system service: unset listen fds on tcp #19196
Conversation
Why only for tcp? We should unset all three LISTEN_ envs after this block for everything, there is no reason to leak them ever into the container when started via service. I still would like to understand why tcp misbehaves in that case?
This sounds like a systemd bug to me.
That is a good idea.
I also smell a systemd bug.
Ah well. I don't think so anymore. It does not happen when socket isn't active. For that to happen, it must 1) be removed from the service dependencies and 2) be stopped.
Agreed I think systemd is behaving as documented here. The .service unit has an implicit dependency on the socket. So if you start the service it will automatically trigger the socket unit and pass the fds down.
I think this patch to unset the env is correct but I still do not understand why that is causing issues with dropping tcp packets.
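The behaviour the thread is discussing, as an added example that is not podman's own code: a process started by systemd has to treat LISTEN_PID, LISTEN_FDS and LISTEN_FDNAMES the way sd_listen_fds() does (only honour them when LISTEN_PID matches its own pid, fds start at 3), and then drop all three from its environment so that nothing it execs later, such as a container's init, inherits them. The variable names and the fd-numbering convention are systemd's; the function names, the `SocketActivation` type and the sample values in the comments are assumptions made for this illustration.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
	"strings"
)

// listenFdsStart is the first descriptor systemd hands over (SD_LISTEN_FDS_START).
const listenFdsStart = 3

// ListenEnvVars are the three variables systemd sets for socket activation.
var ListenEnvVars = []string{"LISTEN_PID", "LISTEN_FDS", "LISTEN_FDNAMES"}

// SocketActivation describes what this process received from systemd.
type SocketActivation struct {
	Active bool     // true only if LISTEN_PID is our pid and LISTEN_FDS > 0
	Fds    []int    // descriptor numbers 3 .. 3+LISTEN_FDS-1
	Names  []string // LISTEN_FDNAMES split on ':' (may be empty)
}

// ReadListenFds mirrors the sd_listen_fds() rule: the variables are only
// meaningful if LISTEN_PID equals the pid of this process; otherwise they were
// inherited from a parent and must be ignored. pid is passed explicitly so the
// logic can be exercised without being started by systemd.
func ReadListenFds(pid int, env map[string]string) SocketActivation {
	var sa SocketActivation
	listenPid, err := strconv.Atoi(env["LISTEN_PID"])
	if err != nil || listenPid != pid {
		return sa
	}
	nfds, err := strconv.Atoi(env["LISTEN_FDS"])
	if err != nil || nfds <= 0 {
		return sa
	}
	sa.Active = true
	for i := 0; i < nfds; i++ {
		sa.Fds = append(sa.Fds, listenFdsStart+i)
	}
	if names := env["LISTEN_FDNAMES"]; names != "" {
		sa.Names = strings.Split(names, ":")
	}
	return sa
}

// ScrubListenEnv removes all three LISTEN_* variables from the process
// environment so that anything exec'd afterwards does not inherit them.
func ScrubListenEnv() {
	for _, k := range ListenEnvVars {
		os.Unsetenv(k)
	}
}

// ContainerEnvLeaks reports which LISTEN_* variables are present in a slice of
// KEY=VALUE entries, e.g. os.Environ() as a child process would inherit it.
func ContainerEnvLeaks(environ []string) []string {
	var leaked []string
	for _, kv := range environ {
		key := strings.SplitN(kv, "=", 2)[0]
		for _, k := range ListenEnvVars {
			if key == k {
				leaked = append(leaked, k)
			}
		}
	}
	return leaked
}

func main() {
	env := map[string]string{}
	for _, k := range ListenEnvVars {
		env[k] = os.Getenv(k)
	}
	sa := ReadListenFds(os.Getpid(), env)
	fmt.Printf("socket activated: %v fds=%v names=%v\n", sa.Active, sa.Fds, sa.Names)
	// Consume the fds here if sa.Active, then scrub before starting the container.
	ScrubListenEnv()
	fmt.Printf("LISTEN_* still visible to children: %v\n", ContainerEnvLeaks(os.Environ()))
}
```

The order matters: read and consume the descriptors first, scrub second, and only then exec the container, so the leak is closed regardless of whether the service was actually socket-activated or merely pulled the socket unit in as an implicit dependency.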
Disable leaking the LISTEN_* variables into containers which are
observed to be passed by systemd even without being socket activated as
described in https://access.redhat.com/solutions/6512011.
[NO NEW TESTS NEEDED] - Ultimately, the solution 6512011 should be updated.
Fixes: bugzilla.redhat.com/show_bug.cgi?id=2180483
Signed-off-by: Valentin Rothberg <[email protected]>
That is indeed puzzling.
Good to go from my end. Apologies, I did not manage to reproduce the issues outside this very specific scenario of manually editing the installed .service.
LGTM
@flouthoc PTAL
LGTM
/lgtm
/approve
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: flouthoc, Luap99, vrothberg The full list of commands accepted by this bot can be found here. The pull request process is described here
/cherry-pick v4.6
@vrothberg: new pull request created: #19205 In response to this:
@Luap99 PTAL. test/e2e/systemd_activate_test.go does not set LISTEN_FDS, so there's no test I can plug into.