Background:

I am attempting to enable a plugin that requires glibc with HashiCorp Vault, running in a container. The official Vault Docker image is built on an Alpine image (Dockerfile). I want to build out an image based on Debian, which has no "dumb-init" package matching the HashiCorp implementation.

The docker-entrypoint.sh provided by HashiCorp uses a shebang of #!/usr/bin/dumb-init /bin/sh with the following explanation:

# Note above that we run dumb-init as PID 1 in order to reap zombie processes
# as well as forward signals to all processes in its session. Normally, sh
# wouldn't do either of these functions so we'd leak zombies as well as do
# unclean termination of all our sub-processes.

According to the comments on this question by the maintainer of tini,

For example they [dumb-init] support signal rewriting and Tini doesn't, but Tini supports subreapers and they don't. Overall, though, if you're looking for zombie reaping and that's it, either will do

(but perhaps this has changed...)

If either will do, I'd prefer to update the shebang to #!/bin/sh and leave the init handling to using the --init flag on the docker invocation.

Question:

Does Vault require the signal-rewriting capabilities of dumb-init, or will the Docker built-in tini implementation (as of Docker 1.13.0) suffice?

Daniel Mann
meshantz

1 Answer

The description of the dumb-init signal rewriting functionality sounds like a pretty special case. docker stop, for instance, will always send SIGTERM and then SIGKILL after 10 seconds; the delay is configurable but the specific signals aren't. But, for instance, nginx will accept SIGQUIT to do a "graceful" shutdown (presumably allowing existing requests to complete), so you might prefer docker stop to send SIGQUIT instead; that's what this option is for.

I don't believe Vault has any special signal handling (the only thing I can find in the documentation is that sending it SIGUSR1 dumps its telemetry data) so you should be fine with tini or whatever docker run --init provides.

David Maze
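
The question proposes a plain #!/bin/sh shebang combined with docker run --init, and the quoted entrypoint comment notes that sh does not forward signals. As an added example (not part of either post and not HashiCorp's entrypoint script), the following checks locally whether a SIGTERM sent to the entrypoint shell reaches the service, comparing a shell that stays resident with one that ends in exec. Assumptions: sleep 30 stands in for the service, and run_case and svc.pid are names made up for this illustration.

```shell
#!/bin/sh
# Added example: does SIGTERM sent to an entrypoint shell reach the service?
# "sleep 30" stands in for the long-running service (an assumption).

# run_case MODE -> prints "stopped" or "still-running" for the service process
#   wrapper: the shell stays alive as the parent of the service
#   exec:    the shell replaces itself with the service
run_case() {
    mode=$1
    dir=$(mktemp -d)
    if [ "$mode" = exec ]; then
        sh -c 'echo $$ > "$1/svc.pid"; exec sleep 30' sh "$dir" >/dev/null 2>&1 &
    else
        sh -c 'sleep 30 & echo $! > "$1/svc.pid"; wait' sh "$dir" >/dev/null 2>&1 &
    fi
    entry=$!                        # the PID an init process would signal

    # Wait (up to about 5 s) for the service PID to be recorded.
    i=0
    while [ ! -s "$dir/svc.pid" ] && [ "$i" -lt 50 ]; do
        sleep 0.1
        i=$((i + 1))
    done
    svc=$(cat "$dir/svc.pid")

    kill -TERM "$entry"             # the signal docker stop sends first
    wait "$entry" 2>/dev/null || true   # reap the entrypoint itself

    if kill -0 "$svc" 2>/dev/null; then
        result=still-running
        kill -KILL "$svc" 2>/dev/null || true   # clean up the orphaned service
    else
        result=stopped
    fi
    rm -rf "$dir"
    echo "$result"
}

# Print both outcomes when the script is run directly.
echo "exec:    $(run_case exec)"
echo "wrapper: $(run_case wrapper)"
```

In the exec case the entrypoint PID and the service PID are the same process, so whatever signal the init delivers to its child is handled by the service itself.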