VARASYS/ZDDC
1
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

build(zddc-server): use tini as PID-1 entrypoint

Browse source 
Adds tini to the runtime image and routes ENTRYPOINT through it so
zddc-server runs as PID 2 with proper orphan reaping and signal
forwarding. Today zddc-server is a single-process server and the change
is invisible; the motivation is the upcoming render path that will
shell out to pandoc (which itself shells out to xelatex / lua filters /
dot) — any grandchild orphaned by a mid-run crash gets reparented to
PID 1, and a Go server is not the right thing to put in charge of
reaping subprocesses it never spawned.

tini is ~24KB and does exactly this one job. Putting it in the upstream
image (rather than each downstream consumer's Dockerfile) means every
deployment of codeberg.org/varasys/zddc-server gets the fix for free,
including the Burns & McDonnell prod chart wrapper that's about to land.

Cut a new release with `sh release-image.sh <version> stable` to
publish.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
ZDDC 2026-04-29 10:02:57 -05:00
parent f56eb7d0f9
commit cf4101b9e4
1 changed files with 9 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
zddc/Containerfile
View file

@ -63,9 +63,14 @@ LABEL org.opencontainers.image.title="zddc-server" \
org.opencontainers.image.vendor="VARASYS"
# wget is in the base image (busybox); explicitly install ca-certificates
# so outbound HTTPS (e.g. an upstream auth check) works if the operator
# adds anything later. Keep the install footprint minimal.
RUN apk add --no-cache ca-certificates && rm -rf /var/cache/apk/*
# (outbound HTTPS for any future upstream auth check) and tini (PID-1
# orphan reaper + signal forwarder). zddc-server itself only spawns
# subprocesses transitively — e.g. once a future render path shells out
# to pandoc, which in turn shells out to xelatex / lua filters / dot —
# and any of those grandchildren orphaned by a mid-run crash get
# reparented to PID 1. Without an init that knows to wait(2) on them,
# they accumulate as zombies. tini is ~24KB and does exactly this.
RUN apk add --no-cache ca-certificates tini && rm -rf /var/cache/apk/*
# Non-root user. UID/GID are deliberately fixed so volume permissions are
# predictable across hosts.
@ -99,4 +104,4 @@ EXPOSE 8443
HEALTHCHECK --interval=30s --timeout=5s --start-period=5s --retries=3 \
CMD wget --no-check-certificate -q --spider https://localhost:8443/ || exit 1
ENTRYPOINT ["/usr/local/bin/zddc-server"]
ENTRYPOINT ["/sbin/tini", "--", "/usr/local/bin/zddc-server"]