferPid sandbox.Pid `json:"goferPid"`
 
 	// Sandbox is the sandbox this container is running in. It's set when the
 	// container is created and reset when the sandbox is destroyed.
@@ -995,7 +995,7 @@ func (c *Container) createGoferFilestores(ovlConf config.Overlay2, mountHints *b
 	// namespace, so that they don't prevent the host mount points from being
 	// unmounted from the host's mount namespace. We will use /proc/pid/root
 	// to access gofer's mount namespace. See proc_pid_root(5).
-	goferRootfs := fmt.Sprintf("/proc/%d/root", c.GoferPid)
+	goferRootfs := fmt.Sprintf("/proc/%d/root", c.GoferPid.Load())
 
 	// Handle rootfs first.
 	rootfsConf := c.GoferMountConfs[0]
@@ -1129,11 +1129,11 @@ func (c *Container) stop() error {
 	}
 
 	// Try killing gofer if it does not exit with container.
-	if c.GoferPid != 0 {
-		log.Debugf("Killing gofer for container, cid: %s, PID: %d", c.ID, c.GoferPid)
-		if err := unix.Kill(c.GoferPid, unix.SIGKILL); err != nil {
+	if goferPid := c.GoferPid.Load(); goferPid != 0 {
+		log.Debugf("Killing gofer for container, cid: %s, PID: %d", c.ID, goferPid)
+		if err := unix.Kill(goferPid, unix.SIGKILL); err != nil {
 			// The gofer may already be stopped, log the error.
-			log.Warningf("Error sending signal %d to gofer %d: %v", unix.SIGKILL, c.GoferPid, err)
+			log.Warningf("Error sending signal %d to gofer %d: %v", unix.SIGKILL, goferPid, err)
 		}
 	}
 
@@ -1158,7 +1158,8 @@ func (c *Container) stop() error {
 }
 
 func (c *Container) waitForStopped() error {
-	if c.GoferPid == 0 {
+	goferPid := c.GoferPid.Load()
+	if goferPid == 0 {
 		return nil
 	}
 
@@ -1171,21 +1172,21 @@ func (c *Container) waitForStopped() error {
 	if c.goferIsChild {
 		// The gofer process is a child of the current process,
 		// so we can wait it and collect its zombie.
-		if _, err := unix.Wait4(int(c.GoferPid), nil, 0, nil); err != nil {
+		if _, err := unix.Wait4(int(goferPid), nil, 0, nil); err != nil {
 			return fmt.Errorf("error waiting the gofer process: %v", err)
 		}
-		c.GoferPid = 0
+		c.GoferPid.Store(0)
 		return nil
 	}
 
 	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
 	defer cancel()
 	b := backoff.WithContext(backoff.NewConstantBackOff(100*time.Millisecond), ctx)
 	op := func() error {
-		if err := unix.Kill(c.GoferPid, 0); err == nil {
+		if err := unix.Kill(goferPid, 0); err == nil {
 			return fmt.Errorf("gofer is still running")
 		}
-		c.GoferPid = 0
+		c.GoferPid.Store(0)
 		return nil
 	}
 	return backoff.Retry(op, b)
@@ -1435,7 +1436,7 @@ func (c *Container) createGoferProcess(conf *config.Config, mountHints *boot.Pod
 		return nil, nil, nil, nil, fmt.Errorf("gofer: %v", err)
 	}
 	log.Infof("Gofer started, PID: %d", cmd.Process.Pid)
-	c.GoferPid = cmd.Process.Pid
+	c.GoferPid.Store(cmd.Process.Pid)
 	c.goferIsChild = true
 	rpcPidCh <- cmd.Process.Pid
 
@@ -1448,7 +1449,7 @@ func (c *Container) createGoferProcess(conf *config.Config, mountHints *boot.Pod
 
 	// Set up nvproxy with the Gofer's mount namespaces while chrootSyncSandEnd is
 	// is still open.
-	if err := nvproxySetup(c.Spec, conf, c.GoferPid); err != nil {
+	if err := nvproxySetup(c.Spec, conf, c.GoferPid.Load()); err != nil {
 		return nil, nil, nil, nil, fmt.Errorf("setting up nvproxy for gofer: %w", err)
 	}
 
@@ -1567,10 +1568,11 @@ func runInCgroup(cg cgroup.Cgroup, fn func() error) error {
 
 // adjustGoferOOMScoreAdj sets the oom_store_adj for the container's gofer.
 func (c *Container) adjustGoferOOMScoreAdj() error {
-	if c.GoferPid == 0 || c.Spec.Process.OOMScoreAdj == nil {
+	goferPid := c.GoferPid.Load()
+	if goferPid == 0 || c.Spec.Process.OOMScoreAdj == nil {
 		return nil
 	}
-	return setOOMScoreAdj(c.GoferPid, *c.Spec.Process.OOMScoreAdj)
+	return setOOMScoreAdj(goferPid, *c.Spec.Process.OOMScoreAdj)
 }
 
 // adjustSandboxOOMScoreAdj sets the oom_score_adj for the sandbox.

runsc/container/container_test.go

@@ -2084,7 +2084,7 @@ func TestGoferExits(t *testing.T) {
 		t.Fatalf("error killing sandbox process: %v", err)
 	}
 
-	err = blockUntilWaitable(c.GoferPid)
+	err = blockUntilWaitable(c.GoferPid.Load())
 	if err != nil && err != unix.ECHILD {
 		t.Errorf("error waiting for gofer to exit: %v", err)
 	}

runsc/container/multi_container_test.go

@@ -837,7 +837,7 @@ func TestMultiContainerSignal(t *testing.T) {
 			}
 
 			// goferPid is reset when container is destroyed.
-			goferPid := containers[1].GoferPid
+			goferPid := containers[1].GoferPid.Load()
 
 			// Destroy container and ensure container's gofer process has exited.
 			if err := containers[1].Destroy(); err != nil {
@@ -867,7 +867,7 @@ func TestMultiContainerSignal(t *testing.T) {
 			}
 
 			// Ensure that container's gofer and sandbox process are no more.
-			err = blockUntilWaitable(containers[0].GoferPid)
+			err = blockUntilWaitable(containers[0].GoferPid.Load())
 			if err != nil && err != unix.ECHILD {
 				t.Errorf("error waiting for gofer to exit: %v", err)
 			}
@@ -1973,8 +1973,8 @@ func TestMultiContainerGoferKilled(t *testing.T) {
 	}
 
 	// Kill container's gofer.
-	if err := unix.Kill(c.GoferPid, unix.SIGKILL); err != nil {
-		t.Fatalf("unix.Kill(%d, SIGKILL)=%v", c.GoferPid, err)
+	if err := unix.Kill(c.GoferPid.Load(), unix.SIGKILL); err != nil {
+		t.Fatalf("unix.Kill(%d, SIGKILL)=%v", c.GoferPid.Load(), err)
 	}
 
 	// Wait until container stops.
@@ -2005,8 +2005,8 @@ func TestMultiContainerGoferKilled(t *testing.T) {
 
 	// Kill root container's gofer to bring entire sandbox down.
 	c = containers[0]
-	if err := unix.Kill(c.GoferPid, unix.SIGKILL); err != nil {
-		t.Fatalf("unix.Kill(%d, SIGKILL)=%v", c.GoferPid, err)
+	if err := unix.Kill(c.GoferPid.Load(), unix.SIGKILL); err != nil {
+		t.Fatalf("unix.Kill(%d, SIGKILL)=%v", c.GoferPid.Load(), err)
 	}
 
 	// Wait until sandbox stops. waitForProcessList will loop until sandbox exits

runsc/sandbox/sandbox.go

@@ -104,33 +104,35 @@ func createControlSocket(rootDir, id string) (string, int, error) {
 	return "", -1, fmt.Errorf("unable to find location to write socket file")
 }
 
-// pid is an atomic type that implements JSON marshal/unmarshal interfaces.
-type pid struct {
+// Pid is an atomic type that implements JSON marshal/unmarshal interfaces.
+type Pid struct {
 	val atomicbitops.Int64
 }
 
-func (p *pid) store(pid int) {
+// Store stores the PID in p.
+func (p *Pid) Store(pid int) {
 	p.val.Store(int64(pid))
 }
 
-func (p *pid) load() int {
+// Load loads the PID from p.
+func (p *Pid) Load() int {
 	return int(p.val.Load())
 }
 
 // UnmarshalJSON implements json.Unmarshaler.UnmarshalJSON.
-func (p *pid) UnmarshalJSON(b []byte) error {
+func (p *Pid) UnmarshalJSON(b []byte) error {
 	var pid int
 
 	if err := json.Unmarshal(b, &pid); err != nil {
 		return err
 	}
-	p.store(pid)
+	p.Store(pid)
 	return nil
 }
 
 // MarshalJSON implements json.Marshaler.MarshalJSON
-func (p *pid) MarshalJSON() ([]byte, error) {
-	return json.Marshal(p.load())
+func (p *Pid) MarshalJSON() ([]byte, error) {
+	return json.Marshal(p.Load())
 }
 
 // Sandbox wraps a sandbox process.
@@ -156,7 +158,7 @@ type Sandbox struct {
 
 	// Pid is the pid of the running sandbox. May be 0 if the sandbox
 	// is not running.
-	Pid pid `json:"pid"`
+	Pid Pid `json:"pid"`
 
 	// UID is the user ID in the parent namespace that the sandbox is running as.
 	UID int `json:"uid"`
@@ -231,7 +233,7 @@ type Sandbox struct {
 
 // Getpid returns the process ID of the sandbox process.
 func (s *Sandbox) Getpid() int {
-	return s.Pid.load()
+	return s.Pid.Load()
 }
 
 // Args is used to configure a new sandbox.
@@ -388,7 +390,7 @@ func New(conf *config.Config, args *Args) (*Sandbox, error) {
 
 // CreateSubcontainer creates a container inside the sandbox.
 func (s *Sandbox) CreateSubcontainer(conf *config.Config, cid string, tty *os.File) error {
-	log.Debugf("Create sub-container %q in sandbox %q, PID: %d", cid, s.ID, s.Pid.load())
+	log.Debugf("Create sub-container %q in sandbox %q, PID: %d", cid, s.ID, s.Pid.Load())
 
 	var files []*os.File
 	if tty != nil {
@@ -428,7 +430,7 @@ func (s *Sandbox) StartRoot(conf *config.Config, spec *specs.Spec) error {
 	if err := hostsettings.Handle(conf); err != nil {
 		return fmt.Errorf("host settings: %w (use --host-settings=ignore to bypass)", err)
 	}
-	pid := s.Pid.load()
+	pid := s.Pid.Load()
 	log.Debugf("Start root sandbox %q, PID: %d", s.ID, pid)
 	conn, err := s.sandboxConnect()
 	if err != nil {
@@ -456,7 +458,7 @@ func (s *Sandbox) StartRoot(conf *config.Config, spec *specs.Spec) error {
 
 // StartSubcontainer starts running a sub-container inside the sandbox.
 func (s *Sandbox) StartSubcontainer(spec *specs.Spec, conf *config.Config, cid string, stdios, goferFiles, goferFilestores []*os.File, devIOFile *os.File, goferConfs []boot.GoferMountConf) error {
-	log.Debugf("Start sub-container %q in sandbox %q, PID: %d", cid, s.ID, s.Pid.load())
+	log.Debugf("Start sub-container %q in sandbox %q, PID: %d", cid, s.ID, s.Pid.Load())
 
 	if err := s.configureStdios(conf, stdios); err != nil {
 		return err
@@ -561,7 +563,7 @@ func (s *Sandbox) Restore(conf *config.Config, spec *specs.Spec, cid string, ima
 		return err
 	}
 	// Configure the network.
-	if err := setupNetwork(conn, s.Pid.load(), conf, disableIPv6); err != nil {
+	if err := setupNetwork(conn, s.Pid.Load(), conf, disableIPv6); err != nil {
 		return fmt.Errorf("setting up network: %v", err)
 	}
 
@@ -575,7 +577,7 @@ func (s *Sandbox) Restore(conf *config.Config, spec *specs.Spec, cid string, ima
 
 // RestoreSubcontainer sends the restore call for a sub-container in the sandbox.
 func (s *Sandbox) RestoreSubcontainer(spec *specs.Spec, conf *config.Config, cid string, stdios, goferFiles, goferFilestoreFiles []*os.File, devIOFile *os.File, goferMountConf []boot.GoferMountConf) error {
-	log.Debugf("Restore sub-container %q in sandbox %q, PID: %d", cid, s.ID, s.Pid.load())
+	log.Debugf("Restore sub-container %q in sandbox %q, PID: %d", cid, s.ID, s.Pid.Load())
 
 	if err := s.configureStdios(conf, stdios); err != nil {
 		return err
@@ -680,7 +682,7 @@ func (s *Sandbox) ProcfsDump() ([]procfs.ProcessProcfsDump, error) {
 
 // NewCGroup returns the sandbox's Cgroup, or an error if it does not have one.
 func (s *Sandbox) NewCGroup() (cgroup.Cgroup, error) {
-	return cgroup.NewFromPid(s.Pid.load(), false /* useSystemd */)
+	return cgroup.NewFromPid(s.Pid.Load(), false /* useSystemd */)
 }
 
 // Execute runs the specified command in the container. It returns the PID of
@@ -797,7 +799,7 @@ func (s *Sandbox) call(method string, arg, result any) error {
 }
 
 func (s *Sandbox) connError(err error) error {
-	return fmt.Errorf("connecting to control server at PID %d: %v", s.Pid.load(), err)
+	return fmt.Errorf("connecting to control server at PID %d: %v", s.Pid.Load(), err)
 }
 
 // createSandboxProcess starts the sandbox as a subprocess by running the "boot"
@@ -1287,7 +1289,7 @@ func (s *Sandbox) createSandboxProcess(conf *config.Config, args *Args, startSyn
 	}
 
 	s.child = true
-	s.Pid.store(cmd.Process.Pid)
+	s.Pid.Store(cmd.Process.Pid)
 	log.Infof("Sandbox started, PID: %d", cmd.Process.Pid)
 
 	return nil
@@ -1390,7 +1392,7 @@ func (s *Sandbox) destroy() error {
 			log.Warningf("failed to delete control socket file %q: %v", controlSocketPath, err)
 		}
 	}
-	pid := s.Pid.load()
+	pid := s.Pid.Load()
 	if pid != 0 {
 		log.Debugf("Killing sandbox %q", s.ID)
 		if err := unix.Kill(pid, unix.SIGKILL); err != nil && err != unix.ESRCH {
@@ -1610,7 +1612,7 @@ func (s *Sandbox) ExportMetrics(opts control.MetricsExportOpts) (*prometheus.Sna
 
 // IsRunning returns true if the sandbox or gofer process is running.
 func (s *Sandbox) IsRunning() bool {
-	pid := s.Pid.load()
+	pid := s.Pid.Load()
 	if pid == 0 {
 		return false
 	}
@@ -1721,7 +1723,7 @@ func (s *Sandbox) waitForStopped() error {
 	if s.child {
 		s.statusMu.Lock()
 		defer s.statusMu.Unlock()
-		pid := s.Pid.load()
+		pid := s.Pid.Load()
 		if pid == 0 {
 			return nil
 		}
@@ -1730,7 +1732,7 @@ func (s *Sandbox) waitForStopped() error {
 		if _, err := unix.Wait4(int(pid), &s.status, 0, nil); err != nil {
 			return fmt.Errorf("error waiting the sandbox process: %v", err)
 		}
-		s.Pid.store(0)
+		s.Pid.Store(0)
 		return nil
 	}
 	ctx, cancel := context.WithTimeout(context.Background(), waitTimeout)
@@ -1878,7 +1880,7 @@ func (s *Sandbox) fixPidns(spec *specs.Spec) {
 		// pidns was not set, nothing to fix.
 		return
 	}
-	if pidns.Path != fmt.Sprintf("/proc/%d/ns/pid", s.Pid.load()) {
+	if pidns.Path != fmt.Sprintf("/proc/%d/ns/pid", s.Pid.Load()) {
 		// Fix only if the PID namespace corresponds to the sandbox's.
 		return
 	}

test/root/oom_score_adj_test.go

@@ -90,7 +90,7 @@ func TestOOMScoreAdjSingle(t *testing.T) {
 
 			// Verify the gofer's oom_score_adj
 			if testCase.OOMScoreAdj != nil {
-				goferScore, err := specutils.GetOOMScoreAdj(c.GoferPid)
+				goferScore, err := specutils.GetOOMScoreAdj(c.GoferPid.Load())
 				if err != nil {
 					t.Fatalf("error reading gofer oom_score_adj: %v", err)
 				}
@@ -240,7 +240,7 @@ func TestOOMScoreAdjMulti(t *testing.T) {
 			for i, c := range containers {
 				if oomScoreAdj[i] != nil {
 					// Verify the gofer's oom_score_adj
-					score, err := specutils.GetOOMScoreAdj(c.GoferPid)
+					score, err := specutils.GetOOMScoreAdj(c.GoferPid.Load())
 					if err != nil {
 						t.Fatalf("error reading gofer oom_score_adj: %v", err)
 					}