12 нояб. 2015 г. 17:51 пользователь Andrey Wagin <[email protected]> написал: > > 2015-11-12 19:41 GMT+03:00 Stanislav Kinsburskiy <[email protected]>: > > > > > > 12.11.2015 17:11, Andrey Ryabinin пишет: > > > >> > >> On 11/12/2015 07:08 PM, Stanislav Kinsburskiy wrote: > >>> > >>> > >>> 12.11.2015 16:47, Andrey Ryabinin пишет: > >>>> > >>>> On 11/12/2015 05:59 PM, Stanislav Kinsburskiy wrote: > >>>>> > >>>>> 12.11.2015 15:53, Andrey Wagin пишет: > >>>>>> > >>>>>> 2015-11-12 17:46 GMT+03:00 Stanislav Kinsburskiу > >>>>>> <[email protected]>: > >>>>>>> > >>>>>>> 12 нояб. 2015 г. 15:14 пользователь Andrey Ryabinin > >>>>>>> <[email protected]> написал: > >>>>>>>> > >>>>>>>> CRIU sends SIGKILL to container's init process as a part of > >>>>>>>> cleanup process if restoring failed. > >>>>>>>> CRIU does this from a different ve, which is currently not allowed > >>>>>>>> without any apparent reason. > >>>>>>> > >>>>>>> The reason looks very clear to me: improve namespaces isolation. > >>>>>>> It espesially applies to killing child reaper of another ve. > >>>>>>> You throwed away this check, and now it's possible to kill one > >>>>>>> container from another one. > >>>>>>> Or I'm missing somethig? > >>>>>> > >>>>>> Each container has its own pidns, so you can't kill anyone who isn't > >>>>>> in this pidns. > >>>>> > >>>>> So how CRIU sends kill signal from one ve to another then? > >>>>> > >>>> AFAIK, CRIU creates it's own ve namespace, but it still operates in root > >>>> pid namespace. > >>> > >>> Hmm, ok. > >>> Then nothing against this patch. > >>> The only thing I'm curios: for how long we have this patch? Pid > >>> namespaces are used in OpenVZ for at least last 6 years (probably more). > >>> When this checks appeared? Maybe there was another reason, which is just > >>> not obvious so far? > >> > >> I suspect that it was just blindly ported from 2.6: > >> > >> commit fd3207d650434ac82f2c897cadd5607e67f2c274 > >> Author: Kirill Tkhai <[email protected]> > >> Date: Fri Oct 10 19:35:02 2014 +0400 > >> > >> ve: Ignore signals from wrong ve > >> Port sig_ve_ignored(). > >> This is a part of 74-diff-ve-mix-combined. > >> https://jira.sw.ru/browse/PSBM-17903 > >> Signed-off-by: Kirill Tkhai <[email protected]> > > > > > > That's for sure. > > My question was about origins of this patch. > > Thanks to Vasiliy: > > > > RCS file: > > /cvs/Virtuozzo/kernel-patches/2.6.18-rhel5/diff-ve-init-signals-20070514,v > > Working file: diff-ve-init-signals-20070514 > > head: 1.1 > > branch: > > locks: strict > > access list: > > symbolic names: > > keyword substitution: o > > total revisions: 1; selected revisions: 1 > > description: > > ---------------------------- > > revision 1.1 > > date: 2007/05/18 13:24:17; author: dev; state: Exp; > > Patch from Denis Lunev <[email protected]> > > [VE] VE init signal delivery reworked to be similar to host > > Prevent VE init from receiving unexpected signals sent from VE > > including fatal ones. Signals sent from VE0 are still allowed, > > e.g. for fast VE stop. > > Fix for sys_reboot called from VE to force VE death > > (SIGKILL is sent in the context of VE). > > > > http://bugzilla.openvz.org/show_bug.cgi?id=533 > > > > Are you sure, that you are not braking the logic, this patch introduced in > > past? > > > > [root@fc22-vm ~]# unshare --fork -p > [root@fc22-vm ~]# kill -9 1 > [root@fc22-vm ~]# kill -9 1 > [root@fc22-vm ~]# kill -9 1 > [root@fc22-vm ~]# kill -9 1 > [root@fc22-vm ~]# kill -USR1 1 > [root@fc22-vm ~]# kill -USR1 1 > [root@fc22-vm ~]# > > >
Ok then. Probably, this patch should be ported to rhel6 as well. _______________________________________________ Devel mailing list [email protected] https://lists.openvz.org/mailman/listinfo/devel
