Linux Container Development
From: Sukadev Bhattiprolu <sukadev-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>
To: Daniel Lezcano <daniel.lezcano-GANU6spQydw@public.gmane.org>
Cc: Linux Containers
	<containers-qjLDD68F18O7TbgM5vRIOg@public.gmane.org>,
	Ferenc Wagner <wferi-eEbw3PyuezQ@public.gmane.org>
Subject: Re: pid namespace bug ?
Date: Thu, 6 May 2010 13:52:33 -0700
Message-ID: <20100506205233.GA23542@us.ibm.com>
In-Reply-To: <4BE322F1.5030500-GANU6spQydw@public.gmane.org>

Daniel Lezcano [daniel.lezcano-GANU6spQydw@public.gmane.org] wrote:
> Ferenc Wagner wrote:
>
>> I noticed something strange:
>>
>> # lxc-start -n jail -s lxc.mount.entry="/ /tmp/jail none bind 0 0" -s lxc.rootfs=/tmp/jail -s lxc.pivotdir=/mnt /bin/sleep 1000
>> (in another terminal)
>> # lxc-ps --lxc
>> CONTAINER    PID TTY          TIME CMD
>> jail        4173 pts/1    00:00:00 sleep
>> # kill 4173
>> (this does not kill the sleep!)
>> # strace -p 4173
>> Process 4173 attached - interrupt to quit
>> restart_syscall(<... resuming interrupted call ...> = ? ERESTART_RESTARTBLOCK (To be restarted)
>> --- SIGTERM (Terminated) @ 0 (0) ---
>> Process 4173 detached
>> # lxc-ps --lxc
>> CONTAINER    PID TTY          TIME CMD
>> jail        4173 pts/1    00:00:00 sleep
>> # fgrep -i sig /proc/4173/status
>> SigQ:	1/16382
>> SigPnd:	0000000000000000
>> SigBlk:	0000000000000000
>> SigIgn:	0000000000000000
>> SigCgt:	0000000000000000
>> # kill -9 4173
>>
>> That is, the jailed sleep process could be killed by SIGKILL only, even
>> though (according to strace) SIGTERM was delivered and it isn't handled
>> specially.  Why does this happen?

Yes, SIGKILL is the only reliable way to terminate a container-init.
container-init needs to be immune to signals from within the container
but be open to receiving signals from the parent container.  These requirements
complicate the implementation of allowing SIGINT/SIGTERM etc. to
container-init from the parent container.

Besides, a realistic container-init would block such signals, in which case
the complexity in the kernel could be viewed as unnecessary.

Hope that helps,

Sukadev
