//TODO: init process signal handling is clear; how about signal forwarding by the init process?
[ ] If an ancestor namespace sends SIGTERM to the container init, will it receive it or not?
First, understand that a docker container is a process in a different PID namespace.
A few points to understand:
ancestor namespace killing a child init process: https://man7.org/linux/man-pages/man7/pid_namespaces.7.html
difference between docker kill, docker stop and docker rm: https://unix.stackexchange.com/questions/509660/do-docker-container-rm-and-docker-container-kill-effectively-achieve-the-sam
killing the init process from inside the container, foreground: https://devops.stackexchange.com/questions/5613/how-to-explicitly-kill-the-process-with-pid-1-from-inside-a-container https://docs.docker.com/engine/reference/run/#foreground
we need a handler for the init process: https://medium.com/@gchudnov/trapping-signals-in-docker-containers-7a57fdda7d86
how to know whether a living process has signal handlers: https://stackoverflow.com/questions/5975315/linux-how-to-see-if-a-living-process-has-signal-handlers-set/8810790
there is a demo of writing your own signal proxy: https://medium.com/hackernoon/my-process-became-pid-1-and-now-signals-behave-strangely-b05c52cc551c
Best practices for propagating signals on Docker: https://www.kaggle.com/residentmario/best-practices-for-propagating-signals-on-docker
Kill init Process in Container
Inside a container, PID 1 will never be killed by kill -9 1, but if PID 1 has registered other signal handlers then it can respond to those signals accordingly. To find out, check the signal bitmap:
# sh as PID 1
The output is:
SigCgt: 0000000000010002
So sh has 2 handlers, in bit 2 (SIGINT) and bit 17 (SIGCHLD), so in this container it will never react to kill 1 or kill -9 1, as no handler is registered for them.
If the init process you use has the bitmap bit set for SIGTERM, with a handler that calls exit(0), then you can terminate it with kill 1.
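The bitmap check above can be automated. The following is an added example, not code from the original notes: it decodes the SigBlk/SigIgn/SigCgt masks of a /proc/<pid>/status file and reports whether kill 1 or kill -9 1 from inside the container would reach PID 1. The function names and the sample status text are assumptions made for illustration; only the SigCgt value is taken from the notes.

```python
import signal
import sys

# Constructed sample of /proc/1/status; only the SigCgt value comes from the notes.
SAMPLE_STATUS = (
    "Name:\tsh\nPid:\t1\n"
    "SigBlk:\t0000000000000000\n"
    "SigIgn:\t0000000000000000\n"
    "SigCgt:\t0000000000010002\n"
)

def decode_mask(hex_mask):
    """Return the signal numbers set in a /proc status mask (bit 0 = signal 1)."""
    value = int(hex_mask, 16)
    return [bit + 1 for bit in range(value.bit_length()) if value >> bit & 1]

def parse_status(text):
    """Extract the SigBlk, SigIgn and SigCgt masks as lists of signal numbers."""
    masks = {}
    for line in text.splitlines():
        key, _, val = line.partition(":")
        if key in ("SigBlk", "SigIgn", "SigCgt"):
            masks[key] = decode_mask(val.strip())
    return masks

def signal_name(signo):
    """Name of a signal number on this platform; unnamed numbers are shown as-is."""
    try:
        return signal.Signals(signo).name
    except ValueError:
        return f"signal {signo}"

def init_reacts_to(status_text, signo):
    """True if PID 1 has a handler for signo, so a kill sent from inside the
    namespace is delivered. SIGKILL can never have a handler, so it is never set."""
    return signo in parse_status(status_text).get("SigCgt", [])

if __name__ == "__main__":
    # Pass a path such as /proc/1/status to inspect a live process.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_STATUS
    caught = parse_status(text).get("SigCgt", [])
    print("caught:", ", ".join(f"{n} ({signal_name(n)})" for n in caught))
    for signo in (signal.SIGTERM, signal.SIGKILL):
        verdict = "delivered" if init_reacts_to(text, signo) else "dropped"
        print(f"kill -{int(signo)} 1 from inside the container: {verdict}")
```

Run it inside the container with /proc/1/status as the argument to check a real init process.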