Fix podman system reset deletes the podman.sock
#25504
Conversation
openshift-ci
bot
added
release-note
do-not-merge/work-in-progress
Honny1
force-pushed
the
sys-reset-podman-socket
branch
from
cc60309 to
901e4d4
Compare
There was a problem hiding this comment.
Mhh, I am not sure this is a sane expectation.
There is a fundamental issue here. There is one podman.service but there can be many separate podman instances under the same user (i.e. --root/-runroot). When you rest one it should not bring down the global socket that is totally unrelated IMO.
At least in e2e tests this is a total no go as it "breaks" user systems by doing this. The e2e tests should not touch the global podman instance.
What is exactly deleting the socket here? I don't see it in the reset code.
cc @mheon
|
@Luap99 When we discussed this, my understanding was that we already took down the |
Ah machine reset... I was looking at the libpod reset! It should certainly only reset files we care about. But the raises some rather bad side effects as none of the machine code is isolated paths wise which means running e2e locally wipe my machines which they really should not. I mean not deleting the socket is an option but I am not sure if that improves things enough, if the podman service is running while you do system reset I doubt the service can ever be in a sane state and should be restarted. I don't know if restarting the socket automatically stop and restarts the service as well. Logically if we really want to deal with these issues we likely should start by stopping the podman.service when running system reset. And then check if we still have to restart the socket or not then. But even with all that I am not convinced that this is right due the possibility of --root/--runroot, etc... Sure that is not a common use case but we use that heavily for testing. A system reset should then not all of the sudden touch other things. |
|
If we can identify the owner of podman.sock, and if we know that it is not managed by systemd, I think it would be reasonable to skip the restart-the-service step. If it was started by systemd, we don't care if |
|
Though, this raises the question: how can we tell if |
Connect to the socket via the remote bindings, then check if reset process graphroot equals our service graphroot. Also not here we cannot have any hard requirements on systemd. Podman must work without systemd and so far looking at this it always tries to use systemd which of course will fail on non systemd distros or in a container, etc... I really don't want to deal with all these complexities here, I personally rather just say the user is responsible for restart the systemd unit if they use it. |
|
Sounds OK to me. I'll poke @baude as it is |
Honny1
force-pushed
the
sys-reset-podman-socket
branch
3 times, most recently
from
b4776e3 to
f887f90
Compare
openshift-ci
bot
removed
the
do-not-merge/work-in-progress
test/e2e/system_reset_test.go
Outdated
| It("system reset - restart socket", func() { | ||
| SkipIfRemote("system reset not supported on podman --remote") | ||
| SkipIfNotActive("podman.socket", "podman.socket is not active") | ||
|
|
||
| session := podmanTest.PodmanExitCleanly("info", "--format", "{{.Host.RemoteSocket.Path}}") | ||
| socketPath := session.OutputToString() | ||
|
|
||
| curlBeforeReset := StartSystemExec("curl", []string{"-s", "--max-time", "3", "--unix-socket", socketPath, "http://localhost/libpod/_ping"}) | ||
| curlBeforeReset.WaitWithDefaultTimeout() | ||
| Expect(curlBeforeReset).Should(ExitCleanly()) | ||
| Expect(curlBeforeReset.OutputToString()).Should(Equal("OK")) | ||
|
|
||
| podmanTest.PodmanExitCleanly("system", "reset", "--force") | ||
|
|
||
| curlAfterReset := StartSystemExec("curl", []string{"-s", "--max-time", "3", "--unix-socket", socketPath, "http://localhost/libpod/_ping"}) | ||
| curlAfterReset.WaitWithDefaultTimeout() | ||
| Expect(curlAfterReset).Should(ExitCleanly()) | ||
| Expect(curlAfterReset.OutputToString()).Should(Equal("OK")) | ||
| }) |
There was a problem hiding this comment.
This test does not seem useful, it assumes the podman.service works while e2e tests generally should be fully isolated.
And the socket is disabled in all our CI envs AFAIK so the test is effectively skipped in CI thus there is no coverage either.
I don't think curl is needed either. If we really want to test then it seems enough to test if socket path exist before rest if it does it must exist after reset, so a simple
Expect(path).To(BeAnExistingFile()) should be enough.
But maybe no test works best. Or if we want a test maybe in test/system as better as we do require full ownership over the storage there.
There was a problem hiding this comment.
Okay, I didn't know that. I will remove test.
Honny1
force-pushed
the
sys-reset-podman-socket
branch
from
f887f90 to
d0437a3
Compare
Honny1
added
the
No New Tests
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: Honny1, Luap99 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
| } | ||
| for _, file := range files { | ||
| if file.Name() != excludeFile { | ||
| if err := os.RemoveAll(filepath.Join(path, file.Name())); err != nil { |
There was a problem hiding this comment.
Shouldn't you use GuardedRemoveAll here for safety?
There was a problem hiding this comment.
It is not needed because iteration over the contents of the directory is performed. However, the same check could be used to make sure it doesn't remove the contents of the / directory.
…mmand The `podman system reset` removes the `RunDirectory` directory as part of the machine reset, where `podman.sock` is usually stored. Fixes: https://issues.redhat.com/browse/RHEL-71320 Signed-off-by: Jan Rodák <[email protected]>
Honny1
force-pushed
the
sys-reset-podman-socket
branch
from
d0437a3 to
41924f8
Compare
|
/packit rebuild-failed |
|
/lgtm |
stale-locking-app
bot
added
the
locked - please file new issue/PR
This PR prevents the removal of the
podman.sockfile using thepodman system resetcommand.The
podman system resetremoves theRunDirectorydirectory as part of the podman machine reset, wherepodman.sockis usually stored.Fixes: https://issues.redhat.com/browse/RHEL-71320
Does this PR introduce a user-facing change?