rootless: make sure we only use a single pause process #18083
Conversation
openshift-ci
bot
added
release-note-none
approved
openshift-ci
bot
added
do-not-merge/hold
test/system/550-pause-process.bats
Outdated
| # Use podman system migrate to stop the currently running pause process | ||
| run_podman system migrate | ||
|
|
||
| run pgrep "podman pause" |
There was a problem hiding this comment.
Should probably be pgrep -u $(id -u) ...
test/system/550-pause-process.bats
Outdated
| assert "$output" == "$tmpdir_userns" "podman should use the same userns" | ||
|
|
||
| run pgrep "podman pause" | ||
| assert "$output" == "$(cat $XDG_RUNTIME_DIR/libpod/tmp/pause.pid)" "pause pid written to correct location" |
There was a problem hiding this comment.
This won't work: system tests do not guarantee having XDG set, and ISTR that fedora gating tests run using su which leaves it unset.
There was a problem hiding this comment.
The fact that the fedora tests are run in a different setup concerns me?! Using su to switch users without proper env vars and systemd login session is just asking for unnecessary trouble.
Could I just import the systemd helpers to define it?
podman/test/system/helpers.systemd.bash
Lines 6 to 11 in b39cdff
There was a problem hiding this comment.
It concerns me too, but this is a lose-lose situation: we need to make sure podman works in cases where XDG is unset, because that's a valid real-world situation and we need to catch those bugs before customers do. So, we test XDG environments in CI, and do almost-last-minute non-XDG tests in gating. If you can think of a better way to catch all conditions, I'd love to hear ideas.
There was a problem hiding this comment.
so just wrap this check with if [ -n "$XDG_RUNTIME_DIR" ]; then so I only test it when it is defined?
There was a problem hiding this comment.
[untested]
local xdg_default="/run/user/$(id -u)"
local pidfile="${XDG_RUNTIME_DIR:-xdg_default}/libpod/tmp/pause.pid"
assert "$output" = "$(<$pidfile)" ...Could be done in one line but that makes my head hurt
There was a problem hiding this comment.
Well the thing here is that podman will also fall back to /tmp/podman-run-$UID if /run/user/$UID is not writeable, which is often the case when you do not have a systemd session.
It is likely better to not assume much about podman and just do not check when we know it is set. In the end the test does not need to care about where the pid lives just that it works and we already verified this above.
|
...but don't push yet. Tests are more than halfway complete, I think we should see how they do. |
|
...such as, Debian. Maybe Debian doesn't set XDG? I think your fix would address that. |
|
ok, tests complete. Timing results below, because I have a vague memory that you thought something-something might affect CI times but now I can't find that comment.
[EDIT: Debian was the only failure] |
|
I asked for #18057, this PR should not be any slower than before |
Luap99
force-pushed
the
pause-single-process
branch
from
f2b0cd6 to
3dd19bb
Compare
|
Weird: Debian is still failing. Also, this is weird too: in my hammer-at-sqlite PR, I see four "no logs from conmon" failures (#10927). That's very unusual; the most I've ever seen before is two in one run. I'm commenting on this PR, but it could just as easily be #18085. |
|
Logs downloaded and checked. Lots of flakes, but none of them especially worrisome. (Mostly "no logs from conmon", and one "failed to unmount NS" (presumably handled in #18085)). |
|
Ok I guess I need to hack/get_ci_vm to see what the debian env looks like. |
|
/hold The question is also why is fedora using podman/pkg/rootless/rootless_linux.c Lines 280 to 285 in fb41410 On debian we have /usr/bin/catatonit while on fedora it is /usr/libexec/podman/catatonit.The LIBEXECPODMAN "catatonit" is suspicious, I do not see an extra / added between the dir and catatonit.
While this is a bug and can be fixed easily I am not so sure if my test would make much sense given that I would need to grep for Anyway it is end of the day here so I will continue next week. |
|
Friendly suggestion for an alternative 550-pause-process.bats A little safer in some ways. Tested with |
|
LGTM |
Currently --tmpdir changes the location of the pause.pid file. this causes issues because the c code in pkg/rootless does not know about that. I tried to fix this[1] by fixing the c code to not use the shortcut. While this fix worked it will result in many pause processes leaking in the integrration tests. Commit ab88632 added this behavior but following the disccusion it was never the intention that we end up having more than one pause process. The issues that was trying to fix was caused by somthing else AFAICT, the main problem seems to be that the pause.pid file parent directory may not be created when we try to create the pid file so it failed with ENOENT. This patch fixes it by creating this directory always and revert the change to no longer depend on the tmpdir value. With this commit we now always use XDG_RUNTIME_DIR/libpod/tmp/pause.pid for all podman processes. This allows the c shortcut to work reliably and should therefore improve perfomance over my other approach. A system test is added to ensure we see the right behavior and that podman system migrate actually stops the pause process. Thanks to Ed Santiago for the improved test to make it work for both `catatonit` and `podman pause`. This should fix the issues with namespace missmatches that we can see in CI as flakes. [1] containers#18057 Fixes containers#18057 Signed-off-by: Paul Holzinger <[email protected]>
The path was missing a slash between the libexec path and the binary name. This was never noticed because the code already falls back to a builtt-in pause process. Fixes: 71f96c2 ("rootless: define LIBEXECPODMAN") Signed-off-by: Paul Holzinger <[email protected]>
Luap99
force-pushed
the
pause-single-process
branch
from
3dd19bb to
38c217a
Compare
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: giuseppe, Luap99, vrothberg The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
@giuseppe @edsantiago PTanotherL |
|
LGTM |
|
Also meant to say, I've had this running (cherry-picked) in #17831 and it doesn't cure the "stop" issue but I have seen a reduction in other flakes. |
|
Yeah for now all I think #17903 should be fixed with it, if other flakes are fixed by this that is welcome too. |
|
/hold cancel |
openshift-ci
bot
removed
the
do-not-merge/hold
|
Belated followup: I downloaded all CI logs, manually viewed all the In my no-retries PR, though, fully rebased against this, I hit this in f37 rootless: Any suggestions on how to diagnose that? |
|
OMG, sometimes I do not see the forest for the trees. While this fix is still correct the major problem is that we are killing the pause process in Line 124 in 8c4838f We cannot do this when we run parallel testing. #18057 may have fixed this as well but there the problem would be that we leak 100/1000s of pause processes which I rather avoid. Regardless I will reopen the issue then, this is clearly not fixed. |
github-actions
bot
added
the
locked - please file new issue/PR
Currently --tmpdir changes the location of the pause.pid file. this causes issues because the c code in pkg/rootless does not know about that. I tried to fix this[1] by fixing the c code to not use the shortcut. While this fix worked it will result in many pause processes leaking in the integrration tests.
Commit ab88632 added this behavior but following the disccusion it was never the intention that we end up having more than one pause process. The issues that was trying to fix was caused by somthing else AFAICT, the main problem seems to be that the pause.pid file parent directory may not be created when we try to create the pid file so it failed with ENOENT. This patch fixes it by creating this directory always and revert the change to no longer depend on the tmpdir value.
With this commit we now always use XDG_RUNTIME_DIR/libpod/tmp/pause.pid for all podman processes. This allows the c shortcut to work reliably and should therefore improve perfomance over my other approach.
A system test is added to ensure we see the right behavior and that podman system migrate actually stops the pause process. I do not see a better way.
This should fix the issues with namespace missmatches that we can see in CI as flakes.
[1] #18057
Fixes #17903
Does this PR introduce a user-facing change?