Pkill nsd creates zombies

Hi,

I built a Docker container with nsd (configure; make; make install).
With a very simple nsd.conf I could run nsd, do "pkill nsd" and see zombies.

root@497d872b1c91:/# cat <<EOF > /usr/local/etc/nsd/nsd.conf
server:
  database: ""
  pidfile: ""
  verbosity: 9
EOF

root@497d872b1c91:/# ps afx
    PID TTY STAT TIME COMMAND
     19 pts/0 Ss 0:00 bash
     28 pts/0 R+ 0:00 \_ ps afx
      1 ? Ss 0:00 /bin/sleep infinity

root@497d872b1c91:/# nsd
[2021-02-15 16:45:08.484] nsd[29]: notice: nsd starting (NSD 4.3.5)
[2021-02-15 16:45:08.484] nsd[29]: notice: listen on ip-address ::@53 (udp) with server(s): *
[2021-02-15 16:45:08.485] nsd[29]: notice: listen on ip-address ::@53 (tcp) with server(s): *
[2021-02-15 16:45:08.485] nsd[29]: notice: listen on ip-address 0.0.0.0@53 (udp) with server(s): *
[2021-02-15 16:45:08.485] nsd[29]: notice: listen on ip-address 0.0.0.0@53 (tcp) with server(s): *

root@497d872b1c91:/# sleep 10

root@497d872b1c91:/# pkill nsd

root@497d872b1c91:/# ps afx
    PID TTY STAT TIME COMMAND
     19 pts/0 Ss 0:00 bash
     35 pts/0 R+ 0:00 \_ ps afx
      1 ? Ss 0:00 /bin/sleep infinity
     30 ? Zs 0:00 [nsd: xfrd] <defunct>
     32 ? Z 0:00 [nsd: server 1] <defunct>

The container is started with "network-mode: none".

root@497d872b1c91:/# ip address show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever

Notice: NSD logs "listen on ip-address ::@53" while IPv6 isn't present.

Adding "do-ip6: no" to the configuration above doesn't change anything, besides NSD not listening on IPv6.

Running NSD non-forking adds some logging:

root@3ee5f805fbb9:/# nsd -d
[2021-02-15 16:55:18.077] nsd[35]: notice: nsd starting (NSD 4.3.5)
[2021-02-15 16:55:18.077] nsd[35]: notice: listen on ip-address 0.0.0.0@53 (udp) with server(s): *
[2021-02-15 16:55:18.077] nsd[35]: notice: listen on ip-address 0.0.0.0@53 (tcp) with server(s): *
[2021-02-15 16:55:18.255] nsd[36]: notice: nsd started (NSD 4.3.5), pid 35
^C[2021-02-15 16:55:21.463] nsd[36]: warning: signal received, shutting down...
[2021-02-15 16:55:21.463] nsd[36]: error: problems sending command 11 to server 37: Broken pipe

Any ideas what else I could check / what I'm doing wrong?

Andreas

On 15.02.21 at 16:56, A. Schulze via nsd-users wrote:

> I build a docker container with nsd ( configure; make; make install )
> With a very simple nsd.conf I could run nsd, do "pkill nsd" and see zombies.

I made some tests to eliminate some variables.

1. I usually run Docker on Debian.
Docker is available as docker-ce, provided by the docker.com company.
The upcoming Debian 11/Bullseye also provides a version, simply not built by docker.com but by the Debian team.
-> Switching between these two Docker versions makes no difference.

2. Docker makes it easy to run the same code on different platforms.
That said, I moved a container from one docker-ce running on Debian/11 to another host
with the same docker-ce running on Debian/10. Still zombies. Moving to the next host,
running docker-ce on Debian/9, changes the picture. No zombies anymore.

To be clear: only the host system, running the Docker daemon, changed.
The container image was always the same (NSD using Debian11/Bullseye libraries).

strange ...

Andreas

Hello Andreas,

> root@497d872b1c91:/# ps afx
>     PID TTY STAT TIME COMMAND
>      19 pts/0 Ss 0:00 bash
>      28 pts/0 R+ 0:00 \_ ps afx
>       1 ? Ss 0:00 /bin/sleep infinity

Exited processes always become zombies, until their parent reaps them.
Usually this happens so quickly that you never even notice you had any
zombies!

If the parent process of an unreaped zombie disappears, the zombie is
reparented to PID 1. On 'normal' systems (i.e. not inside Docker
containers), PID 1 is an init process that is ready to reap any zombie
it finds.

/bin/sleep infinity (even if it does contain the string 'init'!) is not
such an init process.

If you pass '--init' to 'docker run', Docker will install a small init
(called tini - tiny init, get it? :) ) as PID 1 in your container, and
that will reap the zombies for you. If you are not using 'docker run',
consult the documentation for whatever you are using to manage your
containers. I promise it will have a similar flag.

Kind regards,
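
The reaping behaviour described in the reply above, as an added example that is not part of the original thread and is not NSD, Docker or tini code. It assumes Linux with /proc mounted; the function names proc_state, make_zombie and reap_all are this example's own.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* State letter from /proc/<pid>/stat ('Z' = zombie, as in the ps STAT column);
 * '?' when the entry does not exist. Assumes Linux with /proc mounted. */
static char proc_state(pid_t pid) {
    char path[64], buf[512], state = '?';
    snprintf(path, sizeof path, "/proc/%d/stat", (int)pid);
    FILE *f = fopen(path, "r");
    if (!f) return state;
    if (fgets(buf, sizeof buf, f)) {
        char *p = strrchr(buf, ')');   /* comm may contain spaces or ')' */
        if (p && p[1] == ' ') state = p[2];
    }
    fclose(f);
    return state;
}

/* Fork a child that exits at once, then wait for the exit WITHOUT reaping:
 * WNOWAIT leaves the child in the process table as a zombie. */
static pid_t make_zombie(void) {
    siginfo_t si;
    pid_t pid = fork();
    if (pid == 0) _exit(0);
    if (pid < 0 || waitid(P_PID, (id_t)pid, &si, WEXITED | WNOWAIT) != 0)
        return -1;
    return pid;
}

/* The core of a reaping init: collect every exited child without blocking.
 * Returns the number of zombies removed. */
static int reap_all(void) {
    int n = 0;
    while (waitpid(-1, NULL, WNOHANG) > 0)
        n++;
    return n;
}

int main(void) {
    pid_t z = make_zombie();
    printf("before reap: pid %d state %c\n", (int)z, proc_state(z));
    printf("reaped %d child(ren)\n", reap_all());
    printf("after reap:  pid %d state %c\n", (int)z, proc_state(z));
    return 0;
}
```

A PID 1 such as /bin/sleep never runs a loop like reap_all, so zombies reparented to it stay in the process table.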