fix: prune old build containers

Author: eoinsha

src/build-container.ts

@@ -1,10 +1,13 @@
 import { spawnSync } from 'node:child_process';
 
 export const BUILDER_LABEL = 'com.fourtheorem.uv-python-lambda.builder';
+const BUILDER_KEY_LABEL = 'com.fourtheorem.uv-python-lambda.builder-key';
+const BUILDER_PID_LABEL = 'com.fourtheorem.uv-python-lambda.builder-owner-pid';
 
 const managedBuilders = new Map<string, string>();
 
 let cleanupRegistered = false;
+let cleanupInProgress = false;
 
 interface DockerResult {
   readonly stdout: string;
@@ -16,6 +19,7 @@ export interface BuilderContainerOptions {
   readonly name: string;
   readonly args: string[];
   readonly readyLog: string;
+  readonly builderKey?: string;
   readonly timeoutMs?: number;
 }
 
@@ -30,6 +34,9 @@ export function ensureBuilderContainer(
   }
 
   pruneExitedBuilderContainers();
+  if (options.builderKey) {
+    pruneOrphanedBuilderContainers(options.builderKey, options.name);
+  }
   removeContainer(options.name);
 
   const dockerRun = runDockerCommand(options.args);
@@ -57,10 +64,16 @@ export function ensureBuilderContainer(
 }
 
 export function cleanupBuilderContainers() {
+  if (cleanupInProgress) {
+    return;
+  }
+
+  cleanupInProgress = true;
   for (const containerId of managedBuilders.values()) {
     removeContainer(containerId);
   }
   managedBuilders.clear();
+  cleanupInProgress = false;
 }
 
 export function getManagedBuilderContainerNames(): string[] {
@@ -88,6 +101,42 @@ export function pruneExitedBuilderContainers() {
   }
 }
 
+function pruneOrphanedBuilderContainers(builderKey: string, currentName: string) {
+  const matching = runDockerCommand([
+    'ps',
+    '-aq',
+    '--filter',
+    `label=${BUILDER_LABEL}=true`,
+    '--filter',
+    `label=${BUILDER_KEY_LABEL}=${builderKey}`,
+  ]);
+
+  if (matching.status !== 0) {
+    throw new Error(
+      `Failed to list builder containers for ${builderKey}: ${matching.stderr}`,
+    );
+  }
+
+  for (const containerId of matching.stdout.split(/\s+/).filter(Boolean)) {
+    const metadata = inspectBuilderMetadata(containerId);
+    if (!metadata) {
+      continue;
+    }
+
+    if (metadata.name === currentName) {
+      continue;
+    }
+
+    const ownerPid =
+      metadata.ownerPid ?? parsePidFromBuilderName(metadata.name, builderKey);
+    if (ownerPid === undefined || isProcessAlive(ownerPid)) {
+      continue;
+    }
+
+    removeContainer(containerId);
+  }
+}
+
 function waitForContainerReady(
   containerId: string,
   readyLog: string,
@@ -145,6 +194,25 @@ function removeContainer(containerIdOrName: string) {
   runDockerCommand(['rm', '-f', containerIdOrName]);
 }
 
+function inspectBuilderMetadata(containerId: string) {
+  const result = runDockerCommand([
+    'inspect',
+    '--format',
+    `{{.Name}}\n{{index .Config.Labels "${BUILDER_PID_LABEL}"}}`,
+    containerId,
+  ]);
+
+  if (result.status !== 0) {
+    return undefined;
+  }
+
+  const [rawName = '', rawOwnerPid = ''] = result.stdout.split('\n');
+  return {
+    name: rawName.replace(/^\//, '').trim(),
+    ownerPid: parseOptionalPid(rawOwnerPid),
+  };
+}
+
 function runDockerCommand(args: string[]): DockerResult {
   const result = spawnSync('docker', args, {
     encoding: 'utf8',
@@ -164,9 +232,12 @@ function registerCleanupHandlers() {
 
   cleanupRegistered = true;
 
-  process.on('exit', cleanupBuilderContainers);
-  for (const signal of ['SIGINT', 'SIGTERM'] as const) {
-    process.on(signal, () => {
+  for (const event of ['beforeExit', 'exit'] as const) {
+    process.once(event, cleanupBuilderContainers);
+  }
+
+  for (const signal of ['SIGINT', 'SIGTERM', 'SIGHUP'] as const) {
+    process.once(signal, () => {
       cleanupBuilderContainers();
       process.exit(1);
     });
@@ -176,3 +247,35 @@ function registerCleanupHandlers() {
 function sleep(ms: number) {
   Atomics.wait(new Int32Array(new SharedArrayBuffer(4)), 0, 0, ms);
 }
+
+function parseOptionalPid(value: string) {
+  const parsed = Number.parseInt(value.trim(), 10);
+  return Number.isInteger(parsed) && parsed > 0 ? parsed : undefined;
+}
+
+function parsePidFromBuilderName(name: string, builderKey: string) {
+  const prefix = `${builderKey}-`;
+  if (!name.startsWith(prefix)) {
+    return undefined;
+  }
+
+  return parseOptionalPid(name.slice(prefix.length));
+}
+
+function isProcessAlive(pid: number) {
+  try {
+    process.kill(pid, 0);
+    return true;
+  } catch (error) {
+    if (
+      typeof error === 'object' &&
+      error !== null &&
+      'code' in error &&
+      error.code === 'EPERM'
+    ) {
+      return true;
+    }
+
+    return false;
+  }
+}

src/bundling.ts

@@ -37,6 +37,8 @@ export const DEFAULT_UV_VERSION = '0.5.27';
 const BUILDER_TOOL_DIR = '/opt/uv-python-lambda';
 const BUILDER_READY_LOG = 'Builder container is ready and waiting';
 const BUILDER_NOFILE_LIMIT = '1048576:1048576';
+const BUILDER_OWNER_PID_LABEL =
+  'com.fourtheorem.uv-python-lambda.builder-owner-pid';
 
 export interface BundlingProps extends BundlingOptions {
   /**
@@ -191,6 +193,8 @@ export class Bundling {
       `${BUILDER_LABEL}=true`,
       '--label',
       `com.fourtheorem.uv-python-lambda.builder-key=${this.containerBuilderKey}`,
+      '--label',
+      `${BUILDER_OWNER_PID_LABEL}=${process.pid}`,
       '--name',
       this.containerBuilderName,
     ];
@@ -232,6 +236,7 @@ export class Bundling {
     );
 
     ensureBuilderContainer({
+      builderKey: this.containerBuilderKey,
       name: this.containerBuilderName,
       args: dockerArgs,
       readyLog: BUILDER_READY_LOG,

test/build-container.test.ts

@@ -122,6 +122,118 @@ describe('build-container', () => {
     );
   });
 
+  test('removes stale running builders for the same key when the owner pid is gone', () => {
+    const spawnSyncMock = jest
+      .fn()
+      .mockReturnValueOnce(dockerResult())
+      .mockReturnValueOnce(dockerResult({ stdout: 'stale-container\n' }))
+      .mockReturnValueOnce(dockerResult({ stdout: '/builder-key-123\n123\n' }))
+      .mockReturnValueOnce(dockerResult())
+      .mockReturnValueOnce(dockerResult())
+      .mockReturnValueOnce(dockerResult({ stdout: 'container-id\n' }))
+      .mockReturnValueOnce(dockerResult({ stdout: 'running' }))
+      .mockReturnValueOnce(dockerResult({ stdout: 'ready' }));
+    const processKillSpy = jest
+      .spyOn(process, 'kill')
+      .mockImplementation(((_pid: number, _signal?: number | NodeJS.Signals) => {
+        const error = new Error('missing process') as NodeJS.ErrnoException;
+        error.code = 'ESRCH';
+        throw error;
+      }) as typeof process.kill);
+
+    const buildContainer = loadBuildContainerModule(spawnSyncMock);
+
+    buildContainer.ensureBuilderContainer({
+      name: 'builder-key-999',
+      builderKey: 'builder-key',
+      args: ['run', 'image'],
+      readyLog: 'ready',
+    });
+
+    expect(processKillSpy).toHaveBeenCalledWith(123, 0);
+    expect(spawnSyncMock).toHaveBeenCalledWith(
+      'docker',
+      ['rm', '-f', 'stale-container'],
+      { encoding: 'utf8' },
+    );
+
+    processKillSpy.mockRestore();
+  });
+
+  test('keeps running builders for the same key when the owner pid is still alive', () => {
+    const spawnSyncMock = jest
+      .fn()
+      .mockReturnValueOnce(dockerResult())
+      .mockReturnValueOnce(dockerResult({ stdout: 'live-container\n' }))
+      .mockReturnValueOnce(dockerResult({ stdout: '/builder-key-456\n456\n' }))
+      .mockReturnValueOnce(dockerResult())
+      .mockReturnValueOnce(dockerResult({ stdout: 'container-id\n' }))
+      .mockReturnValueOnce(dockerResult({ stdout: 'running' }))
+      .mockReturnValueOnce(dockerResult({ stdout: 'ready' }));
+    const processKillSpy = jest
+      .spyOn(process, 'kill')
+      .mockImplementation(
+        ((_pid: number, _signal?: number | NodeJS.Signals) =>
+          true) as typeof process.kill,
+      );
+
+    const buildContainer = loadBuildContainerModule(spawnSyncMock);
+
+    buildContainer.ensureBuilderContainer({
+      name: 'builder-key-999',
+      builderKey: 'builder-key',
+      args: ['run', 'image'],
+      readyLog: 'ready',
+    });
+
+    expect(processKillSpy).toHaveBeenCalledWith(456, 0);
+    expect(spawnSyncMock).not.toHaveBeenCalledWith(
+      'docker',
+      ['rm', '-f', 'live-container'],
+      { encoding: 'utf8' },
+    );
+
+    processKillSpy.mockRestore();
+  });
+
+  test('falls back to the builder name pid when older containers lack an owner label', () => {
+    const spawnSyncMock = jest
+      .fn()
+      .mockReturnValueOnce(dockerResult())
+      .mockReturnValueOnce(dockerResult({ stdout: 'stale-container\n' }))
+      .mockReturnValueOnce(dockerResult({ stdout: '/builder-key-123\n\n' }))
+      .mockReturnValueOnce(dockerResult())
+      .mockReturnValueOnce(dockerResult())
+      .mockReturnValueOnce(dockerResult({ stdout: 'container-id\n' }))
+      .mockReturnValueOnce(dockerResult({ stdout: 'running' }))
+      .mockReturnValueOnce(dockerResult({ stdout: 'ready' }));
+    const processKillSpy = jest
+      .spyOn(process, 'kill')
+      .mockImplementation(((_pid: number, _signal?: number | NodeJS.Signals) => {
+        const error = new Error('missing process') as NodeJS.ErrnoException;
+        error.code = 'ESRCH';
+        throw error;
+      }) as typeof process.kill);
+
+    const buildContainer = loadBuildContainerModule(spawnSyncMock);
+
+    buildContainer.ensureBuilderContainer({
+      name: 'builder-key-999',
+      builderKey: 'builder-key',
+      args: ['run', 'image'],
+      readyLog: 'ready',
+    });
+
+    expect(processKillSpy).toHaveBeenCalledWith(123, 0);
+    expect(spawnSyncMock).toHaveBeenCalledWith(
+      'docker',
+      ['rm', '-f', 'stale-container'],
+      { encoding: 'utf8' },
+    );
+
+    processKillSpy.mockRestore();
+  });
+
   test('times out when the builder never becomes ready', () => {
     const spawnSyncMock = jest
       .fn()
@@ -190,6 +302,8 @@ describe('build-container', () => {
       readyLog: 'ready',
     });
 
+    expect(listeners.has('beforeExit')).toBe(true);
+    expect(listeners.has('exit')).toBe(true);
     listeners.get('SIGINT')?.();
 
     expect(buildContainer.getManagedBuilderContainerNames()).toHaveLength(0);

test/bundling.test.ts

@@ -374,7 +374,12 @@ describe('Bundling', () => {
     expect(fromBuildSpy).toHaveBeenCalled();
     expect(ensureBuilderContainerMock).toHaveBeenCalledWith(
       expect.objectContaining({
+        builderKey: expect.stringMatching(/^uv-bundling-/),
         args: expect.arrayContaining([
+          '--label',
+          expect.stringMatching(
+            /^com\.fourtheorem\.uv-python-lambda\.builder-owner-pid=\d+$/,
+          ),
           '--user',
           getExpectedDockerUserArg(),
           'mock-image',
@@ -412,6 +417,7 @@ describe('Bundling', () => {
 
     expect(ensureBuilderContainerMock).toHaveBeenCalledWith(
       expect.objectContaining({
+        builderKey: expect.stringMatching(/^uv-bundling-/),
         args: expect.arrayContaining([
           '--network',
           'test-network',
@@ -421,6 +427,10 @@ describe('Bundling', () => {
           '/tmp/cache:/cache',
           '--volumes-from',
           'shared-container',
+          '--label',
+          expect.stringMatching(
+            /^com\.fourtheorem\.uv-python-lambda\.builder-owner-pid=\d+$/,
+          ),
           'mock-image',
         ]),
       }),