zeek-docker
archive-log zombies till failure.
Hi. I'm launching the container as:
```
podman run -d --replace --name zeek --net=host --privileged -v /opt/zeek/run/logs:/usr/local/zeek/logs -v /opt/zeek/run/spool:/usr/local/zeek/spool -v /opt/zeek/run/etc:/usr/local/zeek/etc:ro zeek-custom:latest
```
where zeek-custom is built from the zeek container with this Dockerfile:
```
FROM zeek/zeek
RUN apt update; apt -y install jq iproute2 procps; apt -y upgrade
RUN zkg refresh && \
    zkg autoconfig --force && \
    zkg install ja3 --force && \
    zkg install zeek/foxio/ja4 --force
RUN echo "redef ignore_checksums = T;" > /usr/local/zeek/share/zeek/site/opt_checksum.zeek
RUN echo "@load ja3" >> /usr/local/zeek/share/zeek/site/local.zeek && \
    echo "@load ja4" >> /usr/local/zeek/share/zeek/site/local.zeek && \
    echo "@load opt_checksum" >> /usr/local/zeek/share/zeek/site/local.zeek
CMD ["/bin/bash","-c","/usr/local/zeek/bin/zeekctl deploy && sleep infinity"]
```
All is well. All, except the ever increasing number of archive-log processes left in a 'Z' state. Eventually the container hangs due to pid starvation. Is this a bug, am I doing something wrong, both?
You could try running the container with --init to insert an init process as pid 1 that reaps processes.
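One way to confirm where the zombies accumulate, and to check afterwards that `--init` cleared them, is to group defunct processes by parent PID from `ps` output (procps is installed in the image above). This is an added example, not part of the original thread; the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Usage against the running container (container name taken from the thread):
#   podman exec zeek ps -eo pid,ppid,stat,comm | zombie_summary

# zombie_summary: read `ps -eo pid,ppid,stat,comm` on stdin and print one line
# per (parent PID, command) pair as "<count> <ppid> <comm>", largest first.
zombie_summary() {
    awk 'NR > 1 && $3 ~ /^Z/ { n[$2 " " $4]++ }
         END { for (k in n) print n[k], k }' | sort -rn
}

# zombie_count: total number of processes whose STAT starts with Z.
zombie_count() {
    awk 'NR > 1 && $3 ~ /^Z/ { c++ } END { print c + 0 }'
}

# zombie_check LIMIT: succeed while the zombie total is at or below LIMIT.
# Suitable as a periodic health check before the PID limit is reached.
zombie_check() {
    count=$(zombie_count)
    [ "$count" -le "$1" ]
}

# Constructed sample of what the listing looks like without --init:
# defunct archive-log entries reparented to PID 1, which never reaps them.
sample_ps() {
cat <<'EOF'
    PID    PPID STAT COMMAND
      1       0 Ss   bash
      9       1 S    sleep
     57       1 Sl   zeek
    212       1 Z    archive-log <defunct>
    305       1 Z    archive-log <defunct>
    398       1 Z    archive-log <defunct>
    410      57 Z    sh <defunct>
EOF
}

sample_ps | zombie_summary
```

With an init process as PID 1, the `archive-log` line under parent 1 should stay absent or close to zero between checks.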