
Improper working with logging pipe inside plugin #33

Open
suxarik opened this issue Dec 6, 2019 · 2 comments

suxarik commented Dec 6, 2019

Issue:

The Docker CLI stops responding to commands because, in some cases, the message sent to init-stderr or init-stdout is above the Linux kernel default max pipe size of 64Kb. The only way to return to working conditions is to read the pipe manually.

Pipes in question:

/var/run/docker/plugins/<opa-docker-authz_id>/init-stderr
/var/run/docker/plugins/<opa-docker-authz_id>/init-stdout

Example

Create a YAML stack definition with a Docker secret above 64Kb (Docker itself allows a secret to be 500Kb: https://docs.docker.com/engine/swarm/secrets/)

secrets:
      - source: cacert
        target: /app/bundle/rootCA.crt
        uid: '19000'
        gid: '19000'
        mode: 0440

Let's say my rootCA.crt is above 100Kb.

Then deploy the stack:

docker stack deploy --with-registry-auth -c deploy_something.yml SomeStack

Expected behavior:

The Docker OPA plugin checks for allowed policies; if allowed, then deploy the stack, else deny.

Actual behavior:

The Docker CLI output freezes. Restarting the Docker service is not possible, since a graceful shutdown can't be made. The only way to unfreeze the Docker CLI is to:

cat /var/run/docker/plugins/<opa-docker-authz_id>/init-stderr
or
tail -f /var/run/docker/plugins/<opa-docker-authz_id>/init-stderr

Looks like opa-plugin can't correctly work with SIGPIPE signals, which tell about pipe size.

Environment:

System: RHEL 7.*
Kernel: Linux 3.10.0-957.el7.x86_64
Docker-CE: 18.09.6
Docker api: 1.39
OPA-Plugin: 0.4, 0.5 (I believe all of them will behave exactly the same)

tsandall (Member) commented Dec 6, 2019

@suxarik thanks for filing this. Do you have a suggestion for how the plugin can handle SIGPIPE properly? If you can submit a patch that would be ideal.

suxarik (Author) commented Dec 6, 2019

> @suxarik thanks for filing this. Do you have a suggestion for how the plugin can handle SIGPIPE properly? If you can submit a patch that would be ideal.

Sadly no. My dev skills are not that great. But firstly I think it's important to find out whether that is a particular plugin problem or a Docker plugin subsystem problem.

Probably something here can help:
https://golang.org/pkg/os/signal/
https://www.linuxquestions.org/questions/programming-9/how-to-handle-a-broken-pipe-exception-sigpipe-in-fifo-pipe-866132/
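
The freeze described in this issue, and the "read the pipe manually" workaround, can be reproduced outside Docker with an ordinary pipe. The Go program below is an added example, not code from this issue or from opa-docker-authz. It assumes Linux with the default 64 KiB pipe capacity, and the function name `writeWithLateReader` is hypothetical.

```go
package main

import (
	"fmt"
	"io"
	"os"
	"time"
)

// writeWithLateReader (hypothetical helper) writes size bytes into a fresh
// pipe that nobody reads. It reports whether the write was still blocked
// after wait, and whether it finished once a reader started draining the
// pipe, which mirrors running `cat` on init-stderr.
func writeWithLateReader(size int, wait time.Duration) (blocked, finished bool) {
	r, w, err := os.Pipe()
	if err != nil {
		panic(err)
	}
	defer r.Close()

	done := make(chan error, 1)
	go func() {
		// Write returns only after every byte is in the kernel pipe buffer.
		_, werr := w.Write(make([]byte, size))
		w.Close()
		done <- werr
	}()

	select {
	case werr := <-done:
		return false, werr == nil // payload fit in the pipe buffer
	case <-time.After(wait):
		blocked = true // buffer full and no reader: the writer is stuck
	}

	go io.Copy(io.Discard, r) // late reader drains the pipe
	select {
	case werr := <-done:
		return blocked, werr == nil
	case <-time.After(5 * time.Second):
		return blocked, false
	}
}

func main() {
	// Constructed sizes: one below and one above the assumed 64 KiB capacity.
	for _, size := range []int{32 * 1024, 100 * 1024} {
		b, f := writeWithLateReader(size, 200*time.Millisecond)
		fmt.Printf("%6d bytes: blocked=%v finished=%v\n", size, b, f)
	}
}
```

A writer that must never stall on its log pipe has to be paired with a reader that drains continuously, or has to write with a deadline and drop or truncate on timeout.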
