server: Serialize container/pod creation with updates

Interleaving asynchronous updates with pod or container creations can
lead to unrecoverable races and corruptions of the pod or container hash
tables. This is fixed by serializing update against pod or container
creation operations, while pod and container creation operations can
run in parallel.

Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
This commit is contained in:
Samuel Ortiz 2017-04-04 17:24:55 +02:00
parent d1006fdfbc
commit be5084387c
3 changed files with 11 additions and 0 deletions

View file

@ -207,6 +207,10 @@ func setupContainerUser(specgen *generate.Generator, rootfs string, sc *pb.Linux
func (s *Server) CreateContainer(ctx context.Context, req *pb.CreateContainerRequest) (res *pb.CreateContainerResponse, err error) { func (s *Server) CreateContainer(ctx context.Context, req *pb.CreateContainerRequest) (res *pb.CreateContainerResponse, err error) {
logrus.Debugf("CreateContainerRequest %+v", req) logrus.Debugf("CreateContainerRequest %+v", req)
s.Update() s.Update()
s.updateLock.RLock()
defer s.updateLock.RUnlock()
sbID := req.PodSandboxId sbID := req.PodSandboxId
if sbID == "" { if sbID == "" {
return nil, fmt.Errorf("PodSandboxId should not be empty") return nil, fmt.Errorf("PodSandboxId should not be empty")

View file

@ -65,6 +65,9 @@ func (s *Server) runContainer(container *oci.Container, cgroupParent string) err
// RunPodSandbox creates and runs a pod-level sandbox. // RunPodSandbox creates and runs a pod-level sandbox.
func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest) (resp *pb.RunPodSandboxResponse, err error) { func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest) (resp *pb.RunPodSandboxResponse, err error) {
s.updateLock.RLock()
defer s.updateLock.RUnlock()
logrus.Debugf("RunPodSandboxRequest %+v", req) logrus.Debugf("RunPodSandboxRequest %+v", req)
var processLabel, mountLabel, netNsPath, resolvPath string var processLabel, mountLabel, netNsPath, resolvPath string
// process req.Name // process req.Name

View file

@ -34,6 +34,7 @@ type Server struct {
images storage.ImageServer images storage.ImageServer
storage storage.RuntimeServer storage storage.RuntimeServer
stateLock sync.Mutex stateLock sync.Mutex
updateLock sync.RWMutex
state *serverState state *serverState
netPlugin ocicni.CNIPlugin netPlugin ocicni.CNIPlugin
podNameIndex *registrar.Registrar podNameIndex *registrar.Registrar
@ -287,6 +288,9 @@ func (s *Server) Update() {
} }
func (s *Server) update() error { func (s *Server) update() error {
s.updateLock.Lock()
defer s.updateLock.Unlock()
containers, err := s.store.Containers() containers, err := s.store.Containers()
if err != nil && !os.IsNotExist(err) { if err != nil && !os.IsNotExist(err) {
logrus.Warnf("could not read containers and sandboxes: %v", err) logrus.Warnf("could not read containers and sandboxes: %v", err)