shim/docker: handle SIGTERM & SIGINT?

Question

shim/docker: handle SIGTERM & SIGINT?

pepyakin opened this issue a year ago · 5 comments

Normally, SIGTERM & SIGINT signals terminate a receiving process, unless overriden. However, the PID 1 process is special cased and doesn't have this behavior. So those signals are ignored.

In Docker, a container's entrypoint is spawned as PID 1 and thus is not killable by default.

One workaround for that is to use tini or alike. We could also just override the default signal handlers. We should ensure however no surprises when running under docker.

Answer 1 · 2023-12-13T21:28:21.000Z

IMO the correct approach to this is not to handle it within the binary itself, but just to write our own containers which use tini or a base image which packages a proper init handler: https://github.com/phusion/baseimage-docker

Answer 2 · 2023-12-14T08:50:40.000Z

Init process is now part of recent docker versions (based on tini).

For compose: https://docs.docker.com/compose/compose-file/compose-file-v3/#init
For docker run: https://docs.docker.com/engine/reference/run/#specify-an-init-process

Answer 3 · 2023-12-15T00:59:23.000Z

I'm fairly inexperienced with docker, but the docker run --init needs to be invoked by the end-user, correct? In that case, it's still quite easy to forget. In the docker-compose case it seems to work well.

Answer 4 · 2023-12-15T01:00:46.000Z

Still w.r.t. the initial issue scope, I suggest we close this and decide not to explicitly handle signals in any special way within the shim. The docker containers we provide, docker compose, or docker run user can handle the PID 1 problem correctly.

Answer 5 · 2023-12-15T09:41:59.000Z

Agree. FWIW, in my containers, I manually included tini which works great.