Hi!

On Fri, 2021-12-03 at 09:56:34 +0100, Andrej Shadura wrote:
> Package: dpkg
> Version: 1.20.9
> Severity: normal
> File: /sbin/start-stop-daemon

> I was debugging an init script in a Debian Docker container, and found
> it always fails to stop the daemon. Upon a closer inspection, I found
> that --exec, which init-d-script always passed, never matches the
> executable, even if a PID file is used. I then checked the source and
> tried to do the steps manually:
> 
>     root@d351c00abb80:/# ls /proc/1841/exe -l
>     ls: cannot read symbolic link '/proc/1841/exe': Permission denied
>     lrwxrwxrwx 1 sphinxsearch sphinxsearch 0 Dec  3 08:46 /proc/1841/exe
> 
> In fact, cwd and root are also inaccessible. I’m not sure whether it’s some
> security setting Docker applies or something because of the
> containers, but the fact is that --exec is unusable in this setting.

Yes, this seems to be a known regression in docker, see
<https://github.com/moby/moby/issues/40713> and all related bugs
closed w/o any action. It seems you can work around this by running the
docker image with ptrace Linux capabilities (even though that looks
rather unintuitive).

> I guess falling back to other matching methods might be more useful than
> failing to stop at all.

I don't think that would be safe at all, as the interface is expected
to AND all the match options, to properly select what to act on. And
in any case this looks like a bug in docker anyway.

Given the above I'm going to be closing this, unless there's a very
compelling argument to do otherwise.

Thanks,
Guillem
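An added diagnostic (not part of this thread nor of dpkg's start-stop-daemon) that mirrors the --pidfile AND --exec check discussed above in POSIX sh, so an operator can tell "executable differs" apart from "cannot read /proc/PID/exe" (the Docker case). It assumes a Linux /proc and a readlink that supports -f; the function name ssd_match_exec and the paths in the usage comment are made up for illustration.

```shell
#!/bin/sh
# Mirror of the --pidfile AND --exec match: read the PID from the pidfile,
# then compare the target of /proc/PID/exe with the canonicalised --exec
# path. Instead of a bare "no match", the return code names the failure:
#   0 = PID matches the expected executable
#   1 = process exists but runs a different executable
#   2 = no such process (stale or malformed pidfile)
#   3 = /proc/PID/exe is unreadable (typically EACCES in a container where
#       the daemon runs as another user and ptrace access is denied)
ssd_match_exec() {
    pidfile=$1
    expected=$2

    pid=$(tr -d '[:space:]' < "$pidfile" 2>/dev/null) || return 2
    case $pid in
        ''|*[!0-9]*) return 2 ;;   # empty or non-numeric pidfile
    esac
    [ -d "/proc/$pid" ] || return 2

    # Canonicalise the expected path (symlinks, /bin -> /usr/bin merge);
    # fall back to the literal path if it cannot be resolved.
    want=$(readlink -f -- "$expected" 2>/dev/null) || want=$expected

    # Capture readlink's stderr to classify the error; discard its stdout.
    err=$(readlink "/proc/$pid/exe" 2>&1 >/dev/null) || true
    if [ -n "$err" ]; then
        case $err in
            *"Permission denied"*) return 3 ;;
            *) return 1 ;;   # e.g. a kernel thread with no exe link
        esac
    fi

    have=$(readlink "/proc/$pid/exe")
    [ "$have" = "$want" ] && return 0
    return 1
}

# Usage (hypothetical paths):
#   ssd_match_exec /run/sphinxsearch.pid /usr/bin/searchd; echo "rc=$?"
# rc=3 is the case from the report: the match cannot be verified, which is
# not the same as the process not matching, so weakening the AND of the
# match options would not be a safe fallback.
```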
