From: Daniel Pittman <daniel-zvVxMF7wGoXk1uMJSBkQmQ@public.gmane.org>
To: "Serge E. Hallyn" <serue-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
Cc: Containers <containers-qjLDD68F18O7TbgM5vRIOg@public.gmane.org>,
Oleg Nesterov <oleg-6lXkIZvqkOAvJsYlp49lxw@public.gmane.org>,
Pavel Emelianov <xemul-GEFAQzZX7r8dnm+yROfE0A@public.gmane.org>
Subject: Re: [Devel] [PATCH] Allow signalling container-init
Date: Thu, 09 Aug 2007 11:29:06 +1000 [thread overview]
Message-ID: <87myx1h4wt.fsf@rimspace.net> (raw)
In-Reply-To: <20070809012128.GA16391-6s5zFf/epYLPQpwDFJZrxKsjOiXwFzmk@public.gmane.org> (Serge E. Hallyn's message of "Wed, 8 Aug 2007 20:21:28 -0500")
"Serge E. Hallyn" <serue-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org> writes:
> Quoting Daniel Pittman (daniel-zvVxMF7wGoXk1uMJSBkQmQ@public.gmane.org):
>> sukadev-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org writes:
[...]
>> > TODO: Ideally we should allow killing the container-init only from
>> > ancestor containers and prevent it being killed from that or
>> > descendant containers. But that is a more complex change and
>> > will be addressed by a follow-on patch. For now allow the
>> > container-init to be terminated by any process with sufficient
>> > privileges.
>>
>> This will break, as far as I can see, by allowing the container root to
>> send signals to init that it doesn't expect.
>
> Yes, in the end what we want is for a container init to receive
>
> 1. all signals from a (authorized) process in a parent
> pid namespace.
> 2. for signals sent from inside its pid namespace, only
> exactly those signals for which it has installed a
> custom signal handler, no others.
>
> In other words to a process in an ancestor pid namespace, the init of a
> container is like any other process. To a process inside the namespace
> for which it is init, it is as /sbin/init is to the system now.
That makes sense.
> Actually achieving that without affecting performance for all
> signalers is nontrivial. The current patchset is complex enough that
> I'd like to see us settle on non-optimal semantics for now, and once
> these patches have settled implement the ideal signaling.
I appreciate that. I figured to make you aware that this will make it
impossible to run upstart and, probably, other versions of init in your
container as expected.
Since this was a somewhat subtle bug to track down it is, I think, worth
documenting so that people trying to use this code are aware of the
limitation.
Regards,
Daniel
--
Digital Infrastructure Solutions -- making IT simple, stable and secure
Phone: 0401 155 707 email: contact-gyMb1R/nBgM33TBCqt261WVqPpYm49HuKQEueVp/e6I@public.gmane.org
http://digital-infrastructure.com.au/
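The semantics Serge lays out (signals from an ancestor pid namespace reach the container init, signals from inside it only when init has installed a handler) can be probed on a running kernel; the following is an added example, not code from this thread or from the patch under discussion. It assumes a Linux kernel with pid namespaces and either root or working unprivileged user namespaces, and reports -1 when neither is available; the ancestor-side probe uses SIGKILL, the one signal that is delivered regardless of handlers.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>
#ifndef CLONE_NEWPID              /* in case <sched.h> was seen before _GNU_SOURCE */
#define CLONE_NEWPID 0x20000000
#define CLONE_NEWUSER 0x10000000
#endif
extern int clone(int (*fn)(void *), void *stack, int flags, void *arg, ...);
static void on_usr1(int sig) { (void)sig; _exit(42); }

/* PID 1 of the new namespace, handling only SIGUSR1. A child inside the namespace
 * sends SIGTERM (no handler: init should drop it) then SIGUSR1 (handled: exit 42). */
static int init_inside_probe(void *arg) {
    (void)arg; signal(SIGUSR1, on_usr1);
    if (fork() == 0) { kill(1, SIGTERM); kill(1, SIGUSR1); _exit(0); }
    for (;;) pause();
}
/* PID 1 with no handlers at all; the ancestor namespace will SIGKILL it. */
static int init_outside_probe(void *arg) { (void)arg; for (;;) pause(); }

/* Start fn as init of a fresh pid namespace; when plain CLONE_NEWPID is refused,
 * retry inside an unprivileged user namespace. Returns -1 if neither is allowed. */
static pid_t spawn_ns_init(int (*fn)(void *)) {
    static char stack[1 << 16] __attribute__((aligned(16)));
    void *top = stack + sizeof stack;  /* the stack grows down on x86 and arm */
    pid_t p = clone(fn, top, CLONE_NEWPID | SIGCHLD, NULL);
    if (p < 0 && errno == EPERM)
        p = clone(fn, top, CLONE_NEWPID | CLONE_NEWUSER | SIGCHLD, NULL);
    return p < 0 ? -1 : p;
}
/* How the namespace init ended: exit code, 128+signal if killed, -1 if not run. */
static int reap(pid_t p) {
    int st;
    if (p < 0 || waitpid(p, &st, 0) < 0) return -1;
    return WIFSIGNALED(st) ? 128 + WTERMSIG(st) : WEXITSTATUS(st);
}

/* Expect 42: SIGTERM from inside was dropped, SIGUSR1 was delivered. */
int probe_signals_from_inside(void) { return reap(spawn_ns_init(init_inside_probe)); }
/* Expect 137 (128 + SIGKILL): a sender in the ancestor namespace still wins. */
int probe_sigkill_from_ancestor(void) {
    pid_t p = spawn_ns_init(init_outside_probe);
    if (p > 0) kill(p, SIGKILL);
    return reap(p);
}
int main(void) { printf("%d %d\n", probe_signals_from_inside(), probe_sigkill_from_ancestor()); }
```

A result of 42 and 137 means the kernel drops the unhandled SIGTERM sent from inside the namespace while still honouring the ancestor's SIGKILL; an init like upstart that relies on receiving signals it has no handler for would not see them.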