Expire breaks code transparency

[ilyadt]

trafficstars

Preflight checklist

• [x] I could not find a solution in the existing issues, docs, nor discussions.
• [x] I agree to follow this project's Code of Conduct.
• [x] I have read and am following this repository's Contribution Guidelines.
• [ ] I have joined the Ory Community Slack.
• [ ] I am signed up to the Ory Security Patch Newsletter.

Ory Network Project

No response

Describe your problem

It took me a lot of time to understand how exactly Expire() works on containers.

As codebase in source code Expire calls <container>/stop?t=<timeout> which stops container immediately. But somehow Expire() does not stop container and waits for timeout.

After some time I realized that it changes stop-signal from <container_stop_signal> to SIGWINCH on container start. It is where the magic happened and container not stopping on <container>/stop?t=<timeout>.

I think it is not good for 2 reasons.

1. It breaks container lifecycle on stop.
2. It is not obvious. Looks like black magic.

Related: https://github.com/ory/dockertest/pull/133

Describe your ideal solution

Instead of modifying the container’s stop-signal on start, use the Docker API’s built-in support for custom stop signals: <container>/stop?signal=SIGWINCH&t=<timeout> for the Expire() functionality.

Reference: https://docs.docker.com/reference/api/engine/version/v1.48/#tag/Container/operation/ContainerStop

Workarounds or alternatives

Version

v3.12.0

Additional Context

No response