When I execute a task within a container using docker exec, the newly spawned process is attached to containerd-shim with the other processes of this container which is the expected behavior. But I don’t understand in detail how the newly spawned process can be attached to this process.
EDIT : After some research, i understood that the process was actually spawned by runc then, using prctl(PR_SET_CHILD_SUBREAPER, 1); it was possible to terminate runc and the process was attached to runc. Yet, that does not explain how the process is "transferred" from my shell to this runc process attached to containerd-shim
For instance, if I spawn a process with sudo strace docker exec 104f931f77ee sleep 99 then I will have the following ps tree (simplified for clarity).
systemd,1
├─agetty,365 -o -p -- \\u --noclear tty1 linux
├─containerd,364
│ ├─containerd-shim,1858 -namespace moby -workdir /var/lib/containerd/io.containerd.runtime.v1.linux/moby/104f931f77eeb745451a47644e4997440a674697cef9a1a567b4edede960c68e -address /run/containerd/containerd.sock -containerd-binary /usr/bin/containerd -runtime-root /var/run/docker/runtime-runc
│ │ ├─bash,1875
│ │ ├─sleep,4769 10000000
│ │ ├─sleep,15504 99
│ │ └─{containerd-shim},1859, 1860, ...
│ └─{containerd},373, 374, ...
├─dockerd,366 -H fd:// --containerd=/run/containerd/containerd.sock
│ └─{dockerd},381, 382 ... 406
│
└─sshd,371 -D
└─sshd,565
└─sshd,582
└─zsh,583
└─sudo,15479 strace docker exec 104f931f77ee sleep 99
└─strace,15480 docker exec 104f931f77ee sleep 99
└─docker,15483 exec 104f931f77ee sleep 99
└─{docker},15485 to 15494
According to the strace of containerd-shim, this isn’t due to containerd-shim directly as no systemcall is done when a container is attached to this process. (Since it is waken only when a container dies, not when it spawns)
futex(0x9d8828, FUTEX_WAIT_PRIVATE, 0, NULL) = ? ERESTARTSYS (To be restarted if SA_RESTART is set)
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=21192, si_uid=0, si_status=0, si_utime=1, si_stime=0} ---
futex(0x9f3500, FUTEX_WAKE_PRIVATE, 1) = 1
rt_sigreturn({mask=~[HUP INT QUIT ILL TRAP ABRT BUS FPE KILL USR1 SEGV PIPE TERM STKFLT CHLD STOP PROF SYS RTMIN RT_1]}) = 202
futex(0x9d8828, FUTEX_WAIT_PRIVATE, 0, NULL) = ? ERESTARTSYS (To be restarted if SA_RESTART is set)
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=21653, si_uid=0, si_status=0, si_utime=0, si_stime=3} ---
futex(0x9f3500, FUTEX_WAKE_PRIVATE, 1) = 1
rt_sigreturn({mask=~[HUP INT QUIT ILL TRAP ABRT BUS FPE KILL USR1 SEGV PIPE TERM STKFLT CHLD STOP PROF SYS RTMIN RT_1]}) = 202
futex(0x9d8828, FUTEX_WAIT_PRIVATE, 0, NULL) = ? ERESTARTSYS (To be restarted if SA_RESTART is set)
(See edit)This is especially weird since :
You can not start a process as the child of the shell, and then "reparent" it so another process becomes it's parent.So you need to use a parent process that explicitly starts the children.
Also, according to this strace there is no direct communication between the spawning process and the containerd-shim
sudo strace docker exec 104f931f77ee sleep 99
execve("/usr/bin/docker", ["docker", "exec", "104f931f77ee", "sleep", "99"], 0x7ffe39a39f60 /* 13 vars */) = 0
brk(NULL) = 0x5650f557d000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=32790, ...}) = 0
mmap(NULL, 32790, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f3324830000
close(3) = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libpthread.so.0", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0@l\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=146968, ...}) = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f332482e000
mmap(NULL, 132288, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f332480d000
mmap(0x7f3324813000, 61440, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x6000) = 0x7f3324813000
mmap(0x7f3324822000, 24576, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x15000) = 0x7f3324822000
mmap(0x7f3324828000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1a000) = 0x7f3324828000
mmap(0x7f332482a000, 13504, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f332482a000
close(3) = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0000\21\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=14592, ...}) = 0
mmap(NULL, 16656, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f3324808000
mmap(0x7f3324809000, 4096, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1000) = 0x7f3324809000
mmap(0x7f332480a000, 4096, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x7f332480a000
mmap(0x7f332480b000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x7f332480b000
close(3) = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\260A\2\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=1824496, ...}) = 0
mmap(NULL, 1837056, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f3324647000
mprotect(0x7f3324669000, 1658880, PROT_NONE) = 0
mmap(0x7f3324669000, 1343488, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x22000) = 0x7f3324669000
mmap(0x7f33247b1000, 311296, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x16a000) = 0x7f33247b1000
mmap(0x7f33247fe000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1b6000) = 0x7f33247fe000
mmap(0x7f3324804000, 14336, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f3324804000
close(3) = 0
mmap(NULL, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f3324644000
arch_prctl(ARCH_SET_FS, 0x7f3324644740) = 0
mprotect(0x7f33247fe000, 16384, PROT_READ) = 0
mprotect(0x7f332480b000, 4096, PROT_READ) = 0
mprotect(0x7f3324828000, 4096, PROT_READ) = 0
mprotect(0x5650f338d000, 27123712, PROT_READ) = 0
mprotect(0x7f3324860000, 4096, PROT_READ) = 0
munmap(0x7f3324830000, 32790) = 0
set_tid_address(0x7f3324644a10) = 15483
set_robust_list(0x7f3324644a20, 24) = 0
rt_sigaction(SIGRTMIN, {sa_handler=0x7f33248136b0, sa_mask=[], sa_flags=SA_RESTORER|SA_SIGINFO, sa_restorer=0x7f332481f730}, NULL, 8) = 0
rt_sigaction(SIGRT_1, {sa_handler=0x7f3324813740, sa_mask=[], sa_flags=SA_RESTORER|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f332481f730}, NULL, 8) = 0
rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0
prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0
brk(NULL) = 0x5650f557d000
brk(0x5650f559e000) = 0x5650f559e000
sched_getaffinity(0, 8192, [0, 1, 2, 3, 4, 5]) = 64
mmap(NULL, 262144, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f3324604000
mmap(0xc000000000, 67108864, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xc000000000
mmap(0xc000000000, 67108864, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xc000000000
mmap(NULL, 33554432, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f3322604000
mmap(NULL, 2164736, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f33223f3000
mmap(NULL, 65536, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f33223e3000
mmap(NULL, 65536, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f33223d3000
rt_sigprocmask(SIG_SETMASK, NULL, [], 8) = 0
sigaltstack(NULL, {ss_sp=NULL, ss_flags=SS_DISABLE, ss_size=0}) = 0
sigaltstack({ss_sp=0xc000002000, ss_flags=0, ss_size=32768}, NULL) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
gettid() = 15483
rt_sigaction(SIGHUP, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGHUP, {sa_handler=0x5650f1abaf20, sa_mask=~[RTMIN RT_1], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f332481f730}, NULL, 8) = 0
rt_sigaction(SIGINT, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGINT, {sa_handler=0x5650f1abaf20, sa_mask=~[RTMIN RT_1], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f332481f730}, NULL, 8) = 0
rt_sigaction(SIGQUIT, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGQUIT, {sa_handler=0x5650f1abaf20, sa_mask=~[RTMIN RT_1], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f332481f730}, NULL, 8) = 0
rt_sigaction(SIGILL, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGILL, {sa_handler=0x5650f1abaf20, sa_mask=~[RTMIN RT_1], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f332481f730}, NULL, 8) = 0
rt_sigaction(SIGTRAP, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGTRAP, {sa_handler=0x5650f1abaf20, sa_mask=~[RTMIN RT_1], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f332481f730}, NULL, 8) = 0
rt_sigaction(SIGABRT, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGABRT, {sa_handler=0x5650f1abaf20, sa_mask=~[RTMIN RT_1], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f332481f730}, NULL, 8) = 0
rt_sigaction(SIGBUS, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGBUS, {sa_handler=0x5650f1abaf20, sa_mask=~[RTMIN RT_1], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f332481f730}, NULL, 8) = 0
rt_sigaction(SIGFPE, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGFPE, {sa_handler=0x5650f1abaf20, sa_mask=~[RTMIN RT_1], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f332481f730}, NULL, 8) = 0
rt_sigaction(SIGUSR1, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGUSR1, {sa_handler=0x5650f1abaf20, sa_mask=~[RTMIN RT_1], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f332481f730}, NULL, 8) = 0
rt_sigaction(SIGSEGV, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGSEGV, {sa_handler=0x5650f1abaf20, sa_mask=~[RTMIN RT_1], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f332481f730}, NULL, 8) = 0
rt_sigaction(SIGUSR2, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGUSR2, {sa_handler=0x5650f1abaf20, sa_mask=~[RTMIN RT_1], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f332481f730}, NULL, 8) = 0
rt_sigaction(SIGPIPE, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGPIPE, {sa_handler=0x5650f1abaf20, sa_mask=~[RTMIN RT_1],
[...]
sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f332481f730}, NULL, 8) = 0
rt_sigprocmask(SIG_SETMASK, ~[RTMIN RT_1], [], 8) = 0
mmap(NULL, 8392704, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f3321bd2000
mprotect(0x7f3321bd3000, 8388608, PROT_READ|PROT_WRITE) = 0
clone(child_stack=0x7f33223d1fb0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tidptr=0x7f33223d29d0, tls=0x7f33223d2700, child_tidptr=0x7f33223d29d0) = 15485
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
rt_sigprocmask(SIG_SETMASK, ~[RTMIN RT_1], [], 8) = 0
mmap(NULL, 8392704, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f33213d1000
mprotect(0x7f33213d2000, 8388608, PROT_READ|PROT_WRITE) = 0
clone(child_stack=0x7f3321bd0fb0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tidptr=0x7f3321bd19d0, tls=0x7f3321bd1700, child_tidptr=0x7f3321bd19d0) = 15486
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
futex(0xc000074848, FUTEX_WAKE_PRIVATE, 1) = 1
rt_sigprocmask(SIG_SETMASK, ~[RTMIN RT_1], [], 8) = 0
mmap(NULL, 8392704, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f33203cf000
mprotect(0x7f33203d0000, 8388608, PROT_READ|PROT_WRITE) = 0
clone(child_stack=0x7f3320bcefb0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tidptr=0x7f3320bcf9d0, tls=0x7f3320bcf700, child_tidptr=0x7f3320bcf9d0) = 15488
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
rt_sigprocmask(SIG_SETMASK, ~[RTMIN RT_1], [], 8) = 0
mmap(NULL, 8392704, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f33137ff000
mprotect(0x7f3313800000, 8388608, PROT_READ|PROT_WRITE) = 0
clone(child_stack=0x7f3313ffefb0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tidptr=0x7f3313fff9d0, tls=0x7f3313fff700, child_tidptr=0x7f3313fff9d0) = 15489
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
mmap(NULL, 1439992, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f332026f000
mmap(NULL, 262144, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f332022f000
readlinkat(AT_FDCWD, "/proc/self/exe", "/usr/bin/docker", 128) = 15
fcntl(0, F_GETFL) = 0x402 (flags O_RDWR|O_APPEND)
futex(0xc000074bc8, FUTEX_WAKE_PRIVATE, 1) = 1
futex(0xc0000a6148, FUTEX_WAKE_PRIVATE, 1) = 1
fcntl(1, F_GETFL) = 0x402 (flags O_RDWR|O_APPEND)
fcntl(2, F_GETFL) = 0x402 (flags O_RDWR|O_APPEND)
getpid() = 15483
newfstatat(AT_FDCWD, "/proc", {st_mode=S_IFDIR|0555, st_size=0, ...}, 0) = 0
openat(AT_FDCWD, "/proc/stat", O_RDONLY|O_CLOEXEC) = 3
epoll_create1(EPOLL_CLOEXEC) = 4
epoll_ctl(4, EPOLL_CTL_ADD, 3, {EPOLLIN|EPOLLOUT|EPOLLRDHUP|EPOLLET, {u32=539230440, u64=139857559290088}}) = 0
fcntl(3, F_GETFL) = 0x8000 (flags O_RDONLY|O_LARGEFILE)
fcntl(3, F_SETFL, O_RDONLY|O_NONBLOCK|O_LARGEFILE) = 0
read(3, "cpu 2248 0 4821 3583425 1021 0 "..., 4096) = 1387
read(3, "", 2709) = 0
epoll_ctl(4, EPOLL_CTL_DEL, 3, 0xc00021120c) = 0
close(3) = 0
futex(0xc000074bc8, FUTEX_WAKE_PRIVATE, 1) = 1
futex(0xc000074bc8, FUTEX_WAKE_PRIVATE, 1) = 1
futex(0xc0000a6148, FUTEX_WAKE_PRIVATE, 1) = 1
futex(0xc0000a6148, FUTEX_WAKE_PRIVATE, 1) = 1
futex(0xc000074848, FUTEX_WAKE_PRIVATE, 1) = 1
futex(0xc000074848, FUTEX_WAKE_PRIVATE, 1) = 1
futex(0xc000074bc8, FUTEX_WAKE_PRIVATE, 1) = 1
mmap(NULL, 262144, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f33201ef000
futex(0xc000074bc8, FUTEX_WAKE_PRIVATE, 1) = 1
futex(0xc0000a6148, FUTEX_WAKE_PRIVATE, 1) = 1
getrandom("\x5c\x6c\x6d\xbf\xd9\x2a\xf8\x4d", 8, 0) = 8
newfstatat(AT_FDCWD, "/usr/lib/libykcs11.so", 0xc000050788, 0) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/usr/lib/libykcs11.so.1", 0xc000050858, 0) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/usr/lib64/libykcs11.so", 0xc000050928, 0) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/usr/lib64/libykcs11.so.1", 0xc0000509f8, 0) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/libykcs11.so", 0xc000050ac8, 0) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/usr/local/lib/libykcs11.so", 0xc000050b98, 0) = -1 ENOENT (No such file or directory)
capget({version=0 /* _LINUX_CAPABILITY_VERSION_??? */, pid=0}, NULL) = 0
openat(AT_FDCWD, "/proc/sys/kernel/cap_last_cap", O_RDONLY|O_CLOEXEC) = 3
epoll_ctl(4, EPOLL_CTL_ADD, 3, {EPOLLIN|EPOLLOUT|EPOLLRDHUP|EPOLLET, {u32=539230440, u64=139857559290088}}) = 0
fcntl(3, F_GETFL) = 0x8000 (flags O_RDONLY|O_LARGEFILE)
fcntl(3, F_SETFL, O_RDONLY|O_NONBLOCK|O_LARGEFILE) = 0
read(3, "37\n", 11) = 3
epoll_ctl(4, EPOLL_CTL_DEL, 3, 0xc000211d24) = 0
close(3) = 0
newfstatat(AT_FDCWD, "/usr/local/sbin/unpigz", 0xc0000512e8, 0) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/usr/local/bin/unpigz", 0xc0000513b8, 0) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/usr/sbin/unpigz", 0xc000051488, 0) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/usr/bin/unpigz", {st_mode=S_IFREG|0755, st_size=116944, ...}, 0) = 0
getpid() = 15483
futex(0xc000074848, FUTEX_WAKE_PRIVATE, 1) = 1
uname({sysname="Linux", nodename="debiankvm", ...}) = 0
getuid() = 0
socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3
connect(3, {sa_family=AF_UNIX, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
close(3) = 0
socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3
connect(3, {sa_family=AF_UNIX, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
close(3) = 0
openat(AT_FDCWD, "/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=510, ...}) = 0
read(3, "# /etc/nsswitch.conf\n#\n# Example"..., 4096) = 510
read(3, "", 4096) = 0
close(3) = 0
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=32790, ...}) = 0
mmap(NULL, 32790, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f3324830000
close(3) = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libnss_files.so.2", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0003\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=55792, ...}) = 0
mmap(NULL, 83768, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f33201da000
mprotect(0x7f33201dd000, 40960, PROT_NONE) = 0
mmap(0x7f33201dd000, 28672, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x3000) = 0x7f33201dd000
mmap(0x7f33201e4000, 8192, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xa000) = 0x7f33201e4000
mmap(0x7f33201e7000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xc000) = 0x7f33201e7000
mmap(0x7f33201e9000, 22328, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f33201e9000
close(3) = 0
mprotect(0x7f33201e7000, 4096, PROT_READ) = 0
munmap(0x7f3324830000, 32790) = 0
openat(AT_FDCWD, "/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
lseek(3, 0, SEEK_CUR) = 0
fstat(3, {st_mode=S_IFREG|0644, st_size=1394, ...}) = 0
read(3, "root:x:0:0:root:/root:/bin/zsh\nd"..., 4096) = 1394
close(3) = 0
futex(0x5650f4e04230, FUTEX_WAKE_PRIVATE, 1) = 1
futex(0x5650f4e04130, FUTEX_WAKE_PRIVATE, 1) = 1
futex(0xc00044c148, FUTEX_WAKE_PRIVATE, 1) = 1
rt_sigprocmask(SIG_SETMASK, ~[RTMIN RT_1], [], 8) = 0
mmap(NULL, 8392704, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f3311ffc000
mprotect(0x7f3311ffd000, 8388608, PROT_READ|PROT_WRITE) = 0
clone(child_stack=0x7f33127fbfb0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tidptr=0x7f33127fc9d0, tls=0x7f33127fc700, child_tidptr=0x7f33127fc9d0) = 15492
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
futex(0x5650f4e04230, FUTEX_WAKE_PRIVATE, 1) = 1
futex(0x5650f4e04130, FUTEX_WAKE_PRIVATE, 1) = 1
futex(0xc0003dd9c8, FUTEX_WAKE_PRIVATE, 1) = 1
futex(0xc0000a7d48, FUTEX_WAKE_PRIVATE, 1) = 1
futex(0x5650f4e04230, FUTEX_WAKE_PRIVATE, 1) = 1
futex(0x5650f4e04130, FUTEX_WAKE_PRIVATE, 1) = 1
futex(0xc0000a7d48, FUTEX_WAKE_PRIVATE, 1) = 1
futex(0xc00044c148, FUTEX_WAKE_PRIVATE, 1) = 1
futex(0xc00044c148, FUTEX_WAKE_PRIVATE, 1) = 1
futex(0xc00044c148, FUTEX_WAKE_PRIVATE, 1) = 1
futex(0xc0003dd9c8, FUTEX_WAKE_PRIVATE, 1) = 1
futex(0x5650f4e04230, FUTEX_WAKE_PRIVATE, 1) = 1
futex(0x5650f4e04130, FUTEX_WAKE_PRIVATE, 1) = 1
futex(0xc0003dd9c8, FUTEX_WAKE_PRIVATE, 1) = 1
futex(0xc00044c148, FUTEX_WAKE_PRIVATE, 1) = 1
futex(0x5650f4e04230, FUTEX_WAKE_PRIVATE, 1) = 1
futex(0x5650f4e04130, FUTEX_WAKE_PRIVATE, 1) = 1
futex(0xc00044c148, FUTEX_WAKE_PRIVATE, 1) = 1
futex(0xc0003dd9c8, FUTEX_WAKE_PRIVATE, 1) = 1
epoll_pwait(4, [], 128, 0, NULL, 8) = 0
futex(0x5650f4e04230, FUTEX_WAKE_PRIVATE, 1) = 1
futex(0x5650f4e04130, FUTEX_WAKE_PRIVATE, 1) = 1
futex(0xc0003dd9c8, FUTEX_WAKE_PRIVATE, 1) = 1
futex(0xc00044c148, FUTEX_WAKE_PRIVATE, 1) = 1
futex(0xc0004ec148, FUTEX_WAKE_PRIVATE, 1) = 1
futex(0xc0004ec148, FUTEX_WAKE_PRIVATE, 1) = 1
mmap(NULL, 262144, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f332018a000
futex(0xc0004ec148, FUTEX_WAKE_PRIVATE, 1) = 1
futex(0x5650f4e04ee8, FUTEX_WAIT_PRIVATE, 0, NULL) = -1 EAGAIN (Resource temporarily unavailable)
epoll_pwait(4, [], 128, 0, NULL, 128) = 0
futex(0x5650f4e04230, FUTEX_WAKE_PRIVATE, 1) = 1
futex(0x5650f4e04130, FUTEX_WAKE_PRIVATE, 1) = 1
futex(0xc00044c4c8, FUTEX_WAKE_PRIVATE, 1) = 1
mmap(NULL, 65536, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f332017a000
futex(0xc0003dd9c8, FUTEX_WAKE_PRIVATE, 1) = 1
futex(0xc0003dd9c8, FUTEX_WAKE_PRIVATE, 1) = 1
futex(0xc0003dd9c8, FUTEX_WAKE_PRIVATE, 1) = 1
futex(0xc0003dd9c8, FUTEX_WAKE_PRIVATE, 1) = 1
futex(0x5650f4e04ee8, FUTEX_WAIT_PRIVATE, 0, NULL) = 0
ioctl(0, TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(1, TCGETS, {B38400 opost isig icanon echo ...}) = 0
newfstatat(AT_FDCWD, "/root/.docker/config.json", 0xc0004d9bd8, 0) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/root/.dockercfg", 0xc0004d9ca8, 0) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/usr/local/sbin/pass", 0xc0004d9d78, 0) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/usr/local/bin/pass", 0xc0004d9e48, 0) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/usr/sbin/pass", 0xc0004d9f18, 0) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/usr/bin/pass", 0xc000018038, 0) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/sbin/pass", 0xc000018108, 0) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/bin/pass", 0xc0000181d8, 0) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/usr/local/sbin/docker-credential-secretservice", 0xc0000182a8, 0) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/usr/local/bin/docker-credential-secretservice", 0xc000018378, 0) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/usr/sbin/docker-credential-secretservice", 0xc000018448, 0) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/usr/bin/docker-credential-secretservice", 0xc000018518, 0) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/sbin/docker-credential-secretservice", 0xc0000185e8, 0) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/bin/docker-credential-secretservice", 0xc0000186b8, 0) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/root/.kube/config", 0xc000018788, 0) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/root/.kube/config", 0xc000018858, 0) = -1 ENOENT (No such file or directory)
futex(0xc0003dd9c8, FUTEX_WAKE_PRIVATE, 1) = 1
socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3
futex(0xc0004ec148, FUTEX_WAKE_PRIVATE, 1) = 1
futex(0x5650f4e08b80, FUTEX_WAIT_PRIVATE, 0, {tv_sec=31, tv_nsec=999222248}^C) = ? ERESTART_RESTARTBLOCK (Interrupted by signal)
strace: Process 15483 detached
So, how is the container created with containerd-shim as a parent?
Note: The question is not about why do containers need this architecture (I know that it allows the process that spawned the container to exit without disrupting it: the container can continue its execution detached from the shell). But how this can technically be done.
