From afea6b981be5dbe0221916980a3e2b9ca8bc48af Mon Sep 17 00:00:00 2001 From: Marco Fargetta Date: Wed, 18 Dec 2024 12:13:55 +0100 Subject: [PATCH 1/2] Fix container restart issue When container are restarted with podman the restart will send the TERM signal to the entry process. Since the main entry for these container is a script running other script and waiting the signal are not propagated to the thread group making the restart hanging until a KILL signal is used but these return with an error code making the automation failing. --- .github/workflows/ca-container-basic-test.yml | 1 + .../workflows/ca-container-existing-certs-test.yml | 2 +- .github/workflows/kra-container-test.yml | 4 ++-- .github/workflows/ocsp-container-test.yml | 4 ++-- .github/workflows/server-container-test.yml | 2 +- .github/workflows/tks-container-test.yml | 2 +- .github/workflows/tps-container-test.yml | 4 ++-- base/ca/bin/pki-ca-run | 11 ++++++++--- base/kra/bin/pki-kra-run | 11 ++++++++--- base/ocsp/bin/pki-ocsp-run | 11 ++++++++--- base/server/bin/pki-server-run | 10 ++++++++-- base/tks/bin/pki-tks-run | 10 ++++++++-- base/tps/bin/pki-tps-run | 10 ++++++++-- 13 files changed, 58 insertions(+), 24 deletions(-) diff --git a/.github/workflows/ca-container-basic-test.yml b/.github/workflows/ca-container-basic-test.yml index 6c577fd4539..7e672a808f3 100644 --- a/.github/workflows/ca-container-basic-test.yml +++ b/.github/workflows/ca-container-basic-test.yml @@ -312,6 +312,7 @@ jobs: - name: Restart CA run: | docker restart ca + sleep 10 # wait for CA to restart docker exec client curl \ diff --git a/.github/workflows/ca-container-existing-certs-test.yml b/.github/workflows/ca-container-existing-certs-test.yml index b388707063a..18c23ad5ca3 100644 --- a/.github/workflows/ca-container-existing-certs-test.yml +++ b/.github/workflows/ca-container-existing-certs-test.yml 
@@ -403,7 +403,7 @@ jobs: - name: Restart CA run: | docker restart ca - sleep 5 + sleep 10 # wait for CA to restart docker exec client curl \ diff --git a/.github/workflows/kra-container-test.yml b/.github/workflows/kra-container-test.yml index a0df464d3b7..821820a5985 100644 --- a/.github/workflows/kra-container-test.yml +++ b/.github/workflows/kra-container-test.yml @@ -487,7 +487,7 @@ jobs: - name: Restart CA run: | docker restart ca - sleep 5 + sleep 10 # wait for CA to restart docker exec client curl \ @@ -623,7 +623,7 @@ jobs: - name: Restart KRA run: | docker restart kra - sleep 5 + sleep 10 # wait for KRA to restart docker exec client curl \ diff --git a/.github/workflows/ocsp-container-test.yml b/.github/workflows/ocsp-container-test.yml index 9a5927042aa..53e08de031c 100644 --- a/.github/workflows/ocsp-container-test.yml +++ b/.github/workflows/ocsp-container-test.yml @@ -487,7 +487,7 @@ jobs: - name: Restart CA run: | docker restart ca - sleep 5 + sleep 10 # wait for CA to restart docker exec client curl \ @@ -645,7 +645,7 @@ jobs: - name: Restart OCSP run: | docker restart ocsp - sleep 5 + sleep 10 # wait for OCSP to restart docker exec client curl \ diff --git a/.github/workflows/server-container-test.yml b/.github/workflows/server-container-test.yml index b1df856dc97..f5d2b314bd7 100644 --- a/.github/workflows/server-container-test.yml +++ b/.github/workflows/server-container-test.yml @@ -148,7 +148,7 @@ jobs: - name: Restart server run: | docker restart server - sleep 5 + sleep 10 # wait for server to restart docker exec client curl \ diff --git a/.github/workflows/tks-container-test.yml b/.github/workflows/tks-container-test.yml index f5cdbe6ad7b..c559008f586 100644 --- a/.github/workflows/tks-container-test.yml +++ b/.github/workflows/tks-container-test.yml @@ -428,7 +428,7 @@ jobs: - name: Restart TKS run: | docker restart tks - sleep 5 + sleep 10 # wait for TKS to restart docker exec client curl \ 
diff --git a/.github/workflows/tps-container-test.yml b/.github/workflows/tps-container-test.yml index 6a5ff8f4791..158a87f991a 100644 --- a/.github/workflows/tps-container-test.yml +++ b/.github/workflows/tps-container-test.yml @@ -415,7 +415,7 @@ jobs: - name: Restart CA run: | docker restart ca - sleep 5 + sleep 10 # wait for CA to restart docker exec client curl \ @@ -785,7 +785,7 @@ jobs: - name: Restart TPS run: | docker restart tps - sleep 5 + sleep 10 # wait for TPS to restart docker exec client curl \ diff --git a/base/ca/bin/pki-ca-run b/base/ca/bin/pki-ca-run index 280e1f6a61c..30a2324b83f 100755 --- a/base/ca/bin/pki-ca-run +++ b/base/ca/bin/pki-ca-run @@ -361,15 +361,20 @@ rm /tmp/sslserver.crt echo "################################################################################" echo "INFO: Starting CA server" +trap "kill -- -$(ps -o pgid= $PID | grep -o '[0-9]*')" TERM + if [ "$UID" = "0" ]; then # In Docker the server runs as root user but it will switch # into pkiuser (UID=17) that belongs to the root group (GID=0). - pki-server run - + pki-server run & + PID=$! + wait $PID else # In OpenShift/Podman the server runs as a non-root user # (with a random UID) that belongs to the root group (GID=0). # # https://www.redhat.com/en/blog/jupyter-on-openshift-part-6-running-as-an-assigned-user-id - pki-server run --as-current-user + pki-server run --as-current-user & + PID=$! + wait $PID fi diff --git a/base/kra/bin/pki-kra-run b/base/kra/bin/pki-kra-run index 4c2b63efc15..5a07cc92521 100755 --- a/base/kra/bin/pki-kra-run +++ b/base/kra/bin/pki-kra-run 
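Review bot: The handler on the `+trap "kill -- -$(ps -o pgid= $PID | grep -o '[0-9]*')" TERM` line is double-quoted, so the command substitution runs when the trap is installed, while `$PID` is still unset (it is only assigned from `$!` after `pki-server run &` further down); the process-group id baked into the handler is whatever `ps` printed at that moment, not the server's. Single quotes defer the expansion to signal time: `trap 'kill -- -$(ps -o pgid= "$PID" | grep -o "[0-9]*")' TERM`. When the handler fires during `wait $PID`, that wait returns immediately with status 128+15 and the script exits before the server has finished shutting down, so each branch should `wait $PID` a second time so the exit status is the server's. The same trap/wait pattern is in the pki-kra-run, pki-ocsp-run, pki-server-run, pki-tks-run and pki-tps-run hunks. If `pki-server run` does not put its children in a separate process group, `exec pki-server run` (and `exec pki-server run --as-current-user`) would deliver TERM to the server directly with no handler at all — worth confirming against what pki-server forks.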
@@ -199,15 +199,20 @@ find /logs -type d -exec chmod +rwx -- {} + echo "################################################################################" echo "INFO: Starting KRA server" +trap "kill -- -$(ps -o pgid= $PID | grep -o '[0-9]*')" TERM + if [ "$UID" = "0" ]; then # In Docker the server runs as root user but it will switch # into pkiuser (UID=17) that belongs to the root group (GID=0). - pki-server run - + pki-server run & + PID=$! + wait $PID else # In OpenShift/Podman the server runs as a non-root user # (with a random UID) that belongs to the root group (GID=0). # # https://www.redhat.com/en/blog/jupyter-on-openshift-part-6-running-as-an-assigned-user-id - pki-server run --as-current-user + pki-server run --as-current-user & + PID=$! + wait $PID fi diff --git a/base/ocsp/bin/pki-ocsp-run b/base/ocsp/bin/pki-ocsp-run index ebc27fdb7c8..fa6f6b2f94f 100755 --- a/base/ocsp/bin/pki-ocsp-run +++ b/base/ocsp/bin/pki-ocsp-run @@ -180,15 +180,20 @@ find /logs -type d -exec chmod +rwx -- {} + echo "################################################################################" echo "INFO: Starting OCSP server" +trap "kill -- -$(ps -o pgid= $PID | grep -o '[0-9]*')" TERM + if [ "$UID" = "0" ]; then # In Docker the server runs as root user but it will switch # into pkiuser (UID=17) that belongs to the root group (GID=0). - pki-server run - + pki-server run & + PID=$! + wait $PID else # In OpenShift/Podman the server runs as a non-root user # (with a random UID) that belongs to the root group (GID=0). # # https://www.redhat.com/en/blog/jupyter-on-openshift-part-6-running-as-an-assigned-user-id - pki-server run --as-current-user + pki-server run --as-current-user & + PID=$! + wait $PID fi diff --git a/base/server/bin/pki-server-run b/base/server/bin/pki-server-run index 735955d1dbb..42f4d28e0cf 100755 --- a/base/server/bin/pki-server-run +++ b/base/server/bin/pki-server-run 
@@ -228,15 +228,21 @@ rm /tmp/sslserver.crt echo "################################################################################" echo "INFO: Starting PKI server" +trap "kill -- -$(ps -o pgid= $PID | grep -o '[0-9]*')" TERM + if [ "$UID" = "0" ]; then # In Docker the server runs as root user but it will switch # into pkiuser (UID=17) that belongs to the root group (GID=0). - pki-server run + pki-server run & + PID=$! + wait $PID else # In OpenShift/Podman the server runs as a non-root user # (with a random UID) that belongs to the root group (GID=0). # # https://www.redhat.com/en/blog/jupyter-on-openshift-part-6-running-as-an-assigned-user-id - pki-server run --as-current-user + pki-server run --as-current-user & + PID=$! + wait $PID fi diff --git a/base/tks/bin/pki-tks-run b/base/tks/bin/pki-tks-run index 3845f26723d..270deef951f 100644 --- a/base/tks/bin/pki-tks-run +++ b/base/tks/bin/pki-tks-run @@ -161,15 +161,21 @@ find /logs -type d -exec chmod +rwx -- {} + echo "################################################################################" echo "INFO: Starting TKS server" +trap "kill -- -$(ps -o pgid= $PID | grep -o '[0-9]*')" TERM + if [ "$UID" = "0" ]; then # In Docker the server runs as root user but it will switch # into pkiuser (UID=17) that belongs to the root group (GID=0). - pki-server run + pki-server run & + PID=$! + wait $PID else # In OpenShift/Podman the server runs as a non-root user # (with a random UID) that belongs to the root group (GID=0). # # https://www.redhat.com/en/blog/jupyter-on-openshift-part-6-running-as-an-assigned-user-id - pki-server run --as-current-user + pki-server run --as-current-user & + PID=$! + wait $PID fi diff --git a/base/tps/bin/pki-tps-run b/base/tps/bin/pki-tps-run index dcbc2976a63..87d4f848a9b 100644 --- a/base/tps/bin/pki-tps-run +++ b/base/tps/bin/pki-tps-run 
@@ -168,15 +168,21 @@ find /logs -type d -exec chmod +rwx -- {} + echo "################################################################################" echo "INFO: Starting TPS server" +trap "kill -- -$(ps -o pgid= $PID | grep -o '[0-9]*')" TERM + if [ "$UID" = "0" ]; then # In Docker the server runs as root user but it will switch # into pkiuser (UID=17) that belongs to the root group (GID=0). - pki-server run + pki-server run & + PID=$! + wait $PID else # In OpenShift/Podman the server runs as a non-root user # (with a random UID) that belongs to the root group (GID=0). # # https://www.redhat.com/en/blog/jupyter-on-openshift-part-6-running-as-an-assigned-user-id - pki-server run --as-current-user + pki-server run --as-current-user & + PID=$! + wait $PID fi From 46952529c32776e2c7972ae60962bf99137787bd Mon Sep 17 00:00:00 2001 From: Marco Fargetta Date: Wed, 18 Dec 2024 14:56:07 +0100 Subject: [PATCH 2/2] CI Restart network interface in podman container When a podman container restarts the network interface does not always get updated correctly, making the following communications with the container fail. Reload the network solve the problems when it is present. --- .github/workflows/ca-container-basic-test.yml | 2 ++ .github/workflows/ca-container-existing-certs-test.yml | 2 ++ .github/workflows/kra-container-test.yml | 4 ++++ .github/workflows/ocsp-container-test.yml | 4 ++++ .github/workflows/server-container-test.yml | 2 ++ .github/workflows/tks-container-test.yml | 2 ++ .github/workflows/tps-container-test.yml | 4 ++++ 7 files changed, 20 insertions(+) diff --git a/.github/workflows/ca-container-basic-test.yml b/.github/workflows/ca-container-basic-test.yml index 7e672a808f3..303e16388ed 100644 --- a/.github/workflows/ca-container-basic-test.yml +++ b/.github/workflows/ca-container-basic-test.yml @@ -314,6 +314,8 @@ jobs: docker restart ca sleep 10 + docker network reload --all + # wait for CA to restart docker exec client curl \ --retry 180 \ 
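Review bot: `docker network reload --all` on the added line is a Podman subcommand; the Docker CLI has no `network reload`, so this step only works where `docker` resolves to podman (as the commit message implies for this CI) and would fail the job otherwise — a comment such as `# podman-only: docker has no 'network reload'` next to it would save the next reader the surprise. `--all` also reloads every network on the host rather than the one the `ca` container is attached to; if that network's name is known in this workflow, `docker network reload <network-name-placeholder>` would be the narrower call. The same line is added in the ca-container-existing-certs, kra, ocsp, server, tks and tps workflow hunks.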
diff --git a/.github/workflows/ca-container-existing-certs-test.yml b/.github/workflows/ca-container-existing-certs-test.yml index 18c23ad5ca3..c44b3e82f21 100644 --- a/.github/workflows/ca-container-existing-certs-test.yml +++ b/.github/workflows/ca-container-existing-certs-test.yml @@ -405,6 +405,8 @@ jobs: docker restart ca sleep 10 + docker network reload --all + # wait for CA to restart docker exec client curl \ --retry 180 \ diff --git a/.github/workflows/kra-container-test.yml b/.github/workflows/kra-container-test.yml index 821820a5985..0b1a3b84343 100644 --- a/.github/workflows/kra-container-test.yml +++ b/.github/workflows/kra-container-test.yml @@ -489,6 +489,8 @@ jobs: docker restart ca sleep 10 + docker network reload --all + # wait for CA to restart docker exec client curl \ --retry 180 \ @@ -625,6 +627,8 @@ jobs: docker restart kra sleep 10 + docker network reload --all + # wait for KRA to restart docker exec client curl \ --retry 180 \ diff --git a/.github/workflows/ocsp-container-test.yml b/.github/workflows/ocsp-container-test.yml index 53e08de031c..1435edca3ea 100644 --- a/.github/workflows/ocsp-container-test.yml +++ b/.github/workflows/ocsp-container-test.yml @@ -489,6 +489,8 @@ jobs: docker restart ca sleep 10 + docker network reload --all + # wait for CA to restart docker exec client curl \ --retry 180 \ @@ -647,6 +649,8 @@ jobs: docker restart ocsp sleep 10 + docker network reload --all + # wait for OCSP to restart docker exec client curl \ --retry 180 \ diff --git a/.github/workflows/server-container-test.yml b/.github/workflows/server-container-test.yml index f5d2b314bd7..d8ad9d7022e 100644 --- a/.github/workflows/server-container-test.yml +++ b/.github/workflows/server-container-test.yml @@ -150,6 +150,8 @@ jobs: docker restart server sleep 10 + docker network reload --all + # wait for server to restart docker exec client curl \ --retry 60 \ 
diff --git a/.github/workflows/tks-container-test.yml b/.github/workflows/tks-container-test.yml index c559008f586..dea84e94324 100644 --- a/.github/workflows/tks-container-test.yml +++ b/.github/workflows/tks-container-test.yml @@ -430,6 +430,8 @@ jobs: docker restart tks sleep 10 + docker network reload --all + # wait for TKS to restart docker exec client curl \ --retry 180 \ diff --git a/.github/workflows/tps-container-test.yml b/.github/workflows/tps-container-test.yml index 158a87f991a..c12e8523492 100644 --- a/.github/workflows/tps-container-test.yml +++ b/.github/workflows/tps-container-test.yml @@ -417,6 +417,8 @@ jobs: docker restart ca sleep 10 + docker network reload --all + # wait for CA to restart docker exec client curl \ --retry 180 \ @@ -787,6 +789,8 @@ jobs: docker restart tps sleep 10 + docker network reload --all + # wait for TPS to restart docker exec client curl \ --retry 180 \