Using containerMode kubernetes causes random step failures

[mhuijgen]

Checks

• I've already read https://github.com/actions/actions-runner-controller/blob/master/TROUBLESHOOTING.md and I'm sure my issue is not covered in the troubleshooting guide.
• I'm not using a custom entrypoint in my runner image

Controller Version

0.4.0

Helm Chart Version

0.4.0

CertManager Version

N/A

Deployment Method

Helm

cert-manager installation

cert-manager not required

Checks

• This isn't a question or user support case (For Q&A and community support, go to Discussions. It might also be a good idea to contract with any of contributors and maintainers if your business is so critical and therefore you need priority support
• I've read releasenotes before submitting this issue and I'm sure it's not due to any recently-introduced backward-incompatible changes
• My actions-runner-controller version (v0.x.y) does support the feature
• I've already upgraded ARC (including the CRDs, see charts/actions-runner-controller/docs/UPGRADING.md for details) to the latest and it didn't fix the issue
• I've migrated to the workflow job webhook event (if you using webhook driven scaling)

Resource Definitions

containerMode:
  type: "kubernetes"
  kubernetesModeWorkVolumeClaim:
    accessModes: ["ReadWriteOnce"]
    storageClassName: "default"
    resources:
      requests:
        storage: 16Gi

template:
  spec:
    restartPolicy: Never
    nodeSelector:
      kubernetes.io/os: linux
    initContainers:
    - name: init-k8s-volume-permissions
      image: ghcr.io/actions/actions-runner:latest
      command: ["sudo", "chown", "-R", "runner", "/home/runner/_work"]
      volumeMounts:
        - name: work
          mountPath: /home/runner/_work
    containers:
    - name: runner
      image: ghcr.io/actions/actions-runner:latest
      command: ["/home/runner/run.sh"]
      resources:
        requests:
          cpu: "1.3"

To Reproduce

This only occurs when running a large workflow so far. The workflow that fails has up to 20 parallel jobs running each comprised of about 9 steps. A few dozen jobs run successfully but some fail in a random step with the following error:

Run '/home/runner/k8s/index.js'
node:internal/process/promises:279
            triggerUncaughtException(err, true /* fromPromise */);
            ^

[UnhandledPromiseRejection: This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). The promise rejected with the reason "#<ErrorEvent>".] {
  code: 'ERR_UNHANDLED_REJECTION'
}
Error: Process completed with exit code 1.
Error: Executing the custom container implementation failed. Please contact your self hosted runner administrator.

Describe the bug

Some jobs abort in seemingly random steps . All fail with the error listed under reproduce step.

Describe the expected behavior

That the workflow has executed successfully dozens of times when using containermode dind.

I expect the workflow to also execute reliably when using containermode kubernetes.

Whole Controller Logs

Will update this after next failing run together with runner pod log of a failing job.

Whole Runner Pod Logs

Will try to extract the logs of the runner pod running a job that fails, but since the pods immediately disappear after failure I will need to stream all runner pod logs to a file and then filter it for a failing pod.

Additional Context

Note that I had to add the initcontainer that fixes the permission on the kubernetesModeWorkVolumeClaim pv because its provisioned by azure as an empty filesystem owned by root:root and the runner runs under user runner. Without it the runner pod itself immediately fails with an error that it cannot write to the _work folder.

This issue might actually be in https://github.com/actions/runner-container-hooks, if so desired Im happy to create a linked issue there.

[github-actions]

Hello! Thank you for filing an issue.

The maintainers will triage your issue shortly.

In the meantime, please take a look at the troubleshooting guide for bug reports.

If this is a feature request, please review our contribution guidelines.

[mhuijgen]

More context:
Running ARC in Azure AKS, tried both free and standard tier.

I did get the runner and controller logs from the run, but not sure if I can share these publicly since they are from private organization repositories.

Snippet from one of the runner log files that failed in its 3rd step after initialize containers:

scoe-arc-runnerset-lw8hn-runner-t5vg9 runner [WORKER 2023-08-10 19:11:26Z ERR  StepsRunner] Caught exception from step: System.Exception: Executing the custom container implementation failed. Please contact your self hosted runner administrator.
scoe-arc-runnerset-lw8hn-runner-t5vg9 runner [WORKER 2023-08-10 19:11:26Z ERR  StepsRunner]  ---> System.Exception: The hook script at '/home/runner/k8s/index.js' running command 'RunScriptStep' did not execute successfully
scoe-arc-runnerset-lw8hn-runner-t5vg9 runner [WORKER 2023-08-10 19:11:26Z ERR  StepsRunner]    at GitHub.Runner.Worker.Container.ContainerHooks.ContainerHookManager.ExecuteHookScript[T](IExecutionContext context, HookInput input, ActionRunStage stage, String prependPath)
scoe-arc-runnerset-lw8hn-runner-t5vg9 runner [WORKER 2023-08-10 19:11:26Z ERR  StepsRunner]    --- End of inner exception stack trace ---
scoe-arc-runnerset-lw8hn-runner-t5vg9 runner [WORKER 2023-08-10 19:11:26Z ERR  StepsRunner]    at GitHub.Runner.Worker.Container.ContainerHooks.ContainerHookManager.ExecuteHookScript[T](IExecutionContext context, HookInput input, ActionRunStage stage, String prependPath)
scoe-arc-runnerset-lw8hn-runner-t5vg9 runner [WORKER 2023-08-10 19:11:26Z ERR  StepsRunner]    at GitHub.Runner.Worker.Container.ContainerHooks.ContainerHookManager.RunScriptStepAsync(IExecutionContext context, ContainerInfo container, String workingDirectory, String entryPoint, String entryPointArgs, IDictionary`2 environmentVariables, String prependPath)
scoe-arc-runnerset-lw8hn-runner-t5vg9 runner [WORKER 2023-08-10 19:11:26Z ERR  StepsRunner]    at GitHub.Runner.Worker.Handlers.ContainerStepHost.ExecuteAsync(IExecutionContext context, String workingDirectory, String fileName, String arguments, IDictionary`2 environment, Boolean requireExitCodeZero, Encoding outputEncoding, Boolean killProcessOnCancel, Boolean inheritConsoleHandler, String standardInInput, CancellationToken cancellationToken)
scoe-arc-runnerset-lw8hn-runner-t5vg9 runner [WORKER 2023-08-10 19:11:26Z ERR  StepsRunner]    at GitHub.Runner.Worker.Handlers.NodeScriptActionHandler.RunAsync(ActionRunStage stage)
scoe-arc-runnerset-lw8hn-runner-t5vg9 runner [WORKER 2023-08-10 19:11:26Z ERR  StepsRunner]    at GitHub.Runner.Worker.ActionRunner.RunAsync()
scoe-arc-runnerset-lw8hn-runner-t5vg9 runner [WORKER 2023-08-10 19:11:26Z ERR  StepsRunner]    at GitHub.Runner.Worker.StepsRunner.RunStepAsync(IStep step, CancellationToken jobCancellationToken)
scoe-arc-runnerset-lw8hn-runner-t5vg9 runner [WORKER 2023-08-10 19:11:26Z INFO StepsRunner] Step result: Failed

On the GitHub workflow run page it shows for this step:

Run actions/download-artifact@v3
Run '/home/runner/k8s/index.js'
node:internal/process/promises:279
            triggerUncaughtException(err, true /* fromPromise */);
            ^

[UnhandledPromiseRejection: This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). The promise rejected with the reason "#<ErrorEvent>".] {
  code: 'ERR_UNHANDLED_REJECTION'
}
Error: Process completed with exit code 1.
Error: Executing the custom container implementation failed. Please contact your self hosted runner administrator.

kubectl events --watch on the runner namespace:

0s                  Warning   FailedScheduling         Pod/scoe-arc-runnerset-lw8hn-runner-t5vg9                          0/7 nodes are available: 7 waiting for ephemeral volume controller to create the persistentvolumeclaim "scoe-arc-runnerset-lw8hn-runner-t5vg9-work". preemption: 0/7 nodes are available: 7 Preemption is not helpful for scheduling.
0s                  Normal    WaitForPodScheduled      PersistentVolumeClaim/scoe-arc-runnerset-lw8hn-runner-t5vg9-work   waiting for pod scoe-arc-runnerset-lw8hn-runner-t5vg9 to be scheduled
0s                  Normal    Provisioning             PersistentVolumeClaim/scoe-arc-runnerset-lw8hn-runner-t5vg9-work   External provisioner is provisioning volume for claim "arc-runners/scoe-arc-runnerset-lw8hn-runner-t5vg9-work"
0s                  Normal    ExternalProvisioning     PersistentVolumeClaim/scoe-arc-runnerset-lw8hn-runner-t5vg9-work   waiting for a volume to be created, either by external provisioner "disk.csi.azure.com" or manually created by system administrator
0s                  Warning   ProvisioningFailed       PersistentVolumeClaim/scoe-arc-runnerset-lw8hn-runner-t5vg9-work   failed to provision volume with StorageClass "default": error generating accessibility requirements: no topology key found on CSINode aks-ephemeral-41282508-vmss00003d
0s (x2 over 1s)     Normal    Provisioning             PersistentVolumeClaim/scoe-arc-runnerset-lw8hn-runner-t5vg9-work   External provisioner is provisioning volume for claim "arc-runners/scoe-arc-runnerset-lw8hn-runner-t5vg9-work"
0s                  Normal    ProvisioningSucceeded    PersistentVolumeClaim/scoe-arc-runnerset-lw8hn-runner-t5vg9-work   Successfully provisioned volume pvc-5944bc62-e449-4158-982b-da0704abebe7
0s                  Normal    Scheduled                Pod/scoe-arc-runnerset-lw8hn-runner-t5vg9                          Successfully assigned arc-runners/scoe-arc-runnerset-lw8hn-runner-t5vg9 to aks-ephemeral-41282508-vmss00003d
0s                  Normal    SuccessfulAttachVolume   Pod/scoe-arc-runnerset-lw8hn-runner-t5vg9                          AttachVolume.Attach succeeded for volume "pvc-5944bc62-e449-4158-982b-da0704abebe7"
0s                  Normal    Pulling                  Pod/scoe-arc-runnerset-lw8hn-runner-t5vg9                          Pulling image "ghcr.io/actions/actions-runner:latest"
0s                  Normal    Pulled                   Pod/scoe-arc-runnerset-lw8hn-runner-t5vg9                          Successfully pulled image "ghcr.io/actions/actions-runner:latest" in 9.813341395s (9.813427895s including waiting)
0s                  Normal    Created                  Pod/scoe-arc-runnerset-lw8hn-runner-t5vg9                          Created container init-k8s-volume-permissions
0s                  Normal    Started                  Pod/scoe-arc-runnerset-lw8hn-runner-t5vg9                          Started container init-k8s-volume-permissions
0s                  Normal    Pulling                  Pod/scoe-arc-runnerset-lw8hn-runner-t5vg9                          Pulling image "ghcr.io/actions/actions-runner:latest"
0s                  Normal    Pulled                   Pod/scoe-arc-runnerset-lw8hn-runner-t5vg9                          Successfully pulled image "ghcr.io/actions/actions-runner:latest" in 109.546342ms (109.633043ms including waiting)
0s                  Normal    Created                  Pod/scoe-arc-runnerset-lw8hn-runner-t5vg9                          Created container runner
0s                  Normal    Started                  Pod/scoe-arc-runnerset-lw8hn-runner-t5vg9                          Started container runner
0s                  Normal    Pulling                  Pod/scoe-arc-runnerset-lw8hn-runner-t5vg9-workflow                 Pulling image "ghcr.io/xxx/yyy:latest"
0s                  Normal    Pulled                   Pod/scoe-arc-runnerset-lw8hn-runner-t5vg9-workflow                 Successfully pulled image "ghcr.io/xxx/yyy:latest" in 27.663319399s (27.663386599s including waiting)
0s                  Normal    Created                  Pod/scoe-arc-runnerset-lw8hn-runner-t5vg9-workflow                 Created container job
0s                  Normal    Started                  Pod/scoe-arc-runnerset-lw8hn-runner-t5vg9-workflow                 Started container job
0s                  Normal    Killing                  Pod/scoe-arc-runnerset-lw8hn-runner-t5vg9-workflow                 Stopping container job

Controller logs dealing with same pod:
scoe-arc-runnerset-lw8hn-runner-t5vg9-controller.log

[mhuijgen]

Tried another rerun but this time with the 'Enable debug logging' checkbox turned on.
It actually succeeded the whole workflow for the first time, maybe a fluke because of the randomness of the issue, or the debug logging slows down something so the issue no longer occurs...

Will run it couple of times more with debug turned on to see if this prevents the failure, maybe that gives some hints as to where it might fail.

[nikola-jokic]

Hey 👋

If this keeps recurring, can you please provide an example workflow so I can try to replicate it as closely as I can? I am not sure why the exception is not caught so I'm curious what code path might have caused it

[mhuijgen]

Hi @nikola-jokic

2nd run with debug also completed, so it for sure starts to look like turning on debug prevents the failure (had like a dozen runs fail without debug so far, none succeeded using kubernetes mode).

As for a workflow to reproduce the issue that might take some time. To give you an idea how big it is:

On GH hosted runners billable time is about 16h, but wall clock time is about 1h due to parallelism in the workflow. Scale set has maximum of 20 runners.

I can try duplicating the flow and replacing the actual build actions with some sleeps and see if this will trigger the failure.

I'm also happy to build a custom runner image with a custom container hooks version if that helps you any further in troubleshooting this.

[nikola-jokic]

Did you customize the container hook? Maybe encapsulating the body of the run() in a try catch can help.

We had an issue causing the promise rejection before, so this PR intended to fix it. If you customized the container hook, maybe applying a similar patch can help you find the source of the issue.
But what is interesting is why does enabling debug logging fixing the problem?

[mhuijgen]

No the hook has not been customized, but I can create a custom one if it helps to drill down into the issue. It looks like the try/catch from the PR you mentioned has already been merged into a release of runner-container-hooks and is already used in the runner image I'm running if I'm not mistaken.

The last release has the try catch that encapsulates the whole body, so either this catch block does not catch it, or perhaps it causes a new exception? I'm not an expert in typescript by any means, but would it be possible to wrap the void run() at the bottom of packages/k8s/src/index.ts in a try catch block? Then it would be completely outside the async function run is.

Just completed a run without debug and that just completed without failing. Nothing changed in the workflow though. Will trigger it a few more times today and early next week. Will keep the ticket updated with the results.

[nikola-jokic]

Thank you for all your effort! Please, keep us posted ☺️

[mhuijgen]

After the first 2 runs failed on paid tier of AKS in Azure failed with these random failures, I have not observed them again.

However occasionally it fails with:

Run '/home/runner/k8s/index.js'
shell: /home/runner/externals/node16/bin/node {0}
Error: Error: connect ETIMEDOUT 10.0.0.1:443
Error: Process completed with exit code 1.
Error: Executing the custom container implementation failed. Please contact your self hosted runner administrator.

Seems the reliability to reach the k8s API on azure AKS (10.0.0.1 is the IP of the cluster k8s API) cannot be considered to be 100% and I guess there might not be any retries in the k8s hooks on k8s API calls?

Over the week I'll try downgrading to the free AKS tier again and see if the random failures start to pop up again.

[nikola-jokic]

We can probably enhance the error reporting in the hook to better explain failures