Re: [Lxc-users] PID namespace behavior

Wed, 11 Apr 2012 07:25:36 -0700 

Quoting Arun M (arunmahadevai...@gmail.com):
> Hello,
> 
> I am observing that if two containers are spawned via lxc-execute and if
> these happen to be in  the same process group, a process inside one
> container can terminate the second container by sending a SIGTERM to the
> process group.
> 
> 
> Code snippet of the test program that was running inside the container (via
> lxc-execute):-
> --
> void handle_term(int sig)
> {
>   signal(SIGTERM, SIG_DFL);
>   kill(0, SIGTERM);
> }
> 
> int main()
> {
>   signal(SIGTERM, handle_term);
>   sleep(3600);
> }
> ----
> 
> I forked two copies of this via lxc-execute and made sure that they have
> the same process group ID and sent a SIGTERM to the first lxc-execute.
> 
> The second container (where SIGTERM was not sent) apparently gets a SIGTERM
> from PID 2 of the first container.
> 
> ---
> write(3, "    lxc-execute 1334131101.756 INFO     lxc_start - received
>  signal 15 from pid 2, uid 36886\n", 94) = 94
> write(3, "    lxc-execute 1334131101.756 INFO     lxc_start - forwarded
> signal 15 to pid 14875\n", 85) = 85
> ---
> 
> Is this expected behavior ? Shouldn't two process in independent PID
> namespaces get their own copy of process group IDs ?

Interesting case.  My first guess was that it is because lxc-execute doesn't
do a setsid() or setpgrp() and that clone(CLONE_NEWPID) doesn't do that for
you as I assumed.  But when I try:

handlesignal() {
        echo hi htere
}
trap handlesignal USR1
cat > /root/killusr1.c << EOF
#include <stdio.h>
#include <sys/types.h>
#include <signal.h>

int main()
{
                kill(0, SIGUSR1);
}
EOF
gcc -o /root/killusr1 /root/killusr1.c
lxc-unshare -s PID /root/killusr1

the parent shell doesn't get the signal.

So I'm not sure offhand what is going on.  I'll wait and see if someone else
knows offhand, otherwise will look into it more.  Cause it's interesting.

thanks,
-serge

------------------------------------------------------------------------------
Better than sec? Nothing is better than sec when it comes to
monitoring Big Data applications. Try Boundary one-second 
resolution app monitoring today. Free.
http://p.sf.net/sfu/Boundary-dev2dev
_______________________________________________
Lxc-users mailing list
Lxc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users

Reply via email to