Manage ns: manage pid #3910

haircommander · 2020-06-29T20:22:52Z

What type of PR is this?

/kind bug

What this PR does / why we need it:

pid namespaces were special cased as a namespace that was not managed, because they function differently

For the other namespaces, we can pass a new namespace to the runtime when that namespace is private to the pod
However, it would be a bother creating a new pid namespace (conmon would have to unshare the namespace, then do the bind mount)

Instead, mount the pid namespace after the sandbox is created. This way, the infra container's runtime config doesn't list the namespace (more on that below)
but subsequent containers created can join the namespace, instead of the proc entry. This further protects us from pid wrap

A consequence of not adding the file to the config is the restore case is a bit odd. The other namespaces can join the namespace listed in the restored config.json,
but the pid namespace is not saved in its config json.

Work around this by saving the pidns location to the infra container's runDir

this PR also adds unit tests, and refactors a couple of things to make tests pass

Which issue(s) this PR fixes:

Special notes for your reviewer:

build on top of #3868

Does this PR introduce a user-facing change?

CRI-O now manages the lifecycle of sandbox's PID namespace when manage_ns_lifecycle is enabled

haircommander · 2020-06-30T13:34:22Z

/test e2e_rhel

haircommander · 2020-06-30T19:21:08Z

mount is getting EPERM'd in unit tests :(

haircommander · 2020-08-21T01:22:17Z

/retest

haircommander · 2020-08-21T01:24:36Z

PTAL @giuseppe @kolyshkin @mrunalp @umohnani8 @saschagrunert

saschagrunert

Just found some nits, otherwise LGTM 👏

internal/lib/container_server.go

saschagrunert · 2020-08-21T07:13:17Z

internal/lib/container_server.go

+		}
+		for _, namespaceToJoin := range namespacesToJoin {
+			path, err := configNsPath(&m, namespaceToJoin.rspecNS)
+			if err == nil {


What to do if the error is not nil? Log it or return?

we ignore. If it errors, the namespaces were not managed

internal/lib/sandbox/namespaces_linux.go

openshift-ci-robot · 2020-08-21T07:18:20Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: haircommander, saschagrunert

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

~~OWNERS~~ [haircommander,saschagrunert]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

TomSweeneyRedHat · 2020-08-21T14:01:23Z

Other than @saschagrunert 's comments, LGTM

haircommander · 2020-08-25T13:25:58Z

/retest

internal/lib/sandbox/namespaces.go

internal/lib/sandbox/namespaces_linux.go

haircommander · 2020-08-26T13:13:48Z

/retest

haircommander · 2020-08-26T13:34:40Z

/retest

haircommander · 2020-08-26T14:13:49Z

this one is new:

# time="2020-08-26T13:47:34Z" level=fatal msg="Creating container failed: rpc error: code = Unknown desc = container create failed: time=\"2020-08-26T13:47:29Z\" level=warning msg=\"Timed out while waiting for StartTransientUnit(crio-6efc429c7cee082bb52c0cf58d721f2f1a9ba834fb7f69095ee96e412e2ddf2f.scope) completion signal from dbus. Continuing...\"\ntime=\"2020-08-26T13:47:30Z\" level=warning msg=\"Failed to remove cgroup (will retry)\" error=\"rmdir /sys/fs/cgroup/cpuset/pod_123.slice/pod_123-456.slice/crio-6efc429c7cee082bb52c0cf58d721f2f1a9ba834fb7f69095ee96e412e2ddf2f.scope: device or resource busy\"\ntime=\"2020-08-26T13:47:30Z\" level=warning msg=\"Failed to remove cgroup (will retry)\" error=\"rmdir /sys/fs/cgroup/cpu,cpuacct/pod_123.slice/pod_123-456.slice/crio-6efc429c7cee082bb52c0cf58d721f2f1a9ba834fb7f69095ee96e412e2ddf2f.scope: device or resource busy\"\ntime=\"2020-08-26T13:47:30Z\" level=warning msg=\"Failed to remove cgroup (will retry)\" error=\"rmdir /sys/fs/cgroup/pids/pod_123.slice/pod_123-456.slice/crio-6efc429c7cee082bb52c0cf58d721f2f1a9ba834fb7f69095ee96e412e2ddf2f.scope: device or resource busy\"\ntime=\"2020-08-26T13:47:30Z\" level=warning msg=\"Failed to remove cgroup (will retry)\" error=\"rmdir /sys/fs/cgroup/hugetlb/pod_123.slice/pod_123-456.slice/crio-6efc429c7cee082bb52c0cf58d721f2f1a9ba834fb7f69095ee96e412e2ddf2f.scope: device or resource busy\"\ntime=\"2020-08-26T13:47:30Z\" level=warning msg=\"Failed to remove cgroup (will retry)\" error=\"rmdir /sys/fs/cgroup/perf_event/pod_123.slice/pod_123-456.slice/crio-6efc429c7cee082bb52c0cf58d721f2f1a9ba834fb7f69095ee96e412e2ddf2f.scope: device or resource busy\"\ntime=\"2020-08-26T13:47:30Z\" level=warning msg=\"Failed to remove cgroup (will retry)\" error=\"rmdir /sys/fs/cgroup/net_cls,net_prio/pod_123.slice/pod_123-456.slice/crio-6efc429c7cee082bb52c0cf58d721f2f1a9ba834fb7f69095ee96e412e2ddf2f.scope: device or resource busy\"\ntime=\"2020-08-26T13:47:30Z\" level=warning msg=\"Failed to remove cgroup (will retry)\" error=\"rmdir /sys/fs/cgroup/net_cls,net_prio/pod_123.slice/pod_123-456.slice/crio-6efc429c7cee082bb52c0cf58d721f2f1a9ba834fb7f69095ee96e412e2ddf2f.scope: device or resource busy\"\ntime=\"2020-08-26T13:47:30Z\" level=warning msg=\"Failed to remove cgroup (will retry)\" error=\"rmdir /sys/fs/cgroup/devices/pod_123.slice/pod_123-456.slice/crio-6efc429c7cee082bb52c0cf58d721f2f1a9ba834fb7f69095ee96e412e2ddf2f.scope: device or resource busy\"\ntime=\"2020-08-26T13:47:30Z\" level=warning msg=\"Failed to remove cgroup (will retry)\" error=\"rmdir /sys/fs/cgroup/memory/pod_123.slice/pod_123-456.slice/crio-6efc429c7cee082bb52c0cf58d721f2f1a9ba834fb7f69095ee96e412e2ddf2f.scope: device or resource busy\"\ntime=\"2020-08-26T13:47:30Z\" level=warning msg=\"Failed to remove cgroup (will retry)\" error=\"rmdir /sys/fs/cgroup/cpu,cpuacct/pod_123.slice/pod_123-456.slice/crio-6efc429c7cee082bb52c0cf58d721f2f1a9ba834fb7f69095ee96e412e2ddf2f.scope: device or resource busy\"\ntime=\"2020-08-26T13:47:30Z\" level=warning msg=\"Failed to remove cgroup (will retry)\" error=\"rmdir /sys/fs/cgroup/blkio/pod_123.slice/pod_123-456.slice/crio-6efc429c7cee082bb52c0cf58d721f2f1a9ba834fb7f69095ee96e412e2ddf2f.scope: device or resource busy\"\ntime=\"2020-08-26T13:47:30Z\" level=warning msg=\"Failed to remove cgroup (will retry)\" error=\"rmdir /sys/fs/cgroup/freezer/pod_123.slice/pod_123-456.slice/crio-6efc429c7cee082bb52c0cf58d721f2f1a9ba834fb7f69095ee96e412e2ddf2f.scope: device or resource busy\"\ntime=\"2020-08-26T13:47:31Z\" level=error msg=\"Failed to remove cgroup\" error=\"rmdir /sys/fs/cgroup/devices/pod_123.slice/pod_123-456.slice/crio-6efc429c7cee082bb52c0cf58d721f2f1a9ba834fb7f69095ee96e412e2ddf2f.scope: device or resource busy\"\ntime=\"2020-08-26T13:47:31Z\" level=error msg=\"Failed to remove cgroup\" error=\"rmdir /sys/fs/cgroup/memory/pod_123.slice/pod_123-456.slice/crio-6efc429c7cee082bb52c0cf58d721f2f1a9ba834fb7f69095ee96e412e2ddf2f.scope: device or resource busy\"\ntime=\"2020-08-26T13:47:31Z\" level=error msg=\"Failed to remove cgroup\" error=\"rmdir /sys/fs/cgroup/cpu,cpuacct/pod_123.slice/pod_123-456.slice/crio-6efc429c7cee082bb52c0cf58d721f2f1a9ba834fb7f69095ee96e412e2ddf2f.scope: device or resource busy\"\ntime=\"2020-08-26T13:47:31Z\" level=error msg=\"Failed to remove cgroup\" error=\"rmdir /sys/fs/cgroup/blkio/pod_123.slice/pod_123-456.slice/crio-6efc429c7cee082bb52c0cf58d721f2f1a9ba834fb7f69095ee96e412e2ddf2f.scope: device or resource busy\"\ntime=\"2020-08-26T13:47:31Z\" level=error msg=\"Failed to remove cgroup\" error=\"rmdir /sys/fs/cgroup/freezer/pod_123.slice/pod_123-456.slice/crio-6efc429c7cee082bb52c0cf58d721f2f1a9ba834fb7f69095ee96e412e2ddf2f.scope: device or resource busy\"\ntime=\"2020-08-26T13:47:31Z\" level=error msg=\"Failed to remove cgroup\" error=\"rmdir /sys/fs/cgroup/net_cls,net_prio/pod_123.slice/pod_123-456.slice/crio-6efc429c7cee082bb52c0cf58d721f2f1a9ba834fb7f69095ee96e412e2ddf2f.scope: device or resource busy\"\ntime=\"2020-08-26T13:47:31Z\" level=error msg=\"Failed to remove cgroup\" error=\"rmdir /sys/fs/cgroup/net_cls,net_prio/pod_123.slice/pod_123-456.slice/crio-6efc429c7cee082bb52c0cf58d721f2f1a9ba834fb7f69095ee96e412e2ddf2f.scope: device or resource busy\"\ntime=\"2020-08-26T13:47:31Z\" level=error msg=\"Failed to remove cgroup\" error=\"rmdir /sys/fs/cgroup/cpuset/pod_123.slice/pod_123-456.slice/crio-6efc429c7cee082bb52c0cf58d721f2f1a9ba834fb7f69095ee96e412e2ddf2f.scope: device or resource busy\"\ntime=\"2020-08-26T13:47:31Z\" level=error msg=\"Failed to remove cgroup\" error=\"rmdir /sys/fs/cgroup/cpu,cpuacct/pod_123.slice/pod_123-456.slice/crio-6efc429c7cee082bb52c0cf58d721f2f1a9ba834fb7f69095ee96e412e2ddf2f.scope: device or resource busy\"\ntime=\"2020-08-26T13:47:31Z\" level=error msg=\"Failed to remove cgroup\" error=\"rmdir /sys/fs/cgroup/pids/pod_123.slice/pod_123-456.slice/crio-6efc429c7cee082bb52c0cf58d721f2f1a9ba834fb7f69095ee96e412e2ddf2f.scope: device or resource busy\"\ntime=\"2020-08-26T13:47:31Z\" level=error msg=\"Failed to remove cgroup\" error=\"rmdir /sys/fs/cgroup/hugetlb/pod_123.slice/pod_123-456.slice/crio-6efc429c7cee082bb52c0cf58d721f2f1a9ba834fb7f69095ee96e412e2ddf2f.scope: device or resource busy\"\ntime=\"2020-08-26T13:47:31Z\" level=error msg=\"Failed to remove cgroup\" error=\"rmdir /sys/fs/cgroup/perf_event/pod_123.slice/pod_123-456.slice/crio-6efc429c7cee082bb52c0cf58d721f2f1a9ba834fb7f69095ee96e412e2ddf2f.scope: device or resource busy\"\ntime=\"2020-08-26T13:47:32Z\" level=warning msg=\"signal: killed\"\ntime=\"2020-08-26T13:47:33Z\" level=error msg=\"container_linux.go:370: starting container process caused: process_linux.go:459: container init caused: process_linux.go:422: setting cgroup config for procHooks process caused: Unit crio-6efc429c7cee082bb52c0cf58d721f2f1a9ba834fb7f69095ee96e412e2ddf2f.scope is not loaded.\"\n"

/retest

haircommander · 2020-08-26T18:03:22Z

/retest

haircommander · 2020-08-26T18:37:29Z

/retest

haircommander · 2020-08-26T18:56:29Z

/retest

haircommander · 2020-08-26T19:54:44Z

# time="2020-08-26T19:44:36Z" level=error msg="removing the pod sandbox \"855734bf795f063e427426b16f3cd93d7aba0066c84f2fe347d018195fafa27f\" failed: rpc error: code = Unknown desc = unable to unmount SHM: unable to unmount /tmp/tmp.QMyAWu92Q3/crio-run/overlay-containers/855734bf795f063e427426b16f3cd93d7aba0066c84f2fe347d018195fafa27f/userdata/shm: no such file or directory"

dang
/retest

haircommander · 2020-08-27T14:37:22Z

/retest

pid namespaces were special cased as a namespace that was not managed, because they function differently For the other namespaces, we can pass a new namespace to the runtime when that namespace is private to the pod However, it would be a bother creating a new pid namespace (conmon would have to unshare the namespace, then do the bind mount) Instead, mount the pid namespace *after* the sandbox is created. This way, the infra container's runtime config doesn't list the namespace (more on that below) but subsequent containers created can join the namespace, instead of the proc entry. This further protects us from pid wrap A consequence of not adding the file to the config is the restore case is a bit odd. The other namespaces can join the namespace listed in the restored config.json, but the pid namespace is not saved in its config json. Work around this by saving the pidns location to the infra container's runDir this PR also adds unit tests, and refactors a couple of things to make tests pass Signed-off-by: Peter Hunt <[email protected]>

haircommander · 2020-09-03T17:52:34Z

/retest

openshift-merge-robot · 2020-11-18T16:12:40Z

@haircommander: The following test failed, say /retest to rerun all failed tests:

Test name	Commit	Details	Rerun command
ci/prow/e2e-agnostic	`57b7856`	link	`/test e2e-agnostic`

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

openshift-ci-robot · 2021-04-11T09:42:08Z

@haircommander: PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

github-actions · 2022-07-14T00:03:25Z

A friendly reminder that this PR had no activity for 30 days.

openshift-ci-robot · 2023-05-06T02:15:54Z

@haircommander: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/openshift-jenkins/integration_rhel	`57b7856`	link	`/test integration_rhel`
ci/prow/e2e-aws	`57b7856`	link	`/test e2e-aws`
ci/openshift-jenkins/e2e_crun_cgroupv2	`57b7856`	link	`/test e2e_cgroupv2`
ci/kata-jenkins	`57b7856`	link	true	`/test kata-containers`

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

openshift-ci · 2023-05-24T02:55:41Z

@haircommander: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-gcp	`57b7856`	link	`/test e2e-gcp`
ci/prow/e2e-agnostic	`57b7856`	link	`/test e2e-agnostic`
ci/prow/ci-integration	`57b7856`	link	true	`/test ci-integration`
ci/prow/ci-critest	`57b7856`	link	true	`/test ci-critest`
ci/prow/ci-rhel-integration	`57b7856`	link	true	`/test ci-rhel-integration`
ci/prow/e2e-aws-ovn	`57b7856`	link	true	`/test e2e-aws-ovn`
ci/prow/ci-images	`57b7856`	link	true	`/test ci-images`
ci/prow/images	`57b7856`	link	true	`/test images`
ci/prow/periodics-images	`57b7856`	link	true	`/test periodics-images`
ci/prow/ci-cgroupv2-e2e	`57b7856`	link	true	`/test ci-cgroupv2-e2e`
ci/prow/ci-crun-e2e	`57b7856`	link	true	`/test ci-crun-e2e`
ci/prow/ci-rhel-e2e	`57b7856`	link	true	`/test ci-rhel-e2e`
ci/prow/ci-rhel-critest	`57b7856`	link	true	`/test ci-rhel-critest`
ci/prow/ci-e2e	`57b7856`	link	true	`/test ci-e2e`
ci/prow/ci-cgroupv2-e2e-features	`57b7856`	link	true	`/test ci-cgroupv2-e2e-features`
ci/prow/ci-e2e-conmonrs	`57b7856`	link	true	`/test ci-e2e-conmonrs`
ci/prow/e2e-gcp-ovn	`57b7856`	link	true	`/test e2e-gcp-ovn`
ci/prow/ci-cgroupv2-e2e-crun	`57b7856`	link	true	`/test ci-cgroupv2-e2e-crun`
ci/prow/ci-cgroupv2-integration	`57b7856`	link	true	`/test ci-cgroupv2-integration`
ci/prow/ci-fedora-critest	`57b7856`	link	true	`/test ci-fedora-critest`
ci/prow/ci-fedora-integration	`57b7856`	link	true	`/test ci-fedora-integration`
ci/kata-jenkins	`57b7856`	link	true	`/test kata-containers`
ci/prow/ci-e2e-evented-pleg	`57b7856`	link	true	`/test ci-e2e-evented-pleg`

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

haircommander · 2023-05-24T16:36:11Z

I think we're not going to do this now. Hopefully eventually we can drop the infra container entirely

haircommander requested review from mrunalp and runcom as code owners June 29, 2020 20:22

openshift-ci-robot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. dco-signoff: yes Indicates the PR's author has DCO signed all their commits. labels Jun 29, 2020

openshift-ci-robot requested review from giuseppe and umohnani8 June 29, 2020 20:22

openshift-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 29, 2020

haircommander force-pushed the check-pid-manage-ns branch 2 times, most recently from b9b84ce to bd0ae27 Compare June 30, 2020 15:44

haircommander force-pushed the check-pid-manage-ns branch from bd0ae27 to 47a7e29 Compare July 11, 2020 01:17

openshift-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jul 16, 2020

haircommander force-pushed the check-pid-manage-ns branch from 47a7e29 to da5e654 Compare July 16, 2020 20:10

openshift-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jul 16, 2020

haircommander mentioned this pull request Jul 21, 2020

WIP: drop the infra container (again!) #3997

Closed

haircommander force-pushed the check-pid-manage-ns branch 2 times, most recently from ec2dde8 to a291448 Compare July 27, 2020 18:46

haircommander force-pushed the check-pid-manage-ns branch from a291448 to 1b01a85 Compare August 11, 2020 14:13

haircommander changed the title ~~wip manage ns: manage pid~~ Manage ns: manage pid Aug 11, 2020

openshift-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. and removed do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. labels Aug 11, 2020

haircommander force-pushed the check-pid-manage-ns branch 3 times, most recently from 85574c9 to 324a47b Compare August 20, 2020 21:45

saschagrunert approved these changes Aug 21, 2020

View reviewed changes

mrunalp reviewed Aug 25, 2020

View reviewed changes

internal/lib/sandbox/namespaces.go Outdated Show resolved Hide resolved

mrunalp reviewed Aug 25, 2020

View reviewed changes

internal/lib/sandbox/namespaces_linux.go Outdated Show resolved Hide resolved

haircommander force-pushed the check-pid-manage-ns branch 2 times, most recently from 5b48d84 to af76399 Compare August 26, 2020 13:07

haircommander force-pushed the check-pid-manage-ns branch from af76399 to bf5e5bf Compare August 26, 2020 17:55

haircommander force-pushed the check-pid-manage-ns branch from bf5e5bf to d79d94e Compare August 26, 2020 19:31

haircommander force-pushed the check-pid-manage-ns branch 2 times, most recently from 4e35af9 to c07341a Compare August 27, 2020 13:11

haircommander force-pushed the check-pid-manage-ns branch from c07341a to 57b7856 Compare September 3, 2020 17:40

openshift-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Apr 11, 2021

haircommander mentioned this pull request Jul 26, 2021

Support Target NamespaceMode #4790

Closed

github-actions bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jul 14, 2022

haircommander closed this May 24, 2023

Manage ns: manage pid #3910

Manage ns: manage pid #3910

Uh oh!

Conversation

haircommander commented Jun 29, 2020

What type of PR is this?

What this PR does / why we need it:

Which issue(s) this PR fixes:

Special notes for your reviewer:

Does this PR introduce a user-facing change?

Uh oh!

haircommander commented Jun 30, 2020

Uh oh!

haircommander commented Jun 30, 2020

Uh oh!

haircommander commented Aug 21, 2020

Uh oh!

haircommander commented Aug 21, 2020

Uh oh!

saschagrunert left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

saschagrunert Aug 21, 2020

Choose a reason for hiding this comment

Uh oh!

haircommander Aug 21, 2020

Choose a reason for hiding this comment

Uh oh!

Uh oh!

openshift-ci-robot commented Aug 21, 2020

Uh oh!

TomSweeneyRedHat commented Aug 21, 2020

Uh oh!

haircommander commented Aug 25, 2020

Uh oh!

Uh oh!

Uh oh!

haircommander commented Aug 26, 2020

Uh oh!

haircommander commented Aug 26, 2020

Uh oh!

haircommander commented Aug 26, 2020

Uh oh!

haircommander commented Aug 26, 2020

Uh oh!

haircommander commented Aug 26, 2020

Uh oh!

haircommander commented Aug 26, 2020

Uh oh!

haircommander commented Aug 26, 2020

Uh oh!

haircommander commented Aug 27, 2020

Uh oh!

haircommander commented Sep 3, 2020

Uh oh!

openshift-merge-robot commented Nov 18, 2020

Uh oh!

openshift-ci-robot commented Apr 11, 2021

Uh oh!

github-actions bot commented Jul 14, 2022

Uh oh!

openshift-ci-robot commented May 6, 2023

Uh oh!

openshift-ci bot commented May 24, 2023

Uh oh!

haircommander commented May 24, 2023

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

6 participants