ip may be leaked when call RunPodSandbox failed #60

Open
yylt opened this issue Oct 19, 2020 · 3 comments

Comments

@yylt

yylt commented Oct 19, 2020

environments

  • containerd 1.4.0
  • cni v0.6.0

cni configuration

{
  "name":"cni0",
  "cniVersion":"0.3.1",
  "plugins":[
    {
      "type":"flannel",
      "delegate":{
        "forceAddress":true,
        "hairpinMode": true,
        "isDefaultGateway":true
      }
    },
    {
      "type":"portmap",
      "capabilities":{
        "portMappings":true
      }
    }
  ]
}

containerd log

Oct 13 19:57:27 node-6 containerd: time="2020-10-13T19:57:27.000650503+08:00" level=error msg="Failed to destroy network for sandbox \"48579e8be48f4e17144c81e6750947513bd790985c3513a78a84d3569d94b33c\"" error="delegateDel: error invoking ConflistDel - \"cni0\": conflistDel: error in getting result from DelNetworkList: could not teardown ipv4 snat: running [/usr/sbin/iptables -t nat -N CNI-SN-789e45a28000a6e5f5d67 --wait]: exit status 4: iptables: Resource temporarily unavailable.\n"

expected: ip recycled

real: ip leaked

Looks like this should be a cni question, but the cni plugins should also return failure.

@mikebrow (Member)

fyi we moved up to the latest cni, cni plugins, and cni config in containerd v1.4.1

were you running with containerd in -l debug mode?

temporarily unavailable sounds like a zombie process issue... qemu-kvm?

lots of variables here..

@yylt (Author)

yylt commented Oct 20, 2020

fyi we moved up to the latest cni, cni plugins, and cni config in containerd v1.4.1

were you running with containerd in -l debug mode?

temporarily unavailable sounds like a zombie process issue... qemu-kvm?

lots of variables here..

Sorry for the missing info.

reproduce

  1. Use kata-shim to run a secure container; the qemu-kvm binary used by kata-shim had been removed at some point.
  2. Now create a secure pod.
  3. journalctl -eu containerd -o cat shows RunPodSandbox failed, but the ip that had been allocated was not recycled.

@MikeZappa87 (Contributor)

In the error log I see mentions of deletion; however, the command "/usr/sbin/iptables -t nat -N CNI-SN-789e45a28000a6e5f5d67 --wait" is creating a new iptables chain in the nat table, which is an odd action when calling DEL. That error most likely came from the portmap plugin. When you say "ip leaked", is the error above preventing the ipam from reclaiming the ip address? I think flannel writes the currently used ip addresses to /var/lib/cni/networks? Are you seeing the ip address file still around after the pod is deleted?
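A check for the situation MikeZappa87 asks about, added here as an example (it is not code from this thread, containerd or the CNI plugins): it lists host-local IPAM reservation files under /var/lib/cni/networks/<network> whose recorded container ID is not among the live sandbox IDs, which is what a leaked allocation looks like after a failed RunPodSandbox. It assumes host-local's file layout (one file per IP, first line holds the container ID); the directory, IDs and IPs below are constructed for the demo.

```shell
#!/bin/sh
# find_leaked_ips IPAM_DIR LIVE_IDS_FILE
#   IPAM_DIR       e.g. /var/lib/cni/networks/cni0 (host-local state)
#   LIVE_IDS_FILE  one live sandbox ID per line (e.g. from `crictl pods -q`)
# Prints "<ip> <container-id>" for every reservation whose container is not live.
find_leaked_ips() {
    ipam_dir="$1"
    live_ids_file="$2"
    for f in "$ipam_dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        # host-local keeps bookkeeping files next to the reservations; skip them
        case "$name" in
            last_reserved_ip*|lock) continue ;;
        esac
        cid=$(head -n 1 "$f")
        # a reservation is fine only if its container ID is still a live sandbox
        if ! grep -qx "$cid" "$live_ids_file"; then
            echo "$name $cid"
        fi
    done
}

# --- constructed demo state (not a real host) ---
demo=$(mktemp -d)
mkdir -p "$demo/cni0"
printf '%s\neth0\n' aaaa1111 > "$demo/cni0/10.244.1.5"   # sandbox still running
printf '%s\neth0\n' bbbb2222 > "$demo/cni0/10.244.1.6"   # sandbox failed, file left behind
echo 10.244.1.6 > "$demo/cni0/last_reserved_ip.0"
printf 'aaaa1111\n' > "$demo/live.txt"

find_leaked_ips "$demo/cni0" "$demo/live.txt"
```

On a real node, run it against the network's directory with the output of `crictl pods -q` as the live list; any line it prints is an address that nothing will reclaim until the file is removed.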
