oci: fix race when the container exits before start returns

[giuseppe]

fix a race when the container process exits faster than we are
notified from the OCI runtime start command. When it happens, the
cleanup process exits immediately as the container is reported as
running. Do the check while we hold the lock, so we won't release it
with an invalid status.

Reproducer:
NOTIFY_SOCKET=/run/user/1000/notify podman run fedora sh -c ' echo hello'

Signed-off-by: Giuseppe Scrivano gscrivan@redhat.com

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: giuseppe

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [giuseppe]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[mheon]

The cleanup process exiting immediately shouldn't happen - it should wait until start is done, then sync state and pick up that the container is running...

So if this actually fixes us, we still have some serious issues. This patch can't hurt, though, let me test.

[mheon]

This does fix it. Which means that locking isn't working.

That's really, really not good.

[mheon]

Trivial test indicates that locking does seem to work for rootless.

[mheon]

I know what this is. This isn't the fix.

[mheon]

The actual issue:

StartAndAttach() runs container.attach() in a goroutine. container.attach() can start the container, which changes its state, and as such needs to hold the lock. However, we return before the goroutine completes - so defer lock.Unlock() fires and start happens when the lock is not held.

[mheon]

#3127 to fix