kube: notifyproxy: close once

Do not close a notifyproxy more than once.  Also polish the backend a
bit to reflect ealier changes from commit 4fa307f.

Fixes: #19715
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>

pkg/domain/infra/abi/play.go

@@ -802,7 +802,8 @@ func (ic *ContainerEngine) playKubePod(ctx context.Context, podName string, podY
 		initContainers = append(initContainers, ctr)
 	}
 
-	var sdNotifyProxies []*notifyproxy.NotifyProxy // containers' sd-notify proxies
+	// Callers are expected to close the proxies
+	var sdNotifyProxies []*notifyproxy.NotifyProxy
 
 	for _, container := range podYAML.Spec.Containers {
 		// Error out if the same name is used for more than one container
@@ -915,11 +916,6 @@ func (ic *ContainerEngine) playKubePod(ctx context.Context, podName string, podY
 		errors := make([]error, len(sdNotifyProxies))
 		for i := range sdNotifyProxies {
 			wg.Add(1)
-			defer func() {
-				if err := sdNotifyProxies[i].Close(); err != nil {
-					logrus.Errorf("Closing sdnotify proxy %q: %v", sdNotifyProxies[i].SocketPath(), err)
-				}
-			}()
 			go func(i int) {
 				err := sdNotifyProxies[i].Wait()
 				if err != nil {

pkg/systemd/notifyproxy/notifyproxy.go

@@ -103,18 +103,16 @@ func New(tmpDir string) (*NotifyProxy, error) {
 	// Start waiting for the READY message in the background.  This way,
 	// the proxy can be created prior to starting the container and
 	// circumvents a race condition on writing/reading on the socket.
-	proxy.waitForReady()
+	proxy.listen()
 
 	return proxy, nil
 }
 
-// waitForReady waits for the READY message in the background. The goroutine
+// listen waits for the READY message in the background, and process file
-// returns on receiving READY or when the socket is closed.
+// descriptors and barriers send over the NOTIFY_SOCKET. The goroutine returns
-func (p *NotifyProxy) waitForReady() {
+// when the socket is closed.
+func (p *NotifyProxy) listen() {
 	go func() {
-		// Read until the `READY` message is received or the connection
-		// is closed.
-
 		// See https://github.com/containers/podman/issues/16515 for a description of the protocol.
 		fdSize := unix.CmsgSpace(4)
 		buffer := make([]byte, _notifyBufferMax)
@@ -128,6 +126,7 @@ func (p *NotifyProxy) waitForReady() {
 					return
 				}
 				logrus.Errorf("Error reading unix message on socket %q: %v", p.socketPath, err)
+				continue
 			}
 
 			if n > _notifyBufferMax || oobn > _notifyFdMax*fdSize {
@@ -207,7 +206,7 @@ type Container interface {
 	ID() string
 }
 
-// WaitAndClose waits until receiving the `READY` notify message. Note that the
+// Wait waits until receiving the `READY` notify message. Note that the
 // this function must only be executed inside a systemd service which will kill
 // the process after a given timeout. If the (optional) container stopped
 // running before the `READY` is received, the waiting gets canceled and

test/system/260-sdnotify.bats

@@ -489,6 +489,8 @@ none | false | false | 0
                  podman_exit=0
             fi
             run_podman $podman_exit kube play --service-exit-code-propagation="$exit_code_prop" --service-container $fname
+            # Make sure that there are no error logs (e.g., #19715)
+            assert "$output" !~ "error msg="
             run_podman container inspect --format '{{.KubeExitCodePropagation}}' $service_container
             is "$output" "$exit_code_prop" "service container has the expected policy set in its annotations"
             run_podman wait $service_container