--die-with-parent is a massive footgun
I recently stumbled upon the same issue that was reported in this blog post: https://www.recall.ai/blog/pdeathsig-is-almost-never-what-you-want.
The problem is how PR_SET_PDEATHSIG works (from here):
> The parent-death signal is sent upon subsequent termination of the parent thread
Thus it is triggered by the death of the parent thread, not the parent process. This means that if the parent process chooses to launch a subprocess using a thread that isn't the main thread, and then that thread happens to die, then bwrap and its children will receive a SIGKILL, even though the parent process is still alive. This can lead to some very hard to debug process deaths.
I was running bwrap --die-with-parent in a Docker container via docker exec. Docker ultimately invokes runc to create processes, and runc is evidently multi-threaded, because I would occasionally get these SIGKILL process deaths.
I don't think this is adequately explained in Bubblewrap's documentation, which says this:
> --die-with-parent Kills with SIGKILL child process (COMMAND) when bwrap or bwrap's parent dies.
Considering this flag is also inherently racy (see #633) I feel like it's dangerous to use and maybe should even be removed.
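The thread-versus-process behaviour described in the report above, as an added C example that is not part of the original issue and is not bubblewrap code. The names `spawn_child` and `child_fate` are made up here, and the pipe only makes the parent wait until the child has set the signal, so the result does not depend on timing. Linux only; older glibc needs `-pthread` when building.

```c
/* Added example, not bubblewrap code; all function names are illustrative. */
#include <pthread.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fork a child that arms PR_SET_PDEATHSIG and then idles for 2 s.
 * Returns the child's pid; the signature lets it double as a thread body. */
static void *spawn_child(void *arg) {
    int ready[2];
    char c;
    if (pipe(ready) != 0) return (void *)(intptr_t)-1;
    pid_t pid = fork();
    if (pid == 0) {
        prctl(PR_SET_PDEATHSIG, SIGKILL);
        if (write(ready[1], "x", 1) != 1) _exit(2); /* tell parent: armed */
        sleep(2);
        _exit(0); /* nothing killed us */
    }
    close(ready[1]);
    /* Wait until the child is armed so the outcome does not depend on timing. */
    if (pid > 0 && read(ready[0], &c, 1) < 0) perror("read");
    close(ready[0]);
    return (void *)(intptr_t)pid;
}

/* Signal that killed the child, 0 if it exited normally, -1 on error.
 * from_worker != 0 forks from a thread that exits right after spawning. */
int child_fate(int from_worker) {
    pthread_t t;
    void *pid = NULL;
    int status;
    if (!from_worker) pid = spawn_child(NULL);
    else if (pthread_create(&t, NULL, spawn_child, NULL) != 0) return -1;
    else if (pthread_join(t, &pid) != 0) return -1;
    if ((intptr_t)pid <= 0 || waitpid((pid_t)(intptr_t)pid, &status, 0) < 0) return -1;
    return WIFSIGNALED(status) ? WTERMSIG(status) : 0;
}

int main(void) {
    printf("forked from worker thread: %d (SIGKILL is %d)\n", child_fate(1), SIGKILL);
    printf("forked from main thread:   %d\n", child_fate(0));
    return 0;
}
```

In the first call the child is killed while the process that spawned it is still running and is the one reaping it; in the second call the forking thread outlives the child, which exits normally.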
> Considering this flag is also inherently racy (see https://github.com/containers/bubblewrap/issues/633) I feel like it's dangerous to use and maybe should even be removed.
Well, there are some valid uses for it so removing isn't a real option. If it does not work for you, don't use it.
> I don't think this is adequately explained in Bubblewrap's documentation, which says this:
Feel free to open a PR with improvements (longer explanations should go into the manpage). Looking at the current maintainer situation of bwrap, this is unlikely to be done by one of the maintainers.