Fix "build already running" stuck state on prod

The admin UI's Run Build Now always failed on prod because the handler
passed a locked flock fd to the child pipeline process via ExtraFiles.
Parent and child shared the same open file description, so if the child
became orphaned (e.g. server restart mid-build), the lock was held
indefinitely — even across server restarts.

Replace the fd-passing design with a DB-based build slot:
- Handler atomically INSERTs a "running" row (with server PID as
  placeholder) before starting the child, using INSERT...WHERE NOT
  EXISTS to serialize concurrent requests
- Child pipeline claims the row via UPDATE with its own PID and
  validates it exists via RowsAffected
- Reaper goroutine marks the row "failed" if the child exits before
  recording its own outcome, preventing stuck rows
- Stale cleanup cancels "running" rows whose PID is dead (ESRCH)
- Child keeps its own independent flock for CLI-level protection
- Remove PIPELINE_LOCK_FD inheritance mechanism and related tests

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: retlehs

cmd/wpcomposer/cmd/pipeline.go

@@ -7,7 +7,6 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
-	"strconv"
 	"syscall"
 	"time"
 
@@ -26,41 +25,8 @@ func acquirePipelineLock() error {
 	return acquireLock(pipelineLockPath)
 }
 
-// acquireLock acquires an exclusive file lock at lockPath. If PIPELINE_LOCK_FD is
-// set, the lock is expected to have been inherited from the parent process via fd
-// passing; the inherited fd is validated for both inode identity and lock ownership.
+// acquireLock acquires an exclusive file lock at lockPath.
 func acquireLock(lockPath string) error {
-	if v := os.Getenv("PIPELINE_LOCK_FD"); v != "" {
-		fd, err := strconv.Atoi(v)
-		if err != nil {
-			return fmt.Errorf("invalid PIPELINE_LOCK_FD: %w", err)
-		}
-		pipelineLockFile = os.NewFile(uintptr(fd), lockPath)
-		if pipelineLockFile == nil {
-			return fmt.Errorf("PIPELINE_LOCK_FD=%d: invalid file descriptor", fd)
-		}
-
-		// Verify the inherited fd points to the actual lock file (inode match).
-		var fdStat, pathStat syscall.Stat_t
-		if err := syscall.Fstat(fd, &fdStat); err != nil {
-			return fmt.Errorf("PIPELINE_LOCK_FD=%d: fstat failed: %w", fd, err)
-		}
-		if err := syscall.Stat(lockPath, &pathStat); err != nil {
-			return fmt.Errorf("pipeline lock stat: %w", err)
-		}
-		if fdStat.Dev != pathStat.Dev || fdStat.Ino != pathStat.Ino {
-			return fmt.Errorf("PIPELINE_LOCK_FD=%d does not refer to %s", fd, lockPath)
-		}
-
-		// Verify this fd actually holds the lock. Re-locking our own fd is a
-		// no-op in flock, so LOCK_EX|LOCK_NB succeeds if we hold it, and fails
-		// with EWOULDBLOCK if a different open file description holds it.
-		if err := syscall.Flock(fd, syscall.LOCK_EX|syscall.LOCK_NB); err != nil {
-			return fmt.Errorf("PIPELINE_LOCK_FD=%d does not hold the pipeline lock", fd)
-		}
-		return nil
-	}
-
 	f, err := os.OpenFile(lockPath, os.O_CREATE|os.O_RDWR, 0644)
 	if err != nil {
 		return fmt.Errorf("pipeline lock: %w", err)
@@ -85,38 +51,53 @@ var pipelineBuildID string
 
 func runPipeline(cmd *cobra.Command, args []string) error {
 	// Acquire a system-wide file lock so only one pipeline runs at a time.
-	// When triggered from the admin UI, the parent process passes the already-locked
-	// fd via PIPELINE_LOCK_FD so the lock transfers atomically with no TOCTOU gap.
 	if err := acquirePipelineLock(); err != nil {
 		return err
 	}
 
 	skipDiscover, _ := cmd.Flags().GetBool("skip-discover")
 	skipDeploy, _ := cmd.Flags().GetBool("skip-deploy")
 	discoverSource, _ := cmd.Flags().GetString("discover-source")
+	buildIDFlag, _ := cmd.Flags().GetString("build-id")
 
 	ctx := cmd.Context()
 	started := time.Now().UTC()
 
 	// Mark any stale "running" builds (dead PID) as cancelled.
 	markStaleBuildsCancelled(ctx, application.DB)
 
-	// Record this build as "running" before doing any work.
-	buildID := started.Format("20060102-150405")
+	// When triggered from the admin UI, a "running" row already exists —
+	// claim it by updating the PID to our own and verify it exists. When
+	// invoked from the CLI, insert a new row.
+	var buildID string
+	if buildIDFlag != "" {
+		buildID = buildIDFlag
+		res, err := application.DB.ExecContext(ctx, `
+			UPDATE builds SET pid = ? WHERE id = ? AND status = 'running'`,
+			os.Getpid(), buildID)
+		if err != nil {
+			return fmt.Errorf("claiming build %s: %w", buildID, err)
+		}
+		if n, _ := res.RowsAffected(); n == 0 {
+			return fmt.Errorf("build %s not found or not in running state", buildID)
+		}
+	} else {
+		buildID = started.Format("20060102-150405")
+		_, err := application.DB.ExecContext(ctx, `
+			INSERT INTO builds (id, started_at, status, pid,
+				packages_total, packages_changed, packages_skipped,
+				provider_groups, artifact_count, root_hash, manifest_json)
+			VALUES (?, ?, 'running', ?, 0, 0, 0, 0, 0, '', '{}')`,
+			buildID,
+			started.Format(time.RFC3339),
+			os.Getpid(),
+		)
+		if err != nil {
+			return fmt.Errorf("recording running build: %w", err)
+		}
+	}
 	pipelineBuildID = buildID
 	defer func() { pipelineBuildID = "" }()
-	_, err := application.DB.ExecContext(ctx, `
-		INSERT INTO builds (id, started_at, status, pid,
-			packages_total, packages_changed, packages_skipped,
-			provider_groups, artifact_count, root_hash, manifest_json)
-		VALUES (?, ?, 'running', ?, 0, 0, 0, 0, 0, '', '{}')`,
-		buildID,
-		started.Format(time.RFC3339),
-		os.Getpid(),
-	)
-	if err != nil {
-		return fmt.Errorf("recording running build: %w", err)
-	}
 
 	if err := executePipelineSteps(cmd, ctx, skipDiscover, skipDeploy, discoverSource); err != nil {
 		recordFailedBuild(cmd, started, err)
@@ -222,7 +203,8 @@ func recordFailedBuild(cmd *cobra.Command, started time.Time, pipelineErr error)
 // markStaleBuildsCancelled finds builds with status "running" whose PID is no
 // longer alive and marks them as "cancelled".
 func markStaleBuildsCancelled(ctx context.Context, db *sql.DB) {
-	rows, err := db.QueryContext(ctx, `SELECT id, pid FROM builds WHERE status = 'running' AND pid IS NOT NULL`)
+	rows, err := db.QueryContext(ctx,
+		`SELECT id, pid FROM builds WHERE status = 'running' AND pid IS NOT NULL`)
 	if err != nil {
 		return
 	}
@@ -259,5 +241,6 @@ func init() {
 	pipelineCmd.Flags().String("discover-source", "config", "discovery source (config or svn)")
 	pipelineCmd.Flags().Bool("skip-discover", false, "skip the discover step")
 	pipelineCmd.Flags().Bool("skip-deploy", false, "skip the deploy step")
+	pipelineCmd.Flags().String("build-id", "", "pre-allocated build ID (set by admin UI trigger)")
 	rootCmd.AddCommand(pipelineCmd)
 }

cmd/wpcomposer/cmd/pipeline_lock_test.go

@@ -1,7 +1,6 @@
 package cmd
 
 import (
-	"fmt"
 	"os"
 	"path/filepath"
 	"syscall"
@@ -14,7 +13,6 @@ func resetLockState() {
 		_ = pipelineLockFile.Close()
 		pipelineLockFile = nil
 	}
-	_ = os.Unsetenv("PIPELINE_LOCK_FD")
 }
 
 func TestAcquireLock_BlocksSecondCaller(t *testing.T) {
@@ -41,85 +39,17 @@ func TestAcquireLock_BlocksSecondCaller(t *testing.T) {
 	}
 }
 
-func TestAcquireLock_InheritedFD_Valid(t *testing.T) {
+func TestAcquireLock_SucceedsWhenFree(t *testing.T) {
 	t.Cleanup(resetLockState)
 
 	lockPath := filepath.Join(t.TempDir(), "pipeline.lock")
 
-	// Simulate parent: open and lock the file.
-	f, err := os.OpenFile(lockPath, os.O_CREATE|os.O_RDWR, 0644)
-	if err != nil {
-		t.Fatal(err)
-	}
-	t.Cleanup(func() {
-		_ = syscall.Flock(int(f.Fd()), syscall.LOCK_UN)
-		_ = f.Close()
-	})
-	if err := syscall.Flock(int(f.Fd()), syscall.LOCK_EX|syscall.LOCK_NB); err != nil {
-		t.Fatalf("flock failed: %v", err)
-	}
-
-	t.Setenv("PIPELINE_LOCK_FD", fmt.Sprintf("%d", f.Fd()))
-	if err := acquireLock(lockPath); err != nil {
-		t.Fatalf("inherited fd should be accepted: %v", err)
-	}
-}
-
-func TestAcquireLock_InheritedFD_WrongFile(t *testing.T) {
-	t.Cleanup(resetLockState)
-
-	dir := t.TempDir()
-	lockPath := filepath.Join(dir, "pipeline.lock")
-
-	// Create the lock file so stat succeeds.
+	// Pre-create the file (simulates previous run).
 	if err := os.WriteFile(lockPath, nil, 0644); err != nil {
 		t.Fatal(err)
 	}
 
-	// Open a different file and lock it.
-	other, err := os.CreateTemp(dir, "other")
-	if err != nil {
-		t.Fatal(err)
-	}
-	t.Cleanup(func() { _ = other.Close() })
-	_ = syscall.Flock(int(other.Fd()), syscall.LOCK_EX|syscall.LOCK_NB)
-
-	t.Setenv("PIPELINE_LOCK_FD", fmt.Sprintf("%d", other.Fd()))
-	err = acquireLock(lockPath)
-	if err == nil {
-		t.Fatal("expected rejection for fd pointing to wrong file")
-	}
-}
-
-func TestAcquireLock_InheritedFD_NotLocked(t *testing.T) {
-	t.Cleanup(resetLockState)
-
-	lockPath := filepath.Join(t.TempDir(), "pipeline.lock")
-
-	// Open the correct file but don't lock it.
-	f, err := os.OpenFile(lockPath, os.O_CREATE|os.O_RDWR, 0644)
-	if err != nil {
-		t.Fatal(err)
-	}
-	t.Cleanup(func() { _ = f.Close() })
-
-	// Hold the lock from a *different* fd to simulate a real pipeline running.
-	holder, err := os.OpenFile(lockPath, os.O_CREATE|os.O_RDWR, 0644)
-	if err != nil {
-		t.Fatal(err)
-	}
-	t.Cleanup(func() {
-		_ = syscall.Flock(int(holder.Fd()), syscall.LOCK_UN)
-		_ = holder.Close()
-	})
-	if err := syscall.Flock(int(holder.Fd()), syscall.LOCK_EX|syscall.LOCK_NB); err != nil {
-		t.Fatalf("flock failed: %v", err)
-	}
-
-	// f points to the right file but doesn't hold the lock — should be rejected.
-	t.Setenv("PIPELINE_LOCK_FD", fmt.Sprintf("%d", f.Fd()))
-	err = acquireLock(lockPath)
-	if err == nil {
-		t.Fatal("expected rejection for fd that doesn't hold the lock")
+	if err := acquireLock(lockPath); err != nil {
+		t.Fatalf("lock acquisition should succeed on free file: %v", err)
 	}
 }

internal/http/handlers.go

@@ -7,7 +7,9 @@ import (
 	"database/sql"
 	"encoding/hex"
 	"encoding/json"
+	"errors"
 	"fmt"
+	"log/slog"
 	"net/http"
 	"os"
 	"os/exec"
@@ -371,8 +373,6 @@ func handleAdminBuilds(a *app.App, tmpl *templateSet) http.HandlerFunc {
 	}
 }
 
-const pipelineLockPath = "storage/pipeline.lock"
-
 func handleTriggerBuild(a *app.App) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		self, err := os.Executable()
@@ -382,35 +382,73 @@ func handleTriggerBuild(a *app.App) http.HandlerFunc {
 			return
 		}
 
-		// Acquire the lock before spawning so we know the status is accurate.
-		lockFile, err := os.OpenFile(pipelineLockPath, os.O_CREATE|os.O_RDWR, 0644)
+		// Clean up stale "running" rows (dead PID) before checking.
+		markStaleBuildsCancelled(r.Context(), a.DB, a.Logger)
+
+		// Atomically claim a build slot before starting the child. The row
+		// is inserted with the server's own PID so that stale cleanup
+		// (which checks PID liveness) cannot cancel it while we start the
+		// child. The child will UPDATE the PID to its own once it begins.
+		buildID := time.Now().UTC().Format("20060102-150405")
+		res, err := a.DB.ExecContext(r.Context(), `
+			INSERT INTO builds (id, started_at, status, pid,
+				packages_total, packages_changed, packages_skipped,
+				provider_groups, artifact_count, root_hash, manifest_json)
+			SELECT ?, ?, 'running', ?, 0, 0, 0, 0, 0, '', '{}'
+			WHERE NOT EXISTS (
+				SELECT 1 FROM builds WHERE status = 'running'
+			)`,
+			buildID,
+			time.Now().UTC().Format(time.RFC3339),
+			os.Getpid(),
+		)
 		if err != nil {
-			a.Logger.Error("failed to open pipeline lock", "error", err)
+			a.Logger.Error("failed to claim build slot", "error", err)
 			http.Redirect(w, r, "/admin/builds?error=internal+error", http.StatusSeeOther)
 			return
 		}
-		if err := syscall.Flock(int(lockFile.Fd()), syscall.LOCK_EX|syscall.LOCK_NB); err != nil {
-			_ = lockFile.Close()
+		n, _ := res.RowsAffected()
+		if n == 0 {
 			http.Redirect(w, r, "/admin/builds?error=build+already+running", http.StatusSeeOther)
 			return
 		}
 
-		// Pass the locked fd to the child via ExtraFiles (fd 3) so the lock
-		// transfers atomically. The child detects PIPELINE_LOCK_FD and skips
-		// its own acquisition.
+		// Slot claimed — start the child. On failure, mark the row
+		// failed so the slot is freed.
+		cmd := exec.Command(self, "pipeline", "--build-id", buildID)
+		cmd.Stdout = os.Stdout
+		cmd.Stderr = os.Stderr
+		if err := cmd.Start(); err != nil {
+			a.Logger.Error("failed to start pipeline", "error", err)
+			_, _ = a.DB.ExecContext(r.Context(), `
+				UPDATE builds SET status = 'failed', finished_at = ?,
+					error_message = ? WHERE id = ?`,
+				time.Now().UTC().Format(time.RFC3339),
+				"failed to start: "+err.Error(), buildID)
+			http.Redirect(w, r, "/admin/builds?error=internal+error", http.StatusSeeOther)
+			return
+		}
+
+		// Update the row with the child's actual PID so stale cleanup
+		// tracks the right process going forward.
+		if _, err := a.DB.ExecContext(r.Context(),
+			`UPDATE builds SET pid = ? WHERE id = ?`,
+			cmd.Process.Pid, buildID); err != nil {
+			a.Logger.Warn("failed to update build PID", "build_id", buildID, "error", err)
+		}
+
+		// Reap the child in the background. If the child exits with an
+		// error and the row is still in "running" state (i.e. the child
+		// never got far enough to record its own outcome), mark it failed
+		// here so the slot is freed.
 		go func() {
-			defer func() {
-				_ = syscall.Flock(int(lockFile.Fd()), syscall.LOCK_UN)
-				_ = lockFile.Close()
-			}()
-
-			cmd := exec.Command(self, "pipeline")
-			cmd.Stdout = os.Stdout
-			cmd.Stderr = os.Stderr
-			cmd.ExtraFiles = []*os.File{lockFile} // fd 3 in child
-			cmd.Env = append(os.Environ(), "PIPELINE_LOCK_FD=3")
-			if err := cmd.Run(); err != nil {
+			if err := cmd.Wait(); err != nil {
 				a.Logger.Error("triggered pipeline failed", "error", err)
+				now := time.Now().UTC().Format(time.RFC3339)
+				_, _ = a.DB.ExecContext(context.Background(), `
+					UPDATE builds SET status = 'failed', finished_at = ?,
+						error_message = ? WHERE id = ? AND status = 'running'`,
+					now, err.Error(), buildID)
 			} else {
 				a.Logger.Info("triggered pipeline completed")
 			}
@@ -420,6 +458,38 @@ func handleTriggerBuild(a *app.App) http.HandlerFunc {
 	}
 }
 
+// markStaleBuildsCancelled finds builds with status "running" whose PID is no
+// longer alive and marks them as "cancelled".
+func markStaleBuildsCancelled(ctx context.Context, db *sql.DB, logger *slog.Logger) {
+	rows, err := db.QueryContext(ctx,
+		`SELECT id, pid FROM builds WHERE status = 'running' AND pid IS NOT NULL`)
+	if err != nil {
+		return
+	}
+
+	var staleIDs []string
+	for rows.Next() {
+		var id string
+		var pid int
+		if err := rows.Scan(&id, &pid); err != nil {
+			continue
+		}
+		if err := syscall.Kill(pid, 0); err != nil {
+			if errors.Is(err, syscall.ESRCH) {
+				staleIDs = append(staleIDs, id)
+			} else {
+				logger.Warn("stale build check: unexpected kill(0) error", "build_id", id, "pid", pid, "error", err)
+			}
+		}
+	}
+	_ = rows.Close()
+
+	now := time.Now().UTC().Format(time.RFC3339)
+	for _, id := range staleIDs {
+		_, _ = db.ExecContext(ctx, `UPDATE builds SET status = 'cancelled', finished_at = ? WHERE id = ?`, now, id)
+	}
+}
+
 var logFiles = map[string]string{
 	"wpcomposer": filepath.Join("storage", "logs", "wpcomposer.log"),
 	"pipeline":   filepath.Join("storage", "logs", "pipeline.log"),