Details
-
Improvement
-
Status: Reviewable
-
Major
-
Resolution: Unresolved
-
None
-
None
Description
Some containers want to manage their cgroup by sub-dividing the cgroup that Mesos allocates to them into multiple sub-cgroups and put subprocess into the corresponding sub-cgroups.
For instance, someone wants to run Docker daemon in a Mesos container. Docker daemon will manage the cgroup assigned to it by Mesos (with the help , for example, cgroups namespace).
Problems arise during the teardown of the container because two entities might be manipulating the same cgroup simultaneously. For example, the Mesos cgroups::destroy might fail if the task running inside is trying to delete the same nested cgroup at the same time.
To support that case, we should consider kill all the processes in the Mesos cgroup first, making sure that no one will be creating sub-cgroups and moving new processes into sub-cgroups. And then, destroy the cgroups recursively.
And we need freezer because we want to make sure all processes are stopped while we are sending kill signals to avoid TOCTTOU race problem. I think it makes more sense to freezer the cgroups (and sub-cgroups) from top down (rather than bottom up because typically, processes in the parent cgroup manipulate sub-cgroups).
Attachments
Issue Links
- is related to
-
MESOS-6414 cgroups isolator cleanup failed when the hierarchy is cleanup by docker daemon
-
- Resolved
-
-
-
- Reviewable
-
-
-
- Reviewable
-
- relates to
-
-
- Open
-