1*%כծؕ٦طַٕ׵
 暴ⴽ䪔ְׁ׸ג׷׏ג劤䔲דַׅ Docker Meetup Tokyo #6 Kazuki Suda

2 Kazuki Suda / Z Lab
 github.com/superbrothers

؝ٝذشָءؚشٕ׾「ֽ➰ֽזְֿהָ֮׷׏ג劤䔲דַׅ $ python -c 'while True: pass' & [1] 2817 $ kill -TERM 2817 $ [1]+ Terminated python -c 'while True: pass' فٗإأח4*(5&3.׾鷏⥋ׅ׷הفٗإأכ穄✪ׅ׷կ
 4*(5&3.ךرؿٕؓزך䮶׷莸ְכչفٗإأך穄✪պ 3

؝ٝذشָءؚشٕ׾「ֽ➰ֽזְֿהָ֮׷׏ג劤䔲דַׅ $ CONTAINER_ID=$(docker run -d mycontainer python -c 'while True: pass') $ docker kill -s TERM $CONTAINER_ID 3d2ba3d265751e54aef5d2d4718da37fcaf93bf14330eb25983f3c40a0f3b550 $ docker ps -q 3d2ba3d26575 ؝ٝذشח4*(5&3.׾鷏⥋׃׋ךח娤׿דזְկ
 ؝ٝذشחז׷הծءؚشٕ׾搀鋔ׅ׷ֿהָ֮׷ 4

؝ٝذشָءؚشٕ׾「ֽ➰ֽזְֿהָ֮׷׏ג劤䔲דַׅ % docker exec $CONTAINER_ID ps aux USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND root 1 99.6 0.8 24380 9156 ? Rs 01:16 9:44 python -c while True: pass root 40 0.0 0.2 19188 2320 ? Rs 01:26 0:00 ps aux ؝ٝذشה׉ֲׄׯזְהֹך麩ְ׏ג
 ؝ٝذشדכծ؝وٝسָ1*%ה׃ג㹋遤ׁ׸׷կ -JOVYחֶֽ׷1*%ך䕵ⶴ׏גז׿׌׏׋׏ֽկTCJOJOJU 5 $ ps aux USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND root 1 0.0 1.3 37352 6776 ? Ss Mar04 0:01 /sbin/init ... vagrant 3008 123 0.9 22952 4824 pts/3 R 01:29 0:02 python -c while True: pass

1*%כծؕ٦طַٕ׵暴ⴽ䪔ְׁ׸ג׷׏ג劤䔲דַׅ $ pstree -p init(1)-+ ..... | |-sshd(967)---sshd(2274)---sshd(2327)---bash(2328)---python(2344) ..... JOJUכծ♧菙涸ח1*%ד饯⹛ׁ׸׷➭ךفٗإأⰋגך鋵فٗإأկ
 JOJUָ媷ׁ׸׷הծծծءأذيָװלְ ؕ٦طٕכ1*%ךفٗإأ׾媷ׁ׸זְ״ֲח暴ⴽ䪔ְ׃גְ׷ 6

1*%כծؕ٦طַٕ׵暴ⴽ䪔ְׁ׸ג׷׏ג劤䔲דַׅ $ man 2 kill NAME kill - send signal to a process ... NOTES The only signals that can be sent to process ID 1, the init process, are those for which init has explicitly installed signal handlers. This is done to assure the system is not brought down accidentally. 䠐鏬JOJU׾媷ׁ׸׷הءأذيָتׅؐٝ׷ַ׵
 JOJUָ僇爙涸חعٝسٓ׾鏣㹀׃׋ءؚشٕ⟃㢩כ鷏׸זְ״ֲחׅ׷׻ 7

1*%כծؕ٦طַٕ׵暴ⴽ䪔ְׁ׸ג׷׏ג劤䔲דַׅ 8 /* linux/kernel/fork.c 638c201 */ static struct task_struct *copy_process(unsigned long clone_flags, ... { ... if (is_child_reaper(pid)) { ns_of_pid(pid)->child_reaper = p; p->signal->flags |= SIGNAL_UNKILLABLE; } } /* linux/include/linux/pid.h 638c201 */ /* * is_child_reaper returns true if the pid is the init process * of the current namespace. As this one could be checked before * pid_ns->child_reaper is assigned in copy_process, we check * with the pid number. */ static inline bool is_child_reaper(struct pid *pid) { return pid->numbers[pid->level].nr == 1; }

1*%כծؕ٦طַٕ׵暴ⴽ䪔ְׁ׸ג׷׏ג劤䔲דַׅ 9 /* linux/kernel/signal.c 638c201 */ int get_signal(struct ksignal *ksig) { ... /* * Global init gets no signals it doesn't want. * Container-init gets no signals it doesn't want from same * container. * * Note that if global/container-init sees a sig_kernel_only() * signal here, the signal must have been generated internally * or must have come from an ancestor namespace. In either * case, the signal cannot be dropped. */ if (unlikely(signal->flags & SIGNAL_UNKILLABLE) && !sig_kernel_only(signr)) continue; ... }

ֿֿתדךתה׭ ؝ٝذشדכծ؝وٝسָ1*%ה׃ג㹋遤ׁ׸׷կ
 JOJU 1*% כծؕ٦طָٕ暴ⴽ䪔ְ׃ג
 僇爙涸חءؚشٕعٝسٓ׾鏣㹀׃׋ءؚشٕ׌ֽ「ֽ➰ֽ׷կ
 ؝ٝذشדכ僇爙涸חءؚشٕعٝسٓ׾鏣㹀׃זְה
 ءؚشٕ׾「ֽ➰ֽ׆ծرؿٕؓزך䮶׷莸ְָ㹋遤ׁ׸זְկ ׄׯ֮וֲׅ׷僇爙涸חءؚشٕعٝسٓ׾鏣㹀׃׋׵ְְկ
 ZFMQEVNCJOJU׾⢪ֲה♧澓ד鍑寸ׅ׷կ 10 1*%כծؕ٦طַٕ׵暴ⴽ䪔ְׁ׸ג׷׏ג劤䔲דַׅ

葺ֹח鎘׵ֲ؝ٝذش橆㞮ぢֽJOJUءأذيEVNCJOJU 㹋遤׃׋ְ؝وٝس׾㶨فٗإأה׃ג㹋遤׃ծ
 ءؚشٕ׾「ֽ《׏׋׵㶨فٗإأחءؚشٕ׾فٗؗءׅ׷׌ֽ 11

葺ֹח鎘׵ֲ؝ٝذش橆㞮ぢֽJOJUءأذيEVNCJOJU $ CONTAINER_ID=$(docker run -d my_container dumb-init python -c 'while True: pass') $ docker exec $CONTAINER_ID pstree -p dumb-init(1)---python(6) $ docker kill -s TERM $CONTAINER_ID 79ae1676e41c263548ac9e4a7c1dac02ac9370bba4343240a75e255542346833 $ docker ps -q "XFTPNF 12

תה׭ ˖ ؝ٝذشדכծ㹋遤ׅ׷؝وٝسךفٗإأָ1*%ה׃ג㹋遤ׁ׸׷ ˖ ؕ٦طٕכ1*%׾暴ⴽ䪔ְ׃גְגծءؚشٕ׾鷏⥋׃ג׮رؿٕؓ زך䮶׷莸ְ׾㹋遤׃זְ ˖ EVNCJOJU׾⢪ֲה⡦׮罋ִ׆ח➭ך1*%הずׄ䮙⹛חז׏ג⤑ⵃ 13

8&"3&)*3*/( 
 zlab.co.jp 14 Docker, Kubernetes, etc…