Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752833AbbLIDhm (ORCPT ); Tue, 8 Dec 2015 22:37:42 -0500 Received: from out02.mta.xmission.com ([166.70.13.232]:34866 "EHLO out02.mta.xmission.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751179AbbLIDhk (ORCPT ); Tue, 8 Dec 2015 22:37:40 -0500 From: ebiederm@xmission.com (Eric W. Biederman) To: Dongsheng Yang Cc: Shayan Pooya , , , Richard Weinberger , References: <56679161.303@cn.fujitsu.com> <56679399.6080306@cn.fujitsu.com> Date: Tue, 08 Dec 2015 21:29:13 -0600 In-Reply-To: <56679399.6080306@cn.fujitsu.com> (Dongsheng Yang's message of "Wed, 9 Dec 2015 10:36:09 +0800") Message-ID: <876108fgfq.fsf@x220.int.ebiederm.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain X-XM-AID: U2FsdGVkX1+FgvjmSnp2JpNsC4hNb9MHZhW00vy3t8o= X-SA-Exim-Connect-IP: 70.59.167.217 X-SA-Exim-Mail-From: ebiederm@xmission.com X-Spam-Report: * -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP * 0.0 TVD_RCVD_IP Message was received from an IP address * 0.0 T_TM2_M_HEADER_IN_MSG BODY: No description available. * 0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60% * [score: 0.4235] * -0.0 DCC_CHECK_NEGATIVE Not listed in DCC * [sa07 1397; Body=1 Fuz1=1 Fuz2=1] X-Spam-DCC: XMission; sa07 1397; Body=1 Fuz1=1 Fuz2=1 X-Spam-Combo: ;Dongsheng Yang X-Spam-Relay-Country: X-Spam-Timing: total 753 ms - load_scoreonly_sql: 0.03 (0.0%), signal_user_changed: 3.5 (0.5%), b_tie_ro: 2.6 (0.3%), parse: 0.74 (0.1%), extract_message_metadata: 13 (1.7%), get_uri_detail_list: 2.9 (0.4%), tests_pri_-1000: 4.6 (0.6%), tests_pri_-950: 1.22 (0.2%), tests_pri_-900: 1.00 (0.1%), tests_pri_-400: 24 (3.1%), check_bayes: 22 (3.0%), b_tokenize: 7 (1.0%), b_tok_get_all: 8 (1.0%), b_comp_prob: 2.4 (0.3%), b_tok_touch_all: 2.8 (0.4%), b_finish: 0.63 (0.1%), tests_pri_0: 355 (47.1%), check_dkim_signature: 0.49 (0.1%), check_dkim_adsp: 3.4 (0.4%), tests_pri_500: 347 (46.1%), poll_dns_idle: 331 (43.9%), rewrite_mail: 0.00 (0.0%) Subject: Re: piping core dump to a program escapes container X-Spam-Flag: No X-SA-Exim-Version: 4.2.1 (built Wed, 24 Sep 2014 11:00:52 -0600) X-SA-Exim-Scanned: Yes (on in01.mta.xmission.com) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 3720 Lines: 93 Dongsheng Yang writes: > On 12/09/2015 10:26 AM, Dongsheng Yang wrote: >> On 10/25/2015 05:54 AM, Shayan Pooya wrote: >>> I noticed the following core_pattern behavior in my linux box while >>> running docker containers. I am not sure if it is bug, but it is >>> inconsistent and not documented. >>> >>> If the core_pattern is set on the host, the containers will observe >>> and use the pattern for dumping cores (there is no per cgroup >>> core_pattern). According to core(5) for setting core_pattern one can: >>> >>> 1. echo "/tmp/cores/core.%e.%p" > /proc/sys/kernel/core_pattern >>> 2. echo "|/bin/custom_core /tmp/cores/ %e %p " > >>> /proc/sys/kernel/core_pattern >>> >>> The former pattern evaluates the /tmp/cores path in the container's >>> filesystem namespace. Which means, the host does not see a core file >>> in /tmp/cores. >>> >>> However, the latter evaluates the /bin/custom_core path in the global >>> filesystem namespace. Moreover, if /bin/core decides to write the core >>> to a path (/tmp/cores in this case as shown by the arg to >>> custom_core), the path will be evaluated in the global filesystem >>> namespace as well. >>> >>> The latter behaviour is counter-intuitive and error-prone as the >>> container can fill up the core-file directory which it does not have >>> direct access to (which means the core is also not accessible for >>> debugging if someone only has access to the container). >From a container perspective it is perhaps counter intuitive from the perspective of the operator of the machine nothing works specially about core_pattern and it works as designed with no unusual danages. >> Hi Shayan, >> We found the same problem with what you described here. >> Is there any document for this behaviour? I want to know is >> that intentional or as you said a 'bug'. Maybe that's intentional >> to provide a way for admin to collect core dumps from all containers as >> Richard said. I am interested in it too. >> >> Anyone can help here? > > In addition, is that a good idea to make core_pattern to be seperated > in different namespace? The behavior was the best we could do at the time last time this issue was examined. There is enough information available to be able to write a core dumping program that can reliably place your core dumps in your container. There has not yet been an obvious namespace in which to stick core_pattern, and even worse exactly how to appropriate launch a process in a container has not been figured out. If those tricky problems can be solved we can have a core_pattern in a container. What we have now is the best we have been able to figure out so far. Eric > > Yang >> >> Yang >>> >>> Currently, I work around this issue by detecting that the process is >>> crashing from a container (by comparing the namespace pid to the >>> global pid) and refuse to dump the core if it is from a container. >>> >>> Tested on Ubuntu (kernel 3.16) and Fedora (kernel 4.1). >>> -- >>> To unsubscribe from this list: send the line "unsubscribe cgroups" in >>> the body of a message to majordomo@vger.kernel.org >>> More majordomo info at http://vger.kernel.org/majordomo-info.html >>> >> >> >> >> -- >> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in >> the body of a message to majordomo@vger.kernel.org >> More majordomo info at http://vger.kernel.org/majordomo-info.html >> Please read the FAQ at http://www.tux.org/lkml/ >> . >> -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/