libimage: pull: increase timeout running under systemd #1616
Conversation
|
Look like this will work. I do have two comments though:
|
What do you consider a reasonable number? 20 seconds?
I was going back and forth on making it conditional. In a way it is already conditional via the env. It doesn't really make sense in |
vrothberg
force-pushed
the
fix-containers/podman/issues/18353
branch
from
393d0fb to
b95e0be
Compare
vrothberg
force-pushed
the
fix-containers/podman/issues/18353
branch
from
b95e0be to
7b49c21
Compare
In the first PR, @rhatdan proposed 30 seconds. Maybe go with that
Do we know that it does? |
SGTM
With containers/podman#19644 it will. I was convinced it was doing it (but double checked). |
Then I think we're good |
|
LGTM |
vrothberg
force-pushed
the
fix-containers/podman/issues/18353
branch
from
7b49c21 to
72981d0
Compare
|
Now with 30 seconds. I'll keep it as a draft until I've figured out how to test it. |
|
The one problem with this approach is that it never actually checks for actual data progress. This works fine in the good case but if we now run into a deadlock in the pull code this goroutine will extend the time-out forever and the systemd unit will never time out. I don't think it is likely to happen but certainly a thing to consider and why I think the correct thing to do is to check for actual pull progress and only send a new message if we know new progress has been made. |
Dan asked the same thing in #1616 (comment) but I don't feel very comfortable doing it. The standard lib will take care of throwing an error in case the downloads starve. There may be a bug in our stack for sure that may cause it to block. But that would also be true if we'd check for pull progress where we some bug may indicate progress indefinitely. Schema 1 images don't indicate the size of blobs. |
I agree with @vrothberg here with one caveat. Can a call to |
In theory any call to podman can hang forever if there's a bug. My main point is that using pull progress as a line of defense isn't much more robust either since the standard lib already times out. So at the moment we rely on that. If we'd also rely on pull progress being made (ie., listen on the channel), I don't think we add much robustness. Maybe we should limit the number of timeout extensions to 10 or something like that? So something super high that should largely be sufficient but deterministic. If users have gigantic images or so low bandwidth that 5 minutes + 90 seconds are not enough, then I'd argue that they need to tweak the timeout in their Quadlet files themselves. |
|
Well I don't think there is any known deadlock in the pull code. This was more about being actually correct in all cases even when we introduce a deadlock in the future. Of course a normal I agree that this solution is simple enough and fixes a important problem that many users run into. My comments was only meant as maybe there is a even better way? If we agree that there is not without adding a lot of complexity and work I am favour of merging. |
I don't think this is how it works, form the sd_notify(3):
So it will time-out when it does not revive a new EXTEND_TIMEOUT_USEC message in the given time and it is over the normal default configured timeout. It does not add the time to the default value. |
Thanks. Yes, once it exceeds beyond the specific timeout, the timeout will be ignored. |
Absolutely. I think it's more than fair to reflect on how to prevent a potential deadlock. So far, I didn't like the progress-check proposal for the reasons mentioned above. What do you think about a fixed limit of how often Podman would increase the timeout? I'd guess it's fair to help in most cases but the extreme ones. |
|
I think having a limit of 5min sounds good to me. If someone pull super large images then they likely should pre populate them and not have their service start-up delayed so long and if they truly want that I agree they can still set the normal TimeoutStartSec= in the unit. |
|
In that case, I think we can simplify the entire thing and try handling that in Quadlet? If the default timeout is bigger than 5 minutes (not sure if/how Quadlet can access this value) or if a custom limit is set, Quadlet leaves things as they are. Otherwise, it'll add a TimeoutStartSec=5mins in the unit. |
|
You do not need to access anything if the default is bigger then systemd will use the bigger value and not time-out, again the docs are very explicit about the behaviour:
And setting a default TimeoutStartSec=5min is also not a good idea because that would effect all of podman and and there we definitely have more deadlocks. To me the extend feature is great because we only extend for things we know should take longer, i.e. pulls. There might be other special cases in the future were we want to extend it for example chown or selinux label setting on large volumes. |
vrothberg
force-pushed
the
fix-containers/podman/issues/18353
branch
from
72981d0 to
20a1a0f
Compare
|
Now I'm a bit confused. @vrothberg do you want to go forward with it? @Luap99 another advantage of this change is that it limits the time extension to the pull process while in the Quadlet solution the longer value will be set to subsequent runs as well (runs that will not require pulling the image). Having said that, now I'm also thinking about the health checks and the new sd-notify option. IIUC, once the extend message is sent, the process is expected to send additional ones or ready within the extension period. Am I correct in my understanding? If yes, can this cause an issue? |
Very good point!
Yes, I find it difficult to decide. There's pros and cons on both alternatives. I am OK to move forward with this idea. We can always change in the future. The important part is that we don't see a big blocker. |
I am OK with moving forward. I pinged you and Dan to have some more thoughts as I find it hard to balance the alternatives.
AFAIUI: once the default timeout has been exceeded, the EXTEND_TIMEOUT_USEC one extends the timeout for the specified time. On each send it will be extended by the specified value. If 10 seconds are left after a successful pull, then Podman has 10 seconds to finish the job until the timeout kicks in.
At the moment, I am not worried about health checks etc. If users expect a delayed start I think it's fair to make them responsible for taking care of the timeout. Probably something to highlight in the docs? |
Combining these two comments, it means that the 10 seconds are not only for Podman, but also for the health check to pass. Now, if the checks take 15 seconds from the start of the container the service will fail. So, maybe the extension period should be longer that 30 seconds? |
In that case, I would expect the |
vrothberg
force-pushed
the
fix-containers/podman/issues/18353
branch
from
20a1a0f to
b7e3379
Compare
vrothberg
force-pushed
the
fix-containers/podman/issues/18353
branch
3 times, most recently
from
061adba to
e1e02eb
Compare
vrothberg
changed the title
vrothberg
force-pushed
the
fix-containers/podman/issues/18353
branch
from
e1e02eb to
81cb638
Compare
Set the `EXTEND_TIMEOUT_USEC` over DBUS when pulling an image from a registry and when running under systemd. This will prevent a frequent issue when running Quadlets and exceeding the default systemd start timeout of 90 seconds when pulling the image takes too long. Fixes: containers/podman/issues/18353 Signed-off-by: Valentin Rothberg <[email protected]>
vrothberg
force-pushed
the
fix-containers/podman/issues/18353
branch
from
81cb638 to
4488724
Compare
|
containers/podman#19644 s passing (minus the CI farts), so this PR is good to go from my end. |
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: Luap99, rhatdan, vrothberg The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
It… will? In principle, a very slow HTTP response body is not unusual. I can’t see any default timeout on reading a HTTP body, neither when making progress nor when the body is idle (if there were one, I think we would already have received bug reports about layer downloads not fitting into the default value). AFAICS (Warning: I didn’t actually try any of this in practice, I have just briefly read the HTTP 1.x version of the |
TLS timeouts are common at least. I expected similar timeouts when the download stalls. Wouldn't it otherwise be just too easy to create a DOS server/registry? |
|
It’s quite possible that the server has timeouts set up to protect itself. I haven’t found any in the standard library (although I didn’t look that hard), and AFAIK c/image does nothing special other than respect the provided |
|
@mtrmac would it make sense to move such a monitoring logic into |
|
Compare https://blog.cloudflare.com/the-complete-guide-to-golang-net-http-timeouts/ . I think adding a c/image option to limit… something (e.g. time the connection can be idle while downloading the body) could make sense; it would have more sense if we had a user with a specific use case. But that would, without other work, do nothing to extend the systemd-imposed timeout. |
|
(Note that it is already possible to set a global timeout. I think that one is easy for users to understand; once we start explaining network idle times and various connections states, we have probably lost a lot of users’ attention.) |
Set the
EXTEND_TIMEOUT_USECover DBUS when pulling an image from a registry and when running under systemd. This will prevent a frequent issue when running Quadlets and exceeding the default systemd start timeout of 90 seconds when pulling the image takes too long.Fixes: containers/podman/issues/18353
Entirely untested but it may aid in deciding what to do with containers/podman/issues/18353.
@rhatdan @ygalblum WDYT?