Merge pull request #843 from kernelkit/drop-execd

Redesign and simplify container creation/removal

Author: troglobit

board/common/rootfs/etc/finit.d/available/[email protected]

@@ -1,4 +1,4 @@
-service :%i pid:!/run/k8s-logger-%i.pid <usr/container:%i> \
-	[2345] k8s-logger -cni %i -f local1 /run/containers/%i.fifo -- Logger for container %i
-sysv    :%i pid:!/run/container:%i.pid <!pid/k8s-logger:%i> log kill:10 \
+task    name:container-%i :setup \
+	[2345] container -n %i setup -- Setup container %i
+sysv    <!usr/container:%i> :%i pid:!/run/container:%i.pid log:prio:local1,tag:%i kill:10 \
 	[2345] container -n %i -- container %i

board/common/rootfs/usr/bin/pager

@@ -5,11 +5,10 @@
 # -K :: exit immediately when an interrupt character (usually ^C) is typed
 # -R :: Almost raw control charachters, only ANSI color escape sequences and
 #       OSC 8 hyperlink sequences are output.  Allows veritcal scrolling
-# -S :: lines longer than the screen width are chopped (truncated), not wrapped
 # -X :: No termcap initialization and deinitialization set to the terminal.
 #       This is what leaves the contents of the output on screen.
 
 export LESS="-P %f (press h for help or q to quit)"
 export LANG=en_US.UTF-8
 
-less -RISKd -FX "$@"
+less -RIKd -FX "$@"

board/common/rootfs/usr/lib/tmpfiles.d/containers.conf

@@ -0,0 +1,6 @@
+d  /run/containers/args		0700 - -
+d  /run/containers/files	0700 - -
+d  /var/lib/containers		0700 - -
+d  /var/lib/containers/oci	0700 - -
+d  /run/cni			0755 - -
+L+ /var/lib/cni                 -    - - - /run/cni

board/common/rootfs/usr/sbin/container

@@ -1,17 +1,17 @@
 #!/bin/sh
 # This script can be used to start, stop, create, and delete containers.
-# It is primarily used by confd to create jobs for execd to run from its
-# /run/containers/queue, but it can also be used manually.
+# It is what confd use, with the Finit [email protected] template, to set
+# up, run, and delete containers.
 #
 # NOTE: when creating/deleting containers, remember 'initctl reload' to
-#       activate the changes!  When called by confd, via execd, this is
-#       already handled.
+#       activate the changes!  In confd this is already handled.
 #
 DOWNLOADS=/var/lib/containers/oci
 BUILTIN=/lib/oci
 TMPDIR=/var/tmp
 checksum=""
 extracted=
+timeout=30
 dir=""
 all=""
 env=""
@@ -126,7 +126,17 @@ unpack_archive()
 	    fi
             ;;
 	*)			# docker://*, docker-archive:*, or URL
-	    echo "$image"
+	    if podman image exists "$image"; then
+		echo "$image"
+		return 0
+	    fi
+	    # XXX: use --retry=0 with Podman 5.0 or later.
+	    if ! id=$(podman pull --quiet "$image"); then
+		log "Failed pulling $image"
+		return 1
+	    fi
+	    # Echo image name to caller
+	    podman images --filter id="$id" --format "{{.Repository}}:{{.Tag}}"
 	    return 0
 	    ;;
     esac
@@ -216,13 +226,10 @@ create()
     fi
 
     if [ -z "$logging" ]; then
-	logging="--log-driver k8s-file --log-opt path=/run/containers/$name.fifo"
+	logging="--log-driver none"
     fi
 
-    # Pull quietly and don't retry on failure, we use execd for this,
-    # or user retry manually when run interactively, we may have other
-    # containers waiting to start that have an image locally already.
-    # Use --retry=0 with Podman 5.0 or later.
+    # When we get here we've already fetched, or pulled, the image
     args="$args --read-only --replace --quiet --cgroup-parent=containers $caps"
     args="$args --restart=$restart --systemd=false --tz=local $privileged"
     args="$args $vol $mount $hostname $entrypoint $env $port $logging"
@@ -253,6 +260,7 @@ create()
     if podman create --name "$name" --conmon-pidfile="$pidfn" $args "$image" $*; then
 	[ -n "$quiet"  ] || log "Successfully created container $name from $image"
 	[ -n "$manual" ] || start "$name"
+
 	# Should already be enabled by confd (this is for manual use)
 	initctl -bnq enable "container@${name}.conf"
 	exit 0
@@ -272,16 +280,23 @@ delete()
 	exit 1
     fi
 
-    # Should already be disabled (and stopped) by confd (this is for manual use)
-    initctl -bnq disable "container@${name}.conf"
+    # Should already be stopped, but if not ...
+    container stop "$name"
+
+    while running "$name"; do
+	_=$((timeout -= 1))
+	if [ $timeout -le 0 ]; then
+	    err 1 "timed out waiting for container $1 to stop before deleting it."
+	fi
+	sleep 1
+    done
 
     podman rm -vif "$name" >/dev/null 2>&1
     [ -n "$quiet" ] || log "Container $name has been removed."
 }
 
 waitfor()
 {
-    timeout=$2
     while [ ! -f "$1" ]; do
 	_=$((timeout -= 1))
 	if [ $timeout -le 0 ]; then
@@ -353,6 +368,12 @@ netrestart()
     done
 }
 
+cleanup()
+{
+    log "Received signal, exiting."
+    exit 1
+}
+
 usage()
 {
 	cat <<EOF
@@ -386,6 +407,7 @@ options:
   -q, --quiet              Quiet operation, called from confd
   -r, --restart POLICY     One of "no", "always", or "on-failure:NUM"
   -s, --simple             Show output in simplified format
+  -t, --timeout SEC        Set timeout for delete/restart commands, default: 20
   -v, --volume NAME:PATH   Create named volume mounted inside container on PATH
 
 commands:
@@ -403,6 +425,7 @@ commands:
   restart [network] NAME   Restart a (crashed) container or container(s) using network
   run      NAME [CMD]      Run a container interactively, with an optional command
   save     IMAGE FILE      Save a container image to an OCI tarball FILE[.tar.gz]
+  setup    NAME            Create and set up container as a Finit task
   shell                    Start a shell inside a container
   show    [image | volume] Show containers, images, or volumes
   stat                     Show continuous stats about containers (Ctrl-C aborts)
@@ -525,6 +548,10 @@ while [ "$1" != "" ]; do
 	-s | --simple)
 	    simple=true
 	    ;;
+	-t | --timeout)
+	    shift
+	    timeout=$1
+	    ;;
 	-v | --volume)
 	    shift
 	    vol="$vol -v $1"
@@ -541,6 +568,8 @@ if [ -n "$cmd" ]; then
     shift
 fi
 
+trap cleanup INT TERM
+
 case $cmd in
     # Does not work atm., cannot attach to TTY because
     # we monitor 'podman start -ai foo' with Finit.
@@ -666,6 +695,20 @@ case $cmd in
 	    gzip "$file"
 	fi
 	;;
+    setup)
+	[ -n "$name" ] || err 1 "setup: missing container name."
+	script=/run/containers/${name}.sh
+	[ -x "$script" ] || err 1 "setup: $script does not exist or is not executable."
+	while ! "$script"; do
+	    # Wait for address/route changes, or retry every 60 secods
+	    # shellcheck disable=2162,3045
+	    ip monitor address route | while read -t 60 _; do break; done
+
+	    # On IP address/route changes, wait a few seconds more to ensure
+	    # the system has ample time to react and set things up for us.
+	    sleep 2
+	done
+	;;
     shell)
 	podman exec -it "$1" sh -l
 	;;
@@ -720,7 +763,6 @@ case $cmd in
 	    else
 		name=$1
 		stop "$name"
-		timeout=20
 		while running "$name"; do
 		    _=$((timeout -= 1))
 		    if [ $timeout -le 0 ]; then
@@ -781,7 +823,7 @@ case $cmd in
 	[ -n "$cmd" ] && shift
 	case $cmd in
 	    prune)
-		podman volume $force prune
+		podman volume prune $force
 		;;
 	    *)
 		false

configs/aarch64_defconfig

@@ -134,7 +134,6 @@ BR2_PACKAGE_CONFD=y
 BR2_PACKAGE_CONFD_TEST_MODE=y
 BR2_PACKAGE_CURIOS_HTTPD=y
 BR2_PACKAGE_CURIOS_NFTABLES=y
-BR2_PACKAGE_EXECD=y
 BR2_PACKAGE_GENCERT=y
 BR2_PACKAGE_STATD=y
 BR2_PACKAGE_FACTORY=y
@@ -147,7 +146,6 @@ BR2_PACKAGE_FINIT_RTC_FILE="/var/lib/misc/rtc"
 BR2_PACKAGE_FINIT_PLUGIN_TTY=y
 BR2_PACKAGE_FINIT_PLUGIN_URANDOM=y
 BR2_PACKAGE_IITO=y
-BR2_PACKAGE_K8S_LOGGER=y
 BR2_PACKAGE_KEYACK=y
 BR2_PACKAGE_KLISH_PLUGIN_INFIX=y
 BR2_PACKAGE_LANDING=y

configs/r2s_defconfig

@@ -175,7 +175,6 @@ INFIX_HOME="https://github.com/kernelkit/infix/"
 INFIX_DOC="https://github.com/kernelkit/infix/tree/main/doc"
 INFIX_SUPPORT="mailto:[email protected]"
 BR2_PACKAGE_CONFD=y
-BR2_PACKAGE_EXECD=y
 BR2_PACKAGE_GENCERT=y
 BR2_PACKAGE_STATD=y
 BR2_PACKAGE_FACTORY=y
@@ -188,7 +187,6 @@ BR2_PACKAGE_FINIT_RTC_FILE="/var/lib/misc/rtc"
 BR2_PACKAGE_FINIT_PLUGIN_TTY=y
 BR2_PACKAGE_FINIT_PLUGIN_URANDOM=y
 BR2_PACKAGE_IITO=y
-BR2_PACKAGE_K8S_LOGGER=y
 BR2_PACKAGE_KEYACK=y
 BR2_PACKAGE_KLISH_PLUGIN_INFIX=y
 BR2_PACKAGE_LANDING=y

configs/riscv64_defconfig

@@ -165,7 +165,6 @@ INFIX_DOC="https://github.com/kernelkit/infix/tree/main/doc"
 INFIX_SUPPORT="mailto:[email protected]"
 BR2_PACKAGE_CONFD=y
 # BR2_PACKAGE_CONFD_TEST_MODE is not set
-BR2_PACKAGE_EXECD=y
 BR2_PACKAGE_GENCERT=y
 BR2_PACKAGE_STATD=y
 BR2_PACKAGE_FACTORY=y
@@ -178,7 +177,6 @@ BR2_PACKAGE_FINIT_RTC_FILE="/var/lib/misc/rtc"
 BR2_PACKAGE_FINIT_PLUGIN_TTY=y
 BR2_PACKAGE_FINIT_PLUGIN_URANDOM=y
 BR2_PACKAGE_IITO=y
-BR2_PACKAGE_K8S_LOGGER=y
 BR2_PACKAGE_KEYACK=y
 BR2_PACKAGE_KLISH_PLUGIN_INFIX=y
 BR2_PACKAGE_LANDING=y

configs/x86_64_defconfig

@@ -138,7 +138,6 @@ BR2_PACKAGE_CONFD=y
 BR2_PACKAGE_CONFD_TEST_MODE=y
 BR2_PACKAGE_CURIOS_HTTPD=y
 BR2_PACKAGE_CURIOS_NFTABLES=y
-BR2_PACKAGE_EXECD=y
 BR2_PACKAGE_GENCERT=y
 BR2_PACKAGE_STATD=y
 BR2_PACKAGE_FACTORY=y
@@ -151,7 +150,6 @@ BR2_PACKAGE_FINIT_RTC_FILE="/var/lib/misc/rtc"
 BR2_PACKAGE_FINIT_PLUGIN_TTY=y
 BR2_PACKAGE_FINIT_PLUGIN_URANDOM=y
 BR2_PACKAGE_IITO=y
-BR2_PACKAGE_K8S_LOGGER=y
 BR2_PACKAGE_KEYACK=y
 BR2_PACKAGE_KLISH_PLUGIN_INFIX=y
 BR2_PACKAGE_LANDING=y

doc/ChangeLog.md

@@ -10,15 +10,37 @@ All notable changes to the project are documented in this file.
 ### Changes
  - Allow setting IP address directly on VLAN filtering bridges.  This
    only works when the bridge is an untagged member of a (single) VLAN.
+ - cli: usability -- showing log files now automatically jump to the end
+   of the file, where the latest events are
+ - cli: usability -- showing container status, or other status that
+   overflows the terminal horizontally, now wrap the lines and exit the
+   pager immediately if the contents fit on the first screen
+ - The default log level of the mDNS responder, `avahi-daemon`, has been
+   adjusted to make it less verbose.  Now only `LOG_NOTICE` and higher
+   severity is logged -- making it very quiet
 
 ### Fixes
 
  - Fix #685: DSA conduit interface not always detected.  Previous
    attempt at a fix (v24.10.2) mitigated the issue, but did not
    completely solve it.
+ - Fix #835: redesign how the system creates/deletes containers from the
+   `running-config`.  Prior to this change, all removal and creation was
+   handled by a separate queue that ran asynchronously from the `confd`
+   process.  This could lead to situations where new configurations are
+   applied before the queue had been fully processed.  After this change
+   containers are deleted synchronously and new containers are created
+   in the same flow as during normal runtime operation (start/upgrade)
+ - Fix start of containers with `manual=True` option should now work
+   again, regression in v24.11.0
+ - Stop the zeroconf (IPv4LL) agent, `avahi-autoipd`, when removing an
+   interface, e.g., `br0`
+ - Creating more than one container trigger restarts of previously set
+   up containers.  Which in some cases may cause these earlier ones to
+   end up in an inconsistent state
  - Prevent traffic assigned to locally terminated VLANs from being
-   forwarded, when the underlying ports are simultaneously attached to a
-   VLAN filtering bridge.
+   forwarded, when the underlying ports are simultaneously attached to
+   a VLAN filtering bridge.
 
 
 [v24.11.0][] - 2024-11-20

package/execd/tmpfiles.conf

@@ -1,7 +1 @@
-d  /run/containers/args		0700 - -
-d  /run/containers/files	0700 - -
-d  /var/lib/containers/oci	0755 - -
-d  /run/containers/inbox	0700 - -
 d  /run/containers/queue	0700 - -
-d  /run/cni			0755 - -
-L+ /var/lib/cni                 -    - - - /run/cni