> On July 31, 2013, 5:02 p.m., Ian Downes wrote: > > Can you please expand on your last point regarding cleaning up a pid > > namespace? Does this only work in a container setting with a pid 1 init > > process that you kill? If only in this case, what are your thoughts on the > > best way to kill all processes in a pid namespace. > > Eric Biederman wrote: > Outside of a pid namespace when you look at the processes in a pid > namespace they all look normal. > > Inside of a pid namespace the first process in the pid namespace has pid > 1. > > When the first process in a pid namespace dies the kernel sends all other > processes SIGKILL, and the first process is not reapable until all of it's > children processes are reaped. > > Furthermore it is not possible for a process to ever leave a pid > namespace that it is in. > > So I suspect that by fully leveraging pid namespaces mesos-slave could > have simpler more reliable cleanup code. > > > Ian Downes wrote: > Am I correct in understanding this means if the executor execl()'ed from > the clone()'ed launcher dies/exits it will immediately take out the task > processes as well? > > Eric Biederman wrote: > You are correct. With this change if the executor dies it will > immediately take out the task processes as well.
Just to add this here too, there's different signal handling for pid 1 inside a namespace as well. http://lwn.net/Articles/532748/ - Ian ----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/13045/#review24356 ----------------------------------------------------------- On July 29, 2013, 10:52 p.m., Eric Biederman wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/13045/ > ----------------------------------------------------------- > > (Updated July 29, 2013, 10:52 p.m.) > > > Review request for mesos, Benjamin Hindman, Ben Mahler, Ian Downes, and Vinod > Kone. > > > Repository: mesos-git > > > Description > ------- > > cgroup_isolator: Isolate the exectuor and tasks in a pid namespace. > > This has several advantages: > > - It becomes impossible to send unix signals to processes outside of > the pid namespace. > > - Forked processes can not escape the pid namespace no matter what they do. > > - It becomes easy to cleanup a pid namespace because all processes are > killed when the first process the executor is killed. > > > Diffs > ----- > > src/slave/cgroups_isolator.cpp 0faf7d5 > > Diff: https://reviews.apache.org/r/13045/diff/ > > > Testing > ------- > > make -j 8 check > > And watched the tests pass. > > > Thanks, > > Eric Biederman > >
