From 0b1c1ef461d26b3c373269c3a2e7085124f89eb5 Mon Sep 17 00:00:00 2001 From: Joseph Gooch Date: Fri, 19 Jun 2020 13:29:34 +0000 Subject: [PATCH 1/2] Implement --sdnotify cmdline option to control sd-notify behavior --sdnotify container|conmon|ignore With "conmon", we send the MAINPID, and clear the NOTIFY_SOCKET so the OCI runtime doesn't pass it into the container. We also advertise "ready" when the OCI runtime finishes to advertise the service as ready. With "container", we send the MAINPID, and leave the NOTIFY_SOCKET so the OCI runtime passes it into the container for initialization, and let the container advertise further metadata. This is the default, which is closest to the behavior podman has done in the past. The "ignore" option removes NOTIFY_SOCKET from the environment, so neither podman nor any child processes will talk to systemd. This removes the need for hardcoded CID and PID files in the command line, and the PIDFile directive, as the pid is advertised directly through sd-notify. Signed-off-by: Joseph Gooch --- cmd/podman/common/create.go | 6 ++ cmd/podman/common/create_opts.go | 1 + cmd/podman/common/specgen.go | 1 + docs/source/markdown/podman-create.1.md | 11 +++ docs/source/markdown/podman-run.1.md | 11 +++ libpod/container.go | 2 + libpod/container_internal.go | 14 ++++ libpod/define/config.go | 7 ++ libpod/oci_conmon_exec_linux.go | 2 +- libpod/oci_conmon_linux.go | 30 +++++-- libpod/options.go | 22 +++++ pkg/specgen/container_validate.go | 7 ++ pkg/specgen/generate/container_create.go | 4 + pkg/specgen/specgen.go | 5 ++ .../coreos/go-systemd/v22/daemon/sdnotify.go | 84 +++++++++++++++++++ .../coreos/go-systemd/v22/daemon/watchdog.go | 73 ++++++++++++++++ vendor/modules.txt | 1 + 17 files changed, 274 insertions(+), 7 deletions(-) create mode 100644 vendor/github.com/coreos/go-systemd/v22/daemon/sdnotify.go create mode 100644 vendor/github.com/coreos/go-systemd/v22/daemon/watchdog.go diff --git a/cmd/podman/common/create.go b/cmd/podman/common/create.go index bbe31d19f3..f6fbe8e105 100644 --- a/cmd/podman/common/create.go +++ b/cmd/podman/common/create.go @@ -6,6 +6,7 @@ import ( "github.com/containers/common/pkg/auth" "github.com/containers/libpod/v2/cmd/podman/registry" + "github.com/containers/libpod/v2/libpod/define" "github.com/spf13/pflag" ) @@ -394,6 +395,11 @@ func GetCreateFlags(cf *ContainerCLIOpts) *pflag.FlagSet { "rootfs", false, "The first argument is not an image but the rootfs to the exploded container", ) + createFlags.StringVar( + &cf.SdNotifyMode, + "sdnotify", define.SdNotifyModeContainer, + `control sd-notify behavior ("container"|"conmon"|"ignore")`, + ) createFlags.StringArrayVar( &cf.SecurityOpt, "security-opt", containerConfig.SecurityOptions(), diff --git a/cmd/podman/common/create_opts.go b/cmd/podman/common/create_opts.go index 3183a5cceb..eafe7f0902 100644 --- a/cmd/podman/common/create_opts.go +++ b/cmd/podman/common/create_opts.go @@ -81,6 +81,7 @@ type ContainerCLIOpts struct { Rm bool RootFS bool SecurityOpt []string + SdNotifyMode string ShmSize string StopSignal string StopTimeout uint diff --git a/cmd/podman/common/specgen.go b/cmd/podman/common/specgen.go index 225370368e..0948e78f13 100644 --- a/cmd/podman/common/specgen.go +++ b/cmd/podman/common/specgen.go @@ -443,6 +443,7 @@ func FillOutSpecGen(s *specgen.SpecGenerator, c *ContainerCLIOpts, args []string } s.Systemd = c.Systemd + s.SdNotifyMode = c.SdNotifyMode if s.ResourceLimits == nil { s.ResourceLimits = &specs.LinuxResources{} } diff --git a/docs/source/markdown/podman-create.1.md b/docs/source/markdown/podman-create.1.md index 1fc99cd873..e0703fd228 100644 --- a/docs/source/markdown/podman-create.1.md +++ b/docs/source/markdown/podman-create.1.md @@ -702,6 +702,17 @@ If specified, the first argument refers to an exploded container on the file sys This is useful to run a container without requiring any image management, the rootfs of the container is assumed to be managed externally. +**--sdnotify**=**container**|**conmon**|**ignore** + +Determines how to use the NOTIFY_SOCKET, as passed with systemd and Type=notify. + +Default is **container**, which means allow the OCI runtime to proxy the socket into the +container to receive ready notification. Podman will set the MAINPID to conmon's pid. +The **conmon** option sets MAINPID to conmon's pid, and sends READY when the container +has started. The socket is never passed to the runtime or the container. +The **ignore** option removes NOTIFY_SOCKET from the environment for itself and child processes, +for the case where some other process above Podman uses NOTIFY_SOCKET and Podman should not use it. + **--seccomp-policy**=*policy* Specify the policy to select the seccomp profile. If set to *image*, Podman will look for a "io.podman.seccomp.profile" label in the container-image config and use its value as a seccomp profile. Otherwise, Podman will follow the *default* policy by applying the default profile unless specified otherwise via *--security-opt seccomp* as described below. diff --git a/docs/source/markdown/podman-run.1.md b/docs/source/markdown/podman-run.1.md index 86179e63c4..54c497ba2d 100644 --- a/docs/source/markdown/podman-run.1.md +++ b/docs/source/markdown/podman-run.1.md @@ -723,6 +723,17 @@ of the container is assumed to be managed externally. Note: On **SELinux** systems, the rootfs needs the correct label, which is by default **unconfined_u:object_r:container_file_t**. +**--sdnotify**=**container**|**conmon**|**ignore** + +Determines how to use the NOTIFY_SOCKET, as passed with systemd and Type=notify. + +Default is **container**, which means allow the OCI runtime to proxy the socket into the +container to receive ready notification. Podman will set the MAINPID to conmon's pid. +The **conmon** option sets MAINPID to conmon's pid, and sends READY when the container +has started. The socket is never passed to the runtime or the container. +The **ignore** option removes NOTIFY_SOCKET from the environment for itself and child processes, +for the case where some other process above Podman uses NOTIFY_SOCKET and Podman should not use it. + **--seccomp-policy**=*policy* Specify the policy to select the seccomp profile. If set to *image*, Podman will look for a "io.podman.seccomp.profile" label in the container-image config and use its value as a seccomp profile. Otherwise, Podman will follow the *default* policy by applying the default profile unless specified otherwise via *--security-opt seccomp* as described below. diff --git a/libpod/container.go b/libpod/container.go index a71692dd8b..fa90fef7a9 100644 --- a/libpod/container.go +++ b/libpod/container.go @@ -414,6 +414,8 @@ type ContainerConfig struct { // sharing kernel namespaces in a pod IsInfra bool `json:"pause"` + // SdNotifyMode tells libpod what to do with a NOTIFY_SOCKET if passed + SdNotifyMode string `json:"sdnotifyMode,omitempty"` // Systemd tells libpod to setup the container in systemd mode Systemd bool `json:"systemd"` diff --git a/libpod/container_internal.go b/libpod/container_internal.go index 7a547e5659..12132cf414 100644 --- a/libpod/container_internal.go +++ b/libpod/container_internal.go @@ -24,6 +24,7 @@ import ( "github.com/containers/storage/pkg/archive" "github.com/containers/storage/pkg/idtools" "github.com/containers/storage/pkg/mount" + "github.com/coreos/go-systemd/v22/daemon" securejoin "github.com/cyphar/filepath-securejoin" spec "github.com/opencontainers/runtime-spec/specs-go" "github.com/opencontainers/runtime-tools/generate" @@ -1192,6 +1193,19 @@ func (c *Container) start() error { c.state.State = define.ContainerStateRunning + if c.config.SdNotifyMode != define.SdNotifyModeIgnore { + payload := fmt.Sprintf("MAINPID=%d", c.state.ConmonPID) + if c.config.SdNotifyMode == define.SdNotifyModeConmon { + payload += "\n" + payload += daemon.SdNotifyReady + } + if sent, err := daemon.SdNotify(false, payload); err != nil { + logrus.Errorf("Error notifying systemd of Conmon PID: %s", err.Error()) + } else if sent { + logrus.Debugf("Notify sent successfully") + } + } + if c.config.HealthCheckConfig != nil { if err := c.updateHealthStatus(define.HealthCheckStarting); err != nil { logrus.Error(err) diff --git a/libpod/define/config.go b/libpod/define/config.go index 900a363d8f..c436015545 100644 --- a/libpod/define/config.go +++ b/libpod/define/config.go @@ -75,3 +75,10 @@ const JSONLogging = "json-file" // NoLogging is the string conmon expects when specifying to use no log driver whatsoever const NoLogging = "none" + +// Strings used for --sdnotify option to podman +const ( + SdNotifyModeContainer = "container" + SdNotifyModeConmon = "conmon" + SdNotifyModeIgnore = "ignore" +) diff --git a/libpod/oci_conmon_exec_linux.go b/libpod/oci_conmon_exec_linux.go index 1a6fe827b9..4196bdcaf5 100644 --- a/libpod/oci_conmon_exec_linux.go +++ b/libpod/oci_conmon_exec_linux.go @@ -444,7 +444,7 @@ func (r *ConmonOCIRuntime) startExec(c *Container, sessionID string, options *Ex // } // } - conmonEnv, extraFiles, err := r.configureConmonEnv(runtimeDir) + conmonEnv, extraFiles, err := r.configureConmonEnv(c, runtimeDir) if err != nil { return nil, nil, err } diff --git a/libpod/oci_conmon_linux.go b/libpod/oci_conmon_linux.go index 98e436e785..5346223829 100644 --- a/libpod/oci_conmon_linux.go +++ b/libpod/oci_conmon_linux.go @@ -30,6 +30,7 @@ import ( "github.com/containers/libpod/v2/utils" pmount "github.com/containers/storage/pkg/mount" "github.com/coreos/go-systemd/v22/activation" + "github.com/coreos/go-systemd/v22/daemon" spec "github.com/opencontainers/runtime-spec/specs-go" "github.com/opencontainers/selinux/go-selinux" "github.com/opencontainers/selinux/go-selinux/label" @@ -365,8 +366,10 @@ func (r *ConmonOCIRuntime) StartContainer(ctr *Container) error { return err } env := []string{fmt.Sprintf("XDG_RUNTIME_DIR=%s", runtimeDir)} - if notify, ok := os.LookupEnv("NOTIFY_SOCKET"); ok { - env = append(env, fmt.Sprintf("NOTIFY_SOCKET=%s", notify)) + if ctr.config.SdNotifyMode == define.SdNotifyModeContainer { + if notify, ok := os.LookupEnv("NOTIFY_SOCKET"); ok { + env = append(env, fmt.Sprintf("NOTIFY_SOCKET=%s", notify)) + } } if path, ok := os.LookupEnv("PATH"); ok { env = append(env, fmt.Sprintf("PATH=%s", path)) @@ -887,6 +890,12 @@ func (r *ConmonOCIRuntime) createOCIContainer(ctr *Container, restoreOptions *Co } } + if ctr.config.SdNotifyMode == define.SdNotifyModeIgnore { + if err := os.Unsetenv("NOTIFY_SOCKET"); err != nil { + logrus.Warnf("Error unsetting NOTIFY_SOCKET %s", err.Error()) + } + } + args := r.sharedConmonArgs(ctr, ctr.ID(), ctr.bundlePath(), filepath.Join(ctr.state.RunDir, "pidfile"), ctr.LogPath(), r.exitsDir, ociLog, ctr.LogDriver(), logTag) if ctr.config.Spec.Process.Terminal { @@ -940,7 +949,7 @@ func (r *ConmonOCIRuntime) createOCIContainer(ctr *Container, restoreOptions *Co } // 0, 1 and 2 are stdin, stdout and stderr - conmonEnv, envFiles, err := r.configureConmonEnv(runtimeDir) + conmonEnv, envFiles, err := r.configureConmonEnv(ctr, runtimeDir) if err != nil { return err } @@ -1034,6 +1043,13 @@ func (r *ConmonOCIRuntime) createOCIContainer(ctr *Container, restoreOptions *Co // conmon not having a pid file is a valid state, so don't set it if we don't have it logrus.Infof("Got Conmon PID as %d", conmonPID) ctr.state.ConmonPID = conmonPID + if ctr.config.SdNotifyMode != define.SdNotifyModeIgnore { + if sent, err := daemon.SdNotify(false, fmt.Sprintf("MAINPID=%d", conmonPID)); err != nil { + logrus.Errorf("Error notifying systemd of Conmon PID: %s", err.Error()) + } else if sent { + logrus.Debugf("Notify MAINPID sent successfully") + } + } } if ctr.config.PreserveFDs > 0 { @@ -1137,7 +1153,7 @@ func prepareProcessExec(c *Container, cmd, env []string, tty bool, cwd, user, se // configureConmonEnv gets the environment values to add to conmon's exec struct // TODO this may want to be less hardcoded/more configurable in the future -func (r *ConmonOCIRuntime) configureConmonEnv(runtimeDir string) ([]string, []*os.File, error) { +func (r *ConmonOCIRuntime) configureConmonEnv(ctr *Container, runtimeDir string) ([]string, []*os.File, error) { env := make([]string, 0, 6) env = append(env, fmt.Sprintf("XDG_RUNTIME_DIR=%s", runtimeDir)) env = append(env, fmt.Sprintf("_CONTAINERS_USERNS_CONFIGURED=%s", os.Getenv("_CONTAINERS_USERNS_CONFIGURED"))) @@ -1149,8 +1165,10 @@ func (r *ConmonOCIRuntime) configureConmonEnv(runtimeDir string) ([]string, []*o env = append(env, fmt.Sprintf("HOME=%s", home)) extraFiles := make([]*os.File, 0) - if notify, ok := os.LookupEnv("NOTIFY_SOCKET"); ok { - env = append(env, fmt.Sprintf("NOTIFY_SOCKET=%s", notify)) + if ctr.config.SdNotifyMode == define.SdNotifyModeContainer { + if notify, ok := os.LookupEnv("NOTIFY_SOCKET"); ok { + env = append(env, fmt.Sprintf("NOTIFY_SOCKET=%s", notify)) + } } if !r.sdNotify { if listenfds, ok := os.LookupEnv("LISTEN_FDS"); ok { diff --git a/libpod/options.go b/libpod/options.go index c1a8fdbe1f..61d1676f13 100644 --- a/libpod/options.go +++ b/libpod/options.go @@ -4,6 +4,7 @@ import ( "net" "os" "path/filepath" + "strings" "syscall" "github.com/containers/common/pkg/config" @@ -22,6 +23,10 @@ import ( ) // Runtime Creation Options +var ( + // SdNotifyModeValues describes the only values that SdNotifyMode can be + SdNotifyModeValues = []string{define.SdNotifyModeContainer, define.SdNotifyModeConmon, define.SdNotifyModeIgnore} +) // WithStorageConfig uses the given configuration to set up container storage. // If this is not specified, the system default configuration will be used @@ -550,6 +555,23 @@ func WithSystemd() CtrCreateOption { } } +// WithSdNotifyMode sets the sd-notify method +func WithSdNotifyMode(mode string) CtrCreateOption { + return func(ctr *Container) error { + if ctr.valid { + return define.ErrCtrFinalized + } + + // verify values + if len(mode) > 0 && !util.StringInSlice(strings.ToLower(mode), SdNotifyModeValues) { + return errors.Wrapf(define.ErrInvalidArg, "--sdnotify values must be one of %q", strings.Join(SdNotifyModeValues, ", ")) + } + + ctr.config.SdNotifyMode = mode + return nil + } +} + // WithShmSize sets the size of /dev/shm tmpfs mount. func WithShmSize(size int64) CtrCreateOption { return func(ctr *Container) error { diff --git a/pkg/specgen/container_validate.go b/pkg/specgen/container_validate.go index 8063bee386..bf03ff0e7e 100644 --- a/pkg/specgen/container_validate.go +++ b/pkg/specgen/container_validate.go @@ -3,6 +3,7 @@ package specgen import ( "strings" + "github.com/containers/libpod/v2/libpod/define" "github.com/containers/libpod/v2/pkg/rootless" "github.com/containers/libpod/v2/pkg/util" "github.com/pkg/errors" @@ -13,6 +14,8 @@ var ( ErrInvalidSpecConfig = errors.New("invalid configuration") // SystemDValues describes the only values that SystemD can be SystemDValues = []string{"true", "false", "always"} + // SdNotifyModeValues describes the only values that SdNotifyMode can be + SdNotifyModeValues = []string{define.SdNotifyModeContainer, define.SdNotifyModeConmon, define.SdNotifyModeIgnore} // ImageVolumeModeValues describes the only values that ImageVolumeMode can be ImageVolumeModeValues = []string{"ignore", "tmpfs", "anonymous"} ) @@ -40,6 +43,10 @@ func (s *SpecGenerator) Validate() error { if len(s.ContainerBasicConfig.Systemd) > 0 && !util.StringInSlice(strings.ToLower(s.ContainerBasicConfig.Systemd), SystemDValues) { return errors.Wrapf(ErrInvalidSpecConfig, "--systemd values must be one of %q", strings.Join(SystemDValues, ", ")) } + // sdnotify values must be container, conmon, or ignore + if len(s.ContainerBasicConfig.SdNotifyMode) > 0 && !util.StringInSlice(strings.ToLower(s.ContainerBasicConfig.SdNotifyMode), SdNotifyModeValues) { + return errors.Wrapf(ErrInvalidSpecConfig, "--sdnotify values must be one of %q", strings.Join(SdNotifyModeValues, ", ")) + } // // ContainerStorageConfig diff --git a/pkg/specgen/generate/container_create.go b/pkg/specgen/generate/container_create.go index 1ab576869a..8df5b996e0 100644 --- a/pkg/specgen/generate/container_create.go +++ b/pkg/specgen/generate/container_create.go @@ -175,6 +175,10 @@ func createContainerOptions(ctx context.Context, rt *libpod.Runtime, s *specgen. options = append(options, libpod.WithSystemd()) } + if len(s.SdNotifyMode) > 0 { + options = append(options, libpod.WithSdNotifyMode(s.SdNotifyMode)) + } + if len(s.Name) > 0 { logrus.Debugf("setting container name %s", s.Name) options = append(options, libpod.WithName(s.Name)) diff --git a/pkg/specgen/specgen.go b/pkg/specgen/specgen.go index fe735bc1f1..b4e10fa87f 100644 --- a/pkg/specgen/specgen.go +++ b/pkg/specgen/specgen.go @@ -107,6 +107,11 @@ type ContainerBasicConfig struct { // If not specified, "false" will be assumed. // Optional. Systemd string `json:"systemd,omitempty"` + // Determine how to handle the NOTIFY_SOCKET - do we participate or pass it through + // "container" - let the OCI runtime deal with it, advertise conmon's MAINPID + // "conmon-only" - advertise conmon's MAINPID, send READY when started, don't pass to OCI + // "ignore" - unset NOTIFY_SOCKET + SdNotifyMode string `json:"sdnotifyMode,omitempty"` // Namespace is the libpod namespace the container will be placed in. // Optional. Namespace string `json:"namespace,omitempty"` diff --git a/vendor/github.com/coreos/go-systemd/v22/daemon/sdnotify.go b/vendor/github.com/coreos/go-systemd/v22/daemon/sdnotify.go new file mode 100644 index 0000000000..ba4ae31f19 --- /dev/null +++ b/vendor/github.com/coreos/go-systemd/v22/daemon/sdnotify.go @@ -0,0 +1,84 @@ +// Copyright 2014 Docker, Inc. +// Copyright 2015-2018 CoreOS, Inc. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// + +// Package daemon provides a Go implementation of the sd_notify protocol. +// It can be used to inform systemd of service start-up completion, watchdog +// events, and other status changes. +// +// https://www.freedesktop.org/software/systemd/man/sd_notify.html#Description +package daemon + +import ( + "net" + "os" +) + +const ( + // SdNotifyReady tells the service manager that service startup is finished + // or the service finished loading its configuration. + SdNotifyReady = "READY=1" + + // SdNotifyStopping tells the service manager that the service is beginning + // its shutdown. + SdNotifyStopping = "STOPPING=1" + + // SdNotifyReloading tells the service manager that this service is + // reloading its configuration. Note that you must call SdNotifyReady when + // it completed reloading. + SdNotifyReloading = "RELOADING=1" + + // SdNotifyWatchdog tells the service manager to update the watchdog + // timestamp for the service. + SdNotifyWatchdog = "WATCHDOG=1" +) + +// SdNotify sends a message to the init daemon. It is common to ignore the error. +// If `unsetEnvironment` is true, the environment variable `NOTIFY_SOCKET` +// will be unconditionally unset. +// +// It returns one of the following: +// (false, nil) - notification not supported (i.e. NOTIFY_SOCKET is unset) +// (false, err) - notification supported, but failure happened (e.g. error connecting to NOTIFY_SOCKET or while sending data) +// (true, nil) - notification supported, data has been sent +func SdNotify(unsetEnvironment bool, state string) (bool, error) { + socketAddr := &net.UnixAddr{ + Name: os.Getenv("NOTIFY_SOCKET"), + Net: "unixgram", + } + + // NOTIFY_SOCKET not set + if socketAddr.Name == "" { + return false, nil + } + + if unsetEnvironment { + if err := os.Unsetenv("NOTIFY_SOCKET"); err != nil { + return false, err + } + } + + conn, err := net.DialUnix(socketAddr.Net, nil, socketAddr) + // Error connecting to NOTIFY_SOCKET + if err != nil { + return false, err + } + defer conn.Close() + + if _, err = conn.Write([]byte(state)); err != nil { + return false, err + } + return true, nil +} diff --git a/vendor/github.com/coreos/go-systemd/v22/daemon/watchdog.go b/vendor/github.com/coreos/go-systemd/v22/daemon/watchdog.go new file mode 100644 index 0000000000..7a0e0d3a51 --- /dev/null +++ b/vendor/github.com/coreos/go-systemd/v22/daemon/watchdog.go @@ -0,0 +1,73 @@ +// Copyright 2016 CoreOS, Inc. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package daemon + +import ( + "fmt" + "os" + "strconv" + "time" +) + +// SdWatchdogEnabled returns watchdog information for a service. +// Processes should call daemon.SdNotify(false, daemon.SdNotifyWatchdog) every +// time / 2. +// If `unsetEnvironment` is true, the environment variables `WATCHDOG_USEC` and +// `WATCHDOG_PID` will be unconditionally unset. +// +// It returns one of the following: +// (0, nil) - watchdog isn't enabled or we aren't the watched PID. +// (0, err) - an error happened (e.g. error converting time). +// (time, nil) - watchdog is enabled and we can send ping. +// time is delay before inactive service will be killed. +func SdWatchdogEnabled(unsetEnvironment bool) (time.Duration, error) { + wusec := os.Getenv("WATCHDOG_USEC") + wpid := os.Getenv("WATCHDOG_PID") + if unsetEnvironment { + wusecErr := os.Unsetenv("WATCHDOG_USEC") + wpidErr := os.Unsetenv("WATCHDOG_PID") + if wusecErr != nil { + return 0, wusecErr + } + if wpidErr != nil { + return 0, wpidErr + } + } + + if wusec == "" { + return 0, nil + } + s, err := strconv.Atoi(wusec) + if err != nil { + return 0, fmt.Errorf("error converting WATCHDOG_USEC: %s", err) + } + if s <= 0 { + return 0, fmt.Errorf("error WATCHDOG_USEC must be a positive number") + } + interval := time.Duration(s) * time.Microsecond + + if wpid == "" { + return interval, nil + } + p, err := strconv.Atoi(wpid) + if err != nil { + return 0, fmt.Errorf("error converting WATCHDOG_PID: %s", err) + } + if os.Getpid() != p { + return 0, nil + } + + return interval, nil +} diff --git a/vendor/modules.txt b/vendor/modules.txt index 12f44afea3..5183ef19b3 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -200,6 +200,7 @@ github.com/containers/storage/pkg/unshare github.com/coreos/go-iptables/iptables # github.com/coreos/go-systemd/v22 v22.1.0 github.com/coreos/go-systemd/v22/activation +github.com/coreos/go-systemd/v22/daemon github.com/coreos/go-systemd/v22/dbus github.com/coreos/go-systemd/v22/internal/dlopen github.com/coreos/go-systemd/v22/journal From 10ad46eb7377ff504a65783a7a604b248b50f20a Mon Sep 17 00:00:00 2001 From: Ed Santiago Date: Wed, 1 Jul 2020 13:43:38 -0600 Subject: [PATCH 2/2] BATS system tests for new sdnotify Signed-off-by: Ed Santiago --- test/system/260-sdnotify.bats | 142 ++++++++++++++++++++++++++++++++++ 1 file changed, 142 insertions(+) create mode 100644 test/system/260-sdnotify.bats diff --git a/test/system/260-sdnotify.bats b/test/system/260-sdnotify.bats new file mode 100644 index 0000000000..c37eea15a0 --- /dev/null +++ b/test/system/260-sdnotify.bats @@ -0,0 +1,142 @@ +#!/usr/bin/env bats -*- bats -*- +# +# Tests for systemd sdnotify +# + +load helpers + +# Shared throughout this module: PID of socat process, and path to its log +_SOCAT_PID= +_SOCAT_LOG= + +function setup() { + skip_if_remote + + # TODO: remove this once CI systems have newer crun and container-selinux + skip "TEMPORARY SKIP - until CI systems get new crun, container-selinux" + + basic_setup +} + +function teardown() { + unset NOTIFY_SOCKET + + _stop_socat + + basic_teardown +} + +############################################################################### +# BEGIN helpers + +# Run socat process on a socket, logging to well-known path. Each received +# packet is logged with a newline appended, for ease of parsing the log file. +function _start_socat() { + _SOCAT_LOG="$PODMAN_TMPDIR/socat.log" + + rm -f $_SOCAT_LOG + socat unix-recvfrom:"$NOTIFY_SOCKET",fork \ + system:"(cat;echo) >> $_SOCAT_LOG" & + _SOCAT_PID=$! +} + +# Stop the socat background process and clean up logs +function _stop_socat() { + if [[ -n "$_SOCAT_PID" ]]; then + kill $_SOCAT_PID + fi + _SOCAT_PID= + + if [[ -n "$_SOCAT_LOG" ]]; then + rm -f $_SOCAT_LOG + fi +} + +# Check that MAINPID=xxxxx points to a running conmon process +function _assert_mainpid_is_conmon() { + local mainpid=$(expr "$1" : "MAINPID=\([0-9]\+\)") + test -n "$mainpid" || die "Could not parse '$1' as 'MAINPID=nnnn'" + + test -d /proc/$mainpid || die "sdnotify MAINPID=$mainpid - but /proc/$mainpid does not exist" + + # e.g. /proc/12345/exe -> /usr/bin/conmon + local mainpid_bin=$(readlink /proc/$mainpid/exe) + is "$mainpid_bin" ".*/conmon" "sdnotify MAINPID=$mainpid is conmon process" +} + +# END helpers +############################################################################### +# BEGIN tests themselves + +@test "sdnotify : ignore" { + export NOTIFY_SOCKET=$PODMAN_TMPDIR/ignore.sock + _start_socat + + run_podman 1 run --rm --sdnotify=ignore $IMAGE printenv NOTIFY_SOCKET + is "$output" "" "\$NOTIFY_SOCKET in container" + + is "$(< $_SOCAT_LOG)" "" "nothing received on socket" + _stop_socat +} + +@test "sdnotify : conmon" { + export NOTIFY_SOCKET=$PODMAN_TMPDIR/conmon.sock + _start_socat + + run_podman run -d --name sdnotify_conmon_c \ + --sdnotify=conmon \ + $IMAGE \ + sh -c 'printenv NOTIFY_SOCKET;echo READY;while ! test -f /stop;do sleep 0.1;done' + cid="$output" + wait_for_ready $cid + + run_podman logs sdnotify_conmon_c + is "$output" "READY" "\$NOTIFY_SOCKET in container" + + run cat $_SOCAT_LOG + is "${lines[-1]}" "READY=1" "final output from sdnotify" + + _assert_mainpid_is_conmon "${lines[0]}" + + # Done. Stop container, clean up. + run_podman exec $cid touch /stop + run_podman rm $cid + _stop_socat +} + +@test "sdnotify : container" { + # Sigh... we need to pull a humongous image because it has systemd-notify. + # FIXME: is there a smaller image we could use? + _FEDORA=registry.fedoraproject.org/fedora:latest + + # Pull that image. Retry in case of flakes. + run_podman pull $_FEDORA || \ + run_podman pull $_FEDORA || \ + run_podman pull $_FEDORA + + export NOTIFY_SOCKET=$PODMAN_TMPDIR/container.sock + _start_socat + + run_podman run -d --sdnotify=container $_FEDORA \ + sh -c 'printenv NOTIFY_SOCKET;echo READY;systemd-notify --ready;while ! test -f /stop;do sleep 0.1;done' + cid="$output" + wait_for_ready $cid + + run_podman logs $cid + is "${lines[0]}" "/.*/container\.sock/notify" "NOTIFY_SOCKET is passed to container" + + # With container, READY=1 isn't necessarily the last message received; + # just look for it anywhere in received messages + run cat $_SOCAT_LOG + is "$output" ".*READY=1" "received READY=1 through notify socket" + + _assert_mainpid_is_conmon "${lines[0]}" + + # Done. Stop container, clean up. + run_podman exec $cid touch /stop + run_podman rm $cid + run_podman rmi $_FEDORA + _stop_socat +} + +# vim: filetype=sh