On 11/12/2015 05:59 PM, Stanislav Kinsburskiy wrote:
>
> 12.11.2015 15:53, Andrey Wagin wrote:
>> 2015-11-12 17:46 GMT+03:00 Stanislav Kinsburskiy <[email protected]>:
>>> On 12 Nov 2015 at 15:14, Andrey Ryabinin
>>> <[email protected]> wrote:
>>>> CRIU sends SIGKILL to container's init process as a part of
>>>> cleanup process if restoring failed.
>>>> CRIU does this from a different ve, which is currently not allowed
>>>> without any apparent reason.
>>> The reason looks very clear to me: improve namespaces isolation.
>>> It especially applies to killing child reaper of another ve.
>>> You threw away this check, and now it's possible to kill one container
>>> from another one.
>>> Or I'm missing something?
>> Each container has its own pidns, so you can't kill anyone who isn't
>> in this pidns.
>
> So how does CRIU send a kill signal from one ve to another then?
>
AFAIK, CRIU creates its own ve namespace, but it still operates in root pid namespace.
