oci: do not use conmon for exec sync #4943

haircommander · 2021-05-25T18:23:00Z

What type of PR is this?

/kind design

What this PR does / why we need it:

It is not really needed, and causes unnecessary overhead. Plus, we drop an unkillable child from the mix
allowing cri-o to keep track of its children better.

Signed-off-by: Peter Hunt [email protected]

Which issue(s) this PR fixes:

Special notes for your reviewer:

Does this PR introduce a user-facing change?

ExecSync requests now don't use conmon, instead calling the runtime directly, which reduces overhead.

codecov · 2021-05-25T18:26:14Z

Codecov Report

Merging #4943 (53a06fb) into master (0a81d8f) will increase coverage by 0.44%.
The diff coverage is 0.00%.

❗ Current head 53a06fb differs from pull request most recent head eebef46. Consider uploading reports for the commit eebef46 to get more accurate results

@@            Coverage Diff             @@
##           master    #4943      +/-   ##
==========================================
+ Coverage   42.94%   43.38%   +0.44%     
==========================================
  Files         107      107              
  Lines        9933     9825     -108     
==========================================
- Hits         4266     4263       -3     
+ Misses       5217     5112     -105     
  Partials      450      450

mrunalp · 2021-05-25T19:24:34Z

internal/oci/runtime_oci.go

+		Stdout:   stdout,
+		Stderr:   stderr,
+		ExitCode: exitCode,
+	}, waitErr


This block doesn't match the existing code block and that may break container restarts.

Please check if the kubelet will tolerate this change.

there's something awry with the code. I am working on getting critests passing, and that will likely involve changing this block

I just spent nearly a whole day looking for

// gather exit code from waitErr exitCode := int32(0) if waitErr != nil { - if exitError, ok := err.(*exec.ExitError); ok { + if exitError, ok := waitErr.(*exec.ExitError); ok { exitCode = int32(exitError.ExitCode()) } }

😢

Oh, nice catch

internal/oci/runtime_oci.go

haircommander · 2021-05-26T14:47:56Z

/retest

haircommander · 2021-05-26T20:09:16Z

/test integration_fedora

haircommander · 2021-05-26T20:11:34Z

goodness this is a rabbit hole
we needed to handle the case where the command times out but the container process still runs. since the container process isn't a child of the runtime process, we can't kill the exec.Command struct, but rather find the process with pidFile and kill that (what conmon does).

I think this passes critest now, hard to tell because I keep getting rate limited. no idea what's up with the openshift jenkins tests either...

edit: openshift jenkins didn't seem to like the ' in the title 🙃

saschagrunert · 2021-05-27T06:52:56Z

/override ci/prow/e2e-agnostic
/override ci/prow/e2e-gcp

openshift-ci · 2021-05-27T06:53:02Z

@saschagrunert: Overrode contexts on behalf of saschagrunert: ci/prow/e2e-agnostic, ci/prow/e2e-gcp

Details

In response to this:

/override ci/prow/e2e-agnostic
/override ci/prow/e2e-gcp

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

saschagrunert

Just two nits, otherwise LGTM

saschagrunert · 2021-05-27T07:03:01Z

internal/oci/runtime_oci.go

-			Stderr:   stderrBuf,
-			ExitCode: -1,
-			Err:      err,
+		log.Errorf(ctx, "failed to get pid (%d) or pgid (%d) from file %s: %v", ctrPid, ctrPgid, pidFile, err)


Suggested change

log.Errorf(ctx, "failed to get pid (%d) or pgid (%d) from file %s: %v", ctrPid, ctrPgid, pidFile, err)

log.Errorf(ctx, "Failed to get pid (%d) or pgid (%d) from file %s: %v", ctrPid, ctrPgid, pidFile, err)

return

saschagrunert · 2021-05-27T07:04:26Z

internal/oci/runtime_oci.go

+			log.Errorf(ctx, "Failed to kill process after timeout: %v", err)
 		}
 	}



Suggested change

It is not really needed, and causes unnecessary overhead. Plus, we drop an unkillable child from the mix allowing cri-o to keep track of its children better. Signed-off-by: Peter Hunt <[email protected]>

Signed-off-by: Peter Hunt <[email protected]>

haircommander · 2021-05-27T13:30:08Z

/retest

saschagrunert

/lgtm
/hold
@mrunalp @haircommander feel free to lift the hold when ready.

openshift-ci · 2021-05-27T13:41:15Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: haircommander, saschagrunert

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

~~OWNERS~~ [haircommander,saschagrunert]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

For ultra-low-latency workloads, it is helpful to guarantee that the container entry point, and any other foreign process run in the container (kubectl exec...) are always scheduled on fixed and predictable cpu in the container cpuset (e.g. not in a random one). This patch implements this optional behaviour depending on container annotations. Signed-off-by: Francesco Romani <[email protected]>

haircommander · 2021-05-27T14:54:06Z

/retest

openshift-ci · 2021-05-27T17:44:27Z

@haircommander: The following test failed, say /retest to rerun all failed tests:

Test name	Commit	Details	Rerun command
ci/openshift-jenkins/e2e_crun_cgroupv2	`eebef46`	link	`/test e2e_cgroupv2`

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

mrunalp · 2021-05-30T04:47:11Z

/hold cancel

openshift-bot · 2021-05-30T04:56:31Z

/retest