Docker 4.26.1 breaks Xvfb USR1 signal handling when using rosetta #7122

@rectalogic

Description

This worked in Docker 4.25.2 (129061), but is broken in Docker 4.26.1 (131620).

I am running xvfb-run in an amd64 container on an Apple Silicon Mac with "Use Rosetta" enabled in Docker. This now hangs because it seems that Rosetta now blocks the USR1 signal that Xvfb sends.

Reproduce

Sample Dockerfile:

FROM ubuntu:jammy

RUN apt-get -y update && apt-get -y install xvfb 

ENTRYPOINT ["/usr/bin/xvfb-run", "--error-file", "/dev/stderr", "/bin/ls", "/"]

On Apple Silicon, with Rosetta enabled, these are the results I got:

Sonoma 14.2.1
Docker 4.26.1 (131620)

docker buildx build --platform=linux/amd64 --load --tag xvfb .
docker run --init --rm xvfb
# HANGS

docker buildx build --platform=linux/arm64 --load --tag xvfb .
docker run --init --rm xvfb
# WORKS

Ventura 13.6.3
Docker 4.25.2 (129061)

docker buildx build --platform=linux/amd64 --load --tag xvfb .
docker run --init --rm xvfb
# WORKS

docker buildx build --platform=linux/arm64 --load --tag xvfb .
docker run --init --rm xvfb
# WORKS

Ventura 13.6.3
Docker 4.26.1 (131620)

docker buildx build --platform=linux/amd64 --load --tag xvfb .
docker run --init --rm xvfb
# HANGS

docker buildx build --platform=linux/arm64 --load --tag xvfb .
docker run --init --rm xvfb
# WORKS

Expected behavior

USR1 should not be blocked and Xvfb should work as it did in Docker 4.25.2.

docker version

Client:
 Cloud integration: v1.0.35+desktop.5
 Version:           24.0.7
 API version:       1.43
 Go version:        go1.20.10
 Git commit:        afdd53b
 Built:             Thu Oct 26 09:04:20 2023
 OS/Arch:           darwin/arm64
 Context:           desktop-linux

Server: Docker Desktop 4.26.1 (131620)
 Engine:
  Version:          24.0.7
  API version:      1.43 (minimum version 1.12)
  Go version:       go1.20.10
  Git commit:       311b9ff
  Built:            Thu Oct 26 09:08:15 2023
  OS/Arch:          linux/arm64
  Experimental:     false
 containerd:
  Version:          1.6.25
  GitCommit:        d8f198a4ed8892c764191ef7b3b06d8a2eeb5c7f
 runc:
  Version:          1.1.10
  GitCommit:        v1.1.10-0-g18a0cb0
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

docker info

Client:
 Version:    24.0.7
 Context:    desktop-linux
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.12.0-desktop.2
    Path:     /Users/aw/.docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.23.3-desktop.2
    Path:     /Users/aw/.docker/cli-plugins/docker-compose
  dev: Docker Dev Environments (Docker Inc.)
    Version:  v0.1.0
    Path:     /Users/aw/.docker/cli-plugins/docker-dev
  extension: Manages Docker extensions (Docker Inc.)
    Version:  v0.2.21
    Path:     /Users/aw/.docker/cli-plugins/docker-extension
  feedback: Provide feedback, right in your terminal! (Docker Inc.)
    Version:  0.1
    Path:     /Users/aw/.docker/cli-plugins/docker-feedback
  init: Creates Docker-related starter files for your project (Docker Inc.)
    Version:  v0.1.0-beta.10
    Path:     /Users/aw/.docker/cli-plugins/docker-init
  sbom: View the packaged-based Software Bill Of Materials (SBOM) for an image (Anchore Inc.)
    Version:  0.6.0
    Path:     /Users/aw/.docker/cli-plugins/docker-sbom
  scan: Docker Scan (Docker Inc.)
    Version:  v0.26.0
    Path:     /Users/aw/.docker/cli-plugins/docker-scan
  scout: Docker Scout (Docker Inc.)
    Version:  v1.2.0
    Path:     /Users/aw/.docker/cli-plugins/docker-scout

Server:
 Containers: 1
  Running: 1
  Paused: 0
  Stopped: 0
 Images: 20
 Server Version: 24.0.7
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: d8f198a4ed8892c764191ef7b3b06d8a2eeb5c7f
 runc version: v1.1.10-0-g18a0cb0
 init version: de40ad0
 Security Options:
  seccomp
   Profile: unconfined
  cgroupns
 Kernel Version: 6.5.11-linuxkit
 Operating System: Docker Desktop
 OSType: linux
 Architecture: aarch64
 CPUs: 10
 Total Memory: 4.813GiB
 Name: docker-desktop
 ID: 6df6abf4-1b71-4342-b7bd-aac30b035329
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 HTTP Proxy: http.docker.internal:3128
 HTTPS Proxy: http.docker.internal:3128
 No Proxy: hubproxy.docker.internal
 Experimental: false
 Insecure Registries:
  hubproxy.docker.internal:5555
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: daemon is not using the default seccomp profile

Diagnostics ID

ECBEBC37-A545-45B6-9DCA-FCE68405FE65/20231221234212

Additional Info

This describes a similar problem where Xvfb is being run by a wrapper script that is blocking the USR1 signal. I'm suspicious that since Xvfb is being run under Rosetta, it is blocking the signal somehow.
https://unix.stackexchange.com/questions/244470/xvfb-not-sending-sigusr1-breaking-xvfb-run

If I docker exec into the hanging container, I see Xvfb is being run by rosetta:

UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 23:45 ?        00:00:00 /sbin/docker-init -- /usr/bin/xvfb-run --error-file /dev/stderr /bin/ls /
root         7     1  0 23:45 ?        00:00:00 /rosetta/rosetta /bin/sh /bin/sh /usr/bin/xvfb-run --error-file /dev/stderr /bin/ls
root        56     7  0 23:45 ?        00:00:00 /rosetta/rosetta /usr/bin/Xvfb Xvfb :99 -screen 0 1280x1024x24 -nolisten tcp -auth /
root        74     0  3 23:45 pts/0    00:00:00 /rosetta/rosetta /usr/bin/bash bash
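
One way to test the "USR1 is blocked" suspicion from inside the hanging container is to read the kernel's per-process signal masks from /proc/<pid>/status. This is an added example, not part of the original issue; the function names and the sample status text are constructed for illustration. It relies on xvfb-run starting Xvfb with SIGUSR1 ignored, which is what makes the X server signal its parent once it is ready.

```shell
#!/bin/sh
# Added example: report whether SIGUSR1 is blocked, ignored or caught for a
# process, from the SigBlk/SigIgn/SigCgt lines of /proc/<pid>/status.
SIGUSR1_NUM=10   # Linux value on both x86_64 and arm64

# mask_has_signal HEXMASK SIGNUM: exit 0 if the bit for SIGNUM is set.
mask_has_signal() {
    mask=$1
    # Keep the low 32 bits (signals 1-32) so shell arithmetic cannot overflow.
    case $mask in
        ?????????*) mask=${mask#"${mask%????????}"} ;;
    esac
    [ $(( (0x$mask >> ($2 - 1)) & 1 )) -eq 1 ]
}

# usr1_state STATUS_TEXT: prints "blocked=.. ignored=.. caught=.." for SIGUSR1.
usr1_state() {
    text=$1
    out=""
    for field in SigBlk:blocked SigIgn:ignored SigCgt:caught; do
        key=${field%%:*}
        label=${field#*:}
        m=$(printf '%s\n' "$text" | awk -v k="$key:" '$1 == k { print $2 }')
        if [ -n "$m" ] && mask_has_signal "$m" "$SIGUSR1_NUM"; then v=yes; else v=no; fi
        out="$out${out:+ }$label=$v"
    done
    printf '%s\n' "$out"
}

# Constructed samples (not captured from the issue's container).
# An X server started by xvfb-run inherits SIGUSR1 as ignored:
SAMPLE_READY_FOR_HANDSHAKE='Name: Xvfb
SigBlk: 0000000000000000
SigIgn: 0000000000000200
SigCgt: 0000000000004003'
# A waiting parent that traps USR1 but has it blocked never sees the signal:
SAMPLE_USR1_BLOCKED='Name: sh
SigBlk: 0000000000000200
SigIgn: 0000000000000000
SigCgt: 0000000000000200'

# Live use inside the container: sh this-script <pid>
if [ -n "${1:-}" ]; then
    usr1_state "$(cat "/proc/$1/status")"
fi
```

In the process listing above the PIDs to inspect are 7 (the xvfb-run shell) and 56 (Xvfb). Under Rosetta the masks are those of the translator process as the kernel sees it, so the useful comparison is against the same PIDs in the working arm64 container.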
