crun hangs when an OCI hook exists non-zero

[vrothberg]

Didn't look into the code yet but it's a reproducer in 100 percent of the cases.

[giuseppe]

@vrothberg had a chance to try with the master version and the fix for OCI hooks that went in?

[vrothberg]

Yes, still happening on my machine.

[giuseppe]

could you provide me the reproducer?

[vrothberg]

I can reproduce on F31 with the latest crun (master) and the hook from https://github.com/containers/oci-seccomp-bpf-hook. A quick reproducer is to let main() of the hook do an os.Exit(1). The symptom is that podman/crun will hang.

[giuseppe]

could you quickly verify what processes are running? Is the "podman cleanup" process running?

[giuseppe]

the issue I am seeing can be reproduced with:

$ echo "exit 1" >> /tmp/runtime.sh
$ chmod +x /tmp/runtime.sh
$ podman --runtime /tmp/runtime.sh run --rm -ti alpine true

podman hangs

[giuseppe]

the issue I've seen is fixed with: containers/conmon#76

[rhatdan]

PR Is closed, could you guys build a new conmon and verify that this issue is fixed. Then lets get the new conmon released to Fedora 31.

[vrothberg]

I can confirm that it's an issue in conmon. Thanks for looking into it, @giuseppe!

[vrothberg]

containers/conmon#76 works but I'm not satisfied with the error...

Error: error reading container (probably exited) json message: EOF

Usually, we get better errors. I will experiment a bit to see what might trigger it. Ultimately, I consider this specific issue to be solved and will close the issue. Again, thanks @giuseppe !