-
Notifications
You must be signed in to change notification settings - Fork 1.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
🐛 Recreate watcher if the file unlinked and replaced #2893
Conversation
/ok-to-test |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/approve
/assign @sbueringer
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: m-messiah, vincepri The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/lgtm |
LGTM label has been added. Git tree hash: b9055ed877ccf5bafe16326c138eddb0e39f675f
|
/hold cancel |
/cherry-pick release-1.8 |
@vincepri: cannot checkout In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
/cherry-pick release-0.18 |
/cherry-pick release-0.17 |
@vincepri: new pull request created: #2919 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
@vincepri: new pull request created: #2920 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
The current certwatcher misses some events, so if the certificate is maintained in a failsafe-backup way it cannot be watched and fails to get any updates.
For example, when it started with
certwartcher.New("app.crt", "app.key")
and someone does:The FD of the file gets these inotify events and stops being watched.
Please take a look at the added test for the implementation of failsafe cert replacement.
The problem is that in this stage because of hardlink the certwatcher continues to watch
app.crt.old
andapp.key.old
inodes until they are removed. If they are removed properly - it gets a REMOVE fsnotify event and recreates the watch, but if they use something likeunlink
and still have open FD or another watch - they would be watched forever.The case is already mentioned in fsnotify library comments: https://github.com/fsnotify/fsnotify/blob/c1467c02fba575afdb5f4201072ab8403bbf00f4/fsnotify.go#L40-L48
and https://github.com/fsnotify/fsnotify/blob/c1467c02fba575afdb5f4201072ab8403bbf00f4/fsnotify.go#L135-L139
So the PR adds
fsnotify.Chmod
event to be treated equally tofsnotify.Remove
in case someone still looks at the old inode, because for certiwatcher the important data are in the filename, not inode.Note, there is no harm in recreating the watch for a file that is already monitored (in case Chmod was thrown for any other reason) as watcher would just reuse the existing: https://github.com/fsnotify/fsnotify/blob/c1467c02fba575afdb5f4201072ab8403bbf00f4/fsnotify.go#L277-L312