RFC: drop -a from `runc kill`

[kolyshkin]

Option -a for runc kill is only usable when we are trying to kill -9 the container which does not have its own PID namespace. All other use cases (like sending SIGTERM to all container processes) are questionable to say at least.

I propose we deprecate -a, and handle the above use case (sending SIGKILL to init of the container which does not have its own pidns) automatically (in fact, this is already done in libcontainer, but not in runc binary).

The deprecation can be done in steps:

1. In runc 1.2, emit a warning when -a is used with runc kill.
2. In runc 1.3 (or later version), upgrade the warning to error.
3. In runc 1.4, drop the flag.

[kolyshkin]

@giuseppe @cyphar @AkihiroSuda WDYT?

[AkihiroSuda]

automatically

Probably this is fine but we might need to add another flag to disable it

drop the flag

For compatibility sake, the flag will have to remain as a NOP flag

[kolyshkin]

automatically

Probably this is fine but we might need to add another flag to disable it

libcontainer works this way since 2005:

runc/libcontainer/process_linux.go

Lines 617 to 622 in 2685116

	func (p *initProcess) wait() (*os.ProcessState, error) {
	err := p.cmd.Wait()
	// we should kill all processes in cgroup when init is died if we use host PID namespace
	if p.sharePidns {
	_ = signalAllProcesses(p.manager, unix.SIGKILL)
	}

(Yes, the other peculiarity here is we call kill from wait which is counterintuitive to say at least).

For some reason, runc kill doesn't work this way, thus the need for -a.

I don't think we need a flag to disable this behavior -- there is no use case when you want to kill -9 container init but leave all other processes around.

drop the flag

For compatibility sake, the flag will have to remain as a NOP flag

Sure

[giuseppe]

@giuseppe @cyphar @AkihiroSuda WDYT?

LGTM