Hi Bert,

Thanks for reporting the bug.

Unfortunately, I think this is an issue with autofs.

The MOUNT_UNDER_SCRATCH feature works by creating a separate mount namespace for each job, then bind mounting the sysadmin-specified directories (such as /tmp or /var/tmp) within the namespace.  For more info, see http://osgtech.blogspot.com/2012/02/file-isolation-using-bind-mounts-and.html.  Call the system's namespace A and the job's namespace B.

Autofs appears to work by having a stub mount of type autofs; when it sees filesystem activity inside its mount, it replaces the stub mount with the real mount.

The problem is that autofs sees activity in namespace B, but mounts the filesystem in namespace A - invisible to the job.

There are two ways to fix this (that I can think of, at least):
1) Autofs can mark its mounts as "shared sub-tree".  That means changes in namespace A automatically show up in namespace B.
2) Autofs can use the new "setns" call (available in Linux kernel 3.0) to temporarily associate itself with namespace B and do the mount only in namespace B.

However, I don't know enough about the autofs to speculate which approach would be doable upstream.

Matt - meta question: do you know how to CC the autofs maintainers on this ticket?

Brian

(In reply to comment #1)
> Hi Bert,
> 
> Thanks for reporting the bug.
> 
> Unfortunately, I think this is an issue with autofs.
> 
> The MOUNT_UNDER_SCRATCH feature works by creating a separate mount namespace
> for each job, then bind mounting the sysadmin-specified directories (such as
> /tmp or /var/tmp) within the namespace.  For more info, see
> http://osgtech.blogspot.com/2012/02/file-isolation-using-bind-mounts-and.html. 
> Call the system's namespace A and the job's namespace B.
> 
> Autofs appears to work by having a stub mount of type autofs; when it sees
> filesystem activity inside its mount, it replaces the stub mount with the real
> mount.

Actually mounts over the top of the trigger.

> 
> The problem is that autofs sees activity in namespace B, but mounts the
> filesystem in namespace A - invisible to the job.
> 
> There are two ways to fix this (that I can think of, at least):
> 1) Autofs can mark its mounts as "shared sub-tree".  That means changes in
> namespace A automatically show up in namespace B.

Not sure about that, I'll have to look around and see if I
can evaluate the implications of that.

> 2) Autofs can use the new "setns" call (available in Linux kernel 3.0) to
> temporarily associate itself with namespace B and do the mount only in
> namespace B.

Sounds good but my initial impression is that autofs is not
aware of the different namespace when it needs to be.
Again I'll need to look around.

> 
> However, I don't know enough about the autofs to speculate which approach would
> be doable upstream.

The question of namespace support within autofs is actually
pretty difficult AFAICT from previous interactions with folks
involved with the implementation.

What's really needed is for me to consult with one of the
namespace code maintainers, but I'm not sure who that should
be.

Ian

If the autofs folks are against namespace support (either due to a difficult implementation, or a technical disagreement), I think Condor could itself mark the mount directory as shared-subtree.  Perhaps it's inevitable in order to properly support our local RHEL6 boxes.

We already have to parse the relevant files as "/" itself is a shared-subtree in F16, and we want to have a per-job "/tmp".  The approach is pretty distasteful as I am mucking around with mounts that don't belong to us, but I think should actually work.

A ticket has been filed upstream:

https://condor-wiki.cs.wisc.edu/index.cgi/tktview?tn=2959

Patch is attached there.

(In reply to comment #4)
> A ticket has been filed upstream:
> 
> https://condor-wiki.cs.wisc.edu/index.cgi/tktview?tn=2959
> 
> Patch is attached there.

Are you sure this will work around the problem?

I thought the shared mount attribute was propagated to child
mounts from the parent mount and systemd marks "/" as shared
already IIRC.

I was able to reproduce (not out of the box though - I had to manually make the autofs mounts non-shared), and this patch fixed it.

Your comment about "/" being shared already is correct (on RHEL6 and prior Fedoras, this is not true).

As mentioned on the Condor ticket, I also noticed a buildsys issue that should have made the detection of "/" as shared broken - meaning, out-of-the-box on F16, the MOUNT_UNDER_SCRATCH feature should have been broken.

So, I'm now curious about how the original bug reporter got their box into this state.  It would be nice to see /proc/self/mountinfo from Bert's box.

(In reply to comment #6)
> I was able to reproduce (not out of the box though - I had to manually make the
> autofs mounts non-shared), and this patch fixed it.
> 
> Your comment about "/" being shared already is correct (on RHEL6 and prior
> Fedoras, this is not true).

That's true, and I had to make a change to F16 autofs to make
autofs work with the shared subtree root filesystem, which is
not present in RHEL-6. So, keep that in mind too.

Created attachment 580747 [details]
/proc/self/mountinfo on one of the compute nodes

This is as seen from outside all things condor.

Hi Bert,

Did you do anything special to make "/" not shared?  From your attachment, it seems we have diagnosed the bug correctly.

I think we're going to do a new build for F16/F17/rawhide today; I'll try to make sure this patch gets reviewed and added.

Brian

Hi Brian,

Nope, nothing special there, neither /etc/fstab nor automount configs.  Might be
a side effect of something, but what?

Bert.

condor-7.9.0-0.1.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/condor-7.9.0-0.1.fc16

condor-7.9.0-0.1.fc17.2 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/condor-7.9.0-0.1.fc17.2

Package condor-7.9.0-0.1.fc17.2:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing condor-7.9.0-0.1.fc17.2'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-6880/condor-7.9.0-0.1.fc17.2
then log in and leave karma (feedback).

Hi all,

I just tried condor-7.9.0-0.1.fc16 from updates-testing. The results are nearly same as with
condor-7.7.5-0.2.fc16:

(stderr)
/users/visics/deknuydt/condor/testscript.sh: line 3: cd: /software/matlab/2012a/bin: Too many levels of symbolic links
ls: cannot access /software/matlab/2012a/bin/matlab: Too many levels of symbolic links

Which is the outcome of a simple:
> cd  /software/matlab/2012a/bin

From inside the condor job, no automounts, except those that were already available
Filesystem                               1K-blocks       Used Available Use% Mounted on
rootfs                                     8362320    2402964   5539928  31% /
[...]
asgard:/visics/homedirs/visics/deknuydt 2113787904 1124507648 881906688  57% /users/visics/deknuydt
/dev/mapper/vg_yingchang-LogVol02        698257668   10453424 652855536   2% /tmp
/dev/mapper/vg_yingchang-LogVol02        698257668   10453424 652855536   2% /var/tmp

From outside the condor job, you see the thing properly mounted:

> df
Filesystem                               1K-blocks       Used Available Use% Mounted on
rootfs                                     8362320    2402960   5539932  31% /
[...]
tmpfs                                      3108924          0   3108924   0% /tmp
tmpfs                                      3108924          0   3108924   0% /var/tmp
[...]
asgard:/visics/homedirs/visics/deknuydt 2113787904 1124228096 882186240  57% /users/visics/deknuydt
bocq:/softw/matlab                       264224768  253955072   7584768  98% /software/matlab

Do you get any wiser with the outputs of /proc/self/mountinfo?

Hi Bert,

I see what's wrong.  Look at my latest update here:

https://condor-wiki.cs.wisc.edu/index.cgi/tktview?tn=2959,0

I fat-fingered the creation of a patch from my git branch, causing the fix to be #ifdef'd out.

Working on it.

Brian

Updated, will be in next spin.

Any movement to be expected here?  Fedora 1{6,7} are still at 7.7.5,
while more recent stuff is out upstream ...

condor-7.9.1-0.1.fc17.2 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/condor-7.9.1-0.1.fc17.2

Package condor-7.9.1-0.1.fc17.2:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing condor-7.9.1-0.1.fc17.2'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-12127/condor-7.9.1-0.1.fc17.2
then log in and leave karma (feedback).

condor-7.9.1-0.1.fc17.2 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

I have a similar problem "Too many levels of symbolic links" (not using condor !) 
cf https://bugzilla.redhat.com/show_bug.cgi?id=833535

in comment #7 above,  Ian kent said
"I had to make a change to F16 autofs to make
autofs work with the shared subtree root filesystem"

I would like to try that, 
how do you configure autofs to work with shared subtree !?

Thanks .

(In reply to comment #21)
> I have a similar problem "Too many levels of symbolic links" (not using
> condor !) 
> cf https://bugzilla.redhat.com/show_bug.cgi?id=833535
> 
> in comment #7 above,  Ian kent said
> "I had to make a change to F16 autofs to make
> autofs work with the shared subtree root filesystem"
> 
> I would like to try that, 
> how do you configure autofs to work with shared subtree !?

Use autofs-5.0.6-3 or later.

I am already on : 
autofs-5.0.6-22.fc17.i686 , kernel-PAE-3.5.4-1.fc17.i686 , fedora17

but maybe there's an option, variable or whatever to set (in /etc/sysconfig/autofs ?) to force the use of shared subtree ?
how can I check if I use shared subtree ?

Thanks .

(In reply to comment #23)
> I am already on : 
> autofs-5.0.6-22.fc17.i686 , kernel-PAE-3.5.4-1.fc17.i686 , fedora17
> 
> but maybe there's an option, variable or whatever to set (in
> /etc/sysconfig/autofs ?) to force the use of shared subtree ?
> how can I check if I use shared subtree ?

There isn't, the issue was that systemd sets "/" as shared and
that caused a problem with the construction of mount trees.

When the containing file system is shared moving the mount
(tree) to the final location after construction wouldn't work.
But this mechanism isn't needed with the vfs-automount
intrastrucure so it was removed, actually just disabled in
fc17.

Just what is causing the problem your seeing is puzzling. No
matter how I look at it, it has to mean that there's a call
to perform a mount that returns success but no mount is actually
present.

I haven't ruled out the possiblity this is reated in some way
to the fact that "/" is shared. If you don't rely on this you
could "mount --make-private /", stop autofs and make sure there's
no autofs stuff mounted, then start it and see if the problem
remains.

I might also add I have a patch that is yet to be posted that
solves a problem with recurring mount requests but I can't see
how that would cause this either, but maybe.

I'll get to posting that soon as I can and then see about a
test kernel.

Probably the better place to continue this is bug 833535
rather than hijacking this bug.