Expire breaks code transparency #585
Description
Preflight checklist
- I could not find a solution in the existing issues, docs, nor discussions.
- I agree to follow this project's Code of Conduct.
- I have read and am following this repository's Contribution Guidelines.
- I have joined the Ory Community Slack.
- I am signed up to the Ory Security Patch Newsletter.
Ory Network Project
No response
Describe your problem
It took me a lot of time to understand how exactly Expire() works on containers.
As codebase in source code Expire calls <container>/stop?t=<timeout> which stops container immediately. But somehow Expire() does not stop container and waits for timeout.
After some time I realized that it changes stop-signal from <container_stop_signal> to SIGWINCH on container start.
It is where the magic happened and container not stopping on <container>/stop?t=<timeout>.
I think it is not good for 2 reasons.
- It breaks container lifecycle on stop.
- It is not obvious. Looks like black magic.
Related:
#133
Describe your ideal solution
Instead of modifying the container’s stop-signal on start, use the Docker API’s built-in support for custom stop signals: <container>/stop?signal=SIGWINCH&t=<timeout> for the Expire() functionality.
Reference:
https://docs.docker.com/reference/api/engine/version/v1.48/#tag/Container/operation/ContainerStop
Workarounds or alternatives
Version
v3.12.0
Additional Context
No response