Add init process for zombie fighting

This adds a small C binary for fighting zombies.  It is mounted under
`/dev/init` and is prepended to the args specified by the user.  You
enable it via a daemon flag, `dockerd --init`, as it is disabled by
default for backwards compat.

You can also override the daemon option or specify this on a per
container basis with `docker run --init=true|false`.

You can test this by running a process like this as the pid 1 in a
container and see the extra zombie that appears in the container as it
is running.

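```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

int main(int argc, char ** argv) {
	pid_t pid = fork();
	if (pid == 0) {
		/* child: fork a grandchild that exits at once and is never waited for */
		pid = fork();
		if (pid == 0) {
			exit(0);
		}
		sleep(3);
		exit(0);
	}
	/* parent (pid 1 in the container) never calls wait() */
	printf("got pid %d and exited\n", pid);
	sleep(20);
}
```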

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
master
Michael Crosby 2016-06-27 14:38:47 -07:00 committed by Tibor Vass
parent 71e220fc11
commit d72deed554
2 changed files with 6 additions and 0 deletions
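
The reaping half of what an init does, as an added example (not code from this commit or from Docker's init binary). The names `supervise` and `workload` are hypothetical, signal forwarding is left out, and the sketch assumes Linux: it uses `PR_SET_CHILD_SUBREAPER` so that orphans are re-parented to it even when it is not pid 1.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed workload shaped like the commit's test program: the
 * grandchild exits at once and its parent never waits for it. */
static void workload(void) {
	if (fork() == 0)
		_exit(0);
	sleep(1);
	_exit(7);
}

/* Run fn as the main child and reap every process that exits, including
 * orphans re-parented to us. Returns the number of processes reaped
 * (-1 on error) and stores the main child's exit code in *code. */
int supervise(void (*fn)(void), int *code) {
	int status, reaped = 0;
	pid_t pid, main_child;

	/* Assumption: Linux. Outside a container this process is not pid 1,
	 * so ask the kernel to hand orphaned descendants to it instead. */
	if (prctl(PR_SET_CHILD_SUBREAPER, 1UL) != 0)
		return -1;
	main_child = fork();
	if (main_child < 0)
		return -1;
	if (main_child == 0) {
		fn();
		_exit(0);
	}
	/* Blocking wait on any child; the loop ends with ECHILD. */
	while ((pid = waitpid(-1, &status, 0)) > 0 || errno == EINTR) {
		if (pid < 0)
			continue; /* interrupted by a signal, retry */
		reaped++;
		if (pid == main_child && WIFEXITED(status))
			*code = WEXITSTATUS(status);
	}
	return reaped;
}

int main(void) {
	int code = -1, n = supervise(workload, &code);
	printf("reaped %d processes, main child exit code %d\n", n, code);
	return n < 0 ? 1 : code;
}
```

Without the subreaper call (and outside pid 1) only the main child would be reaped; the orphaned grandchild would be handed to whatever process is pid 1.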

@ -48,6 +48,7 @@ Options:
-H, --host=[] Daemon socket(s) to connect to
--help Print usage
--icc=true Enable inter-container communication
--init Run an init inside containers to forward signals and reap processes
--insecure-registry=[] Enable insecure registry communication
--ip=0.0.0.0 Default IP when binding container ports
--ip-forward=true Enable net.ipv4.ip_forward
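
Review bot: the `--init` line in the options list does not mention the per-container override, and its wording differs from the man page entry added in the same commit ("Run an init process inside containers for signal forwarding and process reaping"). Suggest using one description in both places and adding a sentence to this reference that `docker run --init=true|false` overrides the daemon setting, as the commit message describes.
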
@ -1140,6 +1141,7 @@ This is a full example of the allowed configuration options on Linux:
"group": "",
"cgroup-parent": "",
"default-ulimits": {},
"init": false,
"ipv6": false,
"iptables": false,
"ip-forward": false,
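
Review bot: `"init": false` is added to the full configuration example with no accompanying text, so a reader of this file cannot tell that the key is the config-file form of `dockerd --init`, or that a per-container `docker run --init=true|false` overrides it. A short sentence near the example stating both would close that gap.
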

@ -34,6 +34,7 @@ dockerd - Enable daemon mode
[**-H**|**--host**[=*[]*]]
[**--help**]
[**--icc**[=*true*]]
[**--init**[=*false*]]
[**--insecure-registry**[=*[]*]]
[**--ip**[=*0.0.0.0*]]
[**--ip-forward**[=*true*]]
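
Review bot: the synopsis entry `[**--init**[=*false*]]` advertises a value form, but the option's own entry later in this man page is a bare `**--init**`, so the page does not say consistently whether `--init=false` is accepted. Suggest writing the options entry as `**--init**=*true*|*false*`, matching `**--icc**=*true*|*false*`.
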
@ -166,6 +167,9 @@ unix://[/path/to/socket] to use.
**--icc**=*true*|*false*
Allow unrestricted inter\-container and Docker daemon host communication. If disabled, containers can still be linked together using the **--link** option (see **docker-run(1)**). Default is true.
**--init**
Run an init process inside containers for signal forwarding and process reaping.
**--insecure-registry**=[]
Enable insecure registry communication, i.e., enable un-encrypted and/or untrusted communication.
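
Review bot: the `**--init**` description states no default and no way to opt out per container, whereas the `**--icc**` entry just above ends with "Default is true." and cross-references **docker-run(1)**. Suggest adding "Default is false." and a pointer to `docker run --init`, plus a sentence that the init is mounted at `/dev/init` and prepended to the container's command, since that changes which process runs as pid 1.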