GC pod ips #35572
GC pod ips #35572
Conversation
k8s-github-robot
added
size/L
| @@ -49,6 +49,7 @@ import ( | |||
| "strconv" | |||
|
|
|||
| "k8s.io/kubernetes/pkg/kubelet/network/hostport" | |||
| "path/filepath" | |||
| statuses := pod.Status.ContainerStatuses | ||
| if len(statuses) == 0 { | ||
| return states | ||
| } else { |
| @@ -82,6 +82,23 @@ func FailedContainers(pod *api.Pod) map[string]ContainerFailures { | |||
| return states | |||
| } | |||
|
|
|||
| // TerminatedContainers inspects all containers in a pod and returns those | |||
| // that have terminated. | |||
There was a problem hiding this comment.
nit: explain what the map contains.
| // test node or default limits applied (if any). It's is essential | ||
| // that no containers end up in terminated. 100 was chosen because | ||
| // it's the max pods per node. | ||
| POD_COUNT = 100 |
There was a problem hiding this comment.
nit: why using the all caps with underscore name? Go convention is to use mixedCaps names.
| POD_CREATION_INTERVAL = 100 * time.Millisecond | ||
| RECOVER_TIMEOUT = 5 * time.Minute | ||
| START_TIMEOUT = 3 * time.Minute | ||
| MIN_PODS = 20 |
There was a problem hiding this comment.
What's the assumption about the IP capacity? It should affect the calculation of MIN_PODS and RESTART_COUNT.
There was a problem hiding this comment.
yeah it's above both (255), added comments
|
|
||
| runningPods = []*api.Pod{} | ||
| for _, pod := range podList.Items { | ||
| if r, err := testutils.PodRunningReady(&pod); err != nil { |
There was a problem hiding this comment.
nti: combine both conditions into one?
; err != nil || !r {
| By("Confirm no containers have terminated") | ||
| for _, pod := range postRestartRunningPods { | ||
| if c := testutils.TerminatedContainers(pod); len(c) != 0 { | ||
| framework.Failf("Pod %v has failed containers %+v after docker restart, this might indicate an IP leak", pod.Name, c) |
| // release leaked ips | ||
| for ip, containerID := range ipContainerIdMap { | ||
| // if the container is not running, release IP | ||
| if !runningContainerIDs.Has(containerID) { |
There was a problem hiding this comment.
nit (optional): reduce the indent by
if runningContainerIDs.Has(containerID) {
continue
}
| for _, pod := range pods { | ||
| containerID, err := plugin.host.GetRuntime().GetPodContainerID(pod) | ||
| if err != nil { | ||
| glog.Errorf("Failed to get infra containerID of %q/%q: %v", pod.Namespace, pod.Name, err) |
There was a problem hiding this comment.
Not sure if this should be an error. If docker has just restarted, kubelet may not have the chance to start the infra container yet. Maybe Warningf is more appropriate.
There was a problem hiding this comment.
changed to warning
| continue | ||
| } | ||
|
|
||
| runningContainerIDs.Insert(strings.TrimSpace(containerID.ID)) |
There was a problem hiding this comment.
What if the infra container has already terminated? You probably want to check the container state before inserting.
There was a problem hiding this comment.
this is a race we can't easily avoid. If it exits after getNonExitedPods and this line, assume we get a teardown. It's more important that we detect the gargabe in the ip dir.
There was a problem hiding this comment.
My comment wasn't about the race condition. getNonExitedPods returns pods with at least one running container, which may include a pod with a running user container and a dead infra container. I don't see the state of the infra container being checked anywhere.
There was a problem hiding this comment.
is that a problem?
There was a problem hiding this comment.
Other than the IP used by those infra containers wouldn't be recycled, there is no problem.
There was a problem hiding this comment.
And that pod will get cleaned up the normal way (teardown)? there's no way we restarted an old container because we must've tried the infra container first and failed, so this must be a crashing infra container of a current user pods that will at some point in the future naturally die. no?
| // Assumes PodSpecs retrieved from the runtime include the name and ID of containers in | ||
| // each pod. | ||
| func (plugin *kubenetNetworkPlugin) getActivePods() ([]*hostport.ActivePod, error) { | ||
| // getNonExitedPods returns a list of pods running or ready to run on this node |
There was a problem hiding this comment.
What "ready to run" means here is unclear...How about just "returns a list of pods where there are at least one running container in the pod"?
On the other hand, as I said in line 679, you probably just want a list of "non-terminated" infra containers. You can filter out pods with a terminated or non-existent infra container in one place.
There was a problem hiding this comment.
just reworded comment since this has already been tested and refactoring will require more stressing and no functional benefit.
There was a problem hiding this comment.
It's just a very convoluted way to get a set of running infra containers, but I get the need to keep the change minimal for cherrypicking.
yujuhong
added
release-note
| continue | ||
| } | ||
|
|
||
| runningContainerIDs.Insert(strings.TrimSpace(containerID.ID)) |
There was a problem hiding this comment.
this is a race we can't easily avoid. If it exits after getNonExitedPods and this line, assume we get a teardown. It's more important that we detect the gargabe in the ip dir.
| POD_CREATION_INTERVAL = 100 * time.Millisecond | ||
| RECOVER_TIMEOUT = 5 * time.Minute | ||
| START_TIMEOUT = 3 * time.Minute | ||
| MIN_PODS = 20 |
There was a problem hiding this comment.
yeah it's above both (255), added comments
| // Assumes PodSpecs retrieved from the runtime include the name and ID of containers in | ||
| // each pod. | ||
| func (plugin *kubenetNetworkPlugin) getActivePods() ([]*hostport.ActivePod, error) { | ||
| // getNonExitedPods returns a list of pods running or ready to run on this node |
There was a problem hiding this comment.
just reworded comment since this has already been tested and refactoring will require more stressing and no functional benefit.
| @@ -49,6 +49,7 @@ import ( | |||
| "strconv" | |||
|
|
|||
| "k8s.io/kubernetes/pkg/kubelet/network/hostport" | |||
| "path/filepath" | |||
| // test node or default limits applied (if any). It's is essential | ||
| // that no containers end up in terminated. 100 was chosen because | ||
| // it's the max pods per node. | ||
| POD_COUNT = 100 |
| framework.Failf("Failed to start *any* pods after docker restart, this might indicate an IP leak") | ||
| } | ||
| By("Confirm no containers have terminated") | ||
| for _, pod := range postRestartRunningPods { |
There was a problem hiding this comment.
yeah that's lastState, im checking state which shouldn't be terminated at the end of this experiment (it is in step 3 below):
- schedule new pods on a full ip node, they end up with state waiting (containerCreating, no available ips).
- If a pod gets a chance to run, we have state running (startedAt blah).
- If docker gets bounced and we end up with no available ips, we have state terminated (finishedAt blah), Ready=false.
- Now GC runs and frees up some ips (in fact with 100 pods gc keeps running after the 3rd restart).
- And we get state running (startedAt blah) with lastState terminated (finishedAt blah), Ready=true.
If GC hadn't run, we would be stuck at (3) a 100 containers with state terminated (finishedAt blah), ready=false.
| for _, pod := range pods { | ||
| containerID, err := plugin.host.GetRuntime().GetPodContainerID(pod) | ||
| if err != nil { | ||
| glog.Errorf("Failed to get infra containerID of %q/%q: %v", pod.Namespace, pod.Name, err) |
There was a problem hiding this comment.
changed to warning
|
@k8s-bot gce etcd3 e2e test this |
|
LGTM. |
|
Jenkins GCE etcd3 e2e failed for commit 18b2f085f36058447096aad601429e11e6c83250. Full PR test history. The magic incantation to run this job again is |
|
@k8s-bot gce etcd3 e2e test this |
|
Reviewers, I'm planning to apply the lgtm label tomorrow to cherrypick this for Friday's release. Tests passed and I have one LGTM. |
jessfraz
added
cherry-pick-approved
|
Applying label, @dchen1107 I'll get verbal confirmation from you before cherrypicking |
bprashanth
added
the
lgtm
|
Jenkins verification failed for commit 18b2f085f36058447096aad601429e11e6c83250. Full PR test history. The magic incantation to run this job again is |
bprashanth
added
lgtm
The docker runtime doesn't tear down networking when GC-ing pods. rkt already does so make docker do it too. To ensure this happens, networking is always torn down for the container even if the container itself is not deleted. This prevents IPAM from leaking when the pod gets killed for some reason outside kubelet (like docker restart) or when pods are killed while kubelet isn't running. Fixes: kubernetes#14940 Related: kubernetes#35572
The docker runtime doesn't tear down networking when GC-ing pods. rkt already does so make docker do it too. To ensure this happens, networking is always torn down for the container even if the container itself is not deleted. This prevents IPAM from leaking when the pod gets killed for some reason outside kubelet (like docker restart) or when pods are killed while kubelet isn't running. Fixes: kubernetes#14940 Related: kubernetes#35572
The docker runtime doesn't tear down networking when GC-ing pods. rkt already does so make docker do it too. To ensure this happens, networking is always torn down for the container even if the container itself is not deleted. This prevents IPAM from leaking when the pod gets killed for some reason outside kubelet (like docker restart) or when pods are killed while kubelet isn't running. Fixes: kubernetes#14940 Related: kubernetes#35572
The docker runtime doesn't tear down networking when GC-ing pods. rkt already does so make docker do it too. To ensure this happens, networking is always torn down for the container even if the container itself is not deleted. This prevents IPAM from leaking when the pod gets killed for some reason outside kubelet (like docker restart) or when pods are killed while kubelet isn't running. Fixes: kubernetes#14940 Related: kubernetes#35572
The docker runtime doesn't tear down networking when GC-ing pods. rkt already does so make docker do it too. To ensure this happens, networking is always torn down for the container even if the container itself is not deleted. This prevents IPAM from leaking when the pod gets killed for some reason outside kubelet (like docker restart) or when pods are killed while kubelet isn't running. Fixes: kubernetes#14940 Related: kubernetes#35572
The docker runtime doesn't tear down networking when GC-ing pods. rkt already does so make docker do it too. To ensure this happens, networking is always torn down for the container even if the container itself is not deleted. This prevents IPAM from leaking when the pod gets killed for some reason outside kubelet (like docker restart) or when pods are killed while kubelet isn't running. Fixes: kubernetes#14940 Related: kubernetes#35572
Automatic merge from submit-queue (batch tested with PRs 40505, 34664, 37036, 40726, 41595) dockertools: call TearDownPod when GC-ing infra pods The docker runtime doesn't tear down networking when GC-ing pods. rkt already does so make docker do it too. To ensure this happens, infra pods are now always GC-ed rather than gating them by containersToKeep. This prevents IPAM from leaking when the pod gets killed for some reason outside kubelet (like docker restart) or when pods are killed while kubelet isn't running. Fixes: #14940 Related: #35572
The docker runtime doesn't tear down networking when GC-ing pods. rkt already does so make docker do it too. To ensure this happens, networking is always torn down for the container even if the container itself is not deleted. This prevents IPAM from leaking when the pod gets killed for some reason outside kubelet (like docker restart) or when pods are killed while kubelet isn't running. Fixes: kubernetes#14940 Related: kubernetes#35572
Finally managed to write a failing test.
Supersedes #34373
This change is