From cf4101b9e48cd596e2a6b20d306a902df257fb4a Mon Sep 17 00:00:00 2001
From: ZDDC
Date: Wed, 29 Apr 2026 10:02:57 -0500
Subject: [PATCH] build(zddc-server): use tini as PID-1 entrypoint
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Adds tini to the runtime image and routes ENTRYPOINT through it so zddc-server runs as PID 2 with proper orphan reaping and signal forwarding.

Today zddc-server is a single-process server and the change is invisible; the motivation is the upcoming render path that will shell out to pandoc (which itself shells out to xelatex / lua filters / dot) — any grandchild orphaned by a mid-run crash gets reparented to PID 1, and a Go server is not the right thing to put in charge of reaping subprocesses it never spawned. tini is ~24KB and does exactly this one job.

Putting it in the upstream image (rather than each downstream consumer's Dockerfile) means every deployment of codeberg.org/varasys/zddc-server gets the fix for free, including the Burns & McDonnell prod chart wrapper that's about to land.

Cut a new release with `sh release-image.sh stable` to publish.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 zddc/Containerfile | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/zddc/Containerfile b/zddc/Containerfile
index 5c519f0..3539b2c 100644
--- a/zddc/Containerfile
+++ b/zddc/Containerfile
@@ -63,9 +63,14 @@ LABEL org.opencontainers.image.title="zddc-server" \ org.opencontainers.image.vendor="VARASYS" # wget is in the base image (busybox); explicitly install ca-certificates -# so outbound HTTPS (e.g. an upstream auth check) works if the operator -# adds anything later. Keep the install footprint minimal. -RUN apk add --no-cache ca-certificates && rm -rf /var/cache/apk/* +# (outbound HTTPS for any future upstream auth check) and tini (PID-1 +# orphan reaper + signal forwarder). zddc-server itself only spawns +# subprocesses transitively — e.g. once a future render path shells out +# to pandoc, which in turn shells out to xelatex / lua filters / dot — +# and any of those grandchildren orphaned by a mid-run crash get +# reparented to PID 1. Without an init that knows to wait(2) on them, +# they accumulate as zombies. tini is ~24KB and does exactly this. +RUN apk add --no-cache ca-certificates tini && rm -rf /var/cache/apk/* # Non-root user. UID/GID are deliberately fixed so volume permissions are # predictable across hosts. @@ -99,4 +104,4 @@ EXPOSE 8443 HEALTHCHECK --interval=30s --timeout=5s --start-period=5s --retries=3 \ CMD wget --no-check-certificate -q --spider https://localhost:8443/ || exit 1 -ENTRYPOINT ["/usr/local/bin/zddc-server"] +ENTRYPOINT ["/sbin/tini", "--", "/usr/local/bin/zddc-server"]
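Review bot: in the first hunk (@@ -63,9 +63,14 @@), the `&& rm -rf /var/cache/apk/*` tail on the new `RUN apk add --no-cache ca-certificates tini` line is redundant: `--no-cache` already fetches the index to memory and writes nothing under /var/cache/apk, so the cleanup deletes an empty directory and only adds noise to the layer. Suggest trimming the line to `RUN apk add --no-cache ca-certificates tini`. Also worth noting that the new comment describes the future pandoc render path as the reason for tini; a reader of the Containerfile alone cannot tell that path is not yet in the image, so a short "not yet wired up, see commit message" qualifier would keep the comment honest once it lands.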
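Review bot: in the second hunk (@@ -99,4 +104,4 @@), tini forwards signals only to its direct child by default, so on a container stop the SIGTERM reaches zddc-server but not a pandoc/xelatex/dot tree that happens to be mid-render, which is exactly the subprocess tree the commit message is planning for. Unless zddc-server itself propagates shutdown to its children, consider `ENTRYPOINT ["/sbin/tini", "-g", "--", "/usr/local/bin/zddc-server"]` so tini signals the whole process group (Go's os/exec leaves children in the parent's group unless Setpgid is set, so `-g` will reach them). The `/sbin/tini` path matches where the Alpine tini package installs the binary, and keeping the server after `--` means any runtime CMD arguments still flow through to zddc-server unchanged.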