Add notes indicating potential zombies #109
Conversation
car-roll
changed the title
|
Updated to using incemental from durable-task 106 |
|
Would be good to go ahead and update the help for |
|
It would be great to update this with the latest version of the upstream PR. You can |
|
@dwnusbaum okay will do. Thought I had to wait until the CI had to upload to incrementals :p |
car-roll
changed the title
src/main/resources/org/jenkinsci/plugins/workflow/steps/durable_task/ShellStep/help-script.html
Outdated
Show resolved
Hide resolved
src/main/resources/org/jenkinsci/plugins/workflow/steps/durable_task/ShellStep/help-script.html
Outdated
Show resolved
Hide resolved
| while in Kubernetes, you may leverage | ||
| <a href="https://kubernetes.io/docs/tasks/configure-pod-container/share-process-namespace/"> shared process namespace</a>. | ||
| With shared process namespaces, the pod sandbox will be assigned PID 1 and assume | ||
| <a href="https://github.com/kubernetes/kubernetes/blob/master/build/pause/pause.c#L37">zombie-reaping responsibilities</a>. |
There was a problem hiding this comment.
Maybe that's too specific? I just couldn't find any official documentation on the zombie reaping for some reason. I found PRs and discussion and blog posts, but nothing on kubernetes.io. Maybe i'm searching for the wrong keywords?
There was a problem hiding this comment.
Yeah, I wouldn't link directly to source code. I think the link to shared process namespaces is good enough. Any idea of how common this kind of setting is, or if there are any alternatives? It looks like it has some drawbacks in terms of security, so it seems less than ideal if that is the only way to get things working in Kubernetes.
There was a problem hiding this comment.
It's actually enabled by default (as of v1.15)
There was a problem hiding this comment.
The only other way i'm aware of in Kubernetes would be to then roll your own init process for each container
There was a problem hiding this comment.
If I understand correctly, the ability to use the feature is what is enabled by default, but you have to explicitly use it by adding shareProcessNamespace: true to the Pod spec. I think disabling the feature makes it so that shareProcessNamespace is not a valid field for Pod specs.
There was a problem hiding this comment.
Looks like the feature has been discussed for a few years now, but only got introduced as a beta in its current incarnation about a year ago. That's about the only insight I can give about how common of a use case it is.
|
Ran simple test on kubernetes with the following Jenkinsfile. |
Rebuilding. |
| @@ -9,4 +9,13 @@ | |||
| Otherwise the system default shell will be run, using the <code>-xe</code> flags | |||
| (you can specify <code>set +e</code> and/or <code>set +x</code> to disable those). | |||
| </p> | |||
| <p> | |||
| NOTE: The script is launched and monitored using a binary with the prefix <code>durable-task-monitor-</code>. | |||
There was a problem hiding this comment.
nit: maybe clarify that the binary is only used on some OSs
This reverts commit d4092bd.
car-roll
force-pushed
the
test-durable-pr92
branch
from
28a45bf
to
0f11f1f
Compare
jglick
changed the title
|
Is this about https://issues.jenkins.io/browse/JENKINS-58656? Does |
|
@jglick Yes, if you specify |
Test PR showing that unit tests pass when using the durable task plugin version from PR-92