
IP may be leaked when the RunPodSandbox call fails

Open yylt opened this issue 4 years ago • 3 comments

environments

  • containerd 1.4.0
  • cni v0.6.0

cni configuration

{
  "name":"cni0",
  "cniVersion":"0.3.1",
  "plugins":[
    {
      "type":"flannel",
      "delegate":{
        "forceAddress":true,
        "hairpinMode": true,
        "isDefaultGateway":true
      }
    },
    {
      "type":"portmap",
      "capabilities":{
        "portMappings":true
      }
    }
  ]
}

containerd log

Oct 13 19:57:27 node-6 containerd: time="2020-10-13T19:57:27.000650503+08:00" level=error msg="Failed to destroy network for sandbox \"48579e8be48f4e17144c81e6750947513bd790985c3513a78a84d3569d94b33c\"" error="delegateDel: error invoking ConflistDel - \"cni0\": conflistDel: error in getting result from DelNetworkList: could not teardown ipv4 snat: running [/usr/sbin/iptables -t nat -N CNI-SN-789e45a28000a6e5f5d67 --wait]: exit status 4: iptables: Resource temporarily unavailable.\n"

expected

ip recycled

real

ip leaked

Looks like this should be a CNI question, but the CNI plugins should also return a failure.

yylt avatar Oct 19 '20 09:10 yylt

fyi we moved up to the latest cni, cni plugins, and cni config in containerd v1.4.1

were you running with containerd in -l debug mode?

temporarily unavailable sounds like a zombie process issue... qemu-kvm?

lots of variables here..

mikebrow avatar Oct 19 '20 17:10 mikebrow


Sorry for the missing information.

Reproduce

  1. Use kata-shim to run a secure container; the qemu-kvm binary used by kata-shim had been removed at some point.
  2. Now create a secure pod.
  3. journalctl -eu containerd -o cat will show RunPodSandbox failed, but the IP that had been allocated was not recycled.

yylt avatar Oct 20 '20 02:10 yylt

In the error log I see mentions of deletion; however, the command "/usr/sbin/iptables -t nat -N CNI-SN-789e45a28000a6e5f5d67 --wait" is creating a new iptables chain in the nat table, which is an odd action when calling DEL. That error most likely came from the portmap plugin. When you say "ip leaked", is the error above preventing the IPAM from reclaiming the IP address? I think flannel writes the currently used IP addresses to /var/lib/cni/networks? Are you seeing the IP address file still around after the pod is deleted?

MikeZappa87 avatar Dec 15 '21 05:12 MikeZappa87
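A check for the leak discussed in the last two comments, written here as an added example (not go-cni's or the CNI plugins' own code). It assumes flannel delegated to host-local IPAM, that the store layout is /var/lib/cni/networks/<name>/<ip> with each file holding "<containerID>\r\n<ifname>" (both assumptions), and compares those reservations against the sandbox IDs the runtime still knows about, which is how a reservation left behind by an aborted DEL shows up.

```go
package main

import (
	"fmt"
	"net"
	"os"
	"path/filepath"
	"strings"
)

// leakedIPs scans a host-local IPAM store (assumed layout
// /var/lib/cni/networks/<name>/<ip>, body "<containerID>\r\n<ifname>") and
// returns the IPs reserved for container IDs not in live: what a DEL that aborted
// before reaching IPAM leaves behind. Non-IP names ("lock", "last_reserved_ip.N") are skipped.
func leakedIPs(dir string, live map[string]bool) ([]string, error) {
	entries, err := os.ReadDir(dir) // sorted by name, so output order is stable
	if err != nil {
		return nil, err
	}
	var leaked []string
	for _, e := range entries {
		if e.IsDir() || net.ParseIP(e.Name()) == nil {
			continue
		}
		body, err := os.ReadFile(filepath.Join(dir, e.Name()))
		if err != nil {
			return nil, err
		}
		// first line is the container ID; TrimSpace also drops the "\r"
		id := strings.TrimSpace(strings.SplitN(string(body), "\n", 2)[0])
		if !live[id] {
			leaked = append(leaked, e.Name())
		}
	}
	return leaked, nil
}
func main() {
	// constructed store: the sandbox from the issue log (gone), a live one, and host-local's lock file
	dir, _ := os.MkdirTemp("", "cni0")
	defer os.RemoveAll(dir)
	for name, body := range map[string]string{
		"10.244.1.2": "48579e8be48f4e17144c81e6750947513bd790985c3513a78a84d3569d94b33c\r\neth0",
		"10.244.1.3": "f1e2d3c4\r\neth0",
		"lock":       "",
	} {
		_ = os.WriteFile(filepath.Join(dir, name), []byte(body), 0o644)
	}
	leaked, _ := leakedIPs(dir, map[string]bool{"f1e2d3c4": true})
	fmt.Println(leaked) // [10.244.1.2]
}
```

On a real node the live set would come from the runtime's sandbox list (for example the IDs reported by the containerd CRI), and any IP the check returns is a reservation that never reached the IPAM DEL.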