kayrus opened this issue 2 weeks ago
I'll take a look at this in the coming days. I want to be sure that the best solution is indeed the curl `--max-time` flag. When I was implementing the RGW probe, I remember looking into that flag and rejecting it, but I forget my rationale at present.
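For context, the two flags bound different things; a minimal illustration (using the probe script's `$RGW_URL` variable as a placeholder):

```bash
# --connect-timeout bounds only the TCP/TLS connection phase; a request
# that connects but then stalls mid-transfer is not limited by it.
curl --connect-timeout 3 "$RGW_URL"

# --max-time bounds the entire operation (connect + transfer), so a
# slow-but-healthy endpoint that needs more than 3s to answer fails too.
curl --max-time 3 "$RGW_URL"
```

One plausible reason to prefer `--connect-timeout` for a probe is that it only guards against an unreachable endpoint, whereas `--max-time` can also fail probes against an RGW that is alive but responding slowly.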
@kayrus what do you mean by "accumulate" here?
> When there is a network hiccup, the bash scripts with a curl probe start to accumulate
Can you provide logs that show what you mean?
There are no logs, there are just dozens of `bash` and `curl` processes trying to access the endpoint.
How are you determining that to be true? I would like to see some kind of output as proof that this is happening. My understanding of Kubernetes probes is that when they time out, Kubernetes kills the process (`bash`), which should also kill the `curl` process in the script.
The dilemma I face is this:
Because of the risk of introducing errors by making the proposed change, I want to make sure we are certain that there is an issue present. Rook has gotten the pod probes wrong in the past, and it has taken us a lot of effort to develop probes that are useful and bug-free, and to make sure that we are not implementing probes or probe features that risk causing cascading system failures.
We have also had Rook users in the past submit issues based on theory rather than on observed behavior. Since you are not providing evidence via observed behavior, I am still concerned that the reasoning behind the creation of this issue could be theoretical and not evidence-based. When users have reported theoretical issues in the past, it has led to us introducing unnecessary complexity into Rook, and it has sometimes caused bugs.
I did some in-depth investigation today, and I have findings to share.
This is the information I can find on the topic of probe "accumulation" (from June 2022): https://github.com/kubernetes/kubernetes/issues/110070#issuecomment-1150217612
In summary, cri-o and containerd runtimes will terminate probe processes if they pass the timeout threshold, preventing process "accumulation". The dockershim runtime does not have this ability, but since dockershim is not a supported K8s configuration, k8s will not fix the behavior. Because dockershim was already an unsupported runtime 2 years ago, I don't see any compelling reason that we should consider this a Rook bug in 2024.
To confirm that there isn't a bash issue present, I looked into how the script behaves in isolation when it receives a SIGTERM signal. When SIGTERM is received while `http_response="$(check "$RGW_URL")"` is running, I see that the curl process stops and does not remain running.
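A minimal sketch of that isolation test, where `check` is a stand-in for the real probe helper and the blackhole address just makes curl block in the connect phase:

```bash
#!/usr/bin/env bash
# Write a stand-in probe script whose curl call hangs
cat > /tmp/probe.sh <<'EOF'
#!/usr/bin/env bash
check() {
  curl --fail --silent --output /dev/null --write-out '%{http_code}' "$1"
}
RGW_URL="http://10.255.255.1:8080"   # non-routable in most networks, so curl blocks on connect
http_response="$(check "$RGW_URL")"
echo "$http_response"
EOF
chmod +x /tmp/probe.sh

/tmp/probe.sh &           # run the probe as its own process
probe_pid=$!
sleep 1
kill -TERM "$probe_pid"   # deliver SIGTERM while the command substitution is running
sleep 1
pgrep -a curl || echo "no leftover curl processes"
```

Note that container runtimes may signal the whole process group rather than a single PID, so this only approximates what cri-o/containerd do.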
Because this involves liveness probes, I am taking this issue seriously. That also means that I am doing my own due diligence to be certain that Rook is doing the best thing for all its users.
And because my research and testing didn't find anything wrong, it means that I must put the burden of proof on you to show that the issue is real. For us to move forward with the bug fix, please show us via some sort of console output that the process accumulation is definitely happening in your environment and that the container runtime is something other than dockershim.
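For example, output along these lines would settle both questions (pod name and namespace are placeholders):

```bash
# Show the container runtime in use (CONTAINER-RUNTIME column)
kubectl get nodes -o wide

# Sample the number of curl processes inside the RGW pod over time;
# a steadily growing count would demonstrate accumulation
kubectl -n rook-ceph exec <rgw-pod-name> -- sh -c \
  'while true; do echo "$(date): $(ps aux | grep "[c]url" | wc -l) curl process(es)"; sleep 5; done'
```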
@BlaineEXE thanks a lot for your extra research. I'll try to provide more evidences next week.
Hi @kayrus I wanted to check in to see how things are progressing on your side.
I'm also happy to try to see if I can repro, if you can help me understand what you mean by "network hiccup." I'm not sure what would cause networking between a probe and pod to stall, but I might be able to simulate it if I understood more about the situation you're describing.
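If it helps, one way I'd approximate a "hiccup" is to silently drop the probe's traffic on the node so the connection stalls instead of being refused; a sketch, assuming root on the node and that the RGW endpoint listens on port 8080:

```bash
# DROP (rather than REJECT) makes curl hang in the connect phase,
# which is exactly the case a bare curl has no bound on by default
iptables -I INPUT -p tcp --dport 8080 -j DROP

# ...wait a few probe periods and watch for process buildup...

# restore traffic
iptables -D INPUT -p tcp --dport 8080 -j DROP
```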
@BlaineEXE apologies, I had other, more pressing issues to fix, such as keystone auth.
Regarding the hung `curl` processes: in our case we're using containerd, and according to the ticket you provided, this problem doesn't occur with containerd. I need some more time to reproduce the issue on our side.
**Is this a bug report or feature request?**

**Deviation from expected behavior:**
When there is a network hiccup, the bash scripts with a curl probe start to accumulate. By default curl has a high connect timeout (curl's built-in default is 300 seconds, though the OS TCP stack often gives up sooner).
And the probes are:
**Expected behavior:**
Curl probe should have a ~3 sec connect timeout, e.g. use `--connect-timeout 3` or `--max-time 3`.
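For illustration, the difference is easy to see against a non-routable address (10.255.255.1 is just a blackhole placeholder):

```bash
# Without a timeout flag, curl waits on the connect phase until curl's
# built-in 300s limit or the OS TCP timeout, whichever comes first
time curl http://10.255.255.1:8080/

# With a bounded connect phase, the probe fails after roughly 3 seconds
time curl --connect-timeout 3 http://10.255.255.1:8080/
```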
**How to reproduce it (minimal and precise):**
n/a
**File(s) to submit:**

* `cluster.yaml`, if necessary

**Logs to submit:**

* Crashing pod(s) logs, if necessary
* To get logs, use `kubectl -n <namespace> logs <pod name>`
* When pasting logs, always surround them with backticks or use the `insert code` button from the GitHub UI. Read GitHub documentation if you need help.

**Cluster Status to submit:**
* Output of kubectl commands, if necessary
* To get the health of the cluster, use `kubectl rook-ceph health`
* To get the status of the cluster, use `kubectl rook-ceph ceph status`
* For more details, see the Rook kubectl Plugin

**Environment:**
* Kernel (e.g. `uname -a`):
* Rook version (use `rook version` inside of a Rook Pod):
* Storage backend version (e.g. for ceph do `ceph -v`):
* Kubernetes version (use `kubectl version`):
* Storage backend status (e.g. for Ceph use `ceph health` in the Rook Ceph toolbox):