[Lxc-users] unstoppable container

[Ferenc Wagner]

Daniel Lezcano <daniel.lezcano at free.fr> writes:

> The cgroup is not removed automatically by the cgroup infrastructure
> when all the tasks die, it's how the cgroup is implemented. So it is
> up to lxc-start to remove the cgroup after the pid 1 of the container
> exits. If lxc-start was killed, this directory will not be removed and
> will stay there.
>
> If you start your container again, lxc-start will try to remove this
> directory if it is present and recreate a new cgroup.

I understand now, thanks for the clarification!

> there is a linux specific process control, where the kernel sends a
> signal to a child process when its parent dies.
>
>     PR_SET_PDEATHSIG (since Linux 2.1.57)
>         Set the parent process death signal of the calling process to
>         arg2 (either a signal value in the range 1..maxsig, or 0 to
>         clear).  This is the signal that the calling process will get
>         when its parent dies.  This value is cleared for the child of
>         a fork(2).
>
> This prctl is used in lxc as a safe guard in case lxc-start is killed
> widely, in order to wipe out container's processes.

Neat, I again leart something interesting.  Thanks!

> When the container init exits, it sends a SIGKILL to all the child
> processes and reap them (aka wait), that happens at the kernel level
> (zap_pid_ns). Hence, in userspace, when wait('init') returns you have
> the guarantee there are no more processes in the container.

Thanks for the detailed info, very useful.

> I meant the prctl(PR_SET_PDEATHSIG) is broken on 2.6.32

Beyond repair?  2.6.32 is a long-time-supported branch, the fix should
be backported to it if at all possible.  Do you think it is?
-- 
Thanks,
Feri.