Running containers with --init is safe, and if you're at all worried about this class of problem, go ahead and do it. (If you ever run containers in a context that's not pure Docker, note that Kubernetes does not have an equivalent option and you need to have an init process built into your image.)
In both of these cases, code inspection can help you figure out if there's even potentially a problem. Do you ever launch a subprocess? A typical Docker-packaged HTTP service doesn't. If you don't, then a child process can never launch a grandchild process and then exit without cleaning it up, so you can never inherit an unexpected zombie child process. Similarly, if you never launch a subprocess, then the only things that can send you signals are your own code and docker stop, and you can easily tell if there's a problem there.
None of the standard Docker Hub images I've looked at in detail run an init system. Stack Overflow Docker questions seem to contain very few complaints about docker stop not working, or about processes leaking on the host. I wouldn't especially worry about this, unless you have evidence to think you have a problem, or if you're trying to check absolutely every last "it's a good idea to..." box.
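For reference, the two jobs an init process built into an image has to do (pass the stop signal on to the real program, and reap whatever children exit) fit in one C function. This is an added example, not part of the original answer and not the code of any existing init; `mini_init` is a hypothetical name.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

static volatile pid_t main_pid = 0;   /* the one process we launched */

/* Forward stop signals (e.g. the SIGTERM from docker stop) to the main child. */
static void forward(int sig) { if (main_pid > 0) kill(main_pid, sig); }

/* mini_init (hypothetical name): run argv as the main child, forward
 * SIGTERM/SIGINT to it, reap every child that exits, and return the main
 * child's exit status (128 + signal number if a signal killed it). */
int mini_init(char *const argv[]) {
    sigset_t stop, old;
    sigemptyset(&stop);
    sigaddset(&stop, SIGTERM);
    sigaddset(&stop, SIGINT);
    sigprocmask(SIG_BLOCK, &stop, &old);      /* no signal is lost around fork */
    struct sigaction sa = {0};
    sa.sa_handler = forward;
    sa.sa_flags = SA_RESTART;                 /* wait() resumes after forwarding */
    sigemptyset(&sa.sa_mask);
    sigaction(SIGTERM, &sa, NULL);
    sigaction(SIGINT, &sa, NULL);

    pid_t pid = fork();
    if (pid < 0) { sigprocmask(SIG_SETMASK, &old, NULL); return 127; }
    if (pid == 0) {
        sigprocmask(SIG_SETMASK, &old, NULL); /* child must not inherit the block */
        execvp(argv[0], argv);
        _exit(127);                           /* exec failed */
    }
    main_pid = pid;
    sigprocmask(SIG_SETMASK, &old, NULL);     /* pending signals are delivered now */

    int status = 0, result = 127;
    pid_t done;
    while ((done = wait(&status)) > 0) {      /* as PID 1 this also reaps orphans */
        if (done != main_pid) continue;       /* an adopted grandchild: just reaped */
        result = WIFEXITED(status) ? WEXITSTATUS(status) : 128 + WTERMSIG(status);
        break;
    }
    main_pid = 0;
    while (waitpid(-1, NULL, WNOHANG) > 0) {} /* final sweep of exited children */
    return result;
}
```

A `main` that returns `mini_init(argv + 1)` turns this into an image entrypoint wrapper; orphaned grandchildren are only re-parented to it when it actually runs as PID 1 in the container.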