Make port preflight checks idempotent

Author: alexbrand

integration/install_test.go

@@ -270,6 +270,10 @@ var _ = Describe("kismatic", func() {
 						sub.It("nodes should contain expected component overrides", func() error {
 							return ContainsOverrides(nodes, sshKey)
 						})
+
+						sub.It("should allow for running preflight checks idempotently", func() error {
+							return runValidate("kismatic-testing.yaml")
+						})
 					})
 				})
 			})
@@ -324,6 +328,10 @@ var _ = Describe("kismatic", func() {
 						sub.It("nodes should contain expected labels", func() error {
 							return containsLabels(nodes, sshKey)
 						})
+
+						sub.It("should allow for running preflight checks idempotently", func() error {
+							return runValidate("kismatic-testing.yaml")
+						})
 					})
 				})
 			})

integration/validate.go

@@ -102,10 +102,7 @@ func ValidateKismaticMini(node NodeDeets, user, sshKey string) PlanAWS {
 
 	// Run validation
 	By("Validate our plan")
-	ver := exec.Command("./kismatic", "install", "validate", "-f", f.Name())
-	ver.Stdout = os.Stdout
-	ver.Stderr = os.Stderr
-	err = ver.Run()
+	err = runValidate(f.Name())
 	FailIfError(err, "Error validating plan")
 	return plan
 }
@@ -141,10 +138,7 @@ func ValidateKismaticMiniDenyPkgInstallation(node NodeDeets, sshUser, sshKey str
 
 	// Run validation
 	By("Validate our plan")
-	cmd := exec.Command("./kismatic", "install", "validate", "-f", f.Name())
-	cmd.Stdout = os.Stdout
-	cmd.Stderr = os.Stderr
-	return cmd.Run()
+	return runValidate(f.Name())
 }
 
 func ValidateKismaticMiniWithBadSSH(node NodeDeets, user, sshKey string) PlanAWS {
@@ -175,10 +169,7 @@ func ValidateKismaticMiniWithBadSSH(node NodeDeets, user, sshKey string) PlanAWS
 
 	// Run validation
 	By("Validate our plan")
-	ver := exec.Command("./kismatic", "install", "validate", "-f", f.Name())
-	ver.Stdout = os.Stdout
-	ver.Stderr = os.Stderr
-	err = ver.Run()
+	err = runValidate(f.Name())
 	FailIfSuccess(err)
 	return plan
 }
@@ -196,3 +187,10 @@ func getBadSSHKeyFile() (string, error) {
 
 	return filepath.Join(dir, ".ssh", "bad.pem"), nil
 }
+
+func runValidate(planFile string) error {
+	cmd := exec.Command("./kismatic", "install", "validate", "-f", planFile)
+	cmd.Stdout = os.Stdout
+	cmd.Stderr = os.Stderr
+	return cmd.Run()
+}

pkg/inspector/check/tcp.go

@@ -1,12 +1,11 @@
 package check
 
 import (
-	"bufio"
-	"errors"
 	"fmt"
 	"io"
 	"log"
 	"net"
+	"os/exec"
 	"strings"
 	"time"
 )
@@ -34,41 +33,29 @@ func (c *TCPPortClientCheck) Check() (bool, error) {
 	if err != nil {
 		return false, fmt.Errorf("Port %d on host %q is unreachable. Error was: %v", c.PortNumber, c.IPAddress, err)
 	}
-
-	testMsg := "ECHO\n"
-	fmt.Fprint(conn, testMsg)
-	resp, err := bufio.NewReader(conn).ReadString('\n')
-	if err == io.EOF {
-		return false, nil // The server sent an empty response
-	}
-	if err != nil {
-		return false, fmt.Errorf("error reading from TCP socket: %v", err)
-	}
-	if resp != testMsg {
-		return false, nil
-	}
+	conn.Close()
 	return true, nil
 }
 
-// TCPPortServerCheck ensures that the given port is free, and stands up a TCP server that can be used to
-// check TCP connectivity to the host using TCPPortClientCheck
+// TCPPortServerCheck ensures that the given port is free, or bound to the right
+// process. In the case that it is free, it stands up a TCP server that can be
+// used to check TCP connectivity to the host using TCPPortClientCheck
 type TCPPortServerCheck struct {
 	PortNumber     int
+	ProcName       string
 	started        bool
 	closeListener  func() error
 	listenerClosed chan interface{}
 }
 
-// Check returns true if the port is available for the server. Otherwise returns false
-// and an error message
+// Check returns true if the port is free, or taken by the expected process.
 func (c *TCPPortServerCheck) Check() (bool, error) {
 	ln, err := net.Listen("tcp", fmt.Sprintf(":%d", c.PortNumber))
 	if err != nil && strings.Contains(err.Error(), "address already in use") {
-		return false, nil
+		return portTakenByProc(c.PortNumber, c.ProcName)
 	}
 	if err != nil {
-		// TODO: We could check if the port is being used here..
-		return false, fmt.Errorf("error listening on port %d", c.PortNumber)
+		return false, fmt.Errorf("error listening on port %d: %v", c.PortNumber, err)
 	}
 	c.closeListener = ln.Close
 	// Setup go routine for accepting connections
@@ -98,11 +85,40 @@ func (c *TCPPortServerCheck) Check() (bool, error) {
 	return true, nil
 }
 
-// Close the TCP server
+// Close the TCP server if it was started. Otherwise this is a noop.
 func (c *TCPPortServerCheck) Close() error {
 	if c.started {
 		close(c.listenerClosed)
 		return c.closeListener()
 	}
-	return errors.New("called close on a TCPPortServerCheck that is not started")
+	return nil
+}
+
+// Returns true if the port is taken by a process with the given name.
+func portTakenByProc(port int, procName string) (bool, error) {
+	// Use lsof to find the process that is bound to the tcp port in listen
+	// mode.
+	// ~# lsof -i TCP:2379 -s TCP:LISTEN -Pn +c 0
+	// COMMAND       PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
+	// docker-proxy 7294 root    4u  IPv6  43407      0t0  TCP *:2379 (LISTEN)
+	portArg := fmt.Sprintf("TCP:%d", port)
+	cmd := exec.Command("lsof", "-i", portArg, "-s", "TCP:LISTEN", "-Pn", "+c", "0")
+	out, err := cmd.Output()
+	if err != nil {
+		return false, fmt.Errorf("error running lsof: %v", err)
+	}
+	lines := strings.Split(string(out), "\n")
+	if len(lines) < 2 {
+		return false, fmt.Errorf("expected lsof to return at least 2 lines, but returned %d", len(lines))
+	}
+	// There are cases where lsof will return multiple lines for the same port. For example:
+	// ~# lsof -i TCP:$port -s TCP:LISTEN -Pn +c 0
+	// COMMAND   PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
+	// nginx   18611   root   10u  IPv4  82841      0t0  TCP *:80 (LISTEN)
+	// nginx   18628 nobody   10u  IPv4  82841      0t0  TCP *:80 (LISTEN)
+	// nginx   18629 nobody   10u  IPv4  82841      0t0  TCP *:80 (LISTEN)
+	//
+	// Use the first line after the header for verifying the proc name.
+	lsofFields := strings.Fields(lines[1])
+	return lsofFields[0] == procName, nil
 }

pkg/inspector/rule/check_mapper.go

@@ -38,7 +38,7 @@ func (m DefaultCheckMapper) GetCheckForRule(rule Rule) (check.Check, error) {
 	case FileContentMatches:
 		c = check.FileContentCheck{File: r.File, SearchString: r.ContentRegex}
 	case TCPPortAvailable:
-		c = &check.TCPPortServerCheck{PortNumber: r.Port}
+		c = &check.TCPPortServerCheck{PortNumber: r.Port, ProcName: r.ProcName}
 	case TCPPortAccessible:
 		timeout, err := time.ParseDuration(r.Timeout)
 		if err != nil {

pkg/inspector/rule/encoding.go

@@ -40,6 +40,7 @@ type catchAllRule struct {
 	AnyVersion        bool     `yaml:"anyVersion"`
 	Executable        string   `yaml:"executable"`
 	Port              int      `yaml:"port"`
+	ProcName          string   `yaml:"procName"`
 	File              string   `yaml:"file"`
 	ContentRegex      string   `yaml:"contentRegex"`
 	Timeout           string   `yaml:"timeout"`
@@ -103,7 +104,8 @@ func buildRule(catchAll catchAllRule) (Rule, error) {
 		return r, nil
 	case "tcpportavailable":
 		r := TCPPortAvailable{
-			Port: catchAll.Port,
+			Port:     catchAll.Port,
+			ProcName: catchAll.ProcName,
 		}
 		r.Meta = meta
 		return r, nil

pkg/inspector/rule/rule_set.go

@@ -35,15 +35,19 @@ const defaultRuleSet = `---
 - kind: TCPPortAvailable
   when: ["etcd"]
   port: 2379
+  procName: docker-proxy # docker sets up a proxy for the etcd container
 - kind: TCPPortAvailable
   when: ["etcd"]
   port: 6666
+  procName: docker-proxy # docker sets up a proxy for the etcd container
 - kind: TCPPortAvailable
   when: ["etcd"]
   port: 2380
+  procName: docker-proxy # docker sets up a proxy for the etcd container
 - kind: TCPPortAvailable
   when: ["etcd"]
   port: 6660
+  procName: docker-proxy # docker sets up a proxy for the etcd container
 
 # Ports used by etcd are accessible
 - kind: TCPPortAccessible
@@ -67,17 +71,21 @@ const defaultRuleSet = `---
 - kind: TCPPortAvailable
   when: ["master"]
   port: 6443
+  procName: kube-apiserver
 - kind: TCPPortAvailable
   when: ["master"]
   port: 8080
+  procName: kube-apiserver
 # kube-scheduler
 - kind: TCPPortAvailable
   when: ["master"]
   port: 10251
+  procName: kube-scheduler
 # kube-controller-manager
 - kind: TCPPortAvailable
   when: ["master"]
   port: 10252
+  procName: kube-controller
 
 # Ports used by K8s master are accessible
 # Port 8080 is not accessible from outside
@@ -101,26 +109,32 @@ const defaultRuleSet = `---
 - kind: TCPPortAvailable
   when: ["master","worker","ingress","storage"]
   port: 4194
+  procName: kubelet
 # kubelet localhost healthz
 - kind: TCPPortAvailable
   when: ["master","worker","ingress","storage"]
   port: 10248
+  procName: kubelet
 # kube-proxy metrics
 - kind: TCPPortAvailable
   when: ["master","worker","ingress","storage"]
   port: 10249
+  procName: kube-proxy
 # kube-proxy health
 - kind: TCPPortAvailable
   when: ["master","worker","ingress","storage"]
   port: 10256
+  procName: kube-proxy
 # kubelet
 - kind: TCPPortAvailable
   when: ["master","worker","ingress","storage"]
   port: 10250
+  procName: kubelet
 # kubelet no auth
 - kind: TCPPortAvailable
   when: ["master","worker","ingress","storage"]
   port: 10255
+  procName: kubelet
 
 # Ports used by K8s worker are accessible
 # cAdvisor
@@ -143,13 +157,15 @@ const defaultRuleSet = `---
 - kind: TCPPortAvailable
   when: ["ingress"]
   port: 80
+  procName: nginx
 - kind: TCPPortAccessible
   when: ["ingress"]
   port: 80
   timeout: 5s
 - kind: TCPPortAvailable
   when: ["ingress"]
   port: 443
+  procName: nginx
 - kind: TCPPortAccessible
   when: ["ingress"]
   port: 443
@@ -158,6 +174,7 @@ const defaultRuleSet = `---
 - kind: TCPPortAvailable
   when: ["ingress"]
   port: 10254
+  procName: nginx-ingress-c
 - kind: TCPPortAccessible
   when: ["ingress"]
   port: 10254
@@ -392,44 +409,41 @@ const defaultRuleSet = `---
 - kind: TCPPortAvailable
   when: ["storage"]
   port: 8081
+  procName: exechealthz
 - kind: TCPPortAccessible
   when: ["storage"]
   port: 8081
   timeout: 5s
 
 # Ports required for NFS
-# Removed due to https://github.com/apprenda/kismatic/issues/784
-#- kind: TCPPortAvailable
-#  when: ["storage"]
-#  port: 111
-#- kind: TCPPortAccessible
-#  when: ["storage"]
-#  port: 111
-#  timeout: 5s
 - kind: TCPPortAvailable
   when: ["storage"]
   port: 2049
+  procName: glusterfs
 - kind: TCPPortAccessible
   when: ["storage"]
   port: 2049
   timeout: 5s
 - kind: TCPPortAvailable
   when: ["storage"]
   port: 38465
+  procName: glusterfs
 - kind: TCPPortAccessible
   when: ["storage"]
   port: 38465
   timeout: 5s
 - kind: TCPPortAvailable
   when: ["storage"]
   port: 38466
+  procName: glusterfs
 - kind: TCPPortAccessible
   when: ["storage"]
   port: 38466
   timeout: 5s
 - kind: TCPPortAvailable
   when: ["storage"]
   port: 38467
+  procName: glusterfs
 - kind: TCPPortAccessible
   when: ["storage"]
   port: 38467

pkg/inspector/rule/tcp_port.go

@@ -7,11 +7,15 @@ import (
 )
 
 // TCPPortAvailable is a rule that ensures that a given port is available
-// on the node. Available means that the port is not being used by another
-// process.
+// on the node. The port is considered available if:
+// - The port is free and ready to be bound by a new process, or
+// - The port is bound to the process defined in ProcName
 type TCPPortAvailable struct {
 	Meta
+	// The port number to verify
 	Port int
+	// The name of the process that owns this port after KET installation
+	ProcName string
 }
 
 // Name is the name of the rule
@@ -24,10 +28,14 @@ func (p TCPPortAvailable) IsRemoteRule() bool { return false }
 
 // Validate the rule
 func (p TCPPortAvailable) Validate() []error {
+	var errs []error
 	if p.Port < 1 || p.Port > 65535 {
-		return []error{fmt.Errorf("Invalid port number %d specified", p.Port)}
+		errs = append(errs, fmt.Errorf("Invalid port number %d specified", p.Port))
 	}
-	return nil
+	if p.ProcName == "" {
+		errs = append(errs, fmt.Errorf("ProcName cannot be empty"))
+	}
+	return errs
 }
 
 // TCPPortAccessible is a rule that ensures the given port on a remote node