From ddb0b115790f0af228ab43caf5fbc60148bcf713 Mon Sep 17 00:00:00 2001
From: Marco Fargetta
Date: Tue, 17 Dec 2024 11:47:12 +0100
Subject: [PATCH] Fix container restart issue

When container are restarted with podman the reestart will send the TERM signal to the entry process. Since the main entry for these container is a script running other script and waiting the singal are not propagated to the thread group making the restart hanging until a KILL signal is used but these return with an error code making the automation failing.
---
 .github/workflows/ca-container-basic-test.yml | 3 +++
 .../workflows/ca-container-existing-certs-test.yml | 3 ++-
 .github/workflows/kra-container-test.yml | 6 ++++--
 .github/workflows/ocsp-container-test.yml | 6 ++++--
 .github/workflows/server-container-test.yml | 3 ++-
 .github/workflows/tks-container-test.yml | 3 ++-
 .github/workflows/tps-container-test.yml | 6 ++++--
 base/ca/bin/pki-ca-run | 11 ++++++++---
 base/kra/bin/pki-kra-run | 11 ++++++++---
 base/ocsp/bin/pki-ocsp-run | 11 ++++++++---
 base/server/bin/pki-server-run | 10 ++++++++--
 base/tks/bin/pki-tks-run | 10 ++++++++--
 base/tps/bin/pki-tps-run | 10 ++++++++--
 13 files changed, 69 insertions(+), 24 deletions(-)

diff --git a/.github/workflows/ca-container-basic-test.yml b/.github/workflows/ca-container-basic-test.yml
index 6c577fd4539..3d31ee06b50 100644
--- a/.github/workflows/ca-container-basic-test.yml
+++ b/.github/workflows/ca-container-basic-test.yml
@@ -312,9 +312,12 @@ jobs:
 - name: Restart CA
 run: |
 docker restart ca
+ sleep 10
+ docker network reload --all
 # wait for CA to restart
 docker exec client curl \
+ -v \
 --retry 180 \
 --retry-delay 0 \
 --retry-connrefused \
diff --git a/.github/workflows/ca-container-existing-certs-test.yml b/.github/workflows/ca-container-existing-certs-test.yml
index b388707063a..dcd8f32eb42 100644
--- a/.github/workflows/ca-container-existing-certs-test.yml
+++ b/.github/workflows/ca-container-existing-certs-test.yml
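Review bot: `docker network reload --all` is added right after `docker restart ca` with nothing explaining why the container networks must be reloaded after a restart, and the commit message only describes the signal-forwarding change; Docker's own CLI has no `network reload` subcommand (it is a podman command), so unless `docker` on this runner is the podman-docker shim the step will fail outright. A comment on the line, e.g. `# podman: reload networks so the restarted CA is reachable again (<reason or issue reference>)` with the real reason filled in, would document both the dependency on podman and the intent. The same applies to the matching hunks in the ca-container-existing-certs, kra, ocsp, server, tks and tps workflows, which also raise the fixed `sleep 5` to `sleep 10` ahead of a curl that already retries on connection refused; if the sleep exists to cover the network reload rather than the restart itself, the same comment should say so.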
@@ -403,7 +403,8 @@ jobs:
 - name: Restart CA
 run: |
 docker restart ca
- sleep 5
+ sleep 10
+ docker network reload --all
 # wait for CA to restart
 docker exec client curl \
diff --git a/.github/workflows/kra-container-test.yml b/.github/workflows/kra-container-test.yml
index a0df464d3b7..f0053de520e 100644
--- a/.github/workflows/kra-container-test.yml
+++ b/.github/workflows/kra-container-test.yml
@@ -487,7 +487,8 @@ jobs:
 - name: Restart CA
 run: |
 docker restart ca
- sleep 5
+ sleep 10
+ docker network reload --all
 # wait for CA to restart
 docker exec client curl \
@@ -623,7 +624,8 @@ jobs:
 - name: Restart KRA
 run: |
 docker restart kra
- sleep 5
+ sleep 10
+ docker network reload --all
 # wait for KRA to restart
 docker exec client curl \
diff --git a/.github/workflows/ocsp-container-test.yml b/.github/workflows/ocsp-container-test.yml
index 9a5927042aa..1a0fe1d8ce9 100644
--- a/.github/workflows/ocsp-container-test.yml
+++ b/.github/workflows/ocsp-container-test.yml
@@ -487,7 +487,8 @@ jobs:
 - name: Restart CA
 run: |
 docker restart ca
- sleep 5
+ sleep 10
+ docker network reload --all
 # wait for CA to restart
 docker exec client curl \
@@ -645,7 +646,8 @@ jobs:
 - name: Restart OCSP
 run: |
 docker restart ocsp
- sleep 5
+ sleep 10
+ docker network reload --all
 # wait for OCSP to restart
 docker exec client curl \
diff --git a/.github/workflows/server-container-test.yml b/.github/workflows/server-container-test.yml
index b1df856dc97..a89d79e78d3 100644
--- a/.github/workflows/server-container-test.yml
+++ b/.github/workflows/server-container-test.yml
@@ -148,7 +148,8 @@ jobs:
 - name: Restart server
 run: |
 docker restart server
- sleep 5
+ sleep 10
+ docker network reload --all
 # wait for server to restart
 docker exec client curl \
diff --git a/.github/workflows/tks-container-test.yml b/.github/workflows/tks-container-test.yml
index f5cdbe6ad7b..eead63832bb 100644
--- a/.github/workflows/tks-container-test.yml
+++ b/.github/workflows/tks-container-test.yml
@@ -428,7 +428,8 @@ jobs:
 - name: Restart TKS
 run: |
 docker restart tks
- sleep 5
+ sleep 10
+ docker network reload --all
 # wait for TKS to restart
 docker exec client curl \
diff --git a/.github/workflows/tps-container-test.yml b/.github/workflows/tps-container-test.yml
index 6a5ff8f4791..8202f196c98 100644
--- a/.github/workflows/tps-container-test.yml
+++ b/.github/workflows/tps-container-test.yml
@@ -415,7 +415,8 @@ jobs:
 - name: Restart CA
 run: |
 docker restart ca
- sleep 5
+ sleep 10
+ docker network reload --all
 # wait for CA to restart
 docker exec client curl \
@@ -785,7 +786,8 @@ jobs:
 - name: Restart TPS
 run: |
 docker restart tps
- sleep 5
+ sleep 10
+ docker network reload --all
 # wait for TPS to restart
 docker exec client curl \
diff --git a/base/ca/bin/pki-ca-run b/base/ca/bin/pki-ca-run
index 280e1f6a61c..30a2324b83f 100755
--- a/base/ca/bin/pki-ca-run
+++ b/base/ca/bin/pki-ca-run
@@ -361,15 +361,20 @@ rm /tmp/sslserver.crt
 echo "################################################################################"
 echo "INFO: Starting CA server"
+trap "kill -- -$(ps -o pgid= $PID | grep -o '[0-9]*')" TERM
+
 if [ "$UID" = "0" ]; then
 # In Docker the server runs as root user but it will switch
 # into pkiuser (UID=17) that belongs to the root group (GID=0).
- pki-server run
-
+ pki-server run &
+ PID=$!
+ wait $PID
 else
 # In OpenShift/Podman the server runs as a non-root user
 # (with a random UID) that belongs to the root group (GID=0).
 #
 # https://www.redhat.com/en/blog/jupyter-on-openshift-part-6-running-as-an-assigned-user-id
- pki-server run --as-current-user
+ pki-server run --as-current-user &
+ PID=$!
+ wait $PID
 fi
diff --git a/base/kra/bin/pki-kra-run b/base/kra/bin/pki-kra-run
index 4c2b63efc15..5a07cc92521 100755
--- a/base/kra/bin/pki-kra-run
+++ b/base/kra/bin/pki-kra-run
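Review bot: The `trap "kill -- -$(ps -o pgid= $PID | grep -o '[0-9]*')" TERM` line at the top of the pki-ca-run hunk is double-quoted, so the command substitution runs when the trap is installed, before either `PID=$!` has executed, and the handler is frozen with whatever `ps -o pgid=` printed for an empty argument (possibly nothing, giving `kill -- -` at signal time) rather than the server's process group; the identical line is in the kra, ocsp, server, tks and tps hunks. Since this script is most likely PID 1 in the container and a background job of a non-interactive shell shares the script's process group, the value can also resolve to 1, and `kill -- -1` signals every process the caller may signal rather than one group. Deferring the lookup to signal time, waiting for the child inside the handler and exiting with its status also addresses the exit code the commit message is concerned with, because after the trap returns the interrupted `wait $PID` is the script's last command and yields 143. The unquoted `$PID` in `wait $PID` is harmless here but `wait "$PID"` keeps shellcheck quiet.
```shell
# Stop handler: TERM is forwarded to the server's process group and the
# child is waited for, so PID is read at signal time (not when the trap is
# set) and the script exits with the server's own status.
stop_server() {
  local pgid
  pgid=$(ps -o pgid= "$PID" | tr -d ' ')
  [ -n "$pgid" ] && kill -TERM -- "-$pgid"
  wait "$PID"
  exit "$?"
}
trap stop_server TERM

# … unchanged: if/else branches that start pki-server run & and set PID …
```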
@@ -199,15 +199,20 @@ find /logs -type d -exec chmod +rwx -- {} +
 echo "################################################################################"
 echo "INFO: Starting KRA server"
+trap "kill -- -$(ps -o pgid= $PID | grep -o '[0-9]*')" TERM
+
 if [ "$UID" = "0" ]; then
 # In Docker the server runs as root user but it will switch
 # into pkiuser (UID=17) that belongs to the root group (GID=0).
- pki-server run
-
+ pki-server run &
+ PID=$!
+ wait $PID
 else
 # In OpenShift/Podman the server runs as a non-root user
 # (with a random UID) that belongs to the root group (GID=0).
 #
 # https://www.redhat.com/en/blog/jupyter-on-openshift-part-6-running-as-an-assigned-user-id
- pki-server run --as-current-user
+ pki-server run --as-current-user &
+ PID=$!
+ wait $PID
 fi
diff --git a/base/ocsp/bin/pki-ocsp-run b/base/ocsp/bin/pki-ocsp-run
index ebc27fdb7c8..fa6f6b2f94f 100755
--- a/base/ocsp/bin/pki-ocsp-run
+++ b/base/ocsp/bin/pki-ocsp-run
@@ -180,15 +180,20 @@ find /logs -type d -exec chmod +rwx -- {} +
 echo "################################################################################"
 echo "INFO: Starting OCSP server"
+trap "kill -- -$(ps -o pgid= $PID | grep -o '[0-9]*')" TERM
+
 if [ "$UID" = "0" ]; then
 # In Docker the server runs as root user but it will switch
 # into pkiuser (UID=17) that belongs to the root group (GID=0).
- pki-server run
-
+ pki-server run &
+ PID=$!
+ wait $PID
 else
 # In OpenShift/Podman the server runs as a non-root user
 # (with a random UID) that belongs to the root group (GID=0).
 #
 # https://www.redhat.com/en/blog/jupyter-on-openshift-part-6-running-as-an-assigned-user-id
- pki-server run --as-current-user
+ pki-server run --as-current-user &
+ PID=$!
+ wait $PID
 fi
diff --git a/base/server/bin/pki-server-run b/base/server/bin/pki-server-run
index 735955d1dbb..42f4d28e0cf 100755
--- a/base/server/bin/pki-server-run
+++ b/base/server/bin/pki-server-run
@@ -228,15 +228,21 @@ rm /tmp/sslserver.crt
 echo "################################################################################"
 echo "INFO: Starting PKI server"
+trap "kill -- -$(ps -o pgid= $PID | grep -o '[0-9]*')" TERM
+
 if [ "$UID" = "0" ]; then
 # In Docker the server runs as root user but it will switch
 # into pkiuser (UID=17) that belongs to the root group (GID=0).
- pki-server run
+ pki-server run &
+ PID=$!
+ wait $PID
 else
 # In OpenShift/Podman the server runs as a non-root user
 # (with a random UID) that belongs to the root group (GID=0).
 #
 # https://www.redhat.com/en/blog/jupyter-on-openshift-part-6-running-as-an-assigned-user-id
- pki-server run --as-current-user
+ pki-server run --as-current-user &
+ PID=$!
+ wait $PID
 fi
diff --git a/base/tks/bin/pki-tks-run b/base/tks/bin/pki-tks-run
index 3845f26723d..270deef951f 100644
--- a/base/tks/bin/pki-tks-run
+++ b/base/tks/bin/pki-tks-run
@@ -161,15 +161,21 @@ find /logs -type d -exec chmod +rwx -- {} +
 echo "################################################################################"
 echo "INFO: Starting TKS server"
+trap "kill -- -$(ps -o pgid= $PID | grep -o '[0-9]*')" TERM
+
 if [ "$UID" = "0" ]; then
 # In Docker the server runs as root user but it will switch
 # into pkiuser (UID=17) that belongs to the root group (GID=0).
- pki-server run
+ pki-server run &
+ PID=$!
+ wait $PID
 else
 # In OpenShift/Podman the server runs as a non-root user
 # (with a random UID) that belongs to the root group (GID=0).
 #
 # https://www.redhat.com/en/blog/jupyter-on-openshift-part-6-running-as-an-assigned-user-id
- pki-server run --as-current-user
+ pki-server run --as-current-user &
+ PID=$!
+ wait $PID
 fi
diff --git a/base/tps/bin/pki-tps-run b/base/tps/bin/pki-tps-run
index dcbc2976a63..87d4f848a9b 100644
--- a/base/tps/bin/pki-tps-run
+++ b/base/tps/bin/pki-tps-run
@@ -168,15 +168,21 @@ find /logs -type d -exec chmod +rwx -- {} +
 echo "################################################################################"
 echo "INFO: Starting TPS server"
+trap "kill -- -$(ps -o pgid= $PID | grep -o '[0-9]*')" TERM
+
 if [ "$UID" = "0" ]; then
 # In Docker the server runs as root user but it will switch
 # into pkiuser (UID=17) that belongs to the root group (GID=0).
- pki-server run
+ pki-server run &
+ PID=$!
+ wait $PID
 else
 # In OpenShift/Podman the server runs as a non-root user
 # (with a random UID) that belongs to the root group (GID=0).
 #
 # https://www.redhat.com/en/blog/jupyter-on-openshift-part-6-running-as-an-assigned-user-id
- pki-server run --as-current-user
+ pki-server run --as-current-user &
+ PID=$!
+ wait $PID
 fi