[Lxc-users] unstoppable container

[Daniel Lezcano]

On 08/30/2010 03:01 PM, Ferenc Wagner wrote:
> Daniel Lezcano<daniel.lezcano at free.fr>  writes:
>
>> The cgroup is not removed automatically by the cgroup infrastructure
>> when all the tasks die, it's how the cgroup is implemented. So it is
>> up to lxc-start to remove the cgroup after the pid 1 of the container
>> exits. If lxc-start was killed, this directory will not be removed and
>> will stay there.
>>
>> If you start your container again, lxc-start will try to remove this
>> directory if it is present and recreate a new cgroup.
>
> I understand now, thanks for the clarification!
>
>> there is a linux specific process control, where the kernel sends a
>> signal to a child process when its parent dies.
>>
>>      PR_SET_PDEATHSIG (since Linux 2.1.57)
>>          Set the parent process death signal of the calling process to
>>          arg2 (either a signal value in the range 1..maxsig, or 0 to
>>          clear).  This is the signal that the calling process will get
>>          when its parent dies.  This value is cleared for the child of
>>          a fork(2).
>>
>> This prctl is used in lxc as a safe guard in case lxc-start is killed
>> widely, in order to wipe out container's processes.
>
> Neat, I again leart something interesting.  Thanks!
>
>> When the container init exits, it sends a SIGKILL to all the child
>> processes and reap them (aka wait), that happens at the kernel level
>> (zap_pid_ns). Hence, in userspace, when wait('init') returns you have
>> the guarantee there are no more processes in the container.
>
> Thanks for the detailed info, very useful.
>
>> I meant the prctl(PR_SET_PDEATHSIG) is broken on 2.6.32
>
> Beyond repair?  2.6.32 is a long-time-supported branch, the fix should
> be backported to it if at all possible.  Do you think it is?

The patchset is small, IMHO there is a chance we can have the patchset 
backported. Serge can give us some clarifications about this I think.

Thanks
   -- Daniel