OCPBUGS-33181: Fixed audit-logs sigterm failing to terminate gracefully

[Joseph-Goergen]

What this PR does / why we need it:

Which issue(s) this PR fixes (optional, use fixes #<issue_number>(, fixes #<issue_number>, ...) format, where issue_number might be a GitHub issue, or a Jira story:
Fixes #

Checklist

• Subject and description added to both, commit and PR.
• Relevant issues have been referenced.
• This change includes docs.
• This change includes unit tests.

[openshift-ci-robot]

@Joseph-Goergen: This pull request references Jira Issue OCPBUGS-33181, which is invalid:

• expected the bug to target either version "4.16." or "openshift-4.16.", but it targets "4.15" instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

What this PR does / why we need it:

Which issue(s) this PR fixes (optional, use fixes #<issue_number>(, fixes #<issue_number>, ...) format, where issue_number might be a GitHub issue, or a Jira story:
Fixes #

Checklist

• Subject and description added to both, commit and PR.
• Relevant issues have been referenced.
• This change includes docs.
• This change includes unit tests.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[rtheis]

Why are you starting a new script when the command calling this is /bin/bash? Do you really need #!/bin/bash?

[Joseph-Goergen]

Probably not, I was mainly just following what others do when calling /bin/bash -clike

hypershift/contrib/ci/hypershift-ci-1.yaml

Lines 111 to 119 in 85148d5

	- args:
	- -c
	- |
	#!/bin/bash
	set -euo pipefail
	/usr/bin/oc get istag -n hypershift hypershift-operator:latest -ojsonpath='{.image.dockerImageReference}' > /installer-data/image-ref
	command:
	- /bin/bash

. There's quite a few more examples throughout the hypershift operator, so I thought it was common place for this repo.

[rtheis]

But in this case, the previous code doesn't do that. So unless there's a good reason, please continue the pattern of the previous audit container setup.

[stevekuznetsov]

Previously, it was calling tail directly, so it couldn't have - if we're going to use bash it seems prudent to continue with euo pipefail - it will reduce the chance we introduce any of the common bugs those guard against.

[jeffnowicki]

/jira refresh

[openshift-ci-robot]

@jeffnowicki: This pull request references Jira Issue OCPBUGS-33181, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.16.0) matches configured target version for branch (4.16.0)
• bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[stevekuznetsov]

Are you relying on implicit behavior of bash when you call exit? Could we instead explicitly forward SIGTERM to children on SIGINT?

[rtheis]

@stevekuznetsov is this what you'd like Joe to do: https://unix.stackexchange.com/questions/146756/forward-sigterm-to-child-in-bash?

[stevekuznetsov]

#!/usr/bin/env bash

set -o errexit
set -o nounset
set -o pipefail

function cleanup() {
  for child in $( jobs -p ); do
    kill "${child}"
  done
  wait
}
trap cleanup EXIT

for (( i = 0; i < 999; i++ )); do
    child.sh $i
    wait $!
done

[stevekuznetsov]

Something like this would work

[rtheis]

@Joseph-Goergen ptal

[Joseph-Goergen]

Updated and tested(using a 4.15 release branch)

[stevekuznetsov]

Could we please export the function and re-use it in the OAPI deployment?

[Joseph-Goergen]

Done!

[stevekuznetsov]

/lgtm

[Joseph-Goergen]

@stevekuznetsov
If/when this merges, the pr for #3994 may have to rebase (if this gets in before it) and use the RenderAuditLogScript function for the audit-logs container. Or if that PR merges, I'll have to reconfigure this.

[Joseph-Goergen]

/retest-required

[rtheis]

/retest-required

[rtheis]

/retest-required

[rtheis]

/test e2e-kubevirt-aws-ovn

[rtheis]

I tested this and it doesn't work unless EXIT is SIGTERM.

[Joseph-Goergen]

@rtheis I tested this using the openshift-apiserver

# time kubectl delete pod -n master-coskjif10c6fhqphi0hg openshift-apiserver-55476ddfc-h4ldv
pod "openshift-apiserver-55476ddfc-h4ldv" deleted

real	1m47.992s
user	0m0.273s
sys	0m0.109s

[rtheis]

@Joseph-Goergen my point exactly, it shouldn't take 1 minute 47 seconds to fully terminate the pod.

[rtheis]

/retest-required

[Joseph-Goergen]

/test e2e-kubevirt-aws-ovn

[Joseph-Goergen]

/test e2e-kubevirt-aws-ovn

[rtheis]

/lgtm

[Joseph-Goergen]

/retest-required

[rtheis]

/retest-required

[rtheis]

/test e2e-kubevirt-aws-ovn

[Joseph-Goergen]

@stevekuznetsov May I get a re-review? I had to rebase

[sjenning]

/approve

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Joseph-Goergen, rtheis, sjenning, stevekuznetsov

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [sjenning]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 0d10c82 and 2 for PR HEAD 82df7b3 in total

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD b5576e4 and 1 for PR HEAD 82df7b3 in total

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 4148e4d and 0 for PR HEAD 82df7b3 in total

[openshift-ci]

@Joseph-Goergen: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-azure	82df7b3	link	false	/test e2e-azure

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[rtheis]

/test e2e-kubevirt-aws-ovn

[openshift-ci-robot]

@Joseph-Goergen: Jira Issue OCPBUGS-33181: All pull requests linked via external trackers have merged:

• openshift/hypershift#3972

Jira Issue OCPBUGS-33181 has been moved to the MODIFIED state.

In response to this:

What this PR does / why we need it:

Which issue(s) this PR fixes (optional, use fixes #<issue_number>(, fixes #<issue_number>, ...) format, where issue_number might be a GitHub issue, or a Jira story:
Fixes #

Checklist

• Subject and description added to both, commit and PR.
• Relevant issues have been referenced.
• This change includes docs.
• This change includes unit tests.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-bot]

[ART PR BUILD NOTIFIER]

This PR has been included in build ose-hypershift-container-v4.17.0-202405240410.p0.g239a333.assembly.stream.el9 for distgit hypershift.
All builds following this will include this PR.

[Joseph-Goergen]

/cherry-pick release-4.15

[openshift-cherrypick-robot]

@Joseph-Goergen: new pull request created: #4089

In response to this:

/cherry-pick release-4.15

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[rtheis]

/cherry-pick release-4.16

[openshift-cherrypick-robot]

@rtheis: new pull request created: #4090

In response to this:

/cherry-pick release-4.16

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.