Add tini to allow termination signal handling #3320
Conversation
shikharbhardwaj
requested review from
dblock,
peterzhuamazon,
bbarani,
gaiksaya,
rishabh6788,
zelinh,
jordarlu,
prudhvigodithi,
Divyaasm and
tianleh
as code owners
Signed-off-by: shikharbhardwaj <shikhar.bhardwaj@instabase.com>
shikharbhardwaj
force-pushed
the
add-tini-pid1
branch
from
7d31c6d to
86ae4f1
Compare
There was a problem hiding this comment.
Hi @shikharbhardwaj ,
Thanks very much for this PR.
Would you mind send some test results/logs if possible?
Showcasing the before/after of the change?
Also, not sure if this can be considered as a major change.
Since this is the first time we are changing how the process is being started.
So probably a good timing to merge this fix is when 3.x launch?
cc: @bbarani
Thanks.
|
|
||
| # Update packages | ||
| # Install the tools we need: tar and gzip to unpack the OpenSearch tarball, and shadow-utils to give us `groupadd` and `useradd`. | ||
| # Install which to allow running of securityadmin.sh | ||
| RUN yum update -y && yum install -y tar gzip shadow-utils which && yum clean all | ||
|
|
||
| # Add tini to use as init (PID1) process. | ||
| ADD https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini /bin/tini |
There was a problem hiding this comment.
This wont work as this download is only the x64 version, will crash on the arm64 here.
tini: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=a3f773dca5734fef07e2ea80c0450b3c60bbaf74, stripped
There was a problem hiding this comment.
Need code to handle download for x64 vs arm64.
There was a problem hiding this comment.
Updated the download source according to the TARGETARCH supplied by docker
There was a problem hiding this comment.
TARGETARCH seems only support multi-arch building?
Tried on the single arch build script and it could not figure out arch.
https://docs.docker.com/desktop/extensions-sdk/extensions/multi-arch/#adding-multi-arch-binaries
Step 20/39 : ADD https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini-${TARGETARCH} /bin/tini
ADD failed: failed to GET https://github.com/krallin/tini/releases/download/v0.19.0/tini- with status 404 Not Found: <!DOCTYPE html>
<html lang="en" data-color-mode="auto" data-light-theme="light" data-dark-theme="dark" data-a11y-animated-images="system">
Although we release for multi-arch we also want to support single-arch if people want to build in their local.
Probably add this in the build-image-single-arch.sh?
--build-arg TARGETARCH=${arch_uname}
| @@ -93,5 +98,5 @@ LABEL org.label-schema.schema-version="1.0" \ | |||
| org.label-schema.build-date="$BUILD_DATE" | |||
|
|
|||
| # CMD to run | |||
| ENTRYPOINT ["./opensearch-dashboards-docker-entrypoint.sh"] | |||
| ENTRYPOINT ["tini", "--", "./opensearch-dashboards-docker-entrypoint.sh"] | |||
There was a problem hiding this comment.
Is it possible to use ENTRYPOINT + CMD together?
ENTRYPOINT ["/tini", "--"]
# Run your program under Tini
CMD ["/your/program", "-and", "-its", "arguments"]
There was a problem hiding this comment.
Not sure about this since this may change behavior for existing invocations, but AFAICS non-opensearch command invocations will just exec the supplied command with a couple of env var exports
There was a problem hiding this comment.
Seems like you add this now?
|
|
||
| # Update packages | ||
| # Install the tools we need: tar and gzip to unpack the OpenSearch tarball, and shadow-utils to give us `groupadd` and `useradd`. | ||
| # Install which to allow running of securityadmin.sh | ||
| RUN yum update -y && yum install -y tar gzip shadow-utils which && yum clean all | ||
|
|
||
| # Add tini to use as init (PID1) process. | ||
| ADD https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini /bin/tini | ||
| RUN chmod +x /bin/tini |
There was a problem hiding this comment.
I kinda prefer to not make it globally available, and add full path in the entrypoint.
Tho I am not strongly against it.
There was a problem hiding this comment.
probably use 755 specifically instead of +x so it is precise?
There was a problem hiding this comment.
Sounds good, updated the chmod to 755. Open to path suggestions where we can keep this binary
There was a problem hiding this comment.
As of path, just use WORKDIR? It is the home dir of os or osd on docker.
So instead of using /bin/tini just use ./tini?
Signed-off-by: shikharbhardwaj <shikharbhardwaj68@gmail.com>
shikharbhardwaj
force-pushed
the
add-tini-pid1
branch
from
0ec6d04 to
6d36279
Compare
Signed-off-by: shikharbhardwaj <shikharbhardwaj68@gmail.com>
Signed-off-by: Shikhar Bhardwaj <shikharbhardwaj@users.noreply.github.com>
|
@peterzhuamazon sorry for the delay on turning this around, made some updates here along with the steps I did to test this. Let me know if there's a better set of steps to test this PR. Not exactly sure about the major version requirement, since this is more of a fix than a new feature, but it is possible something downstream depends on this behavior. |
Codecov Report
📣 This organization is not using Codecov’s GitHub App Integration. We recommend you install it so Codecov can continue to function properly for your repositories. Learn more @@ Coverage Diff @@
## main #3320 +/- ##
==========================================
+ Coverage 91.44% 91.72% +0.28%
==========================================
Files 172 172
Lines 4991 4991
==========================================
+ Hits 4564 4578 +14
+ Misses 427 413 -14 |
| @@ -58,7 +58,8 @@ function setupPerformanceAnalyzerPlugin { | |||
| echo "Disabling execution of $OPENSEARCH_HOME/bin/$PERFORMANCE_ANALYZER_PLUGIN/performance-analyzer-agent-cli for OpenSearch Performance Analyzer Plugin" | |||
| else | |||
| echo "Enabling execution of OPENSEARCH_HOME/bin/$PERFORMANCE_ANALYZER_PLUGIN/performance-analyzer-agent-cli for OpenSearch Performance Analyzer Plugin" | |||
| $OPENSEARCH_HOME/bin/opensearch-performance-analyzer/performance-analyzer-agent-cli > $OPENSEARCH_HOME/logs/PerformanceAnalyzer.log 2>&1 & | |||
| # Launch performance plugin and disown to PID1 (tini). | |||
| $OPENSEARCH_HOME/bin/opensearch-performance-analyzer/performance-analyzer-agent-cli > $OPENSEARCH_HOME/logs/PerformanceAnalyzer.log 2>&1 & disown | |||
There was a problem hiding this comment.
Good catch, tho I never try to use disown after a command tho.
I think it does the same thing as nohup in front.
There was a problem hiding this comment.
I will add this change into another PR so this PR of yours only focused on tini.
If we need to revert later on we dont have to revert the entire tini implementation.
Thanks.
There was a problem hiding this comment.
|
Thanks @shikharbhardwaj I have reviewed for another pass. Thanks! |
|
You might also want to rebase after #3479 merged to consume all the CVE fixes, so that security scan can pass. |
|
Hello, @shikharbhardwaj , would you be able to rebase and resolve the conflct to have the WhiteSource Security Check to validate again? thanks ! |
Signed-off-by: Shikhar Bhardwaj <shikharbhardwaj@users.noreply.github.com>
|
Hi @shikharbhardwaj welcome back and would you mind check the follow up comments I added in previous callouts? |
|
Greetings, @shikharbhardwaj , since it has been a while, wondering if you got time to comment on the feedback from @peterzhuamazon yet? thanks .. |
|
Hi @shikharbhardwaj, can you please take a look at the comments and provide your feedback? |
|
@peterzhuamazon Let's close if this is not going to be merged? |
Description
Issues Resolved
Test plan
opensearchimage to dockerhubBy submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.