ssh: fix error on commandconn close, add ping and default timeout #4226
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
laurazard
force-pushed
the
fix-connhelper-docker-example
branch
from
4782087
to
4bcf2a7
Compare
Codecov Report
Additional details and impacted files@@ Coverage Diff @@
## master #4226 +/- ##
==========================================
+ Coverage 59.07% 59.29% +0.22%
==========================================
Files 287 288 +1
Lines 24752 24769 +17
==========================================
+ Hits 14623 14688 +65
+ Misses 9249 9197 -52
- Partials 880 884 +4 |
thaJeztah
reviewed
Apr 26, 2023
laurazard
force-pushed
the
fix-connhelper-docker-example
branch
from
4bcf2a7
to
8841e13
Compare
laurazard
changed the title
laurazard
force-pushed
the
fix-connhelper-docker-example
branch
from
8841e13
to
8dd8535
Compare
thaJeztah
reviewed
Apr 28, 2023
laurazard
force-pushed
the
fix-connhelper-docker-example
branch
4 times, most recently
from
e36a5d5
to
02c34ad
Compare
thaJeztah
reviewed
May 2, 2023
laurazard
force-pushed
the
fix-connhelper-docker-example
branch
4 times, most recently
from
4f18381
to
592fa93
Compare
|
/cc @AkihiroSuda perhaps you want to have a look as well |
thaJeztah
reviewed
Jun 5, 2023
|
opened laurazard#1 (please squash with your commits, and (as mentioned) feel free to update/ignore/whatever). |
--- commandconn: fix race on `Close()` During normal operation, if a `Read()` or `Write()` call results in an EOF, we call `onEOF()` to handle the terminating command, and store it's exit value. However, if a Read/Write call was blocked while `Close()` is called the in/out pipes are immediately closed which causes an EOF to be returned. Here, we shouldn't call `onEOF()`, since the reason why we got an EOF is because we're already terminating the connection. This also prevents a race between two calls to the commands `Wait()`, in the `Close()` call and `onEOF()` --- Add CLI init timeout to SSH connections --- connhelper: add 30s ssh default dialer timeout (same as non-ssh dialer) Signed-off-by: Laura Brehm <laurabrehm@hey.com>
laurazard
force-pushed
the
fix-connhelper-docker-example
branch
from
50d81c8
to
a5ebe22
Compare
|
@thaJeztah I merged your changes (thank you!) |
|
@rumpl @AkihiroSuda ptal 🤗 |
vvoland
approved these changes
Jun 9, 2023
AkihiroSuda
reviewed
Jun 10, 2023
| assert.Check(t, !process.Alive(cmdConn.cmd.Process.Pid)) | ||
|
|
||
| readErr := <-readErrC | ||
| assert.ErrorContains(t, readErr, "EOF") |
There was a problem hiding this comment.
Can't we use errors.Is(readErr, io.EOF)?
This was referenced Jul 18, 2023
tianon
reviewed
Sep 28, 2023
| cmdMutex sync.Mutex // for cmd, cmdWaitErr | ||
| cmd *exec.Cmd | ||
| cmdWaitErr error | ||
| cmdExited atomic.Bool |
There was a problem hiding this comment.
Similar to moby/moby#45966 (comment), this means we should update our go 1.18 line in vendor.mod to at least 1.19 😅
# github.com/docker/cli/cli/connhelper/commandconn
cli/connhelper/commandconn/commandconn.go:71:22: undefined: atomic.Bool
cli/connhelper/commandconn/commandconn.go:76:22: undefined: atomic.Bool
cli/connhelper/commandconn/commandconn.go:77:22: undefined: atomic.Bool
cli/connhelper/commandconn/commandconn.go:78:22: undefined: atomic.BoolThere was a problem hiding this comment.
Hello @tianon, are you interested in contributing to open source and opening a PR? 😉
There was a problem hiding this comment.
Naw, open source isn't really my thing 😂
(totally fair callout, I'll see what I can do)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
- Related
- TLDR
During CLI initialization we ping the configured host. Initially, we set no context timeout for these connections, and after b397391 we set timeouts but only for TCP connections (which then got changed in #3722 to only specifically exclude SSH connections and not sockets).
This looks to be due to errory looking logs from
cli/connhelper/commandconn/commandconn.goonClose()– which gets called byhttp.Transportwhen the request context times out.However, these logs are being thrown erroneously –
commandconn.kill()states that it will return nil if the command terminates regardless of it's exit status:cli/cli/connhelper/commandconn/commandconn.go
Line 113 in 26a7357
But the implementation does not hold up to this contract:
cli/cli/connhelper/commandconn/commandconn.go
Line 130 in 26a7357
since
ProcessState.Exited()returns true only if the program exited due to callingexitand not if the program was terminated by a signal (this probably does works on Windows since hereProcessState.Exited()returns true if the program has exited either way, but not on POSIXy OSs).If
commandconn.kill()is fixed to always returnnilwhen the command has terminated, setting timeouts on contexts passed to SSH connections works fine and we no longer need special handling.Other than that, I also added
-o ConnectTimeout=30to the created SSH command, which serves to align with the timeout from the client returned for non-SSH connections incli/cli/context/docker/load.go
Line 134 in 26a7357
docker statsor anattachwon't time out after 30s.During this I also found a racy call to
cmd.Wait()betweenClose()andonEOF(), since callingClosewill close the command's stdin/out pipes, which will throw an EOF to pending reads, triggering a call toonEOF(), but afterwardsClosewill also callkill()which will also callcmd.Wait()- What I did
cli/connhelper/commandconn/commandconn.go:kill(): Fix implementation so we don't return an error when process is successfully closedWrite()/Read(): Prevent race by checking if connection is being closedcli/command/cli.go:initializeFromClient(): remove SSH special handling so we also add timeout for SSH connectionscli/context/docker/load.go:ClientOpts(): add 30s timeout to align with non-SSH client- How to verify it
DOCKER_HOST=ssh://example.com docker: no longer hangs forever, now it returns after the default 2s CLI init timeoutDOCKER_HOST=ssh://example.com docker version: no longer hangs forever, now it will timeout after 30s (can be more if the host resolves to more than 1 IP address)- Description for the changelog
- A picture of a cute animal (not mandatory but encouraged)