| Property | Value |
|---|---|
| Severity | Warning |
| Category | Correctness |
| Default | Enabled |
| Auto-fix | Yes (safe) |
Description
When a container runssystemd or /sbin/init as PID 1, the container
runtime’s default stop signal (SIGTERM, signal 15) does not trigger a clean
shutdown. systemd interprets SIGTERM as an “isolate to rescue mode” request,
not a halt.
The correct signal is SIGRTMIN+3, which tells systemd to perform a clean
manager shutdown — analogous to running systemctl halt inside the container.
This rule fires when:
- the stage’s effective PID 1 is a recognized systemd/init binary, and
STOPSIGNALis either missing or set to a signal other thanSIGRTMIN+3.
Recognized systemd/init executables
/sbin/init/usr/sbin/init/lib/systemd/systemd/usr/lib/systemd/systemdsystemd(bare name, with or without arguments)
When the rule does not fire
- Shell-form
ENTRYPOINTorCMD— the shell becomes PID 1, not systemd, so the signal mapping is unreliable. - Non-systemd executables (nginx, postgres, etc.) — other daemon-specific rules handle those.
- Windows stages —
STOPSIGNALhas no effect on Windows containers. - Environment variable signals (e.g.
STOPSIGNAL $MY_SIGNAL) — the value cannot be determined statically.
References
Examples
Bad
Good
Auto-fix
The rule provides two fix modes depending on the violation: Wrong signal — replaces the signal token withSIGRTMIN+3:
STOPSIGNAL SIGRTMIN+3 before the
ENTRYPOINT/CMD instruction:
FixSafe safety because the PID 1 process is confirmed as
systemd/init and SIGRTMIN+3 is the definitively correct signal.
Cross-rule interactions
- tally/prefer-canonical-stopsignal: Handles
RTMIN+3→SIGRTMIN+3normalization. This rule checks the normalized value, soRTMIN+3is accepted as correct. - tally/no-ungraceful-stopsignal: Both may fire on the same
STOPSIGNAL(e.g.SIGKILLon a systemd stage). This rule’s fix takes precedence, replacing withSIGRTMIN+3instead of the genericSIGTERM.