Huge amount of zombie ssl_client processes

[p4block]

As per title. We're using PROXY protocol for our IRC behind a cloud LB.

Config (snippet):

network:
    name: ourdomain.com

server:
    # server name
    name: ourdomain.com

    listeners:
        ":6667": # (loopback ipv4, localhost-only)
            proxy: true

        # The standard SSL/TLS port for IRC is 6697. This will listen on all interfaces:
        ":6697":
            tls:
                cert: "/data/fullchain.pem"
                key: "/data/privkey.pem"
            proxy: true
            min-tls-version: 1.2

      proxy-allowed-from:
         - 167.233.22.11

[...]
    auth-script:
        enabled: true
        command: "/ircd/auth.sh"
        args: ["https://user.ourdomain.com/irc/ergochat/login"]
        autocreate: true
        timeout: 9s
        kill-timeout: 1s
        max-concurrency: 64

I'm suspecting it's related to the auth script.

#!/bin/sh
read input
wget --header='CONTENT-TYPE:application/json' --post-data "$input" -O - -q $1 && printf '\n' # This assume no endline ohne the API response

Related issue may be with wget in alpine

[p4block]

Switched the auth script to use curl and the problem now happens less but it's not fixed, seems to be an upstream alpine/busybox issue.

#!/bin/sh
read input
curl -X POST -H 'Content-Type:application/json' --data "$input" -sS $1 && printf '\n'

Got curl into the image by overriding the container command

  entrypoint: ["/bin/sh", "-c"]
  command: ["apk add curl && /ircd-bin/run.sh"]

[slingamn]

Thanks for the report! It looks like this is the problem solved by dumb-init and tini. We may need to recommend the use of --init in our Docker guides.

[slingamn]

@p4block have you tried using --init with your docker run invocation, as per #2097

[Brutus5000]

Init mode seems to have solved the issue.