Use sync.WaitGroup to avoid exiting before components have shut down

Currently only waits on etcd and kine, as other components
are stateless and do not need to shut down cleanly.

Terminal but non-fatal errors now request shutdown via context
cancellation, instead of just logging a fatal error.

Signed-off-by: Brad Davidson <[email protected]>

Author: brandond

go.mod

@@ -17,6 +17,7 @@ replace (
 	github.com/golang/protobuf => github.com/golang/protobuf v1.5.4
 	github.com/google/cadvisor => github.com/k3s-io/cadvisor v0.52.1
 	github.com/googleapis/gax-go/v2 => github.com/googleapis/gax-go/v2 v2.12.0
+	github.com/k3s-io/kine => github.com/brandond/kine v0.14.1-0.20250914084328-b26c9d642f69
 	github.com/open-policy-agent/opa => github.com/open-policy-agent/opa v0.59.0 // github.com/Microsoft/hcsshim using bad version v0.42.2
 	github.com/opencontainers/runc => github.com/opencontainers/runc v1.3.1
 	github.com/opencontainers/selinux => github.com/opencontainers/selinux v1.11.1

go.sum

@@ -295,6 +295,8 @@ github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2y
 github.com/boombuler/barcode v1.0.0/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=
 github.com/boombuler/barcode v1.0.1/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=
 github.com/bradfitz/go-smtpd v0.0.0-20170404230938-deb6d6237625/go.mod h1:HYsPBTaaSFSlLx/70C2HPIMNZpVV8+vt/A+FMnYP11g=
+github.com/brandond/kine v0.14.1-0.20250914084328-b26c9d642f69 h1:v5gN3RUPblkWsMNc0vvWHIFWLQMNgybCHI/7ErlnthE=
+github.com/brandond/kine v0.14.1-0.20250914084328-b26c9d642f69/go.mod h1:mtcQsUUA0XpbKlQJevLERc4YU1ao44ErPCbbItpZLjo=
 github.com/bronze1man/goStrongswanVici v0.0.0-20231128135937-211cef3b0b20 h1:JMoL5xJSYxo1QVJ3c+4FutWQnks3gZX9DYkgAnvg+5g=
 github.com/bronze1man/goStrongswanVici v0.0.0-20231128135937-211cef3b0b20/go.mod h1:fWUtBEPt2yjrr3WFhOqvajM8JSEU8bEeBcoeSCsKRpc=
 github.com/buger/jsonparser v0.0.0-20181115193947-bf1c66bbce23/go.mod h1:bbYlZJ7hK1yFx9hf58LP0zeX7UjIGs20ufpu3evjr+s=
@@ -825,8 +827,6 @@ github.com/k3s-io/etcd/server/v3 v3.6.4-k3s3 h1:DY9zD2dDmIw6L0G+nL5s4ivIV73f4lQI
 github.com/k3s-io/etcd/server/v3 v3.6.4-k3s3/go.mod h1:aYCL/h43yiONOv0QIR82kH/2xZ7m+IWYjzRmyQfnCAg=
 github.com/k3s-io/helm-controller v0.16.13 h1:jMD5lI4Mzo9uclZjLgJ8Yak6wSnXaL/tuTU+dEEx69Q=
 github.com/k3s-io/helm-controller v0.16.13/go.mod h1:mw6sVaH/eli+81sUnRqRYh5wV7YVzYp+U7OucLT5kUc=
-github.com/k3s-io/kine v0.14.0 h1:4vmVEErYwSPESHI5t0S6gL3aCOfmLlHfKnwrsuvupl4=
-github.com/k3s-io/kine v0.14.0/go.mod h1:mtcQsUUA0XpbKlQJevLERc4YU1ao44ErPCbbItpZLjo=
 github.com/k3s-io/klog/v2 v2.120.1-k3s1 h1:7twAHPFpZA21KdMnMNnj68STQMPldAxF2Zsaol57dxw=
 github.com/k3s-io/klog/v2 v2.120.1-k3s1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
 github.com/k3s-io/kube-router/v2 v2.5.0 h1:pG46bYnvi17z/Zp7W1MTeTax8HaFEp7zCzUu59UwKpI=

pkg/agent/containerd/containerd.go

@@ -20,6 +20,7 @@ import (
 	"github.com/k3s-io/k3s/pkg/agent/cri"
 	util2 "github.com/k3s-io/k3s/pkg/agent/util"
 	"github.com/k3s-io/k3s/pkg/daemons/config"
+	"github.com/k3s-io/k3s/pkg/signals"
 	"github.com/k3s-io/k3s/pkg/version"
 	"github.com/natefinch/lumberjack"
 	pkgerrors "github.com/pkg/errors"
@@ -106,10 +107,9 @@ func Run(ctx context.Context, cfg *config.Node) error {
 		addDeathSig(cmd)
 		err := cmd.Run()
 		if err != nil && !errors.Is(err, context.Canceled) {
-			logrus.Errorf("containerd exited: %s", err)
-			os.Exit(1)
+			signals.RequestShutdown(pkgerrors.WithMessage(err, "containerd exited"))
 		}
-		os.Exit(0)
+		signals.RequestShutdown(nil)
 	}()
 
 	if err := cri.WaitForService(ctx, cfg.Containerd.Address, "containerd"); err != nil {

pkg/agent/containerd/watcher.go

@@ -259,8 +259,7 @@ func importAndWatchImages(ctx context.Context, cfg *config.Node) error {
 
 	// wait for the workqueue to empty before returning
 	for w.workqueue.Len() > 0 {
-		logrus.Debugf("Waiting for initial import of images from %s", cfg.Images)
-		time.Sleep(time.Second * 2)
+		time.Sleep(500 * time.Millisecond)
 	}
 
 	// prune unseen entries from last run once all existing files have been processed

pkg/agent/cridockerd/cridockerd.go

@@ -12,10 +12,12 @@ import (
 
 	"github.com/Mirantis/cri-dockerd/cmd"
 	"github.com/Mirantis/cri-dockerd/cmd/version"
+	pkgerrors "github.com/pkg/errors"
 
 	"github.com/k3s-io/k3s/pkg/agent/cri"
 	"github.com/k3s-io/k3s/pkg/cgroups"
 	"github.com/k3s-io/k3s/pkg/daemons/config"
+	"github.com/k3s-io/k3s/pkg/signals"
 	"github.com/k3s-io/k3s/pkg/util"
 	"github.com/sirupsen/logrus"
 
@@ -41,10 +43,9 @@ func Run(ctx context.Context, cfg *config.Node) error {
 		}()
 		err := command.ExecuteContext(ctx)
 		if err != nil && !errors.Is(err, context.Canceled) {
-			logrus.Errorf("cri-dockerd exited: %v", err)
-			os.Exit(1)
+			signals.RequestShutdown(pkgerrors.WithMessage(err, "cri-dockerd exited"))
 		}
-		os.Exit(0)
+		signals.RequestShutdown(nil)
 	}()
 
 	return cri.WaitForService(ctx, cfg.CRIDockerd.Address, "cri-dockerd")

pkg/agent/flannel/flannel.go

@@ -51,7 +51,7 @@ var (
 	FlannelExternalIPv6Annotation = FlannelBaseAnnotation + "/public-ipv6-overwrite"
 )
 
-func flannel(ctx context.Context, flannelIface *net.Interface, flannelConf, kubeConfigFile string, flannelIPv6Masq bool, nm netMode) error {
+func flannel(ctx context.Context, wg *sync.WaitGroup, flannelIface *net.Interface, flannelConf, kubeConfigFile string, flannelIPv6Masq bool, nm netMode) error {
 	extIface, err := LookupExtInterface(flannelIface, nm)
 	if err != nil {
 		return pkgerrors.WithMessage(err, "failed to find the interface")
@@ -80,7 +80,7 @@ func flannel(ctx context.Context, flannelIface *net.Interface, flannelConf, kube
 		return pkgerrors.WithMessage(err, "failed to create the flannel backend")
 	}
 
-	bn, err := be.RegisterNetwork(ctx, &sync.WaitGroup{}, config)
+	bn, err := be.RegisterNetwork(ctx, wg, config)
 	if err != nil {
 		return pkgerrors.WithMessage(err, "failed to register flannel network")
 	}

pkg/agent/flannel/setup.go

@@ -5,13 +5,14 @@ import (
 	"errors"
 	"fmt"
 	"net"
-	"os"
 	"path/filepath"
 	goruntime "runtime"
 	"strings"
+	"sync"
 
 	agentutil "github.com/k3s-io/k3s/pkg/agent/util"
 	"github.com/k3s-io/k3s/pkg/daemons/config"
+	"github.com/k3s-io/k3s/pkg/signals"
 	"github.com/k3s-io/k3s/pkg/util"
 	pkgerrors "github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
@@ -73,7 +74,7 @@ func Prepare(ctx context.Context, nodeConfig *config.Node) error {
 	return createFlannelConf(nodeConfig)
 }
 
-func Run(ctx context.Context, nodeConfig *config.Node) error {
+func Run(ctx context.Context, wg *sync.WaitGroup, nodeConfig *config.Node) error {
 	logrus.Infof("Starting flannel with backend %s", nodeConfig.FlannelBackend)
 
 	kubeConfig := nodeConfig.AgentConfig.KubeConfigKubelet
@@ -104,12 +105,11 @@ func Run(ctx context.Context, nodeConfig *config.Node) error {
 		return pkgerrors.WithMessage(err, "failed to check netMode for flannel")
 	}
 	go func() {
-		err := flannel(ctx, nodeConfig.FlannelIface, nodeConfig.FlannelConfFile, kubeConfig, nodeConfig.FlannelIPv6Masq, nm)
+		err := flannel(ctx, wg, nodeConfig.FlannelIface, nodeConfig.FlannelConfFile, kubeConfig, nodeConfig.FlannelIPv6Masq, nm)
 		if err != nil && !errors.Is(err, context.Canceled) {
-			logrus.Errorf("flannel exited: %v", err)
-			os.Exit(1)
+			signals.RequestShutdown(pkgerrors.WithMessage(err, "flannel exited"))
 		}
-		os.Exit(0)
+		signals.RequestShutdown(nil)
 	}()
 
 	return nil

pkg/agent/netpol/netpol.go

@@ -46,7 +46,7 @@ func init() {
 // https://github.com/cloudnativelabs/kube-router/blob/ee9f6d890d10609284098229fa1e283ab5d83b93/pkg/cmd/kube-router.go#L78
 // It converts the k3s config.Node into kube-router configuration (only the
 // subset of options needed for netpol controller).
-func Run(ctx context.Context, nodeConfig *config.Node) error {
+func Run(ctx context.Context, wg *sync.WaitGroup, nodeConfig *config.Node) error {
 	set, err := utils.NewIPSet(false)
 	if err != nil {
 		logrus.Warnf("Skipping network policy controller start, ipset unavailable: %v", err)
@@ -119,9 +119,6 @@ func Run(ctx context.Context, nodeConfig *config.Node) error {
 	stopCh := ctx.Done()
 	healthCh := make(chan *healthcheck.ControllerHeartbeat)
 
-	// We don't use this WaitGroup, but kube-router components require it.
-	var wg sync.WaitGroup
-
 	informerFactory := informers.NewSharedInformerFactory(client, 0)
 	podInformer := informerFactory.Core().V1().Pods().Informer()
 	nsInformer := informerFactory.Core().V1().Namespaces().Informer()
@@ -176,10 +173,10 @@ func Run(ctx context.Context, nodeConfig *config.Node) error {
 	hc.SetAlive()
 
 	wg.Add(1)
-	go hc.RunCheck(healthCh, stopCh, &wg)
+	go hc.RunCheck(healthCh, stopCh, wg)
 
 	wg.Add(1)
-	go metricsRunCheck(mc, healthCh, stopCh, &wg)
+	go metricsRunCheck(mc, healthCh, stopCh, wg)
 
 	npc, err := netpol.NewNetworkPolicyController(client, krConfig, podInformer, npInformer, nsInformer, &sync.Mutex{}, nil,
 		iptablesCmdHandlers, ipSetHandlers)
@@ -193,7 +190,7 @@ func Run(ctx context.Context, nodeConfig *config.Node) error {
 
 	wg.Add(1)
 	logrus.Infof("Starting network policy controller version %s, built on %s, %s", version.Version, version.BuildDate, runtime.Version())
-	go npc.Run(healthCh, stopCh, &wg)
+	go npc.Run(healthCh, stopCh, wg)
 
 	return nil
 }

pkg/agent/run.go

@@ -10,6 +10,7 @@ import (
 	goruntime "runtime"
 	"strconv"
 	"strings"
+	"sync"
 	"time"
 
 	systemd "github.com/coreos/go-systemd/v22/daemon"
@@ -32,6 +33,7 @@ import (
 	"github.com/k3s-io/k3s/pkg/nodeconfig"
 	"github.com/k3s-io/k3s/pkg/profile"
 	"github.com/k3s-io/k3s/pkg/rootless"
+	"github.com/k3s-io/k3s/pkg/signals"
 	"github.com/k3s-io/k3s/pkg/spegel"
 	"github.com/k3s-io/k3s/pkg/util"
 	"github.com/k3s-io/k3s/pkg/version"
@@ -147,34 +149,29 @@ func run(ctx context.Context, cfg cmds.Agent, proxy proxy.Proxy) error {
 		}
 	}
 
-	if nodeConfig.Docker {
-		if err := executor.Docker(ctx, nodeConfig); err != nil {
-			return err
-		}
-	} else if nodeConfig.ContainerRuntimeEndpoint == "" {
-		if err := containerd.SetupContainerdConfig(nodeConfig); err != nil {
-			return err
-		}
-		if err := executor.Containerd(ctx, nodeConfig); err != nil {
-			return err
-		}
-	} else {
-		if err := executor.CRI(ctx, nodeConfig); err != nil {
-			return err
-		}
-	}
+	// Create a new context to use for agent components that is cancelled on a
+	// delay after the signal context. This allows other things (like etcd) to
+	// clean up, before agent components exit when their contexts are cancelled.
+	ctx = util.DelayCancel(ctx, util.DefaultContextDelay)
 
 	notifySocket := os.Getenv("NOTIFY_SOCKET")
 	os.Unsetenv("NOTIFY_SOCKET")
 
+	go func() {
+		if err := startCRI(ctx, nodeConfig); err != nil {
+			signals.RequestShutdown(pkgerrors.WithMessage(err, "failed to start container runtime"))
+		}
+	}()
+
 	if err := setupTunnelAndRunAgent(ctx, nodeConfig, cfg, proxy); err != nil {
 		return err
 	}
 
 	go func() {
 		<-executor.APIServerReadyChan()
-		if err := startNetwork(ctx, nodeConfig); err != nil {
-			logrus.Fatalf("Failed to start networking: %v", err)
+		if err := startNetwork(ctx, &sync.WaitGroup{}, nodeConfig); err != nil {
+			signals.RequestShutdown(pkgerrors.WithMessage(err, "failed to start networking"))
+			return
 		}
 
 		// By default, the server is responsible for notifying systemd
@@ -189,9 +186,23 @@ func run(ctx context.Context, cfg cmds.Agent, proxy proxy.Proxy) error {
 	return nil
 }
 
+// startCRI starts the configured CRI, or waits for an external CRI to be ready.
+func startCRI(ctx context.Context, nodeConfig *daemonconfig.Node) error {
+	if nodeConfig.Docker {
+		return executor.Docker(ctx, nodeConfig)
+	} else if nodeConfig.ContainerRuntimeEndpoint == "" {
+		if err := containerd.SetupContainerdConfig(nodeConfig); err != nil {
+			return err
+		}
+		return executor.Containerd(ctx, nodeConfig)
+	} else {
+		return executor.CRI(ctx, nodeConfig)
+	}
+}
+
 // startNetwork updates the network annotations on the node, and starts flannel
 // and the kube-router netpol controller, if enabled.
-func startNetwork(ctx context.Context, nodeConfig *daemonconfig.Node) error {
+func startNetwork(ctx context.Context, wg *sync.WaitGroup, nodeConfig *daemonconfig.Node) error {
 	// Use the kubelet kubeconfig to update annotations on the local node
 	kubeletClient, err := util.GetClientSet(nodeConfig.AgentConfig.KubeConfigKubelet)
 	if err != nil {
@@ -203,13 +214,13 @@ func startNetwork(ctx context.Context, nodeConfig *daemonconfig.Node) error {
 	}
 
 	if !nodeConfig.NoFlannel {
-		if err := flannel.Run(ctx, nodeConfig); err != nil {
+		if err := flannel.Run(ctx, wg, nodeConfig); err != nil {
 			return err
 		}
 	}
 
 	if !nodeConfig.AgentConfig.DisableNPC {
-		if err := netpol.Run(ctx, nodeConfig); err != nil {
+		if err := netpol.Run(ctx, wg, nodeConfig); err != nil {
 			return err
 		}
 	}
@@ -264,7 +275,7 @@ func getConntrackConfig(nodeConfig *daemonconfig.Node) (*kubeproxyconfig.KubePro
 // RunStandalone bootstraps the executor, but does not run the kubelet or containerd.
 // This allows other bits of code that expect the executor to be set up properly to function
 // even when the agent is disabled.
-func RunStandalone(ctx context.Context, cfg cmds.Agent) error {
+func RunStandalone(ctx context.Context, wg *sync.WaitGroup, cfg cmds.Agent) error {
 	proxy, err := createProxyAndValidateToken(ctx, &cfg)
 	if err != nil {
 		return err
@@ -308,7 +319,7 @@ func RunStandalone(ctx context.Context, cfg cmds.Agent) error {
 
 // Run sets up cgroups, configures the LB proxy, and triggers startup
 // of containerd and kubelet.
-func Run(ctx context.Context, cfg cmds.Agent) error {
+func Run(ctx context.Context, wg *sync.WaitGroup, cfg cmds.Agent) error {
 	if err := cgroups.Validate(); err != nil {
 		return err
 	}

pkg/agent/tunnel/tunnel.go

@@ -17,8 +17,10 @@ import (
 	"github.com/k3s-io/k3s/pkg/clientaccess"
 	daemonconfig "github.com/k3s-io/k3s/pkg/daemons/config"
 	"github.com/k3s-io/k3s/pkg/daemons/executor"
+	"github.com/k3s-io/k3s/pkg/signals"
 	"github.com/k3s-io/k3s/pkg/util"
 	"github.com/k3s-io/k3s/pkg/version"
+	pkgerrors "github.com/pkg/errors"
 	"github.com/rancher/remotedialer"
 	"github.com/sirupsen/logrus"
 	"github.com/yl2chen/cidranger"
@@ -117,7 +119,8 @@ func (a *agentTunnel) startWatches(ctx context.Context, config *daemonconfig.Nod
 			Group:     "discovery.k8s.io",
 			Resource:  "endpointslices",
 		}, ""); err != nil {
-			logrus.Fatalf("Tunnel watches failed to wait for RBAC: %v", err)
+			signals.RequestShutdown(pkgerrors.WithMessage(err, "tunnel watches failed to wait for RBAC"))
+			return
 		}
 
 		close(rbacReady)