[lxc-devel] [RFC 0/5] stop hook with namespace access

Wolfgang Bumiller w.bumiller at proxmox.com
Mon Sep 28 12:28:07 UTC 2015


Just a quick followup:

I thought I'd drop a stop hook example here and a reason for why it's
useful.

As I mentioned, it's mostly about unmounting NFS mountpoints. However,
you could say that that's not usually an issue as the container
usually performs a (hopefully) clean shutdown sequence which should
unmount the filesystem anyway (or maybe just read-only remount it).
And yes, most of the time when a container shuts down its shutdown
sequence's unmount/sync commands would hang anyway, so why bother with
the stop hook?

Two examples: 1) Some systems seem to default to force-unmounting, and
the seccomp policy forbids this to avoid shooting lxcfs in the back.
E.g. on a standard centos template I seem to have *always* lost my
lxcfs on shutdown of a container until I started using the seccomp
policy to forbid force-unmounting. The side effect of this is that the
unmount call EPERMs and no unmounting is performed. This is where
network delays in NFS can become an issue for us.

2) Assume a system running SystemD as init. Now send a SIGSEGV to pid
1 (yes, you're actually allowed to do that because it installs a
SIGSEGV handler, and according to kill(2) you can send signals to pid
1 provided such a signal handler was actually installed). SystemD
handles a first such signal by freezing itself with a nice log entry
about this - I assume this is to not kill the whole system while
giving you a chance to "deal". Sending yet another SIGSEGV finally
kills it off.
So do another `kill -11 1` and the system's gone without doing any
kind of shutdown sequence.

I have attached a stop-hook.c that's supposed to unmount all
filesystems inside the container after shutdown.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: stop-hook.c
Type: text/x-csrc
Size: 4400 bytes
Desc: not available
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20150928/c6416711/attachment.c>

