Allow multiple CreateContainer operations at the same time. #1355
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
anmaxvl
force-pushed
the
gcs-rework-locks
branch
3 times, most recently
from
9bff60f
to
2fba6ce
Compare
dcantah
reviewed
Apr 15, 2022
anmaxvl
force-pushed
the
gcs-rework-locks
branch
from
2fba6ce
to
1ad611e
Compare
anmaxvl
force-pushed
the
gcs-rework-locks
branch
from
1ad611e
to
b61ca1d
Compare
|
Maksim and I discussed, I pointed out a race condition in this version. Maksim will be changing slightly to address. |
helsaawy
reviewed
Apr 18, 2022
dcantah
reviewed
Apr 18, 2022
dcantah
reviewed
Apr 18, 2022
dcantah
reviewed
Apr 18, 2022
anmaxvl
force-pushed
the
gcs-rework-locks
branch
from
417292b
to
8a50b85
Compare
|
This addresses the issue that @svolos discovered, LGTM. |
helsaawy
approved these changes
Apr 21, 2022
kevpar
reviewed
Apr 21, 2022
internal/guest/runtime/hcsv2/uvm.go
Outdated
| @@ -318,7 +331,7 @@ func (h *Host) CreateContainer(ctx context.Context, id string, settings *prot.VM | |||
| } | |||
| } | |||
|
|
|||
| h.containers[id] = c | |||
| c.status = containerCreated | |||
There was a problem hiding this comment.
I think we need to do this under lock as well, otherwise we could be changing c.status just as another thread is reading it.
There was a problem hiding this comment.
container level lock I assume?
There was a problem hiding this comment.
It could be the map lock, as long as we ensure only one accessor. You could also look at using an atomic here.
There was a problem hiding this comment.
currently that isn't possible with the existing implementation but it was a concern that i raised with @anmaxvl as something to look at for the future if not wasn't addressed now.
There was a problem hiding this comment.
changed to atomic update. had to switch to uint32 without custom type definition.
SeanTAllen
reviewed
Apr 22, 2022
internal/guest/runtime/hcsv2/uvm.go
Outdated
| @@ -318,7 +332,7 @@ func (h *Host) CreateContainer(ctx context.Context, id string, settings *prot.VM | |||
| } | |||
| } | |||
|
|
|||
| h.containers[id] = c | |||
| atomic.StoreUint32(&c.status, containerCreated) | |||
There was a problem hiding this comment.
I dont think this is a good approach. You need an atomic for any reads as well.
Given the lack of usage of atomics in the codebase, I can see this being incorrectly done (as it is currently in this PR). I think coming up with a more robust approach would be better. I'm not a Go expert so I'm not sure of the best pattern, but making all access atomic (store and load) without relying on authors of later changes to get it correct would be good.
There was a problem hiding this comment.
go-winio has a custom atomic bool that basically wraps these operations and I have been looking for an excuse to export it for a while.
since status is currently creating/created, a bool would suffice for now, i think...
There was a problem hiding this comment.
I'm afraid go-winio route will take too long. I'll just add getter/setter.
Prior to this change, GCS allowed only one CreateContainer operation at a time. This isn't an issue in general case, however this doesn't work properly with synchronization via OCI runtime hook. Synchronization via runtime hook was introduced in: microsoft#1258 It injects a CreateRuntime OCI hook, if security policy provides wait paths. This allows container-A to run after container-B, where container-B writes to an empty directory volume shared between the two containers to signal that it's done some setup container-A depends on. In general case, container-A can be started before container-B which results in a deadlock, because CreateContainer request holds a lock to a map, which keeps track of running containers. To resolve the issue, the code has been updated to do a more granular locking when reading/updating the containers map: - Add a new "Status" field to Container object, which can be either "Running" or "Creating". - Remove locking from CreateContainer function - Rework "GetContainer" to "GetRunningContainer", which returns the container object only when it's in "Running" state, otherwise either `gcserr.HrVmcomputeSystemNotFound` or `gcserr.HrVmcomputeInvalidState` error returned. - Add new "AddContainer(id, container)" function, which updates the containers map with new container instances. - Rework CreateContainer to initially add new container objects into the containers map and set the "Status" to "Creating" at the start of the function and set it to "Running" only when the container successfully starts. Reworking "GetContainer" to "GetRunningContainer" seemed to be the least invasive change, which allows us to limit updates in the affected places. If "GetContainer" is left unchanged, then handling of containers in status "Creating" needs to take place and this requires handling cases when (e.g.) a modification request is sent to a container which isn't yet running. Signed-off-by: Maksim An <maksiman@microsoft.com>
Signed-off-by: Maksim An <maksiman@microsoft.com>
Signed-off-by: Maksim An <maksiman@microsoft.com>
Additionally update synchronization CRI tests to use go routines to properly reproduce the scenario. Signed-off-by: Maksim An <maksiman@microsoft.com>
Signed-off-by: Maksim An <maksiman@microsoft.com>
Signed-off-by: Maksim An <maksiman@microsoft.com>
anmaxvl
force-pushed
the
gcs-rework-locks
branch
from
c4151f2
to
34521cb
Compare
kevpar
reviewed
Apr 22, 2022
kevpar
reviewed
Apr 22, 2022
dcantah
approved these changes
Apr 22, 2022
Signed-off-by: Maksim An <maksiman@microsoft.com>
anmaxvl
added a commit
that referenced
this pull request
Feb 7, 2023
princepereira
pushed a commit
to princepereira/hcsshim
that referenced
this pull request
Aug 29, 2024
…t#1355) Prior to this change, GCS allowed only one CreateContainer operation at a time. This isn't an issue in general case, however this doesn't work properly with synchronization via OCI runtime hook. Synchronization via runtime hook was introduced in: microsoft#1258 It injects a `CreateRuntime` OCI hook, if security policy provides wait paths. This allows container-A to run after container-B, where container-B writes to an empty directory volume shared between the two containers to signal that it's done some setup container-A depends on. In general case, container-A can be started before container-B which results in a deadlock, because `CreateContainer` request holds a lock to a map, which keeps track of running containers. To resolve the issue, the code has been updated to do a more granular locking when reading/updating the containers map: - Add a new "status" field to Container object and atomic setter/getter, which can be either "Created" or "Creating". New `uint32` type alias and constants were added to represent the values (`containerCreated` and `containerCreating`) - Remove locking from `CreateContainer` function - Rework `GetContainer` to `GetCreatedContainer`, which returns the container object only when it's in `containerCreated` state, otherwise either `gcserr.HrVmcomputeSystemNotFound` or `gcserr.HrVmcomputeInvalidState` error returned. - Add new `AddContainer(id, container)` function, which updates the containers map with new container instances. - Rework `CreateContainer` to initially add new container objects into the containers map and set the "status" to `containerCreating` at the start of the function and set it to `containerCreated` only when the container is successfully created in runtime. Reworking `GetContainer` to `GetCreatedContainer` seemed to be the least invasive change, which allows us to limit updates in the affected places. If `GetContainer` is left unchanged, then handling of containers in status "Creating" needs to take place and this requires handling cases when (e.g.) a modification request is sent to a container which isn't yet running. Additionally update synchronization CRI tests to use go routines to properly reproduce the scenario. Signed-off-by: Maksim An <maksiman@microsoft.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Prior to this change, GCS allowed only one CreateContainer operation
at a time. This isn't an issue in general case, however this doesn't
work properly with synchronization via OCI runtime hook.
Synchronization via runtime hook was introduced in:
#1258
It injects a CreateRuntime OCI hook, if security policy provides
wait paths.
This allows container-A to run after container-B, where container-B
writes to an empty directory volume shared between the two containers
to signal that it's done some setup container-A depends on.
In general case, container-A can be started before container-B which
results in a deadlock, because CreateContainer request holds a lock
to a map, which keeps track of running containers.
To resolve the issue, the code has been updated to do a more granular
locking when reading/updating the containers map:
"Creating" or "Created".
the container object only when it's in "Created" state, otherwise
either
gcserr.HrVmcomputeSystemNotFoundorgcserr.HrVmcomputeInvalidStateerror returned.
containers map with new container instances.
the containers map and set the "Status" to "Creating" at the start
of the function and set it to "Created" only when the container
was successfully created.
Reworking "GetContainer" to "GetCreatedContainer" seemed to be the least
invasive change, which allows us to limit updates in the affected places.
If "GetContainer" is left unchanged, then handling of containers in status
"Creating" needs to take place and this requires handling cases when (e.g.)
a modification request is sent to a container which hasn't been created yet.
Signed-off-by: Maksim An maksiman@microsoft.com