Fix bug that could incorrectly clean up pause contaier before other containers

angelcar · angelcar · commit e6b9f2a8cf2f · 2021-03-26T22:52:41.000-07:00
diff --git a/agent/engine/docker_task_engine.go b/agent/engine/docker_task_engine.go
@@ -1425,15 +1425,12 @@ func (engine *DockerTaskEngine) checkTearDownPauseContainer(task *apitask.Task)
 	}
 	for _, container := range task.Containers {
 		// Cleanup the pause container network namespace before stop the container
-		if container.Type == apicontainer.ContainerCNIPause && !container.IsContainerTornDown() {
+		if container.Type == apicontainer.ContainerCNIPause {
 			// Clean up if the pause container has stopped or will stop
 			if container.KnownTerminal() || container.DesiredTerminal() {
 				err := engine.cleanupPauseContainerNetwork(task, container)
 				if err != nil {
 					seelog.Errorf("Task engine [%s]: unable to cleanup pause container network namespace: %v", task.Arn, err)
-				} else {
-					container.SetContainerTornDown(true)
-					seelog.Infof("Task engine [%s]: cleaned pause container network namespace", task.Arn)
 				}
 			}
 			return
@@ -1443,6 +1440,10 @@ func (engine *DockerTaskEngine) checkTearDownPauseContainer(task *apitask.Task)
 
 // cleanupPauseContainerNetwork will clean up the network namespace of pause container
 func (engine *DockerTaskEngine) cleanupPauseContainerNetwork(task *apitask.Task, container *apicontainer.Container) error {
+	// This operation is idempotent
+	if container.IsContainerTornDown() {
+		return nil
+	}
 	delay := time.Duration(engine.cfg.ENIPauseContainerCleanupDelaySeconds) * time.Second
 	if engine.handleDelay != nil && delay > 0 {
 		seelog.Infof("Task engine [%s]: waiting %s before cleaning up pause container.", task.Arn, delay)
@@ -1460,7 +1461,14 @@ func (engine *DockerTaskEngine) cleanupPauseContainerNetwork(task *apitask.Task,
 			"engine: failed cleanup task network namespace, task: %s", task.String())
 	}
 
-	return engine.cniClient.CleanupNS(engine.ctx, cniConfig, cniCleanupTimeout)
+	err = engine.cniClient.CleanupNS(engine.ctx, cniConfig, cniCleanupTimeout)
+	if err != nil {
+		return err
+	}
+
+	container.SetContainerTornDown(true)
+	seelog.Infof("Task engine [%s]: cleaned pause container network namespace", task.Arn)
+	return nil
 }
 
 // buildCNIConfigFromTaskContainer builds a CNI config for the task and container.
@@ -1513,7 +1521,14 @@ func (engine *DockerTaskEngine) stopContainer(task *apitask.Task, container *api
 		}
 	}
 
-	engine.checkTearDownPauseContainer(task)
+	// Cleanup the pause container network namespace before stop the container
+	if container.Type == apicontainer.ContainerCNIPause {
+		err := engine.cleanupPauseContainerNetwork(task, container)
+		if err != nil {
+			seelog.Errorf("Task engine [%s]: unable to cleanup pause container network namespace: %v",
+				task.Arn, err)
+		}
+	}
 
 	apiTimeoutStopContainer := container.GetStopTimeout()
 	if apiTimeoutStopContainer <= 0 {
diff --git a/agent/engine/docker_task_engine_test.go b/agent/engine/docker_task_engine_test.go
@@ -1137,9 +1137,11 @@ func TestPauseContainerHappyPath(t *testing.T) {
 	taskEngine.(*DockerTaskEngine).cniClient = cniClient
 	taskEngine.(*DockerTaskEngine).taskSteadyStatePollInterval = taskSteadyStatePollInterval
 	eventStream := make(chan dockerapi.DockerContainerChangeEvent)
-	sleepTask := testdata.LoadTask("sleep5")
-	sleepContainer := sleepTask.Containers[0]
-	sleepContainer.TransitionDependenciesMap = make(map[apicontainerstatus.ContainerStatus]apicontainer.TransitionDependencySet)
+	sleepTask := testdata.LoadTask("sleep5TwoContainers")
+	sleepContainer1 := sleepTask.Containers[0]
+	sleepContainer1.TransitionDependenciesMap = make(map[apicontainerstatus.ContainerStatus]apicontainer.TransitionDependencySet)
+	sleepContainer2 := sleepTask.Containers[1]
+	sleepContainer2.TransitionDependenciesMap = make(map[apicontainerstatus.ContainerStatus]apicontainer.TransitionDependencySet)
 
 	// Add eni information to the task so the task can add dependency of pause container
 	sleepTask.AddTaskENI(mockENI)
@@ -1158,6 +1160,8 @@ func TestPauseContainerHappyPath(t *testing.T) {
 
 	dockerClient.EXPECT().ContainerEvents(gomock.Any()).Return(eventStream, nil)
 
+	sleepContainerID1 := containerID + "1"
+	sleepContainerID2 := containerID + "2"
 	pauseContainerID := "pauseContainerID"
 	// Pause container will be launched first
 	gomock.InOrder(
@@ -1183,19 +1187,26 @@ func TestPauseContainerHappyPath(t *testing.T) {
 
 	// For the other container
 	imageManager.EXPECT().AddAllImageStates(gomock.Any()).AnyTimes()
-	dockerClient.EXPECT().PullImage(gomock.Any(), gomock.Any(), nil, gomock.Any()).Return(dockerapi.DockerContainerMetadata{})
-	imageManager.EXPECT().RecordContainerReference(gomock.Any()).Return(nil)
-	imageManager.EXPECT().GetImageStateFromImageName(gomock.Any()).Return(nil, false)
-	dockerClient.EXPECT().APIVersion().Return(defaultDockerClientAPIVersion, nil)
+	dockerClient.EXPECT().PullImage(gomock.Any(), gomock.Any(), nil, gomock.Any()).Return(dockerapi.DockerContainerMetadata{}).Times(2)
+	imageManager.EXPECT().RecordContainerReference(gomock.Any()).Return(nil).Times(2)
+	imageManager.EXPECT().GetImageStateFromImageName(gomock.Any()).Return(nil, false).Times(2)
+	dockerClient.EXPECT().APIVersion().Return(defaultDockerClientAPIVersion, nil).Times(2)
+
+	dockerClient.EXPECT().CreateContainer(gomock.Any(), gomock.Any(), gomock.Any(),
+		gomock.Any(), gomock.Any()).Return(dockerapi.DockerContainerMetadata{DockerID: sleepContainerID1})
 	dockerClient.EXPECT().CreateContainer(gomock.Any(), gomock.Any(), gomock.Any(),
-		gomock.Any(), gomock.Any()).Return(dockerapi.DockerContainerMetadata{DockerID: containerID})
-	dockerClient.EXPECT().StartContainer(gomock.Any(), containerID, defaultConfig.ContainerStartTimeout).Return(
-		dockerapi.DockerContainerMetadata{DockerID: containerID})
+		gomock.Any(), gomock.Any()).Return(dockerapi.DockerContainerMetadata{DockerID: sleepContainerID2})
+
+	dockerClient.EXPECT().StartContainer(gomock.Any(), sleepContainerID1, defaultConfig.ContainerStartTimeout).Return(
+		dockerapi.DockerContainerMetadata{DockerID: sleepContainerID1})
+	dockerClient.EXPECT().StartContainer(gomock.Any(), sleepContainerID2, defaultConfig.ContainerStartTimeout).Return(
+		dockerapi.DockerContainerMetadata{DockerID: sleepContainerID2})
 
 	cleanup := make(chan time.Time)
 	defer close(cleanup)
 	mockTime.EXPECT().Now().Return(time.Now()).MinTimes(1)
-	dockerClient.EXPECT().DescribeContainer(gomock.Any(), containerID).AnyTimes()
+	dockerClient.EXPECT().DescribeContainer(gomock.Any(), sleepContainerID1).AnyTimes()
+	dockerClient.EXPECT().DescribeContainer(gomock.Any(), sleepContainerID2).AnyTimes()
 	dockerClient.EXPECT().DescribeContainer(gomock.Any(), pauseContainerID).AnyTimes()
 
 	err := taskEngine.Init(ctx)
@@ -1208,27 +1219,36 @@ func TestPauseContainerHappyPath(t *testing.T) {
 	var wg sync.WaitGroup
 	wg.Add(1)
 	mockTime.EXPECT().After(gomock.Any()).Return(cleanup).MinTimes(1)
-	dockerClient.EXPECT().InspectContainer(gomock.Any(), gomock.Any(), gomock.Any()).Return(&types.ContainerJSON{
-		ContainerJSONBase: &types.ContainerJSONBase{
-			ID:    pauseContainerID,
-			State: &types.ContainerState{Pid: containerPid},
-		},
-	}, nil)
-	cniClient.EXPECT().CleanupNS(gomock.Any(), gomock.Any(), gomock.Any()).Return(nil)
-	dockerClient.EXPECT().StopContainer(gomock.Any(), pauseContainerID, gomock.Any()).Return(
-		dockerapi.DockerContainerMetadata{DockerID: pauseContainerID})
-	cniClient.EXPECT().ReleaseIPResource(gomock.Any(), gomock.Any(), gomock.Any()).Do(
-		func(ctx context.Context, cfg *ecscni.Config, timeout time.Duration) {
-			wg.Done()
-		}).Return(nil)
-	dockerClient.EXPECT().RemoveContainer(gomock.Any(), gomock.Any(), gomock.Any()).Return(nil).Times(2)
-	imageManager.EXPECT().RemoveContainerReferenceFromImageState(gomock.Any()).Return(nil)
+
+	gomock.InOrder(
+		dockerClient.EXPECT().StopContainer(gomock.Any(), sleepContainerID2, gomock.Any()).Return(
+			dockerapi.DockerContainerMetadata{DockerID: sleepContainerID2}),
+
+		dockerClient.EXPECT().InspectContainer(gomock.Any(), pauseContainerID, gomock.Any()).Return(&types.ContainerJSON{
+			ContainerJSONBase: &types.ContainerJSONBase{
+				ID:    pauseContainerID,
+				State: &types.ContainerState{Pid: containerPid},
+			},
+		}, nil),
+		cniClient.EXPECT().CleanupNS(gomock.Any(), gomock.Any(), gomock.Any()).Return(nil),
+
+		dockerClient.EXPECT().StopContainer(gomock.Any(), pauseContainerID, gomock.Any()).Return(
+			dockerapi.DockerContainerMetadata{DockerID: pauseContainerID}),
+
+		cniClient.EXPECT().ReleaseIPResource(gomock.Any(), gomock.Any(), gomock.Any()).Do(
+			func(ctx context.Context, cfg *ecscni.Config, timeout time.Duration) {
+				wg.Done()
+			}).Return(nil),
+	)
+
+	dockerClient.EXPECT().RemoveContainer(gomock.Any(), gomock.Any(), gomock.Any()).Return(nil).Times(3)
+	imageManager.EXPECT().RemoveContainerReferenceFromImageState(gomock.Any()).Return(nil).Times(2)
 
 	// Simulate a container stop event from docker
 	eventStream <- dockerapi.DockerContainerChangeEvent{
 		Status: apicontainerstatus.ContainerStopped,
 		DockerContainerMetadata: dockerapi.DockerContainerMetadata{
-			DockerID: containerID,
+			DockerID: sleepContainerID1,
 			ExitCode: aws.Int(exitCode),
 		},
 	}
diff --git a/agent/engine/testdata/test_tasks/sleep5TwoContainers.json b/agent/engine/testdata/test_tasks/sleep5TwoContainers.json
@@ -0,0 +1,63 @@
+{
+  "Arn":"arn:aws:ecs:us-west-2:123456789012:task/12345678-90ab-cdef-1234-56780abcdef1",
+  "Family":"sleep5",
+  "Version":"2",
+  "Containers":
+  [
+    {
+      "Name":"sleep5",
+      "Image":"busybox",
+      "Command":["sleep","5"],
+      "Cpu":10,
+      "Memory":10,
+      "Links":null,
+      "volumesFrom":[],
+      "mountPoints":[],
+      "portMappings":[],
+      "Essential":true,
+      "EntryPoint":null,
+      "environment":{},
+      "overrides":{"command":null},
+      "desiredStatus":"NONE",
+      "KnownStatus":"NONE",
+      "RunDependencies":null,
+      "IsInternal":false,
+      "AppliedStatus":"NONE",
+      "ApplyingError":null,
+      "SentStatus":"NONE",
+      "KnownExitCode":null,
+      "KnownPortBindingsUnsafe":null,
+      "StatusLock":{}
+    },
+    {
+      "Name":"sleep5-2",
+      "Image":"busybox",
+      "Command":["sleep","5"],
+      "Cpu":10,
+      "Memory":10,
+      "Links":null,
+      "volumesFrom":[],
+      "mountPoints":[],
+      "portMappings":[],
+      "Essential":true,
+      "EntryPoint":null,
+      "environment":{},
+      "overrides":{"command":null},
+      "desiredStatus":"NONE",
+      "KnownStatus":"NONE",
+      "RunDependencies":null,
+      "IsInternal":false,
+      "AppliedStatus":"NONE",
+      "ApplyingError":null,
+      "SentStatus":"NONE",
+      "KnownExitCode":null,
+      "KnownPortBindingsUnsafe":null,
+      "StatusLock":{}
+    }
+  ],
+  "volumes":[],
+  "DesiredStatus":"RUNNING",
+  "KnownStatus":"NONE",
+  "KnownTime":"0001-01-01T00:00:00Z",
+  "SentStatus":"NONE"
+}
