search

containerd / go-cni

A generic CNI library to provide APIs for CNI plugin interactions
Apache License 2.0
146 stars 56 forks source link

ip may be leaked when call RunPodSandbox failed #60

Open yylt opened 4 years ago

yylt commented 4 years ago

environments

cni configuration

{
  "name":"cni0",
  "cniVersion":"0.3.1",
  "plugins":[
    {
      "type":"flannel",
      "delegate":{
        "forceAddress":true,
        "hairpinMode": true,
        "isDefaultGateway":true
      }
    },
    {
      "type":"portmap",
      "capabilities":{
        "portMappings":true
      }
    }
  ]
}

containerd log

Oct 13 19:57:27 node-6 containerd: time="2020-10-13T19:57:27.000650503+08:00" level=error msg="Failed to destroy network for sandbox \"48579e8be48f4e17144c81e6750947513bd790985c3513a78a84d3569d94b33c\"" error="delegateDel: error invoking ConflistDel - \"cni0\": conflistDel: error in getting result from DelNetworkList: could not teardown ipv4 snat: running [/usr/sbin/iptables -t nat -N CNI-SN-789e45a28000a6e5f5d67 --wait]: exit status 4: iptables: Resource temporarily unavailable.\n"

expected

ip recycled

real

ip leaked

look like, this should be cni question, but cni plugins should return failed also

mikebrow commented 4 years ago

fyi we moved up to the latest cni, cni plugins, and cni config in containerd v1.4.1

were you running with containerd in -l debug mode?

temporarily unavailable sounds like a zombie process issue... qemu-kvm?

lots of variables here..

yylt commented 4 years ago

fyi we moved up to the latest cni, cni plugins, and cni config in containerd v1.4.1

were you running with containerd in -l debug mode?

temporarily unavailable sounds like a zombie process issue... qemu-kvm?

lots of variables here..

sorry for many info lost.

produce

  1. use kata-shim to run secure container. and the binary file qemu-kvm which used by kata-shim was removed sometime.
  2. now we create a secure pod
  3. journalctl -eu containerd -o cat will see RunPodSandbox failed, but the ip which had allocated was not recycled.
MikeZappa87 commented 2 years ago

In the error log, I see mentions of Deletion, however the command "/usr/sbin/iptables -t nat -N CNI-SN-789e45a28000a6e5f5d67 --wait" is creating a new iptables chain in the nat table which is an odd action when calling DEL. That error most likely came from the portmap plugin. When you say "ip leaked" is the error above preventing the ipam from reclaiming the ip address? I think flannel writes the currently used ip addresses to /var/lib/cni/networks? Are you seeing the ip address file to around after the pod is deleted?