Clean up after unexpectedly terminated build

[Honny1]

The podman system prune command can remove build containers that were created during the build but were not removed because the build terminated unexpectedly.

By default, build containers are not removed to prevent interference with builds in progress. Use the --build flag when running the command to remove build containers as well.

Reproducer:

• Containerfile:

FROM ubi8/ubi
RUN truncate -s 10G out
RUN echo "Hi"
RUN sleep infinity

• Test script run.sh:

#!/usr/bin/env bash

podman build -f Containerfile -t podmanleaker &
sleep 60 && kill -9 $! 

• measure the size of current images, containers, etc... Before build

podman unshare du -sh ~/.local/share/containers/

• Test script (Note: requires disk space of about 32 GB)

./run.sh

• measure the size of current images, containers, etc... After termination of build

podman unshare du -sh ~/.local/share/containers/

• Clean up leftovers after build

podman system prune --build -f

• measure the size of current images, containers, etc... After cleanup build

podman unshare du -sh ~/.local/share/containers/

The size should be the same as the first measurement but could be different if a base image is present in the system.

Fixes: #14523
Fixes: #23683
Fixes: https://issues.redhat.com/browse/RHEL-62009

Does this PR introduce a user-facing change?

The `podman system prune` command now supports removing build containers with the new `--build` option. 

[Luap99]

use fileutils.Exists()

@nalind Is there another (better?) way to check if a storage container is from buildah?

[Luap99]

do not report the error to the caller and also print a warning.
Just reporting the errors back to the caller is good enough. The caller can then log once.

[Luap99]

same here

[Luap99]

Why is this a loop? Running once should be enough.

[Luap99]

This seems inconsistent with the documentation, from the docs you wrote it sounds like it only prune the build containers but this prunes everything other containers and images as well.
I don't think this is desirable.
If we want that behavior then the code should not cause a conflict with --build option and only do this in addition to the existing code in SystemPrune() instead of duplicating the image logic here.

[Luap99]

This leads to horrible Expected false to be true errors.

Please use the proper matchers, something like Expect(none.OutputToString()).To(ContanSubstring("none"))

[Luap99]

Does this matter? This peaks at rather internal storage details which can change requiring the test to be updated often. Would it not be better to run buildah containers instead? Then in the end ensure it is removed there?

[Luap99]

Not sure what this should check, AFAIK in the test/e2e setup we will always have extra images from the additional store shown.

[Luap99]

also needs to use proper matchers

[Luap99]

same comment I would use buildah containers to check

[Luap99]

Also what this doesn't answer what happens if the build process is still running? And another thing that this does not cleanup is the networking, not sure if there is a good way for that but if you kill the build and run with bridge networking the interfaces/firewall rules and ipam db allocations are still leaked. They should be cleaned after reboot so not that bad like the storage leak and certainly not a blocker for this here. I just mention it as there are other leaks to consider too.

[Honny1]

@Luap99 I have incorporated your review. I've changed the approach and the --build flag allows the removal of build/stage containers for the podman system prune command, so it works the same as --volumes. The networking should also be cleaned.

[Luap99]

Thanks, code wise this seems good to me. just a minor comment on the man page and we need to make sure the test does not run forever

[Luap99]

I think the general style in the man pages was to write Note: ... or something like that. I don't think we have used > elsewhere. I don't mind it for the web view but I have not yet looked at how it looks in the rendered man page.

[Luap99]

this is great but maybe add a small sleep for like 10ms or something to not busy poll which also eats a lot of resources.

Second this needs a timeout, if the build process fails and never prints the output this would loop forever causing hard to debug issues in CI.

[Luap99]

This will still hang the goroutine which means you leak the entire goroutine. This really needs a timeout in the loop so the loop actually ends.

matchedOutput := false

for range 900 {
	if build.LineInOutputContains("Please use signal 9") {
		matchedOutput = true
		break
	}
	time.Sleep(100 * time.Millisecond)
}
if !matchedOutput {
	Fail("Did not match special string in podman build")
}

Also when using goroutines in a ginkgo test one should use defer GinkgoRecover() to ensure error reporting there works. In this case it may not strictly be needed as there is no actual matching done but in case of a panic it should still be recovered by ginkgo.

[Honny1]

Thanks. I didn't realize that. Fixed.

[Luap99]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Honny1, Luap99

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [Luap99]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[Luap99]

Removed the lgtm label again (forgot there wasn't a second review)

[rhatdan]

I am hitting this all the time when playing with AI builds

Thanks @Honny1
/lgtm