Skip to content

Improve nsexec logging#2836

Merged
cyphar merged 2 commits intoopencontainers:masterfrom
kolyshkin:improve-nsexec-logging
Apr 13, 2021
Merged

Improve nsexec logging#2836
cyphar merged 2 commits intoopencontainers:masterfrom
kolyshkin:improve-nsexec-logging

Conversation

@kolyshkin
Copy link
Copy Markdown
Contributor

@kolyshkin kolyshkin commented Mar 6, 2021
edited
Loading

Draft as it's blocked by #2835

In order to make runc --debug actually useful for debugging nsexec
bugs, provide information about all the internal operations when in
debug mode.

Before:

# runc --debug run x123
DEBU[0000] nsexec:601 nsexec started                    
DEBU[0000] child process in init()                      
DEBU[0000] logging has already been configured          
DEBU[0000] log pipe has been closed: EOF                
DEBU[0001] process exited                                pid=1472529 status=0

After:

# runc --debug run x123
DEBU[0000] nsexec[1472380]: => nsexec container setup   
DEBU[0000] nsexec-0[1472380]: ~> nsexec stage-0         
DEBU[0000] nsexec-0[1472380]: spawn stage-1             
DEBU[0000] nsexec-0[1472380]: -> stage-1 synchronisation loop 
DEBU[0000] nsexec-1[1472384]: ~> nsexec stage-1         
DEBU[0000] nsexec-1[1472384]: unshare remaining namespace (except cgroupns) 
DEBU[0000] nsexec-1[1472384]: spawn stage-2             
DEBU[0000] nsexec-1[1472384]: request stage-0 to forward stage-2 pid (1472385) 
DEBU[0000] nsexec-0[1472380]: stage-1 requested pid to be forwarded 
DEBU[0000] nsexec-0[1472380]: forward stage-1 (1472384) and stage-2 (1472385) pids to runc 
DEBU[0000] nsexec-2[1]: ~> nsexec stage-2               
DEBU[0000] nsexec-1[1472384]: signal completion to stage-0 
DEBU[0000] nsexec-1[1472384]: <~ nsexec stage-1         
DEBU[0000] nsexec-0[1472380]: stage-1 complete          
DEBU[0000] nsexec-0[1472380]: <- stage-1 synchronisation loop 
DEBU[0000] nsexec-0[1472380]: -> stage-2 synchronisation loop 
DEBU[0000] nsexec-0[1472380]: signalling stage-2 to run 
DEBU[0000] nsexec-2[1]: unshare cgroup namespace        
DEBU[0000] nsexec-2[1]: signal completion to stage-0    
DEBU[0000] nsexec-0[1472380]: stage-2 complete          
DEBU[0000] nsexec-0[1472380]: <- stage-2 synchronisation loop 
DEBU[0000] nsexec-0[1472380]: <~ nsexec stage-0         
DEBU[0000] nsexec-2[1]: <= nsexec container setup       
DEBU[0000] nsexec-2[1]: booting up go runtime ...       
DEBU[0000] child process in init()                      
DEBU[0000] init: closing the pipe to signal completion  
DEBU[0000] sending signal to process urgent I/O condition 
DEBU[0000] sending signal to process urgent I/O condition 
DEBU[0001] process exited                                pid=1472385 status=0

This is a carry of #2460 with a few fixes on top:

Closes: #2460

(this was originally developed in #2487)

This was referenced Mar 8, 2021
Closed
Closed
@kolyshkin kolyshkin requested a review from cyphar March 8, 2021 16:18
@kolyshkin kolyshkin mentioned this pull request Mar 22, 2021
Merged
@kolyshkin kolyshkin force-pushed the improve-nsexec-logging branch 3 times, most recently from d1e0960 to 73d5aba Compare March 28, 2021 17:40
@kolyshkin kolyshkin mentioned this pull request Mar 28, 2021
Merged
@thaJeztah
Copy link
Copy Markdown
Member

thaJeztah commented Mar 29, 2021

This still draft?

@kolyshkin kolyshkin marked this pull request as ready for review March 31, 2021 01:36
@kolyshkin
Copy link
Copy Markdown
Contributor Author

kolyshkin commented Mar 31, 2021

No longer a draft; @cyphar PTAL (this is mostly your code)

@cyphar @kolyshkin
nsenter: improve debug logging
64bb59f 
In order to make 'runc --debug' actually useful for debugging nsexec
bugs, provide information about all the internal operations when in
debug mode.

[@kolyshkin: rebasing; fix formatting via indent for make validate to pass]

Signed-off-by: Aleksa Sarai <asarai@suse.de>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
@kolyshkin kolyshkin force-pushed the improve-nsexec-logging branch from 73d5aba to 8c15967 Compare April 8, 2021 16:55
@kolyshkin
Copy link
Copy Markdown
Contributor Author

kolyshkin commented Apr 8, 2021

Rebased again; PTAL @cyphar

@kolyshkin
Copy link
Copy Markdown
Contributor Author

kolyshkin commented Apr 8, 2021

centos7 fails

=== RUN   TestSystemdFreeze
    utils_test.go:86: exec_test.go:539: unexpected error: unable to freeze
        
--- FAIL: TestSystemdFreeze (0.74s)

This is the second time I see it, not sure what's happening but definitely unrelated to this PR.

CI restarted.

cyphar
cyphar previously approved these changes Apr 9, 2021
View reviewed changes
Copy link
Copy Markdown
Member

@cyphar cyphar left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. I'll take your word for it that most of this new code is mine. 😬

@kolyshkin
Copy link
Copy Markdown
Contributor Author

kolyshkin commented Apr 12, 2021

CentOS CI failure is a flake (#2760), restarting.

mrunalp
mrunalp reviewed Apr 12, 2021
View reviewed changes
Comment thread libcontainer/nsenter/escape.c Outdated
@kolyshkin
libct/nsenter: add json msg escaping
928ef7a 
Since the previous commit, some strings logged by write_log() contain a
literal newline, which leads to errors like this one:

> # time="2020-06-07T15:41:37Z" level=error msg="failed to decode \"{\\\"level\\\":\\\"debug\\\", \\\"msg\\\": \\\"nsexec-0[2265]: update /proc/2266/uid_map to '0 1000 1\\n\" to json: invalid character '\\n' in string literal"

The fix is to escape such characters.

Add a simple (as much as it can be) routine which implements JSON string
escaping as required by RFC4627, section 2.5, plus escaping of DEL (0x7f)
character (not required, but allowed by the standard, and usually done
by tools such as jq).

As much as I hate to code something like this, I was not able to find
a ready to consume and decent C implementation (not using glib).

Added a test case (and some additional asserts in C code, conditionally
enabled by the test case) to make sure the implementation is correct.
The test case have to live in a separate directory so we can use
different C flags to compile the test, and use C from go test.

[v2: try to simplify the code, add more tests]
[v3: don't do exit(1), try returning an error instead]

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
@kolyshkin kolyshkin force-pushed the improve-nsexec-logging branch from 8c15967 to 928ef7a Compare April 12, 2021 23:48
@kolyshkin kolyshkin requested a review from cyphar April 12, 2021 23:52
@kolyshkin
Copy link
Copy Markdown
Contributor Author

kolyshkin commented Apr 12, 2021

@cyphar PTAL; the only change after your review was this: #2836 (comment)

cyphar
cyphar approved these changes Apr 13, 2021
View reviewed changes
Copy link
Copy Markdown
Member

@cyphar cyphar left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

Comment thread libcontainer/nsenter/escape.c
free(s);
// As malloc failed, strdup can fail, too, so in the worst case
// scenario NULL will be returned from here.
return strdup("escape_json_string: out of memory");
Copy link
Copy Markdown
Member

@cyphar cyphar Apr 13, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I feel like it makes more sense to always return NULL (and then in the caller provide the fallback error message), but it doesn't really matter imho.

@cyphar cyphar closed this in 14ce8be Apr 13, 2021
@cyphar cyphar merged commit 14ce8be into opencontainers:master Apr 13, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mrunalp mrunalp mrunalp approved these changes

@cyphar cyphar cyphar approved these changes

Assignees

No one assigned

Labels

area/logging

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@kolyshkin @thaJeztah @mrunalp @cyphar