From: Daniel Pittman <daniel-zvVxMF7wGoXk1uMJSBkQmQ@public.gmane.org>
To: "Serge E. Hallyn" <serue-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
Cc: Containers <containers-qjLDD68F18O7TbgM5vRIOg@public.gmane.org>,
Oleg Nesterov <oleg-6lXkIZvqkOAvJsYlp49lxw@public.gmane.org>,
Pavel Emelianov <xemul-GEFAQzZX7r8dnm+yROfE0A@public.gmane.org>
Subject: Re: [Devel] [PATCH] Allow signalling container-init
Date: Thu, 09 Aug 2007 11:29:06 +1000 [thread overview]
Message-ID: <87myx1h4wt.fsf@rimspace.net> (raw)
In-Reply-To: <20070809012128.GA16391-6s5zFf/epYLPQpwDFJZrxKsjOiXwFzmk@public.gmane.org> (Serge E. Hallyn's message of "Wed, 8 Aug 2007 20:21:28 -0500")
"Serge E. Hallyn" <serue-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org> writes:
> Quoting Daniel Pittman (daniel-zvVxMF7wGoXk1uMJSBkQmQ@public.gmane.org):
>> sukadev-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org writes:
[...]
>> > TODO: Ideally we should allow killing the container-init only from
>> > ancestor containers and prevent it being killed from that or
>> > descendant containers. But that is a more complex change and
>> > will be addressed by a follow-on patch. For now allow the
>> > container-init to be terminated by any process with sufficient
>> > privileges.
>>
>> This will break, as far as I can see, by allowing the container root to
>> send signals to init that it doesn't expect.
>
> Yes, in the end what we want is for a container init to receive
>
> 1. all signals from a (authorized) process in a parent
> pid namespace.
> 2. for signals sent from inside it's pid namespace, only
> exactly those signals for which it has installed a
> custom signal handler, no others.
>
> In other words to a process in an ancestor pid namespace, the init of a
> container is like any other process. To a process inside the namespace
> for which it is init, it is as /sbin/init is to the system now.
That makes sense.
> Actually achieving that without affecting performance for all
> signalers is nontrivial. The current patchset is complex enough that
> I'd like to see us settle on non-optimal semantics for now, and once
> these patches have settled implement the ideal signaling.
I appreciate that. I figured to make you aware that this will make it
impossible to run upstart and, probably, other versions of init in your
container as expected.
Since this was a somewhat subtle bug to track down it is, I think, work
documenting so that people trying to use this code are aware of the
limitation.
Regards,
Daniel
--
Digital Infrastructure Solutions -- making IT simple, stable and secure
Phone: 0401 155 707 email: contact-gyMb1R/nBgM33TBCqt261WVqPpYm49HuKQEueVp/e6I@public.gmane.org
http://digital-infrastructure.com.au/
next prev parent reply other threads:[~2007-08-09 1:29 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-08-08 23:47 [PATCH] Allow signalling container-init sukadev-r/Jw6+rmf7HQT0dZR+AlfA
[not found] ` <20070808234737.GA18334-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2007-08-09 0:02 ` Oleg Nesterov
[not found] ` <20070809000234.GA967-6lXkIZvqkOAvJsYlp49lxw@public.gmane.org>
2007-08-09 7:29 ` sukadev-r/Jw6+rmf7HQT0dZR+AlfA
[not found] ` <20070809072933.GD23175-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2007-08-09 7:55 ` Oleg Nesterov
[not found] ` <20070809075535.GA115-6lXkIZvqkOAvJsYlp49lxw@public.gmane.org>
2007-08-09 10:47 ` Pavel Emelyanov
[not found] ` <46BAF0CB.2070202-GEFAQzZX7r8dnm+yROfE0A@public.gmane.org>
2007-08-10 0:48 ` sukadev-r/Jw6+rmf7HQT0dZR+AlfA
[not found] ` <20070810004812.GB2850-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2007-08-10 10:53 ` Oleg Nesterov
2007-08-09 0:46 ` [Devel] " Daniel Pittman
[not found] ` <87vebph6vq.fsf-zvVxMF7wGoXk1uMJSBkQmQ@public.gmane.org>
2007-08-09 1:21 ` Serge E. Hallyn
[not found] ` <20070809012128.GA16391-6s5zFf/epYLPQpwDFJZrxKsjOiXwFzmk@public.gmane.org>
2007-08-09 1:29 ` Daniel Pittman [this message]
[not found] ` <87myx1h4wt.fsf-zvVxMF7wGoXk1uMJSBkQmQ@public.gmane.org>
2007-08-09 14:42 ` Serge E. Hallyn
2007-08-09 8:16 ` Kirill Korotaev
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87myx1h4wt.fsf@rimspace.net \
--to=daniel-zvvxmf7wgoxk1umjsbkqmq@public.gmane.org \
--cc=containers-qjLDD68F18O7TbgM5vRIOg@public.gmane.org \
--cc=oleg-6lXkIZvqkOAvJsYlp49lxw@public.gmane.org \
--cc=serue-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org \
--cc=xemul-GEFAQzZX7r8dnm+yROfE0A@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox