-
Notifications
You must be signed in to change notification settings - Fork 176
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Podman can crash during standard stream I/O #685
Comments
Looking more into it, we are now sure that when a container sends large amounts of data through its standard streams, faster than the client can consume, The affected platforms and respective
For Ubuntu Focal, things are a bit more complicated. While |
The timeout issue that affects Ubuntu Focal is easily bypassed. We can just use The abrupt return issue though cannot be bypassed, to the best of my knowledge. The code path that erroneously sets the
The Therefore, we have two options:
|
Thanks a lot for this investigation and findings!
This option sounds interesting. However, won't the podman be dependent on a specific conmon version already provided by the same repo? Because if this is the case we'd need to provide all the other dependencies in our repo such that our podman "take over" the user's distro one. However if the user uses podman for something else, this could lead to unintended consequences. And we'd also need to re-sign / rebuild these repos, which takes some maintenance work. |
No, it's actually dependent on But yes, you're right about a) possibly unintended consequences, and b) resigning the packages. I don't like that as well. |
There's another option that we can consider: Package
|
Sigh 😮💨 While building the package, I just realized that this is a known bug in Debian Bullseye. The maintainers of the package are doing the same thing we are describing in this issue (#685 (comment)). They have backported the fix from v2.0.26 into v2.0.25, and have created a new package called v2.0.25+ds1-1.1+deb11u1. This package has been accepted as a "proposed update" for Debian Bullseye in Sun, 12 Nov 2023. The proposed package has not landed yet in Debian Bullseye, nor Ubuntu Jammy. We can build a Debian package out of it though and name it 2.0.25+ds1-1.1+deb11u1~fpf1. This way, I believe that the version order will be:
where:
Useful LinksEdit: The original suggestion was to use Debian version
where:
|
Oh wow. What a timing... and this is an issue that has existed for more than a year. How convenient! So this is actually good for us, no? We can use debian's package and just rename it (not sure if it uses the name inside the package or not) and re-sign it. |
It adds a bit more confidence in what we're doing, so yeah, it's a good thing. I'll grab their source package, bump the changelog accordingly (the Debian version is taken from the changelog), and build it in an Ubuntu Jammy and Debian Bullseye container.
|
I stand corrected: Debian has some repos called proposed-updates. For instance, there is an
And if they run
whereas for Podman, it's the old one, because we have lowered the priority of the proposed updates repo:
|
Nice. That means we can now see if our CI is fixed on #627. |
I've downloaded I have a reservation regarding how this package was built. It was built in Debian Bullseye (proposed updates) which has:
We plan to install it in Ubuntu Jammy and Debian Bullseye though, which have:
As one can see, for Debian Bullseye, aside for a missing patch in
Since |
@legoktm pointed out that the Debian 11.9 release will happen on February 10th, so it may not be strictly necessary to include the |
Switching from mounting files to writing to stdout has introduced some Podman crashes in specific environments (Ubuntu Jammy / Debian Bullseye) due to a conmon bug that affects version 2.0.25. Fixing it for various permutations of the environments we support requires the following: 1. CI tests: Install conmon from the oldstable-proposed-updates in our Debian Bullseye / Ubuntu Jammy dev/end-user environments. 2. Developers: Add a line in BUILD.md that suggests users to install conmon from the oldstable-proposed-updates repo, or some other repo they prefer. 3. End-user installations: We will build conmon for Ubuntu Jammy, and wait until the proposed updates repo gets merged in Debian Bullseye. Fixes #685
Update the Debian changelog with version 2.0.25+ds1-1.1a~fpf1, which is greater than the existing Ubuntu Jammy version (2.0.25+ds1-1.1) but sorts lower than anything else. Refs freedomofpress/dangerzone#685
Add instructions on how to build an Ubuntu Jammy package for `conmon`. Also, add an explanation of why does FPF needs to create an Ubuntu Jammy package for this project Refs freedomofpress/dangerzone#685
Add a conmon package in Ubuntu Jammy, that fixes an issue that is present only in that version. Refs freedomofpress/dangerzone#685
Add instructions on how to build an Ubuntu Jammy package for `conmon`. Also, add an explanation of why does FPF needs to create an Ubuntu Jammy package for this project Refs freedomofpress/dangerzone#685
While working on issue #443 and PR #627, we have seen the following weird behavior (#627 (comment) and #627 (comment)):
The platforms where this behavior is consistent are:
Specifically for the abrupt return bug, it seems that on the client side
read()
gets interrupted abruptly, and thus we raiseConverterProcException()
. Then we try to find the reason for the exception, and the exit code is actually0
! In that case, the Podman process does not exist, and the container is deleted as well.Interestingly, with
ps
we see that the underlying conversion process still runs. Withjournalctl -f
, we see that aconmon
component attempts to print binary data to the journal.The text was updated successfully, but these errors were encountered: