
Re: [HTCondor-users] condor_rm & the docker universe



> On Jul 30, 2015, at 11:40 AM, Dimitri Maziuk <dmaziuk@xxxxxxxxxxxxx> wrote:
> 
> On 07/30/2015 10:01 AM, andrew.lahiff@xxxxxxxxxx wrote:
>> Hi Greg,
>> 
>> Ok, I didn't realize it worked like this - I had assumed HTCondor
>> would do something like "docker stop", rather than send a signal to the
>> actual executable running inside the container. Isn't this rather
>> unsafe? It makes it very easy for people to run jobs which escape
>> HTCondor's control - according to HTCondor the job has been killed but
>> the Docker container continues running for as long as it wants.
> 
> I'd've thought sending sigterm to pid 1 would be rather unsafe... 'cause
> there's no possible way it could ever get routed to a wrong pid
> namespace or something…
> 

Well, HTCondor doesn’t call it PID 1 — as far as HTCondor knows, it's PID XYZ as the kill is coming from outside the namespace.

It’s just that any process that is PID 1 of its current namespace has special signal handling semantics within the kernel, regardless of the source of the signal.

Brian
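A minimal PID-1 wrapper that makes the point above concrete, added here as an example (it is not part of the thread and not HTCondor's or Docker's code): it assumes the job is launched through the wrapper (e.g. as the container entrypoint), installs handlers for the termination signals, relays them to the real job, and exits with the job's status. Without such a handler the kernel drops a SIGTERM aimed at PID 1 of the namespace, which is why the job can outlive condor_rm.

```python
import os
import signal
import sys
import time

TERM = int(signal.SIGTERM)
FORWARDED = (signal.SIGTERM, signal.SIGINT, signal.SIGHUP)


def child_status(status: int) -> int:
    """Shell-style exit code from a waitpid() status: 128+N when killed by signal N."""
    if os.WIFSIGNALED(status):
        return 128 + os.WTERMSIG(status)
    return os.WEXITSTATUS(status)


def spawn(argv):
    """Fork and exec the real job; exec resets handlers, so it starts with default dispositions."""
    pid = os.fork()
    if pid == 0:
        try:
            os.execvp(argv[0], argv)
        finally:
            os._exit(127)  # only reached if exec failed
    return pid


def forward_and_reap(child_pid, sig, grace=10.0):
    """Relay `sig` to the job, wait up to `grace` seconds, then SIGKILL it; return its exit code."""
    os.kill(child_pid, sig)
    deadline = time.monotonic() + grace
    while time.monotonic() < deadline:
        pid, status = os.waitpid(child_pid, os.WNOHANG)
        if pid == child_pid:
            return child_status(status)
        time.sleep(0.05)
    os.kill(child_pid, signal.SIGKILL)  # grace period expired: hard kill
    return child_status(os.waitpid(child_pid, 0)[1])


def supervise(argv):
    """Run argv as a child and relay termination signals to it.
    As PID 1 of a PID namespace the kernel ignores SIGTERM unless a handler is
    installed here; with the handler in place, the signal sent from outside the
    namespace (what condor_rm triggers) actually terminates the job."""
    pid = spawn(argv)

    def relay(signum, _frame):
        sys.exit(forward_and_reap(pid, signum))

    for s in FORWARDED:
        signal.signal(s, relay)
    return child_status(os.waitpid(pid, 0)[1])


if __name__ == "__main__":
    sys.exit(supervise(sys.argv[1:]))
```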