From: Daniel Lezcano <daniel.lezcano@free.fr>
To: Sukadev Bhattiprolu <sukadev@linux.vnet.ibm.com>
Cc: Andrew Morton <akpm@osdl.org>,
linux-kernel@vger.kernel.org,
"Eric W. Biederman" <ebiederm@xmission.com>,
Containers <containers@lists.osdl.org>,
Oleg Nesterov <oleg@tv-sign.ru>,
roland@redhat.com, Greg Kurz <gkurz@fr.ibm.com>
Subject: Re: [PATCH 0/7][v8] Container-init signal semantics
Date: Thu, 19 Feb 2009 15:59:20 +0100 [thread overview]
Message-ID: <499D73C8.3090209@free.fr> (raw)
In-Reply-To: <20090219030207.GA18783@us.ibm.com>
Sukadev Bhattiprolu wrote:
> Patch 5/7 is new in this set and fixes a bug. Remaining patches are
> just a forward-port from previous version and I believe they address
> all comments I have received.
>
> Oleg please sign-off/ack if you agree.
>
> ---
>
> Container-init must behave like global-init to processes within the
> container and hence it must be immune to unhandled fatal signals from
> within the container (i.e SIG_DFL signals that terminate the process).
>
> But the same container-init must behave like a normal process to
> processes in ancestor namespaces and so if it receives the same fatal
> signal from a process in ancestor namespace, the signal must be
> processed.
>
> Implementing these semantics requires that send_signal() determine pid
> namespace of the sender but since signals can originate from workqueues/
> interrupt-handlers, determining pid namespace of sender may not always
> be possible or safe.
>
> This patchset implements the design/simplified semantics suggested by
> Oleg Nesterov. The simplified semantics for container-init are:
>
> - container-init must never be terminated by a signal from a
> descendant process.
>
> - container-init must never be immune to SIGKILL from an ancestor
> namespace (so a process in parent namespace must always be able
> to terminate a descendant container).
>
> - container-init may be immune to unhandled fatal signals (like
> SIGUSR1) even if they are from ancestor namespace. SIGKILL/SIGSTOP
> are the only reliable signals to a container-init from ancestor
> namespace.
>
Hi Suka,
I agree with these semantics, they look good.
What is planned to have the init process to die when a system container
shuts down ?
Let's say we use the "shutdown" command, it will telinit to go to the
runlevel 0, and will kill -1.
At this point, the container finishes with a sys_reboot (we take care to
do nothing otherwise the real system shuts down). But the init process
will stay there and the launcher of the container will never know if the
container has stopped or not.
Gregory Kurz proposed a solution:
* when shutdown is called and we are not in the init pidns, then we
kill the process 1 of the pidnamespace.
* when reboot is called and we are not in the init pidns, then we
reexec the init process, using the same command line. I guess this one
could be easily retrieved if we are able to display /proc/1/cmdline ;)
IMHO, this is a good proposition because it is generic and intuitive, no ?
What do you thing ?
-- Daniel
next prev parent reply other threads:[~2009-02-19 14:59 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-02-19 3:02 [PATCH 0/7][v8] Container-init signal semantics Sukadev Bhattiprolu
2009-02-19 3:05 ` [PATCH 1/7][v8] Remove 'handler' parameter to tracehook functions Sukadev Bhattiprolu
2009-02-19 3:05 ` [PATCH 2/7][v8] Protect init from unwanted signals more Sukadev Bhattiprolu
2009-02-19 3:06 ` [PATCH 3/7][v8] Add from_ancestor_ns parameter to send_signal() Sukadev Bhattiprolu
2009-02-19 3:06 ` [PATCH 4/7][v8] Protect cinit from unblocked SIG_DFL signals Sukadev Bhattiprolu
2009-02-19 3:07 ` [PATCH 5/7][v8] zap_pid_ns_process() should use force_sig() Sukadev Bhattiprolu
2009-02-19 18:59 ` Oleg Nesterov
2009-02-19 20:26 ` Sukadev Bhattiprolu
2009-02-19 3:07 ` [PATCH 6/7][v8] Protect cinit from blocked fatal signals Sukadev Bhattiprolu
2009-02-19 3:07 ` [PATCH 7/7][v8] SI_USER: Masquerade si_pid when crossing pid ns boundary Sukadev Bhattiprolu
2009-02-19 16:11 ` Eric W. Biederman
2009-02-19 18:51 ` Oleg Nesterov
2009-02-19 22:18 ` Eric W. Biederman
2009-02-19 22:31 ` Oleg Nesterov
2009-02-19 23:21 ` Eric W. Biederman
2009-02-19 23:51 ` Roland McGrath
2009-02-20 0:35 ` Eric W. Biederman
2009-02-20 1:06 ` Roland McGrath
2009-02-20 2:12 ` Eric W. Biederman
2009-02-20 3:10 ` Roland McGrath
2009-02-20 4:05 ` Eric W. Biederman
2009-02-20 0:28 ` Oleg Nesterov
2009-02-20 1:16 ` Eric W. Biederman
2009-02-19 14:59 ` Daniel Lezcano [this message]
2009-03-07 19:04 ` [PATCH 0/7][v8] Container-init signal semantics Sukadev Bhattiprolu
2009-03-07 19:43 ` Daniel Lezcano
2009-03-07 19:51 ` Greg Kurz
2009-03-07 19:59 ` Daniel Lezcano
2009-02-19 20:53 ` Oleg Nesterov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=499D73C8.3090209@free.fr \
--to=daniel.lezcano@free.fr \
--cc=akpm@osdl.org \
--cc=containers@lists.osdl.org \
--cc=ebiederm@xmission.com \
--cc=gkurz@fr.ibm.com \
--cc=linux-kernel@vger.kernel.org \
--cc=oleg@tv-sign.ru \
--cc=roland@redhat.com \
--cc=sukadev@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox