Docker in Kata has low performance with bind mount or volume /var/lib/docker

[EastonLee]

Which feature do you think can be improved?

Docker in Kata performance

How can it be improved?

Docker pull can be faster

Additional Information

Nothing to add

Before raising this feature request

Have you looked at the limitations document?

Yes

First I found Docker in Kata can only start when --privileged is specified. But with the default kata-runtime, the DINK will fallback to vfs as storage driver, thus having bad performance, especially during the docker pull stage. Then I tried using bind mount and volume to mount /var/lib/docker. docker pull in Kata was still slow, docker pull ubuntu:latest took more than 1 minutes and docker pull python:latest took more than 8 minutes.

I can understand the 9pfs in default kata-runtime is not performant, but I can't understand why bind mount and volume are also slow, since the IO ops go to host filesystem.

The result of kata-collect-data.sh is pasted bellow

[EastonLee]

Show kata-collect-data.sh details

# Meta details Running `kata-collect-data.sh` version `1.11.0-alpha1 (commit )` at `2020-04-15.19:49:08.030969327+0800`. --- Runtime is `/usr/bin/kata-runtime`. # `kata-env` Output of "`/usr/bin/kata-runtime kata-env`": ```toml [Meta] Version = "1.0.24" [Runtime] Debug = false Trace = false DisableGuestSeccomp = true DisableNewNetNs = false SandboxCgroupOnly = false Path = "/usr/bin/kata-runtime" [Runtime.Version] OCI = "1.0.1-dev" [Runtime.Version.Version] Semver = "1.11.0-alpha1" Major = 1 Minor = 11 Patch = 0 Commit = "" [Runtime.Config] Path = "/usr/share/defaults/kata-containers/configuration.toml" [Hypervisor] MachineType = "pc" Version = "QEMU emulator version 4.1.1\nCopyright (c) 2003-2019 Fabrice Bellard and the QEMU Project developers" Path = "/usr/bin/qemu-vanilla-system-x86_64" BlockDeviceDriver = "virtio-scsi" EntropySource = "/dev/urandom" SharedFS = "virtio-9p" VirtioFSDaemon = "/usr/bin/virtiofsd" Msize9p = 8192 MemorySlots = 10 PCIeRootPort = 0 HotplugVFIOOnRootBus = false Debug = false UseVSock = false [Image] Path = "/usr/share/kata-containers/kata-containers-image_clearlinux_1.11.0-alpha1_agent_1f432c6896.img" [Kernel] Path = "/usr/share/kata-containers/vmlinuz-5.4.15.69-46.container" Parameters = "systemd.unit=kata-containers.target systemd.mask=systemd-networkd.service systemd.mask=systemd-networkd.socket" [Initrd] Path = "" [Proxy] Type = "kataProxy" Path = "/usr/libexec/kata-containers/kata-proxy" Debug = false [Proxy.Version] Semver = "1.11.0-alpha1-e7d2214" Major = 1 Minor = 11 Patch = 0 Commit = "e7d2214" [Shim] Type = "kataShim" Path = "/usr/libexec/kata-containers/kata-shim" Debug = false [Shim.Version] Semver = "1.11.0-alpha1-6a828a4" Major = 1 Minor = 11 Patch = 0 Commit = "6a828a4" [Agent] Type = "kata" Debug = false Trace = false TraceMode = "" TraceType = "" [Host] Kernel = "4.15.0-42-corp-generic" Architecture = "amd64" VMContainerCapable = true SupportVSocks = true [Host.Distro] Name = "Ubuntu" Version = "16.04" [Host.CPU] Vendor = "GenuineIntel" Model = "Intel(R) Xeon(R) CPU E5-2620 v4 @ 2.10GHz" [Netmon] Path = "/usr/libexec/kata-containers/kata-netmon" Debug = false Enable = false [Netmon.Version] Semver = "1.11.0-alpha1" Major = 1 Minor = 11 Patch = 0 Commit = "<>" ``` --- # Runtime config files ## Runtime default config files ``` /etc/kata-containers/configuration.toml /usr/share/defaults/kata-containers/configuration.toml ``` ## Runtime config file contents Config file `/etc/kata-containers/configuration.toml` not found Output of "`cat "/usr/share/defaults/kata-containers/configuration.toml"`": ```toml # Copyright (c) 2017-2019 Intel Corporation # # SPDX-License-Identifier: Apache-2.0 # # XXX: WARNING: this file is auto-generated. # XXX: # XXX: Source file: "cli/config/configuration-qemu.toml.in" # XXX: Project: # XXX: Name: Kata Containers # XXX: Type: kata [hypervisor.qemu] path = "/usr/bin/qemu-vanilla-system-x86_64" kernel = "/usr/share/kata-containers/vmlinuz.container" image = "/usr/share/kata-containers/kata-containers.img" machine_type = "pc" # Optional space-separated list of options to pass to the guest kernel. # For example, use `kernel_params = "vsyscall=emulate"` if you are having # trouble running pre-2.15 glibc. # # WARNING: - any parameter specified here will take priority over the default # parameter value of the same name used to start the virtual machine. # Do not set values here unless you understand the impact of doing so as you # may stop the virtual machine from booting. # To see the list of default parameters, enable hypervisor debug, create a # container and look for 'default-kernel-parameters' log entries. kernel_params = "" # Path to the firmware. # If you want that qemu uses the default firmware leave this option empty firmware = "" # Machine accelerators # comma-separated list of machine accelerators to pass to the hypervisor. # For example, `machine_accelerators = "nosmm,nosmbus,nosata,nopit,static-prt,nofw"` machine_accelerators="" # Default number of vCPUs per SB/VM: # unspecified or 0 --> will be set to 1 # < 0 --> will be set to the actual number of physical cores # > 0 <= number of physical cores --> will be set to the specified number # > number of physical cores --> will be set to the actual number of physical cores default_vcpus = 1 # Default maximum number of vCPUs per SB/VM: # unspecified or == 0 --> will be set to the actual number of physical cores or to the maximum number # of vCPUs supported by KVM if that number is exceeded # > 0 <= number of physical cores --> will be set to the specified number # > number of physical cores --> will be set to the actual number of physical cores or to the maximum number # of vCPUs supported by KVM if that number is exceeded # WARNING: Depending of the architecture, the maximum number of vCPUs supported by KVM is used when # the actual number of physical cores is greater than it. # WARNING: Be aware that this value impacts the virtual machine's memory footprint and CPU # the hotplug functionality. For example, `default_maxvcpus = 240` specifies that until 240 vCPUs # can be added to a SB/VM, but the memory footprint will be big. Another example, with # `default_maxvcpus = 8` the memory footprint will be small, but 8 will be the maximum number of # vCPUs supported by the SB/VM. In general, we recommend that you do not edit this variable, # unless you know what are you doing. default_maxvcpus = 0 # Bridges can be used to hot plug devices. # Limitations: # * Currently only pci bridges are supported # * Until 30 devices per bridge can be hot plugged. # * Until 5 PCI bridges can be cold plugged per VM. # This limitation could be a bug in qemu or in the kernel # Default number of bridges per SB/VM: # unspecified or 0 --> will be set to 1 # > 1 <= 5 --> will be set to the specified number # > 5 --> will be set to 5 default_bridges = 1 # Default memory size in MiB for SB/VM. # If unspecified then it will be set 2048 MiB. default_memory = 2048 # # Default memory slots per SB/VM. # If unspecified then it will be set 10. # This is will determine the times that memory will be hotadded to sandbox/VM. #memory_slots = 10 # The size in MiB will be plused to max memory of hypervisor. # It is the memory address space for the NVDIMM devie. # If set block storage driver (block_device_driver) to "nvdimm", # should set memory_offset to the size of block device. # Default 0 #memory_offset = 0 # Specifies virtio-mem will be enabled or not. # Please note that this option should be used with the command # "echo 1 > /proc/sys/vm/overcommit_memory". # Default false #enable_virtio_mem = true # Disable block device from being used for a container's rootfs. # In case of a storage driver like devicemapper where a container's # root file system is backed by a block device, the block device is passed # directly to the hypervisor for performance reasons. # This flag prevents the block device from being passed to the hypervisor, # 9pfs is used instead to pass the rootfs. disable_block_device_use = false # Shared file system type: # - virtio-9p (default) # - virtio-fs shared_fs = "virtio-9p" # Path to vhost-user-fs daemon. virtio_fs_daemon = "/usr/bin/virtiofsd" # Default size of DAX cache in MiB virtio_fs_cache_size = 1024 # Extra args for virtiofsd daemon # # Format example: # ["-o", "arg1=xxx,arg2", "-o", "hello world", "--arg3=yyy"] # # see `virtiofsd -h` for possible options. virtio_fs_extra_args = [] # Cache mode: # # - none # Metadata, data, and pathname lookup are not cached in guest. They are # always fetched from host and any changes are immediately pushed to host. # # - auto # Metadata and pathname lookup cache expires after a configured amount of # time (default is 1 second). Data is cached while the file is open (close # to open consistency). # # - always # Metadata, data, and pathname lookup are cached in guest and never expire. virtio_fs_cache = "always" # Block storage driver to be used for the hypervisor in case the container # rootfs is backed by a block device. This is virtio-scsi, virtio-blk # or nvdimm. block_device_driver = "virtio-scsi" # Specifies cache-related options will be set to block devices or not. # Default false #block_device_cache_set = true # Specifies cache-related options for block devices. # Denotes whether use of O_DIRECT (bypass the host page cache) is enabled. # Default false #block_device_cache_direct = true # Specifies cache-related options for block devices. # Denotes whether flush requests for the device are ignored. # Default false #block_device_cache_noflush = true # Enable iothreads (data-plane) to be used. This causes IO to be # handled in a separate IO thread. This is currently only implemented # for SCSI. # enable_iothreads = false # Enable pre allocation of VM RAM, default false # Enabling this will result in lower container density # as all of the memory will be allocated and locked # This is useful when you want to reserve all the memory # upfront or in the cases where you want memory latencies # to be very predictable # Default false #enable_mem_prealloc = true # Enable huge pages for VM RAM, default false # Enabling this will result in the VM memory # being allocated using huge pages. # This is useful when you want to use vhost-user network # stacks within the container. This will automatically # result in memory pre allocation #enable_hugepages = true # Enable vhost-user storage device, default false # Enabling this will result in some Linux reserved block type # major range 240-254 being chosen to represent vhost-user devices. enable_vhost_user_store = false # The base directory specifically used for vhost-user devices. # Its sub-path "block" is used for block devices; "block/sockets" is # where we expect vhost-user sockets to live; "block/devices" is where # simulated block device nodes for vhost-user devices to live. vhost_user_store_path = "/var/run/kata-containers/vhost-user" # Enable file based guest memory support. The default is an empty string which # will disable this feature. In the case of virtio-fs, this is enabled # automatically and '/dev/shm' is used as the backing folder. # This option will be ignored if VM templating is enabled. #file_mem_backend = "" # Enable swap of vm memory. Default false. # The behaviour is undefined if mem_prealloc is also set to true #enable_swap = true # This option changes the default hypervisor and kernel parameters # to enable debug output where available. This extra output is added # to the proxy logs, but only when proxy debug is also enabled. # # Default false #enable_debug = true # Disable the customizations done in the runtime when it detects # that it is running on top a VMM. This will result in the runtime # behaving as it would when running on bare metal. # #disable_nesting_checks = true # This is the msize used for 9p shares. It is the number of bytes # used for 9p packet payload. #msize_9p = 8192 # If true and vsocks are supported, use vsocks to communicate directly # with the agent and no proxy is started, otherwise use unix # sockets and start a proxy to communicate with the agent. # Default false #use_vsock = true # If false and nvdimm is supported, use nvdimm device to plug guest image. # Otherwise virtio-block device is used. # Default is false #disable_image_nvdimm = true # VFIO devices are hotplugged on a bridge by default. # Enable hotplugging on root bus. This may be required for devices with # a large PCI bar, as this is a current limitation with hotplugging on # a bridge. This value is valid for "pc" machine type. # Default false #hotplug_vfio_on_root_bus = true # Before hot plugging a PCIe device, you need to add a pcie_root_port device. # Use this parameter when using some large PCI bar devices, such as Nvidia GPU # The value means the number of pcie_root_port # This value is valid when hotplug_vfio_on_root_bus is true and machine_type is "q35" # Default 0 #pcie_root_port = 2 # If vhost-net backend for virtio-net is not desired, set to true. Default is false, which trades off # security (vhost-net runs ring0) for network I/O performance. #disable_vhost_net = true # # Default entropy source. # The path to a host source of entropy (including a real hardware RNG) # /dev/urandom and /dev/random are two main options. # Be aware that /dev/random is a blocking source of entropy. If the host # runs out of entropy, the VMs boot time will increase leading to get startup # timeouts. # The source of entropy /dev/urandom is non-blocking and provides a # generally acceptable source of entropy. It should work well for pretty much # all practical purposes. #entropy_source= "/dev/urandom" # Path to OCI hook binaries in the *guest rootfs*. # This does not affect host-side hooks which must instead be added to # the OCI spec passed to the runtime. # # You can create a rootfs with hooks by customizing the osbuilder scripts: # https://github.com/kata-containers/osbuilder # # Hooks must be stored in a subdirectory of guest_hook_path according to their # hook type, i.e. "guest_hook_path/{prestart,postart,poststop}". # The agent will scan these directories for executable files and add them, in # lexicographical order, to the lifecycle of the guest container. # Hooks are executed in the runtime namespace of the guest. See the official documentation: # https://github.com/opencontainers/runtime-spec/blob/v1.0.1/config.md#posix-platform-hooks # Warnings will be logged if any error is encountered will scanning for hooks, # but it will not abort container execution. #guest_hook_path = "/usr/share/oci/hooks" [factory] # VM templating support. Once enabled, new VMs are created from template # using vm cloning. They will share the same initial kernel, initramfs and # agent memory by mapping it readonly. It helps speeding up new container # creation and saves a lot of memory if there are many kata containers running # on the same host. # # When disabled, new VMs are created from scratch. # # Note: Requires "initrd=" to be set ("image=" is not supported). # # Default false #enable_template = true # Specifies the path of template. # # Default "/run/vc/vm/template" #template_path = "/run/vc/vm/template" # The number of caches of VMCache: # unspecified or == 0 --> VMCache is disabled # > 0 --> will be set to the specified number # # VMCache is a function that creates VMs as caches before using it. # It helps speed up new container creation. # The function consists of a server and some clients communicating # through Unix socket. The protocol is gRPC in protocols/cache/cache.proto. # The VMCache server will create some VMs and cache them by factory cache. # It will convert the VM to gRPC format and transport it when gets # requestion from clients. # Factory grpccache is the VMCache client. It will request gRPC format # VM and convert it back to a VM. If VMCache function is enabled, # kata-runtime will request VM from factory grpccache when it creates # a new sandbox. # # Default 0 #vm_cache_number = 0 # Specify the address of the Unix socket that is used by VMCache. # # Default /var/run/kata-containers/cache.sock #vm_cache_endpoint = "/var/run/kata-containers/cache.sock" [proxy.kata] path = "/usr/libexec/kata-containers/kata-proxy" # If enabled, proxy messages will be sent to the system log # (default: disabled) #enable_debug = true [shim.kata] path = "/usr/libexec/kata-containers/kata-shim" # If enabled, shim messages will be sent to the system log # (default: disabled) #enable_debug = true # If enabled, the shim will create opentracing.io traces and spans. # (See https://www.jaegertracing.io/docs/getting-started). # # Note: By default, the shim runs in a separate network namespace. Therefore, # to allow it to send trace details to the Jaeger agent running on the host, # it is necessary to set 'disable_new_netns=true' so that it runs in the host # network namespace. # # (default: disabled) #enable_tracing = true [agent.kata] # If enabled, make the agent display debug-level messages. # (default: disabled) #enable_debug = true # Enable agent tracing. # # If enabled, the default trace mode is "dynamic" and the # default trace type is "isolated". The trace mode and type are set # explicity with the `trace_type=` and `trace_mode=` options. # # Notes: # # - Tracing is ONLY enabled when `enable_tracing` is set: explicitly # setting `trace_mode=` and/or `trace_type=` without setting `enable_tracing` # will NOT activate agent tracing. # # - See https://github.com/kata-containers/agent/blob/master/TRACING.md for # full details. # # (default: disabled) #enable_tracing = true # #trace_mode = "dynamic" #trace_type = "isolated" # Comma separated list of kernel modules and their parameters. # These modules will be loaded in the guest kernel using modprobe(8). # The following example can be used to load two kernel modules with parameters # - kernel_modules=["e1000e InterruptThrottleRate=3000,3000,3000 EEE=1", "i915 enable_ppgtt=0"] # The first word is considered as the module name and the rest as its parameters. # Container will not be started when: # * A kernel module is specified and the modprobe command is not installed in the guest # or it fails loading the module. # * The module is not available in the guest or it doesn't met the guest kernel # requirements, like architecture and version. # kernel_modules=[] [netmon] # If enabled, the network monitoring process gets started when the # sandbox is created. This allows for the detection of some additional # network being added to the existing network namespace, after the # sandbox has been created. # (default: disabled) #enable_netmon = true # Specify the path to the netmon binary. path = "/usr/libexec/kata-containers/kata-netmon" # If enabled, netmon messages will be sent to the system log # (default: disabled) #enable_debug = true [runtime] # If enabled, the runtime will log additional debug messages to the # system log # (default: disabled) #enable_debug = true # # Internetworking model # Determines how the VM should be connected to the # the container network interface # Options: # # - macvtap # Used when the Container network interface can be bridged using # macvtap. # # - none # Used when customize network. Only creates a tap device. No veth pair. # # - tcfilter # Uses tc filter rules to redirect traffic from the network interface # provided by plugin to a tap interface connected to the VM. # internetworking_model="tcfilter" # disable guest seccomp # Determines whether container seccomp profiles are passed to the virtual # machine and applied by the kata agent. If set to true, seccomp is not applied # within the guest # (default: true) disable_guest_seccomp=true # If enabled, the runtime will create opentracing.io traces and spans. # (See https://www.jaegertracing.io/docs/getting-started). # (default: disabled) #enable_tracing = true # If enabled, the runtime will not create a network namespace for shim and hypervisor processes. # This option may have some potential impacts to your host. It should only be used when you know what you're doing. # `disable_new_netns` conflicts with `enable_netmon` # `disable_new_netns` conflicts with `internetworking_model=tcfilter` and `internetworking_model=macvtap`. It works only # with `internetworking_model=none`. The tap device will be in the host network namespace and can connect to a bridge # (like OVS) directly. # If you are using docker, `disable_new_netns` only works with `docker run --net=none` # (default: false) #disable_new_netns = true # if enabled, the runtime will add all the kata processes inside one dedicated cgroup. # The container cgroups in the host are not created, just one single cgroup per sandbox. # The runtime caller is free to restrict or collect cgroup stats of the overall Kata sandbox. # The sandbox cgroup path is the parent cgroup of a container with the PodSandbox annotation. # The sandbox cgroup is constrained if there is no container type annotation. # See: https://godoc.org/github.com/kata-containers/runtime/virtcontainers#ContainerType sandbox_cgroup_only=false # Enabled experimental feature list, format: ["a", "b"]. # Experimental features are features not stable enough for production, # they may break compatibility, and are prepared for a big version bump. # Supported experimental features: # (default: []) experimental=[] ``` --- # KSM throttler ## version Output of "`/usr/libexec/kata-ksm-throttler/kata-ksm-throttler --version`": ``` kata-ksm-throttler version 1.11.0-alpha1-7b2d85e ``` ## systemd service # Image details ```yaml --- osbuilder: url: "https://github.com/kata-containers/osbuilder" version: "unknown" rootfs-creation-time: "2020-04-02T21:30:47.329724816+0000Z" description: "osbuilder rootfs" file-format-version: "0.0.2" architecture: "x86_64" base-distro: name: "Clear" version: "32740" packages: default: - "chrony" - "iptables-bin" - "kmod-bin" - "libudev0-shim" - "systemd" - "util-linux-bin" extra: agent: url: "https://github.com/kata-containers/agent" name: "kata-agent" version: "1.11.0-alpha1-1f432c689651315b918801419d9b6efe268abccc" agent-is-init-daemon: "no" ``` --- # Initrd details No initrd --- # Logfiles ## Runtime logs Recent runtime problems found in system journal: ``` time="2020-04-15T16:16:00.426493338+08:00" level=warning msg="load sandbox devices failed" arch=amd64 command=create container=1a8b9ac07fca9d34d01ff33da8bbe6364e6398e7fea53db388aae8f1f541b16a error="open /run/vc/sbs/1a8b9ac07fca9d34d01ff33da8bbe6364e6398e7fea53db388aae8f1f541b16a/devices.json: no such file or directory" name=kata-runtime pid=324500 sandbox=1a8b9ac07fca9d34d01ff33da8bbe6364e6398e7fea53db388aae8f1f541b16a sandboxid=1a8b9ac07fca9d34d01ff33da8bbe6364e6398e7fea53db388aae8f1f541b16a source=virtcontainers subsystem=sandbox time="2020-04-15T16:16:00.521747194+08:00" level=info msg="sanner return error: read unix @->/run/vc/vm/1a8b9ac07fca9d34d01ff33da8bbe6364e6398e7fea53db388aae8f1f541b16a/qmp.sock: use of closed network connection" arch=amd64 command=create container=1a8b9ac07fca9d34d01ff33da8bbe6364e6398e7fea53db388aae8f1f541b16a name=kata-runtime pid=324500 source=virtcontainers subsystem=qmp time="2020-04-15T16:16:04.030653509+08:00" level=warning msg="sandbox's cgroup won't be updated: cgroup path is empty" arch=amd64 command=create container=1a8b9ac07fca9d34d01ff33da8bbe6364e6398e7fea53db388aae8f1f541b16a name=kata-runtime pid=324500 sandbox=1a8b9ac07fca9d34d01ff33da8bbe6364e6398e7fea53db388aae8f1f541b16a source=virtcontainers subsystem=sandbox time="2020-04-15T16:16:04.032043286+08:00" level=info msg="sanner return error: read unix @->/run/vc/vm/1a8b9ac07fca9d34d01ff33da8bbe6364e6398e7fea53db388aae8f1f541b16a/qmp.sock: use of closed network connection" arch=amd64 command=create container=1a8b9ac07fca9d34d01ff33da8bbe6364e6398e7fea53db388aae8f1f541b16a name=kata-runtime pid=324500 source=virtcontainers subsystem=qmp time="2020-04-15T16:32:03.561952554+08:00" level=warning msg="load sandbox devices failed" arch=amd64 command=create container=062b7af966ce4c7c4636b27e0ef01c4d06c3c958a01b7fc67280ecaa19840ce4 error="open /run/vc/sbs/062b7af966ce4c7c4636b27e0ef01c4d06c3c958a01b7fc67280ecaa19840ce4/devices.json: no such file or directory" name=kata-runtime pid=325147 sandbox=062b7af966ce4c7c4636b27e0ef01c4d06c3c958a01b7fc67280ecaa19840ce4 sandboxid=062b7af966ce4c7c4636b27e0ef01c4d06c3c958a01b7fc67280ecaa19840ce4 source=virtcontainers subsystem=sandbox time="2020-04-15T16:32:03.682098469+08:00" level=info msg="sanner return error: read unix @->/run/vc/vm/062b7af966ce4c7c4636b27e0ef01c4d06c3c958a01b7fc67280ecaa19840ce4/qmp.sock: use of closed network connection" arch=amd64 command=create container=062b7af966ce4c7c4636b27e0ef01c4d06c3c958a01b7fc67280ecaa19840ce4 name=kata-runtime pid=325147 source=virtcontainers subsystem=qmp time="2020-04-15T16:32:07.523269134+08:00" level=warning msg="sandbox's cgroup won't be updated: cgroup path is empty" arch=amd64 command=create container=062b7af966ce4c7c4636b27e0ef01c4d06c3c958a01b7fc67280ecaa19840ce4 name=kata-runtime pid=325147 sandbox=062b7af966ce4c7c4636b27e0ef01c4d06c3c958a01b7fc67280ecaa19840ce4 source=virtcontainers subsystem=sandbox time="2020-04-15T16:32:07.525098015+08:00" level=info msg="sanner return error: read unix @->/run/vc/vm/062b7af966ce4c7c4636b27e0ef01c4d06c3c958a01b7fc67280ecaa19840ce4/qmp.sock: use of closed network connection" arch=amd64 command=create container=062b7af966ce4c7c4636b27e0ef01c4d06c3c958a01b7fc67280ecaa19840ce4 name=kata-runtime pid=325147 source=virtcontainers subsystem=qmp time="2020-04-15T18:15:33.444358993+08:00" level=info msg="sanner return error: read unix @->/run/vc/vm/c3539333d434e8e95771ac21c52a5c5cc3b4925ae01e9149f9b1c76045bade2f/qmp.sock: use of closed network connection" arch=amd64 command=create container=c3539333d434e8e95771ac21c52a5c5cc3b4925ae01e9149f9b1c76045bade2f name=kata-runtime pid=326821 source=virtcontainers subsystem=qmp time="2020-04-15T18:15:37.551433159+08:00" level=warning msg="sandbox's cgroup won't be updated: cgroup path is empty" arch=amd64 command=create container=c3539333d434e8e95771ac21c52a5c5cc3b4925ae01e9149f9b1c76045bade2f name=kata-runtime pid=326821 sandbox=c3539333d434e8e95771ac21c52a5c5cc3b4925ae01e9149f9b1c76045bade2f source=virtcontainers subsystem=sandbox time="2020-04-15T18:15:37.553881032+08:00" level=info msg="sanner return error: read unix @->/run/vc/vm/c3539333d434e8e95771ac21c52a5c5cc3b4925ae01e9149f9b1c76045bade2f/qmp.sock: use of closed network connection" arch=amd64 command=create container=c3539333d434e8e95771ac21c52a5c5cc3b4925ae01e9149f9b1c76045bade2f name=kata-runtime pid=326821 source=virtcontainers subsystem=qmp time="2020-04-15T18:15:37.601296629+08:00" level=warning msg="failed to get sandbox config from old store: open /var/lib/vc/sbs/c3539333d434e8e95771ac21c52a5c5cc3b4925ae01e9149f9b1c76045bade2f/config.json: no such file or directory" arch=amd64 command=start container=c3539333d434e8e95771ac21c52a5c5cc3b4925ae01e9149f9b1c76045bade2f name=kata-runtime pid=326927 source=virtcontainers time="2020-04-15T18:15:37.603448778+08:00" level=warning msg="cgroups have not been created and cgroup path is empty" source=virtcontainers/pkg/cgroups time="2020-04-15T18:15:37.605189993+08:00" level=warning msg="failed to get sandbox config from old store: open /var/lib/vc/sbs/c3539333d434e8e95771ac21c52a5c5cc3b4925ae01e9149f9b1c76045bade2f/config.json: no such file or directory" arch=amd64 command=start container=c3539333d434e8e95771ac21c52a5c5cc3b4925ae01e9149f9b1c76045bade2f name=kata-runtime pid=326927 sandbox=c3539333d434e8e95771ac21c52a5c5cc3b4925ae01e9149f9b1c76045bade2f source=virtcontainers time="2020-04-15T18:15:37.605933601+08:00" level=warning msg="cgroups have not been created and cgroup path is empty" source=virtcontainers/pkg/cgroups time="2020-04-15T18:15:37.755914723+08:00" level=warning msg="failed to get sandbox config from old store: open /var/lib/vc/sbs/c3539333d434e8e95771ac21c52a5c5cc3b4925ae01e9149f9b1c76045bade2f/config.json: no such file or directory" arch=amd64 command=delete container=c3539333d434e8e95771ac21c52a5c5cc3b4925ae01e9149f9b1c76045bade2f name=kata-runtime pid=326946 source=virtcontainers time="2020-04-15T18:15:37.757561082+08:00" level=warning msg="cgroups have not been created and cgroup path is empty" source=virtcontainers/pkg/cgroups time="2020-04-15T18:15:37.860053901+08:00" level=warning msg="failed to get sandbox config from old store: open /var/lib/vc/sbs/c3539333d434e8e95771ac21c52a5c5cc3b4925ae01e9149f9b1c76045bade2f/config.json: no such file or directory" arch=amd64 command=delete container=c3539333d434e8e95771ac21c52a5c5cc3b4925ae01e9149f9b1c76045bade2f name=kata-runtime pid=326946 sandbox=c3539333d434e8e95771ac21c52a5c5cc3b4925ae01e9149f9b1c76045bade2f source=virtcontainers time="2020-04-15T18:15:37.860922975+08:00" level=warning msg="cgroups have not been created and cgroup path is empty" source=virtcontainers/pkg/cgroups time="2020-04-15T18:15:37.863505993+08:00" level=warning msg="failed to get sandbox config from old store: open /var/lib/vc/sbs/c3539333d434e8e95771ac21c52a5c5cc3b4925ae01e9149f9b1c76045bade2f/config.json: no such file or directory" arch=amd64 command=delete container=c3539333d434e8e95771ac21c52a5c5cc3b4925ae01e9149f9b1c76045bade2f name=kata-runtime pid=326946 sandbox=c3539333d434e8e95771ac21c52a5c5cc3b4925ae01e9149f9b1c76045bade2f source=virtcontainers time="2020-04-15T18:15:37.864838473+08:00" level=warning msg="cgroups have not been created and cgroup path is empty" source=virtcontainers/pkg/cgroups time="2020-04-15T18:15:37.907540594+08:00" level=info msg="sanner return error: " arch=amd64 command=delete container=c3539333d434e8e95771ac21c52a5c5cc3b4925ae01e9149f9b1c76045bade2f name=kata-runtime pid=326946 sandbox=c3539333d434e8e95771ac21c52a5c5cc3b4925ae01e9149f9b1c76045bade2f source=virtcontainers subsystem=qmp time="2020-04-15T18:15:37.963320482+08:00" level=error msg="Could not read qemu pid file" arch=amd64 command=delete container=c3539333d434e8e95771ac21c52a5c5cc3b4925ae01e9149f9b1c76045bade2f error="open /run/vc/vm/c3539333d434e8e95771ac21c52a5c5cc3b4925ae01e9149f9b1c76045bade2f/pid: no such file or directory" name=kata-runtime pid=326946 sandbox=c3539333d434e8e95771ac21c52a5c5cc3b4925ae01e9149f9b1c76045bade2f source=virtcontainers subsystem=qemu time="2020-04-15T18:15:37.963759797+08:00" level=error msg="Could not read qemu pid file" arch=amd64 command=delete container=c3539333d434e8e95771ac21c52a5c5cc3b4925ae01e9149f9b1c76045bade2f error="open /run/vc/vm/c3539333d434e8e95771ac21c52a5c5cc3b4925ae01e9149f9b1c76045bade2f/pid: no such file or directory" name=kata-runtime pid=326946 sandbox=c3539333d434e8e95771ac21c52a5c5cc3b4925ae01e9149f9b1c76045bade2f source=virtcontainers subsystem=qemu time="2020-04-15T18:15:37.964097195+08:00" level=warning msg="failed to get sandbox config from old store: open /var/lib/vc/sbs/c3539333d434e8e95771ac21c52a5c5cc3b4925ae01e9149f9b1c76045bade2f/config.json: no such file or directory" arch=amd64 command=delete container=c3539333d434e8e95771ac21c52a5c5cc3b4925ae01e9149f9b1c76045bade2f name=kata-runtime pid=326946 sandbox=c3539333d434e8e95771ac21c52a5c5cc3b4925ae01e9149f9b1c76045bade2f source=virtcontainers time="2020-04-15T18:15:37.964990592+08:00" level=warning msg="cgroups have not been created and cgroup path is empty" source=virtcontainers/pkg/cgroups time="2020-04-15T18:15:37.969788575+08:00" level=error msg="Could not read qemu pid file" arch=amd64 command=delete container=c3539333d434e8e95771ac21c52a5c5cc3b4925ae01e9149f9b1c76045bade2f error="open /run/vc/vm/c3539333d434e8e95771ac21c52a5c5cc3b4925ae01e9149f9b1c76045bade2f/pid: no such file or directory" name=kata-runtime pid=326946 sandbox=c3539333d434e8e95771ac21c52a5c5cc3b4925ae01e9149f9b1c76045bade2f source=virtcontainers subsystem=qemu time="2020-04-15T18:15:37.970035464+08:00" level=warning msg="sandbox cgroups path is empty" arch=amd64 command=delete container=c3539333d434e8e95771ac21c52a5c5cc3b4925ae01e9149f9b1c76045bade2f name=kata-runtime pid=326946 sandbox=c3539333d434e8e95771ac21c52a5c5cc3b4925ae01e9149f9b1c76045bade2f source=virtcontainers subsystem=sandbox time="2020-04-15T18:39:24.53094347+08:00" level=warning msg="load sandbox devices failed" arch=amd64 command=create container=dc3ab63ce0aa6dc1d5c92f7003b47d75fa7dd22ad3b5c732a5b7b166accc9db1 error="open /run/vc/sbs/dc3ab63ce0aa6dc1d5c92f7003b47d75fa7dd22ad3b5c732a5b7b166accc9db1/devices.json: no such file or directory" name=kata-runtime pid=328128 sandbox=dc3ab63ce0aa6dc1d5c92f7003b47d75fa7dd22ad3b5c732a5b7b166accc9db1 sandboxid=dc3ab63ce0aa6dc1d5c92f7003b47d75fa7dd22ad3b5c732a5b7b166accc9db1 source=virtcontainers subsystem=sandbox time="2020-04-15T18:39:24.656951727+08:00" level=info msg="sanner return error: read unix @->/run/vc/vm/dc3ab63ce0aa6dc1d5c92f7003b47d75fa7dd22ad3b5c732a5b7b166accc9db1/qmp.sock: use of closed network connection" arch=amd64 command=create container=dc3ab63ce0aa6dc1d5c92f7003b47d75fa7dd22ad3b5c732a5b7b166accc9db1 name=kata-runtime pid=328128 source=virtcontainers subsystem=qmp time="2020-04-15T18:39:28.48375574+08:00" level=warning msg="sandbox's cgroup won't be updated: cgroup path is empty" arch=amd64 command=create container=dc3ab63ce0aa6dc1d5c92f7003b47d75fa7dd22ad3b5c732a5b7b166accc9db1 name=kata-runtime pid=328128 sandbox=dc3ab63ce0aa6dc1d5c92f7003b47d75fa7dd22ad3b5c732a5b7b166accc9db1 source=virtcontainers subsystem=sandbox time="2020-04-15T18:39:28.487027407+08:00" level=info msg="sanner return error: read unix @->/run/vc/vm/dc3ab63ce0aa6dc1d5c92f7003b47d75fa7dd22ad3b5c732a5b7b166accc9db1/qmp.sock: use of closed network connection" arch=amd64 command=create container=dc3ab63ce0aa6dc1d5c92f7003b47d75fa7dd22ad3b5c732a5b7b166accc9db1 name=kata-runtime pid=328128 source=virtcontainers subsystem=qmp time="2020-04-15T18:42:30.374846665+08:00" level=info msg="sanner return error: " arch=amd64 command=kill container=dc3ab63ce0aa6dc1d5c92f7003b47d75fa7dd22ad3b5c732a5b7b166accc9db1 name=kata-runtime pid=328496 sandbox=dc3ab63ce0aa6dc1d5c92f7003b47d75fa7dd22ad3b5c732a5b7b166accc9db1 source=virtcontainers subsystem=qmp time="2020-04-15T18:42:30.519043497+08:00" level=warning msg="sandox cgroups path is empty" arch=amd64 command=delete container=dc3ab63ce0aa6dc1d5c92f7003b47d75fa7dd22ad3b5c732a5b7b166accc9db1 name=kata-runtime pid=328533 sandbox=dc3ab63ce0aa6dc1d5c92f7003b47d75fa7dd22ad3b5c732a5b7b166accc9db1 source=virtcontainers subsystem=sandbox time="2020-04-15T18:43:09.961622889+08:00" level=warning msg="load sandbox devices failed" arch=amd64 command=create container=b8d5c8c1abe7ba5bdc5a741b6f091f3ebb449ba1a4fa2eb382016129e43b0ea9 error="open /run/vc/sbs/b8d5c8c1abe7ba5bdc5a741b6f091f3ebb449ba1a4fa2eb382016129e43b0ea9/devices.json: no such file or directory" name=kata-runtime pid=328727 sandbox=b8d5c8c1abe7ba5bdc5a741b6f091f3ebb449ba1a4fa2eb382016129e43b0ea9 sandboxid=b8d5c8c1abe7ba5bdc5a741b6f091f3ebb449ba1a4fa2eb382016129e43b0ea9 source=virtcontainers subsystem=sandbox time="2020-04-15T18:43:10.059152008+08:00" level=info msg="sanner return error: read unix @->/run/vc/vm/b8d5c8c1abe7ba5bdc5a741b6f091f3ebb449ba1a4fa2eb382016129e43b0ea9/qmp.sock: use of closed network connection" arch=amd64 command=create container=b8d5c8c1abe7ba5bdc5a741b6f091f3ebb449ba1a4fa2eb382016129e43b0ea9 name=kata-runtime pid=328727 source=virtcontainers subsystem=qmp time="2020-04-15T18:43:14.891757995+08:00" level=warning msg="sandbox's cgroup won't be updated: cgroup path is empty" arch=amd64 command=create container=b8d5c8c1abe7ba5bdc5a741b6f091f3ebb449ba1a4fa2eb382016129e43b0ea9 name=kata-runtime pid=328727 sandbox=b8d5c8c1abe7ba5bdc5a741b6f091f3ebb449ba1a4fa2eb382016129e43b0ea9 source=virtcontainers subsystem=sandbox time="2020-04-15T18:43:14.893789339+08:00" level=info msg="sanner return error: read unix @->/run/vc/vm/b8d5c8c1abe7ba5bdc5a741b6f091f3ebb449ba1a4fa2eb382016129e43b0ea9/qmp.sock: use of closed network connection" arch=amd64 command=create container=b8d5c8c1abe7ba5bdc5a741b6f091f3ebb449ba1a4fa2eb382016129e43b0ea9 name=kata-runtime pid=328727 source=virtcontainers subsystem=qmp time="2020-04-15T18:47:49.951870883+08:00" level=info msg="sanner return error: " arch=amd64 command=kill container=b8d5c8c1abe7ba5bdc5a741b6f091f3ebb449ba1a4fa2eb382016129e43b0ea9 name=kata-runtime pid=328974 sandbox=b8d5c8c1abe7ba5bdc5a741b6f091f3ebb449ba1a4fa2eb382016129e43b0ea9 source=virtcontainers subsystem=qmp time="2020-04-15T18:47:50.09254801+08:00" level=warning msg="sandox cgroups path is empty" arch=amd64 command=delete container=b8d5c8c1abe7ba5bdc5a741b6f091f3ebb449ba1a4fa2eb382016129e43b0ea9 name=kata-runtime pid=329012 sandbox=b8d5c8c1abe7ba5bdc5a741b6f091f3ebb449ba1a4fa2eb382016129e43b0ea9 source=virtcontainers subsystem=sandbox time="2020-04-15T18:49:31.731602458+08:00" level=warning msg="load sandbox devices failed" arch=amd64 command=create container=f55e07272e8f31b98026e11bf6917bf97e5af6727b20e652584ed7f837e2c6a1 error="open /run/vc/sbs/f55e07272e8f31b98026e11bf6917bf97e5af6727b20e652584ed7f837e2c6a1/devices.json: no such file or directory" name=kata-runtime pid=329309 sandbox=f55e07272e8f31b98026e11bf6917bf97e5af6727b20e652584ed7f837e2c6a1 sandboxid=f55e07272e8f31b98026e11bf6917bf97e5af6727b20e652584ed7f837e2c6a1 source=virtcontainers subsystem=sandbox time="2020-04-15T18:49:31.816782805+08:00" level=info msg="sanner return error: read unix @->/run/vc/vm/f55e07272e8f31b98026e11bf6917bf97e5af6727b20e652584ed7f837e2c6a1/qmp.sock: use of closed network connection" arch=amd64 command=create container=f55e07272e8f31b98026e11bf6917bf97e5af6727b20e652584ed7f837e2c6a1 name=kata-runtime pid=329309 source=virtcontainers subsystem=qmp time="2020-04-15T18:49:33.573323426+08:00" level=warning msg="sandbox's cgroup won't be updated: cgroup path is empty" arch=amd64 command=create container=f55e07272e8f31b98026e11bf6917bf97e5af6727b20e652584ed7f837e2c6a1 name=kata-runtime pid=329309 sandbox=f55e07272e8f31b98026e11bf6917bf97e5af6727b20e652584ed7f837e2c6a1 source=virtcontainers subsystem=sandbox time="2020-04-15T18:49:33.575439559+08:00" level=info msg="sanner return error: read unix @->/run/vc/vm/f55e07272e8f31b98026e11bf6917bf97e5af6727b20e652584ed7f837e2c6a1/qmp.sock: use of closed network connection" arch=amd64 command=create container=f55e07272e8f31b98026e11bf6917bf97e5af6727b20e652584ed7f837e2c6a1 name=kata-runtime pid=329309 source=virtcontainers subsystem=qmp time="2020-04-15T19:01:51.779961012+08:00" level=info msg="sanner return error: " arch=amd64 command=kill container=f55e07272e8f31b98026e11bf6917bf97e5af6727b20e652584ed7f837e2c6a1 name=kata-runtime pid=329661 sandbox=f55e07272e8f31b98026e11bf6917bf97e5af6727b20e652584ed7f837e2c6a1 source=virtcontainers subsystem=qmp time="2020-04-15T19:01:51.919944892+08:00" level=warning msg="sandox cgroups path is empty" arch=amd64 command=delete container=f55e07272e8f31b98026e11bf6917bf97e5af6727b20e652584ed7f837e2c6a1 name=kata-runtime pid=329693 sandbox=f55e07272e8f31b98026e11bf6917bf97e5af6727b20e652584ed7f837e2c6a1 source=virtcontainers subsystem=sandbox time="2020-04-15T19:46:10.46178911+08:00" level=warning msg="load sandbox devices failed" arch=amd64 command=create container=2339b9d3f3d3c4f1b065e95c6f3d4e513304e4dd2d49c373e817b061c315dc04 error="open /run/vc/sbs/2339b9d3f3d3c4f1b065e95c6f3d4e513304e4dd2d49c373e817b061c315dc04/devices.json: no such file or directory" name=kata-runtime pid=330809 sandbox=2339b9d3f3d3c4f1b065e95c6f3d4e513304e4dd2d49c373e817b061c315dc04 sandboxid=2339b9d3f3d3c4f1b065e95c6f3d4e513304e4dd2d49c373e817b061c315dc04 source=virtcontainers subsystem=sandbox time="2020-04-15T19:46:10.573958479+08:00" level=info msg="sanner return error: read unix @->/run/vc/vm/2339b9d3f3d3c4f1b065e95c6f3d4e513304e4dd2d49c373e817b061c315dc04/qmp.sock: use of closed network connection" arch=amd64 command=create container=2339b9d3f3d3c4f1b065e95c6f3d4e513304e4dd2d49c373e817b061c315dc04 name=kata-runtime pid=330809 source=virtcontainers subsystem=qmp time="2020-04-15T19:46:14.450195224+08:00" level=warning msg="sandbox's cgroup won't be updated: cgroup path is empty" arch=amd64 command=create container=2339b9d3f3d3c4f1b065e95c6f3d4e513304e4dd2d49c373e817b061c315dc04 name=kata-runtime pid=330809 sandbox=2339b9d3f3d3c4f1b065e95c6f3d4e513304e4dd2d49c373e817b061c315dc04 source=virtcontainers subsystem=sandbox time="2020-04-15T19:46:14.45269842+08:00" level=info msg="sanner return error: read unix @->/run/vc/vm/2339b9d3f3d3c4f1b065e95c6f3d4e513304e4dd2d49c373e817b061c315dc04/qmp.sock: use of closed network connection" arch=amd64 command=create container=2339b9d3f3d3c4f1b065e95c6f3d4e513304e4dd2d49c373e817b061c315dc04 name=kata-runtime pid=330809 source=virtcontainers subsystem=qmp ``` ## Proxy logs Recent proxy problems found in system journal: ``` time="2020-04-15T16:13:04.129458202+08:00" level=fatal msg="failed to handle exit signal" error="close unix @->/run/vc/vm/8bd56e0e7a5d3e67fee3f37a2696895fc250c3a3f84a0912908f6f50f42ecacb/kata.sock: use of closed network connection" name=kata-proxy pid=323412 sandbox=8bd56e0e7a5d3e67fee3f37a2696895fc250c3a3f84a0912908f6f50f42ecacb source=proxy time="2020-04-15T16:14:53.577563384+08:00" level=fatal msg="failed to handle exit signal" error="close unix @->/run/vc/vm/40c386664847515e1ecae995ea28043e829d24549462261bc7a33172ae9132c5/kata.sock: use of closed network connection" name=kata-proxy pid=324009 sandbox=40c386664847515e1ecae995ea28043e829d24549462261bc7a33172ae9132c5 source=proxy time="2020-04-15T18:15:37.88395085+08:00" level=fatal msg="failed to handle exit signal" error="close unix @->/run/vc/vm/c3539333d434e8e95771ac21c52a5c5cc3b4925ae01e9149f9b1c76045bade2f/kata.sock: use of closed network connection" name=kata-proxy pid=326873 sandbox=c3539333d434e8e95771ac21c52a5c5cc3b4925ae01e9149f9b1c76045bade2f source=proxy time="2020-04-15T18:15:37.883992382+08:00" level=fatal msg="channel error" error="accept unix /run/vc/sbs/c3539333d434e8e95771ac21c52a5c5cc3b4925ae01e9149f9b1c76045bade2f/proxy.sock: use of closed network connection" name=kata-proxy pid=326873 sandbox=c3539333d434e8e95771ac21c52a5c5cc3b4925ae01e9149f9b1c76045bade2f source=proxy time="2020-04-15T18:42:30.334706168+08:00" level=fatal msg="failed to handle exit signal" error="close unix @->/run/vc/vm/dc3ab63ce0aa6dc1d5c92f7003b47d75fa7dd22ad3b5c732a5b7b166accc9db1/kata.sock: use of closed network connection" name=kata-proxy pid=328172 sandbox=dc3ab63ce0aa6dc1d5c92f7003b47d75fa7dd22ad3b5c732a5b7b166accc9db1 source=proxy time="2020-04-15T18:47:49.932815172+08:00" level=fatal msg="channel error" error="accept unix /run/vc/sbs/b8d5c8c1abe7ba5bdc5a741b6f091f3ebb449ba1a4fa2eb382016129e43b0ea9/proxy.sock: use of closed network connection" name=kata-proxy pid=328769 sandbox=b8d5c8c1abe7ba5bdc5a741b6f091f3ebb449ba1a4fa2eb382016129e43b0ea9 source=proxy time="2020-04-15T19:01:51.754874522+08:00" level=fatal msg="failed to handle exit signal" error="close unix @->/run/vc/vm/f55e07272e8f31b98026e11bf6917bf97e5af6727b20e652584ed7f837e2c6a1/kata.sock: use of closed network connection" name=kata-proxy pid=329352 sandbox=f55e07272e8f31b98026e11bf6917bf97e5af6727b20e652584ed7f837e2c6a1 source=proxy ``` ## Shim logs No recent shim problems found in system journal. ## Throttler logs No recent throttler problems found in system journal. --- # Container manager details Have `docker` ## Docker Output of "`docker version`": ``` Client: Docker Engine - Community Version: 19.03.8 API version: 1.40 Go version: go1.12.17 Git commit: afacb8b7f0 Built: Wed Mar 11 01:25:58 2020 OS/Arch: linux/amd64 Experimental: false Server: Docker Engine - Community Engine: Version: 19.03.8 API version: 1.40 (minimum version 1.12) Go version: go1.12.17 Git commit: afacb8b7f0 Built: Wed Mar 11 01:24:30 2020 OS/Arch: linux/amd64 Experimental: false containerd: Version: 1.2.13 GitCommit: 7ad184331fa3e55e52b890ea95e65ba581ae3429 docker-init: Version: 0.18.0 GitCommit: fec3683 ``` Output of "`docker info`": ``` Client: Debug Mode: false Server: Containers: 17 Running: 8 Paused: 0 Stopped: 9 Images: 40 Server Version: 19.03.8 Storage Driver: overlay2 Backing Filesystem: Supports d_type: true Native Overlay Diff: true Logging Driver: json-file Cgroup Driver: cgroupfs Plugins: Volume: local Network: bridge host ipvlan macvlan null overlay Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog Swarm: inactive Runtimes: kata-qemu-virtiofs kata-runtime runc kata-clh kata-fc kata-qemu Default Runtime: kata-runtime Init Binary: docker-init containerd version: 7ad184331fa3e55e52b890ea95e65ba581ae3429 runc version: N/A init version: fec3683 Security Options: apparmor seccomp Profile: default Kernel Version: 4.15.0-42-corp-generic Operating System: Ubuntu 16.04.6 LTS OSType: linux Architecture: x86_64 CPUs: 8 Total Memory: 7.289GiB Name: xxxxxxxx ID: 5WAV:7DZI:ST7B:VCAQ:A56X:NX2I:W2LV:5CXK:PFPU:7EZS:JTBH:OK6I Docker Root Dir: /var/lib/docker Debug Mode: true File Descriptors: 70 Goroutines: 67 System Time: 2020-04-15T19:49:08.711520162+08:00 EventsListeners: 0 Registry: https://index.docker.io/v1/ Labels: Experimental: false Insecure Registries: 127.0.0.0/8 Live Restore Enabled: true WARNING: No swap limit support ``` Output of "`systemctl show docker`": ``` Type=notify Restart=always NotifyAccess=main RestartUSec=2s TimeoutStartUSec=infinity TimeoutStopUSec=infinity RuntimeMaxUSec=infinity WatchdogUSec=0 WatchdogTimestamp=Tue 2020-04-14 22:26:12 +08 WatchdogTimestampMonotonic=1063328305274 FailureAction=none PermissionsStartOnly=no RootDirectoryStartOnly=no RemainAfterExit=no GuessMainPID=yes MainPID=307038 ControlPID=0 FileDescriptorStoreMax=0 NFileDescriptorStore=0 StatusErrno=0 Result=success ExecMainStartTimestamp=Tue 2020-04-14 22:26:12 +08 ExecMainStartTimestampMonotonic=1063327946086 ExecMainExitTimestampMonotonic=0 ExecMainPID=307038 ExecMainCode=0 ExecMainStatus=0 ExecStart={ path=/usr/bin/dockerd ; argv[]=/usr/bin/dockerd -D --add-runtime kata-runtime=/usr/bin/kata-runtime --default-runtime=kata-runtime ; ignore_errors=no ; start_time=[Tue 2020-04-14 22:26:12 +08] ; stop_time=[n/a] ; pid=307038 ; code=(null) ; status=0/0 } ExecReload={ path=/bin/kill ; argv[]=/bin/kill -s HUP $MAINPID ; ignore_errors=no ; start_time=[n/a] ; stop_time=[n/a] ; pid=0 ; code=(null) ; status=0/0 } Slice=system.slice ControlGroup=/system.slice/docker.service MemoryCurrent=86433792 CPUUsageNSec=20912087213 TasksCurrent=19 Delegate=yes CPUAccounting=no CPUShares=18446744073709551615 StartupCPUShares=18446744073709551615 CPUQuotaPerSecUSec=infinity BlockIOAccounting=no BlockIOWeight=18446744073709551615 StartupBlockIOWeight=18446744073709551615 MemoryAccounting=no MemoryLimit=18446744073709551615 DevicePolicy=auto TasksAccounting=no TasksMax=18446744073709551615 UMask=0022 LimitCPU=18446744073709551615 LimitCPUSoft=18446744073709551615 LimitFSIZE=18446744073709551615 LimitFSIZESoft=18446744073709551615 LimitDATA=18446744073709551615 LimitDATASoft=18446744073709551615 LimitSTACK=18446744073709551615 LimitSTACKSoft=8388608 LimitCORE=18446744073709551615 LimitCORESoft=18446744073709551615 LimitRSS=18446744073709551615 LimitRSSSoft=18446744073709551615 LimitNOFILE=18446744073709551615 LimitNOFILESoft=18446744073709551615 LimitAS=18446744073709551615 LimitASSoft=18446744073709551615 LimitNPROC=18446744073709551615 LimitNPROCSoft=18446744073709551615 LimitMEMLOCK=18446744073709551615 LimitMEMLOCKSoft=18446744073709551615 LimitLOCKS=18446744073709551615 LimitLOCKSSoft=18446744073709551615 LimitSIGPENDING=29620 LimitSIGPENDINGSoft=29620 LimitMSGQUEUE=819200 LimitMSGQUEUESoft=819200 LimitNICE=0 LimitNICESoft=0 LimitRTPRIO=0 LimitRTPRIOSoft=0 LimitRTTIME=18446744073709551615 LimitRTTIMESoft=18446744073709551615 OOMScoreAdjust=0 Nice=0 IOScheduling=0 CPUSchedulingPolicy=0 CPUSchedulingPriority=0 TimerSlackNSec=50000 CPUSchedulingResetOnFork=no NonBlocking=no StandardInput=null StandardOutput=journal StandardError=inherit TTYReset=no TTYVHangup=no TTYVTDisallocate=no SyslogPriority=30 SyslogLevelPrefix=yes SyslogLevel=6 SyslogFacility=3 SecureBits=0 CapabilityBoundingSet=18446744073709551615 AmbientCapabilities=0 MountFlags=0 PrivateTmp=no PrivateNetwork=no PrivateDevices=no ProtectHome=no ProtectSystem=no SameProcessGroup=no UtmpMode=init IgnoreSIGPIPE=yes NoNewPrivileges=no SystemCallErrorNumber=0 RuntimeDirectoryMode=0755 KillMode=process KillSignal=15 SendSIGKILL=yes SendSIGHUP=no Id=docker.service Names=docker.service Requires=system.slice docker.socket sysinit.target Wants=network-online.target BindsTo=containerd.service WantedBy=multi-user.target ConsistsOf=docker.socket Conflicts=shutdown.target Before=multi-user.target shutdown.target After=network-online.target firewalld.service systemd-journald.socket sysinit.target system.slice containerd.service basic.target docker.socket TriggeredBy=docker.socket Documentation=https://docs.docker.com Description=Docker Application Container Engine LoadState=loaded ActiveState=active SubState=running FragmentPath=/lib/systemd/system/docker.service DropInPaths=/etc/systemd/system/docker.service.d/kata-containers.conf UnitFileState=enabled UnitFilePreset=enabled StateChangeTimestamp=Tue 2020-04-14 22:26:12 +08 StateChangeTimestampMonotonic=1063328305275 InactiveExitTimestamp=Tue 2020-04-14 22:26:12 +08 InactiveExitTimestampMonotonic=1063327946152 ActiveEnterTimestamp=Tue 2020-04-14 22:26:12 +08 ActiveEnterTimestampMonotonic=1063328305275 ActiveExitTimestamp=Tue 2020-04-14 22:26:12 +08 ActiveExitTimestampMonotonic=1063327933449 InactiveEnterTimestamp=Tue 2020-04-14 22:26:12 +08 InactiveEnterTimestampMonotonic=1063327941369 CanStart=yes CanStop=yes CanReload=yes CanIsolate=no StopWhenUnneeded=no RefuseManualStart=no RefuseManualStop=no AllowIsolate=no DefaultDependencies=yes OnFailureJobMode=replace IgnoreOnIsolate=no NeedDaemonReload=no JobTimeoutUSec=infinity JobTimeoutAction=none ConditionResult=yes AssertResult=yes ConditionTimestamp=Tue 2020-04-14 22:26:12 +08 ConditionTimestampMonotonic=1063327945236 AssertTimestamp=Tue 2020-04-14 22:26:12 +08 AssertTimestampMonotonic=1063327945236 Transient=no StartLimitInterval=60000000 StartLimitBurst=3 StartLimitAction=none ``` No `kubectl` No `crio` Have `containerd` ## containerd Output of "`containerd --version`": ``` containerd containerd.io 1.2.13 7ad184331fa3e55e52b890ea95e65ba581ae3429 ``` Output of "`systemctl show containerd`": ``` Type=simple Restart=no NotifyAccess=none RestartUSec=100ms TimeoutStartUSec=1min 30s TimeoutStopUSec=1min 30s RuntimeMaxUSec=infinity WatchdogUSec=0 WatchdogTimestamp=Thu 2020-04-02 15:04:07 +08 WatchdogTimestampMonotonic=4912621 FailureAction=none PermissionsStartOnly=no RootDirectoryStartOnly=no RemainAfterExit=no GuessMainPID=yes MainPID=1305 ControlPID=0 FileDescriptorStoreMax=0 NFileDescriptorStore=0 StatusErrno=0 Result=success ExecMainStartTimestamp=Thu 2020-04-02 15:04:07 +08 ExecMainStartTimestampMonotonic=4912595 ExecMainExitTimestampMonotonic=0 ExecMainPID=1305 ExecMainCode=0 ExecMainStatus=0 ExecStartPre={ path=/sbin/modprobe ; argv[]=/sbin/modprobe overlay ; ignore_errors=yes ; start_time=[n/a] ; stop_time=[n/a] ; pid=0 ; code=(null) ; status=0/0 } ExecStart={ path=/usr/bin/containerd ; argv[]=/usr/bin/containerd ; ignore_errors=no ; start_time=[n/a] ; stop_time=[n/a] ; pid=0 ; code=(null) ; status=0/0 } Slice=system.slice ControlGroup=/system.slice/containerd.service MemoryCurrent=5596430336 CPUUsageNSec=103386249032875 TasksCurrent=885 Delegate=yes CPUAccounting=no CPUShares=18446744073709551615 StartupCPUShares=18446744073709551615 CPUQuotaPerSecUSec=infinity BlockIOAccounting=no BlockIOWeight=18446744073709551615 StartupBlockIOWeight=18446744073709551615 MemoryAccounting=no MemoryLimit=18446744073709551615 DevicePolicy=auto TasksAccounting=no TasksMax=18446744073709551615 UMask=0022 LimitCPU=18446744073709551615 LimitCPUSoft=18446744073709551615 LimitFSIZE=18446744073709551615 LimitFSIZESoft=18446744073709551615 LimitDATA=18446744073709551615 LimitDATASoft=18446744073709551615 LimitSTACK=18446744073709551615 LimitSTACKSoft=8388608 LimitCORE=18446744073709551615 LimitCORESoft=18446744073709551615 LimitRSS=18446744073709551615 LimitRSSSoft=18446744073709551615 LimitNOFILE=1048576 LimitNOFILESoft=1048576 LimitAS=18446744073709551615 LimitASSoft=18446744073709551615 LimitNPROC=18446744073709551615 LimitNPROCSoft=18446744073709551615 LimitMEMLOCK=18446744073709551615 LimitMEMLOCKSoft=18446744073709551615 LimitLOCKS=18446744073709551615 LimitLOCKSSoft=18446744073709551615 LimitSIGPENDING=29620 LimitSIGPENDINGSoft=29620 LimitMSGQUEUE=819200 LimitMSGQUEUESoft=819200 LimitNICE=0 LimitNICESoft=0 LimitRTPRIO=0 LimitRTPRIOSoft=0 LimitRTTIME=18446744073709551615 LimitRTTIMESoft=18446744073709551615 OOMScoreAdjust=0 Nice=0 IOScheduling=0 CPUSchedulingPolicy=0 CPUSchedulingPriority=0 TimerSlackNSec=50000 CPUSchedulingResetOnFork=no NonBlocking=no StandardInput=null StandardOutput=journal StandardError=inherit TTYReset=no TTYVHangup=no TTYVTDisallocate=no SyslogPriority=30 SyslogLevelPrefix=yes SyslogLevel=6 SyslogFacility=3 SecureBits=0 CapabilityBoundingSet=18446744073709551615 AmbientCapabilities=0 MountFlags=0 PrivateTmp=no PrivateNetwork=no PrivateDevices=no ProtectHome=no ProtectSystem=no SameProcessGroup=no UtmpMode=init IgnoreSIGPIPE=yes NoNewPrivileges=no SystemCallErrorNumber=0 RuntimeDirectoryMode=0755 KillMode=process KillSignal=15 SendSIGKILL=yes SendSIGHUP=no Id=containerd.service Names=containerd.service Requires=system.slice sysinit.target WantedBy=multi-user.target BoundBy=docker.service Conflicts=shutdown.target Before=multi-user.target shutdown.target docker.service After=systemd-journald.socket sysinit.target system.slice basic.target network.target Documentation=https://containerd.io Description=containerd container runtime LoadState=loaded ActiveState=active SubState=running FragmentPath=/lib/systemd/system/containerd.service UnitFileState=enabled UnitFilePreset=enabled StateChangeTimestamp=Thu 2020-04-02 15:04:07 +08 StateChangeTimestampMonotonic=4912622 InactiveExitTimestamp=Thu 2020-04-02 15:04:07 +08 InactiveExitTimestampMonotonic=4892178 ActiveEnterTimestamp=Thu 2020-04-02 15:04:07 +08 ActiveEnterTimestampMonotonic=4912622 ActiveExitTimestampMonotonic=0 InactiveEnterTimestampMonotonic=0 CanStart=yes CanStop=yes CanReload=no CanIsolate=no StopWhenUnneeded=no RefuseManualStart=no RefuseManualStop=no AllowIsolate=no DefaultDependencies=yes OnFailureJobMode=replace IgnoreOnIsolate=no NeedDaemonReload=no JobTimeoutUSec=infinity JobTimeoutAction=none ConditionResult=yes AssertResult=yes ConditionTimestamp=Thu 2020-04-02 15:04:07 +08 ConditionTimestampMonotonic=4891425 AssertTimestamp=Thu 2020-04-02 15:04:07 +08 AssertTimestampMonotonic=4891426 Transient=no StartLimitInterval=10000000 StartLimitBurst=5 StartLimitAction=none ``` Output of "`cat /etc/containerd/config.toml`": ``` # Copyright 2018-2020 Docker Inc. # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # http://www.apache.org/licenses/LICENSE-2.0 # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. disabled_plugins = ["cri"] #root = "/var/lib/containerd" #state = "/run/containerd" #subreaper = true #oom_score = 0 #[grpc] # address = "/run/containerd/containerd.sock" # uid = 0 # gid = 0 #[debug] # address = "/run/containerd/debug.sock" # uid = 0 # gid = 0 # level = "info" ``` --- # Packages Have `dpkg` Output of "`dpkg -l|egrep "(cc-oci-runtimecc-runtimerunv|kata-proxy|kata-runtime|kata-shim|kata-ksm-throttler|kata-containers-image|linux-container|qemu-)"`": ``` ii kata-containers-image 1.11.0~alpha1-43 amd64 Kata containers image ii kata-ksm-throttler 1.11.0~alpha1-46 amd64 ii kata-linux-container 5.4.15.69-46 amd64 linux kernel optimised for container-like workloads. ii kata-proxy 1.11.0~alpha1-44 amd64 ii kata-runtime 1.11.0~alpha1-52 amd64 ii kata-shim 1.11.0~alpha1-42 amd64 ii qemu-guest-agent 1:2.5+dfsg-5ubuntu10.39 amd64 Guest-side qemu-system agent ii qemu-vanilla 4.1.1+git.99c5874a9b-47 amd64 linux kernel optimised for container-like workloads. ``` No `rpm` ---

[grahamwhaley]

thanks @EastonLee - to help others diagnose, can you post:

• the exact command you ran (on the host)
• the output of mount from inside the container

that may help us understand what is mounted where and how - thanks!

[EastonLee]

hi @grahamwhaley thanks for the quick reply on the host, to start the Kata container, I tried bind mount docker run -d --privileged --runtime=kata-qemu --mount source=privileged_qemu_volume_ubuntu1604_04,target=/var/lib/docker --name=privileged_qemu_volume_ubuntu1604_04 harbor.corp.com/cloud/virtualdev:ubuntu1604 /lib/systemd/systemd mount output:

root@9bb85b430abe:/# mount
kataShared on / type 9p (rw,nodev,relatime,dirsync,mmap,access=client,trans=virtio)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
tmpfs on /dev type tmpfs (rw,nosuid,size=65536k,mode=755)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=666)
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
tmpfs on /sys/fs/cgroup type tmpfs (ro,nosuid,nodev,noexec,mode=755)
cgroup on /sys/fs/cgroup/systemd type cgroup (rw,nosuid,nodev,noexec,relatime,xattr,name=systemd)
cgroup on /sys/fs/cgroup/memory type cgroup (rw,nosuid,nodev,noexec,relatime,memory)
cgroup on /sys/fs/cgroup/perf_event type cgroup (rw,nosuid,nodev,noexec,relatime,perf_event)
cgroup on /sys/fs/cgroup/cpu,cpuacct type cgroup (rw,nosuid,nodev,noexec,relatime,cpu,cpuacct)
cgroup on /sys/fs/cgroup/cpuset type cgroup (rw,nosuid,nodev,noexec,relatime,cpuset)
cgroup on /sys/fs/cgroup/net_cls,net_prio type cgroup (rw,nosuid,nodev,noexec,relatime,net_cls,net_prio)
cgroup on /sys/fs/cgroup/blkio type cgroup (rw,nosuid,nodev,noexec,relatime,blkio)
cgroup on /sys/fs/cgroup/freezer type cgroup (rw,nosuid,nodev,noexec,relatime,freezer)
cgroup on /sys/fs/cgroup/devices type cgroup (rw,nosuid,nodev,noexec,relatime,devices)
cgroup on /sys/fs/cgroup/pids type cgroup (rw,nosuid,nodev,noexec,relatime,pids)
mqueue on /dev/mqueue type mqueue (rw,nosuid,nodev,noexec,relatime)
shm on /dev/shm type tmpfs (rw,nosuid,nodev,noexec,relatime,size=65536k)
kataShared on /etc/resolv.conf type 9p (rw,nodev,relatime,dirsync,mmap,access=client,trans=virtio)
kataShared on /etc/hostname type 9p (rw,nodev,relatime,dirsync,mmap,access=client,trans=virtio)
kataShared on /etc/hosts type 9p (rw,nodev,relatime,dirsync,mmap,access=client,trans=virtio)
kataShared on /var/lib/docker type 9p (rw,nodev,relatime,dirsync,mmap,access=client,trans=virtio)
tmpfs on /run type tmpfs (rw,nosuid,nodev,mode=755)
tmpfs on /run/lock type tmpfs (rw,nosuid,nodev,noexec,relatime,size=5120k)
root@9bb85b430abe:/#
root@9bb85b430abe:/# stat -f /var/lib/docker
  File: "/var/lib/docker"
    ID: 6d150c7e4dd9cbf9 Namelen: 255     Type: ext2/ext3
Block size: 4096       Fundamental block size: 4096
Blocks: Total: 12689695   Free: 741475     Available: 737379
Inodes: Total: 6400000    Free: 5660701

I also tried volume docker run -d --privileged --runtime=kata-qemu --mount type=bind,source=/data/shared/privileged_qemu_bind_ubuntu1604_04,target=/var/lib/docker --name=privileged_qemu_bind_ubuntu1604_04 harbor.corp.com/cloud/virtualdev:ubuntu1604 /lib/systemd/systemd the mount output:

root@0470be26e35f:/# mount
kataShared on / type 9p (rw,nodev,relatime,dirsync,mmap,access=client,trans=virtio)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
tmpfs on /dev type tmpfs (rw,nosuid,size=65536k,mode=755)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=666)
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
tmpfs on /sys/fs/cgroup type tmpfs (ro,nosuid,nodev,noexec,mode=755)
cgroup on /sys/fs/cgroup/systemd type cgroup (rw,nosuid,nodev,noexec,relatime,xattr,name=systemd)
cgroup on /sys/fs/cgroup/devices type cgroup (rw,nosuid,nodev,noexec,relatime,devices)
cgroup on /sys/fs/cgroup/perf_event type cgroup (rw,nosuid,nodev,noexec,relatime,perf_event)
cgroup on /sys/fs/cgroup/net_cls,net_prio type cgroup (rw,nosuid,nodev,noexec,relatime,net_cls,net_prio)
cgroup on /sys/fs/cgroup/cpu,cpuacct type cgroup (rw,nosuid,nodev,noexec,relatime,cpu,cpuacct)
cgroup on /sys/fs/cgroup/cpuset type cgroup (rw,nosuid,nodev,noexec,relatime,cpuset)
cgroup on /sys/fs/cgroup/freezer type cgroup (rw,nosuid,nodev,noexec,relatime,freezer)
cgroup on /sys/fs/cgroup/blkio type cgroup (rw,nosuid,nodev,noexec,relatime,blkio)
cgroup on /sys/fs/cgroup/pids type cgroup (rw,nosuid,nodev,noexec,relatime,pids)
cgroup on /sys/fs/cgroup/memory type cgroup (rw,nosuid,nodev,noexec,relatime,memory)
mqueue on /dev/mqueue type mqueue (rw,nosuid,nodev,noexec,relatime)
shm on /dev/shm type tmpfs (rw,nosuid,nodev,noexec,relatime,size=65536k)
kataShared on /etc/resolv.conf type 9p (rw,nodev,relatime,dirsync,mmap,access=client,trans=virtio)
kataShared on /etc/hostname type 9p (rw,nodev,relatime,dirsync,mmap,access=client,trans=virtio)
kataShared on /etc/hosts type 9p (rw,nodev,relatime,dirsync,mmap,access=client,trans=virtio)
kataShared on /var/lib/docker type 9p (rw,nodev,relatime,dirsync,mmap,access=client,trans=virtio)
tmpfs on /run type tmpfs (rw,nosuid,nodev,mode=755)
tmpfs on /run/lock type tmpfs (rw,nosuid,nodev,noexec,relatime,size=5120k)
root@0470be26e35f:/#
root@0470be26e35f:/#
root@0470be26e35f:/# stat -f /var/lib/docker
  File: "/var/lib/docker"
    ID: 6d150c7e4dd9cbf9 Namelen: 255     Type: ext2/ext3
Block size: 4096       Fundamental block size: 4096
Blocks: Total: 12689695   Free: 741481     Available: 737385
Inodes: Total: 6400000    Free: 5660703

The performance of docker pull python with both configuration was slow.

[grahamwhaley]

Thx @EastonLee . For both those cases, that /var/lib/docker is still a 9p mount in the mount output. I'll /cc some others so they can help with details of why, and what the fix/workarounds might be. I'm not sure we have a comprehensive document on this... anybody know? /cc @egernst @amshinde

[jodh-intel]

Hi @EastonLee - If this is still a problem for you, please could you try this with Kata 2.0 which uses virtio-fs rather than 9p by default? Alternatively, feel free to close if not an issue any more.