salt: Avoid duplicating static pod manifests #3003

gdemonet · 2020-12-28T09:47:48Z

When using metalk8s.static_pod_managed, we call file.managed behind
the scenes. This state does a lot of magic, including creating a
temporary file with the new contents before replacing the old file.
This temp file gets created in the same directory as the managed
file by default, so it gets picked up by kubelet as if it were
another static Pod to manage. If the replacement occurs too late,
kubelet may have already created another Pod for the temp file, and
may not be able to "remember" the old Pod, hence not cleaning it up.
This results in "rogue containers", which can create issues (e.g.
preventing new containers from binding some ports on the host).

This commit reimplements the 'file.managed' state in a minimal fashion,
to ensure the temporary file used for making an "atomic replace" is
ignored by kubelet. Note that it requires us to also reimplement the
'file.manage_file' execution function, since it always relies on the
existing "atomic copy" operation from salt.utils.files.copyfile.

Fixes: #2840

salt/_states/metalk8s.py

gdemonet · 2020-12-28T14:14:22Z

Received a comment from someone in PTO (😅 ), which points out that writing the temporary file to another directory (e.g. /tmp) may break the atomicity of replacing the original file (if /tmp is not on the same device as /etc/kubernetes/manifests, which is very likely for tmpfs).

Since kubelet ignores Pod manifests with filenames starting with a dot (see here), I'll change the approach to use this behaviour instead.

gdemonet · 2020-12-28T15:51:10Z

After investigating what file.managed does behind the scenes (mostly calling out to the file.manage_file execution method), two things arose:

tmp_dir would not have been used anyway, because this only serves for the check_cmd (which we don't use)
given the log we get from kubelet when this error happens:

Unable to process watch event: can't process config file "/etc/kubernetes/manifests/repositories.yamlcsl_iuli": open /etc/kubernetes/manifests/repositories.yamlcsl_iuli: no such file or directory

It appears this file is created by the call to salt.utils.files.mkstemp, with prefix set to the destination filename and dir to the destination directory. This call is made from salt.utils.files.copyfile, and there is no way around this behaviour.

In conclusion, I'll need to write a custom module for managing these manifests as we want 😞 .

TeddyAndrieux · 2021-01-06T16:45:38Z

salt/_states/metalk8s.py

@@ -76,6 +77,7 @@ def static_pod_managed(name,
            context or {},
            config_digest=config_digest, metalk8s_version=metalk8s_version
        ),
+        tmp_dir=kwargs.pop("tmp_dir", tempfile.gettempdir()),


Minor, maybe deserve a small comment 😄

This line is going away, I'm going to push the latest code so you can have a look :)

salt/_modules/metalk8s.py

salt/_states/metalk8s.py

NicolasT · 2021-01-07T13:45:17Z

May want to update PR description with current commit message to avoid confusion.

When using `metalk8s.static_pod_managed`, we call `file.managed` behind the scenes. This state does a lot of magic, including creating a temporary file with the new contents before replacing the old file. This temp file gets created **in the same directory** as the managed file by default, so it gets picked up by `kubelet` as if it were another static Pod to manage. If the replacement occurs too late, `kubelet` may have already created another Pod for the temp file, and may not be able to "remember" the old Pod, hence not cleaning it up. This results in "rogue containers", which can create issues (e.g. preventing new containers from binding some ports on the host). This commit reimplements the 'file.managed' state in a minimal fashion, to ensure the temporary file used for making an "atomic replace" is ignored by kubelet. Note that it requires us to also reimplement the 'file.manage_file' execution function, since it always relies on the existing "atomic copy" operation from `salt.utils.files.copyfile`. Fixes: #2840

bert-e · 2021-01-08T09:12:50Z

Waiting for approval

The following approvals are needed before I can proceed with the merge:

the author
one peer

Peer approvals must include at least 1 approval from the following list:

The following reviewers are expecting changes from the author, or must review again:

@NicolasT

bert-e · 2021-01-08T11:21:55Z

Waiting for approval

The following approvals are needed before I can proceed with the merge:

the author
one peer

Peer approvals must include at least 1 approval from the following list:

gdemonet · 2021-01-08T12:19:37Z

/reset

gdemonet · 2021-01-08T12:19:43Z

/approve

bert-e · 2021-01-08T12:19:44Z

Reset complete

I have successfully deleted this pull request's integration branches.

bert-e · 2021-01-08T12:19:52Z

Integration data created

I have created the integration data for the additional destination branches.

this pull request will merge bugfix/2840-static-pods-tmp-files into
development/2.7
w/2.8/bugfix/2840-static-pods-tmp-files will be merged into development/2.8

The following branches will NOT be impacted:

development/1.0
development/1.1
development/1.2
development/1.3
development/2.0
development/2.1
development/2.2
development/2.3
development/2.4
development/2.5
development/2.6

You can set option create_pull_requests if you need me to create
integration pull requests in addition to integration branches, with:

@bert-e create_pull_requests

The following options are set: approve

bert-e · 2021-01-08T13:58:23Z

Build failed

The build for commit did not succeed in branch bugfix/2840-static-pods-tmp-files.

The following options are set: approve

bert-e · 2021-01-08T18:24:07Z

In the queue

The changeset has received all authorizations and has been added to the
relevant queue(s). The queue(s) will be merged in the target development
branch(es) as soon as builds have passed.

The changeset will be merged in:

✔️ development/2.7
✔️ development/2.8

The following branches will NOT be impacted:

development/1.0
development/1.1
development/1.2
development/1.3
development/2.0
development/2.1
development/2.2
development/2.3
development/2.4
development/2.5
development/2.6

There is no action required on your side. You will be notified here once
the changeset has been merged. In the unlikely event that the changeset
fails permanently on the queue, a member of the admin team will
contact you to help resolve the matter.

IMPORTANT

Please do not attempt to modify this pull request.

Any commit you add on the source branch will trigger a new cycle after the
current queue is merged.
Any commit you add on one of the integration branches will be lost.

If you need this pull request to be removed from the queue, please contact a
member of the admin team now.

The following options are set: approve

bert-e · 2021-01-11T20:12:04Z

I have successfully merged the changeset of this pull request
into targetted development branches:

✔️ development/2.7
✔️ development/2.8

The following branches have NOT changed:

development/1.0
development/1.1
development/1.2
development/1.3
development/2.0
development/2.1
development/2.2
development/2.3
development/2.4
development/2.5
development/2.6

Please check the status of the associated issue None.

Goodbye gdemonet.

gdemonet requested a review from a team December 28, 2020 09:47