[Lxc-users] PID namespace behavior

Serge Hallyn serge.hallyn at canonical.com
Wed Apr 11 14:22:28 UTC 2012


Quoting Arun M (arunmahadevaiyer at gmail.com):
> Hello,
> 
> I am observing that if two containers are spawned via lxc-execute and if
> these happen to be in the same process group, a process inside one
> container can terminate the second container by sending a SIGTERM to the
> process group.
> 
> 
> Code snippet of the test program that was running inside the container (via
> lxc-execute):-
> --
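> #include <signal.h>
> #include <unistd.h>
> 
> /* On the first SIGTERM, restore the default action and re-send
>    SIGTERM to the caller's whole process group (pid 0). */
> void handle_term(int sig)
> {
>   (void)sig;
>   signal(SIGTERM, SIG_DFL);
>   kill(0, SIGTERM);
> }
> 
> int main(void)
> {
>   signal(SIGTERM, handle_term);
>   sleep(3600);
>   return 0;
> }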
> ----
> 
> I forked two copies of this via lxc-execute and made sure that they have
> the same process group ID and sent a SIGTERM to the first lxc-execute.
> 
> The second container (where SIGTERM was not sent) apparently gets a SIGTERM
> from PID 2 of the first container.
> 
> ---
> write(3, "    lxc-execute 1334131101.756 INFO     lxc_start - received
>  signal 15 from pid 2, uid 36886\n", 94) = 94
> write(3, "    lxc-execute 1334131101.756 INFO     lxc_start - forwarded
> signal 15 to pid 14875\n", 85) = 85
> ---
> 
> Is this expected behavior? Shouldn't two processes in independent PID
> namespaces get their own copy of process group IDs?

Interesting case.  My first guess was that it is because lxc-execute doesn't
do a setsid() or setpgrp() and that clone(CLONE_NEWPID) doesn't do that for
you as I assumed.  But when I try:

handlesignal() {
	echo hi there
}
trap handlesignal USR1
# Build a helper that sends SIGUSR1 to its whole process group (pid 0)
cat > /root/killusr1.c << EOF
#include <stdio.h>
#include <sys/types.h>
#include <signal.h>

int main(void)
{
	kill(0, SIGUSR1);
	return 0;
}
EOF
gcc -o /root/killusr1 /root/killusr1.c
# Run the helper in a new PID namespace
lxc-unshare -s PID /root/killusr1

the parent shell doesn't get the signal.

So I'm not sure offhand what is going on.  I'll wait and see if someone else
knows offhand, otherwise will look into it more.  Cause it's interesting.

thanks,
-serge
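
The process-group half of the question can be tested on its own, without lxc or CLONE_NEWPID: kill(0, sig) reaches every process in the caller's process group, and a launcher that calls setpgid() before starting a workload keeps it out of its sibling's group. This is an added example, not code from the thread; victim_killed() and own_group are hypothetical names, and both "containers" are plain forked children.

```c
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 1 if the victim was terminated by the sender's kill(0, SIGTERM),
 * 0 if it survived, -1 on fork failure. own_group != 0 means the launcher
 * moves the sender into a process group of its own before it runs. */
int victim_killed(int own_group)
{
    int st;
    pid_t victim = fork();
    if (victim < 0) return -1;
    if (victim == 0) {                /* stand-in for the second container */
        setpgid(0, 0);                /* new group, so the caller's group is never touched */
        signal(SIGTERM, SIG_DFL);
        signal(SIGALRM, SIG_DFL);
        alarm(1);                     /* bounded lifetime if no SIGTERM arrives */
        for (;;) pause();
    }
    setpgid(victim, victim);          /* same call from the parent closes the race */

    pid_t sender = fork();
    if (sender < 0) { kill(victim, SIGKILL); waitpid(victim, &st, 0); return -1; }
    if (sender == 0) {                /* stand-in for the first container */
        /* refuse to signal unless we are in a group this example created */
        if (setpgid(0, own_group ? 0 : victim) != 0) _exit(2);
        kill(0, SIGTERM);             /* same call as the quoted test program */
        _exit(0);
    }
    waitpid(sender, &st, 0);
    waitpid(victim, &st, 0);          /* dies of SIGTERM (hit) or SIGALRM (survived) */
    return WIFSIGNALED(st) && WTERMSIG(st) == SIGTERM;
}

int main(void)
{
    printf("shared group:   victim killed = %d\n", victim_killed(0));
    printf("separate group: victim killed = %d\n", victim_killed(1));
    return 0;
}
```

The separate-group call takes about a second, because the surviving victim is left to end on its own alarm(1).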



