server: Serialize container/pod creation with updates
Interleaving asynchronous updates with pod or container creations can lead to unrecoverable races and corruptions of the pod or container hash tables. This is fixed by serializing update against pod or container creation operations, while pod and container creation operations can run in parallel. Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
This commit is contained in:
parent
d1006fdfbc
commit
be5084387c
3 changed files with 11 additions and 0 deletions
|
@ -207,6 +207,10 @@ func setupContainerUser(specgen *generate.Generator, rootfs string, sc *pb.Linux
|
||||||
func (s *Server) CreateContainer(ctx context.Context, req *pb.CreateContainerRequest) (res *pb.CreateContainerResponse, err error) {
|
func (s *Server) CreateContainer(ctx context.Context, req *pb.CreateContainerRequest) (res *pb.CreateContainerResponse, err error) {
|
||||||
logrus.Debugf("CreateContainerRequest %+v", req)
|
logrus.Debugf("CreateContainerRequest %+v", req)
|
||||||
s.Update()
|
s.Update()
|
||||||
|
|
||||||
|
s.updateLock.RLock()
|
||||||
|
defer s.updateLock.RUnlock()
|
||||||
|
|
||||||
sbID := req.PodSandboxId
|
sbID := req.PodSandboxId
|
||||||
if sbID == "" {
|
if sbID == "" {
|
||||||
return nil, fmt.Errorf("PodSandboxId should not be empty")
|
return nil, fmt.Errorf("PodSandboxId should not be empty")
|
||||||
|
|
|
@ -65,6 +65,9 @@ func (s *Server) runContainer(container *oci.Container, cgroupParent string) err
|
||||||
|
|
||||||
// RunPodSandbox creates and runs a pod-level sandbox.
|
// RunPodSandbox creates and runs a pod-level sandbox.
|
||||||
func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest) (resp *pb.RunPodSandboxResponse, err error) {
|
func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest) (resp *pb.RunPodSandboxResponse, err error) {
|
||||||
|
s.updateLock.RLock()
|
||||||
|
defer s.updateLock.RUnlock()
|
||||||
|
|
||||||
logrus.Debugf("RunPodSandboxRequest %+v", req)
|
logrus.Debugf("RunPodSandboxRequest %+v", req)
|
||||||
var processLabel, mountLabel, netNsPath, resolvPath string
|
var processLabel, mountLabel, netNsPath, resolvPath string
|
||||||
// process req.Name
|
// process req.Name
|
||||||
|
|
|
@ -34,6 +34,7 @@ type Server struct {
|
||||||
images storage.ImageServer
|
images storage.ImageServer
|
||||||
storage storage.RuntimeServer
|
storage storage.RuntimeServer
|
||||||
stateLock sync.Mutex
|
stateLock sync.Mutex
|
||||||
|
updateLock sync.RWMutex
|
||||||
state *serverState
|
state *serverState
|
||||||
netPlugin ocicni.CNIPlugin
|
netPlugin ocicni.CNIPlugin
|
||||||
podNameIndex *registrar.Registrar
|
podNameIndex *registrar.Registrar
|
||||||
|
@ -287,6 +288,9 @@ func (s *Server) Update() {
|
||||||
}
|
}
|
||||||
|
|
||||||
func (s *Server) update() error {
|
func (s *Server) update() error {
|
||||||
|
s.updateLock.Lock()
|
||||||
|
defer s.updateLock.Unlock()
|
||||||
|
|
||||||
containers, err := s.store.Containers()
|
containers, err := s.store.Containers()
|
||||||
if err != nil && !os.IsNotExist(err) {
|
if err != nil && !os.IsNotExist(err) {
|
||||||
logrus.Warnf("could not read containers and sandboxes: %v", err)
|
logrus.Warnf("could not read containers and sandboxes: %v", err)
|
||||||
|
|
Loading…
Reference in a new issue