[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [HTCondor-users] condor_rm & the docker universe

> On Jul 30, 2015, at 11:40 AM, Dimitri Maziuk <dmaziuk@xxxxxxxxxxxxx> wrote:
> On 07/30/2015 10:01 AM, andrew.lahiff@xxxxxxxxxx wrote:
>> Hi Greg,
>> Ok, I didn't realized it worked like this - I had assumed HTCondor
> would do something like "docker stop", rather than send a signal to the
> actual executable running inside the container. Isn't this rather
> unsafe? It makes it very easy for people to run jobs which escape
> HTCondor's control - according to HTCondor the job has been killed but
> the Docker container continues running for as long as it wants.
> I'd've thought sending sigterm to pid 1 would be rather unsafe... 'cause
> there's no possible way it could ever get routed to a wrong pid
> namespace or something…

Well, HTCondor doesn’t call it PID 1 — as far as HTCondor knows, it's PID XYZ as the kill is coming from outside the namespace.

It’s just that any process that is PID 1 of its current namespace has special signal handling semantics within the kernel, regardless of the source of the signal.