fix(docker): reap orphaned subprocesses with tini; dedup smoke setup (#1287, #1303) #1306
Merged
Aaronontheweb merged 3 commits on Jun 3, 2026
Insert tini as PID 1 (ENTRYPOINT) so orphaned netclawd tool subprocesses that reparent to PID 1 are reaped instead of piling up as <defunct> zombies. entrypoint.sh only `wait`s its own direct child, so without a reaping init these accumulated over a long-running container's lifetime (netclaw-dev#1287). `tini -g` forwards signals to the whole process group so a `docker stop` reaches netclawd even mid-backoff.

Extract the Docker smoke-test minimal-config env contract and the health-poll into scripts/docker/lib/smoke-lib.sh so the two validate_docker_image.yml verify steps and the lifecycle regression test share one source of truth instead of 2-3 copies that silently drift when the health route, provider-env contract, or startup budget changes (netclaw-dev#1303).

Extend the lifecycle regression test with Phase D (orphan reaping) and replace its "PPID == 1" supervision assertion with a chain check (netclawd -> entrypoint.sh -> PID 1) that still expresses "supervised, not a detached exec-session daemon" now that tini, not entrypoint.sh, is PID 1.

Broaden the workflow path filter to scripts/docker/** so changes to the shared lib re-run the image gate.
b43604f to 4f5b99a
Aaronontheweb commented Jun 3, 2026
Aaronontheweb left a comment
Docker-only change, LGTM - smoke tests came back clean but we'll see how it performs in the wild
Summary
Two follow-ups from the #1279 container-lifecycle rework (#1282):
- Docker image PID 1 (entrypoint.sh) doesn't reap reparented zombies #1287 — reap orphaned subprocesses. Insert `tini` as PID 1 via the `ENTRYPOINT`. `entrypoint.sh` supervises `netclawd` with `netclawd & wait $PID`, so it only reaps its own direct child. `netclawd`'s tool subprocesses that orphan (their parent exits) reparent to PID 1 and, with `entrypoint.sh` as PID 1, were never reaped — they piled up as `<defunct>` zombies over a long-running container's lifetime. `tini` is the canonical tiny init that reaps them; `-g` forwards signals to the whole process group so `docker stop` reaches `netclawd` even mid-backoff.
- Dedup container smoke test bring-up/health-poll with validate_docker_image.yml #1303 — dedup the Docker smoke setup. The minimal-provider env contract (`NETCLAW_Providers__validate__*` / `NETCLAW_Models__Main__*`) and the `/api/health/ready` poll were copy-pasted across the two `validate_docker_image.yml` verify steps and `test-daemon-lifecycle.sh`. Extracted them into `scripts/docker/lib/smoke-lib.sh` so the port, health path, provider-env contract, and crash-bail logic live in one place and can't silently drift.
Changes
- `docker/Dockerfile`: add `tini` to the apt set; `ENTRYPOINT ["/usr/bin/tini", "-g", "--", "/opt/netclaw/entrypoint.sh"]`; update the header comments to describe the `tini → entrypoint.sh → netclawd` tree.
- `scripts/docker/lib/smoke-lib.sh` (new): `netclaw_smoke_env_args` and `netclaw_wait_healthy` (0 healthy / 1 timeout / 2 exited).
- `scripts/docker/test-daemon-lifecycle.sh`: source the lib; add Phase D (orphan reaping — spawn a process that reparents to PID 1, kill it, assert it is reaped not left `<defunct>`); replace the bare `PPID == 1` supervision assertion with a chain check (`netclawd → entrypoint.sh → PID 1`) that still expresses "supervised, not a detached exec-session daemon" now that `tini`, not `entrypoint.sh`, is PID 1.
- `.github/workflows/validate_docker_image.yml`: both verify steps source the lib; broaden the path filter to `scripts/docker/**` so a change to the shared lib re-runs the image gate.
Validation
Built the image locally and ran the full lifecycle smoke test — all four phases pass:
The same `validate_docker_image` workflow runs this on the PR (it touches `docker/**` and `scripts/docker/**`).
Closes #1287
Closes #1303
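
An added sketch (not code from this PR or from the netclaw repository) of the two process-table assertions the description gives for `test-daemon-lifecycle.sh`: no `<defunct>` processes left parented to PID 1, and the `netclawd → entrypoint.sh → PID 1` supervision chain. The function names, the `tool-helper` process name and the sample `ps` snapshot are constructed for illustration.

```shell
#!/bin/sh
# Added illustration; function names and the sample table are hypothetical,
# not taken from scripts/docker/test-daemon-lifecycle.sh.
# Input format: output of `ps -eo pid=,ppid=,stat=,comm=` (one process per line).

# Constructed snapshot: tini(1) -> entrypoint.sh(7) -> netclawd(8), plus one
# orphaned tool subprocess (42) that reparented to PID 1 and was never reaped.
SAMPLE_PS='    1     0 Ss   tini
    7     1 S    entrypoint.sh
    8     7 Sl   netclawd
   42     1 Z    tool-helper
   43     8 S    tool-helper'

# Print the PIDs of zombies (STAT begins with Z) whose parent is PID 1.
# An empty result means PID 1 is reaping the orphans it inherits.
zombies_under_pid1() {
  printf '%s\n' "$1" | awk '$2 == 1 && $3 ~ /^Z/ { print $1 }'
}

# Return 0 only if some process named <child> has a parent named <parent>
# whose own PPID is 1. A daemon started from a detached exec session fails
# this, because its parent is not the entrypoint script.
supervised_chain_ok() {
  printf '%s\n' "$1" | awk -v child="$2" -v parent="$3" '
    { ppid[$1] = $2; comm[$1] = $4 }
    END {
      for (p in comm) if (comm[p] == child) {
        q = ppid[p]
        if ((q in comm) && comm[q] == parent && ppid[q] == 1) found = 1
      }
      exit(found ? 0 : 1)
    }'
}

echo "zombies under PID 1: $(zombies_under_pid1 "$SAMPLE_PS")"
supervised_chain_ok "$SAMPLE_PS" netclawd entrypoint.sh && echo "supervision chain ok"
```

Against a running container the snapshot would come from `docker exec <container> ps -eo pid=,ppid=,stat=,comm=`, assuming `ps` is available in the image.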