docker healthcheck creates zombie processes if TLS is enabled with self signed certificate #7463
Comments
Looks to be a bug with busybox wget's ssl_client. This should fix it #7498 (though it'll add ~4MB to our image). Please give it a shot and let me know.
Can confirm, #7498 does fix the issue. LimeTech (creator of UNRAID) is also working on a fix for their docker implementation to prevent process leaks from crashing the host.
Great to know. Can't really see why the busybox wget has not been fixed. The issue occurs with any TLS request it looks like.
Yeah, just found this: https://bugs.busybox.net/show_bug.cgi?id=15967 Adding
This should prevent the issues with the broken busybox wget by installing the musl wget. It should be noted that while this is labelled as a fix this does not fix the actual issue, as the issue is an upstream bug with the busybox wget TLS client where it appears to leave zombie processes on any TLS request. This is just a workaround. Fixes #7463 Signed-off-by: James Elliott <[email protected]>
Hmm, I'm kind of inclined to say it may be the correct solution and I may revert the merged one, and instead update the docs. Considering the only instance where this has been discovered is an edge case (most people do not run the container with TLS but instead use a proxy to perform termination) it'd make more sense to do that than to force everyone to download a larger image. Init runs tini, which is included with docker older than 1.24. I will do some more research I think.
Yeah, the whole thing kinda is an edge case on an edge case and is very unlikely to cause these massive problems to anyone else. I agree with you, but if someone forgets to set this uncommon docker setting, it could be really hard to troubleshoot. I am not sure how predictably the authelia app itself fails when being PID limited, which might cause more edge cases (even security related maybe?). It also depends on the os and if the docker compose
I'll update the docs on that to clarify secure networks vs insecure ones. i.e. an iptables network on a host is significantly more secure as they'd likely have to compromise a host with root equivalent access as well to compromise that network, making the effort inconsequential in a vast majority of cases since they'd be able to alter configs themselves if they have root equivalent access.
Resolved in v4.38.10
Version
v4.38.9
Deployment Method
Docker
Reverse Proxy
Traefik
Reverse Proxy Version
3.0.3
Description
Hi,
I would like to follow up on my Discord message and properly document this issue as a bug.
Although this issue is not within the Authelia application itself, it is within the Authelia codebase and is also present by default in every Docker image.
If Authelia has been configured with the TLS option enabled (see below), the Docker healthcheck command using `wget` will create a zombie process at every execution. The default Docker healthcheck interval is set to 30 seconds, which will create 2,880 processes per day (24 hours * 60 minutes/hour * 2 processes/minute). When using Debian as the Docker host, the process limit is around 7,000 processes per container. Therefore, the Authelia container will become unhealthy after about 2.5 days, leading Traefik to drop requests to this container. In the rare case where the host OS (Unraid) does not limit the processes, the host will eventually run out of PIDs and crash.
Reproduction
This issue can be replicated using the authelia docker image with the TLS option enabled in the configuration.yml.
The key and certificate can be created using the command from the docs.
To speed up the issue, I suggest increasing the healthcheck interval using docker-compose:
To check the number of processes created, I ran `docker stats` on the host or `ps` inside the container.
Expectations
The container healthcheck should not fail after a certain period of time.
Configuration (Authelia)
Build Information
Logs (Authelia)
Logs (Proxy / Application)
No response
Documentation
https://www.authelia.com/configuration/miscellaneous/server/#tls
https://www.authelia.com/overview/security/measures/#mutual-tls
Pre-Submission Checklist
I agree to follow the Code of Conduct
This is a bug report and not a support request
I have read the security policy and this bug report is not a security issue or security related issue
I have either included the complete configuration file or I am sure it's unrelated to the configuration
I have either included the complete debug / trace logs or the output of the build-info command if the logs are not relevant
I have provided all of the required information in full with the only alteration being reasonable sanitization in accordance with the Troubleshooting Sanitization reference guide
I have checked for related proxy or application logs and included them if available
I have checked for related issues and checked the documentation
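Added example (not from the issue or the Authelia project): a POSIX shell check that scans `ps -eo pid,ppid,stat,comm` output captured inside the container, counts zombie entries, reports whether PID 1 is an init that would reap them, and projects the hours until a pids-limit is reached using the figures from the report (30 s interval, roughly 7,000 PID cap). The process table below is a constructed sample, not real output.

```shell
#!/bin/sh
# Added example, not part of the Authelia issue or codebase.
# Audit a container's process table for zombies left behind by the
# healthcheck and estimate how long until the pids-limit is exhausted.
# Input format is `ps -eo pid,ppid,stat,comm`; SAMPLE_PS is constructed
# to mirror the situation in the report (app as PID 1, leaked children).

SAMPLE_PS='  PID  PPID STAT COMMAND
    1     0 Ssl  authelia
   57     1 Z    ssl_client
   91     1 Z    ssl_client
  123     1 Z    ssl_client
  160     1 S    wget'

# Count processes whose STAT column starts with Z (zombie). Header skipped.
count_zombies() {
    printf '%s\n' "$1" | awk 'NR > 1 && $3 ~ /^Z/ { n++ } END { print n+0 }'
}

# Name of the process running as PID 1 inside the container.
pid1_command() {
    printf '%s\n' "$1" | awk 'NR > 1 && $1 == 1 { print $4; exit }'
}

# Returns 0 when PID 1 is a reaping init (docker --init / compose
# `init: true` runs tini, which shows up as docker-init or tini).
# When PID 1 is the application itself, orphaned children are never reaped.
pid1_is_init() {
    case "$(pid1_command "$1")" in
        tini|docker-init|dumb-init) return 0 ;;
        *) return 1 ;;
    esac
}

# Whole hours until the pids-limit is hit.
# $1 healthcheck interval (s), $2 zombies created per run,
# $3 pids-limit, $4 zombies already present.
hours_to_pid_limit() {
    interval=$1; per_run=$2; limit=$3; existing=$4
    echo $(( (limit - existing) * interval / (per_run * 3600) ))
}

# Stand-alone run: report on the constructed sample.
echo "zombies: $(count_zombies "$SAMPLE_PS")"
echo "pid 1:   $(pid1_command "$SAMPLE_PS")"
if pid1_is_init "$SAMPLE_PS"; then echo "init present, orphans reaped"; \
else echo "no init as PID 1, zombies will accumulate"; fi
echo "hours to 7000-PID limit at 30 s interval: $(hours_to_pid_limit 30 1 7000 0)"
```

With the report's numbers (one leaked child every 30 s, cap near 7,000) the projection lands at 58 hours, matching the roughly 2.5 days observed; when `pid1_is_init` fails, enabling the container init (`init: true` in compose, or `docker run --init`) is the setting the comments refer to.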