-
Notifications
You must be signed in to change notification settings - Fork 18.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add init process for zombie fighting and signal handling #26061
Conversation
We should add an option to run integration-cli with both modes. I'm sure we have a test for this case. |
Looks like this will resolve #3793 |
Destination: "/dev/init", | ||
Type: "bind", | ||
Source: path, | ||
Options: []string{"bind", "rw"}, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
why rw?
4b6aefe
to
393515d
Compare
Ok, so as far as flags go, @tonistiigi and I talked about this some. We are not totally sold on what the flag name should be but we have a good idea on how it should work. On the daemon we will have a bool On run, we will also have a If anyone has a better idea for a flag name let me know. |
Updated this to use |
Moving this to code review: I think there no big controversy on the design 👍 I agree with everything in that comment #26061 (comment). |
@@ -2402,30 +2402,6 @@ func (s *DockerSuite) TestRunExposePort(c *check.C) { | |||
c.Assert(out, checker.Contains, "invalid range format for --expose") | |||
} | |||
|
|||
func (s *DockerSuite) TestRunUnknownCommand(c *check.C) { | |||
out, _, _ := dockerCmdWithStdoutStderr(c, "create", "busybox", "/bin/nada") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What if we do a lookup and mode check for the entrypoint before actually executing to maintain this behavior?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Like in the docker daemon?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
in daemon or containerd
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
won't work because lookups have to happen inside the container's mount ns after all volumes are mounted because PATH and binaries could live inside them
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We already have same hack for cp
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yes, "hack"
Small questions regarding tests, otherwise LGTM 👍 |
10248ce
to
26456ec
Compare
|
||
// only add the custom init if it is specified and the container is running in its | ||
// own private pid namespace. It does not make sense to add if it is running in the | ||
// host namespace or another container's pid namespace were we already have an init |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
typo "were" not "where"
is the i recall discussion about perhaps just use file named |
moby/moby#26061 moby/moby#28037 own copy (instead of distro package) because it requires tini with no args build krallin/tini#55
That's a nice improvement to get docker handle this PID1 issue. But I'm concerned this moves the responsibility to run with I suggest one could use some metadata in image to let runtime know such init process is required, for sample by adding to Dockerfile: |
In cases where a zombie reaper is required (in most cases, it should not even be needed), it should be added by the image author. I think this PR should be seen as a "last effort" if the image is not under control of the user. |
Did the Dockerfile instruction to enable this by default at the image level
we discussed make it in to 1.13? 😇
|
Pull request moby#27745 added support for the client to talk to older versions of the daemon. Various flags were added to docker 1.13 that are not compatible with older daemons. This PR adds annotations to those flags, so that they are automatically hidden if the daemon is older than docker 1.13 (API 1.25). Not all new flags affect the API (some are client-side only). The following PR's added new flags to docker 1.13 that affect the API; - moby#23430 added `--cpu-rt-period`and `--cpu-rt-runtime` - moby#27800 / moby#25317 added `--group` / `--group-add` / `--group-rm` - moby#27702 added `--network` to `docker build` - moby#25962 added `--attachable` to `docker network create` - moby#27998 added `--compose-file` to `docker stack deploy` - moby#22566 added `--stop-timeout` to `docker run` and `docker create` - moby#26061 added `--init` to `docker run` and `docker create` - moby#26941 added `--init-path` to `docker run` and `docker create` - moby#27958 added `--cpus` on `docker run` / `docker create` - moby#27567 added `--dns`, `--dns-opt`, and `--dns-search` to `docker service create` - moby#27596 added `--force` to `docker service update` - moby#27857 added `--hostname` to `docker service create` - moby#28031 added `--hosts`, `--host-add` / `--host-rm` to `docker service create` and `docker service update` - moby#28076 added `--tty` on `docker service create` / `docker service update` - moby#26421 added `--update-max-failure-ratio`, `--update-monitor` and `--rollback` on `docker service update` - moby#27369 added `--health-cmd`, `--health-interval`, `--health-retries`, `--health-timeout` and `--no-healthcheck` options to `docker service create` and `docker service update` Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Pull request moby/moby#27745 added support for the client to talk to older versions of the daemon. Various flags were added to docker 1.13 that are not compatible with older daemons. This PR adds annotations to those flags, so that they are automatically hidden if the daemon is older than docker 1.13 (API 1.25). Not all new flags affect the API (some are client-side only). The following PR's added new flags to docker 1.13 that affect the API; - moby/moby#23430 added `--cpu-rt-period`and `--cpu-rt-runtime` - moby/moby#27800 / moby/moby#25317 added `--group` / `--group-add` / `--group-rm` - moby/moby#27702 added `--network` to `docker build` - moby/moby#25962 added `--attachable` to `docker network create` - moby/moby#27998 added `--compose-file` to `docker stack deploy` - moby/moby#22566 added `--stop-timeout` to `docker run` and `docker create` - moby/moby#26061 added `--init` to `docker run` and `docker create` - moby/moby#26941 added `--init-path` to `docker run` and `docker create` - moby/moby#27958 added `--cpus` on `docker run` / `docker create` - moby/moby#27567 added `--dns`, `--dns-opt`, and `--dns-search` to `docker service create` - moby/moby#27596 added `--force` to `docker service update` - moby/moby#27857 added `--hostname` to `docker service create` - moby/moby#28031 added `--hosts`, `--host-add` / `--host-rm` to `docker service create` and `docker service update` - moby/moby#28076 added `--tty` on `docker service create` / `docker service update` - moby/moby#26421 added `--update-max-failure-ratio`, `--update-monitor` and `--rollback` on `docker service update` - moby/moby#27369 added `--health-cmd`, `--health-interval`, `--health-retries`, `--health-timeout` and `--no-healthcheck` options to `docker service create` and `docker service update` Signed-off-by: Sebastiaan van Stijn <github@gone.nl> Upstream-commit: 5d2722f83db9e301c6dcbe1c562c2051a52905db Component: cli
fixes #1101 additional context: * this was introduced in docker 1.13 (1/2017), we require docker 17.10 (10/2017), this should not have any issues dependency-wise, as `docker-init` is in the docker install from that point in time. unless explicitly removed, it should be in the dind container we use as well... * the PR that introduced this to docker is moby/moby#26061 for additional context * it may be wise to put this through some paces, if anybody has any... interesting... function containers. the tests seem to work fine, however, and this shouldn't be something users have to think about (?) at all, just something that we are doing. this isn't the default in docker for compatibility reasons, which is maybe a yellow flag but I am not sure tbh
fixes #1101 additional context: * this was introduced in docker 1.13 (1/2017), we require docker 17.10 (10/2017), this should not have any issues dependency-wise, as `docker-init` is in the docker install from that point in time. unless explicitly removed, it should be in the dind container we use as well... * the PR that introduced this to docker is moby/moby#26061 for additional context * it may be wise to put this through some paces, if anybody has any... interesting... function containers. the tests seem to work fine, however, and this shouldn't be something users have to think about (?) at all, just something that we are doing. this isn't the default in docker for compatibility reasons, which is maybe a yellow flag but I am not sure tbh
This adds a small C binary for fighting zombies. It is mounted under
/dev/init
and is prepended to the args specified by the user. Youenable it via a daemon flag,
dockerd --init
, as it is disable bydefault for backwards compat.
You can also override the daemon option or specify this on a per
container basis with
docker run --init=true|false
.You can test this by running a process like this as the pid 1 in a
container and see the extra zombie that appears in the container as it
is running.
Fixes #3793
Fixes #24284
Signed-off-by: Michael Crosby crosbymichael@gmail.com