PID1 は、カーネルから
特別扱いされてるって本当ですか？

Transcript

1. 1*%
   כծؕ٦طַٕ׵
 暴ⴽ䪔ְׁ׸ג׷׏ג劤䔲דַׅ Docker Meetup Tokyo #6 Kazuki Suda

2. 2 Kazuki Suda / Z Lab
 github.com/superbrothers

3. ؝ٝذشָءؚشٕ׾「ֽ➰ֽזְֿהָ֮׷׏ג劤䔲דַׅ $ python -c 'while True: pass' & [1] 2817

   $ kill -TERM 2817 $ [1]+ Terminated python -c 'while True: pass' فٗإأח
   4*(5&3.
   ׾鷏⥋ׅ׷הفٗإأכ穄✪ׅ׷կ
 4*(5&3.
   ךرؿٕؓزך䮶׷莸ְכչفٗإأך穄✪պ 3

4. ؝ٝذشָءؚشٕ׾「ֽ➰ֽזְֿהָ֮׷׏ג劤䔲דַׅ $ CONTAINER_ID=$(docker run -d mycontainer python -c 'while True:

   pass') $ docker kill -s TERM $CONTAINER_ID 3d2ba3d265751e54aef5d2d4718da37fcaf93bf14330eb25983f3c40a0f3b550 $ docker ps -q 3d2ba3d26575 ؝ٝذشח
   4*(5&3.
   ׾鷏⥋׃׋ךח娤׿דזְկ
 ؝ٝذشחז׷הծءؚشٕ׾搀鋔ׅ׷ֿהָ֮׷ 4

5. ؝ٝذشָءؚشٕ׾「ֽ➰ֽזְֿהָ֮׷׏ג劤䔲דַׅ % docker exec $CONTAINER_ID ps aux USER PID %CPU

   %MEM VSZ RSS TTY STAT START TIME COMMAND root 1 99.6 0.8 24380 9156 ? Rs 01:16 9:44 python -c while True: pass root 40 0.0 0.2 19188 2320 ? Rs 01:26 0:00 ps aux ؝ٝذشה׉ֲׄׯזְהֹך麩ְ׏ג
 ؝ٝذشדכծ؝وٝسָ
   1*%
   ה׃ג㹋遤ׁ׸׷կ
   -JOVY
   חֶֽ׷
   1*%
   ך䕵ⶴ׏גז׿׌׏׋׏ֽկ
   TCJOJOJU 5 $ ps aux USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND root 1 0.0 1.3 37352 6776 ? Ss Mar04 0:01 /sbin/init ... vagrant 3008 123 0.9 22952 4824 pts/3 R 01:29 0:02 python -c while True: pass

6. 1*%
   כծؕ٦طַٕ׵暴ⴽ䪔ְׁ׸ג׷׏ג劤䔲דַׅ $ pstree -p init(1)-+ ..... | |-sshd(967)---sshd(2274)---sshd(2327)---bash(2328)---python(2344) ..... JOJU
   כծ♧菙涸ח
   1*%
   ד饯⹛ׁ׸׷➭ךفٗإأⰋגך鋵فٗإأկ


   JOJU
   ָ媷ׁ׸׷הծծծءأذيָװלְ
   
   
   ؕ٦طٕכ
   1*%
   ךفٗإأ׾媷ׁ׸זְ״ֲח暴ⴽ䪔ְ׃גְ׷ 6

7. 1*%
   כծؕ٦طַٕ׵暴ⴽ䪔ְׁ׸ג׷׏ג劤䔲דַׅ $ man 2 kill NAME kill - send signal

   to a process ... NOTES The only signals that can be sent to process ID 1, the init process, are those for which init has explicitly installed signal handlers. This is done to assure the system is not brought down accidentally. 䠐鏬
   JOJU
   ׾媷ׁ׸׷הءأذيָتׅؐٝ׷ַ׵
 JOJU
   ָ僇爙涸חعٝسٓ׾鏣㹀׃׋ءؚشٕ⟃㢩כ鷏׸זְ״ֲחׅ׷׻ 7

8. 1*%
   כծؕ٦طַٕ׵暴ⴽ䪔ְׁ׸ג׷׏ג劤䔲דַׅ 8 /* linux/kernel/fork.c 638c201 */ static struct task_struct *copy_process(unsigned

   long clone_flags, ... { ... if (is_child_reaper(pid)) { ns_of_pid(pid)->child_reaper = p; p->signal->flags |= SIGNAL_UNKILLABLE; } } /* linux/include/linux/pid.h 638c201 */ /* * is_child_reaper returns true if the pid is the init process * of the current namespace. As this one could be checked before * pid_ns->child_reaper is assigned in copy_process, we check * with the pid number. */ static inline bool is_child_reaper(struct pid *pid) { return pid->numbers[pid->level].nr == 1; }

9. 1*%
   כծؕ٦طַٕ׵暴ⴽ䪔ְׁ׸ג׷׏ג劤䔲דַׅ 9 /* linux/kernel/signal.c 638c201 */ int get_signal(struct ksignal *ksig)

   { ... /* * Global init gets no signals it doesn't want. * Container-init gets no signals it doesn't want from same * container. * * Note that if global/container-init sees a sig_kernel_only() * signal here, the signal must have been generated internally * or must have come from an ancestor namespace. In either * case, the signal cannot be dropped. */ if (unlikely(signal->flags & SIGNAL_UNKILLABLE) && !sig_kernel_only(signr)) continue; ... }

10. ֿֿתדךתה׭
    
    ؝ٝذشדכծ؝وٝسָ
    1*%
    ה׃ג㹋遤ׁ׸׷կ
 
    JOJU
    1*%
    כծؕ٦طָٕ暴ⴽ䪔ְ׃ג

    
    
    
    
    
    
    
    
    
    
    
    僇爙涸חءؚشٕعٝسٓ׾鏣㹀׃׋ءؚشٕ׌ֽ「ֽ➰ֽ׷կ

    ؝ٝذشדכ僇爙涸חءؚشٕعٝسٓ׾鏣㹀׃זְה

    
    
    
    
    
    
    
    
    
    
    
    
    
    
    ءؚشٕ׾「ֽ➰ֽ׆ծرؿٕؓزך䮶׷莸ְָ㹋遤ׁ׸זְկ
    ׄׯ֮וֲׅ׷
    僇爙涸חءؚشٕعٝسٓ׾鏣㹀׃׋׵ְְկ

    ZFMQEVNCJOJU
    ׾⢪ֲה♧澓ד鍑寸ׅ׷կ

    10 1*%
    כծؕ٦طַٕ׵暴ⴽ䪔ְׁ׸ג׷׏ג劤䔲דַׅ

11. 葺ֹח鎘׵ֲ؝ٝذش橆㞮ぢֽ
    JOJU
    ءأذي
    EVNCJOJU 㹋遤׃׋ְ؝وٝس׾㶨فٗإأה׃ג㹋遤׃ծ
 ءؚشٕ׾「ֽ《׏׋׵㶨فٗإأחءؚشٕ׾فٗؗءׅ׷׌ֽ 11

12. 葺ֹח鎘׵ֲ؝ٝذش橆㞮ぢֽ
    JOJU
    ءأذي
    EVNCJOJU $ CONTAINER_ID=$(docker run -d my_container dumb-init python -c 'while

    True: pass') $ docker exec $CONTAINER_ID pstree -p dumb-init(1)---python(6) $ docker kill -s TERM $CONTAINER_ID 79ae1676e41c263548ac9e4a7c1dac02ac9370bba4343240a75e255542346833 $ docker ps -q "XFTPNF
    
    12

13. תה׭ ˖ ؝ٝذشדכծ㹋遤ׅ׷؝وٝسךفٗإأָ
    1*%
    ה׃ג㹋遤ׁ׸׷
    ˖ ؕ٦طٕכ
    1*%
    ׾暴ⴽ䪔ְ׃גְגծءؚشٕ׾鷏⥋׃ג׮رؿٕؓ زך䮶׷莸ְ׾㹋遤׃זְ
    ˖ EVNCJOJU
    ׾⢪ֲה⡦׮罋ִ׆ח➭ך
    1*%
    הずׄ䮙⹛חז׏ג⤑ⵃ 13

14. 8&
    "3&
    )*3*/( 
 zlab.co.jp 14 Docker, Kubernetes, etc…