Fix race condition in ContainersService.create()#721
Merged
dcantah merged 2 commits intoOct 9, 2025
Conversation
Wrap the entire create() method with lock.withLock to prevent race conditions when creating containers with the same name concurrently. Without the lock, two simultaneous create calls could both pass the existence check and race to create the same directory, resulting in filesystem errors instead of proper 'container already exists' errors. Fixes apple#692
dcantah
approved these changes
Oct 9, 2025
3 tasks
dkovba
reviewed
Oct 9, 2025
Contributor
There was a problem hiding this comment.
@bismansahni Thank you for the contribution!
Should we do the same in the methods below?
createProcess()stop()delete()_cleanup()
saehejkang
pushed a commit
to saehejkang/container
that referenced
this pull request
Oct 9, 2025
Fixes apple#692 This PR resolves a race condition in `ContainersService.create()` that occurs when creating containers with the same name concurrently.
7 tasks
Ronitsabhaya75
pushed a commit
to Ronitsabhaya75/container
that referenced
this pull request
Oct 16, 2025
Fixes apple#692 This PR resolves a race condition in `ContainersService.create()` that occurs when creating containers with the same name concurrently.
Ronitsabhaya75
pushed a commit
to Ronitsabhaya75/container
that referenced
this pull request
Oct 16, 2025
Fixes apple#692 This PR resolves a race condition in `ContainersService.create()` that occurs when creating containers with the same name concurrently.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes #692
This PR resolves a race condition in
ContainersService.create()that occurs when creating containers with the same name concurrently.Changes
create()method body withlock.withLockto ensure atomic container creationawaitkeywords for actor isolation when accessingself.containerswithin the lock closuresetContainerState()with contextProblem
Without the lock, two concurrent
create()calls could both pass the existence check at line 133 and proceed to create the same container directory, resulting in filesystem errors like:Solution
By wrapping the entire method with
lock.withLock, only one container creation can proceed at a time. The second concurrent call will now properly receive:This follows the same pattern used in other methods like
bootstrap(),startProcess(), anddelete().Testing
make test)swift build)ContainersService#692