fix: eliminate 10s container shutdown delay (#1371) (#1373)

Mossaka · claude · web-flow · commit cc21c114a35c · 2026-03-19T16:41:48.000-07:00
Three root causes of the 10-second shutdown delay:

1. api-proxy Dockerfile used shell-form CMD (node runs under /bin/sh,
   which doesn't forward SIGTERM to the child process). Switched to
   exec form so node is PID 1 and handles signals directly.

2. Squid's default shutdown_lifetime (30s) causes it to wait for active
   connections to drain. Added shutdown_lifetime 0 since this is an
   ephemeral proxy with no need for connection draining.

3. Docker Compose default stop timeout is 10s. Added stop_grace_period
   of 2s to squid and api-proxy services since they now shut down
   promptly on SIGTERM.

Co-authored-by: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/containers/api-proxy/Dockerfile b/containers/api-proxy/Dockerfile
@@ -30,6 +30,5 @@ USER apiproxy
 # 10004 - OpenCode API proxy (routes to Anthropic)
 EXPOSE 10000 10001 10002 10004
 
-# Redirect stdout/stderr to log file for persistence
-# Use shell form to enable redirection and tee for both file and console
-CMD node server.js 2>&1 | tee -a /var/log/api-proxy/api-proxy.log
+# Use exec form so node is PID 1 and receives SIGTERM directly
+CMD ["node", "server.js"]
diff --git a/src/docker-manager.test.ts b/src/docker-manager.test.ts
@@ -538,6 +538,12 @@ describe('docker-manager', () => {
       expect(squid.ports).toContain('3128:3128');
     });
 
+    it('should set stop_grace_period on squid service', () => {
+      const result = generateDockerCompose(mockConfig, mockNetworkConfig);
+      const squid = result.services['squid-proxy'] as any;
+      expect(squid.stop_grace_period).toBe('2s');
+    });
+
     it('should inject squid config via base64 env var when content is provided', () => {
       const squidConfig = 'http_port 3128\nacl allowed_domains dstdomain .github.com\n';
       const result = generateDockerCompose(mockConfig, mockNetworkConfig, undefined, squidConfig);
@@ -1789,6 +1795,13 @@ describe('docker-manager', () => {
         expect(proxy.security_opt).toContain('no-new-privileges:true');
       });
 
+      it('should set stop_grace_period on api-proxy service', () => {
+        const configWithProxy = { ...mockConfig, enableApiProxy: true, openaiApiKey: 'sk-test-key' };
+        const result = generateDockerCompose(configWithProxy, mockNetworkConfigWithProxy);
+        const proxy = result.services['api-proxy'] as any;
+        expect(proxy.stop_grace_period).toBe('2s');
+      });
+
       it('should set resource limits', () => {
         const configWithProxy = { ...mockConfig, enableApiProxy: true, openaiApiKey: 'sk-test-key' };
         const result = generateDockerCompose(configWithProxy, mockNetworkConfigWithProxy);
diff --git a/src/docker-manager.ts b/src/docker-manager.ts
@@ -325,6 +325,7 @@ export function generateDockerCompose(
       'AUDIT_WRITE',  // No audit log writing
       'SETFCAP',      // No setting file capabilities
     ],
+    stop_grace_period: '2s',
   };
 
   // Inject squid.conf via environment variable instead of bind mount.
@@ -1238,6 +1239,7 @@ export function generateDockerCompose(
       memswap_limit: '512m',
       pids_limit: 100,
       cpu_shares: 512,
+      stop_grace_period: '2s',
     };
 
     // Use GHCR image or build locally
diff --git a/src/squid-config.test.ts b/src/squid-config.test.ts
@@ -568,6 +568,15 @@ describe('generateSquidConfig', () => {
       const result = generateSquidConfig(config);
       expect(result).toContain('pconn_timeout 2 minutes');
     });
+
+    it('should include shutdown_lifetime 0 for fast shutdown', () => {
+      const config: SquidConfig = {
+        domains: ['example.com'],
+        port: defaultPort,
+      };
+      const result = generateSquidConfig(config);
+      expect(result).toContain('shutdown_lifetime 0 seconds');
+    });
   });
 
   describe('Real-world Domain Patterns', () => {
diff --git a/src/squid-config.ts b/src/squid-config.ts
@@ -606,6 +606,10 @@ client_lifetime 8 hours
 # Critical for SSE where server sends but client doesn't respond
 half_closed_clients on
 
+# shutdown_lifetime: Time to wait for active connections during shutdown
+# Set to 0 because this is an ephemeral proxy — no connection draining needed
+shutdown_lifetime 0 seconds
+
 # Debugging (can be enabled for troubleshooting)
 # debug_options ALL,1 33,2
 `;
