[RFC][PATCH 0/6][v3] Container-init signal semantics

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

From: Sukadev Bhattiprolu

Subject: [RFC][PATCH 0/6][v3] Container-init signal semantics

Date: Saturday, December 20, 2008 - 5:51 pm

Container-init must behave like global-init to processes within the
container and hence it must be immune to unhandled fatal signals from
within the container (i.e SIG_DFL signals that terminate the process).

But the same container-init must behave like a normal process to 
processes in ancestor namespaces and so if it receives the same fatal
signal from a process in ancestor namespace, the signal must be
processed.

Implementing these semantics requires that send_signal() determine pid
namespace of the sender but since signals can originate from workqueues/
interrupt-handlers, determining pid namespace of sender may not always
be possible or safe.

Changelog[v3]:
	Changes based on discussions of previous version:
		http://lkml.org/lkml/2008/11/25/458

	Major changes:

	- Define SIGNAL_UNKILLABLE_FROM_NS and use in container-inits to
	  skip fatal signals from same namespace but process SIGKILL/SIGSTOP
	  from ancestor namespace.
	- Use SI_FROMUSER() and si_code != SI_ASYNCIO to determine if
	  it is safe to dereference pid-namespace of caller. Highly
	  experimental :-)
	- Masquerading si_pid when crossing namespace boundary: relevant
	  patches merged in -mm and dropped from this set.

	Minor changes:

	- Remove 'handler' parameter to tracehook functions
	- Update sig_ignored() to drop SIG_DFL signals to global init early
	  (tried to address Roland's  and Oleg's comments)
	- Use 'same_ns' flag to drop SIGKILL/SIGSTOP to cinit from same
	  namespace

This patchset implements the design/simplified semantics suggested by
Oleg Nesterov.  The simplified semantics for container-init are:

	- container-init must never be terminated by a signal from a
	  descendant process.

	- container-init must never be immune to SIGKILL from an ancestor
	  namespace (so a process in parent namespace must always be able
	  to terminate a descendant container).

	- container-init may be immune to unhandled fatal signals (like
	  SIGUSR1) even if they are from ancestor namespace (SIGKILL is
	  the only reliable signal from ancestor namespace).

Patches in this set:

	[PATCH 1/6] Remove 'handler' parameter to tracehook functions
	[PATCH 2/6] Protect init from unwanted signals more
	[PATCH 3/6] Define/set SIGNAL_UNKILLABLE_FROM_NS
	[PATCH 4/6] Define siginfo_from_ancestor_ns()
	[PATCH 5/6] Protect cinit from unblocked SIG_DFL signals
	[PATCH 6/6] Protect cinit from blocked fatal signals

TODO:
	- Use sig_task_unkillable() in fs/proc/array.c:task_sig() to
	  correctly report ignored signals for container/global init.
	- Make SI_ASYNCIO a kernel signal ?
	- Compile/touch tested. Need so real testing ;-)

Limitations/side-effects of current design

	- Container-init is immune to suicide - kill(getpid(), SIGKILL) is
	  ignored. Use exit() :-)
--
unsubscribe noticeTo unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

[RFC][PATCH 0/6][v3] Container-init signal semantics, Sukadev Bhattiprolu, (Sat Dec 20, 5:51 pm)

[RFC][PATCH 1/6][v3] Remove 'handler' parameter to traceho ..., Sukadev Bhattiprolu, (Sat Dec 20, 5:52 pm)

[RFC][PATCH 2/6][v3] Protect init from unwanted signals more, Sukadev Bhattiprolu, (Sat Dec 20, 5:53 pm)

[RFC][PATCH 3/6][v3] Define/set SIGNAL_UNKILLABLE_FROM_NS, Sukadev Bhattiprolu, (Sat Dec 20, 5:53 pm)

[RFC][PATCH 4/6][v3] Define siginfo_from_ancestor_ns(), Sukadev Bhattiprolu, (Sat Dec 20, 5:54 pm)

[RFC][PATCH 5/6][v3] Protect cinit from unblocked SIG_DFL ..., Sukadev Bhattiprolu, (Sat Dec 20, 5:54 pm)

[RFC][PATCH 6/6][v3] Protect cinit from blocked fatal signals, Sukadev Bhattiprolu, (Sat Dec 20, 5:55 pm)

Re: [RFC][PATCH 0/6][v3] Container-init signal semantics, Eric W. Biederman, (Mon Dec 22, 3:55 am)

Re: [RFC][PATCH 0/6][v3] Container-init signal semantics, Sukadev Bhattiprolu, (Mon Dec 22, 12:47 pm)

Re: [RFC][PATCH 4/6][v3] Define siginfo_from_ancestor_ns(), Oleg Nesterov, (Mon Dec 22, 3:26 pm)

Re: [RFC][PATCH 5/6][v3] Protect cinit from unblocked SIG_ ..., Oleg Nesterov, (Mon Dec 22, 3:46 pm)

Re: [RFC][PATCH 6/6][v3] Protect cinit from blocked fatal ..., Oleg Nesterov, (Mon Dec 22, 3:58 pm)

Re: [RFC][PATCH 4/6][v3] Define siginfo_from_ancestor_ns(), Oleg Nesterov, (Mon Dec 22, 4:01 pm)

Re: [RFC][PATCH 6/6][v3] Protect cinit from blocked fatal ..., Sukadev Bhattiprolu, (Mon Dec 22, 4:38 pm)

Re: [RFC][PATCH 4/6][v3] Define siginfo_from_ancestor_ns(), Sukadev Bhattiprolu, (Mon Dec 22, 4:45 pm)

Re: [RFC][PATCH 4/6][v3] Define siginfo_from_ancestor_ns(), Oleg Nesterov, (Mon Dec 22, 4:54 pm)

Re: [RFC][PATCH 4/6][v3] Define siginfo_from_ancestor_ns(), Sukadev Bhattiprolu, (Mon Dec 22, 4:58 pm)

Re: [RFC][PATCH 6/6][v3] Protect cinit from blocked fatal ..., Oleg Nesterov, (Mon Dec 22, 5:03 pm)

Re: [RFC][PATCH 4/6][v3] Define siginfo_from_ancestor_ns(), Oleg Nesterov, (Mon Dec 22, 5:22 pm)

Re: [RFC][PATCH 0/6][v3] Container-init signal semantics, Eric W. Biederman, (Mon Dec 22, 5:27 pm)

Re: [RFC][PATCH 4/6][v3] Define siginfo_from_ancestor_ns(), Eric W. Biederman, (Mon Dec 22, 5:32 pm)

Re: [RFC][PATCH 0/6][v3] Container-init signal semantics, Sukadev Bhattiprolu, (Mon Dec 22, 7:12 pm)

Re: [RFC][PATCH 4/6][v3] Define siginfo_from_ancestor_ns(), Sukadev Bhattiprolu, (Mon Dec 22, 9:47 pm)

Re: [RFC][PATCH 0/6][v3] Container-init signal semantics, Serge E. Hallyn, (Tue Dec 23, 9:51 am)

Re: [RFC][PATCH 1/6][v3] Remove 'handler' parameter to tra ..., Roland McGrath, (Tue Dec 23, 12:30 pm)

Re: [RFC][PATCH 2/6][v3] Protect init from unwanted signal ..., Roland McGrath, (Tue Dec 23, 12:31 pm)


linux-kernel:
Ingo Molnar	Re: [PATCH 0/3] v2 Make hierarchical RCU less IPI-happy and add more tracing
Jeremy Fitzhardinge	Re: Linux 2.6.28.10 and Linux 2.6.29.6 XEN Guest Support Broken x86_64 in BUILD
Nick Piggin	Re: [patch] CFS (Completely Fair Scheduler), v2
Gary Hade	Re: [PATCH 0/5][RFC] Physical PCI slot objects
Dave Johnson	Re: expected behavior of PF_PACKET on NETIF_F_HW_VLAN_RX device?
linux-netdev:
Arnd Bergmann	Re: 64-bit net_device_stats
Stephens, Allan	RE: [PATCH]: tipc: Fix oops on send prior to entering networked mode
frank.blaschka	[patch 3/5] [PATCH] qeth: support z/VM VSWITCH Port Isolation
Wu Fengguang	Re: [PATCH] dm9601: handle corrupt mac address
David Miller	Re: [PATCH net-2.6.24] Fix refcounting problem with netif_rx_reschedule()
git:
Junio C Hamano	Re: [PATCH] [RFC] add Message-ID field to log on git-am operation
Junio C Hamano	Re: Handling large files with GIT
Karl	Re: [ANNOUNCE] pg - A patch porcelain for GIT
Josh Triplett	Re: [RFC][PATCH 00/10] Sparse: Git's "make check" target
Pierre Habouzit	Re: [PATCH] git-daemon: more powerful base-path/user-path settings, using formats.
git-commits-head:
Linux Kernel Mailing List	MIPS: RBTX4939: Fix IOC pin-enable register updating
Linux Kernel Mailing List	regulator: update email address for Liam Girdwood
Linux Kernel Mailing List	[SCSI] ipr: add message to error table
Linux Kernel Mailing List	powerpc/32: Wire up the trampoline code for kdump
Linux Kernel Mailing List	USB: omap_udc: sync with OMAP tree
openbsd-misc:
Josh Grosse	Re: error : pkg add phpMyAdmin
Brian Candler	Re: OBSD's perspective on SELinux
Jacob Meuser	Re: /dev/audio: Device busy
David Vasek	Re: Inexpensive, low power, "wall wart" computer
William Boshuck	Re: Richard Stallman...