vsock semantics

[jodh-intel]

Background

Whilst working on the agent tracing (#415), I noticed that occasionally the agent's gRPC server was not shutting down. This is a big problem for tracing since we need to guarantee a clean agent shutdown. Since the gRPC server is not shutting down, it is stopping the agent from finalising trace spans, meaning only partial trace information is being sent back to the Jaeger agent on the host.

Findings

From what I can see, the hang has nothing to do with the gRPC library, nor the existing agent code, nor the new agent tracing code: the problem appears to be vsock: toggling use_vsock = false in configuration.toml stops the hang.

Observed vsock behaviour in kata-agent

Tracing the agent code shows that deep in the bowels of the gRPC server, the following is happening:

lis, err := vsock.Listen(vSockPort)
err = grpcServer.Serve(lis)

And grpcServer.Serve() is doing this:

for {
    rawConn, err := lis.Accept()

    s.handleRawConn(rawConn)
}

Using a serial device or a unix domain socket, that Accept() call will fail when the client (the kata-runtime) disconnects, returning an error (a Yamux ErrSessionShutdown).

But with kata-runtime, vsock seemingly never fails at this point, always returning a new connection. As a result, the infinite loop never exits, ergo the hang.

It may be that we are mis-using vsock somehow or it may be that we're hitting a kernel bug with the vsock module.

Recreating the problem

To help debugging this issue, I've created a branch that:

• Allows the agent to be run stand-alone (and it also includes a ton of debug messages :)
• Provides a kata-agent-ctl command that provides just enough functionality to trigger the problem.

Agent

• Clone https://github.com/jodh-intel/agent-1/tree/run-on-host to $GOPATH/src/github.com/kata-containers/agent.
• Then:

  $ make clean && make

Testing

Test using a unix domain socket

• Start kata-agent (server)

  $ cd $GOPATH/src/github.com/kata-containers/agent
  $ ./kata-agent --debug --grpc-trace --channelPath unix:///tmp/kata-agent.sock --no-udev

• Start client

  $ cli/kata-agent-ctl --keep-alive --debug --agentAddress unix:///tmp/kata-agent.sock --enable-yamux

Running the client should display some output and exit. It should also cause the server to exit.

Test using a vsock socket

• Setup vsock on host

  $ sudo modprobe vhost_vsock
  $ sudo chmod 666 /dev/vhost-vsock /dev/vsock

• Start qemu with -device vhost-vsock-pci,id=vhost-vsock-pci0,guest-cid=3

• Start kata-agent server (inside qemu)

  $ sudo ./kata-agent --debug --grpc-trace --no-udev

• Start client (on host)

  $ sudo cli/kata-agent-ctl --keep-alive --debug

  (Note: the --keep-alive option doesn't appear to make life better fwics so that may be optional).

What you will probably find is that the behaviour is now erratic:

• Sometimes the server will exit when the client exits (as expected).
• Sometimes the server will not exit when the client exits, but re-running the client will cause the server and client to exit.
• Sometimes the server will not exit when the client exits and re-running the client will cause the server to immediately exit, but the client will then hang waiting for the server.

@stefanha - could you tal and sanity check the above? Is there anything obvious we're doing or not doing that might trigger behaviour like this? The agent file dealing with vsock is:

• https://github.com/kata-containers/agent/blob/master/channel.go

/cc @sboeuf, @mcastelino,

[jodh-intel]

@stefanha - fwics, this issue is likely a vsock kernel module issue but would value your input on it.

[devimc]

might be related to kata-containers/runtime#618

[jodh-intel]

Adding @asias and @bergwolf, since both seem to have contributed vsock code to the kernel and might be able to shed some light on this issue.

[stefanha]

I'm not sure I understand the issue correctly.

Imagine this was a TCP server listening on a socket. accept(2) would always wait for the next client connection until the listen socket itself is closed.

yamux using virtio-serial doesn't offer socket semantics, there is a single serial session for transporting data. Therefore yamux sees a "disconnect" when that session is ended.

But in a sockets world (TCP or vsock) the server will listen and accept new client connections until something shuts down the server.

Did I misunderstand?

[sboeuf]

@jodh-intel I agree with @stefanha here. We cannot expect the server to stop on its own because there's no one connected to it.
You mentioned to me earlier that stopping the server from outside a thread executing a gRPC call was working properly. So here is my proposal to fix the issue, hoping this will actually fix it...

I would start from agent.go a Go routine waiting on a channel to be closed. This Go routine would be simply started after the gRPC server has been properly started and is performing his duty of listening to incoming connections. The Go routine would be very simple, it would wait for a channel to be closed, and once this happens, it would call into server.GracefulStop(). Indeed, the point here being to make sure the pending gRPC call is completed and doesn't return an error, the GracefulStop() would be the most appropriate here. The definition of GracefulStop():

// GracefulStop stops the gRPC server gracefully. It stops the server from
// accepting new connections and RPCs and blocks until all the pending RPCs are
// finished.

We do need this function to block because the one responsible for the channel to be closed will be the gRPC function DestroySandbox(), and we want a proper answer to that call from a kata-runtime perspective.
Once the runtime disconnects from the socket after DestroySandbox() returned, I don't think any other gRPC call will be pending at this point, and this means the GracefulStop() should be able to proceed forward. It'd be smart to add a timeout on the GracefulStop() so that if it blocked for more than 30s, we would use the big hammer by invoking Stop(), here is the definition:

// Stop stops the gRPC server. It immediately closes all open
// connections and listeners.
// It cancels all active RPCs on the server side and the corresponding
// pending RPCs on the client side will get notified by connection
// errors.

Let me know your thoughts on this @jodh-intel. I'll submit a PR implementing what I just described, it should be pretty straightforward.

[sboeuf]

@jodh-intel here I've opened a PR that I believe should help with the matter: #448
Could you try this out with the code enabling the tracing and see if it helps 🤞