Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

podman cp: support copying on tmpfs mounts #9593

Merged
merged 1 commit into from
Mar 5, 2021
Merged

podman cp: support copying on tmpfs mounts #9593

merged 1 commit into from
Mar 5, 2021

Conversation

vrothberg
Copy link
Member

Traditionally, the path resolution for containers has been resolved on
the host; relative to the container's mount point or relative to
specified bind mounts or volumes.

While this works nicely for non-running containers, it poses a problem
for running ones. In that case, certain kinds of mounts (e.g., tmpfs)
will not resolve correctly. A tmpfs is held in memory and hence cannot
be resolved relatively to the container's mount point. A copy operation
will succeed but the data will not show up inside the container.

To support these kinds of mounts, we need to join the running
container's mount namespace (and PID namespace) when copying.

Note that this change implies moving the copy and stat logic into
libpod since we need to keep the container locked to avoid race
conditions. The immediate benefit is that all logic is now inside
libpod; the code isn't scattered anymore.

Further note that Docker does not support copying to tmpfs mounts.

Tests have been extended to cover both path resolutions for running
and created containers. New tests have been added to exercise the
tmpfs-mount case.

Signed-off-by: Valentin Rothberg [email protected]

@containers/podman-maintainers PTAL
@edsantiago, I'd love your input especially on the test changes

@openshift-ci-robot openshift-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 3, 2021
@vrothberg
Copy link
Member Author

vrothberg commented Mar 3, 2021
edited
Loading

@TomSweeneyRedHat FWIW, I would love to get this into 3.0 for two reasons: 1) It's a really cool thing and customers are asking for it (we can consider it a bug), 2) it will make backports much easier (there are still some bugs we need to iron out in cp).

Is a backport for RHEL possible?

@vrothberg vrothberg force-pushed the cp-tmp branch 4 times, most recently from b588b12 to 6f68c77 Compare March 3, 2021 14:32
rhatdan
rhatdan approved these changes Mar 3, 2021
View reviewed changes
Copy link
Member

@rhatdan rhatdan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice work.

libpod/container_copy_linux.go Show resolved Hide resolved
@edsantiago
Copy link
Member

Just an FYI: in one of my test runs, I encountered a flake:

 ✗ podman cp file from host to container
...
$ podman start -a cpcontainer
   random-0-qvvUDTQtME
   Error: unable to start container f0191a2a6a86a3e78252b8d095a50a24b21980ea80f8c71de8df9c98703b9428: error attaching to container f0191a2a6a86a3e78252b8d095a50a24b21980ea80f8c71de8df9c98703b9428: read unixpacket @->/proc/self/fd/13/attach: read: connection reset by peer
   [ rc=125 (** EXPECTED 0 **) ]

"read unixpacket" has a horrible history of flakiness, usually relating to conmon: #7228, #3302. This was on my laptop, f33, conmon-2.0.26-1.fc33, 5.10.19-200.fc33.

@edsantiago
Copy link
Member

May I make a friendly suggestion? This shaves over one minute from the test's run time (126 seconds down to 58):
cp-fast.diff.txt

Reason: podman rm -f has to wait those stupid ten seconds, and there's no --do-it-right-now-dammit option.

edsantiago
edsantiago reviewed Mar 3, 2021
View reviewed changes
test/system/065-cp.bats Outdated Show resolved Hide resolved
edsantiago
edsantiago reviewed Mar 3, 2021
View reviewed changes
test/system/065-cp.bats Outdated Show resolved Hide resolved
edsantiago
edsantiago reviewed Mar 3, 2021
View reviewed changes
test/system/065-cp.bats Outdated Show resolved Hide resolved
edsantiago
edsantiago reviewed Mar 3, 2021
View reviewed changes
test/system/065-cp.bats Outdated Show resolved Hide resolved
@vrothberg
Copy link
Member Author

May I make a friendly suggestion? This shaves over one minute from the test's run time (126 seconds down to 58):
cp-fast.diff.txt

Reason: podman rm -f has to wait those stupid ten seconds, and there's no --do-it-right-now-dammit option.

Yes, I was afraid of that. I will add podman kill before to cut things short :^)

@vrothberg
Copy link
Member Author

NOTE: we currently cannot copy tty devices from a rootless container. One e2e test is disabled for now. I chatted with @nalind and he has an idea how to tackle that in the copier package.

I think we can merge. It's a very minor corner case and I will be adding a couple more commits to address other cp issues tomorrow.

@vrothberg
Copy link
Member Author

Updated. Thanks for the super helpful reviews!

mheon
mheon reviewed Mar 3, 2021
View reviewed changes
libpod/container_api.go Outdated Show resolved Hide resolved
mheon
mheon reviewed Mar 3, 2021
View reviewed changes
libpod/container_api.go Outdated Show resolved Hide resolved
@vrothberg
Copy link
Member Author

@edsantiago

read: connection reset by peer

Just hit that in the F33 root system tests as well.

@vrothberg vrothberg force-pushed the cp-tmp branch 3 times, most recently from 2454ac0 to 8a2583b Compare March 4, 2021 10:42
@vrothberg
Copy link
Member Author

Repushing. Many jobs timed out (Cc @cevich).

@vrothberg vrothberg force-pushed the cp-tmp branch 2 times, most recently from 0bbfb60 to 3e5fac7 Compare March 4, 2021 12:48
@vrothberg
Copy link
Member Author

May I make a friendly suggestion? This shaves over one minute from the test's run time (126 seconds down to 58):
cp-fast.diff.txt
Reason: podman rm -f has to wait those stupid ten seconds, and there's no --do-it-right-now-dammit option.

Yes, I was afraid of that. I will add podman kill before to cut things short :^)

Unfortunately, start -aseems to be too flaky/broken. I'll change the copy tests but it's concerning.

@mheon
Copy link
Member

mheon commented Mar 4, 2021

We really ought to add --timeout to podman rm

@vrothberg
podman cp: support copying on tmpfs mounts
a090301 
Traditionally, the path resolution for containers has been resolved on
the *host*; relative to the container's mount point or relative to
specified bind mounts or volumes.

While this works nicely for non-running containers, it poses a problem
for running ones.  In that case, certain kinds of mounts (e.g., tmpfs)
will not resolve correctly.  A tmpfs is held in memory and hence cannot
be resolved relatively to the container's mount point.  A copy operation
will succeed but the data will not show up inside the container.

To support these kinds of mounts, we need to join the *running*
container's mount namespace (and PID namespace) when copying.

Note that this change implies moving the copy and stat logic into
`libpod` since we need to keep the container locked to avoid race
conditions.  The immediate benefit is that all logic is now inside
`libpod`; the code isn't scattered anymore.

Further note that Docker does not support copying to tmpfs mounts.

Tests have been extended to cover *both* path resolutions for running
and created containers.  New tests have been added to exercise the
tmpfs-mount case.

For the record: Some tests could be improved by using `start -a` instead
of a start-exec sequence.  Unfortunately, `start -a` is flaky in the CI
which forced me to use the more expensive start-exec option.

Signed-off-by: Valentin Rothberg <[email protected]>
@rhatdan
Copy link
Member

rhatdan commented Mar 4, 2021

I agree podman rm --timeout 0 -f is needed.

giuseppe
giuseppe approved these changes Mar 5, 2021
View reviewed changes
Copy link
Member

@giuseppe giuseppe left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@openshift-ci-robot openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Mar 5, 2021
@openshift-ci-robot
Copy link
Collaborator

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: giuseppe, rhatdan, vrothberg

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [giuseppe,rhatdan,vrothberg]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-robot openshift-merge-robot merged commit 05080a1 into containers:master Mar 5, 2021
@vrothberg vrothberg deleted the cp-tmp branch March 5, 2021 08:58
@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 23, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 23, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@mheon mheon mheon left review comments

@edsantiago edsantiago edsantiago left review comments

@rhatdan rhatdan rhatdan approved these changes

@giuseppe giuseppe giuseppe approved these changes

Assignees

@giuseppe giuseppe

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@vrothberg @edsantiago @mheon @rhatdan @openshift-ci-robot @giuseppe @openshift-merge-robot