diff --git a/Dockerfiles/agent/Dockerfile b/Dockerfiles/agent/Dockerfile
index ec47e665f5bd1..4c24ca56ae1f7 100644
--- a/Dockerfiles/agent/Dockerfile
+++ b/Dockerfiles/agent/Dockerfile
@@ -80,6 +80,9 @@ COPY s6-services /etc/services.d/
 COPY entrypoint /etc/cont-init.d/
 COPY probe.sh initlog.sh /
+# Override the exit script by ours to fix --pid=host operations
+COPY init-stage3 /etc/s6/init/init-stage3
+
 # Prepare for running without root
 RUN adduser --group dd-agent \
 && adduser --system --no-create-home --disabled-password --ingroup dd-agent dd-agent \
diff --git a/Dockerfiles/agent/init-stage3 b/Dockerfiles/agent/init-stage3
new file mode 100755
index 0000000000000..4eff9e6544565
--- /dev/null
+++ b/Dockerfiles/agent/init-stage3
@@ -0,0 +1,14 @@
+#!/bin/execlineb -S0
+
+# This is the shutdown script, running as process 1.
+cd /
+
+# Merge environments from our custom stage into current context
+s6-envdir -I /var/run/s6/env-stage3
+
+# Reap all the zombies, and we're done.
+wait { }
+
+# Use CMD exit code defaulting to zero if not present.
+importas -u -D0 S6_STAGE2_EXITED S6_STAGE2_EXITED
+exit ${S6_STAGE2_EXITED}
diff --git a/Dockerfiles/agent/s6-services/agent/finish b/Dockerfiles/agent/s6-services/agent/finish
index 806bff20c55b7..1c1d48edf12a6 100755
--- a/Dockerfiles/agent/s6-services/agent/finish
+++ b/Dockerfiles/agent/s6-services/agent/finish
@@ -3,4 +3,6 @@
 # Kill the container if the main agent were to exit
 foreground { /initlog.sh "AGENT EXITED WITH CODE ${1}, SIGNAL ${2}, KILLING CONTAINER" }
-s6-svscanctl -t /var/run/s6/services
+
+# If the container is stopped via docker, s6 is already closing, silencing the error
+redirfd -w 2 /dev/null s6-svscanctl -t /var/run/s6/services
diff --git a/releasenotes/notes/dockerfile-pid-host-47ddbf2cdfa6e02e.yaml b/releasenotes/notes/dockerfile-pid-host-47ddbf2cdfa6e02e.yaml
new file mode 100644
index 0000000000000..a9d41e0dc7c99
--- /dev/null
+++ b/releasenotes/notes/dockerfile-pid-host-47ddbf2cdfa6e02e.yaml
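Review bot: The added `COPY init-stage3 /etc/s6/init/init-stage3` overwrites a file that belongs to the s6-overlay installation, but the comment above it neither says what the stock script does that breaks `--pid=host` nor which s6-overlay version the replacement was written against, so the override will silently drift the next time the base image's s6-overlay is bumped (that install step is outside this hunk). Presumably the stock stage 3 signals every process it can see in its PID namespace, which under `--pid=host` is the host itself; if that is the reason, it belongs in the comment. Suggest replacing the one-line comment with `# Replace s6-overlay's stage 3: the stock script signals every process in the PID namespace, which is the host under --pid=host. Written against s6-overlay <S6_OVERLAY_VERSION placeholder>; re-check on upgrade.`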
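Review bot: `wait { }` only reaps children that have already exited; nothing in this script sends TERM or KILL to leftover processes, so anything a service spawned outside s6 supervision stays alive until the container runtime tears the cgroup down, and that trade-off — the whole point of the file — is not written down anywhere in it. The comment above `wait { }` should state it, e.g. `# Deliberately no process sweep: under --pid=host a broadcast signal would reach host processes. Anything not supervised by s6 is left for the container runtime to kill.` Separately, `importas -u -D0` makes a missing `S6_STAGE2_EXITED` report success, which hides a stage 2 that never ran to completion; if that default is intended, the comment on the last two lines should say so rather than only "defaulting to zero if not present".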
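Review bot: The `redirfd -w 2 /dev/null` on the last line discards every diagnostic from s6-svscanctl, not just the one expected during a docker-initiated stop, so a control request that fails for an unrelated reason (scan directory path or permissions) leaves no trace after the "KILLING CONTAINER" log line, and nothing in the script acts on its exit status afterwards. If silencing only the shutdown case is the goal, the comment should make the blind spot explicit, e.g. extend it to `# If the container is stopped via docker, s6 is already closing, silencing the error; any other s6-svscanctl failure is invisible too, since the finish script's status is presumably not acted on`. The script's first two lines are outside the hunk.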
@@ -0,0 +1,5 @@
+---
+fixes:
+ - |
+ Fix Docker container `--pid=host` operations. Previous RCs can cause host system
+ instabilities and should not be run in pid host mode.