build(zddc-server): use tini as PID-1 entrypoint
Adds tini to the runtime image and routes ENTRYPOINT through it so zddc-server runs as PID 2 with proper orphan reaping and signal forwarding.

Today zddc-server is a single-process server and the change is invisible; the motivation is the upcoming render path that will shell out to pandoc (which itself shells out to xelatex / lua filters / dot) — any grandchild orphaned by a mid-run crash gets reparented to PID 1, and a Go server is not the right thing to put in charge of reaping subprocesses it never spawned. tini is ~24KB and does exactly this one job.

Putting it in the upstream image (rather than each downstream consumer's Dockerfile) means every deployment of codeberg.org/varasys/zddc-server gets the fix for free, including the Burns & McDonnell prod chart wrapper that's about to land.

Cut a new release with `sh release-image.sh <version> stable` to publish.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
parent
f56eb7d0f9
commit
cf4101b9e4
1 changed files with 9 additions and 4 deletions
|
|
@ -63,9 +63,14 @@ LABEL org.opencontainers.image.title="zddc-server" \
|
||||||
org.opencontainers.image.vendor="VARASYS"
|
org.opencontainers.image.vendor="VARASYS"
|
||||||
|
|
||||||
# wget is in the base image (busybox); explicitly install ca-certificates
|
# wget is in the base image (busybox); explicitly install ca-certificates
|
||||||
# so outbound HTTPS (e.g. an upstream auth check) works if the operator
|
# (outbound HTTPS for any future upstream auth check) and tini (PID-1
|
||||||
# adds anything later. Keep the install footprint minimal.
|
# orphan reaper + signal forwarder). zddc-server itself only spawns
|
||||||
RUN apk add --no-cache ca-certificates && rm -rf /var/cache/apk/*
|
# subprocesses transitively — e.g. once a future render path shells out
|
||||||
|
# to pandoc, which in turn shells out to xelatex / lua filters / dot —
|
||||||
|
# and any of those grandchildren orphaned by a mid-run crash get
|
||||||
|
# reparented to PID 1. Without an init that knows to wait(2) on them,
|
||||||
|
# they accumulate as zombies. tini is ~24KB and does exactly this.
|
||||||
|
RUN apk add --no-cache ca-certificates tini && rm -rf /var/cache/apk/*
|
||||||
|
|
||||||
# Non-root user. UID/GID are deliberately fixed so volume permissions are
|
# Non-root user. UID/GID are deliberately fixed so volume permissions are
|
||||||
# predictable across hosts.
|
# predictable across hosts.
|
||||||
|
|
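Review bot: on the new `RUN apk add --no-cache ca-certificates tini && rm -rf /var/cache/apk/*` line, the trailing `rm -rf /var/cache/apk/*` is redundant, because `--no-cache` already keeps the package index out of the layer; dropping it leaves a shorter line with the same image contents. Neither `ca-certificates` nor `tini` is version-pinned, so a rebuild can silently pick up a different tini; if reproducible images matter for the release flow, pin the package version here. The eight-line comment above the RUN also describes a render path that does not exist yet; consider trimming it to what tini does in this image today and leaving the pandoc rationale in the commit message, where it will not go stale.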
@ -99,4 +104,4 @@ EXPOSE 8443
|
||||||
HEALTHCHECK --interval=30s --timeout=5s --start-period=5s --retries=3 \
|
HEALTHCHECK --interval=30s --timeout=5s --start-period=5s --retries=3 \
|
||||||
CMD wget --no-check-certificate -q --spider https://localhost:8443/ || exit 1
|
CMD wget --no-check-certificate -q --spider https://localhost:8443/ || exit 1
|
||||||
|
|
||||||
ENTRYPOINT ["/usr/local/bin/zddc-server"]
|
ENTRYPOINT ["/sbin/tini", "--", "/usr/local/bin/zddc-server"]
|
||||||
|
|
|
||||||
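Review bot: the new `ENTRYPOINT ["/sbin/tini", "--", "/usr/local/bin/zddc-server"]` runs tini with default options, which forward signals only to the direct child, so the pandoc / xelatex / dot grandchildren named in the Dockerfile comment will not see SIGTERM on container stop unless zddc-server tears down its own subprocess tree. Either pass `-g` so tini signals the child's process group, or note in the comment that the server is responsible for terminating render subprocesses on shutdown. The hard-coded `/sbin/tini` path also depends on where the apk package installs the binary, so a short comment tying the path to the `apk add` line would help anyone who later changes the base image.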