Inconsistent state on pod termination

[lbernail]

Description

We just had an issue with containerd: an application was killed several times by the oom killer because it reached its cgroup memory limit. Containers on the host are now in a really weird state:

• ok according to crictl ps
• crictl exec fails with cannot exec in a stopped state: unknown
• ctr -n k8s.io t ls hangs without any output
• ps auxf shows many containerd-shim without any child process (or sometime only the pause container)
• runc --root /run/containerd/runc/k8s.io list shows some containers in stopped state
• the associated containerd-shim process is still running without any child

It seems that sometimes when a container process is oom-killed because it has reached its cgroup memory limit the containerd state becomes inconsistent. Once this has happened it's no longer possible to delete containers. When trying to delete a pod, the containerd logs show:

• containerd tries to stop it (StopContainer)
• stop container xx timed out
• then error=“an error occurs during waiting for container xxx to stop: wait container xxx is cancelled”
• the container is stopped but not removed

Steps to reproduce the issue:

1. Run kubernetes using containerd as CRI
2. Create a pod with a memory limit
3. Allocate more memory than the limit
4. After several OOM kills, it should no longer be possible to interact with containerd

Describe the results you received:
containerd seems to be stuck in a inconsistent state and no longer able to fulfill CRI requests

Describe the results you expected:
containerd should clean up oom killed containers and remain consistent

Output of containerd --version:

containerd --version
containerd github.com/containerd/containerd v1.1.0 209a7fc3e4a32ef71a8c7b50c68fc8398415badf```

[Random-Liu]

@lbernail I can't reproduce it.

Test pod I'm using:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: stress
  labels:
    app: stress
spec:
  replicas: 1
  selector:
    matchLabels:
      app: stress
  template:
    metadata:
      labels:
        app: stress
    spec:
      containers:
      - name: stress
        image: k8s.gcr.io/stress:v1
        args: [ "-mem-alloc-size", "64Mi", "-mem-alloc-sleep", "1s", "-mem-total", "256Mi" ]
        resources:
           requests:
              memory: "64Mi"
           limits:
              memory: "64Mi"

The kubectl output:

$ kubectl get pods -w
NAME                          READY     STATUS             RESTARTS   AGE
hostexec-1-5869d5bb87-t9x4z   1/1       Running            0          2d
hostexec-6d4c95d44-bnms5      1/1       Running            0          10h
stress-5b5596b5db-xj45k       0/1       CrashLoopBackOff   3          1m
stress-5b5596b5db-xj45k   0/1       OOMKilled   4         1m
stress-5b5596b5db-xj45k   0/1       CrashLoopBackOff   4         1m
stress-5b5596b5db-xj45k   1/1       Running   5         3m
stress-5b5596b5db-xj45k   0/1       OOMKilled   5         3m
stress-5b5596b5db-xj45k   0/1       CrashLoopBackOff   5         3m
stress-5b5596b5db-xj45k   0/1       OOMKilled   6         5m
stress-5b5596b5db-xj45k   0/1       CrashLoopBackOff   6         6m
stress-5b5596b5db-xj45k   0/1       OOMKilled   7         11m
stress-5b5596b5db-xj45k   0/1       CrashLoopBackOff   7         11m

Containerd seems to be fine:

# ctr -n k8s.io t ls
TASK                                                                PID      STATUS    
2e5313432efbfe21eeaec1a2c50dfee0e9ae1923b7ed334af2802c6fb5ee6fd4    1513     RUNNING
67ba476cb9be03e88175a41b064710857c423d956cb60a464bbad349266e0262    1899     RUNNING
719524ba228cfd638e3c8327f4ac6bf28632f649b06d4d5c6eff146b19c0d75e    1672     RUNNING
77709c1383fd4d377205d6face17b8ad59fa1f51ea9faa4ed532c8c3e40fcd2a    1559     RUNNING
b4e55dc81f55faf202657840668520e40927aa08dc63d9f72493b82f97f048f0    1954     RUNNING
ea34a4a9a5e9fdcaf9d39dc086337e07985b5e4f31b51bb2606065846fd87c0e    2766     RUNNING
f6925171084d48cc38acbe90d2cf388b9743acaa860c55b49d4f5f5ee675f8b8    1847     RUNNING
2c625b262b23e15208dfdf62440e84079fd3da6c307aa98efec04581638914c0    2219     RUNNING
4134e0035d3610f2c68b7575e71f57ccb12c196f606e331eb8ae84c908fea3a2    2011     RUNNING
8cf19ae5de14d8d5469987076c267b73aef48dd2feb4b472ccf68022dedcdba9    2720     RUNNING
f3acf3bd1d8e1ea8d330cbe02e37399e457a49ea2fde624a5f6ac1655597d49f    22023    RUNNING
0005ae1b0e852110455e6406cd16dc28ac3669494b8f78dd9f2498e9c5a37995    2676     RUNNING

I'll leave it there running for a day, but I'm not able to reproduce it till now.

@lbernail Can you try whether you can reproduce the issue in your environment with the stress pod above?

[mikebrow]

@Random-Liu you on 1.1.0? may have been a delta or two in that code path.

[Random-Liu]

I’m using gke, which is using 1.1.0.

…

On Fri, Jul 6, 2018 at 6:49 PM Mike Brown ***@***.***> wrote: @Random-Liu <https://github.com/Random-Liu> you on 1.1.0? may have been a delta or two in that code path. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#2438 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AFjVuxSXQNsQDdzLLQsUJbcU_oPfwJiTks5uEBOXgaJpZM4VECbU> .

[mikebrow]

ok according to crictl ps... ok means? "crictl ps -all"?

[lbernail]

@Random-Liu the issue seems to be triggered by the OOM but not consistently : we had the same setup on several servers but it did not happen on all of them (and on the ones where it happened it took a while). However we have already seen this a few times in the past weeks.

If you need any additional info let me know (I probably still have a server in a "broken" state)

In our case we run kubernetes ourselves on ubuntu 1804 instances. I wonder if GKE comes with some memory management settings?

[lbernail]

We have seen a few more instances of this issue and what is interesting is that it happened at least once without oom-killer intervention.

Symptoms are the same:

• pod stuck in terminating
• all containers in pods show as running in crictl
• however some containers in the pods are stopped (according to runc)
• when the containerd state become inconsistent no operation can succeed on the node anymore (and new deleted pods end up in the same state)

In the containerd logs it keeps trying to kill the pod without success:

Jul 26 12:50:13 np-vm-ingress-agent-ffg6 containerd[1026]: time="2018-07-26T12:50:13Z" level=info msg="StopContainer for "0a18bf68260b9c0e8941fa3e66b805ce3c2cede9c1be6a0d2f0e78868e95437d" with timeout 30 (s)"
Jul 26 12:50:13 np-vm-ingress-agent-ffg6 containerd[1026]: time="2018-07-26T12:50:13Z" level=info msg="Stop container "0a18bf68260b9c0e8941fa3e66b805ce3c2cede9c1be6a0d2f0e78868e95437d" with signal terminated"

Repeated every 90s

The pods that seem to trigger the issue have a complex configuration:

• host pid namespace
• 3 containers
• exec-based liveness and readiness probes (that can take a few seconds)

I wonder how the exec-ed process is tracked in host pod namespace. Could that be related?

I updated the title of the issue to remove the reference to the oom killer which probably wasn't related

[Random-Liu]

@lbernail

Based on what you describe:

1. ok according to crictl ps - This means that cri plugin is working fine.
2. ctr -n k8s.io t ls hangs without any output - This is usually caused by a hanging containerd-shim. /cc @crosbymichael We should probably add timeout to those calls. We shouldn't hang containerd for a single container.

Can you send SIGUSR1 signal to containerd daemon and check the log? Containerd should print the stack trace, and we can debug here.

[lbernail]

The CRI plugin is working fine but the crictl ps answer is misleading (all containers are shown as Running but some are stopped according to runc

And yes I can see a containerd-shim without any child for all all stopped containers

[lbernail]

I looked at the stack trace on a server with the issue and it's definitely very different from servers without it:

• ok server: ~100 goroutines
• server with the issue: ~2500 goroutines

I attached the goroutine stack dump

containerd_trace.log.gz

[crosbymichael]

Ya, i'll have to look into this

[crosbymichael]

Do you know of an easy way to reproduce outside of kub?

[roboll]

We haven't reproduced it outside of kube, no. (@lbernail and I work together)

[lbernail]

Yes, sorry I've been away for a few days. Today we see the issue regularly (but not too often) on kubernetes but I'll try and reproduce based on the ideas we have using crictl only

[roboll]

I don't know if any of this will be helpful but I've been digging a bunch today and here's what I've found.

On a node where this issue manifests, the containerd-shim processes never get killed. When I crictl stop {ctr} containerd-shim strace looks like this (and does not exit).

$ sudo strace -p 3675
strace: Process 3675 attached
futex(0x800008, FUTEX_WAIT, 0, NULL)    = ? ERESTARTSYS (To be restarted if SA_RESTART is set)
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3692, si_uid=0, si_status=2, si_utime=11184, si_stime=9801} ---
futex(0x81bcc0, FUTEX_WAKE, 1)          = 1
rt_sigreturn({mask=~[HUP INT QUIT ILL TRAP ABRT BUS FPE KILL USR1 SEGV PIPE TERM STKFLT CHLD STOP PROF SYS RTMIN RT_1]}) = 202
futex(0x800008, FUTEX_WAIT, 0, NULL

On a healthy node with the same interaction containerd-shim strace looks like this:

$ sudo strace -p 4195
strace: Process 4195 attached
futex(0x800008, FUTEX_WAIT, 0, NULL)    = ? ERESTARTSYS (To be restarted if SA_RESTART is set)
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=4215, si_uid=0, si_status=2, si_utime=8663, si_stime=6026} ---
futex(0x81bcc0, FUTEX_WAKE, 1)          = 1
rt_sigreturn({mask=~[HUP INT QUIT ILL TRAP ABRT BUS FPE KILL USR1 SEGV PIPE TERM STKFLT CHLD STOP PROF SYS RTMIN RT_1]}) = 202
futex(0x800008, FUTEX_WAIT, 0, NULL)    = ?
+++ killed by SIGKILL +++

Seeing a lot of this in the logs, repeated every 90s:

Aug 07 08:06:53 np-vm-ingress-agent-ffg6 containerd[1026]: time="2018-08-07T08:06:53Z" level=info msg="StopPodSandbox for "fccfc5a3a17c6d0b6c7c9efbcf9c836d1e14308d48dc9b4eb5482701ebec453f""
Aug 07 08:08:53 np-vm-ingress-agent-ffg6 containerd[1026]: time="2018-08-07T08:08:53Z" level=error msg="StopPodSandbox for "fccfc5a3a17c6d0b6c7c9efbcf9c836d1e14308d48dc9b4eb5482701ebec453f" failed" error="failed to stop container "c730819088718ff5e43908127b870f72a9766dab80581968486c6aa51ee4a59b": an error occurs during waiting for container "c730819088718ff5e43908127b870f72a9766dab80581968486c6aa51ee4a59b" to stop: wait container "c730819088718ff5e43908127b870f72a9766dab80581968486c6aa51ee4a59b" is cancelled"

Process for this container looks like this:

ddeng@np-vm-ingress-agent-ffg6:~$ ps faux | grep containerd -A10
root      1026  2.0  2.0 1644320 159776 ?      Ssl  Jul16 671:28 /usr/local/bin/containerd --log-level debug
root      2500  0.0  0.0   7512  4092 ?        Sl   Jul16   0:56  \_ containerd-shim -namespace k8s.io -workdir /var/lib/containerd/io.containerd.runtime.v1.linux/k8s.io/fccfc5a3a17c6d0b6c7c9efbcf9c836d1e14308d48dc9b4eb5482701ebec453f -address /run/containerd/containerd.sock -containerd-binary /usr/local/bin/containerd
root      2579  0.0  0.0   1024     4 ?        Ss   Jul16   0:00  |   \_ /pause

When I kill the containerd-shim process, we see this in the logs:

Aug 08 16:04:59 np-vm-ingress-agent-ffg6 containerd[1026]: time="2018-08-08T16:04:59Z" level=error msg="StopPodSandbox for "fccfc5a3a17c6d0b6c7c9efbcf9c836d1e14308d48dc9b4eb5482701ebec453f" failed" error="failed to stop container "c730819088718ff5e43908127b870f72a9766dab80581968486c6aa51ee4a59b": an error occurs during waiting for container "c730819088718ff5e43908127b870f72a9766dab80581968486c6aa51ee4a59b" to stop: wait container "c730819088718ff5e43908127b870f72a9766dab80581968486c6aa51ee4a59b" is cancelled"
Aug 08 16:05:42 np-vm-ingress-agent-ffg6 containerd[1026]: time="2018-08-08T16:05:42Z" level=info msg="shim reaped" id=fccfc5a3a17c6d0b6c7c9efbcf9c836d1e14308d48dc9b4eb5482701ebec453f
Aug 08 16:05:42 np-vm-ingress-agent-ffg6 containerd[1026]: time="2018-08-08T16:05:42Z" level=warning msg="cleaning up after killed shim" id=fccfc5a3a17c6d0b6c7c9efbcf9c836d1e14308d48dc9b4eb5482701ebec453f namespace=k8s.io

and the process is properly killed.