main: run aardvark as a daemon via forking and maintain its partial daemon like nature.

[flouthoc]

This is one the redesign PR for aardvark-dns and netavark. Design
proposes that forking will happen at aardvark-end instead of
netavark and aarvark verifies validity of server before returning
control to aardvark.

Redesign proposal

• Aardvark will invoke server on the child process by double-forking.

• Parent waits for child to show up and verify against a dummy DNS
  query to check if server is running.

• Exit parent on success and deatch child.

• Calling process will wait for aardvark's parent process to return.

• On successful return from parent it will be assumed that aardvark is
  running properly

One new design is implemented and merged and netavark starts using this
it should close

• Aardvark/Netavark flakes podman#14173
• Aardvark Test 5: Two containers on their own subnets, one container on both podman#14171

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: flouthoc

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [flouthoc]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[Luap99]

It looks like you are misunderstanding what I want.
The goal is to daemonize ourself, see daemon(3). exec() is not required.

[flouthoc]

It looks like you are misunderstanding what I want. The goal is to daemonize ourself, see daemon(3). exec() is not required.

Yeah can do that well, exec might not be needed. We can just continue with actual serve logic in the child fork.

[Luap99]

I don't think we should try to query the server.

If we want to sync with the child we could create a pipe and make a blocking read in the parent and a write in the child directly before the child starts listening on the socket.

[flouthoc]

The problem is again that it does not ensures e2e testing on the actual interface and does not ensures if something is taking time after it performs listening. We can use pipe but current check ensure that we actually create a DNS client and check against it, is there any problem if we use this approach for verification ?

[Luap99]

It just doesn't feel right to ensure this by making a query. First this adds a hardcoded value with a special meaning which leads to unexpected behaviour when a user for some reason ends up using this name. It also adds a lot of overhead.

[flouthoc]

@Luap99 I see but one issue is that we have different servers running in different threads and will have to ensure that each one of them is running. My intention is to only return from parent when event loop for all the servers have already started which happens after we start listening and its a blocking call so we cannot notify after that with unix pipe approach we will end up notifying parent before even event loop starts but i doubt that this delay would matter so I don't have a strict opinion here and we could switch to unix pipe approach if everyone is fine with that so no issues. @mheon Do you have any opinion here ?

[flouthoc]

Switched this a unix pipe blocking approach.

[edsantiago]

Since this seems to be the clearinghouse for all the different Aardvark CI flakes, here are the ones seen in the last fifteen days in podman:

Podman run networking [It] Aardvark Test 2: Two containers, same subnet

• fedora-36 : int podman fedora-36 root host
  • PR #14608
    • 06-16 09:09
    • 06-16 09:09
    • 06-16 09:09
  • PR #14533
    • 06-09 10:01
    • 06-09 10:01
    • 06-09 10:01
  • PR #14478
    • 06-03 10:40
    • 06-03 10:40
  • PR #14477
    • 06-03 09:58
• fedora-36 : int remote fedora-36 root host [remote]
  • PR #14608
    • 06-16 09:26
    • 06-16 09:26
  • PR #14570
    • 06-14 19:24
    • 06-14 19:24
    • 06-14 19:24

Podman run networking [It] Aardvark Test 5: Two containers on their own subnets, one container on both

• fedora-36 : int podman fedora-36 root host
  • PR #14608
    • 06-16 09:09
    • 06-16 09:09
    • 06-16 09:09
  • PR #14533
    • 06-09 10:01
    • 06-09 10:01
    • 06-09 10:01
  • PR #14477
    • 06-03 09:58
    • 06-03 09:58
    • 06-03 09:58
• fedora-36 : int remote fedora-36 root host [remote]
  • PR #14570
    • 06-14 19:24
    • 06-14 19:24

Podman run networking [It] Aardvark Test 3: Two containers, same subnet w/aliases

• fedora-36 : int podman fedora-36 root host
  • PR #14608
    • 06-16 09:09
  • PR #14605
    • 06-15 14:47
  • PR #14533
    • 06-09 10:01
    • 06-09 10:01
    • 06-09 10:01
  • PR #14478
    • 06-03 10:40
    • 06-03 10:40
    • 06-03 10:40
• fedora-36 : int remote fedora-36 root host [remote]
  • PR #14570
    • 06-14 19:24
    • 06-14 19:24

Podman run networking [It] podman run check dnsname plugin with Netavark

• fedora-36 : int podman fedora-36 root host
  • PR #14605
    • 06-15 14:47
    • 06-15 14:47
    • 06-15 14:47

Podman run networking [It] Aardvark Test 6: Three subnets, first container on 1/2 and second on 2/3, w/ network aliases

• fedora-36 : int podman fedora-36 root host
  • PR #14533
    • 06-09 10:01
    • 06-09 10:01
    • 06-09 10:01
• fedora-36 : int remote fedora-36 root host [remote]
  • PR #14570
    • 06-14 19:24
    • 06-14 19:24
    • 06-14 19:24

Podman run networking [It] Aardvark Test 1: One container

• fedora-36 : int podman fedora-36 root host
  • PR #14477
    • 06-03 09:58
    • 06-03 09:58
    • 06-03 09:58

[Luap99]

One nit otherwise LGTM
We should definitely put this and the netavark change in the podman CI to make sure everything still works before merging either PR.

@cevich Is it possible to use netavark/aardvark build from this PR in the podman CI?

[Luap99]

Why is this unsafe?

[flouthoc]

nix's fork is returns unsafe most likely because it invokes fork( directly in such cases rust compiler will bark however our use-case is okay here so all such functions can be invoked under unsafe. See https://docs.rs/nix/latest/nix/unistd/fn.fork.html and this https://doc.rust-lang.org/book/ch19-01-unsafe-rust.html

But invocation is fine for our use-case.

[cevich]

@cevich Is it possible to use netavark/aardvark build from this PR in the podman CI?

Yes, but only with some manual intervention[*]. Here's what I would suggest (in podman):

0. Check out main
1. Edit .cirrus.yml and comment out the podman_machine task (workaround a bug: fix expected in a day or less).
2. Use hack/get_ci_vm.sh int podman fedora-36 root host (or one of the other tasks if you prefer).
3. Do an rpm -e --nodeps aardvark-dns netavark to strip out the distro-provided files w/o also removing any dependencies.
4. Manually download the latest netavark and aardvark builds:
   1. curl -o /tmp/netavark.zip https://api.cirrus-ci.com/v1/artifact/github/containers/netavark/success/binary.zip
   2. curl -o /tmp/aardvark-dns.zip https://api.cirrus-ci.com/v1/artifact/github/containers/aardvark-dns/success/binary.zip
5. Unzip those files and manually copy the binaries into place.
6. Execute the podman tests (if desired) cd $GOSRC; ./contrib/cirrus/runner.sh (should "just work").

[*]Note: If you expect to be doing this regularly, this semi-manual method will quickly become a PITA. In this case, I would propose new CI work for podman. For example, we make setup_environment.sh sensitive to a PR label, and if present perform the steps above automatically.

[Luap99]

Manually download the latest netavark and aardvark builds:

I want the one from this PR and containers/netavark#300, we should verify that this works before merging.

I don't plan on doing this regular, I just want to be sure this passes podman CI

[cevich]

I want the one from this PR and...

Ahh okay, this can be done in a similar way, the URL is simply different:

1. Click on the 'success' for each, hit the 'view more details in Cirrus-CI' link.
2. Look at the URL, it will have a "task ID" (number) at the end. Copy this.
3. In your VM, use a URL of the form: https://api.cirrus-ci.com/v1/artifact/task/<CIRRUS_TASK_ID>/binary.zip
4. Do the same thing to get the URL for the other repo's CI run.

Does that make sense?

(Let me know if it doesn't work, I didn't actually try it this time).

[Luap99]

Makes sense I will try it tomorrow.

[flouthoc]

Rebased.

[Luap99]

OK I checked both the podman integration and system test with this and they passed, LGTM

@baude @mheon PTAL

[baude]

/lgtm