The wget binary leaks defunct ssl_client processes #158
Open
Description
The included wget binary (from busybox) seems to leak defunct ssl_client processes.
When using wget for health checking a registry serving on SSL, the host's ulimit for forking is eventually reached, and the registry becomes nonfunctional.
Affected versions and env
- docker.io/library/registry:2.8.2
- docker.io/library/registry:2.8.3
- docker.io/library/registry:3.0.0-alpha.1
Server: Docker Engine - Community
Engine:
Version: 25.0.3
API version: 1.44 (minimum version 1.24)
Go version: go1.21.6
Git commit: f417435
Built: Tue Feb 6 21:14:27 2024
OS/Arch: linux/amd64
Kernel: Linux seraph 6.8.0-0.rc5.41.fc41.x86_64 #1 SMP PREEMPT_DYNAMIC Mon Feb 19 14:05:40 UTC 2024 x86_64 GNU/Linux
Host OS: Fedora CoreOS
Steps to reproduce
$ docker run -d --rm --name myreg docker.io/library/registry:2.8.3
$ docker exec -it myreg sh
/ # ps aux
PID USER TIME COMMAND
1 root 0:00 registry serve /etc/docker/registry/config.yml
18 root 0:00 sh
24 root 0:00 ps aux
/ # wget https://google.com
Connecting to google.com (142.250.186.174:443)
Connecting to www.google.com (172.217.18.4:443)
saving to 'index.html'
index.html 100% |********************************************************************************************************************************************************************************| 19417 0:00:00 ETA
'index.html' saved
/ # ps aux
PID USER TIME COMMAND
1 root 0:00 registry serve /etc/docker/registry/config.yml
18 root 0:00 sh
26 root 0:00 [ssl_client]
27 root 0:00 [ssl_client]
28 root 0:00 ps aux
/ #
Other Infos
I tried it on the base image, alpine:3.18.6, and it didn't reproduce
Metadata
Assignees
Labels
No labels