From 1e4aa28c9daf1ab221b67bea158a0c31d82cec67 Mon Sep 17 00:00:00 2001 From: James Phillips Date: Mon, 21 Dec 2015 21:47:35 -0800 Subject: [PATCH] Adds child process reaping when Consul is running as PID 1. --- command/agent/command.go | 27 +++++++++++++++++++ command/agent/config.go | 10 +++++++ command/agent/config_test.go | 13 +++++++++ .../source/docs/agent/options.html.markdown | 4 +++ 4 files changed, 54 insertions(+) diff --git a/command/agent/command.go b/command/agent/command.go index 0993ccfa1..a5f59bee9 100644 --- a/command/agent/command.go +++ b/command/agent/command.go @@ -18,6 +18,7 @@ import ( "github.com/armon/go-metrics/datadog" "github.com/hashicorp/consul/watch" "github.com/hashicorp/go-checkpoint" + "github.com/hashicorp/go-reap" "github.com/hashicorp/go-syslog" "github.com/hashicorp/logutils" scada "github.com/hashicorp/scada-client" @@ -641,6 +642,32 @@ func (c *Command) Run(args []string) int { defer server.Shutdown() } + // Enable child process reaping + if !config.DisableReap && (os.Getpid() == 1) { + logger := c.agent.logger + if !reap.IsSupported() { + logger.Printf("[WARN] Running as PID 1 but child process reaping is not supported on this platform, disabling") + } else { + logger.Printf("[DEBUG] Automatically reaping child processes") + + pids := make(reap.PidCh, 1) + errors := make(reap.ErrorCh, 1) + go func() { + for { + select { + case pid := <-pids: + logger.Printf("[DEBUG] Reaped child process %d", pid) + case err := <-errors: + logger.Printf("[ERR] Error reaping child process: %v", err) + case <-c.agent.shutdownCh: + return + } + } + }() + go reap.ReapChildren(pids, errors, c.agent.shutdownCh) + } + } + // Check and shut down the SCADA listeners at the end defer func() { if c.scadaHttp != nil { diff --git a/command/agent/config.go b/command/agent/config.go index c03659116..50db3244f 100644 --- a/command/agent/config.go +++ b/command/agent/config.go @@ -422,6 +422,12 @@ type Config struct { // Minimum Session TTL SessionTTLMin time.Duration `mapstructure:"-"` SessionTTLMinRaw string `mapstructure:"session_ttl_min"` + + // DisableReap controls automatic reaping of child processes, useful if + // running as PID 1 in a Docker container. This defaults to false, and + // reaping will be automatically enabled if this is false and Consul's + // PID is 1. + DisableReap bool `mapstructure:"disable_reap"` } // UnixSocketPermissions contains information about a unix socket, and @@ -1140,6 +1146,10 @@ func MergeConfig(a, b *Config) *Config { result.RetryJoinWan = append(result.RetryJoinWan, a.RetryJoinWan...) result.RetryJoinWan = append(result.RetryJoinWan, b.RetryJoinWan...) + if b.DisableReap { + result.DisableReap = true + } + return &result } diff --git a/command/agent/config_test.go b/command/agent/config_test.go index 000567b26..8ce8236ad 100644 --- a/command/agent/config_test.go +++ b/command/agent/config_test.go @@ -777,6 +777,17 @@ func TestDecodeConfig(t *testing.T) { if config.SessionTTLMin != 5*time.Second { t.Fatalf("bad: %s %#v", config.SessionTTLMin.String(), config) } + + // DisableReap + input = `{"disable_reap": true}` + config, err = DecodeConfig(bytes.NewReader([]byte(input))) + if err != nil { + t.Fatalf("err: %s", err) + } + + if config.DisableReap != true { + t.Fatalf("bad: reap not disabled: %#v", config) + } } func TestDecodeConfig_invalidKeys(t *testing.T) { @@ -1157,6 +1168,7 @@ func TestMergeConfig(t *testing.T) { CheckUpdateIntervalRaw: "8m", RetryIntervalRaw: "10s", RetryIntervalWanRaw: "10s", + DisableReap: false, } b := &Config{ @@ -1266,6 +1278,7 @@ func TestMergeConfig(t *testing.T) { RPC: &net.TCPAddr{}, RPCRaw: "127.0.0.5:1233", }, + DisableReap: true, } c := MergeConfig(a, b) diff --git a/website/source/docs/agent/options.html.markdown b/website/source/docs/agent/options.html.markdown index cadd50621..aac394f32 100644 --- a/website/source/docs/agent/options.html.markdown +++ b/website/source/docs/agent/options.html.markdown @@ -407,6 +407,10 @@ definitions support being updated during a reload. `disable_anonymous_signature` Disables providing an anonymous signature for de-duplication with the update check. See [`disable_update_check`](#disable_update_check). +* + `disable_reap` will prevent Consul from automatically reaping child processes if it + detects it is running as PID 1, such as in a Docker container. + * `disable_remote_exec` Disables support for remote execution. When set to true, the agent will ignore any incoming remote exec requests.