feat(exec): Add --no-session flag for improved performance

[ryanmccann1024]

Fixes: #26588

For use cases like HPC, where podman exec is called in rapid succession, the standard exec process can become a bottleneck due to container locking and database I/O for session tracking.

This commit introduces a new --no-session flag to podman exec. When used, this flag invokes a new, lightweight backend implementation (ExecNoSession) that:

• Skips container locking, reducing lock contention.
• Bypasses the creation, tracking, and removal of exec sessions in the database.
• Executes the command directly and retrieves the exit code without persisting session state.

Does this PR introduce a user-facing change?

Added a new `--no-session` flag to `podman exec` to provide a performance-optimized execution path that bypasses container locking and database session tracking. This is ideal for high-concurrency environments like HPC where exec session tracking is not required.

[openshift-ci]

Adding the "do-not-merge/release-note-label-needed" label because no release-note block was detected, please follow our release note process to remove it.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[packit-as-a-service]

[NON-BLOCKING] Packit jobs failed. @containers/packit-build please check. Everyone else, feel free to ignore.

[ryanmccann1024]

Hello @mheon,

I'm not really sure why some of the pipelines fail, I'm stuck.

[mheon]

Integration tests, you need a SkipIfRemote in your tests. System tests are both flakes.

[Honny1]

Good job, LGTM

The failed Healthcheck seems to be a flake. I tested it locally and the Healthcheck passed.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: Honny1, ryanmccann1024
Once this PR has been reviewed and has the lgtm label, please assign mheon for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[mheon]

LGTM

[ryanmccann1024]

I think there's still a pending review @mheon

Or I'm not sure if I should do something else before that.

[mheon]

@containers/podman-maintainers PTAL

[Luap99]

This seems to be mostly duplication from c.healthCheckExec(), I like to see this worked to share the code not duplicate it.

[Luap99]

is there a reason to define a new function on the interface like this, it could easily be added in ContainerExec()

In particular this function simply removes several required things that ContainerExec() does.

First this here never calls, getContainers() which means --latest will be broken

Second, it misses the if options.Tty branch to add the TERM env which means you get different behavior fro TERM in session on no session mode which seems very unexpected

Lastly it also doesn't do the tty resize logic that is in ExecAttachCtr() so the terminal is not set into the right state I think

[mheon]

I'd prefer to keep this separate - I'm expecting further changes down the line to diverge from normal Exec()

[Luap99]

different how? we can split in libpod but doing this here on the cli/ContainerEngine just seems to bypass basic code that we must always do as I pointed out above.

We can always do if execNoSession inside ContainerExec() once we looked up the container and configured the basic exec config.

what further changes are expected here where this function makes sense?

[mheon]

Complete removal of the Conmon backend in favor of directly calling OCI runtime exec directly.

[Luap99]

Sure but that can still happen within ContainerExec(), right now we duplicate common lookup logic which I find quite bad due the bugs mentioned, at the end of ContainerExec() a simple if options.NoSession would be easier IMO.

[Luap99]

please test exit exit codes, it should exit 137 due the kill signal I guess?
It is easy to such tests wrong otherwise, you could type the command then it always errors with non 0 code but didn't test what you wanted.

[giuseppe]

Do we have any numbers on what's the improvement is?

Can you run it under hyperfine and check what's the difference with a regular exec?

[giuseppe]

Do we have any numbers on what's the improvement is?

Can you run it under hyperfine and check what's the difference with a regular exec?

I did the test on my machine and the results are very good:

➜ hyperfine 'bin/podman exec foo true' 'bin/podman exec --no-session foo true'
Benchmark 1: bin/podman exec foo true
  Time (mean ± σ):      80.2 ms ±   2.9 ms    [User: 22.6 ms, System: 14.6 ms]
  Range (min … max):    74.9 ms …  86.5 ms    34 runs

Benchmark 2: bin/podman exec --no-session foo true
  Time (mean ± σ):      29.9 ms ±   6.8 ms    [User: 20.1 ms, System: 11.9 ms]
  Range (min … max):    22.3 ms …  54.1 ms    97 runs

Summary
  bin/podman exec --no-session foo true ran
    2.68 ± 0.62 times faster than bin/podman exec foo true

[ryanmccann1024]

Update: Going to make these changes this week.

Sorry for the delay!

[Luap99]

Looking at this again there is another problem with this, right now conmon always spawns the podman container cleanup command which should remove the session but since there is no session in the db that command will always fail.
Well technically it doesn't fail because we ignore the no session error as this is a common race

diff --git a/pkg/domain/infra/abi/containers.go b/pkg/domain/infra/abi/containers.go
index 1ac01c3842..9393b4eedc 100644
--- a/pkg/domain/infra/abi/containers.go
+++ b/pkg/domain/infra/abi/containers.go
@@ -1328,7 +1328,7 @@ func (ic *ContainerEngine) ContainerCleanup(ctx context.Context, namesOrIds []st
                                err = ctr.ExecCleanup(options.Exec)
                        }
                        // If ErrNoSuchExecSession then the exec session was already removed so do not report an error.
-                       if err != nil && !errors.Is(err, define.ErrNoSuchExecSession) {
+                       if err != nil /*&& !errors.Is(err, define.ErrNoSuchExecSession) */ {
                                return nil, err
                        }
                        return []*entities.ContainerCleanupReport{}, nil

With this and using the hack/podman_cleanup_tracer.bt you see the commands failing.
Anyway my point here is that we should never register the cleanup command to begin with, it will always fail so this should really not specify the command for conmon. This should make this patch even more effective as we do not spawn a cleanup process.

Either that or we keep the cleanup process so it can clean up the tmpfiles we created for this exec, but then we need a way to communicate the location to the cleanup process instead of it looking it up in the db.
And also one thing exec doesn't seem to do is to handle the signal's sure, i.e. if we get SIGINT/TERM we should be able to cleanup the tmpfiles before exiting to ensure we do not leak them.

[ryanmccann1024]

Got it!

I think I'm all set to keep working on this although I'm not fully clear on the last suggestion made by @Luap99 (I'm a newbie).

[Luap99]

Got it!

I think I'm all set to keep working on this although I'm not fully clear on the last suggestion made by @Luap99 (I'm a newbie).

There is this in makeExecConfig() which sets a exit command on conmon which we don't want.

	// TODO: Add some ability to toggle syslog
	exitCommandArgs, err := specgenutil.CreateExitCommandArgs(storageConfig, runtimeConfig, logrus.IsLevelEnabled(logrus.DebugLevel), false, false, true)
	if err != nil {
		return nil, fmt.Errorf("constructing exit command for exec session: %w", err)
	}
	execConfig.ExitCommand = exitCommandArgs

So in theory all you need to do is to make sure the command is nil for you exec config then it should work I think.

[Honny1]

This ends with a 255 error code. I suspect there is some incorrect handling of the error code.

[ryanmccann1024]

This might be a ridiculous question, but how do I run the tests locally (I'm on a Mac)?

[Honny1]

Unfortunately, you will need a Linux virtual machine (VM). Alternatively, you can SSH into the Podman machine with podman machine ssh. The entire /Users directory is mounted, so you can cd to the location where you cloned the Podman repository. Then, you can install the developer dependencies using the command sudo rpm-ostree install systemd-devel gcc glib2-devel glibc-devel glibc-static golang git-core gpgme-devel libassuan-devel libgpg-error-devel libseccomp-devel libselinux-devel shadow-utils-subid-devel pkgconfig man-db sqlite-devel systemd systemd-devel. Afterward, exit the machine and restart it with podman machine stop and podman machine start. Once you SSH back into the machine, you should have a working environment where you can run tests.

[ryanmccann1024]

Not sure if I'm doing something wrong, the integration tests pass for me locally?

[mheon]

I think the problem here is that this is running serially - maybe put the execSession bit in a goroutine so they run concurrent? Though you'd need a sleep to sequence them, give time for the first exec to start (our CI is really slow)

[ryanmccann1024]

Any suggestions on how to fix the failure on that pipeline due to the merge?

I think there's also a linting error from upstream?

[Honny1]

Linting error fix: #27234

[Honny1]

@ryanmccann1024 Could you please rebase on main?