nginx_stage nginx_clean: Also clean up PUNs of non-existing users #3879
Comments
I agree. I'm not sure off the top why it wouldn't clean a PUN for a user that doesn't exist, so I'll have to investigate why it's not cleaning those PUNs. But I agree that it should. |
The issue is that the code tries to resolve the username (based on the I tested this on OOD 3.1.9 using the following methodology:
The outcome is quite interesting. I get an error message saying: and the nginx_clean exits with code 0. So the error is caught somewhere, but doesn't reflect the original error, being that my username didn't resolve into a valid user account. I also strace:d the program while testing this and it didn't show any interesting errors on the syscall side. It basically checked what's inside the I suspect this is where the "all users do exist" assumption starts being a problem: ondemand/nginx_stage/lib/nginx_stage.rb Line 187 in 1b076a8 |
johrstrom
added
component/nginx_stage
bug
|
I'm trying to replicate the circumstances that would get us into this spot. Though I think I need |
|
I got the hpc-toolset working to do this. Unfortunately, if it works correctly and gets (I added one or two output statements here to see the nginx command) So I'm not really sure what to do here - save for searching for and |
I'm now wondering why you delete the user instead of just disabling it? Seems like if you delete a user you'd have to do all sorts of cleanup tasks afterwards (like cleaning their HOME and so on). This may just be one more cleanup task you need to take care of. |
|
Thanks for looking into this!
Okay, that's good to know.
I won't go into details, but this is how our system is set up to work. Users who aren't authorized to compute won't exist either.
There's no need to go to I.e., the solution to this issue would in my opinion simply do something similar, without the pid="$(cat /var/run/ondemand-nginx/${redacted_user:?}/passenger.pid)"
/usr/bin/kill -s TERM "$pid"
# Remove the empty PID file directory
rmdir /var/run/ondemand-nginx/${redacted_user:?}
# Remove the PUN config and secret_key_base (kind of hacky, please revisit)
find /var/lib/ondemand-nginx/config/puns/ -name "${redacted_user:?}.*" -deleteThe PUN config and secret_key_base seems to be based on usernames only, so this should be easy to integrate at the same time: ondemand/nginx_stage/lib/nginx_stage/configuration.rb Lines 459 to 460 in 5ec1821 |
|
I have a PR in to also cleanup non existing PUNs/config files. Looking at the git blame, looks like we've been at it a while, you created #1833 😆. |
Currently, the nginx_stage program depends on a user existing in order to function properly. Previously, there were issues with it crashing if a single user didn't exist, but thankfully that's no longer an issue.
For the purpose of cleaning up inactive PUNs regularly, we're running
nginx_stage nginx_cleanonce every 5 minutes. The issue is that PUNs belonging to a UID which doesn't have a valid user attached to it any longer won't be cleaned up.Users accounts might get removed from the system at any time due to all of their projects being closed, or due to misconduct or other issues, and in these cases, it would be nice if
nginx_stage nginx_cleancould kill their PUN regardless of activity or inactivity.As far as I can see, this could be done by checking all of the PUN config files, and gathering the ones which have no valid owner, and finally calling the
nginx -c ${config_file} -s stopcommand, like this function does. From these config file paths, the previous usernames of the UIDs would be available and other possible clean-up can be done, if necessary.It would probably be possible to implement a separate tool for this as well, but I think OOD might want to integrate it into
nginx_stage nginx_cleanfor completeness. Let me know what you think. Thanks in advance!The text was updated successfully, but these errors were encountered: