Use tini as the init system

Remove the my_init script in favour of tini, which meant that
docker-entrypoint.sh could be cleaned up significantly.

distribution/docker/src/docker/Dockerfile

@@ -35,6 +35,14 @@ RUN chmod 0775 config data logs
 COPY config/elasticsearch.yml config/log4j2.properties config/
 RUN chmod 0660 config/elasticsearch.yml config/log4j2.properties
 
+# `tini` is a tiny but valid init for containers. This is used to cleanly
+#control how ES and any child processes are shut down.
+ADD https://github.com/krallin/tini/releases/download/v0.18.0/tini /tini
+ADD https://github.com/krallin/tini/releases/download/v0.18.0/tini.asc /tini.asc
+RUN gpg --batch --keyserver hkp://p80.pool.sks-keyservers.net:80 --recv-keys 595E85A6B1B4779EA4DAAEC70B588DFF0527A9B7 \
+ && gpg --batch --verify /tini.asc /tini
+RUN chmod +x /tini
+
 ################################################################################
 # Build stage 1 (the actual elasticsearch image):
 # Copy elasticsearch from stage 0
@@ -45,6 +53,8 @@ FROM ${base_image}
 
 ENV ELASTIC_CONTAINER true
 
+COPY --from=builder /tini /tini
+
 RUN for iter in {1..10}; do ${package_manager} update --setopt=tsflags=nodocs -y && \
     ${package_manager} install --setopt=tsflags=nodocs -y nc shadow-utils zip unzip && \
     ${package_manager} clean all && exit_code=0 && break || exit_code=\$? && echo "${package_manager} error: retry \$iter in 10s" && sleep 10; done; \
@@ -66,11 +76,9 @@ RUN ln -sf /etc/pki/ca-trust/extracted/java/cacerts /usr/share/elasticsearch/jdk
 ENV PATH /usr/share/elasticsearch/bin:\$PATH
 
 COPY bin/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
-COPY bin/my_init /sbin/my_init
 
 RUN chmod g=u /etc/passwd && \
-    chmod 0775 /usr/local/bin/docker-entrypoint.sh && \
-    chmod 0775 /sbin/my_init
+    chmod 0775 /usr/local/bin/docker-entrypoint.sh
 
 # Ensure that there are no files with setuid, in order to mitigate "stackclash" attacks.
 RUN find / -xdev -perm -4000 -exec chmod u-s {} +
@@ -99,7 +107,7 @@ LABEL org.label-schema.build-date="${build_date}" \
 
 USER elasticsearch:root
 
-ENTRYPOINT ["/usr/local/bin/docker-entrypoint.sh"]
+ENTRYPOINT ["/tini", "--", "/usr/local/bin/docker-entrypoint.sh"]
 # Dummy overridable parameter parsed by entrypoint
 CMD ["eswrapper"]
 

distribution/docker/src/docker/bin/docker-entrypoint.sh

@@ -40,36 +40,13 @@ if [[ -f bin/elasticsearch-users ]]; then
   # enabled, but we have no way of knowing which node we are yet. We'll just
   # honor the variable if it's present.
   if [[ -n "$ELASTIC_PASSWORD" ]]; then
-    [[ -f /usr/share/elasticsearch/config/elasticsearch.keystore ]] || (run_as_other_user_if_needed elasticsearch-keystore create)
+    [[ -f /usr/share/elasticsearch/config/elasticsearch.keystore ]] || (elasticsearch-keystore create)
     if ! (elasticsearch-keystore list | grep -q '^bootstrap.password$'); then
       (echo "$ELASTIC_PASSWORD" | elasticsearch-keystore add -x 'bootstrap.password')
     fi
   fi
 fi
 
-# Do not abort script if Elasticsearch returns error code
-set +e
-
-PID_FILE=/tmp/es.pid
-
-term_handler() {
-   echo "Caught SIGTERM"
-   kill -TERM $(cat $PID_FILE)
-}
-
-# We need to ensure that TERM is sent only to Elasticsearch, not
-# to the whole process group, as it can cause issues with forked
-# processes appearing to have been exited abnormally.
-trap term_handler SIGTERM
-
-# Use a mini-init process to ensure any children are cleaned up and we
-# aren't left with any zombies.
-/sbin/my_init --skip-runit -- /usr/share/elasticsearch/bin/elasticsearch "$@" -p $PID_FILE &
-
-# Wait for my_init to exit, which will happen when Elasticsearch exits.
-INIT_PID=$!
-wait "${INIT_PID}"
-
-# my_init propagates the ES exit code.
-ES_EXIT_CODE=$?
-exit $ES_EXIT_CODE
+# Signal forwarding and child reaping is handled by `tini`, which is the
+# actual entrypoint of the container
+exec /usr/share/elasticsearch/bin/elasticsearch