:bug: ensure envtest stops the whole process group by dnwe · Pull Request #3447 · kubernetes-sigs/controller-runtime

dnwe · 2026-02-02T15:28:38Z

Previous PR #2560 attempted to prevent envtest from leaking orphaned etcd / kube-apiserver etc. processes by adding a SysProcAttr of Setpgid: true. However, it made a few mistakes:

It incorrectly described the change as causing the process to "inherit the parent's process group id", which is the opposite of what it does. In fact it causes a brand new process group to be created for the child process, which is the actual behaviour we want, so correct the comment.
Whilst it added a new process group, it didn't update the signalling to send SIGTERM (and eventually SIGKILL) to the process group (by using a - prefix) and was still just sending the signal to the process itself [1].
It didn't add a unittest to assert on the desired behaviour before and after the changes.

While with this PR the whole process group is stopped when stopping envtest, this doesn't really result in behavioral changes because the processsgroup consists of one process in all circumstances (either kas or etcd).

[1] https://medium.com/@felixge/killing-a-child-process-and-all-of-its-children-in-go-54079af94773

k8s-ci-robot · 2026-02-02T15:28:48Z

Welcome @dnwe!

It looks like this is your first PR to kubernetes-sigs/controller-runtime 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/controller-runtime has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

k8s-ci-robot · 2026-02-02T15:28:49Z

Hi @dnwe. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

alvaroaleman · 2026-02-03T04:47:14Z

/ok-to-test

A previous pull request attempted to prevent envtest from leaking orphaned etcd / kube-apiserver etc. processes by adding a SysProcAttr of `Setpgid: true`. However, it made a few mistakes: - It incorrectly described the change as causing the process to "inherit the parent's process group id", which is the opposite of what it does. In fact it causes a brand new process group to be created for the child process, which is the actual behaviour we want, so correct the comment. - Whilst it added a new process group, it didn't update the signalling to send SIGTERM (and eventually SIGKILL) to the process group (by using a `-` prefix) and was still just sending the signal to the process itself. - It didn't add a unittest to assert on the desired behaviour before and after the changes. This PR should hopefully fix all of those problems and result in fewer process leaks. Signed-off-by: Dominic Evans <dominic.evans@uk.ibm.com>

alvaroaleman · 2026-02-06T01:04:15Z

 // GetSysProcAttr returns the SysProcAttr to use for the process,
 // for unix systems this returns a SysProcAttr with Setpgid set to true,
-// which inherits the parent's process group id.
+// which creates a new process group for the child process.


While your updated description is correctly describing what already happened, I am not sure I understand why that actually matters. Unless I am missing something, we directly start the apiserver and etcd binary without an intermediate like a shell so it shouldn't make a difference if we send a signal to them directly or to the processgroup?

I've seen the stale etcd and apiserver processes too, but my theory would be that happens because the test dies and Stop() doesn't run, not because the cleanup is buggy. But maybe I am missing something here?

Ah yes sadly you're right I think that this won't help the etcd/apiserver case. I hadn't actually checked how they were being started, I'd just spotted the leaking processes and then found #2560 which looked a bit wrong.

As you say, it seems like in pkg/internal/testing/controlplane/plane.go we just start them one after the other as singleton processes. So I think the PR is still right, in that it corrects the behaviour when a group of processes is spawned, but it's more of a housekeeping thing rather than actually improving the enduser experience when running envtest 😔

Would it make sense to slightly change the PR description (and PR title) to surface that this won't change anything for envtest?

alvaroaleman

Thanks!

k8s-ci-robot · 2026-02-09T17:12:04Z

LGTM label has been added.

Details

Git tree hash: 3916cadbe6f68a45ee0daef4f00af73c88272893

k8s-ci-robot · 2026-02-09T17:12:14Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: alvaroaleman, dnwe

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

~~OWNERS~~ [alvaroaleman]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

k8s-ci-robot added the do-not-merge/invalid-commit-message Indicates that a PR should not merge because it has an invalid commit message. label Feb 2, 2026

k8s-ci-robot requested a review from FillZpp February 2, 2026 15:28

k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Feb 2, 2026

k8s-ci-robot requested a review from inteon February 2, 2026 15:28

k8s-ci-robot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Feb 2, 2026

k8s-ci-robot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Feb 2, 2026

dnwe force-pushed the use-process-group branch 3 times, most recently from 755af69 to b909de1 Compare February 2, 2026 15:55

k8s-ci-robot removed the do-not-merge/invalid-commit-message Indicates that a PR should not merge because it has an invalid commit message. label Feb 2, 2026

k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Feb 3, 2026

dnwe force-pushed the use-process-group branch 4 times, most recently from 6aaf6a1 to 48df3b6 Compare February 4, 2026 20:27

dnwe force-pushed the use-process-group branch from 48df3b6 to 6c7ba77 Compare February 4, 2026 21:41

alvaroaleman reviewed Feb 6, 2026

View reviewed changes

alvaroaleman approved these changes Feb 9, 2026

View reviewed changes

k8s-ci-robot assigned alvaroaleman Feb 9, 2026

k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Feb 9, 2026

k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Feb 9, 2026

k8s-ci-robot merged commit 2053ba3 into kubernetes-sigs:main Feb 9, 2026
10 checks passed

dnwe deleted the use-process-group branch February 9, 2026 17:30

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

🐛 ensure envtest stops the whole process group#3447

🐛 ensure envtest stops the whole process group#3447
k8s-ci-robot merged 1 commit intokubernetes-sigs:mainfrom
dnwe:use-process-group

dnwe commented Feb 2, 2026 •

edited by sbueringer

Loading

Uh oh!

k8s-ci-robot commented Feb 2, 2026

Uh oh!

k8s-ci-robot commented Feb 2, 2026

Uh oh!

alvaroaleman commented Feb 3, 2026

Uh oh!

alvaroaleman Feb 6, 2026

Uh oh!

dnwe Feb 7, 2026

Uh oh!

sbueringer Feb 11, 2026 •

edited

Loading

Uh oh!

alvaroaleman left a comment

Uh oh!

k8s-ci-robot commented Feb 9, 2026

Uh oh!

k8s-ci-robot commented Feb 9, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

Conversation

dnwe commented Feb 2, 2026 • edited by sbueringer Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

k8s-ci-robot commented Feb 2, 2026

Uh oh!

k8s-ci-robot commented Feb 2, 2026

Uh oh!

alvaroaleman commented Feb 3, 2026

Uh oh!

alvaroaleman Feb 6, 2026

Choose a reason for hiding this comment

Uh oh!

dnwe Feb 7, 2026

Choose a reason for hiding this comment

Uh oh!

sbueringer Feb 11, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

alvaroaleman left a comment

Choose a reason for hiding this comment

Uh oh!

k8s-ci-robot commented Feb 9, 2026

Uh oh!

k8s-ci-robot commented Feb 9, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

dnwe commented Feb 2, 2026 •

edited by sbueringer

Loading

sbueringer Feb 11, 2026 •

edited

Loading