Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

update c/common to add some netns cleanup fixes #23519

Merged
merged 3 commits into from
Aug 15, 2024

Conversation

Luap99
Copy link
Member

@Luap99 Luap99 commented Aug 6, 2024

Does this PR introduce a user-facing change?

None

@openshift-ci openshift-ci bot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. release-note-none labels Aug 6, 2024
Copy link
Contributor

openshift-ci bot commented Aug 6, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Luap99

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Aug 6, 2024
@edsantiago
Copy link
Member

No joy, sorry. debian root, f40 root, and other jobs still running

@Luap99
Copy link
Member Author

Luap99 commented Aug 6, 2024

No joy, sorry. debian root, f40 root, and other jobs still running

I still would call this progress. At least the error message is less cluttered with unimportant messages. But yes it seem like whatever root cause there is is not fixed (not surprising as I don't understand the cause at all)
Anyhow I will try to get #23487 ready which should provide me with better logs

@Luap99 Luap99 changed the title DNM: test netns cleanup fixes from c/common update c/common to add some netns cleanup fixes Aug 9, 2024
@Luap99
Copy link
Member Author

Luap99 commented Aug 9, 2024

@mheon @edsantiago PTAL

cdcef62 is needed after #23553 bc it doesn't log the netns error otherwise just that it failed to stop containers.

@Luap99 Luap99 marked this pull request as ready for review August 9, 2024 11:12
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Aug 9, 2024
@Luap99 Luap99 added the No New Tests Allow PR to proceed without adding regression tests label Aug 9, 2024
@Luap99
Copy link
Member Author

Luap99 commented Aug 9, 2024

@mtrmac Looks like your changes broke the tests here, containers/image@f49cb62?

time="2024-08-09T06:35:05-05:00" level=warning msg="Compression using zstd:chunked is not beneficial for encrypted layers, using plain zstd instead"

The test expected an empty stderr. Do we need to fix the test to force zstd?

@mtrmac
Copy link
Collaborator

mtrmac commented Aug 9, 2024

@Luap99 Thanks for pointing me at this.

Per https://github.com/containers/podman/blob/1ab9dd156a35ed1ca7648379d74d7cfb9615699a/vendor/github.com/containers/common/pkg/config/default.go#L358 and https://github.com/containers/podman/blob/1ab9dd156a35ed1ca7648379d74d7cfb9615699a/vendor/github.com/containers/common/pkg/config/containers.conf#L442 , I’d expect this to be defaulting to gzip. So I thought this test failure newly appears only when changing the configuration, I’m sorry.

Are the tests, perhaps, running against the system’s containers.conf? (https://src.fedoraproject.org/rpms/containers-common/tree/rawhide does show rawhide enabling zstd:chunked).


If the above is all expected, yes, either change https://github.com/containers/podman/blob/1ab9dd156a35ed1ca7648379d74d7cfb9615699a/test/e2e/pull_test.go#L612 to use non-chunked zstd, or ignore the warning like 0adf8d2 (from #23397 ). The former would be a bit clearer because other warnings would still cause failures.

@Luap99
Copy link
Member Author

Luap99 commented Aug 9, 2024

Are the tests, perhaps, running against the system’s containers.conf? (https://src.fedoraproject.org/rpms/containers-common/tree/rawhide does show rawhide enabling zstd:chunked).

Yes we use system configs except for the cases where explicitly overwrite certain settings (i.e. composefs on rawhide).

If the above is all expected, yes, either change

Sure fixing the test is easy but if we enable zstd:chunked as default for newer Fedoras than this will throw visible warnings for all users that push encrypted images (likely not many) and you basically force them to overwrite system default settings just to get rid of this warning. Is a warning really needed, should it be dropped to an info level?

IMO "expected" configurations should not throw warnings. There is the case of setting --compression-format explicitly in which case a warning sounds appropriate to me but this isn't something c/image wouldn't know about I guess? So I think we would need to decide which of the two cases we want? Or we move such a warning into the podman fronted where such information is available.

@mtrmac
Copy link
Collaborator

mtrmac commented Aug 9, 2024

In short, I’m leaning towards c/image lowering this to a debug-level log message.

(Reordered)

There is the case of setting --compression-format explicitly in which case a warning sounds appropriate to me but this isn't something c/image wouldn't know about I guess?

Yes, the difficulty is that c/image can’t tell the difference between the setting coming from the CLI, and from containers.conf.

IMO "expected" configurations should not throw warnings.

I agree that it’s undesirable to warn users about the system-shipped default configuration. We might want to warn about a user-customized configuration, but that’s less important (and we can’t tell user’s intent from an unchanged field in any case). A very weak counterargument is that “encrypting images is not ‘expected’”… and that we there is a low, hypothetical, chance that we would add support for the combination in the future.


you basically force them to overwrite system default settings just to get rid of this warning.

Yes, that’s the impact; manually use --compression-format zstd to silence.

Is a warning really needed, should it be dropped to an info level?

I think typically users don’t care about compression that much, but zstd:chunked comes with performance promises (“only pulling the changed files”) that users might want. I don’t know.

To confirm, the effect of using “info” level would be to hide it from Podman’s output, wouldn’t it? (Skopeo does include “info” by default.)

If the intent is to hide this, I’d rather go all the way to “debug”. If the intent is to keep it visible, I have no opinion on the severity level of the log message. (If I imagine myself in the users’ shoes, I’d either just ignore the warning, or I’d want to silence it, whether it is called a “warning” or “info”.)


So I think we would need to decide which of the two cases we want? Or we move such a warning into the podman fronted where such information is available.

I think if the warning is valuable, it should trigger also for non-Podman callers which haven’t been explicitly updated.

We could over-engineer this, have the caller provide the default compression (in addition to the current “desired compression”) as a new field … but that seems to me to be too much complexity, both increasing the API surface and IIRC Podman / Buildah don’t have a truly centralized location where the c/image SystemContext is created, so we would be playing whac-a-mole.


For reference: containers/image#2485

@rhatdan
Copy link
Member

rhatdan commented Aug 10, 2024

Alternatively should podman just not use the format when pushing encrypted images, then we can just document that encrypted images are ignore compression-format?

@mtrmac
Copy link
Collaborator

mtrmac commented Aug 10, 2024

Interesting … there already is a precedent for hard-coding compression decisions in c/common/libimage: https://github.com/containers/common/blob/d93f74f43223d0d20bd7e4d4b29b762ed981b04c/libimage/push.go#L90-L95
I don’t know how I feel about hard-coding these things, but a precedent and consistency are, to me, quite important.

But, then again, libimage, just like c/image, can’t tell the difference between a CLI option and a containers.conf default, because Podman’s CLI layer has a habit of using the containers.conf values as option defaults, erasing the difference:

flags.StringVar(&pushOptions.CompressionFormat, compFormat, compressionFormat(), "compression format to use")


Completely ignoring the config and falling back to gzip is plausible. Ignoring CLI options and not allowing to create zstd-compressed encrypted images at all seems hard to accept (but, ultimately, up to Podman maintainers, not me). So I think this is also blocked by the inability to tell the difference between options on the CLI and in the config file.

@Luap99
Copy link
Member Author

Luap99 commented Aug 12, 2024

We could over-engineer this, have the caller provide the default compression (in addition to the current “desired compression”) as a new field … but that seems to me to be too much complexity, both increasing the API surface and IIRC Podman / Buildah don’t have a truly centralized location where the c/image SystemContext is created, so we would be playing whac-a-mole.

Agree, I fix the tests to work around that. I guess we will see eventually if users complain or not about this message.

Log all stopping errors for each container so we actually see the real
cause.

Signed-off-by: Paul Holzinger <[email protected]>
Includes some netns cleanup fixes.

Signed-off-by: Paul Holzinger <[email protected]>
c/image now throws a warning when using encryption and zstd:chunked as
they do not work together[1]. As CI uses default configs from fedora it
means rawhide now defaults to zstd:chunked which trigger the warning
there. To work around that force zstd compression.

[1] containers/image#2485

Signed-off-by: Paul Holzinger <[email protected]>
@rhatdan
Copy link
Member

rhatdan commented Aug 12, 2024

Can't we just change the options to conflict. Podman CLI can tell if the user actually changed the CLI. So if
CLI states `encryted and --compression-format we throw an error, otherwise we just document the behaviour.

@Luap99
Copy link
Member Author

Luap99 commented Aug 12, 2024

Can't we just change the options to conflict. Podman CLI can tell if the user actually changed the CLI. So if CLI states `encryted and --compression-format we throw an error, otherwise we just document the behaviour.

I don't think they conflict, only zstd:chunked conflicts with means we have to do a very narrow specific check

If we have such a warning on the cli level you likely would have to patch buildah and skopeo the same way and then not let c/image log this. But then any other other c/image user faces the problem where c/image drops the compression format without notice which isn't nice either depending on the context.

Regardless none of this blocks this PR as this does a simple vendor and I just fix the test for now. If someone wants to change this we can do so later

@Luap99
Copy link
Member Author

Luap99 commented Aug 15, 2024

@containers/podman-maintainers PTAL

@mheon
Copy link
Member

mheon commented Aug 15, 2024

LGTM

@rhatdan
Copy link
Member

rhatdan commented Aug 15, 2024

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Aug 15, 2024
@openshift-merge-bot openshift-merge-bot bot merged commit 734c4b9 into containers:main Aug 15, 2024
91 checks passed
@Luap99 Luap99 deleted the netns-cleanup branch August 15, 2024 12:42
@stale-locking-app stale-locking-app bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Nov 14, 2024
@stale-locking-app stale-locking-app bot locked as resolved and limited conversation to collaborators Nov 14, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. No New Tests Allow PR to proceed without adding regression tests release-note-none
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants