> On July 31, 2013, 5:02 p.m., Ian Downes wrote:
> > Can you please expand on your last point regarding cleaning up a pid
> > namespace? Does this only work in a container setting with a pid 1 init
> > process that you kill? If only in this case, what are your thoughts on the
> > best way to kill all processes in a pid namespace.

Outside of a pid namespace, when you look at the processes in a pid namespace, they all look normal.

Inside of a pid namespace the first process in the pid namespace has pid 1.

When the first process in a pid namespace dies the kernel sends all other processes SIGKILL, and the first process is not reapable until all of its child processes are reaped.

Furthermore it is not possible for a process to ever leave a pid namespace that it is in.

So I suspect that by fully leveraging pid namespaces mesos-slave could have simpler, more reliable cleanup code.

- Eric

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/13045/#review24356
-----------------------------------------------------------

On July 29, 2013, 10:52 p.m., Eric Biederman wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/13045/
> -----------------------------------------------------------
>
> (Updated July 29, 2013, 10:52 p.m.)
>
>
> Review request for mesos, Benjamin Hindman, Ben Mahler, Ian Downes, and Vinod Kone.
>
>
> Repository: mesos-git
>
>
> Description
> -------
>
> cgroup_isolator: Isolate the executor and tasks in a pid namespace.
>
> This has several advantages:
>
> - It becomes impossible to send unix signals to processes outside of
>   the pid namespace.
>
> - Forked processes can not escape the pid namespace no matter what they do.
>
> - It becomes easy to clean up a pid namespace because all processes are
>   killed when the first process, the executor, is killed.
>
>
> Diffs
> -----
>
>   src/slave/cgroups_isolator.cpp 0faf7d5
>
> Diff: https://reviews.apache.org/r/13045/diff/
>
>
> Testing
> -------
>
> make -j 8 check
>
> And watched the tests pass.
>
>
> Thanks,
>
> Eric Biederman
>
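
The cleanup behaviour described in the reply above, as an added example that is not part of this thread or of the Mesos patch: a process is started as pid 1 of a new pid namespace, it forks a task that ignores SIGTERM and leaves its session, and the observer then sends one SIGKILL to pid 1 and checks that nothing in the namespace survives. The names `ns_init`, `kill_init_reaps_namespace` and `task_inner_pid` are hypothetical; the code assumes Linux with glibc and, when it lacks the privilege to create a pid namespace directly, retries inside a new user namespace.

```c
#define _GNU_SOURCE
#include <poll.h>
#include <sched.h>
#include <signal.h>
#include <sys/wait.h>
#include <unistd.h>

static int pfd[2];            /* pipe whose write end lives only inside the namespace */
static char stack[64 * 1024] __attribute__((aligned(16)));
int task_inner_pid;           /* the task's pid as seen from inside the namespace */

/* Runs as pid 1 of the new namespace; stands in for the executor. */
static int ns_init(void *arg) {
    (void)arg;
    close(pfd[0]);
    pid_t task = fork();      /* stands in for a task started by the executor */
    if (task < 0) _exit(1);
    if (task == 0) {
        signal(SIGTERM, SIG_IGN);      /* a polite signal would not stop it */
        setsid();                      /* nor would signalling the process group */
        char inner = (char)getpid();   /* report the pid the task sees for itself */
        if (write(pfd[1], &inner, 1) != 1) _exit(1);
    }
    for (;;) pause();         /* both processes idle until they are killed */
}

/* 1: killing pid 1 removed every process; 0: something survived;
 * -1: this host refused to create the namespace or start the task. */
int kill_init_reaps_namespace(void) {
    char b;
    if (pipe(pfd) != 0) return -1;
    struct pollfd p = { .fd = pfd[0], .events = POLLIN };
    pid_t init = clone(ns_init, stack + sizeof stack, CLONE_NEWPID | SIGCHLD, NULL);
    if (init < 0)             /* unprivileged: retry inside a new user namespace */
        init = clone(ns_init, stack + sizeof stack,
                     CLONE_NEWUSER | CLONE_NEWPID | SIGCHLD, NULL);
    close(pfd[1]);            /* from here on only namespace members can write */
    if (init < 0) { close(pfd[0]); return -1; }
    int up = poll(&p, 1, 5000) == 1 && read(pfd[0], &b, 1) == 1;
    task_inner_pid = up ? b : 0;
    kill(init, SIGKILL);      /* the only signal the cleanup path has to send */
    /* EOF on the pipe means no process holding the write end is still alive. */
    int gone = poll(&p, 1, 5000) == 1 && read(pfd[0], &b, 1) == 0;
    if (gone) waitpid(init, NULL, 0);
    close(pfd[0]);
    return up ? gone : -1;
}
```

The observer never learns the task's pid in its own namespace; the end-of-file on the pipe is what shows that the kernel killed it along with pid 1.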
