When running busybox wget in a docker container to request an SSL page, there is a leak of defunct ssl_client processes.

Version:
amd64 v1.31.1 tested in the alpine:3.19,3.18.3.16 and ubuntu:latest images from Docker Hub
arm64 v1.31.1 tested in the alpine:3.19

Steps to reproduce
1. docker run --name mycontainer -it --rm alpine:3.19 /bin/sleep inf
2. docker exec -it mycontainer ps aux
   PID USER TIME COMMAND
   1 root 0:00 /bin/sleep inf
   7 root 0:00 ps aux
3. docker exec -it mycontainer wget https://google.com
4. docker exec -it mycontainer ps aux
   PID USER TIME COMMAND
   1 root 0:00 /bin/sleep inf
   19 root 0:00 [ssl_client]
   20 root 0:00 [ssl_client]
   21 root 0:00 ps aux

Additional info: If the container's PID1 is /bin/sh (i.e., docker run -it --name mycontainer alpine:3.19 /bin/sh), the issue is not reproducible (because it handles SIGCHLD?).

This is the docker pid 1 and zombies problem. In Linux, pid 1 is special and is expected to reap orphaned child processes. The pid 1 (bin/sleep) is not doing this. The fix is to add --init to docker run:

   $ docker run --init --name mycontainer -it --rm alpine:3.19 /bin/sleep inf

Isn't adding --init, i.e., having a parent process with reaping "capabilities", a workaround? Yes, it solves it, but shouldn't the wget applet be able to join the ssl_client before it becomes an orphaned process?
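
The reaping behaviour discussed in this thread, as an added example that is not part of the original posts and is not BusyBox code: a parent forks a short-lived helper (a stand-in for ssl_client), observes it as a zombie while nobody has waited on it, then reaps it with waitpid(). The function names are hypothetical, and the example assumes Linux with /proc mounted.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* State letter from /proc/<pid>/stat ('Z' = zombie), or 0 if the pid is gone. */
char proc_state(pid_t pid) {
    char path[64], buf[512];
    snprintf(path, sizeof path, "/proc/%d/stat", (int)pid);
    FILE *f = fopen(path, "r");
    if (!f) return 0;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    /* Format is "pid (comm) S ..."; comm may contain ')', so use the last one. */
    char *p = strrchr(buf, ')');
    return (p && p[1] == ' ') ? p[2] : 0;
}

/* Fork a helper that exits at once (hypothetical stand-in for ssl_client). */
pid_t spawn_helper(void) {
    pid_t pid = fork();
    if (pid == 0) _exit(0);
    return pid;
}

/* Block until the helper has exited WITHOUT reaping it (WNOWAIT), then read its state. */
char state_before_wait(pid_t pid) {
    siginfo_t info;
    if (waitid(P_PID, (id_t)pid, &info, WEXITED | WNOWAIT) != 0) return 0;
    return proc_state(pid);
}

/* Reap the helper the way its parent (or an init process) would, then read its state. */
char state_after_wait(pid_t pid) {
    int status;
    if (waitpid(pid, &status, 0) != pid) return '?';
    return proc_state(pid);
}

int main(void) {
    pid_t pid = spawn_helper();
    if (pid < 0) return 1;
    printf("before wait: %c\n", state_before_wait(pid));
    printf("after wait: %s\n", state_after_wait(pid) ? "still present" : "gone");
    return 0;
}
```

The 'Z' state is what ps shows as a bracketed defunct entry; the entry disappears only once the current parent calls a wait function on it.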