Proposal: just signal all processes inside the container #2037
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: lifubang <[email protected]>
Signed-off-by: lifubang <[email protected]>
|
(and the latest shared pidns discussion happened in #4102) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
runc kill --helpsays:--all, -a send the specified signal to all processes inside the containerBut if we use shared cgroup path to create 2 containers a & b.
When we send signal KILL to container a by
runc kill -a a 9,it will also kill container b's processes, not just only processes inside container a.
I think we should have a way to send a signal to just only all processes inside one container, not all processes in shared cgroup path.
This PR provides a way to implement this operation.
The method is to use sub cgroup path in freezer cgroup subsystem.
I think there are some discussion in:
containerd/containerd#2558
containerd/containerd#3149
We don't know when to use
runc kill -a cidinShared cgroup pathandShared pid namespace.https://github.com/lifubang/runc/blob/dd2d6faab8ca804c7ab320003d69306917812c07/libcontainer/state_linux.go#L40-L46
And there is another effect:
If we use host pid namespace, we must use
signalAllProcessto kill all processes inside the container when destroy the container, but if we have used shared cgroup path, other container's processes will be killed at that time.Signed-off-by: Lifubang [email protected]