[1.20] Point to k8s release-1.20 branch for tests

so we don't leak a goroutine

Signed-off-by: Peter Hunt <[email protected]>

…pick-4412-to-release-1.20

[release-1.20] image pull: close progress chan

Signed-off-by: Urvashi Mohnani <[email protected]>

Signed-off-by: Skyler Clark <[email protected]>

This saves some time (a few seconds per test at least) as we avoid
running setup_test (and cleanup_test has nothing to clean up), and
removes some code duplication.

Signed-off-by: Kir Kolyshkin <[email protected]>

...and add a status check to one case where we use run, to make it
more obvious that `run` is really needed here.

Signed-off-by: Kir Kolyshkin <[email protected]>

Using /dev/loop-control is problematic since it is not supposed
to be read from or written to.

Use /dev/kmsg, and actually enable the write test.

Signed-off-by: Kir Kolyshkin <[email protected]>

…pick-4402-to-release-1.20

[release-1.20] convert shmsize annotation to handler_allowed

…pick-4369-to-release-1.20

[release-1.20] test/devices.bats: nits

[1.20] Bump version to v1.20.0-rc.1

which changed after a k8s release-notes package bump

Signed-off-by: Peter Hunt <[email protected]>

This test case is sometimes fails like this:

> not ok 40 ctr execsync
> # (in test file ./ctr.bats, line 429)
> #   `[[ "$output" == *"command timed out"* ]]' failed
> .....
> # time="2020-12-02T23:28:58Z" level=fatal msg="connect: connect endpoint 'unix:///tmp/tmp.ncaFI2tZzn/crio.sock', make sure you are running as root and the endpoint has been started: context deadline exceeded"

This happens because our CI might be slow and this 1 second timeout
also applies to connect.

Increase the timeout and the sleep accordingly to fix the flake.

Signed-off-by: Kir Kolyshkin <[email protected]>

[1.20] release-notes: fix flags

…pick-4411-to-release-1.20

[release-1.20] test/ctr.bats: fix a "ctr execsync" flake

ResourceCache is a structure that keeps track of partially created Pods and Containers.
Its features include:
- tracking pods and containers after their initial creation times out
- automatic garbage collection (after a timer)

Signed-off-by: Peter Hunt <[email protected]>

Signed-off-by: Peter Hunt <[email protected]>

Before when a client's request for a RunPodSandbox or ContainerCreate timed out, CRI-O would clean up the resource.

However, these requests usually fail when the node is under load. In these cases, it would be better to hold onto the progress,
not get rid of it.

This commit uses the previously created ResourceCache to cache the progress of a container creation and sandbox run.
When a duplicate name is detected, before erroring, the server checks in the ResourceCache to see if we've already
successfully created that resource. If so, we return it as if we'd just created it.

It also moves the SetCreated call to after the resource is deemed as not having timed out.

Hopefully, this reduces the load on already overloaded nodes.

Signed-off-by: Peter Hunt <[email protected]>

Even if we use the resource cache as is, the user is still bombarded with messages saying the name is reserved.

This is bad UX, and we're capable of improving it.

Add watcher idiom to resource cache, allowing a handler routine of RunPodSandbox or CreateContainer to
wait for a resource to be available.

Something that is key here is if the resource becomes available while we're watching for it,
*we still need to error on this request*
This is because we could get the resource from the cache, remove it (thus meaning it won't be cleaned up),
and the kubelet's request could time out, and it could try again. This would cause us to leak a resource.

This way, if we get into this situation, there needs to be three requests:
first that times out
second that discovers the resource is ready, but still errors
third that actually retrives that resource and returns it.

This will result in many fewer "name is reserved" errors (one every 2 seconds to one every 4 minutes)

Signed-off-by: Peter Hunt <[email protected]>

Now that we plan on caching the results of a pod sandbox creation, we shouldn't short circut the
network creation. In a perfect world, we'd give the CNI plugin unbounded time, which would allow
us to reuse even the longest of CNI creation time. However, this leads to the chance that the
CNI plugin runs forever, which is not ideal.

Instead, give the sandbox network creation 5 minutes (a minute more than the full request),
to improve the odds we have a completed sandbox that can be reused, rather than thrown away.

Signed-off-by: Peter Hunt <[email protected]>

timeout.bats is a test suite that tests different scenerios regarding to timeouts in
sandbox running and container creation.

It requires a crictl that knows about the -T option

Signed-off-by: Peter Hunt <[email protected]>

Older version of this code used to have a goroutine for each resource,
which is no longer the case, so remove the obsoleted part of the doc.

It is already described elsewhere how the resource is becoming stale
and removed.

Signed-off-by: Kir Kolyshkin <[email protected]>

Signed-off-by: Kir Kolyshkin <[email protected]>

The 10s timeout is not enough sometimes to finish container or pod
creation. Increase to 30s to fix occasional flakes, and move to a
separate function wait_crio.

While at it,
 - increate conmon sleep and crictl create/runp cancel timeout to 3s;
 - move create_conmon to setup;
 - fix ID checks (we're looking for string, not substring);
 - change a 3m timeout to 150s. Not critical, just nits.

Signed-off-by: Kir Kolyshkin <[email protected]>

Signed-off-by: Peter Hunt <[email protected]>

[1.20] improve timeout handling and fix flakes

Signed-off-by: Peter Hunt <[email protected]>

bump to v1.20.0

This is mostly to have containers/storage@83150e3
    which should fix the authentication failure during bootstrap node install.
    BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1907770

Signed-off-by: Qi Wang <[email protected]>

…1.20

[1.20] ResourceStore: fix segfault and update tests

as well as remove any file that exists in that spot
as well as create nsmgr package to mirror release-1.21 structure (only holding the NSType right now)

Signed-off-by: Peter Hunt <[email protected]>

[1.20] config: pre-create pinns directories

We want systemd to only send SIGTERM to the main process
on stop and let that process forward the signal.

Today, we have seen issues where the main process forwards
the signal in addition to systemd sending it directly
leading to failures in graceful shutdown.

Signed-off-by: Mrunal Patel <[email protected]>

[1.20] Set systemd property KillMode to mixed for containers

conmon forwards the SIGTERM to the main container process.
This is undesirable during node shutdown as it results in
the container receving 2 SIGTERMs. With this change, conmon
ignores the SIGPIPE and will exit after the main container
process dies. If it doesn't for some reason, then
it gets SIGKILL by systemd after 90 seconds.

We need a follow-on to adjust the 90s to a value higher
than the termination grace period as a follow on. This doesn't
matter today as we don't retain container state on reboot.

Signed-off-by: Mrunal Patel <[email protected]>

[1.20] Set conmon scope KillSignal to SIGPIPE

This reverts commit 8164338.

Signed-off-by: Mrunal Patel <[email protected]>

Signed-off-by: Peter Hunt <[email protected]>

[1.20] Revert "Set systemd property KillMode to mixed for containers"

Signed-off-by: Mrunal Patel <[email protected]>

[1.20] bump protobuf to 1.3.2

[1.20] Log container stop timeout