Skip to content

Commit

Permalink
perf(kerberos): stop ticket renewal as soon as possible (reanahub#454)
Browse files Browse the repository at this point in the history
Use `inotifywait` instead of `sleep` when waiting for the status file to
be created, so that the pod stops immediately after the file creation.

Closes reanahub/reana-job-controller#450
mdonadoni committed Apr 18, 2024

Unverified

This commit is not signed, but one or more authors requires that any commit attributed to them is signed.
1 parent ac2a01b commit 08cbfa1
Showing 2 changed files with 17 additions and 8 deletions.
18 changes: 12 additions & 6 deletions reana_commons/config.py
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
# -*- coding: utf-8 -*-
#
# This file is part of REANA.
# Copyright (C) 2018, 2019, 2020, 2021, 2022, 2023 CERN.
# Copyright (C) 2018, 2019, 2020, 2021, 2022, 2023, 2024 CERN.
#
# REANA is free software; you can redistribute it and/or modify it
# under the terms of the MIT License; see LICENSE file for more details.
@@ -461,7 +461,7 @@ def default_workspace():
# Kerberos configurations

KRB5_CONTAINER_IMAGE = os.getenv(
"KRB5_CONTAINER_IMAGE", "docker.io/reanahub/reana-auth-krb5:1.0.1"
"KRB5_CONTAINER_IMAGE", "docker.io/reanahub/reana-auth-krb5:1.0.3"
)
"""Default docker image of KRB5 sidecar container."""

@@ -471,10 +471,6 @@ def default_workspace():
KRB5_RENEW_CONTAINER_NAME = "krb5-renew"
"""Name of KRB5 sidecar container used for ticket renewal."""

KRB5_STATUS_FILE_LOCATION = "/krb5_cache/status_file"
"""Status file path used to terminate KRB5 renew container when the main
job finishes."""

KRB5_STATUS_FILE_CHECK_INTERVAL = 15
"""Time interval in seconds between checks to the status file."""

@@ -489,6 +485,16 @@ def default_workspace():
KRB5_TOKEN_CACHE_FILENAME = "krb5_{}"
"""Name of the Kerberos token cache file."""

KRB5_STATUS_FILENAME = "status_file"
"""Name of status file used to terminate KRB5 renew container when the main
job finishes."""

KRB5_STATUS_FILE_LOCATION = os.path.join(
KRB5_TOKEN_CACHE_LOCATION, KRB5_STATUS_FILENAME
)
"""Status file path used to terminate KRB5 renew container when the main
job finishes."""

KRB5_CONFIGMAP_NAME = os.getenv(
"REANA_KRB5_CONFIGMAP_NAME", f"{REANA_COMPONENT_PREFIX}-krb5-conf"
)
7 changes: 5 additions & 2 deletions reana_commons/k8s/kerberos.py
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
# -*- coding: utf-8 -*-
#
# This file is part of REANA.
# Copyright (C) 2022 CERN.
# Copyright (C) 2022, 2024 CERN.
#
# REANA is free software; you can redistribute it and/or modify it
# under the terms of the MIT License; see LICENSE file for more details.
@@ -115,7 +115,10 @@ def get_kerberos_k8s_config(
f"while ! test -f {KRB5_STATUS_FILE_LOCATION}; do "
f"if [ $SECONDS -ge {KRB5_TICKET_RENEW_INTERVAL} ]; then "
'echo "Renewing Kerberos ticket: $(date)"; kinit -R; SECONDS=0; fi; '
f"sleep {KRB5_STATUS_FILE_CHECK_INTERVAL}; done"
# wait until status file is created or for a given timeout, whichever comes first
f"inotifywait --quiet --format 'Detected job status change' --timeout {KRB5_STATUS_FILE_CHECK_INTERVAL} --event create {KRB5_TOKEN_CACHE_LOCATION}; "
"done; "
"echo 'Stopping Kerberos ticket renewal sidecar'"
)
],
"name": KRB5_RENEW_CONTAINER_NAME,

0 comments on commit 08cbfa1

Please sign in to comment.