Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Sidecars doesn't get terminated when the binary is in the nop image #1347

Closed
chmouel opened this issue Sep 23, 2019 · 11 comments
Closed

Sidecars doesn't get terminated when the binary is in the nop image #1347

chmouel opened this issue Sep 23, 2019 · 11 comments
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

@chmouel
Copy link
Member

chmouel commented Sep 23, 2019

Expected Behavior

Sidecars get terminated along the main container

Actual Behavior

This is a followup to the discussion we had with @sbwsg on this issue :

#1253 (comment)

Since the sidecar tests has been implemented we have seen some issues on our openshift based CI. The test would run waiting for a terminate state and fails waiting. Here is the test :

https://github.com/chmouel/tektoncd-pipeline/blob/chmouel-ci-test-1809/test/sidecar_test.go#L105-L107

We believe that we only just figured this out, It seems that it is because of the base image we are using that are based on a RHEL image called registry.access.redhat.com/ubi8/ubi:latest.

With KO the nop image is by default based according to https://github.com/google/ko#overriding-the-default-base-image on gcr.io/distroless/base:latestwhich has no /bin/sh while the RHEL image has.

We are guessing of what's happening is :

  • a main container runs with a sidecar container
  • the main and sidecar containers are both doing /bin/sh scripts like this :
    https://github.com/chmouel/tektoncd-pipeline/blob/chmouel-ci-test-1809/test/sidecar_test.go#L49-L50
  • the main container gets killed, tekton controller sees that there is a sidecar container and replaces the main image name with a nop image and keep the same arguments.
  • If the nop container is able to run those arguments then it continue running instead of getting to killed state as it should be.

Steps to Reproduce the Problem

  1. override the base image for nop with a container that has /bin/sh
diff --git a/.ko.yaml b/.ko.yaml
index 9b34cc27..27524d01 100644
--- a/.ko.yaml
+++ b/.ko.yaml
@@ -1,4 +1,5 @@
 baseImageOverrides:
+  github.com/tektoncd/pipeline/cmd/nop: google/cloud-sdk:alpine
   # TODO(christiewilson): Use our built base image
   github.com/tektoncd/pipeline/cmd/creds-init: gcr.io/knative-nightly/github.com/knative/build/build-base:latest
   github.com/tektoncd/pipeline/cmd/git-init: gcr.io/knative-nightly/github.com/knative/build/build-base:latest
  1. Run the TestSideCar test :
% go test -failfast -v -count=1 -tags=e2e -ldflags '-X github.com/tektoncd/pipeline/test.missingKoFatal=false' ./test -timeout=20m --kubeconfig $KUBECONFIG -run TestSidecarTaskSupport

Additional Info

We probably want to figure why rewriting the Entrypoint is not possible.

/kind bug
/cc @sbwsg

@tekton-robot tekton-robot added the kind/bug Categorizes issue or PR as related to a bug. label Sep 23, 2019
@vdemeester vdemeester added this to the Pipelines 0.8 🐱 milestone Sep 23, 2019
@chmouel chmouel changed the title SideCarding seems broken Sidecars doesn't get terminated when the binary is in the nop image Sep 24, 2019
chmouel added a commit to chmouel/tektoncd-pipeline that referenced this issue Sep 24, 2019
This is a very cheeky hack, sidecar is currently broken with our nop image so we
just use nightly `nop` from upstream CI. `nop` should not change or do anything
differently with a different base so we should be safe until
tektoncd#1347 gets fixed.

Signed-off-by: Chmouel Boudjnah <[email protected]>
chmouel added a commit to chmouel/tektoncd-pipeline that referenced this issue Sep 24, 2019
This is a very cheeky hack, sidecar is currently broken with our nop image so we
just use nightly `nop` from upstream CI. `nop` should not change or do anything
differently with a different base so we should be safe until
tektoncd#1347 gets fixed.

Signed-off-by: Chmouel Boudjnah <[email protected]>
@chmouel
Copy link
Member Author

chmouel commented Sep 24, 2019

Related Kubernetes issue for a RFE allowing spec.Container.Command to be modified kubernetes/kubernetes#83059

@ghost
Copy link

ghost commented Sep 24, 2019

Ah, great work figuring this out @chmouel! I'm wondering - what is the reason for overriding the nop image?

@ghost
Copy link

ghost commented Sep 24, 2019

Oh wait, nevermind, I see that https://github.com/google/ko#overriding-the-default-base-image describes some reasons to do so.

@chmouel
Copy link
Member Author

chmouel commented Sep 24, 2019

Our case is a bit different,

As a policy (and our CI enforces it) all our images needs to use our official distro so we have to base the nop image against a minimal RHEL container (called UBI).

@ghost
Copy link

ghost commented Sep 24, 2019

Does UBI contain a kill binary? If so then this issue may be resolved by #1131 since, once implemented, that would no longer perform a nop image swap (and at the same time would introduce a nice simple contract for sidecar containers that want to be stopped "gracefully").

@ghost
Copy link

ghost commented Sep 24, 2019

There is also the ongoing sidecar KEP which is progressively being implemented in Kubernetes. kubernetes/enhancements#753 (and which Tekton may eventually use "under the hood" to run the sidecars).

@chmouel
Copy link
Member Author

chmouel commented Sep 24, 2019

@sbwsg ah really nice yes we do have a kill binary :

image

but if I understand your comment here #1131 (comment) you want to SIGKILL process 1 in the sidecar container before it gets replaced to nop. That sidecar container is whatever the user choose to be, we are not enforcing our base images on this one, it's only on the images we ship from tekton that we have a RHEL base.

So what I am trying to say is that if we come down to the bullet point number 3. from your comment where we endup doing the swap this would end up the same as what we have here.

Having said that I don't see any alternative and if we implement #1131 things would def be better,

I am still wondering why k8 allows us to change the image name and not the entrypoints,

kubernetes/enhancements#753 is definitively the way to go, glad to see something like this being worked on.

@ghost
Copy link

ghost commented Sep 24, 2019

it's only on the images we ship from tekton that we have a RHEL base.

Ah yeah good point!

@ghost
Copy link

ghost commented Oct 24, 2019

At least in the short term i think we should document this. I will do this today.

@ghost
Copy link

ghost commented Oct 24, 2019

#1464

tekton-robot pushed a commit that referenced this issue Oct 25, 2019
Sidecars are stopped by having their Image field swapped out to the
`nop` image. When the nop image starts up in the sidecar container it is
supposed to immediately exit because `nop` doesn't include the sidecar's
command. However, when the `nop` image *does* contain the command that
the sidecar is running, the sidecar container will actually never stop
and the Task will eventually timeout.

For most sidecars this issue will not manifest - the `nop` container
that Tekton provides out of the box includes only a very limited set of
commands. However, if a Tekton operator overrides the `nop` image when
deploying the tekton controller (for example, because their organization
requires images configured for Tekton to be built on their org's own base
image) then there is a risk that `nop` will start offering more commands
and therefore introduce a higher risk that a sidecar's command will be
runnable by the `nop` image finally increasing the likelihood of Tasks
with sidecars running until timeout.

This issue is a known bug with the way sidecars operate at the moment
and is being tracked in #1347
but should be documented clearly.
@bobcatfish bobcatfish modified the milestones: Pipelines 0.9 🐱, Pipelines 1.1 / Post-beta 🐱 Oct 30, 2019
@ghost
Copy link

ghost commented Apr 27, 2020

Now that this is documented I'm going to close this issue.

This issue was closed.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
kind/bug Categorizes issue or PR as related to a bug.
Projects
None yet
Development

No branches or pull requests

5 participants