Process descendants

Question

I'm trying to build a process container. The container will trigger other programs. For example - a bash script that launches running background tasks with '&' usage.

The important feature I'm after is this: when I kill the container, everything that has been spawned under it should be killed. Not just direct children, but their descendants too.

When I started this project, I mistakenly believed that when you killed a process its children were automatically killed too. I've sought advice from people who had the same incorrect idea. While it's possible to catch a signal and pass the kill on to children, that's not what I'm looking for here.

I believe what I want to be achievable, because when you close an xterm, anything that was running within it is killed unless it was nohup'd. This includes orphaned processes. That's what I'm looking to recreate.

I have an idea that what I'm loooking for involves unix sessions.

If there was a reliable way to identify all the descendants of a process, it would be useful to be able to send them arbitrary signals, too. e.g. SIGUSR1.

Answer 1

If you send a signal to a process, that process gets killed. I wonder how the rumor that killing a process also kills other processes got started, it seems particularly counter-intuitive.

There are, however, ways to kill more than one process. But you won't be sending a signal to one process. You can kill a whole process group by sending a signal to -1234 where 1234 is the PGID (process group ID), which is the PID of the process group leader. When you run a pipeline, the whole pipeline starts out as a process group (the applications may change this by calling setpgid or setpgrp).

When you start processes in the background (foo &), they are in their own process group. Process groups are used to manage access to the terminal; normally only the foreground process group has access to the terminal. The background jobs remain in the same session, but there's no facility to kill a whole session or even to enumerate the process groups or processes in a session, so that doesn't help much.

When you close a terminal, the kernel sends the signal SIGHUP to all processes that have it as their controlling terminal. These processes form a session, but not all sessions have a controlling terminal. For your project, one possibility is therefore to start all the processes in their own terminal, created by script, screen, etc. Kill the terminal emulator process to kill the contained processes (assuming they haven't seceded with setsid).

You can provide more isolation by running the processes as their own user, who doesn't do anything else. Then it's easy to kill all the processes: run kill (the system call or the utility) as that user and use -1 as the PID argument to kill, meaning “all of that user's processes”.

You can provide even more isolation, but with considerably more setup by running the contained processes in an actual container.

Answer 2

A reliable way to identiry all the descendants of a process is to use the command pstree <pid> where pid is your parent process id.

Read the man page on pstree here.

To signal all members of a process group: killpg(<pgrp>, <sig>);
where pgrp is the process group number and sig is the signal.

To wait for children in a specified process group: waitpid(-<pgrp>, &status, ...);

An alternative to what you're doing is to run your process container in a new bash shell. Create the new bash shell with the command bash and then run your processes. When you want all processes to be ended, exit the shell with the command exit.

Answer 3

Within the parent script trap the kill signal and have it kill all the children. For example,

#!/bin/bash
# kill the parent and children together
trap "kill 0" EXIT
# create all the children
for n in $(seq 1 100)
do
    ( echo "begin $n"; sleep 60; echo "end $n" ) &
done
# wait for the children to complete
wait

Answer 4

You could use this kind of shell script:

set -m; (
# start the processes in this container:
...
) & set +m; pid=$!
...
# terminate the container:
kill -- -"$pid"

The trick is to enable job control for the container subshell so that the processes executed there get common unique process group ID, which you can use by the given kill command to kill all the processes.

Answer 5

Use

unshare -fp --kill-child -- yourprogram

If you kill unshare, all child processes (that yourprogram may have spawned) will be killed.

This is now possible with util-linux 2.32; I implemented this upstream. It requires either user namespaces (kernel config option CONFIG_USER_NS=y) or root privileges. See also here.

Answer 6

rkill command from pslist package sends given signal (or SIGTERM by default) to specified process and all its descendants:

rkill [-SIG] pid/name...

Answer 7

Another option for killing all descendants of the shell: jobs -p | xargs -n 1 pkill -P

Answer 8

At least if you use Bash (5.0.17), you could use the following:

    #!/bin/bash -m
    set +m
    trap 'kill -- -$$' EXIT
    process1 &
    process2 &
    ....
    wait

There are some problems if you send USR1 signal to the process group, though.

If you use dash (0.5.10.2), set +m will switch process group to match the process group of the caller, thus killing this process (group) would kill the caller, too.

Answer 9

pgrep -P ppid: Restrict matches to processes with a parent process ID in the comma-separated list ppid.

# ZSH code
function ps-children() {
    pgrep -P "$1"
}
function ps-grandchildren() {
  local children=( $(ps-children "$1") ) pid
for pid in $children[@]
  do
    "$0" "$pid"
  done
print -r -- "${(F)children}"
}
function kill-withchildren() {
    setopt localoptions re_match_pcre
    local sig=2
    if [[ "$1" =~ '-\d+' ]] ; then
        sig="$1"
        shift
    fi
    local pids=("$@") pid
for pid in "$pids[@]" ; do
    local children=("${(@f)$(ps-grandchildren "$pid")}")
    kill -$sig "$pid" "$children[@]"
done

}