The root problem this fixes is the docker daemon uses DefaulDependencies
for all of its scopes which means that the containers get killed by
systemd before the docker daemon is notified to shutdown. This means
that a docker run in a service file won't get ordered properly on
shutdown! This has affected many CoreOS users and is documented in
systemd as so:
"Unless DefaultDependencies=false is used, scope units will implicitly
have dependencies of type Conflicts= and Before= on shutdown.target."
Unfortunately, systemd didn't allow setting DefaultDependencies=false on
transient units until today:
systemd-run --scope --property="DefaultDependencies=false" /usr/bin/sleep 50000
Unknown assignment DefaultDependencies=false.
Failed to create message: Invalid argument
Fixed here:
http://cgit.freedesktop.org/systemd/systemd/commit/?id=261420ba2a20305ad271b6f5f380aa74c5c9dd50
Discussion with systemd upstream:
http://lists.freedesktop.org/archives/systemd-devel/2014-December/026313.htmlhttp://lists.freedesktop.org/archives/systemd-devel/2015-February/027890.html
Tested with docker and systemd master as of today and it work for me.
Signed-off-by: Brandon Philips <brandon.philips@coreos.com>
The gocapability package uses /proc/PID/status to get a bounding set.
If a container uses pidns without mntns, it sees /proc from the host
namespace, but the process doesn't know its own pid in this namespace.
In this case it can use /proc/self/status, which is always the right one.
Signed-off-by: Andrew Vagin <avagin@openvz.org>
Issue with cmd.Wait is that it is waiting for closing pipes and if we
have forked processes which inherited pipes from parent, then we need to
kill them to unblock cmd.Wait.
Should fixdocker/docker#10303
Now idea is next:
- cmd.Process.Wait for init process dead
- Kill remaining processes in cgroup (pipes closed as side effect)
- use cmd.Wait for waiting pipes flushed to client
Signed-off-by: Alexander Morozov <lk4d4@docker.com>
The only place I could find where libcontainer tries to write to the
container's root FS is when setting up the pivot dir, to be used on
pivot_root(2).
This makes the pivot base dir configurable, so a read-only FS can be
used as root FS of containers. Users can then specify a writeable
subpath to be used as pivot inside the container.
Signed-off-by: Fabio Kung <fabio@heroku.com> (github: fabiokung)
A non-zero Path field for a namespace says that a process should attach to an
existing namespace, so the process can be forked without the flag for this
namespace.
Signed-off-by: Andrey Vagin <avagin@openvz.org>
My previous patch moved the setting of the freezer state after the Set()
command. It's wrong, because this command uses it, so we need to set the
freezer state before the command and rollback it in an error case.
Fixes: 13a5703d85 ("cgroups: don't change a freezer state if an operation failed")
Signed-off-by: Andrey Vagin <avagin@openvz.org>
this allows the parent to place the process into cgroup first so it can track
the children properly
Docker-DCO-1.1-Signed-off-by: Daniel, Dao Quang Minh <dqminh89@gmail.com> (github: dqminh)
This adds the ability to receive OOM notifications for a container via
the `nsinit oom` command.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Test the process WaitStatus for a signal, and return an exit code of 128
+ signal which killed the process. Fixesdocker/docker#9979.
Signed-off-by: Arnaud Porterie <arnaud.porterie@docker.com>
Adds POWER (ppc64 and ppc64le), System z (s390x), and ARM to list of
architectures currently supported by libcontainer
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
Brandon Philips
Victor Marmol
Andrey Vagin
Mrunal Patel
Alexander Morozov
Rohit Jnagal
Shishir Mahajan
Michael Crosby
guoxiuyan
Fabio Kung
Qiang Huang
Mrunal Patel
Alexander Morozov
Daniel, Dao Quang Minh
Michael Crosby
Arnaud Porterie
Phil Estes