From: Daniel Lezcano <daniel.lezcano-GANU6spQydw@public.gmane.org>
To: Sukadev Bhattiprolu
	<sukadev-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>
Cc: Linux Containers
	<containers-qjLDD68F18O7TbgM5vRIOg@public.gmane.org>,
	Ferenc Wagner <wferi-eEbw3PyuezQ@public.gmane.org>
Subject: Re: pid namespace bug ?
Date: Fri, 07 May 2010 10:51:57 +0200
Message-ID: <4BE3D4AD.1030705@free.fr>
In-Reply-To: <20100506205233.GA23542-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>

Sukadev Bhattiprolu wrote:
> Daniel Lezcano [daniel.lezcano-GANU6spQydw@public.gmane.org] wrote:
>
>> Ferenc Wagner wrote:
>>
>>
>>> I noticed something strange:
>>>
>>> # lxc-start -n jail -s lxc.mount.entry="/ /tmp/jail none bind 0 0" -s lxc.rootfs=/tmp/jail -s lxc.pivotdir=/mnt /bin/sleep 1000
>>> (in another terminal)
>>> # lxc-ps --lxc
>>> CONTAINER    PID TTY          TIME CMD
>>> jail        4173 pts/1    00:00:00 sleep
>>> # kill 4173
>>> (this does not kill the sleep!)
>>> # strace -p 4173
>>> Process 4173 attached - interrupt to quit
>>> restart_syscall(<... resuming interrupted call ...> = ? ERESTART_RESTARTBLOCK (To be restarted)
>>> --- SIGTERM (Terminated) @ 0 (0) ---
>>> Process 4173 detached
>>> # lxc-ps --lxc
>>> CONTAINER    PID TTY          TIME CMD
>>> jail        4173 pts/1    00:00:00 sleep
>>> # fgrep -i sig /proc/4173/status
>>> SigQ:	1/16382
>>> SigPnd:	0000000000000000
>>> SigBlk:	0000000000000000
>>> SigIgn:	0000000000000000
>>> SigCgt:	0000000000000000
>>> # kill -9 4173
>>>
>>> That is, the jailed sleep process could be killed by SIGKILL only, even
>>> though (according to strace) SIGTERM was delivered and it isn't handled
>>> specially.  Why does this happen?
>>>
>
> Yes, SIGKILL is the only reliable way to terminate a container-init.
> container-init needs to be immune to signals from within the container
> but be open to receiving signals from the parent container.  These requirements
> complicate the implementation of allowing SIGINT/SIGTERM etc. to
> container-init from the parent container.
>
> Besides, a realistic container-init would block such signals, in which case
> the complexity in the kernel could be viewed as unnecessary.
>

I am not sure it is good to have the pid 1 immune to signals sent 
from outside of the container.
From the POV of the parent process, the container init is like any 
other process and it may want to kill it with a signal (for notification 
or just to terminate it instead of killing it).

If the container init is a real init pid, these signals will be blocked, 
but if we launch something different, e.g. a 'sleep', Ctrl+C won't work. 
e.g.: lxc-start -n foo sleep 3600 is not interruptible.

That's a bit annoying if we need to plug the container into batch 
managers or use them with HPC jobs.
