[MDEV-34234] Delayed SST when running on unprivileged containers on RHEL9 - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Critical
Resolution: Fixed
Affects Version/s: 10.5.25
Fix Version/s: 10.5.27, 10.6.20, 10.11.10, 11.2.6, 11.4.4
Component/s: Galera SST
Labels:
None

Description

When running with drop privileges on a RHEL9 host, mariadb WSREP reliance on `lsof` may cause SST to take a while before starting. The culprit is wsrep scripts preference for lsof. While ss works alright on these containers, lsof hangs forever, until the timeout defined here:

https://github.com/MariaDB/server/blob/44b23bb18476b9f2f3d88fabab41f206f3531f98/scripts/wsrep_sst_mariabackup.sh#L802-L819

is complete.

Given logic exists to use `lsof`, `sockstat` or `ss`

https://github.com/MariaDB/server/blob/44974a0788c80ba6b309fc0c05f68f101a40293a/scripts/wsrep_sst_common.sh#L1210-L1228

CMAKE should be adjusted to list `lsof` as a soft dependency.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

docker-compose.yml
2 kB
2024-05-24 22:10
joiner.log
23 kB
2024-05-24 22:18
sst_logs_with_lsof.log
24 kB
2024-05-25 02:18
sst_logs_without_lsof.log
26 kB
2024-05-25 00:53

Activity

Ascending order - Click to sort in descending order

Andre F de M created issue - 2024-05-24 12:40

Daniel Black made changes - 2024-05-24 22:10

Field	Original Value	New Value
Attachment		docker-compose.yml [ 73549 ]

Daniel Black made changes - 2024-05-24 22:18

Attachment

joiner.log [ 73550 ]

Daniel Black added a comment - 2024-05-24 22:20

After docker-compose up donor the logs for docker-compose up joiner are attached without serious delay.

Can you include your logs of the SST?

Did yo manually change to sockstat or ss and observer the quicker sst?

Daniel Black added a comment - 2024-05-24 22:20 After docker-compose up donor the logs for docker-compose up joiner are attached without serious delay. Can you include your logs of the SST? Did yo manually change to sockstat or ss and observer the quicker sst?

Daniel Black made changes - 2024-05-24 22:20

Component/s

Galera SST [ 10121 ]

Andre F de M added a comment - 2024-05-25 00:13

from reading on lsof inside of containers the issue seems to be related to the docker host and the need to run the container in privileged mode.

https://unix.stackexchange.com/questions/722948/lsof-is-frozen-inside-the-container

issues with ulimits

https://github.com/docker/for-linux/issues/73

I tested a container built without lsof (literally rm'ing it), startup time is immediate.

I also observe the RPM dependencies of MariaDB are a bit curious. We require both `lsof` and `iproute` (which contains `ss`) packages, despite `lsof` taking precedence over `ss`.

The proposed PR still leaves the `ss` dependency as it is but makes `lsof` optional. By doing that, the actual script behaviour which can somehow be described as:

if lsof is available, use it
else
if sockstat is available, use it
else
if ss is available, use it
else
complain

Will be respected.

Andre F de M added a comment - 2024-05-25 00:13 from reading on lsof inside of containers the issue seems to be related to the docker host and the need to run the container in privileged mode. https://unix.stackexchange.com/questions/722948/lsof-is-frozen-inside-the-container issues with ulimits https://github.com/docker/for-linux/issues/73 I tested a container built without lsof (literally rm'ing it), startup time is immediate. I also observe the RPM dependencies of MariaDB are a bit curious. We require both `lsof` and `iproute` (which contains `ss`) packages, despite `lsof` taking precedence over `ss`. The proposed PR still leaves the `ss` dependency as it is but makes `lsof` optional. By doing that, the actual script behaviour which can somehow be described as: if lsof is available, use it else if sockstat is available, use it else if ss is available, use it else complain Will be respected.

Andre F de M made changes - 2024-05-25 00:53

Attachment

sst_logs_without_lsof.log [ 73551 ]

Andre F de M made changes - 2024-05-25 02:18

Attachment

sst_logs_with_lsof.log [ 73552 ]

Andre F de M added a comment - 2024-05-25 02:18

Without LSOF:
As you can see on logs without `lsof` SST starts immediately after the joiner comes up.

With LSOF:
The container starts, however, as soon we see:

WSREP_SST: [INFO] Evaluating timeout -k 310 300 socat -u openssl-listen:4444,reuseaddr,<SSL-DETAILS> stdio | '/usr//bin/mbstream' -x; RC=( ${PIPESTATUS[@]} ) (20240525 01:35:39.721)

2024-05-25  1:35:42 0 [Note] WSREP: (1758f2de-8acb, 'ssl://0.0.0.0:4567') turning message relay requesting off

2024-05-25  1:36:09 0 [Note] WSREP: Joiner waited 30 sec, extending systemd startup timeout as SSTis not completed

2024-05-25  1:36:39 0 [Note] WSREP: Joiner waited 60 sec, extending systemd startup timeout as SSTis not completed

2024-05-25  1:37:09 0 [Note] WSREP: Joiner waited 90 sec, extending systemd startup timeout as SSTis not completed

2024-05-25  1:37:39 0 [Note] WSREP: Joiner waited 120 sec, extending systemd startup timeout as SSTis not completed

2024-05-25  1:38:09 0 [Note] WSREP: Joiner waited 150 sec, extending systemd startup timeout as SSTis not completed

2024-05-25  1:38:39 0 [Note] WSREP: Joiner waited 180 sec, extending systemd startup timeout as SSTis not completed

2024-05-25  1:39:09 0 [Note] WSREP: Joiner waited 210 sec, extending systemd startup timeout as SSTis not completed

2024-05-25  1:39:39 0 [Note] WSREP: Joiner waited 240 sec, extending systemd startup timeout as SSTis not completed

2024-05-25  1:40:09 0 [Note] WSREP: Joiner waited 270 sec, extending systemd startup timeout as SSTis not completed

2024-05-25  1:40:21 2 [Note] WSREP: Prepared SST request: mariabackup|joiner:d1a530298e61c2b29fc62b2f9d7d926a@joiner:4444/xtrabackup_sst//1

Checking the container you see:

mysql        427  0.0  0.0   5652  3840 ?        S    01:35   0:00 /usr/bin/bash /usr//bin/wsrep_sst_mariabackup --role joiner --address joiner

mysql        703  0.0  0.0   5652  2280 ?        S    01:35   0:00 /usr/bin/bash /usr//bin/wsrep_sst_mariabackup --role joiner --address joiner

mysql        705  100  0.0   9728  3200 ?        R    01:35   0:43 lsof -Pnl -i :4444

mysql        706  0.0  0.0   3888  1280 ?        S    01:35   0:00 grep -q -E ^(socat|nc)[^[:space:]]*[[:space:]]+[0-9]+[[:space:]].*\(LISTEN\)

mysql        709  0.0  0.0   5320  2560 ?        S    01:35   0:00 /usr/bin/coreutils --coreutils-prog-shebang=timeout /usr//bin/timeout -k 310 300 socat -u openssl-lis

mysql        710  0.0  0.0  76672  1280 ?        Sl   01:35   0:00 /usr//bin/mbstream -x

mysql        712  0.0  0.0   9264  6400 ?        S    01:35   0:00 socat -u openssl-listen:4444,reuseaddr,<SSL_DETAILS>>

The behaviours are consistent during 1st join and re-join (reason one of the logs is a rejoin and the other is a join).

Note: the names may be a bit messed in terms of who is joiner vs who is donor since I am not hardcoding donors via `wsrep_sst_donor`, instead. I left one of the nodes as "donor" but don't take that too strictly. Just making it easier to read there are 3 nodes running when the SST happened.

Andre F de M added a comment - 2024-05-25 02:18 Without LSOF: As you can see on logs without `lsof` SST starts immediately after the joiner comes up. With LSOF: The container starts, however, as soon we see: WSREP_SST: [INFO] Evaluating timeout -k 310 300 socat -u openssl-listen:4444,reuseaddr,<SSL-DETAILS> stdio | '/usr//bin/mbstream' -x; RC=( ${PIPESTATUS[@]} ) (20240525 01:35:39.721) 2024-05-25 1:35:42 0 [Note] WSREP: (1758f2de-8acb, 'ssl://0.0.0.0:4567') turning message relay requesting off 2024-05-25 1:36:09 0 [Note] WSREP: Joiner waited 30 sec, extending systemd startup timeout as SSTis not completed 2024-05-25 1:36:39 0 [Note] WSREP: Joiner waited 60 sec, extending systemd startup timeout as SSTis not completed 2024-05-25 1:37:09 0 [Note] WSREP: Joiner waited 90 sec, extending systemd startup timeout as SSTis not completed 2024-05-25 1:37:39 0 [Note] WSREP: Joiner waited 120 sec, extending systemd startup timeout as SSTis not completed 2024-05-25 1:38:09 0 [Note] WSREP: Joiner waited 150 sec, extending systemd startup timeout as SSTis not completed 2024-05-25 1:38:39 0 [Note] WSREP: Joiner waited 180 sec, extending systemd startup timeout as SSTis not completed 2024-05-25 1:39:09 0 [Note] WSREP: Joiner waited 210 sec, extending systemd startup timeout as SSTis not completed 2024-05-25 1:39:39 0 [Note] WSREP: Joiner waited 240 sec, extending systemd startup timeout as SSTis not completed 2024-05-25 1:40:09 0 [Note] WSREP: Joiner waited 270 sec, extending systemd startup timeout as SSTis not completed 2024-05-25 1:40:21 2 [Note] WSREP: Prepared SST request: mariabackup|joiner:d1a530298e61c2b29fc62b2f9d7d926a@joiner:4444/xtrabackup_sst//1 Checking the container you see: mysql 427 0.0 0.0 5652 3840 ? S 01:35 0:00 /usr/bin/bash /usr//bin/wsrep_sst_mariabackup --role joiner --address joiner mysql 703 0.0 0.0 5652 2280 ? S 01:35 0:00 /usr/bin/bash /usr//bin/wsrep_sst_mariabackup --role joiner --address joiner mysql 705 100 0.0 9728 3200 ? R 01:35 0:43 lsof -Pnl -i :4444 mysql 706 0.0 0.0 3888 1280 ? S 01:35 0:00 grep -q -E ^(socat|nc)[^[:space:]]*[[:space:]]+[0-9]+[[:space:]].*$LISTEN$ mysql 709 0.0 0.0 5320 2560 ? S 01:35 0:00 /usr/bin/coreutils --coreutils-prog-shebang=timeout /usr//bin/timeout -k 310 300 socat -u openssl-lis mysql 710 0.0 0.0 76672 1280 ? Sl 01:35 0:00 /usr//bin/mbstream -x mysql 712 0.0 0.0 9264 6400 ? S 01:35 0:00 socat -u openssl-listen:4444,reuseaddr,<SSL_DETAILS>> The behaviours are consistent during 1st join and re-join (reason one of the logs is a rejoin and the other is a join). Note: the names may be a bit messed in terms of who is joiner vs who is donor since I am not hardcoding donors via `wsrep_sst_donor`, instead. I left one of the nodes as "donor" but don't take that too strictly. Just making it easier to read there are 3 nodes running when the SST happened.