feat (postStart) : Allow debugging poststart failures with sleep by trapping errors

[rohanKanojia]

What does this PR do?

In #425 controller.devfile.io/debug-start annotation was added to aid in debugging failed devworkspaces: Debugging a failing workspace

We extend the use case of this annotation so that any failure in a postStart command results in the container sleeping for a specified number of seconds, as per the configured progressTimeout, allowing developers time to inspect the container state.

• Added enableDebugStart parameter to poststart methods.
• Injects trap ... sleep into postStart scripts when debug mode is enabled.
• Includes support for both timeout-wrapped (postStartTimeout) and non-timeout lifecycle scripts.

This feature improves the debuggability of DevWorkspaces where postStart hooks fail and would otherwise cause container crashes/restarts.

What issues does this PR fix or reference?

eclipse-che/che#23404

Is it tested? How?

With Changes

1. Checkout code changes added in this PR
2. Deploy DevWorkspace Operator Kubernetes/OpenShift cluster make docker && make install
3. Create DevWorkspace that has a failing poststart command

oc apply -f - <<EOF
apiVersion: workspace.devfile.io/v1alpha2
kind: DevWorkspace
metadata:
  name: failing-poststart-debug-dw
  annotations:
    controller.devfile.io/debug-start: "true"
spec:
  started: true
  template:
    components:
      - name: tools
        container:
          image: quay.io/wto/web-terminal-tooling:next
          sourceMapping: /projects
          command: [ "tail" ]
          args: [ "-f", "/dev/null" ]
    commands:
      - id: failing-command
        exec:
          commandLine: ls idontexist
          component: tools
    events:
      postStart:
        - failing-command
EOF

4. After creating the DevWorkspace, observe its pod status. It should stay in ContainerCreating phase

oc get dw                                                                           
NAME                         DEVWORKSPACE ID             PHASE      INFO
failing-poststart-debug-dw   workspace55bf350cfb754260   Starting   Waiting for workspace deployment
oc get pods                                                                          
NAME                                         READY   STATUS              RESTARTS   AGE
workspace55bf350cfb754260-54749bf7c5-288vt   0/1     ContainerCreating   0          10s

5. You should be able to exec into the pod and see /tmp/poststart-stderr.txt to see root cause of failure:

oc get pods                                                                         
NAME                                         READY   STATUS              RESTARTS   AGE
workspace55bf350cfb754260-54749bf7c5-288vt   0/1     ContainerCreating   0          14s
kubectl exec -it workspace55bf350cfb754260-54749bf7c5-288vt -- /bin/bash            
bash-4.4$ cat /tmp/poststart-stderr.txt 
ls: cannot access 'idontexist': No such file or directory

6. Verify the sleep process is active in the container:

ps -ax | grep sleep
      2 ?        Ss     0:00 /bin/sh -c { cat << 'EOF' > /tmp/poststart.sh #!/bin/sh set -e trap 'echo "[postStart] failure encountered, sleep for debugging"; sleep 3600' ERR ls idontexist EOF chmod +x /tmp/poststart.sh /tmp/poststart.sh  } 1>/tmp/poststart-stdout.txt 2>/tmp/poststart-stderr.txt 
      7 ?        S      0:00 /usr/bin/coreutils --coreutils-prog-shebang=sleep /usr/bin/sleep 3600
     19 pts/0    S+     0:00 grep sleep

With PostStartTimeout Enabled

PostStart commands are processed slightly differently when postStartTimeout field is enabled in DevWorkspaceOperatorConfig. You can verify the above flow after enabling it:

oc patch devworkspaceoperatorconfig devworkspace-operator-config -n openshift-operators --type=merge -p '{"config": {"workspace": {"postStartTimeout": "5m"}}}'

## Repeat steps 3-6

Without Changes

With the current changes in the main, when we create a DevWorkspace with a failing post-start event. The pod immediately goes into PostStartHookFailed error and then CrashLoopbackOff error. It doesn't allow execution into it to view failure:

# Create DevWorkspace with failing poststart
oc apply -f - <<EOF
apiVersion: workspace.devfile.io/v1alpha2
kind: DevWorkspace
metadata:
  name: failing-poststart-debug-dw
  annotations:
    controller.devfile.io/debug-start: "true"
spec:
  started: true
  template:
    components:
      - name: tools
        container:
          image: quay.io/wto/web-terminal-tooling:next
          sourceMapping: /projects
          command: [ "tail" ]
          args: [ "-f", "/dev/null" ]
    commands:
      - id: failing-command
        exec:
          commandLine: ls idontexist
          component: tools
    events:
      postStart:
        - failing-command
EOF

oc get dw                                                                            
NAME                         DEVWORKSPACE ID             PHASE     INFO
failing-poststart-debug-dw   workspace7ad9a94285b94f7c   Failing   Error creating DevWorkspace deployment: Container tools has state [postStart hook] Commands failed (Kubelet reported exit code 2)

oc get pods                                                                          
NAME                                         READY   STATUS             RESTARTS      AGE
workspace7ad9a94285b94f7c-579896cc48-wmtrj   0/1     CrashLoopBackOff   1 (20s ago)   50s
kubectl exec -it workspace7ad9a94285b94f7c-579896cc48-wmtrj -- /bin/bash             
error: unable to upgrade connection: container not found ("tools")

PR Checklist

• E2E tests pass (when PR is ready, comment /test v8-devworkspace-operator-e2e, v8-che-happy-path to trigger)
  • v8-devworkspace-operator-e2e: DevWorkspace e2e test
  • v8-che-happy-path: Happy path for verification integration with Che

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: rohanKanojia
Once this PR has been reviewed and has the lgtm label, please assign dkwon17 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[rohanKanojia]

/ok-to-test

[rohanKanojia]

/ok-to-test

[rohanKanojia]

/ok-to-test

[rohanKanojia]

/ok-to-test

[rohanKanojia]

/ok-to-test

[rohanKanojia]

/ok-to-test

[rohanKanojia]

/ok-to-test

[tolusha]

For some reasons my workspace is running (tested on OpenShift)

oc get dw    -A
NAMESPACE   NAME                         DEVWORKSPACE ID             PHASE     INFO
test        failing-poststart-debug-dw   workspaced0882b8ed1fc4c69   Running   Workspace is running

[tolusha]

To be honest I don't like using ProgressTimeout for this purpose.
But on the other hand I don't have another solution but some constant

[rohanKanojia]

Actually, I use ProgressTimeout to be consistent with the behavior of the Debug annotation when it fails for the main component.

We do not scale down the failing workspace until the failing timeout is satisfied:

devworkspace-operator/controllers/workspace/devworkspace_controller.go

Lines 170 to 173 in b61eaed

	// If debug annotation is present, leave the deployment in place to let users
	// view logs.
	if workspace.Annotations[constants.DevWorkspaceDebugStartAnnotation] == "true" {
	if isTimeout, err := checkForFailingTimeout(workspace); err != nil {

Inside the checkForFailingTimeout, we're parsing ProgressTimeout:

devworkspace-operator/controllers/workspace/status.go

Line 317 in b61eaed

timeout, err := time.ParseDuration(workspace.Config.Workspace.ProgressTimeout)

[tolusha]

@rohanKanojia
Were you able to test this snippet?
I am not sure if chmod +x will work

[rohanKanojia]

I really apologize for my mistake 🙏 . This seems to be a leftover from previous attempts.

I'll remove it.

[rohanKanojia]

For some reasons my workspace is running (tested on OpenShift)

@tolusha : Could you please share which OCP version you were using? I have tested it on CRC 2.53.0 with OpenShift 4.19.3.

[rohanKanojia]

@tolusha : I've created these videos based on OpenShift 4.20 via clusterbot

Scenario 1 : No Poststart Timeout Configured

dwo-debug-poststart-normal-scenario.mp4

Scenario 2: PostStart Timeout Configured

dwo-debug-poststart-poststart-timeout-configured.mp4

[tolusha]

There is a corner case.
When trap already exists, then added one is ignored.
I think we can keep as is.

[dkwon17]

Could we also log the error in this case?

log.Log.Error(err, ...

[rohanKanojia]

Thanks, I’ve added the log statement as you advised.

[dkwon17]

oc get dw                                                                           
NAME                         DEVWORKSPACE ID             PHASE      INFO
failing-poststart-debug-dw   workspace55bf350cfb754260   Starting   Waiting for workspace deployment

@rohanKanojia it would be great if the INFO can state something similar to Post start hook failed, sleeping for <progressTimeout> to let the user know that the failure has been detected, but I think this is a bit difficult to detect, WDYT?

[rohanKanojia]

@dkwon17 : You're right about this. It would definitely improve user experience if DevWorkspace INFO field indicated that postStart hook failed and the container is sleeping for debugging.

However, as you mentioned, detecting this specific state from DevWorkspace Controller may be tricky since the DevWorkspace Controller doesn't have direct visibility into the postStart execution inside the container.

During the PostStart hook execution, we inject a sleep between the following DevWorkspace states:

(Starting) ---> (if postStart hook failed, inject sleep) ---> (Failed)

When the postStart hook fails, the container enters a sleep state before transitioning to Failed. During this period, the DevWorkspace does not re-enter the reconciliation loop until the sleep duration completes.

I haven't dig deep into it but here are some ways we might be able to handle this:

Option 1 : Patch DevWorkspace from within the pod via curl:

It might also be technically possible for the workspace pod to curl the Kubernetes API directly and patch its own DevWorkspace resource to signal this failure state. However, it depends on how the workspace's ServiceAccount is configured.

⚠️ I'm not sure standard DevWorkspaces would have the necessary RBAC permissions to patch or update their own DevWorkspace resource.

Option 2 : Surface failure via inspecting container state

It might be possible to add logic in controller to periodically check DevWorkspaces with debug-start annotation

• For each workspace with annotation, the controller would inspect associated pod.
• if exec is available and a sleep process injected by postStart hook is detected, the controller can immediately update workspace status to indicate that the postStart hook failed and container is sleeping for debugging.

[dkwon17]

Suggested change

	func processCommandsWithoutTimeoutFallback(postStartDebugTrapSleepDuration string, commands []dw.Command) (*corev1.LifecycleHandler, error) {
	func processCommandsWithoutTimeoutFallback(commands []dw.Command, postStartDebugTrapSleepDuration string) (*corev1.LifecycleHandler, error) {

Nitpick, but could we have the new parameter at the end?

[dkwon17]

Suggested change

	func generateScriptWithTimeout(postStartDebugTrapSleepDuration string, escapedUserScript string, postStartTimeout string) string {
	func generateScriptWithTimeout(escapedUserScript string, postStartTimeout string, postStartDebugTrapSleepDuration string) string {

[dkwon17]

What is the purpose of the set -e here?

[rohanKanojia]

set -e makes the script exit immediately if any command fails, so the poststart hook stops on errors instead of continuing silently. This ensures failures are caught and trigger the debug trap properly. I had added it as a safeguard to make sure postStart script fails fast.

I checked if we can remove set -e and tested with this DevWorkspace:

apiVersion: workspace.devfile.io/v1alpha2
kind: DevWorkspace
metadata:
  name: dig-fail-debug
  annotations:
    controller.devfile.io/debug-start: "true"
spec:
  started: true
  template:
    components:
      - name: tools
        container:
          image: quay.io/devfile/universal-developer-image:ubi9-latest
          mountSources: false
          command: ["tail"]
          args: ["-f", "/dev/null"]
    commands:
      - id: poststart-wrapper
        exec:
          component: tools
          commandLine: |
            echo "Start"
            wget 'https://wrongexample.com'  # should fail 
            echo "After failure"
    events:
      postStart:
        - poststart-wrapper

When I tested with a version that had set -e removed, I observed that the echo "After failure" command ran after trap sleep, and Kubernetes treated the hook as successful even though wget failed.

$ oc get pods
NAME                                         READY   STATUS    RESTARTS   AGE
workspacef6c14b383c1240e6-7f98c9ffb7-t6m6g   1/1     Running   0          7m54s
$ kubectl exec -it pod/workspacef6c14b383c1240e6-7f98c9ffb7-t6m6g -- /bin/bash
projects $ cat /tmp/poststart-stderr.txt
--2025-11-05 09:53:47--  https://wrongexample.com/
Resolving wrongexample.com (wrongexample.com)... 172.67.177.31, 104.21.83.138, 2606:4700:3033::6815:538a, ...
Connecting to wrongexample.com (wrongexample.com)|172.67.177.31|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
index.html: Permission denied

Cannot write to 'index.html' (No such file or directory).
projects $ cat /tmp/poststart-stdout.txt
Start
[postStart] failure encountered, sleep for debugging
After failure
projects $ exit
exit

When I tested with set -e , the pod transitioned to PostStartHookError error after debug trap sleep:

oc get pods
NAME                                         READY   STATUS               RESTARTS   AGE
workspace50b3197366ca4c18-84cfdf596c-8rfz5   0/1     PostStartHookError   0          7m43s

[rohanKanojia]

@dkwon17 : I got some suggestions from Anatolii that instead of using tricky/brittle approach, we can slightly change the message when debug-start annotation is enabled.

With new changes, a devworkspace created wth debug-start annotation would have status like this:

NAMESPACE             NAME                    DEVWORKSPACE ID             PHASE      INFO
openshift-operators   failing-post-start-ws   workspace6734b18d651d486d   Starting   Debug mode: failed postStart commands will be trapped; inspect logs/exec to debug

[openshift-ci]

@rohanKanojia: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/v14-devworkspace-operator-e2e	3a96b2b	link	true	/test v14-devworkspace-operator-e2e

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.