libct/cg/sd/v1: do not update non-frozen cgroup after frozen failed. by jiusanzhou · Pull Request #3804 · opencontainers/runc

jiusanzhou · 2023-04-03T13:53:46Z

In code we have frozen the cgroup to avoid the processes get
an occasional "permission denied" error, while the systemd's application of device
rules is done disruptively. When the processes in the container can not
be frozen over 2 seconds (which defined in fs/freezer.go),
we still update the cgroup which resulting the container get an occasional
"permission denied" error in some cases.

This PR make sure to return error directly without updating cgroup, when freeze fails.

Fixes: #3803

kolyshkin

Overall the fix makes sense to me -- we should not update a non-frozen container.

Will take a deeper look later.

kolyshkin · 2023-04-06T18:35:16Z

@jiusanzhou you need to ~~rebase and~~ fix linter warnings (the ones from validate and commit CI jobs look legit).

Update: ah, I see you've rebased already.

kolyshkin · 2023-04-06T18:38:05Z

For the commit subject, I suggest something like

libct/cg/sd/v1: do not update non-frozen cgroup

For the description, you can get some text from #3803 to describe what happens and then go on to say how the commit is fixing this.

jiusanzhou · 2023-04-08T02:17:08Z

@kolyshkin thank you for your advice, CI checking is green now. Please take another look.

jiusanzhou · 2023-04-17T09:20:44Z

@cyphar PTAL

zvier · 2023-06-04T11:12:36Z

any update？

kolyshkin

LGTM

kolyshkin · 2023-06-06T00:58:11Z

@thaJeztah @AkihiroSuda @cyphar PTAL

In code we have frozen the cgroup to avoid the processes get an occasional "permission denied" error, while the systemd's application of device rules is done disruptively. When the processes in the container can not be frozen over 2 seconds (which defined in fs/freezer.go), we still update the cgroup which resulting the container get an occasional "permission denied" error in some cases. Return error directly without updating cgroup, when freeze fails. Fixes: opencontainers#3803 Signed-off-by: Zoe <hi@zoe.im>

kolyshkin · 2023-06-27T15:25:40Z

@opencontainers/runc-maintainers PTAL

AkihiroSuda · 2023-06-27T15:28:12Z

Can we have a test?

kolyshkin · 2023-06-27T18:18:45Z

Can we have a test?

I'm not sure we can. To test the branch of code being added, we need cgroup freeze to fail, and I don't know how to do that reliably.

kolyshkin · 2023-06-27T18:31:16Z

@jiusanzhou can you open a PR against release-1.1 branch?

jiusanzhou · 2023-07-04T12:34:19Z

1.1 backport: #3921

jiusanzhou force-pushed the bugfix/skip-update-while-frozen-faield branch from 68168b7 to fad60b8 Compare April 3, 2023 13:57

kolyshkin reviewed Apr 3, 2023

View reviewed changes

jiusanzhou force-pushed the bugfix/skip-update-while-frozen-faield branch from 6bacdf5 to 446bf56 Compare April 6, 2023 08:47

jiusanzhou force-pushed the bugfix/skip-update-while-frozen-faield branch 2 times, most recently from ac81a17 to 53a8bd4 Compare April 7, 2023 14:04

jiusanzhou force-pushed the bugfix/skip-update-while-frozen-faield branch from 53a8bd4 to cbfa85b Compare April 17, 2023 07:44

jiusanzhou force-pushed the bugfix/skip-update-while-frozen-faield branch from cbfa85b to 01caf55 Compare April 27, 2023 03:47

jiusanzhou changed the title ~~bugfix: avoid an occasional "permission denied" error while frozen failed. #3803~~ libct/cg/sd/v1: do not update non-frozen cgroup after frozen failed. Apr 27, 2023

jiusanzhou force-pushed the bugfix/skip-update-while-frozen-faield branch from 01caf55 to ad9e9b9 Compare April 29, 2023 15:02

jiusanzhou requested a review from kolyshkin April 29, 2023 15:13

kolyshkin approved these changes Jun 6, 2023

View reviewed changes

kolyshkin added backport/1.1-todo A PR in main branch which needs to be backported to release-1.1 area/systemd area/cgroupv1 labels Jun 6, 2023

jiusanzhou force-pushed the bugfix/skip-update-while-frozen-faield branch from ad9e9b9 to 62963fe Compare June 12, 2023 02:10

AkihiroSuda approved these changes Jun 27, 2023

View reviewed changes

AkihiroSuda merged commit 92c71e7 into opencontainers:main Jun 27, 2023

jiusanzhou mentioned this pull request Jun 30, 2023

[1.1] libct/cg/sd/v1: do not update non-frozen cgroup after frozen failed. #3921

Merged

kolyshkin added backport/1.1-done A PR in main branch which has been backported to release-1.1 and removed backport/1.1-todo A PR in main branch which needs to be backported to release-1.1 labels Jul 6, 2023

Conversation

jiusanzhou commented Apr 3, 2023 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

kolyshkin left a comment

Choose a reason for hiding this comment

Uh oh!

kolyshkin commented Apr 6, 2023 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

kolyshkin commented Apr 6, 2023

Uh oh!

jiusanzhou commented Apr 8, 2023

Uh oh!

jiusanzhou commented Apr 17, 2023

Uh oh!

zvier commented Jun 4, 2023

Uh oh!

kolyshkin left a comment

Choose a reason for hiding this comment

Uh oh!

kolyshkin commented Jun 6, 2023

Uh oh!

kolyshkin commented Jun 27, 2023

Uh oh!

AkihiroSuda commented Jun 27, 2023

Uh oh!

kolyshkin commented Jun 27, 2023

Uh oh!

kolyshkin commented Jun 27, 2023

Uh oh!

jiusanzhou commented Jul 4, 2023

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

jiusanzhou commented Apr 3, 2023 •

edited

Loading

kolyshkin commented Apr 6, 2023 •

edited

Loading