kata-containers / runtime

Kata Containers version 1.x runtime (for version 2.x see https://github.com/kata-containers/kata-containers).
https://katacontainers.io/
Apache License 2.0
2.1k stars 375 forks source link

Kata-Firecracker -- long running processes get killed with code 137 #2240

Closed Dodan closed 4 years ago

Dodan commented 4 years ago

Description of problem

Hello! My team and I have been running some benchmarks on some various FaaS technologies using various containerization setups. We have been facing some stability issues when using Kata with Firecracker.

Bellow we have put together a simple scenario where a series of apt update/install commands, inside a kata-fc container running Ubuntu, will lead to the container receiving a sigkill.

We noticed that this behaviour replicates for other long running processes that we use (e.g. python http servers or using the containers shell interactively) but the easiest and most reliable way to replicate this was by running the packet manager.

Can you please have a look?

This is our setup:

CRI-O version: 1.15.3-dev  
Kata version: 1.9.1  
Firecracker version: 0.18.0 

This is the script we used to recreate the bug:

Show code: ```bash #!/bin/bash # kill_container.sh POD_ID=`crictl runp -r $1 pod.yaml` READY_STATUS=`crictl pods | grep busybox | grep Ready | wc -l` while [[ $READY_STATUS -ne 1 ]]; do READY_STATUS=`crictl pods | grep busybox | grep Ready | wc -l` done echo $POD_ID echo $READY_STATUS CONT_ID=`crictl create $POD_ID container.yaml pod.yaml` READY_STATUS=`crictl ps -a | grep busybox | grep Created | wc -l` while [[ $READY_STATUS -ne 1 ]]; do READY_STATUS=`crictl ps -a | grep busybox | grep Created | wc -l` done echo $CONT_ID echo $READY_STATUS EXEC_STATUS=`crictl exec -it $CONT_ID apt update` echo $EXEC_STATUS EXEC_STATUS=`crictl exec -it $CONT_ID apt install -y htop` echo $EXEC_STATUS EXEC_STATUS=`crictl exec -it $CONT_ID apt install -y build-essential` echo $EXEC_STATUS RM_STATUS=`crictl stop $CONT_ID && crictl rm $CONT_ID` echo $RM_STATUS RMP_STATUS=`crictl stopp $POD_ID && crictl rmp $POD_ID` echo $RMP_STATUS ```

Expected result

$ ./kill_container.sh runc
1f86cb87aee45fa63c8f44ef2f044e9a01f34ea21f6b2a6033325ff6cae19fbf
1
e30c6e2cb8aa5f3befc7837006ef470622c0507ca01009372030dc0bd87d10a7
1
 All packages are up to date.Done0%]ntu bionic-backports/universe amd64 Packages [4235 B]]]
Get:1 http://archive.ubuntu.com/ubuntu bionic/main amd64 liblocale-gettext-perl amd64 1.07-3build2 [16.6 Get:2 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 perl-modules-5.26 all 5.26.1-6ubuntu0.3 Get:5 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 libperl5.26 amd64 5.26.1-6ubuntu0.3 [352Get:9 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 libsqlite3-0 amd64 3.22.0-1ubuntu0.1 [49Get:10 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 libssl1.1 amd64 1.1.1-1ubuntu2.1~18.04.Get:14 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 binutils-common amd64 2.30-21ubuntu1~18Get:15 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 libbinutils amd64 2.30-21ubuntu1~18.04.Get:16 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 binutils-x86-64-linux-gnu amd64 2.30-21Get:17 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 binutils amd64 2.30-21ubuntu1~18.04.2 [Get:19 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 linux-libc-dev amd64 4.15.0-70.79 [1079Get:21 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 gcc-7-base amd64 7.4.0-1ubuntu1~18.04.1Get:25 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 cpp-7 amd64 7.4.0-1ubuntu1~18.04.1 [674Get:27 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 libcc1-0 amd64 8.3.0-6ubuntu1~18.04.1 [Get:28 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 libgomp1 amd64 8.3.0-6ubuntu1~18.04.1 [Get:29 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 libitm1 amd64 8.3.0-6ubuntu1~18.04.1 [2Get:30 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 libatomic1 amd64 8.3.0-6ubuntu1~18.04.1Get:31 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 libasan4 amd64 7.4.0-1ubuntu1~18.04.1 [Get:32 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 liblsan0 amd64 8.3.0-6ubuntu1~18.04.1 [Get:33 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 libtsan0 amd64 8.3.0-6ubuntu1~18.04.1 [Get:34 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 libubsan0 amd64 7.4.0-1ubuntu1~18.04.1 Get:35 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 libcilkrts5 amd64 7.4.0-1ubuntu1~18.04.Get:36 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 libmpx2 amd64 8.3.0-6ubuntu1~18.04.1 [1Get:37 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 libquadmath0 amd64 8.3.0-6ubuntu1~18.04Get:38 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 libgcc-7-dev amd64 7.4.0-1ubuntu1~18.04Get:39 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 gcc-7 amd64 7.4.0-1ubuntu1~18.04.1 [746Get:41 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 libstdc++-7-dev amd64 7.4.0-1ubuntu1~18Get:42 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 g++-7 amd64 7.4.0-1ubuntu1~18.04.1 [757Get:45 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 libdpkg-perl all 1.19.0.5ubuntu2.3 [211Get:54 http://archive.ubuntu.com/ubuntu bionic/main amd64 libheimbase1-heimdal amd64 7.5.0+dfsg-1 [29.3 kGet:55 http://archive.ubuntu.com/ubuntu bionic/main amd64 libhcrypto4-heimdal amd64 7.5.0+dfsg-1 [85.9 kBGet:59 http://archive.ubuntu.com/ubuntu bionic/main amd64 libheimntlm0-heimdal amd64 7.5.0+dfsg-1 [14.8 kGet:61 http://archive.ubuntu.com/ubuntu bionic/main amd64 libsasl2-modules-db amd64 2.1.27~101-g0780600+dGet:62 http://archive.ubuntu.com/ubuntu bionic/main amd64 libsasl2-2 amd64 2.1.27~101-g0780600+dfsg-3ubunGet:63 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 libldap-common all 2.4.45+dfsg-1ubuntu1Get:64 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 libldap-2.4-2 amd64 2.4.45+dfsg-1ubuntuGet:69 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 gnupg-l10n all 2.2.4-1ubuntu1.2 [49.6 kGet:70 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 gnupg-utils amd64 2.2.4-1ubuntu1.2 [127Get:73 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 gpg-agent amd64 2.2.4-1ubuntu1.2 [227 kGet:74 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 gpg-wks-client amd64 2.2.4-1ubuntu1.2 [Get:75 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 gpg-wks-server amd64 2.2.4-1ubuntu1.2 [Get:79 http://archive.ubuntu.com/ubuntu bionic/main amd64 libalgorithm-diff-xs-perl amd64 0.04-5 [11.1 kBGet:81 http://archive.ubuntu.com/ubuntu bionic/main amd64 libfile-fcntllock-perl amd64 0.22-3build2 [33.2Get:82 http://archive.ubuntu.com/ubuntu bionic/main amd64 libsasl2-modules amd64 2.1.27~101-g0780600+dfsg debconf: (No usable dialog-like program is installed, so the dialog based frontend cannot be used. at /u update-alternatives: warning: skip creation of /usr/share/man/man1/lzma.1.gz because associated file /us update-alternatives: warning: skip creation of /usr/share/man/man1/unlzma.1.gz because associated file / update-alternatives: warning: skip creation of /usr/share/man/man1/lzcat.1.gz because associated file /u update-alternatives: warning: skip creation of /usr/share/man/man1/lzmore.1.gz because associated file / update-alternatives: warning: skip creation of /usr/share/man/man1/lzless.1.gz because associated file / update-alternatives: warning: skip creation of /usr/share/man/man1/lzdiff.1.gz because associated file / update-alternatives: warning: skip creation of /usr/share/man/man1/lzcmp.1.gz because associated file /u update-alternatives: warning: skip creation of /usr/share/man/man1/lzgrep.1.gz because associated file / update-alternatives: warning: skip creation of /usr/share/man/man1/lzegrep.1.gz because associated file  update-alternatives: warning: skip creation of /usr/share/man/man1/lzfgrep.1.gz because associated file  update-alternatives: warning: skip creation of /usr/share/man/man1/fakeroot.1.gz because associated file update-alternatives: warning: skip creation of /usr/share/man/man1/faked.1.gz because associated file /u update-alternatives: warning: skip creation of /usr/share/man/es/man1/fakeroot.1.gz because associated f update-alternatives: warning: skip creation of /usr/share/man/es/man1/faked.1.gz because associated file update-alternatives: warning: skip creation of /usr/share/man/fr/man1/fakeroot.1.gz because associated f update-alternatives: warning: skip creation of /usr/share/man/fr/man1/faked.1.gz because associated file update-alternatives: warning: skip creation of /usr/share/man/sv/man1/fakeroot.1.gz because associated f update-alternatives: warning: skip creation of /usr/share/man/sv/man1/faked.1.gz because associated file update-alternatives: warning: skip creation of /usr/share/man/man1/c++.1.gz because associated file /usr Processing triggers for libc-bin (2.27-3ubuntu1) ...exist

e30c6e2cb8aa5f3befc7837006ef470622c0507ca01009372030dc0bd87d10a7 e30c6e2cb8aa5f3befc7837006ef470622c0507ca01009372030dc0bd87d10a7
Stopped sandbox 1f86cb87aee45fa63c8f44ef2f044e9a01f34ea21f6b2a6033325ff6cae19fbf Removed sandbox 1f86cb87aee45fa63c8f44ef2f044e9a01f34ea21f6b2a6033325ff6cae19fbf
$ ./kill_container.sh kata-qemu
e97d32e6d369e48e68537a5773eca0ad960d4ed8f18db34120e5867322ed4f4f
1
dbaca9a90b3158818b0c3ef2b1bce6ed9cdfe9163134c4dd7653d87cd8baf3e3
1
 All packages are up to date.Doneubuntu bionic-backports/universe amd64 Packages [4235 B]]]
Get:1 http://archive.ubuntu.com/ubuntu bionic/main amd64 liblocale-gettext-perl amd64 1.07-3build2 [16.6 Get:2 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 perl-modules-5.26 all 5.26.1-6ubuntu0.3 Get:5 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 libperl5.26 amd64 5.26.1-6ubuntu0.3 [352Get:9 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 libsqlite3-0 amd64 3.22.0-1ubuntu0.1 [49Get:10 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 libssl1.1 amd64 1.1.1-1ubuntu2.1~18.04.Get:14 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 binutils-common amd64 2.30-21ubuntu1~18Get:15 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 libbinutils amd64 2.30-21ubuntu1~18.04.Get:16 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 binutils-x86-64-linux-gnu amd64 2.30-21Get:17 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 binutils amd64 2.30-21ubuntu1~18.04.2 [Get:19 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 linux-libc-dev amd64 4.15.0-70.79 [1079Get:21 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 gcc-7-base amd64 7.4.0-1ubuntu1~18.04.1Get:25 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 cpp-7 amd64 7.4.0-1ubuntu1~18.04.1 [674Get:27 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 libcc1-0 amd64 8.3.0-6ubuntu1~18.04.1 [Get:28 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 libgomp1 amd64 8.3.0-6ubuntu1~18.04.1 [Get:29 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 libitm1 amd64 8.3.0-6ubuntu1~18.04.1 [2Get:30 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 libatomic1 amd64 8.3.0-6ubuntu1~18.04.1Get:31 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 libasan4 amd64 7.4.0-1ubuntu1~18.04.1 [Get:32 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 liblsan0 amd64 8.3.0-6ubuntu1~18.04.1 [Get:33 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 libtsan0 amd64 8.3.0-6ubuntu1~18.04.1 [Get:34 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 libubsan0 amd64 7.4.0-1ubuntu1~18.04.1 Get:35 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 libcilkrts5 amd64 7.4.0-1ubuntu1~18.04.Get:36 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 libmpx2 amd64 8.3.0-6ubuntu1~18.04.1 [1Get:37 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 libquadmath0 amd64 8.3.0-6ubuntu1~18.04Get:38 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 libgcc-7-dev amd64 7.4.0-1ubuntu1~18.04Get:39 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 gcc-7 amd64 7.4.0-1ubuntu1~18.04.1 [746Get:41 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 libstdc++-7-dev amd64 7.4.0-1ubuntu1~18Get:42 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 g++-7 amd64 7.4.0-1ubuntu1~18.04.1 [757Get:45 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 libdpkg-perl all 1.19.0.5ubuntu2.3 [211Get:54 http://archive.ubuntu.com/ubuntu bionic/main amd64 libheimbase1-heimdal amd64 7.5.0+dfsg-1 [29.3 kGet:55 http://archive.ubuntu.com/ubuntu bionic/main amd64 libhcrypto4-heimdal amd64 7.5.0+dfsg-1 [85.9 kBGet:59 http://archive.ubuntu.com/ubuntu bionic/main amd64 libheimntlm0-heimdal amd64 7.5.0+dfsg-1 [14.8 kGet:61 http://archive.ubuntu.com/ubuntu bionic/main amd64 libsasl2-modules-db amd64 2.1.27~101-g0780600+dGet:62 http://archive.ubuntu.com/ubuntu bionic/main amd64 libsasl2-2 amd64 2.1.27~101-g0780600+dfsg-3ubunGet:63 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 libldap-common all 2.4.45+dfsg-1ubuntu1Get:64 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 libldap-2.4-2 amd64 2.4.45+dfsg-1ubuntuGet:69 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 gnupg-l10n all 2.2.4-1ubuntu1.2 [49.6 kGet:70 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 gnupg-utils amd64 2.2.4-1ubuntu1.2 [127Get:73 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 gpg-agent amd64 2.2.4-1ubuntu1.2 [227 kGet:74 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 gpg-wks-client amd64 2.2.4-1ubuntu1.2 [Get:75 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 gpg-wks-server amd64 2.2.4-1ubuntu1.2 [Get:79 http://archive.ubuntu.com/ubuntu bionic/main amd64 libalgorithm-diff-xs-perl amd64 0.04-5 [11.1 kBGet:81 http://archive.ubuntu.com/ubuntu bionic/main amd64 libfile-fcntllock-perl amd64 0.22-3build2 [33.2Get:82 http://archive.ubuntu.com/ubuntu bionic/main amd64 libsasl2-modules amd64 2.1.27~101-g0780600+dfsg debconf: (No usable dialog-like program is installed, so the dialog based frontend cannot be used. at /u update-alternatives: warning: skip creation of /usr/share/man/man1/lzma.1.gz because associated file /us update-alternatives: warning: skip creation of /usr/share/man/man1/unlzma.1.gz because associated file / update-alternatives: warning: skip creation of /usr/share/man/man1/lzcat.1.gz because associated file /u update-alternatives: warning: skip creation of /usr/share/man/man1/lzmore.1.gz because associated file / update-alternatives: warning: skip creation of /usr/share/man/man1/lzless.1.gz because associated file / update-alternatives: warning: skip creation of /usr/share/man/man1/lzdiff.1.gz because associated file / update-alternatives: warning: skip creation of /usr/share/man/man1/lzcmp.1.gz because associated file /u update-alternatives: warning: skip creation of /usr/share/man/man1/lzgrep.1.gz because associated file / update-alternatives: warning: skip creation of /usr/share/man/man1/lzegrep.1.gz because associated file  update-alternatives: warning: skip creation of /usr/share/man/man1/lzfgrep.1.gz because associated file  update-alternatives: warning: skip creation of /usr/share/man/man1/fakeroot.1.gz because associated file update-alternatives: warning: skip creation of /usr/share/man/man1/faked.1.gz because associated file /u update-alternatives: warning: skip creation of /usr/share/man/es/man1/fakeroot.1.gz because associated f update-alternatives: warning: skip creation of /usr/share/man/es/man1/faked.1.gz because associated file update-alternatives: warning: skip creation of /usr/share/man/fr/man1/fakeroot.1.gz because associated f update-alternatives: warning: skip creation of /usr/share/man/fr/man1/faked.1.gz because associated file update-alternatives: warning: skip creation of /usr/share/man/sv/man1/fakeroot.1.gz because associated f update-alternatives: warning: skip creation of /usr/share/man/sv/man1/faked.1.gz because associated file update-alternatives: warning: skip creation of /usr/share/man/man1/c++.1.gz because associated file /usr Processing triggers for libc-bin (2.27-3ubuntu1) ...exist

dbaca9a90b3158818b0c3ef2b1bce6ed9cdfe9163134c4dd7653d87cd8baf3e3 dbaca9a90b3158818b0c3ef2b1bce6ed9cdfe9163134c4dd7653d87cd8baf3e3
Stopped sandbox e97d32e6d369e48e68537a5773eca0ad960d4ed8f18db34120e5867322ed4f4f Removed sandbox e97d32e6d369e48e68537a5773eca0ad960d4ed8f18db34120e5867322ed4f4f

Actual result

$ ./kill_container.sh kata-fc
573fee4f5d1c54fefe1c7c9fe82eecd223a10c2c23c6a74fc0f88a9bb98a5899
1
430b11e2069e48b829bf89530d0e14e70d85b2420054c7697494caf0994a8483
1
 All packages are up to date.Doneubuntu bionic-backports/main amd64 Packages [2496 B]5 B]]B]
FATA[0025] execing command in container failed: command terminated with exit code 137 
Get:1 http://archive.ubuntu.com/ubuntu bionic/main amd64 liblocale-gettext-perl amd64 1.07-3build2 [16.6 Get:2 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 perl-modules-5.26 all 5.26.1-6ubuntu0.3 Get:5 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 libperl5.26 amd64 5.26.1-6ubuntu0.3 [352Get:9 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 libsqlite3-0 amd64 3.22.0-1ubuntu0.1 [49Get:10 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 libssl1.1 amd64 1.1.1-1ubuntu2.1~18.04.Get:14 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 binutils-common amd64 2.30-21ubuntu1~18Get:15 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 libbinutils amd64 2.30-21ubuntu1~18.04.Get:16 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 binutils-x86-64-linux-gnu amd64 2.30-21Get:17 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 binutils amd64 2.30-21ubuntu1~18.04.2 [Get:19 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 linux-libc-dev amd64 4.15.0-70.79 [1079Get:21 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 gcc-7-base amd64 7.4.0-1ubuntu1~18.04.1Get:25 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 cpp-7 amd64 7.4.0-1ubuntu1~18.04.1 [674Get:27 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 libcc1-0 amd64 8.3.0-6ubuntu1~18.04.1 [Get:28 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 libgomp1 amd64 8.3.0-6ubuntu1~18.04.1 [Get:29 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 libitm1 amd64 8.3.0-6ubuntu1~18.04.1 [2Get:30 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 libatomic1 amd64 8.3.0-6ubuntu1~18.04.1Get:31 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 libasan4 amd64 7.4.0-1ubuntu1~18.04.1 [Get:32 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 liblsan0 amd64 8.3.0-6ubuntu1~18.04.1 [Get:33 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 libtsan0 amd64 8.3.0-6ubuntu1~18.04.1 [Get:34 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 libubsan0 amd64 7.4.0-1ubuntu1~18.04.1 Get:35 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 libcilkrts5 amd64 7.4.0-1ubuntu1~18.04.Get:36 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 libmpx2 amd64 8.3.0-6ubuntu1~18.04.1 [1Get:37 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 libquadmath0 amd64 8.3.0-6ubuntu1~18.04Get:38 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 libgcc-7-dev amd64 7.4.0-1ubuntu1~18.04Get:39 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 gcc-7 amd64 7.4.0-1ubuntu1~18.04.1 [746Get:41 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 libstdc++-7-dev amd64 7.4.0-1ubuntu1~18Get:42 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 g++-7 amd64 7.4.0-1ubuntu1~18.04.1 [757Get:45 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 libdpkg-perl all 1.19.0.5ubuntu2.3 [211Get:54 http://archive.ubuntu.com/ubuntu bionic/main amd64 libheimbase1-heimdal amd64 7.5.0+dfsg-1 [29.3 kGet:55 http://archive.ubuntu.com/ubuntu bionic/main amd64 libhcrypto4-heimdal amd64 7.5.0+dfsg-1 [85.9 kBGet:59 http://archive.ubuntu.com/ubuntu bionic/main amd64 libheimntlm0-heimdal amd64 7.5.0+dfsg-1 [14.8 kGet:61 http://archive.ubuntu.com/ubuntu bionic/main amd64 libsasl2-modules-db amd64 2.1.27~101-g0780600+dGet:62 http://archive.ubuntu.com/ubuntu bionic/main amd64 libsasl2-2 amd64 2.1.27~101-g0780600+dfsg-3ubunGet:63 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 libldap-common all 2.4.45+dfsg-1ubuntu1Get:64 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 libldap-2.4-2 amd64 2.4.45+dfsg-1ubuntuGet:69 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 gnupg-l10n all 2.2.4-1ubuntu1.2 [49.6 kGet:70 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 gnupg-utils amd64 2.2.4-1ubuntu1.2 [127Get:73 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 gpg-agent amd64 2.2.4-1ubuntu1.2 [227 kGet:74 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 gpg-wks-client amd64 2.2.4-1ubuntu1.2 [Get:75 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 gpg-wks-server amd64 2.2.4-1ubuntu1.2 [Get:79 http://archive.ubuntu.com/ubuntu bionic/main amd64 libalgorithm-diff-xs-perl amd64 0.04-5 [11.1 kBGet:81 http://archive.ubuntu.com/ubuntu bionic/main amd64 libfile-fcntllock-perl amd64 0.22-3build2 [33.2Get:82 http://archive.ubuntu.com/ubuntu bionic/main amd64 libsasl2-modules amd64 2.1.27~101-g0780600+dfsg Unpacking perl-modules-5.26 (5.26.1-6ubuntu0.3) ...-6ubuntu0.3_all.deb .....15-1 [2217 kB]

430b11e2069e48b829bf89530d0e14e70d85b2420054c7697494caf0994a8483 430b11e2069e48b829bf89530d0e14e70d85b2420054c7697494caf0994a8483
FATA[0060] stopping the pod sandbox "573fee4f5d1c54fefe1c7c9fe82eecd223a10c2c23c6a74fc0f88a9bb98a5899" failed: rpc error: code = Unknown desc = failed to stop infra container k8s_POD_busybox-sandbox_default_hdishd83djaidwnduwk28bcsc_1 in pod sandbox 573fee4f5d1c54fefe1c7c9fe82eecd223a10c2c23c6a74fc0f88a9bb98a5899: failed to stop container "573fee4f5d1c54fefe1c7c9fe82eecd223a10c2c23c6a74fc0f88a9bb98a5899": failed to find process: <nil>

Environment

These are the pod.yaml and container.yaml files we used:

$ vim pod.yaml
metadata:
  attempt: 1
  name: busybox-sandbox
  namespace: default
  uid: hdishd83djaidwnduwk28bcsc
log_directory: /tmp
linux:
  namespaces:
    options: {}
dns_config:
  servers:
    - 8.8.8.8
$ vim container.yaml
metadata:
  name: busybox
image:
  image: ubuntu:latest
command:
- top
log_path: busybox.0.log

These are the CRI-O network configuration file and crio.conf file we used:

$ vim /etc/cni/net.d/10-mynet.conf
{
    "cniVersion": "0.3.0",
    "name": "mynet",
    "type": "bridge",
    "bridge": "cni0",
    "isGateway": true,
    "ipMasq": true,
    "ipam": {
        "type": "host-local",
        "subnet": "10.22.0.0/16",
        "routes": [
            { "dst": "0.0.0.0/0" }
        ]
    }
}

This is the output of the kata-collect-data.sh script:

# Meta details Running `kata-collect-data.sh` version `1.9.1 (commit )` at `2019-11-21.13:16:44.154152320+0200`. --- Runtime is `/usr/bin/kata-runtime`. # `kata-env` Output of "`/usr/bin/kata-runtime kata-env`": ```toml [Meta] Version = "1.0.23" [Runtime] Debug = false Trace = false DisableGuestSeccomp = true DisableNewNetNs = false SandboxCgroupOnly = false Path = "/usr/bin/kata-runtime" [Runtime.Version] Semver = "1.9.1" Commit = "" OCI = "1.0.1-dev" [Runtime.Config] Path = "/usr/share/defaults/kata-containers/configuration.toml" [Hypervisor] MachineType = "pc" Version = "QEMU emulator version 4.1.0\nCopyright (c) 2003-2019 Fabrice Bellard and the QEMU Project developers" Path = "/usr/bin/qemu-vanilla-system-x86_64" BlockDeviceDriver = "virtio-scsi" EntropySource = "/dev/urandom" Msize9p = 8192 MemorySlots = 10 Debug = false UseVSock = false SharedFS = "virtio-9p" [Image] Path = "/usr/share/kata-containers/kata-containers-image_clearlinux_1.9.1_agent_d4bbd8007f.img" [Kernel] Path = "/usr/share/kata-containers/vmlinuz-4.19.75.54-5.container" Parameters = "systemd.unit=kata-containers.target systemd.mask=systemd-networkd.service systemd.mask=systemd-networkd.socket" [Initrd] Path = "" [Proxy] Type = "kataProxy" Version = "kata-proxy version 1.9.1-3285321" Path = "/usr/libexec/kata-containers/kata-proxy" Debug = false [Shim] Type = "kataShim" Version = "kata-shim version 1.9.1-712a345" Path = "/usr/libexec/kata-containers/kata-shim" Debug = false [Agent] Type = "kata" Debug = false Trace = false TraceMode = "" TraceType = "" [Host] Kernel = "5.2.2-050202-generic" Architecture = "amd64" VMContainerCapable = true SupportVSocks = true [Host.Distro] Name = "Ubuntu" Version = "18.04" [Host.CPU] Vendor = "GenuineIntel" Model = "Intel(R) Core(TM) i7-7700K CPU @ 4.20GHz" [Netmon] Version = "kata-netmon version 1.9.1" Path = "/usr/libexec/kata-containers/kata-netmon" Debug = false Enable = false ``` --- # Runtime config files ## Runtime default config files ``` /etc/kata-containers/configuration.toml /usr/share/defaults/kata-containers/configuration.toml ``` ## Runtime config file contents Config file `/etc/kata-containers/configuration.toml` not found Output of "`cat "/usr/share/defaults/kata-containers/configuration.toml"`": ```toml # Copyright (c) 2017-2019 Intel Corporation # # SPDX-License-Identifier: Apache-2.0 # # XXX: WARNING: this file is auto-generated. # XXX: # XXX: Source file: "cli/config/configuration-qemu.toml.in" # XXX: Project: # XXX: Name: Kata Containers # XXX: Type: kata [hypervisor.qemu] path = "/usr/bin/qemu-vanilla-system-x86_64" kernel = "/usr/share/kata-containers/vmlinuz.container" image = "/usr/share/kata-containers/kata-containers.img" machine_type = "pc" # Optional space-separated list of options to pass to the guest kernel. # For example, use `kernel_params = "vsyscall=emulate"` if you are having # trouble running pre-2.15 glibc. # # WARNING: - any parameter specified here will take priority over the default # parameter value of the same name used to start the virtual machine. # Do not set values here unless you understand the impact of doing so as you # may stop the virtual machine from booting. # To see the list of default parameters, enable hypervisor debug, create a # container and look for 'default-kernel-parameters' log entries. kernel_params = "" # Path to the firmware. # If you want that qemu uses the default firmware leave this option empty firmware = "" # Machine accelerators # comma-separated list of machine accelerators to pass to the hypervisor. # For example, `machine_accelerators = "nosmm,nosmbus,nosata,nopit,static-prt,nofw"` machine_accelerators="" # Default number of vCPUs per SB/VM: # unspecified or 0 --> will be set to 1 # < 0 --> will be set to the actual number of physical cores # > 0 <= number of physical cores --> will be set to the specified number # > number of physical cores --> will be set to the actual number of physical cores default_vcpus = 1 # Default maximum number of vCPUs per SB/VM: # unspecified or == 0 --> will be set to the actual number of physical cores or to the maximum number # of vCPUs supported by KVM if that number is exceeded # > 0 <= number of physical cores --> will be set to the specified number # > number of physical cores --> will be set to the actual number of physical cores or to the maximum number # of vCPUs supported by KVM if that number is exceeded # WARNING: Depending of the architecture, the maximum number of vCPUs supported by KVM is used when # the actual number of physical cores is greater than it. # WARNING: Be aware that this value impacts the virtual machine's memory footprint and CPU # the hotplug functionality. For example, `default_maxvcpus = 240` specifies that until 240 vCPUs # can be added to a SB/VM, but the memory footprint will be big. Another example, with # `default_maxvcpus = 8` the memory footprint will be small, but 8 will be the maximum number of # vCPUs supported by the SB/VM. In general, we recommend that you do not edit this variable, # unless you know what are you doing. default_maxvcpus = 0 # Bridges can be used to hot plug devices. # Limitations: # * Currently only pci bridges are supported # * Until 30 devices per bridge can be hot plugged. # * Until 5 PCI bridges can be cold plugged per VM. # This limitation could be a bug in qemu or in the kernel # Default number of bridges per SB/VM: # unspecified or 0 --> will be set to 1 # > 1 <= 5 --> will be set to the specified number # > 5 --> will be set to 5 default_bridges = 1 # Default memory size in MiB for SB/VM. # If unspecified then it will be set 2048 MiB. default_memory = 2048 # # Default memory slots per SB/VM. # If unspecified then it will be set 10. # This is will determine the times that memory will be hotadded to sandbox/VM. #memory_slots = 10 # The size in MiB will be plused to max memory of hypervisor. # It is the memory address space for the NVDIMM devie. # If set block storage driver (block_device_driver) to "nvdimm", # should set memory_offset to the size of block device. # Default 0 #memory_offset = 0 # Disable block device from being used for a container's rootfs. # In case of a storage driver like devicemapper where a container's # root file system is backed by a block device, the block device is passed # directly to the hypervisor for performance reasons. # This flag prevents the block device from being passed to the hypervisor, # 9pfs is used instead to pass the rootfs. disable_block_device_use = false # Shared file system type: # - virtio-9p (default) # - virtio-fs shared_fs = "virtio-9p" # Path to vhost-user-fs daemon. virtio_fs_daemon = "/usr/bin/virtiofsd" # Default size of DAX cache in MiB virtio_fs_cache_size = 1024 # Extra args for virtiofsd daemon # # Format example: # ["-o", "arg1=xxx,arg2", "-o", "hello world", "--arg3=yyy"] # # see `virtiofsd -h` for possible options. virtio_fs_extra_args = [] # Cache mode: # # - none # Metadata, data, and pathname lookup are not cached in guest. They are # always fetched from host and any changes are immediately pushed to host. # # - auto # Metadata and pathname lookup cache expires after a configured amount of # time (default is 1 second). Data is cached while the file is open (close # to open consistency). # # - always # Metadata, data, and pathname lookup are cached in guest and never expire. virtio_fs_cache = "always" # Block storage driver to be used for the hypervisor in case the container # rootfs is backed by a block device. This is virtio-scsi, virtio-blk # or nvdimm. block_device_driver = "virtio-scsi" # Specifies cache-related options will be set to block devices or not. # Default false #block_device_cache_set = true # Specifies cache-related options for block devices. # Denotes whether use of O_DIRECT (bypass the host page cache) is enabled. # Default false #block_device_cache_direct = true # Specifies cache-related options for block devices. # Denotes whether flush requests for the device are ignored. # Default false #block_device_cache_noflush = true # Enable iothreads (data-plane) to be used. This causes IO to be # handled in a separate IO thread. This is currently only implemented # for SCSI. # enable_iothreads = false # Enable pre allocation of VM RAM, default false # Enabling this will result in lower container density # as all of the memory will be allocated and locked # This is useful when you want to reserve all the memory # upfront or in the cases where you want memory latencies # to be very predictable # Default false #enable_mem_prealloc = true # Enable huge pages for VM RAM, default false # Enabling this will result in the VM memory # being allocated using huge pages. # This is useful when you want to use vhost-user network # stacks within the container. This will automatically # result in memory pre allocation #enable_hugepages = true # Enable file based guest memory support. The default is an empty string which # will disable this feature. In the case of virtio-fs, this is enabled # automatically and '/dev/shm' is used as the backing folder. # This option will be ignored if VM templating is enabled. #file_mem_backend = "" # Enable swap of vm memory. Default false. # The behaviour is undefined if mem_prealloc is also set to true #enable_swap = true # This option changes the default hypervisor and kernel parameters # to enable debug output where available. This extra output is added # to the proxy logs, but only when proxy debug is also enabled. # # Default false #enable_debug = true # Disable the customizations done in the runtime when it detects # that it is running on top a VMM. This will result in the runtime # behaving as it would when running on bare metal. # #disable_nesting_checks = true # This is the msize used for 9p shares. It is the number of bytes # used for 9p packet payload. #msize_9p = 8192 # If true and vsocks are supported, use vsocks to communicate directly # with the agent and no proxy is started, otherwise use unix # sockets and start a proxy to communicate with the agent. # Default false #use_vsock = true # VFIO devices are hotplugged on a bridge by default. # Enable hotplugging on root bus. This may be required for devices with # a large PCI bar, as this is a current limitation with hotplugging on # a bridge. This value is valid for "pc" machine type. # Default false #hotplug_vfio_on_root_bus = true # If host doesn't support vhost_net, set to true. Thus we won't create vhost fds for nics. # Default false #disable_vhost_net = true # # Default entropy source. # The path to a host source of entropy (including a real hardware RNG) # /dev/urandom and /dev/random are two main options. # Be aware that /dev/random is a blocking source of entropy. If the host # runs out of entropy, the VMs boot time will increase leading to get startup # timeouts. # The source of entropy /dev/urandom is non-blocking and provides a # generally acceptable source of entropy. It should work well for pretty much # all practical purposes. #entropy_source= "/dev/urandom" # Path to OCI hook binaries in the *guest rootfs*. # This does not affect host-side hooks which must instead be added to # the OCI spec passed to the runtime. # # You can create a rootfs with hooks by customizing the osbuilder scripts: # https://github.com/kata-containers/osbuilder # # Hooks must be stored in a subdirectory of guest_hook_path according to their # hook type, i.e. "guest_hook_path/{prestart,postart,poststop}". # The agent will scan these directories for executable files and add them, in # lexicographical order, to the lifecycle of the guest container. # Hooks are executed in the runtime namespace of the guest. See the official documentation: # https://github.com/opencontainers/runtime-spec/blob/v1.0.1/config.md#posix-platform-hooks # Warnings will be logged if any error is encountered will scanning for hooks, # but it will not abort container execution. #guest_hook_path = "/usr/share/oci/hooks" [factory] # VM templating support. Once enabled, new VMs are created from template # using vm cloning. They will share the same initial kernel, initramfs and # agent memory by mapping it readonly. It helps speeding up new container # creation and saves a lot of memory if there are many kata containers running # on the same host. # # When disabled, new VMs are created from scratch. # # Note: Requires "initrd=" to be set ("image=" is not supported). # # Default false #enable_template = true # Specifies the path of template. # # Default "/run/vc/vm/template" #template_path = "/run/vc/vm/template" # The number of caches of VMCache: # unspecified or == 0 --> VMCache is disabled # > 0 --> will be set to the specified number # # VMCache is a function that creates VMs as caches before using it. # It helps speed up new container creation. # The function consists of a server and some clients communicating # through Unix socket. The protocol is gRPC in protocols/cache/cache.proto. # The VMCache server will create some VMs and cache them by factory cache. # It will convert the VM to gRPC format and transport it when gets # requestion from clients. # Factory grpccache is the VMCache client. It will request gRPC format # VM and convert it back to a VM. If VMCache function is enabled, # kata-runtime will request VM from factory grpccache when it creates # a new sandbox. # # Default 0 #vm_cache_number = 0 # Specify the address of the Unix socket that is used by VMCache. # # Default /var/run/kata-containers/cache.sock #vm_cache_endpoint = "/var/run/kata-containers/cache.sock" [proxy.kata] path = "/usr/libexec/kata-containers/kata-proxy" # If enabled, proxy messages will be sent to the system log # (default: disabled) #enable_debug = true [shim.kata] path = "/usr/libexec/kata-containers/kata-shim" # If enabled, shim messages will be sent to the system log # (default: disabled) #enable_debug = true # If enabled, the shim will create opentracing.io traces and spans. # (See https://www.jaegertracing.io/docs/getting-started). # # Note: By default, the shim runs in a separate network namespace. Therefore, # to allow it to send trace details to the Jaeger agent running on the host, # it is necessary to set 'disable_new_netns=true' so that it runs in the host # network namespace. # # (default: disabled) #enable_tracing = true [agent.kata] # If enabled, make the agent display debug-level messages. # (default: disabled) #enable_debug = true # Enable agent tracing. # # If enabled, the default trace mode is "dynamic" and the # default trace type is "isolated". The trace mode and type are set # explicity with the `trace_type=` and `trace_mode=` options. # # Notes: # # - Tracing is ONLY enabled when `enable_tracing` is set: explicitly # setting `trace_mode=` and/or `trace_type=` without setting `enable_tracing` # will NOT activate agent tracing. # # - See https://github.com/kata-containers/agent/blob/master/TRACING.md for # full details. # # (default: disabled) #enable_tracing = true # #trace_mode = "dynamic" #trace_type = "isolated" # Comma separated list of kernel modules and their parameters. # These modules will be loaded in the guest kernel using modprobe(8). # The following example can be used to load two kernel modules with parameters # - kernel_modules=["e1000e InterruptThrottleRate=3000,3000,3000 EEE=1", "i915 enable_ppgtt=0"] # The first word is considered as the module name and the rest as its parameters. # Container will not be started when: # * A kernel module is specified and the modprobe command is not installed in the guest # or it fails loading the module. # * The module is not available in the guest or it doesn't met the guest kernel # requirements, like architecture and version. # kernel_modules=[] [netmon] # If enabled, the network monitoring process gets started when the # sandbox is created. This allows for the detection of some additional # network being added to the existing network namespace, after the # sandbox has been created. # (default: disabled) #enable_netmon = true # Specify the path to the netmon binary. path = "/usr/libexec/kata-containers/kata-netmon" # If enabled, netmon messages will be sent to the system log # (default: disabled) #enable_debug = true [runtime] # If enabled, the runtime will log additional debug messages to the # system log # (default: disabled) #enable_debug = true # # Internetworking model # Determines how the VM should be connected to the # the container network interface # Options: # # - bridged (Deprecated) # Uses a linux bridge to interconnect the container interface to # the VM. Works for most cases except macvlan and ipvlan. # ***NOTE: This feature has been deprecated with plans to remove this # feature in the future. Please use other network models listed below. # # - macvtap # Used when the Container network interface can be bridged using # macvtap. # # - none # Used when customize network. Only creates a tap device. No veth pair. # # - tcfilter # Uses tc filter rules to redirect traffic from the network interface # provided by plugin to a tap interface connected to the VM. # internetworking_model="tcfilter" # disable guest seccomp # Determines whether container seccomp profiles are passed to the virtual # machine and applied by the kata agent. If set to true, seccomp is not applied # within the guest # (default: true) disable_guest_seccomp=true # If enabled, the runtime will create opentracing.io traces and spans. # (See https://www.jaegertracing.io/docs/getting-started). # (default: disabled) #enable_tracing = true # If enabled, the runtime will not create a network namespace for shim and hypervisor processes. # This option may have some potential impacts to your host. It should only be used when you know what you're doing. # `disable_new_netns` conflicts with `enable_netmon` # `disable_new_netns` conflicts with `internetworking_model=bridged` and `internetworking_model=macvtap`. It works only # with `internetworking_model=none`. The tap device will be in the host network namespace and can connect to a bridge # (like OVS) directly. # If you are using docker, `disable_new_netns` only works with `docker run --net=none` # (default: false) #disable_new_netns = true # if enabled, the runtime will add all the kata processes inside one dedicated cgroup. # The container cgroups in the host are not created, just one single cgroup per sandbox. # The sandbox cgroup is not constrained by the runtime # The runtime caller is free to restrict or collect cgroup stats of the overall Kata sandbox. # The sandbox cgroup path is the parent cgroup of a container with the PodSandbox annotation. # See: https://godoc.org/github.com/kata-containers/runtime/virtcontainers#ContainerType sandbox_cgroup_only=false # Enabled experimental feature list, format: ["a", "b"]. # Experimental features are features not stable enough for production, # They may break compatibility, and are prepared for a big version bump. # Supported experimental features: # 1. "newstore": new persist storage driver which breaks backward compatibility, # expected to move out of experimental in 2.0.0. # (default: []) experimental=[] ``` --- # KSM throttler ## version Output of "`/usr/libexec/kata-ksm-throttler/kata-ksm-throttler --version`": ``` kata-ksm-throttler version 1.9.1-1790d98 ``` ## systemd service # Image details ```yaml --- osbuilder: url: "https://github.com/kata-containers/osbuilder" version: "unknown" rootfs-creation-time: "2019-11-06T04:45:14.191056602+0000Z" description: "osbuilder rootfs" file-format-version: "0.0.2" architecture: "x86_64" base-distro: name: "Clear" version: "31470" packages: default: - "chrony" - "iptables-bin" - "kmod-bin" - "libudev0-shim" - "systemd" - "util-linux-bin" extra: agent: url: "https://github.com/kata-containers/agent" name: "kata-agent" version: "1.9.1-d4bbd8007fddd06616f81d1069126ab28bd8c9b5" agent-is-init-daemon: "no" ``` --- # Initrd details No initrd --- # Logfiles ## Runtime logs Recent runtime problems found in system journal: ``` time="2019-11-20T16:56:16.139818504+02:00" level=info msg="sanner return error: read unix @->/run/vc/vm/cbb87d0019f7bb7d0dd3cbb7439544b29d35cfafbcbb1cd067069e485a3a629a/qmp.sock: use of closed network connection" arch=amd64 command=create container=48a949a59ab391d783e53c904286807dec83b2af7969c1439b21f23c5d48b851 name=kata-runtime pid=5824 source=virtcontainers subsystem=qmp time="2019-11-20T16:56:16.161030899+02:00" level=error msg="Unable to determine if running rootless" arch=amd64 command=state container=48a949a59ab391d783e53c904286807dec83b2af7969c1439b21f23c5d48b851 error="Failed to parse uid map file /proc/self/uid_map" name=kata-runtime pid=5895 source=rootless time="2019-11-20T16:56:16.194212681+02:00" level=error msg="Unable to determine if running rootless" arch=amd64 command=state container=48a949a59ab391d783e53c904286807dec83b2af7969c1439b21f23c5d48b851 error="Failed to parse uid map file /proc/self/uid_map" name=kata-runtime pid=5935 source=rootless time="2019-11-20T16:56:16.216456517+02:00" level=error msg="Unable to determine if running rootless" arch=amd64 command=exec container=48a949a59ab391d783e53c904286807dec83b2af7969c1439b21f23c5d48b851 error="Failed to parse uid map file /proc/self/uid_map" name=kata-runtime pid=5945 source=rootless time="2019-11-20T16:56:20.979800803+02:00" level=error msg="Unable to determine if running rootless" arch=amd64 command=state container=48a949a59ab391d783e53c904286807dec83b2af7969c1439b21f23c5d48b851 error="Failed to parse uid map file /proc/self/uid_map" name=kata-runtime pid=6040 source=rootless time="2019-11-20T16:56:21.019708048+02:00" level=error msg="Unable to determine if running rootless" arch=amd64 command=exec container=48a949a59ab391d783e53c904286807dec83b2af7969c1439b21f23c5d48b851 error="Failed to parse uid map file /proc/self/uid_map" name=kata-runtime pid=6050 source=rootless time="2019-11-20T16:56:22.290257643+02:00" level=error msg="Unable to determine if running rootless" arch=amd64 command=state container=48a949a59ab391d783e53c904286807dec83b2af7969c1439b21f23c5d48b851 error="Failed to parse uid map file /proc/self/uid_map" name=kata-runtime pid=6090 source=rootless time="2019-11-20T16:56:22.338472175+02:00" level=error msg="Unable to determine if running rootless" arch=amd64 command=exec container=48a949a59ab391d783e53c904286807dec83b2af7969c1439b21f23c5d48b851 error="Failed to parse uid map file /proc/self/uid_map" name=kata-runtime pid=6104 source=rootless time="2019-11-20T16:56:51.015439292+02:00" level=error msg="Unable to determine if running rootless" arch=amd64 command=kill container=48a949a59ab391d783e53c904286807dec83b2af7969c1439b21f23c5d48b851 error="Failed to parse uid map file /proc/self/uid_map" name=kata-runtime pid=6379 source=rootless time="2019-11-20T16:56:51.258442706+02:00" level=warning msg="no such file or directory: /run/kata-containers/shared/sandboxes/cbb87d0019f7bb7d0dd3cbb7439544b29d35cfafbcbb1cd067069e485a3a629a/48a949a59ab391d783e53c904286807dec83b2af7969c1439b21f23c5d48b851/rootfs" time="2019-11-20T16:56:51.261164253+02:00" level=info msg="sanner return error: read unix @->/run/vc/vm/cbb87d0019f7bb7d0dd3cbb7439544b29d35cfafbcbb1cd067069e485a3a629a/qmp.sock: use of closed network connection" arch=amd64 command=kill container=48a949a59ab391d783e53c904286807dec83b2af7969c1439b21f23c5d48b851 name=kata-runtime pid=6379 sandbox=cbb87d0019f7bb7d0dd3cbb7439544b29d35cfafbcbb1cd067069e485a3a629a source=virtcontainers subsystem=qmp time="2019-11-20T16:56:51.281381978+02:00" level=error msg="Unable to determine if running rootless" arch=amd64 command=state container=48a949a59ab391d783e53c904286807dec83b2af7969c1439b21f23c5d48b851 error="Failed to parse uid map file /proc/self/uid_map" name=kata-runtime pid=6395 source=rootless time="2019-11-20T16:56:51.303703337+02:00" level=error msg="Unable to determine if running rootless" arch=amd64 command=state container=48a949a59ab391d783e53c904286807dec83b2af7969c1439b21f23c5d48b851 error="Failed to parse uid map file /proc/self/uid_map" name=kata-runtime pid=6406 source=rootless time="2019-11-20T16:56:51.325899519+02:00" level=error msg="Unable to determine if running rootless" arch=amd64 command=state container=48a949a59ab391d783e53c904286807dec83b2af7969c1439b21f23c5d48b851 error="Failed to parse uid map file /proc/self/uid_map" name=kata-runtime pid=6417 source=rootless time="2019-11-20T16:56:51.406805859+02:00" level=error msg="Unable to determine if running rootless" arch=amd64 command=state container=48a949a59ab391d783e53c904286807dec83b2af7969c1439b21f23c5d48b851 error="Failed to parse uid map file /proc/self/uid_map" name=kata-runtime pid=6430 source=rootless time="2019-11-20T16:56:51.438136537+02:00" level=error msg="Unable to determine if running rootless" arch=amd64 command=delete container=48a949a59ab391d783e53c904286807dec83b2af7969c1439b21f23c5d48b851 error="Failed to parse uid map file /proc/self/uid_map" name=kata-runtime pid=6448 source=rootless time="2019-11-20T16:56:51.803411306+02:00" level=error msg="Unable to determine if running rootless" arch=amd64 command=kill container=cbb87d0019f7bb7d0dd3cbb7439544b29d35cfafbcbb1cd067069e485a3a629a error="Failed to parse uid map file /proc/self/uid_map" name=kata-runtime pid=6538 source=rootless time="2019-11-20T16:56:51.930154543+02:00" level=warning msg="no such file or directory: /run/kata-containers/shared/sandboxes/cbb87d0019f7bb7d0dd3cbb7439544b29d35cfafbcbb1cd067069e485a3a629a/cbb87d0019f7bb7d0dd3cbb7439544b29d35cfafbcbb1cd067069e485a3a629a/rootfs" time="2019-11-20T16:56:51.966157128+02:00" level=info msg="sanner return error: read unix @->/run/vc/vm/cbb87d0019f7bb7d0dd3cbb7439544b29d35cfafbcbb1cd067069e485a3a629a/qmp.sock: use of closed network connection" arch=amd64 command=kill container=cbb87d0019f7bb7d0dd3cbb7439544b29d35cfafbcbb1cd067069e485a3a629a name=kata-runtime pid=6538 sandbox=cbb87d0019f7bb7d0dd3cbb7439544b29d35cfafbcbb1cd067069e485a3a629a source=virtcontainers subsystem=qmp time="2019-11-20T16:56:52.007619659+02:00" level=error msg="Unable to determine if running rootless" arch=amd64 command=state container=cbb87d0019f7bb7d0dd3cbb7439544b29d35cfafbcbb1cd067069e485a3a629a error="Failed to parse uid map file /proc/self/uid_map" name=kata-runtime pid=6556 source=rootless time="2019-11-20T16:56:52.031836752+02:00" level=error msg="Unable to determine if running rootless" arch=amd64 command=state container=cbb87d0019f7bb7d0dd3cbb7439544b29d35cfafbcbb1cd067069e485a3a629a error="Failed to parse uid map file /proc/self/uid_map" name=kata-runtime pid=6566 source=rootless time="2019-11-20T16:56:52.053128995+02:00" level=error msg="Unable to determine if running rootless" arch=amd64 command=state container=cbb87d0019f7bb7d0dd3cbb7439544b29d35cfafbcbb1cd067069e485a3a629a error="Failed to parse uid map file /proc/self/uid_map" name=kata-runtime pid=6580 source=rootless time="2019-11-20T16:56:52.133652884+02:00" level=error msg="Unable to determine if running rootless" arch=amd64 command=state container=cbb87d0019f7bb7d0dd3cbb7439544b29d35cfafbcbb1cd067069e485a3a629a error="Failed to parse uid map file /proc/self/uid_map" name=kata-runtime pid=6591 source=rootless time="2019-11-20T16:56:52.161385919+02:00" level=error msg="Unable to determine if running rootless" arch=amd64 command=delete container=cbb87d0019f7bb7d0dd3cbb7439544b29d35cfafbcbb1cd067069e485a3a629a error="Failed to parse uid map file /proc/self/uid_map" name=kata-runtime pid=6611 source=rootless time="2019-11-20T16:56:52.165191802+02:00" level=warning msg="sandox cgroups path is empty" arch=amd64 command=delete container=cbb87d0019f7bb7d0dd3cbb7439544b29d35cfafbcbb1cd067069e485a3a629a name=kata-runtime pid=6611 sandbox=cbb87d0019f7bb7d0dd3cbb7439544b29d35cfafbcbb1cd067069e485a3a629a source=virtcontainers subsystem=sandbox time="2019-11-20T16:57:43.429333507+02:00" level=error msg="Unable to determine if running rootless" arch=amd64 command=create container=debace6e6d77091ad762ee16388dd6e83adda87b1202f197e496a47cc35decad error="Failed to parse uid map file /proc/self/uid_map" name=kata-runtime pid=7130 source=rootless time="2019-11-20T16:57:43.430543803+02:00" level=info msg="No info could be fetched" arch=amd64 command=create container=debace6e6d77091ad762ee16388dd6e83adda87b1202f197e496a47cc35decad error="open /run/vc/sbs/debace6e6d77091ad762ee16388dd6e83adda87b1202f197e496a47cc35decad/hypervisor.json: no such file or directory" function=init name=kata-runtime pid=7130 source=virtcontainers subsystem=firecracker time="2019-11-20T16:57:43.43061359+02:00" level=warning msg="load sandbox devices failed" arch=amd64 command=create container=debace6e6d77091ad762ee16388dd6e83adda87b1202f197e496a47cc35decad error="open /run/vc/sbs/debace6e6d77091ad762ee16388dd6e83adda87b1202f197e496a47cc35decad/devices.json: no such file or directory" name=kata-runtime pid=7130 sandbox=debace6e6d77091ad762ee16388dd6e83adda87b1202f197e496a47cc35decad sandboxid=debace6e6d77091ad762ee16388dd6e83adda87b1202f197e496a47cc35decad source=virtcontainers subsystem=sandbox time="2019-11-20T16:57:45.096330805+02:00" level=warning msg="unsupported address" address="fe80::e4c2:7ff:feae:d755/64" arch=amd64 command=create container=debace6e6d77091ad762ee16388dd6e83adda87b1202f197e496a47cc35decad name=kata-runtime pid=7130 source=virtcontainers subsystem=network unsupported-address-type=ipv6 time="2019-11-20T16:57:45.18655684+02:00" level=warning msg="sandbox's cgroup won't be updated: cgroup path is empty" arch=amd64 command=create container=debace6e6d77091ad762ee16388dd6e83adda87b1202f197e496a47cc35decad name=kata-runtime pid=7130 sandbox=debace6e6d77091ad762ee16388dd6e83adda87b1202f197e496a47cc35decad source=virtcontainers subsystem=sandbox time="2019-11-20T16:57:45.209815781+02:00" level=error msg="Unable to determine if running rootless" arch=amd64 command=start container=debace6e6d77091ad762ee16388dd6e83adda87b1202f197e496a47cc35decad error="Failed to parse uid map file /proc/self/uid_map" name=kata-runtime pid=7197 source=rootless time="2019-11-20T16:57:45.235921188+02:00" level=error msg="Unable to determine if running rootless" arch=amd64 command=state container=debace6e6d77091ad762ee16388dd6e83adda87b1202f197e496a47cc35decad error="Failed to parse uid map file /proc/self/uid_map" name=kata-runtime pid=7225 source=rootless time="2019-11-20T16:57:45.338397324+02:00" level=error msg="Unable to determine if running rootless" arch=amd64 command=create container=fd8ae5fe68859b601a0399a7341250d42ffd7f693b8da599bf11d55c9d508c3a error="Failed to parse uid map file /proc/self/uid_map" name=kata-runtime pid=7298 source=rootless time="2019-11-20T16:57:45.455531243+02:00" level=warning msg="sandbox's cgroup won't be updated: cgroup path is empty" arch=amd64 command=create container=fd8ae5fe68859b601a0399a7341250d42ffd7f693b8da599bf11d55c9d508c3a name=kata-runtime pid=7298 sandbox=debace6e6d77091ad762ee16388dd6e83adda87b1202f197e496a47cc35decad source=virtcontainers subsystem=sandbox time="2019-11-20T16:57:45.477639709+02:00" level=error msg="Unable to determine if running rootless" arch=amd64 command=state container=fd8ae5fe68859b601a0399a7341250d42ffd7f693b8da599bf11d55c9d508c3a error="Failed to parse uid map file /proc/self/uid_map" name=kata-runtime pid=7335 source=rootless time="2019-11-20T16:57:45.509106093+02:00" level=error msg="Unable to determine if running rootless" arch=amd64 command=state container=fd8ae5fe68859b601a0399a7341250d42ffd7f693b8da599bf11d55c9d508c3a error="Failed to parse uid map file /proc/self/uid_map" name=kata-runtime pid=7371 source=rootless time="2019-11-20T16:57:45.531380345+02:00" level=error msg="Unable to determine if running rootless" arch=amd64 command=exec container=fd8ae5fe68859b601a0399a7341250d42ffd7f693b8da599bf11d55c9d508c3a error="Failed to parse uid map file /proc/self/uid_map" name=kata-runtime pid=7387 source=rootless time="2019-11-20T16:57:50.596900919+02:00" level=error msg="Unable to determine if running rootless" arch=amd64 command=state container=fd8ae5fe68859b601a0399a7341250d42ffd7f693b8da599bf11d55c9d508c3a error="Failed to parse uid map file /proc/self/uid_map" name=kata-runtime pid=7483 source=rootless time="2019-11-20T16:57:50.619147205+02:00" level=error msg="Unable to determine if running rootless" arch=amd64 command=exec container=fd8ae5fe68859b601a0399a7341250d42ffd7f693b8da599bf11d55c9d508c3a error="Failed to parse uid map file /proc/self/uid_map" name=kata-runtime pid=7494 source=rootless time="2019-11-20T16:57:52.235073553+02:00" level=error msg="Unable to determine if running rootless" arch=amd64 command=state container=fd8ae5fe68859b601a0399a7341250d42ffd7f693b8da599bf11d55c9d508c3a error="Failed to parse uid map file /proc/self/uid_map" name=kata-runtime pid=7541 source=rootless time="2019-11-20T16:57:52.257572702+02:00" level=error msg="Unable to determine if running rootless" arch=amd64 command=exec container=fd8ae5fe68859b601a0399a7341250d42ffd7f693b8da599bf11d55c9d508c3a error="Failed to parse uid map file /proc/self/uid_map" name=kata-runtime pid=7552 source=rootless time="2019-11-20T16:58:16.213042279+02:00" level=error msg="Unable to determine if running rootless" arch=amd64 command=kill container=fd8ae5fe68859b601a0399a7341250d42ffd7f693b8da599bf11d55c9d508c3a error="Failed to parse uid map file /proc/self/uid_map" name=kata-runtime pid=7758 source=rootless time="2019-11-20T16:59:16.89456462+02:00" level=error msg="rpc error: code = DeadlineExceeded desc = context deadline exceeded" arch=amd64 command=kill container=fd8ae5fe68859b601a0399a7341250d42ffd7f693b8da599bf11d55c9d508c3a name=kata-runtime pid=7758 sandbox=debace6e6d77091ad762ee16388dd6e83adda87b1202f197e496a47cc35decad source=runtime time="2019-11-20T16:59:16.926053649+02:00" level=error msg="Unable to determine if running rootless" arch=amd64 command=state container=fd8ae5fe68859b601a0399a7341250d42ffd7f693b8da599bf11d55c9d508c3a error="Failed to parse uid map file /proc/self/uid_map" name=kata-runtime pid=8245 source=rootless time="2019-11-20T16:59:16.949550658+02:00" level=error msg="Unable to determine if running rootless" arch=amd64 command=state container=fd8ae5fe68859b601a0399a7341250d42ffd7f693b8da599bf11d55c9d508c3a error="Failed to parse uid map file /proc/self/uid_map" name=kata-runtime pid=8258 source=rootless time="2019-11-20T16:59:16.971720553+02:00" level=error msg="Unable to determine if running rootless" arch=amd64 command=state container=fd8ae5fe68859b601a0399a7341250d42ffd7f693b8da599bf11d55c9d508c3a error="Failed to parse uid map file /proc/self/uid_map" name=kata-runtime pid=8269 source=rootless time="2019-11-20T16:59:16.994159919+02:00" level=error msg="Unable to determine if running rootless" arch=amd64 command=state container=fd8ae5fe68859b601a0399a7341250d42ffd7f693b8da599bf11d55c9d508c3a error="Failed to parse uid map file /proc/self/uid_map" name=kata-runtime pid=8280 source=rootless time="2019-11-20T16:59:17.020321872+02:00" level=error msg="Unable to determine if running rootless" arch=amd64 command=delete container=fd8ae5fe68859b601a0399a7341250d42ffd7f693b8da599bf11d55c9d508c3a error="Failed to parse uid map file /proc/self/uid_map" name=kata-runtime pid=8298 source=rootless time="2019-11-20T16:59:17.224311093+02:00" level=error msg="Unable to determine if running rootless" arch=amd64 command=kill container=debace6e6d77091ad762ee16388dd6e83adda87b1202f197e496a47cc35decad error="Failed to parse uid map file /proc/self/uid_map" name=kata-runtime pid=8354 source=rootless time="2019-11-20T17:00:17.438161896+02:00" level=error msg="rpc error: code = DeadlineExceeded desc = context deadline exceeded" arch=amd64 command=kill container=debace6e6d77091ad762ee16388dd6e83adda87b1202f197e496a47cc35decad name=kata-runtime pid=8354 sandbox=debace6e6d77091ad762ee16388dd6e83adda87b1202f197e496a47cc35decad source=runtime ``` ## Proxy logs Recent proxy problems found in system journal: ``` time="2019-10-04T16:43:54.785672216+03:00" level=fatal msg="failed to handle exit signal" error="close unix @->/run/vc/vm/43b8540fb19e973c3e72168b11a69096fb54bd51fbddbd4b2a6c6b607f436465/kata.sock: use of closed network connection" name=kata-proxy pid=3661 sandbox=43b8540fb19e973c3e72168b11a69096fb54bd51fbddbd4b2a6c6b607f436465 source=proxy time="2019-10-04T16:44:00.239702542+03:00" level=fatal msg="failed to handle exit signal" error="close unix @->/run/vc/vm/ea5c5266c50c103d07dc65e2fae3aa5832589f0e97865db51b19869f25a04371/kata.sock: use of closed network connection" name=kata-proxy pid=4358 sandbox=ea5c5266c50c103d07dc65e2fae3aa5832589f0e97865db51b19869f25a04371 source=proxy time="2019-10-04T16:44:35.696908656+03:00" level=fatal msg="failed to handle exit signal" error="close unix @->/run/vc/vm/4af291be48f340ac1c1938b014bd43a0fe77e9d02c29fb9ce7f01824fd461f41/kata.sock: use of closed network connection" name=kata-proxy pid=3025 sandbox=4af291be48f340ac1c1938b014bd43a0fe77e9d02c29fb9ce7f01824fd461f41 source=proxy time="2019-10-04T16:45:44.534673011+03:00" level=fatal msg="failed to handle exit signal" error="close unix @->/run/vc/vm/6e26a392d26c4724514dc01c5c764955fc95e2e95eb0bb26ef0d7792152b25c7/kata.sock: use of closed network connection" name=kata-proxy pid=4235 sandbox=6e26a392d26c4724514dc01c5c764955fc95e2e95eb0bb26ef0d7792152b25c7 source=proxy time="2019-10-04T16:45:49.106445135+03:00" level=fatal msg="failed to handle exit signal" error="close unix @->/run/vc/vm/b65ace984e1e33d16c3430bd8748b380bec5da890b9d85038037e9dee419c52a/kata.sock: use of closed network connection" name=kata-proxy pid=4911 sandbox=b65ace984e1e33d16c3430bd8748b380bec5da890b9d85038037e9dee419c52a source=proxy time="2019-10-09T11:24:27.439417777+03:00" level=fatal msg="failed to handle exit signal" error="close unix @->/run/vc/vm/cd082b4dfd8482310013fa7ad2d3d5961dcabd28b4dd09728671f4edbfd18cb8/kata.sock: use of closed network connection" name=kata-proxy pid=11353 sandbox=cd082b4dfd8482310013fa7ad2d3d5961dcabd28b4dd09728671f4edbfd18cb8 source=proxy time="2019-10-09T13:01:50.241507288+03:00" level=fatal msg="failed to handle exit signal" error="close unix @->/run/vc/vm/76ba5531abfb6a0321bb52afe3964749d0ce31df41a7b4b37bc57efc09f9f04c/kata.sock: use of closed network connection" name=kata-proxy pid=14606 sandbox=76ba5531abfb6a0321bb52afe3964749d0ce31df41a7b4b37bc57efc09f9f04c source=proxy time="2019-10-09T13:52:37.603819234+03:00" level=fatal msg="channel error" error="accept unix /run/vc/sbs/986b6fecf9962de83f6881a1140831b126c69a5acdd8b26e121d409430f730cf/proxy.sock: use of closed network connection" name=kata-proxy pid=24712 sandbox=986b6fecf9962de83f6881a1140831b126c69a5acdd8b26e121d409430f730cf source=proxy time="2019-10-09T13:52:41.384928372+03:00" level=fatal msg="failed to handle exit signal" error="close unix @->/run/vc/vm/4729a3551407b26f57df63684a473ed2715c2c2db1aa1ce21f7beaf5c99fd65e/kata.sock: use of closed network connection" name=kata-proxy pid=25401 sandbox=4729a3551407b26f57df63684a473ed2715c2c2db1aa1ce21f7beaf5c99fd65e source=proxy time="2019-10-09T13:59:05.758548655+03:00" level=fatal msg="failed to handle exit signal" error="close unix @->/run/vc/vm/4b06f91799ee8259b3b4de7abe072b98d986f0afe8580634c4d4fffd19b5cd69/kata.sock: use of closed network connection" name=kata-proxy pid=7082 sandbox=4b06f91799ee8259b3b4de7abe072b98d986f0afe8580634c4d4fffd19b5cd69 source=proxy time="2019-10-09T13:59:13.407168851+03:00" level=fatal msg="failed to handle exit signal" error="close unix @->/run/vc/vm/d0ad40a66a97e9f258c07c2bec158f7b792e827ab1c0b21d653cb73bb3e5b209/kata.sock: use of closed network connection" name=kata-proxy pid=7780 sandbox=d0ad40a66a97e9f258c07c2bec158f7b792e827ab1c0b21d653cb73bb3e5b209 source=proxy time="2019-10-09T14:18:17.003290149+03:00" level=fatal msg="failed to handle exit signal" error="close unix @->/run/vc/vm/9bf52524dc2dac5d9765289760e1e17281be994822409d885496392c80fd77f4/kata.sock: use of closed network connection" name=kata-proxy pid=18412 sandbox=9bf52524dc2dac5d9765289760e1e17281be994822409d885496392c80fd77f4 source=proxy time="2019-10-09T14:18:20.377256561+03:00" level=fatal msg="channel error" error="accept unix /run/vc/sbs/21e8bd5710649526b1a212e63c9a55c476b580dc2d608c65f2671b62bb2d8d03/proxy.sock: use of closed network connection" name=kata-proxy pid=19071 sandbox=21e8bd5710649526b1a212e63c9a55c476b580dc2d608c65f2671b62bb2d8d03 source=proxy time="2019-10-09T14:18:34.492670815+03:00" level=fatal msg="failed to handle exit signal" error="close unix @->/run/vc/vm/9c29caa99e6482107f49c04fef4546799be85192c4b4a56815ce54400719751d/kata.sock: use of closed network connection" name=kata-proxy pid=8834 sandbox=9c29caa99e6482107f49c04fef4546799be85192c4b4a56815ce54400719751d source=proxy time="2019-10-09T14:32:51.133061216+03:00" level=fatal msg="failed to handle exit signal" error="close unix @->/run/vc/vm/dc8171e8880d8b162cd9fbbeb0abaca4a1e9533cfd0b0474a868d98669c55fe7/kata.sock: use of closed network connection" name=kata-proxy pid=14823 sandbox=dc8171e8880d8b162cd9fbbeb0abaca4a1e9533cfd0b0474a868d98669c55fe7 source=proxy time="2019-10-09T14:32:51.133102471+03:00" level=fatal msg="channel error" error="accept unix /run/vc/sbs/dc8171e8880d8b162cd9fbbeb0abaca4a1e9533cfd0b0474a868d98669c55fe7/proxy.sock: use of closed network connection" name=kata-proxy pid=14823 sandbox=dc8171e8880d8b162cd9fbbeb0abaca4a1e9533cfd0b0474a868d98669c55fe7 source=proxy time="2019-10-09T15:37:50.236348856+03:00" level=fatal msg="failed to handle exit signal" error="close unix @->/run/vc/vm/f81450113b0ca3f4ffa51a2244788291d988b897d37b0fab8753865c65b50f24/kata.sock: use of closed network connection" name=kata-proxy pid=11155 sandbox=f81450113b0ca3f4ffa51a2244788291d988b897d37b0fab8753865c65b50f24 source=proxy time="2019-10-09T15:37:50.236418142+03:00" level=fatal msg="channel error" error="accept unix /run/vc/sbs/f81450113b0ca3f4ffa51a2244788291d988b897d37b0fab8753865c65b50f24/proxy.sock: use of closed network connection" name=kata-proxy pid=11155 sandbox=f81450113b0ca3f4ffa51a2244788291d988b897d37b0fab8753865c65b50f24 source=proxy time="2019-10-09T15:37:53.907925663+03:00" level=fatal msg="failed to handle exit signal" error="close unix @->/run/vc/vm/ca9a59954b2eb913c910c9bc392e02caac64ba1b718a08b70fc82d816506e9cf/kata.sock: use of closed network connection" name=kata-proxy pid=11842 sandbox=ca9a59954b2eb913c910c9bc392e02caac64ba1b718a08b70fc82d816506e9cf source=proxy time="2019-10-09T16:00:02.218336285+03:00" level=fatal msg="failed to handle exit signal" error="close unix @->/run/vc/vm/972eb21527081edbc59a8f5820dcbec9f897877332d3f8b4265a8ac3f5589f99/kata.sock: use of closed network connection" name=kata-proxy pid=9518 sandbox=972eb21527081edbc59a8f5820dcbec9f897877332d3f8b4265a8ac3f5589f99 source=proxy time="2019-10-09T16:21:49.362247954+03:00" level=fatal msg="channel error" error="accept unix /run/vc/sbs/cdac91638e5d68d1d865fb5b4159dd8023ef099e5cd57114fdaa58a76c5a76c3/proxy.sock: use of closed network connection" name=kata-proxy pid=30334 sandbox=cdac91638e5d68d1d865fb5b4159dd8023ef099e5cd57114fdaa58a76c5a76c3 source=proxy time="2019-10-10T14:11:35.5994325+03:00" level=fatal msg="failed to handle exit signal" error="close unix @->/run/vc/vm/b842bf528fbb81331de4c820bc0e755268fa417c0935a0f45e527306384de77a/kata.sock: use of closed network connection" name=kata-proxy pid=22392 sandbox=b842bf528fbb81331de4c820bc0e755268fa417c0935a0f45e527306384de77a source=proxy time="2019-10-10T14:11:38.526605114+03:00" level=fatal msg="failed to handle exit signal" error="close unix @->/run/vc/vm/f9f70e0a0ece9276ce1404d9e3413cf5059f5ecb0ea1c2c0d78b8cb9cec024dc/kata.sock: use of closed network connection" name=kata-proxy pid=23072 sandbox=f9f70e0a0ece9276ce1404d9e3413cf5059f5ecb0ea1c2c0d78b8cb9cec024dc source=proxy time="2019-10-10T14:16:36.929336441+03:00" level=fatal msg="failed to handle exit signal" error="close unix @->/run/vc/vm/d32e0f33fe94e7274c2f881b3d07c626da2426b787c9050b618bde0fd4fc33ad/kata.sock: use of closed network connection" name=kata-proxy pid=9201 sandbox=d32e0f33fe94e7274c2f881b3d07c626da2426b787c9050b618bde0fd4fc33ad source=proxy time="2019-10-10T14:20:16.094144503+03:00" level=fatal msg="failed to handle exit signal" error="close unix @->/run/vc/vm/63f07f39d906797e2377d3565d6b0cc944adf7b786081b4384dad7f6b661ae12/kata.sock: use of closed network connection" name=kata-proxy pid=10342 sandbox=63f07f39d906797e2377d3565d6b0cc944adf7b786081b4384dad7f6b661ae12 source=proxy time="2019-10-10T14:20:16.094233863+03:00" level=fatal msg="channel error" error="accept unix /run/vc/sbs/63f07f39d906797e2377d3565d6b0cc944adf7b786081b4384dad7f6b661ae12/proxy.sock: use of closed network connection" name=kata-proxy pid=10342 sandbox=63f07f39d906797e2377d3565d6b0cc944adf7b786081b4384dad7f6b661ae12 source=proxy time="2019-11-19T11:11:26.251542563+02:00" level=fatal msg="failed to handle exit signal" error="close unix @->/run/vc/vm/9da2ce50c831b0d397fecb4d86abced19b98bb25710aeacfdb4b96d7dda38eab/kata.sock: use of closed network connection" name=kata-proxy pid=18275 sandbox=9da2ce50c831b0d397fecb4d86abced19b98bb25710aeacfdb4b96d7dda38eab source=proxy time="2019-11-19T11:12:24.964217163+02:00" level=fatal msg="channel error" error="accept unix /run/vc/sbs/cb6e4912b0f53a5b5e6364483ca093f7121bc34094770060c186ef9b86c98815/proxy.sock: use of closed network connection" name=kata-proxy pid=19196 sandbox=cb6e4912b0f53a5b5e6364483ca093f7121bc34094770060c186ef9b86c98815 source=proxy time="2019-11-19T11:13:48.619045828+02:00" level=fatal msg="failed to handle exit signal" error="close unix @->/run/vc/vm/365cc97866e62da5af36c20a828fb84cf3575a49c080a865895d600c8baaa10c/kata.sock: use of closed network connection" name=kata-proxy pid=14254 sandbox=365cc97866e62da5af36c20a828fb84cf3575a49c080a865895d600c8baaa10c source=proxy time="2019-11-19T12:25:53.046755764+02:00" level=fatal msg="failed to handle exit signal" error="close unix @->/run/vc/vm/442dba0c814efbff23609456603e420031b90d604be845f142d646c2c3e236b9/kata.sock: use of closed network connection" name=kata-proxy pid=16936 sandbox=442dba0c814efbff23609456603e420031b90d604be845f142d646c2c3e236b9 source=proxy time="2019-11-19T12:25:53.047078508+02:00" level=fatal msg="channel error" error="accept unix /run/vc/sbs/442dba0c814efbff23609456603e420031b90d604be845f142d646c2c3e236b9/proxy.sock: use of closed network connection" name=kata-proxy pid=16936 sandbox=442dba0c814efbff23609456603e420031b90d604be845f142d646c2c3e236b9 source=proxy time="2019-11-19T14:39:35.392905622+02:00" level=fatal msg="failed to handle exit signal" error="close unix @->/run/vc/vm/ed8ce45ca60a314d2d89dbd30479e50f9ff8cebc9fbdcac8cea4ae7bc89f3f0b/kata.sock: use of closed network connection" name=kata-proxy pid=27390 sandbox=ed8ce45ca60a314d2d89dbd30479e50f9ff8cebc9fbdcac8cea4ae7bc89f3f0b source=proxy time="2019-11-19T14:51:36.843664086+02:00" level=fatal msg="failed to handle exit signal" error="close unix @->/run/vc/vm/aff57ed6514d27696a2a457d58a2423c5046a70ece4181dc76ed2c242f5078b0/kata.sock: use of closed network connection" name=kata-proxy pid=3194 sandbox=aff57ed6514d27696a2a457d58a2423c5046a70ece4181dc76ed2c242f5078b0 source=proxy time="2019-11-19T14:51:36.843820934+02:00" level=fatal msg="channel error" error="accept unix /run/vc/sbs/aff57ed6514d27696a2a457d58a2423c5046a70ece4181dc76ed2c242f5078b0/proxy.sock: use of closed network connection" name=kata-proxy pid=3194 sandbox=aff57ed6514d27696a2a457d58a2423c5046a70ece4181dc76ed2c242f5078b0 source=proxy time="2019-11-19T15:06:22.050046735+02:00" level=fatal msg="channel error" error="accept unix /run/vc/sbs/ef38107759df1052a62ba94e1c6a7136b50d316a2e266492ff6fe6d71b87cb65/proxy.sock: use of closed network connection" name=kata-proxy pid=5336 sandbox=ef38107759df1052a62ba94e1c6a7136b50d316a2e266492ff6fe6d71b87cb65 source=proxy time="2019-11-19T17:19:52.429117036+02:00" level=fatal msg="failed to handle exit signal" error="close unix @->/run/vc/vm/e97d32e6d369e48e68537a5773eca0ad960d4ed8f18db34120e5867322ed4f4f/kata.sock: use of closed network connection" name=kata-proxy pid=21190 sandbox=e97d32e6d369e48e68537a5773eca0ad960d4ed8f18db34120e5867322ed4f4f source=proxy time="2019-11-19T17:38:01.515141938+02:00" level=fatal msg="failed to handle exit signal" error="close unix @->/run/vc/vm/9d99628eab3e90616be9989cc9271e67ea3ac53bee344aaa964b6cad7c6c57c7/kata.sock: use of closed network connection" name=kata-proxy pid=8513 sandbox=9d99628eab3e90616be9989cc9271e67ea3ac53bee344aaa964b6cad7c6c57c7 source=proxy time="2019-11-19T17:38:44.634368424+02:00" level=fatal msg="channel error" error="accept unix /run/vc/sbs/f3755218feb07a7e64efb1499378e604de1e9dabc53880569e0d8fce18b6f007/proxy.sock: use of closed network connection" name=kata-proxy pid=9431 sandbox=f3755218feb07a7e64efb1499378e604de1e9dabc53880569e0d8fce18b6f007 source=proxy time="2019-11-20T10:47:49.583906628+02:00" level=fatal msg="failed to handle exit signal" error="close unix @->/run/vc/vm/a065ec112b03829c8e260b88563564eb70a6e0398d07053bffd622b6483a558a/kata.sock: use of closed network connection" name=kata-proxy pid=12597 sandbox=a065ec112b03829c8e260b88563564eb70a6e0398d07053bffd622b6483a558a source=proxy time="2019-11-20T10:48:59.670627337+02:00" level=fatal msg="failed to handle exit signal" error="close unix @->/run/vc/vm/64e66e43bf26fa4fe17f78073e34557f482edf4790d4a9a695b1816e31871092/kata.sock: use of closed network connection" name=kata-proxy pid=13582 sandbox=64e66e43bf26fa4fe17f78073e34557f482edf4790d4a9a695b1816e31871092 source=proxy time="2019-11-20T10:49:46.966214967+02:00" level=fatal msg="failed to handle exit signal" error="close unix @->/run/vc/vm/64f7042799da34f1082c61185add16dc78bd7ce433e256c279c42134e2774f1b/kata.sock: use of closed network connection" name=kata-proxy pid=14437 sandbox=64f7042799da34f1082c61185add16dc78bd7ce433e256c279c42134e2774f1b source=proxy time="2019-11-20T14:04:42.526573295+02:00" level=fatal msg="channel error" error="accept unix /run/vc/sbs/59466308a7e01f49406400364d7d98b29e71fb463979e84049d57efdb349ba1d/proxy.sock: use of closed network connection" name=kata-proxy pid=15984 sandbox=59466308a7e01f49406400364d7d98b29e71fb463979e84049d57efdb349ba1d source=proxy time="2019-11-20T14:14:43.082527966+02:00" level=fatal msg="failed to handle exit signal" error="close unix @->/run/vc/vm/a3d8b5539eb40b8a208dcdfa66760f7923b15a779f144e88ce9776c657af639b/kata.sock: use of closed network connection" name=kata-proxy pid=21500 sandbox=a3d8b5539eb40b8a208dcdfa66760f7923b15a779f144e88ce9776c657af639b source=proxy time="2019-11-20T14:15:55.452610021+02:00" level=fatal msg="failed to handle exit signal" error="close unix @->/run/vc/vm/f9dd9af62c21d342c05d2947fe9185c58c169d4a5c90421140829ccd127d3d87/kata.sock: use of closed network connection" name=kata-proxy pid=22772 sandbox=f9dd9af62c21d342c05d2947fe9185c58c169d4a5c90421140829ccd127d3d87 source=proxy time="2019-11-20T14:16:36.152949077+02:00" level=fatal msg="failed to handle exit signal" error="close unix @->/run/vc/vm/ec573333c715bb8b00f6f8730c04e0a128ed36531cf19a264d5b12e594b1263b/kata.sock: use of closed network connection" name=kata-proxy pid=23822 sandbox=ec573333c715bb8b00f6f8730c04e0a128ed36531cf19a264d5b12e594b1263b source=proxy time="2019-11-20T14:16:36.153165228+02:00" level=fatal msg="channel error" error="accept unix /run/vc/sbs/ec573333c715bb8b00f6f8730c04e0a128ed36531cf19a264d5b12e594b1263b/proxy.sock: use of closed network connection" name=kata-proxy pid=23822 sandbox=ec573333c715bb8b00f6f8730c04e0a128ed36531cf19a264d5b12e594b1263b source=proxy time="2019-11-20T14:17:26.579915122+02:00" level=fatal msg="failed to handle exit signal" error="close unix @->/run/vc/vm/f748b8aab483eee8e180aa41478cd97c6a434a98dece2122ec45199b0b78b3c6/kata.sock: use of closed network connection" name=kata-proxy pid=24919 sandbox=f748b8aab483eee8e180aa41478cd97c6a434a98dece2122ec45199b0b78b3c6 source=proxy time="2019-11-20T14:24:16.870003774+02:00" level=fatal msg="channel error" error="accept unix /run/vc/sbs/00021c7186a93f0da3aa9b832c1eb18d078f0ef81b660d5658611ff11d114a61/proxy.sock: use of closed network connection" name=kata-proxy pid=28802 sandbox=00021c7186a93f0da3aa9b832c1eb18d078f0ef81b660d5658611ff11d114a61 source=proxy time="2019-11-20T15:34:27.862511222+02:00" level=fatal msg="channel error" error="accept unix /run/vc/sbs/dd093872acd19deff37939fc06bf4c7385d67a46b9e08162b0654cdff6a9c92e/proxy.sock: use of closed network connection" name=kata-proxy pid=8658 sandbox=dd093872acd19deff37939fc06bf4c7385d67a46b9e08162b0654cdff6a9c92e source=proxy time="2019-11-20T16:56:51.962616124+02:00" level=fatal msg="channel error" error="accept unix /run/vc/sbs/cbb87d0019f7bb7d0dd3cbb7439544b29d35cfafbcbb1cd067069e485a3a629a/proxy.sock: use of closed network connection" name=kata-proxy pid=5703 sandbox=cbb87d0019f7bb7d0dd3cbb7439544b29d35cfafbcbb1cd067069e485a3a629a source=proxy ``` ## Shim logs Recent shim problems found in system journal: ``` time="2019-10-04T15:21:42.544194881+03:00" level=error msg="forward signal failed" container=2e489f1438286d9699b660cf296ab21ae2f9c3ac2d17bb3fbcf2b50b0dd50f97 error="rpc error: code = Unavailable desc = transport is closing" exec-id=2e489f1438286d9699b660cf296ab21ae2f9c3ac2d17bb3fbcf2b50b0dd50f97 name=kata-shim pid=1 signal=terminated source=shim time="2019-10-04T15:22:02.528443528+03:00" level=error msg="failed waiting for process" container=2e489f1438286d9699b660cf296ab21ae2f9c3ac2d17bb3fbcf2b50b0dd50f97 error="rpc error: code = Unavailable desc = all SubConns are in TransientFailure, latest connection error: connection error: desc = \"transport: Error while dialing rpc error: code = DeadlineExceeded desc = timed out connecting to unix socket ////run/vc/sbs/2e489f1438286d9699b660cf296ab21ae2f9c3ac2d17bb3fbcf2b50b0dd50f97/proxy.sock\"" exec-id=2e489f1438286d9699b660cf296ab21ae2f9c3ac2d17bb3fbcf2b50b0dd50f97 name=kata-shim pid=1 source=shim time="2019-10-04T15:22:02.528503217+03:00" level=error msg="forward signal failed" container=2e489f1438286d9699b660cf296ab21ae2f9c3ac2d17bb3fbcf2b50b0dd50f97 error="rpc error: code = Unavailable desc = all SubConns are in TransientFailure, latest connection error: connection error: desc = \"transport: Error while dialing rpc error: code = DeadlineExceeded desc = timed out connecting to unix socket ////run/vc/sbs/2e489f1438286d9699b660cf296ab21ae2f9c3ac2d17bb3fbcf2b50b0dd50f97/proxy.sock\"" exec-id=2e489f1438286d9699b660cf296ab21ae2f9c3ac2d17bb3fbcf2b50b0dd50f97 name=kata-shim pid=1 signal=continued source=shim time="2019-10-04T15:22:02.528796501+03:00" level=error msg="forward signal failed" container=2e489f1438286d9699b660cf296ab21ae2f9c3ac2d17bb3fbcf2b50b0dd50f97 error="rpc error: code = Unavailable desc = all SubConns are in TransientFailure, latest connection error: connection error: desc = \"transport: Error while dialing rpc error: code = DeadlineExceeded desc = timed out connecting to unix socket ////run/vc/sbs/2e489f1438286d9699b660cf296ab21ae2f9c3ac2d17bb3fbcf2b50b0dd50f97/proxy.sock\"" exec-id=2e489f1438286d9699b660cf296ab21ae2f9c3ac2d17bb3fbcf2b50b0dd50f97 name=kata-shim pid=1 signal=terminated source=shim time="2019-10-04T15:22:02.528845827+03:00" level=error msg="forward signal failed" container=2e489f1438286d9699b660cf296ab21ae2f9c3ac2d17bb3fbcf2b50b0dd50f97 error="rpc error: code = Unavailable desc = all SubConns are in TransientFailure, latest connection error: connection error: desc = \"transport: Error while dialing rpc error: code = DeadlineExceeded desc = timed out connecting to unix socket ////run/vc/sbs/2e489f1438286d9699b660cf296ab21ae2f9c3ac2d17bb3fbcf2b50b0dd50f97/proxy.sock\"" exec-id=2e489f1438286d9699b660cf296ab21ae2f9c3ac2d17bb3fbcf2b50b0dd50f97 name=kata-shim pid=1 signal=continued source=shim time="2019-11-19T14:39:35.392985824+02:00" level=error msg="forward signal failed" container=ed8ce45ca60a314d2d89dbd30479e50f9ff8cebc9fbdcac8cea4ae7bc89f3f0b error="rpc error: code = Unavailable desc = transport is closing" exec-id=ed8ce45ca60a314d2d89dbd30479e50f9ff8cebc9fbdcac8cea4ae7bc89f3f0b name=kata-shim pid=1 signal=terminated source=shim time="2019-11-19T14:39:55.393095857+02:00" level=error msg="failed waiting for process" container=ed8ce45ca60a314d2d89dbd30479e50f9ff8cebc9fbdcac8cea4ae7bc89f3f0b error="rpc error: code = Unavailable desc = all SubConns are in TransientFailure, latest connection error: connection error: desc = \"transport: Error while dialing rpc error: code = DeadlineExceeded desc = timed out connecting to unix socket ////run/vc/sbs/ed8ce45ca60a314d2d89dbd30479e50f9ff8cebc9fbdcac8cea4ae7bc89f3f0b/proxy.sock\"" exec-id=ed8ce45ca60a314d2d89dbd30479e50f9ff8cebc9fbdcac8cea4ae7bc89f3f0b name=kata-shim pid=1 source=shim time="2019-11-19T14:39:55.393274381+02:00" level=error msg="forward signal failed" container=ed8ce45ca60a314d2d89dbd30479e50f9ff8cebc9fbdcac8cea4ae7bc89f3f0b error="rpc error: code = Unavailable desc = all SubConns are in TransientFailure, latest connection error: connection error: desc = \"transport: Error while dialing rpc error: code = DeadlineExceeded desc = timed out connecting to unix socket ////run/vc/sbs/ed8ce45ca60a314d2d89dbd30479e50f9ff8cebc9fbdcac8cea4ae7bc89f3f0b/proxy.sock\"" exec-id=ed8ce45ca60a314d2d89dbd30479e50f9ff8cebc9fbdcac8cea4ae7bc89f3f0b name=kata-shim pid=1 signal=continued source=shim time="2019-11-19T15:01:20.163738408+02:00" level=warning msg="copy stdin failed" container=36280fc8ee1632316c97707530072b4cdf4aeee493a1940e8d828b5587bcb2a3 error="read /dev/stdin: input/output error" exec-id=21166d69-74dd-4635-8b61-5848c2e41b63 name=kata-shim pid=33 source=shim time="2019-11-19T15:01:20.163783822+02:00" level=warning msg="close stdin failed" container=36280fc8ee1632316c97707530072b4cdf4aeee493a1940e8d828b5587bcb2a3 error="rpc error: code = Unavailable desc = transport is closing" exec-id=21166d69-74dd-4635-8b61-5848c2e41b63 name=kata-shim pid=33 source=shim time="2019-11-19T15:01:20.163920168+02:00" level=error msg="forward signal failed" container=36280fc8ee1632316c97707530072b4cdf4aeee493a1940e8d828b5587bcb2a3 error="rpc error: code = Unavailable desc = transport is closing" exec-id=36280fc8ee1632316c97707530072b4cdf4aeee493a1940e8d828b5587bcb2a3 name=kata-shim pid=1 signal=terminated source=shim time="2019-11-19T15:01:20.166645729+02:00" level=error msg="forward signal failed" container=36280fc8ee1632316c97707530072b4cdf4aeee493a1940e8d828b5587bcb2a3 error="rpc error: code = Unavailable desc = transport is closing" exec-id=21166d69-74dd-4635-8b61-5848c2e41b63 name=kata-shim pid=33 signal=hangup source=shim time="2019-11-19T15:01:20.188494751+02:00" level=error msg="forward signal failed" container=137589e0ebbb847b5e60a8c511e4e8370520bc5ececf6ec1f89ce3aeee3eadfc error="rpc error: code = Unavailable desc = transport is closing" exec-id=137589e0ebbb847b5e60a8c511e4e8370520bc5ececf6ec1f89ce3aeee3eadfc name=kata-shim pid=1 signal=terminated source=shim time="2019-11-19T15:01:40.163920366+02:00" level=error msg="failed waiting for process" container=36280fc8ee1632316c97707530072b4cdf4aeee493a1940e8d828b5587bcb2a3 error="rpc error: code = Unavailable desc = all SubConns are in TransientFailure, latest connection error: connection error: desc = \"transport: Error while dialing rpc error: code = DeadlineExceeded desc = timed out connecting to hybrid vsocket hvsock:/var/lib/vc/firecracker/137589e0ebbb847b5e60a8c511e4e8370520bc5ececf6ec1f89ce3aeee3eadfc/root/kata.hvsock\"" exec-id=36280fc8ee1632316c97707530072b4cdf4aeee493a1940e8d828b5587bcb2a3 name=kata-shim pid=1 source=shim time="2019-11-19T15:01:40.163931027+02:00" level=error msg="forward signal failed" container=36280fc8ee1632316c97707530072b4cdf4aeee493a1940e8d828b5587bcb2a3 error="rpc error: code = Unavailable desc = all SubConns are in TransientFailure, latest connection error: connection error: desc = \"transport: Error while dialing rpc error: code = DeadlineExceeded desc = timed out connecting to hybrid vsocket hvsock:/var/lib/vc/firecracker/137589e0ebbb847b5e60a8c511e4e8370520bc5ececf6ec1f89ce3aeee3eadfc/root/kata.hvsock\"" exec-id=36280fc8ee1632316c97707530072b4cdf4aeee493a1940e8d828b5587bcb2a3 name=kata-shim pid=1 signal=continued source=shim time="2019-11-19T15:01:40.188558836+02:00" level=error msg="forward signal failed" container=137589e0ebbb847b5e60a8c511e4e8370520bc5ececf6ec1f89ce3aeee3eadfc error="rpc error: code = Unavailable desc = all SubConns are in TransientFailure, latest connection error: connection error: desc = \"transport: Error while dialing rpc error: code = DeadlineExceeded desc = timed out connecting to hybrid vsocket hvsock:/var/lib/vc/firecracker/137589e0ebbb847b5e60a8c511e4e8370520bc5ececf6ec1f89ce3aeee3eadfc/root/kata.hvsock\"" exec-id=137589e0ebbb847b5e60a8c511e4e8370520bc5ececf6ec1f89ce3aeee3eadfc name=kata-shim pid=1 signal=continued source=shim time="2019-11-19T15:01:40.188610044+02:00" level=error msg="failed waiting for process" container=137589e0ebbb847b5e60a8c511e4e8370520bc5ececf6ec1f89ce3aeee3eadfc error="rpc error: code = Unavailable desc = all SubConns are in TransientFailure, latest connection error: connection error: desc = \"transport: Error while dialing rpc error: code = DeadlineExceeded desc = timed out connecting to hybrid vsocket hvsock:/var/lib/vc/firecracker/137589e0ebbb847b5e60a8c511e4e8370520bc5ececf6ec1f89ce3aeee3eadfc/root/kata.hvsock\"" exec-id=137589e0ebbb847b5e60a8c511e4e8370520bc5ececf6ec1f89ce3aeee3eadfc name=kata-shim pid=1 source=shim time="2019-11-19T15:01:40.188612491+02:00" level=error msg="forward signal failed" container=137589e0ebbb847b5e60a8c511e4e8370520bc5ececf6ec1f89ce3aeee3eadfc error="rpc error: code = Unavailable desc = all SubConns are in TransientFailure, latest connection error: connection error: desc = \"transport: Error while dialing rpc error: code = DeadlineExceeded desc = timed out connecting to hybrid vsocket hvsock:/var/lib/vc/firecracker/137589e0ebbb847b5e60a8c511e4e8370520bc5ececf6ec1f89ce3aeee3eadfc/root/kata.hvsock\"" exec-id=137589e0ebbb847b5e60a8c511e4e8370520bc5ececf6ec1f89ce3aeee3eadfc name=kata-shim pid=1 signal=terminated source=shim time="2019-11-19T15:21:32.861995846+02:00" level=error msg="forward signal failed" container=a85b8eb6b76af8af7798b964cbbc56bda053fce096afdf25fffb8e089c3181c3 error="rpc error: code = Unavailable desc = transport is closing" exec-id=a85b8eb6b76af8af7798b964cbbc56bda053fce096afdf25fffb8e089c3181c3 name=kata-shim pid=1 signal=terminated source=shim time="2019-11-19T15:21:32.862075091+02:00" level=error msg="forward signal failed" container=a85b8eb6b76af8af7798b964cbbc56bda053fce096afdf25fffb8e089c3181c3 error="rpc error: code = Unavailable desc = all SubConns are in TransientFailure, latest connection error: " exec-id=a85b8eb6b76af8af7798b964cbbc56bda053fce096afdf25fffb8e089c3181c3 name=kata-shim pid=1 signal=continued source=shim time="2019-11-19T15:21:52.862018454+02:00" level=error msg="failed waiting for process" container=a85b8eb6b76af8af7798b964cbbc56bda053fce096afdf25fffb8e089c3181c3 error="rpc error: code = Unavailable desc = all SubConns are in TransientFailure, latest connection error: connection error: desc = \"transport: Error while dialing rpc error: code = DeadlineExceeded desc = timed out connecting to hybrid vsocket hvsock:/var/lib/vc/firecracker/a85b8eb6b76af8af7798b964cbbc56bda053fce096afdf25fffb8e089c3181c3/root/kata.hvsock\"" exec-id=a85b8eb6b76af8af7798b964cbbc56bda053fce096afdf25fffb8e089c3181c3 name=kata-shim pid=1 source=shim time="2019-11-19T15:21:52.862061164+02:00" level=error msg="forward signal failed" container=a85b8eb6b76af8af7798b964cbbc56bda053fce096afdf25fffb8e089c3181c3 error="rpc error: code = Unavailable desc = all SubConns are in TransientFailure, latest connection error: connection error: desc = \"transport: Error while dialing rpc error: code = DeadlineExceeded desc = timed out connecting to hybrid vsocket hvsock:/var/lib/vc/firecracker/a85b8eb6b76af8af7798b964cbbc56bda053fce096afdf25fffb8e089c3181c3/root/kata.hvsock\"" exec-id=a85b8eb6b76af8af7798b964cbbc56bda053fce096afdf25fffb8e089c3181c3 name=kata-shim pid=1 signal=terminated source=shim time="2019-11-19T17:26:32.503772088+02:00" level=error msg="forward signal failed" container=573fee4f5d1c54fefe1c7c9fe82eecd223a10c2c23c6a74fc0f88a9bb98a5899 error="rpc error: code = Unavailable desc = transport is closing" exec-id=573fee4f5d1c54fefe1c7c9fe82eecd223a10c2c23c6a74fc0f88a9bb98a5899 name=kata-shim pid=1 signal=terminated source=shim time="2019-11-19T17:26:32.503797934+02:00" level=error msg="failed waiting for process" container=573fee4f5d1c54fefe1c7c9fe82eecd223a10c2c23c6a74fc0f88a9bb98a5899 error="rpc error: code = Unavailable desc = transport is closing" exec-id=573fee4f5d1c54fefe1c7c9fe82eecd223a10c2c23c6a74fc0f88a9bb98a5899 name=kata-shim pid=1 source=shim time="2019-11-20T12:54:36.133189704+02:00" level=error msg="failed waiting for process" container=6857d9d18d07c43c70b61f611270a9c2a172354098e96d7607674429f7a2a25e error="rpc error: code = Unavailable desc = transport is closing" exec-id=ecfb858e-d769-4d26-899c-672ee62958b7 name=kata-shim pid=21 source=shim time="2019-11-20T12:54:56.133285922+02:00" level=error msg="failed waiting for process" container=6857d9d18d07c43c70b61f611270a9c2a172354098e96d7607674429f7a2a25e error="rpc error: code = Unavailable desc = all SubConns are in TransientFailure, latest connection error: connection error: desc = \"transport: Error while dialing rpc error: code = DeadlineExceeded desc = timed out connecting to hybrid vsocket hvsock:/var/lib/vc/firecracker/271e63f5c2879d5437bf9bf849fc3655649c125cfb07699414c54634e734e490/root/kata.hvsock\"" exec-id=6857d9d18d07c43c70b61f611270a9c2a172354098e96d7607674429f7a2a25e name=kata-shim pid=1 source=shim time="2019-11-20T12:55:16.138618957+02:00" level=error msg="failed waiting for process" container=271e63f5c2879d5437bf9bf849fc3655649c125cfb07699414c54634e734e490 error="rpc error: code = Unavailable desc = all SubConns are in TransientFailure, latest connection error: connection error: desc = \"transport: Error while dialing rpc error: code = DeadlineExceeded desc = timed out connecting to hybrid vsocket hvsock:/var/lib/vc/firecracker/271e63f5c2879d5437bf9bf849fc3655649c125cfb07699414c54634e734e490/root/kata.hvsock\"" exec-id=271e63f5c2879d5437bf9bf849fc3655649c125cfb07699414c54634e734e490 name=kata-shim pid=1 source=shim time="2019-11-20T14:57:00.044142712+02:00" level=error msg="forward signal failed" container=3ffd7153ee930dc411ef8bc5a50d0c1cbacb34c35d5b1dced3608b0b9c1c1021 error="rpc error: code = Unavailable desc = transport is closing" exec-id=3ffd7153ee930dc411ef8bc5a50d0c1cbacb34c35d5b1dced3608b0b9c1c1021 name=kata-shim pid=1 signal=terminated source=shim time="2019-11-20T14:57:20.043896973+02:00" level=error msg="failed waiting for process" container=3ffd7153ee930dc411ef8bc5a50d0c1cbacb34c35d5b1dced3608b0b9c1c1021 error="rpc error: code = Unavailable desc = all SubConns are in TransientFailure, latest connection error: connection error: desc = \"transport: Error while dialing rpc error: code = DeadlineExceeded desc = timed out connecting to hybrid vsocket hvsock:/var/lib/vc/firecracker/3ffd7153ee930dc411ef8bc5a50d0c1cbacb34c35d5b1dced3608b0b9c1c1021/root/kata.hvsock\"" exec-id=3ffd7153ee930dc411ef8bc5a50d0c1cbacb34c35d5b1dced3608b0b9c1c1021 name=kata-shim pid=1 source=shim time="2019-11-20T14:57:20.043945122+02:00" level=error msg="forward signal failed" container=3ffd7153ee930dc411ef8bc5a50d0c1cbacb34c35d5b1dced3608b0b9c1c1021 error="rpc error: code = Unavailable desc = all SubConns are in TransientFailure, latest connection error: connection error: desc = \"transport: Error while dialing rpc error: code = DeadlineExceeded desc = timed out connecting to hybrid vsocket hvsock:/var/lib/vc/firecracker/3ffd7153ee930dc411ef8bc5a50d0c1cbacb34c35d5b1dced3608b0b9c1c1021/root/kata.hvsock\"" exec-id=3ffd7153ee930dc411ef8bc5a50d0c1cbacb34c35d5b1dced3608b0b9c1c1021 name=kata-shim pid=1 signal=continued source=shim time="2019-11-20T15:23:11.70297483+02:00" level=error msg="forward signal failed" container=aa80acb1646110a9ada2228391fdd4903ff8b107dd245a2b586129fa9f6ee42f error="rpc error: code = Unavailable desc = transport is closing" exec-id=7f872b92-b1e0-49ab-9d6d-8f3d1f6bc8c7 name=kata-shim pid=11 signal=terminated source=shim time="2019-11-20T15:23:11.703042024+02:00" level=error msg="forward signal failed" container=aa80acb1646110a9ada2228391fdd4903ff8b107dd245a2b586129fa9f6ee42f error="rpc error: code = Unavailable desc = transport is closing" exec-id=7f872b92-b1e0-49ab-9d6d-8f3d1f6bc8c7 name=kata-shim pid=11 signal=continued source=shim time="2019-11-20T15:23:11.705234335+02:00" level=error msg="forward signal failed" container=aa80acb1646110a9ada2228391fdd4903ff8b107dd245a2b586129fa9f6ee42f error="rpc error: code = Unavailable desc = transport is closing" exec-id=aa80acb1646110a9ada2228391fdd4903ff8b107dd245a2b586129fa9f6ee42f name=kata-shim pid=1 signal=terminated source=shim time="2019-11-20T15:23:11.711117419+02:00" level=error msg="forward signal failed" container=3b5db54e6be6384c6581b5607a567228922f11416b5cd2e46226893e11350a8b error="rpc error: code = Unavailable desc = transport is closing" exec-id=3b5db54e6be6384c6581b5607a567228922f11416b5cd2e46226893e11350a8b name=kata-shim pid=1 signal=terminated source=shim time="2019-11-20T15:23:31.70312992+02:00" level=error msg="failed waiting for process" container=3b5db54e6be6384c6581b5607a567228922f11416b5cd2e46226893e11350a8b error="rpc error: code = Unavailable desc = all SubConns are in TransientFailure, latest connection error: connection error: desc = \"transport: Error while dialing rpc error: code = DeadlineExceeded desc = timed out connecting to hybrid vsocket hvsock:/var/lib/vc/firecracker/3b5db54e6be6384c6581b5607a567228922f11416b5cd2e46226893e11350a8b/root/kata.hvsock\"" exec-id=3b5db54e6be6384c6581b5607a567228922f11416b5cd2e46226893e11350a8b name=kata-shim pid=1 source=shim time="2019-11-20T15:23:31.703172371+02:00" level=error msg="forward signal failed" container=3b5db54e6be6384c6581b5607a567228922f11416b5cd2e46226893e11350a8b error="rpc error: code = Unavailable desc = all SubConns are in TransientFailure, latest connection error: connection error: desc = \"transport: Error while dialing rpc error: code = DeadlineExceeded desc = timed out connecting to hybrid vsocket hvsock:/var/lib/vc/firecracker/3b5db54e6be6384c6581b5607a567228922f11416b5cd2e46226893e11350a8b/root/kata.hvsock\"" exec-id=3b5db54e6be6384c6581b5607a567228922f11416b5cd2e46226893e11350a8b name=kata-shim pid=1 signal=continued source=shim time="2019-11-20T15:23:31.70336884+02:00" level=warning msg="copy stdin failed" container=aa80acb1646110a9ada2228391fdd4903ff8b107dd245a2b586129fa9f6ee42f error="read /dev/stdin: input/output error" exec-id=7f872b92-b1e0-49ab-9d6d-8f3d1f6bc8c7 name=kata-shim pid=11 source=shim time="2019-11-20T15:23:31.703400439+02:00" level=error msg="forward signal failed" container=aa80acb1646110a9ada2228391fdd4903ff8b107dd245a2b586129fa9f6ee42f error="rpc error: code = Unavailable desc = all SubConns are in TransientFailure, latest connection error: connection error: desc = \"transport: Error while dialing rpc error: code = DeadlineExceeded desc = timed out connecting to hybrid vsocket hvsock:/var/lib/vc/firecracker/3b5db54e6be6384c6581b5607a567228922f11416b5cd2e46226893e11350a8b/root/kata.hvsock\"" exec-id=7f872b92-b1e0-49ab-9d6d-8f3d1f6bc8c7 name=kata-shim pid=11 signal=hangup source=shim time="2019-11-20T15:23:31.703465333+02:00" level=warning msg="close stdin failed" container=aa80acb1646110a9ada2228391fdd4903ff8b107dd245a2b586129fa9f6ee42f error="rpc error: code = Unavailable desc = all SubConns are in TransientFailure, latest connection error: connection error: desc = \"transport: Error while dialing rpc error: code = DeadlineExceeded desc = timed out connecting to hybrid vsocket hvsock:/var/lib/vc/firecracker/3b5db54e6be6384c6581b5607a567228922f11416b5cd2e46226893e11350a8b/root/kata.hvsock\"" exec-id=7f872b92-b1e0-49ab-9d6d-8f3d1f6bc8c7 name=kata-shim pid=11 source=shim time="2019-11-20T15:23:31.705342519+02:00" level=error msg="failed waiting for process" container=aa80acb1646110a9ada2228391fdd4903ff8b107dd245a2b586129fa9f6ee42f error="rpc error: code = Unavailable desc = all SubConns are in TransientFailure, latest connection error: connection error: desc = \"transport: Error while dialing rpc error: code = DeadlineExceeded desc = timed out connecting to hybrid vsocket hvsock:/var/lib/vc/firecracker/3b5db54e6be6384c6581b5607a567228922f11416b5cd2e46226893e11350a8b/root/kata.hvsock\"" exec-id=aa80acb1646110a9ada2228391fdd4903ff8b107dd245a2b586129fa9f6ee42f name=kata-shim pid=1 source=shim time="2019-11-20T15:23:31.705486256+02:00" level=error msg="forward signal failed" container=aa80acb1646110a9ada2228391fdd4903ff8b107dd245a2b586129fa9f6ee42f error="rpc error: code = Unavailable desc = all SubConns are in TransientFailure, latest connection error: connection error: desc = \"transport: Error while dialing rpc error: code = DeadlineExceeded desc = timed out connecting to hybrid vsocket hvsock:/var/lib/vc/firecracker/3b5db54e6be6384c6581b5607a567228922f11416b5cd2e46226893e11350a8b/root/kata.hvsock\"" exec-id=aa80acb1646110a9ada2228391fdd4903ff8b107dd245a2b586129fa9f6ee42f name=kata-shim pid=1 signal=continued source=shim time="2019-11-20T15:48:24.283012806+02:00" level=error msg="forward signal failed" container=8464052ad3630a80624d74019cfd7fb299fcc7a53ba4ee8b08739137c228acc0 error="rpc error: code = Unavailable desc = transport is closing" exec-id=8464052ad3630a80624d74019cfd7fb299fcc7a53ba4ee8b08739137c228acc0 name=kata-shim pid=1 signal=terminated source=shim time="2019-11-20T15:48:44.283114393+02:00" level=error msg="failed waiting for process" container=8464052ad3630a80624d74019cfd7fb299fcc7a53ba4ee8b08739137c228acc0 error="rpc error: code = Unavailable desc = all SubConns are in TransientFailure, latest connection error: connection error: desc = \"transport: Error while dialing rpc error: code = DeadlineExceeded desc = timed out connecting to hybrid vsocket hvsock:/var/lib/vc/firecracker/8464052ad3630a80624d74019cfd7fb299fcc7a53ba4ee8b08739137c228acc0/root/kata.hvsock\"" exec-id=8464052ad3630a80624d74019cfd7fb299fcc7a53ba4ee8b08739137c228acc0 name=kata-shim pid=1 source=shim time="2019-11-20T15:48:44.283153993+02:00" level=error msg="forward signal failed" container=8464052ad3630a80624d74019cfd7fb299fcc7a53ba4ee8b08739137c228acc0 error="rpc error: code = Unavailable desc = all SubConns are in TransientFailure, latest connection error: connection error: desc = \"transport: Error while dialing rpc error: code = DeadlineExceeded desc = timed out connecting to hybrid vsocket hvsock:/var/lib/vc/firecracker/8464052ad3630a80624d74019cfd7fb299fcc7a53ba4ee8b08739137c228acc0/root/kata.hvsock\"" exec-id=8464052ad3630a80624d74019cfd7fb299fcc7a53ba4ee8b08739137c228acc0 name=kata-shim pid=1 signal=continued source=shim time="2019-11-20T16:43:34.245755019+02:00" level=error msg="forward signal failed" container=335f84fd0a759406a6bf4b262004cc250c3910943650f2a41414434b6c266642 error="rpc error: code = Unavailable desc = transport is closing" exec-id=335f84fd0a759406a6bf4b262004cc250c3910943650f2a41414434b6c266642 name=kata-shim pid=1 signal=terminated source=shim time="2019-11-20T16:43:54.245928351+02:00" level=error msg="forward signal failed" container=335f84fd0a759406a6bf4b262004cc250c3910943650f2a41414434b6c266642 error="rpc error: code = Unavailable desc = all SubConns are in TransientFailure, latest connection error: connection error: desc = \"transport: Error while dialing rpc error: code = DeadlineExceeded desc = timed out connecting to hybrid vsocket hvsock:/var/lib/vc/firecracker/335f84fd0a759406a6bf4b262004cc250c3910943650f2a41414434b6c266642/root/kata.hvsock\"" exec-id=335f84fd0a759406a6bf4b262004cc250c3910943650f2a41414434b6c266642 name=kata-shim pid=1 signal=continued source=shim time="2019-11-20T16:43:54.245977778+02:00" level=error msg="failed waiting for process" container=335f84fd0a759406a6bf4b262004cc250c3910943650f2a41414434b6c266642 error="rpc error: code = Unavailable desc = all SubConns are in TransientFailure, latest connection error: connection error: desc = \"transport: Error while dialing rpc error: code = DeadlineExceeded desc = timed out connecting to hybrid vsocket hvsock:/var/lib/vc/firecracker/335f84fd0a759406a6bf4b262004cc250c3910943650f2a41414434b6c266642/root/kata.hvsock\"" exec-id=335f84fd0a759406a6bf4b262004cc250c3910943650f2a41414434b6c266642 name=kata-shim pid=1 source=shim ``` ## Throttler logs No recent throttler problems found in system journal. --- # Container manager details Have `docker` ## Docker Output of "`docker version`": ``` Client: Docker Engine - Community Version: 19.03.1 API version: 1.40 Go version: go1.12.5 Git commit: 74b1e89 Built: Thu Jul 25 21:21:05 2019 OS/Arch: linux/amd64 Experimental: false Server: Docker Engine - Community Engine: Version: 19.03.1 API version: 1.40 (minimum version 1.12) Go version: go1.12.5 Git commit: 74b1e89 Built: Thu Jul 25 21:19:41 2019 OS/Arch: linux/amd64 Experimental: false containerd: Version: v1.3.0-beta.2 GitCommit: 640860a042b93c26c0a33081ee02230def486f81 runc: Version: 1.0.0-rc8 GitCommit: 425e105d5a03fabd737a126ad93d62a9eeede87f docker-init: Version: 0.18.0 GitCommit: fec3683 ``` Output of "`docker info`": ``` Client: Debug Mode: false Server: Containers: 1 Running: 0 Paused: 0 Stopped: 1 Images: 20 Server Version: 19.03.1 Storage Driver: overlay2 Backing Filesystem: extfs Supports d_type: true Native Overlay Diff: true Logging Driver: json-file Cgroup Driver: cgroupfs Plugins: Volume: local Network: bridge host ipvlan macvlan null overlay Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog Swarm: inactive Runtimes: runc Default Runtime: runc Init Binary: docker-init containerd version: 640860a042b93c26c0a33081ee02230def486f81 runc version: 425e105d5a03fabd737a126ad93d62a9eeede87f init version: fec3683 Security Options: apparmor seccomp Profile: default Kernel Version: 5.2.2-050202-generic Operating System: Ubuntu 18.04.2 LTS OSType: linux Architecture: x86_64 CPUs: 8 Total Memory: 31.27GiB Name: minion ID: RHVD:ILPB:IJV3:75UP:JBZK:3IHD:64CM:N3E6:HDM4:5ES3:VTC7:V6II Docker Root Dir: /var/lib/docker Debug Mode: false Registry: https://index.docker.io/v1/ Labels: Experimental: false Insecure Registries: 192.168.1.99:7000 192.168.1.99:2501 192.168.1.99:2601 192.168.1.99:5000 192.168.1.99:6000 127.0.0.0/8 Live Restore Enabled: false WARNING: No swap limit support ``` Output of "`systemctl show docker`": ``` Type=notify Restart=always NotifyAccess=main RestartUSec=2s TimeoutStartUSec=infinity TimeoutStopUSec=infinity RuntimeMaxUSec=infinity WatchdogUSec=0 WatchdogTimestamp=Thu 2019-11-21 10:31:59 EET WatchdogTimestampMonotonic=64050253706 PermissionsStartOnly=no RootDirectoryStartOnly=no RemainAfterExit=no GuessMainPID=yes MainPID=1930 ControlPID=0 FileDescriptorStoreMax=0 NFileDescriptorStore=0 StatusErrno=0 Result=success UID=[not set] GID=[not set] NRestarts=0 ExecMainStartTimestamp=Thu 2019-11-21 10:31:58 EET ExecMainStartTimestampMonotonic=64049419841 ExecMainExitTimestampMonotonic=0 ExecMainPID=1930 ExecMainCode=0 ExecMainStatus=0 ExecStart={ path=/usr/bin/dockerd ; argv[]=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock ; ignore_errors=no ; start_time=[Thu 2019-11-21 10:31:58 EET] ; stop_time=[n/a] ; pid=1930 ; code=(null) ; status=0/0 } ExecReload={ path=/bin/kill ; argv[]=/bin/kill -s HUP $MAINPID ; ignore_errors=no ; start_time=[n/a] ; stop_time=[n/a] ; pid=0 ; code=(null) ; status=0/0 } Slice=system.slice ControlGroup=/system.slice/docker.service MemoryCurrent=[not set] CPUUsageNSec=[not set] TasksCurrent=18 IPIngressBytes=18446744073709551615 IPIngressPackets=18446744073709551615 IPEgressBytes=18446744073709551615 IPEgressPackets=18446744073709551615 Delegate=yes DelegateControllers=cpu cpuacct io blkio memory devices pids CPUAccounting=no CPUWeight=[not set] StartupCPUWeight=[not set] CPUShares=[not set] StartupCPUShares=[not set] CPUQuotaPerSecUSec=infinity IOAccounting=no IOWeight=[not set] StartupIOWeight=[not set] BlockIOAccounting=no BlockIOWeight=[not set] StartupBlockIOWeight=[not set] MemoryAccounting=no MemoryLow=0 MemoryHigh=infinity MemoryMax=infinity MemorySwapMax=infinity MemoryLimit=infinity DevicePolicy=auto TasksAccounting=yes TasksMax=infinity IPAccounting=no UMask=0022 LimitCPU=infinity LimitCPUSoft=infinity LimitFSIZE=infinity LimitFSIZESoft=infinity LimitDATA=infinity LimitDATASoft=infinity LimitSTACK=infinity LimitSTACKSoft=8388608 LimitCORE=infinity LimitCORESoft=infinity LimitRSS=infinity LimitRSSSoft=infinity LimitNOFILE=infinity LimitNOFILESoft=infinity LimitAS=infinity LimitASSoft=infinity LimitNPROC=infinity LimitNPROCSoft=infinity LimitMEMLOCK=16777216 LimitMEMLOCKSoft=16777216 LimitLOCKS=infinity LimitLOCKSSoft=infinity LimitSIGPENDING=127818 LimitSIGPENDINGSoft=127818 LimitMSGQUEUE=819200 LimitMSGQUEUESoft=819200 LimitNICE=0 LimitNICESoft=0 LimitRTPRIO=0 LimitRTPRIOSoft=0 LimitRTTIME=infinity LimitRTTIMESoft=infinity OOMScoreAdjust=0 Nice=0 IOSchedulingClass=0 IOSchedulingPriority=0 CPUSchedulingPolicy=0 CPUSchedulingPriority=0 TimerSlackNSec=50000 CPUSchedulingResetOnFork=no NonBlocking=no StandardInput=null StandardInputData= StandardOutput=journal StandardError=inherit TTYReset=no TTYVHangup=no TTYVTDisallocate=no SyslogPriority=30 SyslogLevelPrefix=yes SyslogLevel=6 SyslogFacility=3 LogLevelMax=-1 SecureBits=0 CapabilityBoundingSet=cap_chown cap_dac_override cap_dac_read_search cap_fowner cap_fsetid cap_kill cap_setgid cap_setuid cap_setpcap cap_linux_immutable cap_net_bind_service cap_net_broadcast cap_net_admin cap_net_raw cap_ipc_lock cap_ipc_owner cap_sys_module cap_sys_rawio cap_sys_chroot cap_sys_ptrace cap_sys_pacct cap_sys_admin cap_sys_boot cap_sys_nice cap_sys_resource cap_sys_time cap_sys_tty_config cap_mknod cap_lease cap_audit_write cap_audit_control cap_setfcap cap_mac_override cap_mac_admin cap_syslog cap_wake_alarm cap_block_suspend AmbientCapabilities= DynamicUser=no RemoveIPC=no MountFlags= PrivateTmp=no PrivateDevices=no ProtectKernelTunables=no ProtectKernelModules=no ProtectControlGroups=no PrivateNetwork=no PrivateUsers=no ProtectHome=no ProtectSystem=no SameProcessGroup=no UtmpMode=init IgnoreSIGPIPE=yes NoNewPrivileges=no SystemCallErrorNumber=0 LockPersonality=no RuntimeDirectoryPreserve=no RuntimeDirectoryMode=0755 StateDirectoryMode=0755 CacheDirectoryMode=0755 LogsDirectoryMode=0755 ConfigurationDirectoryMode=0755 MemoryDenyWriteExecute=no RestrictRealtime=no RestrictNamespaces=no MountAPIVFS=no KeyringMode=private KillMode=process KillSignal=15 SendSIGKILL=yes SendSIGHUP=no Id=docker.service Names=docker.service Requires=docker.socket system.slice sysinit.target Wants=network-online.target BindsTo=containerd.service ConsistsOf=docker.socket Conflicts=shutdown.target Before=shutdown.target After=basic.target sysinit.target containerd.service system.slice systemd-journald.socket firewalld.service docker.socket network-online.target TriggeredBy=docker.socket Documentation=https://docs.docker.com Description=Docker Application Container Engine LoadState=loaded ActiveState=active SubState=running FragmentPath=/lib/systemd/system/docker.service UnitFileState=disabled UnitFilePreset=enabled StateChangeTimestamp=Thu 2019-11-21 10:31:59 EET StateChangeTimestampMonotonic=64050253708 InactiveExitTimestamp=Thu 2019-11-21 10:31:58 EET InactiveExitTimestampMonotonic=64049419896 ActiveEnterTimestamp=Thu 2019-11-21 10:31:59 EET ActiveEnterTimestampMonotonic=64050253708 ActiveExitTimestampMonotonic=0 InactiveEnterTimestampMonotonic=0 CanStart=yes CanStop=yes CanReload=yes CanIsolate=no StopWhenUnneeded=no RefuseManualStart=no RefuseManualStop=no AllowIsolate=no DefaultDependencies=yes OnFailureJobMode=replace IgnoreOnIsolate=no NeedDaemonReload=no JobTimeoutUSec=infinity JobRunningTimeoutUSec=infinity JobTimeoutAction=none ConditionResult=yes AssertResult=yes ConditionTimestamp=Thu 2019-11-21 10:31:58 EET ConditionTimestampMonotonic=64049418680 AssertTimestamp=Thu 2019-11-21 10:31:58 EET AssertTimestampMonotonic=64049418680 Transient=no Perpetual=no StartLimitIntervalUSec=1min StartLimitBurst=3 StartLimitAction=none FailureAction=none SuccessAction=none InvocationID=e2405a4759754387b5a4242a7f901d19 CollectMode=inactive ``` Have `kubectl` ## Kubernetes Output of "`kubectl version`": ``` Client Version: version.Info{Major:"1", Minor:"15", GitVersion:"v1.15.2", GitCommit:"f6278300bebbb750328ac16ee6dd3aa7d3549568", GitTreeState:"clean", BuildDate:"2019-08-05T09:23:26Z", GoVersion:"go1.12.5", Compiler:"gc", Platform:"linux/amd64"} The connection to the server localhost:8080 was refused - did you specify the right host or port? ``` Output of "`kubectl config view`": ``` apiVersion: v1 clusters: [] contexts: [] current-context: "" kind: Config preferences: {} users: [] ``` Output of "`systemctl show kubelet`": ``` Type=simple Restart=always NotifyAccess=none RestartUSec=10s TimeoutStartUSec=1min 30s TimeoutStopUSec=1min 30s RuntimeMaxUSec=infinity WatchdogUSec=0 WatchdogTimestampMonotonic=0 PermissionsStartOnly=no RootDirectoryStartOnly=no RemainAfterExit=no GuessMainPID=yes MainPID=0 ControlPID=0 FileDescriptorStoreMax=0 NFileDescriptorStore=0 StatusErrno=0 Result=exit-code UID=[not set] GID=[not set] NRestarts=7212 ExecMainStartTimestamp=Thu 2019-11-21 13:16:41 EET ExecMainStartTimestampMonotonic=73933088821 ExecMainExitTimestamp=Thu 2019-11-21 13:16:41 EET ExecMainExitTimestampMonotonic=73933148606 ExecMainPID=20240 ExecMainCode=1 ExecMainStatus=255 ExecStart={ path=/usr/bin/kubelet ; argv[]=/usr/bin/kubelet $KUBELET_KUBECONFIG_ARGS $KUBELET_CONFIG_ARGS $KUBELET_KUBEADM_ARGS $KUBELET_EXTRA_ARGS ; ignore_errors=no ; start_time=[Thu 2019-11-21 13:16:41 EET] ; stop_time=[Thu 2019-11-21 13:16:41 EET] ; pid=20240 ; code=exited ; status=255 } Slice=system.slice MemoryCurrent=[not set] CPUUsageNSec=[not set] TasksCurrent=[not set] IPIngressBytes=18446744073709551615 IPIngressPackets=18446744073709551615 IPEgressBytes=18446744073709551615 IPEgressPackets=18446744073709551615 Delegate=no CPUAccounting=no CPUWeight=[not set] StartupCPUWeight=[not set] CPUShares=[not set] StartupCPUShares=[not set] CPUQuotaPerSecUSec=infinity IOAccounting=no IOWeight=[not set] StartupIOWeight=[not set] BlockIOAccounting=no BlockIOWeight=[not set] StartupBlockIOWeight=[not set] MemoryAccounting=no MemoryLow=0 MemoryHigh=infinity MemoryMax=infinity MemorySwapMax=infinity MemoryLimit=infinity DevicePolicy=auto TasksAccounting=yes TasksMax=4915 IPAccounting=no Environment=[unprintable] KUBELET_CONFIG_ARGS=--config=/var/lib/kubelet/config.yaml EnvironmentFile=/var/lib/kubelet/kubeadm-flags.env (ignore_errors=yes) EnvironmentFile=/etc/default/kubelet (ignore_errors=yes) UMask=0022 LimitCPU=infinity LimitCPUSoft=infinity LimitFSIZE=infinity LimitFSIZESoft=infinity LimitDATA=infinity LimitDATASoft=infinity LimitSTACK=infinity LimitSTACKSoft=8388608 LimitCORE=infinity LimitCORESoft=0 LimitRSS=infinity LimitRSSSoft=infinity LimitNOFILE=4096 LimitNOFILESoft=1024 LimitAS=infinity LimitASSoft=infinity LimitNPROC=127818 LimitNPROCSoft=127818 LimitMEMLOCK=16777216 LimitMEMLOCKSoft=16777216 LimitLOCKS=infinity LimitLOCKSSoft=infinity LimitSIGPENDING=127818 LimitSIGPENDINGSoft=127818 LimitMSGQUEUE=819200 LimitMSGQUEUESoft=819200 LimitNICE=0 LimitNICESoft=0 LimitRTPRIO=0 LimitRTPRIOSoft=0 LimitRTTIME=infinity LimitRTTIMESoft=infinity OOMScoreAdjust=0 Nice=0 IOSchedulingClass=0 IOSchedulingPriority=0 CPUSchedulingPolicy=0 CPUSchedulingPriority=0 TimerSlackNSec=50000 CPUSchedulingResetOnFork=no NonBlocking=no StandardInput=null StandardInputData= StandardOutput=journal StandardError=inherit TTYReset=no TTYVHangup=no TTYVTDisallocate=no SyslogPriority=30 SyslogLevelPrefix=yes SyslogLevel=6 SyslogFacility=3 LogLevelMax=-1 SecureBits=0 CapabilityBoundingSet=cap_chown cap_dac_override cap_dac_read_search cap_fowner cap_fsetid cap_kill cap_setgid cap_setuid cap_setpcap cap_linux_immutable cap_net_bind_service cap_net_broadcast cap_net_admin cap_net_raw cap_ipc_lock cap_ipc_owner cap_sys_module cap_sys_rawio cap_sys_chroot cap_sys_ptrace cap_sys_pacct cap_sys_admin cap_sys_boot cap_sys_nice cap_sys_resource cap_sys_time cap_sys_tty_config cap_mknod cap_lease cap_audit_write cap_audit_control cap_setfcap cap_mac_override cap_mac_admin cap_syslog cap_wake_alarm cap_block_suspend AmbientCapabilities= DynamicUser=no RemoveIPC=no MountFlags= PrivateTmp=no PrivateDevices=no ProtectKernelTunables=no ProtectKernelModules=no ProtectControlGroups=no PrivateNetwork=no PrivateUsers=no ProtectHome=no ProtectSystem=no SameProcessGroup=no UtmpMode=init IgnoreSIGPIPE=yes NoNewPrivileges=no SystemCallErrorNumber=0 LockPersonality=no RuntimeDirectoryPreserve=no RuntimeDirectoryMode=0755 StateDirectoryMode=0755 CacheDirectoryMode=0755 LogsDirectoryMode=0755 ConfigurationDirectoryMode=0755 MemoryDenyWriteExecute=no RestrictRealtime=no RestrictNamespaces=no MountAPIVFS=no KeyringMode=private KillMode=control-group KillSignal=15 SendSIGKILL=yes SendSIGHUP=no Id=kubelet.service Names=kubelet.service Requires=system.slice sysinit.target WantedBy=multi-user.target Conflicts=shutdown.target Before=multi-user.target shutdown.target After=basic.target sysinit.target system.slice systemd-journald.socket Documentation=https://kubernetes.io/docs/home/ Description=kubelet: The Kubernetes Node Agent LoadState=loaded ActiveState=activating SubState=auto-restart FragmentPath=/lib/systemd/system/kubelet.service DropInPaths=/etc/systemd/system/kubelet.service.d/10-kubeadm.conf UnitFileState=enabled UnitFilePreset=enabled StateChangeTimestamp=Thu 2019-11-21 13:16:41 EET StateChangeTimestampMonotonic=73933149119 InactiveExitTimestamp=Thu 2019-11-21 13:16:41 EET InactiveExitTimestampMonotonic=73933149119 ActiveEnterTimestamp=Thu 2019-11-21 13:16:41 EET ActiveEnterTimestampMonotonic=73933088931 ActiveExitTimestamp=Thu 2019-11-21 13:16:41 EET ActiveExitTimestampMonotonic=73933148702 InactiveEnterTimestamp=Thu 2019-11-21 13:16:41 EET InactiveEnterTimestampMonotonic=73933148702 CanStart=yes CanStop=yes CanReload=no CanIsolate=no StopWhenUnneeded=no RefuseManualStart=no RefuseManualStop=no AllowIsolate=no DefaultDependencies=yes OnFailureJobMode=replace IgnoreOnIsolate=no NeedDaemonReload=no JobTimeoutUSec=infinity JobRunningTimeoutUSec=infinity JobTimeoutAction=none ConditionResult=yes AssertResult=yes ConditionTimestamp=Thu 2019-11-21 13:16:41 EET ConditionTimestampMonotonic=73933086508 AssertTimestamp=Thu 2019-11-21 13:16:41 EET AssertTimestampMonotonic=73933086509 Transient=no Perpetual=no StartLimitIntervalUSec=0 StartLimitBurst=5 StartLimitAction=none FailureAction=none SuccessAction=none InvocationID=10ad90b90d5446a4a624bf71b0effa19 CollectMode=inactive ``` Have `crio` ## crio Output of "`crio --version`": ``` crio version 1.15.3-dev commit: unknown ``` Output of "`systemctl show crio`": ``` Type=notify Restart=on-abnormal NotifyAccess=main RestartUSec=100ms TimeoutStartUSec=infinity TimeoutStopUSec=1min 30s RuntimeMaxUSec=infinity WatchdogUSec=0 WatchdogTimestamp=Wed 2019-11-20 16:53:14 EET WatchdogTimestampMonotonic=526071250 PermissionsStartOnly=no RootDirectoryStartOnly=no RemainAfterExit=no GuessMainPID=yes MainPID=4094 ControlPID=0 FileDescriptorStoreMax=0 NFileDescriptorStore=0 StatusErrno=0 Result=success UID=[not set] GID=[not set] NRestarts=0 ExecMainStartTimestamp=Wed 2019-11-20 16:53:12 EET ExecMainStartTimestampMonotonic=524153772 ExecMainExitTimestampMonotonic=0 ExecMainPID=4094 ExecMainCode=0 ExecMainStatus=0 ExecStart={ path=/usr/local/bin/crio ; argv[]=/usr/local/bin/crio $CRIO_STORAGE_OPTIONS $CRIO_NETWORK_OPTIONS $CRIO_METRICS_OPTIONS ; ignore_errors=no ; start_time=[Wed 2019-11-20 16:53:12 EET] ; stop_time=[n/a] ; pid=4094 ; code=(null) ; status=0/0 } ExecReload={ path=/bin/kill ; argv[]=/bin/kill -s HUP $MAINPID ; ignore_errors=no ; start_time=[n/a] ; stop_time=[n/a] ; pid=0 ; code=(null) ; status=0/0 } Slice=system.slice ControlGroup=/system.slice/crio.service MemoryCurrent=[not set] CPUUsageNSec=[not set] TasksCurrent=26 IPIngressBytes=18446744073709551615 IPIngressPackets=18446744073709551615 IPEgressBytes=18446744073709551615 IPEgressPackets=18446744073709551615 Delegate=no CPUAccounting=no CPUWeight=[not set] StartupCPUWeight=[not set] CPUShares=[not set] StartupCPUShares=[not set] CPUQuotaPerSecUSec=infinity IOAccounting=no IOWeight=[not set] StartupIOWeight=[not set] BlockIOAccounting=no BlockIOWeight=[not set] StartupBlockIOWeight=[not set] MemoryAccounting=no MemoryLow=0 MemoryHigh=infinity MemoryMax=infinity MemorySwapMax=infinity MemoryLimit=infinity DevicePolicy=auto TasksAccounting=yes TasksMax=infinity IPAccounting=no Environment=GOTRACEBACK=crash EnvironmentFile=/etc/sysconfig/crio (ignore_errors=yes) UMask=0022 LimitCPU=infinity LimitCPUSoft=infinity LimitFSIZE=infinity LimitFSIZESoft=infinity LimitDATA=infinity LimitDATASoft=infinity LimitSTACK=infinity LimitSTACKSoft=8388608 LimitCORE=infinity LimitCORESoft=infinity LimitRSS=infinity LimitRSSSoft=infinity LimitNOFILE=1048576 LimitNOFILESoft=1048576 LimitAS=infinity LimitASSoft=infinity LimitNPROC=1048576 LimitNPROCSoft=1048576 LimitMEMLOCK=16777216 LimitMEMLOCKSoft=16777216 LimitLOCKS=infinity LimitLOCKSSoft=infinity LimitSIGPENDING=127818 LimitSIGPENDINGSoft=127818 LimitMSGQUEUE=819200 LimitMSGQUEUESoft=819200 LimitNICE=0 LimitNICESoft=0 LimitRTPRIO=0 LimitRTPRIOSoft=0 LimitRTTIME=infinity LimitRTTIMESoft=infinity OOMScoreAdjust=-999 Nice=0 IOSchedulingClass=0 IOSchedulingPriority=0 CPUSchedulingPolicy=0 CPUSchedulingPriority=0 TimerSlackNSec=50000 CPUSchedulingResetOnFork=no NonBlocking=no StandardInput=null StandardInputData= StandardOutput=journal StandardError=inherit TTYReset=no TTYVHangup=no TTYVTDisallocate=no SyslogPriority=30 SyslogLevelPrefix=yes SyslogLevel=6 SyslogFacility=3 LogLevelMax=-1 SecureBits=0 CapabilityBoundingSet=cap_chown cap_dac_override cap_dac_read_search cap_fowner cap_fsetid cap_kill cap_setgid cap_setuid cap_setpcap cap_linux_immutable cap_net_bind_service cap_net_broadcast cap_net_admin cap_net_raw cap_ipc_lock cap_ipc_owner cap_sys_module cap_sys_rawio cap_sys_chroot cap_sys_ptrace cap_sys_pacct cap_sys_admin cap_sys_boot cap_sys_nice cap_sys_resource cap_sys_time cap_sys_tty_config cap_mknod cap_lease cap_audit_write cap_audit_control cap_setfcap cap_mac_override cap_mac_admin cap_syslog cap_wake_alarm cap_block_suspend AmbientCapabilities= DynamicUser=no RemoveIPC=no MountFlags= PrivateTmp=no PrivateDevices=no ProtectKernelTunables=no ProtectKernelModules=no ProtectControlGroups=no PrivateNetwork=no PrivateUsers=no ProtectHome=no ProtectSystem=no SameProcessGroup=no UtmpMode=init IgnoreSIGPIPE=yes NoNewPrivileges=no SystemCallErrorNumber=0 LockPersonality=no RuntimeDirectoryPreserve=no RuntimeDirectoryMode=0755 StateDirectoryMode=0755 CacheDirectoryMode=0755 LogsDirectoryMode=0755 ConfigurationDirectoryMode=0755 MemoryDenyWriteExecute=no RestrictRealtime=no RestrictNamespaces=no MountAPIVFS=no KeyringMode=private KillMode=control-group KillSignal=15 SendSIGKILL=yes SendSIGHUP=no Id=crio.service Names=crio.service Requires=system.slice sysinit.target Wants=network-online.target Conflicts=shutdown.target Before=shutdown.target After=basic.target network-online.target systemd-journald.socket sysinit.target system.slice Documentation=https://github.com/cri-o/cri-o Description=Open Container Initiative Daemon LoadState=loaded ActiveState=active SubState=running FragmentPath=/usr/local/lib/systemd/system/crio.service UnitFileState=disabled UnitFilePreset=enabled StateChangeTimestamp=Wed 2019-11-20 16:53:14 EET StateChangeTimestampMonotonic=526071251 InactiveExitTimestamp=Wed 2019-11-20 16:53:12 EET InactiveExitTimestampMonotonic=524153790 ActiveEnterTimestamp=Wed 2019-11-20 16:53:14 EET ActiveEnterTimestampMonotonic=526071251 ActiveExitTimestampMonotonic=0 InactiveEnterTimestampMonotonic=0 CanStart=yes CanStop=yes CanReload=yes CanIsolate=no StopWhenUnneeded=no RefuseManualStart=no RefuseManualStop=no AllowIsolate=no DefaultDependencies=yes OnFailureJobMode=replace IgnoreOnIsolate=no NeedDaemonReload=no JobTimeoutUSec=infinity JobRunningTimeoutUSec=infinity JobTimeoutAction=none ConditionResult=yes AssertResult=yes ConditionTimestamp=Wed 2019-11-20 16:53:12 EET ConditionTimestampMonotonic=524153216 AssertTimestamp=Wed 2019-11-20 16:53:12 EET AssertTimestampMonotonic=524153217 Transient=no Perpetual=no StartLimitIntervalUSec=10s StartLimitBurst=5 StartLimitAction=none FailureAction=none SuccessAction=none InvocationID=ff88cfa87f7a48288631a1dac8318465 CollectMode=inactive ``` Output of "`cat /etc/crio/crio.conf`": ``` [crio] root = "/var/lib/containers/storage" # directory where the reference to the images are stored runroot = "/var/run/containers/storage" # directory where the layer for new containers is created file_locking = false file_locking_path = "/run/crio.lock" storage_driver = "devicemapper" # List to pass options to the storage driver. Please refer to # containers-storage.conf(5) to see all available storage options. storage_option = [ "dm.directlvm_device=/dev/sda2", # CHANGE ACCORDING TO YOUR PHYSICAL VOLUME "dm.directlvm_device_force=true", "dm.thinp_percent=95", "dm.thinp_metapercent=1", "dm.thinp_autoextend_threshold=80", "dm.thinp_autoextend_percent=20" ] [crio.api] listen = "/var/run/crio/crio.sock" stream_address = "127.0.0.1" stream_port = "0" # Enable encrypted TLS transport of the stream server. stream_enable_tls = false # Path to the x509 certificate file used to serve the encrypted stream. This # file can change, and CRI-O will automatically pick up the changes within 5 # minutes. stream_tls_cert = "" # Path to the key file used to serve the encrypted stream. This file can # change, and CRI-O will automatically pick up the changes within 5 minutes. stream_tls_key = "" # Path to the x509 CA(s) file used to verify and authenticate client # communication with the encrypted stream. This file can change, and CRI-O will # automatically pick up the changes within 5 minutes. stream_tls_ca = "" # Maximum grpc send message size in bytes. If not set or <=0, then CRI-O will default to 16 * 1024 * 1024. grpc_max_send_msg_size = 16777216 # Maximum grpc receive message size. If not set or <= 0, then CRI-O will default to 16 * 1024 * 1024. grpc_max_recv_msg_size = 16777216 [crio.runtime] manage_network_ns_lifecycle = true default_runtime = "runc" no_pivot = false conmon = "/usr/local/libexec/crio/conmon" # safe to check this path exists conmon_env = [ "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", ] selinux = false seccomp_profile = "/etc/crio/seccomp.json" apparmor_profile = "crio-default" cgroup_manager = "cgroupfs" default_capabilities = [ "CHOWN", "DAC_OVERRIDE", "FSETID", "FOWNER", "NET_RAW", "SETGID", "SETUID", "SETPCAP", "NET_BIND_SERVICE", "SYS_CHROOT", "KILL", ] pids_limit = 1024 log_size_max = -1 # Path to directory in which container exit files are written to by conmon. container_exits_dir = "/var/run/crio/exits" # Path to directory for container attach sockets. container_attach_socket_dir = "/var/run/crio" # If set to true, all containers will run in read-only mode. read_only = false # Changes the verbosity of the logs based on the level it is set to. Options # are fatal, panic, error, warn, info, and debug. log_level = "error" # The UID mappings for the user namespace of each container. A range is # specified in the form containerUID:HostUID:Size. Multiple ranges must be # separated by comma. uid_mappings = "" # The GID mappings for the user namespace of each container. A range is # specified in the form containerGID:HostGID:Size. Multiple ranges must be # separated by comma. gid_mappings = "" # The minimal amount of time in seconds to wait before issuing a timeout # regarding the proper termination of the container. ctr_stop_timeout = 0 # The "crio.runtime.runtimes" table defines a list of OCI compatible runtimes. # The runtime to use is picked based on the runtime_handler provided by the CRI. # If no runtime_handler is provided, the runtime will be picked based on the level # of trust of the workload. [crio.runtime.runtimes.runc] runtime_path = "/usr/sbin/runc" # Be careful that these 3 paths actually match on disk [crio.runtime.runtimes.kata] runtime_path = "/usr/bin/kata-runtime" [crio.runtime.runtimes.kata-fc] runtime_path = "/usr/bin/kata-fc" [crio.image] default_transport = "docker://" pause_image = "k8s.gcr.io/pause:3.1" pause_command = "/pause" signature_policy = "" image_volumes = "mkdir" # CHANGE THE INSECURE REGS ACCORDING TO YOUR OWN SETUP insecure_registries = [ "192.168.1.99:5000","192.168.1.99:6000", "192.168.1.99:7000", "192.168.1.99:2501", "192.168.1.99:2601", ] registries = [ "docker.io", "registry-1.docker.io", "index.docker.io", ] [crio.network] network_dir = "/etc/cni/net.d" plugin_dir = "/opt/cni/bin" ``` Have `containerd` ## containerd Output of "`containerd --version`": ``` containerd github.com/containerd/containerd v1.3.0-beta.2 640860a042b93c26c0a33081ee02230def486f81 ``` Output of "`systemctl show containerd`": ``` Type=simple Restart=no NotifyAccess=none RestartUSec=100ms TimeoutStartUSec=1min 30s TimeoutStopUSec=1min 30s RuntimeMaxUSec=infinity WatchdogUSec=0 WatchdogTimestamp=Thu 2019-11-21 10:31:58 EET WatchdogTimestampMonotonic=64049417491 PermissionsStartOnly=no RootDirectoryStartOnly=no RemainAfterExit=no GuessMainPID=yes MainPID=1929 ControlPID=0 FileDescriptorStoreMax=0 NFileDescriptorStore=0 StatusErrno=0 Result=success UID=[not set] GID=[not set] NRestarts=0 ExecMainStartTimestamp=Thu 2019-11-21 10:31:58 EET ExecMainStartTimestampMonotonic=64049417404 ExecMainExitTimestampMonotonic=0 ExecMainPID=1929 ExecMainCode=0 ExecMainStatus=0 ExecStartPre={ path=/sbin/modprobe ; argv[]=/sbin/modprobe overlay ; ignore_errors=yes ; start_time=[Thu 2019-11-21 10:31:58 EET] ; stop_time=[Thu 2019-11-21 10:31:58 EET] ; pid=1914 ; code=exited ; status=0 } ExecStart={ path=/usr/bin/containerd ; argv[]=/usr/bin/containerd ; ignore_errors=no ; start_time=[Thu 2019-11-21 10:31:58 EET] ; stop_time=[n/a] ; pid=1929 ; code=(null) ; status=0/0 } Slice=system.slice ControlGroup=/system.slice/containerd.service MemoryCurrent=[not set] CPUUsageNSec=[not set] TasksCurrent=18 IPIngressBytes=18446744073709551615 IPIngressPackets=18446744073709551615 IPEgressBytes=18446744073709551615 IPEgressPackets=18446744073709551615 Delegate=yes DelegateControllers=cpu cpuacct io blkio memory devices pids CPUAccounting=no CPUWeight=[not set] StartupCPUWeight=[not set] CPUShares=[not set] StartupCPUShares=[not set] CPUQuotaPerSecUSec=infinity IOAccounting=no IOWeight=[not set] StartupIOWeight=[not set] BlockIOAccounting=no BlockIOWeight=[not set] StartupBlockIOWeight=[not set] MemoryAccounting=no MemoryLow=0 MemoryHigh=infinity MemoryMax=infinity MemorySwapMax=infinity MemoryLimit=infinity DevicePolicy=auto TasksAccounting=yes TasksMax=infinity IPAccounting=no UMask=0022 LimitCPU=infinity LimitCPUSoft=infinity LimitFSIZE=infinity LimitFSIZESoft=infinity LimitDATA=infinity LimitDATASoft=infinity LimitSTACK=infinity LimitSTACKSoft=8388608 LimitCORE=infinity LimitCORESoft=infinity LimitRSS=infinity LimitRSSSoft=infinity LimitNOFILE=1048576 LimitNOFILESoft=1048576 LimitAS=infinity LimitASSoft=infinity LimitNPROC=infinity LimitNPROCSoft=infinity LimitMEMLOCK=16777216 LimitMEMLOCKSoft=16777216 LimitLOCKS=infinity LimitLOCKSSoft=infinity LimitSIGPENDING=127818 LimitSIGPENDINGSoft=127818 LimitMSGQUEUE=819200 LimitMSGQUEUESoft=819200 LimitNICE=0 LimitNICESoft=0 LimitRTPRIO=0 LimitRTPRIOSoft=0 LimitRTTIME=infinity LimitRTTIMESoft=infinity OOMScoreAdjust=0 Nice=0 IOSchedulingClass=0 IOSchedulingPriority=0 CPUSchedulingPolicy=0 CPUSchedulingPriority=0 TimerSlackNSec=50000 CPUSchedulingResetOnFork=no NonBlocking=no StandardInput=null StandardInputData= StandardOutput=journal StandardError=inherit TTYReset=no TTYVHangup=no TTYVTDisallocate=no SyslogPriority=30 SyslogLevelPrefix=yes SyslogLevel=6 SyslogFacility=3 LogLevelMax=-1 SecureBits=0 CapabilityBoundingSet=cap_chown cap_dac_override cap_dac_read_search cap_fowner cap_fsetid cap_kill cap_setgid cap_setuid cap_setpcap cap_linux_immutable cap_net_bind_service cap_net_broadcast cap_net_admin cap_net_raw cap_ipc_lock cap_ipc_owner cap_sys_module cap_sys_rawio cap_sys_chroot cap_sys_ptrace cap_sys_pacct cap_sys_admin cap_sys_boot cap_sys_nice cap_sys_resource cap_sys_time cap_sys_tty_config cap_mknod cap_lease cap_audit_write cap_audit_control cap_setfcap cap_mac_override cap_mac_admin cap_syslog cap_wake_alarm cap_block_suspend AmbientCapabilities= DynamicUser=no RemoveIPC=no MountFlags= PrivateTmp=no PrivateDevices=no ProtectKernelTunables=no ProtectKernelModules=no ProtectControlGroups=no PrivateNetwork=no PrivateUsers=no ProtectHome=no ProtectSystem=no SameProcessGroup=no UtmpMode=init IgnoreSIGPIPE=yes NoNewPrivileges=no SystemCallErrorNumber=0 LockPersonality=no RuntimeDirectoryPreserve=no RuntimeDirectoryMode=0755 StateDirectoryMode=0755 CacheDirectoryMode=0755 LogsDirectoryMode=0755 ConfigurationDirectoryMode=0755 MemoryDenyWriteExecute=no RestrictRealtime=no RestrictNamespaces=no MountAPIVFS=no KeyringMode=private KillMode=process KillSignal=15 SendSIGKILL=yes SendSIGHUP=no Id=containerd.service Names=containerd.service Requires=system.slice sysinit.target BoundBy=docker.service Conflicts=shutdown.target Before=docker.service shutdown.target After=system.slice basic.target network.target sysinit.target systemd-journald.socket Documentation=https://containerd.io Description=containerd container runtime LoadState=loaded ActiveState=active SubState=running FragmentPath=/lib/systemd/system/containerd.service UnitFileState=disabled UnitFilePreset=enabled StateChangeTimestamp=Thu 2019-11-21 10:31:58 EET StateChangeTimestampMonotonic=64049417493 InactiveExitTimestamp=Thu 2019-11-21 10:31:58 EET InactiveExitTimestampMonotonic=64049404155 ActiveEnterTimestamp=Thu 2019-11-21 10:31:58 EET ActiveEnterTimestampMonotonic=64049417493 ActiveExitTimestampMonotonic=0 InactiveEnterTimestampMonotonic=0 CanStart=yes CanStop=yes CanReload=no CanIsolate=no StopWhenUnneeded=no RefuseManualStart=no RefuseManualStop=no AllowIsolate=no DefaultDependencies=yes OnFailureJobMode=replace IgnoreOnIsolate=no NeedDaemonReload=no JobTimeoutUSec=infinity JobRunningTimeoutUSec=infinity JobTimeoutAction=none ConditionResult=yes AssertResult=yes ConditionTimestamp=Thu 2019-11-21 10:31:58 EET ConditionTimestampMonotonic=64049403076 AssertTimestamp=Thu 2019-11-21 10:31:58 EET AssertTimestampMonotonic=64049403077 Transient=no Perpetual=no StartLimitIntervalUSec=10s StartLimitBurst=5 StartLimitAction=none FailureAction=none SuccessAction=none InvocationID=122623b568d24699bb3f915a4e42b4e4 CollectMode=inactive ``` Output of "`cat /etc/containerd/config.toml`": ``` [plugins] [plugins.cri] [plugins.cri.containerd] snapshotter = "devmapper" no_pivot = false [plugins.cri.containerd.runtimes] [plugins.cri.containerd.runtimes.runc] runtime_type = "io.containerd.runc.v1" [plugins.cri.containerd.runtimes.runc.options] NoPivotRoot = false NoNewKeyring = false ShimCgroup = "" IoUid = 0 IoGid = 0 BinaryName = "runc" Root = "" CriuPath = "" SystemdCgroup = false [plugins.cri.containerd.runtimes.kata] runtime_type = "io.containerd.kata.v2" [plugins.cri.containerd.runtimes.kata.options] ConfigPath = "/usr/share/defaults/kata-containers/configuration.toml" [plugins.cri.containerd.runtimes.kata-firecracker] runtime_type = "io.containerd.katafc.v2" [plugins.cri.registry.mirrors] [plugins.cri.registry.mirrors."docker.io"] endpoint = ["https://registry-1.docker.io"] [plugins.cri.registry.mirrors."192.168.1.99:2501"] endpoint = ["http://192.168.1.99:2501"] [plugins.cri.registry.mirrors."192.168.1.99:4999"] endpoint = ["http://192.168.1.99:5000"] [plugins.devmapper] pool_name = "contd-thin--pool" base_image_size = "10GB" ``` --- # Packages Have `dpkg` Output of "`dpkg -l|egrep "(cc-oci-runtimecc-runtimerunv|kata-proxy|kata-runtime|kata-shim|kata-ksm-throttler|kata-containers-image|linux-container|qemu-)"`": ``` ii kata-containers-image 1.9.1-5 amd64 Kata containers image ii kata-ksm-throttler 1.9.1-5 amd64 ii kata-linux-container 4.19.75.54-5 amd64 linux kernel optimised for container-like workloads. ii kata-proxy 1.9.1-5 amd64 ii kata-runtime 1.9.1-5 amd64 ii kata-shim 1.9.1-5 amd64 ii qemu-lite 2.11.0+git.87517afd72-5 amd64 linux kernel optimised for container-like workloads. ii qemu-vanilla 4.1.0+git.9e06029aea-5 amd64 linux kernel optimised for container-like workloads. ``` No `rpm`
grahamwhaley commented 4 years ago

Thanks for the report @Dodan . Would you be able to try a couple of things to see if we can find some more clues...

1) before you quit the container where the failure happened, can you do a dmesg in it to get the kernel logs, to see if there was any OOM for instance (adding an exec -ti dmesg command to your test script may do it. 2) Could you run the failing command under strace, so we can capture a log of the system calls, and then hopefully we can find the failing system call (near the end of the logs), and that might provide clues as to where the error is.

thanks!

devimc commented 4 years ago

adding it to the queue

Dodan commented 4 years ago

Hello @grahamwhaley We gathered some logs using dmesg after each command given to the container and ran the install of build essential with strace. We put the logs in the attached file as the markdown rules were mangling the logs.

This is the Kata-Firecracker case, which fails. dmesg_strace_kata_firecracker_log.txt

devimc commented 4 years ago

Hi @Dodan I can't reproduce this issue,

crio version 1.15.0
commit: "485227d727401fa0472a449b5df3b0537e314ebb"

firecracker 0.18.0

kata-runtime  : 1.9.1
   commit   : b909cab6c40eacaca15038ab3f2706a634a50501
   OCI specs: 1.0.1-dev

Inside the container

# free -h
              total        used        free      shared  buff/cache   available
Mem:           2.0G         36M        1.9G         48K         37M        1.9G
Swap:            0B          0B          0B
# uname -a
Linux 4e40ad6b0d59 4.19.75 #1 SMP Wed Oct 9 00:11:25 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

the configuration file that you're sharing in the issue is for QEMU, can you share the configuration used for firecracker?

Dodan commented 4 years ago

@devimc This is interesting... On our setup, we manged to reproduce the issue on 2 separate machines with Ubuntu 18.04. Maybe we are doing something wrong.

Anyway, these are the configurations we use.

The script to launch kata-fc (a script we put /usr/bin/kata-fc):

#!/bin/bash
/usr/bin/kata-runtime --kata-config "/usr/share/defaults/kata-containers/configuration-fc.toml" $@

And this is the configuration file for firecracker (/usr/share/defaults/kata-containers/configuration-fc.toml)

```toml # Copyright (c) 2017-2019 Intel Corporation # # SPDX-License-Identifier: Apache-2.0 # # XXX: WARNING: this file is auto-generated. # XXX: # XXX: Source file: "cli/config/configuration-fc.toml.in" # XXX: Project: # XXX: Name: Kata Containers # XXX: Type: kata [hypervisor.firecracker] path = "/usr/bin/firecracker" # Path for the jailer specific to firecracker # If the jailer path is not set kata will launch firecracker # without a jail. If the jailer is set firecracker will be # launched in a jailed enviornment created by the jailer #jailer_path = "/usr/bin/jailer" kernel = "/usr/share/kata-containers/vmlinux.container" image = "/usr/share/kata-containers/kata-containers.img" # Optional space-separated list of options to pass to the guest kernel. # For example, use `kernel_params = "vsyscall=emulate"` if you are having # trouble running pre-2.15 glibc. # # WARNING: - any parameter specified here will take priority over the default # parameter value of the same name used to start the virtual machine. # Do not set values here unless you understand the impact of doing so as you # may stop the virtual machine from booting. # To see the list of default parameters, enable hypervisor debug, create a # container and look for 'default-kernel-parameters' log entries. kernel_params = "" # Default number of vCPUs per SB/VM: # unspecified or 0 --> will be set to 1 # < 0 --> will be set to the actual number of physical cores # > 0 <= number of physical cores --> will be set to the specified number # > number of physical cores --> will be set to the actual number of physical cores default_vcpus = 1 # Default maximum number of vCPUs per SB/VM: # unspecified or == 0 --> will be set to the actual number of physical cores or to the maximum number # of vCPUs supported by KVM if that number is exceeded # > 0 <= number of physical cores --> will be set to the specified number # > number of physical cores --> will be set to the actual number of physical cores or to the maximum number # of vCPUs supported by KVM if that number is exceeded # WARNING: Depending of the architecture, the maximum number of vCPUs supported by KVM is used when # the actual number of physical cores is greater than it. # WARNING: Be aware that this value impacts the virtual machine's memory footprint and CPU # the hotplug functionality. For example, `default_maxvcpus = 240` specifies that until 240 vCPUs # can be added to a SB/VM, but the memory footprint will be big. Another example, with # `default_maxvcpus = 8` the memory footprint will be small, but 8 will be the maximum number of # vCPUs supported by the SB/VM. In general, we recommend that you do not edit this variable, # unless you know what are you doing. default_maxvcpus = 0 # Bridges can be used to hot plug devices. # Limitations: # * Currently only pci bridges are supported # * Until 30 devices per bridge can be hot plugged. # * Until 5 PCI bridges can be cold plugged per VM. # This limitation could be a bug in the kernel # Default number of bridges per SB/VM: # unspecified or 0 --> will be set to 1 # > 1 <= 5 --> will be set to the specified number # > 5 --> will be set to 5 default_bridges = 1 # Default memory size in MiB for SB/VM. # If unspecified then it will be set 2048 MiB. default_memory = 2048 # # Default memory slots per SB/VM. # If unspecified then it will be set 10. # This is will determine the times that memory will be hotadded to sandbox/VM. #memory_slots = 10 # The size in MiB will be plused to max memory of hypervisor. # It is the memory address space for the NVDIMM devie. # If set block storage driver (block_device_driver) to "nvdimm", # should set memory_offset to the size of block device. # Default 0 #memory_offset = 0 # Disable block device from being used for a container's rootfs. # In case of a storage driver like devicemapper where a container's # root file system is backed by a block device, the block device is passed # directly to the hypervisor for performance reasons. # This flag prevents the block device from being passed to the hypervisor, # 9pfs is used instead to pass the rootfs. disable_block_device_use = false # Block storage driver to be used for the hypervisor in case the container # rootfs is backed by a block device. This is virtio-scsi, virtio-blk # or nvdimm. block_device_driver = "virtio-mmio" # Specifies cache-related options will be set to block devices or not. # Default false #block_device_cache_set = true # Specifies cache-related options for block devices. # Denotes whether use of O_DIRECT (bypass the host page cache) is enabled. # Default false #block_device_cache_direct = true # Specifies cache-related options for block devices. # Denotes whether flush requests for the device are ignored. # Default false #block_device_cache_noflush = true # Enable pre allocation of VM RAM, default false # Enabling this will result in lower container density # as all of the memory will be allocated and locked # This is useful when you want to reserve all the memory # upfront or in the cases where you want memory latencies # to be very predictable # Default false #enable_mem_prealloc = true # Enable huge pages for VM RAM, default false # Enabling this will result in the VM memory # being allocated using huge pages. # This is useful when you want to use vhost-user network # stacks within the container. This will automatically # result in memory pre allocation #enable_hugepages = true # Enable swap of vm memory. Default false. # The behaviour is undefined if mem_prealloc is also set to true #enable_swap = true # This option changes the default hypervisor and kernel parameters # to enable debug output where available. This extra output is added # to the proxy logs, but only when proxy debug is also enabled. # # Default false #enable_debug = true # Disable the customizations done in the runtime when it detects # that it is running on top a VMM. This will result in the runtime # behaving as it would when running on bare metal. # #disable_nesting_checks = true # This is the msize used for 9p shares. It is the number of bytes # used for 9p packet payload. #msize_9p = 8192 # If true and vsocks are supported, use vsocks to communicate directly # with the agent (no proxy is started). # Default true use_vsock = true # VFIO devices are hotplugged on a bridge by default. # Enable hotplugging on root bus. This may be required for devices with # a large PCI bar, as this is a current limitation with hotplugging on # a bridge. This value is valid for "pc" machine type. # Default false #hotplug_vfio_on_root_bus = true # If host doesn't support vhost_net, set to true. Thus we won't create vhost fds for nics. # Default false #disable_vhost_net = true # # Default entropy source. # The path to a host source of entropy (including a real hardware RNG) # /dev/urandom and /dev/random are two main options. # Be aware that /dev/random is a blocking source of entropy. If the host # runs out of entropy, the VMs boot time will increase leading to get startup # timeouts. # The source of entropy /dev/urandom is non-blocking and provides a # generally acceptable source of entropy. It should work well for pretty much # all practical purposes. #entropy_source= "/dev/urandom" # Path to OCI hook binaries in the *guest rootfs*. # This does not affect host-side hooks which must instead be added to # the OCI spec passed to the runtime. # # You can create a rootfs with hooks by customizing the osbuilder scripts: # https://github.com/kata-containers/osbuilder # # Hooks must be stored in a subdirectory of guest_hook_path according to their # hook type, i.e. "guest_hook_path/{prestart,postart,poststop}". # The agent will scan these directories for executable files and add them, in # lexicographical order, to the lifecycle of the guest container. # Hooks are executed in the runtime namespace of the guest. See the official documentation: # https://github.com/opencontainers/runtime-spec/blob/v1.0.1/config.md#posix-platform-hooks # Warnings will be logged if any error is encountered will scanning for hooks, # but it will not abort container execution. #guest_hook_path = "/usr/share/oci/hooks" [factory] # VM templating support. Once enabled, new VMs are created from template # using vm cloning. They will share the same initial kernel, initramfs and # agent memory by mapping it readonly. It helps speeding up new container # creation and saves a lot of memory if there are many kata containers running # on the same host. # # When disabled, new VMs are created from scratch. # # Note: Requires "initrd=" to be set ("image=" is not supported). # # Default false #enable_template = true [shim.kata] path = "/usr/libexec/kata-containers/kata-shim" # If enabled, shim messages will be sent to the system log # (default: disabled) #enable_debug = true # If enabled, the shim will create opentracing.io traces and spans. # (See https://www.jaegertracing.io/docs/getting-started). # # Note: By default, the shim runs in a separate network namespace. Therefore, # to allow it to send trace details to the Jaeger agent running on the host, # it is necessary to set 'disable_new_netns=true' so that it runs in the host # network namespace. # # (default: disabled) #enable_tracing = true [agent.kata] # If enabled, make the agent display debug-level messages. # (default: disabled) #enable_debug = true # Enable agent tracing. # # If enabled, the default trace mode is "dynamic" and the # default trace type is "isolated". The trace mode and type are set # explicity with the `trace_type=` and `trace_mode=` options. # # Notes: # # - Tracing is ONLY enabled when `enable_tracing` is set: explicitly # setting `trace_mode=` and/or `trace_type=` without setting `enable_tracing` # will NOT activate agent tracing. # # - See https://github.com/kata-containers/agent/blob/master/TRACING.md for # full details. # # (default: disabled) #enable_tracing = true # #trace_mode = "dynamic" #trace_type = "isolated" # Comma separated list of kernel modules and their parameters. # These modules will be loaded in the guest kernel using modprobe(8). # The following example can be used to load two kernel modules with parameters # - kernel_modules=["e1000e InterruptThrottleRate=3000,3000,3000 EEE=1", "i915 enable_ppgtt=0"] # The first word is considered as the module name and the rest as its parameters. # Container will not be started when: # * A kernel module is specified and the modprobe command is not installed in the guest # or it fails loading the module. # * The module is not available in the guest or it doesn't met the guest kernel # requirements, like architecture and version. # kernel_modules=[] [netmon] # If enabled, the network monitoring process gets started when the # sandbox is created. This allows for the detection of some additional # network being added to the existing network namespace, after the # sandbox has been created. # (default: disabled) #enable_netmon = true # Specify the path to the netmon binary. path = "/usr/libexec/kata-containers/kata-netmon" # If enabled, netmon messages will be sent to the system log # (default: disabled) #enable_debug = true [runtime] # If enabled, the runtime will log additional debug messages to the # system log # (default: disabled) #enable_debug = true # # Internetworking model # Determines how the VM should be connected to the # the container network interface # Options: # # - bridged (Deprecated) # Uses a linux bridge to interconnect the container interface to # the VM. Works for most cases except macvlan and ipvlan. # ***NOTE: This feature has been deprecated with plans to remove this # feature in the future. Please use other network models listed below. # # - macvtap # Used when the Container network interface can be bridged using # macvtap. # # - none # Used when customize network. Only creates a tap device. No veth pair. # # - tcfilter # Uses tc filter rules to redirect traffic from the network interface # provided by plugin to a tap interface connected to the VM. # internetworking_model="tcfilter" # disable guest seccomp # Determines whether container seccomp profiles are passed to the virtual # machine and applied by the kata agent. If set to true, seccomp is not applied # within the guest # (default: true) disable_guest_seccomp=true # If enabled, the runtime will create opentracing.io traces and spans. # (See https://www.jaegertracing.io/docs/getting-started). # (default: disabled) #enable_tracing = true # If enabled, the runtime will not create a network namespace for shim and hypervisor processes. # This option may have some potential impacts to your host. It should only be used when you know what you're doing. # `disable_new_netns` conflicts with `enable_netmon` # `disable_new_netns` conflicts with `internetworking_model=bridged` and `internetworking_model=macvtap`. It works only # with `internetworking_model=none`. The tap device will be in the host network namespace and can connect to a bridge # (like OVS) directly. # If you are using docker, `disable_new_netns` only works with `docker run --net=none` # (default: false) #disable_new_netns = true # if enable, the runtime will add all the kata processes inside one dedicated cgroup. # The container cgroups in the host are not created, just one single cgroup per sandbox. # The sandbox cgroup is not constrained by the runtime # The runtime caller is free to restrict or collect cgroup stats of the overall Kata sandbox. # The sandbox cgroup path is the parent cgroup of a container with the PodSandbox annotation. # See: https://godoc.org/github.com/kata-containers/runtime/virtcontainers#ContainerType sandbox_cgroup_only=false # Enabled experimental feature list, format: ["a", "b"]. # Experimental features are features not stable enough for production, # They may break compatibility, and are prepared for a big version bump. # Supported experimental features: # 1. "newstore": new persist storage driver which breaks backward compatibility, # expected to move out of experimental in 2.0.0. # (default: []) experimental=[] ```
devimc commented 4 years ago

@Dodan I'm using the same Ubuntu version but different kernel, I'm using 4.15

devimc commented 4 years ago

I updated my kernel to 5.3.0-19 and still cannot reproduce this issue

Dodan commented 4 years ago

@devimc I'd have a few questions if you don't mind:

./kill_container.sh kata-fc
d3fac27a128019fb65a62a96c62a97975b3495f3498eea797106257d2bb95734
1
FATA[0000] Creating container failed: rpc error: code = Unknown desc = container create failed: [PATCH /drives/{drive_id}][400] patchGuestDriveByIdBadRequest  &{FaultMessage:Cannot open block device. Invalid permission/path.}
devimc commented 4 years ago

@Dodan

Are you using the Firecracker jailer when running the Kata-fc?

no, this is my configuration.toml

```toml [hypervisor.firecracker] path = "/usr/bin/firecracker" # Path for the jailer specific to firecracker # If the jailer path is not set kata will launch firecracker # without a jail. If the jailer is set firecracker will be # launched in a jailed enviornment created by the jailer #jailer_path = "/usr/bin/jailer" kernel = "/usr/share/kata-containers/vmlinux.container" image = "/usr/share/kata-containers/kata-containers.img" # Optional space-separated list of options to pass to the guest kernel. # For example, use `kernel_params = "vsyscall=emulate"` if you are having # trouble running pre-2.15 glibc. # # WARNING: - any parameter specified here will take priority over the default # parameter value of the same name used to start the virtual machine. # Do not set values here unless you understand the impact of doing so as you # may stop the virtual machine from booting. # To see the list of default parameters, enable hypervisor debug, create a # container and look for 'default-kernel-parameters' log entries. kernel_params = "" # Default number of vCPUs per SB/VM: # unspecified or 0 --> will be set to 1 # < 0 --> will be set to the actual number of physical cores # > 0 <= number of physical cores --> will be set to the specified number # > number of physical cores --> will be set to the actual number of physical cores default_vcpus = 1 # Default maximum number of vCPUs per SB/VM: # unspecified or == 0 --> will be set to the actual number of physical cores or to the maximum number # of vCPUs supported by KVM if that number is exceeded # > 0 <= number of physical cores --> will be set to the specified number # > number of physical cores --> will be set to the actual number of physical cores or to the maximum number # of vCPUs supported by KVM if that number is exceeded # WARNING: Depending of the architecture, the maximum number of vCPUs supported by KVM is used when # the actual number of physical cores is greater than it. # WARNING: Be aware that this value impacts the virtual machine's memory footprint and CPU # the hotplug functionality. For example, `default_maxvcpus = 240` specifies that until 240 vCPUs # can be added to a SB/VM, but the memory footprint will be big. Another example, with # `default_maxvcpus = 8` the memory footprint will be small, but 8 will be the maximum number of # vCPUs supported by the SB/VM. In general, we recommend that you do not edit this variable, # unless you know what are you doing. default_maxvcpus = 0 # Bridges can be used to hot plug devices. # Limitations: # * Currently only pci bridges are supported # * Until 30 devices per bridge can be hot plugged. # * Until 5 PCI bridges can be cold plugged per VM. # This limitation could be a bug in the kernel # Default number of bridges per SB/VM: # unspecified or 0 --> will be set to 1 # > 1 <= 5 --> will be set to the specified number # > 5 --> will be set to 5 default_bridges = 1 # Default memory size in MiB for SB/VM. # If unspecified then it will be set 2048 MiB. default_memory = 2048 # # Default memory slots per SB/VM. # If unspecified then it will be set 10. # This is will determine the times that memory will be hotadded to sandbox/VM. #memory_slots = 10 # The size in MiB will be plused to max memory of hypervisor. # It is the memory address space for the NVDIMM devie. # If set block storage driver (block_device_driver) to "nvdimm", # should set memory_offset to the size of block device. # Default 0 #memory_offset = 0 # Disable block device from being used for a container's rootfs. # In case of a storage driver like devicemapper where a container's # root file system is backed by a block device, the block device is passed # directly to the hypervisor for performance reasons. # This flag prevents the block device from being passed to the hypervisor, # 9pfs is used instead to pass the rootfs. disable_block_device_use = false # Block storage driver to be used for the hypervisor in case the container # rootfs is backed by a block device. This is virtio-scsi, virtio-blk # or nvdimm. block_device_driver = "virtio-mmio" # Specifies cache-related options will be set to block devices or not. # Default false #block_device_cache_set = true # Specifies cache-related options for block devices. # Denotes whether use of O_DIRECT (bypass the host page cache) is enabled. # Default false #block_device_cache_direct = true # Specifies cache-related options for block devices. # Denotes whether flush requests for the device are ignored. # Default false #block_device_cache_noflush = true # Enable pre allocation of VM RAM, default false # Enabling this will result in lower container density # as all of the memory will be allocated and locked # This is useful when you want to reserve all the memory # upfront or in the cases where you want memory latencies # to be very predictable # Default false #enable_mem_prealloc = true # Enable huge pages for VM RAM, default false # Enabling this will result in the VM memory # being allocated using huge pages. # This is useful when you want to use vhost-user network # stacks within the container. This will automatically # result in memory pre allocation #enable_hugepages = true # Enable swap of vm memory. Default false. # The behaviour is undefined if mem_prealloc is also set to true #enable_swap = true # This option changes the default hypervisor and kernel parameters # to enable debug output where available. This extra output is added # to the proxy logs, but only when proxy debug is also enabled. # # Default false #enable_debug = true # Disable the customizations done in the runtime when it detects # that it is running on top a VMM. This will result in the runtime # behaving as it would when running on bare metal. # #disable_nesting_checks = true # This is the msize used for 9p shares. It is the number of bytes # used for 9p packet payload. #msize_9p = 8192 # If true and vsocks are supported, use vsocks to communicate directly # with the agent (no proxy is started). # Default true use_vsock = true # VFIO devices are hotplugged on a bridge by default. # Enable hotplugging on root bus. This may be required for devices with # a large PCI bar, as this is a current limitation with hotplugging on # a bridge. This value is valid for "pc" machine type. # Default false #hotplug_vfio_on_root_bus = true # If host doesn't support vhost_net, set to true. Thus we won't create vhost fds for nics. # Default false #disable_vhost_net = true # # Default entropy source. # The path to a host source of entropy (including a real hardware RNG) # /dev/urandom and /dev/random are two main options. # Be aware that /dev/random is a blocking source of entropy. If the host # runs out of entropy, the VMs boot time will increase leading to get startup # timeouts. # The source of entropy /dev/urandom is non-blocking and provides a # generally acceptable source of entropy. It should work well for pretty much # all practical purposes. #entropy_source= "/dev/urandom" # Path to OCI hook binaries in the *guest rootfs*. # This does not affect host-side hooks which must instead be added to # the OCI spec passed to the runtime. # # You can create a rootfs with hooks by customizing the osbuilder scripts: # https://github.com/kata-containers/osbuilder # # Hooks must be stored in a subdirectory of guest_hook_path according to their # hook type, i.e. "guest_hook_path/{prestart,postart,poststop}". # The agent will scan these directories for executable files and add them, in # lexicographical order, to the lifecycle of the guest container. # Hooks are executed in the runtime namespace of the guest. See the official documentation: # https://github.com/opencontainers/runtime-spec/blob/v1.0.1/config.md#posix-platform-hooks # Warnings will be logged if any error is encountered will scanning for hooks, # but it will not abort container execution. #guest_hook_path = "/usr/share/oci/hooks" [factory] # VM templating support. Once enabled, new VMs are created from template # using vm cloning. They will share the same initial kernel, initramfs and # agent memory by mapping it readonly. It helps speeding up new container # creation and saves a lot of memory if there are many kata containers running # on the same host. # # When disabled, new VMs are created from scratch. # # Note: Requires "initrd=" to be set ("image=" is not supported). # # Default false #enable_template = true [shim.kata] path = "/usr/libexec/kata-containers/kata-shim" # If enabled, shim messages will be sent to the system log # (default: disabled) #enable_debug = true # If enabled, the shim will create opentracing.io traces and spans. # (See https://www.jaegertracing.io/docs/getting-started). # # Note: By default, the shim runs in a separate network namespace. Therefore, # to allow it to send trace details to the Jaeger agent running on the host, # it is necessary to set 'disable_new_netns=true' so that it runs in the host # network namespace. # # (default: disabled) #enable_tracing = true [agent.kata] # If enabled, make the agent display debug-level messages. # (default: disabled) #enable_debug = true # Enable agent tracing. # # If enabled, the default trace mode is "dynamic" and the # default trace type is "isolated". The trace mode and type are set # explicity with the `trace_type=` and `trace_mode=` options. # # Notes: # # - Tracing is ONLY enabled when `enable_tracing` is set: explicitly # setting `trace_mode=` and/or `trace_type=` without setting `enable_tracing` # will NOT activate agent tracing. # # - See https://github.com/kata-containers/agent/blob/master/TRACING.md for # full details. # # (default: disabled) #enable_tracing = true # #trace_mode = "dynamic" #trace_type = "isolated" # Comma separated list of kernel modules and their parameters. # These modules will be loaded in the guest kernel using modprobe(8). # The following example can be used to load two kernel modules with parameters # - kernel_modules=["e1000e InterruptThrottleRate=3000,3000,3000 EEE=1", "i915 enable_ppgtt=0"] # The first word is considered as the module name and the rest as its parameters. # Container will not be started when: # * A kernel module is specified and the modprobe command is not installed in the guest # or it fails loading the module. # * The module is not available in the guest or it doesn't met the guest kernel # requirements, like architecture and version. # kernel_modules=[] [netmon] # If enabled, the network monitoring process gets started when the # sandbox is created. This allows for the detection of some additional # network being added to the existing network namespace, after the # sandbox has been created. # (default: disabled) #enable_netmon = true # Specify the path to the netmon binary. path = "/usr/libexec/kata-containers/kata-netmon" # If enabled, netmon messages will be sent to the system log # (default: disabled) #enable_debug = true [runtime] # If enabled, the runtime will log additional debug messages to the # system log # (default: disabled) #enable_debug = true # # Internetworking model # Determines how the VM should be connected to the # the container network interface # Options: # # - bridged (Deprecated) # Uses a linux bridge to interconnect the container interface to # the VM. Works for most cases except macvlan and ipvlan. # ***NOTE: This feature has been deprecated with plans to remove this # feature in the future. Please use other network models listed below. # # - macvtap # Used when the Container network interface can be bridged using # macvtap. # # - none # Used when customize network. Only creates a tap device. No veth pair. # # - tcfilter # Uses tc filter rules to redirect traffic from the network interface # provided by plugin to a tap interface connected to the VM. # internetworking_model="tcfilter" # disable guest seccomp # Determines whether container seccomp profiles are passed to the virtual # machine and applied by the kata agent. If set to true, seccomp is not applied # within the guest # (default: true) disable_guest_seccomp=true # If enabled, the runtime will create opentracing.io traces and spans. # (See https://www.jaegertracing.io/docs/getting-started). # (default: disabled) #enable_tracing = true # If enabled, the runtime will not create a network namespace for shim and hypervisor processes. # This option may have some potential impacts to your host. It should only be used when you know what you're doing. # `disable_new_netns` conflicts with `enable_netmon` # `disable_new_netns` conflicts with `internetworking_model=bridged` and `internetworking_model=macvtap`. It works only # with `internetworking_model=none`. The tap device will be in the host network namespace and can connect to a bridge # (like OVS) directly. # If you are using docker, `disable_new_netns` only works with `docker run --net=none` # (default: false) #disable_new_netns = true # if enable, the runtime will add all the kata processes inside one dedicated cgroup. # The container cgroups in the host are not created, just one single cgroup per sandbox. # The sandbox cgroup is not constrained by the runtime # The runtime caller is free to restrict or collect cgroup stats of the overall Kata sandbox. # The sandbox cgroup path is the parent cgroup of a container with the PodSandbox annotation. # See: https://godoc.org/github.com/kata-containers/runtime/virtcontainers#ContainerType sandbox_cgroup_only=false # Enabled experimental feature list, format: ["a", "b"]. # Experimental features are features not stable enough for production, # They may break compatibility, and are prepared for a big version bump. # Supported experimental features: # 1. "newstore": new persist storage driver which breaks backward compatibility, # expected to move out of experimental in 2.0.0. # (default: []) experimental=[] ```

Are you using a custom / self-compiled version of Firecracker & jailer. We've been using the "stock" ones, given at these links below.

I'm using the same binaries

We've been using kernel 5.2.2. Do you think this might be a factor?

4.15 and 5.3 work for me, so I don't think, btw I'm not using bare metal, I'm running on VMs (nested virtualization), can you try out in an ubuntu VM?

Dodan commented 4 years ago

@devimc Sorry for the late reply.

We tested this in a VM with nested virtualization and, indeed, we had discovered that sometimes this doesn't replicate.

Still, we usually see that in about 4 out of cases we the 137 error code killing the process. We noticed that the bug is more likely to occur, when the processes are long running, so maybe we should add installing via apt something like nginx or apache.

It is quite trickier than we expected to find something that replicates this 100% of the times run. Any idea you might have regarding this would be greatly appreciated.

devimc commented 4 years ago

@Dodan I tried installing libreoffice + firefox in a loop and I couldn't reproduce it, Q. do you have enough space in your dm.directlvm_device ?

I'm using a loop device as dm.directlvm_device

$ dd if=/dev/zero of=disk.img bs=10M count=500
$ printf "g\nn\n\n\n\nw\n" | fdisk disk.img
$ sudo losetup --show -Pf disk.img 
/dev/loop1
$ sudo mkfs.ext4  /dev/loop1p1
Dodan commented 4 years ago

@devimc We have enough space on the lvm. We use a lvm derived from a physical volume with ~150 GB.

This is what we see when calling lvs

  LV       VG      Attr       LSize    Pool Origin Data%  Meta%  Move Log Cpy%Sync Convert
  thinpool storage twi-a-t--- <146.45g             0.16   1.03                            

We can try and see if it reproduces with a loop device.

Dodan commented 4 years ago

We tried reproducing this bug on a Centos machine with Kata 1.9.3, CRI-o 1.15.3 and kernel 5.4.2, and, indeed, the bug does not reproduce anymore.

We don't know which one of these differences solved the issues we were seeing, but we wanted to thank you for your support!

devimc commented 4 years ago

@Dodan you're welcome. I'm going to close this issue, feel free to re-open it if you can reduce it again.