Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

podman generate systemd yields file, that does not allow shutting down of a container without error #11304

Closed
polygamma opened this issue Aug 22, 2021 · 9 comments · Fixed by #11312 or #11315
Closed

podman generate systemd yields file, that does not allow shutting down of a container without error #11304

polygamma opened this issue Aug 22, 2021 · 9 comments · Fixed by #11312 or #11315
Labels
kind/bug Categorizes issue or PR as related to a bug. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.

Comments

@polygamma
Copy link

polygamma commented Aug 22, 2021
edited
Loading

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind bug

Description

With Podman 3.3.0 the podman generate systemd command yields a file, that does not allow shutting down of a container without error.

With Podman 3.2.3 everything works as expected.

Steps to reproduce the issue:

sudo podman create -t --rm --name test --privileged --network='host' --ipc='host' --systemd='true' docker.io/archlinux/archlinux:base /sbin/init
sudo podman generate systemd --name --new --restart-policy=always test | sudo tee /etc/systemd/system/container-test.service > /dev/null
sudo podman container rm --force test
sudo systemctl daemon-reload
sudo systemctl start container-test
sudo systemctl stop container-test
sudo systemctl status container-test

Podman 3.2.3

[jonny@jonny-arch-pc ~]$ sudo systemctl status container-test
○ container-test.service - Podman container-test.service
     Loaded: loaded (/etc/systemd/system/container-test.service; disabled; vendor preset: disabled)
     Active: inactive (dead)
       Docs: man:podman-generate-systemd(1)

Aug 22 15:49:26 jonny-arch-pc podman[5689]: fb2d972832ef417189b323a04f0b8616c14af58d832a72c9b4260eb665fefcb2
Aug 22 15:49:26 jonny-arch-pc systemd[1]: Started Podman container-test.service.
Aug 22 15:49:32 jonny-arch-pc systemd[1]: Stopping Podman container-test.service...
Aug 22 15:49:33 jonny-arch-pc podman[6184]: 2021-08-22 15:49:33.251663887 +0200 CEST m=+0.382890167 container stop fb2d972832ef417189b323a04f0b8616c14af58d832a72c9b4260eb665fefcb2 (image=do>
Aug 22 15:49:33 jonny-arch-pc podman[6184]: 2021-08-22 15:49:33.371108128 +0200 CEST m=+0.502334199 container died fb2d972832ef417189b323a04f0b8616c14af58d832a72c9b4260eb665fefcb2 (image=do>
Aug 22 15:49:33 jonny-arch-pc podman[6184]: fb2d972832ef417189b323a04f0b8616c14af58d832a72c9b4260eb665fefcb2
Aug 22 15:49:33 jonny-arch-pc podman[6378]: 2021-08-22 15:49:33.980500229 +0200 CEST m=+0.349547381 container remove fb2d972832ef417189b323a04f0b8616c14af58d832a72c9b4260eb665fefcb2 (image=>
Aug 22 15:49:33 jonny-arch-pc podman[6378]: fb2d972832ef417189b323a04f0b8616c14af58d832a72c9b4260eb665fefcb2
Aug 22 15:49:34 jonny-arch-pc systemd[1]: container-test.service: Deactivated successfully.
Aug 22 15:49:34 jonny-arch-pc systemd[1]: Stopped Podman container-test.service.

Podman 3.3.0

[jonny@jonny-arch-pc ~]$ sudo systemctl status container-test
× container-test.service - Podman container-test.service
     Loaded: loaded (/etc/systemd/system/container-test.service; disabled; vendor preset: disabled)
     Active: failed (Result: timeout) since Sun 2021-08-22 15:47:31 CEST; 11s ago
       Docs: man:podman-generate-systemd(1)
    Process: 2539 ExecStart=/usr/bin/podman run --sdnotify=conmon --cgroups=no-conmon --rm -d --replace -t --name test --privileged --network=host --ipc=host --systemd=true docker.io/archli>
   Main PID: 2539 (code=killed, signal=KILL)
        CPU: 226ms

Aug 22 15:46:14 jonny-arch-pc podman[2499]: 2021-08-22 15:46:14.198619042 +0200 CEST m=+0.475849327 container init c7bcc08f94142b624e45047f1c13c2de9b2f7ae59d444cca1b10563607f7b543 (image=do>
Aug 22 15:46:14 jonny-arch-pc systemd[1]: Started Podman container-test.service.
Aug 22 15:46:14 jonny-arch-pc podman[2499]: 2021-08-22 15:46:14.240357293 +0200 CEST m=+0.517587581 container start c7bcc08f94142b624e45047f1c13c2de9b2f7ae59d444cca1b10563607f7b543 (image=d>
Aug 22 15:46:14 jonny-arch-pc podman[2499]: c7bcc08f94142b624e45047f1c13c2de9b2f7ae59d444cca1b10563607f7b543
Aug 22 15:46:21 jonny-arch-pc systemd[1]: Stopping Podman container-test.service...
Aug 22 15:47:31 jonny-arch-pc systemd[1]: container-test.service: State 'stop-sigterm' timed out. Killing.
Aug 22 15:47:31 jonny-arch-pc systemd[1]: container-test.service: Killing process 2539 (conmon) with signal SIGKILL.
Aug 22 15:47:31 jonny-arch-pc systemd[1]: container-test.service: Main process exited, code=killed, status=9/KILL
Aug 22 15:47:31 jonny-arch-pc systemd[1]: container-test.service: Failed with result 'timeout'.
Aug 22 15:47:31 jonny-arch-pc systemd[1]: Stopped Podman container-test.service.

Describe the results you received:

Status of the systemd service is Active: failed (Result: timeout)

Describe the results you expected:

Status of the systemd service should be Active: inactive (dead)

Output of podman version:

Version:      3.3.0
API Version:  3.3.0
Go Version:   go1.17
Git Commit:   98f252a3a1a8f1ee00f9f96c6ba00500954b5093-dirty
Built:        Sat Aug 21 13:48:18 2021
OS/Arch:      linux/amd64

Output of podman info --debug:

host:
  arch: amd64
  buildahVersion: 1.22.3
  cgroupControllers:
  - cpuset
  - cpu
  - io
  - memory
  - hugetlb
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: /usr/bin/conmon is owned by conmon 1:2.0.29-1
    path: /usr/bin/conmon
    version: 'conmon version 2.0.29, commit: 7e6de6678f6ed8a18661e1d5721b81ccee293b9b'
  cpus: 8
  distribution:
    distribution: arch
    version: unknown
  eventLogger: journald
  hostname: jonny-arch-pc
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 5.10.60-1-lts
  linkmode: dynamic
  memFree: 12780802048
  memTotal: 16740794368
  ociRuntime:
    name: crun
    package: /usr/bin/crun is owned by crun 0.21-1
    path: /usr/bin/crun
    version: |-
      crun version 0.21
      commit: c4c3cdf2ce408ed44a9e027c618473e6485c635b
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL
  os: linux
  remoteSocket:
    path: /run/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: false
    seccompEnabled: true
    seccompProfilePath: /etc/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: /usr/bin/slirp4netns is owned by slirp4netns 1.1.12-1
    version: |-
      slirp4netns version 1.1.12
      commit: 7a104a101aa3278a2152351a082a6df71f57c9a3
      libslirp: 4.6.1
      SLIRP_CONFIG_VERSION_MAX: 3
      libseccomp: 2.5.1
  swapFree: 0
  swapTotal: 0
  uptime: 14m 58.44s
registries: {}
store:
  configFile: /etc/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: overlay
  graphOptions:
    overlay.mountopt: nodev
  graphRoot: /var/lib/containers/storage
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "true"
  imageStore:
    number: 0
  runRoot: /run/containers/storage
  volumePath: /var/lib/containers/storage/volumes
version:
  APIVersion: 3.3.0
  Built: 1629546498
  BuiltTime: Sat Aug 21 13:48:18 2021
  GitCommit: 98f252a3a1a8f1ee00f9f96c6ba00500954b5093-dirty
  GoVersion: go1.17
  OsArch: linux/amd64
  Version: 3.3.0

Package info (e.g. output of rpm -q podman or apt list podman):

[jonny@jonny-arch-pc ~]$ pacman -Qi podman
Name            : podman
Version         : 3.3.0-1
Description     : Tool and library for running OCI-based containers in pods
Architecture    : x86_64
URL             : https://github.com/containers/podman
Licenses        : Apache
Groups          : None
Provides        : None
Depends On      : cni-plugins  conmon  containers-common  device-mapper
                  iptables  libseccomp  crun  slirp4netns  libsystemd
                  fuse-overlayfs  libgpgme.so=11-64
Optional Deps   : podman-docker: for Docker-compatible CLI
                  btrfs-progs: support btrfs backend devices [installed]
                  catatonit: --init flag support
                  crun: support for unified cgroupsv2 [installed]
Required By     : None
Optional For    : None
Conflicts With  : None
Replaces        : None
Installed Size  : 71.69 MiB
Packager        : Morten Linderud <foxboron@archlinux.org>
Build Date      : Sat 21 Aug 2021 01:48:18 PM CEST
Install Date    : Sun 22 Aug 2021 03:52:25 PM CEST
Install Reason  : Explicitly installed
Install Script  : No
Validated By    : Signature

Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide? (https://github.com/containers/podman/blob/master/troubleshooting.md)

Yes
@openshift-ci openshift-ci bot added the kind/bug Categorizes issue or PR as related to a bug. label Aug 22, 2021
@vrothberg
Copy link
Member

Thanks for reaching out, @polygamma!

Aug 22 15:46:21 jonny-arch-pc systemd[1]: Stopping Podman container-test.service...
Aug 22 15:47:31 jonny-arch-pc systemd[1]: container-test.service: State 'stop-sigterm' timed out. Killing.

What's happening is that the container doesn't shutdown on SIGTERM, so systemd is using the big SIGKILL hammer.

We dropped the custom ExecStop in 3.3 where we used podman stop/rm etc. to handle shutdown gracefully. While shutdown is still working, I understand that it may be preferable not to leave the units in a failed state.

@rhatdan @Luap99 @mheon any ideas?

@Luap99
Copy link
Member

Luap99 commented Aug 23, 2021

@vrothberg The problem is that systemd is running inside the container and systemd expects SIGRTMIN+3 as stop signal. podman stop knows this and uses the correct signal. Users could also overwrite the stop signal at container creation in this case podman stop would also be needed. Therefore I think the unit should always use ExecStop=podman stop ... to properly function in all cases.

@vrothberg
Copy link
Member

I share your opinion, @Luap99. Note that it also fails in simpler scenarios just running alpine top.

@mheon
Copy link
Member

mheon commented Aug 23, 2021

Can you expand on why we dropped the custom ExecStop - was it causing issues on system shutdown? How so?

I think, if we have to choose between the two, it's a lot more important that user-initiated systemctl stop works well than system shutdown.

@vrothberg
Copy link
Member

Can you expand on why we dropped the custom ExecStop - was it causing issues on system shutdown? How so?

We wanted to get rid of using --cidfile.

I think, if we have to choose between the two, it's a lot more important that user-initiated systemctl stop works well than system shutdown.

I concur, systemctl stop must work. We still have a week until the RHEL deadline, so I think we should get it back.

vrothberg added a commit to vrothberg/libpod that referenced this issue Aug 23, 2021
@vrothberg
generate systemd: custom stop signal
01151c2 
Commit 9ac5267 changed the type of the generated systemd units from
forking to notify.  Parts of these changes was also removing the need to
pass any information via the file system (e.g., PIDFILE, container ID).
That in turn implies that systemd takes care of stopping the container.

By default, systemd first sends a SIGTERM and after a certain timeout,
it'll send a SIGKILL.  That's pretty much what Podman is doing, unless
the container was created with a custom stop signal which is the case
when the --stop-signal flag was used or systemd is mounted.

Account for that by using systemd's KillSignal option which allows for
changing SIGTERM to another signal.  Also make sure that we're using the
correct timeout.

Fixes: containers#11304
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
@vrothberg vrothberg mentioned this issue Aug 23, 2021
Merged
@vrothberg
Copy link
Member

@polygamma, any chance you try rerunning with #11312?

vrothberg added a commit to vrothberg/libpod that referenced this issue Aug 24, 2021
@vrothberg
generate systemd: custom stop signal
753f6dc 
Commit 9ac5267 changed the type of the generated systemd units from
forking to notify.  Parts of these changes was also removing the need to
pass any information via the file system (e.g., PIDFILE, container ID).
That in turn implies that systemd takes care of stopping the container.

By default, systemd first sends a SIGTERM and after a certain timeout,
it'll send a SIGKILL.  That's pretty much what Podman is doing, unless
the container was created with a custom stop signal which is the case
when the --stop-signal flag was used or systemd is mounted.

Account for that by using systemd's KillSignal option which allows for
changing SIGTERM to another signal.  Also make sure that we're using the
correct timeout.

Fixes: containers#11304
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
vrothberg added a commit to vrothberg/libpod that referenced this issue Aug 24, 2021
@vrothberg
generate systemd: custom stop signal
1c74703 
Commit 9ac5267 changed the type of the generated systemd units from
forking to notify.  Parts of these changes was also removing the need to
pass any information via the file system (e.g., PIDFILE, container ID).
That in turn implies that systemd takes care of stopping the container.

By default, systemd first sends a SIGTERM and after a certain timeout,
it'll send a SIGKILL.  That's pretty much what Podman is doing, unless
the container was created with a custom stop signal which is the case
when the --stop-signal flag was used or systemd is mounted.

Account for that by using systemd's KillSignal option which allows for
changing SIGTERM to another signal.  Also make sure that we're using the
correct timeout for units generated with --new.

Fixes: containers#11304
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
vrothberg added a commit to vrothberg/libpod that referenced this issue Aug 24, 2021
@vrothberg
generate systemd: custom stop signal
70801b3 
Commit 9ac5267 changed the type of the generated systemd units from
forking to notify.  Parts of these changes was also removing the need to
pass any information via the file system (e.g., PIDFILE, container ID).
That in turn implies that systemd takes care of stopping the container.

By default, systemd first sends a SIGTERM and after a certain timeout,
it'll send a SIGKILL.  That's pretty much what Podman is doing, unless
the container was created with a custom stop signal which is the case
when the --stop-signal flag was used or systemd is mounted.

Account for that by using systemd's KillSignal option which allows for
changing SIGTERM to another signal.  Also make sure that we're using the
correct timeout for units generated with --new.

Fixes: containers#11304
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
@polygamma
Copy link
Author

polygamma commented Aug 24, 2021
edited
Loading

@vrothberg

@polygamma, any chance you try rerunning with #11312?

It works "better", since the systemctl stop terminates immediately, but it still fails.

[jonny@jonny-work-pc ~]$ sudo systemctl status container-test
× container-test.service - Podman container-test.service
     Loaded: loaded (/etc/systemd/system/container-test.service; disabled; vendor preset: disabled)
     Active: failed (Result: signal) since Tue 2021-08-24 11:58:11 CEST; 42s ago
       Docs: man:podman-generate-systemd(1)
    Process: 3120 ExecStart=/usr/bin/podman run --cgroups=no-conmon --rm --sdnotify=conmon -d --replace -t --name test --privileged --network=host --ipc=host --systemd=true docker.io/archli>
   Main PID: 3120 (code=killed, signal=RTMIN+3)
        CPU: 167ms

Aug 24 11:57:59 jonny-work-pc podman[3081]: 2021-08-24 11:57:59.607832844 +0200 CEST m=+0.028930879 image pull  docker.io/archlinux/archlinux:base
Aug 24 11:58:00 jonny-work-pc podman[3081]: 2021-08-24 11:58:00.183792866 +0200 CEST m=+0.604890952 container create 7f18f8b449233aa5f3a339b63285655f63a69009529afa570235cb5f2709ecdd (image=>
Aug 24 11:58:00 jonny-work-pc podman[3081]: 2021-08-24 11:58:00.548624061 +0200 CEST m=+0.969722140 container init 7f18f8b449233aa5f3a339b63285655f63a69009529afa570235cb5f2709ecdd (image=do>
Aug 24 11:58:00 jonny-work-pc systemd[1]: Started Podman container-test.service.
Aug 24 11:58:00 jonny-work-pc podman[3081]: 2021-08-24 11:58:00.642316377 +0200 CEST m=+1.063414461 container start 7f18f8b449233aa5f3a339b63285655f63a69009529afa570235cb5f2709ecdd (image=d>
Aug 24 11:58:00 jonny-work-pc podman[3081]: 7f18f8b449233aa5f3a339b63285655f63a69009529afa570235cb5f2709ecdd
Aug 24 11:58:11 jonny-work-pc systemd[1]: Stopping Podman container-test.service...
Aug 24 11:58:11 jonny-work-pc systemd[1]: container-test.service: Main process exited, code=killed, status=37/RTMIN+3
Aug 24 11:58:11 jonny-work-pc systemd[1]: container-test.service: Failed with result 'signal'.
Aug 24 11:58:11 jonny-work-pc systemd[1]: Stopped Podman container-test.service.

@vrothberg vrothberg reopened this Aug 24, 2021
vrothberg added a commit to vrothberg/libpod that referenced this issue Aug 24, 2021
@vrothberg
generate systemd: use --cidfile again
83fcad9 
Commit 9ac5267 changed the type of the generated systemd units from
`forking` to `notify`.  It further stopped using `--cidfile` and instead
intended systemd to take care of stopping the container, which turned
out to be a bad idea.

Systemd will send the stop/kill signals to conmon which in turn may exit
non-zero, depending on the signal, and ultimately breaking container
cleanup.

Hence, we need to use --cidfile again and let podman stop and remove the
container to make sure that everything's in order.

Fixes: containers#11304
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
@vrothberg vrothberg mentioned this issue Aug 24, 2021
Merged
@vrothberg
Copy link
Member

#11315 will restore the previous behavior. This time for real :^)

@polygamma
Copy link
Author

@vrothberg

#11315 will restore the previous behavior. This time for real :^)

Works as intended now :)

vrothberg added a commit to vrothberg/libpod that referenced this issue Aug 24, 2021
@vrothberg
generate systemd: use --cidfile again
274d6fa 
Commit 9ac5267 changed the type of the generated systemd units from
`forking` to `notify`.  It further stopped using `--cidfile` and instead
intended systemd to take care of stopping the container, which turned
out to be a bad idea.

Systemd will send the stop/kill signals to conmon which in turn may exit
non-zero, depending on the signal, and ultimately breaking container
cleanup.

Hence, we need to use --cidfile again and let podman stop and remove the
container to make sure that everything's in order.

Fixes: containers#11304
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
vrothberg added a commit to vrothberg/libpod that referenced this issue Aug 25, 2021
@vrothberg
generate systemd: use --cidfile again
8228182 
Commit 9ac5267 changed the type of the generated systemd units from
`forking` to `notify`.  It further stopped using `--cidfile` and instead
intended systemd to take care of stopping the container, which turned
out to be a bad idea.

Systemd will send the stop/kill signals to conmon which in turn may exit
non-zero, depending on the signal, and ultimately breaking container
cleanup.

Hence, we need to use --cidfile again and let podman stop and remove the
container to make sure that everything's in order.

Backport of commit 74ab2aa.

Fixes: containers#11304
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
@vrothberg vrothberg mentioned this issue Aug 25, 2021
Merged
@Luap99 Luap99 mentioned this issue Feb 15, 2022
Closed
@Luap99 Luap99 mentioned this issue Jun 15, 2022
Merged
@Luap99 Luap99 mentioned this issue Sep 15, 2022
Merged
@aneustroev aneustroev mentioned this issue Aug 3, 2023
Closed
@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 21, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 21, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
kind/bug Categorizes issue or PR as related to a bug. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.
Projects
None yet
Milestone
No milestone
4 participants
@mheon @vrothberg @polygamma @Luap99