bin=nerdctl.gomodjail
# bin=nerdctl
"$bin" \
run --sig-proxy=true --name foo alpine sh -c -- '#!/bin/sh
set -eu
sig_msg () {
printf "received\n"
[ "true" != true ] || exit 0
}
trap sig_msg 2
printf "trap ready\n"
while true; do
printf "waiting...\n"
sleep 0.5
done'then separately kill -2 $(ps aux | grep sig-proxy=true | grep -v grep | grep -v .cache | awk '{printf $2}')
Note that with bin=nerdctl we get (expected):
...
waiting...
waiting...
received
Meaning the bash trap did get the signal.
With gomodjail, we only get:
...
waiting...
waiting...
so, we seemingly exit without the bash trap seeing the signal.
Furthermore, alternatively attempting to kill -2 the unpacked process (eg: ~/.cache/gomodjail/33a0d87e38fedf31/nerdctl run --sig-proxy=true) seems to be a no-op.
If I were to spitball an hypothesis, I would say that gomodjail gets the SIGINT and just terminates childs, instead of forwarding the signal.
This was spotted in containerd/nerdctl#4180
then separately
kill -2 $(ps aux | grep sig-proxy=true | grep -v grep | grep -v .cache | awk '{printf $2}')Note that with
bin=nerdctlwe get (expected):Meaning the bash trap did get the signal.
With gomodjail, we only get:
so, we seemingly exit without the bash trap seeing the signal.
Furthermore, alternatively attempting to
kill -2the unpacked process (eg:~/.cache/gomodjail/33a0d87e38fedf31/nerdctl run --sig-proxy=true) seems to be a no-op.If I were to spitball an hypothesis, I would say that gomodjail gets the SIGINT and just terminates childs, instead of forwarding the signal.
This was spotted in containerd/nerdctl#4180