containerd fails on start: "failed to get metadata for stored sandbox"

[drigz]

Description

We observed one of our nodes failing to properly boot. The error is:

Oct 17 13:46:12 containerd[40100]: time="2024-10-17T13:46:12.015594695Z" level=info msg="Start recovering state"
Oct 17 13:46:12 containerd[40100]: time="2024-10-17T13:46:12.015677461Z" level=info msg=serving... address=/run/containerd/containerd.sock.ttrpc
Oct 17 13:46:12 containerd[40100]: time="2024-10-17T13:46:12.016081023Z" level=info msg=serving... address=/run/containerd/containerd.sock
Oct 17 13:46:12 containerd[40100]: time="2024-10-17T13:46:12.062483416Z" level=fatal msg="Failed to run CRI service" error="failed to recover state: failed to get metadata for stored sandbox \"4ea7054a2b00694197040ac0c59ac2552624824adf3df31c292243992c72bfc9\": not found"

Workaround: rm -rf /var/lib/containerd/ then restarting containerd. Note: I previously suggested just removing io.containerd.metadata.v1.bolt/meta.db but removed this based on Thomas's comment below

Steps to reproduce the issue

We've not yet reproduced the issue, it's a one-off so far. I've seen two other references: siderolabs/talos#9496 (from 5 days ago) and #10236 (from May 16th).

I'll update here if I see this again or if I can reproduce it.

Describe the results you received and expected

I expect that containerd is able to recover state without failing, ignoring/deleting any invalid entries in the metadata.

What version of containerd are you using?

2.0.0-rc.4

Any other relevant information

# runc --version
runc version 1.1.14
commit: 2c9f5602f0ba3d9da1c2596322dfc4e156844890
spec: 1.0.2-dev
go: go1.23.0
libseccomp: 2.5.5
# uname -a
Linux hostname 6.6.42-rt37 #1 SMP PREEMPT_RT Thu Sep 12 11:03:43 CEST 2024 x86_64 AMD Ryzen 5 5600X 6-Core Processor AuthenticAMD GNU/Linux

Show configuration if it is related to CRI plugin.

No response

[mikebrow]

@samuelkarp FYI https://github.com/containerd/containerd/blame/main/internal/cri/server/restart.go#L107-L111 fatal error here is causing a failure to restart the CRI plugin.. Need to figure out a way to clean and continue from this state.

Here we have augmented the recover logic to also do a migration to the new sandboxed support.. however this pod can't be migrated due to there being no metadata corresponding to the key.. suggest log error and continue. Hopefully the admin can rm the pod if not I suppose we could add a force option.

*** Note: https://github.com/containerd/containerd/blob/main/internal/cri/server/sandbox_remove.go#L105 been here before.

[uhthomas]

I have also run across this today and it has completely halted a single node cluster. I guess I'll have to try the workaround of just removing the DB.

[uhthomas]

Unfortunately removing the DB breaks other things.

192.168.1.102   etcd         Failed    ?        2m38s ago     Failed to run pre stage: failed to pull image "gcr.io/etcd-development/etcd:v3.5.16": 1 error(s) occurred:
                failed to pull image "gcr.io/etcd-development/etcd:v3.5.16": failed to prepare extraction snapshot "extract-876211769-cOcg sha256:c79c5237324588ec7d6e94a0d95d226cde0da9d18be6598a9cf5aaa474ee6820": parent snapshot sha256:35c6024c94ed6d39380f78210d243b7422dcdb825146e51c69e6f4b8ff1f9277 does not exist: not found

[uhthomas]

The solution is to just delete the entire /var/lib/containerd directory.

[smira]

I have same error reproduced while running Kubernetes e2e tests (Conformance) on a Talos cluster with containerd v2.0.3.

This error seems to happen after a hard containerd crash (segmentation fault) which causes the state to be corrupted (?).

It seems to be reproducible now, is there anything I can do to help debug/fix this?

@mikebrow seems to suggest to ignore the error and move on.