Pass Systemd LISTEN_* environment to the container #10448
Conversation
openshift-ci
bot
added
do-not-merge/work-in-progress
|
@eriksjolund I would love to work with you on this. I think this PR is needed to move this forward. Basically this PR passes the environment variables into the container so PID1 of the container can use them. We force the LISTEN_PID=1 since systemd will originally set it to the Podman PID. I am hoping that conmon and crun/runc handle down the open file descriptors correctly. If you could build a simple test script to test this, I could finish it up. |
|
@giuseppe PTAL |
|
@haircommander @giuseppe I believe we have to update the --preservefds as well when executing conmon. |
|
@rhatdan Sure, I'll create a simple test script. I could try it out during the weekend. |
rhatdan
force-pushed
the
systemd
branch
4 times, most recently
from
ba439bc to
b479da3
Compare
cmd/podman/system/service_abi.go
Outdated
| // If the podman service is setup as socket activated, we don't want any containers | ||
| // to inherit these settings from the service. | ||
| for _, lEnv := range []string{"LISTEN_PID", "LISTEN_FDS", "LISTEN_FDNAMES"} { | ||
| os.Unsetenv(lEnv) |
There was a problem hiding this comment.
These are also unset in the coreos/go-systemd library when the service is started. See
that is called during NewServer...() before Serve()There was a problem hiding this comment.
Except I don't see activation.Files(true) ever being called.
grep -r 'activation\.Files(' .
./vendor/github.com/docker/go-plugins-helpers/sdk/unix_listener_systemd.go: listenFds := activation.Files(false)
./libpod/oci_conmon_linux.go: fds := activation.Files(false)
There was a problem hiding this comment.
From activation.Listeners() which is called in NewServer...()
If a container is running within a systemd service and it is socket activated, we need to leak the LISTEN_* environment variables into the container. Fixes: containers#10443 Signed-off-by: Daniel J Walsh <[email protected]>
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: rhatdan The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
rhatdan
changed the title
openshift-ci
bot
removed
the
do-not-merge/work-in-progress
|
@eriksjolund PTAL |
|
@giuseppe @mheon @vrothberg @edsantiago PTAL, Anyone have a simple test to see if this works? |
|
Just some thoughts. (Disclaimer: sending this quite late in the evening so it might not be crystal clear). crun takes the LISTEN_FDS information from the environment That looks good. I think we need to keep the preserve_fds information and LISTEN_FDS information apart in the Podman and Conmon code. In the source code for Podman and Conmon the term preserve_fds could for instance be "reserved" to always mean the user-provided argument --preserve-fds from One thing to think about Quote from: https://www.freedesktop.org/software/systemd/man/sd_listen_fds.html In other words. The first LISTEN_FDS file descriptor needs to come directly after stdin, stdout, stderr. |
| if uint(listenFds) > ctr.config.PreserveFDs { | ||
| ctr.config.PreserveFDs = uint(listenFds) | ||
| } |
There was a problem hiding this comment.
if uint(listenFds) > ctr.config.PreserveFDs {
ctr.config.PreserveFDs = uint(listenFds)
}
seems to be
(pseudo code)
ctr.config.PreserveFDs := max(listenFds, ctr.config.PreserveFDs)
I don't understand this code. Why should it be a max value?
There was a problem hiding this comment.
I am just guessing here, that if the user specified --preserve_fds=1 and LISTEN_FDS=2, then we need to leak at least 2 FDs into the container. But I am not really sure what should be the behaviour. Perhaps we should ignore the LISTEN_FDS and force the user to tell us how many FDS to leak.
There was a problem hiding this comment.
At first sight runc and crun are doing the same:
See the runc example:
LISTEN_PID=$pid_of_runc LISTEN_FDS=3 runc run --preserve-fds 5 <container>
from https://github.com/opencontainers/runc/blob/master/docs/terminals.md
The first 3 (3, 4, and 5) were passed due to LISTEN_FDS and the other 5 (6, 7, 8, 9, and 10)
were passed due to --preserve-fds
Quote: basically, it can just leave the FDs and $LISTEN_FDS untouched
https://systemd.io/CONTAINER_INTERFACE/
I guess runc and crun could have ignored LISTEN_FDS and just make it the responsibility of
the caller to specify a --preserve-fds argument that includes the LISTEN_FDS.
But that is not how it is done right now.
There was a problem hiding this comment.
So we should do nothing with them except leak them into the OCI Runtimes. Will crun and runc rename the LISTEN_PID to pid1?
|
I don't want to add another option about leaked FDs into conmon, since conmon would not know which one to take priority with. |
|
@rhatdan Regarding the test scripts, I gave it a try but I haven't finished it yet. Here is some code that might be useful if anyone is trying to do the same I don't remember what was not working. (Adding |
|
@eriksjolund any progress? |
|
@rhatdan No, I have been busy with other things. |
|
A friendly reminder that this PR had no activity for 30 days. |
|
Closing, @rhatdan aksed me to take over. |
github-actions
bot
added
the
locked - please file new issue/PR
If a container is running within a systemd service and it is socket
activated, we need to leak the LISTEN_* environment variables into the
container.
Fixes: #10443
Signed-off-by: Daniel J Walsh [email protected]