Bug 1302807

Summary: regression: Unattached child process should exist when the container is killed in docker container with pid=host
Product: [Fedora] Fedora
Reporter: Jeffrey Zhang <zhang.lei.fly>
Component: docker
Assignee: Mrunal Patel <mpatel>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 23
CC: adimania, admiller, amurdaca, andreas.bierfert, dustymabe, dwalsh, ichavero, jcajka, jchaloup, lsm5, marianne, miminar, mpatel, steven.dake, vbatts, zhang.lei.fly
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2016-02-22 21:27:55 UTC
Type: Bug
Bug Blocks: 1302814

Description Jeffrey Zhang 2016-01-28 16:41:15 UTC
Description of problem:

In the docker container with pid=host, the unattached child process shouldn't be killed when killing the container. 

Version-Release number of selected component (if applicable):

docker 1.9.1
centos 7

How reproducible:


Steps to Reproduce:
1. start a container with pid=host and command libvirtd
2. launch a qemu process using virsh in the container. The started qemu process will be unattached.
3. try to kill the container using `docker kill -s KILL <container_id>`

Actual results:

the qemu process is killed, too.

Expected results:

the unattached qemu process is not killed.


Additional info:

Comment 1 Jeffrey Zhang 2016-01-28 17:46:50 UTC
Here is some discussion from IRC:

http://eavesdrop.openstack.org/irclogs/%23kolla/%23kolla.2016-01-28.log.html#t2016-01-28T12:59:05

Comment 2 Mrunal Patel 2016-02-08 11:10:15 UTC
docker tracks the pids in a container using cgroups and hence all processes are killed even though we use pid=host. I believe we had probably prompted them to add this behavior in the first place.

Comment 3 Daniel Walsh 2016-02-08 15:08:08 UTC
But the VMs are moved to a different cgroup, so they should be exempt.

Comment 4 Daniel Walsh 2016-02-08 15:18:23 UTC
I have been traveling, so I have not been able to verify this bug.


The way this is supposed to work is that libvirt launches the VM in its own cgroup, so that if libvirt gets killed, docker does not see the VM's PID.

Steven is reporting that this does not work.  I have a feeling this is something to do with libvirt since I don't see how docker could find the vm.

Steven, could you check the cgroup of the VM versus the cgroup of libvirt in the container, and make sure they are different?

libvirt is --privileged and should be able to see the cgroup fs, or talks to systemd.

We need to run a VM and make sure it is in a different cgroup.

Then if the VM is in a different cgroup and docker somehow kills it, we know the problem is docker.

If the VM is not in a different cgroup then it is something to do with libvirt, running in the container, not moving the VM to a different Cgroup.
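
The check requested in Comment 4, comparing the cgroup of the VM with the cgroup of libvirt, can be scripted as follows. This is an added example, not part of the original bug thread; the function names, the sample file contents and the `CONTAINER_ID` placeholder are constructed, and ignoring the root cgroup `/` is an assumption of this example.

```shell
#!/bin/sh
# Input format is /proc/<pid>/cgroup: one "hierarchy-id:controllers:path" per line.

# shared_cgroups FILE_A FILE_B
# Prints "controllers path" for each hierarchy where both files name the same
# cgroup. The root cgroup "/" is ignored (assumption of this example).
shared_cgroups() {
    awk -F: '
        { path = $3; for (i = 4; i <= NF; i++) path = path ":" $i }
        path == "/" { next }
        FILENAME == ARGV[1] { a[$2] = path; next }
        ($2 in a) && a[$2] == path { print $2, path }
    ' "$1" "$2"
}

# compare_pids PID_A PID_B
# Runs the check on two live processes, for example libvirtd in the container
# and the qemu process it started. Returns 0 when no cgroup is shared.
compare_pids() {
    shared=$(shared_cgroups "/proc/$1/cgroup" "/proc/$2/cgroup") || return 2
    if [ -n "$shared" ]; then
        printf 'PIDs %s and %s are in the same cgroup:\n%s\n' "$1" "$2" "$shared"
        return 1
    fi
    echo "PIDs $1 and $2 share no non-root cgroup"
}

# write_samples DIR
# Writes constructed sample data (not taken from the bug report): libvirtd in
# the container cgroup, a VM left in that cgroup, and a VM moved elsewhere.
write_samples() {
    for name in libvirtd vm_same; do
        cat > "$1/$name" <<'EOF'
4:devices:/docker/CONTAINER_ID
3:cpu,cpuacct:/docker/CONTAINER_ID
1:name=systemd:/docker/CONTAINER_ID
EOF
    done
    cat > "$1/vm_moved" <<'EOF'
4:devices:/machine.slice/machine-qemu-demo.scope
3:cpu,cpuacct:/machine.slice/machine-qemu-demo.scope
1:name=systemd:/machine.slice/machine-qemu-demo.scope
EOF
}
```

On a live host, `compare_pids <libvirtd_pid> <qemu_pid>` applies the same comparison to the running processes.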

Comment 5 Daniel Walsh 2016-02-22 21:27:55 UTC
I was told this was a configuration issue, and it actually works correctly.