ops-class.org | Learn Operating Systems Online
Hack the kernel! Learn operating systems online. Watch videos, complete assignments, and compete with other students.
kernel  learning 
Watch paths recursively for changes in Hammerspoon
9 days ago
What is advantage of Tini? · Issue #8 · krallin/tini · GitHub
Good question! This is going to be a bit long, so bear with me (I know you asked for brief, sorry about that :x).

First, let's talk a little bit about Docker. When you run a Docker container, Docker proceeds to isolate it from the rest of the system. That isolation happens at different levels (e.g. network, filesystem, processes).

Tini isn't really concerned with the network or the filesystem, so let's focus on what matters in the context of Tini: processes.

Each Docker container is a PID namespace, which means that the processes in your container are isolated from other processes on your host. A PID namespace is a tree, which starts at PID 1, which is commonly called init.

Note: when you run a Docker container, PID 1 is whatever you set as your ENTRYPOINT (or if you don't have one, then it's either your shell or another program, depending on the format of your CMD).

Now, unlike other processes, PID 1 has a unique responsibility, which is to reap zombie processes.

Zombie processes are processes that:

Have exited.
Were not waited on by their parent process (wait is the syscall parent processes use to retrieve the exit code of their children).
Have lost their parent (i.e. their parent exited as well), which means they'll never be waited on by their parent.

When a zombie is created (i.e. which happens when its parent exits, and therefore all chances of it ever being waited by it are gone), it is reparented to init, which is expected to reap it (which means calling wait on it).

In other words, someone has to clean up after "irresponsible" parents that leave their children un-wait'ed, and that's PID 1's job.

That's what Tini does, and is something the JVM (which is what runs when you do exec java ...) does not do, which is why you don't want to run Jenkins as PID 1.

Note that creating zombies is usually frowned upon in the first place (i.e. ideally you should be fixing your code so it doesn't create zombies), but for something like Jenkins, they're unavoidable: since Jenkins usually runs code that isn't written by the Jenkins maintainers (i.e. your build scripts), they can't "fix the code".

This is why Jenkins uses Tini: to clean up after build scripts that create zombies.

Now, Bash actually does the same thing (reaping zombies), so you're probably wondering: why not use Bash as PID 1?

One problem is, if you run Bash as PID 1, then all signals you send to your Docker container (e.g. using docker stop or docker kill) end up sent to Bash, which does not forward them anywhere (unless you code it yourself). In other words, if you use Bash to run Jenkins, and then run docker stop, then Jenkins will never see the stop command!

Tini fixes this by "forwarding signals": if you send a signal to Tini, then it sends that same signal to your child process (Jenkins in your case).

A second problem is that once your process has exited, Bash will proceed to exit as well. If you're not being careful, Bash might exit with exit code 0, whereas your process actually crashed (0 means "all fine"; this would cause Docker restart policies to not do what you expect). What you actually want is for Bash to return the same exit code your process had.

Note that you can address this by creating signal handlers in Bash to actually do the forwarding, and returning a proper exit code. On the other hand that's more work, whereas adding Tini is a few lines in your Dockerfile.

Now, there would be another solution, which would be to add e.g. another thread in Jenkins to reap zombies, and run Jenkins as PID 1.

This isn't ideal either, for two reasons:

First, if Jenkins runs as PID 1, then it's difficult to differentiate between processes that were re-parented to Jenkins (which should be reaped), and processes that were spawned by Jenkins (which shouldn't, because there's other code that's already expecting to wait them). I'm sure you could solve that in code, but again: why write it when you can just drop Tini in?

Second, if Jenkins runs as PID 1, then it may not receive the signals you send it!

That's a subtlety in PID 1. Unlike other processes, PID 1 does not have default signal handlers, which means that if Jenkins hasn't explicitly installed a signal handler for SIGTERM, then that signal is going to be discarded when it's sent (whereas the default behavior would have been to terminate the process).

Tini does install explicit signal handlers (to forward them, incidentally), so those signals no longer get dropped. Instead, they're sent to Jenkins, which is not running as PID 1 (Tini is), and therefore has default signal handlers (note: this is not the reason why Jenkins uses Tini, they use it for signal reaping, but it was used in the RabbitMQ image for that reason).

Note that there are also a few extras in Tini, which would be harder to reproduce in Bash or Java (e.g. Tini can register as a subreaper so it doesn't actually need to run as PID 1 to do its zombie-reaping job), but those are mostly useful for specialist use cases.

Hope this helps!

Here are some references you might be interested in to learn more about that topic:

More about zombies: https://blog.phusion.nl/2015/01/20/docker-and-the-pid-1-zombie-reaping-problem/
A more succinct explanation: https://github.com/docker-library/official-images#init

Finally, do note that there are alternatives to Tini (like Phusion's base image).

Tini differentiates with:

Doing everything PID 1 needs to do and nothing else. Things like reading environment files, changing users, process supervision are out of scope for Tini (there are other, better tools for those)
It requires zero configuration to do its job properly (Tini >= 0.6 will also warn you if you're not running it properly).
It's got a lot of tests.

docker  tini 
july 2016
chef cookbook delivery - chef server vs. artifactory + berkshelf - Stack Overflow
Most people using chef today deploy straight from their source code repositories. Since you're already using Artifactory you understand the importance of keeping an explicit record of your release at a point in time. A release artifact repository creates a healthy division between the act of building your software and deploying it onto a target system.

Using a dedicated instance of chef server (to store released cookbook versions) is just an option. It's an approach that happens to play nice with Berkshelf-api and allows you to continue to use Berkshelf as the tool to upload cookbooks into target chef servers.

There is nothing stopping you from using artifactory. You'll need to create an archive that contains your cookbook and all its dependencies, the berkshelf "package" does that.

berks package mycookbooks.tar.gz
mvn deploy:deploy-file \
  -Durl=$REPO_URL \
  -DrepositoryId=$REPO_ID \
  -DgroupId=org.myorg \
  -DartifactId=mycookbooks \
  -Dversion=1.2.3 \
  -Dpackaging=tar.gz \
  -Dfile=mycookbooks.tar.gz

The tarball can be used as part of your current chef-solo process or could optionally be used to populate a target chef server:

curl -O https://myrepo/org/myorg/1.2.3/mycookbooks-1.2.3.tar.gz
tar zxvf mycookbooks-1.2.3.tar.gz
knife cookbook upload --all --environment my-prod-env

The "environment" option will set the cookbook version constraints on a chef environment, useful if you want to be certain which versions are applied at run-time.
march 2016
Configuration - Consul by HashiCorp
ports This is a nested object that allows setting the bind ports for the following keys:

dns - The DNS server, -1 to disable. Default 8600.
http - The HTTP API, -1 to disable. Default 8500.
https - The HTTPS API, -1 to disable. Default -1 (disabled).
rpc - The RPC endpoint. Default 8400.
serf_lan - The Serf LAN port. Default 8301.
serf_wan - The Serf WAN port. Default 8302.
server - Server RPC address. Default 8300.
february 2016
Consensus Protocol - Consul by HashiCorp
Deployment Table

Below is a table that shows quorum size and failure tolerance for various cluster sizes. The recommended deployment is either 3 or 5 servers. A single server deployment is highly discouraged as data loss is inevitable in a failure scenario.

Servers   Quorum Size   Failure Tolerance
1         1             0
2         2             0
3         2             1
4         3             1
5         3             2
6         4             2
7         4             3
february 2016
Case 159
An illustrated collection of (sometimes violent) fables, concerning the Art and Philosophy of software development
august 2014
Revealing the Uncommonly Common with Elasticsearch
InfoQ.com is a practitioner-driven community news site focused on facilitating the spread of knowledge and innovation in enterprise software development.
august 2014
Western Calligraphy
The history and introduction to the art of Western calligraphy. The Tattoo Artists - Custom Designed Unique. Living. Art
august 2014
Your PaaS. Your Rules.
Deis is an open source PaaS that leverages Docker, CoreOS and Heroku Buildpacks to provide a private application platform that is lightweight and flexible.
sysadmin  devops  paas  clojure  docker 
august 2014
Handwriting font creator
Free online tool to create a vector font from your own handwriting.
august 2014
Setup Vim, Powerline and iTerm2 on Mac OS X
A protip by christianrojas about vim, macvim, iterm, powerline, and vundler.
powerline  iterm2 
august 2014
Installing Powerline on OS X + homebrew
I've always wanted to get that fancy Powerline status bar and prompt. Chevrons and git branch icons in the terminal just sounds so... defying: I'd failed to get it working properly before because o...
osx  powerline  tmux  vim  zsh 
august 2014
This Flowchart Helps Cleans Your Closet with Quick Decisions
Closets can quickly get cluttered with clothes and then it's time to clean. But what do you keep and what do you throw out? Owltastic Adventures designed a neat infographic that you can print and hang up to make quick decisions about what to keep, trash and donate.
cleaning  lifehack  organization  infographics  lifetips 
july 2014
Tower - The most powerful Git client for Mac
Tower - the most powerful Git client for Mac
git  software  osx 
july 2014
helps hosts and service providers create their own next-gen cloud, CDN and storage services - quickly, easily and at very low cost.
hosting  controlpanel 
july 2014
Compare Models
This chart compares models of Cisco Catalyst 3750 Series Switches.
cisco  switches 
july 2014
Cisco Firewall Comparison
With Cisco ASA firewalls, you can integrate multiple enterprise-class, next-generation network security services without sacrificing performance. Cisco ASA combines the most deployed stateful inspection firewall in the industry with next-generation firewall capabilities.
cisco  firewall 
july 2014
API Design Tour: Dell
API Design Tour: Dell. Round Rock, Texas, USA. Brian Mulloy, Apigee. @landlessness @apigee
july 2014
Speed up RTP packetloss troubleshooting with tshark read filters
I hate waiting for Wireshark to load a 20+ meg capture file to review RTP streams. Once it loads you browse to "Telephony > RTP > Show All Streams". Then you wait for it to analyze the RTP streams... If you have a fair amount of memory it might not be too horrible of a wait, but it can…
tshark  rtp  voip  sip 
july 2014
This repository is used to publish my home directory org document. Virtually all of my development occurs in a private repository. That is responsible for ongoing, unstable changes. This repository is used to publish a known good and working version of the system.
july 2014
What is the best way to open remote files with emacs and ssh - Stack Overflow
And to add to @abo-abo's post about "shortcuts" --

Use Emacs bookmarks. Just create bookmarks normally, when you visit a remote file or directory. Then just use C-x r b to jump to a remote bookmark, whose name you provide (with completion).

If you use Bookmark+ then remote bookmarks are highlighted specially in the *Bookmark List*, so you can recognize them more easily. And remote bookmarks that must be accessed by su or sudo (root) are highlighted differently.

If you use Dired+ then you can also quickly bookmark multiple remote files or directories, by visiting their containing remote directory in Dired, marking them, and hitting C-x b. No need to give the bookmarks names; they are named after the files. Even if you never use those bookmarks for navigating to the remote files, you can use them with Bookmark+ tags to organize the files and thus operate on subsets of them.

If you use Icicles then whenever you use a command to jump to a bookmark, you can narrow the completion candidates to those that are remote by hitting C-M-@ during completion.
december 2013