containers stuck terminating / creating - many `runc init` processes

[alam0rt]

Description

Hi, I raised an issue opencontainers/runc#3448 in the runc repo, but as you can see the issue appears to be that containerd (1.6.2) is not started the created containers.

• The issue affected basically every node as soon as they came up
• Have other clusters running the same setup which makes me think it is triggered by load or a certain type of workload
• Kubernetes 1.22.8
• Most pods, after failing to start were then met with OutOfcpu making me think that the CPU requests were being accounted for even if nothing was running (all nodes basically idle).
• Switching to docker CRI "fixed"
• Nodes are set up to have both docker and containerd present, can switch to either runtime with a configuration change to point kubelet to either.
• Restarting containerd service fixes.
• Running containerd-stress density will even fail to start a container and is stuck in the same way.

Steps to reproduce the issue

1. Scale up a workload so the nodes are fully committed (e.g. cluster-autoscaler will start creating nodes)
2. Wait for node to start accumulating runc init processes. Containerd logs will report report errors creating containers/sandboxes etc.

Describe the results you received and expected

We have a way to switch container runtime from containerd -> docker. We expected containerd to work in the same way as docker.

What version of containerd are you using?

1.6.2

Any other relevant information

runc version, CRI configuration, OS/Kernel version, etc.

runc
VERSION:
   1.0.3
commit: v1.0.3-0-gf46b6ba
spec: 1.0.2-dev
go: go1.16.15
libseccomp: 2.5.1

(I also tried on 1.1.1 with same results which makes me think the issue could be with the shim?)

{
  "status": {
    "conditions": [
      {
        "type": "RuntimeReady",
        "status": true,
        "reason": "",
        "message": ""
      },
      {
        "type": "NetworkReady",
        "status": true,
        "reason": "",
        "message": ""
      }
    ]
  },
  "cniconfig": {
    "PluginDirs": [
      "/opt/cni/bin"
    ],
    "PluginConfDir": "/etc/cni/net.d",
    "PluginMaxConfNum": 1,
    "Prefix": "eth",
    "Networks": [
      {
        "Config": {
          "Name": "cni-loopback",
          "CNIVersion": "0.3.1",
          "Plugins": [
            {
              "Network": {
                "type": "loopback",
                "ipam": {},
                "dns": {}
              },
              "Source": "{\"type\":\"loopback\"}"
            }
          ],
          "Source": "{\n\"cniVersion\": \"0.3.1\",\n\"name\": \"cni-loopback\",\n\"plugins\": [{\n  \"type\": \"loopback\"\n}]\n}"
        },
        "IFName": "lo"
      },
      {
        "Config": {
          "Name": "aws-cni",
          "CNIVersion": "0.4.0",
          "Plugins": [
            {
              "Network": {
                "name": "aws-cni",
                "type": "aws-cni",
                "ipam": {},
                "dns": {}
              },
              "Source": "{\"mtu\":\"9001\",\"name\":\"aws-cni\",\"pluginLogFile\":\"/var/log/aws-routed-eni/plugin.log\",\"pluginLogLevel\":\"DEBUG\",\"type\":\"aws-cni\",\"vethPrefix\":\"eni\"}"
            },
            {
              "Network": {
                "name": "egress-v4-cni",
                "type": "egress-v4-cni",
                "ipam": {
                  "type": "host-local"
                },
                "dns": {}
              },
              "Source": "{\"enabled\":\"false\",\"ipam\":{\"dataDir\":\"/run/cni/v6pd/egress-v4-ipam\",\"ranges\":[[{\"subnet\":\"169.254.172.0/22\"}]],\"routes\":[{\"dst\":\"0.0.0.0/0\"}],\"type\":\"host-local\"},\"mtu\":9001,\"name\":\"egress-v4-cni\",\"nodeIP\":\"172.30.228.249\",\"pluginLogFile\":\"/var/log/aws-routed-eni/egress-v4-plugin.log\",\"pluginLogLevel\":\"DEBUG\",\"type\":\"egress-v4-cni\"}"
            },
            {
              "Network": {
                "type": "portmap",
                "capabilities": {
                  "portMappings": true
                },
                "ipam": {},
                "dns": {}
              },
              "Source": "{\"capabilities\":{\"portMappings\":true},\"snat\":true,\"type\":\"portmap\"}"
            }
          ],
          "Source": "{\n  \"cniVersion\": \"0.4.0\",\n  \"name\": \"aws-cni\",\n  \"disableCheck\": true,\n  \"plugins\": [\n    {\n      \"name\": \"aws-cni\",\n      \"type\": \"aws-cni\",\n      \"vethPrefix\": \"eni\",\n      \"mtu\": \"9001\",\n      \"pluginLogFile\": \"/var/log/aws-routed-eni/plugin.log\",\n      \"pluginLogLevel\": \"DEBUG\"\n    },\n    {\n      \"name\": \"egress-v4-cni\",\n      \"type\": \"egress-v4-cni\",\n      \"mtu\": 9001,\n      \"enabled\": \"false\",\n      \"nodeIP\": \"172.30.228.249\",\n      \"ipam\": {\n         \"type\": \"host-local\",\n         \"ranges\": [[{\"subnet\": \"169.254.172.0/22\"}]],\n         \"routes\": [{\"dst\": \"0.0.0.0/0\"}],\n         \"dataDir\": \"/run/cni/v6pd/egress-v4-ipam\"\n      },\n      \"pluginLogFile\": \"/var/log/aws-routed-eni/egress-v4-plugin.log\",\n      \"pluginLogLevel\": \"DEBUG\"\n    },\n    {\n      \"type\": \"portmap\",\n      \"capabilities\": {\"portMappings\": true},\n      \"snat\": true\n    }\n  ]\n}"
        },
        "IFName": "eth0"
      }
    ]
  },
  "config": {
    "containerd": {
      "snapshotter": "overlayfs",
      "defaultRuntimeName": "runc",
      "defaultRuntime": {
        "runtimeType": "",
        "runtimePath": "",
        "runtimeEngine": "",
        "PodAnnotations": null,
        "ContainerAnnotations": null,
        "runtimeRoot": "",
        "options": null,
        "privileged_without_host_devices": false,
        "baseRuntimeSpec": "",
        "cniConfDir": "",
        "cniMaxConfNum": 0
      },
      "untrustedWorkloadRuntime": {
        "runtimeType": "",
        "runtimePath": "",
        "runtimeEngine": "",
        "PodAnnotations": null,
        "ContainerAnnotations": null,
        "runtimeRoot": "",
        "options": null,
        "privileged_without_host_devices": false,
        "baseRuntimeSpec": "",
        "cniConfDir": "",
        "cniMaxConfNum": 0
      },
      "runtimes": {
        "runc": {
          "runtimeType": "io.containerd.runc.v2",
          "runtimePath": "",
          "runtimeEngine": "",
          "PodAnnotations": null,
          "ContainerAnnotations": null,
          "runtimeRoot": "",
          "options": {
            "BinaryName": "",
            "CriuImagePath": "",
            "CriuPath": "",
            "CriuWorkPath": "",
            "IoGid": 0,
            "IoUid": 0,
            "NoNewKeyring": false,
            "NoPivotRoot": false,
            "Root": "",
            "ShimCgroup": "",
            "SystemdCgroup": false
          },
          "privileged_without_host_devices": false,
          "baseRuntimeSpec": "",
          "cniConfDir": "",
          "cniMaxConfNum": 0
        }
      },
      "noPivot": false,
      "disableSnapshotAnnotations": true,
      "discardUnpackedLayers": false,
      "ignoreRdtNotEnabledErrors": false
    },
    "cni": {
      "binDir": "/opt/cni/bin",
      "confDir": "/etc/cni/net.d",
      "maxConfNum": 1,
      "confTemplate": "",
      "ipPref": ""
    },
    "registry": {
      "configPath": "",
      "mirrors": null,
      "configs": null,
      "auths": null,
      "headers": null
    },
    "imageDecryption": {
      "keyModel": "node"
    },
    "disableTCPService": true,
    "streamServerAddress": "127.0.0.1",
    "streamServerPort": "0",
    "streamIdleTimeout": "4h0m0s",
    "enableSelinux": false,
    "selinuxCategoryRange": 1024,
    "sandboxImage": "k8s.gcr.io/pause:3.6",
    "statsCollectPeriod": 10,
    "systemdCgroup": false,
    "enableTLSStreaming": false,
    "x509KeyPairStreaming": {
      "tlsCertFile": "",
      "tlsKeyFile": ""
    },
    "maxContainerLogSize": 16384,
    "disableCgroup": false,
    "disableApparmor": false,
    "restrictOOMScoreAdj": false,
    "maxConcurrentDownloads": 3,
    "disableProcMount": false,
    "unsetSeccompProfile": "",
    "tolerateMissingHugetlbController": true,
    "disableHugetlbController": true,
    "device_ownership_from_security_context": false,
    "ignoreImageDefinedVolumes": false,
    "netnsMountsUnderStateDir": false,
    "enableUnprivilegedPorts": false,
    "enableUnprivilegedICMP": false,
    "containerdRootDir": "/var/lib/containerd",
    "containerdEndpoint": "/run/containerd/containerd.sock",
    "rootDir": "/var/lib/containerd/io.containerd.grpc.v1.cri",
    "stateDir": "/run/containerd/io.containerd.grpc.v1.cri"
  },
  "golang": "go1.17.2",
  "lastCNILoadStatus": "OK",
  "lastCNILoadStatus.default": "OK"
}

Linux $IP 5.4.0-1071-aws #76~18.04.1-Ubuntu SMP Mon Mar 28 17:49:57 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

#   Copyright 2018-2022 Docker Inc.

#   Licensed under the Apache License, Version 2.0 (the "License");
#   you may not use this file except in compliance with the License.
#   You may obtain a copy of the License at

#       http://www.apache.org/licenses/LICENSE-2.0

#   Unless required by applicable law or agreed to in writing, software
#   distributed under the License is distributed on an "AS IS" BASIS,
#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
#   See the License for the specific language governing permissions and
#   limitations under the License.

disabled_plugins = []

[metrics]
  address = "127.0.0.1:1338"

#root = "/var/lib/containerd"
#state = "/run/containerd"
#subreaper = true
#oom_score = 0

#[grpc]
#  address = "/run/containerd/containerd.sock"
#  uid = 0
#  gid = 0

[debug]
#  address = "/run/containerd/debug.sock"
#  uid = 0
#  gid = 0
# supported values [trace, debug, info, warn, error, fatal, panic]
# https://github.com/containerd/containerd/blob/v1.6.1/cmd/containerd/command/main.go#L89
  level = "error"
# https://github.com/containerd/containerd/blob/v1.6.1/log/context.go#L45-L49
  format = "json"

[alam0rt]

wanted to node, am running both docker and containerd at the same time, both are configured to use the same socket path which I understand could cause contention with cgroup management.

Would this possibly cause the stated issue? Will reconfigure them regardless.

[alam0rt]

Okay, I think I've found a way to reproduce this which is simply create a large number of pods at once. Did a k scale deployment $some_largish_workload --replicas 1000, and after about 5 minutes, scale back down.

Lots of pods stuck in Terminating.

containerd logs are filled with

Apr 05 01:51:51 containerd[4743]: {"error":"rpc error: code = DeadlineExceeded desc = failed to stop sandbox container \"88956ab6c466107f184d53b63f9a6f7622aaadd6f2ef5e7967af41e1ef1f11e2\" in \"SANDBOX_READY\" state: wait sandbox container \"88956ab6c466107f184d53b63f9a6f7622aaadd6f2ef5e7967af41e1ef1f11e2\": context deadline exceeded","level":"error","msg":"StopPodSandbox for \"88956ab6c466107f184d53b63f9a6f7622aaadd6f2ef5e7967af41e1ef1f11e2\" failed","time":"2022-04-05T01:51:51.759136525Z"}
Apr 05 01:51:51 containerd[4743]: {"error":"rpc error: code = DeadlineExceeded desc = failed to stop sandbox container \"e1f9a29f5642a2f7893b29ab1f6e391ed3482b0c6e5c0bc0758a2e0f5e634785\" in \"SANDBOX_READY\" state: wait sandbox container \"e1f9a29f5642a2f7893b29ab1f6e391ed3482b0c6e5c0bc0758a2e0f5e634785\": context deadline exceeded","level":"error","msg":"StopPodSandbox for \"e1f9a29f5642a2f7893b29ab1f6e391ed3482b0c6e5c0bc0758a2e0f5e634785\" failed","time":"2022-04-05T01:51:51.759132456Z"}
Apr 05 01:51:51 containerd[4743]: {"error":"rpc error: code = DeadlineExceeded desc = failed to stop sandbox container \"3344542a24a2a1a565175ba41f2cc59bc9edcee972f41e66159b1cc7511bc2bd\" in \"SANDBOX_READY\" state: wait sandbox container \"3344542a24a2a1a565175ba41f2cc59bc9edcee972f41e66159b1cc7511bc2bd\": context deadline exceeded","level":"error","msg":"StopPodSandbox for \"3344542a24a2a1a565175ba41f2cc59bc9edcee972f41e66159b1cc7511bc2bd\" failed","time":"2022-04-05T01:51:51.759147676Z"}

and

Apr 05 01:51:46 containerd[4743]: {"error":"failed to reserve sandbox name \"node-exporter-qk5h5_kube-system_1b750210-d162-4df4-8414-965ebb017395_0\": name \"node-exporter-qk5h5_kube-system_1b750210-d162-4df4-8414-965ebb017395_0\" is reserved for \"1e6cd2a72fcf198817387e4a662af875274ed8ec5bf889211b9cfb81f115b7c3\"","level":"error","msg":"RunPodSandbox for \u0026PodSandboxMetadata{Name:node-exporter-qk5h5,Uid:1b750210-d162-4df4-8414-965ebb017395,Namespace:kube-system,Attempt:0,} failed, error","time":"2022-04-05T01:51:46.457243498Z"}

  $ ps aux | grep 'runc init' | wc -l
63

  $ sudo lsof -p $(pidof containerd) | wc -l
947

barely any load

  $ vmstat 1
procs -----------memory---------- ---swap-- -----io---- -system-- ------cpu-----
 r  b   swpd   free   buff  cache   si   so    bi    bo   in   cs us sy id wa st
 1  0      0 184559104 538444 7995808    0    0    14   282  173  374  1  0 98  0  0
 0  0      0 184556992 538444 7995836    0    0     0  1692 3820 8323  0  0 100  0  0
 0  0      0 184555584 538444 7995840    0    0     0     0 2928 7495  0  0 99  0  0
 7  0      0 184553856 538444 7995844    0    0     0     0 3510 9174  1  0 99  0  0
 0  0      0 184548608 538460 7995896    0    0     0   520 7330 18170  1  0 99  0  0
 1  0      0 184550368 538460 7995940    0    0     0     0 6056 14737  0  0 99  0  0
 7  0      0 184549376 538460 7995932    0    0     0     0 6444 18897  1  0 99  0  0

[fuweid]

Could you mind to fill the issue with the template, like containerd version, cri config etc.? Thanks

[alam0rt]

Could you mind to fill the issue with the template, like containerd version, cri config etc.? Thanks

Have updated the OP

[alam0rt]

So, did a little more digging after I reproduced again.

crictl pods listing pods as ready

POD ID              CREATED             STATE               NAME                               NAMESPACE            ATTEMPT             RUNTIME
e61e65ad28451       9 minutes ago       Ready               kube2iam-9dv4k                     kube-system          0                   (default)
258739eb027c3       9 minutes ago       Ready               node-exporter-kt8mm                kube-system          0                   

kubectl is listing these all as Terminating.

All the pods are (critctl inspectp ...)

    "state": "SANDBOX_READY",

Trying to start one

DEBU[0000] get runtime connection
DEBU[0000] connect using endpoint 'unix:///run/containerd/containerd.sock' with '2s' timeout
DEBU[0000] connected successfully using endpoint: unix:///run/containerd/containerd.sock
DEBU[0000] StartContainerRequest: &StartContainerRequest{ContainerId:c2d99d797f8b2,}
DEBU[0000] StartContainerResponse: nil
FATA[0000] starting the container "c2d99d797f8b2": rpc error: code = Unknown desc = failed to set starting state for container "c2d99d797f8b2ce049de65996a11a1f69264994ee3e98a49762208400a3636be": container is already in starting state

Stop (hangs which probably explains everything stuck in terminating state)

DEBU[0000] get runtime connection
DEBU[0000] connect using endpoint 'unix:///run/containerd/containerd.sock' with '2s' timeout
DEBU[0000] connected successfully using endpoint: unix:///run/containerd/containerd.sock
DEBU[0000] StopPodSandboxRequest: &StopPodSandboxRequest{PodSandboxId:cb7c349224ef6,}

crictl ps -a

8836dee036e7f       c665473c2d1a8       19 minutes ago       Created             sensor                  0                   8a7deac1b642b
a59b45d544f76       c665473c2d1a8       19 minutes ago       Created             sensor                  0                   160cc44eb7c73
db79b04a35a7b       c665473c2d1a8       19 minutes ago       Created             sensor                  0                   60cd9518b2f7b
7a2e19dc692a8       c665473c2d1a8       19 minutes ago       Created             sensor                  0                   e61a1f8611d35
ca2b96e347096       c665473c2d1a8       19 minutes ago       Created             sensor                  0                   cb7c349224ef6
70618e5bcee8f       c665473c2d1a8       19 minutes ago       Created             sensor                  0                   3c6d3a8271d71
671d994a87f9e       c665473c2d1a8       19 minutes ago       Created             sensor                  0                   08db027c453c7
2c3286678513e       c665473c2d1a8       19 minutes ago       Created             sensor                  0                   63ddb9ad380de
c2d99d797f8b2       c665473c2d1a8       19 minutes ago       Created             sensor                  0                   748fd9b0028f1
07e165f398e36       c665473c2d1a8       19 minutes ago       Created             sensor                  0                   163358db1e87d
b43cb402e379c       c665473c2d1a8       19 minutes ago       Created             sensor                  0                   1360a745aecc4
9f3e59bf3afbf       c665473c2d1a8       19 minutes ago       Created             sensor                  0                   f92c831f7f95d

{
  "status": {
    "id": "c2d99d797f8b2ce049de65996a11a1f69264994ee3e98a49762208400a3636be",
    "metadata": {
      "attempt": 0,
      "name": "sensor"
    },
    "state": "CONTAINER_CREATED",
    "createdAt": "2022-04-06T01:08:44.498852593Z",
    "startedAt": "0001-01-01T00:00:00Z",
    "finishedAt": "0001-01-01T00:00:00Z",
    "exitCode": 0,
    "image": {

using runc

runc --root /run/containerd/runc/k8s.io/ state d30e0c0d500fabbeb7c3fa645b7f5e3178d015c87e0e58123a12d8f31de85eb6
{
  "ociVersion": "1.0.2-dev",
  "id": "d30e0c0d500fabbeb7c3fa645b7f5e3178d015c87e0e58123a12d8f31de85eb6",
  "pid": 46995,
  "status": "created",
  "bundle": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/d30e0c0d500fabbeb7c3fa645b7f5e3178d015c87e0e58123a12d8f31de85eb6",
  "rootfs": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/d30e0c0d500fabbeb7c3fa645b7f5e3178d015c87e0e58123a12d8f31de85eb6/rootfs",
  "created": "2022-04-06T01:30:27.819165909Z",
  "annotations": {
    "io.kubernetes.cri.container-name": "kube2iam",
    "io.kubernetes.cri.container-type": "container",
    "io.kubernetes.cri.image-name": "foo",
    "io.kubernetes.cri.sandbox-id": "8f84b0fce446f14ae493a2bb6612e08c4a33c2f86eacf3bb0e8f19935c861787",
    "io.kubernetes.cri.sandbox-name": "foo",
    "io.kubernetes.cri.sandbox-namespace": "kube-system"
  },
  "owner": ""

[fuweid]

@alam0rt is there too many runc init processes? And could you mind to kill -USR1 $(pidof containerd) and kill -USR1 ${unexpected-shim-pid} to get the stack from containerd's log? Thanks.

[alam0rt]

@alam0rt is there too many runc init processes? And could you mind to kill -USR1 $(pidof containerd) and kill -USR1 ${unexpected-shim-pid} to get the stack from containerd's log? Thanks.

i will do this once i can trigger the issue again - thanks

[alam0rt]

containerd-goroutines.gz
shims-goroutine-dump.gz (contains every shim goroutine output so be warned, most are "stuck" so lots of examples :) )

I should also note, I had to restart containerd to enable debugging (did a ctr pprof...) and the issue was still occuring even after it came back up.

Interesting to note that the pause container is generally creating fine (but there have been instances where even that cannot start)
shim-29907.gz

root      29907  2.2  0.0 712896 14064 ?        Sl   00:20   1:45 /usr/bin/containerd-shim-runc-v2 -namespace k8s.io -id e50d1311691a99e4688278774f27e58893fde
65535     30355  0.0  0.0    964     4 ?        Ss   00:21   0:00  \_ /pause
root      35305  0.0  0.0 1090812 11748 ?       Ssl  00:22   0:00  \_ runc init
1337      40475  0.0  0.0 1090812 11804 ?       Ssl  00:24   0:00  \_ runc init
root      46408  0.0  0.0 1090812 12200 ?       Ssl  00:26   0:00  \_ runc init
1337      51166  0.0  0.0 1090556 12272 ?       Ssl  00:28   0:00  \_ runc init
root      55858  0.0  0.0 1090556 12004 ?       Ssl  00:30   0:00  \_ runc init
1337      60509  0.0  0.0 1090812 12300 ?       Ssl  00:32   0:00  \_ runc init
root      65065  0.0  0.0 1090812 12588 ?       Ssl  00:34   0:00  \_ runc init
1337      69335  0.0  0.0 1090812 12808 ?       Ssl  00:36   0:00  \_ runc init
root      74315  0.0  0.0 1090812 12748 ?       Ssl  00:38   0:00  \_ runc init
1337      78945  0.0  0.0 1090812 12740 ?       Ssl  00:40   0:00  \_ runc init
root      83229  0.0  0.0 1090556 12892 ?       Ssl  00:42   0:00  \_ runc init
1337      87183  0.0  0.0 1090812 13292 ?       Ssl  00:44   0:00  \_ runc init
root      91232  0.0  0.0 1090556 12892 ?       Ssl  00:46   0:00  \_ runc init
1337      95219  0.0  0.0 1090812 13432 ?       Ssl  00:48   0:00  \_ runc init
root      99711  0.0  0.0 1090812 13684 ?       Ssl  00:50   0:00  \_ runc init
1337     104343  0.0  0.0 1090812 13684 ?       Ssl  00:52   0:00  \_ runc init
root     108525  0.0  0.0 1091452 11848 ?       Ssl  00:54   0:00  \_ runc init
1337     112585  0.0  0.0 1091452 11812 ?       Ssl  00:56   0:00  \_ runc init
root     116657  0.0  0.0 1091452 12080 ?       Ssl  00:58   0:00  \_ runc init
1337     120750  0.0  0.0 1091452 11720 ?       Ssl  01:00   0:00  \_ runc init
root     124972  0.0  0.0 1091452 11824 ?       Ssl  01:02   0:00  \_ runc init
1337     129217  0.0  0.0 1091452 11828 ?       Ssl  01:04   0:00  \_ runc init
root       2815  0.0  0.0 1091708 11776 ?       Ssl  01:06   0:00  \_ runc init
1337       7161  0.0  0.0 1091452 11704 ?       Ssl  01:08   0:00  \_ runc init
root      11451  0.0  0.0 1091452 11724 ?       Ssl  01:10   0:00  \_ runc init
1337      16478  0.0  0.0 1091452 11764 ?       Ssl  01:12   0:00  \_ runc init
root      20776  0.0  0.0 1091708 11800 ?       Ssl  01:14   0:00  \_ runc init
1337      25362  0.0  0.0 1091452 11548 ?       Ssl  01:16   0:00  \_ runc init
root      29598  0.0  0.0 1091452 11908 ?       Ssl  01:18   0:00  \_ runc init
1337      33829  0.0  0.0 1091452 11764 ?       Ssl  01:20   0:00  \_ runc init
root      38301  0.0  0.0 1091708 11688 ?       Ssl  01:22   0:00  \_ runc init
1337      42831  0.0  0.0 1091452 11700 ?       Ssl  01:24   0:00  \_ runc init
root      48470  0.0  0.0 1091708 11944 ?       Ssl  01:26   0:00  \_ runc init
1337      52866  0.0  0.0 1091708 11764 ?       Ssl  01:28   0:00  \_ runc init
root      57250  0.0  0.0 1091708 11732 ?       Ssl  01:30   0:00  \_ runc init
1337      62072  0.0  0.0 1091708 11800 ?       Ssl  01:32   0:00  \_ runc init
root      66143  0.0  0.0 1091452 11688 ?       Ssl  01:34   0:00  \_ runc init
1337      70477  0.0  0.0 1091708 14284 ?       Ssl  01:36   0:00  \_ runc init
root      74886  0.0  0.0 1091644 14672 ?       Ssl  01:38   0:00  \_ runc init

I restarted containerd a few more times on another node and it started cleaning up the failing shims

containerd[78409]: time="2022-04-07T02:31:15.445513105Z" level=info msg="cleaning up dead shim"
containerd[78409]: time="2022-04-07T02:31:15.464364443Z" level=warning msg="cleanup warnings time=\"2022-04-07T02:31:15Z\" level=info msg=\"starting signal loop\" namespace=k8s.io pid=107245 runtime=io.containerd.runc.v2\n"
containerd[78409]: time="2022-04-07T02:31:15.468434905Z" level=debug msg="Loaded container {Metadata:{ID:a48e5d760c4588c66b6965a8a7939e9af4e49783b72e0d7982c9c1b33a4cf829 Name:bar
containerd[78409]: time="2022-04-07T02:31:15.469054837Z" level=debug msg="Start writing stream \"stdout\" to log file \"/var/log/pods/foo-54c9b8648-s88fb_15731558-9f0b-4426-a959-cf20398d4fac/istio-proxy/8.log\""
containerd[78409]: time="2022-04-07T02:31:15.469080786Z" level=debug msg="Start writing stream \"stderr\" to log file \"/var/log/pods/foo-54c9b8648-s88fb_15731558-9f0b-4426-a959-cf20398d4fac/istio-proxy/8.log\""
containerd[78409]: time="2022-04-07T02:31:15.488331399Z" level=debug msg="Finish piping stdout of container \"a48f4a11bdbba4dea174785a2e9a03d83295d6e3b31a6223af8f40a45be01c4c\""
containerd[78409]: time="2022-04-07T02:31:15.488332315Z" level=debug msg="Finish piping stderr of container \"a48f4a11bdbba4dea174785a2e9a03d83295d6e3b31a6223af8f40a45be01c4c\""
containerd[78409]: time="2022-04-07T02:31:15.488359718Z" level=debug msg="Getting EOF from stream \"stderr\" while redirecting to log file \"/var/log/pods/foo-54c9b8648-s88fb_15731558-9f0b-4426-a959-cf20398d4fac/istio-pro
containerd[78409]: time="2022-04-07T02:31:15.488368406Z" level=debug msg="Getting EOF from stream \"stdout\" while redirecting to log file \"/var/log/pods/foo-54c9b8648-s88fb_15731558-9f0b-4426-a959-cf20398d4fac/istio-pro
containerd[78409]: time="2022-04-07T02:31:15.488392594Z" level=debug msg="Finish redirecting stream \"stdout\" to log file \"/var/log/pods/foo-54c9b8648-s88fb_15731558-9f0b-4426-a959-cf20398d4fac/istio-proxy/8.log\""
containerd[78409]: time="2022-04-07T02:31:15.488383153Z" level=debug msg="Finish redirecting stream \"stderr\" to log file \"/var/log/pods/foo-54c9b8648-s88fb_15731558-9f0b-4426-a959-cf20398d4fac/istio-proxy/8.log\""
containerd[78409]: time="2022-04-07T02:31:15.488419332Z" level=debug msg="Finish redirecting log file \"/var/log/pods/foo-54c9b8648-s88fb_15731558-9f0b-4426-a959-cf20398d4fac/istio-proxy/8.log\", closing it"
containerd[78409]: time="2022-04-07T02:31:15.488796311Z" level=debug msg="event forwarded" ns=k8s.io topic=/tasks/exit type=containerd.events.TaskExit
containerd[78409]: time="2022-04-07T02:31:15.515193902Z" level=debug msg="event forwarded" ns=k8s.io topic=/tasks/delete type=containerd.events.TaskDelete
containerd[78409]: time="2022-04-07T02:31:15.515289746Z" level=info msg="shim disconnected" id=a48f4a11bdbba4dea174785a2e9a03d83295d6e3b31a6223af8f40a45be01c4c
containerd[78409]: time="2022-04-07T02:31:15.515319691Z" level=warning msg="cleaning up after shim disconnected" id=a48f4a11bdbba4dea174785a2e9a03d83295d6e3b31a6223af8f40a45be01c4c namespace=k8s.io
containerd[78409]: time="2022-04-07T02:31:15.515328867Z" level=info msg="cleaning up dead shim"
containerd[78409]: time="2022-04-07T02:31:15.534083132Z" level=warning msg="cleanup warnings time=\"2022-04-07T02:31:15Z\" level=info msg=\"starting signal loop\" namespace=k8s.io pid=107269 runtime=io.containerd.runc.v2\n"

another thing to note, this occurs on multiple nodes all at the same time... it's very odd.

[fuweid]

thanks. It is caused by dead lock in metrics so that there is no task.Start to kick runC-init. Seeking the solution to fix it.