Description of problem:
In a docker container with pid=host, an unattached child process shouldn't be killed when killing the container.

Version-Release number of selected component (if applicable):
docker 1.9.1, CentOS 7

How reproducible:

Steps to Reproduce:
1. start a container with pid=host and command libvirtd
2. launch a qemu process using virsh in the container. The started qemu process will be unattached.
3. try to kill the container using `docker kill -s KILL <container_id>`

Actual results:
the qemu process is killed, too.

Expected results:
the unattached qemu process is not killed.

Additional info:
Here is some discussion from IRC: http://eavesdrop.openstack.org/irclogs/%23kolla/%23kolla.2016-01-28.log.html#t2016-01-28T12:59:05
Docker tracks the PIDs in a container using cgroups, and hence all processes are killed even though we use pid=host. I believe we had probably prompted them to add this behavior in the first place.
But the VMs are moved to a different cgroup, so they should be exempt.
I have been traveling, so I have not been able to verify this bug. The way this is supposed to work is: libvirt launches the VM in its own cgroup, so that if libvirt gets killed, docker does not see the VM's PID. Steven is reporting that this does not work. I have a feeling this is something to do with libvirt, since I don't see how docker could find the VM.

Steven, could you check the cgroup of the VM versus the cgroup of libvirt in the container and make sure they are different? libvirt is --privileged and should be able to see the cgroup fs, or talks to systemd.

We need to run a VM and make sure it is in a different cgroup. Then, if the VM is in a different cgroup and docker somehow kills it, we know the problem is docker. If the VM is not in a different cgroup, then it is something to do with libvirt, running in the container, not moving the VM to a different cgroup.
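The check asked for above, written out as an added example (not code from the bug report, docker or libvirt): read /proc/&lt;pid&gt;/cgroup for the qemu process and for the container's libvirtd and compare the path of one controller. The `same_cgroup_text` function works on the file contents so it can be exercised offline with constructed input; `same_cgroup_pids` is the live wrapper. The choice of the `memory` controller as the default, the `docker inspect` / `pgrep` lines in the usage comment, and all cgroup paths in the comments are assumptions for illustration.

```bash
#!/bin/sh
# Added example, not from the bug report or from docker/libvirt: compare the
# cgroup of a qemu process with the cgroup of the container's libvirtd.
# Assumptions: a Linux host with /proc mounted; for the live path, docker and
# pgrep (procps) are installed and the caller can read both /proc entries.

# Print the cgroup path of controller $1 from /proc/<pid>/cgroup text on stdin.
# cgroup v1 lines look like "4:memory:/docker/<id>" (controllers may be
# comma-joined, e.g. "cpu,cpuacct"); a cgroup v2 host has a single line
# "0::/path", which is returned whatever controller was requested.
cgroup_path() {
    awk -F: -v ctrl="$1" '
        $1 == "0" && $2 == "" { v2 = $3 }
        {
            n = split($2, subs, ",")
            for (i = 1; i <= n; i++)
                if (subs[i] == ctrl) v1 = $3
        }
        END { if (v1 != "") print v1; else print v2 }'
}

# Exit 0 when the two /proc/<pid>/cgroup texts ($1, $2) put the processes in
# the same cgroup for controller $3; exit 1 when they differ or the controller
# is absent from the first file.
same_cgroup_text() {
    a=$(printf '%s\n' "$1" | cgroup_path "$3")
    b=$(printf '%s\n' "$2" | cgroup_path "$3")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Same check for two live PIDs; controller defaults to "memory" (assumption).
same_cgroup_pids() {
    same_cgroup_text "$(cat "/proc/$1/cgroup")" "$(cat "/proc/$2/cgroup")" "${3:-memory}"
}

# Live use, run on the host (pid=host makes both PIDs visible there):
#   libvirtd_pid=$(docker inspect -f '{{.State.Pid}}' "$container_id")
#   qemu_pid=$(pgrep -o -f qemu-system)
#   if same_cgroup_pids "$libvirtd_pid" "$qemu_pid"; then
#       echo "qemu is in the container's cgroup: docker kill will take it down"
#   else
#       echo "qemu is in its own cgroup: docker should not see it"
#   fi
```

If the two paths match for the controller docker walks when it kills the container, the comment's second branch applies (libvirt did not move the VM); if they differ and the VM still dies, docker is finding the process some other way.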
I was told this was a configuration issue, and it actually works correctly.