inject signal to running container like sigterm #1560
-
|
From the docs apparently I could use this: sys.enable_sigterm_injection = [true|false] However my entrypoint of my gsc container is the apploader.sh. I used the gsc binary which relies on the templates to create a graminized docker image. The problem is that the child process that apploader.sh launches is not catching the SIGTERM being sent from docker stop. Thank you! |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 3 replies
-
|
This all shouldn't matter for Gramine. If you specify UPDATE: I see the problem now. This SO discussion is very useful: https://unix.stackexchange.com/questions/146756/forward-sigterm-to-child-in-bash. According to the discussion, there are two ways to fix the problem:
Our
@tiagorvmartins Could you try the second solution, with diff --git a/templates/apploader.common.template b/templates/apploader.common.template
index 4322eca..52f4bbe 100644
--- a/templates/apploader.common.template
+++ b/templates/apploader.common.template
@@ -11,10 +11,10 @@ set -e
# Default to Linux-SGX if no PAL was specified
if [ -z "$GSC_PAL" ] || [ "$GSC_PAL" == "Linux-SGX" ]
then
- gramine-sgx /gramine/app_files/entrypoint \
+ exec gramine-sgx /gramine/app_files/entrypoint \
{% if insecure_args %}{{ binary_arguments | map('shlex_quote') | join(' ') }} \
"${@}"{% endif %}
else
- gramine-direct /gramine/app_files/entrypoint \
+ exec gramine-direct /gramine/app_files/entrypoint \
{{ binary_arguments | map('shlex_quote') | join(' ') }} "${@}"
fi |
Beta Was this translation helpful? Give feedback.
-
|
Thank you @dimakuv will update you on this asap. |
Beta Was this translation helpful? Give feedback.
-
|
I can confirm that it worked, without any other issues on my side, thank you! |
Beta Was this translation helpful? Give feedback.
-
|
@tiagorvmartins Thanks for testing, I created a PR that will fix it in upstream GSC: gramineproject/gsc#171 |
Beta Was this translation helpful? Give feedback.
This all shouldn't matter for Gramine. If you specify
sys.enable_sigterm_injection = truein the manifest file, it will work. The additional layers (Docker GSC container, theapploader.shscript) should be irrelevant.UPDATE: I see the problem now. This SO discussion is very useful: https://unix.stackexchange.com/questions/146756/forward-sigterm-to-child-in-bash.
According to the discussion, there are two ways to fix the problem:
execsolution: https://unix.stackexchange.com/a/196053Our
apploader.shfrom GSC doesn't use any of these two unfortunately: