IP Address Leak with Chained CNI Plugins When Teardown Fails

[MrHohn]

Description

When using chained CNI plugins, if a pod fails to be created due to an error in a later CNI plugin, an IP address can be leaked from an earlier plugin in the chain in every iteration of sandbox creation. Consequently, a large number of IP addresses might be allocated and not cleaned up from a single pod creation in a relatively short amount of time, until no IP addresses available.

Steps to reproduce the issue

This occurs when the following sequence of events happens:

1. During sandbox creation, CNI ADD is called for the CNI plugin chain.
2. The first plugin (e.g., host-local IPAM) successfully allocates an IP address.
3. A subsequent plugin in the chain fails the CNI ADD operation. This causes the overall setupPodNetwork step to fail.
4. Containerd then attempts to clean up the failed sandbox.
5. During cleanup, teardownPodNetwork is called, which invokes CNI DEL on the plugin chain.
6. The same CNI plugin that failed on ADD also fails on DEL (note in practice, this might be transient, e.g. CNI provider may happen to be loaded and unable to process the request).
7. Because the teardown failed, and the initial setup also failed (CNIResult was never populated), containerd ignores the teardown error and considers network cleanup finished.
8. As a result, the CNI DEL command is never sent to the first plugin, and the IP address it allocated is permanently leaked. Kubelet retries creating the pod, leading to multiple leaked IPs for a single pod creation attempt.

Describe the results you received and expected

In the case illustrated above, a Kubernetes node will experience IP leakage and in worst case burning all available IP on the node in a short amount of time.

In a more general view, it seems containerd is more fragile to churns/errors in CNI plugins, especially the ones used in a chain pattern.

Ask - The logic that swallows the cleanupErr should be reconsidered. Even if the initial setup failed, a teardown error indicates that some resources might be left behind and cleanup should be retried or handled more robustly.

What version of containerd are you using?

Containerd v1.7.22+ or v1.6.37+.

Any other relevant information

The skipping behavior for teardownPodNetwork was added in #10744 and got cherrypicked into 1.7 and 1.6.

Show configuration if it is related to CRI plugin.

N/A

[MrHohn]

cc @aojea @qiutongs

[mikebrow]

nod.. kk so we need to add an automatic "down" for lo even on error..

[aojea]

nod.. kk so we need to add an automatic "down" for lo even on error..

AFAIK that will not be problematic, once the network namespace is deleted the lo interface will be wiped out by the kernel.

The main problem here is the cleanup, plugin these days are more complex and need to perform more complex operation on delete

[mikebrow]

I see yeah we don't even "down" lo today.. we just destroy the network ns..

[mikebrow]

so classic problem.. do we let the admin clean up the "reason" for the failure and try again.. to stop/rm the pod

or do we ignore the cni failure which might actually be the admin installed an updated or older CNI version before stopping the pods.. and now we have a disconnect for these running pods

[mikebrow]

a force flag would be a nice way out of this quandary

[mikebrow]

long term.. I have wanted a way to run pod a on version aa of the config+cni plugins.. and pod b on version bb of the config+cni plugins allowing us to clean up without require cross version/config compat

[aojea]

whatever we do today somehow somewhere someone will depend on some existing behavior ...

[sameersaeed]

Hi, I think the issue that #10744 was opened for was fixed by #10839, as it prevents the pods from being created in the first place when CNI plugins aren't initialized.

I tested the flow mentioned in #10744 again and was unable to create a pod when I had no CNI plugins initialized:

root@c2dc79668cc1:/src# crictl runp pod-config.json
E0721 20:38:09.267426   26717 remote_runtime.go:193] "RunPodSandbox from runtime service failed" err="rpc error: code = Unknown desc = failed to setup network for sandbox \"58cedee199f0786a7318f1f1ab2a2f3ff3480602549d6c5c7cbb46a22c9c93eb\": cni plugin not initialized"
FATA[0000] run pod sandbox: rpc error: code = Unknown desc = failed to setup network for sandbox "58cedee199f0786a7318f1f1ab2a2f3ff3480602549d6c5c7cbb46a22c9c93eb": cni plugin not initialized
root@c2dc79668cc1:/src# crictl pods
POD ID              CREATED             STATE               NAME                NAMESPACE           ATTEMPT             RUNTIME 

Based on this, I'm unsure whether the changes from #10744 would still be needed, assuming that there is no problem with keeping #10839's changes. But if anyone has any insights feel free to correct me.

Either way, I would be interested in helping with this! 😃