Bug 1302807 - regression: Unattached child process should exist when the container is killed in docker container with pid=host
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: docker
Version: 23
Assigned To: Mrunal Patel
QA Contact: Fedora Extras Quality Assurance
Blocks: 1302814
Reported: 2016-01-28 11:41 EST by Jeffrey Zhang
Modified: 2016-02-22 16:27 EST
Doc Type: Bug Fix
Last Closed: 2016-02-22 16:27:55 EST
Type: Bug
Description Jeffrey Zhang 2016-01-28 11:41:15 EST
Description of problem:

In the docker container with pid=host, the unattached child process shouldn't be killed when killing the container. 

Version-Release number of selected component (if applicable):

docker 1.9.1
centos 7

How reproducible:


Steps to Reproduce:
1. start a container with pid=host and command libvirtd
2. launch a qemu process using virsh in the container. The started qemu process will be unattached.
3. try to kill the container using `docker kill -s KILL <container_id>`

Actual results:

the qemu process is killed, too.

Expected results:

the unattached qemu process is not killed.


Additional info:
Comment 1 Jeffrey Zhang 2016-01-28 12:46:50 EST
Here is some discussion from IRC:

http://eavesdrop.openstack.org/irclogs/%23kolla/%23kolla.2016-01-28.log.html#t2016-01-28T12:59:05
Comment 2 Mrunal Patel 2016-02-08 06:10:15 EST
docker tracks the pids in a container using cgroups and hence all processes are killed even though we use pid=host. I believe we had probably prompted them to add this behavior in the first place.
Comment 3 Daniel Walsh 2016-02-08 10:08:08 EST
But the VMs are moved to a different cgroup so they should be exempt.
Comment 4 Daniel Walsh 2016-02-08 10:18:23 EST
I have been traveling, so I have not been able to verify this bug.


The way this is supposed to work is libvirt launches the VM in its own cgroup, so that if libvirt gets killed docker does not see the VM's PID.

Steven is reporting that this does not work.  I have a feeling this is something to do with libvirt since I don't see how docker could find the vm.

Steven, could you check the cgroup of the VM versus the cgroup of libvirt in the container, and make sure they are different?

libvirt is --privileged and should be able to see the cgroup fs, or talks to systemd.

We need to run a VM and make sure it is in a different cgroup.

Then if the VM is in a different cgroup and docker somehow kills it, we know the problem is docker.

If the VM is not in a different cgroup then it is something to do with libvirt, running in the container, not moving the VM to a different cgroup.
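
The cgroup comparison requested in Comment 4, sketched as an added example that is not part of the original thread and not code from docker or libvirt: it reads two `/proc/<pid>/cgroup` files and reports, per controller, whether the second process sits in the same cgroup as the first, below it, or elsewhere. The function names, the container id `c0ffee` and the sample cgroup lines are constructed for illustration.

```shell
#!/bin/sh
# Compare the cgroup membership of two processes, controller by controller.
# Each line of /proc/<pid>/cgroup reads "hierarchy-id:controller-list:path".

# cgroup_path FILE CONTROLLER: print the cgroup path for CONTROLLER
# (an empty CONTROLLER selects the cgroup v2 "0::/path" line).
cgroup_path() {
    awk -v want="$2" '{
        line = $0
        split(line, f, ":")
        n = split(f[2], ctl, ",")
        hit = (f[2] == want)
        for (i = 1; i <= n; i++) if (ctl[i] == want) hit = 1
        # Strip only the first two fields; the path itself may contain ":".
        if (hit) { sub(/^[^:]*:[^:]*:/, "", line); print line; exit }
    }' "$1"
}

# compare_cgroups FILE_A FILE_B: for every controller listed in FILE_A print
# "<controller> same|nested|different", describing B's cgroup relative to A's.
compare_cgroups() {
    cut -d: -f2 "$1" | tr ',' '\n' | sort -u | while IFS= read -r ctl; do
        a=$(cgroup_path "$1" "$ctl")
        b=$(cgroup_path "$2" "$ctl")
        case "$b" in
            "$a")        state=same ;;
            "${a%/}"/*)  state=nested ;;
            *)           state=different ;;
        esac
        printf '%s %s\n' "${ctl:-unified}" "$state"
    done
}

# Constructed sample data (not taken from the bug report): libvirtd inside a
# docker cgroup, qemu moved to another cgroup for all controllers but one.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '4:devices:/docker/c0ffee' '3:cpu,cpuacct:/docker/c0ffee' \
        '1:name=systemd:/docker/c0ffee' > "$d/libvirtd"
    printf '%s\n' '4:devices:/docker/c0ffee' '3:cpu,cpuacct:/machine.slice/vm1.scope' \
        '1:name=systemd:/machine.slice/vm1.scope' > "$d/qemu"
    compare_cgroups "$d/libvirtd" "$d/qemu"
    rm -rf "$d"
}
demo
```

On a live host, pass the `/proc/<pid>/cgroup` file of libvirtd and that of the qemu process as the two arguments to `compare_cgroups`.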
Comment 5 Daniel Walsh 2016-02-22 16:27:55 EST
I was told this was a configuration issue, and it actually works correctly.
