Systemd vs. Docker

Posted Feb 27, 2016 23:42 UTC (Sat) by Cyberax (✭ supporter ✭, #52523)
In reply to: Systemd vs. Docker by paulj
Parent article: Systemd vs. Docker

You can't escape a cgroup, so they're reliable. However, process killing races with process creation so it might be possible to create processes faster than systemd can kill them. In practice, it doesn't happen - I tried.

Forkbombs are more interesting - you CAN cause PID starvation by launching a forkbomb in an unconfined cgroup. https://www.kernel.org/doc/Documentation/cgroup-v1/pids.txt can help against it.

Another problematic case is PID races. SIGSTOP+SIGKILL does the job reliably: SIGSTOP can't be ignored and also forces the process to stick around.


Systemd vs. Docker

Posted Feb 28, 2016 3:43 UTC (Sun) by mchapman (subscriber, #66589)

> Another problematic case is PID races. SIGSTOP+SIGKILL does the job reliably: SIGSTOP can't be ignored and also forces the process to stick around.

It might be possible for two or more cooperating processes to circumvent this by continually SIGCONTing each other, forking new processes along the way. cortana's suggestion of using the freezer controller seems like a better approach.

Systemd vs. Docker

Posted Feb 28, 2016 6:44 UTC (Sun) by Cyberax (✭ supporter ✭, #52523)

Yes, you need to SIGSTOP everything first. Though it can be susceptible to a livelock (if a group of processes SIGCONT every other process). Freezer would solve this, but it's not available everywhere.

It appears that process handles or PID namespaces are the only reliable way.
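The "SIGSTOP everything first, then SIGKILL, repeat until the group is empty" fallback discussed in this thread, as an added example that is not part of any commenter's post: it reads the member list from a cgroup's `cgroup.procs` file (a cgroup v2 path is assumed), stops every member before killing any of them so a stopped process cannot fork between the listing and the kill, re-lists to catch processes created during the race, and gives up with an error after a bounded number of rounds rather than spinning forever in the SIGCONT livelock mchapman describes. The signal sender and the PID source are injectable so the loop can be exercised without root or a real cgroup.

```python
"""Stop-then-kill every process in a cgroup, repeating until cgroup.procs is empty."""
import os
import signal
import time
from typing import Callable, Iterable, List


def read_cgroup_pids(cgroup_dir: str) -> List[int]:
    """Return the PIDs currently listed in <cgroup_dir>/cgroup.procs (cgroup v2 layout assumed)."""
    with open(os.path.join(cgroup_dir, "cgroup.procs")) as f:
        return [int(line) for line in f if line.strip()]


def kill_group(list_pids: Callable[[], Iterable[int]],
               send_signal: Callable[[int, int], None] = os.kill,
               max_rounds: int = 100,
               settle: float = 0.01) -> List[str]:
    """
    Round-based teardown of a process group:
      1. list the members,
      2. SIGSTOP all of them (cannot be ignored; a stopped process cannot fork),
      3. SIGKILL all of them,
      4. re-list; anything that appeared between steps 1 and 2 gets caught next round.
    Returns the ordered log of signals sent.  Raises RuntimeError if the group is
    still populated after max_rounds, which is what a SIGCONT-ing livelock or a
    fork rate we cannot outpace looks like from here.
    """
    log: List[str] = []
    for _ in range(max_rounds):
        pids = sorted(set(list_pids()))
        if not pids:
            return log
        for sig, name in ((signal.SIGSTOP, "STOP"), (signal.SIGKILL, "KILL")):
            for pid in pids:
                try:
                    send_signal(pid, sig)
                    log.append(f"{name}:{pid}")
                except ProcessLookupError:
                    pass  # already gone: the race resolved in our favour
        time.sleep(settle)  # give killed members a moment to leave cgroup.procs
    raise RuntimeError(f"group still populated after {max_rounds} rounds")


def kill_cgroup(cgroup_dir: str, max_rounds: int = 100) -> List[str]:
    """Convenience wrapper for a real cgroup directory (requires permission to signal its members)."""
    return kill_group(lambda: read_cgroup_pids(cgroup_dir), max_rounds=max_rounds)
```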


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds