podman rm, with more than one arg: error removing container, unlinkat, EBUSY #10454
Comments
|
Got it to fail with |
|
@mheon I believe this could happen if the c.state.State == define.ContainerStateStopped and you attempt to remove it. Should we wait in the condition? If we wait, will the status be able to change? |
|
I don't think that's possible - the container is already locked, there's no potential for a race.
That right there is extremely suspicious. The container is marked as unmounted in the DB, yet clearly it's still mounted because it's failing. I'm not sure how this happens - maybe the cleanup process already fired and failed to unmount? |
|
@edsantiago could you attempt to remove the container afterwards to prove this is a race. I was thinking the container could be stopped but not cleaned up yet, and we go in and attempt to remove it. |
|
I'm not sure what you mean by "remove the container afterwards" -- in all cases, both containers are gone: the |
|
@rhatdan We clean up as part of removal - you can see it in the logs. The container is guaranteed to be gone after |
|
So we don't know if there is any storage container left? If there is a failure on removing from storage, should we remove from the database? |
|
The only reason that the image would be busy, would be if something is mounted on the image or if a process is running on the image. |
|
@rhatdan It's much better to get rid of the containers, even if there's a storage container left over - we had so many issues in the early days with containers that could not be removed at all without manual intervention. Defaulting to getting rid of the container is much safer. |
|
Ok but any thoughts on what is happening? |
|
Initial thought: cleanup process has already fired but failed to clean up, and the container was marked as unmounted despite this failure. As to why: lingering container process using the mountpoint, maybe? We really need to get the initial error message on the unmount attempt. Does this replicate outside of CI? |
Trivially. See initial comment for one-line reproducer. |
|
@edsantiago 10452 is always this flake. I think the problem can happen with a normal race. |
|
New information: there is a ten-second pause when this happens: $ while :;do ./bin/podman run --name foo -d alpine true;./bin/podman run --name bar -d alpine true;./bin/podman run --name fubar -d alpine true;./bin/podman rm foo bar fubar || break;done | ts
....
May 25 09:30:55 2928a791accaadf6d5555a329220bd5522db587e9ad89a4a18e456438f3d48e6
May 25 09:30:55 15341f6fea9dfca020df227ebb4a8e9a2a7d1c008c69a207dcbe68491a49bb39
May 25 09:30:56 925501b27ffb98593115c1d75e5be70cbff091b7780a9e53e32d1aa5ef779258
May 25 09:30:56 2928a791accaadf6d5555a329220bd5522db587e9ad89a4a18e456438f3d48e6
May 25 09:30:56 15341f6fea9dfca020df227ebb4a8e9a2a7d1c008c69a207dcbe68491a49bb39
May 25 09:30:56 67bcf3f0e0fe0d87d39b449b8c8ceee02edfcf39933f48cd000486d1052bf063
May 25 09:30:57 ebb7c59a425b8facedf789c598ad0661e6ccf77d80ea25e940a7c7efcc6cd339
May 25 09:30:57 b6ed86f90f3508656641049d005e1a0e6ccdfaebfbf1ff17315e308c053879c5
Error: error removing container ebb7c59a425b8facedf789c598ad0661e6ccf77d80ea25e940a7c7efcc6cd339 root filesystem: 1 error occurred:
* unlinkat /home/esm/.local/share/containers/storage/overlay/0fb14d50003fcbd3457f3afe4ea185d4d26af544cb70bee28bf3ad317976026c/merged: device or resource busy
May 25 09:31:08 67bcf3f0e0fe0d87d39b449b8c8ceee02edfcf39933f48cd000486d1052bf063
May 25 09:31:08 b6ed86f90f3508656641049d005e1a0e6ccdfaebfbf1ff17315e308c053879c5 |
|
Here's my latest reproducer, slightly updated to make output more readable: $ while :;do echo;./bin/podman run --name foo -d alpine true;./bin/podman run --name bar -d alpine true;./bin/podman run --name fubar -d alpine true;./bin/podman rm foo bar fubar || break;done | ts
...
May 25 09:32:54
May 25 09:32:54 32e042fab9276c040c9ef69a1bed91955e6716b9f8cab0930d17b398d1059e23
May 25 09:32:55 d588d4d67feabac480202da381fb5610437941fdcf1a1631524661d8bef214d2
May 25 09:32:55 d4083e76ed34d419f4604669ced0ebeda6af5446eea751b7497dc10920e1486f
May 25 09:32:56 d4083e76ed34d419f4604669ced0ebeda6af5446eea751b7497dc10920e1486f
May 25 09:32:56 32e042fab9276c040c9ef69a1bed91955e6716b9f8cab0930d17b398d1059e23
May 25 09:32:56 d588d4d67feabac480202da381fb5610437941fdcf1a1631524661d8bef214d2
May 25 09:32:56
May 25 09:32:56 b79a385ab25dfd5ba8687d39273013ab7c25f9a33a6174bdd38bad4b156f0056
May 25 09:32:57 9ab95a14ed09e07ebfa9ede24fb3b7479a2380dd58e3455316f5765f59d8ee19
May 25 09:32:57 4982b2c0bc7f6bc4313663d56337c6854638651b4b754fe6fb75a7d30ae75d4f
Error: error removing container 9ab95a14ed09e07ebfa9ede24fb3b7479a2380dd58e3455316f5765f59d8ee19 root filesystem: 1 error occurred:
* unlinkat /home/esm/.local/share/containers/storage/overlay/7d7b1833de538603870e84beed40c294dc1f1a101a1e3ae58bf852a84766889e/merged: device or resource busy
May 25 09:33:08 b79a385ab25dfd5ba8687d39273013ab7c25f9a33a6174bdd38bad4b156f0056
May 25 09:33:08 4982b2c0bc7f6bc4313663d56337c6854638651b4b754fe6fb75a7d30ae75d4f |
|
With However: if I change all |
|
I just tried And I am not getting any errors. |
|
What is the value of "podman"? Are you using system podman, or FWIW your reproducer triggers the failure on my system: I can also reproduce it if I use I cannot reproduce the flake if I use |
|
Well I can not get this to fail, but I am not using fuse-overlayfs. We are only seeing this on Ubuntu machines in CI system, although @edsantiago and @mheon have gotten it to fail on Fedora. With the reproducer above. @mheon Was the fuse-overlayfs failure repeatable? Newer versions of podman are executing the overlay fs with new options? Could this be related? |
|
Running |
|
FYI my kernel is 5.11.17-300.fc34 I'm not feeling a great desire to |
|
I just forced fuse-overlay and it still does not fail for me. $ for i in {1..100}; do ./bin/podman run --name test$i alpine true; done; ./bin/podman rm $(seq --format="test%.0f" 1 100) |
$ podman info|grep -1i fuse -
overlay.mount_program:
Executable: /usr/bin/fuse-overlayfs
Package: fuse-overlayfs-1.5.0-1.fc34.x86_64
Version: |-
fusermount3 version: 3.10.3
fuse-overlayfs: version 1.5
FUSE library version 3.10.3
using FUSE kernel interface version 7.31
graphRoot: /home/esm/.local/share/containers/storage |
|
I think it could also be a regression in the kernel, I am still troubleshooting but after some time using the reproducer provided by @edsantiago I am able to reproduce locally. It gets the system in a weird state: and strace says: Interesting, if I join just the mount namespace as root on the host, I am able to umount it. |
It could be, but why can I not reproduce the problem with Incidentally, this is also happening with podman rm -a, not just explicitly-enumerated containers. |
|
Yes I switched the test to run with three podman rm commands rather then one, and it still flaked. It is definitely something to do with rootless podman rm failing. because of a mount point in use. Could this be some kind of mount space leak? |
sys: podman start --all - start all containers
Also failing in run-basic test, which does sys: podman run - basic tests
Hmmmm, this is not failing on fedora CI, only ubuntu CI, and both ubuntu 2010 and 2104. To me that argues a little against it being a kernel issue (but I'm no expert) |
$ podman unshare
# umount ~/.local/share/containers/storage/overlay
# mount|grep /home/esm/.local/share/containers/storage|awk '{print $3}'
[ lots and lots]
# mount|grep /home/esm/.local/share/containers/storage|awk '{print $3}'|xargs -l1 umount ! succeeds |
|
I may not have been clear: my comment above indicates that #10219 is almost 100% guaranteed to be the culprit. I'm sorry. |
|
On nooos :^) I read can reproduce. |
|
@edsantiago can you reproduce after reverting commit 8352e5b? |
|
@vrothberg did you really want me to try to resolve the conflicts in |
No, absolutely not, sorry for not checking if it reverts cleanly. Can you try with https://paste.centos.org/view/a5a90a57? |
|
Too late to function properly. Need to massage the patch. |
|
That'll compile: https://paste.centos.org/view/a51c1483 |
|
The thing is that |
|
Here's the attempt I came up with. It looks pretty similar to yours. I cannot (can not) reproduce the flake with that patch. Three iterations so far (with 10219, it almost always fails in one iteration). Sorry again. |
|
@containers/podman-maintainers may I humbly suggest that this is an all-hands-on-deck moment? |
|
Most suspicious bit I can see is switching from shutting down the store directly, to calling the Libimage shutdown function. That would be the first thing I look at. |
|
@edsantiago, thanks a lot for testing! One last request, could you test: https://paste.centos.org/view/fa6a32d4? Here, we're not using libimage to shutdown the store. I do not yet know why that would make any difference but I cannot rule it out at that point. |
https://paste.centos.org/view/fa6a32d4 reverts that. But as mentioned above, libimage shutdown does exactly that as well. It's not obvious to me yet how that would impact. Anyhow, I have to leave the keyboard. Good luck, folks! |
|
Four iterations so far with the above patch (fa6a32d4). No flakes. To be clear: |
|
Well.... I left the reproducer running anyway, and it just triggered. I don't know how many iterations, but according to the github timestamp above it took 26 minutes. This tells me that #10219 did not cause the problem, it just made it more pronounced. |
|
Another unhelpful data point: I reverted back to 62c14dc (commit before #10219), this time letting the reproducer run uninterrupted. Three hours later, no failures. Is it possible that the simple existence of |
|
Thanks a lot for all the data points, @edsantiago. I am under the impression that #10219 is merely increasing the chance of hitting the issue; maybe because it takes slightly longer to shutdown the store. |
|
I left 62c14dc running all night. 605 iterations, not a single crash. |
|
@giuseppe may have found the source in c/storage. Could be an issue in comparing time stamps. |
use s.graphLock.Modified() instead of s.graphLock.TouchedSince(). TouchedSince() seems to fail in some cases when comparing the inode mtime with the current time. Avoid such kind of problems in a critical code path as store.mount(), as we must be sure there is already a driver home mount present, otherwise it the next process may cover the container mount with the home mount. Closes: containers/podman#10454 Signed-off-by: Giuseppe Scrivano <[email protected]>
|
opened a PR: containers/storage#926 |
use s.graphLock.Modified() instead of s.graphLock.TouchedSince(). TouchedSince() seems to fail in some cases when comparing the inode mtime with the current time. Avoid such kind of problems in a critical code path as store.mount(), as we must be sure there is already a driver home mount present, otherwise it the next process may cover the container mount with the home mount. Closes: containers/podman#10454 Signed-off-by: Giuseppe Scrivano <[email protected]>
github-actions
bot
added
the
locked - please file new issue/PR
It looks like the cause of our new unlinkat/EBUSY flake is
podman rmwith more than one argument:It can take one minute, but more typically it's about five.
master @ 78df4f6. Running rootless on f34.
The text was updated successfully, but these errors were encountered: