This issue is intended to be a place to discuss what the best approach on this matter is.

As it is right now, if we run a program with `runc`, and that program exits, then we have a dangling VFS root context (or other resources that might not be cleaned up automatically) that nobody uses anymore, but nothing is responsible for cleaning it up in such a case.

The solutions I have in my mind:

1. `runc` waits for the containerized program to exit and cleans up the resources afterwards.
2. `runc` as a daemon (or even adding something like `containerd`?). The running container should be invoked separately; maybe with #24764 being in, we could do the jailing part in the new process and not in `runc`.

Maybe there are more options, so feedback on this topic is appreciated :)
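As an added illustration (not code from the issue or from the project), the sketch below shows the shape of the first option: the launcher stays alive, waits for the jailed child to exit, and only then releases what it set up, so the VFS root context or similar state never outlives its user. `jail_t`, `setup_jail` and `teardown_jail` are hypothetical stand-ins for whatever context the real tool creates; the rest is plain POSIX `fork`/`waitpid`.

```c
/* Added example, not part of the issue or the project it discusses.
 * A minimal supervisor: set up the jail, run the program in a child,
 * wait for it, and always tear the jail down exactly once afterwards.
 * The jail itself is a hypothetical stand-in (a flag and a counter). */
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

typedef struct {
    int active;     /* 1 while the (hypothetical) jail resources exist */
    int teardowns;  /* how many times teardown ran; must end at 1 */
} jail_t;

static void setup_jail(jail_t *j) { j->active = 1; }

/* Idempotent on purpose: a supervisor may reach cleanup from more than one
 * path (normal exit, child killed, fork failure) and must not double-free. */
static void teardown_jail(jail_t *j) {
    if (j->active) {
        j->active = 0;
        j->teardowns++;
    }
}

/* Run child_body in a forked process inside the jail, wait for it, then
 * tear the jail down. Returns a shell-style status: the child's exit code,
 * or 128 + signal number if it was killed; -1 if fork/waitpid failed. */
int supervise(jail_t *j, int (*child_body)(void)) {
    setup_jail(j);
    pid_t pid = fork();
    if (pid < 0) {
        teardown_jail(j);             /* nothing to wait for; release now */
        return -1;
    }
    if (pid == 0) {
        _exit(child_body() & 0xff);   /* child: never returns to the caller */
    }
    int status;
    pid_t r;
    do {
        r = waitpid(pid, &status, 0);
    } while (r < 0 && errno == EINTR); /* keep waiting across interrupts */
    teardown_jail(j);                  /* the child is gone: clean up once */
    if (r < 0) return -1;
    if (WIFEXITED(status)) return WEXITSTATUS(status);
    if (WIFSIGNALED(status)) return 128 + WTERMSIG(status);
    return -1;
}

/* Two constructed child bodies for the demo. */
static int exits_three(void) { return 3; }
static int dies_by_signal(void) { raise(SIGKILL); return 0; } /* not reached */

int main(void) {
    jail_t j = {0, 0};
    int st = supervise(&j, exits_three);
    printf("normal exit: status=%d active=%d teardowns=%d\n",
           st, j.active, j.teardowns);
    jail_t k = {0, 0};
    st = supervise(&k, dies_by_signal);
    printf("killed child: status=%d active=%d teardowns=%d\n",
           st, k.active, k.teardowns);
    return 0;
}
```

The point of the loop around `waitpid` and of making `teardown_jail` idempotent is that cleanup must happen whether the child exits normally, is killed, or the supervisor itself is interrupted; the second option in the issue (a daemon) would keep the same teardown discipline but track many children instead of one.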