From: Sukadev Bhattiprolu <sukadev@linux.vnet.ibm.com>
To: oleg@redhat.com, ebiederm@xmission.com, roland@redhat.com,
bastian@waldi.eu.org
Cc: daniel@hozac.com, xemul@openvz.org, containers@lists.osdl.org,
linux-kernel@vger.kernel.org
Subject: [PATCH 0/7][v7] Container-init signal semantics
Date: Sat, 17 Jan 2009 12:26:38 -0800
Message-ID: <20090117202638.GA11825@us.ibm.com>

Container-init must behave like global-init to processes within the
container and hence it must be immune to unhandled fatal signals from
within the container (i.e. SIG_DFL signals that terminate the process).
But the same container-init must behave like a normal process to
processes in ancestor namespaces and so if it receives the same fatal
signal from a process in an ancestor namespace, the signal must be
processed.

Implementing these semantics requires that send_signal() determine the pid
namespace of the sender, but since signals can originate from workqueues/
interrupt-handlers, determining the pid namespace of the sender may not always
be possible or safe.

This patchset implements the design/simplified semantics suggested by
Oleg Nesterov. The simplified semantics for container-init are:

  - container-init must never be terminated by a signal from a
    descendant process.

  - container-init must never be immune to SIGKILL from an ancestor
    namespace (so a process in the parent namespace must always be able
    to terminate a descendant container).

  - container-init may be immune to unhandled fatal signals (like
    SIGUSR1) even if they are from an ancestor namespace (SIGKILL is
    the only reliable signal from an ancestor namespace).

Patches in this set:

  [PATCH 1/7] Remove 'handler' parameter to tracehook functions
  [PATCH 2/7] Protect init from unwanted signals more
  [PATCH 3/7] Add from_ancestor_ns parameter to send_signal()
  [PATCH 4/7] Protect cinit from unblocked SIG_DFL signals
  [PATCH 5/7] Protect cinit from blocked fatal signals
  [PATCH 6/7] SI_USER: Masquerade si_pid when crossing pid ns boundary
  [PATCH 7/7] proc: Show SIG_DFL signals to init as "ignored" signals

Changelog[v7]:
  - siginfo_from_user() and siginfo_from_ancestor_ns() are fairly simple
    and used only in send_signal(). Remove them and move the logic into
    send_signal() (Drop old patch 4, update new patch 4/7)
  - Update /proc/pid/status to include SIG_DFL signals to init in the
    "ignored" set (and remove the TODO in Patch 0/7) (Patch 7/7)

Changelog[v6]:
  - Patches 3,4: Have kill_pid_info_as_uid() pass in 'from_ancestor_ns'
    parameter to __send_signal() and remove SI_ASYNCIO check in
    siginfo_from_user().
  - Patches 4,6: Update changelog and simplify code

Changelog[v5]:
  - Patch 2/6: Remove SIG_IGN check in sig_task_ignored() and let
    sig_handler_ignored() check SIG_IGN.
  - Patch 3/6: Put siginfo_from_ancestor_ns() back under CONFIG_PID_NS
    and remove warning in rt_sigqueueinfo().
  - (Patch 5/6) Simplify check in get_signal_to_deliver()
  - (Patch 6/6) Simplify masquerading pid
  - LTP-20081219-intermediate showed no new errors on 2.6.28-rc5-mm2.

Changelog[v4]:
  - [Bugfix] Patch 3/7: Check ns == NULL in siginfo_from_ancestor_ns().
    Although http://lkml.org/lkml/2008/12/16/502 makes it less likely
    that ns == NULL, looks like an explicit check won't hurt?
  - Remove SIGNAL_UNKILLABLE_FROM_NS flag and simplify logic as
    suggested by Oleg Nesterov.
  - Dropped patch that set SIGNAL_UNKILLABLE_FROM_NS and set
    SIGNAL_UNKILLABLE in patch 5/7 to be bisect-safe.
  - Add a warning in rt_sigqueueinfo() if SI_ASYNCIO is used
    (patch 3/7)
  - Added two patches (6/7 and 7/7) to masquerade si_pid for
    SI_USER and SI_TKILL

Changelog[v3]:
  Changes based on discussions of previous version:
  http://lkml.org/lkml/2008/11/25/458

  Major changes:
  - Define SIGNAL_UNKILLABLE_FROM_NS and use in container-inits to
    skip fatal signals from same namespace but process SIGKILL/SIGSTOP
    from ancestor namespace.
  - Use SI_FROMUSER() and si_code != SI_ASYNCIO to determine if
    it is safe to dereference pid-namespace of caller. Highly
    experimental :-)
  - Masquerading si_pid when crossing namespace boundary: relevant
    patches merged in -mm and dropped from this set.

  Minor changes:
  - Remove 'handler' parameter to tracehook functions
  - Update sig_ignored() to drop SIG_DFL signals to global init early
    (tried to address Roland's and Oleg's comments)
  - Use 'same_ns' flag to drop SIGKILL/SIGSTOP to cinit from same
    namespace

Limitations/side-effects of current design
  - Container-init is immune to suicide - kill(getpid(), SIGKILL) is
    ignored. Use exit() :-)
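The three rules above, plus the global-init case and the "immune to suicide" side-effect, fit in one decision table. The following userspace model is an added illustration and is not part of the patch series or of the kernel: it does not reproduce send_signal(), sig_ignored() or get_signal_to_deliver(), and the names model_send_signal(), target_kind, handler_state and outcome are invented here. The from_ancestor_ns argument stands in for the parameter patch 3/7 adds to send_signal(). Where the cover letter says container-init "may be immune" to SIG_DFL fatal signals such as SIGUSR1 from an ancestor namespace, the model takes the conservative reading and drops them, so that SIGKILL is the only signal an ancestor can rely on. Job-control and default-ignored signals are treated as taking their usual default action; only signals whose default is termination are subject to the rules.

```c
/* Userspace model of the container-init signal rules from the cover letter.
 * Added illustration, not kernel code: the real decisions live in
 * send_signal()/sig_ignored() and get_signal_to_deliver(), which are not
 * reproduced here. All identifiers below are invented for the model. */
#include <signal.h>
#include <stdbool.h>
#include <stdio.h>

enum target_kind   { TARGET_NORMAL, TARGET_GLOBAL_INIT, TARGET_CONTAINER_INIT };
enum handler_state { HANDLER_DEFAULT, HANDLER_IGNORED, HANDLER_USER };
enum outcome       { OUTCOME_DROPPED, OUTCOME_DELIVERED, OUTCOME_TERMINATED };

/* True for signals whose SIG_DFL action terminates the process. Job-control
 * and default-ignored signals are listed explicitly; the rest of the classic
 * POSIX set (SIGTERM, SIGUSR1, SIGSEGV, SIGKILL, ...) is fatal by default. */
static bool default_is_fatal(int sig)
{
    switch (sig) {
    case SIGCHLD: case SIGURG:  case SIGWINCH: case SIGCONT:
    case SIGSTOP: case SIGTSTP: case SIGTTIN:  case SIGTTOU:
        return false;
    default:
        return true;
    }
}

/* Decide what happens when `sig` is sent to `target`. `from_ancestor_ns`
 * mirrors the from_ancestor_ns parameter the series adds to send_signal();
 * `handler` is the receiver's current disposition for `sig`. */
enum outcome model_send_signal(enum target_kind target, int sig,
                               bool from_ancestor_ns, enum handler_state handler)
{
    bool uncatchable = (sig == SIGKILL || sig == SIGSTOP);

    /* Ordinary disposition rules first: SIGKILL/SIGSTOP can be neither
     * caught nor ignored, everything else honours the handler. */
    if (!uncatchable && handler == HANDLER_IGNORED)
        return OUTCOME_DROPPED;
    if (!uncatchable && handler == HANDLER_USER)
        return OUTCOME_DELIVERED;   /* handled signals reach any init */

    /* From here on the disposition is SIG_DFL. Non-fatal defaults apply. */
    if (!default_is_fatal(sig))
        return OUTCOME_DELIVERED;

    switch (target) {
    case TARGET_NORMAL:
        return OUTCOME_TERMINATED;
    case TARGET_GLOBAL_INIT:
        /* Global init has no ancestor namespace, so every sender is "within
         * the container": unhandled fatal signals are dropped. */
        return OUTCOME_DROPPED;
    case TARGET_CONTAINER_INIT:
        /* Rule 1: never terminated by a same-namespace or descendant sender
         * (which is also why kill(getpid(), SIGKILL) is ignored). */
        if (!from_ancestor_ns)
            return OUTCOME_DROPPED;
        /* Rule 2: SIGKILL from an ancestor namespace always terminates.
         * Rule 3: other SIG_DFL fatal signals from an ancestor are dropped
         * in this model (the conservative reading of "may be immune"). */
        return sig == SIGKILL ? OUTCOME_TERMINATED : OUTCOME_DROPPED;
    }
    return OUTCOME_DROPPED;
}

static const char *outcome_name(enum outcome o)
{
    return o == OUTCOME_DROPPED   ? "dropped"
         : o == OUTCOME_DELIVERED ? "delivered" : "terminates";
}

int main(void)
{
    /* Constructed cases covering each rule; not taken from any test suite. */
    struct { const char *desc; enum target_kind t; int sig; bool anc; enum handler_state h; } cases[] = {
        { "cinit, SIGKILL from own namespace (suicide)",    TARGET_CONTAINER_INIT, SIGKILL, false, HANDLER_DEFAULT },
        { "cinit, SIGKILL from parent namespace",           TARGET_CONTAINER_INIT, SIGKILL, true,  HANDLER_DEFAULT },
        { "cinit, SIGUSR1 (SIG_DFL) from parent namespace", TARGET_CONTAINER_INIT, SIGUSR1, true,  HANDLER_DEFAULT },
        { "cinit, SIGUSR1 with a handler, from a child",    TARGET_CONTAINER_INIT, SIGUSR1, false, HANDLER_USER    },
        { "global init, SIGKILL",                           TARGET_GLOBAL_INIT,    SIGKILL, false, HANDLER_DEFAULT },
        { "normal process, SIGTERM (SIG_DFL)",              TARGET_NORMAL,         SIGTERM, false, HANDLER_DEFAULT },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-50s -> %s\n", cases[i].desc,
               outcome_name(model_send_signal(cases[i].t, cases[i].sig, cases[i].anc, cases[i].h)));
    return 0;
}
```

The point the table makes visible is that the decision depends on three things at once: the receiver's disposition, whether the sender is in an ancestor namespace, and whether the signal is SIGKILL. Only the last combination (SIG_DFL, ancestor, SIGKILL) is guaranteed to stop a container-init, which is exactly the property a supervisor in the parent namespace needs.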