changelog: update Jailer limitations and suggestions

Sudan Landge · wearyzen · commit 55a7f8ba6cb1 · 2024-02-13T16:35:35.000Z
There was a change in behaviour introduced in Jailer because of which
killing the Jailer does not kill the Firecracker process.
Highlight the change in behaviour and suggested workaround in the
CHANGELOG and Jailer doc.

Signed-off-by: Sudan Landge &lt;sudanl@amazon.com&gt;
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -46,6 +46,19 @@ and this project adheres to
   This fixes a bug where a microVM with incompatible balloon and guest memory
   size could be booted, due to the check for this condition happening after
   Firecracker's configuration was updated.
+- [#4259](https://github.com/firecracker-microvm/firecracker/pull/4259): Added a
+  double fork mechanism in the Jailer to avoid setsid() failures occurred while
+  running Jailer as the process group leader. However, this changed the
+  behaviour of Jailer and now the Firecracker process will always have a
+  different PID than the Jailer process.
+  [#4436](https://github.com/firecracker-microvm/firecracker/pull/4436): Added a
+  "Known Limitations" section in the Jailer docs to highlight the above change
+  in behaviour introduced in PR#4259.
+  [#4442](https://github.com/firecracker-microvm/firecracker/pull/4442): As a
+  solution to the change in behaviour introduced in PR#4259, provided a
+  mechanism to reliably fetch Firecracker PID. With this change, Firecracker
+  process's PID will always be available in the Jailer's root directory
+  regardless of whether new_pid_ns was set.
 
 ## \[1.6.0\]
 
diff --git a/docs/jailer.md b/docs/jailer.md
@@ -280,10 +280,13 @@ Note: default value for `<api-sock>` is `/run/firecracker.socket`.
 ### Known limitations
 
 - When passing the --daemonize option to Firecracker without the --new-ns-pid
-  option, the Firecracker process will have a different pid than the Jailer
-  process. The suggested workaround to get Firecracker process's pid in this
-  case is using `--new-pid-ns` flag and read Firecracker's pid from the
-  `firecracker.pid` file present in the jailer's root directory.
+  option, the Firecracker process will have a different PID than the Jailer
+  process and killing the Jailer will not kill the Firecracker process. As a
+  workaround to get Firecracker PID, the Jailer stores the PID of the child
+  process in the jail root directory inside `<exec_file_name>.pid` for all cases
+  regardless of whether `--new-pid-ns` was provided. The suggested way to fetch
+  Firecracker's PID when using the Jailer is to read the `firecracker.pid` file
+  present in the Jailer's root directory.
 
 ## Caveats
 
